Added check on SSL
Dieser Commit ist enthalten in:
Ursprung
7ce0537ce8
Commit
8d66bf093e
1 geänderte Dateien mit 23 neuen und 7 gelöschten Zeilen
|
@ -1,3 +1,4 @@
|
||||||
|
!!! warning
|
||||||
mailcow dockerized comes with a snakeoil CA "mailcow" and a server certificate in `data/assets/ssl`. Please use your own trusted certificates.
|
mailcow dockerized comes with a snakeoil CA "mailcow" and a server certificate in `data/assets/ssl`. Please use your own trusted certificates.
|
||||||
|
|
||||||
mailcow uses **at least** 3 domain names that should be covered by your new certificate:
|
mailcow uses **at least** 3 domain names that should be covered by your new certificate:
|
||||||
|
@ -6,21 +7,21 @@ mailcow uses **at least** 3 domain names that should be covered by your new cert
|
||||||
- autodiscover.**example.org**
|
- autodiscover.**example.org**
|
||||||
- autoconfig.**example.org**
|
- autoconfig.**example.org**
|
||||||
|
|
||||||
### Let's Encrypt
|
## Let's Encrypt
|
||||||
|
|
||||||
This is just an example of how to obtain certificates with certbot. There are several methods!
|
This is just an example of how to obtain certificates with certbot. There are several methods!
|
||||||
|
|
||||||
1\. Get the certbot client:
|
### 1\. Get the certbot client:
|
||||||
``` bash
|
``` bash
|
||||||
wget https://dl.eff.org/certbot-auto -O /usr/local/sbin/certbot && chmod +x /usr/local/sbin/certbot
|
wget https://dl.eff.org/certbot-auto -O /usr/local/sbin/certbot && chmod +x /usr/local/sbin/certbot
|
||||||
```
|
```
|
||||||
|
|
||||||
2\. Make sure you set `HTTP_BIND=0.0.0.0` and `HTTP_PORT=80` in `mailcow.conf` or setup a reverse proxy to enable connections to port 80. If you changed HTTP_BIND, then rebuild Nginx:
|
### 2\. Make sure you set `HTTP_BIND=0.0.0.0` and `HTTP_PORT=80` in `mailcow.conf` or setup a reverse proxy to enable connections to port 80. If you changed HTTP_BIND, then rebuild Nginx:
|
||||||
``` bash
|
``` bash
|
||||||
docker-compose up -d
|
docker-compose up -d
|
||||||
```
|
```
|
||||||
|
|
||||||
3\. Request the certificate with the webroot method:
|
### 3\. Request the certificate with the webroot method:
|
||||||
``` bash
|
``` bash
|
||||||
cd /path/to/git/clone/mailcow-dockerized
|
cd /path/to/git/clone/mailcow-dockerized
|
||||||
source mailcow.conf
|
source mailcow.conf
|
||||||
|
@ -37,7 +38,7 @@ certbot certonly \
|
||||||
!!! warning
|
!!! warning
|
||||||
Remember to replace the example.org domain with your own domain, this command will not work if you dont.
|
Remember to replace the example.org domain with your own domain, this command will not work if you dont.
|
||||||
|
|
||||||
4\. Create hard links to the full path of the new certificates. Assuming you are still in the mailcow root folder:
|
### 4\. Create hard links to the full path of the new certificates. Assuming you are still in the mailcow root folder:
|
||||||
``` bash
|
``` bash
|
||||||
mv data/assets/ssl/cert.{pem,pem.backup}
|
mv data/assets/ssl/cert.{pem,pem.backup}
|
||||||
mv data/assets/ssl/key.{pem,pem.backup}
|
mv data/assets/ssl/key.{pem,pem.backup}
|
||||||
|
@ -45,9 +46,24 @@ ln $(readlink -f /etc/letsencrypt/live/${MAILCOW_HOSTNAME}/fullchain.pem) data/a
|
||||||
ln $(readlink -f /etc/letsencrypt/live/${MAILCOW_HOSTNAME}/privkey.pem) data/assets/ssl/key.pem
|
ln $(readlink -f /etc/letsencrypt/live/${MAILCOW_HOSTNAME}/privkey.pem) data/assets/ssl/key.pem
|
||||||
```
|
```
|
||||||
|
|
||||||
5\. Restart affected containers:
|
### 5\. Restart affected containers:
|
||||||
```
|
```
|
||||||
docker-compose restart postfix-mailcow dovecot-mailcow nginx-mailcow
|
docker-compose restart postfix-mailcow dovecot-mailcow nginx-mailcow
|
||||||
```
|
```
|
||||||
|
|
||||||
When renewing certificates, run the last two steps (link + restart) as post-hook in a script.
|
When renewing certificates, run the last two steps (link + restart) as post-hook in a script.
|
||||||
|
|
||||||
|
## Check your configuration
|
||||||
|
|
||||||
|
To check if nginx serves the correct certificate, simply use a browser of your choice and check the displayed certificate.
|
||||||
|
|
||||||
|
To check the certificate served by dovecot or postfix we will use `openssl`:
|
||||||
|
|
||||||
|
```
|
||||||
|
# Connect via SMTP (25)
|
||||||
|
openssl s_client -starttls smtp -crlf -connect mx.mailcow.email:25
|
||||||
|
# Connect via SMTPS (465)
|
||||||
|
openssl s_client -showcerts -connect mx.mailcow.email:465
|
||||||
|
# Connect via SUBMISSION (587)
|
||||||
|
openssl s_client -starttls smtp -crlf -connect mx.mailcow.email:587
|
||||||
|
```
|
||||||
|
|
Laden …
In neuem Issue referenzieren