nickslowinski/mailcow-dockerized-docs
1
0
Fork 0
Code Issues Pull-Requests Projekte Releases Pakete Wiki Aktivität

Added check on SSL

Quellcode durchsuchen
Dieser Commit ist enthalten in:
timo 2017-05-09 17:20:59 +02:00
Ursprung 7ce0537ce8
Commit 8d66bf093e
1 geänderte Dateien mit 23 neuen und 7 gelöschten Zeilen
Statistiken anzeigen Patch-Datei herunterladen Diff-Datei herunterladen Alle Dateien ausklappen Alle Dateien einklappen

30
docs/firststeps-ssl.md
Datei anzeigen

@ -1,4 +1,5 @@
mailcow dockerized comes with a snakeoil CA "mailcow" and a server certificate in `data/assets/ssl`. Please use your own trusted certificates.
!!! warning
mailcow dockerized comes with a snakeoil CA "mailcow" and a server certificate in `data/assets/ssl`. Please use your own trusted certificates.
mailcow uses **at least** 3 domain names that should be covered by your new certificate:
@ -6,21 +7,21 @@ mailcow uses **at least** 3 domain names that should be covered by your new cert
- autodiscover.**example.org**
- autoconfig.**example.org**
### Let's Encrypt
## Let's Encrypt
This is just an example of how to obtain certificates with certbot. There are several methods!
1\. Get the certbot client:
### 1\. Get the certbot client:
``` bash
wget https://dl.eff.org/certbot-auto -O /usr/local/sbin/certbot && chmod +x /usr/local/sbin/certbot
```
2\. Make sure you set `HTTP_BIND=0.0.0.0` and `HTTP_PORT=80` in `mailcow.conf` or setup a reverse proxy to enable connections to port 80. If you changed HTTP_BIND, then rebuild Nginx:
### 2\. Make sure you set `HTTP_BIND=0.0.0.0` and `HTTP_PORT=80` in `mailcow.conf` or setup a reverse proxy to enable connections to port 80. If you changed HTTP_BIND, then rebuild Nginx:
``` bash
docker-compose up -d
```
3\. Request the certificate with the webroot method:
### 3\. Request the certificate with the webroot method:
``` bash
cd /path/to/git/clone/mailcow-dockerized
source mailcow.conf
@ -37,7 +38,7 @@ certbot certonly \
!!! warning
Remember to replace the example.org domain with your own domain, this command will not work if you dont.
4\. Create hard links to the full path of the new certificates. Assuming you are still in the mailcow root folder:
### 4\. Create hard links to the full path of the new certificates. Assuming you are still in the mailcow root folder:
``` bash
mv data/assets/ssl/cert.{pem,pem.backup}
mv data/assets/ssl/key.{pem,pem.backup}
@ -45,9 +46,24 @@ ln $(readlink -f /etc/letsencrypt/live/${MAILCOW_HOSTNAME}/fullchain.pem) data/a
ln $(readlink -f /etc/letsencrypt/live/${MAILCOW_HOSTNAME}/privkey.pem) data/assets/ssl/key.pem
```
5\. Restart affected containers:
### 5\. Restart affected containers:
```
docker-compose restart postfix-mailcow dovecot-mailcow nginx-mailcow
```
When renewing certificates, run the last two steps (link + restart) as post-hook in a script.
## Check your configuration
To check if nginx serves the correct certificate, simply use a browser of your choice and check the displayed certificate.
To check the certificate served by dovecot or postfix we will use `openssl`:
```
# Connect via SMTP (25)
openssl s_client -starttls smtp -crlf -connect mx.mailcow.email:25
# Connect via SMTPS (465)
openssl s_client -showcerts -connect mx.mailcow.email:465
# Connect via SUBMISSION (587)
openssl s_client -starttls smtp -crlf -connect mx.mailcow.email:587
```