From a8b8b9d7b289796303f45d7a311a6b19b0f4514f Mon Sep 17 00:00:00 2001 From: Gravity <18413674+grravity@users.noreply.github.com> Date: Tue, 13 Oct 2020 20:29:56 -0400 Subject: [PATCH 01/11] Added headers, and new resources Added headers to the advanced dns configuration table as well as dkim spft and dmarc sections, for better readability and clarity, as well as to match the top portion which has headers. Also added MultiRBL.valli.org as a resource for testing DNSBL, RBL, and FCrDNS. And lastly added Postmark as an alternative suggestion for gmail's postmaster under misc. --- docs/prerequisite-dns.md | 31 ++++++++++++++++++------------- 1 file changed, 18 insertions(+), 13 deletions(-) diff --git a/docs/prerequisite-dns.md b/docs/prerequisite-dns.md index a5f29fdbf..d37d7ef3b 100644 --- a/docs/prerequisite-dns.md +++ b/docs/prerequisite-dns.md @@ -31,18 +31,21 @@ autoconfig IN CNAME mail In the example DNS zone file snippet below, a simple **SPF** TXT record is used to only allow THIS server (the MX) to send mail for your domain. Every other server is disallowed but able to ("`~all`"). Please refer to [SPF Project](http://www.open-spf.org/) for further reading. ``` +# Name Type Value @ IN TXT "v=spf1 mx a -all" ``` It is highly recommended to create a **DKIM** TXT record in your mailcow UI and set the corresponding TXT record in your DNS records. Please refer to [OpenDKIM](http://www.opendkim.org) for further reading. ``` +# Name Type Value dkim._domainkey IN TXT "v=DKIM1; k=rsa; t=s; s=email; p=..." ``` The last step in protecting yourself and others is the implementation of a **DMARC** TXT record, for example by using the [DMARC Assistant](http://www.kitterman.com/dmarc/assistant.html) ([check](https://dmarcian.com/dmarc-inspector/google.com)). ``` +# Name Type Value _dmarc IN TXT "v=DMARC1; p=reject; rua=mailto:mailauth-reports@example.org" ``` 
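Review bot: the `# Name Type Value` header lines added to the SPF, DKIM and DMARC blocks use `#`, but the surrounding snippets are written in zone-file syntax where the comment character is `;` (a `#` line is a syntax error if the block is pasted into a BIND-style zone file). Either use `; Name Type Value` or make clear the blocks are illustrative, not paste-able. Also, the unchanged SPF paragraph in this hunk says every other server is "disallowed but able to (`~all`)" while the record below it ends in `-all`; these should agree, since `~all` is softfail and `-all` is hardfail.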
@@ -51,18 +54,19 @@ _dmarc IN TXT "v=DMARC1; p=reject; rua=mailto:mailauth-reports@ **SRV** records specify the server(s) for a specific protocol on your domain. If you want to explicitly announce a service as not provided, give "." as the target address (instead of "mail.example.org."). Please refer to [RFC 2782](https://tools.ietf.org/html/rfc2782). ``` -_imap._tcp IN SRV 0 1 143 mail.example.org. -_imaps._tcp IN SRV 0 1 993 mail.example.org. -_pop3._tcp IN SRV 0 1 110 mail.example.org. -_pop3s._tcp IN SRV 0 1 995 mail.example.org. -_submission._tcp IN SRV 0 1 587 mail.example.org. -_smtps._tcp IN SRV 0 1 465 mail.example.org. -_sieve._tcp IN SRV 0 1 4190 mail.example.org. -_autodiscover._tcp IN SRV 0 1 443 mail.example.org. -_carddavs._tcp IN SRV 0 1 443 mail.example.org. -_carddavs._tcp IN TXT "path=/SOGo/dav/" -_caldavs._tcp IN SRV 0 1 443 mail.example.org. -_caldavs._tcp IN TXT "path=/SOGo/dav/" +# Name Type Priority Weight Port Value +_imap._tcp IN SRV 0 1 143 mail.example.org. +_imaps._tcp IN SRV 0 1 993 mail.example.org. +_pop3._tcp IN SRV 0 1 110 mail.example.org. +_pop3s._tcp IN SRV 0 1 995 mail.example.org. +_submission._tcp IN SRV 0 1 587 mail.example.org. +_smtps._tcp IN SRV 0 1 465 mail.example.org. +_sieve._tcp IN SRV 0 1 4190 mail.example.org. +_autodiscover._tcp IN SRV 0 1 443 mail.example.org. +_carddavs._tcp IN SRV 0 1 443 Mail.example.org. +_carddavs._tcp IN TXT "path=/SOGo/dav/" +_caldavs._tcp IN SRV 0 1 443 mail.example.org. +_caldavs._tcp IN TXT "path=/SOGo/dav/" ``` ## Testing 
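Review bot: the rewritten `_carddavs._tcp IN SRV 0 1 443 Mail.example.org.` line capitalizes the target while every other SRV line in the block uses `mail.example.org.`. DNS names are case-insensitive, so nothing breaks, but readers copy these blocks into real zone files and the odd capitalization reads like a typo; keep it lowercase for consistency.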
@@ -73,10 +77,11 @@ Here are some tools you can use to verify your DNS configuration: - [port25.com](https://www.port25.com/dkim-wizard/) (DKIM, SPF) - [Mail-tester](https://www.mail-tester.com/) (DKIM, DMARC, SPF) - [DMARC Analyzer](https://www.dmarcanalyzer.com/spf/checker/) (DMARC, SPF) +- [MultiRBL.valli.org](http://multirbl.valli.org/) (DNSBL, RBL, FCrDNS) ## Misc -If you are interested in statistics, you can additionally register with the [Postmaster Tool](https://gmail.com/postmaster) by Google and supply a **google-site-verification** TXT record, which will give you details about spam-classified mails by your domain. This is clearly optional. +If you are interested in statistics, you can additionally register with the [Postmaster Tool](https://gmail.com/postmaster) by Google and supply a **google-site-verification** TXT record, which will give you details about spam-classified mails by your domain. Another alternative service is [Postmark](https://dmarc.postmarkapp.com) These are clearly optional. ``` @ IN TXT "google-site-verification=..." From 1d536f7850edbcfa1ed3b0b5b6eb383b978b3b1a Mon Sep 17 00:00:00 2001 From: Gravity <18413674+grravity@users.noreply.github.com> Date: Tue, 13 Oct 2020 21:04:40 -0400 Subject: [PATCH 02/11] Edited DMARC with more resources, and added table - Edited DMARC section with more resources than my original PR. - Moved some stuff around and added in the DMARC section. - Added a table to the DMARC section to match the above. --- docs/prerequisite-dns.md | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/docs/prerequisite-dns.md b/docs/prerequisite-dns.md index d37d7ef3b..7c29aec89 100644 --- a/docs/prerequisite-dns.md +++ b/docs/prerequisite-dns.md 
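Review bot: in the Misc hunk the sentence `Another alternative service is [Postmark](https://dmarc.postmarkapp.com) These are clearly optional.` is missing the full stop after the link. The sentence also presents Postmark as an alternative to supplying a `google-site-verification` TXT record, but the linked service (`dmarc.postmarkapp.com`) is a DMARC report processor, not a domain-verification mechanism; phrase it as a DMARC reporting service rather than an alternative to the Google TXT record.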
@@ -81,10 +81,27 @@ Here are some tools you can use to verify your DNS configuration: ## Misc -If you are interested in statistics, you can additionally register with the [Postmaster Tool](https://gmail.com/postmaster) by Google and supply a **google-site-verification** TXT record, which will give you details about spam-classified mails by your domain. Another alternative service is [Postmark](https://dmarc.postmarkapp.com) These are clearly optional. +### Optional DMARC Statistics +If you are interested in statistics, you can additionally register with some of the many below DMARC statistic services, or self-host your own. + +**NOTE:** It is worth considering that if you request DMARC statistic reports to your Mailcow server, if there are issues with that domain you may not get accurate results. You can consider using an alternative email domain for recieving DMARC reports. + +- [Postmaster Tool](https://gmail.com/postmaster) +- [parsedmarc](https://github.com/domainaware/parsedmarc) (self-hosted) +- [Fraudmarc](https://fraudmarc.com/) +- [Postmark](https://dmarc.postmarkapp.com) +- [Dmarcian](https://dmarcian.com/) + +The services should provide you with a TXT record, which will give you details about spam-classified mails by your domain. +Using Google Postmaster as an example: ``` + +# Name Type Value + @ IN TXT "google-site-verification=..." + ``` + [^1]: A **Fully Qualified Domain Name** (**FQDN**) is the complete (absolute) domain name for a specific computer or host, on the Internet. The FQDN consists of at least three parts divided by a dot: the hostname (myhost), the domain name (mydomain) and the top level domain in short **tld** (com). In the example of `mx.mailcow.email` the hostname would be `mx`, the domain name 'mailcow' and the tld `email`. From a50b53bd9d02b7625b7bbd14c960acb6a7f66d5f Mon Sep 17 00:00:00 2001 
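Review bot: the NOTE about sending DMARC reports to a different domain should mention the external-destination requirement: when `rua=` points at a mailbox on a domain other than the one publishing the DMARC record, the report-receiving domain has to publish an authorization TXT record (`<policy-domain>._report._dmarc.<report-domain>` with `v=DMARC1`, RFC 7489 section 7.1), otherwise report generators discard the reports. Smaller points in the same hunk: "recieving" should be "receiving"; the blank `+` lines inside the fenced block (before `# Name Type Value` and after the `@ IN TXT` line) render as empty lines in the code block; and "The services should provide you with a TXT record, which will give you details about spam-classified mails" conflates the two steps, since the TXT record only proves domain ownership to the service and the statistics come from the service's reports.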
From: Gravity <18413674+grravity@users.noreply.github.com> Date: Tue, 13 Oct 2020 21:09:07 -0400 Subject: [PATCH 03/11] Minor edit to DMARC stats section --- docs/prerequisite-dns.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/prerequisite-dns.md b/docs/prerequisite-dns.md index 7c29aec89..3296ea577 100644 --- a/docs/prerequisite-dns.md +++ b/docs/prerequisite-dns.md @@ -103,5 +103,6 @@ Using Google Postmaster as an example: ``` +However, ensure to read documentation from the service you choose, as this process may vary. [^1]: A **Fully Qualified Domain Name** (**FQDN**) is the complete (absolute) domain name for a specific computer or host, on the Internet. The FQDN consists of at least three parts divided by a dot: the hostname (myhost), the domain name (mydomain) and the top level domain in short **tld** (com). In the example of `mx.mailcow.email` the hostname would be `mx`, the domain name 'mailcow' and the tld `email`. From ed4e12f2e2d11c745aec85df9d6e879294f3ad4e Mon Sep 17 00:00:00 2001 From: Gravity <18413674+grravity@users.noreply.github.com> Date: Tue, 13 Oct 2020 21:12:14 -0400 Subject: [PATCH 04/11] Removed line breaks from dmarc & added a reference --- docs/prerequisite-dns.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/prerequisite-dns.md b/docs/prerequisite-dns.md index 3296ea577..73f085cf1 100644 --- a/docs/prerequisite-dns.md +++ b/docs/prerequisite-dns.md 
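Review bot: the added line `However, ensure to read documentation from the service you choose, as this process may vary.` is ungrammatical; suggest "However, make sure you read the documentation of the service you choose, as the process may vary." Combined with PATCH 02 this is the third small revision of the same paragraph, so squashing these commits would give a cleaner history.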
@@ -8,6 +8,9 @@ Below you can find a list of **recommended DNS records**. While some are mandato ["Best Practices on Email Protection: SPF, DKIM and DMARC"](https://wiki.zimbra.com/wiki/Best_Practices_on_Email_Protection:_SPF,_DKIM_and_DMARC) - An in-depth discussion of SPF, DKIM and DMARC: ["How to eliminate spam and protect your name with DMARC"](https://www.skelleton.net/2015/03/21/how-to-eliminate-spam-and-protect-your-name-with-dmarc/) +- A thorough guide on DMARC +[Demystifying DMARC: A guide to preventing email spoofing](https://seanthegeek.net/459/demystifying-dmarc/) + ## Reverse DNS of your IP @@ -96,11 +99,9 @@ The services should provide you with a TXT record, which will give you details a Using Google Postmaster as an example: ``` - # Name Type Value @ IN TXT "google-site-verification=..." - ``` However, ensure to read documentation from the service you choose, as this process may vary. From 75d481fa1121ba153ce59c4ed2eaabe893fe43d4 Mon Sep 17 00:00:00 2001 From: Gravity <18413674+grravity@users.noreply.github.com> Date: Wed, 14 Oct 2020 09:57:48 -0400 Subject: [PATCH 05/11] Added missing quotes and colan to new reference --- docs/prerequisite-dns.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/prerequisite-dns.md b/docs/prerequisite-dns.md index 73f085cf1..e89fc6393 100644 --- a/docs/prerequisite-dns.md +++ b/docs/prerequisite-dns.md 
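Review bot: the new reference item `- A thorough guide on DMARC` followed by `[Demystifying DMARC: ...]` does not follow the format of the two items above it, which end the description with a colon and put the linked title in quotes; PATCH 05 later corrects exactly this, so the two commits should be squashed. The second hunk, removing the stray blank lines inside the Postmaster code block, is the right fix for the rendering issue introduced in PATCH 02.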
@@ -8,8 +8,8 @@ Below you can find a list of **recommended DNS records**. While some are mandato ["Best Practices on Email Protection: SPF, DKIM and DMARC"](https://wiki.zimbra.com/wiki/Best_Practices_on_Email_Protection:_SPF,_DKIM_and_DMARC) - An in-depth discussion of SPF, DKIM and DMARC: ["How to eliminate spam and protect your name with DMARC"](https://www.skelleton.net/2015/03/21/how-to-eliminate-spam-and-protect-your-name-with-dmarc/) -- A thorough guide on DMARC -[Demystifying DMARC: A guide to preventing email spoofing](https://seanthegeek.net/459/demystifying-dmarc/) +- A thorough guide on understanding DMARC: +["Demystifying DMARC: A guide to preventing email spoofing"](https://seanthegeek.net/459/demystifying-dmarc/) ## Reverse DNS of your IP From fb8c386dff2a96fed67de602a3e185bb968b7534 Mon Sep 17 00:00:00 2001 From: heavygale Date: Tue, 20 Oct 2020 21:32:00 +0200 Subject: [PATCH 06/11] Some fixes and improvements Fixed broken links and listings, some minor typos, and some added information. --- docs/debug-attach_service.md | 2 ++ docs/debug-common_problems.md | 6 ++--- docs/firststeps-rspamd_ui.md | 2 +- docs/firststeps-snat.md | 4 +--- docs/firststeps-ssl.md | 33 ++++++++++++++------------ docs/firststeps-sync_jobs_migration.md | 4 ++-- docs/i_u_m_install.md | 8 +++---- docs/prerequisite-dns.md | 8 +++---- 8 files changed, 35 insertions(+), 32 deletions(-) diff --git a/docs/debug-attach_service.md b/docs/debug-attach_service.md index e20719995..8fde69614 100644 --- a/docs/debug-attach_service.md +++ b/docs/debug-attach_service.md 
@@ -36,6 +36,8 @@ Here is a brief overview of what container / service does what: | redis-mailcow | Storage back-end for DKIM keys and Rspamd | | rspamd-mailcow | Mail filtering system. Used for av handling, dkim signing, spam handling | | clamd-mailcow | Scans attachments for viruses | +| olefy-mailcow | Scans attached office documents for macro-viruses | +| solr-mailcow | Provides full-text search in Dovecot | | sogo-mailcow | Webmail client that handles Microsoft ActiveSync and Cal- / CardDav | | nginx-mailcow | Nginx remote proxy that handles all mailcow related HTTP / HTTPS requests | | acme-mailcow | Automates HTTPS (SSL/TLS) certificate deployment | diff --git a/docs/debug-common_problems.md b/docs/debug-common_problems.md index 7954a4529..dbc5ace30 100644 --- a/docs/debug-common_problems.md +++ b/docs/debug-common_problems.md @@ -10,7 +10,7 @@ Please check in your mailcow UI if you made the domain a **backup MX**: There are a lot of things that could prevent you from sending mail: -- Check if your IP is on any blacklists. You could use [dnsbl.info](http://www.dnsbl.info/) or any other similar service to check for your IP. +- Check if your IP address is on any blacklists. You could use [dnsbl.info](http://www.dnsbl.info/) or any other similar service to check for your IP address. - There are some consumer ISP routers out there, that block mail ports for non whitelisted domains. Please check if you can reach your server on the ports `465` or `587`: ``` 
@@ -40,7 +40,7 @@ This error tries to tell you that one of the (health) conditions for a certain c A wrong configured firewall could also cause such a failure. The containers need to be able to talk to each other over the network 172.22.1.1/24. -It might also be wrongly linked file (i.e. SSL certificate) that prevents a crucial container (nginx) from starting, so always check your logs to get an Idea where your problem is coming from. +It might also be wrongly linked file (i.e. SSL certificate) that prevents a crucial container (nginx) from starting, so always check your logs to get an idea where your problem is coming from. ## Address already in use @@ -51,7 +51,7 @@ If you get an error message like: ERROR: for postfix-mailcow Cannot start service postfix-mailcow: driver failed programming external connectivity on endpoint mailcowdockerized_postfix-mailcow_1: Error starting userland proxy: listen tcp 0.0.0.0:25: bind: address already in use ``` -while trying to start / install mailcow: dockerized, make sure you've followed our section on the [prerequisites](prerequisite-system/#firewall-ports). +while trying to start / install mailcow: dockerized, make sure you've followed our section on the [prerequisites](../prerequisite-system/#firewall-ports). ## XYZ can't connect to ... diff --git a/docs/firststeps-rspamd_ui.md b/docs/firststeps-rspamd_ui.md index fb0b49a96..01ae321f1 100644 --- a/docs/firststeps-rspamd_ui.md +++ b/docs/firststeps-rspamd_ui.md @@ -1,4 +1,4 @@ -Rspamd (https://rspamd.com/webui/) is an easy to use spam filtering tool presently installed with mailcow. +[Rspamd](https://rspamd.com/) is an easy to use spam filtering tool presently installed with mailcow. 1. Go to the mailcow web admin interface 2. Navigate to the Access tab. (Configuration > Administration > Access) diff --git a/docs/firststeps-snat.md b/docs/firststeps-snat.md index 3f6179b7e..bdaf53b2e 100644 --- a/docs/firststeps-snat.md +++ b/docs/firststeps-snat.md 
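Review bot: the `@@ -40,7` hunk only changes "Idea" to "idea" but leaves the rest of the sentence broken: `It might also be wrongly linked file (i.e. SSL certificate)` is missing the article ("a wrongly linked file") and "i.e." should be "e.g.", since a certificate is one example of such a file, not the definition. The relative link change in the `@@ -51,7` hunk (`prerequisite-system/` to `../prerequisite-system/`) is correct for a page that lives in its own directory when served by mkdocs.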
@@ -1,7 +1,5 @@ -## SNAT - SNAT is used to change the source address of the packets sent by mailcow. -It can be used to change the outgoing IP on systems with multiple IP addresses. +It can be used to change the outgoing IP address on systems with multiple IP addresses. Open `mailcow.conf`, set either or both of the following parameters: diff --git a/docs/firststeps-ssl.md b/docs/firststeps-ssl.md index 0d9176ac7..8fc2a1656 100644 --- a/docs/firststeps-ssl.md +++ b/docs/firststeps-ssl.md @@ -4,10 +4,10 @@ The "acme-mailcow" container will try to obtain a LE certificate for `${MAILCOW_ !!! warning mailcow **must** be available on port 80 for the acme-client to work. Our reverse proxy example configurations do cover that. You can also use any external ACME client (certbot for example) to obtain certificates, but you will need to make sure, that they are copied to the correct location and a post-hook reloads affected containers. See more in the Reverse Proxy documentation. - + By default, which means **0 domains** are added to mailcow, it will try to obtain a certificate for `${MAILCOW_HOSTNAME}`. -For each domain you add, it will try to resolve `autodiscover.ADDED_MAIL_DOMAIN` and `autoconfig.ADDED_MAIL_DOMAIN` to its IPv6 or - if IPv6 is not configured in your domain - IPv4 address. If it succeeds, a name will be added as SAN to the certificate request. +For each domain you add, it will try to resolve `autodiscover.ADDED_MAIL_DOMAIN` and `autoconfig.ADDED_MAIL_DOMAIN` to its IPv6 address or - if IPv6 is not configured in your domain - IPv4 address. If it succeeds, a name will be added as SAN to the certificate request. Only names that can be validated, will be added as SAN. 
@@ -25,7 +25,7 @@ Do not use quotes (`"`) and do not use spaces between the names! ADDITIONAL_SAN=smtp.*,cert1.example.com,cert2.example.org,whatever.* ``` -Each name will be validated against its IPv6 or - if IPv6 is not configured in your domain - IPv4 address. +Each name will be validated against its IPv6 address or - if IPv6 is not configured in your domain - IPv4 address. A wildcard name like `smtp.*` will try to obtain a smtp.DOMAIN_NAME SAN for each domain added to mailcow. 
@@ -47,9 +47,9 @@ The file will be deleted automatically. ### Validation errors and how to skip validation -You can skip the **IP verification** by setting `SKIP_IP_CHECK=y` in mailcow.conf (no quotes). Be warned that a misconfiguration will get you ratelimited by Let's Encrypt! This is primarily useful for multi-IP setups where the IP check would return the incorrect source IP. Due to using dynamic IPs for acme-mailcow, source NAT is not consistent over restarts. +You can skip the **IP verification** by setting `SKIP_IP_CHECK=y` in mailcow.conf (no quotes). Be warned that a misconfiguration will get you ratelimited by Let's Encrypt! This is primarily useful for multi-IP setups where the IP check would return the incorrect source IP address. Due to using dynamic IPs for acme-mailcow, source NAT is not consistent over restarts. -If you encounter problems with "HTTP validation", but your IP confirmation succeeds, you are most likely using firewalld, ufw or any other firewall, that disallows connections from `br-mailcow` to your external interface. Both firewalld and ufw disallow this by default. It is often not enough to just stop these firewall services. You'd need to stop mailcow (`docker-compose down`), stop the firewall service, flush the chains and restart Docker. +If you encounter problems with "HTTP validation", but your IP address confirmation succeeds, you are most likely using firewalld, ufw or any other firewall, that disallows connections from `br-mailcow` to your external interface. Both firewalld and ufw disallow this by default. It is often not enough to just stop these firewall services. You'd need to stop mailcow (`docker-compose down`), stop the firewall service, flush the chains and restart Docker. You can also skip this validation method by setting `SKIP_HTTP_VERIFICATION=y` in "mailcow.conf". Be warned that this is discouraged. 
In most cases, the HTTP verification is skipped to workaround unknown NAT reflection issues, which are not resolved by ignoring this specific network misconfiguration. If you encounter problems generating TLSA records in the DNS overview within mailcow, you are most likely having issues with NAT reflection you should fix. @@ -73,9 +73,10 @@ By default, "acme-mailcow" will create a single SAN certificate for all validate This provides best compatibility but means the Let's Encrypt limit exceeds if you add too many domains to a single mailcow installation. To solve this, you can configure `ENABLE_SSL_SNI` to generate: -* A main server certificate with `MAILCOW_HOSTNAME` and all fully qualified domain names in the `ADDITIONAL_SAN` config -* One additional certificate for each domain found in the database with autodiscover.*, autoconfig.* and any other `ADDITIONAL_SAN` configured in this format (subdomain.*). -* Limitations: A certificate name `ADDITIONAL_SAN=test.example.com` will be added as SAN to the main certificate. A separate certificate/key pair will **not** be generated for this format. + +- A main server certificate with `MAILCOW_HOSTNAME` and all fully qualified domain names in the `ADDITIONAL_SAN` config +- One additional certificate for each domain found in the database with autodiscover.*, autoconfig.* and any other `ADDITIONAL_SAN` configured in this format (subdomain.*). +- Limitations: A certificate name `ADDITIONAL_SAN=test.example.com` will be added as SAN to the main certificate. A separate certificate/key pair will **not** be generated for this format. Postfix, Dovecot and Nginx will then serve these certificates with SNI. 
@@ -86,14 +87,16 @@ Set `ENABLE_SSL_SNI=y` in "mailcow.conf" and recreate "acme-mailcow" by running You should make sure these clients use the `MAILCOW_HOSTNAME` for secure connections if you enable this feature. Here is an example: -* `MAILCOW_HOSTNAME=server.email.tld` -* `ADDITIONAL_SAN=webmail.email.tld,mail.*` -* Mailcow email domains: "domain1.tld" and "domain2.tld" + +- `MAILCOW_HOSTNAME=server.email.tld` +- `ADDITIONAL_SAN=webmail.email.tld,mail.*` +- Mailcow email domains: "domain1.tld" and "domain2.tld" The following certificates will be generated: -* `server.email.tld, webmail.email.tld` -> this is the default certificate, all clients can connect with these domains -* `mail.domain1.tld, autoconfig.domain1.tld, autodiscover.domain1.tld` -> individual certificate for domain1.tld, cannot be used by clients without SNI support -* `mail.domain2.tld, autoconfig.domain2.tld, autodiscover.domain2.tld` -> individual certificate for domain2.tld, cannot be used by clients without SNI support + +- `server.email.tld, webmail.email.tld` -> this is the default certificate, all clients can connect with these domains +- `mail.domain1.tld, autoconfig.domain1.tld, autodiscover.domain1.tld` -> individual certificate for domain1.tld, cannot be used by clients without SNI support +- `mail.domain2.tld, autoconfig.domain2.tld, autodiscover.domain2.tld` -> individual certificate for domain2.tld, cannot be used by clients without SNI support ### How to use your own certificate @@ -111,7 +114,7 @@ docker restart $(docker ps -qaf name=nginx-mailcow) docker restart $(docker ps -qaf name=dovecot-mailcow) ``` -See https://mailcow.github.io/mailcow-dockerized-docs/firststeps-rp/#optional-post-hook-script-for-non-mailcow-acme-clients for a full example script. +See [Post-hook script for non-mailcow ACME clients](../firststeps-rp/#optional-post-hook-script-for-non-mailcow-acme-clients) for a full example script. ### Test against staging ACME directory 
diff --git a/docs/firststeps-sync_jobs_migration.md b/docs/firststeps-sync_jobs_migration.md index 120118498..a519461f4 100644 --- a/docs/firststeps-sync_jobs_migration.md +++ b/docs/firststeps-sync_jobs_migration.md @@ -10,7 +10,7 @@ Sync jobs are used to copy or move existing emails from an external IMAP server 3. Fill in the "Host" and "Port" fields with their respective correct values from the upstream IMAP server. -4. In the "Username" and 'Password" fields, supply the correct access credentials from the upstream IMAP server. +4. In the "Username" and "Password" fields, supply the correct access credentials from the upstream IMAP server. 5. Select the "Encryption Method". If the upstream IMAP server uses port 143, it is likely that the encryption method is TLS and SSL for port 993. Nevertheless, you can use PLAIN authentication, but it is stongly discouraged. @@ -19,4 +19,4 @@ Sync jobs are used to copy or move existing emails from an external IMAP server 7. Make sure to tick "Active" and click "Add". !!! info - Once Completed, log into the mailbox and check if all emails are imported correctly. If all goes well, All your mails shall end up in your new mailbox. And don't forget to delete or deactivate the sync job after it is used. \ No newline at end of file + Once Completed, log into the mailbox and check if all emails are imported correctly. If all goes well, all your mails shall end up in your new mailbox. And don't forget to delete or deactivate the sync job after it is used. \ No newline at end of file diff --git a/docs/i_u_m_install.md b/docs/i_u_m_install.md index d30d69eb3..62a333752 100644 --- a/docs/i_u_m_install.md +++ b/docs/i_u_m_install.md 
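Review bot: the `@@ -19,4` hunk fixes "All your mails" but keeps `Once Completed` with a capital C in the same sentence; lower-case it while the line is being touched. In the `@@ -10,7` hunk the context line two lines below the change still reads "it is stongly discouraged" ("strongly"), which is exactly the kind of typo this commit sets out to fix.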
@@ -22,7 +22,7 @@ systemctl start docker.service !!! warning **mailcow requires the latest version of docker-compose.** It is highly recommended to use the commands below to install `docker-compose`. Package managers (e.g. `apt`, `yum`) **likely won't** give you the latest version. _Note: This command downloads docker-compose from the official Docker Github repository and is a safe method. The snippet will determine the latest supported version by mailcow. In almost all cases this is the latest version available (exceptions are broken releases or major changes not yet supported by mailcow)._ - + ``` curl -L https://github.com/docker/compose/releases/download/$(curl -Ls https://www.servercow.de/docker-compose/latest.php)/docker-compose-$(uname -s)-$(uname -m) > /usr/local/bin/docker-compose chmod +x /usr/local/bin/docker-compose @@ -108,7 +108,7 @@ networks: If you do not have an IPv6 enabled network on your host and you don't care for a better internet (thehe), it is recommended to [disable IPv6](https://mailcow.github.io/mailcow-dockerized-docs/firststeps-disable_ipv6/) for the mailcow network to prevent unforeseen issues. -**5\.** Pull the images and run the composer file. The parameter `-d` will start mailcow: dockerized detached: +**5\.** Pull the images and run the compose file. The parameter `-d` will start mailcow: dockerized detached: ``` docker-compose pull docker-compose up -d @@ -118,8 +118,8 @@ Done! You can now access **https://${MAILCOW_HOSTNAME}** with the default credentials `admin` + password `moohoo`. - !!! info - If you are not using mailcow behind a reverse proxy, you should [redirect all HTTP requests to HTTPS](https://mailcow.github.io/mailcow-dockerized-docs/u_e-80_to_443/). +!!! info + If you are not using mailcow behind a reverse proxy, you should [redirect all HTTP requests to HTTPS](https://mailcow.github.io/mailcow-dockerized-docs/u_e-80_to_443/). The database will be initialized right after a connection to MySQL can be established. 
diff --git a/docs/prerequisite-dns.md b/docs/prerequisite-dns.md index a5f29fdbf..2812cd6d9 100644 --- a/docs/prerequisite-dns.md +++ b/docs/prerequisite-dns.md @@ -9,9 +9,9 @@ Below you can find a list of **recommended DNS records**. While some are mandato - An in-depth discussion of SPF, DKIM and DMARC: ["How to eliminate spam and protect your name with DMARC"](https://www.skelleton.net/2015/03/21/how-to-eliminate-spam-and-protect-your-name-with-dmarc/) -## Reverse DNS of your IP +## Reverse DNS of your IP address -Make sure that the PTR record of your IP matches the FQDN of your mailcow host: `${MAILCOW_HOSTNAME}` [^1]. This record is usually set at the provider you leased the IP (server) from. +Make sure that the PTR record of your IP address matches the FQDN of your mailcow host: `${MAILCOW_HOSTNAME}` [^1]. This record is usually set at the provider you leased the IP address (server) from. ## The minimal DNS configuration @@ -31,7 +31,7 @@ autoconfig IN CNAME mail In the example DNS zone file snippet below, a simple **SPF** TXT record is used to only allow THIS server (the MX) to send mail for your domain. Every other server is disallowed but able to ("`~all`"). Please refer to [SPF Project](http://www.open-spf.org/) for further reading. ``` -@ IN TXT "v=spf1 mx a -all" +@ IN TXT "v=spf1 mx -all" ``` It is highly recommended to create a **DKIM** TXT record in your mailcow UI and set the corresponding TXT record in your DNS records. Please refer to [OpenDKIM](http://www.opendkim.org) for further reading. 
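Review bot: changing `"v=spf1 mx a -all"` to `"v=spf1 mx -all"` is a semantic change, not a typo fix, and the commit message ("Some fixes and improvements") does not explain it. Dropping the `a` mechanism means the host behind the apex A record is no longer authorized to send; in the usual mailcow layout (apex A and `mail` A pointing at the same host that is also the MX) this is harmless, but anyone sending from a web host on the apex will now fail SPF with a hardfail policy. Either justify the change in the commit message or keep the original record. Separately, the unchanged prose just above the record still says "disallowed but able to (`~all`)", which contradicts the `-all` in the record; one of them should change.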
@@ -82,4 +82,4 @@ If you are interested in statistics, you can additionally register with the [Pos @ IN TXT "google-site-verification=..." ``` -[^1]: A **Fully Qualified Domain Name** (**FQDN**) is the complete (absolute) domain name for a specific computer or host, on the Internet. The FQDN consists of at least three parts divided by a dot: the hostname (myhost), the domain name (mydomain) and the top level domain in short **tld** (com). In the example of `mx.mailcow.email` the hostname would be `mx`, the domain name 'mailcow' and the tld `email`. +[^1]: A **Fully Qualified Domain Name** (**FQDN**) is the complete (absolute) domain name for a specific computer or host, on the Internet. The FQDN consists of at least three parts divided by a dot: the hostname (myhost), the domain name (mydomain) and the top level domain in short **tld** (com). In the example of `mx.mailcow.email` the hostname would be `mx`, the domain name `mailcow` and the tld `email`. From 5404be00dade27f3f760362c12bd1b09f0cda07b Mon Sep 17 00:00:00 2001 From: Gravity <18413674+grravity@users.noreply.github.com> Date: Sat, 24 Oct 2020 14:16:31 -0400 Subject: [PATCH 07/11] Changes to DMARC and Added FQDN header - Removed the Google Postmaster TXT record example - Increased clarity to follow the DMARC statistics guide to deploying, as they may not all utilize TXT files and the process can vary per service or tool. - Increased clarity that other services and tools are available for DMARC statistics than just the listed few - Add a header to FQDN for separation from the DMARC section under Misc. --- docs/prerequisite-dns.md | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/docs/prerequisite-dns.md b/docs/prerequisite-dns.md index e89fc6393..bc975841f 100644 --- a/docs/prerequisite-dns.md +++ b/docs/prerequisite-dns.md 
@@ -89,21 +89,15 @@ If you are interested in statistics, you can additionally register with some of **NOTE:** It is worth considering that if you request DMARC statistic reports to your Mailcow server, if there are issues with that domain you may not get accurate results. You can consider using an alternative email domain for recieving DMARC reports. +It is worth mentioning, that the following suggestions are not a comprehensive list of all services and tools avaialble, but only a small few of the many choices. + - [Postmaster Tool](https://gmail.com/postmaster) - [parsedmarc](https://github.com/domainaware/parsedmarc) (self-hosted) - [Fraudmarc](https://fraudmarc.com/) - [Postmark](https://dmarc.postmarkapp.com) - [Dmarcian](https://dmarcian.com/) -The services should provide you with a TXT record, which will give you details about spam-classified mails by your domain. -Using Google Postmaster as an example: - -``` -# Name Type Value - -@ IN TXT "google-site-verification=..." -``` - -However, ensure to read documentation from the service you choose, as this process may vary. +**NOTE:** The services may provide you with a TXT record, which you would insert into your DNS records as the provider specifies. This record will give you details about spam-classified mails by your domain. However, please ensure to read the providers documentation from the service you choose, as this process may vary and not all providers may use a TXT record. +### Fully Qualified Domain Name (FQDN) [^1]: A **Fully Qualified Domain Name** (**FQDN**) is the complete (absolute) domain name for a specific computer or host, on the Internet. The FQDN consists of at least three parts divided by a dot: the hostname (myhost), the domain name (mydomain) and the top level domain in short **tld** (com). In the example of `mx.mailcow.email` the hostname would be `mx`, the domain name 'mailcow' and the tld `email`. From 1dafbccff2b3e060e9f296d1d08507e673b90e53 Mon Sep 17 00:00:00 2001 
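Review bot: the new `### Fully Qualified Domain Name (FQDN)` heading is placed directly above the `[^1]:` footnote definition, but Markdown footnote extensions (including the one mkdocs uses) move footnote definitions to the bottom of the page, so this heading will render with nothing under it. If a visible FQDN section is wanted, its text needs to be ordinary prose, with the footnote kept separately. Also in this hunk: "avaialble" should be "available", "recieving" is still "receiving", and "the providers documentation" should be "the provider's documentation"; and the NOTE's claim that the TXT record "will give you details about spam-classified mails" overstates what a verification record does (it proves ownership; the statistics come from the service).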
From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Sat, 24 Oct 2020 21:52:34 +0200 Subject: [PATCH 08/11] Update u_e-dovecot-vmail-volume.md --- docs/u_e-dovecot-vmail-volume.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/docs/u_e-dovecot-vmail-volume.md b/docs/u_e-dovecot-vmail-volume.md index 40a339843..0cf07aa64 100644 --- a/docs/u_e-dovecot-vmail-volume.md +++ b/docs/u_e-dovecot-vmail-volume.md @@ -2,10 +2,12 @@ If you want to use another folder for the vmail-volume, you can create a `docker ``` version: '2.1' -services: - dovecot-mailcow: - volumes: - - /data/mailcow/vmail:/var/vmail +volumes: + vmail-vol-1: + driver_opts: + type: none + device: /data/mailcow/vmail + o: bind ``` ### Moving an existing vmail folder: From f36bf4b6c791206b542d48f0fda3e7a6369f8af7 Mon Sep 17 00:00:00 2001 From: Gravity <18413674+grravity@users.noreply.github.com> Date: Sat, 24 Oct 2020 16:01:15 -0400 Subject: [PATCH 09/11] changed capitalization --- docs/prerequisite-dns.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/prerequisite-dns.md b/docs/prerequisite-dns.md index 3b94214b8..95b5a5543 100644 --- a/docs/prerequisite-dns.md +++ b/docs/prerequisite-dns.md 
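Review bot: the override now redefines the named volume `vmail-vol-1` with `driver_opts: type: none`, `device: /data/mailcow/vmail`, `o: bind`, and the page should state two consequences that the earlier bind-mount form did not have. First, Docker's local driver does not create the `device` directory, so `/data/mailcow/vmail` must exist (with ownership the Dovecot container can use) before `docker-compose up`, or the container fails to start. Second, Docker does not re-create an existing named volume when its `driver_opts` change, so on an installation that already has a `vmail-vol-1` volume the override only takes effect after the data has been moved and the old volume removed; the "Moving an existing vmail folder" section that follows should be referenced from here for that case.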
@@ -87,7 +87,7 @@ Here are some tools you can use to verify your DNS configuration: ### Optional DMARC Statistics If you are interested in statistics, you can additionally register with some of the many below DMARC statistic services, or self-host your own. -**NOTE:** It is worth considering that if you request DMARC statistic reports to your Mailcow server, if there are issues with that domain you may not get accurate results. You can consider using an alternative email domain for recieving DMARC reports. +**NOTE:** It is worth considering that if you request DMARC statistic reports to your mailcow server, if there are issues with that domain you may not get accurate results. You can consider using an alternative email domain for recieving DMARC reports. It is worth mentioning, that the following suggestions are not a comprehensive list of all services and tools avaialble, but only a small few of the many choices. 
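Review bot: while this line is being touched for the "mailcow" capitalization, also fix "recieving" ("receiving") on the same line and the doubled condition ("if you request ... if there are issues ..."), e.g. "If you have DMARC reports sent to a mailbox on your mailcow server and that domain has delivery issues, the reports may not reach you"; "avaialble" in the context line below has the same problem.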
@@ -100,4 +100,4 @@ It is worth mentioning, that the following suggestions are not a comprehensive l **NOTE:** The services may provide you with a TXT record, which you would insert into your DNS records as the provider specifies. This record will give you details about spam-classified mails by your domain. However, please ensure to read the providers documentation from the service you choose, as this process may vary and not all providers may use a TXT record. ### Fully Qualified Domain Name (FQDN) -[^1]: A **Fully Qualified Domain Name** (**FQDN**) is the complete (absolute) domain name for a specific computer or host, on the Internet. The FQDN consists of at least three parts divided by a dot: the hostname (myhost), the domain name (mydomain) and the top level domain in short **tld** (com). In the example of `mx.mailcow.email` the hostname would be `mx`, the domain name `mailcow` and the tld `email`. \ No newline at end of file +[^1]: A **Fully Qualified Domain Name** (**FQDN**) is the complete (absolute) domain name for a specific computer or host, on the Internet. The FQDN consists of at least three parts divided by a dot: the hostname (myhost), the domain name (mydomain) and the top level domain in short **tld** (com). In the example of `mx.mailcow.email` the hostname would be `mx`, the domain name `mailcow` and the tld `email`. From 64f764d2d583b695f601553d8edf05467011d841 Mon Sep 17 00:00:00 2001 From: Matthew Frost Date: Thu, 29 Oct 2020 10:38:21 +0100 Subject: [PATCH 10/11] Update prerequisite-dns.md --- docs/prerequisite-dns.md | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/docs/prerequisite-dns.md b/docs/prerequisite-dns.md index 95b5a5543..596c84d51 100644 --- a/docs/prerequisite-dns.md +++ b/docs/prerequisite-dns.md 
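Review bot: the backtick fix and the trailing newline are fine, but the `[^1]:` footnote definition sitting under a "### Fully Qualified Domain Name (FQDN)" heading will render as an empty heading in most Markdown renderers, because footnote bodies are collected at the end of the page. Either make the definition an ordinary paragraph under that heading and keep `[^1]` as the inline reference, or drop the heading.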
@@ -99,5 +99,32 @@ It is worth mentioning, that the following suggestions are not a comprehensive l **NOTE:** The services may provide you with a TXT record, which you would insert into your DNS records as the provider specifies. This record will give you details about spam-classified mails by your domain. However, please ensure to read the providers documentation from the service you choose, as this process may vary and not all providers may use a TXT record. +### Email Test for SPF, DKIM and DMARC: + +To test send an email to the email below and wait for a reply: + +check-auth@verifier.port25.com + +You will get a report back that looks like the following: + +``` + +========================================================== +Summary of Results +========================================================== +SPF check: pass +"iprev" check: pass +DKIM check: pass +DKIM check: pass +SpamAssassin check: ham + +========================================================== +Details: +========================================================== +.... +``` +The full report will contain more technical details this is just the first section, we found this to be quite usful for testing both outgoing mail and spam scores. + + ### Fully Qualified Domain Name (FQDN) [^1]: A **Fully Qualified Domain Name** (**FQDN**) is the complete (absolute) domain name for a specific computer or host, on the Internet. The FQDN consists of at least three parts divided by a dot: the hostname (myhost), the domain name (mydomain) and the top level domain in short **tld** (com). In the example of `mx.mailcow.email` the hostname would be `mx`, the domain name `mailcow` and the tld `email`. From ca2ad569057777a7350837f8476e5eb594e8b24b Mon Sep 17 00:00:00 2001 From: Dmitriy Alekseev <1865999+dragoangel@users.noreply.github.com> Date: Thu, 29 Oct 2020 11:55:49 +0200 Subject: [PATCH 11/11] Update u_e-rspamd.md --- docs/u_e-rspamd.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) 
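Review bot: the new section heading should not end in a colon, "To test send" needs a comma ("To test, send"), "usful" is "useful", and the last sentence is a run-on ("... this is just the first section. We found ..."). The sample report lists "DKIM check: pass" twice; if that is the verifier reporting two signatures, say so, otherwise remove the duplicate so readers do not expect the line twice. The address `check-auth@verifier.port25.com` would also read better in code formatting, and the text should state that the test mail has to be sent from the domain whose SPF, DKIM and DMARC records are being checked, through the mailcow server, since the report only covers the path that one message took. Finally, drop the blank line immediately after the opening fence.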
diff --git a/docs/u_e-rspamd.md b/docs/u_e-rspamd.md index 545cd82d6..3aa0125c7 100644 --- a/docs/u_e-rspamd.md +++ b/docs/u_e-rspamd.md @@ -128,20 +128,20 @@ reject_message = "My custom reject message"; Save the file and restart Rspamd: `docker-compose restart rspamd-mailcow`. -While the above works for rejected mails with a high spam score, global maps (as found in "Global filter maps" in /admin) will ignore this setting. For these maps, the multimap module in Rspamd needs to be adjusted: +While the above works for rejected mails with a high spam score, prefilter reject actions will ignore this setting. For these maps, the multimap module in Rspamd needs to be adjusted: -1. Open `{mailcow-dir}/data/conf/rspamd/local.d/multimap.conf` and find the desired map symbol (e.g. `GLOBAL_SMTP_FROM_BL`). +1. Find prefilet reject symbol for which you want change message, to do it run: `grep -R "SYMBOL_YOU_WANT_TO_ADJUST" /opt/mailcow-dockerized/data/conf/rspamd/` 2. Add your custom message as new line: ``` -GLOBAL_SMTP_FROM_BL { - type = "from"; - message = "Your domain is blacklisted, contact postmaster@your.domain to resolve this case.";` - map = "$LOCAL_CONFDIR/custom/global_smtp_from_blacklist.map"; +GLOBAL_RCPT_BL { + type = "rcpt"; + map = "${LOCAL_CONFDIR}/custom/global_rcpt_blacklist.map"; regexp = true; prefilter = true; action = "reject"; + message = "Sending mail to this recipient is prohibited by postmaster@your.domain"; } ```
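Review bot: "prefilet" in the new step 1 is "prefilter", and the step hard-codes `/opt/mailcow-dockerized/` whereas the rest of the page uses the `{mailcow-dir}` placeholder; use the placeholder or note the assumed install path. The sentence "For these maps, the multimap module ..." now dangles, because "global maps" was replaced with "prefilter reject actions"; "For these symbols" fits. The replacement example is an improvement (it removes the stray backtick after the `message` line in the old block and places `message` next to `action`), but it would help to say that the `message` text is returned verbatim to the remote sending server in the SMTP reject, so it should carry nothing beyond a contact address, and to remind readers to restart Rspamd after editing, as the context line above does for the other file.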