diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index 0f822da69..6043970d4 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -14,14 +14,14 @@ jobs: run: | sudo apt-get -y update sudo apt-get -y install python3-pip - pip install mkdocs-material pygments==2.8.1 mkdocs-redirects + pip install mkdocs-material==7.1.5 pygments==2.9.0 mkdocs-redirects==1.0.3 - name: Build site 🔧 run: | mkdocs build --verbose --clean - name: Deploy 🚀 - uses: JamesIves/github-pages-deploy-action@4.1.1 + uses: JamesIves/github-pages-deploy-action@4.1.3 with: branch: gh-pages # The branch the action should deploy to. folder: site # The folder the action should deploy. diff --git a/README.md b/README.md index f814a2400..128e342eb 100644 --- a/README.md +++ b/README.md @@ -9,6 +9,6 @@ https://mailcow.github.io/mailcow-dockerized-docs To build it locally, you need the [Material theme for MkDocs](https://squidfunk.github.io/mkdocs-material/), [MkDocs](https://www.mkdocs.org/) itself and [Pygments](http://pygments.org/). To install these with [pip](https://pip.pypa.io/en/stable/) and get it up and running, fire up your terminal and enter ``` -pip install mkdocs-material +pip install mkdocs-material==7.1.5 pygments==2.9.0 mkdocs-redirects==1.0.3 mkdocs serve -``` \ No newline at end of file +``` diff --git a/docs/b_n_r_backup.md b/docs/b_n_r_backup.md index afc932563..271a7b94e 100644 --- a/docs/b_n_r_backup.md +++ b/docs/b_n_r_backup.md @@ -1,5 +1,7 @@ ### Backup +#### Manual + You can use the provided script `helper-scripts/backup_and_restore.sh` to backup mailcow automatically. Please do not copy this script to another location. 
@@ -30,3 +32,43 @@ To run a backup unattended, define MAILCOW_BACKUP_LOCATION as environment variab ``` MAILCOW_BACKUP_LOCATION=/opt/backup /opt/mailcow-dockerized/helper-scripts/backup_and_restore.sh backup all ``` + +#### Cronjob + +You can run the backup script regularly via cronjob. Make sure `BACKUP_LOCATION` exists: + +``` +5 4 * * * cd /opt/mailcow-dockerized/; MAILCOW_BACKUP_LOCATION=/mnt/mailcow_backups /opt/mailcow-dockerized/helper-scripts/backup_and_restore.sh backup mysql crypt redis --delete-days 3 +``` + +Per default cron sends the full result of each backup operation by email. If you want cron to only mail on error (non-zero exit code) you may want to use the following snippet. Pathes need to be modified according to your setup (this script is a user contribution). + +This following script may be placed in `/etc/cron.daily/mailcow-backup` - do not forget to mark it as executable via `chmod +x`: + +``` +#!/bin/sh + +# Backup mailcow data +# https://mailcow.github.io/mailcow-dockerized-docs/b_n_r_backup/ + +set -e + +OUT="$(mktemp)" +export MAILCOW_BACKUP_LOCATION="/opt/backup" +SCRIPT="/opt/mailcow-dockerized/helper-scripts/backup_and_restore.sh" +PARAMETERS="backup all" +OPTIONS="--delete-days 30" + +# run command +set +e +"${SCRIPT}" ${PARAMETERS} ${OPTIONS} 2>&1 > "$OUT" +RESULT=$? + +if [ $RESULT -ne 0 ] + then + echo "${SCRIPT} ${PARAMETERS} ${OPTIONS} encounters an error:" + echo "RESULT=$RESULT" + echo "STDOUT / STDERR:" + cat "$OUT" +fi +``` diff --git a/docs/clients.js b/docs/clients.js index cc6cf1257..78b4365f5 100644 --- a/docs/clients.js +++ b/docs/clients.js @@ -1,7 +1,7 @@ if (window.location.href.indexOf('/client/') >= 0) { window.window.addEventListener('load', function () { function setCookie(name, value) { - document.cookie = encodeURIComponent(name) + "=" + encodeURIComponent(value) + "; path=/"; + sessionStorage.setItem(name, value); } function getParameterByName(name) { 
@@ -39,18 +39,7 @@ if (window.location.href.indexOf('/client/') >= 0) { if (window.location.href.indexOf('/client') >= 0) { window.window.addEventListener('load', function () { function getCookie(cn) { - var fixedcn = encodeURIComponent(cn); - var cs = document.cookie.split(';'); - for (var i = 0; i < cs.length; i++) { - var c = cs[i]; - while (c.charAt(0) == ' ') { - c = c.substring(1); - } - if (c.indexOf(fixedcn + "=") == 0) { - return decodeURIComponent(c.substring(cn.length + 1, c.length)); - } - } - return ""; + return sessionStorage.getItem(cn); } /* Hide variable fields if no values are available */ diff --git a/docs/firststeps-trust_networks.md b/docs/firststeps-trust_networks.md index e12dd9dfb..aea044b9e 100644 --- a/docs/firststeps-trust_networks.md +++ b/docs/firststeps-trust_networks.md 
@@ -1,11 +1,39 @@ -Per default mailcow considers all networks as untrusted, except for its own IPV4_NETWORK and IPV6_NETWORK scope. Though it is reasonable in most cases, you may want to loosen this restriction under certain circumstances to allow connections from other networks. +By default mailcow considers **all networks as untrusted** excluding its own IPV4_NETWORK and IPV6_NETWORK scopes. Though it is reasonable in most cases, there may be circumstances that you need to loosen this restriction. -To change this behaviour override the default value of `mynetworks` parameter through the `data/conf/postfix/extra.cf` configuration file. +By default mailcow uses `mynetworks_style = subnet` to determine internal subnets and leaves `mynetworks` unconfigured. -**Important**: Do **not** remove the networks listed as `IPV4_NETWORK` and `IPV6_NETWORK` in your mailcow.conf. You should also keep local addresses. To add `1.2.3.4/32` it may look like the configuration below: +If you decide to set `mynetworks`, Postfix ignores the mynetworks_style setting. This means you **have to** add the IPV4_NETWORK and IPV6_NETWORK scopes as well as loopback subnets manually! + +## Unauthenticated relaying + +!!! Warning + Incorrect setup of `mynetworks` will allow your server to be used as an open relay. If abused, this **will** affect your ability to send emails and can take some time to be resolved. + +### IPv4 hosts/subnets + +To add the subnet `192.168.2.0/24` to the trusted networks you may use the following configuration, depending on your IPV4_NETWORK and IPV6_NETWORK scopes: + +Edit `data/conf/postfix/extra.cf`: ``` -mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 [fe80::]/10 172.22.1.0/24 [fd4d:6169:6c63:6f77::]/64 1.2.3.4/32 +mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 [fe80::]/10 172.22.1.0/24 [fd4d:6169:6c63:6f77::]/64 192.168.2.0/24 ``` -Per default we use "mynetworks_style = subnet" to only include local networks we are part of. 
+Run `docker-compose restart postfix-mailcow` to apply your new settings. + +### IPv6 hosts/subnets + +Adding IPv6 hosts is done the same as IPv4, however the subnet needs to be placed in brackets `[]` with the netmask appended. + +To add the subnet 2001:db8::/32 to the trusted networks you may use the following configuration, depending on your IPV4_NETWORK and IPV6_NETWORK scopes: + +Edit `data/conf/postfix/extra.cf`: + +``` +mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 [fe80::]/10 172.22.1.0/24 [fd4d:6169:6c63:6f77::]/64 [2001:db8::]/32 +``` + +Run `docker-compose restart postfix-mailcow` to apply your new settings. + +!!! Info + More information about mynetworks can be found in the [Postfix documentation](http://www.postfix.org/postconf.5.html#mynetworks). diff --git a/docs/prerequisite-dns.md b/docs/prerequisite-dns.md index 0d198c428..e5e7427cd 100644 --- a/docs/prerequisite-dns.md +++ b/docs/prerequisite-dns.md 
@@ -84,9 +84,11 @@ Here are some tools you can use to verify your DNS configuration: ## Misc ### Optional DMARC Statistics -If you are interested in statistics, you can additionally register with some of the many below DMARC statistic services, or self-host your own. -**NOTE:** It is worth considering that if you request DMARC statistic reports to your mailcow server, if there are issues with that domain you may not get accurate results. You can consider using an alternative email domain for recieving DMARC reports. +If you are interested in statistics, you can additionally register with some of the many below DMARC statistic services - or self-host your own. + +!!! Tip +It is worth considering that if you request DMARC statistic reports to your mailcow server and your mailcow server is not configured correctly to receive these reports, you may not get accurate and complete results. Please consider using an alternative email domain for receiving DMARC reports. It is worth mentioning, that the following suggestions are not a comprehensive list of all services and tools avaialble, but only a small few of the many choices. 
@@ -96,18 +98,15 @@ It is worth mentioning, that the following suggestions are not a comprehensive l - [Postmark](https://dmarc.postmarkapp.com) - [Dmarcian](https://dmarcian.com/) -**NOTE:** The services may provide you with a TXT record, which you would insert into your DNS records as the provider specifies. This record will give you details about spam-classified mails by your domain. However, please ensure to read the providers documentation from the service you choose, as this process may vary and not all providers may use a TXT record. +!!! Tip -### Email Test for SPF, DKIM and DMARC: +These services may provide you with a TXT record you need to insert into your DNS records as the provider specifies. Please ensure to read the providers documentation from the service you choose as this process may vary. -To test send an email to the email below and wait for a reply: +### Email test for SPF, DKIM and DMARC: -check-auth@verifier.port25.com - -You will get a report back that looks like the following: +To run a rudimentary email authentication check, send a mail to `check-auth at verifier.port25.com` and wait for a reply. You will find a report similar to the following: ``` - ========================================================== Summary of Results ========================================================== 
@@ -122,8 +121,10 @@ Details: ========================================================== .... ``` -The full report will contain more technical details this is just the first section, we found this to be quite usful for testing both outgoing mail and spam scores. + +The full report will contain more technical details. ### Fully Qualified Domain Name (FQDN) + [^1]: A **Fully Qualified Domain Name** (**FQDN**) is the complete (absolute) domain name for a specific computer or host, on the Internet. The FQDN consists of at least three parts divided by a dot: the hostname (myhost), the domain name (mydomain) and the top level domain in short **tld** (com). In the example of `mx.mailcow.email` the hostname would be `mx`, the domain name `mailcow` and the tld `email`. diff --git a/docs/third_party-roundcube.md b/docs/third_party-roundcube.md index dd2a99b18..bde36cfb8 100644 --- a/docs/third_party-roundcube.md +++ b/docs/third_party-roundcube.md @@ -2,9 +2,9 @@ Download Roundcube 1.4.x to the web htdocs directory and extract it (here `rc/`) ``` # Check for a newer release! cd data/web -wget -O - https://github.com/roundcube/roundcubemail/releases/download/1.4.9/roundcubemail-1.4.9-complete.tar.gz | tar xfvz - +wget -O - https://github.com/roundcube/roundcubemail/releases/download/1.4.11/roundcubemail-1.4.11-complete.tar.gz | tar xfvz - # Change folder name -mv roundcubemail-1.4.9 rc +mv roundcubemail-1.4.11 rc # Change permissions chown -R root: rc/ ``` diff --git a/docs/u_e-nginx.md b/docs/u_e-nginx.md index 9743b6e55..9581dd9b6 100644 --- a/docs/u_e-nginx.md +++ b/docs/u_e-nginx.md 
@@ -6,10 +6,17 @@ nano data/conf/nginx/my_custom_site.conf A good template to begin with: -``` hl_lines="9" +``` hl_lines="16" server { ssl_certificate /etc/ssl/mail/cert.pem; ssl_certificate_key /etc/ssl/mail/key.pem; + ssl_protocols TLSv1.2 TLSv1.3; + ssl_prefer_server_ciphers on; + ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305; + ssl_ecdh_curve X25519:X448:secp384r1:secp256k1; + ssl_session_cache shared:SSL:50m; + ssl_session_timeout 1d; + ssl_session_tickets off; index index.php index.html; client_max_body_size 0; root /web; @@ -31,10 +38,17 @@ server { Another example with a reverse proxy configuration: -``` hl_lines="9 21" +``` hl_lines="16 28" server { ssl_certificate /etc/ssl/mail/cert.pem; ssl_certificate_key /etc/ssl/mail/key.pem; + ssl_protocols TLSv1.2 TLSv1.3; + ssl_prefer_server_ciphers on; + ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305; + ssl_ecdh_curve X25519:X448:secp384r1:secp256k1; + ssl_session_cache shared:SSL:50m; + ssl_session_timeout 1d; + ssl_session_tickets off; index index.php index.html; client_max_body_size 0; root /web; diff --git a/docs/u_e-sogo.md b/docs/u_e-sogo.md index 909e10918..3fde37361 100644 --- a/docs/u_e-sogo.md +++ b/docs/u_e-sogo.md 
@@ -1,10 +1,15 @@ SOGo is used for accessing your mails via a webbrowser, adding and sharing your contacts or calendars. For a more in-depth documentation on SOGo please visit its [own documentation](http://wiki.sogo.nu/). -## Change theme +## Apply custom SOGo theme mailcow builds after 28 January 2021 can change SOGo's theme by editing `data/conf/sogo/custom-theme.js`. -Please check the AngularJS Material [intro](https://material.angularjs.org/latest/Theming/01_introduction) and [documentation](https://material.angularjs.org/latest/Theming/03_configuring_a_theme) as well as the [material style guideline](https://material.io/archive/guidelines/style/color.html#color-color-palette) to learn how this works. -After you updated said file you need to restart SOGo and Memcached containers by executing `docker-compose restart memcached-mailcow sogo-mailcow`. +Please check the AngularJS Material [intro](https://material.angularjs.org/latest/Theming/01_introduction) and [documentation](https://material.angularjs.org/latest/Theming/03_configuring_a_theme) as well as the [material style guideline](https://material.io/archive/guidelines/style/color.html#color-color-palette) to learn how this works. + +You can use the provided `custom-theme.js` as an example starting point by removing the comments. +After you modified `data/conf/sogo/custom-theme.js` and made changes to your new SOGo theme you need to + +* edit `data/conf/sogo/sogo.conf` and append/set `SOGoUIxDebugEnabled = YES;` +* restart SOGo and Memcached containers by executing `docker-compose restart memcached-mailcow sogo-mailcow`. ## Reset to SOGo default theme Checkout `data/conf/sogo/custom-theme.js` by executing `git fetch ; git checkout origin/master data/conf/sogo/custom-theme.js data/conf/sogo/custom-theme.js` 
@@ -19,9 +24,9 @@ Find in `data/conf/sogo/custom-theme.js`: 'hue-3': 'A700' }) .accentPalette('green', { - 'default': '600', // background color of fab buttons + 'default': '600', // background color of fab buttons and login screen 'hue-1': '300', // background color of center list toolbar - 'hue-2': '300', + 'hue-2': '300', // highlight color for selected mail and current day calendar 'hue-3': 'A700' }) .backgroundPalette('frost-grey'); diff --git a/docs/u_e-xmpp-faq.md b/docs/u_e-xmpp-faq.md index ee6f3c7a4..eef2d45b3 100644 --- a/docs/u_e-xmpp-faq.md +++ b/docs/u_e-xmpp-faq.md @@ -68,7 +68,7 @@ No, they will vanish: - **How many client sessions can be open at the same time?** -10 sessions are allowed per session. +10 sessions are allowed per user. ``` shaper_rules:
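Review bot: In .github/workflows/gh-pages.yml the deploy step is still referenced by a mutable tag (`uses: JamesIves/github-pages-deploy-action@4.1.3`), so the step that pushes to `gh-pages` is pinned less strictly than the pip packages fixed in the same hunk. Consider pinning `uses:` to the full commit SHA of the 4.1.3 release and keeping the version as a trailing comment. The three pip versions are also repeated verbatim in the README.md hunk; a requirements file referenced from both places would keep them from drifting apart.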
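Review bot: In the `/etc/cron.daily/mailcow-backup` script added to docs/b_n_r_backup.md, the redirection order in `"${SCRIPT}" ${PARAMETERS} ${OPTIONS} 2>&1 > "$OUT"` points stderr at cron's stdout and only stdout at the temp file, so anything the backup writes to stderr is mailed on every run and is missing from the error report. Use `> "$OUT" 2>&1` instead. The script also leaves the `mktemp` file behind and ends with exit status 0 after a failed backup; finishing with `rm -f "$OUT"` and `exit $RESULT` would cover both. In the prose, `BACKUP_LOCATION` should read `MAILCOW_BACKUP_LOCATION` to match the variable used in the cron line, and "Pathes" should be "Paths".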
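Review bot: In docs/clients.js, `getCookie` now returns `sessionStorage.getItem(cn)`, which is `null` for a missing key, whereas the removed loop ended with `return "";`. The code that follows ("Hide variable fields if no values are available") is outside the hunk, so please confirm its checks treat `null` like an empty string, or return `sessionStorage.getItem(cn) || ""`. sessionStorage is also scoped to the tab, unlike the previous `path=/` cookie, which is worth a comment if values are expected to survive opening a client page in another tab. Since neither function touches cookies any more, renaming `setCookie` and `getCookie` would avoid confusion.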
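Review bot: In docs/firststeps-trust_networks.md the open-relay warning is not followed by any way to check the result: after `docker-compose restart postfix-mailcow` the reader never sees the effective value. Consider adding a step that prints it, for example running `postconf mynetworks` inside the postfix-mailcow container, and a sentence recommending the narrowest prefix that covers the trusted hosts, since the examples trust a whole `192.168.2.0/24` and `[2001:db8::]/32`. The example lines also hard-code `172.22.1.0/24` and `[fd4d:6169:6c63:6f77::]/64`; state explicitly that these stand for the IPV4_NETWORK and IPV6_NETWORK values from mailcow.conf and must be replaced if those differ.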
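Review bot: In docs/prerequisite-dns.md both new `!!! Tip` blocks have unindented bodies as shown here (`+It is worth considering ...` directly under the first, and `+These services may provide ...` after a blank line under the second), while the `!!! Warning` and `!!! Info` bodies in firststeps-trust_networks.md are indented. The admonition extension only picks up body text indented by four spaces, so these two will render as an empty Tip box followed by a normal paragraph; indent the text and drop the blank line. Minor wording in the same hunks: "providers documentation" should be "provider's documentation", and the heading `### Email test for SPF, DKIM and DMARC:` does not need the trailing colon.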
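Review bot: In docs/third_party-roundcube.md the updated command still pipes the download straight into tar (`wget -O - ... | tar xfvz -`), so the 1.4.11 archive is unpacked into `data/web` with no integrity check. Suggest saving roundcubemail-1.4.11-complete.tar.gz to a file, comparing it against the checksum or signature published for that release, and extracting only after it matches. The "# Check for a newer release!" comment could also say that the version appears in both the URL and the `mv` line, since this change had to touch both.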
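Review bot: In docs/u_e-nginx.md the curve list `ssl_ecdh_curve X25519:X448:secp384r1:secp256k1;` (added to both templates) names secp256k1, the Koblitz curve, which TLS clients generally do not offer and which is not a TLS 1.3 group. This looks like a typo for NIST P-256 (`prime256v1`); as written, a client that supports only P-256 cannot agree on a curve with this server. Please correct it in both blocks. Because the seven `ssl_*` lines are duplicated between the two templates, moving them into a shared snippet pulled in with `include` would keep the two copies from diverging.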
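Review bot: In docs/u_e-sogo.md the new list tells readers to append `SOGoUIxDebugEnabled = YES;` to `data/conf/sogo/sogo.conf` as a required step for applying a theme, without saying why a debug option is needed or whether it should stay enabled. Please add a sentence explaining what the setting changes for theme loading and, if it is only needed while developing the theme, a final step to remove it again. The "Reset to SOGo default theme" section below should then mention reverting the setting as well.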