From bb160f39a560ba3d0e7a49da575c1273ec7c088f Mon Sep 17 00:00:00 2001
From: timo
Date: Sat, 6 May 2017 01:45:13 +0200
Subject: [PATCH 01/15] Adjusted headers and added chapter requirements
---
 docs/dns.md | 0
 docs/mc14_import.md | 0
 docs/requirements.md | 39 +++++++++++++++++++++++++++++++++++++++
 mkdocs.yml | 28 ++++++++++++++++------------
 4 files changed, 55 insertions(+), 12 deletions(-)
 create mode 100644 docs/dns.md
 create mode 100644 docs/mc14_import.md
 create mode 100644 docs/requirements.md
diff --git a/docs/dns.md b/docs/dns.md
new file mode 100644
index 000000000..e69de29bb
diff --git a/docs/mc14_import.md b/docs/mc14_import.md
new file mode 100644
index 000000000..e69de29bb
diff --git a/docs/requirements.md b/docs/requirements.md
new file mode 100644
index 000000000..b0bebaddb
--- /dev/null
+++ b/docs/requirements.md
@@ -0,0 +1,39 @@
+Before you run **mailcow: dockerized**, there are a few requirements that you should check:
+- **WARNING**: When you want to run the dockerized version on your Debian 8 (Jessie) box you should consider switching to the kernel 4.9 from jessie backports because there is a bug (kernel panic) with the kernel 3.16 when running docker containers with *healthchecks*!
+- Mailcow: dockerized requires some ports to be open for incomming connections, so make sure that your firewall is not bloking these. Also make sure that no other application is interferring with mailcow's configuration.
+- A correct DNS setup is crucial to every good mailserver setup, so please make sure you got at least the basis covered bevore you begin!
+
+## Minimum System Resources
+
+Please make sure that your system has at least the following resources:
+
+| Resource | mailcow-dockerized |
+| ----------------------- | ------------------ |
+| CPU | 1 GHz |
+| RAM                     | 1 GiB         |
+| Disk | 5 GiB |
+| System Type | x86_64 |
+
+## Firewall & Ports
+
+Please check if any of mailcow's standard ports are open and not blocked by other applications:
+
+```bash
+netstat -tulpn | grep -E -w '25|80|110|143|443|465|587|993|995'
+```
+
+If this command returns any results please remove or stop the application running on that port. You may also adjust mailcows ports via the `mailcow.conf` configuration file.
+
+If you have a firewall already up and running please make sure that these ports are open for incomming connections:
+
+| Service | Protocol | Port | Container |
+| --------------------|:--------:|:-------|:----------------|
+| Postfix Submission | TCP | 587 | postfix-mailcow |
+| Postfix SMTPS | TCP | 465 | postfix-mailcow |
+| Postfix SMTP | TCP | 25 | postfix-mailcow |
+| Dovecot IMAP | TCP | 143 | dovecot-mailcow |
+| Dovecot IMAPS | TCP | 993 | dovecot-mailcow |
+| Dovecot POP3 | TCP | 110 | dovecot-mailcow |
+| Dovecot POP3S | TCP | 995 | dovecot-mailcow |
+| Dovecot ManageSieve | TCP | 4190 | dovecot-mailcow |
+| HTTP(S) | TCP | 80/443 | nginx-mailcow |
diff --git a/mkdocs.yml b/mkdocs.yml
index 02e7859bf..9b81a6cf6 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -6,29 +6,33 @@ markdown_extensions:
 - codehilite(guess_lang=true)
 - toc(permalink=true)
 pages:
-- 'Information and support': 'index.md'
-- 'Installation & update':
+- 'Information & Support': 'index.md'
+- 'Prerequisites':
+ - 'System Requirements': 'requirements.md'
+ - 'DNS Setup': 'dns.md'
+- 'Migrating from mailcow 0.14': 'mc14_import.md'
+- 'Installation & Update':
 - 'Installation': 'install.md'
 - 'Update': 'update.md'
-- 'First Steps':
+- 'First Steps':
 - 'SSL': 'ssl.md'
 - 'Rspamd Web UI': 'rspamd_ui.md'
 - 'Reverse Proxy': 'rp.md'
- - 'Setup a relayhost (optional)': 'relayhost.md'
+ - 'Setup a Relayhost (optional)': 'relayhost.md'
 - 'Log to Syslog': 'syslog.md'
- - 'Local MTA on Docker host': 'local_mta.md'
- - 'Sender and receiver model': 'sender_rcv.md'
+ - 'Local MTA on Docker Host': 'local_mta.md'
+ - 'Sender and Receiver Model': 'sender_rcv.md'
 - 'Usage & Examples':
- - 'mailcow UI configuration': 'mailcow_ui.md'
+ - 'mailcow UI Configuration': 'mailcow_ui.md'
 - 'Redirect HTTP to HTTPS': '80_to_443.md'
- - 'Anonymize headers': 'anonym_headers.md'
- - 'Adjust service configurations': 'change_config.md'
- - 'Docker Compose Bash completion': 'dc_bash_compl.md'
- - 'Two-factor authentication': 'tfa.md'
+ - 'Anonymize Headers': 'anonym_headers.md'
+ - 'Adjust Service Configurations': 'change_config.md'
+ - 'Docker Compose Bash Completion': 'dc_bash_compl.md'
+ - 'Two-Factor Authentication': 'tfa.md'
 - 'Blacklist / Whitelist': 'bl_wl.md'
 - 'Backup Maildir': 'backup_maildir.md'
 - 'Customize Dockerfiles': 'cust_dockerfiles.md'
- - 'Disable sender addresses verification': 'disable_sender_verification.md'
+ - 'Disable Sender Addresses Verification': 'disable_sender_verification.md'
 - 'Debug': 'debug.md'
 - 'Autodiscover / Autoconfig': 'autodiscover_config.md'
 - 'Redis': 'redis.md'
From 80df7ea5d37871847f093f578ab7a68e7311c2b1 Mon Sep 17 00:00:00 2001
From: timo
Date: Sat, 6 May 2017 01:48:54 +0200
Subject: [PATCH 02/15] Formatting.
---
 docs/requirements.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/docs/requirements.md b/docs/requirements.md
index b0bebaddb..417dedb44 100644
--- a/docs/requirements.md
+++ b/docs/requirements.md
@@ -1,4 +1,5 @@
 Before you run **mailcow: dockerized**, there are a few requirements that you should check:
+
 - **WARNING**: When you want to run the dockerized version on your Debian 8 (Jessie) box you should consider switching to the kernel 4.9 from jessie backports because there is a bug (kernel panic) with the kernel 3.16 when running docker containers with *healthchecks*!
 - Mailcow: dockerized requires some ports to be open for incomming connections, so make sure that your firewall is not bloking these. Also make sure that no other application is interferring with mailcow's configuration.
 - A correct DNS setup is crucial to every good mailserver setup, so please make sure you got at least the basis covered bevore you begin!
From 44f978af77acfd3c7176aa0532c0c62cc3a9179f Mon Sep 17 00:00:00 2001
From: timo
Date: Sat, 6 May 2017 01:52:17 +0200
Subject: [PATCH 03/15] Added DNS chapter
---
 docs/dns.md | 75 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 75 insertions(+)
diff --git a/docs/dns.md b/docs/dns.md
index e69de29bb..2b13f3e63 100644
--- a/docs/dns.md
+++ b/docs/dns.md
@@ -0,0 +1,75 @@
+Below you can find a list of **recommended DNS records**. While some are mandatory for a mail server (A, MX), others are recommended to build a good reputation score (TXT/SPF) or used for auto-configuration of mail clients (SRV).
+
+## References
+* A good article covering all relevant topics:
+ ["3 DNS Records Every Email Marketer Must Know"](https://www.rackaid.com/blog/email-dns-records)
+* Another great one, but Zimbra as an example platform:
+ ["Best Practices on Email Protection: SPF, DKIM and DMARC"](https://wiki.zimbra.com/wiki/Best_Practices_on_Email_Protection:_SPF,_DKIM_and_DMARC)
+* An in-depth discussion of SPF, DKIM and DMARC:
+ ["How to eliminate spam and protect your name with DMARC"](https://www.skelleton.net/2015/03/21/how-to-eliminate-spam-and-protect-your-name-with-dmarc/)
+
+## Reverse DNS of your IP
+
+Make sure that the PTR record of your IP matches the FQDN hostname of your mailcow host: `mail.domain.tld`. This record is usually set at the provider you leased the IP (server) from.
+
+## The minimal DNS configuration
+
+This example shows you a set of records for one domain. Each domain that is added to mailcow needs at least this set or records.
+
+```
+mail IN A 1.2.3.4
+autodiscover IN A 1.2.3.4
+autoconfig IN A 1.2.3.4
+
+@ IN MX 10 mail
+```
+
+## DKIM, SPF and DMARC
+
+In the example DNS zone file snippet below, a simple **SPF** TXT record is used to only allow THIS server (the MX) to send mail for your domain. Every other server is disallowed but able to ("`~all`"). Please refer to [SPF Project](http://www.openspf.org).
+
+```
+@ IN TXT "v=spf1 mx ~all"
+```
+
+It is highly recommended to create a **DKIM** TXT record in your mailcow UI and set the corresponding TXT record in your DNS records. Please refer to [OpenDKIM](http://www.opendkim.org).
+
+```
+default._domainkey IN TXT "v=DKIM1; k=rsa; t=s; s=email; p=..."
+```
+
+The last step in protecting yourself and others is the implementation of a **DMARC** TXT record, for example by using the [DMARC Assistant](http://www.kitterman.com/dmarc/assistant.html) ([check](https://dmarcian.com/dmarc-inspector/google.com)).
+
+```
+_dmarc IN TXT "v=DMARC1; p=reject; rua=mailto:mailauth-reports@example.org"
+```
+
+## The advanced DNS configuration
+
+**SRV** records specify the server(s) for a specific protocol on your domain. If you want to explicitly announce a service as not provided, give "." as the target address (instead of "mail.example.tld."). Please refer to [RFC 2782](https://tools.ietf.org/html/rfc2782).
+
+```
+_imap._tcp IN SRV 0 1 143 mail.example.org.
+_imaps._tcp IN SRV 0 1 993 mail.example.org.
+_pop3._tcp IN SRV 0 1 110 mail.example.org.
+_pop3s._tcp IN SRV 0 1 995 mail.example.org.
+_submission._tcp IN SRV 0 1 587 mail.example.org.
+_autoconfig._tcp IN SRV 0 1 443 autoconfig.example.org.
+_autodiscover._tcp IN SRV 0 1 443 autodiscover.example.org.
+```
+
+
+## Testing
+Here are some tools you can use to verify your DNS configuration:
+- [MX Toolbox](https://mxtoolbox.com/SuperTool.aspx) (DNS, SMTP, RBL)
+- [port25.com](https://www.port25.com/dkim-wizard/) (DKIM, SPF)
+- [HAD Pilot](https://www.had-pilot.com/testdetails.html) (DKIM, DMARC, SPF)
+- [DMARC Analyzer](https://www.dmarcanalyzer.com/spf-record-check/) (DMARC, SPF)
+
+## Misc
+
+If you are interested in statistics, you can additionally register with the [Postmaster Tool](https://gmail.com/postmaster) by Google and supply a **google-site-verification** TXT record, which will give you details about spam-classified mails by your domain. This is clearly optional.
+
+```
+@ IN TXT "google-site-verification=..."
+```
From e5565c906e4445b7f7dc5d51ff3fba406b4cfac9 Mon Sep 17 00:00:00 2001
From: timo Date: Sat, 6 May 2017 02:07:53 +0200 Subject: [PATCH 04/15] Added links, removed WARNING from install --- docs/install.md | 4 +--- docs/requirements.md | 22 +++++++++++++--------- 2 files changed, 14 insertions(+), 12 deletions(-) diff --git a/docs/install.md b/docs/install.md index 38c792b22..dc5bcbd4d 100644 --- a/docs/install.md +++ b/docs/install.md @@ -1,5 +1,3 @@ -**WARNING**: Please use Ubuntu 16.04 instead of Debian 8 or [switch to the kernel 4.9 from jessie backports](https://packages.debian.org/jessie-backports/linux-image-amd64) because there is a bug (kernel panic) with the kernel 3.16 when running docker containers with healthchecks! Full details here: [github.com/docker/docker/issues/30402](https://github.com/docker/docker/issues/30402) and [forum.mailcow.email/t/solved-mailcow-docker-causes-kernel-panic-edit/448](https://forum.mailcow.email/t/solved-mailcow-docker-causes-kernel-panic-edit/448) - You need Docker and Docker Compose. 1\. Learn how to install [Docker](https://docs.docker.com/engine/installation/linux/) and [Docker Compose](https://docs.docker.com/compose/install/). @@ -9,7 +7,7 @@ Quick installation for most operation systems: - Docker ``` curl -sSL https://get.docker.com/ | sh -``` +``` - Docker-Compose ``` diff --git a/docs/requirements.md b/docs/requirements.md index 417dedb44..9e0c3c58c 100644 --- a/docs/requirements.md +++ b/docs/requirements.md 
@@ -1,19 +1,21 @@ Before you run **mailcow: dockerized**, there are a few requirements that you should check: -- **WARNING**: When you want to run the dockerized version on your Debian 8 (Jessie) box you should consider switching to the kernel 4.9 from jessie backports because there is a bug (kernel panic) with the kernel 3.16 when running docker containers with *healthchecks*! -- Mailcow: dockerized requires some ports to be open for incomming connections, so make sure that your firewall is not bloking these. Also make sure that no other application is interferring with mailcow's configuration. -- A correct DNS setup is crucial to every good mailserver setup, so please make sure you got at least the basis covered bevore you begin! +- **WARNING**: When you want to run the dockerized version on your Debian 8 (Jessie) box you should [switch to the kernel 4.9 from jessie backports](https://packages.debian.org/jessie-backports/linux-image-amd64) because there is a bug (kernel panic) with the kernel 3.16 when running docker containers with *healthchecks*! + Full more details read: [github.com/docker/docker/issues/30402](https://github.com/docker/docker/issues/30402) and [forum.mailcow.email/t/solved-mailcow-docker-causes-kernel-panic-edit/448](https://forum.mailcow.email/t/solved-mailcow-docker-causes-kernel-panic-edit/448) +- Mailcow: dockerized requires [some ports](#default-ports) to be open for incomming connections, so make sure that your firewall is not bloking these. Also make sure that no other application is interferring with mailcow's configuration. +- A correct DNS setup is crucial to every good mailserver setup, so please make sure you got at least the [basics](dns/#the-minimal-dns-configuration) covered bevore you begin! +- Make sure that your system has a correct date and time setup. This is crucial for stuff like two factor TOTP authentication. 
## Minimum System Resources Please make sure that your system has at least the following resources: -| Resource | mailcow-dockerized | -| ----------------------- | ------------------ | -| CPU | 1 GHz | -| RAM                     | 1 GiB         | -| Disk | 5 GiB | -| System Type | x86_64 | +| Resource | mailcow: dockerized | +| ----------------------- | ------------------- | +| CPU | 1 GHz | +| RAM                     | 1 GiB         | +| Disk | 5 GiB | +| System Type | x86_64 | ## Firewall & Ports @@ -25,6 +27,8 @@ netstat -tulpn | grep -E -w '25|80|110|143|443|465|587|993|995' If this command returns any results please remove or stop the application running on that port. You may also adjust mailcows ports via the `mailcow.conf` configuration file. +### Default Ports + If you have a firewall already up and running please make sure that these ports are open for incomming connections: | Service | Protocol | Port | Container | From a5661544497f060e0366a9074657dd421f6bbce5 Mon Sep 17 00:00:00 2001 From: timo Date: Sat, 6 May 2017 02:21:50 +0200 Subject: [PATCH 05/15] Added section on system time --- docs/requirements.md | 35 ++++++++++++++++++++++++++++++++++- 1 file changed, 34 insertions(+), 1 deletion(-) diff --git a/docs/requirements.md b/docs/requirements.md index 9e0c3c58c..4ead30dc8 100644 --- a/docs/requirements.md +++ b/docs/requirements.md 
@@ -1,7 +1,8 @@ Before you run **mailcow: dockerized**, there are a few requirements that you should check: - **WARNING**: When you want to run the dockerized version on your Debian 8 (Jessie) box you should [switch to the kernel 4.9 from jessie backports](https://packages.debian.org/jessie-backports/linux-image-amd64) because there is a bug (kernel panic) with the kernel 3.16 when running docker containers with *healthchecks*! - Full more details read: [github.com/docker/docker/issues/30402](https://github.com/docker/docker/issues/30402) and [forum.mailcow.email/t/solved-mailcow-docker-causes-kernel-panic-edit/448](https://forum.mailcow.email/t/solved-mailcow-docker-causes-kernel-panic-edit/448) + + Fore more details read: [github.com/docker/docker/issues/30402](https://github.com/docker/docker/issues/30402) and [forum.mailcow.email/t/solved-mailcow-docker-causes-kernel-panic-edit/448](https://forum.mailcow.email/t/solved-mailcow-docker-causes-kernel-panic-edit/448) - Mailcow: dockerized requires [some ports](#default-ports) to be open for incomming connections, so make sure that your firewall is not bloking these. Also make sure that no other application is interferring with mailcow's configuration. - A correct DNS setup is crucial to every good mailserver setup, so please make sure you got at least the [basics](dns/#the-minimal-dns-configuration) covered bevore you begin! - Make sure that your system has a correct date and time setup. This is crucial for stuff like two factor TOTP authentication. 
@@ -42,3 +43,35 @@ If you have a firewall already up and running please make sure that these ports
 | Dovecot POP3S | TCP | 995 | dovecot-mailcow |
 | Dovecot ManageSieve | TCP | 4190 | dovecot-mailcow |
 | HTTP(S) | TCP | 80/443 | nginx-mailcow |
+
+## Enabling NTP services
+
+To ensure that you have the correct date and time setup on your system, please check the output of `timedatectl status`:
+
+```bash
+$ timedatectl status
+ Local time: Sat 2017-05-06 02:12:33 CEST
+ Universal time: Sat 2017-05-06 00:12:33 UTC
+ RTC time: Sat 2017-05-06 00:12:32
+ Time zone: Europe/Berlin (CEST, +0200)
+ NTP enabled: yes
+NTP synchronized: yes
+ RTC in local TZ: no
+ DST active: yes
+ Last DST change: DST began at
+ Sun 2017-03-26 01:59:59 CET
+ Sun 2017-03-26 03:00:00 CEST
+ Next DST change: DST ends (the clock jumps one hour backwards) at
+ Sun 2017-10-29 02:59:59 CEST
+ Sun 2017-10-29 02:00:00 CET
+```
+
+The lines `NTP enabled: yes` and `NTP synchronized: yes` indicate wether you have NTP enabled and if it's syncronized.
+
+To enable NTP you need to run the command `timedatectl set-ntp true`. You also need to edit your `/etc/systemd/timesyncd.conf`:
+
+```
+# vim /etc/systemd/timesyncd.conf
+[Time]
+Servers=0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org
+```
From 436e630938971c7c8be3fcc67aa6e943c142934c Mon Sep 17 00:00:00 2001
From: timo
Date: Sat, 6 May 2017 02:29:52 +0200
Subject: [PATCH 06/15] Added config parameter to port table
---
 docs/requirements.md | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/docs/requirements.md b/docs/requirements.md
index 4ead30dc8..f32eb70ef 100644
--- a/docs/requirements.md
+++ b/docs/requirements.md
@@ -32,17 +32,17 @@ If this command returns any results please remove or stop the application runnin If you have a firewall already up and running please make sure that these ports are open for incomming connections: -| Service | Protocol | Port | Container | -| --------------------|:--------:|:-------|:----------------| -| Postfix Submission | TCP | 587 | postfix-mailcow | -| Postfix SMTPS | TCP | 465 | postfix-mailcow | -| Postfix SMTP | TCP | 25 | postfix-mailcow | -| Dovecot IMAP | TCP | 143 | dovecot-mailcow | -| Dovecot IMAPS | TCP | 993 | dovecot-mailcow | -| Dovecot POP3 | TCP | 110 | dovecot-mailcow | -| Dovecot POP3S | TCP | 995 | dovecot-mailcow | -| Dovecot ManageSieve | TCP | 4190 | dovecot-mailcow | -| HTTP(S) | TCP | 80/443 | nginx-mailcow | +| Service | Protocol | Port | Container | Variable | +| --------------------|:--------:|:-------|:----------------|--------------------------------| +| Postfix SMTP | TCP | 25 | postfix-mailcow | `${SMTP_PORT}` | +| Postfix SMTPS | TCP | 465 | postfix-mailcow | `${SMTPS_PORT}` | +| Postfix Submission | TCP | 587 | postfix-mailcow | `${SUBMISSION_PORT}` | +| Dovecot IMAP | TCP | 143 | dovecot-mailcow | `${IMAP_PORT}` | +| Dovecot IMAPS | TCP | 993 | dovecot-mailcow | `${IMAPS_PORT}` | +| Dovecot POP3 | TCP | 110 | dovecot-mailcow | `${POP_PORT}` | +| Dovecot POP3S | TCP | 995 | dovecot-mailcow | `${POPS_PORT}` | +| Dovecot ManageSieve | TCP | 4190 | dovecot-mailcow | `${SIEVE_PORT}` | +| HTTP(S) | TCP | 80/443 | nginx-mailcow | `${HTTP_PORT}`/`${HTTPS_PORT}` | ## Enabling NTP services From 3430a69a671ee7c79bacc2546f9ef4ce349999b1 Mon Sep 17 00:00:00 2001 From: timo Date: Sat, 6 May 2017 02:38:21 +0200 Subject: [PATCH 07/15] Formatting --- docs/dns.md | 13 ++++++++----- docs/requirements.md | 6 +++--- 2 files changed, 11 insertions(+), 8 deletions(-) diff --git a/docs/dns.md b/docs/dns.md index 2b13f3e63..1030f117c 100644 --- a/docs/dns.md +++ b/docs/dns.md 
@@ -1,11 +1,12 @@ Below you can find a list of **recommended DNS records**. While some are mandatory for a mail server (A, MX), others are recommended to build a good reputation score (TXT/SPF) or used for auto-configuration of mail clients (SRV). ## References -* A good article covering all relevant topics: + +- A good article covering all relevant topics: ["3 DNS Records Every Email Marketer Must Know"](https://www.rackaid.com/blog/email-dns-records) -* Another great one, but Zimbra as an example platform: +- Another great one, but Zimbra as an example platform: ["Best Practices on Email Protection: SPF, DKIM and DMARC"](https://wiki.zimbra.com/wiki/Best_Practices_on_Email_Protection:_SPF,_DKIM_and_DMARC) -* An in-depth discussion of SPF, DKIM and DMARC: +- An in-depth discussion of SPF, DKIM and DMARC: ["How to eliminate spam and protect your name with DMARC"](https://www.skelleton.net/2015/03/21/how-to-eliminate-spam-and-protect-your-name-with-dmarc/) ## Reverse DNS of your IP @@ -14,9 +15,10 @@ Make sure that the PTR record of your IP matches the FQDN hostname of your mailc ## The minimal DNS configuration -This example shows you a set of records for one domain. Each domain that is added to mailcow needs at least this set or records. +This example shows you a set of records for one domain managed by mailcow. Each domain that is added to mailcow needs at least this set or records to function correctly. ``` +# Name Type Value mail IN A 1.2.3.4 autodiscover IN A 1.2.3.4 autoconfig IN A 1.2.3.4 @@ -58,9 +60,10 @@ _autoconfig._tcp IN SRV 0 1 443 autoconfig.example.org. _autodiscover._tcp IN SRV 0 1 443 autodiscover.example.org. ``` - ## Testing + Here are some tools you can use to verify your DNS configuration: + - [MX Toolbox](https://mxtoolbox.com/SuperTool.aspx) (DNS, SMTP, RBL) - [port25.com](https://www.port25.com/dkim-wizard/) (DKIM, SPF) - [HAD Pilot](https://www.had-pilot.com/testdetails.html) (DKIM, DMARC, SPF) 
diff --git a/docs/requirements.md b/docs/requirements.md index f32eb70ef..10afb81b6 100644 --- a/docs/requirements.md +++ b/docs/requirements.md @@ -5,7 +5,7 @@ Before you run **mailcow: dockerized**, there are a few requirements that you sh Fore more details read: [github.com/docker/docker/issues/30402](https://github.com/docker/docker/issues/30402) and [forum.mailcow.email/t/solved-mailcow-docker-causes-kernel-panic-edit/448](https://forum.mailcow.email/t/solved-mailcow-docker-causes-kernel-panic-edit/448) - Mailcow: dockerized requires [some ports](#default-ports) to be open for incomming connections, so make sure that your firewall is not bloking these. Also make sure that no other application is interferring with mailcow's configuration. - A correct DNS setup is crucial to every good mailserver setup, so please make sure you got at least the [basics](dns/#the-minimal-dns-configuration) covered bevore you begin! -- Make sure that your system has a correct date and time setup. This is crucial for stuff like two factor TOTP authentication. +- Make sure that your system has a correct date and [time setup](#date-and-time). This is crucial for stuff like two factor TOTP authentication. ## Minimum System Resources @@ -44,11 +44,11 @@ If you have a firewall already up and running please make sure that these ports | Dovecot ManageSieve | TCP | 4190 | dovecot-mailcow | `${SIEVE_PORT}` | | HTTP(S) | TCP | 80/443 | nginx-mailcow | `${HTTP_PORT}`/`${HTTPS_PORT}` | -## Enabling NTP services +## Date and Time To ensure that you have the correct date and time setup on your system, please check the output of `timedatectl status`: -```bash +``` $ timedatectl status Local time: Sat 2017-05-06 02:12:33 CEST Universal time: Sat 2017-05-06 00:12:33 UTC From 89e2a43f494dc2bc3cfabd7cc746998e0d5a0afc Mon Sep 17 00:00:00 2001 From: timo Date: Sat, 6 May 2017 02:39:43 +0200 Subject: [PATCH 08/15] Formatting --- docs/requirements.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) 
diff --git a/docs/requirements.md b/docs/requirements.md
index 10afb81b6..27c1de03d 100644
--- a/docs/requirements.md
+++ b/docs/requirements.md
@@ -1,8 +1,6 @@ Before you run **mailcow: dockerized**, there are a few requirements that you should check: -- **WARNING**: When you want to run the dockerized version on your Debian 8 (Jessie) box you should [switch to the kernel 4.9 from jessie backports](https://packages.debian.org/jessie-backports/linux-image-amd64) because there is a bug (kernel panic) with the kernel 3.16 when running docker containers with *healthchecks*! - - Fore more details read: [github.com/docker/docker/issues/30402](https://github.com/docker/docker/issues/30402) and [forum.mailcow.email/t/solved-mailcow-docker-causes-kernel-panic-edit/448](https://forum.mailcow.email/t/solved-mailcow-docker-causes-kernel-panic-edit/448) +- **WARNING**: When you want to run the dockerized version on your Debian 8 (Jessie) box you should [switch to the kernel 4.9 from jessie backports](https://packages.debian.org/jessie-backports/linux-image-amd64) because there is a bug (kernel panic) with the kernel 3.16 when running docker containers with *healthchecks*! For more details read: [github.com/docker/docker/issues/30402](https://github.com/docker/docker/issues/30402) and [forum.mailcow.email/t/solved-mailcow-docker-causes-kernel-panic-edit/448](https://forum.mailcow.email/t/solved-mailcow-docker-causes-kernel-panic-edit/448) - Mailcow: dockerized requires [some ports](#default-ports) to be open for incomming connections, so make sure that your firewall is not bloking these. Also make sure that no other application is interferring with mailcow's configuration. - A correct DNS setup is crucial to every good mailserver setup, so please make sure you got at least the [basics](dns/#the-minimal-dns-configuration) covered bevore you begin! - Make sure that your system has a correct date and [time setup](#date-and-time). This is crucial for stuff like two factor TOTP authentication. From 4659dc0de80a73a01e0d05c8a7f954dad4d3a771 Mon Sep 17 00:00:00 2001 
From: timo
Date: Sat, 6 May 2017 03:19:10 +0200
Subject: [PATCH 09/15] Added chapter on migrating from MC v0.14
---
 docs/mc14_import.md | 94 ++++++++++++++++++++++++++++++++++++++++++++
 docs/requirements.md | 6 +--
 mkdocs.yml | 2 +-
 3 files changed, 98 insertions(+), 4 deletions(-)
diff --git a/docs/mc14_import.md b/docs/mc14_import.md
index e69de29bb..a77aa05d7 100644
--- a/docs/mc14_import.md
+++ b/docs/mc14_import.md
@@ -0,0 +1,94 @@
+**WARNING** Please be adviced that this guide is a first draft. Mailcow: dockerized changed quite a lot on its DB configuration. It now uses the InnoDB file format `Barracuda` and the `utf8mb4` character set. There is also some change to the DB / TABLE structure.
+
+Also note that this guide doesn't touch on the users settings like *Spamlevels*, *TLS Settings*, etc. nor the export / import of your roundcube or SOGo settings.
+
+Lastly please check the section on how to [import / restore](backup_maildir/#restore) your maildir backup to get an idea how to migrate your mails.
+
+## Create mailcow db backups
+
+First you need to modify the table `mailcow`. Mailcow-dockerized adds three and moves two existing columns in the table `mailbox`. The columns `tls_enforce_in` and `tls_enforce_out` get moved two rows up (behind `domain`). The columns `key`, `multiple_bookings` and `wants_tagged_subject` need to be added after `tls_enforce_out`.
+
+It should look like this:
+
+```
+MariaDB [mailcow]> desc mailbox;
++----------------------+--------------+------+-----+-------------------+-----------------------------+
+| Field | Type | Null | Key | Default | Extra |
++----------------------+--------------+------+-----+-------------------+-----------------------------+
+| username | varchar(255) | NO | PRI | NULL | |
+| password | varchar(255) | NO | | NULL | |
+| name | varchar(255) | YES | | NULL | |
+| maildir | varchar(255) | NO | | NULL | |
+| quota | bigint(20) | NO | | 0 | |
+| local_part | varchar(255) | NO | | NULL | |
+| domain | varchar(255) | NO | MUL | NULL | |
+| tls_enforce_in | tinyint(1) | NO | | 0 | |
+| tls_enforce_out | tinyint(1) | NO | | 0 | |
+| kind | varchar(100) | NO | | | |
+| multiple_bookings | tinyint(1) | NO | | 0 | |
+| wants_tagged_subject | tinyint(1) | NO | | 0 | |
+| created | datetime | NO | | CURRENT_TIMESTAMP | |
+| modified | datetime | YES | | NULL | on update CURRENT_TIMESTAMP |
+| active | tinyint(1) | NO | | 1 | |
++----------------------+--------------+------+-----+-------------------+-----------------------------+
+```
+
+You can do this with a UI like [Adminer](https://www.adminer.org/#download) or use the MySQL CLI like :
+
+```
+MariaDB [mailcow]> ALTER TABLE mailbox MODIFY COLUMN tls_enforce_in TINYINT(1) NOT NULL DEFAULT '0' AFTER domain,
+MODIFY COLUMN tls_enforce_out TINYINT(1) NOT NULL DEFAULT '0' AFTER tls_enforce_in;
+MariaDB [mailcow]> ALTER TABLE mailbox ADD COLUMN `kind` VARCHAR(255) NOT NULL AFTER `tls_enforce_out`,
+ADD COLUMN `multiple_bookings` TINYINT(1) NOT NULL DEFAULT '0' AFTER `kind`,
+ADD COLUMN `wants_tagged_subject` TINYINT(1) NOT NULL DEFAULT '0' AFTER `multiple_bookings`;
+MariaDB [mailcow]> DESC mailbox;
+```
+
+When this is done we can backup the tables:
+
+```
+mysqldump --replace --no-create-info --default-character-set=utf8mb4 \
+ -u $MAILCOWDB_USER -p$MAILCOWDB_PW $MAILCOWDB_NAME \
+ alias alias_domain domain domain_admins mailbox quota2 sender_acl > backup_mailcow.sql
+```
+
+> **--replace**: Write `REPLACE` statements rather than `INSERT` statements
+> **--no-create-info**: Don't write `CREATE TABLE` statements.
+> **--default-character-set** make sure our exported default charset is *utf8mb4*.
+> *Remember to adjust your mysql details* `MAILCOWDB_*`
+
+
+## Prepare mailcow: dockerized
+
+Visit your new installation (http://host.domain.tld) with a browser of your choice to initiate the empty database. Check if the DB is initiated afterwards:
+
+```
+# source mailcow.conf
+# docker-compose exec mysql-mailcow mysql -u${DBUSER} -p${DBPASS} ${DBNAME}
+MariaDB [mailcow]> show tables;
++-------------------------------+
+| Tables_in_mailcow |
++-------------------------------+
+| admin |
+| alias |
+[...]
+```
+
+## Import your backups:
+
+ ```
+ # source mailcow.conf
+ # docker exec -i $(docker-compose ps -q mysql-mailcow) mysql -u${DBUSER} -p${DBPASS} ${DBNAME} < backup_mailcow.sql
+ ```
+
+ Recalculate used quota with `doveadm`:
+
+ ```
+ # docker-compose exec dovecot-mailcow doveadm quota recalc -A
+ ```
+
+ Restart SOGo:
+
+ ```
+ # docker-compose restart sogo-mailcow
+ ```
diff --git a/docs/requirements.md b/docs/requirements.md
index 27c1de03d..479790960 100644
--- a/docs/requirements.md
+++ b/docs/requirements.md
@@ -20,8 +20,8 @@ Please make sure that your system has at least the following resources:
 Please check if any of mailcow's standard ports are open and not blocked by other applications:
-```bash
-netstat -tulpn | grep -E -w '25|80|110|143|443|465|587|993|995'
+```
+# netstat -tulpn | grep -E -w '25|80|110|143|443|465|587|993|995'
 ```
 If this command returns any results please remove or stop the application running on that port. You may also adjust mailcows ports via the `mailcow.conf` configuration file.
@@ -40,7 +40,7 @@ If you have a firewall already up and running please make sure that these ports
 | Dovecot POP3 | TCP | 110 | dovecot-mailcow | `${POP_PORT}` |
 | Dovecot POP3S | TCP | 995 | dovecot-mailcow | `${POPS_PORT}` |
 | Dovecot ManageSieve | TCP | 4190 | dovecot-mailcow | `${SIEVE_PORT}` |
-| HTTP(S) | TCP | 80/443 | nginx-mailcow | `${HTTP_PORT}`/`${HTTPS_PORT}` |
+| HTTP(S) | TCP | 80/443 | nginx-mailcow | `${HTTP_PORT}` / `${HTTPS_PORT}` |
 ## Date and Time
diff --git a/mkdocs.yml b/mkdocs.yml
index 9b81a6cf6..8268cf5a2 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -8,7 +8,7 @@ markdown_extensions:
 pages:
 - 'Information & Support': 'index.md'
 - 'Prerequisites':
- - 'System Requirements': 'requirements.md'
+ - 'Prepare Your System': 'requirements.md'
 - 'DNS Setup': 'dns.md'
 - 'Migrating from mailcow 0.14': 'mc14_import.md'
 - 'Installation & Update':
From 74ecec967bc6670747c3cdc40c33b65a04565469 Mon Sep 17 00:00:00 2001
From: timo
Date: Sat, 6 May 2017 03:31:03 +0200
Subject: [PATCH 10/15] Formatting and MC v0.14 MySQL VARS
---
 docs/mc14_import.md | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/docs/mc14_import.md b/docs/mc14_import.md
index a77aa05d7..5f755d398 100644
--- a/docs/mc14_import.md
+++ b/docs/mc14_import.md
@@ -46,21 +46,27 @@ MariaDB [mailcow]> DESC mailbox;
 When this is done we can backup the tables:
-```
+```bash
+# Load your mysql variables into environment
+DBHOST=$(grep database_host /var/www/mail/inc/vars.inc.php | cut -d'"' -f2)
+DBNAME=$(grep database_name /var/www/mail/inc/vars.inc.php | cut -d'"' -f2)
+DBUSER=$(grep database_user /var/www/mail/inc/vars.inc.php | cut -d'"' -f2)
+DBPASS=$(grep database_pass /var/www/mail/inc/vars.inc.php | cut -d'"' -f2)
+
+# Backup your tables
 mysqldump --replace --no-create-info --default-character-set=utf8mb4 \
- -u $MAILCOWDB_USER -p$MAILCOWDB_PW $MAILCOWDB_NAME \
+ --host &{DBHOST}-u${DBUSER} -p${DBPASS} ${DBNAME} \
 alias alias_domain domain domain_admins mailbox quota2 sender_acl > backup_mailcow.sql
 ```
-> **--replace**: Write `REPLACE` statements rather than `INSERT` statements
-> **--no-create-info**: Don't write `CREATE TABLE` statements.
-> **--default-character-set** make sure our exported default charset is *utf8mb4*.
-> *Remember to adjust your mysql details* `MAILCOWDB_*`
+- **--replace**: Write `REPLACE` statements rather than `INSERT` statements
+- **--no-create-info**: Don't write `CREATE TABLE` statements.
+- **--default-character-set** make sure our exported default charset is *utf8mb4*.
 ## Prepare mailcow: dockerized
-Visit your new installation (http://host.domain.tld) with a browser of your choice to initiate the empty database. Check if the DB is initiated afterwards:
+To initiate your a fresh database, visit **https://${MAILCOW_HOSTNAME}** with a browser of your choice. Check if the DB is initiated correctly afterwards:
 ```
 # source mailcow.conf
From 08fd44e9944a26075cf75bdee0bb59b62f6a8e1d Mon Sep 17 00:00:00 2001
From: timo
Date: Sat, 6 May 2017 03:51:31 +0200
Subject: [PATCH 11/15] Some minor corrections
---
 docs/bl_wl.md | 4 +++-
 docs/images/bl_wl.png | Bin 0 -> 12338 bytes
 docs/ssl.md | 4 ++--
 docs/tfa.md | 16 ++++++----------
 4 files changed, 11 insertions(+), 13 deletions(-)
 create mode 100644 docs/images/bl_wl.png
diff --git a/docs/bl_wl.md b/docs/bl_wl.md
index 31561e858..08b925537 100644
--- a/docs/bl_wl.md
+++ b/docs/bl_wl.md
@@ -1,3 +1,5 @@
-Edit a domain as (domain) administrator to add an item to the filter table.
+To add or edit an entry to your **domain wide** filter table, login to your *mailcow UI* as (domain) administrator.
+
+![Black- and Whitelist configuration](images/bl_wl.png)
 Beware that a mailbox user can login to mailcow and override a domain policy filter item.
diff --git a/docs/images/bl_wl.png b/docs/images/bl_wl.png new file mode 100644 index 0000000000000000000000000000000000000000..3619868f54571b218c378cb3045b9ddece06391d GIT binary patch literal 12338 zcmd6N2Ut^Gw`MGeAA*QdM4AdH9R#Ebh)8eJI|$N3@6~{cfYOVAlz_C*L3#%@(wlT4 zBteiGNTh@aA!H8z-)(d6%ri50W}bT<%1+KXd#}CL+UtGS-s|lX9aS2t8&n_=h(=xQ zu|5cNJ{D+?Uc3PO?J{~*00P|vsXtaU49eL?4!N=rPRKiGa#5P`eDF$|En}9lYGe=MO z@O*f9v*@caNu`A1kAl6>g3oJtYUvHV4$H14X3$?0La#RfcRYr`jg@O-d7*+CLmMAZ zt(ZB$YP6poF~#c8&eC5zzuys3?jltA@TS+ZN#IV4U?|I96z9%R91FHob{bHr0LF9_ z^s9Atmo8n@f0S}+#TSuwf)orF&(mAhajBO~=cFqs)`&FNa~rbpP(#D@OBb<ey;we=WxVQJeccPPpodqeNKVr_6 zKmzHh&+oT97ucZ6FE=o{dF5O0z!rGb{M7;jj1~l{o^^;-?i?C_rKu~v$<%2gz{hTE zR0aI7mv=xXHAFrv?oPhMjat+?JN{$=9!D-P#U3kew){4I`S4*Yd~#3Nzx;3&_|`zZB0L};%yJTK`fsLee2eKmY!tW3y1t;ig=3_yYWiNI(7nS`rBc#Ly94~j@}$~YQe}a z$~eefQ;N>QK%L)adTR~kUtLV|pFaHjt!_r*GGz&p>BZ%1LrkL~=3yZxq)8VuUG^HD z^#sgDebvjtNcfj`UDZUI${Q8ZRUEqa?TsFdlyyv`c!TzJ_7VScDbT_79$go_`*M-nSttj!|u=4gUb~% z3y5?EDi??Cr|T^$odkQ{(kDUMl+$hH(V-zHQ~KCn_DlO`K%chT2hQ2SW0d=*<*I}z z8h0C{ej#m{mwzsny&6i-^TTk4;G$H6+b;`_}F;$hE&kObMB(2>$N)fEyHWq z_rDF;j~(dT(aHX^F53Hg3I-&@w{m_0T5Nz!c;htb_s=FWPzMnN&8dKeAiNMqWd!K- zM;E7u0YmIU=-n!I>ZrT^o7ZruKf{IBqI#WJl-X$2Jznzy_Uro?9aL!zS9(y?#bRlK zDW8P~d^DMwFE{wat0UFEwoq1189I-e|2Dbu;jChyHS+lCC{13MBx>BAx2 zL3p=P*BQ`L>;l4WTs$#to8sd%{2E(^AVo$ll$IQ%u4z0c`^-5shDFgDW;)f*yIk6I zPpMXIv-Eu^?3d4zmk*yL=E-wNg{Zwh3wqk+uQNzRan{@%`3t2fK*3->mkWMSh&AI< zchyvkG;Zpch5L@Ym6$O;^%B;mcc!7R$5KTPMYe`ZvTfLjv;p{yc*2H{+UJ#|nu`)4 z^QTUVMSWq6%~c4mUQh{M7wH@tV_z%3)|Y2`>RC@h6Ehm>0>YHOrgrv?mQCYJsLnsS z<|%>9o^_S2?{{hwnI_Dkn!bE~@#x3G?~QYy7p?mLh_?47Sy&&KvA1L_iT5(Z9#nEu zDCq*y?S4JjOga1cqWk|`LBQTvGeQ??3V-wZm)db~pITR2kXX3cwk!-BUMvZf0>gg!adKeDCZ;i=Cco zMgE6JKla4Zq8#D?yYah5P$F{*jJ}6LO{w^<-+;7+FTvFK=7ZJWevj>O&&$P`s^Tw;43$; zsR%KhS$^_Fb7to2shSUcLRwaH)UD(?^=nImOpO{h8#;HJa?LdX`^<03K9mr6RtZ3) zd4OjWQral^*~ow;q^DqVGb)w8vSeNeyYaN9(nQLhK##UNNecQHkTIoYVe$>~k&?g(y-c@K-$|^ABD(fN* z%Zc%o{@Og$>pYFNCU7c>b5!Re%xjGsjpR8@)*33)o_HiFJ9$y 
zR~=Pva7aP`7`3^osR-CV0kS#A1J8|Oq!PsJq`p2VkB|nN_O7$y!1p`0sGA!KzU~RK zVddC)7^Nq9H{UiEJQexyRHUd+cgF8~c(*e8d7w^=PLq%4u=eSilLrV1!1Na7WvV>E z(o!d7P5>Q|eEEM!7XN>7FG98Hy9OZXliNx7(W=$42(LAifAZK6|a3 zvwGIwEkk|CFyO0Hzl43Z#cb7(2sLw*|E#a*eV?(VwowvR;;3&fnc%35%0>Y|@3Qe` z>+#BQ{6R7`{7LJy99id1xmw#D@a`a5n8EMoWki1;{m^VlE)%(h*mr-ha`IO@hUW1N zOP#aRUM5y!v8#7v=T5e_c^HzR3u#>O=t=e{Ga}sV!0OAnA7=s!uhiPVPZt;hkDKbR z6s8jnw;5ymB}^2XGOzX&ocWoX?GGhdImDcJ=YR>kyQq=dIBidCta6pP1}sfJ+)8~g zE-NPE1}gOMO_|}yU&i&7$L4o@itWa=wU)p9@@*=lD~)R346zn(o*po^OSg;c{V6Pe zrT!qAbdffdj@^riicWKfw8uH!h^(ZZH1^c&*aiZ0zXUwl9rn1^nagJkpIt)on1{r4 z1lIS5PM$I@1NHlz-x@fY)8q#GW70cnzQgi0+H11RD|pxv2gRwCm%#UlRG&KImwD*Y z9Im6rJN)3#NA1;GqC$u|dsVwZlPsnvwu2DK44Ak73@ioZnU^xe9c>#Griz#+)-e1Z#>k-dtKvzEi&P~4#+i;c{JP6&1S_?BOT0>&T&0|ww=WZ3bbW6|KP8B=+C=9{v|VKymK z?(DpF^Dc20-8yHH#%58>{<7uOF2pr{zZq~5C#)bd#oVe4S;>2?QN`nC>gxTJ;dT}W zO})t^wxOWC_f1;d#DJraTQwS;Wz|K!Va8F+Y)6tTOr^c?&nA4dj~;+C>o_A6E)=GR zPaR!v&UIwVK$qfK$F|G2g$(Sb{70>wMeUVS2aB#*zwtSlaOW17{Oe(6<%Gve9t+np zD@{P(bKZd{i(mpC`~Amg33yP%y?6r5ki`U7y<-=QDMolWH;W!qcj;kHL@`TWp&jae3r9bBau3pY@~n{$Ur4`(6jfI%=TGexz9%8dr*Vw{_Y&&D~YaY*b)v#Ochh zsZY>!h8;ZYvlZ>Lk3NMOII*bDz2WA+VZsLuptWb# z;J`aw(M*~0ut!q=vll$+<}?U*?_vG70yWw zXSocc+jeD7+FM2kNT)Yzt9x-2P0)j7*@1>u5D1dJ4SJERAe5h!T}QE^!Md z__(%|wej6|&vFDR4ZOysE{!nknl@_BO<|C(sXGcxGM6b(E0@^!C0|CkGhC1mP@hkn z)0mFNJx5`%$pVx5Va)+Qj+V?|VRA+7@2e??PWv zAZ}NiH@>?TaJ79ipnbE+)kCrLcG)(2v6oEWQJe3+pp|PpM|I6ZBlcQ(DBdo<@|YHJ zS;$R6tojnUg;etFuAl)1>x8#79Jhq5cZ@wy$apWQzS$H=IfLlmxXc_d51GK#k!;D` zC5XGxHGpk{Y!%p=J#|~dtpdX(Tv*yZhFLgxl5{qGiScq1es9B^(}5+P`{-*5Se5?m zV|xo2wOIKhhmYuNST}Ua$tl~ts?WV=uklh|vO5sCEqM`Y`t96hRUzAIhef`h_)^NP zco@|M32|91Mb!fECtTnm5dnYh9>Hge3cZ|t{H>G&Io+W+>SDLTssOPy`q-_a0DgZO zC2VH*g4jq9kz6B*!L4W!Ka9pIrxH7UAjSoHZtt=O>$VX)ny>T}sK~?AcGX5mubW>^ z`Resh(M;Ft^~_*Ufx><_=K#&!nso=9AD_3L2%R?8>ldi_wjAeynu1@ua753f(x5CUk z$bNSP$))&vTcn|c3iL<3n|awwoL_e9%ktwxN~RiQVtY>kGGJDgG>;BZxZ0^XKDb@& z)5Ht^IF-^%E7?Oj8zrce7!HX;ggKfqop=+K3<|FpaINI*=GG0rWFg_(hmWZRi1d4R 
z)Hh`)T2SLJzywb4uDtZ10}=l6#AQidIs`dZ7dN?uIE~j^W4-Q5g)^S@vaNaRk{b;_ z&4~GCVJshmj%{0j0OgRakr-4rvW}kLfdmM!r7<+ptEUM+S82M1p!O|x;{*rFZL@w8 zrJifrVE-g@BTLZ-yVeNXlN4f;rtF{^K@}gZ3@lGCD%R(?hh%&>j27E&34mmrNe*4T zOBfbKod9d?C{!9F|DB&P9=E6Bsaj7T+aLO~(>A;h(FB+%KG=-MSC! zhJt-{7H`h>}cZZy@2wm2Jq%ZWGmErlcFOh3oumCk7!0hiX7 z12HQ`71JHYf#exMf__8Lh8oPaKSo-)s1~lRC*YHA8^h^#ttn4ET!Bnnew5ngpXvB` zJHX**BEo3RX+Ai$D1h@W{9{QL)}J9(2*Gig9h}vmn_x;16I#}S%)iHbLrHTj?(1KU z+;eNtVB%i`t%(oAw1TcT4bS2cFM51;a+USvI8xbsA7L9v+ePw-7}zwni9u3(1p_C( zwXJ~;q_`h1-$Y2MIAnXcA_WKSr`$A0kU=)JrTHl4X}SA^F6E8q!_tNQq%n)iByTaD zXS+e%xH7!}9~)pMI{OT+Ig=L}vIF<@xNzA{K4X?YbD8@Pb2g1$KaZMeu$^$MHV!aLpD>T@u=xjJ(zbtG&sa*v91 zNOPi6LmaA%t<6{0=XK=Gj7>PH?fiO7O)YPWDwuoaYZX|L@Ap+-+*jPY?PMk8PBhF- zH2-+Kr|^2lHZ3IqIY3Fn__9QtLKrklD#D%a?(zS(9 zovA>F>?kI7p-Ecp`Ysg@;rF5NQ2~v4SPE873byT8JPrvU%TLJ+4mPBqJQ?Pq+sB0l^o%DN0W`;AJ8Xl}* zfpaHdM5!&xw2bHCES|<>2oFoPu3>$~#D~P(IwHuk*;U<{4jk_;G)L5;S!z$=tUnZ< zp>!KJqJ*-DvrEpQ=??649BXqQY`A(3H=-{9u$&lGflOGjp{J7DY?^kjLncgM$oMu? zw!6&Y&K=+Wk*{qdoDM18W?1BCYUV2f)U0H@8plW1$PnL4AA2`#tgl!8p8ZsiEBh;;jX(hkCm3jQjK`I=uFNsLDoAu&Za_t*n|?%O`19RIaW^~$?UMJz8{ccyH&c&}+y%I7segE;|2AG%a@pbO$X0u*oR2|U{SCl`>3ZL3^duLml+1DdFy3hXh|5i z33*AE(|DK)6Wc!VhmtbIbm7hUMGoaptT|f4`tYqJbJbvF0nKq!tpPVh)w%UU8d~9T zT5W5adqFW_ zEHo4NdM}+W3megni~^GF;tH)hRizs_;7)~At(+c3Y$k{M-0C7t{JpXM&{-fAe-Zf& zAR*#{+;zpW*_4ka?XsiYFM_>b6Q}0)D-N>b1?1i`oL^ghAN5qL*K^KkPk&?TqAMRMv*m zJc^=*zjIf8H@G^T8*u(SFG$SUD8)K2^}DBzoTVI7n(cLS&$ik!2p2-c-gJC}$Pc2W zVy67$etQ}8e&!KF?A47p(TxT>0PIER)lFb5XB4SEQETXFM%fOC0KW2N3U0J?@H8o< z$RnH61Ed1H)}n3C3Ys)8wbLu!_ESX~t4G=PH|URI4!W+r8*Y)*su+{ku8lBK8$otO-!-apyS>%Vy@clvKE%Et;Yk0--%tf__GY}Kz~K8(R(h2olag5 zn0&oysonTfF{4sxtD#E8awE-F=xlWxvbt?MYfol0S#mKS;ZJ^+=IKA}VGn(BjbBp+ zC#%JOf4>0}$5Pi}(4e|62ZMS?I}iF0%L`w24es}HcoVxx5_dz+5$H~ha|Wbx( z9n+G}C$=YNERgvnetpOj&y1TC3z~r3%@J|uo=RLY5-4wIcbT1?ZZ~cU9JFh;@O6ZLO0UUQ(7-bk(pOsOVJ4{tV84yeMxjT# zq|PgPukK`T(82}4EzJZiYt>SGu=hXKK1Y&zgNq*|kMhg~UXv*KjZE9<(plL|F^?f6 
zpo%939mO=h+Lcf0o}o482C}Be-NQnA43MleeeKHWDh%xG^p)#o7zoODQTUOAa#y)J zXg^cZovX0Xor~Uu=_Z}UN&@2{fMp<35h=jf$U@OvU)%X>lE(o6Kfq1+OpI^Y;VF1G zoaMNOMC_IK0Pn59soy#c>{S}E2~avkE0w3Zex^RUsQ(GB*n7r{1#mmZ#w-7HIJ|KA|IHz7$`ntJ!(F~WITkTY z9?oz|-=#Tt!+X0|fSa!hlXV~1`K0WZ0;~xVdS)A=jA<%Ua}n8^64mS3jpt7cRdD35 zRj|5P=5Sks-Adle(*JiDX%Et1VcZ#d=-nfzv@*j09FKy8BIA4kR|CChZ@k%4Q0*pG z@SZ`BtP4R&q`5cMJU9TrNW|ey|99Bn_7G)4#bvZ-`XPG-BFWbDw#pfh7ouMZp5zT| z`&wMm1E70Ibi0yI-6C`Tkd7bWX2FgFPHVSMYXL;2)`|EU`nnk9+jWAPJAPsIBBg1w z46)zq1T8WjDM#6s%k9@^-G*(CJ~kMCBM1lfZd4d_u?g30&?4t9-3$3$F&fyOoP3(~ zR++2sI2(?uJ+8H%Arc!{nCEsNX|t0tDsGv^k0}VAa~_VJKl+4qfyi}v)Ig&AdkEw! zE3obD-7mGgmK}F`0&4okPOl;*iLIv8YHTnjjawag&_ykVg{<)~WkCDO=F*C)ee^Wn z?)FSpvlKTBt7+hkP4rEQ{T{=h%zJZfl5T(~%mcdjy8LOx+`4iZUZ zEHL$Z7sF%ip|Q#5V(#KsY%IvjzslaaIb)x7@QJQPg;z)x+n)cdnHM3_fDSbGExeKn zeQ@K@jLT}zde&D@S*-ExGKK?&?)gz;+r_=DB8X!@1MGysp8MI(lhDaIoSDEr&aqp} z3a_%j%EAZZA(b>9D^eIx#PPt;o>lZR2(;%6@M|-~R2y+Q>|Fv+Ey7QSMo3Cwsmfg6 zxafh1mK;;(73X>U{-?736yobR(rW+M5nL6>h^7N$ev8BR_h`e}_5`I>zl0Djt~VvT zO8_YOWH}xwdDG*@{C4PePCAtNw_DaqSuyA6HRU#%Ib%zc?(Ea!d?x1TQ>#2Me_^L* z0<#S&ITL6>VV2x6sHZ7S=uI3!wrqW0OfCob!tC|qOiygDgED~<6`LKUQH2GB$jha> zPh)iSr5_N2MdH|KEp#fLC6Vecv+-AZUr0LLJ`=_QHXNrzgN?4nRL>d>DW_%aZt#IX zPp^w!K6U*=aY9dlM+MiU22DpsgFufqyz_$fro^7;a0{`m%17dkY;w0qb%2~8JZ`Af zu(SBl9U-{LG~2EjZ}u;F%)PiS*SQi_m1j}i>4zSx_VZ@y`tndC;fVVOlh#QtlD?wU znnY}Ln!Y&<`b0BAGAze2xUH&VD@dI#)C&p%y_ib^ToX92ssIjz?h~%nEk~%n+B|%( z#eeS?>LkRx$zh<0Q^VmBrw$vIFC%VHTu^zLcbk1XKS){_va0Z@|fxAFxJBlzPvA7O}&S+KVR59QA3HR=U5yl2oFcnXb%CAkZhHKkJ>D zK9>DOkwZd9-zTj$nqoJLmDT%kfKM;RoX%x|I!2jb?Ybp*0cNE0nBnc$cWY6JfWn3T zyvzH)S84Mf9G*AR_Ye2h z+E0AX(Xul~2V9Gfi?BU~3;YQwhbdM*?6}mpq8J@Uj8|!InsI5|-&yYCch7DK4l*!(swBKu+QXOUCdV*bXC&gQp3L$POFN3u_+IR zDwgl4*pQbwj+*xC#%iEL~WMrZsx)`+{C zn)Y?EcOI0(p9t)WI^z-NAcW#;O(EOF5CgzPCv=N5jy8vc?XTNH@c8b1gT3c1HQnK5 zHC;hmoX2YD=Oz=~WPIZnTP2&yu)@5k^D?jKML7DUT6pbQ|7dtKj3HL0Z+;GCjCIgC z+-B>xI?AT<35O?z^JudPA zqDOZBRzZi8Js}Jd9UsN9^?Hh%edOal=GAdYzBCPwr#`)V)6Hb#GQ)2!-@j!HkVD{+ 
z93-V+0t7Cyk8eivlaVH()Jo)j^5dkltMts2l96%e{#XH7W0zbsxtSmlYcXGz8x0Hb zR`Rr9Q_sW0F>Kpg^mzC|(;n%l$vXV^)=7K8bNQO8DsA`f>UFINFsaeny*rJ|-<)AZ zB0Pz!6B$}HGNSG7(J^t5T`pTJ);a8s*|s+8S!%L&_rM^d+hSy82R*y=Yj-~rQLz~o zNBPI*Jxd8q5_{#jexnMQOZxEDjW43J{DYnzF2247hfBHgp?NtQ4%MYL2Ql-bo@M@b zro)4(sA=|ubEP-&8;GN zKCNQbDdl_YXwdWQZpxPXsv+2a-*Gu@GY`t+>+^gmY)=c(nt`S366*}wdDPvIQ_IRE zxz9(AxE3~Q9T2j+D;Kr;D5^HzMbeFMJk1keG_!>4vX?0EJQc(T*jSsXvv4NXctF7v*p7Js-U zsftpy@bby5-G-vD>$WD40? zazH!v4Xy;_JPimaA6eiRE|PnEx`L_nJ-ZGcMcML@SL08JX!524#oGKy%?T;>h5{MU z%KOsKS0S{A5I?Kog&=p^U zeyLxaKyo$>6lp6jL7L}e_b_

Tp4v6BXQ>n0p%W@L|xH+0Sp6k>hTdXjV72dr`+1&Rm-uqzgXb6|f4`}A=F)#>IHp*c63+(wjI6;}Q(}c_Y??8UrY97X1 zdpfF95pw9F>a@A;A7&uiGs~BOcJ{>hs3H$y5cBg3-yFM2mq!m-yHLa6wU76Ga;Kzc zDi-)5QnGots;+E>+`O-lol=W?1pRCai~0Ha3F9z}P)~*R{M%}u6K_&1N+biU?4JXj z+zY$p{X=A~M65#TG?TFoisZAhV~s*SkU7}fadkiOV$YE&neNKgk$(V~=?@x;j^b}E zQ{VnO3eW<@F6z+Kz>vMRb;}`Zflck=kZ9e3mh7AUGr=X$=hm{avV2(j#(IM(;k&ei zgT#O7=Dto^oY;%MBd*+gJG#X_00dvrzd(G&UGbnoF#Z92<=Tt1j6fTp1%wYbUbOf8 zeGe<+o8Aa~mu3{Yue`=*Yh@9O=J$a~Tv1P@_LEPCCNW1hRX0RIqVypz(Pu zLBIYrZvIUUY)U4_cXoE5(K(2VdeBjL=MKM!@V|a;waaw>2b>ZLMIy!IycD2N=*Dti zB9O;|UQovUp&@5LmeBy){U5O^5XeNaHy`;JSYe=QIFaCM{dcwYr|tix+U);;G5(*D zzyF}Cwcc1|4*BP&HRj-dsr)`I0KfDNAb3H(Jq6w56AR#%2o>h~r^@hu6o|XG9T0Kd z7+g2GtJQ8Ch^7N`%Kxs9=f6JyF?Me?MmfbVAONOt@>>b$to^j_wM*LnrrunI#f?KD zYzpYF`t&g;CnvG#Fh?Oq5-yxPIX9On15G$N-qR)R^l|*#VH%`e!cPuMfcvAPqx;=t z63#JJnWS8JDtR~w&-CAkoiGpZ2RYy5^}&DM^-%ctEPjkkInmVPJss{Wltza;^XX literal 0 HcmV?d00001 diff --git a/docs/ssl.md b/docs/ssl.md index aa672f37c..9ebccb7a9 100644 --- a/docs/ssl.md +++ b/docs/ssl.md @@ -1,6 +1,6 @@ mailcow dockerized comes with a snakeoil CA "mailcow" and a server certificate in `data/assets/ssl`. Please use your own trusted certificates. -mailcow uses 3 domain names that should be covered by your new certificate: +mailcow uses **at least** 3 domain names that should be covered by your new certificate: - ${MAILCOW_HOSTNAME} - autodiscover.**example.org** @@ -35,7 +35,7 @@ certbot certonly \ ``` **Remember to replace the example.org domain with your own domain, this command will not work if you dont.** - + 4\. Create hard links to the full path of the new certificates. Assuming you are still in the mailcow root folder: ``` bash mv data/assets/ssl/cert.{pem,pem.backup} diff --git a/docs/tfa.md b/docs/tfa.md index 60ad71df0..674a88ea6 100644 --- a/docs/tfa.md +++ b/docs/tfa.md 
@@ -1,14 +1,10 @@
-So far three methods for TFA are implemented.
+So far three methods for *Two Factor Authentication* are implemented: U2F, Yubi OTP, and TOTP
-FOr U2F to work, you need an encrypted connection to the server (HTTPS) as well as a FIDO security key.
-
-Both U2F and Yubi OTP work well with the fantastic [Yubikey](https://www.yubico.com).
-
-While Yubi OTP needs an active internet connection and an API ID + key, U2F will work with any FIDO U2F USB key out of the box, but can only be used when mailcow is accessed over HTTPS.
-
-U2F and Yubi OTP support multiple keys per user.
-
-As the third TFA method mailcow uses TOTP: time-based one-time passwords. Those psaswords can be generated with apps like "Google Authenticator" after initially scanning a QR code or entering the given secret manually.
+- For U2F to work, you need an encrypted connection to the server (HTTPS) as well as a FIDO security key.
+- Both U2F and Yubi OTP work well with the fantastic [Yubikey](https://www.yubico.com).
+- While Yubi OTP needs an active internet connection and an API ID + key, U2F will work with any FIDO U2F USB key out of the box, but can only be used when mailcow is accessed over HTTPS.
+- U2F and Yubi OTP support multiple keys per user.
+- As the third TFA method mailcow uses TOTP: time-based one-time passwords. Those psaswords can be generated with apps like "Google Authenticator" after initially scanning a QR code or entering the given secret manually.
 As administrator you are able to temporary disable a domain administrators TFA login until they successfully logged in.
From 0b5b541d2cd287b7c0be924d7c303e517a4a7851 Mon Sep 17 00:00:00 2001
From: timo
Date: Sat, 6 May 2017 03:53:17 +0200
Subject: [PATCH 12/15] Added comment
---
 docs/tfa.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/docs/tfa.md b/docs/tfa.md
index 674a88ea6..8f5e2079f 100644
--- a/docs/tfa.md
+++ b/docs/tfa.md
@@ -2,6 +2,7 @@ So far three methods for *Two Factor Authentication* are implemented: U2F, Yubi
 - For U2F to work, you need an encrypted connection to the server (HTTPS) as well as a FIDO security key.
 - Both U2F and Yubi OTP work well with the fantastic [Yubikey](https://www.yubico.com).
+
 - While Yubi OTP needs an active internet connection and an API ID + key, U2F will work with any FIDO U2F USB key out of the box, but can only be used when mailcow is accessed over HTTPS.
 - U2F and Yubi OTP support multiple keys per user.
 - As the third TFA method mailcow uses TOTP: time-based one-time passwords. Those psaswords can be generated with apps like "Google Authenticator" after initially scanning a QR code or entering the given secret manually.
From 0ae794a9f72b8fedde49be78eff58644f1764340 Mon Sep 17 00:00:00 2001
From: timo
Date: Sat, 6 May 2017 03:59:47 +0200
Subject: [PATCH 13/15] Added images
---
 docs/images/tagging.png | Bin 0 -> 25050 bytes
 docs/tagging.md | 4 +++-
 2 files changed, 3 insertions(+), 1 deletion(-)
 create mode 100644 docs/images/tagging.png
diff --git a/docs/images/tagging.png b/docs/images/tagging.png new file mode 100644 index 0000000000000000000000000000000000000000..20591d514303d4813654be5feccd84e97a6f234e GIT binary patch literal 25050 zcmeFZXH-+$+b@dSf(=j+QL5X9G*Oh^w%Zb=ij)AMh=|nCLm-s6MP!59u$3ktpi)9j zXdzNULpuUm$^T^QkcDTZb;Hn#D5 zeqlB~5>@y9{8}h%@YCnloL@`-Y+}C`b8mnq3V&$0){yX}qWa9`=NZh#k8j2;E$Zb> zVS7qy#g50TQr)*hK+S=KzcghQD$7(Ivwc|kdfI2>eUxtdNQX=bwzBP<&LOpu*TCxhvk}Org5o;!x6Tsb{4}^sM>(Liu`+wf6|KH-)FLj~J+gK-J|JGKu z#LIoR%#YvFV{022Q0Nq_xc)8y0bPfe`x=f4w1+UKU)FC;OLF3gn^`OsBVJOy#pY55 zxWqaekV-z@&I!rEMKaSzXVZP_f7Sg(pgkIpM0i~!$8L1Hi5H~u$I*tP!0@bZtn|?x z{wpJA;~@f{&i>}NM?n9_$Y=vj7eh^xy*}hC4+wg`q@RK0g>lyL#6F4>vV_TG#&AFG z70~@<4@h7vyW4%(%l)R`P5z7@@gJJ1)e?Ac3HUDgb1Sp*H60{EIC*0a==d%3-dcMi zkHgsV5f*rJsNv|7dyv+Ts&e9@@eci2@|nYRDi}e z`Lh^Ns!!i7Fn!%`&*@&>hVG^Q=dWX*y^hW4&mw%AT8?(3wimOqj7r+V)FhrU=T~p0 z(~AthOc>@}MU=ggIE1={OZ(GnVyaPydg{0or%4fn&Or8i%w(~4#E~@Q4jNgIRmT#e5-~gd(NqlvuHq9 ziDWxO%%G9EWZ!gl!e=;3Jf?*`%3FzNWdOevZkt6>xJix?oYBB0zS3}&P4Ga0Pr86f zKZ~mypPj!G8}d7CDHhZ07zisXu?dGhtl{+KsCQo4?rIvB$fCP^v|5aBQQ3E8L`vYY$kVd|?;X!g z*df)VrJxrx!}Zy`!Fu(pUU72w5%mOv5R=v}&_?Kv06m=<^vdPHj1ewL?lLGN_y7Z*2L;jyCHt5|}zLARZ5UPpzIgF{GM6F6cf z6t?nvS%~L&S&NiZ1bR7!?c|loT`GF2&u%g3=Pd&Y&El-pvOieN#>3WlQglWe()fqD zDqH<~otL^CFP<R|&>O!WTjN$JI}IdaH}|{Kddm$qkB!H1 zx=By#HFu1DuCm}?tNb(Q{&0_{LP3a9-c8k#nI`j3fw0J&j`p-;QBGDQZ=d)Jb-H9G z@axLQV|;^$3bkCX(H-hTXcq(_tctu&h0^9%d4*Ino;`7EJw#J8m@`zveKfDurNX_A zytjz~Ld1?jm{HX;9Z!8UiZOYI1pkqti9$~DpS@i#iFcTf= z8tmzG-!)<)562zgsO(4aUkCqCGlHQmRskU^J=zRN6=tG9eB8s2kB-DhAW8+QNeJ=t z1Y!*q8Hu4_okS&e2~79917`IjGkgM^`DcmeNzdR8Di-X#V^Nz>2B-sspYn`&1rN^t^NBHY+r$sQTds?53uYBzB zl0?A#)hK}zRTc-D64EP}j%Erc%;LFD!~NY4WQGc!JzRNqEH*M1d=(KIsf|A*pJa6CE3zV=`Q#zwb*^bKbdPT;GquJ(uN^i5$NuJjI^O)>oPQ2XG= z&FT4vkX9DBo2fT?U#Y%kIS`nYx+6xB6CR{E+|>QN2QnnuV1D5!WqNDMFKuP)PK~9~ z3G&^qdvCrdh6A@rV3j0Wh=oGxH_yjLDdKX7s`|Vjh4*Xh=|^{9p?QEi@)J&hRVem0 zsj3#&jnsYB%dQY_oO>#RWr!!)8Y#-eD`py#!eCd{)m3oyY1Rr!z#A-pk8U+=;)ldD 
zRe_+o>~A}IGFoVNSM%?w9&Qj1Xl67>2rLdGd_9L_@3_C8$+_-liB(KGx!1^1`#p!5 z5-11)H3^;X>AI2P|BBUlZrsqd?)s;I_d&XOlk<6OINf2+_6(-o=3PZkJx5RL1fqUI$ez&h-seW6t$$WSLbqcJDmz3q*HR(((HTH(C5vE|4usKe`Rhm%!mXKyc30wURX?svP3ny+)N z`dYR2jg`GQVavGnG`r}Kir-FN?1lk9*{KH(jeeN`&&0Jnq)OKw^wibV9&)rm5M&RR z`09cqN*C}Be0V=541TZ%V%H9hQV4g>KmY!vlF4yv^CtAdP6URK}P<>3n5>+4icw#R4RA;O2%IA_**G_PYsy|JoWUa zzNuI0))sLs6NV+wuW~N0F!P2vJ5fno=FDoQ@5Q7)H)bkoFey=x?BBD}Rb`~^f@`E4 zZ;8rCHH{xQe+>BepSLJNEG-H<)u#Qa_)3B1O~8ft<&drdh)VuwyyB}no}9sCOs{MX z0?^o(G4T%7^r5Kf6{P)ZM<3TjT*JSFWcwPjFZ?YRRbkDPWdQ z&?o>R`+Og_y6vUXDEQXV8Z54oWFLlaUahVfwmMU-b;Y!Iko$Z*wmnK&l&|79fQmmU zA1B9tPr4M}))%WfSGm5s*$z>BiJl%Or_mDmeaWyEQe^lz_(mR|#2k4BydX2@PzJ%} zeK&5r|M~rb#GW~;k~}h^%IbKw7++QzH-KRI<8lIw{KvJ-kDved79fHDl_XgCPqVFy z_)O_vALV=am3$z2{kZD%{&$t*u6oWo1ZStrS%MQSiuwTLgqlZW@%fl60^mggzwO~i z=#@qM=sbnUWkqE@u;5cGE(?1g9$0#^6o6tj-LFY_s;7%YJ~T0B1gNE()Jp%01e`zUe*Rb20c7lpuHRWD#n46ovpn*2Y(M-`!k=Euoz;>$ z%1=VKixH6Qx{VG7qT;k+j+aarRLj(SjJSkFOenQ)Z|vb=LUonSh#vj^6A8 zsHMiDzGv2WI$WLjV*o`>2@tR{vkD*{0Rob2=oU?mYgwz4@%s?@Us5|8FDhMvPWrRy z_zStjJLlHg-Pp!wFdYeCL{+l2?g-VJ6*D5Qtk~ZRdyX?72zZXU@ku=c?SQ7tOckZH6_>~-8M~`h zPc35AtEd$2xmOQ;(fEat7>~a0R^SN!_vQ>0r2wt;&DE*{S}I=v182#2L^0sHi$P=F}cjbD64`_{SzBy|jsX}w%_eHyGngWYCo zUR#bLfwZo71**#Yoznf8IXPL`b>BZ%<3-KK*O$7?DpO6Bj!Q*%gsI6$I{I6Uj@%0% zSq(>=RN)ek~COJ_b;d05t>NIwBi zR`oq?8H)f|U}+>6k^HCP)f2+EpuW7ZJBUo%6pa=!zm4dzKR?h+e}H!-ji=diOAA)! 
zl5~%z@w<9q=DoQ&MK7RD<6ffJAtw`0m&*b@K-nNfz;9J4x3{^qosPNG2@9yi0+~Fa zXx0OJsR~ewn#}o|BZVhU7#k~5`cfa34Y;>|AZ5osaTyNr3xa)@KVfA07c8irhzVKU z`l9Onc8}m`=S3~@ZD-P{Rr>+Ha#~FA6Tu4aaUAn|>i~CMV-B)nsWd*Z{K+8=MeEWulX)C!>$dV5F|D3X6c*`nxD#= z$ebeg@uEM-1UnOVR+H@*^Zl-lzUuL^H^D811lj8$nH4<*4B}5xE`>oq!ymxRCP?^ zoBa>$(Xy=tU=O(8IR_6l8S*suLHPS3W@=f8`mvSRUA5u|Q1@5fbpG=BgFo3tO0QOC z;!cB$RP^36R~Jup^EJ0_zpVb!hvI)|FX)grV-DJKk{@Z}_yxqDkw&g|$j-?`Ugm|o zj2Qqm`rQR){tZ564d9&KzA43$++%SqqSS#bPG3>}lj$kz+pU&%sqHoDPIbL@;WU75 z{5Qsa^V5oFpw&uQk=uy_s9=rzadP7vCth4jl5vTr7yS4Up-~q=zg#O^M}t7`^~Eb4 zSiMH-MQ^PelwTjE-^O_jumMw5XRK!q2gk30`#OpD06G&UdxF8bxxKS+6|k3x&1|Pl zecr8=7WNoNtm&a5`@0HVBdu#jww@1QoiYu=OMfE_{Y&oxcfl#OhUYZoFz>X7vZS|X z-bX9XxY)+Dj9(E1$zs18hiv^us}h&kIU;4QQINGWDF*=bdKMnJjX%^C|4(`CnvZ7y zvCT6`x+5tVZ=KY>pg(rM1Mu&ba^d(Uhdm%lL;HsQ_D$J{<;;g=ViCL+17_;Fu|a2e zaZ=J7Yufg220N31eMJWMf%Sm0BHmjUoo7Tv{vD{UKDt5N*d4Lf5N2l^>SVC9Fyo1{ zqjG0C-LX4uAmC^Ahs{`h_Hsl?aUD9oeq%RhXCeII7A7j&Da4>hkb!ld;)o<|J#amv z`SZ!K2)E^ zb=qLR%2gVOy;fnyT6s{PMd`BQ49*~sMF;!_JjX&pdE4v-;Lo}Zy-!Lx7;JRM>syt5ED-@eWS?d-zps@I#6_;Px+!pX78-U7 z%`f(agancQbM69T6PKd0>57QRb$_1cyR5!0xjY>#!Y&qg4;RGlMh|Iw;ieCwFf-fH z8~z3%>{|vOxBSlMC2g?3e^W8o%12s#6X%qn^ktQ9ltt=a$x_kZc7G@{fiHCEa&dLd zbt-#ft-l$h$q_t7EXvPE-!s^1HS-aZz}fxuZa%&a9|rlYF&SHeKn353r4orTi+s~< zsFb&%zxn;5COZfEzP)Qt>^ApT9n<_$5tL0?!D=0rpHR;tFEu7MIyMg);(PZ&ThO_;6mtPK`<+u5>n%&r%lT~#so!qCQzp-U%N zgYif}WCu|Bweoyy`DE%gzf?|p>}Sc@xf;R97TE`ujL0!Fz!vs-&XLQk%lYRWf6QvG&6UtXJ^>;L{N=elMe-tB&dVntvC_wH>* z$(J?Sw(Pv1!RCX9ehc4q0UI4_jGy9^oBG`xx%pu|1jeHNOVa!o@-JGA?941&n$Ap8muh|1F}8>XnQPs&|81=03WXM5iOw>pxLMQ@G&k>>=Ob@ zoA>Hbz)lgk<&+};xT^yqjKGmGplAp@%x2TEvO9ayKhSddKlXX6A9x8oBeRRINdC3? 
z&o0vwmH(+*eq9Jpm@MLyUzh_9AwoDTKvM^XwmB0@vMi9^>8PO;$j{iQnposMUej34 z-%<;E9CI1Fw616T*v%f;$pC7`n@^JJ3T4BzXcSFm-#$Ae7W=`ju-y$UrRK7_4p# zgUASwVgX0|MM^U{0KJH3XPP@5q3;C+*DKsjn-PiJa~vME7_i|}gCau-V1>d!5UIED zQBuh@Ihop`1a)F4(F7eMSO{kmm<~cHpP}Y>Eg(JBY5OVJ`hq?hWs)B8}9}X`AA49w*_!LpQT0harBG8jP4#%svnvIssSK4DhzdrC$7P<&b?d z+QSn5=*{}&-#lc+UEiRDy-ZjLJ(wL#tRmUl_xS0B>g0eZbp}qv^^NW5Y5dUes|>6V z4>@b2y|C8nmE!7ZCfkIVRMJ@1V~}s`16>~~upp6?Ra#aKe;NY1Qv$p4h$p9&Em~NG z2OUi@F0HL%eZrc~CCP`%m5r)gNs3EC#81@c@1r{1KNNb&hiPgb=!E1QM7OlLNvA%S z*8p3(T=ox?lOtb#^d_&Eu2MRZXSns&o0Pctky`Lq{Trt)-6>FJv0rBsuHYn)vLLEx2-biZLp1Vuq2$Z7|M;Pi#HWX>Z%4zE^o2$K9hLiT)D~a zWVCItYgo2QnOax!l+=c>^7;5I$)Q#Ql&2Fdh)q3InmY4x6c~ZmE?M|QBgcDs=;P8x!`_w-owr$ zkCTBL-J#Rc{p%ysWp%}hEoCv_Yj4&klf+*v2u?)!bdO!kXLQwaU*|X)>FhPDa&4=W zN>a$4N*lcJEAy~t#XI%-BK^?x;5Qzle@`@;#6u(hFe-~YO>P(3=+6IiYrgIBVYPjn zAvGZ}bo>Y*&$#iPYpLj(wpD6gi8WTX{`l_CiMPAW>#wANy?oKKo9hw^@zP!?Fg--Z z?m?QnPV`>T`z++H?dz7jRG@5%q_s0cgQTTcR4d!OZ0Z>EvbzqeMlChC70%gJm(H(d zJ#q4TG_&y>89iKPG8O)Ng5!+M^EqMDOJSaGQT3BuqW1=9sI)~)4o3JOs(4{G$C>T< z;b#m`5|xam&=Q=dpJPe3n1Ez8-Libm ztk_(U$&+Aq2d|Gd~ z_@Ic7s8lqI6G|aY+B7bX(yJ_`*CdJ1W9nUB>#y`R!~5iX$-?AC$>8vhtz{;wBK8MM zFok>FLP%DYWA_b|z6J7126l3K64js3yCfh?fTuNtosonqe_BBjwNzYhrGzkQ**7Vhx=;oW5X0k zdc7W<*426lp9@kUABJ3Mk#u}X9y)_2=cxr*GQAq0mEC{k&rwyt((urtcVn}UBd#H6 zf6xcL+AjZPE<4}9`!i*0BWh?5=z0W_#$xy)NgI<9i1c=Yt|#?Z`kUc{d^sj;hxM*} z-`AqPC3tD;F?e3hH9gsLB(r95@KaNzv=-{@kgDq&jIbxArA+VC^TnYPxMH;{cY^RZ zxyH-kyuSlV9;DW1?TUBRi>uP>Mxt9ZRZAAyuaP6Jxf|Hz@Yb9RXd9om$#q#Eokh%g zKvh7}R##s@GSX?!vd@pI@~eh!6g`ae+4A!^OFW1 zOI53?C7-`+uT!T|6>no^C{VFSc3ZKO_^gXCNa(5OCH9vzii_#_1GDYziiWkpr@LT@ ztb+;+t4AlFd+P7@c#iYvU6rayUd5rPR%X=`$y9XaaDWBD^!zdykvSe5JCAoB@3mOcVyBiBoltBA?vO-jm6Z$?T zEJ7*w8e_)1YPKyvSu47gb$G&dI^(5^;Dapyy8ZS9&@=_H_&gx*O5K+cbs?)0`!Cik zu6}VcI*au#h;|q(mun2VknFqKmK=9Da2=a>ophqSM^)%XU;ivl;{fVIG8*ovnuKVvm(93Xw=$>m{8L6A8^ zT$}MH%Ufo062VEhgDn*ed8*Ec^aBHhk3|2EuTYq?R;KYfKcl4%|Ey7pxpg-r+_1Bzvka1`jI!Yx< zPmRu%%cO+2XwLV`VVXTC!am2PZYi5#!<5Jh3OegX8d@aFCR`;sjWfQTSVj8yO&v90 
z{bCR3JLwbwb>k@M+F(Bi0#}F{689ale)-|74qWq10BZe32=QAes2J@c;o0eL4G8vf zy-Whfcbzx!fz7R>JC&Na!cl#5cjs}i@O$aDn6II?D^o|;YZLTCNx^S?M)M~cKeVXJ zEBL*td8wD0EE<|?N>fjg9WLy{BtIwK?k8~7R4K1Bh%!#-B0%7(HhGR4mU+$vOBH{r zb*)RM&s`~Q$#m)1ga4z!{3hQVKcFDy5h}$7xAY9^MS|ybR7=8xPWO75+Lwu6qy72> z&hLQl`RL)->qW6@n|UM@Nl5PCRR0G_l-9`?50%GlipA5MKTJ{DqT+mh@txN4Xb zOEm4=S=jEy<|ZnjCBTZVt|*QbVW_w*5L)eHJ!tQkWEeb6sSRG$vdxnxl~0M0{*e3T zOe_qx?<57=PcbtM!&=%>H4dRZCxhliPU}VJv4a&+DGqC3{***^dsW0WZ<;gRRv8Fp-Po2vQ|l>D zl3OQpQE-BOWrUZEn^-OtsouxGYkE$-N%ZerMzP^xoY#95R` z&qF}!+J3Lt;2vYaOBCYoZnhl#s;dK+C~19h0T^WfiVdRT!eSa(o(ryW`#h3!?7Ckq zcF?Q`3&bxpiykZwqIY|>20TWVs4iIJmi6a}vNxsiAJ~rW$heTm9dKU`7uz=VOS4OD zzsKa|BoGe%*yz^=2c6AZMMk|Eg(g*IXK_^Z-2$&9{oGg~YqVQN#PNBC#| zU7+-lFlnzAicEaj2D4I<-ABvYqkE80Wh%Kg-h!b(3!D3He@ghDX+D+Si zR0Yc+U;o$(x0GdklAzUrK|kz(_io_GJ}{U9N{`C37@C8ZSMpodn>C zHFz;ij!ZkH?+8~eb@-FpOb?aB@$skl68`lVAC*lAka7KL64 z@=h0(Ql74Vnmx2Wx;>0vx^FXDYeou^vJZxrImAVU{-7hSn<0I;Al?2>LDc!i%NN>4 zsvW_pn3x6b4_9eY zko#D^0xy1SwIH388nMovZ0AI`GjMQR_zNY$+xt-`0-YMVq1%jzCCG+rDljKR3d#W9 zZ5@NkZ8S9_1lwA#2W@_I@>{FY7fsR93{bM@TMGHJ=M~g-Mi^*y{NV!Nt0d2i?=CBJa0|DaD*#p&e*{VPCMAQ1$t=pnq02#+ z*KgI$+qKD5U7%(AA&SHMUwOO<2)w1%TpuN-WYN?=_J@x}Za9XgZ)%-H9S~>#Ctip3 z>4B4-zg||hO;&qj2DT+xeh*oF^ofUyQenPKi_-$KM!AUadZ5&)Z&fnlxW&&j9p6-KjI?4FskIES16P=ikeDDdfY37;*4e$U zqg-)FGUAVt&?=>w2W#Qy718%(aiO(3OkX0;3>#?Ul;);|ovDD^yhk0;qqy>NUC|H$qTRzy2~kTEO^PS@&JL&k*%?e9j(P^L0JdjhC*u zZ%l_Q98_*b_p)r_;juW%IB!kXT0bN+BCurc`CWBNJA?SkgPREqBQBuh0WLMEn) zE(JXn5$>=P_-j6Lx6NUGBws#+TG+|N5QP~7c>(%PpTja-PUY!rj`vth1O=^Xb){S# z8ZxgK5rO@nCKvCWG;mhX%BwTv-OQz6NLLoQDQEAVZ+Q*TwnWRZYLu-6oyNUvy{1({ zbwbUO5Fql7V>;g0*5~@mVDLQ7s`SFpY46kz(<8e1`TgESas{xOt1IVq`8+|%rO58@ zMd?DyAz%93l<-inGb00UthLoPMhXF8Jic}&KWErh8c(&DzMl4oatt$jo+`;TaI0>! 
z?O#5GY$~(#?#wJzkpMt{ZYUmLqEpGjFpg!(f@!;)Z)$l)tIE9dzjQeJrZI99s$m&W z61yztO*1E>m~`U#7E6r175p+mT=j7apurdGl>B-IWn+4fAv5HE`Od(Oq86mu(1PG& zk~eo)mPndt)!iQ5ymHz*Gz!JK4iw}+_iMT9++3m`ZNZjul;^jcKXrS_yQMaErFgw> zFfTga(k3ih^fB3VsKtUVRqr#gZ8dNOO5@ZM?H#NRp~}NJ%#yjWi{6d^YPg=&V!o*D zo4!Zd$(LO%Fy_OLQv$>>_nkwC?AfpKn^F`6%r-CA5chtL0e=y$m9S6F>ABY1F4h4H zfQcN{z0>2-Z~a~?q_Z>}D_}GEOn!D!JzwZ^vd62bSs2x`*9;)x5_)$Dd50TM;#~3i z?58q4{me`7*|2S6oe`BEJS4C|efGa|mJw-vim+zu$GH;Ei3pEZP_?UBKClmFK=C5F zd3N%&C(W4&38JQQ-QGwTa3qN%N{FljnZeW`-Xcsv^>Ek+kt(w&!H0yd2(MRM?MsCW zvvznUXGvO9_%<#K3rTUMDuh+7)+29z99j8-R}Nn%n!nRP8l-}HPlBdxLXK5-ULSJ) zKJn$tiefl2-3?hMtoeg_40b&&9lJO>Uuf-T=>yAkypddic7z|7QZDy_<3?pQlUF-1 zyOG35z_h)p`JRe1s#?mCx)bk{mw3wtcKvq(%8{pMTx|$MRQKhbF zZnQ<}AG#Fte#QJc@GIw&g+e~97YFi!_YHmUA8TzxMNY}(m&`aUm#tIwKDPM?P~MGt+_A@YsuigkUYd_5>hBotVS+>_i|R>vWZk>a9vX9~X&=PfkNT0(i@wZ-c%bh14=OT|I`!fp3b7dHjVT+hzkr$ z1BJ}}e(7VgcG!`7o!2aDxJ8*B`Q@JuSl}I!od+6u@!THASI(VW9Jq$-<@MExx^ZGZ zYJJ+ES_qQ&HFSf@r!i$Kx0}tX(gd}t9eIbc!2>GOqWRsW>X160||2rhkb1&ix)Da&2}7R ztA0rD3f%8_`9ExOZAI}B-zFDECG0Hm6syi_R;lwub6`7^m^b9skU1y~NZYpfS}LO@ z>TCf;RvksP~~#7=MgdhC^-Wi4+|%JpZVoUEgxI$@{y2&L0YIqj3fgQMay^4O}%qdi%s*K+=mjF6*(VZfE!L&+>e2*-rbkK|L z|DGhhLVJ-p+cC6{uvBJTl)o@=z_3%*%3pc$uZ$-qJGpT0?QISckep^zcGj&=-t{Px3GD9B8w(|7cuV|>Af*(<1}z)`z= z;-zmJE!$Mx?GYCpVHw8aZ0VI+m1tIKooivwd?BTzRbp5sh|-df&v9j+Jkl?-q26r% zMOzRWGdpo}b4Ae``2rCcuCpen-DS4Ngt-S)5>>pg^I$lmbMhpJDbup#Nz6Ko+V?(h z%J`Y<`v@0Q#4187NtTRR>njcVPCXvx?L2==Q(7rT%uy+d=`zBqZJktXhPSqZLbnsq&^}5sXLOI;i+19~9T1Y+}9afR=9Ve zAXA-YEYFk|XHjr$r=n}4+EyDtgF z#S66Gq1s*Ru~etWs9k?79t|%RDgRpH>C6uuAJ$p<6X03yiIp9ejV@)~-Ycl@&GaEu zP9_F9=A*5dwxJ0G3{H^Wxx0c|VbkEgr_*X(`k{okK$?5CsO|QTGF$kC0ZN}f^t^3QOr(?25TStm4!d&Ky zbM@&Ke>VPTH70KA#^`ll|Bd~qQl%w^=74$Nfg5LIIeSSlT`prD|MT4yI4Kp;BGbdR7x|6NQvR`k)1Uruk%vn}s(rapGZ$;640K7p)x?}X zNV%xB2Xr*k&hJ|M7B#1cK+uymbGQzdmU1Q3t!_n%#R!WFs>4n8%NOlT}$ zH%=eLIhuEE`%L`J!X_W$v?xOy{e3@Txbg6x&7bXwFYI+Ys(eVfvPIrhzGXqYBRRj| zO`xm9^SAcqSGPb|<;Kg2I+=%WVxzL{-~msm{U5ZBYHI^S5C 
zsF)Z7o@Uj&{9gZ%iV7Cqx7~JGv)oEPwA{oZ*=bbL*lQ4VP)ATS;@sL+0ia~vM30lI zC2!NBqUlw_uC)mqpAWIx=klOexhdu|~v+pyCb(_;yg zFFdq8g*xGBf?|DXP!^yZpk24*m-e%vA!jCCo%gE_MB?q94NHJSpiRFF_k3T@!C42p zx{6%Llr<>(Now|Be~_B*0WZ_*$MYxOv?UeIujlyG{_5*F3}mIYU?4S!5jw9jbYM;9 z1C_SqZ;pgfnV$^~M-_H;Y4AmDj{4%^e%z!TP*58PKQWSQ&Uu&#pn4f|x)`f&R9)DP z_p|*&!TD3O%)U*$u1wglEa=)7H$jI46n|G;=d-BAl>cN+##5LZ`97e?PBW_Qg51{n1K)` zDo7uMT3dacN@T7UPL6zMr$CJ;kY9_D2GbKmCMY-O7GP^L{}A9GkDE0mYE5z|B_vg7 zk{%>9OHuwu_rv1U^Y_g*1D7MuT$48L3#b~-FfUc*upRLVjhAEO>?XQ4v;|e$hrg)4 zeGC-~-$#@YK_N2Y4mW0=q~}M>w^qV0Bxiqnqc@l3mf=Rz7_-KudI-w3H4X;RvlDv% zp7~6DPtp3@`Hh5A!aGRS2Wnt9^wh`9Gy~0pX`o(2M+J>Mq#48s`^l89Xx+B{Ht{Ql zf+zk3RJ~Nm(4LFh0S7q@(T;MR>UiOezDVS<kNQe+$Cf+aw#H~dgx7YjC@t6k`xDObG0408 zD<}n&T44DQM*3@@v@79hTUb(Tk#wF}qA+^escT3y%D3y;egZevlQeU)WT=gF*?Vf= z?(yk;c;xYjU$RyJH)5Vs zm{AH=cAqlDr6tMYqa(h?)XWTqKMQk&3X0pN7_1#5bbk! z2~|Kx7pJBzUriD%@+nekERD!wz!U;`mhee25N?q8O>iIRC|#FXAJ$QghW>19+{Bh% z^@kV&yA2n=(HB}z*0O&;SUY~PPEVYgd}!^(rz&B9gYqrvDj3;5nDwI>^S);-Np@Gf znWTfiWhyT&yKKyTL1;#1BA+rS={Q1OT8~PmkL6p4RFAtazfCI1?{+_2G&s-R2Wq;$ zY~dZuSc*H__%~!&@-Oje6gwi!ci=)vd_2)m*Yg~MfgmO*)!i!zMahd z!%q0w?w+4tuLVuj$^*8I?A9pZwp!pXHC}%1;#TP;h}SO*fD5x->H%t?&8G&>svo2_ zUeC+rYO2#{b7MIL=*J_xH#&OF<|_!}BYWcy96Kp>tC;!mcK53c9VsP;wMvx7VL@)j ziFJEFowY(7a+${>S?>4?#(L*-dNe(g!mDf!xC4e}uH3?Ut(9Libb!_1Zt; zjhHX}E&tKGV5O{tTwY$w5Cko*o|bB(FE9T_8xRBC2Wffvo$r3|*IAOh5cOU5@ae;C zVsX?#`Bu{7ZH}MPKv_j*UBf2md6J~?ktLny=K2r+%HCN!3E~KpR;Nf0JHmCtBTs6x z>=Y2Tu7R1tbm>L0fVSxXg=7)AUy@2WlV#GQ&D)g!9;Q?e+xl1mxc20eJNI2w6cvYf zu*``7$Epd1tPM-5j&*05JV>a zZdqtddw3jHWH+E4Plx>j?K_v!oXOUQP{yPM-qQq+w%~FFFyvKNH0}o8Hfe?$Fj8Dz zU8j)bJ&P^e+u_y?)$%328O#f;3IqhI$Eba|yPrtG6eV`GN&p9c>U)V|3bQMrNUIWF z(Zj)p^&qQ4%ZQW?4b6i`u4%4cZ%yzx2>^&-g{iW!JM*x4g{g{i;~RO47oDh*D3Lz; zU!1};SH%>SLiJ$9)J178>^I-58Yx*P>)4l&RwnZb8aDX0({FX!2Nkw=J~+PvGVLbH z*MdXe*HZCq;sDU_2Y{TbTGwx_j6xu6lP;O;aq1vHu(P55b1wkbM$frxmzgzIzN-uu z=tm`b7V+Lm;2J+U-3-4&3J9MF`9KsTx4RF>-L=l{S&2 zpr4~_@{t<<`u|~X*8e-&UhbX?0uG*f;p|G}Ai$}3Ycx4@)`WjBXKWV`%b&z!>)G=S 
zQR%Mv{2$(H>;=AgB6t(Xm-_tE5`rSouuyFk_a6(@e9&e43OQAl0ouuHgH@PI0T{Nu9Nf)*g!jQX?DxcQ%j%7xBb?H(}Ypy zJkB1a+>Y@31^HjjSKP*qj8JC{GWkcgUYLIsz1-0aY(up%E(`fR_U7+h^W0yrU&;9P zf~iQbH<=x5wY(E(MPa^#ofq|Q5|xJ{Kz}d^!e@dh35LEIChZrb;|oF}`b@rR=Z#;{ z+pz8A7~h|pNdP}CL3LbB_>(@>jZyEXB$}R2vE$^%WV#1NSjC3ew+7u- zQNN$iVE!opRKmFVn`oufuTa(Mzqw?}#*4P%+--3AdGe~G!%fqKyI*jjtA<_uJ-`vX z3h0TC#wm6tUvMj{-+hRO4x@hTyq4^5YujeiMD)7{rJt*10ehRRX}p!FnA<I~W^Y20zHkm8Ssutom>J(;&2=#)z zKV6N=Gq}bZ;h!Xv2N1m1lUCTe^C_63uuB=l@H0h0UIETX%#4}JFE8t$=jH}8GRBjx z&!DODBd^X8!nwau82Wb!JAQBwUdEcWYOifTpGV(4{mP1Q?X;FoXiiTjr}~0SQDp_* z8j0Lq&otD5AJ-2}w&Mf^OSCDB5b~K*k%gUvjMo^3UjMaAp+SV4+Q5d}G|g$f0p$)_ zU@+TW#CI|0X?9&CR)P`kmq>~Kpp}|}=d?!VyUC%oQ+gxVcdY07+o0>ghSX}9Q})b?$~j=mnX7QMW?WKV*%AP7R?W^*_Z5gS=uuC~cO+?f>oiT(ws?@!y_ym&+^ z;^{gZeqZrS@Y1ja3%}CD-Xd`DQWc>JBTMT)TPH=SPey4CP12s83J7o9M~hzu(&g2bEk&tuPJ=oZa$36OF_ z3Twr)!vH7-!BS3;aiK~J^5ib+97i#sFTY?G^e!?6ty-i;QG&aS`oDlb+Z z;qEAMBDKFg@cV$>&?omN=awu=vggxf14g%5FBf~awmGdHg&cAM1CWV6k1IJ+U#3i= z_J}+2G{ZO>^BOe~%(SYiD%dttg~fcdowecfwOolapx5UCcS?4hYfhOcRjjL4_M)o; z(F=%g=l6iJ-ffA2%ovP$HZ5V$%WXu@wjVY^2!mTM4O25l^n-&}Ek!n#3M(s$K-*>% z>SHUv<4a5JGQAGK;pcLtk*wl#TJ)t{>z;N+VN{OW1{@~0VEB3|`BLWh%0eQuvxYd= zP?9ky1>0b_Z*Z^Pofz8AY}fNc$nOaaGOFD`LbOmXs+Q2!2TbU1_JI^a^~nC#_zA1KPS30sW1Q%8S-WZmhZQ5+te93syoa;P*keX&=v+R4K~tE5aNQV&f<&Xcpe^{B5GEOB^W zO|`4Xc5o8^P=vszV^6cq?#)}{m^0KeB`Z0RWG&>WwzOe&>&cz9>ZN2QJzbz1)ls3N zQ*#y1KJU;SYnVIIdoVAhYrQhC2+^JOK@4<=)hT$?4IOV)!@V=3Qlzk``_Vn%7E+wi zsZH0f`?%=YGg?vMX5@Uwd_N$W7m<3&R#X$tCBk_A$I;M<3_Zb#`0aUd&hntz z$Yy}lIS!3u3y816^XI?i`5};R2pA4ZY|q=@Gu&&8kf}?fzZ`ZMHPe9?9w<>LM?Z6go0p19^zMa2dUB zQsCVgG@_iRgr_x~9``B8;ehZ#Zp3uYGg#t`n;9;UgDEu2qAx7iyQ$P7>fjOmsB>0~ z1$V{}B>H_)qVV;&<|`V0Bl5P0&7d9%lbq`&CDswx9Wt|>Oo_LGiK8YKG=L^|SSf3+ zf@AAv**jgRr8rM+;r*5EyEY**3dqr6TetVYrNiv5E@DxiX92Lk|4~4Z&BjI+s{`)sS-4C{-vcs0)<5>U78=~M{_S;U^zz03uR!cm?L^f0kzYgAh-Px5nx3q*Z z%#|K-+EmB;VpA$p{8xC(h`SpX7i-dC1>pM+l+RA(IPp5EtvQH;po*gO43St03pauqlFD=O*W++7z**Owl zH0zAwha-#g!}>Hc!)wv>T6`rQZYCmY&^^*~%V4$2R?TfIg1t$!g0lb0_B%ElzTpK% 
z%YA>ew?~|cwPtZBPV+5G1vSJ-Y*+ox?LJv#Z^{s)yvk>~9u62*g|bmH%w&|on4uLW zi%FT#hwHWAMbvfi3Mi6R`>Pi{4{$*h^zH~4)Ci)1e*|@y_&xymo`5Ql5)O5m%BqYU ze2&b5MP-wh;uFMv57U-Dyhfk=g97PK_8HzW{*HCPMQ%D~jn-eWg$6-JIhX5|mFR@1 zhTlr&DK%Au^FSQcC|RO5m=|`IKu31Geb@aKwq~SEWS{9pJXl}v`1^;e|90W&+0#?T zqcmGbt!QM{@Yt-A^$$HhL25ib`(S)+PA|z&r)DF+X1-)o{6Fzw>c8>fF8(P0M1KN* z$NoRHoq0T4+uFyq_o#EUI0IEg^^_`dic(XI?I{|qwuVTJt%f2IL<~i7=vz(=Q4}?| zqK3q*f|{z1#H@xOVyYM_rbfg(+#Tn9?(qI~-_Pg1`6v18?7jBh&sxt~-}UTg{r1%F zM`iN>owC#Ue?iLBgWbtPb6GBmerV!GwVk#;Id)SlxwpL+1l+el1R%E*Dy37leWpVy zbdUAM{|H-!xaFz*fhp2I*kU~8(~yE(iDGR1y2_Oe(Pg6xuYNFxXLR3%}rAs zU#P*gj++7~=!~{e($Lr9^#ybk2tTTP@M-*UT>tJv%$^~eC5z>(rq6G#+IL}Q&QMFc zLUtePyXfUQ4Vq19sgMhX^uaoZ$9SZGH7`7Em@iuVqkH&6#F}5YbYZYh!HQhKN!`G@ zlKy7{udS_WX`zh3xy@D>0AfQm`o3^&P4V{f*s-#PjnmeYR{B;3bUF)ZW{oR%2EiRU z2Kz+T5AlVztQn(AQ1hH=wiK}5nmc&{ePb+@T`d9%E&>X+D4lEI@XRUzi2iUaJBJ7Y z#l9B_ppxtu$nl{GDh4y9wYEqRZ+)KdxWKA1&&Yp$h#qhs;%q$Ia&-;`UtkOI9H6-o z0LnuzVJ#!dc(Q`yxk>B{FH8V?@CpQM$wU}l1@dGqae~5efrQ&6PKymQ-072^x$u?> zxvi!#Ez|6MNroRi9^905;C@NM*4R39_Vx(^{8}w89-~7|8&5)43o3X^8kaB>iqsW% zK%21Wa2CqJy1U1VqmII9P-koMZSEx_V(j$I@zZag;xj_tU4tK7-8tWrot`qtYtmCM z9LqADSMyA7yG-Cf2qzk2&`MGW)P}rwj7>xGwaJuK4J(hjg^-nqMi4z24bsBlndcf( zcKJe(RYn(mW*Yqn zFT8=)zQlf4Y`W3SWMFH%VU$Bctu=Ep!?$-FIQ_dgktAI)dYce|*}5>yp8q-M?EF)_ z(?|kB$9D)c@IHGy!DmJrdFm(06iHanNk-?0Q~;%QT{9?g|Ff7ar+H1Qj9D2v`-+Vt zKHFA=D5;M}?gySj&?{o&8C!)~HhZfu_HmxaP24&$w(^=W5-?SgW|o+FWrTiSG3;*V z-MZ0OKAVh646V6HfEe|S@xl+w3U7xNTI3A` zDArytPYG+vR;@jneKoYVWTo;F(UFjAR;r+(dAlK_TE7Apy@1(}-Ngre-=XQO7N=eK zeF)X%kZ^fE7Eyj^IN$2L@p(E5pTiCv@73n{P-hHGleH?s@!O$;8-%QSla2Y&=^)WX z<~JpKJ8OpiD&mA;bSDYT@mBN}rN@HsRX7zBL|qFY@|PN=y=(Kpxj@>Py;DHTw~t!mW5 z(22D+)Z0H+JJDs?XBkOOw(wBsw zOn;o^cfm9=tO|1l)$|2u$lK-9STGUS%AQu)^%|dYP5h@Btxg#GhWgcY=d^B~y);O* zujzg;qGkCdNFh>0@=96-+BQ>jH|$OHvY;T~nhg3e1zaD7j7GA~ne4X)IhfHgO~p3C zZJJrk$YpDL(z3$0;nwoI6HCdsBDA_2JEu44E!BeE+(!uUQON4(X7QRlaIZS;QC=Xx z7z?n5ZKijj`qT|~1IP88so2zDl6T0-r+C(~o|#LoBiPbQ=Tn(vhyE9^m|Dum->QEE 
zp_SoaIyA5Xt&R0asWp7De+Tr@&bNK7&{ocF+Z`E2iBRyykg<4D%_Jzg@*-Y53N z)njHj_xt+;FsZ>c9$xR-0Y%ISKz5F&jWrRDcalTUk=?qKhlx`+p!dm-qZqeWT0d+l zHH(EhI`nO{(gXQpif#1I4y)BB;oJ7qQ;^uf7wG!I)qXH8YWD{r2^A0f_AfWcg?SEj z_b@MYl~8f4AK7Vju~D0x_rV>6d6ivvs(NMx-dh?-xB>Bb<4bIujg9fwp<~Gyp(~od zJj2jx)ct)9zQfK21P3L9DzXr~GSn0Bqb@Nl% zWe;yL=syvo67PjwMs6^o(HdtgR$Mk`Dt#J-@V8|s`e}=Z<|w>Th?fs-zg)AD_1f=; zKZKublTA06>_S`ncC!6>e)H$9f(vMiB8y}V%(0nu9$CP@n6sII2^)d-lRYLKESRh3_2xt;e~PKf_rV-665irKuD zQ&A2>-BDCY_}s6GTidxTat7b>zG?lE9vhpcrGy#`rUhI=VyRq@vlcx}p}80?a|l^u z54^8t_C?C*C1VH*+M+~(d(y;|3p^e*bdhIquxun?s;NKC+z z1KO@y!fK<&s0cN3~yo0+p%wS?|^MpHq<$0^rktUn~*xKgWldqJx^Ju>HVx2Gy| z$T>rzsJhg|+%=j7tF(#5e&#ZVFSLPxl$bwq;gH z&xUT4ieo1h<4v6GWBFw~>ToK)&6Ecnu2J}FvN4NPi}1_y|a$4rmg zgpP2m8^FcSBUa^JO`Ih)zgp9)6SBk0Nyik_8hv&GGE?G;80U%Orklp4z6E7V?IWZZ zu_pCHWoCWv0SwWjTXLHD4{N?<>-sx9Op?T#O#H3q7>}nUK%q~LPdg$O{C?qCv=&L` zks|tU(|QAr@x0RdSe?C}A9;T<1Btctz z)ixZ@u}_*RfU{=}zkvc_Yos(_ljFvX(sVy3Itg^B%(1!Xm2xeoXtLpX*G|G#Ly5Y$ zFL;fBt|i;^6ZJUULnqvT+=?mJVE6@1rqtFNVUG?d1KFX080HI<41(@m|0~sAny#KU zr(rsoT6`TCMo9852e%Uv0EiTB^NopFEDRYDgD0%JgbkWCoF6_T#vp_Y_M#E*W6|1` z4n4!GHCYOrmgwJH3?VX$&&qPc$z58%fS_?W6n3EdG?I-aNJ)n!eu9<;@3Kk%>)>3u zug)>?m|!(+Q3`7ZF$##Jc312{4mW_A6I=plurp^k1i(zQa|R7NTgl}n{!f}|ZlE>| zhC#kvaiN3fql4Q~A`l}I8cd+VGKv240s{{H_c8zLMCl$((%hIA|4KM}XJB@5Y@$Zvwo zGV}Umt`ne}5fm|y$2Na=zXF$1?{}dvbi^`W-}1cMr;<+fgQY58vJY+h3@B+VUgkL&gZ1Uba2LFf%_o{nv zo+w_`n=_v|(? zGNqBy(^4F@Ut$(LuPF7eg+Qg0h@%ZJVj`Hnbf8@{Tt~$$tg(NFwlEB4Tbj-Ffj+3@ zM=p=NjFGyArW2@(gkgn+B#4a?01U|k)#;}2!^g&{)tS7Bck`=&@KN!k{Qa@CpG>XJ zsTsA~poQH6d$u;R+){0Q)zGNSGU>B`m%^`p-(^DEd{o`o?OEL(bYa2uXHBNj%F@Pb z(?uqApSEmnZsa8+zfuj0J}ySF*!S8F``o{^(O96`UnZiUdDeAAa8_zPDJHGZfPv;U zHX(=2C|m2!?)D$;u_O3JQu{Cw23|sJN z(^3!&alPV9CqXb3L$4IIrTR5L@E<)A`#|LiYKY~5V=7G072bHg?|hk9(VFNc314vH zgZx5=QVsC_)q1Of%0cp5IB2$-TetC5({c-)XOyZE5QEQWwu~#YhwozsGj!SVo&Ed? 
zYLj3QKI8PEBr(wJ81m(*ApWjama?Z8s4ezAGD%W0_QwktTe9w_DdqjHbYME)+VVFV zscz_1G*f<5T};hMLWxtC1ja!YlJt-6B%ryk!!Pko44SA`Q{X8MDpt$8*%K+#`t(<| zAlfbeWCeTI73geJ6y%{(||&#G!qeXR+${6Q`1eP^`> z)eeXT4*DRSQ)^+O(fav+1XJ+_xXa$$ILrf*iIZDh_$H7&jW!>CXb}I0ByW~90t6fV z^+HPt((D{J=4rM(9X1%+kjU6Y|2*jF5j}DDThJ1ZrAm^%@$YWKK3Ii($Mi7-u}aQ8EvXx<(bJ@ONF&wDG)^ zk{QQnOB9`x;y#vzANwzd#E#hG|1aY9pBDddWV{%7VL&kV9Ra{G|Ah-02ok^@?6L0v z8XNr2uD!V{C;Zn}hlpJ0K4*CMI~-T9Syaj4$=72R|M>T4ry;PCL;WW}BYN_V*E*95 zwvsgaw;k-l*5`hTnH{T7e zRR7`r Date: Sat, 6 May 2017 04:29:55 +0200 Subject: [PATCH 14/15] Restructured menu and reworked debugging chapter --- docs/debug.md | 27 +++++++++++++++++++++++++++ docs/redis.md | 8 -------- mkdocs.yml | 26 +++++++++++++------------- 3 files changed, 40 insertions(+), 21 deletions(-) diff --git a/docs/debug.md b/docs/debug.md index 4e4c69412..4155d03bc 100644 --- a/docs/debug.md +++ b/docs/debug.md @@ -1,3 +1,5 @@ +## Logs + You can use `docker-compose logs $service-name` for all containers. Run `docker-compose logs` for all logs at once. 
@@ -5,3 +7,28 @@ Run `docker-compose logs` for all logs at once.
 Follow the log output by running docker-compose with `logs -f`.
 Limit the output by calling logs with `--tail=300` like `docker-compose logs --tail=300 mysql-mailcow`.
+
+## Reset admin password
+Reset mailcow admin to `admin:moohoo`:
+
+```
+cd mailcow_path
+bash mailcow-reset-admin.sh
+```
+
+## What container does what
+
+Here is a brief overview of what container does what:
+
+| Container Name | Service Descriptions |
+| --------------- | ------------------------------------------------------------------------- |
+| bind9-mailcow | Local (DNSSEC) DNS Resolver |
+| mysql-mailcow | Stores most of mailcow's settings |
+| postfix-mailcow | Receives and sends mails |
+| dovecot-mailcow | User logins and sieve filter |
+| redis-mailcow | Storage backend for DKIM keys, Rmilter and Rspamd |
+| rspamd-mailcow | Mail filtering system. Used for av handling, dkim signing, spam handling |
+| rmilter-mailcow | Integrates Rspamd into postfix |
+| clamd-mailcow | Scans attachments for viruses |
+| sogo-mailcow | Webmail client that handles Microsoft ActiveSync and Cal- / CardDav |
+| nginx-mailcow | Nginx remote proxy that handles all mailcow related HTTP / HTTPS requests |
diff --git a/docs/redis.md b/docs/redis.md
index 996a4723a..61ded2cc5 100644
--- a/docs/redis.md
+++ b/docs/redis.md
@@ -13,11 +13,3 @@ docker-compose exec redis-mailcow redis-cli
 - Remove volume `rspamd-vol-1` to remove all Rspamd data.
 Running `docker-compose down -v` will **destroy all mailcow: dockerized volumes** and delete any related containers.
-
-## Reset admin password
-Reset mailcow admin to `admin:moohoo`:
-
-```
-cd mailcow_path
-bash mailcow-reset-admin.sh
-```
diff --git a/mkdocs.yml b/mkdocs.yml
index 8268cf5a2..09290c9d7 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -19,27 +19,27 @@ pages:
 - 'Rspamd Web UI': 'rspamd_ui.md'
 - 'Reverse Proxy': 'rp.md'
 - 'Setup a Relayhost (optional)': 'relayhost.md'
- - 'Log to Syslog': 'syslog.md'
+ - 'Log to Syslog & fail2ban': 'syslog.md'
 - 'Local MTA on Docker Host': 'local_mta.md'
 - 'Sender and Receiver Model': 'sender_rcv.md'
 - 'Usage & Examples':
+ - 'Debugging & Troubleshooting': 'debug.md'
 - 'mailcow UI Configuration': 'mailcow_ui.md'
- - 'Redirect HTTP to HTTPS': '80_to_443.md'
- - 'Anonymize Headers': 'anonym_headers.md'
- - 'Adjust Service Configurations': 'change_config.md'
- - 'Docker Compose Bash Completion': 'dc_bash_compl.md'
- - 'Two-Factor Authentication': 'tfa.md'
- - 'Blacklist / Whitelist': 'bl_wl.md'
- - 'Backup Maildir': 'backup_maildir.md'
- - 'Customize Dockerfiles': 'cust_dockerfiles.md'
- - 'Disable Sender Addresses Verification': 'disable_sender_verification.md'
- - 'Debug': 'debug.md'
- - 'Autodiscover / Autoconfig': 'autodiscover_config.md'
 - 'Redis': 'redis.md'
 - 'MySQL': 'mysql.md'
 - 'Rspamd': 'rspamd.md'
- - 'Tagging': 'tagging.md'
 - 'Why bind9?': 'why_bind9.md'
+ - 'Adjust Service Configurations': 'change_config.md'
+ - 'Customize Dockerfiles': 'cust_dockerfiles.md'
+ - 'Docker Compose Bash Completion': 'dc_bash_compl.md'
+ - 'Backup Maildir': 'backup_maildir.md'
+ - 'Two-Factor Authentication': 'tfa.md'
+ - 'Redirect HTTP to HTTPS': '80_to_443.md'
+ - 'Anonymize Headers': 'anonym_headers.md'
+ - 'Tagging': 'tagging.md'
+ - 'Blacklist / Whitelist': 'bl_wl.md'
+ - 'Autodiscover / Autoconfig': 'autodiscover_config.md'
+ - 'Disable Sender Addresses Verification': 'disable_sender_verification.md'
 - 'Third party apps':
 - 'Roundcube': 'roundcube.md'
 - 'Portainer': 'portainer.md'
From eb8d9c86445cd40ae8413f18748064603c663504 Mon Sep 17 00:00:00 2001
From: timo
Date: Sat, 6 May 2017 04:54:23 +0200
Subject: [PATCH 15/15] Spellings
---
 docs/mc14_import.md | 6 +++---
 docs/tfa.md | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/docs/mc14_import.md b/docs/mc14_import.md
index 5f755d398..7d044663d 100644
--- a/docs/mc14_import.md
+++ b/docs/mc14_import.md
@@ -66,7 +66,7 @@ mysqldump --replace --no-create-info --default-character-set=utf8mb4 \
 ## Prepare mailcow: dockerized
-To initiate your a fresh database, visit **https://${MAILCOW_HOSTNAME}** with a browser of your choice. Check if the DB is initiated correctly afterwards:
+To initiate your fresh installed database, visit **https://${MAILCOW_HOSTNAME}** with a browser of your choice. Check if the DB is initiated correctly afterwards:
 ```
 # source mailcow.conf
@@ -93,8 +93,8 @@ MariaDB [mailcow]> show tables;
 # docker-compose exec dovecot-mailcow doveadm quota recalc -A
 ```
- Restart SOGo:
+ Restart services:
 ```
- # docker-compose restart sogo-mailcow
+ # docker-compose restart
 ```
diff --git a/docs/tfa.md b/docs/tfa.md
index 8f5e2079f..8eaa827b7 100644
--- a/docs/tfa.md
+++ b/docs/tfa.md
@@ -1,4 +1,4 @@
-So far three methods for *Two Factor Authentication* are implemented: U2F, Yubi OTP, and TOTP
+So far three methods for *Two-Factor Authentication* are implemented: U2F, Yubi OTP, and TOTP
 - For U2F to work, you need an encrypted connection to the server (HTTPS) as well as a FIDO security key.
 - Both U2F and Yubi OTP work well with the fantastic [Yubikey](https://www.yubico.com).