From 2cc7e092b3b76a6318931401b2c3b861564cbbf6 Mon Sep 17 00:00:00 2001 From: Stephen Schwetz Date: Tue, 4 May 2021 00:22:42 +1000 Subject: [PATCH 1/9] Provide better examples and more explanation Updated IP Ranges to correct documentation ranges Provided IPv6 Example Added warning about becoming an open relay --- docs/firststeps-trust_networks.md | 31 +++++++++++++++++++++++++------ 1 file changed, 25 insertions(+), 6 deletions(-) diff --git a/docs/firststeps-trust_networks.md b/docs/firststeps-trust_networks.md index e12dd9dfb..07886b51d 100644 --- a/docs/firststeps-trust_networks.md +++ b/docs/firststeps-trust_networks.md 
@@ -1,11 +1,30 @@ -Per default mailcow considers all networks as untrusted, except for its own IPV4_NETWORK and IPV6_NETWORK scope. Though it is reasonable in most cases, you may want to loosen this restriction under certain circumstances to allow connections from other networks. +## Default Unauthenticated Relaying +By default mailcow considers all networks as untrusted, excluding its own IPV4_NETWORK and IPV6_NETWORK scopes. Though it is reasonable in most cases, there may be circumstances that you need to loosen this restriction +As default we use "mynetworks_style = subnet". -To change this behaviour override the default value of `mynetworks` parameter through the `data/conf/postfix/extra.cf` configuration file. +## Permitting unauthenticated relaying. -**Important**: Do **not** remove the networks listed as `IPV4_NETWORK` and `IPV6_NETWORK` in your mailcow.conf. You should also keep local addresses. To add `1.2.3.4/32` it may look like the configuration below: +!!! Warning +Incorrect setup of mynetworks will allow your server to be used as an open relay to send unsolicitated bulk email. This **will** affect your ability to send emails to other mail servers, and can take some time to be reversed. If you don't know what this is for, than you do not need it. -``` -mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 [fe80::]/10 172.22.1.0/24 [fd4d:6169:6c63:6f77::]/64 1.2.3.4/32 +!!! Note Do **not** remove the networks listed as `IPV4_NETWORK` and `IPV6_NETWORK` from your mailcow.conf, or the loopback ranges 127.0.0.0/8, [::ffff:127.0.0.0]/104, and [::1]. + +To change the my behaviour override the default value of `mynetworks` parameter through the `data/conf/postfix/extra.cf` configuration file. 
+ +### Permitting IPV4 hosts +To add `192.0.2.0/24` it may look like the configuration below: + +``` data/conf/postfix/extra.cf +mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 [fe80::]/10 172.22.1.0/24 [fd4d:6169:6c63:6f77::]/64 192.0.2.0/24 ``` -Per default we use "mynetworks_style = subnet" to only include local networks we are part of. +### Permitting IPv6 hosts + +The addition of ipv6 hosts is done the same as ipv4, however the subnet needs to be placed between [ ] with the netmask appearing after it. To add 2001:DB8::/32 to be allowed to relay we would use the following configuration: + +``` data/conf/postfix/extra.cf +mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 [fe80::]/10 172.22.1.0/24 [fd4d:6169:6c63:6f77::]/64 [2001:DB8::]/32 +``` + +!!! Info +Further Information on Postfix's mynetwork can be located [here](http://www.postfix.org/postconf.5.html#mynetworks "Postfix's mynetworks") From d6512bdc6a9a35cb385d81e37f91d6e77c0c02e5 Mon Sep 17 00:00:00 2001 From: Stephen Schwetz Date: Tue, 4 May 2021 01:00:20 +1000 Subject: [PATCH 2/9] Update prerequisite-dns.md quick tidy up --- docs/prerequisite-dns.md | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/docs/prerequisite-dns.md b/docs/prerequisite-dns.md index 0d198c428..c9a23e60b 100644 --- a/docs/prerequisite-dns.md +++ b/docs/prerequisite-dns.md 
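Review bot: in the patch 1 hunk for docs/firststeps-trust_networks.md, the line `!!! Note Do **not** remove the networks listed as ...` puts the admonition body on the `!!! Note` marker line itself; the admonition syntax used elsewhere in this hunk (`!!! Warning`, `!!! Info`) expects only the type and an optional quoted title on that line with the body indented beneath it, so this sentence will not render inside a Note box. Move the text to an indented line under `!!! Note`, and indent the `Incorrect setup of mynetworks ...` body under `!!! Warning` the same way, since an unindented body renders as an empty box followed by a plain paragraph. The added prose also needs three wording fixes before merge: `unsolicitated bulk email` (unsolicited), `If you don't know what this is for, than you do not need it` (then), and `To change the my behaviour` (the). Lastly, the Note only names the loopback ranges, while the example line also carries `172.22.1.0/24` and `[fd4d:6169:6c63:6f77::]/64` without saying these stand for the reader's own IPV4_NETWORK and IPV6_NETWORK values; a reader whose mailcow uses different scopes and pastes the line as-is drops exactly the networks the Note says must stay in the list.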
@@ -86,7 +86,8 @@ Here are some tools you can use to verify your DNS configuration: ### Optional DMARC Statistics If you are interested in statistics, you can additionally register with some of the many below DMARC statistic services, or self-host your own. -**NOTE:** It is worth considering that if you request DMARC statistic reports to your mailcow server, if there are issues with that domain you may not get accurate results. You can consider using an alternative email domain for recieving DMARC reports. +!!! Tip +It is worth considering that if you request DMARC statistic reports to your mailcow server, if there are issues with that domain you may not get accurate results. You can consider using an alternative email domain for recieving DMARC reports. It is worth mentioning, that the following suggestions are not a comprehensive list of all services and tools avaialble, but only a small few of the many choices. 
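Review bot: `recieving` in the new `!!! Tip` body is misspelled (receiving); patch 5 of this series corrects it again, so either fix it here or squash the two commits. The body line `It is worth considering ...` is also not indented under `!!! Tip`, so with the admonition extension it renders as an empty Tip box followed by a normal paragraph; indent it by four spaces as the admonition syntax requires.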
@@ -96,18 +97,14 @@ It is worth mentioning, that the following suggestions are not a comprehensive l - [Postmark](https://dmarc.postmarkapp.com) - [Dmarcian](https://dmarcian.com/) -**NOTE:** The services may provide you with a TXT record, which you would insert into your DNS records as the provider specifies. This record will give you details about spam-classified mails by your domain. However, please ensure to read the providers documentation from the service you choose, as this process may vary and not all providers may use a TXT record. +!!! Tip +The services may provide you with a TXT record, which you would insert into your DNS records as the provider specifies. This record will give you details about spam-classified mails by your domain. However, please ensure to read the providers documentation from the service you choose, as this process may vary and not all providers may use a TXT record. ### Email Test for SPF, DKIM and DMARC: -To test send an email to the email below and wait for a reply: - -check-auth@verifier.port25.com - -You will get a report back that looks like the following: +To test send an email to the email check-auth@verifier.port25.com and wait for a reply. You will get a report back that looks like the following: ``` - ========================================================== Summary of Results ========================================================== From 9585becdd3aa0fbe991a021b1786aeecf2be022d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Mon, 3 May 2021 21:33:14 +0200 Subject: [PATCH 3/9] Update docs/firststeps-trust_networks.md Co-authored-by: Peter --- docs/firststeps-trust_networks.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/firststeps-trust_networks.md b/docs/firststeps-trust_networks.md index 07886b51d..a1576cc13 100644 --- a/docs/firststeps-trust_networks.md +++ b/docs/firststeps-trust_networks.md 
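Review bot: in the second hunk of patch 2 (docs/prerequisite-dns.md), `To test send an email to the email check-auth@verifier.port25.com and wait for a reply` reads awkwardly; `To test, send an email to check-auth@verifier.port25.com and wait for a reply` is clearer. The `!!! Tip` body `The services may provide you with a TXT record ...` has the same missing indentation as the Tip in the previous hunk and will not render inside the box. Dropping the empty line after the opening fence is fine.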
@@ -20,7 +20,7 @@ mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 [fe80::]/10 172.22.1.0 ### Permitting IPv6 hosts -The addition of ipv6 hosts is done the same as ipv4, however the subnet needs to be placed between [ ] with the netmask appearing after it. To add 2001:DB8::/32 to be allowed to relay we would use the following configuration: +The addition of IPv6 hosts is done the same as IPv4, however the subnet needs to be placed between [ ] with the netmask appearing after it. To add 2001:db8::/32 to be allowed to relay we would use the following configuration: ``` data/conf/postfix/extra.cf mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 [fe80::]/10 172.22.1.0/24 [fd4d:6169:6c63:6f77::]/64 [2001:DB8::]/32 From 860c6f783d9af9d2ec8d2f3bdd23d96baa66f60f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Mon, 3 May 2021 21:33:29 +0200 Subject: [PATCH 4/9] Update docs/firststeps-trust_networks.md Co-authored-by: Peter --- docs/firststeps-trust_networks.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/firststeps-trust_networks.md b/docs/firststeps-trust_networks.md index a1576cc13..ba43d7cac 100644 --- a/docs/firststeps-trust_networks.md +++ b/docs/firststeps-trust_networks.md @@ -12,7 +12,7 @@ Incorrect setup of mynetworks will allow your server to be used as an open relay To change the my behaviour override the default value of `mynetworks` parameter through the `data/conf/postfix/extra.cf` configuration file. ### Permitting IPV4 hosts -To add `192.0.2.0/24` it may look like the configuration below: +To add `192.168.2.0/24` it may look like the configuration below: ``` data/conf/postfix/extra.cf mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 [fe80::]/10 172.22.1.0/24 [fd4d:6169:6c63:6f77::]/64 192.0.2.0/24 From e4e868436c93600205f160a7670e712dd0a7911a Mon Sep 17 00:00:00 2001 
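Review bot: patch 3 lowercases `2001:db8::/32` in the prose, but the fenced example two lines below in the trailing context still reads `[2001:DB8::]/32`; change both in the same commit so the text and the configuration line agree (patch 7 in this series later does exactly that).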
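Review bot: patch 4 changes the prose to `192.168.2.0/24` while the fenced line in the trailing context still shows `192.0.2.0/24`, so the heading and the example now disagree. The direction of the change is also questionable: 192.0.2.0/24 is the RFC 5737 documentation range that patch 1 of this series deliberately switched to ("Updated IP Ranges to correct documentation ranges"), whereas 192.168.2.0/24 is a live RFC 1918 range a reader may really have on their LAN, and pasting the example verbatim would grant that whole LAN unauthenticated relay. Keep 192.0.2.0/24 in both places, which also matches the 2001:db8::/32 documentation prefix used for the IPv6 example.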
From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Mon, 3 May 2021 21:34:07 +0200 Subject: [PATCH 5/9] Update docs/prerequisite-dns.md Co-authored-by: Peter --- docs/prerequisite-dns.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/prerequisite-dns.md b/docs/prerequisite-dns.md index c9a23e60b..714bef480 100644 --- a/docs/prerequisite-dns.md +++ b/docs/prerequisite-dns.md @@ -87,7 +87,7 @@ Here are some tools you can use to verify your DNS configuration: If you are interested in statistics, you can additionally register with some of the many below DMARC statistic services, or self-host your own. !!! Tip -It is worth considering that if you request DMARC statistic reports to your mailcow server, if there are issues with that domain you may not get accurate results. You can consider using an alternative email domain for recieving DMARC reports. +It is worth considering that if you request DMARC statistic reports to your mailcow server, if there are issues with that domain you may not get accurate results. You can consider using an alternative email domain for receiving DMARC reports. It is worth mentioning, that the following suggestions are not a comprehensive list of all services and tools avaialble, but only a small few of the many choices. From 77bad7d6c2d288588bd6e77d3df1cac4e5b86c96 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Mon, 3 May 2021 21:34:23 +0200 Subject: [PATCH 6/9] Update docs/prerequisite-dns.md Co-authored-by: Peter --- docs/prerequisite-dns.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/prerequisite-dns.md b/docs/prerequisite-dns.md index 714bef480..ee574290c 100644 --- a/docs/prerequisite-dns.md +++ b/docs/prerequisite-dns.md 
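Review bot: `avaialble` in the trailing context line of the patch 5 hunk is still misspelled (available); since this commit exists only to correct `recieving`, fix the second typo in the same paragraph at the same time.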
@@ -102,7 +102,7 @@ The services may provide you with a TXT record, which you would insert into your ### Email Test for SPF, DKIM and DMARC: -To test send an email to the email check-auth@verifier.port25.com and wait for a reply. You will get a report back that looks like the following: +To test send an email to the email `check-auth at verifier.port25.com` and wait for a reply. You will get a report back that looks like the following: ``` ========================================================== From 832b7ccfe2fe777a3eeb47826050fd0b0a23e3f9 Mon Sep 17 00:00:00 2001 From: Peter Date: Mon, 3 May 2021 22:55:26 +0200 Subject: [PATCH 7/9] Update docs/firststeps-trust_networks.md --- docs/firststeps-trust_networks.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/firststeps-trust_networks.md b/docs/firststeps-trust_networks.md index ba43d7cac..18fdff11a 100644 --- a/docs/firststeps-trust_networks.md +++ b/docs/firststeps-trust_networks.md @@ -23,7 +23,7 @@ mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 [fe80::]/10 172.22.1.0 The addition of IPv6 hosts is done the same as IPv4, however the subnet needs to be placed between [ ] with the netmask appearing after it. To add 2001:db8::/32 to be allowed to relay we would use the following configuration: ``` data/conf/postfix/extra.cf -mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 [fe80::]/10 172.22.1.0/24 [fd4d:6169:6c63:6f77::]/64 [2001:DB8::]/32 +mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 [fe80::]/10 172.22.1.0/24 [fd4d:6169:6c63:6f77::]/64 [2001:db8::]/32 ``` !!! Info From 093f786b3ee59aaf19e350881b855f6d547a3e20 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Tue, 4 May 2021 12:04:03 +0200 Subject: [PATCH 8/9] Update firststeps-trust_networks.md --- docs/firststeps-trust_networks.md | 35 ++++++++++++++++++------------- 1 file changed, 21 insertions(+), 14 deletions(-) 
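Review bot: in the patch 6 hunk, rendering the address as `check-auth at verifier.port25.com` inside a code span makes it look like a literal to copy, and a reader who pastes it into a mail client will not reach the verifier. The page asks the reader to send a message to this address, so it should be copyable: keep the plain `check-auth@verifier.port25.com`, or state next to it that `at` stands for `@`.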
diff --git a/docs/firststeps-trust_networks.md b/docs/firststeps-trust_networks.md index 18fdff11a..801371e14 100644 --- a/docs/firststeps-trust_networks.md +++ b/docs/firststeps-trust_networks.md 
@@ -1,30 +1,37 @@ -## Default Unauthenticated Relaying -By default mailcow considers all networks as untrusted, excluding its own IPV4_NETWORK and IPV6_NETWORK scopes. Though it is reasonable in most cases, there may be circumstances that you need to loosen this restriction -As default we use "mynetworks_style = subnet". +By default mailcow considers **all networks as untrusted** excluding its own IPV4_NETWORK and IPV6_NETWORK scopes. Though it is reasonable in most cases, there may be circumstances that you need to loosen this restriction. -## Permitting unauthenticated relaying. +By default mailcow uses `mynetworks_style = subnet` to determine internal subnets and leaves `mynetworks` unconfigured. + +If you decide to set `mynetworks`, Postfix ignores the mynetworks_style setting. This means you **have to** add the IPV4_NETWORK and IPV6_NETWORK scopes as well as loopback subnets manually! + +## Unauthenticated relaying !!! Warning -Incorrect setup of mynetworks will allow your server to be used as an open relay to send unsolicitated bulk email. This **will** affect your ability to send emails to other mail servers, and can take some time to be reversed. If you don't know what this is for, than you do not need it. +Incorrect setup of `mynetworks` will allow your server to be used as an open relay. If abused, this **will** affect your ability to send emails and can take some time to be resolved. -!!! Note Do **not** remove the networks listed as `IPV4_NETWORK` and `IPV6_NETWORK` from your mailcow.conf, or the loopback ranges 127.0.0.0/8, [::ffff:127.0.0.0]/104, and [::1]. +### IPv4 hosts/subnets -To change the my behaviour override the default value of `mynetworks` parameter through the `data/conf/postfix/extra.cf` configuration file. 
+To add the subnet `192.168.2.0/24` to the trusted networks you may use the following configuration, depending on your IPV4_NETWORK and IPV6_NETWORK scopes: -### Permitting IPV4 hosts -To add `192.168.2.0/24` it may look like the configuration below: +Edit `data/conf/postfix/extra.cf`: -``` data/conf/postfix/extra.cf -mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 [fe80::]/10 172.22.1.0/24 [fd4d:6169:6c63:6f77::]/64 192.0.2.0/24 +``` +mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 [fe80::]/10 172.22.1.0/24 [fd4d:6169:6c63:6f77::]/64 192.168.2.0/24 ``` -### Permitting IPv6 hosts +Run `docker-compose restart postfix-mailcow` to apply your new settings. -The addition of IPv6 hosts is done the same as IPv4, however the subnet needs to be placed between [ ] with the netmask appearing after it. To add 2001:db8::/32 to be allowed to relay we would use the following configuration: +### IPv6 hosts/subnets + +Adding IPv6 hosts is done the same as IPv4, however the subnet needs to be placed in brackets `[]` with the netmask appended. + +To add the subnet 2001:db8::/32 to the trusted networks you may use the following configuration, depending on your IPV4_NETWORK and IPV6_NETWORK scopes: ``` data/conf/postfix/extra.cf mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 [fe80::]/10 172.22.1.0/24 [fd4d:6169:6c63:6f77::]/64 [2001:db8::]/32 ``` +Run `docker-compose restart postfix-mailcow` to apply your new settings. + !!! Info -Further Information on Postfix's mynetwork can be located [here](http://www.postfix.org/postconf.5.html#mynetworks "Postfix's mynetworks") +More information about mynetworks can be found in the [Postfix documentation](http://www.postfix.org/postconf.5.html#mynetworks). From 045ab389e8f86941f67558fa453020a6b849a923 Mon Sep 17 00:00:00 2001 
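Review bot: in the patch 8 hunk, the sentence `If you decide to set mynetworks, Postfix ignores the mynetworks_style setting` is the key security point of the page, but the examples still hard-code `172.22.1.0/24` and `[fd4d:6169:6c63:6f77::]/64`, and `depending on your IPV4_NETWORK and IPV6_NETWORK scopes` is the only hint that these must be replaced. Say explicitly that those two entries are placeholders for the values in mailcow.conf, since a verbatim copy on a different scope silently drops the mailcow containers from the trusted list. Two smaller points: the IPv4 section now uses `Edit data/conf/postfix/extra.cf:` followed by a bare fence, while the IPv6 section still has ``` data/conf/postfix/extra.cf ``` as the fence info string, which renderers treat as a language tag; make both consistent. And the `Incorrect setup of mynetworks ...` body is not indented under `!!! Warning`, so it will render outside the box. Consider adding, after the `docker-compose restart postfix-mailcow` step, a check such as `docker-compose exec postfix-mailcow postconf mynetworks` so readers can confirm the effective value before exposing the server.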
From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Tue, 4 May 2021 12:36:07 +0200 Subject: [PATCH 9/9] Update prerequisite-dns.md --- docs/prerequisite-dns.md | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/docs/prerequisite-dns.md b/docs/prerequisite-dns.md index ee574290c..e5e7427cd 100644 --- a/docs/prerequisite-dns.md +++ b/docs/prerequisite-dns.md @@ -84,10 +84,11 @@ Here are some tools you can use to verify your DNS configuration: ## Misc ### Optional DMARC Statistics -If you are interested in statistics, you can additionally register with some of the many below DMARC statistic services, or self-host your own. + +If you are interested in statistics, you can additionally register with some of the many below DMARC statistic services - or self-host your own. !!! Tip -It is worth considering that if you request DMARC statistic reports to your mailcow server, if there are issues with that domain you may not get accurate results. You can consider using an alternative email domain for receiving DMARC reports. +It is worth considering that if you request DMARC statistic reports to your mailcow server and your mailcow server is not configured correctly to receive these reports, you may not get accurate and complete results. Please consider using an alternative email domain for receiving DMARC reports. It is worth mentioning, that the following suggestions are not a comprehensive list of all services and tools avaialble, but only a small few of the many choices. 
@@ -98,11 +99,12 @@ It is worth mentioning, that the following suggestions are not a comprehensive l - [Dmarcian](https://dmarcian.com/) !!! Tip -The services may provide you with a TXT record, which you would insert into your DNS records as the provider specifies. This record will give you details about spam-classified mails by your domain. However, please ensure to read the providers documentation from the service you choose, as this process may vary and not all providers may use a TXT record. -### Email Test for SPF, DKIM and DMARC: +These services may provide you with a TXT record you need to insert into your DNS records as the provider specifies. Please ensure to read the providers documentation from the service you choose as this process may vary. -To test send an email to the email `check-auth at verifier.port25.com` and wait for a reply. You will get a report back that looks like the following: +### Email test for SPF, DKIM and DMARC: + +To run a rudimentary email authentication check, send a mail to `check-auth at verifier.port25.com` and wait for a reply. You will find a report similar to the following: ``` ========================================================== @@ -119,8 +121,10 @@ Details: ========================================================== .... ``` -The full report will contain more technical details this is just the first section, we found this to be quite usful for testing both outgoing mail and spam scores. + +The full report will contain more technical details. ### Fully Qualified Domain Name (FQDN) + [^1]: A **Fully Qualified Domain Name** (**FQDN**) is the complete (absolute) domain name for a specific computer or host, on the Internet. The FQDN consists of at least three parts divided by a dot: the hostname (myhost), the domain name (mydomain) and the top level domain in short **tld** (com). In the example of `mx.mailcow.email` the hostname would be `mx`, the domain name `mailcow` and the tld `email`.
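Review bot: the re-added heading `### Email test for SPF, DKIM and DMARC:` keeps a trailing colon that no other heading in this file uses (`### Optional DMARC Statistics`, `### Fully Qualified Domain Name (FQDN)`); drop it. In the same hunk, `read the providers documentation` wants an apostrophe (provider's), and the `!!! Tip` body `These services may provide you with a TXT record ...` is still unindented and will render outside the box. Removing the `we found this to be quite usful` sentence in the last hunk is fine.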