Merge branch 'master' of https://github.com/mailcow/mailcow-dockerized-docs

docs/firststeps-disable_ipv6.md

@@ -1,19 +1,50 @@
 This is **ONLY** recommended if you do not have an IPv6 enabled network on your host!
 
-If IPv6 MUST be disabled to fit a network, open `docker-compose.yml`, search for `enable_ipv6`...
+If you really need to, you can disable the usage of IPv6 in the compose file.
+Additionally, you can  also disable the startup of container "ipv6nat-mailcow", as it's not needed if you won't use IPv6.
 
+Instead of editing docker-compose.yml directly, it is preferrable to create an override file for it 
+and implement your changes to the service there. Unfortunately, this right now only seems to work for services, not for network settings.
+
+To disable IPv6 on the mailcow network, open docker-compose.yml with your favourite text editor and search for the network section (it's near the bottom of the file). 
+
+Change `enable_ipv6: true` to `enable_ipv6: false`:
 
 ```
 networks:
   mailcow-network:
-    [...]
+    driver: bridge
+    driver_opts:
+      com.docker.network.bridge.name: br-mailcow
     enable_ipv6: true
-    [...]
+    ipam:
+      driver: default
+      config:
+        - subnet: ${IPV4_NETWORK:-172.22.1}.0/24
+        - subnet: ${IPV6_NETWORK:-fd4d:6169:6c63:6f77::/64}
 ```
 
-...change it to `enable_ipv6: false`.
+To disable the ipv6nat-mailcow container as well, go to your mailcow directory and create a new file called "docker-compose.override.yml": 
 
-mailcow needs to be shutdown, the containers removed and the network recreated:
+**NOTE:** If you already have an override file, of course don't recreate it, but merge the lines below into your existing one accordingly!
+
+```
+# cd /opt/mailcow-dockerized
+# touch docker-compose.override.yml
+```
+
+Open the file in your favourite text editor and fill in the following:
+
+```
+version: '2.1'
+services:
+
+    ipv6nat-mailcow:
+      restart: "no"
+      entrypoint: ["echo", "ipv6nat disabled in compose.override.yml"]
+```
+
+For these changes to be effective, you need to fully stop and then restart the stack, so containers and networks are recreated:
 
 ```
 docker-compose down

docs/firststeps-rp.md

@@ -98,11 +98,10 @@ server {
   return 301 https://$host$request_uri;
 }
 server {
-  listen 443;
+  listen 443 ssl;
-  listen [::]:443;
+  listen [::]:443 ssl;
   server_name CHANGE_TO_MAILCOW_HOSTNAME autodiscover.* autoconfig.*;
 
-  ssl on;
   ssl_certificate MAILCOW_PATH/data/assets/ssl/cert.pem;
   ssl_certificate_key MAILCOW_PATH/data/assets/ssl/key.pem;
   ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
@@ -133,7 +132,10 @@ server {
 }
 ```
 
-### HAProxy
+### HAProxy (community supported)
+
+!!! warning
+    This is an unsupported community contribution. Feel free to provide fixes.
 
 **Important/Fixme**: This example only forwards HTTPS traffic and does not use mailcows built-in ACME client.
 
@@ -149,6 +151,77 @@ backend mailcow
   server mailcow 127.0.0.1:8080 check
 ```
 
+### Traefik v2 (community supported)
+
+!!! warning
+    This is an unsupported community contribution. Feel free to provide fixes.
+
+**Important**: This config only covers the "reverseproxing" of the webpannel (nginx-mailcow) using Traefik v2, if you also want to reverseproxy the mail services such as dovecot, postfix... you'll just need to adapt the following config to each container and create an [EntryPoint](https://docs.traefik.io/routing/entrypoints/) on your `traefik.toml` or `traefik.yml` (depending which config you use) for each port. 
+
+For this section we'll assume you have your Traefik 2 `[certificatesresolvers]` properly configured on your traefik configuration file, and also using acme, also, the following example uses Lets Encrypt, but feel free to change it to your own cert resolver. You can find a basic Traefik 2 toml config file with all the above implemented which can be used for this example here [traefik.toml](https://github.com/Frenzoid/TraefikBasicConfig/blob/master/traefik.toml) if you need one, or a hint on how to adapt your config.
+
+
+So, first of all, we are going to disable the acme-mailcow container since we'll use the certs that traefik will provide us.
+For this we'll have to set `SKIP_LETS_ENCRYPT=y` on our `mailcow.conf`, and run `docker-compose up -d` to apply the changes.
+
+Then we'll create a `docker-compose.override.yml` file in order to override the main `docker-compose.yml` found in your mailcow root folder. 
+
+```
+version: '2.1'
+
+services:
+    nginx-mailcow:
+      networks:
+        # add Traefik's network
+        web:
+      labels:
+        - traefik.enable=true
+        # Creates a router called "moo" for the container, and sets up a rule to link the container to certain rule,
+        #   in this case, a Host rule with our MAILCOW_HOSTNAME var.
+        - traefik.http.routers.moo.rule=Host(`${MAILCOW_HOSTNAME}`)
+        # Enables tls over the router we created before.
+        - traefik.http.routers.moo.tls=true
+        # Specifies which kind of cert resolver we'll use, in this case le (Lets Encrypt).
+        - traefik.http.routers.moo.tls.certresolver=le
+        # Creates a service called "moo" for the container, and specifies which internal port of the container
+        #   should traefik route the incoming data to.
+        - traefik.http.services.moo.loadbalancer.server.port=80
+        # Specifies which entrypoint (external port) should traefik listen to, for this container.
+        #   websecure being port 443, check the traefik.toml file liked above.
+        - traefik.http.routers.moo.entrypoints=secure
+
+    certdumper:
+        image: humenius/traefik-certs-dumper
+        container_name: traefik_certdumper
+        volumes:
+          # mount the folder which contains Traefik's `acme.json' file
+          #   in this case Traefik is started from its own docker-compose in ../traefik
+          - ../traefik/data:/traefik:ro
+          # mount mailcow's SSL folder
+          - ./data/assets/ssl/:/output:rw
+        environment:
+          # only change this, if you're using another domain for mailcow's web frontend compared to the standard config
+          - DOMAIN=${MAILCOW_HOSTNAME}
+
+networks:
+  web:
+    external: true
+```
+
+Start the new containers with `docker-compose up -d`.
+
+
+Now, theres only one thing left to do, which is setup the certs so that the mail services can use them as well, since Traefik 2 uses an acme v2 format to save ALL the license from all the domains we have, we'll need to find a way to dump the certs, lucky we have [this tiny container](https://hub.docker.com/r/humenius/traefik-certs-dumper) which grabs the `acme.json` file trough a volume, and a variable `DOMAIN=example.org`, and with these, the container will output the `cert.pem` and `key.pem` files, for this we'll simply run the `traefik-certs-dumper` container binding the `/traefik` volume to the folder where our `acme.json` is saved, bind the `/output` volume to our mailcow `data/assets/ssl/` folder, and set up the `DOMAIN=example.org` variable to the domain we want the certs dumped from. 
+
+This container will watch over the `acme.json` file for any changes, and regenerate the `cert.pem` and `key.pem` files directly into `data/assets/ssl/` being the path binded to the container's `/output` path.
+
+You can use the command line to run it, or use the docker-compose shown [here](https://hub.docker.com/r/humenius/traefik-certs-dumper).
+
+After we have the certs dumped, we'll have to reload the configs from our postfix and dovecot containers, and check the certs, you can see how [here](https://mailcow.github.io/mailcow-dockerized-docs/firststeps-ssl/#how-to-use-your-own-certificate).
+
+Aaand that should be it 😊, you can check if the Traefik router works fine trough Traefik's dashboard / traefik logs / accessing the setted domain trough https, or / and check HTTPS, SMTP and IMAP trough the commands shown on the page linked before.
+
+
 ### Optional: Post-hook script for non-mailcow ACME clients
 
 Using a local certbot (or any other ACME client) requires to restart some containers, you can do this with a post-hook script.

docs/firststeps-ssl.md

@@ -31,6 +31,20 @@ A wildcard name like `smtp.*` will try to obtain a smtp.DOMAIN_NAME SAN for each
 
 Run `docker-compose up -d` to recreate affected containers automatically.
 
+### Force renewal
+
+To force a renewal, you need to create a file named `force_renew` and restart the `acme-mailcow` container:
+
+```
+cd /opt/mailcow-dockerized
+touch data/assets/ssl/force_renew
+docker-compose restart acme-mailcow
+# Now check the logs for a renewal
+docker-compose logs --tail=200 -f acme-mailcow
+```
+
+The file will be deleted automatically.
+
 ### Validation errors and how to skip validation
 
 You can skip the **IP verification** by setting `SKIP_IP_CHECK=y` in mailcow.conf (no quotes). Be warned that a misconfiguration will get you ratelimited by Let's Encrypt! This is primarily useful for multi-IP setups where the IP check would return the incorrect source IP. Due to using dynamic IPs for acme-mailcow, source NAT is not consistent over restarts.

docs/i_u_m_migration.md

@@ -24,8 +24,9 @@ chmod +x /usr/local/bin/docker-compose
 
 Please use the latest Docker engine available and do not use the engine that ships with your distros repository.
 
-**2\.** Make sure that Docker is stopped:
+**2\.** Stop Docker and assure Docker has stopped:
 ```
+systemctl stop docker.service
 systemctl status docker.service
 ```
     

docs/prerequisite-system.md

@@ -31,7 +31,7 @@ ClamAV and Solr are greedy RAM munchers. You can disable them in `mailcow.conf`
 Please check if any of mailcow's standard ports are open and not in use by other applications:
 
 ```
-# netstat -tulpn | grep -E -w '25|80|110|143|443|465|587|993|995'
+# netstat -tulpn | grep -E -w '25|80|110|143|443|465|587|993|995|4190'
 ```
 
 !!! warning

docs/u_e-postfix-disable_sender_verification.md

@@ -4,7 +4,7 @@ Edit a mailbox and select "Allow to send as *".
 
 For historical reasons we kept the old and deprecated guide below:
 
-## Deprecated guide
+## Deprecated guide (DO NOT USE ON NEWER MAILCOWS!)
 
 This option is not best-practice and should only be implemented when there is no other option available to achieve whatever you are trying to do.
 

docs/u_e-postfix-postscreen_whitelist.md

@@ -1,3 +1,3 @@
-IPs can be removed from Postscreen and therefore _also_ from RBL checks in `data/conf/postfix/postscreen_access.cidr`.
+IPs can be removed from Postscreen and therefore _also_ from RBL checks in `data/conf/postfix/custom_postscreen_whitelist.cidr`.
 
 Postscreen does multiple checks to identify malicious senders. In most cases you want to whitelist an IP to exclude it from blacklist lookups.

docs/u_e-reeanble-weak-protocols.md

@@ -1,4 +1,4 @@
-On February the 12th 2020 we disabled the deprecated protocols TLS 1.0 and 1.1.
+On February the 12th 2020 we disabled the deprecated protocols TLS 1.0 and 1.1 in Dovecot (POP3, POP3S, IMAP, IMAPS) and Postfix (SMTPS, SUBMISSION).
 
 Unauthenticated mail via SMTP on port 25/tcp does still accept >= TLS 1.0 . It is better to accept a weak encryption than none at all.
 

docs/u_e-unbound-fwd.md

@@ -1,19 +1,34 @@
-If you want or have to use an external DNS service, you can define it in `data/conf/unbound/unbound.conf`:
+If you want or have to use an external DNS service, you can either set a forwarder in Unbound or copy an override file to define external DNS servers:
+
+   !!! warning
+   Please do not use a public resolver like we did in the example above. Many - if not all - blacklist lookups will fail with public resolvers.
+   **Important**: Only DNSSEC validating DNS services will work.
+
+## Method A, Unbound
+
+Edit `data/conf/unbound/unbound.conf` and append the following parameters:
 
 ```
 forward-zone:
   name: "."
-  forward-addr: 8.8.8.8
+  forward-addr: 8.8.8.8 # NO NOT USE PUBLIC DNS SERVERS - JUST AN EXAMPLE
-  forward-addr: 8.8.4.4
+  forward-addr: 8.8.4.4 # NO NOT USE PUBLIC DNS SERVERS - JUST AN EXAMPLE
 ```
 
-Please do not use a public resolver like we did in the example above. Many - if not all - blacklist lookups will fail with public resolvers.
+Restart Unbound:
-
-**Important**: Only DNSSEC validating DNS services will work.
-
-Restart Unbound after changing its config file:
 
 ```
 docker-compose restart unbound-mailcow
 ```
 
+
+## Method B, Override file
+
+```
+cd /opt/mailcow-dockerized
+cp helper-scripts/docker-compose.override.yml.d/EXTERNAL_DNS/docker-compose.override.yml .
+```
+
+Edit `docker-compose.override.yml` and adjust the IP.
+
+Run `docker-compose down ; docker-compose up -d`.

mkdocs.yml

@@ -62,7 +62,7 @@ nav:
       - 'Configuration': 'u_e-mailcow_ui-config.md'
       - 'Blacklist / Whitelist': 'u_e-mailcow_ui-bl_wl.md'
       - 'Spamfilter': 'u_e-mailcow_ui-spamfilter.md'
-      - 'Temporary email aliase': 'u_e-mailcow_ui-spamalias.md'
+      - 'Temporary email aliases': 'u_e-mailcow_ui-spamalias.md'
       - 'Tagging': 'u_e-mailcow_ui-tagging.md'
       - 'Two-Factor Authentication': 'u_e-mailcow_ui-tfa.md'
   - 'Postfix':
@@ -96,7 +96,7 @@ nav:
   - 'Redirect HTTP to HTTPS': 'u_e-80_to_443.md'
   - 'Adjust Service Configurations': 'u_e-change_config.md'
   - 'Deinstall': 'u_e-deinstall.md'
-  - 'Re-enable TLS 1.0 upwards': 'u_e-reeanble-weak-protocols.md'
+  - 'Re-enable TLS 1.0 and TLS 1.1': 'u_e-reeanble-weak-protocols.md'
 - 'Client Configuration':
   - 'Overview': 'client.md'
   - 'Android': 'client/client-android.md'