309 lines
No EOL
78 KiB
JSON
{
"docs": [
{
"location": "/",
"text": "mailcow: dockerized - \ud83d\udc2e + \ud83d\udc0b = \ud83d\udc95\n\n\n\n\nIf you want to support mailcow, consider hosting mailcow on a Servercow virtual machine @ Servercow!\n\n\nScreenshots\n\n\nYou can find screenshots \non Imgur\n.\n\n\nOverview\n\n\nmailcow dockerized comes with \n12 containers\n linked in \none bridged network\n.\nEach container represents a single application.\n\n\n\n\nDovecot\n\n\nClamAV\n\n\nMemcached\n\n\nRedis\n\n\nMySQL\n\n\nBind9 (Resolver) (formerly PDNS Recursor)\n\n\nPHP-FPM\n\n\nPostfix\n\n\nNginx\n\n\nRmilter\n\n\nRspamd\n\n\nSOGo\n\n\n\n\n7 volumes\n to keep dynamic data - take care of them!\n\n\n\n\nvmail-vol-1\n\n\ndkim-vol-1\n\n\nredis-vol-1\n\n\nmysql-vol-1\n\n\nrspamd-vol-1\n\n\npostfix-vol-1\n\n\ncrypt-vol-1\n\n\n\n\nThe integrated \nmailcow UI\n allows administrative work on your mail server instance as well as separated domain administrator and mailbox user access:\n\n\n\n\nDKIM key management\n\n\nBlack- and whitelists per domain and per user\n\n\nSpam score management per-user (reject spam, mark spam, greylist)\n\n\nAllow mailbox users to create temporary spam aliases\n\n\nPrepend mail tags to subject or move mail to subfolder (per-user)\n\n\nAllow mailbox users to toggle incoming and outgoing TLS enforcement\n\n\nAllow users to reset SOGo ActiveSync device caches\n\n\nimapsync to migrate or pull remote mailboxes regularly\n\n\nTFA: Yubi OTP and U2F USB (Google Chrome and derivatives only)\n\n\nAdd domains, mailboxes, aliases, domain aliases and SOGo resources\n\n\nAdd whitelisted hosts to forward mail to mailcow\n\n\n\n\nLooking for a farm to host your cow?",
"title": "This is mailcow"
},
{
"location": "/#mailcow-dockerized-",
"text": "If you want to support mailcow, consider hosting mailcow on a Servercow virtual machine @ Servercow!",
"title": "mailcow: dockerized - \ud83d\udc2e + \ud83d\udc0b = \ud83d\udc95"
},
{
"location": "/#screenshots",
"text": "You can find screenshots on Imgur.",
"title": "Screenshots"
},
{
"location": "/#overview",
"text": "mailcow dockerized comes with 12 containers linked in one bridged network.\nEach container represents a single application. Dovecot ClamAV Memcached Redis MySQL Bind9 (Resolver) (formerly PDNS Recursor) PHP-FPM Postfix Nginx Rmilter Rspamd SOGo 7 volumes to keep dynamic data - take care of them! vmail-vol-1 dkim-vol-1 redis-vol-1 mysql-vol-1 rspamd-vol-1 postfix-vol-1 crypt-vol-1 The integrated mailcow UI allows administrative work on your mail server instance as well as separated domain administrator and mailbox user access: DKIM key management Black- and whitelists per domain and per user Spam score management per-user (reject spam, mark spam, greylist) Allow mailbox users to create temporary spam aliases Prepend mail tags to subject or move mail to subfolder (per-user) Allow mailbox users to toggle incoming and outgoing TLS enforcement Allow users to reset SOGo ActiveSync device caches imapsync to migrate or pull remote mailboxes regularly TFA: Yubi OTP and U2F USB (Google Chrome and derivatives only) Add domains, mailboxes, aliases, domain aliases and SOGo resources Add whitelisted hosts to forward mail to mailcow Looking for a farm to host your cow?",
"title": "Overview"
},
{
"location": "/install/",
"text": "Install mailcow\n\n\nWARNING\n: Please use Ubuntu 16.04 instead of Debian 8 or \nswitch to the kernel 4.9 from jessie backports\n because there is a bug (kernel panic) with the kernel 3.16 when running docker containers with healthchecks! Full details here: \ngithub.com/docker/docker/issues/30402\n and \nforum.mailcow.email/t/solved-mailcow-docker-causes-kernel-panic-edit/448\n\n\nYou need Docker and Docker Compose.\n\n\n1. Learn how to install \nDocker\n and \nDocker Compose\n.\n\n\nQuick installation for most operating systems:\n\n\n\n\nDocker\n\n\n\n\ncurl -sSL https://get.docker.com/ | sh\n\n\n\n\n\n\n\nDocker-Compose\n\n\n\n\ncurl -L https://github.com/docker/compose/releases/download/$(curl -Ls https://www.servercow.de/docker-compose/latest.php)/docker-compose-$(uname -s)-$(uname -m) > /usr/local/bin/docker-compose\nchmod +x /usr/local/bin/docker-compose\n\n\n\n\n\nPlease use the latest Docker engine available and do not use the engine that ships with your distro's repository.\n\n\n2. Clone the master branch of the repository\n\n\ngit clone https://github.com/andryyy/mailcow-dockerized && cd mailcow-dockerized\n\n\n\n\n\n3. Generate a configuration file. Use a FQDN (\nhost.domain.tld\n) as hostname when asked.\n\n\n./generate_config.sh\n\n\n\n\n\n4. Change configuration if you want or need to.\n\n\nnano mailcow.conf\n\n\n\n\n\nIf you plan to use a reverse proxy, you can, for example, bind HTTPS to 127.0.0.1 on port 8443 and HTTP to 127.0.0.1 on port 8080.\n\n\nYou may need to stop an existing pre-installed MTA which blocks port 25/tcp. See \nthis chapter\n to learn how to reconfigure Postfix to run besides mailcow after a successful installation.\n\n\n5. Pull the images and run the compose file. The parameter \n-d\n will start mailcow: dockerized detached:\n\n\ndocker-compose pull\ndocker-compose up -d\n\n\n\n\n\nDone!\n\n\nYou can now access \nhttps://${MAILCOW_HOSTNAME}\n with the default credentials \nadmin\n + password \nmoohoo\n.\n\n\nThe database will be initialized right after a connection to MySQL can be established.\n\n\nUpdate mailcow\n\n\nThere is no update routine. You need to refresh your pulled repository clone and apply your local changes (if any). Actually there are many ways to merge local changes.\n\n\nStep 1, method 1\n\n\nStash all local changes, pull changes from the remote master branch and apply your stash on top of it. You will most likely see warnings about non-committed changes; you can ignore them:\n\n\n# Stash local changes\ngit stash\n# Re-pull master\ngit pull\n# Apply stash and remove it\ngit stash pop\n\n\n\n\n\nStep 1, method 2\n\n\nFetch new data from GitHub, commit changes and merge remote repository: \n\n\n# Get updates/changes\ngit fetch\n# Add all changed files to local clone\ngit add -A\n# Commit changes, ignore git complaining about username and mail address\ngit commit -m \"Local config at $(date)\"\n# Merge changes\ngit merge\n\n\n\n\n\nIf git complains about conflicts, solve them! Example:\n\n\nCONFLICT (content): Merge conflict in data/web/index.php\n\n\n\n\n\nOpen \ndata/web/index.php\n, solve the conflict, close the file and run \ngit add -A\n + \ngit commit -m \"Solved conflict\"\n.\n\n\nStep 1, method 3\n\n\nThanks to fabreg @ GitHub!\n\n\nIn case both methods do not work (for many reasons, like being unable to fix the CONFLICTS, or any other reason) you can simply start all over again.\n\n\nKeep in mind that all local changes \nto configuration files\n will be lost. However, your volumes will not be removed.\n\n\n\n\nCopy mailcow.conf somewhere outside the mailcow-dockerized directory\n\n\nStop and remove mailcow containers: \ndocker-compose down\n\n\nDelete the directory or rename it\n\n\nClone the remote repository again (\ngit clone https://github.com/andryyy/mailcow-dockerized && cd mailcow-dockerized\n). \nPay attention\n to this step - the folder must have the same name as the previous one!\n\n\nCopy back your previous \nmailcow.conf\n into the mailcow-dockerized folder \n\n\n\n\nIf you forgot to stop Docker before deleting the cloned directory, you can use the following commands:\n\n\ndocker stop $(docker ps -a -q)\ndocker rm $(docker ps -a -q)\n\n\n\n\n\nStep 2\n\n\nPull new images (if any) and recreate changed containers:\n\n\ndocker-compose pull\ndocker-compose up -d --remove-orphans\n\n\n\n\n\nStep 3\n\n\nClean up dangling (unused) images and volumes:\n\n\ndocker rmi -f $(docker images -f dangling=true -q)\ndocker volume rm $(docker volume ls -qf dangling=true)",
"title": "Installation"
},
{
"location": "/install/#install-mailcow",
"text": "WARNING: Please use Ubuntu 16.04 instead of Debian 8 or switch to the kernel 4.9 from jessie backports because there is a bug (kernel panic) with the kernel 3.16 when running docker containers with healthchecks! Full details here: github.com/docker/docker/issues/30402 and forum.mailcow.email/t/solved-mailcow-docker-causes-kernel-panic-edit/448 You need Docker and Docker Compose. 1. Learn how to install Docker and Docker Compose. Quick installation for most operating systems: Docker curl -sSL https://get.docker.com/ | sh Docker-Compose curl -L https://github.com/docker/compose/releases/download/$(curl -Ls https://www.servercow.de/docker-compose/latest.php)/docker-compose-$(uname -s)-$(uname -m) > /usr/local/bin/docker-compose\nchmod +x /usr/local/bin/docker-compose Please use the latest Docker engine available and do not use the engine that ships with your distro's repository. 2. Clone the master branch of the repository git clone https://github.com/andryyy/mailcow-dockerized && cd mailcow-dockerized 3. Generate a configuration file. Use a FQDN (host.domain.tld) as hostname when asked. ./generate_config.sh 4. Change configuration if you want or need to. nano mailcow.conf If you plan to use a reverse proxy, you can, for example, bind HTTPS to 127.0.0.1 on port 8443 and HTTP to 127.0.0.1 on port 8080. You may need to stop an existing pre-installed MTA which blocks port 25/tcp. See this chapter to learn how to reconfigure Postfix to run besides mailcow after a successful installation. 5. Pull the images and run the compose file. The parameter -d will start mailcow: dockerized detached: docker-compose pull\ndocker-compose up -d Done! You can now access https://${MAILCOW_HOSTNAME} with the default credentials admin + password moohoo. The database will be initialized right after a connection to MySQL can be established.",
"title": "Install mailcow"
},
{
"location": "/install/#update-mailcow",
"text": "There is no update routine. You need to refresh your pulled repository clone and apply your local changes (if any). Actually there are many ways to merge local changes.",
"title": "Update mailcow"
},
{
"location": "/install/#step-1-method-1",
"text": "Stash all local changes, pull changes from the remote master branch and apply your stash on top of it. You will most likely see warnings about non-committed changes; you can ignore them: # Stash local changes\ngit stash\n# Re-pull master\ngit pull\n# Apply stash and remove it\ngit stash pop",
"title": "Step 1, method 1"
},
{
"location": "/install/#step-1-method-2",
"text": "Fetch new data from GitHub, commit changes and merge remote repository: # Get updates/changes\ngit fetch\n# Add all changed files to local clone\ngit add -A\n# Commit changes, ignore git complaining about username and mail address\ngit commit -m \"Local config at $(date)\"\n# Merge changes\ngit merge If git complains about conflicts, solve them! Example: CONFLICT (content): Merge conflict in data/web/index.php Open data/web/index.php, solve the conflict, close the file and run git add -A + git commit -m \"Solved conflict\".",
"title": "Step 1, method 2"
},
{
"location": "/install/#step-1-method-3",
"text": "Thanks to fabreg @ GitHub! In case both methods do not work (for many reasons, like being unable to fix the CONFLICTS, or any other reason) you can simply start all over again. Keep in mind that all local changes to configuration files will be lost. However, your volumes will not be removed. Copy mailcow.conf somewhere outside the mailcow-dockerized directory Stop and remove mailcow containers: docker-compose down Delete the directory or rename it Clone the remote repository again (git clone https://github.com/andryyy/mailcow-dockerized && cd mailcow-dockerized). Pay attention to this step - the folder must have the same name as the previous one! Copy back your previous mailcow.conf into the mailcow-dockerized folder If you forgot to stop Docker before deleting the cloned directory, you can use the following commands: docker stop $(docker ps -a -q)\ndocker rm $(docker ps -a -q)",
"title": "Step 1, method 3"
},
{
"location": "/install/#step-2",
"text": "Pull new images (if any) and recreate changed containers: docker-compose pull\ndocker-compose up -d --remove-orphans",
"title": "Step 2"
},
{
"location": "/install/#step-3",
"text": "Clean up dangling (unused) images and volumes: docker rmi -f $(docker images -f dangling=true -q)\ndocker volume rm $(docker volume ls -qf dangling=true)",
"title": "Step 3"
},
{
"location": "/first_steps/",
"text": "SSL (and: How to use Let's Encrypt)\n\n\nmailcow dockerized comes with a snakeoil CA \"mailcow\" and a server certificate in \ndata/assets/ssl\n. Please use your own trusted certificates.\n\n\nmailcow uses 3 domain names that should be covered by your new certificate:\n\n\n\n\n${MAILCOW_HOSTNAME}\n\n\nautodiscover.example.org\n\n\nautoconfig.example.org\n\n\n\n\nObtain multi-SAN certificate by Let's Encrypt\n\n\nThis is just an example of how to obtain certificates with certbot. There are several methods!\n\n\n1. Get the certbot client:\n\n\nwget https://dl.eff.org/certbot-auto -O /usr/local/sbin/certbot && chmod +x /usr/local/sbin/certbot\n\n\n\n\n\n2. Make sure you set \nHTTP_BIND=0.0.0.0\n and \nHTTP_PORT=80\n in \nmailcow.conf\n or set up a reverse proxy to enable connections to port 80. If you changed HTTP_BIND, then rebuild Nginx:\n\n\ndocker-compose up -d\n\n\n\n\n\n3. Request the certificate with the webroot method:\n\n\ncd /path/to/git/clone/mailcow-dockerized\nsource mailcow.conf\ncertbot certonly \\\n --webroot \\\n -w ${PWD}/data/web \\\n -d ${MAILCOW_HOSTNAME} \\\n -d autodiscover.example.org \\\n -d autoconfig.example.org \\\n --email you@example.org \\\n --agree-tos\n\n\n\n\n\nRemember to replace the example.org domain with your own domain; this command will not work if you don't.\n\n\n4. Create hard links to the full path of the new certificates. Assuming you are still in the mailcow root folder:\n\n\nmv data/assets/ssl/cert.{pem,pem.backup}\nmv data/assets/ssl/key.{pem,pem.backup}\nln $(readlink -f /etc/letsencrypt/live/${MAILCOW_HOSTNAME}/fullchain.pem) data/assets/ssl/cert.pem\nln $(readlink -f /etc/letsencrypt/live/${MAILCOW_HOSTNAME}/privkey.pem) data/assets/ssl/key.pem\n\n\n\n\n\n5. Restart affected containers:\n\n\ndocker-compose restart postfix-mailcow dovecot-mailcow nginx-mailcow\n\n\n\n\n\nWhen renewing certificates, run the last two steps (link + restart) as a post-hook in a script.\n\n\nRspamd Web UI\n\n\nAt first you may want to set up Rspamd's web interface, which provides some useful features and information.\n\n\n1. Generate a Rspamd controller password hash:\n\n\ndocker-compose exec rspamd-mailcow rspamadm pw\n\n\n\n\n\n2. Replace the default hash in \ndata/conf/rspamd/override.d/worker-controller.inc\n by your newly generated one:\n\n\nenable_password = \"myhash\";\n\n\n\n\n\nYou can use \npassword = \"myhash\";\n instead of \nenable_password\n to disable write-access in the web UI.\n\n\n3. Restart rspamd:\n\n\ndocker-compose restart rspamd-mailcow\n\n\n\n\n\nOpen https://${MAILCOW_HOSTNAME}/rspamd in a browser and log in!\n\n\nOptional: Reverse proxy\n\n\nYou don't need to change the Nginx site that comes with mailcow: dockerized.\nmailcow: dockerized trusts the default gateway IP 172.22.1.1 as proxy. This is very important to control access to Rspamd's web UI.\n\n\n1. Make sure you change HTTP_BIND and HTTPS_BIND in \nmailcow.conf\n to a local address and set the ports accordingly, for example:\n\n\nHTTP_BIND=127.0.0.1\nHTTP_PORT=8080\n\nHTTPS_BIND=127.0.0.1\nHTTPS_PORT=8443\n\n\n\n\n\n\nIMPORTANT: Do not use port 8081\n\n\nRecreate affected containers by running \ndocker-compose up -d\n.\n\n\n2. Configure your local webserver as reverse proxy:\n\n\nApache 2.4\n\n\n<VirtualHost *:443>\n ServerName mail.example.org\n ServerAlias autodiscover.example.org\n ServerAlias autoconfig.example.org\n\n [...]\n\n # You should proxy to a plain HTTP session to offload SSL processing\n ProxyPass / http://127.0.0.1:8080/\n ProxyPassReverse / http://127.0.0.1:8080/\n ProxyPreserveHost Off\n\n your-ssl-configuration-here\n [...]\n\n # If you plan to proxy to a HTTPS host:\n #SSLProxyEngine On\n\n # If you plan to proxy to an untrusted HTTPS host:\n #SSLProxyVerify none\n #SSLProxyCheckPeerCN off\n #SSLProxyCheckPeerName off\n #SSLProxyCheckPeerExpire off\n</VirtualHost>\n\n\n\n\n\n\nNginx\n\n\nserver {\n listen 443;\n server_name mail.example.org autodiscover.example.org autoconfig.example.org;\n\n [...]\n your-ssl-configuration-here\n location / {\n proxy_pass http://127.0.0.1:8080/;\n proxy_redirect http://127.0.0.1:8080/ $scheme://$host:$server_port/;\n proxy_set_header X-Real-IP $remote_addr;\n proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;\n proxy_set_header X-Forwarded-Proto $scheme;\n }\n [...]\n}\n\n\n\n\n\n\nOptional: Setup a relayhost\n\n\nInsert these lines to \ndata/conf/postfix/main.cf\n. \"relayhost\" does already exist (empty), just change its value.\n\n\nrelayhost = [your-relayhost]:587\nsmtp_sasl_password_maps = hash:/opt/postfix/conf/smarthost_passwd\nsmtp_sasl_auth_enable = yes\n\n\n\n\n\nCreate the credentials file:\n\n\necho \"your-relayhost username:password\" > data/conf/postfix/smarthost_passwd\n\n\n\n\n\nRun:\n\n\ndocker-compose exec postfix-mailcow postmap /opt/postfix/conf/smarthost_passwd\ndocker-compose exec postfix-mailcow chown root:postfix /opt/postfix/conf/smarthost_passwd /opt/postfix/conf/smarthost_passwd.db\ndocker-compose exec postfix-mailcow chmod 660 /opt/postfix/conf/smarthost_passwd /opt/postfix/conf/smarthost_passwd.db\ndocker-compose exec postfix-mailcow postfix reload\n\n\n\n\n\nHelper script\n\n\nThere is a helper script \nmailcow-setup-relayhost.sh\n you can run to set up a relayhost.\n\n\nUsage:\n\nSetup a relayhost:\n./mailcow-setup-relayhost.sh relayhost port (username) (password)\nUsername and password are optional parameters.\n\nReset to defaults:\n./mailcow-setup-relayhost.sh reset\n\n\n\n\n\nOptional: Log to Syslog\n\n\nEnable Rsyslog to receive logs on 524/tcp:\n\n\n# This setting depends on your Rsyslog version and configuration format.\n# For most Debian derivatives it will work like this...\n$ModLoad imtcp\n$TCPServerAddress 127.0.0.1\n$InputTCPServerRun 524\n\n# ...while for Ubuntu 16.04 it looks like this:\nmodule(load=\"imtcp\")\ninput(type=\"imtcp\" address=\"127.0.0.1\" port=\"524\")\n\n# No matter your Rsyslog version, you should set this option to off\n# if you plan to use Fail2ban\n$RepeatedMsgReduction off\n\n\n\n\n\nRestart rsyslog after enabling the TCP listener.\n\n\nNow set up the Docker daemon to start with the syslog driver.\nThis enables the syslog driver for all containers!\n\n\nDebian users can change the startup configuration in \n/etc/default/docker\n while CentOS users find it in \n/etc/sysconfig/docker\n:\n\n\n...\nDOCKER_OPTS=\"--log-driver=syslog --log-opt syslog-address=tcp://127.0.0.1:524\"\n...\n\n\n\n\n\nCaution:\n For some reason Ubuntu 16.04 and some, but not all, systemd-based distros do not read the defaults file parameters.\n\n\nJust run \nsystemctl edit docker.service\n and add the following content to fix it.\n\n\nNote:\n If \"systemctl edit\" is not available, just copy the content to \n/etc/systemd/system/docker.service.d/override.conf\n.\n\n\nThe first empty ExecStart parameter is not a mistake.\n\n\n[Service]\nEnvironmentFile=/etc/default/docker\nExecStart=\nExecStart=/usr/bin/docker daemon -H fd:// $DOCKER_OPTS\n\n\n\n\n\n\nRestart the Docker daemon and run \ndocker-compose down && docker-compose up -d\n to recreate the containers.\n\n\nUse Fail2ban\n\n\nThis is a subsection of \"Log to Syslog\", which is required for Fail2ban to work.\n\n\nOpen \n/etc/fail2ban/filter.d/common.conf\n, search for the prefix_line parameter and change it to \".*\":\n\n\n__prefix_line = .*\n\n\n\n\n\nCreate \n/etc/fail2ban/jail.d/dovecot.conf\n...\n\n\n[dovecot]\nenabled = true\nfilter = dovecot\nlogpath = /var/log/syslog\nchain = FORWARD\n\n\n\n\n\n\nand \njail.d/postfix-sasl.conf\n:\n\n\n[postfix-sasl]\nenabled = true\nfilter = postfix-sasl\nlogpath = /var/log/syslog\nchain = FORWARD\n\n\n\n\n\n\nRestart Fail2ban.\n\n\nInstall a local MTA\n\n\nThe easiest option would be to disable the listener on port 25/tcp.\n\n\nPostfix\n users disable the listener by commenting out the following line (starting with \nsmtp\n or \n25\n) in \n/etc/postfix/master.cf\n:\n\n\n#smtp inet n - - - - smtpd\n\n\n\n\n\nRestart Postfix after applying your changes.\n\n\nSender and receiver model\n\n\nWhen a mailbox is created, a user is allowed to send mail from and receive mail for his own mailbox address.\n\n\nMailbox me@example.org is created. example.org is a primary domain. \nNote: a mailbox cannot be created in an alias domain.\n\nme@example.org is only known as me@example.org.\nme@example.org is allowed to send as me@example.org.\n\n\n\n\n\nWe can add an alias domain for example.org:\n\n\nAlias domain alias.com is added and assigned to primary domain example.org.\nme@example.org is now known as me@example.org and me@alias.com.\nme@example.org is now allowed to send as me@example.org and me@alias.com.\n\n\n\n\n\nWe can add aliases for a mailbox to receive mail for and to send from this new address.\n\n\nIt is important to know that you are not able to receive mail for \nmy-alias@my-alias-domain.tld\n. You would need to create this particular alias.\n\n\nme@example.org is assigned the alias alias@example.org\nme@example.org is now known as me@example.org, me@alias.com, alias@example.org\n\nme@example.org is NOT known as alias@alias.com.\n\n\n\n\n\nAdministrators and domain administrators can edit mailboxes to allow specific users to send as other mailbox users (\"delegate\" them).\n\n\nYou can choose between mailbox users or completely disable the sender check for domains.\n\n\nSOGo \"mail from\" addresses\n\n\nMailbox users can, obviously, select their own mailbox address, as well as all alias addresses and aliases that exist through alias domains.\n\n\nIf you want to select another \nexisting\n mailbox user as your \"mail from\" address, this user has to delegate you access through SOGo (see SOGo documentation). Moreover, a mailcow (domain) administrator\nneeds to grant you access as described above.",
"title": "First Steps"
},
{
"location": "/first_steps/#ssl-and-how-to-use-lets-encrypt",
"text": "mailcow dockerized comes with a snakeoil CA \"mailcow\" and a server certificate in data/assets/ssl. Please use your own trusted certificates. mailcow uses 3 domain names that should be covered by your new certificate: ${MAILCOW_HOSTNAME} autodiscover.example.org autoconfig.example.org",
"title": "SSL (and: How to use Let's Encrypt)"
},
{
"location": "/first_steps/#obtain-multi-san-certificate-by-lets-encrypt",
"text": "This is just an example of how to obtain certificates with certbot. There are several methods! 1. Get the certbot client: wget https://dl.eff.org/certbot-auto -O /usr/local/sbin/certbot && chmod +x /usr/local/sbin/certbot 2. Make sure you set HTTP_BIND=0.0.0.0 and HTTP_PORT=80 in mailcow.conf or set up a reverse proxy to enable connections to port 80. If you changed HTTP_BIND, then rebuild Nginx: docker-compose up -d 3. Request the certificate with the webroot method: cd /path/to/git/clone/mailcow-dockerized\nsource mailcow.conf\ncertbot certonly \\\n --webroot \\\n -w ${PWD}/data/web \\\n -d ${MAILCOW_HOSTNAME} \\\n -d autodiscover.example.org \\\n -d autoconfig.example.org \\\n --email you@example.org \\\n --agree-tos Remember to replace the example.org domain with your own domain; this command will not work if you don't. 4. Create hard links to the full path of the new certificates. Assuming you are still in the mailcow root folder: mv data/assets/ssl/cert.{pem,pem.backup}\nmv data/assets/ssl/key.{pem,pem.backup}\nln $(readlink -f /etc/letsencrypt/live/${MAILCOW_HOSTNAME}/fullchain.pem) data/assets/ssl/cert.pem\nln $(readlink -f /etc/letsencrypt/live/${MAILCOW_HOSTNAME}/privkey.pem) data/assets/ssl/key.pem 5. Restart affected containers: docker-compose restart postfix-mailcow dovecot-mailcow nginx-mailcow When renewing certificates, run the last two steps (link + restart) as a post-hook in a script.",
"title": "Obtain multi-SAN certificate by Let's Encrypt"
},
{
"location": "/first_steps/#rspamd-web-ui",
"text": "At first you may want to set up Rspamd's web interface, which provides some useful features and information. 1. Generate a Rspamd controller password hash: docker-compose exec rspamd-mailcow rspamadm pw 2. Replace the default hash in data/conf/rspamd/override.d/worker-controller.inc by your newly generated one: enable_password = \"myhash\"; You can use password = \"myhash\"; instead of enable_password to disable write-access in the web UI. 3. Restart rspamd: docker-compose restart rspamd-mailcow Open https://${MAILCOW_HOSTNAME}/rspamd in a browser and log in!",
"title": "Rspamd Web UI"
},
{
"location": "/first_steps/#optional-reverse-proxy",
"text": "You don't need to change the Nginx site that comes with mailcow: dockerized.\nmailcow: dockerized trusts the default gateway IP 172.22.1.1 as proxy. This is very important to control access to Rspamd's web UI. 1. Make sure you change HTTP_BIND and HTTPS_BIND in mailcow.conf to a local address and set the ports accordingly, for example: HTTP_BIND=127.0.0.1\nHTTP_PORT=8080\n\nHTTPS_BIND=127.0.0.1\nHTTPS_PORT=8443 IMPORTANT: Do not use port 8081 Recreate affected containers by running docker-compose up -d. 2. Configure your local webserver as reverse proxy:",
"title": "Optional: Reverse proxy"
},
{
"location": "/first_steps/#apache-24",
"text": "<VirtualHost *:443>\n ServerName mail.example.org\n ServerAlias autodiscover.example.org\n ServerAlias autoconfig.example.org\n\n [...]\n # You should proxy to a plain HTTP session to offload SSL processing\n ProxyPass / http://127.0.0.1:8080/\n ProxyPassReverse / http://127.0.0.1:8080/\n ProxyPreserveHost Off\n your-ssl-configuration-here\n [...]\n\n # If you plan to proxy to a HTTPS host:\n #SSLProxyEngine On\n\n # If you plan to proxy to an untrusted HTTPS host:\n #SSLProxyVerify none\n #SSLProxyCheckPeerCN off\n #SSLProxyCheckPeerName off\n #SSLProxyCheckPeerExpire off\n</VirtualHost>",
"title": "Apache 2.4"
},
{
"location": "/first_steps/#nginx",
"text": "server {\n listen 443;\n server_name mail.example.org autodiscover.example.org autoconfig.example.org;\n\n [...]\n your-ssl-configuration-here\n location / {\n proxy_pass http://127.0.0.1:8080/;\n proxy_redirect http://127.0.0.1:8080/ $scheme://$host:$server_port/;\n proxy_set_header X-Real-IP $remote_addr;\n proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;\n proxy_set_header X-Forwarded-Proto $scheme;\n }\n [...]\n}",
"title": "Nginx"
},
{
"location": "/first_steps/#optional-setup-a-relayhost",
"text": "Insert these lines to data/conf/postfix/main.cf. \"relayhost\" does already exist (empty), just change its value. relayhost = [your-relayhost]:587\nsmtp_sasl_password_maps = hash:/opt/postfix/conf/smarthost_passwd\nsmtp_sasl_auth_enable = yes Create the credentials file: echo \"your-relayhost username:password\" > data/conf/postfix/smarthost_passwd Run: docker-compose exec postfix-mailcow postmap /opt/postfix/conf/smarthost_passwd\ndocker-compose exec postfix-mailcow chown root:postfix /opt/postfix/conf/smarthost_passwd /opt/postfix/conf/smarthost_passwd.db\ndocker-compose exec postfix-mailcow chmod 660 /opt/postfix/conf/smarthost_passwd /opt/postfix/conf/smarthost_passwd.db\ndocker-compose exec postfix-mailcow postfix reload",
"title": "Optional: Setup a relayhost"
},
{
"location": "/first_steps/#helper-script",
"text": "There is a helper script mailcow-setup-relayhost.sh you can run to set up a relayhost. Usage:\n\nSetup a relayhost:\n./mailcow-setup-relayhost.sh relayhost port (username) (password)\nUsername and password are optional parameters.\n\nReset to defaults:\n./mailcow-setup-relayhost.sh reset",
"title": "Helper script"
},
{
"location": "/first_steps/#optional-log-to-syslog",
"text": "Enable Rsyslog to receive logs on 524/tcp: # This setting depends on your Rsyslog version and configuration format.\n# For most Debian derivatives it will work like this...\n$ModLoad imtcp\n$TCPServerAddress 127.0.0.1\n$InputTCPServerRun 524\n\n# ...while for Ubuntu 16.04 it looks like this:\nmodule(load=\"imtcp\")\ninput(type=\"imtcp\" address=\"127.0.0.1\" port=\"524\")\n\n# No matter your Rsyslog version, you should set this option to off\n# if you plan to use Fail2ban\n$RepeatedMsgReduction off Restart rsyslog after enabling the TCP listener. Now set up the Docker daemon to start with the syslog driver.\nThis enables the syslog driver for all containers! Debian users can change the startup configuration in /etc/default/docker while CentOS users find it in /etc/sysconfig/docker: ...\nDOCKER_OPTS=\"--log-driver=syslog --log-opt syslog-address=tcp://127.0.0.1:524\"\n... Caution: For some reason Ubuntu 16.04 and some, but not all, systemd-based distros do not read the defaults file parameters. Just run systemctl edit docker.service and add the following content to fix it. Note: If \"systemctl edit\" is not available, just copy the content to /etc/systemd/system/docker.service.d/override.conf. The first empty ExecStart parameter is not a mistake. [Service]\nEnvironmentFile=/etc/default/docker\nExecStart=\nExecStart=/usr/bin/docker daemon -H fd:// $DOCKER_OPTS Restart the Docker daemon and run docker-compose down && docker-compose up -d to recreate the containers.",
"title": "Optional: Log to Syslog"
},
{
"location": "/first_steps/#use-fail2ban",
"text": "This is a subsection of \"Log to Syslog\", which is required for Fail2ban to work. Open /etc/fail2ban/filter.d/common.conf and search for the prefix_line parameter, change it to \".*\": __prefix_line = .* Create /etc/fail2ban/jail.d/dovecot.conf ... [dovecot] enabled = true filter = dovecot logpath = /var/log/syslog chain = FORWARD and jail.d/postfix-sasl.conf : [postfix-sasl] enabled = true filter = postfix-sasl logpath = /var/log/syslog chain = FORWARD Restart Fail2ban.",
"title": "Use Fail2ban"
},
{
"location": "/first_steps/#install-a-local-mta",
"text": "The easiest option would be to disable the listener on port 25/tcp. Postfix users disable the listener by commenting the following line (starting with smtp or 25 ) in /etc/postfix/master.cf : #smtp inet n - - - - smtpd Restart Postfix after applying your changes.",
"title": "Install a local MTA"
},
{
"location": "/first_steps/#sender-and-receiver-model",
"text": "When a mailbox is created, a user is allowed to send mail from and receive mail for his own mailbox address. Mailbox me@example.org is created. example.org is a primary domain. \nNote: a mailbox cannot be created in an alias domain.\n\nme@example.org is only known as me@example.org.\nme@example.org is allowed to send as me@example.org. We can add an alias domain for example.org: Alias domain alias.com is added and assigned to primary domain example.org.\nme@example.org is now known as me@example.org and me@alias.com.\nme@example.org is now allowed to send as me@example.org and me@alias.com. We can add aliases for a mailbox to receive mail for and to send from this new address. It is important to know that you are not able to receive mail for my-alias@my-alias-domain.tld. You would need to create this particular alias. me@example.org is assigned the alias alias@example.org\nme@example.org is now known as me@example.org, me@alias.com, alias@example.org\n\nme@example.org is NOT known as alias@alias.com. Administrators and domain administrators can edit mailboxes to allow specific users to send as other mailbox users (\"delegate\" them). You can choose between mailbox users or completely disable the sender check for domains.",
"title": "Sender and receiver model"
},
{
"location": "/first_steps/#sogo-mail-from-addresses",
"text": "Mailbox users can, obviously, select their own mailbox address, as well as all alias addresses and aliases that exist through alias domains. If you want to select another existing mailbox user as your \"mail from\" address, this user has to delegate you access through SOGo (see SOGo documentation). Moreover, a mailcow (domain) administrator needs to grant you access as described above.",
"title": "SOGo \"mail from\" addresses"
},
{
"location": "/u_and_e/",
"text": "mailcow UI configuration\n\n\nSeveral configuration parameters of the mailcow UI can be changed by creating a file data/web/inc/vars.local.inc.php which overrides the default settings found in data/web/inc/vars.inc.php.\n\n\nThe local configuration file persists across mailcow updates. Try not to change values inside data/web/inc/vars.inc.php, but use them as a template for the local override.\n\n\nmailcow UI configuration parameters can be used to...\n\n\n\n\n...change the default language*\n\n\n...change the default bootstrap theme\n\n\n...set a password complexity regex\n\n\n...add mailcow app buttons to the login screen\n\n\n...set a pagination trigger\n\n\n...set the action after submitting forms (stay in form, return to previous page)\n\n\n\n\n* To change SOGo's default language, you will need to edit data/conf/sogo/sogo.conf and replace \"English\" with your preferred language.\n\n\nAnonymize headers\n\n\nSave as data/conf/postfix/mailcow_anonymize_headers.pcre:\n\n\n/^\\s*Received:[^\\)]+\\)\\s+\\(Authenticated sender:(.+)/\n REPLACE Received: from localhost (localhost [127.0.0.1]) (Authenticated sender:$1\n/^\\s*User-Agent/ IGNORE\n/^\\s*X-Enigmail/ IGNORE\n/^\\s*X-Mailer/ IGNORE\n/^\\s*X-Originating-IP/ IGNORE\n/^\\s*X-Forward/ IGNORE\n\n\n\n\nAdd this to data/conf/postfix/main.cf:\n\n\nsmtp_header_checks = pcre:/opt/postfix/conf/mailcow_anonymize_headers.pcre\n\n\n\n\nBackup and restore maildir (simple tar file)\n\n\nBackup\n\n\nThis line backs up the vmail directory to a file backup_vmail.tar.gz in the mailcow root directory:\n\n\ncd /path/to/mailcow-dockerized\nsource mailcow.conf\nDATE=$(date +\"%Y%m%d_%H%M%S\")\ndocker run --rm -it -v $(docker inspect --format '{{ range .Mounts }}{{ if eq .Destination \"/var/vmail\" }}{{ .Name }}{{ end }}{{ end }}' $(docker-compose ps -q dovecot-mailcow)):/vmail -v ${PWD}:/backup debian:jessie tar cvfz /backup/backup_vmail.tar.gz /vmail\n\n\n\n\nYou can change the path by adjusting ${PWD} (which equals the current directory) to any path you have write access to.\nSet the filename backup_vmail.tar.gz to any custom name, but leave the path as it is. Example: [...] tar cvfz /backup/my_own_filename_.tar.gz\n\n\nRestore\n\n\ncd /path/to/mailcow-dockerized\nsource mailcow.conf\nDATE=$(date +\"%Y%m%d_%H%M%S\")\ndocker run --rm -it -v $(docker inspect --format '{{ range .Mounts }}{{ if eq .Destination \"/var/vmail\" }}{{ .Name }}{{ end }}{{ end }}' $(docker-compose ps -q dovecot-mailcow)):/vmail -v ${PWD}:/backup debian:jessie tar xvfz /backup/backup_vmail.tar.gz\n\n\n\n\nDocker Compose Bash completion\n\n\nFor the tab-tab... :-)\n\n\ncurl -L https://raw.githubusercontent.com/docker/compose/$(docker-compose version --short)/contrib/completion/bash/docker-compose -o /etc/bash_completion.d/docker-compose\n\n\n\n\nBlack and Whitelist\n\n\nEdit a domain as (domain) administrator to add an item to the filter table.\n\n\nBeware that a mailbox user can log in to mailcow and override a domain policy filter item.\n\n\nCustomize Dockerfiles\n\n\nMake your changes in data/Dockerfiles/$service and build the image locally:\n\n\ndocker build data/Dockerfiles/$service -t mailcow/$service\n\n\n\n\nNow auto-recreate modified containers:\n\n\ndocker-compose up -d\n\n\n\n\nDisable sender address verification\n\n\nThis option is not best practice and should only be implemented when there is no other option available to achieve whatever you are trying to do.\n\n\nSimply create a file data/conf/postfix/check_sasl_access and enter the following content. This user must exist in your installation and needs to authenticate before sending mail.\n\n\nuser-to-allow-everything@example.com OK\n\n\n\n\nOpen data/conf/postfix/main.cf and find smtpd_sender_restrictions. Prepend check_sasl_access hash:/opt/postfix/conf/check_sasl_access like this:\n\n\nsmtpd_sender_restrictions = check_sasl_access hash:/opt/postfix/conf/check_sasl_access reject_authenticated_sender_login_mismatch [...]\n\n\n\n\nRun postmap on check_sasl_access:\n\n\ndocker-compose exec postfix-mailcow postmap /opt/postfix/conf/check_sasl_access\n\n\n\n\nRestart the Postfix container.\n\n\nInstall Roundcube\n\n\nDownload Roundcube 1.3.x (beta at the time of Feb 2017) to the web htdocs directory and extract it (here rc/):\n\n\ncd data/web\nwget -O - https://github.com/roundcube/roundcubemail/releases/download/1.3-beta/roundcubemail-1.3-beta-complete.tar.gz | tar xfvz -\n# Change folder name\nmv roundcubemail-1.3* rc\n# Change permissions\nchown -R root: rc/\n\n\n\n\nCreate a file data/web/rc/config/config.inc.php with the following content.\n\n\nChange the des_key parameter to a random value. It is used to temporarily store your IMAP password.\n\n\n<?php\nerror_reporting(0);\nif (!file_exists('/tmp/mime.types')) {\n  file_put_contents('/tmp/mime.types', fopen('http://svn.apache.org/repos/asf/httpd/httpd/trunk/docs/conf/mime.types', 'r'));\n}\n$config = array();\n$config['db_dsnw'] = 'mysql://' . getenv('DBUSER') . ':' . getenv('DBPASS') . '@mysql/' . getenv('DBNAME');\n$config['default_host'] = 'tls://dovecot';\n$config['default_port'] = 143;\n$config['smtp_server'] = 'tls://postfix';\n$config['smtp_port'] = 587;\n$config['smtp_user'] = '%u';\n$config['smtp_pass'] = '%p';\n$config['support_url'] = '';\n$config['product_name'] = 'Roundcube Webmail';\n$config['des_key'] = 'rcmail-!24ByteDESkey*Str';\n$config['log_dir'] = '/dev/null';\n$config['temp_dir'] = '/tmp';\n$config['plugins'] = array(\n  'archive',\n);\n$config['skin'] = 'larry';\n$config['mime_types'] = '/tmp/mime.types';\n$config['imap_conn_options'] = array(\n  'ssl' => array('verify_peer' => false, 'verify_peer_name' => false, 'allow_self_signed' => true)\n);\n$config['enable_installer'] = false;\n$config['smtp_conn_options'] = array(\n  'ssl' => array('verify_peer' => false, 'verify_peer_name' => false, 'allow_self_signed' => true)\n);\n\n\n\n\nPoint your browser to https://myserver/rc/installer and follow the instructions.\nInitialize the database and leave the installer.\n\n\nDelete the directory data/web/rc/installer after a successful installation!\n\n\nEnable change password function in Roundcube\n\n\nOpen data/web/rc/config/config.inc.php and enable the password plugin:\n\n\n...\n$config['plugins'] = array(\n  'archive',\n  'password',\n);\n...\n\n\n\n\nOpen data/web/rc/plugins/password/password.php, search for case 'ssha': and add above:\n\n\n    case 'ssha256':\n      $salt = rcube_utils::random_bytes(8);\n      $crypted = base64_encode( hash('sha256', $password . $salt, TRUE ) . $salt );\n      $prefix = '{SSHA256}';\n      break;\n\n\n\n\nOpen data/web/rc/plugins/password/config.inc.php and change the following parameters (or add them at the bottom of that file):\n\n\n$config['password_driver'] = 'sql';\n$config['password_algorithm'] = 'ssha256';\n$config['password_algorithm_prefix'] = '{SSHA256}';\n$config['password_query'] = 'UPDATE mailbox SET password = %P WHERE username = %u';\n\n\n\n\nMySQL\n\n\nConnect\n\n\nsource mailcow.conf\ndocker-compose exec mysql-mailcow mysql -u${DBUSER} -p${DBPASS} ${DBNAME}\n\n\n\n\nBackup\n\n\ncd /path/to/mailcow-dockerized\nsource mailcow.conf\nDATE=$(date +\"%Y%m%d_%H%M%S\")\ndocker-compose exec -T mysql-mailcow mysqldump --default-character-set=utf8mb4 -u${DBUSER} -p${DBPASS} ${DBNAME} > backup_${DBNAME}_${DATE}.sql\n\n\n\n\nRestore\n\n\ncd /path/to/mailcow-dockerized\nsource mailcow.conf\ndocker-compose exec -T mysql-mailcow mysql -u${DBUSER} -p${DBPASS} ${DBNAME} < backup_file.sql\n\n\n\n\nReset MySQL passwords\n\n\nStop the stack by running docker-compose stop.\n\n\nWhen the containers have stopped, run this command:\n\n\ndocker-compose run --rm --entrypoint '/bin/sh -c \"gosu mysql mysqld --skip-grant-tables & sleep 10 && mysql -hlocalhost -uroot && exit 0\"' mysql-mailcow\n\n\n\n\n1. Find database name\n\n\nMariaDB [(none)]> show databases;\n+--------------------+\n| Database           |\n+--------------------+\n| information_schema |\n| mailcow_database   | <=====\n| mysql              |\n| performance_schema |\n+--------------------+\n4 rows in set (0.00 sec)\n\n\n\n\n2. Reset one or more users\n\n\nBoth \"password\" and \"authentication_string\" exist. Currently \"password\" is used, but better set both.\n\n\nMariaDB [(none)]> SELECT user FROM mysql.user;\n+--------------+\n| user         |\n+--------------+\n| mailcow_user | <=====\n| root         |\n+--------------+\n2 rows in set (0.00 sec)\n\nMariaDB [(none)]> FLUSH PRIVILEGES;\nMariaDB [(none)]> UPDATE mysql.user SET authentication_string = PASSWORD('gotr00t'), password = PASSWORD('gotr00t') WHERE User = 'root' AND Host = '%';\nMariaDB [(none)]> UPDATE mysql.user SET authentication_string = PASSWORD('mookuh'), password = PASSWORD('mookuh') WHERE User = 'mailcow' AND Host = '%';\nMariaDB [(none)]> FLUSH PRIVILEGES;\n\n\n\n\nDebugging\n\n\nYou can use docker-compose logs $service-name for all containers.\n\n\nRun docker-compose logs for all logs at once.\n\n\nFollow the log output by running docker-compose with logs -f.\n\n\nLimit the output by calling logs with --tail=300 like docker-compose logs --tail=300 mysql-mailcow.\n\n\nRedirect port 80 to 443\n\n\nSince February 28th, 2017, mailcow comes with ports 80 and 443 enabled.\n\n\nOpen mailcow.conf and set HTTP_BIND=0.0.0.0.\n\n\nOpen data/conf/nginx/site.conf and add a new \"catch-all\" site at the top of that file:\n\n\nserver {\n  listen 80 default_server;\n  include /etc/nginx/conf.d/server_name.active;\n  return 301 https://$host$request_uri;\n}\n\n\n\n\nRestart the stack, changed containers will be updated:\n\n\ndocker-compose up -d\n\n\nRedis\n\n\nClient\n\n\ndocker-compose exec redis-mailcow redis-cli\n\n\n\n\nRemove persistent data\n\n\n\n\nRemove volume mysql-vol-1 to remove all MySQL data.\n\n\nRemove volume redis-vol-1 to remove all Redis data.\n\n\nRemove volume vmail-vol-1 to remove all contents of /var/vmail mounted to dovecot-mailcow.\n\n\nRemove volume dkim-vol-1 to remove all DKIM keys.\n\n\nRemove volume rspamd-vol-1 to remove all Rspamd data.\n\n\n\n\nRunning docker-compose down -v will destroy all mailcow: dockerized volumes and delete any related containers.\n\n\nReset admin password\n\n\nReset mailcow admin to admin:moohoo:\n\n\ncd mailcow_path\nbash reset_admin.sh\n\n\n\n\nRspamd\n\n\nLearn spam and ham\n\n\nRspamd learns mail as spam or ham when you move a message in or out of the junk folder to any mailbox besides trash.\nThis is achieved by using the Dovecot plugin \"antispam\" and a simple parser script.\n\n\nRspamd also auto-learns mail when a high or low score is detected (see https://rspamd.com/doc/configuration/statistic.html#autolearning).\n\n\nThe bayes statistics are written to Redis as keys BAYES_HAM and BAYES_SPAM.\n\n\nYou can also use Rspamd's web UI to learn ham and/or spam.\n\n\nLearn ham or spam from existing directory\n\n\nYou can use a one-liner to learn mail in plain-text (uncompressed) format:\n\n\n# Ham\nfor file in /my/folder/cur/*; do docker exec -i $(docker-compose ps -q rspamd-mailcow) rspamc learn_ham < $file; done\n# Spam\nfor file in /my/folder/.Junk/cur/*; do docker exec -i $(docker-compose ps -q rspamd-mailcow) rspamc learn_spam < $file; done\n\n\n\n\nConsider attaching a local folder as a new volume to rspamd-mailcow in docker-compose.yml and learn the given files inside the container. This can be used as a workaround to parse compressed data with zcat. Example:\n\n\nfor file in /data/old_mail/.Junk/cur/*; do zcat $file | rspamc learn_spam; done\n\n\n\n\nCLI tools\n\n\ndocker-compose exec rspamd-mailcow rspamc --help\ndocker-compose exec rspamd-mailcow rspamadm --help\n\n\n\n\nSee Rspamd documentation\n\n\nAdjust service configurations\n\n\nThe most important configuration files are mounted from the host into the related containers:\n\n\ndata/conf\n\u251c\u2500\u2500 bind9\n\u2502\u00a0\u00a0 \u2514\u2500\u2500 named.conf\n\u251c\u2500\u2500 dovecot\n\u2502\u00a0\u00a0 \u251c\u2500\u2500 dovecot.conf\n\u2502\u00a0\u00a0 \u251c\u2500\u2500 dovecot-master.passwd\n\u2502\u00a0\u00a0 \u251c\u2500\u2500 sieve_after\n\u2502\u00a0\u00a0 \u2514\u2500\u2500 sql\n\u2502\u00a0\u00a0     \u251c\u2500\u2500 dovecot-dict-sql.conf\n\u2502\u00a0\u00a0     \u2514\u2500\u2500 dovecot-mysql.conf\n\u251c\u2500\u2500 mysql\n\u2502\u00a0\u00a0 \u2514\u2500\u2500 my.cnf\n\u251c\u2500\u2500 nginx\n\u2502\u00a0\u00a0 \u251c\u2500\u2500 dynmaps.conf\n\u2502\u00a0\u00a0 \u251c\u2500\u2500 site.conf\n\u2502\u00a0\u00a0 \u2514\u2500\u2500 templates\n\u2502\u00a0\u00a0     \u251c\u2500\u2500 listen_plain.template\n\u2502\u00a0\u00a0     \u251c\u2500\u2500 listen_ssl.template\n\u2502\u00a0\u00a0     \u2514\u2500\u2500 server_name.template\n\u251c\u2500\u2500 pdns\n\u2502\u00a0\u00a0 \u251c\u2500\u2500 pdns_custom.lua\n\u2502\u00a0\u00a0 \u2514\u2500\u2500 recursor.conf\n\u251c\u2500\u2500 postfix\n\u2502\u00a0\u00a0 \u251c\u2500\u2500 main.cf\n\u2502\u00a0\u00a0 \u251c\u2500\u2500 master.cf\n\u2502\u00a0\u00a0 \u251c\u2500\u2500 postscreen_access.cidr\n\u2502\u00a0\u00a0 \u251c\u2500\u2500 smtp_dsn_filter\n\u2502\u00a0\u00a0 \u2514\u2500\u2500 sql\n\u2502\u00a0\u00a0     \u251c\u2500\u2500 mysql_relay_recipient_maps.cf\n\u2502\u00a0\u00a0     \u251c\u2500\u2500 mysql_tls_enforce_in_policy.cf\n\u2502\u00a0\u00a0     \u251c\u2500\u2500 mysql_tls_enforce_out_policy.cf\n\u2502\u00a0\u00a0     \u251c\u2500\u2500 mysql_virtual_alias_domain_catchall_maps.cf\n\u2502\u00a0\u00a0     \u251c\u2500\u2500 mysql_virtual_alias_domain_maps.cf\n\u2502\u00a0\u00a0     \u251c\u2500\u2500 mysql_virtual_alias_maps.cf\n\u2502\u00a0\u00a0     \u251c\u2500\u2500 mysql_virtual_domains_maps.cf\n\u2502\u00a0\u00a0     \u251c\u2500\u2500 mysql_virtual_mailbox_maps.cf\n\u2502\u00a0\u00a0     \u251c\u2500\u2500 mysql_virtual_relay_domain_maps.cf\n\u2502\u00a0\u00a0     \u251c\u2500\u2500 mysql_virtual_sender_acl.cf\n\u2502\u00a0\u00a0     \u2514\u2500\u2500 mysql_virtual_spamalias_maps.cf\n\u251c\u2500\u2500 rmilter\n\u2502\u00a0\u00a0 \u2514\u2500\u2500 rmilter.conf\n\u251c\u2500\u2500 rspamd\n\u2502\u00a0\u00a0 \u251c\u2500\u2500 dynmaps\n\u2502\u00a0\u00a0 \u2502\u00a0\u00a0 \u251c\u2500\u2500 authoritative.php\n\u2502\u00a0\u00a0 \u2502\u00a0\u00a0 \u251c\u2500\u2500 settings.php\n\u2502\u00a0\u00a0 \u2502\u00a0\u00a0 \u251c\u2500\u2500 tags.php\n\u2502\u00a0\u00a0 \u2502\u00a0\u00a0 \u2514\u2500\u2500 vars.inc.php -> ../../../web/inc/vars.inc.php\n\u2502\u00a0\u00a0 \u251c\u2500\u2500 local.d\n\u2502\u00a0\u00a0 \u2502\u00a0\u00a0 \u251c\u2500\u2500 dkim.conf\n\u2502\u00a0\u00a0 \u2502\u00a0\u00a0 \u251c\u2500\u2500 metrics.conf\n\u2502\u00a0\u00a0 \u2502\u00a0\u00a0 \u251c\u2500\u2500 options.inc\n\u2502\u00a0\u00a0 \u2502\u00a0\u00a0 \u251c\u2500\u2500 redis.conf\n\u2502\u00a0\u00a0 \u2502\u00a0\u00a0 \u251c\u2500\u2500 rspamd.conf.local\n\u2502\u00a0\u00a0 \u2502\u00a0\u00a0 \u2514\u2500\u2500 statistic.conf\n\u2502\u00a0\u00a0 \u251c\u2500\u2500 lua\n\u2502\u00a0\u00a0 \u2502\u00a0\u00a0 \u2514\u2500\u2500 rspamd.local.lua\n\u2502\u00a0\u00a0 \u2514\u2500\u2500 override.d\n\u2502\u00a0\u00a0     \u251c\u2500\u2500 logging.inc\n\u2502\u00a0\u00a0     \u251c\u2500\u2500 worker-controller.inc\n\u2502\u00a0\u00a0     \u2514\u2500\u2500 worker-normal.inc\n\u2514\u2500\u2500 sogo\n    \u251c\u2500\u2500 sieve.creds\n    \u2514\u2500\u2500 sogo.conf\n\n\n\n\nJust change the corresponding configuration file on the host and restart the related service:\n\n\ndocker-compose restart service-mailcow\n\n\n\n\nTagging\n\n\nMailbox users can tag their mail address like me+facebook@example.org and choose between two setups to handle this tag:\n\n\n1. Move this message to a subfolder \"facebook\" (will be created in lower case if it does not exist)\n\n\n2. Prepend the tag to the subject: \"[facebook] Subject\"\n\n\nTwo-factor authentication\n\n\nSo far two methods for TFA are implemented. Both work with the fantastic Yubikey.\n\n\nWhile Yubi OTP needs an active internet connection and an API ID and key, U2F will work with any FIDO U2F USB key out of the box, but can only be used when mailcow is accessed over HTTPS.\n\n\nBoth methods support multiple YubiKeys.\n\n\nAs administrator you are able to temporarily disable a domain administrator's TFA login until they have successfully logged in.\n\n\nThe key used to log in will be displayed in green, while other keys remain grey.\n\n\nYubi OTP\n\n\nThe Yubi API ID and Key will be checked against the Yubico Cloud API. When setting up TFA you will be asked for your personal API account for this key.\nThe API ID, API key and the first 12 characters (your YubiKey's ID in modhex) are stored in the MySQL table as secret.\n\n\nU2F\n\n\nOnly Google Chrome (+derivatives) and Opera natively support U2F authentication to this day.\nFor Firefox you will need to install the \"U2F Support Add-on\" as provided on mozilla.org.\n\n\nU2F works without an internet connection.\n\n\nPortainer\n\n\nIn order to enable Portainer, the docker-compose.yml and site.conf for nginx must be modified.\n\n\n1. docker-compose.yml: Insert this block for portainer\n\n\n  portainer-mailcow:\n    image: portainer/portainer\n    volumes:\n      - /var/run/docker.sock:/var/run/docker.sock\n    restart: always\n    dns:\n      - 172.22.1.254\n    dns_search: mailcow-network\n    networks:\n      mailcow-network:\n        aliases:\n          - portainer\n\n\n\n\n2a. data/conf/nginx/site.conf: Just beneath the opening line, at the same level as a server { block, add this:\n\n\nupstream portainer {\n  server portainer-mailcow:9000;\n}\n\nmap $http_upgrade $connection_upgrade {\n  default upgrade;\n  ''      close;\n}\n\n\n\n\n2b. data/conf/nginx/site.conf: Then, inside both (ssl and plain) server blocks, add this:\n\n\n  location /portainer/ {\n    proxy_http_version 1.1;\n    proxy_set_header Host $http_host;   # required for docker client's sake\n    proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP\n    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;\n    proxy_set_header X-Forwarded-Proto $scheme;\n    proxy_read_timeout 900;\n\n    proxy_set_header Connection \"\";\n    proxy_buffers 32 4k;\n    proxy_pass http://portainer/;\n  }\n\n  location /portainer/api/websocket/ {\n    proxy_http_version 1.1;\n    proxy_set_header Upgrade $http_upgrade;\n    proxy_set_header Connection $connection_upgrade;\n    proxy_pass http://portainer/api/websocket/;\n  }\n\n\n\n\nNow you can simply navigate to https://${MAILCOW_HOSTNAME}/portainer/ to view your Portainer container monitoring page. You'll then be prompted to specify a new password for the admin account. After specifying your password, you'll be able to connect to the Portainer UI.\n\n\nChange autodiscover setup type\n\n\nThis disables ActiveSync in the autodiscover service for Outlook and configures it with IMAP and SMTP instead:\n\n\nOpen data/web/autodiscover.php and set 'useEASforOutlook' => 'yes' to 'useEASforOutlook' => 'no'.\n\n\nTo always use IMAP and SMTP instead of EAS, set 'autodiscoverType' => 'imap'.\n\n\nWhy Bind?\n\n\nFor DNS blacklist lookups and DNSSEC.\n\n\nMost systems use either a public or a local caching DNS resolver.\nThat's a very bad idea when it comes to filtering spam using DNS-based blackhole lists (DNSBL) or similar techniques.\nMost if not all providers apply a rate limit based on the DNS resolver that is used to query their service.\nUsing a public resolver like Google's 4x8, OpenDNS or any other shared DNS resolver like your ISP's will hit that limit very soon.",
"title": "Usage & Examples"
},
{
"location": "/u_and_e/#mailcow-ui-configuration",
"text": "Several configuration parameters of the mailcow UI can be changed by creating a file data/web/inc/vars.local.inc.php which overrides the default settings found in data/web/inc/vars.inc.php. The local configuration file persists across mailcow updates. Try not to change values inside data/web/inc/vars.inc.php, but use them as a template for the local override. mailcow UI configuration parameters can be used to... ...change the default language* ...change the default bootstrap theme ...set a password complexity regex ...add mailcow app buttons to the login screen ...set a pagination trigger ...set the action after submitting forms (stay in form, return to previous page) * To change SOGo's default language, you will need to edit data/conf/sogo/sogo.conf and replace \"English\" with your preferred language.",
"title": "mailcow UI configuration"
},
{
"location": "/u_and_e/#anonymize-headers",
"text": "Save as data/conf/postfix/mailcow_anonymize_headers.pcre: /^\\s*Received:[^\\)]+\\)\\s+\\(Authenticated sender:(.+)/\n REPLACE Received: from localhost (localhost [127.0.0.1]) (Authenticated sender:$1\n/^\\s*User-Agent/ IGNORE\n/^\\s*X-Enigmail/ IGNORE\n/^\\s*X-Mailer/ IGNORE\n/^\\s*X-Originating-IP/ IGNORE\n/^\\s*X-Forward/ IGNORE Add this to data/conf/postfix/main.cf: smtp_header_checks = pcre:/opt/postfix/conf/mailcow_anonymize_headers.pcre",
"title": "Anonymize headers"
},
{
"location": "/u_and_e/#backup-and-restore-maildir-simple-tar-file",
"text": "",
"title": "Backup and restore maildir (simple tar file)"
},
{
"location": "/u_and_e/#backup",
"text": "This line backs up the vmail directory to a file backup_vmail.tar.gz in the mailcow root directory: cd /path/to/mailcow-dockerized\nsource mailcow.conf\nDATE=$(date +\"%Y%m%d_%H%M%S\")\ndocker run --rm -it -v $(docker inspect --format '{{ range .Mounts }}{{ if eq .Destination \"/var/vmail\" }}{{ .Name }}{{ end }}{{ end }}' $(docker-compose ps -q dovecot-mailcow)):/vmail -v ${PWD}:/backup debian:jessie tar cvfz /backup/backup_vmail.tar.gz /vmail You can change the path by adjusting ${PWD} (which equals the current directory) to any path you have write access to.\nSet the filename backup_vmail.tar.gz to any custom name, but leave the path as it is. Example: [...] tar cvfz /backup/my_own_filename_.tar.gz",
"title": "Backup"
},
{
"location": "/u_and_e/#restore",
"text": "cd /path/to/mailcow-dockerized\nsource mailcow.conf\nDATE=$(date +\"%Y%m%d_%H%M%S\")\ndocker run --rm -it -v $(docker inspect --format '{{ range .Mounts }}{{ if eq .Destination \"/var/vmail\" }}{{ .Name }}{{ end }}{{ end }}' $(docker-compose ps -q dovecot-mailcow)):/vmail -v ${PWD}:/backup debian:jessie tar xvfz /backup/backup_vmail.tar.gz",
"title": "Restore"
},
{
"location": "/u_and_e/#docker-compose-bash-completion",
"text": "For the tab-tab... :-) curl -L https://raw.githubusercontent.com/docker/compose/$(docker-compose version --short)/contrib/completion/bash/docker-compose -o /etc/bash_completion.d/docker-compose",
"title": "Docker Compose Bash completion"
},
{
"location": "/u_and_e/#black-and-whitelist",
"text": "Edit a domain as (domain) administrator to add an item to the filter table. Beware that a mailbox user can log in to mailcow and override a domain policy filter item.",
"title": "Black and Whitelist"
},
{
"location": "/u_and_e/#customize-dockerfiles",
"text": "Make your changes in data/Dockerfiles/$service and build the image locally: docker build data/Dockerfiles/$service -t mailcow/$service Now auto-recreate modified containers: docker-compose up -d",
"title": "Customize Dockerfiles"
},
{
"location": "/u_and_e/#disable-sender-addresses-verification",
"text": "This option is not best practice and should only be implemented when there is no other option available to achieve whatever you are trying to do. Simply create a file data/conf/postfix/check_sasl_access and enter the following content. This user must exist in your installation and needs to authenticate before sending mail. user-to-allow-everything@example.com OK Open data/conf/postfix/main.cf and find smtpd_sender_restrictions. Prepend check_sasl_access hash:/opt/postfix/conf/check_sasl_access like this: smtpd_sender_restrictions = check_sasl_access hash:/opt/postfix/conf/check_sasl_access reject_authenticated_sender_login_mismatch [...] Run postmap on check_sasl_access: docker-compose exec postfix-mailcow postmap /opt/postfix/conf/check_sasl_access Restart the Postfix container.",
"title": "Disable sender addresses verification"
},
{
"location": "/u_and_e/#install-roundcube",
"text": "Download Roundcube 1.3.x (beta at the time of Feb 2017) to the web htdocs directory and extract it (here rc/): cd data/web\nwget -O - https://github.com/roundcube/roundcubemail/releases/download/1.3-beta/roundcubemail-1.3-beta-complete.tar.gz | tar xfvz -\n# Change folder name\nmv roundcubemail-1.3* rc\n# Change permissions\nchown -R root: rc/ Create a file data/web/rc/config/config.inc.php with the following content. Change the des_key parameter to a random value. It is used to temporarily store your IMAP password. <?php\nerror_reporting(0);\nif (!file_exists('/tmp/mime.types')) {\n  file_put_contents('/tmp/mime.types', fopen('http://svn.apache.org/repos/asf/httpd/httpd/trunk/docs/conf/mime.types', 'r'));\n}\n$config = array();\n$config['db_dsnw'] = 'mysql://' . getenv('DBUSER') . ':' . getenv('DBPASS') . '@mysql/' . getenv('DBNAME');\n$config['default_host'] = 'tls://dovecot';\n$config['default_port'] = 143;\n$config['smtp_server'] = 'tls://postfix';\n$config['smtp_port'] = 587;\n$config['smtp_user'] = '%u';\n$config['smtp_pass'] = '%p';\n$config['support_url'] = '';\n$config['product_name'] = 'Roundcube Webmail';\n$config['des_key'] = 'rcmail-!24ByteDESkey*Str';\n$config['log_dir'] = '/dev/null';\n$config['temp_dir'] = '/tmp';\n$config['plugins'] = array(\n  'archive',\n);\n$config['skin'] = 'larry';\n$config['mime_types'] = '/tmp/mime.types';\n$config['imap_conn_options'] = array(\n  'ssl' => array('verify_peer' => false, 'verify_peer_name' => false, 'allow_self_signed' => true)\n);\n$config['enable_installer'] = false;\n$config['smtp_conn_options'] = array(\n  'ssl' => array('verify_peer' => false, 'verify_peer_name' => false, 'allow_self_signed' => true)\n); Point your browser to https://myserver/rc/installer and follow the instructions.\nInitialize the database and leave the installer. Delete the directory data/web/rc/installer after a successful installation!",
"title": "Install Roundcube"
},
{
"location": "/u_and_e/#enable-change-password-function-in-roundcube",
"text": "Open data/web/rc/config/config.inc.php and enable the password plugin: ...\n$config['plugins'] = array(\n  'archive',\n  'password',\n);\n... Open data/web/rc/plugins/password/password.php, search for case 'ssha': and add above: case 'ssha256':\n  $salt = rcube_utils::random_bytes(8);\n  $crypted = base64_encode( hash('sha256', $password . $salt, TRUE ) . $salt );\n  $prefix = '{SSHA256}';\n  break; Open data/web/rc/plugins/password/config.inc.php and change the following parameters (or add them at the bottom of that file): $config['password_driver'] = 'sql';\n$config['password_algorithm'] = 'ssha256';\n$config['password_algorithm_prefix'] = '{SSHA256}';\n$config['password_query'] = 'UPDATE mailbox SET password = %P WHERE username = %u';",
"title": "Enable change password function in Roundcube"
},
{
"location": "/u_and_e/#mysql",
"text": "",
"title": "MySQL"
},
{
"location": "/u_and_e/#connect",
"text": "source mailcow.conf\ndocker-compose exec mysql-mailcow mysql -u${DBUSER} -p${DBPASS} ${DBNAME}",
"title": "Connect"
},
{
"location": "/u_and_e/#backup_1",
"text": "cd /path/to/mailcow-dockerized\nsource mailcow.conf\nDATE=$(date +\"%Y%m%d_%H%M%S\")\ndocker-compose exec -T mysql-mailcow mysqldump --default-character-set=utf8mb4 -u${DBUSER} -p${DBPASS} ${DBNAME} > backup_${DBNAME}_${DATE}.sql",
"title": "Backup"
},
{
"location": "/u_and_e/#restore_1",
"text": "cd /path/to/mailcow-dockerized\nsource mailcow.conf\ndocker-compose exec -T mysql-mailcow mysql -u${DBUSER} -p${DBPASS} ${DBNAME} < backup_file.sql",
"title": "Restore"
},
{
"location": "/u_and_e/#reset-mysql-passwords",
"text": "Stop the stack by running docker-compose stop. When the containers have stopped, run this command: docker-compose run --rm --entrypoint '/bin/sh -c \"gosu mysql mysqld --skip-grant-tables & sleep 10 && mysql -hlocalhost -uroot && exit 0\"' mysql-mailcow 1. Find database name MariaDB [(none)]> show databases;\n+--------------------+\n| Database           |\n+--------------------+\n| information_schema |\n| mailcow_database   | <=====\n| mysql              |\n| performance_schema |\n+--------------------+\n4 rows in set (0.00 sec) 2. Reset one or more users Both \"password\" and \"authentication_string\" exist. Currently \"password\" is used, but better set both. MariaDB [(none)]> SELECT user FROM mysql.user;\n+--------------+\n| user         |\n+--------------+\n| mailcow_user | <=====\n| root         |\n+--------------+\n2 rows in set (0.00 sec)\n\nMariaDB [(none)]> FLUSH PRIVILEGES;\nMariaDB [(none)]> UPDATE mysql.user SET authentication_string = PASSWORD('gotr00t'), password = PASSWORD('gotr00t') WHERE User = 'root' AND Host = '%';\nMariaDB [(none)]> UPDATE mysql.user SET authentication_string = PASSWORD('mookuh'), password = PASSWORD('mookuh') WHERE User = 'mailcow' AND Host = '%';\nMariaDB [(none)]> FLUSH PRIVILEGES;",
"title": "Reset MySQL passwords"
},
{
"location": "/u_and_e/#debugging",
"text": "You can use docker-compose logs $service-name for all containers. Run docker-compose logs for all logs at once. Follow the log output by running docker-compose with logs -f. Limit the output by calling logs with --tail=300 like docker-compose logs --tail=300 mysql-mailcow.",
"title": "Debugging"
},
{
"location": "/u_and_e/#redirect-port-80-to-443",
"text": "Since February 28th, 2017, mailcow comes with ports 80 and 443 enabled. Open mailcow.conf and set HTTP_BIND=0.0.0.0. Open data/conf/nginx/site.conf and add a new \"catch-all\" site at the top of that file: server {\n  listen 80 default_server;\n  include /etc/nginx/conf.d/server_name.active;\n  return 301 https://$host$request_uri;\n} Restart the stack, changed containers will be updated: docker-compose up -d",
"title": "Redirect port 80 to 443"
},
{
"location": "/u_and_e/#redis",
"text": "",
"title": "Redis"
},
{
"location": "/u_and_e/#client",
"text": "docker-compose exec redis-mailcow redis-cli",
"title": "Client"
},
{
"location": "/u_and_e/#remove-persistent-data",
"text": "Remove volume mysql-vol-1 to remove all MySQL data. Remove volume redis-vol-1 to remove all Redis data. Remove volume vmail-vol-1 to remove all contents of /var/vmail mounted to dovecot-mailcow . Remove volume dkim-vol-1 to remove all DKIM keys. Remove volume rspamd-vol-1 to remove all Rspamd data. Running docker-compose down -v will destroy all mailcow: dockerized volumes and delete any related containers.",
"title": "Remove persistent data"
},
{
"location": "/u_and_e/#reset-admin-password",
"text": "Reset mailcow admin to admin:moohoo : cd mailcow_path\nbash reset_admin.sh",
"title": "Reset admin password"
},
{
"location": "/u_and_e/#rspamd",
"text": "",
"title": "Rspamd"
},
{
"location": "/u_and_e/#learn-spam-and-ham",
"text": "Rspamd learns mail as spam or ham when you move a message in or out of the junk folder to any mailbox besides trash.\nThis is archived by using the Dovecot plugin \"antispam\" and a simple parser script. Rspamd also auto-learns mail when a high or low score is detected (see https://rspamd.com/doc/configuration/statistic.html#autolearning) The bayes statistics are written to Redis as keys BAYES_HAM and BAYES_SPAM . You can also use Rspamd's web ui to learn ham and/or spam.",
"title": "Learn spam and ham"
},
{
"location": "/u_and_e/#learn-ham-or-spam-from-existing-directory",
"text": "You can use a one-liner to learn mail in plain-text (uncompressed) format: # Ham\nfor file in /my/folder/cur/*; do docker exec -i $(docker-compose ps -q rspamd-mailcow) rspamc learn_ham $file; done\n# Spam\nfor file in /my/folder/.Junk/cur/*; do docker exec -i $(docker-compose ps -q rspamd-mailcow) rspamc learn_spam $file; done Consider attaching a local folder as new volume to rspamd-mailcow in docker-compose.yml and learn given files inside the container. This can be used as workaround to parse compressed data with zcat. Example: for file in /data/old_mail/.Junk/cur/*; do rspamc learn_spam zcat $file; done",
"title": "Learn ham or spam from existing directory"
},
{
"location": "/u_and_e/#cli-tools",
"text": "docker-compose exec rspamd-mailcow rspamc --help\ndocker-compose exec rspamd-mailcow rspamadm --help See Rspamd documentation",
"title": "CLI tools"
},
{
"location": "/u_and_e/#adjust-service-configurations",
"text": "The most important configuration files are mounted from the host into the related containers: data/conf\n\u251c\u2500\u2500 bind9\n\u2502\u00a0\u00a0 \u2514\u2500\u2500 named.conf\n\u251c\u2500\u2500 dovecot\n\u2502\u00a0\u00a0 \u251c\u2500\u2500 dovecot.conf\n\u2502\u00a0\u00a0 \u251c\u2500\u2500 dovecot-master.passwd\n\u2502\u00a0\u00a0 \u251c\u2500\u2500 sieve_after\n\u2502\u00a0\u00a0 \u2514\u2500\u2500 sql\n\u2502\u00a0\u00a0 \u251c\u2500\u2500 dovecot-dict-sql.conf\n\u2502\u00a0\u00a0 \u2514\u2500\u2500 dovecot-mysql.conf\n\u251c\u2500\u2500 mysql\n\u2502\u00a0\u00a0 \u2514\u2500\u2500 my.cnf\n\u251c\u2500\u2500 nginx\n\u2502\u00a0\u00a0 \u251c\u2500\u2500 dynmaps.conf\n\u2502\u00a0\u00a0 \u251c\u2500\u2500 site.conf\n\u2502\u00a0\u00a0 \u2514\u2500\u2500 templates\n\u2502\u00a0\u00a0 \u251c\u2500\u2500 listen_plain.template\n\u2502\u00a0\u00a0 \u251c\u2500\u2500 listen_ssl.template\n\u2502\u00a0\u00a0 \u2514\u2500\u2500 server_name.template\n\u251c\u2500\u2500 pdns\n\u2502\u00a0\u00a0 \u251c\u2500\u2500 pdns_custom.lua\n\u2502\u00a0\u00a0 \u2514\u2500\u2500 recursor.conf\n\u251c\u2500\u2500 postfix\n\u2502\u00a0\u00a0 \u251c\u2500\u2500 main.cf\n\u2502\u00a0\u00a0 \u251c\u2500\u2500 master.cf\n\u2502\u00a0\u00a0 \u251c\u2500\u2500 postscreen_access.cidr\n\u2502\u00a0\u00a0 \u251c\u2500\u2500 smtp_dsn_filter\n\u2502\u00a0\u00a0 \u2514\u2500\u2500 sql\n\u2502\u00a0\u00a0 \u251c\u2500\u2500 mysql_relay_recipient_maps.cf\n\u2502\u00a0\u00a0 \u251c\u2500\u2500 mysql_tls_enforce_in_policy.cf\n\u2502\u00a0\u00a0 \u251c\u2500\u2500 mysql_tls_enforce_out_policy.cf\n\u2502\u00a0\u00a0 \u251c\u2500\u2500 mysql_virtual_alias_domain_catchall_maps.cf\n\u2502\u00a0\u00a0 \u251c\u2500\u2500 mysql_virtual_alias_domain_maps.cf\n\u2502\u00a0\u00a0 \u251c\u2500\u2500 mysql_virtual_alias_maps.cf\n\u2502\u00a0\u00a0 \u251c\u2500\u2500 mysql_virtual_domains_maps.cf\n\u2502\u00a0\u00a0 \u251c\u2500\u2500 mysql_virtual_mailbox_maps.cf\n\u2502\u00a0\u00a0 \u251c\u2500\u2500 
mysql_virtual_relay_domain_maps.cf\n\u2502\u00a0\u00a0 \u251c\u2500\u2500 mysql_virtual_sender_acl.cf\n\u2502\u00a0\u00a0 \u2514\u2500\u2500 mysql_virtual_spamalias_maps.cf\n\u251c\u2500\u2500 rmilter\n\u2502\u00a0\u00a0 \u2514\u2500\u2500 rmilter.conf\n\u251c\u2500\u2500 rspamd\n\u2502\u00a0\u00a0 \u251c\u2500\u2500 dynmaps\n\u2502\u00a0\u00a0 \u2502\u00a0\u00a0 \u251c\u2500\u2500 authoritative.php\n\u2502\u00a0\u00a0 \u2502\u00a0\u00a0 \u251c\u2500\u2500 settings.php\n\u2502\u00a0\u00a0 \u2502\u00a0\u00a0 \u251c\u2500\u2500 tags.php\n\u2502\u00a0\u00a0 \u2502\u00a0\u00a0 \u2514\u2500\u2500 vars.inc.php - ../../../web/inc/vars.inc.php\n\u2502\u00a0\u00a0 \u251c\u2500\u2500 local.d\n\u2502\u00a0\u00a0 \u2502\u00a0\u00a0 \u251c\u2500\u2500 dkim.conf\n\u2502\u00a0\u00a0 \u2502\u00a0\u00a0 \u251c\u2500\u2500 metrics.conf\n\u2502\u00a0\u00a0 \u2502\u00a0\u00a0 \u251c\u2500\u2500 options.inc\n\u2502\u00a0\u00a0 \u2502\u00a0\u00a0 \u251c\u2500\u2500 redis.conf\n\u2502\u00a0\u00a0 \u2502\u00a0\u00a0 \u251c\u2500\u2500 rspamd.conf.local\n\u2502\u00a0\u00a0 \u2502\u00a0\u00a0 \u2514\u2500\u2500 statistic.conf\n\u2502\u00a0\u00a0 \u251c\u2500\u2500 lua\n\u2502\u00a0\u00a0 \u2502\u00a0\u00a0 \u2514\u2500\u2500 rspamd.local.lua\n\u2502\u00a0\u00a0 \u2514\u2500\u2500 override.d\n\u2502\u00a0\u00a0 \u251c\u2500\u2500 logging.inc\n\u2502\u00a0\u00a0 \u251c\u2500\u2500 worker-controller.inc\n\u2502\u00a0\u00a0 \u2514\u2500\u2500 worker-normal.inc\n\u2514\u2500\u2500 sogo\n \u251c\u2500\u2500 sieve.creds\n \u2514\u2500\u2500 sogo.conf Just change the according configuration file on the host and restart the related service: docker-compose restart service-mailcow",
"title": "Adjust service configurations"
},
{
"location": "/u_and_e/#tagging",
"text": "Mailbox users can tag their mail address like in me+facebook@example.org and choose between to setups to handle this tag: 1. Move this message to a subfolder \"facebook\" (will be created lower case if not existing) 2. Prepend the tag to the subject: \"[facebook] Subject\"",
"title": "Tagging"
},
{
"location": "/u_and_e/#two-factor-authentication",
"text": "So far two methods for TFA are implemented. Both work with the fantastic Yubikey . While Yubi OTP needs an active internet connection and an API ID and key, U2F will work with any FIDO U2F USB key out of the box, but can only be used when mailcow is accessed over HTTPS. Both methods support multiple YubiKeys. As administrator you are able to temporary disable a domain administrators TFA login until they successfully logged in. The key used to login will be displayed in green, while other keys remain grey.",
"title": "Two-factor authentication"
},
{
"location": "/u_and_e/#yubi-otp",
"text": "The Yubi API ID and Key will be checked against the Yubico Cloud API. When setting up TFA you will be asked for your personal API account for this key.\nThe API ID, API key and the first 12 characters (your YubiKeys ID in modhex) are stored in the MySQL table as secret.",
"title": "Yubi OTP"
},
{
"location": "/u_and_e/#u2f",
"text": "Only Google Chrome (+derivates) and Opera support U2F authentication to this day natively.\nFor Firefox you will need to install the \"U2F Support Add-on\" as provided on mozilla.org . U2F works without an internet connection.",
"title": "U2F"
},
{
"location": "/u_and_e/#portainer",
"text": "In order to enable Portainer, the docker-compose.yml and site.conf for nginx must be modified. 1. docker-compose.yml: Insert this block for portainer portainer-mailcow:\n image: portainer/portainer\n volumes:\n - /var/run/docker.sock:/var/run/docker.sock\n restart: always\n dns:\n - 172.22.1.254\n dns_search: mailcow-network\n networks:\n mailcow-network:\n aliases:\n - portainer 2a. data/conf/nginx/site.conf: Just beneath the opening line, at the same level as a server { block, add this: upstream portainer { \n server portainer-mailcow : 9000 ; } map $ http_upgrade $ connection_upgrade { \n default upgrade ; \n close ; } 2b. data/conf/nginx/site.conf: Then, inside both (ssl and plain) server blocks, add this: location / portainer / { \n proxy_http_version 1.1 ; \n proxy_set_header Host $http_host ; # required for docker client s sake \n proxy_set_header X-Real-IP $remote_addr ; # pass on real client s IP \n proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for ; \n proxy_set_header X-Forwarded-Proto $scheme ; \n proxy_read_timeout 900 ; \n\n proxy_set_header Connection ; \n proxy_buffers 32 4k ; \n proxy_pass http : // portainer / ; \n } \n\n location / portainer / api / websocket / { \n proxy_http_version 1.1 ; \n proxy_set_header Upgrade $http_upgrade ; \n proxy_set_header Connection $connection_upgrade ; \n proxy_pass http : // portainer / api / websocket / ; \n } Now you can simply navigate to https://${MAILCOW_HOSTNAME}/portainer/ to view your Portainer container monitoring page. You\u2019ll then be prompted to specify a new password for the admin account. After specifying your password, you\u2019ll then be able to connect to the Portainer UI.",
"title": "Portainer"
},
{
"location": "/u_and_e/#change-autodiscover-setup-type",
"text": "This disables ActiveSync in the autodiscover service for Outlook and configures it with IMAP and SMTP instead: Open data/web/autodiscover.php and set 'useEASforOutlook' = 'yes' to 'useEASforOutlook' = 'no' . To always use IMAP and SMTP instead of EAS, set 'autodiscoverType' = 'imap' .",
"title": "Change autodiscover setup type"
},
{
"location": "/u_and_e/#why-bind",
"text": "For DNS blacklist lookups and DNSSEC. Most systems use either a public or a local caching DNS resolver.\nThat's a very bad idea when it comes to filter spam using DNS-based blackhole lists (DNSBL) or similar technics.\nMost if not all providers apply a rate limit based on the DNS resolver that is used to query their service.\nUsing a public resolver like Googles 4x8, OpenDNS or any other shared DNS resolver like your ISPs will hit that limit very soon.",
"title": "Why Bind?"
}
]
}