mailcow-dockerized-docs/search/search_index.json

1 Zeile
Kein EOL
292 KiB
JSON

{"config":{"lang":["en"],"separator":"[\\s\\-]+","pipeline":["stopWordFilter"]},"docs":[{"location":"","title":"\ud83d\udc2e + \ud83d\udc0b = \ud83d\udc95","text":""},{"location":"#help-mailcow","title":"Help mailcow","text":"<p>Please consider a support contract for a small monthly fee at Servercow EN to support further development. We support you while you support us. :)</p> <p>If you are super awesome and would like to support without a contract, you can get a SAL license that confirms your awesomeness (a flexible one-time payment) at Servercow EN.</p>"},{"location":"#get-support","title":"Get support","text":"<p>There are two ways to achieve support for your mailcow installation.</p>"},{"location":"#commercial-support","title":"Commercial support","text":"<p>For professional and prioritized commercial support you can sign a basic support subscription at Servercow EN. For custom inquiries or questions please contact us at info@servercow.de instead.</p> <p>Furthermore we do also provide a fully featured and managed mailcow here. This way we take care about the technical magic underneath and you can enjoy your whole mail experience in a hassle-free way.</p>"},{"location":"#community-support-and-chat","title":"Community support and chat","text":"<p>The other alternative is our free community-support on our various channels below. Please notice, that this support is driven by our awesome community around mailcow. This kind of support is best-effort, voluntary and there is no guarantee for anything.</p> <ul> <li> <p>Our mailcow community @ community.mailcow.email</p> </li> <li> <p>Telegram (Support) @ t.me/mailcow.</p> </li> <li> <p>Telegram (Off-Topic) @ t.me/mailcowOfftopic.</p> </li> <li> <p>Twitter @mailcow_email</p> </li> </ul> <p>Telegram desktop clients are available for multiple platforms. You can search the groups history for keywords.</p> <p>For bug tracking, feature requests and code contributions only:</p> <ul> <li>GitHub @ mailcow/mailcow-dockerized</li> </ul>"},{"location":"#demos","title":"Demos","text":"<p>Since September 2022 we\u00b4re providing two seperate Demo instances: </p> <ul> <li>demo.mailcow.email is the classic Demo based on the stable releases.</li> <li>nightly-demo.mailcow.email is the new nightly demo based on unreleased testing features. (So especially interesting for those who have no possibility to create a test instance themselves.)</li> </ul> <p>Use the following credentials to login on both demos:</p> <ul> <li>Administrator: admin / moohoo</li> <li>Domain-Administrator: department / moohoo</li> <li>Mailbox: demo@440044.xyz / moohoo</li> </ul> <p>Success</p> <p>The demo instances get the latest updates directly after releases from GitHub. Fully automatic, without any downtime!</p>"},{"location":"#overview","title":"Overview","text":"<p>The integrated mailcow UI allows administrative work on your mail server instance as well as separated domain administrator and mailbox user access:</p> <ul> <li>DKIM and ARC support</li> <li>Black- and whitelists per domain and per user</li> <li>Spam score management per-user (reject spam, mark spam, greylist)</li> <li>Allow mailbox users to create temporary spam aliases</li> <li>Prepend mail tags to subject or move mail to sub folder (per-user)</li> <li>Allow mailbox users to toggle incoming and outgoing TLS enforcement</li> <li>Allow users to reset SOGo ActiveSync device caches</li> <li>imapsync to migrate or pull remote mailboxes regularly</li> <li>TFA: Yubikey OTP and U2F USB (Google Chrome and derivatives only), TOTP</li> <li>Add domains, mailboxes, aliases, domain aliases and SOGo resources</li> <li>Add whitelisted hosts to forward mail to mailcow</li> <li>Fail2ban-like integration</li> <li>Quarantine system</li> <li>Antivirus scanning incl. macro scanning in office documents</li> <li>Integrated basic monitoring</li> <li>A lot more...</li> </ul> <p>mailcow: dockerized comes with multiple containers linked in one bridged network. Each container represents a single application.</p> <ul> <li>ACME</li> <li>ClamAV (optional)</li> <li>Dovecot</li> <li>MariaDB</li> <li>Memcached</li> <li>Netfilter (Fail2ban-like integration by @mkuron)</li> <li>Nginx</li> <li>Oletools via Olefy</li> <li>PHP</li> <li>Postfix</li> <li>Redis</li> <li>Rspamd</li> <li>SOGo</li> <li>Solr (optional)</li> <li>Unbound</li> <li>A Watchdog to provide basic monitoring</li> </ul> <p>Warning</p> <p>Mails are stored compressed and encrypted. The key pair can be found in crypt-vol-1. Be sure to backup this volume!</p> <p>Docker volumes to keep dynamic data - take care of them!</p> <ul> <li>clamd-db-vol-1</li> <li>crypt-vol-1</li> <li>mysql-socket-vol-1</li> <li>mysql-vol-1</li> <li>postfix-vol-1</li> <li>redis-vol-1</li> <li>rspamd-vol-1</li> <li>sogo-userdata-backup-vol-1</li> <li>sogo-web-vol-1</li> <li>solr-vol-1</li> <li>vmail-index-vol-1</li> <li>vmail-vol-1</li> </ul>"},{"location":"backup_restore/b_n_r-accidental_deletion/","title":"Recover accidentally deleted data","text":"<p>So you deleted a mailbox and have no backups, he?</p> <p>If you noticed your mistake within a few hours, you can probably recover the users data.</p>"},{"location":"backup_restore/b_n_r-accidental_deletion/#sogo","title":"SOGo","text":"<p>We automatically create daily backups (24h interval starting from running up -d) in <code>/var/lib/docker/volumes/mailcowdockerized_sogo-userdata-backup-vol-1/_data/</code>.</p> <p>Make sure the user you want to restore exists in your mailcow. Re-create them if they are missing.</p> <p>Copy the file named after the user you want to restore to <code>__MAILCOW_DIRECTORY__/data/conf/sogo</code>.</p> <p>1. Copy the backup: <code>cp /var/lib/docker/volumes/mailcowdockerized_sogo-userdata-backup-vol-1/_data/restoreme@example.org __MAILCOW_DIRECTORY__/data/conf/sogo</code></p> <p>2. Run <code>docker compose exec -u sogo sogo-mailcow sogo-tool restore -F ALL /etc/sogo restoreme@example.org</code></p> <p>Run <code>sogo-tool</code> without parameters to check for possible restore options.</p> <p>3. Delete the copied backup by running <code>rm __MAILCOW_DIRECTORY__/data/conf/sogo</code></p> <p>4. Restart SOGo and Memcached: <code>docker compose restart sogo-mailcow memcached-mailcow</code></p>"},{"location":"backup_restore/b_n_r-accidental_deletion/#mail","title":"Mail","text":"<p>In case of an accidental deletion of a mailbox, you will be able to recover for (by default) 5 days. This depends on the <code>MAILDIR_GC_TIME</code> parameter in <code>mailcow.conf</code>.</p> <p>A deleted mailbox is copied in its encrypted form to <code>/var/lib/docker/volumes/mailcowdockerized_vmail-vol-1/_data/_garbage</code>.</p> <p>The folder inside <code>_garbage</code> follows the structure <code>[timestamp]_[domain_sanitized][user_sanitized]</code>, for example <code>1629109708_exampleorgtest</code> in case of test@example.org deleted on 1629109708.</p> <p>To restore make sure you are actually restoring to the same mailcow it was deleted from or you use the same encryption keys in <code>crypt-vol-1</code>.</p> <p>Make sure the user you want to restore exists in your mailcow. Re-create them if they are missing.</p> <p>Copy the folders from <code>/var/lib/docker/volumes/mailcowdockerized_vmail-vol-1/_data/_garbage/[timestamp]_[domain_sanitized][user_sanitized]</code> back to <code>/var/lib/docker/volumes/mailcowdockerized_vmail-vol-1/_data/[domain]/[user]</code> and resync the folder and recalc the quota:</p> <pre><code>docker compose exec dovecot-mailcow doveadm force-resync -u restoreme@example.net '*'\ndocker compose exec dovecot-mailcow doveadm quota recalc -u restoreme@example.net\n</code></pre>"},{"location":"backup_restore/b_n_r-backup/","title":"Backup","text":""},{"location":"backup_restore/b_n_r-backup/#backup","title":"Backup","text":""},{"location":"backup_restore/b_n_r-backup/#manual","title":"Manual","text":"<p>You can use the provided script <code>helper-scripts/backup_and_restore.sh</code> to backup mailcow automatically.</p> <p>Please do not copy this script to another location.</p> <p>To run a backup, write \"backup\" as first parameter and either one or more components to backup as following parameters. You can also use \"all\" as second parameter to backup all components. Append <code>--delete-days n</code> to delete backups older than n days.</p> <pre><code># Syntax:\n# ./helper-scripts/backup_and_restore.sh backup (vmail|crypt|redis|rspamd|postfix|mysql|all|--delete-days)\n\n# Backup all, delete backups older than 3 days\n./helper-scripts/backup_and_restore.sh backup all --delete-days 3\n\n# Backup vmail, crypt and mysql data, delete backups older than 30 days\n./helper-scripts/backup_and_restore.sh backup vmail crypt mysql --delete-days 30\n\n# Backup vmail\n./helper-scripts/backup_and_restore.sh backup vmail\n</code></pre>"},{"location":"backup_restore/b_n_r-backup/#variables-for-backuprestore-script","title":"Variables for backup/restore script","text":""},{"location":"backup_restore/b_n_r-backup/#multithreading","title":"Multithreading","text":"<p>With the 2022-10 update it is possible to run the script with multithreading support. This can be used for backups as well as for restores.</p> <p>To start the backup/restore with multithreading you have to add <code>THREADS</code> as an environment variable in front of the command to execute the script.</p> <p><pre><code>THREADS=14 /opt/mailcow-dockerized/helper-scripts/backup_and_restore.sh backup all\n</code></pre> The number after the <code>=</code> character indicates the number of threads. Please keep your core count -2 to leave enough CPU power for mailcow itself.</p>"},{"location":"backup_restore/b_n_r-backup/#backup-path","title":"Backup path","text":"<p>The script will ask you for a backup location. Inside of this location it will create folders in the format \"mailcow_DATE\". You should not rename those folders to not break the restore process.</p> <p>To run a backup unattended, define MAILCOW_BACKUP_LOCATION as environment variable before starting the script:</p> <pre><code>MAILCOW_BACKUP_LOCATION=/opt/backup /opt/mailcow-dockerized/helper-scripts/backup_and_restore.sh backup all\n</code></pre> <p>Tip<p>Both variables mentioned above can also be combined! Ex: <pre><code>MAILCOW_BACKUP_LOCATION=/opt/backup THREADS=14 /opt/mailcow-dockerized/helper-scripts/backup_and_restore.sh backup all\n</code></pre></p> </p>"},{"location":"backup_restore/b_n_r-backup/#cronjob","title":"Cronjob","text":"<p>You can run the backup script regularly via cronjob. Make sure <code>BACKUP_LOCATION</code> exists:</p> <pre><code>PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\n5 4 * * * cd /opt/mailcow-dockerized/; MAILCOW_BACKUP_LOCATION=/mnt/mailcow_backups /opt/mailcow-dockerized/helper-scripts/backup_and_restore.sh backup mysql crypt redis --delete-days 3\n</code></pre> <p>Per default cron sends the full result of each backup operation by email. If you want cron to only mail on error (non-zero exit code) you may want to use the following snippet. Pathes need to be modified according to your setup (this script is a user contribution).</p> <p>This following script may be placed in <code>/etc/cron.daily/mailcow-backup</code> - do not forget to mark it as executable via <code>chmod +x</code>:</p> <pre><code>#!/bin/sh\n\n# Backup mailcow data\n# https://mailcow.github.io/mailcow-dockerized-docs/backup_restore/b_n_r-backup/\n\nset -e\n\nOUT=\"$(mktemp)\"\nexport MAILCOW_BACKUP_LOCATION=\"/opt/backup\"\nSCRIPT=\"/opt/mailcow-dockerized/helper-scripts/backup_and_restore.sh\"\nPARAMETERS=\"backup all\"\nOPTIONS=\"--delete-days 30\"\n\n# run command\nset +e\n\"${SCRIPT}\" ${PARAMETERS} ${OPTIONS} 2&gt;&amp;1 &gt; \"$OUT\"\nRESULT=$?\n\nif [ $RESULT -ne 0 ]\n then\n echo \"${SCRIPT} ${PARAMETERS} ${OPTIONS} encounters an error:\"\n echo \"RESULT=$RESULT\"\n echo \"STDOUT / STDERR:\"\n cat \"$OUT\"\nfi\n</code></pre>"},{"location":"backup_restore/b_n_r-backup/#backup-strategy-with-rsync-and-mailcow-backup-script","title":"Backup strategy with rsync and mailcow backup script","text":"<p>Create the destination directory for mailcows helper script: <pre><code>mkdir -p /external_share/backups/backup_script\n</code></pre></p> <p>Create cronjobs: <pre><code>PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\n25 1 * * * rsync -aH --delete /opt/mailcow-dockerized /external_share/backups/mailcow-dockerized\n40 2 * * * rsync -aH --delete /var/lib/docker/volumes /external_share/backups/var_lib_docker_volumes\n5 4 * * * cd /opt/mailcow-dockerized/; BACKUP_LOCATION=/external_share/backups/backup_script /opt/mailcow-dockerized/helper-scripts/backup_and_restore.sh backup mysql crypt redis --delete-days 3\n# If you want to, use the acl util to backup permissions of some/all folders/files: getfacl -Rn /path\n</code></pre></p> <p>On the destination (in this case <code>/external_share/backups</code>) you may want to have snapshot capabilities (ZFS, Btrfs etc.). Snapshot daily and keep for n days for a consistent backup. Do not rsync to a Samba share, you need to keep the correct permissions!</p> <p>To restore you'd simply need to run rsync the other way round and restart Docker to re-read the volumes. Run <code>docker compose pull</code> and <code>docker compose up -d</code>.</p> <p>If you are lucky Redis and MariaDB can automatically fix the inconsistent databases (if they are inconsistent). In case of a corrupted database you'd need to use the helper script to restore the inconsistent elements. If a restore fails, try to extract the backups and copy the files back manually. Keep the file permissions!</p>"},{"location":"backup_restore/b_n_r-backup_restore-maildir/","title":"Maildir","text":""},{"location":"backup_restore/b_n_r-backup_restore-maildir/#backup","title":"Backup","text":"<p>This line backups the vmail directory to a file backup_vmail.tar.gz in the mailcow root directory: <pre><code>cd /path/to/mailcow-dockerized\ndocker run --rm -i -v $(docker inspect --format '{{ range .Mounts }}{{ if eq .Destination \"/var/vmail\" }}{{ .Name }}{{ end }}{{ end }}' $(docker compose ps -q dovecot-mailcow)):/vmail -v ${PWD}:/backup debian:stretch-slim tar cvfz /backup/backup_vmail.tar.gz /vmail\n</code></pre></p> <p>You can change the path by adjusting ${PWD} (which equals to the current directory) to any path you have write-access to. Set the filename <code>backup_vmail.tar.gz</code> to any custom name, but leave the path as it is. Example: <code>[...] tar cvfz /backup/my_own_filename_.tar.gz</code></p>"},{"location":"backup_restore/b_n_r-backup_restore-maildir/#restore","title":"Restore","text":"<pre><code>cd /path/to/mailcow-dockerized\ndocker run --rm -it -v $(docker inspect --format '{{ range .Mounts }}{{ if eq .Destination \"/var/vmail\" }}{{ .Name }}{{ end }}{{ end }}' $(docker compose ps -q dovecot-mailcow)):/vmail -v ${PWD}:/backup debian:stretch-slim tar xvfz /backup/backup_vmail.tar.gz\n</code></pre>"},{"location":"backup_restore/b_n_r-backup_restore-mysql/","title":"MySQL (mysqldump)","text":""},{"location":"backup_restore/b_n_r-backup_restore-mysql/#backup","title":"Backup","text":"<pre><code>cd /path/to/mailcow-dockerized\nsource mailcow.conf\nDATE=$(date +\"%Y%m%d_%H%M%S\")\ndocker compose exec -T mysql-mailcow mysqldump --default-character-set=utf8mb4 -u${DBUSER} -p${DBPASS} ${DBNAME} &gt; backup_${DBNAME}_${DATE}.sql\n</code></pre>"},{"location":"backup_restore/b_n_r-backup_restore-mysql/#restore","title":"Restore","text":"<p>Warning</p> <p>You should redirect the SQL dump without <code>docker compose</code> to prevent parsing errors.</p> <pre><code>cd /path/to/mailcow-dockerized\nsource mailcow.conf\ndocker exec -i $(docker compose ps -q mysql-mailcow) mysql -u${DBUSER} -p${DBPASS} ${DBNAME} &lt; backup_file.sql\n</code></pre>"},{"location":"backup_restore/b_n_r-coldstandby/","title":"Cold-standby backup","text":"<p>mailcow offers an easy way to create a consistent copy of itself to be rsync'ed to a remote location without downtime.</p> <p>This may also be used to transfer your mailcow to a new server.</p>"},{"location":"backup_restore/b_n_r-coldstandby/#you-should-know","title":"You should know","text":"<p>The provided script will work on default installations.</p> <p>It may break when you use unsupported volume overrides. We don't support that and we will not include hacks to support that. Please run and maintain a fork if you plan to keep your changes.</p> <p>The script will use the same paths as your default mailcow installation. That is the mailcow base directory - for most users <code>/opt/mailcow-dockerized</code> - as well as the mountpoints.</p> <p>To find the paths of your source volumes we use <code>docker inspect</code> and read the destination directory of every volume related to your mailcow compose project. This means we will also transfer volumes you may have added in an override file. Local bind mounts may or may not work.</p> <p>The script uses rsync with the <code>--delete</code> flag. The destination will be an exact copy of the source.</p> <p><code>mariabackup</code> is used to create a consistent copy of the SQL data directory.</p> <p>After rsync'ing the data we will run <code>docker compose pull</code> and remove old image tags from the destination.</p> <p>Your source will not be changed at any time.</p> <p>You may want to make sure to use the same <code>/etc/docker/daemon.json</code> on the remote target.</p> <p>You should not run disk snapshots (e.g. via ZFS, LVM etc.) on the target at the very same time as this script is run.</p> <p>Versioning is not part of this script, we rely on the destination (snapshots or backups). You may also want to use any other tool for that.</p>"},{"location":"backup_restore/b_n_r-coldstandby/#prepare","title":"Prepare","text":"<p>You will need an SSH-enabled destination and a keyfile to connect to said destination. The key should not be protected by a password for the script to work unattended.</p> <p>In your mailcow base directory, e.g. <code>/opt/mailcow-dockerized</code> you will find a file <code>create_cold_standby.sh</code>.</p> <p>Edit this file and change the exported variables:</p> <pre><code>export REMOTE_SSH_KEY=/path/to/keyfile\nexport REMOTE_SSH_PORT=22\nexport REMOTE_SSH_HOST=mailcow-backup.host.name\n</code></pre> <p>The key must be owned and readable by root only.</p> <p>Both the source and destination require <code>rsync</code> &gt;= v3.1.0. The destination must have Docker and docker compose v2 available.</p> <p>The script will detect errors automatically and exit.</p> <p>You may want to test the connection by running <code>ssh mailcow-backup.host.name -p22 -i /path/to/keyfile</code>.</p>"},{"location":"backup_restore/b_n_r-coldstandby/#backup-and-refresh-the-cold-standby","title":"Backup and refresh the cold-standby","text":"<p>Run the first backup, this may take a while depending on the connection:</p> <pre><code>bash /opt/mailcow-dockerized/create_cold_standby.sh\n</code></pre> <p>That was easy, wasn't it?</p> <p>Updating your cold-standby is just as easy:</p> <pre><code>bash /opt/mailcow-dockerized/create_cold_standby.sh\n</code></pre> <p>It's the same command.</p>"},{"location":"backup_restore/b_n_r-coldstandby/#automated-backups-with-cron","title":"Automated backups with cron","text":"<p>First make sure that the <code>cron</code> service is enabled and running:</p> <pre><code>systemctl enable cron.service &amp;&amp; systemctl start cron.service\n</code></pre> <p>To automate the backups to the cold-standby server you can use a cron job. To edit the cron jobs for the root user run:</p> <pre><code>crontab -e\n</code></pre> <p>Add the following lines to synchronize the cold standby server daily at 03:00. In this example errors of the last execution are logged into a file.</p> <pre><code>PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\n\n0 3 * * * bash /opt/mailcow-dockerized/create_cold_standby.sh 2&gt; /var/log/mailcow-coldstandby-sync.log\n</code></pre> <p>If saved correctly, the cron job should be shown by typing:</p> <pre><code>crontab -l\n</code></pre>"},{"location":"backup_restore/b_n_r-restore/","title":"Restore","text":""},{"location":"backup_restore/b_n_r-restore/#restore","title":"Restore","text":"<p>Please do not copy this script to another location.</p> <p>To run a restore, start mailcow, use the script with \"restore\" as first parameter.</p> <pre><code># Syntax:\n# ./helper-scripts/backup_and_restore.sh restore\n</code></pre> <p>The script will ask you for a backup location containing the mailcow_DATE folders.</p>"},{"location":"client/client-android/","title":"Android","text":"<ol> <li>Open the Email app.</li> <li>If this is your first email account, tap Add Account; if not, tap More and Settings and then Add account.</li> <li>Select Microsoft Exchange ActiveSync.</li> <li>Enter your email address () and password.</li> <li>Tap Sign in.</li> </ol>"},{"location":"client/client-apple/","title":"Apple macOS / iOS","text":""},{"location":"client/client-apple/#method-1-via-mobileconfig","title":"Method 1 via Mobileconfig","text":"<p>Email, contacts and calendars can be configured automatically on Apple devices by installing a profile. To download a profile you must login to the mailcow UI first.</p>"},{"location":"client/client-apple/#method-11-imap-smtp-and-calcarddav","title":"Method 1.1: IMAP, SMTP and Cal/CardDAV","text":"<p>This method configures IMAP, CardDAV and CalDAV.</p> <ol> <li>Download and open the file from https://${MAILCOW_HOSTNAME}/mobileconfig.phpmailcow.mobileconfig.</li> <li>Enter the unlock code (iPhone) or computer password (Mac).</li> <li>Enter your email password three times when prompted.</li> </ol>"},{"location":"client/client-apple/#method-12-imap-smtp-no-dav","title":"Method 1.2: IMAP, SMTP (no DAV)","text":"<p>This method configures IMAP and SMTP only.</p> <ol> <li>Download and open the file from https://${MAILCOW_HOSTNAME}/mobileconfig.php?only_emailmailcow.mobileconfig.</li> <li>Enter the unlock code (iPhone) or computer password (Mac).</li> <li>Enter your email password when prompted.</li> </ol>"},{"location":"client/client-apple/#method-2-exchange-activesync-emulation","title":"Method 2 (Exchange ActiveSync emulation)","text":"<p>On iOS, Exchange ActiveSync is also supported as an alternative to the procedure above. It has the advantage of supporting push email (i.e. you are immediately notified of incoming messages), but has some limitations, e.g. it does not support more than three email addresses per contact in your address book. Follow the steps below if you decide to use Exchange instead.</p> <ol> <li>Open the Settings app, tap Mail, tap Accounts, tap Add Acccount, select Exchange.</li> <li>Enter your email address () and tap Next.</li> <li>Enter your password, tap Next again.</li> <li>Finally, tap Save.</li> </ol>"},{"location":"client/client-emclient/","title":"eM Client","text":"<ol> <li>Launch eM Client.</li> <li>If this is the first time you launched eM Client, it asks you to set up your account. Proceed to step 4.</li> <li>Go to Menu at the top, select Tools and Accounts.</li> <li>Enter your email address () and click Start Now.</li> <li>Enter your password and click Continue.</li> <li>Enter your name () and click Next.</li> <li>Click Finish.</li> </ol>"},{"location":"client/client-kontact/","title":"KDE Kontact","text":"<ol> <li>Launch Kontact.</li> <li>If this is the first time you launched Kontact or KMail, it asks you to set up your account. Proceed to step 4.</li> <li>Go to Mail in the sidebar. Go to the Tools menu and select Account Wizard.</li> <li>Enter your name (), email address () and your password. Click Next.</li> <li>Click Create Account. If prompted, re-enter your password and click OK.</li> <li>Close the window by clicking Finish.</li> <li>Go to Calendar in the sidebar.</li> <li>Go to the Settings menu and select Configure KOrganizer.</li> <li>Go to the Calendars tab and click the Add button.</li> <li>Choose DAV groupware resource and click OK.</li> <li>Enter your email address () and your password. Click Next.</li> <li>Select ScalableOGo from the dropdown menu and click Next.</li> <li>Enter your mailcow hostname into the Host field and click Next.</li> <li>Click Test Connection and then Finish. Finally, click OK twice.</li> </ol> <p>Once you have set up Kontact, you can also use KMail, KOrganizer and KAddressBook individually.</p>"},{"location":"client/client-manual/","title":"Manual configuration","text":"<p>These instructions are valid for unchanged port bindings only!</p>"},{"location":"client/client-manual/#email","title":"Email","text":"Service Encryption Host Port IMAP STARTTLS mailcow hostname 143 IMAPS SSL mailcow hostname 993 POP3 STARTTLS mailcow hostname 110 POP3S SSL mailcow hostname 995 SMTP STARTTLS mailcow hostname 587 SMTPS SSL mailcow hostname 465 <p>Please use the \"plain\" password setting as the authentication mechanism. Contrary to what the name implies, the password will not be transferred to the server in plain text as no authentication is allowed to take place without TLS.</p>"},{"location":"client/client-manual/#contacts-and-calendars","title":"Contacts and calendars","text":"<p>SOGos default calendar (CalDAV) and contacts (CardDAV) URLs:</p> <ol> <li> <p>CalDAV https://mail.example.com/SOGo/dav/user@example.com/Calendar/personal/https:///SOGo/dav//Calendar/personal/</p> </li> <li> <p>CardDAV https://mail.example.com/SOGo/dav/user@example.com/Contacts/personal/https:///SOGo/dav//Contacts/personal/</p> </li> </ol> <p>Some applications may require you to use https://mail.example.com/SOGo/dav/https:///SOGo/dav/ or the full path to your calendar, which can be found and copied from within SOGo.</p>"},{"location":"client/client-outlook/","title":"Microsoft Outlook","text":""},{"location":"client/client-outlook/#outlook-2016-or-higher-from-office-365-on-windows","title":"Outlook 2016 or higher from Office 365 on Windows","text":"<p>This is only applicable if your server administrator has not disabled EAS for Outlook. If it is disabled, please follow the guide for Outlook 2007 instead.</p> <p>Outlook 2016 has an issue with autodiscover. Only Outlook from Office 365 is affected. If you installed Outlook from another source, please follow the guide for Outlook 2013 or higher. </p> <p>For EAS you must use the old assistant by launching <code>C:\\Program Files (x86)\\Microsoft Office\\root\\Office16\\OLCFG.EXE</code>. If this application opens, you can go to step 4 of the guide for Outlook 2013 below.</p> <p>If it does not open, you can completely disable the new account creation wizard and follow the guide for Outlook 2013 below.</p>"},{"location":"client/client-outlook/#outlook-2007-or-2010-on-windows","title":"Outlook 2007 or 2010 on Windows","text":""},{"location":"client/client-outlook/#outlook-2007-or-higher-on-windows-calendercontacts-via-caldav-synchronizer","title":"Outlook 2007 or higher on Windows (Calender/Contacts via CalDav Synchronizer)","text":"<ol> <li>Download and install Outlook CalDav Synchronizer.</li> <li>Launch Outlook.</li> <li>If this is the first time you launched Outlook, it asks you to set up your account. Proceed to step 5.</li> <li>Go to the File menu and click Add Account.</li> <li>Enter your name (), email address () and your password. Click Next.</li> <li>Click Finish.</li> <li>Go to the CalDav Synchronizer ribbon and click Synchronization Profiles.</li> <li>Click the second button at top (Add multiple profiles), select Sogo, click Ok.</li> <li>Click the Get IMAP/POP3 account settings button.</li> <li>Click Discover resources and assign to Outlook folders.</li> <li>In the Select Resource window that pops up, select your main calendar (usually Personal Calendar), click the ... button, assign it to Calendar, and click OK. Go to the Address Books and Tasks tabs and repeat repeat the process accordingly. Do not assign multiple calendars, address books or task lists!</li> <li>Close all windows with the OK buttons.</li> </ol>"},{"location":"client/client-outlook/#outlook-2013-or-higher-on-windows-active-sync-not-recommended","title":"Outlook 2013 or higher on Windows (Active Sync - not recommended)","text":"<p>This is only applicable if your server administrator has not disabled EAS for Outlook. If it is disabled, please follow the guide for Outlook 2007 instead.</p> <ol> <li>Launch Outlook.</li> <li>If this is the first time you launched Outlook, it asks you to set up your account. Proceed to step 4.</li> <li>Go to the File menu and click Add Account.</li> <li>Enter your name (), email address () and your password. Click Next.</li> <li>When prompted, enter your password again, check Remember my credentials and click OK.</li> <li>Click the Allow button.</li> <li>Click Finish.</li> </ol>"},{"location":"client/client-outlook/#outlook-2011-or-higher-on-macos","title":"Outlook 2011 or higher on macOS","text":"<p>The Mac version of Outlook does not synchronize calendars and contacts and therefore is not supported.</p>"},{"location":"client/client-thunderbird/","title":"Mozilla Thunderbird","text":"<ol> <li> Launch Thunderbird. </li> <li> If this is the first time you launched Thunderbird, it asks you whether you would like a new email address. Click Skip this and use my existing email and proceed to step 4. </li> <li> Go to the File menu and select New, Existing Mail Account.... </li> <li> Enter your name (), email address () and your password. Make sure the Remember password checkbox is selected and click Continue. </li> <li> Once the configuration has been automatically detected, make sure IMAP is selected and click Done. </li> <li> To use your contacts from the server, click on the arrow next to \"Address Books\" and click the Connect button on each address book you would like to use. </li> <li> To use your calendars from the server, click on the arrow next to \"Calendars\" and click the Connect button on each calendar you would like to use. </li> <li> Click Finish to close the Account Setup window."},{"location":"client/client-windows/","title":"Windows Mail","text":"<p>Windows 8 and higher support email, contacts and calendar via Exchange ActiveSync.</p> <ol> <li>Open the Mail app.</li> <li>If you have not previously used Mail, you can click Add Account in the main window. Proceed to step 4.</li> <li>Click Accounts in the sidebar on the left, then click Add Account on the far right.</li> <li>Select Exchange.</li> <li>Enter your email address () and click Next.</li> <li>Enter your password and click Log in.</li> </ol> <p>Once you have set up the Mail app, you can also use the People and Calendar apps.</p>"},{"location":"client/client/","title":"Overview","text":"<p>mailcow supports a variety of email clients, both on desktop computers and on smartphones. Below, you can find a number of configuration guides that explain how to configure your mailcow account.</p> <p>Tip</p> If you access this page by logging into your mailcow server and clicking the \"Show configuration guides for email clients and smartphones\" link, all of the guides will be personalized with your email address and server name. <p>Success</p> Since you accessed this page after logging into your mailcow server, all of the guides have been personalized with your email address and server name. <ul> <li>Android</li> <li>Apple iOS / macOS</li> <li>eM Client</li> <li>KDE Kontact / KMail</li> <li>Microsoft Outlook</li> <li>Mozilla Thunderbird</li> <li>Windows Mail</li> <li>Manual configuration</li> </ul>"},{"location":"i_u_m/i_u_m_deinstall/","title":"Deinstallation","text":"<p>To remove mailcow: dockerized with all it's volumes, images and containers do:</p> <pre><code>docker compose down -v --rmi all --remove-orphans\n</code></pre> <p>Info</p> <ul> <li>-v Remove named volumes declared in the <code>volumes</code> section of the Compose file and anonymous volumes attached to containers.</li> <li>--rmi Remove images. Type must be one of: <code>all</code>: Remove all images used by any service. <code>local</code>: Remove only images that don't have a custom tag set by the <code>image</code> field. <li>--remove-orphans Remove containers for services not defined in the compose file.</li> <li>By default <code>docker compose down</code> only removes currently active containers and networks defined in the <code>docker-compose.yml</code>.</li>"},{"location":"i_u_m/i_u_m_install/","title":"Installation","text":""},{"location":"i_u_m/i_u_m_install/#docker-and-docker-compose-installation","title":"Docker and Docker Compose Installation","text":"<p>You need Docker (a version &gt;= <code>20.10.2</code> is required) and Docker Compose (a version <code>&gt;= 2.0</code> is required).</p> <p>Learn how to install Docker and Docker Compose.</p> <p>Quick installation for most operation systems:</p>"},{"location":"i_u_m/i_u_m_install/#docker","title":"Docker","text":"<pre><code>curl -sSL https://get.docker.com/ | CHANNEL=stable sh\n# After the installation process is finished, you may need to enable the service and make sure it is started (e.g. CentOS 7)\nsystemctl enable --now docker\n</code></pre>"},{"location":"i_u_m/i_u_m_install/#docker-compose","title":"docker compose","text":"<p>Danger</p> <p>mailcow requires the latest version of docker compose v2. If Docker was installed using the script above, the Docker Compose plugin is already automatically installed in a version &gt;=2.0. Is your mailcow installation older or Docker was installed in a different way, the Compose plugin or the standalone version of Docker must be installed manually.</p>"},{"location":"i_u_m/i_u_m_install/#installation-via-paketmanager-plugin","title":"Installation via Paketmanager (plugin)","text":"<p>Info</p> <p>This approach with the package sources is only possible if the Docker repository has been included. This can happen either through the instructions above (see Docker) or through a manually integration.</p> <p>On Debian/Ubuntu systems: <pre><code>apt update\napt install docker-compose-plugin\n</code></pre></p> <p>On Centos 7 systems: <pre><code>yum update\nyum install docker-compose-plugin\n</code></pre></p> <p>Danger</p> <p>The Docker Compose command syntax is <code>docker compose</code> for the plugin variant of Docker Compose!!!</p>"},{"location":"i_u_m/i_u_m_install/#installation-via-script-standalone","title":"Installation via Script (standalone)","text":"<p>Info</p> <p>This installation is the old familiar way. It installs Docker Compose as a standalone program and does not rely on the Docker installation way.</p> <pre><code>curl -L https://github.com/docker/compose/releases/download/v$(curl -Ls https://www.servercow.de/docker-compose/latest.php)/docker-compose-$(uname -s)-$(uname -m) &gt; /usr/local/bin/docker-compose\nchmod +x /usr/local/bin/docker-compose\n</code></pre> <p>Danger</p> <p>The Docker Compose command syntax is <code>docker-compose</code> for the standalone variant of Docker Compose!!! </p> <p>Please use the latest Docker engine available and do not use the engine that ships with your distros repository.</p>"},{"location":"i_u_m/i_u_m_install/#check-selinux-specifics","title":"Check SELinux specifics","text":"<p>On SELinux enabled systems, e.g. CentOS 7:</p> <ul> <li>Check if \"container-selinux\" package is present on your system:</li> </ul> <pre><code>rpm -qa | grep container-selinux\n</code></pre> <p>If the above command returns an empty or no output, you should install it via your package manager.</p> <ul> <li>Check if docker has SELinux support enabled:</li> </ul> <pre><code>docker info | grep selinux\n</code></pre> <p>If the above command returns an empty or no output, create or edit <code>/etc/docker/daemon.json</code> and add <code>\"selinux-enabled\": true</code>. Example file content:</p> <pre><code>{\n \"selinux-enabled\": true\n}\n</code></pre> <p>Restart the docker daemon and verify SELinux is now enabled.</p> <p>This step is required to make sure mailcows volumes are properly labeled as declared in the compose file. If you are interested in how this works, you can check out the readme of https://github.com/containers/container-selinux which links to a lot of useful information on that topic.</p>"},{"location":"i_u_m/i_u_m_install/#install-mailcow","title":"Install mailcow","text":"<p>Clone the master branch of the repository, make sure your umask equals 0022. Please clone the repository as root user and also control the stack as root. We will modify attributes - if necessary - while bootstrapping the containers automatically and make sure everything is secured. The update.sh script must therefore also be run as root. It might be necessary to change ownership and other attributes of files you will otherwise not have access to. We drop permissions for every exposed application and will not run an exposed service as root! Controlling the Docker daemon as non-root user does not give you additional security. The unprivileged user will spawn the containers as root likewise. The behaviour of the stack is identical.</p> <pre><code>$ su\n# umask\n0022 # &lt;- Verify it is 0022\n# cd /opt\n# git clone https://github.com/mailcow/mailcow-dockerized\n# cd mailcow-dockerized\n</code></pre>"},{"location":"i_u_m/i_u_m_install/#initialize-mailcow","title":"Initialize mailcow","text":"<p>Generate a configuration file. Use a FQDN (<code>host.domain.tld</code>) as hostname when asked. <pre><code>./generate_config.sh\n</code></pre></p> <p>Change configuration if you want or need to. <pre><code>nano mailcow.conf\n</code></pre> If you plan to use a reverse proxy, you can, for example, bind HTTPS to 127.0.0.1 on port 8443 and HTTP to 127.0.0.1 on port 8080.</p> <p>You may need to stop an existing pre-installed MTA which blocks port 25/tcp. See this chapter to learn how to reconfigure Postfix to run besides mailcow after a successful installation.</p> <p>Some updates modify mailcow.conf and add new parameters. It is hard to keep track of them in the documentation. Please check their description and, if unsure, ask at the known channels for advise.</p>"},{"location":"i_u_m/i_u_m_install/#troubleshooting","title":"Troubleshooting","text":""},{"location":"i_u_m/i_u_m_install/#users-with-a-mtu-not-equal-to-1500-eg-openstack","title":"Users with a MTU not equal to 1500 (e.g. OpenStack)","text":"<p>Whenever you run into trouble and strange phenomena, please check your MTU.</p> <p>Edit <code>docker-compose.yml</code> and change the network settings according to your MTU. Add the new driver_opts parameter like this: <pre><code>networks:\n mailcow-network:\n ...\n driver_opts:\n com.docker.network.driver.mtu: 1450\n ...\n</code></pre></p>"},{"location":"i_u_m/i_u_m_install/#users-without-an-ipv6-enabled-network-on-their-host-system","title":"Users without an IPv6 enabled network on their host system","text":"<p>Please don't turn off IPv6, even if you don't like it. IPv6 is the future and should not be ignored.</p> <p>If you do not have an IPv6 enabled network on your host and you don't care for a better internet (thehe), it is recommended to disable IPv6 for the mailcow network to prevent unforeseen issues.</p>"},{"location":"i_u_m/i_u_m_install/#start-mailcow","title":"Start mailcow","text":"<p>Pull the images and run the compose file. The parameter <code>-d</code> will start mailcow: dockerized detached: <pre><code>docker compose pull\ndocker compose up -d\n</code></pre></p> <p>Done!</p> <p>You can now access https://${MAILCOW_HOSTNAME} with the default credentials <code>admin</code> + password <code>moohoo</code>.</p> <p>Info</p> <p>If you are not using mailcow behind a reverse proxy, you should redirect all HTTP requests to HTTPS.</p> <p>The database will be initialized right after a connection to MySQL can be established.</p> <p>Your data will persist in multiple Docker volumes, that are not deleted when you recreate or delete containers. Run <code>docker volume ls</code> to see a list of all volumes. You can safely run <code>docker compose down</code> without removing persistent data.</p>"},{"location":"i_u_m/i_u_m_migration/","title":"Migration","text":"<p>Warning</p> <p>This guide assumes you intend to migrate an existing mailcow server (source) over to a brand new, empty server (target). It takes no care about preserving any existing data on your target server and will erase anything within <code>/var/lib/docker/volumes</code> and thus any Docker volumes you may have already set up.</p> <p>Tip</p> <p>Alternatively, you can use the <code>./helper-scripts/backup_and_restore.sh</code> script to create a full backup on the source machine, then install mailcow on the target machine as usual, copy over your <code>mailcow.conf</code> and use the same script to restore your backup to the target machine.</p> <p>1. Follow the installation guide to install Docker and Compose.</p> <p>2. Stop Docker and assure Docker has stopped: <pre><code>systemctl stop docker.service\nsystemctl status docker.service\n</code></pre></p> <p>3. Run the following commands on the source machine (take care of adding the trailing slashes in the first path parameter as shown below!) - WARNING: This command will erase anything that may already exist under <code>/var/lib/docker/volumes</code> on the target machine: <pre><code>rsync -aHhP --numeric-ids --delete /opt/mailcow-dockerized/ root@target-machine.example.com:/opt/mailcow-dockerized\nrsync -aHhP --numeric-ids --delete /var/lib/docker/volumes/ root@target-machine.example.com:/var/lib/docker/volumes\n</code></pre></p> <p>4. Shut down mailcow and stop Docker on the source machine. <pre><code>cd /opt/mailcow-dockerized\ndocker compose down\nsystemctl stop docker.service\n</code></pre></p> <p>5. Repeat step 3 with the same commands. This will be much quicker than the first time.</p> <p>6. Switch over to the target machine and start Docker. <pre><code>systemctl start docker.service\n</code></pre></p> <p>7. Now pull the mailcow Docker images on the target machine. <pre><code>cd /opt/mailcow-dockerized\ndocker compose pull\n</code></pre></p> <p>8. Start the whole mailcow stack and everything should be done! <pre><code>docker compose up -d\n</code></pre></p> <p>9. Finally, change your DNS settings to point to the target server. Also check the <code>SNAT_TO_SOURCE</code> variable in your <code>mailcow.conf</code> file if you have changed your public IP address, otherwise SOGo may not work.</p>"},{"location":"i_u_m/i_u_m_update/","title":"Update","text":""},{"location":"i_u_m/i_u_m_update/#automatic-update","title":"Automatic update","text":"<p>An update script in your mailcow-dockerized directory will take care of updates.</p> <p>But use it with caution! If you think you made a lot of changes to the mailcow code, you should use the manual update guide below.</p> <p>Run the update script: <pre><code>./update.sh\n</code></pre></p> <p>If it needs to, it will ask you how you wish to proceed. Merge errors will be reported. Some minor conflicts will be auto-corrected (in favour for the mailcow-dockerized repository code).</p>"},{"location":"i_u_m/i_u_m_update/#options","title":"Options","text":"<pre><code># Options can be combined\n\n# - Check for updates and show changes\n./update.sh --check\n\n# - Do not start mailcow after applying an update\n./update.sh --skip-start\n\n# - Skip ICMP Check to public DNS resolvers (Use it only if you\u00b4ve blocked any ICMP Connections to your mailcow machine)\n./update.sh --skip-ping-check\n\n# - Switch your mailcow updates to the unstable (nightly) branch.\nFOR TESTING PURPOSES ONLY!!!! NOT READY FOR PRODUCTION!!!\n./update.sh --nightly\n\n# - Switch your mailcow updates to the stable (master) branch. Default unless you changed it with --nightly.\n./update.sh --stable\n\n# - Force update (unattended, but unsupported, use at own risk)\n./update.sh --force\n\n# - Run garbage collector to cleanup old image tags and exit\n./update.sh --gc\n\n# - Update with merge strategy option \"ours\" instead of \"theirs\"\n# This will **solve conflicts** when merging in favor for your local changes and should be avoided. Local changes will always be kept, unless we changed file XY, too.\n./update.sh --ours\n\n# - Don't update, but prefetch images and exit\n./update.sh --prefetch\n</code></pre>"},{"location":"i_u_m/i_u_m_update/#i-forgot-what-i-changed-before-running-updatesh","title":"I forgot what I changed before running update.sh","text":"<p>See <code>git log --pretty=oneline | grep -i \"before update\"</code>, you will have an output similar to this:</p> <pre><code>22cd00b5e28893ef9ddef3c2b5436453cc5223ab Before update on 2020-09-28_19_25_45\ndacd4fb9b51e9e1c8a37d84485b92ffaf6c59353 Before update on 2020-08-07_13_31_31\n</code></pre> <p>Run <code>git diff 22cd00b5e28893ef9ddef3c2b5436453cc5223ab</code> to see what changed.</p>"},{"location":"i_u_m/i_u_m_update/#can-i-roll-back","title":"Can I roll back?","text":"<p>Yes.</p> <p>See the topic above, instead of a diff, you run checkout:</p> <pre><code>docker compose down\n# Replace commit ID 22cd00b5e28893ef9ddef3c2b5436453cc5223ab by your ID\ngit checkout 22cd00b5e28893ef9ddef3c2b5436453cc5223ab\ndocker compose pull\ndocker compose up -d\n</code></pre>"},{"location":"i_u_m/i_u_m_update/#hooks","title":"Hooks","text":"<p>You can hook into the update mechanism by adding scripts called <code>pre_commit_hook.sh</code> and <code>post_commit_hook.sh</code> to your mailcows root directory. See this for more details.</p>"},{"location":"i_u_m/i_u_m_update/#update-cycle","title":"Update Cycle","text":"<ul> <li>We schedule a monthly release cycle for a major update at the first tuesday of the month.</li> <li>The releases are numbered like this: <code>YYYY-MM</code> (e.g. <code>2022-05</code>)</li> <li>Fixes for a main Update will be stated as \"Revisions\" like a,b,c (e.g. <code>2022-05a</code>, <code>2022-05b</code> etc.)</li> </ul>"},{"location":"i_u_m/i_u_m_update/#update-variants","title":"Update variants","text":"<p>stable (stable updates): These updates are suitable for productive usage. They appear in a cycle of at least 1x per month.</p> <p>nightly (unstable updates): These updates are NOT suitable for production use and are for testing only. The nightly updates are ahead of the stable updates, since in these updates we test newer and more extensive features before they go live for all users.</p>"},{"location":"i_u_m/i_u_m_update/#new-get-nightly-updates","title":"NEW: Get Nightly Updates","text":""},{"location":"i_u_m/i_u_m_update/#info-about-the-nightly-updates","title":"Info about the Nightly Updates","text":"<p>Since the 2022-08 update there is the possibility to change the update sources. Until now, the master branch on GitHub served as the only (official) update source. With the August 2022 update, however, there is now the Nightly Branch which contains unstable and major changes for testing and feedback.</p> <p>The Nightly Branch always gets new updates when something is finished on the mailcow project that will be included in the new main version.</p> <p>Besides the obvious changes that will be included in the next major update anyway, it also contains exclusive features that need a longer testing time (e.g. the UI update to Bootstrap 5).</p>"},{"location":"i_u_m/i_u_m_update/#how-do-i-get-nightly-updates","title":"How do I get Nightly Updates?","text":"<p>The process is relatively simple. With the 2022-08 update (assuming an update to the version) it is possible to run <code>update.sh</code> with the parameter <code>--nightly</code>.</p> <p>Danger<p>Please make a backup before or follow the Best Practice Nightly Update section before switching to mailcow nightly builds. We are not responsible for any data loss/corruption, so work with caution!</p> </p> <p>The script will now change the branch with <code>git checkout nightly</code>, which means it will ask for the IPv6 settings again. But this is normal.</p> <p>If everything worked fine (for which we made a backup before) the mailcow UI should now show the current version number and date stamp in the lower right corner: </p>"},{"location":"i_u_m/i_u_m_update/#best-practice-nightly-update","title":"Best Practice Nightly Update","text":"<p>Info<p>We recommend using the Nightly Update only if you have another machine or VM and NOT use it productively.</p> </p> <ol> <li>use the cold standby script to copy the machine before the switch to the nightly builds on another system.</li> <li>run the <code>update.sh</code> script on the new machine with the parameter <code>--nightly</code> and confirm.</li> <li>experience/test the nightly updates on the secondary machine.</li> </ol>"},{"location":"manual-guides/u_e-80_to_443/","title":"Redirect HTTP to HTTPS","text":"<p>Since February the 28th 2017 mailcow does come with port 80 and 443 enabled.</p> <p>Do not use the config below for reverse proxy setups, please see our reverse proxy guide for this, which includes a redirect from HTTP to HTTPS.</p> <p>Open <code>mailcow.conf</code> and set <code>HTTP_BIND=</code> - if not already set.</p> <p>Create a new file <code>data/conf/nginx/redirect.conf</code> and add the following server config to the file:</p> <pre><code>server {\n root /web;\n listen 80 default_server;\n listen [::]:80 default_server;\n include /etc/nginx/conf.d/server_name.active;\n if ( $request_uri ~* \"%0A|%0D\" ) { return 403; }\n location ^~ /.well-known/acme-challenge/ {\n allow all;\n default_type \"text/plain\";\n }\n location / {\n return 301 https://$host$uri$is_args$args;\n }\n}\n</code></pre> <p>In case you changed the HTTP_BIND parameter, recreate the container:</p> <pre><code>docker compose up -d\n</code></pre> <p>Otherwise restart Nginx:</p> <pre><code>docker compose restart nginx-mailcow\n</code></pre>"},{"location":"manual-guides/u_e-autodiscover_config/","title":"Autodiscover / Autoconfig","text":"<p>You do not need to change or create this file, autodiscover works out of the box. This guide is only meant for customizations to the autodiscover or autoconfig process.</p> <p>Newer Outlook clients (especially those delivered with O365) will not autodiscover mail profiles. Keep in mind, that ActiveSync should NOT be used with a desktop client.</p> <p>Open/create <code>data/web/inc/vars.local.inc.php</code> and add your changes to the configuration array.</p> <p>Changes will be merged with \"$autodiscover_config\" in <code>data/web/inc/vars.inc.php</code>):</p> <pre><code>&lt;?php\n$autodiscover_config = array(\n // General autodiscover service type: \"activesync\" or \"imap\"\n // emClient uses autodiscover, but does not support ActiveSync. mailcow excludes emClient from ActiveSync.\n 'autodiscoverType' =&gt; 'activesync',\n // If autodiscoverType =&gt; activesync, also use ActiveSync (EAS) for Outlook desktop clients (&gt;= Outlook 2013 on Windows)\n // Outlook for Mac does not support ActiveSync\n 'useEASforOutlook' =&gt; 'yes',\n // Please don't use STARTTLS-enabled service ports in the \"port\" variable.\n // The autodiscover service will always point to SMTPS and IMAPS (TLS-wrapped services).\n // The autoconfig service will additionally announce the STARTTLS-enabled ports, specified in the \"tlsport\" variable.\n 'imap' =&gt; array(\n 'server' =&gt; $mailcow_hostname,\n 'port' =&gt; array_pop(explode(':', getenv('IMAPS_PORT'))),\n 'tlsport' =&gt; array_pop(explode(':', getenv('IMAP_PORT'))),\n ),\n 'pop3' =&gt; array(\n 'server' =&gt; $mailcow_hostname,\n 'port' =&gt; array_pop(explode(':', getenv('POPS_PORT'))),\n 'tlsport' =&gt; array_pop(explode(':', getenv('POP_PORT'))),\n ),\n 'smtp' =&gt; array(\n 'server' =&gt; $mailcow_hostname,\n 'port' =&gt; array_pop(explode(':', getenv('SMTPS_PORT'))),\n 'tlsport' =&gt; array_pop(explode(':', getenv('SUBMISSION_PORT'))),\n ),\n 'activesync' =&gt; array(\n 'url' =&gt; 'https://'.$mailcow_hostname.($https_port == 443 ? '' : ':'.$https_port).'/Microsoft-Server-ActiveSync',\n ),\n 'caldav' =&gt; array(\n 'server' =&gt; $mailcow_hostname,\n 'port' =&gt; $https_port,\n ),\n 'carddav' =&gt; array(\n 'server' =&gt; $mailcow_hostname,\n 'port' =&gt; $https_port,\n ),\n);\n</code></pre> <p>To always use IMAP and SMTP instead of EAS, set <code>'autodiscoverType' =&gt; 'imap'</code>.</p> <p>Disable ActiveSync for Outlook desktop clients by setting \"useEASforOutlook\" to \"no\".</p>"},{"location":"manual-guides/u_e-reeanble-weak-protocols/","title":"Re-enable TLS 1.0 and TLS 1.1","text":"<p>On February the 12th 2020 we disabled the deprecated protocols TLS 1.0 and 1.1 in Dovecot (POP3, POP3S, IMAP, IMAPS) and Postfix (SMTPS, SUBMISSION).</p> <p>Unauthenticated mail via SMTP on port 25/tcp does still accept &gt;= TLS 1.0 . It is better to accept a weak encryption than none at all.</p> <p>How to re-enable weak protocols?</p> <p>Edit <code>data/conf/postfix/extra.cf</code>:</p> <pre><code>submission_smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3\nsmtps_smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3\n</code></pre> <p>Edit <code>data/conf/dovecot/extra.conf</code>:</p> <pre><code>ssl_min_protocol = TLSv1\n</code></pre> <p>Restart the affected services:</p> <pre><code>docker compose restart postfix-mailcow dovecot-mailcow\n</code></pre> <p>Hint: You can enable TLS 1.2 in Windows 7.</p>"},{"location":"manual-guides/u_e-update-hooks/","title":"Run scripts before and after updates","text":"<p>It is possible to add pre- and post-update-hooks to the <code>update.sh</code> script that upgrades your whole mailcow installation.</p> <p>To do so, just add the corresponding bash script into your mailcow root directory: </p> <ul> <li><code>pre_update_hook.sh</code> for commands that should run before the update</li> <li><code>post_update_hook.sh</code> for commands that should run after the update is completed</li> </ul> <p>Keep in mind that <code>pre_update_hook.sh</code> runs every time you call <code>update.sh</code> and <code>post_update_hook.sh</code> will only run if the update was successful and the script doesn't have to be re-run.</p> <p>The scripts will be run by bash, an interpreter (e.g. <code>#!/bin/bash</code>) as well as an execute permission flag (\"+x\") are not required.</p>"},{"location":"manual-guides/u_e-why_unbound/","title":"Why unbound?","text":"<p>For DNS blacklist lookups and DNSSEC.</p> <p>Most systems use either a public or a local caching DNS resolver. That's a very bad idea when it comes to filter spam using DNS-based black hole lists (DNSBL) or similar technics. Most if not all providers apply a rate limit based on the DNS resolver that is used to query their service. Using a public resolver like Googles 4x8, OpenDNS or any other shared DNS resolver like your ISPs will hit that limit very soon.</p>"},{"location":"manual-guides/ClamAV/u_e-clamav-additional_dbs/","title":"Additional Databases","text":""},{"location":"manual-guides/ClamAV/u_e-clamav-additional_dbs/#additional-databases-for-clamav","title":"Additional Databases for ClamAV","text":"<p>Default ClamAV databases do not have great detection levels, but it can be enhanced with free or paid signature databases.</p>"},{"location":"manual-guides/ClamAV/u_e-clamav-additional_dbs/#list-of-known-free-databases-as-of-april-2022","title":"List of known free databases | As of April 2022","text":"<ul> <li>SecurityInfo - free ClamAV DBs for testing purposes, required registration after which you can use them from 1 IP</li> <li>InterServer - free to use ClamAV DBs, but they do not fit well for email scanning</li> </ul>"},{"location":"manual-guides/ClamAV/u_e-clamav-additional_dbs/#enable-securiteinfo-databases","title":"Enable SecuriteInfo databases","text":"<ol> <li>Sign up for a free account at https://www.securiteinfo.com/clients/customers/signup</li> <li>You will receive an email to activate your account and then a follow-up email with your login name</li> <li>Login and navigate to your customer account: https://www.securiteinfo.com/clients/customers/account</li> <li>Click on the Setup tab</li> <li>You will need to get <code>your_id</code> from one of the download links, they are individual for every user</li> <li> <p>Add to <code>data/conf/clamav/freshclam.conf</code> with replaced <code>your_id</code> part: <pre><code>DatabaseCustomURL https://www.securiteinfo.com/get/signatures/your_id/securiteinfo.hdb\nDatabaseCustomURL https://www.securiteinfo.com/get/signatures/your_id/securiteinfo.ign2\nDatabaseCustomURL https://www.securiteinfo.com/get/signatures/your_id/javascript.ndb\nDatabaseCustomURL https://www.securiteinfo.com/get/signatures/your_id/spam_marketing.ndb\nDatabaseCustomURL https://www.securiteinfo.com/get/signatures/your_id/securiteinfohtml.hdb\nDatabaseCustomURL https://www.securiteinfo.com/get/signatures/your_id/securiteinfoascii.hdb\nDatabaseCustomURL https://www.securiteinfo.com/get/signatures/your_id/securiteinfopdf.hdb\n</code></pre></p> </li> <li> <p>For free SecuriteInfo databases, download speed is limited to 300 kB/s. In <code>data/conf/clamav/freshclam.conf</code>, increase the default <code>ReceiveTimeout 20</code> value to <code>ReceiveTimeout 90</code> (time in seconds), otherwise some of the database downloads could fail because of their size.</p> </li> <li> <p>Adjust <code>data/conf/clamav/clamd.conf</code> to align with next settings: <pre><code>DetectPUA yes\nExcludePUA PUA.Win.Packer\nExcludePUA PUA.Win.Trojan.Packed\nExcludePUA PUA.Win.Trojan.Molebox\nExcludePUA PUA.Win.Packer.Upx\nExcludePUA PUA.Doc.Packed\nMaxScanSize 150M\nMaxFileSize 100M\nMaxRecursion 40\nMaxEmbeddedPE 100M\nMaxHTMLNormalize 50M\nMaxScriptNormalize 50M\nMaxZipTypeRcg 50M\n</code></pre></p> </li> <li>Restart ClamAV container: <pre><code>docker compose restart clamd-mailcow\n</code></pre></li> </ol> <p>Please note:</p> <ul> <li>You can't use <code>ExcludePUA</code> and <code>IncludePUA</code> in <code>clamd.conf</code> simultaneously, so please comment any <code>IncludePUA</code> if you uncommented them before. </li> <li>List of databases provided in this example fit most use-cases, but SecuriteInfo also provides other databases. Please check SecuriteInfo FAQ for additional information.</li> <li>With the current DB set (including default DBs) ClamAV will consume about 1.3Gb of RAM on your server.</li> <li>If you modified <code>message_size_limit</code> in Postfix you need to adapt <code>MaxSize</code> settings in ClamAV as well.</li> </ul>"},{"location":"manual-guides/ClamAV/u_e-clamav-additional_dbs/#enable-interserver-databases","title":"Enable InterServer databases","text":"<ol> <li>Add to <code>data/conf/clamav/freshclam.conf</code>: <pre><code>DatabaseCustomURL http://sigs.interserver.net/interserver256.hdb\nDatabaseCustomURL http://sigs.interserver.net/interservertopline.db\nDatabaseCustomURL http://sigs.interserver.net/shell.ldb\nDatabaseCustomURL http://sigs.interserver.net/whitelist.fp\n</code></pre></li> <li>Restart ClamAV container: <pre><code>docker compose restart clamd-mailcow\n</code></pre></li> </ol>"},{"location":"manual-guides/ClamAV/u_e-clamav-whitelist/","title":"Whitelist","text":""},{"location":"manual-guides/ClamAV/u_e-clamav-whitelist/#whitelist-specific-clamav-signatures","title":"Whitelist specific ClamAV signatures","text":"<p>You may find that legitimate (clean) mail is being blocked by ClamAV (Rspamd will flag the mail with <code>VIRUS_FOUND</code>). For instance, interactive PDF form attachments are blocked by default because the embedded Javascript code may be used for nefarious purposes. Confirm by looking at the clamd logs, e.g.:</p> <pre><code>docker compose logs clamd-mailcow | grep \"FOUND\"\n</code></pre> <p>This line confirms that such was identified:</p> <pre><code>clamd-mailcow_1 | Sat Sep 28 07:43:24 2019 -&gt; instream(local): PUA.Pdf.Trojan.EmbeddedJavaScript-1(e887d2ac324ce90750768b86b63d0749:363325) FOUND\n</code></pre> <p>To whitelist this particular signature (and enable sending this type of file attached), add it to the ClamAV signature whitelist file:</p> <pre><code>echo 'PUA.Pdf.Trojan.EmbeddedJavaScript-1' &gt;&gt; data/conf/clamav/whitelist.ign2\n</code></pre> <p>Then restart the clamd-mailcow service container in the mailcow UI or using docker compose:</p> <pre><code>docker compose restart clamd-mailcow\n</code></pre> <p>Cleanup cached ClamAV results in Redis:</p> <pre><code># docker compose exec redis-mailcow /bin/sh\n/data # redis-cli KEYS rs_cl* | xargs redis-cli DEL\n/data # exit\n</code></pre>"},{"location":"manual-guides/Docker/u_e-docker-cust_dockerfiles/","title":"Customize Dockerfiles","text":"<p>You need to copy the override file with corresponding build tags to the mailcow: dockerized root folder (i.e. <code>/opt/mailcow-dockerized</code>):</p> <pre><code>cp helper-scripts/docker-compose.override.yml.d/BUILD_FLAGS/docker-compose.override.yml docker-compose.override.yml\n</code></pre> <p>Customize <code>data/Dockerfiles/$service</code> and build the image locally: <pre><code>docker build data/Dockerfiles/$service -t mailcow/$service:$tag\n</code></pre> (without a personalized :$tag docker will use :latest automatically)</p> <p>Now the created image has to be activated in docker-compose.override.yml, e.g.: <pre><code>$service-mailcow:\n build: ./data/Dockerfiles/$service\n image: mailcow/$service:$tag\n</code></pre></p> <p>Now auto-recreate modified containers:</p> <pre><code>docker compose up -d\n</code></pre>"},{"location":"manual-guides/Dovecot/u_e-dovecot-any_acl/","title":"Enable \"any\" ACL settings","text":"<p>On August the 17th, we disabled the possibility to share with \"any\" or \"all authenticated users\" by default.</p> <p>This function can be re-enabled by setting <code>ACL_ANYONE</code> to <code>allow</code> in mailcow.conf:</p> <pre><code>ACL_ANYONE=allow\n</code></pre> <p>Apply the changes by running <code>docker compose up -d</code>.</p>"},{"location":"manual-guides/Dovecot/u_e-dovecot-catchall_vacation/","title":"Vacation replies for catchall addresses","text":"<p>The Dovecot parameter <code>sieve_vacation_dont_check_recipient</code> - which was by default set to <code>yes</code> in mailcow configurations pre 21st July 2021 - allows for vacation replies even when a mail is sent to non-existent mailboxes like a catch-all addresses.</p> <p>We decided to switch this parameter back to <code>no</code> and allow a user to specify which recipient address triggers a vacation reply. The triggering recipients can also be configured in SOGos autoresponder feature.</p>"},{"location":"manual-guides/Dovecot/u_e-dovecot-expunge/","title":"Expunge a Users mails","text":"<p>If you want to delete old mails out of the <code>.Junk</code> or <code>.Trash</code> folders or maybe delete all read mails that are older than a certain amount of time you may use dovecot's tool doveadm man doveadm-expunge.</p>"},{"location":"manual-guides/Dovecot/u_e-dovecot-expunge/#the-manual-way","title":"The manual way","text":"<p>That said, let's dive in:</p> <p>Delete a user's mails inside the junk folder that are read and older than 4 hours</p> <pre><code>docker compose exec dovecot-mailcow doveadm expunge -u 'mailbox@example.com' mailbox 'Junk' SEEN not SINCE 4h\n</code></pre> <p>Delete all user's mails in the junk folder that are older than 7 days</p> <pre><code>docker compose exec dovecot-mailcow doveadm expunge -A mailbox 'Junk' savedbefore 7d\n</code></pre> <p>Delete all mails (of all users) in all folders that are older than 52 weeks (internal date of the mail, not the date it was saved on the system =&gt; <code>before</code> instead of <code>savedbefore</code>). Useful for deleting very old mails on all users and folders (thus especially useful for GDPR-compliance).</p> <pre><code>docker compose exec dovecot-mailcow doveadm expunge -A mailbox % before 52w\n</code></pre> <p>Delete mails inside a custom folder inside a user's inbox that are not flagged and older than 2 weeks</p> <pre><code>docker compose exec dovecot-mailcow doveadm expunge -u 'mailbox@example.com' mailbox 'INBOX/custom-folder' not FLAGGED not SINCE 2w\n</code></pre> <p>Info</p> <p>For possible time spans or search keys have a look at man doveadm-search-query</p>"},{"location":"manual-guides/Dovecot/u_e-dovecot-expunge/#job-scheduler","title":"Job scheduler","text":""},{"location":"manual-guides/Dovecot/u_e-dovecot-expunge/#via-the-host-system-cron","title":"via the host system cron","text":"<p>If you want to automate such a task you can create a cron job on your host that calls a script like the one below:</p> <pre><code>#!/bin/bash\n# Path to mailcow-dockerized, e.g. /opt/mailcow-dockerized\ncd /path/to/your/mailcow-dockerized\n\n/usr/local/bin/docker compose exec -T dovecot-mailcow doveadm expunge -A mailbox 'Junk' savedbefore 2w\n/usr/local/bin/docker compose exec -T dovecot-mailcow doveadm expunge -A mailbox 'Junk' SEEN not SINCE 12h\n[...]\n</code></pre> <p>To create a cron job you may execute <code>crontab -e</code> and insert something like the following to execute a script:</p> <pre><code># Execute everyday at 04:00 A.M.\n0 4 * * * /path/to/your/expunge_mailboxes.sh\n</code></pre>"},{"location":"manual-guides/Dovecot/u_e-dovecot-expunge/#via-docker-job-scheduler","title":"via Docker job scheduler","text":"<p>To archive this with a docker job scheduler use this docker-compose.override.yml with your mailcow: </p> <pre><code>version: '2.1'\n\nservices:\n\n ofelia:\n image: mcuadros/ofelia:latest\n restart: always\n command: daemon --docker\n volumes:\n - /var/run/docker.sock:/var/run/docker.sock:ro \n network_mode: none\n\n dovecot-mailcow:\n labels:\n - \"ofelia.enabled=true\"\n - \"ofelia.job-exec.dovecot-expunge-trash.schedule=0 4 * * *\"\n - \"ofelia.job-exec.dovecot-expunge-trash.command=doveadm expunge -A mailbox 'Junk' savedbefore 2w\"\n - \"ofelia.job-exec.dovecot-expunge-trash.tty=false\"\n</code></pre> <p>The job controller just need access to the docker control socket to be able to emulate the behavior of \"exec\". Then we add a few label to our dovecot-container to activate the job scheduler and tell him in a cron compatible scheduling format when to run. If you struggle with that schedule string you can use crontab guru. This docker-compose.override.yml deletes all mails older then 2 weeks from the \"Junk\" folder every day at 4 am. To see if things ran proper, you can not only see in your mailbox but also check Ofelia's docker log if it looks something like this:</p> <pre><code>common.go:124 \u25b6 NOTICE [Job \"dovecot-expunge-trash\" (8759567efa66)] Started - doveadm expunge -A mailbox 'Junk' savedbefore 2w,\ncommon.go:124 \u25b6 NOTICE [Job \"dovecot-expunge-trash\" (8759567efa66)] Finished in \"285.032291ms\", failed: false, skipped: false, error: none,\n</code></pre> <p>If it failed it will say so and give you the output of the doveadm in the log to make it easy on you to debug.</p> <p>In case you want to add more jobs, ensure you change the \"dovecot-expunge-trash\" part after \"ofelia.job-exec.\" to something else, it defines the name of the job. Syntax of the labels you find at mcuadros/ofelia.</p>"},{"location":"manual-guides/Dovecot/u_e-dovecot-extra_conf/","title":"Customize/Expand dovecot.conf","text":"<p>Create a file <code>data/conf/dovecot/extra.conf</code> - if missing - and add your additional content here.</p> <p>Restart <code>dovecot-mailcow</code> to apply your changes:</p> <pre><code>docker compose restart dovecot-mailcow\n</code></pre>"},{"location":"manual-guides/Dovecot/u_e-dovecot-fts/","title":"FTS (Solr)","text":""},{"location":"manual-guides/Dovecot/u_e-dovecot-fts/#fts-solr","title":"FTS Solr","text":"<p>Solr is used for setups with memory &gt;= 3.5 GiB to provide full-text search in Dovecot.</p> <p>Please be aware that applications like Solr may need maintenance from time to time.</p> <p>Besides that, Solr will eat a lot of RAM, depending on the usage of your server. Please avoid it on machines with less than 3 GB RAM.</p> <p>The default heap size (1024 M) is defined in mailcow.conf.</p> <p>Since we run in Docker and create our containers with the \"restart: always\" flag, a oom situation will at least only trigger a restart of the container.</p>"},{"location":"manual-guides/Dovecot/u_e-dovecot-fts/#fts-related-dovecot-commands","title":"FTS related Dovecot commands","text":"<pre><code># single user\ndocker compose exec dovecot-mailcow doveadm fts rescan -u user@domain\n# all users\ndocker compose exec dovecot-mailcow doveadm fts rescan -A\n</code></pre> <p>Dovecot Wiki: \"Scan what mails exist in the full text search index and compare those to what actually exist in mailboxes. This removes mails from the index that have already been expunged and makes sure that the next doveadm index will index all the missing mails (if any).\"</p> <p>This does not re-index a mailbox. It basically repairs a given index.</p> <p>If you want to re-index data immediately, you can run the followig command, where '*' can also be a mailbox mask like 'Sent'. You do not need to run these commands, but it will speed things up a bit:</p> <pre><code># single user\ndocker compose exec dovecot-mailcow doveadm index -u user@domain '*'\n# all users, but obviously slower and more dangerous\ndocker compose exec dovecot-mailcow doveadm index -A '*'\n</code></pre> <p>This will take some time depending on your machine and Solr can run oom, monitor it!</p> <p>Because re-indexing is very sensible, we did not include it to mailcow UI. You will need to take care of any errors while re-indexing a mailbox.</p>"},{"location":"manual-guides/Dovecot/u_e-dovecot-fts/#delete-mailbox-data","title":"Delete mailbox data","text":"<p>mailcow will purge index data of a user when deleting a mailbox.</p>"},{"location":"manual-guides/Dovecot/u_e-dovecot-idle_interval/","title":"Changing the IMAP IDLE interval","text":""},{"location":"manual-guides/Dovecot/u_e-dovecot-idle_interval/#what-is-the-idle-interval","title":"What is the IDLE interval?","text":"<p>Per default, Dovecot sends a \"I'm still here\" notification to every client that has an open connection with Dovecot to get mails as quickly as possible without manually polling it (IMAP PUSH). This notification is controlled by the setting <code>imap_idle_notify_interval</code>, which defaults to 2 minutes. </p> <p>A short interval results in the client getting a lot of messages for this connection, which is bad for mobile devices, because every time the device receives this message, the mailing app has to wake up. This can result in unnecessary battery drain.</p>"},{"location":"manual-guides/Dovecot/u_e-dovecot-idle_interval/#edit-the-value","title":"Edit the value","text":""},{"location":"manual-guides/Dovecot/u_e-dovecot-idle_interval/#change-configuration","title":"Change configuration","text":"<p>Create a new file <code>data/conf/dovecot/extra.conf</code> (or edit it if it already exists). Insert the setting followed by the new value. For example, to set the interval to 5 minutes you could type:</p> <pre><code>imap_idle_notify_interval = 5 mins\n</code></pre> <p>29 minutes is the maximum value allowed by the corresponding RFC.</p> <p>Warning</p> <p>This isn't a default setting in mailcow because we don't know how this setting changes the behavior of other clients. Be careful if you change this and monitor different behavior.</p>"},{"location":"manual-guides/Dovecot/u_e-dovecot-idle_interval/#reload-dovecot","title":"Reload Dovecot","text":"<p>Now reload Dovecot: <pre><code>docker compose exec dovecot-mailcow dovecot reload\n</code></pre></p> <p>Info</p> <p>You can check the value of this setting with <pre><code>docker compose exec dovecot-mailcow dovecot -a | grep \"imap_idle_notify_interval\"\n</code></pre> If you didn't change it, it should be at 2m. If you did change it, you should see your new value.</p>"},{"location":"manual-guides/Dovecot/u_e-dovecot-mail-crypt/","title":"Mail crypt","text":"<p>Warning</p> <p>Mails are stored compressed (lz4) and encrypted. The key pair can be found in crypt-vol-1.</p> <p>If you want to decode/encode existing maildir files, you can use the following script at your own risk:</p> <p>Enter Dovecot by running <code>docker compose exec dovecot-mailcow /bin/bash</code> in the mailcow-dockerized location.</p> <pre><code># Decrypt /var/vmail\nfind /var/vmail/ -type f -regextype egrep -regex '.*S=.*W=.*' | while read -r file; do\nif [[ $(head -c7 \"$file\") == \"CRYPTED\" ]]; then\ndoveadm fs get compress lz4:1:crypt:private_key_path=/mail_crypt/ecprivkey.pem:public_key_path=/mail_crypt/ecpubkey.pem:posix:prefix=/ \\\n \"$file\" &gt; \"/tmp/$(basename \"$file\")\"\n if [[ -s \"/tmp/$(basename \"$file\")\" ]]; then\n chmod 600 \"/tmp/$(basename \"$file\")\"\n chown 5000:5000 \"/tmp/$(basename \"$file\")\"\n mv \"/tmp/$(basename \"$file\")\" \"$file\"\n else\n rm \"/tmp/$(basename \"$file\")\"\n fi\nfi\ndone\n\n# Encrypt /var/vmail\nfind /var/vmail/ -type f -regextype egrep -regex '.*S=.*W=.*' | while read -r file; do\nif [[ $(head -c7 \"$file\") != \"CRYPTED\" ]]; then\ndoveadm fs put crypt private_key_path=/mail_crypt/ecprivkey.pem:public_key_path=/mail_crypt/ecpubkey.pem:posix:prefix=/ \\\n \"$file\" \"$file\"\n chmod 600 \"$file\"\n chown 5000:5000 \"$file\"\nfi\ndone\n</code></pre>"},{"location":"manual-guides/Dovecot/u_e-dovecot-more/","title":"More Examples with DOVEADM","text":"<p>Here is just an unsorted list of useful <code>doveadm</code> commands that could be useful.</p>"},{"location":"manual-guides/Dovecot/u_e-dovecot-more/#doveadm-quota","title":"doveadm quota","text":"<p>The <code>quota get</code> and <code>quota recalc</code>1 commands are used to display or recalculate the current user's quota usage. The reported values are in kilobytes.</p> <p>To list the current quota status for a user / mailbox, do:</p> <pre><code>doveadm quota get -u 'mailbox@example.org'\n</code></pre> <p>To list the quota storage value for all users, do:</p> <pre><code>doveadm quota get -A |grep \"STORAGE\"\n</code></pre> <p>Recalculate a single user's quota usage:</p> <pre><code>doveadm quota recalc -u 'mailbox@example.org'\n</code></pre>"},{"location":"manual-guides/Dovecot/u_e-dovecot-more/#doveadm-search","title":"doveadm search","text":"<p>The <code>doveadm search</code>2 command is used to find messages matching your query. It can return the username, mailbox-GUID / -UID and message-GUIDs / -UIDs.</p> <p>To view the number of messages, by user, in their .Trash folder:</p> <pre><code>doveadm search -A mailbox 'Trash' | awk '{print $1}' | sort | uniq -c\n</code></pre> <p>Show all messages in a user's inbox older then 90 days:</p> <pre><code>doveadm search -u 'mailbox@example.org' mailbox 'INBOX' savedbefore 90d\n</code></pre> <p>Show all messages in any folder that are older then 30 days for <code>mailbox@example.org</code>:</p> <pre><code>doveadm search -u 'mailbox@example.org' mailbox \"*\" savedbefore 30d\n</code></pre> <ol> <li> <p>https://wiki.dovecot.org/Tools/Doveadm/Quota \u21a9</p> </li> <li> <p>https://wiki.dovecot.org/Tools/Doveadm/Search \u21a9</p> </li> </ol>"},{"location":"manual-guides/Dovecot/u_e-dovecot-public_folder/","title":"Public folders","text":"<p>Create a new public namespace \"Public\" and a mailbox \"Develcow\" inside that namespace:</p> <p>Edit or create <code>data/conf/dovecot/extra.conf</code>, add:</p> <pre><code>namespace {\n type = public\n separator = /\n prefix = Public/\n location = maildir:/var/vmail/public:INDEXPVT=~/public\n subscriptions = yes\n mailbox \"Develcow\" {\n auto = subscribe\n }\n}\n</code></pre> <p><code>:INDEXPVT=~/public</code> can be omitted if per-user seen flags are not wanted.</p> <p>The new mailbox in the public namespace will be auto-subscribed by users.</p> <p>To allow all authenticated users access full to that new mailbox (not the whole namespace), run:</p> <pre><code>docker compose exec dovecot-mailcow doveadm acl set -A \"Public/Develcow\" \"authenticated\" lookup read write write-seen write-deleted insert post delete expunge create\n</code></pre> <p>Adjust the command to your needs if you like to assign more granular rights per user (use <code>-u user@domain</code> instead of <code>-A</code> for example).</p>"},{"location":"manual-guides/Dovecot/u_e-dovecot-public_folder/#allow-authenticated-users-access-to-the-whole-public-namespace","title":"Allow authenticated users access to the whole public namespace","text":"<p>To allow all authenticated users access full access to the whole public namespace and its subfolders, create a new <code>dovecot-acl</code> file in the namespace root directory:</p> <p>Open/edit/create <code>/var/lib/docker/volumes/mailcowdockerized_vmail-vol-1/_data/public/dovecot-acl</code> (adjust the path accordingly) to create the global ACL file with the following content:</p> <pre><code>authenticated kxeilprwts\n</code></pre> <p><code>kxeilprwts</code> equals to <code>lookup read write write-seen write-deleted insert post delete expunge create</code>.</p> <p>You can use <code>doveadm acl set -u user@domain \"Public/Develcow\" user=user@domain lookup read</code> to limit access for a single user. You may also turn it around to limit access for all users to \"lr\" and grant only some users full access.</p> <p>See Dovecot ACL for further information about ACL.</p>"},{"location":"manual-guides/Dovecot/u_e-dovecot-static_master/","title":"Static master user","text":"<p>Random master usernames and passwords are automatically created on every restart of dovecot-mailcow.</p> <p>That's recommended and should not be changed.</p> <p>If you need the user to be static anyway, please specify two variables in <code>mailcow.conf</code>.</p> <p>Both parameters must not be empty!</p> <pre><code>DOVECOT_MASTER_USER=mymasteruser\nDOVECOT_MASTER_PASS=mysecretpass\n</code></pre> <p>Run <code>docker compose up -d</code> to apply your changes.</p> <p>The static master username will be expanded to <code>DOVECOT_MASTER_USER@mailcow.local</code>.</p> <p>To login as <code>test@example.org</code> this would equal to <code>test@example.org*mymasteruser@mailcow.local</code> with the specified password above.</p> <p>A login to SOGo is not possible with this username. A click-to-login function for SOGo is available for admins as described here No master user is required.</p>"},{"location":"manual-guides/Dovecot/u_e-dovecot-vmail-volume/","title":"Move Maildir (vmail)","text":""},{"location":"manual-guides/Dovecot/u_e-dovecot-vmail-volume/#the-new-way","title":"The \"new\" way","text":"<p>Warning</p> <p>Newer Docker versions seem to complain about existing volumes. You can fix this temporarily by removing the existing volume and start mailcow with the override file. But it seems to be problematic after a reboot (needs to be confirmed).</p> <p>An easy, dirty, yet stable workaround is to stop mailcow (<code>docker compose down</code>), remove <code>/var/lib/docker/volumes/mailcowdockerized_vmail-vol-1/_data</code> and create a new link to your remote filesystem location, for example:</p> <pre><code>mv /var/lib/docker/volumes/mailcowdockerized_vmail-vol-1/_data /var/lib/docker/volumes/mailcowdockerized_vmail-vol-1/_data_backup\nln -s /mnt/volume-xy/vmail_data /var/lib/docker/volumes/mailcowdockerized_vmail-vol-1/_data\n</code></pre> <p>Start mailcow afterwards.</p>"},{"location":"manual-guides/Dovecot/u_e-dovecot-vmail-volume/#the-old-way","title":"The \"old\" way","text":"<p>If you want to use another folder for the vmail-volume, you can create a <code>docker-compose.override.yml</code> file and add the following content:</p> <pre><code>version: '2.1'\nvolumes:\n vmail-vol-1:\n driver_opts:\n type: none\n device: /data/mailcow/vmail \n o: bind\n</code></pre>"},{"location":"manual-guides/Dovecot/u_e-dovecot-vmail-volume/#moving-an-existing-vmail-folder","title":"Moving an existing vmail folder:","text":"<ul> <li>Locate the current vmail folder by its \"Mountpoint\" attribute: <code>docker volume inspect mailcowdockerized_vmail-vol-1</code></li> </ul> <pre><code>[\n {\n \"CreatedAt\": \"2019-06-16T22:08:34+02:00\",\n \"Driver\": \"local\",\n \"Labels\": {\n \"com.docker.compose.project\": \"mailcowdockerized\",\n \"com.docker.compose.version\": \"1.23.2\",\n \"com.docker.compose.volume\": \"vmail-vol-1\"\n },\n \"Mountpoint\": \"/var/lib/docker/volumes/mailcowdockerized_vmail-vol-1/_data\",\n \"Name\": \"mailcowdockerized_vmail-vol-1\",\n \"Options\": null,\n \"Scope\": \"local\"\n }\n]\n</code></pre> <ul> <li>Copy the content of the <code>Mountpoint</code> folder to the new location (e.g. <code>/data/mailcow/vmail</code>) using <code>cp -a</code>, <code>rsync -a</code> or a similar non strcuture breaking copy command</li> <li>Stop mailcow by executing <code>docker compose down</code> from within your mailcow root folder (e.g. <code>/opt/mailcow-dockerized</code>)</li> <li>Create the file <code>docker-compose.override.yml</code>, edit the device path accordingly</li> <li>Delete the current vmail folder: <code>docker volume rm mailcowdockerized_vmail-vol-1</code></li> <li>Start mailcow by executing <code>docker compose up -d</code> from within your mailcow root folder (e.g. <code>/opt/mailcow-dockerized</code>)</li> </ul>"},{"location":"manual-guides/Nginx/u_e-nginx_custom/","title":"Custom sites","text":""},{"location":"manual-guides/Nginx/u_e-nginx_custom/#ssl","title":"SSL","text":"<p>Please see Advanced SSL and explicitly check <code>ADDITIONAL_SERVER_NAMES</code> for SSL configuration.</p> <p>Please do not add ADDITIONAL_SERVER_NAMES when you plan to use a different web root.</p>"},{"location":"manual-guides/Nginx/u_e-nginx_custom/#new-site","title":"New site","text":"<p>To create persistent (over updates) sites hosted by mailcow: dockerized, a new site configuration must be placed inside <code>data/conf/nginx/</code>:</p> <p>A good template to begin with:</p> <pre><code>nano data/conf/nginx/my_custom_site.conf\n</code></pre> <pre><code>server {\n ssl_certificate /etc/ssl/mail/cert.pem;\n ssl_certificate_key /etc/ssl/mail/key.pem;\n ssl_protocols TLSv1.2 TLSv1.3;\n ssl_prefer_server_ciphers on;\n ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;\n ssl_ecdh_curve X25519:X448:secp384r1:secp256k1;\n ssl_session_cache shared:SSL:50m;\n ssl_session_timeout 1d;\n ssl_session_tickets off;\n index index.php index.html;\n client_max_body_size 0;\n # Location: data/web\n root /web;\n # Location: data/web/mysite.com\n #root /web/mysite.com\n include /etc/nginx/conf.d/listen_plain.active;\n include /etc/nginx/conf.d/listen_ssl.active;\n server_name mysite.example.org;\n server_tokens off;\n\n # This allows acme to be validated even with a different web root\n location ^~ /.well-known/acme-challenge/ {\n default_type \"text/plain\";\n rewrite /.well-known/acme-challenge/(.*) /$1 break;\n root /web/.well-known/acme-challenge/;\n }\n\n if ($scheme = http) {\n return 301 https://$server_name$request_uri;\n }\n}\n</code></pre>"},{"location":"manual-guides/Nginx/u_e-nginx_custom/#new-site-with-proxy-to-a-remote-location","title":"New site with proxy to a remote location","text":"<p>Another example with a reverse proxy configuration:</p> <pre><code>nano data/conf/nginx/my_custom_site.conf\n</code></pre> <pre><code>server {\n ssl_certificate /etc/ssl/mail/cert.pem;\n ssl_certificate_key /etc/ssl/mail/key.pem;\n ssl_protocols TLSv1.2 TLSv1.3;\n ssl_prefer_server_ciphers on;\n ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;\n ssl_ecdh_curve X25519:X448:secp384r1:secp256k1;\n ssl_session_cache shared:SSL:50m;\n ssl_session_timeout 1d;\n ssl_session_tickets off;\n index index.php index.html;\n client_max_body_size 0;\n root /web;\n include /etc/nginx/conf.d/listen_plain.active;\n include /etc/nginx/conf.d/listen_ssl.active;\n server_name example.domain.tld;\n server_tokens off;\n\n location ^~ /.well-known/acme-challenge/ {\n allow all;\n default_type \"text/plain\";\n }\n\n if ($scheme = http) {\n return 301 https://$host$request_uri;\n }\n\n location / {\n proxy_pass http://service:3000/;\n proxy_set_header Host $http_host;\n proxy_set_header X-Real-IP $remote_addr;\n proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;\n proxy_set_header X-Forwarded-Proto $scheme;\n client_max_body_size 0;\n }\n}\n</code></pre>"},{"location":"manual-guides/Nginx/u_e-nginx_custom/#config-expansion-in-mailcows-nginx","title":"Config expansion in mailcows Nginx","text":"<p>The filename used for a new site is not important, as long as the filename carries a .conf extension.</p> <p>It is also possible to extend the configuration of the default file <code>site.conf</code> file:</p> <pre><code>nano data/conf/nginx/site.my_content.custom\n</code></pre> <p>This filename does not need to have a \".conf\" extension but follows the pattern <code>site.*.custom</code>, where <code>*</code> is a custom name.</p> <p>If PHP is to be included in a custom site, please use the PHP-FPM listener on phpfpm:9002 or create a new listener in <code>data/conf/phpfpm/php-fpm.d/pools.conf</code>.</p> <p>Restart Nginx (and PHP-FPM, if a new listener was created):</p> <pre><code>docker compose restart nginx-mailcow\ndocker compose restart php-fpm-mailcow\n</code></pre>"},{"location":"manual-guides/Nginx/u_e-nginx_webmail-site/","title":"Create subdomain webmail.example.org","text":"<p>IMPORTANT: This guide only applies to non SNI enabled configurations. The certificate path needs to be adjusted if SNI is enabled. Something like <code>ssl_certificate,key /etc/ssl/mail/webmail.example.org/cert.pem,key.pem;</code> will do. But: The certificate should be acquired first and only after the certificate exists a site config should be created. Nginx will fail to start if it cannot find the certificate and key.</p> <p>To create a subdomain <code>webmail.example.org</code> and redirect it to SOGo, you need to create a new Nginx site. Take care of \"CHANGE_TO_MAILCOW_HOSTNAME\"!</p> <p>nano data/conf/nginx/webmail.conf</p> <pre><code>server {\n ssl_certificate /etc/ssl/mail/cert.pem;\n ssl_certificate_key /etc/ssl/mail/key.pem;\n index index.php index.html;\n client_max_body_size 0;\n root /web;\n include /etc/nginx/conf.d/listen_plain.active;\n include /etc/nginx/conf.d/listen_ssl.active;\n server_name webmail.example.org;\n server_tokens off;\n location ^~ /.well-known/acme-challenge/ {\n allow all;\n default_type \"text/plain\";\n }\n\n location / {\n return 301 https://CHANGE_TO_MAILCOW_HOSTNAME/SOGo;\n }\n}\n</code></pre> <p>Save and restart Nginx: <code>docker compose restart nginx-mailcow</code>.</p> <p>Now open <code>mailcow.conf</code> and find <code>ADDITIONAL_SAN</code>. Add <code>webmail.example.org</code> to this array, don't use quotes!</p> <pre><code>ADDITIONAL_SAN=webmail.example.org\n</code></pre> <p>Run <code>docker compose up -d</code>. See \"acme-mailcow\" and \"nginx-mailcow\" logs if anything fails.</p>"},{"location":"manual-guides/Postfix/u_e-postfix-attachment_size/","title":"Max. message size (attachment size)","text":"<p>Open <code>data/conf/postfix/extra.cf</code> and set the <code>message_size_limit</code> accordingly in bytes. See <code>main.cf</code> for the default value.</p> <p>Restart Postfix:</p> <pre><code>docker compose restart postfix-mailcow\n</code></pre>"},{"location":"manual-guides/Postfix/u_e-postfix-custom_transport/","title":"Custom transport maps","text":"<p>For transport maps other than those to be configured in mailcow UI, please use <code>data/conf/postfix/custom_transport.pcre</code> to prevent existing maps or settings from being overwritten by updates.</p> <p>In most cases using this file is not necessary. Please make sure mailcow UI is not able to route your desired traffic properly before using that file.</p> <p>The file needs valid PCRE content and can break Postfix, if configured incorrectly.</p>"},{"location":"manual-guides/Postfix/u_e-postfix-disable_sender_verification/","title":"Disable Sender Addresses Verification","text":""},{"location":"manual-guides/Postfix/u_e-postfix-disable_sender_verification/#new-guide","title":"New guide","text":"<p>Edit a mailbox and select \"Allow to send as *\".</p> <p>For historical reasons we kept the old and deprecated guide below:</p>"},{"location":"manual-guides/Postfix/u_e-postfix-disable_sender_verification/#deprecated-guide-do-not-use-on-newer-mailcows","title":"Deprecated guide (DO NOT USE ON NEWER MAILCOWS!)","text":"<p>This option is not best-practice and should only be implemented when there is no other option available to achieve whatever you are trying to do.</p> <p>Simply create a file <code>data/conf/postfix/check_sasl_access</code> and enter the following content. This user must exist in your installation and needs to authenticate before sending mail. <pre><code>user-to-allow-everything@example.com OK\n</code></pre></p> <p>Open <code>data/conf/postfix/main.cf</code> and find <code>smtpd_sender_restrictions</code>. Prepend <code>check_sasl_access hash:/opt/postfix/conf/check_sasl_access</code> like this: <pre><code>smtpd_sender_restrictions = check_sasl_access hash:/opt/postfix/conf/check_sasl_access reject_authenticated_sender_login_mismatch [...]\n</code></pre></p> <p>Run postmap on check_sasl_access:</p> <pre><code>docker compose exec postfix-mailcow postmap /opt/postfix/conf/check_sasl_access\n</code></pre> <p>Restart the Postfix container.</p>"},{"location":"manual-guides/Postfix/u_e-postfix-extra_cf/","title":"Customize/Expand main.cf","text":"<p>Please create a new file <code>data/conf/postfix/extra.cf</code> for overrides or additional content to <code>main.cf</code>.</p> <p>Postfix will complain about duplicate values once after starting postfix-mailcow, this is intended.</p> <p>Syslog-ng was configured to hide those warnings while Postfix is running, to not spam the log files with unnecessary information every time a service is used.</p> <p>Restart <code>postfix-mailcow</code> to apply your changes:</p> <pre><code>docker compose restart postfix-mailcow\n</code></pre>"},{"location":"manual-guides/Postfix/u_e-postfix-pflogsumm/","title":"Statistics with pflogsumm","text":"<p>To use pflogsumm with the default logging driver, we need to query postfix-mailcow via docker logs and direct the output to pflogsumm:</p> <pre><code>docker logs --since 24h $(docker ps -qf name=postfix-mailcow) | pflogsumm\n</code></pre> <p>The above log output is limited to the last 24 hours.</p> <p>It is also possible to create a daily pflogsumm report via cron. Create the /etc/cron.d/pflogsumm file with the following content:</p> <pre><code>SHELL=/bin/bash\n59 23 * * * root docker logs --since 24h $(docker ps -qf name=postfix-mailcow) | /usr/sbin/pflogsumm -d today | mail -s \"Postfix Report of $(date)\" postmaster@example.net\n</code></pre> <p>To work, a local postfix must be installed on the server, which relays to the mailcow postfix.</p> <p>More detailed information can be found in section Post installation tasks -&gt; Local MTA on Dockerhost.</p> <p>Based on the postfix logs of the last 24 hours, this example then sends a pflogsumm report to postmaster@example.net every day at 23:59:00.</p>"},{"location":"manual-guides/Postfix/u_e-postfix-postscreen_whitelist/","title":"Whitelist IP in Postscreen","text":"<p>IPs can be removed from Postscreen and therefore also from RBL checks in <code>data/conf/postfix/custom_postscreen_whitelist.cidr</code>.</p> <p>Postscreen does multiple checks to identify malicious senders. In most cases you want to whitelist an IP to exclude it from blacklist lookups.</p> <p>The format of the file is as follows:</p> <p><code>CIDR ACTION</code></p> <p>Where CIDR is a single IP address or IP range in CIDR notation, and action is either \"permit\" or \"reject\".</p> <p>Example:</p> <pre><code># Rules are evaluated in the order as specified.\n# Blacklist 192.168.* except 192.168.0.1.\n192.168.0.1 permit\n192.168.0.0/16 reject\n</code></pre> <p>The file is reloaded on the fly, postfix restart is not required.</p>"},{"location":"manual-guides/Postfix/u_e-postfix-relayhost/","title":"Relayhosts","text":"<p>As of September 12, 2018 you can setup relayhosts as admin by using the mailcow UI.</p> <p>This is useful if you want to relay outgoing emails for a specific domain to a third-party spam filter or a service like Mailgun or Sendgrid. This is also known as a smarthost.</p>"},{"location":"manual-guides/Postfix/u_e-postfix-relayhost/#add-a-new-relayhost","title":"Add a new relayhost","text":"<p>Go to the <code>Routing</code> tab of the <code>Configuration and Details</code> section of the admin UI. Here you will see a list of relayhosts currently setup.</p> <p>Scroll to the <code>Add sender-dependent transport</code> section.</p> <p>Under <code>Host</code>, add the host you want to relay to. Example: if you want to use Mailgun to send emails instead of your server IP, enter smtp.mailgun.org</p> <p>If the relay host requires a username and password to authenticate, enter them in the respective fields. Keep in mind the credentials will be stored in plain text.</p>"},{"location":"manual-guides/Postfix/u_e-postfix-relayhost/#test-a-relayhost","title":"Test a relayhost","text":"<p>To test that connectivity to the host works, click on <code>Test</code> from the list of relayhosts and enter a From: address. Then, run the test.</p> <p>You will then see the results of the SMTP transmission. If all went well, you should see <code>SERVER -&gt; CLIENT: 250 2.0.0 Ok: queued as A093B401D4</code> as one of the last lines.</p> <p>If not, review the error provided and resolve it.</p> <p>Note: Some hosts, especially those who do not require authentication, will deny connections from servers that have not been added to their system beforehand. Make sure you read the documentation of the relayhost to make sure you've added your domain and/or the server IP to their system.</p> <p>Tip: You can change the default test To: address the test uses from null@mailcow.email to any email address you choose by modifying the $RELAY_TO variable on the vars.inc.php file under /opt/mailcow-dockerized/data/web/inc This way you can check that the relay worked by checking the destination mailbox.</p>"},{"location":"manual-guides/Postfix/u_e-postfix-relayhost/#set-the-relayhost-for-a-domain","title":"Set the relayhost for a domain","text":"<p>Go to the <code>Domains</code> tab of the <code>Mail setup</code> section of the admin UI.</p> <p>Edit the desired domain.</p> <p>Select the newly added host on the <code>Sender-dependent transports</code> dropdown and save changes.</p> <p>Send an email from a mailbox on that domain and you should see postfix handing the message over to the relayhost in the logs.</p>"},{"location":"manual-guides/Postfix/u_e-postfix-trust_networks/","title":"Add trusted networks","text":"<p>By default mailcow considers all networks as untrusted excluding its own IPV4_NETWORK and IPV6_NETWORK scopes. Though it is reasonable in most cases, there may be circumstances that you need to loosen this restriction.</p> <p>By default mailcow uses <code>mynetworks_style = subnet</code> to determine internal subnets and leaves <code>mynetworks</code> unconfigured.</p> <p>If you decide to set <code>mynetworks</code>, Postfix ignores the mynetworks_style setting. This means you have to add the IPV4_NETWORK and IPV6_NETWORK scopes as well as loopback subnets manually!</p>"},{"location":"manual-guides/Postfix/u_e-postfix-trust_networks/#unauthenticated-relaying","title":"Unauthenticated relaying","text":"<p>Warning</p> <p>Incorrect setup of <code>mynetworks</code> will allow your server to be used as an open relay. If abused, this will affect your ability to send emails and can take some time to be resolved.</p>"},{"location":"manual-guides/Postfix/u_e-postfix-trust_networks/#ipv4-hostssubnets","title":"IPv4 hosts/subnets","text":"<p>To add the subnet <code>192.168.2.0/24</code> to the trusted networks you may use the following configuration, depending on your IPV4_NETWORK and IPV6_NETWORK scopes:</p> <p>Edit <code>data/conf/postfix/extra.cf</code>:</p> <pre><code>mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 [fe80::]/10 172.22.1.0/24 [fd4d:6169:6c63:6f77::]/64 192.168.2.0/24\n</code></pre> <p>Run <code>docker compose restart postfix-mailcow</code> to apply your new settings.</p>"},{"location":"manual-guides/Postfix/u_e-postfix-trust_networks/#ipv6-hostssubnets","title":"IPv6 hosts/subnets","text":"<p>Adding IPv6 hosts is done the same as IPv4, however the subnet needs to be placed in brackets <code>[]</code> with the netmask appended.</p> <p>To add the subnet 2001:db8::/32 to the trusted networks you may use the following configuration, depending on your IPV4_NETWORK and IPV6_NETWORK scopes:</p> <p>Edit <code>data/conf/postfix/extra.cf</code>:</p> <pre><code>mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 [fe80::]/10 172.22.1.0/24 [fd4d:6169:6c63:6f77::]/64 [2001:db8::]/32\n</code></pre> <p>Run <code>docker compose restart postfix-mailcow</code> to apply your new settings.</p> <p>Info</p> <p>More information about mynetworks can be found in the Postfix documentation.</p>"},{"location":"manual-guides/Redis/u_e-redis/","title":"Redis","text":"<p>Redis is used as a key-value store for rspamd's and (some of) mailcow's settings and data. If you are unfamiliar with redis please read the introduction to redis and maybe visit this wonderful guide on how to use it.</p>"},{"location":"manual-guides/Redis/u_e-redis/#client","title":"Client","text":"<p>To connect to the redis cli execute:</p> <pre><code>docker compose exec redis-mailcow redis-cli\n</code></pre>"},{"location":"manual-guides/Redis/u_e-redis/#debugging","title":"Debugging","text":"<p>Here are some useful commands for the redis-cli for debugging:</p>"},{"location":"manual-guides/Redis/u_e-redis/#monitor","title":"MONITOR","text":"<p>Listens for all requests received by the server in real time:</p> <pre><code># docker compose exec redis-mailcow redis-cli\n127.0.0.1:6379&gt; monitor\nOK\n1494077286.401963 [0 172.22.1.253:41228] \"SMEMBERS\" \"BAYES_SPAM_keys\"\n1494077288.292970 [0 172.22.1.253:41229] \"SMEMBERS\" \"BAYES_SPAM_keys\"\n[...]\n</code></pre>"},{"location":"manual-guides/Redis/u_e-redis/#keys","title":"KEYS","text":"<p>Get all keys matching your pattern:</p> <pre><code>KEYS *\n</code></pre>"},{"location":"manual-guides/Redis/u_e-redis/#ping","title":"PING","text":"<p>Test a connection:</p> <pre><code>127.0.0.1:6379&gt; PING\nPONG\n</code></pre> <p>If you want to know more, here is a cheat sheet.</p>"},{"location":"manual-guides/Rspamd/u_e-rspamd/","title":"Rspamd","text":"<p>Rspamd is used for AV handling, DKIM signing and SPAM handling. It's a powerful and fast filter system. For a more in-depth documentation on Rspamd please visit its own documentation.</p>"},{"location":"manual-guides/Rspamd/u_e-rspamd/#learn-spam-ham","title":"Learn Spam &amp; Ham","text":"<p>Rspamd learns mail as spam or ham when you move a message in or out of the junk folder to any mailbox besides trash. This is achieved by using the Sieve plugin \"sieve_imapsieve\" and parser scripts.</p> <p>Rspamd also auto-learns mail when a high or low score is detected (see https://rspamd.com/doc/configuration/statistic.html#autolearning). We configured the plugin to keep a sane ratio between spam and ham learns.</p> <p>The bayes statistics are written to Redis as keys <code>BAYES_HAM</code> and <code>BAYES_SPAM</code>.</p> <p>Besides bayes, a local fuzzy storage is used to learn recurring patterns in text or images that indicate ham or spam.</p> <p>You can also use Rspamd's web UI to learn ham and / or spam or to adjust certain settings of Rspamd.</p>"},{"location":"manual-guides/Rspamd/u_e-rspamd/#learn-spam-or-ham-from-existing-directory","title":"Learn Spam or Ham from existing directory","text":"<p>You can use a one-liner to learn mail in plain-text (uncompressed) format:</p> <pre><code># Ham\nfor file in /my/folder/cur/*; do docker exec -i $(docker compose ps -q rspamd-mailcow) rspamc learn_ham &lt; $file; done\n# Spam\nfor file in /my/folder/.Junk/cur/*; do docker exec -i $(docker compose ps -q rspamd-mailcow) rspamc learn_spam &lt; $file; done\n</code></pre> <p>Consider attaching a local folder as new volume to <code>rspamd-mailcow</code> in <code>docker-compose.yml</code> and learn given files inside the container. This can be used as workaround to parse compressed data with zcat. Example:</p> <pre><code>for file in /data/old_mail/.Junk/cur/*; do rspamc learn_spam &lt; zcat $file; done\n</code></pre>"},{"location":"manual-guides/Rspamd/u_e-rspamd/#reset-learned-data-bayes-neural","title":"Reset learned data (Bayes, Neural)","text":"<p>You need to delete keys in Redis to reset learned data, so create a copy of your Redis database now:</p> <p>Backup database</p> <pre><code># It is better to stop Redis before you copy the file.\ncp /var/lib/docker/volumes/mailcowdockerized_redis-vol-1/_data/dump.rdb /root/\n</code></pre> <p>Reset Bayes data</p> <pre><code>docker compose exec redis-mailcow sh -c 'redis-cli --scan --pattern BAYES_* | xargs redis-cli del'\ndocker compose exec redis-mailcow sh -c 'redis-cli --scan --pattern RS* | xargs redis-cli del'\n</code></pre> <p>Reset Neural data</p> <pre><code>docker compose exec redis-mailcow sh -c 'redis-cli --scan --pattern rn_* | xargs redis-cli del'\n</code></pre> <p>Reset Fuzzy data</p> <pre><code># We need to enter the redis-cli first:\ndocker compose exec redis-mailcow redis-cli\n# In redis-cli:\n127.0.0.1:6379&gt; EVAL \"for i, name in ipairs(redis.call('KEYS', ARGV[1])) do redis.call('DEL', name); end\" 0 fuzzy*\n</code></pre> <p>Info</p> <p>If redis-cli complains about...</p> <pre><code>(error) ERR wrong number of arguments for 'del' command\n</code></pre> <p>...the key pattern was not found and thus no data is available to delete - it is fine.</p>"},{"location":"manual-guides/Rspamd/u_e-rspamd/#cli-tools","title":"CLI tools","text":"<pre><code>docker compose exec rspamd-mailcow rspamc --help\ndocker compose exec rspamd-mailcow rspamadm --help\n</code></pre>"},{"location":"manual-guides/Rspamd/u_e-rspamd/#disable-greylisting","title":"Disable Greylisting","text":"<p>Only messages with a higher score will be considered to be greylisted (soft rejected). It is bad practice to disable greylisting.</p> <p>You can disable greylisting server-wide by editing:</p> <p><code>{mailcow-dir}/data/conf/rspamd/local.d/greylist.conf</code></p> <p>Add the line:</p> <pre><code>enabled = false;\n</code></pre> <p>Save the file and restart \"rspamd-mailcow\": <code>docker compose restart rspamd-mailcow</code></p>"},{"location":"manual-guides/Rspamd/u_e-rspamd/#spam-filter-thresholds-global","title":"Spam filter thresholds (global)","text":"<p>Each user is able to change their spam rating individually. To define a new server-wide limit, edit <code>data/conf/rspamd/local.d/actions.conf</code>:</p> <pre><code>reject = 15;\nadd_header = 8;\ngreylist = 7;\n</code></pre> <p>Save the file and restart \"rspamd-mailcow\": <code>docker compose restart rspamd-mailcow</code></p> <p>Existing settings of users will not be overwritten!</p> <p>To reset custom defined thresholds, run:</p> <pre><code>source mailcow.conf\ndocker compose exec mysql-mailcow mysql -umailcow -p$DBPASS mailcow -e \"delete from filterconf where option = 'highspamlevel' or option = 'lowspamlevel';\"\n# or:\n# docker compose exec mysql-mailcow mysql -umailcow -p$DBPASS mailcow -e \"delete from filterconf where option = 'highspamlevel' or option = 'lowspamlevel' and object = 'only-this-mailbox@example.org';\"\n</code></pre>"},{"location":"manual-guides/Rspamd/u_e-rspamd/#custom-reject-messages","title":"Custom reject messages","text":"<p>The default spam reject message can be changed by adding a new file <code>data/conf/rspamd/override.d/worker-proxy.custom.inc</code> with the following content:</p> <pre><code>reject_message = \"My custom reject message\";\n</code></pre> <p>Save the file and restart Rspamd: <code>docker compose restart rspamd-mailcow</code>.</p> <p>While the above works for rejected mails with a high spam score, prefilter reject actions will ignore this setting. For these maps, the multimap module in Rspamd needs to be adjusted:</p> <ol> <li> <p>Find prefilet reject symbol for which you want change message, to do it run: <code>grep -R \"SYMBOL_YOU_WANT_TO_ADJUST\" /opt/mailcow-dockerized/data/conf/rspamd/</code></p> </li> <li> <p>Add your custom message as new line:</p> </li> </ol> <pre><code>GLOBAL_RCPT_BL {\n type = \"rcpt\";\n map = \"${LOCAL_CONFDIR}/custom/global_rcpt_blacklist.map\";\n regexp = true;\n prefilter = true;\n action = \"reject\";\n message = \"Sending mail to this recipient is prohibited by postmaster@your.domain\";\n}\n</code></pre> <ol> <li>Save the file and restart Rspamd: <code>docker compose restart rspamd-mailcow</code>.</li> </ol>"},{"location":"manual-guides/Rspamd/u_e-rspamd/#discard-instead-of-reject","title":"Discard instead of reject","text":"<p>If you want to silently drop a message, create or edit the file <code>data/conf/rspamd/override.d/worker-proxy.custom.inc</code> and add the following content:</p> <pre><code>discard_on_reject = true;\n</code></pre> <p>Restart Rspamd:</p> <pre><code>docker compose restart rspamd-mailcow\n</code></pre>"},{"location":"manual-guides/Rspamd/u_e-rspamd/#wipe-all-ratelimit-keys","title":"Wipe all ratelimit keys","text":"<p>If you don't want to use the UI and instead wipe all keys in the Redis database, you can use redis-cli for that task:</p> <pre><code>docker compose exec redis-mailcow sh\n# Unlink (available in Redis &gt;=4.) will delete in the backgronud\nredis-cli --scan --pattern RL* | xargs redis-cli unlink\n</code></pre> <p>Restart Rspamd:</p> <pre><code>docker compose restart rspamd-mailcow\n</code></pre>"},{"location":"manual-guides/Rspamd/u_e-rspamd/#trigger-a-resend-of-quarantine-notifications","title":"Trigger a resend of quarantine notifications","text":"<p>Should be used for debugging only!</p> <pre><code>docker compose exec dovecot-mailcow bash\nmysql -umailcow -p$DBPASS mailcow -e \"update quarantine set notified = 0;\"\nredis-cli -h redis DEL Q_LAST_NOTIFIED\nquarantine_notify.py\n</code></pre>"},{"location":"manual-guides/Rspamd/u_e-rspamd/#increase-history-retention","title":"Increase history retention","text":"<p>By default Rspamd keeps 1000 elements in the history.</p> <p>The history is stored compressed.</p> <p>It is recommended not to use a disproportionate high value here, try something along 5000 or 10000 and see how your server handles it:</p> <p>Edit <code>data/conf/rspamd/local.d/history_redis.conf</code>:</p> <pre><code>nrows = 1000; # change this value\n</code></pre> <p>Restart Rspamd afterwards: <code>docker compose restart rspamd-mailcow</code></p>"},{"location":"manual-guides/SOGo/u_e-sogo/","title":"SOGo","text":"<p>SOGo is used for accessing your mails via a webbrowser, adding and sharing your contacts or calendars. For a more in-depth documentation on SOGo please visit its own documentation.</p>"},{"location":"manual-guides/SOGo/u_e-sogo/#apply-custom-sogo-theme","title":"Apply custom SOGo theme","text":"<p>mailcow builds after 28 January 2021 can change SOGo's theme by editing <code>data/conf/sogo/custom-theme.js</code>. Please check the AngularJS Material intro and documentation as well as the material style guideline to learn how this works. </p> <p>You can use the provided <code>custom-theme.js</code> as an example starting point by removing the comments. After you modified <code>data/conf/sogo/custom-theme.js</code> and made changes to your new SOGo theme you need to </p> <ol> <li>edit <code>data/conf/sogo/sogo.conf</code> and append/set <code>SOGoUIxDebugEnabled = YES;</code></li> <li>restart SOGo and Memcached containers by executing <code>docker compose restart memcached-mailcow sogo-mailcow</code>.</li> <li>open SOGo in browser</li> <li>open browser developer console, usually shortcut is F12</li> <li>only if you use Firefox: write by hands in dev console <code>allow pasting</code> and press enter</li> <li>paste java script snipet in dev console: <pre><code>copy([].slice.call(document.styleSheets)\n .map(e =&gt; e.ownerNode)\n .filter(e =&gt; e.hasAttribute('md-theme-style'))\n .map(e =&gt; e.textContent)\n .join('\\n')\n)\n</code></pre></li> <li>open text editor and paste data from clipboard (Ctrl+V), you should get minified CSS, save it</li> <li>copy CSS file to mailcow server <code>data/conf/sogo/custom-theme.css</code></li> <li>edit <code>data/conf/sogo/sogo.conf</code> and set <code>SOGoUIxDebugEnabled = NO;</code></li> <li>append/create <code>docker-compose.override.yml</code> with: <pre><code>version: '2.1'\n\nservices:\n sogo-mailcow:\n volumes:\n - ./data/conf/sogo/custom-theme.css:/usr/lib/GNUstep/SOGo/WebServerResources/css/theme-default.css:z\n</code></pre></li> <li>run <code>docker compose up -d</code></li> <li>run <code>docker compose restart memcached-mailcow</code></li> </ol>"},{"location":"manual-guides/SOGo/u_e-sogo/#reset-to-sogo-default-theme","title":"Reset to SOGo default theme","text":"<ol> <li>checkout <code>data/conf/sogo/custom-theme.js</code> by executing <code>git fetch ; git checkout origin/master data/conf/sogo/custom-theme.js data/conf/sogo/custom-theme.js</code></li> <li>find in <code>data/conf/sogo/custom-theme.js</code>: <pre><code>// Apply new palettes to the default theme, remap some of the hues\n $mdThemingProvider.theme('default')\n .primaryPalette('green-cow', {\n 'default': '400', // background color of top toolbars\n 'hue-1': '400',\n 'hue-2': '600', // background color of sidebar toolbar\n 'hue-3': 'A700'\n })\n .accentPalette('green', {\n 'default': '600', // background color of fab buttons and login screen\n 'hue-1': '300', // background color of center list toolbar\n 'hue-2': '300', // highlight color for selected mail and current day calendar\n 'hue-3': 'A700'\n })\n .backgroundPalette('frost-grey');\n</code></pre> and replace it with: <pre><code> $mdThemingProvider.theme('default');\n</code></pre></li> <li>remove from <code>docker-compose.override.yml</code> volume mount in <code>sogo-mailcow</code>: <pre><code>- ./data/conf/sogo/custom-theme.css:/usr/lib/GNUstep/SOGo/WebServerResources/css/theme-default.css:z\n</code></pre></li> <li>run <code>docker compose up -d</code></li> <li>run <code>docker compose restart memcached-mailcow</code></li> </ol>"},{"location":"manual-guides/SOGo/u_e-sogo/#change-favicon","title":"Change favicon","text":"<p>mailcow builds after 31 January 2021 can change SOGo's favicon by replacing <code>data/conf/sogo/custom-favicon.ico</code> for SOGo and <code>data/web/favicon.png</code> for mailcow UI. Note: You can use <code>.png</code> favicons for SOGo by renaming them to <code>custom-favicon.ico</code>. For both SOGo and mailcow UI favicons you need use one of the standard dimensions: 16x16, 32x32, 64x64, 128x128 and 256x256. After you replaced said file you need to restart SOGo and Memcached containers by executing <code>docker compose restart memcached-mailcow sogo-mailcow</code>.</p>"},{"location":"manual-guides/SOGo/u_e-sogo/#change-logo","title":"Change logo","text":"<p>mailcow builds after 21 December 2018 can change SOGo's logo by replacing or creating (if missing) <code>data/conf/sogo/sogo-full.svg</code>. After you replaced said file you need to restart SOGo and Memcached containers by executing <code>docker compose restart memcached-mailcow sogo-mailcow</code>.</p>"},{"location":"manual-guides/SOGo/u_e-sogo/#connect-domains","title":"Connect domains","text":"<p>Domains are usually isolated from eachother.</p> <p>You can change that by modifying <code>data/conf/sogo/sogo.conf</code>:</p> <p>Search... <pre><code> // SOGoDomainsVisibility = (\n // (domain1.tld, domain5.tld),\n // (domain3.tld, domain2.tld)\n // );\n</code></pre> ...and replace it by - for example:</p> <pre><code> SOGoDomainsVisibility = (\n (example.org, example.com, example.net)\n );\n</code></pre> <p>Restart SOGo: <code>docker compose restart sogo-mailcow</code></p>"},{"location":"manual-guides/SOGo/u_e-sogo/#disable-password-changing","title":"Disable password changing","text":"<p>Edit <code>data/conf/sogo/sogo.conf</code> and change <code>SOGoPasswordChangeEnabled</code> to <code>NO</code>. Please do not add a new parameter.</p> <p>Run <code>docker compose restart memcached-mailcow sogo-mailcow</code> to activate the changes.</p>"},{"location":"manual-guides/SOGo/u_e-sogo/#reset-totp-disable-totp","title":"Reset TOTP / Disable TOTP","text":"<p>Run <code>docker compose exec -u sogo sogo-mailcow sogo-tool user-preferences set defaults user@example.com SOGoTOTPEnabled '{\"SOGoTOTPEnabled\":0}'</code> from within the mailcow directory.</p>"},{"location":"manual-guides/Unbound/u_e-unbound-fwd/","title":"Using an external DNS service","text":"<p>If you want or have to use an external DNS service, you can either set a forwarder in Unbound or copy an override file to define external DNS servers:</p> <p>Warning</p> <p>Please do not use a public resolver like we did in the example above. Many - if not all - blacklist lookups will fail with public resolvers, because blacklist server has limits on how much requests can be done from one IP and public resolvers usually reach this limits. Important: Only DNSSEC validating DNS services will work.</p>"},{"location":"manual-guides/Unbound/u_e-unbound-fwd/#method-a-unbound","title":"Method A, Unbound","text":"<p>Edit <code>data/conf/unbound/unbound.conf</code> and append the following parameters:</p> <pre><code>forward-zone:\n name: \".\"\n forward-addr: 8.8.8.8 # DO NOT USE PUBLIC DNS SERVERS - JUST AN EXAMPLE\n forward-addr: 8.8.4.4 # DO NOT USE PUBLIC DNS SERVERS - JUST AN EXAMPLE\n</code></pre> <p>Restart Unbound:</p> <pre><code>docker compose restart unbound-mailcow\n</code></pre>"},{"location":"manual-guides/Unbound/u_e-unbound-fwd/#method-b-override-file","title":"Method B, Override file","text":"<pre><code>cd /opt/mailcow-dockerized\ncp helper-scripts/docker-compose.override.yml.d/EXTERNAL_DNS/docker-compose.override.yml .\n</code></pre> <p>Edit <code>docker-compose.override.yml</code> and adjust the IP.</p> <p>Run <code>docker compose down ; docker compose up -d</code>.</p>"},{"location":"manual-guides/Watchdog/u_e-watchdog-thresholds/","title":"Thresholds","text":"<p>Watchdog uses default values for all thresholds defined in <code>docker-compose.yml</code>.</p> <p>The default values will work for most setups. Example: <pre><code>- NGINX_THRESHOLD=${NGINX_THRESHOLD:-5}\n- UNBOUND_THRESHOLD=${UNBOUND_THRESHOLD:-5}\n- REDIS_THRESHOLD=${REDIS_THRESHOLD:-5}\n- MYSQL_THRESHOLD=${MYSQL_THRESHOLD:-5}\n- MYSQL_REPLICATION_THRESHOLD=${MYSQL_REPLICATION_THRESHOLD:-1}\n- SOGO_THRESHOLD=${SOGO_THRESHOLD:-3}\n- POSTFIX_THRESHOLD=${POSTFIX_THRESHOLD:-8}\n- CLAMD_THRESHOLD=${CLAMD_THRESHOLD:-15}\n- DOVECOT_THRESHOLD=${DOVECOT_THRESHOLD:-12}\n- DOVECOT_REPL_THRESHOLD=${DOVECOT_REPL_THRESHOLD:-20}\n- PHPFPM_THRESHOLD=${PHPFPM_THRESHOLD:-5}\n- RATELIMIT_THRESHOLD=${RATELIMIT_THRESHOLD:-1}\n- FAIL2BAN_THRESHOLD=${FAIL2BAN_THRESHOLD:-1}\n- ACME_THRESHOLD=${ACME_THRESHOLD:-1}\n- RSPAMD_THRESHOLD=${RSPAMD_THRESHOLD:-5}\n- OLEFY_THRESHOLD=${OLEFY_THRESHOLD:-5}\n- MAILQ_THRESHOLD=${MAILQ_THRESHOLD:-20}\n- MAILQ_CRIT=${MAILQ_CRIT:-30}\n</code></pre></p> <p>To adjust them just add necessary threshold variables (e.g. <code>MAILQ_THRESHOLD=10</code>) to <code>mailcow.conf</code> and run <code>docker compose up -d</code>.</p>"},{"location":"manual-guides/Watchdog/u_e-watchdog-thresholds/#thresholds-descriptions","title":"Thresholds descriptions","text":""},{"location":"manual-guides/Watchdog/u_e-watchdog-thresholds/#nginx_threshold","title":"NGINX_THRESHOLD","text":"<p>Notifies administrators if watchdog can not establish a connection to Nginx on port 8081 and it will restart the container automatically when issues were found and the threshold has been reached.</p>"},{"location":"manual-guides/Watchdog/u_e-watchdog-thresholds/#unbound_threshold","title":"UNBOUND_THRESHOLD","text":"<p>Notifies administrators if Unbound can not resolve/valide external domains/DNSSEC and it will restart the container automatically when issues were found and the threshold has been reached.</p>"},{"location":"manual-guides/Watchdog/u_e-watchdog-thresholds/#redis_threshold","title":"REDIS_THRESHOLD","text":"<p>Notifies administrators if watchdog can not establish a connection to Redis on port 6379 and it will restart the container automatically when issues were found and the threshold has been reached.</p>"},{"location":"manual-guides/Watchdog/u_e-watchdog-thresholds/#mysql_threshold","title":"MYSQL_THRESHOLD","text":"<p>Notifies administrators if watchdog can not establish a connection to MySQL or can not query a table and it will restart the container automatically when issues were found and the threshold has been reached.</p>"},{"location":"manual-guides/Watchdog/u_e-watchdog-thresholds/#mysql_replication_threshold","title":"MYSQL_REPLICATION_THRESHOLD","text":"<p>Notifies administrators if the MySQL replication fails.</p>"},{"location":"manual-guides/Watchdog/u_e-watchdog-thresholds/#sogo_threshold","title":"SOGO_THRESHOLD","text":"<p>Notifies administrators if watchdog can not establish a connection to SOGo on port 20000 and it will restart the container automatically when issues were found and the threshold has been reached.</p>"},{"location":"manual-guides/Watchdog/u_e-watchdog-thresholds/#postfix_threshold","title":"POSTFIX_THRESHOLD","text":"<p>Notifies administrators if watchdog can not sent a test mail via port 589 and it will restart the container automatically when issues were found and the threshold has been reached.</p>"},{"location":"manual-guides/Watchdog/u_e-watchdog-thresholds/#clamd_threshold","title":"CLAMD_THRESHOLD","text":"<p>Notifies administrators if watchdog can not establish a connection to Clamd and it will restart the container automatically when issues were found and the threshold has been reached.</p>"},{"location":"manual-guides/Watchdog/u_e-watchdog-thresholds/#dovecot_threshold","title":"DOVECOT_THRESHOLD","text":"<p>Notifies administrators if watchdog fails with various tests with Dovecot container and it will restart the container automatically when issues were found and the threshold has been reached.</p>"},{"location":"manual-guides/Watchdog/u_e-watchdog-thresholds/#dovecot_repl_threshold","title":"DOVECOT_REPL_THRESHOLD","text":"<p>Notifies administrators if the Dovecot replication fails.</p>"},{"location":"manual-guides/Watchdog/u_e-watchdog-thresholds/#phpfpm_threshold","title":"PHPFPM_THRESHOLD","text":"<p>Notifies administrators if watchdog can not establish a connection to PHP-FPM on port 9001/9002 and it will restart the container automatically when issues were found and the threshold has been reached.</p>"},{"location":"manual-guides/Watchdog/u_e-watchdog-thresholds/#ratelimit_threshold","title":"RATELIMIT_THRESHOLD","text":"<p>Notifies administrators if a ratelimit got hit.</p>"},{"location":"manual-guides/Watchdog/u_e-watchdog-thresholds/#fail2ban_threshold","title":"FAIL2BAN_THRESHOLD","text":"<p>Notifies administrators if a fail2ban banned an IP.</p>"},{"location":"manual-guides/Watchdog/u_e-watchdog-thresholds/#acme_threshold","title":"ACME_THRESHOLD","text":"<p>Notifies administrators if something is wrong with the acme-mailcow container. You may check its logs.</p>"},{"location":"manual-guides/Watchdog/u_e-watchdog-thresholds/#rspamd_threshold","title":"RSPAMD_THRESHOLD","text":"<p>Notifies administrators if watchdog fails with various tests with Rspamd container and it will restart the container automatically when issues were found and the threshold has been reached.</p>"},{"location":"manual-guides/Watchdog/u_e-watchdog-thresholds/#olefy_threshold","title":"OLEFY_THRESHOLD","text":"<p>Notifies administrators if watchdog can not establish a connection to olefy on port 10005 and it will restart the container automatically when issues were found and the threshold has been reached.</p>"},{"location":"manual-guides/Watchdog/u_e-watchdog-thresholds/#mailq_crit-and-mailq_threshold","title":"MAILQ_CRIT and MAILQ_THRESHOLD","text":"<p>Notifies administrators if number of emails in the postfix queue is greater then <code>MAILQ_CRIT</code> for period of <code>MAILQ_THRESHOLD * (60\u00b130)</code> seconds.</p>"},{"location":"manual-guides/mailcow-UI/u_e-mailcow_ui-bl_wl/","title":"Blacklist / Whitelist","text":"<p>To add or edit an entry to your domain-wide filter table, log in to your mailcow UI as (domain) administrator and go to: <code>Configuration &gt; Email Setup &gt; Domains &gt; Edit Domain &gt; Spam Filter</code>.</p> <p>Info</p> <p>Be aware that a user can override this setting by setting their own blacklist and whitelist!</p> <p>There is also a global filter table in <code>Configuration &gt; Configuration &amp; Details &gt; Global filter maps</code> to configure a server wide filter for multiple regex maps (todo: screenshots).</p>"},{"location":"manual-guides/mailcow-UI/u_e-mailcow_ui-config/","title":"Configuration","text":"<p>Several configuration parameters of the mailcow UI can be changed by creating a file <code>data/web/inc/vars.local.inc.php</code> which overrides defaults settings found in <code>data/web/inc/vars.inc.php</code>.</p> <p>The local configuration file is persistent over updates of mailcow. Try not to change values inside <code>data/web/inc/vars.inc.php</code>, but use them as template for the local override.</p> <p>mailcow UI configuration parameters can be used to...</p> <ul> <li>...change the default language1</li> <li>...change the default bootstrap theme</li> <li>...set a password complexity regex</li> <li>...enable DKIM private key visibility</li> <li>...set a pagination trigger size</li> <li>...set default mailbox attributes</li> <li>...change session lifetimes</li> <li>...create fixed app menus (which cannot be changed in mailcow UI)</li> <li>...set a default \"To\" field for relayhost tests</li> <li>...set a timeout for Docker API requests</li> <li>...toggle IP anonymization</li> </ul> <ol> <li> <p>To change SOGos default language, you will need to edit <code>data/conf/sogo/sogo.conf</code> and replace \"English\" by your preferred language.\u00a0\u21a9</p> </li> </ol>"},{"location":"manual-guides/mailcow-UI/u_e-mailcow_ui-css/","title":"CSS overrides","text":"<p>For custom overrides of specific elements via CSS, use <code>data/web/css/build/0081-custom-mailcow.css</code>.</p> <p>The file is excluded from tracking and persists over updates.</p>"},{"location":"manual-guides/mailcow-UI/u_e-mailcow_ui-fido/","title":"WebAuthn / FIDO2","text":""},{"location":"manual-guides/mailcow-UI/u_e-mailcow_ui-fido/#how-is-uv-handled-in-mailcow","title":"How is UV handled in mailcow?","text":"<p>The UV flag (as in \"user verification\") enforces WebAuthn to verify the user before it allows access to the key (think of a PIN). We don't enforce UV to allow logins via iOS and NFC (YubiKey).</p>"},{"location":"manual-guides/mailcow-UI/u_e-mailcow_ui-fido/#login-and-key-processing","title":"Login and key processing","text":"<p>mailcow uses client-side key processing. We ask the authenticator (i.e. YubiKey) to save the registration in its memory.</p> <p>A user does not need to enter a username. The available credentials - if any - will be shown to the user when selecting the \"key login\" via mailcow UI login.</p> <p>When calling the login process, the authenticator is not given any credential IDs. This will force it to lookup credentials in its own memory.</p>"},{"location":"manual-guides/mailcow-UI/u_e-mailcow_ui-fido/#who-can-use-webauthn-to-login-to-mailcow","title":"Who can use WebAuthn to login to mailcow?","text":"<p>As of today, only administrators and domain administrators are able to setup WebAuthn/FIDO2.</p> <p>You want to use WebAuthn/Fido as 2FA? Check it out here: Two-Factor Authentication</p>"},{"location":"manual-guides/mailcow-UI/u_e-mailcow_ui-netfilter/","title":"Netfilter","text":""},{"location":"manual-guides/mailcow-UI/u_e-mailcow_ui-netfilter/#change-netfilter-ban-settings","title":"Change Netfilter Ban Settings","text":"<p>To change the Netfilter settings in general please navigate to: <code>Configuration -&gt; Configuration &amp; Details -&gt; Configuration -&gt; Fail2ban parameters</code>.</p> <p>You should now see a familar interface:</p> <p>Here you can set several options regarding the bans itself. For example the max. Ban time or the max. attempts before a ban is executed.</p>"},{"location":"manual-guides/mailcow-UI/u_e-mailcow_ui-netfilter/#change-netfilter-regex","title":"Change Netfilter Regex","text":"<p>Danger</p> <p>The following area requires at least basic regex knowledge. If you are not sure what you are doing there, we can only advise you not to attempt a reconfiguration.</p> <p>In addition to the ban settings, you can also define what exactly should be used from the mailcow container logs to ban a possible attacker.</p> <p>To do this, you must first expand the regex field, which will look something like this:</p> <p>There you can now create various new filter rules.</p> <p>Info</p> <p>As updates progress, it is possible that new Netfilter regex rules will be added or removed. If this is the case, it is recommended to reset the Netfilter regex rules by clicking on <code>Reset to default</code>.</p>"},{"location":"manual-guides/mailcow-UI/u_e-mailcow_ui-pushover/","title":"Pushover","text":"<p>Info</p> <p>Pushover makes it easy to get real-time notifications on your Android, iPhone, iPad, and Desktop</p> <p>You can use Pushover to get a push notification on every mail you receive for each mailbox where you enabled this feature.</p> <p>1. As admin open your mailbox' settings and scroll down to the Pushover settings</p> <p>2. Register yourself on Pushover</p> <p>3. Put your 'User Key' in the 'User/Group Key' field in your mailbox settings</p> <p>4. Create an Applications to get the API Token/Key which you also need to put in your mailbox settings</p> <p>5. Optional you can edit the notification title/text and define certain sender email addresses where a push notification is triggered</p> <p>6. Save everything and then you can verify your credentials</p> <p>If everything is done you can test sending a mail and you will receive a push message on your phone</p>"},{"location":"manual-guides/mailcow-UI/u_e-mailcow_ui-spamalias/","title":"Temporary email aliases","text":"<p>These temporary email aliases are mostly used for places where we need to provide an email address but don't want future correspondence with. They are also called spam alias.</p> <p>To create, delete or extend a temporary email aliases you need to login to mailcow's UI as a mailbox user and navigate to the tab Temporary email aliases:</p>"},{"location":"manual-guides/mailcow-UI/u_e-mailcow_ui-spamfilter/","title":"Spamfilter","text":"<p>A mailbox user may adjust the spam filter and black- / whitelist settings for his mailbox individually by navigating to the Spam filter tab in the users mailcow UI.</p> <p>Info</p> <p>For global adjustments on your spam filter please check our section on Rspamd. For a domain wide black- and whitelist please check our guide on Black / Whitelist</p>"},{"location":"manual-guides/mailcow-UI/u_e-mailcow_ui-sub_addressing/","title":"Sub-addressing","text":"<p>Mailbox users can tag their mail address like in <code>me+facebook@example.org</code>. They can control the tag handling in the users mailcow UI panel under <code>Mailbox &gt; Settings</code>. </p> <p><code>sub-addressing</code> (RFC 5233) or <code>plus addressing</code> also known as tagging (do not mix with Tags)</p>"},{"location":"manual-guides/mailcow-UI/u_e-mailcow_ui-sub_addressing/#available-actions","title":"Available Actions","text":"<p>1. Move this message to a sub folder \"facebook\" (will be created lower case if not existing)</p> <p>2. Prepend the tag to the subject: \"[facebook] Subject\"</p> <p>Please note: Uppercase tags are converted to lowercase except for the first letter. If you want to keep the tag as it is, please apply the following diff and restart mailcow: <pre><code>diff --git a/data/conf/dovecot/global_sieve_after b/data/conf/dovecot/global_sieve_after\nindex e047136e..933c4137 100644\n--- a/data/conf/dovecot/global_sieve_after\n+++ b/data/conf/dovecot/global_sieve_after\n@@ -15,7 +15,7 @@ if allof (\n envelope :detail :matches \"to\" \"*\",\n header :contains \"X-Moo-Tag\" \"YES\"\n ) {\n- set :lower :upperfirst \"tag\" \"${1}\";\n+ set \"tag\" \"${1}\";\n if mailboxexists \"INBOX/${1}\" {\n fileinto \"INBOX/${1}\";\n } else {\n</code></pre></p>"},{"location":"manual-guides/mailcow-UI/u_e-mailcow_ui-tags/","title":"Tags (for Domains and Mailboxes)","text":"<p>Info</p> <p>You need the mailcow Version 2022-05 at least for this feature. If you don\u00b4t have the Version installed please consider a update. For more informations about a mailcow update please take a look at the Update section here in the docs.</p>"},{"location":"manual-guides/mailcow-UI/u_e-mailcow_ui-tags/#what-are-tags-designed-for","title":"What are Tags designed for?","text":"<p>With the Tags you can easily sort your Domains and Mailboxes by the tags instead of their name.</p>"},{"location":"manual-guides/mailcow-UI/u_e-mailcow_ui-tags/#where-are-the-tags-located","title":"Where are the Tags located?","text":"<p>The Tags are located in the Domain/Mailbox section of the mailcow UI. To view them simply click on the small plus symbol on the left of your Domain/Mailbox (following picture is showing the domain ribbon menu): </p>"},{"location":"manual-guides/mailcow-UI/u_e-mailcow_ui-tags/#how-can-i-addremove-a-tag","title":"How can i add/remove a Tag?","text":"<p>You can simply add/remove a Tag during the creation of a new Domain/Mailbox. You also can add/remove them if you edit your desired Domain/Mailbox.</p> <p>It looks similar to this (following picture showing the domain edit section):</p>"},{"location":"manual-guides/mailcow-UI/u_e-mailcow_ui-tags/#how-can-i-search-for-a-tag","title":"How can i search for a tag?","text":"<p>Simply type the Tag Name in the search bar in the Domain/Mailbox Section and wait for it to complete.</p> <p>You can even specify if you want to search for tags only.</p>"},{"location":"manual-guides/mailcow-UI/u_e-mailcow_ui-tfa/","title":"Two-Factor Authentication","text":"<p>So far three methods for Two-Factor Authentication are implemented: WebAuthn (replacing U2F since February 2022), Yubi OTP, and TOTP</p> <ul> <li>For WebAuthn to work, you need an encrypted connection to the server (HTTPS) as well as a FIDO security key.</li> <li>Both WebAuthn and Yubi OTP work well with the fantastic Yubikey.</li> <li>While Yubi OTP needs an active internet connection and an API ID + key, WebAuthn will work with any Fido Security Key out of the box, but can only be used when mailcow is accessed over HTTPS.</li> <li>WebAuthn and Yubi OTP support multiple keys per user.</li> <li>As the third TFA method mailcow uses TOTP: time-based one-time passwords. Those passwords can be generated with apps like \"Google Authenticator\" after initially scanning a QR code or entering the given secret manually.</li> </ul> <p>As administrator you are able to temporary disable a domain administrators TFA login until they successfully logged in.</p> <p>The key used to login will be displayed in green, while other keys remain grey.</p> <p>Information on how to remove 2FA can be found here.</p>"},{"location":"manual-guides/mailcow-UI/u_e-mailcow_ui-tfa/#yubi-otp","title":"Yubi OTP","text":"<p>The Yubi API ID and Key will be checked against the Yubico Cloud API. When setting up TFA you will be asked for your personal API account for this key. The API ID, API key and the first 12 characters (your YubiKeys ID in modhex) are stored in the MySQL table as secret.</p>"},{"location":"manual-guides/mailcow-UI/u_e-mailcow_ui-tfa/#example-setup","title":"Example setup","text":"<p>First of all, the YubiKey must be configured for use as an OTP Generator. To do this, download the <code>YubiKey Manager</code> from the Yubico website: here</p> <p>In the following you configure the YubiKey for OTP. Via the menu item <code>Applications</code> -&gt; <code>OTP</code> and a click on the <code>Configure</code> button. In the following menu select <code>Credential Type</code> -&gt; <code>Yubico OTP</code> and click on <code>Next</code>.</p> <p>Set a checkmark in the <code>Use serial</code> checkbox, generate a <code>Private ID</code> and a <code>Secret key</code> via the buttons. So that the YubiKey can be validated later, the checkmark in the <code>Upload</code> checkbox must also be set and then click on <code>Finish</code>.</p> <p>Now a new browser window will open in which you have to enter an OTP of your YubiKey at the bottom of the form (click on the field and then tap on your YubiKey). Confirm the captcha and upload the information to the Yubico server by clicking 'Upload'. The processing of the data will take a moment.</p> <p>After the generation was successful, you will be shown a <code>Client ID</code> and a <code>Secret key</code>, make a note of this information in a safe place.</p> <p>Now you can select <code>Yubico OTP authentication</code> from the dropdown menu in the mailcow UI on the start page under <code>Access</code> -&gt; <code>Two-factor authentication</code>. In the dialog that opened now you can enter a name for this YubiKey and insert the <code>Client ID</code> you noted before as well as the <code>Secret key</code> into the fields provided. Finally, enter your current account password and, after selecting the <code>Touch Yubikey</code> field, touch your YubiKey button.</p> <p>Congratulations! You can now log in to the mailcow UI using your YubiKey!</p>"},{"location":"manual-guides/mailcow-UI/u_e-mailcow_ui-tfa/#webauthn-u2f-replacement","title":"WebAuthn (U2F, replacement)","text":"<p>Warning</p> <p>Since February 2022 Google Chrome has discarded support for U2F and standardized the use of WebAuthn. The WebAuthn (U2F removal) is part of mailcow since 21th January 2022, so if you want to use the Key past February 2022 please consider a update with the <code>update.sh</code> </p> <p>To use WebAuthn, the browser must support this standard.</p> <p>The following desktop browsers support this authentication type:</p> <ul> <li>Edge (&gt;=18)</li> <li>Firefox (&gt;=60)</li> <li>Chrome (&gt;=67)</li> <li>Safari (&gt;=13)</li> <li>Opera (&gt;=54)</li> </ul> <p>The following mobile browsers support this authentication type:</p> <ul> <li>Safari on iOS (&gt;=14.5)</li> <li>Android Browser (&gt;=97)</li> <li>Opera Mobile (&gt;=64)</li> <li>Chrome for Android (&gt;=97)</li> </ul> <p>Sources: caniuse.com, blog.mozilla.org</p> <p>WebAuthn works without an internet connection.</p>"},{"location":"manual-guides/mailcow-UI/u_e-mailcow_ui-tfa/#what-will-happen-to-my-registered-fido-security-key-after-the-update-from-u2f-to-webauthn","title":"What will happen to my registered Fido Security Key after the Update from U2F to WebAuthn?","text":"<p>Warning</p> <p>With this new U2F replacement (WebAuthn) you have to re-register your Fido Security Key, thankfully WebAuthn is backwards compatible and supports the U2F protocol.</p> <p>Ideally, the next time you log in (with the key), you should get a text box saying that your Fido Security Key has been removed due to the update to WebAuthn and deleted as a 2-factor authenticator.</p> <p>But don't worry! You can simply re-register your existing key and use it as usual, you probably won't even notice a difference, except that your browser won't show the U2F deactivation message anymore.</p>"},{"location":"manual-guides/mailcow-UI/u_e-mailcow_ui-tfa/#disable-unofficial-supported-fido-security-keys","title":"Disable unofficial supported Fido Security Keys","text":"<p>With WebAuthn there is the possibility to use only official Fido Security Keys (from the big brands like: Yubico, Apple, Nitro, Google, Huawei, Microsoft, etc.).</p> <p>This is primarily for security purposes, as it allows administrators to ensure that only official hardware can be used in their environment.</p> <p>To enable this feature, change the value <code>WEBAUTHN_ONLY_TRUSTED_VENDORS</code> in mailcow.conf from <code>n</code> to <code>y</code> and restart the affected containers with <code>docker compose up -d</code>.</p> <p>The mailcow will now use the Vendor Certificates located in your mailcow directory under <code>data/web/inc/lib/WebAuthn/rootCertificates</code>. </p>"},{"location":"manual-guides/mailcow-UI/u_e-mailcow_ui-tfa/#example","title":"Example:","text":"<p>If you want to limit the official Vendor devices to Apple only you only need the Apple Vendor Certificate inside the <code>data/web/inc/lib/WebAuthn/rootCertificates</code>. After you deleted all other certs you now only can activate WebAuthn 2FA with Apple devices.</p> <p>That\u00b4s for every vendor the same, so choose what you like (if you want to).</p>"},{"location":"manual-guides/mailcow-UI/u_e-mailcow_ui-tfa/#use-own-certificates-for-webauthn","title":"Use own certificates for WebAuthn","text":"<p>If you have a valid certificate from the vendor of your key you can also add it to your mailcow!</p> <p>Just copy the certificate into the <code>data/web/inc/lib/WebAuthn/rootCertificates</code> folder and restart your mailcow.</p> <p>Now you should be able to register this device as well, even though the verification for the vendor certificates is enabled, since you just added the certificate manually. </p>"},{"location":"manual-guides/mailcow-UI/u_e-mailcow_ui-tfa/#is-it-dangerous-to-keep-the-vendor-check-disabled","title":"Is it dangerous to keep the Vendor Check disabled?","text":"<p>No, it isn\u00b4t! These vendor certificates are only used to verify original hardware, not to secure the registration process.</p> <p>As you can read in these articles, the deactivation is not software security related: - https://developers.yubico.com/U2F/Attestation_and_Metadata/ - https://medium.com/webauthnworks/webauthn-fido2-demystifying-attestation-and-mds-efc3b3cb3651 - https://medium.com/webauthnworks/sorting-fido-ctap-webauthn-terminology-7d32067c0b01</p> <p>In the end, however, it is of course your decision to leave this check disabled or enabled. </p>"},{"location":"manual-guides/mailcow-UI/u_e-mailcow_ui-tfa/#totp","title":"TOTP","text":"<p>The best known TFA method mostly used with a smartphone.</p> <p>To setup the TOTP method login to the Admin UI and select <code>Time-based OTP (TOTP)</code> from the list.</p> <p>Now a modal will open in which you have to type in a name for your 2FA \"device\" (example: John Deer\u00b4s Smartphone) and the password of the affected Admin account (you are currently logged in with).</p> <p>You have two seperate methods to register TOTP to your account: 1. Scan the QR-Code with your Authenticator App on a Smartphone or Tablet. 2. Use the TOTP Code (under the QR Code) in your TOTP Program or App (if you can\u00b4t scan a QR Code).</p> <p>After you have registered the QR or TOTP code in the TOTP app/program of your choice you only need to enter the now generated TOTP token (in the app/program) as confirmation in the mailcow UI to finally activate the TOTP 2FA, otherwise it will not be activated even though the TOTP token is already generated in your app/program.</p>"},{"location":"models/model-acl/","title":"ACL","text":"<p>Editing a domain administrator or a mailbox user allows to set restrictions to that account.</p> <p>Important: For overlapping modules like sync jobs, which both domain administrators and mailbox users can be granted access to, the domain administrators permissions are inherited, when logging in as mailbox user.</p> <p>Some examples:</p> <p>1.</p> <ul> <li>A domain administror has not access to sync jobs but can login as mailbox user</li> <li>When logging in as mailbox user, he does not gain access to sync jobs, even if the given mailbox user has access when logging in directly</li> </ul> <p>2.</p> <ul> <li>A domain administror has access to sync jobs and can login as mailbox user</li> <li>The mailbox user he tries to login as has not access to sync jobs</li> <li>The domain administrator, now logged in as mailbox user, inherits its permission to the mailbox user and can access sync jobs</li> </ul> <p>3.</p> <ul> <li>A domain administrator logs in as mailbox user</li> <li>Every permission, that does not exist in a domain administrators ACL, is automatically granted (example: time-limited alias, TLS policy etc.)</li> </ul>"},{"location":"models/model-passwd/","title":"Password hashing","text":""},{"location":"models/model-passwd/#fully-supported-hashing-methods","title":"Fully supported hashing methods","text":"<p>The most current mailcow fully supports the following hashing methods. The default hashing method is written in bold:</p> <ul> <li>BLF-CRYPT</li> <li>SSHA</li> <li>SSHA256</li> <li>SSHA512</li> </ul> <p>The methods above can be used in <code>mailcow.conf</code> as <code>MAILCOW_PASS_SCHEME</code> value.</p>"},{"location":"models/model-passwd/#read-only-hashing-methods","title":"Read-only hashing methods","text":"<p>The following methods are supported read only. If you plan to use SOGo (as per default), you need a SOGo compatible hashing method. Please see the note at the bottom of this page how to update the view if necessary. With SOGo disabled, all hashing methods below will be able to be read by mailcow and Dovecot.</p> <ul> <li>ARGON2I (SOGo compatible)</li> <li>ARGON2ID (SOGo compatible)</li> <li>CLEAR</li> <li>CLEARTEXT</li> <li>CRYPT (SOGo compatible)</li> <li>DES-CRYPT</li> <li>LDAP-MD5 (SOGo compatible)</li> <li>MD5 (SOGo compatible)</li> <li>MD5-CRYPT (SOGo compatible)</li> <li>PBKDF2 (SOGo compatible)</li> <li>PLAIN (SOGo compatible)</li> <li>PLAIN-MD4</li> <li>PLAIN-MD5</li> <li>PLAIN-TRUNC</li> <li>SHA (SOGo compatible)</li> <li>SHA1 (SOGo compatible)</li> <li>SHA256 (SOGo compatible)</li> <li>SHA256-CRYPT (SOGo compatible)</li> <li>SHA512 (SOGo compatible)</li> <li>SHA512-CRYPT (SOGo compatible)</li> <li>SMD5 (SOGo compatible)</li> </ul> <p>That means mailcow is able to verify users with a hash like <code>{MD5}1a1dc91c907325c69271ddf0c944bc72</code> from the database.</p> <p>The value of <code>MAILCOW_PASS_SCHEME</code> will always be used to encrypt new passwords.</p> <p>I changed the password hashes in the \"mailbox\" SQL table and cannot login.</p> <p>A \"view\" needs to be updated. You can trigger this by restarting sogo-mailcow: <code>docker compose restart sogo-mailcow</code></p>"},{"location":"models/model-sender_rcv/","title":"Sender and receiver model","text":"<p>When a mailbox is created, a user is allowed to send mail from and receive mail for his own mailbox address.</p> <pre><code>Mailbox me@example.org is created. example.org is a primary domain.\nNote: a mailbox cannot be created in an alias domain.\n\nme@example.org is only known as me@example.org.\nme@example.org is allowed to send as me@example.org.\n</code></pre> <p>We can add an alias domain for example.org:</p> <pre><code>Alias domain alias.com is added and assigned to primary domain example.org.\nme@example.org is now known as me@example.org and me@alias.com.\nme@example.org is now allowed to send as me@example.org and me@alias.com.\n</code></pre> <p>We can add aliases for a mailbox to receive mail for and to send from this new address.</p> <p>It is important to know, that you are not able to receive mail for <code>my-alias@my-alias-domain.tld</code>. You would need to create this particular alias.</p> <pre><code>me@example.org is assigned the alias alias@example.org\nme@example.org is now known as me@example.org, me@alias.com, alias@example.org\n\nme@example.org is NOT known as alias@alias.com.\n</code></pre> <p>Please note that this does not apply to catch-all aliases:</p> <pre><code>Alias domain alias.com is added and assigned to primary domain example.org\nme@example.org is assigned the catch-all alias @example.org\nme@example.org is still just known as me@example.org, which is the only available send-as option\n\nAny email send to alias.com will match the catch-all alias for example.org\n</code></pre> <p>Administrators and domain administrators can edit mailboxes to allow specific users to send as other mailbox users (\"delegate\" them).</p> <p>You can choose between mailbox users or completely disable the sender check for domains.</p>"},{"location":"models/model-sender_rcv/#sogo-mail-from-addresses","title":"SOGo \"mail from\" addresses","text":"<p>Mailbox users can, obviously, select their own mailbox address, as well as all alias addresses and aliases that exist through alias domains.</p> <p>If you want to select another existing mailbox user as your \"mail from\" address, this user has to delegate you access through SOGo (see SOGo documentation). Moreover a mailcow (domain) administrator needs to grant you access as described above.</p>"},{"location":"post_installation/firststeps-disable_ipv6/","title":"Disable IPv6","text":"<p>This is ONLY recommended if you do not have an IPv6 enabled network on your host!</p> <p>If you really need to, you can disable the usage of IPv6 in the compose file. Additionally, you can also disable the startup of container \"ipv6nat-mailcow\", as it's not needed if you won't use IPv6.</p> <p>Instead of editing docker-compose.yml directly, it is preferable to create an override file for it and implement your changes to the service there. Unfortunately, this right now only seems to work for services, not for network settings.</p> <p>To disable IPv6 on the mailcow network, open docker-compose.yml with your favourite text editor and search for the network section (it's near the bottom of the file). </p> <p>1. Modify docker-compose.yml</p> <p>Change <code>enable_ipv6: true</code> to <code>enable_ipv6: false</code>:</p> <pre><code>networks:\n mailcow-network:\n [...]\n enable_ipv6: true # &lt;&lt;&lt; set to false\n [...]\n</code></pre> <p>2. Disable ipv6nat-mailcow</p> <p>To disable the ipv6nat-mailcow container as well, go to your mailcow directory and create a new file called \"docker-compose.override.yml\": </p> <p>NOTE: If you already have an override file, of course don't recreate it, but merge the lines below into your existing one accordingly!</p> <pre><code># cd /opt/mailcow-dockerized\n# touch docker-compose.override.yml\n</code></pre> <p>Open the file in your favourite text editor and fill in the following:</p> <pre><code>version: '2.1'\nservices:\n\n ipv6nat-mailcow:\n image: bash:latest\n restart: \"no\"\n entrypoint: [\"echo\", \"ipv6nat disabled in compose.override.yml\"]\n</code></pre> <p>For these changes to be effective, you need to fully stop and then restart the stack, so containers and networks are recreated:</p> <pre><code>docker compose down\ndocker compose up -d\n</code></pre> <p>3. Disable IPv6 in unbound-mailcow</p> <p>Edit <code>data/conf/unbound/unbound.conf</code> and set <code>do-ip6</code> to \"no\":</p> <pre><code>server:\n [...]\n do-ip6: no\n [...]\n</code></pre> <p>Restart Unbound:</p> <pre><code>docker compose restart unbound-mailcow\n</code></pre> <p>4. Disable IPv6 in postfix-mailcow</p> <p>Create <code>data/conf/postfix/extra.cf</code> and set <code>smtp_address_preference</code> to <code>ipv4</code>:</p> <pre><code>smtp_address_preference = ipv4\ninet_protocols = ipv4\n</code></pre> <p>Restart Postfix:</p> <pre><code>docker compose restart postfix-mailcow\n</code></pre> <p>5. If your docker daemon completly disabled IPv6:</p> <p>Fix the following NGINX, Dovecot and php-fpm config files</p> <pre><code>sed -i '/::/d' data/conf/nginx/listen_*\nsed -i '/::/d' data/conf/nginx/templates/listen*\nsed -i '/::/d' data/conf/nginx/dynmaps.conf\nsed -i 's/,\\[::\\]//g' data/conf/dovecot/dovecot.conf\nsed -i 's/\\[::\\]://g' data/conf/phpfpm/php-fpm.d/pools.conf\n</code></pre>"},{"location":"post_installation/firststeps-dmarc_reporting/","title":"DMARC Reporting","text":"<p>DMARC Reporting done via Rspamd DMARC Module.</p> <p>Rspamd documentation can be found here: https://rspamd.com/doc/modules/dmarc.html</p> <p>Important:</p> <ol> <li> <p>Change <code>example.com</code>, <code>mail.example.com</code> and <code>Example</code> to reflect your setup</p> </li> <li> <p>DMARC reporting requires additional attention, especially over the first few days</p> </li> <li> <p>All receiving domains hosted on mailcow send from one reporting domain. It is recommended to use the parent domain of your <code>MAILCOW_HOSTNAME</code>:</p> <ul> <li>If your <code>MAILCOW_HOSTNAME</code> is <code>mail.example.com</code> change the following config to <code>domain = \"example.com\";</code></li> <li>Set <code>email</code> equally, e.g. <code>email = \"noreply-dmarc@example.com\";</code></li> </ul> </li> <li> <p>It is optional but recommended to create an email user <code>noreply-dmarc</code> in mailcow to handle bounces.</p> </li> </ol>"},{"location":"post_installation/firststeps-dmarc_reporting/#enable-dmarc-reporting","title":"Enable DMARC reporting","text":"<p>Create the file <code>data/conf/rspamd/local.d/dmarc.conf</code> and set the following content:</p> <pre><code>reporting {\n enabled = true;\n email = 'noreply-dmarc@example.com';\n domain = 'example.com';\n org_name = 'Example';\n helo = 'rspamd';\n smtp = 'postfix';\n smtp_port = 25;\n from_name = 'Example DMARC Report';\n msgid_from = 'rspamd.mail.example.com';\n max_entries = 2k;\n keys_expire = 2d;\n}\n</code></pre> <p>Create or modify <code>docker-compose.override.yml</code> in the mailcow-dockerized base directory:</p> <pre><code>version: '2.1'\n\nservices:\n rspamd-mailcow:\n environment:\n - MASTER=${MASTER:-y}\n labels:\n ofelia.enabled: \"true\"\n ofelia.job-exec.rspamd_dmarc_reporting_yesterday.schedule: \"@every 24h\"\n ofelia.job-exec.rspamd_dmarc_reporting_yesterday.command: \"/bin/bash -c \\\"[[ $${MASTER} == y ]] &amp;&amp; /usr/bin/rspamadm dmarc_report $(date --date yesterday '+%Y%m%d') &gt; /var/lib/rspamd/dmarc_reports_last_log 2&gt;&amp;1 || exit 0\\\"\"\n ofelia-mailcow:\n depends_on:\n - rspamd-mailcow\n</code></pre> <p>Run <code>docker compose up -d</code></p>"},{"location":"post_installation/firststeps-dmarc_reporting/#send-a-copy-reports-to-yourself","title":"Send a copy reports to yourself","text":"<p>To receive a hidden copy of reports generated by Rspamd you can set a <code>bcc_addrs</code> list in the <code>reporting</code> config section of <code>data/conf/rspamd/local.d/dmarc.conf</code>:</p> <pre><code>reporting {\n enabled = true;\n email = 'noreply-dmarc@example.com';\n bcc_addrs = [\"noreply-dmarc@example.com\",\"parsedmarc@example.com\"];\n[...]\n</code></pre> <p>Rspamd will load changes in real time, so you won't need to restart the container at this point.</p> <p>This can be useful if you...</p> <ul> <li>...want to check that your DMARC reports are sent correctly and authenticated.</li> <li>...want to analyze your own reports to get statistics, i.e. to use with ParseDMARC or other analytic systems.</li> </ul>"},{"location":"post_installation/firststeps-dmarc_reporting/#troubleshooting","title":"Troubleshooting","text":"<p>Check when the report schedule last ran:</p> <pre><code>docker compose exec rspamd-mailcow date -r /var/lib/rspamd/dmarc_reports_last_log\n</code></pre> <p>See the latest report output:</p> <pre><code>docker compose exec rspamd-mailcow cat /var/lib/rspamd/dmarc_reports_last_log\n</code></pre> <p>Manually trigger a DMARC report:</p> <pre><code>docker compose exec rspamd-mailcow rspamadm dmarc_report\n</code></pre> <p>Validate that Rspamd has recorded data in Redis: Change <code>20220428</code> to date which you interested in.</p> <p><pre><code>docker compose exec redis-mailcow redis-cli SMEMBERS \"dmarc_idx;20220428\"\n</code></pre> Take one of the lines from output you interested in and request it, f.e.: <pre><code>docker compose exec redis-mailcow redis-cli ZRANGE \"dmarc_rpt;microsoft.com;mailto:d@rua.agari.com;20220428\" 0 49\n</code></pre></p>"},{"location":"post_installation/firststeps-dmarc_reporting/#change-dmarc-reporting-frequency","title":"Change DMARC reporting frequency","text":"<p>In the example above reports are sent once every 24 hours and send reports for yesterday. This will be okay for most setups.</p> <p>If you have a large mail volume and want to run the DMARC reporting more than once a day you need create second schedule and run it with <code>dmarc_report $(date '+%Y%m%d')</code> to process the current day. You have to make sure that the first run on each day also processes the last report from the day before, so it needs to be started twice, one time with <code>$(date --date yesterday '+%Y%m%d')</code> at <code>0 5 0 * * *</code> (00:05 AM) and then with <code>$(date '+%Y%m%d')</code> with desired interval.</p> <p>The Ofelia schedule has the same implementation as <code>cron</code> in Go, supported syntax described at cron Documentation</p> <p>To change schedule:</p> <ol> <li>Edit <code>docker-compose.override.yml</code>:</li> </ol> <pre><code>version: '2.1'\n\nservices:\n rspamd-mailcow:\n environment:\n - MASTER=${MASTER:-y}\n labels:\n ofelia.enabled: \"true\"\n ofelia.job-exec.rspamd_dmarc_reporting_yesterday.schedule: \"0 5 0 * * *\"\n ofelia.job-exec.rspamd_dmarc_reporting_yesterday.command: \"/bin/bash -c \\\"[[ $${MASTER} == y ]] &amp;&amp; /usr/bin/rspamadm dmarc_report $(date --date yesterday '+%Y%m%d') &gt; /var/lib/rspamd/dmarc_reports_last_log 2&gt;&amp;1 || exit 0\\\"\"\n ofelia.job-exec.rspamd_dmarc_reporting_today.schedule: \"@every 12h\"\n ofelia.job-exec.rspamd_dmarc_reporting_today.command: \"/bin/bash -c \\\"[[ $${MASTER} == y ]] &amp;&amp; /usr/bin/rspamadm dmarc_report $(date '+%Y%m%d') &gt; /var/lib/rspamd/dmarc_reports_last_log 2&gt;&amp;1 || exit 0\\\"\"\n ofelia-mailcow:\n depends_on:\n - rspamd-mailcow\n</code></pre> <ol> <li> <p>Run <code>docker compose up -d</code></p> </li> <li> <p>Run <code>docker compose restart ofelia-mailcow</code></p> </li> </ol>"},{"location":"post_installation/firststeps-dmarc_reporting/#disable-dmarc-reporting","title":"Disable DMARC Reporting","text":"<p>To disable reporting:</p> <ol> <li> <p>Set <code>enabled</code> to <code>false</code> in <code>data/conf/rspamd/local.d/dmarc.conf</code></p> </li> <li> <p>Revert changes done in <code>docker-compose.override.yml</code> to <code>rspamd-mailcow</code> and <code>ofelia-mailcow</code></p> </li> <li> <p>Run <code>docker compose up -d</code></p> </li> </ol>"},{"location":"post_installation/firststeps-ip_bindings/","title":"IP bindings","text":"<p>Warning</p> <p>Changing the binding does not affect source NAT. See SNAT for required steps.</p>"},{"location":"post_installation/firststeps-ip_bindings/#ipv4-binding","title":"IPv4 binding","text":"<p>To adjust one or multiple IPv4 bindings, open <code>mailcow.conf</code> and edit one, multiple or all variables as per your needs:</p> <pre><code># For technical reasons, http bindings are a bit different from other service bindings.\n# You will find the following variables, separated by a bind address and its port:\n# Example: HTTP_BIND=1.2.3.4\n\nHTTP_PORT=80\nHTTP_BIND=\nHTTPS_PORT=443\nHTTPS_BIND=\n\n# Other services are bound by using the following format:\n# SMTP_PORT=1.2.3.4:25 will bind SMTP to the IP 1.2.3.4 on port 25\n# Important! Specifying an IPv4 address will skip all IPv6 bindings since Docker 20.x.\n# doveadm, SQL as well as Solr are bound to local ports only, please do not change that, unless you know what you are doing.\n\nSMTP_PORT=25\nSMTPS_PORT=465\nSUBMISSION_PORT=587\nIMAP_PORT=143\nIMAPS_PORT=993\nPOP_PORT=110\nPOPS_PORT=995\nSIEVE_PORT=4190\nDOVEADM_PORT=127.0.0.1:19991\nSQL_PORT=127.0.0.1:13306\nSOLR_PORT=127.0.0.1:18983\n</code></pre> <p>To apply your changes, run <code>docker compose down</code> followed by <code>docker compose up -d</code>.</p>"},{"location":"post_installation/firststeps-ip_bindings/#ipv6-binding","title":"IPv6 binding","text":"<p>Changing IPv6 bindings is different from IPv4. Again, this has a technical background.</p> <p>A <code>docker-compose.override.yml</code> file will be used instead of editing the <code>docker-compose.yml</code> file directly. This is to maintain updatability, as the <code>docker-compose.yml</code> file gets updated regularly and your changes will most likely be overwritten.</p> <p>Edit to create a file <code>docker-compose.override.yml</code> with the following content. Its content will be merged with the productive <code>docker-compose.yml</code> file.</p> <p>An example IPv6 2001:db8:dead:beef::123 is given. The first suffix <code>:PORT1</code> defines the external port, while the second suffix <code>:PORT2</code> routes to the corresponding port inside the container and must not be changed.</p> <pre><code>version: '2.1'\nservices:\n\n dovecot-mailcow:\n ports:\n - '[2001:db8:dead:beef::123]:143:143'\n - '[2001:db8:dead:beef::123]:993:993'\n - '[2001:db8:dead:beef::123]:110:110'\n - '[2001:db8:dead:beef::123]:995:995'\n - '[2001:db8:dead:beef::123]:4190:4190'\n\n postfix-mailcow:\n ports:\n - '[2001:db8:dead:beef::123]:25:25'\n - '[2001:db8:dead:beef::123]:465:465'\n - '[2001:db8:dead:beef::123]:587:587'\n\n nginx-mailcow:\n ports:\n - '[2001:db8:dead:beef::123]:80:80'\n - '[2001:db8:dead:beef::123]:443:443'\n</code></pre> <p>To apply your changes, run <code>docker compose down</code> followed by <code>docker compose up -d</code>.</p>"},{"location":"post_installation/firststeps-local_mta/","title":"Local MTA on Docker host","text":"<p>The easiest option would be to disable the listener on port 25/tcp.</p> <p>Postfix users disable the listener by commenting the following line (starting with <code>smtp</code> or <code>25</code>) in <code>/etc/postfix/master.cf</code>: <pre><code>#smtp inet n - - - - smtpd\n</code></pre></p> <p>Furthermore, to relay over a dockerized mailcow, you may want to add <code>172.22.1.1</code> as relayhost and remove the Docker interface from \"inet_interfaces\":</p> <pre><code>postconf -e 'relayhost = 172.22.1.1'\npostconf -e \"mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128\"\npostconf -e \"inet_interfaces = loopback-only\"\npostconf -e \"relay_transport = relay\"\npostconf -e \"default_transport = smtp\"\n</code></pre> <p>Now it is important to not have the same FQDN in <code>myhostname</code> as you use for your dockerized mailcow. Check your local (non-Docker) Postfix' main.cf for <code>myhostname</code> and set it to something different, for example <code>local.my.fqdn.tld</code>.</p> <p>\"172.22.1.1\" is the mailcow created network gateway in Docker. Relaying over this interface is necessary (instead of - for example - relaying directly over ${MAILCOW_HOSTNAME}) to relay over a known internal network.</p> <p>Restart Postfix after applying your changes.</p>"},{"location":"post_installation/firststeps-logging/","title":"Logging","text":"<p>Logging in mailcow: dockerized consists of multiple stages, but is, after all, much more flexible and easier to integrate into a logging daemon than before.</p> <p>In Docker the containerized application (PID 1) writes its output to stdout. For real one-application containers this works just fine. Run <code>docker compose logs --help</code> to learn more. </p> <p>Some containers log or stream to multiple destinations.</p> <p>No container will keep persistent logs in it. Containers are transient items!</p> <p>In the end, every line of logs will reach the Docker daemon - unfiltered.</p> <p>The default logging driver is \"json\".</p>"},{"location":"post_installation/firststeps-logging/#filtered-logs","title":"Filtered logs","text":"<p>Some logs are filtered and written to Redis keys but also streamed to a Redis channel.</p> <p>The Redis channel is used to stream logs with failed authentication attempts to be read by netfilter-mailcow.</p> <p>The Redis keys are persistent and will keep 10000 lines of logs for the web UI.</p> <p>This mechanism makes it possible to use whatever Docker logging driver you want to, without losing the ability to read logs from the UI or ban suspicious clients with netfilter-mailcow.</p> <p>Redis keys will only hold logs from applications and filter out system messages (think of cron etc.).</p>"},{"location":"post_installation/firststeps-logging/#logging-drivers","title":"Logging drivers","text":""},{"location":"post_installation/firststeps-logging/#via-docker-composeoverrideyml","title":"Via docker-compose.override.yml","text":"<p>Here is the good news: Since Docker has some great logging drivers, you can integrate mailcow: dockerized into your existing logging environment with ease.</p> <p>Create a <code>docker-compose.override.yml</code> and add, for example, this block to use the \"gelf\" logging plugin for <code>postfix-mailcow</code>:</p> <pre><code>version: '2.1'\nservices:\n postfix-mailcow: # or any other\n logging:\n driver: \"gelf\"\n options:\n gelf-address: \"udp://graylog:12201\"\n</code></pre> <p>Another example for Syslog:</p> <pre><code>version: '2.1'\nservices:\n\n postfix-mailcow: # or any other\n logging:\n driver: \"syslog\"\n options:\n syslog-address: \"udp://127.0.0.1:514\"\n syslog-facility: \"local3\"\n\n dovecot-mailcow: # or any other\n logging:\n driver: \"syslog\"\n options:\n syslog-address: \"udp://127.0.0.1:514\"\n syslog-facility: \"local3\"\n\n rspamd-mailcow: # or any other\n logging:\n driver: \"syslog\"\n options:\n syslog-address: \"udp://127.0.0.1:514\"\n syslog-facility: \"local3\"\n</code></pre>"},{"location":"post_installation/firststeps-logging/#for-rsyslog-only","title":"For Rsyslog only:","text":"<p>Make sure the following lines aren't commented out in <code>/etc/rsyslog.conf</code>:</p> <pre><code># provides UDP syslog reception\nmodule(load=\"imudp\")\ninput(type=\"imudp\" port=\"514\")\n</code></pre> <p>To move <code>local3</code> input to <code>/var/log/mailcow.log</code> and stop processing, create a file <code>/etc/rsyslog.d/docker.conf</code>:</p> <pre><code>local3.* /var/log/mailcow.log\n&amp; stop\n</code></pre> <p>Restart rsyslog afterwards.</p>"},{"location":"post_installation/firststeps-logging/#via-daemonjson-globally","title":"via daemon.json (globally)","text":"<p>If you want to change the logging driver globally, edit Dockers daemon configuration file <code>/etc/docker/daemon.json</code> and restart the Docker service:</p> <pre><code>{\n...\n \"log-driver\": \"gelf\",\n \"log-opts\": {\n \"gelf-address\": \"udp://graylog:12201\"\n }\n...\n}\n</code></pre> <p>For Syslog:</p> <pre><code>{\n...\n \"log-driver\": \"syslog\",\n \"log-opts\": {\n \"syslog-address\": \"udp://1.2.3.4:514\"\n }\n...\n}\n</code></pre> <p>Restart the Docker daemon and run <code>docker compose down &amp;&amp; docker compose up -d</code> to recreate the containers with the new logging driver.</p>"},{"location":"post_installation/firststeps-logging/#log-rotation","title":"Log rotation","text":"<p>As those logs can get quite big, it is a good idea to use logrotate to compress and delete them after a certain time period.</p> <p>Create <code>/etc/logrotate.d/mailcow</code> with the following content:</p> <pre><code>/var/log/mailcow.log {\n rotate 7\n daily\n compress\n delaycompress\n missingok\n notifempty\n create 660 root root\n}\n</code></pre> <p>With this configuration, logrotate will run daily and keep a maximum of 7 archives.</p> <p>To rotate the logfile weekly or monthly replace <code>daily</code> with <code>weekly</code> or <code>monthly</code> respectively.</p> <p>To keep more archives, set the desired number of <code>rotate</code>.</p> <p>Afterwards, logrotate can be restarted.</p>"},{"location":"post_installation/firststeps-rp/","title":"Reverse Proxy","text":"<p>You don't need to change the Nginx site that comes with mailcow: dockerized. mailcow: dockerized trusts the default gateway IP 172.22.1.1 as proxy.</p> <p>1. Make sure you change HTTP_BIND and HTTPS_BIND in <code>mailcow.conf</code> to a local address and set the ports accordingly, for example: <pre><code>HTTP_BIND=127.0.0.1\nHTTP_PORT=8080\nHTTPS_BIND=127.0.0.1\nHTTPS_PORT=8443\n</code></pre></p> <p>This will also change the bindings inside the Nginx container! This is important, if you decide to use a proxy within Docker.</p> <p>IMPORTANT: Do not use port 8081, 9081 or 65510!</p> <p>Recreate affected containers by running <code>docker compose up -d</code>.</p> <p>Important information, please read them carefully!</p> <p>Info</p> <p>If you plan to use a reverse proxy and want to use another server name that is not MAILCOW_HOSTNAME, you need to read Adding additional server names for mailcow UI at the bottom of this page.</p> <p>Warning</p> <p>Make sure you run <code>generate_config.sh</code> before you enable any site configuration examples below. The script <code>generate_config.sh</code> copies snake-oil certificates to the correct location, so the services will not fail to start due to missing files.</p> <p>Warning</p> <p>If you enable TLS SNI (<code>ENABLE_TLS_SNI</code> in mailcow.conf), the certificate paths in your reverse proxy must match the correct paths in data/assets/ssl/{hostname}. The certificates will be split into <code>data/assets/ssl/{hostname1,hostname2,etc}</code> and therefore will not work when you copy the examples from below pointing to <code>data/assets/ssl/cert.pem</code> etc.</p> <p>Info</p> <p>Using the site configs below will forward ACME requests to mailcow and let it handle certificates itself. The downside of using mailcow as ACME client behind a reverse proxy is, that you will need to reload your webserver after acme-mailcow changed/renewed/created the certificate. You can either reload your webserver daily or write a script to watch the file for changes. On many servers logrotate will reload the webserver daily anyway.</p> <p>If you want to use a local certbot installation, you will need to change the SSL certificate parameters accordingly. Make sure you run a post-hook script when you decide to use external ACME clients. You will find an example at the bottom of this page.</p> <p>2. Configure your local webserver as reverse proxy:</p>"},{"location":"post_installation/firststeps-rp/#apache-24","title":"Apache 2.4","text":"<p>Required modules: <pre><code>a2enmod rewrite proxy proxy_http headers ssl\n</code></pre></p> <p>Let's Encrypt will follow our rewrite, certificate requests in mailcow will work fine.</p> <p>Take care of highlighted lines.</p> <pre><code>&lt;VirtualHost *:80&gt;\n ServerName CHANGE_TO_MAILCOW_HOSTNAME\n ServerAlias autodiscover.*\n ServerAlias autoconfig.*\n RewriteEngine on\n\n RewriteCond %{HTTPS} off\n RewriteRule ^/?(.*) https://%{HTTP_HOST}/$1 [R=301,L]\n\n ProxyPass / http://127.0.0.1:8080/\n ProxyPassReverse / http://127.0.0.1:8080/\n ProxyPreserveHost On\n ProxyAddHeaders On\n RequestHeader set X-Forwarded-Proto \"http\"\n&lt;/VirtualHost&gt;\n&lt;VirtualHost *:443&gt;\n ServerName CHANGE_TO_MAILCOW_HOSTNAME\n ServerAlias autodiscover.*\n ServerAlias autoconfig.*\n\n # You should proxy to a plain HTTP session to offload SSL processing\n ProxyPass /Microsoft-Server-ActiveSync http://127.0.0.1:8080/Microsoft-Server-ActiveSync connectiontimeout=4000\n ProxyPassReverse /Microsoft-Server-ActiveSync http://127.0.0.1:8080/Microsoft-Server-ActiveSync\n ProxyPass / http://127.0.0.1:8080/\n ProxyPassReverse / http://127.0.0.1:8080/\n ProxyPreserveHost On\n ProxyAddHeaders On\n RequestHeader set X-Forwarded-Proto \"https\"\n\n SSLCertificateFile MAILCOW_PATH/data/assets/ssl/cert.pem\n SSLCertificateKeyFile MAILCOW_PATH/data/assets/ssl/key.pem\n\n # If you plan to proxy to a HTTPS host:\n #SSLProxyEngine On\n\n # If you plan to proxy to an untrusted HTTPS host:\n #SSLProxyVerify none\n #SSLProxyCheckPeerCN off\n #SSLProxyCheckPeerName off\n #SSLProxyCheckPeerExpire off\n&lt;/VirtualHost&gt;\n</code></pre>"},{"location":"post_installation/firststeps-rp/#nginx","title":"Nginx","text":"<p>Let's Encrypt will follow our rewrite, certificate requests will work fine.</p> <p>Take care of highlighted lines.</p> <pre><code>server {\n listen 80 default_server;\n listen [::]:80 default_server;\n server_name CHANGE_TO_MAILCOW_HOSTNAME autodiscover.* autoconfig.*;\n return 301 https://$host$request_uri;\n}\nserver {\n listen 443 ssl http2;\n listen [::]:443 ssl http2;\n server_name CHANGE_TO_MAILCOW_HOSTNAME autodiscover.* autoconfig.*;\n\n ssl_certificate MAILCOW_PATH/data/assets/ssl/cert.pem;\n ssl_certificate_key MAILCOW_PATH/data/assets/ssl/key.pem;\n ssl_session_timeout 1d;\n ssl_session_cache shared:SSL:50m;\n ssl_session_tickets off;\n\n # See https://ssl-config.mozilla.org/#server=nginx for the latest ssl settings recommendations\n # An example config is given below\n ssl_protocols TLSv1.2;\n ssl_ciphers HIGH:!aNULL:!MD5:!SHA1:!kRSA;\n ssl_prefer_server_ciphers off;\n\n location /Microsoft-Server-ActiveSync {\n proxy_pass http://127.0.0.1:8080/Microsoft-Server-ActiveSync;\n proxy_set_header Host $http_host;\n proxy_set_header X-Real-IP $remote_addr;\n proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;\n proxy_set_header X-Forwarded-Proto $scheme;\n proxy_connect_timeout 75;\n proxy_send_timeout 3650;\n proxy_read_timeout 3650;\n proxy_buffers 64 512k; # Needed since the 2022-04 Update for SOGo\n client_body_buffer_size 512k;\n client_max_body_size 0;\n }\n\n location / {\n proxy_pass http://127.0.0.1:8080/;\n proxy_set_header Host $http_host;\n proxy_set_header X-Real-IP $remote_addr;\n proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;\n proxy_set_header X-Forwarded-Proto $scheme;\n client_max_body_size 0;\n # The following Proxy Buffers has to be set if you want to use SOGo after the 2022-04 (April 2022) Update\n # Otherwise a Login will fail like this: https://github.com/mailcow/mailcow-dockerized/issues/4537\n proxy_buffer_size 128k;\n proxy_buffers 64 512k;\n proxy_busy_buffers_size 512k;\n }\n}\n</code></pre>"},{"location":"post_installation/firststeps-rp/#haproxy-community-supported","title":"HAProxy (community supported)","text":"<p>Warning</p> <p>This is an unsupported community contribution. Feel free to provide fixes.</p> <p>Important/Fixme: This example only forwards HTTPS traffic and does not use mailcows built-in ACME client.</p> <pre><code>frontend https-in\n bind :::443 v4v6 ssl crt mailcow.pem\n default_backend mailcow\n\nbackend mailcow\n option forwardfor\n http-request set-header X-Forwarded-Proto https if { ssl_fc }\n http-request set-header X-Forwarded-Proto http if !{ ssl_fc }\n server mailcow 127.0.0.1:8080 check\n</code></pre>"},{"location":"post_installation/firststeps-rp/#traefik-v2-community-supported","title":"Traefik v2 (community supported)","text":"<p>Warning</p> <p>This is an unsupported community contribution. Feel free to provide fixes.</p> <p>Important: This config only covers the \"reverseproxing\" of the webpannel (nginx-mailcow) using Traefik v2, if you also want to reverseproxy the mail services such as dovecot, postfix... you'll just need to adapt the following config to each container and create an EntryPoint on your <code>traefik.toml</code> or <code>traefik.yml</code> (depending which config you use) for each port. </p> <p>For this section we'll assume you have your Traefik 2 <code>[certificatesresolvers]</code> properly configured on your traefik configuration file, and also using acme, also, the following example uses Lets Encrypt, but feel free to change it to your own cert resolver. You can find a basic Traefik 2 toml config file with all the above implemented which can be used for this example here traefik.toml if you need one, or a hint on how to adapt your config.</p> <p>So, first of all, we are going to disable the acme-mailcow container since we'll use the certs that traefik will provide us. For this we'll have to set <code>SKIP_LETS_ENCRYPT=y</code> on our <code>mailcow.conf</code>, and run <code>docker compose up -d</code> to apply the changes.</p> <p>Then we'll create a <code>docker-compose.override.yml</code> file in order to override the main <code>docker-compose.yml</code> found in your mailcow root folder. </p> <pre><code>version: '2.1'\n\nservices:\n nginx-mailcow:\n networks:\n # Add Traefik's network\n web:\n labels:\n - traefik.enable=true\n # Creates a router called \"moo\" for the container, and sets up a rule to link the container to certain rule,\n # in this case, a Host rule with our MAILCOW_HOSTNAME var.\n - traefik.http.routers.moo.rule=Host(`${MAILCOW_HOSTNAME}`)\n # Enables tls over the router we created before.\n - traefik.http.routers.moo.tls=true\n # Specifies which kind of cert resolver we'll use, in this case le (Lets Encrypt).\n - traefik.http.routers.moo.tls.certresolver=le\n # Creates a service called \"moo\" for the container, and specifies which internal port of the container\n # should traefik route the incoming data to.\n - traefik.http.services.moo.loadbalancer.server.port=${HTTP_PORT}\n # Specifies which entrypoint (external port) should traefik listen to, for this container.\n # websecure being port 443, check the traefik.toml file liked above.\n - traefik.http.routers.moo.entrypoints=websecure\n # Make sure traefik uses the web network, not the mailcowdockerized_mailcow-network\n - traefik.docker.network=web\n\n certdumper:\n image: humenius/traefik-certs-dumper\n command: --restart-containers ${COMPOSE_PROJECT_NAME}-postfix-mailcow-1,${COMPOSE_PROJECT_NAME}-nginx-mailcow-1,${COMPOSE_PROJECT_NAME}-dovecot-mailcow-1\n network_mode: none\n volumes:\n # Mount the volume which contains Traefik's `acme.json' file\n # Configure the external name in the volume definition\n - acme:/traefik:ro\n # Mount mailcow's SSL folder\n - ./data/assets/ssl/:/output:rw\n # Mount docker socket to restart containers\n - /var/run/docker.sock:/var/run/docker.sock:ro\n restart: always\n environment:\n # only change this, if you're using another domain for mailcow's web frontend compared to the standard config\n - DOMAIN=${MAILCOW_HOSTNAME}\n\nnetworks:\n web:\n external: true\n # Name of the external network\n name: traefik_web\n\nvolumes:\n acme:\n external: true\n # Name of the external docker volume which contains Traefik's `acme.json' file\n name: traefik_acme\n</code></pre> <p>Start the new containers with <code>docker compose up -d</code>.</p> <p>Now, there's only one thing left to do, which is setup the certs so that the mail services can use them as well, since Traefik 2 uses an acme v2 format to save ALL the license from all the domains we have, we'll need to find a way to dump the certs, lucky we have this tiny container which grabs the <code>acme.json</code> file trough a volume, and a variable <code>DOMAIN=example.org</code>, and with these, the container will output the <code>cert.pem</code> and <code>key.pem</code> files, for this we'll simply run the <code>traefik-certs-dumper</code> container binding the <code>/traefik</code> volume to the folder where our <code>acme.json</code> is saved, bind the <code>/output</code> volume to our mailcow <code>data/assets/ssl/</code> folder, and set up the <code>DOMAIN=example.org</code> variable to the domain we want the certs dumped from. </p> <p>This container will watch over the <code>acme.json</code> file for any changes, and regenerate the <code>cert.pem</code> and <code>key.pem</code> files directly into <code>data/assets/ssl/</code> being the path binded to the container's <code>/output</code> path.</p> <p>You can use the command line to run it, or use the docker compose shown here.</p> <p>After we have the certs dumped, we'll have to reload the configs from our postfix and dovecot containers, and check the certs, you can see how here.</p> <p>Aaand that should be it \ud83d\ude0a, you can check if the Traefik router works fine trough Traefik's dashboard / traefik logs / accessing the setted domain trough https, or / and check HTTPS, SMTP and IMAP trough the commands shown on the page linked before.</p>"},{"location":"post_installation/firststeps-rp/#caddy-v2-supported-by-the-community","title":"Caddy v2 (supported by the community)","text":"<p>Warning</p> <p>This is an unsupported community contribution. Feel free to provide fixes.</p> <p>The configuration of Caddy with mailcow is very simple.</p> <p>In the caddyfile you just have to create a section for the mailserver.</p> <p>For example <pre><code>MAILCOW_HOSTNAME autodiscover.MAILCOW_HOSTNAME autoconfig.MAILCOW_HOSTNAME {\n log {\n output file /var/log/caddy/MAILCOW_HOSTNAME.log {\n roll_disabled\n roll_size 512M\n roll_uncompressed\n roll_local_time\n roll_keep 3\n roll_keep_for 48h\n }\n }\n\n reverse_proxy 127.0.0.1:HTTP_BIND\n}\n</code></pre></p> <p>This allows Caddy to automatically create the certificates and accept traffic for these mentioned domains and forward them to mailcow.</p> <p>Important: The ACME client of mailcow must be disabled, otherwise mailcow will fail.</p> <p>Since Caddy takes care of the certificates itself, we can use the following script to include the Caddy generated certificates into mailcow:</p> <pre><code>#!/bin/bash\nMD5SUM_CURRENT_CERT=($(md5sum /opt/mailcow-dockerized/data/assets/ssl/cert.pem))\nMD5SUM_NEW_CERT=($(md5sum /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/your.domain.tld/your.domain.tld.crt))\n\nif [ $MD5SUM_CURRENT_CERT != $MD5SUM_NEW_CERT ]; then\n cp /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/your.domain.tld/your.domain.tld.crt /opt/mailcow-dockerized/data/assets/ssl/cert.pem\n cp /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/your.domain.tld/your.domain.tld.key /opt/mailcow-dockerized/data/assets/ssl/key.pem\n postfix_c=$(docker ps -qaf name=postfix-mailcow)\n dovecot_c=$(docker ps -qaf name=dovecot-mailcow)\n nginx_c=$(docker ps -qaf name=nginx-mailcow)\n docker restart ${postfix_c} ${dovecot_c} ${nginx_c}\n\nelse\n echo \"Certs not copied from Caddy (Not needed)\"\nfi\n</code></pre> <p>Attention</p> <p>Caddy's certificate path varies depending on the installation type. In this installation example, Caddy was installed using the Caddy repo (more informations here). To find out the Caddy certificate path on your system, just run a <code>find / -name \"certificates\"</code>.</p> <p>This script could be called as a cronjob every hour:</p> <pre><code>0 * * * * /bin/bash /path/to/script/deploy-certs.sh &gt;/dev/null 2&gt;&amp;1\n</code></pre>"},{"location":"post_installation/firststeps-rp/#optional-post-hook-script-for-non-mailcow-acme-clients","title":"Optional: Post-hook script for non-mailcow ACME clients","text":"<p>Using a local certbot (or any other ACME client) requires to restart some containers, you can do this with a post-hook script. Make sure you change the paths accordingly: <pre><code>#!/bin/bash\ncp /etc/letsencrypt/live/my.domain.tld/fullchain.pem /opt/mailcow-dockerized/data/assets/ssl/cert.pem\ncp /etc/letsencrypt/live/my.domain.tld/privkey.pem /opt/mailcow-dockerized/data/assets/ssl/key.pem\npostfix_c=$(docker ps -qaf name=postfix-mailcow)\ndovecot_c=$(docker ps -qaf name=dovecot-mailcow)\nnginx_c=$(docker ps -qaf name=nginx-mailcow)\ndocker restart ${postfix_c} ${dovecot_c} ${nginx_c}\n</code></pre></p>"},{"location":"post_installation/firststeps-rp/#adding-additional-server-names-for-mailcow-ui","title":"Adding additional server names for mailcow UI","text":"<p>If you plan to use a server name that is not <code>MAILCOW_HOSTNAME</code> in your reverse proxy, make sure to populate that name in mailcow.conf via <code>ADDITIONAL_SERVER_NAMES</code> first. Names must be separated by commas and must not contain spaces. If you skip this step, mailcow may respond to your reverse proxy with an incorrect site.</p> <pre><code>ADDITIONAL_SERVER_NAMES=webmail.domain.tld,other.example.tld\n</code></pre> <p>Run <code>docker compose up -d</code> to apply.</p>"},{"location":"post_installation/firststeps-rspamd_ui/","title":"Rspamd UI","text":"<p>Rspamd is an easy to use spam filtering tool presently installed with mailcow.</p> <ol> <li>Go to the mailcow web admin interface</li> <li>Navigate to the Access tab. (Access &gt; Rspamd UI)</li> <li>Modify the Rspamd UI password</li> <li>Go to https://${MAILCOW_HOSTNAME}/rspamd in a browser and log in!</li> </ol> <p>Additional configuration options and documentation can be found here : https://rspamd.com/webui/</p>"},{"location":"post_installation/firststeps-snat/","title":"SNAT","text":"<p>SNAT is used to change the source address of the packets sent by mailcow. It can be used to change the outgoing IP address on systems with multiple IP addresses.</p> <p>Open <code>mailcow.conf</code>, set either or both of the following parameters:</p> <pre><code># Use this IPv4 for outgoing connections (SNAT)\nSNAT_TO_SOURCE=1.2.3.4\n\n# Use this IPv6 for outgoing connections (SNAT)\nSNAT6_TO_SOURCE=dead:beef\n</code></pre> <p>Run <code>docker compose up -d</code>.</p> <p>The values are read by netfilter-mailcow. netfilter-mailcow will make sure, the post-routing rules are on position 1 in the netfilter table. It does automatically delete and re-create them if they are found on another position than 1.</p> <p>Check the output of <code>docker compose logs --tail=200 netfilter-mailcow</code> to ensure the SNAT settings have been applied.</p>"},{"location":"post_installation/firststeps-ssl/","title":"Advanced SSL","text":""},{"location":"post_installation/firststeps-ssl/#lets-encrypt-out-of-the-box","title":"Let's Encrypt (out-of-the-box)","text":"<p>The \"acme-mailcow\" container will try to obtain a LE certificate for <code>${MAILCOW_HOSTNAME}</code>, <code>autodiscover.ADDED_MAIL_DOMAIN</code> and <code>autoconfig.ADDED_MAIL_DOMAIN</code>.</p> <p>Warning</p> <p>mailcow must be available on port 80 for the acme-client to work. Our reverse proxy example configurations do cover that. You can also use any external ACME client (certbot for example) to obtain certificates, but you will need to make sure, that they are copied to the correct location and a post-hook reloads affected containers. See more in the Reverse Proxy documentation.</p> <p>By default, which means 0 domains are added to mailcow, it will try to obtain a certificate for <code>${MAILCOW_HOSTNAME}</code>.</p> <p>For each domain you add, it will try to resolve <code>autodiscover.ADDED_MAIL_DOMAIN</code> and <code>autoconfig.ADDED_MAIL_DOMAIN</code> to its IPv6 address or - if IPv6 is not configured in your domain - IPv4 address. If it succeeds, a name will be added as SAN to the certificate request.</p> <p>Only names that can be validated, will be added as SAN.</p> <p>For every domain you remove, the certificate will be moved and a new certificate will be requested. It is not possible to keep domains in a certificate, when we are not able validate the challenge for those.</p> <p>If you want to re-run the ACME client, use <code>docker compose restart acme-mailcow</code> and monitor its logs with <code>docker compose logs --tail=200 -f acme-mailcow</code>.</p>"},{"location":"post_installation/firststeps-ssl/#additional-domain-names","title":"Additional domain names","text":"<p>Edit \"mailcow.conf\" and add a parameter <code>ADDITIONAL_SAN</code> like this:</p> <p>Do not use quotes (<code>\"</code>) and do not use spaces between the names!</p> <pre><code>ADDITIONAL_SAN=smtp.*,cert1.example.com,cert2.example.org,whatever.*\n</code></pre> <p>Each name will be validated against its IPv6 address or - if IPv6 is not configured in your domain - IPv4 address.</p> <p>A wildcard name like <code>smtp.*</code> will try to obtain a smtp.DOMAIN_NAME SAN for each domain added to mailcow.</p> <p>Run <code>docker compose up -d</code> to recreate affected containers automatically.</p> <p>Info</p> <p>Using names other name <code>MAILCOW_HOSTNAME</code> to access the mailcow UI may need further configuration.</p> <p>If you plan to use a server name that is not <code>MAILCOW_HOSTNAME</code> to access the mailcow UI (for example by adding <code>mail.*</code> to <code>ADDITIONAL_SAN</code> make sure to populate that name in mailcow.conf via <code>ADDITIONAL_SERVER_NAMES</code>. Names must be separated by commas and must not contain spaces. If you skip this step, mailcow may respond with an incorrect site.</p> <pre><code>ADDITIONAL_SERVER_NAMES=webmail.domain.tld,other.example.tld\n</code></pre> <p>Run <code>docker compose up -d</code> to apply.</p>"},{"location":"post_installation/firststeps-ssl/#force-renewal","title":"Force renewal","text":"<p>To force a renewal, you need to create a file named <code>force_renew</code> and restart the <code>acme-mailcow</code> container:</p> <pre><code>cd /opt/mailcow-dockerized\ntouch data/assets/ssl/force_renew\ndocker compose restart acme-mailcow\n# Now check the logs for a renewal\ndocker compose logs --tail=200 -f acme-mailcow\n</code></pre> <p>The file will be deleted automatically.</p>"},{"location":"post_installation/firststeps-ssl/#validation-errors-and-how-to-skip-validation","title":"Validation errors and how to skip validation","text":"<p>You can skip the IP verification by setting <code>SKIP_IP_CHECK=y</code> in mailcow.conf (no quotes). Be warned that a misconfiguration will get you ratelimited by Let's Encrypt! This is primarily useful for multi-IP setups where the IP check would return the incorrect source IP address. Due to using dynamic IPs for acme-mailcow, source NAT is not consistent over restarts.</p> <p>If you encounter problems with \"HTTP validation\", but your IP address confirmation succeeds, you are most likely using firewalld, ufw or any other firewall, that disallows connections from <code>br-mailcow</code> to your external interface. Both firewalld and ufw disallow this by default. It is often not enough to just stop these firewall services. You'd need to stop mailcow (<code>docker compose down</code>), stop the firewall service, flush the chains and restart Docker.</p> <p>You can also skip this validation method by setting <code>SKIP_HTTP_VERIFICATION=y</code> in \"mailcow.conf\". Be warned that this is discouraged. In most cases, the HTTP verification is skipped to workaround unknown NAT reflection issues, which are not resolved by ignoring this specific network misconfiguration. If you encounter problems generating TLSA records in the DNS overview within mailcow, you are most likely having issues with NAT reflection you should fix.</p> <p>If you changed a SKIP_* parameter, run <code>docker compose up -d</code> to apply your changes.</p>"},{"location":"post_installation/firststeps-ssl/#disable-lets-encrypt","title":"Disable Let's Encrypt","text":""},{"location":"post_installation/firststeps-ssl/#disable-lets-encrypt-completely","title":"Disable Let's Encrypt completely","text":"<p>Set <code>SKIP_LETS_ENCRYPT=y</code> in \"mailcow.conf\" and recreate \"acme-mailcow\" by running <code>docker compose up -d</code>.</p>"},{"location":"post_installation/firststeps-ssl/#skip-all-names-but-mailcow_hostname","title":"Skip all names but ${MAILCOW_HOSTNAME}","text":"<p>Add <code>ONLY_MAILCOW_HOSTNAME=y</code> to \"mailcow.conf\" and recreate \"acme-mailcow\" by running <code>docker compose up -d</code>.</p>"},{"location":"post_installation/firststeps-ssl/#the-lets-encrypt-subjectaltname-limit-of-100-domains","title":"The Let's Encrypt subjectAltName limit of 100 domains","text":"<p>Let's Encrypt currently has a limit of 100 Domain Names per Certificate.</p> <p>By default, \"acme-mailcow\" will create a single SAN certificate for all validated domains (see the first section and Additional domain names). This provides best compatibility but means the Let's Encrypt limit exceeds if you add too many domains to a single mailcow installation.</p> <p>To solve this, you can configure <code>ENABLE_SSL_SNI</code> to generate:</p> <ul> <li>A main server certificate with <code>MAILCOW_HOSTNAME</code> and all fully qualified domain names in the <code>ADDITIONAL_SAN</code> config</li> <li>One additional certificate for each domain found in the database with autodiscover., autoconfig. and any other <code>ADDITIONAL_SAN</code> configured in this format (subdomain.*).</li> <li>Limitations: A certificate name <code>ADDITIONAL_SAN=test.example.com</code> will be added as SAN to the main certificate. A separate certificate/key pair will not be generated for this format.</li> </ul> <p>Postfix, Dovecot and Nginx will then serve these certificates with SNI.</p> <p>Set <code>ENABLE_SSL_SNI=y</code> in \"mailcow.conf\" and recreate \"acme-mailcow\" by running <code>docker compose up -d</code>.</p> <p>Warning</p> <p>Not all clients support SNI, see Dovecot documentation or Wikipedia. You should make sure these clients use the <code>MAILCOW_HOSTNAME</code> for secure connections if you enable this feature.</p> <p>Here is an example:</p> <ul> <li><code>MAILCOW_HOSTNAME=server.email.tld</code></li> <li><code>ADDITIONAL_SAN=webmail.email.tld,mail.*</code></li> <li>Mailcow email domains: \"domain1.tld\" and \"domain2.tld\"</li> </ul> <p>The following certificates will be generated:</p> <ul> <li><code>server.email.tld, webmail.email.tld</code> -&gt; this is the default certificate, all clients can connect with these domains</li> <li><code>mail.domain1.tld, autoconfig.domain1.tld, autodiscover.domain1.tld</code> -&gt; individual certificate for domain1.tld, cannot be used by clients without SNI support</li> <li><code>mail.domain2.tld, autoconfig.domain2.tld, autodiscover.domain2.tld</code> -&gt; individual certificate for domain2.tld, cannot be used by clients without SNI support</li> </ul>"},{"location":"post_installation/firststeps-ssl/#how-to-use-your-own-certificate","title":"How to use your own certificate","text":"<p>Make sure you disable mailcows internal LE client (see above).</p> <p>To use your own certificates, just save the combined certificate (containing the certificate and intermediate CA/CA if any) to <code>data/assets/ssl/cert.pem</code> and the corresponding key to <code>data/assets/ssl/key.pem</code>.</p> <p>IMPORTANT: Do not use symbolic links! Make sure you copy the certificates and do not link them to <code>data/assets/ssl</code>.</p> <p>Restart affected services afterwards:</p> <pre><code>docker restart $(docker ps -qaf name=postfix-mailcow)\ndocker restart $(docker ps -qaf name=nginx-mailcow)\ndocker restart $(docker ps -qaf name=dovecot-mailcow)\n</code></pre> <p>See Post-hook script for non-mailcow ACME clients for a full example script.</p>"},{"location":"post_installation/firststeps-ssl/#test-against-staging-acme-directory","title":"Test against staging ACME directory","text":"<p>Edit <code>mailcow.conf</code> and add <code>LE_STAGING=y</code>.</p> <p>Run <code>docker compose up -d</code> to activate your changes.</p>"},{"location":"post_installation/firststeps-ssl/#custom-directory-url","title":"Custom directory URL","text":"<p>Edit <code>mailcow.conf</code> and add the corresponding directory URL to the new variable <code>DIRECTORY_URL</code>:</p> <pre><code>DIRECTORY_URL=https://acme-custom-v9000.api.letsencrypt.org/directory\n</code></pre> <p>You cannot use <code>LE_STAGING</code> with <code>DIRECTORY_URL</code>. If both are set, only <code>LE_STAGING</code> is used.</p> <p>Run <code>docker compose up -d</code> to activate your changes.</p>"},{"location":"post_installation/firststeps-ssl/#check-your-configuration","title":"Check your configuration","text":"<p>Run <code>docker compose logs acme-mailcow</code> to find out why a validation fails.</p> <p>To check if nginx serves the correct certificate, simply use a browser of your choice and check the displayed certificate.</p> <p>To check the certificate served by Postfix, Dovecot and Nginx we will use <code>openssl</code>:</p> <pre><code># Connect via SMTP (587)\necho \"Q\" | openssl s_client -starttls smtp -crlf -connect mx.mailcow.email:587\n# Connect via IMAP (143)\necho \"Q\" | openssl s_client -starttls imap -showcerts -connect mx.mailcow.email:143\n# Connect via HTTPS (443)\necho \"Q\" | openssl s_client -connect mx.mailcow.email:443\n</code></pre> <p>To validate the expiry dates as returned by openssl against MAILCOW_HOSTNAME, you are able to use our helper script:</p> <pre><code>cd /opt/mailcow-dockerized\nbash helper-scripts/expiry-dates.sh\n</code></pre>"},{"location":"post_installation/firststeps-sync_jobs_migration/","title":"Sync job migration","text":"<p>Sync jobs are used to copy or move existing emails from an external IMAP server or within mailcow's existing mailboxes.</p> <p>Info</p> <p>Depending on your mailbox's ACL you may not have the option to add a sync job. Please contact your domain administrator if so.</p>"},{"location":"post_installation/firststeps-sync_jobs_migration/#setup-a-sync-job","title":"Setup a Sync Job","text":"<ol> <li> <p>In the \"Configuration &gt; Mail Setup\" or \"User Settings\" interface, create a new sync job.</p> </li> <li> <p>If you are an administrator, select the username of the downstream mailcow mailbox in the \"Username\" dropdown.</p> </li> <li> <p>Fill in the \"Host\" and \"Port\" fields with their respective correct values from the upstream IMAP server.</p> </li> <li> <p>In the \"Username\" and \"Password\" fields, supply the correct access credentials from the upstream IMAP server.</p> </li> <li> <p>Select the \"Encryption Method\". If the upstream IMAP server uses port 143, it is likely that the encryption method is TLS and SSL for port 993. Nevertheless, you can use PLAIN authentication, but it is stongly discouraged.</p> </li> <li> <p>For all ther other fields, you can leave them as is or modify them as desired.</p> </li> <li> <p>Make sure to tick \"Active\" and click \"Add\".</p> </li> </ol> <p>Info</p> <p>Once Completed, log into the mailbox and check if all emails are imported correctly. If all goes well, all your mails shall end up in your new mailbox. And don't forget to delete or deactivate the sync job after it is used.</p>"},{"location":"prerequisite/prerequisite-dns/","title":"DNS setup","text":"<p>Below you can find a list of recommended DNS records. While some are mandatory for a mail server (A, MX), others are recommended to build a good reputation score (TXT/SPF) or used for auto-configuration of mail clients (SRV).</p>"},{"location":"prerequisite/prerequisite-dns/#references","title":"References","text":"<ul> <li>A good article covering all relevant topics: \"3 DNS Records Every Email Marketer Must Know\"</li> <li>Another great one, but Zimbra as an example platform: \"Best Practices on Email Protection: SPF, DKIM and DMARC\"</li> <li>An in-depth discussion of SPF, DKIM and DMARC: \"How to eliminate spam and protect your name with DMARC\"</li> <li>A thorough guide on understanding DMARC: \"Demystifying DMARC: A guide to preventing email spoofing\"</li> </ul>"},{"location":"prerequisite/prerequisite-dns/#reverse-dns-of-your-ip-address","title":"Reverse DNS of your IP address","text":"<p>Make sure that the PTR record of your IP address matches the FQDN of your mailcow host: <code>${MAILCOW_HOSTNAME}</code> 1. This record is usually set at the provider you leased the IP address (server) from.</p>"},{"location":"prerequisite/prerequisite-dns/#the-minimal-dns-configuration","title":"The minimal DNS configuration","text":"<p>This example shows you a set of records for one domain managed by mailcow. Each domain that is added to mailcow needs at least this set of records to function correctly.</p> <pre><code># Name Type Value\nmail IN A 1.2.3.4\nautodiscover IN CNAME mail.example.org. (your ${MAILCOW_HOSTNAME})\nautoconfig IN CNAME mail.example.org. (your ${MAILCOW_HOSTNAME})\n@ IN MX 10 mail.example.org. (your ${MAILCOW_HOSTNAME})\n</code></pre> <p>Note: The <code>mail</code> DNS record which binds the subdomain to the given ip address must only be set for the domain on which mailcow is running and that is used to access the web interface. For every other mailcow managed domain, the <code>MX</code> record will route the traffic.</p>"},{"location":"prerequisite/prerequisite-dns/#dkim-spf-and-dmarc","title":"DKIM, SPF and DMARC","text":"<p>In the example DNS zone file snippet below, a simple SPF TXT record is used to only allow THIS server (the MX) to send mail for your domain. Every other server is disallowed but able to (\"<code>~all</code>\"). Please refer to SPF Project for further reading.</p> <pre><code># Name Type Value\n@ IN TXT \"v=spf1 mx a -all\"\n</code></pre> <p>It is highly recommended to create a DKIM TXT record in your mailcow UI and set the corresponding TXT record in your DNS records. Please refer to OpenDKIM for further reading.</p> <pre><code># Name Type Value\ndkim._domainkey IN TXT \"v=DKIM1; k=rsa; t=s; s=email; p=...\"\n</code></pre> <p>The last step in protecting yourself and others is the implementation of a DMARC TXT record, for example by using the DMARC Assistant (check).</p> <pre><code># Name Type Value\n_dmarc IN TXT \"v=DMARC1; p=reject; rua=mailto:mailauth-reports@example.org\"\n</code></pre>"},{"location":"prerequisite/prerequisite-dns/#the-advanced-dns-configuration","title":"The advanced DNS configuration","text":"<p>SRV records specify the server(s) for a specific protocol on your domain. If you want to explicitly announce a service as not provided, give \".\" as the target address (instead of \"mail.example.org.\"). Please refer to RFC 2782.</p> <pre><code># Name Type Priority Weight Port Value\n_autodiscover._tcp IN SRV 0 1 443 mail.example.org. (your ${MAILCOW_HOSTNAME})\n_caldavs._tcp IN SRV 0 1 443 mail.example.org. (your ${MAILCOW_HOSTNAME})\n_caldavs._tcp IN TXT \"path=/SOGo/dav/\"\n_carddavs._tcp IN SRV 0 1 443 mail.example.org. (your ${MAILCOW_HOSTNAME})\n_carddavs._tcp IN TXT \"path=/SOGo/dav/\"\n_imap._tcp IN SRV 0 1 143 mail.example.org. (your ${MAILCOW_HOSTNAME})\n_imaps._tcp IN SRV 0 1 993 mail.example.org. (your ${MAILCOW_HOSTNAME})\n_pop3._tcp IN SRV 0 1 110 mail.example.org. (your ${MAILCOW_HOSTNAME})\n_pop3s._tcp IN SRV 0 1 995 mail.example.org. (your ${MAILCOW_HOSTNAME})\n_sieve._tcp IN SRV 0 1 4190 mail.example.org. (your ${MAILCOW_HOSTNAME})\n_smtps._tcp IN SRV 0 1 465 mail.example.org. (your ${MAILCOW_HOSTNAME})\n_submission._tcp IN SRV 0 1 587 mail.example.org. (your ${MAILCOW_HOSTNAME})\n</code></pre>"},{"location":"prerequisite/prerequisite-dns/#testing","title":"Testing","text":"<p>Here are some tools you can use to verify your DNS configuration:</p> <ul> <li>MX Toolbox (DNS, SMTP, RBL)</li> <li>port25.com (DKIM, SPF)</li> <li>Mail-tester (DKIM, DMARC, SPF)</li> <li>DMARC Analyzer (DMARC, SPF)</li> <li>MultiRBL.valli.org (DNSBL, RBL, FCrDNS)</li> </ul>"},{"location":"prerequisite/prerequisite-dns/#misc","title":"Misc","text":""},{"location":"prerequisite/prerequisite-dns/#optional-dmarc-statistics","title":"Optional DMARC Statistics","text":"<p>If you are interested in statistics, you can additionally register with some of the many below DMARC statistic services - or self-host your own.</p> <p>Tip</p> <p>It is worth considering that if you request DMARC statistic reports to your mailcow server and your mailcow server is not configured correctly to receive these reports, you may not get accurate and complete results. Please consider using an alternative email domain for receiving DMARC reports.</p> <p>It is worth mentioning, that the following suggestions are not a comprehensive list of all services and tools available, but only a small few of the many choices.</p> <ul> <li>Postmaster Tool</li> <li>parsedmarc (self-hosted)</li> <li>Fraudmarc</li> <li>Postmark</li> <li>Dmarcian</li> </ul> <p>Tip</p> <p>These services may provide you with a TXT record you need to insert into your DNS records as the provider specifies. Please ensure you read the provider's documentation from the service you choose as this process may vary.</p>"},{"location":"prerequisite/prerequisite-dns/#email-test-for-spf-dkim-and-dmarc","title":"Email test for SPF, DKIM and DMARC:","text":"<p>To run a rudimentary email authentication check, send a mail to <code>check-auth at verifier.port25.com</code> and wait for a reply. You will find a report similar to the following:</p> <pre><code>==========================================================\nSummary of Results\n==========================================================\nSPF check: pass\n\"iprev\" check: pass\nDKIM check: pass\nDKIM check: pass\nSpamAssassin check: ham\n\n==========================================================\nDetails:\n==========================================================\n....\n</code></pre> <p>The full report will contain more technical details.</p>"},{"location":"prerequisite/prerequisite-dns/#fully-qualified-domain-name-fqdn","title":"Fully Qualified Domain Name (FQDN)","text":"<ol> <li> <p>A Fully Qualified Domain Name (FQDN) is the complete (absolute) domain name for a specific computer or host, on the Internet. The FQDN consists of at least three parts divided by a dot: the hostname, the domain name, and the Top Level Domain (TLD for short). In the example of <code>mx.mailcow.email</code> the hostname would be <code>mx</code>, the domain name <code>mailcow</code> and the TLD <code>email</code>.\u00a0\u21a9</p> </li> </ol>"},{"location":"prerequisite/prerequisite-system/","title":"Prepare your system","text":"<p>Before you run mailcow: dockerized, there are a few requirements that you should check:</p> <p>Warning</p> <p>Do not try to install mailcow on a Synology/QNAP device (any NAS), OpenVZ, LXC or other container platforms. KVM, ESX, Hyper-V and other full virtualization platforms are supported.</p> <p>Info</p> <ul> <li>mailcow: dockerized requires some ports to be open for incoming connections, so make sure that your firewall is not blocking these.</li> <li>Make sure that no other application is interfering with mailcow's configuration, such as another mail service</li> <li>A correct DNS setup is crucial to every good mailserver setup, so please make sure you got at least the basics covered before you begin!</li> <li>Make sure that your system has a correct date and time setup. This is crucial for various components like two factor TOTP authentication.</li> </ul>"},{"location":"prerequisite/prerequisite-system/#minimum-system-resources","title":"Minimum System Resources","text":"<p>Not supported</p> <p>OpenVZ, Virtuozzo and LXC</p> <p>Please make sure that your system has at least the following resources:</p> Resource mailcow: dockerized CPU 1 GHz RAM Minimum 6 GiB + 1 GiB swap (default config) Disk 20 GiB (without emails) System Type x86_64 <p>ClamAV and Solr can be greedy with RAM. You may disable them in <code>mailcow.conf</code> by settings <code>SKIP_CLAMD=y</code> and <code>SKIP_SOLR=y</code>.</p> <p>Info</p> <p>We are aware that a pure MTA can run on 128 MiB RAM. mailcow is a full-grown and ready-to-use groupware with many extras making life easier. mailcow comes with a webserver, webmailer, ActiveSync (MS), antivirus, antispam, indexing (Solr), document scanner (Oletools), SQL (MariaDB), Cache (Redis), MDA, MTA, various web services etc.</p> <p>A single SOGo worker can acquire ~350 MiB RAM before it gets purged. The more ActiveSync connections you plan to use, the more RAM you will need. A default configuration spawns 20 workers.</p>"},{"location":"prerequisite/prerequisite-system/#ram-usage-examples","title":"RAM usage examples","text":"<p>A company with 15 phones (EAS enabled) and about 50 concurrent IMAP connections should plan 16 GiB RAM.</p> <p>6 GiB RAM + 1 GiB swap are fine for most private installations while 8 GiB RAM are recommended for ~5 to 10 users.</p> <p>We can help to correctly plan your setup as part of our support.</p>"},{"location":"prerequisite/prerequisite-system/#supported-os","title":"Supported OS","text":"<p>Basically, mailcow can be used on any distribution that is supported by Docker CE (see https://docs.docker.com/install/). However, in some cases there may be incompatibilities between the operating systems and the mailcow components.</p> <p>The following table contains all operating systems officially supported and tested by us (as of November 2022):</p> OS Compatibility Alpine 3.16 and older \u26a0\ufe0f Centos 7 \u2705 Debian 10, 11 \u2705 Ubuntu 18.04, 20.04, 22.04 \u2705 Rocky Linux 9 \u2754 <p>Legend<p>\u2705 = Works out of the box using the instructions. \u26a0\ufe0f = Requires some manual adjustments otherwise usable. \u274c = In general NOT Compatible. \u2754 = Pending.</p> </p> <p>Note: All other operating systems (not mentioned) may also work, but have not been officially tested.</p>"},{"location":"prerequisite/prerequisite-system/#firewall-ports","title":"Firewall &amp; Ports","text":"<p>Please check if any of mailcow's standard ports are open and not in use by other applications:</p> <pre><code>ss -tlpn | grep -E -w '25|80|110|143|443|465|587|993|995|4190'\n# or:\nnetstat -tulpn | grep -E -w '25|80|110|143|443|465|587|993|995|4190'\n</code></pre> <p>Danger</p> <p>There are several problems with running mailcow on a firewalld/ufw enabled system. You should disable it (if possible) and move your ruleset to the DOCKER-USER chain, which is not cleared by a Docker service restart, instead. See this (blog.donnex.net) or this (unrouted.io) guide for information about how to use iptables-persistent with the DOCKER-USER chain. As mailcow runs dockerized, INPUT rules have no effect on restricting access to mailcow. Use the FORWARD chain instead.</p> <p>If this command returns any results please remove or stop the application running on that port. You may also adjust mailcows ports via the <code>mailcow.conf</code> configuration file.</p>"},{"location":"prerequisite/prerequisite-system/#default-ports","title":"Default Ports","text":"<p>If you have a firewall in front of mailcow, please make sure that these ports are open for incoming connections:</p> Service Protocol Port Container Variable Postfix SMTP TCP 25 postfix-mailcow <code>${SMTP_PORT}</code> Postfix SMTPS TCP 465 postfix-mailcow <code>${SMTPS_PORT}</code> Postfix Submission TCP 587 postfix-mailcow <code>${SUBMISSION_PORT}</code> Dovecot IMAP TCP 143 dovecot-mailcow <code>${IMAP_PORT}</code> Dovecot IMAPS TCP 993 dovecot-mailcow <code>${IMAPS_PORT}</code> Dovecot POP3 TCP 110 dovecot-mailcow <code>${POP_PORT}</code> Dovecot POP3S TCP 995 dovecot-mailcow <code>${POPS_PORT}</code> Dovecot ManageSieve TCP 4190 dovecot-mailcow <code>${SIEVE_PORT}</code> HTTP(S) TCP 80/443 nginx-mailcow <code>${HTTP_PORT}</code> / <code>${HTTPS_PORT}</code> <p>To bind a service to an IP address, you can prepend the IP like this: <code>SMTP_PORT=1.2.3.4:25</code></p> <p>Important: You cannot use IP:PORT bindings in HTTP_PORT and HTTPS_PORT. Please use <code>HTTP_PORT=1234</code> and <code>HTTP_BIND=1.2.3.4</code> instead.</p>"},{"location":"prerequisite/prerequisite-system/#important-for-hetzner-firewalls","title":"Important for Hetzner firewalls","text":"<p>Quoting https://github.com/chermsen via https://github.com/mailcow/mailcow-dockerized/issues/497#issuecomment-469847380 (THANK YOU!):</p> <p>For all who are struggling with the Hetzner firewall:</p> <p>Port 53 unimportant for the firewall configuration in this case. According to the documentation unbound uses the port range 1024-65535 for outgoing requests. Since the Hetzner Robot Firewall is a static firewall (each incoming packet is checked isolated) - the following rules must be applied:</p> <p>For TCP <pre><code>SRC-IP: ---\nDST IP: ---\nSRC Port: ---\nDST Port: 1024-65535\nProtocol: tcp\nTCP flags: ack\nAction: Accept\n</code></pre></p> <p>For UDP <pre><code>SRC-IP: ---\nDST IP: ---\nSRC Port: ---\nDST Port: 1024-65535\nProtocol: udp\nAction: Accept\n</code></pre></p> <p>If you want to apply a more restrictive port range you have to change the config of unbound first (after installation):</p> <p>{mailcow-dockerized}/data/conf/unbound/unbound.conf: <pre><code>outgoing-port-avoid: 0-32767\n</code></pre></p> <p>Now the firewall rules can be adjusted as follows:</p> <pre><code>[...]\nDST Port: 32768-65535\n[...]\n</code></pre>"},{"location":"prerequisite/prerequisite-system/#date-and-time","title":"Date and Time","text":"<p>To ensure that you have the correct date and time setup on your system, please check the output of <code>timedatectl status</code>:</p> <pre><code>$ timedatectl status\n Local time: Sat 2017-05-06 02:12:33 CEST\n Universal time: Sat 2017-05-06 00:12:33 UTC\n RTC time: Sat 2017-05-06 00:12:32\n Time zone: Europe/Berlin (CEST, +0200)\n NTP enabled: yes\nNTP synchronized: yes\n RTC in local TZ: no\n DST active: yes\n Last DST change: DST began at\n Sun 2017-03-26 01:59:59 CET\n Sun 2017-03-26 03:00:00 CEST\n Next DST change: DST ends (the clock jumps one hour backwards) at\n Sun 2017-10-29 02:59:59 CEST\n Sun 2017-10-29 02:00:00 CET\n</code></pre> <p>The lines <code>NTP enabled: yes</code> and <code>NTP synchronized: yes</code> indicate whether you have NTP enabled and if it's synchronized.</p> <p>To enable NTP you need to run the command <code>timedatectl set-ntp true</code>. You also need to edit your <code>/etc/systemd/timesyncd.conf</code>:</p> <pre><code># vim /etc/systemd/timesyncd.conf\n[Time]\nNTP=0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org\n</code></pre>"},{"location":"prerequisite/prerequisite-system/#hetzner-cloud-and-probably-others","title":"Hetzner Cloud (and probably others)","text":"<p>Check <code>/etc/network/interfaces.d/50-cloud-init.cfg</code> and change the IPv6 interface from eth0:0 to eth0:</p> <pre><code># Wrong:\nauto eth0:0\niface eth0:0 inet6 static\n# Right:\nauto eth0\niface eth0 inet6 static\n</code></pre> <p>Reboot or restart the interface. You may want to disable cloud-init network changes.</p>"},{"location":"prerequisite/prerequisite-system/#mtu","title":"MTU","text":"<p>Especially relevant for OpenStack users: Check your MTU and set it accordingly in docker-compose.yml. See Troubleshooting in our Installation guide.</p>"},{"location":"third_party/borgmatic/third_party-borgmatic/","title":"Borgmatic Backup","text":""},{"location":"third_party/borgmatic/third_party-borgmatic/#introduction","title":"Introduction","text":"<p>Borgmatic is a great way to run backups on your Mailcow setup as it securely encrypts your data and is extremely easy to set up.</p> <p>Due to it's deduplication capabilities you can store a great number of backups without wasting large amounts of disk space. This allows you to run backups in very short intervals to ensure minimal data loss when the need arises to recover data from a backup.</p> <p>This document guides you through the process to enable continuous backups for mailcow with borgmatic. The borgmatic functionality is provided by the borgmatic Docker image. Check out the <code>README</code> in that repository to find out about the other options (such as push notifications) that are available. This guide only covers the basics.</p>"},{"location":"third_party/borgmatic/third_party-borgmatic/#setting-up-borgmatic","title":"Setting up borgmatic","text":""},{"location":"third_party/borgmatic/third_party-borgmatic/#create-or-amend-docker-composeoverrideyml","title":"Create or amend <code>docker-compose.override.yml</code>","text":"<p>In the mailcow-dockerized root folder create or edit <code>docker-compose.override.yml</code> and insert the following configuration:</p> <pre><code>version: '2.1'\n\nservices:\n borgmatic-mailcow:\n image: ghcr.io/borgmatic-collective/borgmatic\n hostname: mailcow\n restart: always\n dns: ${IPV4_NETWORK:-172.22.1}.254\n volumes:\n - vmail-vol-1:/mnt/source/vmail:ro\n - crypt-vol-1:/mnt/source/crypt:ro\n - redis-vol-1:/mnt/source/redis:ro,z\n - rspamd-vol-1:/mnt/source/rspamd:ro,z\n - postfix-vol-1:/mnt/source/postfix:ro,z\n - mysql-socket-vol-1:/var/run/mysqld/:z\n - borg-config-vol-1:/root/.config/borg:Z\n - borg-cache-vol-1:/root/.cache/borg:Z\n - ./data/conf/borgmatic/etc:/etc/borgmatic.d:Z\n - ./data/conf/borgmatic/ssh:/root/.ssh:Z\n environment:\n - TZ=${TZ}\n - BORG_PASSPHRASE=YouBetterPutSomethingRealGoodHere\n networks:\n mailcow-network:\n aliases:\n - borgmatic\n\nvolumes:\n borg-cache-vol-1:\n borg-config-vol-1:\n</code></pre> <p>Ensure that you change the <code>BORG_PASSPHRASE</code> to a secure passphrase of your choosing.</p> <p>For security reasons we mount the maildir as read-only. If you later want to restore data you will need to remove the <code>ro</code> flag prior to restoring the data. This is described in the section on restoring backups.</p>"},{"location":"third_party/borgmatic/third_party-borgmatic/#create-dataconfborgmaticetcconfigyaml","title":"Create <code>data/conf/borgmatic/etc/config.yaml</code>","text":"<p>Next, we need to create the borgmatic configuration.</p> <pre><code>source mailcow.conf\ncat &lt;&lt;EOF &gt; data/conf/borgmatic/etc/config.yaml\nlocation:\n source_directories:\n - /mnt/source\n repositories:\n - ssh://user@rsync.net:22/./mailcow\n exclude_patterns:\n - '/mnt/source/postfix/public/'\n - '/mnt/source/postfix/private/'\n - '/mnt/source/rspamd/rspamd.sock'\n\nretention:\n keep_hourly: 24\n keep_daily: 7\n keep_weekly: 4\n keep_monthly: 6\n prefix: \"\"\n\nhooks:\n mysql_databases:\n - name: ${DBNAME}\n username: ${DBUSER}\n password: ${DBPASS}\n options: --default-character-set=utf8mb4\nEOF\n</code></pre> <p>Creating the file in this way ensures the correct MySQL credentials are pulled in from <code>mailcow.conf</code>.</p> <p>This file is a minimal example for using borgmatic with an account <code>user</code> on the cloud storage provider <code>rsync.net</code> for a repository called <code>mailcow</code> (see <code>repositories</code> setting). It will backup both the maildir and MySQL database, which is all you should need to restore your mailcow setup after an incident. The retention settings will keep one archive for each hour of the past 24 hours, one per day of the week, one per week of the month and one per month of the past half year.</p> <p>Check the borgmatic documentation on how to use other types of repositories or configuration options. If you choose to use a local filesystem as a backup destination make sure to mount it into the container. The container defines a volume called <code>/mnt/borg-repository</code> for this purpose.</p> <p>Note</p> <p>If you do not use rsync.net you can most likely drop the <code>remote_path</code> element from your config.</p>"},{"location":"third_party/borgmatic/third_party-borgmatic/#create-a-crontab","title":"Create a crontab","text":"<p>Create a new text file in <code>data/conf/borgmatic/etc/crontab.txt</code> with the following content:</p> <pre><code>14 * * * * PATH=$PATH:/usr/local/bin /usr/local/bin/borgmatic --stats -v 0 2&gt;&amp;1\n</code></pre> <p>This file expects crontab syntax. The example shown here will trigger the backup to run every hour at 14 minutes past the hour and log some nice stats at the end.</p>"},{"location":"third_party/borgmatic/third_party-borgmatic/#place-ssh-keys-in-folder","title":"Place SSH keys in folder","text":"<p>Place the SSH keys you intend to use for remote repository connections in <code>data/conf/borgmatic/ssh</code>. OpenSSH expects the usual <code>id_rsa</code>, <code>id_ed25519</code> or similar to be in this directory. Ensure the file is <code>chmod 600</code> and not world readable or OpenSSH will refuse to use the SSH key.</p>"},{"location":"third_party/borgmatic/third_party-borgmatic/#bring-up-the-container","title":"Bring up the container","text":"<p>For the next step we need the container to be up and running in a configured state. To do that run:</p> <pre><code>docker compose up -d\n</code></pre>"},{"location":"third_party/borgmatic/third_party-borgmatic/#initialize-the-repository","title":"Initialize the repository","text":"<p>By now your borgmatic container is up and running, but the backups will currently fail due to the repository not being initialized.</p> <p>To initialize the repository run:</p> <pre><code>docker compose exec borgmatic-mailcow borgmatic init --encryption repokey-blake2\n</code></pre> <p>You will be asked you to authenticate the SSH host key of your remote repository server. See if it matches and confirm the prompt by entering <code>yes</code>. The repository will be initialized with the passphrase you set in the <code>BORG_PASSPHRASE</code> environment variable earlier.</p> <p>When using any of the <code>repokey</code> encryption methods the encryption key will be stored in the repository itself and not on the client, so there is no further action required in this regard. If you decide to use a <code>keyfile</code> instead of a <code>repokey</code> make sure you export the key and back it up separately. Check the Exporting Keys section for how to retrieve the key.</p>"},{"location":"third_party/borgmatic/third_party-borgmatic/#restart-container","title":"Restart container","text":"<p>Now that we finished configuring and initializing the repository restart the container to ensure it is in a defined state:</p> <pre><code>docker compose restart borgmatic-mailcow\n</code></pre>"},{"location":"third_party/borgmatic/third_party-borgmatic/#restoring-from-a-backup","title":"Restoring from a backup","text":"<p>Restoring a backup assumes you are starting off with a fresh installation of mailcow, and you currently do not have any custom data in your maildir or your mailcow database.</p>"},{"location":"third_party/borgmatic/third_party-borgmatic/#restore-maildir","title":"Restore maildir","text":"<p>Warning</p> <p>Doing this will overwrite files in your maildir! Do not run this unless you actually intend to recover mail files from a backup.</p> <p>If you use SELinux in Enforcing mode</p> <p>If you are using mailcow on a host with SELinux in Enforcing mode you will have to temporarily disable it during extraction of the archive as the mailcow setup labels the vmail volume as private, belonging to the dovecot container exclusively. SELinux will (rightfully) prevent any other container, such as the borgmatic container, from writing to this volume.</p> <p>Before running a restore you must make the vmail volume writeable in <code>docker-compose.override.yml</code> by removing the <code>ro</code> flag from the volume. Then you can use the following command to restore the maildir from a backup:</p> <pre><code>docker compose exec borgmatic-mailcow borgmatic extract --path mnt/source --archive latest\n</code></pre> <p>Alternatively you can specify any archive name from the list of archives (see Listing all available archives)</p>"},{"location":"third_party/borgmatic/third_party-borgmatic/#restore-mysql","title":"Restore MySQL","text":"<p>Warning</p> <p>Running this command will delete and recreate the mailcow database! Do not run this unless you actually intend to recover the mailcow database from a backup.</p> <p>To restore the MySQL database from the latest archive use this command:</p> <pre><code>docker compose exec borgmatic-mailcow borgmatic restore --archive latest\n</code></pre> <p>Alternatively you can specify any archive name from the list of archives (see Listing all available archives)</p>"},{"location":"third_party/borgmatic/third_party-borgmatic/#after-restoring","title":"After restoring","text":"<p>After restoring you need to restart mailcow. If you disabled SELinux enforcing mode now would be a good time to re-enable it.</p> <p>To restart mailcow use the follwing command:</p> <pre><code>docker compose down &amp;&amp; docker compose up -d\n</code></pre> <p>If you use SELinux this will also trigger the re-labeling of all files in your vmail volume. Be patient, as this may take a while if you have lots of files.</p>"},{"location":"third_party/borgmatic/third_party-borgmatic/#useful-commands","title":"Useful commands","text":""},{"location":"third_party/borgmatic/third_party-borgmatic/#manual-archiving-run-with-debugging-output","title":"Manual archiving run (with debugging output)","text":"<pre><code>docker compose exec borgmatic-mailcow borgmatic -v 2\n</code></pre>"},{"location":"third_party/borgmatic/third_party-borgmatic/#listing-all-available-archives","title":"Listing all available archives","text":"<pre><code>docker compose exec borgmatic-mailcow borgmatic list\n</code></pre>"},{"location":"third_party/borgmatic/third_party-borgmatic/#break-lock","title":"Break lock","text":"<p>When borg is interrupted during an archiving run it will leave behind a stale lock that needs to be cleared before any new operations can be performed:</p> <pre><code>docker compose exec borgmatic-mailcow borg break-lock user@rsync.net:mailcow\n</code></pre> <p>Where <code>user@rsync.net:mailcow</code> is the URI to your repository.</p> <p>Now would be a good time to do a manual archiving run to ensure it can be successfully performed.</p>"},{"location":"third_party/borgmatic/third_party-borgmatic/#exporting-keys","title":"Exporting keys","text":"<p>When using any of the <code>keyfile</code> methods for encryption you MUST take care of backing up the key files yourself. The key files are generated when you initialize the repository. The <code>repokey</code> methods store the key file within the repository, so a manual backup isn't as essential.</p> <p>Note that in either case you also must have the passphrase to decrypt any archives.</p> <p>To fetch the keyfile run:</p> <pre><code>docker compose exec borgmatic-mailcow borg key export --paper user@rsync.net:mailcow\n</code></pre> <p>Where <code>user@rsync.net:mailcow</code> is the URI to your repository.</p>"},{"location":"third_party/checkmk/u_e-checkmk/","title":"CheckMK","text":"<p>Mailcow provides the ability to check for updates using its own update script.</p> <p>If you want to check for mailcow updates using checkmk, you can create an executable file in the <code>local</code> directory of the checkmk agent (typically <code>/usr/lib/check_mk_agent/local/</code>) with the name <code>mailcow_update</code> and the following content:</p> <pre><code>#!/bin/bash\ncd /opt/mailcow-dockerized/ &amp;&amp; ./update.sh -c &gt;/dev/null\nstatus=$?\nif [ $status -eq 3 ]; then\n echo \"0 \\\"mailcow_update\\\" mailcow_update=0;1;;0;1 No updates available.\"\nelif [ $status -eq 0 ]; then\n echo \"1 \\\"mailcow_update\\\" mailcow_update=1;1;;0;1 Updated code is available.\\nThe changes can be found here: https://github.com/mailcow/mailcow-dockerized/commits/master\"\nelse\n echo \"3 \\\"mailcow_update\\\" - Unknown output from update script ...\"\nfi\nexit\n</code></pre> <p>If the mailcow installation directory is not <code>/opt/</code>, adjust this in the 2nd line.</p> <p>After that re-inventory the services for your mailcow host in checmk and a new check named <code>mailcow_update</code> should be selectable.</p> <p>This will run the <code>mailcow_update</code> everytime checkmk agent is checked, you can cache the result by placing the script in a subfolder named the number of seconds you wish to cache it. \\ <code>/usr/lib/check_mk_agent/local/3600/</code> will cache the response for an 3600 seconds (1 hour).</p>"},{"location":"third_party/checkmk/u_e-checkmk/#screenshots","title":"Screenshots","text":""},{"location":"third_party/checkmk/u_e-checkmk/#no-updates-available","title":"No updates available","text":"<p>If there are no updates available, <code>OK</code> is displayed.</p>"},{"location":"third_party/checkmk/u_e-checkmk/#new-updates-available","title":"New updates available","text":"<p>If updates are available, <code>WARN</code> is displayed.</p> <p>If <code>CRIT</code> is desired instead, replace the 7th line with the following:</p> <pre><code> echo \"2 \\\"mailcow_update\\\" mailcow_update=1;1;;0;1 Updated code is available.\\nThe changes can be found here: https://github.com/mailcow/mailcow-dockerized/commits/master\"\n</code></pre>"},{"location":"third_party/checkmk/u_e-checkmk/#detailed-check-output","title":"Detailed check output","text":"<ul> <li>This provides a link to mailcow's GitHub commits, if updates are available.</li> <li>Metrics are also displayed ( not only when updates are available):</li> <li>0 = No updates available</li> <li>1 = New updates available</li> </ul>"},{"location":"third_party/exchange_onprem/third_party-exchange_onprem/","title":"Exchange Hybrid Setup","text":"<p>Using Microsoft Exchange in a hybrid setup is possible with mailcow. With this setup you can add mailboxes on your mailcow and still use Exchange Online Protection. All mailboxes setup in Exchange will receive their mails as usual, while with the hybrid approach additional Mailboxes can be setup in mailcow without any further configuration.</p> <p>This setup becomes very handy if you have enabled the Office 365 security defaults and third party applications can no longer login into your mailboxes by any of the supported methods.</p>"},{"location":"third_party/exchange_onprem/third_party-exchange_onprem/#requirements","title":"Requirements","text":"<ul> <li>The mx Record of your domain needs to point at the Exchange mail service. Log into your Admin center and look out for the dns settings of your domain to find your personalized gateway domain. It should look like this <code>contoso-com.mail.protection.outlook.com</code>. Contact your domain registrant to get further information on how to change mx record.</li> <li>The domain you want to have additional mailboxes for must be setup as <code>internal relay domain</code> in Exchange.<ol> <li>Log in to your Exchange Admin Center</li> <li>Select the <code>mail flow</code> pane and click on <code>accepted domains</code></li> <li>Select the domain and switch it from <code>authorative</code> to <code>internal relay</code></li> </ol> </li> </ul>"},{"location":"third_party/exchange_onprem/third_party-exchange_onprem/#set-up-the-mailcow","title":"Set up the mailcow","text":"<p>Your mailcow needs to relay all mails to your personalized Exchange Host. It is the same host address we already looked up for the mx Record.</p> <ol> <li>Add the domain to your mailcow</li> <li>Add your personalized Exchange Host address as relayhost</li> <li>Add your personalized Exchange Host address as forwarding host to unconditionally accepted all relayed mails from Exchange. (Admin &gt; Configuration &amp; Details &gt; Configuration Dropdown &gt; Forwarding Hosts)</li> <li>Go to the domain settings and select the newly added host on the <code>Sender-dependent transports</code> dropdown. Enable relaying by ticking the <code>Relay this domain</code>, <code>Relay all recipients</code> and the <code>Relay non-existing mailboxes only.</code> checkboxes</li> </ol> <p>Info</p> <p>From now on your mailcow will accept all mails relayed from Exchange. The inbound filtering and so the neural learning of your cow will no longer work. Because all mails are routed through Exchange the filtering process is handled there.</p>"},{"location":"third_party/exchange_onprem/third_party-exchange_onprem/#set-up-connectors-in-exchange","title":"Set up Connectors in Exchange","text":"<p>All mail traffic now goes through Exchange. At this point the Exchange Online Protection already filters all incoming and outgoing mails. Now we need to set up two connectors to relay incoming mails from our Exchange Service to the mailcow and another one to allow mails relayed from the mailcow to our exchange service. You can follow the official guide from Microsoft.</p> <p>Warning</p> <p>For the connector that handles mails from your mailcow to Exchange Microsoft offers two ways of authenticating it. The recommended way is to use a tls certificate configured with a subject name that matches an accepted domain in Exchange. Otherwise you need to choose authentication with the static ip address of your mailcow.</p>"},{"location":"third_party/exchange_onprem/third_party-exchange_onprem/#validating","title":"Validating","text":"<p>The easiest way to validate the hybrid setup is by sending a mail from the internet to a mailbox that only exists on the mailcow and vice versa.</p>"},{"location":"third_party/exchange_onprem/third_party-exchange_onprem/#common-issues","title":"Common Issues","text":"<ul> <li>The connector validation from Exchange to your mailcow failed with <code>550 5.1.10 RESOLVER.ADR.RecipientNotFound; Recipient test@contoso.com not found by SMTP address lookup</code> Possible Solution: Your domain is not set up as <code>internal relay</code>. Exchange therefore cannot find the recipient</li> <li>Mails sent from the mailcow to a mailbox in the internet cannot be sent. Non Delivery Report with error <code>550 5.7.64 TenantAttribution; Relay Access Denied</code> Possible Solution: The authentication method failed. Make sure the certificate subject matches an accepted domain in Exchange. Try authenticating by static ip instead.</li> </ul> <p>Microsoft Guide for the connector setup and additional requirements: https://docs.microsoft.com/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/set-up-connectors-to-route-mail#prerequisites-for-your-on-premises-email-environment</p>"},{"location":"third_party/gitea/third_party-gitea/","title":"Gitea","text":"<p>With Gitea' ability to authenticate over SMTP it is trivial to integrate it with mailcow. Few changes are needed:</p> <p>1. Open <code>docker-compose.override.yml</code> and add gitea:</p> <pre><code>version: '2.1'\nservices:\n\n gitea-mailcow:\n image: gitea/gitea:1\n volumes:\n - ./data/gitea:/data\n networks:\n mailcow-network:\n aliases:\n - gitea\n ports:\n - \"${GITEA_SSH_PORT:-127.0.0.1:4000}:22\"\n</code></pre> <p>2. Create <code>data/conf/nginx/site.gitea.custom</code>, add: <pre><code>location /gitea/ {\n proxy_pass http://gitea:3000/;\n}\n</code></pre></p> <p>3. Open <code>mailcow.conf</code> and define the binding you want gitea to use for SSH. Example:</p> <pre><code>GITEA_SSH_PORT=127.0.0.1:4000\n</code></pre> <p>5. Run <code>docker compose up -d</code> to bring up the gitea container and run <code>docker compose restart nginx-mailcow</code> afterwards.</p> <p>6. If you forced mailcow to https, execute step 9 and restart gitea with <code>docker compose restart gitea-mailcow</code> . Go head with step 7 (Remember to use https instead of http, <code>https://mx.example.org/gitea/</code> </p> <p>7. Open <code>http://${MAILCOW_HOSTNAME}/gitea/</code>, for example <code>http://mx.example.org/gitea/</code>. For database details set <code>mysql</code> as database host. Use the value of DBNAME found in mailcow.conf as database name, DBUSER as database user and DBPASS as database password.</p> <p>8. Once the installation is complete, login as admin and set \"settings\" -&gt; \"authorization\" -&gt; \"enable SMTP\". SMTP Host should be <code>postfix</code> with port <code>587</code>, set <code>Skip TLS Verify</code> as we are using an unlisted SAN (\"postfix\" is most likely not part of your certificate).</p> <p>9. Create <code>data/gitea/gitea/conf/app.ini</code> and set following values. You can consult gitea cheat sheet for their meaning and other possible values.</p> <pre><code>[server]\nSSH_LISTEN_PORT = 22\n# For GITEA_SSH_PORT=127.0.0.1:4000 in mailcow.conf, set:\nSSH_DOMAIN = 127.0.0.1\nSSH_PORT = 4000\n# For MAILCOW_HOSTNAME=mx.example.org in mailcow.conf (and default ports for HTTPS), set:\nROOT_URL = https://mx.example.org/gitea/\n</code></pre> <p>10. Restart gitea with <code>docker compose restart gitea-mailcow</code>. Your users should be able to login with mailcow managed accounts.</p>"},{"location":"third_party/gogs/third_party-gogs/","title":"Gogs","text":"<p>With Gogs' ability to authenticate over SMTP it is trivial to integrate it with mailcow. Few changes are needed:</p> <p>1. Open <code>docker-compose.override.yml</code> and add Gogs:</p> <pre><code>version: '2.1'\nservices:\n\n gogs-mailcow:\n image: gogs/gogs\n volumes:\n - ./data/gogs:/data\n networks:\n mailcow-network:\n aliases:\n - gogs\n ports:\n - \"${GOGS_SSH_PORT:-127.0.0.1:4000}:22\"\n</code></pre> <p>2. Create <code>data/conf/nginx/site.gogs.custom</code>, add: <pre><code>location /gogs/ {\n proxy_pass http://gogs:3000/;\n}\n</code></pre></p> <p>3. Open <code>mailcow.conf</code> and define the binding you want Gogs to use for SSH. Example:</p> <pre><code>GOGS_SSH_PORT=127.0.0.1:4000\n</code></pre> <p>5. Run <code>docker compose up -d</code> to bring up the Gogs container and run <code>docker compose restart nginx-mailcow</code> afterwards.</p> <p>6. Open <code>http://${MAILCOW_HOSTNAME}/gogs/</code>, for example <code>http://mx.example.org/gogs/</code>. For database details set <code>mysql</code> as database host. Use the value of DBNAME found in mailcow.conf as database name, DBUSER as database user and DBPASS as database password.</p> <p>7. Once the installation is complete, login as admin and set \"settings\" -&gt; \"authorization\" -&gt; \"enable SMTP\". SMTP Host should be <code>postfix</code> with port <code>587</code>, set <code>Skip TLS Verify</code> as we are using an unlisted SAN (\"postfix\" is most likely not part of your certificate).</p> <p>8. Create <code>data/gogs/gogs/conf/app.ini</code> and set following values. You can consult Gogs cheat sheet for their meaning and other possible values.</p> <pre><code>[server]\nSSH_LISTEN_PORT = 22\n# For GOGS_SSH_PORT=127.0.0.1:4000 in mailcow.conf, set:\nSSH_DOMAIN = 127.0.0.1\nSSH_PORT = 4000\n# For MAILCOW_HOSTNAME=mx.example.org in mailcow.conf (and default ports for HTTPS), set:\nROOT_URL = https://mx.example.org/gogs/\n</code></pre> <p>9. Restart Gogs with <code>docker compose restart gogs-mailcow</code>. Your users should be able to login with mailcow managed accounts.</p>"},{"location":"third_party/mailman3/third_party-mailman3/","title":"Installing mailcow and Mailman 3 based on dockerized versions","text":"<p>Info</p> <p>This guide is a copy from dockerized-mailcow-mailman. Please post issues, questions and improvements in the issue tracker there.</p> <p>Warning</p> <p>mailcow is not responsible for any data loss, hardware damage or broken keyboards. This guide comes without any warranty. Make backups before starting, 'coze: No backup no pity!</p>"},{"location":"third_party/mailman3/third_party-mailman3/#introduction","title":"Introduction","text":"<p>This guide aims to install and configure mailcow-dockerized with docker-mailman and to provide some useful scripts. An essential condition is, to preserve mailcow and Mailman in their own installations for independent updates.</p> <p>There are some guides and projects on the internet, but they are not up to date and/or incomplete in documentation or configuration. This guide is based on the work of:</p> <ul> <li>mailcow-mailman3-dockerized by Shadowghost</li> <li>mailman-mailcow-integration</li> </ul> <p>After finishing this guide, mailcow-dockerized and docker-mailman will run and Apache as a reverse proxy will serve the web frontends.</p> <p>The operating system used is an Ubuntu 20.04 LTS.</p>"},{"location":"third_party/mailman3/third_party-mailman3/#installation","title":"Installation","text":"<p>This guide is based on different steps:</p> <ol> <li>DNS setup</li> <li>Install Apache as a reverse proxy</li> <li>Obtain SSL certificates with Let's Encrypt</li> <li>Install mailcow with Mailman integration</li> <li>Install Mailman</li> <li>\ud83c\udfc3 Run</li> </ol>"},{"location":"third_party/mailman3/third_party-mailman3/#dns-setup","title":"DNS setup","text":"<p>Most of the configuration is covered by mailcows DNS setup. After finishing this setup add another subdomain for Mailman, e.g. <code>lists.example.org</code> that points to the same server:</p> <pre><code># Name Type Value\nlists IN A 1.2.3.4\nlists IN AAAA dead:beef\n</code></pre>"},{"location":"third_party/mailman3/third_party-mailman3/#install-apache-as-a-reverse-proxy","title":"Install Apache as a reverse proxy","text":"<p>Install Apache, e.g. with this guide from Digital Ocean: How To Install the Apache Web Server on Ubuntu 20.04.</p> <p>Activate certain Apache modules (as root or sudo):</p> <pre><code>a2enmod rewrite proxy proxy_http headers ssl wsgi proxy_uwsgi http2\n</code></pre> <p>Maybe you have to install further packages to get these modules. This PPA by Ond\u0159ej Sur\u00fd may help you.</p>"},{"location":"third_party/mailman3/third_party-mailman3/#vhost-configuration","title":"vHost configuration","text":"<p>Copy the mailcow.conf and the mailman.conf in the Apache conf folder <code>sites-available</code> (e.g. under <code>/etc/apache2/sites-available</code>).</p> <p>Change in <code>mailcow.conf</code>: - <code>MAILCOW_HOSTNAME</code> to your MAILCOW_HOSTNAME</p> <p>Change in <code>mailman.conf</code>: - <code>MAILMAN_DOMAIN</code> to your Mailman domain (e.g. <code>lists.example.org</code>)</p> <p>Don't activate the configuration, as the ssl certificates and directories are missing yet.</p>"},{"location":"third_party/mailman3/third_party-mailman3/#obtain-ssl-certificates-with-lets-encrypt","title":"Obtain SSL certificates with Let's Encrypt","text":"<p>Check if your DNS config is available over the internet and points to the right IP addresses, e.g. with MXToolBox:</p> <ul> <li>https://mxtoolbox.com/SuperTool.aspx?action=a%3aMAILCOW_HOSTNAME</li> <li>https://mxtoolbox.com/SuperTool.aspx?action=aaaa%3aMAILCOW_HOSTNAME</li> <li>https://mxtoolbox.com/SuperTool.aspx?action=a%3aMAILMAN_DOMAIN</li> <li>https://mxtoolbox.com/SuperTool.aspx?action=aaaa%3aMAILMAN_DOMAIN</li> </ul> <p>Install certbot (as root or sudo):</p> <pre><code>apt install certbot\n</code></pre> <p>Get the desired certificates (as root or sudo):</p> <pre><code>certbot certonly -d MAILCOW_HOSTNAME\ncertbot certonly -d MAILMAN_DOMAIN\n</code></pre>"},{"location":"third_party/mailman3/third_party-mailman3/#install-mailcow-with-mailman-integration","title":"Install mailcow with Mailman integration","text":""},{"location":"third_party/mailman3/third_party-mailman3/#install-mailcow","title":"Install mailcow","text":"<p>Follow the mailcow installation. Omit step 5 and do not pull and up with <code>docker compose</code>!</p>"},{"location":"third_party/mailman3/third_party-mailman3/#configure-mailcow","title":"Configure mailcow","text":"<p>This is also Step 4 in the official mailcow installation (<code>nano mailcow.conf</code>). So change to your needs and alter the following variables:</p> <pre><code>HTTP_PORT=18080 # don't use 8080 as mailman needs it\nHTTP_BIND=127.0.0.1 #\nHTTPS_PORT=18443 # you may use 8443\nHTTPS_BIND=127.0.0.1 #\n\nSKIP_LETS_ENCRYPT=y # reverse proxy will do the SSL termination\n\nSNAT_TO_SOURCE=1.2.3.4 # change this to your IPv4\nSNAT6_TO_SOURCE=dead:beef # change this to your global IPv6\n</code></pre>"},{"location":"third_party/mailman3/third_party-mailman3/#add-mailman-integration","title":"Add Mailman integration","text":"<p>Create the file <code>/opt/mailcow-dockerized/docker-compose.override.yml</code> (e.g. with <code>nano</code>) and add the following lines:</p> <p><pre><code>version: '2.1'\n\nservices:\n postfix-mailcow:\n volumes:\n - /opt/mailman:/opt/mailman\n networks:\n - docker-mailman_mailman\n\nnetworks:\n docker-mailman_mailman:\n external: true\n</code></pre> The additional volume is used by Mailman to generate additional config files for mailcow postfix. The external network is build and used by Mailman. mailcow needs it to deliver incoming list mails to Mailman.</p> <p>Create the file <code>/opt/mailcow-dockerized/data/conf/postfix/extra.cf</code> (e.g. with <code>nano</code>) and add the following lines:</p> <p><pre><code># mailman\n\nrecipient_delimiter = +\nunknown_local_recipient_reject_code = 550\nowner_request_special = no\n\nlocal_recipient_maps =\n regexp:/opt/mailman/core/var/data/postfix_lmtp,\n proxy:unix:passwd.byname,\n $alias_maps\nvirtual_mailbox_maps =\n proxy:mysql:/opt/postfix/conf/sql/mysql_virtual_mailbox_maps.cf,\n regexp:/opt/mailman/core/var/data/postfix_lmtp\ntransport_maps =\n pcre:/opt/postfix/conf/custom_transport.pcre,\n pcre:/opt/postfix/conf/local_transport,\n proxy:mysql:/opt/postfix/conf/sql/mysql_relay_ne.cf,\n proxy:mysql:/opt/postfix/conf/sql/mysql_transport_maps.cf,\n regexp:/opt/mailman/core/var/data/postfix_lmtp\nrelay_domains =\n proxy:mysql:/opt/postfix/conf/sql/mysql_virtual_relay_domain_maps.cf,\n regexp:/opt/mailman/core/var/data/postfix_domains\nrelay_recipient_maps =\n proxy:mysql:/opt/postfix/conf/sql/mysql_relay_recipient_maps.cf,\n regexp:/opt/mailman/core/var/data/postfix_lmtp\n</code></pre> As we overwrite mailcow postfix configuration here, this step may break your normal mail transports. Check the original configuration files if anything changed.</p>"},{"location":"third_party/mailman3/third_party-mailman3/#ssl-certificates","title":"SSL certificates","text":"<p>As we proxying mailcow, we need to copy the SSL certificates into the mailcow file structure. This task will do the script renew-ssl.sh for us:</p> <ul> <li>Copy the file to <code>/opt/mailcow-dockerized</code></li> <li>Change mailcow_HOSTNAME to your mailcow hostname</li> <li>Make it executable (<code>chmod a+x renew-ssl.sh</code>)</li> <li>Do not run it yet, as we first need Mailman</li> </ul> <p>You have to create a cronjob, so that new certificates will be copied. Execute as root or sudo:</p> <pre><code>crontab -e\n</code></pre> <p>To run the script every day at 5am, add:</p> <pre><code>0 5 * * * /opt/mailcow-dockerized/renew-ssl.sh\n</code></pre>"},{"location":"third_party/mailman3/third_party-mailman3/#install-mailman","title":"Install Mailman","text":"<p>Basicly follow the instructions at docker-mailman. As they are a lot, here is in a nuthshell what to do:</p> <p>As root or sudo:</p> <pre><code>cd /opt\nmkdir -p mailman/core\nmkdir -p mailman/web\ngit clone https://github.com/maxking/docker-mailman\ncd docker-mailman\n</code></pre>"},{"location":"third_party/mailman3/third_party-mailman3/#configure-mailman","title":"Configure Mailman","text":"<p>Create a long key for Hyperkitty, e.g. with the linux command <code>cat /dev/urandom | tr -dc a-zA-Z0-9 | head -c30; echo</code>. Save this key for a moment as HYPERKITTY_KEY.</p> <p>Create a long password for the database, e.g. with the linux command <code>cat /dev/urandom | tr -dc a-zA-Z0-9 | head -c30; echo</code>. Save this password for a moment as DBPASS.</p> <p>Create a long key for Django, e.g. with the linux command <code>cat /dev/urandom | tr -dc a-zA-Z0-9 | head -c30; echo</code>. Save this key for a moment as DJANGO_KEY.</p> <p>Create the file <code>/opt/docker-mailman/docker compose.override.yaml</code> and replace <code>HYPERKITTY_KEY</code>, <code>DBPASS</code> and <code>DJANGO_KEY</code> with the generated values:</p> <pre><code>version: '2'\n\nservices:\n mailman-core:\n environment:\n - DATABASE_URL=postgres://mailman:DBPASS@database/mailmandb\n - HYPERKITTY_API_KEY=HYPERKITTY_KEY\n - TZ=Europe/Berlin\n - MTA=postfix\n restart: always\n networks:\n - mailman\n\n mailman-web:\n environment:\n - DATABASE_URL=postgres://mailman:DBPASS@database/mailmandb\n - HYPERKITTY_API_KEY=HYPERKITTY_KEY\n - TZ=Europe/Berlin\n - SECRET_KEY=DJANGO_KEY\n - SERVE_FROM_DOMAIN=MAILMAN_DOMAIN # e.g. lists.example.org\n - MAILMAN_ADMIN_USER=admin # the admin user\n - MAILMAN_ADMIN_EMAIL=admin@example.org # the admin mail address\n - UWSGI_STATIC_MAP=/static=/opt/mailman-web-data/static\n restart: always\n\n database:\n environment:\n - POSTGRES_PASSWORD=DBPASS\n restart: always\n</code></pre> <p>At <code>mailman-web</code> fill in correct values for <code>SERVE_FROM_DOMAIN</code> (e.g. <code>lists.example.org</code>), <code>MAILMAN_ADMIN_USER</code> and <code>MAILMAN_ADMIN_EMAIL</code>. You need the admin credentials to log into the web interface (Postorius). For setting the password for the first time use the Forgot password function in the web interface.</p> <p>About other configuration options read Mailman-web and Mailman-core documentation.</p>"},{"location":"third_party/mailman3/third_party-mailman3/#configure-mailman-core-and-mailman-web","title":"Configure Mailman core and Mailman web","text":"<p>Create the file <code>/opt/mailman/core/mailman-extra.cfg</code> with the following content. <code>mailman@example.org</code> should be pointing to a valid mail box or redirection.</p> <pre><code>[mailman]\ndefault_language: de\nsite_owner: mailman@example.org\n</code></pre> <p>Create the file <code>/opt/mailman/web/settings_local.py</code> with the following content. <code>mailman@example.org</code> should be pointing to a valid mail box or redirection.</p> <p><pre><code># locale\nLANGUAGE_CODE = 'de-de'\n\n# disable social authentication\nMAILMAN_WEB_SOCIAL_AUTH = []\n\n# change it\nDEFAULT_FROM_EMAIL = 'mailman@example.org'\n\nDEBUG = False\n</code></pre> You can change <code>LANGUAGE_CODE</code> and <code>SOCIALACCOUNT_PROVIDERS</code> to your needs.</p>"},{"location":"third_party/mailman3/third_party-mailman3/#run","title":"\ud83c\udfc3 Run","text":"<p>Run (as root or sudo)</p> <pre><code>a2ensite mailcow.conf\na2ensite mailman.conf\nsystemctl restart apache2\n\ncd /opt/docker-mailman\ndocker compose pull\ndocker compose up -d\n\ncd /opt/mailcow-dockerized/\ndocker compose pull\n./renew-ssl.sh\n</code></pre> <p>Wait a few minutes! The containers have to create there databases and config files. This can last up to 1 minute and more.</p>"},{"location":"third_party/mailman3/third_party-mailman3/#remarks","title":"Remarks","text":""},{"location":"third_party/mailman3/third_party-mailman3/#new-lists-arent-recognized-by-postfix-instantly","title":"New lists aren't recognized by postfix instantly","text":"<p>When you create a new list and try to immediately send an e-mail, postfix responses with <code>User doesn't exist</code>, because postfix won't deliver it to Mailman yet. The configuration at <code>/opt/mailman/core/var/data/postfix_lmtp</code> is not instantly updated. If you need the list instantly, restart postifx manually:</p> <pre><code>cd /opt/mailcow-dockerized\ndocker compose restart postfix-mailcow\n</code></pre>"},{"location":"third_party/mailman3/third_party-mailman3/#update","title":"Update","text":"<p>mailcow has it's own update script in <code>/opt/mailcow-dockerized/update.sh</code>, see the docs.</p> <p>For Mailman just fetch the newest version from the github repository.</p>"},{"location":"third_party/mailman3/third_party-mailman3/#backup","title":"Backup","text":"<p>mailcow has an own backup script. Read the docs for further informations.</p> <p>Mailman won't state backup instructions in the README.md. In the gitbucket of pgollor is a script that may be helpful.</p>"},{"location":"third_party/mailman3/third_party-mailman3/#todo","title":"ToDo","text":""},{"location":"third_party/mailman3/third_party-mailman3/#install-script","title":"install script","text":"<p>Write a script like in mailman-mailcow-integration/mailman-install.sh as many of the steps are automatable.</p> <ol> <li>Ask for all the configuration variables and create passwords and keys.</li> <li>Do a (semi-)automatic installation.</li> <li>Have fun!</li> </ol>"},{"location":"third_party/mailpiler/third_party-mailpiler_integration/","title":"Mailpiler Integration","text":"<p>This is a simple integration of mailcow aliases and the mailbox name into mailpiler when using IMAP authentication.</p> <p>Disclaimer: This is not officially maintained nor supported by the mailcow project nor its contributors. No warranty or support is being provided, however you're free to open issues on GitHub for filing a bug or provide further ideas. GitHub repo can be found here.</p> <p>Info</p> <p>Support for domain wildcards were implemented in Piler 1.3.10 which was released on 03.01.2021. Prior versions basically do work, but after logging in you won't see emails sent from or to the domain alias. (e.g. when @example.com is an alias for admin@example.com)</p>"},{"location":"third_party/mailpiler/third_party-mailpiler_integration/#the-problem-to-solve","title":"The problem to solve","text":"<p>mailpiler offers the authentication based on IMAP, for example:</p> <pre><code>$config['ENABLE_IMAP_AUTH'] = 1;\n$config['IMAP_HOST'] = 'mail.example.com';\n$config['IMAP_PORT'] = 993;\n$config['IMAP_SSL'] = true;\n</code></pre> <ul> <li>So when you log in using <code>patrik@example.com</code>, you will only see delivered emails sent from or to this specific email address.</li> <li>When additional aliases are defined in mailcow, like <code>team@example.com</code>, you won't see emails sent to or from this email address even the fact you're a recipient of mails sent to this alias address.</li> </ul> <p>By hooking into the authentication process of mailpiler, we are able to get required data via the mailcow API during login. This fires API requests to the mailcow API (requiring read-only API access) to read out the aliases your email address participates and also the \"Name\" of the mailbox specified to display it on the top-right of mailpiler after login.</p> <p>Permitted email addresses can be seen in the mailpiler settings top-right after logging in.</p> <p>Info</p> <p>This is only pulled once during the authentication process. The authorized aliases and the realname are valid for the whole duration of the user session as mailpiler sets them in the session data. If user is removed from specific alias, this will only take effect after next login.</p>"},{"location":"third_party/mailpiler/third_party-mailpiler_integration/#the-solution","title":"The solution","text":"<p>Note: File paths might vary depending on your setup.</p>"},{"location":"third_party/mailpiler/third_party-mailpiler_integration/#requirements","title":"Requirements","text":"<ul> <li>A working mailcow instance</li> <li>A working mailpiler instance (You can find an installation guide here, check supported versions here)</li> <li>An mailcow API key (read-only works just fine): <code>Configuration &amp; Details - Access - Read-Only Access</code>. Don't forget to allow API access from your mailpiler IP.</li> </ul> <p>Warning</p> <p>As mailpiler authenticates against mailcow, our IMAP server, failed logins of users or bots might trigger a block for your mailpiler instance. Therefore you might want to consider whitelisting the IP address of the mailpiler instance within mailcow: <code>Configuration &amp; Details - Configuration - Fail2ban parameters - Whitelisted networks/hosts</code>.</p>"},{"location":"third_party/mailpiler/third_party-mailpiler_integration/#setup","title":"Setup","text":"<ol> <li> <p>Set the custom query function of mailpiler and append this to <code>/usr/local/etc/piler/config-site.php</code>:</p> <pre><code>$config['MAILCOW_API_KEY'] = 'YOUR_READONLY_API_KEY';\n$config['MAILCOW_SET_REALNAME'] = true; // when not specified, then default is false\n$config['CUSTOM_EMAIL_QUERY_FUNCTION'] = 'query_mailcow_for_email_access';\ninclude('auth-mailcow.php');\n</code></pre> <p>You can also change the mailcow hostname, if required: <pre><code>$config['MAILCOW_HOST'] = 'mail.domain.tld'; // defaults to $config['IMAP_HOST']\n</code></pre></p> </li> <li> <p>Download the PHP file with the functions from the GitHub repo:</p> <pre><code>curl -o /usr/local/etc/piler/auth-mailcow.php https://raw.githubusercontent.com/patschi/mailpiler-mailcow-integration/master/auth-mailcow.php\n</code></pre> </li> <li> <p>Done!</p> </li> </ol> <p>Make sure to re-login with your IMAP credentials for changes to take effect.</p> <p>If it doesn't work, most likely something's wrong with the API query itself. Consider debugging by sending manual API requests to the API. (Tip: Open <code>https://mail.domain.tld/api</code> on your instance)</p>"},{"location":"third_party/nextcloud/third_party-nextcloud/","title":"Nextcloud","text":""},{"location":"third_party/nextcloud/third_party-nextcloud/#manage-nextcloud-using-the-helper-script","title":"Manage Nextcloud using the helper script","text":"<p>Nextcloud can be set up (parameter <code>-i</code>) and removed (parameter <code>-p</code>) with the helper script included with mailcow. In order to install Nextcloud simply navigate to your mailcow-dockerized root folder and run the helper script as follows:</p> <p><code>./helper-scripts/nextcloud.sh -i</code></p> <p>In case you have forgotten the password (e.g. for admin) and can't request a new one via the password reset link on the login screen calling the helper script with <code>-r</code> as parameter allows you to set a new password. Only use this option if your Nextcloud isn't configured to use mailcow for authentication as described in the next section.</p> <p>In order for mailcow to generate a a certificate for the nextcloud domain you need to add \"nextcloud.domain.tld\" to ADDITIONAL_SAN in mailcow.conf and run <code>docker compose up -d</code> to apply. For more informaton refer to: Advanced SSL.</p>"},{"location":"third_party/nextcloud/third_party-nextcloud/#background-jobs","title":"Background jobs","text":"<p>To use the recommended setting (cron) to execute the background jobs following lines need to be added to the <code>docker-compose.override.yml</code>:</p> <pre><code>version: '2.1'\nservices:\n php-fpm-mailcow:\n labels:\n ofelia.enabled: \"true\"\n ofelia.job-exec.nextcloud-cron.schedule: \"@every 5m\"\n ofelia.job-exec.nextcloud-cron.command: \"su www-data -s /bin/bash -c \\\"/usr/local/bin/php -f /web/nextcloud/cron.php\\\"\"\n</code></pre> <p>After adding these lines the <code>docker compose up -d</code> command must be executed to update the docker image and also the docker scheduler image must be restarted to pick up the new job definition by executing <code>docker compose restart ofelia-mailcow</code>. To check if the job was successfully picked up by <code>ofelia</code> the command <code>docker compose logs ofelia-mailcow</code> will contain a line similar to <code>New job registered \"nextcloud-cron\" - ...</code>.</p> <p>By adding these lines the background jobs will be executed every 5 minutes. To verify that the execution works correctly, the only way is to see it in the basic settings when logged in as an admin in Nextcloud. If everything is correct the first scheduled execution will change the background jobs processing setting to <code>(X) Cron</code> and the timestamp after <code>Last job ran</code> will be updated every 5 minutes.</p>"},{"location":"third_party/nextcloud/third_party-nextcloud/#configure-nextcloud-to-use-mailcow-for-authentication","title":"Configure Nextcloud to use mailcow for authentication","text":"<p>The following describes how set up authentication via mailcow using the OAuth2 protocol. We will only assume that you have already set up Nextcloud at cloud.example.com and that your mailcow is running at mail.example.com. It does not matter if your Nextcloud is running on a different server, you can still use mailcow for authentication.</p> <p>1. Log into mailcow as administrator.</p> <p>2. Scroll down to OAuth2 Apps and click the Add button. Specify the redirect URI as <code>https://cloud.example.com/index.php/apps/sociallogin/custom_oauth2/Mailcow</code> and click Add. Save the client ID and secret for later.</p> <p>Info</p> <p>Some installations, including those setup using the helper script of mailcow, need to remove index.php/ from the URL to get a successful redirect: <code>https://cloud.example.com/apps/sociallogin/custom_oauth2/Mailcow</code></p> <p>3. Log into Nextcloud as administrator.</p> <p>4. Click the button in the top right corner and select Apps. Click the search button in the toolbar, search for the Social Login plugin and click Download and enable next to it.</p> <p>5. Click the button in the top right corner and select Settings. Scroll down to the Administration section on the left and click Social login.</p> <p>6. Uncheck the following items:</p> <ul> <li>\"Disable auto create new users\"</li> <li>\"Allow users to connect social logins with their accounts\"</li> <li>\"Do not prune not available user groups on login\"</li> <li>\"Automatically create groups if they do not exists\"</li> <li>\"Restrict login for users without mapped groups\"</li> </ul> <p>7. Check the following items:</p> <ul> <li>\"Prevent creating an account if the email address exists in another account\"</li> <li>\"Update user profile every login\"</li> <li>\"Disable notify admins about new users\"</li> </ul> <p>Click the Save button.</p> <p>8. Scroll down to Custom OAuth2 and click the + button. 9. Configure the parameters as follows:</p> <ul> <li>Internal name: <code>Mailcow</code></li> <li>Title: <code>Mailcow</code></li> <li>API Base URL: <code>https://mail.example.com</code></li> <li>Authorize URL: <code>https://mail.example.com/oauth/authorize</code></li> <li>Token URL: <code>https://mail.example.com/oauth/token</code></li> <li>Profile URL: <code>https://mail.example.com/oauth/profile</code></li> <li>Logout URL: (leave blank)</li> <li>Client ID: (what you obtained in step 1)</li> <li>Client Secret: (what you obtained in step 1)</li> <li>Scope: <code>profile</code></li> </ul> <p>Click the Save button at the very bottom of the page.</p> <p>If you have previously used Nextcloud with mailcow authentication via user_external/IMAP, you need to perform some additional steps to link your existing user accounts with OAuth2.</p> <p>1. Click the button in the top right corner and select Apps. Scroll down to the External user authentication app and click Remove next to it. 2. Run the following queries in your Nextcloud database (if you set up Nextcloud using mailcow's script, you can run <code>source mailcow.conf &amp;&amp; docker compose exec mysql-mailcow mysql -u$DBUSER -p$DBPASS $DBNAME</code>): <pre><code>INSERT INTO nc_users (uid, uid_lower) SELECT DISTINCT uid, LOWER(uid) FROM nc_users_external;\nINSERT INTO nc_sociallogin_connect (uid, identifier) SELECT DISTINCT uid, CONCAT(\"Mailcow-\", uid) FROM nc_users_external;\n</code></pre></p> <p>If you have previously used Nextcloud without mailcow authentication, but with the same usernames as mailcow, you can also link your existing user accounts with OAuth2.</p> <p>1. Run the following queries in your Nextcloud database (if you set up Nextcloud using mailcow's script, you can run <code>source mailcow.conf &amp;&amp; docker compose exec mysql-mailcow mysql -u$DBUSER -p$DBPASS $DBNAME</code>): <pre><code>INSERT INTO nc_sociallogin_connect (uid, identifier) SELECT DISTINCT uid, CONCAT(\"Mailcow-\", uid) FROM nc_users;\n</code></pre></p>"},{"location":"third_party/nextcloud/third_party-nextcloud/#update","title":"Update","text":"<p>The Nextcloud instance can be updated easily with the web update mechanism. In the case of larger updates, there may be further changes to be made after the update. After the Nextcloud instance has been checked, problems are shown. This can be e.g. missing indices in the DB or similar. It shows which commands have to be executed, these have to be placed in the php-fpm-mailcow container.</p> <p>As an an example run the following command to add the missing indices. <code>docker exec -it -u www-data $(docker ps -f name=php-fpm-mailcow -q) bash -c \"php /web/nextcloud/occ db:add-missing-indices\"</code></p>"},{"location":"third_party/nextcloud/third_party-nextcloud/#debugging-troubleshooting","title":"Debugging &amp; Troubleshooting","text":"<p>It may happen that you cannot reach the Nextcloud instance from your network. This may be due to the fact that the entry of your subnet in the array 'trusted_proxies' is missing. You can make changes in the Nextcloud config.php in <code>data/web/nextcloud/config/*</code>.</p> <pre><code>'trusted_proxies' =&gt;\n array (\n 0 =&gt; 'fd4d:6169:6c63:6f77::/64',\n 1 =&gt; '172.22.1.0/24',\n 2 =&gt; 'NewSubnet/24',\n ),\n</code></pre> <p>After the changes have been made, the nginx container must be restarted. <code>docker compose restart nginx-mailcow</code></p>"},{"location":"third_party/portainer/third_party-portainer/","title":"Portainer","text":"<p>In order to enable Portainer, the docker-compose.yml and site.conf for Nginx must be modified.</p> <p>1. Create a new file <code>docker-compose.override.yml</code> in the mailcow-dockerized root folder and insert the following configuration <pre><code>version: '2.1'\nservices:\n portainer-mailcow:\n image: portainer/portainer-ce\n volumes:\n - /var/run/docker.sock:/var/run/docker.sock\n - ./data/conf/portainer:/data\n restart: always\n dns:\n - 172.22.1.254\n dns_search: mailcow-network\n networks:\n mailcow-network:\n aliases:\n - portainer\n</code></pre> 2a. Create <code>data/conf/nginx/portainer.conf</code>: <pre><code>upstream portainer {\n server portainer-mailcow:9000;\n}\n\nmap $http_upgrade $connection_upgrade {\n default upgrade;\n '' close;\n}\n</code></pre></p> <p>2b. Insert a new location to the default mailcow site by creating the file <code>data/conf/nginx/site.portainer.custom</code>: <pre><code> location /portainer/ {\n proxy_http_version 1.1;\n proxy_set_header Host $http_host; # required for docker client's sake\n proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP\n proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;\n proxy_set_header X-Forwarded-Proto $scheme;\n proxy_read_timeout 900;\n\n proxy_set_header Connection \"\";\n proxy_buffers 32 4k;\n proxy_pass http://portainer/;\n }\n\n location /portainer/api/websocket/ {\n proxy_http_version 1.1;\n proxy_set_header Upgrade $http_upgrade;\n proxy_set_header Connection $connection_upgrade;\n proxy_pass http://portainer/api/websocket/;\n }\n</code></pre></p> <p>3. Apply your changes: <pre><code>docker compose up -d &amp;&amp; docker compose restart nginx-mailcow\n</code></pre></p> <p>Now you can simply navigate to https://${MAILCOW_HOSTNAME}/portainer/ to view your Portainer container monitoring page. You\u2019ll then be prompted to specify a new password for the admin account. After specifying your password, you\u2019ll then be able to connect to the Portainer UI.</p>"},{"location":"third_party/portainer/third_party-portainer/#reverse-proxy","title":"Reverse Proxy","text":"<p>If you are using a reverse proxy you will have to configure it to properly forward websocket requests.</p> <p>This needs to be done for the docker console and other components to work.</p> <p>Here is an example for Apache:</p> <pre><code>&lt;Location /portainer/api/websocket/&gt;\n RewriteEngine on\n RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]\n RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]\n RewriteRule /portainer/api/websocket/(.*) ws://127.0.0.1:8080/portainer/api/websocket/$1 [P]\n&lt;/Location&gt;\n</code></pre>"},{"location":"third_party/roundcube/third_party-roundcube/","title":"Roundcube","text":""},{"location":"third_party/roundcube/third_party-roundcube/#installing-roundcube","title":"Installing Roundcube","text":"<p>Download Roundcube 1.6.x to the web htdocs directory and extract it (here <code>rc/</code>): <pre><code># Check for a newer release!\ncd data/web\nwget -O - https://github.com/roundcube/roundcubemail/releases/download/1.6.0/roundcubemail-1.6.0-complete.tar.gz | tar xfvz -\n\n# Change folder name\nmv roundcubemail-1.6.0 rc\n\n# Change permissions\nchown -R root: rc/\n</code></pre></p> <p>If you need spell check features, create a file <code>data/hooks/phpfpm/aspell.sh</code> with the following content, then <code>chmod +x data/hooks/phpfpm/aspell.sh</code>. This installs a local spell check engine. Note, most modern web browsers have built in spell check, so you may not want/need this. <pre><code>#!/bin/bash\napk update\napk add aspell-en # or any other language\n</code></pre></p> <p>Create a file <code>data/web/rc/config/config.inc.php</code> with the following content. - Change the <code>des_key</code> parameter to a random value. It is used to temporarily store your IMAP password. - The <code>db_prefix</code> is optional but recommended. - If you didn't install spell check in the above step, remove <code>spellcheck_engine</code> parameter and replace it with <code>$config['enable_spellcheck'] = false;</code>. <pre><code>&lt;?php\nerror_reporting(0);\nif (!file_exists('/tmp/mime.types')) {\nfile_put_contents(\"/tmp/mime.types\", fopen(\"http://svn.apache.org/repos/asf/httpd/httpd/trunk/docs/conf/mime.types\", 'r'));\n}\n$config = array();\n$config['db_dsnw'] = 'mysql://' . getenv('DBUSER') . ':' . getenv('DBPASS') . '@mysql/' . getenv('DBNAME');\n$config['imap_host'] = 'tls://dovecot:143';\n$config['smtp_host'] = 'tls://postfix:587';\n$config['smtp_user'] = '%u';\n$config['smtp_pass'] = '%p';\n$config['support_url'] = '';\n$config['product_name'] = 'Roundcube Webmail';\n$config['des_key'] = 'yourrandomstring_changeme';\n$config['log_dir'] = '/dev/null';\n$config['temp_dir'] = '/tmp';\n$config['plugins'] = array(\n 'archive',\n 'managesieve'\n);\n$config['spellcheck_engine'] = 'aspell';\n$config['mime_types'] = '/tmp/mime.types';\n$config['imap_conn_options'] = array(\n 'ssl' =&gt; array('verify_peer' =&gt; false, 'verify_peer_name' =&gt; false, 'allow_self_signed' =&gt; true)\n);\n$config['enable_installer'] = true;\n$config['smtp_conn_options'] = array(\n 'ssl' =&gt; array('verify_peer' =&gt; false, 'verify_peer_name' =&gt; false, 'allow_self_signed' =&gt; true)\n);\n$config['db_prefix'] = 'mailcow_rc1';\n</code></pre></p> <p>Point your browser to <code>https://myserver/rc/installer</code> and follow the instructions. Initialize the database and leave the installer.</p> <p>Delete the directory <code>data/web/rc/installer</code> after a successful installation!</p>"},{"location":"third_party/roundcube/third_party-roundcube/#configure-managesieve-filtering","title":"Configure ManageSieve filtering","text":"<p>Open <code>data/web/rc/config/config.inc.php</code> and change the following parameters (or add them at the bottom of that file): <pre><code>$config['managesieve_host'] = 'tls://dovecot:4190';\n$config['managesieve_conn_options'] = array(\n 'ssl' =&gt; array('verify_peer' =&gt; false, 'verify_peer_name' =&gt; false, 'allow_self_signed' =&gt; true)\n);\n// Enables separate management interface for vacation responses (out-of-office)\n// 0 - no separate section (default),\n// 1 - add Vacation section,\n// 2 - add Vacation section, but hide Filters section\n$config['managesieve_vacation'] = 1;\n</code></pre></p>"},{"location":"third_party/roundcube/third_party-roundcube/#enable-change-password-function-in-roundcube","title":"Enable change password function in Roundcube","text":"<p>Open <code>data/web/rc/config/config.inc.php</code> and enable the password plugin:</p> <pre><code>...\n$config['plugins'] = array(\n 'archive',\n 'password',\n);\n...\n</code></pre> <p>Open <code>data/web/rc/plugins/password/password.php</code>, search for <code>case 'ssha':</code> and add above:</p> <pre><code> case 'ssha256':\n $salt = rcube_utils::random_bytes(8);\n $crypted = base64_encode( hash('sha256', $password . $salt, TRUE ) . $salt );\n $prefix = '{SSHA256}';\n break;\n</code></pre> <p>Open <code>data/web/rc/plugins/password/config.inc.php</code> and change the following parameters (or add them at the bottom of that file):</p> <pre><code>$config['password_driver'] = 'sql';\n$config['password_algorithm'] = 'ssha256';\n$config['password_algorithm_prefix'] = '{SSHA256}';\n$config['password_query'] = \"UPDATE mailbox SET password = %P WHERE username = %u\";\n</code></pre>"},{"location":"third_party/roundcube/third_party-roundcube/#integrate-carddav-addressbooks-in-roundcube","title":"Integrate CardDAV addressbooks in Roundcube","text":"<p>Download the latest release of RCMCardDAV to the Roundcube plugin directory and extract it (here <code>rc/plugins</code>): <pre><code>cd data/web/rc/plugins\nwget -O - https://github.com/mstilkerich/rcmcarddav/releases/download/v4.4.1/carddav-v4.4.1-roundcube16.tar.gz | tar xfvz -\nchown -R root: carddav/\n</code></pre></p> <p>Copy the file <code>config.inc.php.dist</code> to <code>config.inc.php</code> (here in <code>rc/plugins/carddav</code>) and append the following preset to the end of the file - don't forget to replace <code>mx.example.org</code> with your own hostname: <pre><code>$prefs['SOGo'] = array(\n 'name' =&gt; 'SOGo',\n 'username' =&gt; '%u',\n 'password' =&gt; '%p',\n 'url' =&gt; 'https://mx.example.org/SOGo/dav/%u/',\n 'carddav_name_only' =&gt; true,\n 'use_categories' =&gt; true,\n 'active' =&gt; true,\n 'readonly' =&gt; false,\n 'refresh_time' =&gt; '02:00:00',\n 'fixed' =&gt; array( 'active', 'name', 'username', 'password', 'refresh_time' ),\n 'hide' =&gt; false,\n);\n</code></pre> Please note, that this preset only integrates the default addressbook (the one that's named \"Personal Address Book\" and can't be deleted). Additional addressbooks are currently not automatically detected but can be manually added within the roundecube settings.</p> <p>Enable the plugin by adding <code>carddav</code> to <code>$config['plugins']</code> in <code>rc/config/config.inc.php</code>.</p> <p>If you want to remove the default addressbooks (stored in the Roundcube database), so that only the CardDAV addressbooks are accessible, append <code>$config['address_book_type'] = '';</code> to the config file <code>data/web/rc/config/config.inc.php</code>.</p> <p>Optionally, you can add Roundcube's link to the mailcow Apps list. To do this, open or create <code>data/web/inc/vars.local.inc.php</code> and add the following code-block:</p> <p>NOTE: Don't forget to add the <code>&lt;?php</code> delimiter on the first line</p> <pre><code>...\n$MAILCOW_APPS = array(\n array(\n 'name' =&gt; 'SOGo',\n 'link' =&gt; '/SOGo/'\n ),\n array(\n 'name' =&gt; 'Roundcube',\n 'link' =&gt; '/rc/'\n )\n);\n...\n</code></pre>"},{"location":"third_party/roundcube/third_party-roundcube/#upgrading-roundcube","title":"Upgrading Roundcube","text":"<p>Upgrading Roundcube is rather simple, go to the Github releases page for Roundcube and get the link for the \"complete.tar.gz\" file for the wanted release. Then follow the below commands and change the URL and Roundcube folder name if needed. </p> <pre><code># Enter a bash session of the mailcow PHP container\ndocker exec -it mailcowdockerized-php-fpm-mailcow-1 bash\n\n# Install required upgrade dependency, then upgrade Roundcube to wanted release\napk add rsync\ncd /tmp\nwget -O - https://github.com/roundcube/roundcubemail/releases/download/1.6.0/roundcubemail-1.6.0-complete.tar.gz | tar xfvz -\ncd roundcubemail-1.6.0\nbin/installto.sh /web/rc\n\n# Type 'Y' and press enter to upgrade your install of Roundcube\n# Type 'N' to \"Do you want me to fix your local configuration\" if prompted\n\n# If you see \"NOTICE: Update dependencies by running php composer.phar update --no-dev\" just download composer.phar and run it:\ncd /web/rc\nwget https://getcomposer.org/download/2.4.2/composer.phar\nphp composer.phar update --no-dev\n# When asked \"Do you trust \"roundcube/plugin-installer\" to execute code and wish to enable it now? (writes \"allow-plugins\" to composer.json) [y,n,d,?] \" hit y and continue.\n\n\n# Remove leftover files\ncd /tmp\nrm -rf roundcube*\n\n# If you're going from 1.5 to 1.6 please run the config file changes below\nsed -i \"s/\\$config\\['default_host'\\].*$/\\$config\\['imap_host'\\]\\ =\\ 'tls:\\/\\/dovecot:143'\\;/\" /web/rc/config/config.inc.php\nsed -i \"/\\$config\\['default_port'\\].*$/d\" /web/rc/config/config.inc.php\nsed -i \"s/\\$config\\['smtp_server'\\].*$/\\$config\\['smtp_host'\\]\\ =\\ 'tls:\\/\\/postfix:587'\\;/\" /web/rc/config/config.inc.php\nsed -i \"/\\$config\\['smtp_port'\\].*$/d\" /web/rc/config/config.inc.php\nsed -i \"s/\\$config\\['managesieve_host'\\].*$/\\$config\\['managesieve_host'\\]\\ =\\ 'tls:\\/\\/dovecot:4190'\\;/\" /web/rc/config/config.inc.php\nsed -i \"/\\$config\\['managesieve_port'\\].*$/d\" /web/rc/config/config.inc.php\n</code></pre>"},{"location":"third_party/roundcube/third_party-roundcube/#let-admins-log-into-roundcube-without-password","title":"Let admins log into Roundcube without password","text":"<p>First, install plugin dovecot_impersonate and add Roundcube as an app (see above).</p> <p>Edit <code>mailcow.conf</code> and add the following:</p> <pre><code># Allow admins to log into Roundcube as email user (without any password)\n# Roundcube with plugin dovecot_impersonate must be installed first\n\nALLOW_ADMIN_EMAIL_LOGIN_ROUNDCUBE=y\n</code></pre> <p>Edit <code>docker-compose.override.yml</code> and crate/extend the section for <code>php-fpm-mailcow</code>:</p> <pre><code>version: '2.1'\nservices:\n php-fpm-mailcow:\n environment:\n - ALLOW_ADMIN_EMAIL_LOGIN_ROUNDCUBE=${ALLOW_ADMIN_EMAIL_LOGIN_ROUNDCUBE:-n}\n</code></pre> <p>Edit <code>data/web/js/site/mailbox.js</code> and the following code after <code>if (ALLOW_ADMIN_EMAIL_LOGIN) { ... }</code></p> <pre><code>if (ALLOW_ADMIN_EMAIL_LOGIN_ROUNDCUBE) {\n item.action += '&lt;a href=\"/rc-auth.php?login=' + encodeURIComponent(item.username) + '\" class=\"login_as btn btn-xs ' + btnSize + ' btn-primary\" target=\"_blank\"&gt;&lt;i class=\"bi bi-envelope-fill\"&gt;&lt;/i&gt; Roundcube&lt;/a&gt;';\n}\n</code></pre> <p>Edit <code>data/web/mailbox.php</code> and add this line to array <code>$template_data</code>:</p> <pre><code> 'allow_admin_email_login_roundcube' =&gt; (preg_match(\"/^(yes|y)+$/i\", $_ENV[\"ALLOW_ADMIN_EMAIL_LOGIN_ROUNDCUBE\"])) ? 'true' : 'false',\n</code></pre> <p>Edit <code>data/web/templates/mailbox.twig</code> and add this code to the bottom of the javascript section:</p> <pre><code> var ALLOW_ADMIN_EMAIL_LOGIN_ROUNDCUBE = {{ allow_admin_email_login_roundcube }};\n</code></pre> <p>Copy the contents of the following files from this Snippet:</p> <ul> <li><code>data/web/inc/lib/RoundcubeAutoLogin.php</code></li> <li><code>data/web/rc-auth.php</code></li> </ul> <p>Finally, restart mailcow</p> <pre><code>docker compose down\ndocker compose up -d\n</code></pre>"},{"location":"troubleshooting/debug-admin_login_sogo/","title":"Admin login to SOGo","text":"<p>This is an experimental feature that allows admins and domain admins to directly log into SOGo as a mailbox user, without knowing the users password.</p> <p>For this, an additional link to SOGo is displayed in the mailbox list (mailcow UI).</p> <p>Multiple concurrent admin-logins to different mailboxes are also possible when using this feature.</p>"},{"location":"troubleshooting/debug-admin_login_sogo/#enabling-the-feature","title":"Enabling the feature","text":"<p>The feature is disabled by default. It can be enabled in the <code>mailcow.conf</code> by setting: <pre><code>ALLOW_ADMIN_EMAIL_LOGIN=y\n</code></pre> and recreating the affected containers with <pre><code>docker compose up -d\n</code></pre></p>"},{"location":"troubleshooting/debug-admin_login_sogo/#drawbacks-when-enabled","title":"Drawbacks when enabled","text":"<ul> <li>Each SOGo page-load and each Active-Sync request will cause an additional execution of an internal PHP script. This might impact load-times of SOGo / EAS. In most cases, this should not be noticeable but should be kept in mind if you face any performance issues.</li> <li>SOGo will not display a logout link for admin-logins, to login normally one has to logout from the mailcow UI so the PHP session is destroyed.</li> <li>Subscribing to another user's calendar or address book while logged in as admin does not work. Neither does inviting other users to calendar events. The page will reload when these things are attempted.</li> </ul>"},{"location":"troubleshooting/debug-admin_login_sogo/#technical-details","title":"Technical details","text":"<p>SOGoTrustProxyAuthentication option is set to YES which makes SOGo trust the x-webobjects-remote-user header.</p> <p>Dovecot will receive a random master-password which is valid for all mailboxes when used by the SOGo container.</p> <p>Clicking on the SOGo button in the mailbox list will open sogo-auth.php which checks permissions, sets session variables and redirects to the SOGo mailbox.</p> <p>Each SOGo, CardDAV, CalDAV and EAS http request will cause an additional, nginx internal auth_request call to sogo-auth.php with the following behavior:</p> <ul> <li> <p>If a basic_auth header is present, the script will validate the credentials in place of SOGo and provide the following headers: <code>x-webobjects-remote-user</code>, <code>Authorization</code> and <code>x-webobjects-auth-type</code>.</p> </li> <li> <p>If no basic_auth header is present, the script will check for an active mailcow admin session for the requested email user and provide the same headers but with the dovecot master password used in the <code>Authorization</code> header.</p> </li> <li> <p>If both fails the headers will be set empty, which makes SOGo use its standard authentication methods.</p> </li> </ul> <p>All of these options / behaviors are disabled if the <code>ALLOW_ADMIN_EMAIL_LOGIN</code> is not enabled in the config.</p>"},{"location":"troubleshooting/debug-attach_service/","title":"Attach to a Container","text":""},{"location":"troubleshooting/debug-attach_service/#attaching-a-container-to-your-shell","title":"Attaching a Container to your Shell","text":"<p>To attach a container to your shell you can simply run</p> <pre><code>docker compose exec $Service_Name /bin/bash\n</code></pre>"},{"location":"troubleshooting/debug-attach_service/#connecting-to-services","title":"Connecting to Services","text":"<p>If you want to connect to a service / application directly it is always a good idea to <code>source mailcow.conf</code> to get all relevant variables into your environment.</p>"},{"location":"troubleshooting/debug-attach_service/#mysql","title":"MySQL","text":"<pre><code>source mailcow.conf\ndocker compose exec mysql-mailcow mysql -u${DBUSER} -p${DBPASS} ${DBNAME}\n</code></pre>"},{"location":"troubleshooting/debug-attach_service/#redis","title":"Redis","text":"<pre><code>docker compose exec redis-mailcow redis-cli\n</code></pre>"},{"location":"troubleshooting/debug-attach_service/#service-descriptions","title":"Service Descriptions","text":"<p>Here is a brief overview of what container / service does what:</p> Service Name Service Descriptions unbound-mailcow Local (DNSSEC) DNS Resolver mysql-mailcow Stores SOGo's and most of mailcow's settings postfix-mailcow Receives and sends mails dovecot-mailcow User logins and sieve filter redis-mailcow Storage back-end for DKIM keys and Rspamd rspamd-mailcow Mail filtering system. Used for av handling, dkim signing, spam handling clamd-mailcow Scans attachments for viruses olefy-mailcow Scans attached office documents for macro-viruses solr-mailcow Provides full-text search in Dovecot sogo-mailcow Webmail client that handles Microsoft ActiveSync and Cal- / CardDav nginx-mailcow Nginx remote proxy that handles all mailcow related HTTP / HTTPS requests acme-mailcow Automates HTTPS (SSL/TLS) certificate deployment memcached-mailcow Internal caching system for mailcow services watchdog-mailcow Allows the monitoring of docker containers / services php-fpm-mailcow Powers the mailcow web UI netfilter-mailcow Fail2Ban like integration"},{"location":"troubleshooting/debug-common_problems/","title":"Common Problems","text":"<p>Here we list common problems and possible solutions:</p>"},{"location":"troubleshooting/debug-common_problems/#mail-loops-back-to-myself","title":"Mail loops back to myself","text":"<p>Please check in your mailcow UI if you made the domain a backup MX:</p>"},{"location":"troubleshooting/debug-common_problems/#i-can-receive-but-not-send-mails","title":"I can receive but not send mails","text":"<p>There are a lot of things that could prevent you from sending mail:</p> <ul> <li>Check if your IP address is on any blacklists. You could use dnsbl.info or any other similar service to check for your IP address.</li> <li>There are some consumer ISP routers out there, that block mail ports for non whitelisted domains. Please check if you can reach your server on the ports <code>465</code> or <code>587</code>:</li> </ul> <pre><code># telnet 74.125.133.27 465\nTrying 74.125.133.27...\nConnected to 74.125.133.27.\nEscape character is '^]'.\n</code></pre>"},{"location":"troubleshooting/debug-common_problems/#my-mails-are-identified-as-spam","title":"My mails are identified as Spam","text":"<p>Please read our guide on DNS configuration.</p>"},{"location":"troubleshooting/debug-common_problems/#docker-compose-throws-weird-errors","title":"docker compose throws weird errors","text":"<p>... like:</p> <ul> <li><code>ERROR: Invalid interpolation format ...</code></li> <li><code>AttributeError: 'NoneType' object has no attribute 'keys'</code>.</li> <li><code>ERROR: In file './docker-compose.yml' service 'version' doesn't have any configuration options</code>.</li> </ul> <p>When you encounter one or similar messages while trying to run mailcow: dockerized please check if you have the latest version of Docker and docker compose</p>"},{"location":"troubleshooting/debug-common_problems/#container-xy-is-unhealthy","title":"Container XY is unhealthy","text":"<p>This error tries to tell you that one of the (health) conditions for a certain container are not met. Therefore it can't be started. This can have several reasons, the most common one is an updated git clone but old docker image or vice versa.</p> <p>A wrong configured firewall could also cause such a failure. The containers need to be able to talk to each other over the network 172.22.1.1/24.</p> <p>It might also be wrongly linked file (i.e. SSL certificate) that prevents a crucial container (nginx) from starting, so always check your logs to get an idea where your problem is coming from.</p>"},{"location":"troubleshooting/debug-common_problems/#address-already-in-use","title":"Address already in use","text":"<p>If you get an error message like:</p> <pre><code>ERROR: for postfix-mailcow Cannot start service postfix-mailcow: driver failed programming external connectivity on endpoint mailcowdockerized_postfix-mailcow_1: Error starting userland proxy: listen tcp 0.0.0.0:25: bind: address already in use\n</code></pre> <p>while trying to start / install mailcow: dockerized, make sure you've followed our section on the prerequisites.</p>"},{"location":"troubleshooting/debug-common_problems/#xyz-cant-connect-to","title":"XYZ can't connect to ...","text":"<p>Please check your local firewall! Docker and iptables-based firewalls sometimes create conflicting rules, so disable the firewall on your host to determine whether your connection issues are caused by such conflicts. If they are, you need to manually create appropriate rules in your host firewall to permit the necessary connections.</p> <p>If you experience connection problems from home, please check your ISP router's firewall too, some of them block mail traffic on the SMTP (587) or SMTPS (465) ports. It could also be, that your ISP is blocking the ports for SUBMISSION (25).</p> <p>While Linux users can chose from a variety of tools1 to check if a port is open, the Windows user has only the PowerShell command <code>Test-NetConnection -ComputerName host -Port port</code> available by default.</p> <p>To enable telnet on a Windows after Vista please check this guide or enter the following command in an terminal with administrator privileges:</p> <pre><code>dism /online /Enable-Feature /FeatureName:TelnetClient\n</code></pre>"},{"location":"troubleshooting/debug-common_problems/#inotify-instance-limit-for-user-5000-uid-vmail-exceeded-see-453","title":"Inotify instance limit for user 5000 (UID vmail) exceeded (see #453)","text":"<p>Docker containers use the Docker hosts inotify limits. Setting them on your Docker host will pass them to the container.</p>"},{"location":"troubleshooting/debug-common_problems/#dovecot-keeps-restarting-see-2672","title":"Dovecot keeps restarting (see #2672)","text":"<p>Check that you have at least the following files in <code>data/assets/ssl</code>:</p> <pre><code>cert.pem\ndhparams.pem\nkey.pem\n</code></pre> <p>If <code>dhparams.pem</code> is missing, you can generate it with</p> <pre><code>openssl dhparam -out data/assets/ssl/dhparams.pem 4096\n</code></pre> <ol> <li> <p>netcat, nmap, openssl, telnet, etc.\u00a0\u21a9</p> </li> </ol>"},{"location":"troubleshooting/debug-logs/","title":"Logs","text":"<p>Warning</p> <p>This section only applies for Dockers default logging driver (JSON).</p> <p>To view the logs of all mailcow: dockerized related containers, you can use <code>docker compose logs</code> inside your mailcow-dockerized folder that contains your <code>mailcow.conf</code>. This is usually a bit much, but you could trim the output with <code>--tail=100</code> to the last 100 lines per container, or add a <code>-f</code> to follow the live output of all your services.</p> <p>To view the logs of a specific service you can use <code>docker compose logs [options] $service_name</code></p> <p>Info</p> <p>The available options for the command docker compose logs are:</p> <ul> <li>--no-color: Produce monochrome output.</li> <li>-f: Follow the log output.</li> <li>-t: Show timestamps.</li> <li>--tail=\"all\": Number of lines to show from the end of the logs for each container.</li> </ul>"},{"location":"troubleshooting/debug-mysql_aria/","title":"Recover crashed Aria storage engine","text":""},{"location":"troubleshooting/debug-mysql_aria/#mariadb-aria-recovery-after-crash","title":"MariaDB: Aria recovery after crash","text":"<p>If your server crashed and MariaDB logs an error similar to <code>[ERROR] mysqld: Aria recovery failed. Please run aria_chk -r on all Aria tables (*.MAI) and delete all aria_log.######## files</code> you may want to try the following to recover the database to a healthy state:</p> <p>Start the stack and wait until mysql-mailcow begins to report a restarting state. Check by running <code>docker compose ps</code>.</p> <p>Now run the following commands:</p> <pre><code># Stop the stack, don't run \"down\"\ndocker compose stop\n# Run a bash in the stopped container as user mysql\ndocker compose run --rm --entrypoint '/bin/sh -c \"gosu mysql bash\"' mysql-mailcow\n# cd to the SQL data directory\ncd /var/lib/mysql\n# Run aria_chk\naria_chk --check --force */*.MAI\n# Delete aria log files\nrm aria_log.*\n</code></pre> <p>Now run <code>docker compose down</code> followed by <code>docker compose up -d</code>.</p>"},{"location":"troubleshooting/debug-mysql_upgrade/","title":"Manual MySQL upgrade","text":""},{"location":"troubleshooting/debug-mysql_upgrade/#run-a-manual-mysql_upgrade","title":"Run a manual mysql_upgrade","text":"<p>This step is usually not necessary. </p> <pre><code>docker compose stop mysql-mailcow watchdog-mailcow\ndocker compose run --rm --entrypoint '/bin/sh -c \"gosu mysql mysqld --skip-grant-tables &amp; sleep 10 &amp;&amp; bash &amp;&amp; exit 0\"' mysql-mailcow\n</code></pre> <p>As soon as the SQL shell spawned, run <code>mysql_upgrade</code> and exit the container:</p> <pre><code>mysql_upgrade\nexit\n</code></pre>"},{"location":"troubleshooting/debug-reset_pw/","title":"Reset Passwords (incl. SQL)","text":""},{"location":"troubleshooting/debug-reset_pw/#mailcow-admin-account","title":"mailcow Admin Account","text":"<p>Resets the mailcow admin account to a random password. Older mailcow: dockerized installations may find the <code>mailcow-reset-admin.sh</code> script in their mailcow root directory (mailcow_path).</p> <pre><code>cd mailcow_path\n./helper-scripts/mailcow-reset-admin.sh\n</code></pre>"},{"location":"troubleshooting/debug-reset_pw/#reset-mysql-passwords","title":"Reset MySQL Passwords","text":"<p>Stop the stack by running <code>docker compose stop</code>.</p> <p>When the containers came to a stop, run this command:</p> <pre><code>docker compose run --rm --entrypoint '/bin/sh -c \"gosu mysql mysqld --skip-grant-tables &amp; sleep 10 &amp;&amp; mysql -hlocalhost -uroot &amp;&amp; exit 0\"' mysql-mailcow\n</code></pre>"},{"location":"troubleshooting/debug-reset_pw/#1-find-database-name","title":"1. Find database name","text":"<pre><code># source mailcow.conf\n# docker compose exec mysql-mailcow mysql -u${DBUSER} -p${DBPASS} ${DBNAME}\nMariaDB [(none)]&gt; show databases;\n+--------------------+\n| Database |\n+--------------------+\n| information_schema |\n| mailcow_database | &lt;=====\n| mysql |\n| performance_schema |\n+--------------------+\n4 rows in set (0.00 sec)\n</code></pre>"},{"location":"troubleshooting/debug-reset_pw/#2-reset-one-or-more-users","title":"2. Reset one or more users","text":""},{"location":"troubleshooting/debug-reset_pw/#21-maria-db-104-older-mailcow-installations","title":"2.1 Maria DB &lt; 10.4 (older mailcow installations)","text":"<p>Both \"password\" and \"authentication_string\" exist. Currently \"password\" is used, but better set both.</p> <pre><code>MariaDB [(none)]&gt; SELECT user FROM mysql.user;\n+--------------+\n| user |\n+--------------+\n| mailcow | &lt;=====\n| root |\n+--------------+\n2 rows in set (0.00 sec)\n\nMariaDB [(none)]&gt; FLUSH PRIVILEGES;\nMariaDB [(none)]&gt; UPDATE mysql.user SET authentication_string = PASSWORD('gotr00t'), password = PASSWORD('gotr00t') WHERE User = 'root';\nMariaDB [(none)]&gt; UPDATE mysql.user SET authentication_string = PASSWORD('mookuh'), password = PASSWORD('mookuh') WHERE User = 'mailcow' AND Host = '%';\nMariaDB [(none)]&gt; FLUSH PRIVILEGES;\n</code></pre>"},{"location":"troubleshooting/debug-reset_pw/#22-maria-db-104-current-mailcows","title":"2.2 Maria DB &gt;= 10.4 (current mailcows)","text":"<pre><code>MariaDB [(none)]&gt; SELECT user FROM mysql.user;\n+--------------+\n| user |\n+--------------+\n| mailcow | &lt;=====\n| root |\n+--------------+\n2 rows in set (0.00 sec)\n\nMariaDB [(none)]&gt; FLUSH PRIVILEGES;\nMariaDB [(none)]&gt; ALTER USER 'mailcow'@'%' IDENTIFIED BY 'mookuh';\nMariaDB [(none)]&gt; ALTER USER 'root'@'%' IDENTIFIED BY 'gotr00t';\nMariaDB [(none)]&gt; ALTER USER 'root'@'localhost' IDENTIFIED BY 'gotr00t';\nMariaDB [(none)]&gt; FLUSH PRIVILEGES;\n</code></pre>"},{"location":"troubleshooting/debug-reset_pw/#remove-two-factor-authentication","title":"Remove Two-Factor Authentication","text":""},{"location":"troubleshooting/debug-reset_pw/#for-mailcow-webui","title":"For mailcow WebUI:","text":"<p>This works similar to resetting a MySQL password, now we do it from the host without connecting to the MySQL CLI:</p> <pre><code>source mailcow.conf\ndocker compose exec mysql-mailcow mysql -u${DBUSER} -p${DBPASS} ${DBNAME} -e \"DELETE FROM tfa WHERE username='YOUR_USERNAME';\"\n</code></pre>"},{"location":"troubleshooting/debug-reset_pw/#for-sogo","title":"For SOGo:","text":"<pre><code>docker compose exec -u sogo sogo-mailcow sogo-tool user-preferences set defaults user@example.com SOGoGoogleAuthenticatorEnabled '{\"SOGoGoogleAuthenticatorEnabled\":0}'\n</code></pre>"},{"location":"troubleshooting/debug-reset_tls/","title":"Reset TLS certificates","text":"<p>In case you encounter problems with your certificate, key or Let's Encrypt account, please try to reset the TLS assets:</p> <pre><code>source mailcow.conf\ndocker compose down\nrm -rf data/assets/ssl\nmkdir data/assets/ssl\nopenssl req -x509 -newkey rsa:4096 -keyout data/assets/ssl-example/key.pem -out data/assets/ssl-example/cert.pem -days 365 -subj \"/C=DE/ST=NRW/L=Willich/O=mailcow/OU=mailcow/CN=${MAILCOW_HOSTNAME}\" -sha256 -nodes\ncp -n -d data/assets/ssl-example/*.pem data/assets/ssl/\ndocker compose up -d\n</code></pre> <p>This will stop mailcow, source the variables we need, create a self-signed certificate and start mailcow.</p> <p>If you use Let's Encrypt you should be careful as you will create a new account and a new set of certificates. You will run into a ratelimit sooner or later.</p> <p>Please also note that previous TLSA records will be invalid.</p>"},{"location":"troubleshooting/debug-rm_volumes/","title":"Remove Persistent Data","text":"<p>You may want to remove a set of persistent data to resolve a conflict or to start over.</p> <p><code>mailcowdockerized</code> can vary and depends on your compose project name (if it's unchanged, <code>mailcowdockerized</code> is the correct value). If you are unsure about volume names, run <code>docker volume ls</code> for a full list.</p> <p>Delete a single volume:</p> <pre><code>docker volume rm mailcowdockerized_${VOLUME_NAME}\n</code></pre> <ul> <li>Remove volume <code>mysql-vol-1</code> to remove all MySQL data.</li> <li>Remove volume <code>redis-vol-1</code> to remove all Redis data.</li> <li>Remove volume <code>vmail-vol-1</code> to remove all contents of <code>/var/vmail</code> mounted to <code>dovecot-mailcow</code>.</li> <li>Remove volume <code>rspamd-vol-1</code> to remove all Rspamd data.</li> <li>Remove volume <code>crypt-vol-1</code> to remove all crypto data. This will render all mails unreadable.</li> </ul> <p>Alternatively, running <code>docker compose down -v</code> will destroy all mailcow: dockerized volumes and delete any related containers and networks.</p>"},{"location":"troubleshooting/debug-rspamd_memory_leaks/","title":"Advanced: Find memory leaks in Rspamd","text":"<p>A quick guide to deeply analyze a malfunctioning Rspamd.</p> <pre><code>docker compose exec rspamd-mailcow bash\n\nif ! grep -qi 'apt-stable-asan' /etc/apt/sources.list.d/rspamd.list; then\n sed -i 's/apt-stable/apt-stable-asan/i' /etc/apt/sources.list.d/rspamd.list\nfi\n\napt-get update ; apt-get upgrade rspamd\n\nnano /docker-entrypoint.sh\n\n# Before \"exec \"$@\"\" add the following lines:\n\nexport G_SLICE=always-malloc\nexport ASAN_OPTIONS=new_delete_type_mismatch=0:detect_leaks=1:detect_odr_violation=0:log_path=/tmp/rspamd-asan:quarantine_size_mb=2048:malloc_context_size=8:fast_unwind_on_malloc=0\n</code></pre> <p>Restart Rspamd: <code>docker compose restart rspamd-mailcow</code></p> <p>Your memory consumption will increase by a lot, it will also steadily grow, which is not related to a possible memory leak you are looking for.</p> <p>Leave the container running for a few minutes, hours or days (it should match the time you usually wait for the leak to \"happen\") and restart it: <code>docker compose restart rspamd-mailcow</code>.</p> <p>Now enter the container by running <code>docker compose exec rspamd-mailcow bash</code>, change the directory to /tmp and copy the asan Files to your desired location or upload them via termbin.com (<code>cat /tmp/rspamd-asan.* | nc termbin.com 9999</code>).</p>"},{"location":"troubleshooting/debug/","title":"Introduction","text":"<p>When a problem occurs, then always for a reason! What you want to do in such a case is:</p> <ol> <li>Read your logs; follow them to see what the reason for your problem is.</li> <li>Follow the leads given to you in your logfiles and start investigating.</li> <li>Restarting the troubled service or the whole stack to see if the problem persists.</li> <li>Read the documentation of the troubled service and search it's bugtracker for your problem.</li> <li>Search our issues for your problem.</li> <li>Create an issue over at our GitHub repository if you think your problem might be a bug or a missing feature you badly need. But please make sure, that you include all the logs and a full description to your problem. Please do not ask for support on Git.</li> <li>Join our Telegram community or find the official support packages at Servercow.Alternatively ask Twitter and tag us with @mailcow_email</li> </ol>"}]}