Mailcow dockerized server on hetzner robot with multiply ipv4 and ipv6

Mailcow dockerized server on hetzner robot with multiply ipv4 and ipv6

Start info

  • Main server hetzner with ip 96.216.15.45 on enp0s31f6 interface;

  • ipv4 subnet 135.183.115.16/24;

  • ipv6 subnet 2a01:4g9:3a:556::/64;

  • docker and docker-compose installed;

  • sysctl tuned.

mail domain name: linux2be.com
mail domain gui: mail.linux2be.com
mail domain smtp: mail.linux2be.com
mail domain mx: mail.linux2be.com

System configure(ubuntu 20.04)

Add ip address(iv4 and ipv6) to interface enp0s31f6

ip addr add 135.183.115.17/32 dev enp0s31f6
ip addr add 2a01:4g9:3a:556::17/64 dev enp0s31f6

Create dirs and clone repo for out first mail server

mkdir  -p /docker-compose/SWARM/services/mail/linux2be.com/mailcow-dockerized;
cd /docker-compose/SWARM/services/mail/linux2be.com;
git clone https://github.com/mailcow/mailcow-dockerized.git;

Create dns records mail.linux2be.com

A  135.183.115.17 mail.linux2be.com
AAAA  2a01:4g9:3a:556::17  mail.linux2be.com
cname autoconfig mail.linux2be.com
cname autodiscover mail.linux2be.com

Add an TXT record for your domain and set the value to "v=spf1 mx ~all",

Create ptr record

135.183.115.17  mail.linux2be.com
2a01:4g9:3a:556::17  mail.linux2be.com

Create config file

./generate_config.sh

And edit .env file

# ------------------------------
# mailcow web ui configuration
# ------------------------------
# example.org is _not_ a valid hostname, use a fqdn here.
# Default admin user is "admin"
# Default password is "moohoo"
MAILCOW_HOSTNAME=mail.linux2be.com
# ------------------------------
# SQL database configuration
# ------------------------------
DBNAME=mailcowl2b
DBUSER=mailcowl2b
# Please use long, random alphanumeric strings (A-Za-z0-9)
DBPASS=d7Z6qxZVVI910BekrY5FgTLd6P4Ef
DBROOT=fKlpZR9Ey4qSmRxrwNTfQdX3wxyyrd
# ------------------------------
# HTTP/S Bindings
# ------------------------------
# You should use HTTPS, but in case of SSL offloaded reverse proxies:
# Might be important: This will also change the binding within the container.
# If you use a proxy within Docker, point it to the ports you set below.
# Do _not_ use IP:PORT in HTTP(S)_BIND or HTTP(S)_PORT
# IMPORTANT: Do not use port 8081, 9081 or 65510!
HTTP_PORT=80
HTTP_BIND=135.183.115.17
HTTPS_PORT=443
HTTPS_BIND=135.183.115.17
HTTP_BIND_IPV6=2a01:4g9:3a:556::17
HTTPS_BIND_IPV6=2a01:4g9:3a:556::17
# ------------------------------
# Other bindings
# ------------------------------
# You should leave that alone
# Format: 11.22.33.44:25 or 0.0.0.0:465 etc.
SMTP_PORT=135.183.115.17:25
SMTPS_PORT=135.183.115.17:465
SUBMISSION_PORT=135.183.115.17:587
IMAP_PORT=135.183.115.17:143
IMAPS_PORT=135.183.115.17:993
POP_PORT=135.183.115.17:110
POPS_PORT=135.183.115.17:995
SIEVE_PORT=135.183.115.17:4190
DOVEADM_PORT=127.0.0.1:19991
SQL_PORT=127.0.0.1:13306
SOLR_PORT=127.0.0.1:18983
REDIS_PORT=127.0.0.1:7654
SMTP_PORT_IPV6=2a01:4g9:3a:556::17:25
SMTPS_PORT_IPV6=2a01:4g9:3a:556::17:465
SUBMISSION_PORT_IPV6=2a01:4g9:3a:556::17:587
IMAP_PORT_IPV6=2a01:4g9:3a:556::17:143
IMAPS_PORT_IPV6=2a01:4g9:3a:556::17:993
POP_PORT_IPV6=2a01:4g9:3a:556::17:110
POPS_PORT_IPV6=2a01:4g9:3a:556::17:995
# Your timezone
TZ=Europe/Moscow
# Fixed project name
# Please use lowercase letters only
COMPOSE_PROJECT_NAME=mc_linux2be_com
# Set this to "allow" to enable the anyone pseudo user. Disabled by default.
# When enabled, ACL can be created, that apply to "All authenticated users"
# This should probably only be activated on mail hosts, that are used exclusivly by one organisation.
# Otherwise a user might share data with too many other users.
ACL_ANYONE=disallow
# Garbage collector cleanup
# Deleted domains and mailboxes are moved to /var/vmail/_garbage/timestamp_sanitizedstring
# How long should objects remain in the garbage until they are being deleted? (value in minutes)
# Check interval is hourly
MAILDIR_GC_TIME=7200
# Additional SAN for the certificate
#
# You can use wildcard records to create specific names for every domain you add to mailcow.
# Example: Add domains "example.com" and "example.net" to mailcow, change ADDITIONAL_SAN to a value like:
#ADDITIONAL_SAN=imap.*,smtp.*
# This will expand the certificate to "imap.example.com", "smtp.example.com", "imap.example.net", "imap.example.net"
# plus every domain you add in the future.
#
# You can also just add static names...
#ADDITIONAL_SAN=srv1.example.net
# ...or combine wildcard and static names:
#ADDITIONAL_SAN=imap.*,srv1.example.com
#
ADDITIONAL_SAN=autodiscover.linux2be.com,autoconfig.linux2be.com
# Skip running ACME (acme-mailcow, Let's Encrypt certs) - y/n
SKIP_LETS_ENCRYPT=n
# Create seperate certificates for all domains - y/n
# this will allow adding more than 100 domains, but some email clients will not be able to connect with alternative hostnames
# see https://wiki.dovecot.org/SSL/SNIClientSupport
ENABLE_SSL_SNI=y
# Skip IPv4 check in ACME container - y/n
SKIP_IP_CHECK=n
# Skip HTTP verification in ACME container - y/n
SKIP_HTTP_VERIFICATION=n
# Skip ClamAV (clamd-mailcow) anti-virus (Rspamd will auto-detect a missing ClamAV container) - y/n
SKIP_CLAMD=n
# Skip SOGo: Will disable SOGo integration and therefore webmail, DAV protocols and ActiveSync support (experimental, unsupported, not fully implemented) - y/n
SKIP_SOGO=n
# Skip Solr on low-memory systems or if you do not want to store a readable index of your mails in solr-vol-1.
SKIP_SOLR=n
# Solr heap size in MB, there is no recommendation, please see Solr docs.
# Solr is a prone to run OOM and should be monitored. Unmonitored Solr setups are not recommended.
SOLR_HEAP=2048
# Allow admins to log into SOGo as email user (without any password)
ALLOW_ADMIN_EMAIL_LOGIN=n
# Enable watchdog (watchdog-mailcow) to restart unhealthy containers
USE_WATCHDOG=y
# Send watchdog notifications by mail (sent from watchdog@MAILCOW_HOSTNAME)
# CAUTION:
# 1. You should use external recipients
# 2. Mails are sent unsigned (no DKIM)
# 3. If you use DMARC, create a separate DMARC policy ("v=DMARC1; p=none;" in _dmarc.MAILCOW_HOSTNAME)
# Multiple rcpts allowed, NO quotation marks, NO spaces
#WATCHDOG_NOTIFY_EMAIL=a@example.com,b@example.com,c@example.com
#WATCHDOG_NOTIFY_EMAIL=webmaster@mail.example
# Notify about banned IP (includes whois lookup)
WATCHDOG_NOTIFY_BAN=y
# Checks if mailcow is an open relay. Requires a SAL. More checks will follow.
# https://www.servercow.de/mailcow?lang=en
# https://www.servercow.de/mailcow?lang=de
# No data is collected. Opt-in and anonymous.
# Will only work with unmodified mailcow setups.
WATCHDOG_EXTERNAL_CHECKS=n
# Max log lines per service to keep in Redis logs
LOG_LINES=9999
# Internal IPv4 /24 subnet, format n.n.n (expands to n.n.n.0/24)
# Use private IPv4 addresses only, see https://en.wikipedia.org/wiki/Private_network#Private_IPv4_addresses
IPV4_NETWORK=172.22.117
# Internal IPv6 subnet in fc00::/7
# Use private IPv6 addresses only, see https://en.wikipedia.org/wiki/Private_network#Private_IPv6_addresses
IPV6_NETWORK=fd4d:6169:6c63:6f77::/64
# Use this IPv4 for outgoing connections (SNAT)
SNAT_TO_SOURCE=135.183.115.17
# Use this IPv6 for outgoing connections (SNAT)
SNAT6_TO_SOURCE=2a01:4g9:3a:556::17
# Create or override an API key for the web UI
# You _must_ define API_ALLOW_FROM, which is a comma separated list of IPs
# An API key defined as API_KEY has read-write access
# An API key defined as API_KEY_READ_ONLY has read-only access
# Allowed chars for API_KEY and API_KEY_READ_ONLY: a-z, A-Z, 0-9, -
# You can define API_KEY and/or API_KEY_READ_ONLY
#API_KEY=
#API_KEY_READ_ONLY=
#API_ALLOW_FROM=172.22.1.1,127.0.0.1
# mail_home is ~/Maildir
MAILDIR_SUB=Maildir
# SOGo session timeout in minutes
SOGO_EXPIRE_SESSION=480
# DOVECOT_MASTER_USER and DOVECOT_MASTER_PASS must both be provided. No special chars.
# Empty by default to auto-generate master user and password on start.
# User expands to DOVECOT_MASTER_USER@mailcow.local
# LEAVE EMPTY IF UNSURE
DOVECOT_MASTER_USER=jdjsJjdsjdjsmmm9999dklllMMdddd
# LEAVE EMPTY IF UNSURE
DOVECOT_MASTER_PASS=jdjsJjdsjdjsmmm9999dklllMMdddd

we change docker subnet to 172.21.117, change database user and name, added ipv6 data, change DOVECOT_MASTER_USER,DOVECOT_MASTER_PASS,SNAT_TO_SOURCE,SNAT6_TO_SOURCE

Edit docker-compose.yml file.

version: '2.1'
services:
    unbound-mailcow:
      image: mailcow/unbound:1.12
      environment:
        - TZ=${TZ}
      volumes:
        - ./data/hooks/unbound:/hooks:Z
        - ./data/conf/unbound/unbound.conf:/etc/unbound/unbound.conf:ro,Z
      restart: always
      tty: true
      networks:
        mailcow-network:
          ipv4_address: ${IPV4_NETWORK:-172.22.1}.254
          aliases:
            - unbound
    mysql-mailcow:
      image: mariadb:10.4
      depends_on:
        - unbound-mailcow
      stop_grace_period: 45s
      volumes:
        - mysql-vol-1:/var/lib/mysql/:Z
        - mysql-socket-vol-1:/var/run/mysqld/:z
        - ./data/conf/mysql/:/etc/mysql/conf.d/:ro,Z
      environment:
        - TZ=${TZ}
        - MYSQL_ROOT_PASSWORD=${DBROOT}
        - MYSQL_DATABASE=${DBNAME}
        - MYSQL_USER=${DBUSER}
        - MYSQL_PASSWORD=${DBPASS}
        - MYSQL_INITDB_SKIP_TZINFO=1
      restart: always
      ports:
        - "${SQL_PORT:-127.0.0.1:13306}:3306"
      networks:
        mailcow-network:
          aliases:
            - mysql
    redis-mailcow:
      image: redis:5-alpine
      volumes:
        - redis-vol-1:/data/:Z
      restart: always
      ports:
        - "${REDIS_PORT:-127.0.0.1:7654}:6379"
      environment:
        - TZ=${TZ}
      networks:
        mailcow-network:
          ipv4_address: ${IPV4_NETWORK:-172.22.1}.249
          aliases:
            - redis
    clamd-mailcow:
      image: mailcow/clamd:1.37
      restart: always
      dns:
        - ${IPV4_NETWORK:-172.22.1}.254
      environment:
        - TZ=${TZ}
        - SKIP_CLAMD=${SKIP_CLAMD:-n}
      volumes:
        - ./data/conf/clamav/:/etc/clamav/:Z
      networks:
        mailcow-network:
          aliases:
            - clamd
    rspamd-mailcow:
      image: mailcow/rspamd:1.73
      stop_grace_period: 30s
      depends_on:
        - dovecot-mailcow
      environment:
        - TZ=${TZ}
        - IPV4_NETWORK=${IPV4_NETWORK:-172.22.1}
        - IPV6_NETWORK=${IPV6_NETWORK:-fd4d:6169:6c63:6f77::/64}
        - REDIS_SLAVEOF_IP=${REDIS_SLAVEOF_IP:-}
        - REDIS_SLAVEOF_PORT=${REDIS_SLAVEOF_PORT:-}
      volumes:
        - ./data/hooks/rspamd:/hooks:Z
        - ./data/conf/rspamd/custom/:/etc/rspamd/custom:z
        - ./data/conf/rspamd/override.d/:/etc/rspamd/override.d:Z
        - ./data/conf/rspamd/local.d/:/etc/rspamd/local.d:Z
        - ./data/conf/rspamd/plugins.d/:/etc/rspamd/plugins.d:Z
        - ./data/conf/rspamd/lua/:/etc/rspamd/lua/:ro,Z
        - ./data/conf/rspamd/rspamd.conf.local:/etc/rspamd/rspamd.conf.local:Z
        - ./data/conf/rspamd/rspamd.conf.override:/etc/rspamd/rspamd.conf.override:Z
        - rspamd-vol-1:/var/lib/rspamd:z
      restart: always
      dns:
        - ${IPV4_NETWORK:-172.22.1}.254
      hostname: rspamd
      networks:
        mailcow-network:
          aliases:
            - rspamd
    php-fpm-mailcow:
      image: mailcow/phpfpm:1.69
      command: "php-fpm -d date.timezone=${TZ} -d expose_php=0"
      depends_on:
        - redis-mailcow
      volumes:
        - ./data/hooks/phpfpm:/hooks:Z
        - ./data/web:/web:rw,z
        - ./data/conf/rspamd/dynmaps:/dynmaps:ro,z
        - ./data/conf/rspamd/custom/:/rspamd_custom_maps:z
        - rspamd-vol-1:/var/lib/rspamd:z
        - mysql-socket-vol-1:/var/run/mysqld/:z
        - ./data/conf/sogo/:/etc/sogo/:z
        - ./data/conf/rspamd/meta_exporter:/meta_exporter:ro,z
        - ./data/conf/phpfpm/sogo-sso/:/etc/sogo-sso/:z
        - ./data/conf/phpfpm/php-fpm.d/pools.conf:/usr/local/etc/php-fpm.d/z-pools.conf:Z
        - ./data/conf/phpfpm/php-conf.d/opcache-recommended.ini:/usr/local/etc/php/conf.d/opcache-recommended.ini:Z
        - ./data/conf/phpfpm/php-conf.d/upload.ini:/usr/local/etc/php/conf.d/upload.ini:Z
        - ./data/conf/phpfpm/php-conf.d/other.ini:/usr/local/etc/php/conf.d/zzz-other.ini:Z
        - ./data/conf/dovecot/global_sieve_before:/global_sieve/before:Z
        - ./data/conf/dovecot/global_sieve_after:/global_sieve/after:Z
        - ./data/assets/templates:/tpls:z
      dns:
        - ${IPV4_NETWORK:-172.22.1}.254
      environment:
        - REDIS_SLAVEOF_IP=${REDIS_SLAVEOF_IP:-}
        - REDIS_SLAVEOF_PORT=${REDIS_SLAVEOF_PORT:-}
        - LOG_LINES=${LOG_LINES:-9999}
        - TZ=${TZ}
        - DBNAME=${DBNAME}
        - DBUSER=${DBUSER}
        - DBPASS=${DBPASS}
        - MAILCOW_HOSTNAME=${MAILCOW_HOSTNAME}
        - IMAP_PORT=${IMAP_PORT:-143}
        - IMAPS_PORT=${IMAPS_PORT:-993}
        - POP_PORT=${POP_PORT:-110}
        - POPS_PORT=${POPS_PORT:-995}
        - SIEVE_PORT=${SIEVE_PORT:-4190}
        - IPV4_NETWORK=${IPV4_NETWORK:-172.22.1}
        - IPV6_NETWORK=${IPV6_NETWORK:-fd4d:6169:6c63:6f77::/64}
        - SUBMISSION_PORT=${SUBMISSION_PORT:-587}
        - SMTPS_PORT=${SMTPS_PORT:-465}
        - SMTP_PORT=${SMTP_PORT:-25}
        - API_KEY=${API_KEY:-invalid}
        - API_KEY_READ_ONLY=${API_KEY_READ_ONLY:-invalid}
        - API_ALLOW_FROM=${API_ALLOW_FROM:-invalid}
        - COMPOSE_PROJECT_NAME=${COMPOSE_PROJECT_NAME:-mailcow-dockerized}
        - SKIP_SOLR=${SKIP_SOLR:-y}
        - SKIP_CLAMD=${SKIP_CLAMD:-n}
        - SKIP_SOGO=${SKIP_SOGO:-n}
        - ALLOW_ADMIN_EMAIL_LOGIN=${ALLOW_ADMIN_EMAIL_LOGIN:-n}
        - MASTER=${MASTER:-y}
      restart: always
      networks:
        mailcow-network:
          aliases:
            - phpfpm
    sogo-mailcow:
      image: mailcow/sogo:1.91
      environment:
        - DBNAME=${DBNAME}
        - DBUSER=${DBUSER}
        - DBPASS=${DBPASS}
        - TZ=${TZ}
        - LOG_LINES=${LOG_LINES:-9999}
        - MAILCOW_HOSTNAME=${MAILCOW_HOSTNAME}
        - ACL_ANYONE=${ACL_ANYONE:-disallow}
        - ALLOW_ADMIN_EMAIL_LOGIN=${ALLOW_ADMIN_EMAIL_LOGIN:-n}
        - IPV4_NETWORK=${IPV4_NETWORK:-172.22.1}
        - SOGO_EXPIRE_SESSION=${SOGO_EXPIRE_SESSION:-480}
        - SKIP_SOGO=${SKIP_SOGO:-n}
        - MASTER=${MASTER:-y}
        - REDIS_SLAVEOF_IP=${REDIS_SLAVEOF_IP:-}
        - REDIS_SLAVEOF_PORT=${REDIS_SLAVEOF_PORT:-}
      dns:
        - ${IPV4_NETWORK:-172.22.1}.254
      volumes:
        - ./data/conf/sogo/:/etc/sogo/:z
        - ./data/web/inc/init_db.inc.php:/init_db.inc.php:Z
        - ./data/conf/sogo/custom-sogo.js:/usr/lib/GNUstep/SOGo/WebServerResources/js/custom-sogo.js:Z
        - mysql-socket-vol-1:/var/run/mysqld/:z
        - sogo-web-vol-1:/sogo_web:z
        - sogo-userdata-backup-vol-1:/sogo_backup:Z
      restart: always
      networks:
        mailcow-network:
          ipv4_address: ${IPV4_NETWORK:-172.22.1}.248
          aliases:
            - sogo
    dovecot-mailcow:
      image: mailcow/dovecot:1.134
      depends_on:
        - mysql-mailcow
      dns:
        - ${IPV4_NETWORK:-172.22.1}.254
      cap_add:
        - NET_BIND_SERVICE
      volumes:
        - ./data/hooks/dovecot:/hooks:Z
        - ./data/conf/dovecot:/etc/dovecot:z
        - ./data/assets/ssl:/etc/ssl/mail/:ro,z
        - ./data/conf/sogo/:/etc/sogo/:z
        - ./data/conf/phpfpm/sogo-sso/:/etc/phpfpm/:z
        - vmail-vol-1:/var/vmail:Z
        - vmail-index-vol-1:/var/vmail_index:Z
        - crypt-vol-1:/mail_crypt/:z
        - ./data/conf/rspamd/custom/:/etc/rspamd/custom:z
        - ./data/assets/templates:/templates:z
        - rspamd-vol-1:/var/lib/rspamd:z
        - mysql-socket-vol-1:/var/run/mysqld/:z
      environment:
        - DOVECOT_MASTER_USER=${DOVECOT_MASTER_USER:-}
        - DOVECOT_MASTER_PASS=${DOVECOT_MASTER_PASS:-}
        - LOG_LINES=${LOG_LINES:-9999}
        - DBNAME=${DBNAME}
        - DBUSER=${DBUSER}
        - DBPASS=${DBPASS}
        - TZ=${TZ}
        - MAILCOW_HOSTNAME=${MAILCOW_HOSTNAME}
        - IPV4_NETWORK=${IPV4_NETWORK:-172.22.1}
        - ALLOW_ADMIN_EMAIL_LOGIN=${ALLOW_ADMIN_EMAIL_LOGIN:-n}
        - MAILDIR_GC_TIME=${MAILDIR_GC_TIME:-1440}
        - ACL_ANYONE=${ACL_ANYONE:-disallow}
        - SKIP_SOLR=${SKIP_SOLR:-y}
        - MAILDIR_SUB=${MAILDIR_SUB:-}
        - MASTER=${MASTER:-y}
        - REDIS_SLAVEOF_IP=${REDIS_SLAVEOF_IP:-}
        - REDIS_SLAVEOF_PORT=${REDIS_SLAVEOF_PORT:-}
        - COMPOSE_PROJECT_NAME=${COMPOSE_PROJECT_NAME:-mailcow-dockerized}
      ports:
        - "${DOVEADM_PORT:-127.0.0.1:19991}:12345"
        - "${SIEVE_PORT:-4190}:4190"
        - "${IMAP_PORT:-143}:143"
        - "${IMAPS_PORT:-993}:993"
        - "${POP_PORT:-110}:110"
        - "${POPS_PORT:-995}:995"
        - "${IMAP_PORT_IPV6:-143}:143"
        - "${IMAPS_PORT_IPV6:-993}:993"
        - "${POP_PORT_IPV6:-110}:110"
        - "${POPS_PORT_IPV6:-995}:995"
      restart: always
      tty: true
      ulimits:
        nproc: 65535
        nofile:
          soft: 20000
          hard: 40000
      hostname: ${MAILCOW_HOSTNAME}
      networks:
        mailcow-network:
          ipv4_address: ${IPV4_NETWORK:-172.22.1}.250
          aliases:
            - dovecot
    postfix-mailcow:
      image: mailcow/postfix:1.56
      depends_on:
        - mysql-mailcow
      volumes:
        - ./data/hooks/postfix:/hooks:Z
        - ./data/conf/postfix:/opt/postfix/conf:z
        - ./data/assets/ssl:/etc/ssl/mail/:ro,z
        - postfix-vol-1:/var/spool/postfix:z
        - crypt-vol-1:/var/lib/zeyple:z
        - rspamd-vol-1:/var/lib/rspamd:z
        - mysql-socket-vol-1:/var/run/mysqld/:z
      environment:
        - LOG_LINES=${LOG_LINES:-9999}
        - TZ=${TZ}
        - DBNAME=${DBNAME}
        - DBUSER=${DBUSER}
        - DBPASS=${DBPASS}
        - REDIS_SLAVEOF_IP=${REDIS_SLAVEOF_IP:-}
        - REDIS_SLAVEOF_PORT=${REDIS_SLAVEOF_PORT:-}
      cap_add:
        - NET_BIND_SERVICE
      ports:
        - "${SMTP_PORT:-25}:25"
        - "${SMTPS_PORT:-465}:465"
        - "${SUBMISSION_PORT:-587}:587"
        - "${SMTP_PORT_IPV6:-25}:25"
        - "${SMTPS_PORT_IPV6:-465}:465"
        - "${SUBMISSION_PORT_IPV6:-587}:587"
      restart: always
      dns:
        - ${IPV4_NETWORK:-172.22.1}.254
      hostname: ${MAILCOW_HOSTNAME}
      networks:
        mailcow-network:
          aliases:
            - postfix
    memcached-mailcow:
      image: memcached:alpine
      restart: always
      environment:
        - TZ=${TZ}
      networks:
        mailcow-network:
          aliases:
            - memcached
    nginx-mailcow:
      depends_on:
        - sogo-mailcow
        - php-fpm-mailcow
        - redis-mailcow
      image: registry.gitlab.com/devops_containers/dockers/nginx:1.19.4-alpine-libressl
      dns:
        - ${IPV4_NETWORK:-172.22.1}.254
      command: /bin/sh -c "envsubst < /etc/nginx/conf.d/templates/listen_plain.template > /etc/nginx/conf.d/listen_plain.active &&
        envsubst < /etc/nginx/conf.d/templates/listen_ssl.template > /etc/nginx/conf.d/listen_ssl.active &&
        envsubst < /etc/nginx/conf.d/templates/server_name.template > /etc/nginx/conf.d/server_name.active &&
        envsubst < /etc/nginx/conf.d/templates/sogo.template > /etc/nginx/conf.d/sogo.active &&
        . /etc/nginx/conf.d/templates/sogo.auth_request.template.sh > /etc/nginx/conf.d/sogo_proxy_auth.active &&
        . /etc/nginx/conf.d/templates/sites.template.sh > /etc/nginx/conf.d/sites.active &&
        . /etc/nginx/conf.d/templates/sogo_eas.template.sh > /etc/nginx/conf.d/sogo_eas.active &&
        sed -i 's/error_log.*/error_log \/dev\/stdout;/'  /etc/nginx/conf.d/includes/site-defaults.conf &&
        sed -i 's/access_log.*/access_log \/dev\/stdout json_combined;/'  /etc/nginx/conf.d/includes/site-defaults.conf &&
        if [[ -f /etc/nginx/conf.d/000-map-size.conf ]];then rm  /etc/nginx/conf.d/000-map-size.conf;fi &&
        nginx -qt &&
        until ping phpfpm -c1 > /dev/null; do sleep 1; done &&
        until ping sogo -c1 > /dev/null; do sleep 1; done &&
        until ping redis -c1 > /dev/null; do sleep 1; done &&
        until ping rspamd -c1 > /dev/null; do sleep 1; done &&
        exec nginx -g 'daemon off;'"
      environment:
        - HTTPS_PORT=${HTTPS_PORT:-443}
        - HTTP_PORT=${HTTP_PORT:-80}
        - MAILCOW_HOSTNAME=${MAILCOW_HOSTNAME}
        - IPV4_NETWORK=${IPV4_NETWORK:-172.22.1}
        - TZ=${TZ}
        - SKIP_SOGO=${SKIP_SOGO:-n}
        - ALLOW_ADMIN_EMAIL_LOGIN=${ALLOW_ADMIN_EMAIL_LOGIN:-n}
      volumes:
        - ./data/web:/web:ro,z
        - ./data/conf/rspamd/dynmaps:/dynmaps:ro,z
        - ./data/assets/ssl/:/etc/ssl/mail/:ro,z
        - ./data/conf/nginx/:/etc/nginx/conf.d/:rw,Z
        - ./data/conf/rspamd/meta_exporter:/meta_exporter:ro,z
        - sogo-web-vol-1:/usr/lib/GNUstep/SOGo/:z
      ports:
        - "${HTTPS_BIND:-0.0.0.0}:${HTTPS_PORT:-443}:${HTTPS_PORT:-443}"
        - "${HTTP_BIND:-0.0.0.0}:${HTTP_PORT:-80}:${HTTP_PORT:-80}"
        - "${HTTPS_BIND_IPV6:-0.0.0.0}:${HTTPS_PORT:-443}:${HTTPS_PORT:-443}"
        - "${HTTP_BIND_IPV6:-0.0.0.0}:${HTTP_PORT:-80}:${HTTP_PORT:-80}"
      restart: always
      networks:
        mailcow-network:
          aliases:
            - nginx
    acme-mailcow:
      depends_on:
        - nginx-mailcow
      image: mailcow/acme:1.76
      dns:
        - ${IPV4_NETWORK:-172.22.1}.254
      environment:
        - LOG_LINES=${LOG_LINES:-9999}
        - ADDITIONAL_SAN=${ADDITIONAL_SAN}
        - MAILCOW_HOSTNAME=${MAILCOW_HOSTNAME}
        - DBNAME=${DBNAME}
        - DBUSER=${DBUSER}
        - DBPASS=${DBPASS}
        - SKIP_LETS_ENCRYPT=${SKIP_LETS_ENCRYPT:-n}
        - COMPOSE_PROJECT_NAME=${COMPOSE_PROJECT_NAME:-mailcow-dockerized}
        - DIRECTORY_URL=${DIRECTORY_URL:-}
        - ENABLE_SSL_SNI=${ENABLE_SSL_SNI:-n}
        - SKIP_IP_CHECK=${SKIP_IP_CHECK:-n}
        - SKIP_HTTP_VERIFICATION=${SKIP_HTTP_VERIFICATION:-n}
        - ONLY_MAILCOW_HOSTNAME=${ONLY_MAILCOW_HOSTNAME:-n}
        - LE_STAGING=${LE_STAGING:-n}
        - TZ=${TZ}
        - REDIS_SLAVEOF_IP=${REDIS_SLAVEOF_IP:-}
        - REDIS_SLAVEOF_PORT=${REDIS_SLAVEOF_PORT:-}
        - SNAT_TO_SOURCE=${SNAT_TO_SOURCE:-n}
        - SNAT6_TO_SOURCE=${SNAT6_TO_SOURCE:-n}
      volumes:
        - ./data/web/.well-known/acme-challenge:/var/www/acme:rw,Z
        - ./data/assets/ssl:/var/lib/acme/:rw,z
        - ./data/assets/ssl-example:/var/lib/ssl-example/:ro,Z
        - mysql-socket-vol-1:/var/run/mysqld/:z
      restart: always
      networks:
        mailcow-network:
          aliases:
            - acme
    netfilter-mailcow:
      image: mailcow/netfilter:1.38
      stop_grace_period: 30s
      depends_on:
        - dovecot-mailcow
        - postfix-mailcow
        - sogo-mailcow
        - php-fpm-mailcow
        - redis-mailcow
      restart: always
      privileged: true
      environment:
        - TZ=${TZ}
        - IPV4_NETWORK=${IPV4_NETWORK:-172.22.1}
        - IPV6_NETWORK=${IPV6_NETWORK:-fd4d:6169:6c63:6f77::/64}
        - SNAT_TO_SOURCE=${SNAT_TO_SOURCE:-n}
        - SNAT6_TO_SOURCE=${SNAT6_TO_SOURCE:-n}
        - REDIS_SLAVEOF_IP=${REDIS_SLAVEOF_IP:-}
        - REDIS_SLAVEOF_PORT=${REDIS_SLAVEOF_PORT:-}
      network_mode: "host"
      volumes:
        - /lib/modules:/lib/modules:ro
    watchdog-mailcow:
      image: mailcow/watchdog:1.85
      # Debug
      #command: /watchdog.sh
      dns:
        - ${IPV4_NETWORK:-172.22.1}.254
      volumes:
        - rspamd-vol-1:/var/lib/rspamd:z
        - mysql-socket-vol-1:/var/run/mysqld/:z
        - postfix-vol-1:/var/spool/postfix:z
        - ./data/assets/ssl:/etc/ssl/mail/:ro,z
      restart: always
      environment:
        - IPV6_NETWORK=${IPV6_NETWORK:-fd4d:6169:6c63:6f77::/64}
        - LOG_LINES=${LOG_LINES:-9999}
        - TZ=${TZ}
        - DBNAME=${DBNAME}
        - DBUSER=${DBUSER}
        - DBPASS=${DBPASS}
        - DBROOT=${DBROOT}
        - USE_WATCHDOG=${USE_WATCHDOG:-n}
        - WATCHDOG_NOTIFY_EMAIL=${WATCHDOG_NOTIFY_EMAIL}
        - WATCHDOG_NOTIFY_BAN=${WATCHDOG_NOTIFY_BAN:-y}
        - WATCHDOG_EXTERNAL_CHECKS=${WATCHDOG_EXTERNAL_CHECKS:-n}
        - WATCHDOG_MYSQL_REPLICATION_CHECKS=${WATCHDOG_MYSQL_REPLICATION_CHECKS:-n}
        - MAILCOW_HOSTNAME=${MAILCOW_HOSTNAME}
        - COMPOSE_PROJECT_NAME=${COMPOSE_PROJECT_NAME:-mailcow-dockerized}
        - IPV4_NETWORK=${IPV4_NETWORK:-172.22.1}
        - IP_BY_DOCKER_API=${IP_BY_DOCKER_API:-0}
        - CHECK_UNBOUND=${CHECK_UNBOUND:-1}
        - SKIP_CLAMD=${SKIP_CLAMD:-n}
        - SKIP_LETS_ENCRYPT=${SKIP_LETS_ENCRYPT:-n}
        - SKIP_SOGO=${SKIP_SOGO:-n}
        - HTTPS_PORT=${HTTPS_PORT:-443}
        - REDIS_SLAVEOF_IP=${REDIS_SLAVEOF_IP:-}
        - REDIS_SLAVEOF_PORT=${REDIS_SLAVEOF_PORT:-}
        - EXTERNAL_CHECKS_THRESHOLD=1
        - NGINX_THRESHOLD=5
        - UNBOUND_THRESHOLD=5
        - REDIS_THRESHOLD=5
        - MYSQL_THRESHOLD=5
        - MYSQL_REPLICATION_THRESHOLD=1
        - SOGO_THRESHOLD=3
        - POSTFIX_THRESHOLD=8
        - CLAMD_THRESHOLD=15
        - DOVECOT_THRESHOLD=12
        - DOVECOT_REPL_THRESHOLD=20
        - PHPFPM_THRESHOLD=5
        - RATELIMIT_THRESHOLD=1
        - FAIL2BAN_THRESHOLD=1
        - ACME_THRESHOLD=1
        - IPV6NAT_THRESHOLD=1
        - RSPAMD_THRESHOLD=5
        - OLEFY_THRESHOLD=5
        - MAILQ_THRESHOLD=20
        - MAILQ_CRIT=30
      networks:
        mailcow-network:
          aliases:
            - watchdog
    dockerapi-mailcow:
      image: mailcow/dockerapi:1.37
      security_opt:
        - label=disable
      restart: always
      oom_kill_disable: true
      dns:
        - ${IPV4_NETWORK:-172.22.1}.254
      environment:
        - DBROOT=${DBROOT}
        - TZ=${TZ}
      volumes:
        - /var/run/docker.sock:/var/run/docker.sock:ro
      networks:
        mailcow-network:
          aliases:
            - dockerapi
    solr-mailcow:
      image: mailcow/solr:1.7
      restart: always
      volumes:
        - solr-vol-1:/opt/solr/server/solr/dovecot-fts/data:Z
      ports:
        - "${SOLR_PORT:-127.0.0.1:18983}:8983"
      environment:
        - TZ=${TZ}
        - SOLR_HEAP=${SOLR_HEAP:-1024}
        - SKIP_SOLR=${SKIP_SOLR:-y}
      networks:
        mailcow-network:
          aliases:
            - solr
    olefy-mailcow:
      image: mailcow/olefy:1.4
      restart: always
      environment:
        - TZ=${TZ}
        - OLEFY_BINDADDRESS=0.0.0.0
        - OLEFY_BINDPORT=10055
        - OLEFY_TMPDIR=/tmp
        - OLEFY_PYTHON_PATH=/usr/bin/python3
        - OLEFY_OLEVBA_PATH=/usr/bin/olevba3
        - OLEFY_LOGLVL=20
        - OLEFY_MINLENGTH=500
        - OLEFY_DEL_TMP=1
      networks:
        mailcow-network:
          aliases:
            - olefy
    ipv6nat-mailcow:
      depends_on:
        - unbound-mailcow
        - mysql-mailcow
        - redis-mailcow
        - clamd-mailcow
        - rspamd-mailcow
        - php-fpm-mailcow
        - sogo-mailcow
        - dovecot-mailcow
        - postfix-mailcow
        - memcached-mailcow
        - nginx-mailcow
        - acme-mailcow
        - netfilter-mailcow
        - watchdog-mailcow
        - dockerapi-mailcow
        - solr-mailcow
      environment:
        - TZ=${TZ}
      image: robbertkl/ipv6nat
      security_opt:
        - label=disable
      restart: always
      privileged: true
      network_mode: "host"
      volumes:
        - /var/run/docker.sock:/var/run/docker.sock:ro
        - /lib/modules:/lib/modules:ro
networks:
  mailcow-network:
    driver: bridge
    driver_opts:
      com.docker.network.bridge.name: br-mailcow-l2
      com.docker.network.driver.mtu: 1500
    enable_ipv6: true
    ipam:
      driver: default
      config:
        - subnet: ${IPV4_NETWORK:-172.22.1}.0/24
        - subnet: ${IPV6_NETWORK:-fd4d:6169:6c63:6f77::/64}
volumes:
  vmail-vol-1:
  vmail-index-vol-1:
  mysql-vol-1:
  mysql-socket-vol-1:
  redis-vol-1:
  rspamd-vol-1:
  solr-vol-1:
  postfix-vol-1:
  crypt-vol-1:
  sogo-web-vol-1:
  sogo-userdata-backup-vol-1:

We
We add ipv6 port mappings there.

Edit mtu size by adding data to docker-compose


cat /sys/class/net/enp0s31f6/mtu

output

1500

and set in docker-compose

com.docker.network.driver.mtu: 1500

Pull all docker images

docker-compose pull

Check docker-compose config

docker-compose config

Up


docker-compose up -d

Login in default admin page


https://mail.linux2be.com/admin

Default login password

  admin / moohoo

Create new admin user

supddd dsdsdsdkjh347fhdfdf

And delete default admin user(admin)

Create dkim record(1024 key) for domain linux2be.com from page https://mail.linux2be.com/admin

Create txt record(s) for domain linux2be.com

TXT dkim._domainkey.linux2be.com

with data

v=DKIM1;k=rsa;t=s;s=email;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPDrvswC/FnfYa8hrcZZCfDYsq7YJ+/uNAEWQLPcilZ5PFiNtHLg/Pfrq34pjSDIj+Z7+uVQq7piEBf6mH5hxQ714Lx/C44H+v394PlBj/cTsfdXLZkAkr4ntVbzo9mEK+RdEa9q8LLLyF7dn80OJeFJFijk2jyPsJoUE6YSyYVQIDAQAB

Create mx record

@ IN MX 10 mail.linux2be.com

Create dmarc record for linux2be.com

TXT _dmarc.linux2be.com "v=DMARC1;p=reject;rua=mailto:webmaster@linux2be.com; ruf=mailto:webmaster@linux2be.com"

Create spf record

TXT linux2be.com "v=spf1 ip4:135.183.115.17 ip6:2a01:4g9:3a:556::17 a mx ~all"

Create srv records(if nessecary)

_imap._tcp          IN SRV     0 1 143   mail.linux2be.com
_imaps._tcp         IN SRV     0 1 993   mail.linux2be.com
_pop3._tcp          IN SRV     0 1 110   mail.linux2be.com
_pop3s._tcp         IN SRV     0 1 995   mail.linux2be.com
_submission._tcp    IN SRV     0 1 587   mail.linux2be.com
_smtps._tcp         IN SRV     0 1 465   mail.linux2be.com
_sieve._tcp         IN SRV     0 1 4190  mail.linux2be.com
_autodiscover._tcp  IN SRV     0 1 443   mail.linux2be.com
_carddavs._tcp      IN SRV     0 1 443   mail.linux2be.com
_carddavs._tcp      IN TXT     "path=/SOGo/dav/"
_caldavs._tcp       IN SRV     0 1 443   mail.linux2be.com
_caldavs._tcp       IN TXT     "path=/SOGo/dav/"

Add mail domain to google postmaster

https://postmaster.google.com/u/0/managedomains

Result records – example with cloudflare

img

Check records

host -tMX linux2be.com - ok
dig TXT _dmarc.linux2be.com - ok
dig TXT dkim._domainkey.linux2be.com - ok
dig TXT _dmarc. linux2be.com - ok
dig txt google._domainkey.linux2be.com - ok
nslookup -type=txt _dmarc.linux2be.com - ok 

spf

https://www.dmarcanalyzer.com/spf/checker/ – ok

Create domain and mail boxes

noreply@linux2be.com  pXL}\+99#Zq#twhYVsdsd
webmaster@linux2be.com pXL}\+99#Zq#twhYsdsdsdsds

Snippets

let’s encrypt renew certs script

#!/bin/bash
DOMAINS="linux2be.com"
mailcow_renew_cert(){
  for DOMAIN in $DOMAINS
  do
    echo "renew ssl cert for domain $DOMAIN"
    cd /docker-compose/SWARM/services/mail/${DOMAIN}/mailcow-dockerized/ && touch data/assets/ssl/force_renew && docker-compose restart acme-mailcow && rm data/assets/ssl/force_renew
    sleep 180;
  done
}
mailcow_reload(){
  dockers_postfix=$(docker ps -qaf name=postfix-mailcow)
  dockers_nginx=$(docker ps -qaf name=nginx-mailcow)
  dockers_dovecot=$(docker ps -qaf name=dovecot-mailcow)
  for docker_postfix in ${dockers_postfix}
  do
    echo "reload postfix docker $docker_postfix"
    docker exec $docker_postfix postfix reload
  done
  for docker_nginx in ${dockers_nginx}
  do
    echo "reload nginx docker $docker_nginx"
    docker exec $docker_nginx nginx -s reload
  done
  for docker_dovecot in ${dockers_dovecot}
  do
    echo "reload dovecot docker $docker_dovecot"
    docker exec $docker_dovecot dovecot reload
  done
}
main(){
  mailcow_renew_cert
  mailcow_reload
}
main

And check ssl info

echo | openssl s_client -showcerts -servername mail.linux2be.com -connect mail.linux2be.com:443 2>/dev/null | openssl x509 -inform pem -noout -text  | head -n 10

FAQ

SPF defines the range of domains from which letters can go to users of your organization

DMARC defines how suspicious emails in the domain are processed.

MANS

Добавить комментарий

Ваш адрес email не будет опубликован. Обязательные поля помечены *

 

Этот сайт использует Akismet для борьбы со спамом. Узнайте как обрабатываются ваши данные комментариев.