diff --git a/core/admin/Dockerfile b/core/admin/Dockerfile index 29eb69f6..2d209b32 100644 --- a/core/admin/Dockerfile +++ b/core/admin/Dockerfile @@ -1,17 +1,21 @@ -FROM python:3-alpine - +FROM alpine:3.8 +# python3 shared with most images +RUN apk add --no-cache \ + python3 py3-pip \ + && pip3 install --upgrade pip +# Image specific layers under this line RUN mkdir -p /app WORKDIR /app COPY requirements-prod.txt requirements.txt -RUN apk add --no-cache openssl \ - && apk add --no-cache --virtual build-dep openssl-dev libffi-dev python-dev build-base \ - && pip install -r requirements.txt \ +RUN apk add --no-cache openssl curl \ + && apk add --no-cache --virtual build-dep openssl-dev libffi-dev python3-dev build-base \ + && pip3 install -r requirements.txt \ && apk del --no-cache build-dep COPY mailu ./mailu COPY migrations ./migrations -COPY start.sh /start.sh +COPY start.py /start.py RUN pybabel compile -d mailu/translations @@ -19,4 +23,6 @@ EXPOSE 80/tcp VOLUME ["/data"] ENV FLASK_APP mailu -CMD ["/start.sh"] +CMD /start.py + +HEALTHCHECK CMD curl -f -L http://localhost/ui || exit 1 diff --git a/core/admin/mailu/__init__.py b/core/admin/mailu/__init__.py index 3914e9f6..6b245c3b 100644 --- a/core/admin/mailu/__init__.py +++ b/core/admin/mailu/__init__.py @@ -54,3 +54,4 @@ def create_app(): """ config = configuration.ConfigManager() return create_app_from_config(config) + diff --git a/core/admin/mailu/internal/templates/default.sieve b/core/admin/mailu/internal/templates/default.sieve index 5a80a181..d771ee99 100644 --- a/core/admin/mailu/internal/templates/default.sieve +++ b/core/admin/mailu/internal/templates/default.sieve @@ -32,9 +32,6 @@ if exists "X-Virus" { stop; } -{% if user.reply_enabled %} -if currentdate :value "le" "date" "{{ user.reply_enddate }}" -{ - vacation :days 1 :subject "{{ user.reply_subject }}" "{{ user.reply_body }}"; -} +{% if user.reply_active %} +vacation :days 1 :subject "{{ user.reply_subject }}" "{{ user.reply_body }}"; {% endif %} diff --git a/core/admin/mailu/internal/views/dovecot.py b/core/admin/mailu/internal/views/dovecot.py index 99ec0f6b..bf2ce2e5 100644 --- a/core/admin/mailu/internal/views/dovecot.py +++ b/core/admin/mailu/internal/views/dovecot.py @@ -3,13 +3,24 @@ from mailu.internal import internal from flask import current_app as app import flask - +import socket +import os @internal.route("/dovecot/passdb/") def dovecot_passdb_dict(user_email): user = models.User.query.get(user_email) or flask.abort(404) + allow_nets = [] + allow_nets.append( + app.config.get("POD_ADDRESS_RANGE") or + socket.gethostbyname(app.config["HOST_FRONT"]) + ) + if os.environ["WEBMAIL"] != "none": + allow_nets.append(socket.gethostbyname(app.config["HOST_WEBMAIL"])) + print(allow_nets) return flask.jsonify({ - "password": user.password, + "password": None, + "nopassword": "Y", + "allow_nets": ",".join(allow_nets) }) diff --git a/core/admin/mailu/models.py b/core/admin/mailu/models.py index 22839e3b..d1c6b370 100644 --- a/core/admin/mailu/models.py +++ b/core/admin/mailu/models.py @@ -40,11 +40,14 @@ class IdnaEmail(db.TypeDecorator): impl = db.String(255, collation="NOCASE") def process_bind_param(self, value, dialect): - localpart, domain_name = value.split('@') - return "{0}@{1}".format( - localpart, - idna.encode(domain_name).decode('ascii'), - ) + try: + localpart, domain_name = value.split('@') + return "{0}@{1}".format( + localpart, + idna.encode(domain_name).decode('ascii'), + ) + except ValueError: + pass def process_result_value(self, value, dialect): localpart, domain_name = value.split('@') @@ -276,6 +279,8 @@ class User(Base, Email): reply_enabled = db.Column(db.Boolean(), nullable=False, default=False) reply_subject = db.Column(db.String(255), nullable=True, default=None) reply_body = db.Column(db.Text(), nullable=True, default=None) + reply_startdate = db.Column(db.Date, nullable=False, + default=date(1900, 1, 1)) reply_enddate = db.Column(db.Date, nullable=False, default=date(2999, 12, 31)) @@ -295,14 +300,24 @@ class User(Base, Email): @property def destination(self): if self.forward_enabled: - result = self.self.forward_destination + result = self.forward_destination if self.forward_keep: result += ',' + self.email return result else: return self.email - scheme_dict = {'BLF-CRYPT': "bcrypt", + @property + def reply_active(self): + now = date.today() + return ( + self.reply_enabled and + self.reply_startdate < now and + self.reply_enddate > now + ) + + scheme_dict = {'PBKDF2': "pbkdf2_sha512", + 'BLF-CRYPT': "bcrypt", 'SHA512-CRYPT': "sha512_crypt", 'SHA256-CRYPT': "sha256_crypt", 'MD5-CRYPT': "md5_crypt", @@ -315,8 +330,14 @@ class User(Base, Email): ) def check_password(self, password): + context = User.pw_context reference = re.match('({[^}]+})?(.*)', self.password).group(2) - return self.get_password_context().verify(password, reference) + result = context.verify(password, reference) + if result and context.identify(reference) != context.default_scheme(): + self.set_password(password) + db.session.add(self) + db.session.commit() + return result def set_password(self, password, hash_scheme=None, raw=False): """Set password for user with specified encryption scheme diff --git a/core/admin/mailu/ui/forms.py b/core/admin/mailu/ui/forms.py index 326d721b..4f7a30ae 100644 --- a/core/admin/mailu/ui/forms.py +++ b/core/admin/mailu/ui/forms.py @@ -117,6 +117,7 @@ class UserReplyForm(flask_wtf.FlaskForm): reply_subject = fields.StringField(_('Reply subject')) reply_body = fields.StringField(_('Reply body'), widget=widgets.TextArea()) + reply_startdate = fields.html5.DateField(_('Start of vacation')) reply_enddate = fields.html5.DateField(_('End of vacation')) submit = fields.SubmitField(_('Update')) diff --git a/core/admin/mailu/ui/templates/user/reply.html b/core/admin/mailu/ui/templates/user/reply.html index 7906bc42..7225a178 100644 --- a/core/admin/mailu/ui/templates/user/reply.html +++ b/core/admin/mailu/ui/templates/user/reply.html @@ -13,14 +13,17 @@
{{ form.hidden_tag() }} {{ macros.form_field(form.reply_enabled, - onchange="if(this.checked){$('#reply_subject,#reply_body,#reply_enddate').removeAttr('readonly')} + onchange="if(this.checked){$('#reply_subject,#reply_body,#reply_enddate,#reply_startdate').removeAttr('readonly')} else{$('#reply_subject,#reply_body,#reply_enddate').attr('readonly', '')}") }} {{ macros.form_field(form.reply_subject, **{("rw" if user.reply_enabled else "readonly"): ""}) }} {{ macros.form_field(form.reply_body, rows=10, **{("rw" if user.reply_enabled else "readonly"): ""}) }} {{ macros.form_field(form.reply_enddate, - **{("rw" if user.reply_enabled else "readonly"): ""}) }} + **{("rw" if user.reply_enabled else "readonly"): ""}) }} + {{ macros.form_field(form.reply_startdate, + **{("rw" if user.reply_enabled else "readonly"): ""}) }} + {{ macros.form_field(form.submit) }}
{% endcall %} diff --git a/core/admin/migrations/versions/3b281286c7bd_.py b/core/admin/migrations/versions/3b281286c7bd_.py new file mode 100644 index 00000000..57b5c327 --- /dev/null +++ b/core/admin/migrations/versions/3b281286c7bd_.py @@ -0,0 +1,24 @@ +""" Add a start day for vacations + +Revision ID: 3b281286c7bd +Revises: 25fd6c7bcb4a +Create Date: 2018-09-27 22:20:08.158553 + +""" + +revision = '3b281286c7bd' +down_revision = '25fd6c7bcb4a' + +from alembic import op +import sqlalchemy as sa + + +def upgrade(): + with op.batch_alter_table('user') as batch: + batch.add_column(sa.Column('reply_startdate', sa.Date(), nullable=False, + server_default="1900-01-01")) + + +def downgrade(): + with op.batch_alter_table('user') as batch: + batch.drop_column('reply_startdate') diff --git a/core/admin/start.py b/core/admin/start.py new file mode 100755 index 00000000..bf0dc38f --- /dev/null +++ b/core/admin/start.py @@ -0,0 +1,7 @@ +#!/usr/bin/python3 + +import os + +os.system("flask mailu advertise") +os.system("flask db upgrade") +os.system("gunicorn -w 4 -b :80 --access-logfile - --error-logfile - --preload 'mailu:create_app()'") diff --git a/core/admin/start.sh b/core/admin/start.sh deleted file mode 100755 index b3538204..00000000 --- a/core/admin/start.sh +++ /dev/null @@ -1,6 +0,0 @@ -#!/bin/sh - -flask mailu advertise -flask db upgrade - -gunicorn -w 4 -b :80 --access-logfile - --error-logfile - --preload "$FLASK_APP:create_app()" diff --git a/core/dovecot/Dockerfile b/core/dovecot/Dockerfile index d8d4c55b..1d4f7b91 100644 --- a/core/dovecot/Dockerfile +++ b/core/dovecot/Dockerfile @@ -1,10 +1,16 @@ FROM alpine:3.8 - +# python3 shared with most images RUN apk add --no-cache \ - dovecot dovecot-pigeonhole-plugin dovecot-fts-lucene rspamd-client \ - python3 py3-pip \ - && pip3 install --upgrade pip \ - && pip3 install jinja2 podop tenacity + python3 py3-pip \ + && pip3 install --upgrade pip +# Shared layer between rspamd, postfix, dovecot, unbound and nginx +RUN pip3 install jinja2 +# Shared layer between rspamd, postfix, dovecot +RUN pip3 install tenacity +# Image specific layers under this line +RUN apk add --no-cache \ + dovecot dovecot-pigeonhole-plugin dovecot-fts-lucene rspamd-client bash \ + && pip3 install podop COPY conf /conf COPY start.py /start.py @@ -13,3 +19,5 @@ EXPOSE 110/tcp 143/tcp 993/tcp 4190/tcp 2525/tcp VOLUME ["/data", "/mail"] CMD /start.py + +HEALTHCHECK --start-period=350s CMD echo QUIT|nc localhost 110|grep "Dovecot ready." diff --git a/core/dovecot/conf/bin/ham b/core/dovecot/conf/bin/ham new file mode 100755 index 00000000..c74a97bd --- /dev/null +++ b/core/dovecot/conf/bin/ham @@ -0,0 +1,4 @@ +#!/bin/bash + +tee >(rspamc -h antispam:11334 -P mailu learn_ham /dev/stdin) \ + | rspamc -h antispam:11334 -P mailu -f 13 fuzzy_add /dev/stdin \ No newline at end of file diff --git a/core/dovecot/conf/bin/mailtrain b/core/dovecot/conf/bin/mailtrain deleted file mode 100755 index cfa36398..00000000 --- a/core/dovecot/conf/bin/mailtrain +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/sh - -rspamc -h antispam:11334 -P mailu "learn_$1" /dev/stdin <&0 diff --git a/core/dovecot/conf/bin/spam b/core/dovecot/conf/bin/spam new file mode 100755 index 00000000..e6a66f89 --- /dev/null +++ b/core/dovecot/conf/bin/spam @@ -0,0 +1,4 @@ +#!/bin/bash + +tee >(rspamc -h antispam:11334 -P mailu learn_spam /dev/stdin) \ + >(rspamc -h antispam:11334 -P mailu -f 11 fuzzy_add /dev/stdin) \ No newline at end of file diff --git a/core/dovecot/conf/dovecot.conf b/core/dovecot/conf/dovecot.conf index d6c4eb21..a9ec2676 100644 --- a/core/dovecot/conf/dovecot.conf +++ b/core/dovecot/conf/dovecot.conf @@ -136,7 +136,8 @@ service managesieve { } plugin { - sieve = dict:proxy:/tmp/podop.socket:sieve + sieve = file:~/sieve;active=~/.dovecot.sieve + sieve_before = dict:proxy:/tmp/podop.socket:sieve sieve_plugins = sieve_imapsieve sieve_extprograms sieve_extensions = +spamtest +spamtestplus +editheader sieve_global_extensions = +vnd.dovecot.execute diff --git a/core/dovecot/conf/report-ham.sieve b/core/dovecot/conf/report-ham.sieve index 1ad8abdf..0c69d67b 100644 --- a/core/dovecot/conf/report-ham.sieve +++ b/core/dovecot/conf/report-ham.sieve @@ -8,4 +8,4 @@ if string "${mailbox}" "Trash" { stop; } -execute :pipe "mailtrain" "ham"; +execute :pipe "ham"; diff --git a/core/dovecot/conf/report-spam.sieve b/core/dovecot/conf/report-spam.sieve index b2a544a6..108d6210 100644 --- a/core/dovecot/conf/report-spam.sieve +++ b/core/dovecot/conf/report-spam.sieve @@ -1,3 +1,3 @@ require "vnd.dovecot.execute"; -execute :pipe "mailtrain" "spam"; +execute :pipe "spam"; diff --git a/core/dovecot/start.py b/core/dovecot/start.py index afd0513e..8bf66efd 100755 --- a/core/dovecot/start.py +++ b/core/dovecot/start.py @@ -21,20 +21,17 @@ def start_podop(): convert = lambda src, dst: open(dst, "w").write(jinja2.Template(open(src).read()).render(**os.environ)) -@retry(stop=tenacity.stop_after_attempt(100), wait=tenacity.wait_random(min=2, max=5)) -def resolve(): - os.environ["FRONT_ADDRESS"] = socket.gethostbyname(os.environ.get("FRONT_ADDRESS", "front")) - os.environ["REDIS_ADDRESS"] = socket.gethostbyname(os.environ.get("REDIS_ADDRESS", "redis")) - if os.environ["WEBMAIL"] != "none": - os.environ["WEBMAIL_ADDRESS"] = socket.gethostbyname(os.environ.get("WEBMAIL_ADDRESS", "webmail")) - # Actual startup script -resolve() +resolve = retry(socket.gethostbyname, stop=tenacity.stop_after_attempt(100), wait=tenacity.wait_random(min=2, max=5)) +os.environ["FRONT_ADDRESS"] = resolve(os.environ.get("FRONT_ADDRESS", "front")) +os.environ["REDIS_ADDRESS"] = resolve(os.environ.get("REDIS_ADDRESS", "redis")) +if os.environ["WEBMAIL"] != "none": + os.environ["WEBMAIL_ADDRESS"] = resolve(os.environ.get("WEBMAIL_ADDRESS", "webmail")) for dovecot_file in glob.glob("/conf/*.conf"): convert(dovecot_file, os.path.join("/etc/dovecot", os.path.basename(dovecot_file))) # Run Podop, then postfix multiprocessing.Process(target=start_podop).start() -os.system("chown -R mail:mail /mail /var/lib/dovecot") +os.system("chown -R mail:mail /mail /var/lib/dovecot /conf") os.execv("/usr/sbin/dovecot", ["dovecot", "-c", "/etc/dovecot/dovecot.conf", "-F"]) diff --git a/core/nginx/Dockerfile b/core/nginx/Dockerfile index 1b61447a..7181487e 100644 --- a/core/nginx/Dockerfile +++ b/core/nginx/Dockerfile @@ -1,9 +1,13 @@ FROM alpine:3.8 - -RUN apk add --no-cache certbot nginx nginx-mod-mail openssl \ - python py-jinja2 py-requests-toolbelt py-pip \ - && pip install --upgrade pip \ - && pip install idna +# python3 shared with most images +RUN apk add --no-cache \ + python3 py3-pip \ + && pip3 install --upgrade pip +# Shared layer between rspamd, postfix, dovecot, unbound and nginx +RUN pip3 install jinja2 +# Image specific layers under this line +RUN apk add --no-cache certbot nginx nginx-mod-mail openssl curl \ + && pip3 install idna requests COPY conf /conf COPY *.py / @@ -12,3 +16,5 @@ EXPOSE 80/tcp 443/tcp 110/tcp 143/tcp 465/tcp 587/tcp 993/tcp 995/tcp 25/tcp 100 VOLUME ["/certs"] CMD /start.py + +HEALTHCHECK CMD curl -k -f -L http://localhost/health || exit 1 diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf index 8fcda1c3..17d67526 100644 --- a/core/nginx/conf/nginx.conf +++ b/core/nginx/conf/nginx.conf @@ -34,6 +34,8 @@ http { '' $scheme; } + # Disable the main http server when on kubernetes (port 80 and 443) + {% if KUBERNETES_INGRESS != 'true' %} # Main HTTP server server { # Variables for proxifying @@ -48,8 +50,8 @@ http { # Only enable HTTPS if TLS is enabled with no error {% if TLS and not TLS_ERROR %} - listen 443 ssl; - listen [::]:443 ssl; + listen 443 ssl http2; + listen [::]:443 ssl http2; include /etc/nginx/tls.conf; ssl_session_cache shared:SSLHTTP:50m; @@ -91,8 +93,10 @@ http { {% endif %} location {{ WEB_WEBMAIL }} { + {% if WEB_WEBMAIL != '/' %} rewrite ^({{ WEB_WEBMAIL }})$ $1/ permanent; rewrite ^{{ WEB_WEBMAIL }}/(.*) /$1 break; + {% endif %} include /etc/nginx/proxy.conf; client_max_body_size {{ MESSAGE_SIZE_LIMIT|int + 8388608 }}; proxy_pass http://$webmail; @@ -146,7 +150,12 @@ http { proxy_pass_request_body off; proxy_set_header Content-Length ""; } + + location /health { + return 204; + } } + {% endif %} # Forwarding authentication server server { diff --git a/core/nginx/config.py b/core/nginx/config.py index 33071d01..07b7ea32 100755 --- a/core/nginx/config.py +++ b/core/nginx/config.py @@ -1,4 +1,4 @@ -#!/usr/bin/python +#!/usr/bin/python3 import jinja2 import os diff --git a/core/nginx/letsencrypt.py b/core/nginx/letsencrypt.py index b6044eca..3fe8ea92 100755 --- a/core/nginx/letsencrypt.py +++ b/core/nginx/letsencrypt.py @@ -1,4 +1,4 @@ -#!/usr/bin/python +#!/usr/bin/python3 import os import time diff --git a/core/nginx/start.py b/core/nginx/start.py index b63b64a2..7c5fa71e 100755 --- a/core/nginx/start.py +++ b/core/nginx/start.py @@ -1,4 +1,4 @@ -#!/usr/bin/python +#!/usr/bin/python3 import os import subprocess diff --git a/core/postfix/Dockerfile b/core/postfix/Dockerfile index ea58ce1d..ac9c8159 100644 --- a/core/postfix/Dockerfile +++ b/core/postfix/Dockerfile @@ -1,9 +1,16 @@ FROM alpine:3.8 +# python3 shared with most images +RUN apk add --no-cache \ + python3 py3-pip \ + && pip3 install --upgrade pip +# Shared layer between rspamd, postfix, dovecot, unbound and nginx +RUN pip3 install jinja2 +# Shared layer between rspamd, postfix, dovecot +RUN pip3 install tenacity +# Image specific layers under this line RUN apk add --no-cache postfix postfix-pcre rsyslog \ - python3 py3-pip \ - && pip3 install --upgrade pip \ - && pip3 install jinja2 podop tenacity + && pip3 install podop COPY conf /conf COPY start.py /start.py @@ -12,3 +19,5 @@ EXPOSE 25/tcp 10025/tcp VOLUME ["/data"] CMD /start.py + +HEALTHCHECK --start-period=350s CMD echo QUIT|nc localhost 25|grep "220 .* ESMTP Postfix" diff --git a/core/postfix/conf/main.cf b/core/postfix/conf/main.cf index 1f5c8f7c..7db429bb 100644 --- a/core/postfix/conf/main.cf +++ b/core/postfix/conf/main.cf @@ -32,7 +32,7 @@ relayhost = {{ RELAYHOST }} recipient_delimiter = {{ RECIPIENT_DELIMITER }} # Only the front server is allowed to perform xclient -smtpd_authorized_xclient_hosts={{ FRONT_ADDRESS }} +smtpd_authorized_xclient_hosts={{ FRONT_ADDRESS }} {{ POD_ADDRESS_RANGE }} ############### # TLS diff --git a/core/postfix/start.py b/core/postfix/start.py index decc17b9..b3bb328d 100755 --- a/core/postfix/start.py +++ b/core/postfix/start.py @@ -24,12 +24,10 @@ def start_podop(): convert = lambda src, dst: open(dst, "w").write(jinja2.Template(open(src).read()).render(**os.environ)) -@retry(stop=tenacity.stop_after_attempt(100), wait=tenacity.wait_random(min=2, max=5)) -def resolve(): - os.environ["FRONT_ADDRESS"] = socket.gethostbyname(os.environ.get("FRONT_ADDRESS", "front")) - # Actual startup script -resolve() +resolve = retry(socket.gethostbyname, stop=tenacity.stop_after_attempt(100), wait=tenacity.wait_random(min=2, max=5)) + +os.environ["FRONT_ADDRESS"] = resolve(os.environ.get("FRONT_ADDRESS", "front")) os.environ["HOST_ANTISPAM"] = os.environ.get("HOST_ANTISPAM", "antispam:11332") os.environ["HOST_LMTP"] = os.environ.get("HOST_LMTP", "imap:2525") diff --git a/docs/Dockerfile b/docs/Dockerfile index af481a27..828788f7 100644 --- a/docs/Dockerfile +++ b/docs/Dockerfile @@ -2,13 +2,21 @@ FROM python:3-alpine COPY requirements.txt /requirements.txt +ARG version=master +ENV VERSION=$version + RUN pip install -r /requirements.txt \ - && apk add --no-cache nginx \ + && apk add --no-cache nginx curl \ && mkdir /run/nginx COPY ./nginx.conf /etc/nginx/conf.d/default.conf COPY . /docs -RUN sphinx-build /docs /build +RUN mkdir -p /build/$VERSION \ + && sphinx-build /docs /build/$VERSION -CMD nginx -g "daemon off;" \ No newline at end of file +EXPOSE 80/tcp + +CMD nginx -g "daemon off;" + +HEALTHCHECK CMD curl -f -L http://localhost/ || exit 1 diff --git a/docs/_templates/layout.html b/docs/_templates/layout.html index 3f424a0a..63db07e2 100644 --- a/docs/_templates/layout.html +++ b/docs/_templates/layout.html @@ -1,2 +1,9 @@ -{% set version=github_version %} {% extends "!layout.html" %} +{% block document %} +{% if version != stable_version %} +
+

You are currently browsing documentation for the {{ version }} branch. Documentation for the stable {{ stable_version }} branch can be found here.

+
+{% endif %} +{{ super() }} +{% endblock %} diff --git a/docs/_templates/page.html b/docs/_templates/page.html deleted file mode 100644 index 97296793..00000000 --- a/docs/_templates/page.html +++ /dev/null @@ -1,4 +0,0 @@ -{%- extends "layout.html" %} -{% block body %} - {{ body|replace("VERSION_TAG", version) }} -{% endblock %} diff --git a/docs/_templates/versions.html b/docs/_templates/versions.html new file mode 100644 index 00000000..db4d332d --- /dev/null +++ b/docs/_templates/versions.html @@ -0,0 +1,16 @@ +
+ + Versions + v: {{ version }} + + +
+
+
{{ _('Versions') }}
+ {% for slug, url in versions %} +
{{ slug }}
+ {% endfor %} +
+
+
+ diff --git a/docs/cli.rst b/docs/cli.rst index 8cfb440b..bdf4a6d1 100644 --- a/docs/cli.rst +++ b/docs/cli.rst @@ -39,7 +39,7 @@ primary difference with simple `user` command is that password is being imported .. code-block:: bash - docker-compose exec admin flask mailu user --hash_scheme='SHA512-CRYPT' myuser example.net '$6$51ebe0cb9f1dab48effa2a0ad8660cb489b445936b9ffd812a0b8f46bca66dd549fea530ce' + docker-compose run --rm admin python manage.py user --hash_scheme='SHA512-CRYPT' myuser example.net '$6$51ebe0cb9f1dab48effa2a0ad8660cb489b445936b9ffd812a0b8f46bca66dd549fea530ce' user_delete ------------ diff --git a/docs/compose/.env b/docs/compose/.env index 7823bc3e..2100e27a 100644 --- a/docs/compose/.env +++ b/docs/compose/.env @@ -130,8 +130,8 @@ LOG_DRIVER=json-file COMPOSE_PROJECT_NAME=mailu # Default password scheme used for newly created accounts and changed passwords -# (value: BLF-CRYPT, SHA512-CRYPT, SHA256-CRYPT, MD5-CRYPT, CRYPT) -PASSWORD_SCHEME=BLF-CRYPT +# (value: PBKDF2, BLF-CRYPT, SHA512-CRYPT, SHA256-CRYPT) +PASSWORD_SCHEME=PBKDF2 # Header to take the real ip from REAL_IP_HEADER= diff --git a/docs/conf.py b/docs/conf.py index f89b39fd..64997eb1 100644 --- a/docs/conf.py +++ b/docs/conf.py @@ -2,6 +2,8 @@ # -*- coding: utf-8 -*- # +import os + extensions = ['sphinx.ext.imgmath', 'sphinx.ext.viewcode'] templates_path = ['_templates'] source_suffix = '.rst' @@ -9,9 +11,9 @@ master_doc = 'index' project = 'Mailu' copyright = '2018, Mailu authors' author = 'Mailu authors' -version = release = 'latest' +version = release = os.environ.get('VERSION', 'master') language = None -exclude_patterns = ['_build', 'Thumbs.db', '.DS_Store'] +exclude_patterns = ['_build', 'Thumbs.db', '.DS_Store', 'Dockerfile', 'docker-compose.yml'] pygments_style = 'sphinx' todo_include_todos = False html_theme = 'sphinx_rtd_theme' @@ -33,6 +35,11 @@ html_context = { 'display_github': True, 'github_user': 'mailu', 'github_repo': 'mailu', - 'github_version': 'master', + 'github_version': version, + 'stable_version': '1.5', + 'versions': [ + ('1.5', '/1.5/'), + ('master', '/master/') + ], 'conf_py_path': '/docs/' } diff --git a/docs/contributors/environment.rst b/docs/contributors/environment.rst index f1f447e2..b539293b 100644 --- a/docs/contributors/environment.rst +++ b/docs/contributors/environment.rst @@ -1,20 +1,117 @@ Development environment ======================= +Git +--- + +Before any partaking in development, you will need to fork the Mailu repository on GitHub. +For this you will need a `GitHub`_ account. GitHub has excellent documentation on: + +#. How to `fork a repo`_ and set upstream (Mailu); +#. Keeping your fork `synced`_; +#. Sending a `pull request`_. + +Working on Mailu usually requires you to clone (download) your fork to your work station and +create a branch. From here you can work on Mailu. When done, create a commit and push the +branch to your GitHub repository. Then, on GitHub you can create a "pull request". +Please make sure you have read the :ref:`git_workflow` section of the *Development guidelines* +before submitting any pull requests. + +.. note:: It is strongly advised to **never** modify the ``master`` branch of your fork. + This will make it impossible to sync your fork with upstream and creating new (and clean) + branches! This includes never merging other branches from yourself or other users into your + ``master``. If you want to do that, create a separate branch for it. + +Short work flow example +``````````````````````` + +.. code-block:: bash + + git clone https://github.com//Mailu.git + cd Mailu + git add remote upstream https://github.com/Mailu/Mailu.git + git checkout -b fix-something master + +Work on the code as desired. Before doing a commit, you should at least build +and run the containers. Keep reading this guide for more information. After this, +continue to commit and send a PR. + +.. code-block:: bash + + git commit -a + #Enter commit message in editor, save and close. + git push --set-upstream origin fix-something + +Now you can go to your GitHub page, select the new branch and "send pull request". + +Updating your fork +`````````````````` + +The Mailu ``master`` branch is an ever evolving target. It is important that newly +created branches originate from the latest ``upstream/master``. In order to do so, you will +need to `sync your fork`__: + +.. code-block:: bash + + git fetch --all + git checkout master + git merge upstream/master + +If you kept your master branch clean, this should fast-forward it to the latest upstream version. +Likewise, if you worked on your branch for a longer amount of time, it is advised to merge the +latest ``upstream/master`` into the branch. + +.. code-block:: bash + + git checkout my-old-branch + git merge upstream/master + +Now, git won't fast forward but write a merge commit. Typically you can accept the commit message +presented. Read the output if there are any merge conflicts. In ``git status`` you can find the files +that need editing to have the desired contents. Also, it will tell you how to mark them as resolved. + +Optionally, you can ``git push`` after any of above merges to propagate them to GitHub. + +__ `synced`_ + +Bad habits +``````````` + +Some bad habits from users that we are sometimes confronted with. Please refrain yourself from: + +- ``git reset REF`` and ``git push --force`` after submitting a PR. +- Merge a branch (other then master) into yours and submitting a PR before that other branch got + merged into master. It will cause you to submit commits someone else wrote and are probably outside + the subject of your PR. (There are valid cases however, but take care!) +- ``git reset REF`` after merging ``upstream/master`` into your branch. It will unstage **all** + changed files that where updated in the merge. Your will have to clean up all of them + (don't delete!) using ``git checkout -- ``. And take care not to do that to the files you + have modified. However, it can be that the merge modified some other lines then yours. You'll have + to make sure there will be no conflicts when you are submitting this messed up branch to Mailu! You + get the point, I hope. +- ``git rebase`` on a branch that is pull-requested. Others will not be able to see you modified the + branch and it messes with the order of commits, compared to a merge. It might break things after we + have conducted tests. + +.. _`GitHub`: https://github.com/ +.. _`fork a repo`: https://help.github.com/articles/fork-a-repo/ +.. _`synced`: https://help.github.com/articles/syncing-a-fork/ +.. _`pull request`: https://help.github.com/articles/about-pull-requests/ + Docker containers ----------------- -The development environment is quite similar to the production one. You should always use -the ``master`` version when developing. +The development environment is quite similar to the production one. Building images ``````````````` -We supply a separate ``test/build.yml`` file for -convenience. To build all Mailu containers: +We supply a separate ``test/build.yml`` file for convenience. +After cloning the git repository to your workstation, you can build the images: .. code-block:: bash + cd Mailu docker-compose -f tests/build.yml build The ``build.yml`` file has two variables: @@ -73,10 +170,96 @@ Finally, if you need to install packages inside the containers for debugging: docker-compose exec admin apk add --no-cache package-name +Reviewing +--------- + +System requirements +``````````````````` + +Reviewing pull requests requires some additional git setup. First, for 90% of the review jobs, +you will need a PC or server that can expose all Mailu ports to the outside world. Also, a valid +domain name would be required. This can be a simple free DynDNS account. Do not use a production +server, as there are cases where data corruption occurs and you need to delete the ``/mailu`` +directory structure. + +If you do no posses the resources, but want to become an involved tester/reviewer. +Please contact `muhlemmer on Matrix`_. +He can provide access to a testing server, if a thrust relation can be established. + +.. _`muhlemmer on Matrix`: https://matrix.to/#/@muhlemmer:matrix.org + +Preparations +```````````` + +#. Setup `Git`_ the same way as on a development PC. It is advised to keep ``origin`` as your + own repository and ``upstream`` as the one from Mailu. This will avoid confusion; +#. You will need a ``docker-compose.yml`` and ``.env``, set up for the test server; +#. Make sure that the build ``$VERSION`` corresponds with those files. + +Add the sender +`````````````` + +Replace ```` with the repository name the PR is sent from. + +.. code-block:: bash + + git remote add https://github.com//Mailu.git + +Merge conflicts +``````````````` + +Before proceeding, check the PR page in the bottom. It should not indicate a merge conflict. +If there are merge conflicts, you have 2 options: + +#. Do a review "request changes" and ask the author to resolve the merge conflict. +#. Solve the merge conflict yourself on Github, using the web editor. + +If it can't be done in the web editor, go for option 1. Unless you want to go through the trouble of +importing the branch into your fork, do the merge and send a PR to the repository of the *sender*. + +Merge the PR locally +``````````````````````` + +When someone sends a PR, you need merge his PR into master locally. This example will put you in a +"detached head" state and do the merge in that state. Any commits done in this state will be lost +forever when you checkout a "normal" branch. This is exactly what we want, as we do not want to mess +with our repositories. This is just a test run. + +The following must be done on every PR or after every new commit to an existing PR: +1. Fetch the latest status of all the remotes. +2. List all local and remote available branches (this is not needed, but very helpful at times) +3. Checkout ``upstream/master`` +4. Merge ``upstream/master`` with ``SENDER/branch`` + +.. code-block:: bash + + git fetch --all + git checkout upstream/master + # ...You are in 'detached HEAD' state.... (bla bla bla) + git branch -a + # Hit `q` to exit the viewer, if it was opened. Uses arrows up/down for scrolling. + git merge kaiyou/fix-sender-checks + +If git opens a editor for a commit message just save and exit as-is. If you have a merge conflict, +see above and do the complete procedure from ``git fetch`` onward again. + +Test +```` + +You can now build and run the containers for testing. See the "`Docker containers`_" section for +instructions. Play around. See if (external) mails work. Check for whatever functionality the PR is +trying to fix. When happy, you can approve the PR. When running into failures, mark the review as +"request changes" and try to provide as much as possible details on the failure. +(Logs, error codes form clients etc). + +.. note:: Github marks positive reviews as obsolete when a new commit is added to a PR. + This requires a new review from your side. + Web administration ------------------ -The administration Web interface requires a proper dev environment that can easily be setup using ``virtualenv`` (make sure you are using Python 3) : +The administration Web interface requires a proper dev environment that can easily be setup using +``virtualenv`` (make sure you are using Python 3) : .. code-block:: bash @@ -105,7 +288,8 @@ of the screen, that you can open to access query details, internal variables, et Documentation ------------- -Documentation is maintained in the ``docs`` directory and are maintained as `reStructuredText`_ files. It is possible to run a local documentation server for reviewing purposes, using Docker: +Documentation is maintained in the ``docs`` directory and are maintained as `reStructuredText`_ +files. It is possible to run a local documentation server for reviewing purposes, using Docker: .. code-block:: bash @@ -113,8 +297,10 @@ Documentation is maintained in the ``docs`` directory and are maintained as `reS docker build -t docs docs docker run -p 127.0.0.1:8080:80 docs -You can now read the local documentation by navigating to http://localhost:8080. +In a local build Docker always assumes the version to be master. +You can read the local documentation by navigating to http://localhost:8080/master. -.. note:: After modifying the documentation, the image needs to be rebuild and the container restarted for the changes to become visible. +.. note:: After modifying the documentation, the image needs to be rebuild and the container + restarted for the changes to become visible. .. _`reStructuredText`: http://docutils.sourceforge.net/rst.html diff --git a/docs/contributors/guide.rst b/docs/contributors/guide.rst index 705af469..865fca94 100644 --- a/docs/contributors/guide.rst +++ b/docs/contributors/guide.rst @@ -13,6 +13,8 @@ Docker best practices and be as generic as possible : - interesting settings should be available as environment variables - base images should be well-trusted (officiel Alpine or Debian for instance). +.. _git_workflow: + Git workflow ------------ diff --git a/docs/docker-compose.yml b/docs/docker-compose.yml new file mode 100644 index 00000000..0caaa7a4 --- /dev/null +++ b/docs/docker-compose.yml @@ -0,0 +1,21 @@ +version: '3' + + +services: + docs_master: + image: mailu/docs:master + labels: + - traefik.enable=true + - traefik.port=80 + - traefik.main.frontend.rule=Host:${hostname};PathPrefix:/master/ + + docs_15: + image: mailu/docs:1.5 + labels: + - traefik.enable=true + - traefik.port=80 + - traefik.root.frontend.redirect.regex=.* + - traefik.root.frontend.redirect.replacement=/1.5/ + - traefik.root.frontend.rule=Host:${hostname};PathPrefix:/ + - traefik.main.frontend.rule=Host:${hostname};PathPrefix:/1.5/ + diff --git a/docs/faq.rst b/docs/faq.rst new file mode 100644 index 00000000..395b739c --- /dev/null +++ b/docs/faq.rst @@ -0,0 +1,276 @@ +Frequently asked questions +========================== + +Informational +------------- + +Where to ask questions? +``````````````````````` + +First, please read this FAQ to check if your question is listed here. +Simple questions best fit in our `Matrix`_ room. +For more complex questions, you can always open a `new issue`_ on GitHub. +We actively monitor the issues list. + + +My installation is broken! +`````````````````````````` + +We're sorry to hear that. Please check for common mistakes and troubleshooting +advice in the `Technical issues`_ section of this page. + +I think I found a bug! +`````````````````````` + +If you did not manage to solve the issue using this FAQ and there is not any +`open issues`_ describing the same problem, you can continue to open a +`new issue`_ on GitHub. + +I want a new feature or enhancement! +```````````````````````````````````` + +Great! We are always open for suggestions. We currently maintain two tags: + +- `Enhancement issues`_: Typically used for optimization of features in the project. +- `Feature request issues`_: For implementing new functionality, + plugins and applications. + +Please check if your idea (or something similar) is already mentioned there. +If there is one open, you can choose to vote with a thumbs up, so we can +estimate the popular demand. Please refrain from writing comments like +*"me too"* as it clobbers the actual discussion. + +If you can't find anything similar, you can open a `new issue`_. +Please also share (where applicable): + +- Use case: how does this improve the project? +- Any research done on the subject. Perhaps some links to upstream website, + reference implementations etc. + +Why does my feature/bug take so long to solve? +`````````````````````````````````````````````` + +You should be aware that creating, maintaining and expanding a mail server +distribution requires a lot of effort. Mail servers are highly exposed to hacking attempts, +open relay scanners, spam and malware distributors etc. We need to work in a safe way and +have to prevent pushing out something quickly. + +**TODO: Move the next section into the contributors part of docs** +We currently maintain a strict work flow: + +#. Someone writes a solution and sends a pull request; +#. We use Travis-CI for some very basic building and testing; +#. The pull request needs to be code-reviewed and tested by at least two members + from the contributors team. + +Please consider that this project is mostly developed in people their free time. +We thank you for your understanding and patience. + +I would like to donate (for a feature) +`````````````````````````````````````` + +Donations are welcome at the `patreon`_ account of the project lead. It will be used to pay +for infra structure and project related costs. If there are leftovers, it will be distributed +among the developers. + +It is not yet possible to pay for a specific feature. We don't have +any bounty system implemented. Feel free to come with suggestions in +our ongoing `project management`_ discussion issue. + + +.. _`Matrix`: https://matrix.to/#/#mailu:tedomum.net +.. _`open issues`: https://github.com/Mailu/Mailu/issues +.. _`new issue`: https://github.com/Mailu/Mailu/issues/new +.. _`Enhancement issues`: https://github.com/Mailu/Mailu/issues?q=is%3Aissue+is%3Aopen+label%3Atype%2Fenhancement +.. _`Feature request issues`: https://github.com/Mailu/Mailu/issues?q=is%3Aopen+is%3Aissue+label%3Atype%2Ffeature +.. _`patreon`: https://patreon.com/kaiyou +.. _`project management`: https://github.com/Mailu/Mailu/issues/508 + +Deployment related +------------------ + +How does Mailu scale up? +```````````````````````` + +Recent works allow Mailu to be deployed in Docker Swarm and Kubernetes. +This means it can be scaled horizontally. For more information, refer to :ref:`kubernetes` +or the `Docker swarm howto`_. + +*Issue reference:* `165`_, `520`_. + +How to achieve HA / failover? +````````````````````````````` + +The mailboxes and databases for Mailu are kept on the host filesystem under ``$ROOT/``. +For making the **storage** highly available, all sorts of techniques can be used: + +- Local raid-1 +- btrfs in raid configuration +- Distributed network filesystems such as GlusterFS or CEPH + +Note that no storage HA solution can protect against incidental deletes or file corruptions. +Therefore it is advised to create backups on a regular base! + +A backup MX can be configured as **failover**. For this you need a separate server running +Mailu. On that server, your domains will need to be setup as "Relayed domains", pointing +to you main server. MX records for the mail domains with a higher priority number will have +to point to this server. Please be aware that a backup MX can act as a `spam magnet`_. + +For **service** HA, please see: `How does Mailu scale up?`_ + + +*Issue reference:* `177`_, `591`_. + +.. _`spam magnet`: https://blog.zensoftware.co.uk/2012/07/02/why-we-tend-to-recommend-not-having-a-secondary-mx-these-days/ + + +Can I run Mailu without host iptables? +`````````````````````````````````````` + +When disabling iptables in docker, its forwarding proxy process takes over. +This creates the situation that every incoming connection on port 25 seems to come from the +local network (docker's 172.17.x.x) and is accepted. This causes an open relay! + +For that reason we do **not** support deployment on Docker hosts without iptables. + +*Issue reference:* `332`_. + +How can I override settings? +```````````````````````````` + +Postfix, dovecot and Rspamd support overriding configuration files. Override files belong in +``$ROOT/overrides``. Please refer to the official documentation of those programs for the +correct syntax. The following file names will be taken as override configuration: + +- `Postfix`_ - ``postfix.cf``; +- `Dovecot`_ - ``dovecot.conf``; +- `Rspamd`_ - All files in the ``rspamd`` sub-directory. + +.. _`Postfix`: http://www.postfix.org/postconf.5.html +.. _`Dovecot`: https://wiki.dovecot.org/ConfigFile +.. _`Rspamd`: https://www.rspamd.com/doc/configuration/index.html + +.. _`Docker swarm howto`: https://github.com/Mailu/Mailu/tree/master/docs/swarm/master +.. _`165`: https://github.com/Mailu/Mailu/issues/165 +.. _`177`: https://github.com/Mailu/Mailu/issues/177 +.. _`332`: https://github.com/Mailu/Mailu/issues/332 +.. _`520`: https://github.com/Mailu/Mailu/issues/520 +.. _`591`: https://github.com/Mailu/Mailu/issues/591 + +Technical issues +---------------- + +In this section we are trying to cover the most common problems our users are having. +If your issue is not listed here, please consult issues with the `troubleshooting tag`_. + +Changes in .env don't propagate +``````````````````````````````` + +Variables are sent to the containers at creation time. This means you need to take the project +down and up again. A container restart is not sufficient. + +.. code-block:: bash + + docker-compose down && \ + docker-compose up -d + +*Issue reference:* `615`_. + +TLS certificate issues +`````````````````````` + +When there are issues with the TLS/SSL certificates, Mailu denies service on secure ports. +This is a security precaution. Symptoms are: + +- 403 browser errors; + +These issues are typically caused by four scenarios: + +#. ``TLS_FLAVOR=notls`` in ``.env``; +#. Certificates expired; +#. When ``TLS_FLAVOR=letsencrypt``, it might be that the *certbot* script is not capable of + obtaining the certificates for your domain. See `letsencrypt issues`_ +#. When ``TLS_FLAVOR=certs``, certificates are supposed to be copied to ``/mailu/certs``. + Using an external ``letsencrypt`` program, it tends to happen people copy the whole + ``letsencrypt/live`` directory containing symlinks. Symlinks do not resolve inside the + container and therefore it breaks the TLS implementation. + +letsencrypt issues +.................. + +In order to determine the exact problem on TLS / Let's encrypt issues, it might be helpful +to check the logs. + +.. code-block:: bash + + docker-compose logs front | less -R + docker-compose exec front less /var/log/letsencrypt/letsencrypt.log + +Common problems: + +- Port 80 not reachable from outside. +- Faulty DNS records: make sure that all ``HOSTNAMES`` have **A** (IPv4) and **AAAA** (IPv6) + records, pointing the the ``BIND_ADDRESS4`` and ``BIND_ADDRESS6``. +- DNS cache not yet expired. It might be that old / faulty DNS records are stuck in a cache + en-route to letsencrypt's server. The time this takes is set by the ``TTL`` field in the + records. You'll have to wait at least this time after changing the DNS entries. + Don't keep trying, as you might hit `rate-limits`_. + +.. _`rate-limits`: https://letsencrypt.org/docs/rate-limits/ + +Copying certificates +.................... + +As mentioned above, care must be taken not to copy symlinks to the ``/mailu/certs`` location. + +**The wrong way!:** + +.. code-block:: bash + + cp -r /etc/letsencrypt/live/domain.com /mailu/certs + +**The right way!:** + +.. code-block:: bash + + mkdir -p /mailu/certs + cp /etc/letsencrypt/live/domain.com/privkey.pem /mailu/certs/key.pem + cp /etc/letsencrypt/live/domain.com/fullchain.pem /mailu/certs/cert.pem + +See also :ref:`external_certs`. + +*Issue reference:* `426`_, `615`_. + +Do you support Fail2Ban? +```````````````````````` +Fail2Ban is not included in Mailu. Fail2Ban needs to modify the host's IP tables in order to +ban the addresses. We consider such a program should be run on the host system and not +inside a container. The ``front`` container does use authentication rate limiting to slow +down brute force attacks. + +We *do* provide a possibility to export the logs from the ``front`` service to the host. +For this you need to set ``LOG_DRIVER=journald`` or ``syslog``, depending on the log +manager of the host. You will need to setup the proper Regex in the Fail2Ban configuration. +Be aware that webmail authentication appears to come from the Docker network, +so don't ban those addresses! + +*Issue reference:* `85`_, `116`_, `171`_, `584`_, `592`_. + +Users can't change their password from webmail +`````````````````````````````````````````````` + +All users have the abilty to login to the admin interface. Non-admin users +have only restricted funtionality such as changing their password and the +spam filter weight settings. + +*Issue reference:* `503`_. + +.. _`troubleshooting tag`: https://github.com/Mailu/Mailu/issues?utf8=%E2%9C%93&q=label%3Afaq%2Ftroubleshooting +.. _`85`: https://github.com/Mailu/Mailu/issues/85 +.. _`116`: https://github.com/Mailu/Mailu/issues/116 +.. _`171`: https://github.com/Mailu/Mailu/issues/171 +.. _`426`: https://github.com/Mailu/Mailu/issues/426 +.. _`503`: https://github.com/Mailu/Mailu/issues/503 +.. _`584`: https://github.com/Mailu/Mailu/issues/584 +.. _`592`: https://github.com/Mailu/Mailu/issues/592 +.. _`615`: https://github.com/Mailu/Mailu/issues/615 diff --git a/docs/index.rst b/docs/index.rst index 5219145f..e1f924d2 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -44,6 +44,7 @@ the version of Mailu that you are running. general features + faq releases demo @@ -55,7 +56,7 @@ the version of Mailu that you are running. configuration compose/requirements compose/setup - kubernetes/stable/index + kubernetes/mailu/index dns reverse diff --git a/docs/kubernetes/1.6/README.md b/docs/kubernetes/1.6/README.md deleted file mode 100644 index 21780a0c..00000000 --- a/docs/kubernetes/1.6/README.md +++ /dev/null @@ -1,157 +0,0 @@ -# Install Mailu master on kubernetes - -## Prequisites - -### Structure - -There's chosen to have a double NGINX stack for Mailu, this way the main ingress can still be used to access other websites/domains on your cluster. This is the current structure: - -- `NGINX Ingress controller`: Listens to the nodes ports 80 & 443 and directly forwards all TCP traffic on the E-amail ports (993,143,25,587,...). This is because this `DaemonSet` already consumes ports 80 & 443 and uses `hostNetwork: true` -- `Cert manager`: Creates automatic Lets Encrypt certificates based on an `Ingress`-objects domain name. -- `Mailu NGINX Front container`: This container receives all the mail traffic forwarded from the ingress controller. The web traffic is also forwarded based on an ingress -- `Mailu components`: All Mailu components are split into separate files to make them more - -### What you need -- A working Kubernetes cluster (tested with 1.10.5) -- A working [cert-manager](https://github.com/jetstack/cert-manager) installation -- A working nginx-ingress controller needed for the lets-encrypt certificates. You can find those files in the `nginx` subfolder - -#### Cert manager - -The `Cert-manager` is quite easy to deploy using Helm when reading the [docs](https://cert-manager.readthedocs.io/en/latest/getting-started/2-installing.html). -After booting the `Cert-manager` you'll need a `ClusterIssuer` which takes care of all required certificates through `Ingress` items. An example: - -```yaml -apiVersion: certmanager.k8s.io/v1alpha1 -kind: ClusterIssuer -metadata: - name: letsencrypt-prod -spec: - acme: - email: something@example.com - http01: {} - privateKeySecretRef: - key: "" - name: letsencrypt-stage - server: https://acme-v02.api.letsencrypt.org/directory -``` - -## Deploying Mailu - -All manifests can be found in the `mailu` subdirectory. All commands below need to be run from this subdirectory - -### Personalization -- All services run in the same namespace, currently `mailu-mailserver`. So if you want to use a different one, change the `namespace` value in **every** file -- Check the `storage-class` field in the `pvc.yaml` file, you can also change the sizes to your liking. Note that you need `RWX` (read-write-many) and `RWO` (read-write-once) storageclasses. -- Check the `configmap.yaml` and adapt it to your needs. Be sure to check the kubernetes DNS values at the end (if you use a different namespace) -- Check the `ingress-ssl.yaml` and change it to the domain you want (this is for the kubernetes ingress controller, it will forward to `mailu/nginx` a.k.a. the `front` pod) - -## Installation -First run the command to start Mailu: - -```bash -kubectl create -f rbac.yaml -kubectl create -f configmap.yaml -kubectl create -f pvc.yaml -kubectl create -f ingress-ssl.yaml -kubectl create -f redis.yaml -kubectl create -f front.yaml -kubectl create -f webmail.yaml -kubectl create -f imap.yaml -kubectl create -f security.yaml -kubectl create -f smtp.yaml -kubectl create -f fetchmail.yaml -kubectl create -f admin.yaml -kubectl create -f webdav.yaml -``` - -## Create the first admin account - -When the cluster is online you need to create you master user to access `https://mail.example.com/admin`. -Enter the main `admin` pod to create the root account: - -```bash -kubectl -n mailu-mailserver get po -kubectl -n mailu-mailserver exec -it mailu-admin-.... /bin/sh -``` - -And in the pod run the following command. The command uses following entries: -- `admin` Make it an admin user -- `root` The first part of the e-mail adres (ROOT@example.com) -- `example.com` the domain appendix -- `password` the chosen password for the user - -```bash -flask mailu admin root example.com password -``` - -Now you should be able to login on the mail account: `https://mail.example.com/admin` - -## Adaptations - -### Postfix -I noticed you need an override for the `postfix` server in order to be able to send mail. I noticed Google wasn't able to deliver mail to my account and it had to do with the `smtpd_authorized_xclient_hosts` value in the config file. The config can be read [here](https://github.com/hacor/Mailu/blob/master/core/postfix/conf/main.cf#L35) and is pointing to a single IP of the service. But the requests come from the host IPs (the NGINX Ingress proxy) and they don't use the service specific IP. - -Enter the `postfix` pod: - -```bash -kubectl -n mailu-mailserver get po -kubectl -n mailu-mailserver exec -it mailu-smtp-.... /bin/sh -``` - -Now you're in the pod, create an override file like so: - -```bash -vi /overrides/postfix.cf -``` - -And give it the following contents, off course replacing `10.2.0.0/16` with the CIDR of your pod range. This way the NGINX pods can also restart and your mail server will still operate - -```bash -not_needed = true -smtpd_authorized_xclient_hosts = 10.2.0.0/16 -``` - -The first line seems stupid, but is needed because its pasted after a #, so from the second line we're really in action. -Save and close the file and exit. Now you need to delete the pod in order to recreate the config file. - -```bash -kubectl -n mailu-mailserver delete po/mailu-smtp-.... -``` - -### Dovecot -- If you are using Dovecot on a shared file system (Glusterfs, NFS,...), you need to create a special override otherwise a lot of indexing errors will occur on your Dovecot pod. -- I also higher the number of max connections per IP. Now it's limited to 10. -Enter the dovecot pod: - -```bash -kubectl -n mailu-mailserver get po -kubectl -n mailu-mailserver exec -it mailu-imap-.... /bin/sh -``` - -Create the file `/overrides/dovecot.conf` - -```bash -vi /overrides/dovecot.conf -``` - -And enter following contents: -```bash -mail_nfs_index = yes -mail_nfs_storage = yes -mail_fsync = always -mmap_disable = yes -mail_max_userip_connections=100 -``` - -Save and close the file and delete the imap pod to get it recreated. - -```bash -kubectl -n mailu-mailserver delete po/mailu-imap-.... -``` - -Wait for the pod to recreate and you're online! -Happy mailing! - -Wait for the pod to recreate and you're online! -Happy mailing! diff --git a/docs/kubernetes/1.6/mailu/ingress-ssl.yaml b/docs/kubernetes/1.6/mailu/ingress-ssl.yaml deleted file mode 100644 index 61ae3cf7..00000000 --- a/docs/kubernetes/1.6/mailu/ingress-ssl.yaml +++ /dev/null @@ -1,32 +0,0 @@ -apiVersion: extensions/v1beta1 -kind: Ingress -metadata: - name: mailu-ssl-ingress - namespace: mailu-mailserver - annotations: - kubernetes.io/ingress.class: tectonic - kubernetes.io/tls-acme: "true" - nginx.ingress.kubernetes.io/proxy-body-size: "0" - ingress.kubernetes.io/ssl-redirect: "true" - # Replace letsencrypt-prod with the name of the certificate issuer - certmanager.k8s.io/cluster-issuer: letsencrypt-prod - #ingress.kubernetes.io/rewrite-target: "/" - #ingress.kubernetes.io/app-root: "/ui" - #ingress.kubernetes.io/follow-redirects: "true" - labels: - app: mailu - role: mail - tier: backend -spec: - tls: - - hosts: - - "mail.example.com" - secretName: letsencrypt-certs-all # If unsure how to generate these, check out https://github.com/ployst/docker-letsencrypt - rules: - - host: "mail.example.com" - http: - paths: - - path: "/" - backend: - serviceName: front - servicePort: 80 \ No newline at end of file diff --git a/docs/kubernetes/1.6/mailu/static-ips.yaml b/docs/kubernetes/1.6/mailu/static-ips.yaml deleted file mode 100644 index e69de29b..00000000 diff --git a/docs/kubernetes/mailu/admin-ingress.yaml b/docs/kubernetes/mailu/admin-ingress.yaml new file mode 100644 index 00000000..72aafa68 --- /dev/null +++ b/docs/kubernetes/mailu/admin-ingress.yaml @@ -0,0 +1,86 @@ +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + name: mailu-admin-ingress + namespace: mailu-mailserver + annotations: + kubernetes.io/tls-acme: "true" + nginx.ingress.kubernetes.io/proxy-body-size: "0" + certmanager.k8s.io/cluster-issuer: letsencrypt-stage + ingress.kubernetes.io/permanent-redirect: "https://mail.example.com/admin/ui/" + ingress.kubernetes.io/follow-redirects: "true" + labels: + app: mailu + role: mail + tier: backend +spec: + tls: + - hosts: + - "mail.example.com" + secretName: letsencrypt-certs-all # If unsure how to generate these, check out https://github.com/ployst/docker-letsencrypt + rules: + - host: "mail.example.com" + http: + paths: + - path: "/admin" + backend: + serviceName: admin + servicePort: 80 +--- +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + name: mailu-admin-ui-ingress + namespace: mailu-mailserver + annotations: + kubernetes.io/tls-acme: "true" + certmanager.k8s.io/cluster-issuer: letsencrypt-stage + ingress.kubernetes.io/rewrite-target: "/ui" + ingress.kubernetes.io/configuration-snippet: | + proxy_set_header X-Forwarded-Prefix /admin; + labels: + app: mailu + role: mail + tier: backend +spec: + tls: + - hosts: + - "mail.example.com" + secretName: letsencrypt-certs-all # If unsure how to generate these, check out https://github.com/ployst/docker-letsencrypt + rules: + - host: "mail.example.com" + http: + paths: + - path: "/admin/ui" + backend: + serviceName: admin + servicePort: 80 +--- +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + name: mailu-admin-static-ingress + namespace: mailu-mailserver + annotations: + kubernetes.io/tls-acme: "true" + certmanager.k8s.io/cluster-issuer: letsencrypt-stage + ingress.kubernetes.io/rewrite-target: "/static" + ingress.kubernetes.io/configuration-snippet: | + proxy_set_header X-Forwarded-Prefix /admin; + labels: + app: mailu + role: mail + tier: backend +spec: + tls: + - hosts: + - "mail.example.com" + secretName: letsencrypt-certs-all # If unsure how to generate these, check out https://github.com/ployst/docker-letsencrypt + rules: + - host: "mail.example.com" + http: + paths: + - path: "/admin/static" + backend: + serviceName: admin + servicePort: 80 \ No newline at end of file diff --git a/docs/kubernetes/1.6/mailu/admin.yaml b/docs/kubernetes/mailu/admin.yaml similarity index 98% rename from docs/kubernetes/1.6/mailu/admin.yaml rename to docs/kubernetes/mailu/admin.yaml index b36760a2..435b7975 100644 --- a/docs/kubernetes/1.6/mailu/admin.yaml +++ b/docs/kubernetes/mailu/admin.yaml @@ -1,4 +1,3 @@ - apiVersion: extensions/v1beta1 kind: Deployment metadata: diff --git a/docs/kubernetes/1.6/mailu/configmap.yaml b/docs/kubernetes/mailu/configmap.yaml similarity index 83% rename from docs/kubernetes/1.6/mailu/configmap.yaml rename to docs/kubernetes/mailu/configmap.yaml index 9ebce8b1..4f8dad81 100644 --- a/docs/kubernetes/1.6/mailu/configmap.yaml +++ b/docs/kubernetes/mailu/configmap.yaml @@ -21,7 +21,7 @@ VERSION: "master" # Set to a randomly generated 16 bytes string - SECRET_KEY: "YourKeyHere" + SECRET_KEY: "MySup3rS3cr3tPas" # Address where listening ports should bind BIND_ADDRESS4: "127.0.0.1" @@ -45,6 +45,14 @@ # Opt-out of statistics, replace with "True" to opt out DISABLE_STATISTICS: "False" + ################################### + # Kubernetes configuration + ################################### + + # Use Kubernetes Ingress Controller to handle all actions on port 80 and 443 + # This way we can make use of the advantages of the cert-manager deployment + KUBERNETES_INGRESS: "true" + ################################### # Optional features ################################### @@ -71,19 +79,18 @@ # Default: accept messages up to 50MB MESSAGE_SIZE_LIMIT: "50000000" - # Networks granted relay permissions, make sure that you include your Docker - # internal network (default to 172.17.0.0/16) - # For kubernetes this is the CIDR of the pod network - RELAYNETS: "10.2.0.0/16" - POD_ADDRESS_RANGE: "10.2.0.0/16" - - # Will relay all outgoing mails if configured #RELAYHOST= # This part is needed for the XCLIENT login for postfix. This should be the POD ADDRESS range FRONT_ADDRESS: "front.mailu-mailserver.svc.cluster.local" + # This value is needed by the webmail to find the correct imap backend + IMAP_ADDRESS: "imap.mailu-mailserver.svc.cluster.local" + + # This value is used by Dovecot to find the Redis server in the cluster + REDIS_ADDRESS: "redis.mailu-mailserver.svc.cluster.local" + # Fetchmail delay FETCHMAIL_DELAY: "600" @@ -106,13 +113,16 @@ ################################### # Path to the admin interface if enabled + # Kubernetes addition: You need to change ALL the ingresses, when you want this URL to be different!!! WEB_ADMIN: "/admin" # Path to the webmail if enabled + # Currently, this is not used, because we intended to use a different subdomain: webmail.example.com + # This option can be added in a feature release WEB_WEBMAIL: "/webmail" # Website name - SITENAME: "AppSynth" + SITENAME: "Mailu" # Linked Website URL WEBSITE: "https://example.com" diff --git a/docs/kubernetes/1.6/mailu/fetchmail.yaml b/docs/kubernetes/mailu/fetchmail.yaml similarity index 100% rename from docs/kubernetes/1.6/mailu/fetchmail.yaml rename to docs/kubernetes/mailu/fetchmail.yaml diff --git a/docs/kubernetes/1.6/mailu/front.yaml b/docs/kubernetes/mailu/front.yaml similarity index 70% rename from docs/kubernetes/1.6/mailu/front.yaml rename to docs/kubernetes/mailu/front.yaml index e25ac828..9951f30c 100644 --- a/docs/kubernetes/1.6/mailu/front.yaml +++ b/docs/kubernetes/mailu/front.yaml @@ -1,23 +1,41 @@ - -apiVersion: extensions/v1beta1 -kind: Deployment +apiVersion: apps/v1beta2 +kind: DaemonSet metadata: name: mailu-front namespace: mailu-mailserver + labels: + k8s-app: mail-loadbalancer + component: ingress-controller + type: nginx spec: - replicas: 1 + selector: + matchLabels: + k8s-app: mail-loadbalancer + component: ingress-controller + type: nginx template: metadata: labels: - app: mailu-front - role: mail - tier: backend + k8s-app: mail-loadbalancer + component: ingress-controller + type: nginx spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: node-role.kubernetes.io/node + operator: Exists + hostNetwork: true + nodeSelector: + node-role.kubernetes.io/node: "" + dnsPolicy: ClusterFirstWithHostNet restartPolicy: Always terminationGracePeriodSeconds: 60 containers: - name: front - image: mailu/nginx:latest + image: mailu/nginx:master imagePullPolicy: Always envFrom: - configMapRef: @@ -26,12 +44,6 @@ spec: - name: certs mountPath: /certs ports: - - name: http - containerPort: 80 - protocol: TCP - - name: https - containerPort: 443 - protocol: TCP - name: pop3 containerPort: 110 protocol: TCP @@ -85,21 +97,15 @@ metadata: name: front namespace: mailu-mailserver labels: - app: mailu-admin - role: mail - tier: backend + k8s-app: mail-loadbalancer + component: ingress-controller + type: nginx spec: selector: - app: mailu-front - role: mail - tier: backend + k8s-app: mail-loadbalancer + component: ingress-controller + type: nginx ports: - - name: http - port: 80 - protocol: TCP - - name: https - port: 443 - protocol: TCP - name: pop3 port: 110 protocol: TCP diff --git a/docs/kubernetes/1.6/mailu/imap.yaml b/docs/kubernetes/mailu/imap.yaml similarity index 96% rename from docs/kubernetes/1.6/mailu/imap.yaml rename to docs/kubernetes/mailu/imap.yaml index 069b7730..37f4899e 100644 --- a/docs/kubernetes/1.6/mailu/imap.yaml +++ b/docs/kubernetes/mailu/imap.yaml @@ -37,8 +37,8 @@ spec: - containerPort: 4190 resources: requests: - memory: 500Mi - cpu: 500m + memory: 1Gi + cpu: 1000m limits: memory: 1Gi cpu: 1000m diff --git a/docs/kubernetes/mailu/index.rst b/docs/kubernetes/mailu/index.rst new file mode 100644 index 00000000..4b6ba8f7 --- /dev/null +++ b/docs/kubernetes/mailu/index.rst @@ -0,0 +1,195 @@ +.. _kubernetes: + +Kubernetes setup +================ + +Prequisites +----------- + +Structure +~~~~~~~~~ + +There’s chosen to have a double NGINX stack for Mailu, this way the main +ingress can still be used to access other websites/domains on your +cluster. This is the current structure: + +- ``NGINX Ingress controller``: Listens to the nodes ports 80 & 443. We have chosen to have a double NGINX stack for Mailu. +- ``Cert manager``: Creates automatic Lets Encrypt certificates based on an ``Ingress``-objects domain name. +- ``Mailu NGINX Front daemonset``: This daemonset runs in parallel with the Nginx Ingress Controller and only listens on all E-mail specific ports (25, 110, 143, 587,...) +- ``Mailu components``: All Mailu components (imap, smtp, security, webmail,...) are split into separate files to make them more handy to use, you can find the ``YAML`` files in this directory + +What you need +~~~~~~~~~~~~~ + +- A working Kubernetes cluster (tested with 1.10.5) +- A working `cert-manager`_ installation +- A working nginx-ingress controller needed for the lets-encrypt + certificates. You can find those files in the ``nginx`` subfolder + +Cert manager +^^^^^^^^^^^^ + +The ``Cert-manager`` is quite easy to deploy using Helm when reading the +`docs`_. After booting the ``Cert-manager`` you’ll need a +``ClusterIssuer`` which takes care of all required certificates through +``Ingress`` items. We chose to provide a ``clusterIssuer`` so you can provide SSL certificates +for other namespaces (different websites/services), if you don't need this option, you can easily change this by +changing ``clusterIssuer`` to ``Issuer`` and adding the ``namespace: mailu-mailserver`` to the metadata. +An example of a production and a staging ``clusterIssuer``: + +.. code:: yaml + + # This clusterIssuer example uses the staging environment for testing first + apiVersion: certmanager.k8s.io/v1alpha1 + kind: ClusterIssuer + metadata: + name: letsencrypt-stage + spec: + acme: + email: something@example.com + http01: {} + privateKeySecretRef: + name: letsencrypt-stage + server: https://acme-staging-v02.api.letsencrypt.org/directory + +.. code:: yaml + + # This clusterIssuer example uses the production environment + apiVersion: certmanager.k8s.io/v1alpha1 + kind: ClusterIssuer + metadata: + name: letsencrypt-prod + spec: + acme: + email: something@example.com + http01: {} + privateKeySecretRef: + name: letsencrypt-prod + server: https://acme-v02.api.letsencrypt.org/directory + +**IMPORTANT**: All ``*-ingress.yaml`` files use the ``letsencrypt-stage`` ``clusterIssuer``. If you are ready for production, +change this field in all ``*-ingress.yaml`` files to ``letsencrypt-prod`` or whatever name you chose for the production. +If you choose for ``Issuer`` instead of ``clusterIssuer`` you also need to change the annotation to ``certmanager.k8s.io/issuer`` instead of ``certmanager.k8s.io/cluster-issuer`` + +Deploying Mailu +--------------- + +All manifests can be found in the ``mailu`` subdirectory. All commands +below need to be run from this subdirectory + +Personalization +~~~~~~~~~~~~~~~ + +- All services run in the same namespace, currently ``mailu-mailserver``. So if you want to use a different one, change the ``namespace`` value in **every** file +- Check the ``storage-class`` field in the ``pvc.yaml`` file, you can also change the sizes to your liking. Note that you need ``RWX`` (read-write-many) and ``RWO`` (read-write-once) storageclasses. +- Check the ``configmap.yaml`` and adapt it to your needs. Be sure to check the kubernetes DNS values at the end (if you use a different namespace) +- Check the ``*-ingress.yaml`` files and change it to the domain you want (this is for the kubernetes ingress controller to handle the admin, webmail, webdav and auth connections) + +Installation +------------ + +Boot the Mailu components +~~~~~~~~~~~~~~~~~~~~~~~~~ + +To start Mailu, run the following commands from the ``docs/kubernetes/mailu`` directory + +.. code-block:: bash + + kubectl create -f rbac.yaml + kubectl create -f configmap.yaml + kubectl create -f pvc.yaml + kubectl create -f redis.yaml + kubectl create -f front.yaml + kubectl create -f webmail.yaml + kubectl create -f imap.yaml + kubectl create -f security.yaml + kubectl create -f smtp.yaml + kubectl create -f fetchmail.yaml + kubectl create -f admin.yaml + kubectl create -f webdav.yaml + kubectl create -f admin-ingress.yaml + kubectl create -f webdav-ingress.yaml + kubectl create -f security-ingress.yaml + kubectl create -f webmail-ingress.yaml + + +Create the first admin account +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +When the cluster is online you need to create you master user to access https://mail.example.com/admin +Enter the main ``admin`` pod to create the root account: + +.. code-block:: bash + + kubectl -n mailu-mailserver get po + kubectl -n mailu-mailserver exec -it mailu-admin-.... /bin/sh + +And in the pod run the following command. The command uses following entries: + +.. code-block:: bash + + python manage.py admin root example.com password + +- ``admin`` Make it an admin user +- ``root`` The first part of the e-mail adres (ROOT@example.com) +- ``example.com`` the domain appendix +- ``password`` the chosen password for the user + + +Now you should be able to login on the mail account: https://mail.example.com/admin + +Adaptations +----------- + +Dovecot +~~~~~~~ + +- If you are using Dovecot on a shared file system (Glusterfs, NFS,...), you need to create a special override otherwise a lot of indexing errors will occur on your Dovecot pod. +- I also higher the number of max connections per IP. Now it's limited to 10. + +Enter the dovecot pod: + +.. code:: bash + + kubectl -n mailu-mailserver get po + kubectl -n mailu-mailserver exec -it mailu-imap-.... /bin/sh + +Create the file ``overrides/dovecot.conf`` + +.. code:: bash + + vi /overrides/dovecot.conf + +And enter following contents: + +.. code:: bash + + mail_nfs_index = yes + mail_nfs_storage = yes + mail_fsync = always + mmap_disable = yes + mail_max_userip_connections=100 + +Save and close the file and delete the imap pod to get it recreated. + +.. code:: bash + + kubectl -n mailu-mailserver delete po/mailu-imap-.... + +Wait for the pod to recreate and you're online! +Happy mailing! + +.. _here: https://github.com/hacor/Mailu/blob/master/core/postfix/conf/main.cf#L35 +.. _cert-manager: https://github.com/jetstack/cert-manager +.. _docs: https://cert-manager.readthedocs.io/en/latest/getting-started/2-installing.html + +Imap login fix +~~~~~~~~~~~~~~ + +If it seems you're not able to login using IMAP on your Mailu accounts, check the logs of the imap container to see whether it's a permissions problem on the database. +This problem can be easily fixed by running following commands: + +.. code:: bash + + kubectl -n mailu-mailserver exec -it mailu-imap-... /bin/sh + chmod 777 /data/main.db diff --git a/docs/kubernetes/1.6/mailu/pvc.yaml b/docs/kubernetes/mailu/pvc.yaml similarity index 100% rename from docs/kubernetes/1.6/mailu/pvc.yaml rename to docs/kubernetes/mailu/pvc.yaml diff --git a/docs/kubernetes/1.6/mailu/rbac.yaml b/docs/kubernetes/mailu/rbac.yaml similarity index 100% rename from docs/kubernetes/1.6/mailu/rbac.yaml rename to docs/kubernetes/mailu/rbac.yaml diff --git a/docs/kubernetes/1.6/mailu/redis.yaml b/docs/kubernetes/mailu/redis.yaml similarity index 100% rename from docs/kubernetes/1.6/mailu/redis.yaml rename to docs/kubernetes/mailu/redis.yaml diff --git a/docs/kubernetes/mailu/security-ingress.yaml b/docs/kubernetes/mailu/security-ingress.yaml new file mode 100644 index 00000000..74ced47e --- /dev/null +++ b/docs/kubernetes/mailu/security-ingress.yaml @@ -0,0 +1,30 @@ +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + name: mailu-antispam-ingress + namespace: mailu-mailserver + annotations: + kubernetes.io/tls-acme: "true" + certmanager.k8s.io/cluster-issuer: letsencrypt-stage + ingress.kubernetes.io/configuration-snippet: | + rewrite ^/admin/antispam/(.*) /$1 break; + auth_request /internal/auth/admin; + proxy_set_header X-Real-IP ""; + proxy_set_header X-Forwarded-For ""; + labels: + app: mailu + role: mail + tier: frontend +spec: + tls: + - hosts: + - "mail.example.com" + secretName: letsencrypt-certs-all # If unsure how to generate these, check out https://github.com/ployst/docker-letsencrypt + rules: + - host: "mail.example.com" + http: + paths: + - path: "/admin/antispam" + backend: + serviceName: antispam + servicePort: 11334 \ No newline at end of file diff --git a/docs/kubernetes/1.6/mailu/security.yaml b/docs/kubernetes/mailu/security.yaml similarity index 92% rename from docs/kubernetes/1.6/mailu/security.yaml rename to docs/kubernetes/mailu/security.yaml index c1c1ac0b..80fde812 100644 --- a/docs/kubernetes/1.6/mailu/security.yaml +++ b/docs/kubernetes/mailu/security.yaml @@ -31,6 +31,9 @@ spec: - name: antispam containerPort: 11332 protocol: TCP + - name: antispam-http + containerPort: 11334 + protocol: TCP volumeMounts: - name: filter subPath: filter @@ -87,6 +90,9 @@ spec: - name: antispam port: 11332 protocol: TCP + - name: antispam-http + protocol: TCP + port: 11334 --- diff --git a/docs/kubernetes/1.6/mailu/smtp.yaml b/docs/kubernetes/mailu/smtp.yaml similarity index 95% rename from docs/kubernetes/1.6/mailu/smtp.yaml rename to docs/kubernetes/mailu/smtp.yaml index 454b8ed7..926a2b7c 100644 --- a/docs/kubernetes/1.6/mailu/smtp.yaml +++ b/docs/kubernetes/mailu/smtp.yaml @@ -21,10 +21,10 @@ spec: name: mailu-config resources: requests: - memory: 500Mi - cpu: 200m + memory: 2Gi + cpu: 500m limits: - memory: 1Gi + memory: 2Gi cpu: 500m volumeMounts: - mountPath: /data diff --git a/docs/kubernetes/mailu/webdav-ingress.yaml b/docs/kubernetes/mailu/webdav-ingress.yaml new file mode 100644 index 00000000..3498eb02 --- /dev/null +++ b/docs/kubernetes/mailu/webdav-ingress.yaml @@ -0,0 +1,46 @@ +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + name: mailu-webdav-ingress + namespace: mailu-mailserver + annotations: + kubernetes.io/tls-acme: "true" + nginx.ingress.kubernetes.io/proxy-body-size: "0" + certmanager.k8s.io/cluster-issuer: letsencrypt-stage + #ingress.kubernetes.io/auth-url: http://admin.mailu-mailserver.svc.cluster.local/internal/auth/basic + ingress.kubernetes.io/configuration-snippet: | + rewrite ^/webdav/(.*) /$1 break; + auth_request /internal/auth/basic; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + auth_request_set $user $upstream_http_x_user; + proxy_set_header X-Remote-User $user; + proxy_set_header X-Script-Name /webdav; + ingress.kubernetes.io/server-snippet: | + location /internal { + internal; + + proxy_set_header Authorization $http_authorization; + proxy_pass_header Authorization; + proxy_pass http://admin.mailu-mailserver.svc.cluster.local; + proxy_pass_request_body off; + proxy_set_header Content-Length ""; + } + labels: + app: mailu + role: mail + tier: frontend +spec: + tls: + - hosts: + - "mail.example.com" + secretName: letsencrypt-certs-all # If unsure how to generate these, check out https://github.com/ployst/docker-letsencrypt + rules: + - host: "mail.example.com" + http: + paths: + - path: "/webdav" + backend: + serviceName: webdav + servicePort: 5232 \ No newline at end of file diff --git a/docs/kubernetes/1.6/mailu/webdav.yaml b/docs/kubernetes/mailu/webdav.yaml similarity index 100% rename from docs/kubernetes/1.6/mailu/webdav.yaml rename to docs/kubernetes/mailu/webdav.yaml diff --git a/docs/kubernetes/mailu/webmail-ingress.yaml b/docs/kubernetes/mailu/webmail-ingress.yaml new file mode 100644 index 00000000..40655ca2 --- /dev/null +++ b/docs/kubernetes/mailu/webmail-ingress.yaml @@ -0,0 +1,31 @@ +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + name: mailu-webmail-ingress + namespace: mailu-mailserver + annotations: + kubernetes.io/tls-acme: "true" + nginx.ingress.kubernetes.io/proxy-body-size: "0" + certmanager.k8s.io/cluster-issuer: letsencrypt-stage + nginx.ingress.kubernetes.io/configuration-snippet: | + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto; + labels: + app: mailu + role: mail + tier: backend +spec: + tls: + - hosts: + - "webmail.example.com" + secretName: letsencrypt-webmail # If unsure how to generate these, check out https://github.com/ployst/docker-letsencrypt + rules: + - host: "webmail.example.com" + http: + paths: + - path: "/" + backend: + serviceName: webmail + servicePort: 80 \ No newline at end of file diff --git a/docs/kubernetes/1.6/mailu/webmail.yaml b/docs/kubernetes/mailu/webmail.yaml similarity index 96% rename from docs/kubernetes/1.6/mailu/webmail.yaml rename to docs/kubernetes/mailu/webmail.yaml index 81798782..bbbeb09d 100644 --- a/docs/kubernetes/1.6/mailu/webmail.yaml +++ b/docs/kubernetes/mailu/webmail.yaml @@ -15,7 +15,7 @@ spec: spec: containers: - name: roundcube - image: mailu/roundcube:1.5 + image: mailu/roundcube:master imagePullPolicy: Always envFrom: - configMapRef: diff --git a/docs/kubernetes/1.6/nginx/default-http-backend.yaml b/docs/kubernetes/nginx/default-http-backend.yaml similarity index 100% rename from docs/kubernetes/1.6/nginx/default-http-backend.yaml rename to docs/kubernetes/nginx/default-http-backend.yaml diff --git a/docs/kubernetes/1.6/nginx/nginx-ingress.yaml b/docs/kubernetes/nginx/nginx-ingress.yaml similarity index 81% rename from docs/kubernetes/1.6/nginx/nginx-ingress.yaml rename to docs/kubernetes/nginx/nginx-ingress.yaml index 90b24f24..d8b71e21 100644 --- a/docs/kubernetes/1.6/nginx/nginx-ingress.yaml +++ b/docs/kubernetes/nginx/nginx-ingress.yaml @@ -2,15 +2,15 @@ apiVersion: v1 kind: Service metadata: # keep it under 24 chars - name: appsynth-lb + name: ingress-lb namespace: kube-ingress labels: - k8s-app: appsynth-lb + k8s-app: ingress-lb component: ingress-controller spec: type: ClusterIP selector: - k8s-app: appsynth-lb + k8s-app: ingress-lb component: ingress-controller ports: - name: http @@ -35,13 +35,6 @@ metadata: name: tcp-services namespace: kube-ingress data: - 25: "mailu-mailserver/front:25" - 110: "mailu-mailserver/front:110" - 465: "mailu-mailserver/front:465" - 587: "mailu-mailserver/front:587" - 143: "mailu-mailserver/front:143" - 993: "mailu-mailserver/front:993" - 995: "mailu-mailserver/front:995" --- apiVersion: v1 @@ -61,7 +54,7 @@ metadata: prometheus.io/port: "10254" prometheus.io/scrape: "true" labels: - k8s-app: appsynth-lb + k8s-app: ingress-lb component: ingress-controller type: nginx spec: @@ -71,13 +64,13 @@ spec: type: RollingUpdate selector: matchLabels: - k8s-app: appsynth-lb + k8s-app: ingress-lb component: ingress-controller type: nginx template: metadata: labels: - k8s-app: appsynth-lb + k8s-app: ingress-lb component: ingress-controller type: nginx spec: @@ -94,14 +87,11 @@ spec: image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.16.2 args: - /nginx-ingress-controller - - --configmap=$(POD_NAMESPACE)/tectonic-custom-error - --default-backend-service=$(POD_NAMESPACE)/default-http-backend - #- --default-ssl-certificate=tectonic-system/tectonic-ingress-tls-secret - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services - --udp-services-configmap=$(POD_NAMESPACE)/udp-services - --annotations-prefix=ingress.kubernetes.io - --enable-ssl-passthrough - - --ingress-class=tectonic # use downward API env: - name: POD_NAME @@ -115,10 +105,8 @@ spec: ports: - name: http containerPort: 80 - hostPort: 80 - name: https containerPort: 443 - hostPort: 443 readinessProbe: httpGet: path: /healthz @@ -134,6 +122,6 @@ spec: hostNetwork: true nodeSelector: node-role.kubernetes.io/node: "" - dnsPolicy: ClusterFirst + dnsPolicy: ClusterFirstWithHostNet restartPolicy: Always terminationGracePeriodSeconds: 60 diff --git a/docs/kubernetes/1.6/nginx/rbac.yaml b/docs/kubernetes/nginx/rbac.yaml similarity index 100% rename from docs/kubernetes/1.6/nginx/rbac.yaml rename to docs/kubernetes/nginx/rbac.yaml diff --git a/docs/kubernetes/stable/index.rst b/docs/kubernetes/stable/index.rst deleted file mode 100644 index efd1ab7c..00000000 --- a/docs/kubernetes/stable/index.rst +++ /dev/null @@ -1,26 +0,0 @@ -Kubernetes setup -================ - -Please note that Kubernetes setup is not yet well supported or documented, all -tests currently run on Docker Compose. The configuration has not yet been updated -to work properly with ngin authentication proxy. - -Prepare the environment ------------------------ - -The resource configurations in this folder assume that you have `Kubernetes Ingress`_ -set up for your cluster. If you are not using the `NGINX Ingress Controller for Kubernetes`_, -please ensure that the configuration specified in the file matches your set up. - -.. _`Kubernetes Ingress`: https://kubernetes.io/docs/concepts/services-networking/ingress/ -.. _`NGINX Ingress Controller for Kubernetes`: https://github.com/kubernetes/ingress/tree/master/controllers/nginx - -Setup the Kubernetes service ----------------------------- - -Using the resource configurations is simple: - -1. ``kubectl apply -f kubernetes-nginx-ingress-controller.yaml`` to configure an ingress controller with the proper settings. (If you have one set up already you may need to port the configuration to your own ingress). -2. ``kubectl apply -f kubernetes-mailu.yaml`` to create the resources required to run Mailu. - -Based on the configuration, your Mailu instance should be available at ``mail..tld/admin`` (note that visiting just ``mail..tld`` will likely result in a 404 error). diff --git a/docs/kubernetes/stable/kubernetes-mailu.yaml b/docs/kubernetes/stable/kubernetes-mailu.yaml deleted file mode 100644 index a7bafccd..00000000 --- a/docs/kubernetes/stable/kubernetes-mailu.yaml +++ /dev/null @@ -1,419 +0,0 @@ ---- -apiVersion: extensions/v1beta1 -kind: Ingress -metadata: - name: mailu-admin-ing - labels: - app: mailu - role: mail - tier: backend -spec: - tls: - - hosts: - - "mail.example.com" - secretName: letsencrypt-certs-all # If unsure how to generate these, check out https://github.com/ployst/docker-letsencrypt - rules: - - host: "mail.example.com" - http: - paths: - - path: "/admin" - backend: - serviceName: mailu-admin - servicePort: 80 - ---- -apiVersion: extensions/v1beta1 -kind: Deployment -metadata: - name: mailu-redis -spec: - replicas: 1 - template: - metadata: - labels: - app: mailu-redis - role: mail - tier: backend - spec: - containers: - - name: redis - image: redis:4.0-alpine - imagePullPolicy: Always - volumeMounts: - - mountPath: /data - name: redisdata - ports: - - containerPort: 6379 - name: redis - protocol: TCP - volumes: - - name: redisdata - hostPath: - path: /var/data/mailu/redisdata - ---- - -apiVersion: v1 -kind: Service -metadata: - name: redis - labels: - app: mailu-redis - role: mail - tier: backend -spec: - selector: - app: mailu - role: mail - tier: backend - ports: - - name: redis - port: 6379 - protocol: TCP - ---- - -apiVersion: extensions/v1beta1 -kind: Deployment -metadata: - name: mailu-imap -spec: - replicas: 1 - template: - metadata: - labels: - app: mailu-imap - role: mail - tier: backend - spec: - containers: - - name: imap - image: mailu/dovecot:stable - imagePullPolicy: Always - env: - - name : DOMAIN - value : example.com - - name : HOSTNAME - value : mail.example.com - - name : POSTMASTER - value : admin - volumeMounts: - - mountPath: /data - name: maildata - - mountPath: /mail - name: mailstate - - mountPath: /overrides - name: overrides - - mountPath: /certs - name: certs - readOnly: true - ports: - - containerPort: 2102 - - containerPort: 2525 - - containerPort: 143 - - containerPort: 993 - - containerPort: 4190 - volumes: - - name: maildata - hostPath: - path: /var/data/mailu/maildata - - name: mailstate - hostPath: - path: /var/data/mailu/mailstate - - name: overrides - hostPath: - path: /var/data/mailu/overrides - - name: certs - secret: - items: - - key: tls.crt - path: cert.pem - - key: tls.key - path: key.pem - secretName: letsencrypt-certs-all - ---- - -apiVersion: v1 -kind: Service -metadata: - name: imap - labels: - app: mailu - role: mail - tier: backend -spec: - selector: - app: mailu-imap - role: mail - tier: backend - ports: - ports: - - name: imap-auth - port: 2102 - protocol: TCP - - name: imap-transport - port: 2525 - protocol: TCP - - name: imap-default - port: 143 - protocol: TCP - - name: imap-ssl - port: 993 - protocol: TCP - - name: sieve - port: 4190 - protocol: TCP - ---- - -apiVersion: extensions/v1beta1 -kind: Deployment -metadata: - name: mailu-smtp -spec: - replicas: 1 - template: - metadata: - labels: - app: mailu-smtp - role: mail - tier: backend - spec: - containers: - - name: smtp - image: mailu/postfix:stable - imagePullPolicy: Always - env: - - name : DOMAIN - value : example.com - - name : HOSTNAME - value : mail.example.com - - name : MESSAGE_SIZE_LIMIT - value : "50000000" - - name : RELAYHOST - value : "" - volumeMounts: - - mountPath: /data - name: maildata - - mountPath: /overrides - name: overrides - - mountPath: /certs - name: certs - readOnly: true - ports: - - name: smtp - containerPort: 25 - protocol: TCP - - name: smtp-ssl - containerPort: 465 - protocol: TCP - - name: smtp-starttls - containerPort: 587 - protocol: TCP - volumes: - - name: maildata - hostPath: - path: /var/data/mailu/maildata - - name: overrides - hostPath: - path: /var/data/mailu/overrides - - name: certs - secret: - items: - - key: tls.crt - path: cert.pem - - key: tls.key - path: key.pem - secretName: letsencrypt-certs-all - ---- - -apiVersion: v1 -kind: Service -metadata: - name: smtp - labels: - app: mailu - role: mail - tier: backend -spec: - selector: - app: mailu-smtp - role: mail - tier: backend - ports: - - name: smtp - port: 25 - protocol: TCP - - name: smtp-ssl - port: 465 - protocol: TCP - - name: smtp-starttls - port: 587 - protocol: TCP - ---- - -apiVersion: extensions/v1beta1 -kind: Deployment -metadata: - name: mailu-security -spec: - replicas: 1 - template: - metadata: - labels: - app: mailu-security - role: mail - tier: backend - spec: - containers: - - name: antispam - image: mailu/rspamd:stable - imagePullPolicy: Always - ports: - - name: antispam - containerPort: 11333 - protocol: TCP - volumeMounts: - - name: filter - mountPath: /var/lib/rspamd - - name: antivirus - image: mailu/clamav:stable - imagePullPolicy: Always - ports: - - name: antivirus - containerPort: 3310 - protocol: TCP - volumeMounts: - - name: filter - mountPath: /data - volumes: - - name: filter - hostPath: - path: /var/data/mailu/filter - ---- - -apiVersion: v1 -kind: Service -metadata: - name: antispam - labels: - app: mailu-antispam - role: mail - tier: backend -spec: - selector: - app: mailu-security - role: mail - tier: backend - ports: - - name: antispam - port: 11333 - protocol: TCP - ---- - -apiVersion: v1 -kind: Service -metadata: - name: antivirus - labels: - app: mailu-antivirus - role: mail - tier: backend -spec: - selector: - app: mailu-security - role: mail - tier: backend - ports: - - name: antivirus - port: 3310 - protocol: TCP - ---- - -apiVersion: extensions/v1beta1 -kind: Deployment -metadata: - name: mailu-admin -spec: - replicas: 1 - template: - metadata: - labels: - app: mailu-admin - role: mail - tier: backend - spec: - containers: - - name: admin - image: mailu/admin:stable - imagePullPolicy: Always - env: - - name : DOMAIN - value : example.com - - name : HOSTNAME - value : mail.example.com - - name : POSTMASTER - value : core - - name : SECRET_KEY - value : pleasereplacethiswithabetterkey - - name : DEBUG - value : "True" - volumeMounts: - - name: maildata - mountPath: /data - - name: dkim - mountPath: /dkim - - name: certs - mountPath: /certs - readOnly: true - # - name: docker - # mountPath: /var/run/docker.sock - # readOnly: true - ports: - - name: http - containerPort: 80 - protocol: TCP - volumes: - - name: maildata - hostPath: - path: /var/data/mailu/maildata - - name: dkim - hostPath: - path: /var/data/mailu/dkim - - name: certs - secret: - items: - - key: tls.crt - path: cert.pem - - key: tls.key - path: key.pem - secretName: letsencrypt-certs-all - # - name: docker - # hostPath: - # path: /var/run/docker.sock - ---- - -apiVersion: v1 -kind: Service -metadata: - name: mailu-admin - labels: - app: mailu-admin - role: mail - tier: backend -spec: - selector: - app: mailu-admin - role: mail - tier: backend - ports: - - name: http - port: 80 - protocol: TCP diff --git a/docs/kubernetes/stable/kubernetes-nginx-ingress-controller.yaml b/docs/kubernetes/stable/kubernetes-nginx-ingress-controller.yaml deleted file mode 100644 index 5ea9790a..00000000 --- a/docs/kubernetes/stable/kubernetes-nginx-ingress-controller.yaml +++ /dev/null @@ -1,84 +0,0 @@ ---- -kind: ConfigMap -apiVersion: v1 -metadata: - name: nginx-configuration - namespace: ingress-nginx - labels: - app: ingress-nginx - ---- -kind: ConfigMap -apiVersion: v1 -metadata: - name: udp-services - namespace: ingress-nginx - ---- -kind: ConfigMap -apiVersion: v1 -metadata: - name: tcp-services - namespace: ingress-nginx -data: - 25: "mailu/smtp:25" - 465: "mailu/smtp:465" - 587: "mailu/smtp:587" - 143: "mailu/imap:143" - 993: "mailu/imap:993" - ---- -apiVersion: extensions/v1beta1 -kind: Deployment -metadata: - name: nginx-ingress-controller - namespace: kube-system - labels: - k8s-app: nginx-ingress-controller -spec: - replicas: 1 - template: - metadata: - labels: - k8s-app: nginx-ingress-controller - annotations: - prometheus.io/port: '10254' - prometheus.io/scrape: 'true' - spec: - # hostNetwork makes it possible to use ipv6 and to preserve the source IP correctly regardless of docker configuration - # however, it is not a hard dependency of the nginx-ingress-controller itself and it may cause issues if port 10254 already is taken on the host - # that said, since hostPort is broken on CNI (https://github.com/kubernetes/kubernetes/issues/31307) we have to use hostNetwork where CNI is used - # like with kubeadm - # hostNetwork: true - terminationGracePeriodSeconds: 60 - containers: - - image: gcr.io/google_containers/nginx-ingress-controller:0.11.0 - name: nginx-ingress-controller - args: - - /nginx-ingress-controller - - --default-backend-service=$(POD_NAMESPACE)/default-http-backend - - --configmap=$(POD_NAMESPACE)/nginx-configuration - - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services - - --udp-services-configmap=$(POD_NAMESPACE)/udp-services - - --annotations-prefix=nginx.ingress.kubernetes.io - readinessProbe: - httpGet: - path: /healthz - port: 10254 - scheme: HTTP - livenessProbe: - httpGet: - path: /healthz - port: 10254 - scheme: HTTP - initialDelaySeconds: 10 - timeoutSeconds: 1 - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace diff --git a/docs/maintain.rst b/docs/maintain.rst index d570690e..ffb51a50 100644 --- a/docs/maintain.rst +++ b/docs/maintain.rst @@ -28,6 +28,33 @@ Logs are managed by Docker directly. You can easily read your logs using: Docker is able to forward logs to multiple log engines. Read the following documentation for details: https://docs.docker.com/engine/admin/logging/overview/. +.. _external_certs: + +Managing of external Let's encrypt certificates +----------------------------------------------- + +When you are not using the embedded ``letsencrypt`` option from Mailu, +you cannot make use of it's symlink functionality in the ``letsencrypt/live`` directory. +You should take care that after every renewal new certificates are copied to ``/mailu/certs`` and +the *nginx* process in the ``front`` container is reloaded. + +In the case of *certbot* you could write a script to be executed as `deploy hook`_. Example: + +.. code-block:: bash + + #!/bin/sh + cp /etc/letsencrypt/live/domain.com/privkey.pem /mailu/certs/key.pem || exit 1 + cp /etc/letsencrypt/live/domain.com/fullchain.pem /mailu/certs/cert.pem || exit 1 + docker exec mailu_front_1 nginx -s reload + +And the certbot command you will use in crontab would look something like: + +.. code-block:: bash + + 52 0,12 * * * root /usr/bin/certbot renew --deploy-hook /path/to/script.sh + +.. _`deploy hook`: https://certbot.eff.org/docs/using.html#renewing-certificates + Migrating an instance --------------------- diff --git a/docs/swarm/master/README.md b/docs/swarm/master/README.md new file mode 100644 index 00000000..44c19dc7 --- /dev/null +++ b/docs/swarm/master/README.md @@ -0,0 +1,252 @@ +# Install Mailu on a docker swarm + +## Prequisites + +### Swarm + +In order to deploy Mailu on a swarm, you will first need to initialize the swarm: + +The main command will be: +```bash +docker swarm init --advertise-addr +``` +See https://docs.docker.com/engine/swarm/swarm-tutorial/create-swarm/ + +If you want to add other managers or workers, please use: +```bash +docker swarm join --token xxxxx +``` +See https://docs.docker.com/engine/swarm/join-nodes/ + +You have now a working swarm, and you can check its status with: +```bash +core@coreos-01 ~/git/Mailu/docs/swarm/1.5 $ docker node ls +ID HOSTNAME STATUS AVAILABILITY MANAGER STATUS ENGINE VERSION +xhgeekkrlttpmtgmapt5hyxrb black-pearl Ready Active 18.06.0-ce +sczlqjgfhehsfdjhfhhph1nvb * coreos-01 Ready Active Leader 18.03.1-ce +mzrm9nbdggsfz4sgq6dhs5i6n flying-dutchman Ready Active 18.06.0-ce +``` + +### Volume definition +For data persistance (the Mailu services might be launched/relaunched on any of the swarm nodes), we need to have Mailu data stored in a manner accessible by every manager or worker in the swarm. + +Hereafter we will assume that "Mailu Data" is available on every node at "$ROOT/certs:/certs" (GlusterFS and nfs shares have been successfully used). + +On this example, we are using: +- the mesh routing mode (default mode). With this mode, each service is given a virtual IP adress and docker manages the routing between this virtual IP and the container(s) providing this service. +- the default ingress mode. + +### Allow authentification with the mesh routing +In order to allow every (front & webmail) container to access the other services, we will use the variable POD_ADDRESS_RANGE. + +Let's create the mailu_default network: +```bash +core@coreos-01 ~ $ docker network create -d overlay --attachable mailu_default +core@coreos-01 ~ $ docker network inspect mailu_default | grep Subnet + "Subnet": "10.0.1.0/24", +``` +In the docker-compose.yml file, we will then use POD_ADDRESS_RANGE = 10.0.1.0/24 +In fact, imap & smtp logs doesn't show the IPs from the front(s) container(s), but the IP of "mailu_default-endpoint". So it is sufficient to set POD_ADDRESS_RANGE to this specific ip (which can be found by inspecting mailu_default network). The issue is that this endpoint is created while the stack is created, I did'nt figure a way to determine this IP before the stack creation... + +### Limitation with the ingress mode +With the default ingress mode, the front(s) container(s) will see origin IP(s) all being 10.255.0.x (which is the ingress-endpoint, can be found by inspecting the ingress network) + +This issue is known and discussed here: + +https://github.com/moby/moby/issues/25526 + +A workaround (using network host mode and global deployment) is discussed here: + +https://github.com/moby/moby/issues/25526#issuecomment-336363408 + +### Don't create an open relay ! +As a side effect of this ingress mode "feature", make sure that the ingress subnet is not in your RELAYHOST, otherwise you would create an smtp open relay :-( + + +## Scalability +- smtp and imap are scalable +- front and webmail are scalable (pending POD_ADDRESS_RANGE is used), although the let's encrypt magic might not like it (race condidtion ? or risk to be banned by let's encrypt server if too many front containers attemps to renew the certs at the same time) +- redis, antispam, antivirus, fetchmail, admin, webdav have not been tested (hence replicas=1 in the following docker-compose.yml file) + +## Variable substitution and docker-compose.yml +The docker stack deploy command doesn't support variable substitution in the .yml file itself. +As a consequence, we cannot simply use ``` docker stack deploy -c docker.compose.yml mailu ``` +Instead, we will use the following work-around: +``` echo "$(docker-compose -f /mnt/docker/apps/mailu/docker-compose.yml config 2>/dev/null)" | docker stack deploy -c- mailu ``` + +We need also to: +- add a deploy section for every service +- modify the way the ports are defined for the front service +- add the POD_ADDRESS_RANGE definition for imap, smtp and antispam services + +## Docker compose +An example of docker-compose-stack.yml file is available here: + +```yaml + +version: '3.2' + +services: + + front: + image: mailu/nginx:$VERSION + restart: always + env_file: .env + ports: + - target: 80 + published: 80 + - target: 443 + published: 443 + - target: 110 + published: 110 + - target: 143 + published: 143 + - target: 993 + published: 993 + - target: 995 + published: 995 + - target: 25 + published: 25 + - target: 465 + published: 465 + - target: 587 + published: 587 + volumes: + - "$ROOT/certs:/certs" + deploy: + replicas: 2 + + redis: + image: redis:alpine + restart: always + volumes: + - "$ROOT/redis:/data" + deploy: + replicas: 1 + + imap: + image: mailu/dovecot:$VERSION + restart: always + env_file: .env + environment: + - POD_ADDRESS_RANGE=10.0.1.0/24 + volumes: + - "$ROOT/mail:/mail" + - "$ROOT/overrides:/overrides" + depends_on: + - front + deploy: + replicas: 2 + + smtp: + image: mailu/postfix:$VERSION + restart: always + env_file: .env + environment: + - POD_ADDRESS_RANGE=10.0.1.0/24 + volumes: + - "$ROOT/overrides:/overrides" + depends_on: + - front + deploy: + replicas: 2 + + antispam: + image: mailu/rspamd:$VERSION + restart: always + env_file: .env + environment: + - POD_ADDRESS_RANGE=10.0.1.0/24 + volumes: + - "$ROOT/filter:/var/lib/rspamd" + - "$ROOT/dkim:/dkim" + - "$ROOT/overrides/rspamd:/etc/rspamd/override.d" + depends_on: + - front + deploy: + replicas: 1 + + antivirus: + image: mailu/none:$VERSION + restart: always + env_file: .env + volumes: + - "$ROOT/filter:/data" + deploy: + replicas: 1 + + webdav: + image: mailu/none:$VERSION + restart: always + env_file: .env + volumes: + - "$ROOT/dav:/data" + deploy: + replicas: 1 + + admin: + image: mailu/admin:$VERSION + restart: always + env_file: .env + volumes: + - "$ROOT/data:/data" + - "$ROOT/dkim:/dkim" + - /var/run/docker.sock:/var/run/docker.sock:ro + depends_on: + - redis + deploy: + replicas: 1 + + webmail: + image: mailu/roundcube:$VERSION + restart: always + env_file: .env + volumes: + - "$ROOT/webmail:/data" + depends_on: + - imap + deploy: + replicas: 2 + + fetchmail: + image: mailu/fetchmail:$VERSION + restart: always + env_file: .env + volumes: + deploy: + replicas: 1 + +networks: + default: + external: + name: mailu_default +``` + +## Deploy Mailu on the docker swarm +Run the following command: +```bash +echo "$(docker-compose -f /mnt/docker/apps/mailu/docker-compose.yml config 2>/dev/null)" | docker stack deploy -c- mailu +``` +See how the services are being deployed: +```bash +core@coreos-01 ~ $ docker service ls +ID NAME MODE REPLICAS IMAGE PORTS +ywnsetmtkb1l mailu_antivirus replicated 1/1 mailu/none:master +pqokiaz0q128 mailu_fetchmail replicated 1/1 mailu/fetchmail:master +``` +check a specific service: +```bash +core@coreos-01 ~ $ docker service ps mailu_fetchmail +ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR PORTS +tbu8ppgsdffj mailu_fetchmail.1 mailu/fetchmail:master coreos-01 Running Running 11 days ago +``` +You might also have a look on the logs: +```bash +core@coreos-01 ~ $ docker service logs -f mailu_fetchmail +``` + +## Remove the stack +Run the follwoing command: +```bash +core@coreos-01 ~ $ docker stack rm mailu +``` diff --git a/docs/swarm/master/README_nfs_example.md b/docs/swarm/master/README_nfs_example.md new file mode 100644 index 00000000..5cfd0a73 --- /dev/null +++ b/docs/swarm/master/README_nfs_example.md @@ -0,0 +1,357 @@ +# Install Mailu on a docker swarm + +## Prequisites + +### Swarm + +In order to deploy Mailu on a swarm, you will first need to initialize the swarm: + +The main command will be: +```bash +docker swarm init --advertise-addr +``` +See https://docs.docker.com/engine/swarm/swarm-tutorial/create-swarm/ + +If you want to add other managers or workers, please use: +```bash +docker swarm join --token xxxxx +``` +See https://docs.docker.com/engine/swarm/join-nodes/ + +You have now a working swarm, and you can check its status with: +```bash +core@coreos-01 ~/git/Mailu/docs/swarm/1.5 $ docker node ls +ID HOSTNAME STATUS AVAILABILITY MANAGER STATUS ENGINE VERSION +xhgeekkrlttpmtgmapt5hyxrb black-pearl Ready Active 18.06.0-ce +sczlqjgfhehsfdjhfhhph1nvb * coreos-01 Ready Active Leader 18.03.1-ce +mzrm9nbdggsfz4sgq6dhs5i6n flying-dutchman Ready Active 18.06.0-ce +``` + +### Volume definition +For data persistance (the Mailu services might be launched/relaunched on any of the swarm nodes), we need to have Mailu data stored in a manner accessible by every manager or worker in the swarm. +Hereafter we will use a NFS share: +```bash +core@coreos-01 ~ $ showmount -e 192.168.0.30 +Export list for 192.168.0.30: +/mnt/Pool1/pv 192.168.0.0 +``` + +on the nfs server, I am using the following /etc/exports +```bash +$more /etc/exports +/mnt/Pool1/pv -alldirs -mapall=root -network 192.168.0.0 -mask 255.255.255.0 +``` +on the nfs server, I created the Mailu directory (in fact I copied a working Mailu set-up) +```bash +$mkdir /mnt/Pool1/pv/mailu +``` + +On your manager node, mount the nfs share to check that the share is available: +```bash +core@coreos-01 ~ $ sudo mount -t nfs 192.168.0.30:/mnt/Pool1/pv/mailu /mnt/local/ +``` +If this is ok, you can umount it: +```bash +core@coreos-01 ~ $ sudo umount /mnt/local/ +``` + + +## Networking mode +On this example, we are using: +- the mesh routing mode (default mode). With this mode, each service is given a virtual IP adress and docker manages the routing between this virtual IP and the container(s) providing this service. +- the default ingress mode. + +### Allow authentification with the mesh routing +In order to allow every (front & webmail) container to access the other services, we will use the variable POD_ADDRESS_RANGE. + +Let's create the mailu_default network: +```bash +core@coreos-01 ~ $ docker network create -d overlay --attachable mailu_default +core@coreos-01 ~ $ docker network inspect mailu_default | grep Subnet + "Subnet": "10.0.1.0/24", +``` +In the docker-compose.yml file, we will then use POD_ADDRESS_RANGE = 10.0.1.0/24 +In fact, imap & smtp logs doesn't show the IPs from the front(s) container(s), but the IP of "mailu_default-endpoint". So it is sufficient to set POD_ADDRESS_RANGE to this specific ip (which can be found by inspecting mailu_default network). The issue is that this endpoint is created while the stack is created, I did'nt figure a way to determine this IP before the stack creation... + +### Limitation with the ingress mode +With the default ingress mode, the front(s) container(s) will see origin IP(s) all being 10.255.0.x (which is the ingress-endpoint, can be found by inspecting the ingress network) + +This issue is known and discussed here: + +https://github.com/moby/moby/issues/25526 + +A workaround (using network host mode and global deployment) is discussed here: + +https://github.com/moby/moby/issues/25526#issuecomment-336363408 + +### Don't create an open relay ! +As a side effect of this ingress mode "feature", make sure that the ingress subnet is not in your RELAYHOST, otherwise you would create an smtp open relay :-( + + +## Scalability +- smtp and imap are scalable +- front and webmail are scalable (pending POD_ADDRESS_RANGE is used), although the let's encrypt magic might not like it (race condidtion ? or risk to be banned by let's encrypt server if too many front containers attemps to renew the certs at the same time) +- redis, antispam, antivirus, fetchmail, admin, webdav have not been tested (hence replicas=1 in the following docker-compose.yml file) + +## Variable substitution and docker-compose.yml +The docker stack deploy command doesn't support variable substitution in the .yml file itself. As a consequence, we need to use the following work-around: +``` echo "$(docker-compose -f /mnt/docker/apps/mailu/docker-compose.yml config 2>/dev/null)" | docker stack deploy -c- mailu ``` + +We need also to: +- change the way we define the volumes (nfs share in our case) +- add a deploy section for every service +- the way the ports are defined for the front service + +## Docker compose +An example of docker-compose-stack.yml file is available here: + +```yaml + +version: '3.2' + +services: + + front: + image: mailu/nginx:$VERSION + restart: always + env_file: .env + ports: + - target: 80 + published: 80 + - target: 443 + published: 443 + - target: 110 + published: 110 + - target: 143 + published: 143 + - target: 993 + published: 993 + - target: 995 + published: 995 + - target: 25 + published: 25 + - target: 465 + published: 465 + - target: 587 + published: 587 + volumes: +# - "$ROOT/certs:/certs" + - type: volume + source: mailu_certs + target: /certs + deploy: + replicas: 2 + + redis: + image: redis:alpine + restart: always + volumes: +# - "$ROOT/redis:/data" + - type: volume + source: mailu_redis + target: /data + deploy: + replicas: 1 + + imap: + image: mailu/dovecot:$VERSION + restart: always + env_file: .env + environment: + - POD_ADDRESS_RANGE=10.0.1.0/24 + volumes: +# - "$ROOT/mail:/mail" + - type: volume + source: mailu_mail + target: /mail +# - "$ROOT/overrides:/overrides" + - type: volume + source: mailu_overrides + target: /overrides + depends_on: + - front + deploy: + replicas: 2 + + smtp: + image: mailu/postfix:$VERSION + restart: always + env_file: .env + environment: + - POD_ADDRESS_RANGE=10.0.1.0/24 + volumes: +# - "$ROOT/overrides:/overrides" + - type: volume + source: mailu_overrides + target: /overrides + depends_on: + - front + deploy: + replicas: 2 + + antispam: + image: mailu/rspamd:$VERSION + restart: always + env_file: .env + environment: + - POD_ADDRESS_RANGE=10.0.1.0/24 + depends_on: + - front + volumes: +# - "$ROOT/filter:/var/lib/rspamd" + - type: volume + source: mailu_filter + target: /var/lib/rspamd +# - "$ROOT/dkim:/dkim" + - type: volume + source: mailu_dkim + target: /dkim +# - "$ROOT/overrides/rspamd:/etc/rspamd/override.d" + - type: volume + source: mailu_overrides_rspamd + target: /etc/rspamd/override.d + deploy: + replicas: 1 + + antivirus: + image: mailu/none:$VERSION + restart: always + env_file: .env + volumes: +# - "$ROOT/filter:/data" + - type: volume + source: mailu_filter + target: /data + deploy: + replicas: 1 + + webdav: + image: mailu/none:$VERSION + restart: always + env_file: .env + volumes: +# - "$ROOT/dav:/data" + - type: volume + source: mailu_dav + target: /data + deploy: + replicas: 1 + + admin: + image: mailu/admin:$VERSION + restart: always + env_file: .env + volumes: +# - "$ROOT/data:/data" + - type: volume + source: mailu_data + target: /data +# - "$ROOT/dkim:/dkim" + - type: volume + source: mailu_dkim + target: /dkim + - /var/run/docker.sock:/var/run/docker.sock:ro + depends_on: + - redis + deploy: + replicas: 1 + + webmail: + image: mailu/roundcube:$VERSION + restart: always + env_file: .env + volumes: +# - "$ROOT/webmail:/data" + - type: volume + source: mailu_data + target: /data + depends_on: + - imap + deploy: + replicas: 2 + + fetchmail: + image: mailu/fetchmail:$VERSION + restart: always + env_file: .env + volumes: + deploy: + replicas: 1 + +networks: + default: + external: + name: mailu_default + +volumes: + mailu_filter: + driver_opts: + type: "nfs" + o: "addr=192.168.0.30,soft,rw" + device: ":/mnt/Pool1/pv/mailu/filter" + mailu_dkim: + driver_opts: + type: "nfs" + o: "addr=192.168.0.30,soft,rw" + device: ":/mnt/Pool1/pv/mailu/dkim" + mailu_overrides_rspamd: + driver_opts: + type: "nfs" + o: "addr=192.168.0.30,soft,rw" + device: ":/mnt/Pool1/pv/mailu/overrides/rspamd" + mailu_data: + driver_opts: + type: "nfs" + o: "addr=192.168.0.30,soft,rw" + device: ":/mnt/Pool1/pv/mailu/data" + mailu_mail: + driver_opts: + type: "nfs" + o: "addr=192.168.0.30,soft,rw" + device: ":/mnt/Pool1/pv/mailu/mail" + mailu_overrides: + driver_opts: + type: "nfs" + o: "addr=192.168.0.30,soft,rw" + device: ":/mnt/Pool1/pv/mailu/overrides" + mailu_dav: + driver_opts: + type: "nfs" + o: "addr=192.168.0.30,soft,rw" + device: ":/mnt/Pool1/pv/mailu/dav" + mailu_certs: + driver_opts: + type: "nfs" + o: "addr=192.168.0.30,soft,rw" + device: ":/mnt/Pool1/pv/mailu/certs" + mailu_redis: + driver_opts: + type: "nfs" + o: "addr=192.168.0.30,soft,rw" + device: ":/mnt/Pool1/pv/mailu/redis" +``` + +## Deploy Mailu on the docker swarm +Run the following command: +```bash +echo "$(docker-compose -f /mnt/docker/apps/mailu/docker-compose.yml config 2>/dev/null)" | docker stack deploy -c- mailu +``` +See how the services are being deployed: +```bash +core@coreos-01 ~ $ docker service ls +ID NAME MODE REPLICAS IMAGE PORTS +ywnsetmtkb1l mailu_antivirus replicated 1/1 mailu/none:master +pqokiaz0q128 mailu_fetchmail replicated 1/1 mailu/fetchmail:master +``` +check a specific service: +```bash +core@coreos-01 ~ $ docker service ps mailu_fetchmail +ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR PORTS +tbu8ppgsdffj mailu_fetchmail.1 mailu/fetchmail:master coreos-01 Running Running 11 days ago +``` + +## Remove the stack +Run the follwoing command: +```bash +core@coreos-01 ~ $ docker stack rm mailu +``` diff --git a/optional/clamav/Dockerfile b/optional/clamav/Dockerfile index a27c0eb2..b3df2d45 100644 --- a/optional/clamav/Dockerfile +++ b/optional/clamav/Dockerfile @@ -1,11 +1,18 @@ FROM alpine:3.8 - +# python3 shared with most images +RUN apk add --no-cache \ + python3 py3-pip \ + && pip3 install --upgrade pip +# Image specific layers under this line RUN apk add --no-cache clamav rsyslog wget clamav-libunrar COPY conf /etc/clamav -COPY start.sh /start.sh +COPY start.py /start.py +COPY health.sh /health.sh EXPOSE 3310/tcp VOLUME ["/data"] -CMD ["/start.sh"] +CMD /start.py + +HEALTHCHECK CMD /health.sh diff --git a/optional/clamav/health.sh b/optional/clamav/health.sh new file mode 100755 index 00000000..c4c55044 --- /dev/null +++ b/optional/clamav/health.sh @@ -0,0 +1,8 @@ +#!/bin/sh + +if [ "$(echo PING | nc localhost 3310)" = "PONG" ]; then + echo "ping successful" +else + echo "ping failed" + exit 1 +fi diff --git a/optional/clamav/start.py b/optional/clamav/start.py new file mode 100755 index 00000000..d4701d2d --- /dev/null +++ b/optional/clamav/start.py @@ -0,0 +1,12 @@ +#!/usr/bin/python3 + +import os + +# Bootstrap the database if clamav is running for the first time +os.system("[ -f /data/main.cvd ] || freshclam") + +# Run the update daemon +os.system("freshclam -d -c 6") + +# Run clamav +os.system("clamd") diff --git a/optional/clamav/start.sh b/optional/clamav/start.sh deleted file mode 100755 index 214230fd..00000000 --- a/optional/clamav/start.sh +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/sh - -# Bootstrap the database if clamav is running for the first time -[ -f /data/main.cvd ] || freshclam - -# Run the update daemon -freshclam -d -c 6 - -# Run clamav -clamd diff --git a/optional/radicale/Dockerfile b/optional/radicale/Dockerfile index b82a0804..4616d53d 100644 --- a/optional/radicale/Dockerfile +++ b/optional/radicale/Dockerfile @@ -1,7 +1,7 @@ FROM alpine:edge RUN echo "@testing http://nl.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories \ - && apk add --no-cache radicale@testing py-dulwich@testing + && apk add --no-cache radicale@testing py-dulwich@testing curl COPY radicale.conf /radicale.conf @@ -9,3 +9,5 @@ EXPOSE 5232/tcp VOLUME ["/data"] CMD radicale -f -S -C /radicale.conf + +HEALTHCHECK CMD curl -f -L http://localhost:5232/ || exit 1 diff --git a/services/fetchmail/Dockerfile b/services/fetchmail/Dockerfile index 33f8a7de..52f794d5 100644 --- a/services/fetchmail/Dockerfile +++ b/services/fetchmail/Dockerfile @@ -1,7 +1,11 @@ -FROM python:3-alpine - +FROM alpine:3.8 +# python3 shared with most images +RUN apk add --no-cache \ + python3 py3-pip \ + && pip3 install --upgrade pip +# Image specific layers under this line RUN apk add --no-cache fetchmail ca-certificates \ - && pip install requests + && pip3 install requests COPY fetchmail.py /fetchmail.py USER fetchmail diff --git a/services/fetchmail/fetchmail.py b/services/fetchmail/fetchmail.py index 8e006f84..9b1bcc4f 100755 --- a/services/fetchmail/fetchmail.py +++ b/services/fetchmail/fetchmail.py @@ -1,4 +1,4 @@ -#!/usr/bin/env python +#!/usr/bin/python3 import time import os diff --git a/services/rspamd/Dockerfile b/services/rspamd/Dockerfile index 7239ddaf..6d0cb5d0 100644 --- a/services/rspamd/Dockerfile +++ b/services/rspamd/Dockerfile @@ -1,19 +1,24 @@ FROM alpine:3.8 - -RUN apk add --no-cache python py-jinja2 rspamd rspamd-controller rspamd-proxy ca-certificates py-pip \ - && pip install --upgrade pip \ - && pip install tenacity +# python3 shared with most images +RUN apk add --no-cache \ + python3 py3-pip \ + && pip3 install --upgrade pip +# Shared layer between rspamd, postfix, dovecot, unbound and nginx +RUN pip3 install jinja2 +# Shared layer between rspamd, postfix, dovecot +RUN pip3 install tenacity +# Image specific layers under this line +RUN apk add --no-cache rspamd rspamd-controller rspamd-proxy rspamd-fuzzy ca-certificates curl RUN mkdir /run/rspamd COPY conf/ /conf COPY start.py /start.py -# Temporary fix to remove references to rspamd-fuzzy for now -RUN sed -i '/fuzzy/,$d' /etc/rspamd/rspamd.conf - -EXPOSE 11332/tcp 11334/tcp +EXPOSE 11332/tcp 11334/tcp 11335/tcp VOLUME ["/var/lib/rspamd"] CMD /start.py + +HEALTHCHECK --start-period=350s CMD curl -f -L http://localhost:11334/ || exit 1 diff --git a/services/rspamd/conf/dkim_signing.conf b/services/rspamd/conf/dkim_signing.conf index 70f7e9b4..e00e8d67 100644 --- a/services/rspamd/conf/dkim_signing.conf +++ b/services/rspamd/conf/dkim_signing.conf @@ -1,3 +1,4 @@ try_fallback = true; path = "/dkim/$domain.$selector.key"; use_esld = false; +allow_username_mismatch = true; diff --git a/services/rspamd/conf/fuzzy_check.conf b/services/rspamd/conf/fuzzy_check.conf new file mode 100644 index 00000000..7c87e1c3 --- /dev/null +++ b/services/rspamd/conf/fuzzy_check.conf @@ -0,0 +1,34 @@ +rule "local" { + # Fuzzy storage server list + servers = "localhost:11335"; + # Default symbol for unknown flags + symbol = "LOCAL_FUZZY_UNKNOWN"; + # Additional mime types to store/check + mime_types = ["application/*"]; + # Hash weight threshold for all maps + max_score = 20.0; + # Whether we can learn this storage + read_only = no; + # Ignore unknown flags + skip_unknown = yes; + # Hash generation algorithm + algorithm = "mumhash"; + + # Map flags to symbols + fuzzy_map = { + LOCAL_FUZZY_DENIED { + # Local threshold + max_score = 20.0; + # Flag to match + flag = 11; + } + LOCAL_FUZZY_PROB { + max_score = 10.0; + flag = 12; + } + LOCAL_FUZZY_WHITE { + max_score = 2.0; + flag = 13; + } + } +} diff --git a/services/rspamd/conf/history_redis.conf b/services/rspamd/conf/history_redis.conf new file mode 100644 index 00000000..fee07024 --- /dev/null +++ b/services/rspamd/conf/history_redis.conf @@ -0,0 +1 @@ +servers = "{{ HOST_REDIS }}"; diff --git a/services/rspamd/conf/metrics.conf b/services/rspamd/conf/metrics.conf new file mode 100644 index 00000000..6a31964f --- /dev/null +++ b/services/rspamd/conf/metrics.conf @@ -0,0 +1,19 @@ +group "fuzzy" { + max_score = 12.0; + symbol "LOCAL_FUZZY_UNKNOWN" { + weight = 5.0; + description = "Generic fuzzy hash match"; + } + symbol "LOCAL_FUZZY_DENIED" { + weight = 12.0; + description = "Denied fuzzy hash"; + } + symbol "LOCAL_FUZZY_PROB" { + weight = 5.0; + description = "Probable fuzzy hash"; + } + symbol "LOCAL_FUZZY_WHITE" { + weight = -2.1; + description = "Whitelisted fuzzy hash"; + } +} diff --git a/services/rspamd/conf/worker-controller.inc b/services/rspamd/conf/worker-controller.inc index 6a020672..b630f7ad 100644 --- a/services/rspamd/conf/worker-controller.inc +++ b/services/rspamd/conf/worker-controller.inc @@ -1,3 +1,4 @@ +type = "controller"; bind_socket = "*:11334"; password = "mailu"; -secure_ip = "{{ FRONT_ADDRESS }}"; +secure_ip = "{% if POD_ADDRESS_RANGE %}{{ POD_ADDRESS_RANGE }}{% else %}{{ FRONT_ADDRESS }}{% endif %}"; diff --git a/services/rspamd/conf/worker-fuzzy.inc b/services/rspamd/conf/worker-fuzzy.inc new file mode 100644 index 00000000..0f71ba32 --- /dev/null +++ b/services/rspamd/conf/worker-fuzzy.inc @@ -0,0 +1,6 @@ +type = "fuzzy"; +bind_socket = "*:11335"; +count = 1; +backend = "redis"; +expire = 90d; +allow_update = ["127.0.0.1"]; diff --git a/services/rspamd/conf/worker-normal.inc b/services/rspamd/conf/worker-normal.inc index a6ee8317..ab996fb8 100644 --- a/services/rspamd/conf/worker-normal.inc +++ b/services/rspamd/conf/worker-normal.inc @@ -1 +1,2 @@ +type = "normal"; enabled = false; diff --git a/services/rspamd/start.py b/services/rspamd/start.py index b979517e..0b3c48a8 100755 --- a/services/rspamd/start.py +++ b/services/rspamd/start.py @@ -1,4 +1,4 @@ -#!/usr/bin/python +#!/usr/bin/python3 import jinja2 import os @@ -9,12 +9,11 @@ from tenacity import retry convert = lambda src, dst: open(dst, "w").write(jinja2.Template(open(src).read()).render(**os.environ)) -@retry(stop=tenacity.stop_after_attempt(100), wait=tenacity.wait_random(min=2, max=5)) -def resolve(): - os.environ["FRONT_ADDRESS"] = socket.gethostbyname(os.environ.get("FRONT_ADDRESS", "front")) - # Actual startup script -resolve() +resolve = retry(socket.gethostbyname, stop=tenacity.stop_after_attempt(100), wait=tenacity.wait_random(min=2, max=5)) + +os.environ["FRONT_ADDRESS"] = resolve(os.environ.get("FRONT_ADDRESS", "front")) + if "HOST_REDIS" not in os.environ: os.environ["HOST_REDIS"] = "redis" for rspamd_file in glob.glob("/conf/*"): diff --git a/services/unbound/Dockerfile b/services/unbound/Dockerfile new file mode 100644 index 00000000..dbf8a3a9 --- /dev/null +++ b/services/unbound/Dockerfile @@ -0,0 +1,23 @@ +FROM alpine:3.8 +# python3 shared with most images +RUN apk add --no-cache \ + python3 py3-pip \ + && pip3 install --upgrade pip +# Shared layer between rspamd, postfix, dovecot, unbound and nginx +RUN pip3 install jinja2 +# Image specific layers under this line +RUN apk add --no-cache unbound curl bind-tools \ + && curl -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache \ + && chown root:unbound /etc/unbound \ + && chmod 775 /etc/unbound \ + && apk del --no-cache curl \ + && /usr/sbin/unbound-anchor -a /etc/unbound/trusted-key.key | true + +COPY start.py /start.py +COPY unbound.conf /unbound.conf + +EXPOSE 53/udp 53/tcp + +CMD /start.py + +HEALTHCHECK CMD dig @127.0.0.1 || exit 1 diff --git a/services/unbound/start.py b/services/unbound/start.py new file mode 100755 index 00000000..6f494762 --- /dev/null +++ b/services/unbound/start.py @@ -0,0 +1,9 @@ +#!/usr/bin/python3 + +import jinja2 +import os + +convert = lambda src, dst: open(dst, "w").write(jinja2.Template(open(src).read()).render(**os.environ)) +convert("/unbound.conf", "/etc/unbound/unbound.conf") + +os.execv("/usr/sbin/unbound", ["-c /etc/unbound/unbound.conf"]) diff --git a/services/unbound/unbound.conf b/services/unbound/unbound.conf new file mode 100644 index 00000000..d54cbfbc --- /dev/null +++ b/services/unbound/unbound.conf @@ -0,0 +1,19 @@ +server: + verbosity: 1 + interface: 0.0.0.0 + interface: ::0 + logfile: /dev/stdout + do-ip4: yes + do-ip6: yes + do-udp: yes + do-tcp: yes + do-daemonize: no + access-control: {{ SUBNET }} allow + directory: "/etc/unbound" + username: root + auto-trust-anchor-file: trusted-key.key + root-hints: "/etc/unbound/root.hints" + hide-identity: yes + hide-version: yes + max-udp-size: 4096 + msg-buffer-size: 65552 diff --git a/setup/Dockerfile b/setup/Dockerfile index 1fc808f1..83711af5 100644 --- a/setup/Dockerfile +++ b/setup/Dockerfile @@ -4,15 +4,19 @@ RUN mkdir -p /app WORKDIR /app COPY requirements.txt requirements.txt -RUN apk add --no-cache git \ +RUN apk add --no-cache git curl \ && pip install -r requirements.txt COPY server.py ./server.py COPY setup.py ./setup.py COPY main.py ./main.py +COPY flavors /data/master/flavors +COPY templates /data/master/templates -RUN python setup.py https://github.com/mailu/mailu /data +#RUN python setup.py https://github.com/mailu/mailu /data EXPOSE 80/tcp CMD gunicorn -w 4 -b :80 --access-logfile - --error-logfile - --preload main:app + +HEALTHCHECK CMD curl -f -L http://localhost/ || exit 1 diff --git a/setup/docker-compose.yml b/setup/docker-compose.yml index 9288bb7e..e91332e1 100644 --- a/setup/docker-compose.yml +++ b/setup/docker-compose.yml @@ -9,5 +9,6 @@ services: setup: image: mailu/setup ports: - - "80:80" + - "8000:80" + build: . diff --git a/setup/flavors/compose/docker-compose.yml b/setup/flavors/compose/docker-compose.yml index fcf0c092..81b6bcb2 100644 --- a/setup/flavors/compose/docker-compose.yml +++ b/setup/flavors/compose/docker-compose.yml @@ -1,124 +1,148 @@ {% set env='mailu.env' %} # This file is auto-generated by the Mailu configuration wizard. # Please read the documentation before attempting any change. +# Generated for {{ flavor }} flavor -version: '2' +version: '3.6' services: # External dependencies redis: image: redis:alpine - restart: always volumes: - - "$ROOT/redis:/data" + - "{{ root }}/redis:/data" # Core services front: image: mailu/nginx:{{ version }} - restart: always env_file: {{ env }} - env: - - TLS_FLAVOR={{ tls_flavor or 'letsencrypt' }} - - ADMIN={{ expose_admin or 'no' }} ports: {% for port in (80, 443, 25, 465, 587, 110, 995, 143, 993) %} {% if bind4 %} - - "$PUBLIC_IPV4:{{ port }}:{{ port }}" + - "{{ bind4 }}:{{ port }}:{{ port }}" {% endif %} {% if bind6 %} - - "$PUBLIC_IPV6:{{ port }}:{{ port }}" + - "{{ bind6 }}:{{ port }}:{{ port }}" {% endif %} {% endfor %} - {% if flavor in ('cert', 'mail') %} volumes: - - "$ROOT/certs:/certs" - {% endif %} + - "{{ root }}/certs:/certs" + + {% if resolver_enabled %} + resolver: + image: mailu/unbound:{{ version }} + env_file: {{ env }} + restart: always + networks: + default: + ipv4_address: {{ dns }} + {% endif %} admin: image: mailu/admin:{{ version }} - restart: always env_file: {{ env }} - {% if not expose_admin %} + {% if not admin_enabled %} ports: - 127.0.0.1:8080:80 {% endif %} volumes: - - "$ROOT/data:/data" - - "$ROOT/dkim:/dkim" + - "{{ root }}/data:/data" + - "{{ root }}/dkim:/dkim" depends_on: - redis imap: image: mailu/dovecot:{{ version }} - restart: always env_file: {{ env }} volumes: - - "$ROOT/data:/data" - - "$ROOT/mail:/mail" - - "$ROOT/overrides:/overrides" + - "{{ root }}/mail:/mail" + - "{{ root }}/overrides:/overrides" depends_on: - front smtp: image: mailu/postfix:{{ version }} - restart: always env_file: {{ env }} volumes: - - "$ROOT/data:/data" - - "$ROOT/overrides:/overrides" + - "{{ root }}/overrides:/overrides" depends_on: - front + {% if resolver_enabled %} + - resolver + dns: + - {{ dns }} + {% endif %} # Optional services - {% if enable_antispam %} + {% if antispam_enabled %} antispam: image: mailu/rspamd:{{ version }} - restart: always env_file: {{ env }} volumes: - - "$ROOT/filter:/var/lib/rspamd" - - "$ROOT/dkim:/dkim" - - "$ROOT/overrides/rspamd:/etc/rspamd/override.d" + - "{{ root }}/filter:/var/lib/rspamd" + - "{{ root }}/dkim:/dkim" + - "{{ root }}/overrides/rspamd:/etc/rspamd/override.d" depends_on: - front + {% if resolver_enabled %} + - resolver + dns: + - {{ dns }} + {% endif %} {% endif %} - {% if enable_antivirus %} + {% if antivirus_enabled %} antivirus: image: mailu/clamav:{{ version }} - restart: always env_file: {{ env }} volumes: - - "$ROOT/filter:/data" + - "{{ root }}/filter:/data" + {% if resolver_enabled %} + depends_on: + - resolver + dns: + - {{ dns }} + {% endif %} {% endif %} - {% if enable_webdav %} + {% if webdav_enabled %} webdav: - image: mailu/radivale:{{ version }} - restart: always + image: mailu/radicale:{{ version }} env_file: {{ env }} volumes: - - "$ROOT/dav:/data" + - "{{ root }}/dav:/data" {% endif %} - {% if enable_fetchmail %} + {% if fetchmail_enabled %} fetchmail: image: mailu/fetchmail:{{ version }} - restart: always env_file: {{ env }} - volumes: - - "$ROOT/data:/data" + {% if resolver_enabled %} + depends_on: + - resolver + dns: + - {{ dns }} + {% endif %} {% endif %} # Webmail - {% if enable_webmail %} + {% if webmail_type != 'none' %} webmail: - image: mailu/{{ webmail }}:{{ version }} - restart: always + image: mailu/{{ webmail_type }}:{{ version }} env_file: {{ env }} volumes: - - "$ROOT/webmail:/data" + - "{{ root }}/webmail:/data" depends_on: - imap {% endif %} + +{% if resolver_enabled %} +networks: + default: + driver: bridge + ipam: + driver: default + config: + - subnet: {{ subnet }} +{% endif %} diff --git a/setup/flavors/compose/mailu.env b/setup/flavors/compose/mailu.env index 24d7b247..4a14de63 100644 --- a/setup/flavors/compose/mailu.env +++ b/setup/flavors/compose/mailu.env @@ -1,5 +1,7 @@ # Mailu main configuration file # +# Generated for {{ flavor }} flavor +# # This file is autogenerated by the configuration management wizard. # For a detailed list of configuration variables, see the documentation at # https://mailu.io @@ -9,60 +11,121 @@ ################################### # Set this to the path where Mailu data and configuration is stored -ROOT=/mailu +# This variable is now set directly in `docker-compose.yml by the setup utility +# ROOT={{ root }} + +# Mailu version to run (1.0, 1.1, etc. or master) +#VERSION={{ version }} # Set to a randomly generated 16 bytes string SECRET_KEY={{ secret(16) }} # Address where listening ports should bind -{% if bind4 %}PUBLIC_IPV4={{ bind4 }}{% endif %} -{% if bind6 %}PUBLIC_IPV6={{ bind6 }}{% endif %} +# This variables are now set directly in `docker-compose.yml by the setup utility +# PUBLIC_IPV4= {{ bind4 }} (default: 127.0.0.1) +# PUBLIC_IPV6= {{ bind6 }} (default: ::1) -# Mail address of the postmaster -POSTMASTER={{ postmaster }} +# Subnet +SUBNET={{ subnet }} + +# Main mail domain +DOMAIN={{ domain }} # Hostnames for this server, separated with comas HOSTNAMES={{ hostnames }} +# Postmaster local part (will append the main mail domain) +POSTMASTER={{ postmaster }} + +# Choose how secure connections will behave (value: letsencrypt, cert, notls, mail, mail-letsencrypt) +TLS_FLAVOR={{ tls_flavor }} + # Authentication rate limit (per source IP address) -AUTH_RATELIMIT={{ auth_ratelimit }} +{% if auth_ratelimit_pm > '0' and auth_ratelimit_ph > '0' %} +AUTH_RATELIMIT={{ auth_ratelimit_pm }}/minute;{{ auth_ratelimit_ph }}/hour +{% endif %} # Opt-out of statistics, replace with "True" to opt out -DISABLE_STATISTICS={{ disable_statistics }} +DISABLE_STATISTICS={{ disable_statistics or 'False' }} ################################### -# Server behavior +# Optional features +################################### + +# Expose the admin interface (value: true, false) +ADMIN={{ admin_enabled or 'false' }} + +# Choose which webmail to run if any (values: roundcube, rainloop, none) +WEBMAIL={{ webmail_type }} + +# Dav server implementation (value: radicale, none) +WEBDAV={{ webdav_enabled or 'none' }} + +# Antivirus solution (value: clamav, none) +#ANTIVIRUS={{ antivirus_enabled or 'none' }} + +#Antispam solution +ANTISPAM={{ antispam_enabled or 'none'}} + +################################### +# Mail settings ################################### # Message size limit in bytes # Default: accept messages up to 50MB -MESSAGE_SIZE_LIMIT={{ message_size_limit }} +MESSAGE_SIZE_LIMIT={{ message_size_limit or '50000000' }} # Networks granted relay permissions, make sure that you include your Docker # internal network (default to 172.17.0.0/16) -RELAYNETS={{ relaynets }} +RELAYNETS={{ relaynets or '172.17.0.0/16' }} # Will relay all outgoing mails if configured RELAYHOST={{ relayhost }} # Fetchmail delay -FETCHMAIL_DELAY={{ fetchmail_delay }} +FETCHMAIL_DELAY={{ fetchmail_delay or '600' }} # Recipient delimiter, character used to delimiter localpart from custom address part -RECIPIENT_DELIMITER={{ recipient_delimiter }} +RECIPIENT_DELIMITER={{ recipient_delimiter or '+' }} -{% if dmarc_rua or dmarc_ruf %} # DMARC rua and ruf email -{% if dmarc_rua %}DMARC_RUA={{ dmarc_rua }}{% endif %} -{% if dmarc_ruf %}DMARC_RUF={{ dmarc_ruf }}{% endif %} -{% endif %} +DMARC_RUA={{ dmarc_rua or 'admin' }} +DMARC_RUF={{ dmarc_ruf or 'admin' }} {% if welcome_enabled %} # Welcome email, enable and set a topic and body if you wish to send welcome # emails to all users. -WELCOME={{ welcome_enable }} -WELCOME_SUBJECT={{ welcome_subject }} -WELCOME_BODY={{ welcome_body }} +WELCOME={{ welcome_enable or 'false' }} +WELCOME_SUBJECT={{ welcome_subject or 'Welcome to your new email account' }} +WELCOME_BODY={{ welcome_body or 'Welcome to your new email account, if you can read this, then it is configured properly!' }} +{% endif %} + +# Maildir Compression +# choose compression-method, default: none (value: bz2, gz) +COMPRESSION={{ compression }} +# change compression-level, default: 6 (value: 1-9) +COMPRESSION_LEVEL={{ compression_level }} + +################################### +# Web settings +################################### + +# Path to the admin interface if enabled +WEB_ADMIN={{ admin_path }} + +# Path to the webmail if enabled +WEB_WEBMAIL={{ webmail_path }} + +# Website name +SITENAME={{ site_name }} + +# Linked Website URL +WEBSITE={{ website }} + +{% if recaptcha_public_key and recaptcha_private_key %} +# Registration reCaptcha settings (warning, this has some privacy impact) +# RECAPTCHA_PUBLIC_KEY={{ recaptcha_public_key }} +# RECAPTCHA_PRIVATE_KEY={{ recaptcha_private_key }} {% endif %} {% if domain_registration %} @@ -70,39 +133,28 @@ WELCOME_BODY={{ welcome_body }} DOMAIN_REGISTRATION=true {% endif %} -################################### -# Web settings -################################### - -# Path to the admin interface if enabled -WEB_ADMIN=/admin - -# Path to the webmail if enabled -WEB_WEBMAIL=/webmail - -# Website name -SITENAME=Mailu - -# Linked Website URL -WEBSITE=https://mailu.io - -{% if recaptcha_public_key and recaptcha_private_key %} -# Registration reCaptcha settings (warning, this has some privacy impact) -# RECAPTCHA_PUBLIC_KEY={{ recaptcha_public_key }} -# RECAPTCHA_PRIVATE_KEY={{ recaptcha_private_key }} -{% endif %} - ################################### # Advanced settings ################################### -{% if password_scheme %} -# Specific password storage scheme -PASSWORD_SCHEME={{ password_scheme }} -{% endif %} +# Log driver for front service. Possible values: +# json-file (default) +# journald (On systemd platforms, useful for Fail2Ban integration) +# syslog (Non systemd platforms, Fail2Ban integration. Disables `docker-compose log` for front!) +LOG_DRIVER={{ log_driver or 'json-file' }} + +# Docker-compose project name, this will prepended to containers names. +COMPOSE_PROJECT_NAME={{ compose_project_name or 'mailu' }} + +# Default password scheme used for newly created accounts and changed passwords +# (value: BLF-CRYPT, SHA512-CRYPT, SHA256-CRYPT, MD5-CRYPT, CRYPT) +PASSWORD_SCHEME={{ password_scheme or 'BLF-CRYPT' }} # Header to take the real ip from REAL_IP_HEADER={{ real_ip_header }} # IPs for nginx set_real_ip_from (CIDR list separated by commas) REAL_IP_FROM={{ real_ip_from }} + +# choose wether mailu bounces (no) or rejects (yes) mail when recipient is unknown (value: yes, no) +REJECT_UNLISTED_RECIPIENT={{ reject_unlisted_recipient }} diff --git a/setup/flavors/compose/setup.html b/setup/flavors/compose/setup.html index e4506e6d..0379ba82 100644 --- a/setup/flavors/compose/setup.html +++ b/setup/flavors/compose/setup.html @@ -4,15 +4,15 @@

Docker Compose expects a project file, named docker-compose.yml in a project directory. First create your project directory.

-
mkdir /mailu
+
mkdir {{ root }}
 

 
 
Then download the project file. A side configuration file makes it easier
 to read and check the configuration variables generated by the wizard.

 
-
cd /mailu
-wget {{ url_for('.file', uid=uid, filepath='docker-compose.yml', _external=True) }}
-wget {{ url_for('.file', uid=uid, filepath='mailu.env', _external=True) }}
+
cd {{ root }}
+curl {{ url_for('.file', uid=uid, filepath='docker-compose.yml', _external=True) }} > docker-compose.yml
+curl {{ url_for('.file', uid=uid, filepath='mailu.env', _external=True) }} > mailu.env
 

 {% endcall %}
 
@@ -30,7 +30,22 @@ files before going any further.

 
To start your compose project, simply run the Docker Compose up
 command.

 
-
cd /mailu
+
cd {{ root }}
 docker-compose up -d
 

+
+Before you can use Mailu, you must create the primary administrator user account. This should be {{ postmaster }}@{{ domain }}. Use the following command, changing PASSWORD to your liking:
+
+
docker-compose exec admin python manage.py admin {{ postmaster }} {{ domain }} PASSWORD
+

+
+
Login to the admin interface to change the password for a safe one, at
+{% if admin_enabled %}
+one of the hostnames 
+{{ hostnames.split(',')[0] }}{{ admin_path }}.
+{% else %}
+http://127.0.0.1:8080 (only directly from the host running docker).
+{% endif %}
+And choose the "Update password" option in the left menu.
+

 {% endcall %}
diff --git a/setup/flavors/stack/docker-compose.yml b/setup/flavors/stack/docker-compose.yml
new file mode 100644
index 00000000..b9537e94
--- /dev/null
+++ b/setup/flavors/stack/docker-compose.yml
@@ -0,0 +1,153 @@
+{% set env='mailu.env' %}
+# This file is auto-generated by the Mailu configuration wizard.
+# Please read the documentation before attempting any change.
+# Generated for {{ flavor }} flavor
+
+version: '3.6'
+
+services:
+
+# External dependencies
+  redis:
+    image: redis:alpine
+    restart: always
+    volumes:
+      - "{{ root }}/redis:/data"
+
+# Core services
+  front:
+    image: mailu/nginx:{{ version }}
+    env_file: {{ env }}
+    ports:
+    {% for port in (80, 443, 25, 465, 587, 110, 995, 143, 993) %}
+      - target: {{ port }}
+        published: {{ port }}
+        mode: overlay
+    {% endfor %}
+    volumes:
+      - "{{ root }}/certs:/certs"
+    deploy:
+      replicas: 1
+      
+  {% if resolver_enabled %}
+  resolver:
+    image: mailu/unbound:{{ version }}
+    env_file: {{ env }}
+    networks:
+      default:
+        ipv4_address: {{ dns }}
+  {% endif %}
+
+  admin:
+    image: mailu/admin:{{ version }}
+    env_file: {{ env }}
+    {% if not admin_enabled %}
+    ports:
+      - 127.0.0.1:8080:80
+    {% endif %}
+    volumes:
+      - "{{ root }}/data:/data"
+      - "{{ root }}/dkim:/dkim"
+    deploy:
+      replicas: 1
+
+  imap:
+    image: mailu/dovecot:{{ version }}
+    env_file: {{ env }}
+    environment:
+    # Default to 10.0.1.0/24
+      - POD_ADDRESS_RANGE={{ subnet }}
+    volumes:
+      - "{{ root }}/mail:/mail"
+      - "{{ root }}/overrides:/overrides"
+    deploy:
+      replicas: 1
+
+  smtp:
+    image: mailu/postfix:{{ version }}
+    env_file: {{ env }}
+    environment:
+      - POD_ADDRESS_RANGE={{ subnet }}
+    volumes:
+      - "{{ root }}/overrides:/overrides"
+    deploy:
+      replicas: 1
+    {% if resolver_enabled %}
+    dns:
+      - {{ dns }}
+    {% endif %}
+
+  # Optional services
+  {% if antispam_enabled %}
+  antispam:
+    image: mailu/rspamd:{{ version }}
+    env_file: {{ env }}
+    environment:
+      - POD_ADDRESS_RANGE={{ subnet }}
+    volumes:
+      - "{{ root }}/filter:/var/lib/rspamd"
+      - "{{ root }}/dkim:/dkim"
+      - "{{ root }}/overrides/rspamd:/etc/rspamd/override.d"
+    deploy:
+      replicas: 1
+    {% if resolver_enabled %}
+    dns:
+      - {{ dns }}
+    {% endif %}
+  {% endif %}
+
+  {% if antivirus_enabled %}
+  antivirus:
+    image: mailu/clamav:{{ version }}
+    env_file: {{ env }}
+    volumes:
+      - "{{ root }}/filter:/data"
+    deploy:
+      replicas: 1
+    {% if resolver_enabled %}
+    dns:
+      - {{ dns }}
+    {% endif %}
+  {% endif %}
+
+  {% if webdav_enabled %}
+  webdav:
+    image: mailu/none:{{ version }}
+    env_file: {{ env }}
+    volumes:
+      - "{{ root }}/dav:/data"
+    deploy:
+      replicas: 1
+  {% endif %}
+
+  {% if fetchmail_enabled %}
+  fetchmail:
+    image: mailu/fetchmail:{{ version }}
+    env_file: {{ env }}
+    volumes:
+      - "{{ root }}/data:/data"
+    deploy:
+      replicas: 1
+    {% if resolver_enabled %}
+    dns:
+      - {{ dns }}
+    {% endif %}
+  {% endif %}
+
+  {% if webmail_type != 'none' %}
+  webmail:
+    image: mailu/roundcube:{{ version }}
+    env_file: {{ env }}
+    volumes:
+      - "{{ root }}/webmail:/data"
+    deploy:
+      replicas: 1
+  {% endif %}
+
+networks:
+  default:
+    driver: overlay
+    ipam:
+      driver: default
+      config:
+        - subnet: {{ subnet }}
diff --git a/setup/flavors/stack/mailu.env b/setup/flavors/stack/mailu.env
new file mode 120000
index 00000000..7123102b
--- /dev/null
+++ b/setup/flavors/stack/mailu.env
@@ -0,0 +1 @@
+../compose/mailu.env
\ No newline at end of file
diff --git a/setup/flavors/stack/setup.html b/setup/flavors/stack/setup.html
new file mode 100644
index 00000000..d68a6422
--- /dev/null
+++ b/setup/flavors/stack/setup.html
@@ -0,0 +1,60 @@
+{% import "macros.html" as macros %}
+
+{% call macros.panel("info", "Step 1 - Download your configuration files") %}
+
Docker Stack expects a project file, named docker-compose.yml
+in a project directory. First create your project directory.

+
+
mkdir -p /{{ root }}/{redis,certs,data,dkim,mail,overrides/rspamd,filter,dav,webmail}
+

+
+
Then download the project file. A side configuration file makes it easier
+to read and check the configuration variables generated by the wizard.

+
+
cd {{ root }}
+curl {{ url_for('.file', uid=uid, filepath='docker-compose.yml', _external=True) }} > docker-compose.yml
+curl {{ url_for('.file', uid=uid, filepath='mailu.env', _external=True) }} > mailu.env
+

+{% endcall %}
+
+
+{% call macros.panel("info", "Step 2 - Review the configuration") %}
+
We did not insert any malicious code on purpose in the configurations we
+distribute, but your download could have been intercepted, or our wizard
+website could have been compromised, so make sure you check the configuration
+files before going any further.

+
+
When you are done checking them, check them one last time.

+{% endcall %}
+
+{% call macros.panel("info", "Step 3 - Deploy docker stack") %}
+
To deploy the docker stack use the following commands. For more information about setting up docker swarm nodes read the
+	docker documentation

+
+
cd {{ root }}
+docker swarm init
+docker stack deploy -c docker-compose.yml mailu
+

+
+In the docker stack deploy command, mailu is the app name. Feel free to change it.

+In order to display the running container you can use

+
docker ps

+or
+
docker stack ps --no-trunc mailu

+Command for removing docker stack is
+
docker stack rm mailu

+
+Before you can use Mailu, you must create the primary administrator user account. This should be {{ postmaster }}@{{ domain }}. Use the following command, changing PASSWORD to your liking:
+
+
docker exec $(docker ps | grep admin | cut -d ' ' -f1) python manage.py admin {{ postmaster }} {{ domain }} PASSWORD 
+

+
+
Login to the admin interface to change the password for a safe one, at
+{% if admin_enabled %}
+one of the hostnames 
+{{ hostnames.split(',')[0] }}{{ admin_path }}.
+{% else %}
+http://127.0.0.1:8080 (only directly from the host running docker).
+{% endif %}
+And choose the "Update password" option in the left menu.
+

+{% endcall %}
diff --git a/setup/server.py b/setup/server.py
index 108f5043..6f60c3c0 100644
--- a/setup/server.py
+++ b/setup/server.py
@@ -7,6 +7,7 @@ import jinja2
 import uuid
 import string
 import random
+import ipaddress
 
 
 app = flask.Flask(__name__)
@@ -32,9 +33,11 @@ def secret(length=16):
 
 def build_app(path):
 
+    #Hardcoded master as the only version for test purposes
     versions = [
-        version for version in os.listdir(path)
-        if os.path.isdir(os.path.join(path, version))
+    #    version for version in os.listdir(path)
+    #    if os.path.isdir(os.path.join(path, version))
+         "master"
     ]
 
     app.jinja_env.trim_blocks = True
@@ -63,10 +66,17 @@ def build_app(path):
         def wizard():
             return flask.render_template('wizard.html')
 
+        @bp.route("/submit_flavor", methods=["POST"])
+        def submit_flavor():
+            data = flask.request.form.copy()
+            steps = sorted(os.listdir(path + "/" + version + "/templates/steps/" + data["flavor"]))
+            return flask.render_template('wizard.html', flavor=data["flavor"], steps=steps)
+
         @bp.route("/submit", methods=["POST"])
         def submit():
             data = flask.request.form.copy()
             data['uid'] = str(uuid.uuid4())
+            data['dns'] = str(ipaddress.IPv4Network(data['subnet'])[-2])
             db.set(data['uid'], json.dumps(data))
             return flask.redirect(flask.url_for('.setup', uid=data['uid']))
 
diff --git a/setup/templates/base.html b/setup/templates/base.html
index d40a4880..5be0b1eb 100644
--- a/setup/templates/base.html
+++ b/setup/templates/base.html
@@ -8,7 +8,7 @@
   
Mailu configuration

   

     Version
-    
       {% for available in versions %}
       
       {% endfor %}
diff --git a/setup/templates/macros.html b/setup/templates/macros.html
index 579800d2..4af20c4e 100644
--- a/setup/templates/macros.html
+++ b/setup/templates/macros.html
@@ -9,10 +9,10 @@
   
 {% endmacro %}
 
-{% macro radio(name, value, emph, text) %}
+{% macro radio(name, value, emph, text, current) %}