From f4ef0eed09a31a5ee609414046a99c8cf0d02be3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20M=C3=B6hlmann?= <muhlemmer@gmail.com>
Date: Fri, 12 Oct 2018 20:48:44 +0300
Subject: [PATCH 1/7] Wrote informational section of the FAQ

---
 docs/faq.rst   | 97 ++++++++++++++++++++++++++++++++++++++++++++++++++
 docs/index.rst |  1 +
 2 files changed, 98 insertions(+)
 create mode 100644 docs/faq.rst

diff --git a/docs/faq.rst b/docs/faq.rst
new file mode 100644
index 00000000..8c5b5598
--- /dev/null
+++ b/docs/faq.rst
@@ -0,0 +1,97 @@
+Frequently asked questions
+==========================
+
+Informational
+-------------
+
+Where to ask questions?
+```````````````````````
+
+First, please read this FAQ to check if your question is listed here.
+Simple questions best fit in our `Matrix`_ room.
+For more complex questions, you can always open a `new issue`_ on GitHub.
+We actively monitor the issues list.
+
+
+My installation is broken!
+``````````````````````````
+
+We're sorry to hear that. Please check for common mistakes and troubleshooting
+advice in the `Technical issues`_ section of this page.
+
+I think I found a bug!
+``````````````````````
+
+If you did not manage to solve the issue using this FAQ and there is not any 
+`open issues`_ describing the same problem, you can continue to open a
+`new issue`_ on GitHub.
+
+I want a new feature or enhancement!
+````````````````````````````````````
+
+Great! We are always open for suggestions. We currently maintain two tags:
+
+- `Enhancement issues`_: Typically used for optimization of features in the project.
+- `Feature request issues`_: For implementing new functionality,
+  plugins and applications.
+
+Please check if your idea (or something similar) is already mentioned there.
+If there is one open, you can choose to vote with a thumbs up, so we can
+estimate the popular demand. Please refrain from writing comments like
+*"me too"* as it clobbers the actual discussion.
+
+If you can't find anything similar, you can open a `new issue`_.
+Please also share (where applicable):
+
+- Use case: how does this improve the project?
+- Any research done on the subject. Perhaps some links to upstream website,
+  reference implementations etc.
+
+Why does my feature/bug take so long to solve?
+``````````````````````````````````````````````
+
+You should be aware that creating, maintaining and expanding a mail server
+distribution requires a lot of effort. Mail servers are highly exposed to hacking attempts,
+open relay scanners, spam and malware distributors etc. We need to work in a safe way and
+have to prevent pushing out something quickly.
+
+We currently maintain a strict work flow:
+
+#. Someone writes a solution and sends a pull request;
+#. We use Travis-CI fore some very basic building and testing;
+#. The pull request needs to be code-reviewed and tested by at least two members
+   from the contributors team.
+  
+Please consider that this project is mostly developed in people their free time.
+We thank you for your understanding and patience.
+
+I would to donate (for a feature)
+`````````````````````````````````
+
+Donations are welcome at the `patreon`_ account of the project lead. It will be used to pay
+for infra structure and project related costs. If there are leftovers, it will be distributed
+among the developers.
+
+It is not yet possible to pay for a specific feature. We don't have
+any bounty system implemented. Feel free to come with suggestions in
+our ongoing `project management`_ discussion issue.
+
+
+.. _`Matrix`: https://matrix.to/#/#mailu:tedomum.net
+.. _`open issues`: https://github.com/Mailu/Mailu/issues
+.. _`new issue`: https://github.com/Mailu/Mailu/issues/new
+.. _`Enhancement issues`: https://github.com/Mailu/Mailu/issues?q=is%3Aissue+is%3Aopen+label%3Atype%2Fenhancement
+.. _`Feature request issues`: https://github.com/Mailu/Mailu/issues?q=is%3Aopen+is%3Aissue+label%3Atype%2Ffeature
+.. _`patreon`: https://patreon.com/kaiyou
+.. _`project management`: https://github.com/Mailu/Mailu/issues/508
+
+Deployment related
+------------------
+
+
+Technical issues
+----------------
+
+WIP: Link to `troubleshooting`_ related issues will be in the bottom of this section.
+
+.. _`troubleshooting`: https://github.com/Mailu/Mailu/issues?utf8=%E2%9C%93&q=label%3Afaq%2Ftroubleshooting
diff --git a/docs/index.rst b/docs/index.rst
index 5219145f..0a4aadff 100644
--- a/docs/index.rst
+++ b/docs/index.rst
@@ -44,6 +44,7 @@ the version of Mailu that you are running.
 
    general
    features
+   faq
    releases
    demo
 

From b5693edc63ce11979459c204793a525b4dc57b05 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20M=C3=B6hlmann?= <muhlemmer@gmail.com>
Date: Sat, 13 Oct 2018 20:59:14 +0300
Subject: [PATCH 2/7] Include a doc section for external certbot

---
 docs/maintain.rst | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/docs/maintain.rst b/docs/maintain.rst
index d570690e..ffb51a50 100644
--- a/docs/maintain.rst
+++ b/docs/maintain.rst
@@ -28,6 +28,33 @@ Logs are managed by Docker directly. You can easily read your logs using:
 
 Docker is able to forward logs to multiple log engines. Read the following documentation for details: https://docs.docker.com/engine/admin/logging/overview/.
 
+.. _external_certs:
+
+Managing of external Let's encrypt certificates
+-----------------------------------------------
+
+When you are not using the embedded ``letsencrypt`` option from Mailu,
+you cannot make use of it's symlink functionality in the ``letsencrypt/live`` directory.
+You should take care that after every renewal new certificates are copied to ``/mailu/certs`` and
+the *nginx* process in the ``front`` container is reloaded.
+
+In the case of *certbot* you could write a script to be executed as `deploy hook`_.  Example:
+
+.. code-block:: bash
+
+  #!/bin/sh
+  cp /etc/letsencrypt/live/domain.com/privkey.pem /mailu/certs/key.pem || exit 1
+  cp /etc/letsencrypt/live/domain.com/fullchain.pem /mailu/certs/cert.pem || exit 1
+  docker exec mailu_front_1 nginx -s reload
+
+And the certbot command you will use in crontab would look something like:
+
+.. code-block:: bash
+
+  52 0,12 * * * root /usr/bin/certbot renew --deploy-hook /path/to/script.sh
+
+.. _`deploy hook`: https://certbot.eff.org/docs/using.html#renewing-certificates
+
 Migrating an instance
 ---------------------
 

From 13949554479383e09a184bac695e7e6e085350ab Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20M=C3=B6hlmann?= <muhlemmer@gmail.com>
Date: Sat, 13 Oct 2018 21:13:09 +0300
Subject: [PATCH 3/7] FAQ about TLS issues

---
 docs/faq.rst | 87 ++++++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 84 insertions(+), 3 deletions(-)

diff --git a/docs/faq.rst b/docs/faq.rst
index 8c5b5598..81d51b86 100644
--- a/docs/faq.rst
+++ b/docs/faq.rst
@@ -55,6 +55,7 @@ distribution requires a lot of effort. Mail servers are highly exposed to hackin
 open relay scanners, spam and malware distributors etc. We need to work in a safe way and
 have to prevent pushing out something quickly.
 
+**TODO: Move the next section into the contributors part of docs**
 We currently maintain a strict work flow:
 
 #. Someone writes a solution and sends a pull request;
@@ -65,8 +66,8 @@ We currently maintain a strict work flow:
 Please consider that this project is mostly developed in people their free time.
 We thank you for your understanding and patience.
 
-I would to donate (for a feature)
-`````````````````````````````````
+I would like to donate (for a feature)
+``````````````````````````````````````
 
 Donations are welcome at the `patreon`_ account of the project lead. It will be used to pay
 for infra structure and project related costs. If there are leftovers, it will be distributed
@@ -88,10 +89,90 @@ our ongoing `project management`_ discussion issue.
 Deployment related
 ------------------
 
-
 Technical issues
 ----------------
 
+Changes in .env don't propagate
+```````````````````````````````
+
+Variables are sent to the containers at creation time. This means you need to take the project
+down and up again. A container restart is not sufficient.
+
+.. code-block:: bash
+
+  docker-compose down && \
+  docker-compose up -d
+
+*Issue reference:* `615`_,
+
+TLS certificate issues
+``````````````````````
+
+When there are issues with the TLS/SSL certificates, Mailu denies service on secure ports.
+This is a security precaution. Symptoms are:
+
+- 403 browser errors;
+
+These issues are typically caused by four scenarios:
+
+#. ``TLS_FLAVOR=notls`` in ``.env``;
+#. Certificates expired;
+#. When ``TLS_FLAVOR=letsencrypt``, it might be that the *certbot* script is not capable of
+   obtaining the certificates for your domain. See `letsencrypt issues`_
+#. When ``TLS_FLAVOR=certs``, certificates are supposed to be copied to ``/mailu/certs``.
+   Using an external ``letsencrypt`` program, it tends to happen people copy the whole
+   ``letsencrypt/live`` directory containing symlinks. Symlinks do not resolve inside the
+   container and therefore it breaks the TLS implementation.
+
+letsencrypt issues
+..................
+
+In order to determine the exact problem on TLS / Let's encrypt issues, it might be helpful
+to check the logs.
+
+.. code-block:: bash
+
+  docker-compose logs front | less -R
+  docker-compose exec front less /var/log/letsencrypt/letsencrypt.log
+
+Common problems:
+
+- Port 80 not reachable from outside.
+- Faulty DNS records: make sure that all ``HOSTNAMES`` have **A** (IPv4) and **AAAA** (IPv6)
+  records, pointing the the ``BIND_ADDRESS4`` and ``BIND_ADDRESS6``.
+- DNS cache not yet expired. It might be that old / faulty DNS records are stuck in a cache
+  en-route to letsencrypt's server. The time this takes is set by the ``TTL`` field in the
+  records. You'll have to wait at least this time after changing the DNS entries.
+  Don't keep trying, as you might hit `rate-limits`_.
+
+.. _`rate-limits`: https://letsencrypt.org/docs/rate-limits/
+
+Copying certificates
+....................
+
+As mentioned above, care must be taken not to copy symlinks to the ``/mailu/certs`` location.
+
+**The wrong way!:**
+
+.. code-block:: bash
+
+  cp -r /etc/letsencrypt/live/domain.com /mailu/certs
+
+**The right way!:**
+
+.. code-block:: bash
+
+  mkdir -p /mailu/certs
+  cp /etc/letsencrypt/live/domain.com/privkey.pem /mailu/certs/key.pem
+  cp /etc/letsencrypt/live/domain.com/fullchain.pem /mailu/certs/cert.pem
+
+See also :ref:`external_certs`.
+
+*Issue reference:* `426`_, `615`_.
+
+
 WIP: Link to `troubleshooting`_ related issues will be in the bottom of this section.
 
+.. _`426`: https://github.com/Mailu/Mailu/issues/426
+.. _`615`: https://github.com/Mailu/Mailu/issues/615
 .. _`troubleshooting`: https://github.com/Mailu/Mailu/issues?utf8=%E2%9C%93&q=label%3Afaq%2Ftroubleshooting

From 3552c59ff33115d6880439814adfc8e62f9c378e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20M=C3=B6hlmann?= <muhlemmer@gmail.com>
Date: Mon, 22 Oct 2018 16:11:45 +0300
Subject: [PATCH 4/7] Insert ref link for FAQ, shortened title for display
 purposes

---
 docs/kubernetes/mailu/index.rst | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/docs/kubernetes/mailu/index.rst b/docs/kubernetes/mailu/index.rst
index ef12eb58..8f172179 100644
--- a/docs/kubernetes/mailu/index.rst
+++ b/docs/kubernetes/mailu/index.rst
@@ -1,5 +1,7 @@
-Install Mailu master on kubernetes
-==================================
+.. _kubernetes:
+
+Kubernetes setup
+================
 
 Prequisites
 -----------

From 7c1118df7d7d722af9f41b3127be7efa26cf9708 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20M=C3=B6hlmann?= <muhlemmer@gmail.com>
Date: Mon, 22 Oct 2018 16:14:54 +0300
Subject: [PATCH 5/7] Extending the FAQ

---
 docs/faq.rst | 104 +++++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 101 insertions(+), 3 deletions(-)

diff --git a/docs/faq.rst b/docs/faq.rst
index 81d51b86..745c58f7 100644
--- a/docs/faq.rst
+++ b/docs/faq.rst
@@ -89,9 +89,80 @@ our ongoing `project management`_ discussion issue.
 Deployment related
 ------------------
 
+How does Mailu scale up?
+````````````````````````
+
+Recent works allow Mailu to be deployed in Docker Swarm and Kubernetes.
+This means it can be scaled horizontally. For more information, refer to :ref:`kubernetes`
+or the `Docker swarm howto`_.
+
+*Issue reference:* `165`_, `520`_.
+
+How to achieve HA / failover?
+`````````````````````````````
+
+The mailboxes and databases for Mailu are kept on the host filesystem under ``$ROOT/``.
+For making the **storage** highly available, all sorts of techniques can be used:
+
+- Local raid-1
+- btrfs in raid configuration
+- Distributed network filesystems such as GlusterFS or CEPH
+
+Note that no storage HA solution can protect against incidental deletes or file corruptions.
+Therefore it is advised to create backups on a regular base!
+
+A backup MX can be configured as **failover**. For this you need a separate server running
+Mailu. On that server, your domains will need to be setup as "Relayed domains", pointing
+to you main server. MX records for the mail domains with a higher priority number will have
+to point to this server. Please be aware that a backup MX can act as a `spam magnet`_.
+
+For **service** HA, please see: `How does Mailu scale up?`_
+
+
+*Issue reference:* `177`_, `591`_.
+
+.. _`spam magnet`: https://blog.zensoftware.co.uk/2012/07/02/why-we-tend-to-recommend-not-having-a-secondary-mx-these-days/
+
+
+Can I run Mailu without host iptables?
+``````````````````````````````````````
+
+When disabling iptables in docker, its forwarding proxy process takes over.
+This creates the situation that every incoming connection on port 25 seems to come from the
+local network (docker's 172.17.x.x) and is accepted. This causes an open relay!
+
+For that reason we do **not** support deployment on Docker hosts without iptables.
+
+*Issue reference:* `332`_.
+
+How can I override settings?
+````````````````````````````
+
+Postfix, dovecot and Rspamd support overriding configuration files. Override files belong in
+``$ROOT/overrides``. Please refer to the official documentation of those programs for the
+correct syntax. The following file names will be taken as override configuration:
+
+- `Postfix`_ - ``postfix.cf``;
+- `Dovecot`_ - ``dovecot.conf``;
+- `Rspamd`_ - All files in the ``rspamd`` sub-directory.
+
+.. _`Postfix`: http://www.postfix.org/postconf.5.html
+.. _`Dovecot`: https://wiki.dovecot.org/ConfigFile
+.. _`Rspamd`: https://www.rspamd.com/doc/configuration/index.html
+
+.. _`Docker swarm howto`: https://github.com/Mailu/Mailu/tree/master/docs/swarm/master
+.. _`165`: https://github.com/Mailu/Mailu/issues/165
+.. _`177`: https://github.com/Mailu/Mailu/issues/177
+.. _`332`: https://github.com/Mailu/Mailu/issues/332
+.. _`520`: https://github.com/Mailu/Mailu/issues/520
+.. _`591`: https://github.com/Mailu/Mailu/issues/591
+
 Technical issues
 ----------------
 
+In this section we are trying to cover the most common problems our users are having.
+If your issue is not listed here, please consult issues with the `troubleshooting tag`_.
+
 Changes in .env don't propagate
 ```````````````````````````````
 
@@ -103,7 +174,7 @@ down and up again. A container restart is not sufficient.
   docker-compose down && \
   docker-compose up -d
 
-*Issue reference:* `615`_,
+*Issue reference:* `615`_.
 
 TLS certificate issues
 ``````````````````````
@@ -170,9 +241,36 @@ See also :ref:`external_certs`.
 
 *Issue reference:* `426`_, `615`_.
 
+Do you support Fail2Ban?
+````````````````````````
+Fail2Ban is not included in Mailu. Fail2Ban needs to modify the host's IP tables in order to
+ban the addresses. We consider such a program should be run on the host system and not
+inside a container. The ``front`` container does use authentication rate limiting to slow
+down brute force attacks.
 
-WIP: Link to `troubleshooting`_ related issues will be in the bottom of this section.
+We *do* provide a possibility to export the logs from the ``front`` service to the host.
+For this you need to set ``LOG_DRIVER=journald`` or ``syslog``, depending on the log
+manager of the host. You will need to setup the proper Regex in the Fail2Ban configuration.
+Be aware that webmail authentication appears to come form the Docker network,
+so don't ban those addresses!
 
+*Issue reference:* `85`_, `116`_, `171`_, `584`_, `592`_.
+
+Users can't change their password from webmail
+``````````````````````````````````````````````
+
+All users have the abilty to login to the admin interface. Non-admin users
+have only restricted funtionality such as changing their password and the
+spam filter weight settings.
+
+*Issue reference:* `503`_.
+
+.. _`troubleshooting tag`: https://github.com/Mailu/Mailu/issues?utf8=%E2%9C%93&q=label%3Afaq%2Ftroubleshooting
+.. _`85`: https://github.com/Mailu/Mailu/issues/85
+.. _`116`: https://github.com/Mailu/Mailu/issues/116
+.. _`171`: https://github.com/Mailu/Mailu/issues/171
 .. _`426`: https://github.com/Mailu/Mailu/issues/426
+.. _`503`: https://github.com/Mailu/Mailu/issues/503
+.. _`584`: https://github.com/Mailu/Mailu/issues/584
+.. _`592`: https://github.com/Mailu/Mailu/issues/592
 .. _`615`: https://github.com/Mailu/Mailu/issues/615
-.. _`troubleshooting`: https://github.com/Mailu/Mailu/issues?utf8=%E2%9C%93&q=label%3Afaq%2Ftroubleshooting

From 76e95bd5850e04018654dcc954dbffbd4169768c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20S=C3=A4nger?= <thomas@gecko.space>
Date: Mon, 22 Oct 2018 21:05:55 +0300
Subject: [PATCH 6/7] Fix typo

Co-Authored-By: muhlemmer <muhlemmer@gmail.com>
---
 docs/faq.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/faq.rst b/docs/faq.rst
index 745c58f7..5d6d9c1b 100644
--- a/docs/faq.rst
+++ b/docs/faq.rst
@@ -59,7 +59,7 @@ have to prevent pushing out something quickly.
 We currently maintain a strict work flow:
 
 #. Someone writes a solution and sends a pull request;
-#. We use Travis-CI fore some very basic building and testing;
+#. We use Travis-CI for some very basic building and testing;
 #. The pull request needs to be code-reviewed and tested by at least two members
    from the contributors team.
   

From 9412c8e1e9ca51214121b9fc0b9d0fd499026b57 Mon Sep 17 00:00:00 2001
From: hoellen <hoellen@users.noreply.github.com>
Date: Tue, 23 Oct 2018 13:52:43 +0300
Subject: [PATCH 7/7] Correct spelling error

Co-Authored-By: muhlemmer <muhlemmer@gmail.com>
---
 docs/faq.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/faq.rst b/docs/faq.rst
index 5d6d9c1b..395b739c 100644
--- a/docs/faq.rst
+++ b/docs/faq.rst
@@ -251,7 +251,7 @@ down brute force attacks.
 We *do* provide a possibility to export the logs from the ``front`` service to the host.
 For this you need to set ``LOG_DRIVER=journald`` or ``syslog``, depending on the log
 manager of the host. You will need to setup the proper Regex in the Fail2Ban configuration.
-Be aware that webmail authentication appears to come form the Docker network,
+Be aware that webmail authentication appears to come from the Docker network,
 so don't ban those addresses!
 
 *Issue reference:* `85`_, `116`_, `171`_, `584`_, `592`_.