From d0f759accae612eec2520de97eaad3fa8aebc527 Mon Sep 17 00:00:00 2001
From: Patrick Oberdorf
Date: Wed, 14 Feb 2018 12:15:45 +0100
Subject: [PATCH 01/25] Adding unbound as dns resolver
---
core/unbound/Dockerfile | 14 +++++
core/unbound/unbound.conf | 19 +++++++
docs/compose/.env | 3 ++
docs/compose/docker-compose.yml | 94 ++++++++++++++++++++++++++++++++-
4 files changed, 129 insertions(+), 1 deletion(-)
create mode 100644 core/unbound/Dockerfile
create mode 100644 core/unbound/unbound.conf
diff --git a/core/unbound/Dockerfile b/core/unbound/Dockerfile
new file mode 100644
index 00000000..6ae8a6ee
--- /dev/null
+++ b/core/unbound/Dockerfile
@@ -0,0 +1,14 @@
+FROM alpine:edge
+
+RUN apk add --no-cache unbound curl \
+ && curl -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache \
+ && chown root:unbound /etc/unbound \
+ && chmod 775 /etc/unbound \
+ && apk del --no-cache curl \
+ && /usr/sbin/unbound-anchor -a /etc/unbound/trusted-key.key | true
+
+COPY unbound.conf /etc/unbound/unbound.conf
+
+EXPOSE 53/udp 53/tcp
+
+CMD /usr/sbin/unbound
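Review bot: The build can succeed with a bad `root.hints` or a missing trust anchor, because `curl -o` without `-f` saves an HTTP error body as the hints file and `| true` pipes unbound-anchor's output into `true`, which discards its exit status. Suggest `curl -fsSL -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache` and, since unbound-anchor also exits non-zero after a successful update, `(/usr/sbin/unbound-anchor -a /etc/unbound/trusted-key.key || true) && test -s /etc/unbound/trusted-key.key`. The same two lines reappear in the new `services/unbound/Dockerfile` in PATCH 13. Separately, `CMD /usr/sbin/unbound` is shell form, so the daemon is started through `/bin/sh -c`; `CMD ["/usr/sbin/unbound"]` makes it the container's main process directly.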
diff --git a/core/unbound/unbound.conf b/core/unbound/unbound.conf
new file mode 100644
index 00000000..d2d9ce74
--- /dev/null
+++ b/core/unbound/unbound.conf
@@ -0,0 +1,19 @@
+server:
+ verbosity: 1
+ interface: 0.0.0.0
+ interface: ::0
+ logfile: /dev/stdout
+ do-ip4: yes
+ do-ip6: yes
+ do-udp: yes
+ do-tcp: yes
+ do-daemonize: no
+ access-control: 0.0.0.0/0 allow
+ directory: "/etc/unbound"
+ username: unbound
+ auto-trust-anchor-file: trusted-key.key
+ root-hints: "/etc/unbound/root.hints"
+ hide-identity: yes
+ hide-version: yes
+ max-udp-size: 4096
+ msg-buffer-size: 65552
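Review bot: `access-control: 0.0.0.0/0 allow` together with `interface: 0.0.0.0` lets any IPv4 client that can reach the container use it as a recursive resolver, so it becomes an open resolver if port 53 is ever published or the bridge is routable. The compose file in this patch puts every client on one subnet, so the rule can be limited to that range, e.g. `access-control: 172.22.1.0/24 allow` (the default of `IPV4_NETWORK`), with a comment that the value has to follow the compose subnet. There is no `access-control` entry for IPv6 although `interface: ::0` and `do-ip6: yes` are set, so IPv6 clients fall back to unbound's built-in default policy; a comment should say whether that is intended.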
diff --git a/docs/compose/.env b/docs/compose/.env
index 6f330b64..e4c6dff9 100644
--- a/docs/compose/.env
+++ b/docs/compose/.env
@@ -21,6 +21,9 @@ SECRET_KEY=ChangeMeChangeMe
BIND_ADDRESS4=127.0.0.1
BIND_ADDRESS6=::1
+# Internal Docker network
+IPV4_NETWORK=172.22.1
+
# Main mail domain
DOMAIN=mailu.io
diff --git a/docs/compose/docker-compose.yml b/docs/compose/docker-compose.yml
index 740a5ffc..dc674a2b 100644
--- a/docs/compose/docker-compose.yml
+++ b/docs/compose/docker-compose.yml
@@ -1,4 +1,4 @@
-version: '2'
+version: '2.1'
services:
@@ -27,12 +27,37 @@ services:
- "$BIND_ADDRESS6:587:587"
volumes:
- "$ROOT/certs:/certs"
+ depends_on:
+ - unbound
+ dns:
+ - ${IPV4_NETWORK:-172.22.1}.254
+ networks:
+ backend:
+ aliases:
+ - front
+
+ unbound:
+ image: mailu/unbound:$VERSION
+ restart: always
+ networks:
+ backend:
+ ipv4_address: ${IPV4_NETWORK:-172.22.1}.254
+ aliases:
+ - unbound
redis:
image: redis:alpine
restart: always
volumes:
- "$ROOT/redis:/data"
+ dns:
+ - ${IPV4_NETWORK:-172.22.1}.254
+ depends_on:
+ - unbound
+ networks:
+ backend:
+ aliases:
+ - redis
imap:
image: mailu/dovecot:$VERSION
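Review bot: Each service gets a single `dns:` entry pointing at the unbound container, and `depends_on: - unbound` only orders container start; it does not wait until the resolver answers. Lookups made before unbound is ready, or while it restarts, will fail rather than fall back, which for the smtp and antispam services presumably affects MX and blocklist queries. A comment above the `unbound:` service such as `# sole DNS resolver for all services; outbound lookups fail while this container is down` would make that dependency explicit. The same pattern repeats in the hunks for imap, smtp, antispam, antivirus, webdav, admin, webmail and fetchmail.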
@@ -44,6 +69,13 @@ services:
- "$ROOT/overrides:/overrides"
depends_on:
- front
+ - unbound
+ dns:
+ - ${IPV4_NETWORK:-172.22.1}.254
+ networks:
+ backend:
+ aliases:
+ - imap
smtp:
image: mailu/postfix:$VERSION
@@ -54,6 +86,13 @@ services:
- "$ROOT/overrides:/overrides"
depends_on:
- front
+ - unbound
+ dns:
+ - ${IPV4_NETWORK:-172.22.1}.254
+ networks:
+ backend:
+ aliases:
+ - smtp
antispam:
image: mailu/rspamd:$VERSION
@@ -65,6 +104,13 @@ services:
- "$ROOT/overrides/rspamd:/etc/rspamd/override.d"
depends_on:
- front
+ - unbound
+ dns:
+ - ${IPV4_NETWORK:-172.22.1}.254
+ networks:
+ backend:
+ aliases:
+ - antispam
antivirus:
image: mailu/$ANTIVIRUS:$VERSION
@@ -72,6 +118,14 @@ services:
env_file: .env
volumes:
- "$ROOT/filter:/data"
+ depends_on:
+ - unbound
+ dns:
+ - ${IPV4_NETWORK:-172.22.1}.254
+ networks:
+ backend:
+ aliases:
+ - antivirus
webdav:
image: mailu/$WEBDAV:$VERSION
@@ -79,6 +133,14 @@ services:
env_file: .env
volumes:
- "$ROOT/dav:/data"
+ depends_on:
+ - unbound
+ dns:
+ - ${IPV4_NETWORK:-172.22.1}.254
+ networks:
+ backend:
+ aliases:
+ - webdav
admin:
image: mailu/admin:$VERSION
@@ -90,6 +152,13 @@ services:
- /var/run/docker.sock:/var/run/docker.sock:ro
depends_on:
- redis
+ - unbound
+ dns:
+ - ${IPV4_NETWORK:-172.22.1}.254
+ networks:
+ backend:
+ aliases:
+ - admin
webmail:
image: "mailu/$WEBMAIL:$VERSION"
@@ -99,6 +168,13 @@ services:
- "$ROOT/webmail:/data"
depends_on:
- imap
+ - unbound
+ dns:
+ - ${IPV4_NETWORK:-172.22.1}.254
+ networks:
+ backend:
+ aliases:
+ - webmail
fetchmail:
image: mailu/fetchmail:$VERSION
@@ -106,3 +182,19 @@ services:
env_file: .env
volumes:
- "$ROOT/data:/data"
+ depends_on:
+ - unbound
+ dns:
+ - ${IPV4_NETWORK:-172.22.1}.254
+ networks:
+ backend:
+ aliases:
+ - fetchmail
+
+networks:
+ backend:
+ driver: bridge
+ ipam:
+ driver: default
+ config:
+ - subnet: ${IPV4_NETWORK:-172.22.1}.0/24
From ada09f7922dd50656bbaa99f0c624ad2f90eb1d1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20M=C3=B6hlmann?=
Date: Tue, 9 Oct 2018 12:35:08 +0300
Subject: [PATCH 02/25] Unbound: Use alpine:3.8
---
core/unbound/Dockerfile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/core/unbound/Dockerfile b/core/unbound/Dockerfile
index 6ae8a6ee..3c7f0e7a 100644
--- a/core/unbound/Dockerfile
+++ b/core/unbound/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:edge
+FROM alpine:3.8
RUN apk add --no-cache unbound curl \
&& curl -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache \
From 013d02d7264c182db459a7d67acc7d941eb68f4c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20M=C3=B6hlmann?=
Date: Tue, 9 Oct 2018 14:11:59 +0300
Subject: [PATCH 03/25] Add unbound to the build directive
---
tests/build.yml | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/tests/build.yml b/tests/build.yml
index 0b6858a0..e0123ca7 100644
--- a/tests/build.yml
+++ b/tests/build.yml
@@ -6,6 +6,10 @@ services:
image: $DOCKER_ORG/nginx:$VERSION
build: ../core/nginx
+ unbound:
+ image: $DOCKER_ORG/unbound:$VERSION
+ build: ../core/unbound
+
imap:
image: $DOCKER_ORG/dovecot:$VERSION
build: ../core/dovecot
From cde22be4c9f4dec9889c75ba1dc7f234b586ba0d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20M=C3=B6hlmann?=
Date: Tue, 9 Oct 2018 14:50:09 +0300
Subject: [PATCH 04/25] Some cleanup and changes: - Don't upgrade the
docker-compose file. (Not in the scope of this feature) - No need to use
aliases. Docker already resolves to service names - Use a fixed IP range,
which stays clear of the network ranges used by Docker. (172.xx.0.0/16)
---
docs/compose/.env | 3 --
docs/compose/docker-compose.yml | 72 +++++++--------------------------
2 files changed, 15 insertions(+), 60 deletions(-)
diff --git a/docs/compose/.env b/docs/compose/.env
index 5378d37e..721aaf22 100644
--- a/docs/compose/.env
+++ b/docs/compose/.env
@@ -21,9 +21,6 @@ SECRET_KEY=ChangeMeChangeMe
BIND_ADDRESS4=127.0.0.1
BIND_ADDRESS6=::1
-# Internal Docker network
-IPV4_NETWORK=172.22.1
-
# Main mail domain
DOMAIN=mailu.io
diff --git a/docs/compose/docker-compose.yml b/docs/compose/docker-compose.yml
index dc674a2b..8038a0bf 100644
--- a/docs/compose/docker-compose.yml
+++ b/docs/compose/docker-compose.yml
@@ -1,4 +1,4 @@
-version: '2.1'
+version: '2'
services:
@@ -30,20 +30,14 @@ services:
depends_on:
- unbound
dns:
- - ${IPV4_NETWORK:-172.22.1}.254
- networks:
- backend:
- aliases:
- - front
+ - 10.177.20.254
unbound:
image: mailu/unbound:$VERSION
restart: always
networks:
- backend:
- ipv4_address: ${IPV4_NETWORK:-172.22.1}.254
- aliases:
- - unbound
+ default:
+ ipv4_address: 10.177.20.254
redis:
image: redis:alpine
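Review bot: The resolver address `10.177.20.254` is now a literal repeated in each service's `dns:` list in this and the following hunks, and it has to stay inside the `subnet: 10.177.20.0/24` set in the last hunk, but nothing in the file says so. A comment at the `networks:` block such as `# the unbound service is pinned to .254 in this subnet; change both together` would document the coupling. With `IPV4_NETWORK` removed from `.env`, an operator whose host already routes part of 10.177.20.0/24 has to edit every occurrence by hand, which is worth stating in that comment as well.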
@@ -51,13 +45,9 @@ services:
volumes:
- "$ROOT/redis:/data"
dns:
- - ${IPV4_NETWORK:-172.22.1}.254
+ - 10.177.20.254
depends_on:
- unbound
- networks:
- backend:
- aliases:
- - redis
imap:
image: mailu/dovecot:$VERSION
@@ -71,11 +61,7 @@ services:
- front
- unbound
dns:
- - ${IPV4_NETWORK:-172.22.1}.254
- networks:
- backend:
- aliases:
- - imap
+ - 10.177.20.254
smtp:
image: mailu/postfix:$VERSION
@@ -88,11 +74,7 @@ services:
- front
- unbound
dns:
- - ${IPV4_NETWORK:-172.22.1}.254
- networks:
- backend:
- aliases:
- - smtp
+ - 10.177.20.254
antispam:
image: mailu/rspamd:$VERSION
@@ -106,11 +88,7 @@ services:
- front
- unbound
dns:
- - ${IPV4_NETWORK:-172.22.1}.254
- networks:
- backend:
- aliases:
- - antispam
+ - 10.177.20.254
antivirus:
image: mailu/$ANTIVIRUS:$VERSION
@@ -121,11 +99,7 @@ services:
depends_on:
- unbound
dns:
- - ${IPV4_NETWORK:-172.22.1}.254
- networks:
- backend:
- aliases:
- - antivirus
+ - 10.177.20.254
webdav:
image: mailu/$WEBDAV:$VERSION
@@ -136,11 +110,7 @@ services:
depends_on:
- unbound
dns:
- - ${IPV4_NETWORK:-172.22.1}.254
- networks:
- backend:
- aliases:
- - webdav
+ - 10.177.20.254
admin:
image: mailu/admin:$VERSION
@@ -154,11 +124,7 @@ services:
- redis
- unbound
dns:
- - ${IPV4_NETWORK:-172.22.1}.254
- networks:
- backend:
- aliases:
- - admin
+ - 10.177.20.254
webmail:
image: "mailu/$WEBMAIL:$VERSION"
@@ -170,11 +136,7 @@ services:
- imap
- unbound
dns:
- - ${IPV4_NETWORK:-172.22.1}.254
- networks:
- backend:
- aliases:
- - webmail
+ - 10.177.20.254
fetchmail:
image: mailu/fetchmail:$VERSION
@@ -185,16 +147,12 @@ services:
depends_on:
- unbound
dns:
- - ${IPV4_NETWORK:-172.22.1}.254
- networks:
- backend:
- aliases:
- - fetchmail
+ - 10.177.20.254
networks:
- backend:
+ default:
driver: bridge
ipam:
driver: default
config:
- - subnet: ${IPV4_NETWORK:-172.22.1}.0/24
+ - subnet: 10.177.20.0/24
From f4ef0eed09a31a5ee609414046a99c8cf0d02be3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20M=C3=B6hlmann?=
Date: Fri, 12 Oct 2018 20:48:44 +0300
Subject: [PATCH 05/25] Wrote informational section of the FAQ
---
docs/faq.rst | 97 ++++++++++++++++++++++++++++++++++++++++++++++++++
docs/index.rst | 1 +
2 files changed, 98 insertions(+)
create mode 100644 docs/faq.rst
diff --git a/docs/faq.rst b/docs/faq.rst
new file mode 100644
index 00000000..8c5b5598
--- /dev/null
+++ b/docs/faq.rst
@@ -0,0 +1,97 @@
+Frequently asked questions
+==========================
+
+Informational
+-------------
+
+Where to ask questions?
+```````````````````````
+
+First, please read this FAQ to check if your question is listed here.
+Simple questions best fit in our `Matrix`_ room.
+For more complex questions, you can always open a `new issue`_ on GitHub.
+We actively monitor the issues list.
+
+
+My installation is broken!
+``````````````````````````
+
+We're sorry to hear that. Please check for common mistakes and troubleshooting
+advice in the `Technical issues`_ section of this page.
+
+I think I found a bug!
+``````````````````````
+
+If you did not manage to solve the issue using this FAQ and there is not any
+`open issues`_ describing the same problem, you can continue to open a
+`new issue`_ on GitHub.
+
+I want a new feature or enhancement!
+````````````````````````````````````
+
+Great! We are always open for suggestions. We currently maintain two tags:
+
+- `Enhancement issues`_: Typically used for optimization of features in the project.
+- `Feature request issues`_: For implementing new functionality,
+ plugins and applications.
+
+Please check if your idea (or something similar) is already mentioned there.
+If there is one open, you can choose to vote with a thumbs up, so we can
+estimate the popular demand. Please refrain from writing comments like
+*"me too"* as it clobbers the actual discussion.
+
+If you can't find anything similar, you can open a `new issue`_.
+Please also share (where applicable):
+
+- Use case: how does this improve the project?
+- Any research done on the subject. Perhaps some links to upstream website,
+ reference implementations etc.
+
+Why does my feature/bug take so long to solve?
+``````````````````````````````````````````````
+
+You should be aware that creating, maintaining and expanding a mail server
+distribution requires a lot of effort. Mail servers are highly exposed to hacking attempts,
+open relay scanners, spam and malware distributors etc. We need to work in a safe way and
+have to prevent pushing out something quickly.
+
+We currently maintain a strict work flow:
+
+#. Someone writes a solution and sends a pull request;
+#. We use Travis-CI fore some very basic building and testing;
+#. The pull request needs to be code-reviewed and tested by at least two members
+ from the contributors team.
+
+Please consider that this project is mostly developed in people their free time.
+We thank you for your understanding and patience.
+
+I would to donate (for a feature)
+`````````````````````````````````
+
+Donations are welcome at the `patreon`_ account of the project lead. It will be used to pay
+for infra structure and project related costs. If there are leftovers, it will be distributed
+among the developers.
+
+It is not yet possible to pay for a specific feature. We don't have
+any bounty system implemented. Feel free to come with suggestions in
+our ongoing `project management`_ discussion issue.
+
+
+.. _`Matrix`: https://matrix.to/#/#mailu:tedomum.net
+.. _`open issues`: https://github.com/Mailu/Mailu/issues
+.. _`new issue`: https://github.com/Mailu/Mailu/issues/new
+.. _`Enhancement issues`: https://github.com/Mailu/Mailu/issues?q=is%3Aissue+is%3Aopen+label%3Atype%2Fenhancement
+.. _`Feature request issues`: https://github.com/Mailu/Mailu/issues?q=is%3Aopen+is%3Aissue+label%3Atype%2Ffeature
+.. _`patreon`: https://patreon.com/kaiyou
+.. _`project management`: https://github.com/Mailu/Mailu/issues/508
+
+Deployment related
+------------------
+
+
+Technical issues
+----------------
+
+WIP: Link to `troubleshooting`_ related issues will be in the bottom of this section.
+
+.. _`troubleshooting`: https://github.com/Mailu/Mailu/issues?utf8=%E2%9C%93&q=label%3Afaq%2Ftroubleshooting
diff --git a/docs/index.rst b/docs/index.rst
index 5219145f..0a4aadff 100644
--- a/docs/index.rst
+++ b/docs/index.rst
@@ -44,6 +44,7 @@ the version of Mailu that you are running.
general
features
+ faq
releases
demo
From b5693edc63ce11979459c204793a525b4dc57b05 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20M=C3=B6hlmann?=
Date: Sat, 13 Oct 2018 20:59:14 +0300
Subject: [PATCH 06/25] Include a doc section for external certbot
---
docs/maintain.rst | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
diff --git a/docs/maintain.rst b/docs/maintain.rst
index d570690e..ffb51a50 100644
--- a/docs/maintain.rst
+++ b/docs/maintain.rst
@@ -28,6 +28,33 @@ Logs are managed by Docker directly. You can easily read your logs using:
Docker is able to forward logs to multiple log engines. Read the following documentation for details: https://docs.docker.com/engine/admin/logging/overview/.
+.. _external_certs:
+
+Managing of external Let's encrypt certificates
+-----------------------------------------------
+
+When you are not using the embedded ``letsencrypt`` option from Mailu,
+you cannot make use of it's symlink functionality in the ``letsencrypt/live`` directory.
+You should take care that after every renewal new certificates are copied to ``/mailu/certs`` and
+the *nginx* process in the ``front`` container is reloaded.
+
+In the case of *certbot* you could write a script to be executed as `deploy hook`_. Example:
+
+.. code-block:: bash
+
+ #!/bin/sh
+ cp /etc/letsencrypt/live/domain.com/privkey.pem /mailu/certs/key.pem || exit 1
+ cp /etc/letsencrypt/live/domain.com/fullchain.pem /mailu/certs/cert.pem || exit 1
+ docker exec mailu_front_1 nginx -s reload
+
+And the certbot command you will use in crontab would look something like:
+
+.. code-block:: bash
+
+ 52 0,12 * * * root /usr/bin/certbot renew --deploy-hook /path/to/script.sh
+
+.. _`deploy hook`: https://certbot.eff.org/docs/using.html#renewing-certificates
+
Migrating an instance
---------------------
From 13949554479383e09a184bac695e7e6e085350ab Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20M=C3=B6hlmann?=
Date: Sat, 13 Oct 2018 21:13:09 +0300
Subject: [PATCH 07/25] FAQ about TLS issues
---
docs/faq.rst | 87 ++++++++++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 84 insertions(+), 3 deletions(-)
diff --git a/docs/faq.rst b/docs/faq.rst
index 8c5b5598..81d51b86 100644
--- a/docs/faq.rst
+++ b/docs/faq.rst
@@ -55,6 +55,7 @@ distribution requires a lot of effort. Mail servers are highly exposed to hackin
open relay scanners, spam and malware distributors etc. We need to work in a safe way and
have to prevent pushing out something quickly.
+**TODO: Move the next section into the contributors part of docs**
We currently maintain a strict work flow:
#. Someone writes a solution and sends a pull request;
@@ -65,8 +66,8 @@ We currently maintain a strict work flow:
Please consider that this project is mostly developed in people their free time.
We thank you for your understanding and patience.
-I would to donate (for a feature)
-`````````````````````````````````
+I would like to donate (for a feature)
+``````````````````````````````````````
Donations are welcome at the `patreon`_ account of the project lead. It will be used to pay
for infra structure and project related costs. If there are leftovers, it will be distributed
@@ -88,10 +89,90 @@ our ongoing `project management`_ discussion issue.
Deployment related
------------------
-
Technical issues
----------------
+Changes in .env don't propagate
+```````````````````````````````
+
+Variables are sent to the containers at creation time. This means you need to take the project
+down and up again. A container restart is not sufficient.
+
+.. code-block:: bash
+
+ docker-compose down && \
+ docker-compose up -d
+
+*Issue reference:* `615`_,
+
+TLS certificate issues
+``````````````````````
+
+When there are issues with the TLS/SSL certificates, Mailu denies service on secure ports.
+This is a security precaution. Symptoms are:
+
+- 403 browser errors;
+
+These issues are typically caused by four scenarios:
+
+#. ``TLS_FLAVOR=notls`` in ``.env``;
+#. Certificates expired;
+#. When ``TLS_FLAVOR=letsencrypt``, it might be that the *certbot* script is not capable of
+ obtaining the certificates for your domain. See `letsencrypt issues`_
+#. When ``TLS_FLAVOR=certs``, certificates are supposed to be copied to ``/mailu/certs``.
+ Using an external ``letsencrypt`` program, it tends to happen people copy the whole
+ ``letsencrypt/live`` directory containing symlinks. Symlinks do not resolve inside the
+ container and therefore it breaks the TLS implementation.
+
+letsencrypt issues
+..................
+
+In order to determine the exact problem on TLS / Let's encrypt issues, it might be helpful
+to check the logs.
+
+.. code-block:: bash
+
+ docker-compose logs front | less -R
+ docker-compose exec front less /var/log/letsencrypt/letsencrypt.log
+
+Common problems:
+
+- Port 80 not reachable from outside.
+- Faulty DNS records: make sure that all ``HOSTNAMES`` have **A** (IPv4) and **AAAA** (IPv6)
+ records, pointing the the ``BIND_ADDRESS4`` and ``BIND_ADDRESS6``.
+- DNS cache not yet expired. It might be that old / faulty DNS records are stuck in a cache
+ en-route to letsencrypt's server. The time this takes is set by the ``TTL`` field in the
+ records. You'll have to wait at least this time after changing the DNS entries.
+ Don't keep trying, as you might hit `rate-limits`_.
+
+.. _`rate-limits`: https://letsencrypt.org/docs/rate-limits/
+
+Copying certificates
+....................
+
+As mentioned above, care must be taken not to copy symlinks to the ``/mailu/certs`` location.
+
+**The wrong way!:**
+
+.. code-block:: bash
+
+ cp -r /etc/letsencrypt/live/domain.com /mailu/certs
+
+**The right way!:**
+
+.. code-block:: bash
+
+ mkdir -p /mailu/certs
+ cp /etc/letsencrypt/live/domain.com/privkey.pem /mailu/certs/key.pem
+ cp /etc/letsencrypt/live/domain.com/fullchain.pem /mailu/certs/cert.pem
+
+See also :ref:`external_certs`.
+
+*Issue reference:* `426`_, `615`_.
+
+
WIP: Link to `troubleshooting`_ related issues will be in the bottom of this section.
+.. _`426`: https://github.com/Mailu/Mailu/issues/426
+.. _`615`: https://github.com/Mailu/Mailu/issues/615
.. _`troubleshooting`: https://github.com/Mailu/Mailu/issues?utf8=%E2%9C%93&q=label%3Afaq%2Ftroubleshooting
From 3552c59ff33115d6880439814adfc8e62f9c378e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20M=C3=B6hlmann?=
Date: Mon, 22 Oct 2018 16:11:45 +0300
Subject: [PATCH 08/25] Insert ref link for FAQ, shortened title for display
purposes
---
docs/kubernetes/mailu/index.rst | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/docs/kubernetes/mailu/index.rst b/docs/kubernetes/mailu/index.rst
index ef12eb58..8f172179 100644
--- a/docs/kubernetes/mailu/index.rst
+++ b/docs/kubernetes/mailu/index.rst
@@ -1,5 +1,7 @@
-Install Mailu master on kubernetes
-==================================
+.. _kubernetes:
+
+Kubernetes setup
+================
Prequisites
-----------
From 7c1118df7d7d722af9f41b3127be7efa26cf9708 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20M=C3=B6hlmann?=
Date: Mon, 22 Oct 2018 16:14:54 +0300
Subject: [PATCH 09/25] Extending the FAQ
---
docs/faq.rst | 104 +++++++++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 101 insertions(+), 3 deletions(-)
diff --git a/docs/faq.rst b/docs/faq.rst
index 81d51b86..745c58f7 100644
--- a/docs/faq.rst
+++ b/docs/faq.rst
@@ -89,9 +89,80 @@ our ongoing `project management`_ discussion issue.
Deployment related
------------------
+How does Mailu scale up?
+````````````````````````
+
+Recent works allow Mailu to be deployed in Docker Swarm and Kubernetes.
+This means it can be scaled horizontally. For more information, refer to :ref:`kubernetes`
+or the `Docker swarm howto`_.
+
+*Issue reference:* `165`_, `520`_.
+
+How to achieve HA / failover?
+`````````````````````````````
+
+The mailboxes and databases for Mailu are kept on the host filesystem under ``$ROOT/``.
+For making the **storage** highly available, all sorts of techniques can be used:
+
+- Local raid-1
+- btrfs in raid configuration
+- Distributed network filesystems such as GlusterFS or CEPH
+
+Note that no storage HA solution can protect against incidental deletes or file corruptions.
+Therefore it is advised to create backups on a regular base!
+
+A backup MX can be configured as **failover**. For this you need a separate server running
+Mailu. On that server, your domains will need to be setup as "Relayed domains", pointing
+to you main server. MX records for the mail domains with a higher priority number will have
+to point to this server. Please be aware that a backup MX can act as a `spam magnet`_.
+
+For **service** HA, please see: `How does Mailu scale up?`_
+
+
+*Issue reference:* `177`_, `591`_.
+
+.. _`spam magnet`: https://blog.zensoftware.co.uk/2012/07/02/why-we-tend-to-recommend-not-having-a-secondary-mx-these-days/
+
+
+Can I run Mailu without host iptables?
+``````````````````````````````````````
+
+When disabling iptables in docker, its forwarding proxy process takes over.
+This creates the situation that every incoming connection on port 25 seems to come from the
+local network (docker's 172.17.x.x) and is accepted. This causes an open relay!
+
+For that reason we do **not** support deployment on Docker hosts without iptables.
+
+*Issue reference:* `332`_.
+
+How can I override settings?
+````````````````````````````
+
+Postfix, dovecot and Rspamd support overriding configuration files. Override files belong in
+``$ROOT/overrides``. Please refer to the official documentation of those programs for the
+correct syntax. The following file names will be taken as override configuration:
+
+- `Postfix`_ - ``postfix.cf``;
+- `Dovecot`_ - ``dovecot.conf``;
+- `Rspamd`_ - All files in the ``rspamd`` sub-directory.
+
+.. _`Postfix`: http://www.postfix.org/postconf.5.html
+.. _`Dovecot`: https://wiki.dovecot.org/ConfigFile
+.. _`Rspamd`: https://www.rspamd.com/doc/configuration/index.html
+
+.. _`Docker swarm howto`: https://github.com/Mailu/Mailu/tree/master/docs/swarm/master
+.. _`165`: https://github.com/Mailu/Mailu/issues/165
+.. _`177`: https://github.com/Mailu/Mailu/issues/177
+.. _`332`: https://github.com/Mailu/Mailu/issues/332
+.. _`520`: https://github.com/Mailu/Mailu/issues/520
+.. _`591`: https://github.com/Mailu/Mailu/issues/591
+
Technical issues
----------------
+In this section we are trying to cover the most common problems our users are having.
+If your issue is not listed here, please consult issues with the `troubleshooting tag`_.
+
Changes in .env don't propagate
```````````````````````````````
@@ -103,7 +174,7 @@ down and up again. A container restart is not sufficient.
docker-compose down && \
docker-compose up -d
-*Issue reference:* `615`_,
+*Issue reference:* `615`_.
TLS certificate issues
``````````````````````
@@ -170,9 +241,36 @@ See also :ref:`external_certs`.
*Issue reference:* `426`_, `615`_.
+Do you support Fail2Ban?
+````````````````````````
+Fail2Ban is not included in Mailu. Fail2Ban needs to modify the host's IP tables in order to
+ban the addresses. We consider such a program should be run on the host system and not
+inside a container. The ``front`` container does use authentication rate limiting to slow
+down brute force attacks.
-WIP: Link to `troubleshooting`_ related issues will be in the bottom of this section.
+We *do* provide a possibility to export the logs from the ``front`` service to the host.
+For this you need to set ``LOG_DRIVER=journald`` or ``syslog``, depending on the log
+manager of the host. You will need to setup the proper Regex in the Fail2Ban configuration.
+Be aware that webmail authentication appears to come form the Docker network,
+so don't ban those addresses!
+*Issue reference:* `85`_, `116`_, `171`_, `584`_, `592`_.
+
+Users can't change their password from webmail
+``````````````````````````````````````````````
+
+All users have the abilty to login to the admin interface. Non-admin users
+have only restricted funtionality such as changing their password and the
+spam filter weight settings.
+
+*Issue reference:* `503`_.
+
+.. _`troubleshooting tag`: https://github.com/Mailu/Mailu/issues?utf8=%E2%9C%93&q=label%3Afaq%2Ftroubleshooting
+.. _`85`: https://github.com/Mailu/Mailu/issues/85
+.. _`116`: https://github.com/Mailu/Mailu/issues/116
+.. _`171`: https://github.com/Mailu/Mailu/issues/171
.. _`426`: https://github.com/Mailu/Mailu/issues/426
+.. _`503`: https://github.com/Mailu/Mailu/issues/503
+.. _`584`: https://github.com/Mailu/Mailu/issues/584
+.. _`592`: https://github.com/Mailu/Mailu/issues/592
.. _`615`: https://github.com/Mailu/Mailu/issues/615
-.. _`troubleshooting`: https://github.com/Mailu/Mailu/issues?utf8=%E2%9C%93&q=label%3Afaq%2Ftroubleshooting
From 76e95bd5850e04018654dcc954dbffbd4169768c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20S=C3=A4nger?=
Date: Mon, 22 Oct 2018 21:05:55 +0300
Subject: [PATCH 10/25] Fix typo
Co-Authored-By: muhlemmer
---
docs/faq.rst | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/faq.rst b/docs/faq.rst
index 745c58f7..5d6d9c1b 100644
--- a/docs/faq.rst
+++ b/docs/faq.rst
@@ -59,7 +59,7 @@ have to prevent pushing out something quickly.
We currently maintain a strict work flow:
#. Someone writes a solution and sends a pull request;
-#. We use Travis-CI fore some very basic building and testing;
+#. We use Travis-CI for some very basic building and testing;
#. The pull request needs to be code-reviewed and tested by at least two members
from the contributors team.
From 40d8e657627a64b3aa8c45784533bc97d4ede69c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20M=C3=B6hlmann?=
Date: Tue, 23 Oct 2018 12:22:36 +0300
Subject: [PATCH 11/25] Revert docker-compose to latest upstream version
---
docs/compose/docker-compose.yml | 51 ---------------------------------
1 file changed, 51 deletions(-)
diff --git a/docs/compose/docker-compose.yml b/docs/compose/docker-compose.yml
index 7e2ac486..b8d15587 100644
--- a/docs/compose/docker-compose.yml
+++ b/docs/compose/docker-compose.yml
@@ -29,27 +29,12 @@ services:
- "$BIND_ADDRESS6:587:587"
volumes:
- "$ROOT/certs:/certs"
- depends_on:
- - unbound
- dns:
- - 10.177.20.254
-
- unbound:
- image: mailu/unbound:$VERSION
- restart: always
- networks:
- default:
- ipv4_address: 10.177.20.254
redis:
image: redis:alpine
restart: always
volumes:
- "$ROOT/redis:/data"
- dns:
- - 10.177.20.254
- depends_on:
- - unbound
imap:
image: mailu/dovecot:$VERSION
@@ -60,9 +45,6 @@ services:
- "$ROOT/overrides:/overrides"
depends_on:
- front
- - unbound
- dns:
- - 10.177.20.254
smtp:
image: mailu/postfix:$VERSION
@@ -72,9 +54,6 @@ services:
- "$ROOT/overrides:/overrides"
depends_on:
- front
- - unbound
- dns:
- - 10.177.20.254
antispam:
image: mailu/rspamd:$VERSION
@@ -86,9 +65,6 @@ services:
- "$ROOT/overrides/rspamd:/etc/rspamd/override.d"
depends_on:
- front
- - unbound
- dns:
- - 10.177.20.254
antivirus:
image: mailu/$ANTIVIRUS:$VERSION
@@ -96,10 +72,6 @@ services:
env_file: .env
volumes:
- "$ROOT/filter:/data"
- depends_on:
- - unbound
- dns:
- - 10.177.20.254
webdav:
image: mailu/$WEBDAV:$VERSION
@@ -107,10 +79,6 @@ services:
env_file: .env
volumes:
- "$ROOT/dav:/data"
- depends_on:
- - unbound
- dns:
- - 10.177.20.254
admin:
image: mailu/admin:$VERSION
@@ -122,9 +90,6 @@ services:
- /var/run/docker.sock:/var/run/docker.sock:ro
depends_on:
- redis
- - unbound
- dns:
- - 10.177.20.254
webmail:
image: "mailu/$WEBMAIL:$VERSION"
@@ -134,24 +99,8 @@ services:
- "$ROOT/webmail:/data"
depends_on:
- imap
- - unbound
- dns:
- - 10.177.20.254
fetchmail:
image: mailu/fetchmail:$VERSION
restart: always
env_file: .env
- depends_on:
- - unbound
- dns:
- - 10.177.20.254
-
-networks:
- default:
- driver: bridge
- ipam:
- driver: default
- config:
- - subnet: 10.177.20.0/24
-
From 9412c8e1e9ca51214121b9fc0b9d0fd499026b57 Mon Sep 17 00:00:00 2001
From: hoellen
Date: Tue, 23 Oct 2018 13:52:43 +0300
Subject: [PATCH 12/25] Correct spelling error
Co-Authored-By: muhlemmer
---
docs/faq.rst | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/faq.rst b/docs/faq.rst
index 5d6d9c1b..395b739c 100644
--- a/docs/faq.rst
+++ b/docs/faq.rst
@@ -251,7 +251,7 @@ down brute force attacks.
We *do* provide a possibility to export the logs from the ``front`` service to the host.
For this you need to set ``LOG_DRIVER=journald`` or ``syslog``, depending on the log
manager of the host. You will need to setup the proper Regex in the Fail2Ban configuration.
-Be aware that webmail authentication appears to come form the Docker network,
+Be aware that webmail authentication appears to come from the Docker network,
so don't ban those addresses!
*Issue reference:* `85`_, `116`_, `171`_, `584`_, `592`_.
From bcfce27ee2beb735049d4597786b3354930cb771 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20M=C3=B6hlmann?=
Date: Tue, 23 Oct 2018 15:07:49 +0300
Subject: [PATCH 13/25] Standarize unbound, prepare for setup inclusion - Use
jinja template for configuration file (start.py) - Limit access to the Mailu
subnet - Implement health checks
---
core/unbound/Dockerfile | 14 --------------
services/unbound/Dockerfile | 18 ++++++++++++++++++
services/unbound/start.py | 9 +++++++++
{core => services}/unbound/unbound.conf | 4 ++--
tests/build.yml | 4 ++--
5 files changed, 31 insertions(+), 18 deletions(-)
delete mode 100644 core/unbound/Dockerfile
create mode 100644 services/unbound/Dockerfile
create mode 100755 services/unbound/start.py
rename {core => services}/unbound/unbound.conf (86%)
diff --git a/core/unbound/Dockerfile b/core/unbound/Dockerfile
deleted file mode 100644
index 3c7f0e7a..00000000
--- a/core/unbound/Dockerfile
+++ /dev/null
@@ -1,14 +0,0 @@
-FROM alpine:3.8
-
-RUN apk add --no-cache unbound curl \
- && curl -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache \
- && chown root:unbound /etc/unbound \
- && chmod 775 /etc/unbound \
- && apk del --no-cache curl \
- && /usr/sbin/unbound-anchor -a /etc/unbound/trusted-key.key | true
-
-COPY unbound.conf /etc/unbound/unbound.conf
-
-EXPOSE 53/udp 53/tcp
-
-CMD /usr/sbin/unbound
diff --git a/services/unbound/Dockerfile b/services/unbound/Dockerfile
new file mode 100644
index 00000000..1b84855c
--- /dev/null
+++ b/services/unbound/Dockerfile
@@ -0,0 +1,18 @@
+FROM python:3-alpine
+
+RUN apk add --no-cache unbound curl bind-tools \
+ && pip3 install jinja2 \
+ && curl -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache \
+ && chown root:unbound /etc/unbound \
+ && chmod 775 /etc/unbound \
+ && apk del --no-cache curl \
+ && /usr/sbin/unbound-anchor -a /etc/unbound/trusted-key.key | true
+
+COPY start.py /start.py
+COPY unbound.conf /unbound.conf
+
+EXPOSE 53/udp 53/tcp
+
+CMD /start.py
+
+HEALTHCHECK CMD dig @127.0.0.1 || exit 1
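Review bot: The two trust inputs of the resolver are fetched in the `RUN` step without any check that they arrived intact. `curl -o /etc/unbound/root.hints …` has no `-f`, so an HTTP error page would be saved as the root hints. `unbound-anchor … | true` pipes into `true`, which discards the exit status, so the build succeeds even when no `trusted-key.key` was written. I would use `curl -fsSL -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache`, write the anchor step as `&& { /usr/sbin/unbound-anchor -a /etc/unbound/trusted-key.key || true; }`, and follow it with `&& test -s /etc/unbound/trusted-key.key`. Separately, `FROM python:3-alpine` and `pip3 install jinja2` are unpinned, so rebuilds of this image are not reproducible.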
diff --git a/services/unbound/start.py b/services/unbound/start.py
new file mode 100755
index 00000000..82e017f7
--- /dev/null
+++ b/services/unbound/start.py
@@ -0,0 +1,9 @@
+#!/usr/local/bin/python3
+
+import jinja2
+import os
+
+convert = lambda src, dst: open(dst, "w").write(jinja2.Template(open(src).read()).render(**os.environ))
+convert("/unbound.conf", "/etc/unbound/unbound.conf")
+
+os.execv("/usr/sbin/unbound", ["-c /etc/unbound/unbound.conf"])
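Review bot: The list passed to `os.execv` is the complete argv, so `"-c /etc/unbound/unbound.conf"` becomes argv[0] and unbound receives no `-c` option at all. It presumably only works because the rendered file sits at the path unbound reads by default. The call should be `os.execv("/usr/sbin/unbound", ["unbound", "-c", "/etc/unbound/unbound.conf"])`. The `convert` lambda also renders with jinja2's default undefined handling, so a missing `SUBNET` yields an empty `access-control:` value instead of an error. Passing `undefined=jinja2.StrictUndefined` to `jinja2.Template` would make the container fail at start rather than run with a broken ACL.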
diff --git a/core/unbound/unbound.conf b/services/unbound/unbound.conf
similarity index 86%
rename from core/unbound/unbound.conf
rename to services/unbound/unbound.conf
index d2d9ce74..d54cbfbc 100644
--- a/core/unbound/unbound.conf
+++ b/services/unbound/unbound.conf
@@ -8,9 +8,9 @@ server:
do-udp: yes
do-tcp: yes
do-daemonize: no
- access-control: 0.0.0.0/0 allow
+ access-control: {{ SUBNET }} allow
directory: "/etc/unbound"
- username: unbound
+ username: root
auto-trust-anchor-file: trusted-key.key
root-hints: "/etc/unbound/root.hints"
hide-identity: yes
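Review bot: Changing `username: unbound` to `username: root` means the daemon no longer drops privileges after binding port 53. A parsing bug in a network-facing resolver would then run as root inside the container. If the switch was made because the unprivileged user could not write `trusted-key.key` or read the rendered config (an assumption, the commit message does not say), fixing ownership in the Dockerfile keeps the privilege drop, for example `chown unbound:unbound /etc/unbound/trusted-key.key` with `username: unbound` left as it was. The `server:` block starts outside this hunk.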
diff --git a/tests/build.yml b/tests/build.yml
index 00323151..8a5cd540 100644
--- a/tests/build.yml
+++ b/tests/build.yml
@@ -6,8 +6,8 @@ services:
image: ${DOCKER_ORG:-mailu}/nginx:${VERSION:-local}
build: ../core/nginx
- unbound:
- image: $DOCKER_ORG/unbound:$VERSION
+ resolver:
+ image: ${DOCKER_ORG:-mailu}/unbound:${VERSION:-local}
build: ../core/unbound
imap:
From 7c07efc216138eb4d7402c530e8f4173787ccf53 Mon Sep 17 00:00:00 2001
From: Ionut Filip
Date: Tue, 23 Oct 2018 15:42:19 +0300
Subject: [PATCH 14/25] Added unbound to setup
- Added checkbox for unbound resolver
- Added subnet variable
- Added dns variable which is generating the ip address based on subnet
---
setup/flavors/compose/docker-compose.yml | 44 ++++++++++++++++++++
setup/flavors/compose/mailu.env | 3 ++
setup/server.py | 2 +
setup/templates/steps/compose/03_expose.html | 13 ++++++
setup/templates/steps/stack/03_expose.html | 3 +-
5 files changed, 64 insertions(+), 1 deletion(-)
diff --git a/setup/flavors/compose/docker-compose.yml b/setup/flavors/compose/docker-compose.yml
index b01bb8fd..4fef7468 100644
--- a/setup/flavors/compose/docker-compose.yml
+++ b/setup/flavors/compose/docker-compose.yml
@@ -28,6 +28,15 @@ services:
{% endfor %}
volumes:
- "{{ root }}/certs:/certs"
+
+ {% if resolver_enabled %}
+ resolver:
+ image: mailu/resolver:{{ version }}
+ restart: always
+ networks:
+ default:
+ ipv4_address: {{ dns }}
+ {% endif %}
admin:
image: mailu/admin:{{ version }}
@@ -58,6 +67,11 @@ services:
- "{{ root }}/overrides:/overrides"
depends_on:
- front
+ {% if resolver_enabled %}
+ - resolver
+ dns:
+ - {{ dns }}
+ {% endif %}
# Optional services
{% if antispam_enabled %}
@@ -70,6 +84,11 @@ services:
- "{{ root }}/overrides/rspamd:/etc/rspamd/override.d"
depends_on:
- front
+ {% if resolver_enabled %}
+ - resolver
+ dns:
+ - {{ dns }}
+ {% endif %}
{% endif %}
{% if antivirus_enabled %}
@@ -78,6 +97,12 @@ services:
env_file: {{ env }}
volumes:
- "{{ root }}/filter:/data"
+ {% if resolver_enabled %}
+ depends_on:
+ - resolver
+ dns:
+ - {{ dns }}
+ {% endif %}
{% endif %}
{% if webdav_enabled %}
@@ -92,6 +117,12 @@ services:
fetchmail:
image: mailu/fetchmail:{{ version }}
env_file: {{ env }}
+ {% if resolver_enabled %}
+ depends_on:
+ - resolver
+ dns:
+ - {{ dns }}
+ {% endif %}
{% endif %}
# Webmail
@@ -103,4 +134,17 @@ services:
- "{{ root }}/webmail:/data"
depends_on:
- imap
+ - resolver
+ dns:
+ - {{ dns }}
{% endif %}
+
+{% if resolver_enabled %}
+networks:
+ default:
+ driver: bridge
+ ipam:
+ driver: default
+ config:
+ - subnet: {{ subnet }}
+{% endif %}
diff --git a/setup/flavors/compose/mailu.env b/setup/flavors/compose/mailu.env
index 9fc1197d..425f4cad 100644
--- a/setup/flavors/compose/mailu.env
+++ b/setup/flavors/compose/mailu.env
@@ -25,6 +25,9 @@ SECRET_KEY={{ secret(16) }}
# PUBLIC_IPV4= {{ bind4 }} (default: 127.0.0.1)
# PUBLIC_IPV6= {{ bind6 }} (default: ::1)
+# Subnet
+# SUBNET={{ subnet }}
+
# Main mail domain
DOMAIN={{ domain }}
diff --git a/setup/server.py b/setup/server.py
index bfe5ef15..6f60c3c0 100644
--- a/setup/server.py
+++ b/setup/server.py
@@ -7,6 +7,7 @@ import jinja2
import uuid
import string
import random
+import ipaddress
app = flask.Flask(__name__)
@@ -75,6 +76,7 @@ def build_app(path):
def submit():
data = flask.request.form.copy()
data['uid'] = str(uuid.uuid4())
+ data['dns'] = str(ipaddress.IPv4Network(data['subnet'])[-2])
db.set(data['uid'], json.dumps(data))
return flask.redirect(flask.url_for('.setup', uid=data['uid']))
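Review bot: The `subnet` form field goes straight into `ipaddress.IPv4Network(...)[-2]` with no error handling. A malformed value or one with host bits set raises `ValueError`, and a `/32` raises `IndexError`, so both surface as a 500 from the setup wizard. The same string is later rendered into the generated compose and env files, so this is the natural place to reject bad input. I would parse once, answer 400 on failure, and store the normalised network string. The decorator and the start of `submit` are outside this hunk.

```python
    data['uid'] = str(uuid.uuid4())
    try:
        subnet = ipaddress.IPv4Network(data['subnet'])
        data['dns'] = str(subnet[-2])
    except (ValueError, IndexError):
        flask.abort(400)
    data['subnet'] = str(subnet)
    # … unchanged: db.set and redirect …
```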
diff --git a/setup/templates/steps/compose/03_expose.html b/setup/templates/steps/compose/03_expose.html
index df121c7d..783c2037 100644
--- a/setup/templates/steps/compose/03_expose.html
+++ b/setup/templates/steps/compose/03_expose.html
@@ -26,6 +26,19 @@ avoid generic all-interfaces addresses like 0.0.0.0 or ::
+
+
+
+
+
+
+
+
+
You server will be available under a main hostname but may expose multiple public
hostnames. Every e-mail domain that points to this server must have one of the
hostnames in its MX record. Hostnames must be coma-separated.
diff --git a/setup/templates/steps/stack/03_expose.html b/setup/templates/steps/stack/03_expose.html
index a9cffc1c..1cd0cde5 100644
--- a/setup/templates/steps/stack/03_expose.html
+++ b/setup/templates/steps/stack/03_expose.html
@@ -5,7 +5,8 @@ you expose it to the world.
-
+
You server will be available under a main hostname but may expose multiple public
From da37555a3c6af23a28237bf8ba9da7ff34ed5529 Mon Sep 17 00:00:00 2001
From: Ionut Filip
Date: Tue, 23 Oct 2018 15:46:53 +0300
Subject: [PATCH 15/25] Fixed naming error
---
setup/flavors/compose/docker-compose.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/setup/flavors/compose/docker-compose.yml b/setup/flavors/compose/docker-compose.yml
index 4fef7468..630531fe 100644
--- a/setup/flavors/compose/docker-compose.yml
+++ b/setup/flavors/compose/docker-compose.yml
@@ -31,7 +31,7 @@ services:
{% if resolver_enabled %}
resolver:
- image: mailu/resolver:{{ version }}
+ image: mailu/unbound:{{ version }}
restart: always
networks:
default:
From 12d8872a0950173fed22050eb1baad3786f0e3f3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20M=C3=B6hlmann?=
Date: Tue, 23 Oct 2018 16:09:59 +0300
Subject: [PATCH 16/25] Fix unbound build path
---
tests/build.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/build.yml b/tests/build.yml
index 8a5cd540..ed5b75fe 100644
--- a/tests/build.yml
+++ b/tests/build.yml
@@ -8,7 +8,7 @@ services:
resolver:
image: ${DOCKER_ORG:-mailu}/unbound:${VERSION:-local}
- build: ../core/unbound
+ build: ../services/unbound
imap:
image: ${DOCKER_ORG:-mailu}/dovecot:${VERSION:-local}
From 6c12e2fffb9990dec70fdbc650245d78796b282c Mon Sep 17 00:00:00 2001
From: Ionut Filip
Date: Tue, 23 Oct 2018 16:39:22 +0300
Subject: [PATCH 17/25] Fixed subnet variable in unbound
---
setup/flavors/compose/docker-compose.yml | 1 +
setup/flavors/compose/mailu.env | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/setup/flavors/compose/docker-compose.yml b/setup/flavors/compose/docker-compose.yml
index 630531fe..e6b64077 100644
--- a/setup/flavors/compose/docker-compose.yml
+++ b/setup/flavors/compose/docker-compose.yml
@@ -32,6 +32,7 @@ services:
{% if resolver_enabled %}
resolver:
image: mailu/unbound:{{ version }}
+ env_file: {{ env }}
restart: always
networks:
default:
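Review bot: `env_file: {{ env }}` hands the resolver the whole `mailu.env`, including `SECRET_KEY` (visible in the `mailu.env` hunk header of this same commit), although the unbound template only reads `SUBNET`. The container's `start.py` renders its config with every environment variable, so the secret reaches a network-facing service that has no use for it. Passing just the one value keeps the resolver least-privileged: `environment:` followed by `- SUBNET={{ subnet }}`. The `resolver` service added to `setup/flavors/stack/docker-compose.yml` in patch 18 has the same `env_file` line.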
diff --git a/setup/flavors/compose/mailu.env b/setup/flavors/compose/mailu.env
index 425f4cad..4a14de63 100644
--- a/setup/flavors/compose/mailu.env
+++ b/setup/flavors/compose/mailu.env
@@ -26,7 +26,7 @@ SECRET_KEY={{ secret(16) }}
# PUBLIC_IPV6= {{ bind6 }} (default: ::1)
# Subnet
-# SUBNET={{ subnet }}
+SUBNET={{ subnet }}
# Main mail domain
DOMAIN={{ domain }}
From 120c29eff603850d8bb9573df1ddbc8edc4a56b5 Mon Sep 17 00:00:00 2001
From: Ionut Filip
Date: Tue, 23 Oct 2018 17:46:06 +0300
Subject: [PATCH 18/25] Added unbound for stack flavor
---
setup/flavors/compose/docker-compose.yml | 4 ++--
setup/flavors/stack/docker-compose.yml | 25 ++++++++++++++++++++++
setup/templates/steps/stack/03_expose.html | 7 ++++++
3 files changed, 34 insertions(+), 2 deletions(-)
diff --git a/setup/flavors/compose/docker-compose.yml b/setup/flavors/compose/docker-compose.yml
index e6b64077..50fd1705 100644
--- a/setup/flavors/compose/docker-compose.yml
+++ b/setup/flavors/compose/docker-compose.yml
@@ -29,7 +29,7 @@ services:
volumes:
- "{{ root }}/certs:/certs"
- {% if resolver_enabled %}
+ {% if resolver_enabled %}
resolver:
image: mailu/unbound:{{ version }}
env_file: {{ env }}
@@ -68,7 +68,7 @@ services:
- "{{ root }}/overrides:/overrides"
depends_on:
- front
- {% if resolver_enabled %}
+ {% if resolver_enabled %}
- resolver
dns:
- {{ dns }}
diff --git a/setup/flavors/stack/docker-compose.yml b/setup/flavors/stack/docker-compose.yml
index f27b661f..b9537e94 100644
--- a/setup/flavors/stack/docker-compose.yml
+++ b/setup/flavors/stack/docker-compose.yml
@@ -28,6 +28,15 @@ services:
- "{{ root }}/certs:/certs"
deploy:
replicas: 1
+
+ {% if resolver_enabled %}
+ resolver:
+ image: mailu/unbound:{{ version }}
+ env_file: {{ env }}
+ networks:
+ default:
+ ipv4_address: {{ dns }}
+ {% endif %}
admin:
image: mailu/admin:{{ version }}
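Review bot: The stack `resolver` service is given a static `ipv4_address: {{ dns }}`, but this file gets no `networks:` section with an `ipam` subnet; the compose flavor added one in patch 14, and the 25 inserted lines here are all accounted for by the service hunks. Docker only honours a fixed address on a network with a user-configured subnet, and as far as I know `docker stack deploy` does not honour `ipv4_address` at all. If so, the `dns:` entries added in the following hunks would point at an address nothing listens on, and the mail services would lose name resolution. This needs testing on a swarm, and probably a different way to reach the resolver there, such as its service name.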
@@ -63,6 +72,10 @@ services:
- "{{ root }}/overrides:/overrides"
deploy:
replicas: 1
+ {% if resolver_enabled %}
+ dns:
+ - {{ dns }}
+ {% endif %}
# Optional services
{% if antispam_enabled %}
@@ -77,6 +90,10 @@ services:
- "{{ root }}/overrides/rspamd:/etc/rspamd/override.d"
deploy:
replicas: 1
+ {% if resolver_enabled %}
+ dns:
+ - {{ dns }}
+ {% endif %}
{% endif %}
{% if antivirus_enabled %}
@@ -87,6 +104,10 @@ services:
- "{{ root }}/filter:/data"
deploy:
replicas: 1
+ {% if resolver_enabled %}
+ dns:
+ - {{ dns }}
+ {% endif %}
{% endif %}
{% if webdav_enabled %}
@@ -107,6 +128,10 @@ services:
- "{{ root }}/data:/data"
deploy:
replicas: 1
+ {% if resolver_enabled %}
+ dns:
+ - {{ dns }}
+ {% endif %}
{% endif %}
{% if webmail_type != 'none' %}
diff --git a/setup/templates/steps/stack/03_expose.html b/setup/templates/steps/stack/03_expose.html
index 1cd0cde5..d47390be 100644
--- a/setup/templates/steps/stack/03_expose.html
+++ b/setup/templates/steps/stack/03_expose.html
@@ -3,6 +3,13 @@
and let users access their mailboxes. Mailu has some flexibility in the way
you expose it to the world.
+
+
+
+
Date: Tue, 23 Oct 2018 10:47:31 -0500
Subject: [PATCH 19/25] Fix typo (duplicate self). Fixes #683
---
core/admin/mailu/models.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/core/admin/mailu/models.py b/core/admin/mailu/models.py
index 3653011f..62c25c81 100644
--- a/core/admin/mailu/models.py
+++ b/core/admin/mailu/models.py
@@ -271,7 +271,7 @@ class User(Base, Email):
@property
def destination(self):
if self.forward_enabled:
- result = self.self.forward_destination
+ result = self.forward_destination
if self.forward_keep:
result += ',' + self.email
return result
From b8783b670aa6a299047f280c0c272b68905cbb62 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20M=C3=B6hlmann?=
Date: Wed, 24 Oct 2018 12:18:03 +0300
Subject: [PATCH 20/25] Take out DNS entry for webmail
---
setup/flavors/compose/docker-compose.yml | 3 ---
1 file changed, 3 deletions(-)
diff --git a/setup/flavors/compose/docker-compose.yml b/setup/flavors/compose/docker-compose.yml
index 50fd1705..81b6bcb2 100644
--- a/setup/flavors/compose/docker-compose.yml
+++ b/setup/flavors/compose/docker-compose.yml
@@ -135,9 +135,6 @@ services:
- "{{ root }}/webmail:/data"
depends_on:
- imap
- - resolver
- dns:
- - {{ dns }}
{% endif %}
{% if resolver_enabled %}
From fd3a9448500bf6aea4686583d104473e3f96911e Mon Sep 17 00:00:00 2001
From: hoellen
Date: Thu, 25 Oct 2018 13:04:40 +0200
Subject: [PATCH 21/25] fix typo in doc
---
docs/cli.rst | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/cli.rst b/docs/cli.rst
index 4a5250a2..038f1247 100644
--- a/docs/cli.rst
+++ b/docs/cli.rst
@@ -39,7 +39,7 @@ primary difference with simple `user` command is that password is being imported
.. code-block:: bash
- docker-compose run --rm admin python manage.py user --hash_scheme='SHA512-CRYPT' myuser example.net '$6$51ebe0cb9f1dab48effa2a0ad8660cb489b445936b9ffd812a0b8f46bca66dd549fea530ce'
+ docker-compose run --rm admin python manage.py user_import --hash_scheme='SHA512-CRYPT' myuser example.net '$6$51ebe0cb9f1dab48effa2a0ad8660cb489b445936b9ffd812a0b8f46bca66dd549fea530ce'
user_delete
------------
From 2237e641b04726c1482fc87becd260ed4c374e77 Mon Sep 17 00:00:00 2001
From: Daniel Huber
Date: Sun, 28 Oct 2018 12:26:14 +0100
Subject: [PATCH 22/25] Fix Typo in K8s Docs
---
docs/kubernetes/mailu/index.rst | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/kubernetes/mailu/index.rst b/docs/kubernetes/mailu/index.rst
index ef12eb58..99abd8b1 100644
--- a/docs/kubernetes/mailu/index.rst
+++ b/docs/kubernetes/mailu/index.rst
@@ -189,5 +189,5 @@ This problem can be easily fixed by running following commands:
.. code:: bash
- kubectl -n mailu-mailserver exec -it maolu-imap-... /bin/sh
+ kubectl -n mailu-mailserver exec -it mailu-imap-... /bin/sh
chmod 777 /data/main.db
From 7125077dec76cd5a9e3f1d4d1d03e2100c96cd1d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20S=C3=A4nger?=
Date: Mon, 29 Oct 2018 01:41:04 +0100
Subject: [PATCH 23/25] Update roundcube
---
webmails/roundcube/Dockerfile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/webmails/roundcube/Dockerfile b/webmails/roundcube/Dockerfile
index 6250e6df..69e0f334 100644
--- a/webmails/roundcube/Dockerfile
+++ b/webmails/roundcube/Dockerfile
@@ -1,6 +1,6 @@
FROM php:7.2-apache
-ENV ROUNDCUBE_URL https://github.com/roundcube/roundcubemail/releases/download/1.3.7/roundcubemail-1.3.7-complete.tar.gz
+ENV ROUNDCUBE_URL https://github.com/roundcube/roundcubemail/releases/download/1.3.8/roundcubemail-1.3.8-complete.tar.gz
RUN apt-get update && apt-get install -y \
zlib1g-dev curl \
From 9ba086fcffad3ec469df910920013757255b3e87 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20S=C3=A4nger?=
Date: Tue, 30 Oct 2018 23:28:25 +0100
Subject: [PATCH 24/25] store rspamd history in redis
---
services/rspamd/conf/history_redis.conf | 1 +
1 file changed, 1 insertion(+)
create mode 100644 services/rspamd/conf/history_redis.conf
diff --git a/services/rspamd/conf/history_redis.conf b/services/rspamd/conf/history_redis.conf
new file mode 100644
index 00000000..fee07024
--- /dev/null
+++ b/services/rspamd/conf/history_redis.conf
@@ -0,0 +1 @@
+servers = "{{ HOST_REDIS }}";
From 5fa2aac56945ddaf72323ffff49ae5bbea2c0f83 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20M=C3=B6hlmann?=
Date: Wed, 31 Oct 2018 17:47:05 +0200
Subject: [PATCH 25/25] Fix imap login when no webmail selected
---
core/admin/mailu/internal/views/dovecot.py | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/core/admin/mailu/internal/views/dovecot.py b/core/admin/mailu/internal/views/dovecot.py
index 036140f0..e6e4c10f 100644
--- a/core/admin/mailu/internal/views/dovecot.py
+++ b/core/admin/mailu/internal/views/dovecot.py
@@ -3,7 +3,7 @@ from mailu.internal import internal
import flask
import socket
-
+import os
@internal.route("/dovecot/passdb/")
def dovecot_passdb_dict(user_email):
@@ -13,7 +13,8 @@ def dovecot_passdb_dict(user_email):
app.config.get("POD_ADDRESS_RANGE") or
socket.gethostbyname(app.config["HOST_FRONT"])
)
- allow_nets.append(socket.gethostbyname(app.config["HOST_WEBMAIL"]))
+ if os.environ["WEBMAIL"] != "none":
+ allow_nets.append(socket.gethostbyname(app.config["HOST_WEBMAIL"]))
print(allow_nets)
return flask.jsonify({
"password": None,