From 4c7cdeb43bfede6d296c9de6132771e647bf0214 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tim=20M=C3=B6hlmann?= Date: Mon, 31 Dec 2018 04:13:25 +0200 Subject: [PATCH 1/7] FAQ: Difference between DOMAINS and HOSTNAMES - Closes #742 - Closes #747 --- docs/faq.rst | 47 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) diff --git a/docs/faq.rst b/docs/faq.rst index 395b739c..7849d7c5 100644 --- a/docs/faq.rst +++ b/docs/faq.rst 
@@ -89,6 +89,51 @@ our ongoing `project management`_ discussion issue. Deployment related ------------------ +What is the difference between DOMAIN and HOSTNAMES? +```````````````````````````````````````````````````` + +Similair questions: + +- Changing domain doesn't work +- Do I need a certificate for ``DOMAIN``? + +``DOMAIN`` is the main mail domain. Aka, server identification for outgoing mail. DMARC reports point to ``POSTMASTER`` @ ``DOMAIN``. +These are really the only things it is used for. You don't need a cert for ``DOMAIN``, as it is a mail domain only and not used as host in any sense. +However, it is usual that ``DOMAIN`` gets setup as one of the many mail domains. None of the mail domains ever need a certificate. +TLS certificates work on host connection level only. + +``HOSTNAMES`` however, can be used to connect to the server. All host names supplied in this variable will need a certificate. When ``TLS_FLAVOR=letsencrypt`` is set, +a certificate is requested automatically for all those domains. + +So when you have something like this: + +.. code-block:: bash + + DOMAIN=example.com + POSTMASTER=me + HOSTNAMES=mail.example.com,mail.foo.com,bar.com + TLS_FLAVOR=letsencrypt + +- You'll end up with a DMARC address to ``me@example.com``. +- Server identifies itself as the SMTP server of ``@example.com`` when sending mail. Make sure your reverse DNS hostname is part of that domain! +- Your server will have certificates for the 3 hostnames. You will need to create ``A`` and ``AAAA`` records for those names, + pointing to the IP addresses of your server. +- The admin interface generates ``MX`` and ``SPF`` examples which point to the first entry of ``HOSTNAMES`` but these are only examples. + You can modify them to use any other ``HOSTNAMES`` entry. + +You're mail service will be reachable for IMAP, POP3, SMTP and Webmail at the addresses: + +- mail.example.com +- mail.foo.com +- bar.com + +.. 
note:: + + In this case ``example.com`` is not reachable as a host and will not have a certificate. + It can be used as a mail domain if MX is setup to point to one of the ``HOSTNAMES``. However, it is possible to include ``example.com`` in ``HOSTNAMES``. + +*Issue reference:* `742`_, `747`_. + How does Mailu scale up? ```````````````````````` @@ -154,6 +199,8 @@ correct syntax. The following file names will be taken as override configuration .. _`165`: https://github.com/Mailu/Mailu/issues/165 .. _`177`: https://github.com/Mailu/Mailu/issues/177 .. _`332`: https://github.com/Mailu/Mailu/issues/332 +.. _`742`: https://github.com/Mailu/Mailu/issues/742 +.. _`747`: https://github.com/Mailu/Mailu/issues/747 .. _`520`: https://github.com/Mailu/Mailu/issues/520 .. _`591`: https://github.com/Mailu/Mailu/issues/591 From dc238bb2b33f72db32c8bc6c2908e9ee79f9f9a0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tim=20M=C3=B6hlmann?= Date: Mon, 31 Dec 2018 04:33:37 +0200 Subject: [PATCH 2/7] FAQ: Unbound DNS - Closes #554 --- docs/faq.rst | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/docs/faq.rst b/docs/faq.rst index 7849d7c5..8c1b0685 100644 --- a/docs/faq.rst +++ b/docs/faq.rst 
@@ -312,12 +312,30 @@ spam filter weight settings. *Issue reference:* `503`_. +rspamd: DNS query blocked on multi.uribl.com +```````````````````````````````````````````` + +This usually relates to the DNS server you are using. Most of the public servers block this query or there is a rate limit. +In order to solve this, you most probably are better off using a root DNS resolver, such as `unbound`_. This can be done in multiple ways: + +- Use the *Mailu/unbound* container. This is an optional include when generating the ``docker-compose.yml`` file with the setup utility. +- Setup unbound on the host and make sure the host's ``/etc/resolve.conf`` points to local host. + Docker will then forward all external DNS requests to the local server. +- Set up an external DNS server with root resolving capabilities. + +In any case, using a dedicated DNS server will improve the performance of your mail server. + +*Issue reference:* `554`_, `681`_. + .. _`troubleshooting tag`: https://github.com/Mailu/Mailu/issues?utf8=%E2%9C%93&q=label%3Afaq%2Ftroubleshooting .. _`85`: https://github.com/Mailu/Mailu/issues/85 .. _`116`: https://github.com/Mailu/Mailu/issues/116 .. _`171`: https://github.com/Mailu/Mailu/issues/171 .. _`426`: https://github.com/Mailu/Mailu/issues/426 .. _`503`: https://github.com/Mailu/Mailu/issues/503 +.. _`554`: https://github.com/Mailu/Mailu/issues/554 .. _`584`: https://github.com/Mailu/Mailu/issues/584 .. _`592`: https://github.com/Mailu/Mailu/issues/592 .. _`615`: https://github.com/Mailu/Mailu/issues/615 +.. _`681`: https://github.com/Mailu/Mailu/pull/681 +.. _`unbound`: https://nlnetlabs.nl/projects/unbound/about/ From df55b2e9d6f6865a7a59ec8ba338ef234852d9d2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tim=20M=C3=B6hlmann?= Date: Mon, 31 Dec 2018 04:38:59 +0200 Subject: [PATCH 3/7] Reference and close #206 --- docs/faq.rst | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/docs/faq.rst b/docs/faq.rst index 8c1b0685..768bed83 100644 
--- a/docs/faq.rst +++ b/docs/faq.rst @@ -191,6 +191,8 @@ correct syntax. The following file names will be taken as override configuration - `Dovecot`_ - ``dovecot.conf``; - `Rspamd`_ - All files in the ``rspamd`` sub-directory. +*Issue reference:* `206`_. + .. _`Postfix`: http://www.postfix.org/postconf.5.html .. _`Dovecot`: https://wiki.dovecot.org/ConfigFile .. _`Rspamd`: https://www.rspamd.com/doc/configuration/index.html @@ -325,12 +327,13 @@ In order to solve this, you most probably are better off using a root DNS resolv In any case, using a dedicated DNS server will improve the performance of your mail server. -*Issue reference:* `554`_, `681`_. +*Issue reference:* `206`_, `554`_, `681`_. .. _`troubleshooting tag`: https://github.com/Mailu/Mailu/issues?utf8=%E2%9C%93&q=label%3Afaq%2Ftroubleshooting .. _`85`: https://github.com/Mailu/Mailu/issues/85 .. _`116`: https://github.com/Mailu/Mailu/issues/116 .. _`171`: https://github.com/Mailu/Mailu/issues/171 +.. _`206`: https://github.com/Mailu/Mailu/issues/206 .. _`426`: https://github.com/Mailu/Mailu/issues/426 .. _`503`: https://github.com/Mailu/Mailu/issues/503 .. _`554`: https://github.com/Mailu/Mailu/issues/554 From 8dd30a698b56aa4a69c64d00e6155c0dfa8946f7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tim=20M=C3=B6hlmann?= Date: Mon, 31 Dec 2018 04:51:12 +0200 Subject: [PATCH 4/7] FAQ: Rancher - Closes #125 --- docs/faq.rst | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/docs/faq.rst b/docs/faq.rst index 768bed83..6ee1871e 100644 --- a/docs/faq.rst +++ b/docs/faq.rst 
@@ -168,6 +168,16 @@ For **service** HA, please see: `How does Mailu scale up?`_ .. _`spam magnet`: https://blog.zensoftware.co.uk/2012/07/02/why-we-tend-to-recommend-not-having-a-secondary-mx-these-days/ +Does Mailu run on Rancher? +`````````````````````````` + +There is a rancher catalog for Mailu in the `Mailu/Rancher`_ repository. The user group for Rancher is small, +so we cannot promise any support on this when you're heading into trouble. See the repository README for more details. + +*Issue reference:* `125`_. + +.. _`Mailu/Rancher`: https://github.com/Mailu/Rancher + Can I run Mailu without host iptables? `````````````````````````````````````` @@ -198,6 +208,7 @@ correct syntax. The following file names will be taken as override configuration .. _`Rspamd`: https://www.rspamd.com/doc/configuration/index.html .. _`Docker swarm howto`: https://github.com/Mailu/Mailu/tree/master/docs/swarm/master +.. _`125`: https://github.com/Mailu/Mailu/issues/125 .. _`165`: https://github.com/Mailu/Mailu/issues/165 .. _`177`: https://github.com/Mailu/Mailu/issues/177 .. _`332`: https://github.com/Mailu/Mailu/issues/332 From 4c78785da32f3f7ea31d41b43815004be3e46ead Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tim=20M=C3=B6hlmann?= Date: Mon, 31 Dec 2018 04:57:17 +0200 Subject: [PATCH 5/7] FAQ: DKIM and DMARC generation - Closes #102 --- docs/faq.rst | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/docs/faq.rst b/docs/faq.rst index 6ee1871e..ef4103c2 100644 --- a/docs/faq.rst +++ b/docs/faq.rst 
@@ -301,8 +301,18 @@ See also :ref:`external_certs`. *Issue reference:* `426`_, `615`_. +How do I activate DKIM and DMARC? +``````````````````````` +Go into the Domain Panel and choose the Domain you want to enable DKIM for. +Click the first icon on the left side (domain details). +Now click on the top right on the *"Regenerate Keys"* Button. +This will generate the DKIM and DMARC entries for you. + +*Issue reference:* `102`_. + Do you support Fail2Ban? ```````````````````````` + Fail2Ban is not included in Mailu. Fail2Ban needs to modify the host's IP tables in order to ban the addresses. We consider such a program should be run on the host system and not inside a container. The ``front`` container does use authentication rate limiting to slow @@ -342,6 +352,7 @@ In any case, using a dedicated DNS server will improve the performance of your m .. _`troubleshooting tag`: https://github.com/Mailu/Mailu/issues?utf8=%E2%9C%93&q=label%3Afaq%2Ftroubleshooting .. _`85`: https://github.com/Mailu/Mailu/issues/85 +.. _`102`: https://github.com/Mailu/Mailu/issues/102 .. _`116`: https://github.com/Mailu/Mailu/issues/116 .. _`171`: https://github.com/Mailu/Mailu/issues/171 .. _`206`: https://github.com/Mailu/Mailu/issues/206 From f91b80503e132c1b34ddf3759e08f501204a3bb0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tim=20M=C3=B6hlmann?= Date: Mon, 31 Dec 2018 05:11:56 +0200 Subject: [PATCH 6/7] FAQ: Older ciphers - Closes #698 --- docs/faq.rst | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/docs/faq.rst b/docs/faq.rst index ef4103c2..545e0427 100644 --- a/docs/faq.rst +++ b/docs/faq.rst 
@@ -350,12 +350,29 @@ In any case, using a dedicated DNS server will improve the performance of your m *Issue reference:* `206`_, `554`_, `681`_. +Is there a way to support more (older) ciphers? +``````````````````````````````````````````````` + +See `How can I override settings?`_ . +You will need to add the protocols you wish to support in an override for the ``front`` container (Nginx). + +.. code-block:: bash + + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_ciphers ; + +We **strongly** advice against downgrading the TLS version and ciphers! + +*Issue reference:* `363`_, `698`_. + + .. _`troubleshooting tag`: https://github.com/Mailu/Mailu/issues?utf8=%E2%9C%93&q=label%3Afaq%2Ftroubleshooting .. _`85`: https://github.com/Mailu/Mailu/issues/85 .. _`102`: https://github.com/Mailu/Mailu/issues/102 .. _`116`: https://github.com/Mailu/Mailu/issues/116 .. _`171`: https://github.com/Mailu/Mailu/issues/171 .. _`206`: https://github.com/Mailu/Mailu/issues/206 +.. _`363`: https://github.com/Mailu/Mailu/issues/363 .. _`426`: https://github.com/Mailu/Mailu/issues/426 .. _`503`: https://github.com/Mailu/Mailu/issues/503 .. _`554`: https://github.com/Mailu/Mailu/issues/554 @@ -363,4 +380,5 @@ In any case, using a dedicated DNS server will improve the performance of your m .. _`592`: https://github.com/Mailu/Mailu/issues/592 .. _`615`: https://github.com/Mailu/Mailu/issues/615 .. _`681`: https://github.com/Mailu/Mailu/pull/681 +.. _`698`: https://github.com/Mailu/Mailu/issues/698 .. _`unbound`: https://nlnetlabs.nl/projects/unbound/about/ From cd85b4497269596341eb707ae5e3a1dff2e78a58 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tim=20M=C3=B6hlmann?= Date: Wed, 2 Jan 2019 19:15:56 +0200 Subject: [PATCH 7/7] Fix typo --- docs/faq.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/faq.rst b/docs/faq.rst index 545e0427..8bd82d95 100644 --- a/docs/faq.rst +++ b/docs/faq.rst 
@@ -92,7 +92,7 @@ Deployment related What is the difference between DOMAIN and HOSTNAMES? ```````````````````````````````````````````````````` -Similair questions: +Similar questions: - Changing domain doesn't work - Do I need a certificate for ``DOMAIN``?
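
Review bot: In PATCH 1/7, first hunk of docs/faq.rst, the sentence "You're mail service will be reachable for IMAP, POP3, SMTP and Webmail" should read "Your mail service"; the later "Fix typo" patch only corrects "Similair", so this one survives the series. In the same hunk the example is tagged ``.. code-block:: bash`` although it is environment-file content, not shell, and "Aka, server identification" would read better as a full sentence. In the second hunk the `742` and `747` targets are inserted between `332` and `520`, which breaks the numeric order the visible link list otherwise follows; placing them after `591` would keep it sorted.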
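
Review bot: In PATCH 2/7, second bullet of the new rspamd entry, ``/etc/resolve.conf`` is misspelled; the resolver configuration file is ``/etc/resolv.conf``, and a reader who copies the path as written will edit a file nothing reads. The same bullet starts with "Setup unbound" where the third bullet correctly uses the verb form "Set up", and "points to local host" should be "points to localhost". "Root DNS resolver" would also be clearer as "recursive resolver", since that is what unbound provides here.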
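
Review bot: In PATCH 3/7, the second hunk adds `206`_ to the issue reference of the rspamd DNS entry, while the first hunk already adds the same reference under the override-settings entry; please confirm the issue really belongs to both, otherwise drop it from the DNS entry. The `206` target itself is added only to the troubleshooting link list (between `171` and `426`), whereas the first reference sits in the section whose targets are kept in the other list (`165`, `177`, `332`). It resolves either way, but it would be more consistent to define it next to the section that introduces it.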
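
Review bot: In PATCH 5/7, the underline added beneath "How do I activate DKIM and DMARC?" is shorter than the title (it looks copied from the Fail2Ban heading), which docutils reports as "Title underline too short"; extend it to the full title length. The steps also end at "This will generate the DKIM and DMARC entries for you" without saying that the generated records still have to be published in the domain's DNS zone before they take effect. Since the button is labelled "Regenerate Keys", it is worth a sentence telling readers with an already published DKIM record that the DNS entry must be updated after clicking it.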
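
Review bot: In PATCH 6/7, the example line ``ssl_ciphers ;`` has no value, so anyone pasting the block into the ``front`` override gets a directive Nginx rejects; use a visible placeholder such as ``ssl_ciphers <cipher list>;`` and say in the text that the list must be filled in. The heading asks about ciphers but the sentence above the block only mentions "the protocols you wish to support", so name both directives there. "We **strongly** advice against" should be "advise", and the block is Nginx configuration rather than ``bash``. Given that the example enables ``TLSv1`` and ``TLSv1.1``, the warning would be easier to notice if it came before the snippet instead of after it.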