docker run --rm -it -v $(docker inspect --format '{{ range .Mounts }}{{ if eq .Destination "/var/vmail" }}{{ .Name }}{{ end }}{{ end }}' $(docker-compose ps -q dovecot-mailcow)):/vmail -v ${PWD}:/backup debian:jessie tar cvfz /backup/backup_vmail.tar.gz /vmail
```
You can change the path by adjusting ${PWD} (which equals to the current directory) to any path you have write-access to.
Set the filename `backup_vmail.tar.gz` to any custom name, but leave the path as it is. Example: `[...] tar cvfz /backup/my_own_filename_.tar.gz`
### Restore
```
cd /path/to/mailcow-dockerized
source mailcow.conf
DATE=$(date +"%Y%m%d_%H%M%S")
docker run --rm -it -v $(docker inspect --format '{{ range .Mounts }}{{ if eq .Destination "/var/vmail" }}{{ .Name }}{{ end }}{{ end }}' $(docker-compose ps -q dovecot-mailcow)):/vmail -v ${PWD}:/backup debian:jessie tar xvfz /backup/backup_vmail.tar.gz
```
## Backup and restore maildir (simple tar file)
### Backup
This line backups the vmail directory to a file backup_vmail.tar.gz in the mailcow root directory:
```
cd /path/to/mailcow-dockerized
source mailcow.conf
DATE=$(date +"%Y%m%d_%H%M%S")
docker run --rm -it -v $(docker inspect --format '{{ range .Mounts }}{{ if eq .Destination "/var/vmail" }}{{ .Name }}{{ end }}{{ end }}' $(docker-compose ps -q dovecot-mailcow)):/vmail -v ${PWD}:/backup debian:jessie tar cvfz /backup/backup_vmail.tar.gz /vmail
```
You can change the path by adjusting ${PWD} (which equals to the current directory) to any path you have write-access to.
Set the filename `backup_vmail.tar.gz` to any custom name, but leave the path as it is. Example: `[...] tar cvfz /backup/my_own_filename_.tar.gz`
### Restore
```
cd /path/to/mailcow-dockerized
source mailcow.conf
DATE=$(date +"%Y%m%d_%H%M%S")
docker run --rm -it -v $(docker inspect --format '{{ range .Mounts }}{{ if eq .Destination "/var/vmail" }}{{ .Name }}{{ end }}{{ end }}' $(docker-compose ps -q dovecot-mailcow)):/vmail -v ${PWD}:/backup debian:jessie tar xvfz /backup/backup_vmail.tar.gz
```
## Docker Compose Bash completion
For the tab-tab... :-)
```
curl -L https://raw.githubusercontent.com/docker/compose/$(docker-compose version --short)/contrib/completion/bash/docker-compose -o /etc/bash_completion.d/docker-compose
```
## Black and Whitelist
Edit a domain as (domain) administrator to add an item to the filter table.
Beware that a mailbox user can login to mailcow and override a domain policy filter item.
For the tab-tab... :-)
```
curl -L https://raw.githubusercontent.com/docker/compose/$(docker-compose version --short)/contrib/completion/bash/docker-compose -o /etc/bash_completion.d/docker-compose
```
## Black and Whitelist
Edit a domain as (domain) administrator to add an item to the filter table.
Beware that a mailbox user can login to mailcow and override a domain policy filter item.
## Change default language
Change `data/conf/sogo/sogo.conf` and replace "English" by your preferred language.
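Review bot: In the "Docker Compose Bash completion" block, `curl -L ... -o /etc/bash_completion.d/docker-compose` lacks `-f`, so if the `$(docker-compose version --short)` tag does not resolve, an HTTP error page is saved as the completion script, in a directory that bash completion loads into interactive shells. Suggest `curl -fL` and a note that the command needs root. Separately, the backup and restore snippets set `DATE=$(date +"%Y%m%d_%H%M%S")` and source `mailcow.conf`, but no variable from either appears in the `docker run` line; use `$DATE` in the archive name or drop those lines. The text could also state that `backup_vmail.tar.gz` contains every mailbox and should be written to a path with restricted permissions.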
@@ -62,218 +61,218 @@ Create a file `data/web/inc/vars.local.inc.php` and add "DEFAULT_LANG" with eith
<?php
$DEFAULT_LANG = "de";
```
## Change UI theme
mailcow uses [Bootstrap](http://getbootstrap.com/), a HTML, CSS, and JS framework.
Open or create the file `data/web/inc/vars.local.inc.php` and change `DEFAULT_THEME` to either cerulean, cosmo, custom, cyborg, darkly, flatly, journal, paper, readable, sandstone, simplex, slate, spacelab, superhero, united or yeti (see https://bootswatch.com/):
```
<?php
$DEFAULT_THEME = "paper";
```
## Customize Dockerfiles
Make your changes in `data/Dockerfiles/$service` and build the image locally:
mailcow uses [Bootstrap](http://getbootstrap.com/), a HTML, CSS, and JS framework.
Open or create the file `data/web/inc/vars.local.inc.php` and change `DEFAULT_THEME` to either cerulean, cosmo, custom, cyborg, darkly, flatly, journal, paper, readable, sandstone, simplex, slate, spacelab, superhero, united or yeti (see https://bootswatch.com/):
```
<?php
$DEFAULT_THEME = "paper";
```
## Customize Dockerfiles
Make your changes in `data/Dockerfiles/$service` and build the image locally:
This option is not best-practice and should only be implemented when there is no other option available to archive whatever you are trying to do.
Simply create a file `data/conf/postfix/check_sender_access` and enter the following content:
```
user-to-allow-everything@example.com OK
```
Open `data/conf/postfix/main.cf` and find `smtpd_sender_restrictions`. Prepend `check_sasl_access hash:/opt/postfix/conf/check_sender_access` like this:
docker-compose exec mysql-mailcow mysql -u${DBUSER} -p${DBPASS} ${DBNAME} <backup_file.sql
Open `data/conf/postfix/main.cf` and find `smtpd_sender_restrictions`. Prepend `check_sasl_access hash:/opt/postfix/conf/check_sender_access` like this:
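Review bot: The `check_sender_access` instructions warn that the option "is not best-practice" but never say what it switches off. With `check_sasl_access` the lookup key is the SASL login name, and an `OK` result permits the request and skips the remaining entries in `smtpd_sender_restrictions`; spell that out so the reader knows what `user-to-allow-everything@example.com OK` grants. The file name `check_sender_access` is also the name of a different Postfix restriction, so either rename the file or explain the mismatch, and "archive" should read "achieve". In the `mysql -u${DBUSER} -p${DBPASS} ${DBNAME} <backup_file.sql` line, the database password is passed on the command line; consider noting that or reading it from a client option file.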
@@ -288,126 +287,126 @@ You can also use Rspamd's web ui to learn ham and/or spam.
### CLI tools
```
docker-composeexecrspamd-mailcowrspamc--help
docker-composeexecrspamd-mailcowrspamadm--help
```
```
docker-composeexecrspamd-mailcowrspamc--help
docker-composeexecrspamd-mailcowrspamadm--help
```
See [Rspamd documentation](https://rspamd.com/doc/index.html)
## Adjust service configurations
## Adjust service configurations
The most important configuration files are mounted from the host into the related containers:
```
data/conf
├──bind9
│└──named.conf
├──dovecot
│├──dovecot.conf
│├──dovecot-master.passwd
│├──sieve_after
│└──sql
│├──dovecot-dict-sql.conf
│└──dovecot-mysql.conf
├──mysql
│└──my.cnf
├──nginx
│├──dynmaps.conf
│├──site.conf
│└──templates
│├──listen_plain.template
│├──listen_ssl.template
│└──server_name.template
├──pdns
│├──pdns_custom.lua
│└──recursor.conf
├──postfix
│├──main.cf
│├──master.cf
│├──postscreen_access.cidr
│├──smtp_dsn_filter
│└──sql
│├──mysql_relay_recipient_maps.cf
│├──mysql_tls_enforce_in_policy.cf
│├──mysql_tls_enforce_out_policy.cf
│├──mysql_virtual_alias_domain_catchall_maps.cf
│├──mysql_virtual_alias_domain_maps.cf
│├──mysql_virtual_alias_maps.cf
│├──mysql_virtual_domains_maps.cf
│├──mysql_virtual_mailbox_maps.cf
│├──mysql_virtual_relay_domain_maps.cf
│├──mysql_virtual_sender_acl.cf
│└──mysql_virtual_spamalias_maps.cf
├──rmilter
│└──rmilter.conf
├──rspamd
│├──dynmaps
││├──authoritative.php
││├──settings.php
││├──tags.php
││└──vars.inc.php-> ../../../web/inc/vars.inc.php
│ ├── local.d
│ │ ├── dkim.conf
│ │ ├── metrics.conf
│ │ ├── options.inc
│ │ ├── redis.conf
│ │ ├── rspamd.conf.local
│ │ └── statistic.conf
│ ├── lua
│ │ └── rspamd.local.lua
│ └── override.d
│ ├── logging.inc
│ ├── worker-controller.inc
│ └── worker-normal.inc
└── sogo
├── sieve.creds
└── sogo.conf
```
Just change the according configuration file on the host and restart the related service:
```
docker-compose restart service-mailcow
```
## Tagging
Mailbox users can tag their mail address like in `me+facebook@example.org` and choose between to setups to handle this tag:
1\. Move this message to a subfolder "facebook" (will be created lower case if not existing)
2\. Prepend the tag to the subject: "[facebook] Subject"
## Two-factor authentication
So far two methods for TFA are implemented. Both work with the fantastic [Yubikey](https://www.yubico.com).
While Yubi OTP needs an active internet connection and an API ID and key, U2F will work with any FIDO U2F USB key out of the box, but can only be used when mailcow is accessed over HTTPS.
Both methods support multiple YubiKeys.
As administrator you are able to temporary disable a domain administrators TFA login until they successfully logged in.
The key used to login will be displayed in green, while other keys remain grey.
### Yubi OTP
The Yubi API ID and Key will be checked against the Yubico Cloud API. When setting up TFA you will be asked for your personal API account for this key.
The API ID, API key and the first 12 characters (your YubiKeys ID in modhex) are stored in the MySQL table as secret.
### U2F
Only Google Chrome (+derivates) and Opera support U2F authentication to this day natively.
For Firefox you will need to install the "U2F Support Add-on" as provided on [mozilla.org](https://addons.mozilla.org/en-US/firefox/addon/u2f-support-add-on/).
```
data/conf
├──bind9
│└──named.conf
├──dovecot
│├──dovecot.conf
│├──dovecot-master.passwd
│├──sieve_after
│└──sql
│├──dovecot-dict-sql.conf
│└──dovecot-mysql.conf
├──mysql
│└──my.cnf
├──nginx
│├──dynmaps.conf
│├──site.conf
│└──templates
│├──listen_plain.template
│├──listen_ssl.template
│└──server_name.template
├──pdns
│├──pdns_custom.lua
│└──recursor.conf
├──postfix
│├──main.cf
│├──master.cf
│├──postscreen_access.cidr
│├──smtp_dsn_filter
│└──sql
│├──mysql_relay_recipient_maps.cf
│├──mysql_tls_enforce_in_policy.cf
│├──mysql_tls_enforce_out_policy.cf
│├──mysql_virtual_alias_domain_catchall_maps.cf
│├──mysql_virtual_alias_domain_maps.cf
│├──mysql_virtual_alias_maps.cf
│├──mysql_virtual_domains_maps.cf
│├──mysql_virtual_mailbox_maps.cf
│├──mysql_virtual_relay_domain_maps.cf
│├──mysql_virtual_sender_acl.cf
│└──mysql_virtual_spamalias_maps.cf
├──rmilter
│└──rmilter.conf
├──rspamd
│├──dynmaps
││├──authoritative.php
││├──settings.php
││├──tags.php
││└──vars.inc.php-> ../../../web/inc/vars.inc.php
│ ├── local.d
│ │ ├── dkim.conf
│ │ ├── metrics.conf
│ │ ├── options.inc
│ │ ├── redis.conf
│ │ ├── rspamd.conf.local
│ │ └── statistic.conf
│ ├── lua
│ │ └── rspamd.local.lua
│ └── override.d
│ ├── logging.inc
│ ├── worker-controller.inc
│ └── worker-normal.inc
└── sogo
├── sieve.creds
└── sogo.conf
```
Just change the according configuration file on the host and restart the related service:
```
docker-compose restart service-mailcow
```
## Tagging
Mailbox users can tag their mail address like in `me+facebook@example.org` and choose between to setups to handle this tag:
1\. Move this message to a subfolder "facebook" (will be created lower case if not existing)
2\. Prepend the tag to the subject: "[facebook] Subject"
## Two-factor authentication
So far two methods for TFA are implemented. Both work with the fantastic [Yubikey](https://www.yubico.com).
While Yubi OTP needs an active internet connection and an API ID and key, U2F will work with any FIDO U2F USB key out of the box, but can only be used when mailcow is accessed over HTTPS.
Both methods support multiple YubiKeys.
As administrator you are able to temporary disable a domain administrators TFA login until they successfully logged in.
The key used to login will be displayed in green, while other keys remain grey.
### Yubi OTP
The Yubi API ID and Key will be checked against the Yubico Cloud API. When setting up TFA you will be asked for your personal API account for this key.
The API ID, API key and the first 12 characters (your YubiKeys ID in modhex) are stored in the MySQL table as secret.
### U2F
Only Google Chrome (+derivates) and Opera support U2F authentication to this day natively.
For Firefox you will need to install the "U2F Support Add-on" as provided on [mozilla.org](https://addons.mozilla.org/en-US/firefox/addon/u2f-support-add-on/).
U2F works without an internet connection.
## Why Bind?
For DNS blacklist lookups and DNSSEC.
Most systems use either a public or a local caching DNS resolver.
That's a very bad idea when it comes to filter spam using DNS-based blackhole lists (DNSBL) or similar technics.
Most if not all providers apply a rate limit based on the DNS resolver that is used to query their service.
Using a public resolver like Googles 4x8, OpenDNS or any other shared DNS resolver like your ISPs will hit that limit very soon.
For DNS blacklist lookups and DNSSEC.
Most systems use either a public or a local caching DNS resolver.
That's a very bad idea when it comes to filter spam using DNS-based blackhole lists (DNSBL) or similar technics.
Most if not all providers apply a rate limit based on the DNS resolver that is used to query their service.
Using a public resolver like Googles 4x8, OpenDNS or any other shared DNS resolver like your ISPs will hit that limit very soon.
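Review bot: In the "Yubi OTP" paragraph, "stored in the MySQL table as secret" does not say whether the API key is kept in plaintext or which table holds it; since that key authenticates against the Yubico Cloud API, state how it is stored and that a database dump will contain it. In "Two-factor authentication", "temporary disable a domain administrators TFA login until they successfully logged in" should say explicitly what happens after that login, and read "temporarily disable a domain administrator's TFA login". The "CLI tools" commands appear without spaces (`docker-composeexecrspamd-mailcowrspamc--help`) and will not run as written, and "between to setups" in "Tagging" should be "between two setups".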