From d242cf87a3c843980e36bac9e207d5bb49cb127e Mon Sep 17 00:00:00 2001 From: broedli Date: Thu, 2 Mar 2017 21:33:11 +0100 Subject: [PATCH] Update first_steps.md --- docs/first_steps.md | 81 +++++++++++++++++++++++---------------------- 1 file changed, 42 insertions(+), 39 deletions(-) diff --git a/docs/first_steps.md b/docs/first_steps.md index 9cdd53f7..3a87b761 100644 --- a/docs/first_steps.md +++ b/docs/first_steps.md 
@@ -13,62 +13,65 @@ mailcow uses 3 domain names that should be covered by your new certificate: This is just an example of how to obtain certificates with certbot. There are several methods! 1. Get the certbot client: -``` -wget https://dl.eff.org/certbot-auto -O /usr/local/sbin/certbot && chmod +x /usr/local/sbin/certbot -``` + ``` + wget https://dl.eff.org/certbot-auto -O /usr/local/sbin/certbot && chmod +x /usr/local/sbin/certbot + ``` + 2. Make sure you set `HTTP_BIND=0.0.0.0` in `mailcow.conf` or setup a reverse proxy to enable connections to port 80. If you changed HTTP_BIND, then restart Nginx: `docker-compose restart nginx-mailcow`. 3. Request the certificate with the webroot method: + ``` + cd /path/to/git/clone/mailcow-dockerized + source mailcow.conf + certbot certonly \ + --webroot \ + -w ${PWD}/data/web \ + -d ${MAILCOW_HOSTNAME} \ + -d autodiscover.example.org \ + -d autoconfig.example.org \ + --email you@example.org \ + --agree-tos + ``` -``` -cd /path/to/git/clone/mailcow-dockerized -source mailcow.conf -certbot certonly \ - --webroot \ - -w ${PWD}/data/web \ - -d ${MAILCOW_HOSTNAME} \ - -d autodiscover.example.org \ - -d autoconfig.example.org \ - --email you@example.org \ - --agree-tos -``` - -3. Create hard links to the full path of the new certificates. Assuming you are still in the mailcow root folder: -``` -mv data/assets/ssl/cert.{pem,pem.backup} -mv data/assets/ssl/key.{pem,pem.backup} -ln $(readlink -f /etc/letsencrypt/live/${MAILCOW_HOSTNAME}/fullchain.pem) data/assets/ssl/cert.pem -ln $(readlink -f /etc/letsencrypt/live/${MAILCOW_HOSTNAME}/privkey.pem) data/assets/ssl/key.pem -``` -4. Restart containers which use the certificate: -``` -docker-compose restart postfix-mailcow dovecot-mailcow nginx-mailcow -``` +4. Create hard links to the full path of the new certificates. 
Assuming you are still in the mailcow root folder: + ``` + mv data/assets/ssl/cert.{pem,pem.backup} + mv data/assets/ssl/key.{pem,pem.backup} + ln $(readlink -f /etc/letsencrypt/live/${MAILCOW_HOSTNAME}/fullchain.pem) data/assets/ssl/cert.pem + ln $(readlink -f /etc/letsencrypt/live/${MAILCOW_HOSTNAME}/privkey.pem) data/assets/ssl/key.pem + ``` + +5. Restart containers which use the certificate: + ``` + docker-compose restart postfix-mailcow dovecot-mailcow nginx-mailcow + ``` + When renewing certificates, run the last two steps (link + restart) as post-hook in a script. -# Rspamd Web UI +# Rspamd UI access At first you may want to setup Rspamds web interface which provides some useful features and information. 1. Generate a Rspamd controller password hash: -``` -docker-compose exec rspamd-mailcow rspamadm pw -``` + ``` + docker-compose exec rspamd-mailcow rspamadm pw + ``` + 2. Replace the default hash in `data/conf/rspamd/override.d/worker-controller.inc` by your newly generated: -``` -enable_password = "myhash"; -``` + ``` + enable_password = "myhash"; + ``` + 3. Restart rspamd: - -``` -docker-compose restart rspamd-mailcow -``` + ``` + docker-compose restart rspamd-mailcow + ``` Open https://${MAILCOW_HOSTNAME}/rspamd in a browser and login! # Optional: Reverse proxy You don't need to change the Nginx site that comes with mailcow: dockerized. -mailcow: dockerized trusts the default gateway IP 172.22.1.1 as proxy. This is very important to control access to Rspamd's web UI. +mailcow: dockerized trusts the default gateway IP 172.22.1.1 as proxy. This is very important to control access to Rspamds web ui. Make sure you change HTTP_BIND and HTTPS_BIND to a local address and set the ports accordingly, for example: ```
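Review bot: The last changed line of the hunk, in the reverse proxy section, replaces "Rspamd's web UI" with "Rspamds web ui", which drops the possessive apostrophe and the capitalisation that the old line had right; keep the original wording there, since the rest of the patch is about list numbering and fence indentation and this looks like an unintended revert. The heading change from `# Rspamd Web UI` to `# Rspamd UI access` also changes the section's anchor if the docs are rendered with heading anchors, so any existing link to that section would need updating in the same change. The renumbering of the duplicated step 3 to steps 4 and 5 is consistent with the unchanged sentence about running "the last two steps (link + restart)" as a post-hook on renewal.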