Initial import ⬇

.envrc.sample

@@ -0,0 +1,151 @@
+export SERVICE=mailu
+export STACK_NAME=mailu
+
+export CERTDUMPER_POST_VERSION=v1
+
+# Main mail domain, NOT main web domain (if they are different)
+export DOMAIN=example.com
+export LETS_ENCRYPT_ENV=production
+
+# Custom settings used by certdumper_post.sh and Traefik
+export WEB_DOMAIN=mail.f0x.link
+export ACME_JSON=${LETS_ENCRYPT_ENV}-acme.json
+
+# Mailu settings
+# https://mailu.io
+
+export TLS_CERT_FILENAME=$WEB_DOMAIN/certificate.crt
+export TLS_KEYPAIR_FILENAME=$WEB_DOMAIN/privatekey.key
+
+export REDIS_ADDRESS=db
+
+# Set to a randomly generated 16 bytes string
+export SECRET_KEY=XXXXXXXXXXXXXXXX
+
+# Subnet of the docker network. This should not conflict with any networks to which your system is connected. (Internal and external!)
+export SUBNET=192.168.203.0/24
+
+# Hostnames for this server, separated with comas
+export HOSTNAMES=$WEB_DOMAIN
+
+# Postmaster local part (will append the main mail domain)
+export POSTMASTER=admin
+
+# Choose how secure connections will behave (value: letsencrypt, cert, notls, mail, mail-letsencrypt)
+export TLS_FLAVOR=mail
+
+# Authentication rate limit (per source IP address)
+export AUTH_RATELIMIT=10/minute
+
+# Opt-out of statistics, replace with "True" to opt out
+export DISABLE_STATISTICS=False
+
+###################################
+# Optional features
+###################################
+
+# Expose the admin interface (value: true, false)
+export ADMIN=true
+
+# Choose which webmail to run if any (values: roundcube, rainloop, none)
+export WEBMAIL=rainloop
+
+# Dav server implementation (value: radicale, none)
+export WEBDAV=none
+
+# Antivirus solution (value: clamav, none)
+export ANTIVIRUS=none
+
+###################################
+# Mail settings
+###################################
+
+# Message size limit in bytes
+# Default: accept messages up to 50MB
+# Max attachment size will be 33% smaller
+export MESSAGE_SIZE_LIMIT=50000000
+
+# Networks granted relay permissions
+# Use this with care, all hosts in this networks will be able to send mail without authentication!
+export RELAYNETS=
+
+# Will relay all outgoing mails if configured
+export RELAYHOST=
+
+# Fetchmail delay
+export FETCHMAIL_DELAY=600
+
+# Recipient delimiter, character used to delimiter localpart from custom address part
+export RECIPIENT_DELIMITER=+
+
+# DMARC rua and ruf email
+export DMARC_RUA=admin
+export DMARC_RUF=admin
+
+# Welcome email, enable and set a topic and body if you wish to send welcome
+# emails to all users.
+export WELCOME=false
+export WELCOME_SUBJECT=Welcome to your new email account
+export WELCOME_BODY="Welcome to your new email account, if you can read this, then it is configured properly!"
+
+# Maildir Compression
+# choose compression-method, default: none (value: bz2, gz)
+export COMPRESSION=
+# change compression-level, default: 6 (value: 1-9)
+export COMPRESSION_LEVEL=
+
+# IMAP full-text search is enabled by default. Set the following variable to off in order to disable the feature.
+# FULL_TEXT_SEARCH=off
+
+###################################
+# Web settings
+###################################
+
+# Path to redirect / to
+export WEBROOT_REDIRECT=/webmail
+
+# Path to the admin interface if enabled
+export WEB_ADMIN=/admin
+
+# Path to the webmail if enabled
+export WEB_WEBMAIL=/webmail
+
+# Website name
+export SITENAME=mymail
+
+# Linked Website URL
+export WEBSITE=https://$DOMAIN
+
+###################################
+# Advanced settings
+###################################
+
+# Log driver for front service. Possible values:
+# json-file (default)
+# journald (On systemd platforms, useful for Fail2Ban integration)
+# syslog (Non systemd platforms, Fail2Ban integration. Disables `docker-compose log` for front!)
+# LOG_DRIVER=json-file
+
+# Docker-compose project name, this will prepended to containers names.
+export COMPOSE_PROJECT_NAME=mailu
+
+# Default password scheme used for newly created accounts and changed passwords
+# (value: PBKDF2, BLF-CRYPT, SHA512-CRYPT, SHA256-CRYPT)
+export PASSWORD_SCHEME=PBKDF2
+
+# Header to take the real ip from
+export REAL_IP_HEADER=
+
+# IPs for nginx set_real_ip_from (CIDR list separated by commas)
+export REAL_IP_FROM=
+
+# choose wether mailu bounces (no) or rejects (yes) mail when recipient is unknown (value: yes, no)
+export REJECT_UNLISTED_RECIPIENT=
+
+# Log level threshold in start.py (value: CRITICAL, ERROR, WARNING, INFO, DEBUG, NOTSET)
+export LOG_LEVEL=WARNING
+
+###################################
+# Database settings
+###################################
+export DB_FLAVOR=sqlite

certdumper_post.sh

@@ -0,0 +1,6 @@
+#!/bin/sh
+
+cd /output || exit
+
+# shellcheck disable=SC2010
+ls | grep -v private | grep -v "$DOMAIN" | xargs -r rm -r

compose.yml

@@ -0,0 +1,211 @@
+version: '3.6'
+
+x-environment:
+  &default-env
+  - ADMIN
+  - ANTIVIRUS
+  - AUTH_RATELIMIT
+  - COMPOSE_PROJECT_NAME
+  - COMPRESSION
+  - COMPRESSION_LEVEL
+  - DB_FLAVOR
+  - DISABLE_STATISTICS
+  - DMARC_RUA
+  - DMARC_RUF
+  - DOCKER_CONTEXT
+  - DOMAIN
+  - FETCHMAIL_DELAY
+  - FULL_TEXT_SEARCH
+  - HOSTNAMES
+  - LETS_ENCRYPT_ENV
+  - LOG_DRIVER
+  - LOG_LEVEL
+  - MESSAGE_SIZE_LIMIT
+  - PASSWORD_SCHEME
+  - POSTMASTER
+  - REAL_IP_FROM
+  - REAL_IP_HEADER
+  - RECIPIENT_DELIMITER
+  - REDIS_ADDRESS
+  - REJECT_UNLISTED_RECIPIENT
+  - RELAYHOST
+  - RELAYNETS
+  - SECRET_KEY
+  - SITENAME
+  - SUBNET
+  - TLS_CERT_FILENAME
+  - TLS_FLAVOR
+  - TLS_KEYPAIR_FILENAME
+  - WEB_ADMIN
+  - WEBDAV
+  - WEBMAIL
+  - WEBROOT_REDIRECT
+  - WEBSITE
+  - WEB_WEBMAIL
+  - WELCOME
+  - WELCOME_BODY
+  - WELCOME_SUBJECT
+
+services:
+  front:
+    image: mailu/nginx:master
+    logging:
+      driver: json-file
+    networks:
+      - default
+      - proxy
+    environment: *default-env
+    ports:
+      - target: 25
+        published: 25
+        mode: overlay
+      - target: 465
+        published: 465
+        mode: overlay
+      #- target: 587
+      #  published: 587
+      #  mode: overlay
+      - target: 110
+        published: 110
+        mode: overlay
+      - target: 995
+        published: 995
+        mode: overlay
+      - target: 143
+        published: 143
+        mode: overlay
+      - target: 993
+        published: 993
+        mode: overlay
+    volumes:
+      - "certs:/certs"
+    deploy:
+      labels:
+        - "traefik.enable=true"
+        - "traefik.docker.network=proxy"
+        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
+        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${WEB_DOMAIN}`)"
+        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
+        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
+
+  db:
+    image: redis:alpine
+    volumes:
+      - "redis:/data"
+
+  admin:
+    image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}admin:${MAILU_VERSION:-master}
+    environment: *default-env
+    healthcheck:
+      disable: true
+    volumes:
+      - "dkim:/dkim"
+      - "mailu:/data"
+
+  imap:
+    image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}dovecot:${MAILU_VERSION:-master}
+    environment: *default-env
+    volumes:
+      - "mail:/mail"
+    healthcheck:
+      disable: true
+
+  smtp:
+    image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}postfix:${MAILU_VERSION:-master}
+    environment: *default-env
+    volumes:
+      - "mailqueue:/queue"
+    healthcheck:
+      disable: true
+
+  antispam:
+    image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}rspamd:${MAILU_VERSION:-master}
+    environment: *default-env
+    volumes:
+      - "rspamd:/var/lib/rspamd"
+      - "dkim:/dkim:ro"
+    healthcheck:
+      disable: true
+
+  webmail:
+    image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}rainloop:${MAILU_VERSION:-master}
+    environment: *default-env
+    volumes:
+      - "webmail:/data"
+    deploy:
+      replicas: 1
+    healthcheck:
+      disable: true
+
+  #certdumper:
+  #  restart: always
+  #  image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}traefik-certdumper:master
+  #  environment:
+  #    - DOMAIN=$DOMAIN
+  #    # Set TRAEFIK_VERSION to v2 in your .env if you're using Traefik v2
+  #    - TRAEFIK_VERSION=${TRAEFIK_VERSION:-v2}
+  #  volumes:
+  #    - "/docker/traefik/letsencrypt/acme.json:/traefik/acme.json"
+  #    - "/docker/traefik/letsencrypt/certs:/tmp/work"
+  #    - "/docker/mailu/certs:/output"
+  #  labels:
+  #    # Set watchtower label
+  #    - "com.centurylinklabs.watchtower.enable=true"
+
+  certdumper:
+    image: ldez/traefik-certs-dumper:v2.7.0
+    entrypoint: sh -c '
+      apk add jq
+      ; while ! [ -e /traefik/production-acme.json ]
+        || ! [ `jq ".production.Certificates | length" /traefik/production-acme.json` != 0 ]; do
+          sleep 1
+      ; done
+      && traefik-certs-dumper file --watch --source /traefik/production-acme.json
+        --dest /output --domain-subdir=true --version v2'
+    environment:
+      # Make sure this is the same as the main=-domain in traefik.toml
+      - DOMAIN=$WEB_DOMAIN
+    volumes:
+      # Folder, which contains the acme.json
+      - "traefik_letsencrypt:/traefik"
+      # Folder, where cert.pem and key.pem will be written
+      - "certs:/output"
+    configs:
+      - source: certdumper_post
+        target: /usr/bin/certdumper_post.sh
+        mode: 0555
+  
+  #certdumper:
+  #  image: humenius/traefik-certs-dumper:latest
+  #  volumes:
+  #   - traefik_letsencrypt:/traefik:ro
+  #   - certs:/output:rw
+  #  environment:
+  #   - DOMAIN=$WEB_DOMAIN
+
+volumes:
+  mailu:
+  rspamd:
+  dkim:
+  webmail:
+  redis:
+  mail:
+  certs:
+  mailqueue:
+  traefik_letsencrypt:
+    external: true
+
+networks:
+  default:
+    driver: overlay
+    ipam:
+      driver: default
+      config:
+        - subnet: 192.168.203.0/24
+  proxy:
+    external: true
+
+configs:
+  certdumper_post:
+    name: ${STACK_NAME}_certdumper_post_${CERTDUMPER_POST_VERSION}
+    file: certdumper_post.sh