From e2c495dc8f93753b39929ab92f52d331fa5d6d2d Mon Sep 17 00:00:00 2001 From: 3wc <3wc.git@doesthisthing.work> Date: Tue, 6 Oct 2020 00:02:20 +0200 Subject: [PATCH] =?UTF-8?q?Initial=20import=20=E2=AC=87?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .envrc.sample | 151 ++++++++++++++++++++++++++++++++ certdumper_post.sh | 6 ++ compose.yml | 211 +++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 368 insertions(+) create mode 100644 .envrc.sample create mode 100644 certdumper_post.sh create mode 100644 compose.yml diff --git a/.envrc.sample b/.envrc.sample new file mode 100644 index 0000000..e5ee773 --- /dev/null +++ b/.envrc.sample @@ -0,0 +1,151 @@ +export SERVICE=mailu +export STACK_NAME=mailu + +export CERTDUMPER_POST_VERSION=v1 + +# Main mail domain, NOT main web domain (if they are different) +export DOMAIN=example.com +export LETS_ENCRYPT_ENV=production + +# Custom settings used by certdumper_post.sh and Traefik +export WEB_DOMAIN=mail.f0x.link +export ACME_JSON=${LETS_ENCRYPT_ENV}-acme.json + +# Mailu settings +# https://mailu.io + +export TLS_CERT_FILENAME=$WEB_DOMAIN/certificate.crt +export TLS_KEYPAIR_FILENAME=$WEB_DOMAIN/privatekey.key + +export REDIS_ADDRESS=db + +# Set to a randomly generated 16 bytes string +export SECRET_KEY=XXXXXXXXXXXXXXXX + +# Subnet of the docker network. This should not conflict with any networks to which your system is connected. (Internal and external!) +export SUBNET=192.168.203.0/24 + +# Hostnames for this server, separated with comas +export HOSTNAMES=$WEB_DOMAIN + +# Postmaster local part (will append the main mail domain) +export POSTMASTER=admin + +# Choose how secure connections will behave (value: letsencrypt, cert, notls, mail, mail-letsencrypt) +export TLS_FLAVOR=mail + +# Authentication rate limit (per source IP address) +export AUTH_RATELIMIT=10/minute + +# Opt-out of statistics, replace with "True" to opt out +export DISABLE_STATISTICS=False + +################################### +# Optional features +################################### + +# Expose the admin interface (value: true, false) +export ADMIN=true + +# Choose which webmail to run if any (values: roundcube, rainloop, none) +export WEBMAIL=rainloop + +# Dav server implementation (value: radicale, none) +export WEBDAV=none + +# Antivirus solution (value: clamav, none) +export ANTIVIRUS=none + +################################### +# Mail settings +################################### + +# Message size limit in bytes +# Default: accept messages up to 50MB +# Max attachment size will be 33% smaller +export MESSAGE_SIZE_LIMIT=50000000 + +# Networks granted relay permissions +# Use this with care, all hosts in this networks will be able to send mail without authentication! +export RELAYNETS= + +# Will relay all outgoing mails if configured +export RELAYHOST= + +# Fetchmail delay +export FETCHMAIL_DELAY=600 + +# Recipient delimiter, character used to delimiter localpart from custom address part +export RECIPIENT_DELIMITER=+ + +# DMARC rua and ruf email +export DMARC_RUA=admin +export DMARC_RUF=admin + +# Welcome email, enable and set a topic and body if you wish to send welcome +# emails to all users. +export WELCOME=false +export WELCOME_SUBJECT=Welcome to your new email account +export WELCOME_BODY="Welcome to your new email account, if you can read this, then it is configured properly!" + +# Maildir Compression +# choose compression-method, default: none (value: bz2, gz) +export COMPRESSION= +# change compression-level, default: 6 (value: 1-9) +export COMPRESSION_LEVEL= + +# IMAP full-text search is enabled by default. Set the following variable to off in order to disable the feature. +# FULL_TEXT_SEARCH=off + +################################### +# Web settings +################################### + +# Path to redirect / to +export WEBROOT_REDIRECT=/webmail + +# Path to the admin interface if enabled +export WEB_ADMIN=/admin + +# Path to the webmail if enabled +export WEB_WEBMAIL=/webmail + +# Website name +export SITENAME=mymail + +# Linked Website URL +export WEBSITE=https://$DOMAIN + +################################### +# Advanced settings +################################### + +# Log driver for front service. Possible values: +# json-file (default) +# journald (On systemd platforms, useful for Fail2Ban integration) +# syslog (Non systemd platforms, Fail2Ban integration. Disables `docker-compose log` for front!) +# LOG_DRIVER=json-file + +# Docker-compose project name, this will prepended to containers names. +export COMPOSE_PROJECT_NAME=mailu + +# Default password scheme used for newly created accounts and changed passwords +# (value: PBKDF2, BLF-CRYPT, SHA512-CRYPT, SHA256-CRYPT) +export PASSWORD_SCHEME=PBKDF2 + +# Header to take the real ip from +export REAL_IP_HEADER= + +# IPs for nginx set_real_ip_from (CIDR list separated by commas) +export REAL_IP_FROM= + +# choose wether mailu bounces (no) or rejects (yes) mail when recipient is unknown (value: yes, no) +export REJECT_UNLISTED_RECIPIENT= + +# Log level threshold in start.py (value: CRITICAL, ERROR, WARNING, INFO, DEBUG, NOTSET) +export LOG_LEVEL=WARNING + +################################### +# Database settings +################################### +export DB_FLAVOR=sqlite diff --git a/certdumper_post.sh b/certdumper_post.sh new file mode 100644 index 0000000..2277179 --- /dev/null +++ b/certdumper_post.sh @@ -0,0 +1,6 @@ +#!/bin/sh + +cd /output || exit + +# shellcheck disable=SC2010 +ls | grep -v private | grep -v "$DOMAIN" | xargs -r rm -r diff --git a/compose.yml b/compose.yml new file mode 100644 index 0000000..4d66dc9 --- /dev/null +++ b/compose.yml @@ -0,0 +1,211 @@ +version: '3.6' + +x-environment: + &default-env + - ADMIN + - ANTIVIRUS + - AUTH_RATELIMIT + - COMPOSE_PROJECT_NAME + - COMPRESSION + - COMPRESSION_LEVEL + - DB_FLAVOR + - DISABLE_STATISTICS + - DMARC_RUA + - DMARC_RUF + - DOCKER_CONTEXT + - DOMAIN + - FETCHMAIL_DELAY + - FULL_TEXT_SEARCH + - HOSTNAMES + - LETS_ENCRYPT_ENV + - LOG_DRIVER + - LOG_LEVEL + - MESSAGE_SIZE_LIMIT + - PASSWORD_SCHEME + - POSTMASTER + - REAL_IP_FROM + - REAL_IP_HEADER + - RECIPIENT_DELIMITER + - REDIS_ADDRESS + - REJECT_UNLISTED_RECIPIENT + - RELAYHOST + - RELAYNETS + - SECRET_KEY + - SITENAME + - SUBNET + - TLS_CERT_FILENAME + - TLS_FLAVOR + - TLS_KEYPAIR_FILENAME + - WEB_ADMIN + - WEBDAV + - WEBMAIL + - WEBROOT_REDIRECT + - WEBSITE + - WEB_WEBMAIL + - WELCOME + - WELCOME_BODY + - WELCOME_SUBJECT + +services: + front: + image: mailu/nginx:master + logging: + driver: json-file + networks: + - default + - proxy + environment: *default-env + ports: + - target: 25 + published: 25 + mode: overlay + - target: 465 + published: 465 + mode: overlay + #- target: 587 + # published: 587 + # mode: overlay + - target: 110 + published: 110 + mode: overlay + - target: 995 + published: 995 + mode: overlay + - target: 143 + published: 143 + mode: overlay + - target: 993 + published: 993 + mode: overlay + volumes: + - "certs:/certs" + deploy: + labels: + - "traefik.enable=true" + - "traefik.docker.network=proxy" + - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80" + - "traefik.http.routers.${STACK_NAME}.rule=Host(`${WEB_DOMAIN}`)" + - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}" + - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure" + + db: + image: redis:alpine + volumes: + - "redis:/data" + + admin: + image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}admin:${MAILU_VERSION:-master} + environment: *default-env + healthcheck: + disable: true + volumes: + - "dkim:/dkim" + - "mailu:/data" + + imap: + image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}dovecot:${MAILU_VERSION:-master} + environment: *default-env + volumes: + - "mail:/mail" + healthcheck: + disable: true + + smtp: + image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}postfix:${MAILU_VERSION:-master} + environment: *default-env + volumes: + - "mailqueue:/queue" + healthcheck: + disable: true + + antispam: + image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}rspamd:${MAILU_VERSION:-master} + environment: *default-env + volumes: + - "rspamd:/var/lib/rspamd" + - "dkim:/dkim:ro" + healthcheck: + disable: true + + webmail: + image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}rainloop:${MAILU_VERSION:-master} + environment: *default-env + volumes: + - "webmail:/data" + deploy: + replicas: 1 + healthcheck: + disable: true + + #certdumper: + # restart: always + # image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}traefik-certdumper:master + # environment: + # - DOMAIN=$DOMAIN + # # Set TRAEFIK_VERSION to v2 in your .env if you're using Traefik v2 + # - TRAEFIK_VERSION=${TRAEFIK_VERSION:-v2} + # volumes: + # - "/docker/traefik/letsencrypt/acme.json:/traefik/acme.json" + # - "/docker/traefik/letsencrypt/certs:/tmp/work" + # - "/docker/mailu/certs:/output" + # labels: + # # Set watchtower label + # - "com.centurylinklabs.watchtower.enable=true" + + certdumper: + image: ldez/traefik-certs-dumper:v2.7.0 + entrypoint: sh -c ' + apk add jq + ; while ! [ -e /traefik/production-acme.json ] + || ! [ `jq ".production.Certificates | length" /traefik/production-acme.json` != 0 ]; do + sleep 1 + ; done + && traefik-certs-dumper file --watch --source /traefik/production-acme.json + --dest /output --domain-subdir=true --version v2' + environment: + # Make sure this is the same as the main=-domain in traefik.toml + - DOMAIN=$WEB_DOMAIN + volumes: + # Folder, which contains the acme.json + - "traefik_letsencrypt:/traefik" + # Folder, where cert.pem and key.pem will be written + - "certs:/output" + configs: + - source: certdumper_post + target: /usr/bin/certdumper_post.sh + mode: 0555 + + #certdumper: + # image: humenius/traefik-certs-dumper:latest + # volumes: + # - traefik_letsencrypt:/traefik:ro + # - certs:/output:rw + # environment: + # - DOMAIN=$WEB_DOMAIN + +volumes: + mailu: + rspamd: + dkim: + webmail: + redis: + mail: + certs: + mailqueue: + traefik_letsencrypt: + external: true + +networks: + default: + driver: overlay + ipam: + driver: default + config: + - subnet: 192.168.203.0/24 + proxy: + external: true + +configs: + certdumper_post: + name: ${STACK_NAME}_certdumper_post_${CERTDUMPER_POST_VERSION} + file: certdumper_post.sh