diff --git a/docker-compose.yml b/docker-compose.yml
index 482dc03..12e1053 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -3,159 +3,189 @@ # Generated for compose flavor # # This file was reviewed and edited by titzi -# 2020-06-19 +# 2023-01-20 version: '3.5' networks: webNet: - external: - name: webNet + external: true + name: webNet backend: driver: bridge ipam: driver: default config: - subnet: 192.168.213.0/24 + noinet: + driver: bridge + internal: true services: + # External dependencies redis: image: redis:alpine container_name: redis_mailu - networks: - - backend - restart: unless-stopped - volumes: - - ./_data_/redis:/data - - db_mailu: - image: postgres:13-alpine - container_name: postgres_mailu restart: unless-stopped networks: - backend - environment: - POSTGRES_USER: mailu - POSTGRES_DB: mailu - env_file: - - secret.env + dns: + - 192.168.213.254 volumes: - - ./_data_/db.postgres:/var/lib/postgresql/data - - resolver: - image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}unbound:${MAILU_VERSION:-1.7} - env_file: mailu.env - restart: unless-stopped - networks: - backend: - ipv4_address: 192.168.213.254 + - ./_data_/redis:/data + depends_on: + - resolver + # Core services front: - image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}nginx:${MAILU_VERSION:-1.7} + image: ${DOCKER_ORG:-ghcr.io/mailu}/${DOCKER_PREFIX:-}nginx:${MAILU_VERSION:-2.0} networks: - backend - webNet + dns: + - 192.168.213.254 restart: unless-stopped - env_file: - - mailu.env - #- secret.env + env_file: mailu.env logging: - #driver: json-file driver: journald + options: + tag: mailu-front + ports: + #- "185.207.106.119:80:80" + #- "185.207.106.119:443:443" + - "185.207.106.119:25:25" + - "185.207.106.119:465:465" + - "185.207.106.119:587:587" + - "185.207.106.119:110:110" + - "185.207.106.119:995:995" + - "185.207.106.119:143:143" + - "185.207.106.119:993:993" expose: - 80 - ports: - - "25:25" - - "465:465" - - "587:587" - - "110:110" - - "995:995" - - "143:143" - - "993:993" volumes: - - "./_data_/certs:/certs" - - "./_data_/overrides/nginx:/overrides" + #- "./_data_/certs:/certs" + #- 
"/var/docker/nginx-proxy/_data_/certs:/certs:ro" + - "./_data_/overrides/nginx:/overrides:ro" + - type: bind + source: /var/docker/nginx-proxy/_data_/certs/mailu.ckris.de/fullchain.pem + target: /certs/cert.pem + read_only: true + - type: bind + source: /var/docker/nginx-proxy/_data_/certs/mailu.ckris.de/key.pem + target: /certs/key.pem + read_only: true + depends_on: + - resolver environment: - VIRTUAL_HOST: mailu.ckris.de,mail.ckris.de,smtp.ckris.de,imap.ckris.de + VIRTUAL_HOST: mailu.ckris.de,mail.ckris.de,smtp.ckris.de,imap.ckris.de,mail.family-bross.de,imap.family-bross.de,smtp.family-bross.de,imap.krisis-physio-vital.de,mail.krisis-physio-vital.de,smtp.krisis-physio-vital.de VIRTUAL_PORT: 80 - LETSENCRYPT_HOST: mailu.ckris.de,mail.ckris.de,smtp.ckris.de,imap.ckris.de + LETSENCRYPT_HOST: mailu.ckris.de,mail.ckris.de,smtp.ckris.de,imap.ckris.de,mail.family-bross.de,imap.family-bross.de,smtp.family-bross.de,imap.krisis-physio-vital.de,mail.krisis-physio-vital.de,smtp.krisis-physio-vital.de LETSENCRYPT_EMAIL: webmaster@ckris.de LETSENCRYPT_RESTART_CONTAINER: 'true' - #LETSENCRYPT_SINGLE_DOMAIN_CERTS: 'true' - admin: - image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}admin:${MAILU_VERSION:-1.7} + + + resolver: + image: ${DOCKER_ORG:-ghcr.io/mailu}/${DOCKER_PREFIX:-}unbound:${MAILU_VERSION:-2.0} + env_file: mailu.env + restart: unless-stopped networks: - - backend + backend: + ipv4_address: 192.168.213.254 + + admin: + image: ${DOCKER_ORG:-ghcr.io/mailu}/${DOCKER_PREFIX:-}admin:${MAILU_VERSION:-2.0} restart: unless-stopped env_file: - mailu.env - secret.env + logging: + driver: journald + options: + tag: mailu-admin volumes: - "./_data_/admin:/data" - "./_data_/dkim:/dkim" depends_on: - redis - - db_mailu - + - resolver + networks: + - backend + dns: + - 192.168.213.254 + imap: - image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}dovecot:${MAILU_VERSION:-1.7} + image: ${DOCKER_ORG:-ghcr.io/mailu}/${DOCKER_PREFIX:-}dovecot:${MAILU_VERSION:-2.0} networks: - backend + dns: + 
- 192.168.213.254 restart: unless-stopped - env_file: - - mailu.env - #- secret.env + env_file: mailu.env + logging: + driver: journald + options: + tag: mailu-imap volumes: - "./_data_/mail:/mail" - "./_data_/overrides/dovecot:/overrides" depends_on: - front - - db_mailu - - redis + - resolver smtp: - image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}postfix:${MAILU_VERSION:-1.7} + image: ${DOCKER_ORG:-ghcr.io/mailu}/${DOCKER_PREFIX:-}postfix:${MAILU_VERSION:-2.0} networks: - backend + dns: + - 192.168.213.254 restart: unless-stopped - env_file: - - mailu.env - #- secret.env + env_file: mailu.env + logging: + driver: journald + options: + tag: mailu-smtp volumes: - - "./_data_/overrides/postfix:/overrides" + - "./_data_/mailqueue:/queue" + - "./_data_/overrides/postfix:/overrides:ro" depends_on: - front - resolver - - redis - dns: - - 192.168.213.254 antispam: - image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}rspamd:${MAILU_VERSION:-1.7} + image: ${DOCKER_ORG:-ghcr.io/mailu}/${DOCKER_PREFIX:-}rspamd:${MAILU_VERSION:-2.0} + hostname: antispam networks: - backend + - noinet + dns: + - 192.168.213.254 restart: unless-stopped env_file: - mailu.env - secret.env + logging: + driver: journald + options: + tag: mailu-antispam volumes: - "./_data_/filter:/var/lib/rspamd" - - "./_data_/dkim:/dkim" - - "./_data_/overrides/rspamd:/etc/rspamd/override.d" + - "./_data_/overrides/rspamd:/override:ro" depends_on: - front - redis + - oletools + - antivirus - resolver - dns: - - 192.168.213.254 antivirus: - image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}clamav:${MAILU_VERSION:-1.7} + image: ${DOCKER_ORG:-ghcr.io/mailu}/${DOCKER_PREFIX:-}clamav:${MAILU_VERSION:-2.0} networks: - backend + dns: + - 192.168.213.254 restart: unless-stopped env_file: - mailu.env 
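Review bot: The new VIRTUAL_HOST and LETSENCRYPT_HOST values on the front service add hostnames under family-bross.de and krisis-physio-vital.de, but HOSTNAMES in the mailu.env hunk `@@ -5,24 +5,20 @@` is left at the three ckris.de names, so Mailu itself is never told about the extra names; if they are meant as real mail hostnames the env line should become `HOSTNAMES=mail.ckris.de,smtp.ckris.de,imap.ckris.de,mail.family-bross.de,imap.family-bross.de,smtp.family-bross.de,imap.krisis-physio-vital.de,mail.krisis-physio-vital.de,smtp.krisis-physio-vital.de`, otherwise they should be dropped from VIRTUAL_HOST. The two new bind mounts take the certificate from the single `certs/mailu.ckris.de/` directory, and whether that certificate's SAN list covers the other two domains' SMTP/IMAP names cannot be seen here; with TLS_FLAVOR=mail that file is what is presented on 25/465/587/110/995/143/993, so it is worth checking once. A single-file bind mount keeps the file it was created on if the proxy writes a renewed certificate as a new file, so the renewal is only picked up because LETSENCRYPT_RESTART_CONTAINER is 'true'; a comment above the mounts such as `# single-file mounts: a renewed cert is only visible after the restart triggered by LETSENCRYPT_RESTART_CONTAINER` makes that dependency explicit.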
@@ -163,51 +193,58 @@ services: volumes: - "./_data_/filter:/data" depends_on: - - redis - resolver - - front + + oletools: + image: ${DOCKER_ORG:-ghcr.io/mailu}/${DOCKER_PREFIX:-}oletools:${MAILU_VERSION:-2.0} + hostname: oletools + networks: + - noinet dns: - 192.168.213.254 + restart: unless-stopped + depends_on: + - resolver + # Optional services fetchmail: - image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}fetchmail:${MAILU_VERSION:-1.7} + image: ${DOCKER_ORG:-ghcr.io/mailu}/${DOCKER_PREFIX:-}fetchmail:${MAILU_VERSION:-2.0} networks: - backend + dns: + - 192.168.213.254 restart: unless-stopped - env_file: - - mailu.env - # - secret.env + env_file: mailu.env + volumes: + - "./_data_/fetchmail:/data" depends_on: + - admin + - smtp + - imap - resolver - dns: - - 192.168.213.254 + # Webmail webmail: - image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}roundcube:${MAILU_VERSION:-1.7} + image: ${DOCKER_ORG:-ghcr.io/mailu}/${DOCKER_PREFIX:-}webmail:${MAILU_VERSION:-2.0} networks: - - backend + - webNet restart: unless-stopped env_file: - mailu.env - secret.env volumes: - "./_data_/webmail_roundcube:/data" + - "./_data_/overrides/roundcube:/overrides:ro" depends_on: - - imap - front -# mailu rainloop does not suport sieve filter (Server side filtering) yet -# webmail: -# image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}rainloop:${MAILU_VERSION:-1.7} -# networks: -# - backend -# restart: unless-stopped -# env_file: -# - mailu.env -# # - secret.env -# volumes: -# - "./_data_/webmail_rainloop:/data" -# depends_on: -# - imap -# - front -# #command: ["bash", "-c", 'sed -i "/^sieve_allow_raw/s/=.*/= On/" /default.ini; /start.py'] + + + + + + + + + + diff --git a/mailu.env b/mailu.env index eec8a13..3df3032 100644 --- a/mailu.env +++ b/mailu.env 
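Review bot: The webmail service is moved from backend to webNet only and, unlike every other service touched in this commit, gets neither a `dns:` entry nor the journald `logging:` stanza; admin stays on backend only, so if webmail needs to reach anything that lives solely on backend that path no longer exists, and either the Mailu 2.0 connectivity expectations should be confirmed or backend restored with `networks:` / `- webNet` / `- backend`. For consistency with the other services, `logging: {driver: journald, options: {tag: mailu-webmail}}` keeps webmail's log lines where the rest are sent, which matters if journald is what a log scanner such as Fail2Ban reads. The nine empty `+` lines appended at the end of the file are trailing whitespace and can be dropped.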
@@ -5,24 +5,20 @@ # https://mailu.io # # This file was reviewed and edited by titzi -# 2020-06-19 +# 2023-01-20 ################################### # Common configuration variables ################################### + # Subnet of the docker network. This should not conflict with any networks to which your system is connected. (Internal and external!) SUBNET=192.168.213.0/24 # Main mail domain -# Reverse DNS Hostmaane must be part of that domain -# Server identification for outgoing mail DOMAIN=ckris.de # Hostnames for this server, separated with comas -# external server will conect to this server using this hostnames -# Need SSL cert, A/AAAA record -> Server IP and MX Record -> at least one of the hostnames -#HOSTNAMES=ckris.de,mail.ckris.de,smtp.ckris.de,imap.ckris.de HOSTNAMES=mail.ckris.de,smtp.ckris.de,imap.ckris.de # Postmaster local part (will append the main mail domain) @@ -32,11 +28,14 @@ POSTMASTER=postmaster TLS_FLAVOR=mail #TLS_FLAVOR=mail-letsencrypt -# Authentication rate limit (per source IP address) -AUTH_RATELIMIT=10/minute;100/hour +# Authentication rate limit per IP (per /24 on ipv4 and /48 on ipv6) +AUTH_RATELIMIT_IP=5/hour + +# Authentication rate limit per user (regardless of the source-IP) +AUTH_RATELIMIT_USER=50/day # Opt-out of statistics, replace with "True" to opt out -DISABLE_STATISTICS=False +DISABLE_STATISTICS=True ################################### # Optional features @@ -45,10 +44,11 @@ DISABLE_STATISTICS=False # Expose the admin interface (value: true, false) ADMIN=true -# Choose which webmail to run if any (values: roundcube, rainloop, none) -WEBMAIL=rainloop -#WEBMAIL=roundcube -#WEBMAIL=none +# Choose which webmail to run if any (values: roundcube, snappymail, none) +WEBMAIL=roundcube + +# Expose the API interface (value: true, false) +API=false # Dav server implementation (value: radicale, none) WEBDAV=none 
@@ -56,6 +56,9 @@ WEBDAV=none # Antivirus solution (value: clamav, none) ANTIVIRUS=clamav +# Scan Macros solution (value: true, false) +SCAN_MACROS=true + ################################### # Mail settings ################################### @@ -66,6 +69,9 @@ ANTIVIRUS=clamav # 100MB MESSAGE_SIZE_LIMIT=100000000 +# Message rate limit (per user) +MESSAGE_RATELIMIT=200/day + # Networks granted relay permissions # Use this with care, all hosts in this networks will be able to send mail without authentication! RELAYNETS= @@ -73,6 +79,9 @@ RELAYNETS= # Will relay all outgoing mails if configured RELAYHOST= +# Enable fetchmail +FETCHMAIL_ENABLED=true + # Fetchmail delay FETCHMAIL_DELAY=600 @@ -90,26 +99,30 @@ WELCOME_SUBJECT=Welcome to your new email account WELCOME_BODY=Welcome to your new email account, if you can read this, then it is configured properly! # Maildir Compression -# choose compression-method, default: none (value: bz2, gz) +# choose compression-method, default: none (value: gz, bz2, zstd) COMPRESSION= # change compression-level, default: 6 (value: 1-9) COMPRESSION_LEVEL= +# IMAP full-text search is enabled by default. Set the following variable to off in order to disable the feature. +# FULL_TEXT_SEARCH=off + ################################### # Web settings ################################### # Path to redirect / to WEBROOT_REDIRECT=/webmail -#WEBROOT_REDIRECT=/config # Path to the admin interface if enabled -#WEB_ADMIN=/admin -WEB_ADMIN=/config +WEB_ADMIN=/admin # Path to the webmail if enabled WEB_WEBMAIL=/webmail +# Path to the API interface if enabled +WEB_API=/api + # Website name SITENAME=CKris Mail Server 
@@ -122,37 +135,46 @@ WEBSITE=https://mailu.ckris.de # Advanced settings ################################### -# Log driver for front service. Possible values: -# json-file (default) -# journald (On systemd platforms, useful for Fail2Ban integration) -# syslog (Non systemd platforms, Fail2Ban integration. Disables `docker-compose log` for front!) -# LOG_DRIVER=json-file -LOG_DRIVER=journald - # Docker-compose project name, this will prepended to containers names. COMPOSE_PROJECT_NAME=mailu -# Default password scheme used for newly created accounts and changed passwords -# (value: BLF-CRYPT, SHA512-CRYPT, SHA256-CRYPT, MD5-CRYPT, CRYPT) -PASSWORD_SCHEME=BLF-CRYPT +# Number of rounds used by the password hashing scheme +CREDENTIAL_ROUNDS=12 # Header to take the real ip from -REAL_IP_HEADER= +REAL_IP_HEADER=X-Real-Ip # IPs for nginx set_real_ip_from (CIDR list separated by commas) -REAL_IP_FROM= +REAL_IP_FROM=172.10.0.3 -# choose wether mailu bounces (no) or rejects (yes) mail when recipient is unknown (value: yes, NO) +# choose wether mailu bounces (no) or rejects (yes) mail when recipient is unknown (value: yes, no) REJECT_UNLISTED_RECIPIENT= # Log level threshold in start.py (value: CRITICAL, ERROR, WARNING, INFO, DEBUG, NOTSET) LOG_LEVEL=WARNING +# Timezone for the Mailu containers. See this link for all possible values https://en.wikipedia.org/wiki/List_of_tz_database_time_zones +TZ=Etc/UTC + +# Default spam threshold used for new users +DEFAULT_SPAM_THRESHOLD=80 + +# API token required for authenticating to the RESTful API. +# This is a mandatory setting for using the RESTful API. 
+API_TOKEN= + ################################### # Database settings ################################### #DB_FLAVOR=mysql -DB_FLAVOR=postgresql -DB_USER=mailu -DB_HOST=db_mailu -DB_NAME=mailu +#DB_FLAVOR=postgresql +#DB_USER=mailu +#DB_HOST=db_mailu +#DB_NAME=mailu + +#SQLALCHEMY_DATABASE_URI=postgresql://mailu:Y6PkLqP9s4TF5pGV89qHGfYSS@db_mailu/mailu + + + + +LD_PRELOAD=/usr/lib/libhardened_malloc.so
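Review bot: The commented-out `#SQLALCHEMY_DATABASE_URI=postgresql://mailu:...@db_mailu/mailu` line embeds a clear-text database password in a committed file, so the credential is now in repository history regardless of the leading `#`; the compose file already sources `secret.env` for this kind of value, so the line should be reduced to a template such as `#SQLALCHEMY_DATABASE_URI=postgresql://mailu:<password>@db_mailu/mailu` and the password rotated if that database still exists. Separately, `REAL_IP_FROM=172.10.0.3` lies outside the 172.16.0.0/12 private range that Docker bridge networks are allocated from, which looks like a typo for a 172.1x address; if it does not match the proxy container, nginx ignores the `X-Real-Ip` header and every web login is attributed to the proxy's address, so the new `AUTH_RATELIMIT_IP=5/hour` bucket is shared by all users, while a value broader than the proxy would let a client choose its own source address. A CIDR covering only the proxy network, e.g. `REAL_IP_FROM=<webNet-subnet-cidr>`, is also more robust than a single container IP that changes when the proxy is recreated. The `LD_PRELOAD=/usr/lib/libhardened_malloc.so` line is appended after four blank lines with no explanation; a one-line `# Use hardened_malloc inside the Mailu containers` above it, with the blank lines removed, would match the rest of the file.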