docs(sync): Add Github Wiki contributions

During the long-lived PR, multiple contributions to the existing Github Wiki were made, this commit applies those here and mentions the files and authors attributed to the changes:

JaapD: dkim.md + forward-only-mailserver-with-ldap-authentication.md

Added corrections to `setup.sh config dkim` command.
Added compatibility warning about 4096-bit key sizes or greater.
Added ldap tip. 

---

fred727-temp: optional-config.md

Added a mention for `user-patches.sh`.

---

Semir Patel: setup.sh.md + debugging.md

Minor corrections. Additionally corrected `tvial` references that had already been updated in this PR series.

---

Stefan Neben: kubernetes.md

> Port 25 proxy protocol configuration in master.cf was missing
docs(sync): Add Github Wiki contributions
> IMAP with STARTTLS is also active, so we need that option here as well
docs(sync): Add Github Wiki contribution
This commit is contained in:
polarathene 2021-03-24 12:44:28 +13:00
parent bbaca9a468
commit 1b971a89cb
6 changed files with 25 additions and 7 deletions

View file

@ -409,12 +409,16 @@ Then, configure both [Postfix][docs-postfix] and [Dovecot][docs-dovecot] to expe
postfix-main.cf: | postfix-main.cf: |
postscreen_upstream_proxy_protocol = haproxy postscreen_upstream_proxy_protocol = haproxy
postfix-master.cf: | postfix-master.cf: |
smtp/inet/postscreen_upstream_proxy_protocol=haproxy
submission/inet/smtpd_upstream_proxy_protocol=haproxy submission/inet/smtpd_upstream_proxy_protocol=haproxy
smtps/inet/smtpd_upstream_proxy_protocol=haproxy smtps/inet/smtpd_upstream_proxy_protocol=haproxy
dovecot.cf: | dovecot.cf: |
# Assuming your ingress controller is bound to 10.0.0.0/8 # Assuming your ingress controller is bound to 10.0.0.0/8
haproxy_trusted_networks = 10.0.0.0/8, 127.0.0.0/8 haproxy_trusted_networks = 10.0.0.0/8, 127.0.0.0/8
service imap-login { service imap-login {
inet_listener imap {
haproxy = yes
}
inet_listener imaps { inet_listener imaps {
haproxy = yes haproxy = yes
} }

View file

@ -38,12 +38,14 @@ This is a list of all configuration files and directories which are optional or
- **amavis.cf:** replaces the `/etc/amavis/conf.d/50-user` file - **amavis.cf:** replaces the `/etc/amavis/conf.d/50-user` file
- **dovecot.cf:** replaces `/etc/dovecot/local.conf`. (Docs: [Override Dovecot Defaults][docs-override-dovecot]) - **dovecot.cf:** replaces `/etc/dovecot/local.conf`. (Docs: [Override Dovecot Defaults][docs-override-dovecot])
- **dovecot-quotas.cf:** list of custom quotas per mailbox. (Docs: [Accounts][docs-accounts-quota]) - **dovecot-quotas.cf:** list of custom quotas per mailbox. (Docs: [Accounts][docs-accounts-quota])
- **user-patches.sh:** this file will be run after all configuration files are set up, but before the postfix, amavis and other daemons are started. (Docs: [FAQ - How to adjust settings with the `user-patches.sh` script][docs-faq-userpatches])
[docs-accounts-quota]: ../../config/user-management/accounts.md#notes [docs-accounts-quota]: ../../config/user-management/accounts.md#notes
[docs-aliases-regex]: ../../config/user-management/aliases.md#configuring-regexp-aliases [docs-aliases-regex]: ../../config/user-management/aliases.md#configuring-regexp-aliases
[docs-dkim]: ../../config/best-practices/dkim.md [docs-dkim]: ../../config/best-practices/dkim.md
[docs-fail2ban]: ../../config/security/fail2ban.md [docs-fail2ban]: ../../config/security/fail2ban.md
[docs-faq-spamrules]: ../../faq.md#how-can-i-manage-my-custom-spamassassin-rules [docs-faq-spamrules]: ../../faq.md#how-can-i-manage-my-custom-spamassassin-rules
[docs-faq-userpatches]: ../../faq.md#how-to-adjust-settings-with-the-user-patchessh-script
[docs-override-postfix]: ./override-defaults/postfix.md [docs-override-postfix]: ./override-defaults/postfix.md
[docs-override-dovecot]: ./override-defaults/dovecot.md [docs-override-dovecot]: ./override-defaults/dovecot.md
[docs-relayhosts-senderauth]: ./mail-forwarding/relay-hosts.md#sender-dependent-authentication [docs-relayhosts-senderauth]: ./mail-forwarding/relay-hosts.md#sender-dependent-authentication

View file

@ -18,13 +18,13 @@ To enable DKIM signature, **you must have created at least one email account**.
After generating DKIM keys, you should restart the mail server. DNS edits may take a few minutes to hours to propagate. The script assumes you're being in the directory where the `config/` directory is located. The default keysize when generating the signature is 4096 bits for now. If you need to change it (e.g. your DNS provider limits the size), then provide the size as the first parameter of the command: After generating DKIM keys, you should restart the mail server. DNS edits may take a few minutes to hours to propagate. The script assumes you're being in the directory where the `config/` directory is located. The default keysize when generating the signature is 4096 bits for now. If you need to change it (e.g. your DNS provider limits the size), then provide the size as the first parameter of the command:
```sh ```sh
./setup.sh config dkim <keysize> ./setup.sh config dkim keysize <keysize>
``` ```
For LDAP systems that do not have any directly created user account you can run the following command (since `8.0.0`) to generate the signature by additionally providing the desired domain name (if you have multiple domains use the command multiple times or provide a comma-separated list of domains): For LDAP systems that do not have any directly created user account you can run the following command (since `8.0.0`) to generate the signature by additionally providing the desired domain name (if you have multiple domains use the command multiple times or provide a comma-separated list of domains):
```sh ```sh
./setup.sh config dkim <key-size> <domain.tld>[,<domain2.tld>] ./setup.sh config dkim keysize <key-size> domain <domain.tld>[,<domain2.tld>]
``` ```
Now the keys are generated, you can configure your DNS server with DKIM signature, simply by adding a TXT record. If you have direct access to your DNS zone file, then it's only a matter of pasting the content of `config/opendkim/keys/domain.tld/mail.txt` in your `domain.tld.hosts` zone. Now the keys are generated, you can configure your DNS server with DKIM signature, simply by adding a TXT record. If you have direct access to your DNS zone file, then it's only a matter of pasting the content of `config/opendkim/keys/domain.tld/mail.txt` in your `domain.tld.hosts` zone.
@ -78,6 +78,10 @@ SendReports yes
Mode v Mode v
``` ```
## Switch Off DKIM
Simply remove the DKIM key by recreating (not just relaunching) the mailserver container.
## Debugging ## Debugging
- [DKIM-verifer](https://addons.mozilla.org/en-US/thunderbird/addon/dkim-verifier): A add-on for the mail client Thunderbird. - [DKIM-verifer](https://addons.mozilla.org/en-US/thunderbird/addon/dkim-verifier): A add-on for the mail client Thunderbird.
@ -106,6 +110,10 @@ mail._domainkey.domain.tld. 3600 IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBA
;; MSG SIZE rcvd: 310 ;; MSG SIZE rcvd: 310
``` ```
## Switch Off DKIM ---
Simply remove the DKIM key by recreating (not just relaunching) the mailserver container. !!! warning "Key sizes >=4096-bit"
Keys of 4096 bits could de denied by some mailservers. According to https://tools.ietf.org/html/rfc6376 keys are preferably between 512 and 2048 bits. See issue [#1854][github-issue-1854].
[github-issue-1854]: https://github.com/docker-mailserver/docker-mailserver/issues/1854

View file

@ -19,7 +19,7 @@ chmod a+x ./setup.sh
## Usage ## Usage
Run `./setup.sh -h` and you'll get some usage information: Run `./setup.sh help` and you'll get some usage information:
```bash ```bash
setup.sh Bootstrapping Script setup.sh Bootstrapping Script
@ -30,7 +30,7 @@ OPTIONS:
-i IMAGE_NAME The name of the docker-mailserver image -i IMAGE_NAME The name of the docker-mailserver image
The default value is The default value is
'docker.io/mailserver/docker-maiserver:latest' 'docker.io/mailserver/docker-mailserver:latest'
-c CONTAINER_NAME The name of the running container. -c CONTAINER_NAME The name of the running container.

View file

@ -53,7 +53,7 @@ fail2ban-client stop dovecot
fail2ban-client stop postfix fail2ban-client stop postfix
``` ```
## Send email is never received ## Sent email is never received
Some hosting provides have a stealth block on port 25. Make sure to check with your hosting provider that traffic on port 25 is allowed Some hosting provides have a stealth block on port 25. Make sure to check with your hosting provider that traffic on port 25 is allowed

View file

@ -105,5 +105,9 @@ You see that besides `query_filter`, I had to customize as well `result_attribut
Another solution that serves as a forward-only mailserver is this: https://gitlab.com/docker-scripts/postfix Another solution that serves as a forward-only mailserver is this: https://gitlab.com/docker-scripts/postfix
!!! tip
One user reports only having success if `ENABLE_LDAP=0` was set.
[github-file-readme-patches]: https://github.com/docker-mailserver/docker-mailserver/blob/master/README.md#custom-user-changes--patches [github-file-readme-patches]: https://github.com/docker-mailserver/docker-mailserver/blob/master/README.md#custom-user-changes--patches
[github-issue-1247]: https://github.com/docker-mailserver/docker-mailserver/issues/1247 [github-issue-1247]: https://github.com/docker-mailserver/docker-mailserver/issues/1247