mirror of
https://github.com/docker-mailserver/docker-mailserver.git
synced 2024-01-19 02:48:50 +00:00
Merge pull request #41 from tomav/letsencrypt
Added Letsencrypt support to docker-mailserver
This commit is contained in: commit a0b55531a9
.gitignore (vendored), 1 line changed
@ -2,3 +2,4 @@
docker-compose.yml
postfix/ssl/*
assert.sh*
letsencrypt/
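Review bot: the new `letsencrypt/` rule should say why it is there, since a later contributor may narrow it; the directory is mounted at `/etc/letsencrypt` and holds the `privkey.pem` the start script points Postfix at, so a comment such as `# Let's Encrypt account and private keys, mounted at /etc/letsencrypt` next to it documents that it guards key material, the same way `postfix/ssl/*` does for the self-signed path.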
README.md, 95 lines changed
@ -26,7 +26,7 @@ Why I created this image: [Simple mail server with Docker](http://tvi.al/simple-
- aliases and fowards/redirects are managed in `./postfix/virtual`
- antispam rules are managed in `./spamassassin/rules.cf`
- files must be mounted to `/tmp` in your container (see `docker-compose.yml` template)
- ssl is strongly recommended, you can provide a self-signed certificate, see below
- ssl is strongly recommended, read [SSL.md](SSL.md) to use LetsEncrypt or Self-Signed Certificates
- [includes integration tests](https://travis-ci.org/tomav/docker-mailserver)
- [builds automated on docker hub](https://hub.docker.com/r/tvial/docker-mailserver/)
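Review bot: the context line `aliases and fowards/redirects` carries a typo (`fowards` for `forwards`) that could be fixed while this list is being touched. The replacement line spells the CA `LetsEncrypt` while the new SSL.md heading uses `let's encrypt` and the project it links to writes `Let's Encrypt`; pick one spelling across the two files.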
@ -40,23 +40,32 @@ Why I created this image: [Simple mail server with Docker](http://tvi.al/simple-
## run
docker run --name mail -v "$(pwd)/postfix":/tmp/postfix -v "$(pwd)/spamassassin":/tmp/spamassassin -p "25:25" -p "143:143" -p "587:587" -p "993:993" -h mail.my-domain.com -t tvial/docker-mailserver
docker run --name mail \
-v "$(pwd)/postfix":/tmp/postfix \
-v "$(pwd)/spamassassin":/tmp/spamassassin \
-v "$(pwd)/letsencrypt/etc":/etc/letsencrypt \
-p "25:25" -p "143:143" -p "587:587" -p "993:993" \
-e DMS_SSL=letsencrypt \
-h mail.domain.com \
-t tvial/docker-mailserver
## docker-compose template (recommended)
mail:
# image: tvial/docker-mailserver
build: .
hostname: mail
domainname: my-domain.com
ports:
- "25:25"
- "143:143"
- "587:587"
- "993:993"
volumes:
- ./spamassassin:/tmp/spamassassin/
- ./postfix:/tmp/postfix/
mail:
image: tvial/docker-mailserver
hostname: mail
domainname: domain.com
ports:
- "25:25"
- "143:143"
- "587:587"
- "993:993"
volumes:
- ./spamassassin:/tmp/spamassassin/
- ./postfix:/tmp/postfix/
- ./letsencrypt/etc:/etc/letsencrypt
environment:
- DMS_SSL=letsencrypt
Volumes allow to:
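Review bot: the `docker run` example now passes `-h mail.domain.com` while the compose template next to it uses `hostname: mail` with `domainname: domain.com`, and the start script builds every certificate path from `$(hostname)` (`/etc/letsencrypt/live/$(hostname)/fullchain.pem`); the README should state that the Let's Encrypt certificate has to be issued for, and stored under, exactly the name `hostname` returns inside the container, and both examples should use the same form so a reader does not end up with a `live/mail/` lookup against a `live/mail.domain.com/` directory. The rest of this README (the self-signed command and the client configuration) still uses `my-domain.com`, so the placeholder domain should be made consistent as well.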
@ -68,53 +77,21 @@ Volumes allow to:
docker-compose up -d mail
# configure ssl
## generate self-signed ssl certificate
You can easily generate a self-signed SSL certificate by using the following command:
docker run -ti --rm -v "$(pwd)"/postfix/ssl:/ssl -h mail.my-domain.com -t tvial/docker-mailserver generate-ssl-certificate
# Press enter
# Enter a password when needed
# Fill information like Country, Organisation name
# Fill "my-domain.com" as FQDN for CA, and "mail.my-domain.com" for the certificate.
# They HAVE to be different, otherwise you'll get a `TXT_DB error number 2`
# Don't fill extras
# Enter same password when needed
# Sign the certificate? [y/n]:y
# 1 out of 1 certificate requests certified, commit? [y/n]y
# will generate:
# postfix/ssl/mail.my-domain.com-key.pem (used in postfix)
# postfix/ssl/mail.my-domain.com-req.pem (only used to generate other files)
# postfix/ssl/mail.my-domain.com-cert.pem (used in postfix)
# postfix/ssl/mail.my-domain.com-combined.pem (used in courier)
# postfix/ssl/demoCA/cacert.pem (certificate authority)
Note that the certificate will be generate for the container `fqdn`, that is passed as `-h` argument.
Check the following page for more information regarding [postfix and SSL/TLS configuration](http://www.mad-hacking.net/documentation/linux/applications/mail/using-ssl-tls-postfix-courier.xml).
## configure ssl certificate (convention over configuration)
If a matching certificate (files listed above) is found in `postfix/ssl`, it will be automatically setup in postfix and courier-imap-ssl. You just have to place them in `postfix/ssl` folder.
# client configuration
# imap
username: <username1@my-domain.com>
password: <username1password>
server: <your-server-ip-or-hostname>
imap port: 143 or 993 with ssl (recommended)
imap path prefix: INBOX
auth method: md5 challenge-response
# imap
username: <username1@my-domain.com>
password: <username1password>
server: <your-server-ip-or-hostname>
imap port: 143 or 993 with ssl (recommended)
imap path prefix: INBOX
auth method: md5 challenge-response
# smtp
smtp port: 25 or 587 with ssl (recommended)
username: <username1@my-domain.com>
password: <username1password>
auth method: md5 challenge-response
# smtp
smtp port: 25 or 587 with ssl (recommended)
username: <username1@my-domain.com>
password: <username1password>
auth method: md5 challenge-response
# todo
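Review bot: the removed `## configure ssl certificate (convention over configuration)` section promised that certificates dropped into `postfix/ssl` are picked up automatically, but after this change that only happens when `DMS_SSL=self-signed` is set, and the README's remaining `run` and compose examples show only `DMS_SSL=letsencrypt`; a one-line pointer here that the self-signed path now needs the variable too (SSL.md has it) would prevent a silent fallback to the snakeoil certificate for users who upgrade. The client configuration block kept below still uses `username1@my-domain.com` while the run examples above now use `domain.com`.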
SSL.md (new file), 49 lines changed
@ -0,0 +1,49 @@
# docker-mailserver with ssl
There are multiple options to enable SSL:
* using [letsencrypt](https://letsencrypt.org/) (recommended)
* using self-signed certificates with the provided tool
After installation, you can test your setup with [checktls.com](https://www.checktls.com/TestReceiver).
## let's encrypt (recommended)
To enable Let's Encrypt on your mail server, you have to:
* get your certificate using [letsencrypt client](https://github.com/letsencrypt/letsencrypt)
* add an environment variable `DMS_SSL` with value `letsencrypt` (see `docker-compose.yml.dist`)
* mount your `letsencrypt` folder to `/etc/letsencrypt`
You don't have anything else to do. Enjoy.
## self signed certificates
You can easily generate a self-signed SSL certificate by using the following command:
docker run -ti --rm -v "$(pwd)"/postfix/ssl:/ssl -h mail.my-domain.com -t tvial/docker-mailserver generate-ssl-certificate
# Press enter
# Enter a password when needed
# Fill information like Country, Organisation name
# Fill "my-domain.com" as FQDN for CA, and "mail.my-domain.com" for the certificate.
# They HAVE to be different, otherwise you'll get a `TXT_DB error number 2`
# Don't fill extras
# Enter same password when needed
# Sign the certificate? [y/n]:y
# 1 out of 1 certificate requests certified, commit? [y/n]y
# will generate:
# postfix/ssl/mail.my-domain.com-key.pem (used in postfix)
# postfix/ssl/mail.my-domain.com-req.pem (only used to generate other files)
# postfix/ssl/mail.my-domain.com-cert.pem (used in postfix)
# postfix/ssl/mail.my-domain.com-combined.pem (used in courier)
# postfix/ssl/demoCA/cacert.pem (certificate authority)
Note that the certificate will be generate for the container `fqdn`, that is passed as `-h` argument.
Check the following page for more information regarding [postfix and SSL/TLS configuration](http://www.mad-hacking.net/documentation/linux/applications/mail/using-ssl-tls-postfix-courier.xml).
To use the certificate:
* add an `DMS_SSL=self-signed` to your container environment variables
* if a matching certificate (files listed above) is found in `postfix/ssl`, it will be automatically setup in postfix and courier-imap-ssl. You just have to place them in `postfix/ssl` folder.
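Review bot: `You don't have anything else to do. Enjoy.` leaves out two things the reader must know: the certificate has to be obtained for the container hostname, because the start script only looks in `/etc/letsencrypt/live/<hostname>/`, and the Postfix and Courier configuration is rewritten at container start, so a renewed certificate is not used until the container is restarted. Suggest two more bullets under the let's encrypt heading, e.g. `* the certificate must be issued for the hostname passed with -h` and `* restart the container after each renewal`. Smaller points in the same file: `add an \`DMS_SSL=self-signed\`` should read `add \`DMS_SSL=self-signed\``, and `will be generate for the container` should be `will be generated for the container`.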
@ -10,5 +10,5 @@ openssl req -new -nodes -keyout /ssl/$FQDN-key.pem -out /ssl/$FQDN-req.pem -days
# Sign the public key certificate with CA certificate
openssl ca -out /ssl/$FQDN-cert.pem -infiles /ssl/$FQDN-req.pem
# Combine certificates for courier
cat /ssl/$FQDN-key.pem /ssl/$FQDN-cert.pem >> /ssl/$FQDN-combined.pem
cat /ssl/$FQDN-key.pem /ssl/$FQDN-cert.pem > /ssl/$FQDN-combined.pem
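Review bot: changing `>>` to `>` is a real fix, since the old append would have grown `$FQDN-combined.pem` by another key and certificate on every run and left Courier reading a file with several keys in it. Because the combined file now carries the private key, create it with restrictive permissions as well, for example `umask 077` before the `cat` or `chmod 600 /ssl/$FQDN-combined.pem` after it, so the key does not land world-readable in the host-mounted `postfix/ssl` directory.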
@ -2,7 +2,7 @@ mail:
# image: tvial/docker-mailserver
build: .
hostname: mail
domainname: my-domain.com
domainname: domain.com
ports:
- "25:25"
- "143:143"
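Review bot: `domainname: domain.com` here, `-h mail.domain.com` in the README `docker run` example and `mail.my-domain.com` in SSL.md's self-signed command are three spellings of the same placeholder; settle on one, because the start script derives every certificate path from `$(hostname)` and a reader copying from two of these files will get a mismatch. A comment next to `hostname`/`domainname` such as `# must match the name your certificate was issued for` would make the dependency visible in the template itself.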
@ -11,3 +11,6 @@ mail:
volumes:
- ./spamassassin:/tmp/spamassassin/
- ./postfix:/tmp/postfix/
- ./letsencrypt/etc:/etc/letsencrypt
environment:
- DMS_SSL=letsencrypt
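Review bot: making `DMS_SSL=letsencrypt` the default in the dist template means a fresh checkout with no `letsencrypt/etc` directory starts the container with Postfix pointed at `/etc/letsencrypt/live/<hostname>/fullchain.pem`, which does not exist; either ship the variable commented out with the two accepted values beside it (`# - DMS_SSL=letsencrypt  # or self-signed`) or add a comment that the `./letsencrypt/etc` mount must already contain a certificate for the container hostname.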
@ -54,28 +54,50 @@ echo "Postfix configurations"
touch /etc/postfix/vmailbox && postmap /etc/postfix/vmailbox
touch /etc/postfix/virtual && postmap /etc/postfix/virtual
# Adding self-signed SSL certificate if provided in 'postfix/ssl' folder
if [ -e "/tmp/postfix/ssl/$(hostname)-cert.pem" ] \
&& [ -e "/tmp/postfix/ssl/$(hostname)-key.pem" ] \
&& [ -e "/tmp/postfix/ssl/$(hostname)-combined.pem" ] \
&& [ -e "/tmp/postfix/ssl/demoCA/cacert.pem" ]; then
echo "Adding $(hostname) SSL certificate"
mkdir -p /etc/postfix/ssl
cp /tmp/postfix/ssl/$(hostname)-cert.pem /etc/postfix/ssl
cp /tmp/postfix/ssl/$(hostname)-key.pem /etc/postfix/ssl
cp /tmp/postfix/ssl/$(hostname)-combined.pem /etc/postfix/ssl
cp /tmp/postfix/ssl/demoCA/cacert.pem /etc/postfix/ssl
# SSL Configuration
case $DMS_SSL in
"letsencrypt" )
# letsencrypt folders and files mounted in /etc/letsencrypt
# Postfix configuration
sed -i -r 's/smtpd_tls_cert_file=\/etc\/ssl\/certs\/ssl-cert-snakeoil.pem/smtpd_tls_cert_file=\/etc\/postfix\/ssl\/'$(hostname)'-cert.pem/g' /etc/postfix/main.cf
sed -i -r 's/smtpd_tls_key_file=\/etc\/ssl\/private\/ssl-cert-snakeoil.key/smtpd_tls_key_file=\/etc\/postfix\/ssl\/'$(hostname)'-key.pem/g' /etc/postfix/main.cf
sed -i -r 's/#smtpd_tls_CAfile=/smtpd_tls_CAfile=\/etc\/postfix\/ssl\/cacert.pem/g' /etc/postfix/main.cf
sed -i -r 's/#smtp_tls_CAfile=/smtp_tls_CAfile=\/etc\/postfix\/ssl\/cacert.pem/g' /etc/postfix/main.cf
ln -s /etc/postfix/ssl/cacert.pem /etc/ssl/certs/cacert-$(hostname).pem
# Postfix configuration
sed -i -r 's/smtpd_tls_cert_file=\/etc\/ssl\/certs\/ssl-cert-snakeoil.pem/smtpd_tls_cert_file=\/etc\/letsencrypt\/live\/'$(hostname)'\/fullchain.pem/g' /etc/postfix/main.cf
sed -i -r 's/smtpd_tls_key_file=\/etc\/ssl\/private\/ssl-cert-snakeoil.key/smtpd_tls_key_file=\/etc\/letsencrypt\/live\/'$(hostname)'\/privkey.pem/g' /etc/postfix/main.cf
# Courier configuration
sed -i -r 's/TLS_CERTFILE=\/etc\/courier\/imapd.pem/TLS_CERTFILE=\/etc\/postfix\/ssl\/'$(hostname)'-combined.pem/g' /etc/courier/imapd-ssl
fi
# Courier configuration
cat /etc/letsencrypt/live/$(hostname)/privkey.pem /etc/letsencrypt/live/$(hostname)/cert.pem > /etc/letsencrypt/live/$(hostname)/combined.pem
sed -i -r 's/TLS_CERTFILE=\/etc\/courier\/imapd.pem/TLS_CERTFILE=\/etc\/letsencrypt\/live\/'$(hostname)'\/combined.pem/g' /etc/courier/imapd-ssl
echo "SSL configured with letsencrypt certificates"
;;
"self-signed" )
# Adding self-signed SSL certificate if provided in 'postfix/ssl' folder
if [ -e "/tmp/postfix/ssl/$(hostname)-cert.pem" ] \
&& [ -e "/tmp/postfix/ssl/$(hostname)-key.pem" ] \
&& [ -e "/tmp/postfix/ssl/$(hostname)-combined.pem" ] \
&& [ -e "/tmp/postfix/ssl/demoCA/cacert.pem" ]; then
echo "Adding $(hostname) SSL certificate"
mkdir -p /etc/postfix/ssl
cp /tmp/postfix/ssl/$(hostname)-cert.pem /etc/postfix/ssl
cp /tmp/postfix/ssl/$(hostname)-key.pem /etc/postfix/ssl
cp /tmp/postfix/ssl/$(hostname)-combined.pem /etc/postfix/ssl
cp /tmp/postfix/ssl/demoCA/cacert.pem /etc/postfix/ssl
# Postfix configuration
sed -i -r 's/smtpd_tls_cert_file=\/etc\/ssl\/certs\/ssl-cert-snakeoil.pem/smtpd_tls_cert_file=\/etc\/postfix\/ssl\/'$(hostname)'-cert.pem/g' /etc/postfix/main.cf
sed -i -r 's/smtpd_tls_key_file=\/etc\/ssl\/private\/ssl-cert-snakeoil.key/smtpd_tls_key_file=\/etc\/postfix\/ssl\/'$(hostname)'-key.pem/g' /etc/postfix/main.cf
sed -i -r 's/#smtpd_tls_CAfile=/smtpd_tls_CAfile=\/etc\/postfix\/ssl\/cacert.pem/g' /etc/postfix/main.cf
sed -i -r 's/#smtp_tls_CAfile=/smtp_tls_CAfile=\/etc\/postfix\/ssl\/cacert.pem/g' /etc/postfix/main.cf
ln -s /etc/postfix/ssl/cacert.pem /etc/ssl/certs/cacert-$(hostname).pem
# Courier configuration
sed -i -r 's/TLS_CERTFILE=\/etc\/courier\/imapd.pem/TLS_CERTFILE=\/etc\/postfix\/ssl\/'$(hostname)'-combined.pem/g' /etc/courier/imapd-ssl
fi
;;
esac
echo "Fixing permissions"
chown -R 5000:5000 /var/mail
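Review bot: the `"letsencrypt" )` branch has no existence check, unlike the `"self-signed" )` branch right below it that tests all four files before touching `main.cf`; if `/etc/letsencrypt/live/$(hostname)/` is absent, the two `sed` lines still rewrite `smtpd_tls_cert_file` and `smtpd_tls_key_file` to paths that do not exist, and `cat ... > .../combined.pem` creates an empty file (the shell opens the target before `cat` fails on its inputs) that `imapd-ssl` is then pointed at, so both Postfix and Courier fail TLS at connection time rather than at startup. Wrap the branch the same way the self-signed one is, e.g. `if [ -e "/etc/letsencrypt/live/$(hostname)/fullchain.pem" ] && [ -e "/etc/letsencrypt/live/$(hostname)/privkey.pem" ]; then ... else echo "No letsencrypt certificate for $(hostname)"; fi`. Two smaller points: `combined.pem` contains the private key and is written into the host-mounted `/etc/letsencrypt/live/` tree with the default umask, so give it `chmod 600` or write it under `/etc/courier` instead; and `case $DMS_SSL in` has no `*)` branch, so a typo in the variable silently keeps the snakeoil certificate, which an `*) echo "Unknown DMS_SSL value: $DMS_SSL" ;;` would surface in the container log.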
@ -38,7 +38,7 @@ assert_raises "docker exec mail grep -- '-> <external1@otherdomain.tld>' /var/lo
# Testing that a SPAM is rejected
assert_raises "docker exec mail grep 'Blocked SPAM' /var/log/mail.log | grep spam@external.tld"
# TODO: Testing that a Virus is rejected
# Testing that a Virus is rejected
assert_raises "docker exec mail grep 'Blocked INFECTED' /var/log/mail.log | grep virus@external.tld"
# Testing presence of freshclam CRON
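Review bot: the new `Blocked INFECTED` assertion is welcome, but nothing in the suite exercises the `DMS_SSL` branches this pull request adds to the start script; an assertion that `docker exec mail grep 'smtpd_tls_cert_file' /etc/postfix/main.cf` shows the expected path (and likewise `TLS_CERTFILE` in `/etc/courier/imapd-ssl`) would catch the `sed` patterns drifting from the packaged `ssl-cert-snakeoil` defaults, which is the most likely way that code breaks without anyone noticing.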