mirror of
https://github.com/docker-mailserver/docker-mailserver.git
synced 2024-01-19 02:48:50 +00:00
docs: update F2B docs & bind mount links (#3293)
This commit is contained in:
parent
223c766320
commit
f9d55a9384
|
@ -4,78 +4,97 @@ hide:
|
|||
- toc # Hide Table of Contents for this page
|
||||
---
|
||||
|
||||
Fail2Ban is installed automatically and bans IP addresses for 1 week after 2 failed attempts in a time frame of 1 week by default.
|
||||
!!! quote "What is Fail2Ban (F2B)?"
|
||||
|
||||
## Configuration files
|
||||
Fail2ban is an intrusion prevention software framework. Written in the Python programming language, it is designed to prevent against brute-force attacks. It is able to run on POSIX systems that have an interface to a packet-control system or firewall installed locally, such as \[NFTables\] or TCP Wrapper.
|
||||
|
||||
If you want to change this, you can easily edit our github example file: [`config-examples/fail2ban-jail.cf`][github-file-f2bjail].
|
||||
[Source][wikipedia-fail2ban]
|
||||
|
||||
You can do the same with the values from `fail2ban.conf`, e.g `dbpurgeage`. In that case you need to edit: [`config-examples/fail2ban-fail2ban.cf`][github-file-f2bconfig].
|
||||
[wikipedia-fail2ban]: https://en.wikipedia.org/wiki/Fail2ban
|
||||
|
||||
The configuration files need to be located at the root of the `/tmp/docker-mailserver/` volume bind (usually `./docker-data/dms/config/:/tmp/docker-mailserver/`).
|
||||
## Configuration
|
||||
|
||||
This following configuration files from `/tmp/docker-mailserver/` will be copied during container startup.
|
||||
!!! warning
|
||||
|
||||
- `fail2ban-jail.cf` -> `/etc/fail2ban/jail.d/user-jail.local`
|
||||
- `fail2ban-fail2ban.cf` -> `/etc/fail2ban/fail2ban.local`
|
||||
|
||||
### Docker-compose config
|
||||
|
||||
Example configuration volume bind:
|
||||
|
||||
```yaml
|
||||
volumes:
|
||||
- ./docker-data/dms/config/:/tmp/docker-mailserver/
|
||||
```
|
||||
|
||||
!!! attention
|
||||
|
||||
DMS must be launched with the `NET_ADMIN` capability in order to be able to install the nftables rules that actually ban IP addresses.
|
||||
|
||||
Thus either include `--cap-add=NET_ADMIN` in the `docker run` command, or the equivalent in `docker-compose.yml`:
|
||||
DMS must be launched with the `NET_ADMIN` capability in order to be able to install the NFTables rules that actually ban IP addresses. Thus, either include `--cap-add=NET_ADMIN` in the `docker run` command, or the equivalent in the `compose.yml`:
|
||||
|
||||
```yaml
|
||||
cap_add:
|
||||
- NET_ADMIN
|
||||
```
|
||||
|
||||
## Running fail2ban in a rootless container
|
||||
!!! bug "Running Fail2Ban on Older Kernels"
|
||||
|
||||
[`RootlessKit`][rootless::rootless-kit] is the _fakeroot_ implementation for supporting _rootless mode_ in Docker and Podman. By default RootlessKit uses the [`builtin` port forwarding driver][rootless::port-drivers], which does not propagate source IP addresses.
|
||||
DMS configures F2B to use NFTables, not IPTables (legacy). We have observed that older systems, for example NAS systems, do not support the modern NFTables rules. You will need to configure F2B to use legacy IPTables again, for example with the [``fail2ban-jail.cf``][github-file-f2bjail], see the [section on configuration further down below](#custom-files).
|
||||
|
||||
It is necessary for `fail2ban` to have access to the real source IP addresses in order to correctly identify clients. This is achieved by changing the port forwarding driver to [`slirp4netns`][rootless::slirp4netns], which is slower than `builtin` but does preserve the real source IPs.
|
||||
### DMS Defaults
|
||||
|
||||
### Docker with `slirp4netns` port driver
|
||||
DMS will automatically ban IP addresses of hosts that have generated 2 failed attempts over the course of the last week. The bans themselves last for one week.
|
||||
|
||||
For [rootless mode][rootless::docker] in Docker, create `~/.config/systemd/user/docker.service.d/override.conf` with the following content:
|
||||
### Custom Files
|
||||
|
||||
```
|
||||
[Service]
|
||||
Environment="DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=slirp4netns"
|
||||
!!! question "What is [`docker-data/dms/config/`][docs-dms-config-volume]?"
|
||||
|
||||
This following configuration files inside the `docker-data/dms/config/` volume will be copied inside the container during startup
|
||||
|
||||
1. `fail2ban-jail.cf` is copied to `/etc/fail2ban/jail.d/user-jail.local`
|
||||
- with this file, you can adjust the configuration of individual jails and their defaults
|
||||
- the is an example provided [in our repository on GitHub][github-file-f2bjail]
|
||||
2. `fail2ban-fail2ban.cf` is copied to `/etc/fail2ban/fail2ban.local`
|
||||
- with this file, you can adjust F2B behavior in general
|
||||
- the is an example provided [in our repository on GitHub][github-file-f2bconfig]
|
||||
|
||||
[docs-dms-config-volume]: ../../faq.md#what-about-the-docker-datadmsconfig-directory
|
||||
[github-file-f2bjail]: https://github.com/docker-mailserver/docker-mailserver/blob/master/config-examples/fail2ban-jail.cf
|
||||
[github-file-f2bconfig]: https://github.com/docker-mailserver/docker-mailserver/blob/master/config-examples/fail2ban-fail2ban.cf
|
||||
|
||||
### Managing Bans
|
||||
|
||||
You can manage F2B with the `setup` script. The usage looks like this:
|
||||
|
||||
```bash
|
||||
docker exec <CONTAINER NAME> setup fail2ban [<ban|unban> <IP>]
|
||||
```
|
||||
|
||||
And then restart the daemon:
|
||||
When just running `setup fail2ban`, the script will show all banned IP addresses.
|
||||
|
||||
```console
|
||||
$ systemctl --user daemon-reload
|
||||
$ systemctl --user restart docker
|
||||
```
|
||||
## Running Inside A Rootless Container
|
||||
|
||||
!!! note
|
||||
[`RootlessKit`][rootless::rootless-kit] is the _fakeroot_ implementation for supporting _rootless mode_ in Docker and Podman. By default, RootlessKit uses the [`builtin` port forwarding driver][rootless::port-drivers], which does not propagate source IP addresses.
|
||||
|
||||
This changes the port driver for all rootless containers managed by Docker.
|
||||
It is necessary for F2B to have access to the real source IP addresses in order to correctly identify clients. This is achieved by changing the port forwarding driver to [`slirp4netns`][rootless::slirp4netns], which is slower than the builtin driver but does preserve the real source IPs.
|
||||
|
||||
Per container configuration is not supported, if you need that consider Podman instead.
|
||||
[rootless::rootless-kit]: https://github.com/rootless-containers/rootlesskit
|
||||
[rootless::port-drivers]: https://github.com/rootless-containers/rootlesskit/blob/v0.14.5/docs/port.md#port-drivers
|
||||
[rootless::slirp4netns]: https://github.com/rootless-containers/slirp4netns
|
||||
|
||||
### Podman with `slirp4netns` port driver
|
||||
=== "Docker"
|
||||
|
||||
[Rootless Podman][rootless::podman] requires adding the value `slirp4netns:port_handler=slirp4netns` to the `--network` CLI option, or `network_mode` setting in your `docker-compose.yml`.
|
||||
For [rootless mode][rootless::docker] in Docker, create `~/.config/systemd/user/docker.service.d/override.conf` with the following content:
|
||||
|
||||
!!! danger inline end
|
||||
|
||||
You must also add the ENV `NETWORK_INTERFACE=tap0`, because Podman uses a [hard-coded interface name][rootless::podman::interface] for `slirp4netns`.
|
||||
This changes the port driver for all rootless containers managed by Docker. Per container configuration is not supported, if you need that consider Podman instead.
|
||||
|
||||
```cf
|
||||
[Service]
|
||||
Environment="DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=slirp4netns"
|
||||
```
|
||||
|
||||
!!! example
|
||||
And then restart the daemon:
|
||||
|
||||
```console
|
||||
$ systemctl --user daemon-reload
|
||||
$ systemctl --user restart docker
|
||||
```
|
||||
|
||||
[rootless::docker]: https://docs.docker.com/engine/security/rootless
|
||||
|
||||
=== "Podman"
|
||||
|
||||
[Rootless Podman][rootless::podman] requires adding the value `slirp4netns:port_handler=slirp4netns` to the `--network` CLI option, or `network_mode` setting in your `compose.yml`:
|
||||
|
||||
!!! example
|
||||
|
||||
```yaml
|
||||
services:
|
||||
|
@ -87,34 +106,7 @@ You must also add the ENV `NETWORK_INTERFACE=tap0`, because Podman uses a [hard-
|
|||
...
|
||||
```
|
||||
|
||||
!!! note
|
||||
You must also add the ENV `NETWORK_INTERFACE=tap0`, because Podman uses a [hard-coded interface name][rootless::podman::interface] for `slirp4netns`. `slirp4netns` is not compatible with user-defined networks!
|
||||
|
||||
`slirp4netns` is not compatible with user-defined networks.
|
||||
|
||||
## Manage bans
|
||||
|
||||
You can also manage and list the banned IPs with the [`setup.sh`][docs-setupsh] script.
|
||||
|
||||
### List bans
|
||||
|
||||
```sh
|
||||
./setup.sh fail2ban
|
||||
```
|
||||
|
||||
### Un-ban
|
||||
|
||||
Here `192.168.1.15` is our banned IP.
|
||||
|
||||
```sh
|
||||
./setup.sh fail2ban unban 192.168.1.15
|
||||
```
|
||||
|
||||
[docs-setupsh]: ../setup.sh.md
|
||||
[github-file-f2bjail]: https://github.com/docker-mailserver/docker-mailserver/blob/master/config-examples/fail2ban-jail.cf
|
||||
[github-file-f2bconfig]: https://github.com/docker-mailserver/docker-mailserver/blob/master/config-examples/fail2ban-fail2ban.cf
|
||||
[rootless::rootless-kit]: https://github.com/rootless-containers/rootlesskit
|
||||
[rootless::port-drivers]: https://github.com/rootless-containers/rootlesskit/blob/v0.14.5/docs/port.md#port-drivers
|
||||
[rootless::slirp4netns]: https://github.com/rootless-containers/slirp4netns
|
||||
[rootless::docker]: https://docs.docker.com/engine/security/rootless
|
||||
[rootless::podman]: https://github.com/containers/podman/blob/v3.4.1/docs/source/markdown/podman-run.1.md#--networkmode---net
|
||||
[rootless::podman::interface]: https://github.com/containers/podman/blob/v3.4.1/libpod/networking_slirp4netns.go#L264
|
||||
[rootless::podman]: https://github.com/containers/podman/blob/v3.4.1/docs/source/markdown/podman-run.1.md#--networkmode---net
|
||||
[rootless::podman::interface]: https://github.com/containers/podman/blob/v3.4.1/libpod/networking_slirp4netns.go#L264
|
||||
|
|
|
@ -99,15 +99,15 @@ DMS brings sane default settings for Rspamd. They are located at `/etc/rspamd/lo
|
|||
|
||||
### Manually
|
||||
|
||||
If you want to overwrite the default settings and / or provide your own settings, you can place files at `docker-data/dms/config/rspamd/override.d/` (a directory that is linked to `/etc/rspamd/override.d/`, if it exists) to override Rspamd and DMS default settings.
|
||||
!!! question "What is [`docker-data/dms/config/`][docs-dms-config-volume]?"
|
||||
|
||||
!!! note "What is [`docker-data/dms/config/`][docs-dms-config-volume]?"
|
||||
If you want to overwrite the default settings and / or provide your own settings, you can place files at `docker-data/dms/config/rspamd/override.d/` (a directory that is linked to `/etc/rspamd/override.d/`, if it exists) to override Rspamd and DMS default settings.
|
||||
|
||||
!!! warning "Clashing Overrides"
|
||||
|
||||
Note that when also [using the `rspamd-commands` file](#with-the-help-of-a-custom-file), files in `override.d` may be overwritten in case you adjust them manually and with the help of the file.
|
||||
|
||||
[docs-dms-config-volume]: ../../faq.md#what-about-the-docker-datadmsmail-state-folder
|
||||
[docs-dms-config-volume]: ../../faq.md#what-about-the-docker-datadmsconfig-directory
|
||||
|
||||
### With the Help of a Custom File
|
||||
|
||||
|
|
|
@ -10,6 +10,10 @@ None! No database is required. The filesystem is the database. This image is bas
|
|||
|
||||
Mails are stored in `/var/mail/${domain}/${username}`. Since `v9.0.0` it is possible to add custom `user_attributes` for each accounts to have a different mailbox configuration (See [#1792][github-issue-1792]).
|
||||
|
||||
### What About the `docker-data/dms/config/` Directory?
|
||||
|
||||
This documentation and all example configuration files in the GitHub repository use `docker-data/dms/config/` to refer to the directory in the host that is mounted (e.g. via a bind mount) to `/tmp/docker-mailserver/` inside the container,.
|
||||
|
||||
### How are IMAP mailboxes (_aka IMAP Folders_) set up?
|
||||
|
||||
`INBOX` is setup by default with the special IMAP folders `Drafts`, `Sent`, `Junk` and `Trash`. You can learn how to modify or add your own folders (_including additional special folders like `Archive`_) by visiting our docs page [_Customizing IMAP Folders_](../examples/use-cases/imap-folders) for more information.
|
||||
|
|
|
@ -4,7 +4,7 @@ title: Usage
|
|||
|
||||
This pages explains how to get started with DMS. The guide uses Docker Compose as a reference. In our examples, a volume mounts the host location [`docker-data/dms/config/`][docs-dms-config-volume] to `/tmp/docker-mailserver/` inside the container.
|
||||
|
||||
[docs-dms-config-volume]: ./config/advanced/optional-config.md
|
||||
[docs-dms-config-volume]: ./faq.md#what-about-the-docker-datadmsconfig-directory
|
||||
|
||||
## Preliminary Steps
|
||||
|
||||
|
|
Loading…
Reference in a new issue