Commit graph

72 commits

Author SHA1 Message Date
i-C-o-d-e-r b2cd66fcda
docs: Clarify description of explicit TLS (#3017)
* Fix #3007: Changed description of explicit TLS to indicate that insecure connections are rejected

* Further clarification that description only applies to authentication

Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
2023-01-23 01:09:38 +13:00
Y.C.Huang 88715974eb
docs: Provision a cert with the ACME DNS-01 challenge via Certbot + Cloudflare (#2968)
* docs: Certbot cloudflare
Add docs for implement certbot-dns-cloudflare to generate certificate for mail server

* Apply suggestions from code review

* fix: certbot-cloudflare docs

Fix the docker-compose command according to the advice

* feat: DNS-Cloudflare certificate renew
Add docs for implementing renewing certificate with crontab

* Apply suggestions from code review

Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
2023-01-07 11:58:50 +13:00
Casper de61d42e68
Add ban feature to fail2ban script (#2538) 2022-04-19 08:44:51 +00:00
Georg Lauterbach a9305a073f
firewall: replace iptables with nftables (#2505)
* first adjustments to use Fail2Ban with nftables

* replace `iptables` -> `nftables` and adjust tests

nftables lists IPs a bit differently , so the order was adjusted for the
tests to be more flexible.

* line correction in mailserver.env

* change from `.conf` -> `.local` and remove redundant config

* revert HEREDOC to `echo`

Co-authored-by: Casper <casperklein@users.noreply.github.com>
2022-04-05 15:13:59 +02:00
Casper 5b5b444094
docs(fail2ban): Use the correct example config location (#2484) 2022-03-15 14:51:47 +13:00
Casper a8a8c859dc
Rename config examples directory (#2438) 2022-03-02 22:54:14 +00:00
Frederic Werner 358df6ada2
docs(deps): bump mkdocs-material to v8.2.1 (#2422)
* docs(deps): bump mkdocs-material to v8.2.1

* feat(docs): enable mermaid integration

Configuration based on https://squidfunk.github.io/mkdocs-material/reference/diagrams/?h=mermaid#configuration

* fix: allow yaml value mapping

* chore: Adopt mkdocs-material mermaid integration support

Supported by the docs generator now, we no longer need to rely on external image generator or live editor link (both relied on large base64 encoding of mermaid markup). SVG will be rendered by docs now, although a little different style (can be fixed with custom CSS).

Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
2022-02-19 21:26:56 +01:00
Georg Lauterbach 4cb617f7f9
README.md and Documentation Update (#2389)
* follow up on #2383

Fixes a documentation error by which a list would not be rendered
correctly. This has been taken care of.

* update the `README.md`

I felt the need to update the README for several reasons:

1. LDAP issues that the core maintainers team cannot really resolve
2. Cleaning up the somewhat messy structure near the end

The first point goes without explanantion. The second points includes:

2.1. The tagging convention is now easier to read and understand
2.2. Some bullut points or notes have been inlined to "stick" more to
     the content that it actually belongs to
2.3. The note about the "old" `setup.sh` for DMS `10.1.0` has been
     removed as it is obsolete now. We encourage users to upgrade to
     `10.4.0` anyways.
2.4. The markdown code highlighting is now using `CONSOLE` instead of
     `BASH` because `CONSOLE` is more appropriate.
2.5. Capitalized headings
2.6. Updated the section about `./setup.sh help` to be in one place now
     instead of two
2.7. DKIM key generation does now not interfere with user account
     creation.

* adjusted content to PR suggestions
2022-02-05 10:54:54 +01:00
Twist235 602f6fce06
SSL documentation contains a small bug #2381 (#2383) 2022-01-31 22:12:51 +01:00
Brennan Kinney d3b9746c6f
docs: Fail2Ban - Fix links for rootless podman (#2384)
Co-authored-by: Casper <casperklein@users.noreply.github.com>
2022-01-27 18:13:10 +01:00
Brennan Kinney bdcfe27482
docs(ssl): Add an FQDN section (#2268)
* docs(ssl): Adjust heading levels for provisioning sections

- Group provisioning sections under one heading level.
- Use `attr_list` syntax for headings to make the ToC sidebar entry less verbose.

* docs(ssl): Minor fixes

Typos, formatting.

* docs(ssl): Rephrase Traefik wildcard support

Split the line out into multiple with better phrasing.

* docs(ssl): Add FQDN section

We briefly mention the same info twice on the docs page, but as it applies to all provisioners in general, it's been given it's own detailed section with examples.

Single section to inform users about an FQDN, how it's configured and understood by `docker-mailserver` for both Docker CLI and `docker-compose.yml` variations.

Adds note about wildcard support and bare domains to clear up any confusion configuring FQDN for these two.

Additional note about Certbot using symlinks for it's cert storage.

* chore: Add FQDN comment for `docker-compose.yml` example config
2021-10-31 00:12:39 +13:00
2b ed562a7057
docs(fail2ban): Add info about running in rootless containers (#2252)
Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
2021-10-30 21:56:32 +13:00
Brennan Kinney 4f91620a7f
docs: ssl.md - Revise letsencrypt section (#2209)
Below commit messages are roughly equivalent to what is listed on the PR. The PR provides additional linked resources for reference to support commit message statements.

---

* docs: Add CT log warning

- Added a warning to make users aware that using a public CA like _Let's Encrypt_ will publicly log information that may be somewhat sensitive, or undesirable to have historic records made public which cannot be redacted.

* docs: Revise the manual `certbot` guide

- The `letsencrypt` repo that was linked early in this guide now redirects to the [Certbot repo](https://github.com/certbot/certbot).

- More explicit volume mount instruction for CertBot; the local location was a tad vague.

- Better clarified `/etc/letsencrypt/live` contents structure, as well as FQDN info. Removed the misleading `fqdn:` from `docker-compose.yml` example snippet.

* docs: Revise certbot with Docker guide

- General rewrite of the Docker Certbot section with additional tips (_renewals with automation, and using a alternative CA_).

- Generalized tone and paths in content.

- Update volume mount paths to be consistent with recent normalization effort.

- Moved some instructions into inline-comments for script examples instead.

* docs: Revise Docker with `nginx-proxy` and `acme-companion`

- Break apart into individual steps, indenting content into the step as appropriate.

- Use normalized volume paths (`docker-data/<service>/` prefix).

- `letsencrypt-nginx-proxy-companion` has _changed project name to `acme-companion`_, and _transferred to new maintainers and the `nginx-proxy` organization_. This also affects the DockerHub image references.

- `acme-companion` has _switched from using `simp_le` to `acme.sh`_ for provisioning certificates. This requires mounting an additional volume for persisting provisioner state.

- The dummy container (_webmail_) is no longer `library/nginx`, just [`nginx`](https://hub.docker.com/_/nginx). This container also doesn't appear to be required. I've verified that the ENV can be given to the `mailserver` service container directly. Retained for now.

* docs: Revise Docker Compose with `nginx-proxy` and `acme-companion`

Heavy rewrite of this section. Like the previous commit mentions, this content was outdated. It has been simplified with improved documentation and reference links.

It also looks like there was a mistake in the existing config example as it uses the regular `nginx` image instead of `nginx-proxy`.

- The bulk of the `mailserver` service has been removed, users are advised to have an existing `docker-compose.yml` config for `docker-mailserver` and update only what is relevant to integrate with the cert provisioner.

- `DEBUG` is _false_ by default.

- The `networks:` portion of the example appears to be taken from upstream, _which that has since dropped it_. While we could continue to document this, I consider it more of an advanced config detail that we don't need to touch on in our docs.

- The `htpasswd` volume is unnecessary, only relevant if using _"Basic Authentication"_ to protect access to web service endpoints. `conf.d/` is also not required by default, it can be useful for the `standalone` mode (_documented as a `tip`_). Remaining volumes have inline-comments to document their purpose.

- `volumes_from:` is _not supported in v3 Compose format_, _only v2_ and the Docker CLI. I did not want to advise v2, so I've duplicated the volumes between the two containers instead. Internally `acme-companion` would rely on `volumes_from:` to identify the `nginx-proxy` container, it _provides alternative discovery methods_, the label is outdated and refers the legacy label (_their script logic is the same_); using the ENV `NGINX_PROXY_CONTAINER` seemed most appropriate and has been added.

- Upstream `acme-companion` docs only cover support for v2 Compose format. _There is a note regarding `nginx-proxy`_ having _volumes configured in it's Dockerfile_. Providing a volume for `/etc/nginx/dhparam` is required to avoid creating anonymous volumes each run of `nginx-proxy`. I've used a named data volume here to make it stick out more, it's not desirable and upstream should fix this, then we can drop it.

- I've also opted to only demonstrate the _Two Container (Basic) setup_ that upstream documents. Previously our docs have been showing _`docker-gen` with the Three Container (Advanced) setup_, which allows for not having the Docker API socket attached as a volume to a container exposed to the web. This reduces the security a bit, and I have not mentioned that on our docs. I could caution the reader with a link to upstream about the risk, but I don't think we should maintain the `docker-gen` setup.

* docs(fix): Update anchor links

These mismatched the current section headers they were meant to link to.
2021-09-27 12:40:54 +13:00
Brennan Kinney a0ee472501
docs(chore): Normalize for consistency (#2206)
"Brief" summary/overview of changes. See the PR discussion or individual commits from the PR for more details.

---

Only applies to the `docs/content/**` content (_and `setup` command_). `target/` and `test/` can be normalized at a later date.

* Normalize to `example.com`

- Domains normalized to `example.com`: `mywebserver.com`, `myserver.tld`, `domain.com`, `domain.tld`, `mydomain.net`, `my-domain.tld`, `my-domain.com`, `example.org`, `whoami.com`.
- Alternative domains normalized to `not-example.com`: `otherdomain.com`, `otherdomain.tld`, `domain2.tld`, `mybackupmx.com`, `whoareyou.org`.
- Email addresses normalized to `admin@example.com` (in `ssl.md`): `foo@bar.com`, `yourcurrentemail@gmail.com`, `email@email.com`, `admin@domain.tld`.
- Email addresses normalized to `external-account@gmail.com`: `bill@gates321boom.com`, `external@gmail.com`, `myemail@gmail.com`, `real-email-address@external-domain.com`.
- **`faq.md`:** A FAQ entry title with `sample.domain.com` changed to `subdomain.example.com`.
- **`mail-fetchmail.md`:** Config examples with FQDNs for `imap`/`pop3` used `example.com` domain for a third-party, changed to `gmail.com` as more familiar third-party/external MTA.

* Normalize config volume path

- Normalizing local config path references to `./docker-data/dms/config/`: `./config/`, `config/`, \``config`\`, `/etc/` (_volume mount src path prefix_).
- Normalize DMS volume paths to `docker-data/dms/mail-{data,state,log}`: `./mail`, `./mail-state` `./data/mail`, `./data/state`, `./data/logs`, `./data/maildata`, `./data/mailstate`, `./data/maillogs`, (_dropped/converted data volumes: `maildata`, `mailstate`_).
- Other docker images also adopt the `docker-data/{service name}/` prefix.

* `ssl.md` - Use `dms/custom-certs` where appropriate.

* Apply normalizations to README and example `docker-compose.yml`

---

Common terms, sometimes interchangeably used or now invalid depending on context: `mail`, `mail container`, `mail server`, `mail-server`, `mailserver`,`docker-mailserver`, `Docker Mailserver`.

Rough transformations applied to most matches (_conditionally, depending on context_):

- 'Docker Mailserver' => '`docker-mailserver`'
- 'mail container' => '`docker-mailserver`' (_optionally retaining ' container'_)
- 'mail server' => 'mail-server' / '`docker-mailserver`'
- 'mail-server' => '`docker-mailserver`'
- 'mailserver' => 'mail-server' / '`docker-mailserver`'

Additionally I checked `docker run` (_plus `exec`, `logs`, etc, sub-commands_) and `docker-compose` commands. Often finding usage of `mail` instead of the expected `mailserver`

Additionally changes `mailserver` hostname in k8s to `mail` to align with other non-k8s examples.

---

* drive-by revisions

Mostly minor revisions or improvements to docs that aren't related to normalization effort.
2021-09-23 11:29:37 +12:00
William Desportes 4d3fade23b
docs: Update all docker-compose files to use the same version and examples (#2159)
Initial pass for achieving more consistency with docker-compose related configs.

* Set DMS_DEBUG to 0
* align with default docker-compose.yml

Co-authored-by: Casper <casperklein@users.noreply.github.com>
Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
2021-09-20 19:27:55 +12:00
Brennan Kinney 08cd4d3371
fix: Enable DH parameters (ffdhe4096) by default (#2192)
This feature was originally introduced by the PR: https://github.com/docker-mailserver/docker-mailserver/pull/1463

- Assign default DH params to use via Dockerfile build instead of copy and update at runtime.
- Parameterized service names and paths.
- Refactor postfix and dovecot dh methods to wrap shared dh logic
- I don't see any value in checking the alternative service for dh params file to copy over, so that's now dropped too.
- Another conditional check is dropped and the default fallback message for existing DH params file is no longer relevant.
- Improved the remaining `_notify` messages. Collapsing the warning into a single logged message also seemed relevant.
- There is no apparent need for special handling with `ONE_DIR=1`. Dropped it.

- Refactor DH params  tests
- Combine custom and default DH param tests into single test file
- docs: Add instructions to use custom DH params

There is no official documented support for custom DH parameters. As no guarantee is provided, this is considered an internal change, not a breaking one.
2021-09-15 20:28:04 +12:00
William Desportes 3a38b23a1a
Improve fail2ban docs and fix a typo (#2126)
Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
2021-08-13 10:30:39 +02:00
Nathan Pierce 9c5d6ad25c
reworked mail_crypt guide to make things way more simple and prepare … (#2043)
* reworked mail_crypt guide to make things way more simple and prepare for user folder encryption

* Update docs/content/config/security/mail_crypt.md

Co-authored-by: Casper <casperklein@users.noreply.github.com>

* Update docs/content/config/security/mail_crypt.md

Co-authored-by: Casper <casperklein@users.noreply.github.com>

* Update docs/content/config/security/mail_crypt.md

Co-authored-by: Casper <casperklein@users.noreply.github.com>

* Update docs/content/config/security/mail_crypt.md

Co-authored-by: Casper <casperklein@users.noreply.github.com>

* Update docs/content/config/security/mail_crypt.md

Co-authored-by: Casper <casperklein@users.noreply.github.com>

Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
Co-authored-by: Casper <casperklein@users.noreply.github.com>
2021-06-19 12:33:30 +02:00
Brennan Kinney 2a08385578
docs: SSL - Revise self-signed cert provisioning (#2021)
* docs: SSL - Deprecate internal self-signed cert tool

We no longer support this method with `setup.sh` from v10 onwards, `SSL_TYPE=self-signed` remains supported however. Advice has been revised for users to provide their own self-signed cert or use an external tool with an example provided.

* chore: typo fix

* chore: fix docker cmd

* chore: fix link syntax
2021-06-01 09:56:35 +02:00
Georg Lauterbach 5449efd8d4
chore(docs): outsourcing environment vars to the documentation (#1948)
Co-authored-by: Frederic Werner <20406381+wernerfred@users.noreply.github.com>
Co-authored-by: Casper <casperklein@users.noreply.github.com>
Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
2021-05-11 22:15:34 +12:00
Georg Lauterbach 8313d9753b
Adjusted documentation for service name and Traefik certificate issuance (#1918)
Co-authored-by: Casper <casperklein@users.noreply.github.com>
2021-04-18 15:21:08 +02:00
Nathan Pierce 0fb5251c20
docs: add mail_crypt plugin documentation (#1913)
* mail_crypt plugin + quick improvement to dovecot override defaults doc

* quick change for <your-container-name> to use mailserver

Co-authored-by: Georg Lauterbach <44545919+aendeavor@users.noreply.github.com>
2021-04-18 00:31:09 +02:00
wernerfred 711b4c9d83 docs(refactor): Convert more content to use admonitions + improvements 2021-03-25 11:49:24 +13:00
wernerfred 463bc967d2 docs(fix): Update wiki references to the new docs url
Additionally replaces old references to `tvial` images with the new `mailserver` docker image name.
2021-03-25 11:49:24 +13:00
polarathene 021e942c4c docs(refactor): Large refactor + additions + fixes
Consistency pass, formatting cleanup and fixes, introduce admonitions, add front-matter.

---

docs: Add front-matter

---

docs: Fix and format links

- Some links were invalid (eg files moved or renamed)
- Some were valid but had invalid section headers (content removed or migrated)
- Some use `http://` instead of `https://` when the website supports a secure connection.
- Some already used the `[name][reference]` convention but often with a number that wasn't as useful for maintenance.
- All referenced docs needed URLs replaced. Opted for the `[name][reference]` approach to group them all clearly at the bottom of the doc, especially with the relative URLs and in some cases many duplicate entries.
- All `tomav` references from the original repo prior to switch to an organization have been corrected.
- Minor cosmetic changes to the `name` part of the URL, such as for referencing issues to be consistent.
- Some small changes to text body, usually due to duplicate URL reference that was unnecessary (open relay, youtous)
- Switched other links to use the `[name][reference]` format when there was a large group of URLs such as wikipedia or kubernetes. Github repos that reference projects related to `docker-mailserver` also got placed here so they're noticed better by maintainers. This also helped quite a bit with `mermaid` external links that are very long.
- There was a Github Wiki supported syntax in use `[[name | link]]` for `fetchmail` page that isn't compatible by default with MkDocs (needs a plugin), converted to `[name][reference]` instead since it's a relative link.

---

docs: Update commit link for LDAP override script

Logic moved to another file, keeping the permalink commit reference so it's unaffected by any changes in the file referenced in future.

---

docs: Heading corrections

Consistency pass. Helps with the Table of Contents (top-right UI) aka Document Outline.
docs: codefence cleanup

---

docs: misc cleanup

---

docs: Add Admonitions

Switches `<details>` usage for collapsible admonitions (`???`) while other text content is switched to the visually more distinct admoniton (`!!!` or `???+`) style.

This does affect editor syntax highlighting a bit and markdown linting as it's custom non-standard markdown syntax.
2021-03-25 11:49:24 +13:00
Germain Masse ee557c9e3f Command-line to verify certificate dates 2020-11-29 20:23:43 +01:00
Germain Masse 77308d269d Moving Caddy pitfall to a dedicated section 2020-11-29 19:44:50 +01:00
Dorian Ayllón 28a5fb6436 Fix example YAML markdown code block 2020-10-21 17:08:34 +02:00
squash 4fc4fe97f7 Update for key_type global option with Caddy v2 for people sharing their LE certs between Caddy and docker-mailserver 2020-10-01 14:06:51 -04:00
Georg Lauterbach 4424495f63 Traefik2's wildcard certificates now work with :stable 2020-09-26 14:52:36 +02:00
Erik Wramner 6dce6c6cf7 Changed stable to latest for Traefik as the code has not been merged into stable yet 2020-08-07 09:54:31 +02:00
Michael 6f04051ffd traefik v2 section added 2020-07-16 21:12:50 +02:00
Brennan Kinney 4a53a2566a Add flowchart for SMTP, expand on inbound/outband SMTP traffic and ports 2020-06-13 20:44:34 +12:00
Brennan Kinney acf3d88d43 Initial more details page to redirect from README on the ports section 2020-06-12 20:19:52 +12:00
Jean-Denis Vauguet 943b4a9f71 Updated Configure SSL (markdown) 2020-05-29 10:25:02 +02:00
Jean-Denis Vauguet bbcc7e3038 better not to keep outdated example, upstream's doc is the way to go 2020-05-29 10:23:58 +02:00
rhyst 087a4ae750 Adding instructions for Caddy V2 2020-05-11 17:52:25 +01:00
Erik Wramner 2e0284ded3 Added note about caddy 2020-05-04 08:01:53 +02:00
youtous 404ac5a438 add ssl doc: traefik 2020-04-23 15:49:52 +02:00
Hans-Cees Speel 88e1d453f0 Updated Configure SSL (markdown) 2020-02-25 14:27:31 +01:00
Hans-Cees Speel 4ca57b8e9e Updated Configure SSL (markdown) 2020-02-25 14:24:36 +01:00
Vilius 2305c464bb Fixed a typo in docker repository name (certbot instead of cerbot) 2019-11-17 11:47:23 +02:00
Germain Masse 2ebea365e6 Replace deliveries/certbot docker image by official certbot/cerbot 2019-11-04 19:36:52 +01:00
Andreas Perhab 37966e425d path for generated certificates has changed 2019-10-11 12:10:23 +02:00
lukas 96524e30b4 Updated Configure SSL (markdown) 2019-08-23 12:35:00 -06:00
lukas eb9c857903 Updated Configure SSL (markdown) 2019-08-22 10:12:23 -06:00
MegaXLR 2df81a970b LetsEncrypt has a http challenge that runs http and https. 2019-04-19 14:15:44 +02:00
Anne 5d29e8e8c9 Updated Configure SSL (markdown) 2019-02-20 15:00:22 +01:00
Anne 225de9aadb Updated Configure SSL (markdown) 2019-02-20 14:50:48 +01:00
Anne 2500b0704c Updated Configure SSL (markdown) 2019-02-20 14:46:54 +01:00