data | ||
.env | ||
.gitignore | ||
docker-compose.yml | ||
mailcow.conf | ||
README.md |
mailcow-dockerized
mailcow dockerized comes with 11 containers linked in a mailcow network: Dovecot, Memcached, Redis, MariaDB, PowerDNS Recursor, PHP-FPM, Postfix, Nginx, Rmilter, Rspamd and SOGo.
All configurations were written with security in mind.
Exposed ports:
Name | Service | Hostname, Alias | External bindings | Internal bindings |
---|---|---|---|---|
postfix-mailcow | Postfix | ${MAILCOW_HOSTNAME}, postfix | 25/tcp, 465/tcp, 587/tcp | 588/tcp |
dovecot-mailcow | Dovecot | ${MAILCOW_HOSTNAME}, dovecot | 110/tcp, 143/tcp, 993/tcp, 995/tcp, 4190/tcp | 24/tcp, 10001/tcp |
nginx-mailcow | Nginx | nginx | 443/tcp | 80/tcp, 8081/tcp |
pdns-mailcow | PowerDNS | pdns | - | 53/udp |
rspamd-mailcow | Rspamd | rspamd | - | 11333/tcp, 11334/tcp |
mariadb-mailcow | MariaDB | mysql | - | 3306/tcp |
rmilter-mailcow | Rmilter | rmilter | - | 9000/tcp |
phpfpm-mailcow | PHP FPM | phpfpm | - | 9000/tcp |
sogo-mailcow | SOGo | sogo | - | 9000/tcp |
redis-mailcow | Redis | redis | - | 6379/tcp |
memcached-mailcow | Memcached | memcached | - | 11211/tcp |
All containers share a network "mailcow-network" with the subnet 172.22.1.0/24 - if you want to change it, set it in the composer file. IPs are dynamic except for PowerDNS resolver which has a static ip address 172.22.1.2.
FAQ
- rspamd learns mail as spam or ham when you move a message in or out of the junk folder to any mailbox besides trash.
- rspamd auto-learns mail when a high or low score is detected (see https://rspamd.com/doc/configuration/statistic.html#autolearning)
- You can upgrade SOGo by running
docker-compose up -d sogo-mailcow nginx-mailcow
. - Only Postfix and Rspamd use the PowerDNS resolver for DNSSEC.
- Linking to existing redis and memcached containers will be possible soon
Installation
-
You need Docker and Docker Compose. Most systems can install Docker by running
wget -qO- https://get.docker.com/ | sh
- see this link for installing Docker Compose. -
Clone this repository and configure
mailcow.conf
, do not use special chars in passwords in this file (will be fixed soon). -
docker-compose up -d
- leave the-d
out for a wall of logs in case of debugging.
Done.
You can now access https://${MAILCOW_HOSTNAME} with the default credentials admin
+ password moohoo
. The database will be initialized when you first visit the UI.
Configuration after installation
Rspamd UI access
If you want to use Rspamds web UI, you need to set a Rspamd controller password:
# Generate hash
docker-compose exec rspamd-mailcow rspamadm pw
Replace given hash in data/conf/rspamd/override.d/worker-controller.inc:
enable_password = "myhash";
Restart rspamd:
docker-compose restart rspamd-mailcow
Open https://${MAILCOW_HOSTNAME}/rspamd in a browser.
SSL (and: How to use Let's Encrypt)
mailcow dockerized comes with a snakeoil CA "mailcow" and a server certificate in data/assets/ssl
. Please use your own trusted certificates.
Use Let's Encrypt
Get the certbot client:
wget https://dl.eff.org/certbot-auto -O /usr/local/sbin/certbot && chmod +x /usr/local/sbin/certbot
Please disable applications blocking port 80 and run certbot:
certbot-auto certonly \
--standalone \
--standalone-supported-challenges http-01 \
-d ${MAILCOW_HOSTNAME} \
--email you@example.org \
--agree-tos
Create hard links to the full path of the new certificates. Assuming you are still in the mailcow root folder:
mv data/assets/ssl/cert.{pem,pem.backup}
mv data/assets/ssl/key.{pem,pem.backup}
ln $(readlink -f /etc/letsencrypt/live/${MAILCOW_HOSTNAME}/fullchain.pem) data/assets/ssl/cert.pem
ln $(readlink -f /etc/letsencrypt/live/${MAILCOW_HOSTNAME}/privkey.pem) data/assets/ssl/key.pem
Restart containers which use the certificate:
docker-compose restart postfix-mailcow
docker-compose restart dovecot-mailcow
docker-compose restart nginx-mailcow
When renewing certificates, run the last two steps (link + restart) as post-hook in certbot.
More useful commands and examples (todo: move to wiki soon)
Logs
You can use docker-compose logs $service-name
for almost all containers. Only rmilter does not log to stdout. You can check rspamd logs for rmilter responses.
MariaDB
Connect to MariaDB database:
source mailcow.conf
docker-compose exec mariadb-mailcow mysql -u${DBUSER} -p${DBPASS} ${DBNAME}
Init schema (will be auto-installed by mailcow UI, but just in case...):
source mailcow.conf
docker-compose exec mariadb-mailcow mysql -u${DBUSER} -p${DBPASS} ${DBNAME} < data/web/inc/init.sql
Reset mailcow admin to admin:moohoo
:
source mailcow.conf
docker-compose exec mariadb-mailcow mysql -u${DBUSER} -p${DBPASS} ${DBNAME} -e "DROP TABLE admin; DROP TABLE domain_admins"
# Open mailcow UI to auto-init the db
Backup and restore database:
source mailcow.conf
# Create
DATE=$(date +"%Y%m%d_%H%M%S")
docker-compose exec mariadb-mailcow mysqldump --default-character-set=utf8mb4 -u${DBUSER} -p${DBPASS} ${DBNAME} > backup_${DBNAME}_${DATE}.sql
# Restore
docker exec -i mariadb-mailcow mysql -u${DBUSER} -p${DBPASS} ${DBNAME} < ${1}
Redis
Connect to redis key store:
docker-compose exec redis-mailcow redis-cli
Use rspamadm:
docker-compose exec rspamd-mailcow rspamadm --help
Use rspamc:
docker-compose exec rspamd-mailcow rspamc --help
Use doveadm:
docker-compose exec dovecot-mailcow doveadm
Remove persistent data
MariaDB:
docker-compose down
rm -rf data/db/mysql/*
docker-compose up
Redis:
## It is almost always enough to just flush all keys:
docker-compose exec redis-mailcow redis-cli FLUSHALL
Scale it
You can scale services for mailcow:
docker-compose scale rspamd-mailcow=2
docker-compose scale rmilter-mailcow=3
# ...