diff --git a/mailu/README.md b/mailu/README.md index 4bfc9d4..a77eaf3 100644 --- a/mailu/README.md +++ b/mailu/README.md @@ -1,6 +1,8 @@ # Mailu ## Setup +Set the following environment variables: +* `Domain`: the TLD Set the following (sensitive) environment variables: * `RELAYUSER` @@ -11,6 +13,7 @@ Set the following (sensitive) environment variables: apt-get install pwgen pwgen 16 1 ``` +* `API_TOKEN`: a random string of at least 3 characters. Use `pwgen`. Then upload the `mailu.env` file into Portainer and populate the environment. diff --git a/mailu/docker-compose.yml b/mailu/docker-compose.yml index ba01f3f..115ae78 100644 --- a/mailu/docker-compose.yml +++ b/mailu/docker-compose.yml @@ -1,3 +1,6 @@ +# This file is auto-generated by the Mailu configuration wizard. +# Please read the documentation before attempting any change. +# Generated for compose flavor networks: default: @@ -10,7 +13,11 @@ networks: webmail: driver: bridge - noinet: + oletools: + driver: bridge + internal: true + + fts_attachments: driver: bridge internal: true 
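Review bot: The new three-line header in docker-compose.yml declares the file auto-generated by the Mailu wizard and warns against changes, but the rest of this commit shows it carrying local customisations (the certdumper service, the Traefik router labels, the `/mnt/ssd-1tb` bind mounts) that a regenerated file would not contain, and the third line `# Generated for compose flavor` looks truncated. A maintainer following the header's advice and re-running the wizard would silently lose those edits. I would replace the third line with something like `# Generated for compose flavor, then hand-edited: certdumper, Traefik labels and bind mounts are local — merge, do not overwrite, when regenerating.`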
@@ -32,53 +39,38 @@ services: dns: - 172.26.0.254 - resolver: - image: ghcr.io/mailu/unbound:${MAILU_VERSION} - restart: unless-stopped - env_file: mailu.env - networks: - default: - ipv4_address: 172.26.0.254 - - certdumper: - image: ghcr.io/mailu/traefik-certdumper:${MAILU_VERSION} - restart: unless-stopped - dns: - - 172.26.0.254 - environment: - - DOMAIN=${DOMAIN} - - TRAEFIK_VERSION=v2 - volumes: - - "/mnt/ssd-1tb/docker/traefik/letsencrypt/patz.family:/traefik" - - "/mnt/ssd-1tb/docker/mailu/certs:/output" - # Core services front: - image: ghcr.io/mailu/nginx:${MAILU_VERSION} + image: ${DOCKER_ORG:-ghcr.io/mailu}/${DOCKER_PREFIX:-}nginx:${MAILU_VERSION:-2024.06} restart: unless-stopped - env_file: ../stack.env + env_file: + - ../stack.env + - mailu.env logging: - driver: json-file - depends_on: - - certdumper - - resolver + driver: journald + options: + tag: mailu-front + ports: + - "127.0.0.1:25:25" + - "127.0.0.1:465:465" + - "127.0.0.1:587:587" + - "127.0.0.1:110:110" + - "127.0.0.1:995:995" + - "127.0.0.1:143:143" + - "127.0.0.1:993:993" + # - "127.0.0.1:4190:4190" -> Sieve, not needed networks: - default - traefik - webmail - dns: - - 172.26.0.254 - ports: - - "25:25" - - "110:110" - - "143:143" - - "465:465" - - "587:587" - - "993:993" - - "995:995" volumes: - "/mnt/ssd-1tb/docker/mailu/certs:/certs" - "/mnt/ssd-1tb/docker/mailu/overrides/nginx:/overrides:ro" + depends_on: + - certdumper + - resolver + dns: + - 172.26.0.254 labels: - "traefik.enable=true" - "traefik.http.routers.mailu-front.rule=Host(`mail.${DOMAIN}`) || Host(`mail.patz.app`) || Host(`mail.whynot.holdings`)" 
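Review bot: Binding 25/465/587/110/995/143/993 on `front` to `127.0.0.1` means the mail protocols are reachable only through whatever host-level proxy forwards them, and Mailu will then see that proxy's address as the client address for every connection unless the proxy speaks PROXY protocol on those ports; the mailu.env hunk at the end of this commit adds `PROXY_PROTOCOL=443` only, and it appears to be the list of ports that expect it. Combined with `AUTH_RATELIMIT_IP=5/hour` (also in this commit) a single shared source address would lock out every client after five failed logins, and the journald/fail2ban-oriented logging would record only the proxy. If a TCP proxy fronts these ports, add them to `PROXY_PROTOCOL` and configure the proxy to send it; if the ports are meant to be public, keep the `"25:25"`-style bindings instead. The `front` service continues past the end of this hunk.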
@@ -92,10 +84,30 @@ services: - "traefik.http.routers.mailu-front.tls.domains[2].sans=mail.whynot.holdings,smtp.whynot.holdings,imap.whynot.holdings" - "traefik.http.services.mailu-front.loadbalancer.server.port=80" + resolver: + image: ${DOCKER_ORG:-ghcr.io/mailu}/${DOCKER_PREFIX:-}unbound:${MAILU_VERSION:-2024.06} + env_file: + - ../stack.env + - mailu.env + logging: + driver: journald + options: + tag: mailu-resolver + restart: unless-stopped + networks: + default: + ipv4_address: 172.26.0.254 + admin: - image: ghcr.io/mailu/admin:${MAILU_VERSION} + image: ${DOCKER_ORG:-ghcr.io/mailu}/${DOCKER_PREFIX:-}admin:${MAILU_VERSION:-2024.06} restart: unless-stopped - env_file: ../stack.env + env_file: + - ../stack.env + - mailu.env + logging: + driver: journald + options: + tag: mailu-admin volumes: - "/mnt/ssd-1tb/docker/mailu/data:/data" - "/mnt/ssd-1tb/docker/mailu/dkim:/dkim" @@ -106,29 +118,41 @@ services: - 172.26.0.254 imap: - image: ghcr.io/mailu/dovecot:${MAILU_VERSION} + image: ${DOCKER_ORG:-ghcr.io/mailu}/${DOCKER_PREFIX:-}dovecot:${MAILU_VERSION:-2024.06} restart: unless-stopped - env_file: ../stack.env + env_file: + - ../stack.env + - mailu.env + logging: + driver: journald + options: + tag: mailu-imap volumes: - "/mnt/ssd-1tb/docker/mailu/mail:/mail" - "/mnt/ssd-1tb/docker/mailu/overrides/dovecot:/overrides:ro" + networks: + - default + - fts_attachments depends_on: - front + - fts_attachments - resolver - networks: - - default dns: - 172.26.0.254 smtp: - image: ghcr.io/mailu/postfix:${MAILU_VERSION} + image: ${DOCKER_ORG:-ghcr.io/mailu}/${DOCKER_PREFIX:-}postfix:${MAILU_VERSION:-2024.06} restart: unless-stopped - env_file: ../stack.env + env_file: + - ../stack.env + - mailu.env + logging: + driver: journald + options: + tag: mailu-smtp volumes: - "/mnt/ssd-1tb/docker/mailu/mailqueue:/queue" - "/mnt/ssd-1tb/docker/mailu/overrides/postfix:/overrides:ro" - networks: - - default depends_on: - front - resolver 
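Review bot: The short-form `depends_on: - fts_attachments` added to `imap` only orders container start, so dovecot can come up before the tika healthcheck declared in the next hunk passes, and the healthcheck then buys nothing for startup. If the compose implementation in use supports the long form (Compose v2 does; hedged because the version is not visible here), expressing the dependency with `condition: service_healthy` makes the wait explicit. The `services:` mapping and the `imap` definition continue outside this hunk.
```yaml
  imap:
    # … unchanged: image, env_file, logging, volumes, networks …
    depends_on:
      front:
        condition: service_started
      resolver:
        condition: service_started
      fts_attachments:
        condition: service_healthy
    # … unchanged: dns …
```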
@@ -136,27 +160,58 @@ services: - 172.26.0.254 oletools: - image: ghcr.io/mailu/oletools:${MAILU_VERSION} + image: ${DOCKER_ORG:-ghcr.io/mailu}/${DOCKER_PREFIX:-}oletools:${MAILU_VERSION:-2024.06} hostname: oletools + logging: + driver: journald + options: + tag: mailu-oletools restart: unless-stopped networks: - - noinet + - oletools depends_on: - resolver dns: - 172.26.0.254 + fts_attachments: + image: apache/tika:2.9.2.1-full + hostname: tika + logging: + driver: journald + options: + tag: mailu-tika + restart: unless-stopped + networks: + - fts_attachments + depends_on: + - resolver + dns: + - 172.26.0.254 + healthcheck: + test: ["CMD-SHELL", "wget -nv -t1 -O /dev/null http://127.0.0.1:9998/tika || exit 1"] + interval: 10s + timeout: 5s + retries: 3 + start_period: 10s + antispam: - image: ghcr.io/mailu/rspamd:${MAILU_VERSION} + image: ${DOCKER_ORG:-ghcr.io/mailu}/${DOCKER_PREFIX:-}rspamd:${MAILU_VERSION:-2024.06} hostname: antispam restart: unless-stopped - env_file: ../stack.env - volumes: - - "/mnt/ssd-1tb/docker/mailu/filter:/var/lib/rspamd" - - "/mnt/ssd-1tb/docker/mailu/overrides/rspamd:/etc/rspamd/override.d" + env_file: + - ../stack.env + - mailu.env + logging: + driver: journald + options: + tag: mailu-antispam networks: - default - - noinet + - oletools + volumes: + - "/mnt/ssd-1tb/docker/mailu/filter:/var/lib/rspamd" + - "/mnt/ssd-1tb/docker/mailu/overrides/rspamd:/overrides:ro" depends_on: - front - redis 
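Review bot: The new `fts_attachments` (tika) service is attached only to the `fts_attachments` network, which the first hunk declares `internal: true`, so its `dns: - 172.26.0.254` and `depends_on: - resolver` point at a resolver on `default` that it cannot reach — harmless (the healthcheck uses `127.0.0.1`), but misleading, and the same applies to `oletools` on its isolated network; dropping those two entries, or adding `# no route to the resolver from an internal-only network; DNS unused`, would make the intent clear. Since tika parses untrusted attachments, I would also cap its resources so a crafted document cannot exhaust the host, e.g. `mem_limit: 1g` and `pids_limit: 200` (values constructed, tune to the host). The rspamd override mount moving to `/overrides:ro` is good; the `antispam` definition continues past the hunk.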
@@ -165,16 +220,38 @@ services: dns: - 172.26.0.254 + # Optional services + + + + # Webmail webmail: - image: ghcr.io/mailu/webmail:${MAILU_VERSION} + image: ${DOCKER_ORG:-ghcr.io/mailu}/${DOCKER_PREFIX:-}webmail:${MAILU_VERSION:-2024.06} restart: unless-stopped - env_file: ../stack.env - networks: - - webmail + env_file: + - ../stack.env + - mailu.env + logging: + driver: journald + options: + tag: mailu-webmail volumes: - "/mnt/ssd-1tb/docker/mailu/webmail:/data" - "/mnt/ssd-1tb/docker/mailu/overrides/roundcube:/overrides:ro" + networks: + - webmail depends_on: - front + + # Certdumper from Traefik + certdumper: + image: ghcr.io/mailu/traefik-certdumper:${MAILU_VERSION} + restart: unless-stopped dns: - 172.26.0.254 + environment: + - DOMAIN=${DOMAIN} + - TRAEFIK_VERSION=v2 + volumes: + - "/mnt/ssd-1tb/docker/traefik/letsencrypt/patz.family:/traefik" + - "/mnt/ssd-1tb/docker/mailu/certs:/output" diff --git a/mailu/mailu.env b/mailu/mailu.env index 88a41e2..192049e 100644 --- a/mailu/mailu.env +++ b/mailu/mailu.env @@ -8,8 +8,6 @@ # Common configuration variables ################################### -MAILU_VERSION=1.9.46 - # Set to a randomly generated 16 bytes string # SECRET_KEY=key @@ -17,11 +15,10 @@ MAILU_VERSION=1.9.46 SUBNET=172.26.0.0/24 # Main mail domain -DOMAIN=patz.family -TRAEFIK_DOMAIN=mail.patz.family +# DOMAIN= -# Hostnames for this server, separated with comas -HOSTNAMES=mail.patz.family,mail.patz.app,mail.whynot.holdings +# Hostnames for this server, separated with commas +HOSTNAMES=mail.patz.family,mail.patz.app,mail.whynot.holdings,mail.martin-patz.de,mail.fam-patz.de # Postmaster local part (will append the main mail domain) POSTMASTER=martin 
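Review bot: The relocated `certdumper` service keeps `image: ghcr.io/mailu/traefik-certdumper:${MAILU_VERSION}` with no default, while every other image in this commit gained `${MAILU_VERSION:-2024.06}` and the mailu.env hunk here removes `MAILU_VERSION=1.9.46`; if that variable reached compose interpolation via the Portainer stack environment the README describes, the tag now resolves to an empty string and the service fails to pull or silently tracks an untagged image. Give it the same form as its siblings, `image: ${DOCKER_ORG:-ghcr.io/mailu}/${DOCKER_PREFIX:-}traefik-certdumper:${MAILU_VERSION:-2024.06}`, provided that tag exists for certdumper. Separately, `DOMAIN` is now commented out in mailu.env but still referenced by `${DOMAIN}` in the certdumper environment and the Traefik labels, and the README hunk spells it `Domain`; variable names are case-sensitive, so the README should say `DOMAIN`.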
@@ -29,11 +26,11 @@ POSTMASTER=martin # Choose how secure connections will behave (value: letsencrypt, cert, notls, mail, mail-letsencrypt) TLS_FLAVOR=mail -# Authentication rate limit per IP (per /24 on ipv4 and /56 on ipv6) -AUTH_RATELIMIT_IP=10/hour +# Authentication rate limit per IP (per /24 on ipv4 and /48 on ipv6) +AUTH_RATELIMIT_IP=5/hour # Authentication rate limit per user (regardless of the source-IP) -AUTH_RATELIMIT_USER=20/day +AUTH_RATELIMIT_USER=50/day # Opt-out of statistics, replace with "True" to opt out DISABLE_STATISTICS=False @@ -45,19 +42,19 @@ DISABLE_STATISTICS=False # Expose the admin interface (value: true, false) ADMIN=true -# Choose which webmail to run if any (values: roundcube, rainloop, none) +# Choose which webmail to run if any (values: roundcube, snappymail, none). To enable this feature, recreate the docker-compose.yml file via setup. WEBMAIL=roundcube # Expose the API interface (value: true, false) -API=false +API=true -# Dav server implementation (value: radicale, none) +# Dav server implementation (value: radicale, none). To enable this feature, recreate the docker-compose.yml file via setup. WEBDAV=none -# Antivirus solution (value: clamav, none) +# Antivirus solution (value: clamav, none). To enable this feature, recreate the docker-compose.yml file via setup. ANTIVIRUS=none -# Scan Macros solution (value: true, false) +# Scan Macros solution (value: true, false). To enable this feature, recreate the docker-compose.yml file via setup. SCAN_MACROS=true ################################### @@ -70,7 +67,7 @@ SCAN_MACROS=true MESSAGE_SIZE_LIMIT=50000000 # Message rate limit (per user) -MESSAGE_RATELIMIT=200/day +MESSAGE_RATELIMIT=300/day # Networks granted relay permissions # Use this with care, all hosts in this networks will be able to send mail without authentication! 
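Review bot: `API=true` enables the RESTful API (served at `WEB_API=/api` in a later hunk) while the credential that protects it stays commented out as `# API_TOKEN=key` in this file's last hunk, and the README hunk describes it as "a random string of at least 3 characters", which is far too short for a bearer token. Set `API_TOKEN` to a long random value with the `pwgen 16 1` recipe the README already gives before flipping `API` on, and correct the README's minimum. The ratelimit comment change to `/48 on ipv6` and the `5/hour` / `50/day` values look intentional but, with the front ports now loopback-bound, depend on correct source addresses (see the front hunk).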
@@ -79,6 +76,9 @@ RELAYNETS= # Will relay all outgoing mails if configured RELAYHOST=smtp-relay.sendinblue.com:587 +# Enable fetchmail +FETCHMAIL_ENABLED=False + # Fetchmail delay FETCHMAIL_DELAY=600 @@ -101,15 +101,17 @@ COMPRESSION= # change compression-level, default: 6 (value: 1-9) COMPRESSION_LEVEL= -# IMAP full-text search is enabled by default. Set the following variable to off in order to disable the feature. -FULL_TEXT_SEARCH=on +# IMAP full-text search is enabled by default. +# Set the following variable to off in order to disable the feature +# or a comma separated list of language codes to support +FULL_TEXT_SEARCH=de,en,es ################################### # Web settings ################################### # Path to redirect / to -WEBROOT_REDIRECT=/webmail +WEBROOT_REDIRECT=/sso/login # Path to the admin interface if enabled WEB_ADMIN=/admin @@ -117,6 +119,9 @@ WEB_ADMIN=/admin # Path to the webmail if enabled WEB_WEBMAIL=/webmail +# Path to the API interface if enabled +WEB_API=/api + # Website name SITENAME=Mailu @@ -124,19 +129,11 @@ SITENAME=Mailu WEBSITE=https://patz.family + ################################### # Advanced settings ################################### -# Log driver for front service. Possible values: -# json-file (default) -# journald (On systemd platforms, useful for Fail2Ban integration) -# syslog (Non systemd platforms, Fail2Ban integration. Disables `docker-compose log` for front!) -# LOG_DRIVER=json-file - -# Docker-compose project name, this will prepended to containers names. -COMPOSE_PROJECT_NAME=mailu - # Number of rounds used by the password hashing scheme CREDENTIAL_ROUNDS=12 
@@ -149,13 +146,20 @@ REAL_IP_FROM=172.26.0.0/24 # choose wether mailu bounces (no) or rejects (yes) mail when recipient is unknown (value: yes, no) REJECT_UNLISTED_RECIPIENT=no +PROXY_PROTOCOL=443 + # Log level threshold in start.py (value: CRITICAL, ERROR, WARNING, INFO, DEBUG, NOTSET) LOG_LEVEL=WARNING # Timezone for the Mailu containers. See this link for all possible values https://en.wikipedia.org/wiki/List_of_tz_database_time_zones TZ=Europe/Berlin -################################### -# Database settings -################################### -DB_FLAVOR=sqlite +# Default spam threshold used for new users +DEFAULT_SPAM_THRESHOLD=80 + +# API token required for authenticating to the RESTful API. +# This is a mandatory setting for using the RESTful API. +# API_TOKEN=key + +# Whether tika should be enabled (scan/OCR email attachements). To enable this feature, recreate the docker-compose.yml file via setup. +FULL_TEXT_SEARCH_ATTACHMENTS=true \ No newline at end of file
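Review bot: `PROXY_PROTOCOL=443` is the only setting in this file added without an explanatory comment, and its effect is unclear: the Traefik label routes HTTP to port 80 of `front`, so unless Traefik is also configured to send PROXY protocol to 443 this value does nothing, and the loopback-bound mail ports that would benefit from it are not listed. Add a comment such as `# Ports on which front expects the PROXY protocol from the upstream proxy; every listed port must be fronted by a proxy that sends it` and verify the port list against the actual proxy setup. Also fix `attachements` to `attachments` in the last comment and add the missing trailing newline after `FULL_TEXT_SEARCH_ATTACHMENTS=true`.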