From a845286b963ef4f33c96fd83cdcafa1f32bb6d2b Mon Sep 17 00:00:00 2001
From: Joerg Lehmann
Date: Fri, 4 Feb 2022 17:08:20 +0100
Subject: [PATCH] Initial commit

---
 README.md | 234 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 234 insertions(+)
 create mode 100644 README.md

diff --git a/README.md b/README.md
new file mode 100644
index 0000000..72dec98
--- /dev/null
+++ b/README.md
@@ -0,0 +1,234 @@
+# mailserver - Mail Server mail.nbit.ch (mit MailCow)
+
+Spezifikaktion:
+- Ubuntu Server 20.04
+- Hetzner Cloud Server CX31
+ - 2 vCPUs
+ - 8 GB RAM
+ - 80 GB Disk
+- mailcow (Docker-basiert)
+
+## Erstellen des Servers
+
+Mit dem Binary hcloud von:
+https://github.com/hetznercloud/cli
+
+Temporaer einen API Key erstellen (nachher wieder loeschen)
+
+```bash
+$ hcloud context create nbit.ch
+$ hcloud image list # zeigt moegliche Images
+$ hcloud server-type list # zeigt moegliche Typen
+
+$ hcloud server create --name mail --image ubuntu-20.04 --type cx31 --ssh-key joerg@cinnamon.nbit.ch
+$ hcloud server set-rdns mail --hostname mail.nbit.ch
+$ IPV6="$(hcloud server ip mail -6)"
+$ hcloud server set-rdns mail --ip $IPV6 --hostname mail.nbit.ch
+```
+
+DNS Eintraege erstellen:
+```bash
+$ hcloud server ip mail
+$ hcloud server ip mail -6
+```
+
+```bash
+# apt update
+# apt upgrade
+
+Servername setzen:
+# hostnamectl set-hostname mail.nbit.ch
+```
+
+Add Swap Space as documented in Mailcow Doc (but we use 2GB):
+
+```bash
+see https://linuxize.com/post/how-to-add-swap-space-on-ubuntu-20-04/
+
+root@mail:~# fallocate -l 2G /swapfile
+root@mail:~# chmod 600 /swapfile
+root@mail:~# mkswap /swapfile
+Setting up swapspace version 1, size = 2 GiB (2147479552 bytes)
+no label, UUID=1fa59ad9-218c-42d1-8082-e19a6a62a7f2
+root@mail:~# swapon /swapfile
+root@mail:~# echo "/swapfile swap swap defaults 0 0" >>/etc/fstab
+```
+
+```bash
+Root-Passwort setzen (das machen wir von Hand)
+
+ssh-Root-Passwort-Login disablen:
+/etc/ssh/sshd_config:
+PermitRootLogin without-password
+
+
+NTP einrichten:
+# vim /etc/systemd/timesyncd.conf
+[Time]
+Servers=0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org
+```
+
+
+## Docker CE Installieren
+
+```bash
+# curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
+# echo \
+ "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu \
+ $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
+# apt-get update
+# apt-get install docker-ce docker-ce-cli containerd.io
+```
+
+## Install MailCow
+
+```bash
+# cd /opt
+# apt-get install git
+# apt-get install mailutils
+# curl -L https://github.com/docker/compose/releases/download/$(curl -Ls https://www.servercow.de/docker-compose/latest.php)/docker-compose-$(uname -s)-$(uname -m) > /usr/local/bin/docker-compose
+# chmod +x /usr/local/bin/docker-compose
+# git clone https://github.com/mailcow/mailcow-dockerized
+# cd mailcow-dockerized
+# ./generate_config.sh
+
+- change mailcow.conf if needed
+WATCHDOG_NOTIFY_EMAIL=drpuur@gmail.com
+
+# init 6
+# docker-compose pull
+# docker-compose up -d
+
+You can now access https://${MAILCOW_HOSTNAME} with the default credentials admin + password moohoo.
+```
+
+## Install Mailcow CLI
+
+see https://pypi.org/project/python-mailcow/
+
+```bash
+# apt install python3-pip
+# pip install python-mailcow
+# mailcow --create-example-config
+Edit settings in ~/.config/python-mailcow.cfg
+
+# mailcow help
+```
+
+
+## Firewall
+
+```bash
+# ufw default deny incoming
+# ufw default allow outgoing
+# ufw allow ssh
+# ufw allow http
+# ufw allow https
+# ufw allow smtp
+# ufw allow smtps
+# ufw allow submission
+# ufw allow imap
+# ufw allow imaps
+# ufw allow pop3
+# ufw allow pop3s
+# ufw allow sieve
+# ufw allow ntp
+# ufw enable
+```
+
+## fail2ban auf Host fuer ssh
+
+```bash
+# apt install fail2ban
+# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
+edit /etc/fail2ban/jail.local:
+enabled = true unterhalb [sshd]
+
+Check, wer gebanned ist:
+# fail2ban-client status sshd
+```
+
+## Mailcow anpassen
+
+Redirect HTTP to HTTPS, see https://mailcow.github.io/mailcow-dockerized-docs/u_e-80_to_443/
+
+```bash
+Relayhosts erlauben in extra.cf:
+mynetworks = 127.0.0.0/8,[::ffff:127.0.0.0]/104,[::1]/128,[fe80::]/10 172.22.1.0/24,[fd4d:6169:6c63:6f77::]/64,65.21.3.242/32,[2a01:4f9:c010:24a0::1]/128,65.21.56.41/32,[2a01:4f9:c010:332f::1]/128,65.21.52.32/32,[2a01:4f9:c010:ef23::1]/128,168.119.240.108/32,[2a01:4f8:c010:7e62::1]/128,95.216.148.212/32,[2a01:4f9:c010:5dd::1]/128,195.201.222.24/32,[2a01:4f8:1c1c:2622::1]/128,23.88.33.113/32,[2a01:4f8:c010:90e1::1]/128
+
+Disable Greylisting:
+data/conf/rspamd/local.d/greylist.conf:
+enabled = false;
+```
+
+siehe https://mailcow.github.io/mailcow-dockerized-docs/firststeps-trust_networks/
+
+## Mails migrieren vom alten Server
+
+Mails transferieren:
+
+```bash
+Auf Fedora Workstation:
+# yum install imapsync
+$ imapsync --noauthmd5 --ssl1 --host1 mail9.nbit.ch --user1 'nbitinf' --password1 '123' --ssl2 --host2 pepper.nbit.ch --user2 'nbitinf' --password2 '123'
+
+--dry, um das ganze zu simulieren
+```
+
+
+## Mail Domains und Users einrichten
+
+```bash
+Mailbox erstellen:
+# mailcow mailbox add --domain linux-freelancer.ch --local_part info --password '{SSHA256}eXv7XwV9Uy1vEMYCCYL3IDKcUTmFYPokzAsckPSIuj8xMTQ0MjU4NzU4NTU4MzBkOTJjNjhmYjQuNzMwMTgzNzg=' --password2 '{SSHA256}eXv7XwV9Uy1vEMYCCYL3IDKcUTmFYPokzAsckPSIuj8xMTQ0MjU4NzU4NTU4MzBkOTJjNjhmYjQuNzMwMTgzNzg=' --active
+
+Passwort aendern:
+# mailcow mailbox edit --item info@linux-freelancer.ch --password '{SSHA256}eXv7XwV9Uy1vEMYCCYL3IDKcUTmFYPokzAsckPSIuj8xMTQ0MjU4NzU4NTU4MzBkOTJjNjhmYjQuNzMwMTgzNzg=' --password2 '{SSHA256}eXv7XwV9Uy1vEMYCCYL3IDKcUTmFYPokzAsckPSIuj8xMTQ0MjU4NzU4NTU4MzBkOTJjNjhmYjQuNzMwMTgzNzg=' --active
+```
+
+
+## Backup Server
+
+```bash
+# apt install restic
+# mkdir /backup
+# mkdir /backup-restic
+# restic init --repo /backup-restic/restic-repo-$(hostname --short) # Passwort in Keepass
+# cat /etc/cron.d/backup_mailcow </dev/null
+HERE
+
+Restic Script:
+
+/usr/local/bin/backup-to-disk.sh
+#!/bin/bash
+# Backup der wichtigsten Verzeichnisse nach einem Verzeichnis
+#
+# Es wird restic verwendet.
+#
+PATH=$PATH:/usr/local/bin
+export RESTIC_PASSWORD="$(hostname --short)7355"
+restic backup --quiet --repo /backup-restic/restic-repo-$(hostname --short) /etc /var /opt /var/lib/docker/volumes /usr/local/bin /backup --exclude=/var/log
+
+if [ $? -eq 0 ]; then
+ restic forget --quiet --repo /backup-restic/restic-repo-$(hostname --short) --keep-daily 7 --keep-weekly 5 --keep-monthly 12 --keep-yearly 20 --prune
+else
+ >&2 echo "Problem with restic Backup $(hostname --short)"
+fi
+
+/etc/cron.d/backup-to-disk:
+#
+# Backup important Files to Disk
+#
+55 4 * * * root /usr/local/bin/backup-to-disk.sh >/dev/null
+
+Backup auf Storag Box:
+
+# cat > /etc/cron.d/rsync-backup-to-other-host </dev/null
+HERE
+```