# mailserver - Mail Server mail.nbit.ch (with MailCow)

Specification:

- Ubuntu Server 20.04
- Hetzner Cloud Server CX31
- 2 vCPUs
- 8 GB RAM
- 80 GB Disk
- mailcow (Docker-based)

## Creating the server

Using the hcloud binary from https://github.com/hetznercloud/cli

Temporarily create an API key (delete it again afterwards):

```bash
$ hcloud context create nbit.ch
$ hcloud image list          # lists the available images
$ hcloud server-type list    # lists the available server types
$ hcloud server create --name mail --image ubuntu-20.04 --type cx31 --ssh-key joerg@cinnamon.nbit.ch
$ hcloud server set-rdns mail --hostname mail.nbit.ch
$ IPV6="$(hcloud server ip mail -6)"
$ hcloud server set-rdns mail --ip "$IPV6" --hostname mail.nbit.ch
```

Create the DNS records using the addresses shown by:

```bash
$ hcloud server ip mail
$ hcloud server ip mail -6
```

Update the system and set the server name:

```bash
# apt update
# apt upgrade
# hostnamectl set-hostname mail.nbit.ch
```

Add swap space as documented in the Mailcow docs (but we use 2 GB), see https://linuxize.com/post/how-to-add-swap-space-on-ubuntu-20-04/

```bash
root@mail:~# fallocate -l 2G /swapfile
root@mail:~# chmod 600 /swapfile
root@mail:~# mkswap /swapfile
Setting up swapspace version 1, size = 2 GiB (2147479552 bytes)
no label, UUID=1fa59ad9-218c-42d1-8082-e19a6a62a7f2
root@mail:~# swapon /swapfile
root@mail:~# echo "/swapfile swap swap defaults 0 0" >>/etc/fstab
```

Set the root password (we do this by hand).

Disable ssh root password login in /etc/ssh/sshd_config (`without-password` is the deprecated spelling of `prohibit-password`; both allow root only with key authentication):

```
PermitRootLogin without-password
```

Set up NTP:

```bash
# vim /etc/systemd/timesyncd.conf
```

```
[Time]
Servers=0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org
```

## Installing Docker CE

```bash
# curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
# echo \
  "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu \
  $(lsb_release -cs) stable" | sudo tee \
  /etc/apt/sources.list.d/docker.list > /dev/null
# apt-get update
# apt-get install docker-ce docker-ce-cli containerd.io
```

## Install MailCow

```bash
# cd /opt
# apt-get install git
# apt-get install mailutils
# curl -L https://github.com/docker/compose/releases/download/$(curl -Ls https://www.servercow.de/docker-compose/latest.php)/docker-compose-$(uname -s)-$(uname -m) > /usr/local/bin/docker-compose
# chmod +x /usr/local/bin/docker-compose
# git clone https://github.com/mailcow/mailcow-dockerized
# cd mailcow-dockerized
# ./generate_config.sh
```

Change mailcow.conf if needed:

```
WATCHDOG_NOTIFY_EMAIL=drpuur@gmail.com
```

```bash
# init 6
# docker-compose pull
# docker-compose up -d
```

You can now access https://${MAILCOW_HOSTNAME} with the default credentials admin + password moohoo. Change this password right after the first login.

## Install Mailcow CLI

See https://pypi.org/project/python-mailcow/

```bash
# apt install python3-pip
# pip install python-mailcow
# mailcow --create-example-config
```

Edit the settings in ~/.config/python-mailcow.cfg, then:

```bash
# mailcow help
```

## Firewall

```bash
# ufw default deny incoming
# ufw default allow outgoing
# ufw allow ssh
# ufw allow http
# ufw allow https
# ufw allow smtp
# ufw allow smtps
# ufw allow submission
# ufw allow imap
# ufw allow imaps
# ufw allow pop3
# ufw allow pop3s
# ufw allow sieve
# ufw allow ntp
# ufw enable
```

## fail2ban on the host for ssh

```bash
# apt install fail2ban
# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
```

Edit /etc/fail2ban/jail.local and set `enabled = true` below `[sshd]`.

Check who is banned:

```bash
# fail2ban-client status sshd
```

## Customising Mailcow

Redirect HTTP to HTTPS, see https://mailcow.github.io/mailcow-dockerized-docs/u_e-80_to_443/

Allow relay hosts in extra.cf. Every network listed in mynetworks may relay through this server without authentication, so keep the entries to single hosts (/32 and /128) as below:

```
mynetworks = 127.0.0.0/8,[::ffff:127.0.0.0]/104,[::1]/128,[fe80::]/10
  172.22.1.0/24,[fd4d:6169:6c63:6f77::]/64,65.21.3.242/32,[2a01:4f9:c010:24a0::1]/128,65.21.56.41/32,[2a01:4f9:c010:332f::1]/128,65.21.52.32/32,[2a01:4f9:c010:ef23::1]/128,168.119.240.108/32,[2a01:4f8:c010:7e62::1]/128,95.216.148.212/32,[2a01:4f9:c010:5dd::1]/128,195.201.222.24/32,[2a01:4f8:1c1c:2622::1]/128,23.88.33.113/32,[2a01:4f8:c010:90e1::1]/128
```

Disable greylisting in data/conf/rspamd/local.d/greylist.conf:

```
enabled = false;
```

See https://mailcow.github.io/mailcow-dockerized-docs/firststeps-trust_networks/

## Migrating mail from the old server

Transfer the mail (on a Fedora workstation):

```bash
# yum install imapsync
$ imapsync --noauthmd5 --ssl1 --host1 mail9.nbit.ch --user1 'nbitinf' --password1 '123' --ssl2 --host2 pepper.nbit.ch --user2 'nbitinf' --password2 '123'
```

Add `--dry` to simulate the whole run first.

## Setting up mail domains and users

Create a mailbox (the password is passed as a Dovecot-style salted SHA-256 hash, scheme `{SSHA256}`, not in clear text):

```bash
# mailcow mailbox add --domain linux-freelancer.ch --local_part info --password '{SSHA256}eXv7XwV9Uy1vEMYCCYL3IDKcUTmFYPokzAsckPSIuj8xMTQ0MjU4NzU4NTU4MzBkOTJjNjhmYjQuNzMwMTgzNzg=' --password2 '{SSHA256}eXv7XwV9Uy1vEMYCCYL3IDKcUTmFYPokzAsckPSIuj8xMTQ0MjU4NzU4NTU4MzBkOTJjNjhmYjQuNzMwMTgzNzg=' --active
```

Change the password:

```bash
# mailcow mailbox edit --item info@linux-freelancer.ch --password '{SSHA256}eXv7XwV9Uy1vEMYCCYL3IDKcUTmFYPokzAsckPSIuj8xMTQ0MjU4NzU4NTU4MzBkOTJjNjhmYjQuNzMwMTgzNzg=' --password2 '{SSHA256}eXv7XwV9Uy1vEMYCCYL3IDKcUTmFYPokzAsckPSIuj8xMTQ0MjU4NzU4NTU4MzBkOTJjNjhmYjQuNzMwMTgzNzg=' --active
```

## Backup Server

```bash
# apt install restic
# mkdir /backup
# mkdir /backup-restic
# restic init --repo /backup-restic/restic-repo-$(hostname --short)
```

The repository password is kept in KeePass.

```bash
# cat /etc/cron.d/backup_mailcow </dev/null HERE
```

Restic script /usr/local/bin/backup-to-disk.sh:

```bash
#!/bin/bash
# Backup of the most important directories to a directory
#
# restic is used.
# PATH=$PATH:/usr/local/bin
export RESTIC_PASSWORD="$(hostname --short)7355"
restic backup --quiet --repo /backup-restic/restic-repo-$(hostname --short) /etc /var /opt /var/lib/docker/volumes /usr/local/bin /backup --exclude=/var/log
if [ $? -eq 0 ]; then
  restic forget --quiet --repo /backup-restic/restic-repo-$(hostname --short) --keep-daily 7 --keep-weekly 5 --keep-monthly 12 --keep-yearly 20 --prune
else
  >&2 echo "Problem with restic Backup $(hostname --short)"
fi
```

The repository password in this script is derived from the hostname, so anyone who can read the script can open the repository; the restic encryption then only protects the backup against readers who have neither the script nor the scheme.

/etc/cron.d/backup-to-disk:

```
#
# Backup important Files to Disk
#
55 4 * * * root /usr/local/bin/backup-to-disk.sh >/dev/null
```

Backup to the Storage Box:

```bash
# cat > /etc/cron.d/rsync-backup-to-other-host </dev/null HERE
```
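The cron job above runs backup-to-disk.sh silently, so a failing backup is only noticed when the script's error line happens to be mailed. The following added example (not part of these notes, and not restic's own code) parses the output of `restic snapshots --json` and reports when the newest snapshot for a host is older than a limit. The key names `time`, `hostname`, `paths` and `short_id` are assumed from restic's JSON output, and the sample snapshot list is constructed, not real data.

```python
"""Freshness check for the restic repository written by backup-to-disk.sh.

Added example: reads `restic snapshots --json` output (assumed keys: "time",
"hostname", "paths", "short_id") and flags hosts whose newest snapshot is
older than a given limit.
"""
import json
import re
import subprocess
from datetime import datetime, timedelta, timezone

# Constructed sample of `restic snapshots --json` output (not real data).
SAMPLE_SNAPSHOTS_JSON = """
[
  {"time": "2021-11-01T04:55:03.123456789+01:00", "hostname": "mail",
   "paths": ["/etc", "/var", "/opt"], "short_id": "a1b2c3d4"},
  {"time": "2021-11-03T04:55:02.000000000+01:00", "hostname": "mail",
   "paths": ["/etc", "/var", "/opt"], "short_id": "e5f6a7b8"},
  {"time": "2021-10-20T04:55:01.000000000+01:00", "hostname": "other",
   "paths": ["/etc"], "short_id": "09c0d1e2"}
]
"""

# Fixed "now" so the sample check is reproducible (constructed).
SAMPLE_NOW = datetime(2021, 11, 3, 12, 0, tzinfo=timezone.utc)


def parse_restic_time(stamp):
    """Parse restic's RFC 3339 timestamp (nanosecond precision) into an aware datetime."""
    stamp = stamp.replace("Z", "+00:00")
    # datetime.fromisoformat accepts at most six fractional digits; drop the rest.
    stamp = re.sub(r"(\.\d{6})\d+", r"\1", stamp)
    return datetime.fromisoformat(stamp)


def newest_snapshot(snapshots, hostname):
    """Return the most recent snapshot dict for hostname, or None if there is none."""
    mine = [s for s in snapshots if s.get("hostname") == hostname]
    if not mine:
        return None
    return max(mine, key=lambda s: parse_restic_time(s["time"]))


def check_freshness(snapshots_json, hostname, now, max_age):
    """Return (ok, message); ok is False when no snapshot exists or the newest is too old."""
    newest = newest_snapshot(json.loads(snapshots_json), hostname)
    if newest is None:
        return False, "no snapshot for host %s" % hostname
    age = now - parse_restic_time(newest["time"])
    if age > max_age:
        return False, "newest snapshot %s is %s old (limit %s)" % (newest["short_id"], age, max_age)
    return True, "newest snapshot %s is %s old" % (newest["short_id"], age)


def check_sample(hostname, max_hours):
    """Run the check against the constructed sample with the fixed SAMPLE_NOW."""
    return check_freshness(SAMPLE_SNAPSHOTS_JSON, hostname, SAMPLE_NOW, timedelta(hours=max_hours))


def run_restic_snapshots(repo):
    """Ask restic itself; RESTIC_PASSWORD must be in the environment, as in backup-to-disk.sh."""
    result = subprocess.run(["restic", "snapshots", "--json", "--repo", repo],
                            check=True, capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; 36 h covers one missed daily run.
    for host in ("mail", "other", "nobody"):
        print(host, check_sample(host, 36))
```

To run it against the real repository, replace the sample with `run_restic_snapshots("/backup-restic/restic-repo-mail")` and `datetime.now(timezone.utc)`, and let cron mail the non-OK result instead of discarding it.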
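The mailbox commands in "Setting up mail domains and users" pass the password as a `{SSHA256}` string. The added example below (mine, not part of the notes, of python-mailcow or of mailcow) builds and verifies that Dovecot scheme, base64(SHA256(password || salt) || salt), so a new hash can be produced locally instead of sending a clear-text password through the CLI, and an existing hash can be checked against a candidate password. The hash string from the notes is reused only to show its structure; the password behind it is not known here.

```python
"""Build and verify Dovecot-style {SSHA256} password hashes.

Added example; scheme as Dovecot documents it:
  "{SSHA256}" + base64( SHA256(password || salt) || salt )
"""
import base64
import hashlib
import hmac
import secrets

PREFIX = "{SSHA256}"
DIGEST_LEN = hashlib.sha256().digest_size  # 32 bytes

# The hash from the notes above, used only to show how it is structured.
HASH_FROM_NOTES = (
    "{SSHA256}eXv7XwV9Uy1vEMYCCYL3IDKcUTmFYPokzAsckPSIuj8x"
    "MTQ0MjU4NzU4NTU4MzBkOTJjNjhmYjQuNzMwMTgzNzg="
)


def make_ssha256(password, salt=None):
    """Return a {SSHA256} string for password; a random 16-byte salt is drawn if none is given."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def split_ssha256(hashed):
    """Return (digest, salt) from a {SSHA256} string; raise ValueError for anything else."""
    if not hashed.startswith(PREFIX):
        raise ValueError("not an {SSHA256} hash")
    raw = base64.b64decode(hashed[len(PREFIX):], validate=True)
    if len(raw) <= DIGEST_LEN:
        raise ValueError("hash too short to contain a salt")
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def verify_ssha256(password, hashed):
    """True if password matches hashed; compared in constant time."""
    digest, salt = split_ssha256(hashed)
    candidate = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed demo password; a real one comes from a password manager.
    h = make_ssha256("example-only-password")
    print(h)
    print(verify_ssha256("example-only-password", h), verify_ssha256("wrong", h))
    digest, salt = split_ssha256(HASH_FROM_NOTES)
    print("digest bytes:", len(digest), "salt bytes:", len(salt))
```

The salt is stored in clear after the digest, which is what lets any Dovecot instance verify the hash; it is a fast unsalted-iteration scheme, so it protects a leaked hash only as well as the password's own entropy does.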
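The `mynetworks` list in "Customising Mailcow" is the set of clients Postfix lets relay without authentication, so it is worth checking which addresses it really trusts and whether any entry is wider than a single host. The added example below (mine, not from the notes, Postfix or mailcow) parses the Postfix syntax used in extra.cf (comma or whitespace separated, IPv6 in brackets, indented continuation lines), answers "is this client trusted?" for a given address, and lists public entries that cover more than one host. The `MYNETWORKS` value is a shortened copy of the list above; the extra `65.21.0.0/16` entry in the demonstration is constructed to show a flagged entry.

```python
"""Parse a Postfix `mynetworks` value and test which clients it trusts.

Added example: Postfix separates entries by commas and/or whitespace, writes
IPv6 networks in brackets ([::1]/128) and continues a value on lines that
start with whitespace, exactly as in the extra.cf fragment above.
"""
import ipaddress
import re

# Shortened copy of the extra.cf value from the notes (same syntax).
MYNETWORKS = """mynetworks = 127.0.0.0/8,[::ffff:127.0.0.0]/104,[::1]/128,[fe80::]/10
  172.22.1.0/24,[fd4d:6169:6c63:6f77::]/64,65.21.3.242/32,[2a01:4f9:c010:24a0::1]/128
"""


def parse_mynetworks(text):
    """Return the ip_network objects named in a mynetworks setting (with or without 'mynetworks =')."""
    value = text.split("=", 1)[1] if "=" in text else text
    nets = []
    for token in re.split(r"[,\s]+", value.strip()):
        if not token:
            continue
        token = token.replace("[", "").replace("]", "")   # strip Postfix IPv6 brackets
        nets.append(ipaddress.ip_network(token, strict=False))
    return nets


def is_trusted(addr, nets):
    """True if addr falls into any listed network of the same IP version."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets if n.version == ip.version)


def wide_public_entries(nets):
    """Entries that cover more than one host and are neither private, loopback nor link-local.

    Loopback, link-local, the Docker network and ULA ranges are expected to be
    wide; a wide public range means unauthenticated relaying for every host in it.
    """
    return [str(n) for n in nets
            if n.num_addresses > 1
            and not (n.is_private or n.is_loopback or n.is_link_local)]


if __name__ == "__main__":
    nets = parse_mynetworks(MYNETWORKS)
    for client in ("127.0.0.1", "172.22.1.250", "65.21.3.242", "65.21.3.243",
                   "2a01:4f9:c010:24a0::1", "2a01:4f9:c010:24a0::2", "::ffff:127.0.0.1"):
        print(client, "trusted" if is_trusted(client, nets) else "not trusted")
    print("wide public entries:", wide_public_entries(nets))
    # Constructed extra entry to show what the check flags.
    print("with 65.21.0.0/16:", wide_public_entries(parse_mynetworks(MYNETWORKS + " 65.21.0.0/16")))
```

Run it against the full value from extra.cf whenever a relay host is added or removed; the expected output for the list above is an empty `wide public entries` list.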