drpuur
/
mailserver-mailcow
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
mailserver-mailcow/README.md

235 lines
6.7 KiB
Markdown
Raw Blame History

# mailserver - Mail Server mail.nbit.ch (mit MailCow)
Spezifikaktion:
- Ubuntu Server 20.04
- Hetzner Cloud Server CX31
- 2 vCPUs
- 8 GB RAM
- 80 GB Disk
- mailcow (Docker-basiert)
## Erstellen des Servers
Mit dem Binary hcloud von:
https://github.com/hetznercloud/cli
Temporaer einen API Key erstellen (nachher wieder loeschen)
```bash
$ hcloud context create nbit.ch
$ hcloud image list # zeigt moegliche Images
$ hcloud server-type list # zeigt moegliche Typen
$ hcloud server create --name mail --image ubuntu-20.04 --type cx31 --ssh-key joerg@cinnamon.nbit.ch
$ hcloud server set-rdns mail --hostname mail.nbit.ch
$ IPV6="$(hcloud server ip mail -6)"
$ hcloud server set-rdns mail --ip $IPV6 --hostname mail.nbit.ch
```
DNS Eintraege erstellen:
```bash
$ hcloud server ip mail
$ hcloud server ip mail -6
```
```bash
# apt update
# apt upgrade
Servername setzen:
# hostnamectl set-hostname mail.nbit.ch
```
Add Swap Space as documented in Mailcow Doc (but we use 2GB):
```bash
see https://linuxize.com/post/how-to-add-swap-space-on-ubuntu-20-04/
root@mail:~# fallocate -l 2G /swapfile
root@mail:~# chmod 600 /swapfile
root@mail:~# mkswap /swapfile
Setting up swapspace version 1, size = 2 GiB (2147479552 bytes)
no label, UUID=1fa59ad9-218c-42d1-8082-e19a6a62a7f2
root@mail:~# swapon /swapfile
root@mail:~# echo "/swapfile swap swap defaults 0 0" >>/etc/fstab
```
```bash
Root-Passwort setzen (das machen wir von Hand)
ssh-Root-Passwort-Login disablen:
/etc/ssh/sshd_config:
PermitRootLogin without-password
NTP einrichten:
# vim /etc/systemd/timesyncd.conf
[Time]
Servers=0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org
```
## Docker CE Installieren
```bash
# curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
# echo \
"deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu \
$(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
# apt-get update
# apt-get install docker-ce docker-ce-cli containerd.io
```
## Install MailCow
```bash
# cd /opt
# apt-get install git
# apt-get install mailutils
# curl -L https://github.com/docker/compose/releases/download/$(curl -Ls https://www.servercow.de/docker-compose/latest.php)/docker-compose-$(uname -s)-$(uname -m) > /usr/local/bin/docker-compose
# chmod +x /usr/local/bin/docker-compose
# git clone https://github.com/mailcow/mailcow-dockerized
# cd mailcow-dockerized
# ./generate_config.sh
- change mailcow.conf if needed
WATCHDOG_NOTIFY_EMAIL=drpuur@gmail.com
# init 6
# docker-compose pull
# docker-compose up -d
You can now access https://${MAILCOW_HOSTNAME} with the default credentials admin + password moohoo.
```
## Install Mailcow CLI
see https://pypi.org/project/python-mailcow/
```bash
# apt install python3-pip
# pip install python-mailcow
# mailcow --create-example-config
Edit settings in ~/.config/python-mailcow.cfg
# mailcow help
```
## Firewall
```bash
# ufw default deny incoming
# ufw default allow outgoing
# ufw allow ssh
# ufw allow http
# ufw allow https
# ufw allow smtp
# ufw allow smtps
# ufw allow submission
# ufw allow imap
# ufw allow imaps
# ufw allow pop3
# ufw allow pop3s
# ufw allow sieve
# ufw allow ntp
# ufw enable
```
## fail2ban auf Host fuer ssh
```bash
# apt install fail2ban
# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
edit /etc/fail2ban/jail.local:
enabled = true unterhalb [sshd]
Check, wer gebanned ist:
# fail2ban-client status sshd
```
## Mailcow anpassen
Redirect HTTP to HTTPS, see https://mailcow.github.io/mailcow-dockerized-docs/u_e-80_to_443/
```bash
Relayhosts erlauben in extra.cf:
mynetworks = 127.0.0.0/8,[::ffff:127.0.0.0]/104,[::1]/128,[fe80::]/10 172.22.1.0/24,[fd4d:6169:6c63:6f77::]/64,65.21.3.242/32,[2a01:4f9:c010:24a0::1]/128,65.21.56.41/32,[2a01:4f9:c010:332f::1]/128,65.21.52.32/32,[2a01:4f9:c010:ef23::1]/128,168.119.240.108/32,[2a01:4f8:c010:7e62::1]/128,95.216.148.212/32,[2a01:4f9:c010:5dd::1]/128,195.201.222.24/32,[2a01:4f8:1c1c:2622::1]/128,23.88.33.113/32,[2a01:4f8:c010:90e1::1]/128
Disable Greylisting:
data/conf/rspamd/local.d/greylist.conf:
enabled = false;
```
siehe https://mailcow.github.io/mailcow-dockerized-docs/firststeps-trust_networks/
## Mails migrieren vom alten Server
Mails transferieren:
```bash
Auf Fedora Workstation:
# yum install imapsync
$ imapsync --noauthmd5 --ssl1 --host1 mail9.nbit.ch --user1 'nbitinf' --password1 '123' --ssl2 --host2 pepper.nbit.ch --user2 'nbitinf' --password2 '123'
--dry, um das ganze zu simulieren
```
## Mail Domains und Users einrichten
```bash
Mailbox erstellen:
# mailcow mailbox add --domain linux-freelancer.ch --local_part info --password '{SSHA256}eXv7XwV9Uy1vEMYCCYL3IDKcUTmFYPokzAsckPSIuj8xMTQ0MjU4NzU4NTU4MzBkOTJjNjhmYjQuNzMwMTgzNzg=' --password2 '{SSHA256}eXv7XwV9Uy1vEMYCCYL3IDKcUTmFYPokzAsckPSIuj8xMTQ0MjU4NzU4NTU4MzBkOTJjNjhmYjQuNzMwMTgzNzg=' --active
Passwort aendern:
# mailcow mailbox edit --item info@linux-freelancer.ch --password '{SSHA256}eXv7XwV9Uy1vEMYCCYL3IDKcUTmFYPokzAsckPSIuj8xMTQ0MjU4NzU4NTU4MzBkOTJjNjhmYjQuNzMwMTgzNzg=' --password2 '{SSHA256}eXv7XwV9Uy1vEMYCCYL3IDKcUTmFYPokzAsckPSIuj8xMTQ0MjU4NzU4NTU4MzBkOTJjNjhmYjQuNzMwMTgzNzg=' --active
```
## Backup Server
```bash
# apt install restic
# mkdir /backup
# mkdir /backup-restic
# restic init --repo /backup-restic/restic-repo-$(hostname --short) # Passwort in Keepass
# cat /etc/cron.d/backup_mailcow <<HERE
# Backup Mailcow
30 4 * * * root MAILCOW_BACKUP_LOCATION=/backup /opt/mailcow-dockerized/helper-scripts/backup_and_restore.sh backup all --delete-days 3 >/dev/null
HERE
Restic Script:
/usr/local/bin/backup-to-disk.sh
#!/bin/bash
# Backup der wichtigsten Verzeichnisse nach einem Verzeichnis
#
# Es wird restic verwendet.
#
PATH=$PATH:/usr/local/bin
export RESTIC_PASSWORD="$(hostname --short)7355"
restic backup --quiet --repo /backup-restic/restic-repo-$(hostname --short) /etc /var /opt /var/lib/docker/volumes /usr/local/bin /backup --exclude=/var/log
if [ $? -eq 0 ]; then
restic forget --quiet --repo /backup-restic/restic-repo-$(hostname --short) --keep-daily 7 --keep-weekly 5 --keep-monthly 12 --keep-yearly 20 --prune
else
>&2 echo "Problem with restic Backup $(hostname --short)"
fi
/etc/cron.d/backup-to-disk:
#
# Backup important Files to Disk
#
55 4 * * * root /usr/local/bin/backup-to-disk.sh >/dev/null
Backup auf Storag Box:
# cat > /etc/cron.d/rsync-backup-to-other-host <<HERE
#
# Rsync /backup-restic to backup space
#
20 5 * * * root /usr/bin/rsync -avzH --delete --numeric-ids -e 'ssh -p23' /restic-backup u152662@u152662.your-storagebox.de:mail-backup-restic-rsync >/dev/null
HERE
```
Reference in New Issue View Git Blame Copy Permalink