g4rf / dockerized-mailcow-mailman

This guide aims to install and configure mailcow-dockerized with docker-mailman and to provide some useful scripts.
MIT License

Mailcow without proxy #7

Open rkcreation opened 7 months ago

rkcreation commented 7 months ago

Hi

I have achieved a mailcow + mailman setup without the need for an Apache reverse proxy. I instead use a custom site on mailcow's nginx, so certs are already handled by mailcow.

In /opt/mailcow-dockerized:

nano docker-compose.override.yml

services:
  postfix-mailcow:
    volumes:
      - /opt/mailman:/opt/mailman
    networks:
      - docker-mailman_mailman
  nginx-mailcow:
    volumes:
      - /opt/mailman:/opt/mailman
    networks:
      - docker-mailman_mailman

networks:
  docker-mailman_mailman:
    external: true

nano data/conf/nginx/mailman.conf

server {
  ssl_certificate /etc/ssl/mail/cert.pem;
  ssl_certificate_key /etc/ssl/mail/key.pem;
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_prefer_server_ciphers on;
  ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256>  ssl_ecdh_curve X25519:X448:secp384r1:secp256k1;
  ssl_session_cache shared:SSL:50m;
  ssl_session_timeout 1d;
  ssl_session_tickets off;
  index index.php index.html;
  client_max_body_size 0;
  root /web;
  include /etc/nginx/conf.d/listen_plain.active;
  include /etc/nginx/conf.d/listen_ssl.active;
  server_name lists.bapla.cloud;
  server_tokens off;

  location ^~ /.well-known/acme-challenge/ {
    allow all;
    default_type "text/plain";
  }

  if ($scheme = http) {
    return 301 https://$host$request_uri;
  }

  location /static/ {
    alias /opt/mailman/web/static/;
  }

  location /favicon.ico {
    alias /opt/mailman/web/static/hyperkitty/img/favicon.ico;
  }

  location / {
    uwsgi_pass mailman-web:8080;
    include uwsgi_params;
    client_max_body_size 0;
  }
}

All other things are the same as in the tutorial. Could someone test this and give some feedback?

I find this way simpler, and it works in more cases than proxying mailcow.

ecdlguy commented 1 month ago

Hi, I like the idea of using mailcow's nginx. However, your config file does not pass the nginx config test:

nginx: [emerg] invalid number of arguments in "ssl_ciphers" directive in /etc/nginx/conf.d/mailman.conf:7
nginx: configuration file /etc/nginx/nginx.conf test failed

Is ssl_ciphers really needed? In any case, the following should work:

ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
ssl_ecdh_curve X25519:X448:secp384r1:secp256k1;

cheers, Thorsten

ecdlguy commented 1 month ago

Hi, I've found another issue: if the mailman-web container is down, nginx-mailcow does not start:

[emerg] 18#18: host not found in upstream "mailman-web" in /etc/nginx/conf.d/mailman.conf

Adding the docker dns as a resolver does not seem to work or I did something wrong.

Edit: this seems to work:

  location / {
    resolver 127.0.0.11 valid=30s;
    set $custom_upstream mailman-web;
    uwsgi_pass $custom_upstream:8080;
    include uwsgi_params;
    client_max_body_size 0;
  }

rkcreation commented 4 weeks ago

You're right, it's a mistake on my part in the nginx config; it's OK with this:

ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
ssl_ecdh_curve X25519:X448:secp384r1:secp256k1;

Your second comment also seems to work 👍
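As an added example (not code from the thread or the project), a small pre-flight check that catches the two defects found above before `nginx -t` or a failed container start does: an `ssl_ciphers` directive with more than one argument, and a `uwsgi_pass` target written as a literal host without a `resolver`, which makes nginx-mailcow refuse to start whenever mailman-web is down. The function names and the two sample configs are constructed for this example.

```python
# Constructed sample: the thread's server block reduced to its two defects
# (a wrapped/truncated ssl_ciphers line and a literal uwsgi_pass host).
BROKEN_CONF = """server {
  ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256>  ssl_ecdh_curve X25519:X448;
  location / {
    uwsgi_pass mailman-web:8080;
    include uwsgi_params;
  }
}
"""

# Constructed sample: the same block with both fixes from the thread applied.
FIXED_CONF = """server {
  ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256;
  ssl_ecdh_curve X25519:X448;
  location / {
    resolver 127.0.0.11 valid=30s;
    set $custom_upstream mailman-web;
    uwsgi_pass $custom_upstream:8080;
    include uwsgi_params;
  }
}
"""

def directives(conf):
    """Yield (name, args) per simple directive; block braces and comments are skipped."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.endswith("{") or line == "}":
            continue
        tokens = line.rstrip(";").split()
        yield tokens[0], tokens[1:]

def check_mailman_conf(conf):
    findings = []
    parsed = list(directives(conf))
    has_resolver = any(name == "resolver" for name, _ in parsed)
    for name, args in parsed:
        # nginx takes exactly one argument here; a wrapped or truncated line
        # yields extra tokens and "invalid number of arguments" at config test.
        if name == "ssl_ciphers" and len(args) != 1:
            findings.append(f"ssl_ciphers has {len(args)} arguments, expected 1")
        # A literal upstream host is resolved once at startup, so nginx will not
        # start while mailman-web is down; a variable plus resolver defers lookup.
        if name in ("uwsgi_pass", "proxy_pass") and args:
            if "$" not in args[0]:
                findings.append(f"{name} {args[0]}: literal host, use a variable and a resolver")
            elif not has_resolver:
                findings.append(f"{name} {args[0]}: variable used but no resolver directive")
    return findings
```

Run it over data/conf/nginx/mailman.conf before restarting nginx-mailcow; an empty list means both checks passed.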