Mailcow Nginx Proxy
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

69 lines
2.5 KiB

4 years ago
# mailcow-dockerized-proxy
4 years ago
4 years ago
Proxy Setup for Mailcow. Includes a simple and tested VPS deploy script that I use. The script will install and configure Golang-go, Docker CE and docker-compose, harden the VPS including deploying mtls certiciates using cfssl to protect the Docker Socket, setup Auditd, Apparmor, USB Guard, and harden SSH.
## Usage
Deploy a new VPS on either Vultr.com or Digital Ocean, select Ubuntu 20.0.4 LTS, choose IPv6 and User Data. Edit and copy the vps script. Digital Ocean uses VPC private addresses and the NIC will be eth0 and eth1, while Vultr uses ens3. Log into the new VPS and create a new user and add the user to the docker group and setup SSH keys for the new user. Make sure to copy the /root/.docker to $HOME/.docker for the new user. Follow the mailcow documents on setting up and installing mailcow.
## Nginx Proxy
Install and configure Nginx and Letsencrypt.
3 years ago
```bash
sudo apt update
sudo apt install -y nginx certbot python3-certbot python3-certbot-nginx
```
4 years ago
## Advanced configuration
3 years ago
To setup the two iptables files simply use the following commands (Remember to edit the rules to your environment first):
4 years ago
3 years ago
```bash
sudo iptables-restore -n $HOME/mailcow-dockerized-proxy/iptables/rules4.conf
sudo ip6tables-restore -n $HOME/mailcow-dockerized-proxy/iptables/rules6.conf
4 years ago
3 years ago
sudo iptables-save
sudo ip6tables-save
4 years ago
3 years ago
sudo apt install iptables-persistent
4 years ago
```
## Letsencrypt
Setup Letsencrypt and add the following to /etc/crontab.
```nano
00 21 16 * * root /usr/bin/certbot renew --agree-tos --email letsencrypt@example.com -n -c /etc/letsencrypt/cli.ini --deploy-hook /etc/letsencrypt/renewal-hooks/post/nginx-reload.sh
```
Example renewal script and configurations.
```bash
sudo nano /etc/letsencrypt/cli.ini
max-log-backups = 0
email = <your_email>
domains = email.example.com, autodiscover.example.com, autoconfig.example.com, webmail.example.com, matrix.example.com, im.example.com, *.im.example.com
non-interactive = True
staple-ocsp = True
rsa-key-size = 4096
webroot-path = /var/lib/letsencrypt/
agree-tos = True
```
Example renewal-hooks.
```bash
sudo nano /etc/letsencrypt/renewal-hooks/post/nginx-reload.sh
#!/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
cp /etc/letsencrypt/live/email.example.com/fullchain.pem /opt/mailcow-dockerized/data/assets/ssl/cert.pem
cp /etc/letsencrypt/live/email.example.com/privkey.pem /opt/mailcow-dockerized/data/assets/ssl/key.pem
/usr/sbin/nginx -t && systemctl reload nginx
```