From d1b48b78d847965109a27fc43f2c3993d821d0ce Mon Sep 17 00:00:00 2001 From: dado Date: Sun, 5 Oct 2025 12:27:20 +0200 Subject: [PATCH] update file --- mailcow/docker-compose.yml | 170 ++++++++++++++++++++++++++++++++++--- mailcow/mailcow.conf | 3 +- 2 files changed, 158 insertions(+), 15 deletions(-) diff --git a/mailcow/docker-compose.yml b/mailcow/docker-compose.yml index e894ca5..2519a8f 100644 --- a/mailcow/docker-compose.yml +++ b/mailcow/docker-compose.yml @@ -24,7 +24,7 @@ services: stop_grace_period: 45s volumes: - mysql-vol-1:/var/lib/mysql/ - - mysql-socket-vol-1:/var/run/mysqld/ + - mysql-socket-vol-1:/var/run/mysqld/:z - ./data/conf/mysql/:/etc/mysql/conf.d/:ro,Z environment: - TZ=${TZ} @@ -65,7 +65,7 @@ services: - redis clamd-mailcow: - image: ghcr.io/mailcow/clamd:1.70 + image: ghcr.io/mailcow/clamd:1.71 restart: always depends_on: unbound-mailcow: @@ -84,7 +84,7 @@ services: - clamd rspamd-mailcow: - image: ghcr.io/mailcow/rspamd:2.2 + image: ghcr.io/mailcow/rspamd:2.3 stop_grace_period: 30s depends_on: - dovecot-mailcow @@ -134,7 +134,7 @@ services: - ./data/web/inc/functions.ratelimit.inc.php:/mailcowauth/functions.ratelimit.inc.php:z - ./data/web/inc/functions.acl.inc.php:/mailcowauth/functions.acl.inc.php:z - rspamd-vol-1:/var/lib/rspamd - - mysql-socket-vol-1:/var/run/mysqld/ + - mysql-socket-vol-1:/var/run/mysqld/:z - ./data/conf/sogo/:/etc/sogo/:z - ./data/conf/rspamd/meta_exporter:/meta_exporter:ro,z - ./data/conf/phpfpm/crons:/crons:z @@ -200,7 +200,7 @@ services: - phpfpm sogo-mailcow: - image: ghcr.io/mailcow/sogo:1.133 + image: ghcr.io/mailcow/sogo:1.135 environment: - DBNAME=${DBNAME} - DBUSER=${DBUSER} 
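Review bot: The `:z` suffix added to the `mysql-socket-vol-1:/var/run/mysqld/` mount in the @@ -24 hunk has no comment explaining why it is the shared label, while the very next line uses the private `Z`. The same suffix is added to this mount in the @@ -134, @@ -230, @@ -272 and @@ -351 hunks and in the new acme and watchdog services. I would put one comment above the first occurrence, `# z = shared SELinux label: this socket volume is mounted by several services, Z would relabel it for one container only`. That stops a later cleanup from "tightening" it to `Z` and cutting the other containers off from the database socket. The service block continues outside the hunk.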
@@ -230,7 +230,7 @@ services: - ./data/conf/sogo/custom-fulllogo.png:/usr/lib/GNUstep/SOGo/WebServerResources/img/sogo-logo.png:z - ./data/conf/sogo/custom-theme.js:/usr/lib/GNUstep/SOGo/WebServerResources/js/theme.js:z - ./data/conf/sogo/custom-sogo.js:/usr/lib/GNUstep/SOGo/WebServerResources/js/custom-sogo.js:z - - mysql-socket-vol-1:/var/run/mysqld/ + - mysql-socket-vol-1:/var/run/mysqld/:z - sogo-web-vol-1:/sogo_web - sogo-userdata-backup-vol-1:/sogo_backup labels: @@ -251,7 +251,7 @@ services: - sogo dovecot-mailcow: - image: ghcr.io/mailcow/dovecot:2.33 + image: ghcr.io/mailcow/dovecot:2.35 depends_on: - mysql-mailcow - netfilter-mailcow @@ -272,7 +272,7 @@ services: - ./data/conf/rspamd/custom/:/etc/rspamd/custom:z - ./data/assets/templates:/templates:z - rspamd-vol-1:/var/lib/rspamd - - mysql-socket-vol-1:/var/run/mysqld/ + - mysql-socket-vol-1:/var/run/mysqld/:z environment: - DOVECOT_MASTER_USER=${DOVECOT_MASTER_USER:-} - DOVECOT_MASTER_PASS=${DOVECOT_MASTER_PASS:-} @@ -338,12 +338,14 @@ services: - dovecot postfix-mailcow: - image: ghcr.io/mailcow/postfix:1.80 + image: ghcr.io/mailcow/postfix:1.81 depends_on: mysql-mailcow: condition: service_started unbound-mailcow: condition: service_healthy + postfix-tlspol-mailcow: + condition: service_started volumes: - ./data/hooks/postfix:/hooks:Z - ./data/conf/postfix:/opt/postfix/conf:z @@ -351,7 +353,7 @@ services: - postfix-vol-1:/var/spool/postfix - crypt-vol-1:/var/lib/zeyple - rspamd-vol-1:/var/lib/rspamd - - mysql-socket-vol-1:/var/run/mysqld/ + - mysql-socket-vol-1:/var/run/mysqld/:z environment: - LOG_LINES=${LOG_LINES:-9999} - TZ=${TZ} 
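Review bot: In the @@ -338 hunk the new `postfix-tlspol-mailcow` entry under postfix-mailcow's `depends_on` uses `condition: service_started`, which only orders container start and does not wait until the policy daemon answers queries. The service definition added in the @@ -378 hunk has no `healthcheck:`, so `condition: service_healthy`, as used for `unbound-mailcow` two lines above, is not available yet. If Postfix consults this daemon for outbound TLS policy, what happens to mail while the lookup fails depends on the Postfix configuration, which is not part of this diff and should be checked. I would add a healthcheck to the new service and switch this entry to `condition: service_healthy`.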
@@ -378,6 +380,28 @@ services: aliases: - postfix + postfix-tlspol-mailcow: + image: ghcr.io/mailcow/postfix-tlspol:1.0 + depends_on: + unbound-mailcow: + condition: service_healthy + volumes: + - postfix-tlspol-vol-1:/var/lib/postfix-tlspol + environment: + - LOG_LINES=${LOG_LINES:-9999} + - TZ=${TZ} + - REDIS_SLAVEOF_IP=${REDIS_SLAVEOF_IP:-} + - REDIS_SLAVEOF_PORT=${REDIS_SLAVEOF_PORT:-} + - REDISPASS=${REDISPASS} + - DEV_MODE=${DEV_MODE:-n} + restart: always + dns: + - ${IPV4_NETWORK:-172.22.1}.254 + networks: + mailcow-network: + aliases: + - postfix-tlspol + memcached-mailcow: image: memcached:alpine restart: always @@ -394,7 +418,7 @@ services: - php-fpm-mailcow - sogo-mailcow - rspamd-mailcow - image: ghcr.io/mailcow/nginx:1.03 + image: ghcr.io/mailcow/nginx:1.04 dns: - ${IPV4_NETWORK:-172.22.1}.254 environment: @@ -405,7 +429,7 @@ services: - TZ=${TZ} - SKIP_SOGO=${SKIP_SOGO:-n} - SKIP_RSPAMD=${SKIP_RSPAMD:-n} - - DISABLE_IPv6=${DISABLE_IPv6:-n} + - ENABLE_IPV6=${ENABLE_IPV6:-true} - HTTP_REDIRECT=${HTTP_REDIRECT:-n} - PHPFPMHOST=${PHPFPMHOST:-} - SOGOHOST=${SOGOHOST:-} 
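Review bot: Replacing `DISABLE_IPv6=${DISABLE_IPv6:-n}` with `ENABLE_IPV6=${ENABLE_IPV6:-true}` in the @@ -405 hunk makes IPv6 opt-out: whenever `ENABLE_IPV6` is not supplied, the value is `true`. The @@ -519 hunk uses the same default for `enable_ipv6:` on the network, which was previously hard-coded to `false`. The single `ENABLE_IPV6=false` line added to mailcow.conf (presumably the file Compose reads for interpolation) is therefore the only thing keeping IPv6 off. An existing `DISABLE_IPv6=y` in a config file is also ignored from here on, with no warning. If IPv6 is meant to stay off, I would make the fallback fail closed: `- ENABLE_IPV6=${ENABLE_IPV6:-false}` here and `enable_ipv6: ${ENABLE_IPV6:-false}` on the network, or `${ENABLE_IPV6:?set ENABLE_IPV6 in mailcow.conf}` so a missing value stops `docker compose up`.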
@@ -434,8 +458,50 @@ services: aliases: - nginx + acme-mailcow: + depends_on: + nginx-mailcow: + condition: service_started + unbound-mailcow: + condition: service_healthy + image: ghcr.io/mailcow/acme:1.94 + dns: + - ${IPV4_NETWORK:-172.22.1}.254 + environment: + - LOG_LINES=${LOG_LINES:-9999} + - ADDITIONAL_SAN=${ADDITIONAL_SAN} + - AUTODISCOVER_SAN=${AUTODISCOVER_SAN:-y} + - MAILCOW_HOSTNAME=${MAILCOW_HOSTNAME} + - DBNAME=${DBNAME} + - DBUSER=${DBUSER} + - DBPASS=${DBPASS} + - SKIP_LETS_ENCRYPT=${SKIP_LETS_ENCRYPT:-n} + - COMPOSE_PROJECT_NAME=${COMPOSE_PROJECT_NAME:-mailcow-dockerized} + - DIRECTORY_URL=${DIRECTORY_URL:-} + - ENABLE_SSL_SNI=${ENABLE_SSL_SNI:-n} + - SKIP_IP_CHECK=${SKIP_IP_CHECK:-n} + - SKIP_HTTP_VERIFICATION=${SKIP_HTTP_VERIFICATION:-n} + - ONLY_MAILCOW_HOSTNAME=${ONLY_MAILCOW_HOSTNAME:-n} + - LE_STAGING=${LE_STAGING:-n} + - TZ=${TZ} + - REDIS_SLAVEOF_IP=${REDIS_SLAVEOF_IP:-} + - REDIS_SLAVEOF_PORT=${REDIS_SLAVEOF_PORT:-} + - REDISPASS=${REDISPASS} + - SNAT_TO_SOURCE=${SNAT_TO_SOURCE:-n} + - SNAT6_TO_SOURCE=${SNAT6_TO_SOURCE:-n} + volumes: + - ./data/web/.well-known/acme-challenge:/var/www/acme:z + - ./data/assets/ssl:/var/lib/acme/:z + - ./data/assets/ssl-example:/var/lib/ssl-example/:ro,Z + - mysql-socket-vol-1:/var/run/mysqld/:z + restart: always + networks: + mailcow-network: + aliases: + - acme + netfilter-mailcow: - image: ghcr.io/mailcow/netfilter:1.61 + image: ghcr.io/mailcow/netfilter:1.62 stop_grace_period: 30s restart: always privileged: true 
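Review bot: The new acme-mailcow environment passes `SKIP_IP_CHECK`, `SKIP_HTTP_VERIFICATION` and `LE_STAGING` through with no comment on what they relax. All three default to `n` here. Their names suggest they switch off the container's pre-issuance checks or point it at a staging CA; this is inferred from the names, since the image is not part of this diff. A leftover `y` in mailcow.conf would take effect silently. I would add a comment above them, e.g. `# keep SKIP_IP_CHECK, SKIP_HTTP_VERIFICATION and LE_STAGING at n in production`.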
@@ -454,6 +520,81 @@ services: volumes: - /lib/modules:/lib/modules:ro + watchdog-mailcow: + image: ghcr.io/mailcow/watchdog:2.09 + dns: + - ${IPV4_NETWORK:-172.22.1}.254 + tmpfs: + - /tmp + volumes: + - rspamd-vol-1:/var/lib/rspamd + - mysql-socket-vol-1:/var/run/mysqld/:z + - postfix-vol-1:/var/spool/postfix + - ./data/assets/ssl:/etc/ssl/mail/:ro,z + restart: always + depends_on: + - postfix-mailcow + - dovecot-mailcow + - mysql-mailcow + - acme-mailcow + - redis-mailcow + environment: + - IPV6_NETWORK=${IPV6_NETWORK:-fd4d:6169:6c63:6f77::/64} + - LOG_LINES=${LOG_LINES:-9999} + - TZ=${TZ} + - DBNAME=${DBNAME} + - DBUSER=${DBUSER} + - DBPASS=${DBPASS} + - DBROOT=${DBROOT} + - USE_WATCHDOG=${USE_WATCHDOG:-n} + - WATCHDOG_NOTIFY_EMAIL=${WATCHDOG_NOTIFY_EMAIL:-} + - WATCHDOG_NOTIFY_BAN=${WATCHDOG_NOTIFY_BAN:-y} + - WATCHDOG_NOTIFY_START=${WATCHDOG_NOTIFY_START:-y} + - WATCHDOG_SUBJECT=${WATCHDOG_SUBJECT:-Watchdog ALERT} + - WATCHDOG_NOTIFY_WEBHOOK=${WATCHDOG_NOTIFY_WEBHOOK:-} + - WATCHDOG_NOTIFY_WEBHOOK_BODY=${WATCHDOG_NOTIFY_WEBHOOK_BODY:-} + - WATCHDOG_EXTERNAL_CHECKS=${WATCHDOG_EXTERNAL_CHECKS:-n} + - WATCHDOG_MYSQL_REPLICATION_CHECKS=${WATCHDOG_MYSQL_REPLICATION_CHECKS:-n} + - WATCHDOG_VERBOSE=${WATCHDOG_VERBOSE:-n} + - MAILCOW_HOSTNAME=${MAILCOW_HOSTNAME} + - COMPOSE_PROJECT_NAME=${COMPOSE_PROJECT_NAME:-mailcow-dockerized} + - IPV4_NETWORK=${IPV4_NETWORK:-172.22.1} + - IP_BY_DOCKER_API=${IP_BY_DOCKER_API:-0} + - CHECK_UNBOUND=${CHECK_UNBOUND:-1} + - SKIP_CLAMD=${SKIP_CLAMD:-n} + - SKIP_OLEFY=${SKIP_OLEFY:-n} + - SKIP_LETS_ENCRYPT=${SKIP_LETS_ENCRYPT:-n} + - SKIP_SOGO=${SKIP_SOGO:-n} + - HTTPS_PORT=${HTTPS_PORT:-443} + - REDIS_SLAVEOF_IP=${REDIS_SLAVEOF_IP:-} + - REDIS_SLAVEOF_PORT=${REDIS_SLAVEOF_PORT:-} + - REDISPASS=${REDISPASS} + - EXTERNAL_CHECKS_THRESHOLD=${EXTERNAL_CHECKS_THRESHOLD:-1} + - NGINX_THRESHOLD=${NGINX_THRESHOLD:-5} + - UNBOUND_THRESHOLD=${UNBOUND_THRESHOLD:-5} + - REDIS_THRESHOLD=${REDIS_THRESHOLD:-5} + - MYSQL_THRESHOLD=${MYSQL_THRESHOLD:-5} 
+ - MYSQL_REPLICATION_THRESHOLD=${MYSQL_REPLICATION_THRESHOLD:-1} + - SOGO_THRESHOLD=${SOGO_THRESHOLD:-3} + - POSTFIX_THRESHOLD=${POSTFIX_THRESHOLD:-8} + - POSTFIX_TLSPOL_THRESHOLD=${POSTFIX_TLSPOL_THRESHOLD:-8} + - CLAMD_THRESHOLD=${CLAMD_THRESHOLD:-15} + - DOVECOT_THRESHOLD=${DOVECOT_THRESHOLD:-12} + - DOVECOT_REPL_THRESHOLD=${DOVECOT_REPL_THRESHOLD:-20} + - PHPFPM_THRESHOLD=${PHPFPM_THRESHOLD:-5} + - RATELIMIT_THRESHOLD=${RATELIMIT_THRESHOLD:-1} + - FAIL2BAN_THRESHOLD=${FAIL2BAN_THRESHOLD:-1} + - ACME_THRESHOLD=${ACME_THRESHOLD:-1} + - RSPAMD_THRESHOLD=${RSPAMD_THRESHOLD:-5} + - OLEFY_THRESHOLD=${OLEFY_THRESHOLD:-5} + - MAILQ_THRESHOLD=${MAILQ_THRESHOLD:-20} + - MAILQ_CRIT=${MAILQ_CRIT:-30} + - DEV_MODE=${DEV_MODE:-n} + networks: + mailcow-network: + aliases: + - watchdog + dockerapi-mailcow: image: ghcr.io/mailcow/dockerapi:2.11 security_opt: @@ -519,7 +660,7 @@ networks: driver: bridge driver_opts: com.docker.network.bridge.name: br-mailcow - enable_ipv6: false + enable_ipv6: ${ENABLE_IPV6:-true} ipam: driver: default config: @@ -534,6 +675,7 @@ volumes: redis-vol-1: rspamd-vol-1: postfix-vol-1: + postfix-tlspol-vol-1: crypt-vol-1: sogo-web-vol-1: sogo-userdata-backup-vol-1: diff --git a/mailcow/mailcow.conf b/mailcow/mailcow.conf index dd39a90..16c4ca8 100644 --- a/mailcow/mailcow.conf +++ b/mailcow/mailcow.conf @@ -297,4 +297,5 @@ SPAMHAUS_DQS_KEY= # Prevent netfilter from setting an iptables/nftables rule to isolate the mailcow docker network - y/n # CAUTION: Disabling this may expose container ports to other neighbors on the same subnet, even if the ports are bound to localhost -DISABLE_NETFILTER_ISOLATION_RULE=n \ No newline at end of file +DISABLE_NETFILTER_ISOLATION_RULE=n +ENABLE_IPV6=false \ No newline at end of file
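Review bot: The watchdog-mailcow environment added in the @@ -454 hunk includes `DBROOT=${DBROOT}` next to `DBUSER`/`DBPASS`. The monitoring container therefore holds the database root password while also mounting the MySQL socket through `mysql-socket-vol-1`. Nothing in the hunk shows which check needs root. If it is only the replication check, that one defaults to off (`WATCHDOG_MYSQL_REPLICATION_CHECKS:-n`). After confirming against the image, I would either drop the line or document it with a comment such as `# DBROOT: needed by <check name>; remove if that check is not used`.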
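Review bot: `ENABLE_IPV6=false` is appended to mailcow.conf without a comment and with a different value vocabulary from the rest of the file. The setting directly above is `DISABLE_NETFILTER_ISOLATION_RULE=n`, documented as `- y/n`. docker-compose.yml interpolates this value into `enable_ipv6:`, so an operator who follows the file's convention and writes `n` would hand Compose something that is not a boolean. I would add a comment above the line, `# Enable IPv6 for the mailcow network and nginx - true/false (not y/n)`, and end the file with a newline. The `\ No newline at end of file` marker is still present on the new last line, so a later `echo KEY=value >> mailcow.conf` would be glued onto this setting.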