Matthias Andreas Benkard | b382b10 | 2021-01-02 15:32:21 +0100 | [diff] [blame] | 1 | #!/usr/bin/env bash |
| 2 | |
| 3 | set -o pipefail |
| 4 | |
| 5 | if [[ "$(uname -r)" =~ ^4\.15\.0-60 ]]; then |
| 6 | echo "DO NOT RUN mailcow ON THIS UBUNTU KERNEL!"; |
| 7 | echo "Please update to 5.x or use another distribution." |
| 8 | exit 1 |
| 9 | fi |
| 10 | |
| 11 | if [[ "$(uname -r)" =~ ^4\.4\. ]]; then |
| 12 | if grep -q Ubuntu <<< $(uname -a); then |
| 13 | echo "DO NOT RUN mailcow ON THIS UBUNTU KERNEL!"; |
| 14 | echo "Please update to linux-generic-hwe-16.04 by running \"apt-get install --install-recommends linux-generic-hwe-16.04\"" |
| 15 | fi |
| 16 | exit 1 |
| 17 | fi |
| 18 | |
| 19 | if grep --help 2>&1 | grep -q -i "busybox"; then |
| 20 | echo "BusyBox grep detected, please install gnu grep, \"apk add --no-cache --upgrade grep\"" |
| 21 | exit 1 |
| 22 | fi |
| 23 | if cp --help 2>&1 | grep -q -i "busybox"; then |
| 24 | echo "BusyBox cp detected, please install coreutils, \"apk add --no-cache --upgrade coreutils\"" |
| 25 | exit 1 |
| 26 | fi |
| 27 | |
| 28 | for bin in openssl curl docker-compose docker git awk sha1sum; do |
| 29 | if [[ -z $(which ${bin}) ]]; then echo "Cannot find ${bin}, exiting..."; exit 1; fi |
| 30 | done |
| 31 | |
| 32 | if [ -f mailcow.conf ]; then |
| 33 | read -r -p "A config file exists and will be overwritten, are you sure you want to contine? [y/N] " response |
| 34 | case $response in |
| 35 | [yY][eE][sS]|[yY]) |
| 36 | mv mailcow.conf mailcow.conf_backup |
| 37 | chmod 600 mailcow.conf_backup |
| 38 | ;; |
| 39 | *) |
| 40 | exit 1 |
| 41 | ;; |
| 42 | esac |
| 43 | fi |
| 44 | |
| 45 | echo "Press enter to confirm the detected value '[value]' where applicable or enter a custom value." |
| 46 | while [ -z "${MAILCOW_HOSTNAME}" ]; do |
| 47 | read -p "Mail server hostname (FQDN) - this is not your mail domain, but your mail servers hostname: " -e MAILCOW_HOSTNAME |
| 48 | DOTS=${MAILCOW_HOSTNAME//[^.]}; |
| 49 | if [ ${#DOTS} -lt 2 ] && [ ! -z ${MAILCOW_HOSTNAME} ]; then |
| 50 | echo "${MAILCOW_HOSTNAME} is not a FQDN" |
| 51 | MAILCOW_HOSTNAME= |
| 52 | fi |
| 53 | done |
| 54 | |
| 55 | if [ -a /etc/timezone ]; then |
| 56 | DETECTED_TZ=$(cat /etc/timezone) |
| 57 | elif [ -a /etc/localtime ]; then |
| 58 | DETECTED_TZ=$(readlink /etc/localtime|sed -n 's|^.*zoneinfo/||p') |
| 59 | fi |
| 60 | |
| 61 | while [ -z "${MAILCOW_TZ}" ]; do |
| 62 | if [ -z "${DETECTED_TZ}" ]; then |
| 63 | read -p "Timezone: " -e MAILCOW_TZ |
| 64 | else |
| 65 | read -p "Timezone [${DETECTED_TZ}]: " -e MAILCOW_TZ |
| 66 | [ -z "${MAILCOW_TZ}" ] && MAILCOW_TZ=${DETECTED_TZ} |
| 67 | fi |
| 68 | done |
| 69 | |
| 70 | MEM_TOTAL=$(awk '/MemTotal/ {print $2}' /proc/meminfo) |
| 71 | |
| 72 | if [ ${MEM_TOTAL} -le "2621440" ]; then |
| 73 | echo "Installed memory is <= 2.5 GiB. It is recommended to disable ClamAV to prevent out-of-memory situations." |
| 74 | echo "ClamAV can be re-enabled by setting SKIP_CLAMD=n in mailcow.conf." |
| 75 | read -r -p "Do you want to disable ClamAV now? [Y/n] " response |
| 76 | case $response in |
| 77 | [nN][oO]|[nN]) |
| 78 | SKIP_CLAMD=n |
| 79 | ;; |
| 80 | *) |
| 81 | SKIP_CLAMD=y |
| 82 | ;; |
| 83 | esac |
| 84 | else |
| 85 | SKIP_CLAMD=n |
| 86 | fi |
| 87 | |
| 88 | if [ ${MEM_TOTAL} -le "2097152" ]; then |
| 89 | echo "Disabling Solr on low-memory system." |
| 90 | SKIP_SOLR=y |
| 91 | elif [ ${MEM_TOTAL} -le "3670016" ]; then |
| 92 | echo "Installed memory is <= 3.5 GiB. It is recommended to disable Solr to prevent out-of-memory situations." |
| 93 | echo "Solr is a prone to run OOM and should be monitored. The default Solr heap size is 1024 MiB and should be set in mailcow.conf according to your expected load." |
| 94 | echo "Solr can be re-enabled by setting SKIP_SOLR=n in mailcow.conf but will refuse to start with less than 2 GB total memory." |
| 95 | read -r -p "Do you want to disable Solr now? [Y/n] " response |
| 96 | case $response in |
| 97 | [nN][oO]|[nN]) |
| 98 | SKIP_SOLR=n |
| 99 | ;; |
| 100 | *) |
| 101 | SKIP_SOLR=y |
| 102 | ;; |
| 103 | esac |
| 104 | else |
| 105 | SKIP_SOLR=n |
| 106 | fi |
| 107 | |
| 108 | [ ! -f ./data/conf/rspamd/override.d/worker-controller-password.inc ] && echo '# Placeholder' > ./data/conf/rspamd/override.d/worker-controller-password.inc |
| 109 | |
| 110 | cat << EOF > mailcow.conf |
| 111 | # ------------------------------ |
| 112 | # mailcow web ui configuration |
| 113 | # ------------------------------ |
| 114 | # example.org is _not_ a valid hostname, use a fqdn here. |
| 115 | # Default admin user is "admin" |
| 116 | # Default password is "moohoo" |
| 117 | |
| 118 | MAILCOW_HOSTNAME=${MAILCOW_HOSTNAME} |
| 119 | |
| 120 | # Password hash algorithm |
| 121 | # Only certain password hash algorithm are supported. For a fully list of supported schemes, |
| 122 | # see https://mailcow.github.io/mailcow-dockerized-docs/model-passwd/ |
| 123 | MAILCOW_PASS_SCHEME=BLF-CRYPT |
| 124 | |
| 125 | # ------------------------------ |
| 126 | # SQL database configuration |
| 127 | # ------------------------------ |
| 128 | |
| 129 | DBNAME=mailcow |
| 130 | DBUSER=mailcow |
| 131 | |
| 132 | # Please use long, random alphanumeric strings (A-Za-z0-9) |
| 133 | |
| 134 | DBPASS=$(LC_ALL=C </dev/urandom tr -dc A-Za-z0-9 | head -c 28) |
| 135 | DBROOT=$(LC_ALL=C </dev/urandom tr -dc A-Za-z0-9 | head -c 28) |
| 136 | |
| 137 | # ------------------------------ |
| 138 | # HTTP/S Bindings |
| 139 | # ------------------------------ |
| 140 | |
| 141 | # You should use HTTPS, but in case of SSL offloaded reverse proxies: |
| 142 | # Might be important: This will also change the binding within the container. |
| 143 | # If you use a proxy within Docker, point it to the ports you set below. |
| 144 | # Do _not_ use IP:PORT in HTTP(S)_BIND or HTTP(S)_PORT |
| 145 | # IMPORTANT: Do not use port 8081, 9081 or 65510! |
| 146 | |
| 147 | HTTP_PORT=80 |
| 148 | HTTP_BIND=0.0.0.0 |
| 149 | |
| 150 | HTTPS_PORT=443 |
| 151 | HTTPS_BIND=0.0.0.0 |
| 152 | |
| 153 | # ------------------------------ |
| 154 | # Other bindings |
| 155 | # ------------------------------ |
| 156 | # You should leave that alone |
| 157 | # Format: 11.22.33.44:25 or 0.0.0.0:465 etc. |
| 158 | |
| 159 | SMTP_PORT=25 |
| 160 | SMTPS_PORT=465 |
| 161 | SUBMISSION_PORT=587 |
| 162 | IMAP_PORT=143 |
| 163 | IMAPS_PORT=993 |
| 164 | POP_PORT=110 |
| 165 | POPS_PORT=995 |
| 166 | SIEVE_PORT=4190 |
| 167 | DOVEADM_PORT=127.0.0.1:19991 |
| 168 | SQL_PORT=127.0.0.1:13306 |
| 169 | SOLR_PORT=127.0.0.1:18983 |
| 170 | REDIS_PORT=127.0.0.1:7654 |
| 171 | |
| 172 | # Your timezone |
| 173 | # See https://en.wikipedia.org/wiki/List_of_tz_database_time_zones for a list of timezones |
| 174 | # Use the row named 'TZ database name' + pay attention for 'Notes' row |
| 175 | |
| 176 | TZ=${MAILCOW_TZ} |
| 177 | |
| 178 | # Fixed project name |
| 179 | # Please use lowercase letters only |
| 180 | |
| 181 | COMPOSE_PROJECT_NAME=mailcowdockerized |
| 182 | |
| 183 | # Set this to "allow" to enable the anyone pseudo user. Disabled by default. |
| 184 | # When enabled, ACL can be created, that apply to "All authenticated users" |
| 185 | # This should probably only be activated on mail hosts, that are used exclusivly by one organisation. |
| 186 | # Otherwise a user might share data with too many other users. |
| 187 | ACL_ANYONE=disallow |
| 188 | |
| 189 | # Garbage collector cleanup |
| 190 | # Deleted domains and mailboxes are moved to /var/vmail/_garbage/timestamp_sanitizedstring |
| 191 | # How long should objects remain in the garbage until they are being deleted? (value in minutes) |
| 192 | # Check interval is hourly |
| 193 | |
| 194 | MAILDIR_GC_TIME=7200 |
| 195 | |
| 196 | # Additional SAN for the certificate |
| 197 | # |
| 198 | # You can use wildcard records to create specific names for every domain you add to mailcow. |
| 199 | # Example: Add domains "example.com" and "example.net" to mailcow, change ADDITIONAL_SAN to a value like: |
| 200 | #ADDITIONAL_SAN=imap.*,smtp.* |
| 201 | # This will expand the certificate to "imap.example.com", "smtp.example.com", "imap.example.net", "imap.example.net" |
| 202 | # plus every domain you add in the future. |
| 203 | # |
| 204 | # You can also just add static names... |
| 205 | #ADDITIONAL_SAN=srv1.example.net |
| 206 | # ...or combine wildcard and static names: |
| 207 | #ADDITIONAL_SAN=imap.*,srv1.example.com |
| 208 | # |
| 209 | |
| 210 | ADDITIONAL_SAN= |
| 211 | |
| 212 | # Skip running ACME (acme-mailcow, Let's Encrypt certs) - y/n |
| 213 | |
| 214 | SKIP_LETS_ENCRYPT=n |
| 215 | |
| 216 | # Create seperate certificates for all domains - y/n |
| 217 | # this will allow adding more than 100 domains, but some email clients will not be able to connect with alternative hostnames |
| 218 | # see https://wiki.dovecot.org/SSL/SNIClientSupport |
| 219 | ENABLE_SSL_SNI=n |
| 220 | |
| 221 | # Skip IPv4 check in ACME container - y/n |
| 222 | |
| 223 | SKIP_IP_CHECK=n |
| 224 | |
| 225 | # Skip HTTP verification in ACME container - y/n |
| 226 | |
| 227 | SKIP_HTTP_VERIFICATION=n |
| 228 | |
| 229 | # Skip ClamAV (clamd-mailcow) anti-virus (Rspamd will auto-detect a missing ClamAV container) - y/n |
| 230 | |
| 231 | SKIP_CLAMD=${SKIP_CLAMD} |
| 232 | |
| 233 | # Skip SOGo: Will disable SOGo integration and therefore webmail, DAV protocols and ActiveSync support (experimental, unsupported, not fully implemented) - y/n |
| 234 | |
| 235 | SKIP_SOGO=n |
| 236 | |
| 237 | # Skip Solr on low-memory systems or if you do not want to store a readable index of your mails in solr-vol-1. |
| 238 | |
| 239 | SKIP_SOLR=${SKIP_SOLR} |
| 240 | |
| 241 | # Solr heap size in MB, there is no recommendation, please see Solr docs. |
| 242 | # Solr is a prone to run OOM and should be monitored. Unmonitored Solr setups are not recommended. |
| 243 | |
| 244 | SOLR_HEAP=1024 |
| 245 | |
| 246 | # Allow admins to log into SOGo as email user (without any password) |
| 247 | |
| 248 | ALLOW_ADMIN_EMAIL_LOGIN=n |
| 249 | |
| 250 | # Enable watchdog (watchdog-mailcow) to restart unhealthy containers |
| 251 | |
| 252 | USE_WATCHDOG=y |
| 253 | |
| 254 | # Send watchdog notifications by mail (sent from watchdog@MAILCOW_HOSTNAME) |
| 255 | # CAUTION: |
| 256 | # 1. You should use external recipients |
| 257 | # 2. Mails are sent unsigned (no DKIM) |
| 258 | # 3. If you use DMARC, create a separate DMARC policy ("v=DMARC1; p=none;" in _dmarc.MAILCOW_HOSTNAME) |
| 259 | # Multiple rcpts allowed, NO quotation marks, NO spaces |
| 260 | |
| 261 | #WATCHDOG_NOTIFY_EMAIL=a@example.com,b@example.com,c@example.com |
| 262 | #WATCHDOG_NOTIFY_EMAIL= |
| 263 | |
| 264 | # Notify about banned IP (includes whois lookup) |
| 265 | WATCHDOG_NOTIFY_BAN=n |
| 266 | |
| 267 | # Checks if mailcow is an open relay. Requires a SAL. More checks will follow. |
| 268 | # https://www.servercow.de/mailcow?lang=en |
| 269 | # https://www.servercow.de/mailcow?lang=de |
| 270 | # No data is collected. Opt-in and anonymous. |
| 271 | # Will only work with unmodified mailcow setups. |
| 272 | WATCHDOG_EXTERNAL_CHECKS=n |
| 273 | |
| 274 | # Max log lines per service to keep in Redis logs |
| 275 | |
| 276 | LOG_LINES=9999 |
| 277 | |
| 278 | # Internal IPv4 /24 subnet, format n.n.n (expands to n.n.n.0/24) |
| 279 | # Use private IPv4 addresses only, see https://en.wikipedia.org/wiki/Private_network#Private_IPv4_addresses |
| 280 | |
| 281 | IPV4_NETWORK=172.22.1 |
| 282 | |
| 283 | # Internal IPv6 subnet in fc00::/7 |
| 284 | # Use private IPv6 addresses only, see https://en.wikipedia.org/wiki/Private_network#Private_IPv6_addresses |
| 285 | |
| 286 | IPV6_NETWORK=fd4d:6169:6c63:6f77::/64 |
| 287 | |
| 288 | # Use this IPv4 for outgoing connections (SNAT) |
| 289 | |
| 290 | #SNAT_TO_SOURCE= |
| 291 | |
| 292 | # Use this IPv6 for outgoing connections (SNAT) |
| 293 | |
| 294 | #SNAT6_TO_SOURCE= |
| 295 | |
| 296 | # Create or override an API key for the web UI |
| 297 | # You _must_ define API_ALLOW_FROM, which is a comma separated list of IPs |
| 298 | # An API key defined as API_KEY has read-write access |
| 299 | # An API key defined as API_KEY_READ_ONLY has read-only access |
| 300 | # Allowed chars for API_KEY and API_KEY_READ_ONLY: a-z, A-Z, 0-9, - |
| 301 | # You can define API_KEY and/or API_KEY_READ_ONLY |
| 302 | |
| 303 | #API_KEY= |
| 304 | #API_KEY_READ_ONLY= |
| 305 | #API_ALLOW_FROM=172.22.1.1,127.0.0.1 |
| 306 | |
| 307 | # mail_home is ~/Maildir |
| 308 | MAILDIR_SUB=Maildir |
| 309 | |
| 310 | # SOGo session timeout in minutes |
| 311 | SOGO_EXPIRE_SESSION=480 |
| 312 | |
| 313 | # DOVECOT_MASTER_USER and DOVECOT_MASTER_PASS must both be provided. No special chars. |
| 314 | # Empty by default to auto-generate master user and password on start. |
| 315 | # User expands to DOVECOT_MASTER_USER@mailcow.local |
| 316 | # LEAVE EMPTY IF UNSURE |
| 317 | DOVECOT_MASTER_USER= |
| 318 | # LEAVE EMPTY IF UNSURE |
| 319 | DOVECOT_MASTER_PASS= |
| 320 | |
| 321 | EOF |
| 322 | |
| 323 | mkdir -p data/assets/ssl |
| 324 | |
| 325 | chmod 600 mailcow.conf |
| 326 | |
| 327 | # copy but don't overwrite existing certificate |
| 328 | echo "Generating snake-oil certificate..." |
| 329 | # Making Willich more popular |
| 330 | openssl req -x509 -newkey rsa:4096 -keyout data/assets/ssl-example/key.pem -out data/assets/ssl-example/cert.pem -days 365 -subj "/C=DE/ST=NRW/L=Willich/O=mailcow/OU=mailcow/CN=${MAILCOW_HOSTNAME}" -sha256 -nodes |
| 331 | echo "Copying snake-oil certificate..." |
| 332 | cp -n -d data/assets/ssl-example/*.pem data/assets/ssl/ |