Reference: mailcow: dockerized documentation
1. Configure the Docker files
Download the mailcow-dockerized source
git clone https://github.com/mailcow/mailcow-dockerized
cd mailcow-dockerized
Generate the configuration file
./generate_config.sh
Adjust the configuration file
vim mailcow.conf
In this setup the nginx inside mailcow is not involved in HTTPS at all; it only serves plain HTTP, while the external nginx obtains the certificate. The relevant settings are therefore changed as follows:
# You should use HTTPS, but in case of SSL offloaded reverse proxies:
# Might be important: This will also change the binding within the container.
# If you use a proxy within Docker, point it to the ports you set below.
# Do _not_ use IP:PORT in HTTP(S)_BIND or HTTP(S)_PORT
# IMPORTANT: Do not use port 8081, 9081, 9082 or 65510!
# Example: HTTP_BIND=1.2.3.4
# For IPv4 leave it as it is: HTTP_BIND= & HTTPS_PORT=
# For IPv6 see https://docs.mailcow.email/post_installation/firststeps-ip_bindings/
[------] HTTP_PORT=80
[++++++] HTTP_PORT=10080
HTTP_BIND=
[------] HTTPS_PORT=443
[++++++] HTTPS_PORT=10443
HTTPS_BIND=
# Redirect HTTP connections to HTTPS - y/n
[------] HTTP_REDIRECT=y
[++++++] HTTP_REDIRECT=n # Important: disable the internal forced redirect and leave it to the external proxy
# Skip running ACME (acme-mailcow, Let's Encrypt certs) - y/n
[------] SKIP_LETS_ENCRYPT=n
[++++++] SKIP_LETS_ENCRYPT=y
# To avoid port conflicts the ports are remapped as follows; when traffic is forwarded to the public server, frp maps them back to the standard ports
[------] SMTP_PORT=25
[------] SMTPS_PORT=465
[------] SUBMISSION_PORT=587
[------] IMAP_PORT=143
[------] IMAPS_PORT=993
[------] POP_PORT=110
[------] POPS_PORT=995
[------] SIEVE_PORT=4190
[++++++] SMTP_PORT=10025
[++++++] SMTPS_PORT=10465
[++++++] SUBMISSION_PORT=10587
[++++++] IMAP_PORT=10143
[++++++] IMAPS_PORT=10993
[++++++] POP_PORT=10110
[++++++] POPS_PORT=10995
[++++++] SIEVE_PORT=14190
Once the configuration is done, start the containers
sudo docker compose up -d
Note: keep the network address at the default 172.22.1. The author switched to the 172.32.1 range, which left DNS unreachable until it was reverted to the 172.22.1 range.
2. Port forwarding setup
The service runs on a home machine and the cloud server only forwards traffic, so port forwarding is needed.
The frp configuration is as follows:
[SMTP_PORT]
type = tcp
local_ip = 10.44.0.11
local_port = 10025
remote_port = 25
[SMTPS_PORT]
type = tcp
local_ip = 10.44.0.11
local_port = 10465
remote_port = 465
[SUBMISSION_PORT]
type = tcp
local_ip = 10.44.0.11
local_port = 10587
remote_port = 587
[IMAP_PORT]
type = tcp
local_ip = 10.44.0.11
local_port = 10143
remote_port = 143
[IMAPS_PORT]
type = tcp
local_ip = 10.44.0.11
local_port = 10993
remote_port = 993
[POP_PORT]
type = tcp
local_ip = 10.44.0.11
local_port = 10110
remote_port = 110
[POPS_PORT]
type = tcp
local_ip = 10.44.0.11
local_port = 10995
remote_port = 995
[SIEVE_PORT]
type = tcp
local_ip = 10.44.0.11
local_port = 14190
remote_port = 4190
The external nginx configuration is as follows:
server {
    server_name mail.hopo.dev;
    location / {
        proxy_pass http://10.44.0.11:10080;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        client_max_body_size 0; # allow large attachment uploads
    }
}
After the configuration is in place, HTTPS still has to be enabled; see: Configuring a free Nginx certificate with Certbot on Ubuntu
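As an added check (example code, not from the original post or from mailcow/frp), this script cross-references the remapped *_PORT values in mailcow.conf with the local_port/remote_port of every frpc.ini section, so a section that still forwards to a standard port after the remap is reported. The two sample files are constructed, and the script assumes the ini format shown above rather than frp's toml format.

```python
import configparser
# Constructed sample inputs (not the author's files): the remapped ports from
# mailcow.conf and an frpc.ini whose SMTP section forwards to the wrong local port.
MAILCOW_CONF = """\
SMTP_PORT=10025
SUBMISSION_PORT=10587
IMAPS_PORT=10993
SIEVE_PORT=14190
"""
FRPC_INI = """\
[SMTP_PORT]
type = tcp
local_ip = 10.44.0.11
local_port = 25
remote_port = 25
[IMAPS_PORT]
type = tcp
local_ip = 10.44.0.11
local_port = 10993
remote_port = 993
"""
# Standard public port each mailcow service must remain reachable on.
STANDARD_PORTS = {"SMTP_PORT": 25, "SMTPS_PORT": 465, "SUBMISSION_PORT": 587, "IMAP_PORT": 143,
                  "IMAPS_PORT": 993, "POP_PORT": 110, "POPS_PORT": 995, "SIEVE_PORT": 4190}

def parse_mailcow_ports(text):
    """Read the *_PORT=value lines of mailcow.conf, skipping comments and blank lines."""
    ports = {}
    for line in text.splitlines():
        key, sep, value = line.split("#", 1)[0].strip().partition("=")
        if sep and key.endswith("_PORT") and value.strip().isdigit():
            ports[key] = int(value)
    return ports

def check_frp_mapping(mailcow_text, frpc_text):
    """Return mismatches between frpc sections and mailcow.conf; an empty list means consistent."""
    ports = parse_mailcow_ports(mailcow_text)
    frpc = configparser.ConfigParser()
    frpc.read_string(frpc_text)
    problems = []
    for name in frpc.sections():
        if name not in STANDARD_PORTS:
            continue  # not one of the mailcow service sections
        local, remote = frpc.getint(name, "local_port"), frpc.getint(name, "remote_port")
        if local != ports.get(name):
            problems.append(f"{name}: local_port {local} but mailcow.conf has {ports.get(name)}")
        if remote != STANDARD_PORTS[name]:
            problems.append(f"{name}: remote_port {remote} is not the standard {STANDARD_PORTS[name]}")
    return problems
```

Run it against the real files by reading them into the two strings; any line it prints is a service that will be unreachable after the remap.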
3. Configure DNS
The minimal DNS configuration
# Name Type Value
mail IN A 1.2.3.4
autodiscover IN CNAME mail.example.org. (your ${MAILCOW_HOSTNAME})
autoconfig IN CNAME mail.example.org. (your ${MAILCOW_HOSTNAME})
@ IN MX 10 mail.example.org. (your ${MAILCOW_HOSTNAME})
DKIM, SPF and DMARC
# Name Type Value
@ IN TXT "v=spf1 mx a -all"
Configure DKIM
# Name Type Value
dkim._domainkey IN TXT "v=DKIM1; k=rsa; t=s; s=email; p=..."
Configure DMARC
# Name Type Value
_dmarc IN TXT "v=DMARC1; p=reject; rua=mailto:mailauth-reports@example.org"
Also set the PTR record (reverse DNS) at your cloud provider.
4. Configure mailboxes
(1) After logging in as admin, the mail domain has to be configured
1. E-Mail -> Configuration -> Add domain
2. Enter the domain, e.g. hopo.dev, and set the other options as needed. Note: do not select "Relay this domain", otherwise no mail will be received. Click OK when done.
3. The dkim._domainkey record can now be found on this page; add it to the DNS configuration from step 3.
(2) Add users
1. E-Mail -> Configuration -> Mailboxes
2. Adding a mailbox creates a user; add as many as needed.
5. Demo
URL: mail.hopo.dev
Account: demo@hopo.dev
Password: :&,34,NAtTee
Open mail.hopo.dev and log in with the account above to try sending and receiving mail with mailcow.
6. Security vulnerability
Because frp is used as a reverse proxy, additional security measures are needed: without the proxy protocol, Postfix sees every forwarded connection as coming from the frp side of the tunnel rather than from the real client, so it can treat untrusted senders as local ones and relay for them.
1. Edit mailcow.conf as follows:
# Skip running ACME (acme-mailcow, Let's Encrypt certs) - y/n
SKIP_LETS_ENCRYPT=n
[++++++] MYNETWORKS=127.0.0.1/8 [::1]/128
# Create separate certificates for all domains - y/n
2. Edit mailcow's Postfix configuration
Postfix has to be told that connections arriving on port 25 start with a proxy protocol header that it should parse.
In the mailcow directory, open data/conf/postfix/extra.cf
and add these two lines:
postscreen_upstream_proxy_protocol = haproxy
smtpd_upstream_proxy_protocol = haproxy
Once this is set, every connection to port 25 must carry the header, so port 25 must only be reachable through frp.
Restart the Postfix container:
sudo docker compose restart postfix-mailcow
3. Edit the frpc configuration
In frpc.ini (or .toml) on your internal machine, enable proxy protocol v2 for port 25:
[mail-smtp]
type = tcp
# local_ip/local_port must point at the mailcow host and the SMTP_PORT set in mailcow.conf
local_ip = 127.0.0.1
local_port = 25
remote_port = 25
# this line is required
proxy_protocol_version = v2
# To keep mailbox logins working, do not enable the proxy protocol on the IMAPS port;
# leave the dovecot-mailcow container as it is
[IMAPS_PORT]
type = tcp
local_ip = 10.44.0.11
local_port = 10993
remote_port = 993
[SUBMISSION_PORT]
type = tcp
local_ip = 10.44.0.11
local_port = 10587
remote_port = 587
Test whether you can connect
Run in a terminal:
telnet [your cloud server IP] 25
Once connected, enter these lines one at a time:
1. EHLO test.com
2. MAIL FROM:<test@test.com>
3. RCPT TO:<your_real_email@gmail.com>
Interpreting the result
If it returns
554 5.7.1 <...>: Relay access denied
congratulations, the hole is completely plugged: your server now refuses unauthorized relaying.
If it returns
250 2.1.5 Ok
it is still an open relay. (Finish with QUIT; nothing is delivered unless you continue with DATA.)
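Why the tunnel turns Postfix into an open relay, as an added example that is not from the original post or from mailcow/frp: it builds and parses the PROXY protocol v2 header that frp sends when proxy_protocol_version = v2 is set, then compares what a Postfix mynetworks check sees for the same remote client with and without that header. The Docker-side address 172.22.1.1, the client 203.0.113.5 and the MYNETWORKS list are constructed assumptions.

```python
import ipaddress
import socket
import struct

# PROXY protocol v2 (the HAProxy spec) as frp sends it with proxy_protocol_version = v2
# and Postfix reads it with postscreen_upstream_proxy_protocol = haproxy.
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
PP2_PROXY = 0x21   # version 2, command PROXY
PP2_TCP4 = 0x11    # address family INET, transport STREAM

def build_pp2_header(src_ip, src_port, dst_ip, dst_port):
    """Build the 28-byte PROXY v2 header for a TCP-over-IPv4 connection."""
    addrs = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
             + struct.pack("!HH", src_port, dst_port))
    return PP2_SIGNATURE + struct.pack("!BBH", PP2_PROXY, PP2_TCP4, len(addrs)) + addrs

def parse_pp2_header(data):
    """Return (src_ip, src_port, dst_ip, dst_port) from a PROXY v2 TCP4 header."""
    if not data.startswith(PP2_SIGNATURE):
        raise ValueError("no PROXY v2 signature: the peer did not send the proxy protocol")
    ver_cmd, family, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd != PP2_PROXY or family != PP2_TCP4 or length < 12:
        raise ValueError("unsupported PROXY v2 command or address family")
    body = data[16:16 + length]
    src_port, dst_port = struct.unpack("!HH", body[8:12])
    return socket.inet_ntoa(body[0:4]), src_port, socket.inet_ntoa(body[4:8]), dst_port

def in_mynetworks(client_ip, mynetworks):
    """Mimic Postfix permit_mynetworks: the client is trusted iff it lies in a listed network."""
    ip = ipaddress.ip_address(client_ip)
    for net in mynetworks.split():
        net = net.replace("[", "").replace("]", "")  # Postfix writes IPv6 networks as [::1]/128
        if ip in ipaddress.ip_network(net, strict=False):
            return True
    return False

# Assumed trusted networks of a default mailcow Postfix: loopback plus the Docker
# subnet derived from IPV4_NETWORK=172.22.1 (constructed for this example).
MYNETWORKS = "127.0.0.0/8 [::1]/128 172.22.1.0/24"

def relay_decision():
    """Trusted-or-not for the same remote client without and with the proxy protocol."""
    # Without the header, Postfix only sees the tunnel's Docker-side address (constructed).
    seen_without = "172.22.1.1"
    # With the header, frp carries the real client address (constructed: 203.0.113.5).
    header = build_pp2_header("203.0.113.5", 51234, "10.44.0.11", 25)
    seen_with = parse_pp2_header(header)[0]
    return in_mynetworks(seen_without, MYNETWORKS), in_mynetworks(seen_with, MYNETWORKS)
```

relay_decision() returns (True, False): the same Internet client is trusted, and therefore allowed to relay, only when the real source address is hidden behind the tunnel.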
Summary of commands for testing
# show the IPs of connecting clients
sudo docker compose logs -f postfix-mailcow | grep "connect from"
# purge the whole mail queue (e.g. spam queued while the relay was open)
sudo docker exec -it $(sudo docker ps -qf name=postfix-mailcow) postsuper -d ALL
# list the messages in the queue
sudo docker exec -it $(sudo docker ps -qf name=postfix-mailcow) postqueue -p
# show which messages were removed
sudo docker compose logs postfix-mailcow | grep "removed" -B 2