This document explains the layout of the Mailu websites server, which runs Docker to host the web projects around Mailu, such as the documentation, demo and setup sites.
In this section the running services are explained. There is a crontab file which is a copy of the one used on the server. It currently has two tasks:
- Run `./demo/admin-pw.sh` for frequent admin password resets of the demo server. We had bullies changing the admin user password from time to time. This rolls it back to the usual `letmein` password.
- Run `update.sh`, which updates the images of all services, should there be any available.
Traefik is used as reverse proxy and takes care of (sub)domain web routing:
- https://mailu.io/<ver>: Documentation
- https://setup.mailu.io/<ver>: Setup
- https://test.mailu.io: Demo server
The compose file and configuration can be found in the `./traefik` directory.
The documentation docker-compose file is located in the `./docs` directory. It defines a service for every release version of Mailu since `1.5`, including `master`.
The setup docker-compose file is located in the `./setup` directory. It defines a service for every release version of Mailu since `1.7`, including `master`.
The demo service docker-compose file is located in the `./demo` directory. It is a customized version which takes care of resource limiting. It uses the `certdumper` service to extract TLS certificates from Traefik.
The `default` network is set to internal. Remaining services that need internet access use the `web` network.
The `front` service is bound to the usual ports, except `80` and `443`, as these web ports are routed through Traefik.
This means that the demo server can:
- Receive SMTP e-mail (both incoming and authenticated)
- Serve authenticated IMAP and POP3 connections from clients
- Provide access to the webmail and admin interfaces
- Run a fully functional virus scanner, downloading the appropriate definitions
However, the demo server cannot send any SMTP mail to external hosts. Those mails will remain stuck in the queue forever.
The server is running Ubuntu 18.04.5 LTS, with Docker latest stable from the Docker official APT repositories. The `ufw` firewall is enabled and only allows access to SSH, HTTP and HTTPS. Other ports for services are configured by Docker.
Members of the "Contributors" team can gain access by posting their public keys in `./ssh/<username>`, one line per key. The filenames reflect the GitHub usernames in all lower-case. The users that currently have a file in this repository already have a username associated on the system. If additional users must be added, please first send a PR so that the user can be created on the server first.
Users are in principle unprivileged. For example, they are not members of the `docker` group. This is a small security measure to prevent privileged access should a private key get compromised. All users are members of the `sudo` group. On first login a user password must be set with the `passwd` command.
Keys that are added must use `rsa` (>= 2048), `ecdsa` (>= 256) or `ed25519`. We also request to make sure the private key is password protected.
A copy of applicable `sshd_config` options can be found in `./ssh/sshd_config`.
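As an added example (not part of the Mailu/infra repository), the following Python script checks a `./ssh/<username>` file against the key policy above: one key per line, `rsa` of at least 2048 bits, `ecdsa` of at least 256 bits, or `ed25519`. The function names and the constructed sample key lines are the example's own; the RSA modulus length is read from the encoded key blob itself rather than taken from the comment.

```python
import base64
import struct

# Key policy from the README: rsa (>= 2048), ecdsa (>= 256), ed25519; for the fixed-size types the curve fixes the size.
MIN_BITS = {"ssh-rsa": 2048, "ecdsa-sha2-nistp256": 256, "ecdsa-sha2-nistp384": 384,
            "ecdsa-sha2-nistp521": 521, "ssh-ed25519": 256}

def _string(blob, off):  # one length-prefixed SSH string at off -> (bytes, next offset)
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n

def key_bits(key_type, blob):
    """Strength in bits of a decoded OpenSSH public key blob."""
    if key_type == "ssh-rsa":  # blob = string(type) mpint(e) mpint(n)
        _, off = _string(blob, 0)
        _, off = _string(blob, off)
        n, _ = _string(blob, off)  # an mpint's leading 0x00 pad byte adds no bits
        return int.from_bytes(n, "big").bit_length()
    return MIN_BITS.get(key_type, 0)

def check_key_line(line):
    """Validate one 'type base64 [comment]' line; return (ok, reason)."""
    parts = line.split()
    if len(parts) < 2:
        return False, "not a 'type base64 [comment]' line"
    key_type = parts[0]
    if key_type not in MIN_BITS:
        return False, f"key type {key_type} is not allowed"
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError:
        return False, "key data is not valid base64"
    if len(blob) < 4 or _string(blob, 0)[0] != key_type.encode():
        return False, "declared key type does not match the encoded key"
    bits = key_bits(key_type, blob)
    if bits < MIN_BITS[key_type]:
        return False, f"{key_type} key has only {bits} bits"
    return True, f"{key_type} key with {bits} bits"

def check_key_file(text):
    """Check every non-empty line of a ./ssh/<username> file; return [(lineno, ok, reason)]."""
    return [(i, *check_key_line(l)) for i, l in enumerate(text.splitlines(), 1) if l.strip()]

def make_rsa_line(bits, comment="constructed"):
    # Constructed test data only: a format-valid ssh-rsa line whose modulus has `bits` bits.
    def s(b): return struct.pack(">I", len(b)) + b
    def mpint(i):
        b = i.to_bytes((i.bit_length() + 7) // 8, "big")
        return s(b"\x00" + b if b[0] & 0x80 else b)
    blob = s(b"ssh-rsa") + mpint(65537) + mpint((1 << (bits - 1)) | 1)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"
```

Running `check_key_file` over each file under `./ssh/` before merging a PR catches undersized RSA keys and disallowed key types that a reviewer would otherwise have to spot by eye.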
This `Mailu/infra` repository is cloned in `/opt/infra`. Write access is only by root/sudo.
- Don't use / abuse the server for anything else than Mailu.
- If there is an issue and you need to get in, please announce it on the Matrix channel or on a related issue on GitHub. This way we prevent multiple people interfering at the same time.
- If you need to make changes to `/opt/infra` (using `sudo`), it is fine for testing. However, you can't commit from there back to GitHub. Please clone the repository locally (your own PC), apply any changes, commit and push. Always leave the state of `/opt/infra` clean (`git checkout -- *` before you log out!).
- If `origin/master` is ahead, please pull before doing anything.
- If you lose access to a previously added SSH key, or you have the slightest suspicion it got compromised, please remove it from your key file in this repository!