Mailcow SSL 不起作用

Mailcow SSL 不起作用

我正在使用 Apache/mailcow 设置家庭电子邮件服务器。我遵循了 mailcow dockerized 教程。并且能够连接到我的 mailcow 网站:

http://mail.example.com:8080

我必须使用 8080,因为我的网站也设置在此服务器上。

我在尝试将 nextcloud 客户端连接到邮件服务器时遇到了问题,以为是 SSL 的问题。所以我最终使用 certbot 安装了 ssl。

我有教程告诉我制作redirect.conf和site.conf文件。

我现在无法从以下任何网址访问我的邮件网站。

Mail.example.com
Mail.example.com:8080 or 8443
http://mail.example.com
https://mail.example.com
http(s)://mail.example.com:8080 or 8443

我知道这与重写或“代理”或“反向代理”有关,但我真的不知道这些是什么意思,所以我不知道要检查什么。

我不知道 Apache 如何知道将任何内容发送到哪里,因为 documentroot 值不在配置中。我不知道重定向或站点配置文件的用途。

我遗漏了什么?为什么我无法通过简单的 mail.example.com 访问我的网站。最后,我希望所有上述 URL 都转到/重写到 SSL 安全的 mail.example.com 网站。不,:8080 或 :8443

虚拟主机文件

<VirtualHost *:80>
  ServerName mail.example.com
  ServerAlias autodiscover.*
  ServerAlias autoconfig.*
  RewriteEngine on

  ProxyPass / http://mail.example.com:8080/
  ProxyPassReverse / http://mail.example.com:8080/

  RewriteCond %{HTTPS} off
  RewriteRule ^/?(.*) https://%{HTTP_HOST}/$1 [R=301,L]

</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
  ServerName mail.example.com
  ServerAlias autodiscover.*
  ServerAlias autoconfig.*

  # You should proxy to a plain HTTP session to offload SSL processing
  #ProxyPass /Microsoft-Server-ActiveSync http://127.0.0.1:8080/Microsoft-Server-ActiveSync connectiontim>
  #ProxyPassReverse /Microsoft-Server-ActiveSync http://127.0.0.1:8080/Microsoft-Server-ActiveSync
  ProxyPass / http://mail.example.com:8080/
  ProxyPassReverse / http://mail.example.com:8080/
  ProxyPreserveHost On
  ProxyAddHeaders On
  RequestHeader set X-Forwarded-Proto “https”

  Include /etc/letsencrypt/options-ssl-apache.conf

  SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem

  SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

  # If you plan to proxy to a HTTPS host:
  #SSLProxyEngine On

  # If you plan to proxy to an untrusted HTTPS host:
  #SSLProxyVerify none
  #SSLProxyCheckPeerCN off
  #SSLProxyCheckPeerName off
  #SSLProxyCheckPeerExpire off
</VirtualHost>
</IfModule>

邮件配置文件

# ------------------------------
# mailcow web ui configuration
# ------------------------------
# example.org is _not_ a valid hostname, use a fqdn here.
# Default admin user is “admin”
# Default password is “moohoo”

MAILCOW_HOSTNAME=mail.example.com

# Password hash algorithm
# Only certain password hash algorithm are supported. For a fully list of supported schemes,
# see https://mailcow.github.io/mailcow-dockerized-docs/model-passwd/
MAILCOW_PASS_SCHEME=BLF-CRYPT

# ------------------------------
# SQL database configuration
# ------------------------------

DBNAME=example
DBUSER=example

# Please use long, random alphanumeric strings (A-Za-z0-9)

DBPASS=**************
DBROOT=*************

# ------------------------------
# HTTP/S Bindings
# ------------------------------

# You should use HTTPS, but in case of SSL offloaded reverse proxies:
# Might be important: This will also change the binding within the container.
# If you use a proxy within Docker, point it to the ports you set below.
# Do _not_ use IP:PORT in HTTP(S)_BIND or HTTP(S)_PORT
# IMPORTANT: Do not use port 8081, 9081 or 65510!
# Example: HTTP_BIND=1.2.3.4
# For IPv4 and IPv6 leave it empty: HTTP_BIND= & HTTPS_PORT=
# For IPv6 see https://mailcow.github.io/mailcow-dockerized-docs/firststeps-ip_bindings/

HTTP_PORT=8080
HTTP_BIND=

HTTPS_PORT=8443
HTTPS_BIND=

# ------------------------------
# Other bindings
# ------------------------------
# You should leave that alone
# Format: 11.22.33.44:25 or 12.34.56.78:465 etc.

SMTP_PORT=25
SMTPS_PORT=465
SUBMISSION_PORT=587
IMAP_PORT=143
IMAPS_PORT=993
POP_PORT=110
POPS_PORT=995
SIEVE_PORT=4190
DOVEADM_PORT=127.0.0.1:19991
SQL_PORT=127.0.0.1:13306
SOLR_PORT=127.0.0.1:18983
REDIS_PORT=127.0.0.1:7654

# Your timezone
# See https://en.wikipedia.org/wiki/List_of_tz_database_time_zones for a list of timezones
# Use the row named ‘TZ database name’ + pay attention for ‘Notes’ row

TZ=****

# Fixed project name
# Please use lowercase letters only

COMPOSE_PROJECT_NAME=mailcowdockerized

# Set this to “allow” to enable the anyone pseudo user. Disabled by default.
# When enabled, ACL can be created, that apply to “All authenticated users”
# This should probably only be activated on mail hosts, that are used exclusivly by one organisation.
# Otherwise a user might share data with too many other users.
ACL_ANYONE=disallow

# Garbage collector cleanup
# Deleted domains and mailboxes are moved to /var/vmail/_garbage/timestamp_sanitizedstring
# How long should objects remain in the garbage until they are being deleted? (value in minutes)
# Check interval is hourly

MAILDIR_GC_TIME=7200

# Additional SAN for the certificate
#
# You can use wildcard records to create specific names for every domain you add to mailcow.
# Example: Add domains “example.com” and “example.net” to mailcow, change ADDITIONAL_SAN to a value like:
#ADDITIONAL_SAN=imap.*,smtp.*
# This will expand the certificate to “imap.example.com”, “smtp.example.com”, “imap.example.net”, “imap.example.net”
# plus every domain you add in the future.
#
# You can also just add static names…
#ADDITIONAL_SAN=srv1.example.net
# …or combine wildcard and static names:
#ADDITIONAL_SAN=imap.*,srv1.example.com
#

ADDITIONAL_SAN=

# Additional server names for mailcow UI
#
# Specify alternative addresses for the mailcow UI to respond to
# This is useful when you set mail.* as ADDITIONAL_SAN and want to make sure mail.maildomain.com will always point to the mailcow UI.
# If the server name does not match a known site, Nginx decides by best-guess and may redirect users to the wrong web root.
# You can understand this as server_name directive in Nginx.
# Comma separated list without spaces! Example: ADDITIONAL_SERVER_NAMES=a.b.c,d.e.f

ADDITIONAL_SERVER_NAMES=

# Skip running ACME (acme-mailcow, Let’s Encrypt certs) – y/n

SKIP_LETS_ENCRYPT=y

# Create separate certificates for all domains – y/n
# this will allow adding more than 100 domains, but some email clients will not be able to connect with alternative hostnames
# see https://wiki.dovecot.org/SSL/SNIClientSupport
ENABLE_SSL_SNI=y

# Skip IPv4 check in ACME container – y/n

SKIP_IP_CHECK=n

# Skip HTTP verification in ACME container – y/n

SKIP_HTTP_VERIFICATION=n

# Skip ClamAV (clamd-mailcow) anti-virus (Rspamd will auto-detect a missing ClamAV container) – y/n

SKIP_CLAMD=n

# Skip SOGo: Will disable SOGo integration and therefore webmail, DAV protocols and ActiveSync support (experimental, unsupported, not fully implemented) – y/n

SKIP_SOGO=n

# Skip Solr on low-memory systems or if you do not want to store a readable index of your mails in solr-vol-1.

SKIP_SOLR=n

# Solr heap size in MB, there is no recommendation, please see Solr docs.
# Solr is a prone to run OOM and should be monitored. Unmonitored Solr setups are not recommended.

SOLR_HEAP=1024

# Allow admins to log into SOGo as email user (without any password)

ALLOW_ADMIN_EMAIL_LOGIN=n

# Enable watchdog (watchdog-mailcow) to restart unhealthy containers

USE_WATCHDOG=y

# Send watchdog notifications by mail (sent from watchdog@MAILCOW_HOSTNAME)
# CAUTION:
# 1. You should use external recipients
# 2. Mails are sent unsigned (no DKIM)
# 3. If you use DMARC, create a separate DMARC policy (“v=DMARC1; p=none;” in _dmarc.MAILCOW_HOSTNAME)
# Multiple rcpts allowed, NO quotation marks, NO spaces

#[email protected],[email protected],[email protected]
#WATCHDOG_NOTIFY_EMAIL=

# Notify about banned IP (includes whois lookup)
WATCHDOG_NOTIFY_BAN=n

# Subject for watchdog mails. Defaults to “Watchdog ALERT” followed by the error message.
#WATCHDOG_SUBJECT=

# Checks if mailcow is an open relay. Requires a SAL. More checks will follow.
# https://www.servercow.de/mailcow?lang=en
# https://www.servercow.de/mailcow?lang=de
# No data is collected. Opt-in and anonymous.
# Will only work with unmodified mailcow setups.
WATCHDOG_EXTERNAL_CHECKS=n

# Enable watchdog verbose logging
WATCHDOG_VERBOSE=n

# Max log lines per service to keep in Redis logs

LOG_LINES=9999

# Internal IPv4 /24 subnet, format n.n.n (expands to n.n.n.0/24)
# Use private IPv4 addresses only, see https://en.wikipedia.org/wiki/Private_network#Private_IPv4_addresses

IPV4_NETWORK=172.22.1

# Internal IPv6 subnet in fc00::/7
# Use private IPv6 addresses only, see https://en.wikipedia.org/wiki/Private_network#Private_IPv6_addresses

IPV6_NETWORK=fd4d:6169:6c63:6f77::/64

# Use this IPv4 for outgoing connections (SNAT)

#SNAT_TO_SOURCE=

# Use this IPv6 for outgoing connections (SNAT)

#SNAT6_TO_SOURCE=

# Create or override an API key for the web UI
# You _must_ define API_ALLOW_FROM, which is a comma separated list of IPs
# An API key defined as API_KEY has read-write access
# An API key defined as API_KEY_READ_ONLY has read-only access
# Allowed chars for API_KEY and API_KEY_READ_ONLY: a-z, A-Z, 0-9, -
# You can define API_KEY and/or API_KEY_READ_ONLY

#API_KEY=
#API_KEY_READ_ONLY=
#API_ALLOW_FROM=172.22.1.1,127.0.0.1

# mail_home is ~/Maildir
MAILDIR_SUB=Maildir

# SOGo session timeout in minutes
SOGO_EXPIRE_SESSION=480

# DOVECOT_MASTER_USER and DOVECOT_MASTER_PASS must both be provided. No special chars.
# Empty by default to auto-generate master user and password on start.
# User expands to [email protected]
# LEAVE EMPTY IF UNSURE
DOVECOT_MASTER_USER=
# LEAVE EMPTY IF UNSURE
DOVECOT_MASTER_PASS=

# Let’s Encrypt registration contact information
# Optional: Leave empty for none
# This value is only used on first order!
# Setting it at a later point will require the following steps:
# https://mailcow.github.io/mailcow-dockerized-docs/debug-reset_tls/
ACME_CONTACT=

# WebAuthn device manufacturer verification
# After setting WEBAUTHN_ONLY_TRUSTED_VENDORS=y only devices from trusted manufacturers are allowed
# root certificates can be placed for validation under mailcow-dockerized/data/web/inc/lib/WebAuthn/rootCertificates
WEBAUTHN_ONLY_TRUSTED_VENDORS=n

站点配置文件

Server {
Listen 80 default_server;
Listen [::]:80 default_server;
Include /etc/nginx/conf.d/server_name.active;
If ( $request_uri ~* “%0A|%0D” ) { return 403; }
Return 301 https://$host$uri$is_args$args;
}

重定向配置文件

    Server {
  Root /web;
  Listen 80 default_server;
  Listen [::]:80 default_server;
  Include /etc/nginx/conf.d/server_name.active;
  If ( $request_uri ~* “%0A|%0D” ) { return 403; }
  Location ^~ /.well-known/acme-challenge/ {
    Allow all;
    Default_type “text/plain”;
  }
  Location / {
    Return 301 https://$host$uri$is_args$args;
  }
}

相关内容