Update Servers & Workflows/Linux/iRedMail.md
@ -82,43 +82,74 @@ reboot
When you deploy iRedMail, it will give you a username and password for the postmaster account. If you accidentally forget to document this, you can log back into the server via SSH and see the credentials at `/root/iRedMail-$VERSION/iRedMail.tips`. This file is critical and contains passwords and DNS information such as DKIM record information as well.
## Nested Reverse Proxy Configuration
In my homelab environment, I run Traefik reverse proxy in front of everything, which includes the NGINX reverse proxy that iRedMail creates. In my scenario, I have to make some custom adjustments to the reverse proxy dynamic configuration data to ensure it will allow self-signed certificates from iRedMail to communicate with the Traefik reverse proxy successfully. You will see an example Traefik configuration file below.
In my homelab environment, I run Traefik reverse proxy in front of everything, which includes the NGINX reverse proxy that iRedMail creates. In my scenario, I have to make some custom adjustments to the reverse proxy dynamic configuration data to ensure it will step aside and let the NGINX reverse proxy inside of iRedMail handle everything, including handling its own SSL termination with Let's Encrypt.
``` sh
# ROUTER
http:
tcp:
routers:
mail:
entryPoints:
- websecure
rule: "Host(`mail.bunny-lab.io`)"
service: mail
middlewares:
- add-real-ip-header
- add-host-header
mail-tcp-router:
rule: "HostSNI(`mail.bunny-lab.io`)"
entryPoints: ["websecure"]
service: mail-nginx-service
tls:
certResolver: myresolver
passthrough: true
# MIDDLEWARE (May not actually be necessary)
middlewares:
add-real-ip-header:
headers:
customRequestHeaders:
X-Real-IP: ""
add-host-header:
headers:
customRequestHeaders:
Host: "mail.bunny-lab.io"
# SERVICE
mail:
services:
mail-nginx-service:
loadBalancer:
serversTransport: insecureTransport
servers:
- url: "https://192.168.3.13:443"
passHostHeader: true
# TRANSPORT
serversTransports:
insecureTransport:
insecureSkipVerify: true
- address: "192.168.3.13:443"
```
## Let's Encrypt ACME Certbot
At this point, we want to set up automatic Let's Encrypt SSL termination inside of iRedMail so we don't have to manually touch this in the future.
### Generate SSL Certificate
=== "Debian/Ubuntu"
``` sh
# Download the Certbot
sudo apt update
sudo apt install -y certbot
sudo certbot certonly --webroot -w /var/www/html -d mail.bunny-lab.io
# Set up Symbolic Links (Where iRedMail Expects Them)
sudo mv /etc/ssl/certs/iRedMail.crt{,.bak}
sudo mv /etc/ssl/private/iRedMail.key{,.bak}
sudo ln -s /etc/letsencrypt/live/mail.bunny-lab.io/fullchain.pem /etc/ssl/certs/iRedMail.crt
sudo ln -s /etc/letsencrypt/live/mail.bunny-lab.io/privkey.pem /etc/ssl/private/iRedMail.key
# Restart iRedMail Services
sudo systemctl restart postfix dovecot nginx
```
=== "CentOS/Rocky/AlmaLinux"
``` sh
# Download the Certbot
sudo yum install -y epel-release
sudo yum install -y certbot
sudo certbot certonly --webroot -w /var/www/html -d mail.bunny-lab.io
# Set up Symbolic Links (Where iRedMail Expects Them)
sudo mv /etc/pki/tls/certs/iRedMail.crt{,.bak}
sudo mv /etc/pki/tls/private/iRedMail.key{,.bak}
sudo ln -s /etc/letsencrypt/live/mail.bunny-lab.io/fullchain.pem /etc/pki/tls/certs/iRedMail.crt
sudo ln -s /etc/letsencrypt/live/mail.bunny-lab.io/privkey.pem /etc/pki/tls/private/iRedMail.key
# Restart iRedMail Services
sudo systemctl restart postfix dovecot nginx
```
### Configure Automatic Renewal
To automate the renewal process, set up a cron job that runs the certbot renew command regularly. This command will renew certificates that are due to expire within 30 days.
Open the crontab editor with the following command:
```
sudo crontab -e
```
Add the following line to run the renewal process daily at 3:01 AM:
```
1 3 * * * certbot renew --post-hook 'systemctl restart postfix dovecot nginx'
```
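Review bot: in the Traefik block, `mail-tcp-router` combines `certResolver: myresolver` with `passthrough: true`, which is contradictory: with TLS passthrough Traefik never terminates TLS for this route, so the resolver is never used and the backend's Let's Encrypt certificate is what clients see; drop `certResolver` (or drop `passthrough`, but the new paragraph says NGINX is meant to do its own termination). For the same reason the HTTP router `mail`, its two middlewares and the `insecureSkipVerify: true` transport are never exercised for 443 traffic and only widen the configuration; the HTTP router also points at `service: mail`, which is never defined (the only service is `mail-nginx-service`), and `X-Real-IP: ""` removes that header rather than setting it. The trailing `- address: "192.168.3.13:443"` after `serversTransports` is orphaned and belongs under the TCP service's `loadBalancer.servers` list; the fence is tagged `sh` but the content is YAML. Separately, the Certbot commands use `--webroot`, i.e. the HTTP-01 challenge, which requires port 80 to reach iRedMail's NGINX, but the Traefik config only routes the `websecure` entrypoint; either document the port-80 route (an `HTTP` router or TCP forward for the `web` entrypoint) or the initial issuance and the `certbot renew` cron job will both fail the challenge.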