Add extended Traefik example
Here is a tweaked Traefik example that automatically dumps the ACME certs used by Traefik for use by Postfix SMTP(D) TLS, including a watch & restart of AnonAddy upon renewal. It also provides a feature-complete config of AnonAddy (DKIM, DMARC, PGP signing, SMTP(D) TLS) for reference, and it employs Tecnativa's Docker socket proxy for enhanced security.
Putting on hold in favor of some more testing.
I'm planning on adding MTA-STSv1 and enforcing SSL cipher suite preferences in a future PR as well.
Was testing this version. I already used socketproxy and Traefik and didn't really understand the TLS part of AnonAddy, so this was perfect for me. Worked great (at least until issue #104 showed up again for me).
I did have to modify a portion of the anonaddy.env file:
POSTFIX_SMTPD_TLS_CERT_FILE=/data/output/cert.pem
POSTFIX_SMTPD_TLS_KEY_FILE=/data/output/key.pem
needed to be changed to:
POSTFIX_SMTPD_TLS_CERT_FILE=/data/output/mydomain.com/cert.pem
POSTFIX_SMTPD_TLS_KEY_FILE=/data/output/mydomain.com/key.pem
as that is the way certdumper exported the files for me.
@youngt2 Thanks for mentioning that. I can rebase and update or maybe split it up into different PRs with further additions (CrowdSec support with Traefik bouncer, watchtower config, restricted cipher suites etc.).
I also wanted to ask what the purpose of the ports line in the socketproxy is. Is it just to obscure the port from the system, basically?
ports:
- '30000:2375'
Reading the certdumper documentation a bit closer: it looks like if you include the DOMAIN=mydomain.com environment variable, then it will put the .pem files in the top-level /output directory. A bit annoying way to do that, but perhaps that is why you didn't notice this before.
> I also wanted to ask what the purpose of the ports line in the socketproxy is. Is it just to obscure the port from the system, basically?
>
> ports:
> - '30000:2375'

Because I share a Docker network with multiple stacks, I just wanted to make sure the proxy port won't collide with any other socket proxy I might declare, so I remapped it to an arbitrary high value. You can ignore that and just map 2375:2375, I guess.
> Reading the certdumper documentation a bit closer: it looks like if you include the DOMAIN=mydomain.com environment variable, then it will put the .pem files in the top-level /output directory. A bit annoying way to do that, but perhaps that is why you didn't notice this before.

Oh, I didn't notice that. I'll make sure to adjust that for the updated PR. Thanks for the notice! :)
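The two points of the exchange above, where traefik-certs-dumper puts cert.pem and key.pem depending on whether DOMAIN is set and the watch-and-restart-on-renewal behaviour the PR describes, as an added POSIX shell example. This is not code from the PR or from the docker-anonaddy project: the /data/output mount point, the state file, the restart command and the sample paths are assumptions made here for illustration.

```shell
#!/bin/sh
# Added example (not the PR's or docker-anonaddy's code): resolve the files that
# traefik-certs-dumper wrote, emit the Postfix env lines, verify the pair, and
# detect renewal so the mail container can be restarted.
# Assumptions: the dumper writes either OUTDIR/cert.pem + key.pem (DOMAIN set)
# or OUTDIR/<domain>/cert.pem + key.pem; the volume is mounted at /data/output
# in the anonaddy container; paths contain no spaces.

# Print "<cert> <key>" for OUTDIR, trying the DOMAIN layout first and the
# per-domain subdirectory second; status 1 when neither exists.
find_dumped_certs() {
  outdir=$1; domain=${2:-}
  if [ -f "$outdir/cert.pem" ] && [ -f "$outdir/key.pem" ]; then
    printf '%s %s\n' "$outdir/cert.pem" "$outdir/key.pem"
  elif [ -n "$domain" ] && [ -f "$outdir/$domain/cert.pem" ] && [ -f "$outdir/$domain/key.pem" ]; then
    printf '%s %s\n' "$outdir/$domain/cert.pem" "$outdir/$domain/key.pem"
  else
    return 1
  fi
}

# Emit the two POSTFIX_SMTPD_TLS_* lines for anonaddy.env, rewriting the host
# OUTDIR prefix to the in-container mount point (default /data/output).
postfix_env_lines() {
  outdir=$1; domain=${2:-}; mnt=${3:-/data/output}
  pair=$(find_dumped_certs "$outdir" "$domain") || return 1
  set -- $pair
  cert_rel=${1#"$outdir"}; key_rel=${2#"$outdir"}
  printf 'POSTFIX_SMTPD_TLS_CERT_FILE=%s\n' "$mnt$cert_rel"
  printf 'POSTFIX_SMTPD_TLS_KEY_FILE=%s\n' "$mnt$key_rel"
}

# Check that key.pem really belongs to cert.pem by comparing public keys, so a
# mismatched pair (e.g. files from two different domain directories) is caught
# before Postfix fails the TLS handshake. Requires the openssl CLI.
verify_pair() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# Content hash used for renewal detection (sha256sum where available).
cert_fingerprint() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else cksum "$1"; fi | cut -d' ' -f1
}

# Return 0 and record the new hash in STATE_FILE when the certificate differs
# from the last recorded one (or has never been recorded); 1 when unchanged.
check_renewed() {
  state=$1; cert=$2
  [ -r "$cert" ] || return 1
  now=$(cert_fingerprint "$cert")
  last=$(cat "$state" 2>/dev/null || true)
  [ "$now" = "$last" ] && return 1
  printf '%s\n' "$now" > "$state"
}

# Poll loop: restart the mail container whenever the certificate is renewed.
# RESTART_CMD is whatever you use, e.g. 'docker restart anonaddy' (assumption).
watch_and_restart() {
  cert=$1; state=$2; restart_cmd=$3; interval=${4:-300}
  check_renewed "$state" "$cert" >/dev/null || true   # record the current cert
  while sleep "$interval"; do
    if check_renewed "$state" "$cert"; then
      sh -c "$restart_cmd"
    fi
  done
}
```

Source the file and run `postfix_env_lines /srv/traefik/output mydomain.com` to get the lines for anonaddy.env that match whatever layout the dumper produced, run `verify_pair` on the two host paths before restarting Postfix, and run `watch_and_restart /srv/traefik/output/cert.pem /var/lib/anonaddy-cert.state 'docker restart anonaddy'` (paths and command are placeholders) from a supervisor to pick up renewals.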
This PR has been adjusted to the latest developments and further extended with CrowdSec for spam and abuse protection, as well as Watchtower for automatic image updates (can be configured per container).
@crazy-max This example heavily reflects my own setup and is therefore somewhat up for debate. If you don't like some aspects of it, I could remove them or alternatively split them up into further PRs or examples. Also, please let me know if there is anything I could improve. I did not bother to update and test more recent major releases of the Redis and MariaDB containers (for all examples, consequently), which I could do in another PR when I get to it.
@Flash1232
I have some questions regarding your configuration:
In dynamic.yml, we see an rspamd service, but there is no service with that name in the docker-compose file. Is it an oversight, or is it attached to the anonaddy service?
Furthermore, on my server I already have a set of docker-compose files, including one for Traefik. Nevertheless, I wonder whether the following services in your file can be generalized to others (and thus taken out of this file, with a network created outside of the file):
- dockerproxy
- crowdsec
- bouncer
> In dynamic.yml, we see an rspamd service, but there is no service with that name in the docker-compose file. Is it an oversight, or is it attached to the anonaddy service?

As far as I remember, it is indeed a service embedded inside the anonaddy service.

> Furthermore, on my server I already have a set of docker-compose files, including one for Traefik. Nevertheless, I wonder whether the following services in your file can be generalized to others (and thus taken out of this file, with a network created outside of the file):
> - dockerproxy
> - crowdsec
> - bouncer

You can very well just define external networks elsewhere and distribute your configuration according to your existing setup by making those services join these other networks.
How do I add MTA-STSv1 and a DANE record? Can someone guide me? By default I couldn't find the path of MTA-STSv1.