mox/docker-compose.yml

# Before launching mox, run the quickstart to create config files for running as
# user the mox user (create it on the host system first, e.g. "useradd -d $PWD mox"):
#
#	mkdir config data web
# 	docker-compose run mox mox quickstart you@yourdomain.example $(id -u mox)
#
# After following the quickstart instructions you can start mox:
#
# 	docker-compose up

version: '3.7'
services:
  mox:
    # Replace latest with the version you want to run.
    image: docker.io/moxmail/mox:latest
    environment:
      - MOX_DOCKER=yes # Quickstart won't try to write systemd service file.
    # Mox needs host networking because it needs access to the IPs of the
    # machine, and the IPs of incoming connections for spam filtering.
    network_mode: 'host'
    volumes:
      - ./config:/mox/config
      - ./data:/mox/data
      # web is optional but recommended to bind in, useful for serving static files with
      # the webserver.
      - ./web:/mox/web
    working_dir: /mox
    restart: on-failure
    healthcheck:
      test: netstat -nlt | grep ':25 '
      interval: 1s
      timeout: 1s
      retries: 10
change mox to start as root, bind to network sockets, then drop to regular unprivileged mox user makes it easier to run on bsd's, where you cannot (easily?) let non-root users bind to ports <1024. starting as root also paves the way for future improvements with privilege separation. unfortunately, this requires changes to how you start mox. though mox will help by automatically fix up dir/file permissions/ownership. if you start mox from the systemd unit file, you should update it so it starts as root and adds a few additional capabilities: # first update the mox binary, then, as root: ./mox config printservice >mox.service systemctl daemon-reload systemctl restart mox journalctl -f -u mox & # you should see mox start up, with messages about fixing permissions on dirs/files. if you used the recommended config/ and data/ directory, in a directory just for mox, and with the mox user called "mox", this should be enough. if you don't want mox to modify dir/file permissions, set "NoFixPermissions: true" in mox.conf. if you named the mox user something else than mox, e.g. "_mox", add "User: _mox" to mox.conf. if you created a shared service user as originally suggested, you may want to get rid of that as it is no longer useful and may get in the way. e.g. if you had /home/service/mox with a "service" user, that service user can no longer access any files: only mox and root can. this also adds scripts for building mox docker images for alpine-supported platforms. the "restart" subcommand has been removed. it wasn't all that useful and got in the way. and another change: when adding a domain while mtasts isn't enabled, don't add the per-domain mtasts config, as it would cause failure to add the domain. based on report from setting up mox on openbsd from mteege. and based on issue #3. thanks for the feedback! 2023-02-27 14:19:55 +03:00			`# Before launching mox, run the quickstart to create config files for running as`
			`# user the mox user (create it on the host system first, e.g. "useradd -d $PWD mox"):`
help run mox with docker in the Dockerfile, allow running on privileged ports and expose those ports. add a docker-compose.yml with instructions for the quickstart. fix running imaptest somewhat. after a short while it will hit the rate limiter. in quickstart, recognize we are running under docker, and print slightly different commands to set permissions, and skip generating the systemd service file. als fix cleaning up the right paths during failure in quickstart. for issue #3 2023-02-24 16:16:51 +03:00			`#`
make it easier to run with existing webserver - make it easier to run with an existing webserver. the quickstart now has a new option for that, it generates a different mox.conf, and further instructions such as configuring the tls keys/certs and reverse proxy urls. and changes to make autoconfig work in that case too. - when starting up, request a tls cert for the hostname and for the autoconfig endpoint. the first will be requested soon anyway, and the autoconfig cert is needed early so the first autoconfig request doesn't time out (without helpful message to the user by at least thunderbird). and don't request the certificate before the servers are online. the root process was now requesting the certs, before the child process was serving on the tls port. - add examples of configs generated by the quickstart. - enable debug logging in config from quickstart, to give user more info. for issue #5 2023-03-04 02:49:02 +03:00			`# mkdir config data web`
change mox to start as root, bind to network sockets, then drop to regular unprivileged mox user makes it easier to run on bsd's, where you cannot (easily?) let non-root users bind to ports <1024. starting as root also paves the way for future improvements with privilege separation. unfortunately, this requires changes to how you start mox. though mox will help by automatically fix up dir/file permissions/ownership. if you start mox from the systemd unit file, you should update it so it starts as root and adds a few additional capabilities: # first update the mox binary, then, as root: ./mox config printservice >mox.service systemctl daemon-reload systemctl restart mox journalctl -f -u mox & # you should see mox start up, with messages about fixing permissions on dirs/files. if you used the recommended config/ and data/ directory, in a directory just for mox, and with the mox user called "mox", this should be enough. if you don't want mox to modify dir/file permissions, set "NoFixPermissions: true" in mox.conf. if you named the mox user something else than mox, e.g. "_mox", add "User: _mox" to mox.conf. if you created a shared service user as originally suggested, you may want to get rid of that as it is no longer useful and may get in the way. e.g. if you had /home/service/mox with a "service" user, that service user can no longer access any files: only mox and root can. this also adds scripts for building mox docker images for alpine-supported platforms. the "restart" subcommand has been removed. it wasn't all that useful and got in the way. and another change: when adding a domain while mtasts isn't enabled, don't add the per-domain mtasts config, as it would cause failure to add the domain. based on report from setting up mox on openbsd from mteege. and based on issue #3. thanks for the feedback! 2023-02-27 14:19:55 +03:00			`# docker-compose run mox mox quickstart you@yourdomain.example $(id -u mox)`
help run mox with docker in the Dockerfile, allow running on privileged ports and expose those ports. add a docker-compose.yml with instructions for the quickstart. fix running imaptest somewhat. after a short while it will hit the rate limiter. in quickstart, recognize we are running under docker, and print slightly different commands to set permissions, and skip generating the systemd service file. als fix cleaning up the right paths during failure in quickstart. for issue #3 2023-02-24 16:16:51 +03:00			`#`
change mox to start as root, bind to network sockets, then drop to regular unprivileged mox user makes it easier to run on bsd's, where you cannot (easily?) let non-root users bind to ports <1024. starting as root also paves the way for future improvements with privilege separation. unfortunately, this requires changes to how you start mox. though mox will help by automatically fix up dir/file permissions/ownership. if you start mox from the systemd unit file, you should update it so it starts as root and adds a few additional capabilities: # first update the mox binary, then, as root: ./mox config printservice >mox.service systemctl daemon-reload systemctl restart mox journalctl -f -u mox & # you should see mox start up, with messages about fixing permissions on dirs/files. if you used the recommended config/ and data/ directory, in a directory just for mox, and with the mox user called "mox", this should be enough. if you don't want mox to modify dir/file permissions, set "NoFixPermissions: true" in mox.conf. if you named the mox user something else than mox, e.g. "_mox", add "User: _mox" to mox.conf. if you created a shared service user as originally suggested, you may want to get rid of that as it is no longer useful and may get in the way. e.g. if you had /home/service/mox with a "service" user, that service user can no longer access any files: only mox and root can. this also adds scripts for building mox docker images for alpine-supported platforms. the "restart" subcommand has been removed. it wasn't all that useful and got in the way. and another change: when adding a domain while mtasts isn't enabled, don't add the per-domain mtasts config, as it would cause failure to add the domain. based on report from setting up mox on openbsd from mteege. and based on issue #3. thanks for the feedback! 2023-02-27 14:19:55 +03:00			`# After following the quickstart instructions you can start mox:`
help run mox with docker in the Dockerfile, allow running on privileged ports and expose those ports. add a docker-compose.yml with instructions for the quickstart. fix running imaptest somewhat. after a short while it will hit the rate limiter. in quickstart, recognize we are running under docker, and print slightly different commands to set permissions, and skip generating the systemd service file. als fix cleaning up the right paths during failure in quickstart. for issue #3 2023-02-24 16:16:51 +03:00			`#`
change mox to start as root, bind to network sockets, then drop to regular unprivileged mox user makes it easier to run on bsd's, where you cannot (easily?) let non-root users bind to ports <1024. starting as root also paves the way for future improvements with privilege separation. unfortunately, this requires changes to how you start mox. though mox will help by automatically fix up dir/file permissions/ownership. if you start mox from the systemd unit file, you should update it so it starts as root and adds a few additional capabilities: # first update the mox binary, then, as root: ./mox config printservice >mox.service systemctl daemon-reload systemctl restart mox journalctl -f -u mox & # you should see mox start up, with messages about fixing permissions on dirs/files. if you used the recommended config/ and data/ directory, in a directory just for mox, and with the mox user called "mox", this should be enough. if you don't want mox to modify dir/file permissions, set "NoFixPermissions: true" in mox.conf. if you named the mox user something else than mox, e.g. "_mox", add "User: _mox" to mox.conf. if you created a shared service user as originally suggested, you may want to get rid of that as it is no longer useful and may get in the way. e.g. if you had /home/service/mox with a "service" user, that service user can no longer access any files: only mox and root can. this also adds scripts for building mox docker images for alpine-supported platforms. the "restart" subcommand has been removed. it wasn't all that useful and got in the way. and another change: when adding a domain while mtasts isn't enabled, don't add the per-domain mtasts config, as it would cause failure to add the domain. based on report from setting up mox on openbsd from mteege. and based on issue #3. thanks for the feedback! 2023-02-27 14:19:55 +03:00			`# docker-compose up`
help run mox with docker in the Dockerfile, allow running on privileged ports and expose those ports. add a docker-compose.yml with instructions for the quickstart. fix running imaptest somewhat. after a short while it will hit the rate limiter. in quickstart, recognize we are running under docker, and print slightly different commands to set permissions, and skip generating the systemd service file. als fix cleaning up the right paths during failure in quickstart. for issue #3 2023-02-24 16:16:51 +03:00
			`version: '3.7'`
			`services:`
			`mox:`
			`# Replace latest with the version you want to run.`
use full docker hub path in docker-compose.yml 2023-02-27 16:04:45 +03:00			`image: docker.io/moxmail/mox:latest`
help run mox with docker in the Dockerfile, allow running on privileged ports and expose those ports. add a docker-compose.yml with instructions for the quickstart. fix running imaptest somewhat. after a short while it will hit the rate limiter. in quickstart, recognize we are running under docker, and print slightly different commands to set permissions, and skip generating the systemd service file. als fix cleaning up the right paths during failure in quickstart. for issue #3 2023-02-24 16:16:51 +03:00			`environment:`
make it easier to run with existing webserver - make it easier to run with an existing webserver. the quickstart now has a new option for that, it generates a different mox.conf, and further instructions such as configuring the tls keys/certs and reverse proxy urls. and changes to make autoconfig work in that case too. - when starting up, request a tls cert for the hostname and for the autoconfig endpoint. the first will be requested soon anyway, and the autoconfig cert is needed early so the first autoconfig request doesn't time out (without helpful message to the user by at least thunderbird). and don't request the certificate before the servers are online. the root process was now requesting the certs, before the child process was serving on the tls port. - add examples of configs generated by the quickstart. - enable debug logging in config from quickstart, to give user more info. for issue #5 2023-03-04 02:49:02 +03:00			`- MOX_DOCKER=yes # Quickstart won't try to write systemd service file.`
help run mox with docker in the Dockerfile, allow running on privileged ports and expose those ports. add a docker-compose.yml with instructions for the quickstart. fix running imaptest somewhat. after a short while it will hit the rate limiter. in quickstart, recognize we are running under docker, and print slightly different commands to set permissions, and skip generating the systemd service file. als fix cleaning up the right paths during failure in quickstart. for issue #3 2023-02-24 16:16:51 +03:00			`# Mox needs host networking because it needs access to the IPs of the`
			`# machine, and the IPs of incoming connections for spam filtering.`
			`network_mode: 'host'`
			`volumes:`
			`- ./config:/mox/config`
			`- ./data:/mox/data`
improve webserver, add domain redirects (aliases), add tests and admin page ui to manage the config - make builtin http handlers serve on specific domains, such as for mta-sts, so e.g. /.well-known/mta-sts.txt isn't served on all domains. - add logging of a few more fields in access logging. - small tweaks/bug fixes in webserver request handling. - add config option for redirecting entire domains to another (common enough). - split httpserver metric into two: one for duration until writing header (i.e. performance of server), another for duration until full response is sent to client (i.e. performance as perceived by users). - add admin ui, a new page for managing the configs. after making changes and hitting "save", the changes take effect immediately. the page itself doesn't look very well-designed (many input fields, makes it look messy). i have an idea to improve it (explained in admin.html as todo) by making the layout look just like the config file. not urgent though. i've already changed my websites/webapps over. the idea of adding a webserver is to take away a (the) reason for folks to want to complicate their mox setup by running an other webserver on the same machine. i think the current webserver implementation can already serve most common use cases. with a few more tweaks (feedback needed!) we should be able to get to 95% of the use cases. the reverse proxy can take care of the remaining 5%. nevertheless, a next step is still to change the quickstart to make it easier for folks to run with an existing webserver, with existing tls certs/keys. that's how this relates to issue #5. 2023-03-02 20:15:54 +03:00			`# web is optional but recommended to bind in, useful for serving static files with`
			`# the webserver.`
			`- ./web:/mox/web`
help run mox with docker in the Dockerfile, allow running on privileged ports and expose those ports. add a docker-compose.yml with instructions for the quickstart. fix running imaptest somewhat. after a short while it will hit the rate limiter. in quickstart, recognize we are running under docker, and print slightly different commands to set permissions, and skip generating the systemd service file. als fix cleaning up the right paths during failure in quickstart. for issue #3 2023-02-24 16:16:51 +03:00			`working_dir: /mox`
			`restart: on-failure`
			`healthcheck:`
			`test: netstat -nlt \| grep ':25 '`
			`interval: 1s`
			`timeout: 1s`
			`retries: 10`