Update procedure of selfhosting #1909

35 changes: 21 additions & 14 deletions README.md
Expand Up @@ -74,9 +74,10 @@ Setting up DKIM is highly recommended to reduce the chance your emails ending up
First you need to generate a private and public key for DKIM:

```bash
openssl genrsa -out dkim.key 1024
openssl genrsa -traditional -out dkim.key 1024
Contributor

@nguyenkims since dkimpy v1.1.0, PKCS#8 is supported. What about increasing the minimum version instead?

Contributor

Do you know if it's compatible with the old key that people generated? I want to make sure that when people upgrade SL, they don't have any issue.

Contributor

It's a try/except trying the old key standard first, so it's still compatible :D.

openssl rsa -in dkim.key -pubout -out dkim.pub.key
```
Note: the `-traditional` flag is only needed if using an openssl version > 3.

You will need the files `dkim.key` and `dkim.pub.key` for the next steps.
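
Review bot: the note "the `-traditional` flag is only needed if using an openssl version > 3" is off by a version and the new command breaks older installs: `-traditional` was introduced in OpenSSL 3.0 (so the condition is >= 3.0), and OpenSSL 1.1.x rejects it as an unknown option, so a reader on an older distribution gets an error from `openssl genrsa -traditional -out dkim.key 1024` instead of a key. Either show both commands keyed on the output of `openssl version`, or take the suggestion in this thread and raise the dkimpy minimum to >= 1.1.0 so the PKCS#8 output of stock `openssl genrsa` is accepted and the original command can stay as it was. While this line is being touched, 1024 bits is the floor RFC 8301 allows for DKIM RSA keys and 2048 is what it recommends, so `2048` is the better value to document here.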

Expand Down Expand Up @@ -240,7 +241,7 @@ docker run -d \
-v $(pwd)/sl/db:/var/lib/postgresql/data \
--restart always \
--network="sl-network" \
postgres:12.1
postgres:13
```

To test whether the database operates correctly or not, run the following command:
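
Review bot: `postgres:12.1` to `postgres:13` is a PostgreSQL major-version change, and the data directory mounted at `$(pwd)/sl/db` was initialised by 12.x; a 13 server refuses to start on it ("database files are incompatible with server") rather than converting it, so an existing install following this update procedure ends up with a database container that crash-loops under `--restart always`. Add either a dump-and-restore step (`pg_dump` from the old container, `psql` into the new one on a fresh volume) or a `pg_upgrade` step, or state explicitly that the new tag is for fresh installs and existing installs should keep their 12.x image. The old line pinned a full version (`12.1`); if `13` is meant to float across minor releases, say so deliberately.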
Expand Down Expand Up @@ -329,8 +330,8 @@ smtpd_recipient_restrictions =
reject_unknown_recipient_domain,
permit_mynetworks,
reject_unauth_destination,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client bl.spamcop.net,
reject_rbl_client zen.spamhaus.org=127.0.0.[2..11],
Contributor

Do you have any doc on Spamhaus pointing to this change?

Author

I do not. Sorry, will revert.

Contributor

I agree with @hoyohayo: if using an open resolver, almost every email would get blocked (https://www.spamhaus.org/news/article/788/spamhaus-dnsbl-return-codes-technical-update) and the standard return codes are available here.

@Metabaron1 Metabaron1 Nov 25, 2023

I confirm an error when using open resolvers, here is the error:

`554 5.7.1 Service unavailable; Client host [xxx] blocked using zen.spamhaus.org; Error: open resolver; https://www.spamhaus.org/returnc/pub/172.71.133.37;`

I'm using Google DNS for my docker as the recommended workaround here
https://www.spamhaus.com/resource-center/successfully-accessing-spamhauss-free-block-lists-using-a-public-dns/
but I don't really like using Google DNS...

Contributor

@Metabaron1 I would recommend something like this alongside a PTR and you're good to go ;)

reject_rbl_client bl.spamcop.net=127.0.0.2,
permit
```
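
Review bot: the `=127.0.0.[2..11]` and `=127.0.0.2` qualifiers are the right fix for exactly the failure quoted later in this thread (Postfix treating a Spamhaus error answer such as the open-resolver response as a listing and rejecting every client with 554), so rather than reverting, add the documentation the reviewer asked for as a comment above these two lines pointing at the Spamhaus return-codes article already linked in this conversation; the error responses fall outside the 127.0.0.2 to 127.0.0.11 listing range, which is why the qualifier stops them from blocking mail. Two caveats belong in the README next to it: the `[d..d]` range syntax in `reject_rbl_client` requires Postfix 2.8 or later, and restricting the return codes only makes the error answer harmless, it does not make the lookup useful; a self-hosted, non-open recursive resolver is still needed for the list to actually filter anything.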

Expand All @@ -351,7 +352,8 @@ password = mypassword
dbname = simplelogin

query = SELECT domain FROM custom_domain WHERE domain='%s' AND verified=true
UNION SELECT '%s' WHERE '%s' = 'mydomain.com' LIMIT 1;
UNION SELECT domain FROM public_domain WHERE domain='%s'
UNION SELECT '%s' WHERE '%s' = 'example.com' LIMIT 1;
```
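
Review bot: the `'%s' = 'example.com'` branch changes the placeholder from `mydomain.com` to `example.com`, but the config section of this README (unchanged in this PR) still tells the reader to "replace `mydomain.com` by your domain", so someone who does that search-and-replace misses this line and the primary domain is never accepted as a virtual mailbox domain. Keep `mydomain.com` here, or change the instruction and every other occurrence in the same PR. The new `UNION SELECT domain FROM public_domain WHERE domain='%s'` branch reads fine; `LIMIT 1` at the end applies to the whole UNION in PostgreSQL, which is the intended behaviour for a Postfix lookup.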

Create the `/etc/postfix/pgsql-transport-maps.cf` file with the following content.
Expand All @@ -366,7 +368,8 @@ dbname = simplelogin

# forward to smtp:127.0.0.1:20381 for custom domain AND email domain
query = SELECT 'smtp:127.0.0.1:20381' FROM custom_domain WHERE domain = '%s' AND verified=true
UNION SELECT 'smtp:127.0.0.1:20381' WHERE '%s' = 'mydomain.com' LIMIT 1;
UNION SELECT 'smtp:127.0.0.1:20381' FROM public_domain WHERE domain = '%s'
UNION SELECT 'smtp:127.0.0.1:20381' WHERE '%s' = 'example.com' LIMIT 1;
```
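
Review bot: same placeholder mismatch as in the virtual-mailbox-domains query: `'example.com'` here versus `mydomain.com` in the instruction at the top of the config section. A transport map that does not match the primary domain fails silently (the query returns no row and Postfix falls through to its default transport instead of `smtp:127.0.0.1:20381`), so the two pgsql maps and the rest of the file must use the same domain placeholder.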

Finally, restart Postfix
Expand All @@ -380,7 +383,7 @@ sudo systemctl restart postfix
To run SimpleLogin, you need a config file at `$(pwd)/simplelogin.env`. Below is an example that you can use right away, make sure to

- replace `mydomain.com` by your domain,
- set `FLASK_SECRET` to a secret string,
- set `FLASK_SECRET` to a secret string (e.g. generated by pwgen `pwgen -B -s -y 64 -N 1`),
- update 'myuser' and 'mypassword' with your database credentials used in previous step.

All possible parameters can be found in [config example](example.env). Some are optional and are commented out by default.
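
Review bot: the suggested `pwgen -B -s -y 64 -N 1` pulls in a tool the rest of the README does not require, and `-y` adds punctuation that can break the `.env` file the value is pasted into (`#` starts a comment, and quotes or `$` are interpreted by common dotenv parsers, or by the shell if the file is ever sourced), which turns a 64-character secret into a truncated one without any error. Since `openssl` is already required for the DKIM step, `openssl rand -hex 32` gives a secret of comparable strength using only characters that are safe unquoted; if pwgen is kept, drop `-y`.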
Expand Down Expand Up @@ -418,6 +421,12 @@ LOCAL_FILE_UPLOAD=1
POSTFIX_SERVER=10.0.0.1
```

Now it is time to build the latest docker. Replace the tag by latest version released (as of writing 4.35.2).
```bash
docker build https://github.com/simple-login/app.git -t simplelogin/app:tag
```

This command could take a while to build the `simplelogin/app` docker image.

Before running the webapp, you need to prepare the database by running the migration:
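
Review bot: `docker build https://github.com/simple-login/app.git -t simplelogin/app:tag` builds whatever the repository's default branch holds at that moment, not the release the sentence tells the reader to substitute; replacing `tag` only renames the resulting image. To build the released version, put the git ref in the build-context URL (`https://github.com/simple-login/app.git#<release-tag>`, with the tag name as it appears on the project's releases page) and say so explicitly, otherwise an "upgrade to 4.35.2" silently becomes a build of an arbitrary master commit, and two operators following the same README on different days get different code under the same image tag.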

Expand All @@ -430,11 +439,9 @@ docker run --rm \
-v $(pwd)/dkim.pub.key:/dkim.pub.key \
-v $(pwd)/simplelogin.env:/code/.env \
--network="sl-network" \
simplelogin/app:3.4.0 flask db upgrade
simplelogin/app:4.35.2 alembic upgrade head
```

This command could take a while to download the `simplelogin/app` docker image.

Init data
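
Review bot: replacing `flask db upgrade` with `alembic upgrade head` and jumping the image from 3.4.0 straight to 4.35.2 is fine for Alembic itself (it applies every revision after the one recorded in `alembic_version`), but an update procedure should tell the reader to stop the running webapp, email-handler and job-runner containers before this step: the old code keeps writing to tables whose shape is changing underneath it, and migrations that take locks can block, or be blocked by, the live services. A `docker stop` of the three containers and a backup of `$(pwd)/sl/db` (or a `pg_dump`) immediately before this command are the two lines missing from this hunk. Dropping the "could take a while to download" sentence is correct now that the image is built locally.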

```bash
Expand All @@ -445,7 +452,7 @@ docker run --rm \
-v $(pwd)/dkim.key:/dkim.key \
-v $(pwd)/dkim.pub.key:/dkim.pub.key \
--network="sl-network" \
simplelogin/app:3.4.0 python init_app.py
simplelogin/app:4.35.2 python init_app.py
```

Now, it's time to run the `webapp` container!
Expand All @@ -461,7 +468,7 @@ docker run -d \
-p 127.0.0.1:7777:7777 \
--restart always \
--network="sl-network" \
simplelogin/app:3.4.0
simplelogin/app:4.35.2
```
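
Review bot: for an existing install, this `docker run -d ... --restart always simplelogin/app:4.35.2` does not replace the 3.4.0 container that the previous README started: that container is still running with the same `-p 127.0.0.1:7777:7777` binding (unchanged in this hunk) and, if it was given a `--name`, the same name, so Docker rejects the new run with a port or name conflict and the old version keeps serving. The procedure needs an explicit `docker stop` and `docker rm` of the previous webapp container before this command (and likewise for the email handler and job runner that follow), or a note that these three run commands are for first-time installs only.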

Next run the `email handler`
Expand All @@ -477,7 +484,7 @@ docker run -d \
-p 127.0.0.1:20381:20381 \
--restart always \
--network="sl-network" \
simplelogin/app:3.4.0 python email_handler.py
simplelogin/app:4.35.2 python email_handler.py
```

And finally the `job runner`
Expand All @@ -492,7 +499,7 @@ docker run -d \
-v $(pwd)/dkim.pub.key:/dkim.pub.key \
--restart always \
--network="sl-network" \
simplelogin/app:3.4.0 python job_runner.py
simplelogin/app:4.35.2 python job_runner.py
```
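
Review bot: `4.35.2` is now hard-coded in each of the five `docker run` commands and in the prose of the build step; at the next release any line missed in the bump leaves one service on a different version from the others (for example the job runner on old code against a schema the migration step has already moved forward). Suggest defining it once at the start of the section (`SL_VERSION=4.35.2`) and using `simplelogin/app:$SL_VERSION` in every command, so the reader changes a single value and the build tag and the run tags cannot drift apart.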

### Nginx