Caddy and Mail in a Box

Installation

Recently I’ve decided to move away from using Vesta CP as my web control panel for my domain, since there hasn’t been any major releases for it in over a year (as of the time of this writing). I also found out that the EC2 instance ran out of disk space, despite me configuring Vesta CP to notify me when this happens. I researched alternative open source control panels and could not find a suitable replacement, so I decided to skip a web control panel all together and configure everything on the box myself. My setup is pretty simple (A WordPress installation, Mail server, and reverse proxy endpoints for my home VPN) so I took the plunge.

Tinc VPN

This was pretty simple, I installed tinc via my package repository and copied over the configuration files from my previous (now defunct) EC2 instance. I configured a systemd service in order to manage the VPN tunnel connection and keep it alive in the background, and the rest is history. Here is my systemd file for tinc:

[Unit] 
Description=Tinc VPN After=network.target 

[Service] 
Type=simple 
WorkingDirectory=/etc/tinc/vpn 
ExecStart=/usr/sbin/tincd -n vpn-D -d3 
ExecReload=/usr/sbin/tincd -n vpn -kHUP 
TimeoutStopSec=5 
Restart=always 
RestartSec=60 

[Install] 
WantedBy=multi-user.target

Mail Server

I have heard good things about Mail-in-a-Box, and wanted to try it. One of the first issues I experience is that it only supports Ubuntu 14.04 and any attempts to use it on a later version causes the script to abort after notifying you that the version is not supported by MIAB. Luckily an Ubuntu 16.04 fork exists that requires you to take a few extra steps in order to get it working, but after that everything ran smoothly. During the installation process, MIAB installs and nginx webserver to be the fronted for managing the installation (adding new users, aliases, webmail access, etc.). It also wipes any pre-existing nginx configuration files and uninstalls apache2, so be wary if you are trying to run this on a box not solely dedicated to email. Once the setup is complete, you can access the following endpoints:

  • Webmail via Roundcube at domain.com/mail
  • Administrative portal via a custom Flask server instance at domain.com/admin
  • Nextcloud instance (for contacts/calendar) at domain.com/cloud/contacts or domain.com/cloud/calendar

It also installs a few other features (DNS resolver, small static site hosting, autodiscover for Outlook/iOS), but more importantly the web endpoints (and nginx) would be clashing with my reverse proxy setup and my intent to use Caddy as a webserver instead.

Caddy

This was new to me, I have been a long time user of nginx and never had any complaints about it. However one of Caddy’s main features is it’s automatic HTTPS. No more dealing with SSL certificates, keys, expiration dates, etc. It was all handled automatically, and was definitely not one of my favorite parts of maintaining a web server. The documentation seemed simple enough, so I decided to migrate from nginx to Caddy as part of my new web server stack. The first issue I had to deal with is nginx and caddy fighting over port 80443. I thought about hosting nginx on a different port and using caddy to reverse proxy traffic to the required nginx port, but ultimately I thought it would be a better learning experience if I rewrote the necessary nginx server blocks into caddy server blocks. I decided to skip over the nextcloud related ones as I would not be actually using the MIAB provided instance of nextcloud, since I run my own instance on my home server. So that leaves roundcube and the administrative panel. After much struggling and consulting the caddy documentation, I was able to successfully access the administrative panel and roundcube using the caddy file below:

mail-time.tpage.io {
      tls user@tpage.io
      gzip

      basicauth / user hunter2

      root /usr/local/lib/roundcubemail/
      fastcgi / /run/php/php7.0-fpm.sock php
}

admin-panel.tpage.io {
      tls user@tpage.io
      gzip

      header / {
            X-Frame-Options "DENY"
            X-Content-Type-Options "nosniff"
            Content-Security-Policy "frame-ancestors 'none';"
            Strict-Transport-Security "max-age=31536000"
      }

      proxy / http://127.0.0.1:10222/ {
            transparent
            websocket
      }
}

Moving forward, I had to setup a WordPress server block for my WordPress installation later on. This time it was pretty easy:

https://www.tpage.io https://tpage.io {
      tls user@tpage.io
      root /var/www/wordpress
      gzip
      fastcgi / /run/php/php7.0-fpm.sock php

      rewrite {
            if {path} not_match ^\/wp-admin
            to {path} {path}/ /index.php?_url={uri}
      }
}

http://www.tpage.io {
      tls user@tpage.io
      redir https://www.tpage.io
}

http://tpage.io {
      tls user@tpage.io
      redir https://tpage.io
}

Note the extra directives for tpage.io and www.tpage.io over HTTP. This is to make Caddy provision/manage TLS certificates for Dovecot/Postfix (which uses the server’s FQDN: tpage.io), instead of Mailinabox. I chose to do it this way because Caddy handles the provisioning of TLS certificates effortlessly and it makes me feel at ease knowing I don’t have to worry about my TLS certificates expiring. Without the extra directives, Caddy doesn’t automatically provision TLS certificates for tpage.io and www.tpage.io, it just redirects them to their HTTPS equivalent.

After configuring the domains and subdomains for automatic TLS certificate provisioning, I then had to modify the TLS certificate paths Dovecot/Postfix use when configured to use TLS (Spoiler: Mailinabox configures them this way). It all came down to editing /etc/dovecot/conf.d/10-ssl.conf and /etc/postfix/main.cf

Then swapping out the TLS/SSL certificate/key paths with the path of where Caddy stores the FQDN (tpage.io) TLS certs, for me this was /etc/ssl/caddy/acme/auto-generated-folder/tpage.io/tpage.io.crt and /etc/ssl/caddy/acme/auto-generated-folder/tpage.io/tpage.io.key

Afterwards I restarted Dovecot/Postfix and everything was golden!

Now for the reverse proxy connections over Tinc VPN. This can be accomplished because web servers bind to 0.0.0.0, which means all interfaces available (including VPN tunnels!). So you can build server blocks that reverse proxy public origin HTTP(S) connections to private web servers via the VPN tunnel. A few sample server blocks for basic services (Plex, HomeAssistant, Nextcloud, etc.) are below:

hass.tpage.io {
      tls user@tpage.io

      proxy / 15.21.5.2:80 {
            websocket
            transparent
      }
}

plex-tv.tpage.io {
      tls user@tpage.io
      gzip
      timeouts none

      proxy / 15.21.5.4:32400 {
            transparent
            websocket
      }
}

nextcloud.tpage.io {
      tls user@tpage.io
      gzip

      proxy / 15.21.5.4:9090 {
            transparent
            websocket
      }
}

guacamole.tpage.io {
      tls user@tpage.io
      gzip

      basicauth / user hunter3

      proxy / 15.21.5.4:8080/guacamole/ {
            transparent
            websocket
      }
}

Wordpress

This part was the easiest, I used cURL to grab the latest package release from WordPress.org and decompressed it into /var/www/. After configuring the rest of my setup, I simply restored my previous WordPress installation with a recent backup and everything just worked! The plugin I use for backup/restores is: All-in-One WP Migration

Edit (3/21/2018): I’ve updated the post to describe how to make Caddy manage/renew the TLS certificates for Dovecot and Postfix

Edit (4/11/2018): Looks like there was a 0-day for Vesta being actively used - https://www.digitalocean.com/community/questions/how-do-i-determine-the-impact-of-vestacp-vulnerability-from-april-8th-2018

Edit (10/27/18): I’ve since migrated away from MIAB to using ProtonMail as my MX server, self-hosting email is too much of a burden for where I’m at in my life right now