The following instructions will take you through installing a locked-down, Docker-driven Mattermost server which uses AD authentication and denies logged-on AD users access to peer-to-peer or group chats, so that all chat is visible to all users.

Why bother? This was a personal requirement to have the chat server but have only 1 Mattermost Team and no private chats.

Install Mattermost


Pre-Requisites

Git, Docker and docker-compose should be installed on the server, and you will need a user who is able to use these tools.

For AD authentication to work an Enterprise 10 licence is needed; a 30-day trial licence (and a bit of sales spam) is available upon request.

Installing Mattermost

git clone https://github.com/mattermost/mattermost-docker.git
cd mattermost-docker
docker-compose build
mkdir -pv ./volumes/app/mattermost/{data,logs,config,plugins,client-plugins}
sudo chown -R 2000:2000 ./volumes/app/mattermost/
docker-compose up -d

The docker-compose network that is created defaults to 172.18.0.0/16. If you need to change the default network, this link provides guidelines on how to do that. If the network has already been created with the default, run the following command to remove it, then run docker-compose up -d again to regenerate the network with the new setting.

docker network rm mattermost-server_mm-test

To verify the current Docker network use the following command to list it (you can access information about the options here):

docker network ls [OPTIONS]

Install with SSL certificate

Put your SSL certificate at ./volumes/web/cert/cert.pem and the private key (without a passphrase) at ./volumes/web/cert/key-no-password.pem. If you don't have them you may generate a self-signed SSL certificate.

Update Mattermost to latest version

First, shut down your containers so you can back up your data.

docker-compose down


Back up your mounted volumes to save your data. If you use the default docker-compose.yml file proposed in this repository, your data is in the ./volumes/ folder.

Then run the following commands.

git pull
docker-compose build
docker-compose up -d

Your Docker image should now be on the latest Mattermost version.

Open firewall Ports

Ports 80/443 TCP will need to be opened on the box running the Docker containers and be reachable from the endpoints.

Port 80 will automatically redirect to 443.

Login

The first time you log in, a local admin user is created. These credentials need to be recorded.

This user has full sysadmin access to all of Mattermost and will function if the AD Connection fails to work.

Teams/Channels

When the first account logs in there is an opportunity to create a new Team. Do this here, because when we add the AD groups they should default into a locked-down team area.

This generates the following block in the config.json file (see below):

"TeamSettings": {
       "SiteName": "Mattermost Locked Down",
       "MaxUsersPerTeam": 500,
       "EnableTeamCreation": false,
       "EnableUserCreation": false,
       "EnableOpenServer": false,
       "EnableUserDeactivation": false,
       "RestrictCreationToDomains": "",
       "EnableCustomBrand": false,
       "CustomBrandText": "",
       "CustomDescriptionText": "Secure team wide communications",
       "RestrictDirectMessage": "any",
       "RestrictTeamInvite": "system_admin",
       "RestrictPublicChannelManagement": "system_admin",
       "RestrictPrivateChannelManagement": "system_admin",
       "RestrictPublicChannelCreation": "system_admin",
       "RestrictPrivateChannelCreation": "system_admin",
       "RestrictPublicChannelDeletion": "system_admin",
       "RestrictPrivateChannelDeletion": "system_admin",
       "RestrictPrivateChannelManageMembers": "system_admin",
       "EnableXToLeaveChannelsFromLHS": false,
       "UserStatusAwayTimeout": 300,
       "MaxChannelsPerTeam": 2000,
       "MaxNotificationsPerChannel": 1000000,
       "EnableConfirmNotificationsToChannel": false,
       "TeammateNameDisplay": "username",
       "ExperimentalViewArchivedChannels": false,
       "ExperimentalEnableAutomaticReplies": false,
       "ExperimentalHideTownSquareinLHS": false,
       "ExperimentalTownSquareIsReadOnly": false,
       "LockTeammateNameDisplay": false,
       "ExperimentalPrimaryTeam": "",
       "ExperimentalDefaultChannels": []
   },

In this config I've changed several options from all to system_admin to restrict the creation, modification and deletion of public or private channels within this team.

Setup AD

The example AD setup for this howto is very simple:

  • The AD Base DN used is Users
  • A security group called mattermost_users has been created
  • Users who will have access to Mattermost using an AD login will be housed within this security group

Mattermost AD/LDAP setup

Using the sysadmin creds from when you first logged into Mattermost, open the System Console

http://192.168.44.123/admin_console/

In the left-hand toolbar open AUTHENTICATION -> AD/LDAP

The following table lists the items that need completing.

Note: the interface suggests that the settings should be surrounded by double quotes, e.g. AD/LDAP Port "389". This is not correct: using double quotes results in no failure, but no data is pulled in from AD.

Item: Setting (Notes)
Enable sign-in with AD/LDAP: true
Enable Synchronization with AD/LDAP: true
AD/LDAP Server: IP or DNS name of the AD server
AD/LDAP Port: 389 or 686
Connection Security: none (in this example; options are none/tls/starttls)
Skip Certificate Verification: false (in test, should be on in prod)
BaseDN: cn=Users,DC=paedave,DC=lan
Bind Username: administrator@paedave.lan (should be a service account which can see the BaseDN group)
Bind Password: password for the above user
User Filter: empty
Guest Filter: empty
Enable Admin Filter: false (this is a policy decision; I've set this to false to make only use of the
Admin Filter: empty
Group Filter: empty
Group Display Name Attribute: cn
Group ID Attribute: objectGUID
First Name Attribute: givenName
Last Name Attribute: sn
Nickname Attribute: empty
Position Attribute: title
Email Attribute: mail
Profile Picture Attribute: empty
Username Attribute: sAMAccountName
ID Attribute: objectGUID
Login ID Attribute: sAMAccountName
Login Field Name: empty
Synchronization Interval (minutes): 10
Maximum Page Size: empty
Query Timeout (seconds): 60

Click on Save.

Once the fields have been completed, click on AD Test at the bottom of the screen.

If the test is successful, apply the sync by clicking AD/LDAP Synchronize Now.

You should see a number of users and groups being scanned.

Linking AD Groups

Where are my imported users?

If you head to SYSTEM CONSOLE -> USER MANAGEMENT -> Users, no users other than the original sysadmin user will be displayed. User accounts are not displayed here until a user logs in using their AD account; when they do log in the account will display as Read Only and should be managed only through AD.

To provide the users with access, the groups need to be linked to Mattermost.

Open SYSTEM CONSOLE -> USER MANAGEMENT -> Groups (Beta)

This will list the groups which were imported by the previous AD/LDAP sync.

Within this list highlight the security group mattermost_users and click Link.

Click on Configure.

Only users who have logged in will be displayed here.

Logging in

Open the Mattermost homepage

http://192.168.44.123

Log in with your creds; the username doesn't need @domain.name or \\domain\ prefixed.

Currently, when logging in the user will be presented with the following

NOTE: need to have users open a default team.

Setting Permissions

Using the webGUI

There are countless places where permissions can be set within the WebGUI. However, as we are locking users to a specific team, we can focus on SYSTEM CONSOLE -> USER MANAGEMENT -> Permissions.

Within here there is the ability to change the default Mattermost scheme or to create a team-specific override.

For the purpose of this guide we have limited AD users to a single team, and as such we can change the System Scheme.

This can be done for Members, Team Admins and System Admins.

The change is applied immediately and does not require a reboot.

Using config.json

Under mattermost-docker/volumes/app/mattermost/config is a file named config.json.

Almost all of the settings for the server are contained here.

Using the following links, we can lock down the experience.

Direct/manual changes to config.json require a server restart.

File Example

{
   "ServiceSettings": {
       "SiteURL": "",
       "WebsocketURL": "",
       "LicenseFileLocation": "",
       "ListenAddress": ":8000",
       "ConnectionSecurity": "",
       "TLSCertFile": "",
       "TLSKeyFile": "",
       "TLSMinVer": "1.2",
       "TLSStrictTransport": false,
       "TLSStrictTransportMaxAge": 63072000,
       "TLSOverwriteCiphers": [],
       "UseLetsEncrypt": false,
       "LetsEncryptCertificateCacheFile": "./config/letsencrypt.cache",
       "Forward80To443": false,
       "TrustedProxyIPHeader": [],
       "ReadTimeout": 300,
       "WriteTimeout": 300,
       "IdleTimeout": 60,
       "MaximumLoginAttempts": 10,
       "GoroutineHealthThreshold": -1,
       "GoogleDeveloperKey": "",
       "EnableOAuthServiceProvider": false,
       "EnableIncomingWebhooks": true,
       "EnableOutgoingWebhooks": true,
       "EnableCommands": true,
       "EnableOnlyAdminIntegrations": true,
       "EnablePostUsernameOverride": false,
       "EnablePostIconOverride": false,
       "EnableLinkPreviews": true,
       "EnableTesting": false,
       "EnableDeveloper": false,
       "EnableOpenTracing": false,
       "EnableSecurityFixAlert": true,
       "EnableInsecureOutgoingConnections": false,
       "AllowedUntrustedInternalConnections": "",
       "EnableMultifactorAuthentication": false,
       "EnforceMultifactorAuthentication": false,
       "EnableUserAccessTokens": false,
       "AllowCorsFrom": "",
       "CorsExposedHeaders": "",
       "CorsAllowCredentials": false,
       "CorsDebug": false,
       "AllowCookiesForSubdomains": false,
       "ExtendSessionLengthWithActivity": true,
       "SessionLengthWebInDays": 30,
       "SessionLengthMobileInDays": 30,
       "SessionLengthSSOInDays": 30,
       "SessionCacheInMinutes": 10,
       "SessionIdleTimeoutInMinutes": 43200,
       "WebsocketSecurePort": 443,
       "WebsocketPort": 80,
       "WebserverMode": "gzip",
       "EnableCustomEmoji": false,
       "EnableEmojiPicker": true,
       "EnableGifPicker": false,
       "GfycatApiKey": "2_KtH_W5",
       "GfycatApiSecret": "3wLVZPiswc3DnaiaFoLkDvB4X0IV6CpMkj4tf2inJRsBY6-FnkT08zGmppWFgeof",
       "RestrictCustomEmojiCreation": "all",
       "RestrictPostDelete": "all",
       "AllowEditPost": "always",
       "PostEditTimeLimit": -1,
       "TimeBetweenUserTypingUpdatesMilliseconds": 5000,
       "EnablePostSearch": true,
       "MinimumHashtagLength": 3,
       "EnableUserTypingMessages": true,
       "EnableChannelViewedMessages": true,
       "EnableUserStatuses": true,
       "ExperimentalEnableAuthenticationTransfer": true,
       "ClusterLogTimeoutMilliseconds": 2000,
       "CloseUnusedDirectMessages": false,
       "EnablePreviewFeatures": true,
       "EnableTutorial": true,
       "ExperimentalEnableDefaultChannelLeaveJoinMessages": true,
       "ExperimentalGroupUnreadChannels": "disabled",
       "ExperimentalChannelOrganization": false,
       "ExperimentalChannelSidebarOrganization": "disabled",
       "ImageProxyType": "",
       "ImageProxyURL": "",
       "ImageProxyOptions": "",
       "EnableAPITeamDeletion": false,
       "ExperimentalEnableHardenedMode": false,
       "DisableLegacyMFA": true,
       "ExperimentalStrictCSRFEnforcement": false,
       "EnableEmailInvitations": false,
       "DisableBotsWhenOwnerIsDeactivated": true,
       "EnableBotAccountCreation": false,
       "EnableSVGs": false,
       "EnableLatex": false,
       "EnableLocalMode": false,
       "LocalModeSocketLocation": "/var/tmp/mattermost_local.socket"
   },
   "TeamSettings": {
       "SiteName": "Mattermost",
       "MaxUsersPerTeam": 50,
       "EnableTeamCreation": true,
       "EnableUserCreation": true,
       "EnableOpenServer": false,
       "EnableUserDeactivation": false,
       "RestrictCreationToDomains": "",
       "EnableCustomBrand": false,
       "CustomBrandText": "",
       "CustomDescriptionText": "",
       "RestrictDirectMessage": "any",
       "RestrictTeamInvite": "all",
       "RestrictPublicChannelManagement": "all",
       "RestrictPrivateChannelManagement": "all",
       "RestrictPublicChannelCreation": "all",
       "RestrictPrivateChannelCreation": "all",
       "RestrictPublicChannelDeletion": "all",
       "RestrictPrivateChannelDeletion": "all",
       "RestrictPrivateChannelManageMembers": "all",
       "EnableXToLeaveChannelsFromLHS": false,
       "UserStatusAwayTimeout": 300,
       "MaxChannelsPerTeam": 2000,
       "MaxNotificationsPerChannel": 1000000,
       "EnableConfirmNotificationsToChannel": true,
       "TeammateNameDisplay": "username",
       "ExperimentalViewArchivedChannels": false,
       "ExperimentalEnableAutomaticReplies": false,
       "ExperimentalHideTownSquareinLHS": false,
       "ExperimentalTownSquareIsReadOnly": false,
       "LockTeammateNameDisplay": false,
       "ExperimentalPrimaryTeam": "",
       "ExperimentalDefaultChannels": []
   },
   "ClientRequirements": {
       "AndroidLatestVersion": "",
       "AndroidMinVersion": "",
       "DesktopLatestVersion": "",
       "DesktopMinVersion": "",
       "IosLatestVersion": "",
       "IosMinVersion": ""
   },
   "SqlSettings": {
       "DriverName": "postgres",
       "DataSource": "mmuser:mostest@tcp(localhost:3306)/mattermost_test?charset=utf8mb4,utf8\u0026readTimeout=30s\u0026writeTimeout=30s",
       "DataSourceReplicas": [],
       "DataSourceSearchReplicas": [],
       "MaxIdleConns": 20,
       "ConnMaxLifetimeMilliseconds": 3600000,
       "MaxOpenConns": 300,
       "Trace": false,
       "AtRestEncryptKey": "fUsVDiWtzvDR4uALIQi2S8bohBK1Ev5MO6xknX8b319u1VB3",
       "QueryTimeout": 30,
       "DisableDatabaseSearch": false
   },
   "LogSettings": {
       "EnableConsole": true,
       "ConsoleLevel": "ERROR",
       "ConsoleJson": true,
       "EnableFile": true,
       "FileLevel": "INFO",
       "FileJson": true,
       "FileLocation": "",
       "EnableWebhookDebugging": true,
       "EnableDiagnostics": true
   },
   "ExperimentalAuditSettings": {
       "SysLogEnabled": false,
       "SysLogIP": "localhost",
       "SysLogPort": 6514,
       "SysLogTag": "",
       "SysLogCert": "",
       "SysLogInsecure": false,
       "SysLogMaxQueueSize": 1000,
       "FileEnabled": false,
       "FileName": "",
       "FileMaxSizeMB": 100,
       "FileMaxAgeDays": 0,
       "FileMaxBackups": 0,
       "FileCompress": false,
       "FileMaxQueueSize": 1000
   },
   "NotificationLogSettings": {
       "EnableConsole": true,
       "ConsoleLevel": "INFO",
       "ConsoleJson": true,
       "EnableFile": true,
       "FileLevel": "INFO",
       "FileJson": true,
       "FileLocation": ""
   },
   "PasswordSettings": {
       "MinimumLength": 10,
       "Lowercase": true,
       "Number": true,
       "Uppercase": true,
       "Symbol": true
   },
   "FileSettings": {
       "EnableFileAttachments": true,
       "EnableMobileUpload": true,
       "EnableMobileDownload": true,
       "MaxFileSize": 52428800,
       "DriverName": "local",
       "Directory": "/mattermost/data/",
       "EnablePublicLink": true,
       "PublicLinkSalt": "65iDJgeXUIwRr4ZK9l9QiYUkG6d7fATEO4HhW5aeOKVIoK1v",
       "InitialFont": "nunito-bold.ttf",
       "AmazonS3AccessKeyId": "",
       "AmazonS3SecretAccessKey": "",
       "AmazonS3Bucket": "",
       "AmazonS3Region": "",
       "AmazonS3Endpoint": "s3.amazonaws.com",
       "AmazonS3SSL": true,
       "AmazonS3SignV2": false,
       "AmazonS3SSE": false,
       "AmazonS3Trace": false
   },
   "EmailSettings": {
       "EnableSignUpWithEmail": true,
       "EnableSignInWithEmail": true,
       "EnableSignInWithUsername": true,
       "SendEmailNotifications": false,
       "UseChannelInEmailNotifications": false,
       "RequireEmailVerification": false,
       "FeedbackName": "",
       "FeedbackEmail": "",
       "ReplyToAddress": "",
       "FeedbackOrganization": "",
       "EnableSMTPAuth": false,
       "SMTPUsername": "",
       "SMTPPassword": "",
       "SMTPServer": "localhost",
       "SMTPPort": "10025",
       "SMTPServerTimeout": 10,
       "ConnectionSecurity": "",
       "SendPushNotifications": true,
       "PushNotificationServer": "https://push-test.mattermost.com",
       "PushNotificationContents": "full",
       "EnableEmailBatching": false,
       "EmailBatchingBufferSize": 256,
       "EmailBatchingInterval": 30,
       "EnablePreviewModeBanner": true,
       "SkipServerCertificateVerification": false,
       "EmailNotificationContentsType": "full",
       "LoginButtonColor": "#0000",
       "LoginButtonBorderColor": "#2389D7",
       "LoginButtonTextColor": "#2389D7"
   },
   "RateLimitSettings": {
       "Enable": true,
       "PerSec": 10,
       "MaxBurst": 100,
       "MemoryStoreSize": 10000,
       "VaryByRemoteAddr": true,
       "VaryByUser": false,
       "VaryByHeader": ""
   },
   "PrivacySettings": {
       "ShowEmailAddress": true,
       "ShowFullName": true
   },
   "SupportSettings": {
       "TermsOfServiceLink": "https://about.mattermost.com/default-terms/",
       "PrivacyPolicyLink": "https://about.mattermost.com/default-privacy-policy/",
       "AboutLink": "https://about.mattermost.com/default-about/",
       "HelpLink": "https://about.mattermost.com/default-help/",
       "ReportAProblemLink": "https://about.mattermost.com/default-report-a-problem/",
       "SupportEmail": "feedback@mattermost.com",
       "CustomTermsOfServiceEnabled": false,
       "CustomTermsOfServiceReAcceptancePeriod": 365
   },
   "AnnouncementSettings": {
       "EnableBanner": false,
       "BannerText": "",
       "BannerColor": "#f2a93b",
       "BannerTextColor": "#333333",
       "AllowBannerDismissal": true
   },
   "ThemeSettings": {
       "EnableThemeSelection": true,
       "DefaultTheme": "default",
       "AllowCustomThemes": true,
       "AllowedThemes": []
   },
   "GitLabSettings": {
       "Enable": false,
       "Secret": "",
       "Id": "",
       "Scope": "",
       "AuthEndpoint": "",
       "TokenEndpoint": "",
       "UserApiEndpoint": ""
   },
   "GoogleSettings": {
       "Enable": false,
       "Secret": "",
       "Id": "",
       "Scope": "profile email",
       "AuthEndpoint": "https://accounts.google.com/o/oauth2/v2/auth",
       "TokenEndpoint": "https://www.googleapis.com/oauth2/v4/token",
       "UserApiEndpoint": "https://people.googleapis.com/v1/people/me?personFields=names,emailAddresses,nicknames,metadata"
   },
   "Office365Settings": {
       "Enable": false,
       "Secret": "",
       "Id": "",
       "Scope": "User.Read",
       "AuthEndpoint": "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
       "TokenEndpoint": "https://login.microsoftonline.com/common/oauth2/v2.0/token",
       "UserApiEndpoint": "https://graph.microsoft.com/v1.0/me",
       "DirectoryId": ""
   },
   "LdapSettings": {
       "Enable": true,
       "EnableSync": true,
       "LdapServer": "192.168.86.20",
       "LdapPort": 389,
       "ConnectionSecurity": "",
       "BaseDN": "cn=Users,DC=paedave,DC=lan",
       "BindUsername": "administrator@paedave.lan",
       "BindPassword": "J3d!kn!ght",
       "UserFilter": "",
       "GroupFilter": "",
       "GuestFilter": "",
       "EnableAdminFilter": false,
       "AdminFilter": "",
       "GroupDisplayNameAttribute": "cn",
       "GroupIdAttribute": "objectGUID",
       "FirstNameAttribute": "givenName",
       "LastNameAttribute": "sn",
       "EmailAttribute": "mail",
       "UsernameAttribute": "sAMAccountName",
       "NicknameAttribute": "",
       "IdAttribute": "objectGUID",
       "PositionAttribute": "title",
       "LoginIdAttribute": "sAMAccountName",
       "PictureAttribute": "",
       "SyncIntervalMinutes": 60,
       "SkipCertificateVerification": false,
       "QueryTimeout": 60,
       "MaxPageSize": 0,
       "LoginFieldName": "",
       "LoginButtonColor": "#0000",
       "LoginButtonBorderColor": "#2389D7",
       "LoginButtonTextColor": "#2389D7",
       "Trace": false
   },
   "ComplianceSettings": {
       "Enable": false,
       "Directory": "./data/",
       "EnableDaily": false
   },
   "LocalizationSettings": {
       "DefaultServerLocale": "en",
       "DefaultClientLocale": "en",
       "AvailableLocales": ""
   },
   "SamlSettings": {
       "Enable": false,
       "EnableSyncWithLdap": false,
       "EnableSyncWithLdapIncludeAuth": false,
       "Verify": true,
       "Encrypt": true,
       "SignRequest": false,
       "IdpUrl": "",
       "IdpDescriptorUrl": "",
       "IdpMetadataUrl": "",
       "AssertionConsumerServiceURL": "",
       "SignatureAlgorithm": "RSAwithSHA1",
       "CanonicalAlgorithm": "Canonical1.0",
       "ScopingIDPProviderId": "",
       "ScopingIDPName": "",
       "IdpCertificateFile": "",
       "PublicCertificateFile": "",
       "PrivateKeyFile": "",
       "IdAttribute": "",
       "GuestAttribute": "",
       "EnableAdminAttribute": false,
       "AdminAttribute": "",
       "FirstNameAttribute": "",
       "LastNameAttribute": "",
       "EmailAttribute": "",
       "UsernameAttribute": "",
       "NicknameAttribute": "",
       "LocaleAttribute": "",
       "PositionAttribute": "",
       "LoginButtonText": "SAML",
       "LoginButtonColor": "#34a28b",
       "LoginButtonBorderColor": "#2389D7",
       "LoginButtonTextColor": "#ffffff"
   },
   "NativeAppSettings": {
       "AppDownloadLink": "https://mattermost.com/download/#mattermostApps",
       "AndroidAppDownloadLink": "https://about.mattermost.com/mattermost-android-app/",
       "IosAppDownloadLink": "https://about.mattermost.com/mattermost-ios-app/"
   },
   "ClusterSettings": {
       "Enable": false,
       "ClusterName": "",
       "OverrideHostname": "",
       "NetworkInterface": "",
       "BindAddress": "",
       "AdvertiseAddress": "",
       "UseIpAddress": true,
       "UseExperimentalGossip": false,
       "ReadOnlyConfig": true,
       "GossipPort": 8074,
       "StreamingPort": 8075,
       "MaxIdleConns": 100,
       "MaxIdleConnsPerHost": 128,
       "IdleConnTimeoutMilliseconds": 90000
   },
   "MetricsSettings": {
       "Enable": false,
       "BlockProfileRate": 0,
       "ListenAddress": ":8067"
   },
   "ExperimentalSettings": {
       "ClientSideCertEnable": false,
       "ClientSideCertCheck": "secondary",
       "EnableClickToReply": false,
       "LinkMetadataTimeoutMilliseconds": 5000,
       "RestrictSystemAdmin": false,
       "UseNewSAMLLibrary": false
   },
   "AnalyticsSettings": {
       "MaxUsersForStatistics": 2500
   },
   "ElasticsearchSettings": {
       "ConnectionUrl": "http://localhost:9200",
       "Username": "elastic",
       "Password": "changeme",
       "EnableIndexing": false,
       "EnableSearching": false,
       "EnableAutocomplete": false,
       "Sniff": true,
       "PostIndexReplicas": 1,
       "PostIndexShards": 1,
       "ChannelIndexReplicas": 1,
       "ChannelIndexShards": 1,
       "UserIndexReplicas": 1,
       "UserIndexShards": 1,
       "AggregatePostsAfterDays": 365,
       "PostsAggregatorJobStartTime": "03:00",
       "IndexPrefix": "",
       "LiveIndexingBatchSize": 1,
       "BulkIndexingTimeWindowSeconds": 3600,
       "RequestTimeoutSeconds": 30,
       "SkipTLSVerification": false,
       "Trace": ""
   },
   "BleveSettings": {
       "IndexDir": "",
       "EnableIndexing": false,
       "EnableSearching": false,
       "EnableAutocomplete": false,
       "BulkIndexingTimeWindowSeconds": 3600
   },
   "DataRetentionSettings": {
       "EnableMessageDeletion": false,
       "EnableFileDeletion": false,
       "MessageRetentionDays": 365,
       "FileRetentionDays": 365,
       "DeletionJobStartTime": "02:00"
   },
   "MessageExportSettings": {
       "EnableExport": false,
       "ExportFormat": "actiance",
       "DailyRunTime": "01:00",
       "ExportFromTimestamp": 0,
       "BatchSize": 10000,
       "GlobalRelaySettings": {
           "CustomerType": "A9",
           "SmtpUsername": "",
           "SmtpPassword": "",
           "EmailAddress": ""
       }
   },
   "JobSettings": {
       "RunJobs": true,
       "RunScheduler": true
   },
   "PluginSettings": {
       "Enable": true,
       "EnableUploads": false,
       "AllowInsecureDownloadUrl": false,
       "EnableHealthCheck": true,
       "Directory": "/mattermost/plugins/",
       "ClientDirectory": "./client/plugins",
       "Plugins": {},
       "PluginStates": {
           "com.mattermost.nps": {
               "Enable": true
           }
       },
       "EnableMarketplace": true,
       "EnableRemoteMarketplace": true,
       "AutomaticPrepackagedPlugins": true,
       "RequirePluginSignature": false,
       "MarketplaceUrl": "https://api.integrations.mattermost.com",
       "SignaturePublicKeyFiles": []
   },
   "DisplaySettings": {
       "CustomUrlSchemes": [],
       "ExperimentalTimezone": false
   },
   "GuestAccountsSettings": {
       "Enable": false,
       "AllowEmailAccounts": true,
       "EnforceMultifactorAuthentication": false,
       "RestrictCreationToDomains": ""
   },
   "ImageProxySettings": {
       "Enable": false,
       "ImageProxyType": "local",
       "RemoteImageProxyURL": "",
       "RemoteImageProxyOptions": ""
   }
}


Having gone through most of the config settings in the GUI, locking down options like file upload, creation of private messaging areas, public links, enabling logging, compliance audits and email, I've ended up with this modified config.json.

We can diff these.
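As an added example (not code from the original page or from Mattermost), the Python below flattens two config.json documents into dotted paths, lists every setting that differs, and then checks a file against the lockdown values this guide settles on. The embedded config excerpts are constructed from the two files shown here and cover only the keys the checks use; LOCKDOWN_POLICY is my own selection from the modified file, not a Mattermost-supplied baseline.

```python
import json
from typing import Any, Dict, List, Tuple

# Constructed excerpts of the two config.json files shown on this page (the
# Mattermost default and the locked-down version). Only the keys the checks
# below look at are included; they are illustrations, not the full files.
DEFAULT_CONFIG: Dict[str, Any] = json.loads("""{
  "ServiceSettings": {"EnableIncomingWebhooks": true, "EnableOutgoingWebhooks": true,
                      "EnableCommands": true, "SessionLengthWebInDays": 30},
  "TeamSettings": {"EnableTeamCreation": true, "EnableUserCreation": true,
                   "RestrictTeamInvite": "all", "RestrictPublicChannelCreation": "all"},
  "FileSettings": {"EnableFileAttachments": true, "EnablePublicLink": true},
  "EmailSettings": {"EnableSignUpWithEmail": true, "EnableSignInWithEmail": true},
  "LdapSettings": {"Enable": true, "LdapPort": 389, "ConnectionSecurity": "",
                   "SkipCertificateVerification": false}
}""")

LOCKED_CONFIG: Dict[str, Any] = json.loads("""{
  "ServiceSettings": {"EnableIncomingWebhooks": false, "EnableOutgoingWebhooks": false,
                      "EnableCommands": false, "SessionLengthWebInDays": 1},
  "TeamSettings": {"EnableTeamCreation": false, "EnableUserCreation": false,
                   "RestrictTeamInvite": "system_admin",
                   "RestrictPublicChannelCreation": "system_admin"},
  "FileSettings": {"EnableFileAttachments": false, "EnablePublicLink": false},
  "EmailSettings": {"EnableSignUpWithEmail": false, "EnableSignInWithEmail": false},
  "LdapSettings": {"Enable": true, "LdapPort": 389, "ConnectionSecurity": "",
                   "SkipCertificateVerification": false}
}""")

# Values the locked-down server is expected to carry, taken from the modified
# config.json on this page (my selection, not a Mattermost-supplied baseline).
# Keys are dotted paths into the JSON document.
LOCKDOWN_POLICY: Dict[str, Any] = {
    "ServiceSettings.EnableIncomingWebhooks": False,
    "ServiceSettings.EnableOutgoingWebhooks": False,
    "ServiceSettings.EnableCommands": False,
    "TeamSettings.EnableTeamCreation": False,
    "TeamSettings.EnableUserCreation": False,
    "TeamSettings.RestrictTeamInvite": "system_admin",
    "TeamSettings.RestrictPublicChannelCreation": "system_admin",
    "FileSettings.EnableFileAttachments": False,
    "FileSettings.EnablePublicLink": False,
    "EmailSettings.EnableSignUpWithEmail": False,
    "EmailSettings.EnableSignInWithEmail": False,
    "LdapSettings.Enable": True,
    "LdapSettings.SkipCertificateVerification": False,
}


def flatten(obj: Any, prefix: str = "") -> Dict[str, Any]:
    """Flatten nested JSON objects into {"Section.Key": value}.

    Lists are treated as leaf values; empty objects contribute nothing.
    """
    if not isinstance(obj, dict):
        return {prefix: obj}
    flat: Dict[str, Any] = {}
    for key, value in obj.items():
        path = f"{prefix}.{key}" if prefix else key
        flat.update(flatten(value, path))
    return flat


def diff_configs(old: Dict[str, Any], new: Dict[str, Any]) -> List[Tuple[str, Any, Any]]:
    """Return (path, old_value, new_value) for every setting that differs, sorted by path."""
    a, b = flatten(old), flatten(new)
    return sorted((p, a.get(p), b.get(p)) for p in set(a) | set(b) if a.get(p) != b.get(p))


def check_lockdown(cfg: Dict[str, Any]) -> List[str]:
    """Report settings that deviate from LOCKDOWN_POLICY, plus two AD/LDAP pitfalls."""
    flat = flatten(cfg)
    findings = [f"{path}: expected {expected!r}, found {flat.get(path)!r}"
                for path, expected in LOCKDOWN_POLICY.items() if flat.get(path) != expected]
    port = flat.get("LdapSettings.LdapPort")
    # The System Console hint suggests quoting values; a quoted port is a string,
    # not a number, and the note above says quoted settings pull no data from AD.
    if isinstance(port, bool) or not isinstance(port, int):
        findings.append(f"LdapSettings.LdapPort: must be a number, found {port!r}")
    # Empty ConnectionSecurity (the "none" used in this example) binds over plain LDAP.
    if flat.get("LdapSettings.ConnectionSecurity", "") == "":
        findings.append("LdapSettings.ConnectionSecurity: empty, bind credentials travel in clear text")
    return findings


if __name__ == "__main__":
    for path, before, after in diff_configs(DEFAULT_CONFIG, LOCKED_CONFIG):
        print(f"{path}: {before!r} -> {after!r}")
    for finding in check_lockdown(LOCKED_CONFIG):
        print("FINDING:", finding)
```

To run the same report on the real files, json.load the backed-up and edited copies of ./volumes/app/mattermost/config/config.json and pass them to diff_configs and check_lockdown in place of the excerpts.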

{
   "ServiceSettings": {
       "SiteURL": "",
       "WebsocketURL": "",
       "LicenseFileLocation": "",
       "ListenAddress": ":8000",
       "ConnectionSecurity": "",
       "TLSCertFile": "",
       "TLSKeyFile": "",
       "TLSMinVer": "1.2",
       "TLSStrictTransport": false,
       "TLSStrictTransportMaxAge": 63072000,
       "TLSOverwriteCiphers": [],
       "UseLetsEncrypt": false,
       "LetsEncryptCertificateCacheFile": "./config/letsencrypt.cache",
       "Forward80To443": false,
       "TrustedProxyIPHeader": [],
       "ReadTimeout": 300,
       "WriteTimeout": 300,
       "IdleTimeout": 60,
       "MaximumLoginAttempts": 10,
       "GoroutineHealthThreshold": -1,
       "GoogleDeveloperKey": "",
       "EnableOAuthServiceProvider": false,
       "EnableIncomingWebhooks": false,
       "EnableOutgoingWebhooks": false,
       "EnableCommands": false,
       "EnableOnlyAdminIntegrations": true,
       "EnablePostUsernameOverride": false,
       "EnablePostIconOverride": false,
       "EnableLinkPreviews": true,
       "EnableTesting": false,
       "EnableDeveloper": false,
       "EnableOpenTracing": false,
       "EnableSecurityFixAlert": true,
       "EnableInsecureOutgoingConnections": false,
       "AllowedUntrustedInternalConnections": "",
       "EnableMultifactorAuthentication": false,
       "EnforceMultifactorAuthentication": false,
       "EnableUserAccessTokens": false,
       "AllowCorsFrom": "",
       "CorsExposedHeaders": "",
       "CorsAllowCredentials": false,
       "CorsDebug": false,
       "AllowCookiesForSubdomains": false,
       "ExtendSessionLengthWithActivity": true,
       "SessionLengthWebInDays": 1,
       "SessionLengthMobileInDays": 30,
       "SessionLengthSSOInDays": 30,
       "SessionCacheInMinutes": 10,
       "SessionIdleTimeoutInMinutes": 43200,
       "WebsocketSecurePort": 443,
       "WebsocketPort": 80,
       "WebserverMode": "gzip",
       "EnableCustomEmoji": false,
       "EnableEmojiPicker": false,
       "EnableGifPicker": false,
       "GfycatApiKey": "2_KtH_W5",
       "GfycatApiSecret": "3wLVZPiswc3DnaiaFoLkDvB4X0IV6CpMkj4tf2inJRsBY6-FnkT08zGmppWFgeof",
       "RestrictCustomEmojiCreation": "all",
       "RestrictPostDelete": "all",
       "AllowEditPost": "always",
       "PostEditTimeLimit": -1,
       "TimeBetweenUserTypingUpdatesMilliseconds": 5000,
       "EnablePostSearch": true,
       "MinimumHashtagLength": 3,
       "EnableUserTypingMessages": true,
       "EnableChannelViewedMessages": true,
       "EnableUserStatuses": true,
       "ExperimentalEnableAuthenticationTransfer": true,
       "ClusterLogTimeoutMilliseconds": 2000,
       "CloseUnusedDirectMessages": false,
       "EnablePreviewFeatures": true,
       "EnableTutorial": true,
       "ExperimentalEnableDefaultChannelLeaveJoinMessages": true,
       "ExperimentalGroupUnreadChannels": "disabled",
       "ExperimentalChannelOrganization": false,
       "ExperimentalChannelSidebarOrganization": "disabled",
       "ImageProxyType": "",
       "ImageProxyURL": "",
       "ImageProxyOptions": "",
       "EnableAPITeamDeletion": false,
       "ExperimentalEnableHardenedMode": false,
       "DisableLegacyMFA": true,
       "ExperimentalStrictCSRFEnforcement": false,
       "EnableEmailInvitations": false,
       "DisableBotsWhenOwnerIsDeactivated": true,
       "EnableBotAccountCreation": false,
       "EnableSVGs": false,
       "EnableLatex": false,
       "EnableLocalMode": false,
       "LocalModeSocketLocation": "/var/tmp/mattermost_local.socket"
   },
   "TeamSettings": {
       "SiteName": "Mattermost Locked Down",
       "MaxUsersPerTeam": 500,
       "EnableTeamCreation": false,
       "EnableUserCreation": false,
       "EnableOpenServer": false,
       "EnableUserDeactivation": false,
       "RestrictCreationToDomains": "",
       "EnableCustomBrand": false,
       "CustomBrandText": "",
       "CustomDescriptionText": "Secure team wide communications",
       "RestrictDirectMessage": "any",
       "RestrictTeamInvite": "system_admin",
       "RestrictPublicChannelManagement": "system_admin",
       "RestrictPrivateChannelManagement": "system_admin",
       "RestrictPublicChannelCreation": "system_admin",
       "RestrictPrivateChannelCreation": "system_admin",
       "RestrictPublicChannelDeletion": "system_admin",
       "RestrictPrivateChannelDeletion": "system_admin",
       "RestrictPrivateChannelManageMembers": "system_admin",
       "EnableXToLeaveChannelsFromLHS": false,
       "UserStatusAwayTimeout": 300,
       "MaxChannelsPerTeam": 2000,
       "MaxNotificationsPerChannel": 1000000,
       "EnableConfirmNotificationsToChannel": false,
       "TeammateNameDisplay": "username",
       "ExperimentalViewArchivedChannels": false,
       "ExperimentalEnableAutomaticReplies": false,
       "ExperimentalHideTownSquareinLHS": false,
       "ExperimentalTownSquareIsReadOnly": false,
       "LockTeammateNameDisplay": false,
       "ExperimentalPrimaryTeam": "",
       "ExperimentalDefaultChannels": []
   },
   "ClientRequirements": {
       "AndroidLatestVersion": "",
       "AndroidMinVersion": "",
       "DesktopLatestVersion": "",
       "DesktopMinVersion": "",
       "IosLatestVersion": "",
       "IosMinVersion": ""
   },
   "SqlSettings": {
       "DriverName": "postgres",
       "DataSource": "mmuser:mostest@tcp(localhost:3306)/mattermost_test?charset=utf8mb4,utf8\u0026readTimeout=30s\u0026writeTimeout=30s",
       "DataSourceReplicas": [],
       "DataSourceSearchReplicas": [],
       "MaxIdleConns": 20,
       "ConnMaxLifetimeMilliseconds": 3600000,
       "MaxOpenConns": 300,
       "Trace": false,
       "AtRestEncryptKey": "fUsVDiWtzvDR4uALIQi2S8bohBK1Ev5MO6xknX8b319u1VB3",
       "QueryTimeout": 30,
       "DisableDatabaseSearch": false
   },
   "LogSettings": {
       "EnableConsole": true,
       "ConsoleLevel": "ERROR",
       "ConsoleJson": true,
       "EnableFile": true,
       "FileLevel": "INFO",
       "FileJson": false,
       "FileLocation": "",
       "EnableWebhookDebugging": false,
       "EnableDiagnostics": false
   },
   "ExperimentalAuditSettings": {
       "SysLogEnabled": false,
       "SysLogIP": "localhost",
       "SysLogPort": 6514,
       "SysLogTag": "",
       "SysLogCert": "",
       "SysLogInsecure": false,
       "SysLogMaxQueueSize": 1000,
       "FileEnabled": false,
       "FileName": "",
       "FileMaxSizeMB": 100,
       "FileMaxAgeDays": 0,
       "FileMaxBackups": 0,
       "FileCompress": false,
       "FileMaxQueueSize": 1000
   },
   "NotificationLogSettings": {
       "EnableConsole": true,
       "ConsoleLevel": "INFO",
       "ConsoleJson": true,
       "EnableFile": true,
       "FileLevel": "INFO",
       "FileJson": true,
       "FileLocation": ""
   },
   "PasswordSettings": {
       "MinimumLength": 10,
       "Lowercase": true,
       "Number": true,
       "Uppercase": true,
       "Symbol": true
   },
   "FileSettings": {
       "EnableFileAttachments": false,
       "EnableMobileUpload": false,
       "EnableMobileDownload": false,
       "MaxFileSize": 52428800,
       "DriverName": "local",
       "Directory": "/mattermost/data/",
       "EnablePublicLink": false,
       "PublicLinkSalt": "65iDJgeXUIwRr4ZK9l9QiYUkG6d7fATEO4HhW5aeOKVIoK1v",
       "InitialFont": "nunito-bold.ttf",
       "AmazonS3AccessKeyId": "",
       "AmazonS3SecretAccessKey": "",
       "AmazonS3Bucket": "",
       "AmazonS3Region": "",
       "AmazonS3Endpoint": "s3.amazonaws.com",
       "AmazonS3SSL": true,
       "AmazonS3SignV2": false,
       "AmazonS3SSE": false,
       "AmazonS3Trace": false
   },
   "EmailSettings": {
       "EnableSignUpWithEmail": false,
       "EnableSignInWithEmail": false,
       "EnableSignInWithUsername": false,
       "SendEmailNotifications": false,
       "UseChannelInEmailNotifications": false,
       "RequireEmailVerification": false,
       "FeedbackName": "",
       "FeedbackEmail": "",
       "ReplyToAddress": "",
       "FeedbackOrganization": "",
       "EnableSMTPAuth": false,
       "SMTPUsername": "",
       "SMTPPassword": "",
       "SMTPServer": "192.168.86.92",
       "SMTPPort": "25",
       "SMTPServerTimeout": 10,
       "ConnectionSecurity": "",
       "SendPushNotifications": false,
       "PushNotificationServer": "https://push-test.mattermost.com",
       "PushNotificationContents": "full",
       "EnableEmailBatching": false,
       "EmailBatchingBufferSize": 256,
       "EmailBatchingInterval": 30,
       "EnablePreviewModeBanner": true,
       "SkipServerCertificateVerification": true,
       "EmailNotificationContentsType": "full",
       "LoginButtonColor": "#0000",
       "LoginButtonBorderColor": "#2389D7",
       "LoginButtonTextColor": "#2389D7"
   },
   "RateLimitSettings": {
       "Enable": true,
       "PerSec": 10,
       "MaxBurst": 100,
       "MemoryStoreSize": 10000,
       "VaryByRemoteAddr": true,
       "VaryByUser": false,
       "VaryByHeader": ""
   },
   "PrivacySettings": {
       "ShowEmailAddress": true,
       "ShowFullName": true
   },
   "SupportSettings": {
       "TermsOfServiceLink": "https://about.mattermost.com/default-terms/",
       "PrivacyPolicyLink": "",
       "AboutLink": "",
       "HelpLink": "",
       "ReportAProblemLink": "",
       "SupportEmail": "",
       "CustomTermsOfServiceEnabled": false,
       "CustomTermsOfServiceReAcceptancePeriod": 365
   },
   "AnnouncementSettings": {
       "EnableBanner": true,
        "BannerText": "You are entering a restricted space, all messages posted here are public and monitored, logs are collected and audited.",
       "BannerColor": "#f2a93b",
       "BannerTextColor": "#333333",
       "AllowBannerDismissal": false
   },
   "ThemeSettings": {
       "EnableThemeSelection": true,
       "DefaultTheme": "default",
       "AllowCustomThemes": true,
       "AllowedThemes": []
   },
   "GitLabSettings": {
       "Enable": false,
       "Secret": "",
       "Id": "",
       "Scope": "",
       "AuthEndpoint": "",
       "TokenEndpoint": "",
       "UserApiEndpoint": ""
   },
   "GoogleSettings": {
       "Enable": false,
       "Secret": "",
       "Id": "",
       "Scope": "profile email",
       "AuthEndpoint": "https://accounts.google.com/o/oauth2/v2/auth",
       "TokenEndpoint": "https://www.googleapis.com/oauth2/v4/token",
       "UserApiEndpoint": "https://people.googleapis.com/v1/people/me?personFields=names,emailAddresses,nicknames,metadata"
   },
   "Office365Settings": {
       "Enable": false,
       "Secret": "",
       "Id": "",
       "Scope": "User.Read",
       "AuthEndpoint": "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
       "TokenEndpoint": "https://login.microsoftonline.com/common/oauth2/v2.0/token",
       "UserApiEndpoint": "https://graph.microsoft.com/v1.0/me",
       "DirectoryId": ""
   },
   "LdapSettings": {
       "Enable": true,
       "EnableSync": true,
       "LdapServer": "192.168.86.20",
       "LdapPort": 389,
       "ConnectionSecurity": "",
       "BaseDN": "cn=Users,DC=paedave,DC=lan",
       "BindUsername": "administrator@paedave.lan",
       "BindPassword": "J3d!kn!ght",
       "UserFilter": "",
       "GroupFilter": "",
       "GuestFilter": "",
       "EnableAdminFilter": false,
       "AdminFilter": "",
       "GroupDisplayNameAttribute": "cn",
       "GroupIdAttribute": "objectGUID",
       "FirstNameAttribute": "givenName",
       "LastNameAttribute": "sn",
       "EmailAttribute": "mail",
       "UsernameAttribute": "sAMAccountName",
       "NicknameAttribute": "",
       "IdAttribute": "objectGUID",
       "PositionAttribute": "title",
       "LoginIdAttribute": "sAMAccountName",
       "PictureAttribute": "",
       "SyncIntervalMinutes": 60,
       "SkipCertificateVerification": false,
       "QueryTimeout": 60,
       "MaxPageSize": 0,
       "LoginFieldName": "",
       "LoginButtonColor": "#0000",
       "LoginButtonBorderColor": "#2389D7",
       "LoginButtonTextColor": "#2389D7",
       "Trace": false
   },
   "ComplianceSettings": {
       "Enable": true,
       "Directory": "./data/",
       "EnableDaily": false
   },
   "LocalizationSettings": {
       "DefaultServerLocale": "en",
       "DefaultClientLocale": "en",
       "AvailableLocales": "en"
   },
   "SamlSettings": {
       "Enable": false,
       "EnableSyncWithLdap": false,
       "EnableSyncWithLdapIncludeAuth": false,
       "Verify": true,
       "Encrypt": true,
       "SignRequest": false,
       "IdpUrl": "",
       "IdpDescriptorUrl": "",
       "IdpMetadataUrl": "",
       "AssertionConsumerServiceURL": "",
       "SignatureAlgorithm": "RSAwithSHA1",
       "CanonicalAlgorithm": "Canonical1.0",
       "ScopingIDPProviderId": "",
       "ScopingIDPName": "",
       "IdpCertificateFile": "",
       "PublicCertificateFile": "",
       "PrivateKeyFile": "",
       "IdAttribute": "",
       "GuestAttribute": "",
       "EnableAdminAttribute": false,
       "AdminAttribute": "",
       "FirstNameAttribute": "",
       "LastNameAttribute": "",
       "EmailAttribute": "",
       "UsernameAttribute": "",
       "NicknameAttribute": "",
       "LocaleAttribute": "",
       "PositionAttribute": "",
       "LoginButtonText": "SAML",
       "LoginButtonColor": "#34a28b",
       "LoginButtonBorderColor": "#2389D7",
       "LoginButtonTextColor": "#ffffff"
   },
   "NativeAppSettings": {
       "AppDownloadLink": "",
       "AndroidAppDownloadLink": "",
       "IosAppDownloadLink": ""
   },
   "ClusterSettings": {
       "Enable": false,
       "ClusterName": "",
       "OverrideHostname": "",
       "NetworkInterface": "",
       "BindAddress": "",
       "AdvertiseAddress": "",
       "UseIpAddress": true,
       "UseExperimentalGossip": false,
       "ReadOnlyConfig": true,
       "GossipPort": 8074,
       "StreamingPort": 8075,
       "MaxIdleConns": 100,
       "MaxIdleConnsPerHost": 128,
       "IdleConnTimeoutMilliseconds": 90000
   },
   "MetricsSettings": {
       "Enable": false,
       "BlockProfileRate": 0,
       "ListenAddress": ":8067"
   },
   "ExperimentalSettings": {
       "ClientSideCertEnable": false,
       "ClientSideCertCheck": "secondary",
       "EnableClickToReply": false,
       "LinkMetadataTimeoutMilliseconds": 5000,
       "RestrictSystemAdmin": false,
       "UseNewSAMLLibrary": false
   },
   "AnalyticsSettings": {
       "MaxUsersForStatistics": 2500
   },
   "ElasticsearchSettings": {
       "ConnectionUrl": "http://localhost:9200",
       "Username": "elastic",
       "Password": "changeme",
       "EnableIndexing": false,
       "EnableSearching": false,
       "EnableAutocomplete": false,
       "Sniff": true,
       "PostIndexReplicas": 1,
       "PostIndexShards": 1,
       "ChannelIndexReplicas": 1,
       "ChannelIndexShards": 1,
       "UserIndexReplicas": 1,
       "UserIndexShards": 1,
       "AggregatePostsAfterDays": 365,
       "PostsAggregatorJobStartTime": "03:00",
       "IndexPrefix": "",
       "LiveIndexingBatchSize": 1,
       "BulkIndexingTimeWindowSeconds": 3600,
       "RequestTimeoutSeconds": 30,
       "SkipTLSVerification": false,
       "Trace": ""
   },
   "BleveSettings": {
       "IndexDir": "",
       "EnableIndexing": false,
       "EnableSearching": false,
       "EnableAutocomplete": false,
       "BulkIndexingTimeWindowSeconds": 3600
   },
   "DataRetentionSettings": {
       "EnableMessageDeletion": false,
       "EnableFileDeletion": false,
       "MessageRetentionDays": 365,
       "FileRetentionDays": 365,
       "DeletionJobStartTime": "02:00"
   },
   "MessageExportSettings": {
       "EnableExport": true,
       "ExportFormat": "csv",
       "DailyRunTime": "01:00",
       "ExportFromTimestamp": 1593186433203,
       "BatchSize": 10000,
       "GlobalRelaySettings": {
           "CustomerType": "A9",
           "SmtpUsername": "",
           "SmtpPassword": "",
           "EmailAddress": ""
       }
   },
   "JobSettings": {
       "RunJobs": true,
       "RunScheduler": true
   },
   "PluginSettings": {
       "Enable": false,
       "EnableUploads": false,
       "AllowInsecureDownloadUrl": false,
       "EnableHealthCheck": true,
       "Directory": "/mattermost/plugins/",
       "ClientDirectory": "./client/plugins",
       "Plugins": {},
       "PluginStates": {
           "com.mattermost.nps": {
               "Enable": true
           }
       },
       "EnableMarketplace": true,
       "EnableRemoteMarketplace": true,
       "AutomaticPrepackagedPlugins": true,
       "RequirePluginSignature": false,
       "MarketplaceUrl": "https://api.integrations.mattermost.com",
       "SignaturePublicKeyFiles": []
   },
   "DisplaySettings": {
       "CustomUrlSchemes": [],
       "ExperimentalTimezone": false
   },
   "GuestAccountsSettings": {
       "Enable": false,
       "AllowEmailAccounts": true,
       "EnforceMultifactorAuthentication": false,
       "RestrictCreationToDomains": ""
   },
   "ImageProxySettings": {
       "Enable": false,
       "ImageProxyType": "local",
       "RemoteImageProxyURL": "",
       "RemoteImageProxyOptions": ""
   }
}
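As an added example (not part of this guide or of the Mattermost project), a small Python check that reads a config.json such as the one above and reports settings that contradict the AD-only, everything-public lockdown: a local email login path left on, an LDAP bind with no TLS or STARTTLS, SMTP certificate verification switched off, public file links or plugin uploads enabled, and a SqlSettings DriverName that does not match the form of its DataSource. The embedded SAMPLE_CONFIG is constructed from the values shown above and covers only the keys the check looks at; check_file takes whatever path your config.json lives at.

```python
import json

# Constructed sample mirroring the security-relevant keys and values of the
# config.json above (not the full file); edit the values to see findings change.
SAMPLE_CONFIG = json.loads("""{
  "SqlSettings": {"DriverName": "postgres",
      "DataSource": "mmuser:mostest@tcp(localhost:3306)/mattermost_test"},
  "LdapSettings": {"Enable": true, "LdapPort": 389, "ConnectionSecurity": ""},
  "EmailSettings": {"EnableSignUpWithEmail": false, "EnableSignInWithEmail": false,
      "EnableSignInWithUsername": false, "SkipServerCertificateVerification": true},
  "FileSettings": {"EnablePublicLink": false},
  "PluginSettings": {"Enable": false, "EnableUploads": false, "RequirePluginSignature": false}
}""")

def _get(cfg, section, key):
    """Look up cfg[section][key]; None when either level is missing."""
    return cfg.get(section, {}).get(key)

def check_lockdown(cfg):
    """Return findings (strings) for settings that weaken the AD-only, locked-down
    deployment this guide describes; an empty list means every check passed."""
    findings = []
    # The driver must match the DataSource form: Mattermost's postgres DSN is a
    # postgres:// URL, while user:pass@tcp(host:port)/db is the MySQL form.
    driver = _get(cfg, "SqlSettings", "DriverName")
    dsn = _get(cfg, "SqlSettings", "DataSource") or ""
    if driver == "postgres" and not dsn.startswith("postgres://"):
        findings.append("SqlSettings: DriverName is postgres but DataSource is a MySQL-style DSN")
    # With ConnectionSecurity empty the bind password and every user's login
    # credentials cross the network in clear text; TLS (636) or STARTTLS should be set.
    if _get(cfg, "LdapSettings", "Enable") and not _get(cfg, "LdapSettings", "ConnectionSecurity"):
        findings.append("LdapSettings: ConnectionSecurity is empty; LDAP bind is unencrypted")
    # Any local login path left enabled bypasses AD authentication entirely.
    for key in ("EnableSignUpWithEmail", "EnableSignInWithEmail", "EnableSignInWithUsername"):
        if _get(cfg, "EmailSettings", key):
            findings.append(f"EmailSettings: {key} is true; allows non-AD accounts")
    if _get(cfg, "EmailSettings", "SkipServerCertificateVerification"):
        findings.append("EmailSettings: SkipServerCertificateVerification is true; SMTP TLS unvalidated")
    # Public file links and plugin uploads widen the attack surface of a closed server.
    for section, key in (("FileSettings", "EnablePublicLink"), ("PluginSettings", "EnableUploads")):
        if _get(cfg, section, key):
            findings.append(f"{section}: {key} is true")
    if _get(cfg, "PluginSettings", "Enable") and not _get(cfg, "PluginSettings", "RequirePluginSignature"):
        findings.append("PluginSettings: plugins enabled without RequirePluginSignature")
    return findings

def check_file(path):
    """Run the same checks on a config.json read from disk."""
    with open(path, encoding="utf-8") as fh:
        return check_lockdown(json.load(fh))
```

Run it against the live file after every edit to config.json; a clean run returns an empty list, and each finding names the section and key to fix.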

TODO

  • Improve over time
  • Define better config.json snippets
  • Create area for setting up default Team

References