From 8a2ddcdf300a66f59770b81e1caafbbb35d49fec Mon Sep 17 00:00:00 2001 From: kaiyou Date: Sat, 21 Oct 2017 15:54:09 +0200 Subject: [PATCH 01/19] Fix a typo in the nginx config --- nginx/conf/nginx.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nginx/conf/nginx.conf b/nginx/conf/nginx.conf index 446c039f..dbb82e56 100644 --- a/nginx/conf/nginx.conf +++ b/nginx/conf/nginx.conf @@ -43,7 +43,7 @@ http { # Actual logic {% if TLS_ERROR %} location / { - return 403 + return 403; } {% else %} {% if WEBMAIL != 'none' %} @@ -90,7 +90,7 @@ mail { server { listen 25; - {% if TLS_FLAVOR != 'notls' %} + {% if TLS %} starttls on; {% endif %} protocol smtp; From 3230554b0d0680fac25326b457802f5b90522b47 Mon Sep 17 00:00:00 2001 From: kaiyou Date: Sat, 21 Oct 2017 18:58:18 +0200 Subject: [PATCH 02/19] Do not enable starttls if no certificate --- nginx/conf/nginx.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nginx/conf/nginx.conf b/nginx/conf/nginx.conf index dbb82e56..e0488119 100644 --- a/nginx/conf/nginx.conf +++ b/nginx/conf/nginx.conf @@ -90,7 +90,7 @@ mail { server { listen 25; - {% if TLS %} + {% if TLS and not TLS_ERROR %} starttls on; {% endif %} protocol smtp; From 0a74213eae6614b0545a3e4b6cf049d99bec34af Mon Sep 17 00:00:00 2001 From: kaiyou Date: Sat, 21 Oct 2017 19:50:49 +0200 Subject: [PATCH 03/19] Have nginx listen over ipv6 --- nginx/conf/nginx.conf | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/nginx/conf/nginx.conf b/nginx/conf/nginx.conf index e0488119..61011dc6 100644 --- a/nginx/conf/nginx.conf +++ b/nginx/conf/nginx.conf @@ -21,10 +21,12 @@ http { server { listen 80; + listen [::]:80; # TLS configuration {% if TLS and not TLS_ERROR %} listen 443 ssl; + listen [::]:443 ssl; include /etc/nginx/tls.conf; ssl_session_cache shared:SSLHTTP:50m; add_header Strict-Transport-Security max-age=15768000; 
@@ -90,6 +92,7 @@ mail { server { listen 25; + listen [::]:25; {% if TLS and not TLS_ERROR %} starttls on; {% endif %} @@ -100,6 +103,7 @@ mail { {% if not TLS_ERROR %} server { listen 143; + listen [::]:143; {% if TLS %} starttls only; {% endif %} @@ -110,12 +114,14 @@ mail { {% if TLS %} server { listen 465 ssl; + listen [::]:465 ssl; protocol smtp; smtp_auth plain; } server { - listen 597; + listen 587; + listen [::]:587; starttls only; protocol smtp; smtp_auth plain; @@ -123,6 +129,7 @@ mail { server { listen 993 ssl; + listen [::]:993 ssl; protocol imap; imap_auth plain; } From ec6d5acc188c5341a2c24c18056eea824de2fe20 Mon Sep 17 00:00:00 2001 From: kaiyou Date: Sun, 22 Oct 2017 10:49:31 +0200 Subject: [PATCH 04/19] Unescape passwords before cecking --- admin/mailu/internal/nginx.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/admin/mailu/internal/nginx.py b/admin/mailu/internal/nginx.py index a7a8c5b4..1cd7e652 100644 --- a/admin/mailu/internal/nginx.py +++ b/admin/mailu/internal/nginx.py @@ -1,6 +1,7 @@ from mailu import db, models import socket +import urllib SUPPORTED_AUTH_METHODS = ["none", "plain"] @@ -36,8 +37,8 @@ def handle_authentication(headers): } # Authenticated user elif method == "plain": - user_email = headers["Auth-User"] - password = headers["Auth-Pass"] + user_email = urllib.parse.unquote(headers["Auth-User"]) + password = urllib.parse.unquote(headers["Auth-Pass"]) user = models.User.query.get(user_email) if user and user.check_password(password): return { From 04a25fc4e33da6e2181b4af80012660f25fe67d0 Mon Sep 17 00:00:00 2001 From: kaiyou Date: Sun, 22 Oct 2017 11:31:32 +0200 Subject: [PATCH 05/19] Add specific unencrypted servers for internal connexions (webmails) --- nginx/conf/nginx.conf | 25 +++++++++++++++++++++++-- rainloop/default.ini | 4 ++-- roundcube/config.inc.php | 4 ++-- 3 files changed, 27 insertions(+), 6 deletions(-) 
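Review bot: The two new `urllib.parse.unquote(...)` lines depend on the `parse` submodule being bound as an attribute of `urllib`, but the first hunk only adds `import urllib`, which does not import `urllib.parse` by itself; it resolves only when something else in the process happened to import it first. Make the dependency explicit in the first hunk: `import urllib.parse`. handle_authentication continues outside the second hunk.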
diff --git a/nginx/conf/nginx.conf b/nginx/conf/nginx.conf index 61011dc6..d82d4e16 100644 --- a/nginx/conf/nginx.conf +++ b/nginx/conf/nginx.conf @@ -20,13 +20,15 @@ http { absolute_redirect off; server { + # Always listen over HTTP listen 80; listen [::]:80; - # TLS configuration + # Only enable HTTPS if TLS is enabled with no error {% if TLS and not TLS_ERROR %} listen 443 ssl; listen [::]:443 ssl; + include /etc/nginx/tls.conf; ssl_session_cache shared:SSLHTTP:50m; add_header Strict-Transport-Security max-age=15768000; @@ -36,18 +38,21 @@ http { } {% endif %} + # In any case, enable the proxy for certbot if the flavor is letsencrypt {% if TLS_FLAVOR == 'letsencrypt' %} location ^~ /.well-known/acme-challenge/ { proxy_pass http://localhost:8000; } {% endif %} - # Actual logic + # If TLS is failing, prevent access to anything except certbot {% if TLS_ERROR %} location / { return 403; } {% else %} + + # Actual logic {% if WEBMAIL != 'none' %} location / { return 301 $scheme://$host/webmail/; @@ -90,6 +95,21 @@ mail { ssl_session_cache shared:SSLMAIL:50m; {% endif %} + # Default SMTP server for the webmail (no encryption, but authentication) + server { + listen 10025; + protocol smtp; + smtp_auth plain; + } + + # Default IMAP server for the webmail (no encryption, but authentication) + server { + listen 10143; + protocol imap; + smtp_auth plain; + } + + # SMTP is always enabled, to avoid losing emails when TLS is failing server { listen 25; listen [::]:25; @@ -100,6 +120,7 @@ mail { smtp_auth none; } + # All other protocols are disabled if TLS is failing {% if not TLS_ERROR %} server { listen 143; diff --git a/rainloop/default.ini b/rainloop/default.ini index 53545bef..0cb96d69 100644 --- a/rainloop/default.ini +++ b/rainloop/default.ini @@ -1,5 +1,5 @@ imap_host = "front" -imap_port = 143 +imap_port = 10143 imap_secure = "None" imap_short_login = Off sieve_use = On 
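Review bot: The new 10143 server block sets `smtp_auth plain;` inside an IMAP server, whereas the existing 993 block uses `imap_auth plain;` for the same purpose; nginx accepts `smtp_auth` in server context, so the slip is silent and the block simply runs on the default imap_auth value. Write `imap_auth plain;` there. Both new listeners (`listen 10025;`, `listen 10143;`) have no address, so they accept plaintext credentials on every interface of the container and the only thing keeping them internal is that those ports are not published; the comments already say "no encryption, but authentication" and could add that constraint, e.g. `# Default IMAP server for the webmail (plaintext auth; this port must never be published)`.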
@@ -8,7 +8,7 @@ sieve_host = "imap" sieve_port = 4190 sieve_secure = "TLS" smtp_host = "front" -smtp_port = 25 +smtp_port = 10025 smtp_secure = "None" smtp_short_login = Off smtp_auth = On diff --git a/roundcube/config.inc.php b/roundcube/config.inc.php index a867a169..60deb614 100644 --- a/roundcube/config.inc.php +++ b/roundcube/config.inc.php @@ -18,9 +18,9 @@ $config['plugins'] = array( // Mail servers $config['default_host'] = 'front'; -$config['default_port'] = 143; +$config['default_port'] = 10143; $config['smtp_server'] = 'front'; -$config['smtp_port'] = 25; +$config['smtp_port'] = 10025; $config['smtp_user'] = '%u'; $config['smtp_pass'] = '%p'; From cac00086c91c62885fd9ae7222f65ceb6dba8dc0 Mon Sep 17 00:00:00 2001 From: kaiyou Date: Sun, 22 Oct 2017 11:31:55 +0200 Subject: [PATCH 06/19] Fix the outclean filter which was not embedded anymore --- postfix/conf/master.cf | 2 +- .../conf/{outclean_header_filter => outclean_header_filter.cf} | 0 2 files changed, 1 insertion(+), 1 deletion(-) rename postfix/conf/{outclean_header_filter => outclean_header_filter.cf} (100%) diff --git a/postfix/conf/master.cf b/postfix/conf/master.cf index 47cb4af6..d8c88379 100644 --- a/postfix/conf/master.cf +++ b/postfix/conf/master.cf @@ -7,7 +7,7 @@ smtp inet n - n - - smtpd # Additional services outclean unix n - n - 0 cleanup - -o header_checks=pcre:/etc/postfix/outclean_header_filter + -o header_checks=pcre:/etc/postfix/outclean_header_filter.cf # Internal postfix services pickup unix n - n 60 1 pickup diff --git a/postfix/conf/outclean_header_filter b/postfix/conf/outclean_header_filter.cf similarity index 100% rename from postfix/conf/outclean_header_filter rename to postfix/conf/outclean_header_filter.cf From ea1d876d9302e67bc8263f7ff71086071e2a1fad Mon Sep 17 00:00:00 2001 
From: kaiyou Date: Sun, 22 Oct 2017 15:00:16 +0200 Subject: [PATCH 07/19] Add a specific server for xclient-authenticated connections --- postfix/conf/main.cf | 25 +++++++------------------ postfix/conf/master.cf | 11 +++++++---- postfix/conf/sqlite-reject-spoofed.cf | 5 +++++ 3 files changed, 19 insertions(+), 22 deletions(-) create mode 100644 postfix/conf/sqlite-reject-spoofed.cf diff --git a/postfix/conf/main.cf b/postfix/conf/main.cf index e23dcba7..bb374e7c 100644 --- a/postfix/conf/main.cf +++ b/postfix/conf/main.cf @@ -31,9 +31,6 @@ relayhost = {{ RELAYHOST }} # Recipient delimiter for extended addresses recipient_delimiter = {{ RECIPIENT_DELIMITER }} -# XClient for connection from the frontend -smtpd_authorized_xclient_hosts = {{ FRONT_ADDRESS }} - ############### # TLS ############### @@ -79,24 +76,16 @@ smtpd_delay_reject = yes smtpd_sender_login_maps = $virtual_alias_maps # Helo restrictions are specified for smtp only in master.cf +# Restrictions for incoming SMTP, other restrictions are applied in master.cf smtpd_helo_required = yes -# Sender restrictions -smtpd_sender_restrictions = - permit_mynetworks, - reject_non_fqdn_sender, - reject_unknown_sender_domain, - reject_unlisted_sender, - reject_sender_login_mismatch, - permit - -# Recipient restrictions: smtpd_recipient_restrictions = - permit_mynetworks, - reject_unauth_pipelining, - reject_non_fqdn_recipient, - reject_unknown_recipient_domain, - permit + permit_mynetworks, + check_sender_access ${sql}sqlite-reject-spoofed.cf, + reject_non_fqdn_sender, + reject_unknown_sender_domain, + reject_unknown_recipient_domain, + permit ############### # Milter diff --git a/postfix/conf/master.cf b/postfix/conf/master.cf index d8c88379..8593c0e1 100644 --- a/postfix/conf/master.cf +++ b/postfix/conf/master.cf 
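Review bot: The merged `smtpd_recipient_restrictions` drops `reject_unauth_pipelining` and `reject_non_fqdn_recipient` from the public smtpd without the subject or the new comment saying why; the removed `reject_unlisted_sender` and `reject_sender_login_mismatch` reappear on the 10025 service in master.cf, but these two do not reappear in any hunk of the series. If the omission is not deliberate, keep them in the new list: `reject_unauth_pipelining,` after `permit_mynetworks,` and `reject_non_fqdn_recipient,` next to `reject_unknown_recipient_domain,`. The replacement comment "other restrictions are applied in master.cf" then only has the sender checks to cover, which is worth stating.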
@@ -1,12 +1,15 @@ # service type private unpriv chroot wakeup maxproc command + args # (yes) (yes) (yes) (never) (100) -# Exposed SMTP services +# Exposed SMTP service smtp inet n - n - - smtpd - -o cleanup_service_name=outclean -# Additional services -outclean unix n - n - 0 cleanup +# Internal SMTP service +10025 inet n - n - - smtpd + -o smtpd_authorized_xclient_hosts={{ FRONT_ADDRESS }} + -o smtpd_recipient_restrictions=reject_unlisted_sender,reject_sender_login_mismatch,permit + -o cleanup_service_name=outclean +outclean unix n - n - 0 cleanup -o header_checks=pcre:/etc/postfix/outclean_header_filter.cf # Internal postfix services diff --git a/postfix/conf/sqlite-reject-spoofed.cf b/postfix/conf/sqlite-reject-spoofed.cf new file mode 100644 index 00000000..e1d3e754 --- /dev/null +++ b/postfix/conf/sqlite-reject-spoofed.cf @@ -0,0 +1,5 @@ +dbpath = /data/main.db +query = + SELECT 'REJECT' FROM domain WHERE name='%s' + UNION + SELECT 'REJECT' FROM name WHERE name='%s' From 7d348440d80aad09d775655a3e4ba8f9a3c26354 Mon Sep 17 00:00:00 2001 From: kaiyou Date: Sun, 22 Oct 2017 15:00:41 +0200 Subject: [PATCH 08/19] Have radicale authenticate against the front --- radicale/radicale.conf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/radicale/radicale.conf b/radicale/radicale.conf index 0818c8f0..90979320 100644 --- a/radicale/radicale.conf +++ b/radicale/radicale.conf @@ -14,9 +14,9 @@ stock = utf-8 [auth] type = IMAP -imap_hostname = imap -imap_port = 993 -imap_ssl = True +imap_hostname = front +imap_port = 10143 +imap_ssl = False [git] From 2c8810d7d35bda7930db3fc9fdff5c0cdf0470a8 Mon Sep 17 00:00:00 2001 From: kaiyou Date: Sun, 22 Oct 2017 15:01:04 +0200 Subject: [PATCH 09/19] Use an HTTP proxy for resolving the admin address dynamically --- nginx/conf/nginx.conf | 26 +++++++++++++++++++------- nginx/config.py | 4 ---- 2 files changed, 19 insertions(+), 11 deletions(-) 
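Review bot: Nothing on the new 10025 service limits which clients may connect: `smtpd_authorized_xclient_hosts` only decides who may assert XCLIENT attributes, and the `smtpd_recipient_restrictions` override has no client check, so any host that can reach the port gets this submission path without going through the front. Whether such a host exists depends on the container network, which the hunk does not show. Consider a client restriction on the service, e.g. `-o smtpd_client_restrictions=permit_mynetworks,reject` if `mynetworks` covers the front address (not visible here), or at least a comment on the `# Internal SMTP service` line stating that the port relies on network isolation.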
diff --git a/nginx/conf/nginx.conf b/nginx/conf/nginx.conf index d82d4e16..320f4e0c 100644 --- a/nginx/conf/nginx.conf +++ b/nginx/conf/nginx.conf @@ -19,6 +19,7 @@ http { server_tokens off; absolute_redirect off; + # Main HTTP server server { # Always listen over HTTP listen 80; @@ -83,11 +84,20 @@ http { {% endif %} {% endif %} } + + # Forwarding authentication server + server { + listen 127.0.0.1:8000; + + location /internal { + proxy_pass http://admin; + } + } } mail { server_name {{ HOSTNAMES.split(",")[0] }}; - auth_http http://{{ ADMIN_ADDRESS }}/internal/nginx; + auth_http http://127.0.0.1:8000/internal/nginx; proxy_pass_error_message on; {% if TLS and not TLS_ERROR %} @@ -132,18 +142,20 @@ mail { imap_auth plain; } - {% if TLS %} server { - listen 465 ssl; - listen [::]:465 ssl; + listen 587; + listen [::]:587; + {% if TLS %} + starttls only; + {% endif %} protocol smtp; smtp_auth plain; } + {% if TLS %} server { - listen 587; - listen [::]:587; - starttls only; + listen 465 ssl; + listen [::]:465 ssl; protocol smtp; smtp_auth plain; } diff --git a/nginx/config.py b/nginx/config.py index 5f1e0355..714ad037 100755 --- a/nginx/config.py +++ b/nginx/config.py @@ -2,15 +2,11 @@ import jinja2 import os -import socket convert = lambda src, dst, args: open(dst, "w").write(jinja2.Template(open(src).read()).render(**args)) args = os.environ.copy() -if "ADMIN_ADDRESS" not in os.environ: - args["ADMIN_ADDRESS"] = socket.gethostbyname("admin") - args["TLS"] = { "cert": ("/certs/cert.pem", "/certs/key.pem"), "letsencrypt": ("/certs/letsencrypt/live/mailu/fullchain.pem", From 80d728c233e9ba228d03b0d08ec22e66365730c4 Mon Sep 17 00:00:00 2001 From: kaiyou Date: Sun, 22 Oct 2017 15:01:25 +0200 Subject: [PATCH 10/19] Forward SMTP to the xclient-authenticated endpoint --- admin/mailu/internal/nginx.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/admin/mailu/internal/nginx.py b/admin/mailu/internal/nginx.py index 1cd7e652..23f46f4d 100644 
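Review bot: The new forwarding server binds `listen 127.0.0.1:8000;`, the same address and port the letsencrypt block already proxies ACME challenges to (`proxy_pass http://localhost:8000;`, visible as context in patch 05). If the thing meant to answer on localhost:8000 is a certbot listener, it can no longer bind while nginx holds the port, and challenge requests land on this server instead, where only `/internal` is routed; patch 15 keeps the same listen and widens the location to `/`, so the clash persists there. Either move this server to a port the ACME proxy does not use or, if 8000 is intentionally nginx's, say so in the `# Forwarding authentication server` comment. Separately, `proxy_pass http://admin;` with a literal hostname is resolved once when the configuration loads, so this does not re-resolve the admin address the way the subject suggests; re-resolution needs a `resolver` directive and a variable in `proxy_pass`.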
--- a/admin/mailu/internal/nginx.py +++ b/admin/mailu/internal/nginx.py @@ -16,8 +16,8 @@ STATUSES = { SERVER_MAP = { - "imap": ("imap", 143), - "smtp": ("smtp", 25) + "imap": ("imap", 143), # Connect to the generic IMAP port + "smtp": ("smtp", 10025) # Connect to the specific SMTP port } From 690c05ea64d2bcdc019504d952d89544ded27c03 Mon Sep 17 00:00:00 2001 From: kaiyou Date: Sun, 22 Oct 2017 15:44:44 +0200 Subject: [PATCH 11/19] Switch behavior if the user is not authenticated --- admin/mailu/internal/nginx.py | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/admin/mailu/internal/nginx.py b/admin/mailu/internal/nginx.py index 23f46f4d..3856737d 100644 --- a/admin/mailu/internal/nginx.py +++ b/admin/mailu/internal/nginx.py @@ -15,21 +15,15 @@ STATUSES = { } -SERVER_MAP = { - "imap": ("imap", 143), # Connect to the generic IMAP port - "smtp": ("smtp", 10025) # Connect to the specific SMTP port -} - - def handle_authentication(headers): """ Handle an HTTP nginx authentication request See: http://nginx.org/en/docs/mail/ngx_mail_auth_http_module.html#protocol """ method = headers["Auth-Method"] protocol = headers["Auth-Protocol"] - server, port = get_server(headers["Auth-Protocol"]) # Incoming mail, no authentication if method == "none" and protocol == "smtp": + server, port = get_server(headers["Auth-Protocol"], False) return { "Auth-Status": "OK", "Auth-Server": server, @@ -37,6 +31,7 @@ def handle_authentication(headers): } # Authenticated user elif method == "plain": + server, port = get_server(headers["Auth-Protocol"], True) user_email = urllib.parse.unquote(headers["Auth-User"]) password = urllib.parse.unquote(headers["Auth-Pass"]) user = models.User.query.get(user_email) 
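Review bot: The two new `get_server` calls re-read `headers["Auth-Protocol"]` although `protocol` was bound from that header a few lines above, and pass the flag positionally, so the meaning of `False`/`True` is not visible at the call site. `server, port = get_server(protocol, authenticated=False)` and `server, port = get_server(protocol, authenticated=True)` say the same thing more readably. handle_authentication continues outside the hunk, so the remaining method/protocol combinations are not visible here.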
@@ -65,7 +60,13 @@ def get_status(protocol, status): return status, codes[protocol] -def get_server(protocol): - hostname, port = SERVER_MAP[protocol] +def get_server(protocol, authenticated=False): + if protocol == "imap": + hostname, port = "imap", 143 + elif protocol == "pop3": + hostname, port = "imap", 110 + elif protocol == "smtp": + hostname = "smtp" + port = 10025 if authenticated else 25 address = socket.gethostbyname(hostname) return address, port From 64cbab51048053e294aa722c2d64534644360588 Mon Sep 17 00:00:00 2001 From: kaiyou Date: Sun, 22 Oct 2017 15:45:32 +0200 Subject: [PATCH 12/19] Allow xclient even for non authenticated clients --- postfix/conf/main.cf | 4 +++- postfix/conf/master.cf | 1 - 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/postfix/conf/main.cf b/postfix/conf/main.cf index bb374e7c..60887a47 100644 --- a/postfix/conf/main.cf +++ b/postfix/conf/main.cf @@ -31,6 +31,9 @@ relayhost = {{ RELAYHOST }} # Recipient delimiter for extended addresses recipient_delimiter = {{ RECIPIENT_DELIMITER }} +# Only the front server is allowed to perform xclient +smtpd_authorized_xclient_hosts={{ FRONT_ADDRESS }} + ############### # TLS ############### @@ -75,7 +78,6 @@ smtpd_delay_reject = yes # Allowed senders are: the user or one of the alias destinations smtpd_sender_login_maps = $virtual_alias_maps -# Helo restrictions are specified for smtp only in master.cf # Restrictions for incoming SMTP, other restrictions are applied in master.cf smtpd_helo_required = yes diff --git a/postfix/conf/master.cf b/postfix/conf/master.cf index 8593c0e1..c0f68233 100644 --- a/postfix/conf/master.cf +++ b/postfix/conf/master.cf @@ -6,7 +6,6 @@ smtp inet n - n - - smtpd # Internal SMTP service 10025 inet n - n - - smtpd - -o smtpd_authorized_xclient_hosts={{ FRONT_ADDRESS }} -o smtpd_recipient_restrictions=reject_unlisted_sender,reject_sender_login_mismatch,permit -o cleanup_service_name=outclean outclean unix n - n - 0 cleanup 
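Review bot: `get_server` leaves `hostname` and `port` unassigned when `protocol` is none of `imap`, `pop3` or `smtp`, so an unexpected `Auth-Protocol` value now raises `UnboundLocalError` on the `socket.gethostbyname` line instead of the previous `KeyError` from `SERVER_MAP`. An explicit `else: raise ValueError("Unsupported protocol: {}".format(protocol))` keeps the failure deliberate and readable in the logs. A short docstring would also help, since `authenticated` only changes the SMTP port and is ignored for the other two protocols.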
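Review bot: The relocated `smtpd_authorized_xclient_hosts={{ FRONT_ADDRESS }}` omits the spaces around `=` that every other setting in this file uses (`recipient_delimiter = {{ RECIPIENT_DELIMITER }}` sits a line above); write `smtpd_authorized_xclient_hosts = {{ FRONT_ADDRESS }}`. Because it now lives in main.cf it applies to the public `smtp` service as well as to 10025, which is what the subject intends, and the comment could say so: `# Only the front server is allowed to perform xclient, on every smtpd service`.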
From bb4c5150b57c9a21e12591079aa190fffada6b43 Mon Sep 17 00:00:00 2001 From: kaiyou Date: Sun, 22 Oct 2017 16:07:12 +0200 Subject: [PATCH 13/19] Remove the scary warning --- README.md | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/README.md b/README.md index 076083d5..2932d4fc 100644 --- a/README.md +++ b/README.md @@ -1,16 +1,3 @@ - :warning: Warning -================== - -**Be very careful when using `master`**, especially if you are currently running -`1.4`, development of version `1.5` includes refactoring the frontend and -authentication mechanisms. At best your server will stop working, at worst you -could expose your data to malicious attackers! - -**Do not start using `traefik`** as a frontend server. Traefik was first tested -to replace nginx because certificate generation was a nightmare. As we are in the -process of completely rewriting the frontend and authentication interface, it will -probably be deprecated before `1.5` is out. - ![Logo](logo.png) [Join us and chat about the project.](https://riot.im/app/#/room/#mailu:tedomum.net) From 3c9552a14bf1f4343a3b31ebffe564fe33543f20 Mon Sep 17 00:00:00 2001 From: kaiyou Date: Sun, 22 Oct 2017 16:13:13 +0200 Subject: [PATCH 14/19] Make it possible to serve Mailu over ipv6 --- .env.dist | 4 ++-- docker-compose.yml.dist | 27 ++++++++++++++++++--------- 2 files changed, 20 insertions(+), 11 deletions(-) diff --git a/.env.dist b/.env.dist index cb3a97d0..90b1ba0c 100644 --- a/.env.dist +++ b/.env.dist @@ -18,7 +18,8 @@ VERSION=stable SECRET_KEY=ChangeMeChangeMe # Address where listening ports should bind -BIND_ADDRESS=127.0.0.1 +BIND_ADDRESS4=127.0.0.1 +BIND_ADDRESS6=::1 # Main mail domain DOMAIN=mailu.io @@ -94,4 +95,3 @@ COMPOSE_PROJECT_NAME=mailu # Default password scheme used for newly created accounts and changed passwords # (value: SHA512-CRYPT, SHA256-CRYPT, MD5-CRYPT, CRYPT) PASSWORD_SCHEME=SHA512-CRYPT - 
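Review bot: The comment above the two new variables still reads `# Address where listening ports should bind` in the singular, and the companion docker-compose.yml.dist hunk references both `BIND_ADDRESS4` and `BIND_ADDRESS6` for every published port. A reader on an IPv4-only host needs to know whether the IPv6 variable may be left empty, which the file does not say; `# Addresses where listening ports should bind (both are used by docker-compose.yml)` plus a note on the IPv4-only case would cover it.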
diff --git a/docker-compose.yml.dist b/docker-compose.yml.dist index 35f6ac5f..54b6439f 100644 --- a/docker-compose.yml.dist +++ b/docker-compose.yml.dist @@ -8,15 +8,24 @@ services: restart: always env_file: .env ports: - - "$BIND_ADDRESS:80:80" - - "$BIND_ADDRESS:443:443" - - "$BIND_ADDRESS:110:110" - - "$BIND_ADDRESS:143:143" - - "$BIND_ADDRESS:993:993" - - "$BIND_ADDRESS:995:995" - - "$BIND_ADDRESS:25:25" - - "$BIND_ADDRESS:465:465" - - "$BIND_ADDRESS:587:587" + - "$BIND_ADDRESS4:80:80" + - "$BIND_ADDRESS4:443:443" + - "$BIND_ADDRESS4:110:110" + - "$BIND_ADDRESS4:143:143" + - "$BIND_ADDRESS4:993:993" + - "$BIND_ADDRESS4:995:995" + - "$BIND_ADDRESS4:25:25" + - "$BIND_ADDRESS4:465:465" + - "$BIND_ADDRESS4:587:587" + - "$BIND_ADDRESS6:80:80" + - "$BIND_ADDRESS6:443:443" + - "$BIND_ADDRESS6:110:110" + - "$BIND_ADDRESS6:143:143" + - "$BIND_ADDRESS6:993:993" + - "$BIND_ADDRESS6:995:995" + - "$BIND_ADDRESS6:25:25" + - "$BIND_ADDRESS6:465:465" + - "$BIND_ADDRESS6:587:587" volumes: - "$ROOT/certs:/certs" From ff71e7036044c301324ad9d3166e3a582ed27d06 Mon Sep 17 00:00:00 2001 From: kaiyou Date: Sun, 22 Oct 2017 16:43:06 +0200 Subject: [PATCH 15/19] Rename the authentication endpoint --- admin/mailu/internal/nginx.py | 1 + admin/mailu/internal/views.py | 4 +++- nginx/conf/nginx.conf | 6 +++--- 3 files changed, 7 insertions(+), 4 deletions(-) diff --git a/admin/mailu/internal/nginx.py b/admin/mailu/internal/nginx.py index 3856737d..4c5cc334 100644 --- a/admin/mailu/internal/nginx.py +++ b/admin/mailu/internal/nginx.py @@ -6,6 +6,7 @@ import urllib SUPPORTED_AUTH_METHODS = ["none", "plain"] + STATUSES = { "authentication": ("Authentication credentials invalid", { "imap": "AUTHENTICATIONFAILED", diff --git a/admin/mailu/internal/views.py b/admin/mailu/internal/views.py index 04d3268a..179b0cf5 100644 --- a/admin/mailu/internal/views.py +++ b/admin/mailu/internal/views.py 
@@ -4,8 +4,10 @@ from mailu.internal import internal, nginx import flask -@internal.route("/nginx") +@internal.route("/auth/email") def nginx_authentication(): + """ Main authentication endpoint for Nginx email server + """ headers = nginx.handle_authentication(flask.request.headers) response = flask.Response() for key, value in headers.items(): diff --git a/nginx/conf/nginx.conf b/nginx/conf/nginx.conf index 320f4e0c..b684bbec 100644 --- a/nginx/conf/nginx.conf +++ b/nginx/conf/nginx.conf @@ -89,15 +89,15 @@ http { server { listen 127.0.0.1:8000; - location /internal { - proxy_pass http://admin; + location / { + proxy_pass http://admin/internal/; } } } mail { server_name {{ HOSTNAMES.split(",")[0] }}; - auth_http http://127.0.0.1:8000/internal/nginx; + auth_http http://127.0.0.1:8000/auth/email; proxy_pass_error_message on; {% if TLS and not TLS_ERROR %} From c94e976f43221361d8a3ccece706ebc91eeea671 Mon Sep 17 00:00:00 2001 From: kaiyou Date: Sun, 22 Oct 2017 18:07:36 +0200 Subject: [PATCH 16/19] Fix a typo in the sqlite query --- postfix/conf/sqlite-reject-spoofed.cf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/postfix/conf/sqlite-reject-spoofed.cf b/postfix/conf/sqlite-reject-spoofed.cf index e1d3e754..9cdd6c45 100644 --- a/postfix/conf/sqlite-reject-spoofed.cf +++ b/postfix/conf/sqlite-reject-spoofed.cf @@ -2,4 +2,4 @@ dbpath = /data/main.db query = SELECT 'REJECT' FROM domain WHERE name='%s' UNION - SELECT 'REJECT' FROM name WHERE name='%s' + SELECT 'REJECT' FROM alternative WHERE name='%s' From 47f453e494c690c94e674cdd19a4948698aded0b Mon Sep 17 00:00:00 2001 From: kaiyou Date: Sun, 22 Oct 2017 18:15:28 +0200 Subject: [PATCH 17/19] Allow relaying when using the intenral SMTPd --- postfix/conf/master.cf | 1 + 1 file changed, 1 insertion(+) diff --git a/postfix/conf/master.cf b/postfix/conf/master.cf index c0f68233..b89aaac3 100644 --- a/postfix/conf/master.cf +++ b/postfix/conf/master.cf 
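Review bot: The new docstring is laid out as `""" Main authentication endpoint for Nginx email server` followed by a lone closing line, which is neither a PEP 257 one-liner nor a summary-plus-body; `"""Main authentication endpoint for the nginx mail proxy."""` on a single line reads as a standard docstring. The rename to `/auth/email` changes the URL nginx calls, which the nginx.conf hunk of the same patch follows, so the two files must ship together. nginx_authentication continues outside the hunk.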
@@ -6,6 +6,7 @@ smtp inet n - n - - smtpd # Internal SMTP service 10025 inet n - n - - smtpd + -o smtpd_relay_restrictions=permit -o smtpd_recipient_restrictions=reject_unlisted_sender,reject_sender_login_mismatch,permit -o cleanup_service_name=outclean outclean unix n - n - 0 cleanup From 05b9ecbb346d4e1b7a7495d8f312128a3e2253c4 Mon Sep 17 00:00:00 2001 From: kaiyou Date: Sun, 22 Oct 2017 19:05:51 +0200 Subject: [PATCH 18/19] Remove misinformed open relay for the internal smtp --- postfix/conf/master.cf | 1 - 1 file changed, 1 deletion(-) diff --git a/postfix/conf/master.cf b/postfix/conf/master.cf index b89aaac3..c0f68233 100644 --- a/postfix/conf/master.cf +++ b/postfix/conf/master.cf @@ -6,7 +6,6 @@ smtp inet n - n - - smtpd # Internal SMTP service 10025 inet n - n - - smtpd - -o smtpd_relay_restrictions=permit -o smtpd_recipient_restrictions=reject_unlisted_sender,reject_sender_login_mismatch,permit -o cleanup_service_name=outclean outclean unix n - n - 0 cleanup From 6765a17545d62a8965563a6a99bac5aed0248505 Mon Sep 17 00:00:00 2001 From: kaiyou Date: Sun, 22 Oct 2017 19:44:58 +0200 Subject: [PATCH 19/19] Explicitely enable sasl_auth for the internal SMTP (Postifx, sigh..) --- postfix/conf/master.cf | 1 + 1 file changed, 1 insertion(+) diff --git a/postfix/conf/master.cf b/postfix/conf/master.cf index c0f68233..d64645a1 100644 --- a/postfix/conf/master.cf +++ b/postfix/conf/master.cf @@ -6,6 +6,7 @@ smtp inet n - n - - smtpd # Internal SMTP service 10025 inet n - n - - smtpd + -o smtpd_sasl_auth_enable=yes -o smtpd_recipient_restrictions=reject_unlisted_sender,reject_sender_login_mismatch,permit -o cleanup_service_name=outclean outclean unix n - n - 0 cleanup
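Review bot: `-o smtpd_sasl_auth_enable=yes` makes the 10025 service advertise AUTH to every client that reaches it, not only honour the XCLIENT LOGIN attribute the front sets, and no SASL backend settings appear in the hunk, so a real AUTH attempt on this port would presumably fail against whatever the default backend is. If the intent is solely to have Postfix accept XCLIENT LOGIN, as the subject suggests, record that next to the option, e.g. `# SASL is enabled so that XCLIENT LOGIN from the front is honoured; no AUTH backend is meant to be used here`.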