diff --git a/core/admin/start.py b/core/admin/start.py
index 0eff3bbe..529f62d6 100755
--- a/core/admin/start.py
+++ b/core/admin/start.py
@@ -18,6 +18,34 @@ if account is not None and domain is not None and password is not None:
 log.info("Creating initial admin accout %s@%s with mode %s",account,domain,mode)
 os.system("flask mailu admin %s %s '%s' --mode %s" % (account, domain, password, mode))
 
+def test_DNS():
+ import dns.resolver
+ import dns.exception
+ import dns.flags
+ import dns.rdtypes
+ import dns.rdatatype
+ import dns.rdataclass
+ import time
+ # DNS stub configured to do DNSSEC enabled queries
+ resolver = dns.resolver.Resolver()
+ resolver.use_edns(0, 0, 1232)
+ resolver.flags = dns.flags.AD | dns.flags.RD
+ nameservers = resolver.nameservers
+ for ns in nameservers:
+ resolver.nameservers=[ns]
+ while True:
+ try:
+ result = resolver.query('example.org', dns.rdatatype.A, dns.rdataclass.IN, lifetime=10)
+ except Exception as e:
+ log.critical("Your DNS resolver at %s is not working (%s). Please use another resolver or enable unbound via https://setup.mailu.io.", ns, e);
+ else:
+ if result.response.flags & dns.flags.AD:
+ break
+ log.critical("Your DNS resolver at %s isn't doing DNSSEC validation; Please use another resolver or enable unbound via https://setup.mailu.io.", ns)
+ time.sleep(5)
+
+test_DNS()
+
 start_command="".join([
 "gunicorn --threads ", str(os.cpu_count()),
 " -b :80 ",
diff --git a/setup/flavors/compose/docker-compose.yml b/setup/flavors/compose/docker-compose.yml
index efaa46f0..6dac166b 100644
--- a/setup/flavors/compose/docker-compose.yml
+++ b/setup/flavors/compose/docker-compose.yml
@@ -13,6 +13,12 @@ services:
 restart: always
 volumes:
 - "{{ root }}/redis:/data"
+ {% if resolver_enabled %}
+ depends_on:
+ - resolver
+ dns:
+ - {{ dns }}
+ {% endif %}
 
 # Core services
 front:
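Review bot: The `while True:` loop in test_DNS has no exit on failure — `break` is reached only when the AD flag comes back, so a resolver that answers without DNSSEC validation (or does not answer at all) keeps the admin container in a log-critical-and-sleep loop forever rather than failing visibly; that may be intended as a wait for the unbound container to come up, but it applies equally to an external resolver that will never validate. Bound it, e.g. count attempts and `sys.exit(1)` after a limit, so the orchestrator reports the container as failed instead of hung. Catching `Exception` also swallows non-DNS errors while `dns.exception` is imported and never used, so narrow it to `except dns.exception.DNSException as e:` (and drop the unused `dns.rdtypes` import and the stray `;` on the log line). The AD bit is only as trustworthy as the path to the resolver, so a comment above `resolver.flags = dns.flags.AD | dns.flags.RD` such as `# AD in the query asks the resolver to report validation; this proves a validating resolver is configured, not that answers cannot be altered in transit` would make the probe's scope clear. `resolver.query` is deprecated in dnspython 2.x in favour of `resolver.resolve`, if that is the version pinned for this image.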
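Review bot: `depends_on: - resolver` only orders container start, not readiness, so a service whose first lookups race unbound's startup will see resolution failures until it answers; admin is covered by the new probe in start.py, but redis here and front, imap, webdav and webmail in the later hunks of this file are not, so a comment above the first block such as `# depends_on does not wait for unbound to answer; services must tolerate early lookup failures` would spare the next reader a debugging session. The same six-line `{% if resolver_enabled %}` block is now repeated in every service; a small Jinja macro would keep the copies from drifting. The smtp and antispam services are not touched by this diff, which is fine if they already carry a `dns:` entry outside these hunks, but if they do not, they are the services for which a validating resolver matters most and should be wired the same way.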
@@ -33,8 +39,12 @@ services: volumes: - "{{ root }}/certs:/certs" - "{{ root }}/overrides/nginx:/overrides:ro" + {% if resolver_enabled %} + depends_on: + - resolver + dns: + - {{ dns }} - {% if resolver_enabled %} resolver: image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}unbound:${MAILU_VERSION:-{{ version }}} env_file: {{ env }} @@ -42,7 +52,7 @@ services: networks: default: ipv4_address: {{ dns }} - {% endif %} + {% endif %} admin: image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}admin:${MAILU_VERSION:-{{ version }}} @@ -57,6 +67,11 @@ services: - "{{ root }}/dkim:/dkim" depends_on: - redis + {% if resolver_enabled %} + - resolver + dns: + - {{ dns }} + {% endif %} imap: image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}dovecot:${MAILU_VERSION:-{{ version }}} @@ -67,6 +82,11 @@ services: - "{{ root }}/overrides/dovecot:/overrides:ro" depends_on: - front + {% if resolver_enabled %} + - resolver + dns: + - {{ dns }} + {% endif %} smtp: image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}postfix:${MAILU_VERSION:-{{ version }}} @@ -122,6 +142,12 @@ services: env_file: {{ env }} volumes: - "{{ root }}/dav:/data" + {% if resolver_enabled %} + depends_on: + - resolver + dns: + - {{ dns }} + {% endif %} {% endif %} {% if fetchmail_enabled %} @@ -150,6 +176,11 @@ services: - "{{ root }}/overrides/{{ webmail_type }}:/overrides:ro" depends_on: - imap + {% if resolver_enabled %} + - resolver + dns: + - {{ dns }} + {% endif %} {% endif %} networks: diff --git a/setup/templates/steps/compose/03_expose.html b/setup/templates/steps/compose/03_expose.html index c9238f5a..80340f05 100644 --- a/setup/templates/steps/compose/03_expose.html +++ b/setup/templates/steps/compose/03_expose.html @@ -40,10 +40,10 @@ avoid generic all-interfaces addresses like 0.0.0.0 or :: -

The unbound resolver enables Mailu to do DNSsec verification, DNS root lookups and caching. This also helps the antispam service not to get blocked by the public or ISP DNS servers.

+

The unbound resolver enables Mailu to do DNSSEC verification, DNS root lookups and caching. This also helps the antispam service not to get blocked by the public or ISP DNS servers.

diff --git a/tests/compose/core/docker-compose.yml b/tests/compose/core/docker-compose.yml index 195d8a59..06f91f73 100644 --- a/tests/compose/core/docker-compose.yml +++ b/tests/compose/core/docker-compose.yml @@ -40,8 +40,11 @@ services: volumes: - "/mailu/data:/data" - "/mailu/dkim:/dkim" + dns: + - 192.168.203.254 depends_on: - redis + - resolver imap: image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}dovecot:${PINNED_MAILU_VERSION:-local} @@ -75,7 +78,13 @@ services: # Optional services - + resolver: + image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}unbound:${MAILU_VERSION:-local} + env_file: mailu.env + restart: always + networks: + default: + ipv4_address: 192.168.203.254 # Webmail diff --git a/tests/compose/fetchmail/docker-compose.yml b/tests/compose/fetchmail/docker-compose.yml index d31479d4..ed296d3e 100644 --- a/tests/compose/fetchmail/docker-compose.yml +++ b/tests/compose/fetchmail/docker-compose.yml @@ -42,6 +42,9 @@ services: - "/mailu/dkim:/dkim" depends_on: - redis + - resolver + dns: + - 192.168.203.254 imap: image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}dovecot:${PINNED_MAILU_VERSION:-local} @@ -81,6 +84,15 @@ services: restart: always env_file: mailu.env + resolver: + image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}unbound:${MAILU_VERSION:-local} + env_file: mailu.env + restart: always + networks: + default: + ipv4_address: 192.168.203.254 + + # Webmail diff --git a/tests/compose/filters/docker-compose.yml b/tests/compose/filters/docker-compose.yml index 381d3683..09d948df 100644 --- a/tests/compose/filters/docker-compose.yml +++ b/tests/compose/filters/docker-compose.yml @@ -40,8 +40,11 @@ services: volumes: - "/mailu/data:/data" - "/mailu/dkim:/dkim" + dns: + - 192.168.203.254 depends_on: - redis + - resolver imap: image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}dovecot:${PINNED_MAILU_VERSION:-local} 
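Review bot: The new resolver service pins its image with `${MAILU_VERSION:-local}` while every other service in this file uses `${PINNED_MAILU_VERSION:-local}`, so in CI the unbound image under test can differ from the pinned build the rest of the stack runs; change it to `image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}unbound:${PINNED_MAILU_VERSION:-local}`. The same mismatch appears in the fetchmail, filters, rainloop, roundcube and webdav test files below. Only the admin service is given `dns: - 192.168.203.254` in these fixtures, while the setup template wires front, imap, webdav and webmail to the resolver as well, so unless those services already point at it outside the hunks the tests do not exercise that path. The hard-coded 192.168.203.254 also presupposes a fixed subnet on the default network, which is defined outside this hunk and should be checked to match.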
@@ -81,7 +84,13 @@ services: volumes: - "/mailu/filter:/data" - + resolver: + image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}unbound:${MAILU_VERSION:-local} + env_file: mailu.env + restart: always + networks: + default: + ipv4_address: 192.168.203.254 # Webmail diff --git a/tests/compose/rainloop/docker-compose.yml b/tests/compose/rainloop/docker-compose.yml index 62d5890f..ca8d70ba 100644 --- a/tests/compose/rainloop/docker-compose.yml +++ b/tests/compose/rainloop/docker-compose.yml @@ -42,6 +42,9 @@ services: - "/mailu/dkim:/dkim" depends_on: - redis + - resolver + dns: + - 192.168.203.254 imap: image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}dovecot:${PINNED_MAILU_VERSION:-local} @@ -75,7 +78,13 @@ services: # Optional services - + resolver: + image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}unbound:${MAILU_VERSION:-local} + env_file: mailu.env + restart: always + networks: + default: + ipv4_address: 192.168.203.254 # Webmail webmail: diff --git a/tests/compose/roundcube/docker-compose.yml b/tests/compose/roundcube/docker-compose.yml index 0bb54e8c..7ac94810 100644 --- a/tests/compose/roundcube/docker-compose.yml +++ b/tests/compose/roundcube/docker-compose.yml @@ -42,6 +42,9 @@ services: - "/mailu/dkim:/dkim" depends_on: - redis + - resolver + dns: + - 192.168.203.254 imap: image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}dovecot:${PINNED_MAILU_VERSION:-local} @@ -75,7 +78,13 @@ services: # Optional services - + resolver: + image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}unbound:${MAILU_VERSION:-local} + env_file: mailu.env + restart: always + networks: + default: + ipv4_address: 192.168.203.254 # Webmail webmail: diff --git a/tests/compose/webdav/docker-compose.yml b/tests/compose/webdav/docker-compose.yml index a597b2d2..7c62c90a 100644 --- a/tests/compose/webdav/docker-compose.yml +++ b/tests/compose/webdav/docker-compose.yml 
@@ -40,8 +40,11 @@ services: volumes: - "/mailu/data:/data" - "/mailu/dkim:/dkim" + dns: + - 192.168.203.254 depends_on: - redis + - resolver imap: image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}dovecot:${PINNED_MAILU_VERSION:-local} @@ -82,6 +85,13 @@ services: volumes: - "/mailu/dav:/data" + resolver: + image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}unbound:${MAILU_VERSION:-local} + env_file: mailu.env + restart: always + networks: + default: + ipv4_address: 192.168.203.254 # Webmail diff --git a/towncrier/newsfragments/2135.bugfix b/towncrier/newsfragments/2135.bugfix new file mode 100644 index 00000000..3062c09f --- /dev/null +++ b/towncrier/newsfragments/2135.bugfix @@ -0,0 +1 @@ +Enable unbound by default. Mailu now requires a DNSSEC validating DNS resolver and experience has shown that this may not be the default everywhere yet.