2144: Enable unbound by default, warn if the DNS resolver doesn't work r=mergify[bot] a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

Enable unbound by default, warn if the DNS resolver doesn't work

### Related issue(s)
- close #2135

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry is not applicable, you can check it or remove it from the list.

- [ ] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Co-authored-by: Florent Daigniere <nextgens@users.noreply.github.com>
bors[bot] 3 years ago committed by GitHub
commit 1e53530164
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -18,6 +18,34 @@ if account is not None and domain is not None and password is not None:
log.info("Creating initial admin accout %s@%s with mode %s",account,domain,mode)
os.system("flask mailu admin %s %s '%s' --mode %s" % (account, domain, password, mode))
def test_DNS():
import dns.resolver
import dns.exception
import dns.flags
import dns.rdtypes
import dns.rdatatype
import dns.rdataclass
import time
# DNS stub configured to do DNSSEC enabled queries
resolver = dns.resolver.Resolver()
resolver.use_edns(0, 0, 1232)
resolver.flags = dns.flags.AD | dns.flags.RD
nameservers = resolver.nameservers
for ns in nameservers:
resolver.nameservers=[ns]
while True:
try:
result = resolver.query('example.org', dns.rdatatype.A, dns.rdataclass.IN, lifetime=10)
except Exception as e:
log.critical("Your DNS resolver at %s is not working (%s). Please use another resolver or enable unbound via https://setup.mailu.io.", ns, e);
else:
if result.response.flags & dns.flags.AD:
break
log.critical("Your DNS resolver at %s isn't doing DNSSEC validation; Please use another resolver or enable unbound via https://setup.mailu.io.", ns)
time.sleep(5)
test_DNS()
start_command="".join([
"gunicorn --threads ", str(os.cpu_count()),
" -b :80 ",
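Review bot: The retry loop in `test_DNS()` has no exit other than a response carrying the AD flag, so a resolver that errors or does not validate keeps this script in `log.critical` + `time.sleep(5)` forever and the gunicorn command below is never reached; that is a hard startup block, not the warning the commit title describes (indentation is lost on this page, so the loop nesting is inferred). If blocking is intended, say so above the loop, e.g. `# Deliberately block startup until every configured resolver returns AD (DNSSEC-validated) answers`. The AD bit is only the resolver's own claim and is not authenticated on the wire, so the check is meaningful only when the path to the resolver is trusted, as with the bundled unbound container; a second comment noting that would keep operators from reading a pass as proof for a remote resolver. Minor: `dns.exception` and `dns.rdtypes` are imported but not used in the visible lines, and `resolver.query` is deprecated in dnspython 2.x in favour of `resolve`.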

@ -13,6 +13,12 @@ services:
restart: always
volumes:
- "{{ root }}/redis:/data"
{% if resolver_enabled %}
depends_on:
- resolver
dns:
- {{ dns }}
{% endif %}
# Core services
front:
@ -33,8 +39,12 @@ services:
volumes:
- "{{ root }}/certs:/certs"
- "{{ root }}/overrides/nginx:/overrides:ro"
{% if resolver_enabled %}
depends_on:
- resolver
dns:
- {{ dns }}
{% if resolver_enabled %}
resolver:
image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}unbound:${MAILU_VERSION:-{{ version }}}
env_file: {{ env }}
@ -42,7 +52,7 @@ services:
networks:
default:
ipv4_address: {{ dns }}
{% endif %}
{% endif %}
admin:
image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}admin:${MAILU_VERSION:-{{ version }}}
@ -57,6 +67,11 @@ services:
- "{{ root }}/dkim:/dkim"
depends_on:
- redis
{% if resolver_enabled %}
- resolver
dns:
- {{ dns }}
{% endif %}
imap:
image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}dovecot:${MAILU_VERSION:-{{ version }}}
@ -67,6 +82,11 @@ services:
- "{{ root }}/overrides/dovecot:/overrides:ro"
depends_on:
- front
{% if resolver_enabled %}
- resolver
dns:
- {{ dns }}
{% endif %}
smtp:
image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}postfix:${MAILU_VERSION:-{{ version }}}
@ -122,6 +142,12 @@ services:
env_file: {{ env }}
volumes:
- "{{ root }}/dav:/data"
{% if resolver_enabled %}
depends_on:
- resolver
dns:
- {{ dns }}
{% endif %}
{% endif %}
{% if fetchmail_enabled %}
@ -150,6 +176,11 @@ services:
- "{{ root }}/overrides/{{ webmail_type }}:/overrides:ro"
depends_on:
- imap
{% if resolver_enabled %}
- resolver
dns:
- {{ dns }}
{% endif %}
{% endif %}
networks:
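Review bot: `depends_on: - resolver` in the blocks added here only orders container start; it does not wait until unbound answers, so the services that now get `dns: - {{ dns }}` may issue lookups before the resolver is ready, and only admin has a startup probe (test_DNS in the first file of this commit). The same pattern is repeated in every hunk of this template and in the test compose files further down with `192.168.203.254`. Since `dns:` leaves these containers with a single resolver and no fallback, which is presumably the intended fail-closed behaviour for DNSSEC, a template comment would make that explicit, e.g. `# all lookups go through the validating resolver; no fallback by design`. The rendered hunk around the `resolver:` service shows `{% if resolver_enabled %}` twice with no `{% endif %}` between them; that is probably an artefact of this page, but it is worth confirming the generated file closes the first block.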

@ -40,10 +40,10 @@ avoid generic all-interfaces addresses like <code>0.0.0.0</code> or <code>::</co
<input class="form-control" type="text" name="subnet6" required value="{{ subnet6 }}:beef::/64">
</div>
<p>The unbound resolver enables Mailu to do DNSsec verification, DNS root lookups and caching. This also helps the antispam service not to get blocked by the public or ISP DNS servers.</p>
<p>The unbound resolver enables Mailu to do DNSSEC verification, DNS root lookups and caching. This also helps the antispam service not to get blocked by the public or ISP DNS servers.</p>
<div class="form-check form-check-inline">
<label class="form-check-label">
<input class="form-check-input" type="checkbox" name="resolver_enabled" value="true">
<input class="form-check-input" type="checkbox" name="resolver_enabled" value="true" checked>
Enable unbound resolver
</label>
</div>

@ -40,8 +40,11 @@ services:
volumes:
- "/mailu/data:/data"
- "/mailu/dkim:/dkim"
dns:
- 192.168.203.254
depends_on:
- redis
- resolver
imap:
image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}dovecot:${PINNED_MAILU_VERSION:-local}
@ -75,7 +78,13 @@ services:
# Optional services
resolver:
image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}unbound:${MAILU_VERSION:-local}
env_file: mailu.env
restart: always
networks:
default:
ipv4_address: 192.168.203.254
# Webmail

@ -42,6 +42,9 @@ services:
- "/mailu/dkim:/dkim"
depends_on:
- redis
- resolver
dns:
- 192.168.203.254
imap:
image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}dovecot:${PINNED_MAILU_VERSION:-local}
@ -81,6 +84,15 @@ services:
restart: always
env_file: mailu.env
resolver:
image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}unbound:${MAILU_VERSION:-local}
env_file: mailu.env
restart: always
networks:
default:
ipv4_address: 192.168.203.254
# Webmail

@ -40,8 +40,11 @@ services:
volumes:
- "/mailu/data:/data"
- "/mailu/dkim:/dkim"
dns:
- 192.168.203.254
depends_on:
- redis
- resolver
imap:
image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}dovecot:${PINNED_MAILU_VERSION:-local}
@ -81,7 +84,13 @@ services:
volumes:
- "/mailu/filter:/data"
resolver:
image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}unbound:${MAILU_VERSION:-local}
env_file: mailu.env
restart: always
networks:
default:
ipv4_address: 192.168.203.254
# Webmail

@ -42,6 +42,9 @@ services:
- "/mailu/dkim:/dkim"
depends_on:
- redis
- resolver
dns:
- 192.168.203.254
imap:
image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}dovecot:${PINNED_MAILU_VERSION:-local}
@ -75,7 +78,13 @@ services:
# Optional services
resolver:
image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}unbound:${MAILU_VERSION:-local}
env_file: mailu.env
restart: always
networks:
default:
ipv4_address: 192.168.203.254
# Webmail
webmail:

@ -42,6 +42,9 @@ services:
- "/mailu/dkim:/dkim"
depends_on:
- redis
- resolver
dns:
- 192.168.203.254
imap:
image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}dovecot:${PINNED_MAILU_VERSION:-local}
@ -75,7 +78,13 @@ services:
# Optional services
resolver:
image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}unbound:${MAILU_VERSION:-local}
env_file: mailu.env
restart: always
networks:
default:
ipv4_address: 192.168.203.254
# Webmail
webmail:

@ -40,8 +40,11 @@ services:
volumes:
- "/mailu/data:/data"
- "/mailu/dkim:/dkim"
dns:
- 192.168.203.254
depends_on:
- redis
- resolver
imap:
image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}dovecot:${PINNED_MAILU_VERSION:-local}
@ -82,6 +85,13 @@ services:
volumes:
- "/mailu/dav:/data"
resolver:
image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}unbound:${MAILU_VERSION:-local}
env_file: mailu.env
restart: always
networks:
default:
ipv4_address: 192.168.203.254
# Webmail

@ -0,0 +1 @@
Enable unbound by default. Mailu now requires a DNSSEC validating DNS resolver and experience has shown that this may not be the default everywhere yet.