Merge branch 'master' into test-alpine-3.12

core/admin/mailu/utils.py

@@ -40,7 +40,7 @@ class PrefixMiddleware(object):
         return self.app(environ, start_response)
 
     def init_app(self, app):
-        self.app = fixers.ProxyFix(app.wsgi_app)
+        self.app = fixers.ProxyFix(app.wsgi_app, x_for=1, x_proto=1)
         app.wsgi_app = self
 
 proxy = PrefixMiddleware()

core/dovecot/conf/dovecot.conf

@@ -21,7 +21,10 @@ mail_access_groups = mail
 maildir_stat_dirs = yes
 mailbox_list_index = yes
 mail_vsize_bg_after_count = 100
-mail_plugins = $mail_plugins quota quota_clone zlib fts fts_xapian
+mail_plugins = $mail_plugins quota quota_clone zlib{{ ' ' }}
+  {%- if (FULL_TEXT_SEARCH or '').lower() not in ['off', 'false', '0'] -%}
+  fts fts_xapian
+  {%- endif %}
 default_vsz_limit = 2GB
 
 namespace inbox {
@@ -39,11 +42,13 @@ plugin {
   quota_vsizes = yes
   quota_clone_dict = proxy:/tmp/podop.socket:quota
 
+  {% if (FULL_TEXT_SEARCH or '').lower() not in ['off', 'false', '0'] %}
   fts = xapian
   fts_xapian = partial=2 full=30
   fts_autoindex = yes
   fts_enforced = yes
   fts_autoindex_exclude = \Trash
+  {% endif %}
 
   {% if COMPRESSION in [ 'gz', 'bz2' ] %}
   zlib_save = {{ COMPRESSION }}

core/dovecot/start.py

@@ -21,13 +21,9 @@ def start_podop():
     ])
 
 # Actual startup script
-
 os.environ["FRONT_ADDRESS"] = system.get_host_address_from_environment("FRONT", "front")
-os.environ["REDIS_ADDRESS"] = system.get_host_address_from_environment("REDIS", "redis")
 os.environ["ADMIN_ADDRESS"] = system.get_host_address_from_environment("ADMIN", "admin")
 os.environ["ANTISPAM_WEBUI_ADDRESS"] = system.get_host_address_from_environment("ANTISPAM_WEBUI", "antispam:11334")
-if os.environ["WEBMAIL"] != "none":
-    os.environ["WEBMAIL_ADDRESS"] = system.get_host_address_from_environment("WEBMAIL", "webmail")
 
 for dovecot_file in glob.glob("/conf/*.conf"):
     conf.jinja(dovecot_file, os.environ, os.path.join("/etc/dovecot", os.path.basename(dovecot_file)))

core/postfix/conf/main.cf

@@ -52,9 +52,10 @@ tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:
 tls_preempt_cipherlist = yes
 tls_ssl_options = NO_COMPRESSION
 
-# Outgoing TLS is more flexible because 1. not all receiving servers will
+# By default, outgoing TLS is more flexible because
-# support TLS, 2. not all will have and up-to-date TLS stack.
+# 1. not all receiving servers will support TLS,
-smtp_tls_security_level = may
+# 2. not all will have and up-to-date TLS stack.
+smtp_tls_security_level = {{ OUTBOUND_TLS_LEVEL|default('may') }}
 smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
 smtp_tls_protocols =!SSLv2,!SSLv3
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

docs/compose/.env

@@ -102,6 +102,9 @@ COMPRESSION=
 # change compression-level, default: 6 (value: 1-9)
 COMPRESSION_LEVEL=
 
+# IMAP full-text search is enabled by default. Set the following variable to off in order to disable the feature.
+# FULL_TEXT_SEARCH=off
+
 ###################################
 # Web settings
 ###################################

docs/compose/docker-compose.yml

@@ -31,7 +31,7 @@ services:
     - "$BIND_ADDRESS6:587:587"
     volumes:
       - "$ROOT/certs:/certs"
-      - "$ROOT/overrides/nginx:/overrides"
+      - "$ROOT/overrides/nginx:/overrides:ro"
 
   redis:
     image: redis:alpine
@@ -45,7 +45,7 @@ services:
     env_file: .env
     volumes:
       - "$ROOT/mail:/mail"
-      - "$ROOT/overrides:/overrides"
+      - "$ROOT/overrides/dovecot:/overrides:ro"
     depends_on:
       - front
 
@@ -54,7 +54,8 @@ services:
     restart: always
     env_file: .env
     volumes:
-      - "$ROOT/overrides:/overrides"
+      - "$ROOT/mailqueue:/queue"
+      - "$ROOT/overrides/postfix:/overrides:ro"
     depends_on:
       - front
 
@@ -64,8 +65,8 @@ services:
     env_file: .env
     volumes:
       - "$ROOT/filter:/var/lib/rspamd"
-      - "$ROOT/dkim:/dkim"
+      - "$ROOT/dkim:/dkim:ro"
-      - "$ROOT/overrides/rspamd:/etc/rspamd/override.d"
+      - "$ROOT/overrides/rspamd:/etc/rspamd/override.d:ro"
     depends_on:
       - front
 

docs/configuration.rst

@@ -69,6 +69,10 @@ The ``RELAYHOST`` is an optional address of a mail server relaying all outgoing
 mail in following format: ``[HOST]:PORT``.
 ``RELAYUSER`` and ``RELAYPASSWORD`` can be used when authentication is needed.
 
+By default postfix uses "opportunistic TLS" for outbound mail. This can be changed
+by setting ``OUTBOUND_TLS_LEVEL`` to ``encrypt``. This setting is highly recommended
+if you are a relayhost that supports TLS.
+
 The ``FETCHMAIL_DELAY`` is a delay (in seconds) for the fetchmail service to
 go and fetch new email if available. Do not use too short delays if you do not
 want to be blacklisted by external services, but not too long delays if you
@@ -83,6 +87,9 @@ later classify incoming mail based on the custom part.
 The ``DMARC_RUA`` and ``DMARC_RUF`` are DMARC protocol specific values. They hold
 the localpart for DMARC rua and ruf email addresses.
 
+Full-text search is enabled for IMAP is enabled by default. This feature can be disabled
+(e.g. for performance reasons) by setting the optional variable ``FULL_TEXT_SEARCH`` to ``off``.
+
 Web settings
 ------------
 

optional/radicale/Dockerfile

@@ -8,13 +8,14 @@ RUN apk add --no-cache \
 
 # Image specific layers under this line
 RUN apk add --no-cache curl \
- && pip3 install radicale==2.1.12
+ && pip3 install radicale~=3.0
+
 
 COPY radicale.conf /radicale.conf
 
 EXPOSE 5232/tcp
 VOLUME ["/data"]
 
-CMD radicale -f -S -C /radicale.conf
+CMD radicale -S -C /radicale.conf
 
 HEALTHCHECK CMD curl -f -L http://localhost:5232/ || exit 1

optional/radicale/radicale.conf

@@ -1,15 +1,13 @@
 [server]
 hosts = 0.0.0.0:5232, [::]:5232
-daemon = False
 ssl = False
-dns_lookup = False
-realm = Radicale - Password Required
 
 [encoding]
 request = utf-8
 stock = utf-8
 
 [auth]
+realm = Radicale - Password Required
 type = http_x_remote_user
 
 [rights]

setup/flavors/compose/mailu.env

@@ -76,8 +76,8 @@ FETCHMAIL_DELAY={{ fetchmail_delay or '600' }}
 RECIPIENT_DELIMITER={{ recipient_delimiter or '+' }}
 
 # DMARC rua and ruf email
-DMARC_RUA={{ dmarc_rua or 'admin' }}
+DMARC_RUA={{ dmarc_rua or postmaster }}
-DMARC_RUF={{ dmarc_ruf or 'admin' }}
+DMARC_RUF={{ dmarc_ruf or postmaster }}
 
 # Welcome email, enable and set a topic and body if you wish to send welcome
 # emails to all users.
@@ -91,6 +91,9 @@ COMPRESSION={{ compression }}
 # change compression-level, default: 6 (value: 1-9)
 COMPRESSION_LEVEL={{ compression_level }}
 
+# IMAP full-text search is enabled by default. Set the following variable to off in order to disable the feature.
+# FULL_TEXT_SEARCH=off
+
 ###################################
 # Web settings
 ###################################

setup/flavors/stack/docker-compose.yml

@@ -27,7 +27,7 @@ services:
     {% endfor %}
     volumes:
       - "{{ root }}/certs:/certs"
-      - "{{ root }}/overrides/nginx:/overrides"
+      - "{{ root }}/overrides/nginx:/overrides:ro"
     deploy:
       replicas: {{ front_replicas }}
 
@@ -43,34 +43,42 @@ services:
       - "{{ root }}/dkim:/dkim"
     deploy:
       replicas: {{ admin_replicas }}
+    healthcheck:
+      disable: true
 
   imap:
     image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}dovecot:${MAILU_VERSION:-{{ version }}}
     env_file: {{ env }}
     volumes:
       - "{{ root }}/mail:/mail"
-      - "{{ root }}/overrides:/overrides"
+      - "{{ root }}/overrides/dovecot:/overrides:ro"
     deploy:
       replicas: {{ imap_replicas }}
+    healthcheck:
+      disable: true
 
   smtp:
     image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}postfix:${MAILU_VERSION:-{{ version }}}
     env_file: {{ env }}
     volumes:
       - "{{ root }}/mailqueue:/queue"
-      - "{{ root }}/overrides:/overrides"
+      - "{{ root }}/overrides/postfix:/overrides:ro"
     deploy:
       replicas: {{ smtp_replicas }}
+    healthcheck:
+      disable: true
 
   antispam:
     image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}rspamd:${MAILU_VERSION:-{{ version }}}
     env_file: {{ env }}
     volumes:
       - "{{ root }}/filter:/var/lib/rspamd"
-      - "{{ root }}/dkim:/dkim"
+      - "{{ root }}/dkim:/dkim:ro"
-      - "{{ root }}/overrides/rspamd:/etc/rspamd/override.d"
+      - "{{ root }}/overrides/rspamd:/etc/rspamd/override.d:ro"
     deploy:
       replicas: 1
+    healthcheck:
+      disable: true
 
   # Optional services
   {% if antivirus_enabled %}
@@ -81,6 +89,8 @@ services:
       - "{{ root }}/filter:/data"
     deploy:
       replicas: 1
+    healthcheck:
+      disable: true
   {% endif %}
 
   {% if webdav_enabled %}
@@ -91,6 +101,8 @@ services:
       - "{{ root }}/dav:/data"
     deploy:
       replicas: 1
+    healthcheck:
+      disable: true
   {% endif %}
 
   {% if fetchmail_enabled %}
@@ -101,6 +113,8 @@ services:
       - "{{ root }}/data:/data"
     deploy:
       replicas: 1
+    healthcheck:
+      disable: true
   {% endif %}
 
   {% if webmail_type != 'none' %}
@@ -111,6 +125,8 @@ services:
       - "{{ root }}/webmail:/data"
     deploy:
       replicas: 1
+    healthcheck:
+      disable: true
   {% endif %}
 
   {% if db_flavor == 'postgresql' and postgresql == 'internal' %}
@@ -119,6 +135,8 @@ services:
     env_file: {{ env }}
     volumes:
       - "{{ root }}/data/psql_backup:/backup"
+    healthcheck:
+      disable: true
   {% endif %}
 
 networks:

setup/flavors/stack/setup.html

@@ -4,7 +4,7 @@
 <p>Docker Stack expects a project file, named <code>docker-compose.yml</code>
 in a project directory. First create your project directory.</p>
 
-<pre><code>mkdir -p /{{ root }}/{redis,certs,data,dkim,mail,overrides/rspamd,overrides/nginx,filter,dav,webmail}
+<pre><code>mkdir -p {{ root }}/{redis,certs,data,dkim,mail,mailqueue,overrides/rspamd,overrides/postfix,overrides/dovecot,overrides/nginx,filter,dav,webmail}
 </pre></code>
 
 <p>Then download the project file. A side configuration file makes it easier

setup/templates/steps/compose/03_expose.html

@@ -52,7 +52,9 @@ avoid generic all-interfaces addresses like <code>0.0.0.0</code> or <code>::</co
 hostnames. Every e-mail domain that points to this server must have one of the
 hostnames in its <code>MX</code> record. Hostnames must be comma-separated. If you're having
 trouble accessing your admin interface, make sure it is the first entry here (and possibly the
-same as your <code>DOMAIN</code> entry from earlier.</p>
+same as your <code>DOMAIN</code> entry from earlier). Also make sure that the first entry in
+this list resolves to the IP address of your server, and that the reverse DNS entry for
+the IP address of your server resolves to this first entry in this list.</p>
 
 <div class="form-group">
   <label>Public hostnames</label>

setup/templates/steps/stack/04_replicas.html

@@ -22,7 +22,7 @@
 <div class="form-group">
   <input class="form-control" type="number" name=smtp_replicas min="1" required value="1"
   		style="width: 6%; display: inline;">
-  <label>SMPT</label>
+  <label>SMTP</label>
 </div>
 
 {% endcall %}

towncrier/1478.feature

@@ -0,0 +1 @@
+Allow to enforce TLS for outbound mail by setting OUTBOUND_TLS_LEVEL=encrypt for postfix.

towncrier/newsfragments/1289.bugfix

@@ -0,0 +1 @@
+Disable Health checks on swarm mode

towncrier/newsfragments/1463.bugfix

@@ -0,0 +1 @@
+Defining POSTMASTER through setup tool apply also to DMARC_RUA and DMARC_RUF settings

towncrier/newsfragments/1512.misc

@@ -0,0 +1 @@
+Use Radicale 3.x for webdav service

towncrier/newsfragments/1538.feature

@@ -0,0 +1 @@
+Introduce option to disable dovecot full-text-search by an enviroment variable. 

webmails/roundcube/Dockerfile

@@ -16,7 +16,7 @@ RUN apt-get update && apt-get install -y \
 # Shared layer between nginx, dovecot, postfix, postgresql, rspamd, unbound, rainloop, roundcube
 RUN pip3 install socrate
 
-ENV ROUNDCUBE_URL https://github.com/roundcube/roundcubemail/releases/download/1.4.3/roundcubemail-1.4.3-complete.tar.gz
+ENV ROUNDCUBE_URL https://github.com/roundcube/roundcubemail/releases/download/1.4.6/roundcubemail-1.4.6-complete.tar.gz
 
 ENV CARDDAV_URL https://github.com/blind-coder/rcmcarddav/releases/download/v3.0.3/carddav-3.0.3.tar.bz2