From c8b39c5d4a4eb30b59a88342b4b428cb0f02c426 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20S=C3=A4nger?= Date: Wed, 10 Oct 2018 19:29:23 +0200 Subject: [PATCH 1/9] support bcrypt and use it as default --- core/admin/mailu/__init__.py | 2 +- core/admin/mailu/models.py | 3 ++- core/admin/requirements-prod.txt | 1 + core/admin/requirements.txt | 1 + docs/compose/.env | 4 ++-- 5 files changed, 7 insertions(+), 4 deletions(-) diff --git a/core/admin/mailu/__init__.py b/core/admin/mailu/__init__.py index d77420e6..167f04ae 100644 --- a/core/admin/mailu/__init__.py +++ b/core/admin/mailu/__init__.py @@ -57,7 +57,7 @@ default_config = { 'RECAPTCHA_PUBLIC_KEY': '', 'RECAPTCHA_PRIVATE_KEY': '', # Advanced settings - 'PASSWORD_SCHEME': 'SHA512-CRYPT', + 'PASSWORD_SCHEME': 'BLF-CRYPT', # Host settings 'HOST_IMAP': 'imap', 'HOST_POP3': 'imap', diff --git a/core/admin/mailu/models.py b/core/admin/mailu/models.py index 1bcc4e9f..0c80fd4f 100644 --- a/core/admin/mailu/models.py +++ b/core/admin/mailu/models.py @@ -276,7 +276,8 @@ class User(Base, Email): else: return self.email - scheme_dict = {'SHA512-CRYPT': "sha512_crypt", + scheme_dict = {'BLF-CRYPT': "bcrypt", + 'SHA512-CRYPT': "sha512_crypt", 'SHA256-CRYPT': "sha256_crypt", 'MD5-CRYPT': "md5_crypt", 'CRYPT': "des_crypt"} diff --git a/core/admin/requirements-prod.txt b/core/admin/requirements-prod.txt index 94c28177..e321a4d6 100644 --- a/core/admin/requirements-prod.txt +++ b/core/admin/requirements-prod.txt @@ -1,6 +1,7 @@ alembic==0.9.9 asn1crypto==0.24.0 Babel==2.5.3 +bcrypt==3.1.4 blinker==1.4 certifi==2018.4.16 cffi==1.11.5 diff --git a/core/admin/requirements.txt b/core/admin/requirements.txt index a40e6eb5..d6e7adb1 100644 --- a/core/admin/requirements.txt +++ b/core/admin/requirements.txt @@ -17,3 +17,4 @@ tabulate PyYAML PyOpenSSL dnspython +bcrypt diff --git a/docs/compose/.env b/docs/compose/.env index 721aaf22..cdb48310 100644 --- a/docs/compose/.env +++ b/docs/compose/.env 
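Review bot: The new `'BLF-CRYPT': "bcrypt"` entry in `scheme_dict` brings in bcrypt's 72-byte input limit, and passlib's bcrypt handler truncates longer passwords silently unless the context is created with `truncate_error=True`; the code that builds the passlib context from `scheme_dict` is outside this hunk, so at minimum add a comment on the new entry such as `# bcrypt hashes only the first 72 bytes; passlib truncates longer passwords silently unless truncate_error=True is set on the context`. Recent passlib versions emit `$2b$`-prefixed bcrypt hashes by default; if the stored hash is also verified by another component (presumably Dovecot via crypt(), which is not visible here), confirm that component accepts the `$2b$` identifier on the target image before this becomes the default scheme. Existing `SHA512-CRYPT` hashes keep verifying only as long as the context still lists the old schemes, which the retained entries suggest, so that path should be tested with an account created before the upgrade.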
@@ -124,8 +124,8 @@ WEBSITE=https://mailu.io COMPOSE_PROJECT_NAME=mailu # Default password scheme used for newly created accounts and changed passwords -# (value: SHA512-CRYPT, SHA256-CRYPT, MD5-CRYPT, CRYPT) -PASSWORD_SCHEME=SHA512-CRYPT +# (value: BLF-CRYPT, SHA512-CRYPT, SHA256-CRYPT, MD5-CRYPT, CRYPT) +PASSWORD_SCHEME=BLF-CRYPT # Header to take the real ip from REAL_IP_HEADER= From 6aafef88bdc2bae1954d7c7baa9566e2f3807da4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20S=C3=A4nger?= Date: Thu, 11 Oct 2018 02:57:13 +0200 Subject: [PATCH 2/9] remove apk-warning about cache --- core/admin/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/admin/Dockerfile b/core/admin/Dockerfile index 08de0e88..2e637206 100644 --- a/core/admin/Dockerfile +++ b/core/admin/Dockerfile @@ -7,7 +7,7 @@ COPY requirements-prod.txt requirements.txt RUN apk add --no-cache openssl \ && apk add --no-cache --virtual build-dep openssl-dev libffi-dev python-dev build-base \ && pip install -r requirements.txt \ - && apk del build-dep + && apk del --no-cache build-dep COPY mailu ./mailu COPY migrations ./migrations From f2259c3302ccafe17dc9e8f39ce177ffd19a2b18 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20S=C3=A4nger?= Date: Thu, 11 Oct 2018 03:18:35 +0200 Subject: [PATCH 3/9] reduce webmail image-layers/sizes --- webmails/rainloop/Dockerfile | 13 +++++++------ webmails/roundcube/Dockerfile | 15 +++++++-------- 2 files changed, 14 insertions(+), 14 deletions(-) diff --git a/webmails/rainloop/Dockerfile b/webmails/rainloop/Dockerfile index 2da4e672..889c8486 100644 --- a/webmails/rainloop/Dockerfile +++ b/webmails/rainloop/Dockerfile 
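Review bot: The rewritten comment still lists `MD5-CRYPT` and `CRYPT` as ordinary choices for `PASSWORD_SCHEME` next to the new `BLF-CRYPT` default; DES `CRYPT` uses only the first 8 characters of the password and `MD5-CRYPT` is far too fast on modern hardware, so an operator reading this line gets no hint that two of the five options are unsafe. Suggest `# (value: BLF-CRYPT, SHA512-CRYPT, SHA256-CRYPT; MD5-CRYPT and CRYPT are legacy, only for compatibility with existing hashes)`.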
@@ -1,20 +1,21 @@ FROM php:7.2-apache -RUN apt-get update && apt-get install -y \ - unzip python3 python3-jinja2 - ENV RAINLOOP_URL https://github.com/RainLoop/rainloop-webmail/releases/download/v1.12.1/rainloop-community-1.12.1.zip -RUN rm -rf /var/www/html/ \ +RUN apt-get update && apt-get install -y \ + unzip python3 python3-jinja2 \ + && rm -rf /var/www/html/ \ && mkdir /var/www/html \ && cd /var/www/html \ && curl -L -O ${RAINLOOP_URL} \ - && unzip *.zip \ + && unzip -q *.zip \ && rm -f *.zip \ && rm -rf data/ \ && find . -type d -exec chmod 755 {} \; \ && find . -type f -exec chmod 644 {} \; \ - && chown -R www-data: * + && chown -R www-data: * \ + && apt-get purge -y unzip \ + && rm -rf /var/lib/apt/lists COPY include.php /var/www/html/include.php COPY php.ini /usr/local/etc/php/conf.d/rainloop.ini diff --git a/webmails/roundcube/Dockerfile b/webmails/roundcube/Dockerfile index ad198236..50a58a4f 100644 --- a/webmails/roundcube/Dockerfile +++ b/webmails/roundcube/Dockerfile @@ -1,14 +1,12 @@ FROM php:7.2-apache -RUN apt-get update && apt-get install -y \ - zlib1g-dev \ - && docker-php-ext-install zip - ENV ROUNDCUBE_URL https://github.com/roundcube/roundcubemail/releases/download/1.3.7/roundcubemail-1.3.7-complete.tar.gz -RUN echo date.timezone=UTC > /usr/local/etc/php/conf.d/timezone.ini - -RUN rm -rf /var/www/html/ \ +RUN apt-get update && apt-get install -y \ + zlib1g-dev \ + && docker-php-ext-install zip \ + && echo date.timezone=UTC > /usr/local/etc/php/conf.d/timezone.ini \ + && rm -rf /var/www/html/ \ && cd /var/www \ && curl -L -O ${ROUNDCUBE_URL} \ && tar -xf *.tar.gz \ @@ -17,7 +15,8 @@ RUN rm -rf /var/www/html/ \ && cd html \ && rm -rf CHANGELOG INSTALL LICENSE README.md UPGRADING composer.json-dist installer \ && sed -i 's,mod_php5.c,mod_php7.c,g' .htaccess \ - && chown -R www-data: logs temp + && chown -R www-data: logs temp \ + && rm -rf /var/lib/apt/lists COPY php.ini /usr/local/etc/php/conf.d/roundcube.ini 
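Review bot: The merged RUN chain still installs whatever `curl -L -O ${RAINLOOP_URL}` returns, with no digest check before `unzip -q *.zip`, so a substituted or tampered release archive becomes the webmail code base unnoticed; since the URL is already pinned to v1.12.1, pin the archive's SHA-256 from the release page in an `ENV RAINLOOP_SHA256` and add `&& echo "${RAINLOOP_SHA256}  rainloop-community-1.12.1.zip" | sha256sum -c - \` ahead of the unzip step. Passing `-f` to curl would also fail the build on an HTTP error page instead of leaving it to unzip to stumble over HTML. The `apt-get purge -y unzip` is a good addition; `python3 python3-jinja2` remain installed, which is fine if a start script not visible here needs them at runtime, otherwise they belong in the same purge.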
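Review bot: As in the RainLoop Dockerfile in this patch, `curl -L -O ${ROUNDCUBE_URL}` followed by `tar -xf *.tar.gz` extracts an unverified download into `/var/www`; pin the release tarball's SHA-256 in an `ENV ROUNDCUBE_SHA256` and check it with `&& echo "${ROUNDCUBE_SHA256}  roundcubemail-1.3.7-complete.tar.gz" | sha256sum -c - \` before the `tar` step. The chain also leaves its build dependency behind: `zlib1g-dev` is only needed while `docker-php-ext-install zip` compiles, so an `apt-get purge -y zlib1g-dev` (keeping the `zlib1g` runtime library) before `rm -rf /var/lib/apt/lists` would mirror the `unzip` purge in the RainLoop image and shrink the layer. The second hunk's `chown -R www-data: logs temp` is appropriately narrow and should stay that way rather than widening to the whole tree.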
From 77e3fc0ebcd7ac4970e8b05f5e8fa9cd5d97992c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tim=20M=C3=B6hlmann?= Date: Thu, 11 Oct 2018 18:14:37 +0300 Subject: [PATCH 4/9] Some documentation flow refactoring and updates: - Improve advice on IP binding; Follow up on issue #641 - mailradar is dead. Found mxtoolbox instead - Fix some internal linking --- docs/compose/setup.rst | 57 ++++++++++++++++++++++++++++++------------ docs/configuration.rst | 10 +++++++- docs/dns.rst | 2 ++ docs/setup.rst | 7 +++--- 4 files changed, 55 insertions(+), 21 deletions(-) diff --git a/docs/compose/setup.rst b/docs/compose/setup.rst index 8759e2f1..d4fb8014 100644 --- a/docs/compose/setup.rst +++ b/docs/compose/setup.rst 
@@ -26,35 +26,60 @@ for the ``VERSION_TAG`` branch, use: wget https://mailu.io/VERSION_TAG/_downloads/docker-compose.yml wget https://mailu.io/VERSION_TAG/_downloads/.env -Then open the ``.env`` file to setup the mail server. Modify the ``ROOT`` setting -to match your setup directory if different from ``/mailu``. +Important configuration variables +--------------------------------- -Modify the ``VERSION`` configuration in the ``.env`` file to reflect the version you picked. +Open the ``.env`` file and review the following variable settings: -Set the common configuration values ------------------------------------ +- Change ``ROOT`` if you have your setup directory in a different location then ``/mailu``. +- Check ``VERSION`` to reflect the version you picked. (``master`` or ``1.5``). -Open the ``.env`` file and set configuration settings after reading the configuration -documentation. Some settings are specific to the Docker Compose setup. +Make sure to read the comments in the file and instructions from the :ref:`common_cfg` section. -Modify ``BIND_ADDRESS4`` to match the public IP address assigned to your server. -This address should be configured on one of the network interfaces of the server. -If the address is not configured directly (NAT) on any of the network interfaces or if -you would simply like the server to listen on all interfaces, use ``0.0.0.0``. - -Modify ``BIND_ADDRESS6`` to match the public IPv6 address assigned to your server. -The behavior is identical to ``BIND_ADDRESS4``. +TLS certificates +```````````````` Set the ``TLS_FLAVOR`` to one of the following values: - ``cert`` is the default and requires certificates to be setup manually; -- ``letsencrypt`` will use the Letsencrypt! 
CA to generate automatic ceriticates; +- ``letsencrypt`` will use the *Letsencrypt!* CA to generate automatic ceriticates; - ``mail`` is similar to ``cert`` except that TLS will only be served for emails (IMAP and SMTP), not HTTP (use it behind reverse proxies); - ``mail-letsencrypt`` is similar to ``letsencrypt`` except that TLS will only be served for emails (IMAP and SMTP), not HTTP (use it behind reverse proxies); -- ``notls`` will disable TLS, this is not recommended except for testing. +- ``notls`` will disable TLS, this is not recommended except for testing + +.. note:: + + When using *Letsencrypt!* you have to make sure that the DNS ``A`` and ``AAAA`` records for the + all hostnames mentioned in the ``HOSTNAMES`` variable match with the ip adresses of you server. + Or else certificate generation will fail! See also: :ref:`dns_setup`. + +Bind address +```````````` + +Modify ``BIND_ADDRESS4`` and ``BIND_ADDRESS6`` to match the public IP addresses assigned to your server. For IPv6 you will need the ```` scope address. + +You can find those addresses by running the following: + +.. code-block:: bash + + [root@mailu ~]$ ifconfig eth0 + eth0: flags=4163 mtu 1500 + inet 125.189.138.127 netmask 255.255.255.0 broadcast 5.189.138.255 + inet6 fd21:aab2:717c:cc5a::1 prefixlen 64 scopeid 0x0 + inet6 fe2f:2a73:43a8:7a1b::1 prefixlen 64 scopeid 0x20 + ether 00:50:56:3c:b2:23 txqueuelen 1000 (Ethernet) + RX packets 174866612 bytes 127773819607 (118.9 GiB) + RX errors 0 dropped 0 overruns 0 frame 0 + TX packets 19905110 bytes 2191519656 (2.0 GiB) + TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 + +If the address is not configured directly (NAT) on any of the network interfaces or if +you would simply like the server to listen on all interfaces, use ``0.0.0.0`` and ``::``. Note that running is this mode is not supported and can lead to `issues`_. + +.. _issues: https://github.com/Mailu/Mailu/issues/641 Enable optional features ------------------------ 
diff --git a/docs/configuration.rst b/docs/configuration.rst index 62b6f34e..cab30072 100644 --- a/docs/configuration.rst +++ b/docs/configuration.rst @@ -1,12 +1,20 @@ Mailu configuration settings ============================ +.. _common_cfg: + Common configuration -------------------- The ``SECRET_KEY`` **must** be changed for every setup and set to a 16 bytes randomly generated value. It is intended to secure authentication cookies -among other critical uses. +among other critical uses. This can be generated with a utility such as *pwgen*, +which can be installed on most Linux systems: + +.. code-block:: bash + + apt-get install pwgen + pwgen 16 1 The ``DOMAIN`` holds the main e-mail domain for the server. This email domain is used for bounce emails, for generating the postmaster email and other diff --git a/docs/dns.rst b/docs/dns.rst index 3d94aecb..d2fd4131 100644 --- a/docs/dns.rst +++ b/docs/dns.rst @@ -1,3 +1,5 @@ +.. _dns_setup: + Setting up your DNS =================== diff --git a/docs/setup.rst b/docs/setup.rst index d7d0cc13..9771f886 100644 --- a/docs/setup.rst +++ b/docs/setup.rst @@ -32,7 +32,7 @@ user. Make sure you complete the requirements for the flavor you chose. You should also have at least a DNS hostname and a DNS name for receiving emails. Some instructions are provided on the matter in the article -[Setup your DNS](dns). +:ref:`dns_setup`. .. _`MFAshby's fork`: https://github.com/MFAshby/Mailu 
@@ -68,10 +68,9 @@ Make sure that you test properly before going live! - Try to receive an email from an external service - Check the logs (``docker-compose logs -f servicenamehere``) to look for warnings or errors -- Use an open relay checker like `mailradar`_ +- Use an open relay checker like `mxtoolbox`_ to ensure you're not contributing to the spam problem on the internet. - All tests there should result in "Relay denied". - If using DMARC, be sure to check the reports you get to verify that legitimate email is getting through and forgeries are being properly blocked. - .. _mailradar: http://www.mailradar.com/openrelay/ + .. _mxtoolbox: https://mxtoolbox.com/diagnostic.aspx From 70c4e42f74d7236abc53b84de1bb4e90d5d30068 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tim=20M=C3=B6hlmann?= Date: Thu, 11 Oct 2018 18:33:58 +0300 Subject: [PATCH 5/9] Fix small typo --- docs/compose/setup.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/compose/setup.rst b/docs/compose/setup.rst index d4fb8014..64ad7b25 100644 --- a/docs/compose/setup.rst +++ b/docs/compose/setup.rst @@ -48,7 +48,7 @@ values: emails (IMAP and SMTP), not HTTP (use it behind reverse proxies); - ``mail-letsencrypt`` is similar to ``letsencrypt`` except that TLS will only be served for emails (IMAP and SMTP), not HTTP (use it behind reverse proxies); -- ``notls`` will disable TLS, this is not recommended except for testing +- ``notls`` will disable TLS, this is not recommended except for testing. .. note:: From 3f7e7ca3a6fce6041a55f80c0ecd1a8b03633754 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tim=20M=C3=B6hlmann?= Date: Mon, 15 Oct 2018 19:36:37 +0300 Subject: [PATCH 6/9] Use defaults in variables, to allow for local builds --- tests/build.yml | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/tests/build.yml b/tests/build.yml index 0b6858a0..5f360ece 100644 --- a/tests/build.yml +++ b/tests/build.yml 
@@ -3,54 +3,54 @@ version: '3' services: front: - image: $DOCKER_ORG/nginx:$VERSION + image: ${DOCKER_ORG:-mailu}/nginx:${VERSION:-local} build: ../core/nginx imap: - image: $DOCKER_ORG/dovecot:$VERSION + image: ${DOCKER_ORG:-mailu}/dovecot:${VERSION:-local} build: ../core/dovecot smtp: - image: $DOCKER_ORG/postfix:$VERSION + image: ${DOCKER_ORG:-mailu}/postfix:${VERSION:-local} build: ../core/postfix antispam: - image: $DOCKER_ORG/rspamd:$VERSION + image: ${DOCKER_ORG:-mailu}/rspamd:${VERSION:-local} build: ../services/rspamd antivirus: - image: $DOCKER_ORG/clamav:$VERSION + image: ${DOCKER_ORG:-mailu}/clamav:${VERSION:-local} build: ../optional/clamav webdav: - image: $DOCKER_ORG/radicale:$VERSION + image: ${DOCKER_ORG:-mailu}/radicale:${VERSION:-local} build: ../optional/radicale admin: - image: $DOCKER_ORG/admin:$VERSION + image: ${DOCKER_ORG:-mailu}/admin:${VERSION:-local} build: ../core/admin roundcube: - image: $DOCKER_ORG/roundcube:$VERSION + image: ${DOCKER_ORG:-mailu}/roundcube:${VERSION:-local} build: ../webmails/roundcube rainloop: - image: $DOCKER_ORG/rainloop:$VERSION + image: ${DOCKER_ORG:-mailu}/rainloop:${VERSION:-local} build: ../webmails/rainloop fetchmail: - image: $DOCKER_ORG/fetchmail:$VERSION + image: ${DOCKER_ORG:-mailu}/fetchmail:${VERSION:-local} build: ../services/fetchmail none: - image: $DOCKER_ORG/none:$VERSION + image: ${DOCKER_ORG:-mailu}/none:${VERSION:-local} build: ../core/none docs: - image: $DOCKER_ORG/docs:$VERSION + image: ${DOCKER_ORG:-mailu}/docs:${VERSION:-local} build: ../docs setup: - image: $DOCKER_ORG/setup:$VERSION + image: ${DOCKER_ORG:-mailu}/setup:${VERSION:-local} build: ../setup From b38deb18cffe35e3f2e445bd2c3635e11dee6a52 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tim=20M=C3=B6hlmann?= Date: Mon, 15 Oct 2018 19:37:24 +0300 Subject: [PATCH 7/9] Update Dev-docs to use build.yml for building --- docs/contributors/environment.rst | 66 ++++++++++++++++++------------- 1 file changed, 39 insertions(+), 27 deletions(-) 
diff --git a/docs/contributors/environment.rst b/docs/contributors/environment.rst index a1cce193..f1f447e2 100644 --- a/docs/contributors/environment.rst +++ b/docs/contributors/environment.rst 
@@ -5,39 +5,51 @@ Docker containers ----------------- The development environment is quite similar to the production one. You should always use -the ``master`` version when developing. Simply add a build directive to the images -you are working on in the ``docker-compose.yml``: +the ``master`` version when developing. -.. code-block:: yaml +Building images +``````````````` - webdav: - build: ./optional/radicale - image: mailu/$WEBDAV:$VERSION - restart: always - env_file: .env - volumes: - - "$ROOT/dav:/data" - - admin: - build: ./core/admin - image: mailu/admin:$VERSION - restart: always - env_file: .env - volumes: - - "$ROOT/data:/data" - - "$ROOT/dkim:/dkim" - - /var/run/docker.sock:/var/run/docker.sock:ro - depends_on: - - redis - - -The build these containers. +We supply a separate ``test/build.yml`` file for +convenience. To build all Mailu containers: .. code-block:: bash - docker-compose build admin webdav + docker-compose -f tests/build.yml build -Then you can simply start the stack as normal, newly-built images will be used. +The ``build.yml`` file has two variables: + +#. ``$DOCKER_ORG``: First part of the image tag. Defaults to *mailu* and needs to be changed + only when pushing to your own Docker hub account. +#. ``$VERSION``: Last part of the image tag. Defaults to *local* to differentiate from pulled + images. + +To re-build only specific containers at a later time. + +.. code-block:: bash + + docker-compose -f tests/build.yml build admin webdav + +If you have to push the images to Docker Hub for testing in Docker Swarm or a remote +host, you have to define ``DOCKER_ORG`` (usually your Docker user-name) and login to +the hub. + +.. code-block:: bash + + docker login + Username: Foo + Password: Bar + export DOCKER_ORG="Foo" + export VERSION="feat-extra-app" + docker-compose -f tests/build.yml build + docker-compose -f tests/build.yml push + +Running containers +`````````````````` + +To run the newly created images: ``cd`` to your project directory. 
Edit ``.env`` to set +``VERSION`` to the same value as used during the build, which defaults to ``local``. +After that you can run: .. code-block:: bash From acbb586e71cc148a634961c31709bf36e52b5d1e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tim=20M=C3=B6hlmann?= Date: Tue, 16 Oct 2018 12:38:17 +0300 Subject: [PATCH 8/9] Option to send logs to journald or syslog --- docs/compose/.env | 6 ++++++ docs/compose/docker-compose.yml | 2 ++ tests/compose/core.env | 6 ++++++ tests/compose/run.yml | 2 ++ 4 files changed, 16 insertions(+) diff --git a/docs/compose/.env b/docs/compose/.env index 721aaf22..86896c43 100644 --- a/docs/compose/.env +++ b/docs/compose/.env @@ -120,6 +120,12 @@ WEBSITE=https://mailu.io # Advanced settings ################################### +# Log driver for front service. Possible values: +# json-file (default) +# journald (On systemd platforms, useful for Fail2Ban integration) +# syslog (Non systemd platforms, Fail2Ban integration. Disables `docker-compose log` for front!) +LOG_DRIVER=json-file + # Docker-compose project name, this will prepended to containers names. COMPOSE_PROJECT_NAME=mailu diff --git a/docs/compose/docker-compose.yml b/docs/compose/docker-compose.yml index 6f2da078..b8d15587 100644 --- a/docs/compose/docker-compose.yml +++ b/docs/compose/docker-compose.yml @@ -6,6 +6,8 @@ services: image: mailu/nginx:$VERSION restart: always env_file: .env + logging: + driver: $LOG_DRIVER ports: - "$BIND_ADDRESS4:80:80" - "$BIND_ADDRESS4:443:443" diff --git a/tests/compose/core.env b/tests/compose/core.env index 89120d4f..78c307c0 100644 --- a/tests/compose/core.env +++ b/tests/compose/core.env 
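Review bot: `driver: $LOG_DRIVER` in the `front` service has no fallback, so an existing deployment whose `.env` predates this patch and lacks `LOG_DRIVER` gets the variable substituted as an empty string (Compose only warns), and `driver: ""` is not a valid logging driver; since this series already uses shell-style defaults in `tests/build.yml`, write `driver: ${LOG_DRIVER:-json-file}` so the default documented in `.env` holds even when the variable is unset. Separately, the `.env` comment for `syslog` says it disables `docker-compose log`; the subcommand is `docker-compose logs`, and it is worth stating there that `journald`/`syslog` move the nginx access logs, including client IP addresses, into the host's logging system.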
@@ -120,6 +120,12 @@ WEBSITE=https://mailu.io # Advanced settings ################################### +# Log driver for front service. Possible values: +# json-file (default) +# journald (On systemd platforms, useful for Fail2Ban integration) +# syslog (Non systemd platforms, Fail2Ban integration. Disables `docker-compose log` for front!) +LOG_DRIVER=json-file + # Docker-compose project name, this will prepended to containers names. #COMPOSE_PROJECT_NAME=mailu diff --git a/tests/compose/run.yml b/tests/compose/run.yml index 56ea1627..39ad3dc2 100644 --- a/tests/compose/run.yml +++ b/tests/compose/run.yml @@ -6,6 +6,8 @@ services: image: $DOCKER_ORG/nginx:$VERSION restart: 'no' env_file: $PWD/.env + logging: + driver: journald ports: - "$BIND_ADDRESS4:80:80" - "$BIND_ADDRESS4:443:443" From f3ebf35c75ed2038e01eef4c40863a6a10d29e34 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tim=20M=C3=B6hlmann?= Date: Tue, 16 Oct 2018 12:56:12 +0300 Subject: [PATCH 9/9] Fix autotest --- tests/compose/run.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/compose/run.yml b/tests/compose/run.yml index 39ad3dc2..eac35b76 100644 --- a/tests/compose/run.yml +++ b/tests/compose/run.yml @@ -7,7 +7,7 @@ services: restart: 'no' env_file: $PWD/.env logging: - driver: journald + driver: $LOG_DRIVER ports: - "$BIND_ADDRESS4:80:80" - "$BIND_ADDRESS4:443:443"
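Review bot: `driver: $LOG_DRIVER` is expanded by Compose's variable substitution, which reads the shell environment and the project-directory `.env`, not the `env_file: $PWD/.env` entry that only feeds the container; the autotest therefore works only if `LOG_DRIVER` is exported or `core.env` has been copied to `.env` in the working directory, which this hunk does not show. Using `driver: ${LOG_DRIVER:-json-file}` keeps the test runnable in either case and matches the default set in `tests/compose/core.env`.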