From 8172f3eab87b52b6547f3e67fedfa30f06fd0d80 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tim=20M=C3=B6hlmann?= Date: Mon, 3 Dec 2018 03:16:53 +0200 Subject: [PATCH] Move the Mailu Docker network to a fixed subnet. This will make network configuration and host based authentication more robust, across different deployment platforms. The options `RELAYNETS` and`POD_ADDRESS_RANGE` are kept for compatibility. However, their usage have become optional. --- core/admin/mailu/configuration.py | 1 + core/admin/mailu/internal/views/dovecot.py | 9 +++------ core/postfix/conf/main.cf | 5 +++-- docs/compose/.env | 12 +++++++----- docs/compose/docker-compose.yml | 8 ++++++++ docs/configuration.rst | 11 ++++++++--- services/rspamd/conf/worker-controller.inc | 2 +- setup/flavors/compose/mailu.env | 10 +++++----- setup/flavors/stack/docker-compose.yml | 8 +------- setup/templates/steps/compose/03_expose.html | 4 ++-- setup/templates/steps/stack/03_expose.html | 4 ++-- tests/compose/core/mailu.env | 11 +++++++---- tests/compose/fetchmail/mailu.env | 8 ++++---- tests/compose/filters/mailu.env | 8 ++++---- tests/compose/rainloop/mailu.env | 8 ++++---- tests/compose/roundcube/mailu.env | 8 ++++---- tests/compose/webdav/mailu.env | 8 ++++---- 17 files changed, 68 insertions(+), 57 deletions(-) diff --git a/core/admin/mailu/configuration.py b/core/admin/mailu/configuration.py index 48599d5e..10bf22ae 100644 --- a/core/admin/mailu/configuration.py +++ b/core/admin/mailu/configuration.py @@ -50,6 +50,7 @@ DEFAULT_CONFIG = { 'HOST_WEBMAIL': 'webmail', 'HOST_FRONT': 'front', 'HOST_AUTHSMTP': os.environ.get('HOST_SMTP', 'smtp'), + 'SUBNET': '192.168.203.0/24', 'POD_ADDRESS_RANGE': None } diff --git a/core/admin/mailu/internal/views/dovecot.py b/core/admin/mailu/internal/views/dovecot.py index bf2ce2e5..762bd941 100644 --- a/core/admin/mailu/internal/views/dovecot.py +++ b/core/admin/mailu/internal/views/dovecot.py 
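Review bot: The new `'SUBNET'` default has no validation, yet the other hunks of this commit make it a trust boundary (postfix `mynetworks` and `smtpd_authorized_xclient_hosts`, rspamd `secure_ip`, dovecot `allow_nets`), so a mistyped `SUBNET` in the environment is pasted into three daemon configs and only surfaces, if at all, at runtime. Where the environment is merged over `DEFAULT_CONFIG` (outside this hunk), consider `ipaddress.ip_network(value, strict=False)` so a value that is not a CIDR prefix fails at startup instead. A short comment on the new key would also record why it matters: `# Fixed subnet of the Mailu docker network; postfix, rspamd and dovecot trust every host in it`. `DEFAULT_CONFIG` opens before this hunk and its consumers are outside it.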
@@ -10,12 +10,9 @@ import os def dovecot_passdb_dict(user_email): user = models.User.query.get(user_email) or flask.abort(404) allow_nets = [] - allow_nets.append( - app.config.get("POD_ADDRESS_RANGE") or - socket.gethostbyname(app.config["HOST_FRONT"]) - ) - if os.environ["WEBMAIL"] != "none": - allow_nets.append(socket.gethostbyname(app.config["HOST_WEBMAIL"])) + allow_nets.append(app.config["SUBNET"]) + if app.config["POD_ADDRESS_RANGE"]: + allow_nets.append(app.config["POD_ADDRESS_RANGE"]) print(allow_nets) return flask.jsonify({ "password": None, diff --git a/core/postfix/conf/main.cf b/core/postfix/conf/main.cf index a67eb433..d5d47d19 100644 --- a/core/postfix/conf/main.cf +++ b/core/postfix/conf/main.cf @@ -14,7 +14,7 @@ queue_directory = /queue message_size_limit = {{ MESSAGE_SIZE_LIMIT }} # Relayed networks -mynetworks = 127.0.0.1/32 [::1]/128 {{ RELAYNETS }} +mynetworks = 127.0.0.1/32 [::1]/128 {{ SUBNET }} {{ RELAYNETS }} # Empty alias list to override the configuration variable and disable NIS alias_maps = @@ -32,7 +32,8 @@ relayhost = {{ RELAYHOST }} recipient_delimiter = {{ RECIPIENT_DELIMITER }} # Only the front server is allowed to perform xclient -smtpd_authorized_xclient_hosts={{ FRONT_ADDRESS }} {{ POD_ADDRESS_RANGE }} +# In kubernetes and Docker swarm, such address cannot be determined using the hostname. Allow for the whole Mailu subnet instead. +smtpd_authorized_xclient_hosts={{ POD_ADDRESS_RANGE or SUBNET }} ############### # TLS diff --git a/docs/compose/.env b/docs/compose/.env index 2100e27a..c9fce025 100644 --- a/docs/compose/.env +++ b/docs/compose/.env @@ -1,6 +1,5 @@ # Mailu main configuration file -# -# Most configuration variables can be modified through the Web interface, +## Most configuration variables can be modified through the Web interface, # these few settings must however be configured before starting the mail # server and require a restart upon change. 
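Review bot: After this change `allow_nets` covers the whole `SUBNET` (plus `POD_ADDRESS_RANGE` when set) instead of the resolved address of front, so every container on the Mailu network is accepted for this `"password": None` passdb entry, which looks like a password-less trust grant (the returned dict continues past the hunk, so confirm); nothing in the code states that this widening is intended. Suggest a comment above the first append: `# allow_nets restricts where Dovecot accepts this entry from: the whole Mailu network (and the pod range on swarm/k8s), no longer just front`. The surviving `print(allow_nets)` writes the trusted ranges to stdout on every lookup; `app.logger.debug("allow_nets=%s", allow_nets)` is the better fit. If nothing else in the module still uses `socket` and `os`, their imports can be dropped now that `gethostbyname` and `os.environ["WEBMAIL"]` are gone.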
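Review bot: `{{ POD_ADDRESS_RANGE or SUBNET }}` discards `SUBNET` as soon as `POD_ADDRESS_RANGE` is set, whereas dovecot.py in this same commit trusts both ranges; services/rspamd/conf/worker-controller.inc has the same `or`. A deployment that sets `POD_ADDRESS_RANGE` while front is still attached to `SUBNET` silently loses XCLIENT authorization for front. Mirroring the `mynetworks` line above keeps the two daemons consistent: `smtpd_authorized_xclient_hosts={{ SUBNET }} {{ POD_ADDRESS_RANGE }}`. The new comment could also name the consequence for the next reader, since XCLIENT lets a listed host override the client attributes Postfix uses for access decisions: `# Hosts listed here may override the client address/name seen by smtpd restrictions; keep it to the Mailu network.`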
@@ -21,6 +20,9 @@ SECRET_KEY=ChangeMeChangeMe BIND_ADDRESS4=127.0.0.1 BIND_ADDRESS6=::1 +# Subnet of the docker network. This should not conflict with any networks to which your system is connected. (Internal and external!) +SUBNET=192.168.203.0/24 + # Main mail domain DOMAIN=mailu.io @@ -63,9 +65,9 @@ ANTIVIRUS=none # Default: accept messages up to 50MB MESSAGE_SIZE_LIMIT=50000000 -# Networks granted relay permissions, make sure that you include your Docker -# internal network (default to 172.17.0.0/16) -RELAYNETS=172.16.0.0/12 +# Networks granted relay permissions +# Use this with care, all hosts in this networks will be able to send mail without authentication! +RELAYNETS= # Will relay all outgoing mails if configured RELAYHOST= diff --git a/docs/compose/docker-compose.yml b/docs/compose/docker-compose.yml index b8d15587..a45e7e10 100644 --- a/docs/compose/docker-compose.yml +++ b/docs/compose/docker-compose.yml @@ -104,3 +104,11 @@ services: image: mailu/fetchmail:$VERSION restart: always env_file: .env + + networks: + default: + driver: bridge + ipam: + driver: default + config: + - subnet: $SUBNET diff --git a/docs/configuration.rst b/docs/configuration.rst index cab30072..2f44b293 100644 --- a/docs/configuration.rst +++ b/docs/configuration.rst @@ -24,6 +24,11 @@ The ``HOSTNAMES`` are all public hostnames for the mail server. Mailu supports a mail server with multiple hostnames. The first declared hostname is the main hostname and will be exposed over SMTP, IMAP, etc. +The ``SUBNET`` defines the address range of the docker network used by Mailu. +This should not conflict with any networks to which your system is connected. +(Internal and external!). Normally this does not need to be changed, +unless there is a conflict with existing networks. + The ``POSTMASTER`` is the local part of the postmaster email address. It is recommended to setup a generic value and later configure a mail alias for that address. 
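Review bot: `subnet: $SUBNET` has no fallback, so an existing deployment whose `.env` predates this commit and lacks `SUBNET` expands it to an empty subnet and compose fails on the ipam config with a message that does not mention the variable. `- subnet: ${SUBNET:-192.168.203.0/24}` keeps the same default as configuration.py, or `${SUBNET:?SUBNET must be set in .env}` makes the failure explicit.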
@@ -40,9 +45,9 @@ be too low to avoid dropping legitimate emails and should not be too high to avoid filling the disks with large junk emails. The ``RELAYNETS`` are network addresses for which mail is relayed for free with -no authentication required. This should be used with great care. It is -recommended to include your Docker internal network addresses if other Docker -containers use Mailu as their mail relay. +no authentication required. This should be used with great care. If you want other +Docker services' outbound mail to be relayed, you can set this to ``172.16.0.0/12`` +to include **all** Docker networks. The default is to leave this empty. The ``RELAYHOST`` is an optional address of a mail server relaying all outgoing mail. diff --git a/services/rspamd/conf/worker-controller.inc b/services/rspamd/conf/worker-controller.inc index b630f7ad..933610ed 100644 --- a/services/rspamd/conf/worker-controller.inc +++ b/services/rspamd/conf/worker-controller.inc @@ -1,4 +1,4 @@ type = "controller"; bind_socket = "*:11334"; password = "mailu"; -secure_ip = "{% if POD_ADDRESS_RANGE %}{{ POD_ADDRESS_RANGE }}{% else %}{{ FRONT_ADDRESS }}{% endif %}"; +secure_ip = "{{ POD_ADDRESS_RANGE or SUBNET }}"; diff --git a/setup/flavors/compose/mailu.env b/setup/flavors/compose/mailu.env index 3f67b0dd..d8a99aa6 100644 --- a/setup/flavors/compose/mailu.env +++ b/setup/flavors/compose/mailu.env @@ -25,8 +25,8 @@ SECRET_KEY={{ secret(16) }} # PUBLIC_IPV4= {{ bind4 }} (default: 127.0.0.1) # PUBLIC_IPV6= {{ bind6 }} (default: ::1) -# Subnet -SUBNET={{ subnet }} +# Subnet of the docker network. This should not conflict with any networks to which your system is connected. (Internal and external!) +SUBNET=192.168.203.0/24 # Main mail domain DOMAIN={{ domain }} 
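Review bot: `secure_ip` is the list of sources the rspamd controller serves without the `password` set two lines above, so this line now grants password-less controller access to every container on the Mailu network (or the whole pod range) instead of to front alone, and the file does not say so. Suggest a comment above it: `# Hosts in this range may use the controller (learning, stats, configuration) without the password; keep it to the Mailu network.`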
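Review bot: `SUBNET={{ subnet }}` is replaced by a hard-coded value, while the setup forms changed in this commit (setup/templates/steps/compose/03_expose.html and stack/03_expose.html) still present a subnet field whose default is now 192.168.203.0/24. If the generated docker-compose.yml for this flavor (not in the diff) still builds the network from `{{ subnet }}`, a user who edits that field ends up with a network on one range and postfix/rspamd/dovecot trusting another, with no error. Keeping the template value with the new default, `SUBNET={{ subnet or '192.168.203.0/24' }}`, makes the env file and the network come from the same input.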
@@ -75,9 +75,9 @@ ANTISPAM={{ antispam_enabled or 'none'}} # Default: accept messages up to 50MB MESSAGE_SIZE_LIMIT={{ message_size_limit or '50000000' }} -# Networks granted relay permissions, make sure that you include your Docker -# internal network (default to 172.17.0.0/16) -RELAYNETS={{ relaynets or '172.17.0.0/16' }} +# Networks granted relay permissions +# Use this with care, all hosts in this networks will be able to send mail without authentication! +RELAYNETS= # Will relay all outgoing mails if configured RELAYHOST={{ relayhost }} diff --git a/setup/flavors/stack/docker-compose.yml b/setup/flavors/stack/docker-compose.yml index 98ba61b1..a083a762 100644 --- a/setup/flavors/stack/docker-compose.yml +++ b/setup/flavors/stack/docker-compose.yml @@ -29,7 +29,7 @@ services: - "{{ root }}/certs:/certs" deploy: replicas: {{ front_replicas }} - + {% if resolver_enabled %} resolver: image: mailu/unbound:{{ version }} @@ -56,8 +56,6 @@ services: image: ${DOCKER_ORG:-mailu}/dovecot:${MAILU_VERSION:-{{ version }}} env_file: {{ env }} environment: - # Default to 10.0.1.0/24 - - POD_ADDRESS_RANGE={{ subnet }} volumes: - "{{ root }}/mail:/mail" - "{{ root }}/overrides:/overrides" @@ -67,8 +65,6 @@ services: smtp: image: ${DOCKER_ORG:-mailu}/postfix:${MAILU_VERSION:-{{ version }}} env_file: {{ env }} - environment: - - POD_ADDRESS_RANGE={{ subnet }} volumes: - "{{ root }}/overrides:/overrides" deploy: @@ -81,8 +77,6 @@ services: antispam: image: ${DOCKER_ORG:-mailu}/rspamd:${MAILU_VERSION:-{{ version }}} env_file: {{ env }} - environment: - - POD_ADDRESS_RANGE={{ subnet }} volumes: - "{{ root }}/filter:/var/lib/rspamd" - "{{ root }}/dkim:/dkim" diff --git a/setup/templates/steps/compose/03_expose.html b/setup/templates/steps/compose/03_expose.html index 783c2037..0c912778 100644 --- a/setup/templates/steps/compose/03_expose.html +++ b/setup/templates/steps/compose/03_expose.html @@ -34,9 +34,9 @@ avoid generic all-interfaces addresses like 0.0.0.0 or ::
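Review bot: `RELAYNETS={{ relaynets or '172.17.0.0/16' }}` becomes a constant `RELAYNETS=`, so whatever the setup wizard collects for `relaynets` (its form is not in this diff, so it may still ask) is silently discarded. Dropping the broad default is right, but the user's explicit value should still pass through: `RELAYNETS={{ relaynets }}`.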
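Review bot: Removing `POD_ADDRESS_RANGE={{ subnet }}` from the dovecot, smtp and antispam services (three hunks of this file) makes the stack flavor depend on `SUBNET` alone, but unlike docs/compose/docker-compose.yml no `networks:`/`ipam` block is added here, and setup/flavors/stack/mailu.env is not in the diffstat. Unless the rest of the template (outside these hunks) already pins the overlay network to `{{ subnet }}` and that env file defines `SUBNET`, postfix and rspamd will render `{{ SUBNET }}` empty or to a range no container uses, and front loses its trusted status for relaying, XCLIENT and the rspamd controller. Either add the same `networks:` block with `subnet: {{ subnet }}` and `SUBNET={{ subnet }}` in the stack env, or keep `POD_ADDRESS_RANGE` set to the real overlay range.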
- + + value="192.168.203.0/24">

You server will be available under a main hostname but may expose multiple public diff --git a/setup/templates/steps/stack/03_expose.html b/setup/templates/steps/stack/03_expose.html index d47390be..820ff154 100644 --- a/setup/templates/steps/stack/03_expose.html +++ b/setup/templates/steps/stack/03_expose.html @@ -11,9 +11,9 @@ you expose it to the world.

- + + value="192.168.203.0/24">

You server will be available under a main hostname but may expose multiple public diff --git a/tests/compose/core/mailu.env b/tests/compose/core/mailu.env index 9a744e35..d77f3a2d 100644 --- a/tests/compose/core/mailu.env +++ b/tests/compose/core/mailu.env @@ -25,6 +25,9 @@ SECRET_KEY=HGZCYGVI6FVG31HS # PUBLIC_IPV4= 127.0.0.1 (default: 127.0.0.1) # PUBLIC_IPV6= (default: ::1) +# Subnet of the docker network. This should not conflict with any networks to which your system is connected. (Internal and external!) +SUBNET=192.168.203.0/24 + # Main mail domain DOMAIN=mailu.io @@ -70,9 +73,9 @@ ANTISPAM=none # Default: accept messages up to 50MB MESSAGE_SIZE_LIMIT=50000000 -# Networks granted relay permissions, make sure that you include your Docker -# internal network (default to 172.17.0.0/16) -RELAYNETS=172.17.0.0/16 +# Networks granted relay permissions +# Use this with care, all hosts in this networks will be able to send mail without authentication! +RELAYNETS= # Will relay all outgoing mails if configured RELAYHOST= @@ -136,4 +139,4 @@ REAL_IP_HEADER= REAL_IP_FROM= # choose wether mailu bounces (no) or rejects (yes) mail when recipient is unknown (value: yes, no) -REJECT_UNLISTED_RECIPIENT= \ No newline at end of file +REJECT_UNLISTED_RECIPIENT= diff --git a/tests/compose/fetchmail/mailu.env b/tests/compose/fetchmail/mailu.env index a987c853..996dbb73 100644 --- a/tests/compose/fetchmail/mailu.env +++ b/tests/compose/fetchmail/mailu.env @@ -70,9 +70,9 @@ ANTISPAM=none # Default: accept messages up to 50MB MESSAGE_SIZE_LIMIT=50000000 -# Networks granted relay permissions, make sure that you include your Docker -# internal network (default to 172.17.0.0/16) -RELAYNETS=172.17.0.0/16 +# Networks granted relay permissions +# Use this with care, all hosts in this networks will be able to send mail without authentication! +RELAYNETS= # Will relay all outgoing mails if configured RELAYHOST= 
@@ -136,4 +136,4 @@ REAL_IP_HEADER= REAL_IP_FROM= # choose wether mailu bounces (no) or rejects (yes) mail when recipient is unknown (value: yes, no) -REJECT_UNLISTED_RECIPIENT= \ No newline at end of file +REJECT_UNLISTED_RECIPIENT= diff --git a/tests/compose/filters/mailu.env b/tests/compose/filters/mailu.env index 8609a287..c8c99d26 100644 --- a/tests/compose/filters/mailu.env +++ b/tests/compose/filters/mailu.env @@ -70,9 +70,9 @@ ANTISPAM=none # Default: accept messages up to 50MB MESSAGE_SIZE_LIMIT=50000000 -# Networks granted relay permissions, make sure that you include your Docker -# internal network (default to 172.17.0.0/16) -RELAYNETS=172.17.0.0/16 +# Networks granted relay permissions +# Use this with care, all hosts in this networks will be able to send mail without authentication! +RELAYNETS= # Will relay all outgoing mails if configured RELAYHOST= @@ -136,4 +136,4 @@ REAL_IP_HEADER= REAL_IP_FROM= # choose wether mailu bounces (no) or rejects (yes) mail when recipient is unknown (value: yes, no) -REJECT_UNLISTED_RECIPIENT= \ No newline at end of file +REJECT_UNLISTED_RECIPIENT= diff --git a/tests/compose/rainloop/mailu.env b/tests/compose/rainloop/mailu.env index 678ea048..bc9cebbb 100644 --- a/tests/compose/rainloop/mailu.env +++ b/tests/compose/rainloop/mailu.env @@ -70,9 +70,9 @@ ANTISPAM=none # Default: accept messages up to 50MB MESSAGE_SIZE_LIMIT=50000000 -# Networks granted relay permissions, make sure that you include your Docker -# internal network (default to 172.17.0.0/16) -RELAYNETS=172.17.0.0/16 +# Networks granted relay permissions +# Use this with care, all hosts in this networks will be able to send mail without authentication! +RELAYNETS= # Will relay all outgoing mails if configured RELAYHOST= @@ -136,4 +136,4 @@ REAL_IP_HEADER= REAL_IP_FROM= # choose wether mailu bounces (no) or rejects (yes) mail when recipient is unknown (value: yes, no) -REJECT_UNLISTED_RECIPIENT= \ No newline at end of file +REJECT_UNLISTED_RECIPIENT= 
diff --git a/tests/compose/roundcube/mailu.env b/tests/compose/roundcube/mailu.env index b8a8b266..6eac05ed 100644 --- a/tests/compose/roundcube/mailu.env +++ b/tests/compose/roundcube/mailu.env @@ -70,9 +70,9 @@ ANTISPAM=none # Default: accept messages up to 50MB MESSAGE_SIZE_LIMIT=50000000 -# Networks granted relay permissions, make sure that you include your Docker -# internal network (default to 172.17.0.0/16) -RELAYNETS=172.17.0.0/16 +# Networks granted relay permissions +# Use this with care, all hosts in this networks will be able to send mail without authentication! +RELAYNETS= # Will relay all outgoing mails if configured RELAYHOST= @@ -136,4 +136,4 @@ REAL_IP_HEADER= REAL_IP_FROM= # choose wether mailu bounces (no) or rejects (yes) mail when recipient is unknown (value: yes, no) -REJECT_UNLISTED_RECIPIENT= \ No newline at end of file +REJECT_UNLISTED_RECIPIENT= diff --git a/tests/compose/webdav/mailu.env b/tests/compose/webdav/mailu.env index 21dd3981..96c2b6e9 100644 --- a/tests/compose/webdav/mailu.env +++ b/tests/compose/webdav/mailu.env @@ -70,9 +70,9 @@ ANTISPAM=none # Default: accept messages up to 50MB MESSAGE_SIZE_LIMIT=50000000 -# Networks granted relay permissions, make sure that you include your Docker -# internal network (default to 172.17.0.0/16) -RELAYNETS=172.17.0.0/16 +# Networks granted relay permissions +# Use this with care, all hosts in this networks will be able to send mail without authentication! +RELAYNETS= # Will relay all outgoing mails if configured RELAYHOST= @@ -136,4 +136,4 @@ REAL_IP_HEADER= REAL_IP_FROM= # choose wether mailu bounces (no) or rejects (yes) mail when recipient is unknown (value: yes, no) -REJECT_UNLISTED_RECIPIENT= \ No newline at end of file +REJECT_UNLISTED_RECIPIENT=