diff --git a/docs/compose/docker-compose.yml b/docs/compose/docker-compose.yml index 42be1cb0..344ea8b2 100644 --- a/docs/compose/docker-compose.yml +++ b/docs/compose/docker-compose.yml @@ -100,6 +100,7 @@ services: env_file: .env volumes: - "$ROOT/webmail:/data" + - "$ROOT/overrides/$WEBMAIL:/overrides:ro" depends_on: - imap diff --git a/docs/compose/traefik/docker-compose.yml b/docs/compose/traefik/docker-compose.yml index f295d2f8..25f341df 100644 --- a/docs/compose/traefik/docker-compose.yml +++ b/docs/compose/traefik/docker-compose.yml @@ -128,6 +128,7 @@ services: env_file: .env volumes: - "$ROOT/webmail:/data" + - "$ROOT/overrides/$WEBMAIL:/overrides:ro" depends_on: - imap diff --git a/docs/configuration.rst b/docs/configuration.rst index 6f4ba563..e83b3968 100644 --- a/docs/configuration.rst +++ b/docs/configuration.rst @@ -263,6 +263,50 @@ The roundcube service stores configurations in a database. - ``ROUNDCUBE_DB_USER``: the database user for roundcube service. (when not ``sqlite``) - ``ROUNDCUBE_DB_NAME``: the database name for roundcube service. (when not ``sqlite``) +Webmail settings +---------------- + +When using roundcube it is possible to select the plugins to be enabled by setting ``ROUNDCUBE_PLUGINS`` to +a comma separated list of plugin-names. Included plugins are: + +- acl (needs configuration) +- additional_message_headers (needs configuration) +- archive +- attachment_reminder +- carddav +- database_attachmentsi +- debug_logger +- emoticons +- enigma +- help +- hide_blockquote +- identicon +- identity_select +- jqueryui +- mailu +- managesieve +- markasjunk +- new_user_dialog +- newmail_notifier +- reconnect +- show_additional_headers (needs configuration) +- subscriptions_option +- vcard_attachments +- zipdownload + +If ``ROUNDCUBE_PLUGINS`` is not set the following plugins are enabled by default: + +- archive +- carddav +- enigma +- mailu +- managesieve +- markasjunk +- zipdownload + +To disable all plugins just set ``ROUNDCUBE_PLUGINS`` to ``mailu``. + +To configure a plugin add php files named ``*.inc`` to roundcube's :ref:`override section `. Mail log settings ----------------- diff --git a/setup/flavors/compose/docker-compose.yml b/setup/flavors/compose/docker-compose.yml index c36004fd..efaa46f0 100644 --- a/setup/flavors/compose/docker-compose.yml +++ b/setup/flavors/compose/docker-compose.yml @@ -147,6 +147,7 @@ services: env_file: {{ env }} volumes: - "{{ root }}/webmail:/data" + - "{{ root }}/overrides/{{ webmail_type }}:/overrides:ro" depends_on: - imap {% endif %} diff --git a/setup/flavors/stack/docker-compose.yml b/setup/flavors/stack/docker-compose.yml index a9158882..89da923c 100644 --- a/setup/flavors/stack/docker-compose.yml +++ b/setup/flavors/stack/docker-compose.yml @@ -123,6 +123,7 @@ services: env_file: {{ env }} volumes: - "{{ root }}/webmail:/data" + - "{{ root }}/overrides/{{ webmail_type }}:/overrides:ro" deploy: replicas: 1 healthcheck: diff --git a/towncrier/newsfragments/2035.enhancement b/towncrier/newsfragments/2035.enhancement new file mode 100644 index 00000000..91345cbd --- /dev/null +++ b/towncrier/newsfragments/2035.enhancement @@ -0,0 +1 @@ +updated roundcube to 1.5 and carddav to 4.2.2 using php8 diff --git a/webmails/roundcube/Dockerfile b/webmails/roundcube/Dockerfile index f28f316c..7584b558 100644 --- a/webmails/roundcube/Dockerfile +++ b/webmails/roundcube/Dockerfile @@ -1,10 +1,10 @@ -# NOTE: only add file if building for arm +# NOTE: only add qemu-arm-static if building for arm ARG ARCH="" ARG QEMU=other -FROM ${ARCH}php:7.4-apache as build_arm +FROM ${ARCH}php:8.0-apache as build_arm ONBUILD COPY --from=balenalib/rpi-alpine:3.14 /usr/bin/qemu-arm-static /usr/bin/qemu-arm-static +FROM ${ARCH}php:8.0-apache as build_other -FROM ${ARCH}php:7.4-apache as build_other FROM build_${QEMU} ARG VERSION @@ -12,25 +12,37 @@ ENV TZ Etc/UTC LABEL version=$VERSION -#Shared layer between rainloop and roundcube -RUN apt-get update && apt-get install -y \ - python3 curl python3-pip git python3-multidict tzdata \ - && rm -rf /var/lib/apt/lists \ - && echo "ServerSignature Off\nServerName roundcube" >> /etc/apache2/apache2.conf \ - && sed -i 's,CustomLog.*combined$,\0 "'"expr=!(%{HTTP_USER_AGENT}=='health'\&\&(-R '127.0.0.1/8' || -R '::1'))"'",' /etc/apache2/sites-available/000-default.conf +RUN set -eu \ + && apt update \ + && echo 'debconf debconf/frontend select Noninteractive' | debconf-set-selections \ + && apt install -y --no-install-recommends \ + python3 curl python3-pip git python3-multidict \ + python3-jinja2 gpg tzdata \ + && pip3 install socrate \ + && echo date.timezone=UTC > /usr/local/etc/php/conf.d/timezone.ini \ + && echo "ServerSignature Off\nServerName roundcube" >> /etc/apache2/apache2.conf \ + && sed -i 's,CustomLog.*combined$,\0 "'"expr=!(%{HTTP_USER_AGENT}=='health'\&\&(-R '127.0.0.1/8' || -R '::1'))"'",' /etc/apache2/sites-available/000-default.conf \ +\ + && mark="$(apt-mark showmanual)" \ + && apt install -y --no-install-recommends \ + libfreetype6-dev libicu-dev libjpeg62-turbo-dev libldap2-dev libmagickwand-dev \ + libpng-dev libpq-dev libsqlite3-dev libzip-dev libpspell-dev libonig-dev \ + && ln -s php.ini-production /usr/local/etc/php/php.ini \ + && docker-php-ext-configure gd --with-jpeg --with-freetype \ + && docker-php-ext-install exif gd intl zip pspell pdo_mysql pdo_pgsql pdo_sqlite \ + && pecl install imagick \ + && docker-php-ext-enable imagick opcache \ + && apt-mark auto '.*' >/dev/null \ + && apt-mark manual ${mark} >/dev/null \ + && ldd "$(php -r 'echo ini_get("extension_dir");')"/*.so | awk '/=>/ { print $3 }' | sort -u | \ + xargs -r dpkg-query -S | cut -d: -f1 | sort -u | xargs -r apt-mark manual >/dev/null \ + && apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false \ + && rm -rf /var/lib/apt/lists -# Shared layer between nginx, dovecot, postfix, postgresql, rspamd, unbound, rainloop, roundcube -RUN pip3 install socrate +ENV ROUNDCUBE_URL https://github.com/roundcube/roundcubemail/releases/download/1.5.1/roundcubemail-1.5.1-complete.tar.gz +ENV CARDDAV_URL https://github.com/mstilkerich/rcmcarddav/releases/download/v4.3.0/carddav-v4.3.0.tar.gz -ENV ROUNDCUBE_URL https://github.com/roundcube/roundcubemail/releases/download/1.4.11/roundcubemail-1.4.11-complete.tar.gz - -ENV CARDDAV_URL https://github.com/mstilkerich/rcmcarddav/releases/download/v4.1.2/carddav-v4.1.2.tar.gz - -RUN apt-get update && apt-get install -y \ - zlib1g-dev libzip4 libzip-dev libpq-dev \ - python3-jinja2 \ - gpg \ - && docker-php-ext-install zip pdo_mysql pdo_pgsql \ +RUN set -eu \ && rm -rf /var/www/html/ \ && cd /var/www \ && curl -sL ${ROUNDCUBE_URL} | tar xz \ @@ -38,27 +50,29 @@ RUN apt-get update && apt-get install -y \ && mv roundcubemail-* html \ && mv carddav html/plugins/ \ && cd html \ - && rm -rf CHANGELOG INSTALL LICENSE README.md UPGRADING composer.json-dist installer composer.* \ - && sed -i 's,mod_php5.c,mod_php7.c,g' .htaccess \ - && sed -i 's,^php_value.*post_max_size,#&,g' .htaccess \ - && sed -i 's,^php_value.*upload_max_filesize,#&,g' .htaccess \ + && rm -rf CHANGELOG.md SECURITY.md INSTALL LICENSE README.md UPGRADING composer.json-dist installer composer.* \ && ln -sf index.php /var/www/html/sso.php \ && ln -sf /dev/stderr /var/www/html/logs/errors.log \ && chown -R root:root . \ && chown www-data:www-data logs temp \ && chmod -R a+rX . \ - && rm -rf /var/lib/apt/lists \ - && a2enmod rewrite deflate expires headers + && a2enmod rewrite deflate expires headers \ + && echo date.timezone=${TZ} > /usr/local/etc/php/conf.d/timezone.ini \ + && rm -rf plugins/{autologon,example_addressbook,http_authentication,krb_authentication,new_user_identity,password,redundant_attachments,squirrelmail_usercopy,userinfo,virtuser_file,virtuser_query} + +# enable database_attachments (and memcache?) -COPY php.ini /php.ini -COPY config.inc.php /var/www/html/config/ COPY mailu.php /var/www/html/plugins/mailu/mailu.php -COPY start.py /start.py +COPY php.ini / +COPY config.inc.php / +COPY start.py / EXPOSE 80/tcp -VOLUME ["/data"] +VOLUME /data +VOLUME /overrides CMD /start.py HEALTHCHECK CMD curl -f -L -H 'User-Agent: health' http://localhost/ || exit 1 -RUN echo $VERSION >> /version \ No newline at end of file + +RUN echo $VERSION >> /version diff --git a/webmails/roundcube/config.inc.php b/webmails/roundcube/config.inc.php index 99f147fc..e5a7e3c6 100644 --- a/webmails/roundcube/config.inc.php +++ b/webmails/roundcube/config.inc.php @@ -3,46 +3,29 @@ $config = array(); // Generals -$config['db_dsnw'] = getenv('DB_DSNW');; +$config['db_dsnw'] = '{{ DB_DSNW }}'; $config['temp_dir'] = '/tmp/'; -$config['des_key'] = getenv('SECRET_KEY') ? getenv('SECRET_KEY') : trim(file_get_contents(getenv('SECRET_KEY_FILE'))); +$config['des_key'] = '{{ SECRET_KEY }}'; $config['cipher_method'] = 'AES-256-CBC'; $config['identities_level'] = 0; $config['reply_all_mode'] = 1; - -// List of active plugins (in plugins/ directory) -$config['plugins'] = array( - 'archive', - 'zipdownload', - 'markasjunk', - 'managesieve', - 'enigma', - 'carddav' -); - -$front = getenv('FRONT_ADDRESS') ? getenv('FRONT_ADDRESS') : 'front'; -$imap = getenv('IMAP_ADDRESS') ? getenv('IMAP_ADDRESS') : 'imap'; +$config['log_driver'] = 'stdout'; +$config['zipdownload_selection'] = true; +$config['enable_spellcheck'] = true; +$config['spellcheck_engine'] = 'pspell'; // Mail servers -$config['default_host'] = $front; +$config['default_host'] = '{{ FRONT_ADDRESS or "front" }}'; $config['default_port'] = 10143; -$config['smtp_server'] = $front; +$config['smtp_server'] = '{{ FRONT_ADDRESS or "front" }}'; $config['smtp_port'] = 10025; $config['smtp_user'] = '%u'; $config['smtp_pass'] = '%p'; // Sieve script management -$config['managesieve_host'] = $imap; +$config['managesieve_host'] = '{{ IMAP_ADDRESS or "imap" }}'; $config['managesieve_usetls'] = false; -// Customization settings -if (filter_var(getenv('ADMIN'), FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE)) { - $config['support_url'] = getenv('WEB_ADMIN') ? '../..' . getenv('WEB_ADMIN') : ''; -} -$config['product_name'] = 'Mailu Webmail'; -array_push($config['plugins'], 'mailu'); -$config['sso_logout_url'] = '/sso/logout'; - // We access the IMAP and SMTP servers locally with internal names, SSL // will obviously fail but this sounds better than allowing insecure login // from the outter world @@ -56,11 +39,27 @@ $config['imap_conn_options'] = $ssl_no_check; $config['smtp_conn_options'] = $ssl_no_check; $config['managesieve_conn_options'] = $ssl_no_check; +// roundcube customization +$config['product_name'] = 'Mailu Webmail'; +{%- if ADMIN and WEB_ADMIN %} +$config['support_url'] = '../..{{ WEB_ADMIN }}'; +{%- endif %} +$config['plugins'] = array({{ PLUGINS }}); + // skin name: folder from skins/ $config['skin'] = 'elastic'; -// Enigma gpg plugin +// configure mailu sso plugin +$config['sso_logout_url'] = '/sso/logout'; + +// configure enigma gpg plugin $config['enigma_pgp_homedir'] = '/data/gpg'; -// Set From header for DKIM signed message delivery reports +// set From header for DKIM signed message delivery reports $config['mdn_use_from'] = true; + +// includes +{%- for inc in INCLUDES %} +include('{{ inc }}'); +{%- endfor %} + diff --git a/webmails/roundcube/healthcheck.sh b/webmails/roundcube/healthcheck.sh new file mode 100755 index 00000000..97ecf745 --- /dev/null +++ b/webmails/roundcube/healthcheck.sh @@ -0,0 +1,2 @@ +#!/bin/sh +SCRIPT_NAME=/ping SCRIPT_FILENAME=/ping REQUEST_METHOD=GET cgi-fcgi -bind -connect 127.0.0.1:9000 2>/dev/null | grep -qFx pong diff --git a/webmails/roundcube/mailu.php b/webmails/roundcube/mailu.php index f5079e98..0596ca9d 100644 --- a/webmails/roundcube/mailu.php +++ b/webmails/roundcube/mailu.php @@ -15,7 +15,14 @@ class mailu extends rcube_plugin function startup($args) { if (empty($_SESSION['user_id'])) { - $args['action'] = 'login'; + $args['action'] = 'login'; + } + + $ua = $_SERVER['HTTP_USER_AGENT']; + $ra = $_SERVER['REMOTE_ADDR']; + if ($ua == 'health' and ($ra == '127.0.0.1' or $ra == '::1')) { + print('OK'); + exit(); } return $args; @@ -23,10 +30,16 @@ class mailu extends rcube_plugin function authenticate($args) { - if (!in_array('HTTP_X_REMOTE_USER', $_SERVER) || !in_array('HTTP_X_REMOTE_USER_TOKEN', $_SERVER)) { + if (!array_key_exists('HTTP_X_REMOTE_USER', $_SERVER) or !array_key_exists('HTTP_X_REMOTE_USER_TOKEN', $_SERVER)) { + if ($_SERVER['PHP_SELF'] == '/sso.php') { header('HTTP/1.0 403 Forbidden'); - die(); + print('mailu sso failure'); + } else { + header('Location: sso.php'); + } + exit(); } + $args['user'] = $_SERVER['HTTP_X_REMOTE_USER']; $args['pass'] = $_SERVER['HTTP_X_REMOTE_USER_TOKEN']; @@ -36,30 +49,25 @@ class mailu extends rcube_plugin return $args; } - function logout($args) { - // Redirect to global SSO logout path. + // Redirect to global SSO logout path. + function logout($args) + { $this->load_config(); - $sso_logout_url = rcmail::get_instance()->config->get('sso_logout_url'); - header("Location: " . $sso_logout_url, true); - exit; + header('Location: ' . $sso_logout_url, true); + exit(); } function login($args) { - header('Location: index.php'); - exit(); + header('Location: index.php'); + exit(); } + function login_failed($args) { - $ua = $_SERVER['HTTP_USER_AGENT']; - $ra = $_SERVER['REMOTE_ADDR']; - if ($ua == 'health' and ($ra == '127.0.0.1' or $ra == '::1')) { - echo "OK"; - exit; - } - header('Location: sso.php'); - exit(); + header('Location: sso.php'); + exit(); } } diff --git a/webmails/roundcube/start.py b/webmails/roundcube/start.py index efaac357..13cbdd42 100755 --- a/webmails/roundcube/start.py +++ b/webmails/roundcube/start.py @@ -1,61 +1,105 @@ #!/usr/bin/python3 import os -import logging as log +import logging import sys from socrate import conf import subprocess +import hmac -log.basicConfig(stream=sys.stderr, level=os.environ.get("LOG_LEVEL", "WARNING")) +env = os.environ -os.environ["MAX_FILESIZE"] = str(int(int(os.environ.get("MESSAGE_SIZE_LIMIT")) * 0.66 / 1048576)) +logging.basicConfig(stream=sys.stderr, level=env.get("LOG_LEVEL", "WARNING")) -db_flavor = os.environ.get("ROUNDCUBE_DB_FLAVOR", "sqlite") +# jinja context +context = {} +context.update(env) + +context["MAX_FILESIZE"] = str(int(int(env.get("MESSAGE_SIZE_LIMIT", "50000000")) * 0.66 / 1048576)) + +db_flavor = env.get("ROUNDCUBE_DB_FLAVOR", "sqlite") if db_flavor == "sqlite": - os.environ["DB_DSNW"] = "sqlite:////data/roundcube.db" + context["DB_DSNW"] = "sqlite:////data/roundcube.db" elif db_flavor == "mysql": - os.environ["DB_DSNW"] = "mysql://%s:%s@%s/%s" % ( - os.environ.get("ROUNDCUBE_DB_USER", "roundcube"), - os.environ.get("ROUNDCUBE_DB_PW"), - os.environ.get("ROUNDCUBE_DB_HOST", "database"), - os.environ.get("ROUNDCUBE_DB_NAME", "roundcube") + context["DB_DSNW"] = "mysql://%s:%s@%s/%s" % ( + env.get("ROUNDCUBE_DB_USER", "roundcube"), + env.get("ROUNDCUBE_DB_PW"), + env.get("ROUNDCUBE_DB_HOST", "database"), + env.get("ROUNDCUBE_DB_NAME", "roundcube") ) elif db_flavor == "postgresql": - os.environ["DB_DSNW"] = "pgsql://%s:%s@%s/%s" % ( - os.environ.get("ROUNDCUBE_DB_USER", "roundcube"), - os.environ.get("ROUNDCUBE_DB_PW"), - os.environ.get("ROUNDCUBE_DB_HOST", "database"), - os.environ.get("ROUNDCUBE_DB_NAME", "roundcube") + context["DB_DSNW"] = "pgsql://%s:%s@%s/%s" % ( + env.get("ROUNDCUBE_DB_USER", "roundcube"), + env.get("ROUNDCUBE_DB_PW"), + env.get("ROUNDCUBE_DB_HOST", "database"), + env.get("ROUNDCUBE_DB_NAME", "roundcube") ) else: - print("Unknown ROUNDCUBE_DB_FLAVOR: %s", db_flavor) + print(f"Unknown ROUNDCUBE_DB_FLAVOR: {db_flavor}", file=sys.stderr) exit(1) -conf.jinja("/php.ini", os.environ, "/usr/local/etc/php/conf.d/roundcube.ini") +# derive roundcube secret key +secret_key = env.get("SECRET_KEY") +if not secret_key: + try: + secret_key = open(env.get("SECRET_KEY_FILE"), "r").read().strip() + except Exception as exc: + print(f"Can't read SECRET_KEY from file: {exc}", file=sys.stderr) + exit(2) -# Create dirs, setup permissions +context['SECRET_KEY'] = hmac.new(bytearray(secret_key, 'utf-8'), bytearray('ROUNDCUBE_KEY', 'utf-8'), 'sha256').hexdigest() + +# roundcube plugins +# (using "dict" because it is ordered and "set" is not) +plugins = dict((p, None) for p in env.get("ROUNDCUBE_PLUGINS", "").replace(" ", "").split(",") if p and os.path.isdir(os.path.join("/var/www/plugins", p))) +if plugins: + plugins["mailu"] = None +else: + plugins = dict((k, None) for k in ["archive", "zipdownload", "markasjunk", "managesieve", "enigma", "carddav", "mailu"]) + +context["PLUGINS"] = ",".join(f"'{p}'" for p in plugins) + +# add overrides +context["INCLUDES"] = sorted(inc for inc in os.listdir("/overrides") if inc.endswith(".inc")) if os.path.isdir("/overrides") else [] + +# create config files +conf.jinja("/php.ini", context, "/usr/local/etc/php/conf.d/roundcube.ini") +conf.jinja("/config.inc.php", context, "/var/www/html/config/config.inc.php") + +# create dirs os.system("mkdir -p /data/gpg") +print("Initializing database") try: - print("Initializing database") result = subprocess.check_output(["/var/www/html/bin/initdb.sh", "--dir", "/var/www/html/SQL"], stderr=subprocess.STDOUT) print(result.decode()) -except subprocess.CalledProcessError as e: - if "already exists" in e.stdout.decode(): +except subprocess.CalledProcessError as exc: + err = exc.stdout.decode() + if "already exists" in err: print("Already initialzed") else: - print(e.stdout.decode()) - quit(1) + print(err) + exit(3) +print("Upgrading database") try: - print("Upgrading database") subprocess.check_call(["/var/www/html/bin/update.sh", "--version=?", "-y"], stderr=subprocess.STDOUT) -except subprocess.CalledProcessError as e: - quit(1) +except subprocess.CalledProcessError as exc: + exit(4) +else: + print("Cleaning database") + try: + subprocess.check_call(["/var/www/html/bin/cleandb.sh"], stderr=subprocess.STDOUT) + except subprocess.CalledProcessError as exc: + exit(5) -# Setup database permissions +# setup permissions os.system("chown -R www-data:www-data /data") -# Run apache -os.execv("/usr/local/bin/apache2-foreground", ["apache2-foreground"]) +# clean env +[env.pop(key, None) for key in env.keys() if key == "SECRET_KEY" or key.startswith("ROUNDCUBE_")] + +# run apache +os.execve("/usr/local/bin/apache2-foreground", ["apache2-foreground"], env) +