diff --git a/README.md b/README.md index 4fa574c1..54045d28 100644 --- a/README.md +++ b/README.md @@ -22,7 +22,7 @@ Main features include: - **Web access**, multiple Webmails and administration interface - **User features**, aliases, auto-reply, auto-forward, fetched accounts - **Admin features**, global admins, announcements, per-domain delegation, quotas -- **Security**, enforced TLS, DANE, MTA-STS, Letsencrypt!, outgoing DKIM, anti-virus scanner, block malicious attachments +- **Security**, enforced TLS, DANE, MTA-STS, Letsencrypt!, outgoing DKIM, anti-virus scanner, [Snuffleupagus](https://github.com/jvoisin/snuffleupagus/), block malicious attachments - **Antispam**, auto-learn, greylisting, DMARC and SPF, anti-spoofing - **Freedom**, all FOSS components, no tracker included diff --git a/core/admin/mailu/configuration.py b/core/admin/mailu/configuration.py index d282bfc2..b2864b57 100644 --- a/core/admin/mailu/configuration.py +++ b/core/admin/mailu/configuration.py @@ -1,7 +1,6 @@ import os from datetime import timedelta -from socrate import system import ipaddress DEFAULT_CONFIG = { @@ -80,17 +79,9 @@ DEFAULT_CONFIG = { 'TLS_PERMISSIVE': True, 'TZ': 'Etc/UTC', 'DEFAULT_SPAM_THRESHOLD': 80, - # Host settings - 'HOST_IMAP': 'imap', - 'HOST_LMTP': 'imap:2525', - 'HOST_POP3': 'imap', - 'HOST_SMTP': 'smtp', - 'HOST_AUTHSMTP': 'smtp', - 'HOST_ADMIN': 'admin', - 'HOST_WEBMAIL': 'webmail', - 'HOST_WEBDAV': 'webdav:5232', - 'HOST_REDIS': 'redis', - 'HOST_FRONT': 'front', + 'PROXY_AUTH_WHITELIST': '', + 'PROXY_AUTH_HEADER': 'X-Auth-Email', + 'PROXY_AUTH_CREATE': False, 'SUBNET': '192.168.203.0/24', 'SUBNET6': None } @@ -108,19 +99,6 @@ class ConfigManager: def __init__(self): self.config = dict() - def get_host_address(self, name): - # if MYSERVICE_ADDRESS is defined, use this - if f'{name}_ADDRESS' in os.environ: - return os.environ.get(f'{name}_ADDRESS') - # otherwise use the host name and resolve it - return system.resolve_address(self.config[f'HOST_{name}']) - - def resolve_hosts(self): - for key in ['IMAP', 'POP3', 'AUTHSMTP', 'SMTP', 'REDIS']: - self.config[f'{key}_ADDRESS'] = self.get_host_address(key) - if self.config['WEBMAIL'] != 'none': - self.config['WEBMAIL_ADDRESS'] = self.get_host_address('WEBMAIL') - def __get_env(self, key, value): key_file = key + "_FILE" if key_file in os.environ: @@ -141,11 +119,14 @@ class ConfigManager: # get current app config self.config.update(app.config) # get environment variables + for key in os.environ: + if key.endswith('_ADDRESS'): + self.config[key] = os.environ[key] + self.config.update({ key: self.__coerce_value(self.__get_env(key, value)) for key, value in DEFAULT_CONFIG.items() }) - self.resolve_hosts() # automatically set the sqlalchemy string if self.config['DB_FLAVOR']: @@ -162,6 +143,7 @@ class ConfigManager: self.config['SESSION_COOKIE_SECURE'] = self.config['TLS_FLAVOR'] != 'notls' self.config['SESSION_PERMANENT'] = True self.config['SESSION_TIMEOUT'] = int(self.config['SESSION_TIMEOUT']) + self.config['SESSION_KEY_BITS'] = int(self.config['SESSION_KEY_BITS']) self.config['PERMANENT_SESSION_LIFETIME'] = int(self.config['PERMANENT_SESSION_LIFETIME']) self.config['AUTH_RATELIMIT_IP_V4_MASK'] = int(self.config['AUTH_RATELIMIT_IP_V4_MASK']) self.config['AUTH_RATELIMIT_IP_V6_MASK'] = int(self.config['AUTH_RATELIMIT_IP_V6_MASK']) @@ -171,6 +153,7 @@ class ConfigManager: self.config['HOSTNAMES'] = ','.join(hostnames) self.config['HOSTNAME'] = hostnames[0] self.config['DEFAULT_SPAM_THRESHOLD'] = int(self.config['DEFAULT_SPAM_THRESHOLD']) + self.config['PROXY_AUTH_WHITELIST'] = set(ipaddress.ip_network(cidr, False) for cidr in (cidr.strip() for cidr in self.config['PROXY_AUTH_WHITELIST'].split(',')) if cidr) # update the app config app.config.update(self.config) diff --git a/core/admin/mailu/dkim.py b/core/admin/mailu/dkim.py index e682c64c..7eda45d7 100644 --- a/core/admin/mailu/dkim.py +++ b/core/admin/mailu/dkim.py @@ -2,20 +2,20 @@ They are thus represented as ASCII armored PEM. """ -from OpenSSL import crypto +from cryptography.hazmat.primitives import serialization +from cryptography.hazmat.primitives.asymmetric import rsa -def gen_key(key_type=crypto.TYPE_RSA, bits=2048): +def gen_key(bits=2048): """ Generate and return a new RSA key. """ - key = crypto.PKey() - key.generate_key(key_type, bits) - return crypto.dump_privatekey(crypto.FILETYPE_PEM, key) + k = rsa.generate_private_key(public_exponent=65537, key_size=bits) + return k.private_bytes(encoding=serialization.Encoding.PEM,format=serialization.PrivateFormat.PKCS8,encryption_algorithm=serialization.NoEncryption()) def strip_key(pem): """ Return only the b64 part of the ASCII armored PEM. """ - key = crypto.load_privatekey(crypto.FILETYPE_PEM, pem) - public_pem = crypto.dump_publickey(crypto.FILETYPE_PEM, key) + priv_key = serialization.load_pem_private_key(pem, password=None) + public_pem = priv_key.public_key().public_bytes(encoding=serialization.Encoding.PEM,format=serialization.PublicFormat.SubjectPublicKeyInfo) return public_pem.replace(b"\n", b"").split(b"-----")[2] diff --git a/core/admin/mailu/internal/nginx.py b/core/admin/mailu/internal/nginx.py index 43e4dd6a..577e5a44 100644 --- a/core/admin/mailu/internal/nginx.py +++ b/core/admin/mailu/internal/nginx.py @@ -2,7 +2,6 @@ from mailu import models, utils from flask import current_app as app from socrate import system -import re import urllib import ipaddress import sqlalchemy.exc @@ -26,12 +25,14 @@ STATUSES = { }), } +WEBMAIL_PORTS = ['10143', '10025'] + def check_credentials(user, password, ip, protocol=None, auth_port=None): - if not user or not user.enabled or (protocol == "imap" and not user.enable_imap) or (protocol == "pop3" and not user.enable_pop): + if not user or not user.enabled or (protocol == "imap" and not user.enable_imap and not auth_port in WEBMAIL_PORTS) or (protocol == "pop3" and not user.enable_pop): return False is_ok = False # webmails - if auth_port in ['10143', '10025'] and password.startswith('token-'): + if auth_port in WEBMAIL_PORTS and password.startswith('token-'): if utils.verify_temp_token(user.get_id(), password): is_ok = True # All tokens are 32 characters hex lowercase @@ -126,20 +127,16 @@ def get_status(protocol, status): status, codes = STATUSES[status] return status, codes[protocol] -def extract_host_port(host_and_port, default_port): - host, _, port = re.match('^(.*?)(:([0-9]*))?$', host_and_port).groups() - return host, int(port) if port else default_port - def get_server(protocol, authenticated=False): if protocol == "imap": - hostname, port = extract_host_port(app.config['IMAP_ADDRESS'], 143) + hostname, port = app.config['IMAP_ADDRESS'], 143 elif protocol == "pop3": - hostname, port = extract_host_port(app.config['POP3_ADDRESS'], 110) + hostname, port = app.config['IMAP_ADDRESS'], 110 elif protocol == "smtp": if authenticated: - hostname, port = extract_host_port(app.config['AUTHSMTP_ADDRESS'], 10025) + hostname, port = app.config['SMTP_ADDRESS'], 10025 else: - hostname, port = extract_host_port(app.config['SMTP_ADDRESS'], 25) + hostname, port = app.config['SMTP_ADDRESS'], 25 try: # test if hostname is already resolved to an ip address ipaddress.ip_address(hostname) diff --git a/core/admin/mailu/internal/views/postfix.py b/core/admin/mailu/internal/views/postfix.py index 8188270c..62b400d3 100644 --- a/core/admin/mailu/internal/views/postfix.py +++ b/core/admin/mailu/internal/views/postfix.py @@ -143,8 +143,9 @@ def postfix_sender_login(sender): if localpart is None: return flask.jsonify(",".join(wildcard_senders)) if wildcard_senders else flask.abort(404) localpart = localpart[:next((i for i, ch in enumerate(localpart) if ch in flask.current_app.config.get('RECIPIENT_DELIMITER')), None)] - destinations = models.Email.resolve_destination(localpart, domain_name, True) or [] - destinations.extend(wildcard_senders) + destinations = set(models.Email.resolve_destination(localpart, domain_name, True) or []) + destinations.update(wildcard_senders) + destinations.update(i[0] for i in models.User.query.filter_by(allow_spoofing=True).with_entities(models.User.email).all()) if destinations: return flask.jsonify(",".join(idna_encode(destinations))) return flask.abort(404) diff --git a/core/admin/mailu/manage.py b/core/admin/mailu/manage.py index 098f1283..32619fe3 100644 --- a/core/admin/mailu/manage.py +++ b/core/admin/mailu/manage.py @@ -385,6 +385,7 @@ def config_export(full=False, secrets=False, color=False, dns=False, output=None 'dns': dns, } + old_umask = os.umask(0o077) try: schema = MailuSchema(only=only, context=context) if as_json: @@ -396,6 +397,8 @@ def config_export(full=False, secrets=False, color=False, dns=False, output=None if msg := log.format_exception(exc): raise click.ClickException(msg) from exc raise + finally: + os.umask(old_umask) @mailu.command() diff --git a/core/admin/mailu/models.py b/core/admin/mailu/models.py index 20eb6d85..a7d0d006 100644 --- a/core/admin/mailu/models.py +++ b/core/admin/mailu/models.py @@ -421,8 +421,7 @@ class Email(object): """ send an email to the address """ try: f_addr = f'{app.config["POSTMASTER"]}@{idna.encode(app.config["DOMAIN"]).decode("ascii")}' - ip, port = app.config['HOST_LMTP'].rsplit(':') - with smtplib.LMTP(ip, port=port) as lmtp: + with smtplib.LMTP(ip=app.config['IMAP_ADDRESS'], port=2525) as lmtp: to_address = f'{self.localpart}@{idna.encode(self.domain_name).decode("ascii")}' msg = text.MIMEText(body) msg['Subject'] = subject @@ -505,6 +504,7 @@ class User(Base, Email): # Features enable_imap = db.Column(db.Boolean, nullable=False, default=True) enable_pop = db.Column(db.Boolean, nullable=False, default=True) + allow_spoofing = db.Column(db.Boolean, nullable=False, default=False) # Filters forward_enabled = db.Column(db.Boolean, nullable=False, default=False) diff --git a/core/admin/mailu/schemas.py b/core/admin/mailu/schemas.py index ca3530fa..4a9792ec 100644 --- a/core/admin/mailu/schemas.py +++ b/core/admin/mailu/schemas.py @@ -19,7 +19,7 @@ from marshmallow_sqlalchemy.fields import RelatedList from flask_marshmallow import Marshmallow -from OpenSSL import crypto +from cryptography.hazmat.primitives import serialization from pygments import highlight from pygments.token import Token @@ -609,8 +609,8 @@ class DkimKeyField(fields.String): # check key validity try: - crypto.load_privatekey(crypto.FILETYPE_PEM, value) - except crypto.Error as exc: + serialization.load_pem_private_key(bytes(value, "ascii"), password=None) + except (UnicodeEncodeError, ValueError) as exc: raise ValidationError(f'invalid dkim key {bad_key!r}') from exc else: return value diff --git a/core/admin/mailu/sso/forms.py b/core/admin/mailu/sso/forms.py index ca124c02..c01ef572 100644 --- a/core/admin/mailu/sso/forms.py +++ b/core/admin/mailu/sso/forms.py @@ -5,7 +5,7 @@ import flask_wtf class LoginForm(flask_wtf.FlaskForm): class Meta: csrf = False - email = fields.StringField(_('E-mail'), [validators.Email(), validators.DataRequired()]) + email = fields.StringField(_('E-mail'), [validators.Email(), validators.DataRequired()], render_kw={'autofocus': True}) pw = fields.PasswordField(_('Password'), [validators.DataRequired()]) pwned = fields.HiddenField(label='', default=-1) submitWebmail = fields.SubmitField(_('Sign in')) diff --git a/core/admin/mailu/sso/views/base.py b/core/admin/mailu/sso/views/base.py index 6fa9403f..67f2319a 100644 --- a/core/admin/mailu/sso/views/base.py +++ b/core/admin/mailu/sso/views/base.py @@ -6,6 +6,8 @@ from mailu.ui import access from flask import current_app as app import flask import flask_login +import secrets +import ipaddress @sso.route('/login', methods=['GET', 'POST']) def login(): @@ -57,3 +59,41 @@ def logout(): flask.session.destroy() return flask.redirect(flask.url_for('.login')) + +@sso.route('/proxy', methods=['GET']) +@sso.route('/proxy/', methods=['GET']) +def proxy(target='webmail'): + ip = ipaddress.ip_address(flask.request.remote_addr) + if not any(ip in cidr for cidr in app.config['PROXY_AUTH_WHITELIST']): + return flask.abort(500, '%s is not on PROXY_AUTH_WHITELIST' % flask.request.remote_addr) + + email = flask.request.headers.get(app.config['PROXY_AUTH_HEADER']) + if not email: + return flask.abort(500, 'No %s header' % app.config['PROXY_AUTH_HEADER']) + + user = models.User.get(email) + if user: + flask.session.regenerate() + flask_login.login_user(user) + return flask.redirect(app.config['WEB_ADMIN'] if target=='admin' else app.config['WEB_WEBMAIL']) + + if not app.config['PROXY_AUTH_CREATE']: + return flask.abort(500, 'You don\'t exist. Go away! (%s)' % email) + + client_ip = flask.request.headers.get('X-Real-IP', flask.request.remote_addr) + try: + localpart, desireddomain = email.rsplit('@') + except Exception as e: + flask.current_app.logger.error('Error creating a new user via proxy for %s from %s: %s' % (email, client_ip, str(e)), e) + return flask.abort(500, 'You don\'t exist. Go away! (%s)' % email) + domain = models.Domain.query.get(desireddomain) or flask.abort(500, 'You don\'t exist. Go away! (domain=%s)' % desireddomain) + if not domain.max_users == -1 and len(domain.users) >= domain.max_users: + flask.current_app.logger.warning('Too many users for domain %s' % domain) + return flask.abort(500, 'Too many users in (domain=%s)' % domain) + user = models.User(localpart=localpart, domain=domain) + user.set_password(secrets.token_urlsafe()) + models.db.session.add(user) + models.db.session.commit() + user.send_welcome() + flask.current_app.logger.info(f'Login succeeded by proxy created user: {user} from {client_ip} through {flask.request.remote_addr}.') + return flask.redirect(app.config['WEB_ADMIN'] if target=='admin' else app.config['WEB_WEBMAIL']) diff --git a/core/admin/mailu/ui/forms.py b/core/admin/mailu/ui/forms.py index ec19bb0b..959f46b2 100644 --- a/core/admin/mailu/ui/forms.py +++ b/core/admin/mailu/ui/forms.py @@ -94,6 +94,7 @@ class UserForm(flask_wtf.FlaskForm): quota_bytes = fields_.IntegerSliderField(_('Quota'), default=10**9) enable_imap = fields.BooleanField(_('Allow IMAP access'), default=True) enable_pop = fields.BooleanField(_('Allow POP3 access'), default=True) + allow_spoofing = fields.BooleanField(_('Allow the user to spoof the sender (send email as anyone)'), default=False) displayed_name = fields.StringField(_('Displayed name')) comment = fields.StringField(_('Comment')) enabled = fields.BooleanField(_('Enabled'), default=True) diff --git a/core/admin/mailu/ui/templates/client.html b/core/admin/mailu/ui/templates/client.html index fddbe0d2..593fd258 100644 --- a/core/admin/mailu/ui/templates/client.html +++ b/core/admin/mailu/ui/templates/client.html @@ -21,7 +21,7 @@ {% trans %}Server name{% endtrans %} - 
{{ config["HOSTNAMES"] }}
+ 
{{ config["HOSTNAME"] }}
{% trans %}Username{% endtrans %} @@ -46,7 +46,7 @@ {% trans %}Server name{% endtrans %} - 
{{ config["HOSTNAMES"] }}
+ 
{{ config["HOSTNAME"] }}
{% trans %}Username{% endtrans %} diff --git a/core/admin/mailu/ui/templates/domain/create.html b/core/admin/mailu/ui/templates/domain/create.html index bc407d27..f0d5308d 100644 --- a/core/admin/mailu/ui/templates/domain/create.html +++ b/core/admin/mailu/ui/templates/domain/create.html @@ -10,7 +10,7 @@ {{ form.hidden_tag() }} {{ macros.form_field(form.name) }} {{ macros.form_fields((form.max_users, form.max_aliases)) }} - {{ macros.form_field(form.max_quota_bytes, step=10**9, max=50*10**9, data_infinity="true", + {{ macros.form_field(form.max_quota_bytes, step=50*10**6, max=50*10**9, data_infinity="true", prepend=' GB') }} {{ macros.form_field(form.signup_enabled) }} {{ macros.form_field(form.comment) }} diff --git a/core/admin/mailu/ui/templates/macros.html b/core/admin/mailu/ui/templates/macros.html index 90084246..31efd0e4 100644 --- a/core/admin/mailu/ui/templates/macros.html +++ b/core/admin/mailu/ui/templates/macros.html @@ -3,7 +3,7 @@ {%- for fieldname, errors in form.errors.items() %} {%- if bootstrap_is_hidden_field(form[fieldname]) %} {%- for error in errors %} -

{{error}}

+

{{error}}

{%- endfor %} {%- endif %} {%- endfor %} @@ -13,7 +13,7 @@ {%- macro form_field_errors(field) %} {%- if field.errors %} {%- for error in field.errors %} -

{{ error }}

+

{{ error }}

{%- endfor %} {%- endif %} {%- endmacro %} @@ -23,7 +23,7 @@
{%- for field in fields %} -
+
{%- if field.__class__.__name__ == 'list' %} {%- for subfield in field %} {{ form_individual_field(subfield, prepend=prepend, append=append, label=label, **kwargs) }} @@ -38,12 +38,13 @@ {%- endmacro %} {%- macro form_individual_field(field, prepend='', append='', label=True, class_="") %} + {%- set fieldclass=" ".join(["form-control"] + ([class_] if class_ else []) + (["is-invalid"] if field.errors else [])) %} {%- if field.type == "BooleanField" %} {{ field(**kwargs) }}  {{ field.label if label else '' }} {%- else %} {{ field.label if label else '' }}{{ form_field_errors(field) }} {%- if prepend %}
{%- elif append %}
{%- endif %} - {{ prepend|safe }}{{ field(class_=("form-control " + class_) if class_ else "form-control", **kwargs) }}{{ append|safe }} + {{ prepend|safe }}{{ field(class_=fieldclass, **kwargs) }}{{ append|safe }} {%- if prepend or append %}
{%- endif %} {%- endif %} {%- endmacro %} diff --git a/core/admin/mailu/ui/templates/user/create.html b/core/admin/mailu/ui/templates/user/create.html index 9a32243d..495e788b 100644 --- a/core/admin/mailu/ui/templates/user/create.html +++ b/core/admin/mailu/ui/templates/user/create.html @@ -21,10 +21,11 @@ {%- endcall %} {%- call macros.card(_("Features and quotas"), theme="success") %} - {{ macros.form_field(form.quota_bytes, step=1000000000, max=(max_quota_bytes or domain.max_quota_bytes or 50*10**9), data_infinity="true", + {{ macros.form_field(form.quota_bytes, step=50*10**6, max=(max_quota_bytes or domain.max_quota_bytes or 50*10**9), data_infinity="true", prepend=' GB') }} {{ macros.form_field(form.enable_imap) }} {{ macros.form_field(form.enable_pop) }} + {{ macros.form_field(form.allow_spoofing) }} {%- endcall %} {{ macros.form_field(form.submit) }} diff --git a/core/admin/mailu/ui/templates/user/list.html b/core/admin/mailu/ui/templates/user/list.html index 14626212..1c845062 100644 --- a/core/admin/mailu/ui/templates/user/list.html +++ b/core/admin/mailu/ui/templates/user/list.html @@ -39,9 +39,10 @@   {{ user }} - - {% if user.enable_imap %}imap{% endif %} - {% if user.enable_pop %}pop3{% endif %} + + {% if user.enable_imap %}imap{% endif %} + {% if user.enable_pop %}pop3{% endif %} + {% if user.allow_spoofing %}allow-spoofing{% endif %} {{ user.quota_bytes_used | filesizeformat }} / {{ (user.quota_bytes | filesizeformat) if user.quota_bytes else '∞' }} {{ user.comment or '-' }} diff --git a/core/admin/migrations/versions/7ac252f2bbbf_.py b/core/admin/migrations/versions/7ac252f2bbbf_.py new file mode 100644 index 00000000..039ab8b6 --- /dev/null +++ b/core/admin/migrations/versions/7ac252f2bbbf_.py @@ -0,0 +1,22 @@ +""" Add user.allow_spoofing + +Revision ID: 7ac252f2bbbf +Revises: 8f9ea78776f4 +Create Date: 2022-11-20 08:57:16.879152 + +""" + +# revision identifiers, used by Alembic. +revision = '7ac252f2bbbf' +down_revision = 'f4f0f89e0047' + +from alembic import op +import sqlalchemy as sa + + +def upgrade(): + op.add_column('user', sa.Column('allow_spoofing', sa.Boolean(), nullable=False, server_default=sa.sql.expression.false())) + + +def downgrade(): + op.drop_column('user', 'allow_spoofing') diff --git a/core/admin/migrations/versions/f4f0f89e0047_.py b/core/admin/migrations/versions/f4f0f89e0047_.py index 8d20063c..da38dffb 100644 --- a/core/admin/migrations/versions/f4f0f89e0047_.py +++ b/core/admin/migrations/versions/f4f0f89e0047_.py @@ -21,5 +21,5 @@ def upgrade(): def downgrade(): with op.batch_alter_table('fetch') as batch: - batch.drop_column('fetch', 'folders') - batch.drop_column('fetch', 'scan') + batch.drop_column('folders') + batch.drop_column('scan') diff --git a/core/admin/run_dev.sh b/core/admin/run_dev.sh index cf05fba3..947ad873 100755 --- a/core/admin/run_dev.sh +++ b/core/admin/run_dev.sh @@ -75,12 +75,15 @@ ENV \ DEBUG_ASSETS="/app/static" \ DEBUG_TB_INTERCEPT_REDIRECTS=False \ \ - IMAP_ADDRESS="127.0.0.1" \ - POP3_ADDRESS="127.0.0.1" \ - AUTHSMTP_ADDRESS="127.0.0.1" \ + ADMIN_ADDRESS="127.0.0.1" \ + FRONT_ADDRESS="127.0.0.1" \ SMTP_ADDRESS="127.0.0.1" \ + IMAP_ADDRESS="127.0.0.1" \ REDIS_ADDRESS="127.0.0.1" \ - WEBMAIL_ADDRESS="127.0.0.1" + ANTIVIRUS_ADDRESS="127.0.0.1" \ + ANTISPAM_ADDRESS="127.0.0.1" \ + WEBMAIL_ADDRESS="127.0.0.1" \ + WEBDAV_ADDRESS="127.0.0.1" CMD ["/bin/bash", "-c", "flask db upgrade &>/dev/null && flask mailu admin '${DEV_ADMIN/@*}' '${DEV_ADMIN#*@}' '${DEV_PASSWORD}' --mode ifmissing >/dev/null; flask --debug run --host=0.0.0.0 --port=8080"] EOF diff --git a/core/admin/start.py b/core/admin/start.py index e2163398..6aa0d1a4 100755 --- a/core/admin/start.py +++ b/core/admin/start.py @@ -4,6 +4,7 @@ import os import logging as log from pwd import getpwnam import sys +from socrate import system os.system("chown mailu:mailu -R /dkim") os.system("find /data | grep -v /fetchmail | xargs -n1 chown mailu:mailu") @@ -12,6 +13,7 @@ os.setgid(mailu_id.pw_gid) os.setuid(mailu_id.pw_uid) log.basicConfig(stream=sys.stderr, level=os.environ.get("LOG_LEVEL", "INFO")) +system.set_env(['SECRET']) os.system("flask mailu advertise") os.system("flask db upgrade") diff --git a/core/base/Dockerfile b/core/base/Dockerfile index 20e8b055..82c8cb9b 100644 --- a/core/base/Dockerfile +++ b/core/base/Dockerfile @@ -1,7 +1,7 @@ # syntax=docker/dockerfile-upstream:1.4.3 # base system image (intermediate) -ARG DISTRO=alpine:3.16.3 +ARG DISTRO=alpine:3.17.0 FROM $DISTRO as system ENV TZ=Etc/UTC LANG=C.UTF-8 @@ -15,13 +15,24 @@ RUN set -euxo pipefail \ ; apk add --no-cache bash ca-certificates curl python3 tzdata libcap \ ; machine="$(uname -m)" \ ; ! [[ "${machine}" == x86_64 ]] \ - || apk add --no-cache --repository=http://dl-cdn.alpinelinux.org/alpine/edge/testing hardened-malloc + || apk add --no-cache --repository=http://dl-cdn.alpinelinux.org/alpine/edge/testing hardened-malloc==11-r0 -ENV LD_PRELOAD=/usr/lib/libhardened_malloc.so -ENV CXXFLAGS="-g -O2 -fdebug-prefix-map=/app=. -fstack-protector-strong -Wformat -Werror=format-security -fstack-clash-protection -fexceptions" -ENV CFLAGS="-g -O2 -fdebug-prefix-map=/app=. -fstack-protector-strong -Wformat -Werror=format-security -fstack-clash-protection -fexceptions" -ENV CPPFLAGS="-Wdate-time -D_FORTIFY_SOURCE=2" -ENV LDFLAGS="-Wl,-z,noexecstack -Wl,-z,relro -Wl,-z,now" +ENV \ + LD_PRELOAD="/usr/lib/libhardened_malloc.so" \ + CXXFLAGS="-g -O2 -fdebug-prefix-map=/app=. -fstack-protector-strong -Wformat -Werror=format-security -fstack-clash-protection -fexceptions" \ + CFLAGS="-g -O2 -fdebug-prefix-map=/app=. -fstack-protector-strong -Wformat -Werror=format-security -fstack-clash-protection -fexceptions" \ + CPPFLAGS="-Wdate-time -D_FORTIFY_SOURCE=2" \ + LDFLAGS="-Wl,-z,noexecstack -Wl,-z,relro -Wl,-z,now" \ + ADMIN_ADDRESS="admin" \ + FRONT_ADDRESS="front" \ + SMTP_ADDRESS="smtp" \ + IMAP_ADDRESS="imap" \ + OLETOOLS_ADDRESS="oletools" \ + REDIS_ADDRESS="redis" \ + ANTIVIRUS_ADDRESS="antivirus" \ + ANTISPAM_ADDRESS="antispam" \ + WEBMAIL_ADDRESS="webmail" \ + WEBDAV_ADDRESS="webdav" WORKDIR /app @@ -49,29 +60,34 @@ ENV PATH="${VIRTUAL_ENV}/bin:${PATH}" COPY requirements-${MAILU_DEPS}.txt ./ COPY libs/ libs/ -RUN set -euxo pipefail \ - ; pip install -r requirements-${MAILU_DEPS}.txt || \ - { \ - machine="$(uname -m)" \ - ; deps="build-base gcc libffi-dev python3-dev" \ - ; [[ "${machine}" != x86_64 ]] && \ - deps="${deps} cargo git libressl-dev mariadb-connector-c-dev postgresql-dev" \ - ; apk add --virtual .build-deps ${deps} \ - ; [[ "${machine}" == armv7* ]] && \ - mkdir -p /root/.cargo/registry/index && \ - git clone --bare https://github.com/rust-lang/crates.io-index.git /root/.cargo/registry/index/github.com-1285ae84e5963aae \ - ; pip install -r requirements-${MAILU_DEPS}.txt \ - ; apk del -r .build-deps \ - ; rm -rf /root/.cargo /tmp/*.pem \ - ; } \ - ; rm -rf /root/.cache +ARG SNUFFLEUPAGUS_VERSION=0.8.3 +ENV SNUFFLEUPAGUS_URL https://github.com/jvoisin/snuffleupagus/archive/refs/tags/v$SNUFFLEUPAGUS_VERSION.tar.gz +RUN set -euxo pipefail \ + ; machine="$(uname -m)" \ + ; deps="build-base gcc libffi-dev python3-dev" \ + ; [[ "${machine}" != x86_64 ]] && \ + deps="${deps} cargo git libretls-dev mariadb-connector-c-dev postgresql-dev" \ + ; apk add --virtual .build-deps ${deps} \ + ; [[ "${machine}" == armv7* ]] && \ + mkdir -p /root/.cargo/registry/index && \ + git clone --bare https://github.com/rust-lang/crates.io-index.git /root/.cargo/registry/index/github.com-1285ae84e5963aae \ + ; pip install -r requirements-${MAILU_DEPS}.txt \ + ; curl -sL ${SNUFFLEUPAGUS_URL} | tar xz \ + ; cd snuffleupagus-$SNUFFLEUPAGUS_VERSION \ + ; rm -rf src/tests/*php7*/ src/tests/*session*/ src/tests/broken_configuration/ src/tests/*cookie* src/tests/upload_validation/ \ + ; apk add --virtual .build-deps php81-dev php81-cgi php81-simplexml php81-xml pcre-dev build-base php81-pear php81-openssl re2c \ + ; pecl install vld-beta \ + ; make -j $(grep -c processor /proc/cpuinfo) release \ + ; cp src/.libs/snuffleupagus.so /app \ + ; rm -rf /root/.cargo /tmp/*.pem /root/.cache # base mailu image FROM system COPY --from=build /app/venv/ /app/venv/ -RUN setcap 'cap_net_bind_service=+ep' /app/venv/bin/gunicorn +COPY --chown=root:root --from=build /app/snuffleupagus.so /usr/lib/php81/modules/ +RUN setcap 'cap_net_bind_service=+ep' /app/venv/bin/gunicorn 'cap_net_bind_service=+ep' /usr/bin/python3.10 ENV VIRTUAL_ENV=/app/venv ENV PATH="${VIRTUAL_ENV}/bin:${PATH}" diff --git a/core/base/libs/socrate/socrate/system.py b/core/base/libs/socrate/socrate/system.py index d4e3802a..96247158 100644 --- a/core/base/libs/socrate/socrate/system.py +++ b/core/base/libs/socrate/socrate/system.py @@ -1,7 +1,8 @@ +import hmac +import logging as log +import os import socket import tenacity -from os import environ -import logging as log @tenacity.retry(stop=tenacity.stop_after_attempt(100), wait=tenacity.wait_random(min=2, max=5)) @@ -15,24 +16,32 @@ def resolve_hostname(hostname): log.warn("Unable to lookup '%s': %s",hostname,e) raise e +def _coerce_value(value): + if isinstance(value, str) and value.lower() in ('true','yes'): + return True + elif isinstance(value, str) and value.lower() in ('false', 'no'): + return False + return value -def resolve_address(address): - """ This function is identical to ``resolve_hostname`` but also supports - resolving an address, i.e. including a port. - """ - hostname, *rest = address.rsplit(":", 1) - ip_address = resolve_hostname(hostname) - if ":" in ip_address: - ip_address = "[{}]".format(ip_address) - return ip_address + "".join(":" + port for port in rest) +def set_env(required_secrets=[]): + """ This will set all the environment variables and retains only the secrets we need """ + secret_key = os.environ.get('SECRET_KEY') + if not secret_key: + try: + secret_key = open(os.environ.get("SECRET_KEY_FILE"), "r").read().strip() + except Exception as exc: + log.error(f"Can't read SECRET_KEY from file: {exc}") + raise exc + clean_env() + # derive the keys we need + for secret in required_secrets: + os.environ[f'{secret}_KEY'] = hmac.new(bytearray(secret_key, 'utf-8'), bytearray(secret, 'utf-8'), 'sha256').hexdigest() + return { + key: _coerce_value(os.environ.get(key, value)) + for key, value in os.environ.items() + } -def get_host_address_from_environment(name, default): - """ This function looks up an envionment variable ``{{ name }}_ADDRESS``. - If it's defined, it is returned unmodified. If it's undefined, an environment - variable ``HOST_{{ name }}`` is looked up and resolved to an ip address. - If this is also not defined, the default is resolved to an ip address. - """ - if "{}_ADDRESS".format(name) in environ: - return environ.get("{}_ADDRESS".format(name)) - return resolve_address(environ.get("HOST_{}".format(name), default)) +def clean_env(): + """ remove all secret keys """ + [os.environ.pop(key, None) for key in os.environ.keys() if key.endswith("_KEY")] diff --git a/core/base/libs/socrate/test.py b/core/base/libs/socrate/test.py index f6088345..03977685 100644 --- a/core/base/libs/socrate/test.py +++ b/core/base/libs/socrate/test.py @@ -78,40 +78,5 @@ class TestSystem(unittest.TestCase): "2001:db8::f00" ) - - def test_resolve_address(self): - self.assertEqual( - system.resolve_address("1.2.3.4.sslip.io:80"), - "1.2.3.4:80" - ) - self.assertEqual( - system.resolve_address("2001-db8--f00.sslip.io:80"), - "[2001:db8::f00]:80" - ) - - def test_get_host_address_from_environment(self): - if "TEST_ADDRESS" in os.environ: - del os.environ["TEST_ADDRESS"] - if "HOST_TEST" in os.environ: - del os.environ["HOST_TEST"] - # if nothing is set, the default must be resolved - self.assertEqual( - system.get_host_address_from_environment("TEST", "1.2.3.4.sslip.io:80"), - "1.2.3.4:80" - ) - # if HOST is set, the HOST must be resolved - os.environ['HOST_TEST']="1.2.3.5.sslip.io:80" - self.assertEqual( - system.get_host_address_from_environment("TEST", "1.2.3.4.sslip.io:80"), - "1.2.3.5:80" - ) - # if ADDRESS is set, the ADDRESS must be returned unresolved - os.environ['TEST_ADDRESS']="1.2.3.6.sslip.io:80" - self.assertEqual( - system.get_host_address_from_environment("TEST", "1.2.3.4.sslip.io:80"), - "1.2.3.6.sslip.io:80" - ) - - if __name__ == "__main__": unittest.main() diff --git a/core/base/requirements-dev.txt b/core/base/requirements-dev.txt index 70f719cf..5a9df4b1 100644 --- a/core/base/requirements-dev.txt +++ b/core/base/requirements-dev.txt @@ -27,7 +27,6 @@ mysql-connector-python==8.0.29 passlib psycopg2-binary Pygments -pyOpenSSL PyYAML redis SQLAlchemy diff --git a/core/dovecot/conf/dovecot.conf b/core/dovecot/conf/dovecot.conf index 7a987582..d9b85172 100644 --- a/core/dovecot/conf/dovecot.conf +++ b/core/dovecot/conf/dovecot.conf @@ -7,6 +7,10 @@ postmaster_address = {{ POSTMASTER }}@{{ DOMAIN }} hostname = {{ HOSTNAMES.split(",")[0] }} submission_host = {{ FRONT_ADDRESS }} +default_internal_user = dovecot +default_login_user = mail +default_internal_group = dovecot + ############### # Mailboxes ############### @@ -80,18 +84,13 @@ userdb { } service auth { - user = dovecot unix_listener auth-userdb { } } service auth-worker { unix_listener auth-worker { - user = dovecot - group = mail - mode = 0660 } - user = mail } ############### @@ -116,9 +115,9 @@ service imap-login { ############### # Delivery ############### +recipient_delimiter = {{ RECIPIENT_DELIMITER }} protocol lmtp { mail_plugins = $mail_plugins sieve - recipient_delimiter = {{ RECIPIENT_DELIMITER }} } service lmtp { diff --git a/core/dovecot/conf/ham.script b/core/dovecot/conf/ham.script index 57112747..7066d170 100755 --- a/core/dovecot/conf/ham.script +++ b/core/dovecot/conf/ham.script @@ -1,9 +1,8 @@ #!/bin/bash -{% set hostname,port = ANTISPAM_WEBUI_ADDRESS.split(':') %} -RSPAMD_HOST="$(getent hosts {{ hostname }}|cut -d\ -f1):{{ port }}" +RSPAMD_HOST="$(getent hosts {{ ANTISPAM_ADDRESS }}|cut -d\ -f1):11334" if [[ $? -ne 0 ]] then - echo "Failed to lookup {{ ANTISPAM_WEBUI_ADDRESS }}" >&2 + echo "Failed to lookup {{ ANTISPAM_ADDRESS }}" >&2 exit 1 fi diff --git a/core/dovecot/conf/spam.script b/core/dovecot/conf/spam.script index 2e3872b0..94d664ae 100755 --- a/core/dovecot/conf/spam.script +++ b/core/dovecot/conf/spam.script @@ -1,9 +1,8 @@ #!/bin/bash -{% set hostname,port = ANTISPAM_WEBUI_ADDRESS.split(':') %} -RSPAMD_HOST="$(getent hosts {{ hostname }}|cut -d\ -f1):{{ port }}" +RSPAMD_HOST="$(getent hosts {{ ANTISPAM_ADDRESS }}|cut -d\ -f1):11334" if [[ $? -ne 0 ]] then - echo "Failed to lookup {{ ANTISPAM_WEBUI_ADDRESS }}" >&2 + echo "Failed to lookup {{ ANTISPAM_ADDRESS }}" >&2 exit 1 fi diff --git a/core/dovecot/start.py b/core/dovecot/start.py index a8c85ebf..4da7a09c 100755 --- a/core/dovecot/start.py +++ b/core/dovecot/start.py @@ -5,14 +5,18 @@ import glob import multiprocessing import logging as log import sys +from pwd import getpwnam from podop import run_server from socrate import system, conf log.basicConfig(stream=sys.stderr, level=os.environ.get("LOG_LEVEL", "WARNING")) +system.set_env() def start_podop(): - os.setuid(8) + id_mail = getpwnam('mail') + os.setgid(id_mail.pw_gid) + os.setuid(id_mail.pw_uid) url = "http://" + os.environ["ADMIN_ADDRESS"] + "/internal/dovecot/§" run_server(0, "dovecot", "/tmp/podop.socket", [ ("quota", "url", url ), @@ -21,10 +25,6 @@ def start_podop(): ]) # Actual startup script -os.environ["FRONT_ADDRESS"] = system.get_host_address_from_environment("FRONT", "front") -os.environ["ADMIN_ADDRESS"] = system.get_host_address_from_environment("ADMIN", "admin") -os.environ["ANTISPAM_WEBUI_ADDRESS"] = system.get_host_address_from_environment("ANTISPAM_WEBUI", "antispam:11334") - for dovecot_file in glob.glob("/conf/*.conf"): conf.jinja(dovecot_file, os.environ, os.path.join("/etc/dovecot", os.path.basename(dovecot_file))) @@ -35,7 +35,8 @@ for script_file in glob.glob("/conf/*.script"): os.chmod(out_file, 0o555) # Run Podop, then postfix -multiprocessing.Process(target=start_podop).start() os.system("chown mail:mail /mail") os.system("chown -R mail:mail /var/lib/dovecot /conf") + +multiprocessing.Process(target=start_podop).start() os.execv("/usr/sbin/dovecot", ["dovecot", "-c", "/etc/dovecot/dovecot.conf", "-F"]) diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf index f9278f38..b373fb13 100644 --- a/core/nginx/conf/nginx.conf +++ b/core/nginx/conf/nginx.conf @@ -77,12 +77,12 @@ http { root /static; # Variables for proxifying set $admin {{ ADMIN_ADDRESS }}; - set $antispam {{ ANTISPAM_WEBUI_ADDRESS }}; + set $antispam {{ ANTISPAM_ADDRESS }}:11334; {% if WEBMAIL_ADDRESS %} set $webmail {{ WEBMAIL_ADDRESS }}; {% endif %} {% if WEBDAV_ADDRESS %} - set $webdav {{ WEBDAV_ADDRESS }}; + set $webdav {{ WEBDAV_ADDRESS }}:5232; {% endif %} client_max_body_size {{ MESSAGE_SIZE_LIMIT|int + 8388608 }}; diff --git a/core/nginx/config.py b/core/nginx/config.py index 7930ff12..cee8bce4 100755 --- a/core/nginx/config.py +++ b/core/nginx/config.py @@ -5,8 +5,8 @@ import logging as log import sys from socrate import system, conf +system.set_env() args = os.environ.copy() - log.basicConfig(stream=sys.stderr, level=args.get("LOG_LEVEL", "WARNING")) args['TLS_PERMISSIVE'] = str(args.get('TLS_PERMISSIVE')).lower() not in ('false', 'no') @@ -17,13 +17,6 @@ with open("/etc/resolv.conf") as handle: resolver = content[content.index("nameserver") + 1] args["RESOLVER"] = f"[{resolver}]" if ":" in resolver else resolver -args["ADMIN_ADDRESS"] = system.get_host_address_from_environment("ADMIN", "admin") -args["ANTISPAM_WEBUI_ADDRESS"] = system.get_host_address_from_environment("ANTISPAM_WEBUI", "antispam:11334") -if args["WEBMAIL"] != "none": - args["WEBMAIL_ADDRESS"] = system.get_host_address_from_environment("WEBMAIL", "webmail") -if args["WEBDAV"] != "none": - args["WEBDAV_ADDRESS"] = system.get_host_address_from_environment("WEBDAV", "webdav:5232") - # TLS configuration cert_name = os.getenv("TLS_CERT_FILENAME", default="cert.pem") keypair_name = os.getenv("TLS_KEYPAIR_FILENAME", default="key.pem") diff --git a/core/postfix/conf/main.cf b/core/postfix/conf/main.cf index f3b789f9..2f0275b7 100644 --- a/core/postfix/conf/main.cf +++ b/core/postfix/conf/main.cf @@ -81,7 +81,7 @@ virtual_mailbox_maps = ${podop}mailbox # Mails are transported if required, then forwarded to Dovecot for delivery relay_domains = ${podop}transport transport_maps = lmdb:/etc/postfix/transport.map, ${podop}transport -virtual_transport = lmtp:inet:{{ LMTP_ADDRESS }} +virtual_transport = lmtp:inet:{{ IMAP_ADDRESS }}:2525 # Sender and recipient canonical maps, mostly for SRS sender_canonical_maps = ${podop}sendermap @@ -126,7 +126,7 @@ unverified_recipient_reject_reason = Address lookup failure # Milter ############### -smtpd_milters = inet:{{ ANTISPAM_MILTER_ADDRESS }} +smtpd_milters = inet:{{ ANTISPAM_ADDRESS }}:11332 milter_protocol = 6 milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen} milter_default_action = tempfail diff --git a/core/postfix/start.py b/core/postfix/start.py index 509f961a..b9a058f7 100755 --- a/core/postfix/start.py +++ b/core/postfix/start.py @@ -13,6 +13,9 @@ from pwd import getpwnam from socrate import system, conf log.basicConfig(stream=sys.stderr, level=os.environ.get("LOG_LEVEL", "WARNING")) +system.set_env() + +os.system("flock -n /queue/pid/master.pid rm /queue/pid/master.pid") def start_podop(): os.setuid(getpwnam('postfix').pw_uid) @@ -43,10 +46,6 @@ def is_valid_postconf_line(line): # Actual startup script os.environ['DEFER_ON_TLS_ERROR'] = os.environ['DEFER_ON_TLS_ERROR'] if 'DEFER_ON_TLS_ERROR' in os.environ else 'True' -os.environ["FRONT_ADDRESS"] = system.get_host_address_from_environment("FRONT", "front") -os.environ["ADMIN_ADDRESS"] = system.get_host_address_from_environment("ADMIN", "admin") -os.environ["ANTISPAM_MILTER_ADDRESS"] = system.get_host_address_from_environment("ANTISPAM_MILTER", "antispam:11332") -os.environ["LMTP_ADDRESS"] = system.get_host_address_from_environment("LMTP", "imap:2525") os.environ["POSTFIX_LOG_SYSLOG"] = os.environ.get("POSTFIX_LOG_SYSLOG","local") os.environ["POSTFIX_LOG_FILE"] = os.environ.get("POSTFIX_LOG_FILE", "") diff --git a/core/rspamd/conf/antivirus.conf b/core/rspamd/conf/antivirus.conf index 1d492850..53da0768 100644 --- a/core/rspamd/conf/antivirus.conf +++ b/core/rspamd/conf/antivirus.conf @@ -3,7 +3,7 @@ clamav { scan_mime_parts = true; symbol = "CLAM_VIRUS"; type = "clamav"; - servers = "{{ ANTIVIRUS_ADDRESS }}"; + servers = "{{ ANTIVIRUS_ADDRESS }}:3310"; {% if ANTIVIRUS_ACTION|default('discard') == 'reject' %} action = "reject" {% endif %} diff --git a/core/rspamd/start.py b/core/rspamd/start.py index b285ca03..507da65d 100755 --- a/core/rspamd/start.py +++ b/core/rspamd/start.py @@ -6,19 +6,13 @@ import logging as log import requests import sys import time -from socrate import system, conf +from socrate import system,conf log.basicConfig(stream=sys.stderr, level=os.environ.get("LOG_LEVEL", "WARNING")) +system.set_env() # Actual startup script -os.environ["REDIS_ADDRESS"] = system.get_host_address_from_environment("REDIS", "redis") -os.environ["ADMIN_ADDRESS"] = system.get_host_address_from_environment("ADMIN", "admin") -os.environ["OLETOOLS_ADDRESS"] = system.get_host_address_from_environment("OLETOOLS", "oletools:11343") - -if os.environ.get("ANTIVIRUS") == 'clamav': - os.environ["ANTIVIRUS_ADDRESS"] = system.get_host_address_from_environment("ANTIVIRUS", "antivirus:3310") - for rspamd_file in glob.glob("/conf/*"): conf.jinja(rspamd_file, os.environ, os.path.join("/etc/rspamd/local.d", os.path.basename(rspamd_file))) diff --git a/docs/configuration.rst b/docs/configuration.rst index fee15737..5ecfa347 100644 --- a/docs/configuration.rst +++ b/docs/configuration.rst @@ -255,32 +255,22 @@ virus mails during SMTP dialogue, so the sender will receive a reject message. Infrastructure settings ----------------------- -Various environment variables ``HOST_*`` can be used to run Mailu containers +Various environment variables ``*_ADDRESS`` can be used to run Mailu containers separately from a supported orchestrator. It is used by the various components -to find the location of the other containers it depends on. They can contain an -optional port number. Those variables are: +to find the location of the other containers it depends on. Those variables are: -- ``HOST_IMAP``: the container that is running the IMAP server (default: ``imap``, port 143) -- ``HOST_LMTP``: the container that is running the LMTP server (default: ``imap:2525``) -- ``HOST_HOSTIMAP``: the container that is running the IMAP server for the webmail (default: ``imap``, port 10143) -- ``HOST_POP3``: the container that is running the POP3 server (default: ``imap``, port 110) -- ``HOST_SMTP``: the container that is running the SMTP server (default: ``smtp``, port 25) -- ``HOST_AUTHSMTP``: the container that is running the authenticated SMTP server for the webnmail (default: ``smtp``, port 10025) -- ``HOST_ADMIN``: the container that is running the admin interface (default: ``admin``) -- ``HOST_ANTISPAM_MILTER``: the container that is running the antispam milter service (default: ``antispam:11332``) -- ``HOST_ANTISPAM_WEBUI``: the container that is running the antispam webui service (default: ``antispam:11334``) -- ``HOST_ANTIVIRUS``: the container that is running the antivirus service (default: ``antivirus:3310``) -- ``HOST_WEBMAIL``: the container that is running the webmail (default: ``webmail``) -- ``HOST_WEBDAV``: the container that is running the webdav server (default: ``webdav:5232``) -- ``HOST_REDIS``: the container that is running the redis daemon (default: ``redis``) -- ``HOST_WEBMAIL``: the container that is running the webmail (default: ``webmail``) +- ``ADMIN_ADDRESS`` +- ``ANTISPAM_ADDRESS`` +- ``ANTIVIRUS_ADDRESS`` +- ``FRONT_ADDRESS`` +- ``IMAP_ADDRESS`` +- ``REDIS_ADDRESS`` +- ``SMTP_ADDRESS`` +- ``WEBDAV_ADDRESS`` +- ``WEBMAIL_ADDRESS`` -The startup scripts will resolve ``HOST_*`` to their IP addresses and store the result in ``*_ADDRESS`` for further use. - -Alternatively, ``*_ADDRESS`` can directly be set. In this case, the values of ``*_ADDRESS`` is kept and not -resolved. This can be used to rely on DNS based service discovery with changing services IP addresses. -When using ``*_ADDRESS``, the hostnames must be full-qualified hostnames. Otherwise nginx will not be able to -resolve the hostnames. +These are used for DNS based service discovery with possibly changing services IP addresses. +``*_ADDRESS`` values must be fully qualified domain names without port numbers. .. _db_settings: @@ -368,3 +358,15 @@ It can be configured with the following option: When ``POSTFIX_LOG_FILE`` is enabled, the logrotate program will automatically rotate the logs every week and keep 52 logs. To override the logrotate configuration, create the file logrotate.conf with the desired configuration in the :ref:`Postfix overrides folder`. + + +Header authentication using an external proxy +--------------------------------------------- + +The ``PROXY_AUTH_WHITELIST`` (default: unset/disabled) option allows you to configure a comma separated list of CIDRs of proxies to trust for authentication. This list is separate from ``REAL_IP_FROM`` and any entry in ``PROXY_AUTH_WHITELIST`` should also appear in ``REAL_IP_FROM``. + +Use ``PROXY_AUTH_HEADER`` (default: 'X-Auth-Email') to customize which HTTP header the email address of the user to authenticate as should be and ``PROXY_AUTH_CREATE`` (default: False) to control whether non-existing accounts should be auto-created. Please note that Mailu doesn't currently support creating new users for non-existing domains; you do need to create all the domains that may be used manually. + +Once configured, any request to /sso/proxy will be redirected to the webmail and /sso/proxy/admin to the admin panel. Please check issue `1972` for more details. + +.. _`1972`: https://github.com/Mailu/Mailu/issues/1972 diff --git a/docs/contributors/environment.rst b/docs/contributors/environment.rst index 5949fbe5..25f6fbc0 100644 --- a/docs/contributors/environment.rst +++ b/docs/contributors/environment.rst @@ -130,8 +130,8 @@ To re-build only specific containers at a later time. docker buildx bake -f tests/build.hcl admin webdav -If you have to push the images to Docker Hub for testing in Docker Swarm or a remote -host, you have to define ``DOCKER_ORG`` (usually your Docker user-name) and login to +If you have to push the images to Docker Hub for testing, you have to +define ``DOCKER_ORG`` (usually your Docker user-name) and login to the hub. .. code-block:: bash diff --git a/docs/contributors/guidelines.rst b/docs/contributors/guidelines.rst index d55f9adf..8644d83e 100644 --- a/docs/contributors/guidelines.rst +++ b/docs/contributors/guidelines.rst @@ -54,7 +54,7 @@ Architecture What setups should be supported ``````````````````````````````` -Mailu supports out-of-the-box Docker Compose, Docker Swarm and Kubernetes +Mailu supports out-of-the-box Docker Compose and Kubernetes environments. In those environments, it consists of many containers and supports hosting some of those containers in a separate environment. diff --git a/docs/faq.rst b/docs/faq.rst index 7782e93c..bd0f4d17 100644 --- a/docs/faq.rst +++ b/docs/faq.rst @@ -195,9 +195,8 @@ Mailu will start to function on IPv6: How does Mailu scale up? ```````````````````````` -Recent works allow Mailu to be deployed in Docker Swarm and Kubernetes. -This means it can be scaled horizontally. For more information, refer to :ref:`kubernetes` -or the `Docker swarm howto`_. +Recent works allow Mailu to be deployed in Docker Kubernetes. +This means it can be scaled horizontally. For more information, refer to :ref:`kubernetes`. *Issue reference:* `165`_, `520`_. @@ -360,7 +359,6 @@ How do I use webdav (radicale)? .. _`Rspamd`: https://www.rspamd.com/doc/configuration/index.html .. _`Roundcube`: https://github.com/roundcube/roundcubemail/wiki/Configuration#customize-the-look -.. _`Docker swarm howto`: https://github.com/Mailu/Mailu/tree/master/docs/swarm/master .. _`125`: https://github.com/Mailu/Mailu/issues/125 .. _`165`: https://github.com/Mailu/Mailu/issues/165 .. _`177`: https://github.com/Mailu/Mailu/issues/177 diff --git a/docs/index.rst b/docs/index.rst index bc10bb80..b73bf529 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -28,7 +28,7 @@ Main features include: - **Web access**, multiple Webmails and administration interface - **User features**, aliases, auto-reply, auto-forward, fetched accounts - **Admin features**, global admins, announcements, per-domain delegation, quotas -- **Security**, enforced TLS, DANE, MTA-STS, Letsencrypt!, outgoing DKIM, anti-virus scanner, block malicious attachments +- **Security**, enforced TLS, DANE, MTA-STS, Letsencrypt!, outgoing DKIM, anti-virus scanner, [Snuffleupagus](https://github.com/jvoisin/snuffleupagus/), block malicious attachments - **Antispam**, auto-learn, greylisting, DMARC and SPF, anti-spoofing - **Freedom**, all FOSS components, no tracker included diff --git a/docs/swarm/1.5/README.md b/docs/swarm/1.5/README.md deleted file mode 100644 index 5af4c9dd..00000000 --- a/docs/swarm/1.5/README.md +++ /dev/null @@ -1,364 +0,0 @@ -# Install Mailu on a docker swarm - -## Prerequisites - -### Swarm - -In order to deploy Mailu on a swarm, you will first need to initialize the swarm: - -The main command will be: -```bash -docker swarm init --advertise-addr -``` -See https://docs.docker.com/engine/swarm/swarm-tutorial/create-swarm/ - -If you want to add other managers or workers, please use: -```bash -docker swarm join --token xxxxx -``` -See https://docs.docker.com/engine/swarm/join-nodes/ - -You have now a working swarm, and you can check its status with: -```bash -core@coreos-01 ~/git/Mailu/docs/swarm/1.5 $ docker node ls -ID HOSTNAME STATUS AVAILABILITY MANAGER STATUS ENGINE VERSION -xhgeekkrlttpmtgmapt5hyxrb black-pearl Ready Active 18.06.0-ce -sczlqjgfhehsfdjhfhhph1nvb * coreos-01 Ready Active Leader 18.03.1-ce -mzrm9nbdggsfz4sgq6dhs5i6n flying-dutchman Ready Active 18.06.0-ce -``` - -### Volume definition -For data persistence (the Mailu services might be launched/relaunched on any of the swarm nodes), we need to have Mailu data stored in a manner accessible by every manager or worker in the swarm. -Hereafter we will use a NFS share: -```bash -core@coreos-01 ~ $ showmount -e 192.168.0.30 -Export list for 192.168.0.30: -/mnt/Pool1/pv 192.168.0.0 -``` - -on the nfs server, I am using the following /etc/exports -```bash -$more /etc/exports -/mnt/Pool1/pv -alldirs -mapall=root -network 192.168.0.0 -mask 255.255.255.0 -``` -on the nfs server, I created the Mailu directory (in fact I copied a working Mailu set-up) -```bash -$mkdir /mnt/Pool1/pv/mailu -``` - -On your manager node, mount the nfs share to check that the share is available: -```bash -core@coreos-01 ~ $ sudo mount -t nfs 192.168.0.30:/mnt/Pool1/pv/mailu /mnt/local/ -``` -If this is ok, you can umount it: -```bash -core@coreos-01 ~ $ sudo umount /mnt/local/ -``` - - -### Networking mode -On a swarm, the services are available (default mode) through a routing mesh managed by docker itself. With this mode, each service is given a virtual IP adress and docker manages the routing between this virtual IP and the container(s) provinding this service. -With this default networking mode, I cannot get login working properly... As found in https://github.com/Mailu/Mailu/issues/375 , a workaround is to use the dnsrr networking mode at least for the front services. - -The main consequence/limitation will be that the front services will *not* be available on every node, but only on the node where it will be deployed. In my case, I have only one manager and I choose to deploy the front service to the manager node, so I know on wich IP the front service will be available (aka the IP adress of my manager node). - -### Variable substitution and docker-compose.yml -The docker stack deploy command doesn't support variable substitution in the .yml file itself (but we still can use .env file to pass variables to the services). As a consequence we need to adjust the docker-compose file in order to : -- remove all variables : $VERSION , $BIND_ADDRESS4 , $BIND_ADDRESS6 , $ANTIVIRUS , $WEBMAIL , etc -- change the way we define the volumes (nfs share in our case) -- add a deploy section for every service - -### Docker compose -An example of docker-compose-stack.yml file is available here: - -```yaml - -version: '3.2' - -services: - - front: - image: mailu/nginx:1.5 - env_file: .env - ports: - - target: 80 - published: 80 - mode: host - - target: 443 - published: 443 - mode: host - - target: 110 - published: 110 - mode: host - - target: 143 - published: 143 - mode: host - - target: 993 - published: 993 - mode: host - - target: 995 - published: 995 - mode: host - - target: 25 - published: 25 - mode: host - - target: 465 - published: 465 - mode: host - - target: 587 - published: 587 - mode: host - volumes: -# - "$ROOT/certs:/certs" - - type: volume - source: mailu_certs - target: /certs - deploy: - endpoint_mode: dnsrr - replicas: 1 - placement: - constraints: [node.role == manager] - - redis: - image: redis:alpine - restart: always - volumes: -# - "$ROOT/redis:/data" - - type: volume - source: mailu_redis - target: /data - deploy: - endpoint_mode: dnsrr - replicas: 1 - placement: - constraints: [node.role == manager] - - imap: - image: mailu/dovecot:1.5 - restart: always - env_file: .env - volumes: -# - "$ROOT/data:/data" - - type: volume - source: mailu_data - target: /data -# - "$ROOT/mail:/mail" - - type: volume - source: mailu_mail - target: /mail -# - "$ROOT/overrides:/overrides" - - type: volume - source: mailu_overrides - target: /overrides - depends_on: - - front - deploy: - endpoint_mode: dnsrr - replicas: 1 - placement: - constraints: [node.role == manager] - - smtp: - image: mailu/postfix:1.5 - restart: always - env_file: .env - volumes: -# - "$ROOT/data:/data" - - type: volume - source: mailu_data - target: /data -# - "$ROOT/overrides:/overrides" - - type: volume - source: mailu_overrides - target: /overrides - depends_on: - - front - deploy: - endpoint_mode: dnsrr - replicas: 1 - placement: - constraints: [node.role == manager] - - antispam: - image: mailu/rspamd:1.5 - restart: always - env_file: .env - depends_on: - - front - volumes: -# - "$ROOT/filter:/var/lib/rspamd" - - type: volume - source: mailu_filter - target: /var/lib/rspamd -# - "$ROOT/dkim:/dkim" - - type: volume - source: mailu_dkim - target: /dkim -# - "$ROOT/overrides/rspamd:/etc/rspamd/override.d" - - type: volume - source: mailu_overrides_rspamd - target: /etc/rspamd/override.d - deploy: - endpoint_mode: dnsrr - replicas: 1 - placement: - constraints: [node.role == manager] - - antivirus: - image: mailu/none:1.5 - restart: always - env_file: .env - volumes: -# - "$ROOT/filter:/data" - - type: volume - source: mailu_filter - target: /data - deploy: - endpoint_mode: dnsrr - replicas: 1 - placement: - constraints: [node.role == manager] - - webdav: - image: mailu/none:1.5 - restart: always - env_file: .env - volumes: -# - "$ROOT/dav:/data" - - type: volume - source: mailu_dav - target: /data - deploy: - endpoint_mode: dnsrr - replicas: 1 - placement: - constraints: [node.role == manager] - - admin: - image: mailu/admin:1.5 - restart: always - env_file: .env - volumes: -# - "$ROOT/data:/data" - - type: volume - source: mailu_data - target: /data -# - "$ROOT/dkim:/dkim" - - type: volume - source: mailu_dkim - target: /dkim - - /var/run/docker.sock:/var/run/docker.sock:ro - depends_on: - - redis - deploy: - endpoint_mode: dnsrr - replicas: 1 - placement: - constraints: [node.role == manager] - - webmail: - image: "mailu/roundcube:1.5" - restart: always - env_file: .env - volumes: -# - "$ROOT/webmail:/data" - - type: volume - source: mailu_data - target: /data - depends_on: - - imap - deploy: - endpoint_mode: dnsrr - replicas: 1 - placement: - constraints: [node.role == manager] - - fetchmail: - image: mailu/fetchmail:1.5 - restart: always - env_file: .env - volumes: -# - "$ROOT/data:/data" - - type: volume - source: mailu_data - target: /data - logging: - driver: none - deploy: - endpoint_mode: dnsrr - replicas: 1 - placement: - constraints: [node.role == manager] - -volumes: - mailu_filter: - driver_opts: - type: "nfs" - o: "addr=192.168.0.30,nolock,soft,rw" - device: ":/mnt/Pool1/pv/mailu/filter" - mailu_dkim: - driver_opts: - type: "nfs" - o: "addr=192.168.0.30,nolock,soft,rw" - device: ":/mnt/Pool1/pv/mailu/dkim" - mailu_overrides_rspamd: - driver_opts: - type: "nfs" - o: "addr=192.168.0.30,nolock,soft,rw" - device: ":/mnt/Pool1/pv/mailu/overrides/rspamd" - mailu_data: - driver_opts: - type: "nfs" - o: "addr=192.168.0.30,nolock,soft,rw" - device: ":/mnt/Pool1/pv/mailu/data" - mailu_mail: - driver_opts: - type: "nfs" - o: "addr=192.168.0.30,nolock,soft,rw" - device: ":/mnt/Pool1/pv/mailu/mail" - mailu_overrides: - driver_opts: - type: "nfs" - o: "addr=192.168.0.30,nolock,soft,rw" - device: ":/mnt/Pool1/pv/mailu/overrides" - mailu_dav: - driver_opts: - type: "nfs" - o: "addr=192.168.0.30,nolock,soft,rw" - device: ":/mnt/Pool1/pv/mailu/dav" - mailu_certs: - driver_opts: - type: "nfs" - o: "addr=192.168.0.30,nolock,soft,rw" - device: ":/mnt/Pool1/pv/mailu/certs" - mailu_redis: - driver_opts: - type: "nfs" - o: "addr=192.168.0.30,nolock,soft,rw" - device: ":/mnt/Pool1/pv/mailu/redis" -``` - -### Deploy Mailu on the docker swarm -Run the following command: -```bash -docker stack deploy -c docker-compose-stack.yml mailu -``` -See how the services are being deployed: -```bash -core@coreos-01 ~ $ docker service ls -ID NAME MODE REPLICAS IMAGE PORTS -ywnsetmtkb1l mailu_antivirus replicated 1/1 mailu/none:1.5 -pqokiaz0q128 mailu_fetchmail replicated 1/1 mailu/fetchmail:1.5 -``` -check a specific service: -```bash -core@coreos-01 ~ $ docker service ps mailu_fetchmail -ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR PORTS -tbu8ppgsdffj mailu_fetchmail.1 mailu/fetchmail:1.5 coreos-01 Running Running 11 days ago -``` - -### Remove the stack -Run the following command: -```bash -core@coreos-01 ~ $ docker stack rm mailu -``` diff --git a/docs/swarm/master/README.md b/docs/swarm/master/README.md deleted file mode 100644 index 56cec36d..00000000 --- a/docs/swarm/master/README.md +++ /dev/null @@ -1,337 +0,0 @@ -# Install Mailu on a docker swarm - -## Some warnings - -### How Docker swarm works - -Docker swarm enables replication and fail-over scenarios. As a feature, if a node dies or goes away, Docker will re-schedule it's containers on the remaining nodes. -In order to take this decisions, docker swarm works on a consensus between managers regarding the state of nodes. Therefore it recommends to always have an uneven amount of manager nodes. This will always give a majority on either halve of a potential network split. - -### Storage - -On top of this some of Mailu's containers heavily rely on disk storage. As noted below, every host will need the same dataset on every host where related containers are run. So Dovecot IMAP needs `/mailu/mail` replicated to every node it *may* be scheduled to run. There are various solutions for this like NFS and GlusterFS. - -### When disaster strikes - -So imagine 3 swarm nodes and 3 GlusterFS endpoints: - -``` -node-A -> gluster-A --| -node-B -> gluster-B --|--> Single file system -node-C -> gluster-C --| -``` - -Each node has a connection to the shared file system and maintains connections between the other nodes. Let's say Dovecot is running on `node-A`. Now a network error / outage occurs on the route between `node-A` and the remaining nodes, but stays connected to the `gluster-A` endpoint. `node-B` and `node-C` conclude that `node-A` is down. They reschedule Dovecot to start on either one of them. Dovecot starts reading and writing its indexes to the **shared** filesystem. However, it is possible the Dovecot on `node-A` is still up and handling some client requests. I've seen cases where this situations resulted in: - -- Retained locks -- Corrupted indexes -- Users no longer able to read any of mail -- Lost mail - -### It gets funkier - -Our original deployment also included `main.db` on the GlusterFS. Due to the above we corrupted it once and we decided to move it to local storage and restirct the `admin` container to that host only. This inspired us to put some legwork is supporting different database back-ends like MySQL and PostgreSQL. We highly recommend to use either of them, in favor of sqlite. - -### Conclusion - -Although the above situation is less-likely to occur on a stable (local) network, it does indicate a failure case where there is a probability of data-loss or downtime. It may help to create redundant networks, but the effort might be too much for the actual results. We will need to look into better and safer methods of replicating mail data. For now, we regret to have to inform you that Docker swarm deployment is **unstable** and should be avoided in production environments. - --- @muhlemmer, 17th of January 2019. - -## Prerequisites - -### Swarm - -In order to deploy Mailu on a swarm, you will first need to initialize the swarm: - -The main command will be: -```bash -docker swarm init --advertise-addr -``` -See https://docs.docker.com/engine/swarm/swarm-tutorial/create-swarm/ - -If you want to add other managers or workers, please use: -```bash -docker swarm join --token xxxxx -``` -See https://docs.docker.com/engine/swarm/join-nodes/ - -You have now a working swarm, and you can check its status with: -```bash -core@coreos-01 ~/git/Mailu/docs/swarm/1.5 $ docker node ls -ID HOSTNAME STATUS AVAILABILITY MANAGER STATUS ENGINE VERSION -xhgeekkrlttpmtgmapt5hyxrb black-pearl Ready Active 18.06.0-ce -sczlqjgfhehsfdjhfhhph1nvb * coreos-01 Ready Active Leader 18.03.1-ce -mzrm9nbdggsfz4sgq6dhs5i6n flying-dutchman Ready Active 18.06.0-ce -``` - -### Volume definition -For data persistence (the Mailu services might be launched/relaunched on any of the swarm nodes), we need to have Mailu data stored in a manner accessible by every manager or worker in the swarm. - -Hereafter we will assume that "Mailu Data" is available on every node at "$ROOT" (GlusterFS and nfs shares have been successfully used). - -On this example, we are using: -- the mesh routing mode (default mode). With this mode, each service is given a virtual IP adress and docker manages the routing between this virtual IP and the container(s) providing this service. -- the default ingress mode. - -### Allow authentification with the mesh routing -In order to allow every (front & webmail) container to access the other services, we will use the variable SUBNET. - -Let's create the mailu_default network: -```bash -core@coreos-01 ~ $ docker network create -d overlay --attachable mailu_default -core@coreos-01 ~ $ docker network inspect mailu_default | grep Subnet - "Subnet": "10.0.1.0/24", -``` -In the docker-compose.yml file, we will then use SUBNET = 10.0.1.0/24 -In fact, imap & smtp logs doesn't show the IPs from the front(s) container(s), but the IP of "mailu_default-endpoint". So it is sufficient to set SUBNET to this specific ip (which can be found by inspecting mailu_default network). The issue is that this endpoint is created while the stack is created, I did'nt figure a way to determine this IP before the stack creation... - -### Limitation with the ingress mode -With the default ingress mode, the front(s) container(s) will see origin IP(s) all being 10.255.0.x (which is the ingress-endpoint, can be found by inspecting the ingress network) - -This issue is known and discussed here: - -https://github.com/moby/moby/issues/25526 - -A workaround (using network host mode and global deployment) is discussed here: - -https://github.com/moby/moby/issues/25526#issuecomment-336363408 - -### Don't create an open relay ! -As a side effect of this ingress mode "feature", make sure that the ingress subnet is not in your RELAYHOST, otherwise you would create an smtp open relay :-( - -### Ratelimits - -When using ingress mode you probably want to disable rate limits, because all requests originate from the same ip address. Otherwise automatic login attempts can easily DoS the legitimate users. - -## Scalability -- smtp and imap are scalable -- front and webmail are scalable (pending SUBNET is used), although the let's encrypt magic might not like it (race condidtion ? or risk to be banned by let's encrypt server if too many front containers attemps to renew the certs at the same time) -- redis, antispam, antivirus, fetchmail, admin, webdav have not been tested (hence replicas=1 in the following docker-compose.yml file) - -## Docker secrets -There are DB_PW_FILE and SECRET_KEY_FILE environment variables available to specify files for these variables. These can be used to configure Docker secrets instead of writing the values directly into the `docker-compose.yml` or `mailu.env`. - -## Variable substitution and docker-compose.yml -The docker stack deploy command doesn't support variable substitution in the .yml file itself. -As a consequence, we cannot simply use ``` docker stack deploy -c docker.compose.yml mailu ``` -Instead, we will use the following work-around: -``` echo "$(docker-compose -f /mnt/docker/apps/mailu/docker-compose.yml config 2>/dev/null)" | docker stack deploy -c- mailu ``` - -We need also to: -- add a deploy section for every service -- modify the way the ports are defined for the front service -- add the SUBNET definition for admin (for imap), smtp and antispam services - -## Docker compose -An example of docker-compose-stack.yml file is available here: - -```yaml - -version: '3.2' - -services: - - front: - image: mailu/nginx:$VERSION - restart: always - env_file: .env - ports: - - target: 80 - published: 80 - - target: 443 - published: 443 - - target: 110 - published: 110 - - target: 143 - published: 143 - - target: 993 - published: 993 - - target: 995 - published: 995 - - target: 25 - published: 25 - - target: 465 - published: 465 - - target: 587 - published: 587 - volumes: - - "$ROOT/certs:/certs" - deploy: - replicas: 2 - - redis: - image: redis:alpine - restart: always - volumes: - - "$ROOT/redis:/data" - deploy: - replicas: 1 - - imap: - image: mailu/dovecot:$VERSION - restart: always - env_file: .env - volumes: - - "$ROOT/mail:/mail" - - "$ROOT/overrides:/overrides" - depends_on: - - front - deploy: - replicas: 2 - - smtp: - image: mailu/postfix:$VERSION - restart: always - env_file: .env - environment: - - SUBNET=10.0.1.0/24 - volumes: - - "$ROOT/overrides:/overrides" - depends_on: - - front - deploy: - replicas: 2 - - antispam: - image: mailu/rspamd:$VERSION - restart: always - env_file: .env - environment: - - SUBNET=10.0.1.0/24 - volumes: - - "$ROOT/filter:/var/lib/rspamd" - - "$ROOT/dkim:/dkim" - - "$ROOT/overrides/rspamd:/etc/rspamd/override.d" - depends_on: - - front - deploy: - replicas: 1 - - antivirus: - image: mailu/none:$VERSION - restart: always - env_file: .env - volumes: - - "$ROOT/filter:/data" - deploy: - replicas: 1 - - webdav: - image: mailu/none:$VERSION - restart: always - env_file: .env - volumes: - - "$ROOT/dav:/data" - deploy: - replicas: 1 - - admin: - image: mailu/admin:$VERSION - restart: always - env_file: .env - environment: - - SUBNET=10.0.1.0/24 - volumes: - - "$ROOT/data:/data" - - "$ROOT/dkim:/dkim" - - /var/run/docker.sock:/var/run/docker.sock:ro - depends_on: - - redis - deploy: - replicas: 1 - - webmail: - image: mailu/roundcube:$VERSION - restart: always - env_file: .env - volumes: - - "$ROOT/webmail:/data" - depends_on: - - imap - deploy: - replicas: 2 - - fetchmail: - image: mailu/fetchmail:$VERSION - restart: always - env_file: .env - volumes: - deploy: - replicas: 1 - -networks: - default: - external: - name: mailu_default -``` - -## Deploy Mailu on the docker swarm -Run the following command: -```bash -echo "$(docker-compose -f /mnt/docker/apps/mailu/docker-compose.yml config 2>/dev/null)" | docker stack deploy -c- mailu -``` -See how the services are being deployed: -```bash -core@coreos-01 ~ $ docker service ls -ID NAME MODE REPLICAS IMAGE PORTS -ywnsetmtkb1l mailu_antivirus replicated 1/1 mailu/none:master -pqokiaz0q128 mailu_fetchmail replicated 1/1 mailu/fetchmail:master -``` -check a specific service: -```bash -core@coreos-01 ~ $ docker service ps mailu_fetchmail -ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR PORTS -tbu8ppgsdffj mailu_fetchmail.1 mailu/fetchmail:master coreos-01 Running Running 11 days ago -``` -You might also have a look on the logs: -```bash -core@coreos-01 ~ $ docker service logs -f mailu_fetchmail -``` - -## Remove the stack -Run the following command: -```bash -core@coreos-01 ~ $ docker stack rm mailu -``` - -## Notes on unbound resolver - -In Docker compose flavor we currently have the option to include the unbound DNS resolver. This does not work in Docker Swarm, as it in not possible to configure any static IP addresses. There is an [open issue](https://github.com/moby/moby/issues/24170) for this at Docker. However, this doesn't seem to move anywhere since some time now. For that reasons we've chosen not to include the unbound resolver in the stack flavor. - -If you still want to benefit from Unbound as a system resolver, you can install it system-wide. The following procedure was done on a Fedora 28 system and might needs some adjustments for your system. Note that this will need to be done on every swarm node. In this example we will make use of `dnssec-trigger`, which is used to configure unbound. When installing this and running the service, unbound is pulled in as dependency and does not need to be installed, configured or run separately. - -Install required packages(unbound will be installed as dependency): - -``` -sudo dnf install dnssec-trigger -``` - -Enable and start the *dnssec-trigger* daemon: - -``` -sudo systemctl enable --now dnssec-triggerd.service -``` - -Configure NetworkManager to use unbound, create the file `/etc/NetworkManager/conf.d/unbound.conf` with contents: - -``` -[main] -dns=unbound -``` - -You might need to restart NetworkManager for the changes to take effect: - -``` -sudo systemctl restart NetworkManager -``` - -Verify `resolv.conf`: - -``` -$ cat /etc/resolv.conf -# Generated by dnssec-trigger-script -nameserver 127.0.0.1 -``` - -Most of this info was take from this [Fedora Project page](https://fedoraproject.org/wiki/Changes/Default_Local_DNS_Resolver#How_To_Test). diff --git a/docs/swarm/master/README_nfs_example.md b/docs/swarm/master/README_nfs_example.md deleted file mode 100644 index 2c4b8145..00000000 --- a/docs/swarm/master/README_nfs_example.md +++ /dev/null @@ -1,357 +0,0 @@ -# Install Mailu on a docker swarm - -## Prequisites - -### Swarm - -In order to deploy Mailu on a swarm, you will first need to initialize the swarm: - -The main command will be: -```bash -docker swarm init --advertise-addr -``` -See https://docs.docker.com/engine/swarm/swarm-tutorial/create-swarm/ - -If you want to add other managers or workers, please use: -```bash -docker swarm join --token xxxxx -``` -See https://docs.docker.com/engine/swarm/join-nodes/ - -You have now a working swarm, and you can check its status with: -```bash -core@coreos-01 ~/git/Mailu/docs/swarm/1.5 $ docker node ls -ID HOSTNAME STATUS AVAILABILITY MANAGER STATUS ENGINE VERSION -xhgeekkrlttpmtgmapt5hyxrb black-pearl Ready Active 18.06.0-ce -sczlqjgfhehsfdjhfhhph1nvb * coreos-01 Ready Active Leader 18.03.1-ce -mzrm9nbdggsfz4sgq6dhs5i6n flying-dutchman Ready Active 18.06.0-ce -``` - -### Volume definition -For data persistence (the Mailu services might be launched/relaunched on any of the swarm nodes), we need to have Mailu data stored in a manner accessible by every manager or worker in the swarm. -Hereafter we will use a NFS share: -```bash -core@coreos-01 ~ $ showmount -e 192.168.0.30 -Export list for 192.168.0.30: -/mnt/Pool1/pv 192.168.0.0 -``` - -on the nfs server, I am using the following /etc/exports -```bash -$more /etc/exports -/mnt/Pool1/pv -alldirs -mapall=root -network 192.168.0.0 -mask 255.255.255.0 -``` -on the nfs server, I created the Mailu directory (in fact I copied a working Mailu set-up) -```bash -$mkdir /mnt/Pool1/pv/mailu -``` - -On your manager node, mount the nfs share to check that the share is available: -```bash -core@coreos-01 ~ $ sudo mount -t nfs 192.168.0.30:/mnt/Pool1/pv/mailu /mnt/local/ -``` -If this is ok, you can umount it: -```bash -core@coreos-01 ~ $ sudo umount /mnt/local/ -``` - - -## Networking mode -On this example, we are using: -- the mesh routing mode (default mode). With this mode, each service is given a virtual IP address and docker manages the routing between this virtual IP and the container(s) providing this service. -- the default ingress mode. - -### Allow authentification with the mesh routing -In order to allow every (front & webmail) container to access the other services, we will use the variable SUBNET. - -Let's create the mailu_default network: -```bash -core@coreos-01 ~ $ docker network create -d overlay --attachable mailu_default -core@coreos-01 ~ $ docker network inspect mailu_default | grep Subnet - "Subnet": "10.0.1.0/24", -``` -In the docker-compose.yml file, we will then use SUBNET = 10.0.1.0/24 -In fact, imap & smtp logs doesn't show the IPs from the front(s) container(s), but the IP of "mailu_default-endpoint". So it is sufficient to set SUBNET to this specific ip (which can be found by inspecting mailu_default network). The issue is that this endpoint is created while the stack is created, I did'nt figure a way to determine this IP before the stack creation... - -### Limitation with the ingress mode -With the default ingress mode, the front(s) container(s) will see origin IP(s) all being 10.255.0.x (which is the ingress-endpoint, can be found by inspecting the ingress network) - -This issue is known and discussed here: - -https://github.com/moby/moby/issues/25526 - -A workaround (using network host mode and global deployment) is discussed here: - -https://github.com/moby/moby/issues/25526#issuecomment-336363408 - -### Don't create an open relay ! -As a side effect of this ingress mode "feature", make sure that the ingress subnet is not in your RELAYHOST, otherwise you would create an smtp open relay :-( - - -## Scalability -- smtp and imap are scalable -- front and webmail are scalable (pending SUBNET is used), although the let's encrypt magic might not like it (race condidtion ? or risk to be banned by let's encrypt server if too many front containers attemps to renew the certs at the same time) -- redis, antispam, antivirus, fetchmail, admin, webdav have not been tested (hence replicas=1 in the following docker-compose.yml file) - -## Variable substitution and docker-compose.yml -The docker stack deploy command doesn't support variable substitution in the .yml file itself. As a consequence, we need to use the following work-around: -``` echo "$(docker-compose -f /mnt/docker/apps/mailu/docker-compose.yml config 2>/dev/null)" | docker stack deploy -c- mailu ``` - -We need also to: -- change the way we define the volumes (nfs share in our case) -- add a deploy section for every service -- the way the ports are defined for the front service - -## Docker compose -An example of docker-compose-stack.yml file is available here: - -```yaml - -version: '3.2' - -services: - - front: - image: mailu/nginx:$VERSION - restart: always - env_file: .env - ports: - - target: 80 - published: 80 - - target: 443 - published: 443 - - target: 110 - published: 110 - - target: 143 - published: 143 - - target: 993 - published: 993 - - target: 995 - published: 995 - - target: 25 - published: 25 - - target: 465 - published: 465 - - target: 587 - published: 587 - volumes: -# - "$ROOT/certs:/certs" - - type: volume - source: mailu_certs - target: /certs - deploy: - replicas: 2 - - redis: - image: redis:alpine - restart: always - volumes: -# - "$ROOT/redis:/data" - - type: volume - source: mailu_redis - target: /data - deploy: - replicas: 1 - - imap: - image: mailu/dovecot:$VERSION - restart: always - env_file: .env - volumes: -# - "$ROOT/mail:/mail" - - type: volume - source: mailu_mail - target: /mail -# - "$ROOT/overrides:/overrides" - - type: volume - source: mailu_overrides - target: /overrides - depends_on: - - front - deploy: - replicas: 2 - - smtp: - image: mailu/postfix:$VERSION - restart: always - env_file: .env - environment: - - SUBNET=10.0.1.0/24 - volumes: -# - "$ROOT/overrides:/overrides" - - type: volume - source: mailu_overrides - target: /overrides - depends_on: - - front - deploy: - replicas: 2 - - antispam: - image: mailu/rspamd:$VERSION - restart: always - env_file: .env - environment: - - SUBNET=10.0.1.0/24 - depends_on: - - front - volumes: -# - "$ROOT/filter:/var/lib/rspamd" - - type: volume - source: mailu_filter - target: /var/lib/rspamd -# - "$ROOT/dkim:/dkim" - - type: volume - source: mailu_dkim - target: /dkim -# - "$ROOT/overrides/rspamd:/etc/rspamd/override.d" - - type: volume - source: mailu_overrides_rspamd - target: /etc/rspamd/override.d - deploy: - replicas: 1 - - antivirus: - image: mailu/none:$VERSION - restart: always - env_file: .env - volumes: -# - "$ROOT/filter:/data" - - type: volume - source: mailu_filter - target: /data - deploy: - replicas: 1 - - webdav: - image: mailu/none:$VERSION - restart: always - env_file: .env - volumes: -# - "$ROOT/dav:/data" - - type: volume - source: mailu_dav - target: /data - deploy: - replicas: 1 - - admin: - image: mailu/admin:$VERSION - restart: always - env_file: .env - environment: - - SUBNET=10.0.1.0/24 - volumes: -# - "$ROOT/data:/data" - - type: volume - source: mailu_data - target: /data -# - "$ROOT/dkim:/dkim" - - type: volume - source: mailu_dkim - target: /dkim - - /var/run/docker.sock:/var/run/docker.sock:ro - depends_on: - - redis - deploy: - replicas: 1 - - webmail: - image: mailu/roundcube:$VERSION - restart: always - env_file: .env - volumes: -# - "$ROOT/webmail:/data" - - type: volume - source: mailu_data - target: /data - depends_on: - - imap - deploy: - replicas: 2 - - fetchmail: - image: mailu/fetchmail:$VERSION - restart: always - env_file: .env - volumes: - deploy: - replicas: 1 - -networks: - default: - external: - name: mailu_default - -volumes: - mailu_filter: - driver_opts: - type: "nfs" - o: "addr=192.168.0.30,soft,rw" - device: ":/mnt/Pool1/pv/mailu/filter" - mailu_dkim: - driver_opts: - type: "nfs" - o: "addr=192.168.0.30,soft,rw" - device: ":/mnt/Pool1/pv/mailu/dkim" - mailu_overrides_rspamd: - driver_opts: - type: "nfs" - o: "addr=192.168.0.30,soft,rw" - device: ":/mnt/Pool1/pv/mailu/overrides/rspamd" - mailu_data: - driver_opts: - type: "nfs" - o: "addr=192.168.0.30,soft,rw" - device: ":/mnt/Pool1/pv/mailu/data" - mailu_mail: - driver_opts: - type: "nfs" - o: "addr=192.168.0.30,soft,rw" - device: ":/mnt/Pool1/pv/mailu/mail" - mailu_overrides: - driver_opts: - type: "nfs" - o: "addr=192.168.0.30,soft,rw" - device: ":/mnt/Pool1/pv/mailu/overrides" - mailu_dav: - driver_opts: - type: "nfs" - o: "addr=192.168.0.30,soft,rw" - device: ":/mnt/Pool1/pv/mailu/dav" - mailu_certs: - driver_opts: - type: "nfs" - o: "addr=192.168.0.30,soft,rw" - device: ":/mnt/Pool1/pv/mailu/certs" - mailu_redis: - driver_opts: - type: "nfs" - o: "addr=192.168.0.30,soft,rw" - device: ":/mnt/Pool1/pv/mailu/redis" -``` - -## Deploy Mailu on the docker swarm -Run the following command: -```bash -echo "$(docker-compose -f /mnt/docker/apps/mailu/docker-compose.yml config 2>/dev/null)" | docker stack deploy -c- mailu -``` -See how the services are being deployed: -```bash -core@coreos-01 ~ $ docker service ls -ID NAME MODE REPLICAS IMAGE PORTS -ywnsetmtkb1l mailu_antivirus replicated 1/1 mailu/none:master -pqokiaz0q128 mailu_fetchmail replicated 1/1 mailu/fetchmail:master -``` -check a specific service: -```bash -core@coreos-01 ~ $ docker service ps mailu_fetchmail -ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR PORTS -tbu8ppgsdffj mailu_fetchmail.1 mailu/fetchmail:master coreos-01 Running Running 11 days ago -``` - -## Remove the stack -Run the following command: -```bash -core@coreos-01 ~ $ docker stack rm mailu -``` diff --git a/docs/webadministration.rst b/docs/webadministration.rst index fde4a271..7e2a5728 100644 --- a/docs/webadministration.rst +++ b/docs/webadministration.rst @@ -325,7 +325,7 @@ This page also shows an overview of the following settings of an user: * Email. The email address of the user. -* Features. Shows if IMAP or POP3 access is enabled. +* Features. Shows if IMAP or POP3 access is enabled and whether the user should be allowed to spoof emails. * Storage quota. Shows how much assigned storage has been consumed. @@ -361,6 +361,8 @@ For adding a new user the following options can be configured. * Allow POP3 access. When ticked, allows email retrieval via the POP3 protocol. +* Allow the user to spoof the sender. When ticked, allows the user to send email as anyone. + Aliases ``````` diff --git a/optional/fetchmail/fetchmail.py b/optional/fetchmail/fetchmail.py index 62bd7124..97622feb 100755 --- a/optional/fetchmail/fetchmail.py +++ b/optional/fetchmail/fetchmail.py @@ -7,7 +7,6 @@ from pwd import getpwnam import tempfile import shlex import subprocess -import re import requests from socrate import system import sys @@ -34,11 +33,6 @@ poll "{host}" proto {protocol} port {port} """ -def extract_host_port(host_and_port, default_port): - host, _, port = re.match('^(.*?)(:([0-9]*))?$', host_and_port).groups() - return host, int(port) if port else default_port - - def escape_rc_string(arg): return "".join("\\x%2x" % ord(char) for char in arg) @@ -54,20 +48,7 @@ def fetchmail(fetchmailrc): def run(debug): try: - os.environ["SMTP_ADDRESS"] = system.get_host_address_from_environment("SMTP", "smtp") - os.environ["ADMIN_ADDRESS"] = system.get_host_address_from_environment("ADMIN", "admin") fetches = requests.get(f"http://{os.environ['ADMIN_ADDRESS']}/internal/fetch").json() - smtphost, smtpport = extract_host_port(os.environ["SMTP_ADDRESS"], None) - if smtpport is None: - smtphostport = smtphost - else: - smtphostport = "%s/%d" % (smtphost, smtpport) - os.environ["LMTP_ADDRESS"] = system.get_host_address_from_environment("LMTP", "imap:2525") - lmtphost, lmtpport = extract_host_port(os.environ["LMTP_ADDRESS"], None) - if lmtpport is None: - lmtphostport = lmtphost - else: - lmtphostport = "%s/%d" % (lmtphost, lmtpport) for fetch in fetches: fetchmailrc = "" options = "options antispam 501, 504, 550, 553, 554" @@ -79,7 +60,7 @@ def run(debug): protocol=fetch["protocol"], host=escape_rc_string(fetch["host"]), port=fetch["port"], - smtphost=smtphostport if fetch['scan'] else lmtphostport, + smtphost=f'{os.environ["SMTP_ADDRESS"]}' if fetch['scan'] else f'{os.environ["IMAP_ADDRESS"]}/2525', username=escape_rc_string(fetch["username"]), password=escape_rc_string(fetch["password"]), options=options, @@ -118,14 +99,15 @@ if __name__ == "__main__": os.chmod("/data/fetchids", 0o700) os.setgid(id_fetchmail.pw_gid) os.setuid(id_fetchmail.pw_uid) + config = system.set_env() while True: - delay = int(os.environ.get("FETCHMAIL_DELAY", 60)) + delay = int(os.environ.get('FETCHMAIL_DELAY', 60)) print("Sleeping for {} seconds".format(delay)) time.sleep(delay) - if not os.environ.get("FETCHMAIL_ENABLED", 'True') in ('True', 'true'): + if not config.get('FETCHMAIL_ENABLED', True): print("Fetchmail disabled, skipping...") continue - run(os.environ.get("DEBUG", None) == "True") + run(config.get('DEBUG', False)) sys.stdout.flush() diff --git a/optional/unbound/start.py b/optional/unbound/start.py index f3a5bee7..df768092 100755 --- a/optional/unbound/start.py +++ b/optional/unbound/start.py @@ -3,9 +3,10 @@ import os import logging as log import sys -from socrate import conf +from socrate import conf, system log.basicConfig(stream=sys.stderr, level=os.environ.get("LOG_LEVEL", "WARNING")) +system.set_env() conf.jinja("/unbound.conf", os.environ, "/etc/unbound/unbound.conf") diff --git a/setup/flavors/compose/docker-compose.yml b/setup/flavors/compose/docker-compose.yml index fe766c0d..1c3c968f 100644 --- a/setup/flavors/compose/docker-compose.yml +++ b/setup/flavors/compose/docker-compose.yml @@ -133,12 +133,15 @@ services: - "{{ root }}/overrides/rspamd:/etc/rspamd/override.d:ro" depends_on: - front -{% if oletools_enabled %} + {% if oletools_enabled %} - oletools -{% endif %} - - redis + {% endif %} + {% if antivirus_enabled %} + - antivirus + {% endif %} {% if resolver_enabled %} - resolver + - redis dns: - {{ dns }} {% endif %} diff --git a/setup/flavors/stack/docker-compose.yml b/setup/flavors/stack/docker-compose.yml deleted file mode 100644 index 809362df..00000000 --- a/setup/flavors/stack/docker-compose.yml +++ /dev/null @@ -1,139 +0,0 @@ -{% set env='mailu.env' %} -# This file is auto-generated by the Mailu configuration wizard. -# Please read the documentation before attempting any change. -# Generated for {{ flavor }} flavor - -version: '3.6' - -services: - -# External dependencies - redis: - image: redis:alpine - volumes: - - "{{ root }}/redis:/data" - -# Core services - front: - image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}nginx:${MAILU_VERSION:-{{ version }}} - env_file: {{ env }} - logging: - driver: {{ log_driver or 'json-file' }} - ports: - {% for port in (80, 443, 25, 465, 587, 110, 995, 143, 993) %} - - target: {{ port }} - published: {{ port }} - mode: overlay - {% endfor %} - volumes: - - "{{ root }}/certs:/certs" - - "{{ root }}/overrides/nginx:/overrides:ro" - deploy: - replicas: 1 - - admin: - image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}admin:${MAILU_VERSION:-{{ version }}} - env_file: {{ env }} - {% if not admin_enabled %} - ports: - - 127.0.0.1:8080:80 - {% endif %} - volumes: - - "{{ root }}/data:/data" - - "{{ root }}/dkim:/dkim" - deploy: - replicas: 1 - healthcheck: - disable: true - - imap: - image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}dovecot:${MAILU_VERSION:-{{ version }}} - env_file: {{ env }} - volumes: - - "{{ root }}/mail:/mail" - - "{{ root }}/overrides/dovecot:/overrides:ro" - deploy: - replicas: 1 - healthcheck: - disable: true - - smtp: - image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}postfix:${MAILU_VERSION:-{{ version }}} - env_file: {{ env }} - volumes: - - "{{ root }}/mailqueue:/queue" - - "{{ root }}/overrides/postfix:/overrides:ro" - deploy: - replicas: 1 - healthcheck: - disable: true - - antispam: - image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}rspamd:${MAILU_VERSION:-{{ version }}} - hostname: antispam - env_file: {{ env }} - volumes: - - "{{ root }}/filter:/var/lib/rspamd" - - "{{ root }}/overrides/rspamd:/etc/rspamd/override.d:ro" - deploy: - replicas: 1 - healthcheck: - disable: true - - # Optional services - {% if antivirus_enabled %} - antivirus: - image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}clamav:${MAILU_VERSION:-{{ version }}} - env_file: {{ env }} - volumes: - - "{{ root }}/filter:/data" - deploy: - replicas: 1 - healthcheck: - disable: true - {% endif %} - - {% if webdav_enabled %} - webdav: - image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}radicale:${MAILU_VERSION:-{{ version }}} - env_file: {{ env }} - volumes: - - "{{ root }}/dav:/data" - deploy: - replicas: 1 - healthcheck: - disable: true - {% endif %} - - {% if fetchmail_enabled %} - fetchmail: - image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}fetchmail:${MAILU_VERSION:-{{ version }}} - env_file: {{ env }} - volumes: - - "{{ root }}/data/fetchmail:/data" - deploy: - replicas: 1 - healthcheck: - disable: true - {% endif %} - - {% if webmail_type != 'none' %} - webmail: - image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}webmail:${MAILU_VERSION:-{{ version }}} - env_file: {{ env }} - volumes: - - "{{ root }}/webmail:/data" - - "{{ root }}/overrides/{{ webmail_type }}:/overrides:ro" - deploy: - replicas: 1 - healthcheck: - disable: true - {% endif %} - -networks: - default: - driver: overlay - ipam: - driver: default - config: - - subnet: {{ subnet }} diff --git a/setup/flavors/stack/mailu.env b/setup/flavors/stack/mailu.env deleted file mode 120000 index 7123102b..00000000 --- a/setup/flavors/stack/mailu.env +++ /dev/null @@ -1 +0,0 @@ -../compose/mailu.env \ No newline at end of file diff --git a/setup/flavors/stack/setup.html b/setup/flavors/stack/setup.html deleted file mode 100644 index 2a635562..00000000 --- a/setup/flavors/stack/setup.html +++ /dev/null @@ -1,65 +0,0 @@ -{% import "macros.html" as macros %} - -{% call macros.panel("info", "Step 1 - Download your configuration files") %} -

Docker Stack expects a project file, named docker-compose.yml -in a project directory. First create your project directory.

- -
mkdir -p {{ root }}/{redis,certs,data,data/fetchmail,dkim,mail,mailqueue,overrides/rspamd,overrides/postfix,overrides/dovecot,overrides/nginx,filter,dav,webmail}
-
- -

Then download the project file. A side configuration file makes it easier -to read and check the configuration variables generated by the wizard.

- -
cd {{ root }}
-wget {{ url_for('.file', uid=uid, _scheme='https', filepath='docker-compose.yml', _external=True) }}
-wget {{ url_for('.file', uid=uid, _scheme='https', filepath='mailu.env', _external=True) }}
-
-{% endcall %} - - -{% call macros.panel("info", "Step 2 - Review the configuration") %} -

We did not insert any malicious code on purpose in the configurations we -distribute, but your download could have been intercepted, or our wizard -website could have been compromised, so make sure you check the configuration -files before going any further.

- -

When you are done checking them, check them one last time.

-{% endcall %} - -{% call macros.panel("info", "Step 3 - Deploy docker stack") %} -

To deploy the docker stack use the following commands. For more information about setting up docker swarm nodes read the - docker documentation

- -
cd {{ root }}
-docker swarm init
-docker stack deploy -c docker-compose.yml mailu
-
- -In the docker stack deploy command, mailu is the app name. Feel free to change it.
-In order to display the running container you can use
-
docker ps
-or -
docker stack ps --no-trunc mailu
-Command for removing docker stack is -
docker stack rm mailu
- -Before you can use Mailu, you must create the primary administrator user account. This should be {{ postmaster }}@{{ domain }}. Use the following command, changing PASSWORD to your liking: - -
docker exec $(docker ps | grep admin | cut -d ' ' -f1) flask mailu admin {{ postmaster }} {{ domain }} PASSWORD
-
- -

Login to the admin interface to change the password for a safe one, at -{% if admin_enabled %} -one of the hostnames -{{ hostnames.split(',')[0] }}{{ admin_path }}. -{% else %} -http://127.0.0.1:8080/ui (only directly from the host running docker). -If you run mailu on a remote server, and wish to access the admin interface via a SSH tunnel, you can create a port-forward from your local machine to your server like -

ssh -L 127.0.0.1:8080:127.0.0.1:8080 <user>@<server>
-
-And access the above URL from your local machine. -
-{% endif %} -Also, choose the "Update password" option in the left menu. -

-{% endcall %} diff --git a/setup/server.py b/setup/server.py index 5be1fc83..622905ed 100644 --- a/setup/server.py +++ b/setup/server.py @@ -78,15 +78,12 @@ def build_app(path): @prefix_bp.route("/") @root_bp.route("/") def wizard(): - return flask.render_template('wizard.html') - - @prefix_bp.route("/submit_flavor", methods=["POST"]) - @root_bp.route("/submit_flavor", methods=["POST"]) - def submit_flavor(): - data = flask.request.form.copy() - subnet6 = random_ipv6_subnet() - steps = sorted(os.listdir(os.path.join(path, "templates", "steps", data["flavor"]))) - return flask.render_template('wizard.html', flavor=data["flavor"], steps=steps, subnet6=subnet6) + return flask.render_template( + 'wizard.html', + flavor="compose", + steps=sorted(os.listdir(os.path.join(path, "templates", "steps", "compose"))), + subnet6=random_ipv6_subnet() + ) @prefix_bp.route("/submit", methods=["POST"]) @root_bp.route("/submit", methods=["POST"]) diff --git a/setup/templates/steps/compose/02_services.html b/setup/templates/steps/compose/02_services.html index cb9ba807..2311e4a3 100644 --- a/setup/templates/steps/compose/02_services.html +++ b/setup/templates/steps/compose/02_services.html @@ -1,4 +1,4 @@ -{% call macros.panel("info", "Step 3 - Pick some features") %} +{% call macros.panel("info", "Step 2 - Pick some features") %}

Mailu comes with multiple base features, including a specific admin interface, Web email clients, antispam, antivirus, etc. In this section you can enable the services to you liking.

diff --git a/setup/templates/steps/compose/03_expose.html b/setup/templates/steps/compose/03_expose.html index 201ac3eb..c1d3ca8c 100644 --- a/setup/templates/steps/compose/03_expose.html +++ b/setup/templates/steps/compose/03_expose.html @@ -1,4 +1,4 @@ -{% call macros.panel("info", "Step 4 - expose Mailu to the world") %} +{% call macros.panel("info", "Step 3 - expose Mailu to the world") %}

A mail server must be exposed to the world to receive emails, send emails, and let users access their mailboxes. Mailu has some flexibility in the way you expose it to the world.

diff --git a/setup/templates/steps/config.html b/setup/templates/steps/config.html index 601bd740..5e503230 100644 --- a/setup/templates/steps/config.html +++ b/setup/templates/steps/config.html @@ -1,15 +1,4 @@ -{% if flavor == "stack" %} -{% call macros.panel("danger", "Docker stack / swarm is experimental") %} -Setup is capable of generating a somewhat decent docker-compose.yml, -for the docker stack flavor. However its usage is for advanced users only and is experimental. -Expect many challenges such as shared mail storage and fail-over scenarios! Some user experiences -have been shared on GitHub. -For this reason also think very hard about using a replica count higher than 1. This cannot be used with the default config. -Manual post-configuration is required for using a replica count higher than 1. -{% endcall %} -{% endif %} - -{% call macros.panel("info", "Step 2 - Initial configuration") %} +{% call macros.panel("info", "Step 1 - Initial configuration") %}

Before starting, some variables must be set.

diff --git a/setup/templates/steps/flavor.html b/setup/templates/steps/flavor.html deleted file mode 100644 index 9ef16aa0..00000000 --- a/setup/templates/steps/flavor.html +++ /dev/null @@ -1,13 +0,0 @@ -{% call macros.panel("info", "Step 1 - Pick a flavor") %} -

Mailu comes in multiple "flavors". It was originally -designed to run on top of Docker Compose but now offers multiple options -including Docker Stack, Rancher, Kubernetes.

-

Please note that "official" support, that is provided by the most active -developers will mostly cover Compose and Stack, while other flavors are -maintained by specific contributors.

- -
- {{ macros.radio("flavor", "compose", "Compose", "simply using Docker Compose manager", flavor) }} - {{ macros.radio("flavor", "stack", "Stack", "using stack deployments in a Swarm cluster", flavor) }} -
-{% endcall %} diff --git a/setup/templates/steps/stack/02_services.html b/setup/templates/steps/stack/02_services.html deleted file mode 100644 index 68519fa8..00000000 --- a/setup/templates/steps/stack/02_services.html +++ /dev/null @@ -1,62 +0,0 @@ -{% call macros.panel("info", "Step 3 - Pick some features") %} -

Mailu comes with multiple base features, including a specific admin -interface, Web email clients, antispam, antivirus, etc. -In this section you can enable the services to you liking.

- - -

A Webmail is a Web interface exposing an email client. Mailu webmails are -bound to the internal IMAP and SMTP server for users to access their mailbox through -the Web. By exposing a complex application such as a Webmail, you should be aware of -the security implications caused by such an increase of attack surface.

-

- -
- -

-
- -
-
- - -
- - - An antivirus server helps fighting large scale virus spreading campaigns that leverage - e-mail for initial infection. Make sure that you have at least 1GB of memory for ClamAV to - load its signature database. -
- - -
- - - A Webdav server exposes a Dav interface over HTTP so that clients can store - contacts or calendars using the mail account. -
- - -
- - - Fetchmail allows users to retrieve mail from an external mail-server via IMAP/POP3 and puts it in their inbox. -
- - - - - -{% endcall %} diff --git a/setup/templates/steps/stack/03_expose.html b/setup/templates/steps/stack/03_expose.html deleted file mode 100644 index 85b5e022..00000000 --- a/setup/templates/steps/stack/03_expose.html +++ /dev/null @@ -1,24 +0,0 @@ -{% call macros.panel("info", "Step 4 - expose Mailu to the world") %} -

A mail server must be exposed to the world to receive emails, send emails, -and let users access their mailboxes. Mailu has some flexibility in the way -you expose it to the world.

- -
- - -
- -

You server will be available under a main hostname but may expose multiple public -hostnames. Every e-mail domain that points to this server must have one of the -hostnames in its MX record. Hostnames must be comma-separated. If you're having -trouble accessing your admin interface, make sure it is the first entry here (and possibly the -same as your DOMAIN entry from earlier.

- -
- - - -
-{% endcall %} diff --git a/setup/templates/wizard.html b/setup/templates/wizard.html index e618b716..c98672a6 100644 --- a/setup/templates/wizard.html +++ b/setup/templates/wizard.html @@ -8,11 +8,6 @@ ready when using this wizard. {% endcall %} -
- {% include "steps/flavor.html" %} - -
- {% if flavor %}
{% include "steps/config.html" %} @@ -21,6 +16,5 @@ {% endfor %} {% include "steps/database.html" %} - {% endif %}
{% endblock %} diff --git a/towncrier/newsfragments/1341.misc b/towncrier/newsfragments/1341.misc new file mode 100644 index 00000000..53f8df91 --- /dev/null +++ b/towncrier/newsfragments/1341.misc @@ -0,0 +1,4 @@ +Remove HOST_* variables, use *_ADDRESS everywhere instead. Please note that those should only contain a FQDN (no port number). +Derive a different key for admin/SECRET_KEY; this will invalidate existing sessions +Ensure that rspamd starts after clamav +Only display a single HOSTNAME on the client configuration page diff --git a/towncrier/newsfragments/1483.bugfix b/towncrier/newsfragments/1483.bugfix new file mode 100644 index 00000000..16e28f39 --- /dev/null +++ b/towncrier/newsfragments/1483.bugfix @@ -0,0 +1 @@ +Remove postfix's master.pid on startup if there is no other instance running diff --git a/towncrier/newsfragments/1972.feature b/towncrier/newsfragments/1972.feature new file mode 100644 index 00000000..4efe45c9 --- /dev/null +++ b/towncrier/newsfragments/1972.feature @@ -0,0 +1 @@ +Implement Header authentication via external proxy diff --git a/towncrier/newsfragments/2242.misc b/towncrier/newsfragments/2242.misc new file mode 100644 index 00000000..cc03e55e --- /dev/null +++ b/towncrier/newsfragments/2242.misc @@ -0,0 +1 @@ +Make quotas adjustable in 50MiB increments diff --git a/towncrier/newsfragments/2372.feature b/towncrier/newsfragments/2372.feature new file mode 100644 index 00000000..ec2c5bef --- /dev/null +++ b/towncrier/newsfragments/2372.feature @@ -0,0 +1 @@ +Create a GUI for WILDCARD_SENDERS diff --git a/towncrier/newsfragments/2451.bugfix b/towncrier/newsfragments/2451.bugfix new file mode 100644 index 00000000..d7e821ea --- /dev/null +++ b/towncrier/newsfragments/2451.bugfix @@ -0,0 +1 @@ +Fix a bug preventing users without IMAP access to access the webmails diff --git a/towncrier/newsfragments/2550.misc b/towncrier/newsfragments/2550.misc new file mode 100644 index 00000000..fcd5dacf --- /dev/null +++ b/towncrier/newsfragments/2550.misc @@ -0,0 +1 @@ +Add Snuffleupagus to protect webmails (a Suhosin replacement) diff --git a/towncrier/newsfragments/2570.misc b/towncrier/newsfragments/2570.misc new file mode 100644 index 00000000..ec31181e --- /dev/null +++ b/towncrier/newsfragments/2570.misc @@ -0,0 +1 @@ +Upgrade to Alpine 3.17.0 diff --git a/towncrier/newsfragments/2577.misc b/towncrier/newsfragments/2577.misc new file mode 100644 index 00000000..a9c467cf --- /dev/null +++ b/towncrier/newsfragments/2577.misc @@ -0,0 +1 @@ +Autofocus the login form on /sso/login diff --git a/webmails/Dockerfile b/webmails/Dockerfile index 5d0bc23b..cf70abe8 100644 --- a/webmails/Dockerfile +++ b/webmails/Dockerfile @@ -7,22 +7,23 @@ LABEL version=$VERSION COPY snappymail/pubkey.asc /tmp/snappymail.asc COPY roundcube/pubkey.asc /tmp/roundcube.asc +COPY roundcube/roundcube.diff /tmp/roundcube.diff RUN set -euxo pipefail \ ; apk add --no-cache \ - nginx gpg gpg-agent \ + nginx gpg gpg-agent patch \ php81 php81-fpm php81-mbstring php81-zip php81-xml php81-simplexml php81-pecl-apcu \ - php81-dom php81-curl php81-exif gd php81-gd php81-iconv php81-intl php81-openssl \ + php81-dom php81-curl php81-exif gd php81-gd php81-iconv php81-intl php81-openssl php81-ctype \ php81-pdo_sqlite php81-pdo_mysql php81-pdo_pgsql php81-pdo php81-sodium libsodium php81-tidy php81-pecl-uuid \ - php81-pspell php81-pecl-imagick php81-opcache php81-session php81-sockets php81-fileinfo \ + php81-pspell php81-pecl-imagick php81-opcache php81-session php81-sockets php81-fileinfo php81-xmlreader php81-xmlwriter \ aspell-uk aspell-ru aspell-fr aspell-de aspell-en \ ; rm /etc/nginx/http.d/default.conf \ ; rm /etc/php81/php-fpm.d/www.conf \ - ; ln -s /usr/bin/php81 /usr/bin/php \ ; gpg --import /tmp/snappymail.asc \ ; gpg --import /tmp/roundcube.asc \ - ; mkdir -p /run/nginx \ - ; mkdir -p /conf + ; echo extension=snuffleupagus > /etc/php81/conf.d/snuffleupagus.ini \ + ; rm -f /tmp/roundcube.asc /tmp/snappymail.asc \ + ; mkdir -p /run/nginx /conf # roundcube ENV ROUNDCUBE_URL https://github.com/roundcube/roundcubemail/releases/download/1.5.3/roundcubemail-1.5.3-complete.tar.gz @@ -41,7 +42,9 @@ RUN set -euxo pipefail \ ; cd roundcube \ ; rm -rf CHANGELOG.md SECURITY.md INSTALL LICENSE README.md UPGRADING composer.json-dist installer composer.* \ ; ln -sf index.php /var/www/roundcube/public_html/sso.php \ - ; rm -rf plugins/{autologon,example_addressbook,http_authentication,krb_authentication,new_user_identity,password,redundant_attachments,squirrelmail_usercopy,userinfo,virtuser_file,virtuser_query} + ; rm -rf plugins/{autologon,example_addressbook,http_authentication,krb_authentication,new_user_identity,password,redundant_attachments,squirrelmail_usercopy,userinfo,virtuser_file,virtuser_query} \ + ; patch -p0 < /tmp/roundcube.diff \ + ; rm /tmp/roundcube.diff COPY roundcube/config/config.inc.php /conf/ COPY roundcube/login/mailu.php /var/www/roundcube/plugins/mailu/ @@ -81,6 +84,7 @@ COPY start.py / COPY php.ini /defaults/ COPY php-webmail.conf /etc/php81/php-fpm.d/ COPY nginx-webmail.conf /conf/ +COPY snuffleupagus.rules /etc/snuffleupagus.rules.tpl EXPOSE 80/tcp VOLUME /data diff --git a/webmails/php.ini b/webmails/php.ini index d9ba892c..87660288 100644 --- a/webmails/php.ini +++ b/webmails/php.ini @@ -11,3 +11,5 @@ log_errors=On zlib.output_compression=Off access.log = /dev/fd/2 error_log = /dev/fd/2 +module=snuffleupagus.so +sp.configuration_file=/etc/snuffleupagus.rules diff --git a/webmails/roundcube/config/config.inc.php b/webmails/roundcube/config/config.inc.php index 6e5ea0bd..e8aedeff 100644 --- a/webmails/roundcube/config/config.inc.php +++ b/webmails/roundcube/config/config.inc.php @@ -5,7 +5,7 @@ $config = array(); // Generals $config['db_dsnw'] = '{{ DB_DSNW }}'; $config['temp_dir'] = '/dev/shm/'; -$config['des_key'] = '{{ SECRET_KEY }}'; +$config['des_key'] = '{{ ROUNDCUBE_KEY }}'; $config['cipher_method'] = 'AES-256-CBC'; $config['identities_level'] = 0; $config['reply_all_mode'] = 1; diff --git a/webmails/roundcube/roundcube.diff b/webmails/roundcube/roundcube.diff new file mode 100644 index 00000000..1aece369 --- /dev/null +++ b/webmails/roundcube/roundcube.diff @@ -0,0 +1,47 @@ +--- plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php ++++ plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php +@@ -529,28 +529,13 @@ + // get request size limits (#1488648) + $max_post = max([ + ini_get('max_input_vars'), +- ini_get('suhosin.request.max_vars'), +- ini_get('suhosin.post.max_vars'), + ]); +- $max_depth = max([ +- ini_get('suhosin.request.max_array_depth'), +- ini_get('suhosin.post.max_array_depth'), +- ]); + + // check request size limit + if ($max_post && count($_POST, COUNT_RECURSIVE) >= $max_post) { + rcube::raise_error([ + 'code' => 500, 'file' => __FILE__, 'line' => __LINE__, + 'message' => "Request size limit exceeded (one of max_input_vars/suhosin.request.max_vars/suhosin.post.max_vars)" +- ], true, false +- ); +- $this->rc->output->show_message('managesieve.filtersaveerror', 'error'); +- } +- // check request depth limits +- else if ($max_depth && count($_POST['_header']) > $max_depth) { +- rcube::raise_error([ +- 'code' => 500, 'file' => __FILE__, 'line' => __LINE__, +- 'message' => "Request size limit exceeded (one of suhosin.request.max_array_depth/suhosin.post.max_array_depth)" + ], true, false + ); + $this->rc->output->show_message('managesieve.filtersaveerror', 'error'); +--- program/lib/Roundcube/bootstrap.php ++++ program/lib/Roundcube/bootstrap.php +@@ -32,13 +32,11 @@ + // Some users are not using Installer, so we'll check some + // critical PHP settings here. Only these, which doesn't provide + // an error/warning in the logs later. See (#1486307). +- 'mbstring.func_overload' => 0, + ]; + + // check these additional ini settings if not called via CLI + if (php_sapi_name() != 'cli') { + $config += [ +- 'suhosin.session.encrypt' => false, + 'file_uploads' => true, + 'session.auto_start' => false, + 'zlib.output_compression' => false, diff --git a/webmails/snuffleupagus.rules b/webmails/snuffleupagus.rules new file mode 100644 index 00000000..fbb8a776 --- /dev/null +++ b/webmails/snuffleupagus.rules @@ -0,0 +1,134 @@ +# This is based on default configuration file for Snuffleupagus (https://snuffleupagus.rtfd.io), +# for php8. +# It contains "reasonable" defaults that won't break your websites, +# and a lot of commented directives that you can enable if you want to +# have a better protection. + +# Harden the PRNG +sp.harden_random.enable(); + +# Disabled XXE +sp.xxe_protection.enable(); + +# Global configuration variables +sp.global.secret_key("{{ SNUFFLEUPAGUS_KEY }}"); + +# Globally activate strict mode +# https://www.php.net/manual/en/language.types.declarations.php#language.types.declarations.strict +sp.global_strict.enable(); + +# Prevent unserialize-related exploits +# sp.unserialize_hmac.enable(); + +# Only allow execution of read-only files. This is a low-hanging fruit that you should enable. +sp.readonly_exec.enable(); + +# PHP has a lot of wrappers, most of them aren't usually useful, you should +# only enable the ones you're using. +sp.wrappers_whitelist.list("file,php,phar,mailsosubstreams"); + +# Prevent sloppy comparisons. +sp.sloppy_comparison.enable(); + +# Use SameSite on session cookie +# https://snuffleupagus.readthedocs.io/features.html#protection-against-cross-site-request-forgery +sp.cookie.name("PHPSESSID").samesite("lax"); + +# Harden the `chmod` function (0777 (oct = 511, 0666 = 438) +sp.disable_function.function("chmod").param("permissions").value("438").drop(); +sp.disable_function.function("chmod").param("permissions").value("511").drop(); + +# Prevent various `mail`-related vulnerabilities +sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop(); + +# Since it's now burned, me might as well mitigate it publicly +sp.disable_function.function("putenv").param("assignment").value_r("LD_").drop() + +# This one was burned in Nov 2019 - https://gist.github.com/LoadLow/90b60bd5535d6c3927bb24d5f9955b80 +sp.disable_function.function("putenv").param("assignment").value_r("GCONV_").drop() + +# Since people are stupid enough to use `extract` on things like $_GET or $_POST, we might as well mitigate this vector +sp.disable_function.function("extract").param("array").value_r("^_").drop() +sp.disable_function.function("extract").param("flags").value("0").drop() + +# This is also burned: +# ini_set('open_basedir','..');chdir('..');…;chdir('..');ini_set('open_basedir','/');echo(file_get_contents('/etc/passwd')); +# Since we have no way of matching on two parameters at the same time, we're +# blocking calls to open_basedir altogether: nobody is using it via ini_set anyway. +# Moreover, there are non-public bypasses that are also using this vector ;) +sp.disable_function.function("ini_set").param("option").value_r("open_basedir").drop() + +# Prevent various `include`-related vulnerabilities +sp.disable_function.function("require_once").value_r("\.(inc|phtml|php)$").allow(); +sp.disable_function.function("include_once").value_r("\.(inc|phtml|php)$").allow(); +sp.disable_function.function("require").value_r("\.(inc|phtml|php)$").allow(); +sp.disable_function.function("include").value_r("\.(inc|phtml|php)$").allow(); +sp.disable_function.function("require_once").drop() +sp.disable_function.function("include_once").drop() +sp.disable_function.function("require").drop() +sp.disable_function.function("include").drop() + +# Prevent `system`-related injections +sp.disable_function.function("system").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop(); +sp.disable_function.function("shell_exec").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop(); +sp.disable_function.function("exec").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop(); +# This is **very** broad but doing better is non-straightforward +sp.disable_function.function("proc_open").param("command").value_r("^gpg ").allow(); +sp.disable_function.function("proc_open").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop(); + +# Prevent runtime modification of interesting things +sp.disable_function.function("ini_set").param("option").value("assert.active").drop(); +sp.disable_function.function("ini_set").param("option").value("zend.assertions").drop(); +sp.disable_function.function("ini_set").param("option").value("memory_limit").drop(); +sp.disable_function.function("ini_set").param("option").value("include_path").drop(); +sp.disable_function.function("ini_set").param("option").value("open_basedir").drop(); + +# Detect some backdoors via environment recon +sp.disable_function.function("ini_get").filename("/var/www/roundcube/vendor/guzzlehttp/guzzle/src/functions.php").param("option").value("allow_url_fopen").allow(); +sp.disable_function.function("ini_get").param("option").value("allow_url_fopen").drop(); +sp.disable_function.function("ini_get").param("option").value("open_basedir").drop(); +sp.disable_function.function("ini_get").param("option").value_r("suhosin").drop(); +sp.disable_function.function("function_exists").param("function").value("eval").drop(); +sp.disable_function.function("function_exists").param("function").value("exec").drop(); +sp.disable_function.function("function_exists").param("function").value("system").drop(); +sp.disable_function.function("function_exists").param("function").value("shell_exec").drop(); +sp.disable_function.function("function_exists").param("function").value("proc_open").drop(); +sp.disable_function.function("function_exists").param("function").value("passthru").drop(); +sp.disable_function.function("is_callable").param("value").value("eval").drop(); +sp.disable_function.function("is_callable").param("value").value("exec").drop(); +sp.disable_function.function("is_callable").param("value").value("system").drop(); +sp.disable_function.function("is_callable").param("value").value("shell_exec").drop(); +sp.disable_function.function("is_callable").filename_r("^/var/www/snappymail/snappymail/v/\d+\.\d+\.\d+/app/libraries/snappymail/pgp/gpg\.php$").param("value").value("proc_open").allow(); +sp.disable_function.function("is_callable").param("value").value("proc_open").drop(); +sp.disable_function.function("is_callable").param("value").value("passthru").drop(); + +# Ghetto error-based sqli detection +#sp.disable_function.function("mysql_query").ret("FALSE").drop(); +#sp.disable_function.function("mysqli_query").ret("FALSE").drop(); +#sp.disable_function.function("PDO::query").ret("FALSE").drop(); + +# Ensure that certificates are properly verified +sp.disable_function.function("curl_setopt").param("value").value("1").allow(); +sp.disable_function.function("curl_setopt").param("value").value("2").allow(); +# `81` is SSL_VERIFYHOST and `64` SSL_VERIFYPEER +sp.disable_function.function("curl_setopt").param("option").value("64").drop().alias("Please don't turn CURLOPT_SSL_VERIFYCLIENT off."); +sp.disable_function.function("curl_setopt").param("option").value("81").drop().alias("Please don't turn CURLOPT_SSL_VERIFYHOST off."); + +# File upload +sp.disable_function.function("move_uploaded_file").param("to").value_r("\\.ph").drop(); +sp.disable_function.function("move_uploaded_file").param("to").value_r("\\.ht").drop(); + +# Logging lockdown +sp.disable_function.function("ini_set").param("option").value_r("error_log").drop() +sp.disable_function.function("ini_set").param("option").value_r("display_errors").drop() + +sp.auto_cookie_secure.enable(); +# TODO: consider encrypting the cookies? +# TODO: ensure this is up to date +sp.cookie.name("roundcube_sessauth").samesite("strict"); +sp.cookie.name("roundcube_sessid").samesite("strict"); +sp.ini_protection.policy_silent_fail(); + +# roundcube uses unserialize() everywhere. +# This should do the job until https://github.com/jvoisin/snuffleupagus/issues/438 is implemented. +sp.disable_function.function("unserialize").param("data").value_r("[cCoO]:\d+:[\"{]").drop(); diff --git a/webmails/start.py b/webmails/start.py index 06b90351..954c8407 100755 --- a/webmails/start.py +++ b/webmails/start.py @@ -2,6 +2,7 @@ import os import logging +from pwd import getpwnam import sys import subprocess import shutil @@ -12,14 +13,13 @@ from socrate import conf, system env = os.environ logging.basicConfig(stream=sys.stderr, level=env.get("LOG_LEVEL", "WARNING")) +system.set_env(['ROUNDCUBE','SNUFFLEUPAGUS']) # jinja context context = {} context.update(env) context["MAX_FILESIZE"] = str(int(int(env.get("MESSAGE_SIZE_LIMIT", "50000000")) * 0.66 / 1048576)) -context["FRONT_ADDRESS"] = system.get_host_address_from_environment("FRONT", "front") -context["IMAP_ADDRESS"] = system.get_host_address_from_environment("IMAP", "imap") db_flavor = env.get("ROUNDCUBE_DB_FLAVOR", "sqlite") if db_flavor == "sqlite": @@ -42,16 +42,7 @@ else: print(f"Unknown ROUNDCUBE_DB_FLAVOR: {db_flavor}", file=sys.stderr) exit(1) -# derive roundcube secret key -secret_key = env.get("SECRET_KEY") -if not secret_key: - try: - secret_key = open(env.get("SECRET_KEY_FILE"), "r").read().strip() - except Exception as exc: - print(f"Can't read SECRET_KEY from file: {exc}", file=sys.stderr) - exit(2) - -context['SECRET_KEY'] = hmac.new(bytearray(secret_key, 'utf-8'), bytearray('ROUNDCUBE_KEY', 'utf-8'), 'sha256').hexdigest() +conf.jinja("/etc/snuffleupagus.rules.tpl", context, "/etc/snuffleupagus.rules") # roundcube plugins # (using "dict" because it is ordered and "set" is not) @@ -75,31 +66,6 @@ conf.jinja("/conf/config.inc.php", context, "/var/www/roundcube/config/config.in # create dirs os.system("mkdir -p /data/gpg") -print("Initializing database") -try: - result = subprocess.check_output(["/var/www/roundcube/bin/initdb.sh", "--dir", "/var/www/roundcube/SQL"], - stderr=subprocess.STDOUT) - print(result.decode()) -except subprocess.CalledProcessError as exc: - err = exc.stdout.decode() - if "already exists" in err: - print("Already initialized") - else: - print(err) - exit(3) - -print("Upgrading database") -try: - subprocess.check_call(["/var/www/roundcube/bin/update.sh", "--version=?", "-y"], stderr=subprocess.STDOUT) -except subprocess.CalledProcessError as exc: - exit(4) -else: - print("Cleaning database") - try: - subprocess.check_call(["/var/www/roundcube/bin/cleandb.sh"], stderr=subprocess.STDOUT) - except subprocess.CalledProcessError as exc: - exit(5) - base = "/data/_data_/_default_/" shutil.rmtree(base + "domains/", ignore_errors=True) os.makedirs(base + "domains", exist_ok=True) @@ -112,13 +78,44 @@ conf.jinja("/defaults/php.ini", context, "/etc/php81/php.ini") # setup permissions os.system("chown -R mailu:mailu /data") +def demote(user_uid, user_gid): + def result(): + os.setgid(user_gid) + os.setuid(user_uid) + return result +id_mailu = getpwnam('mailu') + +print("Initializing database") +try: + result = subprocess.check_output(["/var/www/roundcube/bin/initdb.sh", "--dir", "/var/www/roundcube/SQL"], + stderr=subprocess.STDOUT, preexec_fn=demote(id_mailu.pw_uid,id_mailu.pw_gid)) + print(result.decode()) +except subprocess.CalledProcessError as exc: + err = exc.stdout.decode() + if "already exists" in err: + print("Already initialized") + else: + print(err) + exit(3) + +print("Upgrading database") +try: + subprocess.check_call(["/var/www/roundcube/bin/update.sh", "--version=?", "-y"], stderr=subprocess.STDOUT, preexec_fn=demote(id_mailu.pw_uid,id_mailu.pw_gid)) +except subprocess.CalledProcessError as exc: + exit(4) +else: + print("Cleaning database") + try: + subprocess.check_call(["/var/www/roundcube/bin/cleandb.sh"], stderr=subprocess.STDOUT, preexec_fn=demote(id_mailu.pw_uid,id_mailu.pw_gid)) + except subprocess.CalledProcessError as exc: + exit(5) + # Configure nginx conf.jinja("/conf/nginx-webmail.conf", context, "/etc/nginx/http.d/webmail.conf") if os.path.exists("/var/run/nginx.pid"): os.system("nginx -s reload") -# clean env -[env.pop(key, None) for key in env.keys() if key == "SECRET_KEY" or key.startswith("ROUNDCUBE_")] +system.clean_env() # run nginx os.system("php-fpm81")