From 9d2046f43f925933d2718c8f2520dd27be652991 Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Sat, 28 Jan 2023 16:59:09 +0100
Subject: [PATCH 1/5] Upgrade webmails
---
 towncrier/newsfragments/2634.misc | 1 +
 webmails/Dockerfile | 6 +++---
 webmails/roundcube/config/config.inc.php | 20 +-------------------
 3 files changed, 5 insertions(+), 22 deletions(-)
 create mode 100644 towncrier/newsfragments/2634.misc
diff --git a/towncrier/newsfragments/2634.misc b/towncrier/newsfragments/2634.misc
new file mode 100644
index 00000000..e018497a
--- /dev/null
+++ b/towncrier/newsfragments/2634.misc
@@ -0,0 +1 @@
+Upgrade webmails: snappymail to 2.25.0, roundcube to 1.6.1 and carddav to 5.0.1
diff --git a/webmails/Dockerfile b/webmails/Dockerfile
index 9dc3514a..b6408d86 100644
--- a/webmails/Dockerfile
+++ b/webmails/Dockerfile
@@ -26,8 +26,8 @@ RUN set -euxo pipefail \
 ; mkdir -p /run/nginx /conf
 # roundcube
-ENV ROUNDCUBE_URL https://github.com/roundcube/roundcubemail/releases/download/1.5.3/roundcubemail-1.5.3-complete.tar.gz
-ENV CARDDAV_URL https://github.com/mstilkerich/rcmcarddav/releases/download/v4.4.3/carddav-v4.4.3.tar.gz
+ENV ROUNDCUBE_URL https://github.com/roundcube/roundcubemail/releases/download/1.6.1/roundcubemail-1.6.1-complete.tar.gz
+ENV CARDDAV_URL https://github.com/mstilkerich/rcmcarddav/releases/download/v5.0.1/carddav-v5.0.1.tar.gz
 RUN set -euxo pipefail \
 ; cd /var/www \
@@ -52,7 +52,7 @@ COPY roundcube/config/config.inc.carddav.php /var/www/roundcube/plugins/carddav/
 # snappymail
-ENV SNAPPYMAIL_URL https://github.com/the-djmaze/snappymail/releases/download/v2.21.3/snappymail-2.21.3.tar.gz
+ENV SNAPPYMAIL_URL https://github.com/the-djmaze/snappymail/releases/download/v2.25.0/snappymail-2.25.0.tar.gz
 RUN set -euxo pipefail \
 ; mkdir /var/www/snappymail \
diff --git a/webmails/roundcube/config/config.inc.php b/webmails/roundcube/config/config.inc.php
index f271eebc..72db545c 100644
--- a/webmails/roundcube/config/config.inc.php
+++ b/webmails/roundcube/config/config.inc.php @@ -14,6 +14,7 @@ $config['zipdownload_selection'] = true; $config['enable_spellcheck'] = true; $config['spellcheck_engine'] = 'pspell'; $config['session_lifetime'] = {{ SESSION_TIMEOUT_MINUTES | int }}; +$config['request_path'] = '{{ WEB_WEBMAIL or "none" }}'; // Mail servers $config['imap_host'] = '{{ FRONT_ADDRESS or "front" }}:10143'; @@ -21,28 +22,9 @@ $config['smtp_host'] = '{{ FRONT_ADDRESS or "front" }}:10025'; $config['smtp_user'] = '%u'; $config['smtp_pass'] = '%p'; -#old deprecated settings will be replaced from roundcube 1.6. -$config['smtp_server'] = '{{ FRONT_ADDRESS or "front" }}'; -$config['smtp_port'] = '10025'; -$config['default_host'] = '{{ FRONT_ADDRESS or "front" }}'; -$config['default_port'] = '10143'; - // Sieve script management $config['managesieve_host'] = '{{ FRONT_ADDRESS or "front" }}:14190'; -// We access the IMAP and SMTP servers locally with internal names, SSL -// will obviously fail but this sounds better than allowing insecure login -// from the outter world -$ssl_no_check = array( - 'ssl' => array( - 'verify_peer' => false, - 'verify_peer_name' => false, - ), -); -$config['imap_conn_options'] = $ssl_no_check; -$config['smtp_conn_options'] = $ssl_no_check; -$config['managesieve_conn_options'] = $ssl_no_check; - // roundcube customization $config['product_name'] = 'Mailu Webmail'; {%- if ADMIN and WEB_ADMIN %} From 760ec301e3696e7de28c784aa875a685464a8baa Mon Sep 17 00:00:00 2001 From: Florent Daigniere Date: Sat, 28 Jan 2023 17:22:52 +0100 Subject: [PATCH 2/5] harden the trusted hosts --- webmails/roundcube/config/config.inc.php | 1 + 1 file changed, 1 insertion(+) diff --git a/webmails/roundcube/config/config.inc.php b/webmails/roundcube/config/config.inc.php index 72db545c..3ced13e7 100644 --- a/webmails/roundcube/config/config.inc.php +++ b/webmails/roundcube/config/config.inc.php 
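Review bot: The fallback in the added line `$config['request_path'] = '{{ WEB_WEBMAIL or "none" }}';` produces the literal path `none` whenever WEB_WEBMAIL is empty, which is not a path Roundcube can use when it builds URLs from this option. If an empty WEB_WEBMAIL means the webmail is served at the site root, the fallback should probably be `'/'`, or the line should be omitted in that case so Roundcube's own default applies. How 1.6 interprets request_path is not visible from this hunk, so confirm against the upstream defaults before changing it.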
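Review bot: With the `$ssl_no_check` block removed, nothing in the file records why the IMAP, SMTP and Sieve connections carry no TLS options, and the next person to see a certificate error may re-add a verify_peer=false block. `imap_host`, `smtp_host` and `managesieve_host` are all written without a `tls://` or `ssl://` scheme, so these hops look like plaintext to the front container on dedicated internal ports, in which case certificate verification never applied and the removed block was dead configuration. A one-line comment above `// Mail servers`, such as `// Internal hops to front are plaintext on dedicated ports; do not add tls:// here or conn_options that disable certificate checks`, would make that explicit; confirm that the three ports are indeed non-TLS listeners before wording it that way.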
@@ -15,6 +15,7 @@ $config['enable_spellcheck'] = true;
 $config['spellcheck_engine'] = 'pspell';
 $config['session_lifetime'] = {{ SESSION_TIMEOUT_MINUTES | int }};
 $config['request_path'] = '{{ WEB_WEBMAIL or "none" }}';
+$config['trusted_host_patterns'] = [ {{ HOSTNAMES.split(",") | map("tojson") | join(',') }}];
 // Mail servers
 $config['imap_host'] = '{{ FRONT_ADDRESS or "front" }}:10143';
From 6533f41f48c6d2cb1fe80a11d4561f230501b9db Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Sat, 28 Jan 2023 17:37:16 +0100
Subject: [PATCH 3/5] Trust the IP address from the local subnet
This will only work when SUBNET autodetection is merged
---
 webmails/nginx-webmail.conf | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/webmails/nginx-webmail.conf b/webmails/nginx-webmail.conf
index 1794a635..1bc00912 100644
--- a/webmails/nginx-webmail.conf
+++ b/webmails/nginx-webmail.conf
@@ -26,6 +26,14 @@ server {
 add_header X-Permitted-Cross-Domain-Policies "none" always;
 add_header Referrer-Policy "no-referrer" always;
+ real_ip_header X-Real-IP;
+ {% for from_ip in SUBNET.split(',') %}
+ set_real_ip_from {{ from_ip }};
+ {% endfor %}
+ {% if SUBNET6 %}{% for from_ip in SUBNET6.split(',') %}
+ set_real_ip_from {{ from_ip }};
+ {% endfor %}{% endif %}
+
 location / {
 try_files $uri $uri/ /index.php$args;
 }
From 9803c51d5591cd322dc9f48403818e2402941983 Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Sat, 28 Jan 2023 18:23:10 +0100
Subject: [PATCH 4/5] Use a hostname
---
 webmails/nginx-webmail.conf | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/webmails/nginx-webmail.conf b/webmails/nginx-webmail.conf
index 1bc00912..fde7adfd 100644
--- a/webmails/nginx-webmail.conf
+++ b/webmails/nginx-webmail.conf
@@ -1,6 +1,7 @@
 server {
 listen 80 default_server;
 listen [::]:80 default_server;
+ resolver {{ RESOLVER }} valid=30s;
 {% if WEBMAIL == 'roundcube' %}
 root /var/www/{{ WEBMAIL }}/public_html;
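Review bot: The values that `map("tojson")` emits on the new `trusted_host_patterns` line are raw hostnames, but if Roundcube evaluates this option as regular expressions, as its name suggests, every unescaped `.` matches any character, so an entry for `mail.example.com` would also accept a Host header of `mailXexample.com`, which weakens the host allow-list the commit is hardening. Escaping the dots before the JSON step keeps the match exact, e.g. `$config['trusted_host_patterns'] = [ {{ HOSTNAMES.split(",") | map("replace", ".", "\\.") | map("tojson") | join(',') }}];` (tojson doubles the backslash and PHP's double-quoted string folds it back to `\.`). Note also that `tojson` produces double-quoted PHP strings, in which `$` and backslash sequences are interpreted; hostnames should never contain them, but it is worth keeping in mind. Confirm both points against how Roundcube 1.6 matches the option before changing the template.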
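Review bot: The added `resolver {{ RESOLVER }} valid=30s;` does not, as far as I know, influence the `set_real_ip_from {{ FRONT_ADDRESS or "front" }};` introduced in the next hunk of this patch: nginx resolves a hostname given to set_real_ip_from once through the system resolver while the configuration is loaded, whereas `resolver` only serves names looked up at request time (variables in proxy_pass and similar). If that holds, this directive is dead configuration here, and the more important consequence is that when the front container comes back with a different address, X-Real-IP silently stops being trusted until nginx is reloaded, so the real-IP setup should either be documented as requiring a reload or reconsidered. Verify against the realip module documentation for the nginx version shipped in the image before acting on this.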
@@ -27,12 +28,7 @@ server {
 add_header Referrer-Policy "no-referrer" always;
 real_ip_header X-Real-IP;
- {% for from_ip in SUBNET.split(',') %}
- set_real_ip_from {{ from_ip }};
- {% endfor %}
- {% if SUBNET6 %}{% for from_ip in SUBNET6.split(',') %}
- set_real_ip_from {{ from_ip }};
- {% endfor %}{% endif %}
+ set_real_ip_from {{ FRONT_ADDRESS or "front" }};
 location / {
 try_files $uri $uri/ /index.php$args;
From 926570f1ca0d2a8595f4841023c96b79e7f8a977 Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Sat, 28 Jan 2023 18:30:33 +0100
Subject: [PATCH 5/5] Need this too
---
 webmails/start.py | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/webmails/start.py b/webmails/start.py
index 84d05654..7a8d6bf2 100755
--- a/webmails/start.py
+++ b/webmails/start.py
@@ -20,6 +20,12 @@ context.update(env)
 context["MAX_FILESIZE"] = str(int(int(env.get("MESSAGE_SIZE_LIMIT", "50000000")) * 0.66 / 1048576))
+# Get the first DNS server
+with open("/etc/resolv.conf") as handle:
+ content = handle.read().split()
+ resolver = content[content.index("nameserver") + 1]
+ context["RESOLVER"] = f"[{resolver}]" if ":" in resolver else resolver
+
 db_flavor = env.get("ROUNDCUBE_DB_FLAVOR", "sqlite")
 if db_flavor == "sqlite":
 context["DB_DSNW"] = "sqlite:////data/roundcube.db"
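Review bot: The resolv.conf parsing in the new block, `resolver = content[content.index("nameserver") + 1]`, tokenises the whole file with `split()`, so a commented-out `# nameserver` line or the word appearing in any other entry is matched before the real one, and a file without a nameserver fails with a bare ValueError (an IndexError if the keyword happens to be last). Parsing line by line and using a line only when its first field is exactly `nameserver` excludes comments by construction, and failing with a message that names the file makes the error actionable; the rewrite below keeps the bracketed-IPv6 output unchanged. Since the value lands verbatim in the nginx `resolver` directive, restricting it to the second field of a genuine nameserver line is also the conservative choice.
```python
# Get the first DNS server
with open("/etc/resolv.conf") as handle:
    nameservers = [
        fields[1]
        for fields in (line.split() for line in handle)
        if len(fields) > 1 and fields[0] == "nameserver"
    ]
if not nameservers:
    raise RuntimeError("no nameserver entry found in /etc/resolv.conf")
resolver = nameservers[0]
context["RESOLVER"] = f"[{resolver}]" if ":" in resolver else resolver
```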