Merge #2144
2144: Enable unbound by default, warn if the DNS resolver doesn't work r=mergify[bot] a=nextgens ## What type of PR? bug-fix ## What does this PR do? Enable unbound by default, warn if the DNS resolver doesn't work ### Related issue(s) - close #2135 ## Prerequisites Before we can consider review and merge, please make sure the following list is done and checked. If an entry in not applicable, you can check it or remove it from the list. - [ ] In case of feature or enhancement: documentation updated accordingly - [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file. Co-authored-by: Florent Daigniere <nextgens@freenetproject.org> Co-authored-by: Florent Daigniere <nextgens@users.noreply.github.com>
@ -18,6 +18,34 @@ if account is not None and domain is not None and password is not None:
|
||||
log.info("Creating initial admin accout %s@%s with mode %s",account,domain,mode)
|
||||
os.system("flask mailu admin %s %s '%s' --mode %s" % (account, domain, password, mode))
|
||||
|
||||
def test_DNS():
|
||||
import dns.resolver
|
||||
import dns.exception
|
||||
import dns.flags
|
||||
import dns.rdtypes
|
||||
import dns.rdatatype
|
||||
import dns.rdataclass
|
||||
import time
|
||||
# DNS stub configured to do DNSSEC enabled queries
|
||||
resolver = dns.resolver.Resolver()
|
||||
resolver.use_edns(0, 0, 1232)
|
||||
resolver.flags = dns.flags.AD | dns.flags.RD
|
||||
nameservers = resolver.nameservers
|
||||
for ns in nameservers:
|
||||
resolver.nameservers=[ns]
|
||||
while True:
|
||||
try:
|
||||
result = resolver.query('example.org', dns.rdatatype.A, dns.rdataclass.IN, lifetime=10)
|
||||
except Exception as e:
|
||||
log.critical("Your DNS resolver at %s is not working (%s). Please use another resolver or enable unbound via https://setup.mailu.io.", ns, e);
|
||||
else:
|
||||
if result.response.flags & dns.flags.AD:
|
||||
break
|
||||
log.critical("Your DNS resolver at %s isn't doing DNSSEC validation; Please use another resolver or enable unbound via https://setup.mailu.io.", ns)
|
||||
time.sleep(5)
|
||||
|
||||
test_DNS()
|
||||
|
||||
start_command="".join([
|
||||
"gunicorn --threads ", str(os.cpu_count()),
|
||||
" -b :80 ",
|
||||
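Review bot: `test_DNS()` treats the AD bit in `result.response.flags` as proof of validation, but AD only reports what the resolver claims and the stub-to-resolver hop is unauthenticated, so the check is sound only when every entry in `resolver.nameservers` is reached over a trusted link (for instance the bundled unbound on the compose network). I would state that assumption in a comment above the query, e.g. `# AD is trusted only because the resolver is reached over a trusted network path`. The `while True` loop never gives up, so a failing or non-validating resolver blocks the process before the gunicorn command below is built rather than only warning; if that fail-closed behaviour is intended, a one-line docstring such as `"""Block startup until every configured resolver answers with AD set."""` would make it explicit. `except Exception` could probably be narrowed to `dns.exception.DNSException`, which would also give the otherwise unused `dns.exception` import a purpose. Indentation is lost in this rendering, so the placement of the second `log.critical` relative to the `else:` branch is inferred.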
|
@ -13,6 +13,12 @@ services:
|
||||
restart: always
|
||||
volumes:
|
||||
- "{{ root }}/redis:/data"
|
||||
{% if resolver_enabled %}
|
||||
depends_on:
|
||||
- resolver
|
||||
dns:
|
||||
- {{ dns }}
|
||||
{% endif %}
|
||||
|
||||
# Core services
|
||||
front:
|
||||
@ -33,8 +39,12 @@ services:
|
||||
volumes:
|
||||
- "{{ root }}/certs:/certs"
|
||||
- "{{ root }}/overrides/nginx:/overrides:ro"
|
||||
{% if resolver_enabled %}
|
||||
depends_on:
|
||||
- resolver
|
||||
dns:
|
||||
- {{ dns }}
|
||||
|
||||
{% if resolver_enabled %}
|
||||
resolver:
|
||||
image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}unbound:${MAILU_VERSION:-{{ version }}}
|
||||
env_file: {{ env }}
|
||||
@ -42,7 +52,7 @@ services:
|
||||
networks:
|
||||
default:
|
||||
ipv4_address: {{ dns }}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
admin:
|
||||
image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}admin:${MAILU_VERSION:-{{ version }}}
|
||||
@ -57,6 +67,11 @@ services:
|
||||
- "{{ root }}/dkim:/dkim"
|
||||
depends_on:
|
||||
- redis
|
||||
{% if resolver_enabled %}
|
||||
- resolver
|
||||
dns:
|
||||
- {{ dns }}
|
||||
{% endif %}
|
||||
|
||||
imap:
|
||||
image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}dovecot:${MAILU_VERSION:-{{ version }}}
|
||||
@ -67,6 +82,11 @@ services:
|
||||
- "{{ root }}/overrides/dovecot:/overrides:ro"
|
||||
depends_on:
|
||||
- front
|
||||
{% if resolver_enabled %}
|
||||
- resolver
|
||||
dns:
|
||||
- {{ dns }}
|
||||
{% endif %}
|
||||
|
||||
smtp:
|
||||
image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}postfix:${MAILU_VERSION:-{{ version }}}
|
||||
@ -122,6 +142,12 @@ services:
|
||||
env_file: {{ env }}
|
||||
volumes:
|
||||
- "{{ root }}/dav:/data"
|
||||
{% if resolver_enabled %}
|
||||
depends_on:
|
||||
- resolver
|
||||
dns:
|
||||
- {{ dns }}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
{% if fetchmail_enabled %}
|
||||
@ -150,6 +176,11 @@ services:
|
||||
- "{{ root }}/overrides/{{ webmail_type }}:/overrides:ro"
|
||||
depends_on:
|
||||
- imap
|
||||
{% if resolver_enabled %}
|
||||
- resolver
|
||||
dns:
|
||||
- {{ dns }}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
networks:
|
||||
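Review bot: `depends_on: - resolver` only orders container start and does not wait for unbound to answer, and with `dns:` pinned to `{{ dns }}` alone these services have no other resolver to fall back on. That is the right fail-closed choice for DNSSEC, but the template should say so, e.g. `# dns is pinned to the bundled unbound only; do not add a non-validating fallback`. In the `front` hunk the `{% if resolver_enabled %}` opened before `depends_on:` appears (the rendering has lost the +/- column) to be closed only after the `resolver:` service, so one conditional spans a service's keys and the next service definition. Closing it right after `- {{ dns }}` and keeping a separate block around `resolver:` would be easier to maintain safely.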
|
@ -40,10 +40,10 @@ avoid generic all-interfaces addresses like <code>0.0.0.0</code> or <code>::</co
|
||||
<input class="form-control" type="text" name="subnet6" required value="{{ subnet6 }}:beef::/64">
|
||||
</div>
|
||||
|
||||
<p>The unbound resolver enables Mailu to do DNSsec verification, DNS root lookups and caching. This also helps the antispam service not to get blocked by the public or ISP DNS servers.</p>
|
||||
<p>The unbound resolver enables Mailu to do DNSSEC verification, DNS root lookups and caching. This also helps the antispam service not to get blocked by the public or ISP DNS servers.</p>
|
||||
<div class="form-check form-check-inline">
|
||||
<label class="form-check-label">
|
||||
<input class="form-check-input" type="checkbox" name="resolver_enabled" value="true">
|
||||
<input class="form-check-input" type="checkbox" name="resolver_enabled" value="true" checked>
|
||||
Enable unbound resolver
|
||||
</label>
|
||||
</div>
|
||||
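Review bot: The help paragraph still presents unbound as an optional convenience, while the changelog entry in this commit says Mailu now requires a DNSSEC-validating resolver. Since the checkbox can still be unticked, I would add a sentence such as `If you disable it, the DNS resolver used by the containers must perform DNSSEC validation.` so the consequence is visible where the choice is made.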
|
@ -40,8 +40,11 @@ services:
|
||||
volumes:
|
||||
- "/mailu/data:/data"
|
||||
- "/mailu/dkim:/dkim"
|
||||
dns:
|
||||
- 192.168.203.254
|
||||
depends_on:
|
||||
- redis
|
||||
- resolver
|
||||
|
||||
imap:
|
||||
image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}dovecot:${PINNED_MAILU_VERSION:-local}
|
||||
@ -75,7 +78,13 @@ services:
|
||||
|
||||
# Optional services
|
||||
|
||||
|
||||
resolver:
|
||||
image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}unbound:${MAILU_VERSION:-local}
|
||||
env_file: mailu.env
|
||||
restart: always
|
||||
networks:
|
||||
default:
|
||||
ipv4_address: 192.168.203.254
|
||||
|
||||
# Webmail
|
||||
|
||||
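Review bot: The new `resolver` service takes its tag from `${MAILU_VERSION:-local}` while the `imap` service in the same file uses `${PINNED_MAILU_VERSION:-local}`, so a test run that sets only the pinned variable would exercise an unbound image other than the one built for the commit under test. If that is not deliberate, use `image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}unbound:${PINNED_MAILU_VERSION:-local}`. The same line recurs in each of the later test compose sections on this page. The address `192.168.203.254` is also written twice per file (under `dns:` and under `ipv4_address:`); a short comment tying the two together would keep them from drifting apart.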
|
@ -42,6 +42,9 @@ services:
|
||||
- "/mailu/dkim:/dkim"
|
||||
depends_on:
|
||||
- redis
|
||||
- resolver
|
||||
dns:
|
||||
- 192.168.203.254
|
||||
|
||||
imap:
|
||||
image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}dovecot:${PINNED_MAILU_VERSION:-local}
|
||||
@ -81,6 +84,15 @@ services:
|
||||
restart: always
|
||||
env_file: mailu.env
|
||||
|
||||
resolver:
|
||||
image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}unbound:${MAILU_VERSION:-local}
|
||||
env_file: mailu.env
|
||||
restart: always
|
||||
networks:
|
||||
default:
|
||||
ipv4_address: 192.168.203.254
|
||||
|
||||
|
||||
# Webmail
|
||||
|
||||
|
||||
|
@ -40,8 +40,11 @@ services:
|
||||
volumes:
|
||||
- "/mailu/data:/data"
|
||||
- "/mailu/dkim:/dkim"
|
||||
dns:
|
||||
- 192.168.203.254
|
||||
depends_on:
|
||||
- redis
|
||||
- resolver
|
||||
|
||||
imap:
|
||||
image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}dovecot:${PINNED_MAILU_VERSION:-local}
|
||||
@ -81,7 +84,13 @@ services:
|
||||
volumes:
|
||||
- "/mailu/filter:/data"
|
||||
|
||||
|
||||
resolver:
|
||||
image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}unbound:${MAILU_VERSION:-local}
|
||||
env_file: mailu.env
|
||||
restart: always
|
||||
networks:
|
||||
default:
|
||||
ipv4_address: 192.168.203.254
|
||||
|
||||
# Webmail
|
||||
|
||||
|
@ -42,6 +42,9 @@ services:
|
||||
- "/mailu/dkim:/dkim"
|
||||
depends_on:
|
||||
- redis
|
||||
- resolver
|
||||
dns:
|
||||
- 192.168.203.254
|
||||
|
||||
imap:
|
||||
image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}dovecot:${PINNED_MAILU_VERSION:-local}
|
||||
@ -75,7 +78,13 @@ services:
|
||||
|
||||
# Optional services
|
||||
|
||||
|
||||
resolver:
|
||||
image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}unbound:${MAILU_VERSION:-local}
|
||||
env_file: mailu.env
|
||||
restart: always
|
||||
networks:
|
||||
default:
|
||||
ipv4_address: 192.168.203.254
|
||||
|
||||
# Webmail
|
||||
webmail:
|
||||
|
@ -42,6 +42,9 @@ services:
|
||||
- "/mailu/dkim:/dkim"
|
||||
depends_on:
|
||||
- redis
|
||||
- resolver
|
||||
dns:
|
||||
- 192.168.203.254
|
||||
|
||||
imap:
|
||||
image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}dovecot:${PINNED_MAILU_VERSION:-local}
|
||||
@ -75,7 +78,13 @@ services:
|
||||
|
||||
# Optional services
|
||||
|
||||
|
||||
resolver:
|
||||
image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}unbound:${MAILU_VERSION:-local}
|
||||
env_file: mailu.env
|
||||
restart: always
|
||||
networks:
|
||||
default:
|
||||
ipv4_address: 192.168.203.254
|
||||
|
||||
# Webmail
|
||||
webmail:
|
||||
|
@ -40,8 +40,11 @@ services:
|
||||
volumes:
|
||||
- "/mailu/data:/data"
|
||||
- "/mailu/dkim:/dkim"
|
||||
dns:
|
||||
- 192.168.203.254
|
||||
depends_on:
|
||||
- redis
|
||||
- resolver
|
||||
|
||||
imap:
|
||||
image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}dovecot:${PINNED_MAILU_VERSION:-local}
|
||||
@ -82,6 +85,13 @@ services:
|
||||
volumes:
|
||||
- "/mailu/dav:/data"
|
||||
|
||||
resolver:
|
||||
image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}unbound:${MAILU_VERSION:-local}
|
||||
env_file: mailu.env
|
||||
restart: always
|
||||
networks:
|
||||
default:
|
||||
ipv4_address: 192.168.203.254
|
||||
|
||||
# Webmail
|
||||
|
||||
|
1
towncrier/newsfragments/2135.bugfix
Normal file
1
towncrier/newsfragments/2135.bugfix
Normal file
@ -0,0 +1 @@
|
||||
Enable unbound by default. Mailu now requires a DNSSEC validating DNS resolver and experience has shown that this may not be the default everywhere yet.
|