mirror of https://github.com/Mailu/Mailu.git synced 2025-01-18 03:21:36 +02:00
3307: ports not in PORTS should not be bound r=nextgens a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

Ensure we only bind ports that do feature in PORTS.
Previously we would bind ports 110 and 143 even though we shouldn't have.

### Related issue(s)

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry is not applicable, you can check it or remove it from the list.

- [ ] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Co-authored-by: Florent Daigniere <nextgens@users.noreply.github.com>
bors-mailu[bot] 2024-06-26 11:48:19 +00:00 committed by GitHub
commit 3309464605
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
5 changed files with 10 additions and 16 deletions

@ -87,6 +87,7 @@ DEFAULT_CONFIG = {
'TLS_PERMISSIVE': True,
'TZ': 'Etc/UTC',
'DEFAULT_SPAM_THRESHOLD': 80,
'PORTS': '25,80,443,465,993,995,4190',
'PROXY_AUTH_WHITELIST': '',
'PROXY_AUTH_HEADER': 'X-Auth-Email',
'PROXY_AUTH_CREATE': False,

@ -257,6 +257,7 @@ class Domain(Base):
@cached_property
def dns_autoconfig(self):
""" return list of auto configuration records (RFC6186) """
ports = {int(port.strip()) for port in app.config['PORTS'].split(',')}.union({465, 993})
hostname = app.config['HOSTNAME']
protocols = [
('imap', 143, 20),
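Review bot: `int(port.strip())` on the new `ports = ...` line raises ValueError for any empty or non-numeric item, so a PORTS value with a trailing comma makes `dns_autoconfig` fail instead of rendering records. Skip empty tokens before converting, and consider parsing PORTS once where the configuration is loaded rather than inside this cached property. The `.union({465, 993})` also needs a short comment saying these two ports are always advertised regardless of PORTS.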
@ -272,7 +273,7 @@ class Domain(Base):
])
return [
f'_{proto}._tcp.{self.name}. 600 IN SRV {prio} 1 {port} {hostname}.'
f'_{proto}._tcp.{self.name}. 600 IN SRV {prio} 1 {port} {hostname}.' if port in ports else f'_{proto}._tcp.{self.name}. 600 IN SRV 0 0 0 .'
for proto, port, prio
in protocols
]+[f'autoconfig.{self.name}. 600 IN CNAME {hostname}.']
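Review bot: the new conditional line in the list comprehension repeats the `_{proto}._tcp.{self.name}. 600 IN SRV` prefix in both branches, which makes the only real difference (the record data) hard to spot. Compute the data part first (`{prio} 1 {port} {hostname}.` or `0 0 0 .`) and format the prefix once. A one-line comment that the `0 0 0 .` form marks the service as not offered would help, since the docstring only cites RFC6186.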

@ -96,15 +96,13 @@ protocol imap {
}
service imap-login {
{%- if PORT_143 %}
inet_listener imap {
port = 143
port = {% if PORT_143 %}143{% else %}0{% endif %}
{%- if PROXY_PROTOCOL_143 %}
haproxy = yes
{% endif %}
}
{% endif %}
{%- if TLS_993 and PORT_993 %}
{%- if TLS_993 %}
inet_listener imaps {
port = 993
ssl = yes
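Review bot: the `imaps` guard is now `{%- if TLS_993 %}`, which still drops the whole listener section when TLS_993 is false, while the plain `imap` listener above was changed to always render with `port = 0` when disabled. If an omitted section ends up bound anyway (the reason given for this fix), the imaps listener has the same gap; render it unconditionally and select the port inside the block, as done for port 143.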
@ -119,14 +117,12 @@ service imap-login {
}
service pop3-login {
{%- if PORT_110 %}
inet_listener pop3 {
port = 110
port = {% if PORT_110 %}110{% else %}0{% endif %}
{%- if PROXY_PROTOCOL_110 %}
haproxy = yes
{% endif %}
}
{% endif %}
{%- if TLS_995 and PORT_995 %}
inet_listener pop3s {
port = 995
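Review bot: the unchanged `{%- if TLS_995 and PORT_995 %}` guard around `inet_listener pop3s` still omits the section when 995 is removed from PORTS, unlike the `pop3` listener just above, which now sets `port = 0`. Since 995 is in the default list and users can drop it, this is the case the PR title promises to cover; apply the same `port = {% if ... %}995{% else %}0{% endif %}` pattern here.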
@ -148,17 +144,12 @@ service lmtp {
service submission-login {
inet_listener submission {
{%- if PORT_587 %}
port = 587
port = {% if PORT_587 %}587{% else %}0{% endif %}
{%- if PROXY_PROTOCOL_587 %}
haproxy = yes
{% endif %}
{%- else %}
# if the section is unset the port is bound anyways
port = 0
{% endif %}
}
{%- if TLS_465 and PORT_465 %}
{%- if TLS_465 %}
inet_listener submissions {
port = 465
ssl = yes
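Review bot: this hunk deletes the comment `# if the section is unset the port is bound anyways`, which was the only in-file explanation of why `port = 0` is used. Keep an equivalent one-line comment next to `port = {% if PORT_587 %}587{% else %}0{% endif %}` (or once at the top of the login services) so the idiom is not "simplified" back into a conditional section later. The `haproxy = yes` line is now rendered even when the port is 0, which is worth a quick check that it is harmless on a disabled listener.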

@ -280,7 +280,7 @@ The ``TZ`` sets the timezone Mailu will use. The timezone naming convention usua
The ``PORTS`` (default: '25,80,443,465,993,995,4190') setting determines which services should be enabled. It is a comma delimited list of ports numbers.
If you need to re-enable IMAP, POP3 and Submission, you can append '110,143,587' to that list.
If you need to re-enable IMAP, POP3 and Submission, you can append '110,143,587' to that list. Please note that ports 25,465 and 993 cannot be disabled.
The ``PROXY_PROTOCOL`` (default: unset) setting allows the the front container to receive TCP and HTTP connections with
the `PROXY protocol`_ (originally introduced in HAProxy, now also configurable in other proxy servers).
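Review bot: the added sentence says ports 25, 465 and 993 cannot be disabled, but the code shown in this commit only forces 465 and 993 (the `.union({465, 993})` in `dns_autoconfig` and the `TLS_465` / `TLS_993` guards); nothing visible here covers 25, so either point to where that is enforced or adjust the wording. Also add the missing space in "25,465", and mention that ports left out of PORTS are published as unavailable in the autoconfig SRV records, since that is a user-visible effect of this setting.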

@ -0,0 +1 @@
Ensure that ports that do not feature in PORTS are not bound