mirror of
https://github.com/Mailu/Mailu.git
synced 2024-12-14 10:53:30 +02:00
Merge branch 'master' into AdminLTE-3
This commit is contained in:
commit
df64601b28
431
.github/workflows/CI.yml
vendored
Normal file
431
.github/workflows/CI.yml
vendored
Normal file
@ -0,0 +1,431 @@
|
||||
name: CI
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- staging
|
||||
- testing
|
||||
- '1.5'
|
||||
- '1.6'
|
||||
- '1.7'
|
||||
- '1.8'
|
||||
- master
|
||||
# version tags, e.g. 1.7.1
|
||||
- '[1-9].[0-9].[0-9]'
|
||||
# pre-releases, e.g. 1.8-pre1
|
||||
- 1.8-pre[0-9]
|
||||
# test branches, e.g. test-debian
|
||||
- test-*
|
||||
|
||||
###############################################
|
||||
# REQUIRED secrets
|
||||
# DOCKER_UN: ${{ secrets.Docker_Login }}
|
||||
# Username of docker login for pushing the images to repo $DOCKER_ORG
|
||||
# DOCKER_PW: ${{ secrets.Docker_Password }}
|
||||
# Password of docker login for pushing the images to repo $DOCKER_ORG
|
||||
# DOCKER_ORG: ${{ secrets.DOCKER_ORG }}
|
||||
# The docker repository where the images are pushed to.
|
||||
# DOCKER_ORG_TESTS: ${{ secrets.DOCKER_ORG_TESTS }}
|
||||
# The docker repository for test images. Only used for the branch TESTING (BORS try).
|
||||
# Add the above secrets to your github repo to determine where the images will be pushed.
|
||||
################################################
|
||||
|
||||
jobs:
|
||||
build:
|
||||
name: Build images
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
- name: Extract branch name
|
||||
shell: bash
|
||||
run: |
|
||||
echo "BRANCH=${GITHUB_REF#refs/heads/}" >> $GITHUB_ENV
|
||||
#For branch TESTING, we set the image tag to PR-xxxx
|
||||
- name: Derive MAILU_VERSION for branch testing
|
||||
if: ${{ env.BRANCH == 'testing' }}
|
||||
shell: bash
|
||||
env:
|
||||
COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
|
||||
run: |
|
||||
echo "MAILU_VERSION=pr-${COMMIT_MESSAGE//[!0-9]/}" >> $GITHUB_ENV
|
||||
- name: Derive MAILU_VERSION for other branches than testing
|
||||
if: ${{ env.BRANCH != 'testing' }}
|
||||
shell: bash
|
||||
env:
|
||||
MAILU_BRANCH: ${{ env.BRANCH }}
|
||||
run: |
|
||||
echo "MAILU_VERSION=${{ env.MAILU_BRANCH }}" >> $GITHUB_ENV
|
||||
- name: Create folder for storing images
|
||||
run: |
|
||||
sudo mkdir -p /images
|
||||
sudo chmod 777 /images
|
||||
- name: Configure images folder for caching
|
||||
uses: actions/cache@v2
|
||||
with:
|
||||
path: /images
|
||||
key: ${{ env.BRANCH }}-${{ github.run_id }}-${{ github.run_number }}
|
||||
- name: Check docker-compose version
|
||||
run: docker-compose -v
|
||||
- name: Login docker
|
||||
env:
|
||||
DOCKER_UN: ${{ secrets.Docker_Login }}
|
||||
DOCKER_PW: ${{ secrets.Docker_Password }}
|
||||
DOCKER_ORG: ${{ secrets.DOCKER_ORG }}
|
||||
run: echo "$DOCKER_PW" | docker login --username $DOCKER_UN --password-stdin
|
||||
- name: Build all docker images
|
||||
env:
|
||||
MAILU_VERSION: ${{ env.MAILU_VERSION }}
|
||||
TRAVIS_BRANCH: ${{ env.BRANCH }}
|
||||
DOCKER_ORG: ${{ secrets.DOCKER_ORG }}
|
||||
run: docker-compose -f tests/build.yml build
|
||||
- name: Save all docker images
|
||||
run: docker save ${{ secrets.DOCKER_ORG }}/admin ${{ secrets.DOCKER_ORG }}/clamav ${{ secrets.DOCKER_ORG }}/docs ${{ secrets.DOCKER_ORG }}/dovecot ${{ secrets.DOCKER_ORG }}/fetchmail ${{ secrets.DOCKER_ORG }}/nginx ${{ secrets.DOCKER_ORG }}/none ${{ secrets.DOCKER_ORG }}/postfix ${{ secrets.DOCKER_ORG }}/postgresql ${{ secrets.DOCKER_ORG }}/radicale ${{ secrets.DOCKER_ORG }}/rainloop ${{ secrets.DOCKER_ORG }}/roundcube ${{ secrets.DOCKER_ORG }}/rspamd ${{ secrets.DOCKER_ORG }}/setup ${{ secrets.DOCKER_ORG }}/traefik-certdumper ${{ secrets.DOCKER_ORG }}/unbound -o /images/images.tar.gz
|
||||
|
||||
test-core:
|
||||
name: Perform core tests
|
||||
runs-on: ubuntu-latest
|
||||
needs:
|
||||
- build
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
- name: Extract branch name
|
||||
shell: bash
|
||||
run: |
|
||||
echo "BRANCH=${GITHUB_REF#refs/heads/}" >> $GITHUB_ENV
|
||||
- name: Derive MAILU_VERSION for branch testing
|
||||
if: ${{ env.BRANCH == 'testing' }}
|
||||
shell: bash
|
||||
env:
|
||||
COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
|
||||
run: |
|
||||
echo "MAILU_VERSION=pr-${COMMIT_MESSAGE//[!0-9]/}" >> $GITHUB_ENV
|
||||
- name: Derive MAILU_VERSION for other branches than testing
|
||||
if: ${{ env.BRANCH != 'testing' }}
|
||||
shell: bash
|
||||
env:
|
||||
MAILU_BRANCH: ${{ env.BRANCH }}
|
||||
run: |
|
||||
echo "MAILU_VERSION=${{ env.MAILU_BRANCH }}" >> $GITHUB_ENV
|
||||
- name: Create folder for storing images
|
||||
run: |
|
||||
sudo mkdir -p /images
|
||||
sudo chmod 777 /images
|
||||
- name: Configure images folder for caching
|
||||
uses: actions/cache@v2
|
||||
with:
|
||||
path: /images
|
||||
key: ${{ env.BRANCH }}-${{ github.run_id }}-${{ github.run_number }}
|
||||
- name: Load docker images
|
||||
run: docker load -i /images/images.tar.gz
|
||||
- name: Install python packages
|
||||
run: python3 -m pip install -r tests/requirements.txt
|
||||
- name: Copy all certs
|
||||
run: sudo -- sh -c 'mkdir -p /mailu && cp -r tests/certs /mailu && chmod 600 /mailu/certs/*'
|
||||
- name: Test core suite
|
||||
run: python tests/compose/test.py core 2
|
||||
env:
|
||||
MAILU_VERSION: ${{ env.MAILU_VERSION }}
|
||||
TRAVIS_BRANCH: ${{ env.BRANCH }}
|
||||
DOCKER_ORG: ${{ secrets.DOCKER_ORG }}
|
||||
|
||||
test-fetchmail:
|
||||
name: Perform fetchmail tests
|
||||
runs-on: ubuntu-latest
|
||||
needs:
|
||||
- build
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
- name: Extract branch name
|
||||
shell: bash
|
||||
run: |
|
||||
echo "BRANCH=${GITHUB_REF#refs/heads/}" >> $GITHUB_ENV
|
||||
- name: Derive MAILU_VERSION for branch testing
|
||||
if: ${{ env.BRANCH == 'testing' }}
|
||||
shell: bash
|
||||
env:
|
||||
COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
|
||||
run: |
|
||||
echo "MAILU_VERSION=pr-${COMMIT_MESSAGE//[!0-9]/}" >> $GITHUB_ENV
|
||||
- name: Derive MAILU_VERSION for other branches than testing
|
||||
if: ${{ env.BRANCH != 'testing' }}
|
||||
shell: bash
|
||||
env:
|
||||
MAILU_BRANCH: ${{ env.BRANCH }}
|
||||
run: |
|
||||
echo "MAILU_VERSION=${{ env.MAILU_BRANCH }}" >> $GITHUB_ENV
|
||||
- name: Create folder for storing images
|
||||
run: |
|
||||
sudo mkdir -p /images
|
||||
sudo chmod 777 /images
|
||||
- name: Configure images folder for caching
|
||||
uses: actions/cache@v2
|
||||
with:
|
||||
path: /images
|
||||
key: ${{ env.BRANCH }}-${{ github.run_id }}-${{ github.run_number }}
|
||||
- name: Load docker images
|
||||
run: docker load -i /images/images.tar.gz
|
||||
- name: Install python packages
|
||||
run: python3 -m pip install -r tests/requirements.txt
|
||||
- name: Copy all certs
|
||||
run: sudo -- sh -c 'mkdir -p /mailu && cp -r tests/certs /mailu && chmod 600 /mailu/certs/*'
|
||||
- name: Test fetch
|
||||
run: python tests/compose/test.py fetchmail 2
|
||||
env:
|
||||
MAILU_VERSION: ${{ env.MAILU_VERSION }}
|
||||
TRAVIS_BRANCH: ${{ env.BRANCH }}
|
||||
DOCKER_ORG: ${{ secrets.DOCKER_ORG }}
|
||||
|
||||
test-filters:
|
||||
name: Perform filter tests
|
||||
runs-on: ubuntu-latest
|
||||
needs:
|
||||
- build
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
- name: Extract branch name
|
||||
shell: bash
|
||||
run: |
|
||||
echo "BRANCH=${GITHUB_REF#refs/heads/}" >> $GITHUB_ENV
|
||||
- name: Derive MAILU_VERSION for branch testing
|
||||
if: ${{ env.BRANCH == 'testing' }}
|
||||
shell: bash
|
||||
env:
|
||||
COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
|
||||
run: |
|
||||
echo "MAILU_VERSION=pr-${COMMIT_MESSAGE//[!0-9]/}" >> $GITHUB_ENV
|
||||
- name: Derive MAILU_VERSION for other branches than testing
|
||||
if: ${{ env.BRANCH != 'testing' }}
|
||||
shell: bash
|
||||
env:
|
||||
MAILU_BRANCH: ${{ env.BRANCH }}
|
||||
run: |
|
||||
echo "MAILU_VERSION=${{ env.MAILU_BRANCH }}" >> $GITHUB_ENV
|
||||
- name: Create folder for storing images
|
||||
run: |
|
||||
sudo mkdir -p /images
|
||||
sudo chmod 777 /images
|
||||
- name: Configure images folder for caching
|
||||
uses: actions/cache@v2
|
||||
with:
|
||||
path: /images
|
||||
key: ${{ env.BRANCH }}-${{ github.run_id }}-${{ github.run_number }}
|
||||
- name: Load docker images
|
||||
run: docker load -i /images/images.tar.gz
|
||||
- name: Install python packages
|
||||
run: python3 -m pip install -r tests/requirements.txt
|
||||
- name: Copy all certs
|
||||
run: sudo -- sh -c 'mkdir -p /mailu && cp -r tests/certs /mailu && chmod 600 /mailu/certs/*'
|
||||
- name: Test clamvav
|
||||
run: python tests/compose/test.py filters 3
|
||||
env:
|
||||
MAILU_VERSION: ${{ env.MAILU_VERSION }}
|
||||
TRAVIS_BRANCH: ${{ env.BRANCH }}
|
||||
DOCKER_ORG: ${{ secrets.DOCKER_ORG }}
|
||||
|
||||
test-rainloop:
|
||||
name: Perform rainloop tests
|
||||
runs-on: ubuntu-latest
|
||||
needs:
|
||||
- build
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
- name: Extract branch name
|
||||
shell: bash
|
||||
run: |
|
||||
echo "BRANCH=${GITHUB_REF#refs/heads/}" >> $GITHUB_ENV
|
||||
- name: Derive MAILU_VERSION for branch testing
|
||||
if: ${{ env.BRANCH == 'testing' }}
|
||||
shell: bash
|
||||
env:
|
||||
COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
|
||||
run: |
|
||||
echo "MAILU_VERSION=pr-${COMMIT_MESSAGE//[!0-9]/}" >> $GITHUB_ENV
|
||||
- name: Derive MAILU_VERSION for other branches than testing
|
||||
if: ${{ env.BRANCH != 'testing' }}
|
||||
shell: bash
|
||||
env:
|
||||
MAILU_BRANCH: ${{ env.BRANCH }}
|
||||
run: |
|
||||
echo "MAILU_VERSION=${{ env.MAILU_BRANCH }}" >> $GITHUB_ENV
|
||||
- name: Create folder for storing images
|
||||
run: |
|
||||
sudo mkdir -p /images
|
||||
sudo chmod 777 /images
|
||||
- name: Configure images folder for caching
|
||||
uses: actions/cache@v2
|
||||
with:
|
||||
path: /images
|
||||
key: ${{ env.BRANCH }}-${{ github.run_id }}-${{ github.run_number }}
|
||||
- name: Load docker images
|
||||
run: docker load -i /images/images.tar.gz
|
||||
- name: Install python packages
|
||||
run: python3 -m pip install -r tests/requirements.txt
|
||||
- name: Copy all certs
|
||||
run: sudo -- sh -c 'mkdir -p /mailu && cp -r tests/certs /mailu && chmod 600 /mailu/certs/*'
|
||||
- name: Test rainloop
|
||||
run: python tests/compose/test.py rainloop 2
|
||||
env:
|
||||
MAILU_VERSION: ${{ env.MAILU_VERSION }}
|
||||
TRAVIS_BRANCH: ${{ env.BRANCH }}
|
||||
DOCKER_ORG: ${{ secrets.DOCKER_ORG }}
|
||||
|
||||
test-roundcube:
|
||||
name: Perform roundcube tests
|
||||
runs-on: ubuntu-latest
|
||||
needs:
|
||||
- build
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
- name: Extract branch name
|
||||
shell: bash
|
||||
run: |
|
||||
echo "BRANCH=${GITHUB_REF#refs/heads/}" >> $GITHUB_ENV
|
||||
- name: Derive MAILU_VERSION for branch testing
|
||||
if: ${{ env.BRANCH == 'testing' }}
|
||||
shell: bash
|
||||
env:
|
||||
COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
|
||||
run: |
|
||||
echo "MAILU_VERSION=pr-${COMMIT_MESSAGE//[!0-9]/}" >> $GITHUB_ENV
|
||||
- name: Derive MAILU_VERSION for other branches than testing
|
||||
if: ${{ env.BRANCH != 'testing' }}
|
||||
shell: bash
|
||||
env:
|
||||
MAILU_BRANCH: ${{ env.BRANCH }}
|
||||
run: |
|
||||
echo "MAILU_VERSION=${{ env.MAILU_BRANCH }}" >> $GITHUB_ENV
|
||||
- name: Create folder for storing images
|
||||
run: |
|
||||
sudo mkdir -p /images
|
||||
sudo chmod 777 /images
|
||||
- name: Configure images folder for caching
|
||||
uses: actions/cache@v2
|
||||
with:
|
||||
path: /images
|
||||
key: ${{ env.BRANCH }}-${{ github.run_id }}-${{ github.run_number }}
|
||||
- name: Load docker images
|
||||
run: docker load -i /images/images.tar.gz
|
||||
- name: Install python packages
|
||||
run: python3 -m pip install -r tests/requirements.txt
|
||||
- name: Copy all certs
|
||||
run: sudo -- sh -c 'mkdir -p /mailu && cp -r tests/certs /mailu && chmod 600 /mailu/certs/*'
|
||||
- name: Test roundcube
|
||||
run: python tests/compose/test.py roundcube 2
|
||||
env:
|
||||
MAILU_VERSION: ${{ env.MAILU_VERSION }}
|
||||
TRAVIS_BRANCH: ${{ env.BRANCH }}
|
||||
DOCKER_ORG: ${{ secrets.DOCKER_ORG }}
|
||||
|
||||
test-webdav:
|
||||
name: Perform webdav tests
|
||||
runs-on: ubuntu-latest
|
||||
needs:
|
||||
- build
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
- name: Extract branch name
|
||||
shell: bash
|
||||
run: |
|
||||
echo "BRANCH=${GITHUB_REF#refs/heads/}" >> $GITHUB_ENV
|
||||
- name: Derive MAILU_VERSION for branch testing
|
||||
if: ${{ env.BRANCH == 'testing' }}
|
||||
shell: bash
|
||||
env:
|
||||
COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
|
||||
run: |
|
||||
echo "MAILU_VERSION=pr-${COMMIT_MESSAGE//[!0-9]/}" >> $GITHUB_ENV
|
||||
- name: Derive MAILU_VERSION for other branches than testing
|
||||
if: ${{ env.BRANCH != 'testing' }}
|
||||
shell: bash
|
||||
env:
|
||||
MAILU_BRANCH: ${{ env.BRANCH }}
|
||||
run: |
|
||||
echo "MAILU_VERSION=${{ env.MAILU_BRANCH }}" >> $GITHUB_ENV
|
||||
- name: Create folder for storing images
|
||||
run: |
|
||||
sudo mkdir -p /images
|
||||
sudo chmod 777 /images
|
||||
- name: Configure images folder for caching
|
||||
uses: actions/cache@v2
|
||||
with:
|
||||
path: /images
|
||||
key: ${{ env.BRANCH }}-${{ github.run_id }}-${{ github.run_number }}
|
||||
- name: Load docker images
|
||||
run: docker load -i /images/images.tar.gz
|
||||
- name: Install python packages
|
||||
run: python3 -m pip install -r tests/requirements.txt
|
||||
- name: Copy all certs
|
||||
run: sudo -- sh -c 'mkdir -p /mailu && cp -r tests/certs /mailu && chmod 600 /mailu/certs/*'
|
||||
- name: Test webdav
|
||||
run: python tests/compose/test.py webdav 2
|
||||
env:
|
||||
MAILU_VERSION: ${{ env.MAILU_VERSION }}
|
||||
TRAVIS_BRANCH: ${{ env.BRANCH }}
|
||||
DOCKER_ORG: ${{ secrets.DOCKER_ORG }}
|
||||
|
||||
deploy:
|
||||
name: Deploy images
|
||||
runs-on: ubuntu-latest
|
||||
needs:
|
||||
- build
|
||||
- test-core
|
||||
- test-fetchmail
|
||||
- test-filters
|
||||
- test-rainloop
|
||||
- test-roundcube
|
||||
- test-webdav
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
- name: Extract branch name
|
||||
shell: bash
|
||||
run: |
|
||||
echo "BRANCH=${GITHUB_REF#refs/heads/}" >> $GITHUB_ENV
|
||||
#For branch TESTING, we set the image tag to PR-xxxx
|
||||
- name: Derive MAILU_VERSION for branch testing
|
||||
if: ${{ env.BRANCH == 'testing' }}
|
||||
shell: bash
|
||||
env:
|
||||
COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
|
||||
run: |
|
||||
echo "MAILU_VERSION=pr-${COMMIT_MESSAGE//[!0-9]/}" >> $GITHUB_ENV
|
||||
- name: Derive MAILU_VERSION for other branches than testing
|
||||
if: ${{ env.BRANCH != 'testing' }}
|
||||
shell: bash
|
||||
env:
|
||||
MAILU_BRANCH: ${{ env.BRANCH }}
|
||||
run: |
|
||||
echo "MAILU_VERSION=${{ env.MAILU_BRANCH }}" >> $GITHUB_ENV
|
||||
- name: Create folder for storing images
|
||||
run: |
|
||||
sudo mkdir -p /images
|
||||
sudo chmod 777 /images
|
||||
- name: Configure images folder for caching
|
||||
# For staging we do not deploy images. So we do not have to load them from cache.
|
||||
if: ${{ env.BRANCH != 'staging' }}
|
||||
uses: actions/cache@v2
|
||||
with:
|
||||
path: /images
|
||||
key: ${{ env.BRANCH }}-${{ github.run_id }}-${{ github.run_number }}
|
||||
- name: Load docker images
|
||||
if: ${{ env.BRANCH != 'staging' }}
|
||||
run: docker load -i /images/images.tar.gz
|
||||
- name: Deploy built docker images
|
||||
env:
|
||||
DOCKER_UN: ${{ secrets.Docker_Login }}
|
||||
DOCKER_PW: ${{ secrets.Docker_Password }}
|
||||
DOCKER_ORG: ${{ secrets.DOCKER_ORG }}
|
||||
DOCKER_ORG_TESTS: ${{ secrets.DOCKER_ORG_TESTS }}
|
||||
MAILU_VERSION: ${{ env.MAILU_VERSION }}
|
||||
TRAVIS_BRANCH: ${{ env.BRANCH }}
|
||||
run: bash tests/deploy.sh
|
||||
|
||||
# This job is watched by bors. It only complets if building,testing and deploy worked.
|
||||
ci-success:
|
||||
name: CI-Done
|
||||
#Returns true when none of the **previous** steps have failed or been canceled.
|
||||
if: ${{ success() }}
|
||||
needs:
|
||||
- deploy
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: CI/CD succeeded.
|
||||
run: exit 0
|
@ -27,7 +27,7 @@ pull_request_rules:
|
||||
|
||||
- name: Trusted author and 1 approved review; trigger bors r+
|
||||
conditions:
|
||||
- author~=^(mergify|kaiyou|muhlemmer|mildred|HorayNarea|adi90x|hoellen|ofthesun9|Nebukadneza|micw|lub|Diman0)$
|
||||
- author~=^(mergify|kaiyou|muhlemmer|mildred|HorayNarea|hoellen|ofthesun9|Nebukadneza|micw|lub|Diman0|3-w-c|decentral1se|ghostwheel42|nextgens|parisni)$
|
||||
- -title~=(WIP|wip)
|
||||
- -label~=^(status/wip|status/blocked|review/need2)$
|
||||
- "#approved-reviews-by>=1"
|
||||
|
56
.travis.yml
56
.travis.yml
@ -1,56 +0,0 @@
|
||||
branches:
|
||||
only:
|
||||
- staging
|
||||
- testing
|
||||
- '1.5'
|
||||
- '1.6'
|
||||
- '1.7'
|
||||
- '1.8'
|
||||
- master
|
||||
# version tags, e.g. 1.7.1
|
||||
- /^1\.[5678]\.\d+$/
|
||||
# pre-releases, e.g. 1.8-pre1
|
||||
- /^1\.8-pre\d+$/
|
||||
# test branches, e.g. test-debian
|
||||
- /^test-[\w\-\.]+$/
|
||||
|
||||
sudo: required
|
||||
services: docker
|
||||
addons:
|
||||
apt:
|
||||
packages:
|
||||
- docker-ce
|
||||
|
||||
env:
|
||||
- MAILU_VERSION=${TRAVIS_BRANCH////-}
|
||||
|
||||
language: python
|
||||
python:
|
||||
- "3.6"
|
||||
install:
|
||||
- pip install -r tests/requirements.txt
|
||||
- sudo curl -L https://github.com/docker/compose/releases/download/1.23.0-rc3/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose
|
||||
- sudo chmod +x /usr/local/bin/docker-compose
|
||||
|
||||
before_script:
|
||||
- docker-compose -v
|
||||
- echo "$DOCKER_PW" | docker login --username $DOCKER_UN --password-stdin
|
||||
- docker-compose -f tests/build.yml build
|
||||
- sudo -- sh -c 'mkdir -p /mailu && cp -r tests/certs /mailu && chmod 600 /mailu/certs/*'
|
||||
|
||||
|
||||
script:
|
||||
# test.py, test name and timeout between start and tests.
|
||||
- python tests/compose/test.py core 1
|
||||
- python tests/compose/test.py fetchmail 1
|
||||
- travis_wait python tests/compose/test.py filters 10
|
||||
- python tests/compose/test.py rainloop 1
|
||||
- python tests/compose/test.py roundcube 1
|
||||
- python tests/compose/test.py webdav 1
|
||||
|
||||
deploy:
|
||||
provider: script
|
||||
script: bash tests/deploy.sh
|
||||
on:
|
||||
all_branches: true
|
||||
condition: -n $DOCKER_UN
|
43
CHANGELOG.md
43
CHANGELOG.md
@ -4,18 +4,49 @@ Changelog
|
||||
Upgrade should run fine as long as you generate a new compose or stack
|
||||
configuration and upgrade your mailu.env.
|
||||
|
||||
Please note that the current 1.8 is what we call a "soft release": It’s there for everyone to see and use, but to limit possible user-impact of this very big release, it’s not yet the default in the setup-utility for new users. When upgrading, please treat it with some care, and be sure to always have backups!
|
||||
|
||||
There are some changes to the configuration overrides. Override files are now mounted read-only into the containers.
|
||||
The Dovecot and Postfix overrides are moved in their own sub-directory.
|
||||
If there are local override files, they will need to be moved from overrides/ to overrides/dovecot and overrides/postfix/.
|
||||
See https://mailu.io/1.8/faq.html#how-can-i-override-settings for all the mappings.
|
||||
|
||||
Please note that the shipped image for PostgreSQL database is deprecated.
|
||||
We advise to switch to an external database server.
|
||||
One major change for the docker compose file is that the antispam container needs a fixed hostname [#1837](https://github.com/Mailu/Mailu/issues/1837).
|
||||
This is handled when you regenerate the docker-compose file. A fixed hostname is required to retain rspamd history.
|
||||
This is also handled in the helm-chart repo.
|
||||
|
||||
<!-- TOWNCRIER -->
|
||||
v1.8.0 - 2020-09-28
|
||||
Improvements have been made to protect again session-fixation attacks.
|
||||
To be fully protected, it is required to change your SECRET_KEY in Mailu.env after upgrading.
|
||||
A new SECRET_KEY is generated when you recreate your docker-compose.yml & mailu.env file via setup.mailu.io.
|
||||
|
||||
The SECRET_KEY is an uppercase alphanumeric string of length 16. You can manually create such a string via
|
||||
```cat /dev/urandom | tr -dc 'A-Z0-9' | fold -w ${1:-16} | head -n 1```
|
||||
|
||||
After changing mailu.env, it is required to recreate all containers for the changes to be propagated.
|
||||
|
||||
Please note that the shipped image for PostgreSQL database is deprecated.
|
||||
We advise to switch to an external PostgreSQL database server.
|
||||
|
||||
|
||||
1.8.0 - 2021-08-06
|
||||
--------------------
|
||||
|
||||
- Features: Update version of roundcube webmail and carddav plugin. This is a security update. ([#1841](https://github.com/Mailu/Mailu/issues/1841))
|
||||
- Features: Update version of rainloop webmail to 1.16.0. This is a security update. ([#1845](https://github.com/Mailu/Mailu/issues/1845))
|
||||
- Features: Changed default value of AUTH_RATELIMIT_SUBNET to false. Increased default value of the rate limit in setup utility (AUTH_RATELIMIT) to a higher value. ([#1867](https://github.com/Mailu/Mailu/issues/1867))
|
||||
- Features: Update jquery used in setup. Set pinned versions in requirements.txt for setup. This is a security update. ([#1880](https://github.com/Mailu/Mailu/issues/1880))
|
||||
- Bugfixes: Replace PUBLIC_HOSTNAME and PUBLIC_IP in "Received" headers to ensure that no undue spam points are attributed ([#191](https://github.com/Mailu/Mailu/issues/191))
|
||||
- Bugfixes: Don't replace nested headers (typically in attached emails) ([#1660](https://github.com/Mailu/Mailu/issues/1660))
|
||||
- Bugfixes: Fix letsencrypt access to certbot for the mail-letsencrypt flavour ([#1686](https://github.com/Mailu/Mailu/issues/1686))
|
||||
- Bugfixes: Fix CVE-2020-25275 and CVE-2020-24386 by upgrading alpine for
|
||||
dovecot which contains a fixed dovecot version. ([#1720](https://github.com/Mailu/Mailu/issues/1720))
|
||||
- Bugfixes: Antispam service now uses a static hostname. Rspamd history is only retained when the service has a fixed hostname. ([#1837](https://github.com/Mailu/Mailu/issues/1837))
|
||||
- Bugfixes: Fix a bug preventing colons from being used in passwords when using radicale/webdav. ([#1861](https://github.com/Mailu/Mailu/issues/1861))
|
||||
- Bugfixes: Remove dot in blueprint name to prevent critical flask startup error in setup. ([#1874](https://github.com/Mailu/Mailu/issues/1874))
|
||||
- Bugfixes: fix punycode encoding of domain names ([#1891](https://github.com/Mailu/Mailu/issues/1891))
|
||||
- Improved Documentation: Update fail2ban documentation to use systemd backend instead of filepath for journald ([#1857](https://github.com/Mailu/Mailu/issues/1857))
|
||||
- Misc: Switch from client side (cookie) sessions to server side sessions and protect against session-fixation attacks. We recommend that you change your SECRET_KEY after upgrading. ([#1783](https://github.com/Mailu/Mailu/issues/1783))
|
||||
|
||||
|
||||
v1.8.0rc - 2020-09-28
|
||||
--------------------
|
||||
|
||||
- Features: Add support for backward-forwarding using SRS ([#328](https://github.com/Mailu/Mailu/issues/328))
|
||||
|
@ -13,4 +13,4 @@ Before we can consider review and merge, please make sure the following list is
|
||||
If an entry in not applicable, you can check it or remove it from the list.
|
||||
|
||||
- [ ] In case of feature or enhancement: documentation updated accordingly
|
||||
- [ ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.
|
||||
- [ ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.
|
||||
|
@ -1,8 +1,9 @@
|
||||
# First stage to build assets
|
||||
ARG DISTRO=alpine:3.12
|
||||
ARG DISTRO=alpine:3.14
|
||||
ARG ARCH=""
|
||||
FROM ${ARCH}node:15 as assets
|
||||
COPY --from=balenalib/rpi-alpine:3.10 /usr/bin/qemu-arm-static /usr/bin/qemu-arm-static
|
||||
|
||||
FROM ${ARCH}node:8 as assets
|
||||
COPY --from=balenalib/rpi-alpine:3.14 /usr/bin/qemu-arm-static /usr/bin/qemu-arm-static
|
||||
|
||||
COPY package.json ./
|
||||
RUN npm install
|
||||
@ -24,9 +25,9 @@ RUN mkdir -p /app
|
||||
WORKDIR /app
|
||||
|
||||
COPY requirements-prod.txt requirements.txt
|
||||
RUN apk add --no-cache libressl curl postgresql-libs mariadb-connector-c \
|
||||
RUN apk add --no-cache openssl curl postgresql-libs mariadb-connector-c \
|
||||
&& apk add --no-cache --virtual build-dep \
|
||||
libressl-dev libffi-dev python3-dev build-base postgresql-dev mariadb-connector-c-dev \
|
||||
openssl-dev libffi-dev python3-dev build-base postgresql-dev mariadb-connector-c-dev cargo \
|
||||
&& pip3 install -r requirements.txt \
|
||||
&& apk del --no-cache build-dep
|
||||
|
||||
|
@ -1,11 +1,12 @@
|
||||
""" Mailu admin app
|
||||
"""
|
||||
|
||||
import flask
|
||||
import flask_bootstrap
|
||||
import redis
|
||||
from flask_kvsession import KVSessionExtension
|
||||
from simplekv.memory.redisstore import RedisStore
|
||||
|
||||
from mailu import utils, debug, models, manage, configuration
|
||||
|
||||
import hmac
|
||||
|
||||
def create_app_from_config(config):
|
||||
""" Create a new application based on the given configuration
|
||||
@ -20,7 +21,7 @@ def create_app_from_config(config):
|
||||
# Initialize application extensions
|
||||
config.init_app(app)
|
||||
models.db.init_app(app)
|
||||
KVSessionExtension(RedisStore(redis.StrictRedis().from_url('redis://{0}/3'.format(config['REDIS_ADDRESS']))), app).cleanup_sessions(app)
|
||||
utils.session.init_app(app)
|
||||
utils.limiter.init_app(app)
|
||||
utils.babel.init_app(app)
|
||||
utils.login.init_app(app)
|
||||
@ -28,6 +29,8 @@ def create_app_from_config(config):
|
||||
utils.proxy.init_app(app)
|
||||
utils.migrate.init_app(app, models.db)
|
||||
|
||||
app.temp_token_key = hmac.new(bytearray(app.secret_key, 'utf-8'), bytearray('WEBMAIL_TEMP_TOKEN_KEY', 'utf-8'), 'sha256').digest()
|
||||
|
||||
# Initialize debugging tools
|
||||
if app.config.get("DEBUG"):
|
||||
debug.toolbar.init_app(app)
|
||||
@ -57,4 +60,3 @@ def create_app():
|
||||
"""
|
||||
config = configuration.ConfigManager()
|
||||
return create_app_from_config(config)
|
||||
|
||||
|
@ -14,6 +14,7 @@ DEFAULT_CONFIG = {
|
||||
'DEBUG': False,
|
||||
'DOMAIN_REGISTRATION': False,
|
||||
'TEMPLATES_AUTO_RELOAD': True,
|
||||
'MEMORY_SESSIONS': False,
|
||||
# Database settings
|
||||
'DB_FLAVOR': None,
|
||||
'DB_USER': 'mailu',
|
||||
@ -33,8 +34,8 @@ DEFAULT_CONFIG = {
|
||||
'POSTMASTER': 'postmaster',
|
||||
'TLS_FLAVOR': 'cert',
|
||||
'INBOUND_TLS_ENFORCE': False,
|
||||
'AUTH_RATELIMIT': '10/minute;1000/hour',
|
||||
'AUTH_RATELIMIT_SUBNET': True,
|
||||
'AUTH_RATELIMIT': '1000/minute;10000/hour',
|
||||
'AUTH_RATELIMIT_SUBNET': False,
|
||||
'DISABLE_STATISTICS': False,
|
||||
# Mail settings
|
||||
'DMARC_RUA': None,
|
||||
@ -55,6 +56,7 @@ DEFAULT_CONFIG = {
|
||||
'RECAPTCHA_PRIVATE_KEY': '',
|
||||
# Advanced settings
|
||||
'LOG_LEVEL': 'WARNING',
|
||||
'SESSION_KEY_BITS': 128,
|
||||
'SESSION_LIFETIME': 24,
|
||||
'SESSION_COOKIE_SECURE': True,
|
||||
'CREDENTIAL_ROUNDS': 12,
|
||||
@ -65,7 +67,6 @@ DEFAULT_CONFIG = {
|
||||
'HOST_SMTP': 'smtp',
|
||||
'HOST_AUTHSMTP': 'smtp',
|
||||
'HOST_ADMIN': 'admin',
|
||||
'WEBMAIL': 'none',
|
||||
'HOST_WEBMAIL': 'webmail',
|
||||
'HOST_WEBDAV': 'webdav:5232',
|
||||
'HOST_REDIS': 'redis',
|
||||
@ -136,9 +137,9 @@ class ConfigManager(dict):
|
||||
|
||||
self.config['RATELIMIT_STORAGE_URL'] = 'redis://{0}/2'.format(self.config['REDIS_ADDRESS'])
|
||||
self.config['QUOTA_STORAGE_URL'] = 'redis://{0}/1'.format(self.config['REDIS_ADDRESS'])
|
||||
self.config['SESSION_STORAGE_URL'] = 'redis://{0}/3'.format(self.config['REDIS_ADDRESS'])
|
||||
self.config['SESSION_COOKIE_SAMESITE'] = 'Strict'
|
||||
self.config['SESSION_COOKIE_HTTPONLY'] = True
|
||||
self.config['SESSION_KEY_BITS'] = 128
|
||||
self.config['PERMANENT_SESSION_LIFETIME'] = timedelta(hours=int(self.config['SESSION_LIFETIME']))
|
||||
# update the app config itself
|
||||
app.config = self
|
||||
|
@ -7,7 +7,6 @@ import ipaddress
|
||||
import socket
|
||||
import tenacity
|
||||
|
||||
|
||||
SUPPORTED_AUTH_METHODS = ["none", "plain"]
|
||||
|
||||
|
||||
@ -26,8 +25,12 @@ def check_credentials(user, password, ip, protocol=None):
|
||||
if not user or not user.enabled or (protocol == "imap" and not user.enable_imap) or (protocol == "pop3" and not user.enable_pop):
|
||||
return False
|
||||
is_ok = False
|
||||
# webmails
|
||||
if len(password) == 64 and ip == app.config['WEBMAIL_ADDRESS']:
|
||||
if user.verify_temp_token(password):
|
||||
is_ok = True
|
||||
# All tokens are 32 characters hex lowercase
|
||||
if len(password) == 32:
|
||||
if not is_ok and len(password) == 32:
|
||||
for token in user.tokens:
|
||||
if (token.check_password(password) and
|
||||
(not token.ip or token.ip == ip)):
|
||||
|
@ -43,6 +43,18 @@ def admin_authentication():
|
||||
return ""
|
||||
return flask.abort(403)
|
||||
|
||||
@internal.route("/auth/user")
|
||||
def user_authentication():
|
||||
""" Fails if the user is not authenticated.
|
||||
"""
|
||||
if (not flask_login.current_user.is_anonymous
|
||||
and flask_login.current_user.enabled):
|
||||
response = flask.Response()
|
||||
response.headers["X-User"] = flask_login.current_user.get_id()
|
||||
response.headers["X-User-Token"] = models.User.get_temp_token(flask_login.current_user.get_id())
|
||||
return response
|
||||
return flask.abort(403)
|
||||
|
||||
|
||||
@internal.route("/auth/basic")
|
||||
def basic_authentication():
|
||||
@ -51,7 +63,7 @@ def basic_authentication():
|
||||
authorization = flask.request.headers.get("Authorization")
|
||||
if authorization and authorization.startswith("Basic "):
|
||||
encoded = authorization.replace("Basic ", "")
|
||||
user_email, password = base64.b64decode(encoded).split(b":")
|
||||
user_email, password = base64.b64decode(encoded).split(b":", 1)
|
||||
user = models.User.query.get(user_email.decode("utf8"))
|
||||
if nginx.check_credentials(user, password.decode('utf-8'), flask.request.remote_addr, "web"):
|
||||
response = flask.Response()
|
||||
|
@ -2,6 +2,7 @@ from mailu import models
|
||||
from mailu.internal import internal
|
||||
|
||||
import flask
|
||||
import idna
|
||||
import re
|
||||
import srslib
|
||||
|
||||
@ -35,13 +36,67 @@ def postfix_alias_map(alias):
|
||||
def postfix_transport(email):
|
||||
if email == '*' or re.match("(^|.*@)\[.*\]$", email):
|
||||
return flask.abort(404)
|
||||
localpart, domain_name = models.Email.resolve_domain(email)
|
||||
_, domain_name = models.Email.resolve_domain(email)
|
||||
relay = models.Relay.query.get(domain_name) or flask.abort(404)
|
||||
ret = "smtp:[{0}]".format(relay.smtp)
|
||||
if ":" in relay.smtp:
|
||||
split = relay.smtp.split(':')
|
||||
ret = "smtp:[{0}]:{1}".format(split[0], split[1])
|
||||
return flask.jsonify(ret)
|
||||
target = relay.smtp.lower()
|
||||
port = None
|
||||
use_lmtp = False
|
||||
use_mx = False
|
||||
# strip prefixes mx: and lmtp:
|
||||
if target.startswith('mx:'):
|
||||
target = target[3:]
|
||||
use_mx = True
|
||||
elif target.startswith('lmtp:'):
|
||||
target = target[5:]
|
||||
use_lmtp = True
|
||||
# split host:port or [host]:port
|
||||
if target.startswith('['):
|
||||
if use_mx or ']' not in target:
|
||||
# invalid target (mx: and [] or missing ])
|
||||
flask.abort(400)
|
||||
host, rest = target[1:].split(']', 1)
|
||||
if rest.startswith(':'):
|
||||
port = rest[1:]
|
||||
elif rest:
|
||||
# invalid target (rest should be :port)
|
||||
flask.abort(400)
|
||||
else:
|
||||
if ':' in target:
|
||||
host, port = target.rsplit(':', 1)
|
||||
else:
|
||||
host = target
|
||||
# default for empty host part is mx:domain
|
||||
if not host:
|
||||
if not use_lmtp:
|
||||
host = relay.name.lower()
|
||||
use_mx = True
|
||||
else:
|
||||
# lmtp: needs a host part
|
||||
flask.abort(400)
|
||||
# detect ipv6 address or encode host
|
||||
if ':' in host:
|
||||
host = f'ipv6:{host}'
|
||||
else:
|
||||
try:
|
||||
host = idna.encode(host).decode('ascii')
|
||||
except idna.IDNAError:
|
||||
# invalid host (fqdn not encodable)
|
||||
flask.abort(400)
|
||||
# validate port
|
||||
if port is not None:
|
||||
try:
|
||||
port = int(port, 10)
|
||||
except ValueError:
|
||||
# invalid port (should be numeric)
|
||||
flask.abort(400)
|
||||
# create transport
|
||||
transport = 'lmtp' if use_lmtp else 'smtp'
|
||||
# use [] when not using MX lookups or host is an ipv6 address
|
||||
if host.startswith('ipv6:') or (not use_lmtp and not use_mx):
|
||||
host = f'[{host}]'
|
||||
# create port suffix
|
||||
port = '' if port is None else f':{port}'
|
||||
return flask.jsonify(f'{transport}:{host}{port}')
|
||||
|
||||
|
||||
@internal.route("/postfix/recipient/map/<path:recipient>")
|
||||
|
@ -1,40 +1,46 @@
|
||||
from mailu import models
|
||||
""" Mailu command line interface
|
||||
"""
|
||||
|
||||
from flask import current_app as app
|
||||
from flask import cli as flask_cli
|
||||
|
||||
import flask
|
||||
import sys
|
||||
import os
|
||||
import socket
|
||||
import uuid
|
||||
|
||||
import click
|
||||
import yaml
|
||||
|
||||
from flask import current_app as app
|
||||
from flask.cli import FlaskGroup, with_appcontext
|
||||
|
||||
from mailu import models
|
||||
from mailu.schemas import MailuSchema, Logger, RenderJSON
|
||||
|
||||
|
||||
db = models.db
|
||||
|
||||
|
||||
@click.group()
|
||||
def mailu(cls=flask_cli.FlaskGroup):
|
||||
@click.group(cls=FlaskGroup, context_settings={'help_option_names': ['-?', '-h', '--help']})
|
||||
def mailu():
|
||||
""" Mailu command line
|
||||
"""
|
||||
|
||||
|
||||
@mailu.command()
|
||||
@flask_cli.with_appcontext
|
||||
@with_appcontext
|
||||
def advertise():
|
||||
""" Advertise this server against statistic services.
|
||||
"""
|
||||
if os.path.isfile(app.config["INSTANCE_ID_PATH"]):
|
||||
with open(app.config["INSTANCE_ID_PATH"], "r") as handle:
|
||||
if os.path.isfile(app.config['INSTANCE_ID_PATH']):
|
||||
with open(app.config['INSTANCE_ID_PATH'], 'r') as handle:
|
||||
instance_id = handle.read()
|
||||
else:
|
||||
instance_id = str(uuid.uuid4())
|
||||
with open(app.config["INSTANCE_ID_PATH"], "w") as handle:
|
||||
with open(app.config['INSTANCE_ID_PATH'], 'w') as handle:
|
||||
handle.write(instance_id)
|
||||
if not app.config["DISABLE_STATISTICS"]:
|
||||
if not app.config['DISABLE_STATISTICS']:
|
||||
try:
|
||||
socket.gethostbyname(app.config["STATS_ENDPOINT"].format(instance_id))
|
||||
except:
|
||||
socket.gethostbyname(app.config['STATS_ENDPOINT'].format(instance_id))
|
||||
except OSError:
|
||||
pass
|
||||
|
||||
|
||||
@ -43,7 +49,7 @@ def advertise():
|
||||
@click.argument('domain_name')
|
||||
@click.argument('password')
|
||||
@click.option('-m', '--mode')
|
||||
@flask_cli.with_appcontext
|
||||
@with_appcontext
|
||||
def admin(localpart, domain_name, password, mode='create'):
|
||||
""" Create an admin user
|
||||
'mode' can be:
|
||||
@ -58,7 +64,7 @@ def admin(localpart, domain_name, password, mode='create'):
|
||||
|
||||
user = None
|
||||
if mode == 'ifmissing' or mode == 'update':
|
||||
email = '{}@{}'.format(localpart, domain_name)
|
||||
email = f'{localpart}@{domain_name}'
|
||||
user = models.User.query.get(email)
|
||||
|
||||
if user and mode == 'ifmissing':
|
||||
@ -86,7 +92,7 @@ def admin(localpart, domain_name, password, mode='create'):
|
||||
@click.argument('localpart')
|
||||
@click.argument('domain_name')
|
||||
@click.argument('password')
|
||||
@flask_cli.with_appcontext
|
||||
@with_appcontext
|
||||
def user(localpart, domain_name, password):
|
||||
""" Create a user
|
||||
"""
|
||||
@ -108,16 +114,16 @@ def user(localpart, domain_name, password):
|
||||
@click.argument('localpart')
|
||||
@click.argument('domain_name')
|
||||
@click.argument('password')
|
||||
@flask_cli.with_appcontext
|
||||
@with_appcontext
|
||||
def password(localpart, domain_name, password):
|
||||
""" Change the password of an user
|
||||
"""
|
||||
email = '{0}@{1}'.format(localpart, domain_name)
|
||||
email = f'{localpart}@{domain_name}'
|
||||
user = models.User.query.get(email)
|
||||
if user:
|
||||
user.set_password(password)
|
||||
else:
|
||||
print("User " + email + " not found.")
|
||||
print(f'User {email} not found.')
|
||||
db.session.commit()
|
||||
|
||||
|
||||
@ -126,7 +132,7 @@ def password(localpart, domain_name, password):
|
||||
@click.option('-u', '--max-users')
|
||||
@click.option('-a', '--max-aliases')
|
||||
@click.option('-q', '--max-quota-bytes')
|
||||
@flask_cli.with_appcontext
|
||||
@with_appcontext
|
||||
def domain(domain_name, max_users=-1, max_aliases=-1, max_quota_bytes=0):
|
||||
""" Create a domain
|
||||
"""
|
||||
@ -142,9 +148,9 @@ def domain(domain_name, max_users=-1, max_aliases=-1, max_quota_bytes=0):
|
||||
@click.argument('localpart')
|
||||
@click.argument('domain_name')
|
||||
@click.argument('password_hash')
|
||||
@flask_cli.with_appcontext
|
||||
@with_appcontext
|
||||
def user_import(localpart, domain_name, password_hash):
|
||||
""" Import a user along with password hash.
|
||||
""" Import a user along with password hash
|
||||
"""
|
||||
domain = models.Domain.query.get(domain_name)
|
||||
if not domain:
|
||||
@ -160,14 +166,14 @@ def user_import(localpart, domain_name, password_hash):
|
||||
db.session.commit()
|
||||
|
||||
|
||||
# TODO: remove deprecated config_update function?
|
||||
@mailu.command()
|
||||
@click.option('-v', '--verbose')
|
||||
@click.option('-d', '--delete-objects')
|
||||
@flask_cli.with_appcontext
|
||||
@with_appcontext
|
||||
def config_update(verbose=False, delete_objects=False):
|
||||
"""sync configuration with data from YAML-formatted stdin"""
|
||||
import yaml
|
||||
import sys
|
||||
""" Sync configuration with data from YAML (deprecated)
|
||||
"""
|
||||
new_config = yaml.safe_load(sys.stdin)
|
||||
# print new_config
|
||||
domains = new_config.get('domains', [])
|
||||
@ -187,13 +193,13 @@ def config_update(verbose=False, delete_objects=False):
|
||||
max_aliases=max_aliases,
|
||||
max_quota_bytes=max_quota_bytes)
|
||||
db.session.add(domain)
|
||||
print("Added " + str(domain_config))
|
||||
print(f'Added {domain_config}')
|
||||
else:
|
||||
domain.max_users = max_users
|
||||
domain.max_aliases = max_aliases
|
||||
domain.max_quota_bytes = max_quota_bytes
|
||||
db.session.add(domain)
|
||||
print("Updated " + str(domain_config))
|
||||
print(f'Updated {domain_config}')
|
||||
|
||||
users = new_config.get('users', [])
|
||||
tracked_users = set()
|
||||
@ -209,7 +215,7 @@ def config_update(verbose=False, delete_objects=False):
|
||||
domain_name = user_config['domain']
|
||||
password_hash = user_config.get('password_hash', None)
|
||||
domain = models.Domain.query.get(domain_name)
|
||||
email = '{0}@{1}'.format(localpart, domain_name)
|
||||
email = f'{localpart}@{domain_name}'
|
||||
optional_params = {}
|
||||
for k in user_optional_params:
|
||||
if k in user_config:
|
||||
@ -239,13 +245,13 @@ def config_update(verbose=False, delete_objects=False):
|
||||
print(str(alias_config))
|
||||
localpart = alias_config['localpart']
|
||||
domain_name = alias_config['domain']
|
||||
if type(alias_config['destination']) is str:
|
||||
if isinstance(alias_config['destination'], str):
|
||||
destination = alias_config['destination'].split(',')
|
||||
else:
|
||||
destination = alias_config['destination']
|
||||
wildcard = alias_config.get('wildcard', False)
|
||||
domain = models.Domain.query.get(domain_name)
|
||||
email = '{0}@{1}'.format(localpart, domain_name)
|
||||
email = f'{localpart}@{domain_name}'
|
||||
if not domain:
|
||||
domain = models.Domain(name=domain_name)
|
||||
db.session.add(domain)
|
||||
@ -275,7 +281,7 @@ def config_update(verbose=False, delete_objects=False):
|
||||
domain_name = manager_config['domain']
|
||||
user_name = manager_config['user']
|
||||
domain = models.Domain.query.get(domain_name)
|
||||
manageruser = models.User.query.get(user_name + '@' + domain_name)
|
||||
manageruser = models.User.query.get(f'{user_name}@{domain_name}')
|
||||
if manageruser not in domain.managers:
|
||||
domain.managers.append(manageruser)
|
||||
db.session.add(domain)
|
||||
@ -284,26 +290,117 @@ def config_update(verbose=False, delete_objects=False):
|
||||
|
||||
if delete_objects:
|
||||
for user in db.session.query(models.User).all():
|
||||
if not (user.email in tracked_users):
|
||||
if not user.email in tracked_users:
|
||||
if verbose:
|
||||
print("Deleting user: " + str(user.email))
|
||||
print(f'Deleting user: {user.email}')
|
||||
db.session.delete(user)
|
||||
for alias in db.session.query(models.Alias).all():
|
||||
if not (alias.email in tracked_aliases):
|
||||
if not alias.email in tracked_aliases:
|
||||
if verbose:
|
||||
print("Deleting alias: " + str(alias.email))
|
||||
print(f'Deleting alias: {alias.email}')
|
||||
db.session.delete(alias)
|
||||
for domain in db.session.query(models.Domain).all():
|
||||
if not (domain.name in tracked_domains):
|
||||
if not domain.name in tracked_domains:
|
||||
if verbose:
|
||||
print("Deleting domain: " + str(domain.name))
|
||||
print(f'Deleting domain: {domain.name}')
|
||||
db.session.delete(domain)
|
||||
db.session.commit()
|
||||
|
||||
|
||||
@mailu.command()
|
||||
@click.option('-v', '--verbose', count=True, help='Increase verbosity.')
|
||||
@click.option('-s', '--secrets', is_flag=True, help='Show secret attributes in messages.')
|
||||
@click.option('-d', '--debug', is_flag=True, help='Enable debug output.')
|
||||
@click.option('-q', '--quiet', is_flag=True, help='Quiet mode - only show errors.')
|
||||
@click.option('-c', '--color', is_flag=True, help='Force colorized output.')
|
||||
@click.option('-u', '--update', is_flag=True, help='Update mode - merge input with existing config.')
|
||||
@click.option('-n', '--dry-run', is_flag=True, help='Perform a trial run with no changes made.')
|
||||
@click.argument('source', metavar='[FILENAME|-]', type=click.File(mode='r'), default=sys.stdin)
|
||||
@with_appcontext
|
||||
def config_import(verbose=0, secrets=False, debug=False, quiet=False, color=False,
|
||||
update=False, dry_run=False, source=None):
|
||||
""" Import configuration as YAML or JSON from stdin or file
|
||||
"""
|
||||
|
||||
log = Logger(want_color=color or None, can_color=sys.stdout.isatty(), secrets=secrets, debug=debug)
|
||||
log.lexer = 'python'
|
||||
log.strip = True
|
||||
log.verbose = 0 if quiet else verbose
|
||||
log.quiet = quiet
|
||||
|
||||
context = {
|
||||
'import': True,
|
||||
'update': update,
|
||||
'clear': not update,
|
||||
'callback': log.track_serialize,
|
||||
}
|
||||
|
||||
schema = MailuSchema(only=MailuSchema.Meta.order, context=context)
|
||||
|
||||
try:
|
||||
# import source
|
||||
with models.db.session.no_autoflush:
|
||||
config = schema.loads(source)
|
||||
# flush session to show/count all changes
|
||||
if not quiet and (dry_run or verbose):
|
||||
db.session.flush()
|
||||
# check for duplicate domain names
|
||||
config.check()
|
||||
except Exception as exc:
|
||||
if msg := log.format_exception(exc):
|
||||
raise click.ClickException(msg) from exc
|
||||
raise
|
||||
|
||||
# don't commit when running dry
|
||||
if dry_run:
|
||||
log.changes('Dry run. Not committing changes.')
|
||||
db.session.rollback()
|
||||
else:
|
||||
log.changes('Committing changes.')
|
||||
db.session.commit()
|
||||
|
||||
|
||||
@mailu.command()
|
||||
@click.option('-f', '--full', is_flag=True, help='Include attributes with default value.')
|
||||
@click.option('-s', '--secrets', is_flag=True,
|
||||
help='Include secret attributes (dkim-key, passwords).')
|
||||
@click.option('-d', '--dns', is_flag=True, help='Include dns records.')
|
||||
@click.option('-c', '--color', is_flag=True, help='Force colorized output.')
|
||||
@click.option('-o', '--output-file', 'output', default=sys.stdout, type=click.File(mode='w'),
|
||||
help='Save configuration to file.')
|
||||
@click.option('-j', '--json', 'as_json', is_flag=True, help='Export configuration in json format.')
|
||||
@click.argument('only', metavar='[FILTER]...', nargs=-1)
|
||||
@with_appcontext
|
||||
def config_export(full=False, secrets=False, color=False, dns=False, output=None, as_json=False, only=None):
|
||||
""" Export configuration as YAML or JSON to stdout or file
|
||||
"""
|
||||
|
||||
log = Logger(want_color=color or None, can_color=output.isatty())
|
||||
|
||||
only = only or MailuSchema.Meta.order
|
||||
|
||||
context = {
|
||||
'full': full,
|
||||
'secrets': secrets,
|
||||
'dns': dns,
|
||||
}
|
||||
|
||||
try:
|
||||
schema = MailuSchema(only=only, context=context)
|
||||
if as_json:
|
||||
schema.opts.render_module = RenderJSON
|
||||
log.lexer = 'json'
|
||||
log.strip = True
|
||||
print(log.colorize(schema.dumps(models.MailuConfig())), file=output)
|
||||
except Exception as exc:
|
||||
if msg := log.format_exception(exc):
|
||||
raise click.ClickException(msg) from exc
|
||||
raise
|
||||
|
||||
|
||||
@mailu.command()
|
||||
@click.argument('email')
|
||||
@flask_cli.with_appcontext
|
||||
@with_appcontext
|
||||
def user_delete(email):
|
||||
"""delete user"""
|
||||
user = models.User.query.get(email)
|
||||
@ -314,7 +411,7 @@ def user_delete(email):
|
||||
|
||||
@mailu.command()
|
||||
@click.argument('email')
|
||||
@flask_cli.with_appcontext
|
||||
@with_appcontext
|
||||
def alias_delete(email):
|
||||
"""delete alias"""
|
||||
alias = models.Alias.query.get(email)
|
||||
@ -328,7 +425,7 @@ def alias_delete(email):
|
||||
@click.argument('domain_name')
|
||||
@click.argument('destination')
|
||||
@click.option('-w', '--wildcard', is_flag=True)
|
||||
@flask_cli.with_appcontext
|
||||
@with_appcontext
|
||||
def alias(localpart, domain_name, destination, wildcard=False):
|
||||
""" Create an alias
|
||||
"""
|
||||
@ -341,7 +438,7 @@ def alias(localpart, domain_name, destination, wildcard=False):
|
||||
domain=domain,
|
||||
wildcard=wildcard,
|
||||
destination=destination.split(','),
|
||||
email="%s@%s" % (localpart, domain_name)
|
||||
email=f'{localpart}@{domain_name}'
|
||||
)
|
||||
db.session.add(alias)
|
||||
db.session.commit()
|
||||
@ -352,7 +449,7 @@ def alias(localpart, domain_name, destination, wildcard=False):
|
||||
@click.argument('max_users')
|
||||
@click.argument('max_aliases')
|
||||
@click.argument('max_quota_bytes')
|
||||
@flask_cli.with_appcontext
|
||||
@with_appcontext
|
||||
def setlimits(domain_name, max_users, max_aliases, max_quota_bytes):
|
||||
""" Set domain limits
|
||||
"""
|
||||
@ -367,16 +464,12 @@ def setlimits(domain_name, max_users, max_aliases, max_quota_bytes):
|
||||
@mailu.command()
|
||||
@click.argument('domain_name')
|
||||
@click.argument('user_name')
|
||||
@flask_cli.with_appcontext
|
||||
@with_appcontext
|
||||
def setmanager(domain_name, user_name='manager'):
|
||||
""" Make a user manager of a domain
|
||||
"""
|
||||
domain = models.Domain.query.get(domain_name)
|
||||
manageruser = models.User.query.get(user_name + '@' + domain_name)
|
||||
manageruser = models.User.query.get(f'{user_name}@{domain_name}')
|
||||
domain.managers.append(manageruser)
|
||||
db.session.add(domain)
|
||||
db.session.commit()
|
||||
|
||||
|
||||
if __name__ == '__main__':
|
||||
cli()
|
||||
|
File diff suppressed because it is too large
Load Diff
1269
core/admin/mailu/schemas.py
Normal file
1269
core/admin/mailu/schemas.py
Normal file
File diff suppressed because it is too large
Load Diff
@ -50,5 +50,17 @@
|
||||
<td><pre>_dmarc.{{ domain.name }}. 600 IN TXT "v=DMARC1; p=reject;{% if config["DMARC_RUA"] %} rua=mailto:{{ config["DMARC_RUA"] }}@{{ config["DOMAIN"] }};{% endif %}{% if config["DMARC_RUF"] %} ruf=mailto:{{ config["DMARC_RUF"] }}@{{ config["DOMAIN"] }};{% endif %} adkim=s; aspf=s"</pre></td>
|
||||
</tr>
|
||||
{% endif %}
|
||||
<tr>
|
||||
<th>{% trans %}DNS client auto-configuration (RFC6186) entries{% endtrans %}</th>
|
||||
<td>
|
||||
<pre style="white-space: pre-wrap; word-wrap: break-word;">_submission._tcp.{{ domain.name }}. 600 IN SRV 1 1 587 {{ config["HOSTNAMES"].split(',')[0] }}.</pre>
|
||||
<pre style="white-space: pre-wrap; word-wrap: break-word;">_imap._tcp.{{ domain.name }}. 600 IN SRV 100 1 143 {{ config["HOSTNAMES"].split(',')[0] }}.</pre>
|
||||
<pre style="white-space: pre-wrap; word-wrap: break-word;">_pop3._tcp.{{ domain.name }}. 600 IN SRV 100 1 110 {{ config["HOSTNAMES"].split(',')[0] }}.</pre>
|
||||
{% if config["TLS_FLAVOR"] != "notls" %}
|
||||
<pre style="white-space: pre-wrap; word-wrap: break-word;">_submissions._tcp.{{ domain.name }}. 600 IN SRV 10 1 465 {{ config["HOSTNAMES"].split(',')[0] }}.</pre>
|
||||
<pre style="white-space: pre-wrap; word-wrap: break-word;">_imaps._tcp.{{ domain.name }}. 600 IN SRV 10 1 993 {{ config["HOSTNAMES"].split(',')[0] }}.</pre>
|
||||
<pre style="white-space: pre-wrap; word-wrap: break-word;">_pop3s._tcp.{{ domain.name }}. 600 IN SRV 10 1 995 {{ config["HOSTNAMES"].split(',')[0] }}.</pre>
|
||||
{% endif %}</td>
|
||||
</tr>
|
||||
{% endcall %}
|
||||
{% endblock %}
|
||||
|
@ -14,7 +14,7 @@
|
||||
{{ form.hidden_tag() }}
|
||||
{{ macros.form_field(form.reply_enabled,
|
||||
onchange="if(this.checked){$('#reply_subject,#reply_body,#reply_enddate,#reply_startdate').removeAttr('readonly')}
|
||||
else{$('#reply_subject,#reply_body,#reply_enddate').attr('readonly', '')}") }}
|
||||
else{$('#reply_subject,#reply_body,#reply_enddate,#reply_startdate').attr('readonly', '')}") }}
|
||||
{{ macros.form_field(form.reply_subject,
|
||||
**{("rw" if user.reply_enabled else "readonly"): ""}) }}
|
||||
{{ macros.form_field(form.reply_body, rows=10,
|
||||
|
@ -1,6 +1,7 @@
|
||||
from mailu import models
|
||||
from mailu.ui import ui, forms, access
|
||||
|
||||
from flask import current_app as app
|
||||
import flask
|
||||
import flask_login
|
||||
|
||||
@ -49,6 +50,9 @@ def announcement():
|
||||
flask.flash('Your announcement was sent', 'success')
|
||||
return flask.render_template('announcement.html', form=form)
|
||||
|
||||
@ui.route('/webmail', methods=['GET'])
|
||||
def webmail():
|
||||
return flask.redirect(app.config['WEB_WEBMAIL'])
|
||||
|
||||
@ui.route('/client', methods=['GET'])
|
||||
def client():
|
||||
|
@ -74,6 +74,8 @@ def domain_details(domain_name):
|
||||
def domain_genkeys(domain_name):
|
||||
domain = models.Domain.query.get(domain_name) or flask.abort(404)
|
||||
domain.generate_dkim_key()
|
||||
models.db.session.add(domain)
|
||||
models.db.session.commit()
|
||||
return flask.redirect(
|
||||
flask.url_for(".domain_details", domain_name=domain_name))
|
||||
|
||||
|
@ -1,11 +1,28 @@
|
||||
from mailu import models, limiter
|
||||
""" Mailu admin app utilities
|
||||
"""
|
||||
|
||||
try:
|
||||
import cPickle as pickle
|
||||
except ImportError:
|
||||
import pickle
|
||||
|
||||
import hmac
|
||||
import secrets
|
||||
import time
|
||||
|
||||
from multiprocessing import Value
|
||||
|
||||
from mailu import limiter
|
||||
|
||||
import flask
|
||||
import flask_login
|
||||
import flask_script
|
||||
import flask_migrate
|
||||
import flask_babel
|
||||
import redis
|
||||
|
||||
from flask.sessions import SessionMixin, SessionInterface
|
||||
from itsdangerous.encoding import want_bytes
|
||||
from werkzeug.datastructures import CallbackDict
|
||||
from werkzeug.contrib import fixers
|
||||
|
||||
|
||||
@ -15,6 +32,7 @@ login.login_view = "ui.login"
|
||||
|
||||
@login.unauthorized_handler
|
||||
def handle_needs_login():
|
||||
""" redirect unauthorized requests to login page """
|
||||
return flask.redirect(
|
||||
flask.url_for('ui.login', next=flask.request.endpoint)
|
||||
)
|
||||
@ -27,6 +45,7 @@ babel = flask_babel.Babel()
|
||||
|
||||
@babel.localeselector
|
||||
def get_locale():
|
||||
""" selects locale for translation """
|
||||
translations = list(map(str, babel.list_translations()))
|
||||
flask.session['available_languages'] = translations
|
||||
|
||||
@ -41,6 +60,10 @@ def get_locale():
|
||||
|
||||
# Proxy fixer
|
||||
class PrefixMiddleware(object):
|
||||
""" fix proxy headers """
|
||||
def __init__(self):
|
||||
self.app = None
|
||||
|
||||
def __call__(self, environ, start_response):
|
||||
prefix = environ.get('HTTP_X_FORWARDED_PREFIX', '')
|
||||
if prefix:
|
||||
@ -56,3 +79,384 @@ proxy = PrefixMiddleware()
|
||||
|
||||
# Data migrate
|
||||
migrate = flask_migrate.Migrate()
|
||||
|
||||
|
||||
# session store (inspired by https://github.com/mbr/flask-kvsession)
|
||||
class RedisStore:
|
||||
""" Stores session data in a redis db. """
|
||||
|
||||
has_ttl = True
|
||||
|
||||
def __init__(self, redisstore):
|
||||
self.redis = redisstore
|
||||
|
||||
def get(self, key):
|
||||
""" load item from store. """
|
||||
value = self.redis.get(key)
|
||||
if value is None:
|
||||
raise KeyError(key)
|
||||
return value
|
||||
|
||||
def put(self, key, value, ttl=None):
|
||||
""" save item to store. """
|
||||
if ttl:
|
||||
self.redis.setex(key, int(ttl), value)
|
||||
else:
|
||||
self.redis.set(key, value)
|
||||
|
||||
def delete(self, key):
|
||||
""" delete item from store. """
|
||||
self.redis.delete(key)
|
||||
|
||||
def list(self, prefix=None):
|
||||
""" return list of keys starting with prefix """
|
||||
if prefix:
|
||||
prefix += b'*'
|
||||
return list(self.redis.scan_iter(match=prefix))
|
||||
|
||||
class DictStore:
|
||||
""" Stores session data in a python dict. """
|
||||
|
||||
has_ttl = False
|
||||
|
||||
def __init__(self):
|
||||
self.dict = {}
|
||||
|
||||
def get(self, key):
|
||||
""" load item from store. """
|
||||
return self.dict[key]
|
||||
|
||||
def put(self, key, value, ttl_secs=None):
|
||||
""" save item to store. """
|
||||
self.dict[key] = value
|
||||
|
||||
def delete(self, key):
|
||||
""" delete item from store. """
|
||||
try:
|
||||
del self.dict[key]
|
||||
except KeyError:
|
||||
pass
|
||||
|
||||
def list(self, prefix=None):
|
||||
""" return list of keys starting with prefix """
|
||||
if prefix is None:
|
||||
return list(self.dict.keys())
|
||||
return [key for key in self.dict if key.startswith(prefix)]
|
||||
|
||||
class MailuSession(CallbackDict, SessionMixin):
|
||||
""" Custom flask session storage. """
|
||||
|
||||
# default modified to false
|
||||
modified = False
|
||||
|
||||
def __init__(self, key=None, app=None):
|
||||
|
||||
self.app = app or flask.current_app
|
||||
|
||||
initial = None
|
||||
|
||||
key = want_bytes(key)
|
||||
if parsed := self.app.session_config.parse_key(key, self.app):
|
||||
try:
|
||||
initial = pickle.loads(app.session_store.get(key))
|
||||
except (KeyError, EOFError, pickle.UnpicklingError):
|
||||
# either the cookie was manipulated or we did not find the
|
||||
# session in the backend or the pickled data is invalid.
|
||||
# => start new session
|
||||
pass
|
||||
else:
|
||||
(self._uid, self._sid, self._created) = parsed
|
||||
self._key = key
|
||||
|
||||
if initial is None:
|
||||
# start new session
|
||||
self.new = True
|
||||
self._uid = None
|
||||
self._sid = None
|
||||
self._created = self.app.session_config.gen_created()
|
||||
self._key = None
|
||||
|
||||
def _on_update(obj):
|
||||
obj.modified = True
|
||||
|
||||
CallbackDict.__init__(self, initial, _on_update)
|
||||
|
||||
@property
|
||||
def saved(self):
|
||||
""" this reflects if the session was saved. """
|
||||
return self._key is not None
|
||||
|
||||
@property
|
||||
def sid(self):
|
||||
""" this reflects the session's id. """
|
||||
if self._sid is None or self._uid is None or self._created is None:
|
||||
return None
|
||||
return b''.join([self._uid, self._sid, self._created])
|
||||
|
||||
def destroy(self):
|
||||
""" destroy session for security reasons. """
|
||||
|
||||
self.delete()
|
||||
|
||||
self._uid = None
|
||||
self._sid = None
|
||||
self._created = None
|
||||
|
||||
self.clear()
|
||||
|
||||
self.modified = True
|
||||
self.new = False
|
||||
|
||||
def regenerate(self):
|
||||
""" generate new id for session to avoid `session fixation`. """
|
||||
|
||||
self.delete()
|
||||
|
||||
self._sid = None
|
||||
self._created = self.app.session_config.gen_created()
|
||||
|
||||
self.modified = True
|
||||
|
||||
def delete(self):
|
||||
""" Delete stored session. """
|
||||
if self.saved:
|
||||
self.app.session_store.delete(self._key)
|
||||
self._key = None
|
||||
|
||||
def save(self):
|
||||
""" Save session to store. """
|
||||
|
||||
set_cookie = False
|
||||
|
||||
# set uid from dict data
|
||||
if self._uid is None:
|
||||
self._uid = self.app.session_config.gen_uid(self.get('user_id', ''))
|
||||
|
||||
# create new session id for new or regenerated sessions and force setting the cookie
|
||||
if self._sid is None:
|
||||
self._sid = self.app.session_config.gen_sid()
|
||||
set_cookie = True
|
||||
|
||||
# get new session key
|
||||
key = self.sid
|
||||
|
||||
# delete old session if key has changed
|
||||
if key != self._key:
|
||||
self.delete()
|
||||
|
||||
# remember time to refresh
|
||||
self['_refresh'] = int(time.time()) + self.app.permanent_session_lifetime.total_seconds()/2
|
||||
|
||||
# save session
|
||||
self.app.session_store.put(
|
||||
key,
|
||||
pickle.dumps(dict(self)),
|
||||
self.app.permanent_session_lifetime.total_seconds()
|
||||
)
|
||||
|
||||
self._key = key
|
||||
|
||||
self.new = False
|
||||
self.modified = False
|
||||
|
||||
return set_cookie
|
||||
|
||||
def needs_refresh(self):
|
||||
""" Checks if server side session needs to be refreshed. """
|
||||
|
||||
return int(time.time()) > self.get('_refresh', 0)
|
||||
|
||||
class MailuSessionConfig:
|
||||
""" Stores sessions crypto config """
|
||||
|
||||
# default size of session key parts
|
||||
uid_bits = 64 # default if SESSION_KEY_BITS is not set in config
|
||||
sid_bits = 128 # for now. must be multiple of 8!
|
||||
time_bits = 32 # for now. must be multiple of 8!
|
||||
|
||||
def __init__(self, app=None):
|
||||
|
||||
if app is None:
|
||||
app = flask.current_app
|
||||
|
||||
bits = app.config.get('SESSION_KEY_BITS', self.uid_bits)
|
||||
if not 64 <= bits <= 256:
|
||||
raise ValueError('SESSION_KEY_BITS must be between 64 and 256!')
|
||||
|
||||
uid_bytes = bits//8 + (bits%8>0)
|
||||
sid_bytes = self.sid_bits//8
|
||||
|
||||
key = want_bytes(app.secret_key)
|
||||
|
||||
self._hmac = hmac.new(hmac.digest(key, b'SESSION_UID_HASH', digest='sha256'), digestmod='sha256')
|
||||
self._uid_len = uid_bytes
|
||||
self._uid_b64 = len(self._encode(bytes(uid_bytes)))
|
||||
self._sid_len = sid_bytes
|
||||
self._sid_b64 = len(self._encode(bytes(sid_bytes)))
|
||||
self._key_min = self._uid_b64 + self._sid_b64
|
||||
self._key_max = self._key_min + len(self._encode(bytes(self.time_bits//8)))
|
||||
|
||||
def gen_sid(self):
|
||||
""" Generate random session id. """
|
||||
return self._encode(secrets.token_bytes(self._sid_len))
|
||||
|
||||
def gen_uid(self, uid):
|
||||
""" Generate hashed user id part of session key. """
|
||||
_hmac = self._hmac.copy()
|
||||
_hmac.update(want_bytes(uid))
|
||||
return self._encode(_hmac.digest()[:self._uid_len])
|
||||
|
||||
def gen_created(self, now=None):
|
||||
""" Generate base64 representation of creation time. """
|
||||
return self._encode(int(now or time.time()).to_bytes(8, byteorder='big').lstrip(b'\0'))
|
||||
|
||||
def parse_key(self, key, app=None, validate=False, now=None):
|
||||
""" Split key into sid, uid and creation time. """
|
||||
|
||||
if not (isinstance(key, bytes) and self._key_min <= len(key) <= self._key_max):
|
||||
return None
|
||||
|
||||
uid = key[:self._uid_b64]
|
||||
sid = key[self._uid_b64:self._key_min]
|
||||
crt = key[self._key_min:]
|
||||
|
||||
# validate if parts are decodeable
|
||||
created = self._decode(crt)
|
||||
if created is None or self._decode(uid) is None or self._decode(sid) is None:
|
||||
return None
|
||||
|
||||
# validate creation time when requested or store does not support ttl
|
||||
if validate or not app.session_store.has_ttl:
|
||||
if now is None:
|
||||
now = int(time.time())
|
||||
created = int.from_bytes(created, byteorder='big')
|
||||
if not created < now < created + app.permanent_session_lifetime.total_seconds():
|
||||
return None
|
||||
|
||||
return (uid, sid, crt)
|
||||
|
||||
def _encode(self, value):
|
||||
return secrets.base64.urlsafe_b64encode(value).rstrip(b'=')
|
||||
|
||||
def _decode(self, value):
|
||||
try:
|
||||
return secrets.base64.urlsafe_b64decode(value + b'='*(4-len(value)%4))
|
||||
except secrets.binascii.Error:
|
||||
return None
|
||||
|
||||
class MailuSessionInterface(SessionInterface):
|
||||
""" Custom flask session interface. """
|
||||
|
||||
def open_session(self, app, request):
|
||||
""" Load or create session. """
|
||||
return MailuSession(request.cookies.get(app.config['SESSION_COOKIE_NAME'], None), app)
|
||||
|
||||
def save_session(self, app, session, response):
|
||||
""" Save modified session. """
|
||||
|
||||
# If the session is modified to be empty, remove the cookie.
|
||||
# If the session is empty, return without setting the cookie.
|
||||
if not session:
|
||||
if session.modified:
|
||||
session.delete()
|
||||
response.delete_cookie(
|
||||
app.session_cookie_name,
|
||||
domain=self.get_cookie_domain(app),
|
||||
path=self.get_cookie_path(app),
|
||||
)
|
||||
return
|
||||
|
||||
# Add a "Vary: Cookie" header if the session was accessed
|
||||
if session.accessed:
|
||||
response.vary.add('Cookie')
|
||||
|
||||
set_cookie = session.permanent and app.config['SESSION_REFRESH_EACH_REQUEST']
|
||||
need_refresh = session.needs_refresh()
|
||||
|
||||
# save modified session or refresh unmodified session
|
||||
if session.modified or need_refresh:
|
||||
set_cookie |= session.save()
|
||||
|
||||
# set cookie on refreshed permanent sessions
|
||||
if need_refresh and session.permanent:
|
||||
set_cookie = True
|
||||
|
||||
# set or update cookie if necessary
|
||||
if set_cookie:
|
||||
response.set_cookie(
|
||||
app.session_cookie_name,
|
||||
session.sid,
|
||||
expires=self.get_expiration_time(app, session),
|
||||
httponly=self.get_cookie_httponly(app),
|
||||
domain=self.get_cookie_domain(app),
|
||||
path=self.get_cookie_path(app),
|
||||
secure=self.get_cookie_secure(app),
|
||||
samesite=self.get_cookie_samesite(app)
|
||||
)
|
||||
|
||||
class MailuSessionExtension:
|
||||
""" Server side session handling """
|
||||
|
||||
@staticmethod
|
||||
def cleanup_sessions(app=None):
|
||||
""" Remove invalid or expired sessions. """
|
||||
|
||||
app = app or flask.current_app
|
||||
now = int(time.time())
|
||||
|
||||
count = 0
|
||||
for key in app.session_store.list():
|
||||
if not app.session_config.parse_key(key, app, validate=True, now=now):
|
||||
app.session_store.delete(key)
|
||||
count += 1
|
||||
|
||||
return count
|
||||
|
||||
@staticmethod
|
||||
def prune_sessions(uid=None, keep=None, app=None):
|
||||
""" Remove sessions
|
||||
uid: remove all sessions (NONE) or sessions belonging to a specific user
|
||||
keep: keep listed sessions
|
||||
"""
|
||||
|
||||
keep = keep or set()
|
||||
app = app or flask.current_app
|
||||
|
||||
prefix = None if uid is None else app.session_config.gen_uid(uid)
|
||||
|
||||
count = 0
|
||||
for key in app.session_store.list(prefix):
|
||||
if key not in keep:
|
||||
app.session_store.delete(key)
|
||||
count += 1
|
||||
|
||||
return count
|
||||
|
||||
def init_app(self, app):
|
||||
""" Replace session management of application. """
|
||||
|
||||
if app.config.get('MEMORY_SESSIONS'):
|
||||
# in-memory session store for use in development
|
||||
app.session_store = DictStore()
|
||||
|
||||
else:
|
||||
# redis-based session store for use in production
|
||||
app.session_store = RedisStore(
|
||||
redis.StrictRedis().from_url(app.config['SESSION_STORAGE_URL'])
|
||||
)
|
||||
|
||||
# clean expired sessions oonce on first use in case lifetime was changed
|
||||
def cleaner():
|
||||
with cleaned.get_lock():
|
||||
if not cleaned.value:
|
||||
cleaned.value = True
|
||||
flask.current_app.logger.error('cleaning')
|
||||
MailuSessionExtension.cleanup_sessions(app)
|
||||
|
||||
app.before_first_request(cleaner)
|
||||
|
||||
app.session_config = MailuSessionConfig(app)
|
||||
app.session_interface = MailuSessionInterface()
|
||||
|
||||
cleaned = Value('i', False)
|
||||
session = MailuSessionExtension()
|
||||
|
@ -2,30 +2,31 @@
|
||||
"name": "mailu",
|
||||
"version": "1.0.0",
|
||||
"description": "Mailu admin assets",
|
||||
"main": "assest/index.js",
|
||||
"main": "assets/index.js",
|
||||
"directories": {
|
||||
"lib": "lib"
|
||||
},
|
||||
"scripts": {
|
||||
"test": "echo \"Error: no test specified\" && exit 1"
|
||||
},
|
||||
"author": "",
|
||||
"license": "ISC",
|
||||
"dependencies": {
|
||||
"@babel/core": "^7.4.4",
|
||||
"@babel/preset-env": "^7.4.4",
|
||||
"@babel/core": "^7.14.6",
|
||||
"@babel/preset-env": "^7.14.7",
|
||||
"admin-lte": "^3.1.0",
|
||||
"babel-loader": "^8.0.5",
|
||||
"babel-loader": "^8.0.6",
|
||||
"css-loader": "^2.1.1",
|
||||
"expose-loader": "^0.7.5",
|
||||
"file-loader": "^3.0.1",
|
||||
"jQuery": "^1.7.4",
|
||||
"less": "^3.9.0",
|
||||
"jquery": "^3.6.0",
|
||||
"less": "^3.13.1",
|
||||
"less-loader": "^5.0.0",
|
||||
"mini-css-extract-plugin": "^0.6.0",
|
||||
"node-sass": "^4.12.0",
|
||||
"popper.js": "^1.15.0",
|
||||
"sass-loader": "^7.1.0",
|
||||
"style-loader": "^0.23.1",
|
||||
"url-loader": "^1.1.2",
|
||||
"webpack": "^4.30.0",
|
||||
"webpack-cli": "^3.3.2"
|
||||
"mini-css-extract-plugin": "^1.2.1",
|
||||
"node-sass": "^4.13.1",
|
||||
"sass-loader": "^7.3.1",
|
||||
"select2": "^4.0.13",
|
||||
"url-loader": "^2.3.0",
|
||||
"webpack": "^4.33.0",
|
||||
"webpack-cli": "^3.3.12"
|
||||
}
|
||||
}
|
||||
|
@ -5,7 +5,7 @@ bcrypt==3.1.6
|
||||
blinker==1.4
|
||||
cffi==1.12.3
|
||||
Click==7.0
|
||||
cryptography==3.2
|
||||
cryptography==3.4.7
|
||||
decorator==4.4.0
|
||||
dnspython==1.16.0
|
||||
dominate==2.3.5
|
||||
@ -13,9 +13,9 @@ Flask==1.0.2
|
||||
Flask-Babel==0.12.2
|
||||
Flask-Bootstrap==3.3.7.1
|
||||
Flask-DebugToolbar==0.10.1
|
||||
Flask-KVSession==0.6.2
|
||||
Flask-Limiter==1.0.1
|
||||
Flask-Login==0.4.1
|
||||
flask-marshmallow==0.14.0
|
||||
Flask-Migrate==2.4.0
|
||||
Flask-Script==2.0.6
|
||||
Flask-SQLAlchemy==2.4.0
|
||||
@ -25,19 +25,22 @@ idna==2.8
|
||||
infinity==1.4
|
||||
intervals==0.8.1
|
||||
itsdangerous==1.1.0
|
||||
Jinja2==2.10.1
|
||||
Jinja2==2.11.3
|
||||
limits==1.3
|
||||
Mako==1.0.9
|
||||
MarkupSafe==1.1.1
|
||||
mysqlclient==1.4.2.post1
|
||||
marshmallow==3.10.0
|
||||
marshmallow-sqlalchemy==0.24.1
|
||||
passlib==1.7.4
|
||||
psycopg2==2.8.2
|
||||
pycparser==2.19
|
||||
pyOpenSSL==19.0.0
|
||||
Pygments==2.8.1
|
||||
pyOpenSSL==20.0.1
|
||||
python-dateutil==2.8.0
|
||||
python-editor==1.0.4
|
||||
pytz==2019.1
|
||||
PyYAML==5.1
|
||||
PyYAML==5.4.1
|
||||
redis==3.2.1
|
||||
#alpine3:12 provides six==1.15.0
|
||||
#six==1.12.0
|
||||
|
@ -3,7 +3,6 @@ Flask-Login
|
||||
Flask-SQLAlchemy
|
||||
Flask-bootstrap
|
||||
Flask-Babel
|
||||
Flask-KVSession
|
||||
Flask-migrate
|
||||
Flask-script
|
||||
Flask-wtf
|
||||
@ -17,6 +16,7 @@ gunicorn
|
||||
tabulate
|
||||
PyYAML
|
||||
PyOpenSSL
|
||||
Pygments
|
||||
dnspython
|
||||
bcrypt
|
||||
tenacity
|
||||
@ -24,3 +24,6 @@ mysqlclient
|
||||
psycopg2
|
||||
idna
|
||||
srslib
|
||||
marshmallow
|
||||
flask-marshmallow
|
||||
marshmallow-sqlalchemy
|
||||
|
@ -19,7 +19,8 @@ if account is not None and domain is not None and password is not None:
|
||||
os.system("flask mailu admin %s %s '%s' --mode %s" % (account, domain, password, mode))
|
||||
|
||||
start_command="".join([
|
||||
"gunicorn -w 4 -b :80 ",
|
||||
"gunicorn --threads ", str(os.cpu_count()),
|
||||
" -b :80 ",
|
||||
"--access-logfile - " if (log.root.level<=log.INFO) else "",
|
||||
"--error-logfile - ",
|
||||
"--preload ",
|
||||
|
@ -1,4 +1,4 @@
|
||||
ARG DISTRO=alpine:3.13
|
||||
ARG DISTRO=alpine:3.14
|
||||
FROM $DISTRO as builder
|
||||
WORKDIR /tmp
|
||||
RUN apk add git build-base automake autoconf libtool dovecot-dev xapian-core-dev icu-dev
|
||||
|
@ -21,7 +21,10 @@ mail_access_groups = mail
|
||||
maildir_stat_dirs = yes
|
||||
mailbox_list_index = yes
|
||||
mail_vsize_bg_after_count = 100
|
||||
mail_plugins = $mail_plugins quota quota_clone zlib{{ ' ' }}
|
||||
mail_plugins = $mail_plugins quota quota_clone{{ ' ' }}
|
||||
{%- if COMPRESSION -%}
|
||||
zlib{{ ' ' }}
|
||||
{%- endif %}
|
||||
{%- if (FULL_TEXT_SEARCH or '').lower() not in ['off', 'false', '0'] -%}
|
||||
fts fts_xapian
|
||||
{%- endif %}
|
||||
@ -50,7 +53,7 @@ plugin {
|
||||
fts_autoindex_exclude = \Trash
|
||||
{% endif %}
|
||||
|
||||
{% if COMPRESSION in [ 'gz', 'bz2' ] %}
|
||||
{% if COMPRESSION in [ 'gz', 'bz2', 'lz4', 'zstd' ] %}
|
||||
zlib_save = {{ COMPRESSION }}
|
||||
{% endif %}
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
ARG DISTRO=alpine:3.12
|
||||
ARG DISTRO=alpine:3.14
|
||||
FROM $DISTRO
|
||||
# python3 shared with most images
|
||||
RUN apk add --no-cache \
|
||||
|
@ -117,7 +117,7 @@ http {
|
||||
include /overrides/*.conf;
|
||||
|
||||
# Actual logic
|
||||
{% if WEB_WEBMAIL != '/' %}
|
||||
{% if WEB_WEBMAIL != '/' and WEBROOT_REDIRECT != 'none' %}
|
||||
location / {
|
||||
{% if WEBROOT_REDIRECT %}
|
||||
try_files $uri {{ WEBROOT_REDIRECT }};
|
||||
@ -136,9 +136,33 @@ http {
|
||||
include /etc/nginx/proxy.conf;
|
||||
client_max_body_size {{ MESSAGE_SIZE_LIMIT|int + 8388608 }};
|
||||
proxy_pass http://$webmail;
|
||||
{% if ADMIN == 'true' %}
|
||||
auth_request /internal/auth/user;
|
||||
error_page 403 @webmail_login;
|
||||
}
|
||||
{% endif %}
|
||||
|
||||
location {{ WEB_WEBMAIL }}/sso.php {
|
||||
{% if WEB_WEBMAIL != '/' %}
|
||||
rewrite ^({{ WEB_WEBMAIL }})$ $1/ permanent;
|
||||
rewrite ^{{ WEB_WEBMAIL }}/(.*) /$1 break;
|
||||
{% endif %}
|
||||
include /etc/nginx/proxy.conf;
|
||||
client_max_body_size {{ MESSAGE_SIZE_LIMIT|int + 8388608 }};
|
||||
auth_request /internal/auth/user;
|
||||
auth_request_set $user $upstream_http_x_user;
|
||||
auth_request_set $token $upstream_http_x_user_token;
|
||||
proxy_set_header X-Remote-User $user;
|
||||
proxy_set_header X-Remote-User-Token $token;
|
||||
proxy_pass http://$webmail;
|
||||
error_page 403 @webmail_login;
|
||||
}
|
||||
|
||||
location @webmail_login {
|
||||
return 302 {{ WEB_ADMIN }}/ui/login?next=ui.webmail;
|
||||
}
|
||||
{% else %}
|
||||
}
|
||||
{% endif %}{% endif %}
|
||||
{% if ADMIN == 'true' %}
|
||||
location {{ WEB_ADMIN }} {
|
||||
return 301 {{ WEB_ADMIN }}/ui;
|
||||
|
@ -1,6 +1,6 @@
|
||||
# This is an idle image to dynamically replace any component if disabled.
|
||||
|
||||
ARG DISTRO=alpine:3.12
|
||||
ARG DISTRO=alpine:3.14
|
||||
FROM $DISTRO
|
||||
|
||||
CMD sleep 1000000d
|
||||
|
@ -1,4 +1,4 @@
|
||||
ARG DISTRO=alpine:3.12
|
||||
ARG DISTRO=alpine:3.14
|
||||
FROM $DISTRO
|
||||
# python3 shared with most images
|
||||
RUN apk add --no-cache \
|
||||
@ -12,7 +12,7 @@ RUN pip3 install socrate==0.2.0
|
||||
RUN pip3 install "podop>0.2.5"
|
||||
|
||||
# Image specific layers under this line
|
||||
RUN apk add --no-cache postfix postfix-pcre cyrus-sasl-plain cyrus-sasl-login
|
||||
RUN apk add --no-cache postfix postfix-pcre cyrus-sasl-login
|
||||
|
||||
COPY conf /conf
|
||||
COPY start.py /start.py
|
||||
|
@ -32,7 +32,7 @@ mydestination =
|
||||
relayhost = {{ RELAYHOST }}
|
||||
{% if RELAYUSER %}
|
||||
smtp_sasl_auth_enable = yes
|
||||
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
|
||||
smtp_sasl_password_maps = lmdb:/etc/postfix/sasl_passwd
|
||||
smtp_sasl_security_options = noanonymous
|
||||
{% endif %}
|
||||
|
||||
@ -58,7 +58,7 @@ tls_ssl_options = NO_COMPRESSION
|
||||
smtp_tls_security_level = {{ OUTBOUND_TLS_LEVEL|default('may') }}
|
||||
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
|
||||
smtp_tls_protocols =!SSLv2,!SSLv3
|
||||
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
|
||||
smtp_tls_session_cache_database = lmdb:${data_directory}/smtp_scache
|
||||
|
||||
###############
|
||||
# Virtual
|
||||
|
@ -4,7 +4,7 @@
|
||||
# Remove the first line of the Received: header. Note that we cannot fully remove the Received: header
|
||||
# because OpenDKIM requires that a header be present when signing outbound mail. The first line is
|
||||
# where the user's home IP address would be.
|
||||
/^\s*Received:[^\n]*(.*)/ REPLACE Received: from authenticated-user (PRIMARY_HOSTNAME [PUBLIC_IP])$1
|
||||
/^\s*Received:[^\n]*(.*)/ REPLACE Received: from authenticated-user ({{OUTCLEAN}} [{{OUTCLEAN_ADDRESS}}])$1
|
||||
|
||||
# Remove other typically private information.
|
||||
/^\s*User-Agent:/ IGNORE
|
||||
|
@ -1 +1,2 @@
|
||||
{{ RELAYHOST }} {{ RELAYUSER }}:{{ RELAYPASSWORD }}
|
||||
|
||||
|
@ -8,12 +8,13 @@ import logging as log
|
||||
import sys
|
||||
|
||||
from podop import run_server
|
||||
from pwd import getpwnam
|
||||
from socrate import system, conf
|
||||
|
||||
log.basicConfig(stream=sys.stderr, level=os.environ.get("LOG_LEVEL", "WARNING"))
|
||||
|
||||
def start_podop():
|
||||
os.setuid(100)
|
||||
os.setuid(getpwnam('postfix').pw_uid)
|
||||
url = "http://" + os.environ["ADMIN_ADDRESS"] + "/internal/postfix/"
|
||||
# TODO: Remove verbosity setting from Podop?
|
||||
run_server(0, "postfix", "/tmp/podop.socket", [
|
||||
@ -36,6 +37,15 @@ os.environ["FRONT_ADDRESS"] = system.get_host_address_from_environment("FRONT",
|
||||
os.environ["ADMIN_ADDRESS"] = system.get_host_address_from_environment("ADMIN", "admin")
|
||||
os.environ["ANTISPAM_MILTER_ADDRESS"] = system.get_host_address_from_environment("ANTISPAM_MILTER", "antispam:11332")
|
||||
os.environ["LMTP_ADDRESS"] = system.get_host_address_from_environment("LMTP", "imap:2525")
|
||||
os.environ["OUTCLEAN"] = os.environ["HOSTNAMES"].split(",")[0]
|
||||
try:
|
||||
_to_lookup = os.environ["OUTCLEAN"]
|
||||
# Ensure we lookup a FQDN: @see #1884
|
||||
if not _to_lookup.endswith('.'):
|
||||
_to_lookup += '.'
|
||||
os.environ["OUTCLEAN_ADDRESS"] = system.resolve_hostname(_to_lookup)
|
||||
except:
|
||||
os.environ["OUTCLEAN_ADDRESS"] = "10.10.10.10"
|
||||
|
||||
for postfix_file in glob.glob("/conf/*.cf"):
|
||||
conf.jinja(postfix_file, os.environ, os.path.join("/etc/postfix", os.path.basename(postfix_file)))
|
||||
|
@ -1,4 +1,4 @@
|
||||
ARG DISTRO=alpine:3.12
|
||||
ARG DISTRO=alpine:3.14
|
||||
FROM $DISTRO
|
||||
# python3 shared with most images
|
||||
RUN apk add --no-cache \
|
||||
|
@ -10,7 +10,6 @@ log.basicConfig(stream=sys.stderr, level=os.environ.get("LOG_LEVEL", "WARNING"))
|
||||
|
||||
# Actual startup script
|
||||
|
||||
os.environ["FRONT_ADDRESS"] = system.get_host_address_from_environment("FRONT", "front")
|
||||
os.environ["REDIS_ADDRESS"] = system.get_host_address_from_environment("REDIS", "redis")
|
||||
|
||||
if os.environ.get("ANTIVIRUS") == 'clamav':
|
||||
|
@ -1,20 +1,28 @@
|
||||
ARG DISTRO=alpine:3.8
|
||||
FROM $DISTRO
|
||||
|
||||
COPY requirements.txt /requirements.txt
|
||||
# Convert .rst files to .html in temporary build container
|
||||
FROM python:3.8-alpine3.14 AS build
|
||||
|
||||
ARG version=master
|
||||
ENV VERSION=$version
|
||||
|
||||
RUN apk add --no-cache nginx curl python3 \
|
||||
&& pip3 install -r /requirements.txt \
|
||||
&& mkdir /run/nginx
|
||||
|
||||
COPY ./nginx.conf /etc/nginx/conf.d/default.conf
|
||||
COPY requirements.txt /requirements.txt
|
||||
COPY . /docs
|
||||
|
||||
RUN mkdir -p /build/$VERSION \
|
||||
&& sphinx-build -W /docs /build/$VERSION
|
||||
RUN apk add --no-cache --virtual .build-deps \
|
||||
gcc musl-dev \
|
||||
&& pip3 install -r /requirements.txt \
|
||||
&& mkdir -p /build/$VERSION \
|
||||
&& sphinx-build -W /docs /build/$VERSION \
|
||||
&& apk del .build-deps
|
||||
|
||||
|
||||
# Build nginx deployment image including generated html
|
||||
FROM nginx:1.21-alpine
|
||||
|
||||
ARG version=master
|
||||
ENV VERSION=$version
|
||||
|
||||
COPY ./nginx.conf /etc/nginx/conf.d/default.conf
|
||||
COPY --from=build /build/$VERSION /build/$VERSION
|
||||
|
||||
EXPOSE 80/tcp
|
||||
|
||||
|
197
docs/cli.rst
197
docs/cli.rst
@ -11,6 +11,8 @@ Managing users and aliases can be done from CLI using commands:
|
||||
* user-import
|
||||
* user-delete
|
||||
* config-update
|
||||
* config-export
|
||||
* config-import
|
||||
|
||||
alias
|
||||
-----
|
||||
@ -62,7 +64,7 @@ primary difference with simple `user` command is that password is being imported
|
||||
docker-compose run --rm admin flask mailu user-import myuser example.net '$6$51ebe0cb9f1dab48effa2a0ad8660cb489b445936b9ffd812a0b8f46bca66dd549fea530ce' 'SHA512-CRYPT'
|
||||
|
||||
user-delete
|
||||
------------
|
||||
-----------
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
@ -94,7 +96,7 @@ where mail-config.yml looks like:
|
||||
without ``--delete-object`` option config-update will only add/update new values but will *not* remove any entries missing in provided YAML input.
|
||||
|
||||
Users
|
||||
-----
|
||||
^^^^^
|
||||
|
||||
following are additional parameters that could be defined for users:
|
||||
|
||||
@ -113,8 +115,197 @@ following are additional parameters that could be defined for users:
|
||||
* spam_threshold
|
||||
|
||||
Alias
|
||||
-----
|
||||
^^^^^
|
||||
|
||||
additional fields:
|
||||
|
||||
* wildcard
|
||||
|
||||
config-export
|
||||
-------------
|
||||
|
||||
The purpose of this command is to export the complete configuration in YAML or JSON format.
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
$ docker-compose exec admin flask mailu config-export --help
|
||||
|
||||
Usage: flask mailu config-export [OPTIONS] [FILTER]...
|
||||
|
||||
Export configuration as YAML or JSON to stdout or file
|
||||
|
||||
Options:
|
||||
-f, --full Include attributes with default value.
|
||||
-s, --secrets Include secret attributes (dkim-key, passwords).
|
||||
-d, --dns Include dns records.
|
||||
-c, --color Force colorized output.
|
||||
-o, --output-file FILENAME Save configuration to file.
|
||||
-j, --json Export configuration in json format.
|
||||
-?, -h, --help Show this message and exit.
|
||||
|
||||
Only non-default attributes are exported. If you want to export all attributes use ``--full``.
|
||||
If you want to export plain-text secrets (dkim-keys, passwords) you have to add the ``--secrets`` option.
|
||||
To include dns records (mx, spf, dkim and dmarc) add the ``--dns`` option.
|
||||
|
||||
By default all configuration objects are exported (domain, user, alias, relay). You can specify
|
||||
filters to export only some objects or attributes (try: ``user`` or ``domain.name``).
|
||||
Attributes explicitly specified in filters are automatically exported: there is no need to add ``--secrets`` or ``--full``.
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
$ docker-compose exec admin flask mailu config-export --output mail-config.yml
|
||||
|
||||
$ docker-compose exec admin flask mailu config-export domain.dns_mx domain.dns_spf
|
||||
|
||||
$ docker-compose exec admin flask mailu config-export user.spam_threshold
|
||||
|
||||
config-import
|
||||
-------------
|
||||
|
||||
This command imports configuration data from an external YAML or JSON source.
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
$ docker-compose exec admin flask mailu config-import --help
|
||||
|
||||
Usage: flask mailu config-import [OPTIONS] [FILENAME|-]
|
||||
|
||||
Import configuration as YAML or JSON from stdin or file
|
||||
|
||||
Options:
|
||||
-v, --verbose Increase verbosity.
|
||||
-s, --secrets Show secret attributes in messages.
|
||||
-q, --quiet Quiet mode - only show errors.
|
||||
-c, --color Force colorized output.
|
||||
-u, --update Update mode - merge input with existing config.
|
||||
-n, --dry-run Perform a trial run with no changes made.
|
||||
-?, -h, --help Show this message and exit.
|
||||
|
||||
The current version of docker-compose exec does not pass stdin correctly, so you have to user docker exec instead:
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
docker exec -i $(docker-compose ps -q admin) flask mailu config-import -nv < mail-config.yml
|
||||
|
||||
mail-config.yml contains the configuration and looks like this:
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
domain:
|
||||
- name: example.com
|
||||
alternatives:
|
||||
- alternative.example.com
|
||||
|
||||
user:
|
||||
- email: foo@example.com
|
||||
password_hash: '$2b$12$...'
|
||||
hash_scheme: MD5-CRYPT
|
||||
|
||||
alias:
|
||||
- email: alias1@example.com
|
||||
destination:
|
||||
- user1@example.com
|
||||
- user2@example.com
|
||||
|
||||
relay:
|
||||
- name: relay.example.com
|
||||
comment: test
|
||||
smtp: mx.example.com
|
||||
|
||||
config-import shows the number of created/modified/deleted objects after import.
|
||||
To suppress all messages except error messages use ``--quiet``.
|
||||
By adding the ``--verbose`` switch the import gets more detailed and shows exactly what attributes changed.
|
||||
In all log messages plain-text secrets (dkim-keys, passwords) are hidden by default. Use ``--secrets`` to log secrets.
|
||||
If you want to test what would be done when importing without committing any changes, use ``--dry-run``.
|
||||
|
||||
By default config-import replaces the whole configuration. ``--update`` allows to modify the existing configuration instead.
|
||||
New elements will be added and existing elements will be modified.
|
||||
It is possible to delete a single element or prune all elements from lists and associative arrays using a special notation:
|
||||
|
||||
+-----------------------------+------------------+--------------------------+
|
||||
| Delete what? | notation | example |
|
||||
+=============================+==================+==========================+
|
||||
| specific array object | ``- -key: id`` | ``- -name: example.com`` |
|
||||
+-----------------------------+------------------+--------------------------+
|
||||
| specific list item | ``- -id`` | ``- -user1@example.com`` |
|
||||
+-----------------------------+------------------+--------------------------+
|
||||
| all remaining array objects | ``- -key: null`` | ``- -email: null`` |
|
||||
+-----------------------------+------------------+--------------------------+
|
||||
| all remaining list items | ``- -prune-`` | ``- -prune-`` |
|
||||
+-----------------------------+------------------+--------------------------+
|
||||
|
||||
The ``-key: null`` notation can also be used to reset an attribute to its default.
|
||||
To reset *spam_threshold* to it's default *80* use ``-spam_threshold: null``.
|
||||
|
||||
A new dkim key can be generated when adding or modifying a domain, by using the special value
|
||||
``dkim_key: -generate-``.
|
||||
|
||||
This is a complete YAML template with all additional parameters that can be defined:
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
domain:
|
||||
- name: example.com
|
||||
alternatives:
|
||||
- alternative.tld
|
||||
comment: ''
|
||||
dkim_key: ''
|
||||
max_aliases: -1
|
||||
max_quota_bytes: 0
|
||||
max_users: -1
|
||||
signup_enabled: false
|
||||
|
||||
user:
|
||||
- email: postmaster@example.com
|
||||
comment: ''
|
||||
displayed_name: 'Postmaster'
|
||||
enable_imap: true
|
||||
enable_pop: false
|
||||
enabled: true
|
||||
fetches:
|
||||
- id: 1
|
||||
comment: 'test fetch'
|
||||
error: null
|
||||
host: other.example.com
|
||||
keep: true
|
||||
last_check: '2020-12-29T17:09:48.200179'
|
||||
password: 'secret'
|
||||
hash_password: true
|
||||
port: 993
|
||||
protocol: imap
|
||||
tls: true
|
||||
username: fetch-user
|
||||
forward_destination:
|
||||
- address@remote.example.com
|
||||
forward_enabled: true
|
||||
forward_keep: true
|
||||
global_admin: true
|
||||
manager_of:
|
||||
- example.com
|
||||
password: '$2b$12$...'
|
||||
hash_password: true
|
||||
quota_bytes: 1000000000
|
||||
reply_body: ''
|
||||
reply_enabled: false
|
||||
reply_enddate: '2999-12-31'
|
||||
reply_startdate: '1900-01-01'
|
||||
reply_subject: ''
|
||||
spam_enabled: true
|
||||
spam_threshold: 80
|
||||
tokens:
|
||||
- id: 1
|
||||
comment: email-client
|
||||
ip: 192.168.1.1
|
||||
password: '$5$rounds=1$...'
|
||||
|
||||
aliases:
|
||||
- email: email@example.com
|
||||
comment: ''
|
||||
destination:
|
||||
- address@example.com
|
||||
wildcard: false
|
||||
|
||||
relay:
|
||||
- name: relay.example.com
|
||||
comment: ''
|
||||
smtp: mx.example.com
|
||||
|
@ -97,7 +97,7 @@ WELCOME_SUBJECT=Welcome to your new email account
|
||||
WELCOME_BODY=Welcome to your new email account, if you can read this, then it is configured properly!
|
||||
|
||||
# Maildir Compression
|
||||
# choose compression-method, default: none (value: bz2, gz)
|
||||
# choose compression-method, default: none (value: gz, bz2, lz4, zstd)
|
||||
COMPRESSION=
|
||||
# change compression-level, default: 6 (value: 1-9)
|
||||
COMPRESSION_LEVEL=
|
||||
|
@ -4,7 +4,7 @@
|
||||
|
||||
import os
|
||||
|
||||
extensions = ['sphinx.ext.imgmath', 'sphinx.ext.viewcode']
|
||||
extensions = ['sphinx.ext.imgmath', 'sphinx.ext.viewcode', 'sphinx_rtd_theme']
|
||||
templates_path = ['_templates']
|
||||
source_suffix = '.rst'
|
||||
master_doc = 'index'
|
||||
@ -36,7 +36,7 @@ html_context = {
|
||||
'github_user': 'mailu',
|
||||
'github_repo': 'mailu',
|
||||
'github_version': version,
|
||||
'stable_version': '1.7',
|
||||
'stable_version': '1.8',
|
||||
'versions': [
|
||||
('1.5', '/1.5/'),
|
||||
('1.6', '/1.6/'),
|
||||
|
@ -41,7 +41,7 @@ The ``AUTH_RATELIMIT`` holds a security setting for fighting attackers that
|
||||
try to guess user passwords. The value is the limit of failed authentication attempts
|
||||
that a single IP address can perform against IMAP, POP and SMTP authentication endpoints.
|
||||
|
||||
If ``AUTH_RATELIMIT_SUBNET`` is ``True`` (which is the default), the ``AUTH_RATELIMIT``
|
||||
If ``AUTH_RATELIMIT_SUBNET`` is ``True`` (default: False), the ``AUTH_RATELIMIT``
|
||||
rules does also apply to auth requests coming from ``SUBNET``, especially for the webmail.
|
||||
If you disable this, ensure that the rate limit on the webmail is enforced in a different
|
||||
way (e.g. roundcube plug-in), otherwise an attacker can simply bypass the limit using webmail.
|
||||
@ -99,14 +99,19 @@ the localpart for DMARC rua and ruf email addresses.
|
||||
Full-text search is enabled for IMAP is enabled by default. This feature can be disabled
|
||||
(e.g. for performance reasons) by setting the optional variable ``FULL_TEXT_SEARCH`` to ``off``.
|
||||
|
||||
.. _web_settings:
|
||||
|
||||
Web settings
|
||||
------------
|
||||
|
||||
The ``WEB_ADMIN`` contains the path to the main admin interface, while
|
||||
``WEB_WEBMAIL`` contains the path to the Web email client.
|
||||
The ``WEBROOT_REDIRECT`` redirects all non-found queries to the set path.
|
||||
An empty ``WEBROOT_REDIRECT`` value disables redirecting and enables classic
|
||||
behavior of a 404 result when not found.
|
||||
- ``WEB_ADMIN`` contains the path to the main admin interface
|
||||
|
||||
- ``WEB_WEBMAIL`` contains the path to the Web email client.
|
||||
|
||||
- ``WEBROOT_REDIRECT`` redirects all non-found queries to the set path.
|
||||
An empty ``WEBROOT_REDIRECT`` value disables redirecting and enables classic behavior of a 404 result when not found.
|
||||
Alternatively, ``WEBROOT_REDIRECT`` can be set to ``none`` if you are using an Nginx override for ``location /``.
|
||||
|
||||
All three options need a leading slash (``/``) to work.
|
||||
|
||||
.. note:: ``WEBROOT_REDIRECT`` has to point to a valid path on the webserver.
|
||||
@ -195,4 +200,24 @@ resolved. This can be used to rely on DNS based service discovery with changing
|
||||
When using ``*_ADDRESS``, the hostnames must be full-qualified hostnames. Otherwise nginx will not be able to
|
||||
resolve the hostnames.
|
||||
|
||||
Database settings
|
||||
-----------------
|
||||
|
||||
|
||||
The admin service stores configurations in a database.
|
||||
|
||||
- ``DB_FLAVOR``: the database type for mailu admin service. (``sqlite``, ``postgresql``, ``mysql``)
|
||||
- ``DB_HOST``: the database host for mailu admin service. (when not ``sqlite``)
|
||||
- ``DB_PORT``: the database port for mailu admin service. (when not ``sqlite``)
|
||||
- ``DB_PW``: the database password for mailu admin service. (when not ``sqlite``)
|
||||
- ``DB_USER``: the database user for mailu admin service. (when not ``sqlite``)
|
||||
- ``DB_NAME``: the database name for mailu admin service. (when not ``sqlite``)
|
||||
|
||||
The roundcube service stores configurations in a database.
|
||||
|
||||
- ``ROUNDCUBE_DB_FLAVOR``: the database type for roundcube service. (``sqlite``, ``postgresql``, ``mysql``)
|
||||
- ``ROUNDCUBE_DB_HOST``: the database host for roundcube service. (when not ``sqlite``)
|
||||
- ``ROUNDCUBE_DB_PORT``: the database port for roundcube service. (when not ``sqlite``)
|
||||
- ``ROUNDCUBE_DB_PW``: the database password for roundcube service. (when not ``sqlite``)
|
||||
- ``ROUNDCUBE_DB_USER``: the database user for roundcube service. (when not ``sqlite``)
|
||||
- ``ROUNDCUBE_DB_NAME``: the database name for roundcube service. (when not ``sqlite``)
|
||||
|
@ -178,9 +178,9 @@ In the case of a PR from a fellow team member, a single review is enough
|
||||
to initiate merging. In all other cases, two approving reviews are required.
|
||||
There is also a possibility to set the ``review/need2`` to require a second review.
|
||||
|
||||
After Travis successfully tests the PR and the required amount of reviews are acquired,
|
||||
After the Github Action workflow successfully tests the PR and the required amount of reviews are acquired,
|
||||
Mergify will trigger with a ``bors r+`` command. Bors will batch any approved PR's,
|
||||
merges them with master in a staging branch where Travis builds and tests the result.
|
||||
merges them with master in a staging branch where the Github Action workflow builds and tests the result.
|
||||
After a successful test, the actual master gets fast-forwarded to that point.
|
||||
|
||||
System requirements
|
||||
@ -201,16 +201,16 @@ us on `Matrix`_.
|
||||
Test images
|
||||
```````````
|
||||
|
||||
All PR's automatically get build by Travis, controlled by `bors-ng`_.
|
||||
All PR's automatically get build by a Github Action workflow, controlled by `bors-ng`_.
|
||||
Some primitive auto testing is done.
|
||||
The resulting images get uploaded to Docker hub, under the
|
||||
tag name ``mailutest/<name>:pr-<no>``.
|
||||
tag name ``mailuci/<name>:pr-<no>``.
|
||||
|
||||
For example, to test PR #500 against master, reviewers can use:
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
export DOCKER_ORG="mailutest"
|
||||
export DOCKER_ORG="mailuci"
|
||||
export MAILU_VERSION="pr-500"
|
||||
docker-compose pull
|
||||
docker-compose up -d
|
||||
@ -232,8 +232,8 @@ after Bors confirms a successful build.
|
||||
When bors try fails
|
||||
```````````````````
|
||||
|
||||
Sometimes Travis fails when another PR triggers a ``bors try`` command,
|
||||
before Travis cloned the git repository.
|
||||
Sometimes the Github Action workflow fails when another PR triggers a ``bors try`` command,
|
||||
before the Github Action workflow cloned the git repository.
|
||||
Inspect the build log in the link provided by *bors-ng* to find out the cause.
|
||||
If you see something like the following error on top of the logs,
|
||||
feel free to write a comment with ``bors retry``.
|
||||
|
@ -41,7 +41,7 @@ PR Workflow
|
||||
-----------
|
||||
|
||||
All pull requests have to be against the main ``master`` branch.
|
||||
The PR gets build by Travis and some primitive auto-testing is done.
|
||||
The PR gets build by a Github Action workflow and some primitive auto-testing is done.
|
||||
Test images get uploaded to a separate section in Docker hub.
|
||||
Reviewers will check the PR and test the resulting images.
|
||||
See the :ref:`testing` section for more info.
|
||||
|
@ -8,7 +8,8 @@ This functionality should still be considered experimental!
|
||||
Mailu Postgresql
|
||||
----------------
|
||||
|
||||
Mailu optionally comes with a pre-configured Postgresql image.
|
||||
Mailu optionally comes with a pre-configured Postgresql image, which as of 1.8, is deprecated
|
||||
and will be removed in 1.9.
|
||||
This images has the following features:
|
||||
|
||||
- Automatic creation of users, db, extensions and password;
|
||||
|
11
docs/faq.rst
11
docs/faq.rst
@ -61,7 +61,7 @@ have to prevent pushing out something quickly.
|
||||
We currently maintain a strict work flow:
|
||||
|
||||
#. Someone writes a solution and sends a pull request;
|
||||
#. We use Travis-CI for some very basic building and testing;
|
||||
#. We use Github actions for some very basic building and testing;
|
||||
#. The pull request needs to be code-reviewed and tested by at least two members
|
||||
from the contributors team.
|
||||
|
||||
@ -261,10 +261,14 @@ correct syntax. The following file names will be taken as override configuration
|
||||
- ``main.cf`` as ``$ROOT/overrides/postfix/postfix.cf``
|
||||
- ``master.cf`` as ``$ROOT/overrides/postfix/postfix.master``
|
||||
- All ``$ROOT/overrides/postfix/*.map`` files
|
||||
- For both ``postfix.cf`` and ``postfix.master``, you need to put one configuration per line, as they are fed line-by-line
|
||||
to postfix.
|
||||
- `Dovecot`_ - ``dovecot.conf`` in dovecot sub-directory;
|
||||
- `Nginx`_ - All ``*.conf`` files in the ``nginx`` sub-directory;
|
||||
- `Rspamd`_ - All files in the ``rspamd`` sub-directory.
|
||||
|
||||
To override the root location (``/``) in Nginx ``WEBROOT_REDIRECT`` needs to be set to ``none`` in the env file (see :ref:`web settings <web_settings>`).
|
||||
|
||||
*Issue reference:* `206`_, `1368`_.
|
||||
|
||||
I want to integrate Nextcloud 15 (and newer) with Mailu
|
||||
@ -495,6 +499,8 @@ follow these steps:
|
||||
|
||||
logging:
|
||||
driver: journald
|
||||
options:
|
||||
tag: mailu-front
|
||||
|
||||
2. Add the /etc/fail2ban/filter.d/bad-auth.conf
|
||||
|
||||
@ -504,6 +510,7 @@ follow these steps:
|
||||
[Definition]
|
||||
failregex = .* client login failed: .+ client:\ <HOST>
|
||||
ignoreregex =
|
||||
journalmatch = CONTAINER_TAG=mailu-front
|
||||
|
||||
3. Add the /etc/fail2ban/jail.d/bad-auth.conf
|
||||
|
||||
@ -511,8 +518,8 @@ follow these steps:
|
||||
|
||||
[bad-auth]
|
||||
enabled = true
|
||||
backend = systemd
|
||||
filter = bad-auth
|
||||
logpath = /var/log/messages
|
||||
bantime = 604800
|
||||
findtime = 300
|
||||
maxretry = 10
|
||||
|
@ -1,4 +1,4 @@
|
||||
apiVersion: apps/v1beta2
|
||||
apiVersion: apps/v1
|
||||
kind: DaemonSet
|
||||
metadata:
|
||||
name: mailu-front
|
||||
|
@ -3,6 +3,10 @@
|
||||
Kubernetes setup
|
||||
================
|
||||
|
||||
> Hold up!
|
||||
> These instructions are not recommended for setting up Mailu in a production Kubernetes environment.
|
||||
> Please see [the Helm Chart documentation](https://github.com/Mailu/helm-charts/blob/master/mailu/README.md).
|
||||
|
||||
Prequisites
|
||||
-----------
|
||||
|
||||
|
@ -1,8 +1,81 @@
|
||||
Release notes
|
||||
=============
|
||||
|
||||
Mailu 1.8 - 2020-10-02
|
||||
----------------------
|
||||
Mailu 1.8 - 2021-08-7
|
||||
---------------------
|
||||
|
||||
The full 1.8 release is finally ready. There have been some changes in the contributors team. Many people from the contributors team have stepped back due to changed priorities in their life.
|
||||
We are very grateful for all their contributions and hope we will see them back again in the future.
|
||||
This is the main reason why it took so long for 1.8 to be fully released.
|
||||
|
||||
Fortunately more people have decided to join the project. Some very nice contributions have been made which will become part of the next 1.9 release.
|
||||
We hope that future Mailu releases will be released more quickly now we have more active contributors again.
|
||||
|
||||
For a list of all changes refer to `CHANGELOG.md` in the root folder of the Mailu github project. Please read the 'Override location changes' section further on this page. It contains important information for the people who use the overrides folder.
|
||||
|
||||
New Functionality & Improvements
|
||||
````````````````````````````````
|
||||
|
||||
Here’s a short summary of new features:
|
||||
|
||||
- Roundcube and Rainloop have been updated.
|
||||
- All dependencies have been updated to the latest security update.
|
||||
- Fail2ban documentation has been improved.
|
||||
- Switch from client side (cookie) sessions to server side sessions and protect against session-fixation attacks. We recommend that you change your SECRET_KEY after upgrading.
|
||||
- Full-text-search is back after having been disabled for a while due to nasty bugs. It can still be disabled via the mailu.env file.
|
||||
- Tons of documentation improvements, especially geared towards new users.
|
||||
- (Experimental) support for different architectures, such as ARM.
|
||||
- Improvements around webmails, such as CardDAV, GPG and a new skin for an updated roundcube, and support for MySQL for it. Updated Rainloop, too.
|
||||
- Improvements around relaying, such as AUTH LOGIN and non-standard port support.
|
||||
- Update to alpine:3.14 as baseimage for most containers.
|
||||
- Setup warns users about compose-IPv6 deployments which have caused open relays in the past.
|
||||
- Improved handling of upper-vs-lowercase aliases and user-addresses.
|
||||
- Improved rate-limiting system.
|
||||
- Support for SRS.
|
||||
- Japanese localisation is now available.
|
||||
|
||||
|
||||
Upgrading
|
||||
`````````
|
||||
|
||||
Upgrade should run fine as long as you generate a new compose or stack
|
||||
configuration and upgrade your mailu.env.
|
||||
|
||||
Please note that the shipped image for PostgreSQL database is deprecated.
|
||||
The shipped image for PostgreSQL is not maintained anymore from release 1.8.
|
||||
We recommend switching to an external PostgreSQL image as soon as possible.
|
||||
|
||||
Override location changes
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
If you have regenerated the Docker compose and environment files, there are some changes to the configuration overrides.
|
||||
Override files are now mounted read-only into the containers. The Dovecot and Postfix overrides are moved in their own sub-directory. If there are local override files, they will need to be moved from ``overrides/`` to ``overrides/dovecot`` and ``overrides/postfix/``.
|
||||
|
||||
Recreate SECRET_KEY after upgrading
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
Improvements have been made to protect again session-fixation attacks.
|
||||
To be fully protected, it is required to change your SECRET_KEY in Mailu.env after upgrading.
|
||||
A new SECRET_KEY is generated when you recreate your docker-compose.yml & mailu.env file via setup.mailu.io.
|
||||
|
||||
The SECRET_KEY is an uppercase alphanumeric string of length 16. You can manually create such a string via
|
||||
```cat /dev/urandom | tr -dc 'A-Z0-9' | fold -w ${1:-16} | head -n 1```
|
||||
|
||||
After changing mailu.env, it is required to recreate all containers for the changes to be propagated.
|
||||
|
||||
Update your DNS SPF Records
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
It has become known that the SPF DNS records generated by the admin interface are not completely standard compliant anymore. Please check the DNS records for your domains and compare them to what the new admin-interface instructs you to use. In most cases, this should be a simple copy-paste operation for you ….
|
||||
|
||||
Fixed hostname for antispam service
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
For history to be retained in Rspamd, the antispam container requires a static hostname. When you re-generate your docker-compose.yml file (or helm-chart), this will be covered.
|
||||
|
||||
|
||||
Mailu 1.8rc - 2020-10-02
|
||||
------------------------
|
||||
|
||||
Release 1.8 has come a long way again. Due to corona the project slowed down to a crawl. Fortunately new contributors have joined the team what enabled us to still release Mailu 1.8 this year.
|
||||
|
||||
|
@ -2,3 +2,4 @@ recommonmark
|
||||
Sphinx
|
||||
sphinx-autobuild
|
||||
sphinx-rtd-theme
|
||||
docutils==0.16
|
||||
|
@ -154,7 +154,40 @@ Add the respective Traefik labels for your domain/configuration, like
|
||||
If your Traefik is configured to automatically request certificates from *letsencrypt*, then you’ll have a certificate for ``mail.your.doma.in`` now. However,
|
||||
``mail.your.doma.in`` might only be the location where you want the Mailu web-interfaces to live — your mail should be sent/received from ``your.doma.in``,
|
||||
and this is the ``DOMAIN`` in your ``.env``?
|
||||
To support that use-case, Traefik can request ``SANs`` for your domain. Lets add something like
|
||||
To support that use-case, Traefik can request ``SANs`` for your domain. The configuration for this will depend on your Traefik version.
|
||||
|
||||
----
|
||||
|
||||
Traefik 2.x using labels configuration
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Add the appropriate labels for your domain(s) to the ``front`` container in ``docker-compose.yml``.
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
services:
|
||||
front:
|
||||
labels:
|
||||
# Enable TLS
|
||||
- "traefik.http.routers.mailu-secure.tls"
|
||||
# Your main domain
|
||||
- "traefik.http.routers.mailu-secure.tls.domains[0].main=your.doma.in"
|
||||
# Optional SANs for your main domain
|
||||
- "traefik.http.routers.mailu-secure.tls.domains[0].sans=mail.your.doma.in,webmail.your.doma.in,smtp.your.doma.in"
|
||||
# Optionally add other domains
|
||||
- "traefik.http.routers.mailu-secure.tls.domains[1].main=mail.other.doma.in"
|
||||
- "traefik.http.routers.mailu-secure.tls.domains[1].sans=mail2.other.doma.in,mail3.other.doma.in"
|
||||
# Your ACME certificate resolver
|
||||
- "traefik.http.routers.mailu-secure.tls.certResolver=foo"
|
||||
|
||||
Of course, be sure to define the Certificate Resolver ``foo`` in the static configuration as well.
|
||||
|
||||
Alternatively, you can define SANs in the Traefik static configuration using routers, or in the static configuration using entrypoints. Refer to the Traefik documentation for more details.
|
||||
|
||||
Traefik 1.x with TOML configuration
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Lets add something like
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
@ -163,7 +196,11 @@ To support that use-case, Traefik can request ``SANs`` for your domain. Lets add
|
||||
main = "your.doma.in" # this is the same as $TRAEFIK_DOMAIN!
|
||||
sans = ["mail.your.doma.in", "webmail.your.doma.in", "smtp.your.doma.in"]
|
||||
|
||||
to your ``traefik.toml``. You might need to clear your ``acme.json``, if a certificate for one of these domains already exists.
|
||||
to your ``traefik.toml``.
|
||||
|
||||
----
|
||||
|
||||
You might need to clear your ``acme.json``, if a certificate for one of these domains already exists.
|
||||
|
||||
You will need some solution which dumps the certificates in ``acme.json``, so you can include them in the ``mailu/front`` container.
|
||||
One such example is ``mailu/traefik-certdumper``, which has been adapted for use in Mailu. You can add it to your ``docker-compose.yml`` like:
|
||||
|
@ -215,22 +215,29 @@ On the new relayed domain page the following options can be entered for a new re
|
||||
* Relayed domain name. The domain name that is relayed. Email messages addressed to this domain (To: John@example.com), will be forwarded to this domain.
|
||||
No authentication is required.
|
||||
|
||||
* Remote host (optional). The SMPT server that will be used for relaying the email message.
|
||||
When this field is blank, the Mailu server will directly send the email message to the relayed domain.
|
||||
As value can be entered either a hostname or IP address of the SMPT server.
|
||||
By default port 25 is used. To use a different port append ":port number" to the Remote Host. For example:
|
||||
123.45.67.90:2525.
|
||||
* Remote host (optional). The host that will be used for relaying the email message.
|
||||
When this field is blank, the Mailu server will directly send the email message to the mail server of the relayed domain.
|
||||
When a remote host is specified it can be prefixed by ``mx:`` or ``lmtp:`` and followed by a port number: ``:port``).
|
||||
|
||||
================ ===================================== =========================
|
||||
Remote host Description postfix transport:nexthop
|
||||
================ ===================================== =========================
|
||||
empty use MX of relay domain smtp:domain
|
||||
:port use MX of relay domain and use port smtp:domain:port
|
||||
target resolve A/AAAA of target smtp:[target]
|
||||
target:port resolve A/AAAA of target and use port smtp:[target]:port
|
||||
mx:target resolve MX of target smtp:target
|
||||
mx:target:port resolve MX of target and use port smtp:target:port
|
||||
lmtp:target resolve A/AAAA of target lmtp:target
|
||||
lmtp:target:port resolve A/AAAA of target and use port lmtp:target:port
|
||||
================ ===================================== =========================
|
||||
|
||||
`target` can also be an IPv4 or IPv6 address (an IPv6 address must be enclosed in []: ``[2001:DB8::]``).
|
||||
|
||||
* Comment. A text field where a comment can be entered to describe the entry.
|
||||
|
||||
Changes are effective immediately after clicking the Save button.
|
||||
|
||||
NOTE: Due to bug `1588`_ email messages fail to be relayed if no Remote Host is configured.
|
||||
As a workaround the HOSTNAME or IP Address of the SMPT server of the relayed domain can be entered as Remote Host.
|
||||
Please note that no MX lookup is performed when entering a hostname as Remote Host. You can use the MX lookup on mxtoolbox.com to find the hostname and IP Address of the SMTP server.
|
||||
|
||||
.. _`1588`: https://github.com/Mailu/Mailu/issues/1588
|
||||
|
||||
Antispam
|
||||
--------
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
ARG DISTRO=alpine:3.12
|
||||
ARG DISTRO=alpine:3.14
|
||||
FROM $DISTRO
|
||||
# python3 shared with most images
|
||||
RUN apk add --no-cache \
|
||||
|
@ -1,4 +1,4 @@
|
||||
ARG DISTRO=alpine:3.12
|
||||
ARG DISTRO=alpine:3.14
|
||||
FROM $DISTRO
|
||||
|
||||
# python3 shared with most images
|
||||
|
@ -1,4 +1,4 @@
|
||||
ARG DISTRO=alpine:3.12
|
||||
ARG DISTRO=alpine:3.14
|
||||
FROM $DISTRO
|
||||
# python3 shared with most images
|
||||
RUN apk add --no-cache \
|
||||
|
@ -2,7 +2,6 @@
|
||||
|
||||
import anosql
|
||||
import psycopg2
|
||||
import jinja2
|
||||
import glob
|
||||
import os
|
||||
import subprocess
|
||||
@ -38,7 +37,6 @@ if not os.listdir("/data"):
|
||||
rec.write("restore_command = 'gunzip < /backup/wal_archive/%f > %p'\n")
|
||||
rec.write("standby_mode = off\n")
|
||||
os.system("chown postgres:postgres /data/recovery.conf")
|
||||
#os.system("sudo -u postgres pg_ctl start -D /data -o '-h \"''\" '")
|
||||
else:
|
||||
# Bootstrap the database
|
||||
os.system("sudo -u postgres initdb -D /data")
|
||||
|
@ -1,4 +1,4 @@
|
||||
ARG DISTRO=alpine:3.12
|
||||
ARG DISTRO=alpine:3.14
|
||||
FROM $DISTRO
|
||||
|
||||
# python3 shared with most images
|
||||
|
@ -1,4 +1,4 @@
|
||||
ARG DISTRO=alpine:3.12
|
||||
ARG DISTRO=alpine:3.14
|
||||
FROM $DISTRO
|
||||
# python3 shared with most images
|
||||
RUN apk add --no-cache \
|
||||
|
@ -2,7 +2,7 @@ server:
|
||||
verbosity: 1
|
||||
interface: 0.0.0.0
|
||||
interface: ::0
|
||||
logfile: /dev/stdout
|
||||
logfile: ""
|
||||
do-ip4: yes
|
||||
do-ip6: yes
|
||||
do-udp: yes
|
||||
|
@ -1,4 +1,4 @@
|
||||
ARG DISTRO=alpine:3.10
|
||||
ARG DISTRO=alpine:3.14
|
||||
FROM $DISTRO
|
||||
|
||||
RUN mkdir -p /app
|
||||
|
@ -85,6 +85,7 @@ services:
|
||||
|
||||
antispam:
|
||||
image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}rspamd:${MAILU_VERSION:-{{ version }}}
|
||||
hostname: antispam
|
||||
restart: always
|
||||
env_file: {{ env }}
|
||||
volumes:
|
||||
|
@ -86,7 +86,7 @@ WELCOME_SUBJECT={{ welcome_subject or 'Welcome to your new email account' }}
|
||||
WELCOME_BODY={{ welcome_body or 'Welcome to your new email account, if you can read this, then it is configured properly!' }}
|
||||
|
||||
# Maildir Compression
|
||||
# choose compression-method, default: none (value: bz2, gz)
|
||||
# choose compression-method, default: none (value: gz, bz2, lz4, zstd)
|
||||
COMPRESSION={{ compression }}
|
||||
# change compression-level, default: 6 (value: 1-9)
|
||||
COMPRESSION_LEVEL={{ compression_level }}
|
||||
@ -175,3 +175,10 @@ DB_HOST={{ db_url }}
|
||||
DB_NAME={{ db_name }}
|
||||
{% endif %}
|
||||
|
||||
{% if (postgresql == 'external' or db_flavor == 'mysql') and webmail_type == 'roundcube' %}
|
||||
ROUNDCUBE_DB_FLAVOR={{ db_flavor }}
|
||||
ROUNDCUBE_DB_USER={{ roundcube_db_user }}
|
||||
ROUNDCUBE_DB_PW={{ roundcube_db_pw }}
|
||||
ROUNDCUBE_DB_HOST={{ roundcube_db_url }}
|
||||
ROUNDCUBE_DB_NAME={{ roundcube_db_name }}
|
||||
{% endif %}
|
||||
|
@ -70,6 +70,7 @@ services:
|
||||
|
||||
antispam:
|
||||
image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}rspamd:${MAILU_VERSION:-{{ version }}}
|
||||
hostname: antispam
|
||||
env_file: {{ env }}
|
||||
volumes:
|
||||
- "{{ root }}/filter:/var/lib/rspamd"
|
||||
|
@ -1,4 +1,4 @@
|
||||
flask
|
||||
flask-bootstrap
|
||||
redis
|
||||
gunicorn
|
||||
Flask==1.0.2
|
||||
Flask-Bootstrap==3.3.7.1
|
||||
gunicorn==19.9.0
|
||||
redis==3.2.1
|
||||
|
@ -58,7 +58,7 @@ def build_app(path):
|
||||
stable_version = os.getenv("stable_version", "master")
|
||||
)
|
||||
|
||||
prefix_bp = flask.Blueprint(version, __name__)
|
||||
prefix_bp = flask.Blueprint(version.replace(".", "_"), __name__)
|
||||
prefix_bp.jinja_loader = jinja2.ChoiceLoader([
|
||||
jinja2.FileSystemLoader(os.path.join(path, "templates")),
|
||||
jinja2.FileSystemLoader(os.path.join(path, "flavors"))
|
||||
|
@ -57,6 +57,13 @@ $(document).ready(function() {
|
||||
$("#db_pw").prop('required',true);
|
||||
$("#db_url").prop('required',true);
|
||||
$("#db_name").prop('required',true);
|
||||
if ($("#webmail").val() == 'roundcube') {
|
||||
$("#roundcube_external_db").show();
|
||||
$("#roundcube_db_user").prop('required',true);
|
||||
$("#roundcube_db_pw").prop('required',true);
|
||||
$("#roundcube_db_url").prop('required',true);
|
||||
$("#roundcube_db_name").prop('required',true);
|
||||
}
|
||||
} else if (this.value == 'mysql') {
|
||||
$("#postgres_db").hide();
|
||||
$("#external_db").show();
|
||||
@ -64,6 +71,13 @@ $(document).ready(function() {
|
||||
$("#db_pw").prop('required',true);
|
||||
$("#db_url").prop('required',true);
|
||||
$("#db_name").prop('required',true);
|
||||
if ($("#webmail").val() == 'roundcube') {
|
||||
$("#roundcube_external_db").show();
|
||||
$("#roundcube_db_user").prop('required',true);
|
||||
$("#roundcube_db_pw").prop('required',true);
|
||||
$("#roundcube_db_url").prop('required',true);
|
||||
$("#roundcube_db_name").prop('required',true);
|
||||
}
|
||||
}
|
||||
});
|
||||
$("#external_psql").change(function() {
|
||||
@ -73,6 +87,13 @@ $(document).ready(function() {
|
||||
$("#db_pw").prop('required',true);
|
||||
$("#db_url").prop('required',true);
|
||||
$("#db_name").prop('required',true);
|
||||
if ($("#webmail").val() == 'roundcube') {
|
||||
$("#roundcube_external_db").show();
|
||||
$("#roundcube_db_user").prop('required',true);
|
||||
$("#roundcube_db_pw").prop('required',true);
|
||||
$("#roundcube_db_url").prop('required',true);
|
||||
$("#roundcube_db_name").prop('required',true);
|
||||
}
|
||||
} else {
|
||||
$("#external_db").hide();
|
||||
}
|
||||
|
@ -59,7 +59,7 @@ the security implications caused by such an increase of attack surface.<p>
|
||||
<i>Fetchmail allows users to retrieve mail from an external mail-server via IMAP/POP3 and puts it in their inbox.</i>
|
||||
</div>
|
||||
|
||||
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script>
|
||||
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>
|
||||
|
||||
<script type="text/javascript" src="{{ url_for('static', filename='render.js') }}"></script>
|
||||
|
||||
|
@ -50,8 +50,8 @@ Or in plain english: if receivers start to classify your mail as spam, this post
|
||||
<div class="form-group">
|
||||
<label>Authentication rate limit (per source IP address)</label>
|
||||
<!-- Validates number input only -->
|
||||
<p><input class="form-control" style="width: 7%; display: inline;" type="number" name="auth_ratelimit_pm"
|
||||
value="10" required > / minute
|
||||
<p><input class="form-control" style="width: 9%; display: inline;" type="number" name="auth_ratelimit_pm"
|
||||
value="10000" required > / minute
|
||||
</p>
|
||||
</div>
|
||||
|
||||
@ -83,7 +83,7 @@ manage your email domains, users, etc.</p>
|
||||
<input class="form-control" type="text" name="admin_path" id="admin_path" style="display: none">
|
||||
</div>
|
||||
|
||||
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script>
|
||||
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>
|
||||
|
||||
<script type="text/javascript" src="{{ url_for('static', filename='render.js') }}"></script>
|
||||
|
||||
|
@ -28,7 +28,7 @@
|
||||
<br/>
|
||||
</div>
|
||||
<div class="form-group" id="external_db" style="display: none">
|
||||
<p>Set external database parameters</p>
|
||||
<p>Set external database parameters for <b>Admin UI</b></p>
|
||||
<label>DB User</label>
|
||||
<input class="form-control" type="text" name="db_user" placeholder="Username" id="db_user">
|
||||
<label>Db Password</label>
|
||||
@ -37,6 +37,18 @@
|
||||
<input class="form-control" type="text" name="db_url" placeholder="URL" id="db_url">
|
||||
<label>Db Name</label>
|
||||
<input class="form-control" type="text" name="db_name" placeholder="Database Name" id="db_name">
|
||||
<br/>
|
||||
<div class="form-group" id="roundcube_external_db" style="display: none">
|
||||
<p>Set external database parameters for <b>Roundcube</b></p>
|
||||
<label>DB User</label>
|
||||
<input class="form-control" type="text" name="roundcube_db_user" placeholder="Username" id="roundcube_db_user">
|
||||
<label>DB Password</label>
|
||||
<input class="form-control" type="password" name="roundcube_db_pw" placeholder="Password" id="roundcube_db_pw">
|
||||
<label>DB URL</label>
|
||||
<input class="form-control" type="text" name="roundcube_db_url" placeholder="URL" id="roundcube_db_url">
|
||||
<label>DB Name</label>
|
||||
<input class="form-control" type="text" name="roundcube_db_name" placeholder="Database Name" id="roundcube_db_name">
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
|
@ -55,7 +55,7 @@ the security implications caused by such an increase of attack surface.<p>
|
||||
<i>Fetchmail allows users to retrieve mail from an external mail-server via IMAP/POP3 and puts it in their inbox.</i>
|
||||
</div>
|
||||
|
||||
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script>
|
||||
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>
|
||||
|
||||
<script type="text/javascript" src="{{ url_for('static', filename='render.js') }}"></script>
|
||||
|
||||
|
@ -1,6 +1,6 @@
|
||||
#!/bin/bash -x
|
||||
|
||||
ALPINE_VER="3.10"
|
||||
ALPINE_VER="3.14"
|
||||
DISTRO="balenalib/rpi-alpine:$ALPINE_VER"
|
||||
# Used for webmails
|
||||
QEMU="arm"
|
||||
|
@ -92,7 +92,7 @@ DMARC_RUF=admin
|
||||
|
||||
|
||||
# Maildir Compression
|
||||
# choose compression-method, default: none (value: bz2, gz)
|
||||
# choose compression-method, default: none (value: gz, bz2, lz4, zstd)
|
||||
COMPRESSION=
|
||||
# change compression-level, default: 6 (value: 1-9)
|
||||
COMPRESSION_LEVEL=
|
||||
|
@ -92,7 +92,7 @@ DMARC_RUF=admin
|
||||
|
||||
|
||||
# Maildir Compression
|
||||
# choose compression-method, default: none (value: bz2, gz)
|
||||
# choose compression-method, default: none (value: gz, bz2, lz4, zstd)
|
||||
COMPRESSION=
|
||||
# change compression-level, default: 6 (value: 1-9)
|
||||
COMPRESSION_LEVEL=
|
||||
|
5
tests/compose/filters/00_create_users.sh
Executable file
5
tests/compose/filters/00_create_users.sh
Executable file
@ -0,0 +1,5 @@
|
||||
echo "Creating user required for next test ..."
|
||||
# Should not fail and update the password; update mode
|
||||
docker-compose -f tests/compose/filters/docker-compose.yml exec -T admin flask mailu admin admin mailu.io 'password' --mode=update || exit 1
|
||||
docker-compose -f tests/compose/filters/docker-compose.yml exec -T admin flask mailu user user mailu.io 'password' || exit 1
|
||||
echo "User created successfully"
|
@ -92,7 +92,7 @@ DMARC_RUF=admin
|
||||
|
||||
|
||||
# Maildir Compression
|
||||
# choose compression-method, default: none (value: bz2, gz)
|
||||
# choose compression-method, default: none (value: gz, bz2, lz4, zstd)
|
||||
COMPRESSION=
|
||||
# change compression-level, default: 6 (value: 1-9)
|
||||
COMPRESSION_LEVEL=
|
||||
|
@ -51,7 +51,7 @@ DISABLE_STATISTICS=False
|
||||
###################################
|
||||
|
||||
# Expose the admin interface (value: true, false)
|
||||
ADMIN=true
|
||||
ADMIN=false
|
||||
|
||||
# Choose which webmail to run if any (values: roundcube, rainloop, none)
|
||||
WEBMAIL=rainloop
|
||||
@ -92,7 +92,7 @@ DMARC_RUF=admin
|
||||
|
||||
|
||||
# Maildir Compression
|
||||
# choose compression-method, default: none (value: bz2, gz)
|
||||
# choose compression-method, default: none (value: gz, bz2, lz4, zstd)
|
||||
COMPRESSION=
|
||||
# change compression-level, default: 6 (value: 1-9)
|
||||
COMPRESSION_LEVEL=
|
||||
|
@ -51,7 +51,7 @@ DISABLE_STATISTICS=False
|
||||
###################################
|
||||
|
||||
# Expose the admin interface (value: true, false)
|
||||
ADMIN=true
|
||||
ADMIN=false
|
||||
|
||||
# Choose which webmail to run if any (values: roundcube, rainloop, none)
|
||||
WEBMAIL=roundcube
|
||||
@ -92,7 +92,7 @@ DMARC_RUF=admin
|
||||
|
||||
|
||||
# Maildir Compression
|
||||
# choose compression-method, default: none (value: bz2, gz)
|
||||
# choose compression-method, default: none (value: gz, bz2, lz4, zstd)
|
||||
COMPRESSION=
|
||||
# change compression-level, default: 6 (value: 1-9)
|
||||
COMPRESSION_LEVEL=
|
||||
|
@ -92,7 +92,7 @@ DMARC_RUF=admin
|
||||
|
||||
|
||||
# Maildir Compression
|
||||
# choose compression-method, default: none (value: bz2, gz)
|
||||
# choose compression-method, default: none (value: gz, bz2, lz4, zstd)
|
||||
COMPRESSION=
|
||||
# change compression-level, default: 6 (value: 1-9)
|
||||
COMPRESSION_LEVEL=
|
||||
|
@ -3,14 +3,5 @@
|
||||
# Skip deploy for staging branch
|
||||
[ "$TRAVIS_BRANCH" = "staging" ] && exit 0
|
||||
|
||||
# Retag in case of `bors try`
|
||||
if [ "$TRAVIS_BRANCH" = "testing" ]; then
|
||||
export DOCKER_ORG="mailutest"
|
||||
# Commit message is like "Try #99".
|
||||
# This sets the version tag to "pr-99"
|
||||
export MAILU_VERSION="pr-${TRAVIS_COMMIT_MESSAGE//[!0-9]/}"
|
||||
docker-compose -f tests/build.yml build
|
||||
fi
|
||||
|
||||
docker login -u $DOCKER_UN -p $DOCKER_PW
|
||||
docker-compose -f tests/build.yml push
|
||||
|
1
towncrier/newsfragments/1194.feature
Normal file
1
towncrier/newsfragments/1194.feature
Normal file
@ -0,0 +1 @@
|
||||
Add a credential cache to speedup authentication requests.
|
1
towncrier/newsfragments/1294.bugfix
Normal file
1
towncrier/newsfragments/1294.bugfix
Normal file
@ -0,0 +1 @@
|
||||
Ensure that the podop socket is always owned by the postfix user (wasn't the case when build using non-standard base images... typically for arm64)
|
1
towncrier/newsfragments/1503.doc
Normal file
1
towncrier/newsfragments/1503.doc
Normal file
@ -0,0 +1 @@
|
||||
Add documentation for Traefik 2 in Reverse Proxy
|
1
towncrier/newsfragments/1604.feature
Normal file
1
towncrier/newsfragments/1604.feature
Normal file
@ -0,0 +1 @@
|
||||
Add cli commands config-import and config-export
|
@ -1 +0,0 @@
|
||||
Don't replace nested headers (typically in attached emails)
|
@ -1 +0,0 @@
|
||||
Fix letsencrypt access to certbot for the mail-letsencrypt flavour
|
1
towncrier/newsfragments/1694.feature
Normal file
1
towncrier/newsfragments/1694.feature
Normal file
@ -0,0 +1 @@
|
||||
Support configuring lz4 and zstd compression for dovecot.
|
@ -1,2 +0,0 @@
|
||||
Fix CVE-2020-25275 and CVE-2020-24386 by using alpine 3.13 for
|
||||
dovecot which contains a fixed dovecot version.
|
2
towncrier/newsfragments/1760.bugfix
Normal file
2
towncrier/newsfragments/1760.bugfix
Normal file
@ -0,0 +1,2 @@
|
||||
Fix CVE-2021-23240, CVE-2021-3156 and CVE-2021-23239 for postgresql
|
||||
by force-upgrading sudo.
|
@ -1 +0,0 @@
|
||||
Switch from client side sessions (cookies) to server-side sessions (Redis). This simplies the security model a lot and allows for an easier recovery should a cookie ever land in the hands of an attacker.
|
1
towncrier/newsfragments/1828.misc
Normal file
1
towncrier/newsfragments/1828.misc
Normal file
@ -0,0 +1 @@
|
||||
Switched from Travis to Github actions for CI/CD. Improved CI workflow to perform all tests in parallel.
|
1
towncrier/newsfragments/1830.misc
Normal file
1
towncrier/newsfragments/1830.misc
Normal file
@ -0,0 +1 @@
|
||||
Make CI tests run in parallel.
|
1
towncrier/newsfragments/1831.bugfix
Normal file
1
towncrier/newsfragments/1831.bugfix
Normal file
@ -0,0 +1 @@
|
||||
Fix roundcube environment configuration for databases
|
1
towncrier/newsfragments/1851.feature
Normal file
1
towncrier/newsfragments/1851.feature
Normal file
@ -0,0 +1 @@
|
||||
Remove cyrus-sasl-plain as it's not packaged by alpine anymore. SASL-login is still available and used when relaying.
|
1
towncrier/newsfragments/1917.bugfix
Normal file
1
towncrier/newsfragments/1917.bugfix
Normal file
@ -0,0 +1 @@
|
||||
Alpine has removed support for btree and hash in postfix... please use lmdb instead
|
1
towncrier/newsfragments/224.feature
Normal file
1
towncrier/newsfragments/224.feature
Normal file
@ -0,0 +1 @@
|
||||
Add instructions on how to create DNS records for email client auto-configuration (RFC6186 style)
|
1
towncrier/newsfragments/783.feature
Normal file
1
towncrier/newsfragments/783.feature
Normal file
@ -0,0 +1 @@
|
||||
Centralize the authentication of webmails behind the admin interface
|
@ -3,7 +3,7 @@ ARG QEMU=other
|
||||
|
||||
# NOTE: only add file if building for arm
|
||||
FROM ${ARCH}php:7.4-apache as build_arm
|
||||
ONBUILD COPY --from=balenalib/rpi-alpine:3.10 /usr/bin/qemu-arm-static /usr/bin/qemu-arm-static
|
||||
ONBUILD COPY --from=balenalib/rpi-alpine:3.14 /usr/bin/qemu-arm-static /usr/bin/qemu-arm-static
|
||||
|
||||
FROM ${ARCH}php:7.4-apache as build_other
|
||||
|
||||
@ -17,7 +17,7 @@ RUN apt-get update && apt-get install -y \
|
||||
# Shared layer between nginx, dovecot, postfix, postgresql, rspamd, unbound, rainloop, roundcube
|
||||
RUN pip3 install socrate
|
||||
|
||||
ENV RAINLOOP_URL https://github.com/RainLoop/rainloop-webmail/releases/download/v1.14.0/rainloop-community-1.14.0.zip
|
||||
ENV RAINLOOP_URL https://github.com/RainLoop/rainloop-webmail/releases/download/v1.16.0/rainloop-community-1.16.0.zip
|
||||
|
||||
RUN apt-get update && apt-get install -y \
|
||||
unzip python3-jinja2 \
|
||||
@ -35,6 +35,7 @@ RUN apt-get update && apt-get install -y \
|
||||
&& rm -rf /var/lib/apt/lists
|
||||
|
||||
COPY include.php /var/www/html/include.php
|
||||
COPY sso.php /var/www/html/sso.php
|
||||
COPY php.ini /php.ini
|
||||
|
||||
COPY application.ini /application.ini
|
||||
|
@ -8,6 +8,10 @@ allow_admin_panel = Off
|
||||
|
||||
[labs]
|
||||
allow_gravatar = Off
|
||||
{% if ADMIN == "true" %}
|
||||
custom_login_link='sso.php'
|
||||
custom_logout_link='{{ WEB_ADMIN }}/ui/logout'
|
||||
{% endif %}
|
||||
|
||||
[contacts]
|
||||
enable = On
|
||||
|
31
webmails/rainloop/sso.php
Normal file
31
webmails/rainloop/sso.php
Normal file
@ -0,0 +1,31 @@
|
||||
<?php
|
||||
|
||||
$_ENV['RAINLOOP_INCLUDE_AS_API'] = true;
|
||||
if (!defined('APP_VERSION')) {
|
||||
$version = file_get_contents('/data/VERSION');
|
||||
if ($version) {
|
||||
define('APP_VERSION', $version);
|
||||
define('APP_INDEX_ROOT_FILE', __FILE__);
|
||||
define('APP_INDEX_ROOT_PATH', str_replace('\\', '/', rtrim(dirname(__FILE__), '\\/').'/'));
|
||||
}
|
||||
}
|
||||
|
||||
if (file_exists(APP_INDEX_ROOT_PATH.'rainloop/v/'.APP_VERSION.'/include.php')) {
|
||||
include APP_INDEX_ROOT_PATH.'rainloop/v/'.APP_VERSION.'/include.php';
|
||||
} else {
|
||||
echo '[105] Missing version directory';
|
||||
exit(105);
|
||||
}
|
||||
|
||||
// Retrieve email and password
|
||||
if (in_array('HTTP_X_REMOTE_USER', $_SERVER) && in_array('HTTP_X_REMOTE_USER_TOKEN', $_SERVER)) {
|
||||
$email = $_SERVER['HTTP_X_REMOTE_USER'];
|
||||
$password = $_SERVER['HTTP_X_REMOTE_USER_TOKEN'];
|
||||
$ssoHash = \RainLoop\Api::GetUserSsoHash($email, $password);
|
||||
|
||||
// redirect to webmail sso url
|
||||
header('Location: index.php?sso&hash='.$ssoHash);
|
||||
}
|
||||
else {
|
||||
header('HTTP/1.0 403 Forbidden');
|
||||
}
|
@ -24,6 +24,7 @@ conf.jinja("/application.ini", os.environ, "/data/_data_/_default_/configs/appli
|
||||
conf.jinja("/php.ini", os.environ, "/usr/local/etc/php/conf.d/rainloop.ini")
|
||||
|
||||
os.system("chown -R www-data:www-data /data")
|
||||
os.system("chmod -R a+rX /var/www/html/")
|
||||
|
||||
os.execv("/usr/local/bin/apache2-foreground", ["apache2-foreground"])
|
||||
|
||||
|
@ -2,7 +2,7 @@
|
||||
ARG ARCH=""
|
||||
ARG QEMU=other
|
||||
FROM ${ARCH}php:7.4-apache as build_arm
|
||||
ONBUILD COPY --from=balenalib/rpi-alpine:3.10 /usr/bin/qemu-arm-static /usr/bin/qemu-arm-static
|
||||
ONBUILD COPY --from=balenalib/rpi-alpine:3.14 /usr/bin/qemu-arm-static /usr/bin/qemu-arm-static
|
||||
|
||||
FROM ${ARCH}php:7.4-apache as build_other
|
||||
|
||||
@ -16,9 +16,9 @@ RUN apt-get update && apt-get install -y \
|
||||
# Shared layer between nginx, dovecot, postfix, postgresql, rspamd, unbound, rainloop, roundcube
|
||||
RUN pip3 install socrate
|
||||
|
||||
ENV ROUNDCUBE_URL https://github.com/roundcube/roundcubemail/releases/download/1.4.6/roundcubemail-1.4.6-complete.tar.gz
|
||||
ENV ROUNDCUBE_URL https://github.com/roundcube/roundcubemail/releases/download/1.4.11/roundcubemail-1.4.11-complete.tar.gz
|
||||
|
||||
ENV CARDDAV_URL https://github.com/blind-coder/rcmcarddav/releases/download/v3.0.3/carddav-3.0.3.tar.bz2
|
||||
ENV CARDDAV_URL https://github.com/mstilkerich/rcmcarddav/releases/download/v4.1.2/carddav-v4.1.2.tar.gz
|
||||
|
||||
RUN apt-get update && apt-get install -y \
|
||||
zlib1g-dev libzip4 libzip-dev libpq-dev \
|
||||
@ -28,12 +28,8 @@ RUN apt-get update && apt-get install -y \
|
||||
&& echo date.timezone=UTC > /usr/local/etc/php/conf.d/timezone.ini \
|
||||
&& rm -rf /var/www/html/ \
|
||||
&& cd /var/www \
|
||||
&& curl -L -O ${ROUNDCUBE_URL} \
|
||||
&& curl -L -O ${CARDDAV_URL} \
|
||||
&& tar -xf *.tar.gz \
|
||||
&& tar -xf *.tar.bz2 \
|
||||
&& rm -f *.tar.gz \
|
||||
&& rm -f *.tar.bz2 \
|
||||
&& curl -sL ${ROUNDCUBE_URL} | tar xz \
|
||||
&& curl -sL ${CARDDAV_URL} | tar xz \
|
||||
&& mv roundcubemail-* html \
|
||||
&& mv carddav html/plugins/ \
|
||||
&& cd html \
|
||||
@ -46,6 +42,7 @@ RUN apt-get update && apt-get install -y \
|
||||
|
||||
COPY php.ini /php.ini
|
||||
COPY config.inc.php /var/www/html/config/
|
||||
COPY mailu.php /var/www/html/plugins/mailu/mailu.php
|
||||
COPY start.py /start.py
|
||||
|
||||
EXPOSE 80/tcp
|
||||
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue
Block a user