Commit graph

2041 commits

Author SHA1 Message Date
Brennan Kinney 584577787a
refactor: Internal HOSTNAME and DOMAINNAME configuration (#2280)
Better logical flow, handling and inline documentation.

Despite the verbosity, it's better to make this visible here for maintenance and debugging purposes than trying to dig through issue/PR or commit history for it.

* fix: Panic when HOSTNAME is misconfigured
* chore: Add more comment docs for maintainers
* tests(fix): Use `--domainname` not ENV `DOMAINNAME`

Co-authored-by: Casper <casperklein@users.noreply.github.com>
Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
2021-11-16 10:50:45 +13:00
Georg Lauterbach 30834eb250
Revise workflow for stalled objects (#2301) 2021-11-15 21:00:25 +01:00
Casper 984acb960d
Update close_stale_issues.yml (#2300) 2021-11-15 09:03:12 +01:00
Casper cac0647250
improve: sort environment variables (#2298) 2021-11-14 09:11:44 +13:00
Brennan Kinney 65120dd934
github(fix): Issues form - Use checkboxes for the experience question (#2297)
Dropdown isn't appropriate. This was meant to be changed to multi-choice for opt-in.
2021-11-14 00:07:54 +13:00
Georg Lauterbach 6c1c669619
make Bash start user-patches.sh (#2295) 2021-11-13 10:19:56 +01:00
Georg Lauterbach cf4682fe5e
remove unnecessary ls from debug log (#2294) 2021-11-12 14:33:04 +01:00
Andreas Egli e436968655
openDMARC: remove quotation marks from setup script (#2291) 2021-11-10 12:21:26 +01:00
Brennan Kinney 917f0f6a9c
fix: Monitor for changes in supported letsencrypt locations (#2279)
Previously we only monitored for `$HOSTNAME` in `/etc/letsencrypt/live` and only for hard-coded `.pem` filenames.

This ensures we check the locations of other locations that may not match `$HOSTNAME`, which we also support. Ideally in future at least the directory to look in would be better known in advance..
2021-11-05 12:08:57 +13:00
Brennan Kinney b1a74bd47a
tests(feat): Refactor test_helper/common.bash common_container methods (#2275)
These are improvements for better supporting the requirements of other tests.

- Opted for passing an array reference instead of an ENV file. This seems to be a better approach and supports more than just ENV changes.
- Likewise, shifted to a `create` + `start` approach, instead of `docker run` for added flexibility.
- Using `TEST_TMP_CONFIG` instead of `PRIVATE_CONFIG` to make the difference in usage with config volume in tests more clear.
- Changed the config volume from read-only volume mount to be read-write instead, which seems required for other tests.
- Added notes about logged failures from a read-only config volume during container startup.
- Added `TEST_CA_CERT` as a default CA cert path for the test files volume. This can be used by default by openssl methods.
2021-11-05 09:35:01 +13:00
Frederic Werner a0bd2c6df9
docs(deps): bump mkdocs-material to 7.3.6 (#2287) 2021-11-05 09:03:12 +13:00
Brennan Kinney e807631a76
refactor: acme.json extraction (#2274)
Split into scoped commits with messages if further details are needed, view those via the associated PR :)

**Commit Summary:**

**`check-for-changes.sh`**

- Prevent `SSL_DOMAIN` silently skipping when value has wildcard prefix `*.` (_at least this was known as a bugfix when originally committed in linked PR_).
- Improved inlined docs for maintainers.
- Additional logging for debugging.

**`helper-functions.sh:_extract_certs_from_acme`**:

- Fail if the input arg (_`$CERT_DOMAIN`, aka the FQDN_) provided for extraction is empty.
- Use `$CERT_DOMAIN` in place of `$HOSTNAME` and `$1` for a consistent value (_previously could mismatch, eg with `SSL_DOMAIN` defined_).
- The conditional is now only for handling extraction failure (_key or cert value is missing from extraction_).
- Log an actual warning or success (debug) based on outcome.
- Don't use `SSL_DOMAIN` with wildcard value for the `mkdir` letsencrypt directory name (_wildcard prefix `*.` is first stripped instead_).

**`acme_extract`** (_new python utility for `acme.json` handling_):

- Extracted out into a python script that can be treated as a utility in the `$PATH` like other helper scripts. It can now be used and optionally tested directly instead of via `helper-functions.sh`.
-Made compatible with Python 3, as Python 2 is EOL and no longer in newer versions of Debian.
2021-11-04 09:28:40 +13:00
Brennan Kinney 936e5d2416
tests(chore): Adjust supported FQDNs in test certs + add wildcard and acme.json configs (#2284)
These files will replace the existing `test/config/letsencrypt` content which has some random provisioned FQDN for letsencrypt that doesn't match the FQDN tested, `acme.json` files with FQDNs that don't match those certs FQDNs and changes to certs that won't expire until 2031. `test/config/letsencrypt` will be removed with the associated test update PR.

The changes amount to:

- Re-configuring the FQDN values that some certs were created for (_needed for flexibility in testing_).
- Adding an `*.example.test` wildcard (_both RSA and ECDSA_).
- Adding `acme.json` encoded versions (_traefik extraction support will use these instead_).
- Updated / new internal docs for maintainers of this content.

For more detailed information on those changes, please see the associated commit messages via the PR.
2021-11-03 20:25:25 +00:00
Brennan Kinney bdb35dd19a
chore: Refactor setup-stack.sh case SSL_TYPE=letsencrypt (#2278)
Mostly cleans up the code and documents it better, although there are some minor fixes for handling `SSL_DOMAIN` ENV and additional logging added for spotting issues related to it in future when troubleshooting.

Commits are scoped with context messages for easing review if necessary. Overview of changes:

Traefik specific:

- Logic extracted out into it's own function.
- Conditional reworked to assist with debugging.
- `SSL_DOMAIN` must not be empty when attempting to extract.
- Added additional notes.

`SSL_TYPE=letsencrypt` case:

- Revised top note block.
- Correct handling for `SSL_DOMAIN`.
- Removed some unnecessary nesting.
- Less repetitive error message for `LETSENCRYPT_DOMAIN`.
- Added use of panics where appropriate (kept `return 1` so failures still exit functionality early).
- Improved inline docs.
2021-11-03 09:12:33 +13:00
Casper ebb081c80f
Add missing SA variables (#2283) 2021-11-02 11:51:36 +01:00
Casper b117cd1423
Improve VIRUSMAILS_DELETE_DELAY usage (#2281) 2021-11-01 22:13:14 +01:00
Casper c7dec1e330
fix(listmailuser): Don't query quota, if ENABLE_QUOTAS is not 1
Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
2021-11-01 12:09:47 +01:00
github-actions[bot] 71082cb19e
docs(CONTRIBUTORS): update contributors (#2276)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2021-11-01 16:30:48 +13:00
Georg Lauterbach 537247031f
fix: Make Dovecot aware of basic aliases in userdb for quota support + Use correct hash scheme in passdb configuration (#2248)
Dovecot quota support would log auth failures when Postfix validated incoming mail to accept/reject and the `check_policy_service` for `quota-status` was queried with a recipient that was an account alias.

When Dovecot is not aware of the user account, it will not be able to check a quota and inform Postfix that everything is fine, Postfix will accept the mail and send it to Dovecot, where if the quota is exceeded will result in a bounce back to the sender. This is considered "backscatter" and can be abused by spammers forging the sender address which can get your server blacklisted.

The solution is to either disable quota support `ENABLE_QUOTAS=0`, or as a workaround, add dummy accounts to Dovecot userdb for aliases in `postfix-virtual.cf` (not `postfix-aliases.cf`), these dummy accounts will map to the real user account mailbox (real users are defined in `postfix-accounts.cf`).

The workaround is naive, in that we only check for basic 1-to-1 alias mapping to real accounts. This will still be an issue for aliases that map to another alias or multiple addresses (real or alias). Unfortunately Postfix will not expand aliases until accepting mail where this would be too late.

A better solution is to proxy the `check_policy_service` from Dovecot `quota-status` that Postfix queries in `main.cf:smtpd_recipient_restrictions`, however this requires a fair amount more of additional work and still requires an implementation to recursively query aliases for nested or multiple address mappings, which can then be forwarded to the `quota-status` service configured by Dovecot in `/etc/dovecot/conf.d/90-quota.conf`.

LDAP users are unaffected as quota support is not supported/implemented with `docker-mailserver` at this time, it is always considered disabled when using LDAP.

---

Additionally Dovecot configuration for `passdb` has been fixed to use the correct password hash scheme of `SHA512-CRYPT`. 

Co-authored-by: Casper <casperklein@users.noreply.github.com>
Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
2021-11-01 14:20:22 +13:00
Brennan Kinney 0c8c936c74
chore: Remove invalid config in Postfix master.cf (#2272)
This was all introduced by the original project author early on, no explanation for it.

- None of the paths they use as `argv` values exist.
- `uucp` doesn't seem relevant to the project. No justification for it, no issues or PRs in project history or codebase.

See associated PR for further details and linked resources.
2021-11-01 14:03:56 +13:00
Brennan Kinney 79617dcc40
fix: ONE_DIR=1 should keep correct permissions for spool-postfix (#2273)
GID of postfix(102) should not be set here. only GID is root(0) and postdrop(103). Ensure root(0) UID matches source location ownership too.
2021-11-01 10:23:00 +13:00
Brennan Kinney fb72f3ad52
ci(docs): Fail when build aborts from broken links (#2266)
Using `set -ex` will exit the script as soon as a non-zero exit code is returned, such as when the docker image fails building the docs due to `build --strict` catching broken links. This also removes the need for `|| exit` when changing directory.

This seems fine for a small script, but AFAIK an alternative fix is just adding `|| exit` to the end of the `docker run` command too? There appears to be advice [against adopting `-e` carelessly](http://mywiki.wooledge.org/BashFAQ/105), while others [encourage `-e`](http://redsymbol.net/articles/unofficial-bash-strict-mode/). I know that several maintainers here have preference towards `set -e` so I've kept the original PR solution.

Additionally:

- `-x` is used to improve command visibility when reviewing the workflow log output.
- `--name` isn't necessary, but was part of the original PR.
- I've chosen not to include `-o pipefail`, only because no pipes are used in this script.

* docs(fix): Fix broken links

* ci(docs): Added inline docs

Extra documentation context for maintainers to quickly grok what's going on.

* chore(docs): Minor typo fix by wernerfred

Added from their related PR by request.
2021-10-31 09:13:18 +13:00
Brennan Kinney 4515feb921
chore: Remove version key from docker-compose.yml (#2271) 2021-10-30 14:12:47 +02:00
Brennan Kinney bdcfe27482
docs(ssl): Add an FQDN section (#2268)
* docs(ssl): Adjust heading levels for provisioning sections

- Group provisioning sections under one heading level.
- Use `attr_list` syntax for headings to make the ToC sidebar entry less verbose.

* docs(ssl): Minor fixes

Typos, formatting.

* docs(ssl): Rephrase Traefik wildcard support

Split the line out into multiple with better phrasing.

* docs(ssl): Add FQDN section

We briefly mention the same info twice on the docs page, but as it applies to all provisioners in general, it's been given it's own detailed section with examples.

Single section to inform users about an FQDN, how it's configured and understood by `docker-mailserver` for both Docker CLI and `docker-compose.yml` variations.

Adds note about wildcard support and bare domains to clear up any confusion configuring FQDN for these two.

Additional note about Certbot using symlinks for it's cert storage.

* chore: Add FQDN comment for `docker-compose.yml` example config
2021-10-31 00:12:39 +13:00
Brennan Kinney 9afaa54f5d
ci(tests): Add timing measurement to output (#2269) 2021-10-30 23:57:21 +13:00
Brennan Kinney d9e8accf5f
chore: Housekeeping on the 'open-dkim' script (#2267) 2021-10-30 10:10:32 +00:00
2b ed562a7057
docs(fail2ban): Add info about running in rootless containers (#2252)
Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
2021-10-30 21:56:32 +13:00
Frederic Werner ced1a27a88
docs(deps): bump mkdocs-material to 7.3.5 (#2265) 2021-10-30 15:10:24 +13:00
dependabot[bot] 45e8a7ed80
chore(deps): bump docker/metadata-action from 3.5.0 to 3.6.0 (#2258) 2021-10-26 12:08:19 +02:00
Frederic Werner ab57bca0f0
fix: dependabot config (#2259)
- removing labels that are not available anymore (https://github.com/docker-mailserver/docker-mailserver/pull/2258#issuecomment-950853432)
- updating reviewers name due to name change
2021-10-26 09:59:47 +02:00
Casper 34ba3c2a5b
Add warnings when Amavis is disabled. (#2251)
Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
2021-10-17 16:18:56 +00:00
Frederic Werner ec6cc3c032
docs(deps): bump mkdocs-material to 7.3.2 (#2244)
* docs(deps): bump mkdocs-material to 7.3.3

Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
2021-10-17 23:50:02 +13:00
Frugan 0cebfde414
Fixed KeyTable refile in opendkim.conf https://serverfault.com/a/861701/377751 (#2249) 2021-10-16 19:04:51 +02:00
Casper 50e629abd0
fix(setup.sh): Add legacy config path check (#2250) 2021-10-16 11:27:17 +02:00
Casper fb77d3f721
Make issue template slimmer (#2246)
Co-authored-by: Frederic Werner <20406381+wernerfred@users.noreply.github.com>
2021-10-12 23:19:24 +02:00
Georg Lauterbach 0a3f954390
release: version v10.2.0 (#2217)
Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
2021-10-07 10:44:07 +02:00
Casper cd7677b6f0
Fix quote mistake made in #2236 (#2237) 2021-10-04 08:46:33 +13:00
Georg Lauterbach 972c9b44d6
Update README to reflect changes of v10.2.0 (#2234)
Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
Co-authored-by: Casper <casperklein@users.noreply.github.com>
2021-10-03 15:29:44 +02:00
Casper 61973f731c
Relaxed error handling (#2233) 2021-10-03 12:48:43 +00:00
Amin Vakil a83363a239
Make it compatible with docker compose 2.x (#2236)
Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
Co-authored-by: Casper <casperklein@users.noreply.github.com>
2021-10-03 13:09:42 +02:00
Casper 5cb1815972
Disable name resolution in iptables check (#2235) 2021-10-03 12:41:35 +02:00
Casper e4eca00b25
Run contributors workflow monthly 2021-09-30 06:49:53 +00:00
github-actions[bot] 0fd425d0de
chore: Update CONTRIBUTORS.md (#2228) 2021-09-30 16:16:05 +13:00
Casper 231af0f26d
Fix contributor workflow (#2226) 2021-09-30 00:32:45 +02:00
Brennan Kinney 7b4ce69c3f
ci: Fix lint check status update (#2224)
* ci: Fix lint check status update

The lint workflow is not important for this PR, but a fixed requirement to pass for merging.

As this workflow is triggered by `schedule` or `workflow_dispatch`, it will not trigger other events such as `pull_request` for other workflows to respond to.

Since the linting workflow is not important for this type of PR, we can pretend it was "skipped" and set the check status to "success". This is simpler than running the actual Lint workflow redundantly.

* ci: Remove workflow_run approach

This didn't work out, reverting.
2021-09-29 09:13:58 +13:00
Casper f2c4712c4f
Streamline workflow step seperation (#2222)
* streamline workflow step separation

* doh!

Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
2021-09-28 12:37:54 +02:00
dborowy 5966623b1a
Fix typo in docker-compose.yml (#2221)
Leaving the "/" after ":ro" throws out an error when using docker-compose
2021-09-28 00:35:45 +00:00
Brennan Kinney cb6fbf3c58
ci: Allow other workflows to trigger linting (#2220)
This should resolve the issue of the lint workflow not being triggered by PRs opened via another workflow (`contributors.yml`).

This workflow will be triggered after the dependent workflow completes (regardless of status).
2021-09-28 00:49:22 +02:00
Michael Jensen 88a1619dd5
document pre-docker build command (#2164)
Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
2021-09-27 09:01:41 +02:00
Brennan Kinney b86645fbe5
docs: Revise basic-install.md (#2210)
This was a community contributed guide from the Github Wiki prior to docs migration. I've rewritten it by restructuring the content, introducing numerical steps and revising some of the content, while removing third-party software that was unnecessary (the original authors and content related to their use-case, Moodle).

See the PR for further details and reference links regarding the original documents history.

The PR provides improved diff via separate commits scoping changes at the correct change bounds, unfortunately the full diff doesn't align to those boundaries well making it more difficult to review vs individual commits.
2021-09-27 12:46:46 +13:00