Commit graph

2533 commits

Author SHA1 Message Date
Brennan Kinney 917f0f6a9c
fix: Monitor for changes in supported letsencrypt locations (#2279)
Previously we only monitored for `$HOSTNAME` in `/etc/letsencrypt/live` and only for hard-coded `.pem` filenames.

This ensures we check the locations of other locations that may not match `$HOSTNAME`, which we also support. Ideally in future at least the directory to look in would be better known in advance..
2021-11-05 12:08:57 +13:00
Brennan Kinney b1a74bd47a
tests(feat): Refactor test_helper/common.bash common_container methods (#2275)
These are improvements for better supporting the requirements of other tests.

- Opted for passing an array reference instead of an ENV file. This seems to be a better approach and supports more than just ENV changes.
- Likewise, shifted to a `create` + `start` approach, instead of `docker run` for added flexibility.
- Using `TEST_TMP_CONFIG` instead of `PRIVATE_CONFIG` to make the difference in usage with config volume in tests more clear.
- Changed the config volume from read-only volume mount to be read-write instead, which seems required for other tests.
- Added notes about logged failures from a read-only config volume during container startup.
- Added `TEST_CA_CERT` as a default CA cert path for the test files volume. This can be used by default by openssl methods.
2021-11-05 09:35:01 +13:00
Frederic Werner a0bd2c6df9
docs(deps): bump mkdocs-material to 7.3.6 (#2287) 2021-11-05 09:03:12 +13:00
Brennan Kinney e807631a76
refactor: acme.json extraction (#2274)
Split into scoped commits with messages if further details are needed, view those via the associated PR :)

**Commit Summary:**

**`check-for-changes.sh`**

- Prevent `SSL_DOMAIN` silently skipping when value has wildcard prefix `*.` (_at least this was known as a bugfix when originally committed in linked PR_).
- Improved inlined docs for maintainers.
- Additional logging for debugging.

**`helper-functions.sh:_extract_certs_from_acme`**:

- Fail if the input arg (_`$CERT_DOMAIN`, aka the FQDN_) provided for extraction is empty.
- Use `$CERT_DOMAIN` in place of `$HOSTNAME` and `$1` for a consistent value (_previously could mismatch, eg with `SSL_DOMAIN` defined_).
- The conditional is now only for handling extraction failure (_key or cert value is missing from extraction_).
- Log an actual warning or success (debug) based on outcome.
- Don't use `SSL_DOMAIN` with wildcard value for the `mkdir` letsencrypt directory name (_wildcard prefix `*.` is first stripped instead_).

**`acme_extract`** (_new python utility for `acme.json` handling_):

- Extracted out into a python script that can be treated as a utility in the `$PATH` like other helper scripts. It can now be used and optionally tested directly instead of via `helper-functions.sh`.
-Made compatible with Python 3, as Python 2 is EOL and no longer in newer versions of Debian.
2021-11-04 09:28:40 +13:00
Brennan Kinney 936e5d2416
tests(chore): Adjust supported FQDNs in test certs + add wildcard and acme.json configs (#2284)
These files will replace the existing `test/config/letsencrypt` content which has some random provisioned FQDN for letsencrypt that doesn't match the FQDN tested, `acme.json` files with FQDNs that don't match those certs FQDNs and changes to certs that won't expire until 2031. `test/config/letsencrypt` will be removed with the associated test update PR.

The changes amount to:

- Re-configuring the FQDN values that some certs were created for (_needed for flexibility in testing_).
- Adding an `*.example.test` wildcard (_both RSA and ECDSA_).
- Adding `acme.json` encoded versions (_traefik extraction support will use these instead_).
- Updated / new internal docs for maintainers of this content.

For more detailed information on those changes, please see the associated commit messages via the PR.
2021-11-03 20:25:25 +00:00
Brennan Kinney bdb35dd19a
chore: Refactor setup-stack.sh case SSL_TYPE=letsencrypt (#2278)
Mostly cleans up the code and documents it better, although there are some minor fixes for handling `SSL_DOMAIN` ENV and additional logging added for spotting issues related to it in future when troubleshooting.

Commits are scoped with context messages for easing review if necessary. Overview of changes:

Traefik specific:

- Logic extracted out into it's own function.
- Conditional reworked to assist with debugging.
- `SSL_DOMAIN` must not be empty when attempting to extract.
- Added additional notes.

`SSL_TYPE=letsencrypt` case:

- Revised top note block.
- Correct handling for `SSL_DOMAIN`.
- Removed some unnecessary nesting.
- Less repetitive error message for `LETSENCRYPT_DOMAIN`.
- Added use of panics where appropriate (kept `return 1` so failures still exit functionality early).
- Improved inline docs.
2021-11-03 09:12:33 +13:00
Casper ebb081c80f
Add missing SA variables (#2283) 2021-11-02 11:51:36 +01:00
Casper b117cd1423
Improve VIRUSMAILS_DELETE_DELAY usage (#2281) 2021-11-01 22:13:14 +01:00
Casper c7dec1e330
fix(listmailuser): Don't query quota, if ENABLE_QUOTAS is not 1
Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
2021-11-01 12:09:47 +01:00
github-actions[bot] 71082cb19e
docs(CONTRIBUTORS): update contributors (#2276)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2021-11-01 16:30:48 +13:00
Georg Lauterbach 537247031f
fix: Make Dovecot aware of basic aliases in userdb for quota support + Use correct hash scheme in passdb configuration (#2248)
Dovecot quota support would log auth failures when Postfix validated incoming mail to accept/reject and the `check_policy_service` for `quota-status` was queried with a recipient that was an account alias.

When Dovecot is not aware of the user account, it will not be able to check a quota and inform Postfix that everything is fine, Postfix will accept the mail and send it to Dovecot, where if the quota is exceeded will result in a bounce back to the sender. This is considered "backscatter" and can be abused by spammers forging the sender address which can get your server blacklisted.

The solution is to either disable quota support `ENABLE_QUOTAS=0`, or as a workaround, add dummy accounts to Dovecot userdb for aliases in `postfix-virtual.cf` (not `postfix-aliases.cf`), these dummy accounts will map to the real user account mailbox (real users are defined in `postfix-accounts.cf`).

The workaround is naive, in that we only check for basic 1-to-1 alias mapping to real accounts. This will still be an issue for aliases that map to another alias or multiple addresses (real or alias). Unfortunately Postfix will not expand aliases until accepting mail where this would be too late.

A better solution is to proxy the `check_policy_service` from Dovecot `quota-status` that Postfix queries in `main.cf:smtpd_recipient_restrictions`, however this requires a fair amount more of additional work and still requires an implementation to recursively query aliases for nested or multiple address mappings, which can then be forwarded to the `quota-status` service configured by Dovecot in `/etc/dovecot/conf.d/90-quota.conf`.

LDAP users are unaffected as quota support is not supported/implemented with `docker-mailserver` at this time, it is always considered disabled when using LDAP.

---

Additionally Dovecot configuration for `passdb` has been fixed to use the correct password hash scheme of `SHA512-CRYPT`. 

Co-authored-by: Casper <casperklein@users.noreply.github.com>
Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
2021-11-01 14:20:22 +13:00
Brennan Kinney 0c8c936c74
chore: Remove invalid config in Postfix master.cf (#2272)
This was all introduced by the original project author early on, no explanation for it.

- None of the paths they use as `argv` values exist.
- `uucp` doesn't seem relevant to the project. No justification for it, no issues or PRs in project history or codebase.

See associated PR for further details and linked resources.
2021-11-01 14:03:56 +13:00
Brennan Kinney 79617dcc40
fix: ONE_DIR=1 should keep correct permissions for spool-postfix (#2273)
GID of postfix(102) should not be set here. only GID is root(0) and postdrop(103). Ensure root(0) UID matches source location ownership too.
2021-11-01 10:23:00 +13:00
Brennan Kinney fb72f3ad52
ci(docs): Fail when build aborts from broken links (#2266)
Using `set -ex` will exit the script as soon as a non-zero exit code is returned, such as when the docker image fails building the docs due to `build --strict` catching broken links. This also removes the need for `|| exit` when changing directory.

This seems fine for a small script, but AFAIK an alternative fix is just adding `|| exit` to the end of the `docker run` command too? There appears to be advice [against adopting `-e` carelessly](http://mywiki.wooledge.org/BashFAQ/105), while others [encourage `-e`](http://redsymbol.net/articles/unofficial-bash-strict-mode/). I know that several maintainers here have preference towards `set -e` so I've kept the original PR solution.

Additionally:

- `-x` is used to improve command visibility when reviewing the workflow log output.
- `--name` isn't necessary, but was part of the original PR.
- I've chosen not to include `-o pipefail`, only because no pipes are used in this script.

* docs(fix): Fix broken links

* ci(docs): Added inline docs

Extra documentation context for maintainers to quickly grok what's going on.

* chore(docs): Minor typo fix by wernerfred

Added from their related PR by request.
2021-10-31 09:13:18 +13:00
Brennan Kinney 4515feb921
chore: Remove version key from docker-compose.yml (#2271) 2021-10-30 14:12:47 +02:00
Brennan Kinney bdcfe27482
docs(ssl): Add an FQDN section (#2268)
* docs(ssl): Adjust heading levels for provisioning sections

- Group provisioning sections under one heading level.
- Use `attr_list` syntax for headings to make the ToC sidebar entry less verbose.

* docs(ssl): Minor fixes

Typos, formatting.

* docs(ssl): Rephrase Traefik wildcard support

Split the line out into multiple with better phrasing.

* docs(ssl): Add FQDN section

We briefly mention the same info twice on the docs page, but as it applies to all provisioners in general, it's been given it's own detailed section with examples.

Single section to inform users about an FQDN, how it's configured and understood by `docker-mailserver` for both Docker CLI and `docker-compose.yml` variations.

Adds note about wildcard support and bare domains to clear up any confusion configuring FQDN for these two.

Additional note about Certbot using symlinks for it's cert storage.

* chore: Add FQDN comment for `docker-compose.yml` example config
2021-10-31 00:12:39 +13:00
Brennan Kinney 9afaa54f5d
ci(tests): Add timing measurement to output (#2269) 2021-10-30 23:57:21 +13:00
Brennan Kinney d9e8accf5f
chore: Housekeeping on the 'open-dkim' script (#2267) 2021-10-30 10:10:32 +00:00
2b ed562a7057
docs(fail2ban): Add info about running in rootless containers (#2252)
Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
2021-10-30 21:56:32 +13:00
Frederic Werner ced1a27a88
docs(deps): bump mkdocs-material to 7.3.5 (#2265) 2021-10-30 15:10:24 +13:00
dependabot[bot] 45e8a7ed80
chore(deps): bump docker/metadata-action from 3.5.0 to 3.6.0 (#2258) 2021-10-26 12:08:19 +02:00
Frederic Werner ab57bca0f0
fix: dependabot config (#2259)
- removing labels that are not available anymore (https://github.com/docker-mailserver/docker-mailserver/pull/2258#issuecomment-950853432)
- updating reviewers name due to name change
2021-10-26 09:59:47 +02:00
Casper 34ba3c2a5b
Add warnings when Amavis is disabled. (#2251)
Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
2021-10-17 16:18:56 +00:00
Frederic Werner ec6cc3c032
docs(deps): bump mkdocs-material to 7.3.2 (#2244)
* docs(deps): bump mkdocs-material to 7.3.3

Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
2021-10-17 23:50:02 +13:00
Frugan 0cebfde414
Fixed KeyTable refile in opendkim.conf https://serverfault.com/a/861701/377751 (#2249) 2021-10-16 19:04:51 +02:00
Casper 50e629abd0
fix(setup.sh): Add legacy config path check (#2250) 2021-10-16 11:27:17 +02:00
Casper fb77d3f721
Make issue template slimmer (#2246)
Co-authored-by: Frederic Werner <20406381+wernerfred@users.noreply.github.com>
2021-10-12 23:19:24 +02:00
Georg Lauterbach 0a3f954390
release: version v10.2.0 (#2217)
Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
2021-10-07 10:44:07 +02:00
Casper cd7677b6f0
Fix quote mistake made in #2236 (#2237) 2021-10-04 08:46:33 +13:00
Georg Lauterbach 972c9b44d6
Update README to reflect changes of v10.2.0 (#2234)
Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
Co-authored-by: Casper <casperklein@users.noreply.github.com>
2021-10-03 15:29:44 +02:00
Casper 61973f731c
Relaxed error handling (#2233) 2021-10-03 12:48:43 +00:00
Amin Vakil a83363a239
Make it compatible with docker compose 2.x (#2236)
Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
Co-authored-by: Casper <casperklein@users.noreply.github.com>
2021-10-03 13:09:42 +02:00
Casper 5cb1815972
Disable name resolution in iptables check (#2235) 2021-10-03 12:41:35 +02:00
Casper e4eca00b25
Run contributors workflow monthly 2021-09-30 06:49:53 +00:00
github-actions[bot] 0fd425d0de
chore: Update CONTRIBUTORS.md (#2228) 2021-09-30 16:16:05 +13:00
Casper 231af0f26d
Fix contributor workflow (#2226) 2021-09-30 00:32:45 +02:00
Brennan Kinney 7b4ce69c3f
ci: Fix lint check status update (#2224)
* ci: Fix lint check status update

The lint workflow is not important for this PR, but a fixed requirement to pass for merging.

As this workflow is triggered by `schedule` or `workflow_dispatch`, it will not trigger other events such as `pull_request` for other workflows to respond to.

Since the linting workflow is not important for this type of PR, we can pretend it was "skipped" and set the check status to "success". This is simpler than running the actual Lint workflow redundantly.

* ci: Remove workflow_run approach

This didn't work out, reverting.
2021-09-29 09:13:58 +13:00
Casper f2c4712c4f
Streamline workflow step seperation (#2222)
* streamline workflow step separation

* doh!

Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
2021-09-28 12:37:54 +02:00
dborowy 5966623b1a
Fix typo in docker-compose.yml (#2221)
Leaving the "/" after ":ro" throws out an error when using docker-compose
2021-09-28 00:35:45 +00:00
Brennan Kinney cb6fbf3c58
ci: Allow other workflows to trigger linting (#2220)
This should resolve the issue of the lint workflow not being triggered by PRs opened via another workflow (`contributors.yml`).

This workflow will be triggered after the dependent workflow completes (regardless of status).
2021-09-28 00:49:22 +02:00
Michael Jensen 88a1619dd5
document pre-docker build command (#2164)
Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
2021-09-27 09:01:41 +02:00
Brennan Kinney b86645fbe5
docs: Revise basic-install.md (#2210)
This was a community contributed guide from the Github Wiki prior to docs migration. I've rewritten it by restructuring the content, introducing numerical steps and revising some of the content, while removing third-party software that was unnecessary (the original authors and content related to their use-case, Moodle).

See the PR for further details and reference links regarding the original documents history.

The PR provides improved diff via separate commits scoping changes at the correct change bounds, unfortunately the full diff doesn't align to those boundaries well making it more difficult to review vs individual commits.
2021-09-27 12:46:46 +13:00
Brennan Kinney 4f91620a7f
docs: ssl.md - Revise letsencrypt section (#2209)
Below commit messages are roughly equivalent to what is listed on the PR. The PR provides additional linked resources for reference to support commit message statements.

---

* docs: Add CT log warning

- Added a warning to make users aware that using a public CA like _Let's Encrypt_ will publicly log information that may be somewhat sensitive, or undesirable to have historic records made public which cannot be redacted.

* docs: Revise the manual `certbot` guide

- The `letsencrypt` repo that was linked early in this guide now redirects to the [Certbot repo](https://github.com/certbot/certbot).

- More explicit volume mount instruction for CertBot; the local location was a tad vague.

- Better clarified `/etc/letsencrypt/live` contents structure, as well as FQDN info. Removed the misleading `fqdn:` from `docker-compose.yml` example snippet.

* docs: Revise certbot with Docker guide

- General rewrite of the Docker Certbot section with additional tips (_renewals with automation, and using a alternative CA_).

- Generalized tone and paths in content.

- Update volume mount paths to be consistent with recent normalization effort.

- Moved some instructions into inline-comments for script examples instead.

* docs: Revise Docker with `nginx-proxy` and `acme-companion`

- Break apart into individual steps, indenting content into the step as appropriate.

- Use normalized volume paths (`docker-data/<service>/` prefix).

- `letsencrypt-nginx-proxy-companion` has _changed project name to `acme-companion`_, and _transferred to new maintainers and the `nginx-proxy` organization_. This also affects the DockerHub image references.

- `acme-companion` has _switched from using `simp_le` to `acme.sh`_ for provisioning certificates. This requires mounting an additional volume for persisting provisioner state.

- The dummy container (_webmail_) is no longer `library/nginx`, just [`nginx`](https://hub.docker.com/_/nginx). This container also doesn't appear to be required. I've verified that the ENV can be given to the `mailserver` service container directly. Retained for now.

* docs: Revise Docker Compose with `nginx-proxy` and `acme-companion`

Heavy rewrite of this section. Like the previous commit mentions, this content was outdated. It has been simplified with improved documentation and reference links.

It also looks like there was a mistake in the existing config example as it uses the regular `nginx` image instead of `nginx-proxy`.

- The bulk of the `mailserver` service has been removed, users are advised to have an existing `docker-compose.yml` config for `docker-mailserver` and update only what is relevant to integrate with the cert provisioner.

- `DEBUG` is _false_ by default.

- The `networks:` portion of the example appears to be taken from upstream, _which that has since dropped it_. While we could continue to document this, I consider it more of an advanced config detail that we don't need to touch on in our docs.

- The `htpasswd` volume is unnecessary, only relevant if using _"Basic Authentication"_ to protect access to web service endpoints. `conf.d/` is also not required by default, it can be useful for the `standalone` mode (_documented as a `tip`_). Remaining volumes have inline-comments to document their purpose.

- `volumes_from:` is _not supported in v3 Compose format_, _only v2_ and the Docker CLI. I did not want to advise v2, so I've duplicated the volumes between the two containers instead. Internally `acme-companion` would rely on `volumes_from:` to identify the `nginx-proxy` container, it _provides alternative discovery methods_, the label is outdated and refers the legacy label (_their script logic is the same_); using the ENV `NGINX_PROXY_CONTAINER` seemed most appropriate and has been added.

- Upstream `acme-companion` docs only cover support for v2 Compose format. _There is a note regarding `nginx-proxy`_ having _volumes configured in it's Dockerfile_. Providing a volume for `/etc/nginx/dhparam` is required to avoid creating anonymous volumes each run of `nginx-proxy`. I've used a named data volume here to make it stick out more, it's not desirable and upstream should fix this, then we can drop it.

- I've also opted to only demonstrate the _Two Container (Basic) setup_ that upstream documents. Previously our docs have been showing _`docker-gen` with the Three Container (Advanced) setup_, which allows for not having the Docker API socket attached as a volume to a container exposed to the web. This reduces the security a bit, and I have not mentioned that on our docs. I could caution the reader with a link to upstream about the risk, but I don't think we should maintain the `docker-gen` setup.

* docs(fix): Update anchor links

These mismatched the current section headers they were meant to link to.
2021-09-27 12:40:54 +13:00
Casper dd33567ec9
Small setup.sh improvements (#2215) 2021-09-26 10:41:01 +02:00
Casper 054ee5bd09
Update "error tracing" doc (#2216) 2021-09-26 10:37:50 +02:00
Casper 23b8523ee3
Update contributor workflow 2021-09-26 10:36:17 +02:00
github-actions[bot] 712bf4a42e
docs(CONTRIBUTORS): update contributors (#2213)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2021-09-26 08:27:46 +13:00
Casper f03fed12a6
Update contributor workflow (#2212)
* Make a PR instead of trying to directly commit to master branch

* add version
2021-09-25 14:49:00 +02:00
Casper c7e9dd2bad
function _defunc removed (#2199)
* function _defunc removed

* _shutdown is better than just notify in that cases

* PANIC_TYPE 'fail-init' introduced

Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
2021-09-23 19:49:07 +02:00
Frederic Werner 6715e0bba9
docs(deps): bump mkdocs-material to 7.3.0 (#2207) 2021-09-23 13:37:17 +02:00