Commit graph

2103 commits

Author SHA1 Message Date
Brennan Kinney 598aee166c
refactor: Revised relay.sh helper (#2604)
* chore: Make `_populate_relayhost_map` easier to grok

Changes to `sed` handling that made it quicker to grok, and thus easier for maintainers like myself:
- Switched regex to [extended regex](https://www.gnu.org/software/sed/manual/html_node/Extended-regexps.html).
- Extracted `sed` patterns to be self-descriptive local vars.
- Used a function to reduce noise from intent of loop input (each line as `DOMAIN_PART`).

Input for the loop is filtered through `sort -u` to drop duplicates, reducing iterations.
 
`DOMAIN` loop var renamed to less vague `DOMAIN_PART`. Additional comment in the containing method clarifies what the domain part refers to.

---

`|` regexp syntax needed to be escaped due to switch. Not documented in the earlier link. `-r`/`-E` (ERE) aka extended regexp syntax is [detailed here](https://learnbyexample.github.io/learn_gnused/breere-regular-expressions.html#cheatsheet-and-summary).

* chore: Drop unnecessary postfix parameters

`smtp_tls_note_starttls_offer = yes` - Only adds a log entry to let you know when an unencrypted connection was made, but STARTTLS was offered:
https://www.postfix.org/postconf.5.html#smtp_tls_note_starttls_offer

`smtp_tls_CAfile` is unnecessary. This was added before `smtp_tls_CApath = /etc/ssl/certs` was several months later via a separate PR.

* chore: Move `smtp_` parameters to relevant sections

These have been shifted to relevant logic for now.

---

NOTE: `SASL_PASSWD` previously needed to define `RELAY_HOST` to set `smtp_sasl_password_maps` to enable the `/etc/postfix/sasl_passwd` table. This change now additionally blocks early on in `_relayhost_sasl`. Not likely important due to `RELAY_HOST` logic, user should be using the `RELAY_USER` + `RELAY_PASSWORD` ENV or `postfix-sasl-password.cf` instead.

Especially the sender dependent parameters which are only relevant with user provided configs really.

`SASL_PASSWD` is the oldest ENV for relay support before any other relay feature arrived. It is poorly documented and should not be used.

Potential breakage risk considered acceptable.

* chore: Revise inline docs

Further clarifying current processing logic and adding some additional notes for future work.

* chore: Use a common ENV relay-host getter

The mapping should be in sync between the two configs.

I also wanted to raise awareness of current state of support, which will likely need some refactoring.

This also removes the need for the `RELAY_PORT` fallback method.

The log message was adjusted as configuration is potentially for more than one relay host beyond the currently required ENV config to enable support.

---

NOTE: The ENV `DEFAULT_RELAY_HOST` skips modifying the default transport for an authenticated relay (locked behind `RELAY_HOST` to activate). It presently will only relay mail through a relay host on port 25 instead of delivering directly to the destination. A separate use-case.

* chore: Revise config examples

More verbose example configs with expanded documentation.

Additional doc references for SASL support and cautioning maintainers that may reference popular relay service providers docs. May later be migrated to a "maintainers" section in official docs and link to that.

Brief overview description of what `_populate_relayhost_map` is doing.

* chore: Add notes pertaining to future work

`_populate_relayhost_map` will get some refactoring in future and likely introduce some breaking changes for a future major release.

* chore: Better document relay support inline

This helper now includes a description of it's purpose, links to relevant user docs and supported `setup.sh` commands.

Intent is to keep a maintainer of the feature aware of anything relevant to this feature.
2022-06-05 11:27:15 +12:00
Casper 9a739113f4
chore: Migrate SASLAUTHD_* vars into start-mailserver.sh (#2562) 2022-06-04 19:28:13 +00:00
github-actions[bot] 4e3e16189c
docs(CONTRIBUTORS): update contributors (#2612)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2022-06-03 14:24:08 +12:00
Brennan Kinney 3b4f44e837
tests(fix): Adjust for local testing conditions (#2606)
* tests(fix): Increase some timeouts

Running tests locally via a VM these tests would fail sometimes due to the time from being queued and Amavis actually processing being roughly around 30 seconds.

There should be no harm in raising this to 60 seconds, other than delaying a failure case which will ripple through other time sensitive tests.

It's better to pass when functionality is actually correct but just needs a bit longer to complete.



* tests(fix): Don't setup an invalid hostname

During container startup `helpers/dns.sh` would panic with `hostname -f` failing.

Dropping `--domainname` for this container is fine and does not affect the point of it's test.

---

It's unclear why this does not occur in CI. Possibly changes within the docker daemon since as CI runs docker on Ubuntu 20.04? (2020).

For clarity, this may be equivalent to setting a hostname of `domain.com.domain.com`, or `--hostname` value truncated the NIS domain (`--domainname`) of the same value.

IIRC, it would still fail with both options using different values if `--hostname` was multi-label. I believe I've documented how non-deterministic these options can be across different environments.

`--hostname` should be preferred. There doesn't seem to be any reason to actually need `--domainname` (which is NIS domain name, unrelated to the DNS domain name). We still need to properly investigate reworking our ENV support that `dns.sh` manages.

---

Containers were also not removing themselves after failures either (missing teardown). Which would cause problems when running tests again.



* chore: Normalize white-space

Sets a consistent indent size of 2 spaces. Previously this varied a fair bit, sometimes with tabs or mixed tabs and spaces.

Some formatting with blank lines.

Easier to review with white-space in diff ignored. Some minor edits besides blank lines, but no change in functionality.



* fix: `setup.sh` target container under test

Some of the `setup.sh` commands did not specify the container which was problematic if another `docker-mailserver` container was running, causing test failures.

This probably doesn't help with `test/no_container.bats`, but at least prevents `test/tests.bats` failing at this point.
2022-05-30 12:53:30 +12:00
Georg Lauterbach 05e45c349a
scripts: fix error message caused by grep on first starts (#2591)
Co-authored-by: Casper <casperklein@users.noreply.github.com>
2022-05-28 20:59:31 +02:00
pyy 0d30b92a83
documentation: DOCKER_HOST missing unix:// (#2595) 2022-05-18 12:18:38 +02:00
Georg Lauterbach b7e5d42e09
scripts: more consistency in start-mailserver.sh (#2587)
* consistently name functions (starting with `_`) in `start-mailserver.sh`

Most of the functions that execute the different stacks during startup
were not prefixed with `_`, but all our other functions are. This has
now been fixed.

* cleanup in `start-mailserver.sh`

I adjusted the comments for all sections in the start script so they are
properly displayed again.
2022-05-15 23:37:21 +02:00
Maximilian Hippler 777d4a8cb7
scripts: loglevel warning message fix (#2588)
Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
2022-05-13 10:50:45 +02:00
pyy 0b909b2a32
documentation: DOCKER_HOST missing unix:// (#2589) 2022-05-13 09:46:54 +02:00
Naveen 13a194466b
chore: Set permissions for GitHub actions (#2555)
* chore: Set permissions for GitHub actions

 Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much.

- Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions

https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions

https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs

[Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>

* Update docs-production-deploy.yml

* added `packages: write` permissions

this is apparently needed by GH so this repository can push new images.

Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
Co-authored-by: Casper <casperklein@users.noreply.github.com>
2022-05-11 09:51:15 +02:00
dependabot[bot] 28dfb1bd00
chore(deps): Bump docker/setup-qemu-action from 1.2.0 to 2.0.0 (#2580)
Bumps [docker/setup-qemu-action](https://github.com/docker/setup-qemu-action) from 1.2.0 to 2.0.0.
- [Release notes](https://github.com/docker/setup-qemu-action/releases)
- [Commits](https://github.com/docker/setup-qemu-action/compare/v1.2.0...v2.0.0)

---
updated-dependencies:
- dependency-name: docker/setup-qemu-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
2022-05-10 18:07:49 +02:00
Casper 372e3fe35e
Use color variables instead of escape codes (#2565) 2022-05-10 17:50:33 +02:00
dependabot[bot] 66949604a2
chore(deps): Bump docker/login-action from 1.14.1 to 2.0.0 (#2584)
Bumps [docker/login-action](https://github.com/docker/login-action) from 1.14.1 to 2.0.0.
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](https://github.com/docker/login-action/compare/v1.14.1...v2.0.0)

---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
2022-05-10 08:46:44 +02:00
dependabot[bot] fc454b62ba
chore(deps): Bump docker/metadata-action from 3.8.0 to 4.0.1 (#2581)
Bumps [docker/metadata-action](https://github.com/docker/metadata-action) from 3.8.0 to 4.0.1.
- [Release notes](https://github.com/docker/metadata-action/releases)
- [Upgrade guide](https://github.com/docker/metadata-action/blob/master/UPGRADE.md)
- [Commits](https://github.com/docker/metadata-action/compare/v3.8.0...v4.0.1)

---
updated-dependencies:
- dependency-name: docker/metadata-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
2022-05-10 08:45:36 +02:00
dependabot[bot] 18f697970f
chore(deps): Bump docker/build-push-action from 2.10.0 to 3.0.0 (#2582)
Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 2.10.0 to 3.0.0.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](https://github.com/docker/build-push-action/compare/v2.10.0...v3.0.0)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
2022-05-10 08:43:00 +02:00
dependabot[bot] a7c02365ce
chore(deps): Bump docker/setup-buildx-action from 1.7.0 to 2.0.0 (#2583)
Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 1.7.0 to 2.0.0.
- [Release notes](https://github.com/docker/setup-buildx-action/releases)
- [Commits](https://github.com/docker/setup-buildx-action/compare/v1.7.0...v2.0.0)

---
updated-dependencies:
- dependency-name: docker/setup-buildx-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-05-10 08:32:18 +02:00
Andrew Cornford 2f3cbfc144
feat: Support for Dovecot master accounts (#2535)
Dovecot master accounts can now be configured in DMS via `setup.sh`.
A master account is useful for administration purposes, or to perform mailbox backups of every user account over IMAP.
Upstream Docs: https://doc.dovecot.org/configuration_manual/authentication/master_users/

Co-authored-by: Casper <casperklein@users.noreply.github.com>
Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
2022-05-08 00:28:32 +02:00
Casper 2977cb6962
Streamline 'printf' usage and consequently use a format string (#2564) 2022-05-05 17:48:21 +02:00
Casper 18acd7860b
Run sedfile tests in container (#2569) 2022-05-05 12:58:00 +02:00
Casper 628e902233
Remove unnecessary quotes from command substitutions (#2561) 2022-05-05 10:28:38 +02:00
github-actions[bot] b4c49d272f
docs(CONTRIBUTORS): update contributors (#2570)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
2022-05-03 13:00:59 +02:00
dependabot[bot] 94fff05424
chore(deps): Bump docker/setup-buildx-action from 1.6.0 to 1.7.0 (#2574)
Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 1.6.0 to 1.7.0.
- [Release notes](https://github.com/docker/setup-buildx-action/releases)
- [Commits](https://github.com/docker/setup-buildx-action/compare/v1.6.0...v1.7.0)

---
updated-dependencies:
- dependency-name: docker/setup-buildx-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
2022-05-02 15:52:19 +02:00
dependabot[bot] 25678694b5
chore(deps): Bump docker/metadata-action from 3.7.0 to 3.8.0 (#2573)
Bumps [docker/metadata-action](https://github.com/docker/metadata-action) from 3.7.0 to 3.8.0.
- [Release notes](https://github.com/docker/metadata-action/releases)
- [Commits](https://github.com/docker/metadata-action/compare/v3.7.0...v3.8.0)

---
updated-dependencies:
- dependency-name: docker/metadata-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-05-02 15:24:58 +02:00
Casper 32fba30bbc
Don't issue warning when DKIM is not used (#2563) 2022-04-29 19:03:16 +02:00
Georg Lauterbach 49a337ccfa
release: v11.0.0 (#2537)
Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
Co-authored-by: Casper <casperklein@users.noreply.github.com>
2022-04-27 17:39:18 +02:00
ontheair81 377bdb390e
docs: Update FAQ (#2558)
Removed typo "logs".
Removed warning that Docker volumes are strongly recommended, as this can lead new users in the wrong direction (bind mounts are now the default).
Altering line 8, mentioning the default of bind mounts.
2022-04-21 10:11:38 +12:00
Brennan Kinney 182b71d33f
chore: Drop setup.sh DATABASE fallback ENV (#2556)
* chore: Remove `DATABASE` fallback ENV

This was introduced without any mention or need, thus removing until a real use-case requires it.

* chore: Remove `USER_DATABASE` fallback ENV

Likewise, nothing requires this to be customizable.

* chore: Consistently use single quote strings
2022-04-20 12:29:28 +12:00
Casper cbcc3823d3
Fix changedetector restart loop (#2548)
* only restart changedetector, if exit is unexpected.

* prevent supervisord from restarting changedetector on error --> endless loop

* add quotes
2022-04-19 21:09:25 +02:00
Casper de61d42e68
Add ban feature to fail2ban script (#2538) 2022-04-19 08:44:51 +00:00
Brennan Kinney 9aaf15b38f
chore: (setup-stack.sh) Fix a small typo (#2552) 2022-04-19 12:53:45 +12:00
Casper 80dd91ae62
Dockerfile: Remove not needed ENVs and add comment (#2541) 2022-04-18 18:09:06 +02:00
Casper ee0c088b1f
setup.sh/setup: show usage when no argument is given (#2540) 2022-04-18 15:28:12 +02:00
Brennan Kinney 1b1877f025
refactor: letsencrypt implicit location discovery (#2525)
* chore: Extract letsencrypt logic into methods

This allows other scripts to share the functionality to discover the correct letsencrypt folder from the 3 possible locations (where specific order is important).

As these methods should now return a string value, the `return 1` after a panic is now dropped.

* chore: Update comments

The todo is resolved with this PR, `_setup_ssl` will be called by both cert conditional statements with purpose for each better documented to maintainers at the start of the logic block.

* refactor: Defer most logic to helper/ssl.sh

The loop is no longer required, extraction is delegated to `_setup_ssl` now.

For the change event prevention, we retrieve the relevant FQDN via the new helper method, beyond that it's just indentation diff.

`check-for-changes.sh` adjusted to allow locally scoped var declarations by wrapping a function. Presently no loop control flow is needed so this seems fine. Made it clear that `CHANGED` is local and `CHKSUM_FILE` is not.

Panic scope doesn't require `SSL_TYPE` for context, it's clearly`letsencrypt`.

* fix: Correctly match wildcard results

Now that the service configs are properly updated, when the services restart they will return a cert with the SAN `DNS:*.example.test`,  which is valid for `mail.example.test`, however the test function did not properly account for this in the regexp query.

Resolved by truncating the left-most DNS label from FQDN and adding a third check to match a returned wildcard DNS result.

Extracted out the common logic to create the regexp query and renamed the methods to communicate more clearly that they check the FQDN is supported, not necessarily explicitly listed by the cert.

* tests(letsencrypt): Enable remaining tests

These will now pass. Adjusted comments accordingly.

Added an additional test on a fake FQDN that should still be valid to a wildcard cert (SNI validation in a proper setup would reject the connection afterwards).

Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
2022-04-18 22:52:50 +12:00
Georg Lauterbach 412f675bfe
setup: added grace period for account creation (#2531) 2022-04-18 10:48:48 +02:00
dependabot[bot] 3cb5668b6f
chore(deps): Bump docker/metadata-action from 3.6.2 to 3.7.0 (#2543) 2022-04-11 21:30:15 +02:00
dependabot[bot] f3fe454b43
chore(deps): Bump actions/upload-artifact from 2 to 3 (#2542) 2022-04-11 16:19:53 +02:00
dependabot[bot] 6553f627e8
chore(deps): Bump actions/stale from 4 to 5 (#2544)
Bumps [actions/stale](https://github.com/actions/stale) from 4 to 5.
- [Release notes](https://github.com/actions/stale/releases)
- [Changelog](https://github.com/actions/stale/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/stale/compare/v4...v5)

---
updated-dependencies:
- dependency-name: actions/stale
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-04-11 15:29:38 +02:00
Georg Lauterbach a1726dc45a
scripts: added TZ environment variable to set timezone (#2530) 2022-04-06 16:48:41 +02:00
Georg Lauterbach b1594a8b1c
log/scripts: introduce proper log level fallback and env getter function (#2506)
This PR does two small things:

1. The log level, in case it is unset, will now be "calculated" from
   `/etc/dms-settings` and not always default to `info`. This way, we
   can ensure that more often than not, the log level the user chose
   when starting DMS is used everywhere.
2. I noticed that the way I obtained the log level could be used to
   obtain any env variable's log level. I therefore added a function to
   `utils.sh` in case we use it in the future.
2022-04-05 17:10:01 +02:00
Georg Lauterbach c7b16a599c
log: adjust level and message(s) slightly for four messages (#2532)
Co-authored-by: Casper <casperklein@users.noreply.github.com>
2022-04-05 16:21:07 +02:00
Georg Lauterbach a9305a073f
firewall: replace iptables with nftables (#2505)
* first adjustments to use Fail2Ban with nftables

* replace `iptables` -> `nftables` and adjust tests

nftables lists IPs a bit differently , so the order was adjusted for the
tests to be more flexible.

* line correction in mailserver.env

* change from `.conf` -> `.local` and remove redundant config

* revert HEREDOC to `echo`

Co-authored-by: Casper <casperklein@users.noreply.github.com>
2022-04-05 15:13:59 +02:00
dependabot[bot] 7c150402a0
chore(deps): Bump peterjgrainger/action-create-branch (#2528)
Bumps [peterjgrainger/action-create-branch](https://github.com/peterjgrainger/action-create-branch) from 2.1.0 to 2.2.0.
- [Release notes](https://github.com/peterjgrainger/action-create-branch/releases)
- [Commits](https://github.com/peterjgrainger/action-create-branch/compare/v2.1.0...v2.2.0)

---
updated-dependencies:
- dependency-name: peterjgrainger/action-create-branch
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-04-05 10:43:58 +12:00
Georg Lauterbach 21c218ac68
scripts: remove DMS_DEBUG (#2523)
* remove DMS_DEBUG from tests
* remove DMS_DEBUG from doc and scripts
* updated issue template
* re-add description about removal of DMS_DEBUG
2022-04-03 13:29:10 +02:00
Georg Lauterbach 35fb744ffb
scripts: refactored check-for-changes.sh (#2498)
* refactored `check-for-changes.sh`

I refactored `check-for-changes.sh` and used the new log. `_notify` can
therefore be deleted as it is used no more.
I opted to source `/etc/dms-settings` as a whole to
future-proof the script. When the DNS adjustments PRs (that do not exist
by now but will exit in the future) are done, we can then remove
`_obtain_hostname_and_domainname` because we're already writing the
variables to `/etc/dms-settings`. I left instructions in the script in
the form of TODO comments.

Because we now log the date for all messages of the changedetector, we
need to `tail` a bit more log than before.
2022-04-02 19:39:15 +02:00
Georg Lauterbach d651f3bd93
create .github/FUNDING.yml (#2512) 2022-04-02 15:56:29 +02:00
Georg Lauterbach a1ecd781c8
scripts: introduce _log to sedfile (#2507) 2022-04-02 15:52:30 +02:00
Ikko Ashimine 05f680b472
fix: typo in setup-stack.sh (#2521) 2022-04-02 10:41:46 +02:00
Georg Lauterbach 04e452a1ee
tests: disabled "quota exceeded" test (#2511)
* disabled unreliable test

The "quota exceeded" test is unreliable and failed too often lately for
my taste. Therefore, I'd like to disable it because there is no use in
having such a test.

* corrected PR id in URL
2022-04-02 10:13:34 +02:00
github-actions[bot] aeb8cc1900
docs(CONTRIBUTORS): update contributors (#2517) 2022-04-01 19:32:36 +02:00
Georg Lauterbach 2707474361
add compatibility for Bash 4 to setup.sh (#2519)
The command `shopt -s inherit_errexit` does not work in Bash < v4.4. This is now fixed.
2022-04-01 19:10:39 +02:00