Commit graph

1197 commits

Author SHA1 Message Date
polarathene 75aefa3bdf chore: Consistent sed substitution delimiter
My `~` substitution and any usage of `/` within `start-mailserver.sh` has been replaced with the `|` delimiter instead as advised for matching style guide preference. Note there are other `sed` substitution delimiters still in use such as `+`.

Also added warning for empty `SSL_TYPE` ENV var that may result in an internal state config persist bug when changing `SSL_TYPE` depending on how a container is restarted.
2021-02-22 11:55:10 +13:00
Brennan Kinney d02ebc922c
Dual certificate support (eg ECDSA with RSA fallback) (#1801)
* feat: Change Postfix smtpd_tls key and cert files to chain_files

Since Postfix 3.4, `smtpd_tls_cert_file` and `smtpd_tls_key_file` have been deprecated in favor of `smtpd_tls_chain_files` which supports a list of values where a single or sequence of file paths provide a private key followed by it's certificate chain.

* feat: Dual certificate support

`smtpd_tls_chain_files` allows for multiple key+cert bundles so that you can provide different key types, such as ECDSA and RSA.

To maintain compatibility with the current CERT/KEY ENV vars only a 2nd certificate is supported.

Since Dovecot 2.2.31 a related feature is also available, but it is limited to only providing one alternative certificate via separate cert and key settings.

---

This feature enables support for multiple certificates, eg for serving modern ECDSA certs with RSA as fallback.

* chore: Refactor variable names to meet style guide

Improved some comments too.

* chore: Have function definitions respect style guide

* chore: Minor edits to comments

* chore: Expand on comments for maintenance, alert of insecure config

When `SSL_TYPE` isn't properly setup, we're still offering SSL connections but not warning in logs about the insecurity of such, or why a misconfiguration may have occurred.

This commit more clearly communicates to the user that they should look into the issue before considering deploying to production.

The `TODO` comments communicate to any future maintainer to consider treating these improper configs as disabling TLS instead.

* fix: Use `snakeoil` cert

I mistakenly thought this was placeholder text, which broke some tests. This adds the two files in the correct order (private key followed by cert/chain), to fix that issue.

* fix: Disable alt cert for Dovecot if necessary

Certain scenarios may persist state of previously configured alt cert via ENV vars that are removed from a future run. If the config is not reset to original immutable state, this will correctly disable the config from using alt cert unintentionally.

* fix: Satisfy ShellCheck lint

By switching from string var to array / list expansion, this better stores the extracted result and applies it in a manner that ShellCheck linting approves, removing the need to disable the rule.

* feat: Support dual cert test

Few tweaks to the test script allows re-purposing it for covering dual cert support as well.

* chore: Rearranged cert and key lines

A little reorganization, mostly placing private key ahead of related cert lines.

* chore: Refactor `_set_certificate`

This should make the parameters a little less confusing.

Previously was 3 parameters, but the Postfix parameter (1st) may look like two variables if you don't pay attention to the surrounding quotes; while the Dovecot parameters (2nd + 3rd) would have an opposing order. There was also a variant where the `FULLKEYCHAIN` var was passed in three times.

Now it's two params, with the 2nd param as an optional one. If the 2nd param is provided, then the two params are in the order of private key then certificate, otherwise if only a single parameter it's a single PEM file with the full cert chain and private key bundled.

This avoids implying that Postfix and Dovecot might use different files.

* chore: Document current state of `SSL_TYPE` logic better

Inlined for the benefit of anyone else maintaining this section if I'm unable to address the concerns within my own time.

* docs: ENV vars

`TLS_LEVEL=old` isn't in the codebase anymore, not likely to be relevant to retain.

No point in documenting what is considered invalid / unsupported config value in the first place for `SSL_TYPE`.

`SSL_TYPE=manual` was missing documentation for both related file path ENV vars, they've been added along with their alt fallback variants.

* chore: Update Dovecot LMTP SSL test config

Not sure how relevant this is, the file isn't complete sync with the main dovecot `10-ssl.conf` config, adding the support just in case.

* chore: Rename `FULLKEYCHAIN` to avoid confusion

There doesn't appear to be a standardized name for this type of file bundle, and `keychain` may be misleading (fullkeychain often provides macOS keychain  results on search engines).

Opting for a more explicit `KEY_WITH_FULLCHAIN` name instead.

* fix: Invalid var name

`_set_certificate` refactor commit accidentally changed a var name and committed that breaking the dual cert support (thanks tests!).

* test: Refactor `mail_ssl_manual.bats`

Proper test return values instead of `wc -l` based checking.

Tests with dual cert support active, tests that feature (to better detect failure case.

Third test case was unable to verify new self-signed certificate, added new certs signed with self-signed root CA.

Adjusted openssl `CApath` parameter to use `CAfile` instead as `letsencrypt` cert was replaced thus CA cert is missing from the system trust store.

* test: Properly check for files in `mail_ssl_manual.bats`

Fixes lint error.

Also realized I was accidentally asserting a file exists in the test environment, not within the container.

Resolved that and also added an additional test case to ensure the ENV var files are valid when passed in, in the event a change misconfigures them and that the issue is identified earlier.

* chore: Apply PR review feedback

Better format some strings that had mixed quotes when they weren't necessary.

Additionally DRYed up the config path for Postfix and Dovecot within the `_setup_ssl` method.

Co-authored-by: Georg Lauterbach <infrastructure@itbsd.com>
2021-02-21 23:43:41 +01:00
Astro a7ecb0ea8b
feat/enable custom dkim selector (#1811)
* let dkim generator accept selector as parameter

* test dkim-generator with selector parameter

* fix: correct name of domain argument in usage

* fix: adapt command to new syntax

* tests: use different quotes

* tests: use different quotes

* tests: remove domains that were never added

* style: change test name

* refactor: dkim setup

* style: remove trailing whitespace

* tests: remove test of removed dummy file

Co-authored-by: Frederic Werner <20406381+wernerfred@users.noreply.github.com>
2021-02-21 22:05:35 +01:00
Georg Lauterbach 9efa94ce6f
follow up on ed1bd0cc24 2021-02-19 10:37:28 +01:00
Georg Lauterbach ed1bd0cc24
making 'using the correction version of setup.sh' even clearer 2021-02-19 10:29:26 +01:00
Frederic Werner 788d718fa0
Add manual workflow trigger 2021-02-18 22:56:13 +01:00
Frederic Werner d182d65377
fix: dkim help message test (#1817) 2021-02-18 22:55:17 +01:00
Frederic Werner 6e6b5be1ee
chore: change argument name and parameter shift 2021-02-18 19:20:48 +01:00
Georg Lauterbach d221c585c2
inform about proper setup.sh usage between versions 2021-02-18 14:01:01 +01:00
Georg Lauterbach f3f38db0f9
adjust test to use new script output from openDKIM 2021-02-18 13:11:45 +01:00
Georg Lauterbach 27f6ad73cf
re-write setup.sh's help message to use the new style (#1814) 2021-02-18 11:09:29 +01:00
Georg Lauterbach 6e7ef698d4
re-enable test in Makefile 2021-02-18 10:40:35 +01:00
Georg Lauterbach 1005bb3b09
Provide complete refactoring of openDKIM script (#1812)
* provide complete refactoring of openDKIM usage and tests

* fix leftover linting errors

* correct defualt key size and README usage

* provide independent order for arguments

* added `config` and adjusted usage information

* fixing shift in setup.sh

* adjust usage information to use new style and rename script

* use updated argument keysize instead of size
2021-02-18 10:29:34 +01:00
Brennan Kinney 432f96b3a6
Use best practice cipher suites for 2021 (#1802)
Update cipherlist to sync with OWASP B and Mozilla Intermediate
2021-02-18 10:24:34 +01:00
Georg Lauterbach cb2ecacd56
Rewrite of delmailuser to enable proper account deletion (again) (#1813)
* rewrite to fix docker-mailserver#1808 (again)
* exiting script correctly now
* over-engineered usage information
the usage is now displayed like a man page and the paging mechanism (i.e. the display of the information) is borrowed from batcat
* fix typos
2021-02-17 12:12:51 +01:00
Georg Lauterbach f66c70faa8
Merge pull request #1809 from aendeavor/delmailuser-patch
patching the delmailuser script to function properly (+ refactoring)
2021-02-14 22:35:52 +01:00
Georg Lauterbach ddf2bc2567
exchanging errex with echo 2021-02-14 22:09:33 +01:00
Georg Lauterbach 227719ee0d
patching the delmailuser script to function properly (+ refactoring) 2021-02-14 21:19:58 +01:00
Georg Lauterbach 5a806b9934
Merge pull request #1805 from docker-mailserver/casperklein-patch-1 2021-02-11 10:00:14 +01:00
Frederic Werner d2124a6529
ci: exlude files from triggering workflows (#1804)
* ci: add paths-ignore

* fix: use explicit trigger paths

* fix: revert changes as every file should be linted
2021-02-11 09:48:45 +01:00
Casper 84e83e90b3
Update .dockerignore 2021-02-10 19:33:31 +01:00
Georg Lauterbach 62e93f0dcc
Rename config.yaml to config.yml 2021-02-10 16:53:14 +01:00
Georg Lauterbach b279a002c1
add issue template configuration 2021-02-10 16:52:22 +01:00
Casper f168e3bd71
Merge pull request #1803 from aendeavor/follow-up-#1799
Follow up, style enhancement
2021-02-09 14:13:09 +01:00
Georg Lauterbach 11eb174121
follow up style enhancement 2021-02-09 12:12:36 +01:00
dependabot[bot] e1507f9d5b
Merge pull request #1799 from docker-mailserver/dependabot/github_actions/actions/cache-v2.1.4 2021-02-08 13:19:28 +00:00
Georg Lauterbach 5338433b78
Merge pull request #1798 from aendeavor/fix#1796
Enhancement for function _setup_postfix_sasl fixing #1796 & More
2021-02-08 11:38:05 +01:00
dependabot[bot] 7794aea527
Bump actions/cache from v2 to v2.1.4
Bumps [actions/cache](https://github.com/actions/cache) from v2 to v2.1.4.
- [Release notes](https://github.com/actions/cache/releases)
- [Commits](https://github.com/actions/cache/compare/v2...26968a09c0ea4f3e233fdddbafd1166051a095f6)

Signed-off-by: dependabot[bot] <support@github.com>
2021-02-08 07:01:59 +00:00
Ask Bjørn Hansen 4a3735bced
Support extra user_attributes in accounts configuration (#1792)
This allows you to add for example

    |userdb_mail=mbox:~/mail:INBOX=~/inbox

 to the end of an account to have a different mailbox configuration.
2021-02-07 19:02:09 +01:00
Georg Lauterbach c6c7b8522d
enhancement for function _setup_postfix_sasl fixing #1796 & more 2021-02-07 18:11:33 +01:00
Frederic Werner df3ef4865f
Add PR template (#1795)
* Add PR template

* Add new type of change and reformulate checklist

* Add PR template reference
2021-02-07 11:59:09 +01:00
Georg Lauterbach a6a059ae5a
corrected setup.sh link in README 2021-02-06 18:01:56 +01:00
Georg Lauterbach ff24d6c627
Merge pull request #1793 from abh/clear-config
Remove confusing and unused clear.postfix-accounts.cf test config file
2021-02-06 17:54:15 +01:00
Ask Bjørn Hansen 14eaaa17e1 Remove confusing and unused clear.postfix-accounts.cf test config file 2021-02-06 06:25:29 -08:00
Georg Lauterbach dec7809583
making contribution guidelines even clearer 2021-02-01 18:54:01 +01:00
Georg Lauterbach 0b57a538de
adjusting CHANGELOG and CONTRIBUTING 2021-02-01 18:49:58 +01:00
Georg Lauterbach 6c575adae2
correct application of the new SUPERVISOR_LOGLEVEL variable (#1787)
* correct application of the new SUPERVISOR_LOGLEVEL variable
* correcting default log level adjustment
* replacing grep &>/dev/null with grep -q
2021-02-01 18:39:05 +01:00
Casper 27e68640b6
Merge pull request #1785 from froks/froks-escape-underscore
Escaped the underscore of SCORE
2021-02-01 00:15:53 +01:00
Florian Roks 6f7fff6b32
Escaped the underscore of SCORE
When you read the markdown on github, the underscore by default just causes the word to be italic - when you blindly copy that configuration, it won't work, because you don't see the underscore prefix/suffix.
2021-01-31 21:49:40 +01:00
Georg Lauterbach 12011d8905
Merge pull request #1783 from m-schmoock/fix/servicename
doc: fix service name now mailserver
2021-01-31 18:25:56 +01:00
Michael Schmoock d21a185be0 doc: fix service name now mailserver 2021-01-31 17:50:02 +01:00
Georg Lauterbach 14344bd42a
Merge pull request #1782 from aendeavor/fix-#1781
removing bl.spamcop.net for 8.0.1
2021-01-31 16:36:34 +01:00
Georg Lauterbach 931eab0541
removing bl.spamcop.net for 8.0.1 2021-01-31 16:05:05 +01:00
Casper 70267d89e5
Replace $_ in error trap (#1776) 2021-01-28 14:50:28 +01:00
Georg Lauterbach 7fd6751e89
adding SUPERVISOR_LOGLEVEL to mailserver.env 2021-01-28 10:15:05 +01:00
Georg Lauterbach cc7138e28f
minor adjustments before release 8.0.0 2021-01-27 18:42:39 +01:00
Georg Lauterbach 18544e6453
8.0.0 2021-01-27 17:04:20 +01:00
William Desportes 4616894fbf
Allow manual domains for dkim generator (#1753)
* Allow manual domains for dkim generator

* Document the DKIM manual mode

* Remove unnecessary quotes

* updating default value usage and "" in [[ ]]

* Change parameter expansion

* Add test for manual dkim domains

* Remove obsolete script

* Add manual dkim mode to usage

* Move manual dkim guide into quickstart section

* Cover case that key for domain already exists

* Set default dkim key size to 4096

Co-authored-by: Frederic Werner <20406381+wernerfred@users.noreply.github.com>
Co-authored-by: Georg Lauterbach <44545919+aendeavor@users.noreply.github.com>
2021-01-27 14:09:24 +01:00
Casper 23984e3f07
Missing variables added (#1771)
Co-authored-by: casperklein <casperklein@users.noreply.github.com>
2021-01-27 13:35:55 +01:00
Georg Lauterbach fd030644bf
Merge pull request #1770 from casperklein/fix-1769 2021-01-26 13:13:23 +01:00