author | Alex Auvolat <alex@adnab.me> | 2021-01-16 17:07:01 +0100 |
---|---|---|
committer | Alex Auvolat <alex@adnab.me> | 2021-01-16 17:07:01 +0100 |
commit | c74dc92febd1841c8ea5ff31caab0f941d57527d (patch) | |
tree | d05a203d95cac988952799667ec43c327a5d9038 /app/email/build | |
parent | 0c4ee40e01c95d7bf73236cbead5cc261f67eb9d (diff) | |
download | infrastructure-c74dc92febd1841c8ea5ff31caab0f941d57527d.tar.gz infrastructure-c74dc92febd1841c8ea5ff31caab0f941d57527d.zip |
Proposal: reorganize app/ folder by modules
Diffstat (limited to 'app/email/build')
21 files changed, 484 insertions, 0 deletions
diff --git a/app/email/build/alps/Dockerfile b/app/email/build/alps/Dockerfile
new file mode 100644
index 0000000..647d90d
--- /dev/null
+++ b/app/email/build/alps/Dockerfile
@@ -0,0 +1,21 @@
+FROM golang:1.15.6-buster as builder
+
+ARG VERSION
+
+ENV CGO_ENABLED=0 GOOS=linux GOARCH=amd64
+WORKDIR /tmp/alps
+
+RUN git init && \
+ git remote add origin https://git.sr.ht/~migadu/alps && \
+ git fetch --depth 1 origin ${VERSION} && \
+ git checkout FETCH_HEAD
+
+COPY skipverify.patch skipverify.patch
+
+RUN git apply skipverify.patch && \
+ go build -a -o /usr/local/bin/alps ./cmd/alps
+
+FROM scratch
+COPY --from=builder /usr/local/bin/alps /alps
+COPY --from=builder /tmp/alps/themes /themes
+ENTRYPOINT ["/alps"]
diff --git a/app/email/build/alps/skipverify.patch b/app/email/build/alps/skipverify.patch
new file mode 100644
index 0000000..14e14cb
--- /dev/null
+++ b/app/email/build/alps/skipverify.patch
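Review bot: The final `FROM scratch` stage copies only the binary and the themes, so the runtime image carries no CA bundle; together with the skipverify.patch applied in the builder stage this looks like the reason certificate verification was disabled rather than made to work. Copying the builder's trust store, `COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/`, lets the Go TLS client verify the IMAP/SMTP endpoints without the patch, presuming the mail servers present a publicly trusted CA (a private CA can be mounted the same way). `git fetch --depth 1 origin ${VERSION}` also accepts any ref, so if VERSION is a branch or tag rather than a commit id the build is not reproducible; documenting that VERSION is expected to be a commit hash, or comparing the fetched commit against an expected value, would pin it.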
@@ -0,0 +1,55 @@
+From 47765c10f1af2013556f76dc63dfa056167ae5e8 Mon Sep 17 00:00:00 2001
+From: Quentin <quentin@deuxfleurs.fr>
+Date: Fri, 4 Dec 2020 13:19:24 +0100
+Subject: [PATCH] Skip CA verification
+
+---
+ imap.go | 3 ++-
+ smtp.go | 3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/imap.go b/imap.go
+index 7554331..1a4931d 100644
+--- a/imap.go
++++ b/imap.go
+@@ -3,6 +3,7 @@ package alps
+ import (
+ "fmt"
+
++ "crypto/tls"
+ "github.com/emersion/go-imap"
+ imapclient "github.com/emersion/go-imap/client"
+ "github.com/emersion/go-message/charset"
+@@ -16,7 +17,7 @@ func (s *Server) dialIMAP() (*imapclient.Client, error) {
+ var c *imapclient.Client
+ var err error
+ if s.imap.tls {
+- c, err = imapclient.DialTLS(s.imap.host, nil)
++ c, err = imapclient.DialTLS(s.imap.host, &tls.Config{InsecureSkipVerify: true})
+ if err != nil {
+ return nil, fmt.Errorf("failed to connect to IMAPS server: %v", err)
+ }
+diff --git a/smtp.go b/smtp.go
+index 5e178f2..8d22f1d 100644
+--- a/smtp.go
++++ b/smtp.go
+@@ -3,6 +3,7 @@ package alps
+ import (
+ "fmt"
+
++ "crypto/tls"
+ "github.com/emersion/go-smtp"
+ )
+
+@@ -14,7 +15,7 @@ func (s *Server) dialSMTP() (*smtp.Client, error) {
+ var c *smtp.Client
+ var err error
+ if s.smtp.tls {
+- c, err = smtp.DialTLS(s.smtp.host, nil)
++ c, err = smtp.DialTLS(s.smtp.host, &tls.Config{InsecureSkipVerify: true})
+ if err != nil {
+ return nil, fmt.Errorf("failed to connect to SMTPS server: %v", err)
+ }
+--
+2.28.0
+
diff --git a/app/email/build/dovecot/.gitignore b/app/email/build/dovecot/.gitignore
new file mode 100644
index 0000000..71a04e2
--- /dev/null
+++ b/app/email/build/dovecot/.gitignore
@@ -0,0 +1 @@
+dovecot-ldap.conf
diff --git a/app/email/build/dovecot/Dockerfile b/app/email/build/dovecot/Dockerfile
new file mode 100644
index 0000000..9b87627
--- /dev/null
+++ b/app/email/build/dovecot/Dockerfile
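Review bot: `&tls.Config{InsecureSkipVerify: true}` in both dialIMAP and dialSMTP turns off certificate and hostname verification for the webmail's IMAP and SMTP connections, so the user credentials relayed over them are protected only by the network path between alps and the mail servers. If the motivation is that the scratch image has no trust store or that the mail servers use a private CA, the narrower fix keeps verification and supplies the CA: load the bundle into an `x509.CertPool` and pass `&tls.Config{RootCAs: pool}` instead. If skipping verification is a deliberate trade-off for this deployment, the patch's Subject line or a comment next to the `git apply` in the Dockerfile should say why, since the patch is baked into every build.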
@@ -0,0 +1,17 @@
+FROM amd64/debian:stretch
+
+RUN apt-get update && \
+ apt-get install -y \
+ dovecot-antispam \
+ dovecot-core \
+ dovecot-imapd \
+ dovecot-ldap \
+ dovecot-managesieved \
+ dovecot-sieve \
+ dovecot-lmtpd && \
+ rm -rf /etc/dovecot/*
+RUN useradd mailstore
+COPY ./conf/* /etc/dovecot/
+COPY entrypoint.sh /usr/local/bin/entrypoint
+
+ENTRYPOINT ["/usr/local/bin/entrypoint"]
diff --git a/app/email/build/dovecot/README.md b/app/email/build/dovecot/README.md
new file mode 100644
index 0000000..8c9f372
--- /dev/null
+++ b/app/email/build/dovecot/README.md
@@ -0,0 +1,18 @@
+```
+sudo docker build -t superboum/amd64_dovecot:v2 .
+```
+
+
+```
+sudo docker run -t -i \
+ -e TLSINFO="/C=FR/ST=Bretagne/L=Rennes/O=Deuxfleurs/CN=www.deuxfleurs.fr" \
+ -p 993:993 \
+ -p 143:143 \
+ -p 24:24 \
+ -p 1337:1337 \
+ -v /mnt/glusterfs/email/ssl:/etc/ssl/ \
+ -v /mnt/glusterfs/email/mail:/var/mail \
+ -v `pwd`/dovecot-ldap.conf:/etc/dovecot/dovecot-ldap.conf \
+ superboum/amd64_dovecot:v1 \
+ dovecot -F
+```
diff --git a/app/email/build/dovecot/conf/all_before.sieve b/app/email/build/dovecot/conf/all_before.sieve
new file mode 100644
index 0000000..7d2e57e
--- /dev/null
+++ b/app/email/build/dovecot/conf/all_before.sieve
@@ -0,0 +1,5 @@
+require ["fileinto", "mailbox"];
+if header :contains "X-Spam-Flag" "YES" {
+ fileinto :create "Junk";
+}
+
diff --git a/app/email/build/dovecot/conf/dovecot-ldap.sample.conf b/app/email/build/dovecot/conf/dovecot-ldap.sample.conf
new file mode 100644
index 0000000..472d5e8
--- /dev/null
+++ b/app/email/build/dovecot/conf/dovecot-ldap.sample.conf
@@ -0,0 +1,8 @@
+hosts = ldap.example.com
+dn = cn=admin,dc=example,dc=com
+dnpass = s3cr3t
+base = dc=example,dc=com
+scope = subtree
+user_filter = (&(mail=%u)(&(objectClass=inetOrgPerson)(memberOf=cn=email,ou=groups,dc=example,dc=com)))
+pass_filter = (&(mail=%u)(&(objectClass=inetOrgPerson)(memberOf=cn=email,ou=groups,dc=example,dc=com)))
+user_attrs = mail=/var/mail/%{ldap:mail}
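Review bot: `FROM amd64/debian:stretch` followed only by `apt-get update && apt-get install` ships whatever package versions the stretch snapshot has at build time without pulling pending security updates; the opendkim Dockerfile in this same commit runs `apt-get dist-upgrade -y` before installing, and the dovecot build should do the same for consistency. Stretch is also one release behind the buster base used by the postfix, opendkim and sogo images here, so the dovecot packages it pulls are older than the rest of the stack; a comment on why stretch is kept would help if it is deliberate. `COPY ./conf/* /etc/dovecot/` also ships `dovecot-ldap.sample.conf` into the image, which is harmless but worth excluding if it is only a template for the gitignored real file.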
diff --git a/app/email/build/dovecot/conf/dovecot.conf b/app/email/build/dovecot/conf/dovecot.conf
new file mode 100644
index 0000000..0d5068c
--- /dev/null
+++ b/app/email/build/dovecot/conf/dovecot.conf
@@ -0,0 +1,79 @@
+auth_mechanisms = plain login
+auth_username_format = %u
+log_timestamp = "%Y-%m-%d %H:%M:%S "
+mail_location = maildir:/var/mail/%u
+mail_privileged_group = mail
+
+log_path = /dev/stderr
+info_log_path = /dev/stdout
+debug_log_path = /dev/stdout
+
+protocols = imap sieve lmtp
+
+ssl_cert = < /etc/ssl/certs/dovecot.crt
+ssl_key = < /etc/ssl/private/dovecot.key
+
+service auth {
+ inet_listener {
+ port = 1337
+ }
+}
+
+passdb {
+ args = /etc/dovecot/dovecot-ldap.conf
+ driver = ldap
+}
+
+service lmtp {
+ inet_listener lmtp {
+ address = 0.0.0.0
+ port = 24
+ }
+}
+
+service imap-login {
+ inet_listener imap {
+ port = 143
+ }
+ inet_listener imaps {
+ port = 993
+ }
+}
+
+userdb {
+ args = uid=mailstore gid=mailstore home=/var/mail/%u
+ driver = static
+}
+
+protocol imap {
+ mail_plugins = $mail_plugins imap_sieve
+}
+
+protocol lda {
+ auth_socket_path = /var/run/dovecot/auth-master
+ info_log_path = /var/log/dovecot-deliver.log
+ log_path = /var/log/dovecot-deliver-errors.log
+ postmaster_address = postmaster@deuxfleurs.fr
+ mail_plugins = $mail_plugins sieve
+}
+
+plugin {
+ sieve = file:~/sieve;active=~/dovecot.sieve
+ sieve_before = /etc/dovecot/all_before.sieve
+
+ # antispam learn
+ sieve_plugins = sieve_imapsieve sieve_extprograms
+ sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment +vnd.dovecot.debug
+ sieve_pipe_bin_dir = /usr/bin
+
+ imapsieve_mailbox1_name = Junk
+ imapsieve_mailbox1_causes = COPY FLAG APPEND
+ imapsieve_mailbox1_before = file:/etc/dovecot/report-spam.sieve
+
+ imapsieve_mailbox2_name = *
+ imapsieve_mailbox2_from = Spam
+ imapsieve_mailbox2_causes = COPY APPEND
+ imapsieve_mailbox2_before = file:/etc/dovecot/report-ham.sieve
+
+}
+
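Review bot: `service auth { inet_listener { port = 1337 } }` and `inet_listener lmtp { address = 0.0.0.0 port = 24 }` expose Dovecot's authentication socket and LMTP delivery over TCP with no bind-address restriction and no authentication of the peer, so anything that can reach those ports can run password checks against the LDAP passdb or deliver mail into any mailbox. If they exist only for the Postfix container on an internal network, bind them with `address = <internal-ip>` (placeholder) or note in a comment that the container network is what restricts them; the README in this commit publishes both with `-p`, which suggests they are reachable from the host. A short comment above `service auth` naming its consumer (presumably Postfix SASL) would also make the unnamed listener's purpose clear.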
diff --git a/app/email/build/dovecot/conf/report-ham.sieve b/app/email/build/dovecot/conf/report-ham.sieve
new file mode 100644
index 0000000..c5a994a
--- /dev/null
+++ b/app/email/build/dovecot/conf/report-ham.sieve
@@ -0,0 +1,17 @@
+require ["vnd.dovecot.pipe", "copy", "imapsieve", "environment", "variables", "vnd.dovecot.debug"];
+
+if environment :matches "imap.mailbox" "*" {
+ set "mailbox" "${1}";
+}
+
+if string "${mailbox}" "Trash" {
+ stop;
+}
+
+if environment :matches "imap.user" "*" {
+ set "username" "${1}";
+}
+
+pipe :copy "sa-learn" [ "--ham", "-u", "debian-spamd" ];
+debug_log "ham reported by ${username}";
+
diff --git a/app/email/build/dovecot/conf/report-spam.sieve b/app/email/build/dovecot/conf/report-spam.sieve
new file mode 100644
index 0000000..1be7389
--- /dev/null
+++ b/app/email/build/dovecot/conf/report-spam.sieve
@@ -0,0 +1,9 @@
+require ["vnd.dovecot.pipe", "copy", "imapsieve", "environment", "variables", "vnd.dovecot.debug"];
+
+if environment :matches "imap.user" "*" {
+ set "username" "${1}";
+}
+
+pipe :copy "sa-learn" [ "--spam", "-u", "debian-spamd"];
+debug_log "spam reported by ${username}";
+
diff --git a/app/email/build/dovecot/entrypoint.sh b/app/email/build/dovecot/entrypoint.sh
new file mode 100755
index 0000000..2165d8f
--- /dev/null
+++ b/app/email/build/dovecot/entrypoint.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+if [[ ! -f /etc/ssl/certs/dovecot.crt || ! -f /etc/ssl/private/dovecot.key ]]; then
+ cd /root
+ openssl req \
+ -new \
+ -newkey rsa:4096 \
+ -days 3650 \
+ -nodes \
+ -x509 \
+ -subj ${TLSINFO} \
+ -keyout dovecot.key \
+ -out dovecot.crt
+
+ mkdir -p /etc/ssl/{certs,private}/
+
+ cp dovecot.crt /etc/ssl/certs/dovecot.crt
+ cp dovecot.key /etc/ssl/private/dovecot.key
+ chmod 400 /etc/ssl/certs/dovecot.crt
+ chmod 400 /etc/ssl/private/dovecot.key
+fi
+
+if [[ $(stat -c '%U' /var/mail/) != "mailstore" ]]; then
+ chown -R mailstore /var/mail
+fi
+
+exec "$@"
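Review bot: `-subj ${TLSINFO}` is unquoted, so a subject containing a space is split into several arguments and an unset TLSINFO makes `-keyout` the subject value; both break the openssl call, and the fix is `-subj "${TLSINFO}"`. The identical line is in app/email/build/postfix/entrypoint.sh in this commit and needs the same change. Because the script has no `set -e`, a failed openssl run is not fatal: the `cp` and `chmod` lines fail in turn and `exec "$@"` still starts the daemon without the expected certificate, so `set -euo pipefail` after the shebang would stop at the first error. The generated private key is also left in /root after the copies; using `mv`, or writing `-keyout /etc/ssl/private/dovecot.key` directly after the `mkdir`, avoids keeping a second copy of the key in the container.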
diff --git a/app/email/build/opendkim/Dockerfile b/app/email/build/opendkim/Dockerfile
new file mode 100644
index 0000000..70a39e4
--- /dev/null
+++ b/app/email/build/opendkim/Dockerfile
@@ -0,0 +1,8 @@
+FROM amd64/debian:buster
+
+RUN apt-get update && \
+ apt-get dist-upgrade -y && \
+ apt-get install -y opendkim opendkim-tools
+
+COPY ./opendkim.conf /etc/opendkim.conf
+CMD opendkim -f -v -x /etc/opendkim.conf
diff --git a/app/email/build/opendkim/README.md b/app/email/build/opendkim/README.md
new file mode 100644
index 0000000..e146125
--- /dev/null
+++ b/app/email/build/opendkim/README.md
@@ -0,0 +1,12 @@
+```
+sudo docker build -t superboum/amd64_opendkim:v1 .
+```
+
+```
+sudo docker run -t -i \
+ -v `pwd`/conf:/etc/dkim \
+ -v /dev/log:/dev/log \
+ -p 8999:8999
+ superboum/amd64_opendkim:v1
+ opendkim -f -v -x /etc/opendkim.conf
+```
diff --git a/app/email/build/opendkim/opendkim.conf b/app/email/build/opendkim/opendkim.conf
new file mode 100644
index 0000000..0d6465f
--- /dev/null
+++ b/app/email/build/opendkim/opendkim.conf
@@ -0,0 +1,12 @@
+Syslog yes
+SyslogSuccess yes
+LogWhy yes
+UMask 007
+Mode sv
+OversignHeaders From
+TrustAnchorFile /usr/share/dns/root.key
+KeyTable refile:/etc/dkim/keytable
+SigningTable refile:/etc/dkim/signingtable
+ExternalIgnoreList refile:/etc/dkim/trusted
+InternalHosts refile:/etc/dkim/trusted
+Socket inet:8999
diff --git a/app/email/build/postfix/Dockerfile b/app/email/build/postfix/Dockerfile
new file mode 100644
index 0000000..0c74fdc
--- /dev/null
+++ b/app/email/build/postfix/Dockerfile
@@ -0,0 +1,13 @@
+FROM amd64/debian:buster
+
+ARG VERSION
+
+RUN apt-get update && \
+ apt-get install -y \
+ postfix=$VERSION \
+ postfix-ldap
+
+COPY entrypoint.sh /usr/local/bin/entrypoint
+
+ENTRYPOINT ["/usr/local/bin/entrypoint"]
+CMD ["postfix", "start-fg"]
diff --git a/app/email/build/postfix/README.md b/app/email/build/postfix/README.md
new file mode 100644
index 0000000..ac44fc0
--- /dev/null
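Review bot: `Socket inet:8999` binds the milter on every interface, and the milter protocol carries no authentication, so any host that can reach port 8999 can have messages signed with the keys referenced by `/etc/dkim/keytable`; restricting the bind address, `Socket inet:8999@<internal-ip>` (placeholder), or a comment stating that the container network limits it, keeps signing to the intended Postfix instance. `Mode sv` with `InternalHosts` and `ExternalIgnoreList` both pointing at `refile:/etc/dkim/trusted` is fine, but that file comes from the mounted volume and is not in this commit, so a comment saying what it is expected to contain would help. Separately, the opendkim Dockerfile's `CMD opendkim -f -v -x /etc/opendkim.conf` is the shell form, so `/bin/sh` is PID 1 and the SIGTERM from a container stop is not delivered to opendkim; the exec form `CMD ["opendkim", "-f", "-v", "-x", "/etc/opendkim.conf"]` fixes that.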
+++ b/app/email/build/postfix/README.md
@@ -0,0 +1,18 @@
+```
+sudo docker build -t superboum/amd64_postfix:v1 .
+```
+
+```
+sudo docker run -t -i \
+ -e TLSINFO="/C=FR/ST=Bretagne/L=Rennes/O=Deuxfleurs/CN=smtp.deuxfleurs.fr" \
+ -e MAILNAME="smtp.deuxfleurs.fr" \
+ -p 25:25 \
+ -p 465:465 \
+ -p 587:587 \
+ -v `pwd`/../../ansible/roles/container_conf/files/email/postfix-conf:/etc/postfix-conf \
+ -v /mnt/glusterfs/email/postfix-ssl/private:/etc/ssl/private \
+ -v /mnt/glusterfs/email/postfix-ssl/certs:/etc/ssl/certs \
+ superboum/amd64_postfix:v1 \
+ bash
+```
+
diff --git a/app/email/build/postfix/entrypoint.sh b/app/email/build/postfix/entrypoint.sh
new file mode 100755
index 0000000..fcf1a66
--- /dev/null
+++ b/app/email/build/postfix/entrypoint.sh
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+if [[ ! -f /etc/ssl/certs/postfix.crt || ! -f /etc/ssl/private/postfix.key ]]; then
+ cd /root
+ openssl req \
+ -new \
+ -newkey rsa:4096 \
+ -days 3650 \
+ -nodes \
+ -x509 \
+ -subj ${TLSINFO} \
+ -keyout postfix.key \
+ -out postfix.crt
+
+ mkdir -p /etc/ssl/{certs,private}/
+
+ cp postfix.crt /etc/ssl/certs/postfix.crt
+ cp postfix.key /etc/ssl/private/postfix.key
+ chmod 400 /etc/ssl/certs/postfix.crt
+ chmod 400 /etc/ssl/private/postfix.key
+fi
+
+# A way to map files inside the postfix folder :s
+for file in $(ls /etc/postfix-conf); do
+ cp /etc/postfix-conf/${file} /etc/postfix/${file}
+done
+
+echo ${MAILNAME} > /etc/mailname
+postmap /etc/postfix/transport
+
+exec "$@"
diff --git a/app/email/build/sogo/Dockerfile b/app/email/build/sogo/Dockerfile
new file mode 100644
index 0000000..46880dd
--- /dev/null
+++ b/app/email/build/sogo/Dockerfile
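Review bot: `for file in $(ls /etc/postfix-conf)` word-splits the ls output and re-expands globs, so a file name containing whitespace or a glob character is mishandled; a glob loop, `for file in /etc/postfix-conf/*; do cp "$file" /etc/postfix/; done`, copies the same directory safely and drops the ":s" workaround comment. Without `set -e`, a failing `postmap /etc/postfix/transport` (for instance when the mounted conf has no transport file) is ignored and Postfix starts with a missing map. `echo ${MAILNAME} > /etc/mailname` likewise writes an empty file when MAILNAME is unset; a guard such as `: "${MAILNAME:?MAILNAME must be set}"` before it makes the requirement explicit.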
@@ -0,0 +1,17 @@
+#FROM amd64/debian:stretch as builder
+
+FROM amd64/debian:buster
+
+RUN mkdir ~/.gnupg && echo "disable-ipv6" >> ~/.gnupg/dirmngr.conf
+
+RUN apt-get update && \
+ apt-get install -y apt-transport-https gnupg2 sudo nginx && \
+ rm -rf /etc/nginx/sites-enabled/* && \
+ apt-key adv --keyserver keys.gnupg.net --recv-key 0x810273C4 && \
+ echo "deb http://packages.inverse.ca/SOGo/nightly/5/debian/ buster buster" > /etc/apt/sources.list.d/sogo.list && \
+ apt-get update && \
+ apt-get install -y sogo sogo-activesync sope4.9-gdl1-postgresql postgresql-client
+
+COPY sogo.nginx.conf /etc/nginx/sites-enabled/sogo.conf
+COPY entrypoint /usr/sbin/entrypoint
+ENTRYPOINT ["/usr/sbin/entrypoint"]
diff --git a/app/email/build/sogo/README.md b/app/email/build/sogo/README.md
new file mode 100644
index 0000000..ea12245
--- /dev/null
+++ b/app/email/build/sogo/README.md
@@ -0,0 +1,20 @@
+```
+docker build -t superboum/amd64_sogo:v6 .
+
+# privileged is only for debug
+docker run --rm -ti \
+ --privileged \
+ -p 8080:8080 \
+ -v /tmp/sogo/log:/var/log/sogo \
+ -v /tmp/sogo/run:/var/run/sogo \
+ -v /tmp/sogo/spool:/var/spool/sogo \
+ -v /tmp/sogo/tmp:/tmp \
+ -v `pwd`/sogo:/etc/sogo:ro \
+ superboum/amd64_sogo:v1
+```
+
+Password must be url encoded in sogo.conf for postgres
+Will need a nginx instance: http://wiki.sogo.nu/nginxSettings
+
+Might (or might not) be needed:
+traefik.frontend.headers.customRequestHeaders=x-webobjects-server-port:443||x-webobjects-server-name=sogo.deuxfleurs.fr||x-webobjects-server-url:https://sogo.deuxfleurs.fr
diff --git a/app/email/build/sogo/entrypoint b/app/email/build/sogo/entrypoint
new file mode 100755
index 0000000..8b39def
--- /dev/null
+++ b/app/email/build/sogo/entrypoint
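Review bot: `apt-key adv --keyserver keys.gnupg.net --recv-key 0x810273C4` trusts whatever key the keyserver returns for a 32-bit short id, which is not unique; fetching by the full fingerprint, `--recv-key <FULL-FINGERPRINT-FROM-SOGO-DOCS>` (placeholder), or better committing the key file and referencing it with `signed-by=` in the sources entry, pins the trust to the intended key instead of the apt-wide keyring. The source line `deb http://packages.inverse.ca/SOGo/nightly/5/debian/ buster buster` is a nightly channel fetched over plain http, so two builds of this Dockerfile can install different SOGo versions; if nightly is intentional, a comment on why the release channel is not used would help the next maintainer. The `disable-ipv6` dirmngr tweak is likewise unexplained; a one-line comment on which build environment needed it would stop someone from removing it blindly.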
@@ -0,0 +1,13 @@
+#!/bin/bash
+mkdir -p /var/log/sogo
+mkdir -p /var/run/sogo
+mkdir -p /var/spool/sogo
+chown sogo /var/log/sogo
+chown sogo /var/run/sogo
+chown sogo /var/spool/sogo
+
+nginx -g 'daemon on; master_process on;'
+sudo -u sogo memcached -d
+sudo -u sogo sogod
+sleep 10
+tail -n200 -f /var/log/sogo/sogo.log
diff --git a/app/email/build/sogo/sogo.nginx.conf b/app/email/build/sogo/sogo.nginx.conf
new file mode 100644
index 0000000..ad920a5
--- /dev/null
+++ b/app/email/build/sogo/sogo.nginx.conf
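Review bot: After `sudo -u sogo sogod` every daemon is in the background and the script ends in `tail -n200 -f`, so the container's lifetime is tied to tail rather than to sogod or nginx; if either of them dies the container stays up and the orchestrator never restarts it. Running one daemon in the foreground as the last command with `exec` (nginx with `daemon off;` is the usual choice) or using a small supervisor gives the container a meaningful exit status. The `sleep 10` presumably waits for sogo.log to be created before tail opens it; a comment saying so, or `touch /var/log/sogo/sogo.log` before the tail, would make that explicit.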
@@ -0,0 +1,83 @@
+server {
+ listen 8080;
+ server_name default_server;
+ root /usr/lib/GNUstep/SOGo/WebServerResources/;
+
+ ## requirement to create new calendars in Thunderbird ##
+ proxy_http_version 1.1;
+
+ # Message size limit
+ client_max_body_size 50m;
+ client_body_buffer_size 128k;
+
+ location = / {
+ rewrite ^ '/SOGo';
+ allow all;
+ }
+
+ location = /principals/ {
+ rewrite ^ '/SOGo/dav';
+ allow all;
+ }
+
+ location ^~/SOGo {
+ proxy_pass 'http://127.0.0.1:20000';
+ proxy_redirect 'http://127.0.0.1:20000' default;
+ # forward user's IP address
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Host $host;
+ proxy_set_header x-webobjects-server-protocol HTTP/1.0;
+ proxy_set_header x-webobjects-remote-host 127.0.0.1;
+ proxy_set_header x-webobjects-server-name $server_name;
+ proxy_set_header x-webobjects-server-url $scheme://$host;
+ proxy_set_header x-webobjects-server-port $server_port;
+ proxy_connect_timeout 90;
+ proxy_send_timeout 90;
+ proxy_read_timeout 90;
+ proxy_buffer_size 4k;
+ proxy_buffers 4 32k;
+ proxy_busy_buffers_size 64k;
+ proxy_temp_file_write_size 64k;
+ break;
+ }
+
+ location /SOGo.woa/WebServerResources/ {
+ alias /usr/lib/GNUstep/SOGo/WebServerResources/;
+ allow all;
+ expires max;
+ }
+
+ location /SOGo/WebServerResources/ {
+ alias /usr/lib/GNUstep/SOGo/WebServerResources/;
+ allow all;
+ expires max;
+ }
+
+ location (^/SOGo/so/ControlPanel/Products/([^/]*)/Resources/(.*)$) {
+ alias /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2;
+ expires max;
+ }
+
+ location (^/SOGo/so/ControlPanel/Products/[^/]*UI/Resources/.*\.(jpg|png|gif|css|js)$) {
+ alias /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2;
+ expires max;
+ }
+
+ location ^~ /Microsoft-Server-ActiveSync {
+ access_log /var/log/nginx/activesync.log;
+ error_log /var/log/nginx/activesync-error.log;
+
+ proxy_connect_timeout 75;
+ proxy_send_timeout 3600;
+ proxy_read_timeout 3600;
+ proxy_buffers 64 256k;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ proxy_pass http://127.0.0.1:20000/SOGo/Microsoft-Server-ActiveSync;
+ proxy_redirect http://127.0.0.1:20000/SOGo/Microsoft-Server-ActiveSync /;
+ }
+} |
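Review bot: The two `location (^/SOGo/so/ControlPanel/Products/...)` blocks lack the `~` regex modifier, so nginx treats `(^/SOGo/...` as a literal prefix that never matches and those resource requests fall through to the `^~/SOGo` proxy block; the first should read `location ~ ^/SOGo/so/ControlPanel/Products/([^/]*)/Resources/(.*)$ {`. The second block references `$1.SOGo/Resources/$2` but its pattern only captures the file extension, so even with the modifier the alias would resolve to a wrong path; it needs capture groups around the product name and the resource path as in the first block. `x-webobjects-server-url $scheme://$host` and `x-webobjects-server-port $server_port` forward http and 8080 when this sits behind a TLS-terminating proxy, which the README's traefik header hint suggests is the deployment; deriving them from `X-Forwarded-Proto`/`X-Forwarded-Port` or setting the external values here would keep SOGo from generating http:// links.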