Add email support

21 files changed, 393 insertions, 0 deletions

diff --git a/cluster/prod/app/email/build/alps/Dockerfile b/cluster/prod/app/email/build/alps/Dockerfile
new file mode 100644
index 0000000..92b1f14
--- /dev/null
+++ b/cluster/prod/app/email/build/alps/Dockerfile
@@ -0,0 +1,20 @@
+FROM golang:1.15.6-buster as builder
+
+ARG VERSION
+
+ENV CGO_ENABLED=0 GOOS=linux GOARCH=amd64
+WORKDIR /tmp/alps
+
+RUN git init && \
+    git remote add origin https://git.deuxfleurs.fr/Deuxfleurs/alps.git && \
+    git fetch --depth 1 origin ${VERSION} && \
+    git checkout FETCH_HEAD
+
+RUN go build -a -o /usr/local/bin/alps ./cmd/alps
+
+FROM scratch
+COPY --from=builder /usr/local/bin/alps /alps
+COPY --from=builder /tmp/alps/themes /themes
+COPY --from=builder /tmp/alps/plugins /plugins
+COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
+ENTRYPOINT ["/alps"]
diff --git a/cluster/prod/app/email/build/docker-compose.yml b/cluster/prod/app/email/build/docker-compose.yml
new file mode 100644
index 0000000..0826142
--- /dev/null
+++ b/cluster/prod/app/email/build/docker-compose.yml
@@ -0,0 +1,36 @@
+version: '3.4'
+services:
+
+  # Email
+  sogo:
+    build:
+      context: ./sogo
+      args:
+        # fake for now
+        VERSION: 5.0.0
+    image: superboum/amd64_sogo:v7
+
+  alps:
+    build:
+      context: ./alps
+      args:
+        VERSION: 9bafa64b9d
+    image: superboum/amd64_alps:v1
+
+  dovecot:
+    build:
+      context: ./dovecot
+    image: superboum/amd64_dovecot:v6
+
+  postfix:
+    build:
+      context: ./postfix
+      args:
+        # https://packages.debian.org/fr/buster/postfix
+        VERSION: 3.4.14-0+deb10u1
+    image: superboum/amd64_postfix:v3
+
+  opendkim:
+    build:
+      context: ./opendkim
+    image: superboum/amd64_opendkim:v6
diff --git a/cluster/prod/app/email/build/dovecot/.gitignore b/cluster/prod/app/email/build/dovecot/.gitignore
new file mode 100644
index 0000000..71a04e2
--- /dev/null
+++ b/cluster/prod/app/email/build/dovecot/.gitignore
@@ -0,0 +1 @@
+dovecot-ldap.conf
diff --git a/cluster/prod/app/email/build/dovecot/Dockerfile b/cluster/prod/app/email/build/dovecot/Dockerfile
new file mode 100644
index 0000000..cd1fd0d
--- /dev/null
+++ b/cluster/prod/app/email/build/dovecot/Dockerfile
@@ -0,0 +1,16 @@
+FROM amd64/debian:bullseye
+
+RUN apt-get update && \
+    apt-get install -y \
+      dovecot-antispam \
+      dovecot-core \
+      dovecot-imapd \
+      dovecot-ldap \
+      dovecot-managesieved \
+      dovecot-sieve \
+      dovecot-lmtpd && \
+    rm -rf /etc/dovecot/*
+RUN useradd mailstore
+COPY entrypoint.sh /usr/local/bin/entrypoint
+
+ENTRYPOINT ["/usr/local/bin/entrypoint"]
diff --git a/cluster/prod/app/email/build/dovecot/README.md b/cluster/prod/app/email/build/dovecot/README.md
new file mode 100644
index 0000000..8c9f372
--- /dev/null
+++ b/cluster/prod/app/email/build/dovecot/README.md
@@ -0,0 +1,18 @@
+```
+sudo docker build -t superboum/amd64_dovecot:v2 .
+```
+
+
+```
+sudo docker run -t -i \
+  -e TLSINFO="/C=FR/ST=Bretagne/L=Rennes/O=Deuxfleurs/CN=www.deuxfleurs.fr" \
+  -p 993:993 \
+  -p 143:143 \
+  -p 24:24 \
+  -p 1337:1337 \
+  -v /mnt/glusterfs/email/ssl:/etc/ssl/ \
+  -v /mnt/glusterfs/email/mail:/var/mail \
+  -v `pwd`/dovecot-ldap.conf:/etc/dovecot/dovecot-ldap.conf \
+  superboum/amd64_dovecot:v1 \
+  dovecot -F
+```
diff --git a/cluster/prod/app/email/build/dovecot/entrypoint.sh b/cluster/prod/app/email/build/dovecot/entrypoint.sh
new file mode 100755
index 0000000..2165d8f
--- /dev/null
+++ b/cluster/prod/app/email/build/dovecot/entrypoint.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+if [[ ! -f /etc/ssl/certs/dovecot.crt || ! -f /etc/ssl/private/dovecot.key ]]; then
+  cd /root
+  openssl req \
+    -new \
+    -newkey rsa:4096 \
+    -days 3650 \
+    -nodes \
+    -x509 \
+    -subj ${TLSINFO} \
+    -keyout dovecot.key \
+    -out dovecot.crt
+  
+  mkdir -p /etc/ssl/{certs,private}/
+
+  cp dovecot.crt /etc/ssl/certs/dovecot.crt 
+  cp dovecot.key /etc/ssl/private/dovecot.key 
+  chmod 400 /etc/ssl/certs/dovecot.crt 
+  chmod 400 /etc/ssl/private/dovecot.key
+fi
+
+if [[ $(stat -c '%U' /var/mail/) != "mailstore" ]]; then
+  chown -R mailstore /var/mail
+fi
+
+exec "$@"
diff --git a/cluster/prod/app/email/build/dovecot/legacy/all_before.sieve b/cluster/prod/app/email/build/dovecot/legacy/all_before.sieve
new file mode 100644
index 0000000..7d2e57e
--- /dev/null
+++ b/cluster/prod/app/email/build/dovecot/legacy/all_before.sieve
@@ -0,0 +1,5 @@
+require ["fileinto", "mailbox"];
+if header :contains "X-Spam-Flag" "YES" {
+    fileinto :create "Junk";
+}
+
diff --git a/cluster/prod/app/email/build/dovecot/legacy/dovecot-ldap.sample.conf b/cluster/prod/app/email/build/dovecot/legacy/dovecot-ldap.sample.conf
new file mode 100644
index 0000000..472d5e8
--- /dev/null
+++ b/cluster/prod/app/email/build/dovecot/legacy/dovecot-ldap.sample.conf
@@ -0,0 +1,8 @@
+hosts = ldap.example.com
+dn = cn=admin,dc=example,dc=com
+dnpass = s3cr3t
+base = dc=example,dc=com
+scope = subtree
+user_filter = (&(mail=%u)(&(objectClass=inetOrgPerson)(memberOf=cn=email,ou=groups,dc=example,dc=com)))
+pass_filter = (&(mail=%u)(&(objectClass=inetOrgPerson)(memberOf=cn=email,ou=groups,dc=example,dc=com)))
+user_attrs = mail=/var/mail/%{ldap:mail}
diff --git a/cluster/prod/app/email/build/dovecot/legacy/report-ham.sieve b/cluster/prod/app/email/build/dovecot/legacy/report-ham.sieve
new file mode 100644
index 0000000..c5a994a
--- /dev/null
+++ b/cluster/prod/app/email/build/dovecot/legacy/report-ham.sieve
@@ -0,0 +1,17 @@
+require ["vnd.dovecot.pipe", "copy", "imapsieve", "environment", "variables", "vnd.dovecot.debug"];
+
+if environment :matches "imap.mailbox" "*" {
+  set "mailbox" "${1}";
+}
+
+if string "${mailbox}" "Trash" {
+  stop;
+}
+
+if environment :matches "imap.user" "*" {
+  set "username" "${1}";
+}
+
+pipe :copy "sa-learn" [ "--ham", "-u", "debian-spamd" ];
+debug_log "ham reported by ${username}";
+
diff --git a/cluster/prod/app/email/build/dovecot/legacy/report-spam.sieve b/cluster/prod/app/email/build/dovecot/legacy/report-spam.sieve
new file mode 100644
index 0000000..1be7389
--- /dev/null
+++ b/cluster/prod/app/email/build/dovecot/legacy/report-spam.sieve
@@ -0,0 +1,9 @@
+require ["vnd.dovecot.pipe", "copy", "imapsieve", "environment", "variables", "vnd.dovecot.debug"];
+
+if environment :matches "imap.user" "*" {
+  set "username" "${1}";
+}
+
+pipe :copy "sa-learn" [ "--spam", "-u", "debian-spamd"];
+debug_log "spam reported by ${username}";
+
diff --git a/cluster/prod/app/email/build/opendkim/Dockerfile b/cluster/prod/app/email/build/opendkim/Dockerfile
new file mode 100644
index 0000000..452d6e8
--- /dev/null
+++ b/cluster/prod/app/email/build/opendkim/Dockerfile
@@ -0,0 +1,9 @@
+FROM amd64/debian:bullseye
+
+RUN apt-get update && \
+    apt-get dist-upgrade -y && \
+    apt-get install -y opendkim opendkim-tools
+
+COPY ./opendkim.conf /etc/opendkim.conf
+COPY ./entrypoint /entrypoint
+CMD ["/entrypoint"] 
diff --git a/cluster/prod/app/email/build/opendkim/README.md b/cluster/prod/app/email/build/opendkim/README.md
new file mode 100644
index 0000000..e146125
--- /dev/null
+++ b/cluster/prod/app/email/build/opendkim/README.md
@@ -0,0 +1,12 @@
+```
+sudo docker build -t superboum/amd64_opendkim:v1 .
+```
+
+```
+sudo docker run -t -i \
+  -v `pwd`/conf:/etc/dkim \
+  -v /dev/log:/dev/log \
+  -p 8999:8999
+  superboum/amd64_opendkim:v1
+  opendkim -f -v -x /etc/opendkim.conf
+```
diff --git a/cluster/prod/app/email/build/opendkim/entrypoint b/cluster/prod/app/email/build/opendkim/entrypoint
new file mode 100755
index 0000000..7a1485c
--- /dev/null
+++ b/cluster/prod/app/email/build/opendkim/entrypoint
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+chown 0:0 /etc/dkim/*
+chown 0:0 /etc/dkim
+chmod 400 /etc/dkim/*
+chmod 700 /etc/dkim
+
+opendkim -f -v -x /etc/opendkim.conf
diff --git a/cluster/prod/app/email/build/opendkim/opendkim.conf b/cluster/prod/app/email/build/opendkim/opendkim.conf
new file mode 100644
index 0000000..0d6465f
--- /dev/null
+++ b/cluster/prod/app/email/build/opendkim/opendkim.conf
@@ -0,0 +1,12 @@
+Syslog			yes
+SyslogSuccess		yes
+LogWhy			yes
+UMask			007
+Mode			sv
+OversignHeaders		From
+TrustAnchorFile       /usr/share/dns/root.key
+KeyTable              refile:/etc/dkim/keytable
+SigningTable          refile:/etc/dkim/signingtable
+ExternalIgnoreList    refile:/etc/dkim/trusted
+InternalHosts	      refile:/etc/dkim/trusted
+Socket                inet:8999
diff --git a/cluster/prod/app/email/build/postfix/Dockerfile b/cluster/prod/app/email/build/postfix/Dockerfile
new file mode 100644
index 0000000..0c74fdc
--- /dev/null
+++ b/cluster/prod/app/email/build/postfix/Dockerfile
@@ -0,0 +1,13 @@
+FROM amd64/debian:buster
+
+ARG VERSION
+
+RUN apt-get update && \
+    apt-get install -y \
+      postfix=$VERSION \
+      postfix-ldap
+
+COPY entrypoint.sh /usr/local/bin/entrypoint
+
+ENTRYPOINT ["/usr/local/bin/entrypoint"]
+CMD ["postfix", "start-fg"]
diff --git a/cluster/prod/app/email/build/postfix/README.md b/cluster/prod/app/email/build/postfix/README.md
new file mode 100644
index 0000000..ac44fc0
--- /dev/null
+++ b/cluster/prod/app/email/build/postfix/README.md
@@ -0,0 +1,18 @@
+```
+sudo docker build -t superboum/amd64_postfix:v1 .
+```
+
+```
+sudo docker run -t -i \
+  -e TLSINFO="/C=FR/ST=Bretagne/L=Rennes/O=Deuxfleurs/CN=smtp.deuxfleurs.fr" \
+  -e MAILNAME="smtp.deuxfleurs.fr" \
+  -p 25:25 \
+  -p 465:465 \
+  -p 587:587 \
+  -v `pwd`/../../ansible/roles/container_conf/files/email/postfix-conf:/etc/postfix-conf \
+  -v /mnt/glusterfs/email/postfix-ssl/private:/etc/ssl/private \
+  -v /mnt/glusterfs/email/postfix-ssl/certs:/etc/ssl/certs \
+  superboum/amd64_postfix:v1 \
+  bash
+```
+
diff --git a/cluster/prod/app/email/build/postfix/entrypoint.sh b/cluster/prod/app/email/build/postfix/entrypoint.sh
new file mode 100755
index 0000000..fcf1a66
--- /dev/null
+++ b/cluster/prod/app/email/build/postfix/entrypoint.sh
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+if [[ ! -f /etc/ssl/certs/postfix.crt || ! -f /etc/ssl/private/postfix.key ]]; then
+  cd /root
+  openssl req \
+    -new \
+    -newkey rsa:4096 \
+    -days 3650 \
+    -nodes \
+    -x509 \
+    -subj ${TLSINFO} \
+    -keyout postfix.key \
+    -out postfix.crt
+  
+  mkdir -p /etc/ssl/{certs,private}/
+
+  cp postfix.crt /etc/ssl/certs/postfix.crt 
+  cp postfix.key /etc/ssl/private/postfix.key 
+  chmod 400 /etc/ssl/certs/postfix.crt 
+  chmod 400 /etc/ssl/private/postfix.key
+fi
+
+# A way to map files inside the postfix folder :s
+for file in $(ls /etc/postfix-conf); do
+  cp /etc/postfix-conf/${file} /etc/postfix/${file}
+done
+
+echo ${MAILNAME} > /etc/mailname
+postmap /etc/postfix/transport
+
+exec "$@"
diff --git a/cluster/prod/app/email/build/sogo/Dockerfile b/cluster/prod/app/email/build/sogo/Dockerfile
new file mode 100644
index 0000000..46880dd
--- /dev/null
+++ b/cluster/prod/app/email/build/sogo/Dockerfile
@@ -0,0 +1,17 @@
+#FROM amd64/debian:stretch as builder
+
+FROM amd64/debian:buster
+
+RUN mkdir ~/.gnupg && echo "disable-ipv6" >> ~/.gnupg/dirmngr.conf
+
+RUN apt-get update && \
+    apt-get install -y apt-transport-https gnupg2 sudo nginx && \
+    rm -rf /etc/nginx/sites-enabled/* && \
+    apt-key adv --keyserver keys.gnupg.net --recv-key 0x810273C4 && \
+    echo "deb http://packages.inverse.ca/SOGo/nightly/5/debian/ buster buster" > /etc/apt/sources.list.d/sogo.list && \
+    apt-get update && \
+    apt-get install -y sogo sogo-activesync sope4.9-gdl1-postgresql postgresql-client
+
+COPY sogo.nginx.conf /etc/nginx/sites-enabled/sogo.conf
+COPY entrypoint /usr/sbin/entrypoint
+ENTRYPOINT ["/usr/sbin/entrypoint"]
diff --git a/cluster/prod/app/email/build/sogo/README.md b/cluster/prod/app/email/build/sogo/README.md
new file mode 100644
index 0000000..ea12245
--- /dev/null
+++ b/cluster/prod/app/email/build/sogo/README.md
@@ -0,0 +1,20 @@
+```
+docker build -t superboum/amd64_sogo:v6 .
+
+# privileged is only for debug
+docker run --rm -ti \
+  --privileged \
+  -p 8080:8080 \
+  -v /tmp/sogo/log:/var/log/sogo \
+  -v /tmp/sogo/run:/var/run/sogo \
+  -v /tmp/sogo/spool:/var/spool/sogo \
+  -v /tmp/sogo/tmp:/tmp \
+  -v `pwd`/sogo:/etc/sogo:ro \
+  superboum/amd64_sogo:v1
+```
+
+Password must be url encoded in sogo.conf for postgres
+Will need a nginx instance: http://wiki.sogo.nu/nginxSettings
+
+Might (or might not) be needed:
+traefik.frontend.headers.customRequestHeaders=x-webobjects-server-port:443||x-webobjects-server-name=sogo.deuxfleurs.fr||x-webobjects-server-url:https://sogo.deuxfleurs.fr
diff --git a/cluster/prod/app/email/build/sogo/entrypoint b/cluster/prod/app/email/build/sogo/entrypoint
new file mode 100755
index 0000000..8b39def
--- /dev/null
+++ b/cluster/prod/app/email/build/sogo/entrypoint
@@ -0,0 +1,13 @@
+#!/bin/bash
+mkdir -p /var/log/sogo
+mkdir -p /var/run/sogo
+mkdir -p /var/spool/sogo
+chown sogo /var/log/sogo
+chown sogo /var/run/sogo
+chown sogo /var/spool/sogo
+
+nginx -g 'daemon on; master_process on;'
+sudo -u sogo memcached -d
+sudo -u sogo sogod
+sleep 10
+tail -n200 -f /var/log/sogo/sogo.log
diff --git a/cluster/prod/app/email/build/sogo/sogo.nginx.conf b/cluster/prod/app/email/build/sogo/sogo.nginx.conf
new file mode 100644
index 0000000..ad920a5
--- /dev/null
+++ b/cluster/prod/app/email/build/sogo/sogo.nginx.conf
@@ -0,0 +1,83 @@
+server {
+  listen 8080;
+  server_name default_server; 
+  root /usr/lib/GNUstep/SOGo/WebServerResources/; 
+
+  ## requirement to create new calendars in Thunderbird ##
+  proxy_http_version 1.1;
+
+  # Message size limit
+  client_max_body_size 50m;
+  client_body_buffer_size 128k;
+
+  location = / {
+    rewrite ^ '/SOGo'; 
+    allow all; 
+  }
+
+  location = /principals/ {
+    rewrite ^ '/SOGo/dav'; 
+    allow all; 
+  }
+
+  location ^~/SOGo {
+    proxy_pass 'http://127.0.0.1:20000'; 
+    proxy_redirect 'http://127.0.0.1:20000' default; 
+    # forward user's IP address 
+    proxy_set_header X-Real-IP $remote_addr; 
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
+    proxy_set_header Host $host; 
+    proxy_set_header x-webobjects-server-protocol HTTP/1.0; 
+    proxy_set_header x-webobjects-remote-host 127.0.0.1; 
+    proxy_set_header x-webobjects-server-name $server_name; 
+    proxy_set_header x-webobjects-server-url $scheme://$host; 
+    proxy_set_header x-webobjects-server-port $server_port; 
+    proxy_connect_timeout 90;
+    proxy_send_timeout 90;
+    proxy_read_timeout 90;
+    proxy_buffer_size 4k;
+    proxy_buffers 4 32k;
+    proxy_busy_buffers_size 64k;
+    proxy_temp_file_write_size 64k;
+    break;
+  }
+
+  location /SOGo.woa/WebServerResources/ {
+    alias /usr/lib/GNUstep/SOGo/WebServerResources/;
+    allow all;
+    expires max;
+  }
+
+  location /SOGo/WebServerResources/ {
+    alias /usr/lib/GNUstep/SOGo/WebServerResources/; 
+    allow all;
+    expires max;
+  }
+
+  location (^/SOGo/so/ControlPanel/Products/([^/]*)/Resources/(.*)$) {
+    alias /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2;
+    expires max;
+  }
+
+  location (^/SOGo/so/ControlPanel/Products/[^/]*UI/Resources/.*\.(jpg|png|gif|css|js)$) {
+    alias /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2;
+    expires max;
+  }
+
+  location ^~ /Microsoft-Server-ActiveSync {
+    access_log /var/log/nginx/activesync.log;
+    error_log  /var/log/nginx/activesync-error.log;
+      
+    proxy_connect_timeout 75;
+    proxy_send_timeout 3600;
+    proxy_read_timeout 3600;
+    proxy_buffers 64 256k;
+      
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      
+    proxy_pass http://127.0.0.1:20000/SOGo/Microsoft-Server-ActiveSync;
+    proxy_redirect http://127.0.0.1:20000/SOGo/Microsoft-Server-ActiveSync /;
+  }
+}