diff options
author | Quentin Dufour <quentin@deuxfleurs.fr> | 2022-08-25 04:39:44 +0200 |
---|---|---|
committer | Quentin Dufour <quentin@deuxfleurs.fr> | 2022-08-25 04:39:44 +0200 |
commit | ec0e483d99200bda02547e425fb5d08697f6156a (patch) | |
tree | 7d35c9e24d96a2c178a0c4d7322ec7dd124db2b2 /cluster/prod/app/email/build | |
parent | ea1b0e9d19d0e1457fa6f6aee593f56d4347ae32 (diff) | |
download | nixcfg-ec0e483d99200bda02547e425fb5d08697f6156a.tar.gz nixcfg-ec0e483d99200bda02547e425fb5d08697f6156a.zip |
Add email support
Diffstat (limited to 'cluster/prod/app/email/build')
21 files changed, 393 insertions, 0 deletions
diff --git a/cluster/prod/app/email/build/alps/Dockerfile b/cluster/prod/app/email/build/alps/Dockerfile new file mode 100644 index 0000000..92b1f14 --- /dev/null +++ b/cluster/prod/app/email/build/alps/Dockerfile @@ -0,0 +1,20 @@ +FROM golang:1.15.6-buster as builder + +ARG VERSION + +ENV CGO_ENABLED=0 GOOS=linux GOARCH=amd64 +WORKDIR /tmp/alps + +RUN git init && \ + git remote add origin https://git.deuxfleurs.fr/Deuxfleurs/alps.git && \ + git fetch --depth 1 origin ${VERSION} && \ + git checkout FETCH_HEAD + +RUN go build -a -o /usr/local/bin/alps ./cmd/alps + +FROM scratch +COPY --from=builder /usr/local/bin/alps /alps +COPY --from=builder /tmp/alps/themes /themes +COPY --from=builder /tmp/alps/plugins /plugins +COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt +ENTRYPOINT ["/alps"] diff --git a/cluster/prod/app/email/build/docker-compose.yml b/cluster/prod/app/email/build/docker-compose.yml new file mode 100644 index 0000000..0826142 --- /dev/null +++ b/cluster/prod/app/email/build/docker-compose.yml @@ -0,0 +1,36 @@ +version: '3.4' +services: + + # Email + sogo: + build: + context: ./sogo + args: + # fake for now + VERSION: 5.0.0 + image: superboum/amd64_sogo:v7 + + alps: + build: + context: ./alps + args: + VERSION: 9bafa64b9d + image: superboum/amd64_alps:v1 + + dovecot: + build: + context: ./dovecot + image: superboum/amd64_dovecot:v6 + + postfix: + build: + context: ./postfix + args: + # https://packages.debian.org/fr/buster/postfix + VERSION: 3.4.14-0+deb10u1 + image: superboum/amd64_postfix:v3 + + opendkim: + build: + context: ./opendkim + image: superboum/amd64_opendkim:v6 diff --git a/cluster/prod/app/email/build/dovecot/.gitignore b/cluster/prod/app/email/build/dovecot/.gitignore new file mode 100644 index 0000000..71a04e2 --- /dev/null +++ b/cluster/prod/app/email/build/dovecot/.gitignore @@ -0,0 +1 @@ +dovecot-ldap.conf diff --git a/cluster/prod/app/email/build/dovecot/Dockerfile b/cluster/prod/app/email/build/dovecot/Dockerfile new file mode 100644 index 0000000..cd1fd0d --- /dev/null +++ b/cluster/prod/app/email/build/dovecot/Dockerfile @@ -0,0 +1,16 @@ +FROM amd64/debian:bullseye + +RUN apt-get update && \ + apt-get install -y \ + dovecot-antispam \ + dovecot-core \ + dovecot-imapd \ + dovecot-ldap \ + dovecot-managesieved \ + dovecot-sieve \ + dovecot-lmtpd && \ + rm -rf /etc/dovecot/* +RUN useradd mailstore +COPY entrypoint.sh /usr/local/bin/entrypoint + +ENTRYPOINT ["/usr/local/bin/entrypoint"] diff --git a/cluster/prod/app/email/build/dovecot/README.md b/cluster/prod/app/email/build/dovecot/README.md new file mode 100644 index 0000000..8c9f372 --- /dev/null +++ b/cluster/prod/app/email/build/dovecot/README.md @@ -0,0 +1,18 @@ +``` +sudo docker build -t superboum/amd64_dovecot:v2 . +``` + + +``` +sudo docker run -t -i \ + -e TLSINFO="/C=FR/ST=Bretagne/L=Rennes/O=Deuxfleurs/CN=www.deuxfleurs.fr" \ + -p 993:993 \ + -p 143:143 \ + -p 24:24 \ + -p 1337:1337 \ + -v /mnt/glusterfs/email/ssl:/etc/ssl/ \ + -v /mnt/glusterfs/email/mail:/var/mail \ + -v `pwd`/dovecot-ldap.conf:/etc/dovecot/dovecot-ldap.conf \ + superboum/amd64_dovecot:v1 \ + dovecot -F +``` diff --git a/cluster/prod/app/email/build/dovecot/entrypoint.sh b/cluster/prod/app/email/build/dovecot/entrypoint.sh new file mode 100755 index 0000000..2165d8f --- /dev/null +++ b/cluster/prod/app/email/build/dovecot/entrypoint.sh @@ -0,0 +1,27 @@ +#!/bin/bash + +if [[ ! -f /etc/ssl/certs/dovecot.crt || ! -f /etc/ssl/private/dovecot.key ]]; then + cd /root + openssl req \ + -new \ + -newkey rsa:4096 \ + -days 3650 \ + -nodes \ + -x509 \ + -subj ${TLSINFO} \ + -keyout dovecot.key \ + -out dovecot.crt + + mkdir -p /etc/ssl/{certs,private}/ + + cp dovecot.crt /etc/ssl/certs/dovecot.crt + cp dovecot.key /etc/ssl/private/dovecot.key + chmod 400 /etc/ssl/certs/dovecot.crt + chmod 400 /etc/ssl/private/dovecot.key +fi + +if [[ $(stat -c '%U' /var/mail/) != "mailstore" ]]; then + chown -R mailstore /var/mail +fi + +exec "$@" diff --git a/cluster/prod/app/email/build/dovecot/legacy/all_before.sieve b/cluster/prod/app/email/build/dovecot/legacy/all_before.sieve new file mode 100644 index 0000000..7d2e57e --- /dev/null +++ b/cluster/prod/app/email/build/dovecot/legacy/all_before.sieve @@ -0,0 +1,5 @@ +require ["fileinto", "mailbox"]; +if header :contains "X-Spam-Flag" "YES" { + fileinto :create "Junk"; +} + diff --git a/cluster/prod/app/email/build/dovecot/legacy/dovecot-ldap.sample.conf b/cluster/prod/app/email/build/dovecot/legacy/dovecot-ldap.sample.conf new file mode 100644 index 0000000..472d5e8 --- /dev/null +++ b/cluster/prod/app/email/build/dovecot/legacy/dovecot-ldap.sample.conf @@ -0,0 +1,8 @@ +hosts = ldap.example.com +dn = cn=admin,dc=example,dc=com +dnpass = s3cr3t +base = dc=example,dc=com +scope = subtree +user_filter = (&(mail=%u)(&(objectClass=inetOrgPerson)(memberOf=cn=email,ou=groups,dc=example,dc=com))) +pass_filter = (&(mail=%u)(&(objectClass=inetOrgPerson)(memberOf=cn=email,ou=groups,dc=example,dc=com))) +user_attrs = mail=/var/mail/%{ldap:mail} diff --git a/cluster/prod/app/email/build/dovecot/legacy/report-ham.sieve b/cluster/prod/app/email/build/dovecot/legacy/report-ham.sieve new file mode 100644 index 0000000..c5a994a --- /dev/null +++ b/cluster/prod/app/email/build/dovecot/legacy/report-ham.sieve @@ -0,0 +1,17 @@ +require ["vnd.dovecot.pipe", "copy", "imapsieve", "environment", "variables", "vnd.dovecot.debug"]; + +if environment :matches "imap.mailbox" "*" { + set "mailbox" "${1}"; +} + +if string "${mailbox}" "Trash" { + stop; +} + +if environment :matches "imap.user" "*" { + set "username" "${1}"; +} + +pipe :copy "sa-learn" [ "--ham", "-u", "debian-spamd" ]; +debug_log "ham reported by ${username}"; + diff --git a/cluster/prod/app/email/build/dovecot/legacy/report-spam.sieve b/cluster/prod/app/email/build/dovecot/legacy/report-spam.sieve new file mode 100644 index 0000000..1be7389 --- /dev/null +++ b/cluster/prod/app/email/build/dovecot/legacy/report-spam.sieve @@ -0,0 +1,9 @@ +require ["vnd.dovecot.pipe", "copy", "imapsieve", "environment", "variables", "vnd.dovecot.debug"]; + +if environment :matches "imap.user" "*" { + set "username" "${1}"; +} + +pipe :copy "sa-learn" [ "--spam", "-u", "debian-spamd"]; +debug_log "spam reported by ${username}"; + diff --git a/cluster/prod/app/email/build/opendkim/Dockerfile b/cluster/prod/app/email/build/opendkim/Dockerfile new file mode 100644 index 0000000..452d6e8 --- /dev/null +++ b/cluster/prod/app/email/build/opendkim/Dockerfile @@ -0,0 +1,9 @@ +FROM amd64/debian:bullseye + +RUN apt-get update && \ + apt-get dist-upgrade -y && \ + apt-get install -y opendkim opendkim-tools + +COPY ./opendkim.conf /etc/opendkim.conf +COPY ./entrypoint /entrypoint +CMD ["/entrypoint"] diff --git a/cluster/prod/app/email/build/opendkim/README.md b/cluster/prod/app/email/build/opendkim/README.md new file mode 100644 index 0000000..e146125 --- /dev/null +++ b/cluster/prod/app/email/build/opendkim/README.md @@ -0,0 +1,12 @@ +``` +sudo docker build -t superboum/amd64_opendkim:v1 . +``` + +``` +sudo docker run -t -i \ + -v `pwd`/conf:/etc/dkim \ + -v /dev/log:/dev/log \ + -p 8999:8999 + superboum/amd64_opendkim:v1 + opendkim -f -v -x /etc/opendkim.conf +``` diff --git a/cluster/prod/app/email/build/opendkim/entrypoint b/cluster/prod/app/email/build/opendkim/entrypoint new file mode 100755 index 0000000..7a1485c --- /dev/null +++ b/cluster/prod/app/email/build/opendkim/entrypoint @@ -0,0 +1,8 @@ +#!/bin/bash + +chown 0:0 /etc/dkim/* +chown 0:0 /etc/dkim +chmod 400 /etc/dkim/* +chmod 700 /etc/dkim + +opendkim -f -v -x /etc/opendkim.conf diff --git a/cluster/prod/app/email/build/opendkim/opendkim.conf b/cluster/prod/app/email/build/opendkim/opendkim.conf new file mode 100644 index 0000000..0d6465f --- /dev/null +++ b/cluster/prod/app/email/build/opendkim/opendkim.conf @@ -0,0 +1,12 @@ +Syslog yes +SyslogSuccess yes +LogWhy yes +UMask 007 +Mode sv +OversignHeaders From +TrustAnchorFile /usr/share/dns/root.key +KeyTable refile:/etc/dkim/keytable +SigningTable refile:/etc/dkim/signingtable +ExternalIgnoreList refile:/etc/dkim/trusted +InternalHosts refile:/etc/dkim/trusted +Socket inet:8999 diff --git a/cluster/prod/app/email/build/postfix/Dockerfile b/cluster/prod/app/email/build/postfix/Dockerfile new file mode 100644 index 0000000..0c74fdc --- /dev/null +++ b/cluster/prod/app/email/build/postfix/Dockerfile @@ -0,0 +1,13 @@ +FROM amd64/debian:buster + +ARG VERSION + +RUN apt-get update && \ + apt-get install -y \ + postfix=$VERSION \ + postfix-ldap + +COPY entrypoint.sh /usr/local/bin/entrypoint + +ENTRYPOINT ["/usr/local/bin/entrypoint"] +CMD ["postfix", "start-fg"] diff --git a/cluster/prod/app/email/build/postfix/README.md b/cluster/prod/app/email/build/postfix/README.md new file mode 100644 index 0000000..ac44fc0 --- /dev/null +++ b/cluster/prod/app/email/build/postfix/README.md @@ -0,0 +1,18 @@ +``` +sudo docker build -t superboum/amd64_postfix:v1 . +``` + +``` +sudo docker run -t -i \ + -e TLSINFO="/C=FR/ST=Bretagne/L=Rennes/O=Deuxfleurs/CN=smtp.deuxfleurs.fr" \ + -e MAILNAME="smtp.deuxfleurs.fr" \ + -p 25:25 \ + -p 465:465 \ + -p 587:587 \ + -v `pwd`/../../ansible/roles/container_conf/files/email/postfix-conf:/etc/postfix-conf \ + -v /mnt/glusterfs/email/postfix-ssl/private:/etc/ssl/private \ + -v /mnt/glusterfs/email/postfix-ssl/certs:/etc/ssl/certs \ + superboum/amd64_postfix:v1 \ + bash +``` + diff --git a/cluster/prod/app/email/build/postfix/entrypoint.sh b/cluster/prod/app/email/build/postfix/entrypoint.sh new file mode 100755 index 0000000..fcf1a66 --- /dev/null +++ b/cluster/prod/app/email/build/postfix/entrypoint.sh @@ -0,0 +1,31 @@ +#!/bin/bash + +if [[ ! -f /etc/ssl/certs/postfix.crt || ! -f /etc/ssl/private/postfix.key ]]; then + cd /root + openssl req \ + -new \ + -newkey rsa:4096 \ + -days 3650 \ + -nodes \ + -x509 \ + -subj ${TLSINFO} \ + -keyout postfix.key \ + -out postfix.crt + + mkdir -p /etc/ssl/{certs,private}/ + + cp postfix.crt /etc/ssl/certs/postfix.crt + cp postfix.key /etc/ssl/private/postfix.key + chmod 400 /etc/ssl/certs/postfix.crt + chmod 400 /etc/ssl/private/postfix.key +fi + +# A way to map files inside the postfix folder :s +for file in $(ls /etc/postfix-conf); do + cp /etc/postfix-conf/${file} /etc/postfix/${file} +done + +echo ${MAILNAME} > /etc/mailname +postmap /etc/postfix/transport + +exec "$@" diff --git a/cluster/prod/app/email/build/sogo/Dockerfile b/cluster/prod/app/email/build/sogo/Dockerfile new file mode 100644 index 0000000..46880dd --- /dev/null +++ b/cluster/prod/app/email/build/sogo/Dockerfile @@ -0,0 +1,17 @@ +#FROM amd64/debian:stretch as builder + +FROM amd64/debian:buster + +RUN mkdir ~/.gnupg && echo "disable-ipv6" >> ~/.gnupg/dirmngr.conf + +RUN apt-get update && \ + apt-get install -y apt-transport-https gnupg2 sudo nginx && \ + rm -rf /etc/nginx/sites-enabled/* && \ + apt-key adv --keyserver keys.gnupg.net --recv-key 0x810273C4 && \ + echo "deb http://packages.inverse.ca/SOGo/nightly/5/debian/ buster buster" > /etc/apt/sources.list.d/sogo.list && \ + apt-get update && \ + apt-get install -y sogo sogo-activesync sope4.9-gdl1-postgresql postgresql-client + +COPY sogo.nginx.conf /etc/nginx/sites-enabled/sogo.conf +COPY entrypoint /usr/sbin/entrypoint +ENTRYPOINT ["/usr/sbin/entrypoint"] diff --git a/cluster/prod/app/email/build/sogo/README.md b/cluster/prod/app/email/build/sogo/README.md new file mode 100644 index 0000000..ea12245 --- /dev/null +++ b/cluster/prod/app/email/build/sogo/README.md @@ -0,0 +1,20 @@ +``` +docker build -t superboum/amd64_sogo:v6 . + +# privileged is only for debug +docker run --rm -ti \ + --privileged \ + -p 8080:8080 \ + -v /tmp/sogo/log:/var/log/sogo \ + -v /tmp/sogo/run:/var/run/sogo \ + -v /tmp/sogo/spool:/var/spool/sogo \ + -v /tmp/sogo/tmp:/tmp \ + -v `pwd`/sogo:/etc/sogo:ro \ + superboum/amd64_sogo:v1 +``` + +Password must be url encoded in sogo.conf for postgres +Will need a nginx instance: http://wiki.sogo.nu/nginxSettings + +Might (or might not) be needed: +traefik.frontend.headers.customRequestHeaders=x-webobjects-server-port:443||x-webobjects-server-name=sogo.deuxfleurs.fr||x-webobjects-server-url:https://sogo.deuxfleurs.fr diff --git a/cluster/prod/app/email/build/sogo/entrypoint b/cluster/prod/app/email/build/sogo/entrypoint new file mode 100755 index 0000000..8b39def --- /dev/null +++ b/cluster/prod/app/email/build/sogo/entrypoint @@ -0,0 +1,13 @@ +#!/bin/bash +mkdir -p /var/log/sogo +mkdir -p /var/run/sogo +mkdir -p /var/spool/sogo +chown sogo /var/log/sogo +chown sogo /var/run/sogo +chown sogo /var/spool/sogo + +nginx -g 'daemon on; master_process on;' +sudo -u sogo memcached -d +sudo -u sogo sogod +sleep 10 +tail -n200 -f /var/log/sogo/sogo.log diff --git a/cluster/prod/app/email/build/sogo/sogo.nginx.conf b/cluster/prod/app/email/build/sogo/sogo.nginx.conf new file mode 100644 index 0000000..ad920a5 --- /dev/null +++ b/cluster/prod/app/email/build/sogo/sogo.nginx.conf @@ -0,0 +1,83 @@ +server { + listen 8080; + server_name default_server; + root /usr/lib/GNUstep/SOGo/WebServerResources/; + + ## requirement to create new calendars in Thunderbird ## + proxy_http_version 1.1; + + # Message size limit + client_max_body_size 50m; + client_body_buffer_size 128k; + + location = / { + rewrite ^ '/SOGo'; + allow all; + } + + location = /principals/ { + rewrite ^ '/SOGo/dav'; + allow all; + } + + location ^~/SOGo { + proxy_pass 'http://127.0.0.1:20000'; + proxy_redirect 'http://127.0.0.1:20000' default; + # forward user's IP address + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Host $host; + proxy_set_header x-webobjects-server-protocol HTTP/1.0; + proxy_set_header x-webobjects-remote-host 127.0.0.1; + proxy_set_header x-webobjects-server-name $server_name; + proxy_set_header x-webobjects-server-url $scheme://$host; + proxy_set_header x-webobjects-server-port $server_port; + proxy_connect_timeout 90; + proxy_send_timeout 90; + proxy_read_timeout 90; + proxy_buffer_size 4k; + proxy_buffers 4 32k; + proxy_busy_buffers_size 64k; + proxy_temp_file_write_size 64k; + break; + } + + location /SOGo.woa/WebServerResources/ { + alias /usr/lib/GNUstep/SOGo/WebServerResources/; + allow all; + expires max; + } + + location /SOGo/WebServerResources/ { + alias /usr/lib/GNUstep/SOGo/WebServerResources/; + allow all; + expires max; + } + + location (^/SOGo/so/ControlPanel/Products/([^/]*)/Resources/(.*)$) { + alias /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2; + expires max; + } + + location (^/SOGo/so/ControlPanel/Products/[^/]*UI/Resources/.*\.(jpg|png|gif|css|js)$) { + alias /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2; + expires max; + } + + location ^~ /Microsoft-Server-ActiveSync { + access_log /var/log/nginx/activesync.log; + error_log /var/log/nginx/activesync-error.log; + + proxy_connect_timeout 75; + proxy_send_timeout 3600; + proxy_read_timeout 3600; + proxy_buffers 64 256k; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + proxy_pass http://127.0.0.1:20000/SOGo/Microsoft-Server-ActiveSync; + proxy_redirect http://127.0.0.1:20000/SOGo/Microsoft-Server-ActiveSync /; + } +} |