diff --git a/bin/quickstart.sh b/bin/quickstart.sh
--- a/bin/quickstart.sh
+++ b/bin/quickstart.sh
@@ -83,7 +83,7 @@
 npm run dev
 popd
-docker-compose up -d worker
+docker-compose up -d worker nginx
 pushd ${base_dir}/src/
 rm -rf database/database.sqlite
diff --git a/bin/regen-certs b/bin/regen-certs
--- a/bin/regen-certs
+++ b/bin/regen-certs
@@ -32,7 +32,7 @@
 export $(cat ${base_dir}/src/.env | xargs) >/dev/null 2>&1
-for name in kolab.mgmt.com kolab.hosted.com {{admin,meet}.,}${APP_DOMAIN}; do
+for name in kolab.mgmt.com kolab.hosted.com imap.hosted.com {{admin,meet}.,}${APP_DOMAIN}; do
 openssl genrsa -out ${cert_dir}/${name}.key 4096
 openssl req \
diff --git a/docker-compose.yml b/docker-compose.yml
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -103,6 +103,29 @@
 tty: true
 volumes:
 - /etc/letsencrypt/:/etc/letsencrypt/:ro
+ nginx:
+ build:
+ context: ./docker/nginx/
+ args:
+ NGINX_AUTH_WEBHOOK: ${APP_DOMAIN}/api/webhooks/nginx
+ container_name: kolab-nginx
+ depends_on:
+ kolab:
+ condition: service_healthy
+ hostname: nginx.hosted.com
+ image: kolab-nginx
+ network_mode: host
+ tmpfs:
+ - /run
+ - /tmp
+ - /var/run
+ - /var/tmp
+ tty: true
+ volumes:
+ - /etc/letsencrypt/:/etc/letsencrypt/:ro
+ - ./docker/certs/imap.hosted.com.cert:/etc/pki/tls/certs/imap.hosted.com.cert
+ - ./docker/certs/imap.hosted.com.key:/etc/pki/tls/private/imap.hosted.com.key
+ - /sys/fs/cgroup:/sys/fs/cgroup:ro
 proxy:
 build:
 context: ./docker/proxy/
diff --git a/docker/kolab/Dockerfile b/docker/kolab/Dockerfile
--- a/docker/kolab/Dockerfile
+++ b/docker/kolab/Dockerfile
@@ -77,4 +77,4 @@
 CMD ["/lib/systemd/systemd"]
-EXPOSE 21/tcp 22/tcp 25/tcp 53/tcp 53/udp 80/tcp 110/tcp 143/tcp 389/tcp 443/tcp 465/tcp 587/tcp 993/tcp 995/tcp 5353/udp 8880/tcp 8443/tcp 8447/tcp
+EXPOSE 21/tcp 22/tcp 25/tcp 53/tcp 53/udp 80/tcp 110/tcp 389/tcp 443/tcp 995/tcp 5353/udp 8880/tcp 8443/tcp 8447/tcp 10143/tcp 10465/tcp 10587/tcp 11143/tcp 11993/tcp
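Review bot: The `NGINX_AUTH_WEBHOOK: ${APP_DOMAIN}/api/webhooks/nginx` build arg bakes the authentication endpoint into the image, and because nginx's `auth_http` speaks plain HTTP only, every proxied login's credentials travel unencrypted to whatever `${APP_DOMAIN}` resolves to; unless that is a loopback or host-local address the value should point at the local backend instead, e.g. `NGINX_AUTH_WEBHOOK: 127.0.0.1:8000/api/webhooks/nginx`, and a comment next to the arg should say so. `network_mode: host` binds the proxy's mail listeners on every host interface outside Docker's port mapping, so the exposure is no longer visible in this file; an explicit `ports:` list for 143/465/587/993 would keep it auditable, assuming the backend is reachable without host networking (not visible here). The `imap.hosted.com.cert` bind mount assumes `bin/regen-certs` writes a file with that exact suffix into `./docker/certs/`, but the regen-certs hunk in this commit only shows the `${name}.key` output, so the `.cert` name is worth confirming.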
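Review bot: The new `EXPOSE` line advertises `10143/tcp`, which none of the listeners introduced by this commit's `docker/kolab/utils/10-change-port-numbers.sh` bind (they use 11143, 12143, 13143, 11993, 10465 and 10587), while 12143, the Cyrus `nginx` service the proxy is presumably routed to, is not listed. All of those listeners bind `127.0.0.1`, so `EXPOSE` is documentary only, but it should at least match what is configured, e.g. `EXPOSE ... 8447/tcp 10465/tcp 10587/tcp 11143/tcp 11993/tcp 12143/tcp`; whether the proxy can reach loopback-bound ports at all depends on the kolab service's network mode, which is outside this diff.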
diff --git a/docker/kolab/kolab-init.sh b/docker/kolab/kolab-init.sh
--- a/docker/kolab/kolab-init.sh
+++ b/docker/kolab/kolab-init.sh
@@ -17,6 +17,7 @@
 ./07-adjust-base-dns.sh && echo "07 done"
 ./08-disable-amavisd.sh && echo "08 done"
 ./09-enable-debugging.sh && echo "09 done"
+./10-change-port-numbers.sh && echo "10 done"
 ./10-reset-kolab-service-password.sh && echo "10 done"
 ./11-reset-cyrus-admin-password.sh && echo "11 done"
 ./12-create-hosted-kolab-service.sh && echo "12 done"
diff --git a/docker/kolab/utils/10-change-port-numbers.sh b/docker/kolab/utils/10-change-port-numbers.sh
new file mode 100755
--- /dev/null
+++ b/docker/kolab/utils/10-change-port-numbers.sh
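Review bot: The added step reuses both the `10` prefix and the `echo "10 done"` marker of the existing `./10-reset-kolab-service-password.sh` line, so the init log now prints `10 done` twice and a failure of either script cannot be told apart. The `&& echo` chain already lets a failing step fall through silently, which makes an unambiguous marker the only diagnostic; at minimum use `./10-change-port-numbers.sh && echo "10-change-port-numbers done"`, or renumber the script (e.g. `09a-`) so ordering and logging stay distinct. The script body containing this step list continues outside the hunk.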
@@ -0,0 +1,143 @@
+#!/bin/bash
+
+sed -i -r \
+ -e '/allowplaintext/ a\
+guam_allowplaintext: yes' \
+ -e '/allowplaintext/ a\
+nginx_allowplaintext: yes' \
+ /etc/imapd.conf
+
+sed -i \
+ -e '/SERVICES/ a\
+ nginx cmd="imapd" listen=127.0.0.1:12143 prefork=1' \
+ -e '/SERVICES/ a\
+ guam cmd="imapd" listen=127.0.0.1:13143 prefork=1' \
+ -e '/SERVICES/ a\
+ imap cmd="imapd" listen=127.0.0.1:11143 prefork=1' \
+ -e 's/listen="127.0.0.1:9993"/listen=127.0.0.1:11993/g' \
+ /etc/cyrus.conf
+
+systemctl restart cyrus-imapd
+
+sed -i -e '/submission/,10d' /etc/postfix/master.cf
+
+cat >> /etc/postfix/master.cf << EOF
+127.0.0.1:10587 inet n - n - - smtpd
+ -o cleanup_service_name=cleanup_submission
+ -o syslog_name=postfix/submission
+ #-o smtpd_tls_security_level=encrypt
+ -o smtpd_sasl_auth_enable=yes
+ -o smtpd_sasl_authenticated_header=yes
+ -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+ -o smtpd_data_restrictions=\$submission_data_restrictions
+ -o smtpd_recipient_restrictions=\$submission_recipient_restrictions
+ -o smtpd_sender_restrictions=\$submission_sender_restrictions
+
+127.0.0.1:10465 inet n - n - - smtpd
+ -o cleanup_service_name=cleanup_submission
+ -o rewrite_service_name=rewrite_submission
+ -o syslog_name=postfix/smtps
+ -o mydestination=
+ -o local_recipient_maps=
+ -o relay_domains=
+ -o relay_recipient_maps=
+ #-o smtpd_tls_wrappermode=yes
+ -o smtpd_sasl_auth_enable=yes
+ -o smtpd_sasl_authenticated_header=yes
+ -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+ -o smtpd_sender_restrictions=\$submission_sender_restrictions
+ -o smtpd_recipient_restrictions=\$submission_recipient_restrictions
+ -o smtpd_data_restrictions=\$submission_data_restrictions
+EOF
+
+systemctl restart postfix
+
+cat > /etc/guam/sys.config << EOF
+%% Example configuration for Guam.
+[
+ {
+ kolab_guam, [
+ {
+ imap_servers, [
+ {
+ imap, [
+ { host, "127.0.0.1" },
+ { port, 13143 },
+ { tls, no }
+ ]
+ },
+ {
+ imaps, [
+ { host, "127.0.0.1" },
+ { port, 11993 },
+ { tls, true }
+ ]
+ }
+ ]
+ },
+ {
+ listeners, [
+ {
+ imap, [
+ { port, 9143 },
+ { imap_server, imap },
+ {
+ rules, [
+ { filter_groupware, [] }
+ ]
+ },
+ {
+ tls_config, [
+ { certfile, "/etc/pki/cyrus-imapd/cyrus-imapd.pem" }
+ ]
+ }
+ ]
+ },
+ {
+ imaps, [
+ { port, 9993 },
+ { implicit_tls, true },
+ { imap_server, imaps },
+ {
+ rules, [
+ { filter_groupware, [] }
+ ]
+ },
+ {
+ tls_config, [
+ { certfile, "/etc/pki/cyrus-imapd/cyrus-imapd.pem" }
+ ]
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ },
+
+ {
+ lager, [
+ {
+ handlers, [
+ { lager_console_backend, warning },
+ { lager_file_backend, [ { file, "log/error.log"}, { level, error } ] },
+ { lager_file_backend, [ { file, "log/console.log"}, { level, info } ] }
+ ]
+ }
+ ]
+ },
+
+ %% SASL config
+ {
+ sasl, [
+ { sasl_error_logger, { file, "log/sasl-error.log" } },
+ { errlog_type, error },
+ { error_logger_mf_dir, "log/sasl" }, % Log directory
+ { error_logger_mf_maxbytes, 10485760 }, % 10 MB max file size
+ { error_logger_mf_maxfiles, 5 } % 5 files max
+ ]
+ }
+].
+EOF
+
+systemctl restart guam
diff --git a/docker/kolab/utils/18-adjust-kolab-conf.sh b/docker/kolab/utils/18-adjust-kolab-conf.sh
--- a/docker/kolab/utils/18-adjust-kolab-conf.sh
+++ b/docker/kolab/utils/18-adjust-kolab-conf.sh
@@ -16,6 +16,7 @@
 -e "/^\[kolab_wap\]/ a\
 api_url = http://127.0.0.1/kolab-webadmin/api" \
 -e 's/^auth_attributes.*$/auth_attributes = mail, uid/g' \
+ -e 's|^uri = imaps.*$|uri = imaps://127.0.0.1:11993|g' \
 /etc/kolab/kolab.conf
 service kolabd restart
diff --git a/docker/nginx/Dockerfile b/docker/nginx/Dockerfile
new file mode 100644
--- /dev/null
+++ b/docker/nginx/Dockerfile
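Review bot: `sed -i -e '/submission/,10d' /etc/postfix/master.cf` deletes from the first line matching `submission` up to absolute line 10 of the file, not the ten lines following the match; when the submission stanza sits below line 10, which is the usual layout, only the individual lines containing that word are removed and the stanza's remaining `-o` continuation lines are left dangling under whatever service precedes them. If the intent is to drop the whole stanza, use a relative end address, `sed -i -e '/^submission/,+10d' /etc/postfix/master.cf` (GNU sed), or a pattern anchored on the stanza's last line. The script runs without `set -euo pipefail` and is not idempotent: each run re-appends the `allowplaintext` and `SERVICES` insertions and the `cat >>` block to master.cf, so a guard such as `grep -q '127.0.0.1:10587' /etc/postfix/master.cf || cat >> /etc/postfix/master.cf << EOF` is worth adding before the append. A header comment stating that the new 10465/10587 Postfix and 11143/12143/13143 Cyrus listeners are loopback-only, accept SASL logins in the clear because the `smtpd_tls_*` options are commented out, and rely on the nginx mail proxy for transport encryption would record that security assumption for the next maintainer.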
@@ -0,0 +1,54 @@
+FROM fedora:31
+
+MAINTAINER Jeroen van Meeuwen
+
+ENV container docker
+ENV SYSTEMD_PAGER=''
+
+ARG NGINX_AUTH_WEBHOOK
+
+RUN dnf -y install \
+ --setopt 'tsflags=nodocs' \
+ bash-completion \
+ bind-utils \
+ certbot \
+ curl \
+ dhcp-client \
+ git \
+ iproute \
+ iptraf-ng \
+ iputils \
+ less \
+ lsof \
+ mtr \
+ net-tools \
+ NetworkManager \
+ NetworkManager-tui \
+ network-scripts \
+ nginx \
+ nginx-mod-mail \
+ nmap-ncat \
+ openssh-clients \
+ openssh-server \
+ procps-ng \
+ python3-certbot-nginx \
+ strace \
+ systemd-udev \
+ tcpdump \
+ telnet \
+ traceroute \
+ vim-enhanced \
+ wget && \
+ dnf clean all
+
+RUN sed -i -r -e 's/^SELINUX=.*$/SELINUX=permissive/g' /etc/selinux/config 2>/dev/null || :
+
+COPY nginx.conf /etc/nginx/nginx.conf
+RUN sed -i -r -e "s|^.*auth_http.*$| auth_http $NGINX_AUTH_WEBHOOK;|g" /etc/nginx/nginx.conf
+
+RUN systemctl enable nginx
+
+CMD ["/lib/systemd/systemd", "--system"]
+ENTRYPOINT "/lib/systemd/systemd"
+
+EXPOSE 110/tcp 143/tcp 993/tcp 995/tcp
diff --git a/docker/nginx/nginx.conf b/docker/nginx/nginx.conf
new file mode 100644
--- /dev/null
+++ b/docker/nginx/nginx.conf
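Review bot: `ENTRYPOINT "/lib/systemd/systemd"` is the shell form, so the container starts `/bin/sh -c "/lib/systemd/systemd"`, systemd is not PID 1, and the preceding `CMD ["/lib/systemd/systemd", "--system"]` is ignored entirely; use the exec form `ENTRYPOINT ["/lib/systemd/systemd", "--system"]` and drop the CMD line. `EXPOSE 110/tcp 143/tcp 993/tcp 995/tcp` does not match the `nginx.conf` added in this commit, which defines servers on 143, 465, 587 and 993 and no POP3 server at all, so `EXPOSE 143/tcp 465/tcp 587/tcp 993/tcp` is what the image actually serves. The package list puts openssh-server, tcpdump, strace, nmap-ncat, telnet and NetworkManager into a proxy that runs with host networking; that tooling enlarges the attack surface of an internet-facing container and belongs in a separate debug image. `$NGINX_AUTH_WEBHOOK` is expanded unquoted into the sed expression, so a value containing `|` or `&` silently corrupts the rewrite, and `MAINTAINER` is deprecated in favour of `LABEL maintainer="..."`.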
@@ -0,0 +1,72 @@
+user nginx;
+worker_processes auto;
+error_log /var/log/nginx/error.log debug;
+pid /run/nginx.pid;
+
+# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
+include /usr/share/nginx/modules/*.conf;
+
+events {
+ worker_connections 1024;
+}
+
+mail {
+ server_name imap.hosted.com;
+ auth_http 127.0.0.1:8000/api/webhooks/nginx;
+
+ proxy_pass_error_message on;
+
+ server {
+ listen 143;
+ protocol imap;
+
+ proxy on;
+ starttls on;
+
+ ssl_certificate /etc/pki/tls/certs/imap.hosted.com.cert;
+ ssl_certificate_key /etc/pki/tls/private/imap.hosted.com.key;
+
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers HIGH:!aNULL:!MD5;
+ }
+
+ server {
+ listen 465 ssl;
+ protocol smtp;
+
+ proxy on;
+
+ ssl_certificate /etc/pki/tls/certs/imap.hosted.com.cert;
+ ssl_certificate_key /etc/pki/tls/private/imap.hosted.com.key;
+
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers HIGH:!aNULL:!MD5;
+ }
+
+ server {
+ listen 587;
+ protocol smtp;
+
+ proxy on;
+ starttls on;
+
+ ssl_certificate /etc/pki/tls/certs/imap.hosted.com.cert;
+ ssl_certificate_key /etc/pki/tls/private/imap.hosted.com.key;
+
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers HIGH:!aNULL:!MD5;
+ }
+
+ server {
+ listen 993 ssl;
+ protocol imap;
+
+ proxy on;
+
+ ssl_certificate /etc/pki/tls/certs/imap.hosted.com.cert;
+ ssl_certificate_key /etc/pki/tls/private/imap.hosted.com.key;
+
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers HIGH:!aNULL:!MD5;
+ }
+}
diff --git a/src/.env.example b/src/.env.example
--- a/src/.env.example
+++ b/src/.env.example
@@ -46,7 +46,7 @@
 MFA_TOTP_INTERVAL=30
 MFA_TOTP_DIGEST=sha1
-IMAP_URI=ssl://127.0.0.1:993
+IMAP_URI=ssl://127.0.0.1:11993
 IMAP_ADMIN_LOGIN=cyrus-admin
 IMAP_ADMIN_PASSWORD=Welcome2KolabSystems
 IMAP_VERIFY_HOST=false
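Review bot: The `listen 143` and `listen 587` servers use `starttls on;`, which still lets a client send its login before upgrading the connection, so credentials can cross the network in the clear; since TLS is terminated here and the backends behind the proxy are plaintext anyway, `starttls only;` is the safer setting for both. `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;`, repeated in all four servers, re-enables deprecated TLS 1.0/1.1; `ssl_protocols TLSv1.2;` (plus `TLSv1.3` if the installed nginx/OpenSSL supports it) is the current baseline, and the four identical `ssl_*` stanzas could be stated once at `mail` level. `error_log /var/log/nginx/error.log debug;` is very verbose for a production mail proxy and may record details of each authentication exchange; `warn` is the usual default. `auth_http 127.0.0.1:8000/api/webhooks/nginx;` carries each login's credentials over plain HTTP, which is acceptable only while the endpoint stays on loopback — the Dockerfile in this commit rewrites this line from the `NGINX_AUTH_WEBHOOK` build arg, so a comment here noting that constraint would help whoever changes that arg.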