diff --git a/docker/kolab/Dockerfile b/docker/kolab/Dockerfile index fe6b4550..b16c40c2 100644 --- a/docker/kolab/Dockerfile +++ b/docker/kolab/Dockerfile 
@@ -1,83 +1,91 @@ FROM almalinux:8 LABEL maintainer="contact@apheleia-it.ch" LABEL dist=centos8 LABEL tier=${TIER} ENV SYSTEMD_PAGER='' ENV DISTRO=centos8 ENV LANG=en_US.utf8 ENV LC_ALL=en_US.utf8 # Add EPEL. RUN dnf -y install dnf-plugin-config-manager && \ dnf config-manager --set-enabled powertools && \ dnf -y install epel-release && \ dnf -y module enable 389-ds:1.4/default && \ dnf -y module enable mariadb:10.3 && \ dnf -y install iputils vim-enhanced bind-utils && \ dnf clean all RUN rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8 # Install kolab RUN rpm --import https://mirror.apheleia-it.ch/repos/Kolab:/16/key.asc && \ rpm -Uvh https://mirror.apheleia-it.ch/repos/Kolab:/16/kolab-16-for-el8.rpm RUN sed -i -e '/^ssl/d' /etc/yum.repos.d/kolab*.repo && \ dnf config-manager --enable kolab-16-testing &&\ - dnf -y --setopt tsflags= install kolab patch &&\ + dnf -y --setopt tsflags= install kolab kolab-webadmin patch &&\ dnf clean all COPY kolab-init.service /etc/systemd/system/kolab-init.service COPY kolab-setenv.service /etc/systemd/system/kolab-setenv.service COPY utils /root/utils RUN systemctl disable dnf-makecache.timer dbus; systemctl enable kolab-setenv kolab-init RUN sed -i -r -e 's/^SELINUX=.*$/SELINUX=permissive/g' /etc/selinux/config 2>/dev/null || : COPY /rootfs / COPY kolab-init.sh /usr/local/sbin/ RUN chmod 750 /usr/local/sbin/kolab-init.sh COPY kolab.conf /etc/kolab/kolab.conf COPY cyrus.conf /etc/cyrus.conf COPY imapd.conf /etc/imapd.conf COPY imapd.annotations.conf /etc/imapd.annotations.conf COPY guam.conf /etc/guam/sys.config ARG DB_KOLAB_DATABASE ARG DB_KOLAB_USERNAME ARG DB_KOLAB_PASSWORD ARG LDAP_HOST ARG LDAP_ADMIN_BIND_DN ARG LDAP_ADMIN_BIND_PW ARG LDAP_SERVICE_BIND_PW ARG IMAP_ADMIN_LOGIN ARG IMAP_ADMIN_PASSWORD RUN sed -i -r \ -e "s|DB_KOLAB_DATABASE|$DB_KOLAB_DATABASE|g" \ -e "s|DB_KOLAB_USERNAME|$DB_KOLAB_USERNAME|g" \ -e "s|DB_KOLAB_PASSWORD|$DB_KOLAB_PASSWORD|g" \ -e "s|LDAP_HOST|$LDAP_HOST|g" \ -e 
"s|LDAP_ADMIN_BIND_DN|$LDAP_ADMIN_BIND_DN|g" \ -e "s|LDAP_ADMIN_BIND_PW|$LDAP_ADMIN_BIND_PW|g" \ -e "s|LDAP_SERVICE_BIND_PW|$LDAP_SERVICE_BIND_PW|g" \ -e "s|IMAP_ADMIN_LOGIN|$IMAP_ADMIN_LOGIN|g" \ -e "s|IMAP_ADMIN_PASSWORD|$IMAP_ADMIN_PASSWORD|g" \ /etc/kolab/kolab.conf +RUN sed -i -r \ + -e "s|LDAP_HOST|$LDAP_HOST|g" \ + -e "s|LDAP_SERVICE_BIND_PW|$LDAP_SERVICE_BIND_PW|g" \ + /etc/postfix/ldap/* + RUN mkdir -p /imapdata/{spool,lib} && \ rm -rf /var/spool/imap && ln -s /imapdata/spool /var/spool/imap && \ mv /var/lib/imap /var/lib/imap-bak && ln -s /imapdata/lib /var/lib/imap && \ chmod -R 777 /imapdata && \ chown cyrus:mail /var/spool/imap /var/lib/imap +RUN dnf -y install selinux-policy-minimum +RUN sed -i -r -e 's/^SELINUX=.*$/SELINUX=disabled/g' /etc/selinux/config 2>/dev/null || : + VOLUME [ "/sys/fs/cgroup" ] VOLUME [ "/imapdata" ] WORKDIR /root/ CMD ["/lib/systemd/systemd"] EXPOSE 10143/tcp 10465/tcp 10587/tcp 11143/tcp 11993/tcp diff --git a/docker/kolab/rootfs/etc/postfix/ldap/local_recipient_maps.cf b/docker/kolab/rootfs/etc/postfix/ldap/local_recipient_maps.cf index 1ddf6d1d..61e360be 100644 --- a/docker/kolab/rootfs/etc/postfix/ldap/local_recipient_maps.cf +++ b/docker/kolab/rootfs/etc/postfix/ldap/local_recipient_maps.cf @@ -1,14 +1,14 @@ -server_host = 127.0.0.1 +server_host = LDAP_HOST server_port = 389 version = 3 search_base = dc=hosted,dc=com scope = sub domain = ldap:/etc/postfix/ldap/mydestination.cf bind_dn = uid=kolab-service,ou=Special Users,dc=mgmt,dc=com -bind_pw = +bind_pw = LDAP_SERVICE_BIND_PW query_filter = (&(|(mail=%s)(alias=%s))(|(objectclass=kolabinetorgperson)(|(objectclass=kolabgroupofuniquenames)(objectclass=kolabgroupofurls))(|(|(objectclass=groupofuniquenames)(objectclass=groupofurls))(objectclass=kolabsharedfolder))(objectclass=kolabsharedfolder))(!(inetuserstatus:1.2.840.113556.1.4.803:=4))) result_attribute = mail 
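Review bot: The new `RUN sed -i -r … /etc/postfix/ldap/*` writes the value of the build argument `LDAP_SERVICE_BIND_PW` into the image: the substituted files persist in that layer and the `ARG` value itself is recorded in `docker history`, so anyone able to pull the image can recover the service bind password. The existing kolab.conf substitution has the same shape, but this hunk extends it to every file under /etc/postfix/ldap; the templating belongs at container start (the image already ships kolab-init.sh and kolab-setenv.service), reading the value from the runtime environment or a mounted secret and leaving the `LDAP_SERVICE_BIND_PW` placeholder in the image. The `|` sed delimiter is a further reason: a password containing `|` or `&` silently corrupts the lookup tables. Two smaller points in the same hunk: the added `RUN dnf -y install selinux-policy-minimum` has no `dnf clean all` unlike the other dnf layers, so the package cache stays in the image, and with the new `SELINUX=disabled` sed the earlier `SELINUX=permissive` sed on the same file is dead and can be dropped.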
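Review bot: Moving `server_host` from `127.0.0.1` to the `LDAP_HOST` placeholder means the simple bind with `bind_pw` now crosses the network, but the table still uses `server_port = 389` with no `start_tls` setting, so the kolab-service password travels in cleartext to the directory unless the LDAP host happens to share the container's network namespace. Postfix ldap tables support `start_tls = yes` together with `tls_ca_cert_file` and `tls_require_cert = yes` (or an `ldaps://` URL in `server_host`); one of these should accompany the change away from loopback. The same edit appears in mailenabled_distgroups.cf, mailenabled_dynamic_distgroups.cf, mydestination.cf, transport_maps.cf, virtual_alias_maps.cf, virtual_alias_maps_mailforwarding.cf and virtual_alias_maps_sharedfolders.cf, so the addition belongs in all eight files. Note also that these files are shipped in the image's rootfs and the `LDAP_SERVICE_BIND_PW` placeholder is substituted at build time by the Dockerfile in this commit, so the resulting layer holds the real password rather than the placeholder.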
diff --git a/docker/kolab/rootfs/etc/postfix/ldap/mailenabled_distgroups.cf b/docker/kolab/rootfs/etc/postfix/ldap/mailenabled_distgroups.cf index 0b67082a..60ab56b2 100644 --- a/docker/kolab/rootfs/etc/postfix/ldap/mailenabled_distgroups.cf +++ b/docker/kolab/rootfs/etc/postfix/ldap/mailenabled_distgroups.cf @@ -1,19 +1,19 @@ -server_host = 127.0.0.1 +server_host = LDAP_HOST server_port = 389 version = 3 search_base = dc=hosted,dc=com scope = sub domain = ldap:/etc/postfix/ldap/mydestination.cf bind_dn = uid=kolab-service,ou=Special Users,dc=mgmt,dc=com -bind_pw = +bind_pw = LDAP_SERVICE_BIND_PW # This finds the mail enabled distribution group LDAP entry query_filter = (&(|(mail=%s)(alias=%s))(objectClass=kolabgroupofuniquenames)(objectclass=groupofuniquenames)(!(objectclass=groupofurls))) # From this type of group, get all uniqueMember DNs special_result_attribute = uniqueMember # Only from those DNs, get the mail result_attribute = leaf_result_attribute = mail diff --git a/docker/kolab/rootfs/etc/postfix/ldap/mailenabled_dynamic_distgroups.cf b/docker/kolab/rootfs/etc/postfix/ldap/mailenabled_dynamic_distgroups.cf index 48233127..09d88b89 100644 --- a/docker/kolab/rootfs/etc/postfix/ldap/mailenabled_dynamic_distgroups.cf +++ b/docker/kolab/rootfs/etc/postfix/ldap/mailenabled_dynamic_distgroups.cf @@ -1,19 +1,19 @@ -server_host = 127.0.0.1 +server_host = LDAP_HOST server_port = 389 version = 3 search_base = dc=hosted,dc=com scope = sub domain = ldap:/etc/postfix/ldap/mydestination.cf bind_dn = uid=kolab-service,ou=Special Users,dc=mgmt,dc=com -bind_pw = +bind_pw = LDAP_SERVICE_BIND_PW # This finds the mail enabled dynamic distribution group LDAP entry query_filter = (&(|(mail=%s)(alias=%s))(objectClass=kolabgroupofuniquenames)(objectClass=groupOfURLs)) # From this type of group, get all memberURL searches/references special_result_attribute = memberURL # Only from those DNs, get the mail result_attribute = leaf_result_attribute = mail 
diff --git a/docker/kolab/rootfs/etc/postfix/ldap/mydestination.cf b/docker/kolab/rootfs/etc/postfix/ldap/mydestination.cf index 3a0b6489..c3d37187 100644 --- a/docker/kolab/rootfs/etc/postfix/ldap/mydestination.cf +++ b/docker/kolab/rootfs/etc/postfix/ldap/mydestination.cf @@ -1,12 +1,12 @@ -server_host = 127.0.0.1 +server_host = LDAP_HOST server_port = 389 version = 3 search_base = ou=Domains,dc=mgmt,dc=com scope = sub bind_dn = uid=kolab-service,ou=Special Users,dc=mgmt,dc=com -bind_pw = +bind_pw = LDAP_SERVICE_BIND_PW query_filter = (&(associatedDomain=%s)(inetdomainstatus:1.2.840.113556.1.4.803:=18)(!(inetdomainstatus:1.2.840.113556.1.4.803:=4))) result_attribute = associateddomain diff --git a/docker/kolab/rootfs/etc/postfix/ldap/transport_maps.cf b/docker/kolab/rootfs/etc/postfix/ldap/transport_maps.cf index 848b9333..2f3e3c03 100644 --- a/docker/kolab/rootfs/etc/postfix/ldap/transport_maps.cf +++ b/docker/kolab/rootfs/etc/postfix/ldap/transport_maps.cf @@ -1,15 +1,15 @@ -server_host = 127.0.0.1 +server_host = LDAP_HOST server_port = 389 version = 3 search_base = dc=hosted,dc=com scope = sub domain = ldap:/etc/postfix/ldap/mydestination.cf bind_dn = uid=kolab-service,ou=Special Users,dc=mgmt,dc=com -bind_pw = +bind_pw = LDAP_SERVICE_BIND_PW query_filter = (&(|(mailAlternateAddress=%s)(alias=%s)(mail=%s))(objectclass=kolabinetorgperson)) result_attribute = mail result_format = lmtp:unix:/var/lib/imap/socket/lmtp diff --git a/docker/kolab/rootfs/etc/postfix/ldap/virtual_alias_maps.cf b/docker/kolab/rootfs/etc/postfix/ldap/virtual_alias_maps.cf index 1553f8fb..c32f0614 100644 --- a/docker/kolab/rootfs/etc/postfix/ldap/virtual_alias_maps.cf +++ b/docker/kolab/rootfs/etc/postfix/ldap/virtual_alias_maps.cf 
@@ -1,14 +1,14 @@ -server_host = 127.0.0.1 +server_host = LDAP_HOST server_port = 389 version = 3 search_base = dc=hosted,dc=com scope = sub domain = ldap:/etc/postfix/ldap/mydestination.cf bind_dn = uid=kolab-service,ou=Special Users,dc=mgmt,dc=com -bind_pw = +bind_pw = LDAP_SERVICE_BIND_PW query_filter = (&(|(mail=%s)(alias=%s))(objectclass=kolabinetorgperson)) result_attribute = mail diff --git a/docker/kolab/rootfs/etc/postfix/ldap/virtual_alias_maps_mailforwarding.cf b/docker/kolab/rootfs/etc/postfix/ldap/virtual_alias_maps_mailforwarding.cf index 52d9df53..bbb52642 100644 --- a/docker/kolab/rootfs/etc/postfix/ldap/virtual_alias_maps_mailforwarding.cf +++ b/docker/kolab/rootfs/etc/postfix/ldap/virtual_alias_maps_mailforwarding.cf @@ -1,14 +1,14 @@ -server_host = 127.0.0.1 +server_host = LDAP_HOST server_port = 389 version = 3 search_base = dc=hosted,dc=com scope = sub domain = ldap:/etc/postfix/ldap/mydestination.cf bind_dn = uid=kolab-service,ou=Special Users,dc=mgmt,dc=com -bind_pw = +bind_pw = LDAP_SERVICE_BIND_PW query_filter = (&(|(mail=%s)(alias=%s))(objectclass=mailrecipient)(objectclass=inetorgperson)(mailforwardingaddress=*)) result_attribute = mailForwardingAddress diff --git a/docker/kolab/rootfs/etc/postfix/ldap/virtual_alias_maps_sharedfolders.cf b/docker/kolab/rootfs/etc/postfix/ldap/virtual_alias_maps_sharedfolders.cf index 85637e36..1c087b69 100644 --- a/docker/kolab/rootfs/etc/postfix/ldap/virtual_alias_maps_sharedfolders.cf +++ b/docker/kolab/rootfs/etc/postfix/ldap/virtual_alias_maps_sharedfolders.cf 
@@ -1,15 +1,15 @@ -server_host = 127.0.0.1 +server_host = LDAP_HOST server_port = 389 version = 3 search_base = dc=hosted,dc=com scope = sub domain = ldap:/etc/postfix/ldap/mydestination.cf bind_dn = uid=kolab-service,ou=Special Users,dc=mgmt,dc=com -bind_pw = +bind_pw = LDAP_SERVICE_BIND_PW query_filter = (&(|(mail=%s)(alias=%s))(objectclass=kolabsharedfolder)(kolabFolderType=mail)) result_attribute = kolabtargetfolder result_format = "shared+%s" diff --git a/docker/kolab/rootfs/etc/postfix/master.cf b/docker/kolab/rootfs/etc/postfix/master.cf index 5944ff96..06ecf014 100644 --- a/docker/kolab/rootfs/etc/postfix/master.cf +++ b/docker/kolab/rootfs/etc/postfix/master.cf 
@@ -1,137 +1,137 @@ # Postfix master process configuration file. For details on the format # of the file, see the master(5) manual page (command: "man 5 master"). # Do not forget to execute "postfix reload" after editing this file. # ============================================================================== # service type private unpriv chroot wakeup maxproc command # (yes) (yes) (yes) (never) (100) + args # ============================================================================== smtp inet n - n - - smtpd #smtp inet n - n - 1 postscreen #smtpd pass - - n - - smtpd #dnsblog unix - - n - 0 dnsblog #tlsproxy unix - - n - 0 tlsproxy #smtps inet n - n - - smtpd # -o syslog_name=postfix/smtps # -o smtpd_tls_wrappermode=yes # -o smtpd_sasl_auth_enable=yes # -o smtpd_client_restrictions=permit_sasl_authenticated,reject # -o milter_macro_daemon_name=ORIGINATING #628 inet n - n - - qmqpd pickup fifo n - n 60 1 pickup cleanup unix n - n - 0 cleanup -o header_checks=regexp:/etc/postfix/header_checks.inbound -o mime_header_checks=regexp:/etc/postfix/header_checks.inbound cleanup_internal unix n - n - 0 cleanup -o header_checks=regexp:/etc/postfix/header_checks.internal -o mime_header_checks=regexp:/etc/postfix/header_checks.internal cleanup_submission unix n - n - 0 cleanup -o header_checks=regexp:/etc/postfix/header_checks.submission -o mime_header_checks=regexp:/etc/postfix/header_checks.submission qmgr fifo n - n 300 1 qmgr #qmgr fifo n - n 300 1 oqmgr tlsmgr unix - - n 1000? 1 tlsmgr rewrite unix - - n - - trivial-rewrite bounce unix - - n - 0 bounce defer unix - - n - 0 bounce trace unix - - n - 0 bounce verify unix - - n - 1 verify flush unix n - n 1000? 
0 flush proxymap unix - - n - - proxymap proxywrite unix - - n - 1 proxymap smtp unix - - n - - smtp relay unix - - n - - smtp showq unix n - n - - showq error unix - - n - - error retry unix - - n - - error discard unix - - n - - discard local unix - n n - - local virtual unix - n n - - virtual lmtp unix - - n - - lmtp anvil unix - - n - 1 anvil scache unix - - n - 1 scache # Filter email through Amavisd smtp-amavis unix - - n - 3 smtp -o smtp_data_done_timeout=1800 -o disable_dns_lookups=yes -o smtp_send_xforward_command=yes -o max_use=20 -o smtp_bind_address=127.0.0.1 # Listener to re-inject email from Amavisd into Postfix 127.0.0.1:10025 inet n - n - 100 smtpd -o cleanup_service_name=cleanup_internal -o content_filter=smtp-wallace:[127.0.0.1]:10026 -o local_recipient_maps= -o relay_recipient_maps= -o smtpd_restriction_classes= -o smtpd_client_restrictions= -o smtpd_helo_restrictions= -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o mynetworks=127.0.0.0/8 -o smtpd_authorized_xforward_hosts=127.0.0.0/8 # Filter email through Wallace smtp-wallace unix - - n - 3 smtp -o default_destination_recipient_limit=1 -o smtp_data_done_timeout=1800 -o disable_dns_lookups=yes -o smtp_send_xforward_command=yes -o max_use=20 # Listener to re-inject email from Wallace into Postfix 127.0.0.1:10027 inet n - n - 100 smtpd -o cleanup_service_name=cleanup_internal -o content_filter= -o local_recipient_maps= -o relay_recipient_maps= -o smtpd_restriction_classes= -o smtpd_client_restrictions= -o smtpd_helo_restrictions= -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o mynetworks=127.0.0.0/8 -o smtpd_authorized_xforward_hosts=127.0.0.0/8 recipient_policy unix - n n - - spawn user=kolab-n argv=/usr/libexec/postfix/kolab_smtp_access_policy --verify-recipient recipient_policy_incoming unix - n n - - spawn user=kolab-n argv=/usr/libexec/postfix/kolab_smtp_access_policy --verify-recipient --allow-unauthenticated 
sender_policy unix - n n - - spawn user=kolab-n argv=/usr/libexec/postfix/kolab_smtp_access_policy --verify-sender sender_policy_incoming unix - n n - - spawn user=kolab-n argv=/usr/libexec/postfix/kolab_smtp_access_policy --verify-sender --allow-unauthenticated submission_policy unix - n n - - spawn user=kolab-n argv=/usr/libexec/postfix/kolab_smtp_access_policy --verify-sender --verify-recipient -127.0.0.1:10587 inet n - n - - smtpd +0.0.0.0:10587 inet n - n - - smtpd -o cleanup_service_name=cleanup_submission -o syslog_name=postfix/submission #-o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_sasl_authenticated_header=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_data_restrictions=$submission_data_restrictions -o smtpd_recipient_restrictions=$submission_recipient_restrictions -o smtpd_sender_restrictions=$submission_sender_restrictions -127.0.0.1:10465 inet n - n - - smtpd +0.0.0.0:10465 inet n - n - - smtpd -o cleanup_service_name=cleanup_submission -o rewrite_service_name=rewrite_submission -o syslog_name=postfix/smtps -o mydestination= -o local_recipient_maps= -o relay_domains= -o relay_recipient_maps= #-o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_sasl_authenticated_header=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_sender_restrictions=$submission_sender_restrictions -o smtpd_recipient_restrictions=$submission_recipient_restrictions -o smtpd_data_restrictions=$submission_data_restrictions diff --git a/docker/kolab/utils/03-setup-kolab.sh b/docker/kolab/utils/03-setup-kolab.sh index ba4a65d1..e81aef75 100755 --- a/docker/kolab/utils/03-setup-kolab.sh +++ b/docker/kolab/utils/03-setup-kolab.sh 
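Review bot: Rebinding the submission listeners `0.0.0.0:10587` and `0.0.0.0:10465` from loopback to all interfaces exposes SASL authentication (`-o smtpd_sasl_auth_enable=yes`) beyond the local host while the TLS options on both services stay commented out (`#-o smtpd_tls_security_level=encrypt`, `#-o smtpd_tls_wrappermode=yes`), so client passwords can be offered in cleartext unless main.cf, which is not in this diff, enforces TLS. Either re-enable those two lines now that the ports are reachable externally, or add `-o smtpd_tls_auth_only=yes` to each listener so AUTH is only advertised after STARTTLS. If TLS is deliberately terminated by something in front of this container, a comment on both listeners saying so, e.g. `# plaintext on purpose: TLS is terminated in front of this container`, would stop the next reader from re-raising this.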
@@ -1,53 +1,72 @@ #!/bin/bash . ./settings.sh echo ${CMD} | tee -a /root/setup-kolab.log echo -n "Wait for MariaDB container: " | tee -a /root/setup-kolab.log while ! mysqladmin -u root ping > /dev/null 2>&1 ; do echo -n '.' sleep 3 done | tee -a /root/setup-kolab.log echo "OK!" | tee -a /root/setup-kolab.log echo -n "Wait for DS389 container: " | tee -a /root/setup-kolab.log while ! ldapsearch -h ${LDAP_HOST} -D "${LDAP_ADMIN_BIND_DN}" -w "${LDAP_ADMIN_BIND_PW}" -b "" -s base > /dev/null 2>&1 ; do echo -n '.' sleep 3 done | tee -a /root/setup-kolab.log echo "OK!" | tee -a /root/setup-kolab.log +# Initialize the db +cat > /tmp/kolab-setup-my.cnf << EOF +[client] +host=${DB_HOST} +user=root +password=${DB_ROOT_PASSWORD} +EOF + +mysql --defaults-file=/tmp/kolab-setup-my.cnf < /etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem chown cyrus:mail /etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem cp /etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem /etc/pki/tls/private/postfix.pem chown postfix:mail /etc/pki/tls/private/postfix.pem chmod 655 /etc/pki/tls/private/postfix.pem systemctl enable --now postfix systemctl enable --now wallace # setup imap if [ -f "/var/lib/imap/db" ]; then echo "IMAP directory exists, nothing to do" else echo "Initializing IMAP volume" cp -ar /var/lib/imap-bak/* /var/lib/imap/ systemctl start cyrus-imapd fi # Setup httpform auth against kolab sed -i "s/MECH=.*/MECH=httpform/" /etc/sysconfig/saslauthd cat > /etc/saslauthd.conf << EOF httpform_host: services.${APP_DOMAIN} httpform_port: 8000 httpform_uri: /api/webhooks/cyrus-sasl httpform_data: %u %r %p EOF systemctl restart saslauthd systemctl enable --now guam
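Review bot: The added `cat > /tmp/kolab-setup-my.cnf` writes `DB_ROOT_PASSWORD` to a file created with the default umask in a world-readable directory, and the hunk as shown does not remove it afterwards (the text between the `mysql --defaults-file` line and the cyrus bundle lines appears garbled here, so a removal may exist off-page). Create the file with a restrictive mode before writing, `install -m 600 /dev/null /tmp/kolab-setup-my.cnf`, and drop it once the SQL has run, `rm -f /tmp/kolab-setup-my.cnf`. Using `--defaults-file` rather than `-p` on the command line is the right choice since it keeps the password out of `ps` output; a short comment saying so, e.g. `# defaults-file keeps the root password off the command line`, would explain the extra file to the next reader.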