diff --git a/docker/kolab/Dockerfile b/docker/kolab/Dockerfile
index 25a88f05..a7ba4fea 100644
--- a/docker/kolab/Dockerfile
+++ b/docker/kolab/Dockerfile
@@ -1,83 +1,83 @@ FROM quay.io/centos/centos:stream8 LABEL maintainer="contact@apheleia-it.ch" LABEL dist=centos8 LABEL tier=${TIER} ENV SYSTEMD_PAGER='' ENV DISTRO=centos8 ENV LANG=en_US.utf8 ENV LC_ALL=en_US.utf8 # Add EPEL. RUN dnf config-manager --set-enabled powertools && \ dnf -y install \ epel-release epel-next-release && \ dnf -y module enable 389-directory-server:stable/default && \ dnf -y module enable mariadb:10.3 && \ dnf -y install iputils vim-enhanced bind-utils && \ dnf clean all RUN rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8 # Install kolab RUN rpm --import https://mirror.apheleia-it.ch/repos/Kolab:/16/key.asc && \ rpm -Uvh https://mirror.apheleia-it.ch/repos/Kolab:/16/kolab-16-for-el8stream.rpm RUN sed -i -e '/^ssl/d' /etc/yum.repos.d/kolab*.repo && \ dnf config-manager --enable kolab-16-testing &&\
- dnf -y --setopt tsflags= install kolab dnsmasq patch &&\
+ dnf -y --setopt tsflags= install kolab kolab-autoconf dnsmasq patch &&\
 dnf clean all COPY kolab-init.service /etc/systemd/system/kolab-init.service COPY kolab-setenv.service /etc/systemd/system/kolab-setenv.service COPY utils /root/utils RUN rm -rf /etc/systemd/system/multi-user.target.wants/{avahi-daemon,sshd}.* && \ ln -s /etc/systemd/system/kolab-init.service \ /etc/systemd/system/multi-user.target.wants/kolab-init.service && \ ln -s /etc/systemd/system/kolab-setenv.service \ /etc/systemd/system/multi-user.target.wants/kolab-setenv.service RUN sed -i -r -e 's/^SELINUX=.*$/SELINUX=permissive/g' /etc/selinux/config 2>/dev/null || : RUN sed -i -r -e 's/^Listen 80$/Listen 9080/g' /etc/httpd/conf/httpd.conf #RUN sed -i -r -e 's/^Listen 443$/Listen 9443/g' /etc/httpd/conf/httpd.conf COPY kolab-init.sh /usr/local/sbin/ RUN chmod 750 /usr/local/sbin/kolab-init.sh COPY kolab.conf /etc/kolab/kolab.conf COPY cyrus.conf /etc/cyrus.conf COPY imapd.conf /etc/imapd.conf COPY imapd.annotations.conf /etc/imapd.annotations.conf COPY guam.conf /etc/guam/sys.config ARG DB_KOLAB_DATABASE ARG
DB_KOLAB_USERNAME ARG DB_KOLAB_PASSWORD RUN sed -i -r \ -e "s|DB_KOLAB_DATABASE|$DB_KOLAB_DATABASE|g" \ -e "s|DB_KOLAB_USERNAME|$DB_KOLAB_USERNAME|g" \ -e "s|DB_KOLAB_PASSWORD|$DB_KOLAB_PASSWORD|g" \ /etc/kolab/kolab.conf RUN mkdir -p /imapdata/{spool,lib} && \ rm -rf /var/spool/imap && ln -s /imapdata/spool /var/spool/imap && \ mv /var/lib/imap /var/lib/imap-bak && ln -s /imapdata/lib /var/lib/imap && \ chmod -R 777 /imapdata && \ chown cyrus:mail /var/spool/imap /var/lib/imap RUN mkdir -p /ldapdata/{config,ssca,run} /var/run/dirsrv && \ ln -s /ldapdata/config /etc/dirsrv/slapd-kolab && \ ln -s /ldapdata/ssca /etc/dirsrv/ssca && \ ln -s /ldapdata/run /var/run/dirsrv && \ chmod -R 777 /ldapdata /etc/dirsrv VOLUME [ "/sys/fs/cgroup" ] VOLUME [ "/imapdata" ] VOLUME [ "/ldapdata" ] WORKDIR /root/ CMD ["/lib/systemd/systemd"] EXPOSE 21/tcp 22/tcp 25/tcp 53/tcp 53/udp 80/tcp 110/tcp 389/tcp 443/tcp 995/tcp 5353/udp 8880/tcp 8443/tcp 8447/tcp 10143/tcp 10465/tcp 10587/tcp 11143/tcp 11993/tcp
diff --git a/docker/kolab/kolab.conf b/docker/kolab/kolab.conf
index 01681ce1..fd72fb3c 100644
--- a/docker/kolab/kolab.conf
+++ b/docker/kolab/kolab.conf
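Review bot: `kolab-autoconf` is added to the `dnf -y --setopt tsflags= install` line without a version, and the preceding line enables `kolab-16-testing`, so the package that ends up in the image is whatever the mirror serves on the day of the build; the image is not reproducible and a change on the mirror silently changes the shipped autodiscover/autoconfig behaviour. Pinning it, e.g. `kolab-autoconf-<VERSION_FROM_TESTING_REPO>` with the chosen version noted in a comment next to the line, keeps the build deterministic (the same applies to `kolab` itself, but that is pre-existing). Signature verification for these packages rests on the `rpm --import https://mirror.apheleia-it.ch/repos/Kolab:/16/key.asc` a few lines above, i.e. on the TLS fetch from the same mirror, which is worth stating in a comment there so the trust chain is visible to the next maintainer.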
@@ -1,83 +1,90 @@ [kolab] primary_domain = mgmt.com auth_mechanism = ldap imap_backend = cyrus-imap default_locale = en_US sync_interval = 300 domain_sync_interval = 600 policy_uid = %(surname)s.lower() daemon_rcpt_policy = False + [imap] virtual_domains = userid [ldap] ldap_uri = ldap://127.0.0.1:389 timeout = 10 supported_controls = 0,2,3 base_dn = dc=mgmt,dc=com bind_dn = cn=Directory Manager bind_pw = service_bind_dn = uid=kolab-service,ou=Special Users,dc=mgmt,dc=com service_bind_pw = user_base_dn = dc=hosted,dc=com user_scope = sub user_filter = (objectclass=inetorgperson) kolab_user_base_dn = dc=hosted,dc=com kolab_user_filter = (objectclass=kolabinetorgperson) group_base_dn = dc=hosted,dc=com group_filter = (|(objectclass=groupofuniquenames)(objectclass=groupofurls)) group_scope = sub kolab_group_filter = (|(objectclass=kolabgroupofuniquenames)(objectclass=kolabgroupofurls)) sharedfolder_base_dn = dc=hosted,dc=com sharedfolder_filter = (objectclass=kolabsharedfolder) sharedfolder_acl_entry_attribute = acl resource_base_dn = dc=hosted,dc=com resource_filter = (|%(group_filter)s(objectclass=kolabsharedfolder)) domain_base_dn = ou=Domains,dc=mgmt,dc=com domain_filter = (&(associatedDomain=*)) domain_name_attribute = associateddomain domain_rootdn_attribute = inetdomainbasedn quota_attribute = mailquota modifytimestamp_format = %Y%m%d%H%M%SZ unique_attribute = nsuniqueid mail_attributes = mail, alias mailserver_attribute = mailhost auth_attributes = mail, uid [kolab_smtp_access_policy] cache_uri = mysql://DB_KOLAB_USERNAME:DB_KOLAB_PASSWORD@mariadb/DB_KOLAB_DATABASE cache_retention = 86400 address_search_attrs = mail, alias delegate_sender_header = True alias_sender_header = True sender_header = True xsender_header = True empty_sender_hosts = 3.2.1.0/24, 6.6.6.0/24 [kolab_wap] mgmt_root_dn = dc=mgmt,dc=com hosted_root_dn = dc=hosted,dc=com api_url = http://127.0.0.1:9080/kolab-webadmin/api skin = default sql_uri = 
mysql://DB_KOLAB_USERNAME:DB_KOLAB_PASSWORD@mariadb/DB_KOLAB_DATABASE ssl_verify_peer = false ssl_verify_host = false [cyrus-imap] uri = imaps://127.0.0.1:11993 admin_login = cyrus-admin admin_password = [cyrus-sasl] result_attribute = mail [wallace] webmail_url = https://%(domain)s/roundcubemail modules = resources, invitationpolicy kolab_invitation_policy = ACT_ACCEPT_IF_NO_CONFLICT:example.org, ACT_MANUAL invitationpolicy_autoupdate_other_attendees_on_reply = false resource_calendar_expire_days = 100 [mgmt.com] default_quota = 1048576 daemon_rcpt_policy = False
+
+[autodiscover]
+;debug_mode = trace
+activesync = %d
+imap = ssl://%d:993
+smtp = ssl://%d:465
diff --git a/docker/proxy/rootfs/etc/nginx/nginx.conf b/docker/proxy/rootfs/etc/nginx/nginx.conf
index 5616e99f..74684026 100644
--- a/docker/proxy/rootfs/etc/nginx/nginx.conf
+++ b/docker/proxy/rootfs/etc/nginx/nginx.conf
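Review bot: The new `[autodiscover]` section uses a bare `%d` token in `activesync`, `imap` and `smtp` with no comment saying what it expands to, while the rest of this file uses `%(name)s` interpolation (e.g. `%(domain)s` in `[wallace]`), so a reader will likely take `%d` for a typo. Presumably it is a kolab-autoconf placeholder for the requesting user's mail domain — confirm against the package and add a line such as `; %d is replaced by kolab-autoconf with the user's mail domain (not ConfigParser interpolation)` above the section. The advertised `ssl://%d:993` and `ssl://%d:465` endpoints should be checked against what the proxy actually listens on for that host name; the nginx `mail` block in this same commit serves 993 and 465 with implicit TLS, but its `server_name` is `imap.hosted.com`, so the host `%d` resolves to needs to reach that proxy. `;debug_mode = trace` is fine left commented, but since this file is baked into the image via `COPY kolab.conf /etc/kolab/kolab.conf`, it must not be enabled for troubleshooting and then committed.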
@@ -1,247 +1,256 @@ # For more information on configuration, see: # * Official English Documentation: http://nginx.org/en/docs/ # * Official Russian Documentation: http://nginx.org/ru/docs/ user nginx; worker_processes auto; error_log /var/log/nginx/error.log; pid /run/nginx.pid; # Load dynamic modules. See /usr/share/doc/nginx/README.dynamic. include /usr/share/nginx/modules/*.conf; events { worker_connections 1024; } http { log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; access_log /var/log/nginx/access.log main; sendfile on; tcp_nopush on; tcp_nodelay on; keepalive_timeout 65; types_hash_max_size 2048; include /etc/nginx/mime.types; default_type application/octet-stream; map $http_upgrade $connection_upgrade { default upgrade; '' close; } # Load modular configuration files from the /etc/nginx/conf.d directory. # See http://nginx.org/en/docs/ngx_core_module.html#include # for more information. include /etc/nginx/conf.d/*.conf; server { listen [::]:443 ssl ipv6only=on; listen 443 ssl; ssl_certificate SSL_CERTIFICATE_CERT; ssl_certificate_key SSL_CERTIFICATE_KEY; server_name APP_WEBSITE_DOMAIN; root /usr/share/nginx/html; # Load configuration files for the default server block. 
include /etc/nginx/default.d/*.conf; location / { proxy_pass http://webapp:8000; proxy_redirect off; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Proto $scheme; proxy_no_cache 1; proxy_cache_bypass 1; # Mostly for files, swoole has a 10MB limit client_max_body_size 11m; } location /meetmedia { proxy_pass https://meet:12443; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; proxy_set_header Host $host; } location /meetmedia/api { proxy_pass https://meet:12443; proxy_redirect off; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Proto $scheme; proxy_no_cache 1; proxy_cache_bypass 1; } location /roundcubemail { proxy_pass http://kolab:9080; proxy_redirect off; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Proto $scheme; proxy_no_cache 1; proxy_cache_bypass 1; } location /kolab-webadmin { proxy_pass http://kolab:9080; proxy_redirect off; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Proto $scheme; proxy_no_cache 1; proxy_cache_bypass 1; } location /Microsoft-Server-ActiveSync { auth_request /auth; #auth_request_set $auth_status $upstream_status; proxy_pass http://kolab:9080; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_send_timeout 910s; proxy_read_timeout 910s; fastcgi_send_timeout 910s; fastcgi_read_timeout 
910s; }
- location ~* ^/\\.well-known/(caldav|carddav) {
+ location ~* ^/\\.well-known/autoconfig {
 proxy_pass http://kolab:9080; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; }
+ location ~* ^/\\autodiscover/autodiscover.xml {
+ proxy_pass http://kolab:9080;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ }
+
+ rewrite ^/\\.well-known/(caldav|carddav) https://\$server_name/iRony/ redirect;
+
 location /iRony { auth_request /auth; #auth_request_set $auth_status $upstream_status; proxy_pass http://kolab:9080; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } location = /auth { internal; proxy_pass http://webapp:8000/api/webhooks/nginx-httpauth; proxy_pass_request_body off; proxy_set_header Host services.APP_WEBSITE_DOMAIN; proxy_set_header Content-Length ""; proxy_set_header X-Original-URI $request_uri; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } error_page 404 /404.html; location = /40x.html { } error_page 500 502 503 504 /50x.html; location = /50x.html { } } } mail { server_name imap.hosted.com; auth_http webapp:8000/api/webhooks/nginx; auth_http_header Host services.APP_WEBSITE_DOMAIN; proxy_pass_error_message on; server { listen 143; protocol imap; proxy on; starttls on; ssl_certificate SSL_CERTIFICATE_CERT; ssl_certificate_key SSL_CERTIFICATE_KEY; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers HIGH:!aNULL:!MD5; } # Roundcube specific imap endpoint with proxy-protocol enabled server { listen 144 proxy_protocol; protocol imap; auth_http webapp:8000/api/webhooks/nginx-roundcube; proxy on; starttls on; ssl_certificate SSL_CERTIFICATE_CERT; ssl_certificate_key SSL_CERTIFICATE_KEY; ssl_protocols TLSv1 TLSv1.1
TLSv1.2; ssl_ciphers HIGH:!aNULL:!MD5; } server { listen 465 ssl; protocol smtp; proxy on; ssl_certificate SSL_CERTIFICATE_CERT; ssl_certificate_key SSL_CERTIFICATE_KEY; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers HIGH:!aNULL:!MD5; } server { listen 587; protocol smtp; proxy on; starttls on; ssl_certificate SSL_CERTIFICATE_CERT; ssl_certificate_key SSL_CERTIFICATE_KEY; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers HIGH:!aNULL:!MD5; } server { listen 993 ssl; protocol imap; proxy on; ssl_certificate SSL_CERTIFICATE_CERT; ssl_certificate_key SSL_CERTIFICATE_KEY; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers HIGH:!aNULL:!MD5; } }
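Review bot: The new `location ~* ^/\\autodiscover/autodiscover.xml` regex cannot match the Outlook autodiscover path: the `\\` was carried over from the `\\.well-known` pattern, where it escapes the dot, but in front of `autodiscover` it yields `\a` (PCRE BEL) once unescaped, or a literal backslash if passed through verbatim, so `/autodiscover/autodiscover.xml` never reaches this block and falls through to `location /`, i.e. `webapp:8000`. It should read `location ~* ^/autodiscover/autodiscover\\.xml {`, escaping the dot rather than the first letter. The new `rewrite ... https://\$server_name/iRony/ redirect;` depends on `\$` being unescaped by whatever renders this template (the `SSL_CERTIFICATE_*` and `APP_WEBSITE_DOMAIN` tokens show it is rendered); if nginx reads it as-is the Location header carries a literal `\$server_name`, so the rendered config should be checked. `redirect` answers 302; for the well-known CalDAV/CardDAV discovery path a `permanent` (301) is the conventional choice, though clients accept either.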