diff --git a/docker/imap/Dockerfile b/docker/imap/Dockerfile index efc52959..ca4f15b5 100644 --- a/docker/imap/Dockerfile +++ b/docker/imap/Dockerfile @@ -1,75 +1,78 @@ FROM apheleia/almalinux9 WORKDIR /root/ RUN dnf -y install \ --setopt 'tsflags=nodocs' \ git \ autoconf \ automake \ bison \ cyrus-sasl-devel \ flex \ gcc \ gcc-c++ \ gperf \ jansson-devel \ libbsd-devel \ libtool \ libicu-devel \ libuuid-devel \ openssl-devel \ pkgconfig \ sqlite-devel \ brotli-devel \ libzstd-devel \ libical-devel \ libxml2-devel \ libnghttp2-devel \ shapelib \ zlib-devel \ pcre-devel \ perl-devel \ cyrus-sasl \ cyrus-sasl-plain \ perl-Cyrus \ rsync && \ dnf clean all ARG GIT_REF=dev/mollekopf ARG GIT_REMOTE=https://git.kolab.org/source/cyrus-imapd ADD build.sh /build.sh RUN /build.sh COPY /rootfs / VOLUME [ "/var/spool/imap" ] VOLUME [ "/var/lib/imap" ] RUN id default || (groupadd -g 1001 default && useradd -d /opt/app-root/ -u 1001 -g 1001 default) RUN mkdir -p /opt/app-root/src RUN PATHS=(/run /run/saslauthd /var/run /var/lib/imap /var/spool/imap /etc/pki/cyrus-imapd /opt/app-root/src) && \ mkdir -p ${PATHS[@]} && \ chmod 777 ${PATHS[@]} && \ chown -R 1001:0 ${PATHS[@]} && \ chmod -R g=u ${PATHS[@]} RUN touch /etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem RUN PATHS=(/etc /etc/passwd /etc/saslauthd.conf /etc/cyrus.conf /etc/imapd.conf /etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem) && \ chown 1001:0 ${PATHS[@]} && \ chmod g=u ${PATHS[@]} USER 1001 WORKDIR /opt/app-root/src ENV SERVICES_PORT=8000 ENV IMAPD_CONF=/etc/imapd.conf ENV CYRUS_CONF=/etc/cyrus.conf - +ENV SERVERLIST=imap-backend +ENV MUPDATE=imap-mupdate +ENV SERVERNAME=imap-backend +# ENV TLS_SERVER_CA_FILE # ENV APP_SERVICES_DOMAIN CMD ["/init.sh"] EXPOSE 11143/tcp 11993/tcp 11080/tcp 11443/tcp 11024/tcp 4190/tcp diff --git a/docker/imap/rootfs/etc/imapd-frontend.conf b/docker/imap/rootfs/etc/imapd-frontend.conf index f66f855e..1810f637 100644 --- a/docker/imap/rootfs/etc/imapd-frontend.conf 
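Review bot: The new `ENV SERVERNAME=imap-backend` default is applied to whichever file `IMAPD_CONF` points at, and the same image also ships imapd-frontend.conf, whose servername was previously the fixed value `imap-frontend`; a frontend deployment that overrides only `IMAPD_CONF` now presumably reports the backend's name unless it also overrides `SERVERNAME`. Likewise `# ENV TLS_SERVER_CA_FILE` leaves that variable unset by default, while init.sh substitutes it unconditionally, so the frontend config ends up with an empty `tls_server_ca_file:` value. Since nothing in the Dockerfile records which variables a frontend must set, I would replace the bare `# ENV TLS_SERVER_CA_FILE` line with a comment such as `# SERVERNAME, SERVERLIST, MUPDATE and TLS_SERVER_CA_FILE are substituted into $IMAPD_CONF by init.sh; frontend deployments must override SERVERNAME and set TLS_SERVER_CA_FILE`. The rest of the hunk is unchanged history.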
+++ b/docker/imap/rootfs/etc/imapd-frontend.conf 
@@ -1,90 +1,82 @@ -servername: imap-frontend +servername: SERVERNAME configdirectory: /var/lib/imap autocreate_quota: 5242880 idlesocket: /var/lib/imap/socket/idle disable_shared_namespace: 0 disable_user_namespace: 0 duplicate_db_path: /var/lib/imap/deliver.db mboxname_lockpath: /var/lib/imap/lock proc_path: /var/lib/imap/proc # Apparently does not work ##ptscache_db_path: /var/tmp/cyrus-imapd/ptscache.db statuscache_db_path: /var/lib/imap/statuscache.db temp_path: /tmp tls_sessions_db_path: /run/cyrus/db/tls_sessions.db annotation_definitions: /etc/imapd.annotations.conf sendmail: /usr/sbin/sendmail admins: IMAP_ADMIN_LOGIN sasl_pwcheck_method: saslauthd sasl_mech_list: PLAIN LOGIN allowplaintext: yes lmtp_over_quota_perm_failure: 1 -#tls_server_cert: /etc/pki/tls/private/aphy.app.pem -#tls_server_key: /etc/pki/tls/private/aphy.app.pem -#tls_server_ca_file: /etc/pki/tls/certs/zrh1.infra.aphy.app.ca.cert tls_server_cert: /etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem tls_server_key: /etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem +tls_server_ca_file: TLS_SERVER_CA_FILE tls_client_certs: off - tls_ciphers: kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES - tls_prefer_server_ciphers: 1 sieve_tls_versions: tls1_0 tls1_1 tls1_2 tls_versions: tls1_3 maxlogins_per_user: 50 # Disable mailbox referrals for all clients, as the referrals will point # addresses the client cannot reach. 
proxyd_disable_mailbox_referrals: 1 -serverlist: imap-backend +serverlist: SERVERLIST httpmodules: caldav carddav domainkey freebusy ischedule rss webdav - - unixhierarchysep: 1 virtdomains: userid sieve_extensions: fileinto reject envelope body vacation imap4flags include regex subaddress relational copy date allowallsubscribe: 0 anyoneuseracl: 0 allowusermoves: 1 altnamespace: 1 disconnect_on_vanished_mailbox: 1 hashimapspool: 1 anysievefolder: 1 fulldirhash: 0 sieve_maxscripts: 150 sieve_maxscriptsize: 128 sieveusehomedir: 0 sieve_allowreferrals: 0 sieve_utf8fileinto: 1 lmtp_downcase_rcpt: 1 lmtp_fuzzy_mailbox_match: 1 username_tolower: 1 deletedprefix: DELETED delete_mode: delayed expunge_mode: delayed postuser: shared tcp_keepalive: 1 syslog_prefix: cyrus-imapd - - # mupdate is enabled #mupdate_config: standard -mupdate_server: imap-mupdate +mupdate_server: MUPDATE mupdate_port: 3905 mupdate_authname: IMAP_ADMIN_LOGIN mupdate_username: IMAP_ADMIN_LOGIN mupdate_password: IMAP_ADMIN_PASSWORD # proxy authentication against backends proxy_authname: IMAP_ADMIN_LOGIN proxy_password: IMAP_ADMIN_PASSWORD diff --git a/docker/imap/rootfs/etc/imapd.conf b/docker/imap/rootfs/etc/imapd.conf index 2595b837..423a5fbb 100644 --- a/docker/imap/rootfs/etc/imapd.conf +++ b/docker/imap/rootfs/etc/imapd.conf 
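Review bot: The added `tls_server_ca_file: TLS_SERVER_CA_FILE` line is unconditional, but the Dockerfile in this commit only comments out `ENV TLS_SERVER_CA_FILE`, so with the default environment init.sh rewrites it to `tls_server_ca_file:` with an empty value; whether Cyrus treats that as unset or as an error I cannot tell from here, so either the line should be removed when the variable is empty or the Dockerfile should supply a default. The tokens `SERVERNAME`, `SERVERLIST` and `MUPDATE` are bare uppercase words that sed replaces anywhere in the file, so the file should say so for the next maintainer: `# SERVERNAME, SERVERLIST, MUPDATE, TLS_SERVER_CA_FILE and IMAP_ADMIN_* are replaced by init.sh from the environment at container start`. The same note applies to the `servername: SERVERNAME` line in the imapd.conf hunk below, where the old value `imap-backend` matches the Dockerfile default but the frontend's old value `imap-frontend` does not.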
@@ -1,111 +1,79 @@ -servername: imap-backend +servername: SERVERNAME configdirectory: /var/lib/imap defaultpartition: default metapartition_files: annotations cache expunge header index partition-default: /var/spool/imap/ metapartition-default: /var/spool/imap/ sievedir: /var/lib/imap/sieve annotation_definitions: /etc/imapd.annotations.conf autocreate_quota: 5242880 autocreate_inbox_folders: Drafts | Trash | Sent autocreate_subscribe_folders: Drafts | Trash | Sent # Set specialuse flags xlist-drafts: Drafts xlist-sent: Sent xlist-trash: Trash idlesocket: /var/lib/imap/socket/idle disable_shared_namespace: 0 disable_user_namespace: 0 duplicate_db_path: /run/cyrus/db/deliver.db mboxname_lockpath: /run/cyrus/lock proc_path: /run/cyrus/proc # Apparently does not work ##ptscache_db_path: /var/tmp/cyrus-imapd/ptscache.db statuscache_db_path: /run/cyrus/db/statuscache.db temp_path: /tmp tls_sessions_db_path: /run/cyrus/db/tls_sessions.db sendmail: /usr/sbin/sendmail admins: IMAP_ADMIN_LOGIN sasl_pwcheck_method: saslauthd sasl_mech_list: PLAIN LOGIN sasl_saslauthd_path: /run/saslauthd/mux allowplaintext: yes lmtp_over_quota_perm_failure: 1 -#tls_server_cert: /etc/pki/tls/private/aphy.app.pem -#tls_server_key: /etc/pki/tls/private/aphy.app.pem -#tls_server_ca_file: /etc/pki/tls/certs/zrh1.infra.aphy.app.ca.cert - -# tls_server_cert: /etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem -# tls_server_key: /etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem - -# tls_client_certs: off - -# tls_ciphers: kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES - -# tls_prefer_server_ciphers: 1 -# tls_versions: tls1_3 maxlogins_per_user: 50 proxyd_disable_mailbox_referrals: 0 httpmodules: caldav carddav domainkey freebusy ischedule rss webdav prometheus caldav_allowcalendaradmin: 1 unixhierarchysep: 1 virtdomains: userid sieve_extensions: fileinto reject envelope body vacation imap4flags include regex subaddress relational copy 
date allowallsubscribe: 0 anyoneuseracl: 0 allowusermoves: 1 altnamespace: 1 disconnect_on_vanished_mailbox: 1 hashimapspool: 1 anysievefolder: 1 fulldirhash: 0 sieve_maxscripts: 150 sieve_maxscriptsize: 128 sieveusehomedir: 0 sieve_allowreferrals: 0 sieve_utf8fileinto: 1 lmtp_downcase_rcpt: 1 lmtp_fuzzy_mailbox_match: 1 username_tolower: 1 deletedprefix: DELETED delete_mode: delayed expunge_mode: delayed postuser: shared tcp_keepalive: 1 prometheus_enabled: 1 syslog_prefix: cyrus-imapd calendar_default_displayname: Calendar addressbook_default_displayname: Addressbook -# mupdate is enabled -# mupdate_config: standard -# mupdate_server: imap-mupdate -# mupdate_port: 3905 -# mupdate_authname: IMAP_ADMIN_LOGIN -# mupdate_username: IMAP_ADMIN_LOGIN -# mupdate_password: IMAP_ADMIN_PASSWORD - -# proxy authentication for these users -# proxyservers: IMAP_ADMIN_LOGIN - -# sync is enabled -#sync_try_imap: 0 -#sync_log_chain: false -#sync_authname: cyrus -#sync_password: simple123 -#sync_log: 1 -#sync_repeat_interval: 10 -#sync_shutdown_file: /var/lib/imap/sync_shutdown debug: 0 chatty: 1 diff --git a/docker/imap/rootfs/init.sh b/docker/imap/rootfs/init.sh index ba3351cd..38050195 100755 --- a/docker/imap/rootfs/init.sh +++ b/docker/imap/rootfs/init.sh 
@@ -1,45 +1,49 @@ #!/bin/bash set -e sed -i -r \ -e "s|IMAP_ADMIN_LOGIN|$IMAP_ADMIN_LOGIN|g" \ -e "s|IMAP_ADMIN_PASSWORD|$IMAP_ADMIN_PASSWORD|g" \ + -e "s|MUPDATE|$MUPDATE|g" \ + -e "s|SERVERLIST|$SERVERLIST|g" \ + -e "s|SERVERNAME|$SERVERNAME|g" \ + -e "s|TLS_SERVER_CA_FILE|$TLS_SERVER_CA_FILE|g" \ $IMAPD_CONF sed -i -r \ -e "s|APP_SERVICES_DOMAIN|$APP_SERVICES_DOMAIN|g" \ -e "s|SERVICES_PORT|$SERVICES_PORT|g" \ /etc/saslauthd.conf if [[ "$CYRUS_CONF" != "/etc/cyrus.conf" ]]; then cp "$CYRUS_CONF" /etc/cyrus.conf fi if [[ "$IMAPD_CONF" != "/etc/imapd.conf" ]]; then cp "$IMAPD_CONF" /etc/imapd.conf fi mkdir -p /var/lib/imap/socket mkdir -p /var/lib/imap/db if [[ -f ${SSL_CERTIFICATE} ]]; then cat ${SSL_CERTIFICATE} ${SSL_CERTIFICATE_FULLCHAIN} ${SSL_CERTIFICATE_KEY} > /etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem fi /usr/sbin/saslauthd -m /run/saslauthd -a httpform -d & # Can't run as user because of /dev/ permissions so far. # Cyrus imap only logs to /dev/log, no way around it it seems. # sudo rsyslogd # Cyrus needs an entry in /etc/passwd. THe alternative would be perhaps the nss_wrapper # https://docs.openshift.com/container-platform/3.11/creating_images/guidelines.html#openshift-specific-guidelines # FIXME: This probably currently just works because we make /etc/ writable, which I suppose we shouldn't. ID=$(id -u) GID=$(id -g) echo "$ID:x:$ID:$GID::/opt/app-root/:/bin/bash" > /etc/passwd exec env CYRUS_VERBOSE=1 CYRUS_USER="$ID" /usr/libexec/master -D -p /var/run/master.pid
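Review bot: The four new `-e "s|…|$VAR|g"` expressions interpolate the environment values straight into the sed script, so a value containing `|` or `&` silently corrupts the expression (`&` re-inserts the match), and an unset `TLS_SERVER_CA_FILE` — the Dockerfile default — leaves `tls_server_ca_file:` with an empty value in the frontend config. Hostnames are unlikely to carry those characters, but the empty-CA case is the default path, so after the sed block I would add `if [[ -z "$TLS_SERVER_CA_FILE" ]]; then sed -i '/^tls_server_ca_file: *$/d' "$IMAPD_CONF"; fi` so the option is absent rather than blank. The trailing `$IMAPD_CONF` argument is also unquoted, which the new lines inherit; quoting it costs nothing.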