From 42a64b45d7fca9b10e03771774b296dd8501a515 Mon Sep 17 00:00:00 2001 From: andryyy Date: Sat, 10 Dec 2016 21:49:41 +0100 Subject: [PATCH] Fixes, working rspamd settings, generate DKIM keys in PHP --- README.md | 31 +++++++++++++++------- build-dovecot.sh | 6 ++--- build-nginx.sh | 2 ++ build-rspamd.sh | 2 ++ data/Dockerfiles/postfix/postfix.sh | 8 +----- data/Dockerfiles/rspamd/Dockerfile | 2 ++ data/conf/rspamd/local.d/metrics.conf | 5 ++++ data/conf/rspamd/local.d/rspamd.conf.local | 1 + data/conf/rspamd/lua/rspamd.local.lua | 2 -- data/web/inc/functions.inc.php | 23 +++++++++++----- fix-permissions.sh | 2 -- mailcow.conf | 8 +++--- print-status.sh | 3 --- 13 files changed, 58 insertions(+), 37 deletions(-) create mode 100644 data/conf/rspamd/local.d/rspamd.conf.local delete mode 100755 print-status.sh diff --git a/README.md b/README.md index 2ef601ec..b929d1e5 100644 --- a/README.md +++ b/README.md @@ -1,10 +1,12 @@ # mailcow-dockerized -## Configuration +## Installation -1. Open mailcow.conf and change stuff, do not touch versions, do not use special chars in passwords for now. +1. Open mailcow.conf and change stuff, do not use special chars in passwords. This will be fixed soon. -2. ./build-all.sh +2. Run ./build-all.sh + +3. Set a rspamd controller password (see section "rspamd") Done. @@ -22,6 +24,12 @@ The default username for mailcow is `admin` with password `moohoo`. No persistent data is deleted at any time. If an image exists, you will be asked wether or not to repull/rebuild it. +### Logs + +You can use docker logs $name for almost all containers. Only rmilter does not log to stdout. You can check rspamd logs for rmilter reponses. + +When a process dies, the container dies, too. Except for Postfix' container. + ### MySQL Connect to MySQL database: 
@@ -50,23 +58,28 @@ Connect to redis database: Use rspamadm: ``` -docker exec -it rspamd-mailcow /bin/bash -c "rspamadm --help" +docker exec -it rspamd-mailcow rspamadm --help ``` Use rspamc: ``` -docker exec -it rspamd-mailcow /bin/bash -c "rspamc --help" +docker exec -it rspamd-mailcow rspamc --help ``` Set rspamd controller password: ``` -docker exec -it rspamd-mailcow /bin/bash -c "rspamadm pw" +# Generate hash +docker exec -it rspamd-mailcow rspamadm pw ``` -Copy given hash to data/conf/rspamd/override.d/worker-controller.inc: + +Replace given hash in data/conf/rspamd/override.d/worker-controller.inc: ``` -... enable_password = "myhash"; -.... +``` + +Restart rspamd: +``` +docker restart rspamd-mailcow ``` ### Remove persistent data diff --git a/build-dovecot.sh b/build-dovecot.sh index 6363d698..259a334d 100755 --- a/build-dovecot.sh +++ b/build-dovecot.sh @@ -1,7 +1,6 @@ #!/bin/bash -. mailcow.conf -./build-network.sh +source mailcow.conf NAME="dovecot-mailcow" @@ -48,5 +47,4 @@ docker run \ -h ${MAILCOW_HOSTNAME} \ -d dovecot -echo "Fixing permissions..." -chown -R 5000:5000 data/vmail +/bin/bash ./fix-permissions.sh diff --git a/build-nginx.sh b/build-nginx.sh index 694c9c2b..f4f2c608 100755 --- a/build-nginx.sh +++ b/build-nginx.sh @@ -38,3 +38,5 @@ docker run \ echo "Installaing SOGo web resource files..." docker exec -it ${NAME} /bin/bash -c 'apt-key adv --keyserver keys.gnupg.net --recv-key 0x810273C4 && apt-get update && apt-get -y --force-yes install apt-transport-https' docker exec -it ${NAME} /bin/bash -c 'echo "deb http://packages.inverse.ca/SOGo/nightly/3/debian/ jessie jessie" > /etc/apt/sources.list.d/sogo.list && apt-get update && apt-get -y --force-yes install sogo' + +/bin/bash ./fix-permissions.sh diff --git a/build-rspamd.sh b/build-rspamd.sh index edee5cf4..006196fc 100755 --- a/build-rspamd.sh +++ b/build-rspamd.sh @@ -36,3 +36,5 @@ docker run \ --name ${NAME} \ -d rspamd +/bin/bash ./fix-permissions.sh + 
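Review bot: `source mailcow.conf` in the first build-dovecot.sh hunk resolves relative to the caller's working directory and a failed source is not fatal, so running the script from any other directory carries on with every variable empty (an empty `${MAILCOW_HOSTNAME}` still reaches `docker run -h` in the second hunk). I would open the script with `set -euo pipefail` and `cd "$(dirname "$0")"` directly under the shebang; that also makes the `./fix-permissions.sh` call appended at the end of the file location-independent. The hunk also drops the `./build-network.sh` call, and nothing in this diff shows what creates the network the container joins, so the commit message should say where that moved. The body of the script between the two hunks is outside this view.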
diff --git a/data/Dockerfiles/postfix/postfix.sh b/data/Dockerfiles/postfix/postfix.sh index eabed030..e2cf2b5b 100755 --- a/data/Dockerfiles/postfix/postfix.sh +++ b/data/Dockerfiles/postfix/postfix.sh @@ -9,10 +9,4 @@ trap "postfix reload" SIGHUP # start postfix postfix -c /opt/postfix/conf start -# lets give postfix some time to start -sleep 3 - -# wait until postfix is dead (triggered by trap) -while kill -0 $(cat /var/spool/postfix/pid/master.pid); do - sleep 5 -done +sleep infinity diff --git a/data/Dockerfiles/rspamd/Dockerfile b/data/Dockerfiles/rspamd/Dockerfile index 225d9edf..0e965bf9 100644 --- a/data/Dockerfiles/rspamd/Dockerfile +++ b/data/Dockerfiles/rspamd/Dockerfile @@ -9,6 +9,8 @@ RUN apt-get update \ && apt-get update \ && apt-get --no-install-recommends -y --force-yes install rspamd +RUN echo '.include $LOCAL_CONFDIR/local.d/rspamd.conf.local' > /etc/rspamd/rspamd.conf.local + CMD ["/usr/bin/rspamd","-f", "-u", "_rspamd", "-g", "_rspamd"] USER _rspamd diff --git a/data/conf/rspamd/local.d/metrics.conf b/data/conf/rspamd/local.d/metrics.conf index 4c60ca44..4fd0953c 100644 --- a/data/conf/rspamd/local.d/metrics.conf +++ b/data/conf/rspamd/local.d/metrics.conf @@ -1,3 +1,8 @@ +actions { + reject = 15; + add_header = 5; + greylist = 4; +} symbol "MAILCOW_AUTH" { description = "mailcow authenticated"; score = -20.0; diff --git a/data/conf/rspamd/local.d/rspamd.conf.local b/data/conf/rspamd/local.d/rspamd.conf.local new file mode 100644 index 00000000..4449f091 --- /dev/null +++ b/data/conf/rspamd/local.d/rspamd.conf.local @@ -0,0 +1 @@ +settings = "http://nginx:8081/settings.php"; diff --git a/data/conf/rspamd/lua/rspamd.local.lua b/data/conf/rspamd/lua/rspamd.local.lua index 97c6af3d..292b7d08 100644 --- a/data/conf/rspamd/lua/rspamd.local.lua +++ b/data/conf/rspamd/lua/rspamd.local.lua 
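Review bot: The `trap "postfix reload" SIGHUP` kept as context stops working once `sleep infinity` is the foreground command: bash defers a trap until the foreground child exits, and this child never does, so a SIGHUP to the container's main process is never turned into a reload. Backgrounding the sleep keeps the script interruptible, `sleep infinity &` followed by `while :; do wait; done`, since `wait` returns as soon as the trap fires and the loop re-arms it. The rewrite also means a dead postfix master no longer ends the container, which the README hunk in this commit acknowledges; if the intent is for docker's restart policy to notice, a `kill -0` poll like the removed loop, with the pid-file read guarded by `2>/dev/null`, is the cheaper option.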
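Review bot: The new `settings` line makes rspamd fetch its settings module input from `http://nginx:8081/settings.php` in plaintext and without authentication, and the settings module can override scores, actions and whitelists, so whoever can answer as `nginx` on the docker network or reach port 8081 directly decides how mail is classified. That is acceptable only while 8081 stays on the internal network; the nginx configuration is not part of this diff, so I cannot confirm the port is not published on the host. Please say so on the line, e.g. `# policy endpoint: serve only on the internal docker network, never publish 8081`, so the next person touching the nginx port mapping sees the constraint.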
@@ -10,5 +10,3 @@ rspamd_config.MAILCOW_AUTH = { rspamd_config.MAILCOW_MOO = function (task) return true end - -rspamd_config:add_map('http://nginx:8081/settings.php', "settings map", process_map) diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php index 0b918792..09a258d4 100644 --- a/data/web/inc/functions.inc.php +++ b/data/web/inc/functions.inc.php @@ -160,7 +160,7 @@ function dkim_table($action, $item) { case "add": $domain = preg_replace('/[^A-Za-z0-9._\-]/', '_', $item['dkim']['domain']); $selector = preg_replace('/[^A-Za-z0-9._\-]/', '_', $item['dkim']['selector']); - $key_length = $item['dkim']['key_size']; + $key_length = intval($item['dkim']['key_size']); if (!ctype_alnum($selector) || !is_valid_domain_name($domain) || !is_numeric($key_length)) { $_SESSION['return'] = array( 'type' => 'danger', 
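Review bot: After the new `intval()` call, the `!is_numeric($key_length)` test on the following line is dead code, because `intval` always returns an int, so a non-numeric or out-of-range key size silently becomes 0 or an arbitrary bit count that is later handed to `openssl_pkey_new`. Key size is user input and should be an allowlist rather than a type check: `if (!ctype_alnum($selector) || !is_valid_domain_name($domain) || !in_array($key_length, array(1024, 2048, 4096), true)) {`. That rejects sub-1024-bit keys, which RFC 8301 tells DKIM verifiers to refuse, and caps the cost of generating a key inside the web worker, which is otherwise a way for a logged-in user to tie up PHP-FPM with very large moduli. `dkim_table` begins and ends outside this hunk.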
@@ -178,13 +178,22 @@ function dkim_table($action, $item) { break; } - // Should be done native in PHP soon - $privKey = shell_exec("openssl genrsa -out /tmp/dkim-private.pem " . escapeshellarg($key_length) . " -outform PEM && cat /tmp/dkim-private.pem"); - $pubKey = shell_exec('openssl rsa -in /tmp/dkim-private.pem -pubout -outform PEM 2>/dev/null | sed -e "1d" -e "\$d" | tr -d "\n"'); - shell_exec('rm /tmp/dkim-private.pem'); - + $config = array( + "digest_alg" => "sha256", + "private_key_bits" => $key_length, + "private_key_type" => OPENSSL_KEYTYPE_RSA, + ); + $keypair_ressource = openssl_pkey_new($config); + $key_details = openssl_pkey_get_details($keypair_ressource); + $pubKey = implode(array_slice( + array_filter( + explode(PHP_EOL, $key_details['key']) + ), 1, -1) + ); + // Save public key to file file_put_contents($GLOBALS['MC_DKIM_TXTS'] . '/' . $selector . '_' . $domain, $pubKey); - file_put_contents($GLOBALS['MC_DKIM_KEYS'] . '/' . $domain . '.' . $selector, $privKey); + // Save private key to file + openssl_pkey_export_to_file($keypair_ressource, $GLOBALS['MC_DKIM_KEYS'] . '/' . $domain . '.' . $selector); $_SESSION['return'] = array( 'type' => 'success', diff --git a/fix-permissions.sh b/fix-permissions.sh index 17cfa2a3..7017fd1f 100755 --- a/fix-permissions.sh +++ b/fix-permissions.sh @@ -1,4 +1,2 @@ -#!/bin/bash - chown -R 5000:5000 data/vmail chown -R 33:33 data/dkim diff --git a/mailcow.conf b/mailcow.conf index 73ae16b3..8fee38ed 100644 --- a/mailcow.conf +++ b/mailcow.conf @@ -5,13 +5,14 @@ MAILCOW_HOSTNAME=mail.mailcow.de -# mailcow SQL database configuration - +# SQL database configuration DBNAME=mailcow DBUSER=mailcow DBPASS=mysafepasswd DBROOT=myverysafepasswd + # MySQL +# Tested with MySQL 5.5 DBVERS=5.5 # SOGo configuration 
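Review bot: Neither `openssl_pkey_new` nor `openssl_pkey_export_to_file` has its return value checked, so when generation fails (bad `$key_length`, missing openssl config) `$key_details` is `false`, an empty public key is written to the TXT file, no private key file appears, and the user still gets the `success` message that follows. The first call should be guarded with the same `danger` plus `break` pattern the validation branch above uses, and the export result checked. Separately, the private key is written with PHP's default umask into a directory that `fix-permissions.sh` hands to uid 33, which on most hosts leaves it world-readable; chmod it straight after export to the most restrictive mode that still lets the rspamd container read it (which uid that maps to is not visible here). The enclosing `dkim_table` starts and ends outside the hunk.
```php
$keypair_ressource = openssl_pkey_new($config);
if ($keypair_ressource === false) {
  $_SESSION['return'] = array(
    'type' => 'danger',
    // … same message key as the validation error branch above, with openssl_error_string() …
  );
  break;
}
// … unchanged: public key extraction and TXT file write …
$privkey_file = $GLOBALS['MC_DKIM_KEYS'] . '/' . $domain . '.' . $selector;
if (!openssl_pkey_export_to_file($keypair_ressource, $privkey_file) || !chmod($privkey_file, 0640)) {
  // … same error reporting as above, then break …
}
```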
@@ -19,11 +20,12 @@ SOGOCHILDS=20 # Webserver configuration # Default port binding for Nginx is 443 +# PHPVERS="5.6-fpm" NGINXVERS="stable" # You should leave that alone -# Can also be 1.2.3.4:25 for specific binding +# Can also be 11.22.33.44:25 or 0.0.0.0:465 etc. for specific binding SMTP_PORT=25 SMTPS_PORT=465 SUBMISSION_PORT=587 diff --git a/print-status.sh b/print-status.sh deleted file mode 100755 index 7e2dc4a0..00000000 --- a/print-status.sh +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/bash - -# Soon