Merge pull request #2509 from mhofer117/tls-sni
Different SSL Certificate for each Domain with TLS SNImaster
commit
5d93ae655a
|
@ -0,0 +1,20 @@
|
|||
# EditorConfig helps developers define and maintain consistent
|
||||
# coding styles between different editors and IDEs
|
||||
# editorconfig.org
|
||||
|
||||
root = true
|
||||
|
||||
[*]
|
||||
|
||||
# Change these settings to your own preference
|
||||
indent_style = space
|
||||
indent_size = 2
|
||||
|
||||
# We recommend you to keep these unchanged
|
||||
end_of_line = lf
|
||||
charset = utf-8
|
||||
trim_trailing_whitespace = true
|
||||
insert_final_newline = true
|
||||
|
||||
[*.md]
|
||||
trim_trailing_whitespace = false
|
|
@ -6,6 +6,8 @@ data/conf/dovecot/dovecot-master.userdb
|
|||
mailcow.conf
|
||||
mailcow.conf_backup
|
||||
data/conf/nginx/*.active
|
||||
data/conf/postfix/sni.map
|
||||
data/conf/postfix/sni.map.db
|
||||
data/conf/postfix/extra.cf
|
||||
data/conf/postfix/sql
|
||||
data/conf/postfix/allow_mailcow_local.regexp
|
||||
|
@ -14,6 +16,8 @@ data/conf/nextcloud-*.bak
|
|||
data/web/inc/vars.local.inc.php
|
||||
data/assets/ssl/*
|
||||
.vscode/*
|
||||
.idea
|
||||
*.iml
|
||||
data/web/.well-known/acme-challenge
|
||||
data/web/nextcloud*/
|
||||
data/conf/rspamd/local.d/*
|
||||
|
@ -26,6 +30,7 @@ data/conf/nginx/*.custom
|
|||
data/conf/nginx/*.bak
|
||||
data/conf/dovecot/acl_anyone
|
||||
data/conf/dovecot/mail_plugins*
|
||||
data/conf/dovecot/sni.conf
|
||||
data/conf/dovecot/sogo-sso.conf
|
||||
data/conf/dovecot/extra.conf
|
||||
data/conf/dovecot/shared_namespace.conf
|
||||
|
|
|
@ -18,6 +18,11 @@ RUN apk upgrade --no-cache \
|
|||
&& python3 -m pip install acme-tiny
|
||||
|
||||
COPY acme.sh /srv/acme.sh
|
||||
COPY functions.sh /srv/functions.sh
|
||||
COPY obtain-certificate.sh /srv/obtain-certificate.sh
|
||||
COPY reload-configurations.sh /srv/reload-configurations.sh
|
||||
COPY expand6.sh /srv/expand6.sh
|
||||
|
||||
RUN chmod +x /srv/*.sh
|
||||
|
||||
CMD ["/sbin/tini", "-g", "--", "/srv/acme.sh"]
|
||||
|
|
|
@ -2,6 +2,7 @@
|
|||
set -o pipefail
|
||||
exec 5>&1
|
||||
|
||||
source /srv/functions.sh
|
||||
# Thanks to https://github.com/cvmiller -> https://github.com/cvmiller/expand6
|
||||
source /srv/expand6.sh
|
||||
|
||||
|
@ -15,26 +16,15 @@ if [[ "${SKIP_HTTP_VERIFICATION}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
|
|||
SKIP_HTTP_VERIFICATION=y
|
||||
fi
|
||||
|
||||
# Request certificate for MAILCOW_HOSTNAME ony
|
||||
# Request certificate for MAILCOW_HOSTNAME only
|
||||
if [[ "${ONLY_MAILCOW_HOSTNAME}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
|
||||
ONLY_MAILCOW_HOSTNAME=y
|
||||
fi
|
||||
|
||||
log_f() {
|
||||
if [[ ${2} == "no_nl" ]]; then
|
||||
echo -n "$(date) - ${1}"
|
||||
elif [[ ${2} == "no_date" ]]; then
|
||||
echo "${1}"
|
||||
elif [[ ${2} != "redis_only" ]]; then
|
||||
echo "$(date) - ${1}"
|
||||
# Request individual certificate for every domain
|
||||
if [[ "${ENABLE_SSL_SNI}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
|
||||
ENABLE_SSL_SNI=y
|
||||
fi
|
||||
if [[ ${3} == "b64" ]]; then
|
||||
redis-cli -h redis LPUSH ACME_LOG "{\"time\":\"$(date +%s)\",\"message\":\"base64,$(printf '%s' "${1}")\"}" > /dev/null
|
||||
else
|
||||
redis-cli -h redis LPUSH ACME_LOG "{\"time\":\"$(date +%s)\",\"message\":\"$(printf '%s' "${1}" | \
|
||||
tr '%&;$"[]{}-\r\n' ' ')\"}" > /dev/null
|
||||
fi
|
||||
}
|
||||
|
||||
if [[ "${SKIP_LETS_ENCRYPT}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
|
||||
log_f "SKIP_LETS_ENCRYPT=y, skipping Let's Encrypt..."
|
||||
|
@ -56,97 +46,21 @@ mkdir -p ${ACME_BASE}/acme
|
|||
# Migrate
|
||||
[[ -f ${ACME_BASE}/acme/private/privkey.pem ]] && mv ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/acme/key.pem
|
||||
[[ -f ${ACME_BASE}/acme/private/account.key ]] && mv ${ACME_BASE}/acme/private/account.key ${ACME_BASE}/acme/account.pem
|
||||
|
||||
reload_configurations(){
|
||||
# Reading container IDs
|
||||
# Wrapping as array to ensure trimmed content when calling $NGINX etc.
|
||||
local NGINX=($(curl --silent --insecure https://dockerapi/containers/json | jq -r '.[] | {name: .Config.Labels["com.docker.compose.service"], id: .Id}' | jq -rc 'select( .name | tostring | contains("nginx-mailcow")) | .id' | tr "\n" " "))
|
||||
local DOVECOT=($(curl --silent --insecure https://dockerapi/containers/json | jq -r '.[] | {name: .Config.Labels["com.docker.compose.service"], id: .Id}' | jq -rc 'select( .name | tostring | contains("dovecot-mailcow")) | .id' | tr "\n" " "))
|
||||
local POSTFIX=($(curl --silent --insecure https://dockerapi/containers/json | jq -r '.[] | {name: .Config.Labels["com.docker.compose.service"], id: .Id}' | jq -rc 'select( .name | tostring | contains("postfix-mailcow")) | .id' | tr "\n" " "))
|
||||
# Reloading
|
||||
echo "Reloading Nginx..."
|
||||
NGINX_RELOAD_RET=$(curl -X POST --insecure https://dockerapi/containers/${NGINX}/exec -d '{"cmd":"reload", "task":"nginx"}' --silent -H 'Content-type: application/json' | jq -r .type)
|
||||
[[ ${NGINX_RELOAD_RET} != 'success' ]] && { echo "Could not reload Nginx, restarting container..."; restart_container ${NGINX} ; }
|
||||
echo "Reloading Dovecot..."
|
||||
DOVECOT_RELOAD_RET=$(curl -X POST --insecure https://dockerapi/containers/${DOVECOT}/exec -d '{"cmd":"reload", "task":"dovecot"}' --silent -H 'Content-type: application/json' | jq -r .type)
|
||||
[[ ${DOVECOT_RELOAD_RET} != 'success' ]] && { echo "Could not reload Dovecot, restarting container..."; restart_container ${DOVECOT} ; }
|
||||
echo "Reloading Postfix..."
|
||||
POSTFIX_RELOAD_RET=$(curl -X POST --insecure https://dockerapi/containers/${POSTFIX}/exec -d '{"cmd":"reload", "task":"postfix"}' --silent -H 'Content-type: application/json' | jq -r .type)
|
||||
[[ ${POSTFIX_RELOAD_RET} != 'success' ]] && { echo "Could not reload Postfix, restarting container..."; restart_container ${POSTFIX} ; }
|
||||
}
|
||||
|
||||
restart_container(){
|
||||
for container in $*; do
|
||||
log_f "Restarting ${container}..." no_nl
|
||||
C_REST_OUT=$(curl -X POST --insecure https://dockerapi/containers/${container}/restart | jq -r '.msg')
|
||||
log_f "${C_REST_OUT}" no_date
|
||||
done
|
||||
}
|
||||
|
||||
array_diff() {
|
||||
# https://stackoverflow.com/questions/2312762, Alex Offshore
|
||||
eval local ARR1=\(\"\${$2[@]}\"\)
|
||||
eval local ARR2=\(\"\${$3[@]}\"\)
|
||||
local IFS=$'\n'
|
||||
mapfile -t $1 < <(comm -23 <(echo "${ARR1[*]}" | sort) <(echo "${ARR2[*]}" | sort))
|
||||
}
|
||||
|
||||
verify_hash_match(){
|
||||
CERT_HASH=$(openssl x509 -noout -modulus -in "${1}" | openssl md5)
|
||||
KEY_HASH=$(openssl rsa -noout -modulus -in "${2}" | openssl md5)
|
||||
if [[ ${CERT_HASH} != ${KEY_HASH} ]]; then
|
||||
log_f "Certificate and key hashes do not match!"
|
||||
return 1
|
||||
else
|
||||
log_f "Verified hashes."
|
||||
return 0
|
||||
if [[ -f ${ACME_BASE}/acme/key.pem && -f ${ACME_BASE}/acme/cert.pem ]]; then
|
||||
if verify_hash_match ${ACME_BASE}/acme/cert.pem ${ACME_BASE}/acme/key.pem; then
|
||||
log_f "Migrating to SNI folder structure..." no_nl
|
||||
CERT_DOMAIN=($(openssl x509 -noout -text -in ${ACME_BASE}/acme/cert.pem | grep "Subject:" | sed -e 's/\(Subject:\)\|\(CN = \)\|\(CN=\)//g' | sed -e 's/^[[:space:]]*//'))
|
||||
CERT_DOMAINS=(${CERT_DOMAIN} $(openssl x509 -noout -text -in ${ACME_BASE}/acme/cert.pem | grep "DNS:" | sed -e 's/\(DNS:\)\|,//g' | sed "s/${CERT_DOMAIN}//" | sed -e 's/^[[:space:]]*//'))
|
||||
mkdir -p ${ACME_BASE}/${CERT_DOMAIN}
|
||||
mv ${ACME_BASE}/acme/cert.pem ${ACME_BASE}/${CERT_DOMAIN}/cert.pem
|
||||
# key is only copied, not moved, because it is used by all other requests too
|
||||
cp ${ACME_BASE}/acme/key.pem ${ACME_BASE}/${CERT_DOMAIN}/key.pem
|
||||
chmod 600 ${ACME_BASE}/${CERT_DOMAIN}/key.pem
|
||||
echo -n ${CERT_DOMAINS[*]} > ${ACME_BASE}/${CERT_DOMAIN}/domains
|
||||
mv ${ACME_BASE}/acme/acme.csr ${ACME_BASE}/${CERT_DOMAIN}/acme.csr
|
||||
log_f "OK" no_date
|
||||
fi
|
||||
}
|
||||
|
||||
get_ipv4(){
|
||||
local IPV4=
|
||||
local IPV4_SRCS=
|
||||
local TRY=
|
||||
IPV4_SRCS[0]="ip4.mailcow.email"
|
||||
IPV4_SRCS[1]="ip4.korves.net"
|
||||
until [[ ! -z ${IPV4} ]] || [[ ${TRY} -ge 10 ]]; do
|
||||
IPV4=$(curl --connect-timeout 3 -m 10 -L4s ${IPV4_SRCS[$RANDOM % ${#IPV4_SRCS[@]} ]} | grep -E "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$")
|
||||
[[ ! -z ${TRY} ]] && sleep 1
|
||||
TRY=$((TRY+1))
|
||||
done
|
||||
echo ${IPV4}
|
||||
}
|
||||
|
||||
get_ipv6(){
|
||||
local IPV6=
|
||||
local IPV6_SRCS=
|
||||
local TRY=
|
||||
IPV6_SRCS[0]="ip6.korves.net"
|
||||
IPV6_SRCS[1]="ip6.mailcow.email"
|
||||
until [[ ! -z ${IPV6} ]] || [[ ${TRY} -ge 10 ]]; do
|
||||
IPV6=$(curl --connect-timeout 3 -m 10 -L6s ${IPV6_SRCS[$RANDOM % ${#IPV6_SRCS[@]} ]} | grep "^\([0-9a-fA-F]\{0,4\}:\)\{1,7\}[0-9a-fA-F]\{0,4\}$")
|
||||
[[ ! -z ${TRY} ]] && sleep 1
|
||||
TRY=$((TRY+1))
|
||||
done
|
||||
echo ${IPV6}
|
||||
}
|
||||
|
||||
verify_challenge_path(){
|
||||
if [[ ${SKIP_HTTP_VERIFICATION} == "y" ]]; then
|
||||
echo '(skipping check, returning 0)'
|
||||
return 0
|
||||
fi
|
||||
# verify_challenge_path URL 4|6
|
||||
RANDOM_N=${RANDOM}${RANDOM}${RANDOM}
|
||||
echo ${RANDOM_N} > /var/www/acme/${RANDOM_N}
|
||||
if [[ "$(curl --insecure -${2} -L http://${1}/.well-known/acme-challenge/${RANDOM_N} --silent)" == "${RANDOM_N}" ]]; then
|
||||
rm /var/www/acme/${RANDOM_N}
|
||||
return 0
|
||||
else
|
||||
rm /var/www/acme/${RANDOM_N}
|
||||
return 1
|
||||
fi
|
||||
}
|
||||
|
||||
[[ ! -f ${ACME_BASE}/dhparams.pem ]] && cp ${SSL_EXAMPLE}/dhparams.pem ${ACME_BASE}/dhparams.pem
|
||||
|
||||
|
@ -158,15 +72,12 @@ if [[ -f ${ACME_BASE}/cert.pem ]] && [[ -f ${ACME_BASE}/key.pem ]] && [[ $(stat
|
|||
exec $(readlink -f "$0")
|
||||
fi
|
||||
else
|
||||
if [[ -f ${ACME_BASE}/acme/cert.pem ]] && [[ -f ${ACME_BASE}/acme/key.pem ]]; then
|
||||
if verify_hash_match ${ACME_BASE}/acme/cert.pem ${ACME_BASE}/acme/key.pem; then
|
||||
if [[ -f ${ACME_BASE}/${MAILCOW_HOSTNAME}/cert.pem ]] && [[ -f ${ACME_BASE}/${MAILCOW_HOSTNAME}/key.pem ]] && verify_hash_match ${ACME_BASE}/${MAILCOW_HOSTNAME}/cert.pem ${ACME_BASE}/${MAILCOW_HOSTNAME}/key.pem; then
|
||||
log_f "Restoring previous acme certificate and restarting script..."
|
||||
cp ${ACME_BASE}/acme/cert.pem ${ACME_BASE}/cert.pem
|
||||
cp ${ACME_BASE}/acme/key.pem ${ACME_BASE}/key.pem
|
||||
cp ${ACME_BASE}/${MAILCOW_HOSTNAME}/cert.pem ${ACME_BASE}/cert.pem
|
||||
cp ${ACME_BASE}/${MAILCOW_HOSTNAME}/key.pem ${ACME_BASE}/key.pem
|
||||
# Restarting with env var set to trigger a restart,
|
||||
exec env TRIGGER_RESTART=1 $(readlink -f "$0")
|
||||
fi
|
||||
ISSUER="mailcow"
|
||||
else
|
||||
log_f "Restoring mailcow snake-oil certificates and restarting script..."
|
||||
cp ${SSL_EXAMPLE}/cert.pem ${ACME_BASE}/cert.pem
|
||||
|
@ -174,6 +85,7 @@ else
|
|||
exec env TRIGGER_RESTART=1 $(readlink -f "$0")
|
||||
fi
|
||||
fi
|
||||
|
||||
chmod 600 ${ACME_BASE}/key.pem
|
||||
|
||||
log_f "Waiting for database... " no_nl
|
||||
|
@ -203,10 +115,10 @@ while true; do
|
|||
|
||||
# Re-using previous acme-mailcow account and domain keys
|
||||
if [[ ! -f ${ACME_BASE}/acme/key.pem ]]; then
|
||||
log_f "Generating missing domain private key..."
|
||||
log_f "Generating missing domain private rsa key..."
|
||||
openssl genrsa 4096 > ${ACME_BASE}/acme/key.pem
|
||||
else
|
||||
log_f "Using existing domain key ${ACME_BASE}/acme/key.pem"
|
||||
log_f "Using existing domain rsa key ${ACME_BASE}/acme/key.pem"
|
||||
fi
|
||||
if [[ ! -f ${ACME_BASE}/acme/account.pem ]]; then
|
||||
log_f "Generating missing Lets Encrypt account key..."
|
||||
|
@ -218,25 +130,34 @@ while true; do
|
|||
chmod 600 ${ACME_BASE}/acme/key.pem
|
||||
chmod 600 ${ACME_BASE}/acme/account.pem
|
||||
|
||||
unset EXISTING_CERTS
|
||||
declare -a EXISTING_CERTS
|
||||
for cert_dir in ${ACME_BASE}/*/ ; do
|
||||
if [[ ! -f ${cert_dir}domains ]] || [[ ! -f ${cert_dir}cert.pem ]] || [[ ! -f ${cert_dir}key.pem ]]; then
|
||||
continue
|
||||
fi
|
||||
EXISTING_CERTS+=("$(basename ${cert_dir})")
|
||||
done
|
||||
|
||||
# Cleaning up and init validation arrays
|
||||
unset SQL_DOMAIN_ARR
|
||||
unset VALIDATED_CONFIG_DOMAINS
|
||||
unset ADDITIONAL_VALIDATED_SAN
|
||||
unset ADDITIONAL_WC_ARR
|
||||
unset ADDITIONAL_SAN_ARR
|
||||
unset SAN_CHANGE
|
||||
unset SAN_ARRAY_NOW
|
||||
unset ORPHANED_SAN
|
||||
unset ADDED_SAN
|
||||
SAN_CHANGE=0
|
||||
declare -a SAN_ARRAY_NOW
|
||||
declare -a ORPHANED_SAN
|
||||
declare -a ADDED_SAN
|
||||
unset CERT_ERRORS
|
||||
unset CERT_CHANGED
|
||||
unset CERT_AMOUNT_CHANGED
|
||||
unset VALIDATED_CERTIFICATES
|
||||
CERT_ERRORS=0
|
||||
CERT_CHANGED=0
|
||||
CERT_AMOUNT_CHANGED=0
|
||||
declare -a SQL_DOMAIN_ARR
|
||||
declare -a VALIDATED_CONFIG_DOMAINS
|
||||
declare -a ADDITIONAL_VALIDATED_SAN
|
||||
declare -a ADDITIONAL_WC_ARR
|
||||
declare -a ADDITIONAL_SAN_ARR
|
||||
declare -a VALIDATED_CERTIFICATES
|
||||
IFS=',' read -r -a TMP_ARR <<< "${ADDITIONAL_SAN}"
|
||||
for i in "${TMP_ARR[@]}" ; do
|
||||
if [[ "$i" =~ \.\*$ ]]; then
|
||||
|
@ -258,9 +179,9 @@ while true; do
|
|||
MH_CAAS=( $(dig CAA ${MH_PARENT_DOMAIN} +short | sed -n 's/\d issue "\(.*\)"/\1/p') )
|
||||
if [[ ! -z ${MH_CAAS} ]]; then
|
||||
if [[ ${MH_CAAS[@]} =~ "letsencrypt.org" ]]; then
|
||||
echo "Validated CAA for parent domain ${MH_PARENT_DOMAIN}"
|
||||
log_f "Validated CAA for parent domain ${MH_PARENT_DOMAIN}"
|
||||
else
|
||||
echo "Skipping ACME validation: Lets Encrypt disallowed for ${MAILCOW_HOSTNAME} by CAA record, retrying in 1h..."
|
||||
log_f "Skipping ACME validation: Lets Encrypt disallowed for ${MAILCOW_HOSTNAME} by CAA record, retrying in 1h..."
|
||||
sleep 1h
|
||||
exec $(readlink -f "$0")
|
||||
fi
|
||||
|
@ -268,84 +189,37 @@ while true; do
|
|||
|
||||
#########################################
|
||||
# IP and webroot challenge verification #
|
||||
SQL_DOMAINS=$(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT domain FROM domain WHERE backupmx=0" -Bs)
|
||||
if [[ ! $? -eq 0 ]]; then
|
||||
log_f "Failed to read SQL domains, retrying in 1 minute..."
|
||||
sleep 1m
|
||||
exec $(readlink -f "$0")
|
||||
fi
|
||||
while read domains; do
|
||||
if [[ -z "${domains}" ]]; then
|
||||
# ignore empty lines
|
||||
continue
|
||||
fi
|
||||
SQL_DOMAIN_ARR+=("${domains}")
|
||||
done < <(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT domain FROM domain WHERE backupmx=0" -Bs)
|
||||
done <<< "${SQL_DOMAINS}"
|
||||
|
||||
if [[ ${ONLY_MAILCOW_HOSTNAME} != "y" ]]; then
|
||||
for SQL_DOMAIN in "${SQL_DOMAIN_ARR[@]}"; do
|
||||
unset VALIDATED_CONFIG_DOMAINS_SUBDOMAINS
|
||||
declare -a VALIDATED_CONFIG_DOMAINS_SUBDOMAINS
|
||||
for SUBDOMAIN in "${ADDITIONAL_WC_ARR[@]}"; do
|
||||
if [[ "${SUBDOMAIN}.${SQL_DOMAIN}" != "${MAILCOW_HOSTNAME}" ]]; then
|
||||
A_SUBDOMAIN=$(dig A ${SUBDOMAIN}.${SQL_DOMAIN} +short | tail -n 1)
|
||||
AAAA_SUBDOMAIN=$(dig AAAA ${SUBDOMAIN}.${SQL_DOMAIN} +short | tail -n 1)
|
||||
# Check if CNAME without v6 enabled target
|
||||
if [[ ! -z ${AAAA_SUBDOMAIN} ]] && [[ -z $(echo ${AAAA_SUBDOMAIN} | grep "^\([0-9a-fA-F]\{0,4\}:\)\{1,7\}[0-9a-fA-F]\{0,4\}$") ]]; then
|
||||
AAAA_SUBDOMAIN=
|
||||
fi
|
||||
if [[ ! -z ${AAAA_SUBDOMAIN} ]]; then
|
||||
log_f "Found AAAA record for ${SUBDOMAIN}.${SQL_DOMAIN}: ${AAAA_SUBDOMAIN} - skipping A record check"
|
||||
if [[ $(expand ${IPV6:-"0000:0000:0000:0000:0000:0000:0000:0000"}) == $(expand ${AAAA_SUBDOMAIN}) ]] || [[ ${SKIP_IP_CHECK} == "y" ]]; then
|
||||
if verify_challenge_path "${SUBDOMAIN}.${SQL_DOMAIN}" 6; then
|
||||
log_f "Confirmed AAAA record with IP ${AAAA_SUBDOMAIN}, adding SAN"
|
||||
VALIDATED_CONFIG_DOMAINS+=("${SUBDOMAIN}.${SQL_DOMAIN}")
|
||||
else
|
||||
log_f "Confirmed AAAA record with IP ${AAAA_SUBDOMAIN}, but HTTP validation failed"
|
||||
fi
|
||||
else
|
||||
log_f "Cannot match your IP ${IPV6:-NO_IPV6_LINK} against hostname ${SUBDOMAIN}.${SQL_DOMAIN} ($(expand ${AAAA_SUBDOMAIN}))"
|
||||
fi
|
||||
elif [[ ! -z ${A_SUBDOMAIN} ]]; then
|
||||
log_f "Found A record for ${SUBDOMAIN}.${SQL_DOMAIN}: ${A_SUBDOMAIN}"
|
||||
if [[ ${IPV4:-ERR} == ${A_SUBDOMAIN} ]] || [[ ${SKIP_IP_CHECK} == "y" ]]; then
|
||||
if verify_challenge_path "${SUBDOMAIN}.${SQL_DOMAIN}" 4; then
|
||||
log_f "Confirmed A record ${A_SUBDOMAIN}, adding SAN"
|
||||
VALIDATED_CONFIG_DOMAINS+=("${SUBDOMAIN}.${SQL_DOMAIN}")
|
||||
else
|
||||
log_f "Confirmed A record with IP ${A_SUBDOMAIN}, but HTTP validation failed"
|
||||
fi
|
||||
else
|
||||
log_f "Cannot match your IP ${IPV4} against hostname ${SUBDOMAIN}.${SQL_DOMAIN} (${A_SUBDOMAIN})"
|
||||
fi
|
||||
else
|
||||
log_f "No A or AAAA record found for hostname ${SUBDOMAIN}.${SQL_DOMAIN}"
|
||||
if check_domain "${SUBDOMAIN}.${SQL_DOMAIN}"; then
|
||||
VALIDATED_CONFIG_DOMAINS_SUBDOMAINS+=("${SUBDOMAIN}.${SQL_DOMAIN}")
|
||||
fi
|
||||
fi
|
||||
done
|
||||
VALIDATED_CONFIG_DOMAINS+=("${VALIDATED_CONFIG_DOMAINS_SUBDOMAINS[*]}")
|
||||
done
|
||||
fi
|
||||
|
||||
A_MAILCOW_HOSTNAME=$(dig A ${MAILCOW_HOSTNAME} +short | tail -n 1)
|
||||
AAAA_MAILCOW_HOSTNAME=$(dig AAAA ${MAILCOW_HOSTNAME} +short | tail -n 1)
|
||||
# Check if CNAME without v6 enabled target
|
||||
if [[ ! -z ${AAAA_MAILCOW_HOSTNAME} ]] && [[ -z $(echo ${AAAA_MAILCOW_HOSTNAME} | grep "^\([0-9a-fA-F]\{0,4\}:\)\{1,7\}[0-9a-fA-F]\{0,4\}$") ]]; then
|
||||
AAAA_MAILCOW_HOSTNAME=
|
||||
fi
|
||||
if [[ ! -z ${AAAA_MAILCOW_HOSTNAME} ]]; then
|
||||
log_f "Found AAAA record for ${MAILCOW_HOSTNAME}: ${AAAA_MAILCOW_HOSTNAME} - skipping A record check"
|
||||
if [[ $(expand ${IPV6:-"0000:0000:0000:0000:0000:0000:0000:0000"}) == $(expand ${AAAA_MAILCOW_HOSTNAME}) ]] || [[ ${SKIP_IP_CHECK} == "y" ]]; then
|
||||
if verify_challenge_path "${MAILCOW_HOSTNAME}" 6; then
|
||||
log_f "Confirmed AAAA record ${AAAA_MAILCOW_HOSTNAME}"
|
||||
VALIDATED_MAILCOW_HOSTNAME=${MAILCOW_HOSTNAME}
|
||||
else
|
||||
log_f "Confirmed AAAA record with IP ${AAAA_MAILCOW_HOSTNAME}, but HTTP validation failed"
|
||||
fi
|
||||
else
|
||||
log_f "Cannot match your IP ${IPV6:-NO_IPV6_LINK} against hostname ${MAILCOW_HOSTNAME} (DNS returned $(expand ${AAAA_MAILCOW_HOSTNAME}))"
|
||||
fi
|
||||
elif [[ ! -z ${A_MAILCOW_HOSTNAME} ]]; then
|
||||
log_f "Found A record for ${MAILCOW_HOSTNAME}: ${A_MAILCOW_HOSTNAME}"
|
||||
if [[ ${IPV4:-ERR} == ${A_MAILCOW_HOSTNAME} ]] || [[ ${SKIP_IP_CHECK} == "y" ]]; then
|
||||
if verify_challenge_path "${MAILCOW_HOSTNAME}" 4; then
|
||||
log_f "Confirmed A record ${A_MAILCOW_HOSTNAME}"
|
||||
VALIDATED_MAILCOW_HOSTNAME=${MAILCOW_HOSTNAME}
|
||||
else
|
||||
log_f "Confirmed A record with IP ${A_MAILCOW_HOSTNAME}, but HTTP validation failed"
|
||||
fi
|
||||
else
|
||||
log_f "Cannot match your IP ${IPV4} against hostname ${MAILCOW_HOSTNAME} (DNS returned ${A_MAILCOW_HOSTNAME})"
|
||||
fi
|
||||
else
|
||||
log_f "No A or AAAA record found for hostname ${MAILCOW_HOSTNAME}"
|
||||
if check_domain ${MAILCOW_HOSTNAME}; then
|
||||
VALIDATED_MAILCOW_HOSTNAME="${MAILCOW_HOSTNAME}"
|
||||
fi
|
||||
|
||||
if [[ ${ONLY_MAILCOW_HOSTNAME} != "y" ]]; then
|
||||
|
@ -355,149 +229,132 @@ while true; do
|
|||
SAN_CAAS=( $(dig CAA ${SAN_PARENT_DOMAIN} +short | sed -n 's/\d issue "\(.*\)"/\1/p') )
|
||||
if [[ ! -z ${SAN_CAAS} ]]; then
|
||||
if [[ ${SAN_CAAS[@]} =~ "letsencrypt.org" ]]; then
|
||||
echo "Validated CAA for parent domain ${SAN_PARENT_DOMAIN} of ${SAN}"
|
||||
log_f "Validated CAA for parent domain ${SAN_PARENT_DOMAIN} of ${SAN}"
|
||||
else
|
||||
echo "Skipping ACME validation for ${SAN}: Lets Encrypt disallowed for ${SAN} by CAA record"
|
||||
log_f "Skipping ACME validation for ${SAN}: Lets Encrypt disallowed for ${SAN} by CAA record"
|
||||
continue
|
||||
fi
|
||||
fi
|
||||
if [[ ${SAN} == ${MAILCOW_HOSTNAME} ]]; then
|
||||
continue
|
||||
fi
|
||||
A_SAN=$(dig A ${SAN} +short | tail -n 1)
|
||||
AAAA_SAN=$(dig AAAA ${SAN} +short | tail -n 1)
|
||||
# Check if CNAME without v6 enabled target
|
||||
if [[ ! -z ${AAAA_SAN} ]] && [[ -z $(echo ${AAAA_SAN} | grep "^\([0-9a-fA-F]\{0,4\}:\)\{1,7\}[0-9a-fA-F]\{0,4\}$") ]]; then
|
||||
AAAA_SAN=
|
||||
fi
|
||||
if [[ ! -z ${AAAA_SAN} ]]; then
|
||||
log_f "Found AAAA record for ${SAN}: ${AAAA_SAN} - skipping A record check"
|
||||
if [[ $(expand ${IPV6:-"0000:0000:0000:0000:0000:0000:0000:0000"}) == $(expand ${AAAA_SAN}) ]] || [[ ${SKIP_IP_CHECK} == "y" ]]; then
|
||||
if verify_challenge_path "${SAN}" 6; then
|
||||
log_f "Confirmed AAAA record with IP ${AAAA_SAN}"
|
||||
if check_domain ${SAN}; then
|
||||
ADDITIONAL_VALIDATED_SAN+=("${SAN}")
|
||||
else
|
||||
log_f "Confirmed AAAA record with IP ${AAAA_SAN}, but HTTP validation failed"
|
||||
fi
|
||||
else
|
||||
log_f "Cannot match your IP ${IPV6:-NO_IPV6_LINK} against hostname ${SAN} (DNS returned $(expand ${AAAA_SAN}))"
|
||||
fi
|
||||
elif [[ ! -z ${A_SAN} ]]; then
|
||||
log_f "Found A record for ${SAN}: ${A_SAN}"
|
||||
if [[ ${IPV4:-ERR} == ${A_SAN} ]] || [[ ${SKIP_IP_CHECK} == "y" ]]; then
|
||||
if verify_challenge_path "${SAN}" 4; then
|
||||
log_f "Confirmed A record ${A_SAN}"
|
||||
ADDITIONAL_VALIDATED_SAN+=("${SAN}")
|
||||
else
|
||||
log_f "Confirmed A record with IP ${A_SAN}, but HTTP validation failed"
|
||||
fi
|
||||
else
|
||||
log_f "Cannot match your IP ${IPV4} against hostname ${SAN} (DNS returned ${A_SAN})"
|
||||
fi
|
||||
else
|
||||
log_f "No A or AAAA record found for hostname ${SAN}"
|
||||
fi
|
||||
done
|
||||
fi
|
||||
|
||||
# Unique elements
|
||||
ALL_VALIDATED=(${VALIDATED_MAILCOW_HOSTNAME} $(echo ${VALIDATED_CONFIG_DOMAINS[*]} ${ADDITIONAL_VALIDATED_SAN[*]} | xargs -n1 | sort -u | xargs))
|
||||
if [[ -z ${ALL_VALIDATED[*]} ]]; then
|
||||
log_f "Cannot validate hostnames, skipping Let's Encrypt for 1 hour."
|
||||
# Unique domains for server certificate
|
||||
if [[ ${ENABLE_SSL_SNI} == "y" ]]; then
|
||||
# create certificate for server name and fqdn SANs only
|
||||
SERVER_SAN_VALIDATED=(${VALIDATED_MAILCOW_HOSTNAME} $(echo ${ADDITIONAL_VALIDATED_SAN[*]} | xargs -n1 | sort -u | xargs))
|
||||
else
|
||||
# create certificate for all domains, including all subdomains from other domains [*]
|
||||
SERVER_SAN_VALIDATED=(${VALIDATED_MAILCOW_HOSTNAME} $(echo ${VALIDATED_CONFIG_DOMAINS[*]} ${ADDITIONAL_VALIDATED_SAN[*]} | xargs -n1 | sort -u | xargs))
|
||||
fi
|
||||
if [[ ! -z ${SERVER_SAN_VALIDATED[*]} ]]; then
|
||||
CERT_NAME=${SERVER_SAN_VALIDATED[0]}
|
||||
VALIDATED_CERTIFICATES+=("${CERT_NAME}")
|
||||
|
||||
# obtain server certificate if required
|
||||
DOMAINS=${SERVER_SAN_VALIDATED[@]} /srv/obtain-certificate.sh rsa
|
||||
RETURN="$?"
|
||||
if [[ "$RETURN" == "0" ]]; then # 0 = cert created successfully
|
||||
CERT_AMOUNT_CHANGED=1
|
||||
CERT_CHANGED=1
|
||||
elif [[ "$RETURN" == "1" ]]; then # 1 = cert renewed successfully
|
||||
CERT_CHANGED=1
|
||||
elif [[ "$RETURN" == "2" ]]; then # 2 = cert not due for renewal
|
||||
:
|
||||
else
|
||||
CERT_ERRORS=1
|
||||
fi
|
||||
# copy hostname certificate to default/server certificate
|
||||
cp ${ACME_BASE}/${CERT_NAME}/cert.pem ${ACME_BASE}/cert.pem
|
||||
cp ${ACME_BASE}/${CERT_NAME}/key.pem ${ACME_BASE}/key.pem
|
||||
fi
|
||||
|
||||
# individual certificates for SNI [@]
|
||||
if [[ ${ENABLE_SSL_SNI} == "y" ]]; then
|
||||
for VALIDATED_DOMAINS in "${VALIDATED_CONFIG_DOMAINS[@]}"; do
|
||||
VALIDATED_DOMAINS_ARR=(${VALIDATED_DOMAINS})
|
||||
|
||||
unset VALIDATED_DOMAINS_SORTED
|
||||
declare -a VALIDATED_DOMAINS_SORTED
|
||||
VALIDATED_DOMAINS_SORTED=(${VALIDATED_DOMAINS_ARR[0]} $(echo ${VALIDATED_DOMAINS_ARR[@]:1} | xargs -n1 | sort -u | xargs))
|
||||
|
||||
# remove all domain names that are already inside the server certificate (SERVER_SAN_VALIDATED)
|
||||
for domain in "${SERVER_SAN_VALIDATED[@]}"; do
|
||||
for i in "${!VALIDATED_DOMAINS_SORTED[@]}"; do
|
||||
if [[ ${VALIDATED_DOMAINS_SORTED[i]} = $domain ]]; then
|
||||
unset 'VALIDATED_DOMAINS_SORTED[i]'
|
||||
fi
|
||||
done
|
||||
done
|
||||
|
||||
if [[ ! -z ${VALIDATED_DOMAINS_SORTED[*]} ]]; then
|
||||
CERT_NAME=${VALIDATED_DOMAINS_SORTED[0]}
|
||||
VALIDATED_CERTIFICATES+=("${CERT_NAME}")
|
||||
# obtain certificate if required
|
||||
DOMAINS=${VALIDATED_DOMAINS_SORTED[@]} /srv/obtain-certificate.sh rsa
|
||||
RETURN="$?"
|
||||
if [[ "$RETURN" == "0" ]]; then # 0 = cert created successfully
|
||||
CERT_AMOUNT_CHANGED=1
|
||||
CERT_CHANGED=1
|
||||
elif [[ "$RETURN" == "1" ]]; then # 1 = cert renewed successfully
|
||||
CERT_CHANGED=1
|
||||
elif [[ "$RETURN" == "2" ]]; then # 2 = cert not due for renewal
|
||||
:
|
||||
else
|
||||
CERT_ERRORS=1
|
||||
fi
|
||||
fi
|
||||
done
|
||||
fi
|
||||
|
||||
if [[ -z ${VALIDATED_CERTIFICATES[*]} ]]; then
|
||||
log_f "Cannot validate any hostnames, skipping Let's Encrypt for 1 hour."
|
||||
log_f "Use SKIP_LETS_ENCRYPT=y in mailcow.conf to skip it permanently."
|
||||
redis-cli -h redis SET ACME_FAIL_TIME "$(date +%s)"
|
||||
sleep 1h
|
||||
exec $(readlink -f "$0")
|
||||
fi
|
||||
|
||||
# Collecting SANs from active certificate
|
||||
SAN_NAMES=$(openssl x509 -noout -text -in ${ACME_BASE}/cert.pem | awk '/X509v3 Subject Alternative Name/ {getline;gsub(/ /, "", $0); print}' | tr -d "DNS:")
|
||||
if [[ ! -z ${SAN_NAMES} ]]; then
|
||||
IFS=',' read -a SAN_ARRAY_NOW <<< ${SAN_NAMES}
|
||||
fi
|
||||
|
||||
# Finding difference in SAN array now vs. SAN array by current configuration
|
||||
array_diff ORPHANED_SAN SAN_ARRAY_NOW ALL_VALIDATED
|
||||
if [[ ! -z ${ORPHANED_SAN[*]} ]]; then
|
||||
log_f "Found orphaned SAN ${ORPHANED_SAN[*]}"
|
||||
SAN_CHANGE=1
|
||||
fi
|
||||
array_diff ADDED_SAN ALL_VALIDATED SAN_ARRAY_NOW
|
||||
if [[ ! -z ${ADDED_SAN[*]} ]]; then
|
||||
log_f "Found new SAN ${ADDED_SAN[*]}"
|
||||
SAN_CHANGE=1
|
||||
fi
|
||||
|
||||
if [[ ${SAN_CHANGE} == 0 ]]; then
|
||||
# Certificate did not change but could be due for renewal (4 weeks)
|
||||
if ! openssl x509 -checkend 2592000 -noout -in ${ACME_BASE}/cert.pem; then
|
||||
log_f "Certificate is due for renewal (< 30 days)"
|
||||
else
|
||||
log_f "Certificate validation done, neither changed nor due for renewal, sleeping for another day."
|
||||
sleep 1d
|
||||
continue
|
||||
fi
|
||||
fi
|
||||
|
||||
# find orphaned certificates if no errors occurred
|
||||
if [[ "${CERT_ERRORS}" == "0" ]]; then
|
||||
for EXISTING_CERT in "${EXISTING_CERTS[@]}"; do
|
||||
if [[ ! "`printf '_%s_\n' "${VALIDATED_CERTIFICATES[@]}"`" == *"_${EXISTING_CERT}_"* ]]; then
|
||||
DATE=$(date +%Y-%m-%d_%H_%M_%S)
|
||||
log_f "Creating backups in ${ACME_BASE}/backups/${DATE}/ ..."
|
||||
mkdir -p ${ACME_BASE}/backups/${DATE}/
|
||||
[[ -f ${ACME_BASE}/acme/acme.csr ]] && cp ${ACME_BASE}/acme/acme.csr ${ACME_BASE}/backups/${DATE}/
|
||||
[[ -f ${ACME_BASE}/acme/cert.pem ]] && cp ${ACME_BASE}/acme/cert.pem ${ACME_BASE}/backups/${DATE}/
|
||||
[[ -f ${ACME_BASE}/acme/key.pem ]] && cp ${ACME_BASE}/acme/key.pem ${ACME_BASE}/backups/${DATE}/
|
||||
[[ -f ${ACME_BASE}/acme/account.pem ]] && cp ${ACME_BASE}/acme/account.pem ${ACME_BASE}/backups/${DATE}/
|
||||
|
||||
# Generating CSR
|
||||
printf "[SAN]\nsubjectAltName=" > /tmp/_SAN
|
||||
printf "DNS:%s," "${ALL_VALIDATED[@]}" >> /tmp/_SAN
|
||||
sed -i '$s/,$//' /tmp/_SAN
|
||||
openssl req -new -sha256 -key ${ACME_BASE}/acme/key.pem -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf /tmp/_SAN) > ${ACME_BASE}/acme/acme.csr
|
||||
|
||||
if [[ "${LE_STAGING}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
|
||||
log_f "Using Let's Encrypt staging servers"
|
||||
STAGING_PARAMETER='--directory-url https://acme-staging-v02.api.letsencrypt.org/directory'
|
||||
else
|
||||
STAGING_PARAMETER=
|
||||
log_f "Found orphaned certificate: ${EXISTING_CERT} - archiving it at ${ACME_BASE}/backups/${EXISTING_CERT}/"
|
||||
BACKUP_DIR=${ACME_BASE}/backups/${EXISTING_CERT}/${DATE}
|
||||
# archive rsa cert and any other files
|
||||
mv ${ACME_BASE}/${EXISTING_CERT} ${BACKUP_DIR}
|
||||
CERT_CHANGED=1
|
||||
CERT_AMOUNT_CHANGED=1
|
||||
fi
|
||||
done
|
||||
fi
|
||||
|
||||
# acme-tiny writes info to stderr and ceritifcate to stdout
|
||||
# The redirects will do the following:
|
||||
# - redirect stdout to temp certificate file
|
||||
# - redirect acme-tiny stderr to stdout (logs to variable ACME_RESPONSE)
|
||||
# - tee stderr to get live output and log to dockerd
|
||||
# reload on new or changed certificates
|
||||
if [[ "${CERT_CHANGED}" == "1" ]]; then
|
||||
CERT_AMOUNT_CHANGED=${CERT_AMOUNT_CHANGED} /srv/reload-configurations.sh
|
||||
fi
|
||||
|
||||
ACME_RESPONSE=$(acme-tiny ${STAGING_PARAMETER} \
|
||||
--account-key ${ACME_BASE}/acme/account.pem \
|
||||
--disable-check \
|
||||
--csr ${ACME_BASE}/acme/acme.csr \
|
||||
--acme-dir /var/www/acme/ 2>&1 > /tmp/_cert.pem | tee /dev/fd/5)
|
||||
|
||||
case "$?" in
|
||||
0) # cert requested
|
||||
ACME_RESPONSE_B64=$(echo "${ACME_RESPONSE}" | openssl enc -e -A -base64)
|
||||
log_f "${ACME_RESPONSE_B64}" redis_only b64
|
||||
log_f "Deploying..."
|
||||
# Deploy the new certificate and key
|
||||
# Moving temp cert to acme/cert.pem
|
||||
if verify_hash_match /tmp/_cert.pem ${ACME_BASE}/acme/key.pem; then
|
||||
mv /tmp/_cert.pem ${ACME_BASE}/acme/cert.pem
|
||||
cp ${ACME_BASE}/acme/cert.pem ${ACME_BASE}/cert.pem
|
||||
cp ${ACME_BASE}/acme/key.pem ${ACME_BASE}/key.pem
|
||||
reload_configurations
|
||||
rm /var/www/acme/* 2> /dev/null
|
||||
log_f "Certificate successfully deployed, removing backup, sleeping 1d"
|
||||
case "$CERT_ERRORS" in
|
||||
0) # all successful
|
||||
if [[ "${CERT_CHANGED}" == "1" ]]; then
|
||||
if [[ "${CERT_AMOUNT_CHANGED}" == "1" ]]; then
|
||||
log_f "Certificates successfully requested and renewed where required, sleeping one day"
|
||||
else
|
||||
log_f "Certificates were successfully renewed where required, sleeping for another day."
|
||||
fi
|
||||
else
|
||||
log_f "Certificates were successfully validated, no changes or renewals required, sleeping for another day."
|
||||
fi
|
||||
sleep 1d
|
||||
else
|
||||
log_f "Certificate was successfully requested, but key and certificate have non-matching hashes, ignoring certificate"
|
||||
log_f "Retrying in 30 minutes..."
|
||||
sleep 30m
|
||||
exec $(readlink -f "$0")
|
||||
fi
|
||||
;;
|
||||
*) # non-zero is non-fun
|
||||
ACME_RESPONSE_B64=$(echo "${ACME_RESPONSE}" | openssl enc -e -A -base64)
|
||||
log_f "${ACME_RESPONSE_B64}" redis_only b64
|
||||
log_f "Retrying in 30 minutes..."
|
||||
*) # non-zero
|
||||
log_f "Some errors occurred, retrying in 30 minutes..."
|
||||
redis-cli -h redis SET ACME_FAIL_TIME "$(date +%s)"
|
||||
sleep 30m
|
||||
exec $(readlink -f "$0")
|
||||
|
|
|
@ -0,0 +1,112 @@
|
|||
#!/bin/bash
|
||||
|
||||
log_f() {
|
||||
if [[ ${2} == "no_nl" ]]; then
|
||||
echo -n "$(date) - ${1}"
|
||||
elif [[ ${2} == "no_date" ]]; then
|
||||
echo "${1}"
|
||||
elif [[ ${2} != "redis_only" ]]; then
|
||||
echo "$(date) - ${1}"
|
||||
fi
|
||||
if [[ ${3} == "b64" ]]; then
|
||||
redis-cli -h redis LPUSH ACME_LOG "{\"time\":\"$(date +%s)\",\"message\":\"base64,$(printf '%s' "${1}")\"}" > /dev/null
|
||||
else
|
||||
redis-cli -h redis LPUSH ACME_LOG "{\"time\":\"$(date +%s)\",\"message\":\"$(printf '%s' "${1}" | \
|
||||
tr '%&;$"[]{}-\r\n' ' ')\"}" > /dev/null
|
||||
fi
|
||||
}
|
||||
|
||||
verify_hash_match(){
|
||||
CERT_HASH=$(openssl x509 -in "${1}" -noout -pubkey | openssl md5)
|
||||
KEY_HASH=$(openssl pkey -in "${2}" -pubout | openssl md5)
|
||||
if [[ ${CERT_HASH} != ${KEY_HASH} ]]; then
|
||||
log_f "Certificate and key hashes do not match!"
|
||||
return 1
|
||||
else
|
||||
log_f "Verified hashes."
|
||||
return 0
|
||||
fi
|
||||
}
|
||||
|
||||
get_ipv4(){
|
||||
local IPV4=
|
||||
local IPV4_SRCS=
|
||||
local TRY=
|
||||
IPV4_SRCS[0]="ip4.mailcow.email"
|
||||
IPV4_SRCS[1]="ip4.korves.net"
|
||||
until [[ ! -z ${IPV4} ]] || [[ ${TRY} -ge 10 ]]; do
|
||||
IPV4=$(curl --connect-timeout 3 -m 10 -L4s ${IPV4_SRCS[$RANDOM % ${#IPV4_SRCS[@]} ]} | grep -E "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$")
|
||||
[[ ! -z ${TRY} ]] && sleep 1
|
||||
TRY=$((TRY+1))
|
||||
done
|
||||
echo ${IPV4}
|
||||
}
|
||||
|
||||
get_ipv6(){
|
||||
local IPV6=
|
||||
local IPV6_SRCS=
|
||||
local TRY=
|
||||
IPV6_SRCS[0]="ip6.korves.net"
|
||||
IPV6_SRCS[1]="ip6.mailcow.email"
|
||||
until [[ ! -z ${IPV6} ]] || [[ ${TRY} -ge 10 ]]; do
|
||||
IPV6=$(curl --connect-timeout 3 -m 10 -L6s ${IPV6_SRCS[$RANDOM % ${#IPV6_SRCS[@]} ]} | grep "^\([0-9a-fA-F]\{0,4\}:\)\{1,7\}[0-9a-fA-F]\{0,4\}$")
|
||||
[[ ! -z ${TRY} ]] && sleep 1
|
||||
TRY=$((TRY+1))
|
||||
done
|
||||
echo ${IPV6}
|
||||
}
|
||||
|
||||
check_domain(){
|
||||
DOMAIN=$1
|
||||
A_DOMAIN=$(dig A ${DOMAIN} +short | tail -n 1)
|
||||
AAAA_DOMAIN=$(dig AAAA ${DOMAIN} +short | tail -n 1)
|
||||
# Check if CNAME without v6 enabled target
|
||||
if [[ ! -z ${AAAA_DOMAIN} ]] && [[ -z $(echo ${AAAA_DOMAIN} | grep "^\([0-9a-fA-F]\{0,4\}:\)\{1,7\}[0-9a-fA-F]\{0,4\}$") ]]; then
|
||||
AAAA_DOMAIN=
|
||||
fi
|
||||
if [[ ! -z ${AAAA_DOMAIN} ]]; then
|
||||
log_f "Found AAAA record for ${DOMAIN}: ${AAAA_DOMAIN} - skipping A record check"
|
||||
if [[ $(expand ${IPV6:-"0000:0000:0000:0000:0000:0000:0000:0000"}) == $(expand ${AAAA_DOMAIN}) ]] || [[ ${SKIP_IP_CHECK} == "y" ]]; then
|
||||
if verify_challenge_path "${DOMAIN}" 6; then
|
||||
log_f "Confirmed AAAA record with IP ${AAAA_DOMAIN}"
|
||||
return 0
|
||||
else
|
||||
log_f "Confirmed AAAA record with IP ${AAAA_DOMAIN}, but HTTP validation failed"
|
||||
fi
|
||||
else
|
||||
log_f "Cannot match your IP ${IPV6:-NO_IPV6_LINK} against hostname ${DOMAIN} (DNS returned $(expand ${AAAA_DOMAIN}))"
|
||||
fi
|
||||
elif [[ ! -z ${A_DOMAIN} ]]; then
|
||||
log_f "Found A record for ${DOMAIN}: ${A_DOMAIN}"
|
||||
if [[ ${IPV4:-ERR} == ${A_DOMAIN} ]] || [[ ${SKIP_IP_CHECK} == "y" ]]; then
|
||||
if verify_challenge_path "${DOMAIN}" 4; then
|
||||
log_f "Confirmed A record ${A_DOMAIN}"
|
||||
return 0
|
||||
else
|
||||
log_f "Confirmed A record with IP ${A_DOMAIN}, but HTTP validation failed"
|
||||
fi
|
||||
else
|
||||
log_f "Cannot match your IP ${IPV4} against hostname ${DOMAIN} (DNS returned ${A_DOMAIN})"
|
||||
fi
|
||||
else
|
||||
log_f "No A or AAAA record found for hostname ${DOMAIN}"
|
||||
fi
|
||||
return 1
|
||||
}
|
||||
|
||||
verify_challenge_path(){
|
||||
if [[ ${SKIP_HTTP_VERIFICATION} == "y" ]]; then
|
||||
echo '(skipping check, returning 0)'
|
||||
return 0
|
||||
fi
|
||||
# verify_challenge_path URL 4|6
|
||||
RANDOM_N=${RANDOM}${RANDOM}${RANDOM}
|
||||
echo ${RANDOM_N} > /var/www/acme/${RANDOM_N}
|
||||
if [[ "$(curl --insecure -${2} -L http://${1}/.well-known/acme-challenge/${RANDOM_N} --silent)" == "${RANDOM_N}" ]]; then
|
||||
rm /var/www/acme/${RANDOM_N}
|
||||
return 0
|
||||
else
|
||||
rm /var/www/acme/${RANDOM_N}
|
||||
return 1
|
||||
fi
|
||||
}
|
|
@ -0,0 +1,120 @@
|
|||
#!/bin/bash
|
||||
|
||||
# Return values / exit codes
|
||||
# 0 = cert created successfully
|
||||
# 1 = cert renewed successfully
|
||||
# 2 = cert not due for renewal
|
||||
# * = errors
|
||||
|
||||
|
||||
source /srv/functions.sh
|
||||
|
||||
CERT_DOMAINS=(${DOMAINS[@]})
|
||||
CERT_DOMAIN=${CERT_DOMAINS[0]}
|
||||
ACME_BASE=/var/lib/acme
|
||||
|
||||
TYPE=${1}
|
||||
PREFIX=""
|
||||
# only support rsa certificates for now
|
||||
if [[ "${TYPE}" != "rsa" ]]; then
|
||||
log_f "Unknown certificate type '${TYPE}' requested"
|
||||
exit 5
|
||||
fi
|
||||
DOMAINS_FILE=${ACME_BASE}/${CERT_DOMAIN}/domains
|
||||
CERT=${ACME_BASE}/${CERT_DOMAIN}/${PREFIX}cert.pem
|
||||
SHARED_KEY=${ACME_BASE}/acme/${PREFIX}key.pem # must already exist
|
||||
KEY=${ACME_BASE}/${CERT_DOMAIN}/${PREFIX}key.pem
|
||||
CSR=${ACME_BASE}/${CERT_DOMAIN}/${PREFIX}acme.csr
|
||||
|
||||
if [[ -z ${CERT_DOMAINS[*]} ]]; then
|
||||
log_f "Missing CERT_DOMAINS to obtain a certificate"
|
||||
exit 3
|
||||
fi
|
||||
|
||||
if [[ "${LE_STAGING}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
|
||||
log_f "Using Let's Encrypt staging servers"
|
||||
STAGING_PARAMETER='--directory-url https://acme-staging-v02.api.letsencrypt.org/directory'
|
||||
else
|
||||
STAGING_PARAMETER=
|
||||
fi
|
||||
|
||||
if [[ -f ${DOMAINS_FILE} && "$(cat ${DOMAINS_FILE})" == "${CERT_DOMAINS[*]}" ]]; then
|
||||
if [[ ! -f ${CERT} || ! -f "${KEY}" ]]; then
|
||||
log_f "Certificate ${CERT} doesn't exist yet - start obtaining"
|
||||
# Certificate exists and did not change but could be due for renewal (30 days)
|
||||
elif ! openssl x509 -checkend 2592000 -noout -in ${CERT} > /dev/null; then
|
||||
log_f "Certificate ${CERT} is due for renewal (< 30 days) - start renewing"
|
||||
else
|
||||
log_f "Certificate ${CERT} validation done, neither changed nor due for renewal."
|
||||
exit 2
|
||||
fi
|
||||
else
|
||||
log_f "Certificate ${CERT} missing or changed domains '${CERT_DOMAINS[*]}' - start obtaining"
|
||||
fi
|
||||
|
||||
|
||||
# Make backup
|
||||
if [[ -f ${CERT} ]]; then
|
||||
DATE=$(date +%Y-%m-%d_%H_%M_%S)
|
||||
BACKUP_DIR=${ACME_BASE}/backups/${CERT_DOMAIN}/${PREFIX}${DATE}
|
||||
log_f "Creating backups in ${BACKUP_DIR} ..."
|
||||
mkdir -p ${BACKUP_DIR}/
|
||||
[[ -f ${DOMAINS_FILE} ]] && cp ${DOMAINS_FILE} ${BACKUP_DIR}/
|
||||
[[ -f ${CERT} ]] && cp ${CERT} ${BACKUP_DIR}/
|
||||
[[ -f ${KEY} ]] && cp ${KEY} ${BACKUP_DIR}/
|
||||
[[ -f ${CSR} ]] && cp ${CSR} ${BACKUP_DIR}/
|
||||
fi
|
||||
|
||||
mkdir -p ${ACME_BASE}/${CERT_DOMAIN}
|
||||
if [[ ! -f ${KEY} ]]; then
|
||||
log_f "Copying shared private key for this certificate..."
|
||||
cp ${SHARED_KEY} ${KEY}
|
||||
chmod 600 ${KEY}
|
||||
fi
|
||||
|
||||
# Generating CSR
|
||||
printf "[SAN]\nsubjectAltName=" > /tmp/_SAN
|
||||
printf "DNS:%s," "${CERT_DOMAINS[@]}" >> /tmp/_SAN
|
||||
sed -i '$s/,$//' /tmp/_SAN
|
||||
openssl req -new -sha256 -key ${KEY} -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf /tmp/_SAN) > ${CSR}
|
||||
|
||||
# acme-tiny writes info to stderr and ceritifcate to stdout
|
||||
# The redirects will do the following:
|
||||
# - redirect stdout to temp certificate file
|
||||
# - redirect acme-tiny stderr to stdout (logs to variable ACME_RESPONSE)
|
||||
# - tee stderr to get live output and log to dockerd
|
||||
|
||||
ACME_RESPONSE=$(acme-tiny ${STAGING_PARAMETER} \
|
||||
--account-key ${ACME_BASE}/acme/account.pem \
|
||||
--disable-check \
|
||||
--csr ${CSR} \
|
||||
--acme-dir /var/www/acme/ 2>&1 > /tmp/_cert.pem | tee /dev/fd/5; exit ${PIPESTATUS[0]})
|
||||
SUCCESS="$?"
|
||||
ACME_RESPONSE_B64=$(echo "${ACME_RESPONSE}" | openssl enc -e -A -base64)
|
||||
log_f "${ACME_RESPONSE_B64}" redis_only b64
|
||||
case "$SUCCESS" in
|
||||
0) # cert requested
|
||||
log_f "Deploying certificate ${CERT}..."
|
||||
# Deploy the new certificate and key
|
||||
# Moving temp cert to {domain} folder
|
||||
if verify_hash_match /tmp/_cert.pem ${KEY}; then
|
||||
RETURN=0 # certificate created
|
||||
if [[ -f ${CERT} ]]; then
|
||||
RETURN=1 # certificate renewed
|
||||
fi
|
||||
mv -f /tmp/_cert.pem ${CERT}
|
||||
echo -n ${CERT_DOMAINS[*]} > ${DOMAINS_FILE}
|
||||
rm /var/www/acme/* 2> /dev/null
|
||||
log_f "Certificate successfully obtained"
|
||||
exit ${RETURN}
|
||||
else
|
||||
log_f "Certificate was successfully requested, but key and certificate have non-matching hashes, ignoring certificate"
|
||||
exit 4
|
||||
fi
|
||||
;;
|
||||
*) # non-zero is non-fun
|
||||
log_f "Failed to obtain certificate ${CERT} for domains '${CERT_DOMAINS[*]}'"
|
||||
redis-cli -h redis SET ACME_FAIL_TIME "$(date +%s)"
|
||||
exit 100${SUCCESS}
|
||||
;;
|
||||
esac
|
|
@ -0,0 +1,43 @@
|
|||
#!/bin/bash
|
||||
|
||||
# Reading container IDs
|
||||
# Wrapping as array to ensure trimmed content when calling $NGINX etc.
|
||||
NGINX=($(curl --silent --insecure https://dockerapi/containers/json | jq -r '.[] | {name: .Config.Labels["com.docker.compose.service"], id: .Id}' | jq -rc 'select( .name | tostring | contains("nginx-mailcow")) | .id' | tr "\n" " "))
|
||||
DOVECOT=($(curl --silent --insecure https://dockerapi/containers/json | jq -r '.[] | {name: .Config.Labels["com.docker.compose.service"], id: .Id}' | jq -rc 'select( .name | tostring | contains("dovecot-mailcow")) | .id' | tr "\n" " "))
|
||||
POSTFIX=($(curl --silent --insecure https://dockerapi/containers/json | jq -r '.[] | {name: .Config.Labels["com.docker.compose.service"], id: .Id}' | jq -rc 'select( .name | tostring | contains("postfix-mailcow")) | .id' | tr "\n" " "))
|
||||
|
||||
reload_nginx(){
|
||||
echo "Reloading Nginx..."
|
||||
NGINX_RELOAD_RET=$(curl -X POST --insecure https://dockerapi/containers/${NGINX}/exec -d '{"cmd":"reload", "task":"nginx"}' --silent -H 'Content-type: application/json' | jq -r .type)
|
||||
[[ ${NGINX_RELOAD_RET} != 'success' ]] && { echo "Could not reload Nginx, restarting container..."; restart_container ${NGINX} ; }
|
||||
}
|
||||
|
||||
reload_dovecot(){
|
||||
echo "Reloading Dovecot..."
|
||||
DOVECOT_RELOAD_RET=$(curl -X POST --insecure https://dockerapi/containers/${DOVECOT}/exec -d '{"cmd":"reload", "task":"dovecot"}' --silent -H 'Content-type: application/json' | jq -r .type)
|
||||
[[ ${DOVECOT_RELOAD_RET} != 'success' ]] && { echo "Could not reload Dovecot, restarting container..."; restart_container ${DOVECOT} ; }
|
||||
}
|
||||
|
||||
reload_postfix(){
|
||||
echo "Reloading Postfix..."
|
||||
POSTFIX_RELOAD_RET=$(curl -X POST --insecure https://dockerapi/containers/${POSTFIX}/exec -d '{"cmd":"reload", "task":"postfix"}' --silent -H 'Content-type: application/json' | jq -r .type)
|
||||
[[ ${POSTFIX_RELOAD_RET} != 'success' ]] && { echo "Could not reload Postfix, restarting container..."; restart_container ${POSTFIX} ; }
|
||||
}
|
||||
|
||||
restart_container(){
|
||||
for container in $*; do
|
||||
echo "Restarting ${container}..."
|
||||
C_REST_OUT=$(curl -X POST --insecure https://dockerapi/containers/${container}/restart --silent | jq -r '.msg')
|
||||
echo "${C_REST_OUT}"
|
||||
done
|
||||
}
|
||||
|
||||
if [[ "${CERT_AMOUNT_CHANGED}" == "1" ]]; then
|
||||
restart_container ${NGINX}
|
||||
restart_container ${DOVECOT}
|
||||
restart_container ${POSTFIX}
|
||||
else
|
||||
reload_nginx
|
||||
reload_dovecot
|
||||
reload_postfix
|
||||
fi
|
|
@ -142,6 +142,20 @@ if [[ $(stat -c %U /var/attachments) != "vmail" ]] ; then chown -R vmail:vmail /
|
|||
# Cleanup random user maildirs
|
||||
rm -rf /var/vmail/mailcow.local/*
|
||||
|
||||
# create sni configuration
|
||||
echo "" > /etc/dovecot/sni.conf
|
||||
for cert_dir in /etc/ssl/mail/*/ ; do
|
||||
if [[ ! -f ${cert_dir}domains ]] || [[ ! -f ${cert_dir}cert.pem ]] || [[ ! -f ${cert_dir}key.pem ]]; then
|
||||
continue
|
||||
fi
|
||||
domains=($(cat ${cert_dir}domains))
|
||||
for domain in ${domains[@]}; do
|
||||
echo 'local_name '${domain}' {' >> /etc/dovecot/sni.conf;
|
||||
echo ' ssl_cert = <'${cert_dir}'cert.pem' >> /etc/dovecot/sni.conf;
|
||||
echo ' ssl_key = <'${cert_dir}'key.pem' >> /etc/dovecot/sni.conf;
|
||||
echo '}' >> /etc/dovecot/sni.conf;
|
||||
done
|
||||
done
|
||||
|
||||
# Create random master for SOGo sieve features
|
||||
RAND_USER=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 16 | head -n 1)
|
||||
|
|
|
@ -19,6 +19,20 @@ spam: "|/usr/local/bin/rspamd-pipe-spam"
|
|||
EOF
|
||||
newaliases;
|
||||
|
||||
# create sni configuration
|
||||
echo -n "" > /opt/postfix/conf/sni.map;
|
||||
for cert_dir in /etc/ssl/mail/*/ ; do
|
||||
if [[ ! -f ${cert_dir}domains ]] || [[ ! -f ${cert_dir}cert.pem ]] || [[ ! -f ${cert_dir}key.pem ]]; then
|
||||
continue;
|
||||
fi
|
||||
IFS=" " read -r -a domains <<< "$(cat "${cert_dir}domains")"
|
||||
for domain in "${domains[@]}"; do
|
||||
echo -n "${domain} ${cert_dir}key.pem ${cert_dir}cert.pem" >> /opt/postfix/conf/sni.map;
|
||||
echo "" >> /opt/postfix/conf/sni.map;
|
||||
done
|
||||
done
|
||||
postmap -F hash:/opt/postfix/conf/sni.map;
|
||||
|
||||
cat <<EOF > /opt/postfix/conf/sql/mysql_relay_recipient_maps.cf
|
||||
# Autogenerated by mailcow
|
||||
user = ${DBUSER}
|
||||
|
|
|
@ -272,6 +272,7 @@ service lmtp {
|
|||
listen = *,[::]
|
||||
ssl_cert = </etc/ssl/mail/cert.pem
|
||||
ssl_key = </etc/ssl/mail/key.pem
|
||||
!include_try /etc/dovecot/sni.conf
|
||||
userdb {
|
||||
driver = passwd-file
|
||||
args = /etc/dovecot/dovecot-master.userdb
|
||||
|
|
|
@ -0,0 +1,207 @@
|
|||
|
||||
include /etc/nginx/mime.types;
|
||||
charset utf-8;
|
||||
override_charset on;
|
||||
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_session_cache shared:SSL:50m;
|
||||
ssl_session_timeout 1d;
|
||||
ssl_session_tickets off;
|
||||
|
||||
add_header Strict-Transport-Security "max-age=15768000;";
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
add_header X-XSS-Protection "1; mode=block";
|
||||
add_header X-Robots-Tag none;
|
||||
add_header X-Download-Options noopen;
|
||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||
add_header X-Permitted-Cross-Domain-Policies none;
|
||||
add_header Referrer-Policy strict-origin;
|
||||
|
||||
index index.php index.html;
|
||||
|
||||
client_max_body_size 0;
|
||||
|
||||
gzip on;
|
||||
gzip_disable "msie6";
|
||||
|
||||
gzip_vary on;
|
||||
gzip_proxied off;
|
||||
gzip_comp_level 6;
|
||||
gzip_buffers 16 8k;
|
||||
gzip_http_version 1.1;
|
||||
gzip_min_length 256;
|
||||
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/vnd.ms-fontobject application/x-font-ttf font/opentype image/svg+xml image/x-icon;
|
||||
|
||||
location ~ ^/(fonts|js|css|img)/ {
|
||||
expires max;
|
||||
add_header Cache-Control public;
|
||||
}
|
||||
|
||||
error_log /var/log/nginx/error.log;
|
||||
access_log /var/log/nginx/access.log;
|
||||
absolute_redirect off;
|
||||
root /web;
|
||||
|
||||
location / {
|
||||
try_files $uri $uri/ @strip-ext;
|
||||
}
|
||||
|
||||
location /qhandler {
|
||||
rewrite ^/qhandler/(.*)/(.*) /qhandler.php?action=$1&hash=$2;
|
||||
}
|
||||
|
||||
location /edit {
|
||||
rewrite ^/edit/(.*)/(.*) /edit.php?$1=$2;
|
||||
}
|
||||
|
||||
location @strip-ext {
|
||||
rewrite ^(.*)$ $1.php last;
|
||||
}
|
||||
|
||||
location /api {
|
||||
try_files /_apidocs.html =404;
|
||||
}
|
||||
|
||||
location ~ ^/api/v1/(.*)$ {
|
||||
try_files $uri $uri/ /json_api.php?query=$1;
|
||||
}
|
||||
|
||||
location ^~ /.well-known/acme-challenge/ {
|
||||
allow all;
|
||||
default_type "text/plain";
|
||||
}
|
||||
|
||||
# If behind reverse proxy, forwards the correct IP
|
||||
set_real_ip_from 10.0.0.0/8;
|
||||
set_real_ip_from 172.16.0.0/12;
|
||||
set_real_ip_from 192.168.0.0/16;
|
||||
set_real_ip_from fc00::/7;
|
||||
real_ip_header X-Forwarded-For;
|
||||
real_ip_recursive on;
|
||||
|
||||
rewrite ^/.well-known/caldav$ /SOGo/dav/ permanent;
|
||||
rewrite ^/.well-known/carddav$ /SOGo/dav/ permanent;
|
||||
|
||||
location ^~ /principals {
|
||||
return 301 /SOGo/dav;
|
||||
}
|
||||
|
||||
location ~ \.php$ {
|
||||
try_files $uri =404;
|
||||
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
||||
fastcgi_pass phpfpm:9002;
|
||||
fastcgi_index index.php;
|
||||
include /etc/nginx/fastcgi_params;
|
||||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||
fastcgi_param PATH_INFO $fastcgi_path_info;
|
||||
fastcgi_read_timeout 1200;
|
||||
}
|
||||
|
||||
location /rspamd/ {
|
||||
location /rspamd/auth {
|
||||
# proxy_pass is not inherited
|
||||
proxy_pass http://rspamd:11334/auth;
|
||||
proxy_intercept_errors on;
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_redirect off;
|
||||
error_page 403 /_rspamderror.php;
|
||||
}
|
||||
proxy_pass http://rspamd:11334/;
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_redirect off;
|
||||
}
|
||||
|
||||
location ~* ^/Autodiscover/Autodiscover.xml {
|
||||
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
||||
fastcgi_pass phpfpm:9002;
|
||||
include /etc/nginx/fastcgi_params;
|
||||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||
try_files /autodiscover.php =404;
|
||||
}
|
||||
|
||||
location ~* ^/Autodiscover/Autodiscover.json {
|
||||
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
||||
fastcgi_pass phpfpm:9002;
|
||||
include /etc/nginx/fastcgi_params;
|
||||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||
try_files /autodiscover-json.php =404;
|
||||
}
|
||||
|
||||
location ~ /(?:m|M)ail/(?:c|C)onfig-v1.1.xml {
|
||||
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
||||
fastcgi_pass phpfpm:9002;
|
||||
include /etc/nginx/fastcgi_params;
|
||||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||
try_files /autoconfig.php =404;
|
||||
}
|
||||
|
||||
# auth_request endpoint if ALLOW_ADMIN_EMAIL_LOGIN is set
|
||||
location /sogo-auth-verify {
|
||||
internal;
|
||||
proxy_set_header X-Original-URI $request_uri;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header Content-Length "";
|
||||
proxy_pass http://127.0.0.1:65510/sogo-auth;
|
||||
proxy_pass_request_body off;
|
||||
}
|
||||
|
||||
location ^~ /Microsoft-Server-ActiveSync {
|
||||
include /etc/nginx/conf.d/sogo_proxy_auth.active;
|
||||
include /etc/nginx/conf.d/sogo_eas.active;
|
||||
proxy_connect_timeout 75;
|
||||
proxy_send_timeout 3600;
|
||||
proxy_read_timeout 3600;
|
||||
proxy_buffers 64 256k;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header Host $http_host;
|
||||
client_body_buffer_size 512k;
|
||||
client_max_body_size 0;
|
||||
}
|
||||
|
||||
location ^~ /SOGo {
|
||||
include /etc/nginx/conf.d/sogo_proxy_auth.active;
|
||||
include /etc/nginx/conf.d/sogo.active;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header x-webobjects-server-protocol HTTP/1.0;
|
||||
proxy_set_header x-webobjects-remote-host $remote_addr;
|
||||
proxy_set_header x-webobjects-server-name $server_name;
|
||||
proxy_set_header x-webobjects-server-url $client_req_scheme://$http_host;
|
||||
proxy_set_header x-webobjects-server-port $server_port;
|
||||
client_body_buffer_size 128k;
|
||||
client_max_body_size 0;
|
||||
break;
|
||||
}
|
||||
|
||||
location /SOGo.woa/WebServerResources/ {
|
||||
alias /usr/lib/GNUstep/SOGo/WebServerResources/;
|
||||
}
|
||||
|
||||
location /.woa/WebServerResources/ {
|
||||
alias /usr/lib/GNUstep/SOGo/WebServerResources/;
|
||||
}
|
||||
|
||||
location /SOGo/WebServerResources/ {
|
||||
alias /usr/lib/GNUstep/SOGo/WebServerResources/;
|
||||
}
|
||||
|
||||
location (^/SOGo/so/ControlPanel/Products/[^/]*UI/Resources/.*\.(jpg|png|gif|css|js)$) {
|
||||
alias /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2;
|
||||
}
|
||||
|
||||
include /etc/nginx/conf.d/site.*.custom;
|
||||
|
||||
error_page 502 @awaitingupstream;
|
||||
|
||||
location @awaitingupstream {
|
||||
rewrite ^(.*)$ /_status.502.html break;
|
||||
}
|
|
@ -7,218 +7,4 @@ map $http_x_forwarded_proto $client_req_scheme {
|
|||
https https;
|
||||
}
|
||||
|
||||
server {
|
||||
include /etc/nginx/mime.types;
|
||||
charset utf-8;
|
||||
override_charset on;
|
||||
|
||||
ssl_certificate /etc/ssl/mail/cert.pem;
|
||||
ssl_certificate_key /etc/ssl/mail/key.pem;
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_session_cache shared:SSL:50m;
|
||||
ssl_session_timeout 1d;
|
||||
ssl_session_tickets off;
|
||||
|
||||
add_header Strict-Transport-Security "max-age=15768000;";
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
add_header X-XSS-Protection "1; mode=block";
|
||||
add_header X-Robots-Tag none;
|
||||
add_header X-Download-Options noopen;
|
||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||
add_header X-Permitted-Cross-Domain-Policies none;
|
||||
add_header Referrer-Policy strict-origin;
|
||||
|
||||
index index.php index.html;
|
||||
|
||||
client_max_body_size 0;
|
||||
|
||||
listen 127.0.0.1:65510;
|
||||
include /etc/nginx/conf.d/listen_plain.active;
|
||||
include /etc/nginx/conf.d/listen_ssl.active;
|
||||
include /etc/nginx/conf.d/server_name.active;
|
||||
|
||||
gzip on;
|
||||
gzip_disable "msie6";
|
||||
|
||||
gzip_vary on;
|
||||
gzip_proxied off;
|
||||
gzip_comp_level 6;
|
||||
gzip_buffers 16 8k;
|
||||
gzip_http_version 1.1;
|
||||
gzip_min_length 256;
|
||||
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/vnd.ms-fontobject application/x-font-ttf font/opentype image/svg+xml image/x-icon;
|
||||
|
||||
location ~ ^/(fonts|js|css|img)/ {
|
||||
expires max;
|
||||
add_header Cache-Control public;
|
||||
}
|
||||
|
||||
error_log /var/log/nginx/error.log;
|
||||
access_log /var/log/nginx/access.log;
|
||||
absolute_redirect off;
|
||||
root /web;
|
||||
|
||||
location / {
|
||||
try_files $uri $uri/ @strip-ext;
|
||||
}
|
||||
|
||||
location /qhandler {
|
||||
rewrite ^/qhandler/(.*)/(.*) /qhandler.php?action=$1&hash=$2;
|
||||
}
|
||||
|
||||
location /edit {
|
||||
rewrite ^/edit/(.*)/(.*) /edit.php?$1=$2;
|
||||
}
|
||||
|
||||
location @strip-ext {
|
||||
rewrite ^(.*)$ $1.php last;
|
||||
}
|
||||
|
||||
location /api {
|
||||
try_files /_apidocs.html =404;
|
||||
}
|
||||
|
||||
location ~ ^/api/v1/(.*)$ {
|
||||
try_files $uri $uri/ /json_api.php?query=$1;
|
||||
}
|
||||
|
||||
location ^~ /.well-known/acme-challenge/ {
|
||||
allow all;
|
||||
default_type "text/plain";
|
||||
}
|
||||
|
||||
# If behind reverse proxy, forwards the correct IP
|
||||
set_real_ip_from 10.0.0.0/8;
|
||||
set_real_ip_from 172.16.0.0/12;
|
||||
set_real_ip_from 192.168.0.0/16;
|
||||
set_real_ip_from fc00::/7;
|
||||
real_ip_header X-Forwarded-For;
|
||||
real_ip_recursive on;
|
||||
|
||||
rewrite ^/.well-known/caldav$ /SOGo/dav/ permanent;
|
||||
rewrite ^/.well-known/carddav$ /SOGo/dav/ permanent;
|
||||
|
||||
location ^~ /principals {
|
||||
return 301 /SOGo/dav;
|
||||
}
|
||||
|
||||
location ~ \.php$ {
|
||||
try_files $uri =404;
|
||||
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
||||
fastcgi_pass phpfpm:9002;
|
||||
fastcgi_index index.php;
|
||||
include /etc/nginx/fastcgi_params;
|
||||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||
fastcgi_param PATH_INFO $fastcgi_path_info;
|
||||
fastcgi_read_timeout 1200;
|
||||
}
|
||||
|
||||
location /rspamd/ {
|
||||
location /rspamd/auth {
|
||||
# proxy_pass is not inherited
|
||||
proxy_pass http://rspamd:11334/auth;
|
||||
proxy_intercept_errors on;
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_redirect off;
|
||||
error_page 403 /_rspamderror.php;
|
||||
}
|
||||
proxy_pass http://rspamd:11334/;
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_redirect off;
|
||||
}
|
||||
|
||||
location ~* ^/Autodiscover/Autodiscover.xml {
|
||||
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
||||
fastcgi_pass phpfpm:9002;
|
||||
include /etc/nginx/fastcgi_params;
|
||||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||
try_files /autodiscover.php =404;
|
||||
}
|
||||
|
||||
location ~* ^/Autodiscover/Autodiscover.json {
|
||||
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
||||
fastcgi_pass phpfpm:9002;
|
||||
include /etc/nginx/fastcgi_params;
|
||||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||
try_files /autodiscover-json.php =404;
|
||||
}
|
||||
|
||||
location ~ /(?:m|M)ail/(?:c|C)onfig-v1.1.xml {
|
||||
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
||||
fastcgi_pass phpfpm:9002;
|
||||
include /etc/nginx/fastcgi_params;
|
||||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||
try_files /autoconfig.php =404;
|
||||
}
|
||||
|
||||
# auth_request endpoint if ALLOW_ADMIN_EMAIL_LOGIN is set
|
||||
location /sogo-auth-verify {
|
||||
internal;
|
||||
proxy_set_header X-Original-URI $request_uri;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header Content-Length "";
|
||||
proxy_pass http://127.0.0.1:65510/sogo-auth;
|
||||
proxy_pass_request_body off;
|
||||
}
|
||||
|
||||
location ^~ /Microsoft-Server-ActiveSync {
|
||||
include /etc/nginx/conf.d/sogo_proxy_auth.active;
|
||||
include /etc/nginx/conf.d/sogo_eas.active;
|
||||
proxy_connect_timeout 75;
|
||||
proxy_send_timeout 3600;
|
||||
proxy_read_timeout 3600;
|
||||
proxy_buffers 64 256k;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header Host $http_host;
|
||||
client_body_buffer_size 512k;
|
||||
client_max_body_size 0;
|
||||
}
|
||||
|
||||
location ^~ /SOGo {
|
||||
include /etc/nginx/conf.d/sogo_proxy_auth.active;
|
||||
include /etc/nginx/conf.d/sogo.active;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header x-webobjects-server-protocol HTTP/1.0;
|
||||
proxy_set_header x-webobjects-remote-host $remote_addr;
|
||||
proxy_set_header x-webobjects-server-name $server_name;
|
||||
proxy_set_header x-webobjects-server-url $client_req_scheme://$http_host;
|
||||
proxy_set_header x-webobjects-server-port $server_port;
|
||||
client_body_buffer_size 128k;
|
||||
client_max_body_size 0;
|
||||
break;
|
||||
}
|
||||
|
||||
location /SOGo.woa/WebServerResources/ {
|
||||
alias /usr/lib/GNUstep/SOGo/WebServerResources/;
|
||||
}
|
||||
|
||||
location /.woa/WebServerResources/ {
|
||||
alias /usr/lib/GNUstep/SOGo/WebServerResources/;
|
||||
}
|
||||
|
||||
location /SOGo/WebServerResources/ {
|
||||
alias /usr/lib/GNUstep/SOGo/WebServerResources/;
|
||||
}
|
||||
|
||||
location (^/SOGo/so/ControlPanel/Products/[^/]*UI/Resources/.*\.(jpg|png|gif|css|js)$) {
|
||||
alias /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2;
|
||||
}
|
||||
|
||||
include /etc/nginx/conf.d/site.*.custom;
|
||||
|
||||
error_page 502 @awaitingupstream;
|
||||
|
||||
location @awaitingupstream {
|
||||
rewrite ^(.*)$ /_status.502.html break;
|
||||
}
|
||||
}
|
||||
include /etc/nginx/conf.d/sites.active;
|
||||
|
|
|
@ -1,2 +0,0 @@
|
|||
listen ${HTTP_PORT};
|
||||
listen [::]:${HTTP_PORT};
|
|
@ -1,2 +0,0 @@
|
|||
listen ${HTTPS_PORT} ssl http2;
|
||||
listen [::]:${HTTPS_PORT} ssl http2;
|
|
@ -1 +0,0 @@
|
|||
server_name ${MAILCOW_HOSTNAME} autodiscover.* autoconfig.*;
|
|
@ -0,0 +1,40 @@
|
|||
echo '
|
||||
server {
|
||||
listen 127.0.0.1:65510;
|
||||
listen '${HTTP_PORT}' default_server;
|
||||
listen [::]:'${HTTP_PORT}' default_server;
|
||||
listen '${HTTPS_PORT}' ssl http2 default_server;
|
||||
listen [::]:'${HTTPS_PORT}' ssl http2 default_server;
|
||||
|
||||
ssl_certificate /etc/ssl/mail/cert.pem;
|
||||
ssl_certificate_key /etc/ssl/mail/key.pem;
|
||||
|
||||
server_name '${MAILCOW_HOSTNAME}' autodiscover.* autoconfig.*;
|
||||
|
||||
include /etc/nginx/conf.d/includes/site-defaults.conf;
|
||||
}
|
||||
';
|
||||
for cert_dir in /etc/ssl/mail/*/ ; do
|
||||
if [[ ! -f ${cert_dir}domains ]] || [[ ! -f ${cert_dir}cert.pem ]] || [[ ! -f ${cert_dir}key.pem ]]; then
|
||||
continue
|
||||
fi
|
||||
# remove hostname to not cause nginx warnings (hostname is covered in default server listen)
|
||||
domains="$(cat ${cert_dir}domains | sed -e "s/\(^\| \)\($(echo ${MAILCOW_HOSTNAME} | sed 's/\./\\./g')\)\( \|$\)/ /g" | sed -e 's/^[[:space:]]*//')"
|
||||
if [[ "${domains}" == "" ]]; then
|
||||
continue
|
||||
fi
|
||||
echo -n '
|
||||
server {
|
||||
listen '${HTTPS_PORT}' ssl http2;
|
||||
listen [::]:'${HTTPS_PORT}' ssl http2;
|
||||
|
||||
ssl_certificate '${cert_dir}'cert.pem;
|
||||
ssl_certificate_key '${cert_dir}'key.pem;
|
||||
';
|
||||
echo -n '
|
||||
server_name '${domains}';
|
||||
|
||||
include /etc/nginx/conf.d/includes/site-defaults.conf;
|
||||
}
|
||||
';
|
||||
done
|
|
@ -5,6 +5,7 @@ biff = no
|
|||
append_dot_mydomain = no
|
||||
smtpd_tls_cert_file = /etc/ssl/mail/cert.pem
|
||||
smtpd_tls_key_file = /etc/ssl/mail/key.pem
|
||||
tls_server_sni_maps = hash:/opt/postfix/conf/sni.map
|
||||
smtpd_use_tls=yes
|
||||
smtpd_tls_received_header = yes
|
||||
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
|
||||
|
|
|
@ -275,12 +275,10 @@ services:
|
|||
image: nginx:mainline-alpine
|
||||
dns:
|
||||
- ${IPV4_NETWORK:-172.22.1}.254
|
||||
command: /bin/sh -c "envsubst < /etc/nginx/conf.d/templates/listen_plain.template > /etc/nginx/conf.d/listen_plain.active &&
|
||||
envsubst < /etc/nginx/conf.d/templates/listen_ssl.template > /etc/nginx/conf.d/listen_ssl.active &&
|
||||
envsubst < /etc/nginx/conf.d/templates/server_name.template > /etc/nginx/conf.d/server_name.active &&
|
||||
envsubst < /etc/nginx/conf.d/templates/sogo.template > /etc/nginx/conf.d/sogo.active &&
|
||||
command: /bin/sh -c "envsubst < /etc/nginx/conf.d/templates/sogo.template > /etc/nginx/conf.d/sogo.active &&
|
||||
envsubst < /etc/nginx/conf.d/templates/sogo_eas.template > /etc/nginx/conf.d/sogo_eas.active &&
|
||||
. /etc/nginx/conf.d/templates/sogo.auth_request.template.sh > /etc/nginx/conf.d/sogo_proxy_auth.active &&
|
||||
. /etc/nginx/conf.d/templates/sites.template.sh > /etc/nginx/conf.d/sites.active &&
|
||||
nginx -qt &&
|
||||
until ping phpfpm -c1 > /dev/null; do sleep 1; done &&
|
||||
until ping sogo -c1 > /dev/null; do sleep 1; done &&
|
||||
|
@ -325,6 +323,7 @@ services:
|
|||
- DBUSER=${DBUSER}
|
||||
- DBPASS=${DBPASS}
|
||||
- SKIP_LETS_ENCRYPT=${SKIP_LETS_ENCRYPT:-n}
|
||||
- ENABLE_SSL_SNI=${ENABLE_SSL_SNI:-n}
|
||||
- SKIP_IP_CHECK=${SKIP_IP_CHECK:-n}
|
||||
- SKIP_HTTP_VERIFICATION=${SKIP_HTTP_VERIFICATION:-n}
|
||||
- ONLY_MAILCOW_HOSTNAME=${ONLY_MAILCOW_HOSTNAME:-n}
|
||||
|
|
|
@ -191,6 +191,11 @@ ADDITIONAL_SAN=
|
|||
|
||||
SKIP_LETS_ENCRYPT=n
|
||||
|
||||
# Create seperate certificates for all domains - y/n
|
||||
# this will allow adding more than 100 domains, but some email clients will not be able to connect with alternative hostnames
|
||||
# see https://wiki.dovecot.org/SSL/SNIClientSupport
|
||||
ENABLE_SSL_SNI=n
|
||||
|
||||
# Skip IPv4 check in ACME container - y/n
|
||||
|
||||
SKIP_IP_CHECK=n
|
||||
|
@ -269,4 +274,4 @@ mkdir -p data/assets/ssl
|
|||
chmod 600 mailcow.conf
|
||||
|
||||
# copy but don't overwrite existing certificate
|
||||
cp -n data/assets/ssl-example/*.pem data/assets/ssl/
|
||||
cp -n -d data/assets/ssl-example/*.pem data/assets/ssl/
|
||||
|
|
11
update.sh
11
update.sh
|
@ -168,6 +168,7 @@ CONFIG_ARRAY=(
|
|||
"ACL_ANYONE"
|
||||
"SOLR_HEAP"
|
||||
"SKIP_SOLR"
|
||||
"ENABLE_SSL_SNI"
|
||||
"ALLOW_ADMIN_EMAIL_LOGIN"
|
||||
"SKIP_HTTP_VERIFICATION"
|
||||
"SOGO_EXPIRE_SESSION"
|
||||
|
@ -276,6 +277,14 @@ for option in ${CONFIG_ARRAY[@]}; do
|
|||
echo '# Disable Solr or if you do not want to store a readable index of your mails in solr-vol-1.' >> mailcow.conf
|
||||
echo "SKIP_SOLR=y" >> mailcow.conf
|
||||
fi
|
||||
elif [[ ${option} == "ENABLE_SSL_SNI" ]]; then
|
||||
if ! grep -q ${option} mailcow.conf; then
|
||||
echo "Adding new option \"${option}\" to mailcow.conf"
|
||||
echo '# Create seperate certificates for all domains - y/n' >> mailcow.conf
|
||||
echo '# this will allow adding more than 100 domains, but some email clients will not be able to connect with alternative hostnames' >> mailcow.conf
|
||||
echo '# see https://wiki.dovecot.org/SSL/SNIClientSupport' >> mailcow.conf
|
||||
echo "ENABLE_SSL_SNI=n" >> mailcow.conf
|
||||
fi
|
||||
elif [[ ${option} == "MAILDIR_SUB" ]]; then
|
||||
if ! grep -q ${option} mailcow.conf; then
|
||||
echo "Adding new option \"${option}\" to mailcow.conf"
|
||||
|
@ -407,7 +416,7 @@ docker-compose pull
|
|||
|
||||
# Fix missing SSL, does not overwrite existing files
|
||||
[[ ! -d data/assets/ssl ]] && mkdir -p data/assets/ssl
|
||||
cp -n data/assets/ssl-example/*.pem data/assets/ssl/
|
||||
cp -n -d data/assets/ssl-example/*.pem data/assets/ssl/
|
||||
|
||||
echo -e "Checking IPv6 settings... "
|
||||
if grep -q 'SYSCTL_IPV6_DISABLED=1' mailcow.conf; then
|
||||
|
|
Loading…
Reference in New Issue