paxton
/
mailcow
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

- More checks for acme-mailcow (verify hashes) 

- Autodiscover configuration file: Merge array from vars.local.inc.php
- Push acme-mailcow to 1.6
master
andryyy 2017-06-28 23:22:51 +02:00
parent 234baf1cb9
commit 6d8438c01c
4 changed files with 83 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

65
data/Dockerfiles/acme/docker-entrypoint.sh
View File

@ -12,6 +12,18 @@ restart_containers(){
done done
} }
verify_hash_match(){
CERT_HASH=$(openssl x509 -noout -modulus -in "${1}" | openssl md5)
KEY_HASH=$(openssl rsa -noout -modulus -in "${2}" | openssl md5)
if [[ ${CERT_HASH} != ${KEY_HASH} ]]; then
echo "Certificate and key hashes do not match!"
return 1
else
echo "Verified hashes."
return 0
fi
}
if [[ -f ${ACME_BASE}/cert.pem ]]; then if [[ -f ${ACME_BASE}/cert.pem ]]; then
ISSUER=$(openssl x509 -in ${ACME_BASE}/cert.pem -noout -issuer) ISSUER=$(openssl x509 -in ${ACME_BASE}/cert.pem -noout -issuer)
if [[ ${ISSUER} != *"Let's Encrypt"* && ${ISSUER} != *"mailcow"* ]]; then if [[ ${ISSUER} != *"Let's Encrypt"* && ${ISSUER} != *"mailcow"* ]]; then
@ -28,8 +40,10 @@ if [[ -f ${ACME_BASE}/cert.pem ]]; then
else else
ISSUER="mailcow" ISSUER="mailcow"
if [[ -f ${ACME_BASE}/acme/fullchain.pem ]] && [[ -f ${ACME_BASE}/acme/private/privkey.pem ]]; then if [[ -f ${ACME_BASE}/acme/fullchain.pem ]] && [[ -f ${ACME_BASE}/acme/private/privkey.pem ]]; then
cp ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem if verify_hash_match ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/acme/private/privkey.pem; then
cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/key.pem cp ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem
cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/key.pem
fi
else else
cp ${SSL_EXAMPLE}/cert.pem ${ACME_BASE}/cert.pem cp ${SSL_EXAMPLE}/cert.pem ${ACME_BASE}/cert.pem
cp ${SSL_EXAMPLE}/key.pem ${ACME_BASE}/key.pem cp ${SSL_EXAMPLE}/key.pem ${ACME_BASE}/key.pem
@ -44,7 +58,7 @@ while true; do
exit 0 exit 0
fi fi
declare -a SQL_DOMAIN_ARR declare -a SQL_DOMAIN_ARR
declare -a VALIDATED_CONFIG_DOMAINS declare -a VALIDATED_CONFIG_DOMAINS
declare -a ADDITIONAL_VALIDATED_SAN declare -a ADDITIONAL_VALIDATED_SAN
IFS=',' read -r -a ADDITIONAL_SAN_ARR <<< "${ADDITIONAL_SAN}" IFS=',' read -r -a ADDITIONAL_SAN_ARR <<< "${ADDITIONAL_SAN}"
IPV4=$(curl -4s https://mailcow.email/ip.php) IPV4=$(curl -4s https://mailcow.email/ip.php)
@ -61,7 +75,7 @@ while true; do
echo "Confirmed A record autoconfig.${SQL_DOMAIN}" echo "Confirmed A record autoconfig.${SQL_DOMAIN}"
VALIDATED_CONFIG_DOMAINS+=("autoconfig.${SQL_DOMAIN}") VALIDATED_CONFIG_DOMAINS+=("autoconfig.${SQL_DOMAIN}")
else else
echo "Cannot match Your IP against hostname autoconfig.${SQL_DOMAIN}" echo "Cannot match your IP against hostname autoconfig.${SQL_DOMAIN}"
fi fi
else else
echo "No A record for autoconfig.${SQL_DOMAIN} found" echo "No A record for autoconfig.${SQL_DOMAIN} found"
@ -69,18 +83,31 @@ while true; do
A_DISCOVER=$(dig A autodiscover.${SQL_DOMAIN} +short | tail -n 1) A_DISCOVER=$(dig A autodiscover.${SQL_DOMAIN} +short | tail -n 1)
if [[ ! -z ${A_DISCOVER} ]]; then if [[ ! -z ${A_DISCOVER} ]]; then
echo "Found A record for autodiscover.${SQL_DOMAIN}: ${A_CONFIG}" echo "Found A record for autodiscover.${SQL_DOMAIN}: ${A_DISCOVER}"
if [[ ${IPV4} == ${A_DISCOVER} ]]; then if [[ ${IPV4} == ${A_DISCOVER} ]]; then
echo "Confirmed A record autodiscover.${SQL_DOMAIN}" echo "Confirmed A record autodiscover.${SQL_DOMAIN}"
VALIDATED_CONFIG_DOMAINS+=("autodiscover.${SQL_DOMAIN}") VALIDATED_CONFIG_DOMAINS+=("autodiscover.${SQL_DOMAIN}")
else else
echo "Cannot match Your IP against hostname autodiscover.${SQL_DOMAIN}" echo "Cannot match your IP against hostname autodiscover.${SQL_DOMAIN}"
fi fi
else else
echo "No A record for autodiscover.${SQL_DOMAIN} found" echo "No A record for autodiscover.${SQL_DOMAIN} found"
fi fi
done done
A_MAILCOW_HOSTNAME=$(dig A ${MAILCOW_HOSTNAME} +short | tail -n 1)
if [[ ! -z ${A_MAILCOW_HOSTNAME} ]]; then
echo "Found A record for ${MAILCOW_HOSTNAME}: ${A_MAILCOW_HOSTNAME}"
if [[ ${IPV4} == ${A_MAILCOW_HOSTNAME} ]]; then
echo "Confirmed A record ${MAILCOW_HOSTNAME}"
VALIDATED_MAILCOW_HOSTNAME=${MAILCOW_HOSTNAME}
else
echo "Cannot match your IP against hostname ${MAILCOW_HOSTNAME}"
fi
else
echo "No A record for ${MAILCOW_HOSTNAME} found"
fi
for SAN in "${ADDITIONAL_SAN_ARR[@]}"; do for SAN in "${ADDITIONAL_SAN_ARR[@]}"; do
A_SAN=$(dig A ${SAN} +short | tail -n 1) A_SAN=$(dig A ${SAN} +short | tail -n 1)
if [[ ! -z ${A_SAN} ]]; then if [[ ! -z ${A_SAN} ]]; then
@ -89,13 +116,19 @@ while true; do
echo "Confirmed A record ${SAN}" echo "Confirmed A record ${SAN}"
ADDITIONAL_VALIDATED_SAN+=("${SAN}") ADDITIONAL_VALIDATED_SAN+=("${SAN}")
else else
echo "Cannot match Your IP against hostname ${SAN}" echo "Cannot match your IP against hostname ${SAN}"
fi fi
else else
echo "No A record for ${SAN} found" echo "No A record for ${SAN} found"
fi fi
done done
ALL_VALIDATED=($(echo ${VALIDATED_CONFIG_DOMAINS[*]} ${ADDITIONAL_VALIDATED_SAN[*]} ${VALIDATED_MAILCOW_HOSTNAME}))
if [[ -z ${ALL_VALIDATED[*]} ]]; then
echo "Cannot validate hostnames, skipping Let's Encrypt..."
echo 0
fi
ORPHANED_SAN=($(echo ${SAN_ARRAY_NOW[*]} ${VALIDATED_CONFIG_DOMAINS[*]} ${ADDITIONAL_VALIDATED_SAN[*]} ${MAILCOW_HOSTNAME} | tr ' ' '\n' | sort | uniq -u )) ORPHANED_SAN=($(echo ${SAN_ARRAY_NOW[*]} ${VALIDATED_CONFIG_DOMAINS[*]} ${ADDITIONAL_VALIDATED_SAN[*]} ${MAILCOW_HOSTNAME} | tr ' ' '\n' | sort | uniq -u ))
if [[ ! -z ${ORPHANED_SAN[*]} ]]; then if [[ ! -z ${ORPHANED_SAN[*]} ]]; then
DATE=$(date +%Y-%m-%d_%H_%M_%S) DATE=$(date +%Y-%m-%d_%H_%M_%S)
@ -112,7 +145,7 @@ while true; do
-f ${ACME_BASE}/acme/private/account.key \ -f ${ACME_BASE}/acme/private/account.key \
-k ${ACME_BASE}/acme/private/privkey.pem \ -k ${ACME_BASE}/acme/private/privkey.pem \
-c ${ACME_BASE}/acme \ -c ${ACME_BASE}/acme \
${MAILCOW_HOSTNAME} ${VALIDATED_CONFIG_DOMAINS[*]} ${ADDITIONAL_VALIDATED_SAN[*]} ${VALIDATED_MAILCOW_HOSTNAME} ${VALIDATED_CONFIG_DOMAINS[*]} ${ADDITIONAL_VALIDATED_SAN[*]}
case "$?" in case "$?" in
0) # new certs 0) # new certs
@ -121,17 +154,33 @@ while true; do
cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/key.pem cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/key.pem
# restart docker containers # restart docker containers
if ! verify_hash_match ${ACME_BASE}/cert.pem ${ACME_BASE}/key.pem; then
cp ${SSL_EXAMPLE}/cert.pem ${ACME_BASE}/cert.pem
cp ${SSL_EXAMPLE}/key.pem ${ACME_BASE}/key.pem
fi
restart_containers ${CONTAINERS_RESTART} restart_containers ${CONTAINERS_RESTART}
;; ;;
1) # failure 1) # failure
[[ -f ${ACME_BASE}/acme/private/${DATE}.bak/fullchain.pem ]] && cp ${ACME_BASE}/acme/private/${DATE}.bak/fullchain.pem ${ACME_BASE}/cert.pem [[ -f ${ACME_BASE}/acme/private/${DATE}.bak/fullchain.pem ]] && cp ${ACME_BASE}/acme/private/${DATE}.bak/fullchain.pem ${ACME_BASE}/cert.pem
[[ -f ${ACME_BASE}/acme/private/${DATE}.bak/privkey.pem ]] && cp ${ACME_BASE}/acme/private/${DATE}.bak/privkey.pem ${ACME_BASE}/key.pem [[ -f ${ACME_BASE}/acme/private/${DATE}.bak/privkey.pem ]] && cp ${ACME_BASE}/acme/private/${DATE}.bak/privkey.pem ${ACME_BASE}/key.pem
if ! verify_hash_match ${ACME_BASE}/cert.pem ${ACME_BASE}/key.pem; then
cp ${SSL_EXAMPLE}/cert.pem ${ACME_BASE}/cert.pem
cp ${SSL_EXAMPLE}/key.pem ${ACME_BASE}/key.pem
fi
exit 1;; exit 1;;
2) # no change 2) # no change
if ! verify_hash_match ${ACME_BASE}/cert.pem ${ACME_BASE}/key.pem; then
cp ${SSL_EXAMPLE}/cert.pem ${ACME_BASE}/cert.pem
cp ${SSL_EXAMPLE}/key.pem ${ACME_BASE}/key.pem
fi
;; ;;
*) # unspecified *) # unspecified
[[ -f ${ACME_BASE}/acme/private/${DATE}.bak/fullchain.pem ]] && cp ${ACME_BASE}/acme/private/${DATE}.bak/fullchain.pem ${ACME_BASE}/cert.pem [[ -f ${ACME_BASE}/acme/private/${DATE}.bak/fullchain.pem ]] && cp ${ACME_BASE}/acme/private/${DATE}.bak/fullchain.pem ${ACME_BASE}/cert.pem
[[ -f ${ACME_BASE}/acme/private/${DATE}.bak/privkey.pem ]] && cp ${ACME_BASE}/acme/private/${DATE}.bak/privkey.pem ${ACME_BASE}/key.pem [[ -f ${ACME_BASE}/acme/private/${DATE}.bak/privkey.pem ]] && cp ${ACME_BASE}/acme/private/${DATE}.bak/privkey.pem ${ACME_BASE}/key.pem
if ! verifyhash_match ${ACME_BASE}/cert.pem ${ACME_BASE}/key.pem; then
cp ${SSL_EXAMPLE}/cert.pem ${ACME_BASE}/cert.pem
cp ${SSL_EXAMPLE}/key.pem ${ACME_BASE}/key.pem
fi
exit 1;; exit 1;;
esac esac

32
data/web/autodiscover.php
View File

@ -1,9 +1,11 @@
<?php <?php
require_once 'inc/vars.inc.php'; require_once 'inc/vars.inc.php';
require_once 'inc/functions.inc.php'; require_once 'inc/functions.inc.php';
$default_autodiscover_config = $autodiscover_config;
if(file_exists('inc/vars.local.inc.php')) { if(file_exists('inc/vars.local.inc.php')) {
include_once 'inc/vars.local.inc.php'; include_once 'inc/vars.local.inc.php';
} }
$configuration = array_merge($default_autodiscover_config, $autodiscover_config);
error_reporting(0); error_reporting(0);
@ -11,13 +13,13 @@ $data = trim(file_get_contents("php://input"));
// Desktop client needs IMAP, unless it's Outlook 2013 or higher on Windows // Desktop client needs IMAP, unless it's Outlook 2013 or higher on Windows
if (strpos($data, 'autodiscover/outlook/responseschema')) { // desktop client if (strpos($data, 'autodiscover/outlook/responseschema')) { // desktop client
$autodiscover_config['autodiscoverType'] = 'imap'; $configuration['autodiscoverType'] = 'imap';
if ($autodiscover_config['useEASforOutlook'] == 'yes' && if ($configuration['useEASforOutlook'] == 'yes' &&
// Office for macOS does not support EAS // Office for macOS does not support EAS
strpos($_SERVER['HTTP_USER_AGENT'], 'Mac') === false && strpos($_SERVER['HTTP_USER_AGENT'], 'Mac') === false &&
// Outlook 2013 (version 15) or higher // Outlook 2013 (version 15) or higher
preg_match('/(Outlook|Office).+1[5-9]\./', $_SERVER['HTTP_USER_AGENT'])) { preg_match('/(Outlook|Office).+1[5-9]\./', $_SERVER['HTTP_USER_AGENT'])) {
$autodiscover_config['autodiscoverType'] = 'activesync'; $configuration['autodiscoverType'] = 'activesync';
} }
} }
@ -61,7 +63,7 @@ else {
$discover = new SimpleXMLElement($data); $discover = new SimpleXMLElement($data);
$email = $discover->Request->EMailAddress; $email = $discover->Request->EMailAddress;
if ($autodiscover_config['autodiscoverType'] == 'imap') { if ($configuration['autodiscoverType'] == 'imap') {
?> ?>
<Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a"> <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
<User> <User>
@ -72,35 +74,35 @@ else {
<Action>settings</Action> <Action>settings</Action>
<Protocol> <Protocol>
<Type>IMAP</Type> <Type>IMAP</Type>
<Server><?=$autodiscover_config['imap']['server'];?></Server> <Server><?=$configuration['imap']['server'];?></Server>
<Port><?=$autodiscover_config['imap']['port'];?></Port> <Port><?=$configuration['imap']['port'];?></Port>
<DomainRequired>off</DomainRequired> <DomainRequired>off</DomainRequired>
<LoginName><?=$email;?></LoginName> <LoginName><?=$email;?></LoginName>
<SPA>off</SPA> <SPA>off</SPA>
<SSL><?=$autodiscover_config['imap']['ssl'];?></SSL> <SSL>on</SSL>
<AuthRequired>on</AuthRequired> <AuthRequired>on</AuthRequired>
</Protocol> </Protocol>
<Protocol> <Protocol>
<Type>SMTP</Type> <Type>SMTP</Type>
<Server><?=$autodiscover_config['smtp']['server'];?></Server> <Server><?=$configuration['smtp']['server'];?></Server>
<Port><?=$autodiscover_config['smtp']['port'];?></Port> <Port><?=$configuration['smtp']['port'];?></Port>
<DomainRequired>off</DomainRequired> <DomainRequired>off</DomainRequired>
<LoginName><?=$email;?></LoginName> <LoginName><?=$email;?></LoginName>
<SPA>off</SPA> <SPA>off</SPA>
<SSL><?=$autodiscover_config['smtp']['ssl'];?></SSL> <SSL>on</SSL>
<AuthRequired>on</AuthRequired> <AuthRequired>on</AuthRequired>
<UsePOPAuth>on</UsePOPAuth> <UsePOPAuth>on</UsePOPAuth>
<SMTPLast>off</SMTPLast> <SMTPLast>off</SMTPLast>
</Protocol> </Protocol>
<Protocol> <Protocol>
<Type>CalDAV</Type> <Type>CalDAV</Type>
<Server>https://<?=$mailcow_hostname;?>/SOGo/dav/<?=$email;?>/Calendar</Server> <Server><?=$configuration['caldav']['server'];?>/SOGo/dav/<?=$email;?>/Calendar</Server>
<DomainRequired>off</DomainRequired> <DomainRequired>off</DomainRequired>
<LoginName><?=$email;?></LoginName> <LoginName><?=$email;?></LoginName>
</Protocol> </Protocol>
<Protocol> <Protocol>
<Type>CardDAV</Type> <Type>CardDAV</Type>
<Server>https://<?=$mailcow_hostname;?>/SOGo/dav/<?=$email;?>/Contacts</Server> <Server><?=$configuration['carddav']['server'];?>/SOGo/dav/<?=$email;?>/Contacts</Server>
<DomainRequired>off</DomainRequired> <DomainRequired>off</DomainRequired>
<LoginName><?=$email;?></LoginName> <LoginName><?=$email;?></LoginName>
</Protocol> </Protocol>
@ -108,7 +110,7 @@ else {
</Response> </Response>
<?php <?php
} }
else if ($autodiscover_config['autodiscoverType'] == 'activesync') { else if ($configuration['autodiscoverType'] == 'activesync') {
$username = trim($email); $username = trim($email);
try { try {
$stmt = $pdo->prepare("SELECT `name` FROM `mailbox` WHERE `username`= :username"); $stmt = $pdo->prepare("SELECT `name` FROM `mailbox` WHERE `username`= :username");
@ -135,8 +137,8 @@ else {
<Settings> <Settings>
<Server> <Server>
<Type>MobileSync</Type> <Type>MobileSync</Type>
<Url><?=$autodiscover_config['activesync']['url'];?></Url> <Url><?=$configuration['activesync']['url'];?></Url>
<Name><?=$autodiscover_config['activesync']['url'];?></Name> <Name><?=$configuration['activesync']['url'];?></Name>
</Server> </Server>
</Settings> </Settings>
</Action> </Action>

11
data/web/inc/vars.inc.php
View File

@ -23,22 +23,27 @@ $autodiscover_config = array(
'useEASforOutlook' => 'yes', 'useEASforOutlook' => 'yes',
// General autodiscover service type: "activesync" or "imap" // General autodiscover service type: "activesync" or "imap"
'autodiscoverType' => 'activesync', 'autodiscoverType' => 'activesync',
// Please don't use STARTTLS-enabled service ports here.
// The autodiscover service will always point to SMTPS and IMAPS (TLS-wrapped services).
'imap' => array( 'imap' => array(
'server' => $mailcow_hostname, 'server' => $mailcow_hostname,
'port' => getenv('IMAPS_PORT'), 'port' => getenv('IMAPS_PORT'),
'ssl' => 'on',
), ),
'smtp' => array( 'smtp' => array(
'server' => $mailcow_hostname, 'server' => $mailcow_hostname,
'port' => getenv('SMTPS_PORT'), 'port' => getenv('SMTPS_PORT'),
'ssl' => 'on'
), ),
'activesync' => array( 'activesync' => array(
'url' => 'https://'.$mailcow_hostname.'/Microsoft-Server-ActiveSync' 'url' => 'https://'.$mailcow_hostname.'/Microsoft-Server-ActiveSync'
),
'caldav' => array(
'url' => 'https://'.$mailcow_hostname
),
'carddav' => array(
'url' => 'https://'.$mailcow_hostname
) )
); );
// Where to go after adding and editing objects // Where to go after adding and editing objects
// Can be "form" or "previous" // Can be "form" or "previous"
// "form" will stay in the current form, "previous" will redirect to previous page // "form" will stay in the current form, "previous" will redirect to previous page

2
docker-compose.yml
View File

@ -293,7 +293,7 @@ services:
acme-mailcow: acme-mailcow:
depends_on: depends_on:
- nginx-mailcow - nginx-mailcow
image: mailcow/acme:1.5 image: mailcow/acme:1.6
build: ./data/Dockerfiles/acme build: ./data/Dockerfiles/acme
dns: dns:
- 172.22.1.254 - 172.22.1.254