- More checks for acme-mailcow (verify hashes)
- Autodiscover configuration file: Merge array from vars.local.inc.php - Push acme-mailcow to 1.6master
andryyy
parent
234baf1cb9
commit
6d8438c01c
|
|
@ -12,6 +12,18 @@ restart_containers(){
|
|||
done
|
||||
}
|
||||
|
||||
verify_hash_match(){
|
||||
CERT_HASH=$(openssl x509 -noout -modulus -in "${1}" | openssl md5)
|
||||
KEY_HASH=$(openssl rsa -noout -modulus -in "${2}" | openssl md5)
|
||||
if [[ ${CERT_HASH} != ${KEY_HASH} ]]; then
|
||||
echo "Certificate and key hashes do not match!"
|
||||
return 1
|
||||
else
|
||||
echo "Verified hashes."
|
||||
return 0
|
||||
fi
|
||||
}
|
||||
|
||||
if [[ -f ${ACME_BASE}/cert.pem ]]; then
|
||||
ISSUER=$(openssl x509 -in ${ACME_BASE}/cert.pem -noout -issuer)
|
||||
if [[ ${ISSUER} != *"Let's Encrypt"* && ${ISSUER} != *"mailcow"* ]]; then
|
||||
|
|
@ -28,8 +40,10 @@ if [[ -f ${ACME_BASE}/cert.pem ]]; then
|
|||
else
|
||||
ISSUER="mailcow"
|
||||
if [[ -f ${ACME_BASE}/acme/fullchain.pem ]] && [[ -f ${ACME_BASE}/acme/private/privkey.pem ]]; then
|
||||
if verify_hash_match ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/acme/private/privkey.pem; then
|
||||
cp ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem
|
||||
cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/key.pem
|
||||
fi
|
||||
else
|
||||
cp ${SSL_EXAMPLE}/cert.pem ${ACME_BASE}/cert.pem
|
||||
cp ${SSL_EXAMPLE}/key.pem ${ACME_BASE}/key.pem
|
||||
|
|
@ -61,7 +75,7 @@ while true; do
|
|||
echo "Confirmed A record autoconfig.${SQL_DOMAIN}"
|
||||
VALIDATED_CONFIG_DOMAINS+=("autoconfig.${SQL_DOMAIN}")
|
||||
else
|
||||
echo "Cannot match Your IP against hostname autoconfig.${SQL_DOMAIN}"
|
||||
echo "Cannot match your IP against hostname autoconfig.${SQL_DOMAIN}"
|
||||
fi
|
||||
else
|
||||
echo "No A record for autoconfig.${SQL_DOMAIN} found"
|
||||
|
|
@ -69,18 +83,31 @@ while true; do
|
|||
|
||||
A_DISCOVER=$(dig A autodiscover.${SQL_DOMAIN} +short | tail -n 1)
|
||||
if [[ ! -z ${A_DISCOVER} ]]; then
|
||||
echo "Found A record for autodiscover.${SQL_DOMAIN}: ${A_CONFIG}"
|
||||
echo "Found A record for autodiscover.${SQL_DOMAIN}: ${A_DISCOVER}"
|
||||
if [[ ${IPV4} == ${A_DISCOVER} ]]; then
|
||||
echo "Confirmed A record autodiscover.${SQL_DOMAIN}"
|
||||
VALIDATED_CONFIG_DOMAINS+=("autodiscover.${SQL_DOMAIN}")
|
||||
else
|
||||
echo "Cannot match Your IP against hostname autodiscover.${SQL_DOMAIN}"
|
||||
echo "Cannot match your IP against hostname autodiscover.${SQL_DOMAIN}"
|
||||
fi
|
||||
else
|
||||
echo "No A record for autodiscover.${SQL_DOMAIN} found"
|
||||
fi
|
||||
done
|
||||
|
||||
A_MAILCOW_HOSTNAME=$(dig A ${MAILCOW_HOSTNAME} +short | tail -n 1)
|
||||
if [[ ! -z ${A_MAILCOW_HOSTNAME} ]]; then
|
||||
echo "Found A record for ${MAILCOW_HOSTNAME}: ${A_MAILCOW_HOSTNAME}"
|
||||
if [[ ${IPV4} == ${A_MAILCOW_HOSTNAME} ]]; then
|
||||
echo "Confirmed A record ${MAILCOW_HOSTNAME}"
|
||||
VALIDATED_MAILCOW_HOSTNAME=${MAILCOW_HOSTNAME}
|
||||
else
|
||||
echo "Cannot match your IP against hostname ${MAILCOW_HOSTNAME}"
|
||||
fi
|
||||
else
|
||||
echo "No A record for ${MAILCOW_HOSTNAME} found"
|
||||
fi
|
||||
|
||||
for SAN in "${ADDITIONAL_SAN_ARR[@]}"; do
|
||||
A_SAN=$(dig A ${SAN} +short | tail -n 1)
|
||||
if [[ ! -z ${A_SAN} ]]; then
|
||||
|
|
@ -89,13 +116,19 @@ while true; do
|
|||
echo "Confirmed A record ${SAN}"
|
||||
ADDITIONAL_VALIDATED_SAN+=("${SAN}")
|
||||
else
|
||||
echo "Cannot match Your IP against hostname ${SAN}"
|
||||
echo "Cannot match your IP against hostname ${SAN}"
|
||||
fi
|
||||
else
|
||||
echo "No A record for ${SAN} found"
|
||||
fi
|
||||
done
|
||||
|
||||
ALL_VALIDATED=($(echo ${VALIDATED_CONFIG_DOMAINS[*]} ${ADDITIONAL_VALIDATED_SAN[*]} ${VALIDATED_MAILCOW_HOSTNAME}))
|
||||
if [[ -z ${ALL_VALIDATED[*]} ]]; then
|
||||
echo "Cannot validate hostnames, skipping Let's Encrypt..."
|
||||
echo 0
|
||||
fi
|
||||
|
||||
ORPHANED_SAN=($(echo ${SAN_ARRAY_NOW[*]} ${VALIDATED_CONFIG_DOMAINS[*]} ${ADDITIONAL_VALIDATED_SAN[*]} ${MAILCOW_HOSTNAME} | tr ' ' '\n' | sort | uniq -u ))
|
||||
if [[ ! -z ${ORPHANED_SAN[*]} ]]; then
|
||||
DATE=$(date +%Y-%m-%d_%H_%M_%S)
|
||||
|
|
@ -112,7 +145,7 @@ while true; do
|
|||
-f ${ACME_BASE}/acme/private/account.key \
|
||||
-k ${ACME_BASE}/acme/private/privkey.pem \
|
||||
-c ${ACME_BASE}/acme \
|
||||
${MAILCOW_HOSTNAME} ${VALIDATED_CONFIG_DOMAINS[*]} ${ADDITIONAL_VALIDATED_SAN[*]}
|
||||
${VALIDATED_MAILCOW_HOSTNAME} ${VALIDATED_CONFIG_DOMAINS[*]} ${ADDITIONAL_VALIDATED_SAN[*]}
|
||||
|
||||
case "$?" in
|
||||
0) # new certs
|
||||
|
|
@ -121,17 +154,33 @@ while true; do
|
|||
cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/key.pem
|
||||
|
||||
# restart docker containers
|
||||
if ! verify_hash_match ${ACME_BASE}/cert.pem ${ACME_BASE}/key.pem; then
|
||||
cp ${SSL_EXAMPLE}/cert.pem ${ACME_BASE}/cert.pem
|
||||
cp ${SSL_EXAMPLE}/key.pem ${ACME_BASE}/key.pem
|
||||
fi
|
||||
restart_containers ${CONTAINERS_RESTART}
|
||||
;;
|
||||
1) # failure
|
||||
[[ -f ${ACME_BASE}/acme/private/${DATE}.bak/fullchain.pem ]] && cp ${ACME_BASE}/acme/private/${DATE}.bak/fullchain.pem ${ACME_BASE}/cert.pem
|
||||
[[ -f ${ACME_BASE}/acme/private/${DATE}.bak/privkey.pem ]] && cp ${ACME_BASE}/acme/private/${DATE}.bak/privkey.pem ${ACME_BASE}/key.pem
|
||||
if ! verify_hash_match ${ACME_BASE}/cert.pem ${ACME_BASE}/key.pem; then
|
||||
cp ${SSL_EXAMPLE}/cert.pem ${ACME_BASE}/cert.pem
|
||||
cp ${SSL_EXAMPLE}/key.pem ${ACME_BASE}/key.pem
|
||||
fi
|
||||
exit 1;;
|
||||
2) # no change
|
||||
if ! verify_hash_match ${ACME_BASE}/cert.pem ${ACME_BASE}/key.pem; then
|
||||
cp ${SSL_EXAMPLE}/cert.pem ${ACME_BASE}/cert.pem
|
||||
cp ${SSL_EXAMPLE}/key.pem ${ACME_BASE}/key.pem
|
||||
fi
|
||||
;;
|
||||
*) # unspecified
|
||||
[[ -f ${ACME_BASE}/acme/private/${DATE}.bak/fullchain.pem ]] && cp ${ACME_BASE}/acme/private/${DATE}.bak/fullchain.pem ${ACME_BASE}/cert.pem
|
||||
[[ -f ${ACME_BASE}/acme/private/${DATE}.bak/privkey.pem ]] && cp ${ACME_BASE}/acme/private/${DATE}.bak/privkey.pem ${ACME_BASE}/key.pem
|
||||
if ! verifyhash_match ${ACME_BASE}/cert.pem ${ACME_BASE}/key.pem; then
|
||||
cp ${SSL_EXAMPLE}/cert.pem ${ACME_BASE}/cert.pem
|
||||
cp ${SSL_EXAMPLE}/key.pem ${ACME_BASE}/key.pem
|
||||
fi
|
||||
exit 1;;
|
||||
esac
|
||||
|
||||
|
|
|
|||
|
|
@ -1,9 +1,11 @@
|
|||
<?php
|
||||
require_once 'inc/vars.inc.php';
|
||||
require_once 'inc/functions.inc.php';
|
||||
$default_autodiscover_config = $autodiscover_config;
|
||||
if(file_exists('inc/vars.local.inc.php')) {
|
||||
include_once 'inc/vars.local.inc.php';
|
||||
}
|
||||
$configuration = array_merge($default_autodiscover_config, $autodiscover_config);
|
||||
|
||||
error_reporting(0);
|
||||
|
||||
|
|
@ -11,13 +13,13 @@ $data = trim(file_get_contents("php://input"));
|
|||
|
||||
// Desktop client needs IMAP, unless it's Outlook 2013 or higher on Windows
|
||||
if (strpos($data, 'autodiscover/outlook/responseschema')) { // desktop client
|
||||
$autodiscover_config['autodiscoverType'] = 'imap';
|
||||
if ($autodiscover_config['useEASforOutlook'] == 'yes' &&
|
||||
$configuration['autodiscoverType'] = 'imap';
|
||||
if ($configuration['useEASforOutlook'] == 'yes' &&
|
||||
// Office for macOS does not support EAS
|
||||
strpos($_SERVER['HTTP_USER_AGENT'], 'Mac') === false &&
|
||||
// Outlook 2013 (version 15) or higher
|
||||
preg_match('/(Outlook|Office).+1[5-9]\./', $_SERVER['HTTP_USER_AGENT'])) {
|
||||
$autodiscover_config['autodiscoverType'] = 'activesync';
|
||||
$configuration['autodiscoverType'] = 'activesync';
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -61,7 +63,7 @@ else {
|
|||
$discover = new SimpleXMLElement($data);
|
||||
$email = $discover->Request->EMailAddress;
|
||||
|
||||
if ($autodiscover_config['autodiscoverType'] == 'imap') {
|
||||
if ($configuration['autodiscoverType'] == 'imap') {
|
||||
?>
|
||||
<Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
|
||||
<User>
|
||||
|
|
@ -72,35 +74,35 @@ else {
|
|||
<Action>settings</Action>
|
||||
<Protocol>
|
||||
<Type>IMAP</Type>
|
||||
<Server><?=$autodiscover_config['imap']['server'];?></Server>
|
||||
<Port><?=$autodiscover_config['imap']['port'];?></Port>
|
||||
<Server><?=$configuration['imap']['server'];?></Server>
|
||||
<Port><?=$configuration['imap']['port'];?></Port>
|
||||
<DomainRequired>off</DomainRequired>
|
||||
<LoginName><?=$email;?></LoginName>
|
||||
<SPA>off</SPA>
|
||||
<SSL><?=$autodiscover_config['imap']['ssl'];?></SSL>
|
||||
<SSL>on</SSL>
|
||||
<AuthRequired>on</AuthRequired>
|
||||
</Protocol>
|
||||
<Protocol>
|
||||
<Type>SMTP</Type>
|
||||
<Server><?=$autodiscover_config['smtp']['server'];?></Server>
|
||||
<Port><?=$autodiscover_config['smtp']['port'];?></Port>
|
||||
<Server><?=$configuration['smtp']['server'];?></Server>
|
||||
<Port><?=$configuration['smtp']['port'];?></Port>
|
||||
<DomainRequired>off</DomainRequired>
|
||||
<LoginName><?=$email;?></LoginName>
|
||||
<SPA>off</SPA>
|
||||
<SSL><?=$autodiscover_config['smtp']['ssl'];?></SSL>
|
||||
<SSL>on</SSL>
|
||||
<AuthRequired>on</AuthRequired>
|
||||
<UsePOPAuth>on</UsePOPAuth>
|
||||
<SMTPLast>off</SMTPLast>
|
||||
</Protocol>
|
||||
<Protocol>
|
||||
<Type>CalDAV</Type>
|
||||
<Server>https://<?=$mailcow_hostname;?>/SOGo/dav/<?=$email;?>/Calendar</Server>
|
||||
<Server><?=$configuration['caldav']['server'];?>/SOGo/dav/<?=$email;?>/Calendar</Server>
|
||||
<DomainRequired>off</DomainRequired>
|
||||
<LoginName><?=$email;?></LoginName>
|
||||
</Protocol>
|
||||
<Protocol>
|
||||
<Type>CardDAV</Type>
|
||||
<Server>https://<?=$mailcow_hostname;?>/SOGo/dav/<?=$email;?>/Contacts</Server>
|
||||
<Server><?=$configuration['carddav']['server'];?>/SOGo/dav/<?=$email;?>/Contacts</Server>
|
||||
<DomainRequired>off</DomainRequired>
|
||||
<LoginName><?=$email;?></LoginName>
|
||||
</Protocol>
|
||||
|
|
@ -108,7 +110,7 @@ else {
|
|||
</Response>
|
||||
<?php
|
||||
}
|
||||
else if ($autodiscover_config['autodiscoverType'] == 'activesync') {
|
||||
else if ($configuration['autodiscoverType'] == 'activesync') {
|
||||
$username = trim($email);
|
||||
try {
|
||||
$stmt = $pdo->prepare("SELECT `name` FROM `mailbox` WHERE `username`= :username");
|
||||
|
|
@ -135,8 +137,8 @@ else {
|
|||
<Settings>
|
||||
<Server>
|
||||
<Type>MobileSync</Type>
|
||||
<Url><?=$autodiscover_config['activesync']['url'];?></Url>
|
||||
<Name><?=$autodiscover_config['activesync']['url'];?></Name>
|
||||
<Url><?=$configuration['activesync']['url'];?></Url>
|
||||
<Name><?=$configuration['activesync']['url'];?></Name>
|
||||
</Server>
|
||||
</Settings>
|
||||
</Action>
|
||||
|
|
|
|||
|
|
@ -23,22 +23,27 @@ $autodiscover_config = array(
|
|||
'useEASforOutlook' => 'yes',
|
||||
// General autodiscover service type: "activesync" or "imap"
|
||||
'autodiscoverType' => 'activesync',
|
||||
// Please don't use STARTTLS-enabled service ports here.
|
||||
// The autodiscover service will always point to SMTPS and IMAPS (TLS-wrapped services).
|
||||
'imap' => array(
|
||||
'server' => $mailcow_hostname,
|
||||
'port' => getenv('IMAPS_PORT'),
|
||||
'ssl' => 'on',
|
||||
),
|
||||
'smtp' => array(
|
||||
'server' => $mailcow_hostname,
|
||||
'port' => getenv('SMTPS_PORT'),
|
||||
'ssl' => 'on'
|
||||
),
|
||||
'activesync' => array(
|
||||
'url' => 'https://'.$mailcow_hostname.'/Microsoft-Server-ActiveSync'
|
||||
),
|
||||
'caldav' => array(
|
||||
'url' => 'https://'.$mailcow_hostname
|
||||
),
|
||||
'carddav' => array(
|
||||
'url' => 'https://'.$mailcow_hostname
|
||||
)
|
||||
);
|
||||
|
||||
|
||||
// Where to go after adding and editing objects
|
||||
// Can be "form" or "previous"
|
||||
// "form" will stay in the current form, "previous" will redirect to previous page
|
||||
|
|
|
|||
|
|
@ -293,7 +293,7 @@ services:
|
|||
acme-mailcow:
|
||||
depends_on:
|
||||
- nginx-mailcow
|
||||
image: mailcow/acme:1.5
|
||||
image: mailcow/acme:1.6
|
||||
build: ./data/Dockerfiles/acme
|
||||
dns:
|
||||
- 172.22.1.254
|
||||
|
|
|
|||
Loading…
Reference in New Issue