From fe9b9f5dfa5b529711fb715e4fe1b23f8b959eda Mon Sep 17 00:00:00 2001 From: andryyy Date: Sat, 23 Feb 2019 10:21:13 +0100 Subject: [PATCH 1/5] [ClamAV] Set permission recursively [Compose] Updaet ClamAV image --- data/Dockerfiles/clamd/bootstrap.sh | 2 +- docker-compose.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/data/Dockerfiles/clamd/bootstrap.sh b/data/Dockerfiles/clamd/bootstrap.sh index fcfe0934..eadb8e7e 100755 --- a/data/Dockerfiles/clamd/bootstrap.sh +++ b/data/Dockerfiles/clamd/bootstrap.sh @@ -17,7 +17,7 @@ chown clamav:clamav /var/lib/clamav/whitelist.ign2 mkdir -p /run/clamav /var/lib/clamav chown clamav:clamav /run/clamav /var/lib/clamav chmod 750 /run/clamav -chmod 755 /var/lib/clamav +chmod 755 -R /var/lib/clamav dos2unix /var/lib/clamav/whitelist.ign2 sed -i '/^\s*$/d' /var/lib/clamav/whitelist.ign2 diff --git a/docker-compose.yml b/docker-compose.yml index 059c0163..f2776bd7 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -55,7 +55,7 @@ services: - redis clamd-mailcow: - image: mailcow/clamd:1.21 + image: mailcow/clamd:1.22 build: ./data/Dockerfiles/clamd restart: always environment: From 354ecd727cf61b05089ff31187530f464757135e Mon Sep 17 00:00:00 2001 From: andryyy Date: Sat, 23 Feb 2019 10:27:13 +0100 Subject: [PATCH 2/5] [ClamAV] More checks and permission fixes --- data/Dockerfiles/clamd/bootstrap.sh | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/data/Dockerfiles/clamd/bootstrap.sh b/data/Dockerfiles/clamd/bootstrap.sh index eadb8e7e..0bd2fb26 100755 --- a/data/Dockerfiles/clamd/bootstrap.sh +++ b/data/Dockerfiles/clamd/bootstrap.sh 
@@ -8,18 +8,24 @@ fi # Prepare whitelist if [[ -s /etc/clamav/whitelist.ign2 ]]; then + echo "Copying non-empty whitelist.ign2 to /var/lib/clamav/whitelist.ign2" cp /etc/clamav/whitelist.ign2 /var/lib/clamav/whitelist.ign2 fi if [[ ! -f /var/lib/clamav/whitelist.ign2 ]]; then + echo "Creating /var/lib/clamav/whitelist.ign2" echo "Example-Signature.Ignore-1" > /var/lib/clamav/whitelist.ign2 fi -chown clamav:clamav /var/lib/clamav/whitelist.ign2 + mkdir -p /run/clamav /var/lib/clamav -chown clamav:clamav /run/clamav /var/lib/clamav + +chown clamav:clamav -R /var/lib/clamav /run/clamav + +chmod 755 /var/lib/clamav +chmod 644 -R /var/lib/clamav/* chmod 750 /run/clamav -chmod 755 -R /var/lib/clamav dos2unix /var/lib/clamav/whitelist.ign2 + sed -i '/^\s*$/d' /var/lib/clamav/whitelist.ign2 BACKGROUND_TASKS=() @@ -38,7 +44,7 @@ while true; do sleep 2m SANE_MIRRORS="$(dig +ignore +short rsync.sanesecurity.net)" for sane_mirror in ${SANE_MIRRORS}; do - rsync -avp --chown=clamav:clamav --timeout=5 rsync://${sane_mirror}/sanesecurity/ \ + rsync -avp --chown=clamav:clamav --chmod=Du=rwx,Dgo=rx,Fu=rw,Fog=r --timeout=5 rsync://${sane_mirror}/sanesecurity/ \ --include 'blurl.ndb' \ --include 'junk.ndb' \ --include 'jurlbl.ndb' \ From db17a304b00b71be619c2361030a3c81d117edcb Mon Sep 17 00:00:00 2001 From: andryyy Date: Sat, 23 Feb 2019 10:34:16 +0100 Subject: [PATCH 3/5] [ClamAV] Create directory before handling whitelist --- data/Dockerfiles/clamd/bootstrap.sh | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/data/Dockerfiles/clamd/bootstrap.sh b/data/Dockerfiles/clamd/bootstrap.sh index 0bd2fb26..1d49cd20 100755 --- a/data/Dockerfiles/clamd/bootstrap.sh +++ b/data/Dockerfiles/clamd/bootstrap.sh 
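Review bot: `chmod 644 -R /var/lib/clamav/*` in the first hunk strips the execute bit from any subdirectory below /var/lib/clamav, which makes that directory untraversable for clamd, and because the glob is unquoted with no nullglob an empty directory leaves the literal `*` and chmod errors out; dotfiles are skipped as well. Setting directory and file modes separately avoids all three: `find /var/lib/clamav -type d -exec chmod 755 {} +` followed by `find /var/lib/clamav -type f -exec chmod 644 {} +`. Whether subdirectories ever appear there is not visible here; the rsync hunk below only pulls flat include patterns, but freshclam's layout is outside this diff. The bootstrap script continues outside the hunk.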
@@ -7,6 +7,9 @@ if [[ "${SKIP_CLAMD}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then fi # Prepare whitelist + +mkdir -p /run/clamav /var/lib/clamav + if [[ -s /etc/clamav/whitelist.ign2 ]]; then echo "Copying non-empty whitelist.ign2 to /var/lib/clamav/whitelist.ign2" cp /etc/clamav/whitelist.ign2 /var/lib/clamav/whitelist.ign2 @@ -16,14 +19,15 @@ if [[ ! -f /var/lib/clamav/whitelist.ign2 ]]; then echo "Example-Signature.Ignore-1" > /var/lib/clamav/whitelist.ign2 fi -mkdir -p /run/clamav /var/lib/clamav - chown clamav:clamav -R /var/lib/clamav /run/clamav chmod 755 /var/lib/clamav chmod 644 -R /var/lib/clamav/* chmod 750 /run/clamav +echo "Stating whitelist.ign2" +stat /var/lib/clamav/whitelist.ign2 + dos2unix /var/lib/clamav/whitelist.ign2 sed -i '/^\s*$/d' /var/lib/clamav/whitelist.ign2 From 108e808d06f5de51a4dce1612c6e3fe4834b9cbe Mon Sep 17 00:00:00 2001 From: andryyy Date: Sat, 23 Feb 2019 23:46:01 +0100 Subject: [PATCH 4/5] [Rspamd] Reduce SOGO_CONTACT score to -99 --- data/conf/rspamd/dynmaps/settings.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/data/conf/rspamd/dynmaps/settings.php b/data/conf/rspamd/dynmaps/settings.php index 8bdfb49d..4d78456e 100644 --- a/data/conf/rspamd/dynmaps/settings.php +++ b/data/conf/rspamd/dynmaps/settings.php @@ -179,7 +179,7 @@ foreach (wl_by_sogo() as $user => $contacts) { } ?> apply "default" { - SOGO_CONTACT = -999.0; + SOGO_CONTACT = -99.0; } symbols [ "SOGO_CONTACT" @@ -425,4 +425,4 @@ while ($row = array_shift($rows)) { -} \ No newline at end of file +} From 57312ad605b1e0b2a996b07cde6280299ae8025c Mon Sep 17 00:00:00 2001 
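Review bot: Lowering SOGO_CONTACT to -99 in the settings.php hunk still leaves an effectively unconditional whitelist, since -99 outweighs any score a message could realistically accumulate before hitting the usual reject threshold. If the matching condition generated from `wl_by_sogo()` keys only on the sender address (the condition itself is outside the hunk), a message with a forged From: matching a contact inherits the same -99, so the score should only apply when the sender is authenticated or DMARC-aligned, or be reduced to a magnitude comparable to other whitelist symbols. At minimum a comment in the generated block, `# -99 is still an absolute whitelist; only safe if the match requires an aligned/authenticated sender`, would make the trade-off explicit. The PHP loop emitting these rules starts before the hunk.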
From: andryyy Date: Mon, 25 Feb 2019 00:00:32 +0100 Subject: [PATCH 5/5] [Compose] Add ALLOW_ADMIN_EMAIL_LOGIN to sogo-mailcow to trigger bootstrap on change [Compose] Static IPv4 for Dovecot [SOGo] Remove SOGoIMAPServer from sogo.conf [SOGo] Add SOGoIMAPServer to bootstrap process [Nginx] Disallow editAccount for other accounts than 0 (own) --- data/Dockerfiles/sogo/bootstrap-sogo.sh | 5 +++++ data/conf/nginx/templates/sogo.auth_request.template.sh | 4 +++- data/conf/sogo/sogo.conf | 1 - docker-compose.yml | 7 +++++-- 4 files changed, 13 insertions(+), 4 deletions(-) diff --git a/data/Dockerfiles/sogo/bootstrap-sogo.sh b/data/Dockerfiles/sogo/bootstrap-sogo.sh index 5072a306..84176ebd 100755 --- a/data/Dockerfiles/sogo/bootstrap-sogo.sh +++ b/data/Dockerfiles/sogo/bootstrap-sogo.sh @@ -85,6 +85,9 @@ done mkdir -p /var/lib/sogo/GNUstep/Defaults/ +# Force-remove lines from sogo.conf +sed -i '/SOGoIMAPServer/d' /etc/sogo/sogo.conf + # Generate plist header with timezone data cat < /var/lib/sogo/GNUstep/Defaults/sogod.plist @@ -93,6 +96,8 @@ cat < /var/lib/sogo/GNUstep/Defaults/sogod.plist OCSAclURL mysql://${DBUSER}:${DBPASS}@%2Fvar%2Frun%2Fmysqld%2Fmysqld.sock/${DBNAME}/sogo_acl + SOGoIMAPServer + imap://${IPV4_NETWORK}.250:143/?tls=YES OCSCacheFolderURL mysql://${DBUSER}:${DBPASS}@%2Fvar%2Frun%2Fmysqld%2Fmysqld.sock/${DBNAME}/sogo_cache_folder OCSEMailAlarmsFolderURL diff --git a/data/conf/nginx/templates/sogo.auth_request.template.sh b/data/conf/nginx/templates/sogo.auth_request.template.sh index ae1a3879..d885d9f5 100644 --- a/data/conf/nginx/templates/sogo.auth_request.template.sh +++ b/data/conf/nginx/templates/sogo.auth_request.template.sh @@ -2,5 +2,7 @@ if printf "%s\n" "${ALLOW_ADMIN_EMAIL_LOGIN}" | grep -E '^([yY][eE][sS]|[yY])+$' echo 'auth_request /sogo-auth-verify; auth_request_set $user $upstream_http_x_username; proxy_set_header x-webobjects-remote-user $user; -' +if ($args ~* (.*)(account=(?!0))(.*)) { + return 401; +}' fi 
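Review bot: The query-string guard added in the sogo.auth_request template only inspects the first character after `account=`, so a leading zero bypasses it: `account=01` or `account=0%31` pass the negative lookahead while SOGo, if it parses the value as an integer, still sees account 1; and because it matches `account=` anywhere in `$args`, an unrelated parameter such as `subaccount=1` is rejected. Matching the argument value as an allowlist is more robust: `if ($arg_account ~ "^(?!0*$)") { return 401; }` rejects any non-empty value that is not all zeros, including percent-encoded digits, since `$arg_account` is the raw value. Whether SOGo accepts the account number anywhere other than the query string is not visible here; if it does, the check belongs in the auth_request verifier rather than in nginx. The enclosing `if printf … grep` condition starts before the hunk.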
diff --git a/data/conf/sogo/sogo.conf b/data/conf/sogo/sogo.conf index a8befc2b..b115d75d 100644 --- a/data/conf/sogo/sogo.conf +++ b/data/conf/sogo/sogo.conf @@ -26,7 +26,6 @@ // (domain3.tld, domain2.tld) // ); - SOGoIMAPServer = "imap://dovecot:143/?tls=YES"; SOGoSieveServer = "sieve://dovecot:4190/?tls=YES"; SOGoSMTPServer = "postfix:588"; WOPort = "0.0.0.0:20000"; diff --git a/docker-compose.yml b/docker-compose.yml index a4a8b9be..c2394909 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -140,7 +140,7 @@ services: - phpfpm sogo-mailcow: - image: mailcow/sogo:1.52 + image: mailcow/sogo:1.53 build: ./data/Dockerfiles/sogo environment: - DBNAME=${DBNAME} @@ -150,6 +150,8 @@ services: - LOG_LINES=${LOG_LINES:-9999} - MAILCOW_HOSTNAME=${MAILCOW_HOSTNAME} - ACL_ANYONE=${ACL_ANYONE:-disallow} + - ALLOW_ADMIN_EMAIL_LOGIN=${ALLOW_ADMIN_EMAIL_LOGIN:-n} + - IPV4_NETWORK=${IPV4_NETWORK:-172.22.1} volumes: - ./data/conf/sogo/:/etc/sogo/ - ./data/web/inc/init_db.inc.php:/init_db.inc.php @@ -165,7 +167,7 @@ services: - sogo dovecot-mailcow: - image: mailcow/dovecot:1.63 + image: mailcow/dovecot:1.64 build: ./data/Dockerfiles/dovecot cap_add: - NET_BIND_SERVICE @@ -210,6 +212,7 @@ services: hostname: ${MAILCOW_HOSTNAME} networks: mailcow-network: + ipv4_address: ${IPV4_NETWORK:-172.22.1}.250 aliases: - dovecot
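Review bot: The `.250` host suffix given to dovecot-mailcow in the last hunk is now duplicated in data/Dockerfiles/sogo/bootstrap-sogo.sh (SOGoIMAPServer) with only the `IPV4_NETWORK` prefix shared, so changing one without the other silently breaks SOGo's IMAP connection. A comment beside the new line, `# .250 is hardcoded in sogo/bootstrap-sogo.sh as the SOGoIMAPServer address; keep in sync`, would at least flag the coupling, or the full address could be exported as a single variable consumed by both files. `ipv4_address` also presumably requires `mailcow-network` to declare an ipam subnet covering `${IPV4_NETWORK}.0/24`, which is outside this hunk. The dovecot-mailcow service definition starts before the hunk.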