[ClamAV] Add whitelist file for ClamAV, fixes #1607

[ACME] Test for CAA before running script, fixes #1632
André 2018-08-05 22:35:02 +02:00
parent 73f880ffba
commit ff0b9246b5
2 changed files with 29 additions and 1 deletions


@ -67,7 +67,7 @@ get_ipv4(){
local IPV4_SRCS= local IPV4_SRCS=
local TRY= local TRY=
IPV4_SRCS[0]="api.ipify.org" IPV4_SRCS[0]="api.ipify.org"
IPV4_SRCS[1]="ifconfig.co"- IPV4_SRCS[1]="ifconfig.co"
IPV4_SRCS[2]="icanhazip.com" IPV4_SRCS[2]="icanhazip.com"
IPV4_SRCS[3]="v4.ident.me" IPV4_SRCS[3]="v4.ident.me"
IPV4_SRCS[4]="ipecho.net/plain" IPV4_SRCS[4]="ipecho.net/plain"
@ -153,6 +153,19 @@ while true; do
IPV6=$(get_ipv6) IPV6=$(get_ipv6)
log_f "OK" no_date log_f "OK" no_date
# Hard-fail on CAA errors for MAILCOW_HOSTNAME
MH_PARENT_DOMAIN=$(echo ${MAILCOW_HOSTNAME} | cut -d. -f2-)
MH_CAAS=( $(dig CAA ${MH_PARENT_DOMAIN} +short | sed -n 's/\d issue "\(.*\)"/\1/p') )
if [[ ! -z ${MH_CAAS} ]]; then
if [[ ${MH_CAAS[@]} =~ "letsencrypt.org" ]]; then
echo "Validated CAA for parent domain ${MH_PARENT_DOMAIN}"
else
echo "Skipping ACME validation: Lets Encrypt disallowed for ${MAILCOW_HOSTNAME} by CAA record, retrying in 1h..."
sleep 1h
exec $(readlink -f "$0")
fi
fi
# Container ids may have changed # Container ids may have changed
CONTAINERS_RESTART=($(curl --silent http://dockerapi:8080/containers/json | jq -r '.[] | {name: .Config.Labels["com.docker.compose.service"], id: .Id}' | jq -rc 'select( .name | tostring | contains("nginx-mailcow") or contains("postfix-mailcow") or contains("dovecot-mailcow")) | .id' | tr "\n" " ")) CONTAINERS_RESTART=($(curl --silent http://dockerapi:8080/containers/json | jq -r '.[] | {name: .Config.Labels["com.docker.compose.service"], id: .Id}' | jq -rc 'select( .name | tostring | contains("nginx-mailcow") or contains("postfix-mailcow") or contains("dovecot-mailcow")) | .id' | tr "\n" " "))
@ -249,6 +262,17 @@ while true; do
fi fi
for SAN in "${ADDITIONAL_SAN_ARR[@]}"; do for SAN in "${ADDITIONAL_SAN_ARR[@]}"; do
# Skip on CAA errors for SAN
SAN_PARENT_DOMAIN=$(echo ${SAN} | cut -d. -f2-)
SAN_CAAS=( $(dig CAA ${SAN_PARENT_DOMAIN} +short | sed -n 's/\d issue "\(.*\)"/\1/p') )
if [[ ! -z ${SAN_CAAS} ]]; then
if [[ ${SAN_CAAS[@]} =~ "letsencrypt.org" ]]; then
echo "Validated CAA for parent domain ${SAN_PARENT_DOMAIN} of ${SAN}"
else
echo "Skipping ACME validation for ${SAN}: Lets Encrypt disallowed for ${SAN} by CAA record"
continue
fi
fi
if [[ ${SAN} == ${MAILCOW_HOSTNAME} ]]; then if [[ ${SAN} == ${MAILCOW_HOSTNAME} ]]; then
continue continue
fi fi
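Review bot: The `sed -n 's/\d issue "\(.*\)"/\1/p'` filter applied to the `dig CAA` output in the `MH_CAAS=( … )` line most likely never matches, because `\d` is not a digit class in POSIX or GNU sed basic regular expressions, so a record such as `0 issue "letsencrypt.org"` leaves the array empty and the guard is silently skipped; `sed -n 's/^[0-9]* issue "\(.*\)"/\1/p'` would extract the issuer. The same pattern is repeated in the `SAN_CAAS=( … )` line of the third hunk and needs the same change. Note also that the lookup inspects only the immediate parent label (`cut -d. -f2-`), whereas CAA processing starts at the name itself and walks every ancestor, and an empty result — including a failed or timed-out `dig` — is treated as permission, so this is a best-effort preflight rather than the "Hard-fail" the comment announces; a comment saying so would prevent the next maintainer from relying on it. The expansions `${MAILCOW_HOSTNAME}`, `${SAN}` and `${MH_PARENT_DOMAIN}` are unquoted in the `echo`, `cut` and `dig` invocations, which ShellCheck flags as SC2086. The enclosing `while true` loop starts and ends outside these hunks.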


@ -14,6 +14,10 @@ chown root:tty /dev/console
chmod g+rw /dev/console chmod g+rw /dev/console
# Prepare # Prepare
[[ ! -f /var/lib/clamav/whitelist.ign2 ]] && touch /var/lib/clamav/whitelist.ign2
dos2unix /var/lib/clamav/whitelist.ign2
sed -i '/^\s*$/d' /var/lib/clamav/whitelist.ign2
BACKGROUND_TASKS=() BACKGROUND_TASKS=()
( (