Merge pull request #4643 from mailcow/staging
2022-06a | IMAPSync Hardening + Docker-Compose v2 now needed
This commit is contained in:
Niklas Meyer
GitHub
commit
3d538d4f14
@ -197,7 +197,7 @@ function dkim($_action, $_data = null, $privkey = false) {
|
||||
return false;
|
||||
}
|
||||
try {
|
||||
dkim('delete', (array)$domain);
|
||||
dkim('delete', array('domains' => $domain));
|
||||
$redis->hSet('DKIM_PUB_KEYS', $domain, $pem_public_key);
|
||||
$redis->hSet('DKIM_SELECTORS', $domain, $dkim_selector);
|
||||
$redis->hSet('DKIM_PRIV_KEYS', $dkim_selector . '.' . $domain, $private_key_normalized);
|
||||
|
||||
@ -336,9 +336,34 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
|
||||
$mins_interval = $_data['mins_interval'];
|
||||
$enc1 = $_data['enc1'];
|
||||
$custom_params = (empty(trim($_data['custom_params']))) ? '' : trim($_data['custom_params']);
|
||||
// Workaround, fixme
|
||||
if (stripos($custom_params, 'pipemess') || stripos($custom_params, 'pipemes')) {
|
||||
$custom_params = '';
|
||||
|
||||
// validate custom params
|
||||
foreach (explode(' -', $custom_params) as $param){
|
||||
if (str_contains($param, ' ')) {
|
||||
// bad char
|
||||
$_SESSION['return'][] = array(
|
||||
'type' => 'danger',
|
||||
'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
|
||||
'msg' => 'bad character SPACE'
|
||||
);
|
||||
return false;
|
||||
}
|
||||
|
||||
// extract option
|
||||
if (str_contains($param, '=')) $param = explode('=', $param)[0];
|
||||
// remove first char if first char is -
|
||||
if ($param[0] == '-') $param = ltrim($param, $param[0]);
|
||||
|
||||
// check if param is whitelisted
|
||||
if (!in_array(strtolower($param), $GLOBALS["IMAPSYNC_OPTIONS"]["whitelist"])){
|
||||
// bad option
|
||||
$_SESSION['return'][] = array(
|
||||
'type' => 'danger',
|
||||
'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
|
||||
'msg' => 'bad option '. $param
|
||||
);
|
||||
return false;
|
||||
}
|
||||
}
|
||||
if (empty($subfolder2)) {
|
||||
$subfolder2 = "";
|
||||
@ -599,7 +624,16 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
|
||||
ratelimit('edit', 'domain', array('rl_value' => $_data['rl_value'], 'rl_frame' => $_data['rl_frame'], 'object' => $domain));
|
||||
}
|
||||
if (!empty($_data['key_size']) && !empty($_data['dkim_selector'])) {
|
||||
dkim('add', array('key_size' => $_data['key_size'], 'dkim_selector' => $_data['dkim_selector'], 'domains' => $domain));
|
||||
if (!empty($redis->hGet('DKIM_SELECTORS', $domain))) {
|
||||
$_SESSION['return'][] = array(
|
||||
'type' => 'success',
|
||||
'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
|
||||
'msg' => 'domain_add_dkim_available'
|
||||
);
|
||||
}
|
||||
else {
|
||||
dkim('add', array('key_size' => $_data['key_size'], 'dkim_selector' => $_data['dkim_selector'], 'domains' => $domain));
|
||||
}
|
||||
}
|
||||
if (!empty($restart_sogo)) {
|
||||
$restart_response = json_decode(docker('post', 'sogo-mailcow', 'restart'), true);
|
||||
@ -929,7 +963,16 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
|
||||
ratelimit('edit', 'domain', array('rl_value' => $_data['rl_value'], 'rl_frame' => $_data['rl_frame'], 'object' => $alias_domain));
|
||||
}
|
||||
if (!empty($_data['key_size']) && !empty($_data['dkim_selector'])) {
|
||||
dkim('add', array('key_size' => $_data['key_size'], 'dkim_selector' => $_data['dkim_selector'], 'domains' => $alias_domain));
|
||||
if (!empty($redis->hGet('DKIM_SELECTORS', $alias_domain))) {
|
||||
$_SESSION['return'][] = array(
|
||||
'type' => 'success',
|
||||
'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
|
||||
'msg' => 'domain_add_dkim_available'
|
||||
);
|
||||
}
|
||||
else {
|
||||
dkim('add', array('key_size' => $_data['key_size'], 'dkim_selector' => $_data['dkim_selector'], 'domains' => $alias_domain));
|
||||
}
|
||||
}
|
||||
$_SESSION['return'][] = array(
|
||||
'type' => 'success',
|
||||
@ -1746,8 +1789,34 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
|
||||
);
|
||||
continue;
|
||||
}
|
||||
if (stripos($custom_params, 'pipemess') || stripos($custom_params, 'pipemes')) {
|
||||
$custom_params = '';
|
||||
|
||||
// validate custom params
|
||||
foreach (explode(' -', $custom_params) as $param){
|
||||
if (str_contains($param, ' ')) {
|
||||
// bad char
|
||||
$_SESSION['return'][] = array(
|
||||
'type' => 'danger',
|
||||
'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
|
||||
'msg' => 'bad character SPACE'
|
||||
);
|
||||
return false;
|
||||
}
|
||||
|
||||
// extract option
|
||||
if (str_contains($param, '=')) $param = explode('=', $param)[0];
|
||||
// remove first char if first char is -
|
||||
if ($param[0] == '-') $param = ltrim($param, $param[0]);
|
||||
|
||||
// check if param is whitelisted
|
||||
if (!in_array(strtolower($param), $GLOBALS["IMAPSYNC_OPTIONS"]["whitelist"])){
|
||||
// bad option
|
||||
$_SESSION['return'][] = array(
|
||||
'type' => 'danger',
|
||||
'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
|
||||
'msg' => 'bad option '. $param
|
||||
);
|
||||
return false;
|
||||
}
|
||||
}
|
||||
if (empty($subfolder2)) {
|
||||
$subfolder2 = "";
|
||||
|
||||
@ -3,7 +3,7 @@ function init_db_schema() {
|
||||
try {
|
||||
global $pdo;
|
||||
|
||||
$db_version = "20052022_0938";
|
||||
$db_version = "18062022_1153";
|
||||
|
||||
$stmt = $pdo->query("SHOW TABLES LIKE 'versions'");
|
||||
$num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC));
|
||||
@ -440,7 +440,7 @@ function init_db_schema() {
|
||||
"spam_score" => "TINYINT(1) NOT NULL DEFAULT '1'",
|
||||
"spam_policy" => "TINYINT(1) NOT NULL DEFAULT '1'",
|
||||
"delimiter_action" => "TINYINT(1) NOT NULL DEFAULT '1'",
|
||||
"syncjobs" => "TINYINT(1) NOT NULL DEFAULT '1'",
|
||||
"syncjobs" => "TINYINT(1) NOT NULL DEFAULT '0'",
|
||||
"eas_reset" => "TINYINT(1) NOT NULL DEFAULT '1'",
|
||||
"sogo_profile_reset" => "TINYINT(1) NOT NULL DEFAULT '0'",
|
||||
"pushover" => "TINYINT(1) NOT NULL DEFAULT '1'",
|
||||
@ -1228,8 +1228,17 @@ function init_db_schema() {
|
||||
}
|
||||
|
||||
// Mitigate imapsync pipemess issue
|
||||
$pdo->query("UPDATE `imapsync` SET `custom_params` = '' WHERE `custom_params` LIKE '%pipemess%' OR `custom_params` LIKE '%pipemes%';");
|
||||
|
||||
$pdo->query("UPDATE `imapsync` SET `custom_params` = ''
|
||||
WHERE `custom_params` LIKE '%pipemess%'
|
||||
OR custom_params LIKE '%skipmess%'
|
||||
OR custom_params LIKE '%delete2foldersonly%'
|
||||
OR custom_params LIKE '%delete2foldersbutnot%'
|
||||
OR custom_params LIKE '%regexflag%'
|
||||
OR custom_params LIKE '%pipemess%'
|
||||
OR custom_params LIKE '%regextrans2%'
|
||||
OR custom_params LIKE '%maxlinelengthcmd%';");
|
||||
|
||||
|
||||
// Migrate webauthn tfa
|
||||
$stmt = $pdo->query("ALTER TABLE `tfa` MODIFY COLUMN `authmech` ENUM('yubi_otp', 'u2f', 'hotp', 'totp', 'webauthn')");
|
||||
|
||||
|
||||
@ -228,3 +228,135 @@ $RSPAMD_MAPS = array(
|
||||
'Monitoring Hosts' => 'monitoring_nolog.map'
|
||||
)
|
||||
);
|
||||
|
||||
|
||||
$IMAPSYNC_OPTIONS = array(
|
||||
'whitelist' => array(
|
||||
'log',
|
||||
'showpasswords',
|
||||
'nossl1',
|
||||
'nossl2',
|
||||
'ssl2',
|
||||
'notls1',
|
||||
'notls2',
|
||||
'tls2',
|
||||
'debugssl',
|
||||
'sslargs1',
|
||||
'sslargs2',
|
||||
'authmech1',
|
||||
'authmech2',
|
||||
'authuser1',
|
||||
'authuser2',
|
||||
'proxyauth1',
|
||||
'proxyauth2',
|
||||
'authmd51',
|
||||
'authmd52',
|
||||
'domain1',
|
||||
'domain2',
|
||||
'oauthaccesstoken1',
|
||||
'oauthaccesstoken2',
|
||||
'oauthdirect1',
|
||||
'oauthdirect2',
|
||||
'folder',
|
||||
'folder',
|
||||
'folderrec',
|
||||
'folderrec',
|
||||
'folderfirst',
|
||||
'folderfirst',
|
||||
'folderlast',
|
||||
'folderlast',
|
||||
'nomixfolders',
|
||||
'skipemptyfolders',
|
||||
'include',
|
||||
'include',
|
||||
'subfolder1',
|
||||
'subscribed',
|
||||
'subscribe',
|
||||
'prefix1',
|
||||
'prefix2',
|
||||
'sep1',
|
||||
'sep2',
|
||||
'nofoldersizesatend',
|
||||
'justfoldersizes',
|
||||
'pidfile',
|
||||
'pidfilelocking',
|
||||
'nolog',
|
||||
'logfile',
|
||||
'logdir',
|
||||
'debugcrossduplicates',
|
||||
'disarmreadreceipts',
|
||||
'truncmess',
|
||||
'synclabels',
|
||||
'resynclabels',
|
||||
'resyncflags',
|
||||
'noresyncflags',
|
||||
'filterbuggyflags',
|
||||
'expunge1',
|
||||
'noexpunge1',
|
||||
'delete1emptyfolders',
|
||||
'delete2folders',
|
||||
'noexpunge2',
|
||||
'nouidexpunge2',
|
||||
'syncinternaldates',
|
||||
'idatefromheader',
|
||||
'maxsize',
|
||||
'minsize',
|
||||
'minage',
|
||||
'search',
|
||||
'search1',
|
||||
'search2',
|
||||
'noabletosearch',
|
||||
'noabletosearch1',
|
||||
'noabletosearch2',
|
||||
'maxlinelength',
|
||||
'useheader',
|
||||
'useheader',
|
||||
'syncduplicates',
|
||||
'usecache',
|
||||
'nousecache',
|
||||
'useuid',
|
||||
'syncacls',
|
||||
'nosyncacls',
|
||||
'debug',
|
||||
'debugfolders',
|
||||
'debugcontent',
|
||||
'debugflags',
|
||||
'debugimap1',
|
||||
'debugimap2',
|
||||
'debugimap',
|
||||
'debugmemory',
|
||||
'errorsmax',
|
||||
'tests',
|
||||
'testslive',
|
||||
'testslive6',
|
||||
'gmail1',
|
||||
'gmail2',
|
||||
'office1',
|
||||
'office2',
|
||||
'exchange1',
|
||||
'exchange2',
|
||||
'domino1',
|
||||
'domino2',
|
||||
'keepalive1',
|
||||
'keepalive2',
|
||||
'maxmessagespersecond',
|
||||
'maxbytesafter',
|
||||
'maxsleep',
|
||||
'abort',
|
||||
'exitwhenover',
|
||||
'noid',
|
||||
'justconnect',
|
||||
'justlogin',
|
||||
'justfolders'
|
||||
),
|
||||
'blacklist' => array(
|
||||
'skipmess',
|
||||
'delete2foldersonly',
|
||||
'delete2foldersbutnot',
|
||||
'regexflag',
|
||||
'regexmess',
|
||||
'pipemess',
|
||||
'regextrans2',
|
||||
'maxlinelengthcmd'
|
||||
)
|
||||
);
|
||||
|
||||
@ -921,6 +921,7 @@
|
||||
"deleted_syncjob": "Sync-Jobs-ID %s gelöscht",
|
||||
"deleted_syncjobs": "Sync-Jobs gelöscht: %s",
|
||||
"dkim_added": "DKIM-Key %s wurde hinzugefügt",
|
||||
"domain_add_dkim_available": "Ein DKIM-Key existierte bereits",
|
||||
"dkim_duplicated": "DKIM-Key der Domain %s wurde auf Domain %s kopiert",
|
||||
"dkim_removed": "DKIM-Key %s wurde entfernt",
|
||||
"domain_added": "Domain %s wurde angelegt",
|
||||
|
||||
@ -928,6 +928,7 @@
|
||||
"deleted_syncjob": "Deleted syncjob ID %s",
|
||||
"deleted_syncjobs": "Deleted syncjobs: %s",
|
||||
"dkim_added": "DKIM key %s has been saved",
|
||||
"domain_add_dkim_available": "A DKIM key did already exist",
|
||||
"dkim_duplicated": "DKIM key for domain %s has been copied to %s",
|
||||
"dkim_removed": "DKIM key %s has been removed",
|
||||
"domain_added": "Added domain %s",
|
||||
|
||||
@ -19,7 +19,8 @@
|
||||
"syncjobs": "Trabajos de sincronización",
|
||||
"tls_policy": "Póliza de TLS",
|
||||
"unlimited_quota": "Cuota ilimitada para buzones",
|
||||
"app_passwds": "Gestionar las contraseñas de aplicaciones"
|
||||
"app_passwds": "Gestionar las contraseñas de aplicaciones",
|
||||
"domain_desc": "Cambiar descripción del dominio"
|
||||
},
|
||||
"add": {
|
||||
"activate_filter_warn": "Todos los demás filtros se desactivarán cuando este filtro se active.",
|
||||
|
||||
@ -377,8 +377,8 @@ services:
|
||||
- ./data/conf/rspamd/meta_exporter:/meta_exporter:ro,z
|
||||
- sogo-web-vol-1:/usr/lib/GNUstep/SOGo/
|
||||
ports:
|
||||
- "${HTTPS_BIND:-0.0.0.0}:${HTTPS_PORT:-443}:${HTTPS_PORT:-443}"
|
||||
- "${HTTP_BIND:-0.0.0.0}:${HTTP_PORT:-80}:${HTTP_PORT:-80}"
|
||||
- "${HTTPS_BIND:-}:${HTTPS_PORT:-443}:${HTTPS_PORT:-443}"
|
||||
- "${HTTP_BIND:-}:${HTTP_PORT:-80}:${HTTP_PORT:-80}"
|
||||
restart: always
|
||||
networks:
|
||||
mailcow-network:
|
||||
|
||||
@ -25,29 +25,10 @@ if cp --help 2>&1 | grep -q -i "busybox"; then
|
||||
exit 1
|
||||
fi
|
||||
|
||||
for bin in openssl curl docker git awk sha1sum; do
|
||||
for bin in openssl curl docker docker-compose git awk sha1sum; do
|
||||
if [[ -z $(which ${bin}) ]]; then echo "Cannot find ${bin}, exiting..."; exit 1; fi
|
||||
done
|
||||
|
||||
echo "checking docker compose version...";
|
||||
if docker compose >/dev/null 2>&1; then
|
||||
echo -e "\e[32mFound Compose v2!\e[0m"
|
||||
elif docker-compose version --short | grep -m1 "^2" > /dev/null 2>&1; then
|
||||
echo -e "\e[32mFound Compose v2!\e[0m"
|
||||
COMPOSE_COMMAND="docker-compose"
|
||||
elif docker-compose version --short | grep -m1 "^1" > /dev/null 2>&1; then
|
||||
echo -e "\e[33mWARN: Your machine is using Docker-Compose v1!\e[0m"
|
||||
echo -e "\e[33mmailcow will drop the Docker-Compose v1 Support in December 2022\e[0m"
|
||||
echo -e "\e[33mPlease consider a upgrade to Docker-Compose v2.\e[0m"
|
||||
echo
|
||||
echo
|
||||
echo -e "\e[33mContinuing...\e[0m"
|
||||
sleep 3
|
||||
else
|
||||
echo -e "\e[31mCannot find Docker-Compose v1 or v2 on your System. Please install Docker-Compose v2 and re-run the Script.\e[0m"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ -f mailcow.conf ]; then
|
||||
read -r -p "A config file exists and will be overwritten, are you sure you want to continue? [y/N] " response
|
||||
case $response in
|
||||
|
||||
@ -77,33 +77,13 @@ function preflight_local_checks() {
|
||||
exit 1
|
||||
fi
|
||||
|
||||
for bin in rsync docker grep cut; do
|
||||
for bin in rsync docker docker-compose grep cut; do
|
||||
if [[ -z $(which ${bin}) ]]; then
|
||||
>&2 echo -e "\e[31mCannot find ${bin} in local PATH, exiting...\e[0m"
|
||||
exit 1
|
||||
fi
|
||||
done
|
||||
|
||||
|
||||
echo "checking docker compose version...";
|
||||
if docker compose >/dev/null 2>&1; then
|
||||
echo -e "\e[32mFound Compose v2 on local machine!\e[0m"
|
||||
elif docker-compose version --short | grep -m1 "^2" > /dev/null 2>&1; then
|
||||
echo -e "\e[32mFound Compose v2!\e[0m"
|
||||
COMPOSE_COMMAND="docker-compose"
|
||||
elif docker-compose version --short | grep -m1 "^1" > /dev/null 2>&1; then
|
||||
echo -e "\e[33mWARN: Your machine is using Docker-Compose v1!\e[0m"
|
||||
echo -e "\e[33mmailcow will drop the Docker-Compose v1 Support in December 2022\e[0m"
|
||||
echo -e "\e[33mPlease consider a upgrade to Docker-Compose v2.\e[0m"
|
||||
echo
|
||||
echo
|
||||
echo -e "\e[33mContinuing...\e[0m"
|
||||
sleep 3
|
||||
else
|
||||
echo -e "\e[31mCannot find Docker-Compose v1 or v2 on your System. Please install Docker-Compose v2 and re-run the Script.\e[0m"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if grep --help 2>&1 | head -n 1 | grep -q -i "busybox"; then
|
||||
echo -e "\e[31mBusyBox grep detected on local system, please install GNU grep\e[0m"
|
||||
exit 1
|
||||
@ -131,7 +111,7 @@ function preflight_remote_checks() {
|
||||
exit 1
|
||||
fi
|
||||
|
||||
for bin in rsync docker; do
|
||||
for bin in rsync docker docker-compose; do
|
||||
if ! ssh -o StrictHostKeyChecking=no \
|
||||
-i "${REMOTE_SSH_KEY}" \
|
||||
${REMOTE_SSH_HOST} \
|
||||
@ -141,39 +121,6 @@ function preflight_remote_checks() {
|
||||
exit 1
|
||||
fi
|
||||
done
|
||||
|
||||
echo "checking docker compose version on remote...";
|
||||
if ssh -q -o StrictHostKeyChecking=no \
|
||||
-i "${REMOTE_SSH_KEY}" \
|
||||
${REMOTE_SSH_HOST} \
|
||||
-p ${REMOTE_SSH_PORT} \
|
||||
-t 'docker compose' >/dev/null 2>&1; then
|
||||
echo -e "\e[32mFound Compose v2 on remote!\e[0m"
|
||||
COMPOSE_COMMAND="docker compose"
|
||||
elif ssh -q -o StrictHostKeyChecking=no \
|
||||
-i "${REMOTE_SSH_KEY}" \
|
||||
${REMOTE_SSH_HOST} \
|
||||
-p ${REMOTE_SSH_PORT} \
|
||||
-t 'docker-compose version --short' | grep -m1 "^2" > /dev/null 2>&1; then
|
||||
echo -e "\e[32mFound Compose v2!\e[0m"
|
||||
COMPOSE_COMMAND="docker-compose"
|
||||
elif ssh -q -o StrictHostKeyChecking=no \
|
||||
-i "${REMOTE_SSH_KEY}" \
|
||||
${REMOTE_SSH_HOST} \
|
||||
-p ${REMOTE_SSH_PORT} \
|
||||
-t 'docker-compose version --short' | grep -m1 "^1" > /dev/null 2>&1; then
|
||||
echo -e "\e[33mWARN: The remote is using Docker-Compose v1!\e[0m"
|
||||
echo -e "\e[33mmailcow will drop the Docker-Compose v1 Support in December 2022\e[0m"
|
||||
echo -e "\e[33mPlease consider a upgrade to Docker-Compose v2 on remote.\e[0m"
|
||||
echo
|
||||
echo
|
||||
echo -e "\e[33mContinuing...\e[0m"
|
||||
sleep 3
|
||||
COMPOSE_COMMAND="docker-compose"
|
||||
else
|
||||
echo -e "\e[31mCannot find Docker-Compose v1 or v2 on the Remote Machine! Please install Docker-Compose v2 on that and re-run the script.\e[0m"
|
||||
exit 1
|
||||
fi
|
||||
}
|
||||
|
||||
preflight_local_checks
|
||||
@ -311,7 +258,7 @@ echo "OK"
|
||||
-i "${REMOTE_SSH_KEY}" \
|
||||
${REMOTE_SSH_HOST} \
|
||||
-p ${REMOTE_SSH_PORT} \
|
||||
$COMPOSE_COMMAND -f "${SCRIPT_DIR}/../docker-compose.yml" pull --no-parallel --quiet 2>&1 ; then
|
||||
docker-compose -f "${SCRIPT_DIR}/../docker-compose.yml" pull --no-parallel --quiet 2>&1 ; then
|
||||
>&2 echo -e "\e[31m[ERR]\e[0m - Could not pull images on remote"
|
||||
fi
|
||||
|
||||
|
||||
@ -76,26 +76,12 @@ else
|
||||
CMPS_PRJ=$(echo ${COMPOSE_PROJECT_NAME} | tr -cd "[0-9A-Za-z-_]")
|
||||
fi
|
||||
|
||||
echo "checking docker compose version...";
|
||||
if docker compose >/dev/null 2>&1; then
|
||||
echo -e "\e[32mFound Compose v2!\e[0m"
|
||||
COMPOSE_COMMAND="docker compose"
|
||||
elif docker-compose version --short | grep -m1 "^2" > /dev/null 2>&1; then
|
||||
echo -e "\e[32mFound Compose v2!\e[0m"
|
||||
COMPOSE_COMMAND="docker-compose"
|
||||
elif docker-compose version --short | grep -m1 "^1" > /dev/null 2>&1; then
|
||||
echo -e "\e[33mWARN: Your machine is using Docker-Compose v1!\e[0m"
|
||||
echo -e "\e[33mmailcow will drop the Docker-Compose v1 Support in December 2022\e[0m"
|
||||
echo -e "\e[33mPlease consider a upgrade to Docker-Compose v2.\e[0m"
|
||||
echo
|
||||
echo
|
||||
echo -e "\e[33mContinuing...\e[0m"
|
||||
sleep 3
|
||||
COMPOSE_COMMAND="docker-compose"
|
||||
else
|
||||
echo -e "\e[31mCannot find Docker-Compose v1 or v2 on your System. Please install Docker-Compose v2 and re-run the Script.\e[0m"
|
||||
exit 1
|
||||
fi
|
||||
for bin in docker docker-compose; do
|
||||
if [[ -z $(which ${bin}) ]]; then
|
||||
>&2 echo -e "\e[31mCannot find ${bin} in local PATH, exiting...\e[0m"
|
||||
exit 1
|
||||
fi
|
||||
done
|
||||
|
||||
if grep --help 2>&1 | head -n 1 | grep -q -i "busybox"; then
|
||||
>&2 echo -e "\e[31mBusyBox grep detected on local system, please install GNU grep\e[0m"
|
||||
@ -253,7 +239,7 @@ function restore() {
|
||||
continue
|
||||
else
|
||||
echo "Stopping mailcow..."
|
||||
${COMPOSE_COMMAND} -f ${COMPOSE_FILE} --env-file ${ENV_FILE} down
|
||||
docker-compose -f ${COMPOSE_FILE} --env-file ${ENV_FILE} down
|
||||
fi
|
||||
#docker stop $(docker ps -qf name=mysql-mailcow)
|
||||
if [[ -d "${RESTORE_LOCATION}/mysql" ]]; then
|
||||
@ -291,7 +277,7 @@ function restore() {
|
||||
sed -i --follow-symlinks "/DBROOT/c\DBROOT=${DBROOT}" ${SCRIPT_DIR}/../mailcow.conf
|
||||
source ${SCRIPT_DIR}/../mailcow.conf
|
||||
echo "Starting mailcow..."
|
||||
${COMPOSE_COMMAND} -f ${COMPOSE_FILE} --env-file ${ENV_FILE} up -d
|
||||
docker-compose -f ${COMPOSE_FILE} --env-file ${ENV_FILE} up -d
|
||||
#docker start $(docker ps -aqf name=mysql-mailcow)
|
||||
fi
|
||||
;;
|
||||
|
||||
140
update.sh
140
update.sh
@ -41,30 +41,21 @@ PATH=$PATH:/opt/bin
|
||||
umask 0022
|
||||
|
||||
for bin in curl docker git awk sha1sum; do
|
||||
if [[ -z $(which ${bin}) ]]; then echo "Cannot find ${bin}, exiting..."; exit 1; fi
|
||||
if [[ -z $(which ${bin}) ]]; then
|
||||
echo "Cannot find ${bin}, exiting..."
|
||||
exit 1;
|
||||
elif [[ -z $(which docker-compose) ]]; then
|
||||
echo "Cannot find docker-compose Standalone. Installing..."
|
||||
sleep 3
|
||||
if [[ -e /etc/alpine-release ]]; then
|
||||
echo -e "\e[33mNot installing latest docker-compose, because you are using Alpine Linux without glibc support. Install docker-compose via apk!\e[0m"
|
||||
exit 1
|
||||
fi
|
||||
curl -#L https://github.com/docker/compose/releases/download/v$(curl -Ls https://www.servercow.de/docker-compose/latest.php)/docker-compose-$(uname -s)-$(uname -m) > /usr/local/bin/docker-compose
|
||||
chmod +x /usr/local/bin/docker-compose
|
||||
fi
|
||||
done
|
||||
|
||||
|
||||
echo "checking docker compose version...";
|
||||
if docker compose >/dev/null 2>&1; then
|
||||
echo -e "\e[32mFound Compose v2!\e[0m"
|
||||
COMPOSE_COMMAND="docker compose"
|
||||
elif docker-compose version --short | grep -m1 "^2" > /dev/null 2>&1; then
|
||||
echo -e "\e[32mFound Compose v2!\e[0m"
|
||||
COMPOSE_COMMAND="docker-compose"
|
||||
elif docker-compose version --short | grep -m1 "^1" > /dev/null 2>&1; then
|
||||
echo -e "\e[33mWARN: Your machine is using Docker-Compose v1!\e[0m"
|
||||
echo -e "\e[33mmailcow will drop the Docker-Compose v1 Support in December 2022\e[0m"
|
||||
echo -e "\e[33mPlease consider a upgrade to Docker-Compose v2.\e[0m"
|
||||
echo
|
||||
echo
|
||||
echo -e "\e[33mContinuing...\e[0m"
|
||||
sleep 3
|
||||
COMPOSE_COMMAND="docker-compose"
|
||||
else
|
||||
echo -e "\e[31mCannot find Docker-Compose v1 or v2 on your System. Please install Docker-Compose v2 and re-run the Script.\e[0m"
|
||||
exit 1
|
||||
fi
|
||||
export LC_ALL=C
|
||||
DATE=$(date +%Y-%m-%d_%H_%M_%S)
|
||||
BRANCH=$(cd ${SCRIPT_DIR}; git rev-parse --abbrev-ref HEAD)
|
||||
@ -218,6 +209,70 @@ migrate_docker_nat() {
|
||||
fi
|
||||
}
|
||||
|
||||
remove_obsolete_nginx_ports() {
|
||||
# Removing obsolete docker-compose.override.yml
|
||||
for override in docker-compose.override.yml docker-compose.override.yaml; do
|
||||
if [ -s $override ] ; then
|
||||
if cat $override | grep nginx-mailcow > /dev/null 2>&1; then
|
||||
if cat $override | grep -w [::] > /dev/null 2>&1; then
|
||||
if cat $override | grep -w 80:80 > /dev/null 2>&1 && cat $override | grep -w 443:443 > /dev/null 2>&1 ; then
|
||||
sed -i '/nginx-mailcow:$/,/^$/d' $override
|
||||
echo -e "\e[33mRemoved obsolete NGINX IPv6 Bind from override File.\e[0m"
|
||||
if [[ "$(cat $override | sed '/^\s*$/d' | wc -l)" == "2" ]]; then
|
||||
mv $override ${override}_backup
|
||||
echo -e "\e[31m${override} is empty. Renamed it to ensure mailcow is startable.\e[0m"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
update_compose(){
|
||||
if [[ ${NO_UPDATE_COMPOSE} == "y" ]]; then
|
||||
echo -e "\e[33mNot fetching latest docker-compose, please check for updates manually!\e[0m"
|
||||
return 0
|
||||
elif [[ -e /etc/alpine-release ]]; then
|
||||
echo -e "\e[33mNot fetching latest docker-compose, because you are using Alpine Linux without glibc support. Please update docker-compose via apk!\e[0m"
|
||||
return 0
|
||||
else
|
||||
echo -e "\e[32mFetching new docker-compose version...\e[0m"
|
||||
echo -e "\e[32mTrying to determine GLIBC version...\e[0m"
|
||||
if ldd --version > /dev/null; then
|
||||
GLIBC_V=$(ldd --version | grep -E '(GLIBC|GNU libc)' | rev | cut -d ' ' -f1 | rev | cut -d '.' -f2)
|
||||
if [ ! -z "${GLIBC_V}" ] && [ ${GLIBC_V} -gt 27 ]; then
|
||||
DC_DL_SUFFIX=
|
||||
else
|
||||
DC_DL_SUFFIX=legacy
|
||||
fi
|
||||
else
|
||||
DC_DL_SUFFIX=legacy
|
||||
fi
|
||||
sleep 1
|
||||
if [[ ! -z $(which pip) && $(pip list --local 2>&1 | grep -v DEPRECATION | grep -c docker-compose) == 1 ]]; then
|
||||
true
|
||||
#prevent breaking a working docker-compose installed with pip
|
||||
elif [[ $(curl -sL -w "%{http_code}" https://www.servercow.de/docker-compose/latest.php?vers=${DC_DL_SUFFIX} -o /dev/null) == "200" ]]; then
|
||||
LATEST_COMPOSE=$(curl -#L https://www.servercow.de/docker-compose/latest.php)
|
||||
COMPOSE_VERSION=$(docker-compose version --short)
|
||||
if [[ "$LATEST_COMPOSE" != "$COMPOSE_VERSION" ]]; then
|
||||
COMPOSE_PATH=$(which docker-compose)
|
||||
if [[ -w ${COMPOSE_PATH} ]]; then
|
||||
curl -#L https://github.com/docker/compose/releases/download/v${LATEST_COMPOSE}/docker-compose-$(uname -s)-$(uname -m) > $COMPOSE_PATH
|
||||
chmod +x $COMPOSE_PATH
|
||||
else
|
||||
echo -e "\e[33mWARNING: $COMPOSE_PATH is not writable, but new version $LATEST_COMPOSE is available (installed: $COMPOSE_VERSION)\e[0m"
|
||||
return 1
|
||||
fi
|
||||
fi
|
||||
else
|
||||
echo -e "\e[33mCannot determine latest docker-compose version, skipping...\e[0m"
|
||||
return 1
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
while (($#)); do
|
||||
case "${1}" in
|
||||
--check|-c)
|
||||
@ -256,6 +311,9 @@ while (($#)); do
|
||||
echo -e "\e[32mRunning in forced mode...\e[0m"
|
||||
FORCE=y
|
||||
;;
|
||||
--no-update-compose)
|
||||
NO_UPDATE_COMPOSE=y
|
||||
;;
|
||||
--skip-ping-check)
|
||||
SKIP_PING_CHECK=y
|
||||
;;
|
||||
@ -265,6 +323,7 @@ while (($#)); do
|
||||
-c|--check - Check for updates and exit (exit codes => 0: update available, 3: no updates)
|
||||
--ours - Use merge strategy option "ours" to solve conflicts in favor of non-mailcow code (local changes over remote changes), not recommended!
|
||||
--gc - Run garbage collector to delete old image tags
|
||||
--no-update-compose - Do not update docker-compose
|
||||
--prefetch - Only prefetch new images and exit (useful to prepare updates)
|
||||
--skip-start - Do not start mailcow after update
|
||||
--skip-ping-check - Skip ICMP Check to public DNS resolvers (Use it only if you´ve blocked any ICMP Connections to your mailcow machine).
|
||||
@ -281,7 +340,7 @@ source mailcow.conf
|
||||
DOTS=${MAILCOW_HOSTNAME//[^.]};
|
||||
if [ ${#DOTS} -lt 2 ]; then
|
||||
echo "MAILCOW_HOSTNAME (${MAILCOW_HOSTNAME}) is not a FQDN!"
|
||||
echo "Please change it to a FQDN and run ${COMPOSE_COMMAND} down followed by ${COMPOSE_COMMAND} up -d"
|
||||
echo "Please change it to a FQDN and run docker-compose down followed by docker-compose up -d"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
@ -570,7 +629,7 @@ fi
|
||||
echo -e "\e[32mChecking for newer update script...\e[0m"
|
||||
SHA1_1=$(sha1sum update.sh)
|
||||
git fetch origin #${BRANCH}
|
||||
git checkout origin/${BRANCH} update.sh
|
||||
git checkout origin/${BRANCH} update.sh docker-compose.yml
|
||||
SHA1_2=$(sha1sum update.sh)
|
||||
if [[ ${SHA1_1} != ${SHA1_2} ]]; then
|
||||
echo "update.sh changed, please run this script again, exiting."
|
||||
@ -594,14 +653,18 @@ if [ ! $FORCE ]; then
|
||||
migrate_docker_nat
|
||||
fi
|
||||
|
||||
update_compose
|
||||
|
||||
remove_obsolete_nginx_ports
|
||||
|
||||
echo -e "\e[32mValidating docker-compose stack configuration...\e[0m"
|
||||
if ! ${COMPOSE_COMMAND} config -q; then
|
||||
if ! docker-compose config -q; then
|
||||
echo -e "\e[31m\nOh no, something went wrong. Please check the error message above.\e[0m"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo -e "\e[32mChecking for conflicting bridges...\e[0m"
|
||||
MAILCOW_BRIDGE=$(${COMPOSE_COMMAND} config | grep -i com.docker.network.bridge.name | cut -d':' -f2)
|
||||
MAILCOW_BRIDGE=$(docker-compose config | grep -i com.docker.network.bridge.name | cut -d':' -f2)
|
||||
while read NAT_ID; do
|
||||
iptables -t nat -D POSTROUTING $NAT_ID
|
||||
done < <(iptables -L -vn -t nat --line-numbers | grep $IPV4_NETWORK | grep -E 'MASQUERADE.*all' | grep -v ${MAILCOW_BRIDGE} | cut -d' ' -f1)
|
||||
@ -621,8 +684,8 @@ prefetch_images
|
||||
|
||||
echo -e "\e[32mStopping mailcow...\e[0m"
|
||||
sleep 2
|
||||
MAILCOW_CONTAINERS=($(${COMPOSE_COMMAND} ps -q))
|
||||
${COMPOSE_COMMAND} down
|
||||
MAILCOW_CONTAINERS=($(docker-compose ps -q))
|
||||
docker-compose down
|
||||
echo -e "\e[32mChecking for remaining containers...\e[0m"
|
||||
sleep 2
|
||||
for container in "${MAILCOW_CONTAINERS[@]}"; do
|
||||
@ -659,16 +722,13 @@ elif [[ ${MERGE_RETURN} == 1 ]]; then
|
||||
elif [[ ${MERGE_RETURN} != 0 ]]; then
|
||||
echo -e "\e[31m\nOh no, something went wrong. Please check the error message above.\e[0m"
|
||||
echo
|
||||
echo "Run ${COMPOSE_COMMAND} up -d to restart your stack without updates or try again after fixing the mentioned errors."
|
||||
echo "Run docker-compose up -d to restart your stack without updates or try again after fixing the mentioned errors."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo -e "\e[33mNot fetching latest docker-compose, please check for updates manually!\e[0m"
|
||||
sleep 3
|
||||
|
||||
echo -e "\e[32mFetching new images, if any...\e[0m"
|
||||
sleep 2
|
||||
${COMPOSE_COMMAND} pull
|
||||
docker-compose pull
|
||||
|
||||
# Fix missing SSL, does not overwrite existing files
|
||||
[[ ! -d data/assets/ssl ]] && mkdir -p data/assets/ssl
|
||||
@ -723,11 +783,11 @@ else
|
||||
fi
|
||||
|
||||
if [[ ${SKIP_START} == "y" ]]; then
|
||||
echo -e "\e[33mNot starting mailcow, please run \"${COMPOSE_COMMAND} up -d --remove-orphans\" to start mailcow.\e[0m"
|
||||
echo -e "\e[33mNot starting mailcow, please run \"docker-compose up -d --remove-orphans\" to start mailcow.\e[0m"
|
||||
else
|
||||
echo -e "\e[32mStarting mailcow...\e[0m"
|
||||
sleep 2
|
||||
${COMPOSE_COMMAND} up -d --remove-orphans
|
||||
docker-compose up -d --remove-orphans
|
||||
fi
|
||||
|
||||
echo -e "\e[32mCollecting garbage...\e[0m"
|
||||
@ -738,8 +798,8 @@ if [ -f "${SCRIPT_DIR}/post_update_hook.sh" ]; then
|
||||
bash "${SCRIPT_DIR}/post_update_hook.sh"
|
||||
fi
|
||||
|
||||
#echo "In case you encounter any problem, hard-reset to a state before updating mailcow:"
|
||||
#echo
|
||||
#git reflog --color=always | grep "Before update on "
|
||||
#echo
|
||||
#echo "Use \"git reset --hard hash-on-the-left\" and run ${COMPOSE_COMMAND} up -d afterwards."
|
||||
# echo "In case you encounter any problem, hard-reset to a state before updating mailcow:"
|
||||
# echo
|
||||
# git reflog --color=always | grep "Before update on "
|
||||
# echo
|
||||
# echo "Use \"git reset --hard hash-on-the-left\" and run docker-compose up -d afterwards."
|
||||
Loading…
Reference in New Issue
Block a user