From 464b6f2e9328b64b0548deba7ab1c9edb096bf62 Mon Sep 17 00:00:00 2001 From: FreddleSpl0it Date: Mon, 5 Feb 2024 09:47:19 +0100 Subject: [PATCH 01/10] [Netfilter] fix redis logs --- data/Dockerfiles/netfilter/main.py | 4 ++-- data/Dockerfiles/netfilter/modules/Logger.py | 7 +++++-- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/data/Dockerfiles/netfilter/main.py b/data/Dockerfiles/netfilter/main.py index f4acd461..62e0dda7 100644 --- a/data/Dockerfiles/netfilter/main.py +++ b/data/Dockerfiles/netfilter/main.py @@ -395,7 +395,7 @@ if __name__ == '__main__': signal.signal(signal.SIGTERM, sigterm_quit) # init Logger - logger = Logger(None) + logger = Logger() # init backend backend = sys.argv[1] @@ -437,7 +437,7 @@ if __name__ == '__main__': time.sleep(3) else: break - Logger.r = r + logger.set_redis(r) # rename fail2ban to netfilter if r.exists('F2B_LOG'): diff --git a/data/Dockerfiles/netfilter/modules/Logger.py b/data/Dockerfiles/netfilter/modules/Logger.py index 2a40de0c..25562965 100644 --- a/data/Dockerfiles/netfilter/modules/Logger.py +++ b/data/Dockerfiles/netfilter/modules/Logger.py @@ -2,7 +2,10 @@ import time import json class Logger: - def __init__(self, redis): + def __init__(self): + self.r = None + + def set_redis(self, redis): self.r = redis def log(self, priority, message): @@ -10,7 +13,7 @@ class Logger: tolog['time'] = int(round(time.time())) tolog['priority'] = priority tolog['message'] = message - if self.r: + if self.r is not None: self.r.lpush('NETFILTER_LOG', json.dumps(tolog, ensure_ascii=False)) print(message) From 77e6ef218c9d5b0ceeb873b43435aee4173cc86c Mon Sep 17 00:00:00 2001 From: FreddleSpl0it Date: Mon, 5 Feb 2024 09:54:16 +0100 Subject: [PATCH 02/10] [Netfilter] Update to 1.57 --- docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-compose.yml b/docker-compose.yml index 26a224b5..17559bed 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -441,7 +441,7 @@ services: - acme netfilter-mailcow: - image: mailcow/netfilter:1.56 + image: mailcow/netfilter:1.57 stop_grace_period: 30s restart: always privileged: true From 38cc85fa4ca08723363c7a672a36383fccf259e2 Mon Sep 17 00:00:00 2001 From: vicente Date: Wed, 7 Feb 2024 15:36:04 +0100 Subject: [PATCH 03/10] set strict=False --- data/Dockerfiles/netfilter/modules/NFTables.py | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/data/Dockerfiles/netfilter/modules/NFTables.py b/data/Dockerfiles/netfilter/modules/NFTables.py index e8e02c47..38b31ebf 100644 --- a/data/Dockerfiles/netfilter/modules/NFTables.py +++ b/data/Dockerfiles/netfilter/modules/NFTables.py @@ -309,8 +309,8 @@ class NFTables: rule_handle = rule["handle"] break - dest_net = ipaddress.ip_network(source_address) - target_net = ipaddress.ip_network(snat_target) + dest_net = ipaddress.ip_network(source_address, strict=False) + target_net = ipaddress.ip_network(snat_target, strict=False) if rule_found: saddr_ip = rule["expr"][0]["match"]["right"]["prefix"]["addr"] @@ -321,9 +321,9 @@ class NFTables: target_ip = rule["expr"][3]["snat"]["addr"] - saddr_net = ipaddress.ip_network(saddr_ip + '/' + str(saddr_len)) - daddr_net = ipaddress.ip_network(daddr_ip + '/' + str(daddr_len)) - current_target_net = ipaddress.ip_network(target_ip) + saddr_net = ipaddress.ip_network(saddr_ip + '/' + str(saddr_len), strict=False) + daddr_net = ipaddress.ip_network(daddr_ip + '/' + str(daddr_len), strict=False) + current_target_net = ipaddress.ip_network(target_ip, strict=False) match = all(( dest_net == saddr_net, @@ -417,7 +417,7 @@ class NFTables: json_command = self.get_base_dict() expr_opt = [] - ipaddr_net = ipaddress.ip_network(ipaddr) + ipaddr_net = ipaddress.ip_network(ipaddr, strict=False) right_dict = {'prefix': {'addr': str(ipaddr_net.network_address), 'len': int(ipaddr_net.prefixlen) } } left_dict = {'payload': {'protocol': _family, 'field': 'saddr'} } @@ -466,7 +466,7 @@ class NFTables: current_rule_net = ipaddress.ip_network(current_rule_ip) # ip to ban - candidate_net = ipaddress.ip_network(ipaddr) + candidate_net = ipaddress.ip_network(ipaddr, strict=False) if current_rule_net == candidate_net: rule_handle = _object["rule"]["handle"] From eb91d9905bc1f4dbdde486e635592bea4ee02726 Mon Sep 17 00:00:00 2001 From: vicente Date: Wed, 7 Feb 2024 15:48:49 +0100 Subject: [PATCH 04/10] fix typpo in chain order message --- data/Dockerfiles/netfilter/modules/NFTables.py | 1 + 1 file changed, 1 insertion(+) diff --git a/data/Dockerfiles/netfilter/modules/NFTables.py b/data/Dockerfiles/netfilter/modules/NFTables.py index 38b31ebf..4cb0110a 100644 --- a/data/Dockerfiles/netfilter/modules/NFTables.py +++ b/data/Dockerfiles/netfilter/modules/NFTables.py @@ -41,6 +41,7 @@ class NFTables: exit_code = 2 if chain_position > 0: + chain_position += 1 self.logger.logCrit(f'MAILCOW target is in position {chain_position} in the {filter_table} {chain} table, restarting container to fix it...') err = True exit_code = 2 From 5a9702771cba4fedbc79331e92ff757f734df58e Mon Sep 17 00:00:00 2001 From: DerLinkman Date: Wed, 7 Feb 2024 17:18:20 +0100 Subject: [PATCH 05/10] [SOGo] Fixed SOGo crash on older kernels < 5.10.0-X --- data/Dockerfiles/sogo/Dockerfile | 4 ++-- docker-compose.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/data/Dockerfiles/sogo/Dockerfile b/data/Dockerfiles/sogo/Dockerfile index a4601c40..59fc6680 100644 --- a/data/Dockerfiles/sogo/Dockerfile +++ b/data/Dockerfiles/sogo/Dockerfile @@ -1,8 +1,8 @@ -FROM debian:bookworm-slim +FROM debian:bullseye-slim LABEL maintainer "The Infrastructure Company GmbH GmbH " ARG DEBIAN_FRONTEND=noninteractive -ARG DEBIAN_VERSION=bookworm +ARG DEBIAN_VERSION=bullseye ARG SOGO_DEBIAN_REPOSITORY=http://www.axis.cz/linux/debian # renovate: datasource=github-releases depName=tianon/gosu versioning=semver-coerced extractVersion=^(?.*)$ ARG GOSU_VERSION=1.17 diff --git a/docker-compose.yml b/docker-compose.yml index 17559bed..b36f45b8 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -175,7 +175,7 @@ services: - phpfpm sogo-mailcow: - image: mailcow/sogo:1.122 + image: mailcow/sogo:1.122.1 environment: - DBNAME=${DBNAME} - DBUSER=${DBUSER} From d08ccbce789880eb81ebebca48d440637ab36983 Mon Sep 17 00:00:00 2001 From: DerLinkman Date: Wed, 7 Feb 2024 17:28:49 +0100 Subject: [PATCH 06/10] dovecot: fix wrong timestamps inside logs --- data/Dockerfiles/dovecot/syslog-ng-redis_slave.conf | 1 + data/Dockerfiles/dovecot/syslog-ng.conf | 1 + 2 files changed, 2 insertions(+) diff --git a/data/Dockerfiles/dovecot/syslog-ng-redis_slave.conf b/data/Dockerfiles/dovecot/syslog-ng-redis_slave.conf index f7fc20b7..51992895 100644 --- a/data/Dockerfiles/dovecot/syslog-ng-redis_slave.conf +++ b/data/Dockerfiles/dovecot/syslog-ng-redis_slave.conf @@ -7,6 +7,7 @@ options { use_fqdn(no); owner("root"); group("adm"); perm(0640); stats(freq(0)); + keep_timestamp(no); bad_hostname("^gconfd$"); }; source s_dgram { diff --git a/data/Dockerfiles/dovecot/syslog-ng.conf b/data/Dockerfiles/dovecot/syslog-ng.conf index fcc13587..3e929e7b 100644 --- a/data/Dockerfiles/dovecot/syslog-ng.conf +++ b/data/Dockerfiles/dovecot/syslog-ng.conf @@ -7,6 +7,7 @@ options { use_fqdn(no); owner("root"); group("adm"); perm(0640); stats(freq(0)); + keep_timestamp(no); bad_hostname("^gconfd$"); }; source s_dgram { From 583c5b48a00bb1f1a61cbc411bc90532fce3ca3b Mon Sep 17 00:00:00 2001 From: DerLinkman Date: Wed, 7 Feb 2024 17:29:36 +0100 Subject: [PATCH 07/10] dovecot: bump to docker image 1.28.1 --- docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-compose.yml b/docker-compose.yml index b36f45b8..0dfd344b 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -222,7 +222,7 @@ services: - sogo dovecot-mailcow: - image: mailcow/dovecot:1.28.1 + image: mailcow/dovecot:1.28.2 depends_on: - mysql-mailcow - netfilter-mailcow From 63bb8e8cefb4afebd50f12a485f6af5d12c98125 Mon Sep 17 00:00:00 2001 From: DerLinkman Date: Thu, 8 Feb 2024 12:23:46 +0100 Subject: [PATCH 08/10] unbound: increase check interval to 30s --- data/Dockerfiles/unbound/Dockerfile | 4 ++-- docker-compose.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/data/Dockerfiles/unbound/Dockerfile b/data/Dockerfiles/unbound/Dockerfile index f56cbc6e..f6d072cc 100644 --- a/data/Dockerfiles/unbound/Dockerfile +++ b/data/Dockerfiles/unbound/Dockerfile @@ -20,10 +20,10 @@ EXPOSE 53/udp 53/tcp COPY docker-entrypoint.sh /docker-entrypoint.sh -# healthcheck (nslookup) +# healthcheck (dig, ping, nc) COPY healthcheck.sh /healthcheck.sh RUN chmod +x /healthcheck.sh -HEALTHCHECK --interval=5s --timeout=30s CMD [ "/healthcheck.sh" ] +HEALTHCHECK --interval=30s --timeout=30s CMD [ "/healthcheck.sh" ] ENTRYPOINT ["/docker-entrypoint.sh"] diff --git a/docker-compose.yml b/docker-compose.yml index 0dfd344b..df545c15 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -2,7 +2,7 @@ version: '2.1' services: unbound-mailcow: - image: mailcow/unbound:1.20 + image: mailcow/unbound:1.21 environment: - TZ=${TZ} - SKIP_UNBOUND_HEALTHCHECK=${SKIP_UNBOUND_HEALTHCHECK:-n} From e184713c67ad0a75d5164237ecd0c97e8a0552aa Mon Sep 17 00:00:00 2001 From: DerLinkman Date: Thu, 8 Feb 2024 13:06:02 +0100 Subject: [PATCH 09/10] added action for support label in issues --- .../workflows/check_if_support_labeled.yml | 37 +++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 .github/workflows/check_if_support_labeled.yml diff --git a/.github/workflows/check_if_support_labeled.yml b/.github/workflows/check_if_support_labeled.yml new file mode 100644 index 00000000..87d93ecb --- /dev/null +++ b/.github/workflows/check_if_support_labeled.yml @@ -0,0 +1,37 @@ +name: Check if labeled support, if so send message and close issue +on: + issues: + types: + - labeled +jobs: + add-comment: + if: github.event.label.name == 'support' + runs-on: ubuntu-latest + permissions: + issues: write + steps: + - name: Add comment + run: gh issue comment "$NUMBER" --body "$BODY" + env: + GH_TOKEN: ${{ secrets.SUPPORTISSUES_ACTION_PAT }} + GH_REPO: ${{ github.repository }} + NUMBER: ${{ github.event.issue.number }} + BODY: | + **THIS IS A AUTOMATED MESSAGE!** + + It seems your issue is not a bug. + Therefore we highly advise you to get support! + + You can get support either by: + - ordering a paid [support contract at Servercow](https://www.servercow.de/mailcow?lang=en#support/) (Directly from the developers) or + - using the [community forum](https://community.mailcow.email) (**Based on volunteers! NO guaranteed answer**) or + - using the [Telegram support channel](https://t.me/mailcow) (**Based on volunteers! NO guaranteed answer**) + + This issue will be closed. If you think your reported issue is not a support case feel free to comment above and if so the issue will reopened. + + - name: Close issue + env: + GH_TOKEN: ${{ secrets.SUPPORTISSUES_ACTION_PAT }} + GH_REPO: ${{ github.repository }} + NUMBER: ${{ github.event.issue.number }} + run: gh issue close "$NUMBER" -r "not planned" \ No newline at end of file From 63426c3cd023922a6e3c5f3aa40c4cc95f1d9fe1 Mon Sep 17 00:00:00 2001 From: DerLinkman Date: Thu, 8 Feb 2024 15:55:26 +0100 Subject: [PATCH 10/10] unbound: remove netcat check & package --- data/Dockerfiles/unbound/Dockerfile | 3 +-- data/Dockerfiles/unbound/healthcheck.sh | 27 ------------------------- 2 files changed, 1 insertion(+), 29 deletions(-) diff --git a/data/Dockerfiles/unbound/Dockerfile b/data/Dockerfiles/unbound/Dockerfile index f6d072cc..3090895b 100644 --- a/data/Dockerfiles/unbound/Dockerfile +++ b/data/Dockerfiles/unbound/Dockerfile @@ -5,7 +5,6 @@ LABEL maintainer "The Infrastructure Company GmbH GmbH " RUN apk add --update --no-cache \ curl \ bind-tools \ - netcat-openbsd \ unbound \ bash \ openssl \ @@ -20,7 +19,7 @@ EXPOSE 53/udp 53/tcp COPY docker-entrypoint.sh /docker-entrypoint.sh -# healthcheck (dig, ping, nc) +# healthcheck (dig, ping) COPY healthcheck.sh /healthcheck.sh RUN chmod +x /healthcheck.sh HEALTHCHECK --interval=30s --timeout=30s CMD [ "/healthcheck.sh" ] diff --git a/data/Dockerfiles/unbound/healthcheck.sh b/data/Dockerfiles/unbound/healthcheck.sh index a96eaab4..8da79bd7 100644 --- a/data/Dockerfiles/unbound/healthcheck.sh +++ b/data/Dockerfiles/unbound/healthcheck.sh @@ -50,27 +50,6 @@ function check_dns() { } -# Simple Netcat Check to connect to common webports -function check_netcat() { - declare -a domains=("mailcow.email" "github.com" "hub.docker.com") - declare -a ports=("80" "443") - - for domain in "${domains[@]}" ; do - for port in "${ports[@]}" ; do - nc -z -w 2 $domain $port - if [ $? -ne 0 ]; then - log_to_file "Healthcheck: Could not reach $domain on Port $port... Gave up!" - log_to_file "Please check your internet connection or firewall rules to fix this error." - return 1 - fi - done - done - - log_to_file "Healthcheck: Netcat Checks WORKING properly!" - return 0 - -} - if [[ ${SKIP_UNBOUND_HEALTHCHECK} == "y" ]]; then log_to_file "Healthcheck: ALL CHECKS WERE SKIPPED! Unbound is healthy!" exit 0 @@ -89,11 +68,5 @@ if [ $? -ne 0 ]; then exit 1 fi -check_netcat - -if [ $? -ne 0 ]; then - exit 1 -fi - log_to_file "Healthcheck: ALL CHECKS WERE SUCCESSFUL! Unbound is healthy!" exit 0 \ No newline at end of file