Gnous/mailcow
2
0
Fork 0
Code Issues Pull Requests 1 Packages Projects Releases Wiki Activity

Merge pull request #5717 from mailcow/staging

Browse Source 
2024-01e
This commit is contained in:
Niklas Meyer 2024-02-08 15:58:47 +01:00 committed by GitHub
commit 8ae762a8c8
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
10 changed files with 62 additions and 47 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
.github/workflows/check_if_support_labeled.yml vendored Normal file
View File

@ -0,0 +1,37 @@
name: Check if labeled support, if so send message and close issue
on:
issues:
types:
- labeled
jobs:
add-comment:
if: github.event.label.name == 'support'
runs-on: ubuntu-latest
permissions:
issues: write
steps:
- name: Add comment
run: gh issue comment "$NUMBER" --body "$BODY"
env:
GH_TOKEN: ${{ secrets.SUPPORTISSUES_ACTION_PAT }}
GH_REPO: ${{ github.repository }}
NUMBER: ${{ github.event.issue.number }}
BODY: |
**THIS IS A AUTOMATED MESSAGE!**
It seems your issue is not a bug.
Therefore we highly advise you to get support!
You can get support either by:
- ordering a paid [support contract at Servercow](https://www.servercow.de/mailcow?lang=en#support/) (Directly from the developers) or
- using the [community forum](https://community.mailcow.email) (**Based on volunteers! NO guaranteed answer**) or
- using the [Telegram support channel](https://t.me/mailcow) (**Based on volunteers! NO guaranteed answer**)
This issue will be closed. If you think your reported issue is not a support case feel free to comment above and if so the issue will reopened.
- name: Close issue
env:
GH_TOKEN: ${{ secrets.SUPPORTISSUES_ACTION_PAT }}
GH_REPO: ${{ github.repository }}
NUMBER: ${{ github.event.issue.number }}
run: gh issue close "$NUMBER" -r "not planned"

1
data/Dockerfiles/dovecot/syslog-ng-redis_slave.conf
View File

@ -7,6 +7,7 @@ options {
use_fqdn(no); use_fqdn(no);
owner("root"); group("adm"); perm(0640); owner("root"); group("adm"); perm(0640);
stats(freq(0)); stats(freq(0));
keep_timestamp(no);
bad_hostname("^gconfd$"); bad_hostname("^gconfd$");
}; };
source s_dgram { source s_dgram {

1
data/Dockerfiles/dovecot/syslog-ng.conf
View File

@ -7,6 +7,7 @@ options {
use_fqdn(no); use_fqdn(no);
owner("root"); group("adm"); perm(0640); owner("root"); group("adm"); perm(0640);
stats(freq(0)); stats(freq(0));
keep_timestamp(no);
bad_hostname("^gconfd$"); bad_hostname("^gconfd$");
}; };
source s_dgram { source s_dgram {

4
data/Dockerfiles/netfilter/main.py
View File

@ -395,7 +395,7 @@ if __name__ == '__main__':
signal.signal(signal.SIGTERM, sigterm_quit) signal.signal(signal.SIGTERM, sigterm_quit)
# init Logger # init Logger
logger = Logger(None) logger = Logger()
# init backend # init backend
backend = sys.argv[1] backend = sys.argv[1]
@ -437,7 +437,7 @@ if __name__ == '__main__':
time.sleep(3) time.sleep(3)
else: else:
break break
Logger.r = r logger.set_redis(r)
# rename fail2ban to netfilter # rename fail2ban to netfilter
if r.exists('F2B_LOG'): if r.exists('F2B_LOG'):

7
data/Dockerfiles/netfilter/modules/Logger.py
View File

@ -2,7 +2,10 @@ import time
import json import json
class Logger: class Logger:
def __init__(self, redis): def __init__(self):
self.r = None
def set_redis(self, redis):
self.r = redis self.r = redis
def log(self, priority, message): def log(self, priority, message):
@ -10,7 +13,7 @@ class Logger:
tolog['time'] = int(round(time.time())) tolog['time'] = int(round(time.time()))
tolog['priority'] = priority tolog['priority'] = priority
tolog['message'] = message tolog['message'] = message
if self.r: if self.r is not None:
self.r.lpush('NETFILTER_LOG', json.dumps(tolog, ensure_ascii=False)) self.r.lpush('NETFILTER_LOG', json.dumps(tolog, ensure_ascii=False))
print(message) print(message)

15
data/Dockerfiles/netfilter/modules/NFTables.py
View File

@ -41,6 +41,7 @@ class NFTables:
exit_code = 2 exit_code = 2
if chain_position > 0: if chain_position > 0:
chain_position += 1
self.logger.logCrit(f'MAILCOW target is in position {chain_position} in the {filter_table} {chain} table, restarting container to fix it...') self.logger.logCrit(f'MAILCOW target is in position {chain_position} in the {filter_table} {chain} table, restarting container to fix it...')
err = True err = True
exit_code = 2 exit_code = 2
@ -309,8 +310,8 @@ class NFTables:
rule_handle = rule["handle"] rule_handle = rule["handle"]
break break
dest_net = ipaddress.ip_network(source_address) dest_net = ipaddress.ip_network(source_address, strict=False)
target_net = ipaddress.ip_network(snat_target) target_net = ipaddress.ip_network(snat_target, strict=False)
if rule_found: if rule_found:
saddr_ip = rule["expr"][0]["match"]["right"]["prefix"]["addr"] saddr_ip = rule["expr"][0]["match"]["right"]["prefix"]["addr"]
@ -321,9 +322,9 @@ class NFTables:
target_ip = rule["expr"][3]["snat"]["addr"] target_ip = rule["expr"][3]["snat"]["addr"]
saddr_net = ipaddress.ip_network(saddr_ip + '/' + str(saddr_len)) saddr_net = ipaddress.ip_network(saddr_ip + '/' + str(saddr_len), strict=False)
daddr_net = ipaddress.ip_network(daddr_ip + '/' + str(daddr_len)) daddr_net = ipaddress.ip_network(daddr_ip + '/' + str(daddr_len), strict=False)
current_target_net = ipaddress.ip_network(target_ip) current_target_net = ipaddress.ip_network(target_ip, strict=False)
match = all(( match = all((
dest_net == saddr_net, dest_net == saddr_net,
@ -417,7 +418,7 @@ class NFTables:
json_command = self.get_base_dict() json_command = self.get_base_dict()
expr_opt = [] expr_opt = []
ipaddr_net = ipaddress.ip_network(ipaddr) ipaddr_net = ipaddress.ip_network(ipaddr, strict=False)
right_dict = {'prefix': {'addr': str(ipaddr_net.network_address), 'len': int(ipaddr_net.prefixlen) } } right_dict = {'prefix': {'addr': str(ipaddr_net.network_address), 'len': int(ipaddr_net.prefixlen) } }
left_dict = {'payload': {'protocol': _family, 'field': 'saddr'} } left_dict = {'payload': {'protocol': _family, 'field': 'saddr'} }
@ -466,7 +467,7 @@ class NFTables:
current_rule_net = ipaddress.ip_network(current_rule_ip) current_rule_net = ipaddress.ip_network(current_rule_ip)
# ip to ban # ip to ban
candidate_net = ipaddress.ip_network(ipaddr) candidate_net = ipaddress.ip_network(ipaddr, strict=False)
if current_rule_net == candidate_net: if current_rule_net == candidate_net:
rule_handle = _object["rule"]["handle"] rule_handle = _object["rule"]["handle"]

4
data/Dockerfiles/sogo/Dockerfile
View File

@ -1,8 +1,8 @@
FROM debian:bookworm-slim FROM debian:bullseye-slim
LABEL maintainer "The Infrastructure Company GmbH GmbH <info@servercow.de>" LABEL maintainer "The Infrastructure Company GmbH GmbH <info@servercow.de>"
ARG DEBIAN_FRONTEND=noninteractive ARG DEBIAN_FRONTEND=noninteractive
ARG DEBIAN_VERSION=bookworm ARG DEBIAN_VERSION=bullseye
ARG SOGO_DEBIAN_REPOSITORY=http://www.axis.cz/linux/debian ARG SOGO_DEBIAN_REPOSITORY=http://www.axis.cz/linux/debian
# renovate: datasource=github-releases depName=tianon/gosu versioning=semver-coerced extractVersion=^(?<version>.*)$ # renovate: datasource=github-releases depName=tianon/gosu versioning=semver-coerced extractVersion=^(?<version>.*)$
ARG GOSU_VERSION=1.17 ARG GOSU_VERSION=1.17

5
data/Dockerfiles/unbound/Dockerfile
View File

@ -5,7 +5,6 @@ LABEL maintainer "The Infrastructure Company GmbH GmbH <info@servercow.de>"
RUN apk add --update --no-cache \ RUN apk add --update --no-cache \
curl \ curl \
bind-tools \ bind-tools \
netcat-openbsd \
unbound \ unbound \
bash \ bash \
openssl \ openssl \
@ -20,10 +19,10 @@ EXPOSE 53/udp 53/tcp
COPY docker-entrypoint.sh /docker-entrypoint.sh COPY docker-entrypoint.sh /docker-entrypoint.sh
# healthcheck (nslookup) # healthcheck (dig, ping)
COPY healthcheck.sh /healthcheck.sh COPY healthcheck.sh /healthcheck.sh
RUN chmod +x /healthcheck.sh RUN chmod +x /healthcheck.sh
HEALTHCHECK --interval=5s --timeout=30s CMD [ "/healthcheck.sh" ] HEALTHCHECK --interval=30s --timeout=30s CMD [ "/healthcheck.sh" ]
ENTRYPOINT ["/docker-entrypoint.sh"] ENTRYPOINT ["/docker-entrypoint.sh"]

27
data/Dockerfiles/unbound/healthcheck.sh
View File

@ -50,27 +50,6 @@ function check_dns() {
} }
# Simple Netcat Check to connect to common webports
function check_netcat() {
declare -a domains=("mailcow.email" "github.com" "hub.docker.com")
declare -a ports=("80" "443")
for domain in "${domains[@]}" ; do
for port in "${ports[@]}" ; do
nc -z -w 2 $domain $port
if [ $? -ne 0 ]; then
log_to_file "Healthcheck: Could not reach $domain on Port $port... Gave up!"
log_to_file "Please check your internet connection or firewall rules to fix this error."
return 1
fi
done
done
log_to_file "Healthcheck: Netcat Checks WORKING properly!"
return 0
}
if [[ ${SKIP_UNBOUND_HEALTHCHECK} == "y" ]]; then if [[ ${SKIP_UNBOUND_HEALTHCHECK} == "y" ]]; then
log_to_file "Healthcheck: ALL CHECKS WERE SKIPPED! Unbound is healthy!" log_to_file "Healthcheck: ALL CHECKS WERE SKIPPED! Unbound is healthy!"
exit 0 exit 0
@ -89,11 +68,5 @@ if [ $? -ne 0 ]; then
exit 1 exit 1
fi fi
check_netcat
if [ $? -ne 0 ]; then
exit 1
fi
log_to_file "Healthcheck: ALL CHECKS WERE SUCCESSFUL! Unbound is healthy!" log_to_file "Healthcheck: ALL CHECKS WERE SUCCESSFUL! Unbound is healthy!"
exit 0 exit 0

8
docker-compose.yml
View File

@ -2,7 +2,7 @@ version: '2.1'
services: services:
unbound-mailcow: unbound-mailcow:
image: mailcow/unbound:1.20 image: mailcow/unbound:1.21
environment: environment:
- TZ=${TZ} - TZ=${TZ}
- SKIP_UNBOUND_HEALTHCHECK=${SKIP_UNBOUND_HEALTHCHECK:-n} - SKIP_UNBOUND_HEALTHCHECK=${SKIP_UNBOUND_HEALTHCHECK:-n}
@ -175,7 +175,7 @@ services:
- phpfpm - phpfpm
sogo-mailcow: sogo-mailcow:
image: mailcow/sogo:1.122 image: mailcow/sogo:1.122.1
environment: environment:
- DBNAME=${DBNAME} - DBNAME=${DBNAME}
- DBUSER=${DBUSER} - DBUSER=${DBUSER}
@ -222,7 +222,7 @@ services:
- sogo - sogo
dovecot-mailcow: dovecot-mailcow:
image: mailcow/dovecot:1.28.1 image: mailcow/dovecot:1.28.2
depends_on: depends_on:
- mysql-mailcow - mysql-mailcow
- netfilter-mailcow - netfilter-mailcow
@ -441,7 +441,7 @@ services:
- acme - acme
netfilter-mailcow: netfilter-mailcow:
image: mailcow/netfilter:1.56 image: mailcow/netfilter:1.57
stop_grace_period: 30s stop_grace_period: 30s
restart: always restart: always
privileged: true privileged: true