From ea1a02bd7d0bbc84291cf3a647fa13bc5b599522 Mon Sep 17 00:00:00 2001 From: El-Virus <36414402+El-Virus@users.noreply.github.com> Date: Sun, 26 Dec 2021 17:11:06 +0100 Subject: [PATCH 001/115] Fix "The operation is insecure." when trying to register fido2 device. navigator.credentials.create(); Doesn't accept a port in the "id" parameter. So, when trying to register a fido2 device via WebAuthn throws: "The operation is insecure." on firefox and "The relying party ID is not a registrable domain suffix of, nor equal to the current domain." on Chrome or Edge. This commit replaces `$_SERVER['HTTP_HOST']` with `$_SERVER['SERVER_NAME']` when initializing `$WebAuthn` which excludes the port to formulate correct requests. Now Mailcow allows the registration of fido2 devices when running in a non-standard port(eg. 443). --- data/web/inc/prerequisites.inc.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/web/inc/prerequisites.inc.php b/data/web/inc/prerequisites.inc.php index a5eb2c80..95a9c63b 100644 --- a/data/web/inc/prerequisites.inc.php +++ b/data/web/inc/prerequisites.inc.php @@ -60,7 +60,7 @@ $tfa = new RobThree\Auth\TwoFactorAuth($OTP_LABEL, 6, 30, 'sha1', $qrprovider); // FIDO2 $formats = $GLOBALS['FIDO2_FORMATS']; -$WebAuthn = new \WebAuthn\WebAuthn('WebAuthn Library', $_SERVER['HTTP_HOST'], $formats); +$WebAuthn = new \WebAuthn\WebAuthn('WebAuthn Library', $_SERVER['SERVER_NAME'], $formats); $WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/solo.pem'); $WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/apple.pem'); $WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/nitro.pem'); From ea1a412749ed6a1cb9da75f33be93e4f5f4d3ead Mon Sep 17 00:00:00 2001 From: El-Virus <36414402+El-Virus@users.noreply.github.com> Date: Fri, 21 Jan 2022 15:46:44 +0100 Subject: [PATCH 002/115] Fix missing "lbuchs", after resolving last conflict It seems that when solving the conflict in my pr when the latest staging branch was merged to master, I accidentally deleted "lbuchs", I added it back --- data/web/inc/prerequisites.inc.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/web/inc/prerequisites.inc.php b/data/web/inc/prerequisites.inc.php index ac86016a..8e8f5e8f 100644 --- a/data/web/inc/prerequisites.inc.php +++ b/data/web/inc/prerequisites.inc.php @@ -61,7 +61,7 @@ $tfa = new RobThree\Auth\TwoFactorAuth($OTP_LABEL, 6, 30, 'sha1', $qrprovider); // FIDO2 $formats = $GLOBALS['FIDO2_FORMATS']; -$WebAuthn = new \WebAuthn\WebAuthn('WebAuthn Library', $_SERVER['SERVER_NAME'], $formats); +$WebAuthn = new lbuchs\WebAuthn\WebAuthn('WebAuthn Library', $_SERVER['SERVER_NAME'], $formats); // only include root ca's when needed if (getenv('WEBAUTHN_ONLY_TRUSTED_VENDORS') == 'y') $WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates'); From f09a3df870df0e2b66732e720e719d54559df209 Mon Sep 17 00:00:00 2001 From: FreddleSpl0it Date: Mon, 21 Feb 2022 10:46:24 +0100 Subject: [PATCH 003/115] [Web] add verify selected tfa --- data/web/css/build/008-mailcow.css | 10 + data/web/inc/ajax/destroy_tfa_auth.php | 2 +- data/web/inc/footer.inc.php | 24 +- data/web/inc/functions.inc.php | 328 ++++++++++++++----------- data/web/inc/triggers.inc.php | 35 +-- data/web/json_api.php | 10 +- data/web/templates/base.twig | 100 ++++++-- data/web/templates/modals/footer.twig | 216 +++++++++++----- 8 files changed, 473 insertions(+), 252 deletions(-) diff --git a/data/web/css/build/008-mailcow.css b/data/web/css/build/008-mailcow.css index d7533424..5a965537 100644 --- a/data/web/css/build/008-mailcow.css +++ b/data/web/css/build/008-mailcow.css @@ -255,3 +255,13 @@ code { .flag-icon { margin-right: 5px; } +.list-group-item.webauthn-authenticator-selection, +.list-group-item.totp-authenticator-selection, +.list-group-item.yubi_otp-authenticator-selection { + border-radius: 0px !important; +} +.pending-tfa-collapse { + padding: 10px; + background: #fbfbfb; + border: 1px solid #ededed; +} diff --git a/data/web/inc/ajax/destroy_tfa_auth.php b/data/web/inc/ajax/destroy_tfa_auth.php index 72c7f1e3..07873b55 100644 --- a/data/web/inc/ajax/destroy_tfa_auth.php +++ b/data/web/inc/ajax/destroy_tfa_auth.php @@ -2,5 +2,5 @@ session_start(); unset($_SESSION['pending_mailcow_cc_username']); unset($_SESSION['pending_mailcow_cc_role']); -unset($_SESSION['pending_tfa_method']); +unset($_SESSION['pending_tfa_methods']); ?> diff --git a/data/web/inc/footer.inc.php b/data/web/inc/footer.inc.php index 72482707..b2f1d4d5 100644 --- a/data/web/inc/footer.inc.php +++ b/data/web/inc/footer.inc.php @@ -23,6 +23,27 @@ if (is_array($alertbox_log_parser)) { unset($_SESSION['return']); } +// map tfa details for twig +$pending_tfa_authmechs = []; +foreach($_SESSION['pending_tfa_methods'] as $authdata){ + $pending_tfa_authmechs[$authdata['authmech']] = false; +} +if (isset($pending_tfa_authmechs['webauthn'])) { + $pending_tfa_authmechs['webauthn'] = true; +} +if (!isset($pending_tfa_authmechs['webauthn']) + && isset($pending_tfa_authmechs['yubi_otp'])) { + $pending_tfa_authmechs['yubi_otp'] = true; +} +if (!isset($pending_tfa_authmechs['webauthn']) + && !isset($pending_tfa_authmechs['yubi_otp']) + && isset($pending_tfa_authmechs['totp'])) { + $pending_tfa_authmechs['totp'] = true; +} +if (isset($pending_tfa_authmechs['u2f'])) { + $pending_tfa_authmechs['u2f'] = true; +} + // globals $globalVariables = [ 'mailcow_info' => array( @@ -30,7 +51,8 @@ $globalVariables = [ 'git_project_url' => $GLOBALS['MAILCOW_GIT_URL'] ), 'js_path' => '/cache/'.basename($JSPath), - 'pending_tfa_method' => @$_SESSION['pending_tfa_method'], + 'pending_tfa_methods' => @$_SESSION['pending_tfa_methods'], + 'pending_tfa_authmechs' => $pending_tfa_authmechs, 'pending_mailcow_cc_username' => @$_SESSION['pending_mailcow_cc_username'], 'lang_footer' => json_encode($lang['footer']), 'lang_acl' => json_encode($lang['acl']), diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php index 21a0d8ce..0b485c6e 100644 --- a/data/web/inc/functions.inc.php +++ b/data/web/inc/functions.inc.php @@ -830,11 +830,15 @@ function check_login($user, $pass, $app_passwd_data = false) { $stmt->execute(array(':user' => $user)); $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); foreach ($rows as $row) { + // verify password if (verify_hash($row['password'], $pass)) { - if (get_tfa($user)['name'] != "none") { + // check for tfa authenticators + $authenticators = get_tfa($user); + if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0) { + // active tfa authenticators found, set pending user login $_SESSION['pending_mailcow_cc_username'] = $user; $_SESSION['pending_mailcow_cc_role'] = "admin"; - $_SESSION['pending_tfa_method'] = get_tfa($user)['name']; + $_SESSION['pending_tfa_methods'] = $authenticators['additional']; unset($_SESSION['ldelay']); $_SESSION['return'][] = array( 'type' => 'info', @@ -842,8 +846,7 @@ function check_login($user, $pass, $app_passwd_data = false) { 'msg' => 'awaiting_tfa_confirmation' ); return "pending"; - } - else { + } else { unset($_SESSION['ldelay']); // Reactivate TFA if it was set to "deactivate TFA for next login" $stmt = $pdo->prepare("UPDATE `tfa` SET `active`='1' WHERE `username` = :user"); @@ -866,11 +869,14 @@ function check_login($user, $pass, $app_passwd_data = false) { $stmt->execute(array(':user' => $user)); $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); foreach ($rows as $row) { + // verify password if (verify_hash($row['password'], $pass) !== false) { - if (get_tfa($user)['name'] != "none") { + // check for tfa authenticators + $authenticators = get_tfa($user); + if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0) { $_SESSION['pending_mailcow_cc_username'] = $user; $_SESSION['pending_mailcow_cc_role'] = "domainadmin"; - $_SESSION['pending_tfa_method'] = get_tfa($user)['name']; + $_SESSION['pending_tfa_method'] = $authenticators['additional']; unset($_SESSION['ldelay']); $_SESSION['return'][] = array( 'type' => 'info', @@ -1142,47 +1148,46 @@ function set_tfa($_data) { global $yubi; global $tfa; $_data_log = $_data; + $access_denied = null; !isset($_data_log['confirm_password']) ?: $_data_log['confirm_password'] = '*'; $username = $_SESSION['mailcow_cc_username']; - if (!isset($_SESSION['mailcow_cc_role']) || empty($username)) { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $_data_log), - 'msg' => 'access_denied' - ); - return false; - } - $stmt = $pdo->prepare("SELECT `password` FROM `admin` - WHERE `username` = :username"); - $stmt->execute(array(':username' => $username)); - $row = $stmt->fetch(PDO::FETCH_ASSOC); - $num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC)); - if (!empty($num_results)) { - if (!verify_hash($row['password'], $_data["confirm_password"])) { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $_data_log), - 'msg' => 'access_denied' - ); - return false; - } - } - $stmt = $pdo->prepare("SELECT `password` FROM `mailbox` - WHERE `username` = :username"); - $stmt->execute(array(':username' => $username)); - $row = $stmt->fetch(PDO::FETCH_ASSOC); - $num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC)); - if (!empty($num_results)) { - if (!verify_hash($row['password'], $_data["confirm_password"])) { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $_data_log), - 'msg' => 'access_denied' - ); - return false; + + // check for empty user and role + if (!isset($_SESSION['mailcow_cc_role']) || empty($username)) $access_denied = true; + + // check admin confirm password + if ($access_denied === null) { + $stmt = $pdo->prepare("SELECT `password` FROM `admin` + WHERE `username` = :username"); + $stmt->execute(array(':username' => $username)); + $row = $stmt->fetch(PDO::FETCH_ASSOC); + if ($row) { + if (!verify_hash($row['password'], $_data["confirm_password"])) $access_denied = true; + else $access_denied = false; } } + // check mailbox confirm password + if ($access_denied === null) { + $stmt = $pdo->prepare("SELECT `password` FROM `mailbox` + WHERE `username` = :username"); + $stmt->execute(array(':username' => $username)); + $row = $stmt->fetch(PDO::FETCH_ASSOC); + if ($row) { + if (!verify_hash($row['password'], $_data["confirm_password"])) $access_denied = true; + else $access_denied = false; + } + } + + // set access_denied error + if ($access_denied){ + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $_data_log), + 'msg' => 'access_denied' + ); + return false; + } switch ($_data["tfa_method"]) { case "yubi_otp": @@ -1265,9 +1270,6 @@ function set_tfa($_data) { case "webauthn": $key_id = (!isset($_data["key_id"])) ? 'unidentified' : $_data["key_id"]; - $stmt = $pdo->prepare("DELETE FROM `tfa` WHERE `username` = :username AND `authmech` != 'webauthn'"); - $stmt->execute(array(':username' => $username)); - $stmt = $pdo->prepare("INSERT INTO `tfa` (`username`, `key_id`, `authmech`, `keyHandle`, `publicKey`, `certificate`, `counter`, `active`) VALUES (?, ?, 'webauthn', ?, ?, ?, ?, '1')"); $stmt->execute(array( @@ -1439,25 +1441,27 @@ function unset_tfa_key($_data) { global $pdo; global $lang; $_data_log = $_data; + $access_denied = null; $id = intval($_data['unset_tfa_key']); $username = $_SESSION['mailcow_cc_username']; - if (!isset($_SESSION['mailcow_cc_role']) || empty($username)) { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $_data_log), - 'msg' => 'access_denied' - ); - return false; - } + + // check for empty user and role + if (!isset($_SESSION['mailcow_cc_role']) || empty($username)) $access_denied = true; + try { - if (!is_numeric($id)) { - $_SESSION['return'][] = array( + if (!is_numeric($id)) $access_denied = true; + + // set access_denied error + if ($access_denied){ + $_SESSION['return'][] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $_data_log), 'msg' => 'access_denied' ); return false; - } + } + + // check if it's last key $stmt = $pdo->prepare("SELECT COUNT(*) AS `keys` FROM `tfa` WHERE `username` = :username AND `active` = '1'"); $stmt->execute(array(':username' => $username)); @@ -1470,6 +1474,8 @@ function unset_tfa_key($_data) { ); return false; } + + // delete key $stmt = $pdo->prepare("DELETE FROM `tfa` WHERE `username` = :username AND `id` = :id"); $stmt->execute(array(':username' => $username, ':id' => $id)); $_SESSION['return'][] = array( @@ -1487,7 +1493,7 @@ function unset_tfa_key($_data) { return false; } } -function get_tfa($username = null) { +function get_tfa($username = null, $key_id = null) { global $pdo; if (isset($_SESSION['mailcow_cc_username'])) { $username = $_SESSION['mailcow_cc_username']; @@ -1495,92 +1501,116 @@ function get_tfa($username = null) { elseif (empty($username)) { return false; } - $stmt = $pdo->prepare("SELECT * FROM `tfa` - WHERE `username` = :username AND `active` = '1'"); - $stmt->execute(array(':username' => $username)); - $row = $stmt->fetch(PDO::FETCH_ASSOC); - if (isset($row["authmech"])) { - switch ($row["authmech"]) { - case "yubi_otp": - $data['name'] = "yubi_otp"; - $data['pretty'] = "Yubico OTP"; - $stmt = $pdo->prepare("SELECT `id`, `key_id`, RIGHT(`secret`, 12) AS 'modhex' FROM `tfa` WHERE `authmech` = 'yubi_otp' AND `username` = :username"); - $stmt->execute(array( - ':username' => $username, - )); - $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); - while($row = array_shift($rows)) { - $data['additional'][] = $row; + if (!isset($key_id)){ + // fetch all tfa methods - just get information about possible authenticators + $stmt = $pdo->prepare("SELECT `id`, `key_id`, `authmech` FROM `tfa` + WHERE `username` = :username AND `active` = '1'"); + $stmt->execute(array(':username' => $username)); + $results = $stmt->fetchAll(PDO::FETCH_ASSOC); + + // no tfa methods found + if (count($results) == 0) { + $data['name'] = 'none'; + $data['pretty'] = "-"; + $data['additional'] = array(); + return $data; + } + + $data['additional'] = $results; + return $data; + } else { + // fetch specific authenticator details by key_id + $stmt = $pdo->prepare("SELECT * FROM `tfa` + WHERE `username` = :username AND `active` = '1'"); + $stmt->execute(array(':username' => $username)); + $row = $stmt->fetch(PDO::FETCH_ASSOC); + + if (isset($row["authmech"])) { + switch ($row["authmech"]) { + case "yubi_otp": + $data['name'] = "yubi_otp"; + $data['pretty'] = "Yubico OTP"; + $stmt = $pdo->prepare("SELECT `id`, `key_id`, RIGHT(`secret`, 12) AS 'modhex' FROM `tfa` WHERE `authmech` = 'yubi_otp' AND `username` = :username"); + $stmt->execute(array( + ':username' => $username, + )); + $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); + while($row = array_shift($rows)) { + $data['additional'][] = $row; + } + return $data; + break; + // u2f - deprecated, should be removed + case "u2f": + $data['name'] = "u2f"; + $data['pretty'] = "Fido U2F"; + $stmt = $pdo->prepare("SELECT `id`, `key_id` FROM `tfa` WHERE `authmech` = 'u2f' AND `username` = :username"); + $stmt->execute(array( + ':username' => $username, + )); + $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); + while($row = array_shift($rows)) { + $data['additional'][] = $row; + } + return $data; + break; + case "hotp": + $data['name'] = "hotp"; + $data['pretty'] = "HMAC-based OTP"; + return $data; + break; + case "totp": + $data['name'] = "totp"; + $data['pretty'] = "Time-based OTP"; + $stmt = $pdo->prepare("SELECT `id`, `key_id`, `secret` FROM `tfa` WHERE `authmech` = 'totp' AND `username` = :username"); + $stmt->execute(array( + ':username' => $username, + )); + $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); + while($row = array_shift($rows)) { + $data['additional'][] = $row; + } + return $data; + break; + case "webauthn": + $data['name'] = "webauthn"; + $data['pretty'] = "WebAuthn"; + $stmt = $pdo->prepare("SELECT `id`, `key_id` FROM `tfa` WHERE `authmech` = 'webauthn' AND `username` = :username"); + $stmt->execute(array( + ':username' => $username, + )); + $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); + while($row = array_shift($rows)) { + $data['additional'][] = $row; + } + return $data; + break; + default: + $data['name'] = 'none'; + $data['pretty'] = "-"; + return $data; + break; } - return $data; - break; - // u2f - deprecated, should be removed - case "u2f": - $data['name'] = "u2f"; - $data['pretty'] = "Fido U2F"; - $stmt = $pdo->prepare("SELECT `id`, `key_id` FROM `tfa` WHERE `authmech` = 'u2f' AND `username` = :username"); - $stmt->execute(array( - ':username' => $username, - )); - $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); - while($row = array_shift($rows)) { - $data['additional'][] = $row; - } - return $data; - break; - case "hotp": - $data['name'] = "hotp"; - $data['pretty'] = "HMAC-based OTP"; - return $data; - break; - case "totp": - $data['name'] = "totp"; - $data['pretty'] = "Time-based OTP"; - $stmt = $pdo->prepare("SELECT `id`, `key_id`, `secret` FROM `tfa` WHERE `authmech` = 'totp' AND `username` = :username"); - $stmt->execute(array( - ':username' => $username, - )); - $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); - while($row = array_shift($rows)) { - $data['additional'][] = $row; - } - return $data; - break; - case "webauthn": - $data['name'] = "webauthn"; - $data['pretty'] = "WebAuthn"; - $stmt = $pdo->prepare("SELECT `id`, `key_id` FROM `tfa` WHERE `authmech` = 'webauthn' AND `username` = :username"); - $stmt->execute(array( - ':username' => $username, - )); - $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); - while($row = array_shift($rows)) { - $data['additional'][] = $row; - } - return $data; - break; - default: + } + else { $data['name'] = 'none'; $data['pretty'] = "-"; return $data; - break; + } } - } - else { - $data['name'] = 'none'; - $data['pretty'] = "-"; - return $data; - } } -function verify_tfa_login($username, $_data, $WebAuthn) { - global $pdo; - global $yubi; - global $u2f; - global $tfa; +function verify_tfa_login($username, $_data) { + global $pdo; + global $yubi; + global $u2f; + global $tfa; + global $WebAuthn; + + if ($_data['tfa_method'] != 'u2f'){ $stmt = $pdo->prepare("SELECT `authmech` FROM `tfa` - WHERE `username` = :username AND `active` = '1'"); - $stmt->execute(array(':username' => $username)); + WHERE `username` = :username AND `key_id` = :key_id AND `active` = '1'"); + $stmt->execute(array(':username' => $username, ':key_id' => $_data['key_id'])); $row = $stmt->fetch(PDO::FETCH_ASSOC); switch ($row["authmech"]) { @@ -1597,9 +1627,10 @@ function verify_tfa_login($username, $_data, $WebAuthn) { $stmt = $pdo->prepare("SELECT `id`, `secret` FROM `tfa` WHERE `username` = :username AND `authmech` = 'yubi_otp' + AND `key_id` = ':key_id' AND `active`='1' AND `secret` LIKE :modhex"); - $stmt->execute(array(':username' => $username, ':modhex' => '%' . $yubico_modhex_id)); + $stmt->execute(array(':username' => $username, ':modhex' => '%' . $yubico_modhex_id, ':key_id' => $_data['key_id'])); $row = $stmt->fetch(PDO::FETCH_ASSOC); $yubico_auth = explode(':', $row['secret']); $yubi = new Auth_Yubico($yubico_auth[0], $yubico_auth[1]); @@ -1636,8 +1667,9 @@ function verify_tfa_login($username, $_data, $WebAuthn) { $stmt = $pdo->prepare("SELECT `id`, `secret` FROM `tfa` WHERE `username` = :username AND `authmech` = 'totp' + AND `key_id` = :key_id AND `active`='1'"); - $stmt->execute(array(':username' => $username)); + $stmt->execute(array(':username' => $username, ':key_id' => $_data['key_id'])); $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); foreach ($rows as $row) { if ($tfa->verifyCode($row['secret'], $_data['token']) === true) { @@ -1666,13 +1698,6 @@ function verify_tfa_login($username, $_data, $WebAuthn) { return false; } break; - // u2f - deprecated, should be removed - case "u2f": - // delete old keys that used u2f - $stmt = $pdo->prepare("DELETE FROM `tfa` WHERE `authmech` = :authmech AND `username` = :username"); - $stmt->execute(array(':authmech' => 'u2f', ':username' => $username)); - - return true; case "webauthn": $tokenData = json_decode($_data['token']); $clientDataJSON = base64_decode($tokenData->clientDataJSON); @@ -1681,7 +1706,7 @@ function verify_tfa_login($username, $_data, $WebAuthn) { $id = base64_decode($tokenData->id); $challenge = $_SESSION['challenge']; - $stmt = $pdo->prepare("SELECT `key_id`, `keyHandle`, `username`, `publicKey` FROM `tfa` WHERE `keyHandle` = :tokenId"); + $stmt = $pdo->prepare("SELECT `id`, `key_id`, `keyHandle`, `username`, `publicKey` FROM `tfa` WHERE `keyHandle` = :tokenId"); $stmt->execute(array(':tokenId' => $tokenData->id)); $process_webauthn = $stmt->fetch(PDO::FETCH_ASSOC); @@ -1738,7 +1763,7 @@ function verify_tfa_login($username, $_data, $WebAuthn) { $_SESSION["mailcow_cc_username"] = $process_webauthn['username']; - $_SESSION['tfa_id'] = $process_webauthn['key_id']; + $_SESSION['tfa_id'] = $process_webauthn['id']; $_SESSION['authReq'] = null; unset($_SESSION["challenge"]); $_SESSION['return'][] = array( @@ -1759,6 +1784,17 @@ function verify_tfa_login($username, $_data, $WebAuthn) { } return false; + } else { + // delete old keys that used u2f + $stmt = $pdo->prepare("SELECT * FROM `tfa` WHERE `authmech` = 'u2f' AND `username` = :username"); + $stmt->execute(array(':username' => $username)); + $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); + if (count($rows) == 0) return false; + + $stmt = $pdo->prepare("DELETE FROM `tfa` WHERE `authmech` = 'u2f' AND `username` = :username"); + $stmt->execute(array(':username' => $username)); + return true; + } } function admin_api($access, $action, $data = null) { global $pdo; diff --git a/data/web/inc/triggers.inc.php b/data/web/inc/triggers.inc.php index cb3a3771..1e2bdb42 100644 --- a/data/web/inc/triggers.inc.php +++ b/data/web/inc/triggers.inc.php @@ -1,24 +1,24 @@ tfa_method; $_data['key_id'] = $post->key_id; + $_data['confirm_password'] = $post->confirm_password; $_data['registration'] = $data; set_tfa($_data); @@ -450,14 +451,15 @@ if (isset($_GET['query'])) { $stmt = $pdo->prepare("SELECT `keyHandle` FROM `tfa` WHERE username = :username"); $stmt->execute(array(':username' => $_SESSION['pending_mailcow_cc_username'])); $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); - while($row = array_shift($rows)) { - $cids[] = base64_decode($row['keyHandle']); - } - if (count($cids) == 0) { + if (count($rows) == 0) { print(json_encode(array( 'type' => 'error', 'msg' => 'Cannot find matching credentialIds' ))); + exit; + } + while($row = array_shift($rows)) { + $cids[] = base64_decode($row['keyHandle']); } $getArgs = $WebAuthn->getGetArgs($cids, 30, true, true, true, true, $GLOBALS['WEBAUTHN_UV_FLAG_LOGIN']); diff --git a/data/web/templates/base.twig b/data/web/templates/base.twig index 08376e71..2691718b 100644 --- a/data/web/templates/base.twig +++ b/data/web/templates/base.twig @@ -176,15 +176,62 @@ function recursiveBase64StrToArrayBuffer(obj) { {% endfor %} // Confirm TFA modal - {% if pending_tfa_method %} + {% if pending_tfa_methods %} $('#ConfirmTFAModal').modal({ backdrop: 'static', keyboard: false }); + // validate Yubi OTP tfa + $("#pending_tfa_tab_yubi_otp").click(function(){ + $(".totp-authenticator-selection").removeClass("active"); + $(".webauthn-authenticator-selection").removeClass("active"); + + $("#collapseTotpTFA").collapse('hide'); + $("#collapseWebAuthnTFA").collapse('hide'); + }); + $(".yubi-authenticator-selection").click(function(){ + $(".yubi-authenticator-selection").removeClass("active"); + $(this).addClass("active"); + + var key_id = $(this).children('span').first().text(); + $("#yubi_selected_key_id").val(key_id); + + $("#collapseYubiTFA").collapse('show'); + }); + // validate Time based OTP tfa + $("#pending_tfa_tab_totp").click(function(){ + $(".yubi-authenticator-selection").removeClass("active"); + $(".webauthn-authenticator-selection").removeClass("active"); + + $("#collapseYubiTFA").collapse('hide'); + $("#collapseWebAuthnTFA").collapse('hide'); + }); + $(".totp-authenticator-selection").click(function(){ + $(".totp-authenticator-selection").removeClass("active"); + $(this).addClass("active"); + + var key_id = $(this).children('span').first().text(); + $("#totp_selected_key_id").val(key_id); + + $("#collapseTotpTFA").collapse('show'); + }); // validate WebAuthn tfa - $('#start_webauthn_confirmation').click(function(){ - $('#webauthn_status_auth').html('

' + lang_tfa.init_webauthn + '

'); + $("#pending_tfa_tab_webauthn").click(function(){ + $(".totp-authenticator-selection").removeClass("active"); + $(".yubi-authenticator-selection").removeClass("active"); + + $("#collapseTotpTFA").collapse('hide'); + $("#collapseYubiTFA").collapse('hide'); + }); + $(".webauthn-authenticator-selection").click(function(){ + $(".webauthn-authenticator-selection").removeClass("active"); + $(this).addClass("active"); + + var key_id = $(this).children('span').first().text(); + $("#webauthn_selected_key_id").val(key_id); + + $("#collapseWebAuthnTFA").collapse('show'); $(this).find('input[name=token]').focus(); if(document.getElementById("webauthn_auth_data") !== null) { @@ -198,30 +245,31 @@ function recursiveBase64StrToArrayBuffer(obj) { window.fetch("/api/v1/get/webauthn-tfa-get-args", {method:'GET',cache:'no-cache'}).then(response => { return response.json(); }).then(json => { - if (json.success === false) throw new Error(); + if (json.success === false) throw new Error(); + if (json.type === "error") throw new Error(json.msg); - recursiveBase64StrToArrayBuffer(json); - return json; + recursiveBase64StrToArrayBuffer(json); + return json; }).then(getCredentialArgs => { - // get credentials - return navigator.credentials.get(getCredentialArgs); + // get credentials + return navigator.credentials.get(getCredentialArgs); }).then(cred => { - return { - id: cred.rawId ? arrayBufferToBase64(cred.rawId) : null, - clientDataJSON: cred.response.clientDataJSON ? arrayBufferToBase64(cred.response.clientDataJSON) : null, - authenticatorData: cred.response.authenticatorData ? arrayBufferToBase64(cred.response.authenticatorData) : null, - signature : cred.response.signature ? arrayBufferToBase64(cred.response.signature) : null - }; + return { + id: cred.rawId ? arrayBufferToBase64(cred.rawId) : null, + clientDataJSON: cred.response.clientDataJSON ? arrayBufferToBase64(cred.response.clientDataJSON) : null, + authenticatorData: cred.response.authenticatorData ? arrayBufferToBase64(cred.response.authenticatorData) : null, + signature : cred.response.signature ? arrayBufferToBase64(cred.response.signature) : null + }; }).then(JSON.stringify).then(function(AuthenticatorAttestationResponse) { - // send request by submit - var form = document.getElementById('webauthn_auth_form'); - var auth = document.getElementById('webauthn_auth_data'); - auth.value = AuthenticatorAttestationResponse; - form.submit(); + // send request by submit + var form = document.getElementById('webauthn_auth_form'); + var auth = document.getElementById('webauthn_auth_data'); + auth.value = AuthenticatorAttestationResponse; + form.submit(); }).catch(function(err) { - var webauthn_return_code = document.getElementById('webauthn_return_code'); - webauthn_return_code.style.display = webauthn_return_code.style.display === 'none' ? '' : null; - webauthn_return_code.innerHTML = lang_tfa.error_code + ': ' + err + ' ' + lang_tfa.reload_retry; + var webauthn_return_code = document.getElementById('webauthn_return_code'); + webauthn_return_code.style.display = webauthn_return_code.style.display === 'none' ? '' : null; + webauthn_return_code.innerHTML = lang_tfa.error_code + ': ' + err + ' ' + lang_tfa.reload_retry; }); } }); @@ -237,7 +285,9 @@ function recursiveBase64StrToArrayBuffer(obj) { } }); }); - {% endif %} + {% endif %} + + // Validate FIDO2 $("#fido2-login").click(function(){ $('#fido2-alerts').html(); @@ -358,6 +408,7 @@ function recursiveBase64StrToArrayBuffer(obj) { $("#start_webauthn_register").click(() => { var key_id = document.getElementsByName('key_id')[1].value; + var confirm_password = document.getElementsByName('confirm_password')[1].value; // fetch WebAuthn create args window.fetch("/api/v1/get/webauthn-tfa-registration/{{ mailcow_cc_username|url_encode(true)|default('null') }}", {method:'GET',cache:'no-cache'}).then(response => { @@ -375,7 +426,8 @@ function recursiveBase64StrToArrayBuffer(obj) { clientDataJSON: cred.response.clientDataJSON ? arrayBufferToBase64(cred.response.clientDataJSON) : null, attestationObject: cred.response.attestationObject ? arrayBufferToBase64(cred.response.attestationObject) : null, key_id: key_id, - tfa_method: "webauthn" + tfa_method: "webauthn", + confirm_password: confirm_password }; }).then(JSON.stringify).then(AuthenticatorAttestationResponse => { // send request diff --git a/data/web/templates/modals/footer.twig b/data/web/templates/modals/footer.twig index 690b9de0..6df4a10d 100644 --- a/data/web/templates/modals/footer.twig +++ b/data/web/templates/modals/footer.twig @@ -133,73 +133,171 @@ {% endif %} -{% if pending_tfa_method %} +{% if pending_tfa_methods %} From 4c6a2055c2997396c6b3bc35da5ed79b4c43f97d Mon Sep 17 00:00:00 2001 From: FreddleSpl0it Date: Mon, 21 Feb 2022 14:10:12 +0100 Subject: [PATCH 004/115] [Web] add verify selected tfa --- data/web/inc/functions.inc.php | 61 ++++++++++++++++----------- data/web/templates/base.twig | 12 +++--- data/web/templates/modals/footer.twig | 17 +++++--- 3 files changed, 52 insertions(+), 38 deletions(-) diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php index 0b485c6e..f93e7eca 100644 --- a/data/web/inc/functions.inc.php +++ b/data/web/inc/functions.inc.php @@ -1493,7 +1493,7 @@ function unset_tfa_key($_data) { return false; } } -function get_tfa($username = null, $key_id = null) { +function get_tfa($username = null, $id = null) { global $pdo; if (isset($_SESSION['mailcow_cc_username'])) { $username = $_SESSION['mailcow_cc_username']; @@ -1502,7 +1502,7 @@ function get_tfa($username = null, $key_id = null) { return false; } - if (!isset($key_id)){ + if (!isset($id)){ // fetch all tfa methods - just get information about possible authenticators $stmt = $pdo->prepare("SELECT `id`, `key_id`, `authmech` FROM `tfa` WHERE `username` = :username AND `active` = '1'"); @@ -1520,10 +1520,10 @@ function get_tfa($username = null, $key_id = null) { $data['additional'] = $results; return $data; } else { - // fetch specific authenticator details by key_id + // fetch specific authenticator details by id $stmt = $pdo->prepare("SELECT * FROM `tfa` - WHERE `username` = :username AND `active` = '1'"); - $stmt->execute(array(':username' => $username)); + WHERE `username` = :username AND `id` = :id AND `active` = '1'"); + $stmt->execute(array(':username' => $username, ':id' => $id)); $row = $stmt->fetch(PDO::FETCH_ASSOC); if (isset($row["authmech"])) { @@ -1531,9 +1531,10 @@ function get_tfa($username = null, $key_id = null) { case "yubi_otp": $data['name'] = "yubi_otp"; $data['pretty'] = "Yubico OTP"; - $stmt = $pdo->prepare("SELECT `id`, `key_id`, RIGHT(`secret`, 12) AS 'modhex' FROM `tfa` WHERE `authmech` = 'yubi_otp' AND `username` = :username"); + $stmt = $pdo->prepare("SELECT `id`, `key_id`, RIGHT(`secret`, 12) AS 'modhex' FROM `tfa` WHERE `authmech` = 'yubi_otp' AND `username` = :username AND `id` = :id"); $stmt->execute(array( ':username' => $username, + ':id' => $id )); $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); while($row = array_shift($rows)) { @@ -1545,9 +1546,10 @@ function get_tfa($username = null, $key_id = null) { case "u2f": $data['name'] = "u2f"; $data['pretty'] = "Fido U2F"; - $stmt = $pdo->prepare("SELECT `id`, `key_id` FROM `tfa` WHERE `authmech` = 'u2f' AND `username` = :username"); + $stmt = $pdo->prepare("SELECT `id`, `key_id` FROM `tfa` WHERE `authmech` = 'u2f' AND `username` = :username AND `id` = :id"); $stmt->execute(array( ':username' => $username, + ':id' => $id )); $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); while($row = array_shift($rows)) { @@ -1563,9 +1565,10 @@ function get_tfa($username = null, $key_id = null) { case "totp": $data['name'] = "totp"; $data['pretty'] = "Time-based OTP"; - $stmt = $pdo->prepare("SELECT `id`, `key_id`, `secret` FROM `tfa` WHERE `authmech` = 'totp' AND `username` = :username"); + $stmt = $pdo->prepare("SELECT `id`, `key_id`, `secret` FROM `tfa` WHERE `authmech` = 'totp' AND `username` = :username AND `id` = :id"); $stmt->execute(array( ':username' => $username, + ':id' => $id )); $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); while($row = array_shift($rows)) { @@ -1576,9 +1579,10 @@ function get_tfa($username = null, $key_id = null) { case "webauthn": $data['name'] = "webauthn"; $data['pretty'] = "WebAuthn"; - $stmt = $pdo->prepare("SELECT `id`, `key_id` FROM `tfa` WHERE `authmech` = 'webauthn' AND `username` = :username"); + $stmt = $pdo->prepare("SELECT `id`, `key_id` FROM `tfa` WHERE `authmech` = 'webauthn' AND `username` = :username AND `id` = :id"); $stmt->execute(array( ':username' => $username, + ':id' => $id )); $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); while($row = array_shift($rows)) { @@ -1609,8 +1613,8 @@ function verify_tfa_login($username, $_data) { if ($_data['tfa_method'] != 'u2f'){ $stmt = $pdo->prepare("SELECT `authmech` FROM `tfa` - WHERE `username` = :username AND `key_id` = :key_id AND `active` = '1'"); - $stmt->execute(array(':username' => $username, ':key_id' => $_data['key_id'])); + WHERE `username` = :username AND `id` = :id AND `active` = '1'"); + $stmt->execute(array(':username' => $username, ':id' => $_data['id'])); $row = $stmt->fetch(PDO::FETCH_ASSOC); switch ($row["authmech"]) { @@ -1627,10 +1631,10 @@ function verify_tfa_login($username, $_data) { $stmt = $pdo->prepare("SELECT `id`, `secret` FROM `tfa` WHERE `username` = :username AND `authmech` = 'yubi_otp' - AND `key_id` = ':key_id' + AND `id` = ':id' AND `active`='1' AND `secret` LIKE :modhex"); - $stmt->execute(array(':username' => $username, ':modhex' => '%' . $yubico_modhex_id, ':key_id' => $_data['key_id'])); + $stmt->execute(array(':username' => $username, ':modhex' => '%' . $yubico_modhex_id, ':id' => $_data['id'])); $row = $stmt->fetch(PDO::FETCH_ASSOC); $yubico_auth = explode(':', $row['secret']); $yubi = new Auth_Yubico($yubico_auth[0], $yubico_auth[1]); @@ -1663,16 +1667,16 @@ function verify_tfa_login($username, $_data) { return false; break; case "totp": - try { + try { $stmt = $pdo->prepare("SELECT `id`, `secret` FROM `tfa` WHERE `username` = :username AND `authmech` = 'totp' - AND `key_id` = :key_id + AND `id` = :id AND `active`='1'"); - $stmt->execute(array(':username' => $username, ':key_id' => $_data['key_id'])); + $stmt->execute(array(':username' => $username, ':id' => $_data['id'])); $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); foreach ($rows as $row) { - if ($tfa->verifyCode($row['secret'], $_data['token']) === true) { + if ($tfa->verifyCode($row['secret'], $_data['token']) === true) { $_SESSION['tfa_id'] = $row['id']; $_SESSION['return'][] = array( 'type' => 'success', @@ -1680,7 +1684,7 @@ function verify_tfa_login($username, $_data) { 'msg' => 'verified_totp_login' ); return true; - } + } } $_SESSION['return'][] = array( 'type' => 'danger', @@ -1688,15 +1692,15 @@ function verify_tfa_login($username, $_data) { 'msg' => 'totp_verification_failed' ); return false; - } - catch (PDOException $e) { + } + catch (PDOException $e) { $_SESSION['return'][] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $username, '*'), 'msg' => array('mysql_error', $e) ); return false; - } + } break; case "webauthn": $tokenData = json_decode($_data['token']); @@ -1706,13 +1710,20 @@ function verify_tfa_login($username, $_data) { $id = base64_decode($tokenData->id); $challenge = $_SESSION['challenge']; - $stmt = $pdo->prepare("SELECT `id`, `key_id`, `keyHandle`, `username`, `publicKey` FROM `tfa` WHERE `keyHandle` = :tokenId"); - $stmt->execute(array(':tokenId' => $tokenData->id)); + $stmt = $pdo->prepare("SELECT `id`, `key_id`, `keyHandle`, `username`, `publicKey` FROM `tfa` WHERE `id` = :id"); + $stmt->execute(array(':id' => $_data['id'])); $process_webauthn = $stmt->fetch(PDO::FETCH_ASSOC); - if (empty($process_webauthn) || empty($process_webauthn['publicKey']) || empty($process_webauthn['username'])) return false; + if (empty($process_webauthn)){ + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $username, '*'), + 'msg' => array('webauthn_verification_failed', 'authenticator not found') + ); + return false; + } - if ($process_webauthn['publicKey'] === false) { + if (empty($process_webauthn['publicKey']) || $process_webauthn['publicKey'] === false) { $_SESSION['return'][] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $username, '*'), diff --git a/data/web/templates/base.twig b/data/web/templates/base.twig index 2691718b..b51dcde2 100644 --- a/data/web/templates/base.twig +++ b/data/web/templates/base.twig @@ -194,8 +194,8 @@ function recursiveBase64StrToArrayBuffer(obj) { $(".yubi-authenticator-selection").removeClass("active"); $(this).addClass("active"); - var key_id = $(this).children('span').first().text(); - $("#yubi_selected_key_id").val(key_id); + var id = $(this).children('input').first().val(); + $("#yubi_selected_id").val(id); $("#collapseYubiTFA").collapse('show'); }); @@ -211,8 +211,8 @@ function recursiveBase64StrToArrayBuffer(obj) { $(".totp-authenticator-selection").removeClass("active"); $(this).addClass("active"); - var key_id = $(this).children('span').first().text(); - $("#totp_selected_key_id").val(key_id); + var id = $(this).children('input').first().val(); + $("#totp_selected_id").val(id); $("#collapseTotpTFA").collapse('show'); }); @@ -228,8 +228,8 @@ function recursiveBase64StrToArrayBuffer(obj) { $(".webauthn-authenticator-selection").removeClass("active"); $(this).addClass("active"); - var key_id = $(this).children('span').first().text(); - $("#webauthn_selected_key_id").val(key_id); + var id = $(this).children('input').first().val(); + $("#webauthn_selected_id").val(id); $("#collapseWebAuthnTFA").collapse('show'); diff --git a/data/web/templates/modals/footer.twig b/data/web/templates/modals/footer.twig index 6df4a10d..67cc3482 100644 --- a/data/web/templates/modals/footer.twig +++ b/data/web/templates/modals/footer.twig @@ -139,7 +139,7 @@
-

2-Factor-Authentication

+

{{ lang.tfa.tfa }}

@@ -205,7 +206,7 @@
- Available Authenticators + Authenticators
{% for authenticator in pending_tfa_methods %} @@ -213,6 +214,7 @@ {{ authenticator["key_id"] }} + {% endif %} {% endfor %} @@ -223,7 +225,7 @@ Yubicon Icon - +
@@ -240,7 +242,7 @@ - Available Authenticators + Authenticators
{% for authenticator in pending_tfa_methods %} @@ -248,6 +250,7 @@ {{ authenticator["key_id"] }} + {% endif %} {% endfor %} @@ -258,7 +261,7 @@ -
+
From df33f1a1303d893e16a3724434eeff93ee0b528e Mon Sep 17 00:00:00 2001 From: FreddleSpl0it Date: Tue, 22 Feb 2022 09:38:06 +0100 Subject: [PATCH 005/115] [Web] multiple tfa - domainadmin support --- data/web/inc/functions.inc.php | 2 +- data/web/templates/domainadmin.twig | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php index f93e7eca..384905d4 100644 --- a/data/web/inc/functions.inc.php +++ b/data/web/inc/functions.inc.php @@ -876,7 +876,7 @@ function check_login($user, $pass, $app_passwd_data = false) { if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0) { $_SESSION['pending_mailcow_cc_username'] = $user; $_SESSION['pending_mailcow_cc_role'] = "domainadmin"; - $_SESSION['pending_tfa_method'] = $authenticators['additional']; + $_SESSION['pending_tfa_methods'] = $authenticators['additional']; unset($_SESSION['ldelay']); $_SESSION['return'][] = array( 'type' => 'info', diff --git a/data/web/templates/domainadmin.twig b/data/web/templates/domainadmin.twig index 6aae54ba..3bc7ab40 100644 --- a/data/web/templates/domainadmin.twig +++ b/data/web/templates/domainadmin.twig @@ -28,7 +28,7 @@
From a2d57d43d1f61435b865d08ccd0225c06963d6ff Mon Sep 17 00:00:00 2001 From: FreddleSpl0it Date: Mon, 7 Mar 2022 11:41:13 +0100 Subject: [PATCH 006/115] [Web] multiple tfa - user support --- data/web/inc/functions.inc.php | 47 ++++++++++++++-------- data/web/inc/triggers.inc.php | 6 +-- data/web/templates/user/tab-user-auth.twig | 27 ++++++++++++- data/web/user.php | 1 + 4 files changed, 60 insertions(+), 21 deletions(-) diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php index 384905d4..12efd60b 100644 --- a/data/web/inc/functions.inc.php +++ b/data/web/inc/functions.inc.php @@ -936,24 +936,39 @@ function check_login($user, $pass, $app_passwd_data = false) { $rows = array_merge($rows, $stmt->fetchAll(PDO::FETCH_ASSOC)); } foreach ($rows as $row) { + // verify password if (verify_hash($row['password'], $pass) !== false) { - unset($_SESSION['ldelay']); - $_SESSION['return'][] = array( - 'type' => 'success', - 'log' => array(__FUNCTION__, $user, '*'), - 'msg' => array('logged_in_as', $user) - ); - if ($app_passwd_data['eas'] === true || $app_passwd_data['dav'] === true) { - $service = ($app_passwd_data['eas'] === true) ? 'EAS' : 'DAV'; - $stmt = $pdo->prepare("REPLACE INTO sasl_log (`service`, `app_password`, `username`, `real_rip`) VALUES (:service, :app_id, :username, :remote_addr)"); - $stmt->execute(array( - ':service' => $service, - ':app_id' => $row['app_passwd_id'], - ':username' => $user, - ':remote_addr' => ($_SERVER['HTTP_X_REAL_IP'] ?? $_SERVER['REMOTE_ADDR']) - )); + // check for tfa authenticators + $authenticators = get_tfa($user); + if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0) { + $_SESSION['pending_mailcow_cc_username'] = $user; + $_SESSION['pending_mailcow_cc_role'] = "user"; + $_SESSION['pending_tfa_methods'] = $authenticators['additional']; + unset($_SESSION['ldelay']); + $_SESSION['return'][] = array( + 'type' => 'success', + 'log' => array(__FUNCTION__, $user, '*'), + 'msg' => array('logged_in_as', $user) + ); + return "pending"; + } else { + if ($app_passwd_data['eas'] === true || $app_passwd_data['dav'] === true) { + $service = ($app_passwd_data['eas'] === true) ? 'EAS' : 'DAV'; + $stmt = $pdo->prepare("REPLACE INTO sasl_log (`service`, `app_password`, `username`, `real_rip`) VALUES (:service, :app_id, :username, :remote_addr)"); + $stmt->execute(array( + ':service' => $service, + ':app_id' => $row['app_passwd_id'], + ':username' => $user, + ':remote_addr' => ($_SERVER['HTTP_X_REAL_IP'] ?? $_SERVER['REMOTE_ADDR']) + )); + } + + unset($_SESSION['ldelay']); + // Reactivate TFA if it was set to "deactivate TFA for next login" + $stmt = $pdo->prepare("UPDATE `tfa` SET `active`='1' WHERE `username` = :user"); + $stmt->execute(array(':user' => $user)); + return "user"; } - return "user"; } } diff --git a/data/web/inc/triggers.inc.php b/data/web/inc/triggers.inc.php index 1e2bdb42..aec043e9 100644 --- a/data/web/inc/triggers.inc.php +++ b/data/web/inc/triggers.inc.php @@ -61,9 +61,9 @@ if (isset($_POST["login_user"]) && isset($_POST["pass_user"])) { header("Location: /user"); } elseif ($as != "pending") { - unset($_SESSION['pending_mailcow_cc_username']); - unset($_SESSION['pending_mailcow_cc_role']); - unset($_SESSION['pending_tfa_methods']); + unset($_SESSION['pending_mailcow_cc_username']); + unset($_SESSION['pending_mailcow_cc_role']); + unset($_SESSION['pending_tfa_methods']); unset($_SESSION['mailcow_cc_username']); unset($_SESSION['mailcow_cc_role']); } diff --git a/data/web/templates/user/tab-user-auth.twig b/data/web/templates/user/tab-user-auth.twig index c35eee39..cbf5f83d 100644 --- a/data/web/templates/user/tab-user-auth.twig +++ b/data/web/templates/user/tab-user-auth.twig @@ -15,6 +15,10 @@ {{ lang.user.open_webmail_sso }} {% endif %} +
@@ -40,8 +44,27 @@

{{ mailboxdata.quota_used|formatBytes(2) }} / {% if mailboxdata.quota == 0 %}∞{% else %}{{ mailboxdata.quota|formatBytes(2) }}{% endif %}
{{ mailboxdata.messages }} {{ lang.user.messages }}

-
-

{{ lang.user.change_password }}

+ + +
+ {# TFA #} +
+
{{ lang.tfa.tfa }}:
+
+

{{ tfa_data.pretty }}

+ {% include 'tfa_keys.twig' %} +
+
+
+
+
{{ lang.tfa.set_tfa }}:
+
+
diff --git a/data/web/user.php b/data/web/user.php index 5bf60917..d7faf791 100644 --- a/data/web/user.php +++ b/data/web/user.php @@ -76,6 +76,7 @@ elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == ' 'acl_json' => json_encode($_SESSION['acl']), 'user_spam_score' => mailbox('get', 'spam_score', $username), 'tfa_data' => $tfa_data, + 'tfa_id' => @$_SESSION['tfa_id'], 'fido2_data' => $fido2_data, 'mailboxdata' => $mailboxdata, 'clientconfigstr' => $clientconfigstr, From 84b4269c75d21deb4c7b03bbc14b528ed5f27232 Mon Sep 17 00:00:00 2001 From: FreddleSpl0it Date: Mon, 14 Mar 2022 09:29:07 +0100 Subject: [PATCH 007/115] [Web] increase mysql publicKey field length --- data/web/inc/init_db.inc.php | 4 ++-- data/web/json_api.php | 21 +++++++++++---------- 2 files changed, 13 insertions(+), 12 deletions(-) diff --git a/data/web/inc/init_db.inc.php b/data/web/inc/init_db.inc.php index 3cab461e..5705379d 100644 --- a/data/web/inc/init_db.inc.php +++ b/data/web/inc/init_db.inc.php @@ -3,7 +3,7 @@ function init_db_schema() { try { global $pdo; - $db_version = "18012022_1020"; + $db_version = "14032022_0921"; $stmt = $pdo->query("SHOW TABLES LIKE 'versions'"); $num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC)); @@ -699,7 +699,7 @@ function init_db_schema() { "authmech" => "ENUM('yubi_otp', 'u2f', 'hotp', 'totp', 'webauthn')", "secret" => "VARCHAR(255) DEFAULT NULL", "keyHandle" => "VARCHAR(255) DEFAULT NULL", - "publicKey" => "VARCHAR(255) DEFAULT NULL", + "publicKey" => "VARCHAR(4096) DEFAULT NULL", "counter" => "INT NOT NULL DEFAULT '0'", "certificate" => "TEXT", "active" => "TINYINT(1) NOT NULL DEFAULT '0'" diff --git a/data/web/json_api.php b/data/web/json_api.php index 9a557e7b..79056bc6 100644 --- a/data/web/json_api.php +++ b/data/web/json_api.php @@ -175,15 +175,22 @@ if (isset($_GET['query'])) { // parse post data $post = trim(file_get_contents('php://input')); if ($post) $post = json_decode($post); - - // decode base64 strings - $clientDataJSON = base64_decode($post->clientDataJSON); - $attestationObject = base64_decode($post->attestationObject); // process registration data from authenticator try { + // decode base64 strings + $clientDataJSON = base64_decode($post->clientDataJSON); + $attestationObject = base64_decode($post->attestationObject); + // processCreate($clientDataJSON, $attestationObject, $challenge, $requireUserVerification=false, $requireUserPresent=true, $failIfRootMismatch=true) $data = $WebAuthn->processCreate($clientDataJSON, $attestationObject, $_SESSION['challenge'], false, true); + + // safe authenticator in mysql `tfa` table + $_data['tfa_method'] = $post->tfa_method; + $_data['key_id'] = $post->key_id; + $_data['confirm_password'] = $post->confirm_password; + $_data['registration'] = $data; + set_tfa($_data); } catch (Throwable $ex) { // err @@ -194,12 +201,6 @@ if (isset($_GET['query'])) { exit; } - // safe authenticator in mysql `tfa` table - $_data['tfa_method'] = $post->tfa_method; - $_data['key_id'] = $post->key_id; - $_data['confirm_password'] = $post->confirm_password; - $_data['registration'] = $data; - set_tfa($_data); // send response $return = new stdClass(); From 3ef2b6cfa2a99c1adbd2e9e5e74b278274fa4ade Mon Sep 17 00:00:00 2001 From: FreddleSpl0it Date: Mon, 21 Feb 2022 10:46:24 +0100 Subject: [PATCH 008/115] [Web] add verify selected tfa --- data/web/css/build/008-mailcow.css | 10 + data/web/inc/ajax/destroy_tfa_auth.php | 2 +- data/web/inc/footer.inc.php | 24 +- data/web/inc/functions.inc.php | 328 ++++++++++++++----------- data/web/inc/triggers.inc.php | 35 +-- data/web/json_api.php | 10 +- data/web/templates/base.twig | 100 ++++++-- data/web/templates/modals/footer.twig | 216 +++++++++++----- 8 files changed, 473 insertions(+), 252 deletions(-) diff --git a/data/web/css/build/008-mailcow.css b/data/web/css/build/008-mailcow.css index 4d45a75e..5ce2afda 100644 --- a/data/web/css/build/008-mailcow.css +++ b/data/web/css/build/008-mailcow.css @@ -257,3 +257,13 @@ code { .flag-icon { margin-right: 5px; } +.list-group-item.webauthn-authenticator-selection, +.list-group-item.totp-authenticator-selection, +.list-group-item.yubi_otp-authenticator-selection { + border-radius: 0px !important; +} +.pending-tfa-collapse { + padding: 10px; + background: #fbfbfb; + border: 1px solid #ededed; +} diff --git a/data/web/inc/ajax/destroy_tfa_auth.php b/data/web/inc/ajax/destroy_tfa_auth.php index 72c7f1e3..07873b55 100644 --- a/data/web/inc/ajax/destroy_tfa_auth.php +++ b/data/web/inc/ajax/destroy_tfa_auth.php @@ -2,5 +2,5 @@ session_start(); unset($_SESSION['pending_mailcow_cc_username']); unset($_SESSION['pending_mailcow_cc_role']); -unset($_SESSION['pending_tfa_method']); +unset($_SESSION['pending_tfa_methods']); ?> diff --git a/data/web/inc/footer.inc.php b/data/web/inc/footer.inc.php index 72482707..b2f1d4d5 100644 --- a/data/web/inc/footer.inc.php +++ b/data/web/inc/footer.inc.php @@ -23,6 +23,27 @@ if (is_array($alertbox_log_parser)) { unset($_SESSION['return']); } +// map tfa details for twig +$pending_tfa_authmechs = []; +foreach($_SESSION['pending_tfa_methods'] as $authdata){ + $pending_tfa_authmechs[$authdata['authmech']] = false; +} +if (isset($pending_tfa_authmechs['webauthn'])) { + $pending_tfa_authmechs['webauthn'] = true; +} +if (!isset($pending_tfa_authmechs['webauthn']) + && isset($pending_tfa_authmechs['yubi_otp'])) { + $pending_tfa_authmechs['yubi_otp'] = true; +} +if (!isset($pending_tfa_authmechs['webauthn']) + && !isset($pending_tfa_authmechs['yubi_otp']) + && isset($pending_tfa_authmechs['totp'])) { + $pending_tfa_authmechs['totp'] = true; +} +if (isset($pending_tfa_authmechs['u2f'])) { + $pending_tfa_authmechs['u2f'] = true; +} + // globals $globalVariables = [ 'mailcow_info' => array( @@ -30,7 +51,8 @@ $globalVariables = [ 'git_project_url' => $GLOBALS['MAILCOW_GIT_URL'] ), 'js_path' => '/cache/'.basename($JSPath), - 'pending_tfa_method' => @$_SESSION['pending_tfa_method'], + 'pending_tfa_methods' => @$_SESSION['pending_tfa_methods'], + 'pending_tfa_authmechs' => $pending_tfa_authmechs, 'pending_mailcow_cc_username' => @$_SESSION['pending_mailcow_cc_username'], 'lang_footer' => json_encode($lang['footer']), 'lang_acl' => json_encode($lang['acl']), diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php index 21a0d8ce..0b485c6e 100644 --- a/data/web/inc/functions.inc.php +++ b/data/web/inc/functions.inc.php @@ -830,11 +830,15 @@ function check_login($user, $pass, $app_passwd_data = false) { $stmt->execute(array(':user' => $user)); $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); foreach ($rows as $row) { + // verify password if (verify_hash($row['password'], $pass)) { - if (get_tfa($user)['name'] != "none") { + // check for tfa authenticators + $authenticators = get_tfa($user); + if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0) { + // active tfa authenticators found, set pending user login $_SESSION['pending_mailcow_cc_username'] = $user; $_SESSION['pending_mailcow_cc_role'] = "admin"; - $_SESSION['pending_tfa_method'] = get_tfa($user)['name']; + $_SESSION['pending_tfa_methods'] = $authenticators['additional']; unset($_SESSION['ldelay']); $_SESSION['return'][] = array( 'type' => 'info', @@ -842,8 +846,7 @@ function check_login($user, $pass, $app_passwd_data = false) { 'msg' => 'awaiting_tfa_confirmation' ); return "pending"; - } - else { + } else { unset($_SESSION['ldelay']); // Reactivate TFA if it was set to "deactivate TFA for next login" $stmt = $pdo->prepare("UPDATE `tfa` SET `active`='1' WHERE `username` = :user"); @@ -866,11 +869,14 @@ function check_login($user, $pass, $app_passwd_data = false) { $stmt->execute(array(':user' => $user)); $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); foreach ($rows as $row) { + // verify password if (verify_hash($row['password'], $pass) !== false) { - if (get_tfa($user)['name'] != "none") { + // check for tfa authenticators + $authenticators = get_tfa($user); + if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0) { $_SESSION['pending_mailcow_cc_username'] = $user; $_SESSION['pending_mailcow_cc_role'] = "domainadmin"; - $_SESSION['pending_tfa_method'] = get_tfa($user)['name']; + $_SESSION['pending_tfa_method'] = $authenticators['additional']; unset($_SESSION['ldelay']); $_SESSION['return'][] = array( 'type' => 'info', @@ -1142,47 +1148,46 @@ function set_tfa($_data) { global $yubi; global $tfa; $_data_log = $_data; + $access_denied = null; !isset($_data_log['confirm_password']) ?: $_data_log['confirm_password'] = '*'; $username = $_SESSION['mailcow_cc_username']; - if (!isset($_SESSION['mailcow_cc_role']) || empty($username)) { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $_data_log), - 'msg' => 'access_denied' - ); - return false; - } - $stmt = $pdo->prepare("SELECT `password` FROM `admin` - WHERE `username` = :username"); - $stmt->execute(array(':username' => $username)); - $row = $stmt->fetch(PDO::FETCH_ASSOC); - $num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC)); - if (!empty($num_results)) { - if (!verify_hash($row['password'], $_data["confirm_password"])) { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $_data_log), - 'msg' => 'access_denied' - ); - return false; - } - } - $stmt = $pdo->prepare("SELECT `password` FROM `mailbox` - WHERE `username` = :username"); - $stmt->execute(array(':username' => $username)); - $row = $stmt->fetch(PDO::FETCH_ASSOC); - $num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC)); - if (!empty($num_results)) { - if (!verify_hash($row['password'], $_data["confirm_password"])) { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $_data_log), - 'msg' => 'access_denied' - ); - return false; + + // check for empty user and role + if (!isset($_SESSION['mailcow_cc_role']) || empty($username)) $access_denied = true; + + // check admin confirm password + if ($access_denied === null) { + $stmt = $pdo->prepare("SELECT `password` FROM `admin` + WHERE `username` = :username"); + $stmt->execute(array(':username' => $username)); + $row = $stmt->fetch(PDO::FETCH_ASSOC); + if ($row) { + if (!verify_hash($row['password'], $_data["confirm_password"])) $access_denied = true; + else $access_denied = false; } } + // check mailbox confirm password + if ($access_denied === null) { + $stmt = $pdo->prepare("SELECT `password` FROM `mailbox` + WHERE `username` = :username"); + $stmt->execute(array(':username' => $username)); + $row = $stmt->fetch(PDO::FETCH_ASSOC); + if ($row) { + if (!verify_hash($row['password'], $_data["confirm_password"])) $access_denied = true; + else $access_denied = false; + } + } + + // set access_denied error + if ($access_denied){ + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $_data_log), + 'msg' => 'access_denied' + ); + return false; + } switch ($_data["tfa_method"]) { case "yubi_otp": @@ -1265,9 +1270,6 @@ function set_tfa($_data) { case "webauthn": $key_id = (!isset($_data["key_id"])) ? 'unidentified' : $_data["key_id"]; - $stmt = $pdo->prepare("DELETE FROM `tfa` WHERE `username` = :username AND `authmech` != 'webauthn'"); - $stmt->execute(array(':username' => $username)); - $stmt = $pdo->prepare("INSERT INTO `tfa` (`username`, `key_id`, `authmech`, `keyHandle`, `publicKey`, `certificate`, `counter`, `active`) VALUES (?, ?, 'webauthn', ?, ?, ?, ?, '1')"); $stmt->execute(array( @@ -1439,25 +1441,27 @@ function unset_tfa_key($_data) { global $pdo; global $lang; $_data_log = $_data; + $access_denied = null; $id = intval($_data['unset_tfa_key']); $username = $_SESSION['mailcow_cc_username']; - if (!isset($_SESSION['mailcow_cc_role']) || empty($username)) { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $_data_log), - 'msg' => 'access_denied' - ); - return false; - } + + // check for empty user and role + if (!isset($_SESSION['mailcow_cc_role']) || empty($username)) $access_denied = true; + try { - if (!is_numeric($id)) { - $_SESSION['return'][] = array( + if (!is_numeric($id)) $access_denied = true; + + // set access_denied error + if ($access_denied){ + $_SESSION['return'][] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $_data_log), 'msg' => 'access_denied' ); return false; - } + } + + // check if it's last key $stmt = $pdo->prepare("SELECT COUNT(*) AS `keys` FROM `tfa` WHERE `username` = :username AND `active` = '1'"); $stmt->execute(array(':username' => $username)); @@ -1470,6 +1474,8 @@ function unset_tfa_key($_data) { ); return false; } + + // delete key $stmt = $pdo->prepare("DELETE FROM `tfa` WHERE `username` = :username AND `id` = :id"); $stmt->execute(array(':username' => $username, ':id' => $id)); $_SESSION['return'][] = array( @@ -1487,7 +1493,7 @@ function unset_tfa_key($_data) { return false; } } -function get_tfa($username = null) { +function get_tfa($username = null, $key_id = null) { global $pdo; if (isset($_SESSION['mailcow_cc_username'])) { $username = $_SESSION['mailcow_cc_username']; @@ -1495,92 +1501,116 @@ function get_tfa($username = null) { elseif (empty($username)) { return false; } - $stmt = $pdo->prepare("SELECT * FROM `tfa` - WHERE `username` = :username AND `active` = '1'"); - $stmt->execute(array(':username' => $username)); - $row = $stmt->fetch(PDO::FETCH_ASSOC); - if (isset($row["authmech"])) { - switch ($row["authmech"]) { - case "yubi_otp": - $data['name'] = "yubi_otp"; - $data['pretty'] = "Yubico OTP"; - $stmt = $pdo->prepare("SELECT `id`, `key_id`, RIGHT(`secret`, 12) AS 'modhex' FROM `tfa` WHERE `authmech` = 'yubi_otp' AND `username` = :username"); - $stmt->execute(array( - ':username' => $username, - )); - $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); - while($row = array_shift($rows)) { - $data['additional'][] = $row; + if (!isset($key_id)){ + // fetch all tfa methods - just get information about possible authenticators + $stmt = $pdo->prepare("SELECT `id`, `key_id`, `authmech` FROM `tfa` + WHERE `username` = :username AND `active` = '1'"); + $stmt->execute(array(':username' => $username)); + $results = $stmt->fetchAll(PDO::FETCH_ASSOC); + + // no tfa methods found + if (count($results) == 0) { + $data['name'] = 'none'; + $data['pretty'] = "-"; + $data['additional'] = array(); + return $data; + } + + $data['additional'] = $results; + return $data; + } else { + // fetch specific authenticator details by key_id + $stmt = $pdo->prepare("SELECT * FROM `tfa` + WHERE `username` = :username AND `active` = '1'"); + $stmt->execute(array(':username' => $username)); + $row = $stmt->fetch(PDO::FETCH_ASSOC); + + if (isset($row["authmech"])) { + switch ($row["authmech"]) { + case "yubi_otp": + $data['name'] = "yubi_otp"; + $data['pretty'] = "Yubico OTP"; + $stmt = $pdo->prepare("SELECT `id`, `key_id`, RIGHT(`secret`, 12) AS 'modhex' FROM `tfa` WHERE `authmech` = 'yubi_otp' AND `username` = :username"); + $stmt->execute(array( + ':username' => $username, + )); + $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); + while($row = array_shift($rows)) { + $data['additional'][] = $row; + } + return $data; + break; + // u2f - deprecated, should be removed + case "u2f": + $data['name'] = "u2f"; + $data['pretty'] = "Fido U2F"; + $stmt = $pdo->prepare("SELECT `id`, `key_id` FROM `tfa` WHERE `authmech` = 'u2f' AND `username` = :username"); + $stmt->execute(array( + ':username' => $username, + )); + $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); + while($row = array_shift($rows)) { + $data['additional'][] = $row; + } + return $data; + break; + case "hotp": + $data['name'] = "hotp"; + $data['pretty'] = "HMAC-based OTP"; + return $data; + break; + case "totp": + $data['name'] = "totp"; + $data['pretty'] = "Time-based OTP"; + $stmt = $pdo->prepare("SELECT `id`, `key_id`, `secret` FROM `tfa` WHERE `authmech` = 'totp' AND `username` = :username"); + $stmt->execute(array( + ':username' => $username, + )); + $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); + while($row = array_shift($rows)) { + $data['additional'][] = $row; + } + return $data; + break; + case "webauthn": + $data['name'] = "webauthn"; + $data['pretty'] = "WebAuthn"; + $stmt = $pdo->prepare("SELECT `id`, `key_id` FROM `tfa` WHERE `authmech` = 'webauthn' AND `username` = :username"); + $stmt->execute(array( + ':username' => $username, + )); + $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); + while($row = array_shift($rows)) { + $data['additional'][] = $row; + } + return $data; + break; + default: + $data['name'] = 'none'; + $data['pretty'] = "-"; + return $data; + break; } - return $data; - break; - // u2f - deprecated, should be removed - case "u2f": - $data['name'] = "u2f"; - $data['pretty'] = "Fido U2F"; - $stmt = $pdo->prepare("SELECT `id`, `key_id` FROM `tfa` WHERE `authmech` = 'u2f' AND `username` = :username"); - $stmt->execute(array( - ':username' => $username, - )); - $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); - while($row = array_shift($rows)) { - $data['additional'][] = $row; - } - return $data; - break; - case "hotp": - $data['name'] = "hotp"; - $data['pretty'] = "HMAC-based OTP"; - return $data; - break; - case "totp": - $data['name'] = "totp"; - $data['pretty'] = "Time-based OTP"; - $stmt = $pdo->prepare("SELECT `id`, `key_id`, `secret` FROM `tfa` WHERE `authmech` = 'totp' AND `username` = :username"); - $stmt->execute(array( - ':username' => $username, - )); - $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); - while($row = array_shift($rows)) { - $data['additional'][] = $row; - } - return $data; - break; - case "webauthn": - $data['name'] = "webauthn"; - $data['pretty'] = "WebAuthn"; - $stmt = $pdo->prepare("SELECT `id`, `key_id` FROM `tfa` WHERE `authmech` = 'webauthn' AND `username` = :username"); - $stmt->execute(array( - ':username' => $username, - )); - $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); - while($row = array_shift($rows)) { - $data['additional'][] = $row; - } - return $data; - break; - default: + } + else { $data['name'] = 'none'; $data['pretty'] = "-"; return $data; - break; + } } - } - else { - $data['name'] = 'none'; - $data['pretty'] = "-"; - return $data; - } } -function verify_tfa_login($username, $_data, $WebAuthn) { - global $pdo; - global $yubi; - global $u2f; - global $tfa; +function verify_tfa_login($username, $_data) { + global $pdo; + global $yubi; + global $u2f; + global $tfa; + global $WebAuthn; + + if ($_data['tfa_method'] != 'u2f'){ $stmt = $pdo->prepare("SELECT `authmech` FROM `tfa` - WHERE `username` = :username AND `active` = '1'"); - $stmt->execute(array(':username' => $username)); + WHERE `username` = :username AND `key_id` = :key_id AND `active` = '1'"); + $stmt->execute(array(':username' => $username, ':key_id' => $_data['key_id'])); $row = $stmt->fetch(PDO::FETCH_ASSOC); switch ($row["authmech"]) { @@ -1597,9 +1627,10 @@ function verify_tfa_login($username, $_data, $WebAuthn) { $stmt = $pdo->prepare("SELECT `id`, `secret` FROM `tfa` WHERE `username` = :username AND `authmech` = 'yubi_otp' + AND `key_id` = ':key_id' AND `active`='1' AND `secret` LIKE :modhex"); - $stmt->execute(array(':username' => $username, ':modhex' => '%' . $yubico_modhex_id)); + $stmt->execute(array(':username' => $username, ':modhex' => '%' . $yubico_modhex_id, ':key_id' => $_data['key_id'])); $row = $stmt->fetch(PDO::FETCH_ASSOC); $yubico_auth = explode(':', $row['secret']); $yubi = new Auth_Yubico($yubico_auth[0], $yubico_auth[1]); @@ -1636,8 +1667,9 @@ function verify_tfa_login($username, $_data, $WebAuthn) { $stmt = $pdo->prepare("SELECT `id`, `secret` FROM `tfa` WHERE `username` = :username AND `authmech` = 'totp' + AND `key_id` = :key_id AND `active`='1'"); - $stmt->execute(array(':username' => $username)); + $stmt->execute(array(':username' => $username, ':key_id' => $_data['key_id'])); $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); foreach ($rows as $row) { if ($tfa->verifyCode($row['secret'], $_data['token']) === true) { @@ -1666,13 +1698,6 @@ function verify_tfa_login($username, $_data, $WebAuthn) { return false; } break; - // u2f - deprecated, should be removed - case "u2f": - // delete old keys that used u2f - $stmt = $pdo->prepare("DELETE FROM `tfa` WHERE `authmech` = :authmech AND `username` = :username"); - $stmt->execute(array(':authmech' => 'u2f', ':username' => $username)); - - return true; case "webauthn": $tokenData = json_decode($_data['token']); $clientDataJSON = base64_decode($tokenData->clientDataJSON); @@ -1681,7 +1706,7 @@ function verify_tfa_login($username, $_data, $WebAuthn) { $id = base64_decode($tokenData->id); $challenge = $_SESSION['challenge']; - $stmt = $pdo->prepare("SELECT `key_id`, `keyHandle`, `username`, `publicKey` FROM `tfa` WHERE `keyHandle` = :tokenId"); + $stmt = $pdo->prepare("SELECT `id`, `key_id`, `keyHandle`, `username`, `publicKey` FROM `tfa` WHERE `keyHandle` = :tokenId"); $stmt->execute(array(':tokenId' => $tokenData->id)); $process_webauthn = $stmt->fetch(PDO::FETCH_ASSOC); @@ -1738,7 +1763,7 @@ function verify_tfa_login($username, $_data, $WebAuthn) { $_SESSION["mailcow_cc_username"] = $process_webauthn['username']; - $_SESSION['tfa_id'] = $process_webauthn['key_id']; + $_SESSION['tfa_id'] = $process_webauthn['id']; $_SESSION['authReq'] = null; unset($_SESSION["challenge"]); $_SESSION['return'][] = array( @@ -1759,6 +1784,17 @@ function verify_tfa_login($username, $_data, $WebAuthn) { } return false; + } else { + // delete old keys that used u2f + $stmt = $pdo->prepare("SELECT * FROM `tfa` WHERE `authmech` = 'u2f' AND `username` = :username"); + $stmt->execute(array(':username' => $username)); + $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); + if (count($rows) == 0) return false; + + $stmt = $pdo->prepare("DELETE FROM `tfa` WHERE `authmech` = 'u2f' AND `username` = :username"); + $stmt->execute(array(':username' => $username)); + return true; + } } function admin_api($access, $action, $data = null) { global $pdo; diff --git a/data/web/inc/triggers.inc.php b/data/web/inc/triggers.inc.php index cb3a3771..1e2bdb42 100644 --- a/data/web/inc/triggers.inc.php +++ b/data/web/inc/triggers.inc.php @@ -1,24 +1,24 @@ tfa_method; $_data['key_id'] = $post->key_id; + $_data['confirm_password'] = $post->confirm_password; $_data['registration'] = $data; set_tfa($_data); @@ -450,14 +451,15 @@ if (isset($_GET['query'])) { $stmt = $pdo->prepare("SELECT `keyHandle` FROM `tfa` WHERE username = :username"); $stmt->execute(array(':username' => $_SESSION['pending_mailcow_cc_username'])); $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); - while($row = array_shift($rows)) { - $cids[] = base64_decode($row['keyHandle']); - } - if (count($cids) == 0) { + if (count($rows) == 0) { print(json_encode(array( 'type' => 'error', 'msg' => 'Cannot find matching credentialIds' ))); + exit; + } + while($row = array_shift($rows)) { + $cids[] = base64_decode($row['keyHandle']); } $getArgs = $WebAuthn->getGetArgs($cids, 30, true, true, true, true, $GLOBALS['WEBAUTHN_UV_FLAG_LOGIN']); diff --git a/data/web/templates/base.twig b/data/web/templates/base.twig index 08376e71..2691718b 100644 --- a/data/web/templates/base.twig +++ b/data/web/templates/base.twig @@ -176,15 +176,62 @@ function recursiveBase64StrToArrayBuffer(obj) { {% endfor %} // Confirm TFA modal - {% if pending_tfa_method %} + {% if pending_tfa_methods %} $('#ConfirmTFAModal').modal({ backdrop: 'static', keyboard: false }); + // validate Yubi OTP tfa + $("#pending_tfa_tab_yubi_otp").click(function(){ + $(".totp-authenticator-selection").removeClass("active"); + $(".webauthn-authenticator-selection").removeClass("active"); + + $("#collapseTotpTFA").collapse('hide'); + $("#collapseWebAuthnTFA").collapse('hide'); + }); + $(".yubi-authenticator-selection").click(function(){ + $(".yubi-authenticator-selection").removeClass("active"); + $(this).addClass("active"); + + var key_id = $(this).children('span').first().text(); + $("#yubi_selected_key_id").val(key_id); + + $("#collapseYubiTFA").collapse('show'); + }); + // validate Time based OTP tfa + $("#pending_tfa_tab_totp").click(function(){ + $(".yubi-authenticator-selection").removeClass("active"); + $(".webauthn-authenticator-selection").removeClass("active"); + + $("#collapseYubiTFA").collapse('hide'); + $("#collapseWebAuthnTFA").collapse('hide'); + }); + $(".totp-authenticator-selection").click(function(){ + $(".totp-authenticator-selection").removeClass("active"); + $(this).addClass("active"); + + var key_id = $(this).children('span').first().text(); + $("#totp_selected_key_id").val(key_id); + + $("#collapseTotpTFA").collapse('show'); + }); // validate WebAuthn tfa - $('#start_webauthn_confirmation').click(function(){ - $('#webauthn_status_auth').html('

' + lang_tfa.init_webauthn + '

'); + $("#pending_tfa_tab_webauthn").click(function(){ + $(".totp-authenticator-selection").removeClass("active"); + $(".yubi-authenticator-selection").removeClass("active"); + + $("#collapseTotpTFA").collapse('hide'); + $("#collapseYubiTFA").collapse('hide'); + }); + $(".webauthn-authenticator-selection").click(function(){ + $(".webauthn-authenticator-selection").removeClass("active"); + $(this).addClass("active"); + + var key_id = $(this).children('span').first().text(); + $("#webauthn_selected_key_id").val(key_id); + + $("#collapseWebAuthnTFA").collapse('show'); $(this).find('input[name=token]').focus(); if(document.getElementById("webauthn_auth_data") !== null) { @@ -198,30 +245,31 @@ function recursiveBase64StrToArrayBuffer(obj) { window.fetch("/api/v1/get/webauthn-tfa-get-args", {method:'GET',cache:'no-cache'}).then(response => { return response.json(); }).then(json => { - if (json.success === false) throw new Error(); + if (json.success === false) throw new Error(); + if (json.type === "error") throw new Error(json.msg); - recursiveBase64StrToArrayBuffer(json); - return json; + recursiveBase64StrToArrayBuffer(json); + return json; }).then(getCredentialArgs => { - // get credentials - return navigator.credentials.get(getCredentialArgs); + // get credentials + return navigator.credentials.get(getCredentialArgs); }).then(cred => { - return { - id: cred.rawId ? arrayBufferToBase64(cred.rawId) : null, - clientDataJSON: cred.response.clientDataJSON ? arrayBufferToBase64(cred.response.clientDataJSON) : null, - authenticatorData: cred.response.authenticatorData ? arrayBufferToBase64(cred.response.authenticatorData) : null, - signature : cred.response.signature ? arrayBufferToBase64(cred.response.signature) : null - }; + return { + id: cred.rawId ? arrayBufferToBase64(cred.rawId) : null, + clientDataJSON: cred.response.clientDataJSON ? arrayBufferToBase64(cred.response.clientDataJSON) : null, + authenticatorData: cred.response.authenticatorData ? arrayBufferToBase64(cred.response.authenticatorData) : null, + signature : cred.response.signature ? arrayBufferToBase64(cred.response.signature) : null + }; }).then(JSON.stringify).then(function(AuthenticatorAttestationResponse) { - // send request by submit - var form = document.getElementById('webauthn_auth_form'); - var auth = document.getElementById('webauthn_auth_data'); - auth.value = AuthenticatorAttestationResponse; - form.submit(); + // send request by submit + var form = document.getElementById('webauthn_auth_form'); + var auth = document.getElementById('webauthn_auth_data'); + auth.value = AuthenticatorAttestationResponse; + form.submit(); }).catch(function(err) { - var webauthn_return_code = document.getElementById('webauthn_return_code'); - webauthn_return_code.style.display = webauthn_return_code.style.display === 'none' ? '' : null; - webauthn_return_code.innerHTML = lang_tfa.error_code + ': ' + err + ' ' + lang_tfa.reload_retry; + var webauthn_return_code = document.getElementById('webauthn_return_code'); + webauthn_return_code.style.display = webauthn_return_code.style.display === 'none' ? '' : null; + webauthn_return_code.innerHTML = lang_tfa.error_code + ': ' + err + ' ' + lang_tfa.reload_retry; }); } }); @@ -237,7 +285,9 @@ function recursiveBase64StrToArrayBuffer(obj) { } }); }); - {% endif %} + {% endif %} + + // Validate FIDO2 $("#fido2-login").click(function(){ $('#fido2-alerts').html(); @@ -358,6 +408,7 @@ function recursiveBase64StrToArrayBuffer(obj) { $("#start_webauthn_register").click(() => { var key_id = document.getElementsByName('key_id')[1].value; + var confirm_password = document.getElementsByName('confirm_password')[1].value; // fetch WebAuthn create args window.fetch("/api/v1/get/webauthn-tfa-registration/{{ mailcow_cc_username|url_encode(true)|default('null') }}", {method:'GET',cache:'no-cache'}).then(response => { @@ -375,7 +426,8 @@ function recursiveBase64StrToArrayBuffer(obj) { clientDataJSON: cred.response.clientDataJSON ? arrayBufferToBase64(cred.response.clientDataJSON) : null, attestationObject: cred.response.attestationObject ? arrayBufferToBase64(cred.response.attestationObject) : null, key_id: key_id, - tfa_method: "webauthn" + tfa_method: "webauthn", + confirm_password: confirm_password }; }).then(JSON.stringify).then(AuthenticatorAttestationResponse => { // send request diff --git a/data/web/templates/modals/footer.twig b/data/web/templates/modals/footer.twig index 690b9de0..6df4a10d 100644 --- a/data/web/templates/modals/footer.twig +++ b/data/web/templates/modals/footer.twig @@ -133,73 +133,171 @@ {% endif %} -{% if pending_tfa_method %} +{% if pending_tfa_methods %} From 5fcccbc97d02c4b0cdd0c479bd15d6293b83dbb0 Mon Sep 17 00:00:00 2001 From: FreddleSpl0it Date: Mon, 21 Feb 2022 14:10:12 +0100 Subject: [PATCH 009/115] [Web] add verify selected tfa --- data/web/inc/functions.inc.php | 61 ++++++++++++++++----------- data/web/templates/base.twig | 12 +++--- data/web/templates/modals/footer.twig | 17 +++++--- 3 files changed, 52 insertions(+), 38 deletions(-) diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php index 0b485c6e..f93e7eca 100644 --- a/data/web/inc/functions.inc.php +++ b/data/web/inc/functions.inc.php @@ -1493,7 +1493,7 @@ function unset_tfa_key($_data) { return false; } } -function get_tfa($username = null, $key_id = null) { +function get_tfa($username = null, $id = null) { global $pdo; if (isset($_SESSION['mailcow_cc_username'])) { $username = $_SESSION['mailcow_cc_username']; @@ -1502,7 +1502,7 @@ function get_tfa($username = null, $key_id = null) { return false; } - if (!isset($key_id)){ + if (!isset($id)){ // fetch all tfa methods - just get information about possible authenticators $stmt = $pdo->prepare("SELECT `id`, `key_id`, `authmech` FROM `tfa` WHERE `username` = :username AND `active` = '1'"); @@ -1520,10 +1520,10 @@ function get_tfa($username = null, $key_id = null) { $data['additional'] = $results; return $data; } else { - // fetch specific authenticator details by key_id + // fetch specific authenticator details by id $stmt = $pdo->prepare("SELECT * FROM `tfa` - WHERE `username` = :username AND `active` = '1'"); - $stmt->execute(array(':username' => $username)); + WHERE `username` = :username AND `id` = :id AND `active` = '1'"); + $stmt->execute(array(':username' => $username, ':id' => $id)); $row = $stmt->fetch(PDO::FETCH_ASSOC); if (isset($row["authmech"])) { @@ -1531,9 +1531,10 @@ function get_tfa($username = null, $key_id = null) { case "yubi_otp": $data['name'] = "yubi_otp"; $data['pretty'] = "Yubico OTP"; - $stmt = $pdo->prepare("SELECT `id`, `key_id`, RIGHT(`secret`, 12) AS 'modhex' FROM `tfa` WHERE `authmech` = 'yubi_otp' AND `username` = :username"); + $stmt = $pdo->prepare("SELECT `id`, `key_id`, RIGHT(`secret`, 12) AS 'modhex' FROM `tfa` WHERE `authmech` = 'yubi_otp' AND `username` = :username AND `id` = :id"); $stmt->execute(array( ':username' => $username, + ':id' => $id )); $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); while($row = array_shift($rows)) { @@ -1545,9 +1546,10 @@ function get_tfa($username = null, $key_id = null) { case "u2f": $data['name'] = "u2f"; $data['pretty'] = "Fido U2F"; - $stmt = $pdo->prepare("SELECT `id`, `key_id` FROM `tfa` WHERE `authmech` = 'u2f' AND `username` = :username"); + $stmt = $pdo->prepare("SELECT `id`, `key_id` FROM `tfa` WHERE `authmech` = 'u2f' AND `username` = :username AND `id` = :id"); $stmt->execute(array( ':username' => $username, + ':id' => $id )); $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); while($row = array_shift($rows)) { @@ -1563,9 +1565,10 @@ function get_tfa($username = null, $key_id = null) { case "totp": $data['name'] = "totp"; $data['pretty'] = "Time-based OTP"; - $stmt = $pdo->prepare("SELECT `id`, `key_id`, `secret` FROM `tfa` WHERE `authmech` = 'totp' AND `username` = :username"); + $stmt = $pdo->prepare("SELECT `id`, `key_id`, `secret` FROM `tfa` WHERE `authmech` = 'totp' AND `username` = :username AND `id` = :id"); $stmt->execute(array( ':username' => $username, + ':id' => $id )); $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); while($row = array_shift($rows)) { @@ -1576,9 +1579,10 @@ function get_tfa($username = null, $key_id = null) { case "webauthn": $data['name'] = "webauthn"; $data['pretty'] = "WebAuthn"; - $stmt = $pdo->prepare("SELECT `id`, `key_id` FROM `tfa` WHERE `authmech` = 'webauthn' AND `username` = :username"); + $stmt = $pdo->prepare("SELECT `id`, `key_id` FROM `tfa` WHERE `authmech` = 'webauthn' AND `username` = :username AND `id` = :id"); $stmt->execute(array( ':username' => $username, + ':id' => $id )); $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); while($row = array_shift($rows)) { @@ -1609,8 +1613,8 @@ function verify_tfa_login($username, $_data) { if ($_data['tfa_method'] != 'u2f'){ $stmt = $pdo->prepare("SELECT `authmech` FROM `tfa` - WHERE `username` = :username AND `key_id` = :key_id AND `active` = '1'"); - $stmt->execute(array(':username' => $username, ':key_id' => $_data['key_id'])); + WHERE `username` = :username AND `id` = :id AND `active` = '1'"); + $stmt->execute(array(':username' => $username, ':id' => $_data['id'])); $row = $stmt->fetch(PDO::FETCH_ASSOC); switch ($row["authmech"]) { @@ -1627,10 +1631,10 @@ function verify_tfa_login($username, $_data) { $stmt = $pdo->prepare("SELECT `id`, `secret` FROM `tfa` WHERE `username` = :username AND `authmech` = 'yubi_otp' - AND `key_id` = ':key_id' + AND `id` = ':id' AND `active`='1' AND `secret` LIKE :modhex"); - $stmt->execute(array(':username' => $username, ':modhex' => '%' . $yubico_modhex_id, ':key_id' => $_data['key_id'])); + $stmt->execute(array(':username' => $username, ':modhex' => '%' . $yubico_modhex_id, ':id' => $_data['id'])); $row = $stmt->fetch(PDO::FETCH_ASSOC); $yubico_auth = explode(':', $row['secret']); $yubi = new Auth_Yubico($yubico_auth[0], $yubico_auth[1]); @@ -1663,16 +1667,16 @@ function verify_tfa_login($username, $_data) { return false; break; case "totp": - try { + try { $stmt = $pdo->prepare("SELECT `id`, `secret` FROM `tfa` WHERE `username` = :username AND `authmech` = 'totp' - AND `key_id` = :key_id + AND `id` = :id AND `active`='1'"); - $stmt->execute(array(':username' => $username, ':key_id' => $_data['key_id'])); + $stmt->execute(array(':username' => $username, ':id' => $_data['id'])); $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); foreach ($rows as $row) { - if ($tfa->verifyCode($row['secret'], $_data['token']) === true) { + if ($tfa->verifyCode($row['secret'], $_data['token']) === true) { $_SESSION['tfa_id'] = $row['id']; $_SESSION['return'][] = array( 'type' => 'success', @@ -1680,7 +1684,7 @@ function verify_tfa_login($username, $_data) { 'msg' => 'verified_totp_login' ); return true; - } + } } $_SESSION['return'][] = array( 'type' => 'danger', @@ -1688,15 +1692,15 @@ function verify_tfa_login($username, $_data) { 'msg' => 'totp_verification_failed' ); return false; - } - catch (PDOException $e) { + } + catch (PDOException $e) { $_SESSION['return'][] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $username, '*'), 'msg' => array('mysql_error', $e) ); return false; - } + } break; case "webauthn": $tokenData = json_decode($_data['token']); @@ -1706,13 +1710,20 @@ function verify_tfa_login($username, $_data) { $id = base64_decode($tokenData->id); $challenge = $_SESSION['challenge']; - $stmt = $pdo->prepare("SELECT `id`, `key_id`, `keyHandle`, `username`, `publicKey` FROM `tfa` WHERE `keyHandle` = :tokenId"); - $stmt->execute(array(':tokenId' => $tokenData->id)); + $stmt = $pdo->prepare("SELECT `id`, `key_id`, `keyHandle`, `username`, `publicKey` FROM `tfa` WHERE `id` = :id"); + $stmt->execute(array(':id' => $_data['id'])); $process_webauthn = $stmt->fetch(PDO::FETCH_ASSOC); - if (empty($process_webauthn) || empty($process_webauthn['publicKey']) || empty($process_webauthn['username'])) return false; + if (empty($process_webauthn)){ + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $username, '*'), + 'msg' => array('webauthn_verification_failed', 'authenticator not found') + ); + return false; + } - if ($process_webauthn['publicKey'] === false) { + if (empty($process_webauthn['publicKey']) || $process_webauthn['publicKey'] === false) { $_SESSION['return'][] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $username, '*'), diff --git a/data/web/templates/base.twig b/data/web/templates/base.twig index 2691718b..b51dcde2 100644 --- a/data/web/templates/base.twig +++ b/data/web/templates/base.twig @@ -194,8 +194,8 @@ function recursiveBase64StrToArrayBuffer(obj) { $(".yubi-authenticator-selection").removeClass("active"); $(this).addClass("active"); - var key_id = $(this).children('span').first().text(); - $("#yubi_selected_key_id").val(key_id); + var id = $(this).children('input').first().val(); + $("#yubi_selected_id").val(id); $("#collapseYubiTFA").collapse('show'); }); @@ -211,8 +211,8 @@ function recursiveBase64StrToArrayBuffer(obj) { $(".totp-authenticator-selection").removeClass("active"); $(this).addClass("active"); - var key_id = $(this).children('span').first().text(); - $("#totp_selected_key_id").val(key_id); + var id = $(this).children('input').first().val(); + $("#totp_selected_id").val(id); $("#collapseTotpTFA").collapse('show'); }); @@ -228,8 +228,8 @@ function recursiveBase64StrToArrayBuffer(obj) { $(".webauthn-authenticator-selection").removeClass("active"); $(this).addClass("active"); - var key_id = $(this).children('span').first().text(); - $("#webauthn_selected_key_id").val(key_id); + var id = $(this).children('input').first().val(); + $("#webauthn_selected_id").val(id); $("#collapseWebAuthnTFA").collapse('show'); diff --git a/data/web/templates/modals/footer.twig b/data/web/templates/modals/footer.twig index 6df4a10d..67cc3482 100644 --- a/data/web/templates/modals/footer.twig +++ b/data/web/templates/modals/footer.twig @@ -139,7 +139,7 @@
-

2-Factor-Authentication

+

{{ lang.tfa.tfa }}

@@ -205,7 +206,7 @@
- Available Authenticators + Authenticators
{% for authenticator in pending_tfa_methods %} @@ -213,6 +214,7 @@ {{ authenticator["key_id"] }} + {% endif %} {% endfor %} @@ -223,7 +225,7 @@ Yubicon Icon - +
@@ -240,7 +242,7 @@ - Available Authenticators + Authenticators
{% for authenticator in pending_tfa_methods %} @@ -248,6 +250,7 @@ {{ authenticator["key_id"] }} + {% endif %} {% endfor %} @@ -258,7 +261,7 @@ -
+
From 21fadf6df2bad0a7d4edf18a1506303b1728edb0 Mon Sep 17 00:00:00 2001 From: FreddleSpl0it Date: Tue, 22 Feb 2022 09:38:06 +0100 Subject: [PATCH 010/115] [Web] multiple tfa - domainadmin support --- data/web/inc/functions.inc.php | 2 +- data/web/templates/domainadmin.twig | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php index f93e7eca..384905d4 100644 --- a/data/web/inc/functions.inc.php +++ b/data/web/inc/functions.inc.php @@ -876,7 +876,7 @@ function check_login($user, $pass, $app_passwd_data = false) { if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0) { $_SESSION['pending_mailcow_cc_username'] = $user; $_SESSION['pending_mailcow_cc_role'] = "domainadmin"; - $_SESSION['pending_tfa_method'] = $authenticators['additional']; + $_SESSION['pending_tfa_methods'] = $authenticators['additional']; unset($_SESSION['ldelay']); $_SESSION['return'][] = array( 'type' => 'info', diff --git a/data/web/templates/domainadmin.twig b/data/web/templates/domainadmin.twig index 6aae54ba..3bc7ab40 100644 --- a/data/web/templates/domainadmin.twig +++ b/data/web/templates/domainadmin.twig @@ -28,7 +28,7 @@
From 49c506eed956fdc985f3b64e82336c27fca68e52 Mon Sep 17 00:00:00 2001 From: FreddleSpl0it Date: Mon, 7 Mar 2022 11:41:13 +0100 Subject: [PATCH 011/115] [Web] multiple tfa - user support --- data/web/inc/functions.inc.php | 47 ++++++++++++++-------- data/web/inc/triggers.inc.php | 6 +-- data/web/templates/user/tab-user-auth.twig | 27 ++++++++++++- data/web/user.php | 1 + 4 files changed, 60 insertions(+), 21 deletions(-) diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php index 384905d4..12efd60b 100644 --- a/data/web/inc/functions.inc.php +++ b/data/web/inc/functions.inc.php @@ -936,24 +936,39 @@ function check_login($user, $pass, $app_passwd_data = false) { $rows = array_merge($rows, $stmt->fetchAll(PDO::FETCH_ASSOC)); } foreach ($rows as $row) { + // verify password if (verify_hash($row['password'], $pass) !== false) { - unset($_SESSION['ldelay']); - $_SESSION['return'][] = array( - 'type' => 'success', - 'log' => array(__FUNCTION__, $user, '*'), - 'msg' => array('logged_in_as', $user) - ); - if ($app_passwd_data['eas'] === true || $app_passwd_data['dav'] === true) { - $service = ($app_passwd_data['eas'] === true) ? 'EAS' : 'DAV'; - $stmt = $pdo->prepare("REPLACE INTO sasl_log (`service`, `app_password`, `username`, `real_rip`) VALUES (:service, :app_id, :username, :remote_addr)"); - $stmt->execute(array( - ':service' => $service, - ':app_id' => $row['app_passwd_id'], - ':username' => $user, - ':remote_addr' => ($_SERVER['HTTP_X_REAL_IP'] ?? $_SERVER['REMOTE_ADDR']) - )); + // check for tfa authenticators + $authenticators = get_tfa($user); + if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0) { + $_SESSION['pending_mailcow_cc_username'] = $user; + $_SESSION['pending_mailcow_cc_role'] = "user"; + $_SESSION['pending_tfa_methods'] = $authenticators['additional']; + unset($_SESSION['ldelay']); + $_SESSION['return'][] = array( + 'type' => 'success', + 'log' => array(__FUNCTION__, $user, '*'), + 'msg' => array('logged_in_as', $user) + ); + return "pending"; + } else { + if ($app_passwd_data['eas'] === true || $app_passwd_data['dav'] === true) { + $service = ($app_passwd_data['eas'] === true) ? 'EAS' : 'DAV'; + $stmt = $pdo->prepare("REPLACE INTO sasl_log (`service`, `app_password`, `username`, `real_rip`) VALUES (:service, :app_id, :username, :remote_addr)"); + $stmt->execute(array( + ':service' => $service, + ':app_id' => $row['app_passwd_id'], + ':username' => $user, + ':remote_addr' => ($_SERVER['HTTP_X_REAL_IP'] ?? $_SERVER['REMOTE_ADDR']) + )); + } + + unset($_SESSION['ldelay']); + // Reactivate TFA if it was set to "deactivate TFA for next login" + $stmt = $pdo->prepare("UPDATE `tfa` SET `active`='1' WHERE `username` = :user"); + $stmt->execute(array(':user' => $user)); + return "user"; } - return "user"; } } diff --git a/data/web/inc/triggers.inc.php b/data/web/inc/triggers.inc.php index 1e2bdb42..aec043e9 100644 --- a/data/web/inc/triggers.inc.php +++ b/data/web/inc/triggers.inc.php @@ -61,9 +61,9 @@ if (isset($_POST["login_user"]) && isset($_POST["pass_user"])) { header("Location: /user"); } elseif ($as != "pending") { - unset($_SESSION['pending_mailcow_cc_username']); - unset($_SESSION['pending_mailcow_cc_role']); - unset($_SESSION['pending_tfa_methods']); + unset($_SESSION['pending_mailcow_cc_username']); + unset($_SESSION['pending_mailcow_cc_role']); + unset($_SESSION['pending_tfa_methods']); unset($_SESSION['mailcow_cc_username']); unset($_SESSION['mailcow_cc_role']); } diff --git a/data/web/templates/user/tab-user-auth.twig b/data/web/templates/user/tab-user-auth.twig index e1f84fff..0d4c6f32 100644 --- a/data/web/templates/user/tab-user-auth.twig +++ b/data/web/templates/user/tab-user-auth.twig @@ -15,6 +15,10 @@ {{ lang.user.open_webmail_sso }} {% endif %} +
@@ -40,8 +44,27 @@

{{ mailboxdata.quota_used|formatBytes(2) }} / {% if mailboxdata.quota == 0 %}∞{% else %}{{ mailboxdata.quota|formatBytes(2) }}{% endif %}
{{ mailboxdata.messages }} {{ lang.user.messages }}

-
-

{{ lang.user.change_password }}

+ + +
+ {# TFA #} +
+
{{ lang.tfa.tfa }}:
+
+

{{ tfa_data.pretty }}

+ {% include 'tfa_keys.twig' %} +
+
+
+
+
{{ lang.tfa.set_tfa }}:
+
+
diff --git a/data/web/user.php b/data/web/user.php index 5bf60917..d7faf791 100644 --- a/data/web/user.php +++ b/data/web/user.php @@ -76,6 +76,7 @@ elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == ' 'acl_json' => json_encode($_SESSION['acl']), 'user_spam_score' => mailbox('get', 'spam_score', $username), 'tfa_data' => $tfa_data, + 'tfa_id' => @$_SESSION['tfa_id'], 'fido2_data' => $fido2_data, 'mailboxdata' => $mailboxdata, 'clientconfigstr' => $clientconfigstr, From e7fe52a62522ef3f0f51d79e964c8209834073cc Mon Sep 17 00:00:00 2001 From: FreddleSpl0it Date: Mon, 14 Mar 2022 09:29:07 +0100 Subject: [PATCH 012/115] [Web] increase mysql publicKey field length --- data/web/inc/init_db.inc.php | 4 ++-- data/web/json_api.php | 21 +++++++++++---------- 2 files changed, 13 insertions(+), 12 deletions(-) diff --git a/data/web/inc/init_db.inc.php b/data/web/inc/init_db.inc.php index 3cab461e..5705379d 100644 --- a/data/web/inc/init_db.inc.php +++ b/data/web/inc/init_db.inc.php @@ -3,7 +3,7 @@ function init_db_schema() { try { global $pdo; - $db_version = "18012022_1020"; + $db_version = "14032022_0921"; $stmt = $pdo->query("SHOW TABLES LIKE 'versions'"); $num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC)); @@ -699,7 +699,7 @@ function init_db_schema() { "authmech" => "ENUM('yubi_otp', 'u2f', 'hotp', 'totp', 'webauthn')", "secret" => "VARCHAR(255) DEFAULT NULL", "keyHandle" => "VARCHAR(255) DEFAULT NULL", - "publicKey" => "VARCHAR(255) DEFAULT NULL", + "publicKey" => "VARCHAR(4096) DEFAULT NULL", "counter" => "INT NOT NULL DEFAULT '0'", "certificate" => "TEXT", "active" => "TINYINT(1) NOT NULL DEFAULT '0'" diff --git a/data/web/json_api.php b/data/web/json_api.php index 9a557e7b..79056bc6 100644 --- a/data/web/json_api.php +++ b/data/web/json_api.php @@ -175,15 +175,22 @@ if (isset($_GET['query'])) { // parse post data $post = trim(file_get_contents('php://input')); if ($post) $post = json_decode($post); - - // decode base64 strings - $clientDataJSON = base64_decode($post->clientDataJSON); - $attestationObject = base64_decode($post->attestationObject); // process registration data from authenticator try { + // decode base64 strings + $clientDataJSON = base64_decode($post->clientDataJSON); + $attestationObject = base64_decode($post->attestationObject); + // processCreate($clientDataJSON, $attestationObject, $challenge, $requireUserVerification=false, $requireUserPresent=true, $failIfRootMismatch=true) $data = $WebAuthn->processCreate($clientDataJSON, $attestationObject, $_SESSION['challenge'], false, true); + + // safe authenticator in mysql `tfa` table + $_data['tfa_method'] = $post->tfa_method; + $_data['key_id'] = $post->key_id; + $_data['confirm_password'] = $post->confirm_password; + $_data['registration'] = $data; + set_tfa($_data); } catch (Throwable $ex) { // err @@ -194,12 +201,6 @@ if (isset($_GET['query'])) { exit; } - // safe authenticator in mysql `tfa` table - $_data['tfa_method'] = $post->tfa_method; - $_data['key_id'] = $post->key_id; - $_data['confirm_password'] = $post->confirm_password; - $_data['registration'] = $data; - set_tfa($_data); // send response $return = new stdClass(); From b185f83fc3e38ae44d87161e4f9d229bcc8f4bec Mon Sep 17 00:00:00 2001 From: FreddleSpl0it Date: Fri, 18 Mar 2022 08:37:22 +0100 Subject: [PATCH 013/115] [Web] tfa extra debugging --- data/web/inc/functions.inc.php | 94 ++++++++++++++++++++++++++++++---- 1 file changed, 84 insertions(+), 10 deletions(-) diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php index 12efd60b..c58662fd 100644 --- a/data/web/inc/functions.inc.php +++ b/data/web/inc/functions.inc.php @@ -1626,12 +1626,28 @@ function verify_tfa_login($username, $_data) { global $tfa; global $WebAuthn; + // just for debugging + // remove later + $_SESSION['return'][] = array( + 'type' => 'info', + 'log' => array(__FUNCTION__, 'tfa_post_data_log'), + 'msg' => $_data + ); + if ($_data['tfa_method'] != 'u2f'){ $stmt = $pdo->prepare("SELECT `authmech` FROM `tfa` WHERE `username` = :username AND `id` = :id AND `active` = '1'"); $stmt->execute(array(':username' => $username, ':id' => $_data['id'])); $row = $stmt->fetch(PDO::FETCH_ASSOC); + // just for debugging + // remove later + $_SESSION['return'][] = array( + 'type' => 'info', + 'log' => array(__FUNCTION__, 'tfa_verify_authmech'), + 'msg' => $row + ); + switch ($row["authmech"]) { case "yubi_otp": if (!ctype_alnum($_data['token']) || strlen($_data['token']) != 44) { @@ -1718,6 +1734,7 @@ function verify_tfa_login($username, $_data) { } break; case "webauthn": + // prepare authenticator data $tokenData = json_decode($_data['token']); $clientDataJSON = base64_decode($tokenData->clientDataJSON); $authenticatorData = base64_decode($tokenData->authenticatorData); @@ -1725,10 +1742,28 @@ function verify_tfa_login($username, $_data) { $id = base64_decode($tokenData->id); $challenge = $_SESSION['challenge']; - $stmt = $pdo->prepare("SELECT `id`, `key_id`, `keyHandle`, `username`, `publicKey` FROM `tfa` WHERE `id` = :id"); + // just for debugging + // remove later + $_SESSION['return'][] = array( + 'type' => 'info', + 'log' => array(__FUNCTION__, 'tfa_try_verify'), + 'msg' => 'try grab authenticator' + ); + + // fetch authenticator + $stmt = $pdo->prepare("SELECT `id`, `key_id`, `keyHandle`, `username`, `publicKey` FROM `tfa` WHERE `id` = :id AND `active`='1'"); $stmt->execute(array(':id' => $_data['id'])); $process_webauthn = $stmt->fetch(PDO::FETCH_ASSOC); + // just for debugging + // remove later + $_SESSION['return'][] = array( + 'type' => 'info', + 'log' => array(__FUNCTION__, 'tfa_authenticator_grabbed'), + 'msg' => 'grabbed authenticator from db' + ); + + // return err if no authenticator was found if (empty($process_webauthn)){ $_SESSION['return'][] = array( 'type' => 'danger', @@ -1738,6 +1773,7 @@ function verify_tfa_login($username, $_data) { return false; } + // return err if authenticator has no publicKey if (empty($process_webauthn['publicKey']) || $process_webauthn['publicKey'] === false) { $_SESSION['return'][] = array( 'type' => 'danger', @@ -1746,6 +1782,8 @@ function verify_tfa_login($username, $_data) { ); return false; } + + // try verify authenticator try { $WebAuthn->processGet($clientDataJSON, $authenticatorData, $signature, $process_webauthn['publicKey'], $challenge, null, $GLOBALS['WEBAUTHN_UV_FLAG_LOGIN'], $GLOBALS['WEBAUTHN_USER_PRESENT_FLAG']); } @@ -1758,26 +1796,54 @@ function verify_tfa_login($username, $_data) { return false; } - + // just for debugging + // remove later + $_SESSION['return'][] = array( + 'type' => 'info', + 'log' => array(__FUNCTION__, 'tfa_progress'), + 'msg' => 'authenticator verified, check user role' + ); + + // if verified, check user role $stmt = $pdo->prepare("SELECT `superadmin` FROM `admin` WHERE `username` = :username"); $stmt->execute(array(':username' => $process_webauthn['username'])); $obj_props = $stmt->fetch(PDO::FETCH_ASSOC); if ($obj_props['superadmin'] === 1) { - $_SESSION["mailcow_cc_role"] = "admin"; + // is admin + $_SESSION["mailcow_cc_role"] = "admin"; } elseif ($obj_props['superadmin'] === 0) { - $_SESSION["mailcow_cc_role"] = "domainadmin"; + // is domainadmin + $_SESSION["mailcow_cc_role"] = "domainadmin"; } else { - $stmt = $pdo->prepare("SELECT `username` FROM `mailbox` WHERE `username` = :username"); - $stmt->execute(array(':username' => $process_webauthn['username'])); - $row = $stmt->fetch(PDO::FETCH_ASSOC); - if ($row['username'] == $process_webauthn['username']) { + // just for debugging + // remove later + $_SESSION['return'][] = array( + 'type' => 'info', + 'log' => array(__FUNCTION__, 'tfa_progress'), + 'msg' => 'no admin or domainadmin role, check if normal user' + ); + + // no admin, check if normal user + $stmt = $pdo->prepare("SELECT `username` FROM `mailbox` WHERE `username` = :username"); + $stmt->execute(array(':username' => $process_webauthn['username'])); + $row = $stmt->fetch(PDO::FETCH_ASSOC); + if (!empty($row['username']) { + // is user $_SESSION["mailcow_cc_role"] = "user"; - } + } else { + // err, no specific role found + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $username, '*'), + 'msg' => array('webauthn_verification_failed', 'could not determine user role') + ); + return false; + } } - + // check if fetched user and pendig_user matches if ($process_webauthn['username'] != $_SESSION['pending_mailcow_cc_username']){ $_SESSION['return'][] = array( 'type' => 'danger', @@ -1787,7 +1853,15 @@ function verify_tfa_login($username, $_data) { return false; } + // just for debugging + // remove later + $_SESSION['return'][] = array( + 'type' => 'info', + 'log' => array(__FUNCTION__, 'tfa_success'), + 'msg' => 'tfa flow success' + ); + // set user session data and delete WebAuthn challenge session $_SESSION["mailcow_cc_username"] = $process_webauthn['username']; $_SESSION['tfa_id'] = $process_webauthn['id']; $_SESSION['authReq'] = null; From 70921b8d154d365f13b50b91a68ae5cc484a79a9 Mon Sep 17 00:00:00 2001 From: FreddleSpl0it Date: Fri, 18 Mar 2022 08:45:02 +0100 Subject: [PATCH 014/115] [Web] tfa extra debugging --- data/web/inc/functions.inc.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php index c58662fd..e43024f1 100644 --- a/data/web/inc/functions.inc.php +++ b/data/web/inc/functions.inc.php @@ -1829,7 +1829,7 @@ function verify_tfa_login($username, $_data) { $stmt = $pdo->prepare("SELECT `username` FROM `mailbox` WHERE `username` = :username"); $stmt->execute(array(':username' => $process_webauthn['username'])); $row = $stmt->fetch(PDO::FETCH_ASSOC); - if (!empty($row['username']) { + if (!empty($row['username'])) { // is user $_SESSION["mailcow_cc_role"] = "user"; } else { From 6d3798ad08176cf542bb2fdea858be99cccbf190 Mon Sep 17 00:00:00 2001 From: FreddleSpl0it Date: Sat, 19 Mar 2022 20:18:31 +0100 Subject: [PATCH 015/115] [Web] fix yubi otp --- data/web/inc/functions.inc.php | 73 +--------------------------------- 1 file changed, 2 insertions(+), 71 deletions(-) diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php index e43024f1..9c73a475 100644 --- a/data/web/inc/functions.inc.php +++ b/data/web/inc/functions.inc.php @@ -1626,28 +1626,12 @@ function verify_tfa_login($username, $_data) { global $tfa; global $WebAuthn; - // just for debugging - // remove later - $_SESSION['return'][] = array( - 'type' => 'info', - 'log' => array(__FUNCTION__, 'tfa_post_data_log'), - 'msg' => $_data - ); - if ($_data['tfa_method'] != 'u2f'){ $stmt = $pdo->prepare("SELECT `authmech` FROM `tfa` WHERE `username` = :username AND `id` = :id AND `active` = '1'"); $stmt->execute(array(':username' => $username, ':id' => $_data['id'])); $row = $stmt->fetch(PDO::FETCH_ASSOC); - // just for debugging - // remove later - $_SESSION['return'][] = array( - 'type' => 'info', - 'log' => array(__FUNCTION__, 'tfa_verify_authmech'), - 'msg' => $row - ); - switch ($row["authmech"]) { case "yubi_otp": if (!ctype_alnum($_data['token']) || strlen($_data['token']) != 44) { @@ -1662,8 +1646,8 @@ function verify_tfa_login($username, $_data) { $stmt = $pdo->prepare("SELECT `id`, `secret` FROM `tfa` WHERE `username` = :username AND `authmech` = 'yubi_otp' - AND `id` = ':id' - AND `active`='1' + AND `id` = :id + AND `active` = '1' AND `secret` LIKE :modhex"); $stmt->execute(array(':username' => $username, ':modhex' => '%' . $yubico_modhex_id, ':id' => $_data['id'])); $row = $stmt->fetch(PDO::FETCH_ASSOC); @@ -1734,7 +1718,6 @@ function verify_tfa_login($username, $_data) { } break; case "webauthn": - // prepare authenticator data $tokenData = json_decode($_data['token']); $clientDataJSON = base64_decode($tokenData->clientDataJSON); $authenticatorData = base64_decode($tokenData->authenticatorData); @@ -1742,28 +1725,10 @@ function verify_tfa_login($username, $_data) { $id = base64_decode($tokenData->id); $challenge = $_SESSION['challenge']; - // just for debugging - // remove later - $_SESSION['return'][] = array( - 'type' => 'info', - 'log' => array(__FUNCTION__, 'tfa_try_verify'), - 'msg' => 'try grab authenticator' - ); - - // fetch authenticator $stmt = $pdo->prepare("SELECT `id`, `key_id`, `keyHandle`, `username`, `publicKey` FROM `tfa` WHERE `id` = :id AND `active`='1'"); $stmt->execute(array(':id' => $_data['id'])); $process_webauthn = $stmt->fetch(PDO::FETCH_ASSOC); - // just for debugging - // remove later - $_SESSION['return'][] = array( - 'type' => 'info', - 'log' => array(__FUNCTION__, 'tfa_authenticator_grabbed'), - 'msg' => 'grabbed authenticator from db' - ); - - // return err if no authenticator was found if (empty($process_webauthn)){ $_SESSION['return'][] = array( 'type' => 'danger', @@ -1773,7 +1738,6 @@ function verify_tfa_login($username, $_data) { return false; } - // return err if authenticator has no publicKey if (empty($process_webauthn['publicKey']) || $process_webauthn['publicKey'] === false) { $_SESSION['return'][] = array( 'type' => 'danger', @@ -1783,7 +1747,6 @@ function verify_tfa_login($username, $_data) { return false; } - // try verify authenticator try { $WebAuthn->processGet($clientDataJSON, $authenticatorData, $signature, $process_webauthn['publicKey'], $challenge, null, $GLOBALS['WEBAUTHN_UV_FLAG_LOGIN'], $GLOBALS['WEBAUTHN_USER_PRESENT_FLAG']); } @@ -1796,44 +1759,22 @@ function verify_tfa_login($username, $_data) { return false; } - // just for debugging - // remove later - $_SESSION['return'][] = array( - 'type' => 'info', - 'log' => array(__FUNCTION__, 'tfa_progress'), - 'msg' => 'authenticator verified, check user role' - ); - - // if verified, check user role $stmt = $pdo->prepare("SELECT `superadmin` FROM `admin` WHERE `username` = :username"); $stmt->execute(array(':username' => $process_webauthn['username'])); $obj_props = $stmt->fetch(PDO::FETCH_ASSOC); if ($obj_props['superadmin'] === 1) { - // is admin $_SESSION["mailcow_cc_role"] = "admin"; } elseif ($obj_props['superadmin'] === 0) { - // is domainadmin $_SESSION["mailcow_cc_role"] = "domainadmin"; } else { - // just for debugging - // remove later - $_SESSION['return'][] = array( - 'type' => 'info', - 'log' => array(__FUNCTION__, 'tfa_progress'), - 'msg' => 'no admin or domainadmin role, check if normal user' - ); - - // no admin, check if normal user $stmt = $pdo->prepare("SELECT `username` FROM `mailbox` WHERE `username` = :username"); $stmt->execute(array(':username' => $process_webauthn['username'])); $row = $stmt->fetch(PDO::FETCH_ASSOC); if (!empty($row['username'])) { - // is user $_SESSION["mailcow_cc_role"] = "user"; } else { - // err, no specific role found $_SESSION['return'][] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $username, '*'), @@ -1843,7 +1784,6 @@ function verify_tfa_login($username, $_data) { } } - // check if fetched user and pendig_user matches if ($process_webauthn['username'] != $_SESSION['pending_mailcow_cc_username']){ $_SESSION['return'][] = array( 'type' => 'danger', @@ -1853,15 +1793,6 @@ function verify_tfa_login($username, $_data) { return false; } - // just for debugging - // remove later - $_SESSION['return'][] = array( - 'type' => 'info', - 'log' => array(__FUNCTION__, 'tfa_success'), - 'msg' => 'tfa flow success' - ); - - // set user session data and delete WebAuthn challenge session $_SESSION["mailcow_cc_username"] = $process_webauthn['username']; $_SESSION['tfa_id'] = $process_webauthn['id']; $_SESSION['authReq'] = null; From 3029a2d33d4b67ccabac8a7e6f96fba9ced05fff Mon Sep 17 00:00:00 2001 From: Niklas Meyer <62480600+DerLinkman@users.noreply.github.com> Date: Tue, 17 May 2022 15:26:01 +0200 Subject: [PATCH 016/115] Change DB Date to newer Date than staging --- data/web/inc/init_db.inc.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/web/inc/init_db.inc.php b/data/web/inc/init_db.inc.php index 1e6b8133..be9078ff 100644 --- a/data/web/inc/init_db.inc.php +++ b/data/web/inc/init_db.inc.php @@ -3,7 +3,7 @@ function init_db_schema() { try { global $pdo; - $db_version = "02052022_1500"; + $db_version = "17052022_1525"; $stmt = $pdo->query("SHOW TABLES LIKE 'versions'"); $num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC)); From 3c9502f24114545b494fce65657f428dc7ea3772 Mon Sep 17 00:00:00 2001 From: FreddleSpl0it Date: Tue, 17 May 2022 19:02:52 +0200 Subject: [PATCH 017/115] add webauthn console log --- data/web/templates/base.twig | 1 + 1 file changed, 1 insertion(+) diff --git a/data/web/templates/base.twig b/data/web/templates/base.twig index b51dcde2..945d4501 100644 --- a/data/web/templates/base.twig +++ b/data/web/templates/base.twig @@ -245,6 +245,7 @@ function recursiveBase64StrToArrayBuffer(obj) { window.fetch("/api/v1/get/webauthn-tfa-get-args", {method:'GET',cache:'no-cache'}).then(response => { return response.json(); }).then(json => { + console.log(json); if (json.success === false) throw new Error(); if (json.type === "error") throw new Error(json.msg); From 4ec982163edc014ec04c63927bebd6cc3e9c8bcf Mon Sep 17 00:00:00 2001 From: FreddleSpl0it Date: Wed, 18 May 2022 09:39:50 +0200 Subject: [PATCH 018/115] restrict webauthn-tfa-get-args sql query --- data/web/json_api.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/web/json_api.php b/data/web/json_api.php index 4b0e294c..53e47af6 100644 --- a/data/web/json_api.php +++ b/data/web/json_api.php @@ -452,7 +452,7 @@ if (isset($_GET['query'])) { } break; case "webauthn-tfa-get-args": - $stmt = $pdo->prepare("SELECT `keyHandle` FROM `tfa` WHERE username = :username"); + $stmt = $pdo->prepare("SELECT `keyHandle` FROM `tfa` WHERE username = :username AND authmech = `webauthn`"); $stmt->execute(array(':username' => $_SESSION['pending_mailcow_cc_username'])); $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); if (count($rows) == 0) { From 7d5990bf0fff79411d9e783cb5182705d367f5cc Mon Sep 17 00:00:00 2001 From: FreddleSpl0it Date: Wed, 18 May 2022 10:03:10 +0200 Subject: [PATCH 019/115] restrict webauthn-tfa-get-args sql query --- data/web/json_api.php | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/data/web/json_api.php b/data/web/json_api.php index 53e47af6..2c8f13fb 100644 --- a/data/web/json_api.php +++ b/data/web/json_api.php @@ -452,8 +452,11 @@ if (isset($_GET['query'])) { } break; case "webauthn-tfa-get-args": - $stmt = $pdo->prepare("SELECT `keyHandle` FROM `tfa` WHERE username = :username AND authmech = `webauthn`"); - $stmt->execute(array(':username' => $_SESSION['pending_mailcow_cc_username'])); + $stmt = $pdo->prepare("SELECT `keyHandle` FROM `tfa` WHERE username = :username AND authmech = :authmech"); + $stmt->execute(array( + ':username' => $_SESSION['pending_mailcow_cc_username'], + ':authmech' => 'webauthn' + )); $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); if (count($rows) == 0) { print(json_encode(array( From 0eb254577374963160770d9ab08759c6e76ac04d Mon Sep 17 00:00:00 2001 From: FreddleSpl0it Date: Tue, 7 Jun 2022 09:01:04 +0200 Subject: [PATCH 020/115] [WebAuthn] send empty transports array to fix android bug --- data/web/json_api.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/data/web/json_api.php b/data/web/json_api.php index 2c8f13fb..0ebc95bc 100644 --- a/data/web/json_api.php +++ b/data/web/json_api.php @@ -421,7 +421,7 @@ if (isset($_GET['query'])) { // } $ids = NULL; - $getArgs = $WebAuthn->getGetArgs($ids, 30, true, true, true, true, $GLOBALS['FIDO2_UV_FLAG_LOGIN']); + $getArgs = $WebAuthn->getGetArgs($ids, 30, false, false, false, false, $GLOBALS['FIDO2_UV_FLAG_LOGIN']); print(json_encode($getArgs)); $_SESSION['challenge'] = $WebAuthn->getChallenge(); return; @@ -469,7 +469,7 @@ if (isset($_GET['query'])) { $cids[] = base64_decode($row['keyHandle']); } - $getArgs = $WebAuthn->getGetArgs($cids, 30, true, true, true, true, $GLOBALS['WEBAUTHN_UV_FLAG_LOGIN']); + $getArgs = $WebAuthn->getGetArgs($cids, 30, false, false, false, false, $GLOBALS['WEBAUTHN_UV_FLAG_LOGIN']); $getArgs->publicKey->extensions = array('appid' => "https://".$getArgs->publicKey->rpId); print(json_encode($getArgs)); $_SESSION['challenge'] = $WebAuthn->getChallenge(); From 71db83efce069c8f241bdfd4ecac56babc9b2610 Mon Sep 17 00:00:00 2001 From: FreddleSpl0it Date: Mon, 13 Jun 2022 12:46:39 +0200 Subject: [PATCH 021/115] hotfix imapsync --- data/web/inc/functions.mailbox.inc.php | 61 +++++++++++- data/web/inc/vars.inc.php | 132 +++++++++++++++++++++++++ 2 files changed, 188 insertions(+), 5 deletions(-) diff --git a/data/web/inc/functions.mailbox.inc.php b/data/web/inc/functions.mailbox.inc.php index 7f8ff3ac..d6a07eab 100644 --- a/data/web/inc/functions.mailbox.inc.php +++ b/data/web/inc/functions.mailbox.inc.php @@ -336,9 +336,34 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { $mins_interval = $_data['mins_interval']; $enc1 = $_data['enc1']; $custom_params = (empty(trim($_data['custom_params']))) ? '' : trim($_data['custom_params']); - // Workaround, fixme - if (stripos($custom_params, 'pipemess') || stripos($custom_params, 'pipemes')) { - $custom_params = ''; + + // validate custom params + foreach (explode(' -', $custom_params) as $param){ + if (str_contains($param, ' ')) { + // bad char + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr), + 'msg' => 'bad character SPACE' + ); + return false; + } + + // extract option + if (str_contains($param, '=')) $param = explode('=', $param)[0]; + // remove first char if first char is - + if ($param[0] == '-') $param = ltrim($param, $param[0]); + + // check if param is whitelisted + if (!in_array(strtolower($param), $GLOBALS["IMAPSYNC_OPTIONS"]["whitelist"])){ + // bad option + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr), + 'msg' => 'bad option '. $param + ); + return false; + } } if (empty($subfolder2)) { $subfolder2 = ""; @@ -1764,8 +1789,34 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { ); continue; } - if (stripos($custom_params, 'pipemess') || stripos($custom_params, 'pipemes')) { - $custom_params = ''; + + // validate custom params + foreach (explode(' -', $custom_params) as $param){ + if (str_contains($param, ' ')) { + // bad char + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr), + 'msg' => 'bad character SPACE' + ); + return false; + } + + // extract option + if (str_contains($param, '=')) $param = explode('=', $param)[0]; + // remove first char if first char is - + if ($param[0] == '-') $param = ltrim($param, $param[0]); + + // check if param is whitelisted + if (!in_array(strtolower($param), $GLOBALS["IMAPSYNC_OPTIONS"]["whitelist"])){ + // bad option + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr), + 'msg' => 'bad option '. $param + ); + return false; + } } if (empty($subfolder2)) { $subfolder2 = ""; diff --git a/data/web/inc/vars.inc.php b/data/web/inc/vars.inc.php index c8e79bc4..6e08be13 100644 --- a/data/web/inc/vars.inc.php +++ b/data/web/inc/vars.inc.php @@ -228,3 +228,135 @@ $RSPAMD_MAPS = array( 'Monitoring Hosts' => 'monitoring_nolog.map' ) ); + + +$IMAPSYNC_OPTIONS = array( + 'whitelist' => array( + 'log', + 'showpasswords', + 'nossl1', + 'nossl2', + 'ssl2', + 'notls1', + 'notls2', + 'tls2', + 'debugssl', + 'sslargs1', + 'sslargs2', + 'authmech1', + 'authmech2', + 'authuser1', + 'authuser2', + 'proxyauth1', + 'proxyauth2', + 'authmd51', + 'authmd52', + 'domain1', + 'domain2', + 'oauthaccesstoken1', + 'oauthaccesstoken2', + 'oauthdirect1', + 'oauthdirect2', + 'folder', + 'folder', + 'folderrec', + 'folderrec', + 'folderfirst', + 'folderfirst', + 'folderlast', + 'folderlast', + 'nomixfolders', + 'skipemptyfolders', + 'include', + 'include', + 'subfolder1', + 'subscribed', + 'subscribe', + 'prefix1', + 'prefix2', + 'sep1', + 'sep2', + 'nofoldersizesatend', + 'justfoldersizes', + 'pidfile', + 'pidfilelocking', + 'nolog', + 'logfile', + 'logdir', + 'debugcrossduplicates', + 'disarmreadreceipts', + 'truncmess', + 'synclabels', + 'resynclabels', + 'resyncflags', + 'noresyncflags', + 'filterbuggyflags', + 'expunge1', + 'noexpunge1', + 'delete1emptyfolders', + 'delete2folders', + 'noexpunge2', + 'nouidexpunge2', + 'syncinternaldates', + 'idatefromheader', + 'maxsize', + 'minsize', + 'minage', + 'search', + 'search1', + 'search2', + 'noabletosearch', + 'noabletosearch1', + 'noabletosearch2', + 'maxlinelength', + 'useheader', + 'useheader', + 'syncduplicates', + 'usecache', + 'nousecache', + 'useuid', + 'syncacls', + 'nosyncacls', + 'debug', + 'debugfolders', + 'debugcontent', + 'debugflags', + 'debugimap1', + 'debugimap2', + 'debugimap', + 'debugmemory', + 'errorsmax', + 'tests', + 'testslive', + 'testslive6', + 'gmail1', + 'gmail2', + 'office1', + 'office2', + 'exchange1', + 'exchange2', + 'domino1', + 'domino2', + 'keepalive1', + 'keepalive2', + 'maxmessagespersecond', + 'maxbytesafter', + 'maxsleep', + 'abort', + 'exitwhenover', + 'noid', + 'justconnect', + 'justlogin', + 'justfolders' + ), + 'blacklist' => array( + 'skipmess', + 'delete2foldersonly', + 'delete2foldersbutnot', + 'regexflag', + 'regexmess', + 'pipemess', + 'regextrans2', + 'maxlinelengthcmd' + ) +); From 581be02e530496e17065d40550868d1e82e46c8f Mon Sep 17 00:00:00 2001 From: DerLinkman Date: Tue, 14 Jun 2022 15:02:40 +0200 Subject: [PATCH 022/115] [Dovecot] Update to 2.3.19.1 --- data/Dockerfiles/dovecot/Dockerfile | 2 +- docker-compose.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/data/Dockerfiles/dovecot/Dockerfile b/data/Dockerfiles/dovecot/Dockerfile index 4a914904..4e90052b 100644 --- a/data/Dockerfiles/dovecot/Dockerfile +++ b/data/Dockerfiles/dovecot/Dockerfile @@ -2,7 +2,7 @@ FROM debian:bullseye-slim LABEL maintainer "Andre Peters " ARG DEBIAN_FRONTEND=noninteractive -ARG DOVECOT=2.3.18 +ARG DOVECOT=2.3.19.1 ENV LC_ALL C ENV GOSU_VERSION 1.14 diff --git a/docker-compose.yml b/docker-compose.yml index e3b08637..09951cb3 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -215,7 +215,7 @@ services: - sogo dovecot-mailcow: - image: mailcow/dovecot:1.162 + image: mailcow/dovecot:1.17 depends_on: - mysql-mailcow dns: From 3fe776ee6947401b6f42fd3678369b3f75a9ee50 Mon Sep 17 00:00:00 2001 From: Peter Date: Tue, 14 Jun 2022 18:55:26 +0200 Subject: [PATCH 023/115] Update SOGo to 5.7.0 --- docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-compose.yml b/docker-compose.yml index e3b08637..3208e88b 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -168,7 +168,7 @@ services: - phpfpm sogo-mailcow: - image: mailcow/sogo:1.108 + image: mailcow/sogo:1.109 environment: - DBNAME=${DBNAME} - DBUSER=${DBUSER} From 537a7908f1a1a70c3ddadc4c4804a26b8e9bbfb4 Mon Sep 17 00:00:00 2001 From: Markus Ritzmann Date: Wed, 15 Jun 2022 15:49:29 +0200 Subject: [PATCH 024/115] Clamd: Fix Docker Healthcheck --- data/Dockerfiles/clamd/Dockerfile | 8 +++++++- data/Dockerfiles/clamd/healthcheck.sh | 9 +++++++++ docker-compose.yml | 2 +- 3 files changed, 17 insertions(+), 2 deletions(-) create mode 100755 data/Dockerfiles/clamd/healthcheck.sh diff --git a/data/Dockerfiles/clamd/Dockerfile b/data/Dockerfiles/clamd/Dockerfile index a4971133..cba56e03 100644 --- a/data/Dockerfiles/clamd/Dockerfile +++ b/data/Dockerfiles/clamd/Dockerfile @@ -8,8 +8,14 @@ RUN apk upgrade --no-cache \ bind-tools \ bash -COPY clamd.sh ./ +# init +COPY clamd.sh /clamd.sh RUN chmod +x /sbin/tini +# healthcheck +COPY healthcheck.sh /healthcheck.sh +RUN chmod +x /healthcheck.sh +HEALTHCHECK --start-period=6m CMD "/healthcheck.sh" + ENTRYPOINT [] CMD ["/sbin/tini", "-g", "--", "/clamd.sh"] \ No newline at end of file diff --git a/data/Dockerfiles/clamd/healthcheck.sh b/data/Dockerfiles/clamd/healthcheck.sh new file mode 100755 index 00000000..6c18ac06 --- /dev/null +++ b/data/Dockerfiles/clamd/healthcheck.sh @@ -0,0 +1,9 @@ +#!/bin/bash + +if [[ "${SKIP_CLAMD}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then + echo "SKIP_CLAMD=y, skipping ClamAV..." + exit 0 +fi + +# run clamd healthcheck +/usr/local/bin/clamdcheck.sh diff --git a/docker-compose.yml b/docker-compose.yml index e3b08637..b8276411 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -58,7 +58,7 @@ services: - redis clamd-mailcow: - image: mailcow/clamd:1.52 + image: mailcow/clamd:1.53 restart: always depends_on: - unbound-mailcow From 7166696aa2682617836c254e9243a3120a9243d0 Mon Sep 17 00:00:00 2001 From: DerLinkman Date: Thu, 16 Jun 2022 12:28:04 +0200 Subject: [PATCH 025/115] Readded Compose Standalone Download --- update.sh | 103 ++++++++++++++++++++++++++++++++++-------------------- 1 file changed, 65 insertions(+), 38 deletions(-) diff --git a/update.sh b/update.sh index 0b9e12d2..26a09785 100755 --- a/update.sh +++ b/update.sh @@ -44,27 +44,6 @@ for bin in curl docker git awk sha1sum; do if [[ -z $(which ${bin}) ]]; then echo "Cannot find ${bin}, exiting..."; exit 1; fi done - -echo "checking docker compose version..."; -if docker compose >/dev/null 2>&1; then - echo -e "\e[32mFound Compose v2!\e[0m" - COMPOSE_COMMAND="docker compose" -elif docker-compose version --short | grep -m1 "^2" > /dev/null 2>&1; then - echo -e "\e[32mFound Compose v2!\e[0m" - COMPOSE_COMMAND="docker-compose" -elif docker-compose version --short | grep -m1 "^1" > /dev/null 2>&1; then - echo -e "\e[33mWARN: Your machine is using Docker-Compose v1!\e[0m" - echo -e "\e[33mmailcow will drop the Docker-Compose v1 Support in December 2022\e[0m" - echo -e "\e[33mPlease consider a upgrade to Docker-Compose v2.\e[0m" - echo - echo - echo -e "\e[33mContinuing...\e[0m" - sleep 3 - COMPOSE_COMMAND="docker-compose" -else - echo -e "\e[31mCannot find Docker-Compose v1 or v2 on your System. Please install Docker-Compose v2 and re-run the Script.\e[0m" - exit 1 -fi export LC_ALL=C DATE=$(date +%Y-%m-%d_%H_%M_%S) BRANCH=$(cd ${SCRIPT_DIR}; git rev-parse --abbrev-ref HEAD) @@ -218,6 +197,50 @@ migrate_docker_nat() { fi } +update_compose(){ +if [[ ${NO_UPDATE_COMPOSE} == "y" ]]; then + echo -e "\e[33mNot fetching latest docker-compose, please check for updates manually!\e[0m" + return 0 +elif [[ -e /etc/alpine-release ]]; then + echo -e "\e[33mNot fetching latest docker-compose, because you are using Alpine Linux without glibc support. Please update docker-compose via apk!\e[0m" + return 0 +else + echo -e "\e[32mFetching new docker-compose version...\e[0m" + echo -e "\e[32mTrying to determine GLIBC version...\e[0m" + if ldd --version > /dev/null; then + GLIBC_V=$(ldd --version | grep -E '(GLIBC|GNU libc)' | rev | cut -d ' ' -f1 | rev | cut -d '.' -f2) + if [ ! -z "${GLIBC_V}" ] && [ ${GLIBC_V} -gt 27 ]; then + DC_DL_SUFFIX= + else + DC_DL_SUFFIX=legacy + fi + else + DC_DL_SUFFIX=legacy + fi + sleep 1 + if [[ ! -z $(which pip) && $(pip list --local 2>&1 | grep -v DEPRECATION | grep -c docker-compose) == 1 ]]; then + true + #prevent breaking a working docker-compose installed with pip + elif [[ $(curl -sL -w "%{http_code}" https://www.servercow.de/docker-compose/latest.php?vers=${DC_DL_SUFFIX} -o /dev/null) == "200" ]]; then + LATEST_COMPOSE=$(curl -#L https://www.servercow.de/docker-compose/latest.php) + COMPOSE_VERSION=$(docker-compose version --short) + if [[ "$LATEST_COMPOSE" != "$COMPOSE_VERSION" ]]; then + COMPOSE_PATH=$(which docker-compose) + if [[ -w ${COMPOSE_PATH} ]]; then + curl -#L https://github.com/docker/compose/releases/download/v${LATEST_COMPOSE}/docker-compose-$(uname -s)-$(uname -m) > $COMPOSE_PATH + chmod +x $COMPOSE_PATH + else + echo -e "\e[33mWARNING: $COMPOSE_PATH is not writable, but new version $LATEST_COMPOSE is available (installed: $COMPOSE_VERSION)\e[0m" + return 1 + fi + fi + else + echo -e "\e[33mCannot determine latest docker-compose version, skipping...\e[0m" + return 1 + fi +fi +} + while (($#)); do case "${1}" in --check|-c) @@ -256,6 +279,9 @@ while (($#)); do echo -e "\e[32mRunning in forced mode...\e[0m" FORCE=y ;; + --no-update-compose) + NO_UPDATE_COMPOSE=y + ;; --skip-ping-check) SKIP_PING_CHECK=y ;; @@ -265,6 +291,7 @@ while (($#)); do -c|--check - Check for updates and exit (exit codes => 0: update available, 3: no updates) --ours - Use merge strategy option "ours" to solve conflicts in favor of non-mailcow code (local changes over remote changes), not recommended! --gc - Run garbage collector to delete old image tags + --no-update-compose - Do not update docker-compose --prefetch - Only prefetch new images and exit (useful to prepare updates) --skip-start - Do not start mailcow after update --skip-ping-check - Skip ICMP Check to public DNS resolvers (Use it only if you´ve blocked any ICMP Connections to your mailcow machine). @@ -281,7 +308,7 @@ source mailcow.conf DOTS=${MAILCOW_HOSTNAME//[^.]}; if [ ${#DOTS} -lt 2 ]; then echo "MAILCOW_HOSTNAME (${MAILCOW_HOSTNAME}) is not a FQDN!" - echo "Please change it to a FQDN and run ${COMPOSE_COMMAND} down followed by ${COMPOSE_COMMAND} up -d" + echo "Please change it to a FQDN and run docker-compose down followed by docker-compose up -d" exit 1 fi @@ -571,6 +598,7 @@ echo -e "\e[32mChecking for newer update script...\e[0m" SHA1_1=$(sha1sum update.sh) git fetch origin #${BRANCH} git checkout origin/${BRANCH} update.sh +git checkout origin/${BRANCH} docker-compose.yml SHA1_2=$(sha1sum update.sh) if [[ ${SHA1_1} != ${SHA1_2} ]]; then echo "update.sh changed, please run this script again, exiting." @@ -594,14 +622,16 @@ if [ ! $FORCE ]; then migrate_docker_nat fi +update_compose + echo -e "\e[32mValidating docker-compose stack configuration...\e[0m" -if ! ${COMPOSE_COMMAND} config -q; then +if ! docker-compose config -q; then echo -e "\e[31m\nOh no, something went wrong. Please check the error message above.\e[0m" exit 1 fi echo -e "\e[32mChecking for conflicting bridges...\e[0m" -MAILCOW_BRIDGE=$(${COMPOSE_COMMAND} config | grep -i com.docker.network.bridge.name | cut -d':' -f2) +MAILCOW_BRIDGE=$(docker-compose config | grep -i com.docker.network.bridge.name | cut -d':' -f2) while read NAT_ID; do iptables -t nat -D POSTROUTING $NAT_ID done < <(iptables -L -vn -t nat --line-numbers | grep $IPV4_NETWORK | grep -E 'MASQUERADE.*all' | grep -v ${MAILCOW_BRIDGE} | cut -d' ' -f1) @@ -621,8 +651,8 @@ prefetch_images echo -e "\e[32mStopping mailcow...\e[0m" sleep 2 -MAILCOW_CONTAINERS=($(${COMPOSE_COMMAND} ps -q)) -${COMPOSE_COMMAND} down +MAILCOW_CONTAINERS=($(docker-compose ps -q)) +docker-compose down echo -e "\e[32mChecking for remaining containers...\e[0m" sleep 2 for container in "${MAILCOW_CONTAINERS[@]}"; do @@ -659,16 +689,13 @@ elif [[ ${MERGE_RETURN} == 1 ]]; then elif [[ ${MERGE_RETURN} != 0 ]]; then echo -e "\e[31m\nOh no, something went wrong. Please check the error message above.\e[0m" echo - echo "Run ${COMPOSE_COMMAND} up -d to restart your stack without updates or try again after fixing the mentioned errors." + echo "Run docker-compose up -d to restart your stack without updates or try again after fixing the mentioned errors." exit 1 fi -echo -e "\e[33mNot fetching latest docker-compose, please check for updates manually!\e[0m" -sleep 3 - echo -e "\e[32mFetching new images, if any...\e[0m" sleep 2 -${COMPOSE_COMMAND} pull +docker-compose pull # Fix missing SSL, does not overwrite existing files [[ ! -d data/assets/ssl ]] && mkdir -p data/assets/ssl @@ -723,11 +750,11 @@ else fi if [[ ${SKIP_START} == "y" ]]; then - echo -e "\e[33mNot starting mailcow, please run \"${COMPOSE_COMMAND} up -d --remove-orphans\" to start mailcow.\e[0m" + echo -e "\e[33mNot starting mailcow, please run \"docker-compose up -d --remove-orphans\" to start mailcow.\e[0m" else echo -e "\e[32mStarting mailcow...\e[0m" sleep 2 - ${COMPOSE_COMMAND} up -d --remove-orphans + docker-compose up -d --remove-orphans fi echo -e "\e[32mCollecting garbage...\e[0m" @@ -738,8 +765,8 @@ if [ -f "${SCRIPT_DIR}/post_update_hook.sh" ]; then bash "${SCRIPT_DIR}/post_update_hook.sh" fi -#echo "In case you encounter any problem, hard-reset to a state before updating mailcow:" -#echo -#git reflog --color=always | grep "Before update on " -#echo -#echo "Use \"git reset --hard hash-on-the-left\" and run ${COMPOSE_COMMAND} up -d afterwards." \ No newline at end of file +# echo "In case you encounter any problem, hard-reset to a state before updating mailcow:" +# echo +# git reflog --color=always | grep "Before update on " +# echo +# echo "Use \"git reset --hard hash-on-the-left\" and run docker-compose up -d afterwards." \ No newline at end of file From a139eb9bce925e66a99639efd4b1027e020ac26a Mon Sep 17 00:00:00 2001 From: DerLinkman Date: Thu, 16 Jun 2022 12:38:06 +0200 Subject: [PATCH 026/115] Readded Dual Stack availability of WebUI (default) --- docker-compose.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index e3b08637..a563df91 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -377,8 +377,8 @@ services: - ./data/conf/rspamd/meta_exporter:/meta_exporter:ro,z - sogo-web-vol-1:/usr/lib/GNUstep/SOGo/ ports: - - "${HTTPS_BIND:-0.0.0.0}:${HTTPS_PORT:-443}:${HTTPS_PORT:-443}" - - "${HTTP_BIND:-0.0.0.0}:${HTTP_PORT:-80}:${HTTP_PORT:-80}" + - "${HTTPS_BIND:-}:${HTTPS_PORT:-443}:${HTTPS_PORT:-443}" + - "${HTTP_BIND:-}:${HTTP_PORT:-80}:${HTTP_PORT:-80}" restart: always networks: mailcow-network: From 36e4ee7738570f7598f227a864bf852e58ac789b Mon Sep 17 00:00:00 2001 From: DerLinkman Date: Thu, 16 Jun 2022 12:41:49 +0200 Subject: [PATCH 027/115] Before update on 2022-06-16_12_41_05 --- docker-compose.yml | 30 ------------------------------ 1 file changed, 30 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index a563df91..753901aa 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -580,36 +580,6 @@ services: aliases: - ofelia - ipv6nat-mailcow: - depends_on: - - unbound-mailcow - - mysql-mailcow - - redis-mailcow - - clamd-mailcow - - rspamd-mailcow - - php-fpm-mailcow - - sogo-mailcow - - dovecot-mailcow - - postfix-mailcow - - memcached-mailcow - - nginx-mailcow - - acme-mailcow - - netfilter-mailcow - - watchdog-mailcow - - dockerapi-mailcow - - solr-mailcow - environment: - - TZ=${TZ} - image: robbertkl/ipv6nat - security_opt: - - label=disable - restart: always - privileged: true - network_mode: "host" - volumes: - - /var/run/docker.sock:/var/run/docker.sock:ro - - /lib/modules:/lib/modules:ro - networks: mailcow-network: driver: bridge From 872fa072131873a8482bbedf049caf186f3a0ea1 Mon Sep 17 00:00:00 2001 From: DerLinkman Date: Thu, 16 Jun 2022 12:49:17 +0200 Subject: [PATCH 028/115] Restore docker-compose check in scripts --- generate_config.sh | 21 +--------- helper-scripts/_cold-standby.sh | 57 +--------------------------- helper-scripts/backup_and_restore.sh | 26 +++---------- 3 files changed, 9 insertions(+), 95 deletions(-) diff --git a/generate_config.sh b/generate_config.sh index 800f0b53..de285178 100755 --- a/generate_config.sh +++ b/generate_config.sh @@ -25,29 +25,10 @@ if cp --help 2>&1 | grep -q -i "busybox"; then exit 1 fi -for bin in openssl curl docker git awk sha1sum; do +for bin in openssl curl docker docker-compose git awk sha1sum; do if [[ -z $(which ${bin}) ]]; then echo "Cannot find ${bin}, exiting..."; exit 1; fi done -echo "checking docker compose version..."; -if docker compose >/dev/null 2>&1; then - echo -e "\e[32mFound Compose v2!\e[0m" -elif docker-compose version --short | grep -m1 "^2" > /dev/null 2>&1; then - echo -e "\e[32mFound Compose v2!\e[0m" - COMPOSE_COMMAND="docker-compose" -elif docker-compose version --short | grep -m1 "^1" > /dev/null 2>&1; then - echo -e "\e[33mWARN: Your machine is using Docker-Compose v1!\e[0m" - echo -e "\e[33mmailcow will drop the Docker-Compose v1 Support in December 2022\e[0m" - echo -e "\e[33mPlease consider a upgrade to Docker-Compose v2.\e[0m" - echo - echo - echo -e "\e[33mContinuing...\e[0m" - sleep 3 -else - echo -e "\e[31mCannot find Docker-Compose v1 or v2 on your System. Please install Docker-Compose v2 and re-run the Script.\e[0m" - exit 1 -fi - if [ -f mailcow.conf ]; then read -r -p "A config file exists and will be overwritten, are you sure you want to continue? [y/N] " response case $response in diff --git a/helper-scripts/_cold-standby.sh b/helper-scripts/_cold-standby.sh index 14200954..b71d85cd 100755 --- a/helper-scripts/_cold-standby.sh +++ b/helper-scripts/_cold-standby.sh @@ -77,33 +77,13 @@ function preflight_local_checks() { exit 1 fi - for bin in rsync docker grep cut; do + for bin in rsync docker docker-compose grep cut; do if [[ -z $(which ${bin}) ]]; then >&2 echo -e "\e[31mCannot find ${bin} in local PATH, exiting...\e[0m" exit 1 fi done - - echo "checking docker compose version..."; - if docker compose >/dev/null 2>&1; then - echo -e "\e[32mFound Compose v2 on local machine!\e[0m" - elif docker-compose version --short | grep -m1 "^2" > /dev/null 2>&1; then - echo -e "\e[32mFound Compose v2!\e[0m" - COMPOSE_COMMAND="docker-compose" - elif docker-compose version --short | grep -m1 "^1" > /dev/null 2>&1; then - echo -e "\e[33mWARN: Your machine is using Docker-Compose v1!\e[0m" - echo -e "\e[33mmailcow will drop the Docker-Compose v1 Support in December 2022\e[0m" - echo -e "\e[33mPlease consider a upgrade to Docker-Compose v2.\e[0m" - echo - echo - echo -e "\e[33mContinuing...\e[0m" - sleep 3 - else - echo -e "\e[31mCannot find Docker-Compose v1 or v2 on your System. Please install Docker-Compose v2 and re-run the Script.\e[0m" - exit 1 - fi - if grep --help 2>&1 | head -n 1 | grep -q -i "busybox"; then echo -e "\e[31mBusyBox grep detected on local system, please install GNU grep\e[0m" exit 1 @@ -131,7 +111,7 @@ function preflight_remote_checks() { exit 1 fi - for bin in rsync docker; do + for bin in rsync docker docker-compose; do if ! ssh -o StrictHostKeyChecking=no \ -i "${REMOTE_SSH_KEY}" \ ${REMOTE_SSH_HOST} \ @@ -141,39 +121,6 @@ function preflight_remote_checks() { exit 1 fi done - - echo "checking docker compose version on remote..."; - if ssh -q -o StrictHostKeyChecking=no \ - -i "${REMOTE_SSH_KEY}" \ - ${REMOTE_SSH_HOST} \ - -p ${REMOTE_SSH_PORT} \ - -t 'docker compose' >/dev/null 2>&1; then - echo -e "\e[32mFound Compose v2 on remote!\e[0m" - COMPOSE_COMMAND="docker compose" - elif ssh -q -o StrictHostKeyChecking=no \ - -i "${REMOTE_SSH_KEY}" \ - ${REMOTE_SSH_HOST} \ - -p ${REMOTE_SSH_PORT} \ - -t 'docker-compose version --short' | grep -m1 "^2" > /dev/null 2>&1; then - echo -e "\e[32mFound Compose v2!\e[0m" - COMPOSE_COMMAND="docker-compose" - elif ssh -q -o StrictHostKeyChecking=no \ - -i "${REMOTE_SSH_KEY}" \ - ${REMOTE_SSH_HOST} \ - -p ${REMOTE_SSH_PORT} \ - -t 'docker-compose version --short' | grep -m1 "^1" > /dev/null 2>&1; then - echo -e "\e[33mWARN: The remote is using Docker-Compose v1!\e[0m" - echo -e "\e[33mmailcow will drop the Docker-Compose v1 Support in December 2022\e[0m" - echo -e "\e[33mPlease consider a upgrade to Docker-Compose v2 on remote.\e[0m" - echo - echo - echo -e "\e[33mContinuing...\e[0m" - sleep 3 - COMPOSE_COMMAND="docker-compose" - else - echo -e "\e[31mCannot find Docker-Compose v1 or v2 on the Remote Machine! Please install Docker-Compose v2 on that and re-run the script.\e[0m" - exit 1 - fi } preflight_local_checks diff --git a/helper-scripts/backup_and_restore.sh b/helper-scripts/backup_and_restore.sh index 8136def3..b45fcb97 100755 --- a/helper-scripts/backup_and_restore.sh +++ b/helper-scripts/backup_and_restore.sh @@ -76,26 +76,12 @@ else CMPS_PRJ=$(echo ${COMPOSE_PROJECT_NAME} | tr -cd "[0-9A-Za-z-_]") fi -echo "checking docker compose version..."; -if docker compose >/dev/null 2>&1; then - echo -e "\e[32mFound Compose v2!\e[0m" - COMPOSE_COMMAND="docker compose" -elif docker-compose version --short | grep -m1 "^2" > /dev/null 2>&1; then - echo -e "\e[32mFound Compose v2!\e[0m" - COMPOSE_COMMAND="docker-compose" -elif docker-compose version --short | grep -m1 "^1" > /dev/null 2>&1; then - echo -e "\e[33mWARN: Your machine is using Docker-Compose v1!\e[0m" - echo -e "\e[33mmailcow will drop the Docker-Compose v1 Support in December 2022\e[0m" - echo -e "\e[33mPlease consider a upgrade to Docker-Compose v2.\e[0m" - echo - echo - echo -e "\e[33mContinuing...\e[0m" - sleep 3 - COMPOSE_COMMAND="docker-compose" -else - echo -e "\e[31mCannot find Docker-Compose v1 or v2 on your System. Please install Docker-Compose v2 and re-run the Script.\e[0m" - exit 1 -fi +for bin in docker docker-compose; do + if [[ -z $(which ${bin}) ]]; then + >&2 echo -e "\e[31mCannot find ${bin} in local PATH, exiting...\e[0m" + exit 1 + fi +done if grep --help 2>&1 | head -n 1 | grep -q -i "busybox"; then >&2 echo -e "\e[31mBusyBox grep detected on local system, please install GNU grep\e[0m" From 89cea31475720a19c366fc31e620ff11525ec47b Mon Sep 17 00:00:00 2001 From: DerLinkman Date: Thu, 16 Jun 2022 12:51:51 +0200 Subject: [PATCH 029/115] Revert "Before update on 2022-06-16_12_41_05" This reverts commit 36e4ee7738570f7598f227a864bf852e58ac789b. --- docker-compose.yml | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/docker-compose.yml b/docker-compose.yml index 753901aa..a563df91 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -580,6 +580,36 @@ services: aliases: - ofelia + ipv6nat-mailcow: + depends_on: + - unbound-mailcow + - mysql-mailcow + - redis-mailcow + - clamd-mailcow + - rspamd-mailcow + - php-fpm-mailcow + - sogo-mailcow + - dovecot-mailcow + - postfix-mailcow + - memcached-mailcow + - nginx-mailcow + - acme-mailcow + - netfilter-mailcow + - watchdog-mailcow + - dockerapi-mailcow + - solr-mailcow + environment: + - TZ=${TZ} + image: robbertkl/ipv6nat + security_opt: + - label=disable + restart: always + privileged: true + network_mode: "host" + volumes: + - /var/run/docker.sock:/var/run/docker.sock:ro + - /lib/modules:/lib/modules:ro + networks: mailcow-network: driver: bridge From 6612b892b77c8a255580c3554eaca671dc169604 Mon Sep 17 00:00:00 2001 From: DerLinkman Date: Thu, 16 Jun 2022 12:56:54 +0200 Subject: [PATCH 030/115] Removed extra checkout line --- update.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/update.sh b/update.sh index 26a09785..c46751a5 100755 --- a/update.sh +++ b/update.sh @@ -597,8 +597,7 @@ fi echo -e "\e[32mChecking for newer update script...\e[0m" SHA1_1=$(sha1sum update.sh) git fetch origin #${BRANCH} -git checkout origin/${BRANCH} update.sh -git checkout origin/${BRANCH} docker-compose.yml +git checkout origin/${BRANCH} update.sh docker-compose.yml SHA1_2=$(sha1sum update.sh) if [[ ${SHA1_1} != ${SHA1_2} ]]; then echo "update.sh changed, please run this script again, exiting." From 499273dbb757a6420f8d352c8f1ac0a8323f454b Mon Sep 17 00:00:00 2001 From: DerLinkman Date: Thu, 16 Jun 2022 13:50:44 +0200 Subject: [PATCH 031/115] Readded docker-compose check --- update.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/update.sh b/update.sh index c46751a5..3de7e561 100755 --- a/update.sh +++ b/update.sh @@ -40,7 +40,7 @@ PATH=$PATH:/opt/bin umask 0022 -for bin in curl docker git awk sha1sum; do +for bin in curl docker docker-compose git awk sha1sum; do if [[ -z $(which ${bin}) ]]; then echo "Cannot find ${bin}, exiting..."; exit 1; fi done From dd6b8c44a4e71b0d59e2d90573a2b8c667cbb403 Mon Sep 17 00:00:00 2001 From: DerLinkman Date: Thu, 16 Jun 2022 14:13:08 +0200 Subject: [PATCH 032/115] Added automatic docker-compose standalone installation --- update.sh | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/update.sh b/update.sh index 3de7e561..dc47c3de 100755 --- a/update.sh +++ b/update.sh @@ -40,8 +40,20 @@ PATH=$PATH:/opt/bin umask 0022 -for bin in curl docker docker-compose git awk sha1sum; do - if [[ -z $(which ${bin}) ]]; then echo "Cannot find ${bin}, exiting..."; exit 1; fi +for bin in curl docker git awk sha1sum; do + if [[ -z $(which ${bin}) ]]; then + echo "Cannot find ${bin}, exiting..." + exit 1; + elif [[ -z $(which docker-compose) ]]; then + echo "Cannot find docker-compose Standalone. Installing..." + sleep 3 + if [[ -e /etc/alpine-release ]]; then + echo -e "\e[33mNot installing latest docker-compose, because you are using Alpine Linux without glibc support. Install docker-compose via apk!\e[0m" + exit 1 + fi + curl -#L https://github.com/docker/compose/releases/download/v$(curl -Ls https://www.servercow.de/docker-compose/latest.php)/docker-compose-$(uname -s)-$(uname -m) > /usr/local/bin/docker-compose + chmod +x /usr/local/bin/docker-compose + fi done export LC_ALL=C From af9c3a8565a40ade25909e86a5da09c7ab34fd31 Mon Sep 17 00:00:00 2001 From: milkmaker Date: Sun, 19 Jun 2022 22:23:35 +0200 Subject: [PATCH 033/115] [Web] Updated lang.es.json [CI SKIP] (#4638) Co-authored-by: Daniel Castellanos Co-authored-by: Daniel Castellanos --- data/web/lang/lang.es.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/data/web/lang/lang.es.json b/data/web/lang/lang.es.json index 9a67c3c6..ba12202f 100644 --- a/data/web/lang/lang.es.json +++ b/data/web/lang/lang.es.json @@ -19,7 +19,8 @@ "syncjobs": "Trabajos de sincronización", "tls_policy": "Póliza de TLS", "unlimited_quota": "Cuota ilimitada para buzones", - "app_passwds": "Gestionar las contraseñas de aplicaciones" + "app_passwds": "Gestionar las contraseñas de aplicaciones", + "domain_desc": "Cambiar descripción del dominio" }, "add": { "activate_filter_warn": "Todos los demás filtros se desactivarán cuando este filtro se active.", From cd7715fa0e2779fecbf82a985c25e8e74603be25 Mon Sep 17 00:00:00 2001 From: FreddleSpl0it Date: Mon, 20 Jun 2022 10:32:14 +0200 Subject: [PATCH 034/115] Restore docker-compose check in scripts --- helper-scripts/_cold-standby.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/helper-scripts/_cold-standby.sh b/helper-scripts/_cold-standby.sh index b71d85cd..7fc5a495 100755 --- a/helper-scripts/_cold-standby.sh +++ b/helper-scripts/_cold-standby.sh @@ -258,7 +258,7 @@ echo "OK" -i "${REMOTE_SSH_KEY}" \ ${REMOTE_SSH_HOST} \ -p ${REMOTE_SSH_PORT} \ - $COMPOSE_COMMAND -f "${SCRIPT_DIR}/../docker-compose.yml" pull --no-parallel --quiet 2>&1 ; then + docker-compose -f "${SCRIPT_DIR}/../docker-compose.yml" pull --no-parallel --quiet 2>&1 ; then >&2 echo -e "\e[31m[ERR]\e[0m - Could not pull images on remote" fi From d373164e13a14e058f82c9f1918a5612f375a9f9 Mon Sep 17 00:00:00 2001 From: FreddleSpl0it Date: Mon, 20 Jun 2022 21:18:57 +0200 Subject: [PATCH 035/115] hotfix imapsync --- data/web/inc/init_db.inc.php | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/data/web/inc/init_db.inc.php b/data/web/inc/init_db.inc.php index 88be5bca..1e53d4b8 100644 --- a/data/web/inc/init_db.inc.php +++ b/data/web/inc/init_db.inc.php @@ -3,7 +3,7 @@ function init_db_schema() { try { global $pdo; - $db_version = "20052022_0938"; + $db_version = "18062022_1153"; $stmt = $pdo->query("SHOW TABLES LIKE 'versions'"); $num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC)); @@ -440,7 +440,7 @@ function init_db_schema() { "spam_score" => "TINYINT(1) NOT NULL DEFAULT '1'", "spam_policy" => "TINYINT(1) NOT NULL DEFAULT '1'", "delimiter_action" => "TINYINT(1) NOT NULL DEFAULT '1'", - "syncjobs" => "TINYINT(1) NOT NULL DEFAULT '1'", + "syncjobs" => "TINYINT(1) NOT NULL DEFAULT '0'", "eas_reset" => "TINYINT(1) NOT NULL DEFAULT '1'", "sogo_profile_reset" => "TINYINT(1) NOT NULL DEFAULT '0'", "pushover" => "TINYINT(1) NOT NULL DEFAULT '1'", @@ -1228,8 +1228,17 @@ function init_db_schema() { } // Mitigate imapsync pipemess issue - $pdo->query("UPDATE `imapsync` SET `custom_params` = '' WHERE `custom_params` LIKE '%pipemess%' OR `custom_params` LIKE '%pipemes%';"); - + $pdo->query("UPDATE `imapsync` SET `custom_params` = '' + WHERE `custom_params` LIKE '%pipemess%' + OR custom_params LIKE '%skipmess%' + OR custom_params LIKE '%delete2foldersonly%' + OR custom_params LIKE '%delete2foldersbutnot%' + OR custom_params LIKE '%regexflag%' + OR custom_params LIKE '%pipemess%' + OR custom_params LIKE '%regextrans2%' + OR custom_params LIKE '%maxlinelengthcmd%';"); + + // Migrate webauthn tfa $stmt = $pdo->query("ALTER TABLE `tfa` MODIFY COLUMN `authmech` ENUM('yubi_otp', 'u2f', 'hotp', 'totp', 'webauthn')"); From 452daf5d5eca1ba95d7e5befadf0ca8ab0dcab12 Mon Sep 17 00:00:00 2001 From: DerLinkman Date: Thu, 23 Jun 2022 08:55:06 +0200 Subject: [PATCH 036/115] Restored docker-compose Command --- helper-scripts/backup_and_restore.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/helper-scripts/backup_and_restore.sh b/helper-scripts/backup_and_restore.sh index b45fcb97..d6f11ca8 100755 --- a/helper-scripts/backup_and_restore.sh +++ b/helper-scripts/backup_and_restore.sh @@ -239,7 +239,7 @@ function restore() { continue else echo "Stopping mailcow..." - ${COMPOSE_COMMAND} -f ${COMPOSE_FILE} --env-file ${ENV_FILE} down + docker-compose -f ${COMPOSE_FILE} --env-file ${ENV_FILE} down fi #docker stop $(docker ps -qf name=mysql-mailcow) if [[ -d "${RESTORE_LOCATION}/mysql" ]]; then @@ -277,7 +277,7 @@ function restore() { sed -i --follow-symlinks "/DBROOT/c\DBROOT=${DBROOT}" ${SCRIPT_DIR}/../mailcow.conf source ${SCRIPT_DIR}/../mailcow.conf echo "Starting mailcow..." - ${COMPOSE_COMMAND} -f ${COMPOSE_FILE} --env-file ${ENV_FILE} up -d + docker-compose -f ${COMPOSE_FILE} --env-file ${ENV_FILE} up -d #docker start $(docker ps -aqf name=mysql-mailcow) fi ;; From db7d7ea288ca1ea85959890616dd1a694452acd2 Mon Sep 17 00:00:00 2001 From: DerLinkman Date: Thu, 23 Jun 2022 10:05:09 +0200 Subject: [PATCH 037/115] Added override NGINX Port Removal --- update.sh | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/update.sh b/update.sh index dc47c3de..104ef38e 100755 --- a/update.sh +++ b/update.sh @@ -209,6 +209,26 @@ migrate_docker_nat() { fi } +remove_obsolete_nginx_ports() { + # Removing obsolete docker-compose.override.yml + if [ -s docker-compose.override.* ]; then + if cat docker-compose.override.* | grep nginx-mailcow > /dev/null 2>&1; then + if cat docker-compose.override.* | grep -w [::] > /dev/null 2>&1; then + if cat docker-compose.override.* | grep -w 80:80 > /dev/null 2>&1 && cat docker-compose.override.* | grep -w 443:443 > /dev/null 2>&1 ; then + sed -i '/nginx-mailcow:$/,/^$/d' docker-compose.override.* + if [[ "$(cat docker-compose.override.yml | sed '/^\s*$/d' | wc -l)" == "2" ]]; then + mv docker-compose.override.yml docker-compose.override.yml_backup + echo -e "\e[31mRemoved obsolete NGINX IPv6 Bind from override File.\e[0m" + elif [[ "$(cat docker-compose.override.yaml | sed '/^\s*$/d' | wc -l)" == "2" ]]; then + mv docker-compose.override.yaml docker-compose.override.yaml_backup + echo -e "\e[31mRemoved obsolete NGINX IPv6 Bind from override File.\e[0m" + fi + fi + fi + fi + fi +} + update_compose(){ if [[ ${NO_UPDATE_COMPOSE} == "y" ]]; then echo -e "\e[33mNot fetching latest docker-compose, please check for updates manually!\e[0m" @@ -635,6 +655,8 @@ fi update_compose +remove_obsolete_nginx_ports + echo -e "\e[32mValidating docker-compose stack configuration...\e[0m" if ! docker-compose config -q; then echo -e "\e[31m\nOh no, something went wrong. Please check the error message above.\e[0m" From 092890b6abca7e195d0742fbf644119c57439a70 Mon Sep 17 00:00:00 2001 From: DerLinkman Date: Thu, 23 Jun 2022 10:23:48 +0200 Subject: [PATCH 038/115] Changed message in nginx-port removal function --- update.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/update.sh b/update.sh index 104ef38e..9836b927 100755 --- a/update.sh +++ b/update.sh @@ -216,12 +216,13 @@ remove_obsolete_nginx_ports() { if cat docker-compose.override.* | grep -w [::] > /dev/null 2>&1; then if cat docker-compose.override.* | grep -w 80:80 > /dev/null 2>&1 && cat docker-compose.override.* | grep -w 443:443 > /dev/null 2>&1 ; then sed -i '/nginx-mailcow:$/,/^$/d' docker-compose.override.* + echo -e "\e[32mRemoved obsolete NGINX IPv6 Bind from override File.\e[0m" if [[ "$(cat docker-compose.override.yml | sed '/^\s*$/d' | wc -l)" == "2" ]]; then mv docker-compose.override.yml docker-compose.override.yml_backup - echo -e "\e[31mRemoved obsolete NGINX IPv6 Bind from override File.\e[0m" + echo -e "\e[31mdocker-compose.override.yml is empty. Renamed it to ensure mailcow is startable.\e[0m" elif [[ "$(cat docker-compose.override.yaml | sed '/^\s*$/d' | wc -l)" == "2" ]]; then mv docker-compose.override.yaml docker-compose.override.yaml_backup - echo -e "\e[31mRemoved obsolete NGINX IPv6 Bind from override File.\e[0m" + echo -e "\e[31mdocker-compose.override.yml is empty. Renamed it to ensure mailcow is startable.\e[0m" fi fi fi From 263baa81c07b2a3546ee6301d58eba511a8747fc Mon Sep 17 00:00:00 2001 From: DerLinkman Date: Thu, 23 Jun 2022 10:55:12 +0200 Subject: [PATCH 039/115] Improved .yml and .yaml check for Port Removal --- update.sh | 25 ++++++++++++------------- 1 file changed, 12 insertions(+), 13 deletions(-) diff --git a/update.sh b/update.sh index 9836b927..714541aa 100755 --- a/update.sh +++ b/update.sh @@ -211,23 +211,22 @@ migrate_docker_nat() { remove_obsolete_nginx_ports() { # Removing obsolete docker-compose.override.yml - if [ -s docker-compose.override.* ]; then - if cat docker-compose.override.* | grep nginx-mailcow > /dev/null 2>&1; then - if cat docker-compose.override.* | grep -w [::] > /dev/null 2>&1; then - if cat docker-compose.override.* | grep -w 80:80 > /dev/null 2>&1 && cat docker-compose.override.* | grep -w 443:443 > /dev/null 2>&1 ; then - sed -i '/nginx-mailcow:$/,/^$/d' docker-compose.override.* - echo -e "\e[32mRemoved obsolete NGINX IPv6 Bind from override File.\e[0m" - if [[ "$(cat docker-compose.override.yml | sed '/^\s*$/d' | wc -l)" == "2" ]]; then - mv docker-compose.override.yml docker-compose.override.yml_backup - echo -e "\e[31mdocker-compose.override.yml is empty. Renamed it to ensure mailcow is startable.\e[0m" - elif [[ "$(cat docker-compose.override.yaml | sed '/^\s*$/d' | wc -l)" == "2" ]]; then - mv docker-compose.override.yaml docker-compose.override.yaml_backup - echo -e "\e[31mdocker-compose.override.yml is empty. Renamed it to ensure mailcow is startable.\e[0m" + for override in docker-compose.override.yml docker-compose.override.yaml; do + if [ -s $override ] ; then + if cat $override | grep nginx-mailcow > /dev/null 2>&1; then + if cat $override | grep -w [::] > /dev/null 2>&1; then + if cat $override | grep -w 80:80 > /dev/null 2>&1 && cat $override | grep -w 443:443 > /dev/null 2>&1 ; then + sed -i '/nginx-mailcow:$/,/^$/d' $override + echo -e "\e[33mRemoved obsolete NGINX IPv6 Bind from override File.\e[0m" + if [[ "$(cat $override | sed '/^\s*$/d' | wc -l)" == "2" ]]; then + mv $override ${override}_backup + echo -e "\e[31m${override} is empty. Renamed it to ensure mailcow is startable.\e[0m" fi fi fi fi - fi + fi + done } update_compose(){ From c1c7167acef67aed73b7af388a88cb75868dd500 Mon Sep 17 00:00:00 2001 From: DerLinkman Date: Thu, 23 Jun 2022 15:41:48 +0200 Subject: [PATCH 040/115] Added auto correction of composev1 Binds in compose.yml --- update.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/update.sh b/update.sh index 714541aa..6d91becc 100755 --- a/update.sh +++ b/update.sh @@ -629,7 +629,7 @@ fi echo -e "\e[32mChecking for newer update script...\e[0m" SHA1_1=$(sha1sum update.sh) git fetch origin #${BRANCH} -git checkout origin/${BRANCH} update.sh docker-compose.yml +git checkout origin/${BRANCH} update.sh SHA1_2=$(sha1sum update.sh) if [[ ${SHA1_1} != ${SHA1_2} ]]; then echo "update.sh changed, please run this script again, exiting." @@ -658,6 +658,8 @@ update_compose remove_obsolete_nginx_ports echo -e "\e[32mValidating docker-compose stack configuration...\e[0m" +sed -i 's/HTTPS_BIND:-:/HTTPS_BIND:-/g' docker-compose.yml +sed -i 's/HTTP_BIND:-:/HTTP_BIND:-/g' docker-compose.yml if ! docker-compose config -q; then echo -e "\e[31m\nOh no, something went wrong. Please check the error message above.\e[0m" exit 1 From a835419168394bcbefdafb03de50fa9e6187717a Mon Sep 17 00:00:00 2001 From: FreddleSpl0it Date: Thu, 23 Jun 2022 18:36:54 +0200 Subject: [PATCH 041/115] fix imapsync --- data/web/inc/functions.mailbox.inc.php | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/data/web/inc/functions.mailbox.inc.php b/data/web/inc/functions.mailbox.inc.php index d6a07eab..788b207f 100644 --- a/data/web/inc/functions.mailbox.inc.php +++ b/data/web/inc/functions.mailbox.inc.php @@ -339,6 +339,8 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { // validate custom params foreach (explode(' -', $custom_params) as $param){ + if(empty($param)) continue; + if (str_contains($param, ' ')) { // bad char $_SESSION['return'][] = array( @@ -1792,6 +1794,8 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { // validate custom params foreach (explode(' -', $custom_params) as $param){ + if(empty($param)) continue; + if (str_contains($param, ' ')) { // bad char $_SESSION['return'][] = array( From 33eb2c8801c86952ec8e89a4c041c55849ae2485 Mon Sep 17 00:00:00 2001 From: DerLinkman Date: Fri, 24 Jun 2022 23:10:00 +0200 Subject: [PATCH 042/115] Improved [::] Section check + included prior override backup --- update.sh | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/update.sh b/update.sh index 6d91becc..ea283eb2 100755 --- a/update.sh +++ b/update.sh @@ -214,10 +214,14 @@ remove_obsolete_nginx_ports() { for override in docker-compose.override.yml docker-compose.override.yaml; do if [ -s $override ] ; then if cat $override | grep nginx-mailcow > /dev/null 2>&1; then - if cat $override | grep -w [::] > /dev/null 2>&1; then + if cat $override | grep -E '(\[::])' > /dev/null 2>&1; then if cat $override | grep -w 80:80 > /dev/null 2>&1 && cat $override | grep -w 443:443 > /dev/null 2>&1 ; then + echo -e "\e[33mBacking up ${override} to preserve custom changes...\e[0m" + echo -e "\e[33m!!! Manual Merge needed (if other overrides are set) !!!\e[0m" + sleep 3 + cp $override ${override}_backup sed -i '/nginx-mailcow:$/,/^$/d' $override - echo -e "\e[33mRemoved obsolete NGINX IPv6 Bind from override File.\e[0m" + echo -e "\e[33mRemoved obsolete NGINX IPv6 Bind from original override File.\e[0m" if [[ "$(cat $override | sed '/^\s*$/d' | wc -l)" == "2" ]]; then mv $override ${override}_backup echo -e "\e[31m${override} is empty. Renamed it to ensure mailcow is startable.\e[0m" From 6fb967cf79209ab4e143fe24e9e5461993ba68be Mon Sep 17 00:00:00 2001 From: FreddleSpl0it Date: Mon, 4 Jul 2022 17:01:35 +0200 Subject: [PATCH 043/115] extra tfa register debugging --- data/web/templates/base.twig | 1 + 1 file changed, 1 insertion(+) diff --git a/data/web/templates/base.twig b/data/web/templates/base.twig index 945d4501..37c27e21 100644 --- a/data/web/templates/base.twig +++ b/data/web/templates/base.twig @@ -415,6 +415,7 @@ function recursiveBase64StrToArrayBuffer(obj) { window.fetch("/api/v1/get/webauthn-tfa-registration/{{ mailcow_cc_username|url_encode(true)|default('null') }}", {method:'GET',cache:'no-cache'}).then(response => { return response.json(); }).then(json => { + console.log(json); if (json.success === false) throw new Error(json.msg); recursiveBase64StrToArrayBuffer(json); From 52e92cc0db159f6e576401c4959a1240a7d945f8 Mon Sep 17 00:00:00 2001 From: FreddleSpl0it Date: Mon, 4 Jul 2022 17:17:31 +0200 Subject: [PATCH 044/115] fix sql query for tfa registration --- data/web/json_api.php | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/data/web/json_api.php b/data/web/json_api.php index 0ebc95bc..22b747bc 100644 --- a/data/web/json_api.php +++ b/data/web/json_api.php @@ -430,8 +430,11 @@ if (isset($_GET['query'])) { case "webauthn-tfa-registration": if (isset($_SESSION["mailcow_cc_role"])) { // Exclude existing CredentialIds, if any - $stmt = $pdo->prepare("SELECT `keyHandle` FROM `tfa` WHERE username = :username"); - $stmt->execute(array(':username' => $_SESSION['mailcow_cc_username'])); + $stmt = $pdo->prepare("SELECT `keyHandle` FROM `tfa` WHERE username = :username AND authmech = :authmech"); + $stmt->execute(array( + ':username' => $_SESSION['mailcow_cc_username'], + ':authmech' => 'webauthn' + )); $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); while($row = array_shift($rows)) { $excludeCredentialIds[] = base64_decode($row['keyHandle']); From 14bc105d4386e87ce40763a4d55ffd427b744239 Mon Sep 17 00:00:00 2001 From: Rafael Kraut Date: Tue, 5 Jul 2022 11:51:05 +0200 Subject: [PATCH 045/115] [Web] Remove default selection for sync job target mailbox (#4661) + Don't cache that form, closes #4642 --- data/web/templates/modals/mailbox.twig | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/data/web/templates/modals/mailbox.twig b/data/web/templates/modals/mailbox.twig index 4097145f..17e06ed2 100644 --- a/data/web/templates/modals/mailbox.twig +++ b/data/web/templates/modals/mailbox.twig @@ -435,11 +435,11 @@

{{ lang.add.syncjob_hint }}

- +
- {% for mailbox in mailboxes %} {% endfor %} From f7369f061105e3fc97482d611876c98b4da4df58 Mon Sep 17 00:00:00 2001 From: DerLinkman Date: Tue, 5 Jul 2022 12:07:10 +0200 Subject: [PATCH 046/115] [Update.sh] Added docker-compose Update prompt + Version check --- update.sh | 69 +++++++++++++++++++++++++++++++++++++++---------------- 1 file changed, 49 insertions(+), 20 deletions(-) diff --git a/update.sh b/update.sh index ea283eb2..612ccfaf 100755 --- a/update.sh +++ b/update.sh @@ -40,25 +40,7 @@ PATH=$PATH:/opt/bin umask 0022 -for bin in curl docker git awk sha1sum; do - if [[ -z $(which ${bin}) ]]; then - echo "Cannot find ${bin}, exiting..." - exit 1; - elif [[ -z $(which docker-compose) ]]; then - echo "Cannot find docker-compose Standalone. Installing..." - sleep 3 - if [[ -e /etc/alpine-release ]]; then - echo -e "\e[33mNot installing latest docker-compose, because you are using Alpine Linux without glibc support. Install docker-compose via apk!\e[0m" - exit 1 - fi - curl -#L https://github.com/docker/compose/releases/download/v$(curl -Ls https://www.servercow.de/docker-compose/latest.php)/docker-compose-$(uname -s)-$(uname -m) > /usr/local/bin/docker-compose - chmod +x /usr/local/bin/docker-compose - fi -done - -export LC_ALL=C -DATE=$(date +%Y-%m-%d_%H_%M_%S) -BRANCH=$(cd ${SCRIPT_DIR}; git rev-parse --abbrev-ref HEAD) +############## Begin Function Section ############## check_online_status() { CHECK_ONLINE_IPS=(1.1.1.1 9.9.9.9 8.8.8.8) @@ -241,6 +223,13 @@ elif [[ -e /etc/alpine-release ]]; then echo -e "\e[33mNot fetching latest docker-compose, because you are using Alpine Linux without glibc support. Please update docker-compose via apk!\e[0m" return 0 else + if [ ! $FORCE ]; then + read -r -p "Do you want to update your docker-compose Version? It will automatic upgrade your docker-compose installation (recommended)? [y/N] " updatecomposeresponse + if [[ ! "${updatecomposeresponse}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then + echo "OK, not updating docker-compose." + return 0 + fi + fi echo -e "\e[32mFetching new docker-compose version...\e[0m" echo -e "\e[32mTrying to determine GLIBC version...\e[0m" if ldd --version > /dev/null; then @@ -277,6 +266,38 @@ else fi } +############## End Function Section ############## + +for bin in curl docker git awk sha1sum; do + if [[ -z $(which ${bin}) ]]; then + echo "Cannot find ${bin}, exiting..." + exit 1; + elif [[ -z $(which docker-compose) ]]; then + echo "Cannot find docker-compose Standalone. Please install it manually regarding to this doc site: https://mailcow.github.io/mailcow-dockerized-docs/i_u_m/i_u_m_install/" + sleep 3 + exit 1; + fi +done + +## Check if docker-compose >= v2 +if ! docker-compose version --short | grep "^2." > /dev/null 2>&1; then + echo -e "\e[33mYour docker-compose Version is not up to date!\e[0m" + echo -e "\e[33mmailcow needs docker-compose >= 2.5!\e[0m" + echo -e "\e[33mYour current installed Version: $(docker-compose version --short)\e[0m" + sleep 3 + update_compose + if [[ ! "${updatecomposeresponse}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then + echo -e "\e[31mmailcow does not work with docker-compose <= 2.X anymore!\e[0m" + echo -e "\e[31mPlease update your docker-compose manually, to run mailcow.\e[0m" + echo -e "\e[31mExiting...\e[0m" + exit 1 + fi +fi + +export LC_ALL=C +DATE=$(date +%Y-%m-%d_%H_%M_%S) +BRANCH=$(cd ${SCRIPT_DIR}; git rev-parse --abbrev-ref HEAD) + while (($#)); do case "${1}" in --check|-c) @@ -657,7 +678,15 @@ if [ ! $FORCE ]; then migrate_docker_nat fi -update_compose +LATEST_COMPOSE=$(curl -#L https://www.servercow.de/docker-compose/latest.php) +COMPOSE_VERSION=$(docker-compose version --short) +if [[ "$LATEST_COMPOSE" != "$COMPOSE_VERSION" ]]; then + echo -e "\e[33mA new docker-compose Version is available: $LATEST_COMPOSE\e[0m" + echo -e "\e[33mYour Version is: $COMPOSE_VERSION\e[0m" + update_compose +else + echo -e "\e[32mYour docker-compose Version is up to date! Not updating it...\e[0m" +fi remove_obsolete_nginx_ports From 1ff220ccf84677b70d1be09f3da5ca0be2c67e35 Mon Sep 17 00:00:00 2001 From: milkmaker Date: Wed, 6 Jul 2022 22:02:15 +0200 Subject: [PATCH 047/115] Translations update from Weblate (#4664) * [Web] Updated lang.ru.json [CI SKIP] Co-authored-by: Oleksii Kruhlenko * [Web] Updated lang.uk.json [CI SKIP] Co-authored-by: Oleksii Kruhlenko Co-authored-by: Oleksii Kruhlenko --- data/web/lang/lang.ru.json | 5 +++-- data/web/lang/lang.uk.json | 3 ++- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/data/web/lang/lang.ru.json b/data/web/lang/lang.ru.json index dd1418e4..c9ffad6d 100644 --- a/data/web/lang/lang.ru.json +++ b/data/web/lang/lang.ru.json @@ -988,7 +988,7 @@ "enter_qr_code": "Ваш код TOTP, если устройство не может отсканировать QR-код", "error_code": "Код ошибки", "init_webauthn": "Инициализация, пожалуйста, подождите...", - "key_id": "Идентификатор YubiKey ключа", + "key_id": "Идентификатор вашего устройства", "key_id_totp": "Идентификатор TOTP ключа", "none": "Отключить", "reload_retry": "- (перезагрузить страницу браузера или почистите кеш/cookies, если ошибка повторяется)", @@ -1002,7 +1002,8 @@ "webauthn": "WebAuthn аутентификация", "waiting_usb_auth": "Ожидание устройства USB...

Пожалуйста, нажмите кнопку на USB устройстве сейчас.", "waiting_usb_register": "Ожидание устройства USB...

Пожалуйста, введите пароль выше и подтвердите регистрацию, нажав кнопку на USB устройстве.", - "yubi_otp": "Yubico OTP аутентификация" + "yubi_otp": "Yubico OTP аутентификация", + "u2f_deprecated": "Похоже, что ваш ключ был зарегистрирован с использованием устаревшего метода U2F. Мы деактивируем для вас двухфакторную аутентификацию и удалим ваш ключ." }, "user": { "action": "Действия", diff --git a/data/web/lang/lang.uk.json b/data/web/lang/lang.uk.json index 0b8df84e..48aba504 100644 --- a/data/web/lang/lang.uk.json +++ b/data/web/lang/lang.uk.json @@ -980,7 +980,8 @@ "resource_modified": "Зміни поштового акаунту %s збережено", "settings_map_added": "Правило додано", "tls_policy_map_entry_deleted": "Політику TLS ID %s видалено", - "verified_totp_login": "Авторизацію TOTP пройдено" + "verified_totp_login": "Авторизацію TOTP пройдено", + "domain_add_dkim_available": "Ключ DKIM вже існує" }, "tfa": { "confirm": "Підтвердьте", From fdf52dcb17a0edade30bf18e8e40a652d7d299cc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9?= Date: Thu, 7 Jul 2022 09:20:59 +0200 Subject: [PATCH 048/115] [Rspamd] Prevent LUA crash Fixes LUA error when inserting unknown symbol from settings map --- data/conf/rspamd/local.d/groups.conf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/data/conf/rspamd/local.d/groups.conf b/data/conf/rspamd/local.d/groups.conf index 9ca3409d..f77d8a46 100644 --- a/data/conf/rspamd/local.d/groups.conf +++ b/data/conf/rspamd/local.d/groups.conf @@ -18,6 +18,9 @@ symbols { "ENCRYPTED_CHAT" { score = -20.0; } + "SOGO_CONTACT" { + score = -99.0; + } } group "MX" { From d82cfc6c62427e2884ea8ec4da3db47205118dcd Mon Sep 17 00:00:00 2001 From: DerLinkman Date: Fri, 8 Jul 2022 10:43:44 +0200 Subject: [PATCH 049/115] Changed no compose warning color --- update.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/update.sh b/update.sh index 612ccfaf..e64c49e8 100755 --- a/update.sh +++ b/update.sh @@ -273,7 +273,8 @@ for bin in curl docker git awk sha1sum; do echo "Cannot find ${bin}, exiting..." exit 1; elif [[ -z $(which docker-compose) ]]; then - echo "Cannot find docker-compose Standalone. Please install it manually regarding to this doc site: https://mailcow.github.io/mailcow-dockerized-docs/i_u_m/i_u_m_install/" + echo -e "\e[31mCannot find docker-compose Standalone.\e[0m" + echo -e "\e[31mPlease install it manually regarding to this doc site: https://mailcow.github.io/mailcow-dockerized-docs/i_u_m/i_u_m_install/\e[0m" sleep 3 exit 1; fi From 385570c1e8aadd49b48134abf09a737fd0553554 Mon Sep 17 00:00:00 2001 From: DerLinkman Date: Fri, 8 Jul 2022 10:54:50 +0200 Subject: [PATCH 050/115] Fixed wrongly override_backup overwriting --- update.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/update.sh b/update.sh index e64c49e8..aef57e9d 100755 --- a/update.sh +++ b/update.sh @@ -205,7 +205,7 @@ remove_obsolete_nginx_ports() { sed -i '/nginx-mailcow:$/,/^$/d' $override echo -e "\e[33mRemoved obsolete NGINX IPv6 Bind from original override File.\e[0m" if [[ "$(cat $override | sed '/^\s*$/d' | wc -l)" == "2" ]]; then - mv $override ${override}_backup + mv $override ${override}_empty echo -e "\e[31m${override} is empty. Renamed it to ensure mailcow is startable.\e[0m" fi fi From 6195b7c33450b7d38fcc82b2e15de5f246590a61 Mon Sep 17 00:00:00 2001 From: DerLinkman Date: Fri, 8 Jul 2022 13:29:05 +0200 Subject: [PATCH 051/115] [Backup Script]Check for docker and docker-compose in each step seperate --- helper-scripts/backup_and_restore.sh | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/helper-scripts/backup_and_restore.sh b/helper-scripts/backup_and_restore.sh index d6f11ca8..506420b4 100755 --- a/helper-scripts/backup_and_restore.sh +++ b/helper-scripts/backup_and_restore.sh @@ -76,13 +76,6 @@ else CMPS_PRJ=$(echo ${COMPOSE_PROJECT_NAME} | tr -cd "[0-9A-Za-z-_]") fi -for bin in docker docker-compose; do - if [[ -z $(which ${bin}) ]]; then - >&2 echo -e "\e[31mCannot find ${bin} in local PATH, exiting...\e[0m" - exit 1 - fi -done - if grep --help 2>&1 | head -n 1 | grep -q -i "busybox"; then >&2 echo -e "\e[31mBusyBox grep detected on local system, please install GNU grep\e[0m" exit 1 @@ -94,6 +87,12 @@ function backup() { mkdir -p "${BACKUP_LOCATION}/mailcow-${DATE}" chmod 755 "${BACKUP_LOCATION}/mailcow-${DATE}" cp "${SCRIPT_DIR}/../mailcow.conf" "${BACKUP_LOCATION}/mailcow-${DATE}" + for bin in docker; do + if [[ -z $(which ${bin}) ]]; then + >&2 echo -e "\e[31mCannot find ${bin} in local PATH, exiting...\e[0m" + exit 1 + fi + done while (( "$#" )); do case "$1" in vmail|all) @@ -161,6 +160,12 @@ function backup() { } function restore() { + for bin in docker docker-compose; do + if [[ -z $(which ${bin}) ]]; then + >&2 echo -e "\e[31mCannot find ${bin} in local PATH, exiting...\e[0m" + exit 1 + fi + done echo echo "Stopping watchdog-mailcow..." docker stop $(docker ps -qf name=watchdog-mailcow) @@ -354,4 +359,4 @@ elif [[ ${1} == "restore" ]]; then done echo "Restoring ${FILE_SELECTION[${input_sel}]} from ${RESTORE_POINT}..." restore "${RESTORE_POINT}" ${FILE_SELECTION[${input_sel}]} -fi +fi \ No newline at end of file From 40cf2c85e609f2cb82f85841c16a749cf0748011 Mon Sep 17 00:00:00 2001 From: DerLinkman Date: Fri, 8 Jul 2022 13:48:31 +0200 Subject: [PATCH 052/115] Re-aranged the functions position to top --- update.sh | 100 +++++++++++++++++++++++++++--------------------------- 1 file changed, 50 insertions(+), 50 deletions(-) diff --git a/update.sh b/update.sh index aef57e9d..3e48fb1e 100755 --- a/update.sh +++ b/update.sh @@ -1,45 +1,5 @@ #!/usr/bin/env bash -# Check permissions -if [ "$(id -u)" -ne "0" ]; then - echo "You need to be root" - exit 1 -fi - -SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" - -# Run pre-update-hook -if [ -f "${SCRIPT_DIR}/pre_update_hook.sh" ]; then - bash "${SCRIPT_DIR}/pre_update_hook.sh" -fi - -if [[ "$(uname -r)" =~ ^4\.15\.0-60 ]]; then - echo "DO NOT RUN mailcow ON THIS UBUNTU KERNEL!"; - echo "Please update to 5.x or use another distribution." - exit 1 -fi - -if [[ "$(uname -r)" =~ ^4\.4\. ]]; then - if grep -q Ubuntu <<< $(uname -a); then - echo "DO NOT RUN mailcow ON THIS UBUNTU KERNEL!" - echo "Please update to linux-generic-hwe-16.04 by running \"apt-get install --install-recommends linux-generic-hwe-16.04\"" - exit 1 - fi - echo "mailcow on a 4.4.x kernel is not supported. It may or may not work, please upgrade your kernel or continue at your own risk." - read -p "Press any key to continue..." < /dev/tty -fi - -# Exit on error and pipefail -set -o pipefail - -# Setting high dc timeout -export COMPOSE_HTTP_TIMEOUT=600 - -# Add /opt/bin to PATH -PATH=$PATH:/opt/bin - -umask 0022 - ############## Begin Function Section ############## check_online_status() { @@ -268,6 +228,46 @@ fi ############## End Function Section ############## +# Check permissions +if [ "$(id -u)" -ne "0" ]; then + echo "You need to be root" + exit 1 +fi + +SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" + +# Run pre-update-hook +if [ -f "${SCRIPT_DIR}/pre_update_hook.sh" ]; then + bash "${SCRIPT_DIR}/pre_update_hook.sh" +fi + +if [[ "$(uname -r)" =~ ^4\.15\.0-60 ]]; then + echo "DO NOT RUN mailcow ON THIS UBUNTU KERNEL!"; + echo "Please update to 5.x or use another distribution." + exit 1 +fi + +if [[ "$(uname -r)" =~ ^4\.4\. ]]; then + if grep -q Ubuntu <<< $(uname -a); then + echo "DO NOT RUN mailcow ON THIS UBUNTU KERNEL!" + echo "Please update to linux-generic-hwe-16.04 by running \"apt-get install --install-recommends linux-generic-hwe-16.04\"" + exit 1 + fi + echo "mailcow on a 4.4.x kernel is not supported. It may or may not work, please upgrade your kernel or continue at your own risk." + read -p "Press any key to continue..." < /dev/tty +fi + +# Exit on error and pipefail +set -o pipefail + +# Setting high dc timeout +export COMPOSE_HTTP_TIMEOUT=600 + +# Add /opt/bin to PATH +PATH=$PATH:/opt/bin + +umask 0022 + for bin in curl docker git awk sha1sum; do if [[ -z $(which ${bin}) ]]; then echo "Cannot find ${bin}, exiting..." @@ -652,16 +652,16 @@ else fi fi -echo -e "\e[32mChecking for newer update script...\e[0m" -SHA1_1=$(sha1sum update.sh) -git fetch origin #${BRANCH} -git checkout origin/${BRANCH} update.sh -SHA1_2=$(sha1sum update.sh) -if [[ ${SHA1_1} != ${SHA1_2} ]]; then - echo "update.sh changed, please run this script again, exiting." - chmod +x update.sh - exit 2 -fi +# echo -e "\e[32mChecking for newer update script...\e[0m" +# SHA1_1=$(sha1sum update.sh) +# git fetch origin #${BRANCH} +# git checkout origin/${BRANCH} update.sh +# SHA1_2=$(sha1sum update.sh) +# if [[ ${SHA1_1} != ${SHA1_2} ]]; then +# echo "update.sh changed, please run this script again, exiting." +# chmod +x update.sh +# exit 2 +# fi if [[ -f mailcow.conf ]]; then source mailcow.conf From 43ec12f4f0a87db8440c20759bfe2e2a00bb4aa3 Mon Sep 17 00:00:00 2001 From: DerLinkman Date: Fri, 8 Jul 2022 13:49:33 +0200 Subject: [PATCH 053/115] Readded (again) the new update script check... --- update.sh | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/update.sh b/update.sh index 3e48fb1e..c7c958a4 100755 --- a/update.sh +++ b/update.sh @@ -652,16 +652,16 @@ else fi fi -# echo -e "\e[32mChecking for newer update script...\e[0m" -# SHA1_1=$(sha1sum update.sh) -# git fetch origin #${BRANCH} -# git checkout origin/${BRANCH} update.sh -# SHA1_2=$(sha1sum update.sh) -# if [[ ${SHA1_1} != ${SHA1_2} ]]; then -# echo "update.sh changed, please run this script again, exiting." -# chmod +x update.sh -# exit 2 -# fi +echo -e "\e[32mChecking for newer update script...\e[0m" +SHA1_1=$(sha1sum update.sh) +git fetch origin #${BRANCH} +git checkout origin/${BRANCH} update.sh +SHA1_2=$(sha1sum update.sh) +if [[ ${SHA1_1} != ${SHA1_2} ]]; then + echo "update.sh changed, please run this script again, exiting." + chmod +x update.sh + exit 2 +fi if [[ -f mailcow.conf ]]; then source mailcow.conf From b14c0e4c11b10fe7d2c295a0d4d780782837e442 Mon Sep 17 00:00:00 2001 From: Peter Date: Fri, 8 Jul 2022 18:29:34 +0200 Subject: [PATCH 054/115] Fix permissions chmod +x --- create_cold_standby.sh | 0 1 file changed, 0 insertions(+), 0 deletions(-) mode change 100644 => 100755 create_cold_standby.sh diff --git a/create_cold_standby.sh b/create_cold_standby.sh old mode 100644 new mode 100755 From d29580aa02bb5ac4bbe8cb064f7b5067e8fd6856 Mon Sep 17 00:00:00 2001 From: ntimo Date: Fri, 8 Jul 2022 18:47:28 +0000 Subject: [PATCH 055/115] Fixed OpenAPI docs to be spec compliant --- data/web/api/openapi.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/data/web/api/openapi.yaml b/data/web/api/openapi.yaml index e9655751..3803e5bd 100644 --- a/data/web/api/openapi.yaml +++ b/data/web/api/openapi.yaml @@ -3953,6 +3953,8 @@ paths: in: query name: tags required: false + schema: + type: string - description: e.g. api-key-string example: api-key-string in: header @@ -4512,6 +4514,8 @@ paths: in: query name: tags required: false + schema: + type: string - description: e.g. api-key-string example: api-key-string in: header From 47fb46c8378d6b50bce94601df376bb3efbc098a Mon Sep 17 00:00:00 2001 From: ntimo Date: Fri, 8 Jul 2022 18:50:14 +0000 Subject: [PATCH 056/115] Removed DroneCI & Travis CI --- .drone.yml | 120 ---------------------------------------------------- .travis.yml | 16 ------- README.md | 2 +- 3 files changed, 1 insertion(+), 137 deletions(-) delete mode 100644 .drone.yml delete mode 100644 .travis.yml diff --git a/.drone.yml b/.drone.yml deleted file mode 100644 index 8587219f..00000000 --- a/.drone.yml +++ /dev/null @@ -1,120 +0,0 @@ ---- -kind: pipeline -name: integration-testing - -platform: - os: linux - arch: amd64 - -clone: - disable: true - -steps: -- name: prepare-tests - pull: default - image: timovibritannia/ansible - commands: - - git clone https://github.com/mailcow/mailcow-integration-tests.git --branch $(curl -sL https://api.github.com/repos/mailcow/mailcow-integration-tests/releases/latest | jq -r '.tag_name') --single-branch . - - chmod +x ci.sh - - chmod +x ci-ssh.sh - - chmod +x ci-piprequierments.sh - - ./ci.sh - - wget -O group_vars/all/secrets.yml $SECRETS_DOWNLOAD_URL --quiet - environment: - SECRETS_DOWNLOAD_URL: - from_secret: SECRETS_DOWNLOAD_URL - VAULT_PW: - from_secret: VAULT_PW - when: - branch: - - master - - staging - event: - - push - -- name: lint - pull: default - image: timovibritannia/ansible - commands: - - ansible-lint ./ - when: - branch: - - master - - staging - event: - - push - -- name: create-server - pull: default - image: timovibritannia/ansible - commands: - - ./ci-piprequierments.sh - - ansible-playbook mailcow-start-server.yml --diff - - ./ci-ssh.sh - environment: - ANSIBLE_HOST_KEY_CHECKING: false - ANSIBLE_FORCE_COLOR: true - when: - branch: - - master - - staging - event: - - push - -- name: setup-server - pull: default - image: timovibritannia/ansible - commands: - - sleep 120 - - ./ci-piprequierments.sh - - ansible-playbook mailcow-setup-server.yml --private-key /drone/src/id_ssh_rsa --diff - environment: - ANSIBLE_HOST_KEY_CHECKING: false - ANSIBLE_FORCE_COLOR: true - when: - branch: - - master - - staging - event: - - push - -- name: run-tests - pull: default - image: timovibritannia/ansible - commands: - - ./ci-piprequierments.sh - - ansible-playbook mailcow-integration-tests.yml --private-key /drone/src/id_ssh_rsa --diff - environment: - ANSIBLE_HOST_KEY_CHECKING: false - ANSIBLE_FORCE_COLOR: true - when: - branch: - - master - - staging - event: - - push - -- name: delete-server - pull: default - image: timovibritannia/ansible - commands: - - ./ci-piprequierments.sh - - ansible-playbook mailcow-delete-server.yml --diff - environment: - ANSIBLE_HOST_KEY_CHECKING: false - ANSIBLE_FORCE_COLOR: true - when: - branch: - - master - - staging - event: - - push - status: - - failure - - success - ---- -kind: signature -hmac: f6619243fe2a27563291c9f2a46d93ffbc3b6dced9a05f23e64b555ce03a31e5 - -... diff --git a/.travis.yml b/.travis.yml deleted file mode 100644 index 84357090..00000000 --- a/.travis.yml +++ /dev/null @@ -1,16 +0,0 @@ -sudo: required -services: -- docker -script: -- echo 'Europe/Berlin' | MAILCOW_HOSTNAME=build.mailcow ./generate_config.sh -- docker-compose pull --ignore-pull-failures --parallel -- docker-compose build -- docker login --username=$DOCKER_HUB_USERNAME --password=$DOCKER_HUB_PASSWORD -- docker-compose push -branches: - only: - - master_disabled -env: - global: - - secure: MpxpTwD7f0CNEVLitSpVmocK7O9r+BwFE1deEHK4AlQo/oc9cOlhGe1EL3mx9zbglPmjlDg/8kMUGv6vSirIabfBo9Szjps76bHckFr9lr2Ykkg0e29oC8pgPpSXD1eY/1ZIN/FvIkxpUFLETo1okS/j9q/A0DCGFmti0n3EoMORsgRz9CpNAiEh0zpSd6+euPAGHuczuCrDuO84my9bIOCjA/+aPunHNeXiuM8yIM2SxCSyGtIKT0+jvquIvLF58VxivysXBlRfhDn8fhB09nXA2Ru/derYQACfcmNSn9Pd4bDpebPJW5B9H/XA8xjb58uKinUlncbAMB/QnxoT75j9YRWJZRSQ+34XNYP6ZgK9soZ2TC6djQyEKTUu45Kp/1s+poSn42m9jytJJTmmK0KxsZTRcC8JD5nrjIMZWPUNNTwC5L4+I7ZRWg2WooK3LNyq1Ng8Hn6W77wSgsvAJw2HD3Lx58AprGUhHuBeaIZRuSN9aKwZrl9vKQJLqPnOp/nF2EC6kot5HYYtcotGtETXPUDih21gWD5ZM2BqVqYfQQnJnNMgeYmMdj6QQuTFqhuNJf7hXRIRkTnD3j1gDOLKQZazW0+N2JE8XWDFwi6fKScDsxT85lJti9HmzHa7+k4RVHmUYuDgRoPuzUgjWHvPsiz3/Z8WQ9JYpH84S8w= - - secure: fWzZisT6nGDNL4lf6tXB07eFG2drgBakHxzdF/NFVvzuP861RFR6omuL+ED0PgXrEHDJBxaBLv52je8irmUXrAH1CNr7T8DWiZo/h5h609Uzr+38T1NnIu4krL0Wo6/CDwlLKnzqTq9yBIZLQSHVJmo8AOpo1JPIi2ajodqj9ZfmAxDQTQl+G6zvQjtqIkYHsHY7A44Rto0f14ykn7w2S82Jn6Ry89VNI5V1WEO3sMpM/XekNP/HokNcRIuntL/0+kuLvTJ5akGoTjBQxSnSW95opzPeGky74HRU2obExJYqKvF0VfVJRNAqejwjIiFIbbjqV0Sk5391kFuhuBErQQDM1bOHGdxZ41HsJH29qNWIl7C33Yl10qERoqecgsJ1N/bS2ZEmWqm/zQh5GClCXPvYmzEqMYsMGM3vjbKdjDlc1Wh2w/eFclsXN9LSXh1mc35rtj46frcT6e5Kof87AIfC9hTgDvk9kAsyjaHMkSHSZthbZXCIcsD8qriNm5UqfFBYD79mPIP1S2YMQ2jscCsjHOZgYVrcm0kzDF21J1w6H0Lo7d1jw37LYlegBdtLQ9gYgqY2D5m+nxWuVoD5FZmpR+5JGtK+ootyLFF8aiFoHXd4op1JCxRLjgkmnZKXzw3kTQSpE7oa7CgzchtQmK2nqcqla1b5Qk7ilVcjooo= diff --git a/README.md b/README.md index 7abd1024..7f7907d2 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ ## We stand with 🇺🇦 -[![master build status](https://img.shields.io/drone/build/mailcow/mailcow-dockerized/master?label=master%20build&server=https%3A%2F%2Fdrone.mailcow.email)](https://drone.mailcow.email/mailcow/mailcow-dockerized) [![staging build status](https://img.shields.io/drone/build/mailcow/mailcow-dockerized/staging?label=staging%20build&server=https%3A%2F%2Fdrone.mailcow.email)](https://drone.mailcow.email/mailcow/mailcow-dockerized) [![Translation status](https://translate.mailcow.email/widgets/mailcow-dockerized/-/translation/svg-badge.svg)](https://translate.mailcow.email/engage/mailcow-dockerized/) +[![Translation status](https://translate.mailcow.email/widgets/mailcow-dockerized/-/translation/svg-badge.svg)](https://translate.mailcow.email/engage/mailcow-dockerized/) [![Twitter URL](https://img.shields.io/twitter/url/https/twitter.com/mailcow_email.svg?style=social&label=Follow%20%40mailcow_email)](https://twitter.com/mailcow_email) ## Want to support mailcow? From 1a05101f5031bcda864bc9e10d49cc52d26de2e5 Mon Sep 17 00:00:00 2001 From: Niklas Meyer <62480600+DerLinkman@users.noreply.github.com> Date: Fri, 8 Jul 2022 21:39:22 +0200 Subject: [PATCH 057/115] Create tweet-trigger-publish-release,yml --- .../workflows/tweet-trigger-publish-release,yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 .github/workflows/tweet-trigger-publish-release,yml diff --git a/.github/workflows/tweet-trigger-publish-release,yml b/.github/workflows/tweet-trigger-publish-release,yml new file mode 100644 index 00000000..a8f40777 --- /dev/null +++ b/.github/workflows/tweet-trigger-publish-release,yml @@ -0,0 +1,17 @@ +name: "tweet-trigger-release" +on: + release: + types: [published] + +jobs: + build: + runs-on: ubuntu-latest + steps: + - name: Tweet-trigger-publish-release + uses: mugi111/tweet-trigger-release@v1.1 + with: + consumer_key: ${{ secrets.TWITTER_CONSUMER_KEY }} + consumer_secret: ${{ secrets.TWITTER_CONSUMER_SECRET }} + access_token_key: ${{ secrets.TWITTER_ACCESS_TOKEN_KEY }} + access_token_secret: ${{ secrets.TWITTER_ACCESS_TOKEN_SECRET }} + tweet_body: 'A new mailcow-dockerized Release has been Released on GitHub! Checkout our GitHub Page for the latest Release: github.com/mailcow/mailcow-dockerized/releases/latest' From c62daa0c59f9431a785c46c52b70baf9b0dbccde Mon Sep 17 00:00:00 2001 From: DerLinkman Date: Fri, 8 Jul 2022 21:41:48 +0200 Subject: [PATCH 058/115] Corrected , to . for new workflow --- ...gger-publish-release,yml => tweet-trigger-publish-release.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename .github/workflows/{tweet-trigger-publish-release,yml => tweet-trigger-publish-release.yml} (100%) diff --git a/.github/workflows/tweet-trigger-publish-release,yml b/.github/workflows/tweet-trigger-publish-release.yml similarity index 100% rename from .github/workflows/tweet-trigger-publish-release,yml rename to .github/workflows/tweet-trigger-publish-release.yml From 1c0eab989342825b6af08e1b095ecebede2784b8 Mon Sep 17 00:00:00 2001 From: ntimo Date: Mon, 11 Jul 2022 15:41:16 +0000 Subject: [PATCH 059/115] [CI] Added Mailcow tests & image builds --- .github/workflows/image_builds.yml | 41 +++++++++++++ .github/workflows/integration_tests.yml | 60 +++++++++++++++++++ .../tweet-trigger-publish-release.yml | 2 +- 3 files changed, 102 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/image_builds.yml create mode 100644 .github/workflows/integration_tests.yml diff --git a/.github/workflows/image_builds.yml b/.github/workflows/image_builds.yml new file mode 100644 index 00000000..34d05717 --- /dev/null +++ b/.github/workflows/image_builds.yml @@ -0,0 +1,41 @@ +name: Build Mailcow Docker Images + +on: + push: + branches: [ "master", "staging" ] + workflow_dispatch: + +jobs: + docker_image_builds: + strategy: + matrix: + images: ["acme-mailcow", + "clamd-mailcow", + "dockerapi-mailcow", + "dovecot-mailcow", + "netfilter-mailcow", + "olefy-mailcow", + "php-fpm-mailcow", + "postfix-mailcow", + "rspamd-mailcow", + "sogo-mailcow", + "solr-mailcow", + "unbound-mailcow", + "watchdog-mailcow"] + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - name: Setup Docker + run: | + curl -sSL https://get.docker.com/ | CHANNEL=stable sudo sh + sudo service docker start + sudo curl -L https://github.com/docker/compose/releases/download/v$(curl -Ls https://www.servercow.de/docker-compose/latest.php)/docker-compose-$(uname -s)-$(uname -m) > /usr/local/bin/docker-compose + sudo chmod +x /usr/local/bin/docker-compose + - name: Prepair Image Builds + run: | + cp helper-scripts/docker-compose.override.yml.d/BUILD_FLAGS/docker-compose.override.yml docker-compose.override.yml + - name: Build Docker Images + run: | + docker-compose build ${image} + env: + image: ${{ matrix.images }} diff --git a/.github/workflows/integration_tests.yml b/.github/workflows/integration_tests.yml new file mode 100644 index 00000000..c31a1a62 --- /dev/null +++ b/.github/workflows/integration_tests.yml @@ -0,0 +1,60 @@ +name: Mailcow Integration Tests + +on: + push: + branches: [ "master", "staging" ] + workflow_dispatch: + +jobs: + integration_tests: + runs-on: ubuntu-latest + steps: + - name: Setup Ansible + run: | + export DEBIAN_FRONTEND=noninteractive + sudo apt-get update + sudo apt-get install python3 python3-pip git + sudo pip3 install ansible + - name: Prepair Test Environment + run: | + git clone https://github.com/mailcow/mailcow-integration-tests.git --branch $(curl -sL https://api.github.com/repos/mailcow/mailcow-integration-tests/releases/latest | jq -r '.tag_name') --single-branch . + ./fork_check.sh + ./ci.sh + ./ci-pip-requirements.sh + env: + VAULT_PW: ${{ secrets.MAILCOW_TESTS_VAULT_PW }} + VAULT_FILE: ${{ secrets.MAILCOW_TESTS_VAULT_FILE }} + - name: Start Integration Test Server + run: | + ./fork_check.sh + ansible-playbook mailcow-start-server.yml --diff + env: + PY_COLORS: '1' + ANSIBLE_FORCE_COLOR: '1' + ANSIBLE_HOST_KEY_CHECKING: 'false' + - name: Setup Integration Test Server + run: | + ./fork_check.sh + sleep 30 + ansible-playbook mailcow-setup-server.yml --private-key id_ssh_rsa --diff + env: + PY_COLORS: '1' + ANSIBLE_FORCE_COLOR: '1' + ANSIBLE_HOST_KEY_CHECKING: 'false' + - name: Run Integration Tests + run: | + ./fork_check.sh + ansible-playbook mailcow-integration-tests.yml --private-key id_ssh_rsa --diff + env: + PY_COLORS: '1' + ANSIBLE_FORCE_COLOR: '1' + ANSIBLE_HOST_KEY_CHECKING: 'false' + - name: Delete Integration Test Server + if: always() + run: | + ./fork_check.sh + ansible-playbook mailcow-delete-server.yml --diff + env: + PY_COLORS: '1' + ANSIBLE_FORCE_COLOR: '1' + ANSIBLE_HOST_KEY_CHECKING: 'false' diff --git a/.github/workflows/tweet-trigger-publish-release.yml b/.github/workflows/tweet-trigger-publish-release.yml index a8f40777..13f7dd76 100644 --- a/.github/workflows/tweet-trigger-publish-release.yml +++ b/.github/workflows/tweet-trigger-publish-release.yml @@ -1,4 +1,4 @@ -name: "tweet-trigger-release" +name: "Tweet trigger release" on: release: types: [published] From 8b314acfcf183ae2f0c566aaf35d0e9a9488d3da Mon Sep 17 00:00:00 2001 From: Peter Date: Mon, 11 Jul 2022 21:06:23 +0200 Subject: [PATCH 060/115] Create SECURITY.md --- SECURITY.md | 42 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..de63ca3e --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,42 @@ +# Security Policies and Procedures + +This document outlines security procedures and general policies for the _mailcow: dockerized_ project as found on [mailcow-dockerized](https://github.com/mailcow/mailcow-dockerized). + + * [Reporting a Vulnerability](#reporting-a-vulnerability) + * [Disclosure Policy](#disclosure-policy) + * [Comments on this Policy](#comments-on-this-policy) + +## Reporting a Vulnerability + +The mailcow team and community take all security vulnerabilities +seriously. Thank you for improving the security of our open source +software. We appreciate your efforts and responsible disclosure and will +make every effort to acknowledge your contributions. + +Report security vulnerabilities by emailing the mailcow team at: + + info at servercow.de + +mailcow team will acknowledge your email as soon as possible, and will +send a more detailed response afterwards indicating the next steps in +handling your report. After the initial reply to your report, the mailcow +team will endeavor to keep you informed of the progress towards a fix and +full announcement, and may ask for additional information or guidance. + +Report security vulnerabilities in third-party modules to the person or +team maintaining the module. + +## Disclosure Policy + +When the mailcow team receives a security bug report, they will assign it +to a primary handler. This person will coordinate the fix and release +process, involving the following steps: + + * Confirm the problem and determine the affected versions. + * Audit code to find any potential similar problems. + * Prepare fixes for all releases still under maintenance. + +## Comments on this Policy + +If you have suggestions on how this process could be improved please submit a +pull request. From 5b924614aa284cfcae07283b8dabca21d1a797c7 Mon Sep 17 00:00:00 2001 From: Marcel Hofer <3976393+mhofer117@users.noreply.github.com> Date: Tue, 12 Jul 2022 15:26:03 +0200 Subject: [PATCH 061/115] fix blank page on /user when not logged the current condition to redirect to / was never matching, so a blank page was displayed on /user when not logged in or when logged in as admin. this will fix it and always redirect to / if nothing is rendered in the user.php --- data/web/user.php | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/data/web/user.php b/data/web/user.php index d7faf791..d8fc80c1 100644 --- a/data/web/user.php +++ b/data/web/user.php @@ -91,8 +91,7 @@ elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == ' 'number_of_app_passwords' => $number_of_app_passwords, ]; } - -if (!isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == 'admin') { +else { header('Location: /'); exit(); } From b8ec244d92ea3a4118ffc389f0a4fb31c585458c Mon Sep 17 00:00:00 2001 From: DerLinkman Date: Wed, 13 Jul 2022 08:50:28 +0200 Subject: [PATCH 062/115] Modified pip compose check --- update.sh | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/update.sh b/update.sh index c7c958a4..f02d0d7c 100755 --- a/update.sh +++ b/update.sh @@ -203,8 +203,12 @@ else DC_DL_SUFFIX=legacy fi sleep 1 - if [[ ! -z $(which pip) && $(pip list --local 2>&1 | grep -v DEPRECATION | grep -c docker-compose) == 1 ]]; then - true + if [[ -z $(which pip) && $(pip list --local 2>&1 | grep -v DEPRECATION | grep -c docker-compose) == 1 ]]; then + echo -e "\e[33mFound a docker-compose Version installed with pip!\e[0m" + echo -e "\e[33mPlease uninstall the pip Version of docker-compose since it doesn´t support Versions higher than 1.29.2.\e[0m" + sleep 2 + echo -e "\e[33mExiting...\e[0m" + exit 1 #prevent breaking a working docker-compose installed with pip elif [[ $(curl -sL -w "%{http_code}" https://www.servercow.de/docker-compose/latest.php?vers=${DC_DL_SUFFIX} -o /dev/null) == "200" ]]; then LATEST_COMPOSE=$(curl -#L https://www.servercow.de/docker-compose/latest.php) From 83b79edb423c7637650f93a4142c1cded304e391 Mon Sep 17 00:00:00 2001 From: DerLinkman Date: Wed, 13 Jul 2022 08:57:50 +0200 Subject: [PATCH 063/115] Fixed PIP Check --- update.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/update.sh b/update.sh index f02d0d7c..63c50f9f 100755 --- a/update.sh +++ b/update.sh @@ -203,9 +203,9 @@ else DC_DL_SUFFIX=legacy fi sleep 1 - if [[ -z $(which pip) && $(pip list --local 2>&1 | grep -v DEPRECATION | grep -c docker-compose) == 1 ]]; then + if [[ ! $(which pip) && $(pip list --local 2>&1 | grep -v DEPRECATION | grep -c docker-compose) == 1 ]]; then echo -e "\e[33mFound a docker-compose Version installed with pip!\e[0m" - echo -e "\e[33mPlease uninstall the pip Version of docker-compose since it doesn´t support Versions higher than 1.29.2.\e[0m" + echo -e "\e[31mPlease uninstall the pip Version of docker-compose since it doesn´t support Versions higher than 1.29.2.\e[0m" sleep 2 echo -e "\e[33mExiting...\e[0m" exit 1 @@ -292,7 +292,7 @@ if ! docker-compose version --short | grep "^2." > /dev/null 2>&1; then sleep 3 update_compose if [[ ! "${updatecomposeresponse}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then - echo -e "\e[31mmailcow does not work with docker-compose <= 2.X anymore!\e[0m" + echo -e "\e[31mmailcow does not work with docker-compose <= 2.X.X anymore!\e[0m" echo -e "\e[31mPlease update your docker-compose manually, to run mailcow.\e[0m" echo -e "\e[31mExiting...\e[0m" exit 1 From 65bb808441e4d86e01cf417aff0f36995c312f11 Mon Sep 17 00:00:00 2001 From: DerLinkman Date: Wed, 13 Jul 2022 11:02:41 +0200 Subject: [PATCH 064/115] Muted which Pip in update_compose --- update.sh | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/update.sh b/update.sh index 63c50f9f..071888a7 100755 --- a/update.sh +++ b/update.sh @@ -203,7 +203,7 @@ else DC_DL_SUFFIX=legacy fi sleep 1 - if [[ ! $(which pip) && $(pip list --local 2>&1 | grep -v DEPRECATION | grep -c docker-compose) == 1 ]]; then + if [[ ! $(which pip 2>&1) && $(pip list --local 2>&1 | grep -v DEPRECATION | grep -c docker-compose) == 1 ]]; then echo -e "\e[33mFound a docker-compose Version installed with pip!\e[0m" echo -e "\e[31mPlease uninstall the pip Version of docker-compose since it doesn´t support Versions higher than 1.29.2.\e[0m" sleep 2 @@ -656,16 +656,16 @@ else fi fi -echo -e "\e[32mChecking for newer update script...\e[0m" -SHA1_1=$(sha1sum update.sh) -git fetch origin #${BRANCH} -git checkout origin/${BRANCH} update.sh -SHA1_2=$(sha1sum update.sh) -if [[ ${SHA1_1} != ${SHA1_2} ]]; then - echo "update.sh changed, please run this script again, exiting." - chmod +x update.sh - exit 2 -fi +# echo -e "\e[32mChecking for newer update script...\e[0m" +# SHA1_1=$(sha1sum update.sh) +# git fetch origin #${BRANCH} +# git checkout origin/${BRANCH} update.sh +# SHA1_2=$(sha1sum update.sh) +# if [[ ${SHA1_1} != ${SHA1_2} ]]; then +# echo "update.sh changed, please run this script again, exiting." +# chmod +x update.sh +# exit 2 +# fi if [[ -f mailcow.conf ]]; then source mailcow.conf From f07b9ea304af01caa4d991cd4896dc17602d2390 Mon Sep 17 00:00:00 2001 From: DerLinkman Date: Wed, 13 Jul 2022 15:08:31 +0200 Subject: [PATCH 065/115] Corrected pip check --- update.sh | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/update.sh b/update.sh index 071888a7..d42c91d6 100755 --- a/update.sh +++ b/update.sh @@ -203,7 +203,7 @@ else DC_DL_SUFFIX=legacy fi sleep 1 - if [[ ! $(which pip 2>&1) && $(pip list --local 2>&1 | grep -v DEPRECATION | grep -c docker-compose) == 1 ]]; then + if [[ $(which pip 2>&1) && $(pip list --local 2>&1 | grep -v DEPRECATION | grep -c docker-compose) == 1 || $(which pip3 2>&1) && $(pip3 list --local 2>&1 | grep -v DEPRECATION | grep -c docker-compose) == 1 ]]; then echo -e "\e[33mFound a docker-compose Version installed with pip!\e[0m" echo -e "\e[31mPlease uninstall the pip Version of docker-compose since it doesn´t support Versions higher than 1.29.2.\e[0m" sleep 2 @@ -656,16 +656,16 @@ else fi fi -# echo -e "\e[32mChecking for newer update script...\e[0m" -# SHA1_1=$(sha1sum update.sh) -# git fetch origin #${BRANCH} -# git checkout origin/${BRANCH} update.sh -# SHA1_2=$(sha1sum update.sh) -# if [[ ${SHA1_1} != ${SHA1_2} ]]; then -# echo "update.sh changed, please run this script again, exiting." -# chmod +x update.sh -# exit 2 -# fi +echo -e "\e[32mChecking for newer update script...\e[0m" +SHA1_1=$(sha1sum update.sh) +git fetch origin #${BRANCH} +git checkout origin/${BRANCH} update.sh +SHA1_2=$(sha1sum update.sh) +if [[ ${SHA1_1} != ${SHA1_2} ]]; then + echo "update.sh changed, please run this script again, exiting." + chmod +x update.sh + exit 2 +fi if [[ -f mailcow.conf ]]; then source mailcow.conf From 586b60b276aaf10942c2a78b5c76289802528a32 Mon Sep 17 00:00:00 2001 From: DerLinkman Date: Wed, 13 Jul 2022 15:13:14 +0200 Subject: [PATCH 066/115] Unspecified direct compose version (lower then 2.X.X) --- update.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/update.sh b/update.sh index d42c91d6..e3f3ad09 100755 --- a/update.sh +++ b/update.sh @@ -287,12 +287,12 @@ done ## Check if docker-compose >= v2 if ! docker-compose version --short | grep "^2." > /dev/null 2>&1; then echo -e "\e[33mYour docker-compose Version is not up to date!\e[0m" - echo -e "\e[33mmailcow needs docker-compose >= 2.5!\e[0m" + echo -e "\e[33mmailcow needs docker-compose > 2.X.X!\e[0m" echo -e "\e[33mYour current installed Version: $(docker-compose version --short)\e[0m" sleep 3 update_compose if [[ ! "${updatecomposeresponse}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then - echo -e "\e[31mmailcow does not work with docker-compose <= 2.X.X anymore!\e[0m" + echo -e "\e[31mmailcow does not work with docker-compose < 2.X.X anymore!\e[0m" echo -e "\e[31mPlease update your docker-compose manually, to run mailcow.\e[0m" echo -e "\e[31mExiting...\e[0m" exit 1 From bee762737e14e266e71c5b3a54e4a08e922f4a3b Mon Sep 17 00:00:00 2001 From: FreddleSpl0it Date: Wed, 13 Jul 2022 17:02:14 +0200 Subject: [PATCH 067/115] readd imapsync fix --- data/web/inc/functions.mailbox.inc.php | 4 +- data/web/inc/init_db.inc.php | 16 +- data/web/inc/vars.inc.php | 244 ++++++++++++------------- 3 files changed, 134 insertions(+), 130 deletions(-) diff --git a/data/web/inc/functions.mailbox.inc.php b/data/web/inc/functions.mailbox.inc.php index 788b207f..3b8531bd 100644 --- a/data/web/inc/functions.mailbox.inc.php +++ b/data/web/inc/functions.mailbox.inc.php @@ -341,7 +341,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { foreach (explode(' -', $custom_params) as $param){ if(empty($param)) continue; - if (str_contains($param, ' ')) { + if (str_contains(explode('=', $param)[0], ' ')) { // bad char $_SESSION['return'][] = array( 'type' => 'danger', @@ -1796,7 +1796,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { foreach (explode(' -', $custom_params) as $param){ if(empty($param)) continue; - if (str_contains($param, ' ')) { + if (str_contains(explode('=', $param)[0], ' ')) { // bad char $_SESSION['return'][] = array( 'type' => 'danger', diff --git a/data/web/inc/init_db.inc.php b/data/web/inc/init_db.inc.php index e7d13379..c80c398b 100644 --- a/data/web/inc/init_db.inc.php +++ b/data/web/inc/init_db.inc.php @@ -3,7 +3,7 @@ function init_db_schema() { try { global $pdo; - $db_version = "04072022_1642"; + $db_version = "13072022_1700"; $stmt = $pdo->query("SHOW TABLES LIKE 'versions'"); $num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC)); @@ -440,7 +440,7 @@ function init_db_schema() { "spam_score" => "TINYINT(1) NOT NULL DEFAULT '1'", "spam_policy" => "TINYINT(1) NOT NULL DEFAULT '1'", "delimiter_action" => "TINYINT(1) NOT NULL DEFAULT '1'", - "syncjobs" => "TINYINT(1) NOT NULL DEFAULT '1'", + "syncjobs" => "TINYINT(1) NOT NULL DEFAULT '0'", "eas_reset" => "TINYINT(1) NOT NULL DEFAULT '1'", "sogo_profile_reset" => "TINYINT(1) NOT NULL DEFAULT '0'", "pushover" => "TINYINT(1) NOT NULL DEFAULT '1'", @@ -1227,8 +1227,16 @@ function init_db_schema() { $pdo->query($create); } - // Mitigate imapsync pipemess issue - $pdo->query("UPDATE `imapsync` SET `custom_params` = '' WHERE `custom_params` LIKE '%pipemess%';"); + // Mitigate imapsync argument injection issue + $pdo->query("UPDATE `imapsync` SET `custom_params` = '' + WHERE `custom_params` LIKE '%pipemess%' + OR custom_params LIKE '%skipmess%' + OR custom_params LIKE '%delete2foldersonly%' + OR custom_params LIKE '%delete2foldersbutnot%' + OR custom_params LIKE '%regexflag%' + OR custom_params LIKE '%pipemess%' + OR custom_params LIKE '%regextrans2%' + OR custom_params LIKE '%maxlinelengthcmd%';"); // Migrate webauthn tfa $stmt = $pdo->query("ALTER TABLE `tfa` MODIFY COLUMN `authmech` ENUM('yubi_otp', 'u2f', 'hotp', 'totp', 'webauthn')"); diff --git a/data/web/inc/vars.inc.php b/data/web/inc/vars.inc.php index 6e08be13..02366c75 100644 --- a/data/web/inc/vars.inc.php +++ b/data/web/inc/vars.inc.php @@ -232,131 +232,127 @@ $RSPAMD_MAPS = array( $IMAPSYNC_OPTIONS = array( 'whitelist' => array( - 'log', - 'showpasswords', - 'nossl1', - 'nossl2', - 'ssl2', - 'notls1', - 'notls2', - 'tls2', - 'debugssl', - 'sslargs1', - 'sslargs2', - 'authmech1', - 'authmech2', - 'authuser1', - 'authuser2', - 'proxyauth1', - 'proxyauth2', - 'authmd51', - 'authmd52', - 'domain1', - 'domain2', - 'oauthaccesstoken1', - 'oauthaccesstoken2', - 'oauthdirect1', - 'oauthdirect2', - 'folder', - 'folder', - 'folderrec', - 'folderrec', - 'folderfirst', - 'folderfirst', - 'folderlast', - 'folderlast', - 'nomixfolders', - 'skipemptyfolders', - 'include', - 'include', - 'subfolder1', - 'subscribed', - 'subscribe', - 'prefix1', - 'prefix2', - 'sep1', - 'sep2', - 'nofoldersizesatend', - 'justfoldersizes', - 'pidfile', - 'pidfilelocking', - 'nolog', - 'logfile', - 'logdir', - 'debugcrossduplicates', - 'disarmreadreceipts', - 'truncmess', - 'synclabels', - 'resynclabels', - 'resyncflags', - 'noresyncflags', - 'filterbuggyflags', - 'expunge1', - 'noexpunge1', - 'delete1emptyfolders', - 'delete2folders', - 'noexpunge2', - 'nouidexpunge2', - 'syncinternaldates', - 'idatefromheader', - 'maxsize', - 'minsize', - 'minage', - 'search', - 'search1', - 'search2', - 'noabletosearch', - 'noabletosearch1', - 'noabletosearch2', - 'maxlinelength', - 'useheader', - 'useheader', - 'syncduplicates', - 'usecache', - 'nousecache', - 'useuid', - 'syncacls', - 'nosyncacls', - 'debug', - 'debugfolders', - 'debugcontent', - 'debugflags', - 'debugimap1', - 'debugimap2', - 'debugimap', - 'debugmemory', - 'errorsmax', - 'tests', - 'testslive', - 'testslive6', - 'gmail1', - 'gmail2', - 'office1', - 'office2', - 'exchange1', - 'exchange2', - 'domino1', - 'domino2', - 'keepalive1', - 'keepalive2', - 'maxmessagespersecond', - 'maxbytesafter', - 'maxsleep', - 'abort', - 'exitwhenover', - 'noid', - 'justconnect', - 'justlogin', - 'justfolders' + 'authmech1', + 'authmech2', + 'authuser1', + 'authuser2', + 'debugcontent', + 'disarmreadreceipts', + 'logdir', + 'debugcrossduplicates', + 'maxsize', + 'minsize', + 'minage', + 'search', + 'noabletosearch', + 'pidfile', + 'pidfilelocking', + 'search1', + 'search2', + 'sslargs1', + 'sslargs2', + 'syncduplicates', + 'usecache', + 'synclabels', + 'truncmess', + 'domino2', + 'expunge1', + 'filterbuggyflags', + 'justconnect', + 'justfolders', + 'maxlinelength', + 'useheader', + 'noabletosearch1', + 'nolog', + 'prefix1', + 'prefix2', + 'sep1', + 'sep2', + 'nofoldersizesatend', + 'justfoldersizes', + 'proxyauth1', + 'skipemptyfolders', + 'include', + 'subfolder1', + 'subscribed', + 'subscribe', + 'debug', + 'debugimap2', + 'domino1', + 'exchange1', + 'exchange2', + 'justlogin', + 'keepalive1', + 'keepalive2', + 'noabletosearch2', + 'noexpunge2', + 'noresyncflags', + 'nossl1', + 'nouidexpunge2', + 'syncinternaldates', + 'idatefromheader', + 'useuid', + 'debugflags', + 'debugimap', + 'delete1emptyfolders', + 'delete2folders', + 'gmail2', + 'office1', + 'testslive6', + 'debugimap1', + 'errorsmax', + 'tests', + 'gmail1', + 'maxmessagespersecond', + 'maxbytesafter', + 'maxsleep', + 'abort', + 'resyncflags', + 'resynclabels', + 'syncacls', + 'nosyncacls', + 'nousecache', + 'office2', + 'testslive', + 'debugmemory', + 'exitwhenover', + 'noid', + 'noexpunge1', + 'authmd51', + 'logfile', + 'proxyauth2', + 'domain1', + 'domain2', + 'oauthaccesstoken1', + 'oauthaccesstoken2', + 'oauthdirect1', + 'oauthdirect2', + 'folder', + 'folderrec', + 'folderfirst', + 'folderlast', + 'nomixfolders', + 'authmd52', + 'debugfolders', + 'nossl2', + 'ssl2', + 'tls2', + 'notls2', + 'debugssl', + 'notls1', + 'inet4', + 'inet6', + 'log', + 'showpasswords' ), 'blacklist' => array( - 'skipmess', - 'delete2foldersonly', - 'delete2foldersbutnot', - 'regexflag', - 'regexmess', - 'pipemess', - 'regextrans2', - 'maxlinelengthcmd' + 'skipmess', + 'delete2foldersonly', + 'delete2foldersbutnot', + 'regexflag', + 'regexmess', + 'pipemess', + 'regextrans2', + 'maxlinelengthcmd' ) ); From f7246628747121886d13bd022b8d7d46a0a91d43 Mon Sep 17 00:00:00 2001 From: FreddleSpl0it Date: Wed, 13 Jul 2022 17:13:25 +0200 Subject: [PATCH 068/115] readd imapsync fix --- data/web/inc/functions.mailbox.inc.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/data/web/inc/functions.mailbox.inc.php b/data/web/inc/functions.mailbox.inc.php index 3b8531bd..7560d2bf 100644 --- a/data/web/inc/functions.mailbox.inc.php +++ b/data/web/inc/functions.mailbox.inc.php @@ -338,7 +338,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { $custom_params = (empty(trim($_data['custom_params']))) ? '' : trim($_data['custom_params']); // validate custom params - foreach (explode(' -', $custom_params) as $param){ + foreach (explode('-', $custom_params) as $param){ if(empty($param)) continue; if (str_contains(explode('=', $param)[0], ' ')) { @@ -1793,7 +1793,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { } // validate custom params - foreach (explode(' -', $custom_params) as $param){ + foreach (explode('-', $custom_params) as $param){ if(empty($param)) continue; if (str_contains(explode('=', $param)[0], ' ')) { From cd02483b19f25dcce08fc09cee775cab66d6a5e0 Mon Sep 17 00:00:00 2001 From: FreddleSpl0it Date: Thu, 14 Jul 2022 09:38:44 +0200 Subject: [PATCH 069/115] prevent auth wipe out at yubi otp registration --- data/web/inc/functions.inc.php | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php index 9c73a475..08963888 100644 --- a/data/web/inc/functions.inc.php +++ b/data/web/inc/functions.inc.php @@ -1240,8 +1240,7 @@ function set_tfa($_data) { $yubico_modhex_id = substr($_data["otp_token"], 0, 12); $stmt = $pdo->prepare("DELETE FROM `tfa` WHERE `username` = :username - AND (`authmech` != 'yubi_otp') - OR (`authmech` = 'yubi_otp' AND `secret` LIKE :modhex)"); + AND (`authmech` = 'yubi_otp' AND `secret` LIKE :modhex)"); $stmt->execute(array(':username' => $username, ':modhex' => '%' . $yubico_modhex_id)); $stmt = $pdo->prepare("INSERT INTO `tfa` (`key_id`, `username`, `authmech`, `active`, `secret`) VALUES (:key_id, :username, 'yubi_otp', '1', :secret)"); From 223ba44b6151f62a98779711a9173aa23876bd8a Mon Sep 17 00:00:00 2001 From: FreddleSpl0it Date: Thu, 14 Jul 2022 09:39:24 +0200 Subject: [PATCH 070/115] rearrange custom params validation --- data/web/inc/functions.mailbox.inc.php | 26 ++++++++++++++------------ 1 file changed, 14 insertions(+), 12 deletions(-) diff --git a/data/web/inc/functions.mailbox.inc.php b/data/web/inc/functions.mailbox.inc.php index 7560d2bf..2cf9f6c6 100644 --- a/data/web/inc/functions.mailbox.inc.php +++ b/data/web/inc/functions.mailbox.inc.php @@ -341,7 +341,13 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { foreach (explode('-', $custom_params) as $param){ if(empty($param)) continue; - if (str_contains(explode('=', $param)[0], ' ')) { + // extract option + if (str_contains($param, '=')) $param = explode('=', $param)[0]; + else $param = rtrim($param, ' '); + // remove first char if first char is - + if ($param[0] == '-') $param = ltrim($param, $param[0]); + + if (str_contains($param, ' ')) { // bad char $_SESSION['return'][] = array( 'type' => 'danger', @@ -351,11 +357,6 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { return false; } - // extract option - if (str_contains($param, '=')) $param = explode('=', $param)[0]; - // remove first char if first char is - - if ($param[0] == '-') $param = ltrim($param, $param[0]); - // check if param is whitelisted if (!in_array(strtolower($param), $GLOBALS["IMAPSYNC_OPTIONS"]["whitelist"])){ // bad option @@ -1796,7 +1797,13 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { foreach (explode('-', $custom_params) as $param){ if(empty($param)) continue; - if (str_contains(explode('=', $param)[0], ' ')) { + // extract option + if (str_contains($param, '=')) $param = explode('=', $param)[0]; + else $param = rtrim($param, ' '); + // remove first char if first char is - + if ($param[0] == '-') $param = ltrim($param, $param[0]); + + if (str_contains($param, ' ')) { // bad char $_SESSION['return'][] = array( 'type' => 'danger', @@ -1806,11 +1813,6 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { return false; } - // extract option - if (str_contains($param, '=')) $param = explode('=', $param)[0]; - // remove first char if first char is - - if ($param[0] == '-') $param = ltrim($param, $param[0]); - // check if param is whitelisted if (!in_array(strtolower($param), $GLOBALS["IMAPSYNC_OPTIONS"]["whitelist"])){ // bad option From 753cde0b859336090f98b4ba3daabfc32194c65e Mon Sep 17 00:00:00 2001 From: FreddleSpl0it Date: Thu, 14 Jul 2022 09:40:02 +0200 Subject: [PATCH 071/115] parse host from url for webauthn library --- data/web/inc/prerequisites.inc.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/data/web/inc/prerequisites.inc.php b/data/web/inc/prerequisites.inc.php index 2e563077..2897444b 100644 --- a/data/web/inc/prerequisites.inc.php +++ b/data/web/inc/prerequisites.inc.php @@ -66,8 +66,9 @@ $qrprovider = new RobThree\Auth\Providers\Qr\QRServerProvider(); $tfa = new RobThree\Auth\TwoFactorAuth($OTP_LABEL, 6, 30, 'sha1', $qrprovider); // FIDO2 +$server_name = parse_url('https://' . $_SERVER['HTTP_HOST'], PHP_URL_HOST); $formats = $GLOBALS['FIDO2_FORMATS']; -$WebAuthn = new lbuchs\WebAuthn\WebAuthn('WebAuthn Library', $_SERVER['SERVER_NAME'], $formats); +$WebAuthn = new lbuchs\WebAuthn\WebAuthn('WebAuthn Library', $server_name, $formats); // only include root ca's when needed if (getenv('WEBAUTHN_ONLY_TRUSTED_VENDORS') == 'y') $WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates'); From 7d72ae3449366fb2f317fd49edf906eb7e669f9d Mon Sep 17 00:00:00 2001 From: DerLinkman Date: Thu, 14 Jul 2022 11:29:38 +0200 Subject: [PATCH 072/115] Added update-compose to update.sh and create-coldstandby --- helper-scripts/_cold-standby.sh | 9 +++++++++ update.sh | 20 +++++++++++++++++--- 2 files changed, 26 insertions(+), 3 deletions(-) diff --git a/helper-scripts/_cold-standby.sh b/helper-scripts/_cold-standby.sh index 7fc5a495..fadee6f6 100755 --- a/helper-scripts/_cold-standby.sh +++ b/helper-scripts/_cold-standby.sh @@ -271,4 +271,13 @@ if ! ssh -o StrictHostKeyChecking=no \ >&2 echo -e "\e[31m[ERR]\e[0m - Could not cleanup old images on remote" fi +echo -e "\033[1mExecuting update script and checking for new docker-compose Version on remote...\033[0m" +if ! ssh -o StrictHostKeyChecking=no \ + -i "${REMOTE_SSH_KEY}" \ + ${REMOTE_SSH_HOST} \ + -p ${REMOTE_SSH_PORT} \ + ${SCRIPT_DIR}/../update.sh -f --update-compose ; then + >&2 echo -e "\e[31m[ERR]\e[0m - Could not fetch docker-compose on remote" +fi + echo -e "\e[32mDone\e[0m" diff --git a/update.sh b/update.sh index e3f3ad09..cd9d4fb6 100755 --- a/update.sh +++ b/update.sh @@ -344,19 +344,33 @@ while (($#)); do --no-update-compose) NO_UPDATE_COMPOSE=y ;; + --update-compose) + LATEST_COMPOSE=$(curl -#L https://www.servercow.de/docker-compose/latest.php) + COMPOSE_VERSION=$(docker-compose version --short) + if [[ "$LATEST_COMPOSE" != "$COMPOSE_VERSION" ]]; then + echo -e "\e[33mA new docker-compose Version is available: $LATEST_COMPOSE\e[0m" + echo -e "\e[33mYour Version is: $COMPOSE_VERSION\e[0m" + update_compose + echo -e "\e[32mYour docker-compose Version is now up to date!\e[0m" + else + echo -e "\e[32mYour docker-compose Version is up to date! Not updating it...\e[0m" + fi + exit 0 + ;; --skip-ping-check) SKIP_PING_CHECK=y ;; --help|-h) - echo './update.sh [-c|--check, --ours, --gc, --no-update-compose, --prefetch, --skip-start, --skip-ping-check, -f|--force, -h|--help] + echo './update.sh [-c|--check, --ours, --gc, --no-update-compose, --update-compose, --prefetch, --skip-start, --skip-ping-check, -f|--force, -h|--help] -c|--check - Check for updates and exit (exit codes => 0: update available, 3: no updates) --ours - Use merge strategy option "ours" to solve conflicts in favor of non-mailcow code (local changes over remote changes), not recommended! --gc - Run garbage collector to delete old image tags - --no-update-compose - Do not update docker-compose + --no-update-compose - Skip the docker-compose Updates during the mailcow Update process + --update-compose - Only run the docker-compose Update process (don´t updates your mailcow itself) --prefetch - Only prefetch new images and exit (useful to prepare updates) --skip-start - Do not start mailcow after update - --skip-ping-check - Skip ICMP Check to public DNS resolvers (Use it only if you´ve blocked any ICMP Connections to your mailcow machine). + --skip-ping-check - Skip ICMP Check to public DNS resolvers (Use it only if you´ve blocked any ICMP Connections to your mailcow machine) -f|--force - Force update, do not ask questions ' exit 1 From be08742653f1678addbf7dc4a612c1f7e94dbea5 Mon Sep 17 00:00:00 2001 From: FreddleSpl0it Date: Thu, 14 Jul 2022 18:37:21 +0200 Subject: [PATCH 073/115] exclude oauth clients & app passwords from mailbox tfa --- data/web/inc/functions.inc.php | 38 +++++++++++++++++------------- data/web/inc/prerequisites.inc.php | 2 +- 2 files changed, 22 insertions(+), 18 deletions(-) diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php index 08963888..b2c5eee5 100644 --- a/data/web/inc/functions.inc.php +++ b/data/web/inc/functions.inc.php @@ -807,7 +807,7 @@ function verify_hash($hash, $password) { } return false; } -function check_login($user, $pass, $app_passwd_data = false) { +function check_login($user, $pass, $app_passwd_data = false, $skip_tfa = false) { global $pdo; global $redis; global $imap_server; @@ -938,19 +938,22 @@ function check_login($user, $pass, $app_passwd_data = false) { foreach ($rows as $row) { // verify password if (verify_hash($row['password'], $pass) !== false) { - // check for tfa authenticators - $authenticators = get_tfa($user); - if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0) { - $_SESSION['pending_mailcow_cc_username'] = $user; - $_SESSION['pending_mailcow_cc_role'] = "user"; - $_SESSION['pending_tfa_methods'] = $authenticators['additional']; - unset($_SESSION['ldelay']); - $_SESSION['return'][] = array( - 'type' => 'success', - 'log' => array(__FUNCTION__, $user, '*'), - 'msg' => array('logged_in_as', $user) - ); - return "pending"; + + if ($app_passwd_data['eas'] !== true && $app_passwd_data['dav'] !== true && !$skip_tfa){ + // check for tfa authenticators + $authenticators = get_tfa($user); + if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0) { + $_SESSION['pending_mailcow_cc_username'] = $user; + $_SESSION['pending_mailcow_cc_role'] = "user"; + $_SESSION['pending_tfa_methods'] = $authenticators['additional']; + unset($_SESSION['ldelay']); + $_SESSION['return'][] = array( + 'type' => 'success', + 'log' => array(__FUNCTION__, $user, '*'), + 'msg' => array('logged_in_as', $user) + ); + return "pending"; + } } else { if ($app_passwd_data['eas'] === true || $app_passwd_data['dav'] === true) { $service = ($app_passwd_data['eas'] === true) ? 'EAS' : 'DAV'; @@ -961,12 +964,13 @@ function check_login($user, $pass, $app_passwd_data = false) { ':username' => $user, ':remote_addr' => ($_SERVER['HTTP_X_REAL_IP'] ?? $_SERVER['REMOTE_ADDR']) )); + } elseif (!$skip_tfa) { + // Reactivate TFA if it was set to "deactivate TFA for next login" + $stmt = $pdo->prepare("UPDATE `tfa` SET `active`='1' WHERE `username` = :user"); + $stmt->execute(array(':user' => $user)); } unset($_SESSION['ldelay']); - // Reactivate TFA if it was set to "deactivate TFA for next login" - $stmt = $pdo->prepare("UPDATE `tfa` SET `active`='1' WHERE `username` = :user"); - $stmt->execute(array(':user' => $user)); return "user"; } } diff --git a/data/web/inc/prerequisites.inc.php b/data/web/inc/prerequisites.inc.php index 2897444b..cb02ba16 100644 --- a/data/web/inc/prerequisites.inc.php +++ b/data/web/inc/prerequisites.inc.php @@ -131,7 +131,7 @@ class mailcowPdo extends OAuth2\Storage\Pdo { $this->config['user_table'] = 'mailbox'; } public function checkUserCredentials($username, $password) { - if (check_login($username, $password) == 'user') { + if (check_login($username, $password, false, true) == 'user') { return true; } return false; From 0342ae926c8c02b13f02ec5f711b9d4d81d29334 Mon Sep 17 00:00:00 2001 From: FreddleSpl0it Date: Thu, 14 Jul 2022 18:55:35 +0200 Subject: [PATCH 074/115] exclude oauth clients & app passwords from mailbox tfa --- data/web/inc/functions.inc.php | 40 +++++++++++++++++----------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php index b2c5eee5..f705af03 100644 --- a/data/web/inc/functions.inc.php +++ b/data/web/inc/functions.inc.php @@ -834,7 +834,7 @@ function check_login($user, $pass, $app_passwd_data = false, $skip_tfa = false) if (verify_hash($row['password'], $pass)) { // check for tfa authenticators $authenticators = get_tfa($user); - if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0) { + if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0 && !$skip_tfa) { // active tfa authenticators found, set pending user login $_SESSION['pending_mailcow_cc_username'] = $user; $_SESSION['pending_mailcow_cc_role'] = "admin"; @@ -873,7 +873,7 @@ function check_login($user, $pass, $app_passwd_data = false, $skip_tfa = false) if (verify_hash($row['password'], $pass) !== false) { // check for tfa authenticators $authenticators = get_tfa($user); - if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0) { + if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0 && !$skip_tfa) { $_SESSION['pending_mailcow_cc_username'] = $user; $_SESSION['pending_mailcow_cc_role'] = "domainadmin"; $_SESSION['pending_tfa_methods'] = $authenticators['additional']; @@ -954,25 +954,25 @@ function check_login($user, $pass, $app_passwd_data = false, $skip_tfa = false) ); return "pending"; } - } else { - if ($app_passwd_data['eas'] === true || $app_passwd_data['dav'] === true) { - $service = ($app_passwd_data['eas'] === true) ? 'EAS' : 'DAV'; - $stmt = $pdo->prepare("REPLACE INTO sasl_log (`service`, `app_password`, `username`, `real_rip`) VALUES (:service, :app_id, :username, :remote_addr)"); - $stmt->execute(array( - ':service' => $service, - ':app_id' => $row['app_passwd_id'], - ':username' => $user, - ':remote_addr' => ($_SERVER['HTTP_X_REAL_IP'] ?? $_SERVER['REMOTE_ADDR']) - )); - } elseif (!$skip_tfa) { - // Reactivate TFA if it was set to "deactivate TFA for next login" - $stmt = $pdo->prepare("UPDATE `tfa` SET `active`='1' WHERE `username` = :user"); - $stmt->execute(array(':user' => $user)); - } - - unset($_SESSION['ldelay']); - return "user"; } + + if ($app_passwd_data['eas'] === true || $app_passwd_data['dav'] === true) { + $service = ($app_passwd_data['eas'] === true) ? 'EAS' : 'DAV'; + $stmt = $pdo->prepare("REPLACE INTO sasl_log (`service`, `app_password`, `username`, `real_rip`) VALUES (:service, :app_id, :username, :remote_addr)"); + $stmt->execute(array( + ':service' => $service, + ':app_id' => $row['app_passwd_id'], + ':username' => $user, + ':remote_addr' => ($_SERVER['HTTP_X_REAL_IP'] ?? $_SERVER['REMOTE_ADDR']) + )); + } elseif (!$skip_tfa) { + // Reactivate TFA if it was set to "deactivate TFA for next login" + $stmt = $pdo->prepare("UPDATE `tfa` SET `active`='1' WHERE `username` = :user"); + $stmt->execute(array(':user' => $user)); + } + + unset($_SESSION['ldelay']); + return "user"; } } From c8ccf080f314fc09a1c6e1458f07658e06e675c3 Mon Sep 17 00:00:00 2001 From: Peter Date: Thu, 14 Jul 2022 20:01:38 +0200 Subject: [PATCH 075/115] Add Integration Tests badge --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 7f7907d2..313fa13b 100644 --- a/README.md +++ b/README.md @@ -2,6 +2,7 @@ ## We stand with 🇺🇦 +[![Mailcow Integration Tests](https://github.com/mailcow/mailcow-dockerized/actions/workflows/integration_tests.yml/badge.svg?branch=master)](https://github.com/mailcow/mailcow-dockerized/actions/workflows/integration_tests.yml) [![Translation status](https://translate.mailcow.email/widgets/mailcow-dockerized/-/translation/svg-badge.svg)](https://translate.mailcow.email/engage/mailcow-dockerized/) [![Twitter URL](https://img.shields.io/twitter/url/https/twitter.com/mailcow_email.svg?style=social&label=Follow%20%40mailcow_email)](https://twitter.com/mailcow_email) From 7aab2c55ff4f7286b0efd7409a13e9298b73705b Mon Sep 17 00:00:00 2001 From: DerLinkman Date: Fri, 15 Jul 2022 10:30:01 +0200 Subject: [PATCH 076/115] Changed which to command -v + seperated compose check from for loop --- update.sh | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/update.sh b/update.sh index cd9d4fb6..3184579f 100755 --- a/update.sh +++ b/update.sh @@ -203,7 +203,7 @@ else DC_DL_SUFFIX=legacy fi sleep 1 - if [[ $(which pip 2>&1) && $(pip list --local 2>&1 | grep -v DEPRECATION | grep -c docker-compose) == 1 || $(which pip3 2>&1) && $(pip3 list --local 2>&1 | grep -v DEPRECATION | grep -c docker-compose) == 1 ]]; then + if [[ $(command -v pip 2>&1) && $(pip list --local 2>&1 | grep -v DEPRECATION | grep -c docker-compose) == 1 || $(command -v pip3 2>&1) && $(pip3 list --local 2>&1 | grep -v DEPRECATION | grep -c docker-compose) == 1 ]]; then echo -e "\e[33mFound a docker-compose Version installed with pip!\e[0m" echo -e "\e[31mPlease uninstall the pip Version of docker-compose since it doesn´t support Versions higher than 1.29.2.\e[0m" sleep 2 @@ -214,7 +214,7 @@ else LATEST_COMPOSE=$(curl -#L https://www.servercow.de/docker-compose/latest.php) COMPOSE_VERSION=$(docker-compose version --short) if [[ "$LATEST_COMPOSE" != "$COMPOSE_VERSION" ]]; then - COMPOSE_PATH=$(which docker-compose) + COMPOSE_PATH=$(command -v docker-compose) if [[ -w ${COMPOSE_PATH} ]]; then curl -#L https://github.com/docker/compose/releases/download/v${LATEST_COMPOSE}/docker-compose-$(uname -s)-$(uname -m) > $COMPOSE_PATH chmod +x $COMPOSE_PATH @@ -273,16 +273,18 @@ PATH=$PATH:/opt/bin umask 0022 for bin in curl docker git awk sha1sum; do - if [[ -z $(which ${bin}) ]]; then + if [[ -z $(command -v ${bin}) ]]; then echo "Cannot find ${bin}, exiting..." exit 1; - elif [[ -z $(which docker-compose) ]]; then + fi +done + +if [[ -z $(command -v docker-compose) ]]; then echo -e "\e[31mCannot find docker-compose Standalone.\e[0m" echo -e "\e[31mPlease install it manually regarding to this doc site: https://mailcow.github.io/mailcow-dockerized-docs/i_u_m/i_u_m_install/\e[0m" sleep 3 exit 1; - fi -done +fi ## Check if docker-compose >= v2 if ! docker-compose version --short | grep "^2." > /dev/null 2>&1; then From 94f4ec8b966db57e6623b37ea4a62cc18e113c53 Mon Sep 17 00:00:00 2001 From: Niklas Meyer <62480600+DerLinkman@users.noreply.github.com> Date: Fri, 15 Jul 2022 10:53:51 +0200 Subject: [PATCH 077/115] Update tweet-trigger-publish-release.yml --- .github/workflows/tweet-trigger-publish-release.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/tweet-trigger-publish-release.yml b/.github/workflows/tweet-trigger-publish-release.yml index 13f7dd76..82f1dc3a 100644 --- a/.github/workflows/tweet-trigger-publish-release.yml +++ b/.github/workflows/tweet-trigger-publish-release.yml @@ -10,8 +10,8 @@ jobs: - name: Tweet-trigger-publish-release uses: mugi111/tweet-trigger-release@v1.1 with: - consumer_key: ${{ secrets.TWITTER_CONSUMER_KEY }} - consumer_secret: ${{ secrets.TWITTER_CONSUMER_SECRET }} - access_token_key: ${{ secrets.TWITTER_ACCESS_TOKEN_KEY }} - access_token_secret: ${{ secrets.TWITTER_ACCESS_TOKEN_SECRET }} + consumer_key: ${{ secrets.CONSUMER_KEY }} + consumer_secret: ${{ secrets.CONSUMER_SECRET }} + access_token_key: ${{ secrets.ACCESS_TOKEN_KEY }} + access_token_secret: ${{ secrets.ACCESS_TOKEN_SECRET }} tweet_body: 'A new mailcow-dockerized Release has been Released on GitHub! Checkout our GitHub Page for the latest Release: github.com/mailcow/mailcow-dockerized/releases/latest' From 1ca566f670d31280b37378fb76b40338436a9866 Mon Sep 17 00:00:00 2001 From: FreddleSpl0it Date: Fri, 15 Jul 2022 13:02:13 +0200 Subject: [PATCH 078/115] autoselect authenticator if only one exists --- data/web/css/build/008-mailcow.css | 1 + data/web/templates/base.twig | 51 ++++++++++++++++++++++++++++-- 2 files changed, 50 insertions(+), 2 deletions(-) diff --git a/data/web/css/build/008-mailcow.css b/data/web/css/build/008-mailcow.css index f557084f..b118ca01 100644 --- a/data/web/css/build/008-mailcow.css +++ b/data/web/css/build/008-mailcow.css @@ -269,6 +269,7 @@ code { padding: 10px; background: #fbfbfb; border: 1px solid #ededed; + min-height: 110px; } .tag-box { diff --git a/data/web/templates/base.twig b/data/web/templates/base.twig index 37c27e21..482b4e24 100644 --- a/data/web/templates/base.twig +++ b/data/web/templates/base.twig @@ -182,13 +182,21 @@ function recursiveBase64StrToArrayBuffer(obj) { keyboard: false }); + // validate Yubi OTP tfa $("#pending_tfa_tab_yubi_otp").click(function(){ $(".totp-authenticator-selection").removeClass("active"); $(".webauthn-authenticator-selection").removeClass("active"); - $("#collapseTotpTFA").collapse('hide'); $("#collapseWebAuthnTFA").collapse('hide'); + + // select default if only one authenticator exists + if ($('.yubi-authenticator-selection').length == 1){ + $('.yubi-authenticator-selection').addClass("active"); + var id = $('.yubi-authenticator-selection').children('input').first().val(); + $("#yubi_selected_id").val(id); + $("#collapseYubiTFA").collapse('show'); + } }); $(".yubi-authenticator-selection").click(function(){ $(".yubi-authenticator-selection").removeClass("active"); @@ -198,14 +206,37 @@ function recursiveBase64StrToArrayBuffer(obj) { $("#yubi_selected_id").val(id); $("#collapseYubiTFA").collapse('show'); + $("#collapseYubiTFA").children('input[name="token"]').focus(); + }); + if ($('.yubi-authenticator-selection').length == 1 && + $('.webauthn-authenticator-selection').length == 0){ + + // select default if only one authenticator exists + $('.yubi-authenticator-selection').addClass("active"); + + var id = $('.yubi-authenticator-selection').children('input').first().val(); + $("#yubi_selected_id").val(id); + + $("#collapseYubiTFA").collapse('show'); + } + $('#collapseYubiTFA').on('shown.bs.collapse', function() { + // autofocus + setTimeout(function() { $("#collapseYubiTFA").find('input[name="token"]').focus(); }, 200); }); // validate Time based OTP tfa $("#pending_tfa_tab_totp").click(function(){ $(".yubi-authenticator-selection").removeClass("active"); $(".webauthn-authenticator-selection").removeClass("active"); - $("#collapseYubiTFA").collapse('hide'); $("#collapseWebAuthnTFA").collapse('hide'); + + // select default if only one authenticator exists + if ($('.totp-authenticator-selection').length == 1){ + $('.totp-authenticator-selection').addClass("active"); + var id = $('.totp-authenticator-selection').children('input').first().val(); + $("#totp_selected_id").val(id); + $("#collapseTotpTFA").collapse('show'); + } }); $(".totp-authenticator-selection").click(function(){ $(".totp-authenticator-selection").removeClass("active"); @@ -216,6 +247,22 @@ function recursiveBase64StrToArrayBuffer(obj) { $("#collapseTotpTFA").collapse('show'); }); + if ($('.totp-authenticator-selection').length == 1 && + $('.yubi-authenticator-selection').length == 0 && + $('.webauthn-authenticator-selection').length == 0){ + + // select default if only one authenticator exists + $('.totp-authenticator-selection').addClass("active"); + + var id = $('.totp-authenticator-selection').children('input').first().val(); + $("#totp_selected_id").val(id); + + $("#collapseTotpTFA").collapse('show'); + } + $('#collapseTotpTFA').on('shown.bs.collapse', function() { + // autofocus + setTimeout(function() { $("#collapseTotpTFA").find('input[name="token"]').focus(); }, 200); + }); // validate WebAuthn tfa $("#pending_tfa_tab_webauthn").click(function(){ $(".totp-authenticator-selection").removeClass("active"); From c8620a066d447ed6aaf6054b184fd16146574e5b Mon Sep 17 00:00:00 2001 From: FreddleSpl0it Date: Fri, 15 Jul 2022 16:45:28 +0200 Subject: [PATCH 079/115] yubi_otp undo authenticator selection --- data/web/inc/functions.inc.php | 9 +--- data/web/templates/base.twig | 60 ++++++--------------------- data/web/templates/modals/footer.twig | 15 +------ 3 files changed, 17 insertions(+), 67 deletions(-) diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php index f705af03..ca371303 100644 --- a/data/web/inc/functions.inc.php +++ b/data/web/inc/functions.inc.php @@ -1630,12 +1630,8 @@ function verify_tfa_login($username, $_data) { global $WebAuthn; if ($_data['tfa_method'] != 'u2f'){ - $stmt = $pdo->prepare("SELECT `authmech` FROM `tfa` - WHERE `username` = :username AND `id` = :id AND `active` = '1'"); - $stmt->execute(array(':username' => $username, ':id' => $_data['id'])); - $row = $stmt->fetch(PDO::FETCH_ASSOC); - switch ($row["authmech"]) { + switch ($_data["tfa_method"]) { case "yubi_otp": if (!ctype_alnum($_data['token']) || strlen($_data['token']) != 44) { $_SESSION['return'][] = array( @@ -1649,10 +1645,9 @@ function verify_tfa_login($username, $_data) { $stmt = $pdo->prepare("SELECT `id`, `secret` FROM `tfa` WHERE `username` = :username AND `authmech` = 'yubi_otp' - AND `id` = :id AND `active` = '1' AND `secret` LIKE :modhex"); - $stmt->execute(array(':username' => $username, ':modhex' => '%' . $yubico_modhex_id, ':id' => $_data['id'])); + $stmt->execute(array(':username' => $username, ':modhex' => '%' . $yubico_modhex_id)); $row = $stmt->fetch(PDO::FETCH_ASSOC); $yubico_auth = explode(':', $row['secret']); $yubi = new Auth_Yubico($yubico_auth[0], $yubico_auth[1]); diff --git a/data/web/templates/base.twig b/data/web/templates/base.twig index 482b4e24..770decde 100644 --- a/data/web/templates/base.twig +++ b/data/web/templates/base.twig @@ -183,51 +183,9 @@ function recursiveBase64StrToArrayBuffer(obj) { }); - // validate Yubi OTP tfa - $("#pending_tfa_tab_yubi_otp").click(function(){ - $(".totp-authenticator-selection").removeClass("active"); - $(".webauthn-authenticator-selection").removeClass("active"); - $("#collapseTotpTFA").collapse('hide'); - $("#collapseWebAuthnTFA").collapse('hide'); - - // select default if only one authenticator exists - if ($('.yubi-authenticator-selection').length == 1){ - $('.yubi-authenticator-selection').addClass("active"); - var id = $('.yubi-authenticator-selection').children('input').first().val(); - $("#yubi_selected_id").val(id); - $("#collapseYubiTFA").collapse('show'); - } - }); - $(".yubi-authenticator-selection").click(function(){ - $(".yubi-authenticator-selection").removeClass("active"); - $(this).addClass("active"); - - var id = $(this).children('input').first().val(); - $("#yubi_selected_id").val(id); - - $("#collapseYubiTFA").collapse('show'); - $("#collapseYubiTFA").children('input[name="token"]').focus(); - }); - if ($('.yubi-authenticator-selection').length == 1 && - $('.webauthn-authenticator-selection').length == 0){ - - // select default if only one authenticator exists - $('.yubi-authenticator-selection').addClass("active"); - - var id = $('.yubi-authenticator-selection').children('input').first().val(); - $("#yubi_selected_id").val(id); - - $("#collapseYubiTFA").collapse('show'); - } - $('#collapseYubiTFA').on('shown.bs.collapse', function() { - // autofocus - setTimeout(function() { $("#collapseYubiTFA").find('input[name="token"]').focus(); }, 200); - }); // validate Time based OTP tfa $("#pending_tfa_tab_totp").click(function(){ - $(".yubi-authenticator-selection").removeClass("active"); $(".webauthn-authenticator-selection").removeClass("active"); - $("#collapseYubiTFA").collapse('hide'); $("#collapseWebAuthnTFA").collapse('hide'); // select default if only one authenticator exists @@ -248,9 +206,9 @@ function recursiveBase64StrToArrayBuffer(obj) { $("#collapseTotpTFA").collapse('show'); }); if ($('.totp-authenticator-selection').length == 1 && - $('.yubi-authenticator-selection').length == 0 && + $('#pending_tfa_tab_yubi_otp').length == 0 && $('.webauthn-authenticator-selection').length == 0){ - + // select default if only one authenticator exists $('.totp-authenticator-selection').addClass("active"); @@ -258,18 +216,26 @@ function recursiveBase64StrToArrayBuffer(obj) { $("#totp_selected_id").val(id); $("#collapseTotpTFA").collapse('show'); + setTimeout(function() { $("#collapseTotpTFA").find('input[name="token"]').focus(); }, 1000); } - $('#collapseTotpTFA').on('shown.bs.collapse', function() { + $('#pending_tfa_tab_totp').on('shown.bs.tab', function() { // autofocus setTimeout(function() { $("#collapseTotpTFA").find('input[name="token"]').focus(); }, 200); + }); + // validate Yubi OTP tfa + if ($('.webauthn-authenticator-selection').length == 0){ + // autofocus + setTimeout(function() { $("#collapseYubiTFA").find('input[name="token"]').focus(); }, 1000); + } + $('#pending_tfa_tab_yubi_otp').on('shown.bs.tab', function() { + // autofocus + $("#collapseYubiTFA").find('input[name="token"]').focus(); }); // validate WebAuthn tfa $("#pending_tfa_tab_webauthn").click(function(){ $(".totp-authenticator-selection").removeClass("active"); - $(".yubi-authenticator-selection").removeClass("active"); $("#collapseTotpTFA").collapse('hide'); - $("#collapseYubiTFA").collapse('hide'); }); $(".webauthn-authenticator-selection").click(function(){ $(".webauthn-authenticator-selection").removeClass("active"); diff --git a/data/web/templates/modals/footer.twig b/data/web/templates/modals/footer.twig index 67cc3482..52e89e00 100644 --- a/data/web/templates/modals/footer.twig +++ b/data/web/templates/modals/footer.twig @@ -206,20 +206,9 @@ - Authenticators + Authenticate -
- {% for authenticator in pending_tfa_methods %} - {% if authenticator["authmech"] == "yubi_otp" %} - - - {{ authenticator["key_id"] }} - - - {% endif %} - {% endfor %} -
-
+
Yubicon Icon From ceaf1423f4a7d9e4beb99c3b3280600f1265687c Mon Sep 17 00:00:00 2001 From: DerLinkman Date: Mon, 18 Jul 2022 10:39:17 +0200 Subject: [PATCH 080/115] Moved general compose v2 check below the parameter section to respect --force --- update.sh | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/update.sh b/update.sh index 3184579f..6659de55 100755 --- a/update.sh +++ b/update.sh @@ -286,21 +286,6 @@ if [[ -z $(command -v docker-compose) ]]; then exit 1; fi -## Check if docker-compose >= v2 -if ! docker-compose version --short | grep "^2." > /dev/null 2>&1; then - echo -e "\e[33mYour docker-compose Version is not up to date!\e[0m" - echo -e "\e[33mmailcow needs docker-compose > 2.X.X!\e[0m" - echo -e "\e[33mYour current installed Version: $(docker-compose version --short)\e[0m" - sleep 3 - update_compose - if [[ ! "${updatecomposeresponse}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then - echo -e "\e[31mmailcow does not work with docker-compose < 2.X.X anymore!\e[0m" - echo -e "\e[31mPlease update your docker-compose manually, to run mailcow.\e[0m" - echo -e "\e[31mExiting...\e[0m" - exit 1 - fi -fi - export LC_ALL=C DATE=$(date +%Y-%m-%d_%H_%M_%S) BRANCH=$(cd ${SCRIPT_DIR}; git rev-parse --abbrev-ref HEAD) @@ -380,6 +365,21 @@ while (($#)); do shift done +# Check if Docker-Compose is older then v2 before continuing +if ! docker-compose version --short | grep "^2." > /dev/null 2>&1; then + echo -e "\e[33mYour docker-compose Version is not up to date!\e[0m" + echo -e "\e[33mmailcow needs docker-compose > 2.X.X!\e[0m" + echo -e "\e[33mYour current installed Version: $(docker-compose version --short)\e[0m" + sleep 3 + update_compose + if [[ ! "${updatecomposeresponse}" =~ ^([yY][eE][sS]|[yY])+$ ]] && [[ ! ${FORCE} ]]; then + echo -e "\e[31mmailcow does not work with docker-compose < 2.X.X anymore!\e[0m" + echo -e "\e[31mPlease update your docker-compose manually, to run mailcow.\e[0m" + echo -e "\e[31mExiting...\e[0m" + exit 1 + fi +fi + [[ ! -f mailcow.conf ]] && { echo "mailcow.conf is missing"; exit 1;} chmod 600 mailcow.conf source mailcow.conf From 263cb96786c01ceb0c17ab303559bb7297f8eca3 Mon Sep 17 00:00:00 2001 From: l-with <53109379+l-with@users.noreply.github.com> Date: Tue, 19 Jul 2022 20:22:45 +0200 Subject: [PATCH 081/115] Improve domain api schema (#4689) * change response of add domain to array * add tags to request body of add domain * add gal to request body of add domain * add relay_unknown_only to request body of add domain * add relay_unknown_only to request body of edit domain * add rl_frame, rl_value to request body of edit domain * fix indentation * add tags to request body of edit domain * change response of edit domain to array * Revert "change response of edit domain to array" This reverts commit 692384e21b6dad5fcfeab8b5be572404981dce5b. * change response type of edit domain to application/json * change response type of edit domain * change items in body of edit domain to array of strings * change response of edit domain to array * fix indentation * revert changing response type of edit domain-admin * change response type of edit domain to array * fix response type of edit domains * change msg in response of edit domains to array * change items in body of delete domain to array of strings * change request body of delete domain to array of strings * fix * remove properties * change request body of delete domain to array of strings (fix) * change reponse type of delete domain to array --- data/web/api/openapi.yaml | 142 ++++++++++++++++++++++++-------------- 1 file changed, 91 insertions(+), 51 deletions(-) diff --git a/data/web/api/openapi.yaml b/data/web/api/openapi.yaml index 3803e5bd..8fb6245c 100644 --- a/data/web/api/openapi.yaml +++ b/data/web/api/openapi.yaml @@ -518,21 +518,23 @@ paths: - domain.tld type: success schema: - properties: - log: - description: contains request object - items: {} - type: array - msg: - items: {} - type: array - type: - enum: - - success - - danger - - error - type: string - type: object + type: array + items: + type: object + properties: + log: + description: contains request object + items: {} + type: array + msg: + items: {} + type: array + type: + enum: + - success + - danger + - error + type: string description: OK headers: {} tags: @@ -579,6 +581,11 @@ paths: domain: description: Fully qualified domain name type: string + gal: + description: >- + is domain global address list active or not, it enables + shared contacts accross domain in SOGo webmail + type: boolean mailboxes: description: limit count of mailboxes associated with this domain type: number @@ -596,6 +603,9 @@ paths: if not, them you have to create "dummy" mailbox for each address to relay type: boolean + relay_unknown_only: + description: Relay non-existing mailboxes only. Existing mailboxes will be delivered locally. + type: boolean rl_frame: enum: - s @@ -606,6 +616,11 @@ paths: rl_value: description: rate limit value type: number + tags: + description: tags for this Domain + type: array + items: + type: string type: object summary: Create domain /api/v1/add/domain-admin: @@ -1952,21 +1967,23 @@ paths: - domain2.tld type: success schema: - properties: - log: - description: contains request object - items: {} - type: array - msg: - items: {} - type: array - type: - enum: - - success - - danger - - error - type: string - type: object + type: array + items: + type: object + properties: + log: + description: contains request object + items: {} + type: array + msg: + items: {} + type: array + type: + enum: + - success + - danger + - error + type: string description: OK headers: {} tags: @@ -1977,14 +1994,15 @@ paths: content: application/json: schema: + type: object example: - domain.tld - domain2.tld properties: - items: - description: contains list of domains you want to delete - type: object - type: object + items: + type: array + items: + type: string summary: Delete domain /api/v1/delete/domain-admin: post: @@ -2972,23 +2990,25 @@ paths: $ref: "#/components/responses/Unauthorized" "200": content: - "*/*": + application/json: schema: - properties: - log: - description: contains request object - items: {} - type: array - msg: - items: {} - type: array - type: - enum: - - success - - danger - - error - type: string - type: object + type: array + items: + type: object + properties: + log: + type: array + description: contains request object + items: {} + msg: + type: array + items: {} + type: + enum: + - success + - danger + - error + type: string description: OK headers: {} tags: @@ -3056,13 +3076,33 @@ paths: if not, them you have to create "dummy" mailbox for each address to relay type: boolean + relay_unknown_only: + description: Relay non-existing mailboxes only. Existing mailboxes will be delivered locally. + type: boolean relayhost: description: id of relayhost type: number + rl_frame: + enum: + - s + - m + - h + - d + type: string + rl_value: + description: rate limit value + type: number + tags: + description: tags for this Domain + type: array + items: + type: string type: object items: description: contains list of domain names you want update - type: object + type: array + items: + type: string type: object summary: Update domain /api/v1/edit/fail2ban: From 7c7c67948efc79b169ed013a7b42da50f0b5ae44 Mon Sep 17 00:00:00 2001 From: Peter Date: Tue, 19 Jul 2022 20:24:24 +0200 Subject: [PATCH 082/115] Use yaml list style in docker build workflow (#4688) * Use yaml list style * Mailcow -> mailcow --- .github/workflows/image_builds.yml | 29 +++++++++++++++-------------- 1 file changed, 15 insertions(+), 14 deletions(-) diff --git a/.github/workflows/image_builds.yml b/.github/workflows/image_builds.yml index 34d05717..007b1014 100644 --- a/.github/workflows/image_builds.yml +++ b/.github/workflows/image_builds.yml @@ -1,4 +1,4 @@ -name: Build Mailcow Docker Images +name: Build mailcow Docker Images on: push: @@ -9,19 +9,20 @@ jobs: docker_image_builds: strategy: matrix: - images: ["acme-mailcow", - "clamd-mailcow", - "dockerapi-mailcow", - "dovecot-mailcow", - "netfilter-mailcow", - "olefy-mailcow", - "php-fpm-mailcow", - "postfix-mailcow", - "rspamd-mailcow", - "sogo-mailcow", - "solr-mailcow", - "unbound-mailcow", - "watchdog-mailcow"] + images: + - "acme-mailcow" + - "clamd-mailcow" + - "dockerapi-mailcow" + - "dovecot-mailcow" + - "netfilter-mailcow" + - "olefy-mailcow" + - "php-fpm-mailcow" + - "postfix-mailcow" + - "rspamd-mailcow" + - "sogo-mailcow" + - "solr-mailcow" + - "unbound-mailcow" + - "watchdog-mailcow" runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 From 4bf38bf00fe960261dc5097fffb01a0b579d7735 Mon Sep 17 00:00:00 2001 From: Peter Date: Tue, 19 Jul 2022 20:31:25 +0200 Subject: [PATCH 083/115] Mailcow -> mailcow (#4687) --- .github/workflows/integration_tests.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/integration_tests.yml b/.github/workflows/integration_tests.yml index c31a1a62..7d6c4ac2 100644 --- a/.github/workflows/integration_tests.yml +++ b/.github/workflows/integration_tests.yml @@ -1,4 +1,4 @@ -name: Mailcow Integration Tests +name: mailcow Integration Tests on: push: From c9ab8b2eff5f326c496179056768b738c681e2eb Mon Sep 17 00:00:00 2001 From: Peter Date: Tue, 19 Jul 2022 21:43:24 +0200 Subject: [PATCH 084/115] [GH-Actions][stale] Upgrade to v5.1.0 and add close-issue-reason --- .github/workflows/close_old_issues_and_prs.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/close_old_issues_and_prs.yml b/.github/workflows/close_old_issues_and_prs.yml index e746bc6f..93472049 100644 --- a/.github/workflows/close_old_issues_and_prs.yml +++ b/.github/workflows/close_old_issues_and_prs.yml @@ -14,7 +14,7 @@ jobs: pull-requests: write steps: - name: Mark/Close Stale Issues and Pull Requests 🗑️ - uses: actions/stale@v5.0.0 + uses: actions/stale@v5.1.0 with: repo-token: ${{ secrets.STALE_ACTION_PAT }} days-before-stale: 60 @@ -30,6 +30,7 @@ jobs: stale-issue-label: "stale" stale-pr-label: "stale" exempt-draft-pr: "true" + close-issue-reason: "not_planned" operations-per-run: "250" ascending: "true" #DRY-RUN From 4c10525078724dbc65422704617b52582928198f Mon Sep 17 00:00:00 2001 From: Erisa A Date: Tue, 26 Jul 2022 08:16:23 +0100 Subject: [PATCH 085/115] [Web] Update keyHandle max length to 1023 (#4696) https://w3c.github.io/webauthn/#credential-id Co-authored-by: Niklas Meyer <62480600+DerLinkman@users.noreply.github.com> --- data/web/inc/init_db.inc.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/data/web/inc/init_db.inc.php b/data/web/inc/init_db.inc.php index c80c398b..b47bd5c2 100644 --- a/data/web/inc/init_db.inc.php +++ b/data/web/inc/init_db.inc.php @@ -3,7 +3,7 @@ function init_db_schema() { try { global $pdo; - $db_version = "13072022_1700"; + $db_version = "25072022_2300"; $stmt = $pdo->query("SHOW TABLES LIKE 'versions'"); $num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC)); @@ -738,7 +738,7 @@ function init_db_schema() { "username" => "VARCHAR(255) NOT NULL", "authmech" => "ENUM('yubi_otp', 'u2f', 'hotp', 'totp', 'webauthn')", "secret" => "VARCHAR(255) DEFAULT NULL", - "keyHandle" => "VARCHAR(255) DEFAULT NULL", + "keyHandle" => "VARCHAR(1023) DEFAULT NULL", "publicKey" => "VARCHAR(4096) DEFAULT NULL", "counter" => "INT NOT NULL DEFAULT '0'", "certificate" => "TEXT", From 44a6f09a095b946487c5fa569edd6803d4754fea Mon Sep 17 00:00:00 2001 From: Niklas Meyer Date: Fri, 29 Jul 2022 14:08:26 +0200 Subject: [PATCH 086/115] [CLAMAV] Update to 0.105.1 --- data/Dockerfiles/clamd/Dockerfile | 2 +- docker-compose.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/data/Dockerfiles/clamd/Dockerfile b/data/Dockerfiles/clamd/Dockerfile index cba56e03..efbc6a4d 100644 --- a/data/Dockerfiles/clamd/Dockerfile +++ b/data/Dockerfiles/clamd/Dockerfile @@ -1,4 +1,4 @@ -FROM clamav/clamav:0.105.0_base +FROM clamav/clamav:0.105.1_base LABEL maintainer "André Peters " diff --git a/docker-compose.yml b/docker-compose.yml index 65a9d3e4..91266e00 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -58,7 +58,7 @@ services: - redis clamd-mailcow: - image: mailcow/clamd:1.53 + image: mailcow/clamd:1.54 restart: always depends_on: - unbound-mailcow From 9b32151ab50acaa3923fe106ba02f041950eb9d7 Mon Sep 17 00:00:00 2001 From: Peter Date: Tue, 2 Aug 2022 19:04:05 +0200 Subject: [PATCH 087/115] [GH-Actions][stale] Update to v5.1.1 --- .github/workflows/close_old_issues_and_prs.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/close_old_issues_and_prs.yml b/.github/workflows/close_old_issues_and_prs.yml index 93472049..58cfdccd 100644 --- a/.github/workflows/close_old_issues_and_prs.yml +++ b/.github/workflows/close_old_issues_and_prs.yml @@ -14,7 +14,7 @@ jobs: pull-requests: write steps: - name: Mark/Close Stale Issues and Pull Requests 🗑️ - uses: actions/stale@v5.1.0 + uses: actions/stale@v5.1.1 with: repo-token: ${{ secrets.STALE_ACTION_PAT }} days-before-stale: 60 From 4322c98f730756cdb28ea1750e6f9a7ec6ea5a70 Mon Sep 17 00:00:00 2001 From: Niklas Meyer Date: Fri, 5 Aug 2022 14:12:25 +0200 Subject: [PATCH 088/115] [UI] Moved PWChange Button for users back to original place --- data/web/templates/user/tab-user-auth.twig | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/data/web/templates/user/tab-user-auth.twig b/data/web/templates/user/tab-user-auth.twig index 675c22e1..7596a036 100644 --- a/data/web/templates/user/tab-user-auth.twig +++ b/data/web/templates/user/tab-user-auth.twig @@ -18,10 +18,6 @@ {{ lang.user.open_webmail_sso }} {% endif %} -
@@ -47,6 +43,8 @@

{{ mailboxdata.quota_used|formatBytes(2) }} / {% if mailboxdata.quota == 0 %}∞{% else %}{{ mailboxdata.quota|formatBytes(2) }}{% endif %}
{{ mailboxdata.messages }} {{ lang.user.messages }}

+
+

{{ lang.user.change_password }}

From 65eddee63e2d4bd640b41d5e3a47aa0c145a4919 Mon Sep 17 00:00:00 2001 From: DerLinkman Date: Wed, 17 Aug 2022 14:39:12 +0200 Subject: [PATCH 089/115] New variable for mailcow.conf in generate_config.sh --- generate_config.sh | 56 ++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 47 insertions(+), 9 deletions(-) diff --git a/generate_config.sh b/generate_config.sh index de285178..0befa2ef 100755 --- a/generate_config.sh +++ b/generate_config.sh @@ -16,19 +16,49 @@ if [[ "$(uname -r)" =~ ^4\.4\. ]]; then fi fi -if grep --help 2>&1 | grep -q -i "busybox"; then - echo "BusyBox grep detected, please install gnu grep, \"apk add --no-cache --upgrade grep\"" - exit 1 -fi -if cp --help 2>&1 | grep -q -i "busybox"; then - echo "BusyBox cp detected, please install coreutils, \"apk add --no-cache --upgrade coreutils\"" - exit 1 -fi +if grep --help 2>&1 | head -n 1 | grep -q -i "busybox"; then echo "BusyBox grep detected, please install gnu grep, \"apk add --no-cache --upgrade grep\""; exit 1; fi +# This will also cover sort +if cp --help 2>&1 | head -n 1 | grep -q -i "busybox"; then echo "BusyBox cp detected, please install coreutils, \"apk add --no-cache --upgrade coreutils\""; exit 1; fi +if sed --help 2>&1 | head -n 1 | grep -q -i "busybox"; then echo "BusyBox sed detected, please install gnu sed, \"apk add --no-cache --upgrade sed\""; exit 1; fi -for bin in openssl curl docker docker-compose git awk sha1sum; do +for bin in openssl curl docker git awk sha1sum; do if [[ -z $(which ${bin}) ]]; then echo "Cannot find ${bin}, exiting..."; exit 1; fi done +if docker compose > /dev/null 2>&1; then + if docker compose version --short | grep "^2." > /dev/null 2>&1; then + COMPOSE_VERSION=native + echo -e "\e[31mFound Docker Compose Plugin (native).\e[0m" + echo -e "\e[31mSetting the DOCKER_COMPOSE_VERSION Variable to native\e[0m" + sleep 2 + echo -e "\e[33mNotice: You´ll have to update this Compose Version via your Package Manager manually!\e[0m" + else + echo -e "\e[31mCannot find Docker Compose with a Version Higher than 2.X.X.\e[0m" + echo -e "\e[31mPlease update it manually regarding to this doc site: https://mailcow.github.io/mailcow-dockerized-docs/i_u_m/i_u_m_install/\e[0m" + exit 1 + fi +elif docker-compose > /dev/null 2>&1; then + if ! [[ $(alias docker-compose 2> /dev/null) ]] ; then + if docker-compose version --short | grep "^2." > /dev/null 2>&1; then + COMPOSE_VERSION=standalone + echo -e "\e[31mFound Docker Compose Standalone.\e[0m" + echo -e "\e[31mSetting the DOCKER_COMPOSE_VERSION Variable to standalone\e[0m" + sleep 2 + echo -e "\e[33mNotice: You´ll have to update this Compose Version manually! Please see: https://mailcow.github.io/mailcow-dockerized-docs/i_u_m/i_u_m_install/\e[0m" + else + echo -e "\e[31mCannot find Docker Compose with a Version Higher than 2.X.X.\e[0m" + echo -e "\e[31mPlease update manually regarding to this doc site: https://mailcow.github.io/mailcow-dockerized-docs/i_u_m/i_u_m_install/\e[0m" + exit 1 + fi + fi + +else + echo -e "\e[31mCannot find Docker Compose.\e[0m" + echo -e "\e[31mPlease install it regarding to this doc site: https://mailcow.github.io/mailcow-dockerized-docs/i_u_m/i_u_m_install/\e[0m" + exit 1 +fi + + if [ -f mailcow.conf ]; then read -r -p "A config file exists and will be overwritten, are you sure you want to continue? [y/N] " response case $response in @@ -105,6 +135,8 @@ else SKIP_SOLR=n fi +if [] + [ ! -f ./data/conf/rspamd/override.d/worker-controller-password.inc ] && echo '# Placeholder' > ./data/conf/rspamd/override.d/worker-controller-password.inc cat << EOF > mailcow.conf @@ -183,6 +215,12 @@ TZ=${MAILCOW_TZ} COMPOSE_PROJECT_NAME=mailcowdockerized +# Used Docker Compose version +# Switch here between native (compose plugin) and standalone +# For more informations take a look at the mailcow docs regarding the configuration options. + +DOCKER_COMPOSE_VERSION=${COMPOSE_VERSION} + # Set this to "allow" to enable the anyone pseudo user. Disabled by default. # When enabled, ACL can be created, that apply to "All authenticated users" # This should probably only be activated on mail hosts, that are used exclusivly by one organisation. From 55f810b23f75952f92048db028244f901135fcf9 Mon Sep 17 00:00:00 2001 From: DerLinkman Date: Wed, 17 Aug 2022 16:00:58 +0200 Subject: [PATCH 090/115] Implemented new compose check in update.sh --- generate_config.sh | 2 - update.sh | 182 +++++++++++++++++---------------------------- 2 files changed, 69 insertions(+), 115 deletions(-) diff --git a/generate_config.sh b/generate_config.sh index 0befa2ef..daefbd7e 100755 --- a/generate_config.sh +++ b/generate_config.sh @@ -135,8 +135,6 @@ else SKIP_SOLR=n fi -if [] - [ ! -f ./data/conf/rspamd/override.d/worker-controller-password.inc ] && echo '# Placeholder' > ./data/conf/rspamd/override.d/worker-controller-password.inc cat << EOF > mailcow.conf diff --git a/update.sh b/update.sh index 6659de55..a934a659 100755 --- a/update.sh +++ b/update.sh @@ -175,61 +175,6 @@ remove_obsolete_nginx_ports() { done } -update_compose(){ -if [[ ${NO_UPDATE_COMPOSE} == "y" ]]; then - echo -e "\e[33mNot fetching latest docker-compose, please check for updates manually!\e[0m" - return 0 -elif [[ -e /etc/alpine-release ]]; then - echo -e "\e[33mNot fetching latest docker-compose, because you are using Alpine Linux without glibc support. Please update docker-compose via apk!\e[0m" - return 0 -else - if [ ! $FORCE ]; then - read -r -p "Do you want to update your docker-compose Version? It will automatic upgrade your docker-compose installation (recommended)? [y/N] " updatecomposeresponse - if [[ ! "${updatecomposeresponse}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then - echo "OK, not updating docker-compose." - return 0 - fi - fi - echo -e "\e[32mFetching new docker-compose version...\e[0m" - echo -e "\e[32mTrying to determine GLIBC version...\e[0m" - if ldd --version > /dev/null; then - GLIBC_V=$(ldd --version | grep -E '(GLIBC|GNU libc)' | rev | cut -d ' ' -f1 | rev | cut -d '.' -f2) - if [ ! -z "${GLIBC_V}" ] && [ ${GLIBC_V} -gt 27 ]; then - DC_DL_SUFFIX= - else - DC_DL_SUFFIX=legacy - fi - else - DC_DL_SUFFIX=legacy - fi - sleep 1 - if [[ $(command -v pip 2>&1) && $(pip list --local 2>&1 | grep -v DEPRECATION | grep -c docker-compose) == 1 || $(command -v pip3 2>&1) && $(pip3 list --local 2>&1 | grep -v DEPRECATION | grep -c docker-compose) == 1 ]]; then - echo -e "\e[33mFound a docker-compose Version installed with pip!\e[0m" - echo -e "\e[31mPlease uninstall the pip Version of docker-compose since it doesn´t support Versions higher than 1.29.2.\e[0m" - sleep 2 - echo -e "\e[33mExiting...\e[0m" - exit 1 - #prevent breaking a working docker-compose installed with pip - elif [[ $(curl -sL -w "%{http_code}" https://www.servercow.de/docker-compose/latest.php?vers=${DC_DL_SUFFIX} -o /dev/null) == "200" ]]; then - LATEST_COMPOSE=$(curl -#L https://www.servercow.de/docker-compose/latest.php) - COMPOSE_VERSION=$(docker-compose version --short) - if [[ "$LATEST_COMPOSE" != "$COMPOSE_VERSION" ]]; then - COMPOSE_PATH=$(command -v docker-compose) - if [[ -w ${COMPOSE_PATH} ]]; then - curl -#L https://github.com/docker/compose/releases/download/v${LATEST_COMPOSE}/docker-compose-$(uname -s)-$(uname -m) > $COMPOSE_PATH - chmod +x $COMPOSE_PATH - else - echo -e "\e[33mWARNING: $COMPOSE_PATH is not writable, but new version $LATEST_COMPOSE is available (installed: $COMPOSE_VERSION)\e[0m" - return 1 - fi - fi - else - echo -e "\e[33mCannot determine latest docker-compose version, skipping...\e[0m" - return 1 - fi -fi -} - ############## End Function Section ############## # Check permissions @@ -279,11 +224,47 @@ for bin in curl docker git awk sha1sum; do fi done -if [[ -z $(command -v docker-compose) ]]; then - echo -e "\e[31mCannot find docker-compose Standalone.\e[0m" - echo -e "\e[31mPlease install it manually regarding to this doc site: https://mailcow.github.io/mailcow-dockerized-docs/i_u_m/i_u_m_install/\e[0m" - sleep 3 - exit 1; +if ! grep "DOCKER_COMPOSE_VERSION=native" mailcow.conf > /dev/null 2>&1 && ! grep "DOCKER_COMPOSE_VERSION=standalone" mailcow.conf > /dev/null 2>&1; then + if docker compose > /dev/null 2>&1; then + if docker compose version --short | grep "^2." > /dev/null 2>&1; then + COMPOSE_VERSION=native + COMPOSE_COMMAND="docker compose" + echo -e "\e[31mFound Docker Compose Plugin (native).\e[0m" + echo -e "\e[31mSetting the DOCKER_COMPOSE_VERSION Variable to native\e[0m" + sleep 2 + echo -e "\e[33mNotice: You´ll have to update this Compose Version via your Package Manager manually!\e[0m" + else + echo -e "\e[31mCannot find Docker Compose with a Version Higher than 2.X.X.\e[0m" + echo -e "\e[31mPlease update it manually regarding to this doc site: https://mailcow.github.io/mailcow-dockerized-docs/i_u_m/i_u_m_install/\e[0m" + exit 1 + fi + elif docker-compose > /dev/null 2>&1; then + if ! [[ $(alias docker-compose 2> /dev/null) ]] ; then + if docker-compose version --short | grep "^2." > /dev/null 2>&1; then + COMPOSE_VERSION=standalone + COMPOSE_COMMAND="docker-compose" + echo -e "\e[31mFound Docker Compose Standalone.\e[0m" + echo -e "\e[31mSetting the DOCKER_COMPOSE_VERSION Variable to standalone\e[0m" + sleep 2 + echo -e "\e[33mNotice: You´ll have to update this Compose Version manually! Please see: https://mailcow.github.io/mailcow-dockerized-docs/i_u_m/i_u_m_install/\e[0m" + else + echo -e "\e[31mCannot find Docker Compose with a Version Higher than 2.X.X.\e[0m" + echo -e "\e[31mPlease update manually regarding to this doc site: https://mailcow.github.io/mailcow-dockerized-docs/i_u_m/i_u_m_install/\e[0m" + exit 1 + fi + fi + + else + echo -e "\e[31mCannot find Docker Compose.\e[0m" + echo -e "\e[31mPlease install it regarding to this doc site: https://mailcow.github.io/mailcow-dockerized-docs/i_u_m/i_u_m_install/\e[0m" + exit 1 + fi + +elif cat mailcow.conf | grep "DOCKER_COMPOSE_VERSION=native" > /dev/null 2>&1; then + COMPOSE_COMMAND="docker compose" + +elif cat mailcow.conf | grep "DOCKER_COMPOSE_VERSION=standalone" > /dev/null 2>&1; then + COMPOSE_COMMAND="docker-compose" fi export LC_ALL=C @@ -328,33 +309,15 @@ while (($#)); do echo -e "\e[32mRunning in forced mode...\e[0m" FORCE=y ;; - --no-update-compose) - NO_UPDATE_COMPOSE=y - ;; - --update-compose) - LATEST_COMPOSE=$(curl -#L https://www.servercow.de/docker-compose/latest.php) - COMPOSE_VERSION=$(docker-compose version --short) - if [[ "$LATEST_COMPOSE" != "$COMPOSE_VERSION" ]]; then - echo -e "\e[33mA new docker-compose Version is available: $LATEST_COMPOSE\e[0m" - echo -e "\e[33mYour Version is: $COMPOSE_VERSION\e[0m" - update_compose - echo -e "\e[32mYour docker-compose Version is now up to date!\e[0m" - else - echo -e "\e[32mYour docker-compose Version is up to date! Not updating it...\e[0m" - fi - exit 0 - ;; --skip-ping-check) SKIP_PING_CHECK=y ;; --help|-h) - echo './update.sh [-c|--check, --ours, --gc, --no-update-compose, --update-compose, --prefetch, --skip-start, --skip-ping-check, -f|--force, -h|--help] + echo './update.sh [-c|--check, --ours, --gc, --prefetch, --skip-start, --skip-ping-check, -f|--force, -h|--help] -c|--check - Check for updates and exit (exit codes => 0: update available, 3: no updates) --ours - Use merge strategy option "ours" to solve conflicts in favor of non-mailcow code (local changes over remote changes), not recommended! --gc - Run garbage collector to delete old image tags - --no-update-compose - Skip the docker-compose Updates during the mailcow Update process - --update-compose - Only run the docker-compose Update process (don´t updates your mailcow itself) --prefetch - Only prefetch new images and exit (useful to prepare updates) --skip-start - Do not start mailcow after update --skip-ping-check - Skip ICMP Check to public DNS resolvers (Use it only if you´ve blocked any ICMP Connections to your mailcow machine) @@ -365,19 +328,12 @@ while (($#)); do shift done -# Check if Docker-Compose is older then v2 before continuing -if ! docker-compose version --short | grep "^2." > /dev/null 2>&1; then - echo -e "\e[33mYour docker-compose Version is not up to date!\e[0m" - echo -e "\e[33mmailcow needs docker-compose > 2.X.X!\e[0m" - echo -e "\e[33mYour current installed Version: $(docker-compose version --short)\e[0m" - sleep 3 - update_compose - if [[ ! "${updatecomposeresponse}" =~ ^([yY][eE][sS]|[yY])+$ ]] && [[ ! ${FORCE} ]]; then - echo -e "\e[31mmailcow does not work with docker-compose < 2.X.X anymore!\e[0m" - echo -e "\e[31mPlease update your docker-compose manually, to run mailcow.\e[0m" - echo -e "\e[31mExiting...\e[0m" - exit 1 - fi +# Check if Docker Compose is older then v2 before continuing +if ! $COMPOSE_COMMAND version --short | grep "^2." > /dev/null 2>&1; then + echo -e "\e[33mYour Docker Compose Version is not up to date!\e[0m" + echo -e "\e[33mmailcow needs Docker Compose > 2.X.X!\e[0m" + echo -e "\e[33mYour current installed Version: $($COMPOSE_COMMAND version --short)\e[0m" + exit 1 fi [[ ! -f mailcow.conf ]] && { echo "mailcow.conf is missing"; exit 1;} @@ -386,7 +342,7 @@ source mailcow.conf DOTS=${MAILCOW_HOSTNAME//[^.]}; if [ ${#DOTS} -lt 2 ]; then echo "MAILCOW_HOSTNAME (${MAILCOW_HOSTNAME}) is not a FQDN!" - echo "Please change it to a FQDN and run docker-compose down followed by docker-compose up -d" + echo "Please change it to a FQDN and run $COMPOSE_COMMAND down followed by $COMPOSE_COMMAND up -d" exit 1 fi @@ -413,6 +369,7 @@ CONFIG_ARRAY=( "SNAT_TO_SOURCE" "SNAT6_TO_SOURCE" "COMPOSE_PROJECT_NAME" + "DOCKER_COMPOSE_VERSION" "SQL_PORT" "API_KEY" "API_KEY_READ_ONLY" @@ -448,6 +405,15 @@ for option in ${CONFIG_ARRAY[@]}; do echo "Adding new option \"${option}\" to mailcow.conf" echo "COMPOSE_PROJECT_NAME=mailcowdockerized" >> mailcow.conf fi + elif [[ ${option} == "DOCKER_COMPOSE_VERSION" ]]; then + if ! grep -q ${option} mailcow.conf; then + echo "Adding new option \"${option}\" to mailcow.conf" + echo "# Used Docker Compose version" >> mailcow.conf + echo "# Switch here between native (compose plugin) and standalone" >> mailcow.conf + echo "# For more informations take a look at the mailcow docs regarding the configuration options." >> mailcow.conf + echo "" >> mailcow.conf + echo "DOCKER_COMPOSE_VERSION=${COMPOSE_VERSION}" >> mailcow.conf + fi elif [[ ${option} == "DOVEADM_PORT" ]]; then if ! grep -q ${option} mailcow.conf; then echo "Adding new option \"${option}\" to mailcow.conf" @@ -699,28 +665,18 @@ if [ ! $FORCE ]; then migrate_docker_nat fi -LATEST_COMPOSE=$(curl -#L https://www.servercow.de/docker-compose/latest.php) -COMPOSE_VERSION=$(docker-compose version --short) -if [[ "$LATEST_COMPOSE" != "$COMPOSE_VERSION" ]]; then - echo -e "\e[33mA new docker-compose Version is available: $LATEST_COMPOSE\e[0m" - echo -e "\e[33mYour Version is: $COMPOSE_VERSION\e[0m" - update_compose -else - echo -e "\e[32mYour docker-compose Version is up to date! Not updating it...\e[0m" -fi - remove_obsolete_nginx_ports echo -e "\e[32mValidating docker-compose stack configuration...\e[0m" sed -i 's/HTTPS_BIND:-:/HTTPS_BIND:-/g' docker-compose.yml sed -i 's/HTTP_BIND:-:/HTTP_BIND:-/g' docker-compose.yml -if ! docker-compose config -q; then +if ! $COMPOSE_COMMAND config -q; then echo -e "\e[31m\nOh no, something went wrong. Please check the error message above.\e[0m" exit 1 fi echo -e "\e[32mChecking for conflicting bridges...\e[0m" -MAILCOW_BRIDGE=$(docker-compose config | grep -i com.docker.network.bridge.name | cut -d':' -f2) +MAILCOW_BRIDGE=$($COMPOSE_COMMAND config | grep -i com.docker.network.bridge.name | cut -d':' -f2) while read NAT_ID; do iptables -t nat -D POSTROUTING $NAT_ID done < <(iptables -L -vn -t nat --line-numbers | grep $IPV4_NETWORK | grep -E 'MASQUERADE.*all' | grep -v ${MAILCOW_BRIDGE} | cut -d' ' -f1) @@ -740,8 +696,8 @@ prefetch_images echo -e "\e[32mStopping mailcow...\e[0m" sleep 2 -MAILCOW_CONTAINERS=($(docker-compose ps -q)) -docker-compose down +MAILCOW_CONTAINERS=($($COMPOSE_COMMAND ps -q)) +$COMPOSE_COMMAND down echo -e "\e[32mChecking for remaining containers...\e[0m" sleep 2 for container in "${MAILCOW_CONTAINERS[@]}"; do @@ -778,13 +734,13 @@ elif [[ ${MERGE_RETURN} == 1 ]]; then elif [[ ${MERGE_RETURN} != 0 ]]; then echo -e "\e[31m\nOh no, something went wrong. Please check the error message above.\e[0m" echo - echo "Run docker-compose up -d to restart your stack without updates or try again after fixing the mentioned errors." + echo "Run $COMPOSE_COMMAND up -d to restart your stack without updates or try again after fixing the mentioned errors." exit 1 fi echo -e "\e[32mFetching new images, if any...\e[0m" sleep 2 -docker-compose pull +$COMPOSE_COMMAND pull # Fix missing SSL, does not overwrite existing files [[ ! -d data/assets/ssl ]] && mkdir -p data/assets/ssl @@ -796,7 +752,7 @@ if grep -q 'SYSCTL_IPV6_DISABLED=1' mailcow.conf; then echo '!! IMPORTANT !!' echo echo 'SYSCTL_IPV6_DISABLED was removed due to complications. IPv6 can be disabled by editing "docker-compose.yml" and setting "enable_ipv6: true" to "enable_ipv6: false".' - echo 'This setting will only be active after a complete shutdown of mailcow by running "docker-compose down" followed by "docker-compose up -d".' + echo 'This setting will only be active after a complete shutdown of mailcow by running $COMPOSE_COMMAND down followed by $COMPOSE_COMMAND up -d".' echo echo '!! IMPORTANT !!' echo @@ -839,11 +795,11 @@ else fi if [[ ${SKIP_START} == "y" ]]; then - echo -e "\e[33mNot starting mailcow, please run \"docker-compose up -d --remove-orphans\" to start mailcow.\e[0m" + echo -e "\e[33mNot starting mailcow, please run \"$COMPOSE_COMMAND up -d --remove-orphans\" to start mailcow.\e[0m" else echo -e "\e[32mStarting mailcow...\e[0m" sleep 2 - docker-compose up -d --remove-orphans + $COMPOSE_COMMAND up -d --remove-orphans fi echo -e "\e[32mCollecting garbage...\e[0m" @@ -858,4 +814,4 @@ fi # echo # git reflog --color=always | grep "Before update on " # echo -# echo "Use \"git reset --hard hash-on-the-left\" and run docker-compose up -d afterwards." \ No newline at end of file +# echo "Use \"git reset --hard hash-on-the-left\" and run $COMPOSE_COMMAND up -d afterwards." \ No newline at end of file From ad8b7f08944c05854d8d6bf87ae13cd7ecd92f5a Mon Sep 17 00:00:00 2001 From: andryyy Date: Thu, 18 Aug 2022 15:08:00 +0200 Subject: [PATCH 091/115] [Dovecot] Fixes broken sieve compiler in some rare cases when using replication --- data/Dockerfiles/dovecot/docker-entrypoint.sh | 8 ++++++++ data/conf/dovecot/dovecot.conf | 1 - docker-compose.yml | 2 +- 3 files changed, 9 insertions(+), 2 deletions(-) diff --git a/data/Dockerfiles/dovecot/docker-entrypoint.sh b/data/Dockerfiles/dovecot/docker-entrypoint.sh index 9ac2dc64..ac7aeb1d 100755 --- a/data/Dockerfiles/dovecot/docker-entrypoint.sh +++ b/data/Dockerfiles/dovecot/docker-entrypoint.sh @@ -349,6 +349,14 @@ sievec /var/vmail/sieve/global_sieve_after.sieve sievec /usr/lib/dovecot/sieve/report-spam.sieve sievec /usr/lib/dovecot/sieve/report-ham.sieve +for file in /var/vmail/*/*/sieve/*.sieve ; do + if [[ "$file" == "/var/vmail/*/*/sieve/*.sieve" ]]; then + continue + fi + sievec "$file" "$(dirname "$file")/../.dovecot.svbin" + chown vmail:vmail "$(dirname "$file")/../.dovecot.svbin" +done + # Fix permissions chown root:root /etc/dovecot/sql/*.conf chown root:dovecot /etc/dovecot/sql/dovecot-dict-sql-sieve* /etc/dovecot/sql/dovecot-dict-sql-quota* /etc/dovecot/lua/passwd-verify.lua diff --git a/data/conf/dovecot/dovecot.conf b/data/conf/dovecot/dovecot.conf index b7aca757..33a6e409 100644 --- a/data/conf/dovecot/dovecot.conf +++ b/data/conf/dovecot/dovecot.conf @@ -194,7 +194,6 @@ plugin { fts_solr = url=http://solr:8983/solr/dovecot-fts/ quota = dict:Userquota::proxy::sqlquota quota_rule2 = Trash:storage=+100%% - sieve = /var/vmail/sieve/%u.sieve sieve_plugins = sieve_imapsieve sieve_extprograms sieve_vacation_send_from_recipient = yes sieve_redirect_envelope_from = recipient diff --git a/docker-compose.yml b/docker-compose.yml index 91266e00..9d5f9473 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -215,7 +215,7 @@ services: - sogo dovecot-mailcow: - image: mailcow/dovecot:1.17 + image: mailcow/dovecot:1.18 depends_on: - mysql-mailcow dns: From 1f3d9d4e1cdb4f20db607f555286b8dcbbda8993 Mon Sep 17 00:00:00 2001 From: DerLinkman Date: Fri, 19 Aug 2022 15:17:19 +0200 Subject: [PATCH 092/115] Implemented user choice compose in cold-standby --- helper-scripts/_cold-standby.sh | 56 ++++++++++++++++++++++----------- 1 file changed, 37 insertions(+), 19 deletions(-) diff --git a/helper-scripts/_cold-standby.sh b/helper-scripts/_cold-standby.sh index fadee6f6..0e8885a3 100755 --- a/helper-scripts/_cold-standby.sh +++ b/helper-scripts/_cold-standby.sh @@ -77,7 +77,7 @@ function preflight_local_checks() { exit 1 fi - for bin in rsync docker docker-compose grep cut; do + for bin in rsync docker grep cut; do if [[ -z $(which ${bin}) ]]; then >&2 echo -e "\e[31mCannot find ${bin} in local PATH, exiting...\e[0m" exit 1 @@ -111,7 +111,7 @@ function preflight_remote_checks() { exit 1 fi - for bin in rsync docker docker-compose; do + for bin in rsync docker; do if ! ssh -o StrictHostKeyChecking=no \ -i "${REMOTE_SSH_KEY}" \ ${REMOTE_SSH_HOST} \ @@ -121,17 +121,44 @@ function preflight_remote_checks() { exit 1 fi done + + ssh -o StrictHostKeyChecking=no \ + -i "${REMOTE_SSH_KEY}" \ + ${REMOTE_SSH_HOST} \ + -p ${REMOTE_SSH_PORT} \ + "bash -s" << "EOF" +if docker compose > /dev/null 2>&1; then + exit 0 +elif docker-compose version --short | grep "^2." > /dev/null 2>&1; then + exit 1 +else +exit 2 +fi +EOF + +if [ $? = 0 ]; then + COMPOSE_COMMAND="docker compose" + echo "DEBUG: Using native docker compose on remote" + +elif [ $? = 1 ]; then + COMPOSE_COMMAND="docker-compose" + echo "DEBUG: Using standalone docker compose on remote" + +else + echo -e "\e[31mCannot find any Docker Compose on remote, exiting...\e[0m" + exit 1 +fi } +SCRIPT_DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) +source "${SCRIPT_DIR}/../mailcow.conf" +COMPOSE_FILE="${SCRIPT_DIR}/../docker-compose.yml" +CMPS_PRJ=$(echo ${COMPOSE_PROJECT_NAME} | tr -cd 'A-Za-z-_') +SQLIMAGE=$(grep -iEo '(mysql|mariadb)\:.+' "${COMPOSE_FILE}") + preflight_local_checks preflight_remote_checks -SCRIPT_DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) -COMPOSE_FILE="${SCRIPT_DIR}/../docker-compose.yml" -source "${SCRIPT_DIR}/../mailcow.conf" -CMPS_PRJ=$(echo ${COMPOSE_PROJECT_NAME} | tr -cd 'A-Za-z-_') -SQLIMAGE=$(grep -iEo '(mysql|mariadb)\:.+' "${COMPOSE_FILE}") - echo echo -e "\033[1mFound compose project name ${CMPS_PRJ} for ${MAILCOW_HOSTNAME}\033[0m" echo -e "\033[1mFound SQL ${SQLIMAGE}\033[0m" @@ -258,7 +285,7 @@ echo "OK" -i "${REMOTE_SSH_KEY}" \ ${REMOTE_SSH_HOST} \ -p ${REMOTE_SSH_PORT} \ - docker-compose -f "${SCRIPT_DIR}/../docker-compose.yml" pull --no-parallel --quiet 2>&1 ; then + ${COMPOSE_COMMAND} -f "${SCRIPT_DIR}/../docker-compose.yml" pull --no-parallel --quiet 2>&1 ; then >&2 echo -e "\e[31m[ERR]\e[0m - Could not pull images on remote" fi @@ -271,13 +298,4 @@ if ! ssh -o StrictHostKeyChecking=no \ >&2 echo -e "\e[31m[ERR]\e[0m - Could not cleanup old images on remote" fi -echo -e "\033[1mExecuting update script and checking for new docker-compose Version on remote...\033[0m" -if ! ssh -o StrictHostKeyChecking=no \ - -i "${REMOTE_SSH_KEY}" \ - ${REMOTE_SSH_HOST} \ - -p ${REMOTE_SSH_PORT} \ - ${SCRIPT_DIR}/../update.sh -f --update-compose ; then - >&2 echo -e "\e[31m[ERR]\e[0m - Could not fetch docker-compose on remote" -fi - -echo -e "\e[32mDone\e[0m" +echo -e "\e[32mDone\e[0m" \ No newline at end of file From 6708059227d3f4900b9a6365b91db11d8c78338e Mon Sep 17 00:00:00 2001 From: DerLinkman Date: Fri, 19 Aug 2022 15:55:24 +0200 Subject: [PATCH 093/115] Moved compose check to top. Improved variable check. --- update.sh | 144 ++++++++++++++++++++++++++++-------------------------- 1 file changed, 74 insertions(+), 70 deletions(-) diff --git a/update.sh b/update.sh index a934a659..812d8d11 100755 --- a/update.sh +++ b/update.sh @@ -175,6 +175,51 @@ remove_obsolete_nginx_ports() { done } +detect_docker_compose_command(){ +if ! [ "${DOCKER_COMPOSE_VERSION}" == "native" ] && ! [ "${DOCKER_COMPOSE_VERSION}" == "standalone" ]; then + if docker compose > /dev/null 2>&1; then + if docker compose version --short | grep "^2." > /dev/null 2>&1; then + DOCKER_COMPOSE_VERSION=native + COMPOSE_COMMAND="docker compose" + echo -e "\e[31mFound Docker Compose Plugin (native).\e[0m" + echo -e "\e[31mSetting the DOCKER_COMPOSE_VERSION Variable to native\e[0m" + sleep 2 + echo -e "\e[33mNotice: You´ll have to update this Compose Version via your Package Manager manually!\e[0m" + else + echo -e "\e[31mCannot find Docker Compose with a Version Higher than 2.X.X.\e[0m" + echo -e "\e[31mPlease update it manually regarding to this doc site: https://mailcow.github.io/mailcow-dockerized-docs/i_u_m/i_u_m_install/\e[0m" + exit 1 + fi + elif docker-compose > /dev/null 2>&1; then + if ! [[ $(alias docker-compose 2> /dev/null) ]] ; then + if docker-compose version --short | grep "^2." > /dev/null 2>&1; then + DOCKER_COMPOSE_VERSION=standalone + COMPOSE_COMMAND="docker-compose" + echo -e "\e[31mFound Docker Compose Standalone.\e[0m" + echo -e "\e[31mSetting the DOCKER_COMPOSE_VERSION Variable to standalone\e[0m" + sleep 2 + echo -e "\e[33mNotice: You´ll have to update this Compose Version manually! Please see: https://mailcow.github.io/mailcow-dockerized-docs/i_u_m/i_u_m_install/\e[0m" + else + echo -e "\e[31mCannot find Docker Compose with a Version Higher than 2.X.X.\e[0m" + echo -e "\e[31mPlease update manually regarding to this doc site: https://mailcow.github.io/mailcow-dockerized-docs/i_u_m/i_u_m_install/\e[0m" + exit 1 + fi + fi + + else + echo -e "\e[31mCannot find Docker Compose.\e[0m" + echo -e "\e[31mPlease install it regarding to this doc site: https://mailcow.github.io/mailcow-dockerized-docs/i_u_m/i_u_m_install/\e[0m" + exit 1 + fi + +elif [ "${DOCKER_COMPOSE_VERSION}" == "native" ]; then + COMPOSE_COMMAND="docker compose" + +elif [ "${DOCKER_COMPOSE_VERSION}" == "standalone" ]; then + COMPOSE_COMMAND="docker-compose" +fi +} + ############## End Function Section ############## # Check permissions @@ -217,6 +262,10 @@ PATH=$PATH:/opt/bin umask 0022 +# Unset COMPOSE_COMMAND and DOCKER_COMPOSE_VERSION Variable to be on the newest state. +unset COMPOSE_COMMAND +unset DOCKER_COMPOSE_VERSION + for bin in curl docker git awk sha1sum; do if [[ -z $(command -v ${bin}) ]]; then echo "Cannot find ${bin}, exiting..." @@ -224,49 +273,6 @@ for bin in curl docker git awk sha1sum; do fi done -if ! grep "DOCKER_COMPOSE_VERSION=native" mailcow.conf > /dev/null 2>&1 && ! grep "DOCKER_COMPOSE_VERSION=standalone" mailcow.conf > /dev/null 2>&1; then - if docker compose > /dev/null 2>&1; then - if docker compose version --short | grep "^2." > /dev/null 2>&1; then - COMPOSE_VERSION=native - COMPOSE_COMMAND="docker compose" - echo -e "\e[31mFound Docker Compose Plugin (native).\e[0m" - echo -e "\e[31mSetting the DOCKER_COMPOSE_VERSION Variable to native\e[0m" - sleep 2 - echo -e "\e[33mNotice: You´ll have to update this Compose Version via your Package Manager manually!\e[0m" - else - echo -e "\e[31mCannot find Docker Compose with a Version Higher than 2.X.X.\e[0m" - echo -e "\e[31mPlease update it manually regarding to this doc site: https://mailcow.github.io/mailcow-dockerized-docs/i_u_m/i_u_m_install/\e[0m" - exit 1 - fi - elif docker-compose > /dev/null 2>&1; then - if ! [[ $(alias docker-compose 2> /dev/null) ]] ; then - if docker-compose version --short | grep "^2." > /dev/null 2>&1; then - COMPOSE_VERSION=standalone - COMPOSE_COMMAND="docker-compose" - echo -e "\e[31mFound Docker Compose Standalone.\e[0m" - echo -e "\e[31mSetting the DOCKER_COMPOSE_VERSION Variable to standalone\e[0m" - sleep 2 - echo -e "\e[33mNotice: You´ll have to update this Compose Version manually! Please see: https://mailcow.github.io/mailcow-dockerized-docs/i_u_m/i_u_m_install/\e[0m" - else - echo -e "\e[31mCannot find Docker Compose with a Version Higher than 2.X.X.\e[0m" - echo -e "\e[31mPlease update manually regarding to this doc site: https://mailcow.github.io/mailcow-dockerized-docs/i_u_m/i_u_m_install/\e[0m" - exit 1 - fi - fi - - else - echo -e "\e[31mCannot find Docker Compose.\e[0m" - echo -e "\e[31mPlease install it regarding to this doc site: https://mailcow.github.io/mailcow-dockerized-docs/i_u_m/i_u_m_install/\e[0m" - exit 1 - fi - -elif cat mailcow.conf | grep "DOCKER_COMPOSE_VERSION=native" > /dev/null 2>&1; then - COMPOSE_COMMAND="docker compose" - -elif cat mailcow.conf | grep "DOCKER_COMPOSE_VERSION=standalone" > /dev/null 2>&1; then - COMPOSE_COMMAND="docker-compose" -fi - export LC_ALL=C DATE=$(date +%Y-%m-%d_%H_%M_%S) BRANCH=$(cd ${SCRIPT_DIR}; git rev-parse --abbrev-ref HEAD) @@ -328,15 +334,7 @@ while (($#)); do shift done -# Check if Docker Compose is older then v2 before continuing -if ! $COMPOSE_COMMAND version --short | grep "^2." > /dev/null 2>&1; then - echo -e "\e[33mYour Docker Compose Version is not up to date!\e[0m" - echo -e "\e[33mmailcow needs Docker Compose > 2.X.X!\e[0m" - echo -e "\e[33mYour current installed Version: $($COMPOSE_COMMAND version --short)\e[0m" - exit 1 -fi - -[[ ! -f mailcow.conf ]] && { echo "mailcow.conf is missing"; exit 1;} +[[ ! -f mailcow.conf ]] && { echo "mailcow.conf is missing! Is mailcow installed?"; exit 1;} chmod 600 mailcow.conf source mailcow.conf DOTS=${MAILCOW_HOSTNAME//[^.]}; @@ -346,11 +344,21 @@ if [ ${#DOTS} -lt 2 ]; then exit 1 fi +detect_docker_compose_command + if grep --help 2>&1 | head -n 1 | grep -q -i "busybox"; then echo "BusyBox grep detected, please install gnu grep, \"apk add --no-cache --upgrade grep\""; exit 1; fi # This will also cover sort if cp --help 2>&1 | head -n 1 | grep -q -i "busybox"; then echo "BusyBox cp detected, please install coreutils, \"apk add --no-cache --upgrade coreutils\""; exit 1; fi if sed --help 2>&1 | head -n 1 | grep -q -i "busybox"; then echo "BusyBox sed detected, please install gnu sed, \"apk add --no-cache --upgrade sed\""; exit 1; fi +# Check if Docker Compose is older then v2 before continuing +if ! $COMPOSE_COMMAND version --short | grep "^2." > /dev/null 2>&1; then + echo -e "\e[33mYour Docker Compose Version is not up to date!\e[0m" + echo -e "\e[33mmailcow needs Docker Compose > 2.X.X!\e[0m" + echo -e "\e[33mYour current installed Version: $($COMPOSE_COMMAND version --short)\e[0m" + exit 1 +fi + CONFIG_ARRAY=( "SKIP_LETS_ENCRYPT" "SKIP_SOGO" @@ -412,7 +420,7 @@ for option in ${CONFIG_ARRAY[@]}; do echo "# Switch here between native (compose plugin) and standalone" >> mailcow.conf echo "# For more informations take a look at the mailcow docs regarding the configuration options." >> mailcow.conf echo "" >> mailcow.conf - echo "DOCKER_COMPOSE_VERSION=${COMPOSE_VERSION}" >> mailcow.conf + echo "DOCKER_COMPOSE_VERSION=${DOCKER_COMPOSE_VERSION}" >> mailcow.conf fi elif [[ ${option} == "DOVEADM_PORT" ]]; then if ! grep -q ${option} mailcow.conf; then @@ -638,23 +646,16 @@ else fi fi -echo -e "\e[32mChecking for newer update script...\e[0m" -SHA1_1=$(sha1sum update.sh) -git fetch origin #${BRANCH} -git checkout origin/${BRANCH} update.sh -SHA1_2=$(sha1sum update.sh) -if [[ ${SHA1_1} != ${SHA1_2} ]]; then - echo "update.sh changed, please run this script again, exiting." - chmod +x update.sh - exit 2 -fi - -if [[ -f mailcow.conf ]]; then - source mailcow.conf -else - echo -e "\e[31mNo mailcow.conf - is mailcow installed?\e[0m" - exit 1 -fi +# echo -e "\e[32mChecking for newer update script...\e[0m" +# SHA1_1=$(sha1sum update.sh) +# git fetch origin #${BRANCH} +# git checkout origin/${BRANCH} update.sh +# SHA1_2=$(sha1sum update.sh) +# if [[ ${SHA1_1} != ${SHA1_2} ]]; then +# echo "update.sh changed, please run this script again, exiting." +# chmod +x update.sh +# exit 2 +# fi if [ ! $FORCE ]; then read -r -p "Are you sure you want to update mailcow: dockerized? All containers will be stopped. [y/N] " response @@ -794,6 +795,9 @@ else echo -e "\e[33mCannot determine current git repository version...\e[0m" fi +# Set DOCKER_COMPOSE_VERSION +sed -i 's/^DOCKER_COMPOSE_VERSION=$/DOCKER_COMPOSE_VERSION='$DOCKER_COMPOSE_VERSION'/g' mailcow.conf + if [[ ${SKIP_START} == "y" ]]; then echo -e "\e[33mNot starting mailcow, please run \"$COMPOSE_COMMAND up -d --remove-orphans\" to start mailcow.\e[0m" else From 925b2209058c29a7c5bc5c86c27296826a3670d8 Mon Sep 17 00:00:00 2001 From: DerLinkman Date: Mon, 22 Aug 2022 10:24:38 +0200 Subject: [PATCH 094/115] Compose Version detection implemented in Backup script --- helper-scripts/backup_and_restore.sh | 20 ++++++++++++++++---- update.sh | 20 ++++++++++---------- 2 files changed, 26 insertions(+), 14 deletions(-) diff --git a/helper-scripts/backup_and_restore.sh b/helper-scripts/backup_and_restore.sh index 506420b4..6781600f 100755 --- a/helper-scripts/backup_and_restore.sh +++ b/helper-scripts/backup_and_restore.sh @@ -160,12 +160,24 @@ function backup() { } function restore() { - for bin in docker docker-compose; do + for bin in docker; do if [[ -z $(which ${bin}) ]]; then >&2 echo -e "\e[31mCannot find ${bin} in local PATH, exiting...\e[0m" exit 1 fi - done + done + + if [ "${DOCKER_COMPOSE_VERSION}" == "native" ]; then + COMPOSE_COMMAND="docker compose" + + elif [ "${DOCKER_COMPOSE_VERSION}" == "standalone" ]; then + COMPOSE_COMMAND="docker-compose" + + else + echo -e "\e[31mCan not read DOCKER_COMPOSE_VERSION variable from mailcow.conf! Is your mailcow up to date? Exiting...\e[0m" + exit 1 + fi + echo echo "Stopping watchdog-mailcow..." docker stop $(docker ps -qf name=watchdog-mailcow) @@ -244,7 +256,7 @@ function restore() { continue else echo "Stopping mailcow..." - docker-compose -f ${COMPOSE_FILE} --env-file ${ENV_FILE} down + ${COMPOSE_COMMAND} -f ${COMPOSE_FILE} --env-file ${ENV_FILE} down fi #docker stop $(docker ps -qf name=mysql-mailcow) if [[ -d "${RESTORE_LOCATION}/mysql" ]]; then @@ -282,7 +294,7 @@ function restore() { sed -i --follow-symlinks "/DBROOT/c\DBROOT=${DBROOT}" ${SCRIPT_DIR}/../mailcow.conf source ${SCRIPT_DIR}/../mailcow.conf echo "Starting mailcow..." - docker-compose -f ${COMPOSE_FILE} --env-file ${ENV_FILE} up -d + ${COMPOSE_COMMAND} -f ${COMPOSE_FILE} --env-file ${ENV_FILE} up -d #docker start $(docker ps -aqf name=mysql-mailcow) fi ;; diff --git a/update.sh b/update.sh index 812d8d11..4f4cb354 100755 --- a/update.sh +++ b/update.sh @@ -646,16 +646,16 @@ else fi fi -# echo -e "\e[32mChecking for newer update script...\e[0m" -# SHA1_1=$(sha1sum update.sh) -# git fetch origin #${BRANCH} -# git checkout origin/${BRANCH} update.sh -# SHA1_2=$(sha1sum update.sh) -# if [[ ${SHA1_1} != ${SHA1_2} ]]; then -# echo "update.sh changed, please run this script again, exiting." -# chmod +x update.sh -# exit 2 -# fi +echo -e "\e[32mChecking for newer update script...\e[0m" +SHA1_1=$(sha1sum update.sh) +git fetch origin #${BRANCH} +git checkout origin/${BRANCH} update.sh +SHA1_2=$(sha1sum update.sh) +if [[ ${SHA1_1} != ${SHA1_2} ]]; then + echo "update.sh changed, please run this script again, exiting." + chmod +x update.sh + exit 2 +fi if [ ! $FORCE ]; then read -r -p "Are you sure you want to update mailcow: dockerized? All containers will be stopped. [y/N] " response From 047c4aa3a02743cd4747bc2826c10dedddab5367 Mon Sep 17 00:00:00 2001 From: DerLinkman Date: Mon, 22 Aug 2022 15:44:01 +0200 Subject: [PATCH 095/115] Added seperate update_compose Script + some Improvements --- generate_config.sh | 2 + helper-scripts/update_compose.sh | 70 ++++++++++++++++++++++++++++++++ update.sh | 2 + 3 files changed, 74 insertions(+) create mode 100755 helper-scripts/update_compose.sh diff --git a/generate_config.sh b/generate_config.sh index daefbd7e..33a7b1e1 100755 --- a/generate_config.sh +++ b/generate_config.sh @@ -216,6 +216,8 @@ COMPOSE_PROJECT_NAME=mailcowdockerized # Used Docker Compose version # Switch here between native (compose plugin) and standalone # For more informations take a look at the mailcow docs regarding the configuration options. +# Normally this should be untouched but if you decided to use either of those you can switch it manually here. +# Please be aware that at least one of those variants should be installed on your maschine or mailcow will fail. DOCKER_COMPOSE_VERSION=${COMPOSE_VERSION} diff --git a/helper-scripts/update_compose.sh b/helper-scripts/update_compose.sh new file mode 100755 index 00000000..c58eabea --- /dev/null +++ b/helper-scripts/update_compose.sh @@ -0,0 +1,70 @@ +#!/bin/bash +SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" + +source ${SCRIPT_DIR}/../mailcow.conf + +if [ "${DOCKER_COMPOSE_VERSION}" == "standalone" ]; then +LATEST_COMPOSE=$(curl -#L https://www.servercow.de/docker-compose/latest.php) +COMPOSE_VERSION=$(docker-compose version --short) +if [[ "$LATEST_COMPOSE" != "$COMPOSE_VERSION" ]]; then + echo -e "\e[33mA new docker-compose Version is available: $LATEST_COMPOSE\e[0m" + echo -e "\e[33mYour Version is: $COMPOSE_VERSION\e[0m" +else + echo -e "\e[32mYour docker-compose Version is up to date! Not updating it...\e[0m" + exit 0 +fi +read -r -p "Do you want to update your docker-compose Version? It will automatic upgrade your docker-compose installation (recommended)? [y/N] " updatecomposeresponse + if [[ ! "${updatecomposeresponse}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then + echo "OK, not updating docker-compose." + exit 0 + fi +echo -e "\e[32mFetching new docker-compose (standalone) version...\e[0m" +echo -e "\e[32mTrying to determine GLIBC version...\e[0m" + if ldd --version > /dev/null; then + GLIBC_V=$(ldd --version | grep -E '(GLIBC|GNU libc)' | rev | cut -d ' ' -f1 | rev | cut -d '.' -f2) + if [ ! -z "${GLIBC_V}" ] && [ ${GLIBC_V} -gt 27 ]; then + DC_DL_SUFFIX= + else + DC_DL_SUFFIX=legacy + fi + else + DC_DL_SUFFIX=legacy + fi + sleep 1 + if [[ $(command -v pip 2>&1) && $(pip list --local 2>&1 | grep -v DEPRECATION | grep -c docker-compose) == 1 || $(command -v pip3 2>&1) && $(pip3 list --local 2>&1 | grep -v DEPRECATION | grep -c docker-compose) == 1 ]]; then + echo -e "\e[33mFound a docker-compose Version installed with pip!\e[0m" + echo -e "\e[31mPlease uninstall the pip Version of docker-compose since it doesn´t support Versions higher than 1.29.2.\e[0m" + sleep 2 + echo -e "\e[33mExiting...\e[0m" + exit 1 + #prevent breaking a working docker-compose installed with pip + elif [[ $(curl -sL -w "%{http_code}" https://www.servercow.de/docker-compose/latest.php?vers=${DC_DL_SUFFIX} -o /dev/null) == "200" ]]; then + LATEST_COMPOSE=$(curl -#L https://www.servercow.de/docker-compose/latest.php) + COMPOSE_VERSION=$(docker-compose version --short) + if [[ "$LATEST_COMPOSE" != "$COMPOSE_VERSION" ]]; then + COMPOSE_PATH=$(command -v docker-compose) + if [[ -w ${COMPOSE_PATH} ]]; then + curl -#L https://github.com/docker/compose/releases/download/v${LATEST_COMPOSE}/docker-compose-$(uname -s)-$(uname -m) > $COMPOSE_PATH + chmod +x $COMPOSE_PATH + echo -e "\e[32mYour Docker Compose (standalone) has been updated to: $LATEST_COMPOSE\e[0m" + exit 0 + else + echo -e "\e[33mWARNING: $COMPOSE_PATH is not writable, but new version $LATEST_COMPOSE is available (installed: $COMPOSE_VERSION)\e[0m" + return 1 + fi + fi + else + echo -e "\e[33mCannot determine latest docker-compose version, skipping...\e[0m" + exit 1 + fi + +elif [ "${DOCKER_COMPOSE_VERSION}" == "native" ]; then + echo -e "\e[31mYou are using the native Docker Compose Plugin. This Script is for the standalone Docker Compose Version only.\e[0m" + sleep 2 + echo -e "\e[33mNotice: You´ll have to update this Compose Version via your Package Manager manually!\e[0m" + exit 1 + +else + echo -e "\e[31mCan not read DOCKER_COMPOSE_VERSION variable from mailcow.conf! Is your mailcow up to date? Exiting...\e[0m" + exit 1 +fi \ No newline at end of file diff --git a/update.sh b/update.sh index 4f4cb354..43ebcf07 100755 --- a/update.sh +++ b/update.sh @@ -419,6 +419,8 @@ for option in ${CONFIG_ARRAY[@]}; do echo "# Used Docker Compose version" >> mailcow.conf echo "# Switch here between native (compose plugin) and standalone" >> mailcow.conf echo "# For more informations take a look at the mailcow docs regarding the configuration options." >> mailcow.conf + echo "# Normally this should be untouched but if you decided to use either of those you can switch it manually here." >> mailcow.conf + echo "# Please be aware that at least one of those variants should be installed on your maschine or mailcow will fail." >> mailcow.conf echo "" >> mailcow.conf echo "DOCKER_COMPOSE_VERSION=${DOCKER_COMPOSE_VERSION}" >> mailcow.conf fi From 4f380debb5a1b4e0079dde717ed3c6a455629b43 Mon Sep 17 00:00:00 2001 From: DerLinkman Date: Tue, 23 Aug 2022 11:38:06 +0200 Subject: [PATCH 096/115] Added branch switch in generate_config.sh --- generate_config.sh | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/generate_config.sh b/generate_config.sh index 33a7b1e1..1ae76b21 100755 --- a/generate_config.sh +++ b/generate_config.sh @@ -135,6 +135,25 @@ else SKIP_SOLR=n fi +echo "Which branch of mailcow do you want to use?" +echo "" +echo "Available Branches:" +echo "- master branch (stable updates) | default, recommended [1]" +echo "- nightly branch (unstable updates, testing) | not-production ready [2]" +sleep 1 +read -r -p "Choose the Branch with it´s number [1/2] " branch + case $branch in + [2]) + git_branch="nightly" + ;; + *) + git_branch="master" + ;; + esac + +git fetch --all +git checkout -f $git_branch + [ ! -f ./data/conf/rspamd/override.d/worker-controller-password.inc ] && echo '# Placeholder' > ./data/conf/rspamd/override.d/worker-controller-password.inc cat << EOF > mailcow.conf @@ -413,4 +432,4 @@ else echo ' $MAILCOW_GIT_URL="";' >> data/web/inc/app_info.inc.php echo '?>' >> data/web/inc/app_info.inc.php echo -e "\e[33mCannot determine current git repository version...\e[0m" -fi +fi \ No newline at end of file From b16b276f369a820d8c2cd2a7f9abb927ef3606d9 Mon Sep 17 00:00:00 2001 From: DerLinkman Date: Tue, 23 Aug 2022 14:04:40 +0200 Subject: [PATCH 097/115] Implement nightly/stable switch in update.sh --- update.sh | 127 +++++++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 120 insertions(+), 7 deletions(-) diff --git a/update.sh b/update.sh index 43ebcf07..7d47b3cc 100755 --- a/update.sh +++ b/update.sh @@ -301,11 +301,22 @@ while (($#)); do --skip-start) SKIP_START=y ;; + --skip-ping-check) + SKIP_PING_CHECK=y + ;; + --stable) + CURRENT_BRANCH="$(cd ${SCRIPT_DIR}; git rev-parse --abbrev-ref HEAD)" + NEW_BRANCH="master" + ;; --gc) echo -e "\e[32mCollecting garbage...\e[0m" docker_garbage exit 0 ;; + --nightly) + CURRENT_BRANCH="$(cd ${SCRIPT_DIR}; git rev-parse --abbrev-ref HEAD)" + NEW_BRANCH="nightly" + ;; --prefetch) echo -e "\e[32mPrefetching images...\e[0m" prefetch_images @@ -315,18 +326,17 @@ while (($#)); do echo -e "\e[32mRunning in forced mode...\e[0m" FORCE=y ;; - --skip-ping-check) - SKIP_PING_CHECK=y - ;; --help|-h) - echo './update.sh [-c|--check, --ours, --gc, --prefetch, --skip-start, --skip-ping-check, -f|--force, -h|--help] + echo './update.sh [-c|--check, --ours, --gc, --nightly, --prefetch, --skip-start, --skip-ping-check, --stable, -f|--force, -h|--help] -c|--check - Check for updates and exit (exit codes => 0: update available, 3: no updates) --ours - Use merge strategy option "ours" to solve conflicts in favor of non-mailcow code (local changes over remote changes), not recommended! --gc - Run garbage collector to delete old image tags + --nightly - Switch your mailcow updates to the unstable (nightly) branch. FOR TESTING PURPOSES ONLY!!!! --prefetch - Only prefetch new images and exit (useful to prepare updates) --skip-start - Do not start mailcow after update --skip-ping-check - Skip ICMP Check to public DNS resolvers (Use it only if you´ve blocked any ICMP Connections to your mailcow machine) + --stable - Switch your mailcow updates to the stable (master) branch. Default unless you changed it with --nightly. -f|--force - Force update, do not ask questions ' exit 1 @@ -648,6 +658,84 @@ else fi fi +if [ $NEW_BRANCH != "master" ] || [ $NEW_BRANCH != "nightly"] + echo -e "\e[33mDetecting which build your mailcow runs on...\e[0m" + sleep 1 + if [ ${BRANCH} == "master" ]; then + echo -e "\e[32mYou are receiving stable updates (master).\e[0m" + echo -e "\e[33mTo change that run the update.sh Script one time with the --nightly parameter to switch to nightly builds.\e[0m" + + elif [ ${BRANCH} == "nightly" ]; then + echo -e "\e[31mYou are receiving unstable updates (nightly). These are for testing purposes only!!!\e[0m" + sleep 1 + echo -e "\e[33mTo change that run the update.sh Script one time with the --stable parameter to switch to stable builds.\e[0m" + + else + echo -e "\e[33mYou are receiving updates from a unsupported branch.\e[0m" + sleep 1 + echo -e "\e[33mThe mailcow stack might still work but it is recommended to switch to the master branch (stable builds).\e[0m" + echo -e "\e[33mTo change that run the update.sh Script one time with the --stable parameter to switch to stable builds.\e[0m" + fi +elif [ $NEW_BRANCH == "master" ] && [ $CURRENT_BRANCH != "master" ] + echo -e "\e[33mYou are about to switch your mailcow Updates to the stable (master) branch.\e[0m" + sleep 1 + echo -e "\e[33mBefore you do: Please take a backup of all components to ensure that no Data is lost...\e[0m" + sleep 1 + echo -e "\e[31mWARNING: Please see on GitHub or ask in the communitys if a switch to master is stable or not. + In some rear cases a Update back to master can destroy your mailcow configuration in case of Database Upgrades etc. + Normally a upgrade back to master should be safe during each full release. Check GitHub for Database Changes and Update only if there similar to the full release!\e[0m" + read -r -p "Are you sure you that want to continue upgrading to the stable (master) branch? [y/N] " response + if [[ ! "${response}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then + echo "OK. If you prepared yourself for that please run the update.sh Script with the --stable parameter again to trigger this process here." + exit 0 + fi + + BRANCH = NEW_BRANCH + DIFF_DIRECTORY=update_diffs + DIFF_FILE=${DIFF_DIRECTORY}/diff_before_upgrade_to_master_$(date +"%Y-%m-%d-%H-%M-%S") + mv diff_before_upgrade* ${DIFF_DIRECTORY}/ 2> /dev/null + if ! git diff-index --quiet HEAD; then + echo -e "\e[32mSaving diff to ${DIFF_FILE}...\e[0m" + mkdir -p ${DIFF_DIRECTORY} + git diff ${BRANCH} --stat > ${DIFF_FILE} + git diff ${BRANCH} >> ${DIFF_FILE} + fi + echo -e "\e[32mSwitching Branch to ${BRANCH}...\e[0m" + git fetch origin --all + git checkout -f origin/${BRANCH} + +elif [ $NEW_BRANCH == "nightly" ] && [ $CURRENT_BRANCH != "nightly" ] + echo -e "\e[33mYou are about to switch your mailcow Updates to the unstable (nightly) branch.\e[0m" + sleep 1 + echo -e "\e[33mBefore you do: Please take a backup of all components to ensure that no Data is lost...\e[0m" + sleep 1 + echo -e "\e[31mWARNING: A switch to nightly is possible any time. But a switch back (to master) not.\e[0m" + read -r -p "Are you sure you that want to continue upgrading to the unstable (nightly) branch? [y/N] " response + if [[ ! "${response}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then + echo "OK. If you prepared yourself for that please run the update.sh Script with the --nightly parameter again to trigger this process here." + exit 0 + fi + + BRANCH = NEW_BRANCH + DIFF_DIRECTORY=update_diffs + DIFF_FILE=${DIFF_DIRECTORY}/diff_before_upgrade_to_nightly_$(date +"%Y-%m-%d-%H-%M-%S") + mv diff_before_upgrade* ${DIFF_DIRECTORY}/ 2> /dev/null + if ! git diff-index --quiet HEAD; then + echo -e "\e[32mSaving diff to ${DIFF_FILE}...\e[0m" + mkdir -p ${DIFF_DIRECTORY} + git diff ${BRANCH} --stat > ${DIFF_FILE} + git diff ${BRANCH} >> ${DIFF_FILE} + fi + + git fetch origin --all + git checkout -f origin/${BRANCH} + +elif [ $FORCE ]; then + echo -e "\e[31mYou are running in forced mode!\e[0m" + echo -e "\e[31mA Branch Switch can only be performed manually (monitored).\e[0m" + echo -e "\e[31mPlease rerun the update.sh Script without the --force/-f parameter.\e[0m" +fi + echo -e "\e[32mChecking for newer update script...\e[0m" SHA1_1=$(sha1sum update.sh) git fetch origin #${BRANCH} @@ -783,16 +871,41 @@ if [ -f "data/conf/rspamd/local.d/metrics.conf" ]; then fi # Set app_info.inc.php -mailcow_git_version=$(git describe --tags `git rev-list --tags --max-count=1`) +if [ ${BRANCH} == "master" ]; then + mailcow_git_version=$(git describe --tags `git rev-list --tags --max-count=1`) + mailcow_last_git_version="" +elif [ ${BRANCH} == "nightly" ]; then + mailcow_git_version=$(git rev-parse --short HEAD) +else + mailcow_git_version=$(git rev-parse --short HEAD) +fi + +mailcow_git_commit=$(git rev-parse HEAD) +mailcow_git_commit_date=$(git show -s --format=%cd --date=format:'%Y-%m-%d %H:%M') + if [ $? -eq 0 ]; then echo ' data/web/inc/app_info.inc.php echo ' $MAILCOW_GIT_VERSION="'$mailcow_git_version'";' >> data/web/inc/app_info.inc.php + echo ' $MAILCOW_LAST_GIT_VERSION="";' >> data/web/inc/app_info.inc.php + echo ' $MAILCOW_GIT_OWNER="mailcow";' >> data/web/inc/app_info.inc.php + echo ' $MAILCOW_GIT_REPO="mailcow-dockerized";' >> data/web/inc/app_info.inc.php echo ' $MAILCOW_GIT_URL="https://github.com/mailcow/mailcow-dockerized";' >> data/web/inc/app_info.inc.php + echo ' $MAILCOW_GIT_COMMIT="'$mailcow_git_commit'";' >> data/web/inc/app_info.inc.php + echo ' $MAILCOW_GIT_COMMIT_DATE="'$mailcow_git_commit_date'";' >> data/web/inc/app_info.inc.php + echo ' $MAILCOW_BRANCH="'$BRANCH'";' >> data/web/inc/app_info.inc.php + echo ' $MAILCOW_UPDATEDAT='$(date +%s)';' >> data/web/inc/app_info.inc.php echo '?>' >> data/web/inc/app_info.inc.php else echo ' data/web/inc/app_info.inc.php - echo ' $MAILCOW_GIT_VERSION="";' >> data/web/inc/app_info.inc.php - echo ' $MAILCOW_GIT_URL="";' >> data/web/inc/app_info.inc.php + echo ' $MAILCOW_GIT_VERSION="'$mailcow_git_version'";' >> data/web/inc/app_info.inc.php + echo ' $MAILCOW_LAST_GIT_VERSION="";' >> data/web/inc/app_info.inc.php + echo ' $MAILCOW_GIT_OWNER="mailcow";' >> data/web/inc/app_info.inc.php + echo ' $MAILCOW_GIT_REPO="mailcow-dockerized";' >> data/web/inc/app_info.inc.php + echo ' $MAILCOW_GIT_URL="https://github.com/mailcow/mailcow-dockerized";' >> data/web/inc/app_info.inc.php + echo ' $MAILCOW_GIT_COMMIT="";' >> data/web/inc/app_info.inc.php + echo ' $MAILCOW_GIT_COMMIT_DATE="";' >> data/web/inc/app_info.inc.php + echo ' $MAILCOW_BRANCH="'$BRANCH'";' >> data/web/inc/app_info.inc.php + echo ' $MAILCOW_UPDATEDAT='$(date +%s)';' >> data/web/inc/app_info.inc.php echo '?>' >> data/web/inc/app_info.inc.php echo -e "\e[33mCannot determine current git repository version...\e[0m" fi From a8eb3b6ac5b03238f04eb33f08fde1ec98c07729 Mon Sep 17 00:00:00 2001 From: DerLinkman Date: Wed, 24 Aug 2022 14:31:32 +0200 Subject: [PATCH 098/115] Added nightly footer --- data/web/templates/base.twig | 13 ++++++++++--- update.sh | 3 ++- 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/data/web/templates/base.twig b/data/web/templates/base.twig index 37c27e21..ba0810a1 100644 --- a/data/web/templates/base.twig +++ b/data/web/templates/base.twig @@ -477,13 +477,20 @@ function recursiveBase64StrToArrayBuffer(obj) { {% if ui_texts.ui_footer %}
{{ ui_texts.ui_footer|rot13|raw }} {% endif %} - {% if mailcow_cc_username and mailcow_info.version_tag|default %} + {% if mailcow_cc_username and mailcow_info.mailcow_build|lower == "stable" and mailcow_info.version_tag|default %} 🐮 + 🐋 = 💕 - - Version: {{ mailcow_info.version_tag }} + Version: {{ mailcow_info.version_tag }} + {% endif %} + {% if mailcow_cc_username and mailcow_info.mailcow_build|lower == "nightly" and mailcow_info.version_tag|default %} + + 🛠️🐮 + 🐋 = 💕 + Nightly: {{ mailcow_info.version_tag }} +
+ Build: {{ mailcow_info.git_commit_date }} + {% endif %}
diff --git a/update.sh b/update.sh index 7d47b3cc..2d8ed95a 100755 --- a/update.sh +++ b/update.sh @@ -873,11 +873,12 @@ fi # Set app_info.inc.php if [ ${BRANCH} == "master" ]; then mailcow_git_version=$(git describe --tags `git rev-list --tags --max-count=1`) - mailcow_last_git_version="" elif [ ${BRANCH} == "nightly" ]; then mailcow_git_version=$(git rev-parse --short HEAD) + mailcow_last_git_version="" else mailcow_git_version=$(git rev-parse --short HEAD) + mailcow_last_git_version="" fi mailcow_git_commit=$(git rev-parse HEAD) From 77f9947613fa3aac9ac772574495a0ee50a3c91f Mon Sep 17 00:00:00 2001 From: DerLinkman Date: Wed, 24 Aug 2022 14:37:00 +0200 Subject: [PATCH 099/115] Readded footer + vars. --- data/web/inc/footer.inc.php | 9 ++++++++- data/web/templates/base.twig | 4 ++-- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/data/web/inc/footer.inc.php b/data/web/inc/footer.inc.php index b2f1d4d5..61d81dff 100644 --- a/data/web/inc/footer.inc.php +++ b/data/web/inc/footer.inc.php @@ -48,7 +48,14 @@ if (isset($pending_tfa_authmechs['u2f'])) { $globalVariables = [ 'mailcow_info' => array( 'version_tag' => $GLOBALS['MAILCOW_GIT_VERSION'], - 'git_project_url' => $GLOBALS['MAILCOW_GIT_URL'] + 'last_version_tag' => $GLOBALS['MAILCOW_LAST_GIT_VERSION'], + 'git_owner' => $GLOBALS['MAILCOW_GIT_OWNER'], + 'git_repo' => $GLOBALS['MAILCOW_GIT_REPO'], + 'git_project_url' => $GLOBALS['MAILCOW_GIT_URL'], + 'git_commit' => $GLOBALS['MAILCOW_GIT_COMMIT'], + 'git_commit_date' => $GLOBALS['MAILCOW_GIT_COMMIT_DATE'], + 'mailcow_branch' => $GLOBALS['MAILCOW_BRANCH'], + 'updated_at' => $GLOBALS['MAILCOW_UPDATEDAT'] ), 'js_path' => '/cache/'.basename($JSPath), 'pending_tfa_methods' => @$_SESSION['pending_tfa_methods'], diff --git a/data/web/templates/base.twig b/data/web/templates/base.twig index ba0810a1..e97199b3 100644 --- a/data/web/templates/base.twig +++ b/data/web/templates/base.twig @@ -477,14 +477,14 @@ function recursiveBase64StrToArrayBuffer(obj) { {% if ui_texts.ui_footer %}
{{ ui_texts.ui_footer|rot13|raw }} {% endif %} - {% if mailcow_cc_username and mailcow_info.mailcow_build|lower == "stable" and mailcow_info.version_tag|default %} + {% if mailcow_cc_username and mailcow_info.mailcow_branch|lower == "master" and mailcow_info.version_tag|default %} 🐮 + 🐋 = 💕 Version: {{ mailcow_info.version_tag }} {% endif %} - {% if mailcow_cc_username and mailcow_info.mailcow_build|lower == "nightly" and mailcow_info.version_tag|default %} + {% if mailcow_cc_username and mailcow_info.mailcow_branch|lower == "origin/feature/nightly-editions" and mailcow_info.version_tag|default %} 🛠️🐮 + 🐋 = 💕 Nightly: {{ mailcow_info.version_tag }} From 4f7ee669d3c3fc13829f629a392215abd899c35f Mon Sep 17 00:00:00 2001 From: DerLinkman Date: Wed, 24 Aug 2022 14:42:31 +0200 Subject: [PATCH 100/115] Added missing ;then in update.sh --- update.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/update.sh b/update.sh index 2d8ed95a..4e277e26 100755 --- a/update.sh +++ b/update.sh @@ -658,7 +658,7 @@ else fi fi -if [ $NEW_BRANCH != "master" ] || [ $NEW_BRANCH != "nightly"] +if [ $NEW_BRANCH != "master" ] || [ $NEW_BRANCH != "nightly"]; then echo -e "\e[33mDetecting which build your mailcow runs on...\e[0m" sleep 1 if [ ${BRANCH} == "master" ]; then @@ -676,7 +676,7 @@ if [ $NEW_BRANCH != "master" ] || [ $NEW_BRANCH != "nightly"] echo -e "\e[33mThe mailcow stack might still work but it is recommended to switch to the master branch (stable builds).\e[0m" echo -e "\e[33mTo change that run the update.sh Script one time with the --stable parameter to switch to stable builds.\e[0m" fi -elif [ $NEW_BRANCH == "master" ] && [ $CURRENT_BRANCH != "master" ] +elif [ $NEW_BRANCH == "master" ] && [ $CURRENT_BRANCH != "master" ]; then echo -e "\e[33mYou are about to switch your mailcow Updates to the stable (master) branch.\e[0m" sleep 1 echo -e "\e[33mBefore you do: Please take a backup of all components to ensure that no Data is lost...\e[0m" @@ -704,7 +704,7 @@ elif [ $NEW_BRANCH == "master" ] && [ $CURRENT_BRANCH != "master" ] git fetch origin --all git checkout -f origin/${BRANCH} -elif [ $NEW_BRANCH == "nightly" ] && [ $CURRENT_BRANCH != "nightly" ] +elif [ $NEW_BRANCH == "nightly" ] && [ $CURRENT_BRANCH != "nightly" ]; then echo -e "\e[33mYou are about to switch your mailcow Updates to the unstable (nightly) branch.\e[0m" sleep 1 echo -e "\e[33mBefore you do: Please take a backup of all components to ensure that no Data is lost...\e[0m" From 9db9818edea9ba7680aef32267d91e57a6ff0895 Mon Sep 17 00:00:00 2001 From: DerLinkman Date: Wed, 24 Aug 2022 15:00:39 +0200 Subject: [PATCH 101/115] Moved Force Mode check in prio --- update.sh | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/update.sh b/update.sh index 4e277e26..6b19dd1d 100755 --- a/update.sh +++ b/update.sh @@ -658,7 +658,7 @@ else fi fi -if [ $NEW_BRANCH != "master" ] || [ $NEW_BRANCH != "nightly"]; then +if ! [ $NEW_BRANCH ]; then echo -e "\e[33mDetecting which build your mailcow runs on...\e[0m" sleep 1 if [ ${BRANCH} == "master" ]; then @@ -676,6 +676,11 @@ if [ $NEW_BRANCH != "master" ] || [ $NEW_BRANCH != "nightly"]; then echo -e "\e[33mThe mailcow stack might still work but it is recommended to switch to the master branch (stable builds).\e[0m" echo -e "\e[33mTo change that run the update.sh Script one time with the --stable parameter to switch to stable builds.\e[0m" fi +elif [ $FORCE = "y" ]; then + echo -e "\e[31mYou are running in forced mode!\e[0m" + echo -e "\e[31mA Branch Switch can only be performed manually (monitored).\e[0m" + echo -e "\e[31mPlease rerun the update.sh Script without the --force/-f parameter.\e[0m" + sleep 1 elif [ $NEW_BRANCH == "master" ] && [ $CURRENT_BRANCH != "master" ]; then echo -e "\e[33mYou are about to switch your mailcow Updates to the stable (master) branch.\e[0m" sleep 1 @@ -683,7 +688,8 @@ elif [ $NEW_BRANCH == "master" ] && [ $CURRENT_BRANCH != "master" ]; then sleep 1 echo -e "\e[31mWARNING: Please see on GitHub or ask in the communitys if a switch to master is stable or not. In some rear cases a Update back to master can destroy your mailcow configuration in case of Database Upgrades etc. - Normally a upgrade back to master should be safe during each full release. Check GitHub for Database Changes and Update only if there similar to the full release!\e[0m" + Normally a upgrade back to master should be safe during each full release. + Check GitHub for Database Changes and Update only if there similar to the full release!\e[0m" read -r -p "Are you sure you that want to continue upgrading to the stable (master) branch? [y/N] " response if [[ ! "${response}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then echo "OK. If you prepared yourself for that please run the update.sh Script with the --stable parameter again to trigger this process here." @@ -709,7 +715,7 @@ elif [ $NEW_BRANCH == "nightly" ] && [ $CURRENT_BRANCH != "nightly" ]; then sleep 1 echo -e "\e[33mBefore you do: Please take a backup of all components to ensure that no Data is lost...\e[0m" sleep 1 - echo -e "\e[31mWARNING: A switch to nightly is possible any time. But a switch back (to master) not.\e[0m" + echo -e "\e[31mWARNING: A switch to nightly is possible any time. But a switch back (to master) isn't.\e[0m" read -r -p "Are you sure you that want to continue upgrading to the unstable (nightly) branch? [y/N] " response if [[ ! "${response}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then echo "OK. If you prepared yourself for that please run the update.sh Script with the --nightly parameter again to trigger this process here." @@ -730,10 +736,6 @@ elif [ $NEW_BRANCH == "nightly" ] && [ $CURRENT_BRANCH != "nightly" ]; then git fetch origin --all git checkout -f origin/${BRANCH} -elif [ $FORCE ]; then - echo -e "\e[31mYou are running in forced mode!\e[0m" - echo -e "\e[31mA Branch Switch can only be performed manually (monitored).\e[0m" - echo -e "\e[31mPlease rerun the update.sh Script without the --force/-f parameter.\e[0m" fi echo -e "\e[32mChecking for newer update script...\e[0m" From cdc8f63b4b2ec1622c4f62106a4e3ea2b57bc7ba Mon Sep 17 00:00:00 2001 From: DerLinkman Date: Wed, 24 Aug 2022 15:05:14 +0200 Subject: [PATCH 102/115] Fixed Force flag --- update.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/update.sh b/update.sh index 6b19dd1d..93f8f365 100755 --- a/update.sh +++ b/update.sh @@ -676,7 +676,7 @@ if ! [ $NEW_BRANCH ]; then echo -e "\e[33mThe mailcow stack might still work but it is recommended to switch to the master branch (stable builds).\e[0m" echo -e "\e[33mTo change that run the update.sh Script one time with the --stable parameter to switch to stable builds.\e[0m" fi -elif [ $FORCE = "y" ]; then +elif [ $FORCE ]; then echo -e "\e[31mYou are running in forced mode!\e[0m" echo -e "\e[31mA Branch Switch can only be performed manually (monitored).\e[0m" echo -e "\e[31mPlease rerun the update.sh Script without the --force/-f parameter.\e[0m" From 825c8a6abee977529b3b29dd3e167d5d42b3fb47 Mon Sep 17 00:00:00 2001 From: DerLinkman Date: Wed, 24 Aug 2022 15:56:02 +0200 Subject: [PATCH 103/115] Changed Git Checkout form --- update.sh | 22 +++++++++------------- 1 file changed, 9 insertions(+), 13 deletions(-) diff --git a/update.sh b/update.sh index 93f8f365..e8141b41 100755 --- a/update.sh +++ b/update.sh @@ -695,8 +695,7 @@ elif [ $NEW_BRANCH == "master" ] && [ $CURRENT_BRANCH != "master" ]; then echo "OK. If you prepared yourself for that please run the update.sh Script with the --stable parameter again to trigger this process here." exit 0 fi - - BRANCH = NEW_BRANCH + BRANCH=$NEW_BRANCH DIFF_DIRECTORY=update_diffs DIFF_FILE=${DIFF_DIRECTORY}/diff_before_upgrade_to_master_$(date +"%Y-%m-%d-%H-%M-%S") mv diff_before_upgrade* ${DIFF_DIRECTORY}/ 2> /dev/null @@ -708,7 +707,7 @@ elif [ $NEW_BRANCH == "master" ] && [ $CURRENT_BRANCH != "master" ]; then fi echo -e "\e[32mSwitching Branch to ${BRANCH}...\e[0m" git fetch origin --all - git checkout -f origin/${BRANCH} + git checkout -f ${BRANCH} elif [ $NEW_BRANCH == "nightly" ] && [ $CURRENT_BRANCH != "nightly" ]; then echo -e "\e[33mYou are about to switch your mailcow Updates to the unstable (nightly) branch.\e[0m" @@ -721,8 +720,7 @@ elif [ $NEW_BRANCH == "nightly" ] && [ $CURRENT_BRANCH != "nightly" ]; then echo "OK. If you prepared yourself for that please run the update.sh Script with the --nightly parameter again to trigger this process here." exit 0 fi - - BRANCH = NEW_BRANCH + BRANCH=$NEW_BRANCH DIFF_DIRECTORY=update_diffs DIFF_FILE=${DIFF_DIRECTORY}/diff_before_upgrade_to_nightly_$(date +"%Y-%m-%d-%H-%M-%S") mv diff_before_upgrade* ${DIFF_DIRECTORY}/ 2> /dev/null @@ -732,10 +730,8 @@ elif [ $NEW_BRANCH == "nightly" ] && [ $CURRENT_BRANCH != "nightly" ]; then git diff ${BRANCH} --stat > ${DIFF_FILE} git diff ${BRANCH} >> ${DIFF_FILE} fi - git fetch origin --all - git checkout -f origin/${BRANCH} - + git checkout -f ${BRANCH} fi echo -e "\e[32mChecking for newer update script...\e[0m" @@ -932,8 +928,8 @@ if [ -f "${SCRIPT_DIR}/post_update_hook.sh" ]; then bash "${SCRIPT_DIR}/post_update_hook.sh" fi -# echo "In case you encounter any problem, hard-reset to a state before updating mailcow:" -# echo -# git reflog --color=always | grep "Before update on " -# echo -# echo "Use \"git reset --hard hash-on-the-left\" and run $COMPOSE_COMMAND up -d afterwards." \ No newline at end of file +echo "In case you encounter any problem, hard-reset to a state before updating mailcow:" +echo +git reflog --color=always | grep "Before update on " +echo +echo "Use \"git reset --hard hash-on-the-left\" and run $COMPOSE_COMMAND up -d afterwards." \ No newline at end of file From 85deeaf80645fc78adadfbe5b514651096f09382 Mon Sep 17 00:00:00 2001 From: DerLinkman Date: Wed, 24 Aug 2022 16:00:57 +0200 Subject: [PATCH 104/115] Corrected origin fetch --- update.sh | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/update.sh b/update.sh index e8141b41..b5bd13c5 100755 --- a/update.sh +++ b/update.sh @@ -730,7 +730,7 @@ elif [ $NEW_BRANCH == "nightly" ] && [ $CURRENT_BRANCH != "nightly" ]; then git diff ${BRANCH} --stat > ${DIFF_FILE} git diff ${BRANCH} >> ${DIFF_FILE} fi - git fetch origin --all + git fetch origin git checkout -f ${BRANCH} fi @@ -928,8 +928,8 @@ if [ -f "${SCRIPT_DIR}/post_update_hook.sh" ]; then bash "${SCRIPT_DIR}/post_update_hook.sh" fi -echo "In case you encounter any problem, hard-reset to a state before updating mailcow:" -echo -git reflog --color=always | grep "Before update on " -echo -echo "Use \"git reset --hard hash-on-the-left\" and run $COMPOSE_COMMAND up -d afterwards." \ No newline at end of file +# echo "In case you encounter any problem, hard-reset to a state before updating mailcow:" +# echo +# git reflog --color=always | grep "Before update on " +# echo +# echo "Use \"git reset --hard hash-on-the-left\" and run $COMPOSE_COMMAND up -d afterwards." \ No newline at end of file From e202530afb57ee33c7cce6f9e2dbb3594e6df30f Mon Sep 17 00:00:00 2001 From: DerLinkman Date: Wed, 24 Aug 2022 16:12:36 +0200 Subject: [PATCH 105/115] Set correct Commit ID from origin instead of local --- update.sh | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/update.sh b/update.sh index b5bd13c5..c27fcd43 100755 --- a/update.sh +++ b/update.sh @@ -730,7 +730,7 @@ elif [ $NEW_BRANCH == "nightly" ] && [ $CURRENT_BRANCH != "nightly" ]; then git diff ${BRANCH} --stat > ${DIFF_FILE} git diff ${BRANCH} >> ${DIFF_FILE} fi - git fetch origin + git fetch origin --all git checkout -f ${BRANCH} fi @@ -872,14 +872,14 @@ fi if [ ${BRANCH} == "master" ]; then mailcow_git_version=$(git describe --tags `git rev-list --tags --max-count=1`) elif [ ${BRANCH} == "nightly" ]; then - mailcow_git_version=$(git rev-parse --short HEAD) + mailcow_git_version=$(git rev-parse origin/${BRANCH} --short HEAD | head -2 | tail -1) mailcow_last_git_version="" else mailcow_git_version=$(git rev-parse --short HEAD) mailcow_last_git_version="" fi -mailcow_git_commit=$(git rev-parse HEAD) +mailcow_git_commit=$(git rev-parse origin/${BRANCH}) mailcow_git_commit_date=$(git show -s --format=%cd --date=format:'%Y-%m-%d %H:%M') if [ $? -eq 0 ]; then @@ -928,8 +928,8 @@ if [ -f "${SCRIPT_DIR}/post_update_hook.sh" ]; then bash "${SCRIPT_DIR}/post_update_hook.sh" fi -# echo "In case you encounter any problem, hard-reset to a state before updating mailcow:" -# echo -# git reflog --color=always | grep "Before update on " -# echo -# echo "Use \"git reset --hard hash-on-the-left\" and run $COMPOSE_COMMAND up -d afterwards." \ No newline at end of file +echo "In case you encounter any problem, hard-reset to a state before updating mailcow:" +echo +git reflog --color=always | grep "Before update on " +echo +echo "Use \"git reset --hard hash-on-the-left\" and run $COMPOSE_COMMAND up -d afterwards." \ No newline at end of file From ef311f22bf5b188837909427438ee29423c2ac56 Mon Sep 17 00:00:00 2001 From: DerLinkman Date: Wed, 24 Aug 2022 16:16:38 +0200 Subject: [PATCH 106/115] Corrected Twig Footer --- data/web/templates/base.twig | 2 +- update.sh | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/data/web/templates/base.twig b/data/web/templates/base.twig index e97199b3..be23c19d 100644 --- a/data/web/templates/base.twig +++ b/data/web/templates/base.twig @@ -484,7 +484,7 @@ function recursiveBase64StrToArrayBuffer(obj) { {% endif %} - {% if mailcow_cc_username and mailcow_info.mailcow_branch|lower == "origin/feature/nightly-editions" and mailcow_info.version_tag|default %} + {% if mailcow_cc_username and mailcow_info.mailcow_branch|lower == "nightly" and mailcow_info.version_tag|default %} 🛠️🐮 + 🐋 = 💕 Nightly: {{ mailcow_info.version_tag }} diff --git a/update.sh b/update.sh index c27fcd43..d0e4c4ba 100755 --- a/update.sh +++ b/update.sh @@ -706,7 +706,7 @@ elif [ $NEW_BRANCH == "master" ] && [ $CURRENT_BRANCH != "master" ]; then git diff ${BRANCH} >> ${DIFF_FILE} fi echo -e "\e[32mSwitching Branch to ${BRANCH}...\e[0m" - git fetch origin --all + git fetch origin git checkout -f ${BRANCH} elif [ $NEW_BRANCH == "nightly" ] && [ $CURRENT_BRANCH != "nightly" ]; then @@ -730,7 +730,7 @@ elif [ $NEW_BRANCH == "nightly" ] && [ $CURRENT_BRANCH != "nightly" ]; then git diff ${BRANCH} --stat > ${DIFF_FILE} git diff ${BRANCH} >> ${DIFF_FILE} fi - git fetch origin --all + git fetch origin git checkout -f ${BRANCH} fi From 5ea43051856104e9ea5d01bde800b0180e6edd04 Mon Sep 17 00:00:00 2001 From: DerLinkman Date: Wed, 24 Aug 2022 16:26:07 +0200 Subject: [PATCH 107/115] Fix Upstream Commit ID grep --- update.sh | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/update.sh b/update.sh index d0e4c4ba..4efbc6a5 100755 --- a/update.sh +++ b/update.sh @@ -872,7 +872,7 @@ fi if [ ${BRANCH} == "master" ]; then mailcow_git_version=$(git describe --tags `git rev-list --tags --max-count=1`) elif [ ${BRANCH} == "nightly" ]; then - mailcow_git_version=$(git rev-parse origin/${BRANCH} --short HEAD | head -2 | tail -1) + mailcow_git_version=$(git rev-parse --short $(git rev-parse @{upstream})) mailcow_last_git_version="" else mailcow_git_version=$(git rev-parse --short HEAD) @@ -928,8 +928,8 @@ if [ -f "${SCRIPT_DIR}/post_update_hook.sh" ]; then bash "${SCRIPT_DIR}/post_update_hook.sh" fi -echo "In case you encounter any problem, hard-reset to a state before updating mailcow:" -echo -git reflog --color=always | grep "Before update on " -echo -echo "Use \"git reset --hard hash-on-the-left\" and run $COMPOSE_COMMAND up -d afterwards." \ No newline at end of file +# echo "In case you encounter any problem, hard-reset to a state before updating mailcow:" +# echo +# git reflog --color=always | grep "Before update on " +# echo +# echo "Use \"git reset --hard hash-on-the-left\" and run $COMPOSE_COMMAND up -d afterwards." \ No newline at end of file From 778a3ed551c270d0bb104eddd26c3587fcc25df4 Mon Sep 17 00:00:00 2001 From: DerLinkman Date: Thu, 25 Aug 2022 10:07:42 +0200 Subject: [PATCH 108/115] Use universal Git Commit Date Command --- update.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/update.sh b/update.sh index 4efbc6a5..169923b9 100755 --- a/update.sh +++ b/update.sh @@ -880,7 +880,7 @@ else fi mailcow_git_commit=$(git rev-parse origin/${BRANCH}) -mailcow_git_commit_date=$(git show -s --format=%cd --date=format:'%Y-%m-%d %H:%M') +mailcow_git_commit_date=$(git log -1 --format=%ci @{upstream} ) if [ $? -eq 0 ]; then echo ' data/web/inc/app_info.inc.php From 1f9f4157a674850962b06fe68553ff040e6c9a5e Mon Sep 17 00:00:00 2001 From: DerLinkman Date: Thu, 25 Aug 2022 10:27:46 +0200 Subject: [PATCH 109/115] Corrected detect docker compose command position --- update.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/update.sh b/update.sh index 169923b9..7ebb0f49 100755 --- a/update.sh +++ b/update.sh @@ -344,6 +344,8 @@ while (($#)); do shift done +detect_docker_compose_command + [[ ! -f mailcow.conf ]] && { echo "mailcow.conf is missing! Is mailcow installed?"; exit 1;} chmod 600 mailcow.conf source mailcow.conf @@ -354,8 +356,6 @@ if [ ${#DOTS} -lt 2 ]; then exit 1 fi -detect_docker_compose_command - if grep --help 2>&1 | head -n 1 | grep -q -i "busybox"; then echo "BusyBox grep detected, please install gnu grep, \"apk add --no-cache --upgrade grep\""; exit 1; fi # This will also cover sort if cp --help 2>&1 | head -n 1 | grep -q -i "busybox"; then echo "BusyBox cp detected, please install coreutils, \"apk add --no-cache --upgrade coreutils\""; exit 1; fi From bc9141753fab8fb4b591461d92703c345ebbef0c Mon Sep 17 00:00:00 2001 From: DerLinkman Date: Thu, 25 Aug 2022 10:32:33 +0200 Subject: [PATCH 110/115] Re-arranged position of source mailcow.conf --- update.sh | 25 +++++++++++++------------ 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/update.sh b/update.sh index 7ebb0f49..a7664c67 100755 --- a/update.sh +++ b/update.sh @@ -344,11 +344,12 @@ while (($#)); do shift done +chmod 600 mailcow.conf +source mailcow.conf + detect_docker_compose_command [[ ! -f mailcow.conf ]] && { echo "mailcow.conf is missing! Is mailcow installed?"; exit 1;} -chmod 600 mailcow.conf -source mailcow.conf DOTS=${MAILCOW_HOSTNAME//[^.]}; if [ ${#DOTS} -lt 2 ]; then echo "MAILCOW_HOSTNAME (${MAILCOW_HOSTNAME}) is not a FQDN!" @@ -734,16 +735,16 @@ elif [ $NEW_BRANCH == "nightly" ] && [ $CURRENT_BRANCH != "nightly" ]; then git checkout -f ${BRANCH} fi -echo -e "\e[32mChecking for newer update script...\e[0m" -SHA1_1=$(sha1sum update.sh) -git fetch origin #${BRANCH} -git checkout origin/${BRANCH} update.sh -SHA1_2=$(sha1sum update.sh) -if [[ ${SHA1_1} != ${SHA1_2} ]]; then - echo "update.sh changed, please run this script again, exiting." - chmod +x update.sh - exit 2 -fi +# echo -e "\e[32mChecking for newer update script...\e[0m" +# SHA1_1=$(sha1sum update.sh) +# git fetch origin #${BRANCH} +# git checkout origin/${BRANCH} update.sh +# SHA1_2=$(sha1sum update.sh) +# if [[ ${SHA1_1} != ${SHA1_2} ]]; then +# echo "update.sh changed, please run this script again, exiting." +# chmod +x update.sh +# exit 2 +# fi if [ ! $FORCE ]; then read -r -p "Are you sure you want to update mailcow: dockerized? All containers will be stopped. [y/N] " response From e98a9844179e0808106d5a7f28c1eca800f2bf40 Mon Sep 17 00:00:00 2001 From: DerLinkman Date: Thu, 25 Aug 2022 11:16:55 +0200 Subject: [PATCH 111/115] Implemented correct app_info.php set in generate_config --- generate_config.sh | 32 +++++++++++++++++++++++++++++--- 1 file changed, 29 insertions(+), 3 deletions(-) diff --git a/generate_config.sh b/generate_config.sh index 1ae76b21..a7f4a5a0 100755 --- a/generate_config.sh +++ b/generate_config.sh @@ -420,16 +420,42 @@ echo "Copying snake-oil certificate..." cp -n -d data/assets/ssl-example/*.pem data/assets/ssl/ # Set app_info.inc.php -mailcow_git_version=$(git describe --tags `git rev-list --tags --max-count=1`) +if [ ${git_branch} == "master" ]; then + mailcow_git_version=$(git describe --tags `git rev-list --tags --max-count=1`) +elif [ ${git_branch} == "nightly" ]; then + mailcow_git_version=$(git rev-parse --short $(git rev-parse @{upstream})) + mailcow_last_git_version="" +else + mailcow_git_version=$(git rev-parse --short HEAD) + mailcow_last_git_version="" +fi + +mailcow_git_commit=$(git rev-parse origin/${git_branch}) +mailcow_git_commit_date=$(git log -1 --format=%ci @{upstream} ) + if [ $? -eq 0 ]; then echo ' data/web/inc/app_info.inc.php echo ' $MAILCOW_GIT_VERSION="'$mailcow_git_version'";' >> data/web/inc/app_info.inc.php + echo ' $MAILCOW_LAST_GIT_VERSION="";' >> data/web/inc/app_info.inc.php + echo ' $MAILCOW_GIT_OWNER="mailcow";' >> data/web/inc/app_info.inc.php + echo ' $MAILCOW_GIT_REPO="mailcow-dockerized";' >> data/web/inc/app_info.inc.php echo ' $MAILCOW_GIT_URL="https://github.com/mailcow/mailcow-dockerized";' >> data/web/inc/app_info.inc.php + echo ' $MAILCOW_GIT_COMMIT="'$mailcow_git_commit'";' >> data/web/inc/app_info.inc.php + echo ' $MAILCOW_GIT_COMMIT_DATE="'$mailcow_git_commit_date'";' >> data/web/inc/app_info.inc.php + echo ' $MAILCOW_BRANCH="'$BRANCH'";' >> data/web/inc/app_info.inc.php + echo ' $MAILCOW_UPDATEDAT='$(date +%s)';' >> data/web/inc/app_info.inc.php echo '?>' >> data/web/inc/app_info.inc.php else echo ' data/web/inc/app_info.inc.php - echo ' $MAILCOW_GIT_VERSION="";' >> data/web/inc/app_info.inc.php - echo ' $MAILCOW_GIT_URL="";' >> data/web/inc/app_info.inc.php + echo ' $MAILCOW_GIT_VERSION="'$mailcow_git_version'";' >> data/web/inc/app_info.inc.php + echo ' $MAILCOW_LAST_GIT_VERSION="";' >> data/web/inc/app_info.inc.php + echo ' $MAILCOW_GIT_OWNER="mailcow";' >> data/web/inc/app_info.inc.php + echo ' $MAILCOW_GIT_REPO="mailcow-dockerized";' >> data/web/inc/app_info.inc.php + echo ' $MAILCOW_GIT_URL="https://github.com/mailcow/mailcow-dockerized";' >> data/web/inc/app_info.inc.php + echo ' $MAILCOW_GIT_COMMIT="";' >> data/web/inc/app_info.inc.php + echo ' $MAILCOW_GIT_COMMIT_DATE="";' >> data/web/inc/app_info.inc.php + echo ' $MAILCOW_BRANCH="'$BRANCH'";' >> data/web/inc/app_info.inc.php + echo ' $MAILCOW_UPDATEDAT='$(date +%s)';' >> data/web/inc/app_info.inc.php echo '?>' >> data/web/inc/app_info.inc.php echo -e "\e[33mCannot determine current git repository version...\e[0m" fi \ No newline at end of file From 3633766544d37ee74a96fc34d763885be5504f2e Mon Sep 17 00:00:00 2001 From: DerLinkman Date: Thu, 25 Aug 2022 11:21:12 +0200 Subject: [PATCH 112/115] Fixed missing branch variable in app info.php (gen-config) --- generate_config.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/generate_config.sh b/generate_config.sh index a7f4a5a0..6af24f28 100755 --- a/generate_config.sh +++ b/generate_config.sh @@ -442,7 +442,7 @@ if [ $? -eq 0 ]; then echo ' $MAILCOW_GIT_URL="https://github.com/mailcow/mailcow-dockerized";' >> data/web/inc/app_info.inc.php echo ' $MAILCOW_GIT_COMMIT="'$mailcow_git_commit'";' >> data/web/inc/app_info.inc.php echo ' $MAILCOW_GIT_COMMIT_DATE="'$mailcow_git_commit_date'";' >> data/web/inc/app_info.inc.php - echo ' $MAILCOW_BRANCH="'$BRANCH'";' >> data/web/inc/app_info.inc.php + echo ' $MAILCOW_BRANCH="'$git_branch'";' >> data/web/inc/app_info.inc.php echo ' $MAILCOW_UPDATEDAT='$(date +%s)';' >> data/web/inc/app_info.inc.php echo '?>' >> data/web/inc/app_info.inc.php else @@ -454,7 +454,7 @@ else echo ' $MAILCOW_GIT_URL="https://github.com/mailcow/mailcow-dockerized";' >> data/web/inc/app_info.inc.php echo ' $MAILCOW_GIT_COMMIT="";' >> data/web/inc/app_info.inc.php echo ' $MAILCOW_GIT_COMMIT_DATE="";' >> data/web/inc/app_info.inc.php - echo ' $MAILCOW_BRANCH="'$BRANCH'";' >> data/web/inc/app_info.inc.php + echo ' $MAILCOW_BRANCH="'$git_branch'";' >> data/web/inc/app_info.inc.php echo ' $MAILCOW_UPDATEDAT='$(date +%s)';' >> data/web/inc/app_info.inc.php echo '?>' >> data/web/inc/app_info.inc.php echo -e "\e[33mCannot determine current git repository version...\e[0m" From 555f4a8a6d300361985c8d4cb9aada97ea339483 Mon Sep 17 00:00:00 2001 From: FreddleSpl0it Date: Thu, 25 Aug 2022 14:26:45 +0200 Subject: [PATCH 113/115] [Web] Mailbox TFA fix --- data/web/inc/functions.inc.php | 48 ++++++++++++++++-------------- data/web/inc/prerequisites.inc.php | 2 +- 2 files changed, 27 insertions(+), 23 deletions(-) diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php index ca371303..4f70b4c2 100644 --- a/data/web/inc/functions.inc.php +++ b/data/web/inc/functions.inc.php @@ -807,7 +807,7 @@ function verify_hash($hash, $password) { } return false; } -function check_login($user, $pass, $app_passwd_data = false, $skip_tfa = false) { +function check_login($user, $pass, $app_passwd_data = false) { global $pdo; global $redis; global $imap_server; @@ -834,7 +834,7 @@ function check_login($user, $pass, $app_passwd_data = false, $skip_tfa = false) if (verify_hash($row['password'], $pass)) { // check for tfa authenticators $authenticators = get_tfa($user); - if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0 && !$skip_tfa) { + if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0) { // active tfa authenticators found, set pending user login $_SESSION['pending_mailcow_cc_username'] = $user; $_SESSION['pending_mailcow_cc_role'] = "admin"; @@ -873,7 +873,7 @@ function check_login($user, $pass, $app_passwd_data = false, $skip_tfa = false) if (verify_hash($row['password'], $pass) !== false) { // check for tfa authenticators $authenticators = get_tfa($user); - if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0 && !$skip_tfa) { + if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0) { $_SESSION['pending_mailcow_cc_username'] = $user; $_SESSION['pending_mailcow_cc_role'] = "domainadmin"; $_SESSION['pending_tfa_methods'] = $authenticators['additional']; @@ -937,9 +937,8 @@ function check_login($user, $pass, $app_passwd_data = false, $skip_tfa = false) } foreach ($rows as $row) { // verify password - if (verify_hash($row['password'], $pass) !== false) { - - if ($app_passwd_data['eas'] !== true && $app_passwd_data['dav'] !== true && !$skip_tfa){ + if ($app_passwd_data['eas'] !== true && $app_passwd_data['dav'] !== true){ + if (verify_hash($row['password'], $pass) !== false) { // check for tfa authenticators $authenticators = get_tfa($user); if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0) { @@ -953,26 +952,31 @@ function check_login($user, $pass, $app_passwd_data = false, $skip_tfa = false) 'msg' => array('logged_in_as', $user) ); return "pending"; + } else { + // Reactivate TFA if it was set to "deactivate TFA for next login" + $stmt = $pdo->prepare("UPDATE `tfa` SET `active`='1' WHERE `username` = :user"); + $stmt->execute(array(':user' => $user)); + + unset($_SESSION['ldelay']); + return "user"; } } + } elseif ($app_passwd_data['eas'] === true || $app_passwd_data['dav'] === true) { + if (array_key_exists("app_passwd_id", $row)){ + if (verify_hash($row['password'], $pass) !== false) { + $service = ($app_passwd_data['eas'] === true) ? 'EAS' : 'DAV'; + $stmt = $pdo->prepare("REPLACE INTO sasl_log (`service`, `app_password`, `username`, `real_rip`) VALUES (:service, :app_id, :username, :remote_addr)"); + $stmt->execute(array( + ':service' => $service, + ':app_id' => $row['app_passwd_id'], + ':username' => $user, + ':remote_addr' => ($_SERVER['HTTP_X_REAL_IP'] ?? $_SERVER['REMOTE_ADDR']) + )); - if ($app_passwd_data['eas'] === true || $app_passwd_data['dav'] === true) { - $service = ($app_passwd_data['eas'] === true) ? 'EAS' : 'DAV'; - $stmt = $pdo->prepare("REPLACE INTO sasl_log (`service`, `app_password`, `username`, `real_rip`) VALUES (:service, :app_id, :username, :remote_addr)"); - $stmt->execute(array( - ':service' => $service, - ':app_id' => $row['app_passwd_id'], - ':username' => $user, - ':remote_addr' => ($_SERVER['HTTP_X_REAL_IP'] ?? $_SERVER['REMOTE_ADDR']) - )); - } elseif (!$skip_tfa) { - // Reactivate TFA if it was set to "deactivate TFA for next login" - $stmt = $pdo->prepare("UPDATE `tfa` SET `active`='1' WHERE `username` = :user"); - $stmt->execute(array(':user' => $user)); + unset($_SESSION['ldelay']); + return "user"; + } } - - unset($_SESSION['ldelay']); - return "user"; } } diff --git a/data/web/inc/prerequisites.inc.php b/data/web/inc/prerequisites.inc.php index cb02ba16..2897444b 100644 --- a/data/web/inc/prerequisites.inc.php +++ b/data/web/inc/prerequisites.inc.php @@ -131,7 +131,7 @@ class mailcowPdo extends OAuth2\Storage\Pdo { $this->config['user_table'] = 'mailbox'; } public function checkUserCredentials($username, $password) { - if (check_login($username, $password, false, true) == 'user') { + if (check_login($username, $password) == 'user') { return true; } return false; From 57cd5ec818b5872e91327990f92e9f69a96a2e19 Mon Sep 17 00:00:00 2001 From: DerLinkman Date: Thu, 25 Aug 2022 14:48:38 +0200 Subject: [PATCH 114/115] Readded update.sh new Version check :P --- update.sh | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/update.sh b/update.sh index a7664c67..a0ba0729 100755 --- a/update.sh +++ b/update.sh @@ -184,10 +184,10 @@ if ! [ "${DOCKER_COMPOSE_VERSION}" == "native" ] && ! [ "${DOCKER_COMPOSE_VERSIO echo -e "\e[31mFound Docker Compose Plugin (native).\e[0m" echo -e "\e[31mSetting the DOCKER_COMPOSE_VERSION Variable to native\e[0m" sleep 2 - echo -e "\e[33mNotice: You´ll have to update this Compose Version via your Package Manager manually!\e[0m" + echo -e "\e[33mNotice: You'll have to update this Compose Version via your Package Manager manually!\e[0m" else echo -e "\e[31mCannot find Docker Compose with a Version Higher than 2.X.X.\e[0m" - echo -e "\e[31mPlease update it manually regarding to this doc site: https://mailcow.github.io/mailcow-dockerized-docs/i_u_m/i_u_m_install/\e[0m" + echo -e "\e[31mPlease update/install it manually regarding to this doc site: https://mailcow.github.io/mailcow-dockerized-docs/i_u_m/i_u_m_install/\e[0m" exit 1 fi elif docker-compose > /dev/null 2>&1; then @@ -198,10 +198,10 @@ if ! [ "${DOCKER_COMPOSE_VERSION}" == "native" ] && ! [ "${DOCKER_COMPOSE_VERSIO echo -e "\e[31mFound Docker Compose Standalone.\e[0m" echo -e "\e[31mSetting the DOCKER_COMPOSE_VERSION Variable to standalone\e[0m" sleep 2 - echo -e "\e[33mNotice: You´ll have to update this Compose Version manually! Please see: https://mailcow.github.io/mailcow-dockerized-docs/i_u_m/i_u_m_install/\e[0m" + echo -e "\e[33mNotice: For an automatic update of docker-compose please use the update_compose.sh scripts located at the helper-scripts folder.[0m" else echo -e "\e[31mCannot find Docker Compose with a Version Higher than 2.X.X.\e[0m" - echo -e "\e[31mPlease update manually regarding to this doc site: https://mailcow.github.io/mailcow-dockerized-docs/i_u_m/i_u_m_install/\e[0m" + echo -e "\e[31mPlease update/install regarding to this doc site: https://mailcow.github.io/mailcow-dockerized-docs/i_u_m/i_u_m_install/\e[0m" exit 1 fi fi @@ -735,16 +735,16 @@ elif [ $NEW_BRANCH == "nightly" ] && [ $CURRENT_BRANCH != "nightly" ]; then git checkout -f ${BRANCH} fi -# echo -e "\e[32mChecking for newer update script...\e[0m" -# SHA1_1=$(sha1sum update.sh) -# git fetch origin #${BRANCH} -# git checkout origin/${BRANCH} update.sh -# SHA1_2=$(sha1sum update.sh) -# if [[ ${SHA1_1} != ${SHA1_2} ]]; then -# echo "update.sh changed, please run this script again, exiting." -# chmod +x update.sh -# exit 2 -# fi +echo -e "\e[32mChecking for newer update script...\e[0m" +SHA1_1=$(sha1sum update.sh) +git fetch origin #${BRANCH} +git checkout origin/${BRANCH} update.sh +SHA1_2=$(sha1sum update.sh) +if [[ ${SHA1_1} != ${SHA1_2} ]]; then + echo "update.sh changed, please run this script again, exiting." + chmod +x update.sh + exit 2 +fi if [ ! $FORCE ]; then read -r -p "Are you sure you want to update mailcow: dockerized? All containers will be stopped. [y/N] " response From fee6ff43bf1d65846cea58c727cd707905d6ae65 Mon Sep 17 00:00:00 2001 From: DerLinkman Date: Thu, 25 Aug 2022 14:51:49 +0200 Subject: [PATCH 115/115] Corrected compose standalone update message in generate config --- generate_config.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/generate_config.sh b/generate_config.sh index 6af24f28..afd1d892 100755 --- a/generate_config.sh +++ b/generate_config.sh @@ -34,7 +34,7 @@ if docker compose > /dev/null 2>&1; then echo -e "\e[33mNotice: You´ll have to update this Compose Version via your Package Manager manually!\e[0m" else echo -e "\e[31mCannot find Docker Compose with a Version Higher than 2.X.X.\e[0m" - echo -e "\e[31mPlease update it manually regarding to this doc site: https://mailcow.github.io/mailcow-dockerized-docs/i_u_m/i_u_m_install/\e[0m" + echo -e "\e[31mPlease update/install it manually regarding to this doc site: https://mailcow.github.io/mailcow-dockerized-docs/i_u_m/i_u_m_install/\e[0m" exit 1 fi elif docker-compose > /dev/null 2>&1; then @@ -44,10 +44,10 @@ elif docker-compose > /dev/null 2>&1; then echo -e "\e[31mFound Docker Compose Standalone.\e[0m" echo -e "\e[31mSetting the DOCKER_COMPOSE_VERSION Variable to standalone\e[0m" sleep 2 - echo -e "\e[33mNotice: You´ll have to update this Compose Version manually! Please see: https://mailcow.github.io/mailcow-dockerized-docs/i_u_m/i_u_m_install/\e[0m" + echo -e "\e[33mNotice: For an automatic update of docker-compose please use the update_compose.sh scripts located at the helper-scripts folder.\e[0m" else echo -e "\e[31mCannot find Docker Compose with a Version Higher than 2.X.X.\e[0m" - echo -e "\e[31mPlease update manually regarding to this doc site: https://mailcow.github.io/mailcow-dockerized-docs/i_u_m/i_u_m_install/\e[0m" + echo -e "\e[31mPlease update/install manually regarding to this doc site: https://mailcow.github.io/mailcow-dockerized-docs/i_u_m/i_u_m_install/\e[0m" exit 1 fi fi