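# SOGo built from source to enable security patch application
# Repository: https://github.com/Alinto/sogo
# Version: SOGo-5.12.4
#
# Applied security patches:
# - 16ab99e7cf8db2c30b211f0d5e338d7f9e3a9efb: XSS vulnerability in theme parameter
#
# To add new patches, modify the SOGO_SECURITY_PATCHES ARG below with
# space-separated FULL (40 hex chars) commit hashes. Only full hashes are
# accepted: a cherry-pick by full hash is content-addressed, an abbreviated
# one can resolve to a different object than the one reviewed.
FROM debian:bookworm

LABEL maintainer="The Infrastructure Company GmbH "

ARG DEBIAN_FRONTEND=noninteractive
ARG SOGO_VERSION=SOGo-5.12.4
ARG SOPE_VERSION=SOPE-5.12.4
# Security patches to apply (space-separated full commit hashes)
ARG SOGO_SECURITY_PATCHES="16ab99e7cf8db2c30b211f0d5e338d7f9e3a9efb"
# renovate: datasource=github-releases depName=tianon/gosu versioning=semver-coerced extractVersion=^(?<version>.*)$
ARG GOSU_VERSION=1.19
# Fingerprint of the key that signs gosu release artifacts (documented in the
# tianon/gosu README). The downloaded binary is only kept if its detached
# .asc signature verifies against this key.
ARG GOSU_GPG_KEY=B42F6819007F00F88E364FD4036A9C25BF357DD4
ENV LC_ALL=C

# Install dependencies, build SOPE and SOGo, then clean up (all in one layer to
# minimize image size). Every step is chained with && so a failure aborts the
# build; the patch loop below additionally aborts explicitly, because a `for`
# loop only propagates the status of its last iteration.
RUN apt-get update && apt-get install -y --no-install-recommends \
    # Build dependencies
    git \
    build-essential \
    gobjc \
    gnustep-make \
    gnustep-base-runtime \
    libgnustep-base-dev \
    libxml2-dev \
    libldap2-dev \
    libssl-dev \
    zlib1g-dev \
    libpq-dev \
    libmariadb-dev-compat \
    libmemcached-dev \
    libsodium-dev \
    libcurl4-openssl-dev \
    libzip-dev \
    libytnef0-dev \
    curl \
    ca-certificates \
    # Runtime dependencies
    apt-transport-https \
    gettext \
    gnupg \
    mariadb-client \
    rsync \
    supervisor \
    syslog-ng \
    syslog-ng-core \
    syslog-ng-mod-redis \
    dirmngr \
    netcat-traditional \
    psmisc \
    wget \
    patch \
    libobjc4 \
    libxml2 \
    libldap-2.5-0 \
    libssl3 \
    zlib1g \
    libmariadb3 \
    libmemcached11 \
    libsodium23 \
    libcurl4 \
    libzip4 \
    libytnef0 \
    # Download gosu and verify its detached signature before trusting the binary
    && dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')" \
    && wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch" \
    && wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc" \
    && export GNUPGHOME="$(mktemp -d)" \
    && gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GOSU_GPG_KEY" \
    && gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu \
    && gpgconf --kill all \
    && rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc \
    && unset GNUPGHOME \
    && chmod +x /usr/local/bin/gosu \
    && gosu --version \
    && gosu nobody true \
    # Build SOPE
    # NOTE(review): release tags are mutable references; pin to a commit hash
    # if stronger reproducibility of the SOPE/SOGo sources is required.
    && git clone --depth 1 --branch ${SOPE_VERSION} https://github.com/Alinto/sope.git /tmp/sope \
    && cd /tmp/sope \
    && rm -rf .git \
    && . /usr/share/GNUstep/Makefiles/GNUstep.sh \
    && ./configure --prefix=/usr --disable-debug --disable-strip \
    && make -j$(nproc) \
    && make install \
    && cd / \
    && rm -rf /tmp/sope \
    # Build SOGo with security patches
    && git clone --depth 1 --branch ${SOGO_VERSION} https://github.com/Alinto/sogo.git /tmp/sogo \
    && cd /tmp/sogo \
    && git config user.email "builder@mailcow.local" \
    && git config user.name "SOGo Builder" \
    # ${SOGO_SECURITY_PATCHES} is intentionally unquoted: it is a space-separated list.
    # Each hash must be a full 40-char lowercase hex SHA; any fetch or cherry-pick
    # failure aborts the build instead of silently producing an unpatched image.
    && for patch in ${SOGO_SECURITY_PATCHES}; do \
         case "${patch}" in *[!0-9a-f]*|'') echo "Invalid patch hash: ${patch}" >&2; exit 1;; esac; \
         [ "${#patch}" -eq 40 ] || { echo "Refusing abbreviated patch hash: ${patch}" >&2; exit 1; }; \
         echo "Applying security patch: ${patch}"; \
         git fetch origin "${patch}" || { echo "Failed to fetch patch ${patch}" >&2; exit 1; }; \
         git cherry-pick "${patch}" || { echo "Failed to apply patch ${patch}" >&2; exit 1; }; \
       done \
    && rm -rf .git \
    && . /usr/share/GNUstep/Makefiles/GNUstep.sh \
    && ./configure --disable-debug --disable-strip \
    && make -j$(nproc) \
    && make install \
    && cd / \
    && rm -rf /tmp/sogo \
    # Strip binaries (best-effort: a missing binary is not a build failure here)
    && strip --strip-unneeded /usr/local/sbin/sogod 2>/dev/null || true \
    && strip --strip-unneeded /usr/local/sbin/sogo-tool 2>/dev/null || true \
    && strip --strip-unneeded /usr/local/sbin/sogo-ealarms-notify 2>/dev/null || true \
    && strip --strip-unneeded /usr/local/sbin/sogo-slapd-sockd 2>/dev/null || true \
    # Remove build dependencies and clean up
    && apt-get purge -y --auto-remove \
    git \
    build-essential \
    gobjc \
    gnustep-make \
    libgnustep-base-dev \
    libxml2-dev \
    libldap2-dev \
    libssl-dev \
    zlib1g-dev \
    libpq-dev \
    libmariadb-dev-compat \
    libmemcached-dev \
    libsodium-dev \
    libcurl4-openssl-dev \
    libzip-dev \
    libytnef0-dev \
    curl \
    && apt-get autoremove -y \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/* \
    && rm -rf /usr/share/doc/* \
    && rm -rf /usr/share/man/* \
    && rm -rf /var/cache/debconf/* \
    && rm -rf /tmp/* \
    && rm -rf /root/.cache \
    && find /usr/local/lib -name '*.a' -delete \
    && find /usr/lib -name '*.a' -delete \
    && mkdir -p /usr/share/doc/sogo \
    && touch /usr/share/doc/sogo/empty.sh \
    && touch /etc/default/locale

# Configure library paths
RUN echo "/usr/lib64" > /etc/ld.so.conf.d/sogo.conf \
    && echo "/usr/local/lib/sogo" >> /etc/ld.so.conf.d/sogo.conf \
    && echo "/usr/local/lib/GNUstep/Frameworks/SOGo.framework/Versions/5/sogo" >> /etc/ld.so.conf.d/sogo.conf \
    && ldconfig

# Create sogo user and group (system account with fixed uid/gid 999)
RUN groupadd -r -g 999 sogo \
    && useradd -r -u 999 -g sogo -d /var/lib/sogo -s /bin/bash -c "SOGo Daemon" sogo \
    && mkdir -p /var/lib/sogo /var/run/sogo /var/log/sogo \
    && chown -R sogo:sogo /var/lib/sogo /var/run/sogo /var/log/sogo

# Create symlinks for SOGo binaries
RUN ln -s /usr/local/sbin/sogod /usr/sbin/sogod \
    && ln -s /usr/local/sbin/sogo-tool /usr/sbin/sogo-tool \
    && ln -s /usr/local/sbin/sogo-ealarms-notify /usr/sbin/sogo-ealarms-notify \
    && ln -s /usr/local/sbin/sogo-slapd-sockd /usr/sbin/sogo-slapd-sockd

# Copy configuration files and scripts
COPY ./bootstrap-sogo.sh /bootstrap-sogo.sh
COPY syslog-ng.conf /etc/syslog-ng/syslog-ng.conf
COPY syslog-ng-redis_slave.conf /etc/syslog-ng/syslog-ng-redis_slave.conf
COPY supervisord.conf /etc/supervisor/supervisord.conf
COPY acl.diff /acl.diff
COPY navMailcowBtns.diff /navMailcowBtns.diff
COPY stop-supervisor.sh /usr/local/sbin/stop-supervisor.sh
COPY docker-entrypoint.sh /

# Make the scripts executable regardless of the mode they had in the build context
# (the entrypoint is included so the image does not depend on the checkout's file modes)
RUN chmod +x /bootstrap-sogo.sh \
    /usr/local/sbin/stop-supervisor.sh \
    /docker-entrypoint.sh

ENTRYPOINT ["/docker-entrypoint.sh"]
CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/supervisord.conf"]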