git subrepo commit (merge) mailcow/src/mailcow-dockerized

subrepo: subdir:   "mailcow/src/mailcow-dockerized"
  merged:   "02ae5285"
upstream: origin:   "https://github.com/mailcow/mailcow-dockerized.git"
  branch:   "master"
  commit:   "649a5c01"
git-subrepo: version:  "0.4.3"
  origin:   "???"
  commit:   "???"
Change-Id: I870ad468fba026cc5abf3c5699ed1e12ff28b32b
diff --git a/mailcow/src/mailcow-dockerized/data/Dockerfiles/acme/Dockerfile b/mailcow/src/mailcow-dockerized/data/Dockerfiles/acme/Dockerfile
index 8369ce3..a19c434 100644
--- a/mailcow/src/mailcow-dockerized/data/Dockerfiles/acme/Dockerfile
+++ b/mailcow/src/mailcow-dockerized/data/Dockerfiles/acme/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.11
+FROM alpine:3.13
 
 LABEL maintainer "Andre Peters <andre.peters@servercow.de>"
 
@@ -14,8 +14,9 @@
   tini \
   tzdata \
   python3 \
-  && python3 -m pip install --upgrade pip \
-  && python3 -m pip install acme-tiny
+  py3-pip \
+  && pip3 install --upgrade pip \
+  && pip3 install acme-tiny
 
 COPY acme.sh /srv/acme.sh
 COPY functions.sh /srv/functions.sh
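Review bot: `pip3 install acme-tiny` on the new side is unpinned, so the ACME client baked into the image is whatever PyPI serves at build time, and rebuilding the same Dockerfile later can ship different code without any change in this repository. Pin it, e.g. `&& pip3 install acme-tiny==<pinned version>` (placeholder for the release you tested), and if builds should be reproducible move the requirement into a hashed requirements file installed with `--require-hashes`. The `pip3 install --upgrade pip` step presumably overwrites the files that the apk package `py3-pip` just installed with a PyPI copy; if the distro-managed pip is wanted, the upgrade step can be dropped now that `py3-pip` is present.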
diff --git a/mailcow/src/mailcow-dockerized/data/Dockerfiles/acme/acme.sh b/mailcow/src/mailcow-dockerized/data/Dockerfiles/acme/acme.sh
index 5d5da1e..4f5cb80 100755
--- a/mailcow/src/mailcow-dockerized/data/Dockerfiles/acme/acme.sh
+++ b/mailcow/src/mailcow-dockerized/data/Dockerfiles/acme/acme.sh
@@ -155,6 +155,18 @@
   fi
   if [[ ! -f ${ACME_BASE}/acme/account.pem ]]; then
     log_f "Generating missing Lets Encrypt account key..."
+    if [[ ! -z ${ACME_CONTACT} ]]; then
+      if ! verify_email "${ACME_CONTACT}"; then
+        log_f "Invalid email address, will not start registration!"
+        sleep 365d
+        exec $(readlink -f "$0")
+      else
+        ACME_CONTACT_PARAMETER="--contact mailto:${ACME_CONTACT}"
+        log_f "Valid email address, using ${ACME_CONTACT} for registration"
+      fi
+    else
+      ACME_CONTACT_PARAMETER=""
+    fi
     openssl genrsa 4096 > ${ACME_BASE}/acme/account.pem
   else
     log_f "Using existing Lets Encrypt account key ${ACME_BASE}/acme/account.pem"
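Review bot: `ACME_CONTACT_PARAMETER` is assigned only inside the `! -f ${ACME_BASE}/acme/account.pem` branch, so on an installation that already has an account key the variable stays unset and the contact never reaches acme-tiny, even though the same variable is forwarded unconditionally in the hunk around line 86; changing `ACME_CONTACT` after first start therefore has no effect, which is presumably not intended. Move the `if [[ ! -z ${ACME_CONTACT} ]]` block ahead of the account-key check so it runs on every start, keeping `ACME_CONTACT_PARAMETER=""` as the default. The `sleep 365d` on an invalid address parks the container for a year behind a single log line; `sleep 1h` matches the script's other wait-and-reexec paths and surfaces the misconfiguration in monitoring much sooner. The enclosing block starts before this hunk.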
@@ -207,22 +219,9 @@
   IPV6=$(get_ipv6)
   log_f "OK: ${IPV4}, ${IPV6:-"0000:0000:0000:0000:0000:0000:0000:0000"}"
 
-  # Hard-fail on CAA errors for MAILCOW_HOSTNAME
-  MH_PARENT_DOMAIN=$(echo ${MAILCOW_HOSTNAME} | cut -d. -f2-)
-  MH_CAAS=( $(dig CAA ${MH_PARENT_DOMAIN} +short | sed -n 's/\d issue "\(.*\)"/\1/p') )
-  if [[ ! -z ${MH_CAAS} ]]; then
-    if [[ ${MH_CAAS[@]} =~ "letsencrypt.org" ]]; then
-      log_f "Validated CAA for parent domain ${MH_PARENT_DOMAIN}"
-    else
-      log_f "Skipping ACME validation: Lets Encrypt disallowed for ${MAILCOW_HOSTNAME} by CAA record, retrying in 1h..."
-      sleep 1h
-      exec $(readlink -f "$0")
-    fi
-  fi
-
   #########################################
   # IP and webroot challenge verification #
-  SQL_DOMAINS=$(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT domain FROM domain WHERE backupmx=0" -Bs)
+  SQL_DOMAINS=$(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT domain FROM domain WHERE backupmx=0 and active=1" -Bs)
   if [[ ! $? -eq 0 ]]; then
     log_f "Failed to read SQL domains, retrying in 1 minute..."
     sleep 1m
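Review bot: The rewritten `mysql` call still passes the database password as `-p${DBPASS}` on the command line, where it is readable in the process table by anything that can list processes in the container for as long as the query runs. Since the line is being touched anyway, pass the secret through the environment instead, `MYSQL_PWD="${DBPASS}" mysql --socket=/var/run/mysqld/mysqld.sock -u "${DBUSER}" "${DBNAME}" -e "SELECT domain FROM domain WHERE backupmx=0 and active=1" -Bs`, or via `--defaults-extra-file`. Quoting the expansions also keeps a password or user name containing shell-special characters from being word-split. The enclosing block starts before this hunk.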
@@ -290,7 +289,7 @@
     VALIDATED_CERTIFICATES+=("${CERT_NAME}")
 
     # obtain server certificate if required
-    DOMAINS=${SERVER_SAN_VALIDATED[@]} /srv/obtain-certificate.sh rsa
+    ACME_CONTACT_PARAMETER=${ACME_CONTACT_PARAMETER} DOMAINS=${SERVER_SAN_VALIDATED[@]} /srv/obtain-certificate.sh rsa
     RETURN="$?"
     if [[ "$RETURN" == "0" ]]; then # 0 = cert created successfully
       CERT_AMOUNT_CHANGED=1
diff --git a/mailcow/src/mailcow-dockerized/data/Dockerfiles/acme/functions.sh b/mailcow/src/mailcow-dockerized/data/Dockerfiles/acme/functions.sh
index 454946d..183be01 100644
--- a/mailcow/src/mailcow-dockerized/data/Dockerfiles/acme/functions.sh
+++ b/mailcow/src/mailcow-dockerized/data/Dockerfiles/acme/functions.sh
@@ -16,6 +16,15 @@
   fi
 }
 
+verify_email(){
+  regex="^(([A-Za-z0-9]+((\.|\-|\_|\+)?[A-Za-z0-9]?)*[A-Za-z0-9]+)|[A-Za-z0-9]+)@(([A-Za-z0-9]+)+((\.|\-|\_)?([A-Za-z0-9]+)+)*)+\.([A-Za-z]{2,})+$"
+  if [[ $1 =~ ${regex} ]]; then
+    return 0
+  else
+    return 1
+  fi
+}
+
 verify_hash_match(){
   CERT_HASH=$(openssl x509 -in "${1}" -noout -pubkey | openssl md5)
   KEY_HASH=$(openssl pkey -in "${2}" -pubout | openssl md5)
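Review bot: `regex` in the new `verify_email` is not declared `local`, so the first call leaves a global `regex` behind in the shell that sources functions.sh, and the `if`/`else` merely converts the test's exit status into the same exit status. Both go away with `local regex="..."` (same pattern) followed by a bare `[[ $1 =~ ${regex} ]]` as the function's last command. A one-line header comment would help callers understand what the function guarantees, e.g. `# accepts only alphanumerics plus . - _ (and + in the local part) and a 2+ letter TLD; this is what keeps the unquoted --contact expansion in obtain-certificate.sh shell-safe`. The pattern nests quantifiers such as `(([A-Za-z0-9]+)+...)*`, which is acceptable for an operator-supplied value but should not be reused on untrusted input.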
@@ -33,7 +42,7 @@
   local IPV4_SRCS=
   local TRY=
   IPV4_SRCS[0]="ip4.mailcow.email"
-  IPV4_SRCS[1]="ip4.korves.net"
+  IPV4_SRCS[1]="ip4.nevondo.com"
   until [[ ! -z ${IPV4} ]] || [[ ${TRY} -ge 10 ]]; do
     IPV4=$(curl --connect-timeout 3 -m 10 -L4s ${IPV4_SRCS[$RANDOM % ${#IPV4_SRCS[@]} ]} | grep -E "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$")
     [[ ! -z ${TRY} ]] && sleep 1
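Review bot: The new lookup host `ip4.nevondo.com` (and `ip6.nevondo.com` in the next hunk) is fetched with a scheme-less URL, which curl treats as plain `http://`, so the public address that the ACME flow later compares against DNS is learned over an unauthenticated channel, and `-L` follows whatever redirect the path returns. The `grep` on the following line bounds what can come back to a syntactically valid address, so the realistic impact is a wrong address and a skipped or failed validation rather than injection, but if these hosts serve TLS then spelling out the scheme, `IPV4_SRCS[1]="https://ip4.nevondo.com"`, closes that gap at no cost. The enclosing function starts before this hunk; a short comment there naming these as third-party services and what they are trusted for would help the next reader.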
@@ -46,8 +55,8 @@
   local IPV6=
   local IPV6_SRCS=
   local TRY=
-  IPV6_SRCS[0]="ip6.korves.net"
-  IPV6_SRCS[1]="ip6.mailcow.email"
+  IPV6_SRCS[0]="ip6.mailcow.email"
+  IPV6_SRCS[1]="ip6.nevondo.com"
   until [[ ! -z ${IPV6} ]] || [[ ${TRY} -ge 10 ]]; do
     IPV6=$(curl --connect-timeout 3 -m 10 -L6s ${IPV6_SRCS[$RANDOM % ${#IPV6_SRCS[@]} ]} | grep "^\([0-9a-fA-F]\{0,4\}:\)\{1,7\}[0-9a-fA-F]\{0,4\}$")
     [[ ! -z ${TRY} ]] && sleep 1
@@ -60,6 +69,17 @@
     DOMAIN=$1
     A_DOMAIN=$(dig A ${DOMAIN} +short | tail -n 1)
     AAAA_DOMAIN=$(dig AAAA ${DOMAIN} +short | tail -n 1)
+    # Hard-fail on CAA errors for MAILCOW_HOSTNAME
+    PARENT_DOMAIN=$(echo ${DOMAIN} | cut -d. -f2-)
+    CAAS=( $(dig CAA ${PARENT_DOMAIN} +short | sed -n 's/\d issue "\(.*\)"/\1/p') )
+    if [[ ! -z ${CAAS} ]]; then
+      if [[ ${CAAS[@]} =~ "letsencrypt.org" ]]; then
+        log_f "Validated CAA for parent domain ${PARENT_DOMAIN}"
+      else
+        log_f "Lets Encrypt disallowed for ${PARENT_DOMAIN} by CAA record"
+        return 1
+      fi
+    fi
     # Check if CNAME without v6 enabled target
     if [[ ! -z ${AAAA_DOMAIN} ]] && [[ -z $(echo ${AAAA_DOMAIN} | grep "^\([0-9a-fA-F]\{0,4\}:\)\{1,7\}[0-9a-fA-F]\{0,4\}$") ]]; then
       AAAA_DOMAIN=
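Review bot: The CAA check added here is fail-open: if `dig` fails or the `sed` pattern does not match, `CAAS` is empty and the whole `if` is skipped, so a DNS outage or a parsing slip lets validation proceed while a real CAA denial is exactly what the check is meant to catch. The `sed` expression relies on `\d`, which is not a digit class in sed's BRE (GNU sed reads a backslash-d followed by digits as a decimal character escape), so it may well never match; `sed -n 's/[0-9]\+ issue "\(.*\)"/\1/p'` is the portable spelling, and `PARENT_DOMAIN` only ever inspects one label up, whereas CAA processing walks from the name itself upward, so a record on `${DOMAIN}` or a grandparent is ignored. The comment `# Hard-fail on CAA errors for MAILCOW_HOSTNAME` was carried over from the old call site and is now wrong, since this code runs for every `$1`; suggest `# Refuse validation when a CAA record on the parent domain excludes letsencrypt.org`. The enclosing function starts before this hunk.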
diff --git a/mailcow/src/mailcow-dockerized/data/Dockerfiles/acme/obtain-certificate.sh b/mailcow/src/mailcow-dockerized/data/Dockerfiles/acme/obtain-certificate.sh
index 8264a2c..a151dff 100644
--- a/mailcow/src/mailcow-dockerized/data/Dockerfiles/acme/obtain-certificate.sh
+++ b/mailcow/src/mailcow-dockerized/data/Dockerfiles/acme/obtain-certificate.sh
@@ -93,8 +93,8 @@
   sleep 2
 done
 log_f "Resolver OK"
-
-ACME_RESPONSE=$(acme-tiny ${DIRECTORY_URL} \
+log_f "Using command acme-tiny ${DIRECTORY_URL} ${ACME_CONTACT_PARAMETER} --account-key ${ACME_BASE}/acme/account.pem --disable-check --csr ${CSR} --acme-dir /var/www/acme/"
+ACME_RESPONSE=$(acme-tiny ${DIRECTORY_URL} ${ACME_CONTACT_PARAMETER} \
   --account-key ${ACME_BASE}/acme/account.pem \
   --disable-check \
   --csr ${CSR} \
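Review bot: `${ACME_CONTACT_PARAMETER}` is expanded unquoted on purpose so that it word-splits into `--contact` and `mailto:...` (or into nothing when empty), but nothing in the file says so, and a later quoting clean-up would silently pass the whole string as one argument that acme-tiny rejects. Add `# intentionally unquoted: expands to two words, "--contact mailto:<addr>", or to nothing; only safe because verify_email in functions.sh admits no whitespace or shell metacharacters` above the `ACME_RESPONSE=` line. The new `log_f "Using command ..."` line repeats the argument list by hand and will drift from the real invocation the next time an option is added; if it stays, consider building the argument list once and logging that. The `ACME_RESPONSE=$(...)` command continues past the end of the hunk.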