git subrepo commit (merge) mailcow/src/mailcow-dockerized
subrepo: subdir: "mailcow/src/mailcow-dockerized"
merged: "02ae5285"
upstream: origin: "https://github.com/mailcow/mailcow-dockerized.git"
branch: "master"
commit: "649a5c01"
git-subrepo: version: "0.4.3"
origin: "???"
commit: "???"
Change-Id: I870ad468fba026cc5abf3c5699ed1e12ff28b32b
diff --git a/mailcow/src/mailcow-dockerized/data/Dockerfiles/acme/functions.sh b/mailcow/src/mailcow-dockerized/data/Dockerfiles/acme/functions.sh
index 454946d..183be01 100644
--- a/mailcow/src/mailcow-dockerized/data/Dockerfiles/acme/functions.sh
+++ b/mailcow/src/mailcow-dockerized/data/Dockerfiles/acme/functions.sh
@@ -16,6 +16,15 @@
fi
}
+verify_email(){
+ regex="^(([A-Za-z0-9]+((\.|\-|\_|\+)?[A-Za-z0-9]?)*[A-Za-z0-9]+)|[A-Za-z0-9]+)@(([A-Za-z0-9]+)+((\.|\-|\_)?([A-Za-z0-9]+)+)*)+\.([A-Za-z]{2,})+$"
+ if [[ $1 =~ ${regex} ]]; then
+ return 0
+ else
+ return 1
+ fi
+}
+
verify_hash_match(){
CERT_HASH=$(openssl x509 -in "${1}" -noout -pubkey | openssl md5)
KEY_HASH=$(openssl pkey -in "${2}" -pubout | openssl md5)
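Review bot: `regex` on the second added line is assigned without `local`, so every script that sources functions.sh is left with a global `regex` after the first call, and the `\_`, `\-` and `\+` escapes inside the groups are undefined in POSIX ERE, which is what bash's `=~` hands to the system regcomp(3) — they work on glibc/musl by implementation choice, not by contract. Write the separators as bracket expressions in a single-quoted local, `local regex='^(([A-Za-z0-9]+([._+-]?[A-Za-z0-9]?)*[A-Za-z0-9]+)|[A-Za-z0-9]+)@(([A-Za-z0-9]+)+([._-]?([A-Za-z0-9]+)+)*)+\.([A-Za-z]{2,})+$'`, and the body collapses to `[[ $1 =~ ${regex} ]]`, whose status is already the 0/1 the callers get. The nested `(...+)+` groups can backtrack heavily on a long non-matching string; the input is presumably an operator-configured contact address rather than attacker-controlled, so this is a robustness rather than a security point, but a flatter `[A-Za-z0-9._+-]+@` shape for the local part would avoid it entirely. It also rejects addresses whose local part uses other RFC 5322 atext characters (`!#$%&'*/=?^{|}~`), which is the safe direction for a value forwarded to a CA but should be stated in a comment above the function.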
@@ -33,7 +42,7 @@
local IPV4_SRCS=
local TRY=
IPV4_SRCS[0]="ip4.mailcow.email"
- IPV4_SRCS[1]="ip4.korves.net"
+ IPV4_SRCS[1]="ip4.nevondo.com"
until [[ ! -z ${IPV4} ]] || [[ ${TRY} -ge 10 ]]; do
IPV4=$(curl --connect-timeout 3 -m 10 -L4s ${IPV4_SRCS[$RANDOM % ${#IPV4_SRCS[@]} ]} | grep -E "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$")
[[ ! -z ${TRY} ]] && sleep 1
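Review bot: The replacement source on the added line carries no scheme, so the `curl -L4s` on the next line fetches it over plain HTTP and follows whatever redirects it gets; the answer is, as far as the surrounding code shows, used to decide whether the host's public address matches DNS before a certificate request, so an on-path tamperer can make that decision for you. If the new host serves TLS, pin it: `IPV4_SRCS[1]="https://ip4.nevondo.com"` (and the same for the `ip6.` entry in the IPv6 list below, which has the identical shape); the `${IPV4_SRCS[$RANDOM % ${#IPV4_SRCS[@]} ]}` expansion should also be double-quoted. The enclosing function begins before this hunk.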
@@ -46,8 +55,8 @@
local IPV6=
local IPV6_SRCS=
local TRY=
- IPV6_SRCS[0]="ip6.korves.net"
- IPV6_SRCS[1]="ip6.mailcow.email"
+ IPV6_SRCS[0]="ip6.mailcow.email"
+ IPV6_SRCS[1]="ip6.nevondo.com"
until [[ ! -z ${IPV6} ]] || [[ ${TRY} -ge 10 ]]; do
IPV6=$(curl --connect-timeout 3 -m 10 -L6s ${IPV6_SRCS[$RANDOM % ${#IPV6_SRCS[@]} ]} | grep "^\([0-9a-fA-F]\{0,4\}:\)\{1,7\}[0-9a-fA-F]\{0,4\}$")
[[ ! -z ${TRY} ]] && sleep 1
@@ -60,6 +69,17 @@
DOMAIN=$1
A_DOMAIN=$(dig A ${DOMAIN} +short | tail -n 1)
AAAA_DOMAIN=$(dig AAAA ${DOMAIN} +short | tail -n 1)
+ # Hard-fail on CAA errors for MAILCOW_HOSTNAME
+ PARENT_DOMAIN=$(echo ${DOMAIN} | cut -d. -f2-)
+ CAAS=( $(dig CAA ${PARENT_DOMAIN} +short | sed -n 's/\d issue "\(.*\)"/\1/p') )
+ if [[ ! -z ${CAAS} ]]; then
+ if [[ ${CAAS[@]} =~ "letsencrypt.org" ]]; then
+ log_f "Validated CAA for parent domain ${PARENT_DOMAIN}"
+ else
+ log_f "Lets Encrypt disallowed for ${PARENT_DOMAIN} by CAA record"
+ return 1
+ fi
+ fi
# Check if CNAME without v6 enabled target
if [[ ! -z ${AAAA_DOMAIN} ]] && [[ -z $(echo ${AAAA_DOMAIN} | grep "^\([0-9a-fA-F]\{0,4\}:\)\{1,7\}[0-9a-fA-F]\{0,4\}$") ]]; then
AAAA_DOMAIN=
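Review bot: The `sed` on the `CAAS=` line matches the flag field with `\d`, which is not a digit class in POSIX BRE — GNU sed treats it as the start of a decimal character escape and busybox sed as a literal `d` — so the `0 issue "letsencrypt.org"` lines that `dig CAA +short` prints are never captured, `CAAS` stays empty and the new hard-fail is silently skipped on every run. Use `sed -n 's/^[0-9]\{1,3\} issue "\(.*\)"/\1/p'`, and replace the substring test `[[ ${CAAS[@]} =~ "letsencrypt.org" ]]` with a whole-element match such as `[[ " ${CAAS[*]} " == *" letsencrypt.org "* ]]`, because the current form also accepts `notletsencrypt.org` or `letsencrypt.org.example`. Two limits deserve a comment above the block: RFC 8659 lookup starts at the FQDN itself and walks up to the root, so a CAA record on `${DOMAIN}` or on a grandparent is not seen by the single `cut -d. -f2-` parent lookup, and `issuewild` records are ignored; since the CA enforces CAA regardless, this is a pre-flight that only affects logging and early abort, not issuance safety. The enclosing function starts before this hunk and continues after it.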