blob: 9c626fa906a5fadeb71e1ea3e941475f508eab3a [file] [log] [blame]
Matthias Andreas Benkardb382b102021-01-02 15:32:21 +01001#!/bin/bash
2set -e
3
4# Wait for MySQL to warm-up
5while ! mysqladmin status --socket=/var/run/mysqld/mysqld.sock -u${DBUSER} -p${DBPASS} --silent; do
6 echo "Waiting for database to come up..."
7 sleep 2
8done
9
10until dig +short mailcow.email @unbound > /dev/null; do
11 echo "Waiting for DNS..."
12 sleep 1
13done
14
15# Do not attempt to write to slave
16if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
17 REDIS_CMDLINE="redis-cli -h ${REDIS_SLAVEOF_IP} -p ${REDIS_SLAVEOF_PORT}"
18else
19 REDIS_CMDLINE="redis-cli -h redis -p 6379"
20fi
21
22until [[ $(${REDIS_CMDLINE} PING) == "PONG" ]]; do
23 echo "Waiting for Redis..."
24 sleep 2
25done
26
27${REDIS_CMDLINE} SET DOVECOT_REPL_HEALTH 1 > /dev/null
28
29# Create missing directories
30[[ ! -d /etc/dovecot/sql/ ]] && mkdir -p /etc/dovecot/sql/
31[[ ! -d /etc/dovecot/lua/ ]] && mkdir -p /etc/dovecot/lua/
32[[ ! -d /var/vmail/_garbage ]] && mkdir -p /var/vmail/_garbage
33[[ ! -d /var/vmail/sieve ]] && mkdir -p /var/vmail/sieve
34[[ ! -d /etc/sogo ]] && mkdir -p /etc/sogo
35[[ ! -d /var/volatile ]] && mkdir -p /var/volatile
36
37# Set Dovecot sql config parameters, escape " in db password
38DBPASS=$(echo ${DBPASS} | sed 's/"/\\"/g')
39
40# Create quota dict for Dovecot
41if [[ "${MASTER}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
42 QUOTA_TABLE=quota2
43else
44 QUOTA_TABLE=quota2replica
45fi
46cat <<EOF > /etc/dovecot/sql/dovecot-dict-sql-quota.conf
47# Autogenerated by mailcow
48connect = "host=/var/run/mysqld/mysqld.sock dbname=${DBNAME} user=${DBUSER} password=${DBPASS}"
49map {
50 pattern = priv/quota/storage
51 table = ${QUOTA_TABLE}
52 username_field = username
53 value_field = bytes
54}
55map {
56 pattern = priv/quota/messages
57 table = ${QUOTA_TABLE}
58 username_field = username
59 value_field = messages
60}
61EOF
62
63# Write last logins to Redis
64if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
65 cp /etc/syslog-ng/syslog-ng-redis_slave.conf /etc/syslog-ng/syslog-ng.conf
66 echo -n "redis:host=${REDIS_SLAVEOF_IP}:port=${REDIS_SLAVEOF_PORT}" > /etc/dovecot/last_login
67else
68 echo -n "redis:host=${IPV4_NETWORK}.249:port=6379" > /etc/dovecot/last_login
69fi
70
71# Create dict used for sieve pre and postfilters
72cat <<EOF > /etc/dovecot/sql/dovecot-dict-sql-sieve_before.conf
73# Autogenerated by mailcow
74connect = "host=/var/run/mysqld/mysqld.sock dbname=${DBNAME} user=${DBUSER} password=${DBPASS}"
75map {
76 pattern = priv/sieve/name/\$script_name
77 table = sieve_before
78 username_field = username
79 value_field = id
80 fields {
81 script_name = \$script_name
82 }
83}
84map {
85 pattern = priv/sieve/data/\$id
86 table = sieve_before
87 username_field = username
88 value_field = script_data
89 fields {
90 id = \$id
91 }
92}
93EOF
94
95cat <<EOF > /etc/dovecot/sql/dovecot-dict-sql-sieve_after.conf
96# Autogenerated by mailcow
97connect = "host=/var/run/mysqld/mysqld.sock dbname=${DBNAME} user=${DBUSER} password=${DBPASS}"
98map {
99 pattern = priv/sieve/name/\$script_name
100 table = sieve_after
101 username_field = username
102 value_field = id
103 fields {
104 script_name = \$script_name
105 }
106}
107map {
108 pattern = priv/sieve/data/\$id
109 table = sieve_after
110 username_field = username
111 value_field = script_data
112 fields {
113 id = \$id
114 }
115}
116EOF
117
118echo -n ${ACL_ANYONE} > /etc/dovecot/acl_anyone
119
120if [[ "${SKIP_SOLR}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
121echo -n 'quota acl zlib listescape mail_crypt mail_crypt_acl mail_log notify replication last_login' > /etc/dovecot/mail_plugins
122echo -n 'quota imap_quota imap_acl acl zlib imap_zlib imap_sieve listescape mail_crypt mail_crypt_acl notify replication mail_log last_login' > /etc/dovecot/mail_plugins_imap
123echo -n 'quota sieve acl zlib listescape mail_crypt mail_crypt_acl notify replication' > /etc/dovecot/mail_plugins_lmtp
124else
125echo -n 'quota acl zlib listescape mail_crypt mail_crypt_acl mail_log notify fts fts_solr replication last_login' > /etc/dovecot/mail_plugins
126echo -n 'quota imap_quota imap_acl acl zlib imap_zlib imap_sieve listescape mail_crypt mail_crypt_acl notify mail_log fts fts_solr replication last_login' > /etc/dovecot/mail_plugins_imap
127echo -n 'quota sieve acl zlib listescape mail_crypt mail_crypt_acl fts fts_solr notify replication' > /etc/dovecot/mail_plugins_lmtp
128fi
129chmod 644 /etc/dovecot/mail_plugins /etc/dovecot/mail_plugins_imap /etc/dovecot/mail_plugins_lmtp /templates/quarantine.tpl
130
131cat <<EOF > /etc/dovecot/sql/dovecot-dict-sql-userdb.conf
132# Autogenerated by mailcow
133driver = mysql
134connect = "host=/var/run/mysqld/mysqld.sock dbname=${DBNAME} user=${DBUSER} password=${DBPASS}"
135user_query = SELECT CONCAT(JSON_UNQUOTE(JSON_VALUE(attributes, '$.mailbox_format')), mailbox_path_prefix, '%d/%n/${MAILDIR_SUB}:VOLATILEDIR=/var/volatile/%u:INDEX=/var/vmail_index/%u') AS mail, '%s' AS protocol, 5000 AS uid, 5000 AS gid, concat('*:bytes=', quota) AS quota_rule FROM mailbox WHERE username = '%u' AND (active = '1' OR active = '2')
136iterate_query = SELECT username FROM mailbox WHERE active = '1' OR active = '2';
137EOF
138
139# Create pass dict for Dovecot
140cat <<EOF > /etc/dovecot/sql/dovecot-dict-sql-passdb.conf
141# Autogenerated by mailcow
142driver = mysql
143connect = "host=/var/run/mysqld/mysqld.sock dbname=${DBNAME} user=${DBUSER} password=${DBPASS}"
144default_pass_scheme = ${MAILCOW_PASS_SCHEME}
145password_query = SELECT password FROM mailbox WHERE active = '1' AND username = '%u' AND domain IN (SELECT domain FROM domain WHERE domain='%d' AND active='1') AND JSON_UNQUOTE(JSON_VALUE(attributes, '$.force_pw_update')) != '1' AND (JSON_UNQUOTE(JSON_VALUE(attributes, '$.%s_access')) = '1' OR ('%s' != 'imap' AND '%s' != 'pop3'))
146EOF
147
148cat <<EOF > /etc/dovecot/lua/app-passdb.lua
149function auth_password_verify(req, pass)
150 if req.domain == nil then
151 return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, "No such user"
152 end
153 if cur == nil then
154 script_init()
155 end
156 local cur,errorString = con:execute(string.format([[SELECT mailbox, password FROM app_passwd
157 WHERE mailbox = '%s'
158 AND active = '1'
159 AND domain IN (SELECT domain FROM domain WHERE domain='%s' AND active='1')]], con:escape(req.user), con:escape(req.domain)))
160 local row = cur:fetch ({}, "a")
161 while row do
162 if req.password_verify(req, row.password, pass) == 1 then
163 cur:close()
164 return dovecot.auth.PASSDB_RESULT_OK, "password=" .. pass
165 end
166 row = cur:fetch (row, "a")
167 end
168 return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, "No such user"
169end
170
171function auth_passdb_lookup(req)
172 return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, ""
173end
174
175function script_init()
176 mysql = require "luasql.mysql"
177 env = mysql.mysql()
178 con = env:connect("__DBNAME__","__DBUSER__","__DBPASS__","localhost")
179 return 0
180end
181
182function script_deinit()
183 con:close()
184 env:close()
185end
186EOF
187
188# Migrate old sieve_after file
189[[ -f /etc/dovecot/sieve_after ]] && mv /etc/dovecot/sieve_after /etc/dovecot/global_sieve_after
190# Create global sieve scripts
191cat /etc/dovecot/global_sieve_after > /var/vmail/sieve/global_sieve_after.sieve
192cat /etc/dovecot/global_sieve_before > /var/vmail/sieve/global_sieve_before.sieve
193
194# Check permissions of vmail/index/garbage directories.
195# Do not do this every start-up, it may take a very long time. So we use a stat check here.
196if [[ $(stat -c %U /var/vmail/) != "vmail" ]] ; then chown -R vmail:vmail /var/vmail ; fi
197if [[ $(stat -c %U /var/vmail/_garbage) != "vmail" ]] ; then chown -R vmail:vmail /var/vmail/_garbage ; fi
198if [[ $(stat -c %U /var/vmail_index) != "vmail" ]] ; then chown -R vmail:vmail /var/vmail_index ; fi
199
200# Cleanup random user maildirs
201rm -rf /var/vmail/mailcow.local/*
202
203# create sni configuration
204echo "" > /etc/dovecot/sni.conf
205for cert_dir in /etc/ssl/mail/*/ ; do
206 if [[ ! -f ${cert_dir}domains ]] || [[ ! -f ${cert_dir}cert.pem ]] || [[ ! -f ${cert_dir}key.pem ]]; then
207 continue
208 fi
209 domains=($(cat ${cert_dir}domains))
210 for domain in ${domains[@]}; do
211 echo 'local_name '${domain}' {' >> /etc/dovecot/sni.conf;
212 echo ' ssl_cert = <'${cert_dir}'cert.pem' >> /etc/dovecot/sni.conf;
213 echo ' ssl_key = <'${cert_dir}'key.pem' >> /etc/dovecot/sni.conf;
214 echo '}' >> /etc/dovecot/sni.conf;
215 done
216done
217
218# Create random master for SOGo sieve features
219RAND_USER=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 16 | head -n 1)
220RAND_PASS=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 24 | head -n 1)
221
222if [[ ! -z ${DOVECOT_MASTER_USER} ]] && [[ ! -z ${DOVECOT_MASTER_PASS} ]]; then
223 RAND_USER=${DOVECOT_MASTER_USER}
224 RAND_PASS=${DOVECOT_MASTER_PASS}
225fi
226echo ${RAND_USER}@mailcow.local:{SHA1}$(echo -n ${RAND_PASS} | sha1sum | awk '{print $1}'):::::: > /etc/dovecot/dovecot-master.passwd
227echo ${RAND_USER}@mailcow.local::5000:5000:::: > /etc/dovecot/dovecot-master.userdb
228echo ${RAND_USER}@mailcow.local:${RAND_PASS} > /etc/sogo/sieve.creds
229
230if [[ -z ${MAILDIR_SUB} ]]; then
231 MAILDIR_SUB_SHARED=
232else
233 MAILDIR_SUB_SHARED=/${MAILDIR_SUB}
234fi
235cat <<EOF > /etc/dovecot/shared_namespace.conf
236# Autogenerated by mailcow
237namespace {
238 type = shared
239 separator = /
240 prefix = Shared/%%u/
241 location = maildir:%%h${MAILDIR_SUB_SHARED}:INDEX=~${MAILDIR_SUB_SHARED}/Shared/%%u
242 subscriptions = no
243 list = children
244}
245EOF
246
247cat <<EOF > /etc/dovecot/sogo_trusted_ip.conf
248# Autogenerated by mailcow
249remote ${IPV4_NETWORK}.248 {
250 disable_plaintext_auth = no
251}
252EOF
253
254if [[ "${ALLOW_ADMIN_EMAIL_LOGIN}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
255 # Create random master Password for SOGo 'login as user' via proxy auth
256 RAND_PASS=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 32 | head -n 1)
257 echo -n ${RAND_PASS} > /etc/phpfpm/sogo-sso.pass
258 cat <<EOF > /etc/dovecot/sogo-sso.conf
259# Autogenerated by mailcow
260passdb {
261 driver = static
262 args = allow_real_nets=${IPV4_NETWORK}.248/32 password={plain}${RAND_PASS}
263}
264EOF
265else
266 rm -f /etc/dovecot/sogo-sso.pass
267 rm -f /etc/dovecot/sogo-sso.conf
268fi
269
270# Hard-code env vars to scripts due to cron not passing them to the scripts
271sed -i "s/__DBUSER__/${DBUSER}/g" /usr/local/bin/imapsync_cron.pl /usr/local/bin/quarantine_notify.py /usr/local/bin/clean_q_aged.sh /etc/dovecot/lua/app-passdb.lua
272sed -i "s/__DBPASS__/${DBPASS}/g" /usr/local/bin/imapsync_cron.pl /usr/local/bin/quarantine_notify.py /usr/local/bin/clean_q_aged.sh /etc/dovecot/lua/app-passdb.lua
273sed -i "s/__DBNAME__/${DBNAME}/g" /usr/local/bin/imapsync_cron.pl /usr/local/bin/quarantine_notify.py /usr/local/bin/clean_q_aged.sh /etc/dovecot/lua/app-passdb.lua
274sed -i "s/__MAILCOW_HOSTNAME__/${MAILCOW_HOSTNAME}/g" /usr/local/bin/quarantine_notify.py
275sed -i "s/__LOG_LINES__/${LOG_LINES}/g" /usr/local/bin/trim_logs.sh
276if [[ "${MASTER}" =~ ^([nN][oO]|[nN])+$ ]]; then
277# Toggling MASTER will result in a rebuild of containers, so the quota script will be recreated
278cat <<'EOF' > /usr/local/bin/quota_notify.py
279#!/usr/bin/python3
280import sys
281sys.exit()
282EOF
283fi
284
285# 401 is user dovecot
286if [[ ! -s /mail_crypt/ecprivkey.pem || ! -s /mail_crypt/ecpubkey.pem ]]; then
287 openssl ecparam -name prime256v1 -genkey | openssl pkey -out /mail_crypt/ecprivkey.pem
288 openssl pkey -in /mail_crypt/ecprivkey.pem -pubout -out /mail_crypt/ecpubkey.pem
289 chown 401 /mail_crypt/ecprivkey.pem /mail_crypt/ecpubkey.pem
290else
291 chown 401 /mail_crypt/ecprivkey.pem /mail_crypt/ecpubkey.pem
292fi
293
294# Compile sieve scripts
295sievec /var/vmail/sieve/global_sieve_before.sieve
296sievec /var/vmail/sieve/global_sieve_after.sieve
297sievec /usr/lib/dovecot/sieve/report-spam.sieve
298sievec /usr/lib/dovecot/sieve/report-ham.sieve
299
300# Fix permissions
301chown root:root /etc/dovecot/sql/*.conf
302chown root:dovecot /etc/dovecot/sql/dovecot-dict-sql-sieve* /etc/dovecot/sql/dovecot-dict-sql-quota* /etc/dovecot/lua/app-passdb.lua
303chmod 640 /etc/dovecot/sql/*.conf /etc/dovecot/lua/app-passdb.lua
304chown -R vmail:vmail /var/vmail/sieve
305chown -R vmail:vmail /var/volatile
306chown -R vmail:vmail /var/vmail_index
307adduser vmail tty
308chmod g+rw /dev/console
309chown root:tty /dev/console
310chmod +x /usr/lib/dovecot/sieve/rspamd-pipe-ham \
311 /usr/lib/dovecot/sieve/rspamd-pipe-spam \
312 /usr/local/bin/imapsync_cron.pl \
313 /usr/local/bin/postlogin.sh \
314 /usr/local/bin/imapsync \
315 /usr/local/bin/trim_logs.sh \
316 /usr/local/bin/sa-rules.sh \
317 /usr/local/bin/clean_q_aged.sh \
318 /usr/local/bin/maildir_gc.sh \
319 /usr/local/sbin/stop-supervisor.sh \
320 /usr/local/bin/quota_notify.py \
321 /usr/local/bin/repl_health.sh
322
323if [[ "${MASTER}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
324# Setup cronjobs
325echo '* * * * * nobody /usr/local/bin/imapsync_cron.pl 2>&1 | /usr/bin/logger' > /etc/cron.d/imapsync
326#echo '30 3 * * * vmail /usr/local/bin/doveadm quota recalc -A' > /etc/cron.d/dovecot-sync
327echo '* * * * * vmail /usr/local/bin/trim_logs.sh >> /dev/console 2>&1' > /etc/cron.d/trim_logs
328echo '25 * * * * vmail /usr/local/bin/maildir_gc.sh >> /dev/console 2>&1' > /etc/cron.d/maildir_gc
329echo '30 1 * * * root /usr/local/bin/sa-rules.sh >> /dev/console 2>&1' > /etc/cron.d/sa-rules
330echo '0 2 * * * root /usr/bin/curl http://solr:8983/solr/dovecot-fts/update?optimize=true >> /dev/console 2>&1' > /etc/cron.d/solr-optimize
331echo '*/20 * * * * vmail /usr/local/bin/quarantine_notify.py >> /dev/console 2>&1' > /etc/cron.d/quarantine_notify
332echo '15 4 * * * vmail /usr/local/bin/clean_q_aged.sh >> /dev/console 2>&1' > /etc/cron.d/clean_q_aged
333echo '*/5 * * * * vmail /usr/local/bin/repl_health.sh >> /dev/console 2>&1' > /etc/cron.d/repl_health
334else
335echo '25 * * * * vmail /usr/local/bin/maildir_gc.sh >> /dev/console 2>&1' > /etc/cron.d/maildir_gc
336echo '30 1 * * * root /usr/local/bin/sa-rules.sh >> /dev/console 2>&1' > /etc/cron.d/sa-rules
337echo '0 2 * * * root /usr/bin/curl http://solr:8983/solr/dovecot-fts/update?optimize=true >> /dev/console 2>&1' > /etc/cron.d/solr-optimize
338echo '*/5 * * * * vmail /usr/local/bin/repl_health.sh >> /dev/console 2>&1' > /etc/cron.d/repl_health
339fi
340
341# Fix more than 1 hardlink issue
342touch /etc/crontab /etc/cron.*/*
343
344# Prepare environment file for cronjobs
345printenv | sed 's/^\(.*\)$/export \1/g' > /source_env.sh
346
347# Clean old PID if any
348[[ -f /var/run/dovecot/master.pid ]] && rm /var/run/dovecot/master.pid
349
350# Clean stopped imapsync jobs
351rm -f /tmp/imapsync_busy.lock
352IMAPSYNC_TABLE=$(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SHOW TABLES LIKE 'imapsync'" -Bs)
353[[ ! -z ${IMAPSYNC_TABLE} ]] && mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "UPDATE imapsync SET is_running='0'"
354
355# Envsubst maildir_gc
356echo "$(envsubst < /usr/local/bin/maildir_gc.sh)" > /usr/local/bin/maildir_gc.sh
357
358# GUID generation
359while [[ ${VERSIONS_OK} != 'OK' ]]; do
360 if [[ ! -z $(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -B -e "SELECT 'OK' FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA = \"${DBNAME}\" AND TABLE_NAME = 'versions'") ]]; then
361 VERSIONS_OK=OK
362 else
363 echo "Waiting for versions table to be created..."
364 sleep 3
365 fi
366done
367PUBKEY_MCRYPT=$(doveconf -P 2> /dev/null | grep -i mail_crypt_global_public_key | cut -d '<' -f2)
368if [ -f ${PUBKEY_MCRYPT} ]; then
369 GUID=$(cat <(echo ${MAILCOW_HOSTNAME}) /mail_crypt/ecpubkey.pem | sha256sum | cut -d ' ' -f1 | tr -cd "[a-fA-F0-9.:/] ")
370 if [ ${#GUID} -eq 64 ]; then
371 mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} << EOF
372REPLACE INTO versions (application, version) VALUES ("GUID", "${GUID}");
373EOF
374 else
375 mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} << EOF
376REPLACE INTO versions (application, version) VALUES ("GUID", "INVALID");
377EOF
378 fi
379fi
380
381# Collect SA rules once now
382/usr/local/bin/sa-rules.sh
383
384# Run hooks
385for file in /hooks/*; do
386 if [ -x "${file}" ]; then
387 echo "Running hook ${file}"
388 "${file}"
389 fi
390done
391
392# For some strange, unknown and stupid reason, Dovecot may run into a race condition, when this file is not touched before it is read by dovecot/auth
393# May be related to something inside Docker, I seriously don't know
394touch /etc/dovecot/lua/app-passdb.lua
395
396exec "$@"