Matthias Andreas Benkard | b382b10 | 2021-01-02 15:32:21 +0100 | [diff] [blame] | 1 | #!/bin/bash |
| 2 | set -e |
| 3 | |
| 4 | # Wait for MySQL to warm-up |
| 5 | while ! mysqladmin status --socket=/var/run/mysqld/mysqld.sock -u${DBUSER} -p${DBPASS} --silent; do |
| 6 | echo "Waiting for database to come up..." |
| 7 | sleep 2 |
| 8 | done |
| 9 | |
Matthias Andreas Benkard | 7b2a3a1 | 2021-08-16 10:57:25 +0200 | [diff] [blame] | 10 | until dig +short mailcow.email > /dev/null; do |
Matthias Andreas Benkard | b382b10 | 2021-01-02 15:32:21 +0100 | [diff] [blame] | 11 | echo "Waiting for DNS..." |
| 12 | sleep 1 |
| 13 | done |
| 14 | |
| 15 | # Do not attempt to write to slave |
| 16 | if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then |
| 17 | REDIS_CMDLINE="redis-cli -h ${REDIS_SLAVEOF_IP} -p ${REDIS_SLAVEOF_PORT}" |
| 18 | else |
| 19 | REDIS_CMDLINE="redis-cli -h redis -p 6379" |
| 20 | fi |
| 21 | |
| 22 | until [[ $(${REDIS_CMDLINE} PING) == "PONG" ]]; do |
| 23 | echo "Waiting for Redis..." |
| 24 | sleep 2 |
| 25 | done |
| 26 | |
| 27 | ${REDIS_CMDLINE} SET DOVECOT_REPL_HEALTH 1 > /dev/null |
| 28 | |
| 29 | # Create missing directories |
| 30 | [[ ! -d /etc/dovecot/sql/ ]] && mkdir -p /etc/dovecot/sql/ |
| 31 | [[ ! -d /etc/dovecot/lua/ ]] && mkdir -p /etc/dovecot/lua/ |
| 32 | [[ ! -d /var/vmail/_garbage ]] && mkdir -p /var/vmail/_garbage |
| 33 | [[ ! -d /var/vmail/sieve ]] && mkdir -p /var/vmail/sieve |
| 34 | [[ ! -d /etc/sogo ]] && mkdir -p /etc/sogo |
| 35 | [[ ! -d /var/volatile ]] && mkdir -p /var/volatile |
| 36 | |
| 37 | # Set Dovecot sql config parameters, escape " in db password |
| 38 | DBPASS=$(echo ${DBPASS} | sed 's/"/\\"/g') |
| 39 | |
| 40 | # Create quota dict for Dovecot |
| 41 | if [[ "${MASTER}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then |
| 42 | QUOTA_TABLE=quota2 |
| 43 | else |
| 44 | QUOTA_TABLE=quota2replica |
| 45 | fi |
| 46 | cat <<EOF > /etc/dovecot/sql/dovecot-dict-sql-quota.conf |
| 47 | # Autogenerated by mailcow |
| 48 | connect = "host=/var/run/mysqld/mysqld.sock dbname=${DBNAME} user=${DBUSER} password=${DBPASS}" |
| 49 | map { |
| 50 | pattern = priv/quota/storage |
| 51 | table = ${QUOTA_TABLE} |
| 52 | username_field = username |
| 53 | value_field = bytes |
| 54 | } |
| 55 | map { |
| 56 | pattern = priv/quota/messages |
| 57 | table = ${QUOTA_TABLE} |
| 58 | username_field = username |
| 59 | value_field = messages |
| 60 | } |
| 61 | EOF |
| 62 | |
Matthias Andreas Benkard | b382b10 | 2021-01-02 15:32:21 +0100 | [diff] [blame] | 63 | # Create dict used for sieve pre and postfilters |
| 64 | cat <<EOF > /etc/dovecot/sql/dovecot-dict-sql-sieve_before.conf |
| 65 | # Autogenerated by mailcow |
| 66 | connect = "host=/var/run/mysqld/mysqld.sock dbname=${DBNAME} user=${DBUSER} password=${DBPASS}" |
| 67 | map { |
| 68 | pattern = priv/sieve/name/\$script_name |
| 69 | table = sieve_before |
| 70 | username_field = username |
| 71 | value_field = id |
| 72 | fields { |
| 73 | script_name = \$script_name |
| 74 | } |
| 75 | } |
| 76 | map { |
| 77 | pattern = priv/sieve/data/\$id |
| 78 | table = sieve_before |
| 79 | username_field = username |
| 80 | value_field = script_data |
| 81 | fields { |
| 82 | id = \$id |
| 83 | } |
| 84 | } |
| 85 | EOF |
| 86 | |
| 87 | cat <<EOF > /etc/dovecot/sql/dovecot-dict-sql-sieve_after.conf |
| 88 | # Autogenerated by mailcow |
| 89 | connect = "host=/var/run/mysqld/mysqld.sock dbname=${DBNAME} user=${DBUSER} password=${DBPASS}" |
| 90 | map { |
| 91 | pattern = priv/sieve/name/\$script_name |
| 92 | table = sieve_after |
| 93 | username_field = username |
| 94 | value_field = id |
| 95 | fields { |
| 96 | script_name = \$script_name |
| 97 | } |
| 98 | } |
| 99 | map { |
| 100 | pattern = priv/sieve/data/\$id |
| 101 | table = sieve_after |
| 102 | username_field = username |
| 103 | value_field = script_data |
| 104 | fields { |
| 105 | id = \$id |
| 106 | } |
| 107 | } |
| 108 | EOF |
| 109 | |
| 110 | echo -n ${ACL_ANYONE} > /etc/dovecot/acl_anyone |
| 111 | |
| 112 | if [[ "${SKIP_SOLR}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then |
Matthias Andreas Benkard | 7b2a3a1 | 2021-08-16 10:57:25 +0200 | [diff] [blame] | 113 | echo -n 'quota acl zlib mail_crypt mail_crypt_acl mail_log notify listescape replication' > /etc/dovecot/mail_plugins |
| 114 | echo -n 'quota imap_quota imap_acl acl zlib imap_zlib imap_sieve mail_crypt mail_crypt_acl notify listescape replication mail_log' > /etc/dovecot/mail_plugins_imap |
| 115 | echo -n 'quota sieve acl zlib mail_crypt mail_crypt_acl notify listescape replication' > /etc/dovecot/mail_plugins_lmtp |
Matthias Andreas Benkard | b382b10 | 2021-01-02 15:32:21 +0100 | [diff] [blame] | 116 | else |
Matthias Andreas Benkard | 7b2a3a1 | 2021-08-16 10:57:25 +0200 | [diff] [blame] | 117 | echo -n 'quota acl zlib mail_crypt mail_crypt_acl mail_log notify fts fts_solr listescape replication' > /etc/dovecot/mail_plugins |
| 118 | echo -n 'quota imap_quota imap_acl acl zlib imap_zlib imap_sieve mail_crypt mail_crypt_acl notify mail_log fts fts_solr listescape replication' > /etc/dovecot/mail_plugins_imap |
| 119 | echo -n 'quota sieve acl zlib mail_crypt mail_crypt_acl fts fts_solr notify listescape replication' > /etc/dovecot/mail_plugins_lmtp |
Matthias Andreas Benkard | b382b10 | 2021-01-02 15:32:21 +0100 | [diff] [blame] | 120 | fi |
| 121 | chmod 644 /etc/dovecot/mail_plugins /etc/dovecot/mail_plugins_imap /etc/dovecot/mail_plugins_lmtp /templates/quarantine.tpl |
| 122 | |
| 123 | cat <<EOF > /etc/dovecot/sql/dovecot-dict-sql-userdb.conf |
| 124 | # Autogenerated by mailcow |
| 125 | driver = mysql |
| 126 | connect = "host=/var/run/mysqld/mysqld.sock dbname=${DBNAME} user=${DBUSER} password=${DBPASS}" |
| 127 | user_query = SELECT CONCAT(JSON_UNQUOTE(JSON_VALUE(attributes, '$.mailbox_format')), mailbox_path_prefix, '%d/%n/${MAILDIR_SUB}:VOLATILEDIR=/var/volatile/%u:INDEX=/var/vmail_index/%u') AS mail, '%s' AS protocol, 5000 AS uid, 5000 AS gid, concat('*:bytes=', quota) AS quota_rule FROM mailbox WHERE username = '%u' AND (active = '1' OR active = '2') |
| 128 | iterate_query = SELECT username FROM mailbox WHERE active = '1' OR active = '2'; |
| 129 | EOF |
| 130 | |
Matthias Andreas Benkard | 7b2a3a1 | 2021-08-16 10:57:25 +0200 | [diff] [blame] | 131 | cat <<EOF > /etc/dovecot/lua/passwd-verify.lua |
Matthias Andreas Benkard | b382b10 | 2021-01-02 15:32:21 +0100 | [diff] [blame] | 132 | function auth_password_verify(req, pass) |
Matthias Andreas Benkard | 7b2a3a1 | 2021-08-16 10:57:25 +0200 | [diff] [blame] | 133 | |
Matthias Andreas Benkard | b382b10 | 2021-01-02 15:32:21 +0100 | [diff] [blame] | 134 | if req.domain == nil then |
| 135 | return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, "No such user" |
| 136 | end |
Matthias Andreas Benkard | 7b2a3a1 | 2021-08-16 10:57:25 +0200 | [diff] [blame] | 137 | |
Matthias Andreas Benkard | b382b10 | 2021-01-02 15:32:21 +0100 | [diff] [blame] | 138 | if cur == nil then |
| 139 | script_init() |
| 140 | end |
Matthias Andreas Benkard | 7b2a3a1 | 2021-08-16 10:57:25 +0200 | [diff] [blame] | 141 | |
| 142 | if req.user == nil then |
| 143 | req.user = '' |
| 144 | end |
| 145 | |
| 146 | respbody = {} |
| 147 | |
| 148 | -- check against mailbox passwds |
| 149 | local cur,errorString = con:execute(string.format([[SELECT password FROM mailbox |
| 150 | WHERE username = '%s' |
Matthias Andreas Benkard | b382b10 | 2021-01-02 15:32:21 +0100 | [diff] [blame] | 151 | AND active = '1' |
Matthias Andreas Benkard | 7b2a3a1 | 2021-08-16 10:57:25 +0200 | [diff] [blame] | 152 | AND domain IN (SELECT domain FROM domain WHERE domain='%s' AND active='1') |
| 153 | AND IFNULL(JSON_UNQUOTE(JSON_VALUE(mailbox.attributes, '$.force_pw_update')), 0) != '1' |
| 154 | AND IFNULL(JSON_UNQUOTE(JSON_VALUE(attributes, '$.%s_access')), 1) = '1']], con:escape(req.user), con:escape(req.domain), con:escape(req.service))) |
Matthias Andreas Benkard | b382b10 | 2021-01-02 15:32:21 +0100 | [diff] [blame] | 155 | local row = cur:fetch ({}, "a") |
| 156 | while row do |
| 157 | if req.password_verify(req, row.password, pass) == 1 then |
Matthias Andreas Benkard | 7b2a3a1 | 2021-08-16 10:57:25 +0200 | [diff] [blame] | 158 | con:execute(string.format([[REPLACE INTO sasl_log (service, app_password, username, real_rip) |
| 159 | VALUES ("%s", 0, "%s", "%s")]], con:escape(req.service), con:escape(req.user), con:escape(req.real_rip))) |
Matthias Andreas Benkard | 12a5735 | 2021-12-28 18:02:04 +0100 | [diff] [blame] | 160 | cur:close() |
| 161 | con:close() |
Matthias Andreas Benkard | d1f5b68 | 2023-11-18 13:18:30 +0100 | [diff] [blame^] | 162 | return dovecot.auth.PASSDB_RESULT_OK, "" |
Matthias Andreas Benkard | b382b10 | 2021-01-02 15:32:21 +0100 | [diff] [blame] | 163 | end |
| 164 | row = cur:fetch (row, "a") |
| 165 | end |
Matthias Andreas Benkard | 7b2a3a1 | 2021-08-16 10:57:25 +0200 | [diff] [blame] | 166 | |
Matthias Andreas Benkard | 12a5735 | 2021-12-28 18:02:04 +0100 | [diff] [blame] | 167 | -- check against app passwds for imap and smtp |
| 168 | -- app passwords are only available for imap, smtp, sieve and pop3 when using sasl |
| 169 | if req.service == "smtp" or req.service == "imap" or req.service == "sieve" or req.service == "pop3" then |
| 170 | local cur,errorString = con:execute(string.format([[SELECT app_passwd.id, %s_access AS has_prot_access, app_passwd.password FROM app_passwd |
| 171 | INNER JOIN mailbox ON mailbox.username = app_passwd.mailbox |
| 172 | WHERE mailbox = '%s' |
| 173 | AND app_passwd.active = '1' |
| 174 | AND mailbox.active = '1' |
| 175 | AND app_passwd.domain IN (SELECT domain FROM domain WHERE domain='%s' AND active='1')]], con:escape(req.service), con:escape(req.user), con:escape(req.domain))) |
| 176 | local row = cur:fetch ({}, "a") |
| 177 | while row do |
| 178 | if req.password_verify(req, row.password, pass) == 1 then |
| 179 | -- if password is valid and protocol access is 1 OR real_rip matches SOGo, proceed |
| 180 | if tostring(req.real_rip) == "__IPV4_SOGO__" then |
| 181 | cur:close() |
| 182 | con:close() |
Matthias Andreas Benkard | d1f5b68 | 2023-11-18 13:18:30 +0100 | [diff] [blame^] | 183 | return dovecot.auth.PASSDB_RESULT_OK, "" |
Matthias Andreas Benkard | 12a5735 | 2021-12-28 18:02:04 +0100 | [diff] [blame] | 184 | elseif row.has_prot_access == "1" then |
| 185 | con:execute(string.format([[REPLACE INTO sasl_log (service, app_password, username, real_rip) |
| 186 | VALUES ("%s", %d, "%s", "%s")]], con:escape(req.service), row.id, con:escape(req.user), con:escape(req.real_rip))) |
| 187 | cur:close() |
| 188 | con:close() |
Matthias Andreas Benkard | d1f5b68 | 2023-11-18 13:18:30 +0100 | [diff] [blame^] | 189 | return dovecot.auth.PASSDB_RESULT_OK, "" |
Matthias Andreas Benkard | 12a5735 | 2021-12-28 18:02:04 +0100 | [diff] [blame] | 190 | end |
| 191 | end |
| 192 | row = cur:fetch (row, "a") |
Matthias Andreas Benkard | 7b2a3a1 | 2021-08-16 10:57:25 +0200 | [diff] [blame] | 193 | end |
Matthias Andreas Benkard | 7b2a3a1 | 2021-08-16 10:57:25 +0200 | [diff] [blame] | 194 | end |
| 195 | |
Matthias Andreas Benkard | 12a5735 | 2021-12-28 18:02:04 +0100 | [diff] [blame] | 196 | cur:close() |
| 197 | con:close() |
| 198 | |
Matthias Andreas Benkard | 7b2a3a1 | 2021-08-16 10:57:25 +0200 | [diff] [blame] | 199 | return dovecot.auth.PASSDB_RESULT_PASSWORD_MISMATCH, "Failed to authenticate" |
| 200 | |
| 201 | -- PoC |
| 202 | -- local reqbody = string.format([[{ |
| 203 | -- "success":0, |
| 204 | -- "service":"%s", |
| 205 | -- "app_password":false, |
| 206 | -- "username":"%s", |
| 207 | -- "real_rip":"%s" |
| 208 | -- }]], con:escape(req.service), con:escape(req.user), con:escape(req.real_rip)) |
| 209 | -- http.request { |
| 210 | -- method = "POST", |
| 211 | -- url = "http://nginx:8081/sasl_log.php", |
| 212 | -- source = ltn12.source.string(reqbody), |
| 213 | -- headers = { |
| 214 | -- ["content-type"] = "application/json", |
| 215 | -- ["content-length"] = tostring(#reqbody) |
| 216 | -- }, |
| 217 | -- sink = ltn12.sink.table(respbody) |
| 218 | -- } |
| 219 | |
Matthias Andreas Benkard | b382b10 | 2021-01-02 15:32:21 +0100 | [diff] [blame] | 220 | end |
| 221 | |
| 222 | function auth_passdb_lookup(req) |
| 223 | return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, "" |
| 224 | end |
| 225 | |
| 226 | function script_init() |
| 227 | mysql = require "luasql.mysql" |
Matthias Andreas Benkard | 7b2a3a1 | 2021-08-16 10:57:25 +0200 | [diff] [blame] | 228 | http = require "socket.http" |
| 229 | http.TIMEOUT = 5 |
| 230 | ltn12 = require "ltn12" |
Matthias Andreas Benkard | b382b10 | 2021-01-02 15:32:21 +0100 | [diff] [blame] | 231 | env = mysql.mysql() |
| 232 | con = env:connect("__DBNAME__","__DBUSER__","__DBPASS__","localhost") |
| 233 | return 0 |
| 234 | end |
| 235 | |
| 236 | function script_deinit() |
| 237 | con:close() |
| 238 | env:close() |
| 239 | end |
| 240 | EOF |
| 241 | |
Matthias Andreas Benkard | 7b2a3a1 | 2021-08-16 10:57:25 +0200 | [diff] [blame] | 242 | # Replace patterns in app-passdb.lua |
| 243 | sed -i "s/__DBUSER__/${DBUSER}/g" /etc/dovecot/lua/passwd-verify.lua |
| 244 | sed -i "s/__DBPASS__/${DBPASS}/g" /etc/dovecot/lua/passwd-verify.lua |
| 245 | sed -i "s/__DBNAME__/${DBNAME}/g" /etc/dovecot/lua/passwd-verify.lua |
Matthias Andreas Benkard | 12a5735 | 2021-12-28 18:02:04 +0100 | [diff] [blame] | 246 | sed -i "s/__IPV4_SOGO__/${IPV4_NETWORK}.248/g" /etc/dovecot/lua/passwd-verify.lua |
Matthias Andreas Benkard | 7b2a3a1 | 2021-08-16 10:57:25 +0200 | [diff] [blame] | 247 | |
| 248 | |
Matthias Andreas Benkard | b382b10 | 2021-01-02 15:32:21 +0100 | [diff] [blame] | 249 | # Migrate old sieve_after file |
| 250 | [[ -f /etc/dovecot/sieve_after ]] && mv /etc/dovecot/sieve_after /etc/dovecot/global_sieve_after |
| 251 | # Create global sieve scripts |
| 252 | cat /etc/dovecot/global_sieve_after > /var/vmail/sieve/global_sieve_after.sieve |
| 253 | cat /etc/dovecot/global_sieve_before > /var/vmail/sieve/global_sieve_before.sieve |
| 254 | |
| 255 | # Check permissions of vmail/index/garbage directories. |
| 256 | # Do not do this every start-up, it may take a very long time. So we use a stat check here. |
| 257 | if [[ $(stat -c %U /var/vmail/) != "vmail" ]] ; then chown -R vmail:vmail /var/vmail ; fi |
| 258 | if [[ $(stat -c %U /var/vmail/_garbage) != "vmail" ]] ; then chown -R vmail:vmail /var/vmail/_garbage ; fi |
| 259 | if [[ $(stat -c %U /var/vmail_index) != "vmail" ]] ; then chown -R vmail:vmail /var/vmail_index ; fi |
| 260 | |
| 261 | # Cleanup random user maildirs |
| 262 | rm -rf /var/vmail/mailcow.local/* |
Matthias Andreas Benkard | 7b2a3a1 | 2021-08-16 10:57:25 +0200 | [diff] [blame] | 263 | # Cleanup PIDs |
| 264 | [[ -f /tmp/quarantine_notify.pid ]] && rm /tmp/quarantine_notify.pid |
Matthias Andreas Benkard | b382b10 | 2021-01-02 15:32:21 +0100 | [diff] [blame] | 265 | |
| 266 | # create sni configuration |
| 267 | echo "" > /etc/dovecot/sni.conf |
| 268 | for cert_dir in /etc/ssl/mail/*/ ; do |
| 269 | if [[ ! -f ${cert_dir}domains ]] || [[ ! -f ${cert_dir}cert.pem ]] || [[ ! -f ${cert_dir}key.pem ]]; then |
| 270 | continue |
| 271 | fi |
| 272 | domains=($(cat ${cert_dir}domains)) |
| 273 | for domain in ${domains[@]}; do |
| 274 | echo 'local_name '${domain}' {' >> /etc/dovecot/sni.conf; |
| 275 | echo ' ssl_cert = <'${cert_dir}'cert.pem' >> /etc/dovecot/sni.conf; |
| 276 | echo ' ssl_key = <'${cert_dir}'key.pem' >> /etc/dovecot/sni.conf; |
| 277 | echo '}' >> /etc/dovecot/sni.conf; |
| 278 | done |
| 279 | done |
| 280 | |
| 281 | # Create random master for SOGo sieve features |
| 282 | RAND_USER=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 16 | head -n 1) |
| 283 | RAND_PASS=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 24 | head -n 1) |
| 284 | |
| 285 | if [[ ! -z ${DOVECOT_MASTER_USER} ]] && [[ ! -z ${DOVECOT_MASTER_PASS} ]]; then |
| 286 | RAND_USER=${DOVECOT_MASTER_USER} |
| 287 | RAND_PASS=${DOVECOT_MASTER_PASS} |
| 288 | fi |
| 289 | echo ${RAND_USER}@mailcow.local:{SHA1}$(echo -n ${RAND_PASS} | sha1sum | awk '{print $1}'):::::: > /etc/dovecot/dovecot-master.passwd |
| 290 | echo ${RAND_USER}@mailcow.local::5000:5000:::: > /etc/dovecot/dovecot-master.userdb |
| 291 | echo ${RAND_USER}@mailcow.local:${RAND_PASS} > /etc/sogo/sieve.creds |
| 292 | |
| 293 | if [[ -z ${MAILDIR_SUB} ]]; then |
| 294 | MAILDIR_SUB_SHARED= |
| 295 | else |
| 296 | MAILDIR_SUB_SHARED=/${MAILDIR_SUB} |
| 297 | fi |
| 298 | cat <<EOF > /etc/dovecot/shared_namespace.conf |
| 299 | # Autogenerated by mailcow |
| 300 | namespace { |
| 301 | type = shared |
| 302 | separator = / |
| 303 | prefix = Shared/%%u/ |
| 304 | location = maildir:%%h${MAILDIR_SUB_SHARED}:INDEX=~${MAILDIR_SUB_SHARED}/Shared/%%u |
| 305 | subscriptions = no |
| 306 | list = children |
| 307 | } |
| 308 | EOF |
| 309 | |
Matthias Andreas Benkard | 1ba5381 | 2022-12-27 17:32:58 +0100 | [diff] [blame] | 310 | |
Matthias Andreas Benkard | b382b10 | 2021-01-02 15:32:21 +0100 | [diff] [blame] | 311 | cat <<EOF > /etc/dovecot/sogo_trusted_ip.conf |
| 312 | # Autogenerated by mailcow |
| 313 | remote ${IPV4_NETWORK}.248 { |
| 314 | disable_plaintext_auth = no |
| 315 | } |
| 316 | EOF |
| 317 | |
Matthias Andreas Benkard | 7b2a3a1 | 2021-08-16 10:57:25 +0200 | [diff] [blame] | 318 | # Create random master Password for SOGo SSO |
| 319 | RAND_PASS=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 32 | head -n 1) |
| 320 | echo -n ${RAND_PASS} > /etc/phpfpm/sogo-sso.pass |
| 321 | cat <<EOF > /etc/dovecot/sogo-sso.conf |
Matthias Andreas Benkard | b382b10 | 2021-01-02 15:32:21 +0100 | [diff] [blame] | 322 | # Autogenerated by mailcow |
| 323 | passdb { |
| 324 | driver = static |
| 325 | args = allow_real_nets=${IPV4_NETWORK}.248/32 password={plain}${RAND_PASS} |
| 326 | } |
| 327 | EOF |
Matthias Andreas Benkard | b382b10 | 2021-01-02 15:32:21 +0100 | [diff] [blame] | 328 | |
Matthias Andreas Benkard | b382b10 | 2021-01-02 15:32:21 +0100 | [diff] [blame] | 329 | if [[ "${MASTER}" =~ ^([nN][oO]|[nN])+$ ]]; then |
Matthias Andreas Benkard | 7b2a3a1 | 2021-08-16 10:57:25 +0200 | [diff] [blame] | 330 | # Toggling MASTER will result in a rebuild of containers, so the quota script will be recreated |
| 331 | cat <<'EOF' > /usr/local/bin/quota_notify.py |
Matthias Andreas Benkard | b382b10 | 2021-01-02 15:32:21 +0100 | [diff] [blame] | 332 | #!/usr/bin/python3 |
| 333 | import sys |
| 334 | sys.exit() |
| 335 | EOF |
| 336 | fi |
| 337 | |
| 338 | # 401 is user dovecot |
| 339 | if [[ ! -s /mail_crypt/ecprivkey.pem || ! -s /mail_crypt/ecpubkey.pem ]]; then |
| 340 | openssl ecparam -name prime256v1 -genkey | openssl pkey -out /mail_crypt/ecprivkey.pem |
| 341 | openssl pkey -in /mail_crypt/ecprivkey.pem -pubout -out /mail_crypt/ecpubkey.pem |
| 342 | chown 401 /mail_crypt/ecprivkey.pem /mail_crypt/ecpubkey.pem |
| 343 | else |
| 344 | chown 401 /mail_crypt/ecprivkey.pem /mail_crypt/ecpubkey.pem |
| 345 | fi |
| 346 | |
| 347 | # Compile sieve scripts |
| 348 | sievec /var/vmail/sieve/global_sieve_before.sieve |
| 349 | sievec /var/vmail/sieve/global_sieve_after.sieve |
| 350 | sievec /usr/lib/dovecot/sieve/report-spam.sieve |
| 351 | sievec /usr/lib/dovecot/sieve/report-ham.sieve |
| 352 | |
Matthias Andreas Benkard | 1ba5381 | 2022-12-27 17:32:58 +0100 | [diff] [blame] | 353 | for file in /var/vmail/*/*/sieve/*.sieve ; do |
| 354 | if [[ "$file" == "/var/vmail/*/*/sieve/*.sieve" ]]; then |
| 355 | continue |
| 356 | fi |
| 357 | sievec "$file" "$(dirname "$file")/../.dovecot.svbin" |
| 358 | chown vmail:vmail "$(dirname "$file")/../.dovecot.svbin" |
| 359 | done |
| 360 | |
Matthias Andreas Benkard | b382b10 | 2021-01-02 15:32:21 +0100 | [diff] [blame] | 361 | # Fix permissions |
| 362 | chown root:root /etc/dovecot/sql/*.conf |
Matthias Andreas Benkard | 7b2a3a1 | 2021-08-16 10:57:25 +0200 | [diff] [blame] | 363 | chown root:dovecot /etc/dovecot/sql/dovecot-dict-sql-sieve* /etc/dovecot/sql/dovecot-dict-sql-quota* /etc/dovecot/lua/passwd-verify.lua |
| 364 | chmod 640 /etc/dovecot/sql/*.conf /etc/dovecot/lua/passwd-verify.lua |
Matthias Andreas Benkard | b382b10 | 2021-01-02 15:32:21 +0100 | [diff] [blame] | 365 | chown -R vmail:vmail /var/vmail/sieve |
| 366 | chown -R vmail:vmail /var/volatile |
| 367 | chown -R vmail:vmail /var/vmail_index |
| 368 | adduser vmail tty |
| 369 | chmod g+rw /dev/console |
| 370 | chown root:tty /dev/console |
| 371 | chmod +x /usr/lib/dovecot/sieve/rspamd-pipe-ham \ |
| 372 | /usr/lib/dovecot/sieve/rspamd-pipe-spam \ |
Matthias Andreas Benkard | 7b2a3a1 | 2021-08-16 10:57:25 +0200 | [diff] [blame] | 373 | /usr/local/bin/imapsync_runner.pl \ |
Matthias Andreas Benkard | b382b10 | 2021-01-02 15:32:21 +0100 | [diff] [blame] | 374 | /usr/local/bin/imapsync \ |
| 375 | /usr/local/bin/trim_logs.sh \ |
| 376 | /usr/local/bin/sa-rules.sh \ |
| 377 | /usr/local/bin/clean_q_aged.sh \ |
| 378 | /usr/local/bin/maildir_gc.sh \ |
| 379 | /usr/local/sbin/stop-supervisor.sh \ |
| 380 | /usr/local/bin/quota_notify.py \ |
| 381 | /usr/local/bin/repl_health.sh |
| 382 | |
Matthias Andreas Benkard | b382b10 | 2021-01-02 15:32:21 +0100 | [diff] [blame] | 383 | # Prepare environment file for cronjobs |
| 384 | printenv | sed 's/^\(.*\)$/export \1/g' > /source_env.sh |
| 385 | |
| 386 | # Clean old PID if any |
| 387 | [[ -f /var/run/dovecot/master.pid ]] && rm /var/run/dovecot/master.pid |
| 388 | |
| 389 | # Clean stopped imapsync jobs |
| 390 | rm -f /tmp/imapsync_busy.lock |
| 391 | IMAPSYNC_TABLE=$(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SHOW TABLES LIKE 'imapsync'" -Bs) |
| 392 | [[ ! -z ${IMAPSYNC_TABLE} ]] && mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "UPDATE imapsync SET is_running='0'" |
| 393 | |
| 394 | # Envsubst maildir_gc |
| 395 | echo "$(envsubst < /usr/local/bin/maildir_gc.sh)" > /usr/local/bin/maildir_gc.sh |
| 396 | |
| 397 | # GUID generation |
| 398 | while [[ ${VERSIONS_OK} != 'OK' ]]; do |
| 399 | if [[ ! -z $(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -B -e "SELECT 'OK' FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA = \"${DBNAME}\" AND TABLE_NAME = 'versions'") ]]; then |
| 400 | VERSIONS_OK=OK |
| 401 | else |
| 402 | echo "Waiting for versions table to be created..." |
| 403 | sleep 3 |
| 404 | fi |
| 405 | done |
| 406 | PUBKEY_MCRYPT=$(doveconf -P 2> /dev/null | grep -i mail_crypt_global_public_key | cut -d '<' -f2) |
| 407 | if [ -f ${PUBKEY_MCRYPT} ]; then |
| 408 | GUID=$(cat <(echo ${MAILCOW_HOSTNAME}) /mail_crypt/ecpubkey.pem | sha256sum | cut -d ' ' -f1 | tr -cd "[a-fA-F0-9.:/] ") |
| 409 | if [ ${#GUID} -eq 64 ]; then |
| 410 | mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} << EOF |
| 411 | REPLACE INTO versions (application, version) VALUES ("GUID", "${GUID}"); |
| 412 | EOF |
| 413 | else |
| 414 | mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} << EOF |
| 415 | REPLACE INTO versions (application, version) VALUES ("GUID", "INVALID"); |
| 416 | EOF |
| 417 | fi |
| 418 | fi |
| 419 | |
| 420 | # Collect SA rules once now |
| 421 | /usr/local/bin/sa-rules.sh |
| 422 | |
| 423 | # Run hooks |
| 424 | for file in /hooks/*; do |
| 425 | if [ -x "${file}" ]; then |
| 426 | echo "Running hook ${file}" |
| 427 | "${file}" |
| 428 | fi |
| 429 | done |
| 430 | |
| 431 | # For some strange, unknown and stupid reason, Dovecot may run into a race condition, when this file is not touched before it is read by dovecot/auth |
| 432 | # May be related to something inside Docker, I seriously don't know |
Matthias Andreas Benkard | 7b2a3a1 | 2021-08-16 10:57:25 +0200 | [diff] [blame] | 433 | touch /etc/dovecot/lua/passwd-verify.lua |
Matthias Andreas Benkard | b382b10 | 2021-01-02 15:32:21 +0100 | [diff] [blame] | 434 | |
| 435 | exec "$@" |