Merge branch 'master' of https://github.com/andryyy/mailcow-dockerized into recipient_map

Conflicts:
	data/web/inc/init_db.inc.php

data/conf/clamav/clamd.conf

@@ -0,0 +1,47 @@
+LogFile /tmp/logpipe_clamd
+LogTime yes
+LogClean yes
+ExtendedDetectionInfo yes
+PidFile /run/clamav/clamd.pid
+OfficialDatabaseOnly no
+LocalSocket /run/clamav/clamd.sock
+TCPSocket 3310
+StreamMaxLength 25M
+MaxThreads 10
+ReadTimeout 10
+CommandReadTimeout 3
+SendBufTimeout 200
+MaxQueue 80
+IdleTimeout 20
+SelfCheck 3600
+User clamav
+AllowSupplementaryGroups yes
+Foreground yes
+DetectPUA yes
+# See https://github.com/vrtadmin/clamav-faq/blob/master/faq/faq-pua.md
+#ExcludePUA NetTool
+#ExcludePUA PWTool
+#IncludePUA Spy
+#IncludePUA Scanner
+#IncludePUA RAT
+AlgorithmicDetection yes
+ScanOLE2 yes
+OLE2BlockMacros yes
+ScanPDF yes
+ScanSWF yes
+ScanXMLDOCS yes
+ScanHWP3 yes
+ScanMail yes
+PhishingSignatures no
+PhishingScanURLs no
+HeuristicScanPrecedence yes
+ScanHTML yes
+ScanArchive yes
+MaxScanSize 50M
+MaxFileSize 25M
+MaxRecursion 5
+MaxFiles 200
+ScanOnAccess no
+Bytecode yes
+BytecodeSecurity TrustSigned
+BytecodeTimeout 1000

data/conf/clamav/freshclam.conf

@@ -0,0 +1,17 @@
+UpdateLogFile /tmp/logpipe_freshclam
+LogTime yes
+PidFile /run/clamav/freshclam.pid
+DatabaseOwner clamav
+AllowSupplementaryGroups yes
+DNSDatabaseInfo current.cvd.clamav.net
+DatabaseMirror database.clamav.net
+MaxAttempts 4
+ScriptedUpdates yes
+Checks 6
+NotifyClamd /etc/clamav/clamd.conf
+Foreground yes
+ConnectTimeout 20
+ReceiveTimeout 20
+TestDatabases yes
+Bytecode yes
+

data/conf/nginx/dynmaps.conf

@@ -10,7 +10,7 @@ server {
   location ~ \.php$ {
     try_files $uri =404;
     fastcgi_split_path_info ^(.+\.php)(/.+)$;
-    fastcgi_pass phpfpm:9000;
+    fastcgi_pass phpfpm:9001;
     fastcgi_index index.php;
     include fastcgi_params;
     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

data/conf/nginx/site.conf

@@ -7,6 +7,13 @@ map $http_x_forwarded_proto $client_req_scheme {
      https https;
 }
 
+server {
+  listen 80 default_server;
+  listen [::]:80 default_server;
+  include /etc/nginx/conf.d/server_name.active;
+  return 301 https://$host$request_uri;
+}
+
 server {
   include /etc/nginx/mime.types;
   charset utf-8;
@@ -17,6 +24,7 @@ server {
   add_header X-XSS-Protection "1; mode=block";
   add_header X-Robots-Tag none;
   add_header X-Download-Options noopen;
+  add_header X-Frame-Options "SAMEORIGIN";
   add_header X-Permitted-Cross-Domain-Policies none;
 
   index index.php index.html;
@@ -39,7 +47,10 @@ server {
   }
 
   # If behind reverse proxy, forwards the correct IP
-  set_real_ip_from 172.22.1.1;
+  set_real_ip_from 10.0.0.0/8;
+  set_real_ip_from 172.16.0.0/12;
+  set_real_ip_from 192.168.0.0/16;
+  set_real_ip_from fd00::/8;
   real_ip_header X-Forwarded-For;
   real_ip_recursive on;
 
@@ -65,7 +76,7 @@ server {
   }
 
   location /rspamd/ {
-    proxy_pass       http://172.22.1.253:11334/;
+    proxy_pass       http://rspamd:11334/;
     proxy_set_header Host      $http_host;
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_set_header X-Real-IP $remote_addr;
@@ -97,7 +108,7 @@ server {
   }
 
   location ^~ /Microsoft-Server-ActiveSync {
-    proxy_pass http://172.22.1.252:20000/SOGo/Microsoft-Server-ActiveSync;
+    proxy_pass http://sogo:20000/SOGo/Microsoft-Server-ActiveSync;
     proxy_connect_timeout 1000;
     proxy_next_upstream timeout error;
     proxy_send_timeout 1000;
@@ -119,7 +130,7 @@ server {
   }
 
   location ^~ /SOGo {
-    proxy_pass http://172.22.1.252:20000;
+    proxy_pass http://sogo:20000;
     proxy_set_header X-Real-IP $remote_addr;
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_set_header Host $http_host;
@@ -134,7 +145,7 @@ server {
   }
 
   location /SOGo.woa/WebServerResources/ {
-    proxy_pass http://172.22.1.252:9192/WebServerResources/;
+    proxy_pass http://sogo:9192/WebServerResources/;
     proxy_set_header Host $http_host;
     proxy_cache sogo;
     proxy_cache_valid 200 1d;
@@ -144,7 +155,7 @@ server {
   }
 
   location /.woa/WebServerResources/ {
-    proxy_pass http://172.22.1.252:9192/WebServerResources/;
+    proxy_pass http://sogo:9192/WebServerResources/;
     proxy_set_header Host $http_host;
     proxy_cache sogo;
     proxy_cache_valid 200 1d;
@@ -154,7 +165,7 @@ server {
   }
 
   location /SOGo/WebServerResources/ {
-    proxy_pass http://172.22.1.252:9192/WebServerResources/;
+    proxy_pass http://sogo:9192/WebServerResources/;
     proxy_set_header Host $http_host;
     proxy_cache sogo;
     proxy_cache_valid 200 1d;
@@ -164,7 +175,7 @@ server {
   }
 
   location (^/SOGo/so/ControlPanel/Products/[^/]*UI/Resources/.*\.(jpg|png|gif|css|js)$ {
-    proxy_pass http://172.22.1.252:9192/$1.SOGo/Resources/$2;
+    proxy_pass http://sogo:9192/$1.SOGo/Resources/$2;
     proxy_set_header Host $http_host;
     proxy_cache sogo;
     proxy_cache_valid 200 1d;
@@ -195,6 +206,7 @@ server {
   add_header X-XSS-Protection "1; mode=block";
   add_header X-Robots-Tag none;
   add_header X-Download-Options noopen;
+  add_header X-Frame-Options "SAMEORIGIN";
   add_header X-Permitted-Cross-Domain-Policies none;
 
   index index.php index.html;
@@ -217,7 +229,10 @@ server {
   }
 
   # If behind reverse proxy, forwards the correct IP
-  set_real_ip_from 172.22.1.1;
+  set_real_ip_from 10.0.0.0/8;
+  set_real_ip_from 172.16.0.0/12;
+  set_real_ip_from 192.168.0.0/16;
+  set_real_ip_from fd00::/8;
   real_ip_header X-Forwarded-For;
   real_ip_recursive on;
 
@@ -243,7 +258,7 @@ server {
   }
 
   location /rspamd/ {
-    proxy_pass       http://172.22.1.253:11334/;
+    proxy_pass       http://rspamd:11334/;
     proxy_set_header Host      $http_host;
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_set_header X-Real-IP $remote_addr;
@@ -275,7 +290,7 @@ server {
   }
 
   location ^~ /Microsoft-Server-ActiveSync {
-    proxy_pass http://172.22.1.252:20000/SOGo/Microsoft-Server-ActiveSync;
+    proxy_pass http://sogo:20000/SOGo/Microsoft-Server-ActiveSync;
     proxy_connect_timeout 1000;
     proxy_next_upstream timeout error;
     proxy_send_timeout 1000;
@@ -297,7 +312,7 @@ server {
   }
 
   location ^~ /SOGo {
-    proxy_pass http://172.22.1.252:20000;
+    proxy_pass http://sogo:20000;
     proxy_set_header X-Real-IP $remote_addr;
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_set_header Host $http_host;
@@ -312,7 +327,7 @@ server {
   }
 
   location /SOGo.woa/WebServerResources/ {
-    proxy_pass http://172.22.1.252:9192/WebServerResources/;
+    proxy_pass http://sogo:9192/WebServerResources/;
     proxy_set_header Host $http_host;
     proxy_cache sogo;
     proxy_cache_valid 200 1d;
@@ -322,7 +337,7 @@ server {
   }
 
   location /.woa/WebServerResources/ {
-    proxy_pass http://172.22.1.252:9192/WebServerResources/;
+    proxy_pass http://sogo:9192/WebServerResources/;
     proxy_set_header Host $http_host;
     proxy_cache sogo;
     proxy_cache_valid 200 1d;
@@ -332,7 +347,7 @@ server {
   }
 
   location /SOGo/WebServerResources/ {
-    proxy_pass http://172.22.1.252:9192/WebServerResources/;
+    proxy_pass http://sogo:9192/WebServerResources/;
     proxy_set_header Host $http_host;
     proxy_cache sogo;
     proxy_cache_valid 200 1d;
@@ -342,7 +357,7 @@ server {
   }
 
   location (^/SOGo/so/ControlPanel/Products/[^/]*UI/Resources/.*\.(jpg|png|gif|css|js)$ {
-    proxy_pass http://172.22.1.252:9192/$1.SOGo/Resources/$2;
+    proxy_pass http://sogo:9192/$1.SOGo/Resources/$2;
     proxy_set_header Host $http_host;
     proxy_cache sogo;
     proxy_cache_valid 200 1d;

data/conf/phpfpm/php-conf.d/opcache-recommended.ini

@@ -0,0 +1,7 @@
+opcache.enable=1
+opcache.enable_cli=1
+opcache.interned_strings_buffer=8
+opcache.max_accelerated_files=10000
+opcache.memory_consumption=128
+opcache.save_comments=1
+opcache.revalidate_freq=1

data/conf/phpfpm/php-fpm.d/system.conf

@@ -0,0 +1,12 @@
+[system]
+user = www-data
+group = www-data
+pm = dynamic
+pm.max_children = 10
+pm.start_servers = 2
+pm.min_spare_servers = 2
+pm.max_spare_servers = 4
+listen = [::]:9001
+access.log = /proc/self/fd/2
+clear_env = no
+catch_workers_output = yes

data/conf/phpfpm/php-fpm.d/www.conf

@@ -0,0 +1,11 @@
+[www]
+user = www-data
+group = www-data
+pm = ondemand
+pm.max_children = 20
+pm.process_idle_timeout = 20s
+pm.max_requests = 800
+listen = [::]:9000
+access.log = /proc/self/fd/2
+clear_env = no
+catch_workers_output = yes

data/conf/postfix/main.cf

@@ -9,7 +9,7 @@ smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_una
 alias_maps = hash:/etc/aliases
 alias_database = hash:/etc/aliases
 relayhost =
-mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 [fd4d:6169:6c63:6f77::]/64
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 [fd::]/8
 mailbox_size_limit = 0
 recipient_delimiter = +
 inet_interfaces = all

data/conf/rspamd/dynmaps/settings.php

@@ -196,7 +196,7 @@ while ($row = array_shift($rows)) {
 	}
 	whitelist_header_<?=$username_sane;?> {
 <?php
-	$stmt = $pdo->prepare("SELECT GROUP_CONCAT(REPLACE(CONCAT('^', `value`, '$'), '*', '.*') SEPARATOR '|') AS `value` FROM `filterconf`
+	$stmt = $pdo->prepare("SELECT GROUP_CONCAT(REPLACE(CONCAT('\<', `value`, '\>'), '*', '.*') SEPARATOR '|') AS `value` FROM `filterconf`
 		WHERE `object`= :object
 			AND `option` = 'whitelist_from'");
 	$stmt->execute(array(':object' => $row['object']));
@@ -288,7 +288,7 @@ while ($row = array_shift($rows)) {
 	}
 	blacklist_header_<?=$username_sane;?> {
 <?php
-	$stmt = $pdo->prepare("SELECT GROUP_CONCAT(REPLACE(CONCAT('^', `value`, '$'), '*', '.*') SEPARATOR '|') AS `value` FROM `filterconf`
+	$stmt = $pdo->prepare("SELECT GROUP_CONCAT(REPLACE(CONCAT('\<', `value`, '\>'), '*', '.*') SEPARATOR '|') AS `value` FROM `filterconf`
 		WHERE `object`= :object
 			AND `option` = 'blacklist_from'");
 	$stmt->execute(array(':object' => $row['object']));

data/conf/rspamd/local.d/greylist.conf

@@ -1 +1 @@
-whitelisted_ip = "http://172.22.1.251:8081/forwardinghosts.php";
+whitelisted_ip = "http://nginx:8081/forwardinghosts.php";

data/conf/rspamd/override.d/worker-controller.inc

@@ -4,6 +4,6 @@ secure_ip = "172.16.0.0/12";
 secure_ip = "10.0.0.0/8";
 secure_ip = "127.0.0.1";
 secure_ip = "::1";
-secure_ip = "fd4d:6169:6c63:6f77::/64"
+secure_ip = "fd00::/8"
 .include(try=true; priority=10) "$CONFDIR/override.d/worker-controller-password.inc"
 .include(try=true; priority=20) "$CONFDIR/override.d/worker-controller.custom.inc" 

data/conf/sogo/sogo.conf

@@ -5,7 +5,7 @@
         PrivateDAndTViewer
     );
 
-    WOWorkersCount = "20";
+    WOWorkersCount = "7";
     SOGoACLsSendEMailNotifications = YES;
     SOGoAppointmentSendEMailNotifications = YES;
     SOGoDraftsFolderName = "Drafts";
@@ -36,7 +36,7 @@
     SOGoMailingMechanism = smtp;
     SOGoSMTPAuthenticationType = plain;
 
-    SxVMemLimit = 512;
+    SxVMemLimit = 384;
 
     SOGoMaximumPingInterval = 354;
 

data/conf/unbound/unbound.conf

@@ -8,8 +8,11 @@ server:
   do-udp: yes
   do-tcp: yes
   do-daemonize: no
-  access-control: 172.22.1.0/24 allow
-  access-control: fd4d:6169:6c63:6f77::/64 allow
+  access-control: 10.0.0.0/8 allow
+  access-control: 172.16.0.0/12 allow
+  access-control: 192.168.0.0/16 allow
+  access-control: fd00::/8 allow
+  access-control: fe80::/10 allow
   directory: "/etc/unbound"
   username: unbound
   auto-trust-anchor-file: trusted-key.key
@@ -19,7 +22,6 @@ server:
   private-address: 169.254.0.0/16
   private-address: fd00::/8
   private-address: fe80::/10
-  private-address: fd4d:6169:6c63:6f77::/64
   root-hints: "/etc/unbound/root.hints"
   hide-identity: yes
   hide-version: yes