7x31/mailcow-dockerized
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: 7x31:2022-06a
Branches Tags
7x31:master 7x31:renovate/composer-composer-2.x 7x31:staging 7x31:feat/domain-wide-footer 7x31:nightly 7x31:renovate/phpredis-phpredis-6.x 7x31:update/postscreen_access.cidr 7x31:feat/improve-sh-bl-postfix 7x31:renovate/php-pecl-mail-mailparse-3.x 7x31:feat/arm64-cow 7x31:feat/backup_action 7x31:feat/f2b-banlist 7x31:feat/mailbox-sso 7x31:feat/customize-sogo-theme 7x31:feat/mariadb-10.11 7x31:feature/fts-xapian 7x31:feat/ui-improvements 7x31:hotfix
7x31:2023-08 7x31:2023-07a 7x31:2023-07 7x31:2023-05a 7x31:2023-05 7x31:2023-04b 7x31:2023-04a 7x31:2023-04 7x31:2023-03 7x31:2023-02a 7x31:2023-02 7x31:2023-01a 7x31:2023-01 7x31:2022-12b 7x31:2022-12a 7x31:2022-12 7x31:2022-11b 7x31:2022-11a 7x31:2022-11 7x31:2022-10a 7x31:2022-10 7x31:2022-09a 7x31:2022-09 7x31:2022-08b 7x31:2022-08a 7x31:2022-08 7x31:2022-07a 7x31:2022-07 7x31:2022-06b 7x31:2022-06a 7x31:2022-06 7x31:2022-05d 7x31:2022-05c 7x31:2022-05b 7x31:2022-05a 7x31:2022-05 7x31:2022-04 7x31:2022-03a 7x31:2022-03 7x31:2022-01a 7x31:2022-01
...
compare: 7x31:2022-07a
Branches Tags
7x31:renovate/composer-composer-2.x 7x31:staging 7x31:feat/domain-wide-footer 7x31:nightly 7x31:renovate/phpredis-phpredis-6.x 7x31:update/postscreen_access.cidr 7x31:feat/improve-sh-bl-postfix 7x31:renovate/php-pecl-mail-mailparse-3.x 7x31:feat/arm64-cow 7x31:master 7x31:feat/backup_action 7x31:feat/f2b-banlist 7x31:feat/mailbox-sso 7x31:feat/customize-sogo-theme 7x31:feat/mariadb-10.11 7x31:feature/fts-xapian 7x31:feat/ui-improvements 7x31:hotfix
7x31:2023-08 7x31:2023-07a 7x31:2023-07 7x31:2023-05a 7x31:2023-05 7x31:2023-04b 7x31:2023-04a 7x31:2023-04 7x31:2023-03 7x31:2023-02a 7x31:2023-02 7x31:2023-01a 7x31:2023-01 7x31:2022-12b 7x31:2022-12a 7x31:2022-12 7x31:2022-11b 7x31:2022-11a 7x31:2022-11 7x31:2022-10a 7x31:2022-10 7x31:2022-09a 7x31:2022-09 7x31:2022-08b 7x31:2022-08a 7x31:2022-08 7x31:2022-07a 7x31:2022-07 7x31:2022-06b 7x31:2022-06a 7x31:2022-06 7x31:2022-05d 7x31:2022-05c 7x31:2022-05b 7x31:2022-05a 7x31:2022-05 7x31:2022-04 7x31:2022-03a 7x31:2022-03 7x31:2022-01a 7x31:2022-01

89 Commits
2022-06a ... 2022-07a

Author SHA1 Message Date
Niklas Meyer
b51a659515 Merge pull request #4698 from mailcow/staging 
2022-07a
 2022-07-29 14:23:53 +02:00
Niklas Meyer
44a6f09a09 [CLAMAV] Update to 0.105.1 2022-07-29 14:08:26 +02:00
Erisa A
4c10525078 [Web] Update keyHandle max length to 1023 (#4696) 
https://w3c.github.io/webauthn/#credential-id

Co-authored-by: Niklas Meyer <62480600+DerLinkman@users.noreply.github.com>
 2022-07-26 09:16:23 +02:00
Peter
c9ab8b2eff [GH-Actions][stale] Upgrade to v5.1.0 and add close-issue-reason 2022-07-19 21:43:24 +02:00
Peter
4bf38bf00f Mailcow -> mailcow (#4687) 2022-07-19 20:31:25 +02:00
Peter
7c7c67948e Use yaml list style in docker build workflow (#4688) 
* Use yaml list style

* Mailcow -> mailcow
 2022-07-19 20:24:24 +02:00
l-with
263cb96786 Improve domain api schema (#4689) 
* change response of add domain to array

* add tags to request body of add domain

* add gal to request body of add domain

* add relay_unknown_only to request body of add domain

* add relay_unknown_only to request body of edit domain

* add rl_frame, rl_value to request body of edit domain

* fix indentation

* add tags to request body of edit domain

* change response of edit domain to array

* Revert "change response of edit domain to array"

This reverts commit 692384e21b.

* change response type of edit domain to application/json

* change response type of edit domain

* change items in body of edit domain to array of strings

* change response of edit domain to array

* fix indentation

* revert changing response type of edit domain-admin

* change response type of edit domain to array

* fix response type of edit domains

* change msg in response of edit domains to array

* change items in body of delete domain to array of strings

* change request body of delete domain to array of strings

* fix

* remove properties

* change request body of delete domain to array of strings (fix)

* change reponse type of delete domain to array
 2022-07-19 20:22:45 +02:00
Niklas Meyer
b6e3e7a658 Merge pull request #4691 from mailcow/staging 
Merge staging into master
 2022-07-18 10:49:47 +02:00
DerLinkman
ceaf1423f4 Moved general compose v2 check below the parameter section to respect --force 2022-07-18 10:39:17 +02:00
Niklas Meyer
9598b503ec Merge branch 'master' into staging 2022-07-15 14:03:38 +02:00
Niklas Meyer
94f4ec8b96 Update tweet-trigger-publish-release.yml 2022-07-15 10:53:51 +02:00
DerLinkman
7aab2c55ff Changed which to command -v + seperated compose check from for loop 2022-07-15 10:30:01 +02:00
Niklas Meyer
6abb4d34c1 Merge pull request #4682 from mailcow/feature/badge-readme 
Add Integration Tests badge
 2022-07-14 22:45:34 +02:00
Peter
c8ccf080f3 Add Integration Tests badge 2022-07-14 20:01:38 +02:00
Niklas Meyer
528f7da5ef Merge pull request #4680 from mailcow/staging 
Mooly Update 2022 - TFA Flow Update
 2022-07-14 16:28:59 +02:00
DerLinkman
7d72ae3449 Added update-compose to update.sh and create-coldstandby 2022-07-14 11:29:38 +02:00
FreddleSpl0it
753cde0b85 parse host from url for webauthn library 2022-07-14 09:40:02 +02:00
FreddleSpl0it
223ba44b61 rearrange custom params validation 2022-07-14 09:39:24 +02:00
FreddleSpl0it
cd02483b19 prevent auth wipe out at yubi otp registration 2022-07-14 09:38:44 +02:00
FreddleSpl0it
f724662874 readd imapsync fix 2022-07-13 17:13:25 +02:00
FreddleSpl0it
bee762737e readd imapsync fix 2022-07-13 17:02:14 +02:00
Niklas Meyer
83efd3e506 Merge pull request #4662 from mailcow/feature/updatesh-compose-update-prompt 
[Update.sh] Added docker-compose Update prompt + Version check
 2022-07-13 16:04:42 +02:00
Niklas Meyer
2278a6cc73 Merge pull request #4674 from mailcow/feature/SECURITY.md 
Create SECURITY.md
 2022-07-13 16:03:33 +02:00
DerLinkman
586b60b276 Unspecified direct compose version (lower then 2.X.X) 2022-07-13 15:13:14 +02:00
DerLinkman
f07b9ea304 Corrected pip check 2022-07-13 15:08:31 +02:00
Niklas Meyer
09dca5d76c Merge pull request #4677 from mhofer117/patch-1 
fix blank page on /user when not logged
 2022-07-13 15:07:43 +02:00
DerLinkman
65bb808441 Muted which Pip in update_compose 2022-07-13 11:02:41 +02:00
DerLinkman
83b79edb42 Fixed PIP Check 2022-07-13 08:57:50 +02:00
DerLinkman
b8ec244d92 Modified pip compose check 2022-07-13 08:50:28 +02:00
Marcel Hofer
5b924614aa fix blank page on /user when not logged 
the current condition to redirect to / was never matching, so a blank page was displayed on /user when not logged in or when logged in as admin.
this will fix it and always redirect to / if nothing is rendered in the user.php
 2022-07-12 15:26:03 +02:00
Niklas Meyer
43103add47 Merge pull request #4671 from ntimo/task/remove-drone-ci 
Removed DroneCI & Travis CI
 2022-07-12 12:16:29 +02:00
Niklas Meyer
124d5d6bb2 Merge pull request #4673 from ntimo/task/run-tests-using-actions 
[CI] Added Mailcow tests & image builds
 2022-07-12 12:15:18 +02:00
Timo
58fde558f7 Merge pull request #4670 from ntimo/task/fix-open-api-yml 
Fixed OpenAPI docs to be spec compliant
 2022-07-12 09:43:13 +02:00
Peter
8b314acfcf Create SECURITY.md 2022-07-11 21:06:23 +02:00
ntimo
1c0eab9893 [CI] Added Mailcow tests & image builds 2022-07-11 17:06:00 +00:00
DerLinkman
c62daa0c59 Corrected , to . for new workflow 2022-07-08 21:41:48 +02:00
Niklas Meyer
1a05101f50 Create tweet-trigger-publish-release,yml 2022-07-08 21:39:22 +02:00
ntimo
47fb46c837 Removed DroneCI & Travis CI 2022-07-08 18:50:51 +00:00
ntimo
d29580aa02 Fixed OpenAPI docs to be spec compliant 2022-07-08 18:47:28 +00:00
Niklas Meyer
d0fc62ef13 Merge pull request #4669 from mailcow/feature/issue-4668 
Fix permissions of create_cold_standby.sh
 2022-07-08 20:16:30 +02:00
Peter
b14c0e4c11 Fix permissions chmod +x 2022-07-08 18:29:34 +02:00
DerLinkman
43ec12f4f0 Readded (again) the new update script check... 2022-07-08 13:49:33 +02:00
DerLinkman
40cf2c85e6 Re-aranged the functions position to top 2022-07-08 13:48:31 +02:00
DerLinkman
6195b7c334 [Backup Script]Check for docker and docker-compose in each step seperate 2022-07-08 13:29:05 +02:00
DerLinkman
385570c1e8 Fixed wrongly override_backup overwriting 2022-07-08 10:54:50 +02:00
DerLinkman
d82cfc6c62 Changed no compose warning color 2022-07-08 10:43:44 +02:00
André
fdf52dcb17 [Rspamd] Prevent LUA crash 
Fixes LUA error when inserting unknown symbol from settings map
 2022-07-07 09:20:59 +02:00
milkmaker
1ff220ccf8 Translations update from Weblate (#4664) 
* [Web] Updated lang.ru.json [CI SKIP]

Co-authored-by: Oleksii Kruhlenko <a.kruglenko@gmail.com>

* [Web] Updated lang.uk.json [CI SKIP]

Co-authored-by: Oleksii Kruhlenko <a.kruglenko@gmail.com>

Co-authored-by: Oleksii Kruhlenko <a.kruglenko@gmail.com>
 2022-07-06 22:02:15 +02:00
Niklas Meyer
536ab34955 Merge pull request #4634 from opsone-ch/staging 2022-07-05 12:55:10 +02:00
DerLinkman
f7369f0611 [Update.sh] Added docker-compose Update prompt + Version check 2022-07-05 12:07:10 +02:00
Rafael Kraut
14bc105d43 [Web] Remove default selection for sync job target mailbox (#4661) 
+ Don't cache that form, closes #4642
 2022-07-05 11:51:05 +02:00
Niklas Meyer
2efb4365bf Merge pull request #4659 from mailcow/feature/dovecot-2.3.19.1 
[Dovecot] Update to 2.3.19.1
 2022-07-05 09:08:11 +02:00
Niklas Meyer
c1b86fc782 Merge pull request #4632 from mailcow/sogo-5.7.0 
Update SOGo to 5.7.0
 2022-07-05 09:00:22 +02:00
FreddleSpl0it
52e92cc0db fix sql query for tfa registration 2022-07-04 17:17:31 +02:00
FreddleSpl0it
3af2f636a5 Merge branch 'feature/tfa-flow' of https://github.com/mailcow/mailcow-dockerized into feature/tfa-flow 2022-07-04 17:01:41 +02:00
FreddleSpl0it
6fb967cf79 extra tfa register debugging 2022-07-04 17:01:35 +02:00
DerLinkman
03c49ea1f8 Merge branch 'staging' into feature/tfa-flow 2022-07-04 16:43:49 +02:00
Patrick Schult
11700d7ecb Merge pull request #4403 from El-Virus/master 
Fix "The operation is insecure." when trying to register fido2 device.
 2022-06-30 13:55:07 +02:00
DerLinkman
33eb2c8801 Improved [::] Section check + included prior override backup 2022-06-24 23:10:00 +02:00
FreddleSpl0it
a835419168 fix imapsync 2022-06-23 18:36:54 +02:00
Niklas Meyer
4ce16d1ea4 Merge pull request #4644 from mailcow/feature/update-composev2 
Added auto correction of composev1 Binds in compose.yml
 2022-06-23 15:43:49 +02:00
DerLinkman
c1c7167ace Added auto correction of composev1 Binds in compose.yml 2022-06-23 15:41:48 +02:00
Markus Ritzmann
537a7908f1 Clamd: Fix Docker Healthcheck 2022-06-16 09:50:33 +02:00
Peter
3fe776ee69 Update SOGo to 5.7.0 2022-06-14 18:55:26 +02:00
DerLinkman
581be02e53 [Dovecot] Update to 2.3.19.1 2022-06-14 15:02:40 +02:00
FreddleSpl0it
0eb2545773 [WebAuthn] send empty transports array to fix android bug 2022-06-07 09:01:04 +02:00
FreddleSpl0it
7d5990bf0f restrict webauthn-tfa-get-args sql query 2022-05-18 10:03:10 +02:00
FreddleSpl0it
4ec982163e restrict webauthn-tfa-get-args sql query 2022-05-18 09:39:50 +02:00
FreddleSpl0it
3c9502f241 add webauthn console log 2022-05-17 19:02:52 +02:00
Niklas Meyer
63cecb2fd8 Merge pull request #4484 from FreddleSpl0it/selection-tfa 
[Web] change tfa flow
 2022-05-17 15:26:43 +02:00
Niklas Meyer
3029a2d33d Change DB Date to newer Date than staging 2022-05-17 15:26:01 +02:00
Niklas Meyer
fa0d2a959d Merge branch 'feature/tfa-flow' into selection-tfa 2022-05-17 15:23:10 +02:00
FreddleSpl0it
6d3798ad08 [Web] fix yubi otp 2022-03-19 20:18:31 +01:00
FreddleSpl0it
70921b8d15 [Web] tfa extra debugging 2022-03-18 08:45:02 +01:00
FreddleSpl0it
b185f83fc3 [Web] tfa extra debugging 2022-03-18 08:37:22 +01:00
FreddleSpl0it
60af295c0a Merge branch 'selection-tfa' of https://github.com/FreddleSpl0it/mailcow-dockerized into selection-tfa 2022-03-14 10:32:55 +01:00
FreddleSpl0it
e7fe52a625 [Web] increase mysql publicKey field length 2022-03-14 10:31:59 +01:00
FreddleSpl0it
49c506eed9 [Web] multiple tfa - user support 2022-03-14 10:31:59 +01:00
FreddleSpl0it
21fadf6df2 [Web] multiple tfa - domainadmin support 2022-03-14 10:31:58 +01:00
FreddleSpl0it
5fcccbc97d [Web] add verify selected tfa 2022-03-14 10:31:56 +01:00
FreddleSpl0it
3ef2b6cfa2 [Web] add verify selected tfa 2022-03-14 10:31:51 +01:00
FreddleSpl0it
84b4269c75 [Web] increase mysql publicKey field length 2022-03-14 09:29:07 +01:00
FreddleSpl0it
a2d57d43d1 [Web] multiple tfa - user support 2022-03-07 11:41:13 +01:00
FreddleSpl0it
df33f1a130 [Web] multiple tfa - domainadmin support 2022-02-22 09:38:06 +01:00
FreddleSpl0it
4c6a2055c2 [Web] add verify selected tfa 2022-02-21 14:10:12 +01:00
FreddleSpl0it
f09a3df870 [Web] add verify selected tfa 2022-02-21 10:46:24 +01:00
El-Virus
ea1a412749 Fix missing "lbuchs", after resolving last conflict 
It seems that when solving the conflict in my pr when the latest staging branch was merged to master, I accidentally deleted "lbuchs", I added it back
 2022-01-21 15:46:44 +01:00
El-Virus
db82327d9a Merge branch 'staging' into master 2022-01-21 15:40:37 +01:00
El-Virus
ea1a02bd7d Fix "The operation is insecure." when trying to register fido2 device. 
navigator.credentials.create(); Doesn't accept a port in the "id" parameter. So, when trying to register a fido2 device via WebAuthn throws: "The operation is insecure." on firefox and "The relying party ID is not a registrable domain suffix of, nor equal to the current domain." on Chrome or Edge.
This commit replaces `$_SERVER['HTTP_HOST']` with `$_SERVER['SERVER_NAME']` when initializing `$WebAuthn` which excludes the port to formulate correct requests.
Now Mailcow allows the registration of fido2 devices when running in a non-standard port(eg. 443).
 2021-12-26 17:11:06 +01:00
36 changed files with 1179 additions and 730 deletions
Expand all files Collapse all files

120
.drone.yml
View File

@@ -1,120 +0,0 @@
---
kind: pipeline
name: integration-testing
platform:
os: linux
arch: amd64
clone:
disable: true
steps:
- name: prepare-tests
pull: default
image: timovibritannia/ansible
commands:
- git clone https://github.com/mailcow/mailcow-integration-tests.git --branch $(curl -sL https://api.github.com/repos/mailcow/mailcow-integration-tests/releases/latest | jq -r '.tag_name') --single-branch .
- chmod +x ci.sh
- chmod +x ci-ssh.sh
- chmod +x ci-piprequierments.sh
- ./ci.sh
- wget -O group_vars/all/secrets.yml $SECRETS_DOWNLOAD_URL --quiet
environment:
SECRETS_DOWNLOAD_URL:
from_secret: SECRETS_DOWNLOAD_URL
VAULT_PW:
from_secret: VAULT_PW
when:
branch:
- master
- staging
event:
- push
- name: lint
pull: default
image: timovibritannia/ansible
commands:
- ansible-lint ./
when:
branch:
- master
- staging
event:
- push
- name: create-server
pull: default
image: timovibritannia/ansible
commands:
- ./ci-piprequierments.sh
- ansible-playbook mailcow-start-server.yml --diff
- ./ci-ssh.sh
environment:
ANSIBLE_HOST_KEY_CHECKING: false
ANSIBLE_FORCE_COLOR: true
when:
branch:
- master
- staging
event:
- push
- name: setup-server
pull: default
image: timovibritannia/ansible
commands:
- sleep 120
- ./ci-piprequierments.sh
- ansible-playbook mailcow-setup-server.yml --private-key /drone/src/id_ssh_rsa --diff
environment:
ANSIBLE_HOST_KEY_CHECKING: false
ANSIBLE_FORCE_COLOR: true
when:
branch:
- master
- staging
event:
- push
- name: run-tests
pull: default
image: timovibritannia/ansible
commands:
- ./ci-piprequierments.sh
- ansible-playbook mailcow-integration-tests.yml --private-key /drone/src/id_ssh_rsa --diff
environment:
ANSIBLE_HOST_KEY_CHECKING: false
ANSIBLE_FORCE_COLOR: true
when:
branch:
- master
- staging
event:
- push
- name: delete-server
pull: default
image: timovibritannia/ansible
commands:
- ./ci-piprequierments.sh
- ansible-playbook mailcow-delete-server.yml --diff
environment:
ANSIBLE_HOST_KEY_CHECKING: false
ANSIBLE_FORCE_COLOR: true
when:
branch:
- master
- staging
event:
- push
status:
- failure
- success
---
kind: signature
hmac: f6619243fe2a27563291c9f2a46d93ffbc3b6dced9a05f23e64b555ce03a31e5
...

3
.github/workflows/close_old_issues_and_prs.yml vendored
View File

@@ -14,7 +14,7 @@ jobs:
pull-requests: write
steps:
- name: Mark/Close Stale Issues and Pull Requests 🗑️
uses: actions/stale@v5.0.0
uses: actions/stale@v5.1.0
with:
repo-token: ${{ secrets.STALE_ACTION_PAT }}
days-before-stale: 60
@@ -30,6 +30,7 @@ jobs:
stale-issue-label: "stale"
stale-pr-label: "stale"
exempt-draft-pr: "true"
close-issue-reason: "not_planned"
operations-per-run: "250"
ascending: "true"
#DRY-RUN

42
.github/workflows/image_builds.yml vendored Normal file
View File

@@ -0,0 +1,42 @@
name: Build mailcow Docker Images
on:
push:
branches: [ "master", "staging" ]
workflow_dispatch:
jobs:
docker_image_builds:
strategy:
matrix:
images:
- "acme-mailcow"
- "clamd-mailcow"
- "dockerapi-mailcow"
- "dovecot-mailcow"
- "netfilter-mailcow"
- "olefy-mailcow"
- "php-fpm-mailcow"
- "postfix-mailcow"
- "rspamd-mailcow"
- "sogo-mailcow"
- "solr-mailcow"
- "unbound-mailcow"
- "watchdog-mailcow"
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Setup Docker
run: |
curl -sSL https://get.docker.com/ | CHANNEL=stable sudo sh
sudo service docker start
sudo curl -L https://github.com/docker/compose/releases/download/v$(curl -Ls https://www.servercow.de/docker-compose/latest.php)/docker-compose-$(uname -s)-$(uname -m) > /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
- name: Prepair Image Builds
run: |
cp helper-scripts/docker-compose.override.yml.d/BUILD_FLAGS/docker-compose.override.yml docker-compose.override.yml
- name: Build Docker Images
run: |
docker-compose build ${image}
env:
image: ${{ matrix.images }}

60
.github/workflows/integration_tests.yml vendored Normal file
View File

@@ -0,0 +1,60 @@
name: mailcow Integration Tests
on:
push:
branches: [ "master", "staging" ]
workflow_dispatch:
jobs:
integration_tests:
runs-on: ubuntu-latest
steps:
- name: Setup Ansible
run: |
export DEBIAN_FRONTEND=noninteractive
sudo apt-get update
sudo apt-get install python3 python3-pip git
sudo pip3 install ansible
- name: Prepair Test Environment
run: |
git clone https://github.com/mailcow/mailcow-integration-tests.git --branch $(curl -sL https://api.github.com/repos/mailcow/mailcow-integration-tests/releases/latest | jq -r '.tag_name') --single-branch .
./fork_check.sh
./ci.sh
./ci-pip-requirements.sh
env:
VAULT_PW: ${{ secrets.MAILCOW_TESTS_VAULT_PW }}
VAULT_FILE: ${{ secrets.MAILCOW_TESTS_VAULT_FILE }}
- name: Start Integration Test Server
run: |
./fork_check.sh
ansible-playbook mailcow-start-server.yml --diff
env:
PY_COLORS: '1'
ANSIBLE_FORCE_COLOR: '1'
ANSIBLE_HOST_KEY_CHECKING: 'false'
- name: Setup Integration Test Server
run: |
./fork_check.sh
sleep 30
ansible-playbook mailcow-setup-server.yml --private-key id_ssh_rsa --diff
env:
PY_COLORS: '1'
ANSIBLE_FORCE_COLOR: '1'
ANSIBLE_HOST_KEY_CHECKING: 'false'
- name: Run Integration Tests
run: |
./fork_check.sh
ansible-playbook mailcow-integration-tests.yml --private-key id_ssh_rsa --diff
env:
PY_COLORS: '1'
ANSIBLE_FORCE_COLOR: '1'
ANSIBLE_HOST_KEY_CHECKING: 'false'
- name: Delete Integration Test Server
if: always()
run: |
./fork_check.sh
ansible-playbook mailcow-delete-server.yml --diff
env:
PY_COLORS: '1'
ANSIBLE_FORCE_COLOR: '1'
ANSIBLE_HOST_KEY_CHECKING: 'false'

17
.github/workflows/tweet-trigger-publish-release.yml vendored Normal file
View File

@@ -0,0 +1,17 @@
name: "Tweet trigger release"
on:
release:
types: [published]
jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Tweet-trigger-publish-release
uses: mugi111/tweet-trigger-release@v1.1
with:
consumer_key: ${{ secrets.CONSUMER_KEY }}
consumer_secret: ${{ secrets.CONSUMER_SECRET }}
access_token_key: ${{ secrets.ACCESS_TOKEN_KEY }}
access_token_secret: ${{ secrets.ACCESS_TOKEN_SECRET }}
tweet_body: 'A new mailcow-dockerized Release has been Released on GitHub! Checkout our GitHub Page for the latest Release: github.com/mailcow/mailcow-dockerized/releases/latest'

16
.travis.yml
View File

@@ -1,16 +0,0 @@
sudo: required
services:
- docker
script:
- echo 'Europe/Berlin' | MAILCOW_HOSTNAME=build.mailcow ./generate_config.sh
- docker-compose pull --ignore-pull-failures --parallel
- docker-compose build
- docker login --username=$DOCKER_HUB_USERNAME --password=$DOCKER_HUB_PASSWORD
- docker-compose push
branches:
only:
- master_disabled
env:
global:
- secure: MpxpTwD7f0CNEVLitSpVmocK7O9r+BwFE1deEHK4AlQo/oc9cOlhGe1EL3mx9zbglPmjlDg/8kMUGv6vSirIabfBo9Szjps76bHckFr9lr2Ykkg0e29oC8pgPpSXD1eY/1ZIN/FvIkxpUFLETo1okS/j9q/A0DCGFmti0n3EoMORsgRz9CpNAiEh0zpSd6+euPAGHuczuCrDuO84my9bIOCjA/+aPunHNeXiuM8yIM2SxCSyGtIKT0+jvquIvLF58VxivysXBlRfhDn8fhB09nXA2Ru/derYQACfcmNSn9Pd4bDpebPJW5B9H/XA8xjb58uKinUlncbAMB/QnxoT75j9YRWJZRSQ+34XNYP6ZgK9soZ2TC6djQyEKTUu45Kp/1s+poSn42m9jytJJTmmK0KxsZTRcC8JD5nrjIMZWPUNNTwC5L4+I7ZRWg2WooK3LNyq1Ng8Hn6W77wSgsvAJw2HD3Lx58AprGUhHuBeaIZRuSN9aKwZrl9vKQJLqPnOp/nF2EC6kot5HYYtcotGtETXPUDih21gWD5ZM2BqVqYfQQnJnNMgeYmMdj6QQuTFqhuNJf7hXRIRkTnD3j1gDOLKQZazW0+N2JE8XWDFwi6fKScDsxT85lJti9HmzHa7+k4RVHmUYuDgRoPuzUgjWHvPsiz3/Z8WQ9JYpH84S8w=
- secure: fWzZisT6nGDNL4lf6tXB07eFG2drgBakHxzdF/NFVvzuP861RFR6omuL+ED0PgXrEHDJBxaBLv52je8irmUXrAH1CNr7T8DWiZo/h5h609Uzr+38T1NnIu4krL0Wo6/CDwlLKnzqTq9yBIZLQSHVJmo8AOpo1JPIi2ajodqj9ZfmAxDQTQl+G6zvQjtqIkYHsHY7A44Rto0f14ykn7w2S82Jn6Ry89VNI5V1WEO3sMpM/XekNP/HokNcRIuntL/0+kuLvTJ5akGoTjBQxSnSW95opzPeGky74HRU2obExJYqKvF0VfVJRNAqejwjIiFIbbjqV0Sk5391kFuhuBErQQDM1bOHGdxZ41HsJH29qNWIl7C33Yl10qERoqecgsJ1N/bS2ZEmWqm/zQh5GClCXPvYmzEqMYsMGM3vjbKdjDlc1Wh2w/eFclsXN9LSXh1mc35rtj46frcT6e5Kof87AIfC9hTgDvk9kAsyjaHMkSHSZthbZXCIcsD8qriNm5UqfFBYD79mPIP1S2YMQ2jscCsjHOZgYVrcm0kzDF21J1w6H0Lo7d1jw37LYlegBdtLQ9gYgqY2D5m+nxWuVoD5FZmpR+5JGtK+ootyLFF8aiFoHXd4op1JCxRLjgkmnZKXzw3kTQSpE7oa7CgzchtQmK2nqcqla1b5Qk7ilVcjooo=

3
README.md
View File

@@ -2,7 +2,8 @@
## We stand with 🇺🇦
[![master build status](https://img.shields.io/drone/build/mailcow/mailcow-dockerized/master?label=master%20build&server=https%3A%2F%2Fdrone.mailcow.email)](https://drone.mailcow.email/mailcow/mailcow-dockerized) [![staging build status](https://img.shields.io/drone/build/mailcow/mailcow-dockerized/staging?label=staging%20build&server=https%3A%2F%2Fdrone.mailcow.email)](https://drone.mailcow.email/mailcow/mailcow-dockerized) [![Translation status](https://translate.mailcow.email/widgets/mailcow-dockerized/-/translation/svg-badge.svg)](https://translate.mailcow.email/engage/mailcow-dockerized/)
[![Mailcow Integration Tests](https://github.com/mailcow/mailcow-dockerized/actions/workflows/integration_tests.yml/badge.svg?branch=master)](https://github.com/mailcow/mailcow-dockerized/actions/workflows/integration_tests.yml)
[![Translation status](https://translate.mailcow.email/widgets/mailcow-dockerized/-/translation/svg-badge.svg)](https://translate.mailcow.email/engage/mailcow-dockerized/)
[![Twitter URL](https://img.shields.io/twitter/url/https/twitter.com/mailcow_email.svg?style=social&label=Follow%20%40mailcow_email)](https://twitter.com/mailcow_email)
## Want to support mailcow?

42
SECURITY.md Normal file
View File

@@ -0,0 +1,42 @@
# Security Policies and Procedures
This document outlines security procedures and general policies for the _mailcow: dockerized_ project as found on [mailcow-dockerized](https://github.com/mailcow/mailcow-dockerized).
* [Reporting a Vulnerability](#reporting-a-vulnerability)
* [Disclosure Policy](#disclosure-policy)
* [Comments on this Policy](#comments-on-this-policy)
## Reporting a Vulnerability
The mailcow team and community take all security vulnerabilities
seriously. Thank you for improving the security of our open source
software. We appreciate your efforts and responsible disclosure and will
make every effort to acknowledge your contributions.
Report security vulnerabilities by emailing the mailcow team at:
info at servercow.de
mailcow team will acknowledge your email as soon as possible, and will
send a more detailed response afterwards indicating the next steps in
handling your report. After the initial reply to your report, the mailcow
team will endeavor to keep you informed of the progress towards a fix and
full announcement, and may ask for additional information or guidance.
Report security vulnerabilities in third-party modules to the person or
team maintaining the module.
## Disclosure Policy
When the mailcow team receives a security bug report, they will assign it
to a primary handler. This person will coordinate the fix and release
process, involving the following steps:
* Confirm the problem and determine the affected versions.
* Audit code to find any potential similar problems.
* Prepare fixes for all releases still under maintenance.
## Comments on this Policy
If you have suggestions on how this process could be improved please submit a
pull request.

0
create_cold_standby.sh Normal file → Executable file
View File

10
data/Dockerfiles/clamd/Dockerfile
View File

@@ -1,4 +1,4 @@
FROM clamav/clamav:0.105.0_base
FROM clamav/clamav:0.105.1_base
LABEL maintainer "André Peters <andre.peters@servercow.de>"
@@ -8,8 +8,14 @@ RUN apk upgrade --no-cache \
bind-tools \
bash
COPY clamd.sh ./
# init
COPY clamd.sh /clamd.sh
RUN chmod +x /sbin/tini
# healthcheck
COPY healthcheck.sh /healthcheck.sh
RUN chmod +x /healthcheck.sh
HEALTHCHECK --start-period=6m CMD "/healthcheck.sh"
ENTRYPOINT []
CMD ["/sbin/tini", "-g", "--", "/clamd.sh"]

9
data/Dockerfiles/clamd/healthcheck.sh Executable file
View File

@@ -0,0 +1,9 @@
#!/bin/bash
if [[ "${SKIP_CLAMD}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
echo "SKIP_CLAMD=y, skipping ClamAV..."
exit 0
fi
# run clamd healthcheck
/usr/local/bin/clamdcheck.sh

2
data/Dockerfiles/dovecot/Dockerfile
View File

@@ -2,7 +2,7 @@ FROM debian:bullseye-slim
LABEL maintainer "Andre Peters <andre.peters@servercow.de>"
ARG DEBIAN_FRONTEND=noninteractive
ARG DOVECOT=2.3.18
ARG DOVECOT=2.3.19.1
ENV LC_ALL C
ENV GOSU_VERSION 1.14

3
data/conf/rspamd/local.d/groups.conf
View File

@@ -18,6 +18,9 @@ symbols {
"ENCRYPTED_CHAT" {
score = -20.0;
}
"SOGO_CONTACT" {
score = -99.0;
}
}
group "MX" {

146
data/web/api/openapi.yaml
View File

@@ -518,21 +518,23 @@ paths:
- domain.tld
type: success
schema:
properties:
log:
description: contains request object
items: {}
type: array
msg:
items: {}
type: array
type:
enum:
- success
- danger
- error
type: string
type: object
type: array
items:
type: object
properties:
log:
description: contains request object
items: {}
type: array
msg:
items: {}
type: array
type:
enum:
- success
- danger
- error
type: string
description: OK
headers: {}
tags:
@@ -579,6 +581,11 @@ paths:
domain:
description: Fully qualified domain name
type: string
gal:
description: >-
is domain global address list active or not, it enables
shared contacts accross domain in SOGo webmail
type: boolean
mailboxes:
description: limit count of mailboxes associated with this domain
type: number
@@ -596,6 +603,9 @@ paths:
if not, them you have to create "dummy" mailbox for each
address to relay
type: boolean
relay_unknown_only:
description: Relay non-existing mailboxes only. Existing mailboxes will be delivered locally.
type: boolean
rl_frame:
enum:
- s
@@ -606,6 +616,11 @@ paths:
rl_value:
description: rate limit value
type: number
tags:
description: tags for this Domain
type: array
items:
type: string
type: object
summary: Create domain
/api/v1/add/domain-admin:
@@ -1952,21 +1967,23 @@ paths:
- domain2.tld
type: success
schema:
properties:
log:
description: contains request object
items: {}
type: array
msg:
items: {}
type: array
type:
enum:
- success
- danger
- error
type: string
type: object
type: array
items:
type: object
properties:
log:
description: contains request object
items: {}
type: array
msg:
items: {}
type: array
type:
enum:
- success
- danger
- error
type: string
description: OK
headers: {}
tags:
@@ -1977,14 +1994,15 @@ paths:
content:
application/json:
schema:
type: object
example:
- domain.tld
- domain2.tld
properties:
items:
description: contains list of domains you want to delete
type: object
type: object
items:
type: array
items:
type: string
summary: Delete domain
/api/v1/delete/domain-admin:
post:
@@ -2972,23 +2990,25 @@ paths:
$ref: "#/components/responses/Unauthorized"
"200":
content:
"*/*":
application/json:
schema:
properties:
log:
description: contains request object
items: {}
type: array
msg:
items: {}
type: array
type:
enum:
- success
- danger
- error
type: string
type: object
type: array
items:
type: object
properties:
log:
type: array
description: contains request object
items: {}
msg:
type: array
items: {}
type:
enum:
- success
- danger
- error
type: string
description: OK
headers: {}
tags:
@@ -3056,13 +3076,33 @@ paths:
if not, them you have to create "dummy" mailbox for each
address to relay
type: boolean
relay_unknown_only:
description: Relay non-existing mailboxes only. Existing mailboxes will be delivered locally.
type: boolean
relayhost:
description: id of relayhost
type: number
rl_frame:
enum:
- s
- m
- h
- d
type: string
rl_value:
description: rate limit value
type: number
tags:
description: tags for this Domain
type: array
items:
type: string
type: object
items:
description: contains list of domain names you want update
type: object
type: array
items:
type: string
type: object
summary: Update domain
/api/v1/edit/fail2ban:
@@ -3953,6 +3993,8 @@ paths:
in: query
name: tags
required: false
schema:
type: string
- description: e.g. api-key-string
example: api-key-string
in: header
@@ -4512,6 +4554,8 @@ paths:
in: query
name: tags
required: false
schema:
type: string
- description: e.g. api-key-string
example: api-key-string
in: header

12
data/web/css/build/008-mailcow.css
View File

@@ -260,6 +260,17 @@ code {
margin-right: 5px;
}
.list-group-item.webauthn-authenticator-selection,
.list-group-item.totp-authenticator-selection,
.list-group-item.yubi_otp-authenticator-selection {
border-radius: 0px !important;
}
.pending-tfa-collapse {
padding: 10px;
background: #fbfbfb;
border: 1px solid #ededed;
}
.tag-box {
display: flex;
flex-wrap: wrap;
@@ -296,4 +307,3 @@ code {
align-items: center;
display: inline-flex;
}

2
data/web/inc/ajax/destroy_tfa_auth.php
View File

@@ -2,5 +2,5 @@
session_start();
unset($_SESSION['pending_mailcow_cc_username']);
unset($_SESSION['pending_mailcow_cc_role']);
unset($_SESSION['pending_tfa_method']);
unset($_SESSION['pending_tfa_methods']);
?>

24
data/web/inc/footer.inc.php
View File

@@ -23,6 +23,27 @@ if (is_array($alertbox_log_parser)) {
unset($_SESSION['return']);
}
// map tfa details for twig
$pending_tfa_authmechs = [];
foreach($_SESSION['pending_tfa_methods'] as $authdata){
$pending_tfa_authmechs[$authdata['authmech']] = false;
}
if (isset($pending_tfa_authmechs['webauthn'])) {
$pending_tfa_authmechs['webauthn'] = true;
}
if (!isset($pending_tfa_authmechs['webauthn'])
&& isset($pending_tfa_authmechs['yubi_otp'])) {
$pending_tfa_authmechs['yubi_otp'] = true;
}
if (!isset($pending_tfa_authmechs['webauthn'])
&& !isset($pending_tfa_authmechs['yubi_otp'])
&& isset($pending_tfa_authmechs['totp'])) {
$pending_tfa_authmechs['totp'] = true;
}
if (isset($pending_tfa_authmechs['u2f'])) {
$pending_tfa_authmechs['u2f'] = true;
}
// globals
$globalVariables = [
'mailcow_info' => array(
@@ -30,7 +51,8 @@ $globalVariables = [
'git_project_url' => $GLOBALS['MAILCOW_GIT_URL']
),
'js_path' => '/cache/'.basename($JSPath),
'pending_tfa_method' => @$_SESSION['pending_tfa_method'],
'pending_tfa_methods' => @$_SESSION['pending_tfa_methods'],
'pending_tfa_authmechs' => $pending_tfa_authmechs,
'pending_mailcow_cc_username' => @$_SESSION['pending_mailcow_cc_username'],
'lang_footer' => json_encode($lang['footer']),
'lang_acl' => json_encode($lang['acl']),

434
data/web/inc/functions.inc.php
View File

@@ -830,11 +830,15 @@ function check_login($user, $pass, $app_passwd_data = false) {
$stmt->execute(array(':user' => $user));
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
foreach ($rows as $row) {
// verify password
if (verify_hash($row['password'], $pass)) {
if (get_tfa($user)['name'] != "none") {
// check for tfa authenticators
$authenticators = get_tfa($user);
if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0) {
// active tfa authenticators found, set pending user login
$_SESSION['pending_mailcow_cc_username'] = $user;
$_SESSION['pending_mailcow_cc_role'] = "admin";
$_SESSION['pending_tfa_method'] = get_tfa($user)['name'];
$_SESSION['pending_tfa_methods'] = $authenticators['additional'];
unset($_SESSION['ldelay']);
$_SESSION['return'][] = array(
'type' => 'info',
@@ -842,8 +846,7 @@ function check_login($user, $pass, $app_passwd_data = false) {
'msg' => 'awaiting_tfa_confirmation'
);
return "pending";
}
else {
} else {
unset($_SESSION['ldelay']);
// Reactivate TFA if it was set to "deactivate TFA for next login"
$stmt = $pdo->prepare("UPDATE `tfa` SET `active`='1' WHERE `username` = :user");
@@ -866,11 +869,14 @@ function check_login($user, $pass, $app_passwd_data = false) {
$stmt->execute(array(':user' => $user));
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
foreach ($rows as $row) {
// verify password
if (verify_hash($row['password'], $pass) !== false) {
if (get_tfa($user)['name'] != "none") {
// check for tfa authenticators
$authenticators = get_tfa($user);
if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0) {
$_SESSION['pending_mailcow_cc_username'] = $user;
$_SESSION['pending_mailcow_cc_role'] = "domainadmin";
$_SESSION['pending_tfa_method'] = get_tfa($user)['name'];
$_SESSION['pending_tfa_methods'] = $authenticators['additional'];
unset($_SESSION['ldelay']);
$_SESSION['return'][] = array(
'type' => 'info',
@@ -930,24 +936,39 @@ function check_login($user, $pass, $app_passwd_data = false) {
$rows = array_merge($rows, $stmt->fetchAll(PDO::FETCH_ASSOC));
}
foreach ($rows as $row) {
// verify password
if (verify_hash($row['password'], $pass) !== false) {
unset($_SESSION['ldelay']);
$_SESSION['return'][] = array(
'type' => 'success',
'log' => array(__FUNCTION__, $user, '*'),
'msg' => array('logged_in_as', $user)
);
if ($app_passwd_data['eas'] === true || $app_passwd_data['dav'] === true) {
$service = ($app_passwd_data['eas'] === true) ? 'EAS' : 'DAV';
$stmt = $pdo->prepare("REPLACE INTO sasl_log (`service`, `app_password`, `username`, `real_rip`) VALUES (:service, :app_id, :username, :remote_addr)");
$stmt->execute(array(
':service' => $service,
':app_id' => $row['app_passwd_id'],
':username' => $user,
':remote_addr' => ($_SERVER['HTTP_X_REAL_IP'] ?? $_SERVER['REMOTE_ADDR'])
));
// check for tfa authenticators
$authenticators = get_tfa($user);
if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0) {
$_SESSION['pending_mailcow_cc_username'] = $user;
$_SESSION['pending_mailcow_cc_role'] = "user";
$_SESSION['pending_tfa_methods'] = $authenticators['additional'];
unset($_SESSION['ldelay']);
$_SESSION['return'][] = array(
'type' => 'success',
'log' => array(__FUNCTION__, $user, '*'),
'msg' => array('logged_in_as', $user)
);
return "pending";
} else {
if ($app_passwd_data['eas'] === true || $app_passwd_data['dav'] === true) {
$service = ($app_passwd_data['eas'] === true) ? 'EAS' : 'DAV';
$stmt = $pdo->prepare("REPLACE INTO sasl_log (`service`, `app_password`, `username`, `real_rip`) VALUES (:service, :app_id, :username, :remote_addr)");
$stmt->execute(array(
':service' => $service,
':app_id' => $row['app_passwd_id'],
':username' => $user,
':remote_addr' => ($_SERVER['HTTP_X_REAL_IP'] ?? $_SERVER['REMOTE_ADDR'])
));
}
unset($_SESSION['ldelay']);
// Reactivate TFA if it was set to "deactivate TFA for next login"
$stmt = $pdo->prepare("UPDATE `tfa` SET `active`='1' WHERE `username` = :user");
$stmt->execute(array(':user' => $user));
return "user";
}
return "user";
}
}
@@ -1142,47 +1163,46 @@ function set_tfa($_data) {
global $yubi;
global $tfa;
$_data_log = $_data;
$access_denied = null;
!isset($_data_log['confirm_password']) ?: $_data_log['confirm_password'] = '*';
$username = $_SESSION['mailcow_cc_username'];
if (!isset($_SESSION['mailcow_cc_role']) || empty($username)) {
$_SESSION['return'][] = array(
'type' => 'danger',
'log' => array(__FUNCTION__, $_data_log),
'msg' => 'access_denied'
);
return false;
}
$stmt = $pdo->prepare("SELECT `password` FROM `admin`
WHERE `username` = :username");
$stmt->execute(array(':username' => $username));
$row = $stmt->fetch(PDO::FETCH_ASSOC);
$num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC));
if (!empty($num_results)) {
if (!verify_hash($row['password'], $_data["confirm_password"])) {
$_SESSION['return'][] = array(
'type' => 'danger',
'log' => array(__FUNCTION__, $_data_log),
'msg' => 'access_denied'
);
return false;
}
}
$stmt = $pdo->prepare("SELECT `password` FROM `mailbox`
WHERE `username` = :username");
$stmt->execute(array(':username' => $username));
$row = $stmt->fetch(PDO::FETCH_ASSOC);
$num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC));
if (!empty($num_results)) {
if (!verify_hash($row['password'], $_data["confirm_password"])) {
$_SESSION['return'][] = array(
'type' => 'danger',
'log' => array(__FUNCTION__, $_data_log),
'msg' => 'access_denied'
);
return false;
// check for empty user and role
if (!isset($_SESSION['mailcow_cc_role']) || empty($username)) $access_denied = true;
// check admin confirm password
if ($access_denied === null) {
$stmt = $pdo->prepare("SELECT `password` FROM `admin`
WHERE `username` = :username");
$stmt->execute(array(':username' => $username));
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if ($row) {
if (!verify_hash($row['password'], $_data["confirm_password"])) $access_denied = true;
else $access_denied = false;
}
}
// check mailbox confirm password
if ($access_denied === null) {
$stmt = $pdo->prepare("SELECT `password` FROM `mailbox`
WHERE `username` = :username");
$stmt->execute(array(':username' => $username));
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if ($row) {
if (!verify_hash($row['password'], $_data["confirm_password"])) $access_denied = true;
else $access_denied = false;
}
}
// set access_denied error
if ($access_denied){
$_SESSION['return'][] = array(
'type' => 'danger',
'log' => array(__FUNCTION__, $_data_log),
'msg' => 'access_denied'
);
return false;
}
switch ($_data["tfa_method"]) {
case "yubi_otp":
@@ -1220,8 +1240,7 @@ function set_tfa($_data) {
$yubico_modhex_id = substr($_data["otp_token"], 0, 12);
$stmt = $pdo->prepare("DELETE FROM `tfa`
WHERE `username` = :username
AND (`authmech` != 'yubi_otp')
OR (`authmech` = 'yubi_otp' AND `secret` LIKE :modhex)");
AND (`authmech` = 'yubi_otp' AND `secret` LIKE :modhex)");
$stmt->execute(array(':username' => $username, ':modhex' => '%' . $yubico_modhex_id));
$stmt = $pdo->prepare("INSERT INTO `tfa` (`key_id`, `username`, `authmech`, `active`, `secret`) VALUES
(:key_id, :username, 'yubi_otp', '1', :secret)");
@@ -1265,9 +1284,6 @@ function set_tfa($_data) {
case "webauthn":
$key_id = (!isset($_data["key_id"])) ? 'unidentified' : $_data["key_id"];
$stmt = $pdo->prepare("DELETE FROM `tfa` WHERE `username` = :username AND `authmech` != 'webauthn'");
$stmt->execute(array(':username' => $username));
$stmt = $pdo->prepare("INSERT INTO `tfa` (`username`, `key_id`, `authmech`, `keyHandle`, `publicKey`, `certificate`, `counter`, `active`)
VALUES (?, ?, 'webauthn', ?, ?, ?, ?, '1')");
$stmt->execute(array(
@@ -1439,25 +1455,27 @@ function unset_tfa_key($_data) {
global $pdo;
global $lang;
$_data_log = $_data;
$access_denied = null;
$id = intval($_data['unset_tfa_key']);
$username = $_SESSION['mailcow_cc_username'];
if (!isset($_SESSION['mailcow_cc_role']) || empty($username)) {
$_SESSION['return'][] = array(
'type' => 'danger',
'log' => array(__FUNCTION__, $_data_log),
'msg' => 'access_denied'
);
return false;
}
// check for empty user and role
if (!isset($_SESSION['mailcow_cc_role']) || empty($username)) $access_denied = true;
try {
if (!is_numeric($id)) {
$_SESSION['return'][] = array(
if (!is_numeric($id)) $access_denied = true;
// set access_denied error
if ($access_denied){
$_SESSION['return'][] = array(
'type' => 'danger',
'log' => array(__FUNCTION__, $_data_log),
'msg' => 'access_denied'
);
return false;
}
}
// check if it's last key
$stmt = $pdo->prepare("SELECT COUNT(*) AS `keys` FROM `tfa`
WHERE `username` = :username AND `active` = '1'");
$stmt->execute(array(':username' => $username));
@@ -1470,6 +1488,8 @@ function unset_tfa_key($_data) {
);
return false;
}
// delete key
$stmt = $pdo->prepare("DELETE FROM `tfa` WHERE `username` = :username AND `id` = :id");
$stmt->execute(array(':username' => $username, ':id' => $id));
$_SESSION['return'][] = array(
@@ -1487,7 +1507,7 @@ function unset_tfa_key($_data) {
return false;
}
}
function get_tfa($username = null) {
function get_tfa($username = null, $id = null) {
global $pdo;
if (isset($_SESSION['mailcow_cc_username'])) {
$username = $_SESSION['mailcow_cc_username'];
@@ -1495,92 +1515,120 @@ function get_tfa($username = null) {
elseif (empty($username)) {
return false;
}
$stmt = $pdo->prepare("SELECT * FROM `tfa`
WHERE `username` = :username AND `active` = '1'");
$stmt->execute(array(':username' => $username));
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if (isset($row["authmech"])) {
switch ($row["authmech"]) {
case "yubi_otp":
$data['name'] = "yubi_otp";
$data['pretty'] = "Yubico OTP";
$stmt = $pdo->prepare("SELECT `id`, `key_id`, RIGHT(`secret`, 12) AS 'modhex' FROM `tfa` WHERE `authmech` = 'yubi_otp' AND `username` = :username");
$stmt->execute(array(
':username' => $username,
));
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
while($row = array_shift($rows)) {
$data['additional'][] = $row;
if (!isset($id)){
// fetch all tfa methods - just get information about possible authenticators
$stmt = $pdo->prepare("SELECT `id`, `key_id`, `authmech` FROM `tfa`
WHERE `username` = :username AND `active` = '1'");
$stmt->execute(array(':username' => $username));
$results = $stmt->fetchAll(PDO::FETCH_ASSOC);
// no tfa methods found
if (count($results) == 0) {
$data['name'] = 'none';
$data['pretty'] = "-";
$data['additional'] = array();
return $data;
}
$data['additional'] = $results;
return $data;
} else {
// fetch specific authenticator details by id
$stmt = $pdo->prepare("SELECT * FROM `tfa`
WHERE `username` = :username AND `id` = :id AND `active` = '1'");
$stmt->execute(array(':username' => $username, ':id' => $id));
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if (isset($row["authmech"])) {
switch ($row["authmech"]) {
case "yubi_otp":
$data['name'] = "yubi_otp";
$data['pretty'] = "Yubico OTP";
$stmt = $pdo->prepare("SELECT `id`, `key_id`, RIGHT(`secret`, 12) AS 'modhex' FROM `tfa` WHERE `authmech` = 'yubi_otp' AND `username` = :username AND `id` = :id");
$stmt->execute(array(
':username' => $username,
':id' => $id
));
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
while($row = array_shift($rows)) {
$data['additional'][] = $row;
}
return $data;
break;
// u2f - deprecated, should be removed
case "u2f":
$data['name'] = "u2f";
$data['pretty'] = "Fido U2F";
$stmt = $pdo->prepare("SELECT `id`, `key_id` FROM `tfa` WHERE `authmech` = 'u2f' AND `username` = :username AND `id` = :id");
$stmt->execute(array(
':username' => $username,
':id' => $id
));
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
while($row = array_shift($rows)) {
$data['additional'][] = $row;
}
return $data;
break;
case "hotp":
$data['name'] = "hotp";
$data['pretty'] = "HMAC-based OTP";
return $data;
break;
case "totp":
$data['name'] = "totp";
$data['pretty'] = "Time-based OTP";
$stmt = $pdo->prepare("SELECT `id`, `key_id`, `secret` FROM `tfa` WHERE `authmech` = 'totp' AND `username` = :username AND `id` = :id");
$stmt->execute(array(
':username' => $username,
':id' => $id
));
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
while($row = array_shift($rows)) {
$data['additional'][] = $row;
}
return $data;
break;
case "webauthn":
$data['name'] = "webauthn";
$data['pretty'] = "WebAuthn";
$stmt = $pdo->prepare("SELECT `id`, `key_id` FROM `tfa` WHERE `authmech` = 'webauthn' AND `username` = :username AND `id` = :id");
$stmt->execute(array(
':username' => $username,
':id' => $id
));
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
while($row = array_shift($rows)) {
$data['additional'][] = $row;
}
return $data;
break;
default:
$data['name'] = 'none';
$data['pretty'] = "-";
return $data;
break;
}
return $data;
break;
// u2f - deprecated, should be removed
case "u2f":
$data['name'] = "u2f";
$data['pretty'] = "Fido U2F";
$stmt = $pdo->prepare("SELECT `id`, `key_id` FROM `tfa` WHERE `authmech` = 'u2f' AND `username` = :username");
$stmt->execute(array(
':username' => $username,
));
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
while($row = array_shift($rows)) {
$data['additional'][] = $row;
}
return $data;
break;
case "hotp":
$data['name'] = "hotp";
$data['pretty'] = "HMAC-based OTP";
return $data;
break;
case "totp":
$data['name'] = "totp";
$data['pretty'] = "Time-based OTP";
$stmt = $pdo->prepare("SELECT `id`, `key_id`, `secret` FROM `tfa` WHERE `authmech` = 'totp' AND `username` = :username");
$stmt->execute(array(
':username' => $username,
));
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
while($row = array_shift($rows)) {
$data['additional'][] = $row;
}
return $data;
break;
case "webauthn":
$data['name'] = "webauthn";
$data['pretty'] = "WebAuthn";
$stmt = $pdo->prepare("SELECT `id`, `key_id` FROM `tfa` WHERE `authmech` = 'webauthn' AND `username` = :username");
$stmt->execute(array(
':username' => $username,
));
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
while($row = array_shift($rows)) {
$data['additional'][] = $row;
}
return $data;
break;
default:
}
else {
$data['name'] = 'none';
$data['pretty'] = "-";
return $data;
break;
}
}
}
else {
$data['name'] = 'none';
$data['pretty'] = "-";
return $data;
}
}
function verify_tfa_login($username, $_data, $WebAuthn) {
global $pdo;
global $yubi;
global $u2f;
global $tfa;
function verify_tfa_login($username, $_data) {
global $pdo;
global $yubi;
global $u2f;
global $tfa;
global $WebAuthn;
if ($_data['tfa_method'] != 'u2f'){
$stmt = $pdo->prepare("SELECT `authmech` FROM `tfa`
WHERE `username` = :username AND `active` = '1'");
$stmt->execute(array(':username' => $username));
WHERE `username` = :username AND `id` = :id AND `active` = '1'");
$stmt->execute(array(':username' => $username, ':id' => $_data['id']));
$row = $stmt->fetch(PDO::FETCH_ASSOC);
switch ($row["authmech"]) {
@@ -1597,9 +1645,10 @@ function verify_tfa_login($username, $_data, $WebAuthn) {
$stmt = $pdo->prepare("SELECT `id`, `secret` FROM `tfa`
WHERE `username` = :username
AND `authmech` = 'yubi_otp'
AND `active`='1'
AND `id` = :id
AND `active` = '1'
AND `secret` LIKE :modhex");
$stmt->execute(array(':username' => $username, ':modhex' => '%' . $yubico_modhex_id));
$stmt->execute(array(':username' => $username, ':modhex' => '%' . $yubico_modhex_id, ':id' => $_data['id']));
$row = $stmt->fetch(PDO::FETCH_ASSOC);
$yubico_auth = explode(':', $row['secret']);
$yubi = new Auth_Yubico($yubico_auth[0], $yubico_auth[1]);
@@ -1632,15 +1681,16 @@ function verify_tfa_login($username, $_data, $WebAuthn) {
return false;
break;
case "totp":
try {
try {
$stmt = $pdo->prepare("SELECT `id`, `secret` FROM `tfa`
WHERE `username` = :username
AND `authmech` = 'totp'
AND `id` = :id
AND `active`='1'");
$stmt->execute(array(':username' => $username));
$stmt->execute(array(':username' => $username, ':id' => $_data['id']));
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
foreach ($rows as $row) {
if ($tfa->verifyCode($row['secret'], $_data['token']) === true) {
if ($tfa->verifyCode($row['secret'], $_data['token']) === true) {
$_SESSION['tfa_id'] = $row['id'];
$_SESSION['return'][] = array(
'type' => 'success',
@@ -1648,7 +1698,7 @@ function verify_tfa_login($username, $_data, $WebAuthn) {
'msg' => 'verified_totp_login'
);
return true;
}
}
}
$_SESSION['return'][] = array(
'type' => 'danger',
@@ -1656,23 +1706,16 @@ function verify_tfa_login($username, $_data, $WebAuthn) {
'msg' => 'totp_verification_failed'
);
return false;
}
catch (PDOException $e) {
}
catch (PDOException $e) {
$_SESSION['return'][] = array(
'type' => 'danger',
'log' => array(__FUNCTION__, $username, '*'),
'msg' => array('mysql_error', $e)
);
return false;
}
}
break;
// u2f - deprecated, should be removed
case "u2f":
// delete old keys that used u2f
$stmt = $pdo->prepare("DELETE FROM `tfa` WHERE `authmech` = :authmech AND `username` = :username");
$stmt->execute(array(':authmech' => 'u2f', ':username' => $username));
return true;
case "webauthn":
$tokenData = json_decode($_data['token']);
$clientDataJSON = base64_decode($tokenData->clientDataJSON);
@@ -1681,13 +1724,20 @@ function verify_tfa_login($username, $_data, $WebAuthn) {
$id = base64_decode($tokenData->id);
$challenge = $_SESSION['challenge'];
$stmt = $pdo->prepare("SELECT `key_id`, `keyHandle`, `username`, `publicKey` FROM `tfa` WHERE `keyHandle` = :tokenId");
$stmt->execute(array(':tokenId' => $tokenData->id));
$stmt = $pdo->prepare("SELECT `id`, `key_id`, `keyHandle`, `username`, `publicKey` FROM `tfa` WHERE `id` = :id AND `active`='1'");
$stmt->execute(array(':id' => $_data['id']));
$process_webauthn = $stmt->fetch(PDO::FETCH_ASSOC);
if (empty($process_webauthn) || empty($process_webauthn['publicKey']) || empty($process_webauthn['username'])) return false;
if (empty($process_webauthn)){
$_SESSION['return'][] = array(
'type' => 'danger',
'log' => array(__FUNCTION__, $username, '*'),
'msg' => array('webauthn_verification_failed', 'authenticator not found')
);
return false;
}
if ($process_webauthn['publicKey'] === false) {
if (empty($process_webauthn['publicKey']) || $process_webauthn['publicKey'] === false) {
$_SESSION['return'][] = array(
'type' => 'danger',
'log' => array(__FUNCTION__, $username, '*'),
@@ -1695,6 +1745,7 @@ function verify_tfa_login($username, $_data, $WebAuthn) {
);
return false;
}
try {
$WebAuthn->processGet($clientDataJSON, $authenticatorData, $signature, $process_webauthn['publicKey'], $challenge, null, $GLOBALS['WEBAUTHN_UV_FLAG_LOGIN'], $GLOBALS['WEBAUTHN_USER_PRESENT_FLAG']);
}
@@ -1707,26 +1758,31 @@ function verify_tfa_login($username, $_data, $WebAuthn) {
return false;
}
$stmt = $pdo->prepare("SELECT `superadmin` FROM `admin` WHERE `username` = :username");
$stmt->execute(array(':username' => $process_webauthn['username']));
$obj_props = $stmt->fetch(PDO::FETCH_ASSOC);
if ($obj_props['superadmin'] === 1) {
$_SESSION["mailcow_cc_role"] = "admin";
$_SESSION["mailcow_cc_role"] = "admin";
}
elseif ($obj_props['superadmin'] === 0) {
$_SESSION["mailcow_cc_role"] = "domainadmin";
$_SESSION["mailcow_cc_role"] = "domainadmin";
}
else {
$stmt = $pdo->prepare("SELECT `username` FROM `mailbox` WHERE `username` = :username");
$stmt->execute(array(':username' => $process_webauthn['username']));
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if ($row['username'] == $process_webauthn['username']) {
$stmt = $pdo->prepare("SELECT `username` FROM `mailbox` WHERE `username` = :username");
$stmt->execute(array(':username' => $process_webauthn['username']));
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if (!empty($row['username'])) {
$_SESSION["mailcow_cc_role"] = "user";
}
} else {
$_SESSION['return'][] = array(
'type' => 'danger',
'log' => array(__FUNCTION__, $username, '*'),
'msg' => array('webauthn_verification_failed', 'could not determine user role')
);
return false;
}
}
if ($process_webauthn['username'] != $_SESSION['pending_mailcow_cc_username']){
$_SESSION['return'][] = array(
'type' => 'danger',
@@ -1736,9 +1792,8 @@ function verify_tfa_login($username, $_data, $WebAuthn) {
return false;
}
$_SESSION["mailcow_cc_username"] = $process_webauthn['username'];
$_SESSION['tfa_id'] = $process_webauthn['key_id'];
$_SESSION['tfa_id'] = $process_webauthn['id'];
$_SESSION['authReq'] = null;
unset($_SESSION["challenge"]);
$_SESSION['return'][] = array(
@@ -1759,6 +1814,17 @@ function verify_tfa_login($username, $_data, $WebAuthn) {
}
return false;
} else {
// delete old keys that used u2f
$stmt = $pdo->prepare("SELECT * FROM `tfa` WHERE `authmech` = 'u2f' AND `username` = :username");
$stmt->execute(array(':username' => $username));
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
if (count($rows) == 0) return false;
$stmt = $pdo->prepare("DELETE FROM `tfa` WHERE `authmech` = 'u2f' AND `username` = :username");
$stmt->execute(array(':username' => $username));
return true;
}
}
function admin_api($access, $action, $data = null) {
global $pdo;

30
data/web/inc/functions.mailbox.inc.php
View File

@@ -338,7 +338,15 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
$custom_params = (empty(trim($_data['custom_params']))) ? '' : trim($_data['custom_params']);
// validate custom params
foreach (explode(' -', $custom_params) as $param){
foreach (explode('-', $custom_params) as $param){
if(empty($param)) continue;
// extract option
if (str_contains($param, '=')) $param = explode('=', $param)[0];
else $param = rtrim($param, ' ');
// remove first char if first char is -
if ($param[0] == '-') $param = ltrim($param, $param[0]);
if (str_contains($param, ' ')) {
// bad char
$_SESSION['return'][] = array(
@@ -349,11 +357,6 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
return false;
}
// extract option
if (str_contains($param, '=')) $param = explode('=', $param)[0];
// remove first char if first char is -
if ($param[0] == '-') $param = ltrim($param, $param[0]);
// check if param is whitelisted
if (!in_array(strtolower($param), $GLOBALS["IMAPSYNC_OPTIONS"]["whitelist"])){
// bad option
@@ -1791,7 +1794,15 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
}
// validate custom params
foreach (explode(' -', $custom_params) as $param){
foreach (explode('-', $custom_params) as $param){
if(empty($param)) continue;
// extract option
if (str_contains($param, '=')) $param = explode('=', $param)[0];
else $param = rtrim($param, ' ');
// remove first char if first char is -
if ($param[0] == '-') $param = ltrim($param, $param[0]);
if (str_contains($param, ' ')) {
// bad char
$_SESSION['return'][] = array(
@@ -1802,11 +1813,6 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
return false;
}
// extract option
if (str_contains($param, '=')) $param = explode('=', $param)[0];
// remove first char if first char is -
if ($param[0] == '-') $param = ltrim($param, $param[0]);
// check if param is whitelisted
if (!in_array(strtolower($param), $GLOBALS["IMAPSYNC_OPTIONS"]["whitelist"])){
// bad option

11
data/web/inc/init_db.inc.php
View File

@@ -3,7 +3,7 @@ function init_db_schema() {
try {
global $pdo;
$db_version = "18062022_1153";
$db_version = "25072022_2300";
$stmt = $pdo->query("SHOW TABLES LIKE 'versions'");
$num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC));
@@ -738,8 +738,8 @@ function init_db_schema() {
"username" => "VARCHAR(255) NOT NULL",
"authmech" => "ENUM('yubi_otp', 'u2f', 'hotp', 'totp', 'webauthn')",
"secret" => "VARCHAR(255) DEFAULT NULL",
"keyHandle" => "VARCHAR(255) DEFAULT NULL",
"publicKey" => "VARCHAR(255) DEFAULT NULL",
"keyHandle" => "VARCHAR(1023) DEFAULT NULL",
"publicKey" => "VARCHAR(4096) DEFAULT NULL",
"counter" => "INT NOT NULL DEFAULT '0'",
"certificate" => "TEXT",
"active" => "TINYINT(1) NOT NULL DEFAULT '0'"
@@ -1227,7 +1227,7 @@ function init_db_schema() {
$pdo->query($create);
}
// Mitigate imapsync pipemess issue
// Mitigate imapsync argument injection issue
$pdo->query("UPDATE `imapsync` SET `custom_params` = ''
WHERE `custom_params` LIKE '%pipemess%'
OR custom_params LIKE '%skipmess%'
@@ -1237,8 +1237,7 @@ function init_db_schema() {
OR custom_params LIKE '%pipemess%'
OR custom_params LIKE '%regextrans2%'
OR custom_params LIKE '%maxlinelengthcmd%';");
// Migrate webauthn tfa
$stmt = $pdo->query("ALTER TABLE `tfa` MODIFY COLUMN `authmech` ENUM('yubi_otp', 'u2f', 'hotp', 'totp', 'webauthn')");

3
data/web/inc/prerequisites.inc.php
View File

@@ -66,8 +66,9 @@ $qrprovider = new RobThree\Auth\Providers\Qr\QRServerProvider();
$tfa = new RobThree\Auth\TwoFactorAuth($OTP_LABEL, 6, 30, 'sha1', $qrprovider);
// FIDO2
$server_name = parse_url('https://' . $_SERVER['HTTP_HOST'], PHP_URL_HOST);
$formats = $GLOBALS['FIDO2_FORMATS'];
$WebAuthn = new lbuchs\WebAuthn\WebAuthn('WebAuthn Library', $_SERVER['HTTP_HOST'], $formats);
$WebAuthn = new lbuchs\WebAuthn\WebAuthn('WebAuthn Library', $server_name, $formats);
// only include root ca's when needed
if (getenv('WEBAUTHN_ONLY_TRUSTED_VENDORS') == 'y') $WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates');

31
data/web/inc/triggers.inc.php
View File

@@ -1,24 +1,24 @@
<?php
if (isset($_POST["verify_tfa_login"])) {
if (verify_tfa_login($_SESSION['pending_mailcow_cc_username'], $_POST, $WebAuthn)) {
if (verify_tfa_login($_SESSION['pending_mailcow_cc_username'], $_POST)) {
$_SESSION['mailcow_cc_username'] = $_SESSION['pending_mailcow_cc_username'];
$_SESSION['mailcow_cc_role'] = $_SESSION['pending_mailcow_cc_role'];
unset($_SESSION['pending_mailcow_cc_username']);
unset($_SESSION['pending_mailcow_cc_role']);
unset($_SESSION['pending_tfa_method']);
unset($_SESSION['pending_tfa_methods']);
header("Location: /user");
} else {
unset($_SESSION['pending_mailcow_cc_username']);
unset($_SESSION['pending_mailcow_cc_role']);
unset($_SESSION['pending_tfa_method']);
unset($_SESSION['pending_tfa_methods']);
}
}
if (isset($_GET["cancel_tfa_login"])) {
unset($_SESSION['pending_mailcow_cc_username']);
unset($_SESSION['pending_mailcow_cc_role']);
unset($_SESSION['pending_tfa_method']);
unset($_SESSION['pending_tfa_methods']);
header("Location: /");
}
@@ -34,6 +34,7 @@ if (isset($_POST["quick_delete"])) {
if (isset($_POST["login_user"]) && isset($_POST["pass_user"])) {
$login_user = strtolower(trim($_POST["login_user"]));
$as = check_login($login_user, $_POST["pass_user"]);
if ($as == "admin") {
$_SESSION['mailcow_cc_username'] = $login_user;
$_SESSION['mailcow_cc_role'] = "admin";
@@ -47,22 +48,22 @@ if (isset($_POST["login_user"]) && isset($_POST["pass_user"])) {
elseif ($as == "user") {
$_SESSION['mailcow_cc_username'] = $login_user;
$_SESSION['mailcow_cc_role'] = "user";
$http_parameters = explode('&', $_SESSION['index_query_string']);
unset($_SESSION['index_query_string']);
if (in_array('mobileconfig', $http_parameters)) {
if (in_array('only_email', $http_parameters)) {
header("Location: /mobileconfig.php?email_only");
die();
}
header("Location: /mobileconfig.php");
die();
}
$http_parameters = explode('&', $_SESSION['index_query_string']);
unset($_SESSION['index_query_string']);
if (in_array('mobileconfig', $http_parameters)) {
if (in_array('only_email', $http_parameters)) {
header("Location: /mobileconfig.php?email_only");
die();
}
header("Location: /mobileconfig.php");
die();
}
header("Location: /user");
}
elseif ($as != "pending") {
unset($_SESSION['pending_mailcow_cc_username']);
unset($_SESSION['pending_mailcow_cc_role']);
unset($_SESSION['pending_tfa_method']);
unset($_SESSION['pending_tfa_methods']);
unset($_SESSION['mailcow_cc_username']);
unset($_SESSION['mailcow_cc_role']);
}

244
data/web/inc/vars.inc.php
View File

@@ -232,131 +232,127 @@ $RSPAMD_MAPS = array(
$IMAPSYNC_OPTIONS = array(
'whitelist' => array(
'log',
'showpasswords',
'nossl1',
'nossl2',
'ssl2',
'notls1',
'notls2',
'tls2',
'debugssl',
'sslargs1',
'sslargs2',
'authmech1',
'authmech2',
'authuser1',
'authuser2',
'proxyauth1',
'proxyauth2',
'authmd51',
'authmd52',
'domain1',
'domain2',
'oauthaccesstoken1',
'oauthaccesstoken2',
'oauthdirect1',
'oauthdirect2',
'folder',
'folder',
'folderrec',
'folderrec',
'folderfirst',
'folderfirst',
'folderlast',
'folderlast',
'nomixfolders',
'skipemptyfolders',
'include',
'include',
'subfolder1',
'subscribed',
'subscribe',
'prefix1',
'prefix2',
'sep1',
'sep2',
'nofoldersizesatend',
'justfoldersizes',
'pidfile',
'pidfilelocking',
'nolog',
'logfile',
'logdir',
'debugcrossduplicates',
'disarmreadreceipts',
'truncmess',
'synclabels',
'resynclabels',
'resyncflags',
'noresyncflags',
'filterbuggyflags',
'expunge1',
'noexpunge1',
'delete1emptyfolders',
'delete2folders',
'noexpunge2',
'nouidexpunge2',
'syncinternaldates',
'idatefromheader',
'maxsize',
'minsize',
'minage',
'search',
'search1',
'search2',
'noabletosearch',
'noabletosearch1',
'noabletosearch2',
'maxlinelength',
'useheader',
'useheader',
'syncduplicates',
'usecache',
'nousecache',
'useuid',
'syncacls',
'nosyncacls',
'debug',
'debugfolders',
'debugcontent',
'debugflags',
'debugimap1',
'debugimap2',
'debugimap',
'debugmemory',
'errorsmax',
'tests',
'testslive',
'testslive6',
'gmail1',
'gmail2',
'office1',
'office2',
'exchange1',
'exchange2',
'domino1',
'domino2',
'keepalive1',
'keepalive2',
'maxmessagespersecond',
'maxbytesafter',
'maxsleep',
'abort',
'exitwhenover',
'noid',
'justconnect',
'justlogin',
'justfolders'
'authmech1',
'authmech2',
'authuser1',
'authuser2',
'debugcontent',
'disarmreadreceipts',
'logdir',
'debugcrossduplicates',
'maxsize',
'minsize',
'minage',
'search',
'noabletosearch',
'pidfile',
'pidfilelocking',
'search1',
'search2',
'sslargs1',
'sslargs2',
'syncduplicates',
'usecache',
'synclabels',
'truncmess',
'domino2',
'expunge1',
'filterbuggyflags',
'justconnect',
'justfolders',
'maxlinelength',
'useheader',
'noabletosearch1',
'nolog',
'prefix1',
'prefix2',
'sep1',
'sep2',
'nofoldersizesatend',
'justfoldersizes',
'proxyauth1',
'skipemptyfolders',
'include',
'subfolder1',
'subscribed',
'subscribe',
'debug',
'debugimap2',
'domino1',
'exchange1',
'exchange2',
'justlogin',
'keepalive1',
'keepalive2',
'noabletosearch2',
'noexpunge2',
'noresyncflags',
'nossl1',
'nouidexpunge2',
'syncinternaldates',
'idatefromheader',
'useuid',
'debugflags',
'debugimap',
'delete1emptyfolders',
'delete2folders',
'gmail2',
'office1',
'testslive6',
'debugimap1',
'errorsmax',
'tests',
'gmail1',
'maxmessagespersecond',
'maxbytesafter',
'maxsleep',
'abort',
'resyncflags',
'resynclabels',
'syncacls',
'nosyncacls',
'nousecache',
'office2',
'testslive',
'debugmemory',
'exitwhenover',
'noid',
'noexpunge1',
'authmd51',
'logfile',
'proxyauth2',
'domain1',
'domain2',
'oauthaccesstoken1',
'oauthaccesstoken2',
'oauthdirect1',
'oauthdirect2',
'folder',
'folderrec',
'folderfirst',
'folderlast',
'nomixfolders',
'authmd52',
'debugfolders',
'nossl2',
'ssl2',
'tls2',
'notls2',
'debugssl',
'notls1',
'inet4',
'inet6',
'log',
'showpasswords'
),
'blacklist' => array(
'skipmess',
'delete2foldersonly',
'delete2foldersbutnot',
'regexflag',
'regexmess',
'pipemess',
'regextrans2',
'maxlinelengthcmd'
'skipmess',
'delete2foldersonly',
'delete2foldersbutnot',
'regexflag',
'regexmess',
'pipemess',
'regextrans2',
'maxlinelengthcmd'
)
);

47
data/web/json_api.php
View File

@@ -178,15 +178,22 @@ if (isset($_GET['query'])) {
// parse post data
$post = trim(file_get_contents('php://input'));
if ($post) $post = json_decode($post);
// decode base64 strings
$clientDataJSON = base64_decode($post->clientDataJSON);
$attestationObject = base64_decode($post->attestationObject);
// process registration data from authenticator
try {
// decode base64 strings
$clientDataJSON = base64_decode($post->clientDataJSON);
$attestationObject = base64_decode($post->attestationObject);
// processCreate($clientDataJSON, $attestationObject, $challenge, $requireUserVerification=false, $requireUserPresent=true, $failIfRootMismatch=true)
$data = $WebAuthn->processCreate($clientDataJSON, $attestationObject, $_SESSION['challenge'], false, true);
// safe authenticator in mysql `tfa` table
$_data['tfa_method'] = $post->tfa_method;
$_data['key_id'] = $post->key_id;
$_data['confirm_password'] = $post->confirm_password;
$_data['registration'] = $data;
set_tfa($_data);
}
catch (Throwable $ex) {
// err
@@ -197,11 +204,6 @@ if (isset($_GET['query'])) {
exit;
}
// safe authenticator in mysql `tfa` table
$_data['tfa_method'] = $post->tfa_method;
$_data['key_id'] = $post->key_id;
$_data['registration'] = $data;
set_tfa($_data);
// send response
$return = new stdClass();
@@ -419,7 +421,7 @@ if (isset($_GET['query'])) {
// }
$ids = NULL;
$getArgs = $WebAuthn->getGetArgs($ids, 30, true, true, true, true, $GLOBALS['FIDO2_UV_FLAG_LOGIN']);
$getArgs = $WebAuthn->getGetArgs($ids, 30, false, false, false, false, $GLOBALS['FIDO2_UV_FLAG_LOGIN']);
print(json_encode($getArgs));
$_SESSION['challenge'] = $WebAuthn->getChallenge();
return;
@@ -428,8 +430,11 @@ if (isset($_GET['query'])) {
case "webauthn-tfa-registration":
if (isset($_SESSION["mailcow_cc_role"])) {
// Exclude existing CredentialIds, if any
$stmt = $pdo->prepare("SELECT `keyHandle` FROM `tfa` WHERE username = :username");
$stmt->execute(array(':username' => $_SESSION['mailcow_cc_username']));
$stmt = $pdo->prepare("SELECT `keyHandle` FROM `tfa` WHERE username = :username AND authmech = :authmech");
$stmt->execute(array(
':username' => $_SESSION['mailcow_cc_username'],
':authmech' => 'webauthn'
));
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
while($row = array_shift($rows)) {
$excludeCredentialIds[] = base64_decode($row['keyHandle']);
@@ -450,20 +455,24 @@ if (isset($_GET['query'])) {
}
break;
case "webauthn-tfa-get-args":
$stmt = $pdo->prepare("SELECT `keyHandle` FROM `tfa` WHERE username = :username");
$stmt->execute(array(':username' => $_SESSION['pending_mailcow_cc_username']));
$stmt = $pdo->prepare("SELECT `keyHandle` FROM `tfa` WHERE username = :username AND authmech = :authmech");
$stmt->execute(array(
':username' => $_SESSION['pending_mailcow_cc_username'],
':authmech' => 'webauthn'
));
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
while($row = array_shift($rows)) {
$cids[] = base64_decode($row['keyHandle']);
}
if (count($cids) == 0) {
if (count($rows) == 0) {
print(json_encode(array(
'type' => 'error',
'msg' => 'Cannot find matching credentialIds'
)));
exit;
}
while($row = array_shift($rows)) {
$cids[] = base64_decode($row['keyHandle']);
}
$getArgs = $WebAuthn->getGetArgs($cids, 30, true, true, true, true, $GLOBALS['WEBAUTHN_UV_FLAG_LOGIN']);
$getArgs = $WebAuthn->getGetArgs($cids, 30, false, false, false, false, $GLOBALS['WEBAUTHN_UV_FLAG_LOGIN']);
$getArgs->publicKey->extensions = array('appid' => "https://".$getArgs->publicKey->rpId);
print(json_encode($getArgs));
$_SESSION['challenge'] = $WebAuthn->getChallenge();

5
data/web/lang/lang.ru.json
View File

@@ -988,7 +988,7 @@
"enter_qr_code": "Ваш код TOTP, если устройство не может отсканировать QR-код",
"error_code": "Код ошибки",
"init_webauthn": "Инициализация, пожалуйста, подождите...",
"key_id": "Идентификатор YubiKey ключа",
"key_id": "Идентификатор вашего устройства",
"key_id_totp": "Идентификатор TOTP ключа",
"none": "Отключить",
"reload_retry": "- (перезагрузить страницу браузера или почистите кеш/cookies, если ошибка повторяется)",
@@ -1002,7 +1002,8 @@
"webauthn": "WebAuthn аутентификация",
"waiting_usb_auth": "<i>Ожидание устройства USB...</i><br><br>Пожалуйста, нажмите кнопку на USB устройстве сейчас.",
"waiting_usb_register": "<i>Ожидание устройства USB...</i><br><br>Пожалуйста, введите пароль выше и подтвердите регистрацию, нажав кнопку на USB устройстве.",
"yubi_otp": "Yubico OTP аутентификация"
"yubi_otp": "Yubico OTP аутентификация",
"u2f_deprecated": "Похоже, что ваш ключ был зарегистрирован с использованием устаревшего метода U2F. Мы деактивируем для вас двухфакторную аутентификацию и удалим ваш ключ."
},
"user": {
"action": "Действия",

3
data/web/lang/lang.uk.json
View File

@@ -980,7 +980,8 @@
"resource_modified": "Зміни поштового акаунту %s збережено",
"settings_map_added": "Правило додано",
"tls_policy_map_entry_deleted": "Політику TLS ID %s видалено",
"verified_totp_login": "Авторизацію TOTP пройдено"
"verified_totp_login": "Авторизацію TOTP пройдено",
"domain_add_dkim_available": "Ключ DKIM вже існує"
},
"tfa": {
"confirm": "Підтвердьте",

102
data/web/templates/base.twig
View File

@@ -176,15 +176,62 @@ function recursiveBase64StrToArrayBuffer(obj) {
{% endfor %}
// Confirm TFA modal
{% if pending_tfa_method %}
{% if pending_tfa_methods %}
$('#ConfirmTFAModal').modal({
backdrop: 'static',
keyboard: false
});
// validate Yubi OTP tfa
$("#pending_tfa_tab_yubi_otp").click(function(){
$(".totp-authenticator-selection").removeClass("active");
$(".webauthn-authenticator-selection").removeClass("active");
$("#collapseTotpTFA").collapse('hide');
$("#collapseWebAuthnTFA").collapse('hide');
});
$(".yubi-authenticator-selection").click(function(){
$(".yubi-authenticator-selection").removeClass("active");
$(this).addClass("active");
var id = $(this).children('input').first().val();
$("#yubi_selected_id").val(id);
$("#collapseYubiTFA").collapse('show');
});
// validate Time based OTP tfa
$("#pending_tfa_tab_totp").click(function(){
$(".yubi-authenticator-selection").removeClass("active");
$(".webauthn-authenticator-selection").removeClass("active");
$("#collapseYubiTFA").collapse('hide');
$("#collapseWebAuthnTFA").collapse('hide');
});
$(".totp-authenticator-selection").click(function(){
$(".totp-authenticator-selection").removeClass("active");
$(this).addClass("active");
var id = $(this).children('input').first().val();
$("#totp_selected_id").val(id);
$("#collapseTotpTFA").collapse('show');
});
// validate WebAuthn tfa
$('#start_webauthn_confirmation').click(function(){
$('#webauthn_status_auth').html('<p><i class="bi bi-arrow-repeat icon-spin"></i> ' + lang_tfa.init_webauthn + '</p>');
$("#pending_tfa_tab_webauthn").click(function(){
$(".totp-authenticator-selection").removeClass("active");
$(".yubi-authenticator-selection").removeClass("active");
$("#collapseTotpTFA").collapse('hide');
$("#collapseYubiTFA").collapse('hide');
});
$(".webauthn-authenticator-selection").click(function(){
$(".webauthn-authenticator-selection").removeClass("active");
$(this).addClass("active");
var id = $(this).children('input').first().val();
$("#webauthn_selected_id").val(id);
$("#collapseWebAuthnTFA").collapse('show');
$(this).find('input[name=token]').focus();
if(document.getElementById("webauthn_auth_data") !== null) {
@@ -198,30 +245,32 @@ function recursiveBase64StrToArrayBuffer(obj) {
window.fetch("/api/v1/get/webauthn-tfa-get-args", {method:'GET',cache:'no-cache'}).then(response => {
return response.json();
}).then(json => {
if (json.success === false) throw new Error();
console.log(json);
if (json.success === false) throw new Error();
if (json.type === "error") throw new Error(json.msg);
recursiveBase64StrToArrayBuffer(json);
return json;
recursiveBase64StrToArrayBuffer(json);
return json;
}).then(getCredentialArgs => {
// get credentials
return navigator.credentials.get(getCredentialArgs);
// get credentials
return navigator.credentials.get(getCredentialArgs);
}).then(cred => {
return {
id: cred.rawId ? arrayBufferToBase64(cred.rawId) : null,
clientDataJSON: cred.response.clientDataJSON ? arrayBufferToBase64(cred.response.clientDataJSON) : null,
authenticatorData: cred.response.authenticatorData ? arrayBufferToBase64(cred.response.authenticatorData) : null,
signature : cred.response.signature ? arrayBufferToBase64(cred.response.signature) : null
};
return {
id: cred.rawId ? arrayBufferToBase64(cred.rawId) : null,
clientDataJSON: cred.response.clientDataJSON ? arrayBufferToBase64(cred.response.clientDataJSON) : null,
authenticatorData: cred.response.authenticatorData ? arrayBufferToBase64(cred.response.authenticatorData) : null,
signature : cred.response.signature ? arrayBufferToBase64(cred.response.signature) : null
};
}).then(JSON.stringify).then(function(AuthenticatorAttestationResponse) {
// send request by submit
var form = document.getElementById('webauthn_auth_form');
var auth = document.getElementById('webauthn_auth_data');
auth.value = AuthenticatorAttestationResponse;
form.submit();
// send request by submit
var form = document.getElementById('webauthn_auth_form');
var auth = document.getElementById('webauthn_auth_data');
auth.value = AuthenticatorAttestationResponse;
form.submit();
}).catch(function(err) {
var webauthn_return_code = document.getElementById('webauthn_return_code');
webauthn_return_code.style.display = webauthn_return_code.style.display === 'none' ? '' : null;
webauthn_return_code.innerHTML = lang_tfa.error_code + ': ' + err + ' ' + lang_tfa.reload_retry;
var webauthn_return_code = document.getElementById('webauthn_return_code');
webauthn_return_code.style.display = webauthn_return_code.style.display === 'none' ? '' : null;
webauthn_return_code.innerHTML = lang_tfa.error_code + ': ' + err + ' ' + lang_tfa.reload_retry;
});
}
});
@@ -237,7 +286,9 @@ function recursiveBase64StrToArrayBuffer(obj) {
}
});
});
{% endif %}
{% endif %}
// Validate FIDO2
$("#fido2-login").click(function(){
$('#fido2-alerts').html();
@@ -358,11 +409,13 @@ function recursiveBase64StrToArrayBuffer(obj) {
$("#start_webauthn_register").click(() => {
var key_id = document.getElementsByName('key_id')[1].value;
var confirm_password = document.getElementsByName('confirm_password')[1].value;
// fetch WebAuthn create args
window.fetch("/api/v1/get/webauthn-tfa-registration/{{ mailcow_cc_username|url_encode(true)|default('null') }}", {method:'GET',cache:'no-cache'}).then(response => {
return response.json();
}).then(json => {
console.log(json);
if (json.success === false) throw new Error(json.msg);
recursiveBase64StrToArrayBuffer(json);
@@ -375,7 +428,8 @@ function recursiveBase64StrToArrayBuffer(obj) {
clientDataJSON: cred.response.clientDataJSON ? arrayBufferToBase64(cred.response.clientDataJSON) : null,
attestationObject: cred.response.attestationObject ? arrayBufferToBase64(cred.response.attestationObject) : null,
key_id: key_id,
tfa_method: "webauthn"
tfa_method: "webauthn",
confirm_password: confirm_password
};
}).then(JSON.stringify).then(AuthenticatorAttestationResponse => {
// send request

2
data/web/templates/domainadmin.twig
View File

@@ -28,7 +28,7 @@
<div class="col-sm-9 col-xs-7">
<select id="selectTFA" class="selectpicker" title="{{ lang.tfa.select }}">
<option value="yubi_otp">{{ lang.tfa.yubi_otp }}</option>
<option value="u2f">{{ lang.tfa.u2f }}</option>
<option value="webauthn">{{ lang.tfa.webauthn }}</option>
<option value="totp">{{ lang.tfa.totp }}</option>
<option value="none">{{ lang.tfa.none }}</option>
</select>

219
data/web/templates/modals/footer.twig
View File

@@ -133,73 +133,174 @@
</div>
</div>
{% endif %}
{% if pending_tfa_method %}
{% if pending_tfa_methods %}
<div class="modal fade" id="ConfirmTFAModal" tabindex="-1" role="dialog" aria-labelledby="ConfirmTFAModalLabel">
<div class="modal-dialog" role="document">
<div class="modal-content">
<div class="modal-header">
<button type="button" class="close" data-dismiss="modal"><span aria-hidden="true">×</span></button>
<h3 class="modal-title">{{ lang.tfa[pending_tfa_method] }}</h3>
<h3 class="modal-title">{{ lang.tfa.tfa }}</h3>
</div>
<div class="modal-body">
{% if pending_tfa_method == 'yubi_otp' %}
<form role="form" method="post">
<div class="form-group">
<div class="input-group">
<span class="input-group-addon" id="yubi-addon"><img alt="Yubicon Icon" src="/img/yubi.ico"></span>
<input type="text" name="token" class="form-control" autocomplete="off" placeholder="Touch Yubikey" aria-describedby="yubi-addon">
<input type="hidden" name="tfa_method" value="yubi_otp">
</div>
</div>
<button class="btn btn-sm visible-xs-block visible-sm-inline visible-md-inline visible-lg-inline btn-sm btn-default" type="submit" name="verify_tfa_login">{{ lang.login.login }}</button>
</form>
{% endif %}
{% if pending_tfa_method == 'totp' %}
<form role="form" method="post">
<div class="form-group">
<div class="input-group">
<span class="input-group-addon" id="tfa-addon"><i class="bi bi-shield-lock-fill"></i></span>
<input type="number" min="000000" max="999999" name="token" class="form-control" placeholder="123456" autocomplete="one-time-code" aria-describedby="tfa-addon">
<input type="hidden" name="tfa_method" value="totp">
</div>
</div>
<button class="btn btn-sm visible-xs-block visible-sm-inline visible-md-inline visible-lg-inline btn-default" type="submit" name="verify_tfa_login">{{ lang.login.login }}</button>
</form>
{% endif %}
{% if pending_tfa_method == 'hotp' %}
<div class="empty"></div>
{% endif %}
<ul class="nav nav-tabs" id="tabContent">
{% if pending_tfa_authmechs["webauthn"] is defined and pending_tfa_authmechs["u2f"] is not defined %}
<li class="active"><a href="#tfa_tab_webauthn" data-toggle="tab" id="pending_tfa_tab_webauthn"><i class="bi bi-fingerprint"></i> WebAuthn</a></li>
{% endif %}
{% if pending_tfa_method == 'webauthn' %}
<form role="form" method="post" id="webauthn_auth_form">
<center>
<div style="cursor:pointer" id="start_webauthn_confirmation">
<svg xmlns="http://www.w3.org/2000/svg" width="64" height="64" viewBox="0 0 24 24">
<path d="M17.81 4.47c-.08 0-.16-.02-.23-.06C15.66 3.42 14 3 12.01 3c-1.98 0-3.86.47-5.57 1.41-.24.13-.54.04-.68-.2-.13-.24-.04-.55.2-.68C7.82 2.52 9.86 2 12.01 2c2.13 0 3.99.47 6.03 1.52.25.13.34.43.21.67-.09.18-.26.28-.44.28zM3.5 9.72c-.1 0-.2-.03-.29-.09-.23-.16-.28-.47-.12-.7.99-1.4 2.25-2.5 3.75-3.27C9.98 4.04 14 4.03 17.15 5.65c1.5.77 2.76 1.86 3.75 3.25.16.22.11.54-.12.7-.23.16-.54.11-.7-.12-.9-1.26-2.04-2.25-3.39-2.94-2.87-1.47-6.54-1.47-9.4.01-1.36.7-2.5 1.7-3.4 2.96-.08.14-.23.21-.39.21zm6.25 12.07c-.13 0-.26-.05-.35-.15-.87-.87-1.34-1.43-2.01-2.64-.69-1.23-1.05-2.73-1.05-4.34 0-2.97 2.54-5.39 5.66-5.39s5.66 2.42 5.66 5.39c0 .28-.22.5-.5.5s-.5-.22-.5-.5c0-2.42-2.09-4.39-4.66-4.39-2.57 0-4.66 1.97-4.66 4.39 0 1.44.32 2.77.93 3.85.64 1.15 1.08 1.64 1.85 2.42.19.2.19.51 0 .71-.11.1-.24.15-.37.15zm7.17-1.85c-1.19 0-2.24-.3-3.1-.89-1.49-1.01-2.38-2.65-2.38-4.39 0-.28.22-.5.5-.5s.5.22.5.5c0 1.41.72 2.74 1.94 3.56.71.48 1.54.71 2.54.71.24 0 .64-.03 1.04-.1.27-.05.53.13.58.41.05.27-.13.53-.41.58-.57.11-1.07.12-1.21.12zM14.91 22c-.04 0-.09-.01-.13-.02-1.59-.44-2.63-1.03-3.72-2.1-1.4-1.39-2.17-3.24-2.17-5.22 0-1.62 1.38-2.94 3.08-2.94 1.7 0 3.08 1.32 3.08 2.94 0 1.07.93 1.94 2.08 1.94s2.08-.87 2.08-1.94c0-3.77-3.25-6.83-7.25-6.83-2.84 0-5.44 1.58-6.61 4.03-.39.81-.59 1.76-.59 2.8 0 .78.07 2.01.67 3.61.1.26-.03.55-.29.64-.26.1-.55-.04-.64-.29-.49-1.31-.73-2.61-.73-3.96 0-1.2.23-2.29.68-3.24 1.33-2.79 4.28-4.6 7.51-4.6 4.55 0 8.25 3.51 8.25 7.83 0 1.62-1.38 2.94-3.08 2.94s-3.08-1.32-3.08-2.94c0-1.07-.93-1.94-2.08-1.94s-2.08.87-2.08 1.94c0 1.71.66 3.31 1.87 4.51.95.94 1.86 1.46 3.27 1.85.27.07.42.35.35.61-.05.23-.26.38-.47.38z"></path>
</svg>
<p>{{ lang.tfa.start_webauthn_validation }}</p>
<hr>
{% if pending_tfa_authmechs["yubi_otp"] is defined and pending_tfa_authmechs["u2f"] is not defined %}
<li class="tab-pane {% if pending_tfa_authmechs["yubi_otp"] %}active{% endif %}">
<a href="#tfa_tab_yubi_otp" data-toggle="tab" id="pending_tfa_tab_yubi_otp"><i class="bi bi-usb-drive"></i> Yubi OTP</a>
</li>
{% endif %}
{% if pending_tfa_authmechs["totp"] is defined and pending_tfa_authmechs["u2f"] is not defined %}
<li class="tab-pane {% if pending_tfa_authmechs["totp"] %}active{% endif %}">
<a href="#tfa_tab_totp" data-toggle="tab" id="pending_tfa_tab_totp"><i class="bi bi-clock-history"></i> Time based OTP</a>
</li>
{% endif %}
<!-- <li><a href="#tfa_tab_hotp" data-toggle="tab">HOTP</a></li> -->
{% if pending_tfa_authmechs["u2f"] is defined %}
<li class="active"><a href="#tfa_tab_u2f" data-toggle="tab"><i class="bi bi-x-octagon"></i> U2F</a></li>
{% endif %}
</ul>
<div class="tab-content">
{% if pending_tfa_authmechs["webauthn"] is defined and pending_tfa_authmechs["u2f"] is not defined %}
<div role="tabpanel" class="tab-pane active" id="tfa_tab_webauthn">
<div class="panel panel-default" style="margin-bottom: 0px;">
<div class="panel-body">
<form role="form" method="post" id="webauthn_auth_form">
<legend>
<i class="bi bi-shield-fill-check"></i>
Authenticators
</legend>
<div class="list-group">
{% for authenticator in pending_tfa_methods %}
{% if authenticator["authmech"] == "webauthn" %}
<a href="#" class="list-group-item webauthn-authenticator-selection">
<i class="bi bi-key-fill" style="margin-right: 5px"></i>
<span>{{ authenticator["key_id"] }}</span>
<input type="hidden" value="{{ authenticator["id"] }}" /><br/>
</a>
{% endif %}
{% endfor %}
</div>
<div class="collapse pending-tfa-collapse" id="collapseWebAuthnTFA">
<p id="webauthn_status_auth"><p><i class="bi bi-arrow-repeat icon-spin"></i> {{ lang.tfa.init_webauthn }}</p></p>
<div class="alert alert-danger" style="display:none" id="webauthn_return_code"></div>
</div>
<input type="hidden" name="token" id="webauthn_auth_data"/>
<input type="hidden" name="tfa_method" value="webauthn">
<input type="hidden" name="verify_tfa_login"/><br/>
<input type="hidden" name="id" id="webauthn_selected_id" /><br/>
</form>
</div>
</div>
</div>
</center>
<p id="webauthn_status_auth"></p>
<div class="alert alert-danger" style="display:none" id="webauthn_return_code"></div>
<input type="hidden" name="token" id="webauthn_auth_data"/>
<input type="hidden" name="tfa_method" value="webauthn">
<input type="hidden" name="verify_tfa_login"/><br/>
</form>
{% endif %}
{# leave this here to inform users that u2f is deprecated #}
{% if pending_tfa_method == 'u2f' %}
<form role="form" method="post" id="u2f_auth_form">
<p>{{ lang.tfa.u2f_deprecated }}</p>
<p><b>{{ lang.tfa.u2f_deprecated_important }}</b></p>
<input type="hidden" name="token" value="destroy" />
<input type="hidden" name="tfa_method" value="u2f">
<input type="hidden" name="verify_tfa_login"/><br/>
<button type="submit" class="btn btn-xs-lg btn-success" value="Login">{{ lang.login.login }}</button>
</form>
{% endif %}
</div>
{% endif %}
{% if pending_tfa_authmechs["yubi_otp"] is defined and pending_tfa_authmechs["u2f"] is not defined %}
<div role="tabpanel" class="tab-pane {% if pending_tfa_authmechs["yubi_otp"] %}active{% endif %}" id="tfa_tab_yubi_otp">
<div class="panel panel-default" style="margin-bottom: 0px;">
<div class="panel-body">
<form role="form" method="post">
<legend>
<i class="bi bi-shield-fill-check"></i>
Authenticators
</legend>
<div class="list-group">
{% for authenticator in pending_tfa_methods %}
{% if authenticator["authmech"] == "yubi_otp" %}
<a href="#" class="list-group-item yubi-authenticator-selection">
<i class="bi bi-key-fill" style="margin-right: 5px"></i>
<span>{{ authenticator["key_id"] }}</span>
<input type="hidden" value="{{ authenticator["id"] }}" />
</a>
{% endif %}
{% endfor %}
</div>
<div class="collapse pending-tfa-collapse" id="collapseYubiTFA">
<div class="form-group">
<div class="input-group">
<span class="input-group-addon" id="yubi-addon"><img alt="Yubicon Icon" src="/img/yubi.ico"></span>
<input type="text" name="token" class="form-control" autocomplete="off" placeholder="Touch Yubikey" aria-describedby="yubi-addon">
<input type="hidden" name="tfa_method" value="yubi_otp">
<input type="hidden" name="id" id="yubi_selected_id" />
</div>
</div>
<button class="btn btn-sm visible-xs-block visible-sm-inline visible-md-inline visible-lg-inline btn-sm btn-default" type="submit" name="verify_tfa_login">{{ lang.login.login }}</button>
</div>
</form>
</div>
</div>
</div>
{% endif %}
{% if pending_tfa_authmechs["totp"] is defined and pending_tfa_authmechs["u2f"] is not defined %}
<div role="tabpanel" class="tab-pane {% if pending_tfa_authmechs["totp"] %}active{% endif %}" id="tfa_tab_totp">
<div class="panel panel-default" style="margin-bottom: 0px;">
<div class="panel-body">
<form role="form" method="post">
<legend>
<i class="bi bi-shield-fill-check"></i>
Authenticators
</legend>
<div class="list-group">
{% for authenticator in pending_tfa_methods %}
{% if authenticator["authmech"] == "totp" %}
<a href="#" class="list-group-item totp-authenticator-selection">
<i class="bi bi-key-fill" style="margin-right: 5px"></i>
<span>{{ authenticator["key_id"] }}</span>
<input type="hidden" value="{{ authenticator["id"] }}" />
</a>
{% endif %}
{% endfor %}
</div>
<div class="collapse pending-tfa-collapse" id="collapseTotpTFA">
<div class="form-group">
<div class="input-group">
<span class="input-group-addon" id="tfa-addon"><i class="bi bi-shield-lock-fill"></i></span>
<input type="number" min="000000" max="999999" name="token" class="form-control" placeholder="123456" autocomplete="one-time-code" aria-describedby="tfa-addon">
<input type="hidden" name="tfa_method" value="totp">
<input type="hidden" name="id" id="totp_selected_id" /><br/>
</div>
</div>
<button class="btn btn-sm visible-xs-block visible-sm-inline visible-md-inline visible-lg-inline btn-default" type="submit" name="verify_tfa_login">{{ lang.login.login }}</button>
</div>
</form>
</div>
</div>
</div>
{% endif %}
<!--
<div role="tabpanel" class="tab-pane" id="tfa_tab_hotp">
<div class="panel panel-default" style="margin-bottom: 0px;">
<div class="panel-body">
<div class="empty"></div>
</div>
</div>
</div>
-->
{% if pending_tfa_authmechs["u2f"] is defined %}
<div role="tabpanel" class="tab-pane active" id="tfa_tab_u2f">
<div class="panel panel-default" style="margin-bottom: 0px;">
<div class="panel-body">
{# leave this here to inform users that u2f is deprecated #}
<form role="form" method="post" id="u2f_auth_form">
<div>
<p>{{ lang.tfa.u2f_deprecated }}</p>
<p><b>{{ lang.tfa.u2f_deprecated_important }}</b></p>
<input type="hidden" name="token" value="destroy" />
<input type="hidden" name="tfa_method" value="u2f">
<input type="hidden" name="verify_tfa_login"/><br/>
<button type="submit" class="btn btn-xs-lg btn-success" value="Login">{{ lang.login.login }}</button>
</div>
</form>
</div>
</div>
</div>
{% endif %}
</div>
</div>
</div>
</div>

4
data/web/templates/modals/mailbox.twig
View File

@@ -435,11 +435,11 @@
</div>
<div class="modal-body">
<p class="help-block">{{ lang.add.syncjob_hint }}</p>
<form class="form-horizontal" data-cached-form="true" role="form" data-id="add_syncjob">
<form class="form-horizontal" data-cached-form="false" role="form" data-id="add_syncjob">
<div class="form-group">
<label class="control-label col-sm-2" for="username">{{ lang.add.username }}</label>
<div class="col-sm-10">
<select data-live-search="true" name="username" required>
<select data-live-search="true" name="username" title="{{ lang.add.select }}" required>
{% for mailbox in mailboxes %}
<option>{{ mailbox }}</option>
{% endfor %}

27
data/web/templates/user/tab-user-auth.twig
View File

@@ -18,6 +18,10 @@
<i class="bi bi-inbox-fill"></i> {{ lang.user.open_webmail_sso }}
</a>
{% endif %}
<div>
<hr>
<p><a href="#pwChangeModal" data-toggle="modal"><i class="bi bi-pencil-fill"></i> {{ lang.user.change_password }}</a></p>
</div>
</div>
</div>
<hr>
@@ -43,8 +47,27 @@
</div>
</div>
<p>{{ mailboxdata.quota_used|formatBytes(2) }} / {% if mailboxdata.quota == 0 %}{% else %}{{ mailboxdata.quota|formatBytes(2) }}{% endif %}<br>{{ mailboxdata.messages }} {{ lang.user.messages }}</p>
<hr>
<p><a href="#pwChangeModal" data-toggle="modal"><i class="bi bi-pencil-fill"></i> {{ lang.user.change_password }}</a></p>
</div>
</div>
<hr>
{# TFA #}
<div class="row">
<div class="col-sm-3 col-xs-5 text-right">{{ lang.tfa.tfa }}:</div>
<div class="col-sm-9 col-xs-7">
<p id="tfa_pretty">{{ tfa_data.pretty }}</p>
{% include 'tfa_keys.twig' %}
<br>
</div>
</div>
<div class="row">
<div class="col-sm-3 col-xs-5 text-right">{{ lang.tfa.set_tfa }}:</div>
<div class="col-sm-9 col-xs-7">
<select data-style="btn btn-sm dropdown-toggle bs-placeholder btn-default" data-width="fit" id="selectTFA" class="selectpicker" title="{{ lang.tfa.select }}">
<option value="yubi_otp">{{ lang.tfa.yubi_otp }}</option>
<option value="webauthn">{{ lang.tfa.webauthn }}</option>
<option value="totp">{{ lang.tfa.totp }}</option>
<option value="none">{{ lang.tfa.none }}</option>
</select>
</div>
</div>
<hr>

4
data/web/user.php
View File

@@ -76,6 +76,7 @@ elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == '
'acl_json' => json_encode($_SESSION['acl']),
'user_spam_score' => mailbox('get', 'spam_score', $username),
'tfa_data' => $tfa_data,
'tfa_id' => @$_SESSION['tfa_id'],
'fido2_data' => $fido2_data,
'mailboxdata' => $mailboxdata,
'clientconfigstr' => $clientconfigstr,
@@ -90,8 +91,7 @@ elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == '
'number_of_app_passwords' => $number_of_app_passwords,
];
}
if (!isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == 'admin') {
else {
header('Location: /');
exit();
}

6
docker-compose.yml
View File

@@ -58,7 +58,7 @@ services:
- redis
clamd-mailcow:
image: mailcow/clamd:1.52
image: mailcow/clamd:1.54
restart: always
depends_on:
- unbound-mailcow
@@ -168,7 +168,7 @@ services:
- phpfpm
sogo-mailcow:
image: mailcow/sogo:1.108
image: mailcow/sogo:1.109
environment:
- DBNAME=${DBNAME}
- DBUSER=${DBUSER}
@@ -215,7 +215,7 @@ services:
- sogo
dovecot-mailcow:
image: mailcow/dovecot:1.162
image: mailcow/dovecot:1.17
depends_on:
- mysql-mailcow
dns:

9
helper-scripts/_cold-standby.sh
View File

@@ -271,4 +271,13 @@ if ! ssh -o StrictHostKeyChecking=no \
>&2 echo -e "\e[31m[ERR]\e[0m - Could not cleanup old images on remote"
fi
echo -e "\033[1mExecuting update script and checking for new docker-compose Version on remote...\033[0m"
if ! ssh -o StrictHostKeyChecking=no \
-i "${REMOTE_SSH_KEY}" \
${REMOTE_SSH_HOST} \
-p ${REMOTE_SSH_PORT} \
${SCRIPT_DIR}/../update.sh -f --update-compose ; then
>&2 echo -e "\e[31m[ERR]\e[0m - Could not fetch docker-compose on remote"
fi
echo -e "\e[32mDone\e[0m"

21
helper-scripts/backup_and_restore.sh
View File

@@ -76,13 +76,6 @@ else
CMPS_PRJ=$(echo ${COMPOSE_PROJECT_NAME} | tr -cd "[0-9A-Za-z-_]")
fi
for bin in docker docker-compose; do
if [[ -z $(which ${bin}) ]]; then
>&2 echo -e "\e[31mCannot find ${bin} in local PATH, exiting...\e[0m"
exit 1
fi
done
if grep --help 2>&1 | head -n 1 | grep -q -i "busybox"; then
>&2 echo -e "\e[31mBusyBox grep detected on local system, please install GNU grep\e[0m"
exit 1
@@ -94,6 +87,12 @@ function backup() {
mkdir -p "${BACKUP_LOCATION}/mailcow-${DATE}"
chmod 755 "${BACKUP_LOCATION}/mailcow-${DATE}"
cp "${SCRIPT_DIR}/../mailcow.conf" "${BACKUP_LOCATION}/mailcow-${DATE}"
for bin in docker; do
if [[ -z $(which ${bin}) ]]; then
>&2 echo -e "\e[31mCannot find ${bin} in local PATH, exiting...\e[0m"
exit 1
fi
done
while (( "$#" )); do
case "$1" in
vmail|all)
@@ -161,6 +160,12 @@ function backup() {
}
function restore() {
for bin in docker docker-compose; do
if [[ -z $(which ${bin}) ]]; then
>&2 echo -e "\e[31mCannot find ${bin} in local PATH, exiting...\e[0m"
exit 1
fi
done
echo
echo "Stopping watchdog-mailcow..."
docker stop $(docker ps -qf name=watchdog-mailcow)
@@ -354,4 +359,4 @@ elif [[ ${1} == "restore" ]]; then
done
echo "Restoring ${FILE_SELECTION[${input_sel}]} from ${RESTORE_POINT}..."
restore "${RESTORE_POINT}" ${FILE_SELECTION[${input_sel}]}
fi
fi

196
update.sh
View File

@@ -1,64 +1,6 @@
#!/usr/bin/env bash
# Check permissions
if [ "$(id -u)" -ne "0" ]; then
echo "You need to be root"
exit 1
fi
SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
# Run pre-update-hook
if [ -f "${SCRIPT_DIR}/pre_update_hook.sh" ]; then
bash "${SCRIPT_DIR}/pre_update_hook.sh"
fi
if [[ "$(uname -r)" =~ ^4\.15\.0-60 ]]; then
echo "DO NOT RUN mailcow ON THIS UBUNTU KERNEL!";
echo "Please update to 5.x or use another distribution."
exit 1
fi
if [[ "$(uname -r)" =~ ^4\.4\. ]]; then
if grep -q Ubuntu <<< $(uname -a); then
echo "DO NOT RUN mailcow ON THIS UBUNTU KERNEL!"
echo "Please update to linux-generic-hwe-16.04 by running \"apt-get install --install-recommends linux-generic-hwe-16.04\""
exit 1
fi
echo "mailcow on a 4.4.x kernel is not supported. It may or may not work, please upgrade your kernel or continue at your own risk."
read -p "Press any key to continue..." < /dev/tty
fi
# Exit on error and pipefail
set -o pipefail
# Setting high dc timeout
export COMPOSE_HTTP_TIMEOUT=600
# Add /opt/bin to PATH
PATH=$PATH:/opt/bin
umask 0022
for bin in curl docker git awk sha1sum; do
if [[ -z $(which ${bin}) ]]; then
echo "Cannot find ${bin}, exiting..."
exit 1;
elif [[ -z $(which docker-compose) ]]; then
echo "Cannot find docker-compose Standalone. Installing..."
sleep 3
if [[ -e /etc/alpine-release ]]; then
echo -e "\e[33mNot installing latest docker-compose, because you are using Alpine Linux without glibc support. Install docker-compose via apk!\e[0m"
exit 1
fi
curl -#L https://github.com/docker/compose/releases/download/v$(curl -Ls https://www.servercow.de/docker-compose/latest.php)/docker-compose-$(uname -s)-$(uname -m) > /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
fi
done
export LC_ALL=C
DATE=$(date +%Y-%m-%d_%H_%M_%S)
BRANCH=$(cd ${SCRIPT_DIR}; git rev-parse --abbrev-ref HEAD)
############## Begin Function Section ##############
check_online_status() {
CHECK_ONLINE_IPS=(1.1.1.1 9.9.9.9 8.8.8.8)
@@ -214,12 +156,16 @@ remove_obsolete_nginx_ports() {
for override in docker-compose.override.yml docker-compose.override.yaml; do
if [ -s $override ] ; then
if cat $override | grep nginx-mailcow > /dev/null 2>&1; then
if cat $override | grep -w [::] > /dev/null 2>&1; then
if cat $override | grep -E '(\[::])' > /dev/null 2>&1; then
if cat $override | grep -w 80:80 > /dev/null 2>&1 && cat $override | grep -w 443:443 > /dev/null 2>&1 ; then
echo -e "\e[33mBacking up ${override} to preserve custom changes...\e[0m"
echo -e "\e[33m!!! Manual Merge needed (if other overrides are set) !!!\e[0m"
sleep 3
cp $override ${override}_backup
sed -i '/nginx-mailcow:$/,/^$/d' $override
echo -e "\e[33mRemoved obsolete NGINX IPv6 Bind from override File.\e[0m"
echo -e "\e[33mRemoved obsolete NGINX IPv6 Bind from original override File.\e[0m"
if [[ "$(cat $override | sed '/^\s*$/d' | wc -l)" == "2" ]]; then
mv $override ${override}_backup
mv $override ${override}_empty
echo -e "\e[31m${override} is empty. Renamed it to ensure mailcow is startable.\e[0m"
fi
fi
@@ -237,6 +183,13 @@ elif [[ -e /etc/alpine-release ]]; then
echo -e "\e[33mNot fetching latest docker-compose, because you are using Alpine Linux without glibc support. Please update docker-compose via apk!\e[0m"
return 0
else
if [ ! $FORCE ]; then
read -r -p "Do you want to update your docker-compose Version? It will automatic upgrade your docker-compose installation (recommended)? [y/N] " updatecomposeresponse
if [[ ! "${updatecomposeresponse}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
echo "OK, not updating docker-compose."
return 0
fi
fi
echo -e "\e[32mFetching new docker-compose version...\e[0m"
echo -e "\e[32mTrying to determine GLIBC version...\e[0m"
if ldd --version > /dev/null; then
@@ -250,14 +203,18 @@ else
DC_DL_SUFFIX=legacy
fi
sleep 1
if [[ ! -z $(which pip) && $(pip list --local 2>&1 | grep -v DEPRECATION | grep -c docker-compose) == 1 ]]; then
true
if [[ $(command -v pip 2>&1) && $(pip list --local 2>&1 | grep -v DEPRECATION | grep -c docker-compose) == 1 || $(command -v pip3 2>&1) && $(pip3 list --local 2>&1 | grep -v DEPRECATION | grep -c docker-compose) == 1 ]]; then
echo -e "\e[33mFound a docker-compose Version installed with pip!\e[0m"
echo -e "\e[31mPlease uninstall the pip Version of docker-compose since it doesn´t support Versions higher than 1.29.2.\e[0m"
sleep 2
echo -e "\e[33mExiting...\e[0m"
exit 1
#prevent breaking a working docker-compose installed with pip
elif [[ $(curl -sL -w "%{http_code}" https://www.servercow.de/docker-compose/latest.php?vers=${DC_DL_SUFFIX} -o /dev/null) == "200" ]]; then
LATEST_COMPOSE=$(curl -#L https://www.servercow.de/docker-compose/latest.php)
COMPOSE_VERSION=$(docker-compose version --short)
if [[ "$LATEST_COMPOSE" != "$COMPOSE_VERSION" ]]; then
COMPOSE_PATH=$(which docker-compose)
COMPOSE_PATH=$(command -v docker-compose)
if [[ -w ${COMPOSE_PATH} ]]; then
curl -#L https://github.com/docker/compose/releases/download/v${LATEST_COMPOSE}/docker-compose-$(uname -s)-$(uname -m) > $COMPOSE_PATH
chmod +x $COMPOSE_PATH
@@ -273,6 +230,66 @@ else
fi
}
############## End Function Section ##############
# Check permissions
if [ "$(id -u)" -ne "0" ]; then
echo "You need to be root"
exit 1
fi
SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
# Run pre-update-hook
if [ -f "${SCRIPT_DIR}/pre_update_hook.sh" ]; then
bash "${SCRIPT_DIR}/pre_update_hook.sh"
fi
if [[ "$(uname -r)" =~ ^4\.15\.0-60 ]]; then
echo "DO NOT RUN mailcow ON THIS UBUNTU KERNEL!";
echo "Please update to 5.x or use another distribution."
exit 1
fi
if [[ "$(uname -r)" =~ ^4\.4\. ]]; then
if grep -q Ubuntu <<< $(uname -a); then
echo "DO NOT RUN mailcow ON THIS UBUNTU KERNEL!"
echo "Please update to linux-generic-hwe-16.04 by running \"apt-get install --install-recommends linux-generic-hwe-16.04\""
exit 1
fi
echo "mailcow on a 4.4.x kernel is not supported. It may or may not work, please upgrade your kernel or continue at your own risk."
read -p "Press any key to continue..." < /dev/tty
fi
# Exit on error and pipefail
set -o pipefail
# Setting high dc timeout
export COMPOSE_HTTP_TIMEOUT=600
# Add /opt/bin to PATH
PATH=$PATH:/opt/bin
umask 0022
for bin in curl docker git awk sha1sum; do
if [[ -z $(command -v ${bin}) ]]; then
echo "Cannot find ${bin}, exiting..."
exit 1;
fi
done
if [[ -z $(command -v docker-compose) ]]; then
echo -e "\e[31mCannot find docker-compose Standalone.\e[0m"
echo -e "\e[31mPlease install it manually regarding to this doc site: https://mailcow.github.io/mailcow-dockerized-docs/i_u_m/i_u_m_install/\e[0m"
sleep 3
exit 1;
fi
export LC_ALL=C
DATE=$(date +%Y-%m-%d_%H_%M_%S)
BRANCH=$(cd ${SCRIPT_DIR}; git rev-parse --abbrev-ref HEAD)
while (($#)); do
case "${1}" in
--check|-c)
@@ -314,19 +331,33 @@ while (($#)); do
--no-update-compose)
NO_UPDATE_COMPOSE=y
;;
--update-compose)
LATEST_COMPOSE=$(curl -#L https://www.servercow.de/docker-compose/latest.php)
COMPOSE_VERSION=$(docker-compose version --short)
if [[ "$LATEST_COMPOSE" != "$COMPOSE_VERSION" ]]; then
echo -e "\e[33mA new docker-compose Version is available: $LATEST_COMPOSE\e[0m"
echo -e "\e[33mYour Version is: $COMPOSE_VERSION\e[0m"
update_compose
echo -e "\e[32mYour docker-compose Version is now up to date!\e[0m"
else
echo -e "\e[32mYour docker-compose Version is up to date! Not updating it...\e[0m"
fi
exit 0
;;
--skip-ping-check)
SKIP_PING_CHECK=y
;;
--help|-h)
echo './update.sh [-c|--check, --ours, --gc, --no-update-compose, --prefetch, --skip-start, --skip-ping-check, -f|--force, -h|--help]
echo './update.sh [-c|--check, --ours, --gc, --no-update-compose, --update-compose, --prefetch, --skip-start, --skip-ping-check, -f|--force, -h|--help]
-c|--check - Check for updates and exit (exit codes => 0: update available, 3: no updates)
--ours - Use merge strategy option "ours" to solve conflicts in favor of non-mailcow code (local changes over remote changes), not recommended!
--gc - Run garbage collector to delete old image tags
--no-update-compose - Do not update docker-compose
--no-update-compose - Skip the docker-compose Updates during the mailcow Update process
--update-compose - Only run the docker-compose Update process (don´t updates your mailcow itself)
--prefetch - Only prefetch new images and exit (useful to prepare updates)
--skip-start - Do not start mailcow after update
--skip-ping-check - Skip ICMP Check to public DNS resolvers (Use it only if you´ve blocked any ICMP Connections to your mailcow machine).
--skip-ping-check - Skip ICMP Check to public DNS resolvers (Use it only if you´ve blocked any ICMP Connections to your mailcow machine)
-f|--force - Force update, do not ask questions
'
exit 1
@@ -334,6 +365,21 @@ while (($#)); do
shift
done
# Check if Docker-Compose is older then v2 before continuing
if ! docker-compose version --short | grep "^2." > /dev/null 2>&1; then
echo -e "\e[33mYour docker-compose Version is not up to date!\e[0m"
echo -e "\e[33mmailcow needs docker-compose > 2.X.X!\e[0m"
echo -e "\e[33mYour current installed Version: $(docker-compose version --short)\e[0m"
sleep 3
update_compose
if [[ ! "${updatecomposeresponse}" =~ ^([yY][eE][sS]|[yY])+$ ]] && [[ ! ${FORCE} ]]; then
echo -e "\e[31mmailcow does not work with docker-compose < 2.X.X anymore!\e[0m"
echo -e "\e[31mPlease update your docker-compose manually, to run mailcow.\e[0m"
echo -e "\e[31mExiting...\e[0m"
exit 1
fi
fi
[[ ! -f mailcow.conf ]] && { echo "mailcow.conf is missing"; exit 1;}
chmod 600 mailcow.conf
source mailcow.conf
@@ -629,7 +675,7 @@ fi
echo -e "\e[32mChecking for newer update script...\e[0m"
SHA1_1=$(sha1sum update.sh)
git fetch origin #${BRANCH}
git checkout origin/${BRANCH} update.sh docker-compose.yml
git checkout origin/${BRANCH} update.sh
SHA1_2=$(sha1sum update.sh)
if [[ ${SHA1_1} != ${SHA1_2} ]]; then
echo "update.sh changed, please run this script again, exiting."
@@ -653,11 +699,21 @@ if [ ! $FORCE ]; then
migrate_docker_nat
fi
update_compose
LATEST_COMPOSE=$(curl -#L https://www.servercow.de/docker-compose/latest.php)
COMPOSE_VERSION=$(docker-compose version --short)
if [[ "$LATEST_COMPOSE" != "$COMPOSE_VERSION" ]]; then
echo -e "\e[33mA new docker-compose Version is available: $LATEST_COMPOSE\e[0m"
echo -e "\e[33mYour Version is: $COMPOSE_VERSION\e[0m"
update_compose
else
echo -e "\e[32mYour docker-compose Version is up to date! Not updating it...\e[0m"
fi
remove_obsolete_nginx_ports
echo -e "\e[32mValidating docker-compose stack configuration...\e[0m"
sed -i 's/HTTPS_BIND:-:/HTTPS_BIND:-/g' docker-compose.yml
sed -i 's/HTTP_BIND:-:/HTTP_BIND:-/g' docker-compose.yml
if ! docker-compose config -q; then
echo -e "\e[31m\nOh no, something went wrong. Please check the error message above.\e[0m"
exit 1