First commit

2026-01-11 18:39:24 -06:00 · 2024-08-09 12:50:33 +00:00 · 2024-08-09 12:50:33 +00:00 · 7b58f82156
commit 7b58f82156
21 changed files with 1951 additions and 0 deletions
--- a/build/run/docker-entrypoint/entrypoint.sh
+++ b/build/run/docker-entrypoint/entrypoint.sh
@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+# Abort if an error is encountered
+set -e
+
+# Exit function
+trap '[ "${?}" -ne 77 ] || exit 77' ERR
+function die
+{
+    local reset="\e[0m"
+    local red="\e[0m\e[0;31m"
+    local yellow="\e[0m\e[0;33m"
+
+	echo -e "${red}
+Error encountered in the following init script:
+${yellow}
+	${@}
+${red}
+Aborting...
+${reset}"
+
+    exit 77
+}
+
+# Reset logs
+echo | tee /var/log/dovecot.log /var/log/postfix.log /usr/share/webapps/roundcube/logs/errors.log >/dev/null
+
+# Run all scripts in init folder
+for file in /docker-entrypoint/init.d/*.sh
+do
+    bash -c ${file} || die ${file}
+done
+
+# Reload services
+dovecot reload &&
+postfix reload &&
+echo -e "\n\e[1;32mMail service is ready\e[0m\n"
+
+# Monitor log
+tail -f /var/log/dovecot.log /var/log/postfix.log /usr/share/webapps/roundcube/logs/errors.log
--- a/build/run/docker-entrypoint/init.d/00-mariadb.sh
+++ b/build/run/docker-entrypoint/init.d/00-mariadb.sh
@ -0,0 +1,64 @@
+#!/usr/bin/env bash
+# Exit if any errors pop up
+set -e
+
+# Remove sock
+rm -f /run/mysqld/mysqld.sock
+
+# Abort if setup hasn't been completed yet
+if [ ! -d /var/lib/mysql/mysql/ ]
+then
+	echo "MariaDB does not appear to be properly installed. Exiting..."
+	exit 1
+fi
+
+# Function to wait for temporary mariadb to be ready
+function wait_for_mariadb_start
+{
+	# Start mariadb
+	mariadbd-safe --user=root --datadir=/var/lib/mysql/ &
+    until mariadb --user=root --database=mysql -e "show tables;" >/dev/null
+    do
+        sleep 1
+    done
+}
+# Function to wait for mariadb to fully exit
+function wait_for_mariadb_stop
+{
+    mariadb --user=root -e "shutdown;"
+    until ! mariadb --user=root --database=mysql -e "show tables;" >/dev/null
+    do
+        sleep 1
+    done
+}
+
+# Roundcube database
+if [ ! -d /var/lib/mysql/${MYVEMAIL_ROUNDCUBE_DBNAME}/ ]
+then
+	wait_for_mariadb_start
+
+	mariadb -u root <<- ROUNDCUBE
+	CREATE DATABASE ${MYVEMAIL_ROUNDCUBE_DBNAME} CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
+	GRANT ALL PRIVILEGES ON ${MYVEMAIL_ROUNDCUBE_DBNAME}.* TO '${MYVEMAIL_ROUNDCUBE_DBUSER}'@'localhost' IDENTIFIED BY '${MYVEMAIL_ROUNDCUBE_DBPASS}';
+	flush privileges;
+	ROUNDCUBE
+	mariadb ${MYVEMAIL_ROUNDCUBE_DBNAME} </usr/share/webapps/roundcube/SQL/mysql.initial.sql
+
+	wait_for_mariadb_stop
+fi
+
+# Postfixadmin database
+if [ ! -d /var/lib/mysql/${MYVEMAIL_POSTFIXADMIN_DBNAME}/ ]
+then
+	wait_for_mariadb_start
+	mariadb -u root <<- POSTFIXADMIN
+	CREATE DATABASE ${MYVEMAIL_POSTFIXADMIN_DBNAME};
+	GRANT ALL PRIVILEGES ON ${MYVEMAIL_POSTFIXADMIN_DBNAME}.* to '${MYVEMAIL_POSTFIXADMIN_DBUSER}'@'localhost' IDENTIFIED BY '${MYVEMAIL_POSTFIXADMIN_DBPASS}';
+	flush privileges;
+	POSTFIXADMIN
+
+	wait_for_mariadb_stop
+fi
+
+# Start mariadb
+mariadbd --user=root --datadir=/var/lib/mysql/ &
--- a/build/run/docker-entrypoint/init.d/10-ssl.sh
+++ b/build/run/docker-entrypoint/init.d/10-ssl.sh
@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+# Generate ssl keys
+if [ ! -f /etc/ssl/dovecot/tls.pem ] || [ ! -f /etc/ssl/dovecot/tls.key ]
+then
+    exit 1
+#     mkdir -p /etc/ssl/dovecot/
+#     openssl req \
+#         -x509 \
+#         -newkey rsa:4096 \
+#         -sha512 \
+#         -nodes \
+#         -keyout /etc/ssl/dovecot/tls.key \
+#         -out /etc/ssl/dovecot/tls.pem \
+#         -subj "/CN=${MYVEMAIL_SUBDOMAIN}.${MYVEMAIL_DOMAIN}" \
+#         -days 3650
+fi
+
+# dh.pem
+[ -f /etc/ssl/dovecot/dh.pem ] || openssl dhparam -out /etc/ssl/dovecot/dh.pem 4096
+
+# Permissions
+setfacl -R -m u:${MYVEMAIL_NGINX_USERGROUP}:rx /etc/ssl/dovecot/
--- a/build/run/docker-entrypoint/init.d/15-opendkimmarc.sh
+++ b/build/run/docker-entrypoint/init.d/15-opendkimmarc.sh
@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+# Grab domain list
+domains=(${MYVEMAIL_DOMAIN})
+domains+=(${MYVEMAIL_ADDMX//,/ })
+
+# Permissions
+chmod go-rw /etc/opendkim/keys
+
+# Remove socks
+rm -f /var/spool/postfix/opendkim/opendkim.sock \
+    /var/spool/postfix/opendmarc/opendmarc.sock
+
+# Opendkim
+# Add domain entries to DKIM tables
+for domain in ${domains[@]}
+do
+    echo "*@${domain}      default._domainkey.${domain}" | tee -a /etc/opendkim/SigningTable >/dev/null
+    echo "default._domainkey.${domain}     ${domain}:default:/etc/opendkim/keys/${domain}/default.private" | tee -a /etc/opendkim/KeyTable >/dev/null
+    echo "*.${domain}" | tee -a /etc/opendkim/trusted.hosts >/dev/null
+
+    # Generate DKIM key
+    if [ ! -f /etc/opendkim/keys/${domain}/default.private ]
+    then
+        mkdir -p /etc/opendkim/keys/${domain}
+        opendkim-genkey -b 2048 -d ${domain} -D /etc/opendkim/keys/${domain} -s default
+
+        # In your DNS manager, create a TXT record, enter default._domainkey in the name field
+        echo -e "\n\e[1;34mUpdate DKIM TXT on DNS registrar and press any key to continue\e[5m...\e[0m"
+        echo -e "\e[3m# Use default._domainkey in the host field"
+        echo -e "# Check with 'opendkim-testkey -d ${domain} -s default'"
+        echo -e "# Or visit https://www.dmarcanalyzer.com/dkim/dkim-checker/\e[0m"
+        cat /etc/opendkim/keys/${domain}/default.txt | sed 's/.*( //' | sed 's/ ).*//' | sed 's/"//g' | sed 's/^[ \t]*//g' | sed ':a;N;$!ba;s/\n//g'
+    fi
+done
+
+# OpenDMARC
+sed -i "s/{{HOSTNAME}}/${MYVEMAIL_SUBDOMAIN}.${MYVEMAIL_DOMAIN}/" ${MYVEMAIL_OPENDMARC_CONF}
+
+# Permissions
+chown opendkim:opendkim /etc/opendkim/keys/*/default.private
+chmod 600 /etc/opendkim/keys/*/default.private
+
+# Start services
+opendkim -x ${MYVEMAIL_OPENDKIM_CONF} -p /var/spool/postfix/opendkim/opendkim.sock
+opendmarc -c ${MYVEMAIL_OPENDMARC_CONF} -p /var/spool/postfix/opendmarc/opendmarc.sock
--- a/build/run/docker-entrypoint/init.d/20-nginx.sh
+++ b/build/run/docker-entrypoint/init.d/20-nginx.sh
@ -0,0 +1,57 @@
+#!/usr/bin/env bash
+# Roundcube
+if [ ! -f /usr/share/webapps/roundcube/config/config.inc.php ]
+then
+
+echo "<?php
+\$config['db_dsnw'] = 'mysql://${MYVEMAIL_ROUNDCUBE_DBUSER}:${MYVEMAIL_ROUNDCUBE_DBPASS}@localhost/${MYVEMAIL_ROUNDCUBE_DBNAME}';
+
+\$config['imap_host'] = 'ssl://${MYVEMAIL_SUBDOMAIN}.${MYVEMAIL_DOMAIN}';
+\$config['default_port'] = 993;
+
+\$config['smtp_host'] = 'tls://${MYVEMAIL_SUBDOMAIN}.${MYVEMAIL_DOMAIN}';
+\$config['product_name'] = '${MYVEMAIL_SUBDOMAIN}.${MYVEMAIL_DOMAIN}';
+
+\$config['create_default_folders'] = true;
+\$config['support_url'] = '';
+
+\$config['des_key'] = '$(cat /dev/urandom | tr -d -c 'a-zA-Z0-9' | fold -w 24 | head -n 1)';
+
+\$config['plugins'] = [$(printf "'%s', " $(ls /usr/share/webapps/roundcube/plugins | grep -v 'enigma\|database_attachments\|managesieve\|redundant_attachments') | sed "s/\(.*\), /\1/")];" | tee /usr/share/webapps/roundcube/config/config.inc.php >/dev/null
+
+# Password plugin
+roundcubepass_strength_drive=$(cat /dev/urandom | tr -d -c 'a-z' | fold -w 8 | head -n 1)
+sed -e "/^\$config\['password_db_dsn'\]/ s|=.*|= 'mysql://${MYVEMAIL_POSTFIXADMIN_DBUSER}:${MYVEMAIL_POSTFIXADMIN_DBPASS}@localhost/${MYVEMAIL_POSTFIXADMIN_DBNAME}';|" \
+    -e "/^\$config\['password_strength_driver'\]/ s/=.*/= '${roundcubepass_strength_drive}';\\
+\$config['password_"${roundcubepass_strength_drive}"_min_score'] = 5;/" \
+    -i /usr/share/webapps/roundcube/plugins/password/config.inc.php
+
+fi
+
+# Permissions
+setfacl -R -m u:${MYVEMAIL_NGINX_USERGROUP}:rwx /usr/share/webapps/postfixadmin/templates_c/
+chown ${MYVEMAIL_NGINX_USERGROUP}:${MYVEMAIL_NGINX_USERGROUP} /usr/share/webapps/roundcube/{temp,logs}/ -R
+chown ${MYVEMAIL_NGINX_USERGROUP}:${MYVEMAIL_NGINX_USERGROUP} /usr/share/webapps/roundcube/plugins/password/config.inc.php
+chmod 0600 /usr/share/webapps/roundcube/plugins/password/config.inc.php
+
+# Start services
+/usr/sbin/php-fpm* -D
+nginx
+
+# <<- ##appendix
+# \$config['imap_conn_options'] = array(
+#   'ssl'         => array(
+#       'verify_peer'       => true,
+#       'verify_peer_name'  => true,
+#       'allow_self_signed' => true,
+#    ),
+# );
+#
+# \$config['smtp_conn_options'] = array(
+#    'ssl'         => array(
+#        'verify_peer'       => true,
+#        'verify_peer_name'  => true,
+#        'allow_self_signed' => true,
+#    ),
+# );
+# ##appendix
--- a/build/run/docker-entrypoint/init.d/25-dovecot.sh
+++ b/build/run/docker-entrypoint/init.d/25-dovecot.sh
@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+# 10-auth.conf
+sed -i "s/{{MYVEMAIL_DOMAIN}}/${MYVEMAIL_DOMAIN}/" /etc/dovecot/conf.d/10-auth.conf
+
+# dovecot-sql.conf.ext
+sed -e "s/{{MYVEMAIL_POSTFIXADMIN_DBNAME}}/${MYVEMAIL_POSTFIXADMIN_DBNAME}/" \
+    -e "s/{{MYVEMAIL_POSTFIXADMIN_DBUSER}}/${MYVEMAIL_POSTFIXADMIN_DBUSER}/" \
+    -e "s/{{MYVEMAIL_POSTFIXADMIN_DBPASS}}/${MYVEMAIL_POSTFIXADMIN_DBPASS}/" \
+    -i /etc/dovecot/dovecot-sql.conf.ext
+
+# Permissions
+chown vmail:vmail /var/vmail/ -R
+
+# Start dovecot
+dovecot
--- a/build/run/docker-entrypoint/init.d/30-postfix.sh
+++ b/build/run/docker-entrypoint/init.d/30-postfix.sh
@ -0,0 +1,48 @@
+#!/usr/bin/env bash
+# Postfix
+echo ${MYVEMAIL_DOMAIN} >/etc/mailname
+postconf -e "myhostname = ${MYVEMAIL_SUBDOMAIN}.${MYVEMAIL_DOMAIN}"
+postconf -e "mydomain = ${MYVEMAIL_DOMAIN}"
+
+# resolv.conf
+mkdir /var/spool/postfix/etc
+cp /etc/resolv.conf /var/spool/postfix/etc/resolv.conf
+
+# Whitelist localhost
+sed -i "s/{{LOCAL_IPADDRESS}}/$(wget -q4O- ipv4.icanhazip.com)/" /etc/postfix/postscreen_access.cidr
+
+# Configure backup mail servers
+if [ ${MYVEMAIL_BACKUPMX} ]
+then
+    backupmx+=(${MYVEMAIL_BACKUPMX//,/ })
+
+    postconf -e "$(postconf mynetworks)$(printf ' %s/32' ${backupmx[@]})"
+    postconf -e "smtp_fallback_relay =$(printf ' [%s]:25' ${backupmx[@]})"
+
+    # Whitelist
+    for domain in ${backupmx[@]}
+    do
+        echo "${domain}/32    permit" >>/etc/postfix/postscreen_access.cidr
+    done
+fi
+
+# Whitelist
+addmx=(${MYVEMAIL_DOMAIN})
+addmx+=(${MYVEMAIL_ADDMX//,/ })
+for domain in ${addmx[@]}
+do
+    echo "${domain}    OK" | tee -a /etc/postfix/{helo_access,rbl_override} >/dev/null
+done
+
+# Virtual mailboxes
+sed -e "s/{{MYVEMAIL_POSTFIXADMIN_DBNAME}}/${MYVEMAIL_POSTFIXADMIN_DBNAME}/" \
+    -e "s/{{MYVEMAIL_POSTFIXADMIN_DBUSER}}/${MYVEMAIL_POSTFIXADMIN_DBUSER}/" \
+    -e "s/{{MYVEMAIL_POSTFIXADMIN_DBPASS}}/${MYVEMAIL_POSTFIXADMIN_DBPASS}/" \
+    -i /etc/postfix/sql/*.cf
+
+# Permissions
+setfacl -R -m u:postfix:rx /etc/postfix/sql/
+
+# Start postfix
+postfix start
+postmap /etc/postfix/helo_access /etc/postfix/rbl_override /etc/postfix/smtp_header_checks /etc/postfix/header_checks /etc/postfix/body_checks /etc/postfix/postscreen_access.cidr
--- a/build/run/docker-entrypoint/init.d/50-cron.sh
+++ b/build/run/docker-entrypoint/init.d/50-cron.sh
@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+
+# Update Postscreen Whitelists (daily)
+while true
+do
+    sleep 1d
+    /usr/local/bin/postwhite/postwhite
+done &
+
+# Update Yahoo! IPs for Postscreen Whitelists (weekly)
+while true
+do
+    sleep 7d
+    /usr/local/bin/postwhite/scrape_yahoo
+done &
+
+# Roundcube cleanup (daily)
+while true
+do
+    sleep 1d
+    /usr/share/webapps/roundcube/bin/cleandb.sh
+done &
+
+# # Refresh ssl keys daily
+# # https://www.golinuxcloud.com/renew-self-signed-certificate-openssl/
+# while true
+# do
+#     sleep 1d
+#     openssl x509 -x509toreq -in /etc/ssl/dovecot/tls.pem -signkey /etc/ssl/dovecot/tls.key -out /tmp/new-certificate-sign-request.csr
+#     openssl x509 -req -days 3650 -in /tmp/new-certificate-sign-request.csr -signkey /etc/ssl/dovecot/tls.key -out /etc/ssl/dovecot/tls.pem
+#     rm /tmp/new-certificate-sign-request.csr
+#     dovecot reload
+#     postfix reload
+# done &
--- a/build/run/docker-entrypoint/init.d/60-postwhite.sh
+++ b/build/run/docker-entrypoint/init.d/60-postwhite.sh
@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+# Install postwhite
+if [ ! -s /etc/postfix/postscreen_spf_whitelist.cidr ]
+then
+    /usr/local/bin/postwhite/postwhite
+fi
+
+# Permissions
+chown root:root /etc/postfix/postscreen_spf_whitelist.cidr