This commit is contained in:
bilogic 2025-02-19 11:35:17 +08:00 committed by GitHub
commit 9a1237a29f
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 47 additions and 39 deletions


@ -291,7 +291,7 @@ def build_zone(domain, domain_properties, additional_records, env, is_zone=True)
# Append the DKIM TXT record to the zone as generated by OpenDKIM. # Append the DKIM TXT record to the zone as generated by OpenDKIM.
# Skip if the user has set a DKIM record already. # Skip if the user has set a DKIM record already.
opendkim_record_file = os.path.join(env['STORAGE_ROOT'], 'mail/dkim/mail.txt') opendkim_record_file = os.path.join(env['STORAGE_ROOT'], 'mail/dkim/' + env['DKIM_SELECTOR'] + '.txt')
with open(opendkim_record_file, encoding="utf-8") as orf: with open(opendkim_record_file, encoding="utf-8") as orf:
m = re.match(r'(\S+)\s+IN\s+TXT\s+\( ((?:"[^"]+"\s+)+)\)', orf.read(), re.S) m = re.match(r'(\S+)\s+IN\s+TXT\s+\( ((?:"[^"]+"\s+)+)\)', orf.read(), re.S)
val = "".join(re.findall(r'"([^"]+)"', m.group(2))) val = "".join(re.findall(r'"([^"]+)"', m.group(2)))
@ -752,12 +752,13 @@ def write_opendkim_tables(domains, env):
# Append a record to OpenDKIM's KeyTable and SigningTable for each domain # Append a record to OpenDKIM's KeyTable and SigningTable for each domain
# that we send mail from (zones and all subdomains). # that we send mail from (zones and all subdomains).
opendkim_key_file = os.path.join(env['STORAGE_ROOT'], 'mail/dkim/mail.private') opendkim_key_file = os.path.join(env['STORAGE_ROOT'], 'mail/dkim/' + env['DKIM_SELECTOR'] + '.private')
if not os.path.exists(opendkim_key_file): if not os.path.exists(opendkim_key_file):
# Looks like OpenDKIM is not installed. # Looks like OpenDKIM is not installed.
return False return False
selector=env['DKIM_SELECTOR']
config = { config = {
# The SigningTable maps email addresses to a key in the KeyTable that # The SigningTable maps email addresses to a key in the KeyTable that
# specifies signing information for matching email addresses. Here we # specifies signing information for matching email addresses. Here we
@ -777,7 +778,7 @@ def write_opendkim_tables(domains, env):
# signing domain must match the sender's From: domain. # signing domain must match the sender's From: domain.
"KeyTable": "KeyTable":
"".join( "".join(
f"{domain} {domain}:mail:{opendkim_key_file}\n" f"{domain} {domain}:{selector}:{opendkim_key_file}\n"
for domain in domains for domain in domains
), ),
} }
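Review bot: `env['DKIM_SELECTOR']` is spliced into a filesystem path in both hunks (`'mail/dkim/' + env['DKIM_SELECTOR'] + '.txt'` / `'.private'`) and, through `opendkim-genkey -s` in dkim.sh, becomes the `<selector>._domainkey` record name, yet nothing validates it; since start.sh now populates it from a user-editable override under `$STORAGE_ROOT`, a value containing `/` or `..` resolves outside `mail/dkim/`, and a non-DNS-label value produces an unusable record. A conservative guard at the first use, `if not re.fullmatch(r'[A-Za-z0-9][A-Za-z0-9-]{0,62}', env['DKIM_SELECTOR']): raise ValueError("DKIM_SELECTOR must be a single DNS label")`, covers the common case with `re` already imported here; the multi-label selectors RFC 6376 permits can be admitted later if anyone needs them. The first hunk also reads the key unconditionally, before the key-file existence check in the second, so a `/etc/mailinabox.conf` written before this change and not yet regenerated by start.sh would raise `KeyError` inside `build_zone` — presumably setup is always re-run on upgrade, but `env.get('DKIM_SELECTOR', 'mail')` is a cheap safety net. Both `build_zone` and `write_opendkim_tables` extend outside these hunks.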


@ -14,7 +14,7 @@ echo "Installing OpenDKIM/OpenDMARC..."
apt_install opendkim opendkim-tools opendmarc apt_install opendkim opendkim-tools opendmarc
# Make sure configuration directories exist. # Make sure configuration directories exist.
mkdir -p /etc/opendkim; mkdir -p /etc/opendkim
mkdir -p "$STORAGE_ROOT/mail/dkim" mkdir -p "$STORAGE_ROOT/mail/dkim"
# Used in InternalHosts and ExternalIgnoreList configuration directives. # Used in InternalHosts and ExternalIgnoreList configuration directives.
@ -30,7 +30,7 @@ if grep -q "ExternalIgnoreList" /etc/opendkim.conf; then
true # already done #NODOC true # already done #NODOC
else else
# Add various configuration options to the end of `opendkim.conf`. # Add various configuration options to the end of `opendkim.conf`.
cat >> /etc/opendkim.conf << EOF; cat >>/etc/opendkim.conf <<EOF
Canonicalization relaxed/simple Canonicalization relaxed/simple
MinimumKeyBits 1024 MinimumKeyBits 1024
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
@ -52,8 +52,8 @@ fi
# A 1024-bit key is seen as a minimum standard by several providers # A 1024-bit key is seen as a minimum standard by several providers
# such as Google. But they and others use a 2048 bit key, so we'll # such as Google. But they and others use a 2048 bit key, so we'll
# do the same. Keys beyond 2048 bits may exceed DNS record limits. # do the same. Keys beyond 2048 bits may exceed DNS record limits.
if [ ! -f "$STORAGE_ROOT/mail/dkim/mail.private" ]; then if [ ! -f "$STORAGE_ROOT/mail/dkim/$DKIM_SELECTOR.private" ]; then
opendkim-genkey -b 2048 -r -s mail -D "$STORAGE_ROOT/mail/dkim" opendkim-genkey -b 2048 -r -s $DKIM_SELECTOR -D $STORAGE_ROOT/mail/dkim
fi fi
# Ensure files are owned by the opendkim user and are private otherwise. # Ensure files are owned by the opendkim user and are private otherwise.
@ -121,4 +121,3 @@ hide_output systemctl enable opendmarc
restart_service opendkim restart_service opendkim
restart_service opendmarc restart_service opendmarc
restart_service postfix restart_service postfix
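Review bot: The rewritten `opendkim-genkey` line drops the quoting the old line had around `"$STORAGE_ROOT/mail/dkim"` and adds `$DKIM_SELECTOR` unquoted, so a storage root with spaces or glob characters, or an unusual selector, is word-split before it reaches the tool, while the `[ ! -f ... ]` test just above it is still quoted. Restore it as `opendkim-genkey -b 2048 -r -s "$DKIM_SELECTOR" -D "$STORAGE_ROOT/mail/dkim"`. Note also that the existence test now keys on the selector name, so changing `DKIM_SELECTOR` on an existing box silently mints a new keypair while the old `mail.private` stays on disk; a comment there, `# Changing DKIM_SELECTOR generates a fresh key: publish the new <selector>._domainkey record before relying on it`, would make the DNS cut-over step explicit.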


@ -38,13 +38,20 @@ if [ -f /etc/mailinabox.conf ]; then
cat /etc/mailinabox.conf | sed s/^/DEFAULT_/ >/tmp/mailinabox.prev.conf cat /etc/mailinabox.conf | sed s/^/DEFAULT_/ >/tmp/mailinabox.prev.conf
source /tmp/mailinabox.prev.conf source /tmp/mailinabox.prev.conf
rm -f /tmp/mailinabox.prev.conf rm -f /tmp/mailinabox.prev.conf
# Since this is a second run, attempt to read overridden settings from $STORAGE_ROOT/mailinabox.conf
if [ -f $DEFAULT_STORAGE_ROOT/mailinabox.conf ]; then
cat $DEFAULT_STORAGE_ROOT/mailinabox.conf | sed s/^/DEFAULT_/ >/tmp/mailinabox.prev.conf
source /tmp/mailinabox.prev.conf
rm -f /tmp/mailinabox.prev.conf
fi
else else
FIRST_TIME_SETUP=1 FIRST_TIME_SETUP=1
fi fi
# Put a start script in a global location. We tell the user to run 'mailinabox' # Put a start script in a global location. We tell the user to run 'mailinabox'
# in the first dialog prompt, so we should do this before that starts. # in the first dialog prompt, so we should do this before that starts.
cat > /usr/local/bin/mailinabox << EOF; cat >/usr/local/bin/mailinabox <<EOF
#!/bin/bash #!/bin/bash
cd $PWD cd $PWD
source setup/start.sh source setup/start.sh
@ -82,7 +89,10 @@ if [ ! -d "$STORAGE_ROOT" ]; then
mkdir -p "$STORAGE_ROOT" mkdir -p "$STORAGE_ROOT"
fi fi
f=$STORAGE_ROOT f=$STORAGE_ROOT
while [[ $f != / ]]; do chmod a+rx "$f"; f=$(dirname "$f"); done; while [[ $f != / ]]; do
chmod a+rx "$f"
f=$(dirname "$f")
done
if [ ! -f "$STORAGE_ROOT/mailinabox.version" ]; then if [ ! -f "$STORAGE_ROOT/mailinabox.version" ]; then
setup/migrate.py --current >"$STORAGE_ROOT/mailinabox.version" setup/migrate.py --current >"$STORAGE_ROOT/mailinabox.version"
chown "$STORAGE_USER:$STORAGE_USER" "$STORAGE_ROOT/mailinabox.version" chown "$STORAGE_USER:$STORAGE_USER" "$STORAGE_ROOT/mailinabox.version"
@ -92,7 +102,7 @@ fi
# tools know where to look for data. The default MTA_STS_MODE setting # tools know where to look for data. The default MTA_STS_MODE setting
# is blank unless set by an environment variable, but see web.sh for # is blank unless set by an environment variable, but see web.sh for
# how that is interpreted. # how that is interpreted.
cat > /etc/mailinabox.conf << EOF; cat >/etc/mailinabox.conf <<EOF
STORAGE_USER=$STORAGE_USER STORAGE_USER=$STORAGE_USER
STORAGE_ROOT=$STORAGE_ROOT STORAGE_ROOT=$STORAGE_ROOT
PRIMARY_HOSTNAME=$PRIMARY_HOSTNAME PRIMARY_HOSTNAME=$PRIMARY_HOSTNAME
@ -101,6 +111,7 @@ PUBLIC_IPV6=$PUBLIC_IPV6
PRIVATE_IP=$PRIVATE_IP PRIVATE_IP=$PRIVATE_IP
PRIVATE_IPV6=$PRIVATE_IPV6 PRIVATE_IPV6=$PRIVATE_IPV6
MTA_STS_MODE=${DEFAULT_MTA_STS_MODE:-enforce} MTA_STS_MODE=${DEFAULT_MTA_STS_MODE:-enforce}
DKIM_SELECTOR=${DEFAULT_DKIM_SELECTOR:-mail}
EOF EOF
# Start service configuration. # Start service configuration.
@ -120,8 +131,7 @@ source setup/management.sh
source setup/munin.sh source setup/munin.sh
# Wait for the management daemon to start... # Wait for the management daemon to start...
until nc -z -w 4 127.0.0.1 10222 until nc -z -w 4 127.0.0.1 10222; do
do
echo "Waiting for the Mail-in-a-Box management daemon to start..." echo "Waiting for the Mail-in-a-Box management daemon to start..."
sleep 2 sleep 2
done done
@ -166,16 +176,14 @@ if management/status_checks.py --check-primary-hostname; then
echo echo
echo "If you have a DNS problem put the box's IP address in the URL" echo "If you have a DNS problem put the box's IP address in the URL"
echo "(https://$PUBLIC_IP/admin) but then check the TLS fingerprint:" echo "(https://$PUBLIC_IP/admin) but then check the TLS fingerprint:"
openssl x509 -in "$STORAGE_ROOT/ssl/ssl_certificate.pem" -noout -fingerprint -sha256\ openssl x509 -in "$STORAGE_ROOT/ssl/ssl_certificate.pem" -noout -fingerprint -sha256 | sed "s/SHA256 Fingerprint=//i"
| sed "s/SHA256 Fingerprint=//i"
else else
echo "https://$PUBLIC_IP/admin" echo "https://$PUBLIC_IP/admin"
echo echo
echo "You will be alerted that the website has an invalid certificate. Check that" echo "You will be alerted that the website has an invalid certificate. Check that"
echo "the certificate fingerprint matches:" echo "the certificate fingerprint matches:"
echo echo
openssl x509 -in "$STORAGE_ROOT/ssl/ssl_certificate.pem" -noout -fingerprint -sha256\ openssl x509 -in "$STORAGE_ROOT/ssl/ssl_certificate.pem" -noout -fingerprint -sha256 | sed "s/SHA256 Fingerprint=//i"
| sed "s/SHA256 Fingerprint=//i"
echo echo
echo "Then you can confirm the security exception and continue." echo "Then you can confirm the security exception and continue."
echo echo
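Review bot: The new block in the first hunk `source`s `$DEFAULT_STORAGE_ROOT/mailinabox.conf` with no ownership or permission check, and setup runs as root (it writes `/etc/mailinabox.conf` and `chown`s below); unlike the existing `/etc/mailinabox.conf`, `$STORAGE_ROOT` is the service data tree whose contents this file hands to `$STORAGE_USER`, so if that user or anything running as it can create the file, the next setup run executes its contents as root. Refuse the file unless root owns it and it is not group/world writable, and quote the path, which is unquoted in both the `-f` test and the `cat`; the `cat | sed` can also become a plain `sed` on the file. The surrounding `if [ -f /etc/mailinabox.conf ]` block is fully inside the hunk.
```shell
    # Since this is a second run, attempt to read overridden settings from $STORAGE_ROOT/mailinabox.conf.
    # The file is sourced as root: accept it only if root owns it and nobody else can write to it.
    override="$DEFAULT_STORAGE_ROOT/mailinabox.conf"
    if [ -f "$override" ]; then
        if [ ! -O "$override" ] || [ "$(( 8#$(stat -c '%a' "$override") & 022 ))" -ne 0 ]; then
            echo "Refusing to read $override: it must be owned by root and not group/world writable." >&2
            exit 1
        fi
        sed s/^/DEFAULT_/ "$override" >/tmp/mailinabox.prev.conf
        source /tmp/mailinabox.prev.conf
        rm -f /tmp/mailinabox.prev.conf
    fi
```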