From e7ef8f4496d7cb60f6755d4a8ce66e72b59202a5 Mon Sep 17 00:00:00 2001 From: andreas Date: Sun, 9 Apr 2023 20:48:49 +0000 Subject: [PATCH] added build & push --- .gitignore | 3 +- build_push | 14 + core/Dockerfile | 2 +- core/{build.sh => scratchpad.sh} | 4 - docker-compose.yml | 30 +- etc-zntrl/kopano/search.cfg | 11 +- etc-zntrl/kopano/server.cfg | 4 +- etc-zntrl/kopano/webapp/config.php | 6 +- etc-zntrl/z-push/gabsync.conf.php | 4 +- etc-zntrl/z-push/kopano.conf.php | 2 +- etc-zntrl/z-push/z-push.conf.php | 2 +- etc-zntrl/z-push/z-push.conf.php.dist | 375 ------------------ migration.sh => migrate | 0 .../00-create-kopano-user.sql | 5 +- postfix/Dockerfile | 1 - postfix/etc/postfix/main.cf | 12 +- postfix/etc/postfix/vmailbox | 2 + postfix/{build.sh => scratchpad.sh} | 5 +- prep | 10 + ssl/mkcerts | 18 + todo | 9 + webapp/{build.sh => scratchpad.sh} | 4 - z-push/{build.sh => scratchpad.sh} | 4 - 23 files changed, 100 insertions(+), 427 deletions(-) create mode 100644 build_push rename core/{build.sh => scratchpad.sh} (81%) delete mode 100644 etc-zntrl/z-push/z-push.conf.php.dist rename migration.sh => migrate (100%) rename postfix/{build.sh => scratchpad.sh} (78%) create mode 100644 prep create mode 100644 ssl/mkcerts create mode 100644 todo rename webapp/{build.sh => scratchpad.sh} (80%) rename z-push/{build.sh => scratchpad.sh} (81%) diff --git a/.gitignore b/.gitignore index 3e22129..7887a5c 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ -/dist \ No newline at end of file +/dist +*.tmp \ No newline at end of file diff --git a/build_push b/build_push new file mode 100644 index 0000000..83dfa91 --- /dev/null +++ b/build_push 
@@ -0,0 +1,14 @@ +#!/usr/bin/bash +# build and push images (using compose) +docker compose build +# docker compose build --no-cache +docker compose push +# build and push images (just with docker) +# find . -name Dockerfile | while read P; do sed -e 's|\./\(.*\)/Dockerfile|\1|'; done >builds.tmp +# export TAG=1.0 +# cat builds.tmp | while read P; do \ +# docker build -t $P ./$P; \ +# docker tag $P:latest baloan/$P:latest; \ +# docker tag $P:latest baloan/$P:$TAG; \ +# docker push baloan/$P:latest; \ +# done \ No newline at end of file diff --git a/core/Dockerfile b/core/Dockerfile index fadf9f7..d9a8f43 100644 --- a/core/Dockerfile +++ b/core/Dockerfile @@ -25,7 +25,7 @@ COPY --chmod=0775 entrypoint.sh /entrypoint.sh #EXPOSE 237 # lmtp (dagent) #EXPOSE 2003 -VOLUME /etc/kopano VOLUME /var/lib/kopano/attachments +VOLUME /var/lib/kopano/search ENTRYPOINT ["/entrypoint.sh"] CMD ["bash"] diff --git a/core/build.sh b/core/scratchpad.sh similarity index 81% rename from core/build.sh rename to core/scratchpad.sh index 6681afb..669f847 100644 --- a/core/build.sh +++ b/core/scratchpad.sh @@ -15,7 +15,3 @@ docker container ls docker container prune docker image ls docker image prune -a -f - -# docker login --username baloan --password 'yZBCUs5&@?:.' -# docker tag -t core:latest ... -# docker push \ No newline at end of file diff --git a/docker-compose.yml b/docker-compose.yml index d741798..9d9fb7c 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
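Review bot: `docker compose push` on the fifth line of build_push runs even when `docker compose build` fails, because the script has no error handling, so a broken build still pushes whatever image is currently tagged `baloan/*`. Add `set -euo pipefail` directly after the shebang (or chain the two commands with `&&`) so a failed build stops the push. The commented-out fallback loop below it expands `$P` unquoted; if it is ever revived the expansions should be quoted.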
@@ -2,18 +2,27 @@ services: server: build: ./core - image: core + image: baloan/core depends_on: - mysql ports: - 236:236 volumes: - - attachments:/var/lib/kopano/attachments - ./etc-zntrl/kopano:/etc/kopano:ro + - attachments:/var/lib/kopano/attachments command: /usr/sbin/kopano-server + search: + build: ./core + image: baloan/core + depends_on: + - server + volumes: + - ./etc-zntrl/kopano:/etc/kopano:ro + - search:/var/lib/kopano/search + command: /usr/sbin/kopano-search spooler: build: ./core - image: core + image: baloan/core depends_on: - server volumes: @@ -21,7 +30,7 @@ services: command: /usr/sbin/kopano-spooler dagent: build: ./core - image: core + image: baloan/core volumes: - ./etc-zntrl/kopano:/etc/kopano:ro depends_on: @@ -39,7 +48,7 @@ services: - 3307:3306 webapp: build: ./webapp - image: webapp + image: baloan/webapp labels: - traefik.enable=true - traefik.http.routers.webapp.rule=Host(`$MAIL_DOMAIN`) && PathPrefix(`/webapp`) @@ -56,7 +65,7 @@ services: - traefik z-push: build: ./z-push - image: z-push + image: baloan/z-push labels: - traefik.enable=true - traefik.http.routers.webapp.rule=Host(`$MAIL_DOMAIN`) && PathPrefix(`/Microsoft-Server-ActiveSync`) @@ -74,7 +83,7 @@ services: - traefik postfix: build: ./postfix - image: postfix + image: baloan/postfix ports: - 8025:25 volumes: @@ -86,12 +95,7 @@ networks: volumes: database: attachments: + search: z-push: spool: - # search: - # image: core - # depends_on: - # - db - # - server - # command: /usr/sbin/kopano-search diff --git a/etc-zntrl/kopano/search.cfg b/etc-zntrl/kopano/search.cfg index f14439f..7f0772f 100644 --- a/etc-zntrl/kopano/search.cfg +++ b/etc-zntrl/kopano/search.cfg 
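Review bot: The new `search` service reaches the core server over `https://server:237` (search.cfg in this commit), but nothing in docker-compose.yml or the server.cfg hunk shows the TLS listener on 237 being enabled, and core/Dockerfile still carries `#EXPOSE 237` commented out; confirm that server.cfg's TLS listen setting (`server_listen_tls`, if I recall the key correctly) and the `sslkeys_path` directory are populated, otherwise `kopano-search` cannot connect. Compose `ports:` only affects host publishing, so `236:236` on `server` is irrelevant for container-to-container traffic and merely exposes the plaintext port to the host. As a point of style, five services now repeat `build: ./core` with `image: baloan/core`; as far as I know compose builds every service that carries a `build:` key, so keeping `build:` only on `server` (or using a YAML anchor) avoids building the same Dockerfile several times.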
@@ -5,11 +5,10 @@ # Limit the number of results returned (0 = no limit) #limit_results = 1000 -# Socket to the storage server. # Use https to reach servers over the network -#server_socket = file:///var/run/kopano/server.sock +server_socket = https://server:237 # Login to the storage server using this SSL Key -#sslkey_file = /etc/kopano/ssl/search.pem +sslkey_file = /etc/kopano/ssl/private/system-key-cert.pem # The password of the SSL Key #sslkey_pass = replace-with-server-cert-password @@ -20,10 +19,10 @@ # File with RSA key for SSL, used when server_bind_name uses https://... #ssl_private_key_file = /etc/kopano/search/privkey.pem -#log_method = file +#log_method = auto # Loglevel (0(none), 1(crit), 2(err), 3(warn), 4(notice), 5(info), 6(debug)) -log_level = 5 -log_file = /var/log/kopano/search.log +log_level = 6 +#log_file = /var/log/kopano/search.log #log_timestamp = yes # Number of indexing processes used during initial indexing diff --git a/etc-zntrl/kopano/server.cfg b/etc-zntrl/kopano/server.cfg index 046a676..4950309 100644 --- a/etc-zntrl/kopano/server.cfg +++ b/etc-zntrl/kopano/server.cfg @@ -20,9 +20,9 @@ sslkeys_path = /etc/kopano/sslkeys # Name for identifying the server in a multi-server environment. Need # not be a DNS name, but this name needs to be present on a LDAP # kopano-server object's cn value. -server_name = kopano.server +#server_name = kopano.server # Multi-server -# enable_distributed_kopano = false +#enable_distributed_kopano = false database_engine = mysql mysql_host = mysql diff --git a/etc-zntrl/kopano/webapp/config.php b/etc-zntrl/kopano/webapp/config.php index 2c5a90b..680cd2a 100644 --- a/etc-zntrl/kopano/webapp/config.php +++ b/etc-zntrl/kopano/webapp/config.php 
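Review bot: `sslkey_file = /etc/kopano/ssl/private/system-key-cert.pem` points the search indexer at what looks like a shared system key, while ssl/mkcerts in this same commit generates a dedicated client key with `create-key search`; using the per-service key (and placing only its public half in the server's `sslkeys_path`) lets the search credential be revoked on its own and keeps the shared key out of the search container. The second hunk raises `log_level` to 6 (debug) and switches to `#log_method = auto`; if that is meant to stay in the committed config, a comment saying so would help, e.g. `# debug level kept on while the search/TLS setup is being validated`, since indexer debug output can be large. The removed line `# Socket to the storage server.` was the only description of `server_socket`; I would keep it.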
@@ -19,7 +19,7 @@ // define("DEFAULT_SERVER", "http://localhost:236/kopano"); // define("DEFAULT_SERVER", "https://localhost:237/kopano"); // define("DEFAULT_SERVER", "file:///var/run/kopano/server.sock"); - define("DEFAULT_SERVER", "http://kopano-server-1:236/kopano"); + define("DEFAULT_SERVER", "http://server:236/kopano"); // When using a Single-Sign-On (SSO) system on your webserver and Kopano Core is on another server // you can use https to access the Kopano server, and authenticate using an SSL certificate. @@ -258,7 +258,7 @@ * LOGLEVEL_WARN and LOGLEVEL_INFO level entries. * **************************************************************************************/ - define("LOG_USER_LEVEL", LOGLEVEL_OFF); + define("LOG_USER_LEVEL", LOGLEVEL_INFO); // To save e.g. user activity data only for selected users, provide the username followed by semicolon. // The data will be saved into a dedicated file per user in the LOG_FILE_DIR @@ -296,7 +296,7 @@ // Defines the default time zone if (!ini_get('date.timezone')) { - date_default_timezone_set('Europe/Amsterdam'); + date_default_timezone_set('Europe/Berlin'); } /**************************************\ diff --git a/etc-zntrl/z-push/gabsync.conf.php b/etc-zntrl/z-push/gabsync.conf.php index d9c34c1..5993ef4 100644 --- a/etc-zntrl/z-push/gabsync.conf.php +++ b/etc-zntrl/z-push/gabsync.conf.php @@ -33,7 +33,7 @@ define('SYNCWORKER', 'Kopano'); // Unique id to find a contact from the GAB (value to be supplied by -u on the command line) // Zarafa supports: 'account' and 'smtpAddress' (email) -define('UNIQUEID', 'account'); +define('UNIQUEID', 'smtpAddress'); // Server connection settings // Depending on your setup, it might be advisable to change the lines below to one defined with your 
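Review bot: `define("LOG_USER_LEVEL", LOGLEVEL_INFO)` in the second hunk turns on per-user activity logging, which according to the context comment writes a dedicated file per user into LOG_FILE_DIR; make sure that directory sits on a volume with restrictive permissions and a retention/rotation policy, since these files accumulate user activity data, and state the reason in a comment, e.g. `// per-user activity logs enabled for troubleshooting; review retention`. The first hunk keeps `DEFAULT_SERVER` on plaintext `http://server:236/kopano` while search.cfg in the same commit moves to `https://server:237`; if plaintext inside the compose network is the intended choice for webapp, a one-line comment documenting that would stop the next reader treating it as an oversight.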
@@ -50,7 +50,7 @@ define('UNIQUEID', 'account'); // For ZCP versions prior to 7.2.0 the socket location is different (http(s) sockets are the same): // define("SERVER", "file:///var/run/zarafa"); -define('SERVER', 'default:'); +define('SERVER', 'http://server:236/kopano'); define('USERNAME', 'SYSTEM'); define('PASSWORD', ''); diff --git a/etc-zntrl/z-push/kopano.conf.php b/etc-zntrl/z-push/kopano.conf.php index fe98be5..4fa3d98 100644 --- a/etc-zntrl/z-push/kopano.conf.php +++ b/etc-zntrl/z-push/kopano.conf.php @@ -43,7 +43,7 @@ // For ZCP versions prior to 7.2.0 the socket location is different (http(s) sockets are the same): // define("MAPI_SERVER", "file:///var/run/zarafa"); -define('MAPI_SERVER', 'http://kopano-server-1:236/kopano'); +define('MAPI_SERVER', 'http://server:236/kopano'); // Read-Only shared folders // When trying to write a change on a read-only folder this data is dropped and replaced on the device of the user. diff --git a/etc-zntrl/z-push/z-push.conf.php b/etc-zntrl/z-push/z-push.conf.php index 49e1540..79c197a 100644 --- a/etc-zntrl/z-push/z-push.conf.php +++ b/etc-zntrl/z-push/z-push.conf.php @@ -50,7 +50,7 @@ * false - use the username only. * true - string the mobile sends as username, e.g. full email address (default). */ - define('USE_FULLEMAIL_FOR_LOGIN', false); + define('USE_FULLEMAIL_FOR_LOGIN', true); /********************************************************************************** * StateMachine setting diff --git a/etc-zntrl/z-push/z-push.conf.php.dist b/etc-zntrl/z-push/z-push.conf.php.dist deleted file mode 100644 index 08bd52b..0000000 --- a/etc-zntrl/z-push/z-push.conf.php.dist +++ /dev/null 
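Review bot: `define('SERVER', 'http://server:236/kopano')` is now combined with the unchanged `USERNAME 'SYSTEM'` and empty `PASSWORD`; whether the server accepts a SYSTEM login with no password over a TCP socket depends on its configuration, and as far as I know that login is normally granted only via the local unix socket or an SSL client key, so this probably needs either the https socket with a client key (as search.cfg in this commit does) or a check that gab-sync actually authenticates. Since kopano.conf.php in this commit sets `MAPI_SERVER` to the same URL, a comment `// keep in sync with MAPI_SERVER in kopano.conf.php` on this line would tie the two together.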
@@ -1,375 +0,0 @@ -. -* -* Consult LICENSE file for details -************************************************/ - -/********************************************************************************** - * Default settings - */ - // Defines the default time zone, change e.g. to "Europe/London" if necessary - define('TIMEZONE', ''); - - // Defines the base path on the server - define('BASE_PATH', dirname($_SERVER['SCRIPT_FILENAME']). '/'); - - // Try to set unlimited timeout - define('SCRIPT_TIMEOUT', 0); - - // When accessing through a proxy, the "X-Forwarded-For" header contains the original remote IP - define('USE_X_FORWARDED_FOR_HEADER', false); - - // When using client certificates, we can check if the login sent matches the owner of the certificate. - // This setting specifies the owner parameter in the certificate to look at. - define("CERTIFICATE_OWNER_PARAMETER", "SSL_CLIENT_S_DN_CN"); - - /* - * Whether to use the complete email address as a login name - * (e.g. user@company.com) or the username only (user). - * This is required for Z-Push to work properly after autodiscover. - * Possible values: - * false - use the username only. - * true - string the mobile sends as username, e.g. full email address (default). - */ - define('USE_FULLEMAIL_FOR_LOGIN', true); - -/********************************************************************************** - * StateMachine setting - * - * These StateMachines can be used: - * FILE - FileStateMachine (default). Needs STATE_DIR set as well. - * SQL - SqlStateMachine has own configuration file. STATE_DIR is ignored. 
- * State migration script is available, more informations: https://wiki.z-hub.io/x/xIAa - */ - define('STATE_MACHINE', 'FILE'); - define('STATE_DIR', '/var/lib/z-push/'); - -/********************************************************************************** - * IPC - InterProcessCommunication - * - * Is either provided by using shared memory on a single host or - * using the memcache provider for multi-host environments. - * When another implementation should be used, the class can be set here explicitly. - * If empty Z-Push will try to use available providers. - */ - define('IPC_PROVIDER', ''); - -/********************************************************************************** - * Logging settings - * - * The LOGBACKEND specifies where the logs are sent to. - * Either to file ("filelog") or to a "syslog" server or a custom log class in core/log/logclass. - * filelog and syslog have several options that can be set below. - * For more information about the syslog configuration, see https://wiki.z-hub.io/x/HIAT - - * Possible LOGLEVEL and LOGUSERLEVEL values are: - * LOGLEVEL_OFF - no logging - * LOGLEVEL_FATAL - log only critical errors - * LOGLEVEL_ERROR - logs events which might require corrective actions - * LOGLEVEL_WARN - might lead to an error or require corrective actions in the future - * LOGLEVEL_INFO - usually completed actions - * LOGLEVEL_DEBUG - debugging information, typically only meaningful to developers - * LOGLEVEL_WBXML - also prints the WBXML sent to/from the device - * LOGLEVEL_DEVICEID - also prints the device id for every log entry - * LOGLEVEL_WBXMLSTACK - also prints the contents of WBXML stack - * - * The verbosity increases from top to bottom. More verbose levels include less verbose - * ones, e.g. setting to LOGLEVEL_DEBUG will also output LOGLEVEL_FATAL, LOGLEVEL_ERROR, - * LOGLEVEL_WARN and LOGLEVEL_INFO level entries. - * - * LOGAUTHFAIL is logged to the LOGBACKEND. 
- */ - define('LOGBACKEND', 'filelog'); - define('LOGLEVEL', LOGLEVEL_INFO); - define('LOGAUTHFAIL', false); - - // To save e.g. WBXML data only for selected users, add the usernames to the array - // The data will be saved into a dedicated file per user in the LOGFILEDIR - // Users have to be encapusulated in quotes, several users are comma separated, like: - // $specialLogUsers = array('info@domain.com', 'myusername'); - define('LOGUSERLEVEL', LOGLEVEL_DEVICEID); - $specialLogUsers = array(); - - // Filelog settings - define('LOGFILEDIR', '/var/log/z-push/'); - define('LOGFILE', LOGFILEDIR . 'z-push.log'); - define('LOGERRORFILE', LOGFILEDIR . 'z-push-error.log'); - - // Syslog settings - // false will log to local syslog, otherwise put the remote syslog IP here - define('LOG_SYSLOG_HOST', false); - // Syslog port - define('LOG_SYSLOG_PORT', 514); - // Program showed in the syslog. Useful if you have more than one instance login to the same syslog - define('LOG_SYSLOG_PROGRAM', 'z-push'); - // Syslog facility - use LOG_USER when running on Windows - define('LOG_SYSLOG_FACILITY', LOG_LOCAL0); - - // Location of the trusted CA, e.g. '/etc/ssl/certs/EmailCA.pem' - // Uncomment and modify the following line if the validation of the certificates fails. - // define('CAINFO', '/etc/ssl/certs/EmailCA.pem'); - -/********************************************************************************** - * Mobile settings - */ - // Device Provisioning - define('PROVISIONING', true); - - // This option allows the 'loose enforcement' of the provisioning policies for older - // devices which don't support provisioning (like WM 5 and HTC Android Mail) - dw2412 contribution - // false (default) - Enforce provisioning for all devices - // true - allow older devices, but enforce policies on devices which support it - define('LOOSE_PROVISIONING', false); - - // The file containing the policies' settings. 
- // Set a full path or relative to the z-push main directory - define('PROVISIONING_POLICYFILE', 'policies.ini'); - - // Default conflict preference - // Some devices allow to set if the server or PIM (mobile) - // should win in case of a synchronization conflict - // SYNC_CONFLICT_OVERWRITE_SERVER - Server is overwritten, PIM wins - // SYNC_CONFLICT_OVERWRITE_PIM - PIM is overwritten, Server wins (default) - define('SYNC_CONFLICT_DEFAULT', SYNC_CONFLICT_OVERWRITE_PIM); - - // Global limitation of items to be synchronized - // The mobile can define a sync back period for calendar and email items - // For large stores with many items the time period could be limited to a max value - // If the mobile transmits a wider time period, the defined max value is used - // Applicable values: - // SYNC_FILTERTYPE_ALL (default, no limitation) - // SYNC_FILTERTYPE_1DAY, SYNC_FILTERTYPE_3DAYS, SYNC_FILTERTYPE_1WEEK, SYNC_FILTERTYPE_2WEEKS, - // SYNC_FILTERTYPE_1MONTH, SYNC_FILTERTYPE_3MONTHS, SYNC_FILTERTYPE_6MONTHS - define('SYNC_FILTERTIME_MAX', SYNC_FILTERTYPE_ALL); - - // Interval in seconds before checking if there are changes on the server when in Ping. - // It means the highest time span before a change is pushed to a mobile. Set it to - // a higher value if you have a high load on the server. - define('PING_INTERVAL', 30); - - // Set the fileas (save as) order for contacts in the webaccess/webapp/outlook. - // It will only affect new/modified contacts on the mobile which then are synced to the server. 
- // Possible values are: - // SYNC_FILEAS_FIRSTLAST - fileas will be "Firstname Middlename Lastname" - // SYNC_FILEAS_LASTFIRST - fileas will be "Lastname, Firstname Middlename" - // SYNC_FILEAS_COMPANYONLY - fileas will be "Company" - // SYNC_FILEAS_COMPANYLAST - fileas will be "Company (Lastname, Firstname Middlename)" - // SYNC_FILEAS_COMPANYFIRST - fileas will be "Company (Firstname Middlename Lastname)" - // SYNC_FILEAS_LASTCOMPANY - fileas will be "Lastname, Firstname Middlename (Company)" - // SYNC_FILEAS_FIRSTCOMPANY - fileas will be "Firstname Middlename Lastname (Company)" - // The company-fileas will only be set if a contact has a company set. If one of - // company-fileas is selected and a contact doesn't have a company set, it will default - // to SYNC_FILEAS_FIRSTLAST or SYNC_FILEAS_LASTFIRST (depending on if last or first - // option is selected for company). - // If SYNC_FILEAS_COMPANYONLY is selected and company of the contact is not set - // SYNC_FILEAS_LASTFIRST will be used - define('FILEAS_ORDER', SYNC_FILEAS_LASTFIRST); - - // Maximum amount of items to be synchronized per request. - // Normally this value is requested by the mobile. Common values are 5, 25, 50 or 100. - // Exporting too much items can cause mobile timeout on busy systems. - // Z-Push will use the lowest provided value, either set here or by the mobile. - // MS Outlook 2013+ request up to 512 items to accelerate the sync process. - // If you detect high load (also on subsystems) you could try a lower setting. - // max: 512 - value used if mobile does not limit amount of items - define('SYNC_MAX_ITEMS', 512); - - // The devices usually send a list of supported properties for calendar and contact - // items. If a device does not includes such a supported property in Sync request, - // it means the property's value will be deleted on the server. - // However some devices do not send a list of supported properties. 
It is then impossible - // to tell if a property was deleted or it was not set at all if it does not appear in Sync. - // This parameter defines Z-Push behaviour during Sync if a device does not issue a list with - // supported properties. - // See also https://jira.z-hub.io/browse/ZP-302. - // Possible values: - // false - do not unset properties which are not sent during Sync (default) - // true - unset properties which are not sent during Sync - define('UNSET_UNDEFINED_PROPERTIES', false); - - // ActiveSync specifies that a contact photo may not exceed 48 KB. This value is checked - // in the semantic sanity checks and contacts with larger photos are not synchronized. - // This limitation is not being followed by the ActiveSync clients which set much bigger - // contact photos. You can override the default value of the max photo size. - // default: 5242880 - 5 MB default max photo size in bytes - define('SYNC_CONTACTS_MAXPICTURESIZE', 5242880); - - // Over the WebserviceUsers command it is possible to retrieve a list of all - // known devices and users on this Z-Push system. The authenticated user needs to have - // admin rights and a public folder must exist. - // In multicompany environments this enable an admin user of any company to retrieve - // this full list, so this feature is disabled by default. Enable with care. - define('ALLOW_WEBSERVICE_USERS_ACCESS', false); - - // Users with many folders can use the 'partial foldersync' feature, where the server - // actively stops processing the folder list if it takes too long. Other requests are - // then redirected to the FolderSync to synchronize the remaining items. - // Device compatibility for this procedure is not fully understood. - // NOTE: THIS IS AN EXPERIMENTAL FEATURE WHICH COULD PREVENT YOUR MOBILES FROM SYNCHRONIZING. - define('USE_PARTIAL_FOLDERSYNC', false); - - // The minimum accepted time in second that a ping command should last. - // It is strongly advised to keep this config to false. 
Some device - // might not be able to send a higher value than the one specificied here and thus - // unable to start a push connection. - // If set to false, there will be no lower bound to the ping lifetime. - // The minimum accepted value is 1 second. The maximum accepted value is 3540 seconds (59 minutes). - define('PING_LOWER_BOUND_LIFETIME', false); - - // The maximum accepted time in second that a ping command should last. - // If set to false, there will be no higher bound to the ping lifetime. - // The minimum accepted value is 1 second. The maximum accepted value is 3540 seconds (59 minutes). - define('PING_HIGHER_BOUND_LIFETIME', false); - - // Maximum response time - // Mobiles implement different timeouts to their TCP/IP connections. Android devices for example - // have a hard timeout of 30 seconds. If the server is not able to answer a request within this timeframe, - // the answer will not be recieved and the device will send a new one overloading the server. - // There are three categories - // - Short timeout - server has up within 30 seconds - is automatically applied for not categorized types - // - Medium timeout - server has up to 90 seconds to respond - // - Long timeout - server has up to 4 minutes to respond - // If a timeout is almost reached the server will break and sent the results it has until this - // point. You can add DeviceType strings to the categories. - // In general longer timeouts are better, because more data can be streamed at once. - define('SYNC_TIMEOUT_MEDIUM_DEVICETYPES', "SAMSUNGGTI"); - define('SYNC_TIMEOUT_LONG_DEVICETYPES', "iPod, iPad, iPhone, WP, WindowsOutlook, WindowsMail"); - - // Time in seconds the device should wait whenever the service is unavailable, - // e.g. when a backend service is unavailable. - // Z-Push sends a "Retry-After" header in the response with the here defined value. 
- // It is up to the device to respect or not this directive so even if this option is set, - // the device might not wait requested time frame. - // Number of seconds before retry, to disable set to: false - define('RETRY_AFTER_DELAY', 300); - -/********************************************************************************** - * Backend settings - */ - // the backend data provider - define('BACKEND_PROVIDER', ''); - -/********************************************************************************** - * Search provider settings - * - * Alternative backend to perform SEARCH requests (GAL search) - * By default the main Backend defines the preferred search functionality. - * If set, the Search Provider will always be preferred. - * Use 'BackendSearchLDAP' to search in a LDAP directory (see backend/searchldap/config.php) - */ - define('SEARCH_PROVIDER', ''); - // Time in seconds for the server search. Setting it too high might result in timeout. - // Setting it too low might not return all results. Default is 10. - define('SEARCH_WAIT', 10); - // The maximum number of results to send to the client. Setting it too high - // might result in timeout. Default is 10. - define('SEARCH_MAXRESULTS', 10); - -/********************************************************************************** - * Kopano Outlook Extension - Settings - * - * The Kopano Outlook Extension (KOE) provides MS Outlook 2013 and newer with - * functionality not provided by ActiveSync or not implemented by Outlook. 
- * For more information, see: https://wiki.z-hub.io/x/z4Aa - */ - // Global Address Book functionality - define('KOE_CAPABILITY_GAB', true); - // Synchronize mail flags from the server to Outlook/KOE - define('KOE_CAPABILITY_RECEIVEFLAGS', true); - // Encode flags when sending from Outlook/KOE - define('KOE_CAPABILITY_SENDFLAGS', true); - // Out-of-office support - define('KOE_CAPABILITY_OOF', true); - // Out-of-office support with start & end times (superseeds KOE_CAPABILITY_OOF) - define('KOE_CAPABILITY_OOFTIMES', true); - // Notes support - define('KOE_CAPABILITY_NOTES', true); - // Shared folder support - define('KOE_CAPABILITY_SHAREDFOLDER', true); - // Send-As support for Outlook/KOE and mobiles - define('KOE_CAPABILITY_SENDAS', true); - // Secondary Contact folders (own and shared) - define('KOE_CAPABILITY_SECONDARYCONTACTS', true); - // Copy WebApp signature into KOE - define('KOE_CAPABILITY_SIGNATURES', true); - // Delivery receipt requests - define('KOE_CAPABILITY_RECEIPTS', true); - - // To synchronize the GAB KOE, the GAB store and folderid need to be specified. - // Use the gab-sync script to generate this data. The name needs to - // match the config of the gab-sync script. - // More information here: https://wiki.z-hub.io/x/z4Aa (GAB Sync Script) - define('KOE_GAB_STORE', 'SYSTEM'); - define('KOE_GAB_FOLDERID', ''); - define('KOE_GAB_NAME', 'Z-Push-KOE-GAB'); - -/********************************************************************************** - * Synchronize additional folders to all mobiles - * - * With this feature, special folders can be synchronized to all mobiles. - * This is useful for e.g. global company contacts. - * - * This feature is supported only by certain devices, like iPhones. - * Check the compatibility list for supported devices: - * http://z-push.org/compatibility - * - * To synchronize a folder, add a section setting all parameters as below: - * store: the ressource where the folder is located. 
- * Kopano users use 'SYSTEM' for the 'Public Folder' - * folderid: folder id of the folder to be synchronized - * name: name to be displayed on the mobile device - * type: supported types are: - * SYNC_FOLDER_TYPE_USER_CONTACT - * SYNC_FOLDER_TYPE_USER_APPOINTMENT - * SYNC_FOLDER_TYPE_USER_TASK - * SYNC_FOLDER_TYPE_USER_MAIL - * SYNC_FOLDER_TYPE_USER_NOTE - * - * Additional notes: - * - on Kopano systems use backend/kopano/listfolders.php script to get a list - * of available folders - * - * - all Z-Push users must have at least reading permissions so the configured - * folders can be synchronized to the mobile. Else they are ignored. - * - * - this feature is only partly suitable for multi-tenancy environments, - * as ALL users from ALL tenents need access to the configured store & folder. - * When configuring a public folder, this will cause problems, as each user has - * a different public folder in his tenant, so the folder are not available. - - * - changing this configuration could cause HIGH LOAD on the system, as all - * connected devices will be updated and load the data contained in the - * added/modified folders. - */ - - $additionalFolders = array( - // demo entry for the synchronization of contacts from the public folder. - // uncomment (remove '/*' '*/') and fill in the folderid -/* - array( - 'store' => "SYSTEM", - 'folderid' => "", - 'name' => "Public Contacts", - 'type' => SYNC_FOLDER_TYPE_USER_CONTACT, - ), -*/ - ); diff --git a/migration.sh b/migrate similarity index 100% rename from migration.sh rename to migrate diff --git a/mysql/docker-entrypoint-initdb.d/00-create-kopano-user.sql b/mysql/docker-entrypoint-initdb.d/00-create-kopano-user.sql index c3a6403..e9bc804 100644 --- a/mysql/docker-entrypoint-initdb.d/00-create-kopano-user.sql +++ b/mysql/docker-entrypoint-initdb.d/00-create-kopano-user.sql 
@@ -1,2 +1,5 @@ CREATE USER 'kopano' IDENTIFIED BY 'Asdf2345'; -GRANT ALL ON kopano.* TO 'kopano'@'%'; \ No newline at end of file +GRANT ALL ON kopano.* TO 'kopano'@'%'; +flush privileges; +-- database is created by server automatically if not present +-- create database kopano CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci; diff --git a/postfix/Dockerfile b/postfix/Dockerfile index 17c316f..2c606f0 100644 --- a/postfix/Dockerfile +++ b/postfix/Dockerfile @@ -10,7 +10,6 @@ apt-get autoclean rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* ~/.cache ~/.npm EOF COPY etc/postfix/ /etc/postfix/ -RUN cp /etc/resolv.conf /var/spool/postfix/etc/resolv.conf COPY --chmod=0775 entrypoint.sh /entrypoint.sh EXPOSE 25 VOLUME /var/spool/postfix diff --git a/postfix/etc/postfix/main.cf b/postfix/etc/postfix/main.cf index f4ec60e..6e573bb 100644 --- a/postfix/etc/postfix/main.cf +++ b/postfix/etc/postfix/main.cf 
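Review bot: `flush privileges;` after `CREATE USER` and `GRANT` is redundant — those statements update the in-memory grant tables themselves, and FLUSH PRIVILEGES is only needed after editing the `mysql.*` tables directly — so the line can go, or carry a comment saying why it is wanted. The unchanged line above it keeps the kopano database password in a committed file that is copied into the image; the `todo` added in this commit already lists removing passwords, so I would point that item at this file and at `prep`, and treat the value as compromised once it has been in git history.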
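Review bot: Removing `RUN cp /etc/resolv.conf /var/spool/postfix/etc/resolv.conf` is right for a build step (the build host's resolver is meaningless in the container, and `/var/spool/postfix` is a VOLUME anyway), but if the services in master.cf run chrooted, as is the Debian default, Postfix still needs a resolv.conf under `/var/spool/postfix/etc` at runtime; if entrypoint.sh does not copy it on start (it is not in this diff), the chrooted `smtp`/`smtpd` lose DNS and the outbound relay stops working. A one-line comment in the Dockerfile, `# resolv.conf for the chroot is copied by entrypoint.sh at start`, would make the intent visible.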
@@ -20,32 +20,34 @@ alias_maps = hash:/etc/aliases alias_database = hash:/etc/aliases myorigin = zntrl.de # mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 +# trusts all hosts in the kopano docker network mynetworks_style = subnet # virtual domains -virtual_mailbox_domains = zntrl.de +virtual_mailbox_domains = zntrl.de ads64.de virtual_mailbox_maps = hash:/etc/postfix/vmailbox virtual_alias_maps = hash:/etc/postfix/virtual # virtual_transport = lmtp:unix:/var/spool/kopano/dagent.sock virtual_transport = lmtp:dagent:2003 -# default domains +# default outbound transport for all domains, use one relay for all domains +# authenticates to relay.zntrl.de for authorisation to relay mail, see also: SMTP (outbound) default_transport = smtp:[relay.zntrl.de]:465 # SMTPD (inbound) TLS parameters +smtpd_tls_key_file = /etc/postfix/ssl/private/nuc0.lan.key +smtpd_tls_cert_file = /etc/postfix/ssl/nuc0-full-chain.pem smtpd_tls_CApath = /etc/ssl/certs smtpd_tls_CAfile = /etc/postfix/ssl/certs/balusign-signing-ca.pem -smtpd_tls_cert_file = /etc/postfix/ssl/nuc0-full-chain.pem -smtpd_tls_key_file = /etc/postfix/ssl/private/nuc0.lan.key smtpd_tls_security_level=may smtpd_tls_loglevel = 1 smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination # SMTP (outbound) -smtp_tls_CApath=/etc/ssl/certs smtp_tls_key_file = /etc/postfix/ssl/private/nuc0.lan.key smtp_tls_cert_file = /etc/postfix/ssl/nuc0-full-chain.pem +smtp_tls_CApath=/etc/ssl/certs smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache smtp_tls_wrappermode = yes smtp_tls_security_level = encrypt diff --git a/postfix/etc/postfix/vmailbox b/postfix/etc/postfix/vmailbox index e94879f..a8e24a6 100644 --- a/postfix/etc/postfix/vmailbox +++ b/postfix/etc/postfix/vmailbox 
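Review bot: The new comment `# trusts all hosts in the kopano docker network` on `mynetworks_style = subnet` should spell out the consequence: together with `permit_mynetworks` in `smtpd_relay_restrictions`, every address on that subnet may relay without authentication, and since docker-compose.yml in this commit publishes port 25 as `8025:25`, connections from the host may arrive NATed with a source address inside that subnet. I would verify from the host that an unauthenticated relay attempt to an outside domain is rejected and, if it is not, replace the subnet style with an explicit `mynetworks` list. The other new comment says the default transport "authenticates to relay.zntrl.de", but no `smtp_sasl_*` settings appear in this hunk; if they live elsewhere in main.cf, say so, e.g. `# SASL credentials: see smtp_sasl_* below`.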
@@ -2,5 +2,7 @@ baloan@zntrl.de notused blu3prince@zntrl.de notused fafnir@zntrl.de notused postmaster@zntrl.de notused +andreas@ads64.de notused +postmaster@ads64.de notused # Comment out the entry below to implement a catch-all. # @zntrl.de notused diff --git a/postfix/build.sh b/postfix/scratchpad.sh similarity index 78% rename from postfix/build.sh rename to postfix/scratchpad.sh index b474fe4..7150e81 100644 --- a/postfix/build.sh +++ b/postfix/scratchpad.sh @@ -1,9 +1,8 @@ #!/usr/bin/bash -# docker login --username baloan --password 'yZBCUs5&@?:.' -# docker run -d --name apache -p80:80 -v/root/kopano/dist:/var/www httpd # export DOCKER_BUILDKIT=1 +# docker run -d --name apache -p80:80 -v/root/kopano/dist:/var/www httpd docker build -t postfix . -docker run -d --name postfix -v/root/kopano/postfix/etc/postfix:/etc/postfix postfix +docker run -d --name postfix -v/root/kopano/postfix/etc/postfix:/etc/postfix -p8025:25 postfix docker logs -f postfix docker exec -it postfix sh diff --git a/prep b/prep new file mode 100644 index 0000000..a72d268 --- /dev/null +++ b/prep @@ -0,0 +1,10 @@ +#!/usr/bin/bash +export DOCKER_BUILDKIT=1 +alias up='docker compose up -d' +#alias up='docker compose up -d --build' +alias down='docker compose down' +alias build='docker compose build' +alias push='docker compose push' +docker login --username baloan --password 'yZBCUs5&@?:.' +# access to packages +docker run -d --rm --name dist -p80:80 -v/root/kopano-docker/dist:/usr/local/apache2/htdocs httpd diff --git a/ssl/mkcerts b/ssl/mkcerts new file mode 100644 index 0000000..3456482 --- /dev/null +++ b/ssl/mkcerts 
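Review bot: `docker login --username baloan --password '…'` in prep commits a registry credential in plaintext; the same commit removes it from the three scratchpad scripts, yet it is still in the working tree and in git history, and the `todo` added here lists exactly this. Read it from a file outside the repository instead, `docker login --username baloan --password-stdin < /path/to/token-file` (placeholder path), and treat the existing value as compromised. Separately, the `alias` lines and `export` only affect the calling shell when the file is sourced; with the `#!/usr/bin/bash` shebang and direct execution they vanish when the script exits, so either document `. ./prep` as the usage or drop the shebang.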
@@ -0,0 +1,18 @@
+#!/usr/bin/bash
+# create ssl certificates for docker network
+# create signing ca (minimal pki)
+openssl req -new -config etc/kopano-ca.conf -out ca/kopano-ca.csr -keyout private/kopano-ca.key
+openssl ca -selfsign -config etc/kopano-ca.conf -in ca/kopano-ca.csr -out certs/kopano-ca.crt -extensions signing_ca_ext
+# create kopano server ssl key (for encryption)
+set SAN=DNS:server
+openssl req -new -config etc/kopano-server.conf -out certs/kopano-server.csr -keyout private/kopano-server.key
+openssl ca -config etc/kopano-ca.conf -in certs/kopano-server.csr -out certs/kopano-server.crt -extensions server_ext
+
+# create kopano clients ssl key pair (for authentification)
+# private key for client, public key for server sslkeys
+create-key dagent
+create-key spooler
+create-key search
+create-key webapp
+create-key z-push
+
diff --git a/todo b/todo
new file mode 100644
index 0000000..f8e2615
--- /dev/null
+++ b/todo
@@ -0,0 +1,9 @@
+complete internal SSL key generation and injection
+complete relay SSL key generation and injection (manual for distribution to relay)
+recipe: how to add a domain (dns, postfix virtual domains, webapp, z-push)
+bareos mysql backup (mysqldump, or database shutdown during backup)
+remove all etc volume mounts
+kopano server and database tuning
+check logging for all containers
+remove passwords from gitlab & docker
+baloghs.de migration
\ No newline at end of file
diff --git a/webapp/build.sh b/webapp/scratchpad.sh
similarity index 80%
rename from webapp/build.sh
rename to webapp/scratchpad.sh
index 651b22b..91ba20b 100644
--- a/webapp/build.sh
+++ b/webapp/scratchpad.sh
@@ -14,7 +14,3 @@ docker container ls
 docker container prune
 docker image ls
 docker image prune -a -f
-
-# docker login --username baloan --password 'yZBCUs5&@?:.'
-# docker tag -t webapp:latest ...
-# docker push
\ No newline at end of file
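Review bot: `set SAN=DNS:server` on the seventh line of mkcerts does not define a variable in bash — `set` followed by a non-option word replaces the positional parameters, so `$1` becomes `SAN=DNS:server` and no variable named `SAN` exists for the openssl config to pick up; the intended line is presumably `export SAN=DNS:server`. The script also has no `set -euo pipefail` and no `umask`, so a failed `openssl req` does not stop the `openssl ca` that follows, and the CA and server keys under `private/` get whatever mode the ambient umask allows; `umask 077` next to the shebang is the cheap fix. `create-key` is not defined in this file; if it is a sibling script that must be on PATH, a comment naming it would help.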
diff --git a/z-push/build.sh b/z-push/scratchpad.sh
similarity index 81%
rename from z-push/build.sh
rename to z-push/scratchpad.sh
index 841a818..5cdc48c 100644
--- a/z-push/build.sh
+++ b/z-push/scratchpad.sh
@@ -15,7 +15,3 @@ docker container ls
 docker container prune
 docker image ls
 docker image prune -a -f
-
-# docker login --username baloan --password 'yZBCUs5&@?:.'
-# docker tag -t z-push:latest ...
-# docker push
\ No newline at end of file