Set HOST env vars

[Web] Add identity_provider option to disable auto-creation of users …

.drone.yml

@@ -1,120 +0,0 @@
----
-kind: pipeline
-name: integration-testing
-
-platform:
-  os: linux
-  arch: amd64
-
-clone:
-  disable: true
-
-steps:
-- name: prepare-tests
-  pull: default
-  image: timovibritannia/ansible
-  commands:
-  - git clone https://github.com/mailcow/mailcow-integration-tests.git --branch $(curl -sL https://api.github.com/repos/mailcow/mailcow-integration-tests/releases/latest | jq -r '.tag_name') --single-branch .
-  - chmod +x ci.sh
-  - chmod +x ci-ssh.sh
-  - chmod +x ci-piprequierments.sh
-  - ./ci.sh
-  - wget -O group_vars/all/secrets.yml $SECRETS_DOWNLOAD_URL --quiet
-  environment:
-    SECRETS_DOWNLOAD_URL:
-      from_secret: SECRETS_DOWNLOAD_URL
-    VAULT_PW:
-      from_secret: VAULT_PW
-  when:
-    branch:
-    - master
-    - staging
-    event:
-    - push
-
-- name: lint
-  pull: default
-  image: timovibritannia/ansible
-  commands:
-  - ansible-lint ./
-  when:
-    branch:
-    - master
-    - staging
-    event:
-    - push
-
-- name: create-server
-  pull: default
-  image: timovibritannia/ansible
-  commands:
-  - ./ci-piprequierments.sh
-  - ansible-playbook mailcow-start-server.yml --diff
-  - ./ci-ssh.sh
-  environment:
-    ANSIBLE_HOST_KEY_CHECKING: false
-    ANSIBLE_FORCE_COLOR: true
-  when:
-    branch:
-    - master
-    - staging
-    event:
-    - push
-
-- name: setup-server
-  pull: default
-  image: timovibritannia/ansible
-  commands:
-  - sleep 120
-  - ./ci-piprequierments.sh
-  - ansible-playbook mailcow-setup-server.yml --private-key /drone/src/id_ssh_rsa --diff
-  environment:
-    ANSIBLE_HOST_KEY_CHECKING: false
-    ANSIBLE_FORCE_COLOR: true
-  when:
-    branch:
-    - master
-    - staging
-    event:
-    - push
-
-- name: run-tests
-  pull: default
-  image: timovibritannia/ansible
-  commands:
-  - ./ci-piprequierments.sh
-  - ansible-playbook mailcow-integration-tests.yml --private-key /drone/src/id_ssh_rsa --diff
-  environment:
-    ANSIBLE_HOST_KEY_CHECKING: false
-    ANSIBLE_FORCE_COLOR: true
-  when:
-    branch:
-    - master
-    - staging
-    event:
-    - push
-
-- name: delete-server
-  pull: default
-  image: timovibritannia/ansible
-  commands:
-  - ./ci-piprequierments.sh
-  - ansible-playbook mailcow-delete-server.yml --diff
-  environment:
-    ANSIBLE_HOST_KEY_CHECKING: false
-    ANSIBLE_FORCE_COLOR: true
-  when:
-    branch:
-    - master
-    - staging
-    event:
-    - push
-    status:
-    - failure
-    - success
-
----
-kind: signature
-hmac: f6619243fe2a27563291c9f2a46d93ffbc3b6dced9a05f23e64b555ce03a31e5
-
-...

.github/FUNDING.yml

@@ -1 +1,2 @@
-custom: https://mailcow.github.io/mailcow-dockerized-docs/#help-mailcow
+github: mailcow
+custom: ["https://www.servercow.de/mailcow?lang=en#sal"]

.github/ISSUE_TEMPLATE/Bug_report.yml

@@ -7,8 +7,8 @@ body:
       label: Contribution guidelines
       description: Please read the contribution guidelines before proceeding.
       options:
-        - label: I've read the [contribution guidelines](https://github.com/mailcow/mailcow-dockerized/blob/master/CONTRIBUTING.md) and wholeheartedly agree
-          required: true
+      - label: I've read the [contribution guidelines](https://github.com/mailcow/mailcow-dockerized/blob/master/CONTRIBUTING.md) and wholeheartedly agree
+        required: true
   - type: checkboxes
     attributes:
       label: I've found a bug and checked that ...
@@ -26,70 +26,142 @@ body:
     attributes:
       label: Description
       description: Please provide a brief description of the bug in 1-2 sentences. If applicable, add screenshots to help explain your problem. Very useful for bugs in mailcow UI.
+      render: plain text
     validations:
       required: true
   - type: textarea
     attributes:
-      label: Logs
-      description: Please take a look at the [official documentation](https://mailcow.github.io/mailcow-dockerized-docs/debug-logs/) and post the last few lines of logs, when the error occurs. For example, docker container logs of affected containers. This will be automatically formatted into code, so no need for backticks.
-      render: bash
+      label: "Logs:"
+      description: "Please take a look at the [official documentation](https://docs.mailcow.email/troubleshooting/debug-logs/) and post the last few lines of logs, when the error occurs. For example, docker container logs of affected containers. This will be automatically formatted into code, so no need for backticks."
+      render: plain text
     validations:
       required: true
   - type: textarea
     attributes:
-      label: Steps to reproduce
-      description: Please describe the steps to reproduce the bug. Screenshots can be added, if helpful.
+      label: "Steps to reproduce:"
+      description: "Please describe the steps to reproduce the bug. Screenshots can be added, if helpful."
+      render: plain text
       placeholder: |-
         1. ...
         2. ...
         3. ...
     validations:
       required: true
-  - type: textarea
+  - type: markdown
     attributes:
-      label: System information
-      description: In this stage we would kindly ask you to attach general system information about your setup.
-      value: |-
-             | Question | Answer |
-             | --- | --- |
-             | My operating system | I_DO_REPLY_HERE |
-             | Is Apparmor, SELinux or similar active? | I_DO_REPLY_HERE |
-             | Virtualization technology (KVM, VMware, Xen, etc - **LXC and OpenVZ are not supported** | I_DO_REPLY_HERE |
-             | Server/VM specifications (Memory, CPU Cores) | I_DO_REPLY_HERE |
-             | Docker version (`docker version`) | I_DO_REPLY_HERE |
-             | docker-compose version (`docker-compose version`) | I_DO_REPLY_HERE |
-             | mailcow version (```git describe --tags `git rev-list --tags --max-count=1` ```) | I_DO_REPLY_HERE |
-             | Reverse proxy (custom solution) | I_DO_REPLY_HERE |
-
-             Output of `git diff origin/master`, any other changes to the code? If so, **please post them**:
-             ```
-             YOUR OUTPUT GOES HERE
-             ```
-
-             All third-party firewalls and custom iptables rules are unsupported. **Please check the Docker docs about how to use Docker with your own ruleset**. Nevertheless, iptabels output can help us to help you:
-             iptables -L -vn:
-             ```
-             YOUR OUTPUT GOES HERE
-             ```
-
-             ip6tables -L -vn:
-             ```
-             YOUR OUTPUT GOES HERE
-             ```
-
-             iptables -L -vn -t nat:
-             ```
-             YOUR OUTPUT GOES HERE
-             ```
-
-             ip6tables -L -vn -t nat:
-             ```
-             YOUR OUTPUT GOES HERE
-             ```
-
-             DNS problems? Please run `docker exec -it $(docker ps -qf name=acme-mailcow) dig +short stackoverflow.com @172.22.1.254` (set the IP accordingly, if you changed the internal mailcow network) and post the output:
-             ```
-             YOUR OUTPUT GOES HERE
-             ```
+      value: |
+        ## System information
+        ### In this stage we would kindly ask you to attach general system information about your setup.
+  - type: dropdown
+    attributes:
+      label: "Which branch are you using?"
+      description: "#### `git rev-parse --abbrev-ref HEAD`"
+      multiple: false
+      options:
+        - master
+        - nightly
+    validations:
+      required: true
+  - type: dropdown
+    attributes:
+      label: "Which architecture are you using?"
+      description: "#### `uname -m`"
+      multiple: false
+      options:
+        - x86
+        - ARM64 (aarch64)
+    validations:
+      required: true
+  - type: input
+    attributes:
+      label: "Operating System:"
+      placeholder: "e.g. Ubuntu 22.04 LTS"
+    validations:
+      required: true
+  - type: input
+    attributes:
+      label: "Server/VM specifications:"
+      placeholder: "Memory, CPU Cores"
+    validations:
+      required: true
+  - type: input
+    attributes:
+      label: "Is Apparmor, SELinux or similar active?"
+      placeholder: "yes/no"
+    validations:
+      required: true
+  - type: input
+    attributes:
+      label: "Virtualization technology:"
+      placeholder: "KVM, VMware, Xen, etc - **LXC and OpenVZ are not supported**"
+    validations:
+      required: true
+  - type: input
+    attributes:
+      label: "Docker version:"
+      description: "#### `docker version`"
+      placeholder: "20.10.21"
+    validations:
+      required: true
+  - type: input
+    attributes:
+      label: "docker-compose version or docker compose version:"
+      description: "#### `docker-compose version` or `docker compose version`"
+      placeholder: "v2.12.2"
+    validations:
+      required: true
+  - type: input
+    attributes:
+      label: "mailcow version:"
+      description: "#### ```git describe --tags `git rev-list --tags --max-count=1` ```"
+      placeholder: "2022-08"
+    validations:
+      required: true
+  - type: input
+    attributes:
+      label: "Reverse proxy:"
+      placeholder: "e.g. Nginx/Traefik"
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: "Logs of git diff:"
+      description: "#### Output of `git diff origin/master`, any other changes to the code? If so, **please post them**:"
+      render: plain text
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: "Logs of iptables -L -vn:"
+      description: "#### Output of `iptables -L -vn`"
+      render: plain text
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: "Logs of ip6tables -L -vn:"
+      description: "#### Output of `ip6tables -L -vn`"
+      render: plain text
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: "Logs of iptables -L -vn -t nat:"
+      description: "#### Output of `iptables -L -vn -t nat`"
+      render: plain text
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: "Logs of ip6tables -L -vn -t nat:"
+      description: "#### Output of `ip6tables -L -vn -t nat`"
+      render: plain text
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: "DNS check:"
+      description: "#### Output of `docker exec -it $(docker ps -qf name=acme-mailcow) dig +short stackoverflow.com @172.22.1.254` (set the IP accordingly, if you changed the internal mailcow network)"
+      render: plain text
     validations:
       required: true

.github/ISSUE_TEMPLATE/config.yml

@@ -1,8 +1,11 @@
 blank_issues_enabled: false
 contact_links:
-  - name: ❓ Community-driven support
-    url: https://mailcow.github.io/mailcow-dockerized-docs/#get-support
+  - name: ❓ Community-driven support (Free)
+    url: https://docs.mailcow.email/#community-support-and-chat
     about: Please use the community forum for questions or assistance
+  - name: 🔥 Premium Support (Paid)
+    url: https://www.servercow.de/mailcow?lang=en#support
+    about: Buy a support subscription for any critical issues and get assisted by the mailcow Team. See conditions!
   - name: 🚨 Report a security vulnerability
-    url: https://www.servercow.de/anfrage?lang=en
+    url: "mailto:info@servercow.de?subject=mailcow: dockerized Security Vulnerability"
     about: Please give us appropriate time to verify, respond and fix before disclosure.

.github/ISSUE_TEMPLATE/pr_to_nighty_template.yml

@@ -0,0 +1,3 @@
+## :file_folder:  Modified files
+<!-- Diff files - START -->
+<!-- Diff files - END -->

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,38 @@
+<!-- _Please make sure to review and check all of these items, otherwise we might refuse your PR:_ -->
+
+## Contribution Guidelines
+
+* [ ] I've read the [contribution guidelines](https://github.com/mailcow/mailcow-dockerized/blob/master/CONTRIBUTING.md) and wholeheartedly agree them
+
+<!-- _NOTE: this tickbox is needed to fullfil on order to get your PR reviewed._ -->
+
+## What does this PR include?
+
+### Short Description
+
+<!-- Please write a short description, what your PR does here. -->
+
+###  Affected Containers
+
+<!-- Please list all affected Docker containers here, which you commited changes to -->
+
+<!--
+
+Please list them like this:
+
+- container1
+- container2
+- container3
+etc.
+
+-->
+
+## Did you run tests?
+
+### What did you tested?
+
+<!-- Please write shortly, what you've tested (which components etc.). -->
+
+### What were the final results? (Awaited, got)
+
+<!-- Please write shortly, what your final tests results were. What did you awaited? Was the outcome the awaited one? -->

.github/renovate.json

@@ -0,0 +1,25 @@
+{
+  "enabled": true,
+  "timezone": "Europe/Berlin",
+  "dependencyDashboard": true,
+  "dependencyDashboardTitle": "Renovate Dashboard",
+  "commitBody": "Signed-off-by: milkmaker <milkmaker@mailcow.de>",
+  "rebaseWhen": "auto",
+  "labels": ["renovate"],
+  "assignees": [
+    "@magiccc"
+  ],
+  "baseBranches": ["staging"],
+  "enabledManagers": ["github-actions", "regex", "docker-compose"],
+  "ignorePaths": [
+    "data\/web\/inc\/lib\/vendor\/**"
+  ],
+  "regexManagers": [
+    {
+      "fileMatch": ["(^|/)Dockerfile[^/]*$"],
+      "matchStrings": [
+        "#\\srenovate:\\sdatasource=(?<datasource>.*?) depName=(?<depName>.*?)( versioning=(?<versioning>.*?))?( extractVersion=(?<extractVersion>.*?))?\\s(ENV|ARG) .*?_VERSION=(?<currentValue>.*)\\s"
+       ]
+    }
+  ]
+}

.github/workflows/check_if_support_labeled.yml

@@ -0,0 +1,37 @@
+name: Check if labeled support, if so send message and close issue
+on:
+  issues:
+    types:
+      - labeled
+jobs:
+  add-comment:
+    if: github.event.label.name == 'support'
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+    steps:
+      - name: Add comment
+        run: gh issue comment "$NUMBER" --body "$BODY"
+        env:
+          GH_TOKEN: ${{ secrets.SUPPORTISSUES_ACTION_PAT }}
+          GH_REPO: ${{ github.repository }}
+          NUMBER: ${{ github.event.issue.number }}
+          BODY: |
+              **THIS IS A AUTOMATED MESSAGE!**
+
+              It seems your issue is not a bug.
+              Therefore we highly advise you to get support!
+              
+              You can get support either by:
+              - ordering a paid [support contract at Servercow](https://www.servercow.de/mailcow?lang=en#support/) (Directly from the developers) or
+              - using the [community forum](https://community.mailcow.email) (**Based on volunteers! NO guaranteed answer**) or
+              - using the [Telegram support channel](https://t.me/mailcow) (**Based on volunteers! NO guaranteed answer**)
+
+              This issue will be closed. If you think your reported issue is not a support case feel free to comment above and if so the issue will reopened.
+
+      - name: Close issue
+        env:
+          GH_TOKEN: ${{ secrets.SUPPORTISSUES_ACTION_PAT }}
+          GH_REPO: ${{ github.repository }}
+          NUMBER: ${{ github.event.issue.number }}
+        run: gh issue close "$NUMBER" -r "not planned"

.github/workflows/check_prs_if_on_staging.yml

@@ -0,0 +1,33 @@
+name: Check PRs if on staging
+on:
+    pull_request_target:
+      types: [opened, edited]
+permissions: {}
+
+jobs:
+  is_not_staging:
+    runs-on: ubuntu-latest
+    if: github.event.pull_request.base.ref != 'staging' #check if the target branch is not staging
+    steps:
+      - name: Send message
+        uses: thollander/actions-comment-pull-request@v3.0.1
+        with:
+          github-token: ${{ secrets.CHECKIFPRISSTAGING_ACTION_PAT }}
+          message: |
+                   Thanks for contributing!
+
+                   I noticed that you didn't select `staging` as your base branch. Please change the base branch to `staging`.
+                   See the attached picture on how to change the base branch to `staging`:
+
+                   ![check_prs_if_on_staging.png](https://raw.githubusercontent.com/mailcow/mailcow-dockerized/master/.github/workflows/assets/check_prs_if_on_staging.png)
+
+      - name: Fail #we want to see failed checks in the PR
+        if: ${{ success() }} #set exit code to 1 even if commenting somehow failed
+        run: exit 1
+
+  is_staging:
+    runs-on: ubuntu-latest
+    if: github.event.pull_request.base.ref == 'staging' #check if the target branch is staging
+    steps:
+      - name: Success
+        run: exit 0

.github/workflows/close_old_issues_and_prs.yml

@@ -14,7 +14,7 @@ jobs:
       pull-requests: write
     steps:
       - name: Mark/Close Stale Issues and Pull Requests 🗑️
-        uses: actions/stale@v5.0.0
+        uses: actions/stale@v9.1.0
         with:
           repo-token: ${{ secrets.STALE_ACTION_PAT }}
           days-before-stale: 60
@@ -30,6 +30,7 @@ jobs:
           stale-issue-label: "stale"
           stale-pr-label: "stale"
           exempt-draft-pr: "true"
+          close-issue-reason: "not_planned"
           operations-per-run: "250"
           ascending: "true"
           #DRY-RUN

.github/workflows/image_builds.yml

@@ -0,0 +1,42 @@
+name: Build mailcow Docker Images
+
+on:
+  push:
+    branches: [ "master", "staging" ]
+  workflow_dispatch:
+
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
+jobs:
+  docker_image_builds:
+    strategy:
+      matrix:
+        images:
+          - "acme-mailcow"
+          - "clamd-mailcow"
+          - "dockerapi-mailcow"
+          - "dovecot-mailcow"
+          - "netfilter-mailcow"
+          - "olefy-mailcow"
+          - "php-fpm-mailcow"
+          - "postfix-mailcow"
+          - "rspamd-mailcow"
+          - "sogo-mailcow"
+          - "unbound-mailcow"
+          - "watchdog-mailcow"
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Setup Docker
+        run: |
+          curl -sSL https://get.docker.com/ | CHANNEL=stable sudo sh
+          sudo service docker start
+      - name: Prepair Image Builds
+        run: |
+          cp helper-scripts/docker-compose.override.yml.d/BUILD_FLAGS/docker-compose.override.yml docker-compose.override.yml
+      - name: Build Docker Images
+        run: |
+          docker compose build ${image}
+        env:
+          image: ${{ matrix.images }}

.github/workflows/pr_to_nightly.yml

@@ -0,0 +1,25 @@
+name: Create PR to merge to nightly from staging
+on:
+  push:
+    branches:
+      - staging
+jobs:
+  action-pull-request:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Run the Action
+        uses: devops-infra/action-pull-request@v0.6.0
+        with:
+          github_token: ${{ secrets.PRTONIGHTLY_ACTION_PAT }}
+          title: Automatic PR to nightly from ${{ github.event.repository.updated_at}}
+          assignee: DerLinkman
+          source_branch: staging
+          target_branch: nightly
+          reviewer: DerLinkman
+          label: upstream
+          template: .github/ISSUE_TEMPLATE/pr_to_nighty_template.yml
+          get_diff: true

.github/workflows/rebuild_backup_image.yml

@@ -0,0 +1,39 @@
+name: Build mailcow backup image
+
+on:
+  schedule:
+    # At 00:00 on Sunday
+    - cron: "0 0 * * 0"
+  workflow_dispatch: # Allow to run workflow manually
+
+jobs:
+  docker_image_build:
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to GHCR
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          file: data/Dockerfiles/backup/Dockerfile
+          push: true
+          tags: ghcr.io/mailcow/backup:latest

.github/workflows/update_postscreen_access_list.yml

@@ -0,0 +1,39 @@
+name: Update postscreen_access.cidr
+
+on:
+  schedule:
+    # Monthly
+    - cron: "0 0 1 * *"
+  workflow_dispatch: # Allow to run workflow manually
+
+permissions:
+  contents: read # to fetch code (actions/checkout)
+  
+  
+jobs:
+  Update-postscreen_access_cidr:
+   runs-on: ubuntu-latest
+   steps:
+    - name: Checkout
+      uses: actions/checkout@v4
+
+    - name: Generate postscreen_access.cidr
+      run: |
+          bash helper-scripts/update_postscreen_whitelist.sh
+
+    - name: Create Pull Request
+      uses: peter-evans/create-pull-request@v7
+      with:
+        token: ${{ secrets.mailcow_action_Update_postscreen_access_cidr_pat }}
+        commit-message: update postscreen_access.cidr
+        committer: milkmaker <milkmaker@mailcow.de>
+        author: milkmaker <milkmaker@mailcow.de>
+        signoff: false
+        branch: update/postscreen_access.cidr
+        base: staging
+        delete-branch: true
+        add-paths: |
+          data/conf/postfix/postscreen_access.cidr
+        title: '[Postfix] update postscreen_access.cidr'
+        body: |
+          This PR updates the postscreen_access.cidr using GitHub Actions and [helper-scripts/update_postscreen_whitelist.sh](https://github.com/mailcow/mailcow-dockerized/blob/master/helper-scripts/update_postscreen_whitelist.sh)

.gitignore

@@ -1,6 +1,3 @@
-!data/conf/nginx/dynmaps.conf
-!data/conf/nginx/meta_exporter.conf
-!data/conf/nginx/site.conf
 !/**/.gitkeep
 *.iml
 .idea
@@ -8,44 +5,33 @@
 data/assets/ssl-example/*
 data/assets/ssl/*
 data/conf/borgmatic/
-data/conf/clamav/whitelist.ign2
-data/conf/dovecot/acl_anyone
-data/conf/dovecot/dovecot-master.passwd
-data/conf/dovecot/dovecot-master.userdb
+data/conf/clamav/rendered_configs
 data/conf/dovecot/extra.conf
-data/conf/dovecot/global_sieve_*
-data/conf/dovecot/last_login
-data/conf/dovecot/lua
-data/conf/dovecot/mail_plugins*
-data/conf/dovecot/shared_namespace.conf
-data/conf/dovecot/sni.conf
-data/conf/dovecot/sogo-sso.conf
-data/conf/dovecot/sogo_trusted_ip.conf
-data/conf/dovecot/sql
-data/conf/nextcloud-*.bak
-data/conf/nginx/*.active
-data/conf/nginx/*.bak
-data/conf/nginx/*.conf
-data/conf/nginx/*.custom
+data/conf/dovecot/rendered_configs
+data/conf/nginx/rendered_configs
 data/conf/phpfpm/sogo-sso/sogo-sso.pass
+data/conf/phpfpm/rendered_configs
 data/conf/portainer/
-data/conf/postfix/allow_mailcow_local.regexp
-data/conf/postfix/custom_postscreen_whitelist.cidr
-data/conf/postfix/custom_transport.pcre
 data/conf/postfix/extra.cf
-data/conf/postfix/sni.map
-data/conf/postfix/sni.map.db
-data/conf/postfix/sql
+data/conf/postfix/rendered_configs
 data/conf/rspamd/custom/*
 data/conf/rspamd/local.d/*
 data/conf/rspamd/override.d/*
+data/conf/rspamd/rendered_configs
 data/conf/sogo/custom-theme.js
-data/conf/sogo/plist_ldap
 data/conf/sogo/sieve.creds
-data/conf/sogo/sogo-full.svg
+data/conf/sogo/cron.creds
+data/conf/sogo/custom-fulllogo.svg
+data/conf/sogo/custom-shortlogo.svg
+data/conf/sogo/custom-fulllogo.png
+data/conf/sogo/rendered_configs
+data/conf/mysql/rendered_configs
 data/gitea/
 data/gogs/
+data/hooks/clamd/*
 data/hooks/dovecot/*
+data/hooks/mariadb/*
+data/hooks/nginx/*
 data/hooks/phpfpm/*
 data/hooks/postfix/*
 data/hooks/rspamd/*
@@ -66,3 +52,4 @@ rebuild-images.sh
 refresh_images.sh
 update_diffs/
 create_cold_standby.sh
+!data/conf/nginx/mailcow_auth.conf

.travis.yml

@@ -1,16 +0,0 @@
-sudo: required
-services:
-- docker
-script:
-- echo 'Europe/Berlin' | MAILCOW_HOSTNAME=build.mailcow ./generate_config.sh
-- docker-compose pull --ignore-pull-failures --parallel
-- docker-compose build
-- docker login --username=$DOCKER_HUB_USERNAME --password=$DOCKER_HUB_PASSWORD
-- docker-compose push
-branches:
-  only:
-  - master_disabled
-env:
-  global:
-  - secure: MpxpTwD7f0CNEVLitSpVmocK7O9r+BwFE1deEHK4AlQo/oc9cOlhGe1EL3mx9zbglPmjlDg/8kMUGv6vSirIabfBo9Szjps76bHckFr9lr2Ykkg0e29oC8pgPpSXD1eY/1ZIN/FvIkxpUFLETo1okS/j9q/A0DCGFmti0n3EoMORsgRz9CpNAiEh0zpSd6+euPAGHuczuCrDuO84my9bIOCjA/+aPunHNeXiuM8yIM2SxCSyGtIKT0+jvquIvLF58VxivysXBlRfhDn8fhB09nXA2Ru/derYQACfcmNSn9Pd4bDpebPJW5B9H/XA8xjb58uKinUlncbAMB/QnxoT75j9YRWJZRSQ+34XNYP6ZgK9soZ2TC6djQyEKTUu45Kp/1s+poSn42m9jytJJTmmK0KxsZTRcC8JD5nrjIMZWPUNNTwC5L4+I7ZRWg2WooK3LNyq1Ng8Hn6W77wSgsvAJw2HD3Lx58AprGUhHuBeaIZRuSN9aKwZrl9vKQJLqPnOp/nF2EC6kot5HYYtcotGtETXPUDih21gWD5ZM2BqVqYfQQnJnNMgeYmMdj6QQuTFqhuNJf7hXRIRkTnD3j1gDOLKQZazW0+N2JE8XWDFwi6fKScDsxT85lJti9HmzHa7+k4RVHmUYuDgRoPuzUgjWHvPsiz3/Z8WQ9JYpH84S8w=
-  - secure: fWzZisT6nGDNL4lf6tXB07eFG2drgBakHxzdF/NFVvzuP861RFR6omuL+ED0PgXrEHDJBxaBLv52je8irmUXrAH1CNr7T8DWiZo/h5h609Uzr+38T1NnIu4krL0Wo6/CDwlLKnzqTq9yBIZLQSHVJmo8AOpo1JPIi2ajodqj9ZfmAxDQTQl+G6zvQjtqIkYHsHY7A44Rto0f14ykn7w2S82Jn6Ry89VNI5V1WEO3sMpM/XekNP/HokNcRIuntL/0+kuLvTJ5akGoTjBQxSnSW95opzPeGky74HRU2obExJYqKvF0VfVJRNAqejwjIiFIbbjqV0Sk5391kFuhuBErQQDM1bOHGdxZ41HsJH29qNWIl7C33Yl10qERoqecgsJ1N/bS2ZEmWqm/zQh5GClCXPvYmzEqMYsMGM3vjbKdjDlc1Wh2w/eFclsXN9LSXh1mc35rtj46frcT6e5Kof87AIfC9hTgDvk9kAsyjaHMkSHSZthbZXCIcsD8qriNm5UqfFBYD79mPIP1S2YMQ2jscCsjHOZgYVrcm0kzDF21J1w6H0Lo7d1jw37LYlegBdtLQ9gYgqY2D5m+nxWuVoD5FZmpR+5JGtK+ootyLFF8aiFoHXd4op1JCxRLjgkmnZKXzw3kTQSpE7oa7CgzchtQmK2nqcqla1b5Qk7ilVcjooo=

CONTRIBUTING.md

@@ -1,9 +1,58 @@
-When a problem occurs, then always for a reason! What you want to do in such a case is:
+# Contribution Guidelines
+**_Last modified on 15th August 2024_**
 
+First of all, thank you for wanting to provide a bugfix or a new feature for the mailcow community, it's because of your help that the project can continue to grow!
+
+As we want to keep mailcow's development structured we setup these Guidelines which helps you to create your issue/pull request accordingly.
+
+**PLEASE NOTE, THAT WE MIGHT CLOSE ISSUES/PULL REQUESTS IF THEY DON'T FULLFIL OUR WRITTEN GUIDELINES WRITTEN INSIDE THIS DOCUMENT**. So please check this guidelines before you propose a Issue/Pull Request.
+
+## Topics
+
+- [Pull Requests](#pull-requests)
+- [Issue Reporting](#issue-reporting)
+    - [Guidelines](#issue-reporting-guidelines)
+    - [Issue Report Guide](#issue-report-guide)
+
+## Pull Requests
+**_Last modified on 15th August 2024_**
+
+However, please note the following regarding pull requests:
+
+1. **ALWAYS** create your PR using the staging branch of your locally cloned mailcow instance, as the pull request will end up in said staging branch of mailcow once approved. Ideally, you should simply create a new branch for your pull request that is named after the type of your PR (e.g. `feat/` for function updates or `fix/` for bug fixes) and the actual content (e.g. `sogo-6.0.0` for an update from SOGo to version 6 or `html-escape` for a fix that includes escaping HTML in mailcow).
+2. **ALWAYS** report/request issues/features in the english language, even though mailcow is a german based company. This is done to allow other GitHub users to reply to your issues/requests too which did not speak german or other languages besides english.
+3. Please **keep** this pull request branch **clean** and free of commits that have nothing to do with the changes you have made (e.g. commits from other users from other branches). *If you make changes to the `update.sh` script or other scripts that trigger a commit, there is usually a developer mode for clean working in this case.*
+4. **Test your changes before you commit them as a pull request.** <ins>If possible</ins>, write a small **test log** or demonstrate the functionality with a **screenshot or GIF**. *We will of course also test your pull request ourselves, but proof from you will save us the question of whether you have tested your own changes yourself.*
+5. **Please use** the pull request template we provide once creating a pull request. *HINT: During editing you encounter comments which looks like: `<!-- CONTENT -->`. These can be removed or kept, as they will not rendered later on GitHub! Please only create actual content without the said comments.* 
+6. Please **ALWAYS** create the actual pull request against the staging branch and **NEVER** directly against the master branch. *If you forget to do this, our moobot will remind you to switch the branch to staging.*
+7. Wait for a merge commit: It may happen that we do not accept your pull request immediately or sometimes not at all for various reasons. Please do not be disappointed if this is the case. We always endeavor to incorporate any meaningful changes from the community into the mailcow project.
+8. If you are planning larger and therefore more complex pull requests, it would be advisable to first announce this in a separate issue and then start implementing it after the idea has been accepted in order to avoid unnecessary frustration and effort!
+
+---
+
+## Issue Reporting
+**_Last modified on 15th August 2024_**
+
+If you plan to report a issue within mailcow please read and understand the following rules:
+
+### Issue Reporting Guidelines
+
+1. **ONLY** use the issue tracker for bug reports or improvement requests and NOT for support questions. For support questions you can either contact the [mailcow community on Telegram](https://docs.mailcow.email/#community-support-and-chat) or the mailcow team directly in exchange for a [support fee](https://docs.mailcow.email/#commercial-support).
+2. **ONLY** report an error if you have the **necessary know-how (at least the basics)** for the administration of an e-mail server and the usage of Docker. mailcow is a complex and fully-fledged e-mail server including groupware components on a Docker basement and it requires a bit of technical know-how for debugging and operating.
+3. **ALWAYS** report/request issues/features in the english language, even though mailcow is a german based company. This is done to allow other GitHub users to reply to your issues/requests too which did not speak german or other languages besides english.
+4. **ONLY** report bugs that are contained in the latest mailcow release series. *The definition of the latest release series includes the last major patch (e.g. 2023-12) and all minor patches (revisions) below it (e.g. 2023-12a, b, c etc.).* New issue reports published starting from January 1, 2024 must meet this criterion, as versions below the latest releases are no longer supported by us.
+5. When reporting a problem, please be as detailed as possible and include even the smallest changes to your mailcow installation. Simply fill out the corresponding bug report form in detail and accurately to minimize possible questions.
+6. **Before you open an issue/feature request**, please first check whether a similar request already exists in the mailcow tracker on GitHub. If so, please include yourself in this request.
+7. When you create a issue/feature request: Please note that the creation does <ins>**not guarantee an instant implementation or fix by the mailcow team or the community**</ins>.
+8. Please **ALWAYS** anonymize any sensitive information in your bug report or feature request before submitting it.
+
+### Issue Report Guide
 1. Read your logs; follow them to see what the reason for your problem is.
 2. Follow the leads given to you in your logfiles and start investigating.
 3. Restarting the troubled service or the whole stack to see if the problem persists.
-4. Read the [documentation](https://mailcow.github.io/mailcow-dockerized-docs/) of the troubled service and search its bugtracker for your problem.
+4. Read the [documentation](https://docs.mailcow.email/) of the troubled service and search its bugtracker for your problem.
 5. Search our [issues](https://github.com/mailcow/mailcow-dockerized/issues) for your problem.
 6. [Create an issue](https://github.com/mailcow/mailcow-dockerized/issues/new/choose) over at our GitHub repository if you think your problem might be a bug or a missing feature you badly need. But please make sure, that you include **all the logs** and a full description to your problem.
-7. Ask your questions in our community-driven [support channels](https://mailcow.github.io/mailcow-dockerized-docs/#community-support-and-chat).
+7. Ask your questions in our community-driven [support channels](https://docs.mailcow.email/#community-support-and-chat).
+
+## When creating an issue/feature request or a pull request, you will be asked to confirm these guidelines.

README.md

@@ -1,9 +1,9 @@
 # mailcow: dockerized - 🐮 + 🐋 = 💕
 
-## We stand with 🇺🇦
-
-[![master build status](https://img.shields.io/drone/build/mailcow/mailcow-dockerized/master?label=master%20build&server=https%3A%2F%2Fdrone.mailcow.email)](https://drone.mailcow.email/mailcow/mailcow-dockerized) [![staging build status](https://img.shields.io/drone/build/mailcow/mailcow-dockerized/staging?label=staging%20build&server=https%3A%2F%2Fdrone.mailcow.email)](https://drone.mailcow.email/mailcow/mailcow-dockerized) [![Translation status](https://translate.mailcow.email/widgets/mailcow-dockerized/-/translation/svg-badge.svg)](https://translate.mailcow.email/engage/mailcow-dockerized/)
+[![Translation status](https://translate.mailcow.email/widgets/mailcow-dockerized/-/translation/svg-badge.svg)](https://translate.mailcow.email/engage/mailcow-dockerized/)
 [![Twitter URL](https://img.shields.io/twitter/url/https/twitter.com/mailcow_email.svg?style=social&label=Follow%20%40mailcow_email)](https://twitter.com/mailcow_email)
+![Mastodon Follow](https://img.shields.io/mastodon/follow/109388212176073348?domain=https%3A%2F%2Fmailcow.social&label=Follow%20%40doncow%40mailcow.social&link=https%3A%2F%2Fmailcow.social%2F%40doncow)
+
 
 ## Want to support mailcow?
 
@@ -13,9 +13,25 @@ You can also [get a SAL](https://www.servercow.de/mailcow?lang=en#sal) which is
 
 Or just spread the word: moo.
 
+## Many thanks to our GitHub Sponsors ❤️
+A big thank you to everyone supporting us on GitHub Sponsors—your contributions mean the world to us! Special thanks to the following amazing supporters:
+
+### 100$/Month Sponsors
+  <a href="https://www.colba.net/" target=_blank><img
+    src="https://avatars.githubusercontent.com/u/204464723" height="58"
+  /></a>
+  <a href="https://www.maehdros.com/" target=_blank><img
+    src="https://avatars.githubusercontent.com/u/173894712" height="58"
+  /></a>
+
+### 50$/Month Sponsors
+  <a href="https://github.com/vnukhr" target=_blank><img
+    src="https://avatars.githubusercontent.com/u/7805987?s=52&v=4" height="58"
+  /></a>
+
 ## Info, documentation and support
 
-Please see [the official documentation](https://mailcow.github.io/mailcow-dockerized-docs/) for installation and support instructions. 🐄
+Please see [the official documentation](https://docs.mailcow.email/) for installation and support instructions. 🐄
 
 🐛 **If you found a critical security issue, please mail us to [info at servercow.de](mailto:info@servercow.de).**
 
@@ -27,7 +43,9 @@ Please see [the official documentation](https://mailcow.github.io/mailcow-docker
 
 [Telegram mailcow Off-Topic channel](https://t.me/mailcowOfftopic)
 
-[Official Twitter Account](https://twitter.com/mailcow_email)
+[Official 𝕏 (Twitter) Account](https://twitter.com/mailcow_email)
+
+[Official Mastodon Account](https://mailcow.social/@doncow)
 
 Telegram desktop clients are available for [multiple platforms](https://desktop.telegram.org). You can search the groups history for keywords.
 
@@ -35,3 +53,9 @@ Telegram desktop clients are available for [multiple platforms](https://desktop.
 
 **Important**: mailcow makes use of various open-source software. Please assure you agree with their license before using mailcow.
 Any part of mailcow itself is released under **GNU General Public License, Version 3**.
+
+mailcow is a registered word mark of The Infrastructure Company GmbH, Parkstr. 42, 47877 Willich, Germany.
+
+The project is managed and maintained by The Infrastructure Company GmbH.
+
+Originated from @andryyy (André)

SECURITY.md

@@ -0,0 +1,42 @@
+# Security Policies and Procedures
+
+This document outlines security procedures and general policies for the _mailcow: dockerized_ project as found on [mailcow-dockerized](https://github.com/mailcow/mailcow-dockerized).
+
+  * [Reporting a Vulnerability](#reporting-a-vulnerability)
+  * [Disclosure Policy](#disclosure-policy)
+  * [Comments on this Policy](#comments-on-this-policy)
+
+## Reporting a Vulnerability 
+
+The mailcow team and community take all security vulnerabilities
+seriously. Thank you for improving the security of our open source 
+software. We appreciate your efforts and responsible disclosure and will
+make every effort to acknowledge your contributions.
+
+Report security vulnerabilities by emailing the mailcow team at:
+    
+    info at servercow.de
+
+mailcow team will acknowledge your email as soon as possible, and will
+send a more detailed response afterwards indicating the next steps in 
+handling your report. After the initial reply to your report, the mailcow
+team will endeavor to keep you informed of the progress towards a fix and
+full announcement, and may ask for additional information or guidance.
+
+Report security vulnerabilities in third-party modules to the person or 
+team maintaining the module.
+
+## Disclosure Policy
+
+When the mailcow team receives a security bug report, they will assign it
+to a primary handler. This person will coordinate the fix and release
+process, involving the following steps:
+
+  * Confirm the problem and determine the affected versions.
+  * Audit code to find any potential similar problems.
+  * Prepare fixes for all releases still under maintenance.
+
+## Comments on this Policy
+
+If you have suggestions on how this process could be improved please submit a
+pull request.

data/Dockerfiles/acme/Dockerfile

@@ -1,6 +1,6 @@
-FROM alpine:3.15
+FROM alpine:3.21
 
-LABEL maintainer "Andre Peters <andre.peters@servercow.de>"
+LABEL maintainer = "The Infrastructure Company GmbH <info@servercow.de>"
 
 RUN apk upgrade --no-cache \
   && apk add --update --no-cache \
@@ -14,9 +14,7 @@ RUN apk upgrade --no-cache \
   tini \
   tzdata \
   python3 \
-  py3-pip \
-  && pip3 install --upgrade pip \
-  && pip3 install acme-tiny
+  acme-tiny
 
 COPY acme.sh /srv/acme.sh
 COPY functions.sh /srv/functions.sh

data/Dockerfiles/acme/acme.sh

@@ -4,9 +4,9 @@ exec 5>&1
 
 # Do not attempt to write to slave
 if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
-  export REDIS_CMDLINE="redis-cli -h ${REDIS_SLAVEOF_IP} -p ${REDIS_SLAVEOF_PORT}"
+  export REDIS_CMDLINE="redis-cli -h ${REDIS_SLAVEOF_IP} -p ${REDIS_SLAVEOF_PORT} -a ${REDISPASS} --no-auth-warning"
 else
-  export REDIS_CMDLINE="redis-cli -h redis -p 6379"
+  export REDIS_CMDLINE="redis-cli -h redis -p 6379 -a ${REDISPASS} --no-auth-warning"
 fi
 
 until [[ $(${REDIS_CMDLINE} PING) == "PONG" ]]; do
@@ -33,6 +33,10 @@ if [[ "${ONLY_MAILCOW_HOSTNAME}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
   ONLY_MAILCOW_HOSTNAME=y
 fi
 
+if [[ "${AUTODISCOVER_SAN}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
+  AUTODISCOVER_SAN=y
+fi
+
 # Request individual certificate for every domain
 if [[ "${ENABLE_SSL_SNI}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
   ENABLE_SSL_SNI=y
@@ -113,13 +117,13 @@ fi
 chmod 600 ${ACME_BASE}/key.pem
 
 log_f "Waiting for database..."
-while ! mysqladmin status --socket=/var/run/mysqld/mysqld.sock -u${DBUSER} -p${DBPASS} --silent > /dev/null; do
+while ! /usr/bin/mariadb-admin status --ssl=false --socket=/var/run/mysqld/mysqld.sock -u${DBUSER} -p${DBPASS} --silent > /dev/null; do
   sleep 2
 done
 log_f "Database OK"
 
 log_f "Waiting for Nginx..."
-until $(curl --output /dev/null --silent --head --fail http://nginx:8081); do
+until $(curl --output /dev/null --silent --head --fail http://nginx.${COMPOSE_PROJECT_NAME}_mailcow-network:8081); do
   sleep 2
 done
 log_f "Nginx OK"
@@ -133,8 +137,8 @@ log_f "Resolver OK"
 # Waiting for domain table
 log_f "Waiting for domain table..."
 while [[ -z ${DOMAIN_TABLE} ]]; do
-  curl --silent http://nginx/ >/dev/null 2>&1
-  DOMAIN_TABLE=$(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SHOW TABLES LIKE 'domain'" -Bs)
+  curl --silent http://nginx.${COMPOSE_PROJECT_NAME}_mailcow-network/ >/dev/null 2>&1
+  DOMAIN_TABLE=$(mariadb --skip-ssl --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SHOW TABLES LIKE 'domain'" -Bs)
   [[ -z ${DOMAIN_TABLE} ]] && sleep 10
 done
 log_f "OK" no_date
@@ -211,17 +215,23 @@ while true; do
       ADDITIONAL_SAN_ARR+=($i)
     fi
   done
-  ADDITIONAL_WC_ARR+=('autodiscover' 'autoconfig')
 
+  if [[ ${AUTODISCOVER_SAN} == "y" ]]; then
+  # Fetch certs for autoconfig and autodiscover subdomains
+  ADDITIONAL_WC_ARR+=('autodiscover' 'autoconfig')
+  fi
+
+  if [[ ${SKIP_IP_CHECK} != "y" ]]; then
   # Start IP detection
   log_f "Detecting IP addresses..."
   IPV4=$(get_ipv4)
   IPV6=$(get_ipv6)
   log_f "OK: ${IPV4}, ${IPV6:-"0000:0000:0000:0000:0000:0000:0000:0000"}"
+  fi
 
   #########################################
   # IP and webroot challenge verification #
-  SQL_DOMAINS=$(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT domain FROM domain WHERE backupmx=0 and active=1" -Bs)
+  SQL_DOMAINS=$(mariadb --skip-ssl --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT domain FROM domain WHERE backupmx=0 and active=1" -Bs)
   if [[ ! $? -eq 0 ]]; then
     log_f "Failed to read SQL domains, retrying in 1 minute..."
     sleep 1m

data/Dockerfiles/acme/obtain-certificate.sh

@@ -124,7 +124,7 @@ case "$SUCCESS" in
     ;;
   *) # non-zero is non-fun
     log_f "Failed to obtain certificate ${CERT} for domains '${CERT_DOMAINS[*]}'"
-    redis-cli -h redis SET ACME_FAIL_TIME "$(date +%s)"
+    redis-cli -h redis -a ${REDISPASS} --no-auth-warning SET ACME_FAIL_TIME "$(date +%s)"
     exit 100${SUCCESS}
     ;;
 esac

data/Dockerfiles/acme/reload-configurations.sh

@@ -2,32 +2,32 @@
 
 # Reading container IDs
 # Wrapping as array to ensure trimmed content when calling $NGINX etc.
-NGINX=($(curl --silent --insecure https://dockerapi/containers/json | jq -r ".[] | {name: .Config.Labels[\"com.docker.compose.service\"], project: .Config.Labels[\"com.docker.compose.project\"], id: .Id}" | jq -rc "select( .name | tostring | contains(\"nginx-mailcow\")) | select( .project | tostring | contains(\"${COMPOSE_PROJECT_NAME,,}\")) | .id" | tr "\n" " "))
-DOVECOT=($(curl --silent --insecure https://dockerapi/containers/json | jq -r ".[] | {name: .Config.Labels[\"com.docker.compose.service\"], project: .Config.Labels[\"com.docker.compose.project\"], id: .Id}" | jq -rc "select( .name | tostring | contains(\"dovecot-mailcow\")) | select( .project | tostring | contains(\"${COMPOSE_PROJECT_NAME,,}\")) | .id" | tr "\n" " "))
-POSTFIX=($(curl --silent --insecure https://dockerapi/containers/json | jq -r ".[] | {name: .Config.Labels[\"com.docker.compose.service\"], project: .Config.Labels[\"com.docker.compose.project\"], id: .Id}" | jq -rc "select( .name | tostring | contains(\"postfix-mailcow\")) | select( .project | tostring | contains(\"${COMPOSE_PROJECT_NAME,,}\")) | .id" | tr "\n" " "))
+NGINX=($(curl --silent --insecure https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/json | jq -r ".[] | {name: .Config.Labels[\"com.docker.compose.service\"], project: .Config.Labels[\"com.docker.compose.project\"], id: .Id}" | jq -rc "select( .name | tostring | contains(\"nginx-mailcow\")) | select( .project | tostring | contains(\"${COMPOSE_PROJECT_NAME,,}\")) | .id" | tr "\n" " "))
+DOVECOT=($(curl --silent --insecure https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/json | jq -r ".[] | {name: .Config.Labels[\"com.docker.compose.service\"], project: .Config.Labels[\"com.docker.compose.project\"], id: .Id}" | jq -rc "select( .name | tostring | contains(\"dovecot-mailcow\")) | select( .project | tostring | contains(\"${COMPOSE_PROJECT_NAME,,}\")) | .id" | tr "\n" " "))
+POSTFIX=($(curl --silent --insecure https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/json | jq -r ".[] | {name: .Config.Labels[\"com.docker.compose.service\"], project: .Config.Labels[\"com.docker.compose.project\"], id: .Id}" | jq -rc "select( .name | tostring | contains(\"postfix-mailcow\")) | select( .project | tostring | contains(\"${COMPOSE_PROJECT_NAME,,}\")) | .id" | tr "\n" " "))
 
 reload_nginx(){
   echo "Reloading Nginx..."
-  NGINX_RELOAD_RET=$(curl -X POST --insecure https://dockerapi/containers/${NGINX}/exec -d '{"cmd":"reload", "task":"nginx"}' --silent -H 'Content-type: application/json' | jq -r .type)
+  NGINX_RELOAD_RET=$(curl -X POST --insecure https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/${NGINX}/exec -d '{"cmd":"reload", "task":"nginx"}' --silent -H 'Content-type: application/json' | jq -r .type)
   [[ ${NGINX_RELOAD_RET} != 'success' ]] && { echo "Could not reload Nginx, restarting container..."; restart_container ${NGINX} ; }
 }
 
 reload_dovecot(){
   echo "Reloading Dovecot..."
-  DOVECOT_RELOAD_RET=$(curl -X POST --insecure https://dockerapi/containers/${DOVECOT}/exec -d '{"cmd":"reload", "task":"dovecot"}' --silent -H 'Content-type: application/json' | jq -r .type)
+  DOVECOT_RELOAD_RET=$(curl -X POST --insecure https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/${DOVECOT}/exec -d '{"cmd":"reload", "task":"dovecot"}' --silent -H 'Content-type: application/json' | jq -r .type)
   [[ ${DOVECOT_RELOAD_RET} != 'success' ]] && { echo "Could not reload Dovecot, restarting container..."; restart_container ${DOVECOT} ; }
 }
 
 reload_postfix(){
   echo "Reloading Postfix..."
-  POSTFIX_RELOAD_RET=$(curl -X POST --insecure https://dockerapi/containers/${POSTFIX}/exec -d '{"cmd":"reload", "task":"postfix"}' --silent -H 'Content-type: application/json' | jq -r .type)
+  POSTFIX_RELOAD_RET=$(curl -X POST --insecure https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/${POSTFIX}/exec -d '{"cmd":"reload", "task":"postfix"}' --silent -H 'Content-type: application/json' | jq -r .type)
   [[ ${POSTFIX_RELOAD_RET} != 'success' ]] && { echo "Could not reload Postfix, restarting container..."; restart_container ${POSTFIX} ; }
 }
 
 restart_container(){
   for container in $*; do
     echo "Restarting ${container}..."
-    C_REST_OUT=$(curl -X POST --insecure https://dockerapi/containers/${container}/restart --silent | jq -r '.msg')
+    C_REST_OUT=$(curl -X POST --insecure https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/${container}/restart --silent | jq -r '.msg')
     echo "${C_REST_OUT}"
   done
 }

data/Dockerfiles/backup/Dockerfile

@@ -0,0 +1,3 @@
+FROM debian:bookworm-slim
+
+RUN apt update && apt install pigz -y --no-install-recommends

data/Dockerfiles/bootstrap/main.py

@@ -0,0 +1,66 @@
+import os
+import sys
+import signal
+import ipaddress
+
+def handle_sigterm(signum, frame):
+  print("Received SIGTERM, exiting gracefully...")
+  sys.exit(0)
+
+def get_mysql_config(service_name):
+  db_config = {
+    "user": os.getenv("DBUSER") or os.getenv("MYSQL_USER"),
+    "password": os.getenv("DBPASS") or os.getenv("MYSQL_PASSWORD"),
+    "database": os.getenv("DBNAME") or os.getenv("MYSQL_DATABASE"),
+    "connection_timeout": 2,
+    "service_table": "service_settings",
+    "service_types": [service_name]
+  }
+
+  db_host = os.getenv("DB_HOST")
+  if db_host.startswith("/"):
+    db_config["host"] = "localhost"
+    db_config["unix_socket"] = db_host
+  else:
+    db_config["host"] = db_host
+
+  return db_config
+
+def get_redis_config():
+  redis_config = {
+    "read_host": os.getenv("REDIS_HOST"),
+    "read_port": 6379,
+    "write_host": os.getenv("REDIS_SLAVEOF_IP") or os.getenv("REDIS_HOST"),
+    "write_port": int(os.getenv("REDIS_SLAVEOF_PORT") or 6379),
+    "password": os.getenv("REDISPASS"),
+    "db": 0
+  }
+
+  return redis_config
+
+def main():
+  signal.signal(signal.SIGTERM, handle_sigterm)
+
+  container_name = os.getenv("CONTAINER_NAME")
+  service_name = container_name.replace("-mailcow", "").replace("-", "")
+  module_name = f"Bootstrap{service_name.capitalize()}"
+
+  try:
+    mod = __import__(f"modules.{module_name}", fromlist=[module_name])
+    Bootstrap = getattr(mod, module_name)
+  except (ImportError, AttributeError) as e:
+    print(f"Failed to load bootstrap module for: {container_name} → {module_name}")
+    print(str(e))
+    sys.exit(1)
+
+  b = Bootstrap(
+    container=container_name,
+    service=service_name,
+    db_config=get_mysql_config(service_name),
+    redis_config=get_redis_config()
+  )
+
+  b.bootstrap()
+
+if __name__ == "__main__":
+  main()

data/Dockerfiles/bootstrap/modules/BootstrapBase.py

@@ -0,0 +1,827 @@
+import os
+import pwd
+import grp
+import shutil
+import secrets
+import string
+import subprocess
+import time
+import socket
+import re
+import redis
+import hashlib
+import json
+import psutil
+import signal
+from urllib.parse import quote
+from pathlib import Path
+import dns.resolver
+import mysql.connector
+
+class BootstrapBase:
+  def __init__(self, container, service, db_config, redis_config):
+    self.container = container
+    self.service = service
+    self.db_config = db_config
+    self.redis_config = redis_config
+
+    self.env = None
+    self.env_vars = None
+    self.mysql_conn = None
+    self.redis_connr = None
+    self.redis_connw = None
+
+  def render_config(self, config_dir):
+    """
+    Renders multiple Jinja2 templates from a config.json file in a given directory.
+
+    Args:
+      config_dir (str or Path): Path to the directory containing config.json
+
+    Behavior:
+      - Renders each template defined in config.json
+      - Writes the result to the specified output path
+      - Also copies the rendered file to: <config_dir>/rendered_configs/<relative_output_path>
+    """
+
+    config_dir = Path(config_dir)
+    config_path = config_dir / "config.json"
+
+    if not config_path.exists():
+      print(f"config.json not found in: {config_dir}")
+      return
+
+    with config_path.open("r") as f:
+      entries = json.load(f)
+
+    for entry in entries:
+      template_name = entry["template"]
+      output_path = Path(entry["output"])
+      clean_blank_lines = entry.get("clean_blank_lines", False)
+      if_not_exists = entry.get("if_not_exists", False)
+
+      if if_not_exists and output_path.exists():
+        print(f"Skipping {output_path} (already exists)")
+        continue
+
+      output_path.parent.mkdir(parents=True, exist_ok=True)
+
+      try:
+        template = self.env.get_template(template_name)
+      except Exception as e:
+        print(f"Template not found: {template_name} ({e})")
+        continue
+
+      rendered = template.render(self.env_vars)
+
+      if clean_blank_lines:
+        rendered = "\n".join(line for line in rendered.splitlines() if line.strip())
+
+      rendered = rendered.replace('\r\n', '\n').replace('\r', '\n')
+
+      with output_path.open("w") as f:
+        f.write(rendered)
+
+      rendered_copy_path = config_dir / "rendered_configs" / output_path.name
+      rendered_copy_path.parent.mkdir(parents=True, exist_ok=True)
+      self.copy_file(output_path, rendered_copy_path)
+
+      print(f"Rendered {template_name} → {output_path}")
+
+  def prepare_template_vars(self, overwrite_path, extra_vars = None):
+    """
+    Loads and merges environment variables for Jinja2 templates from multiple sources, and registers custom template filters.
+
+    This method combines variables from:
+      1. System environment variables
+      2. The MySQL `service_settings` table (filtered by service type if defined)
+      3. An optional `extra_vars` dictionary
+      4. A JSON overwrite file (if it exists at the given path)
+
+    Also registers custom Jinja2 filters.
+
+    Args:
+        overwrite_path (str or Path): Path to a JSON file containing key-value overrides.
+        extra_vars (dict, optional): Additional variables to merge into the environment.
+
+    Returns:
+        dict: A dictionary containing all resolved template variables.
+
+    Raises:
+        Prints errors if database fetch or JSON parsing fails, but does not raise exceptions.
+    """
+
+    # 1. setup filters
+    self.env.filters['sha1'] = self.sha1_filter
+    self.env.filters['urlencode'] = self.urlencode_filter
+    self.env.filters['escape_quotes'] = self.escape_quotes_filter
+
+    # 2. Load env vars
+    env_vars = dict(os.environ)
+
+    # 3. Load from MySQL
+    try:
+      cursor = self.mysql_conn.cursor()
+
+      if self.db_config['service_types']:
+        placeholders = ','.join(['%s'] * len(self.db_config['service_types']))
+        sql = f"SELECT `key`, `value` FROM {self.db_config['service_table']} WHERE `type` IN ({placeholders})"
+        cursor.execute(sql, self.db_config['service_types'])
+      else:
+        cursor.execute(f"SELECT `key`, `value` FROM {self.db_config['service_table']}")
+
+      for key, value in cursor.fetchall():
+        env_vars[key] = value
+
+      cursor.close()
+    except Exception as e:
+      print(f"Failed to fetch DB service settings: {e}")
+
+    # 4. Load extra vars
+    if extra_vars:
+      env_vars.update(extra_vars)
+
+    # 5. Load overwrites
+    overwrite_path = Path(overwrite_path)
+    if overwrite_path.exists():
+      try:
+        with overwrite_path.open("r") as f:
+          overwrite_data = json.load(f)
+          env_vars.update(overwrite_data)
+      except Exception as e:
+        print(f"Failed to parse overwrites: {e}")
+
+    return env_vars
+
+  def set_timezone(self):
+    """
+    Sets the system timezone based on the TZ environment variable.
+
+    If the TZ variable is set, writes its value to /etc/timezone.
+    """
+
+    timezone = os.getenv("TZ")
+    if timezone:
+      with open("/etc/timezone", "w") as f:
+        f.write(timezone + "\n")
+
+  def set_syslog_redis(self):
+    """
+    Reconfigures syslog-ng to use a Redis slave configuration.
+
+    If the REDIS_SLAVEOF_IP environment variable is set, replaces the syslog-ng config
+    with the Redis slave-specific config.
+    """
+
+    redis_slave_ip = os.getenv("REDIS_SLAVEOF_IP")
+    if redis_slave_ip:
+      shutil.copy("/etc/syslog-ng/syslog-ng-redis_slave.conf", "/etc/syslog-ng/syslog-ng.conf")
+
+  def rsync_file(self, src, dst, recursive=False, owner=None, mode=None):
+    """
+    Copies files or directories using rsync, with optional ownership and permissions.
+
+    Args:
+        src (str or Path): Source file or directory.
+        dst (str or Path): Destination directory.
+        recursive (bool): If True, copies contents recursively.
+        owner (tuple): Tuple of (user, group) to set ownership.
+        mode (int): File mode (e.g., 0o644) to set permissions after sync.
+    """
+
+    src_path = Path(src)
+    dst_path = Path(dst)
+    dst_path.mkdir(parents=True, exist_ok=True)
+
+    rsync_cmd = ["rsync", "-a"]
+    if recursive:
+      rsync_cmd.append(str(src_path) + "/")
+    else:
+      rsync_cmd.append(str(src_path))
+    rsync_cmd.append(str(dst_path))
+
+    try:
+      subprocess.run(rsync_cmd, check=True)
+    except Exception as e:
+      print(f"Rsync failed: {e}")
+
+    if owner:
+      self.set_owner(dst_path, *owner, recursive=True)
+    if mode:
+      self.set_permissions(dst_path, mode)
+
+  def set_permissions(self, path, mode):
+    """
+    Sets file or directory permissions.
+
+    Args:
+        path (str or Path): Path to the file or directory.
+        mode (int): File mode to apply, e.g., 0o644.
+
+    Raises:
+        FileNotFoundError: If the path does not exist.
+    """
+
+    file_path = Path(path)
+    if not file_path.exists():
+      raise FileNotFoundError(f"Cannot chmod: {file_path} does not exist")
+    os.chmod(file_path, mode)
+
+  def set_owner(self, path, user, group=None, recursive=False):
+    """
+    Changes ownership of a file or directory.
+
+    Args:
+        path (str or Path): Path to the file or directory.
+        user (str or int): Username or UID for new owner.
+        group (str or int, optional): Group name or GID; defaults to user's group if not provided.
+        recursive (bool): If True and path is a directory, ownership is applied recursively.
+
+    Raises:
+        FileNotFoundError: If the path does not exist.
+    """
+
+    # Resolve UID
+    uid = int(user) if str(user).isdigit() else pwd.getpwnam(user).pw_uid
+    # Resolve GID
+    if group is not None:
+      gid = int(group) if str(group).isdigit() else grp.getgrnam(group).gr_gid
+    else:
+      gid = uid if isinstance(user, int) or str(user).isdigit() else grp.getgrnam(user).gr_gid
+
+    p = Path(path)
+    if not p.exists():
+      raise FileNotFoundError(f"{path} does not exist")
+
+    if recursive and p.is_dir():
+      for sub_path in p.rglob("*"):
+        os.chown(sub_path, uid, gid)
+    os.chown(p, uid, gid)
+
+  def fix_permissions(self, path, user=None, group=None, mode=None, recursive=False):
+    """
+    Sets owner and/or permissions on a file or directory.
+
+    Args:
+      path (str or Path): Target path.
+      user (str|int, optional): Username or UID.
+      group (str|int, optional): Group name or GID.
+      mode (int, optional): File mode (e.g. 0o644).
+      recursive (bool): Apply recursively if path is a directory.
+    """
+
+    if user or group:
+      self.set_owner(path, user, group, recursive)
+    if mode:
+      self.set_permissions(path, mode)
+
+  def move_file(self, src, dst, overwrite=True):
+    """
+    Moves a file from src to dst, optionally overwriting existing files.
+
+    Args:
+        src (str or Path): Source file path.
+        dst (str or Path): Destination path.
+        overwrite (bool): If False, raises error if dst exists.
+
+    Raises:
+        FileNotFoundError: If the source file does not exist.
+        FileExistsError: If the destination file exists and overwrite is False.
+    """
+
+    src_path = Path(src)
+    dst_path = Path(dst)
+
+    if not src_path.exists():
+      raise FileNotFoundError(f"Source file does not exist: {src}")
+
+    dst_path.parent.mkdir(parents=True, exist_ok=True)
+
+    if dst_path.exists() and not overwrite:
+      raise FileExistsError(f"Destination already exists: {dst} (set overwrite=True to overwrite)")
+
+    shutil.move(str(src_path), str(dst_path))
+
+  def copy_file(self, src, dst, overwrite=True):
+    """
+    Copies a file from src to dst using shutil.
+
+    Args:
+      src (str or Path): Source file path.
+      dst (str or Path): Destination file path.
+      overwrite (bool): Whether to overwrite the destination if it exists.
+
+    Raises:
+      FileNotFoundError: If the source file doesn't exist.
+      FileExistsError: If the destination exists and overwrite is False.
+      IOError: If the copy operation fails.
+    """
+
+    src_path = Path(src)
+    dst_path = Path(dst)
+
+    if not src_path.is_file():
+      raise FileNotFoundError(f"Source file not found: {src_path}")
+
+    if dst_path.exists() and not overwrite:
+      raise FileExistsError(f"Destination exists: {dst_path}")
+
+    dst_path.parent.mkdir(parents=True, exist_ok=True)
+
+    shutil.copy2(src_path, dst_path)
+
+  def remove(self, path, recursive=False, wipe_contents=False, exclude=None):
+    """
+    Removes a file or directory with optional exclusion logic.
+
+    Args:
+      path (str or Path): The file or directory path to remove.
+      recursive (bool): If True, directories will be removed recursively.
+      wipe_contents (bool): If True and path is a directory, only its contents are removed, not the dir itself.
+      exclude (list[str], optional): List of filenames to exclude from deletion.
+
+    Raises:
+      FileNotFoundError: If the path does not exist.
+      ValueError: If a directory is passed without recursive or wipe_contents.
+    """
+
+
+    path = Path(path)
+    exclude = set(exclude or [])
+
+    if not path.exists():
+      raise FileNotFoundError(f"Cannot remove: {path} does not exist")
+
+    if wipe_contents and path.is_dir():
+      for child in path.iterdir():
+        if child.name in exclude:
+          continue
+        if child.is_dir():
+          shutil.rmtree(child)
+        else:
+          child.unlink()
+    elif path.is_file():
+      if path.name not in exclude:
+        path.unlink()
+    elif path.is_dir():
+      if recursive:
+        shutil.rmtree(path)
+      else:
+        raise ValueError(f"{path} is a directory. Use recursive=True or wipe_contents=True to remove it.")
+
+  def create_dir(self, path):
+    """
+    Creates a directory if it does not exist.
+
+    If the directory is missing, it will be created along with any necessary parent directories.
+
+    Args:
+      path (str or Path): The directory path to create.
+    """
+
+    dir_path = Path(path)
+    if not dir_path.exists():
+      print(f"Creating directory: {dir_path}")
+      dir_path.mkdir(parents=True, exist_ok=True)
+
+  def patch_exists(self, target_file, patch_file, reverse=False):
+    """
+    Checks whether a patch can be applied (or reversed) to a target file.
+
+    Args:
+        target_file (str): File to test the patch against.
+        patch_file (str): Patch file to apply.
+        reverse (bool): If True, checks whether the patch can be reversed.
+
+    Returns:
+        bool: True if patch is applicable, False otherwise.
+    """
+
+    cmd = ["patch", "-sfN", "--dry-run", target_file, "<", patch_file]
+    if reverse:
+      cmd.insert(1, "-R")
+    try:
+      result = subprocess.run(
+        " ".join(cmd),
+        shell=True,
+        stdout=subprocess.DEVNULL,
+        stderr=subprocess.DEVNULL
+      )
+      return result.returncode == 0
+    except Exception as e:
+      print(f"Patch dry-run failed: {e}")
+      return False
+
+  def apply_patch(self, target_file, patch_file, reverse=False):
+    """
+    Applies a patch file to a target file.
+
+    Args:
+        target_file (str): File to be patched.
+        patch_file (str): Patch file containing the diff.
+        reverse (bool): If True, applies the patch in reverse (rollback).
+
+    Logs:
+        Success or failure of the patching operation.
+    """
+
+    cmd = ["patch", target_file, "<", patch_file]
+    if reverse:
+      cmd.insert(0, "-R")
+    try:
+      subprocess.run(" ".join(cmd), shell=True, check=True)
+      print(f"Applied patch {'(reverse)' if reverse else ''} to {target_file}")
+    except subprocess.CalledProcessError as e:
+      print(f"Patch failed: {e}")
+
+  def isYes(self, value):
+    """
+    Determines whether a given string represents a "yes"-like value.
+
+    Args:
+        value (str): Input string to evaluate.
+
+    Returns:
+        bool: True if value is "yes" or "y" (case-insensitive), otherwise False.
+    """
+    return value.lower() in ["yes", "y"]
+
+  def is_port_open(self, host, port):
+    """
+    Checks whether a TCP port is open on a given host.
+
+    Args:
+        host (str): The hostname or IP address to check.
+        port (int): The TCP port number to test.
+
+    Returns:
+        bool: True if the port is open and accepting connections, False otherwise.
+    """
+
+    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
+      sock.settimeout(1)
+      result = sock.connect_ex((host, port))
+      return result == 0
+
+  def resolve_docker_dns_record(self, hostname, record_type="A"):
+    """
+    Resolves DNS A or AAAA records for a given hostname.
+
+    Args:
+        hostname (str): The domain to query.
+        record_type (str): "A" for IPv4, "AAAA" for IPv6. Default is "A".
+
+    Returns:
+        list[str]: A list of resolved IP addresses.
+
+    Raises:
+        Exception: If resolution fails or no results are found.
+    """
+
+    try:
+      resolver = dns.resolver.Resolver()
+      resolver.nameservers = ["127.0.0.11"]
+      answers = resolver.resolve(hostname, record_type)
+      return [answer.to_text() for answer in answers]
+    except Exception as e:
+      raise Exception(f"Failed to resolve {record_type} record for {hostname}: {e}")
+
+  def kill_proc(self, process_name):
+    """
+    Sends SIGTERM to all running processes matching the given name.
+
+    Args:
+      process_name (str): Name of the process to terminate.
+
+    Returns:
+      int: Number of processes successfully signaled.
+    """
+
+    killed = 0
+    for proc in psutil.process_iter(['name']):
+      try:
+        if proc.info['name'] == process_name:
+          proc.send_signal(signal.SIGTERM)
+          killed += 1
+      except (psutil.NoSuchProcess, psutil.AccessDenied):
+        continue
+    return killed
+
+  def connect_mysql(self, socket=None):
+    """
+    Establishes a connection to the MySQL database using the provided configuration.
+
+    Continuously retries the connection until the database is reachable. Stores
+    the connection in `self.mysql_conn` once successful.
+
+    Logs:
+        Connection status and retry errors to stdout.
+
+    Args:
+      socket (str, optional): Custom UNIX socket path to override the default.
+    """
+
+    print("Connecting to MySQL...")
+    config = {
+      "host": self.db_config['host'],
+      "user": self.db_config['user'],
+      "password": self.db_config['password'],
+      "database": self.db_config['database'],
+      'connection_timeout': self.db_config['connection_timeout']
+    }
+    if self.db_config['unix_socket']:
+      config["unix_socket"] = socket or self.db_config['unix_socket']
+
+    while True:
+      try:
+        self.mysql_conn = mysql.connector.connect(**config)
+        if self.mysql_conn.is_connected():
+          print("MySQL is up and ready!")
+          break
+      except mysql.connector.Error as e:
+        print(f"Waiting for MySQL... ({e})")
+        time.sleep(2)
+
+  def close_mysql(self):
+    """
+    Closes the MySQL connection if it's currently open and connected.
+
+    Safe to call even if the connection has already been closed.
+    """
+
+    if self.mysql_conn and self.mysql_conn.is_connected():
+      self.mysql_conn.close()
+
+  def connect_redis(self, max_retries=10, delay=2):
+    """
+    Connects to both read and write Redis servers and stores the connections.
+
+    Read server: tries indefinitely until successful.
+    Write server: tries up to `max_retries` before giving up.
+
+    Sets:
+      self.redis_connr: Redis client for read
+      self.redis_connw: Redis client for write
+    """
+
+    use_rw = self.redis_config['read_host'] == self.redis_config['write_host'] and self.redis_config['read_port'] == self.redis_config['write_port']
+
+    if use_rw:
+      print("Connecting to Redis read server...")
+    else:
+      print("Connecting to Redis server...")
+
+    while True:
+      try:
+        clientr = redis.Redis(
+          host=self.redis_config['read_host'],
+          port=self.redis_config['read_port'],
+          password=self.redis_config['password'],
+          db=self.redis_config['db'],
+          decode_responses=True
+        )
+        if clientr.ping():
+          self.redis_connr = clientr
+          print("Redis read server is up and ready!")
+          if use_rw:
+            break
+          else:
+            self.redis_connw = clientr
+            return
+      except redis.RedisError as e:
+        print(f"Waiting for Redis read... ({e})")
+        time.sleep(delay)
+
+
+    print("Connecting to Redis write server...")
+    for attempt in range(max_retries):
+      try:
+        clientw = redis.Redis(
+          host=self.redis_config['write_host'],
+          port=self.redis_config['write_port'],
+          password=self.redis_config['password'],
+          db=self.redis_config['db'],
+          decode_responses=True
+        )
+        if clientw.ping():
+          self.redis_connw = clientw
+          print("Redis write server is up and ready!")
+          return
+      except redis.RedisError as e:
+        print(f"Waiting for Redis write... (attempt {attempt + 1}/{max_retries}) ({e})")
+        time.sleep(delay)
+    print("Redis write server is unreachable.")
+
+  def close_redis(self):
+    """
+    Closes the Redis read/write connections if open.
+    """
+
+    if self.redis_connr:
+      try:
+        self.redis_connr.close()
+      except Exception as e:
+        print(f"Error while closing Redis read connection: {e}")
+      finally:
+        self.redis_connr = None
+
+    if self.redis_connw:
+      try:
+        self.redis_connw.close()
+      except Exception as e:
+        print(f"Error while closing Redis write connection: {e}")
+      finally:
+        self.redis_connw = None
+
+  def wait_for_schema_update(self, init_file_path="init_db.inc.php", check_interval=5):
+    """
+    Waits until the current database schema version matches the expected version
+    defined in a PHP initialization file.
+
+    Compares the `version` value in the `versions` table for `application = 'db_schema'`
+    with the `$db_version` value extracted from the specified PHP file.
+
+    Args:
+        init_file_path (str): Path to the PHP file containing the expected version string.
+        check_interval (int): Time in seconds to wait between version checks.
+
+    Logs:
+        Current vs. expected schema versions until they match.
+    """
+
+    print("Checking database schema version...")
+
+    while True:
+      current_version = self._get_current_db_version()
+      expected_version = self._get_expected_schema_version(init_file_path)
+
+      if current_version == expected_version:
+        print(f"DB schema is up to date: {current_version}")
+        break
+
+      print(f"Waiting for schema update... (DB: {current_version}, Expected: {expected_version})")
+      time.sleep(check_interval)
+
+  def wait_for_host(self, host, retry_interval=1.0, count=1):
+    """
+    Waits for a host to respond to ICMP ping.
+
+    Args:
+      host (str): Hostname or IP to ping.
+      retry_interval (float): Seconds to wait between pings.
+      count (int): Number of ping packets to send per check (default 1).
+    """
+    while True:
+      try:
+        result = subprocess.run(
+          ["ping", "-c", str(count), host],
+          stdout=subprocess.DEVNULL,
+          stderr=subprocess.DEVNULL
+        )
+        if result.returncode == 0:
+          print(f"{host} is reachable via ping.")
+          break
+      except Exception:
+        pass
+      print(f"Waiting for {host}...")
+      time.sleep(retry_interval)
+
+  def wait_for_dns(self, domain, retry_interval=1, timeout=30):
+    """
+    Waits until the domain resolves via DNS using pure Python (socket).
+
+    Args:
+      domain (str): The domain to resolve.
+      retry_interval (int): Time (seconds) to wait between attempts.
+      timeout (int): Maximum total wait time (seconds).
+
+    Returns:
+      bool: True if resolved, False if timed out.
+    """
+
+    start = time.time()
+    while True:
+      try:
+        socket.gethostbyname(domain)
+        print(f"{domain} is resolving via DNS.")
+        return True
+      except socket.gaierror:
+        pass
+
+      if time.time() - start > timeout:
+        print(f"DNS resolution for {domain} timed out.")
+        return False
+
+      print(f"Waiting for DNS for {domain}...")
+      time.sleep(retry_interval)
+
+  def _get_current_db_version(self):
+    """
+    Fetches the current schema version from the database.
+
+    Executes a SELECT query on the `versions` table where `application = 'db_schema'`.
+
+    Returns:
+        str or None: The current schema version as a string, or None if not found or on error.
+
+    Logs:
+        Error message if the query fails.
+    """
+
+    try:
+      cursor = self.mysql_conn.cursor()
+      cursor.execute("SELECT version FROM versions WHERE application = 'db_schema'")
+      result = cursor.fetchone()
+      cursor.close()
+      return result[0] if result else None
+    except Exception as e:
+      print(f"Error fetching current DB schema version: {e}")
+      return None
+
+  def _get_expected_schema_version(self, filepath):
+    """
+    Extracts the expected database schema version from a PHP initialization file.
+
+    Looks for a line in the form of: `$db_version = "..."` and extracts the version string.
+
+    Args:
+        filepath (str): Path to the PHP file containing the `$db_version` definition.
+
+    Returns:
+        str or None: The extracted version string, or None if not found or on error.
+
+    Logs:
+        Error message if the file cannot be read or parsed.
+    """
+
+    try:
+      with open(filepath, "r") as f:
+        content = f.read()
+        match = re.search(r'\$db_version\s*=\s*"([^"]+)"', content)
+        if match:
+          return match.group(1)
+    except Exception as e:
+      print(f"Error reading expected schema version from {filepath}: {e}")
+    return None
+
+  def rand_pass(self, length=22):
+    """
+    Generates a secure random password using allowed characters.
+
+    Allowed characters include upper/lowercase letters, digits, underscores, and hyphens.
+
+    Args:
+        length (int): Length of the password to generate. Default is 22.
+
+    Returns:
+        str: A securely generated random password string.
+    """
+
+    allowed_chars = string.ascii_letters + string.digits + "_-"
+    return ''.join(secrets.choice(allowed_chars) for _ in range(length))
+
+  def run_command(self, command, check=True, shell=False, input_stream=None, log_output=True):
+    """
+    Executes a shell command and optionally logs output.
+
+    Args:
+      command (str or list): Command to run.
+      check (bool): Raise if non-zero exit.
+      shell (bool): Run in shell.
+      input_stream: stdin stream.
+      log_output (bool): If True, print output.
+
+    Returns:
+      subprocess.CompletedProcess
+    """
+    try:
+      result = subprocess.run(
+        command,
+        shell=shell,
+        check=check,
+        stdin=input_stream,
+        stdout=subprocess.PIPE,
+        stderr=subprocess.PIPE,
+        text=True
+      )
+      if log_output:
+        if result.stdout:
+          print(result.stdout.strip())
+        if result.stderr:
+          print(result.stderr.strip())
+      return result
+    except subprocess.CalledProcessError as e:
+      print(f"Command failed with exit code {e.returncode}: {e.cmd}")
+      print(e.stderr.strip())
+      if check:
+        raise
+      return e
+
+  def sha1_filter(self, value):
+    return hashlib.sha1(value.encode()).hexdigest()
+
+  def urlencode_filter(self, value):
+    return quote(value, safe='')
+
+  def escape_quotes_filter(self, value):
+    return value.replace('"', r'\"')

data/Dockerfiles/bootstrap/modules/BootstrapClamd.py

@@ -0,0 +1,60 @@
+from jinja2 import Environment, FileSystemLoader
+from modules.BootstrapBase import BootstrapBase
+from pathlib import Path
+import os
+import sys
+import time
+
+class BootstrapClamd(BootstrapBase):
+  def bootstrap(self):
+    # Skip Clamd if set
+    if self.isYes(os.getenv("SKIP_CLAMD", "")):
+      print("SKIP_CLAMD is set, skipping ClamAV startup...")
+      time.sleep(365 * 24 * 60 * 60)
+      sys.exit(1)
+
+    # Connect to MySQL
+    self.connect_mysql()
+
+    print("Cleaning up tmp files...")
+    tmp_files = Path("/var/lib/clamav").glob("clamav-*.tmp")
+    for tmp_file in tmp_files:
+      try:
+        self.remove(tmp_file)
+        print(f"Removed: {tmp_file}")
+      except Exception as e:
+        print(f"Failed to remove {tmp_file}: {e}")
+
+    self.create_dir("/run/clamav")
+    self.create_dir("/var/lib/clamav")
+
+    # Setup Jinja2 Environment and load vars
+    self.env = Environment(
+      loader=FileSystemLoader([
+        '/service_config/custom_templates',
+        '/service_config/config_templates'
+      ]),
+      keep_trailing_newline=True,
+      lstrip_blocks=True,
+      trim_blocks=True
+    )
+    extra_vars = {
+    }
+    self.env_vars = self.prepare_template_vars('/service_config/overwrites.json', extra_vars)
+
+    print("Set Timezone")
+    self.set_timezone()
+
+    print("Render config")
+    self.render_config("/service_config")
+
+    # Fix permissions
+    self.set_owner("/var/lib/clamav", "clamav", "clamav", recursive=True)
+    self.set_owner("/run/clamav", "clamav", "clamav", recursive=True)
+    self.set_permissions("/var/lib/clamav", 0o755)
+    for item in Path("/var/lib/clamav").glob("*"):
+      self.set_permissions(item, 0o644)
+    self.set_permissions("/run/clamav", 0o750)
+
+    # Copying to /etc/clamav to expose file as-is to administrator
+    self.copy_file("/var/lib/clamav/whitelist.ign2", "/etc/clamav/whitelist.ign2")

data/Dockerfiles/bootstrap/modules/BootstrapDovecot.py

@@ -0,0 +1,289 @@
+from jinja2 import Environment, FileSystemLoader
+from modules.BootstrapBase import BootstrapBase
+from pathlib import Path
+import os
+import pwd
+import hashlib
+
+class BootstrapDovecot(BootstrapBase):
+  def bootstrap(self):
+    # Connect to MySQL
+    self.connect_mysql()
+    self.wait_for_schema_update()
+
+    # Connect to Redis
+    self.connect_redis()
+    if self.redis_connw:
+      self.redis_connw.set("DOVECOT_REPL_HEALTH", 1)
+
+    # Wait for DNS
+    self.wait_for_dns("mailcow.email")
+
+    # Create missing directories
+    self.create_dir("/etc/dovecot/sql/")
+    self.create_dir("/etc/dovecot/auth/")
+    self.create_dir("/var/vmail/_garbage")
+    self.create_dir("/var/vmail/sieve")
+    self.create_dir("/etc/sogo")
+    self.create_dir("/var/volatile")
+
+    # Setup Jinja2 Environment and load vars
+    self.env = Environment(
+      loader=FileSystemLoader([
+        '/service_config/custom_templates',
+        '/service_config/config_templates'
+      ]),
+      keep_trailing_newline=True,
+      lstrip_blocks=True,
+      trim_blocks=True
+    )
+    extra_vars = {
+      "VALID_CERT_DIRS": self.get_valid_cert_dirs(),
+      "RAND_USER": self.rand_pass(),
+      "RAND_PASS": self.rand_pass(),
+      "RAND_PASS2": self.rand_pass(),
+      "ENV_VARS": dict(os.environ)
+    }
+    self.env_vars = self.prepare_template_vars('/service_config/overwrites.json', extra_vars)
+
+    print("Set Timezone")
+    self.set_timezone()
+
+    print("Render config")
+    self.render_config("/service_config")
+
+    files = [
+      "/etc/dovecot/mail_plugins",
+      "/etc/dovecot/mail_plugins_imap",
+      "/etc/dovecot/mail_plugins_lmtp",
+      "/templates/quarantine.tpl"
+    ]
+    for file in files:
+      self.set_permissions(file, 0o644)
+
+    try:
+      # Migrate old sieve_after file
+      self.move_file("/etc/dovecot/sieve_after", "/var/vmail/sieve/global_sieve_after.sieve")
+    except Exception as e:
+      pass
+    try:
+      # Cleanup random user maildirs
+      self.remove("/var/vmail/mailcow.local", wipe_contents=True)
+    except Exception as e:
+      pass
+    try:
+      # Cleanup PIDs
+      self.remove("/tmp/quarantine_notify.pid")
+    except Exception as e:
+      pass
+    try:
+      self.remove("/var/run/dovecot/master.pid")
+    except Exception as e:
+      pass
+
+    # Check permissions of vmail/index/garbage directories.
+    # Do not do this every start-up, it may take a very long time. So we use a stat check here.
+    files = [
+      "/var/vmail",
+      "/var/vmail/_garbage",
+      "/var/vmail_index"
+    ]
+    for file in files:
+      path = Path(file)
+      try:
+        stat_info = path.stat()
+        current_user = pwd.getpwuid(stat_info.st_uid).pw_name
+
+        if current_user != "vmail":
+          print(f"Ownership of {path} is {current_user}, fixing to vmail:vmail...")
+          self.set_owner(path, user="vmail", group="vmail", recursive=True)
+        else:
+          print(f"Ownership of {path} is already correct (vmail)")
+      except Exception as e:
+          print(f"Error checking ownership of {path}: {e}")
+
+    # Compile sieve scripts
+    files = [
+      "/var/vmail/sieve/global_sieve_before.sieve",
+      "/var/vmail/sieve/global_sieve_after.sieve",
+      "/usr/lib/dovecot/sieve/report-spam.sieve",
+      "/usr/lib/dovecot/sieve/report-ham.sieve",
+    ]
+    for file in files:
+      self.run_command(["sievec", file], check=False)
+
+    # Fix permissions
+    for path in Path("/etc/dovecot/sql").glob("*.conf"):
+      self.set_owner(path, "root", "root")
+      self.set_permissions(path, 0o640)
+
+    files = [
+      "/etc/dovecot/auth/passwd-verify.lua",
+      *Path("/etc/dovecot/sql").glob("dovecot-dict-sql-sieve*"),
+      *Path("/etc/dovecot/sql").glob("dovecot-dict-sql-quota*")
+    ]
+    for file in files:
+      self.set_owner(file, "root", "dovecot")
+
+    self.set_permissions("/etc/dovecot/auth/passwd-verify.lua", 0o640)
+
+    for file in ["/var/vmail/sieve", "/var/volatile", "/var/vmail_index"]:
+      self.set_owner(file, "vmail", "vmail", recursive=True)
+
+    self.run_command(["adduser", "vmail", "tty"])
+    self.run_command(["chmod", "g+rw", "/dev/console"])
+    self.set_owner("/dev/console", "root", "tty")
+    files = [
+      "/usr/lib/dovecot/sieve/rspamd-pipe-ham",
+      "/usr/lib/dovecot/sieve/rspamd-pipe-spam",
+      "/usr/local/bin/imapsync_runner.pl",
+      "/usr/local/bin/imapsync",
+      "/usr/local/bin/trim_logs.sh",
+      "/usr/local/bin/sa-rules.sh",
+      "/usr/local/bin/clean_q_aged.sh",
+      "/usr/local/bin/maildir_gc.sh",
+      "/usr/local/sbin/stop-supervisor.sh",
+      "/usr/local/bin/quota_notify.py",
+      "/usr/local/bin/repl_health.sh",
+      "/usr/local/bin/optimize-fts.sh"
+    ]
+    for file in files:
+      self.set_permissions(file, 0o755)
+
+    # Collect SA rules once now
+    self.run_command(["/usr/local/bin/sa-rules.sh"], check=False)
+
+    self.generate_mail_crypt_keys()
+    self.cleanup_imapsync_jobs()
+    self.generate_guid_version()
+
+  def get_valid_cert_dirs(self):
+    """
+    Returns a mapping of domains to their certificate directory path.
+
+    Example:
+        {
+            "example.com": "/etc/ssl/mail/example.com/",
+            "www.example.com": "/etc/ssl/mail/example.com/"
+        }
+    """
+    sni_map = {}
+    base_path = Path("/etc/ssl/mail")
+    if not base_path.exists():
+      return sni_map
+
+    for cert_dir in base_path.iterdir():
+      if not cert_dir.is_dir():
+        continue
+
+      domains_file = cert_dir / "domains"
+      cert_file = cert_dir / "cert.pem"
+      key_file = cert_dir / "key.pem"
+
+      if not (domains_file.exists() and cert_file.exists() and key_file.exists()):
+        continue
+
+      with open(domains_file, "r") as f:
+        domains = [line.strip() for line in f if line.strip()]
+        for domain in domains:
+          sni_map[domain] = str(cert_dir)
+
+    return sni_map
+
+  def generate_mail_crypt_keys(self):
+    """
+    Ensures mail_crypt EC keypair exists. Generates if missing. Adjusts permissions.
+    """
+
+    key_dir = Path("/mail_crypt")
+    priv_key = key_dir / "ecprivkey.pem"
+    pub_key = key_dir / "ecpubkey.pem"
+
+    # Generate keys if they don't exist or are empty
+    if not priv_key.exists() or priv_key.stat().st_size == 0 or \
+      not pub_key.exists() or pub_key.stat().st_size == 0:
+      self.run_command(
+        "openssl ecparam -name prime256v1 -genkey | openssl pkey -out /mail_crypt/ecprivkey.pem",
+        shell=True
+      )
+      self.run_command(
+        "openssl pkey -in /mail_crypt/ecprivkey.pem -pubout -out /mail_crypt/ecpubkey.pem",
+        shell=True
+      )
+
+    # Set ownership to UID 401 (dovecot)
+    self.set_owner(priv_key, user='401')
+    self.set_owner(pub_key, user='401')
+
+  def cleanup_imapsync_jobs(self):
+    """
+    Cleans up stale imapsync locks and resets running status in the database.
+
+    Deletes the imapsync_busy.lock file if present and sets `is_running` to 0
+    in the `imapsync` table, if it exists.
+
+    Logs:
+      Any issues with file operations or SQL execution.
+    """
+
+    lock_file = Path("/tmp/imapsync_busy.lock")
+    if lock_file.exists():
+      try:
+        lock_file.unlink()
+      except Exception as e:
+        print(f"Failed to remove lock file: {e}")
+
+    try:
+      cursor = self.mysql_conn.cursor()
+      cursor.execute("SHOW TABLES LIKE 'imapsync'")
+      result = cursor.fetchone()
+      if result:
+        cursor.execute("UPDATE imapsync SET is_running='0'")
+        self.mysql_conn.commit()
+      cursor.close()
+    except Exception as e:
+      print(f"Error updating imapsync table: {e}")
+
+  def generate_guid_version(self):
+    """
+    Waits for the `versions` table to be created, then generates a GUID
+    based on the mail hostname and Dovecot's public key and inserts it
+    into the `versions` table.
+
+    If the key or hash is missing or malformed, marks it as INVALID.
+    """
+
+    try:
+      result = self.run_command(["doveconf", "-P"], check=True, log_output=False)
+      pubkey_path = None
+      for line in result.stdout.splitlines():
+        if "mail_crypt_global_public_key" in line:
+          parts = line.split('<')
+          if len(parts) > 1:
+            pubkey_path = parts[1].strip()
+            break
+
+      if pubkey_path and Path(pubkey_path).exists():
+        with open(pubkey_path, "rb") as key_file:
+          pubkey_data = key_file.read()
+
+        hostname = self.env_vars.get("MAILCOW_HOSTNAME", "mailcow.local").encode("utf-8")
+        concat = hostname + pubkey_data
+        guid = hashlib.sha256(concat).hexdigest()
+
+        if len(guid) == 64:
+          version_value = guid
+        else:
+          version_value = "INVALID"
+
+        cursor = self.mysql_conn.cursor()
+        cursor.execute(
+          "REPLACE INTO versions (application, version) VALUES (%s, %s)",
+          ("GUID", version_value)
+        )
+        self.mysql_conn.commit()
+        cursor.close()
+      else:
+        print("Public key not found or unreadable. GUID not generated.")
+    except Exception as e:
+      print(f"Failed to generate or store GUID: {e}")

data/Dockerfiles/bootstrap/modules/BootstrapMysql.py

@@ -0,0 +1,163 @@
+from jinja2 import Environment, FileSystemLoader
+from modules.BootstrapBase import BootstrapBase
+import os
+import time
+import subprocess
+
+class BootstrapMysql(BootstrapBase):
+  def bootstrap(self):
+    dbuser = "root"
+    dbpass = os.getenv("MYSQL_ROOT_PASSWORD", "")
+    socket = "/tmp/mysql-temp.sock"
+
+    # Check if mysql has been initialized
+    if os.path.exists("/var/lib/mysql/mysql/db.frm"):
+      print("Starting temporary mysqld for upgrade...")
+      self.start_temporary(socket)
+
+      self.connect_mysql(socket)
+
+      print("Running mysql_upgrade...")
+      self.upgrade_mysql(dbuser, dbpass, socket)
+      print("Checking timezone support with CONVERT_TZ...")
+      self.check_and_import_timezone_support(dbuser, dbpass, socket)
+
+      print("Shutting down temporary mysqld...")
+      self.close_mysql()
+      self.stop_temporary(dbuser, dbpass, socket)
+
+
+    # Setup Jinja2 Environment and load vars
+    self.env = Environment(
+      loader=FileSystemLoader([
+        '/service_config/custom_templates',
+        '/service_config/config_templates'
+      ]),
+      keep_trailing_newline=True,
+      lstrip_blocks=True,
+      trim_blocks=True
+    )
+    extra_vars = {
+    }
+    self.env_vars = self.prepare_template_vars('/service_config/overwrites.json', extra_vars)
+
+    print("Set Timezone")
+    self.set_timezone()
+
+    print("Render config")
+    self.render_config("/service_config")
+
+  def start_temporary(self, socket):
+    """
+    Starts a temporary mysqld process in the background using the given UNIX socket.
+
+    The server is started with networking disabled (--skip-networking).
+
+    Args:
+      socket (str): Path to the UNIX socket file for MySQL to listen on.
+
+    Returns:
+      subprocess.Popen: The running mysqld process object.
+    """
+
+    return subprocess.Popen([
+      "mysqld",
+      "--user=mysql",
+      "--skip-networking",
+      f"--socket={socket}"
+    ])
+
+  def stop_temporary(self, dbuser, dbpass, socket):
+    """
+    Shuts down the temporary mysqld instance gracefully.
+
+    Uses mariadb-admin to issue a shutdown command to the running server.
+
+    Args:
+      dbuser (str): The MySQL username with shutdown privileges (typically 'root').
+      dbpass (str): The password for the MySQL user.
+      socket (str): Path to the UNIX socket the server is listening on.
+    """
+
+    self.run_command([
+      "mariadb-admin",
+      "shutdown",
+      f"--socket={socket}",
+      "-u", dbuser,
+      f"-p{dbpass}"
+    ])
+
+  def upgrade_mysql(self, dbuser, dbpass, socket, max_retries=5, wait_interval=3):
+    """
+    Executes mysql_upgrade to check and fix any schema or table incompatibilities.
+
+    Retries the upgrade command if it fails, up to a maximum number of attempts.
+
+    Args:
+      dbuser (str): MySQL username with privilege to perform the upgrade.
+      dbpass (str): Password for the MySQL user.
+      socket (str): Path to the MySQL UNIX socket for local communication.
+      max_retries (int): Maximum number of attempts before giving up. Default is 5.
+      wait_interval (int): Number of seconds to wait between retries. Default is 3.
+
+    Returns:
+      bool: True if upgrade succeeded, False if all attempts failed.
+    """
+
+    retries = 0
+    while retries < max_retries:
+      result = self.run_command([
+        "mysql_upgrade",
+        "-u", dbuser,
+        f"-p{dbpass}",
+        f"--socket={socket}"
+      ], check=False)
+
+      if result.returncode == 0:
+        print("mysql_upgrade completed successfully.")
+        break
+      else:
+        print(f"mysql_upgrade failed (try {retries+1}/{max_retries})")
+        retries += 1
+        time.sleep(wait_interval)
+    else:
+      print("mysql_upgrade failed after all retries.")
+      return False
+
+  def check_and_import_timezone_support(self, dbuser, dbpass, socket):
+    """
+    Checks if MySQL supports timezone conversion (CONVERT_TZ).
+    If not, it imports timezone info using mysql_tzinfo_to_sql piped into mariadb.
+    """
+
+    try:
+      cursor = self.mysql_conn.cursor()
+      cursor.execute("SELECT CONVERT_TZ('2019-11-02 23:33:00','Europe/Berlin','UTC')")
+      result = cursor.fetchone()
+      cursor.close()
+
+      if not result or result[0] is None:
+        print("Timezone conversion failed or returned NULL. Importing timezone info...")
+
+        # Use mysql_tzinfo_to_sql piped into mariadb
+        tz_dump = subprocess.Popen(
+          ["mysql_tzinfo_to_sql", "/usr/share/zoneinfo"],
+          stdout=subprocess.PIPE
+        )
+
+        self.run_command([
+          "mariadb",
+          "--socket", socket,
+          "-u", dbuser,
+          f"-p{dbpass}",
+          "mysql"
+        ], input_stream=tz_dump.stdout)
+
+        tz_dump.stdout.close()
+        tz_dump.wait()
+
+        print("Timezone info successfully imported.")
+      else:
+        print(f"Timezone support is working. Sample result: {result[0]}")
+    except Exception as e:
+      print(f"Failed to verify or import timezone info: {e}")

data/Dockerfiles/bootstrap/modules/BootstrapNginx.py

@@ -0,0 +1,65 @@
+from jinja2 import Environment, FileSystemLoader
+from modules.BootstrapBase import BootstrapBase
+import os
+
+class BootstrapNginx(BootstrapBase):
+  def bootstrap(self):
+    # Connect to MySQL
+    self.connect_mysql()
+
+    # wait for Hosts
+    php_service = os.getenv("PHPFPM_HOST") or "php-fpm-mailcow"
+    rspamd_service = os.getenv("RSPAMD_HOST") or "rspamd-mailcow"
+    sogo_service = os.getenv("SOGO_HOST")
+    self.wait_for_host(php_service)
+    if not self.isYes(os.getenv("SKIP_RSPAMD", False)):
+      self.wait_for_host(rspamd_service)
+    if not self.isYes(os.getenv("SKIP_SOGO", False)):
+      self.wait_for_host(sogo_service)
+
+    # Setup Jinja2 Environment and load vars
+    self.env = Environment(
+      loader=FileSystemLoader([
+        '/service_config/custom_templates',
+        '/service_config/config_templates'
+      ]),
+      keep_trailing_newline=True,
+      lstrip_blocks=True,
+      trim_blocks=True
+    )
+    extra_vars = {
+      "VALID_CERT_DIRS": self.get_valid_cert_dirs(),
+      'TRUSTED_PROXIES': [item.strip() for item in os.getenv("TRUSTED_PROXIES", "").split(",") if item.strip()],
+      'ADDITIONAL_SERVER_NAMES': [item.strip() for item in os.getenv("ADDITIONAL_SERVER_NAMES", "").split(",") if item.strip()],
+    }
+    self.env_vars = self.prepare_template_vars('/service_config/overwrites.json', extra_vars)
+
+    print("Set Timezone")
+    self.set_timezone()
+
+    print("Render config")
+    self.render_config("/service_config")
+
+  def get_valid_cert_dirs(self):
+    ssl_dir = '/etc/ssl/mail/'
+    valid_cert_dirs = []
+    for d in os.listdir(ssl_dir):
+      full_path = os.path.join(ssl_dir, d)
+      if not os.path.isdir(full_path):
+        continue
+
+      cert_path = os.path.join(full_path, 'cert.pem')
+      key_path = os.path.join(full_path, 'key.pem')
+      domains_path = os.path.join(full_path, 'domains')
+
+      if os.path.isfile(cert_path) and os.path.isfile(key_path) and os.path.isfile(domains_path):
+        with open(domains_path, 'r') as file:
+          domains = file.read().strip()
+        domains_list = domains.split()
+        if domains_list and os.getenv("MAILCOW_HOSTNAME", "") not in domains_list:
+          valid_cert_dirs.append({
+            'cert_path': full_path + '/',
+            'domains': domains
+          })
+
+    return valid_cert_dirs

data/Dockerfiles/bootstrap/modules/BootstrapPhpfpm.py

@@ -0,0 +1,202 @@
+from jinja2 import Environment, FileSystemLoader
+from modules.BootstrapBase import BootstrapBase
+import os
+import ipaddress
+
+class BootstrapPhpfpm(BootstrapBase):
+  def bootstrap(self):
+    self.connect_mysql()
+    self.connect_redis()
+
+    # Setup Jinja2 Environment and load vars
+    self.env = Environment(
+      loader=FileSystemLoader([
+        '/service_config/custom_templates',
+        '/service_config/config_templates'
+      ]),
+      keep_trailing_newline=True,
+      lstrip_blocks=True,
+      trim_blocks=True
+    )
+    extra_vars = {
+    }
+    self.env_vars = self.prepare_template_vars('/service_config/overwrites.json', extra_vars)
+
+    print("Set Timezone")
+    self.set_timezone()
+
+    # Prepare Redis and MySQL Database
+    # TODO: move to dockerapi
+    if self.isYes(os.getenv("MASTER", "")):
+      print("We are master, preparing...")
+      self.prepare_redis()
+      self.setup_apikeys(
+        os.getenv("API_ALLOW_FROM", "").strip(),
+        os.getenv("API_KEY", "").strip(),
+        os.getenv("API_KEY_READ_ONLY", "").strip()
+      )
+      self.setup_mysql_events()
+
+
+    print("Render config")
+    self.render_config("/service_config")
+
+    self.copy_file("/usr/local/etc/php/conf.d/opcache-recommended.ini", "/php-conf/opcache-recommended.ini")
+    self.copy_file("/usr/local/etc/php-fpm.d/z-pools.conf", "/php-conf/pools.conf")
+    self.copy_file("/usr/local/etc/php/conf.d/zzz-other.ini", "/php-conf/other.ini")
+    self.copy_file("/usr/local/etc/php/conf.d/upload.ini", "/php-conf/upload.ini")
+    self.copy_file("/usr/local/etc/php/conf.d/session_store.ini", "/php-conf/session_store.ini")
+
+    self.set_owner("/global_sieve", 82, 82, recursive=True)
+    self.set_owner("/web/templates/cache", 82, 82, recursive=True)
+    self.remove("/web/templates/cache", wipe_contents=True, exclude=[".gitkeep"])
+
+    print("Running DB init...")
+    self.run_command(["php", "-c", "/usr/local/etc/php", "-f", "/web/inc/init_db.inc.php"], check=False)
+
+  def prepare_redis(self):
+    print("Setting default Redis keys if missing...")
+
+    # Q_RELEASE_FORMAT
+    if self.redis_connw and self.redis_connr.get("Q_RELEASE_FORMAT") is None:
+        self.redis_connw.set("Q_RELEASE_FORMAT", "raw")
+
+    # Q_MAX_AGE
+    if self.redis_connw and self.redis_connr.get("Q_MAX_AGE") is None:
+      self.redis_connw.set("Q_MAX_AGE", 365)
+
+    # PASSWD_POLICY hash defaults
+    if self.redis_connw and self.redis_connr.hget("PASSWD_POLICY", "length") is None:
+      self.redis_connw.hset("PASSWD_POLICY", mapping={
+        "length": 6,
+        "chars": 0,
+        "special_chars": 0,
+        "lowerupper": 0,
+        "numbers": 0
+      })
+
+    # DOMAIN_MAP
+    print("Rebuilding DOMAIN_MAP from MySQL...")
+    if self.redis_connw:
+      self.redis_connw.delete("DOMAIN_MAP")
+    domains = set()
+    try:
+      cursor = self.mysql_conn.cursor()
+
+      cursor.execute("SELECT domain FROM domain")
+      domains.update(row[0] for row in cursor.fetchall())
+      cursor.execute("SELECT alias_domain FROM alias_domain")
+      domains.update(row[0] for row in cursor.fetchall())
+
+      cursor.close()
+
+      if domains:
+        for domain in domains:
+          if self.redis_connw:
+            self.redis_conn.hset("DOMAIN_MAP", domain, 1)
+        print(f"{len(domains)} domains added to DOMAIN_MAP.")
+      else:
+        print("No domains found to insert into DOMAIN_MAP.")
+    except Exception as e:
+      print(f"Failed to rebuild DOMAIN_MAP: {e}")
+
+  def setup_apikeys(self, api_allow_from, api_key_rw, api_key_ro):
+    if not api_allow_from or api_allow_from == "invalid":
+      return
+
+    print("Validating API_ALLOW_FROM IPs...")
+    ip_list = [ip.strip() for ip in api_allow_from.split(",")]
+    validated_ips = []
+
+    for ip in ip_list:
+      try:
+        ipaddress.ip_network(ip, strict=False)
+        validated_ips.append(ip)
+      except ValueError:
+        continue
+    if not validated_ips:
+      print("No valid IPs found in API_ALLOW_FROM")
+      return
+
+    allow_from_str = ",".join(validated_ips)
+    cursor = self.mysql_conn.cursor()
+    try:
+      if api_key_rw and api_key_rw != "invalid":
+        print("Setting RW API key...")
+        cursor.execute("DELETE FROM api WHERE access = 'rw'")
+        cursor.execute(
+          "INSERT INTO api (api_key, active, allow_from, access) VALUES (%s, %s, %s, %s)",
+          (api_key_rw, 1, allow_from_str, "rw")
+        )
+
+      if api_key_ro and api_key_ro != "invalid":
+        print("Setting RO API key...")
+        cursor.execute("DELETE FROM api WHERE access = 'ro'")
+        cursor.execute(
+          "INSERT INTO api (api_key, active, allow_from, access) VALUES (%s, %s, %s, %s)",
+          (api_key_ro, 1, allow_from_str, "ro")
+        )
+
+      self.mysql_conn.commit()
+      print("API key(s) set successfully.")
+    except Exception as e:
+      print(f"Failed to configure API keys: {e}")
+      self.mysql_conn.rollback()
+    finally:
+      cursor.close()
+
+  def setup_mysql_events(self):
+    print("Creating scheduled MySQL EVENTS...")
+
+    queries = [
+      "DROP EVENT IF EXISTS clean_spamalias;",
+      """
+      CREATE EVENT clean_spamalias
+      ON SCHEDULE EVERY 1 DAY
+      DO
+      DELETE FROM spamalias WHERE validity < UNIX_TIMESTAMP();
+      """,
+      "DROP EVENT IF EXISTS clean_oauth2;",
+      """
+      CREATE EVENT clean_oauth2
+      ON SCHEDULE EVERY 1 DAY
+      DO
+      BEGIN
+        DELETE FROM oauth_refresh_tokens WHERE expires < NOW();
+        DELETE FROM oauth_access_tokens WHERE expires < NOW();
+        DELETE FROM oauth_authorization_codes WHERE expires < NOW();
+      END;
+      """,
+      "DROP EVENT IF EXISTS clean_sasl_log;",
+      """
+      CREATE EVENT clean_sasl_log
+      ON SCHEDULE EVERY 1 DAY
+      DO
+      BEGIN
+        DELETE sasl_log.* FROM sasl_log
+          LEFT JOIN (
+            SELECT username, service, MAX(datetime) AS lastdate
+            FROM sasl_log
+            GROUP BY username, service
+          ) AS last
+          ON sasl_log.username = last.username AND sasl_log.service = last.service
+          WHERE datetime < DATE_SUB(NOW(), INTERVAL 31 DAY)
+            AND datetime < lastdate;
+
+        DELETE FROM sasl_log
+          WHERE username NOT IN (SELECT username FROM mailbox)
+            AND datetime < DATE_SUB(NOW(), INTERVAL 31 DAY);
+      END;
+      """
+    ]
+
+    try:
+      cursor = self.mysql_conn.cursor()
+      for query in queries:
+        cursor.execute(query)
+      self.mysql_conn.commit()
+      cursor.close()
+      print("MySQL EVENTS created successfully.")
+    except Exception as e:
+      print(f"Failed to create MySQL EVENTS: {e}")
+      self.mysql_conn.rollback()

data/Dockerfiles/bootstrap/modules/BootstrapPostfix.py

@@ -0,0 +1,83 @@
+from jinja2 import Environment, FileSystemLoader
+from modules.BootstrapBase import BootstrapBase
+from pathlib import Path
+
+class BootstrapPostfix(BootstrapBase):
+  def bootstrap(self):
+    # Connect to MySQL
+    self.connect_mysql()
+
+    # Wait for DNS
+    self.wait_for_dns("mailcow.email")
+
+    self.create_dir("/opt/postfix/conf/sql/")
+
+    # Setup Jinja2 Environment and load vars
+    self.env = Environment(
+      loader=FileSystemLoader([
+        '/service_config/custom_templates',
+        '/service_config/config_templates'
+      ]),
+      keep_trailing_newline=True,
+      lstrip_blocks=True,
+      trim_blocks=True
+    )
+    extra_vars = {
+      "VALID_CERT_DIRS": self.get_valid_cert_dirs()
+    }
+    self.env_vars = self.prepare_template_vars('/service_config/overwrites.json', extra_vars)
+
+    print("Set Timezone")
+    self.set_timezone()
+
+    print("Set Syslog redis")
+    self.set_syslog_redis()
+
+    print("Render config")
+    self.render_config("/service_config")
+
+    # Create aliases DB
+    self.run_command(["newaliases"])
+
+    # Create SNI Config
+    self.run_command(["postmap", "-F", "hash:/opt/postfix/conf/sni.map"])
+
+    # Fix Postfix permissions
+    self.set_owner("/opt/postfix/conf/sql", user="root", group="postfix", recursive=True)
+    self.set_owner("/opt/postfix/conf/custom_transport.pcre", user="root", group="postfix")
+    for cf_file in Path("/opt/postfix/conf/sql").glob("*.cf"):
+      self.set_permissions(cf_file, 0o640)
+    self.set_permissions("/opt/postfix/conf/custom_transport.pcre", 0o640)
+    self.set_owner("/var/spool/postfix/public", user="root", group="postdrop", recursive=True)
+    self.set_owner("/var/spool/postfix/maildrop", user="root", group="postdrop", recursive=True)
+    self.run_command(["postfix", "set-permissions"], check=False)
+
+    # Checking if there is a leftover of a crashed postfix container before starting a new one
+    pid_file = Path("/var/spool/postfix/pid/master.pid")
+    if pid_file.exists():
+      print(f"Removing stale Postfix PID file: {pid_file}")
+      pid_file.unlink()
+
+  def get_valid_cert_dirs(self):
+    certs = {}
+    base_path = Path("/etc/ssl/mail")
+    if not base_path.exists():
+      return certs
+
+    for cert_dir in base_path.iterdir():
+      if not cert_dir.is_dir():
+        continue
+
+      domains_file = cert_dir / "domains"
+      cert_file = cert_dir / "cert.pem"
+      key_file = cert_dir / "key.pem"
+
+      if not (domains_file.exists() and cert_file.exists() and key_file.exists()):
+        continue
+
+      with open(domains_file, "r") as f:
+        domains = [line.strip() for line in f if line.strip()]
+        if domains:
+          certs[str(cert_dir)] = domains
+
+    return certs

data/Dockerfiles/bootstrap/modules/BootstrapRspamd.py

@@ -0,0 +1,132 @@
+from jinja2 import Environment, FileSystemLoader
+from modules.BootstrapBase import BootstrapBase
+from pathlib import Path
+import time
+import platform
+
+class BootstrapRspamd(BootstrapBase):
+  def bootstrap(self):
+    # Connect to MySQL
+    self.connect_mysql()
+
+    # Connect to MySQL
+    self.connect_redis()
+
+    # get dovecot ips
+    dovecot_v4 = []
+    dovecot_v6 = []
+    while not dovecot_v4 and not dovecot_v6:
+      try:
+        dovecot_v4 = self.resolve_docker_dns_record("dovecot-mailcow", "A")
+        dovecot_v6 = self.resolve_docker_dns_record("dovecot-mailcow", "AAAA")
+      except Exception as e:
+        print(e)
+      if not dovecot_v4 and not dovecot_v6:
+        print("Waiting for Dovecot IPs...")
+        time.sleep(3)
+
+    # get rspamd ips
+    rspamd_v4 = []
+    rspamd_v6 = []
+    while not rspamd_v4 and not rspamd_v6:
+      try:
+        rspamd_v4 = self.resolve_docker_dns_record("rspamd-mailcow", "A")
+        rspamd_v6 = self.resolve_docker_dns_record("rspamd-mailcow", "AAAA")
+      except Exception:
+        print(e)
+      if not rspamd_v4 and not rspamd_v6:
+        print("Waiting for Rspamd IPs...")
+        time.sleep(3)
+
+    # wait for Services
+    services = [
+      ["php-fpm-mailcow", 9001],
+      ["php-fpm-mailcow", 9002]
+    ]
+    for service in services:
+      while not self.is_port_open(service[0], service[1]):
+        print(f"Waiting for {service[0]} on port {service[1]}...")
+        time.sleep(1)
+      print(f"Service {service[0]} on port {service[1]} is ready!")
+
+    for dir_path in ["/etc/rspamd/plugins.d", "/etc/rspamd/custom"]:
+      Path(dir_path).mkdir(parents=True, exist_ok=True)
+    for file_path in ["/etc/rspamd/rspamd.conf.local", "/etc/rspamd/rspamd.conf.override"]:
+      Path(file_path).touch(exist_ok=True)
+    self.set_permissions("/var/lib/rspamd", 0o755)
+
+
+    # Setup Jinja2 Environment and load vars
+    self.env = Environment(
+      loader=FileSystemLoader([
+        '/service_config/custom_templates',
+        '/service_config/config_templates'
+      ]),
+      keep_trailing_newline=True,
+      lstrip_blocks=True,
+      trim_blocks=True
+    )
+    extra_vars = {
+      "DOVECOT_V4": dovecot_v4[0],
+      "DOVECOT_V6": dovecot_v6[0],
+      "RSPAMD_V4": rspamd_v4[0],
+      "RSPAMD_V6": rspamd_v6[0],
+    }
+    self.env_vars = self.prepare_template_vars('/service_config/overwrites.json', extra_vars)
+
+    print("Set Timezone")
+    self.set_timezone()
+
+    print("Render config")
+    self.render_config("/service_config")
+
+    # Fix missing default global maps, if any
+    # These exists in mailcow UI and should not be removed
+    files = [
+      "/etc/rspamd/custom/global_mime_from_blacklist.map",
+      "/etc/rspamd/custom/global_rcpt_blacklist.map",
+      "/etc/rspamd/custom/global_smtp_from_blacklist.map",
+      "/etc/rspamd/custom/global_mime_from_whitelist.map",
+      "/etc/rspamd/custom/global_rcpt_whitelist.map",
+      "/etc/rspamd/custom/global_smtp_from_whitelist.map",
+      "/etc/rspamd/custom/bad_languages.map",
+      "/etc/rspamd/custom/sa-rules",
+      "/etc/rspamd/custom/dovecot_trusted.map",
+      "/etc/rspamd/custom/rspamd_trusted.map",
+      "/etc/rspamd/custom/mailcow_networks.map",
+      "/etc/rspamd/custom/ip_wl.map",
+      "/etc/rspamd/custom/fishy_tlds.map",
+      "/etc/rspamd/custom/bad_words.map",
+      "/etc/rspamd/custom/bad_asn.map",
+      "/etc/rspamd/custom/bad_words_de.map",
+      "/etc/rspamd/custom/bulk_header.map",
+      "/etc/rspamd/custom/bad_header.map"
+    ]
+    for file in files:
+      path = Path(file)
+      path.parent.mkdir(parents=True, exist_ok=True)
+      path.touch(exist_ok=True)
+
+    # Fix permissions
+    paths_rspamd = [
+      "/var/lib/rspamd",
+      "/etc/rspamd/local.d",
+      "/etc/rspamd/override.d",
+      "/etc/rspamd/rspamd.conf.local",
+      "/etc/rspamd/rspamd.conf.override",
+      "/etc/rspamd/plugins.d"
+    ]
+    for path in paths_rspamd:
+      self.set_owner(path, "_rspamd", "_rspamd", recursive=True)
+    self.set_owner("/etc/rspamd/custom", "_rspamd", "_rspamd")
+    self.set_permissions("/etc/rspamd/custom", 0o755)
+
+    custom_path = Path("/etc/rspamd/custom")
+    for child in custom_path.iterdir():
+      if child.is_file():
+        self.set_owner(child, 82, 82)
+        self.set_permissions(child, 0o644)
+
+    # Provide additional lua modules
+    arch = platform.machine()
+    self.run_command(["ln", "-s", f"/usr/lib/{arch}-linux-gnu/liblua5.1-cjson.so.0.0.0", "/usr/lib/rspamd/cjson.so"], check=False)

data/Dockerfiles/bootstrap/modules/BootstrapSogo.py

@@ -0,0 +1,138 @@
+from jinja2 import Environment, FileSystemLoader
+from modules.BootstrapBase import BootstrapBase
+from pathlib import Path
+import os
+import sys
+import time
+
+class BootstrapSogo(BootstrapBase):
+  def bootstrap(self):
+    # Skip SOGo if set
+    if self.isYes(os.getenv("SKIP_SOGO", "")):
+      print("SKIP_SOGO is set, skipping SOGo startup...")
+      time.sleep(365 * 24 * 60 * 60)
+      sys.exit(1)
+
+    # Connect to MySQL
+    self.connect_mysql()
+
+    # Wait until port is free
+    while self.is_port_open(os.getenv("SOGO_HOST"), 20000):
+      print("Port 20000 still in use — terminating sogod...")
+      self.kill_proc("sogod")
+      time.sleep(3)
+
+    # Wait for schema to update to expected version
+    self.wait_for_schema_update(init_file_path="init_db.inc.php")
+
+    # Setup Jinja2 Environment and load vars
+    self.env = Environment(
+      loader=FileSystemLoader([
+        '/service_config/custom_templates',
+        '/service_config/config_templates'
+      ]),
+      keep_trailing_newline=True,
+      lstrip_blocks=True,
+      trim_blocks=True
+    )
+    extra_vars = {
+      "SQL_DOMAINS": self.get_domains(),
+      "IAM_SETTINGS": self.get_identity_provider_settings()
+    }
+    self.env_vars = self.prepare_template_vars('/service_config/overwrites.json', extra_vars)
+
+    print("Set Timezone")
+    self.set_timezone()
+
+    print("Set Syslog redis")
+    self.set_syslog_redis()
+
+    print("Render config")
+    self.render_config("/service_config")
+
+    print("Fix permissions")
+    self.set_owner("/var/lib/sogo", "sogo", "sogo", recursive=True)
+    self.set_permissions("/var/lib/sogo/GNUstep/Defaults/sogod.plist", 0o600)
+
+    # Rename custom logo
+    logo_src = Path("/etc/sogo/sogo-full.svg")
+    if logo_src.exists():
+      print("Set Logo")
+      self.move_file(logo_src, "/etc/sogo/custom-fulllogo.svg")
+
+    # Rsync web content
+    print("Syncing web content")
+    self.rsync_file("/usr/lib/GNUstep/SOGo/", "/sogo_web/", recursive=True)
+
+    # Chown backup path
+    self.set_owner("/sogo_backup", "sogo", "sogo", recursive=True)
+
+  def get_domains(self):
+    """
+    Retrieves a list of domains and their GAL (Global Address List) status.
+
+    Executes a SQL query to select:
+      - `domain`
+      - a human-readable GAL status ("YES" or "NO")
+      - `ldap_gal` as a boolean (True/False)
+
+    Returns:
+      list[dict]: A list of dicts with keys: domain, gal_status, ldap_gal.
+                  Example: [{"domain": "example.com", "gal_status": "YES", "ldap_gal": True}]
+
+    Logs:
+      Error messages if the query fails.
+    """
+
+    query = """
+      SELECT domain,
+             CASE gal WHEN '1' THEN 'YES' ELSE 'NO' END AS gal_status,
+             ldap_gal = 1 AS ldap_gal
+      FROM domain;
+    """
+    try:
+      cursor = self.mysql_conn.cursor()
+      cursor.execute(query)
+      result = cursor.fetchall()
+      cursor.close()
+
+      return [
+        {
+          "domain": row[0],
+          "gal_status": row[1],
+          "ldap_gal": bool(row[2])
+        }
+        for row in result
+      ]
+    except Exception as e:
+      print(f"Error fetching domains: {e}")
+      return []
+
+  def get_identity_provider_settings(self):
+    """
+    Retrieves all key-value identity provider settings.
+
+    Returns:
+      dict: Settings in the format { key: value }
+
+    Logs:
+      Error messages if the query fails.
+    """
+    query = "SELECT `key`, `value` FROM identity_provider;"
+    try:
+      cursor = self.mysql_conn.cursor()
+      cursor.execute(query)
+      result = cursor.fetchall()
+      cursor.close()
+
+      iam_settings = {row[0]: row[1] for row in result}
+
+      if iam_settings['authsource'] == "ldap":
+        protocol = "ldaps" if iam_settings.get("use_ssl") else "ldap"
+        starttls = "/????!StartTLS" if iam_settings.get("use_tls") else ""
+        iam_settings['ldap_url'] = f"{protocol}://{iam_settings['host']}:{iam_settings['port']}{starttls}"
+
+      return iam_settings
+    except Exception as e:
+      print(f"Error fetching identity provider settings: {e}")
+      return {}

data/Dockerfiles/clamd/Dockerfile

@@ -1,15 +1,129 @@
-FROM clamav/clamav:0.104.2-2_base
+FROM alpine:3.21 AS builder
 
-LABEL maintainer "André Peters <andre.peters@servercow.de>"
+WORKDIR /src
+ENV CLAMD_VERSION=1.4.2
 
 RUN apk upgrade --no-cache \
   && apk add --update --no-cache \
-  rsync \
-  bind-tools \
-  bash 
+    g++ \
+    gcc \
+    gdb \
+    make \
+    cmake \
+    py3-pytest \
+    python3 \
+    valgrind \
+    bzip2-dev \
+    check-dev \
+    curl-dev \
+    json-c-dev \
+    libmilter-dev \
+    libxml2-dev \
+    linux-headers \
+    ncurses-dev \
+    openssl-dev \
+    pcre2-dev \
+    zlib-dev \
+    cargo \
+    rust
 
-COPY clamd.sh ./
-RUN chmod +x /sbin/tini
+RUN wget -P /src https://www.clamav.net/downloads/production/clamav-${CLAMD_VERSION}.tar.gz \
+  && tar xzfv /src/clamav-${CLAMD_VERSION}.tar.gz \
+  && cd /src/clamav-${CLAMD_VERSION} \
+  && cmake . \
+  -D CMAKE_BUILD_TYPE="Release"                                                       \
+  -D CMAKE_INSTALL_PREFIX="/usr"                                                      \
+  -D CMAKE_INSTALL_LIBDIR="/usr/lib"                                                  \
+  -D APP_CONFIG_DIRECTORY="/etc/clamav"                                               \
+  -D DATABASE_DIRECTORY="/var/lib/clamav"                                             \
+  -D ENABLE_CLAMONACC=OFF                                                             \
+  -D ENABLE_EXAMPLES=OFF                                                              \
+  -D ENABLE_MILTER=ON                                                                 \
+  -D ENABLE_MAN_PAGES=OFF                                                             \
+  -D ENABLE_STATIC_LIB=OFF                                                            \
+  -D ENABLE_JSON_SHARED=ON                                                            \
+  && cmake --build . \
+  && make DESTDIR="/clamav" -j$(($(nproc) - 1)) install \
+  && rm -r "/clamav/usr/lib/pkgconfig/" \
+  && sed -e "s|^\(Example\)|\# \1|" \
+    -e "s|.*\(LocalSocket\) .*|\1 /tmp/clamd.sock|" \
+    -e "s|.*\(TCPSocket\) .*|\1 3310|" \
+    -e "s|.*\(TCPAddr\) .*|#\1 0.0.0.0|" \
+    -e "s|.*\(User\) .*|\1 clamav|" \
+    -e "s|^\#\(LogFile\) .*|\1 /var/log/clamav/clamd.log|" \
+    -e "s|^\#\(LogTime\).*|\1 yes|" \
+    "/clamav/etc/clamav/clamd.conf.sample" > "/clamav/etc/clamav/clamd.conf" \
+  && sed -e "s|^\(Example\)|\# \1|" \
+    -e "s|.*\(DatabaseOwner\) .*|\1 clamav|" \
+    -e "s|^\#\(UpdateLogFile\) .*|\1 /var/log/clamav/freshclam.log|" \
+    -e "s|^\#\(NotifyClamd\).*|\1 /etc/clamav/clamd.conf|" \
+    -e "s|^\#\(ScriptedUpdates\).*|\1 yes|" \
+    "/clamav/etc/clamav/freshclam.conf.sample" > "/clamav/etc/clamav/freshclam.conf" \
+  && sed -e "s|^\(Example\)|\# \1|" \
+  -e "s|.*\(MilterSocket\) .*|\1 inet:7357|" \
+  -e "s|.*\(User\) .*|\1 clamav|" \
+  -e "s|^\#\(LogFile\) .*|\1 /var/log/clamav/milter.log|" \
+  -e "s|^\#\(LogTime\).*|\1 yes|" \
+  -e "s|.*\(\ClamdSocket\) .*|\1 unix:/tmp/clamd.sock|" \
+  "/clamav/etc/clamav/clamav-milter.conf.sample" > "/clamav/etc/clamav/clamav-milter.conf" || exit 1
 
-ENTRYPOINT []
+
+FROM alpine:3.21
+
+LABEL maintainer = "The Infrastructure Company GmbH <info@servercow.de>"
+
+RUN apk upgrade --no-cache \
+  && apk add --update --no-cache \
+    tzdata \
+    rsync \
+    bind-tools \
+    bash \
+    tini \
+    json-c \
+    libbz2 \
+    libcurl \
+    libmilter \
+    libxml2 \
+    ncurses-libs \
+    pcre2 \
+    zlib \
+    libgcc \
+    py3-pip \
+  && addgroup -S "clamav" && \
+    adduser -D -G "clamav" -h "/var/lib/clamav" -s "/bin/false" -S "clamav" && \
+    install -d -m 755 -g "clamav" -o "clamav" "/var/log/clamav" && \
+    chown -R clamav:clamav /var/lib/clamav
+
+RUN apk add --no-cache --virtual .build-deps \
+      gcc \
+      musl-dev \
+      python3-dev \
+      linux-headers \
+  && pip install --break-system-packages psutil \
+  && apk del .build-deps
+
+RUN pip install --break-system-packages \
+  mysql-connector-python \
+  jinja2 \
+  redis \
+  dnspython
+
+
+COPY --from=builder "/clamav" "/"
+
+
+COPY data/Dockerfiles/bootstrap /bootstrap
+COPY data/Dockerfiles/clamd/docker-entrypoint.sh /docker-entrypoint.sh
+COPY data/Dockerfiles/clamd/clamd.sh /clamd.sh
+COPY data/Dockerfiles/clamd/healthcheck.sh /healthcheck.sh
+COPY data/Dockerfiles/clamd/clamdcheck.sh /usr/local/bin
+HEALTHCHECK --start-period=6m CMD "/healthcheck.sh"
+
+RUN chmod +x /docker-entrypoint.sh \
+  /clamd.sh \
+  /healthcheck.sh \
+  /usr/local/bin/clamdcheck.sh \
+  /sbin/tini
+
+ENTRYPOINT ["/docker-entrypoint.sh"]
 CMD ["/sbin/tini", "-g", "--", "/clamd.sh"]

data/Dockerfiles/clamd/clamd.sh

@@ -1,48 +1,5 @@
 #!/bin/bash
 
-if [[ "${SKIP_CLAMD}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
-  echo "SKIP_CLAMD=y, skipping ClamAV..."
-  sleep 365d
-  exit 0
-fi
-
-# Cleaning up garbage
-echo "Cleaning up tmp files..."
-rm -rf /var/lib/clamav/clamav-*.tmp
-
-# Prepare whitelist
-
-mkdir -p /run/clamav /var/lib/clamav
-
-if [[ -s /etc/clamav/whitelist.ign2 ]]; then
-  echo "Copying non-empty whitelist.ign2 to /var/lib/clamav/whitelist.ign2"
-  cp /etc/clamav/whitelist.ign2 /var/lib/clamav/whitelist.ign2
-fi
-
-if [[ ! -f /var/lib/clamav/whitelist.ign2 ]]; then
-  echo "Creating /var/lib/clamav/whitelist.ign2"
-  cat <<EOF > /var/lib/clamav/whitelist.ign2
-# Please restart ClamAV after changing signatures
-Example-Signature.Ignore-1
-PUA.Win.Trojan.EmbeddedPDF-1
-PUA.Pdf.Trojan.EmbeddedJavaScript-1
-PUA.Pdf.Trojan.OpenActionObjectwithJavascript-1
-EOF
-fi
-
-chown clamav:clamav -R /var/lib/clamav /run/clamav
-
-chmod 755 /var/lib/clamav
-chmod 644 -R /var/lib/clamav/*
-chmod 750 /run/clamav
-
-stat /var/lib/clamav/whitelist.ign2
-dos2unix /var/lib/clamav/whitelist.ign2
-sed -i '/^\s*$/d' /var/lib/clamav/whitelist.ign2
-# Copying to /etc/clamav to expose file as-is to administrator
-cp -p /var/lib/clamav/whitelist.ign2 /etc/clamav/whitelist.ign2
-
-
 BACKGROUND_TASKS=()
 
 echo "Running freshclam..."
@@ -91,6 +48,7 @@ done
 ) &
 BACKGROUND_TASKS+=($!)
 
+echo "$(clamd -V) is starting... please wait a moment."
 nice -n10 clamd &
 BACKGROUND_TASKS+=($!)
 

data/Dockerfiles/clamd/clamdcheck.sh

@@ -0,0 +1,14 @@
+#!/bin/sh
+
+set -eu
+
+if [ "${CLAMAV_NO_CLAMD:-}" != "false" ]; then
+	if [ "$(echo "PING" | nc localhost 3310)" != "PONG" ]; then
+		echo "ERROR: Unable to contact server"
+		exit 1
+	fi
+
+	echo "Clamd is up"
+fi
+
+exit 0

data/Dockerfiles/clamd/docker-entrypoint.sh

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Run hooks
+for file in /hooks/*; do
+  if [ -x "${file}" ]; then
+    echo "Running hook ${file}"
+    "${file}"
+  fi
+done
+
+python3 -u /bootstrap/main.py
+BOOTSTRAP_EXIT_CODE=$?
+
+if [ $BOOTSTRAP_EXIT_CODE -ne 0 ]; then
+  echo "Bootstrap failed with exit code $BOOTSTRAP_EXIT_CODE. Not starting Clamd."
+  exit $BOOTSTRAP_EXIT_CODE
+fi
+
+echo "Bootstrap succeeded. Starting Clamd..."
+exec "$@"

data/Dockerfiles/clamd/healthcheck.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+if [[ "${SKIP_CLAMD}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
+  echo "SKIP_CLAMD=y, skipping ClamAV..."
+  exit 0
+fi
+
+# run clamd healthcheck
+/usr/local/bin/clamdcheck.sh

data/Dockerfiles/dockerapi/Dockerfile

@@ -1,18 +1,27 @@
-FROM alpine:3.15
+FROM alpine:3.21
 
-LABEL maintainer "Andre Peters <andre.peters@servercow.de>"
+LABEL maintainer = "The Infrastructure Company GmbH <info@servercow.de>"
 
+ARG PIP_BREAK_SYSTEM_PACKAGES=1
 WORKDIR /app
 
 RUN apk add --update --no-cache python3 \
   py3-pip \
   openssl \
   tzdata \
+  py3-psutil \
+  py3-redis \
+  py3-async-timeout \
 && pip3 install --upgrade pip \
-  docker \
-  flask \
-  flask-restful
+  fastapi \
+  uvicorn \
+  aiodocker \
+  docker
+RUN mkdir /app/modules
 
-COPY dockerapi.py /app/
+COPY data/Dockerfiles/dockerapi/docker-entrypoint.sh /app/
+COPY data/Dockerfiles/dockerapi/main.py /app/main.py
+COPY data/Dockerfiles/dockerapi/modules/ /app/modules/
 
-CMD ["python3", "-u", "/app/dockerapi.py"]
+ENTRYPOINT ["/bin/sh", "/app/docker-entrypoint.sh"]
+CMD ["python", "main.py"]

data/Dockerfiles/dockerapi/docker-entrypoint.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+`openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
+  -keyout /app/dockerapi_key.pem \
+  -out /app/dockerapi_cert.pem \
+  -subj /CN=dockerapi/O=mailcow \
+  -addext subjectAltName=DNS:dockerapi`
+
+exec "$@"

data/Dockerfiles/dockerapi/dockerapi.py

@@ -1,419 +0,0 @@
-#!/usr/bin/env python3
-
-from flask import Flask
-from flask_restful import Resource, Api
-from flask import jsonify
-from flask import Response
-from flask import request
-from threading import Thread
-import docker
-import uuid
-import signal
-import time
-import os
-import re
-import sys
-import ssl
-import socket
-import subprocess
-import traceback
-
-docker_client = docker.DockerClient(base_url='unix://var/run/docker.sock', version='auto')
-app = Flask(__name__)
-api = Api(app)
-
-class containers_get(Resource):
-  def get(self):
-    containers = {}
-    try:
-      for container in docker_client.containers.list(all=True):
-        containers.update({container.attrs['Id']: container.attrs})
-      return containers
-    except Exception as e:
-      return jsonify(type='danger', msg=str(e))
-
-class container_get(Resource):
-  def get(self, container_id):
-    if container_id and container_id.isalnum():
-      try:
-        for container in docker_client.containers.list(all=True, filters={"id": container_id}):
-          return container.attrs
-      except Exception as e:
-          return jsonify(type='danger', msg=str(e))
-    else:
-      return jsonify(type='danger', msg='no or invalid id defined')
-
-class container_post(Resource):
-  def post(self, container_id, post_action):
-    if container_id and container_id.isalnum() and post_action:
-      try:
-        """Dispatch container_post api call"""
-        if post_action == 'exec':
-          if not request.json or not 'cmd' in request.json:
-            return jsonify(type='danger', msg='cmd is missing')
-          if not request.json or not 'task' in request.json:
-            return jsonify(type='danger', msg='task is missing')
-
-          api_call_method_name = '__'.join(['container_post', str(post_action), str(request.json['cmd']), str(request.json['task']) ])
-        else:
-          api_call_method_name = '__'.join(['container_post', str(post_action) ])
-
-        api_call_method = getattr(self, api_call_method_name, lambda container_id: jsonify(type='danger', msg='container_post - unknown api call'))
-
-
-        print("api call: %s, container_id: %s" % (api_call_method_name, container_id))
-        return api_call_method(container_id)
-      except Exception as e:
-        print("error - container_post: %s" % str(e))
-        return jsonify(type='danger', msg=str(e))
-
-    else:
-      return jsonify(type='danger', msg='invalid container id or missing action')
-
-
-  # api call: container_post - post_action: stop
-  def container_post__stop(self, container_id):
-    for container in docker_client.containers.list(all=True, filters={"id": container_id}):
-      container.stop()
-    return jsonify(type='success', msg='command completed successfully')
-
-
-  # api call: container_post - post_action: start
-  def container_post__start(self, container_id):
-    for container in docker_client.containers.list(all=True, filters={"id": container_id}):
-      container.start()
-    return jsonify(type='success', msg='command completed successfully')
-
-
-  # api call: container_post - post_action: restart
-  def container_post__restart(self, container_id):
-    for container in docker_client.containers.list(all=True, filters={"id": container_id}):
-      container.restart()
-    return jsonify(type='success', msg='command completed successfully')
-
-
-  # api call: container_post - post_action: top
-  def container_post__top(self, container_id):
-    for container in docker_client.containers.list(all=True, filters={"id": container_id}):
-      return jsonify(type='success', msg=container.top())
-
-
-  # api call: container_post - post_action: stats
-  def container_post__stats(self, container_id):
-    for container in docker_client.containers.list(all=True, filters={"id": container_id}):
-      for stat in container.stats(decode=True, stream=True):
-        return jsonify(type='success', msg=stat )
-
-
-  # api call: container_post - post_action: exec - cmd: mailq - task: delete
-  def container_post__exec__mailq__delete(self, container_id):
-    if 'items' in request.json:
-      r = re.compile("^[0-9a-fA-F]+$")
-      filtered_qids = filter(r.match, request.json['items'])
-      if filtered_qids:
-        flagged_qids = ['-d %s' % i for i in filtered_qids]
-        sanitized_string = str(' '.join(flagged_qids));
-
-        for container in docker_client.containers.list(filters={"id": container_id}):
-          postsuper_r = container.exec_run(["/bin/bash", "-c", "/usr/sbin/postsuper " + sanitized_string])
-          return exec_run_handler('generic', postsuper_r)
-
-  # api call: container_post - post_action: exec - cmd: mailq - task: hold
-  def container_post__exec__mailq__hold(self, container_id):
-    if 'items' in request.json:
-      r = re.compile("^[0-9a-fA-F]+$")
-      filtered_qids = filter(r.match, request.json['items'])
-      if filtered_qids:
-        flagged_qids = ['-h %s' % i for i in filtered_qids]
-        sanitized_string = str(' '.join(flagged_qids));
-
-        for container in docker_client.containers.list(filters={"id": container_id}):
-          postsuper_r = container.exec_run(["/bin/bash", "-c", "/usr/sbin/postsuper " + sanitized_string])
-          return exec_run_handler('generic', postsuper_r)
-
-  # api call: container_post - post_action: exec - cmd: mailq - task: cat
-  def container_post__exec__mailq__cat(self, container_id):
-    if 'items' in request.json:
-      r = re.compile("^[0-9a-fA-F]+$")
-      filtered_qids = filter(r.match, request.json['items'])
-      if filtered_qids:
-        sanitized_string = str(' '.join(filtered_qids));
-
-        for container in docker_client.containers.list(filters={"id": container_id}):
-          postcat_return = container.exec_run(["/bin/bash", "-c", "/usr/sbin/postcat -q " + sanitized_string], user='postfix')
-        if not postcat_return:
-          postcat_return = 'err: invalid'
-        return exec_run_handler('utf8_text_only', postcat_return)
-
-   # api call: container_post - post_action: exec - cmd: mailq - task: unhold
-  def container_post__exec__mailq__unhold(self, container_id):
-    if 'items' in request.json:
-      r = re.compile("^[0-9a-fA-F]+$")
-      filtered_qids = filter(r.match, request.json['items'])
-      if filtered_qids:
-        flagged_qids = ['-H %s' % i for i in filtered_qids]
-        sanitized_string = str(' '.join(flagged_qids));
-
-        for container in docker_client.containers.list(filters={"id": container_id}):
-          postsuper_r = container.exec_run(["/bin/bash", "-c", "/usr/sbin/postsuper " + sanitized_string])
-          return exec_run_handler('generic', postsuper_r)
-
-
-  # api call: container_post - post_action: exec - cmd: mailq - task: deliver
-  def container_post__exec__mailq__deliver(self, container_id):
-    if 'items' in request.json:
-      r = re.compile("^[0-9a-fA-F]+$")
-      filtered_qids = filter(r.match, request.json['items'])
-      if filtered_qids:
-        flagged_qids = ['-i %s' % i for i in filtered_qids]
-
-        for container in docker_client.containers.list(filters={"id": container_id}):
-          for i in flagged_qids:
-            postqueue_r = container.exec_run(["/bin/bash", "-c", "/usr/sbin/postqueue " + i], user='postfix')
-            # todo: check each exit code
-          return jsonify(type='success', msg=str("Scheduled immediate delivery"))
-
-
-  # api call: container_post - post_action: exec - cmd: mailq - task: list
-  def container_post__exec__mailq__list(self, container_id):
-    for container in docker_client.containers.list(filters={"id": container_id}):
-      mailq_return = container.exec_run(["/usr/sbin/postqueue", "-j"], user='postfix')
-      return exec_run_handler('utf8_text_only', mailq_return)
-
-
-  # api call: container_post - post_action: exec - cmd: mailq - task: flush
-  def container_post__exec__mailq__flush(self, container_id):
-    for container in docker_client.containers.list(filters={"id": container_id}):
-      postqueue_r = container.exec_run(["/usr/sbin/postqueue", "-f"], user='postfix')
-      return exec_run_handler('generic', postqueue_r)
-
-
-  # api call: container_post - post_action: exec - cmd: mailq - task: super_delete
-  def container_post__exec__mailq__super_delete(self, container_id):
-    for container in docker_client.containers.list(filters={"id": container_id}):
-      postsuper_r = container.exec_run(["/usr/sbin/postsuper", "-d", "ALL"])
-      return exec_run_handler('generic', postsuper_r)
-
-
-  # api call: container_post - post_action: exec - cmd: system - task: fts_rescan
-  def container_post__exec__system__fts_rescan(self, container_id):
-    if 'username' in request.json:
-      for container in docker_client.containers.list(filters={"id": container_id}):
-        rescan_return = container.exec_run(["/bin/bash", "-c", "/usr/bin/doveadm fts rescan -u '" + request.json['username'].replace("'", "'\\''") + "'"], user='vmail')
-        if rescan_return.exit_code == 0:
-          return jsonify(type='success', msg='fts_rescan: rescan triggered')
-        else:
-          return jsonify(type='warning', msg='fts_rescan error')
-
-    if 'all' in request.json:
-      for container in docker_client.containers.list(filters={"id": container_id}):
-        rescan_return = container.exec_run(["/bin/bash", "-c", "/usr/bin/doveadm fts rescan -A"], user='vmail')
-        if rescan_return.exit_code == 0:
-          return jsonify(type='success', msg='fts_rescan: rescan triggered')
-        else:
-          return jsonify(type='warning', msg='fts_rescan error')
-
-
-  # api call: container_post - post_action: exec - cmd: system - task: df
-  def container_post__exec__system__df(self, container_id):
-    if 'dir' in request.json:
-      for container in docker_client.containers.list(filters={"id": container_id}):
-        df_return = container.exec_run(["/bin/bash", "-c", "/bin/df -H '" + request.json['dir'].replace("'", "'\\''") + "' | /usr/bin/tail -n1 | /usr/bin/tr -s [:blank:] | /usr/bin/tr ' ' ','"], user='nobody')
-        if df_return.exit_code == 0:
-          return df_return.output.decode('utf-8').rstrip()
-        else:
-          return "0,0,0,0,0,0"
-
-
-  # api call: container_post - post_action: exec - cmd: system - task: mysql_upgrade
-  def container_post__exec__system__mysql_upgrade(self, container_id):
-    for container in docker_client.containers.list(filters={"id": container_id}):
-      sql_return = container.exec_run(["/bin/bash", "-c", "/usr/bin/mysql_upgrade -uroot -p'" + os.environ['DBROOT'].replace("'", "'\\''") + "'\n"], user='mysql')
-      if sql_return.exit_code == 0:
-        matched = False
-        for line in sql_return.output.decode('utf-8').split("\n"):
-          if 'is already upgraded to' in line:
-            matched = True
-        if matched:
-          return jsonify(type='success', msg='mysql_upgrade: already upgraded', text=sql_return.output.decode('utf-8'))
-        else:
-          container.restart()
-          return jsonify(type='warning', msg='mysql_upgrade: upgrade was applied', text=sql_return.output.decode('utf-8'))
-      else:
-        return jsonify(type='error', msg='mysql_upgrade: error running command', text=sql_return.output.decode('utf-8'))
-
-  # api call: container_post - post_action: exec - cmd: system - task: mysql_tzinfo_to_sql
-  def container_post__exec__system__mysql_tzinfo_to_sql(self, container_id):
-    for container in docker_client.containers.list(filters={"id": container_id}):
-      sql_return = container.exec_run(["/bin/bash", "-c", "/usr/bin/mysql_tzinfo_to_sql /usr/share/zoneinfo | /bin/sed 's/Local time zone must be set--see zic manual page/FCTY/' | /usr/bin/mysql -uroot -p'" + os.environ['DBROOT'].replace("'", "'\\''") + "' mysql \n"], user='mysql')
-      if sql_return.exit_code == 0:
-        return jsonify(type='info', msg='mysql_tzinfo_to_sql: command completed successfully', text=sql_return.output.decode('utf-8'))
-      else:
-        return jsonify(type='error', msg='mysql_tzinfo_to_sql: error running command', text=sql_return.output.decode('utf-8'))
-
-  # api call: container_post - post_action: exec - cmd: reload - task: dovecot
-  def container_post__exec__reload__dovecot(self, container_id):
-    for container in docker_client.containers.list(filters={"id": container_id}):
-      reload_return = container.exec_run(["/bin/bash", "-c", "/usr/sbin/dovecot reload"])
-      return exec_run_handler('generic', reload_return)
-
-
-  # api call: container_post - post_action: exec - cmd: reload - task: postfix
-  def container_post__exec__reload__postfix(self, container_id):
-    for container in docker_client.containers.list(filters={"id": container_id}):
-      reload_return = container.exec_run(["/bin/bash", "-c", "/usr/sbin/postfix reload"])
-      return exec_run_handler('generic', reload_return)
-
-
-  # api call: container_post - post_action: exec - cmd: reload - task: nginx
-  def container_post__exec__reload__nginx(self, container_id):
-    for container in docker_client.containers.list(filters={"id": container_id}):
-      reload_return = container.exec_run(["/bin/sh", "-c", "/usr/sbin/nginx -s reload"])
-      return exec_run_handler('generic', reload_return)
-
-
-  # api call: container_post - post_action: exec - cmd: sieve - task: list
-  def container_post__exec__sieve__list(self, container_id):
-    if 'username' in request.json:
-      for container in docker_client.containers.list(filters={"id": container_id}):
-        sieve_return = container.exec_run(["/bin/bash", "-c", "/usr/bin/doveadm sieve list -u '" + request.json['username'].replace("'", "'\\''") + "'"])
-        return exec_run_handler('utf8_text_only', sieve_return)
-
-
-  # api call: container_post - post_action: exec - cmd: sieve - task: print
-  def container_post__exec__sieve__print(self, container_id):
-    if 'username' in request.json and 'script_name' in request.json:
-      for container in docker_client.containers.list(filters={"id": container_id}):
-        cmd = ["/bin/bash", "-c", "/usr/bin/doveadm sieve get -u '" + request.json['username'].replace("'", "'\\''") + "' '" + request.json['script_name'].replace("'", "'\\''") + "'"]  
-        sieve_return = container.exec_run(cmd)
-        return exec_run_handler('utf8_text_only', sieve_return)
-
-
-  # api call: container_post - post_action: exec - cmd: maildir - task: cleanup
-  def container_post__exec__maildir__cleanup(self, container_id):
-    if 'maildir' in request.json:
-      for container in docker_client.containers.list(filters={"id": container_id}):
-        sane_name = re.sub(r'\W+', '', request.json['maildir'])
-        cmd = ["/bin/bash", "-c", "if [[ -d '/var/vmail/" + request.json['maildir'].replace("'", "'\\''") + "' ]]; then /bin/mv '/var/vmail/" + request.json['maildir'].replace("'", "'\\''") + "' '/var/vmail/_garbage/" + str(int(time.time())) + "_" + sane_name + "'; fi"]
-        maildir_cleanup = container.exec_run(cmd, user='vmail')
-        return exec_run_handler('generic', maildir_cleanup)
-
-
-
-  # api call: container_post - post_action: exec - cmd: rspamd - task: worker_password
-  def container_post__exec__rspamd__worker_password(self, container_id):
-    if 'raw' in request.json:
-      for container in docker_client.containers.list(filters={"id": container_id}):
-        cmd = "/usr/bin/rspamadm pw -e -p '" + request.json['raw'].replace("'", "'\\''") + "' 2> /dev/null"
-        cmd_response = exec_cmd_container(container, cmd, user="_rspamd")
-        matched = False
-        for line in cmd_response.split("\n"):
-          if '$2$' in line:
-            hash = line.strip()
-            hash_out = re.search('\$2\$.+$', hash).group(0)
-            rspamd_passphrase_hash = re.sub('[^0-9a-zA-Z\$]+', '', hash_out.rstrip())
-
-            rspamd_password_filename = "/etc/rspamd/override.d/worker-controller-password.inc"
-            cmd = '''/bin/echo 'enable_password = "%s";' > %s && cat %s''' % (rspamd_passphrase_hash, rspamd_password_filename, rspamd_password_filename)
-            cmd_response = exec_cmd_container(container, cmd, user="_rspamd")
-
-            if rspamd_passphrase_hash.startswith("$2$") and rspamd_passphrase_hash in cmd_response:
-              container.restart()
-              matched = True
-
-        if matched:
-            return jsonify(type='success', msg='command completed successfully')
-        else:
-            return jsonify(type='danger', msg='command did not complete')
-
-def exec_cmd_container(container, cmd, user, timeout=2, shell_cmd="/bin/bash"):
-
-  def recv_socket_data(c_socket, timeout):
-    c_socket.setblocking(0)
-    total_data=[];
-    data='';
-    begin=time.time()
-    while True:
-      if total_data and time.time()-begin > timeout:
-        break
-      elif time.time()-begin > timeout*2:
-        break
-      try:
-        data = c_socket.recv(8192)
-        if data:
-          total_data.append(data.decode('utf-8'))
-          #change the beginning time for measurement
-          begin=time.time()
-        else:
-          #sleep for sometime to indicate a gap
-          time.sleep(0.1)
-          break
-      except:
-        pass
-    return ''.join(total_data)
-
-  try :
-    socket = container.exec_run([shell_cmd], stdin=True, socket=True, user=user).output._sock
-    if not cmd.endswith("\n"):
-      cmd = cmd + "\n"
-    socket.send(cmd.encode('utf-8'))
-    data = recv_socket_data(socket, timeout)
-    socket.close()
-    return data
-
-  except Exception as e:
-    print("error - exec_cmd_container: %s" % str(e))
-    traceback.print_exc(file=sys.stdout)
-
-def exec_run_handler(type, output):
-  if type == 'generic':
-    if output.exit_code == 0:
-      return jsonify(type='success', msg='command completed successfully')
-    else:
-      return jsonify(type='danger', msg='command failed: ' + output.output.decode('utf-8'))
-  if type == 'utf8_text_only':
-    r = Response(response=output.output.decode('utf-8'), status=200, mimetype="text/plain")
-    r.headers["Content-Type"] = "text/plain; charset=utf-8"
-    return r
-
-class GracefulKiller:
-  kill_now = False
-  def __init__(self):
-    signal.signal(signal.SIGINT, self.exit_gracefully)
-    signal.signal(signal.SIGTERM, self.exit_gracefully)
-
-  def exit_gracefully(self, signum, frame):
-    self.kill_now = True
-
-def create_self_signed_cert():
-    process = subprocess.Popen(
-      "openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes -keyout /app/dockerapi_key.pem -out /app/dockerapi_cert.pem -subj /CN=dockerapi/O=mailcow -addext subjectAltName=DNS:dockerapi".split(),
-      stdout = subprocess.PIPE, stderr = subprocess.PIPE, shell=False
-    )
-    process.wait()
-
-def startFlaskAPI():
-  create_self_signed_cert()
-  try:
-    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
-    ctx.check_hostname = False
-    ctx.load_cert_chain(certfile='/app/dockerapi_cert.pem', keyfile='/app/dockerapi_key.pem')
-  except:
-    print ("Cannot initialize TLS, retrying in 5s...")
-    time.sleep(5)
-  app.run(debug=False, host='0.0.0.0', port=443, threaded=True, ssl_context=ctx)
-
-api.add_resource(containers_get, '/containers/json')
-api.add_resource(container_get,  '/containers/<string:container_id>/json')
-api.add_resource(container_post, '/containers/<string:container_id>/<string:post_action>')
-
-if __name__ == '__main__':
-  api_thread = Thread(target=startFlaskAPI)
-  api_thread.daemon = True
-  api_thread.start()
-  killer = GracefulKiller()
-  while True:
-    time.sleep(1)
-    if killer.kill_now:
-      break
-  print ("Stopping dockerapi-mailcow")

data/Dockerfiles/dockerapi/main.py

@@ -0,0 +1,261 @@
+import os
+import sys
+import uvicorn
+import json
+import uuid
+import async_timeout
+import asyncio
+import aiodocker
+import docker
+import logging
+from logging.config import dictConfig
+from fastapi import FastAPI, Response, Request
+from modules.DockerApi import DockerApi
+from redis import asyncio as aioredis
+from contextlib import asynccontextmanager
+
+dockerapi = None
+
+@asynccontextmanager
+async def lifespan(app: FastAPI):
+  global dockerapi
+
+  # Initialize a custom logger
+  logger = logging.getLogger("dockerapi")
+  logger.setLevel(logging.INFO)
+  # Configure the logger to output logs to the terminal
+  handler = logging.StreamHandler()
+  handler.setLevel(logging.INFO)
+  formatter = logging.Formatter("%(levelname)s:     %(message)s")
+  handler.setFormatter(formatter)
+  logger.addHandler(handler)
+
+  logger.info("Init APP")
+
+  # Init redis client
+  if os.environ['REDIS_SLAVEOF_IP'] != "":
+    redis_client = redis = await aioredis.from_url(f"redis://{os.environ['REDIS_SLAVEOF_IP']}:{os.environ['REDIS_SLAVEOF_PORT']}/0", password=os.environ['REDISPASS'])
+  else:
+    redis_client = redis = await aioredis.from_url(f"redis://{os.environ['REDIS_HOST']}:6379/0", password=os.environ['REDISPASS'])
+
+  # Init docker clients
+  sync_docker_client = docker.DockerClient(base_url='unix://var/run/docker.sock', version='auto')
+  async_docker_client = aiodocker.Docker(url='unix:///var/run/docker.sock')
+
+  dockerapi = DockerApi(redis_client, sync_docker_client, async_docker_client, logger)
+
+  logger.info("Subscribe to redis channel")
+  # Subscribe to redis channel
+  dockerapi.pubsub = redis.pubsub()
+  await dockerapi.pubsub.subscribe("MC_CHANNEL")
+  asyncio.create_task(handle_pubsub_messages(dockerapi.pubsub))
+
+
+  yield
+
+  # Close docker connections
+  dockerapi.sync_docker_client.close()
+  await dockerapi.async_docker_client.close()
+
+  # Close redis
+  await dockerapi.pubsub.unsubscribe("MC_CHANNEL")
+  await dockerapi.redis_client.close()
+
+app = FastAPI(lifespan=lifespan)
+
+# Define Routes
+@app.get("/host/stats")
+async def get_host_update_stats():
+  global dockerapi
+
+  if dockerapi.host_stats_isUpdating == False:
+    asyncio.create_task(dockerapi.get_host_stats())
+    dockerapi.host_stats_isUpdating = True
+
+  while True:
+    if await dockerapi.redis_client.exists('host_stats'):
+      break
+    await asyncio.sleep(1.5)
+
+  stats = json.loads(await dockerapi.redis_client.get('host_stats'))
+  return Response(content=json.dumps(stats, indent=4), media_type="application/json")
+
+@app.get("/containers/{container_id}/json")
+async def get_container(container_id : str):
+  global dockerapi
+
+  if container_id and container_id.isalnum():
+    try:
+      for container in (await dockerapi.async_docker_client.containers.list()):
+        if container._id == container_id:
+          container_info = await container.show()
+          return Response(content=json.dumps(container_info, indent=4), media_type="application/json")
+
+      res = {
+        "type": "danger",
+        "msg": "no container found"
+      }
+      return Response(content=json.dumps(res, indent=4), media_type="application/json")
+    except Exception as e:
+      res = {
+        "type": "danger",
+        "msg": str(e)
+      }
+      return Response(content=json.dumps(res, indent=4), media_type="application/json")
+  else:
+    res = {
+      "type": "danger",
+      "msg": "no or invalid id defined"
+    }
+    return Response(content=json.dumps(res, indent=4), media_type="application/json")
+
+@app.get("/containers/json")
+async def get_containers():
+  global dockerapi
+
+  containers = {}
+  try:
+    for container in (await dockerapi.async_docker_client.containers.list()):
+      container_info = await container.show()
+      containers.update({container_info['Id']: container_info})
+    return Response(content=json.dumps(containers, indent=4), media_type="application/json")
+  except Exception as e:
+    res = {
+      "type": "danger",
+      "msg": str(e)
+    }
+    return Response(content=json.dumps(res, indent=4), media_type="application/json")
+
+@app.post("/containers/{container_id}/{post_action}")
+async def post_containers(container_id : str, post_action : str, request: Request):
+  global dockerapi
+
+  try:
+    request_json = await request.json()
+  except Exception as err:
+    request_json = {}
+
+  if container_id and container_id.isalnum() and post_action:
+    try:
+      """Dispatch container_post api call"""
+      if post_action == 'exec':
+        if not request_json or not 'cmd' in request_json:
+          res = {
+            "type": "danger",
+            "msg": "cmd is missing"
+          }
+          return Response(content=json.dumps(res, indent=4), media_type="application/json")
+        if not request_json or not 'task' in request_json:
+          res = {
+            "type": "danger",
+            "msg": "task is missing"
+          }
+          return Response(content=json.dumps(res, indent=4), media_type="application/json")
+
+        api_call_method_name = '__'.join(['container_post', str(post_action), str(request_json['cmd']), str(request_json['task']) ])
+      else:
+        api_call_method_name = '__'.join(['container_post', str(post_action) ])
+
+      api_call_method = getattr(dockerapi, api_call_method_name, lambda container_id: Response(content=json.dumps({'type': 'danger', 'msg':'container_post - unknown api call' }, indent=4), media_type="application/json"))
+
+      dockerapi.logger.info("api call: %s, container_id: %s" % (api_call_method_name, container_id))
+      return api_call_method(request_json, container_id=container_id)
+    except Exception as e:
+      dockerapi.logger.error("error - container_post: %s" % str(e))
+      res = {
+        "type": "danger",
+        "msg": str(e)
+      }
+      return Response(content=json.dumps(res, indent=4), media_type="application/json")
+
+  else:
+    res = {
+      "type": "danger",
+      "msg": "invalid container id or missing action"
+    }
+    return Response(content=json.dumps(res, indent=4), media_type="application/json")
+
+@app.post("/container/{container_id}/stats/update")
+async def post_container_update_stats(container_id : str):
+  global dockerapi
+
+  # start update task for container if no task is running
+  if container_id not in dockerapi.containerIds_to_update:
+    asyncio.create_task(dockerapi.get_container_stats(container_id))
+    dockerapi.containerIds_to_update.append(container_id)
+
+  while True:
+    if await dockerapi.redis_client.exists(container_id + '_stats'):
+      break
+    await asyncio.sleep(1.5)
+
+  stats = json.loads(await dockerapi.redis_client.get(container_id + '_stats'))
+  return Response(content=json.dumps(stats, indent=4), media_type="application/json")
+
+
+# PubSub Handler
+async def handle_pubsub_messages(channel: aioredis.client.PubSub):
+  global dockerapi
+
+  while True:
+    try:
+      async with async_timeout.timeout(60):
+        message = await channel.get_message(ignore_subscribe_messages=True, timeout=30)
+        if message is not None:
+          # Parse message
+          data_json = json.loads(message['data'].decode('utf-8'))
+          dockerapi.logger.info(f"PubSub Received - {json.dumps(data_json)}")
+
+          # Handle api_call
+          if 'api_call' in data_json:
+            # api_call: container_post
+            if data_json['api_call'] == "container_post":
+              if 'post_action' in data_json and 'container_name' in data_json:
+                try:
+                  """Dispatch container_post api call"""
+                  request_json = {}
+                  if data_json['post_action'] == 'exec':
+                    if 'request' in data_json:
+                      request_json = data_json['request']
+                      if 'cmd' in request_json:
+                        if 'task' in request_json:
+                          api_call_method_name = '__'.join(['container_post', str(data_json['post_action']), str(request_json['cmd']), str(request_json['task']) ])
+                        else:
+                          dockerapi.logger.error("api call: task missing")
+                      else:
+                        dockerapi.logger.error("api call: cmd missing")
+                    else:
+                      dockerapi.logger.error("api call: request missing")
+                  else:
+                    api_call_method_name = '__'.join(['container_post', str(data_json['post_action'])])
+
+                  if api_call_method_name:
+                    api_call_method = getattr(dockerapi, api_call_method_name)
+                    if api_call_method:
+                      dockerapi.logger.info("api call: %s, container_name: %s" % (api_call_method_name, data_json['container_name']))
+                      api_call_method(request_json, container_name=data_json['container_name'])
+                    else:
+                      dockerapi.logger.error("api call not found: %s, container_name: %s" % (api_call_method_name, data_json['container_name']))
+                except Exception as e:
+                  dockerapi.logger.error("container_post: %s" % str(e))
+              else:
+                dockerapi.logger.error("api call: missing container_name, post_action or request")
+            else:
+              dockerapi.logger.error("Unknown PubSub received - %s" % json.dumps(data_json))
+          else:
+            dockerapi.logger.error("Unknown PubSub received - %s" % json.dumps(data_json))
+
+        await asyncio.sleep(0.0)
+    except asyncio.TimeoutError:
+      pass
+
+if __name__ == '__main__':
+  uvicorn.run(
+    app,
+    host="0.0.0.0",
+    port=443,
+    ssl_certfile="/app/dockerapi_cert.pem",
+    ssl_keyfile="/app/dockerapi_key.pem",
+    log_level="info",
+    loop="none"
+  )

data/Dockerfiles/dockerapi/modules/DockerApi.py

@@ -0,0 +1,626 @@
+import psutil
+import sys
+import os
+import re
+import time
+import json
+import asyncio
+import platform
+from datetime import datetime
+from fastapi import FastAPI, Response, Request
+
+class DockerApi:
+  def __init__(self, redis_client, sync_docker_client, async_docker_client, logger):
+    self.redis_client = redis_client
+    self.sync_docker_client = sync_docker_client
+    self.async_docker_client = async_docker_client
+    self.logger = logger
+
+    self.host_stats_isUpdating = False
+    self.containerIds_to_update = []
+
+  # api call: container_post - post_action: stop
+  def container_post__stop(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    for container in self.sync_docker_client.containers.list(all=True, filters=filters):
+      container.stop()
+
+    res = { 'type': 'success', 'msg': 'command completed successfully'}
+    return Response(content=json.dumps(res, indent=4), media_type="application/json")
+  # api call: container_post - post_action: start
+  def container_post__start(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    for container in self.sync_docker_client.containers.list(all=True, filters=filters):
+      container.start()
+
+    res = { 'type': 'success', 'msg': 'command completed successfully'}
+    return Response(content=json.dumps(res, indent=4), media_type="application/json")
+  # api call: container_post - post_action: restart
+  def container_post__restart(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    for container in self.sync_docker_client.containers.list(all=True, filters=filters):
+      container.restart()
+
+    res = { 'type': 'success', 'msg': 'command completed successfully'}
+    return Response(content=json.dumps(res, indent=4), media_type="application/json")
+  # api call: container_post - post_action: top
+  def container_post__top(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    for container in self.sync_docker_client.containers.list(all=True, filters=filters):
+      res = { 'type': 'success', 'msg': container.top()}
+      return Response(content=json.dumps(res, indent=4), media_type="application/json")
+  # api call: container_post - post_action: stats
+  def container_post__stats(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    for container in self.sync_docker_client.containers.list(all=True, filters=filters):
+      for stat in container.stats(decode=True, stream=True):
+        res = { 'type': 'success', 'msg': stat}
+        return Response(content=json.dumps(res, indent=4), media_type="application/json")
+  # api call: container_post - post_action: exec - cmd: mailq - task: delete
+  def container_post__exec__mailq__delete(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    if 'items' in request_json:
+      r = re.compile("^[0-9a-fA-F]+$")
+      filtered_qids = filter(r.match, request_json['items'])
+      if filtered_qids:
+        flagged_qids = ['-d %s' % i for i in filtered_qids]
+        sanitized_string = str(' '.join(flagged_qids))
+        for container in self.sync_docker_client.containers.list(filters=filters):
+          postsuper_r = container.exec_run(["/bin/bash", "-c", "/usr/sbin/postsuper " + sanitized_string])
+          return self.exec_run_handler('generic', postsuper_r)
+  # api call: container_post - post_action: exec - cmd: mailq - task: hold
+  def container_post__exec__mailq__hold(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    if 'items' in request_json:
+      r = re.compile("^[0-9a-fA-F]+$")
+      filtered_qids = filter(r.match, request_json['items'])
+      if filtered_qids:
+        flagged_qids = ['-h %s' % i for i in filtered_qids]
+        sanitized_string = str(' '.join(flagged_qids))
+        for container in self.sync_docker_client.containers.list(filters=filters):
+          postsuper_r = container.exec_run(["/bin/bash", "-c", "/usr/sbin/postsuper " + sanitized_string])
+          return self.exec_run_handler('generic', postsuper_r)
+  # api call: container_post - post_action: exec - cmd: mailq - task: cat
+  def container_post__exec__mailq__cat(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    if 'items' in request_json:
+      r = re.compile("^[0-9a-fA-F]+$")
+      filtered_qids = filter(r.match, request_json['items'])
+      if filtered_qids:
+        sanitized_string = str(' '.join(filtered_qids))
+
+        for container in self.sync_docker_client.containers.list(filters=filters):
+          postcat_return = container.exec_run(["/bin/bash", "-c", "/usr/sbin/postcat -q " + sanitized_string], user='postfix')
+        if not postcat_return:
+          postcat_return = 'err: invalid'
+        return self.exec_run_handler('utf8_text_only', postcat_return)
+  # api call: container_post - post_action: exec - cmd: mailq - task: unhold
+  def container_post__exec__mailq__unhold(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    if 'items' in request_json:
+      r = re.compile("^[0-9a-fA-F]+$")
+      filtered_qids = filter(r.match, request_json['items'])
+      if filtered_qids:
+        flagged_qids = ['-H %s' % i for i in filtered_qids]
+        sanitized_string = str(' '.join(flagged_qids))
+        for container in self.sync_docker_client.containers.list(filters=filters):
+          postsuper_r = container.exec_run(["/bin/bash", "-c", "/usr/sbin/postsuper " + sanitized_string])
+          return self.exec_run_handler('generic', postsuper_r)
+  # api call: container_post - post_action: exec - cmd: mailq - task: deliver
+  def container_post__exec__mailq__deliver(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    if 'items' in request_json:
+      r = re.compile("^[0-9a-fA-F]+$")
+      filtered_qids = filter(r.match, request_json['items'])
+      if filtered_qids:
+        flagged_qids = ['-i %s' % i for i in filtered_qids]
+        for container in self.sync_docker_client.containers.list(filters=filters):
+          for i in flagged_qids:
+            postqueue_r = container.exec_run(["/bin/bash", "-c", "/usr/sbin/postqueue " + i], user='postfix')
+            # todo: check each exit code
+          res = { 'type': 'success', 'msg': 'Scheduled immediate delivery'}
+          return Response(content=json.dumps(res, indent=4), media_type="application/json")
+  # api call: container_post - post_action: exec - cmd: mailq - task: list
+  def container_post__exec__mailq__list(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    for container in self.sync_docker_client.containers.list(filters=filters):
+      mailq_return = container.exec_run(["/usr/sbin/postqueue", "-j"], user='postfix')
+      return self.exec_run_handler('utf8_text_only', mailq_return)
+  # api call: container_post - post_action: exec - cmd: mailq - task: flush
+  def container_post__exec__mailq__flush(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    for container in self.sync_docker_client.containers.list(filters=filters):
+      postqueue_r = container.exec_run(["/usr/sbin/postqueue", "-f"], user='postfix')
+      return self.exec_run_handler('generic', postqueue_r)
+  # api call: container_post - post_action: exec - cmd: mailq - task: super_delete
+  def container_post__exec__mailq__super_delete(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    for container in self.sync_docker_client.containers.list(filters=filters):
+      postsuper_r = container.exec_run(["/usr/sbin/postsuper", "-d", "ALL"])
+      return self.exec_run_handler('generic', postsuper_r)
+  # api call: container_post - post_action: exec - cmd: system - task: fts_rescan
+  def container_post__exec__system__fts_rescan(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    if 'username' in request_json:
+      for container in self.sync_docker_client.containers.list(filters=filters):
+        rescan_return = container.exec_run(["/bin/bash", "-c", "/usr/bin/doveadm fts rescan -u '" + request_json['username'].replace("'", "'\\''") + "'"], user='vmail')
+        if rescan_return.exit_code == 0:
+          res = { 'type': 'success', 'msg': 'fts_rescan: rescan triggered'}
+          return Response(content=json.dumps(res, indent=4), media_type="application/json")
+        else:
+          res = { 'type': 'warning', 'msg': 'fts_rescan error'}
+          return Response(content=json.dumps(res, indent=4), media_type="application/json")
+    if 'all' in request_json:
+      for container in self.sync_docker_client.containers.list(filters=filters):
+        rescan_return = container.exec_run(["/bin/bash", "-c", "/usr/bin/doveadm fts rescan -A"], user='vmail')
+        if rescan_return.exit_code == 0:
+          res = { 'type': 'success', 'msg': 'fts_rescan: rescan triggered'}
+          return Response(content=json.dumps(res, indent=4), media_type="application/json")
+        else:
+          res = { 'type': 'warning', 'msg': 'fts_rescan error'}
+          return Response(content=json.dumps(res, indent=4), media_type="application/json")
+  # api call: container_post - post_action: exec - cmd: system - task: df
+  def container_post__exec__system__df(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    if 'dir' in request_json:
+      for container in self.sync_docker_client.containers.list(filters=filters):
+        df_return = container.exec_run(["/bin/bash", "-c", "/bin/df -H '" + request_json['dir'].replace("'", "'\\''") + "' | /usr/bin/tail -n1 | /usr/bin/tr -s [:blank:] | /usr/bin/tr ' ' ','"], user='nobody')
+        if df_return.exit_code == 0:
+          return df_return.output.decode('utf-8').rstrip()
+        else:
+          return "0,0,0,0,0,0"
+  # api call: container_post - post_action: exec - cmd: system - task: mysql_upgrade
+  def container_post__exec__system__mysql_upgrade(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    for container in self.sync_docker_client.containers.list(filters=filters):
+      sql_return = container.exec_run(["/bin/bash", "-c", "/usr/bin/mysql_upgrade -uroot -p'" + os.environ['DBROOT'].replace("'", "'\\''") + "'\n"], user='mysql')
+      if sql_return.exit_code == 0:
+        matched = False
+        for line in sql_return.output.decode('utf-8').split("\n"):
+          if 'is already upgraded to' in line:
+            matched = True
+        if matched:
+          res = { 'type': 'success', 'msg':'mysql_upgrade: already upgraded', 'text': sql_return.output.decode('utf-8')}
+          return Response(content=json.dumps(res, indent=4), media_type="application/json")
+        else:
+          container.restart()
+          res = { 'type': 'warning', 'msg':'mysql_upgrade: upgrade was applied', 'text': sql_return.output.decode('utf-8')}
+          return Response(content=json.dumps(res, indent=4), media_type="application/json")
+      else:
+        res = { 'type': 'error', 'msg': 'mysql_upgrade: error running command', 'text': sql_return.output.decode('utf-8')}
+        return Response(content=json.dumps(res, indent=4), media_type="application/json")
+  # api call: container_post - post_action: exec - cmd: system - task: mysql_tzinfo_to_sql
+  def container_post__exec__system__mysql_tzinfo_to_sql(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    for container in self.sync_docker_client.containers.list(filters=filters):
+      sql_return = container.exec_run(["/bin/bash", "-c", "/usr/bin/mysql_tzinfo_to_sql /usr/share/zoneinfo | /bin/sed 's/Local time zone must be set--see zic manual page/FCTY/' | /usr/bin/mysql -uroot -p'" + os.environ['DBROOT'].replace("'", "'\\''") + "' mysql \n"], user='mysql')
+      if sql_return.exit_code == 0:
+        res = { 'type': 'info', 'msg': 'mysql_tzinfo_to_sql: command completed successfully', 'text': sql_return.output.decode('utf-8')}
+        return Response(content=json.dumps(res, indent=4), media_type="application/json")
+      else:
+        res = { 'type': 'error', 'msg': 'mysql_tzinfo_to_sql: error running command', 'text': sql_return.output.decode('utf-8')}
+        return Response(content=json.dumps(res, indent=4), media_type="application/json")
+  # api call: container_post - post_action: exec - cmd: reload - task: dovecot
+  def container_post__exec__reload__dovecot(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    for container in self.sync_docker_client.containers.list(filters=filters):
+      reload_return = container.exec_run(["/bin/bash", "-c", "/usr/sbin/dovecot reload"])
+      return self.exec_run_handler('generic', reload_return)
+  # api call: container_post - post_action: exec - cmd: reload - task: postfix
+  def container_post__exec__reload__postfix(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    for container in self.sync_docker_client.containers.list(filters=filters):
+      reload_return = container.exec_run(["/bin/bash", "-c", "/usr/sbin/postfix reload"])
+      return self.exec_run_handler('generic', reload_return)
+  # api call: container_post - post_action: exec - cmd: reload - task: nginx
+  def container_post__exec__reload__nginx(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    for container in self.sync_docker_client.containers.list(filters=filters):
+      reload_return = container.exec_run(["/bin/sh", "-c", "/usr/sbin/nginx -s reload"])
+      return self.exec_run_handler('generic', reload_return)
+  # api call: container_post - post_action: exec - cmd: sieve - task: list
+  def container_post__exec__sieve__list(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    if 'username' in request_json:
+      for container in self.sync_docker_client.containers.list(filters=filters):
+        sieve_return = container.exec_run(["/bin/bash", "-c", "/usr/bin/doveadm sieve list -u '" + request_json['username'].replace("'", "'\\''") + "'"])
+        return self.exec_run_handler('utf8_text_only', sieve_return)
+  # api call: container_post - post_action: exec - cmd: sieve - task: print
+  def container_post__exec__sieve__print(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    if 'username' in request_json and 'script_name' in request_json:
+      for container in self.sync_docker_client.containers.list(filters=filters):
+        cmd = ["/bin/bash", "-c", "/usr/bin/doveadm sieve get -u '" + request_json['username'].replace("'", "'\\''") + "' '" + request_json['script_name'].replace("'", "'\\''") + "'"]
+        sieve_return = container.exec_run(cmd)
+        return self.exec_run_handler('utf8_text_only', sieve_return)
+  # api call: container_post - post_action: exec - cmd: maildir - task: cleanup
+  def container_post__exec__maildir__cleanup(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    if 'maildir' in request_json:
+      for container in self.sync_docker_client.containers.list(filters=filters):
+        sane_name = re.sub(r'\W+', '', request_json['maildir'])
+        vmail_name = request_json['maildir'].replace("'", "'\\''")
+        cmd_vmail = "if [[ -d '/var/vmail/" + vmail_name + "' ]]; then /bin/mv '/var/vmail/" + vmail_name + "' '/var/vmail/_garbage/" + str(int(time.time())) + "_" + sane_name + "'; fi"
+        index_name = request_json['maildir'].split("/")
+        if len(index_name) > 1:
+          index_name = index_name[1].replace("'", "'\\''") + "@" + index_name[0].replace("'", "'\\''")
+          cmd_vmail_index = "if [[ -d '/var/vmail_index/" + index_name + "' ]]; then /bin/mv '/var/vmail_index/" + index_name + "' '/var/vmail/_garbage/" + str(int(time.time())) + "_" + sane_name + "_index'; fi"
+          cmd = ["/bin/bash", "-c", cmd_vmail + " && " + cmd_vmail_index]
+        else:
+          cmd = ["/bin/bash", "-c", cmd_vmail]
+        maildir_cleanup = container.exec_run(cmd, user='vmail')
+        return self.exec_run_handler('generic', maildir_cleanup)
+  # api call: container_post - post_action: exec - cmd: maildir - task: move
+  def container_post__exec__maildir__move(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    if 'old_maildir' in request_json and 'new_maildir' in request_json:
+      for container in self.sync_docker_client.containers.list(filters=filters):
+        vmail_name = request_json['old_maildir'].replace("'", "'\\''")
+        new_vmail_name = request_json['new_maildir'].replace("'", "'\\''")
+        cmd_vmail = f"if [[ -d '/var/vmail/{vmail_name}' ]]; then /bin/mv '/var/vmail/{vmail_name}' '/var/vmail/{new_vmail_name}'; fi"
+
+        index_name = request_json['old_maildir'].split("/")
+        new_index_name = request_json['new_maildir'].split("/")
+        if len(index_name) > 1 and len(new_index_name) > 1:
+          index_name = index_name[1].replace("'", "'\\''") + "@" + index_name[0].replace("'", "'\\''")
+          new_index_name = new_index_name[1].replace("'", "'\\''") + "@" + new_index_name[0].replace("'", "'\\''")
+          cmd_vmail_index = f"if [[ -d '/var/vmail_index/{index_name}' ]]; then /bin/mv '/var/vmail_index/{index_name}' '/var/vmail_index/{new_index_name}_index'; fi"
+          cmd = ["/bin/bash", "-c", cmd_vmail + " && " + cmd_vmail_index]
+        else:
+          cmd = ["/bin/bash", "-c", cmd_vmail]
+        maildir_move = container.exec_run(cmd, user='vmail')
+        return self.exec_run_handler('generic', maildir_move)
+  # api call: container_post - post_action: exec - cmd: rspamd - task: worker_password
+  def container_post__exec__rspamd__worker_password(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    if 'raw' in request_json:
+      for container in self.sync_docker_client.containers.list(filters=filters):
+        cmd = "/usr/bin/rspamadm pw -e -p '" + request_json['raw'].replace("'", "'\\''") + "' 2> /dev/null"
+        cmd_response = self.exec_cmd_container(container, cmd, user="_rspamd")
+
+        matched = False
+        for line in cmd_response.split("\n"):
+          if '$2$' in line:
+            hash = line.strip()
+            hash_out = re.search(r'\$2\$.+$', hash).group(0)
+            rspamd_passphrase_hash = re.sub(r'[^0-9a-zA-Z\$]+', '', hash_out.rstrip())
+            rspamd_password_filename = "/etc/rspamd/override.d/worker-controller-password.inc"
+            cmd = '''/bin/echo 'enable_password = "%s";' > %s && cat %s''' % (rspamd_passphrase_hash, rspamd_password_filename, rspamd_password_filename)
+            cmd_response = self.exec_cmd_container(container, cmd, user="_rspamd")
+            if rspamd_passphrase_hash.startswith("$2$") and rspamd_passphrase_hash in cmd_response:
+              container.restart()
+              matched = True
+        if matched:
+          res = { 'type': 'success', 'msg': 'command completed successfully' }
+          self.logger.info('success changing Rspamd password')
+          return Response(content=json.dumps(res, indent=4), media_type="application/json")
+        else:
+          self.logger.error('failed changing Rspamd password')
+          res = { 'type': 'danger', 'msg': 'command did not complete' }
+          return Response(content=json.dumps(res, indent=4), media_type="application/json")
+  # api call: container_post - post_action: exec - cmd: sogo - task: rename
+  def container_post__exec__sogo__rename_user(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    if 'old_username' in request_json and 'new_username' in request_json:
+      for container in self.sync_docker_client.containers.list(filters=filters):
+        old_username = request_json['old_username'].replace("'", "'\\''")
+        new_username = request_json['new_username'].replace("'", "'\\''")
+
+        sogo_return = container.exec_run(["/bin/bash", "-c", f"sogo-tool rename-user '{old_username}' '{new_username}'"], user='sogo')
+        return self.exec_run_handler('generic', sogo_return)
+  # api call: container_post - post_action: exec - cmd: doveadm - task: get_acl
+  def container_post__exec__doveadm__get_acl(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    for container in self.sync_docker_client.containers.list(filters=filters):
+      id = request_json['id'].replace("'", "'\\''")
+
+      shared_folders = container.exec_run(["/bin/bash", "-c", f"doveadm mailbox list -u '{id}'"])
+      shared_folders = shared_folders.output.decode('utf-8')
+      shared_folders = shared_folders.splitlines()
+
+      formatted_acls = []
+      mailbox_seen = []
+      for shared_folder in shared_folders:
+        if "Shared" not in shared_folder:
+          mailbox = shared_folder.replace("'", "'\\''")
+          if mailbox in mailbox_seen:
+            continue
+
+          acls = container.exec_run(["/bin/bash", "-c", f"doveadm acl get -u '{id}' '{mailbox}'"])
+          acls = acls.output.decode('utf-8').strip().splitlines()
+          if len(acls) >= 2:
+            for acl in acls[1:]:
+              user_id, rights = acl.split(maxsplit=1)
+              user_id = user_id.split('=')[1]
+              mailbox_seen.append(mailbox)
+              formatted_acls.append({ 'user': id, 'id': user_id, 'mailbox': mailbox, 'rights': rights.split() })
+        elif "Shared" in shared_folder and "/" in shared_folder:
+          shared_folder = shared_folder.split("/")
+          if len(shared_folder) < 3:
+            continue
+
+          user = shared_folder[1].replace("'", "'\\''")
+          mailbox = '/'.join(shared_folder[2:]).replace("'", "'\\''")
+          if mailbox in mailbox_seen:
+            continue
+
+          acls = container.exec_run(["/bin/bash", "-c", f"doveadm acl get -u '{user}' '{mailbox}'"])
+          acls = acls.output.decode('utf-8').strip().splitlines()
+          if len(acls) >= 2:
+            for acl in acls[1:]:
+              user_id, rights = acl.split(maxsplit=1)
+              user_id = user_id.split('=')[1].replace("'", "'\\''")
+              if user_id == id and mailbox not in mailbox_seen:
+                mailbox_seen.append(mailbox)
+                formatted_acls.append({ 'user': user, 'id': id, 'mailbox': mailbox, 'rights': rights.split() })
+
+      return Response(content=json.dumps(formatted_acls, indent=4), media_type="application/json")
+  # api call: container_post - post_action: exec - cmd: doveadm - task: delete_acl
+  def container_post__exec__doveadm__delete_acl(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    for container in self.sync_docker_client.containers.list(filters=filters):
+      user = request_json['user'].replace("'", "'\\''")
+      mailbox = request_json['mailbox'].replace("'", "'\\''")
+      id = request_json['id'].replace("'", "'\\''")
+
+      if user and mailbox and id:
+        acl_delete_return = container.exec_run(["/bin/bash", "-c", f"doveadm acl delete -u '{user}' '{mailbox}' 'user={id}'"])
+        return self.exec_run_handler('generic', acl_delete_return)
+  # api call: container_post - post_action: exec - cmd: doveadm - task: set_acl
+  def container_post__exec__doveadm__set_acl(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    for container in self.sync_docker_client.containers.list(filters=filters):
+      user = request_json['user'].replace("'", "'\\''")
+      mailbox = request_json['mailbox'].replace("'", "'\\''")
+      id = request_json['id'].replace("'", "'\\''")
+      rights = ""
+
+      available_rights = [
+        "admin",
+        "create",
+        "delete",
+        "expunge",
+        "insert",
+        "lookup",
+        "post",
+        "read",
+        "write",
+        "write-deleted",
+        "write-seen"
+      ]
+      for right in request_json['rights']:
+        right = right.replace("'", "'\\''").lower()
+        if right in available_rights:
+          rights += right + " "
+
+      if user and mailbox and id and rights:
+        acl_set_return = container.exec_run(["/bin/bash", "-c", f"doveadm acl set -u '{user}' '{mailbox}' 'user={id}' {rights}"])
+        return self.exec_run_handler('generic', acl_set_return)
+
+
+  # Collect host stats
+  async def get_host_stats(self, wait=5):
+    try:
+      system_time = datetime.now()
+      host_stats = {
+        "cpu": {
+          "cores": psutil.cpu_count(),
+          "usage": psutil.cpu_percent()
+        },
+        "memory": {
+          "total": psutil.virtual_memory().total,
+          "usage": psutil.virtual_memory().percent,
+          "swap": psutil.swap_memory()
+        },
+        "uptime": time.time() - psutil.boot_time(),
+        "system_time": system_time.strftime("%d.%m.%Y %H:%M:%S"),
+        "architecture": platform.machine()
+      }
+
+      await self.redis_client.set('host_stats', json.dumps(host_stats), ex=10)
+    except Exception as e:
+      res = {
+        "type": "danger",
+        "msg": str(e)
+      }
+
+    await asyncio.sleep(wait)
+    self.host_stats_isUpdating = False
+  # Collect container stats
+  async def get_container_stats(self, container_id, wait=5, stop=False):
+    if container_id and container_id.isalnum():
+      try:
+        for container in (await self.async_docker_client.containers.list()):
+          if container._id == container_id:
+            res = await container.stats(stream=False)
+
+            if await self.redis_client.exists(container_id + '_stats'):
+              stats = json.loads(await self.redis_client.get(container_id + '_stats'))
+            else:
+              stats = []
+            stats.append(res[0])
+            if len(stats) > 3:
+              del stats[0]
+            await self.redis_client.set(container_id + '_stats', json.dumps(stats), ex=60)
+      except Exception as e:
+        res = {
+          "type": "danger",
+          "msg": str(e)
+        }
+    else:
+      res = {
+        "type": "danger",
+        "msg": "no or invalid id defined"
+      }
+
+    await asyncio.sleep(wait)
+    if stop == True:
+      # update task was called second time, stop
+      self.containerIds_to_update.remove(container_id)
+    else:
+      # call update task a second time
+      await self.get_container_stats(container_id, wait=0, stop=True)
+
+  def exec_cmd_container(self, container, cmd, user, timeout=2, shell_cmd="/bin/bash"):
+    def recv_socket_data(c_socket, timeout):
+      c_socket.setblocking(0)
+      total_data=[]
+      data=''
+      begin=time.time()
+      while True:
+        if total_data and time.time()-begin > timeout:
+          break
+        elif time.time()-begin > timeout*2:
+          break
+        try:
+          data = c_socket.recv(8192)
+          if data:
+            total_data.append(data.decode('utf-8'))
+            #change the beginning time for measurement
+            begin=time.time()
+          else:
+            #sleep for sometime to indicate a gap
+            time.sleep(0.1)
+            break
+        except:
+          pass
+      return ''.join(total_data)
+
+    try :
+      socket = container.exec_run([shell_cmd], stdin=True, socket=True, user=user).output._sock
+      if not cmd.endswith("\n"):
+        cmd = cmd + "\n"
+      socket.send(cmd.encode('utf-8'))
+      data = recv_socket_data(socket, timeout)
+      socket.close()
+      return data
+    except Exception as e:
+      self.logger.error("error - exec_cmd_container: %s" % str(e))
+      traceback.print_exc(file=sys.stdout)
+
+  def exec_run_handler(self, type, output):
+    if type == 'generic':
+      if output.exit_code == 0:
+        res = { 'type': 'success', 'msg': 'command completed successfully' }
+        return Response(content=json.dumps(res, indent=4), media_type="application/json")
+      else:
+        res = { 'type': 'danger', 'msg': 'command failed: ' + output.output.decode('utf-8') }
+        return Response(content=json.dumps(res, indent=4), media_type="application/json")
+    if type == 'utf8_text_only':
+      return Response(content=output.output.decode('utf-8'), media_type="text/plain")

data/Dockerfiles/dovecot/Dockerfile

@@ -1,131 +1,150 @@
-FROM debian:bullseye-slim
-LABEL maintainer "Andre Peters <andre.peters@servercow.de>"
+FROM alpine:3.21
 
-ARG DEBIAN_FRONTEND=noninteractive
-ARG DOVECOT=2.3.18
-ENV LC_ALL C
-ENV GOSU_VERSION 1.14
+LABEL maintainer="The Infrastructure Company GmbH <info@servercow.de>"
+
+# renovate: datasource=github-releases depName=tianon/gosu versioning=semver-coerced extractVersion=^(?<version>.*)$
+ARG GOSU_VERSION=1.16
+
+ENV LANG=C.UTF-8
+ENV LC_ALL=C.UTF-8
 
 # Add groups and users before installing Dovecot to not break compatibility
-RUN groupadd -g 5000 vmail \
-  && groupadd -g 401 dovecot \
-  && groupadd -g 402 dovenull \
-  && groupadd -g 999 sogo \
-  && usermod -a -G sogo nobody \
-  && useradd -g vmail -u 5000 vmail -d /var/vmail \
-  && useradd -c "Dovecot unprivileged user" -d /dev/null -u 401 -g dovecot -s /bin/false dovecot \
-  && useradd -c "Dovecot login user" -d /dev/null -u 402 -g dovenull -s /bin/false dovenull \
-  && touch /etc/default/locale \
-  && apt-get update \
-  && apt-get -y --no-install-recommends install \
-  apt-transport-https \
+RUN addgroup -g 5000 vmail \
+  && addgroup -g 401 dovecot \
+  && addgroup -g 402 dovenull \
+  && sed -i "s/999/99/" /etc/group \
+  && addgroup -g 999 sogo \
+  && addgroup nobody sogo \
+  && adduser -D -u 5000 -G vmail -h /var/vmail vmail \
+  && adduser -D -G dovecot -u 401 -h /dev/null -s /sbin/nologin dovecot \
+  && adduser -D -G dovenull -u 402 -h /dev/null -s /sbin/nologin dovenull \
+  && apk add --no-cache --update \
+  bash \
+  bind-tools \
+  findutils \
+  envsubst \
   ca-certificates \
-  cpanminus \
   curl \
-  dnsutils \
-  dirmngr \
-  gettext \
-  gnupg2 \
+  coreutils \
   jq \
-  libauthen-ntlm-perl \
-  libcgi-pm-perl \
-  libcrypt-openssl-rsa-perl \
-  libcrypt-ssleay-perl \
-  libdata-uniqid-perl \
-  libdbd-mysql-perl \
-  libdbi-perl \
-  libdigest-hmac-perl \
-  libdist-checkconflicts-perl \
-  libencode-imaputf7-perl \
-  libfile-copy-recursive-perl \
-  libfile-tail-perl \
-  libhtml-parser-perl \
-  libio-compress-perl \
-  libio-socket-inet6-perl \
-  libio-socket-ssl-perl \
-  libio-tee-perl \
-  libipc-run-perl \
-  libjson-webtoken-perl \
-  liblockfile-simple-perl \
-  libmail-imapclient-perl \
-  libmodule-implementation-perl \
-  libmodule-scandeps-perl \
-  libnet-ssleay-perl \
-  libpackage-stash-perl \
-  libpackage-stash-xs-perl \
-  libpar-packer-perl \
-  libparse-recdescent-perl \
-  libproc-processtable-perl \
-  libreadonly-perl \
-  libregexp-common-perl \
-  libsys-meminfo-perl \
-  libterm-readkey-perl \
-  libtest-deep-perl \
-  libtest-fatal-perl \
-  libtest-mock-guard-perl \
-  libtest-mockobject-perl \
-  libtest-nowarnings-perl \
-  libtest-pod-perl \
-  libtest-requires-perl \
-  libtest-simple-perl \
-  libtest-warn-perl \
-  libtry-tiny-perl \
-  libunicode-string-perl \
-  liburi-perl \
-  libwww-perl \
-  lua-sql-mysql \
+  lua \
+  lua-cjson \
   lua-socket \
+  lua-sql-mysql \
+  lua5.3-sql-mysql \
+  icu-data-full \
+  mariadb-connector-c \
+  lua-sec \
+  mariadb-dev \
+  glib-dev \
+  gcompat \
   mariadb-client \
+  perl \
+  perl-dev \
+  perl-ntlm \
+  perl-cgi \
+  perl-crypt-openssl-rsa \
+  perl-utils \
+  perl-crypt-ssleay \
+  perl-data-uniqid \
+  perl-dbd-mysql \
+  perl-dbi \
+  perl-digest-hmac \
+  perl-dist-checkconflicts \
+  perl-encode-imaputf7 \
+  perl-file-copy-recursive \
+  perl-file-tail \
+  perl-io-socket-inet6 \
+  perl-io-gzip \
+  perl-io-socket-ssl \
+  perl-io-tee \
+  perl-ipc-run \
+  perl-json-webtoken \
+  perl-mail-imapclient \
+  perl-module-implementation \
+  perl-module-scandeps \
+  perl-net-ssleay \
+  perl-package-stash \
+  perl-package-stash-xs \
+  perl-par-packer \
+  perl-parse-recdescent \
+  perl-lockfile-simple \
+  libproc2 \
+  perl-readonly \
+  perl-regexp-common \
+  perl-sys-meminfo \
+  perl-term-readkey \
+  perl-test-deep \
+  perl-test-fatal \
+  perl-test-mockobject \
+  perl-test-mock-guard \
+  perl-test-pod \
+  perl-test-requires \
+  perl-test-simple \
+  perl-test-warn \
+  perl-try-tiny \
+  perl-unicode-string \
+  perl-proc-processtable \
+  perl-app-cpanminus \
   procps \
-  python3-pip \
-  redis-server \
-  supervisor \
+  python3 py3-pip python3-dev \
+  py3-html2text \
+  linux-headers \
+  musl-dev \
+  gcc \
+  redis \
   syslog-ng \
-  syslog-ng-core \
-  syslog-ng-mod-redis \
+  syslog-ng-redis \
+  syslog-ng-json \
+  supervisor \
+  tzdata \
   wget \
-  && dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')" \
-  && wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch" \
-  && chmod +x /usr/local/bin/gosu \
-  && gosu nobody true \
-  && apt-key adv --fetch-keys https://repo.dovecot.org/DOVECOT-REPO-GPG \
-  && echo "deb https://repo.dovecot.org/ce-${DOVECOT}/debian/bullseye bullseye main" > /etc/apt/sources.list.d/dovecot.list \
-  && apt-get update \
-  && apt-get -y --no-install-recommends install \
-  dovecot-lua \
-  dovecot-managesieved \
-  dovecot-sieve \
+  dovecot \
+  dovecot-dev \
   dovecot-lmtpd \
+  dovecot-lua \
   dovecot-ldap \
   dovecot-mysql \
-  dovecot-core \
+  dovecot-sql \
+  dovecot-submissiond \
+  dovecot-pigeonhole-plugin \
   dovecot-pop3d \
-  dovecot-imapd \
-  dovecot-solr \
-  && pip3 install mysql-connector-python html2text jinja2 redis \
-  && apt-get autoremove --purge -y \
-  && apt-get autoclean \
-  && rm -rf /var/lib/apt/lists/* \
-  && rm -rf /tmp/* /var/tmp/* /root/.cache/
+  dovecot-fts-flatcurve \
+  && arch=$(arch | sed s/aarch64/arm64/ | sed s/x86_64/amd64/) \
+  && wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$arch" \
+  && chmod +x /usr/local/bin/gosu \
+  && gosu nobody true
 
-COPY trim_logs.sh /usr/local/bin/trim_logs.sh
-COPY clean_q_aged.sh /usr/local/bin/clean_q_aged.sh
-COPY syslog-ng.conf /etc/syslog-ng/syslog-ng.conf
-COPY syslog-ng-redis_slave.conf /etc/syslog-ng/syslog-ng-redis_slave.conf
-COPY imapsync /usr/local/bin/imapsync
-COPY imapsync_runner.pl /usr/local/bin/imapsync_runner.pl
-COPY report-spam.sieve /usr/lib/dovecot/sieve/report-spam.sieve
-COPY report-ham.sieve /usr/lib/dovecot/sieve/report-ham.sieve
-COPY rspamd-pipe-ham /usr/lib/dovecot/sieve/rspamd-pipe-ham
-COPY rspamd-pipe-spam /usr/lib/dovecot/sieve/rspamd-pipe-spam
-COPY sa-rules.sh /usr/local/bin/sa-rules.sh
-COPY maildir_gc.sh /usr/local/bin/maildir_gc.sh
-COPY docker-entrypoint.sh /
-COPY supervisord.conf /etc/supervisor/supervisord.conf
-COPY stop-supervisor.sh /usr/local/sbin/stop-supervisor.sh
-COPY quarantine_notify.py /usr/local/bin/quarantine_notify.py
-COPY quota_notify.py /usr/local/bin/quota_notify.py
-COPY repl_health.sh /usr/local/bin/repl_health.sh
+RUN pip install  --break-system-packages \
+  mysql-connector-python \
+  jinja2 \
+  redis \
+  dnspython \
+  psutil
 
-ENTRYPOINT ["/docker-entrypoint.sh"]
-CMD exec /usr/bin/supervisord -c /etc/supervisor/supervisord.conf
+
+COPY data/Dockerfiles/bootstrap /bootstrap
+COPY data/Dockerfiles/dovecot/trim_logs.sh /usr/local/bin/trim_logs.sh
+COPY data/Dockerfiles/dovecot/clean_q_aged.sh /usr/local/bin/clean_q_aged.sh
+COPY data/Dockerfiles/dovecot/syslog-ng.conf /etc/syslog-ng/syslog-ng.conf
+COPY data/Dockerfiles/dovecot/syslog-ng-redis_slave.conf /etc/syslog-ng/syslog-ng-redis_slave.conf
+COPY data/Dockerfiles/dovecot/imapsync /usr/local/bin/imapsync
+COPY data/Dockerfiles/dovecot/imapsync_runner.pl /usr/local/bin/imapsync_runner.pl
+COPY data/Dockerfiles/dovecot/report-spam.sieve /usr/lib/dovecot/sieve/report-spam.sieve
+COPY data/Dockerfiles/dovecot/report-ham.sieve /usr/lib/dovecot/sieve/report-ham.sieve
+COPY data/Dockerfiles/dovecot/rspamd-pipe-ham /usr/lib/dovecot/sieve/rspamd-pipe-ham
+COPY data/Dockerfiles/dovecot/rspamd-pipe-spam /usr/lib/dovecot/sieve/rspamd-pipe-spam
+COPY data/Dockerfiles/dovecot/sa-rules.sh /usr/local/bin/sa-rules.sh
+COPY data/Dockerfiles/dovecot/docker-entrypoint.sh /
+COPY data/Dockerfiles/dovecot/supervisord.conf /etc/supervisor/supervisord.conf
+COPY data/Dockerfiles/dovecot/stop-supervisor.sh /usr/local/sbin/stop-supervisor.sh
+COPY data/Dockerfiles/dovecot/quarantine_notify.py /usr/local/bin/quarantine_notify.py
+COPY data/Dockerfiles/dovecot/quota_notify.py /usr/local/bin/quota_notify.py
+COPY data/Dockerfiles/dovecot/repl_health.sh /usr/local/bin/repl_health.sh
+COPY data/Dockerfiles/dovecot/optimize-fts.sh /usr/local/bin/optimize-fts.sh
+
+RUN chmod +x /docker-entrypoint.sh \
+  /usr/local/sbin/stop-supervisor.sh
+
+
+CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/supervisord.conf"]

data/Dockerfiles/dovecot/clean_q_aged.sh

@@ -2,7 +2,7 @@
 
 source /source_env.sh
 
-MAX_AGE=$(redis-cli --raw -h redis-mailcow GET Q_MAX_AGE)
+MAX_AGE=$(redis-cli --raw -h redis-mailcow -a ${REDISPASS} --no-auth-warning GET Q_MAX_AGE)
 
 if [[ -z ${MAX_AGE} ]]; then
   echo "Max age for quarantine items not defined"
@@ -15,6 +15,6 @@ if ! [[ ${MAX_AGE} =~ ${NUM_REGEXP} ]] ; then
   exit 1
 fi
 
-TO_DELETE=$(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT COUNT(id) FROM quarantine WHERE created < NOW() - INTERVAL ${MAX_AGE//[!0-9]/} DAY" -BN)
-mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "DELETE FROM quarantine WHERE created < NOW() - INTERVAL ${MAX_AGE//[!0-9]/} DAY"
+TO_DELETE=$(mariadb --skip-ssl --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT COUNT(id) FROM quarantine WHERE created < NOW() - INTERVAL ${MAX_AGE//[!0-9]/} DAY" -BN)
+mariadb --skip-ssl --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "DELETE FROM quarantine WHERE created < NOW() - INTERVAL ${MAX_AGE//[!0-9]/} DAY"
 echo "Deleted ${TO_DELETE} items from quarantine table (max age is ${MAX_AGE//[!0-9]/} days)"

data/Dockerfiles/dovecot/docker-entrypoint.sh

@@ -1,415 +1,4 @@
 #!/bin/bash
-set -e
-
-# Wait for MySQL to warm-up
-while ! mysqladmin status --socket=/var/run/mysqld/mysqld.sock -u${DBUSER} -p${DBPASS} --silent; do
-  echo "Waiting for database to come up..."
-  sleep 2
-done
-
-until dig +short mailcow.email > /dev/null; do
-  echo "Waiting for DNS..."
-  sleep 1
-done
-
-# Do not attempt to write to slave
-if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
-  REDIS_CMDLINE="redis-cli -h ${REDIS_SLAVEOF_IP} -p ${REDIS_SLAVEOF_PORT}"
-else
-  REDIS_CMDLINE="redis-cli -h redis -p 6379"
-fi
-
-until [[ $(${REDIS_CMDLINE} PING) == "PONG" ]]; do
-  echo "Waiting for Redis..."
-  sleep 2
-done
-
-${REDIS_CMDLINE} SET DOVECOT_REPL_HEALTH 1 > /dev/null
-
-# Create missing directories
-[[ ! -d /etc/dovecot/sql/ ]] && mkdir -p /etc/dovecot/sql/
-[[ ! -d /etc/dovecot/lua/ ]] && mkdir -p /etc/dovecot/lua/
-[[ ! -d /var/vmail/_garbage ]] && mkdir -p /var/vmail/_garbage
-[[ ! -d /var/vmail/sieve ]] && mkdir -p /var/vmail/sieve
-[[ ! -d /etc/sogo ]] && mkdir -p /etc/sogo
-[[ ! -d /var/volatile ]] && mkdir -p /var/volatile
-
-# Set Dovecot sql config parameters, escape " in db password
-DBPASS=$(echo ${DBPASS} | sed 's/"/\\"/g')
-
-# Create quota dict for Dovecot
-if [[ "${MASTER}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
-  QUOTA_TABLE=quota2
-else
-  QUOTA_TABLE=quota2replica
-fi
-cat <<EOF > /etc/dovecot/sql/dovecot-dict-sql-quota.conf
-# Autogenerated by mailcow
-connect = "host=/var/run/mysqld/mysqld.sock dbname=${DBNAME} user=${DBUSER} password=${DBPASS}"
-map {
-  pattern = priv/quota/storage
-  table = ${QUOTA_TABLE}
-  username_field = username
-  value_field = bytes
-}
-map {
-  pattern = priv/quota/messages
-  table = ${QUOTA_TABLE}
-  username_field = username
-  value_field = messages
-}
-EOF
-
-# Create dict used for sieve pre and postfilters
-cat <<EOF > /etc/dovecot/sql/dovecot-dict-sql-sieve_before.conf
-# Autogenerated by mailcow
-connect = "host=/var/run/mysqld/mysqld.sock dbname=${DBNAME} user=${DBUSER} password=${DBPASS}"
-map {
-  pattern = priv/sieve/name/\$script_name
-  table = sieve_before
-  username_field = username
-  value_field = id
-  fields {
-    script_name = \$script_name
-  }
-}
-map {
-  pattern = priv/sieve/data/\$id
-  table = sieve_before
-  username_field = username
-  value_field = script_data
-  fields {
-    id = \$id
-  }
-}
-EOF
-
-cat <<EOF > /etc/dovecot/sql/dovecot-dict-sql-sieve_after.conf
-# Autogenerated by mailcow
-connect = "host=/var/run/mysqld/mysqld.sock dbname=${DBNAME} user=${DBUSER} password=${DBPASS}"
-map {
-  pattern = priv/sieve/name/\$script_name
-  table = sieve_after
-  username_field = username
-  value_field = id
-  fields {
-    script_name = \$script_name
-  }
-}
-map {
-  pattern = priv/sieve/data/\$id
-  table = sieve_after
-  username_field = username
-  value_field = script_data
-  fields {
-    id = \$id
-  }
-}
-EOF
-
-echo -n ${ACL_ANYONE} > /etc/dovecot/acl_anyone
-
-if [[ "${SKIP_SOLR}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
-echo -n 'quota acl zlib mail_crypt mail_crypt_acl mail_log notify listescape replication' > /etc/dovecot/mail_plugins
-echo -n 'quota imap_quota imap_acl acl zlib imap_zlib imap_sieve mail_crypt mail_crypt_acl notify listescape replication mail_log' > /etc/dovecot/mail_plugins_imap
-echo -n 'quota sieve acl zlib mail_crypt mail_crypt_acl notify listescape replication' > /etc/dovecot/mail_plugins_lmtp
-else
-echo -n 'quota acl zlib mail_crypt mail_crypt_acl mail_log notify fts fts_solr listescape replication' > /etc/dovecot/mail_plugins
-echo -n 'quota imap_quota imap_acl acl zlib imap_zlib imap_sieve mail_crypt mail_crypt_acl notify mail_log fts fts_solr listescape replication' > /etc/dovecot/mail_plugins_imap
-echo -n 'quota sieve acl zlib mail_crypt mail_crypt_acl fts fts_solr notify listescape replication' > /etc/dovecot/mail_plugins_lmtp
-fi
-chmod 644 /etc/dovecot/mail_plugins /etc/dovecot/mail_plugins_imap /etc/dovecot/mail_plugins_lmtp /templates/quarantine.tpl
-
-cat <<EOF > /etc/dovecot/sql/dovecot-dict-sql-userdb.conf
-# Autogenerated by mailcow
-driver = mysql
-connect = "host=/var/run/mysqld/mysqld.sock dbname=${DBNAME} user=${DBUSER} password=${DBPASS}"
-user_query = SELECT CONCAT(JSON_UNQUOTE(JSON_VALUE(attributes, '$.mailbox_format')), mailbox_path_prefix, '%d/%n/${MAILDIR_SUB}:VOLATILEDIR=/var/volatile/%u:INDEX=/var/vmail_index/%u') AS mail, '%s' AS protocol, 5000 AS uid, 5000 AS gid, concat('*:bytes=', quota) AS quota_rule FROM mailbox WHERE username = '%u' AND (active = '1' OR active = '2')
-iterate_query = SELECT username FROM mailbox WHERE active = '1' OR active = '2';
-EOF
-
-cat <<EOF > /etc/dovecot/lua/passwd-verify.lua
-function auth_password_verify(req, pass)
-
-  if req.domain == nil then
-    return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, "No such user"
-  end
-
-  if cur == nil then
-    script_init()
-  end
-
-  if req.user == nil then
-    req.user = ''
-  end
-
-  respbody = {}
-
-  -- check against mailbox passwds
-  local cur,errorString = con:execute(string.format([[SELECT password FROM mailbox
-    WHERE username = '%s'
-      AND active = '1'
-      AND domain IN (SELECT domain FROM domain WHERE domain='%s' AND active='1')
-      AND IFNULL(JSON_UNQUOTE(JSON_VALUE(mailbox.attributes, '$.force_pw_update')), 0) != '1'
-      AND IFNULL(JSON_UNQUOTE(JSON_VALUE(attributes, '$.%s_access')), 1) = '1']], con:escape(req.user), con:escape(req.domain), con:escape(req.service)))
-  local row = cur:fetch ({}, "a")
-  while row do
-    if req.password_verify(req, row.password, pass) == 1 then
-      con:execute(string.format([[REPLACE INTO sasl_log (service, app_password, username, real_rip)
-        VALUES ("%s", 0, "%s", "%s")]], con:escape(req.service), con:escape(req.user), con:escape(req.real_rip)))
-      cur:close()
-      con:close()
-      return dovecot.auth.PASSDB_RESULT_OK, "password=" .. pass
-    end
-    row = cur:fetch (row, "a")
-  end
-
-  -- check against app passwds for imap and smtp
-  -- app passwords are only available for imap, smtp, sieve and pop3 when using sasl
-  if req.service == "smtp" or req.service == "imap" or req.service == "sieve" or req.service == "pop3" then
-    local cur,errorString = con:execute(string.format([[SELECT app_passwd.id, %s_access AS has_prot_access, app_passwd.password FROM app_passwd
-      INNER JOIN mailbox ON mailbox.username = app_passwd.mailbox
-      WHERE mailbox = '%s'
-        AND app_passwd.active = '1'
-        AND mailbox.active = '1'
-        AND app_passwd.domain IN (SELECT domain FROM domain WHERE domain='%s' AND active='1')]], con:escape(req.service), con:escape(req.user), con:escape(req.domain)))
-    local row = cur:fetch ({}, "a")
-    while row do
-      if req.password_verify(req, row.password, pass) == 1 then
-        -- if password is valid and protocol access is 1 OR real_rip matches SOGo, proceed
-        if tostring(req.real_rip) == "__IPV4_SOGO__" then
-          cur:close()
-          con:close()
-          return dovecot.auth.PASSDB_RESULT_OK, "password=" .. pass
-        elseif row.has_prot_access == "1" then
-          con:execute(string.format([[REPLACE INTO sasl_log (service, app_password, username, real_rip)
-            VALUES ("%s", %d, "%s", "%s")]], con:escape(req.service), row.id, con:escape(req.user), con:escape(req.real_rip)))
-          cur:close()
-          con:close()
-          return dovecot.auth.PASSDB_RESULT_OK, "password=" .. pass
-        end
-      end
-      row = cur:fetch (row, "a")
-    end
-  end
-
-  cur:close()
-  con:close()
-
-  return dovecot.auth.PASSDB_RESULT_PASSWORD_MISMATCH, "Failed to authenticate"
-
-  -- PoC
-  -- local reqbody = string.format([[{
-  --   "success":0,
-  --   "service":"%s",
-  --   "app_password":false,
-  --   "username":"%s",
-  --   "real_rip":"%s"
-  -- }]], con:escape(req.service), con:escape(req.user), con:escape(req.real_rip))
-  -- http.request {
-  --   method = "POST",
-  --   url = "http://nginx:8081/sasl_log.php",
-  --   source = ltn12.source.string(reqbody),
-  --   headers = {
-  --     ["content-type"] = "application/json",
-  --     ["content-length"] = tostring(#reqbody)
-  --   },
-  --   sink = ltn12.sink.table(respbody)
-  -- }
-
-end
-
-function auth_passdb_lookup(req)
-   return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, ""
-end
-
-function script_init()
-  mysql = require "luasql.mysql"
-  http = require "socket.http"
-  http.TIMEOUT = 5
-  ltn12 = require "ltn12"
-  env  = mysql.mysql()
-  con = env:connect("__DBNAME__","__DBUSER__","__DBPASS__","localhost")
-  return 0
-end
-
-function script_deinit()
-  con:close()
-  env:close()
-end
-EOF
-
-# Replace patterns in app-passdb.lua
-sed -i "s/__DBUSER__/${DBUSER}/g" /etc/dovecot/lua/passwd-verify.lua
-sed -i "s/__DBPASS__/${DBPASS}/g" /etc/dovecot/lua/passwd-verify.lua
-sed -i "s/__DBNAME__/${DBNAME}/g" /etc/dovecot/lua/passwd-verify.lua
-sed -i "s/__IPV4_SOGO__/${IPV4_NETWORK}.248/g" /etc/dovecot/lua/passwd-verify.lua
-
-
-# Migrate old sieve_after file
-[[ -f /etc/dovecot/sieve_after ]] && mv /etc/dovecot/sieve_after /etc/dovecot/global_sieve_after
-# Create global sieve scripts
-cat /etc/dovecot/global_sieve_after > /var/vmail/sieve/global_sieve_after.sieve
-cat /etc/dovecot/global_sieve_before > /var/vmail/sieve/global_sieve_before.sieve
-
-# Check permissions of vmail/index/garbage directories.
-# Do not do this every start-up, it may take a very long time. So we use a stat check here.
-if [[ $(stat -c %U /var/vmail/) != "vmail" ]] ; then chown -R vmail:vmail /var/vmail ; fi
-if [[ $(stat -c %U /var/vmail/_garbage) != "vmail" ]] ; then chown -R vmail:vmail /var/vmail/_garbage ; fi
-if [[ $(stat -c %U /var/vmail_index) != "vmail" ]] ; then chown -R vmail:vmail /var/vmail_index ; fi
-
-# Cleanup random user maildirs
-rm -rf /var/vmail/mailcow.local/*
-# Cleanup PIDs
-[[ -f /tmp/quarantine_notify.pid ]] && rm /tmp/quarantine_notify.pid
-
-# create sni configuration
-echo "" > /etc/dovecot/sni.conf
-for cert_dir in /etc/ssl/mail/*/ ; do
-  if [[ ! -f ${cert_dir}domains ]] || [[ ! -f ${cert_dir}cert.pem ]] || [[ ! -f ${cert_dir}key.pem ]]; then
-    continue
-  fi
-  domains=($(cat ${cert_dir}domains))
-  for domain in ${domains[@]}; do
-    echo 'local_name '${domain}' {' >> /etc/dovecot/sni.conf;
-    echo '  ssl_cert = <'${cert_dir}'cert.pem' >> /etc/dovecot/sni.conf;
-    echo '  ssl_key = <'${cert_dir}'key.pem' >> /etc/dovecot/sni.conf;
-    echo '}' >> /etc/dovecot/sni.conf;
-  done
-done
-
-# Create random master for SOGo sieve features
-RAND_USER=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 16 | head -n 1)
-RAND_PASS=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 24 | head -n 1)
-
-if [[ ! -z ${DOVECOT_MASTER_USER} ]] && [[ ! -z ${DOVECOT_MASTER_PASS} ]]; then
-  RAND_USER=${DOVECOT_MASTER_USER}
-  RAND_PASS=${DOVECOT_MASTER_PASS}
-fi
-echo ${RAND_USER}@mailcow.local:{SHA1}$(echo -n ${RAND_PASS} | sha1sum | awk '{print $1}'):::::: > /etc/dovecot/dovecot-master.passwd
-echo ${RAND_USER}@mailcow.local::5000:5000:::: > /etc/dovecot/dovecot-master.userdb
-echo ${RAND_USER}@mailcow.local:${RAND_PASS} > /etc/sogo/sieve.creds
-
-if [[ -z ${MAILDIR_SUB} ]]; then
-  MAILDIR_SUB_SHARED=
-else
-  MAILDIR_SUB_SHARED=/${MAILDIR_SUB}
-fi
-cat <<EOF > /etc/dovecot/shared_namespace.conf
-# Autogenerated by mailcow
-namespace {
-    type = shared
-    separator = /
-    prefix = Shared/%%u/
-    location = maildir:%%h${MAILDIR_SUB_SHARED}:INDEX=~${MAILDIR_SUB_SHARED}/Shared/%%u
-    subscriptions = no
-    list = children
-}
-EOF
-
-cat <<EOF > /etc/dovecot/sogo_trusted_ip.conf
-# Autogenerated by mailcow
-remote ${IPV4_NETWORK}.248 {
-  disable_plaintext_auth = no
-}
-EOF
-
-# Create random master Password for SOGo SSO
-RAND_PASS=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 32 | head -n 1)
-echo -n ${RAND_PASS} > /etc/phpfpm/sogo-sso.pass
-cat <<EOF > /etc/dovecot/sogo-sso.conf
-# Autogenerated by mailcow
-passdb {
-  driver = static
-  args = allow_real_nets=${IPV4_NETWORK}.248/32 password={plain}${RAND_PASS}
-}
-EOF
-
-if [[ "${MASTER}" =~ ^([nN][oO]|[nN])+$ ]]; then
-  # Toggling MASTER will result in a rebuild of containers, so the quota script will be recreated
-  cat <<'EOF' > /usr/local/bin/quota_notify.py
-#!/usr/bin/python3
-import sys
-sys.exit()
-EOF
-fi
-
-# 401 is user dovecot
-if [[ ! -s /mail_crypt/ecprivkey.pem || ! -s /mail_crypt/ecpubkey.pem ]]; then
-	openssl ecparam -name prime256v1 -genkey | openssl pkey -out /mail_crypt/ecprivkey.pem
-	openssl pkey -in /mail_crypt/ecprivkey.pem -pubout -out /mail_crypt/ecpubkey.pem
-	chown 401 /mail_crypt/ecprivkey.pem /mail_crypt/ecpubkey.pem
-else
-	chown 401 /mail_crypt/ecprivkey.pem /mail_crypt/ecpubkey.pem
-fi
-
-# Compile sieve scripts
-sievec /var/vmail/sieve/global_sieve_before.sieve
-sievec /var/vmail/sieve/global_sieve_after.sieve
-sievec /usr/lib/dovecot/sieve/report-spam.sieve
-sievec /usr/lib/dovecot/sieve/report-ham.sieve
-
-# Fix permissions
-chown root:root /etc/dovecot/sql/*.conf
-chown root:dovecot /etc/dovecot/sql/dovecot-dict-sql-sieve* /etc/dovecot/sql/dovecot-dict-sql-quota* /etc/dovecot/lua/passwd-verify.lua
-chmod 640 /etc/dovecot/sql/*.conf /etc/dovecot/lua/passwd-verify.lua
-chown -R vmail:vmail /var/vmail/sieve
-chown -R vmail:vmail /var/volatile
-chown -R vmail:vmail /var/vmail_index
-adduser vmail tty
-chmod g+rw /dev/console
-chown root:tty /dev/console
-chmod +x /usr/lib/dovecot/sieve/rspamd-pipe-ham \
-  /usr/lib/dovecot/sieve/rspamd-pipe-spam \
-  /usr/local/bin/imapsync_runner.pl \
-  /usr/local/bin/imapsync \
-  /usr/local/bin/trim_logs.sh \
-  /usr/local/bin/sa-rules.sh \
-  /usr/local/bin/clean_q_aged.sh \
-  /usr/local/bin/maildir_gc.sh \
-  /usr/local/sbin/stop-supervisor.sh \
-  /usr/local/bin/quota_notify.py \
-  /usr/local/bin/repl_health.sh
-
-# Prepare environment file for cronjobs
-printenv | sed 's/^\(.*\)$/export \1/g' > /source_env.sh
-
-# Clean old PID if any
-[[ -f /var/run/dovecot/master.pid ]] && rm /var/run/dovecot/master.pid
-
-# Clean stopped imapsync jobs
-rm -f /tmp/imapsync_busy.lock
-IMAPSYNC_TABLE=$(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SHOW TABLES LIKE 'imapsync'" -Bs)
-[[ ! -z ${IMAPSYNC_TABLE} ]] && mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "UPDATE imapsync SET is_running='0'"
-
-# Envsubst maildir_gc
-echo "$(envsubst < /usr/local/bin/maildir_gc.sh)" > /usr/local/bin/maildir_gc.sh
-
-# GUID generation
-while [[ ${VERSIONS_OK} != 'OK' ]]; do
-  if [[ ! -z $(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -B -e "SELECT 'OK' FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA = \"${DBNAME}\" AND TABLE_NAME = 'versions'") ]]; then
-    VERSIONS_OK=OK
-  else
-    echo "Waiting for versions table to be created..."
-    sleep 3
-  fi
-done
-PUBKEY_MCRYPT=$(doveconf -P 2> /dev/null | grep -i mail_crypt_global_public_key | cut -d '<' -f2)
-if [ -f ${PUBKEY_MCRYPT} ]; then
-  GUID=$(cat <(echo ${MAILCOW_HOSTNAME}) /mail_crypt/ecpubkey.pem | sha256sum | cut -d ' ' -f1 | tr -cd "[a-fA-F0-9.:/] ")
-  if [ ${#GUID} -eq 64 ]; then
-    mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} << EOF
-REPLACE INTO versions (application, version) VALUES ("GUID", "${GUID}");
-EOF
-  else
-    mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} << EOF
-REPLACE INTO versions (application, version) VALUES ("GUID", "INVALID");
-EOF
-  fi
-fi
-
-# Collect SA rules once now
-/usr/local/bin/sa-rules.sh
 
 # Run hooks
 for file in /hooks/*; do
@@ -419,8 +8,24 @@ for file in /hooks/*; do
   fi
 done
 
-# For some strange, unknown and stupid reason, Dovecot may run into a race condition, when this file is not touched before it is read by dovecot/auth
-# May be related to something inside Docker, I seriously don't know
-touch /etc/dovecot/lua/passwd-verify.lua
+python3 -u /bootstrap/main.py
+BOOTSTRAP_EXIT_CODE=$?
 
-exec "$@"
+# Fix OpenSSL 3.X TLS1.0, 1.1 support (https://community.mailcow.email/d/4062-hi-all/20)
+if grep -qE 'ssl_min_protocol\s*=\s*(TLSv1|TLSv1\.1)\s*$' /etc/dovecot/dovecot.conf /etc/dovecot/extra.conf; then
+    sed -i '/\[openssl_init\]/a ssl_conf = ssl_configuration' /etc/ssl/openssl.cnf
+
+    echo "[ssl_configuration]" >> /etc/ssl/openssl.cnf
+    echo "system_default = tls_system_default" >> /etc/ssl/openssl.cnf
+    echo "[tls_system_default]" >> /etc/ssl/openssl.cnf
+    echo "MinProtocol = TLSv1" >> /etc/ssl/openssl.cnf
+    echo "CipherString = DEFAULT@SECLEVEL=0" >> /etc/ssl/openssl.cnf
+fi
+
+if [ $BOOTSTRAP_EXIT_CODE -ne 0 ]; then
+  echo "Bootstrap failed with exit code $BOOTSTRAP_EXIT_CODE. Not starting Dovecot."
+  exit $BOOTSTRAP_EXIT_CODE
+fi
+
+echo "Bootstrap succeeded. Starting Dovecot..."
+/usr/sbin/dovecot -F

data/Dockerfiles/dovecot/imapsync

@@ -8492,6 +8492,7 @@ sub xoauth2
         require HTML::Entities ;
         require JSON ;
         require JSON::WebToken::Crypt::RSA ;
+        require Crypt::OpenSSL::PKCS12;
         require Crypt::OpenSSL::RSA ;
         require Encode::Byte ;
         require IO::Socket::SSL ;
@@ -8532,8 +8533,9 @@ sub xoauth2
 
             $sync->{ debug } and myprint( "Service account: $iss\nKey file: $keyfile\nKey password: $keypass\n");
 
-            # Get private key from p12 file (would be better in perl...)
-            $key = `openssl pkcs12 -in "$keyfile" -nodes -nocerts -passin pass:$keypass -nomacver`;
+            # Get private key from p12 file
+            my $pkcs12 = Crypt::OpenSSL::PKCS12->new_from_file($keyfile);
+            $key = $pkcs12->private_key($keypass);
 
             $sync->{ debug } and myprint( "Private key:\n$key\n");
         }

data/Dockerfiles/dovecot/imapsync_runner.pl

@@ -51,8 +51,8 @@ sub sig_handler {
   die "sig_handler received signal, preparing to exit...\n";
 };
 
-open my $file, '<', "/etc/sogo/sieve.creds";
-my $creds = <$file>;
+open my $file, '<', "/etc/sogo/sieve.creds"; 
+my $creds = <$file>; 
 close $file;
 my ($master_user, $master_pass) = split /:/, $creds;
 my $sth = $dbh->prepare("SELECT id,
@@ -75,7 +75,8 @@ my $sth = $dbh->prepare("SELECT id,
   custom_params,
   subscribeall,
   timeout1,
-  timeout2
+  timeout2,
+  dry
     FROM imapsync
       WHERE active = 1
         AND is_running = 0
@@ -111,13 +112,16 @@ while ($row = $sth->fetchrow_arrayref()) {
   $subscribeall        = @$row[18];
   $timeout1            = @$row[19];
   $timeout2            = @$row[20];
+  $dry                 = @$row[21];
 
   if ($enc1 eq "TLS") { $enc1 = "--tls1"; } elsif ($enc1 eq "SSL") { $enc1 = "--ssl1"; } else { undef $enc1; }
 
   my $template = $run_dir . '/imapsync.XXXXXXX';
   my $passfile1 = File::Temp->new(TEMPLATE => $template);
   my $passfile2 = File::Temp->new(TEMPLATE => $template);
-
+  
+  binmode( $passfile1, ":utf8" );
+  
   print $passfile1 "$password1\n";
   print $passfile2 trim($master_pass) . "\n";
 
@@ -148,6 +152,7 @@ while ($row = $sth->fetchrow_arrayref()) {
   "--host2", "localhost",
   "--user2", $user2 . '*' . trim($master_user),
   "--passfile2", $passfile2->filename,
+  ($dry eq "1" ? ('--dry') : ()),
   '--no-modulesversion',
   '--noreleasecheck'];
 
@@ -166,17 +171,11 @@ while ($row = $sth->fetchrow_arrayref()) {
       $success = 1;
     }
 
-    $keep_job_active = 1;
-    if (defined $exit_status && $exit_status eq "EXIT_AUTHENTICATION_FAILURE_USER1") {
-      $keep_job_active = 0;
-    }
-
-    $update = $dbh->prepare("UPDATE imapsync SET returned_text = ?, success = ?, exit_status = ?, active = ? WHERE id = ?");
+    $update = $dbh->prepare("UPDATE imapsync SET returned_text = ?, success = ?, exit_status = ? WHERE id = ?");
     $update->bind_param( 1, ${stdout} );
     $update->bind_param( 2, ${success} );
     $update->bind_param( 3, ${exit_status} );
-    $update->bind_param( 4, ${keep_job_active} );
-    $update->bind_param( 5, ${id} );
+    $update->bind_param( 4, ${id} );
     $update->execute();
   } catch {
     $update = $dbh->prepare("UPDATE imapsync SET returned_text = 'Could not start or finish imapsync', success = 0 WHERE id = ?");

data/Dockerfiles/dovecot/maildir_gc.sh

@@ -1,2 +0,0 @@
-#!/bin/bash
-[ -d /var/vmail/_garbage/ ] && /usr/bin/find /var/vmail/_garbage/ -mindepth 1 -maxdepth 1 -type d -cmin +${MAILDIR_GC_TIME} -exec rm -r {} \;

data/Dockerfiles/dovecot/optimize-fts.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+if [[ "${SKIP_FTS}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
+    exit 0
+else
+    doveadm fts optimize -A
+fi

data/Dockerfiles/dovecot/quarantine_notify.py

@@ -3,11 +3,10 @@
 import smtplib
 import os
 import sys
-import mysql.connector
+import MySQLdb
 from email.mime.multipart import MIMEMultipart
 from email.mime.text import MIMEText
 from email.utils import COMMASPACE, formatdate
-import cgi
 import jinja2
 from jinja2 import Template
 import json
@@ -32,7 +31,7 @@ try:
 
   while True:
     try:
-      r = redis.StrictRedis(host='redis', decode_responses=True, port=6379, db=0)
+      r = redis.StrictRedis(host='redis', decode_responses=True, port=6379, db=0, password=os.environ['REDISPASS'])
       r.ping()
     except Exception as ex:
       print('%s - trying again...'  % (ex))
@@ -50,7 +49,7 @@ try:
   def query_mysql(query, headers = True, update = False):
     while True:
       try:
-        cnx = mysql.connector.connect(unix_socket = '/var/run/mysqld/mysqld.sock', user=os.environ.get('DBUSER'), passwd=os.environ.get('DBPASS'), database=os.environ.get('DBNAME'), charset="utf8")
+        cnx = MySQLdb.connect(user=os.environ.get('DBUSER'), password=os.environ.get('DBPASS'), database=os.environ.get('DBNAME'), charset="utf8mb4", collation="utf8mb4_general_ci")
       except Exception as ex:
         print('%s - trying again...'  % (ex))
         time.sleep(3)
@@ -166,4 +165,4 @@ try:
       notify_rcpt(record['rcpt'], record['counter'], record['quarantine_acl'], attrs['quarantine_category'])
 
 finally:
-  os.unlink(pidfile)
+  os.unlink(pidfile)

data/Dockerfiles/dovecot/quota_notify.py

@@ -14,6 +14,11 @@ import sys
 import html2text
 from subprocess import Popen, PIPE, STDOUT
 
+
+# Don't run if role is not master
+if os.getenv("MASTER").lower() in ["n", "no"]:
+  sys.exit()
+
 if len(sys.argv) > 2:
   percent = int(sys.argv[1])
   username = str(sys.argv[2])
@@ -23,7 +28,7 @@ else:
 
 while True:
   try:
-    r = redis.StrictRedis(host='redis', decode_responses=True, port=6379, db=0)
+    r = redis.StrictRedis(host='redis', decode_responses=True, port=6379, db=0, username='quota_notify', password='')
     r.ping()
   except Exception as ex:
     print('%s - trying again...'  % (ex))
@@ -55,7 +60,7 @@ try:
   msg.attach(text_part)
   msg.attach(html_part)
   msg['To'] = username
-  p = Popen(['/usr/lib/dovecot/dovecot-lda', '-d', username, '-o', '"plugin/quota=maildir:User quota:noenforcing"'], stdout=PIPE, stdin=PIPE, stderr=STDOUT)
+  p = Popen(['/usr/libexec/dovecot/dovecot-lda', '-d', username, '-o', '"plugin/quota=maildir:User quota:noenforcing"'], stdout=PIPE, stdin=PIPE, stderr=STDOUT)
   p.communicate(input=bytes(msg.as_string(), 'utf-8'))
 
   domain = username.split("@")[-1]

data/Dockerfiles/dovecot/repl_health.sh

@@ -4,14 +4,14 @@ source /source_env.sh
 
 # Do not attempt to write to slave
 if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
-  REDIS_CMDLINE="redis-cli -h ${REDIS_SLAVEOF_IP} -p ${REDIS_SLAVEOF_PORT}"
+  REDIS_CMDLINE="redis-cli -h ${REDIS_SLAVEOF_IP} -p ${REDIS_SLAVEOF_PORT} -a ${REDISPASS} --no-auth-warning"
 else
-  REDIS_CMDLINE="redis-cli -h redis -p 6379"
+  REDIS_CMDLINE="redis-cli -h redis -p 6379 -a ${REDISPASS} --no-auth-warning"
 fi
 
 # Is replication active?
 # grep on file is less expensive than doveconf
-if ! grep -qi mail_replica /etc/dovecot/dovecot.conf; then
+if [ -n ${MAILCOW_REPLICA_IP} ]; then
   ${REDIS_CMDLINE} SET DOVECOT_REPL_HEALTH 1 > /dev/null
   exit
 fi

data/Dockerfiles/dovecot/rspamd-pipe-ham

@@ -3,8 +3,8 @@ FILE=/tmp/mail$$
 cat > $FILE
 trap "/bin/rm -f $FILE" 0 1 2 3 13 15
 
-cat ${FILE} | /usr/bin/curl -H "Flag: 11" -s --data-binary @- --unix-socket /var/lib/rspamd/rspamd.sock http://rspamd/fuzzydel
-cat ${FILE} | /usr/bin/curl -s --data-binary @- --unix-socket /var/lib/rspamd/rspamd.sock http://rspamd/learnham
-cat ${FILE} | /usr/bin/curl -H "Flag: 13" -s --data-binary @- --unix-socket /var/lib/rspamd/rspamd.sock http://rspamd/fuzzyadd
+cat ${FILE} | /usr/bin/curl -H "Flag: 11" -s --data-binary @- --unix-socket /var/lib/rspamd/rspamd.sock http://rspamd.${COMPOSE_PROJECT_NAME}_mailcow-network/fuzzydel
+cat ${FILE} | /usr/bin/curl -s --data-binary @- --unix-socket /var/lib/rspamd/rspamd.sock http://rspamd.${COMPOSE_PROJECT_NAME}_mailcow-network/learnham
+cat ${FILE} | /usr/bin/curl -H "Flag: 13" -s --data-binary @- --unix-socket /var/lib/rspamd/rspamd.sock http://rspamd.${COMPOSE_PROJECT_NAME}_mailcow-network/fuzzyadd
 
 exit 0

data/Dockerfiles/dovecot/rspamd-pipe-spam

@@ -3,8 +3,8 @@ FILE=/tmp/mail$$
 cat > $FILE
 trap "/bin/rm -f $FILE" 0 1 2 3 13 15
 
-cat ${FILE} | /usr/bin/curl -H "Flag: 13" -s --data-binary @- --unix-socket /var/lib/rspamd/rspamd.sock http://rspamd/fuzzydel
-cat ${FILE} | /usr/bin/curl -s --data-binary @- --unix-socket /var/lib/rspamd/rspamd.sock http://rspamd/learnspam
-cat ${FILE} | /usr/bin/curl -H "Flag: 11" -s --data-binary @- --unix-socket /var/lib/rspamd/rspamd.sock http://rspamd/fuzzyadd
+cat ${FILE} | /usr/bin/curl -H "Flag: 13" -s --data-binary @- --unix-socket /var/lib/rspamd/rspamd.sock http://rspamd.${COMPOSE_PROJECT_NAME}_mailcow-network/fuzzydel
+cat ${FILE} | /usr/bin/curl -s --data-binary @- --unix-socket /var/lib/rspamd/rspamd.sock http://rspamd.${COMPOSE_PROJECT_NAME}_mailcow-network/learnspam
+cat ${FILE} | /usr/bin/curl -H "Flag: 11" -s --data-binary @- --unix-socket /var/lib/rspamd/rspamd.sock http://rspamd.${COMPOSE_PROJECT_NAME}_mailcow-network/fuzzyadd
 
 exit 0

data/Dockerfiles/dovecot/sa-rules.sh

@@ -11,21 +11,25 @@ else
 fi
 
 # Deploy
-curl --connect-timeout 15 --retry 10 --max-time 30 http://www.spamassassin.heinlein-support.de/$(dig txt 1.4.3.spamassassin.heinlein-support.de +short | tr -d '"' | tr -dc '0-9').tar.gz --output /tmp/sa-rules-heinlein.tar.gz
-if gzip -t /tmp/sa-rules-heinlein.tar.gz; then
-  tar xfvz /tmp/sa-rules-heinlein.tar.gz -C /tmp/sa-rules-heinlein
-  cat /tmp/sa-rules-heinlein/*cf > /etc/rspamd/custom/sa-rules
+if curl --connect-timeout 15 --retry 5 --max-time 30 https://www.spamassassin.heinlein-support.de/$(dig txt 1.4.3.spamassassin.heinlein-support.de +short | tr -d '"' | tr -dc '0-9').tar.gz --output /tmp/sa-rules-heinlein.tar.gz; then
+  if gzip -t /tmp/sa-rules-heinlein.tar.gz; then
+    tar xfvz /tmp/sa-rules-heinlein.tar.gz -C /tmp/sa-rules-heinlein
+    cat /tmp/sa-rules-heinlein/*cf > /etc/rspamd/custom/sa-rules
+  fi
+else
+  echo "Failed to download SA rules. Exiting."
+  exit 0 # Must be 0 otherwise dovecot would not start at all
 fi
 
 sed -i -e 's/\([^\\]\)\$\([^\/]\)/\1\\$\2/g' /etc/rspamd/custom/sa-rules
 
 if [[ "$(cat /etc/rspamd/custom/sa-rules | md5sum | cut -d' ' -f1)" != "${HASH_SA_RULES}" ]]; then
   CONTAINER_NAME=rspamd-mailcow
-  CONTAINER_ID=$(curl --silent --insecure https://dockerapi/containers/json | \
+  CONTAINER_ID=$(curl --silent --insecure https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/json | \
     jq -r ".[] | {name: .Config.Labels[\"com.docker.compose.service\"], project: .Config.Labels[\"com.docker.compose.project\"], id: .Id}" | \
     jq -rc "select( .name | tostring | contains(\"${CONTAINER_NAME}\")) | select( .project | tostring | contains(\"${COMPOSE_PROJECT_NAME,,}\")) | .id")
   if [[ ! -z ${CONTAINER_ID} ]]; then
-    curl --silent --insecure -XPOST --connect-timeout 15 --max-time 120 https://dockerapi/containers/${CONTAINER_ID}/restart
+    curl --silent --insecure -XPOST --connect-timeout 15 --max-time 120 https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/${CONTAINER_ID}/restart
   fi
 fi
 

data/Dockerfiles/dovecot/supervisord.conf

@@ -11,8 +11,12 @@ stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 autostart=true
 
-[program:dovecot]
-command=/usr/sbin/dovecot -F
+[program:bootstrap]
+command=/docker-entrypoint.sh
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
 autorestart=true
 
 [eventlistener:processes]

data/Dockerfiles/dovecot/syslog-ng-redis_slave.conf

@@ -1,4 +1,4 @@
-@version: 3.28
+@version: 4.5
 @include "scl.conf"
 options {
   chain_hostnames(off);
@@ -6,11 +6,12 @@ options {
   use_dns(no);
   use_fqdn(no);
   owner("root"); group("adm"); perm(0640);
-  stats_freq(0);
+  stats(freq(0));
+  keep_timestamp(no);
   bad_hostname("^gconfd$");
 };
-source s_src {
-  unix-stream("/dev/log");
+source s_dgram {
+  unix-dgram("/dev/log");
   internal();
 };
 destination d_stdout { pipe("/dev/stdout"); };
@@ -19,6 +20,7 @@ destination d_redis_ui_log {
     host("`REDIS_SLAVEOF_IP`")
     persist-name("redis1")
     port(`REDIS_SLAVEOF_PORT`)
+    auth("`REDISPASS`")
     command("LPUSH" "DOVECOT_MAILLOG" "$(format-json time=\"$S_UNIXTIME\" priority=\"$PRIORITY\" program=\"$PROGRAM\" message=\"$MESSAGE\")\n")
   );
 };
@@ -27,6 +29,7 @@ destination d_redis_f2b_channel {
     host("`REDIS_SLAVEOF_IP`")
     persist-name("redis2")
     port(`REDIS_SLAVEOF_PORT`)
+    auth("`REDISPASS`")
     command("PUBLISH" "F2B_CHANNEL" "$(sanitize $MESSAGE)")
   );
 };
@@ -35,8 +38,13 @@ filter f_replica {
   not match("User has no mail_replica in userdb" value("MESSAGE"));
   not match("Error: sync: Unknown user in remote" value("MESSAGE"));
 };
+filter f_dovecot_auth_try {
+  not match("- trying the next passdb" value("MESSAGE")) and
+  not match("- trying the next userdb" value("MESSAGE"));
+};
 log {
-  source(s_src);
+  source(s_dgram);
+  filter(f_dovecot_auth_try);
   filter(f_replica);
   destination(d_stdout);
   filter(f_mail);

data/Dockerfiles/dovecot/syslog-ng.conf

@@ -1,4 +1,4 @@
-@version: 3.28
+@version: 4.5
 @include "scl.conf"
 options {
   chain_hostnames(off);
@@ -6,11 +6,12 @@ options {
   use_dns(no);
   use_fqdn(no);
   owner("root"); group("adm"); perm(0640);
-  stats_freq(0);
+  stats(freq(0));
+  keep_timestamp(no);
   bad_hostname("^gconfd$");
 };
-source s_src {
-  unix-stream("/dev/log");
+source s_dgram {
+  unix-dgram("/dev/log");
   internal();
 };
 destination d_stdout { pipe("/dev/stdout"); };
@@ -19,6 +20,7 @@ destination d_redis_ui_log {
     host("redis-mailcow")
     persist-name("redis1")
     port(6379)
+    auth("`REDISPASS`")
     command("LPUSH" "DOVECOT_MAILLOG" "$(format-json time=\"$S_UNIXTIME\" priority=\"$PRIORITY\" program=\"$PROGRAM\" message=\"$MESSAGE\")\n")
   );
 };
@@ -27,6 +29,7 @@ destination d_redis_f2b_channel {
     host("redis-mailcow")
     persist-name("redis2")
     port(6379)
+    auth("`REDISPASS`")
     command("PUBLISH" "F2B_CHANNEL" "$(sanitize $MESSAGE)")
   );
 };
@@ -35,8 +38,13 @@ filter f_replica {
   not match("User has no mail_replica in userdb" value("MESSAGE"));
   not match("Error: sync: Unknown user in remote" value("MESSAGE"));
 };
+filter f_dovecot_auth_try {
+  not match("- trying the next passdb" value("MESSAGE")) and
+  not match("- trying the next userdb" value("MESSAGE"));
+};
 log {
-  source(s_src);
+  source(s_dgram);
+  filter(f_dovecot_auth_try);
   filter(f_replica);
   destination(d_stdout);
   filter(f_mail);

data/Dockerfiles/dovecot/trim_logs.sh

@@ -10,9 +10,9 @@ catch_non_zero() {
 source /source_env.sh
 # Do not attempt to write to slave
 if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
-  REDIS_CMDLINE="redis-cli -h ${REDIS_SLAVEOF_IP} -p ${REDIS_SLAVEOF_PORT}"
+  REDIS_CMDLINE="redis-cli -h ${REDIS_SLAVEOF_IP} -p ${REDIS_SLAVEOF_PORT} -a ${REDISPASS} --no-auth-warning"
 else
-  REDIS_CMDLINE="redis-cli -h redis -p 6379"
+  REDIS_CMDLINE="redis-cli -h redis -p 6379 -a ${REDISPASS} --no-auth-warning"
 fi
 catch_non_zero "${REDIS_CMDLINE} LTRIM ACME_LOG 0 ${LOG_LINES}"
 catch_non_zero "${REDIS_CMDLINE} LTRIM POSTFIX_MAILLOG 0 ${LOG_LINES}"
@@ -23,3 +23,4 @@ catch_non_zero "${REDIS_CMDLINE} LTRIM AUTODISCOVER_LOG 0 ${LOG_LINES}"
 catch_non_zero "${REDIS_CMDLINE} LTRIM API_LOG 0 ${LOG_LINES}"
 catch_non_zero "${REDIS_CMDLINE} LTRIM RL_LOG 0 ${LOG_LINES}"
 catch_non_zero "${REDIS_CMDLINE} LTRIM WATCHDOG_LOG 0 ${LOG_LINES}"
+catch_non_zero "${REDIS_CMDLINE} LTRIM CRON_LOG 0 ${LOG_LINES}"

data/Dockerfiles/mariadb/Dockerfile

@@ -0,0 +1,28 @@
+FROM mariadb:10.11
+
+LABEL maintainer = "The Infrastructure Company GmbH <info@servercow.de>"
+
+
+RUN apt-get update && \
+  apt-get install -y --no-install-recommends \
+    python3 \
+    python3-pip \
+  && apt-get clean \
+  && rm -rf /var/lib/apt/lists/*
+
+RUN pip install \
+  mysql-connector-python \
+  jinja2 \
+  redis \
+  dnspython \
+  psutil
+
+
+COPY data/Dockerfiles/bootstrap /bootstrap
+COPY data/Dockerfiles/mariadb/docker-entrypoint.sh /docker-entrypoint.sh
+
+RUN chmod +x /docker-entrypoint.sh
+
+
+ENTRYPOINT ["/docker-entrypoint.sh"]
+CMD ["mysqld"]

data/Dockerfiles/mariadb/docker-entrypoint.sh

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Run hooks
+for file in /hooks/*; do
+  if [ -x "${file}" ]; then
+    echo "Running hook ${file}"
+    "${file}"
+  fi
+done
+
+python3 -u /bootstrap/main.py
+BOOTSTRAP_EXIT_CODE=$?
+
+if [ $BOOTSTRAP_EXIT_CODE -ne 0 ]; then
+  echo "Bootstrap failed with exit code $BOOTSTRAP_EXIT_CODE. Not starting MariaDB."
+  exit $BOOTSTRAP_EXIT_CODE
+fi
+
+echo "Bootstrap succeeded. Starting MariaDB..."
+exec /usr/local/bin/docker-entrypoint.sh "$@"

data/Dockerfiles/netfilter/Dockerfile

@@ -1,6 +1,10 @@
-FROM alpine:3.15
-LABEL maintainer "Andre Peters <andre.peters@servercow.de>"
+FROM alpine:3.21
 
+LABEL maintainer = "The Infrastructure Company GmbH <info@servercow.de>"
+
+WORKDIR /app
+
+ARG PIP_BREAK_SYSTEM_PACKAGES=1
 ENV XTABLES_LIBDIR /usr/lib/xtables
 ENV PYTHON_IPTABLES_XTABLES_VERSION 12
 ENV IPTABLES_LIBDIR /usr/lib
@@ -12,12 +16,16 @@ RUN apk add --virtual .build-deps \
   openssl-dev \
 && apk add -U python3 \
   iptables \
+  iptables-dev \
   ip6tables \
   xtables-addons \
+  nftables \
   tzdata \
   py3-pip \
+  py3-nftables \
   musl-dev \
 && pip3 install --ignore-installed --upgrade pip \
+  jsonschema \
   python-iptables \
   redis \
   ipaddress \
@@ -26,5 +34,10 @@ RUN apk add --virtual .build-deps \
 
 #  && pip3 install --upgrade pip python-iptables==0.13.0 redis ipaddress dnspython \
 
-COPY server.py /
-CMD ["python3", "-u", "/server.py"]
+COPY modules /app/modules
+COPY main.py /app/
+COPY ./docker-entrypoint.sh /app/
+
+RUN chmod +x /app/docker-entrypoint.sh
+
+CMD ["/bin/sh", "-c", "/app/docker-entrypoint.sh"]

data/Dockerfiles/netfilter/docker-entrypoint.sh

@@ -0,0 +1,29 @@
+#!/bin/sh
+
+backend=iptables
+
+nft list table ip filter &>/dev/null
+nftables_found=$?
+
+iptables -L -n &>/dev/null
+iptables_found=$?
+
+if [ $nftables_found -lt $iptables_found ]; then
+  backend=nftables
+fi
+
+if [ $nftables_found -gt $iptables_found ]; then
+  backend=iptables
+fi
+
+if [ $nftables_found -eq 0 ] && [ $nftables_found -eq $iptables_found ]; then
+  nftables_lines=$(nft list ruleset | wc -l)
+  iptables_lines=$(iptables-save | wc -l)
+  if [ $nftables_lines -gt $iptables_lines ]; then
+    backend=nftables
+  else
+    backend=iptables
+  fi
+fi
+
+exec python -u /app/main.py $backend

data/Dockerfiles/netfilter/main.py

@@ -0,0 +1,502 @@
+#!/usr/bin/env python3
+
+import re
+import os
+import sys
+import time
+import atexit
+import signal
+import ipaddress
+from collections import Counter
+from random import randint
+from threading import Thread
+from threading import Lock
+import redis
+import json
+import dns.resolver
+import dns.exception
+import uuid
+from modules.Logger import Logger
+from modules.IPTables import IPTables
+from modules.NFTables import NFTables
+
+
+# globals
+WHITELIST = []
+BLACKLIST= []
+bans = {}
+quit_now = False
+exit_code = 0
+lock = Lock()
+chain_name = "MAILCOW"
+r = None
+pubsub = None
+clear_before_quit = False
+
+
+def refreshF2boptions():
+  global f2boptions
+  global quit_now
+  global exit_code
+
+  f2boptions = {}
+
+  if not r.get('F2B_OPTIONS'):
+    f2boptions['ban_time'] = r.get('F2B_BAN_TIME')
+    f2boptions['max_ban_time'] = r.get('F2B_MAX_BAN_TIME')
+    f2boptions['ban_time_increment'] = r.get('F2B_BAN_TIME_INCREMENT')
+    f2boptions['max_attempts'] = r.get('F2B_MAX_ATTEMPTS')
+    f2boptions['retry_window'] = r.get('F2B_RETRY_WINDOW')
+    f2boptions['netban_ipv4'] = r.get('F2B_NETBAN_IPV4')
+    f2boptions['netban_ipv6'] = r.get('F2B_NETBAN_IPV6')
+  else:
+    try:
+      f2boptions = json.loads(r.get('F2B_OPTIONS'))
+    except ValueError:
+      logger.logCrit('Error loading F2B options: F2B_OPTIONS is not json')
+      quit_now = True
+      exit_code = 2
+
+  verifyF2boptions(f2boptions)
+  r.set('F2B_OPTIONS', json.dumps(f2boptions, ensure_ascii=False))
+
+def verifyF2boptions(f2boptions):
+  verifyF2boption(f2boptions,'ban_time', 1800)
+  verifyF2boption(f2boptions,'max_ban_time', 10000)
+  verifyF2boption(f2boptions,'ban_time_increment', True)
+  verifyF2boption(f2boptions,'max_attempts', 10)
+  verifyF2boption(f2boptions,'retry_window', 600)
+  verifyF2boption(f2boptions,'netban_ipv4', 32)
+  verifyF2boption(f2boptions,'netban_ipv6', 128)
+  verifyF2boption(f2boptions,'banlist_id', str(uuid.uuid4()))
+  verifyF2boption(f2boptions,'manage_external', 0)
+
+def verifyF2boption(f2boptions, f2boption, f2bdefault):
+  f2boptions[f2boption] = f2boptions[f2boption] if f2boption in f2boptions and f2boptions[f2boption] is not None else f2bdefault
+
+def refreshF2bregex():
+  global f2bregex
+  global quit_now
+  global exit_code
+  if not r.get('F2B_REGEX'):
+    f2bregex = {}
+    f2bregex[1] = r'mailcow UI: Invalid password for .+ by ([0-9a-f\.:]+)'
+    f2bregex[2] = r'Rspamd UI: Invalid password by ([0-9a-f\.:]+)'
+    f2bregex[3] = r'warning: .*\[([0-9a-f\.:]+)\]: SASL .+ authentication failed: (?!.*Connection lost to authentication server).+'
+    f2bregex[4] = r'warning: non-SMTP command from .*\[([0-9a-f\.:]+)]:.+'
+    f2bregex[5] = r'NOQUEUE: reject: RCPT from \[([0-9a-f\.:]+)].+Protocol error.+'
+    f2bregex[6] = r'\w+\([^,]+,([0-9a-f\.:]+),<[^>]+>\): Password mismatch \(SHA1 of given password: [a-f0-9]+\)'
+    f2bregex[7] = r'\w+\([^,]+,([0-9a-f\.:]+),<[^>]+>\): unknown user \(SHA1 of given password: [a-f0-9]+\)'
+    f2bregex[8] = r'SOGo.+ Login from \'([0-9a-f\.:]+)\' for user .+ might not have worked'
+    f2bregex[9] = r'([0-9a-f\.:]+) \"GET \/SOGo\/.* HTTP.+\" 403 .+'
+    r.set('F2B_REGEX', json.dumps(f2bregex, ensure_ascii=False))
+  else:
+    try:
+      f2bregex = {}
+      f2bregex = json.loads(r.get('F2B_REGEX'))
+    except ValueError:
+      logger.logCrit('Error loading F2B options: F2B_REGEX is not json')
+      quit_now = True
+      exit_code = 2
+
+def get_ip(address):
+  ip = ipaddress.ip_address(address)
+  if type(ip) is ipaddress.IPv6Address and ip.ipv4_mapped:
+    ip = ip.ipv4_mapped
+  if ip.is_private or ip.is_loopback:
+    return False
+
+  return ip
+
+def ban(address):
+  global f2boptions
+  global lock
+
+  refreshF2boptions()
+  MAX_ATTEMPTS = int(f2boptions['max_attempts'])
+  RETRY_WINDOW = int(f2boptions['retry_window'])
+  NETBAN_IPV4 = '/' + str(f2boptions['netban_ipv4'])
+  NETBAN_IPV6 = '/' + str(f2boptions['netban_ipv6'])
+
+  ip = get_ip(address)
+  if not ip: return
+  address = str(ip)
+  self_network = ipaddress.ip_network(address)
+
+  with lock:
+    temp_whitelist = set(WHITELIST)
+  if temp_whitelist:
+    for wl_key in temp_whitelist:
+      wl_net = ipaddress.ip_network(wl_key, False)
+      if wl_net.overlaps(self_network):
+        logger.logInfo('Address %s is whitelisted by rule %s' % (self_network, wl_net))
+        return
+
+  net = ipaddress.ip_network((address + (NETBAN_IPV4 if type(ip) is ipaddress.IPv4Address else NETBAN_IPV6)), strict=False)
+  net = str(net)
+
+  if not net in bans:
+    bans[net] = {'attempts': 0, 'last_attempt': 0, 'ban_counter': 0}
+
+  current_attempt = time.time()
+  if current_attempt - bans[net]['last_attempt'] > RETRY_WINDOW:
+    bans[net]['attempts'] = 0
+
+  bans[net]['attempts'] += 1
+  bans[net]['last_attempt'] = current_attempt
+
+  if bans[net]['attempts'] >= MAX_ATTEMPTS:
+    cur_time = int(round(time.time()))
+    NET_BAN_TIME = calcNetBanTime(bans[net]['ban_counter'])
+    logger.logCrit('Banning %s for %d minutes' % (net, NET_BAN_TIME / 60 ))
+    if type(ip) is ipaddress.IPv4Address and int(f2boptions['manage_external']) != 1:
+      with lock:
+        tables.banIPv4(net)
+    elif int(f2boptions['manage_external']) != 1:
+      with lock:
+        tables.banIPv6(net)
+
+    r.hset('F2B_ACTIVE_BANS', '%s' % net, cur_time + NET_BAN_TIME)
+  else:
+    logger.logWarn('%d more attempts in the next %d seconds until %s is banned' % (MAX_ATTEMPTS - bans[net]['attempts'], RETRY_WINDOW, net))
+
+def unban(net):
+  global lock
+
+  if not net in bans:
+   logger.logInfo('%s is not banned, skipping unban and deleting from queue (if any)' % net)
+   r.hdel('F2B_QUEUE_UNBAN', '%s' % net)
+   return
+
+  logger.logInfo('Unbanning %s' % net)
+  if type(ipaddress.ip_network(net)) is ipaddress.IPv4Network:
+    with lock:
+      tables.unbanIPv4(net)
+  else:
+    with lock:
+      tables.unbanIPv6(net)
+
+  r.hdel('F2B_ACTIVE_BANS', '%s' % net)
+  r.hdel('F2B_QUEUE_UNBAN', '%s' % net)
+  if net in bans:
+    bans[net]['attempts'] = 0
+    bans[net]['ban_counter'] += 1
+
+def permBan(net, unban=False):
+  global f2boptions
+  global lock
+
+  is_unbanned = False
+  is_banned = False
+  if type(ipaddress.ip_network(net, strict=False)) is ipaddress.IPv4Network:
+    with lock:
+      if unban:
+        is_unbanned = tables.unbanIPv4(net)
+      elif int(f2boptions['manage_external']) != 1:
+        is_banned = tables.banIPv4(net)
+  else:
+    with lock:
+      if unban:
+        is_unbanned = tables.unbanIPv6(net)
+      elif int(f2boptions['manage_external']) != 1:
+        is_banned = tables.banIPv6(net)
+
+
+  if is_unbanned:
+    r.hdel('F2B_PERM_BANS', '%s' % net)
+    logger.logCrit('Removed host/network %s from blacklist' % net)
+  elif is_banned:
+    r.hset('F2B_PERM_BANS', '%s' % net, int(round(time.time())))
+    logger.logCrit('Added host/network %s to blacklist' % net)
+
+def clear():
+  global lock
+  logger.logInfo('Clearing all bans')
+  for net in bans.copy():
+    unban(net)
+  with lock:
+    tables.clearIPv4Table()
+    tables.clearIPv6Table()
+    try:
+      if r is not None:
+        r.delete('F2B_ACTIVE_BANS')
+        r.delete('F2B_PERM_BANS')
+    except Exception as ex:
+      logger.logWarn('Error clearing redis keys F2B_ACTIVE_BANS and F2B_PERM_BANS: %s' % ex)
+
+def watch():
+  global pubsub
+  global quit_now
+  global exit_code
+
+  logger.logInfo('Watching Redis channel F2B_CHANNEL')
+  pubsub.subscribe('F2B_CHANNEL')
+
+  while not quit_now:
+    try:
+      for item in pubsub.listen():
+        refreshF2bregex()
+        for rule_id, rule_regex in f2bregex.items():
+          if item['data'] and item['type'] == 'message':
+            try:
+              result = re.search(rule_regex, item['data'])
+            except re.error:
+              result = False
+            if result:
+              addr = result.group(1)
+              ip = ipaddress.ip_address(addr)
+              if ip.is_private or ip.is_loopback:
+                continue
+              logger.logWarn('%s matched rule id %s (%s)' % (addr, rule_id, item['data']))
+              ban(addr)
+    except Exception as ex:
+      logger.logWarn('Error reading log line from pubsub: %s' % ex)
+      pubsub = None
+      quit_now = True
+      exit_code = 2
+
+def snat4(snat_target):
+  global lock
+  global quit_now
+
+  while not quit_now:
+    time.sleep(10)
+    with lock:
+      tables.snat4(snat_target, os.getenv('IPV4_NETWORK', '172.22.1') + '.0/24')
+
+def snat6(snat_target):
+  global lock
+  global quit_now
+
+  while not quit_now:
+    time.sleep(10)
+    with lock:
+      tables.snat6(snat_target, os.getenv('IPV6_NETWORK', 'fd4d:6169:6c63:6f77::/64'))
+
+def autopurge():
+  global f2boptions
+
+  while not quit_now:
+    time.sleep(10)
+    refreshF2boptions()
+    MAX_ATTEMPTS = int(f2boptions['max_attempts'])
+    QUEUE_UNBAN = r.hgetall('F2B_QUEUE_UNBAN')
+    if QUEUE_UNBAN:
+      for net in QUEUE_UNBAN:
+        unban(str(net))
+    for net in bans.copy():
+      if bans[net]['attempts'] >= MAX_ATTEMPTS:
+        NET_BAN_TIME = calcNetBanTime(bans[net]['ban_counter'])
+        TIME_SINCE_LAST_ATTEMPT = time.time() - bans[net]['last_attempt']
+        if TIME_SINCE_LAST_ATTEMPT > NET_BAN_TIME:
+          unban(net)
+
+def mailcowChainOrder():
+  global lock
+  global quit_now
+  global exit_code
+  while not quit_now:
+    time.sleep(10)
+    with lock:
+      quit_now, exit_code = tables.checkIPv4ChainOrder()
+      if quit_now: return
+      quit_now, exit_code = tables.checkIPv6ChainOrder()
+
+def calcNetBanTime(ban_counter):
+  global f2boptions
+
+  BAN_TIME = int(f2boptions['ban_time'])
+  MAX_BAN_TIME = int(f2boptions['max_ban_time'])
+  BAN_TIME_INCREMENT = bool(f2boptions['ban_time_increment'])
+  NET_BAN_TIME = BAN_TIME if not BAN_TIME_INCREMENT else BAN_TIME * 2 ** ban_counter
+  NET_BAN_TIME = max([BAN_TIME, min([NET_BAN_TIME, MAX_BAN_TIME])])
+  return NET_BAN_TIME
+
+def isIpNetwork(address):
+  try:
+    ipaddress.ip_network(address, False)
+  except ValueError:
+    return False
+  return True
+
+def genNetworkList(list):
+  resolver = dns.resolver.Resolver()
+  hostnames = []
+  networks = []
+  for key in list:
+    if isIpNetwork(key):
+      networks.append(key)
+    else:
+      hostnames.append(key)
+  for hostname in hostnames:
+    hostname_ips = []
+    for rdtype in ['A', 'AAAA']:
+      try:
+        answer = resolver.resolve(qname=hostname, rdtype=rdtype, lifetime=3)
+      except dns.exception.Timeout:
+        logger.logInfo('Hostname %s timedout on resolve' % hostname)
+        break
+      except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
+        continue
+      except dns.exception.DNSException as dnsexception:
+        logger.logInfo('%s' % dnsexception)
+        continue
+      for rdata in answer:
+        hostname_ips.append(rdata.to_text())
+    networks.extend(hostname_ips)
+  return set(networks)
+
+def whitelistUpdate():
+  global lock
+  global quit_now
+  global WHITELIST
+  while not quit_now:
+    start_time = time.time()
+    list = r.hgetall('F2B_WHITELIST')
+    new_whitelist = []
+    if list:
+      new_whitelist = genNetworkList(list)
+    with lock:
+      if Counter(new_whitelist) != Counter(WHITELIST):
+        WHITELIST = new_whitelist
+        logger.logInfo('Whitelist was changed, it has %s entries' % len(WHITELIST))
+    time.sleep(60.0 - ((time.time() - start_time) % 60.0))
+
+def blacklistUpdate():
+  global quit_now
+  global BLACKLIST
+  while not quit_now:
+    start_time = time.time()
+    list = r.hgetall('F2B_BLACKLIST')
+    new_blacklist = []
+    if list:
+      new_blacklist = genNetworkList(list)
+    if Counter(new_blacklist) != Counter(BLACKLIST):
+      addban = set(new_blacklist).difference(BLACKLIST)
+      delban = set(BLACKLIST).difference(new_blacklist)
+      BLACKLIST = new_blacklist
+      logger.logInfo('Blacklist was changed, it has %s entries' % len(BLACKLIST))
+      if addban:
+        for net in addban:
+          permBan(net=net)
+      if delban:
+        for net in delban:
+          permBan(net=net, unban=True)
+    time.sleep(60.0 - ((time.time() - start_time) % 60.0))
+
+def sigterm_quit(signum, frame):
+  global clear_before_quit
+  clear_before_quit = True
+  sys.exit(exit_code)
+
+def berfore_quit():
+  if clear_before_quit:
+    clear()
+  if pubsub is not None:
+    pubsub.unsubscribe()
+
+
+if __name__ == '__main__':
+  atexit.register(berfore_quit)
+  signal.signal(signal.SIGTERM, sigterm_quit)
+
+  # init Logger
+  logger = Logger()
+
+  # init backend
+  backend = sys.argv[1]
+  if backend == "nftables":
+    logger.logInfo('Using NFTables backend')
+    tables = NFTables(chain_name, logger)
+  else:
+    logger.logInfo('Using IPTables backend')
+    tables = IPTables(chain_name, logger)
+
+  # In case a previous session was killed without cleanup
+  clear()
+
+  # Reinit MAILCOW chain
+  # Is called before threads start, no locking
+  logger.logInfo("Initializing mailcow netfilter chain")
+  tables.initChainIPv4()
+  tables.initChainIPv6()
+
+  if os.getenv("DISABLE_NETFILTER_ISOLATION_RULE").lower() in ("y", "yes"):
+    logger.logInfo(f"Skipping {chain_name} isolation")
+  else:
+    logger.logInfo(f"Setting {chain_name} isolation")
+    tables.create_mailcow_isolation_rule("br-mailcow", [3306, 6379, 8983, 12345], os.getenv("MAILCOW_REPLICA_IP"))
+
+  # connect to redis
+  while True:
+    try:
+      redis_slaveof_ip = os.getenv('REDIS_SLAVEOF_IP', '')
+      redis_slaveof_port = os.getenv('REDIS_SLAVEOF_PORT', '')
+      if "".__eq__(redis_slaveof_ip):
+        r = redis.StrictRedis(host=os.getenv('IPV4_NETWORK', '172.22.1') + '.249', decode_responses=True, port=6379, db=0, password=os.environ['REDISPASS'])
+      else:
+        r = redis.StrictRedis(host=redis_slaveof_ip, decode_responses=True, port=redis_slaveof_port, db=0, password=os.environ['REDISPASS'])
+      r.ping()
+      pubsub = r.pubsub()
+    except Exception as ex:
+      print('%s - trying again in 3 seconds'  % (ex))
+      time.sleep(3)
+    else:
+      break
+  logger.set_redis(r)
+
+  # rename fail2ban to netfilter
+  if r.exists('F2B_LOG'):
+    r.rename('F2B_LOG', 'NETFILTER_LOG')
+  # clear bans in redis
+  r.delete('F2B_ACTIVE_BANS')
+  r.delete('F2B_PERM_BANS')
+
+  refreshF2boptions()
+
+  watch_thread = Thread(target=watch)
+  watch_thread.daemon = True
+  watch_thread.start()
+
+  if os.getenv('SNAT_TO_SOURCE') and os.getenv('SNAT_TO_SOURCE') != 'n':
+    try:
+      snat_ip = os.getenv('SNAT_TO_SOURCE')
+      snat_ipo = ipaddress.ip_address(snat_ip)
+      if type(snat_ipo) is ipaddress.IPv4Address:
+        snat4_thread = Thread(target=snat4,args=(snat_ip,))
+        snat4_thread.daemon = True
+        snat4_thread.start()
+    except ValueError:
+      print(os.getenv('SNAT_TO_SOURCE') + ' is not a valid IPv4 address')
+
+  if os.getenv('SNAT6_TO_SOURCE') and os.getenv('SNAT6_TO_SOURCE') != 'n':
+    try:
+      snat_ip = os.getenv('SNAT6_TO_SOURCE')
+      snat_ipo = ipaddress.ip_address(snat_ip)
+      if type(snat_ipo) is ipaddress.IPv6Address:
+        snat6_thread = Thread(target=snat6,args=(snat_ip,))
+        snat6_thread.daemon = True
+        snat6_thread.start()
+    except ValueError:
+      print(os.getenv('SNAT6_TO_SOURCE') + ' is not a valid IPv6 address')
+
+  autopurge_thread = Thread(target=autopurge)
+  autopurge_thread.daemon = True
+  autopurge_thread.start()
+
+  mailcowchainwatch_thread = Thread(target=mailcowChainOrder)
+  mailcowchainwatch_thread.daemon = True
+  mailcowchainwatch_thread.start()
+
+  blacklistupdate_thread = Thread(target=blacklistUpdate)
+  blacklistupdate_thread.daemon = True
+  blacklistupdate_thread.start()
+
+  whitelistupdate_thread = Thread(target=whitelistUpdate)
+  whitelistupdate_thread.daemon = True
+  whitelistupdate_thread.start()
+
+  while not quit_now:
+    time.sleep(0.5)
+
+  sys.exit(exit_code)

data/Dockerfiles/netfilter/modules/IPTables.py

@@ -0,0 +1,252 @@
+import iptc
+import time
+import os
+
+class IPTables:
+  def __init__(self, chain_name, logger):
+    self.chain_name = chain_name
+    self.logger = logger
+
+  def initChainIPv4(self):
+    if not iptc.Chain(iptc.Table(iptc.Table.FILTER), self.chain_name) in iptc.Table(iptc.Table.FILTER).chains:
+      iptc.Table(iptc.Table.FILTER).create_chain(self.chain_name)
+    for c in ['FORWARD', 'INPUT']:
+      chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), c)
+      rule = iptc.Rule()
+      rule.src = '0.0.0.0/0'
+      rule.dst = '0.0.0.0/0'
+      target = iptc.Target(rule, self.chain_name)
+      rule.target = target
+      if rule not in chain.rules:
+        chain.insert_rule(rule)
+
+  def initChainIPv6(self):
+    if not iptc.Chain(iptc.Table6(iptc.Table6.FILTER), self.chain_name) in iptc.Table6(iptc.Table6.FILTER).chains:
+      iptc.Table6(iptc.Table6.FILTER).create_chain(self.chain_name)
+    for c in ['FORWARD', 'INPUT']:
+      chain = iptc.Chain(iptc.Table6(iptc.Table6.FILTER), c)
+      rule = iptc.Rule6()
+      rule.src = '::/0'
+      rule.dst = '::/0'
+      target = iptc.Target(rule, self.chain_name)
+      rule.target = target
+      if rule not in chain.rules:
+        chain.insert_rule(rule)
+
+  def checkIPv4ChainOrder(self):
+    filter_table = iptc.Table(iptc.Table.FILTER)
+    filter_table.refresh()
+    return self.checkChainOrder(filter_table)
+
+  def checkIPv6ChainOrder(self):
+    filter_table = iptc.Table6(iptc.Table6.FILTER)
+    filter_table.refresh()
+    return self.checkChainOrder(filter_table)
+
+  def checkChainOrder(self, filter_table):
+    err = False
+    exit_code = None
+
+    forward_chain = iptc.Chain(filter_table, 'FORWARD')
+    input_chain = iptc.Chain(filter_table, 'INPUT')
+    for chain in [forward_chain, input_chain]:
+      target_found = False
+      for position, item in enumerate(chain.rules):
+        if item.target.name == self.chain_name:
+          target_found = True
+          if position > 2:
+            self.logger.logCrit('Error in %s chain: %s target not found, restarting container' % (chain.name, self.chain_name))
+            err = True
+            exit_code = 2
+      if not target_found:
+        self.logger.logCrit('Error in %s chain: %s target not found, restarting container' % (chain.name, self.chain_name))
+        err = True
+        exit_code = 2
+
+    return err, exit_code
+
+  def clearIPv4Table(self):
+    self.clearTable(iptc.Table(iptc.Table.FILTER))
+
+  def clearIPv6Table(self):
+    self.clearTable(iptc.Table6(iptc.Table6.FILTER))
+
+  def clearTable(self, filter_table):
+    filter_table.autocommit = False
+    forward_chain = iptc.Chain(filter_table, "FORWARD")
+    input_chain = iptc.Chain(filter_table, "INPUT")
+    mailcow_chain = iptc.Chain(filter_table, self.chain_name)
+    if mailcow_chain in filter_table.chains:
+      for rule in mailcow_chain.rules:
+        mailcow_chain.delete_rule(rule)
+      for rule in forward_chain.rules:
+        if rule.target.name == self.chain_name:
+          forward_chain.delete_rule(rule)
+      for rule in input_chain.rules:
+        if rule.target.name == self.chain_name:
+          input_chain.delete_rule(rule)
+      filter_table.delete_chain(self.chain_name)
+    filter_table.commit()
+    filter_table.refresh()
+    filter_table.autocommit = True
+
+  def banIPv4(self, source):
+    chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), self.chain_name)
+    rule = iptc.Rule()
+    rule.src = source
+    target = iptc.Target(rule, "REJECT")
+    rule.target = target
+    if rule in chain.rules:
+      return False
+    chain.insert_rule(rule)
+    return True
+
+  def banIPv6(self, source):
+    chain = iptc.Chain(iptc.Table6(iptc.Table6.FILTER), self.chain_name)
+    rule = iptc.Rule6()
+    rule.src = source
+    target = iptc.Target(rule, "REJECT")
+    rule.target = target
+    if rule in chain.rules:
+      return False
+    chain.insert_rule(rule)
+    return True
+
+  def unbanIPv4(self, source):
+    chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), self.chain_name)
+    rule = iptc.Rule()
+    rule.src = source
+    target = iptc.Target(rule, "REJECT")
+    rule.target = target
+    if rule not in chain.rules: 
+      return False
+    chain.delete_rule(rule)
+    return True
+
+  def unbanIPv6(self, source):
+    chain = iptc.Chain(iptc.Table6(iptc.Table6.FILTER), self.chain_name)
+    rule = iptc.Rule6()
+    rule.src = source
+    target = iptc.Target(rule, "REJECT")
+    rule.target = target
+    if rule not in chain.rules:
+      return False
+    chain.delete_rule(rule)
+    return True
+
+  def snat4(self, snat_target, source):
+    try:
+      table = iptc.Table('nat')
+      table.refresh()
+      chain = iptc.Chain(table, 'POSTROUTING')
+      table.autocommit = False
+      new_rule = self.getSnat4Rule(snat_target, source)
+
+      if not chain.rules:
+        # if there are no rules in the chain, insert the new rule directly
+        self.logger.logInfo(f'Added POSTROUTING rule for source network {new_rule.src} to SNAT target {snat_target}')
+        chain.insert_rule(new_rule)
+      else:
+        for position, rule in enumerate(chain.rules):
+          if not hasattr(rule.target, 'parameter'):
+              continue
+          match = all((
+            new_rule.get_src() == rule.get_src(),
+            new_rule.get_dst() == rule.get_dst(),
+            new_rule.target.parameters == rule.target.parameters,
+            new_rule.target.name == rule.target.name
+          ))
+          if position == 0:
+            if not match:
+              self.logger.logInfo(f'Added POSTROUTING rule for source network {new_rule.src} to SNAT target {snat_target}')
+              chain.insert_rule(new_rule)
+          else:
+            if match:
+              self.logger.logInfo(f'Remove rule for source network {new_rule.src} to SNAT target {snat_target} from POSTROUTING chain at position {position}')
+              chain.delete_rule(rule)
+
+      table.commit()
+      table.autocommit = True
+      return True
+    except:
+      self.logger.logCrit('Error running SNAT4, retrying...')
+      return False
+
+  def snat6(self, snat_target, source):
+    try:
+      table = iptc.Table6('nat')
+      table.refresh()
+      chain = iptc.Chain(table, 'POSTROUTING')
+      table.autocommit = False
+      new_rule = self.getSnat6Rule(snat_target, source)
+
+      if new_rule not in chain.rules:
+        self.logger.logInfo('Added POSTROUTING rule for source network %s to SNAT target %s' % (new_rule.src, snat_target))
+        chain.insert_rule(new_rule)
+      else:
+        for position, item in enumerate(chain.rules):
+          if item == new_rule:
+            if position != 0:
+              chain.delete_rule(new_rule)
+    
+      table.commit()
+      table.autocommit = True
+    except:
+      self.logger.logCrit('Error running SNAT6, retrying...')
+
+
+  def getSnat4Rule(self, snat_target, source):
+    rule = iptc.Rule()
+    rule.src = source
+    rule.dst = '!' + rule.src
+    target = rule.create_target("SNAT")
+    target.to_source = snat_target
+    match = rule.create_match("comment")
+    match.comment = f'{int(round(time.time()))}'
+    return rule
+
+  def getSnat6Rule(self, snat_target, source):
+    rule = iptc.Rule6()
+    rule.src = source
+    rule.dst = '!' + rule.src
+    target = rule.create_target("SNAT")
+    target.to_source = snat_target
+    return rule
+
+  def create_mailcow_isolation_rule(self, _interface:str, _dports:list, _allow:str = ""):
+    try:
+      chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), self.chain_name)
+
+      # insert mailcow isolation rule
+      rule = iptc.Rule()
+      rule.in_interface = f'!{_interface}'
+      rule.out_interface = _interface
+      rule.protocol = 'tcp'
+      rule.create_target("DROP")
+      match = rule.create_match("multiport")
+      match.dports = ','.join(map(str, _dports))
+
+      if rule in chain.rules:
+        chain.delete_rule(rule)
+      chain.insert_rule(rule, position=0)
+
+      # insert mailcow isolation exception rule
+      if _allow != "":
+        rule = iptc.Rule()
+        rule.src = _allow
+        rule.in_interface = f'!{_interface}'
+        rule.out_interface = _interface
+        rule.protocol = 'tcp'
+        rule.create_target("ACCEPT")
+        match = rule.create_match("multiport")
+        match.dports = ','.join(map(str, _dports))
+
+        if rule in chain.rules:
+          chain.delete_rule(rule)
+        chain.insert_rule(rule, position=0)
+
+
+      return True
+    except Exception as e:
+      self.logger.logCrit(f"Error adding {self.chain_name} isolation: {e}")
+      return False

data/Dockerfiles/netfilter/modules/Logger.py

@@ -0,0 +1,30 @@
+import time
+import json
+
+class Logger:
+  def __init__(self):
+    self.r = None
+
+  def set_redis(self, redis):
+    self.r = redis
+
+  def log(self, priority, message):
+    tolog = {}
+    tolog['time'] = int(round(time.time()))
+    tolog['priority'] = priority
+    tolog['message'] = message
+    print(message)
+    if self.r is not None:
+      try:
+        self.r.lpush('NETFILTER_LOG', json.dumps(tolog, ensure_ascii=False))
+      except Exception as ex:
+        print('Failed logging to redis: %s'  % (ex))
+
+  def logWarn(self, message):
+    self.log('warn', message)
+
+  def logCrit(self, message):
+    self.log('crit', message)
+
+  def logInfo(self, message):
+    self.log('info', message)

data/Dockerfiles/netfilter/modules/NFTables.py

@@ -0,0 +1,659 @@
+import nftables
+import ipaddress
+import os
+
+class NFTables:
+  def __init__(self, chain_name, logger):
+    self.chain_name = chain_name
+    self.logger = logger
+
+    self.nft = nftables.Nftables()
+    self.nft.set_json_output(True)
+    self.nft.set_handle_output(True)
+    self.nft_chain_names = {'ip': {'filter': {'input': '', 'forward': ''}, 'nat': {'postrouting': ''} },
+                            'ip6': {'filter': {'input': '', 'forward': ''}, 'nat': {'postrouting': ''} } }
+
+    self.search_current_chains()
+
+  def initChainIPv4(self):
+    self.insert_mailcow_chains("ip")
+
+  def initChainIPv6(self):
+    self.insert_mailcow_chains("ip6")
+
+  def checkIPv4ChainOrder(self):
+    return self.checkChainOrder("ip")
+
+  def checkIPv6ChainOrder(self):
+    return self.checkChainOrder("ip6")
+
+  def checkChainOrder(self, filter_table):
+    err = False
+    exit_code = None
+
+    for chain in ['input', 'forward']:
+      chain_position = self.check_mailcow_chains(filter_table, chain)
+      if chain_position is None: continue
+
+      if chain_position is False:
+        self.logger.logCrit(f'MAILCOW target not found in {filter_table} {chain} table, restarting container to fix it...')
+        err = True
+        exit_code = 2
+
+      if chain_position > 0:
+        chain_position += 1
+        self.logger.logCrit(f'MAILCOW target is in position {chain_position} in the {filter_table} {chain} table, restarting container to fix it...')
+        err = True
+        exit_code = 2
+
+    return err, exit_code
+
+  def clearIPv4Table(self):
+    self.clearTable("ip")
+
+  def clearIPv6Table(self):
+    self.clearTable("ip6")
+
+  def clearTable(self, _family):
+    is_empty_dict = True
+    json_command = self.get_base_dict()
+    chain_handle = self.get_chain_handle(_family, "filter", self.chain_name)
+    # if no handle, the chain doesn't exists
+    if chain_handle is not None:
+      is_empty_dict = False
+      # flush chain
+      mailcow_chain = {'family': _family, 'table': 'filter', 'name': self.chain_name}
+      flush_chain = {'flush': {'chain': mailcow_chain}}
+      json_command["nftables"].append(flush_chain)
+
+    # remove rule in forward chain
+    # remove rule in input chain
+    chains_family = [self.nft_chain_names[_family]['filter']['input'],
+                    self.nft_chain_names[_family]['filter']['forward'] ]
+
+    for chain_base in chains_family:
+      if not chain_base: continue
+
+      rules_handle = self.get_rules_handle(_family, "filter", chain_base)
+      if rules_handle is not None:
+        for r_handle in rules_handle:
+          is_empty_dict = False
+          mailcow_rule = {'family':_family,
+                          'table': 'filter',
+                          'chain': chain_base,
+                          'handle': r_handle }
+          delete_rules = {'delete': {'rule': mailcow_rule} }
+          json_command["nftables"].append(delete_rules)
+
+    # remove chain
+    # after delete all rules referencing this chain
+    if chain_handle is not None:
+      mc_chain_handle = {'family':_family,
+                        'table': 'filter',
+                        'name': self.chain_name,
+                        'handle': chain_handle }
+      delete_chain = {'delete': {'chain': mc_chain_handle} }
+      json_command["nftables"].append(delete_chain)
+
+    if is_empty_dict == False:
+      if self.nft_exec_dict(json_command):
+        self.logger.logInfo(f"Clear completed: {_family}")
+
+  def banIPv4(self, source):
+    ban_dict = self.get_ban_ip_dict(source, "ip")
+    return self.nft_exec_dict(ban_dict)
+
+  def banIPv6(self, source):
+    ban_dict = self.get_ban_ip_dict(source, "ip6")
+    return self.nft_exec_dict(ban_dict)
+
+  def unbanIPv4(self, source):
+    unban_dict = self.get_unban_ip_dict(source, "ip")
+    if not unban_dict:
+      return False
+    return self.nft_exec_dict(unban_dict)
+
+  def unbanIPv6(self, source):
+    unban_dict = self.get_unban_ip_dict(source, "ip6")
+    if not unban_dict:
+      return False
+    return self.nft_exec_dict(unban_dict)
+
+  def snat4(self, snat_target, source):
+    self.snat_rule("ip", snat_target, source)
+
+  def snat6(self, snat_target, source):
+    self.snat_rule("ip6", snat_target, source)
+
+
+  def nft_exec_dict(self, query: dict):
+    if not query: return False
+
+    rc, output, error = self.nft.json_cmd(query)
+    if rc != 0:
+      #self.logger.logCrit(f"Nftables Error: {error}")
+      return False
+
+    # Prevent returning False or empty string on commands that do not produce output
+    if rc == 0 and len(output) == 0:
+      return True
+
+    return output
+
+  def get_base_dict(self):
+    return {'nftables': [{ 'metainfo': { 'json_schema_version': 1} } ] }
+
+  def search_current_chains(self):
+    nft_chain_priority = {'ip': {'filter': {'input': None, 'forward': None}, 'nat': {'postrouting': None} },
+                      'ip6': {'filter': {'input': None, 'forward': None}, 'nat': {'postrouting': None} } }
+
+    # Command: 'nft list chains'
+    _list = {'list' : {'chains': 'null'} }
+    command = self.get_base_dict()
+    command['nftables'].append(_list)
+    kernel_ruleset = self.nft_exec_dict(command)
+    if kernel_ruleset:
+      for _object in kernel_ruleset['nftables']:
+        chain = _object.get("chain")
+        if not chain: continue
+
+        _family = chain['family']
+        _table = chain['table']
+        _hook = chain.get("hook")
+        _priority = chain.get("prio")
+        _name = chain['name']
+
+        if _family not in self.nft_chain_names: continue
+        if _table not in self.nft_chain_names[_family]: continue
+        if _hook not in self.nft_chain_names[_family][_table]: continue
+        if _priority is None: continue
+
+        _saved_priority = nft_chain_priority[_family][_table][_hook]
+        if _saved_priority is None or _priority < _saved_priority:
+          # at this point, we know the chain has:
+          # hook and priority set
+          # and it has the lowest priority
+          nft_chain_priority[_family][_table][_hook] = _priority
+          self.nft_chain_names[_family][_table][_hook] = _name
+
+  def search_for_chain(self, kernel_ruleset: dict, chain_name: str):
+    found = False
+    for _object in kernel_ruleset["nftables"]:
+      chain = _object.get("chain")
+      if not chain:
+        continue
+      ch_name = chain.get("name")
+      if ch_name == chain_name:
+        found = True
+        break
+    return found
+
+  def get_chain_dict(self, _family: str, _name: str):
+    # nft (add | create) chain [<family>] <table> <name> 
+    _chain_opts = {'family': _family, 'table': 'filter', 'name': _name  }
+    _add = {'add': {'chain': _chain_opts} }
+    final_chain = self.get_base_dict()
+    final_chain["nftables"].append(_add)
+    return final_chain
+
+  def get_mailcow_jump_rule_dict(self, _family: str, _chain: str):
+    _jump_rule = self.get_base_dict()
+    _expr_opt=[]
+    _expr_counter = {'family': _family, 'table': 'filter', 'packets': 0, 'bytes': 0}
+    _counter_dict = {'counter': _expr_counter}
+    _expr_opt.append(_counter_dict)
+
+    _jump_opts = {'jump': {'target': self.chain_name} }
+
+    _expr_opt.append(_jump_opts)
+
+    _rule_params = {'family': _family,
+                    'table': 'filter',
+                    'chain': _chain,
+                    'expr': _expr_opt,
+                    'comment': "mailcow" }
+
+    _add_rule = {'insert': {'rule': _rule_params} }
+
+    _jump_rule["nftables"].append(_add_rule)
+
+    return _jump_rule
+
+  def insert_mailcow_chains(self, _family: str):
+    nft_input_chain = self.nft_chain_names[_family]['filter']['input']
+    nft_forward_chain = self.nft_chain_names[_family]['filter']['forward']
+    # Command: 'nft list table <family> filter'
+    _table_opts = {'family': _family, 'name': 'filter'}
+    _list = {'list': {'table': _table_opts} }
+    command = self.get_base_dict()
+    command['nftables'].append(_list)
+    kernel_ruleset = self.nft_exec_dict(command)
+    if kernel_ruleset:
+      # chain
+      if not self.search_for_chain(kernel_ruleset, self.chain_name):
+        cadena = self.get_chain_dict(_family, self.chain_name)
+        if self.nft_exec_dict(cadena):
+          self.logger.logInfo(f"MAILCOW {_family} chain created successfully.")
+
+      input_jump_found, forward_jump_found = False, False
+
+      for _object in kernel_ruleset["nftables"]:
+        if not _object.get("rule"):
+          continue
+
+        rule = _object["rule"]
+        if nft_input_chain and rule["chain"] == nft_input_chain:
+          if rule.get("comment") and rule["comment"] == "mailcow":
+            input_jump_found = True
+        if nft_forward_chain and rule["chain"] == nft_forward_chain:
+          if rule.get("comment") and rule["comment"] == "mailcow":
+            forward_jump_found = True
+
+      if not input_jump_found:
+        command = self.get_mailcow_jump_rule_dict(_family, nft_input_chain)
+        self.nft_exec_dict(command)
+
+      if not forward_jump_found:
+        command = self.get_mailcow_jump_rule_dict(_family, nft_forward_chain)
+        self.nft_exec_dict(command)
+
+  def delete_nat_rule(self, _family:str, _chain: str, _handle:str):
+    delete_command = self.get_base_dict()
+    _rule_opts = {'family': _family,
+                  'table': 'nat',
+                  'chain': _chain,
+                  'handle': _handle  }
+    _delete = {'delete': {'rule': _rule_opts} }
+    delete_command["nftables"].append(_delete)
+
+    return self.nft_exec_dict(delete_command)
+
+  def delete_filter_rule(self, _family:str, _chain: str, _handle:str):
+    delete_command = self.get_base_dict()
+    _rule_opts = {'family': _family,
+                  'table': 'filter',
+                  'chain': _chain,
+                  'handle': _handle  }
+    _delete = {'delete': {'rule': _rule_opts} }
+    delete_command["nftables"].append(_delete)
+
+    return self.nft_exec_dict(delete_command)
+
+  def snat_rule(self, _family: str, snat_target: str, source_address: str):
+    chain_name = self.nft_chain_names[_family]['nat']['postrouting']
+
+    # no postrouting chain, may occur if docker has ipv6 disabled.
+    if not chain_name: return
+
+    # Command: nft list chain <family> nat <chain_name>
+    _chain_opts = {'family': _family, 'table': 'nat', 'name': chain_name}
+    _list = {'list':{'chain': _chain_opts} }
+    command = self.get_base_dict()
+    command['nftables'].append(_list)
+    kernel_ruleset = self.nft_exec_dict(command)
+    if not kernel_ruleset:
+      return
+
+    rule_position = 0
+    rule_handle = None
+    rule_found = False
+    for _object in kernel_ruleset["nftables"]:
+      if not _object.get("rule"):
+        continue
+
+      rule = _object["rule"]
+      if not rule.get("comment") or not rule["comment"] == "mailcow":
+        rule_position +=1
+        continue
+
+      rule_found = True
+      rule_handle = rule["handle"]
+      break
+
+    dest_net = ipaddress.ip_network(source_address, strict=False)
+    target_net = ipaddress.ip_network(snat_target, strict=False)
+
+    if rule_found:
+      saddr_ip = rule["expr"][0]["match"]["right"]["prefix"]["addr"]
+      saddr_len = int(rule["expr"][0]["match"]["right"]["prefix"]["len"])
+
+      daddr_ip = rule["expr"][1]["match"]["right"]["prefix"]["addr"]
+      daddr_len = int(rule["expr"][1]["match"]["right"]["prefix"]["len"])
+
+      target_ip = rule["expr"][3]["snat"]["addr"]
+
+      saddr_net = ipaddress.ip_network(saddr_ip + '/' + str(saddr_len), strict=False)
+      daddr_net = ipaddress.ip_network(daddr_ip + '/' + str(daddr_len), strict=False)
+      current_target_net = ipaddress.ip_network(target_ip, strict=False)
+
+      match = all((
+                dest_net == saddr_net,
+                dest_net == daddr_net,
+                target_net == current_target_net
+              ))
+      try:
+        if rule_position == 0:
+          if not match:
+            # Position 0 , it is a mailcow rule , but it does not have the same parameters
+            if self.delete_nat_rule(_family, chain_name, rule_handle):
+              self.logger.logInfo(f'Remove rule for source network {saddr_net} to SNAT target {target_net} from {_family} nat {chain_name} chain, rule does not match configured parameters')
+        else:
+          # Position > 0 and is mailcow rule
+          if self.delete_nat_rule(_family, chain_name, rule_handle):
+            self.logger.logInfo(f'Remove rule for source network {saddr_net} to SNAT target {target_net} from {_family} nat {chain_name} chain, rule is at position {rule_position}')
+      except:
+          self.logger.logCrit(f"Error running SNAT on {_family}, retrying..." )
+    else:
+      # rule not found
+      json_command = self.get_base_dict()
+      try:
+        snat_dict = {'snat': {'addr': str(target_net.network_address)} }
+
+        expr_counter = {'family': _family, 'table': 'nat', 'packets': 0, 'bytes': 0}
+        counter_dict = {'counter': expr_counter}
+
+        prefix_dict = {'prefix': {'addr': str(dest_net.network_address), 'len': int(dest_net.prefixlen)} }
+        payload_dict = {'payload': {'protocol': _family, 'field': "saddr"} }
+        match_dict1 = {'match': {'op': '==', 'left': payload_dict, 'right': prefix_dict} }
+
+        payload_dict2 = {'payload': {'protocol': _family, 'field': "daddr"} }
+        match_dict2 = {'match': {'op': '!=', 'left': payload_dict2, 'right': prefix_dict } }
+        expr_list = [
+                    match_dict1,
+                    match_dict2,
+                    counter_dict,
+                    snat_dict
+                    ]
+        rule_fields = {'family': _family,
+                        'table': 'nat',
+                        'chain': chain_name,
+                        'comment': "mailcow",
+                        'expr': expr_list }
+
+        insert_dict = {'insert': {'rule': rule_fields} }
+        json_command["nftables"].append(insert_dict)
+        if self.nft_exec_dict(json_command):
+          self.logger.logInfo(f'Added {_family} nat {chain_name} rule for source network {dest_net} to {target_net}')
+      except:
+        self.logger.logCrit(f"Error running SNAT on {_family}, retrying...")
+
+  def get_chain_handle(self, _family: str, _table: str, chain_name: str):
+    chain_handle = None
+    # Command: 'nft list chains {family}'
+    _list = {'list': {'chains': {'family': _family} } }
+    command = self.get_base_dict()
+    command['nftables'].append(_list)
+    kernel_ruleset = self.nft_exec_dict(command)
+    if kernel_ruleset:
+      for _object in kernel_ruleset["nftables"]:
+        if not _object.get("chain"):
+          continue
+        chain = _object["chain"]
+        if chain["family"] == _family and chain["table"] == _table and chain["name"] == chain_name:
+          chain_handle = chain["handle"]
+          break
+    return chain_handle
+
+  def get_rules_handle(self, _family: str, _table: str, chain_name: str, _comment_filter = "mailcow"):
+    rule_handle = []
+    # Command: 'nft list chain {family} {table} {chain_name}'
+    _chain_opts = {'family': _family, 'table': _table, 'name': chain_name}
+    _list = {'list': {'chain': _chain_opts} }
+    command = self.get_base_dict()
+    command['nftables'].append(_list)
+
+    kernel_ruleset = self.nft_exec_dict(command)
+    if kernel_ruleset:
+      for _object in kernel_ruleset["nftables"]:
+        if not _object.get("rule"):
+          continue
+
+        rule = _object["rule"]
+        if rule["family"] == _family and rule["table"] == _table and rule["chain"] == chain_name:
+          if rule.get("comment") and rule["comment"] == _comment_filter:
+            rule_handle.append(rule["handle"])
+    return rule_handle
+
+  def get_ban_ip_dict(self, ipaddr: str, _family: str):
+    json_command = self.get_base_dict()
+
+    expr_opt = []
+    ipaddr_net = ipaddress.ip_network(ipaddr, strict=False)
+    right_dict = {'prefix': {'addr': str(ipaddr_net.network_address), 'len': int(ipaddr_net.prefixlen) } }
+
+    left_dict = {'payload': {'protocol': _family, 'field': 'saddr'} }
+    match_dict = {'op': '==', 'left': left_dict, 'right': right_dict }
+    expr_opt.append({'match': match_dict})
+
+    counter_dict = {'counter': {'family': _family, 'table': "filter", 'packets': 0, 'bytes': 0} }
+    expr_opt.append(counter_dict)
+
+    expr_opt.append({'drop': "null"})
+
+    rule_dict = {'family': _family, 'table': "filter", 'chain': self.chain_name, 'expr': expr_opt}
+
+    base_dict = {'insert': {'rule': rule_dict} }
+    json_command["nftables"].append(base_dict)
+
+    return json_command
+
+  def get_unban_ip_dict(self, ipaddr:str, _family: str):
+    json_command = self.get_base_dict()
+    # Command: 'nft list chain {s_family} filter  MAILCOW'
+    _chain_opts = {'family': _family, 'table': 'filter', 'name': self.chain_name}
+    _list = {'list': {'chain': _chain_opts} }
+    command = self.get_base_dict()
+    command['nftables'].append(_list)
+    kernel_ruleset = self.nft_exec_dict(command)
+    rule_handle = None
+    if kernel_ruleset:
+      for _object in kernel_ruleset["nftables"]:
+        if not _object.get("rule"):
+          continue
+
+        rule = _object["rule"]["expr"][0]["match"]
+        if not "payload" in rule["left"]:
+          continue
+        left_opt = rule["left"]["payload"]
+        if not left_opt["protocol"] == _family:
+          continue
+        if not left_opt["field"] =="saddr":
+          continue
+
+        # ip currently banned
+        rule_right = rule["right"]
+        if isinstance(rule_right, dict):
+          current_rule_ip = rule_right["prefix"]["addr"] + '/' + str(rule_right["prefix"]["len"])
+        else:
+          current_rule_ip = rule_right
+        current_rule_net = ipaddress.ip_network(current_rule_ip)
+
+        # ip to ban
+        candidate_net = ipaddress.ip_network(ipaddr, strict=False)
+
+        if current_rule_net == candidate_net:
+          rule_handle = _object["rule"]["handle"]
+          break
+
+      if rule_handle is not None:
+        mailcow_rule = {'family': _family, 'table': 'filter', 'chain': self.chain_name, 'handle': rule_handle}
+        delete_rule = {'delete': {'rule': mailcow_rule} }
+        json_command["nftables"].append(delete_rule)
+      else:
+        return False
+
+    return json_command
+
+  def check_mailcow_chains(self, family: str, chain: str):
+    position = 0
+    rule_found = False
+    chain_name = self.nft_chain_names[family]['filter'][chain]
+
+    if not chain_name: return None
+
+    _chain_opts = {'family': family, 'table': 'filter', 'name': chain_name}
+    _list = {'list': {'chain': _chain_opts}}
+    command = self.get_base_dict()
+    command['nftables'].append(_list)
+    kernel_ruleset = self.nft_exec_dict(command)
+    if kernel_ruleset:
+      for _object in kernel_ruleset["nftables"]:
+        if not _object.get("rule"):
+          continue
+        rule = _object["rule"]
+        if rule.get("comment") and rule["comment"] == "mailcow":
+          rule_found = True
+          break
+
+        position+=1
+
+    return position if rule_found else False
+
+  def create_mailcow_isolation_rule(self, _interface:str, _dports:list, _allow:str = ""):
+    family = "ip"
+    table = "filter"
+    comment_filter_drop = "mailcow isolation"
+    comment_filter_allow = "mailcow isolation allow"
+    json_command = self.get_base_dict()
+
+    # Delete old mailcow isolation rules
+    handles = self.get_rules_handle(family, table, self.chain_name, comment_filter_drop)
+    for handle in handles:
+      self.delete_filter_rule(family, self.chain_name, handle)
+    handles = self.get_rules_handle(family, table, self.chain_name, comment_filter_allow)
+    for handle in handles:
+      self.delete_filter_rule(family, self.chain_name, handle)
+
+    # insert mailcow isolation rule
+    _match_dict_drop = [
+      {
+        "match": {
+          "op": "!=",
+          "left": {
+            "meta": {
+              "key": "iifname"
+            }
+          },
+          "right": _interface
+        }
+      },
+      {
+        "match": {
+          "op": "==",
+          "left": {
+            "meta": {
+              "key": "oifname"
+            }
+          },
+          "right": _interface
+        }
+      },
+      {
+        "match": {
+          "op": "==",
+          "left": {
+            "payload": {
+              "protocol": "tcp",
+              "field": "dport"
+            }
+          },
+          "right": {
+            "set": _dports
+          }
+        }
+      },
+      {
+        "counter": {
+          "packets": 0,
+          "bytes": 0
+        }
+      },
+      {
+        "drop": None
+      }
+    ]
+    rule_drop = { "insert": { "rule": {
+      "family": family,
+      "table": table,
+      "chain": self.chain_name,
+      "comment": comment_filter_drop,
+      "expr": _match_dict_drop
+    }}}
+    json_command["nftables"].append(rule_drop)
+
+    # insert mailcow isolation allow rule
+    if _allow != "":
+      _match_dict_allow = [
+        {
+          "match": {
+            "op": "==",
+            "left": {
+              "payload": {
+                "protocol": "ip",
+                "field": "saddr"
+              }
+            },
+            "right": _allow
+          }
+        },
+        {
+          "match": {
+            "op": "!=",
+            "left": {
+              "meta": {
+                "key": "iifname"
+              }
+            },
+            "right": _interface
+          }
+        },
+        {
+          "match": {
+            "op": "==",
+            "left": {
+              "meta": {
+                "key": "oifname"
+              }
+            },
+            "right": _interface
+          }
+        },
+        {
+          "match": {
+            "op": "==",
+            "left": {
+              "payload": {
+                "protocol": "tcp",
+                "field": "dport"
+              }
+            },
+            "right": {
+              "set": _dports
+            }
+          }
+        },
+        {
+          "counter": {
+            "packets": 0,
+            "bytes": 0
+          }
+        },
+        {
+          "accept": None
+        }
+      ]
+      rule_allow = { "insert": { "rule": {
+        "family": family,
+        "table": table,
+        "chain": self.chain_name,
+        "comment": comment_filter_allow,
+        "expr": _match_dict_allow
+      }}}
+      json_command["nftables"].append(rule_allow)
+
+    success = self.nft_exec_dict(json_command)
+    if success == False:
+      self.logger.logCrit(f"Error adding {self.chain_name} isolation")
+      return False
+
+    return True

data/Dockerfiles/netfilter/server.py

@@ -1,578 +0,0 @@
-#!/usr/bin/env python3
-
-import re
-import os
-import sys
-import time
-import atexit
-import signal
-import ipaddress
-from collections import Counter
-from random import randint
-from threading import Thread
-from threading import Lock
-import redis
-import json
-import iptc
-import dns.resolver
-import dns.exception
-
-while True:
-  try:
-    redis_slaveof_ip = os.getenv('REDIS_SLAVEOF_IP', '')
-    redis_slaveof_port = os.getenv('REDIS_SLAVEOF_PORT', '')
-    if "".__eq__(redis_slaveof_ip):
-      r = redis.StrictRedis(host=os.getenv('IPV4_NETWORK', '172.22.1') + '.249', decode_responses=True, port=6379, db=0)
-    else:
-      r = redis.StrictRedis(host=redis_slaveof_ip, decode_responses=True, port=redis_slaveof_port, db=0)
-    r.ping()
-  except Exception as ex:
-    print('%s - trying again in 3 seconds'  % (ex))
-    time.sleep(3)
-  else:
-    break
-
-pubsub = r.pubsub()
-
-WHITELIST = []
-BLACKLIST= []
-
-bans = {}
-
-quit_now = False
-exit_code = 0
-lock = Lock()
-
-def log(priority, message):
-  tolog = {}
-  tolog['time'] = int(round(time.time()))
-  tolog['priority'] = priority
-  tolog['message'] = message
-  r.lpush('NETFILTER_LOG', json.dumps(tolog, ensure_ascii=False))
-  print(message)
-
-def logWarn(message):
-  log('warn', message)
-
-def logCrit(message):
-  log('crit', message)
-
-def logInfo(message):
-  log('info', message)
-
-def refreshF2boptions():
-  global f2boptions
-  global quit_now
-  global exit_code
-  if not r.get('F2B_OPTIONS'):
-    f2boptions = {}
-    f2boptions['ban_time'] = int
-    f2boptions['max_attempts'] = int
-    f2boptions['retry_window'] = int
-    f2boptions['netban_ipv4'] = int
-    f2boptions['netban_ipv6'] = int
-    f2boptions['ban_time'] = r.get('F2B_BAN_TIME') or 1800
-    f2boptions['max_attempts'] = r.get('F2B_MAX_ATTEMPTS') or 10
-    f2boptions['retry_window'] = r.get('F2B_RETRY_WINDOW') or 600
-    f2boptions['netban_ipv4'] = r.get('F2B_NETBAN_IPV4') or 32
-    f2boptions['netban_ipv6'] = r.get('F2B_NETBAN_IPV6') or 128
-    r.set('F2B_OPTIONS', json.dumps(f2boptions, ensure_ascii=False))
-  else:
-    try:
-      f2boptions = {}
-      f2boptions = json.loads(r.get('F2B_OPTIONS'))
-    except ValueError:
-      print('Error loading F2B options: F2B_OPTIONS is not json')
-      quit_now = True
-      exit_code = 2
-
-def refreshF2bregex():
-  global f2bregex
-  global quit_now
-  global exit_code
-  if not r.get('F2B_REGEX'):
-    f2bregex = {}
-    f2bregex[1] = 'mailcow UI: Invalid password for .+ by ([0-9a-f\.:]+)'
-    f2bregex[2] = 'Rspamd UI: Invalid password by ([0-9a-f\.:]+)'
-    f2bregex[3] = 'warning: .*\[([0-9a-f\.:]+)\]: SASL .+ authentication failed: (?!.*Connection lost to authentication server).+'
-    f2bregex[4] = 'warning: non-SMTP command from .*\[([0-9a-f\.:]+)]:.+'
-    f2bregex[5] = 'NOQUEUE: reject: RCPT from \[([0-9a-f\.:]+)].+Protocol error.+'
-    f2bregex[6] = '-login: Disconnected \(auth failed, .+\): user=.*, method=.+, rip=([0-9a-f\.:]+),'
-    f2bregex[7] = '-login: Aborted login \(auth failed .+\): user=.+, rip=([0-9a-f\.:]+), lip.+'
-    f2bregex[8] = '-login: Aborted login \(tried to use disallowed .+\): user=.+, rip=([0-9a-f\.:]+), lip.+'
-    f2bregex[9] = 'SOGo.+ Login from \'([0-9a-f\.:]+)\' for user .+ might not have worked'
-    f2bregex[10] = '([0-9a-f\.:]+) \"GET \/SOGo\/.* HTTP.+\" 403 .+'
-    r.set('F2B_REGEX', json.dumps(f2bregex, ensure_ascii=False))
-  else:
-    try:
-      f2bregex = {}
-      f2bregex = json.loads(r.get('F2B_REGEX'))
-    except ValueError:
-      print('Error loading F2B options: F2B_REGEX is not json')
-      quit_now = True
-      exit_code = 2
-
-if r.exists('F2B_LOG'):
-  r.rename('F2B_LOG', 'NETFILTER_LOG')
-
-def mailcowChainOrder():
-  global lock
-  global quit_now
-  global exit_code
-  while not quit_now:
-    time.sleep(10)
-    with lock:
-      filter4_table = iptc.Table(iptc.Table.FILTER)
-      filter6_table = iptc.Table6(iptc.Table6.FILTER)
-      filter4_table.refresh()
-      filter6_table.refresh()
-      for f in [filter4_table, filter6_table]:
-        forward_chain = iptc.Chain(f, 'FORWARD')
-        input_chain = iptc.Chain(f, 'INPUT')
-        for chain in [forward_chain, input_chain]:
-          target_found = False
-          for position, item in enumerate(chain.rules):
-            if item.target.name == 'MAILCOW':
-              target_found = True
-              if position > 2:
-                logCrit('Error in %s chain order: MAILCOW on position %d, restarting container' % (chain.name, position))
-                quit_now = True
-                exit_code = 2
-          if not target_found:
-            logCrit('Error in %s chain: MAILCOW target not found, restarting container' % (chain.name))
-            quit_now = True
-            exit_code = 2
-
-def ban(address):
-  global lock
-  refreshF2boptions()
-  BAN_TIME = int(f2boptions['ban_time'])
-  MAX_ATTEMPTS = int(f2boptions['max_attempts'])
-  RETRY_WINDOW = int(f2boptions['retry_window'])
-  NETBAN_IPV4 = '/' + str(f2boptions['netban_ipv4'])
-  NETBAN_IPV6 = '/' + str(f2boptions['netban_ipv6'])
-
-  ip = ipaddress.ip_address(address)
-  if type(ip) is ipaddress.IPv6Address and ip.ipv4_mapped:
-    ip = ip.ipv4_mapped
-    address = str(ip)
-  if ip.is_private or ip.is_loopback:
-    return
-
-  self_network = ipaddress.ip_network(address)
-
-  with lock:
-    temp_whitelist = set(WHITELIST)
-
-  if temp_whitelist:
-    for wl_key in temp_whitelist:
-      wl_net = ipaddress.ip_network(wl_key, False)
-      if wl_net.overlaps(self_network):
-        logInfo('Address %s is whitelisted by rule %s' % (self_network, wl_net))
-        return
-
-  net = ipaddress.ip_network((address + (NETBAN_IPV4 if type(ip) is ipaddress.IPv4Address else NETBAN_IPV6)), strict=False)
-  net = str(net)
-
-  if not net in bans or time.time() - bans[net]['last_attempt'] > RETRY_WINDOW:
-    bans[net] = { 'attempts': 0 }
-    active_window = RETRY_WINDOW
-  else:
-    active_window = time.time() - bans[net]['last_attempt']
-
-  bans[net]['attempts'] += 1
-  bans[net]['last_attempt'] = time.time()
-
-  active_window = time.time() - bans[net]['last_attempt']
-
-  if bans[net]['attempts'] >= MAX_ATTEMPTS:
-    cur_time = int(round(time.time()))
-    logCrit('Banning %s for %d minutes' % (net, BAN_TIME / 60))
-    if type(ip) is ipaddress.IPv4Address:
-      with lock:
-        chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), 'MAILCOW')
-        rule = iptc.Rule()
-        rule.src = net
-        target = iptc.Target(rule, "REJECT")
-        rule.target = target
-        if rule not in chain.rules:
-          chain.insert_rule(rule)
-    else:
-      with lock:
-        chain = iptc.Chain(iptc.Table6(iptc.Table6.FILTER), 'MAILCOW')
-        rule = iptc.Rule6()
-        rule.src = net
-        target = iptc.Target(rule, "REJECT")
-        rule.target = target
-        if rule not in chain.rules:
-          chain.insert_rule(rule)
-    r.hset('F2B_ACTIVE_BANS', '%s' % net, cur_time + BAN_TIME)
-  else:
-    logWarn('%d more attempts in the next %d seconds until %s is banned' % (MAX_ATTEMPTS - bans[net]['attempts'], RETRY_WINDOW, net))
-
-def unban(net):
-  global lock
-  if not net in bans:
-   logInfo('%s is not banned, skipping unban and deleting from queue (if any)' % net)
-   r.hdel('F2B_QUEUE_UNBAN', '%s' % net)
-   return
-  logInfo('Unbanning %s' % net)
-  if type(ipaddress.ip_network(net)) is ipaddress.IPv4Network:
-    with lock:
-      chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), 'MAILCOW')
-      rule = iptc.Rule()
-      rule.src = net
-      target = iptc.Target(rule, "REJECT")
-      rule.target = target
-      if rule in chain.rules:
-        chain.delete_rule(rule)
-  else:
-    with lock:
-      chain = iptc.Chain(iptc.Table6(iptc.Table6.FILTER), 'MAILCOW')
-      rule = iptc.Rule6()
-      rule.src = net
-      target = iptc.Target(rule, "REJECT")
-      rule.target = target
-      if rule in chain.rules:
-        chain.delete_rule(rule)
-  r.hdel('F2B_ACTIVE_BANS', '%s' % net)
-  r.hdel('F2B_QUEUE_UNBAN', '%s' % net)
-  if net in bans:
-    del bans[net]
-
-def permBan(net, unban=False):
-  global lock
-  if type(ipaddress.ip_network(net, strict=False)) is ipaddress.IPv4Network:
-    with lock:
-      chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), 'MAILCOW')
-      rule = iptc.Rule()
-      rule.src = net
-      target = iptc.Target(rule, "REJECT")
-      rule.target = target
-      if rule not in chain.rules and not unban:
-        logCrit('Add host/network %s to blacklist' % net)
-        chain.insert_rule(rule)
-        r.hset('F2B_PERM_BANS', '%s' % net, int(round(time.time()))) 
-      elif rule in chain.rules and unban:
-        logCrit('Remove host/network %s from blacklist' % net)
-        chain.delete_rule(rule)
-        r.hdel('F2B_PERM_BANS', '%s' % net)
-  else:
-    with lock:
-      chain = iptc.Chain(iptc.Table6(iptc.Table6.FILTER), 'MAILCOW')
-      rule = iptc.Rule6()
-      rule.src = net
-      target = iptc.Target(rule, "REJECT")
-      rule.target = target
-      if rule not in chain.rules and not unban:
-        logCrit('Add host/network %s to blacklist' % net)
-        chain.insert_rule(rule)
-        r.hset('F2B_PERM_BANS', '%s' % net, int(round(time.time()))) 
-      elif rule in chain.rules and unban:
-        logCrit('Remove host/network %s from blacklist' % net)
-        chain.delete_rule(rule)
-        r.hdel('F2B_PERM_BANS', '%s' % net)
-
-def quit(signum, frame):
-  global quit_now
-  quit_now = True
-
-def clear():
-  global lock
-  logInfo('Clearing all bans')
-  for net in bans.copy():
-    unban(net)
-  with lock:
-    filter4_table = iptc.Table(iptc.Table.FILTER)
-    filter6_table = iptc.Table6(iptc.Table6.FILTER)
-    for filter_table in [filter4_table, filter6_table]:
-      filter_table.autocommit = False
-      forward_chain = iptc.Chain(filter_table, "FORWARD")
-      input_chain = iptc.Chain(filter_table, "INPUT")
-      mailcow_chain = iptc.Chain(filter_table, "MAILCOW")
-      if mailcow_chain in filter_table.chains:
-        for rule in mailcow_chain.rules:
-          mailcow_chain.delete_rule(rule)
-        for rule in forward_chain.rules:
-          if rule.target.name == 'MAILCOW':
-            forward_chain.delete_rule(rule)
-        for rule in input_chain.rules:
-          if rule.target.name == 'MAILCOW':
-            input_chain.delete_rule(rule)
-        filter_table.delete_chain("MAILCOW")
-      filter_table.commit()
-      filter_table.refresh()
-      filter_table.autocommit = True
-    r.delete('F2B_ACTIVE_BANS')
-    r.delete('F2B_PERM_BANS')
-    pubsub.unsubscribe()
-
-def watch():
-  logInfo('Watching Redis channel F2B_CHANNEL')
-  pubsub.subscribe('F2B_CHANNEL')
-
-  global quit_now
-  global exit_code
-
-  while not quit_now:
-    try:
-      for item in pubsub.listen():
-        refreshF2bregex()
-        for rule_id, rule_regex in f2bregex.items():
-          if item['data'] and item['type'] == 'message':
-            try:
-              result = re.search(rule_regex, item['data'])
-            except re.error:
-              result = False
-            if result:
-              addr = result.group(1)
-              ip = ipaddress.ip_address(addr)
-              if ip.is_private or ip.is_loopback:
-                continue
-              logWarn('%s matched rule id %s (%s)' % (addr, rule_id, item['data']))
-              ban(addr)
-    except Exception as ex:
-      logWarn('Error reading log line from pubsub')
-      quit_now = True
-      exit_code = 2
-
-def snat4(snat_target):
-  global lock
-  global quit_now
-
-  def get_snat4_rule():
-    rule = iptc.Rule()
-    rule.src = os.getenv('IPV4_NETWORK', '172.22.1') + '.0/24'
-    rule.dst = '!' + rule.src
-    target = rule.create_target("SNAT")
-    target.to_source = snat_target
-    return rule
-
-  while not quit_now:
-    time.sleep(10)
-    with lock:
-      try:
-        table = iptc.Table('nat')
-        table.refresh()
-        chain = iptc.Chain(table, 'POSTROUTING')
-        table.autocommit = False
-        if get_snat4_rule() not in chain.rules:
-          logCrit('Added POSTROUTING rule for source network %s to SNAT target %s' % (get_snat4_rule().src, snat_target))
-          chain.insert_rule(get_snat4_rule())
-          table.commit()
-        else:
-          for position, item in enumerate(chain.rules):
-            if item == get_snat4_rule():
-              if position != 0:
-                chain.delete_rule(get_snat4_rule())
-          table.commit()
-        table.autocommit = True
-      except:
-        print('Error running SNAT4, retrying...') 
-
-def snat6(snat_target):
-  global lock
-  global quit_now
-
-  def get_snat6_rule():
-    rule = iptc.Rule6()
-    rule.src = os.getenv('IPV6_NETWORK', 'fd4d:6169:6c63:6f77::/64')
-    rule.dst = '!' + rule.src
-    target = rule.create_target("SNAT")
-    target.to_source = snat_target
-    return rule
-
-  while not quit_now:
-    time.sleep(10)
-    with lock:
-      try:
-        table = iptc.Table6('nat')
-        table.refresh()
-        chain = iptc.Chain(table, 'POSTROUTING')
-        table.autocommit = False
-        if get_snat6_rule() not in chain.rules:
-          logInfo('Added POSTROUTING rule for source network %s to SNAT target %s' % (get_snat6_rule().src, snat_target))
-          chain.insert_rule(get_snat6_rule())
-          table.commit()
-        else:
-          for position, item in enumerate(chain.rules):
-            if item == get_snat6_rule():
-              if position != 0:
-                chain.delete_rule(get_snat6_rule())
-          table.commit()
-        table.autocommit = True
-      except:
-        print('Error running SNAT6, retrying...') 
-
-def autopurge():
-  while not quit_now:
-    time.sleep(10)
-    refreshF2boptions()
-    BAN_TIME = int(f2boptions['ban_time'])
-    MAX_ATTEMPTS = int(f2boptions['max_attempts'])
-    QUEUE_UNBAN = r.hgetall('F2B_QUEUE_UNBAN')
-    if QUEUE_UNBAN:
-      for net in QUEUE_UNBAN:
-        unban(str(net))
-    for net in bans.copy():
-      if bans[net]['attempts'] >= MAX_ATTEMPTS:
-        if time.time() - bans[net]['last_attempt'] > BAN_TIME:
-          unban(net)
-
-def isIpNetwork(address):
-  try:
-    ipaddress.ip_network(address, False)
-  except ValueError:
-    return False
-  return True
-
-
-def genNetworkList(list):
-  resolver = dns.resolver.Resolver()
-  hostnames = []
-  networks = []
-  for key in list:
-    if isIpNetwork(key):
-      networks.append(key)
-    else:
-      hostnames.append(key)
-  for hostname in hostnames:
-    hostname_ips = []
-    for rdtype in ['A', 'AAAA']:
-      try:
-        answer = resolver.resolve(qname=hostname, rdtype=rdtype, lifetime=3)
-      except dns.exception.Timeout:
-        logInfo('Hostname %s timedout on resolve' % hostname)
-        break
-      except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
-        continue
-      except dns.exception.DNSException as dnsexception:
-        logInfo('%s' % dnsexception)
-        continue
-      for rdata in answer:
-        hostname_ips.append(rdata.to_text())
-    networks.extend(hostname_ips)
-  return set(networks)
-
-def whitelistUpdate():
-  global lock
-  global quit_now
-  global WHITELIST
-  while not quit_now:
-    start_time = time.time()
-    list = r.hgetall('F2B_WHITELIST')
-    new_whitelist = []
-    if list:
-      new_whitelist = genNetworkList(list)
-    with lock:
-      if Counter(new_whitelist) != Counter(WHITELIST):
-        WHITELIST = new_whitelist
-        logInfo('Whitelist was changed, it has %s entries' % len(WHITELIST))
-    time.sleep(60.0 - ((time.time() - start_time) % 60.0)) 
-
-def blacklistUpdate():
-  global quit_now
-  global BLACKLIST
-  while not quit_now:
-    start_time = time.time()
-    list = r.hgetall('F2B_BLACKLIST')
-    new_blacklist = []
-    if list:
-      new_blacklist = genNetworkList(list)
-    if Counter(new_blacklist) != Counter(BLACKLIST): 
-      addban = set(new_blacklist).difference(BLACKLIST)
-      delban = set(BLACKLIST).difference(new_blacklist)
-      BLACKLIST = new_blacklist
-      logInfo('Blacklist was changed, it has %s entries' % len(BLACKLIST))
-      if addban:
-        for net in addban:
-          permBan(net=net)
-      if delban:
-        for net in delban:
-          permBan(net=net, unban=True)
-    time.sleep(60.0 - ((time.time() - start_time) % 60.0)) 
-
-def initChain():
-  # Is called before threads start, no locking
-  print("Initializing mailcow netfilter chain")
-  # IPv4
-  if not iptc.Chain(iptc.Table(iptc.Table.FILTER), "MAILCOW") in iptc.Table(iptc.Table.FILTER).chains:
-    iptc.Table(iptc.Table.FILTER).create_chain("MAILCOW")
-  for c in ['FORWARD', 'INPUT']:
-    chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), c)
-    rule = iptc.Rule()
-    rule.src = '0.0.0.0/0'
-    rule.dst = '0.0.0.0/0'
-    target = iptc.Target(rule, "MAILCOW")
-    rule.target = target
-    if rule not in chain.rules:
-      chain.insert_rule(rule)
-  # IPv6
-  if not iptc.Chain(iptc.Table6(iptc.Table6.FILTER), "MAILCOW") in iptc.Table6(iptc.Table6.FILTER).chains:
-    iptc.Table6(iptc.Table6.FILTER).create_chain("MAILCOW")
-  for c in ['FORWARD', 'INPUT']:
-    chain = iptc.Chain(iptc.Table6(iptc.Table6.FILTER), c)
-    rule = iptc.Rule6()
-    rule.src = '::/0'
-    rule.dst = '::/0'
-    target = iptc.Target(rule, "MAILCOW")
-    rule.target = target
-    if rule not in chain.rules:
-      chain.insert_rule(rule)
-
-if __name__ == '__main__':
-
-  # In case a previous session was killed without cleanup
-  clear()
-  # Reinit MAILCOW chain
-  initChain()
-
-  watch_thread = Thread(target=watch)
-  watch_thread.daemon = True
-  watch_thread.start()
-
-  if os.getenv('SNAT_TO_SOURCE') and os.getenv('SNAT_TO_SOURCE') != 'n':
-    try:
-      snat_ip = os.getenv('SNAT_TO_SOURCE')
-      snat_ipo = ipaddress.ip_address(snat_ip)
-      if type(snat_ipo) is ipaddress.IPv4Address:
-        snat4_thread = Thread(target=snat4,args=(snat_ip,))
-        snat4_thread.daemon = True
-        snat4_thread.start()
-    except ValueError:
-      print(os.getenv('SNAT_TO_SOURCE') + ' is not a valid IPv4 address')
-
-  if os.getenv('SNAT6_TO_SOURCE') and os.getenv('SNAT6_TO_SOURCE') != 'n':
-    try:
-      snat_ip = os.getenv('SNAT6_TO_SOURCE')
-      snat_ipo = ipaddress.ip_address(snat_ip)
-      if type(snat_ipo) is ipaddress.IPv6Address:
-        snat6_thread = Thread(target=snat6,args=(snat_ip,))
-        snat6_thread.daemon = True
-        snat6_thread.start()
-    except ValueError:
-      print(os.getenv('SNAT6_TO_SOURCE') + ' is not a valid IPv6 address')
-
-  autopurge_thread = Thread(target=autopurge)
-  autopurge_thread.daemon = True
-  autopurge_thread.start()
-
-  mailcowchainwatch_thread = Thread(target=mailcowChainOrder)
-  mailcowchainwatch_thread.daemon = True
-  mailcowchainwatch_thread.start()
-
-  blacklistupdate_thread = Thread(target=blacklistUpdate)
-  blacklistupdate_thread.daemon = True
-  blacklistupdate_thread.start()
-
-  whitelistupdate_thread = Thread(target=whitelistUpdate)
-  whitelistupdate_thread.daemon = True
-  whitelistupdate_thread.start()
-
-  signal.signal(signal.SIGTERM, quit)
-  atexit.register(clear)
-
-  while not quit_now:
-    time.sleep(0.5)
-
-  sys.exit(exit_code)

data/Dockerfiles/nginx/Dockerfile

@@ -0,0 +1,36 @@
+FROM nginx:alpine
+LABEL maintainer "The Infrastructure Company GmbH <info@servercow.de>"
+
+ENV PIP_BREAK_SYSTEM_PACKAGES=1
+
+RUN apk add --no-cache nginx \
+  python3 py3-pip \
+  supervisor
+
+RUN apk add --no-cache --virtual .build-deps \
+      gcc \
+      musl-dev \
+      python3-dev \
+      linux-headers \
+  && pip install --break-system-packages psutil \
+  && apk del .build-deps
+
+RUN pip install  --break-system-packages \
+  mysql-connector-python \
+  jinja2 \
+  redis \
+  dnspython
+
+RUN mkdir -p /etc/nginx/includes
+
+
+COPY data/Dockerfiles/bootstrap /bootstrap
+COPY data/Dockerfiles/nginx/docker-entrypoint.sh /
+COPY data/Dockerfiles/nginx/supervisord.conf /etc/supervisor/supervisord.conf
+COPY data/Dockerfiles/nginx/stop-supervisor.sh /usr/local/sbin/stop-supervisor.sh
+
+RUN chmod +x /docker-entrypoint.sh
+RUN chmod +x /usr/local/sbin/stop-supervisor.sh
+
+
+CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/supervisord.conf"]

data/Dockerfiles/nginx/docker-entrypoint.sh

@@ -0,0 +1,20 @@
+#!/bin/sh
+
+# Run hooks
+for file in /hooks/*; do
+  if [ -x "${file}" ]; then
+    echo "Running hook ${file}"
+    "${file}"
+  fi
+done
+
+python3 -u /bootstrap/main.py
+BOOTSTRAP_EXIT_CODE=$?
+
+if [ $BOOTSTRAP_EXIT_CODE -ne 0 ]; then
+  echo "Bootstrap failed with exit code $BOOTSTRAP_EXIT_CODE. Not starting Nginx."
+  exit $BOOTSTRAP_EXIT_CODE
+fi
+
+echo "Bootstrap succeeded. Starting Nginx..."
+nginx -g "daemon off;"

data/Dockerfiles/nginx/stop-supervisor.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+printf "READY\n";
+
+while read line; do
+  echo "Processing Event: $line" >&2;
+  kill -3 $(cat "/var/run/supervisord.pid")
+done < /dev/stdin

data/Dockerfiles/nginx/supervisord.conf

@@ -0,0 +1,27 @@
+[supervisord]
+nodaemon=true
+user=root
+
+[program:syslog-ng]
+command=/usr/sbin/syslog-ng --foreground  --no-caps
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+autostart=true
+priority=1
+
+[program:bootstrap]
+command=/docker-entrypoint.sh
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+priority=2
+startretries=10
+autorestart=true
+stopwaitsecs=120
+
+[eventlistener:processes]
+command=/usr/local/sbin/stop-supervisor.sh
+events=PROCESS_STATE_STOPPED, PROCESS_STATE_EXITED, PROCESS_STATE_FATAL

data/Dockerfiles/olefy/Dockerfile

@@ -1,6 +1,8 @@
-FROM alpine:3.15
-LABEL maintainer "Andre Peters <andre.peters@servercow.de>"
+FROM alpine:3.21
 
+LABEL maintainer = "The Infrastructure Company GmbH <info@servercow.de>"
+
+ARG PIP_BREAK_SYSTEM_PACKAGES=1
 WORKDIR /app
 
 #RUN addgroup -S olefy && adduser -S olefy -G olefy \

data/Dockerfiles/olefy/olefy.py

@@ -32,6 +32,13 @@ import time
 import magic
 import re
 
+skip_olefy = os.getenv('SKIP_OLEFY', '')
+
+if skip_olefy.lower() in ['yes', 'y']:
+    print("SKIP_OLEFY=y, skipping Olefy...")
+    time.sleep(365 * 24 * 60 * 60)
+    sys.exit(0)
+
 # merge variables from /etc/olefy.conf and the defaults
 olefy_listen_addr_string = os.getenv('OLEFY_BINDADDRESS', '127.0.0.1,::1')
 olefy_listen_port = int(os.getenv('OLEFY_BINDPORT', '10050'))
@@ -113,7 +120,7 @@ def oletools( stream, tmp_file_name, lid ):
         out = bytes(out.decode('utf-8', 'ignore').replace('  ', ' ').replace('\t', '').replace('\n', '').replace('XLMMacroDeobfuscator: pywin32 is not installed (only is required if you want to use MS Excel)', ''), encoding="utf-8")
         failed = False
         if out.__len__() < 30:
-            logger.error('{} olevba returned <30 chars - rc: {!r}, response: {!r}, error: {!r}'.format(lid,cmd_tmp.returncode, 
+            logger.error('{} olevba returned <30 chars - rc: {!r}, response: {!r}, error: {!r}'.format(lid,cmd_tmp.returncode,
                 out.decode('utf-8', 'ignore'), err.decode('utf-8', 'ignore')))
             out = b'[ { "error": "Unhandled error - too short olevba response" } ]'
             failed = True

data/Dockerfiles/phpfpm/Dockerfile

@@ -1,12 +1,19 @@
-FROM php:8.0-fpm-alpine3.14
-LABEL maintainer "Andre Peters <andre.peters@servercow.de>"
+FROM php:8.2-fpm-alpine3.21
 
-ENV APCU_PECL 5.1.20
-ENV IMAGICK_PECL 3.5.1
-# Mailparse is pulled from master branch
-#ENV MAILPARSE_PECL 3.0.2
-ENV MEMCACHED_PECL 3.1.5
-ENV REDIS_PECL 5.3.4
+LABEL maintainer = "The Infrastructure Company GmbH <info@servercow.de>"
+
+# renovate: datasource=github-tags depName=krakjoe/apcu versioning=semver-coerced extractVersion=^v(?<version>.*)$
+ARG APCU_PECL_VERSION=5.1.24
+# renovate: datasource=github-tags depName=Imagick/imagick versioning=semver-coerced extractVersion=(?<version>.*)$
+ARG IMAGICK_PECL_VERSION=3.8.0
+# renovate: datasource=github-tags depName=php/pecl-mail-mailparse versioning=semver-coerced extractVersion=^v(?<version>.*)$
+ARG MAILPARSE_PECL_VERSION=3.1.8
+# renovate: datasource=github-tags depName=php-memcached-dev/php-memcached versioning=semver-coerced extractVersion=^v(?<version>.*)$
+ARG MEMCACHED_PECL_VERSION=3.2.0
+# renovate: datasource=github-tags depName=phpredis/phpredis versioning=semver-coerced extractVersion=(?<version>.*)$
+ARG REDIS_PECL_VERSION=6.1.0
+# renovate: datasource=github-tags depName=composer/composer versioning=semver-coerced extractVersion=(?<version>.*)$
+ARG COMPOSER_VERSION=2.8.6
 
 RUN apk add -U --no-cache autoconf \
   aspell-dev \
@@ -18,6 +25,7 @@ RUN apk add -U --no-cache autoconf \
   freetype-dev \
   g++ \
   git \
+  gettext \
   gettext-dev \
   gmp-dev \
   gnupg \
@@ -27,8 +35,11 @@ RUN apk add -U --no-cache autoconf \
   imagemagick-dev \
   imap-dev \
   jq \
+  libavif \
+  libavif-dev \
   libjpeg-turbo \
   libjpeg-turbo-dev \
+  libmemcached \
   libmemcached-dev \
   libpng \
   libpng-dev \
@@ -38,8 +49,11 @@ RUN apk add -U --no-cache autoconf \
   libtool \
   libwebp-dev \
   libxml2-dev \
+  libxpm \
   libxpm-dev \
+  libzip \
   libzip-dev \
+  linux-headers \
   make \
   mysql-client \
   openldap-dev \
@@ -49,22 +63,25 @@ RUN apk add -U --no-cache autoconf \
   samba-client \
   zlib-dev \
   tzdata \
-  && git clone https://github.com/php/pecl-mail-mailparse \
-  && cd pecl-mail-mailparse \
-  && pecl install package.xml \
-  && cd .. \
-  && rm -r pecl-mail-mailparse \
-  && pecl install redis-${REDIS_PECL} memcached-${MEMCACHED_PECL} APCu-${APCU_PECL} imagick-${IMAGICK_PECL} \
+  python3 py3-pip \
+  && pecl install APCu-${APCU_PECL_VERSION} \
+  && pecl install imagick-${IMAGICK_PECL_VERSION} \
+  && pecl install mailparse-${MAILPARSE_PECL_VERSION} \
+  && pecl install memcached-${MEMCACHED_PECL_VERSION} \
+  && pecl install redis-${REDIS_PECL_VERSION} \
   && docker-php-ext-enable apcu imagick memcached mailparse redis \
   && pecl clear-cache \
   && docker-php-ext-configure intl \
   && docker-php-ext-configure exif \
-  && docker-php-ext-configure gd --with-freetype=/usr/include/ \  
+  && docker-php-ext-configure gd --with-freetype=/usr/include/ \
     --with-jpeg=/usr/include/ \
+    --with-webp \
+    --with-xpm \
+    --with-avif \
   && docker-php-ext-install -j 4 exif gd gettext intl ldap opcache pcntl pdo pdo_mysql pspell soap sockets zip bcmath gmp \
   && docker-php-ext-configure imap --with-imap --with-imap-ssl \
   && docker-php-ext-install -j 4 imap \
-  && curl --silent --show-error https://getcomposer.org/installer | php \
+  && curl --silent --show-error https://getcomposer.org/installer | php -- --version=${COMPOSER_VERSION} \
   && mv composer.phar /usr/local/bin/composer \
   && chmod +x /usr/local/bin/composer \
   && apk del --purge autoconf \
@@ -72,20 +89,45 @@ RUN apk add -U --no-cache autoconf \
     cyrus-sasl-dev \
     freetype-dev \
     g++ \
+    gettext-dev \
     icu-dev \
     imagemagick-dev \
     imap-dev \
+    libavif-dev \
     libjpeg-turbo-dev \
+    libmemcached-dev \
     libpng-dev \
     libressl-dev \
     libwebp-dev \
     libxml2-dev \
+    libxpm-dev \
+    libzip-dev \
+    linux-headers \
     make \
+    openldap-dev \
     pcre-dev \
     zlib-dev
 
-COPY ./docker-entrypoint.sh /
+RUN apk add --no-cache --virtual .build-deps \
+      gcc \
+      musl-dev \
+      python3-dev \
+      linux-headers \
+  && pip install --break-system-packages psutil \
+  && apk del .build-deps
+
+RUN pip install  --break-system-packages \
+  mysql-connector-python \
+  jinja2 \
+  redis \
+  dnspython
+
+
+COPY data/Dockerfiles/bootstrap /bootstrap
+COPY data/Dockerfiles/phpfpm/docker-entrypoint.sh /
+
+RUN chmod +x /docker-entrypoint.sh
+
 
 ENTRYPOINT ["/docker-entrypoint.sh"]
-
 CMD ["php-fpm"]

data/Dockerfiles/phpfpm/docker-entrypoint.sh

@@ -1,191 +1,5 @@
 #!/bin/bash
 
-function array_by_comma { local IFS=","; echo "$*"; }
-
-# Wait for containers
-while ! mysqladmin status --socket=/var/run/mysqld/mysqld.sock -u${DBUSER} -p${DBPASS} --silent; do
-  echo "Waiting for SQL..."
-  sleep 2
-done
-
-# Do not attempt to write to slave
-if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
-  REDIS_CMDLINE="redis-cli -h ${REDIS_SLAVEOF_IP} -p ${REDIS_SLAVEOF_PORT}"
-else
-  REDIS_CMDLINE="redis-cli -h redis -p 6379"
-fi
-
-until [[ $(${REDIS_CMDLINE} PING) == "PONG" ]]; do
-  echo "Waiting for Redis..."
-  sleep 2
-done
-
-# Check mysql_upgrade (master and slave)
-CONTAINER_ID=
-until [[ ! -z "${CONTAINER_ID}" ]] && [[ "${CONTAINER_ID}" =~ ^[[:alnum:]]*$ ]]; do
-  CONTAINER_ID=$(curl --silent --insecure https://dockerapi/containers/json | jq -r ".[] | {name: .Config.Labels[\"com.docker.compose.service\"], project: .Config.Labels[\"com.docker.compose.project\"], id: .Id}" 2> /dev/null | jq -rc "select( .name | tostring | contains(\"mysql-mailcow\")) | select( .project | tostring | contains(\"${COMPOSE_PROJECT_NAME,,}\")) | .id" 2> /dev/null)
-  sleep 2
-done
-echo "MySQL @ ${CONTAINER_ID}"
-SQL_LOOP_C=0
-SQL_CHANGED=0
-until [[ ${SQL_UPGRADE_STATUS} == 'success' ]]; do
-  if [ ${SQL_LOOP_C} -gt 4 ]; then
-    echo "Tried to upgrade MySQL and failed, giving up after ${SQL_LOOP_C} retries and starting container (oops, not good)"
-    break
-  fi
-  SQL_FULL_UPGRADE_RETURN=$(curl --silent --insecure -XPOST https://dockerapi/containers/${CONTAINER_ID}/exec -d '{"cmd":"system", "task":"mysql_upgrade"}' --silent -H 'Content-type: application/json')
-  SQL_UPGRADE_STATUS=$(echo ${SQL_FULL_UPGRADE_RETURN} | jq -r .type)
-  SQL_LOOP_C=$((SQL_LOOP_C+1))
-  echo "SQL upgrade iteration #${SQL_LOOP_C}"
-  if [[ ${SQL_UPGRADE_STATUS} == 'warning' ]]; then
-    SQL_CHANGED=1
-    echo "MySQL applied an upgrade, debug output:"
-    echo ${SQL_FULL_UPGRADE_RETURN}
-    sleep 3
-    while ! mysqladmin status --socket=/var/run/mysqld/mysqld.sock -u${DBUSER} -p${DBPASS} --silent; do
-      echo "Waiting for SQL to return, please wait"
-      sleep 2
-    done
-    continue
-  elif [[ ${SQL_UPGRADE_STATUS} == 'success' ]]; then
-    echo "MySQL is up-to-date - debug output:"
-    echo ${SQL_FULL_UPGRADE_RETURN}
-  else
-    echo "No valid reponse for mysql_upgrade was received, debug output:"
-    echo ${SQL_FULL_UPGRADE_RETURN}
-  fi
-done
-
-# doing post-installation stuff, if SQL was upgraded (master and slave)
-if [ ${SQL_CHANGED} -eq 1 ]; then
-  POSTFIX=$(curl --silent --insecure https://dockerapi/containers/json | jq -r ".[] | {name: .Config.Labels[\"com.docker.compose.service\"], project: .Config.Labels[\"com.docker.compose.project\"], id: .Id}" 2> /dev/null | jq -rc "select( .name | tostring | contains(\"postfix-mailcow\")) | select( .project | tostring | contains(\"${COMPOSE_PROJECT_NAME,,}\")) | .id" 2> /dev/null)
-  if [[ -z "${POSTFIX}" ]] || ! [[ "${POSTFIX}" =~ ^[[:alnum:]]*$ ]]; then
-    echo "Could not determine Postfix container ID, skipping Postfix restart."
-  else
-    echo "Restarting Postfix"
-    curl -X POST --silent --insecure https://dockerapi/containers/${POSTFIX}/restart | jq -r '.msg'
-    echo "Sleeping 5 seconds..."
-    sleep 5
-  fi
-fi
-
-# Check mysql tz import (master and slave)
-TZ_CHECK=$(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT CONVERT_TZ('2019-11-02 23:33:00','Europe/Berlin','UTC') AS time;" -BN 2> /dev/null)
-if [[ -z ${TZ_CHECK} ]] || [[ "${TZ_CHECK}" == "NULL" ]]; then
-  SQL_FULL_TZINFO_IMPORT_RETURN=$(curl --silent --insecure -XPOST https://dockerapi/containers/${CONTAINER_ID}/exec -d '{"cmd":"system", "task":"mysql_tzinfo_to_sql"}' --silent -H 'Content-type: application/json')
-  echo "MySQL mysql_tzinfo_to_sql - debug output:"
-  echo ${SQL_FULL_TZINFO_IMPORT_RETURN}
-fi
-
-if [[ "${MASTER}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
-  echo "We are master, preparing..."
-  # Set a default release format
-  if [[ -z $(${REDIS_CMDLINE} --raw GET Q_RELEASE_FORMAT) ]]; then
-    ${REDIS_CMDLINE} --raw SET Q_RELEASE_FORMAT raw
-  fi
-
-  # Set max age of q items - if unset
-  if [[ -z $(${REDIS_CMDLINE} --raw GET Q_MAX_AGE) ]]; then
-    ${REDIS_CMDLINE} --raw SET Q_MAX_AGE 365
-  fi
-
-  # Set default password policy - if unset
-  if [[ -z $(${REDIS_CMDLINE} --raw HGET PASSWD_POLICY length) ]]; then
-    ${REDIS_CMDLINE} --raw HSET PASSWD_POLICY length 6
-    ${REDIS_CMDLINE} --raw HSET PASSWD_POLICY chars 0
-    ${REDIS_CMDLINE} --raw HSET PASSWD_POLICY special_chars 0
-    ${REDIS_CMDLINE} --raw HSET PASSWD_POLICY lowerupper 0
-    ${REDIS_CMDLINE} --raw HSET PASSWD_POLICY numbers 0
-  fi
-
-  # Trigger db init
-  echo "Running DB init..."
-  php -c /usr/local/etc/php -f /web/inc/init_db.inc.php
-
-  # Recreating domain map
-  echo "Rebuilding domain map in Redis..."
-  declare -a DOMAIN_ARR
-    ${REDIS_CMDLINE} DEL DOMAIN_MAP > /dev/null
-  while read line
-  do
-    DOMAIN_ARR+=("$line")
-  done < <(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT domain FROM domain" -Bs)
-  while read line
-  do
-    DOMAIN_ARR+=("$line")
-  done < <(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT alias_domain FROM alias_domain" -Bs)
-
-  if [[ ! -z ${DOMAIN_ARR} ]]; then
-  for domain in "${DOMAIN_ARR[@]}"; do
-    ${REDIS_CMDLINE} HSET DOMAIN_MAP ${domain} 1 > /dev/null
-  done
-  fi
-
-  # Set API options if env vars are not empty
-  if [[ ${API_ALLOW_FROM} != "invalid" ]] && [[ ! -z ${API_ALLOW_FROM} ]]; then
-    IFS=',' read -r -a API_ALLOW_FROM_ARR <<< "${API_ALLOW_FROM}"
-    declare -a VALIDATED_API_ALLOW_FROM_ARR
-    REGEX_IP6='^([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}(/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8]))?$'
-    REGEX_IP4='^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(/([0-9]|[1-2][0-9]|3[0-2]))?$'
-    for IP in "${API_ALLOW_FROM_ARR[@]}"; do
-      if [[ ${IP} =~ ${REGEX_IP6} ]] || [[ ${IP} =~ ${REGEX_IP4} ]]; then
-        VALIDATED_API_ALLOW_FROM_ARR+=("${IP}")
-      fi
-    done
-    VALIDATED_IPS=$(array_by_comma ${VALIDATED_API_ALLOW_FROM_ARR[*]})
-    if [[ ! -z ${VALIDATED_IPS} ]]; then
-      if [[ ${API_KEY} != "invalid" ]] && [[ ! -z ${API_KEY} ]]; then
-        mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} << EOF
-DELETE FROM api WHERE access = 'rw';
-INSERT INTO api (api_key, active, allow_from, access) VALUES ("${API_KEY}", "1", "${VALIDATED_IPS}", "rw");
-EOF
-      fi
-      if [[ ${API_KEY_READ_ONLY} != "invalid" ]] && [[ ! -z ${API_KEY_READ_ONLY} ]]; then
-        mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} << EOF
-DELETE FROM api WHERE access = 'ro';
-INSERT INTO api (api_key, active, allow_from, access) VALUES ("${API_KEY_READ_ONLY}", "1", "${VALIDATED_IPS}", "ro");
-EOF
-      fi
-    fi
-  fi
-
-  # Create events (master only, STATUS for event on slave will be SLAVESIDE_DISABLED)
-  mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} << EOF
-DROP EVENT IF EXISTS clean_spamalias;
-DELIMITER //
-CREATE EVENT clean_spamalias
-ON SCHEDULE EVERY 1 DAY DO
-BEGIN
-  DELETE FROM spamalias WHERE validity < UNIX_TIMESTAMP();
-END;
-//
-DELIMITER ;
-DROP EVENT IF EXISTS clean_oauth2;
-DELIMITER //
-CREATE EVENT clean_oauth2
-ON SCHEDULE EVERY 1 DAY DO
-BEGIN
-  DELETE FROM oauth_refresh_tokens WHERE expires < NOW();
-  DELETE FROM oauth_access_tokens WHERE expires < NOW();
-  DELETE FROM oauth_authorization_codes WHERE expires < NOW();
-END;
-//
-DELIMITER ;
-EOF
-fi
-
-# Create dummy for custom overrides of mailcow style
-[[ ! -f /web/css/build/0081-custom-mailcow.css ]] && echo '/* Autogenerated by mailcow */' > /web/css/build/0081-custom-mailcow.css
-
-# Fix permissions for global filters
-chown -R 82:82 /global_sieve/*
-
-# Fix permissions on twig cache folder
-chown -R 82:82 /web/templates/cache
-# Clear cache
-find /web/templates/cache/* -not -name '.gitkeep' -delete
-
 # Run hooks
 for file in /hooks/*; do
   if [ -x "${file}" ]; then
@@ -194,4 +8,13 @@ for file in /hooks/*; do
   fi
 done
 
+python3 -u /bootstrap/main.py
+BOOTSTRAP_EXIT_CODE=$?
+
+if [ $BOOTSTRAP_EXIT_CODE -ne 0 ]; then
+  echo "Bootstrap failed with exit code $BOOTSTRAP_EXIT_CODE. Not starting PHP-FPM."
+  exit $BOOTSTRAP_EXIT_CODE
+fi
+
+echo "Bootstrap succeeded. Starting PHP-FPM..."
 exec "$@"

data/Dockerfiles/postfix/Dockerfile

@@ -1,5 +1,6 @@
-FROM debian:buster-slim
-LABEL maintainer "Andre Peters <andre.peters@servercow.de>"
+FROM debian:bookworm-slim
+
+LABEL maintainer = "The Infrastructure Company GmbH <info@servercow.de>"
 
 ARG DEBIAN_FRONTEND=noninteractive
 ENV LC_ALL C
@@ -17,10 +18,10 @@ RUN groupadd -g 102 postfix \
 	ca-certificates \
 	curl \
 	dirmngr \
-  dnsutils \
+  	dnsutils \
 	gnupg \
 	libsasl2-modules \
-  mariadb-client \
+  	mariadb-client \
 	perl \
 	postfix \
 	postfix-mysql \
@@ -32,24 +33,32 @@ RUN groupadd -g 102 postfix \
 	syslog-ng \
 	syslog-ng-core \
 	syslog-ng-mod-redis \
-  tzdata \
+  	tzdata \
+	python3 python3-pip \
 	&& rm -rf /var/lib/apt/lists/* \
 	&& touch /etc/default/locale \
   && printf '#!/bin/bash\n/usr/sbin/postconf -c /opt/postfix/conf "$@"' > /usr/local/sbin/postconf \
   && chmod +x /usr/local/sbin/postconf
 
-COPY supervisord.conf /etc/supervisor/supervisord.conf
-COPY syslog-ng.conf /etc/syslog-ng/syslog-ng.conf
-COPY syslog-ng-redis_slave.conf /etc/syslog-ng/syslog-ng-redis_slave.conf
-COPY postfix.sh /opt/postfix.sh
-COPY rspamd-pipe-ham /usr/local/bin/rspamd-pipe-ham
-COPY rspamd-pipe-spam /usr/local/bin/rspamd-pipe-spam
-COPY whitelist_forwardinghosts.sh /usr/local/bin/whitelist_forwardinghosts.sh
-COPY stop-supervisor.sh /usr/local/sbin/stop-supervisor.sh
-COPY docker-entrypoint.sh /docker-entrypoint.sh
+RUN pip install  --break-system-packages \
+  mysql-connector-python \
+  jinja2 \
+	redis \
+	dnspython \
+  psutil
 
-RUN chmod +x /opt/postfix.sh \
-  /usr/local/bin/rspamd-pipe-ham \
+COPY data/Dockerfiles/bootstrap /bootstrap
+COPY data/Dockerfiles/postfix/supervisord.conf /etc/supervisor/supervisord.conf
+COPY data/Dockerfiles/postfix/syslog-ng.conf /etc/syslog-ng/syslog-ng.conf
+COPY data/Dockerfiles/postfix/syslog-ng-redis_slave.conf /etc/syslog-ng/syslog-ng-redis_slave.conf
+COPY data/Dockerfiles/postfix/rspamd-pipe-ham /usr/local/bin/rspamd-pipe-ham
+COPY data/Dockerfiles/postfix/rspamd-pipe-spam /usr/local/bin/rspamd-pipe-spam
+COPY data/Dockerfiles/postfix/whitelist_forwardinghosts.sh /usr/local/bin/whitelist_forwardinghosts.sh
+COPY data/Dockerfiles/postfix/stop-supervisor.sh /usr/local/sbin/stop-supervisor.sh
+COPY data/Dockerfiles/postfix/docker-entrypoint.sh /docker-entrypoint.sh
+
+RUN chmod +x /usr/local/bin/rspamd-pipe-ham \
+	/docker-entrypoint.sh \
   /usr/local/bin/rspamd-pipe-spam \
   /usr/local/bin/whitelist_forwardinghosts.sh \
   /usr/local/sbin/stop-supervisor.sh
@@ -57,6 +66,5 @@ RUN rm -rf /tmp/* /var/tmp/*
 
 EXPOSE 588
 
-ENTRYPOINT ["/docker-entrypoint.sh"]
 
-CMD exec /usr/bin/supervisord -c /etc/supervisor/supervisord.conf
+CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/supervisord.conf"]

data/Dockerfiles/postfix/docker-entrypoint.sh

@@ -8,8 +8,33 @@ for file in /hooks/*; do
   fi
 done
 
-if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
-  cp /etc/syslog-ng/syslog-ng-redis_slave.conf /etc/syslog-ng/syslog-ng.conf
+python3 -u /bootstrap/main.py
+BOOTSTRAP_EXIT_CODE=$?
+
+if [ $BOOTSTRAP_EXIT_CODE -ne 0 ]; then
+  echo "Bootstrap failed with exit code $BOOTSTRAP_EXIT_CODE. Not starting Postfix."
+  exit $BOOTSTRAP_EXIT_CODE
 fi
 
-exec "$@"
+# Fix OpenSSL 3.X TLS1.0, 1.1 support (https://community.mailcow.email/d/4062-hi-all/20)
+if grep -qE '\!SSLv2|\!SSLv3|>=TLSv1(\.[0-1])?$' /opt/postfix/conf/main.cf /opt/postfix/conf/extra.cf; then
+    sed -i '/\[openssl_init\]/a ssl_conf = ssl_configuration' /etc/ssl/openssl.cnf
+
+    echo "[ssl_configuration]" >> /etc/ssl/openssl.cnf
+    echo "system_default = tls_system_default" >> /etc/ssl/openssl.cnf
+    echo "[tls_system_default]" >> /etc/ssl/openssl.cnf
+    echo "MinProtocol = TLSv1" >> /etc/ssl/openssl.cnf
+    echo "CipherString = DEFAULT@SECLEVEL=0" >> /etc/ssl/openssl.cnf
+fi
+
+
+# Start Postfix
+postconf -c /opt/postfix/conf > /dev/null
+if [[ $? != 0 ]]; then
+  echo "Postfix configuration error, refusing to start."
+  exit 1
+else
+  echo "Bootstrap succeeded. Starting Postfix..."
+  postfix -c /opt/postfix/conf start
+  sleep 126144000
+fi

data/Dockerfiles/postfix/postfix.sh

@@ -1,424 +0,0 @@
-#!/bin/bash
-
-trap "postfix stop" EXIT
-
-[[ ! -d /opt/postfix/conf/sql/ ]] && mkdir -p /opt/postfix/conf/sql/
-
-# Wait for MySQL to warm-up
-while ! mysqladmin status --socket=/var/run/mysqld/mysqld.sock -u${DBUSER} -p${DBPASS} --silent; do
-  echo "Waiting for database to come up..."
-  sleep 2
-done
-
-until dig +short mailcow.email > /dev/null; do
-  echo "Waiting for DNS..."
-  sleep 1
-done
-
-cat <<EOF > /etc/aliases
-# Autogenerated by mailcow
-null: /dev/null
-watchdog: /dev/null
-ham: "|/usr/local/bin/rspamd-pipe-ham"
-spam: "|/usr/local/bin/rspamd-pipe-spam"
-EOF
-newaliases;
-
-# create sni configuration
-if [[ "${SKIP_LETS_ENCRYPT}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
-  echo -n "" > /opt/postfix/conf/sni.map
-else
-  echo -n "" > /opt/postfix/conf/sni.map;
-  for cert_dir in /etc/ssl/mail/*/ ; do
-    if [[ ! -f ${cert_dir}domains ]] || [[ ! -f ${cert_dir}cert.pem ]] || [[ ! -f ${cert_dir}key.pem ]]; then
-      continue;
-    fi
-    IFS=" " read -r -a domains <<< "$(cat "${cert_dir}domains")"
-    for domain in "${domains[@]}"; do
-      echo -n "${domain} ${cert_dir}key.pem ${cert_dir}cert.pem" >> /opt/postfix/conf/sni.map;
-      echo "" >> /opt/postfix/conf/sni.map;
-    done
-  done
-fi
-postmap -F hash:/opt/postfix/conf/sni.map;
-
-cat <<EOF > /opt/postfix/conf/sql/mysql_relay_ne.cf
-# Autogenerated by mailcow
-user = ${DBUSER}
-password = ${DBPASS}
-hosts = unix:/var/run/mysqld/mysqld.sock
-dbname = ${DBNAME}
-query = SELECT IF(EXISTS(SELECT address, domain FROM alias
-      WHERE address = '%s'
-        AND domain IN (
-          SELECT domain FROM domain
-            WHERE backupmx = '1'
-              AND relay_all_recipients = '1'
-              AND relay_unknown_only = '1')
-
-      ), 'lmtp:inet:dovecot:24', NULL) AS 'transport'
-EOF
-
-cat <<EOF > /opt/postfix/conf/sql/mysql_relay_recipient_maps.cf
-# Autogenerated by mailcow
-user = ${DBUSER}
-password = ${DBPASS}
-hosts = unix:/var/run/mysqld/mysqld.sock
-dbname = ${DBNAME}
-query = SELECT DISTINCT
-  CASE WHEN '%d' IN (
-    SELECT domain FROM domain
-      WHERE relay_all_recipients=1
-        AND domain='%d'
-        AND backupmx=1
-  )
-  THEN '%s' ELSE (
-    SELECT goto FROM alias WHERE address='%s' AND active='1'
-  )
-  END AS result;
-EOF
-
-cat <<EOF > /opt/postfix/conf/sql/mysql_tls_policy_override_maps.cf
-# Autogenerated by mailcow
-user = ${DBUSER}
-password = ${DBPASS}
-hosts = unix:/var/run/mysqld/mysqld.sock
-dbname = ${DBNAME}
-query = SELECT CONCAT(policy, ' ', parameters) AS tls_policy FROM tls_policy_override WHERE active = '1' AND dest = '%s'
-EOF
-
-cat <<EOF > /opt/postfix/conf/sql/mysql_tls_enforce_in_policy.cf
-# Autogenerated by mailcow
-user = ${DBUSER}
-password = ${DBPASS}
-hosts = unix:/var/run/mysqld/mysqld.sock
-dbname = ${DBNAME}
-query = SELECT IF(EXISTS(
-  SELECT 'TLS_ACTIVE' FROM alias
-    LEFT OUTER JOIN mailbox ON mailbox.username = alias.goto
-      WHERE (address='%s'
-        OR address IN (
-          SELECT CONCAT('%u', '@', target_domain) FROM alias_domain
-            WHERE alias_domain='%d'
-        )
-      ) AND JSON_UNQUOTE(JSON_VALUE(attributes, '$.tls_enforce_in')) = '1' AND mailbox.active = '1'
-  ), 'reject_plaintext_session', NULL) AS 'tls_enforce_in';
-EOF
-
-cat <<EOF > /opt/postfix/conf/sql/mysql_sender_dependent_default_transport_maps.cf
-# Autogenerated by mailcow
-user = ${DBUSER}
-password = ${DBPASS}
-hosts = unix:/var/run/mysqld/mysqld.sock
-dbname = ${DBNAME}
-query = SELECT GROUP_CONCAT(transport SEPARATOR '') AS transport_maps
-  FROM (
-    SELECT IF(EXISTS(SELECT 'smtp_type' FROM alias
-      LEFT OUTER JOIN mailbox ON mailbox.username = alias.goto
-        WHERE (address = '%s'
-          OR address IN (
-            SELECT CONCAT('%u', '@', target_domain) FROM alias_domain
-              WHERE alias_domain = '%d'
-          )
-        )
-        AND JSON_UNQUOTE(JSON_VALUE(attributes, '$.tls_enforce_out')) = '1'
-        AND mailbox.active = '1'
-    ), 'smtp_enforced_tls:', 'smtp:') AS 'transport'
-    UNION ALL
-    SELECT COALESCE(
-      (SELECT hostname FROM relayhosts
-      LEFT OUTER JOIN mailbox ON JSON_UNQUOTE(JSON_VALUE(mailbox.attributes, '$.relayhost')) = relayhosts.id
-        WHERE relayhosts.active = '1'
-          AND (
-            mailbox.username IN (SELECT alias.goto from alias
-              JOIN mailbox ON mailbox.username = alias.goto
-                WHERE alias.active = '1'
-                  AND alias.address = '%s'
-                  AND alias.address NOT LIKE '@%%'
-            )
-          )
-      ),
-      (SELECT hostname FROM relayhosts
-      LEFT OUTER JOIN domain ON domain.relayhost = relayhosts.id
-        WHERE relayhosts.active = '1'
-          AND (domain.domain = '%d'
-            OR domain.domain IN (
-              SELECT target_domain FROM alias_domain
-                WHERE alias_domain = '%d'
-            )
-          )
-      )
-    )
-  ) AS transport_view;
-EOF
-
-cat <<EOF > /opt/postfix/conf/sql/mysql_transport_maps.cf
-# Autogenerated by mailcow
-user = ${DBUSER}
-password = ${DBPASS}
-hosts = unix:/var/run/mysqld/mysqld.sock
-dbname = ${DBNAME}
-query = SELECT CONCAT('smtp_via_transport_maps:', nexthop) AS transport FROM transports
-  WHERE active = '1'
-  AND destination = '%s';
-EOF
-
-cat <<EOF > /opt/postfix/conf/sql/mysql_virtual_resource_maps.cf
-# Autogenerated by mailcow
-user = ${DBUSER}
-password = ${DBPASS}
-hosts = unix:/var/run/mysqld/mysqld.sock
-dbname = ${DBNAME}
-query = SELECT 'null@localhost' FROM mailbox
-  WHERE kind REGEXP 'location|thing|group' AND username = '%s';
-EOF
-
-cat <<EOF > /opt/postfix/conf/sql/mysql_sasl_passwd_maps_sender_dependent.cf
-# Autogenerated by mailcow
-user = ${DBUSER}
-password = ${DBPASS}
-hosts = unix:/var/run/mysqld/mysqld.sock
-dbname = ${DBNAME}
-query = SELECT CONCAT_WS(':', username, password) AS auth_data FROM relayhosts
-  WHERE id IN (
-    SELECT COALESCE(
-      (SELECT id FROM relayhosts
-      LEFT OUTER JOIN domain ON domain.relayhost = relayhosts.id
-      WHERE relayhosts.active = '1'
-        AND (domain.domain = '%d'
-          OR domain.domain IN (
-            SELECT target_domain FROM alias_domain
-            WHERE alias_domain = '%d'
-          )
-        )
-      ),
-      (SELECT id FROM relayhosts
-      LEFT OUTER JOIN mailbox ON JSON_UNQUOTE(JSON_VALUE(mailbox.attributes, '$.relayhost')) = relayhosts.id
-      WHERE relayhosts.active = '1'
-        AND (
-          mailbox.username IN (
-            SELECT alias.goto from alias
-              JOIN mailbox ON mailbox.username = alias.goto
-                WHERE alias.active = '1'
-                  AND alias.address = '%s'
-                  AND alias.address NOT LIKE '@%%'
-          )
-        )
-      )
-    )
-  )
-  AND active = '1'
-  AND username != '';
-EOF
-
-cat <<EOF > /opt/postfix/conf/sql/mysql_sasl_passwd_maps_transport_maps.cf
-# Autogenerated by mailcow
-user = ${DBUSER}
-password = ${DBPASS}
-hosts = unix:/var/run/mysqld/mysqld.sock
-dbname = ${DBNAME}
-query = SELECT CONCAT_WS(':', username, password) AS auth_data FROM transports
-  WHERE nexthop = '%s'
-  AND active = '1'
-  AND username != ''
-  LIMIT 1;
-EOF
-
-cat <<EOF > /opt/postfix/conf/sql/mysql_virtual_alias_domain_maps.cf
-# Autogenerated by mailcow
-user = ${DBUSER}
-password = ${DBPASS}
-hosts = unix:/var/run/mysqld/mysqld.sock
-dbname = ${DBNAME}
-query = SELECT username FROM mailbox, alias_domain
-  WHERE alias_domain.alias_domain = '%d'
-    AND mailbox.username = CONCAT('%u', '@', alias_domain.target_domain)
-    AND (mailbox.active = '1' OR mailbox.active = '2')
-    AND alias_domain.active='1'
-EOF
-
-cat <<EOF > /opt/postfix/conf/sql/mysql_virtual_alias_maps.cf
-# Autogenerated by mailcow
-user = ${DBUSER}
-password = ${DBPASS}
-hosts = unix:/var/run/mysqld/mysqld.sock
-dbname = ${DBNAME}
-query = SELECT goto FROM alias
-  WHERE address='%s'
-    AND (active='1' OR active='2');
-EOF
-
-cat <<EOF > /opt/postfix/conf/sql/mysql_recipient_bcc_maps.cf
-# Autogenerated by mailcow
-user = ${DBUSER}
-password = ${DBPASS}
-hosts = unix:/var/run/mysqld/mysqld.sock
-dbname = ${DBNAME}
-query = SELECT bcc_dest FROM bcc_maps
-  WHERE local_dest='%s'
-    AND type='rcpt'
-    AND active='1';
-EOF
-
-cat <<EOF > /opt/postfix/conf/sql/mysql_sender_bcc_maps.cf
-# Autogenerated by mailcow
-user = ${DBUSER}
-password = ${DBPASS}
-hosts = unix:/var/run/mysqld/mysqld.sock
-dbname = ${DBNAME}
-query = SELECT bcc_dest FROM bcc_maps
-  WHERE local_dest='%s'
-    AND type='sender'
-    AND active='1';
-EOF
-
-cat <<EOF > /opt/postfix/conf/sql/mysql_recipient_canonical_maps.cf
-# Autogenerated by mailcow
-user = ${DBUSER}
-password = ${DBPASS}
-hosts = unix:/var/run/mysqld/mysqld.sock
-dbname = ${DBNAME}
-query = SELECT new_dest FROM recipient_maps
-  WHERE old_dest='%s'
-    AND active='1';
-EOF
-
-cat <<EOF > /opt/postfix/conf/sql/mysql_virtual_domains_maps.cf
-# Autogenerated by mailcow
-user = ${DBUSER}
-password = ${DBPASS}
-hosts = unix:/var/run/mysqld/mysqld.sock
-dbname = ${DBNAME}
-query = SELECT alias_domain from alias_domain WHERE alias_domain='%s' AND active='1'
-  UNION
-  SELECT domain FROM domain
-    WHERE domain='%s'
-      AND active = '1'
-      AND backupmx = '0'
-EOF
-
-cat <<EOF > /opt/postfix/conf/sql/mysql_virtual_mailbox_maps.cf
-# Autogenerated by mailcow
-user = ${DBUSER}
-password = ${DBPASS}
-hosts = unix:/var/run/mysqld/mysqld.sock
-dbname = ${DBNAME}
-query = SELECT CONCAT(JSON_UNQUOTE(JSON_VALUE(attributes, '$.mailbox_format')), mailbox_path_prefix, '%d/%u/') FROM mailbox WHERE username='%s' AND (active = '1' OR active = '2')
-EOF
-
-cat <<EOF > /opt/postfix/conf/sql/mysql_virtual_relay_domain_maps.cf
-# Autogenerated by mailcow
-user = ${DBUSER}
-password = ${DBPASS}
-hosts = unix:/var/run/mysqld/mysqld.sock
-dbname = ${DBNAME}
-query = SELECT domain FROM domain WHERE domain='%s' AND backupmx = '1' AND active = '1'
-EOF
-
-cat <<EOF > /opt/postfix/conf/sql/mysql_virtual_sender_acl.cf
-# Autogenerated by mailcow
-user = ${DBUSER}
-password = ${DBPASS}
-hosts = unix:/var/run/mysqld/mysqld.sock
-dbname = ${DBNAME}
-# First select queries domain and alias_domain to determine if domains are active.
-query = SELECT goto FROM alias
-  WHERE address='%s'
-    AND active='1'
-    AND (domain IN
-      (SELECT domain FROM domain
-        WHERE domain='%d'
-          AND active='1')
-      OR domain in (
-        SELECT alias_domain FROM alias_domain
-          WHERE alias_domain='%d'
-            AND active='1'
-      )
-    )
-  UNION
-  SELECT logged_in_as FROM sender_acl
-    WHERE send_as='@%d'
-      OR send_as='%s'
-      OR send_as='*'
-      OR send_as IN (
-        SELECT CONCAT('@',target_domain) FROM alias_domain
-          WHERE alias_domain = '%d')
-      OR send_as IN (
-        SELECT CONCAT('%u','@',target_domain) FROM alias_domain
-          WHERE alias_domain = '%d')
-      AND logged_in_as NOT IN (
-        SELECT goto FROM alias
-          WHERE address='%s')
-  UNION
-  SELECT username FROM mailbox, alias_domain
-    WHERE alias_domain.alias_domain = '%d'
-      AND mailbox.username = CONCAT('%u','@',alias_domain.target_domain)
-      AND (mailbox.active = '1' OR mailbox.active ='2')
-      AND alias_domain.active='1'
-EOF
-
-# MX based routing
-cat <<EOF > /opt/postfix/conf/sql/mysql_mbr_access_maps.cf
-# Autogenerated by mailcow
-user = ${DBUSER}
-password = ${DBPASS}
-hosts = unix:/var/run/mysqld/mysqld.sock
-dbname = ${DBNAME}
-query = SELECT CONCAT('FILTER smtp_via_transport_maps:', nexthop) as transport FROM transports
-  WHERE '%s' REGEXP destination
-    AND active='1'
-    AND is_mx_based='1';
-EOF
-
-cat <<EOF > /opt/postfix/conf/sql/mysql_virtual_spamalias_maps.cf
-# Autogenerated by mailcow
-user = ${DBUSER}
-password = ${DBPASS}
-hosts = unix:/var/run/mysqld/mysqld.sock
-dbname = ${DBNAME}
-query = SELECT goto FROM spamalias
-  WHERE address='%s'
-    AND validity >= UNIX_TIMESTAMP()
-EOF
-
-sed -i '/User overrides/q' /opt/postfix/conf/main.cf
-echo >> /opt/postfix/conf/main.cf
-touch /opt/postfix/conf/extra.cf
-sed -i '/myhostname/d' /opt/postfix/conf/extra.cf
-echo -e "myhostname = ${MAILCOW_HOSTNAME}\n$(cat /opt/postfix/conf/extra.cf)" > /opt/postfix/conf/extra.cf
-
-cat /opt/postfix/conf/extra.cf >> /opt/postfix/conf/main.cf
-
-if [ ! -f /opt/postfix/conf/custom_transport.pcre ]; then
-  echo "Creating dummy custom_transport.pcre"
-  touch /opt/postfix/conf/custom_transport.pcre
-fi
-
-if [[ ! -f /opt/postfix/conf/custom_postscreen_whitelist.cidr ]]; then
-  echo "Creating dummy custom_postscreen_whitelist.cidr"
-  cat <<EOF > /opt/postfix/conf/custom_postscreen_whitelist.cidr
-# Autogenerated by mailcow
-# Rules are evaluated in the order as specified.
-# Blacklist 192.168.* except 192.168.0.1.
-# 192.168.0.1          permit
-# 192.168.0.0/16       reject
-EOF
-fi
-
-# Fix Postfix permissions
-chown -R root:postfix /opt/postfix/conf/sql/ /opt/postfix/conf/custom_transport.pcre
-chmod 640 /opt/postfix/conf/sql/*.cf /opt/postfix/conf/custom_transport.pcre
-chgrp -R postdrop /var/spool/postfix/public
-chgrp -R postdrop /var/spool/postfix/maildrop
-postfix set-permissions
-
-# Check Postfix configuration
-postconf -c /opt/postfix/conf > /dev/null
-
-if [[ $? != 0 ]]; then
-  echo "Postfix configuration error, refusing to start."
-  exit 1
-else
-  postfix -c /opt/postfix/conf start
-  sleep 126144000
-fi

data/Dockerfiles/postfix/supervisord.conf

@@ -11,13 +11,14 @@ stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 autostart=true
 
-[program:postfix]
-command=/opt/postfix.sh
+[program:bootstrap]
+command=/docker-entrypoint.sh
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 autorestart=true
+startsecs=10
 
 [eventlistener:processes]
 command=/usr/local/sbin/stop-supervisor.sh

data/Dockerfiles/postfix/syslog-ng-redis_slave.conf

@@ -1,4 +1,4 @@
-@version: 3.19
+@version: 3.38
 @include "scl.conf"
 options {
   chain_hostnames(off);
@@ -20,6 +20,7 @@ destination d_redis_ui_log {
     host("`REDIS_SLAVEOF_IP`")
     persist-name("redis1")
     port(`REDIS_SLAVEOF_PORT`)
+    auth("`REDISPASS`")
     command("LPUSH" "POSTFIX_MAILLOG" "$(format-json time=\"$S_UNIXTIME\" priority=\"$PRIORITY\" program=\"$PROGRAM\" message=\"$MESSAGE\")\n")
   );
 };
@@ -28,6 +29,7 @@ destination d_redis_f2b_channel {
     host("`REDIS_SLAVEOF_IP`")
     persist-name("redis2")
     port(`REDIS_SLAVEOF_PORT`)
+    auth("`REDISPASS`")
     command("PUBLISH" "F2B_CHANNEL" "$(sanitize $MESSAGE)")
   );
 };

data/Dockerfiles/postfix/syslog-ng.conf

@@ -1,4 +1,4 @@
-@version: 3.19
+@version: 3.38
 @include "scl.conf"
 options {
   chain_hostnames(off);
@@ -20,6 +20,7 @@ destination d_redis_ui_log {
     host("redis-mailcow")
     persist-name("redis1")
     port(6379)
+    auth("`REDISPASS`")
     command("LPUSH" "POSTFIX_MAILLOG" "$(format-json time=\"$S_UNIXTIME\" priority=\"$PRIORITY\" program=\"$PROGRAM\" message=\"$MESSAGE\")\n")
   );
 };
@@ -28,6 +29,7 @@ destination d_redis_f2b_channel {
     host("redis-mailcow")
     persist-name("redis2")
     port(6379)
+    auth("`REDISPASS`")
     command("PUBLISH" "F2B_CHANNEL" "$(sanitize $MESSAGE)")
   );
 };

data/Dockerfiles/rspamd/Dockerfile

@@ -1,22 +1,28 @@
-FROM debian:bullseye-slim
-LABEL maintainer "Andre Peters <andre.peters@tinc.gmbh>"
+FROM debian:bookworm-slim
+LABEL maintainer="The Infrastructure Company GmbH <info@servercow.de>"
 
 ARG DEBIAN_FRONTEND=noninteractive
-ARG CODENAME=bullseye
-ENV LC_ALL C
+ARG RSPAMD_VER=rspamd_3.11.1-1~ab0b44951
+ARG CODENAME=bookworm
+ENV LC_ALL=C
 
-RUN apt-get update && apt-get install -y \
+RUN apt-get update && apt-get install -y --no-install-recommends \
   tzdata \
   ca-certificates \
   gnupg2 \
   apt-transport-https \
   dnsutils \
-  netcat \
-  && apt-key adv --fetch-keys https://rspamd.com/apt-stable/gpg.key \
-  && echo "deb [arch=amd64] https://rspamd.com/apt-stable/ $CODENAME main" > /etc/apt/sources.list.d/rspamd.list \
-  && apt-get update \
-  && apt-get --no-install-recommends -y install rspamd redis-tools procps nano \
-  && rm -rf /var/lib/apt/lists/* \
+  netcat-traditional \
+  wget \
+  redis-tools \
+  procps \
+  nano \
+  lua-cjson \
+  python3 python3-pip \
+  && arch=$(arch | sed s/aarch64/arm64/ | sed s/x86_64/amd64/) \
+  && wget -P /tmp https://rspamd.com/apt-stable/pool/main/r/rspamd/${RSPAMD_VER}~${CODENAME}_${arch}.deb\
+  && apt install -y /tmp/${RSPAMD_VER}~${CODENAME}_${arch}.deb \
+  && rm -rf /var/lib/apt/lists/* /tmp/*\
   && apt-get autoremove --purge \
   && apt-get clean \
   && mkdir -p /run/rspamd \
@@ -24,12 +30,20 @@ RUN apt-get update && apt-get install -y \
   && echo 'alias ll="ls -la --color"' >> ~/.bashrc \
   && sed -i 's/#analysis_keyword_table > 0/analysis_cat_table.macro_exist == "M"/g' /usr/share/rspamd/lualib/lua_scanners/oletools.lua
 
-COPY settings.conf /etc/rspamd/settings.conf
-COPY metadata_exporter.lua /usr/share/rspamd/plugins/metadata_exporter.lua
-COPY docker-entrypoint.sh /docker-entrypoint.sh
+RUN pip install  --break-system-packages \
+  mysql-connector-python \
+  jinja2 \
+  redis \
+  dnspython \
+  psutil
+
+
+COPY data/Dockerfiles/bootstrap /bootstrap
+COPY data/Dockerfiles/rspamd/settings.conf /etc/rspamd/settings.conf
+COPY data/Dockerfiles/rspamd/set_worker_password.sh /set_worker_password.sh
+COPY data/Dockerfiles/rspamd/docker-entrypoint.sh /docker-entrypoint.sh
 
-ENTRYPOINT ["/docker-entrypoint.sh"]
 
 STOPSIGNAL SIGTERM
-
+ENTRYPOINT ["/docker-entrypoint.sh"]
 CMD ["/usr/bin/rspamd", "-f", "-u", "_rspamd", "-g", "_rspamd"]

data/Dockerfiles/rspamd/docker-entrypoint.sh

@@ -1,118 +1,5 @@
 #!/bin/bash
 
-until nc phpfpm 9001 -z; do
-  echo "Waiting for PHP on port 9001..."
-  sleep 3
-done
-
-until nc phpfpm 9002 -z; do
-  echo "Waiting for PHP on port 9002..."
-  sleep 3
-done
-
-mkdir -p /etc/rspamd/plugins.d \
-  /etc/rspamd/custom
-
-touch /etc/rspamd/rspamd.conf.local \
-  /etc/rspamd/rspamd.conf.override
-
-chmod 755 /var/lib/rspamd
-
-
-[[ ! -f /etc/rspamd/override.d/worker-controller-password.inc ]] && echo '# Autogenerated by mailcow' > /etc/rspamd/override.d/worker-controller-password.inc
-
-echo ${IPV4_NETWORK}.0/24 > /etc/rspamd/custom/mailcow_networks.map
-echo ${IPV6_NETWORK} >> /etc/rspamd/custom/mailcow_networks.map
-
-DOVECOT_V4=
-DOVECOT_V6=
-until [[ ! -z ${DOVECOT_V4} ]]; do
-  DOVECOT_V4=$(dig a dovecot +short)
-  DOVECOT_V6=$(dig aaaa dovecot +short)
-  [[ ! -z ${DOVECOT_V4} ]] && break;
-  echo "Waiting for Dovecot..."
-  sleep 3
-done
-echo ${DOVECOT_V4}/32 > /etc/rspamd/custom/dovecot_trusted.map
-if [[ ! -z ${DOVECOT_V6} ]]; then
-  echo ${DOVECOT_V6}/128 >> /etc/rspamd/custom/dovecot_trusted.map
-fi
-
-RSPAMD_V4=
-RSPAMD_V6=
-until [[ ! -z ${RSPAMD_V4} ]]; do
-  RSPAMD_V4=$(dig a rspamd +short)
-  RSPAMD_V6=$(dig aaaa rspamd +short)
-  [[ ! -z ${RSPAMD_V4} ]] && break;
-  echo "Waiting for Rspamd..."
-  sleep 3
-done
-echo ${RSPAMD_V4}/32 > /etc/rspamd/custom/rspamd_trusted.map
-if [[ ! -z ${RSPAMD_V6} ]]; then
-  echo ${RSPAMD_V6}/128 >> /etc/rspamd/custom/rspamd_trusted.map
-fi
-
-if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
-  cat <<EOF > /etc/rspamd/local.d/redis.conf
-read_servers = "redis:6379";
-write_servers = "${REDIS_SLAVEOF_IP}:${REDIS_SLAVEOF_PORT}";
-timeout = 10;
-EOF
-  until [[ $(redis-cli -h redis-mailcow PING) == "PONG" ]]; do
-    echo "Waiting for Redis @redis-mailcow..."
-    sleep 2
-  done
-  until [[ $(redis-cli -h ${REDIS_SLAVEOF_IP} -p ${REDIS_SLAVEOF_PORT} PING) == "PONG" ]]; do
-    echo "Waiting for Redis @${REDIS_SLAVEOF_IP}..."
-    sleep 2
-  done
-  redis-cli -h redis-mailcow SLAVEOF ${REDIS_SLAVEOF_IP} ${REDIS_SLAVEOF_PORT}
-else
-  cat <<EOF > /etc/rspamd/local.d/redis.conf
-servers = "redis:6379";
-timeout = 10;
-EOF
-  until [[ $(redis-cli -h redis-mailcow PING) == "PONG" ]]; do
-    echo "Waiting for Redis slave..."
-    sleep 2
-  done
-  redis-cli -h redis-mailcow SLAVEOF NO ONE
-fi
-
-chown -R _rspamd:_rspamd /var/lib/rspamd \
-  /etc/rspamd/local.d \
-  /etc/rspamd/override.d \
-  /etc/rspamd/rspamd.conf.local \
-  /etc/rspamd/rspamd.conf.override \
-  /etc/rspamd/plugins.d
-
-# Fix missing default global maps, if any
-# These exists in mailcow UI and should not be removed
-touch /etc/rspamd/custom/global_mime_from_blacklist.map \
-  /etc/rspamd/custom/global_rcpt_blacklist.map \
-  /etc/rspamd/custom/global_smtp_from_blacklist.map \
-  /etc/rspamd/custom/global_mime_from_whitelist.map \
-  /etc/rspamd/custom/global_rcpt_whitelist.map \
-  /etc/rspamd/custom/global_smtp_from_whitelist.map \
-  /etc/rspamd/custom/bad_languages.map \
-  /etc/rspamd/custom/sa-rules \
-  /etc/rspamd/custom/dovecot_trusted.map \
-  /etc/rspamd/custom/rspamd_trusted.map \
-  /etc/rspamd/custom/mailcow_networks.map \
-  /etc/rspamd/custom/ip_wl.map \
-  /etc/rspamd/custom/fishy_tlds.map \
-  /etc/rspamd/custom/bad_words.map \
-  /etc/rspamd/custom/bad_asn.map \
-  /etc/rspamd/custom/bad_words_de.map \
-  /etc/rspamd/custom/bulk_header.map \
-  /etc/rspamd/custom/bad_header.map
-
-# www-data (82) group needs to write to these files
-chown _rspamd:_rspamd /etc/rspamd/custom/
-chmod 0755 /etc/rspamd/custom/.
-chown -R 82:82 /etc/rspamd/custom/*
-chmod 644 -R /etc/rspamd/custom/*
-
 # Run hooks
 for file in /hooks/*; do
   if [ -x "${file}" ]; then
@@ -121,4 +8,13 @@ for file in /hooks/*; do
   fi
 done
 
+python3 -u /bootstrap/main.py
+BOOTSTRAP_EXIT_CODE=$?
+
+if [ $BOOTSTRAP_EXIT_CODE -ne 0 ]; then
+  echo "Bootstrap failed with exit code $BOOTSTRAP_EXIT_CODE. Not starting Rspamd."
+  exit $BOOTSTRAP_EXIT_CODE
+fi
+
+echo "Bootstrap succeeded. Starting Rspamd..."
 exec "$@"

data/Dockerfiles/rspamd/metadata_exporter.lua

@@ -1,632 +0,0 @@
---[[
-Copyright (c) 2016, Andrew Lewis <nerf@judo.za.org>
-Copyright (c) 2016, Vsevolod Stakhov <vsevolod@highsecure.ru>
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-]]--
-
-if confighelp then
-  return
-end
-
--- A plugin that pushes metadata (or whole messages) to external services
-
-local redis_params
-local lua_util = require "lua_util"
-local rspamd_http = require "rspamd_http"
-local rspamd_util = require "rspamd_util"
-local rspamd_logger = require "rspamd_logger"
-local ucl = require "ucl"
-local E = {}
-local N = 'metadata_exporter'
-
-local settings = {
-  pusher_enabled = {},
-  pusher_format = {},
-  pusher_select = {},
-  mime_type = 'text/plain',
-  defer = false,
-  mail_from = '',
-  mail_to = 'postmaster@localhost',
-  helo = 'rspamd',
-  email_template = [[From: "Rspamd" <$mail_from>
-To: $mail_to
-Subject: Spam alert
-Date: $date
-MIME-Version: 1.0
-Message-ID: <$our_message_id>
-Content-type: text/plain; charset=utf-8
-Content-Transfer-Encoding: 8bit
-
-Authenticated username: $user
-IP: $ip
-Queue ID: $qid
-SMTP FROM: $from
-SMTP RCPT: $rcpt
-MIME From: $header_from
-MIME To: $header_to
-MIME Date: $header_date
-Subject: $header_subject
-Message-ID: $message_id
-Action: $action
-Score: $score
-Symbols: $symbols]],
-}
-
-local function get_general_metadata(task, flatten, no_content)
-  local r = {}
-  local ip = task:get_from_ip()
-  if ip and ip:is_valid() then
-    r.ip = tostring(ip)
-  else
-    r.ip = 'unknown'
-  end
-  r.user = task:get_user() or 'unknown'
-  r.qid = task:get_queue_id() or 'unknown'
-  r.subject = task:get_subject() or 'unknown'
-  r.action = task:get_metric_action('default')
-
-  local s = task:get_metric_score('default')[1]
-  r.score = flatten and string.format('%.2f', s) or s
-
-  local fuzzy = task:get_mempool():get_variable("fuzzy_hashes", "fstrings")
-  if fuzzy and #fuzzy > 0 then
-    local fz = {}
-    for _,h in ipairs(fuzzy) do
-      table.insert(fz, h)
-    end
-    if not flatten then
-      r.fuzzy = fz
-    else
-      r.fuzzy = table.concat(fz, ', ')
-    end
-  else
-    r.fuzzy = 'unknown'
-  end
-
-  local rcpt = task:get_recipients('smtp')
-  if rcpt then
-    local l = {}
-    for _, a in ipairs(rcpt) do
-      table.insert(l, a['addr'])
-    end
-    if not flatten then
-      r.rcpt = l
-    else
-      r.rcpt = table.concat(l, ', ')
-    end
-  else
-    r.rcpt = 'unknown'
-  end
-  local from = task:get_from('smtp')
-  if ((from or E)[1] or E).addr then
-    r.from = from[1].addr
-  else
-    r.from = 'unknown'
-  end
-  local syminf = task:get_symbols_all()
-  if flatten then
-    local l = {}
-    for _, sym in ipairs(syminf) do
-      local txt
-      if sym.options then
-        local topt = table.concat(sym.options, ', ')
-        txt = sym.name .. '(' .. string.format('%.2f', sym.score) .. ')' .. ' [' .. topt .. ']'
-      else
-        txt = sym.name .. '(' .. string.format('%.2f', sym.score) .. ')'
-      end
-      table.insert(l, txt)
-    end
-    r.symbols = table.concat(l, '\n\t')
-  else
-    r.symbols = syminf
-  end
-  local function process_header(name)
-    local hdr = task:get_header_full(name)
-    if hdr then
-      local l = {}
-      for _, h in ipairs(hdr) do
-        table.insert(l, h.decoded)
-      end
-      if not flatten then
-        return l
-      else
-        return table.concat(l, '\n')
-      end
-    else
-      return 'unknown'
-    end
-  end
-  if not no_content then
-    r.header_from = process_header('from')
-    r.header_to = process_header('to')
-    r.header_subject = process_header('subject')
-    r.header_date = process_header('date')
-    r.message_id = task:get_message_id()
-  end
-  return r
-end
-
-local formatters = {
-  default = function(task)
-    return task:get_content(), {}
-  end,
-  email_alert = function(task, rule, extra)
-    local meta = get_general_metadata(task, true)
-    local display_emails = {}
-    local mail_targets = {}
-    meta.mail_from = rule.mail_from or settings.mail_from
-    local mail_rcpt = rule.mail_to or settings.mail_to
-    if type(mail_rcpt) ~= 'table' then
-      table.insert(display_emails, string.format('<%s>', mail_rcpt))
-      table.insert(mail_targets, mail_rcpt)
-    else
-      for _, e in ipairs(mail_rcpt) do
-        table.insert(display_emails, string.format('<%s>', e))
-        table.insert(mail_targets, mail_rcpt)
-      end
-    end
-    if rule.email_alert_sender then
-      local x = task:get_from('smtp')
-      if x and string.len(x[1].addr) > 0 then
-        table.insert(mail_targets, x)
-        table.insert(display_emails, string.format('<%s>', x[1].addr))
-      end
-    end
-    if rule.email_alert_user then
-      local x = task:get_user()
-      if x then
-        table.insert(mail_targets, x)
-        table.insert(display_emails, string.format('<%s>', x))
-      end
-    end
-    if rule.email_alert_recipients then
-      local x = task:get_recipients('smtp')
-      if x then
-        for _, e in ipairs(x) do
-          if string.len(e.addr) > 0 then
-            table.insert(mail_targets, e.addr)
-            table.insert(display_emails, string.format('<%s>', e.addr))
-          end
-        end
-      end
-    end
-    meta.mail_to = table.concat(display_emails, ', ')
-    meta.our_message_id = rspamd_util.random_hex(12) .. '@rspamd'
-    meta.date = rspamd_util.time_to_string(rspamd_util.get_time())
-    return lua_util.template(rule.email_template or settings.email_template, meta), { mail_targets = mail_targets}
-  end,
-  json = function(task)
-    return ucl.to_format(get_general_metadata(task), 'json-compact')
-  end
-}
-
-local function is_spam(action)
-  return (action == 'reject' or action == 'add header' or action == 'rewrite subject')
-end
-
-local selectors = {
-  default = function(task)
-    return true
-  end,
-  is_spam = function(task)
-    local action = task:get_metric_action('default')
-    return is_spam(action)
-  end,
-  is_spam_authed = function(task)
-    if not task:get_user() then
-      return false
-    end
-    local action = task:get_metric_action('default')
-    return is_spam(action)
-  end,
-  is_reject = function(task)
-    local action = task:get_metric_action('default')
-    return (action == 'reject')
-  end,
-  is_reject_authed = function(task)
-    if not task:get_user() then
-      return false
-    end
-    local action = task:get_metric_action('default')
-    return (action == 'reject')
-  end,
-}
-
-local function maybe_defer(task, rule)
-  if rule.defer then
-    rspamd_logger.warnx(task, 'deferring message')
-    task:set_pre_result('soft reject', 'deferred', N)
-  end
-end
-
-local pushers = {
-  redis_pubsub = function(task, formatted, rule)
-    local _,ret,upstream
-    local function redis_pub_cb(err)
-      if err then
-        rspamd_logger.errx(task, 'got error %s when publishing on server %s',
-            err, upstream:get_addr())
-        return maybe_defer(task, rule)
-      end
-      return true
-    end
-    ret,_,upstream = rspamd_redis_make_request(task,
-      redis_params, -- connect params
-      nil, -- hash key
-      true, -- is write
-      redis_pub_cb, --callback
-      'PUBLISH', -- command
-      {rule.channel, formatted} -- arguments
-    )
-    if not ret then
-      rspamd_logger.errx(task, 'error connecting to redis')
-      maybe_defer(task, rule)
-    end
-  end,
-  http = function(task, formatted, rule)
-    local function http_callback(err, code)
-      if err then
-        rspamd_logger.errx(task, 'got error %s in http callback', err)
-        return maybe_defer(task, rule)
-      end
-      if code ~= 200 then
-        rspamd_logger.errx(task, 'got unexpected http status: %s', code)
-        return maybe_defer(task, rule)
-      end
-      return true
-    end
-    local hdrs = {}
-    if rule.meta_headers then
-      local gm = get_general_metadata(task, false, true)
-      local pfx = rule.meta_header_prefix or 'X-Rspamd-'
-      for k, v in pairs(gm) do
-        if type(v) == 'table' then
-          hdrs[pfx .. k] = ucl.to_format(v, 'json-compact')
-        else
-          hdrs[pfx .. k] = v
-        end
-      end
-    end
-    rspamd_http.request({
-      task=task,
-      url=rule.url,
-      body=formatted,
-      callback=http_callback,
-      mime_type=rule.mime_type or settings.mime_type,
-      headers=hdrs,
-    })
-  end,
-  send_mail = function(task, formatted, rule, extra)
-    local lua_smtp = require "lua_smtp"
-    local function sendmail_cb(ret, err)
-      if not ret then
-        rspamd_logger.errx(task, 'SMTP export error: %s', err)
-        maybe_defer(task, rule)
-      end
-    end
-
-    lua_smtp.sendmail({
-      task = task,
-      host = rule.smtp,
-      port = rule.smtp_port or settings.smtp_port or 25,
-      from = rule.mail_from or settings.mail_from,
-      recipients = extra.mail_targets or rule.mail_to or settings.mail_to,
-      helo = rule.helo or settings.helo,
-      timeout = rule.timeout or settings.timeout,
-    }, formatted, sendmail_cb)
-  end,
-}
-
-local opts = rspamd_config:get_all_opt(N)
-if not opts then return end
-local process_settings = {
-  select = function(val)
-    selectors.custom = assert(load(val))()
-  end,
-  format = function(val)
-    formatters.custom = assert(load(val))()
-  end,
-  push = function(val)
-    pushers.custom = assert(load(val))()
-  end,
-  custom_push = function(val)
-    if type(val) == 'table' then
-      for k, v in pairs(val) do
-        pushers[k] = assert(load(v))()
-      end
-    end
-  end,
-  custom_select = function(val)
-    if type(val) == 'table' then
-      for k, v in pairs(val) do
-        selectors[k] = assert(load(v))()
-      end
-    end
-  end,
-  custom_format = function(val)
-    if type(val) == 'table' then
-      for k, v in pairs(val) do
-        formatters[k] = assert(load(v))()
-      end
-    end
-  end,
-  pusher_enabled = function(val)
-    if type(val) == 'string' then
-      if pushers[val] then
-        settings.pusher_enabled[val] = true
-      else
-        rspamd_logger.errx(rspamd_config, 'Pusher type: %s is invalid', val)
-      end
-    elseif type(val) == 'table' then
-      for _, v in ipairs(val) do
-        if pushers[v] then
-          settings.pusher_enabled[v] = true
-        else
-          rspamd_logger.errx(rspamd_config, 'Pusher type: %s is invalid', val)
-        end
-      end
-    end
-  end,
-}
-for k, v in pairs(opts) do
-  local f = process_settings[k]
-  if f then
-    f(opts[k])
-  else
-    settings[k] = v
-  end
-end
-if type(settings.rules) ~= 'table' then
-  -- Legacy config
-  settings.rules = {}
-  if not next(settings.pusher_enabled) then
-    if pushers.custom then
-      rspamd_logger.infox(rspamd_config, 'Custom pusher implicitly enabled')
-      settings.pusher_enabled.custom = true
-    else
-      -- Check legacy options
-      if settings.url then
-        rspamd_logger.warnx(rspamd_config, 'HTTP pusher implicitly enabled')
-        settings.pusher_enabled.http = true
-      end
-      if settings.channel then
-        rspamd_logger.warnx(rspamd_config, 'Redis Pubsub pusher implicitly enabled')
-        settings.pusher_enabled.redis_pubsub = true
-      end
-      if settings.smtp and settings.mail_to then
-        rspamd_logger.warnx(rspamd_config, 'SMTP pusher implicitly enabled')
-        settings.pusher_enabled.send_mail = true
-      end
-    end
-  end
-  if not next(settings.pusher_enabled) then
-    rspamd_logger.errx(rspamd_config, 'No push backend enabled')
-    return
-  end
-  if settings.formatter then
-    settings.format = formatters[settings.formatter]
-    if not settings.format then
-      rspamd_logger.errx(rspamd_config, 'No such formatter: %s', settings.formatter)
-      return
-    end
-  end
-  if settings.selector then
-    settings.select = selectors[settings.selector]
-    if not settings.select then
-      rspamd_logger.errx(rspamd_config, 'No such selector: %s', settings.selector)
-      return
-    end
-  end
-  for k in pairs(settings.pusher_enabled) do
-    local formatter = settings.pusher_format[k]
-    local selector = settings.pusher_select[k]
-    if not formatter then
-      settings.pusher_format[k] = settings.formatter or 'default'
-      rspamd_logger.infox(rspamd_config, 'Using default formatter for %s pusher', k)
-    else
-      if not formatters[formatter] then
-        rspamd_logger.errx(rspamd_config, 'No such formatter: %s - disabling %s', formatter, k)
-        settings.pusher_enabled.k = nil
-      end
-    end
-    if not selector then
-      settings.pusher_select[k] = settings.selector or 'default'
-      rspamd_logger.infox(rspamd_config, 'Using default selector for %s pusher', k)
-    else
-      if not selectors[selector] then
-        rspamd_logger.errx(rspamd_config, 'No such selector: %s - disabling %s', selector, k)
-        settings.pusher_enabled.k = nil
-      end
-    end
-  end
-  if settings.pusher_enabled.redis_pubsub then
-    redis_params = rspamd_parse_redis_server(N)
-    if not redis_params then
-      rspamd_logger.errx(rspamd_config, 'No redis servers are specified')
-      settings.pusher_enabled.redis_pubsub = nil
-    else
-      local r = {}
-      r.backend = 'redis_pubsub'
-      r.channel = settings.channel
-      r.defer = settings.defer
-      r.selector = settings.pusher_select.redis_pubsub
-      r.formatter = settings.pusher_format.redis_pubsub
-      settings.rules[r.backend:upper()] = r
-    end
-  end
-  if settings.pusher_enabled.http then
-    if not settings.url then
-      rspamd_logger.errx(rspamd_config, 'No URL is specified')
-      settings.pusher_enabled.http = nil
-    else
-      local r = {}
-      r.backend = 'http'
-      r.url = settings.url
-      r.mime_type = settings.mime_type
-      r.defer = settings.defer
-      r.selector = settings.pusher_select.http
-      r.formatter = settings.pusher_format.http
-      settings.rules[r.backend:upper()] = r
-    end
-  end
-  if settings.pusher_enabled.send_mail then
-    if not (settings.mail_to and settings.smtp) then
-      rspamd_logger.errx(rspamd_config, 'No mail_to and/or smtp setting is specified')
-      settings.pusher_enabled.send_mail = nil
-    else
-      local r = {}
-      r.backend = 'send_mail'
-      r.mail_to = settings.mail_to
-      r.mail_from = settings.mail_from
-      r.helo = settings.hello
-      r.smtp = settings.smtp
-      r.smtp_port = settings.smtp_port
-      r.email_template = settings.email_template
-      r.defer = settings.defer
-      r.selector = settings.pusher_select.send_mail
-      r.formatter = settings.pusher_format.send_mail
-      settings.rules[r.backend:upper()] = r
-    end
-  end
-  if not next(settings.pusher_enabled) then
-    rspamd_logger.errx(rspamd_config, 'No push backend enabled')
-    return
-  end
-elseif not next(settings.rules) then
-  lua_util.debugm(N, rspamd_config, 'No rules enabled')
-  return
-end
-if not settings.rules or not next(settings.rules) then
-  rspamd_logger.errx(rspamd_config, 'No rules enabled')
-  return
-end
-local backend_required_elements = {
-  http = {
-    'url',
-  },
-  smtp = {
-    'mail_to',
-    'smtp',
-  },
-  redis_pubsub = {
-    'channel',
-  },
-}
-local check_element = {
-  selector = function(k, v)
-    if not selectors[v] then
-      rspamd_logger.errx(rspamd_config, 'Rule %s has invalid selector %s', k, v)
-      return false
-    else
-      return true
-    end
-  end,
-  formatter = function(k, v)
-    if not formatters[v] then
-      rspamd_logger.errx(rspamd_config, 'Rule %s has invalid formatter %s', k, v)
-      return false
-    else
-      return true
-    end
-  end,
-}
-local backend_check = {
-  default = function(k, rule)
-    local reqset = backend_required_elements[rule.backend]
-    if reqset then
-      for _, e in ipairs(reqset) do
-        if not rule[e] then
-          rspamd_logger.errx(rspamd_config, 'Rule %s misses required setting %s', k, e)
-          settings.rules[k] = nil
-        end
-      end
-    end
-    for sett, v in pairs(rule) do
-      local f = check_element[sett]
-      if f then
-        if not f(sett, v) then
-          settings.rules[k] = nil
-        end
-      end
-    end
-  end,
-}
-backend_check.redis_pubsub = function(k, rule)
-  if not redis_params then
-    redis_params = rspamd_parse_redis_server(N)
-  end
-  if not redis_params then
-    rspamd_logger.errx(rspamd_config, 'No redis servers are specified')
-    settings.rules[k] = nil
-  else
-    backend_check.default(k, rule)
-  end
-end
-setmetatable(backend_check, {
-  __index = function()
-    return backend_check.default
-  end,
-})
-for k, v in pairs(settings.rules) do
-  if type(v) == 'table' then
-    local backend = v.backend
-    if not backend then
-      rspamd_logger.errx(rspamd_config, 'Rule %s has no backend', k)
-      settings.rules[k] = nil
-    elseif not pushers[backend] then
-      rspamd_logger.errx(rspamd_config, 'Rule %s has invalid backend %s', k, backend)
-      settings.rules[k] = nil
-    else
-      local f = backend_check[backend]
-      f(k, v)
-    end
-  else
-    rspamd_logger.errx(rspamd_config, 'Rule %s has bad type: %s', k, type(v))
-    settings.rules[k] = nil
-  end
-end
-
-local function gen_exporter(rule)
-  return function (task)
-    if task:has_flag('skip') then return end
-    local selector = rule.selector or 'default'
-    local selected = selectors[selector](task)
-    if selected then
-      lua_util.debugm(N, task, 'Message selected for processing')
-      local formatter = rule.formatter or 'default'
-      local formatted, extra = formatters[formatter](task, rule)
-      if formatted then
-        pushers[rule.backend](task, formatted, rule, extra)
-      else
-        lua_util.debugm(N, task, 'Formatter [%s] returned non-truthy value [%s]', formatter, formatted)
-      end
-    else
-      lua_util.debugm(N, task, 'Selector [%s] returned non-truthy value [%s]', selector, selected)
-    end
-  end
-end
-
-if not next(settings.rules) then
-  rspamd_logger.errx(rspamd_config, 'No rules enabled')
-  lua_util.disable_module(N, "config")
-end
-for k, r in pairs(settings.rules) do
-  rspamd_config:register_symbol({
-    name = 'EXPORT_METADATA_' .. k,
-    type = 'idempotent',
-    callback = gen_exporter(r),
-    priority = 10,
-    flags = 'empty,explicit_disable,ignore_passthrough',
-  })
-end

data/Dockerfiles/rspamd/set_worker_password.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+password_file='/etc/rspamd/override.d/worker-controller-password.inc'
+password_hash=`/usr/bin/rspamadm pw -e -p $1`
+
+echo 'enable_password = "'$password_hash'";' > $password_file
+
+if grep -q "$password_hash" "$password_file"; then
+    echo "OK"
+else
+    echo "ERROR"
+fi

data/Dockerfiles/sogo/Dockerfile

@@ -1,10 +1,13 @@
-FROM debian:bullseye-slim
-LABEL maintainer "Andre Peters <andre.peters@servercow.de>"
+FROM debian:bookworm-slim
+
+LABEL maintainer="The Infrastructure Company GmbH <info@servercow.de>"
 
 ARG DEBIAN_FRONTEND=noninteractive
-ARG SOGO_DEBIAN_REPOSITORY=http://packages.inverse.ca/SOGo/nightly/5/debian/
-ENV LC_ALL C
-ENV GOSU_VERSION 1.14
+ARG DEBIAN_VERSION=bookworm
+ARG SOGO_DEBIAN_REPOSITORY=https://packagingv2.sogo.nu/sogo-nightly-debian/
+# renovate: datasource=github-releases depName=tianon/gosu versioning=semver-coerced extractVersion=^(?<version>.*)$
+ARG GOSU_VERSION=1.17
+ENV LC_ALL=C
 
 # Prerequisites
 RUN echo "Building from repository $SOGO_DEBIAN_REPOSITORY" \
@@ -20,36 +23,41 @@ RUN echo "Building from repository $SOGO_DEBIAN_REPOSITORY" \
   syslog-ng-core \
   syslog-ng-mod-redis \
   dirmngr \
-  netcat \
+  netcat-traditional \
   psmisc \
   wget \
   patch \
+  python3 python3-pip \
   && dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')" \
   && wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch" \
   && chmod +x /usr/local/bin/gosu \
   && gosu nobody true \
   && mkdir /usr/share/doc/sogo \
   && touch /usr/share/doc/sogo/empty.sh \
-  && apt-key adv --keyserver keyserver.ubuntu.com --recv-key 0x810273C4 \
-  && echo "deb ${SOGO_DEBIAN_REPOSITORY} bullseye bullseye" > /etc/apt/sources.list.d/sogo.list \
+  && wget -O- https://keys.openpgp.org/vks/v1/by-fingerprint/74FFC6D72B925A34B5D356BDF8A27B36A6E2EAE9 | gpg --dearmor | apt-key add - \
+  && echo "deb [trusted=yes] ${SOGO_DEBIAN_REPOSITORY} ${DEBIAN_VERSION} main" > /etc/apt/sources.list.d/sogo.list \
   && apt-get update && apt-get install -y --no-install-recommends \
     sogo \
     sogo-activesync \
   && apt-get autoclean \
-  && rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/sogo.list \
+  && rm -rf /var/lib/apt/lists/* \
   && touch /etc/default/locale
 
-COPY ./bootstrap-sogo.sh /bootstrap-sogo.sh
-COPY syslog-ng.conf /etc/syslog-ng/syslog-ng.conf
-COPY syslog-ng-redis_slave.conf /etc/syslog-ng/syslog-ng-redis_slave.conf
-COPY supervisord.conf /etc/supervisor/supervisord.conf
-COPY acl.diff /acl.diff
-COPY stop-supervisor.sh /usr/local/sbin/stop-supervisor.sh
-COPY docker-entrypoint.sh /
+RUN pip install  --break-system-packages \
+  mysql-connector-python \
+  jinja2 \
+  redis \
+  dnspython \
+  psutil
 
-RUN chmod +x /bootstrap-sogo.sh \
-  /usr/local/sbin/stop-supervisor.sh
 
-ENTRYPOINT ["/docker-entrypoint.sh"]
+COPY data/Dockerfiles/bootstrap /bootstrap
+COPY data/Dockerfiles/sogo/syslog-ng.conf /etc/syslog-ng/syslog-ng.conf
+COPY data/Dockerfiles/sogo/syslog-ng-redis_slave.conf /etc/syslog-ng/syslog-ng-redis_slave.conf
+COPY data/Dockerfiles/sogo/supervisord.conf /etc/supervisor/supervisord.conf
+COPY data/Dockerfiles/sogo/stop-supervisor.sh /usr/local/sbin/stop-supervisor.sh
+COPY data/Dockerfiles/sogo/docker-entrypoint.sh /
 
-CMD exec /usr/bin/supervisord -c /etc/supervisor/supervisord.conf
+RUN chmod +x /usr/local/sbin/stop-supervisor.sh
+
+CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/supervisord.conf"]

data/Dockerfiles/sogo/acl.diff

@@ -1,11 +0,0 @@
---- /usr/lib/GNUstep/SOGo/Templates/UIxAclEditor.wox    2018-08-17 18:29:57.987504204 +0200
-+++ /usr/lib/GNUstep/SOGo/Templates/UIxAclEditor.wox    2018-08-17 18:29:35.918291298 +0200
-@@ -46,7 +46,7 @@
-           </md-item-template>
-         </md-autocomplete>
-       </div>
--      <md-card ng-repeat="user in acl.users | orderBy:['userClass', 'cn']"
-+      <md-card ng-repeat="user in acl.users | filter:{ userClass: 'normal' } | orderBy:['cn']"
-                class="sg-collapsed"
-                ng-class="{ 'sg-expanded': user.uid == acl.selectedUid }">
-         <a class="md-flex md-button" ng-click="acl.selectUser(user, $event)">

data/Dockerfiles/sogo/bootstrap-sogo.sh

@@ -1,247 +0,0 @@
-#!/bin/bash
-
-# Wait for MySQL to warm-up
-while ! mysqladmin status --socket=/var/run/mysqld/mysqld.sock -u${DBUSER} -p${DBPASS} --silent; do
-  echo "Waiting for database to come up..."
-  sleep 2
-done
-
-# Wait until port becomes free and send sig
-until ! nc -z sogo-mailcow 20000;
-do
-  killall -TERM sogod
-  sleep 3
-done
-
-# Wait for updated schema
-DBV_NOW=$(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT version FROM versions WHERE application = 'db_schema';" -BN)
-DBV_NEW=$(grep -oE '\$db_version = .*;' init_db.inc.php | sed 's/$db_version = //g;s/;//g' | cut -d \" -f2)
-while [[ "${DBV_NOW}" != "${DBV_NEW}" ]]; do
-  echo "Waiting for schema update..."
-  DBV_NOW=$(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT version FROM versions WHERE application = 'db_schema';" -BN)
-  DBV_NEW=$(grep -oE '\$db_version = .*;' init_db.inc.php | sed 's/$db_version = //g;s/;//g' | cut -d \" -f2)
-  sleep 5
-done
-echo "DB schema is ${DBV_NOW}"
-
-# Recreate view
-if [[ "${MASTER}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
-  echo "We are master, preparing sogo_view..."
-  mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "DROP VIEW IF EXISTS sogo_view"
-  while [[ ${VIEW_OK} != 'OK' ]]; do
-    mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} << EOF
-CREATE VIEW sogo_view (c_uid, domain, c_name, c_password, c_cn, mail, aliases, ad_aliases, ext_acl, kind, multiple_bookings) AS 
-SELECT
-   mailbox.username,
-   mailbox.domain,
-   mailbox.username,
-   IF(JSON_UNQUOTE(JSON_VALUE(attributes, '$.force_pw_update')) = '0', IF(JSON_UNQUOTE(JSON_VALUE(attributes, '$.sogo_access')) = 1, password, '{SSHA256}A123A123A321A321A321B321B321B123B123B321B432F123E321123123321321'), '{SSHA256}A123A123A321A321A321B321B321B123B123B321B432F123E321123123321321'),
-   mailbox.name,
-   mailbox.username,
-   IFNULL(GROUP_CONCAT(ga.aliases ORDER BY ga.aliases SEPARATOR ' '), ''),
-   IFNULL(gda.ad_alias, ''),
-   IFNULL(external_acl.send_as_acl, ''),
-   mailbox.kind,
-   mailbox.multiple_bookings
-FROM
-   mailbox
-   LEFT OUTER JOIN
-      grouped_mail_aliases ga
-      ON ga.username REGEXP CONCAT('(^|,)', mailbox.username, '($|,)')
-   LEFT OUTER JOIN
-      grouped_domain_alias_address gda
-      ON gda.username = mailbox.username
-   LEFT OUTER JOIN
-      grouped_sender_acl_external external_acl
-      ON external_acl.username = mailbox.username
-WHERE
-   mailbox.active = '1'
-GROUP BY
-   mailbox.username;
-EOF
-    if [[ ! -z $(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -B -e "SELECT 'OK' FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME = 'sogo_view'") ]]; then
-      VIEW_OK=OK
-    else
-      echo "Will retry to setup SOGo view in 3s..."
-      sleep 3
-    fi
-  done
-else
-  while [[ ${VIEW_OK} != 'OK' ]]; do
-    if [[ ! -z $(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -B -e "SELECT 'OK' FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME = 'sogo_view'") ]]; then
-      VIEW_OK=OK
-    else
-      echo "Waiting for SOGo view to be created by master..."
-      sleep 3
-    fi
-  done
-fi
-
-# Wait for static view table if missing after update and update content
-if [[ "${MASTER}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
-  echo "We are master, preparing _sogo_static_view..."
-  while [[ ${STATIC_VIEW_OK} != 'OK' ]]; do
-    if [[ ! -z $(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -B -e "SELECT 'OK' FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME = '_sogo_static_view'") ]]; then
-      STATIC_VIEW_OK=OK
-      echo "Updating _sogo_static_view content..."
-      # If changed, also update init_db.inc.php
-      mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -B -e "REPLACE INTO _sogo_static_view (c_uid, domain, c_name, c_password, c_cn, mail, aliases, ad_aliases, ext_acl, kind, multiple_bookings) SELECT c_uid, domain, c_name, c_password, c_cn, mail, aliases, ad_aliases, ext_acl, kind, multiple_bookings from sogo_view;"
-      mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -B -e "DELETE FROM _sogo_static_view WHERE c_uid NOT IN (SELECT username FROM mailbox WHERE active = '1')"
-    else
-      echo "Waiting for database initialization..."
-      sleep 3
-    fi
-  done
-else
-  while [[ ${STATIC_VIEW_OK} != 'OK' ]]; do
-    if [[ ! -z $(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -B -e "SELECT 'OK' FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME = '_sogo_static_view'") ]]; then
-      STATIC_VIEW_OK=OK
-    else
-      echo "Waiting for database initialization by master..."
-      sleep 3
-    fi
-  done
-fi
-
-
-# Recreate password update trigger
-if [[ "${MASTER}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
-  echo "We are master, preparing update trigger..."
-  mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "DROP TRIGGER IF EXISTS sogo_update_password"
-  while [[ ${TRIGGER_OK} != 'OK' ]]; do
-  mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} << EOF
-DELIMITER -
-CREATE TRIGGER sogo_update_password AFTER UPDATE ON _sogo_static_view
-FOR EACH ROW
-BEGIN
-UPDATE mailbox SET password = NEW.c_password WHERE NEW.c_uid = username;
-END;
--
-DELIMITER ;
-EOF
-    if [[ ! -z $(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -B -e "SELECT 'OK' FROM INFORMATION_SCHEMA.TRIGGERS WHERE TRIGGER_NAME = 'sogo_update_password'") ]]; then
-      TRIGGER_OK=OK
-    else
-      echo "Will retry to setup SOGo password update trigger in 3s"
-      sleep 3
-    fi
-  done
-fi
-
-# cat /dev/urandom seems to hang here occasionally and is not recommended anyway, better use openssl
-RAND_PASS=$(openssl rand -base64 16 | tr -dc _A-Z-a-z-0-9)
-
-# Generate plist header with timezone data
-mkdir -p /var/lib/sogo/GNUstep/Defaults/
-cat <<EOF > /var/lib/sogo/GNUstep/Defaults/sogod.plist
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//GNUstep//DTD plist 0.9//EN" "http://www.gnustep.org/plist-0_9.xml">
-<plist version="0.9">
-<dict>
-    <key>OCSAclURL</key>
-    <string>mysql://${DBUSER}:${DBPASS}@%2Fvar%2Frun%2Fmysqld%2Fmysqld.sock/${DBNAME}/sogo_acl</string>
-    <key>SOGoIMAPServer</key>
-    <string>imap://${IPV4_NETWORK}.250:143/?TLS=YES&amp;tlsVerifyMode=none</string>
-    <key>SOGoTrustProxyAuthentication</key>
-    <string>YES</string>
-    <key>SOGoEncryptionKey</key>
-    <string>${RAND_PASS}</string>
-    <key>OCSCacheFolderURL</key>
-    <string>mysql://${DBUSER}:${DBPASS}@%2Fvar%2Frun%2Fmysqld%2Fmysqld.sock/${DBNAME}/sogo_cache_folder</string>
-    <key>OCSEMailAlarmsFolderURL</key>
-    <string>mysql://${DBUSER}:${DBPASS}@%2Fvar%2Frun%2Fmysqld%2Fmysqld.sock/${DBNAME}/sogo_alarms_folder</string>
-    <key>OCSFolderInfoURL</key>
-    <string>mysql://${DBUSER}:${DBPASS}@%2Fvar%2Frun%2Fmysqld%2Fmysqld.sock/${DBNAME}/sogo_folder_info</string>
-    <key>OCSSessionsFolderURL</key>
-    <string>mysql://${DBUSER}:${DBPASS}@%2Fvar%2Frun%2Fmysqld%2Fmysqld.sock/${DBNAME}/sogo_sessions_folder</string>
-    <key>OCSStoreURL</key>
-    <string>mysql://${DBUSER}:${DBPASS}@%2Fvar%2Frun%2Fmysqld%2Fmysqld.sock/${DBNAME}/sogo_store</string>
-    <key>SOGoProfileURL</key>
-    <string>mysql://${DBUSER}:${DBPASS}@%2Fvar%2Frun%2Fmysqld%2Fmysqld.sock/${DBNAME}/sogo_user_profile</string>
-    <key>SOGoTimeZone</key>
-    <string>${TZ}</string>
-    <key>domains</key>
-    <dict>
-EOF
-
-# Generate multi-domain setup
-while read -r line gal
-  do
-  echo "        <key>${line}</key>
-        <dict>
-            <key>SOGoMailDomain</key>
-            <string>${line}</string>
-            <key>SOGoUserSources</key>
-            <array>
-                <dict>
-                    <key>MailFieldNames</key>
-                    <array>
-                        <string>aliases</string>
-                        <string>ad_aliases</string>
-                        <string>ext_acl</string>
-                    </array>
-                    <key>KindFieldName</key>
-                    <string>kind</string>
-                    <key>DomainFieldName</key>
-                    <string>domain</string>
-                    <key>MultipleBookingsFieldName</key>
-                    <string>multiple_bookings</string>
-                    <key>listRequiresDot</key>
-                    <string>NO</string>
-                    <key>canAuthenticate</key>
-                    <string>YES</string>
-                    <key>displayName</key>
-                    <string>GAL ${line}</string>
-                    <key>id</key>
-                    <string>${line}</string>
-                    <key>isAddressBook</key>
-                    <string>${gal}</string>
-                    <key>type</key>
-                    <string>sql</string>
-                    <key>userPasswordAlgorithm</key>
-                    <string>${MAILCOW_PASS_SCHEME}</string>
-                    <key>prependPasswordScheme</key>
-                    <string>YES</string>
-                    <key>viewURL</key>
-                    <string>mysql://${DBUSER}:${DBPASS}@%2Fvar%2Frun%2Fmysqld%2Fmysqld.sock/${DBNAME}/_sogo_static_view</string>
-                </dict>" >> /var/lib/sogo/GNUstep/Defaults/sogod.plist
-  # Generate alternative LDAP authentication dict, when SQL authentication fails
-  # This will nevertheless read attributes from LDAP
-  line=${line} envsubst < /etc/sogo/plist_ldap >> /var/lib/sogo/GNUstep/Defaults/sogod.plist
-  echo "            </array>
-        </dict>" >> /var/lib/sogo/GNUstep/Defaults/sogod.plist
-done < <(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT domain, CASE gal WHEN '1' THEN 'YES' ELSE 'NO' END AS gal FROM domain;" -B -N)
-
-# Generate footer
-echo '    </dict>
-</dict>
-</plist>' >> /var/lib/sogo/GNUstep/Defaults/sogod.plist
-
-# Fix permissions
-chown sogo:sogo -R /var/lib/sogo/
-chmod 600 /var/lib/sogo/GNUstep/Defaults/sogod.plist
-
-# Patch ACLs
-#if [[ ${ACL_ANYONE} == 'allow' ]]; then
-#  #enable any or authenticated targets for ACL
-#  if patch -R -sfN --dry-run /usr/lib/GNUstep/SOGo/Templates/UIxAclEditor.wox < /acl.diff > /dev/null; then
-#    patch -R /usr/lib/GNUstep/SOGo/Templates/UIxAclEditor.wox < /acl.diff;
-#  fi
-#else
-#  #disable any or authenticated targets for ACL
-#  if patch -sfN --dry-run /usr/lib/GNUstep/SOGo/Templates/UIxAclEditor.wox < /acl.diff > /dev/null; then
-#    patch /usr/lib/GNUstep/SOGo/Templates/UIxAclEditor.wox < /acl.diff;
-#  fi
-#fi
-
-# Copy logo, if any
-[[ -f /etc/sogo/sogo-full.svg ]] && cp /etc/sogo/sogo-full.svg /usr/lib/GNUstep/SOGo/WebServerResources/img/sogo-full.svg
-
-# Rsync web content
-echo "Syncing web content with named volume"
-rsync -a /usr/lib/GNUstep/SOGo/. /sogo_web/
-
-# Chown backup path
-chown -R sogo:sogo /sogo_backup
-
-exec gosu sogo /usr/sbin/sogod

data/Dockerfiles/sogo/docker-entrypoint.sh

@@ -1,15 +1,5 @@
 #!/bin/bash
 
-if [[ "${SKIP_SOGO}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
-  echo "SKIP_SOGO=y, skipping SOGo..."
-  sleep 365d
-  exit 0
-fi
-
-if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
-  cp /etc/syslog-ng/syslog-ng-redis_slave.conf /etc/syslog-ng/syslog-ng.conf
-fi
-
 # Run hooks
 for file in /hooks/*; do
   if [ -x "${file}" ]; then
@@ -18,4 +8,13 @@ for file in /hooks/*; do
   fi
 done
 
-exec "$@"
+python3 -u /bootstrap/main.py
+BOOTSTRAP_EXIT_CODE=$?
+
+if [ $BOOTSTRAP_EXIT_CODE -ne 0 ]; then
+  echo "Bootstrap failed with exit code $BOOTSTRAP_EXIT_CODE. Not starting SOGo."
+  exit $BOOTSTRAP_EXIT_CODE
+fi
+
+echo "Bootstrap succeeded. Starting SOGo..."
+exec gosu sogo /usr/sbin/sogod

data/Dockerfiles/sogo/supervisord.conf

@@ -11,8 +11,8 @@ stderr_logfile_maxbytes=0
 autostart=true
 priority=1
 
-[program:bootstrap-sogo]
-command=/bootstrap-sogo.sh
+[program:bootstrap]
+command=/docker-entrypoint.sh
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr

data/Dockerfiles/sogo/syslog-ng-redis_slave.conf

@@ -1,4 +1,4 @@
-@version: 3.28
+@version: 3.38
 @include "scl.conf"
 options {
   chain_hostnames(off);
@@ -22,6 +22,7 @@ destination d_redis_ui_log {
     host("`REDIS_SLAVEOF_IP`")
     persist-name("redis1")
     port(`REDIS_SLAVEOF_PORT`)
+    auth("`REDISPASS`")
     command("LPUSH" "SOGO_LOG" "$(format-json time=\"$S_UNIXTIME\" priority=\"$PRIORITY\" program=\"$PROGRAM\" message=\"$MESSAGE\")\n")
   );
 };
@@ -30,6 +31,7 @@ destination d_redis_f2b_channel {
     host("`REDIS_SLAVEOF_IP`")
     persist-name("redis2")
     port(`REDIS_SLAVEOF_PORT`)
+    auth("`REDISPASS`")
     command("PUBLISH" "F2B_CHANNEL" "$(sanitize $MESSAGE)")
   );
 };

data/Dockerfiles/sogo/syslog-ng.conf

@@ -1,4 +1,4 @@
-@version: 3.28
+@version: 3.38
 @include "scl.conf"
 options {
   chain_hostnames(off);
@@ -22,6 +22,7 @@ destination d_redis_ui_log {
     host("redis-mailcow")
     persist-name("redis1")
     port(6379)
+    auth("`REDISPASS`")
     command("LPUSH" "SOGO_LOG" "$(format-json time=\"$S_UNIXTIME\" priority=\"$PRIORITY\" program=\"$PROGRAM\" message=\"$MESSAGE\")\n")
   );
 };
@@ -30,6 +31,7 @@ destination d_redis_f2b_channel {
     host("redis-mailcow")
     persist-name("redis2")
     port(6379)
+    auth("`REDISPASS`")
     command("PUBLISH" "F2B_CHANNEL" "$(sanitize $MESSAGE)")
   );
 };