wip: experimental fetchmail support

..to get DKIM signing working for mailman

.env.sample

@@ -1,66 +1,72 @@
-TYPE=mailu
+# See https://mailu.io/2.0/configuration.html for explanation of (most of) these
+# settings. "Quoted text" in this file comes from that page.
 
-# Main mail domain, NOT main web domain (if they are different)
+###############################################################################
-DOMAIN=example.com
+# BOILERPLATE SETTINGS (shouldn't need to change these)                       #
+###############################################################################
+TYPE=mailu
 LETS_ENCRYPT_ENV=production
-# Run `docker stack ls | grep traefik | cut -f 1 -d " "` on the target machine to get that one
+COMPOSE_FILE="compose.yml"
+
+###############################################################################
+# REQUIRED SETTINGS (always need to change these)                             #
+###############################################################################
+
+# Main web domain, NOT main mail domain (if they are different)
+DOMAIN=mailu.example.com
+
+# "This email domain is used for bounce emails, for generating the postmaster
+# email and other technical addresses."
+MAIL_DOMAIN=mailu.example.com
+
+# Hostnames for this server, separated with commas
+# "The first declared hostname is the main hostname and will be exposed over
+# SMTP, IMAP, etc."
+HOSTNAMES=$DOMAIN
+
+# Run `DOCKER_CONTEXT=<yourserver> docker stack ls | grep traefik | cut -f 1 -d " "` to get that one
 TRAEFIK_STACK_NAME=traefik_example_com
 
-# Custom settings used by certdumper_post.sh and Traefik
+###############################################################################
-WEB_DOMAIN=example.com
+# OPTIONAL SETTINGS                                                           #
-ACME_JSON=${LETS_ENCRYPT_ENV}-acme.json
+###############################################################################
 
-# Mailu settings
+# Name of the instance, displayed in the web UI
-# https://mailu.io
+SITENAME=mymail
 
-TLS_CERT_FILENAME=$WEB_DOMAIN/certificate.crt
+# Linked Website URL
-TLS_KEYPAIR_FILENAME=$WEB_DOMAIN/privatekey.key
+WEBSITE=https://$DOMAIN
-
-REDIS_ADDRESS=db
-
-# Set to a randomly generated 16 bytes string
-SECRET_KEY=XXXXXXXXXXXXXXXX
-
-# Subnet of the docker network. This should not conflict with any networks to which your system is connected. (Internal and external!)
-SUBNET=192.168.203.0/24
-
-# Hostnames for this server, separated with comas
-HOSTNAMES=$WEB_DOMAIN
 
 # Postmaster local part (will append the main mail domain)
-POSTMASTER=admin
+POSTMASTER=c
-
-# Choose how secure connections will behave (value: letsencrypt, cert, notls, mail, mail-letsencrypt)
-TLS_FLAVOR=mail
 
 # Authentication rate limit per IP (per /24 on ipv4 and /56 on ipv6)
 AUTH_RATELIMIT_IP=60/hour
 
-# Opt-out of statistics, replace with "True" to opt out
+# Opt-in to statistics, change to "False" to opt in
 DISABLE_STATISTICS=True
 
-###################################
+# Log level threshold in start.py (value: CRITICAL, ERROR, WARNING, INFO, DEBUG, NOTSET)
-# Optional features
+LOG_LEVEL=WARNING
-###################################
+
+# Timezone for the Mailu containers. See this link for all possible values https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
+TZ=Etc/UTC
 
 # Expose the admin interface (value: true, false)
 ADMIN=true
 
-# Choose which webmail to run if any (values: roundcube, rainloop, none)
+# Choose which webmail to run if any (values: snappymail, roundcube, none)
 WEBMAIL=snappymail
 
-# Dav server implementation (value: radicale, none)
+# API settings
-WEBDAV=none
+# -------------
 
-# Antivirus solution (value: clamav, none)
+# Authentication token for API requests
-ANTIVIRUS=none
+API=false
+#API_TOKEN=
 
-# Scan Macros solution (value: true, false)
-SCAN_MACROS=true
-
-###################################
 # Mail settings
-###################################
+# -------------
 
 # Message size limit in bytes
 # Default: accept messages up to 50MB
@@ -79,11 +85,13 @@ RELAYHOST=
 
 # Enable fetchmail
 FETCHMAIL_ENABLED=False
+#COMPOSE_FILE="$COMPOSE_FILE:compose.fetchmail.yml"
+#FETCHMAIL_ENABLED=True
 
 # Fetchmail delay
 FETCHMAIL_DELAY=600
 
-# Recipient delimiter, character used to delimiter localpart from custom address part
+# Recipient delimiter, character used to delimit localpart from custom address part
 RECIPIENT_DELIMITER=+
 
 # DMARC rua and ruf email
@@ -103,11 +111,58 @@ COMPRESSION=
 COMPRESSION_LEVEL=
 
 # IMAP full-text search is enabled by default. Set the following variable to off in order to disable the feature.
-# FULL_TEXT_SEARCH=off
+#FULL_TEXT_SEARCH=off
+
+# Co-op Cloud settings
+# -------------
+
+# Mailman settings
+# NOTE(3wc): remember to also set RELAYNETS
+#COMPOSE_FILE="$COMPOSE_FILE:compose.mailman.yml"
+#MAILMAN_POSTFIX_OVERRIDES=1
+#MAILMAN_CORE_VOLUME=lists_example_com_mailman-core
+#MAILMAN_CORE_NETWORK=lists_example_com_internal
+
+# NOTE(3wc): think this is no longer needed, see https://github.com/Mailu/Mailu/pull/1904
+# SASL account -> MAIL FROM mappings for more liberal MAIL FROM relaying
+# return-path: https://www.rubydoc.info/gems/actionmailer-rack-upgrade-2/2.3.15/ActionMailer/Base
+# logins and MAIL FROM ownership: http://www.postfix.com/postconf.5.html#smtpd_relay_restrictions
+# there is an open ticket with a further discussion also https://github.com/Mailu/Mailu/issues/1096
+#COMPOSE_FILE="$COMPOSE_FILE:compose.senderlogins.yml"
+#SENDER_LOGINS_POSTFIX_OVERRIDES=1
+
+SECRET_SECRET_KEY_VERSION=v1
+
+###############################################################################
+# INFINITE NERD DEPTH SETTINGS (rarely needed)                                #
+###############################################################################
+
+# Traefik certificates filename, used by certdumper
+ACME_JSON=${LETS_ENCRYPT_ENV}-acme.json
+
+TLS_CERT_FILENAME=$DOMAIN/certificate.crt
+TLS_KEYPAIR_FILENAME=$DOMAIN/privatekey.key
+
+# Choose how secure connections will behave (value: letsencrypt, cert, notls, mail, mail-letsencrypt)
+# NOTE(3wc): changing this to "letsencrypt" might (but probably won't) allow
+# this recipe to be deployed standalone without Traefik. "notls" might (but
+# might not) disable encryption for everything except the web interfaces.
+TLS_FLAVOR=mail
+
+# Optional features
+# -------------
+
+# Dav server implementation (value: radicale, none)
+WEBDAV=none
+
+# Antivirus solution (value: clamav, none)
+ANTIVIRUS=none
+
+# Scan Macros solution (value: true, false)
+SCAN_MACROS=true
 
-###################################
 # Web settings
-###################################
+# -------------
 
 # Path to redirect / to
 WEBROOT_REDIRECT=/webmail
@@ -118,24 +173,14 @@ WEB_ADMIN=/admin
 # Path to the webmail if enabled
 WEB_WEBMAIL=/webmail
 
-# Website name
-SITENAME=mymail
-
-# Linked Website URL
-WEBSITE=https://$DOMAIN
-
-###################################
 # Advanced settings
-###################################
+# -------------
 
 # Log driver for front service. Possible values:
 # json-file (default)
 # journald (On systemd platforms, useful for Fail2Ban integration)
 # syslog (Non systemd platforms, Fail2Ban integration. Disables `docker-compose log` for front!)
-# LOG_DRIVER=json-file
+#LOG_DRIVER=json-file
-
-# Docker-compose project name, this will prepended to containers names.
-COMPOSE_PROJECT_NAME=mailu
 
 # Number of rounds used by the password hashing scheme
 CREDENTIAL_ROUNDS=12
@@ -149,33 +194,6 @@ REAL_IP_FROM=
 # choose wether mailu bounces (no) or rejects (yes) mail when recipient is unknown (value: yes, no)
 REJECT_UNLISTED_RECIPIENT=
 
-# Log level threshold in start.py (value: CRITICAL, ERROR, WARNING, INFO, DEBUG, NOTSET)
+# NOTE(3wc): Other values are not supported, as compose.yml does not contain
-LOG_LEVEL=WARNING
+# configuration for them. Pull requests welcome!
-
-# Timezone for the Mailu containers. See this link for all possible values https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
-TZ=Etc/UTC
-
-# Authentication token for API requests
-#API_TOKEN=
-
-###################################
-# Database settings
-###################################
 DB_FLAVOR=sqlite
-
-###################################
-# Mailman settings
-###################################
-# COMPOSE_FILE="compose.yml:compose.mailman.yml"
-# MAILMAN_POSTFIX_OVERRIDES=1
-# MAILMAN_CORE_VOLUME=lists_example_com_mailman-core
-# MAILMAN_CORE_NETWORK=lists_example_com_internal
-
-###################################
-# SASL account -> MAIL FROM mappings for more liberal MAIL FROM relaying
-# return-path: https://www.rubydoc.info/gems/actionmailer-rack-upgrade-2/2.3.15/ActionMailer/Base
-# logins and MAIL FROM ownership: http://www.postfix.com/postconf.5.html#smtpd_relay_restrictions
-# there is an open ticket with a further discussion also https://github.com/Mailu/Mailu/issues/1096
-###################################
-# COMPOSE_FILE="compose.yml:compose.senderlogins.yml"
-# SENDER_LOGINS_POSTFIX_OVERRIDES=1

README.md

@@ -27,7 +27,7 @@ host.
 5. `abra app deploy YOURAPPDOMAIN`
 9. Create initial user:
 ```
-abra app YOURAPPDOMAIN run admin flask mailu admin admin YOURDOMAIN YOURPASSWORD
+abra app run YOURDOMAIN admin flask mailu admin admin YOURDOMAIN YOURPASSWORD
 ```
 
 [Mailu]: https://mailu.io/

abra.sh

@@ -1,3 +1,3 @@
 export CERTDUMPER_POST_VERSION=v1
-export POSTFIX_OVERRIDE_VERSION=v15
+export POSTFIX_OVERRIDE_VERSION=v17
 export SENDER_LOGIN_VERSIONS=v2

compose.fetchmail.yml

@@ -0,0 +1,14 @@
+
+services:
+  fetchmail:
+    image: ghcr.io/mailu/fetchmail:2.0.34
+    environment: *default-env
+    volumes:
+      - "fetchmail:/data"
+    depends_on:
+      - app
+    networks:
+      - default
+
+volumes:
+  fetchmail:

compose.mailman.yml

@@ -10,18 +10,12 @@ services:
       - MAILMAN_POSTFIX_OVERRIDES
     networks:
       - default
-      - shared_mailman_network
     volumes:
       - "shared-mailman-core:/opt/mailman/"
     configs:
       - source: postfix_override
         target: /overrides/postfix.cf
 
-networks:
-  shared_mailman_network:
-    external: true
-    name: ${MAILMAN_CORE_NETWORK}
-
 volumes:
   # https://git.autonomic.zone/coop-cloud/mailman3/src/branch/master/compose.yml
   shared-mailman-core:

compose.yml

@@ -5,6 +5,7 @@ x-environment:
   - FRONT_ADDRESS=${STACK_NAME}_app
   - ADMIN
   - ANTIVIRUS
+  - API
   - API_TOKEN
   - AUTH_RATELIMIT_IP
   - MESSAGE_RATELIMIT
@@ -17,6 +18,7 @@ x-environment:
   - DMARC_RUF
   - DOCKER_CONTEXT
   - DOMAIN
+  - FETCHMAIL_ENABLED
   - FETCHMAIL_DELAY
   - FULL_TEXT_SEARCH
   - HOSTNAMES
@@ -29,13 +31,13 @@ x-environment:
   - REAL_IP_FROM
   - REAL_IP_HEADER
   - RECIPIENT_DELIMITER
-  - REDIS_ADDRESS
+  - REDIS_ADDRESS=db
   - REJECT_UNLISTED_RECIPIENT
   - RELAYHOST
   - RELAYNETS
-  - SECRET_KEY
+  - SECRET_KEY_FILE=/run/secrets/secret_key
   - SITENAME
-  - SUBNET
+  - SUBNET=192.168.203.0/24
   - TLS_CERT_FILENAME
   - TLS_FLAVOR
   - TLS_KEYPAIR_FILENAME
@@ -45,6 +47,7 @@ x-environment:
   - WEBROOT_REDIRECT
   - WEBSITE
   - WEB_WEBMAIL
+  - WEB_API=/api
   - WELCOME
   - WELCOME_BODY
   - WELCOME_SUBJECT
@@ -52,7 +55,7 @@ x-environment:
 
 services:
   app:
-    image: ghcr.io/mailu/nginx:2.0.23
+    image: ghcr.io/mailu/nginx:2.0.34
     logging:
       driver: json-file
     networks:
@@ -83,26 +86,30 @@ services:
         mode: host
     volumes:
       - "certs:/certs"
+    secrets:
+      - secret_key
     deploy:
       labels:
         - "traefik.enable=true"
         - "traefik.docker.network=proxy"
         - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
-        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${WEB_DOMAIN}`)"
+        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
-        - "coop-cloud.${STACK_NAME}.version=1.0.2+2.0.23"
+        - "coop-cloud.${STACK_NAME}.version=1.1.0+2.0.34"
   
   db:
-    image: redis:7.2.0-alpine
+    image: redis:7.2.3-alpine
     volumes:
       - "redis:/data"
 
   admin:
-    image: ghcr.io/mailu/admin:2.0.23
+    image: ghcr.io/mailu/admin:2.0.34
     environment: *default-env
     healthcheck:
       disable: true
+    secrets:
+      - secret_key
     volumes:
       - "dkim:/dkim"
       - "mailu:/data"
@@ -110,8 +117,10 @@ services:
       - default
 
   imap:
-    image: ghcr.io/mailu/dovecot:2.0.23
+    image: ghcr.io/mailu/dovecot:2.0.34
     environment: *default-env
+    secrets:
+      - secret_key
     volumes:
       - "mail:/mail"
     healthcheck:
@@ -122,8 +131,10 @@ services:
       - default
 
   smtp:
-    image: ghcr.io/mailu/postfix:2.0.23
+    image: ghcr.io/mailu/postfix:2.0.34
     environment: *default-env
+    secrets:
+      - secret_key
     volumes:
       - "mailqueue:/queue"
     healthcheck:
@@ -132,8 +143,10 @@ services:
       - app
 
   antispam:
-    image: ghcr.io/mailu/rspamd:2.0.23
+    image: ghcr.io/mailu/rspamd:2.0.34
     environment: *default-env
+    secrets:
+      - secret_key
     volumes:
       - "rspamd:/var/lib/rspamd"
       - "dkim:/dkim:ro"
@@ -141,12 +154,14 @@ services:
       disable: true
 
   webmail:
-    image: ghcr.io/mailu/webmail:2.0.23
+    image: ghcr.io/mailu/webmail:2.0.34
     environment: *default-env
     networks:
       - default
     volumes:
       - "webmail:/data"
+    secrets:
+      - secret_key
     deploy:
       replicas: 1
     healthcheck:
@@ -156,15 +171,15 @@ services:
     image: ldez/traefik-certs-dumper:v2.8.1
     entrypoint: sh -c '
       apk add jq
-      ; while ! [ -e /traefik/production-acme.json ]
+      ; while ! [ -e /traefik/${ACME_JSON} ]
-        || ! [ `jq ".production.Certificates | length" /traefik/production-acme.json` != 0 ]; do
+        || ! [ `jq ".production.Certificates | length" /traefik/${ACME_JSON}` != 0 ]; do
           sleep 1
       ; done
-      && traefik-certs-dumper file --watch --source /traefik/production-acme.json
+      && traefik-certs-dumper file --watch --source /traefik/${ACME_JSON}
-        --dest /output --domain-subdir=true --version v2'
+        --dest /output --domain-subdir=true --version v2
+        --post-hook "sh /usr/bin/certdumper_post.sh"'
     environment:
-      # Make sure this is the same as the main=-domain in traefik.toml
+      - DOMAIN=$DOMAIN
-      - DOMAIN=$WEB_DOMAIN
     volumes:
       # Folder, which contains the acme.json
       - type: volume
@@ -205,3 +220,8 @@ configs:
   certdumper_post:
     name: ${STACK_NAME}_certdumper_post_${CERTDUMPER_POST_VERSION}
     file: certdumper_post.sh
+
+secrets:
+  secret_key:
+    external: true
+    name: ${STACK_NAME}_secret_key_${SECRET_SECRET_KEY_VERSION}

postfix.cf.tmpl

@@ -10,9 +10,9 @@
 
 unknown_local_recipient_reject_code = 550
 owner_request_special = no
+virtual_mailbox_maps = regexp:/opt/mailman/var/data/postfix_lmtp, \${podop}mailbox
 transport_maps = regexp:/opt/mailman/var/data/postfix_lmtp \${podop}transport
 local_recipient_maps = regexp:/opt/mailman/var/data/postfix_lmtp
-relay_domains = regexp:/opt/mailman/var/data/postfix_domains \${podop}transport
 {{ end }}
 {{ if eq (env "SENDER_LOGINS_POSTFIX_OVERRIDES") "1" }}
 # https://github.com/Mailu/Mailu/issues/1096

release/1.1.0+2.0.34

@@ -0,0 +1,18 @@
+# Secret key
+
+The secret key is now stored as a docker secret instead of a variable in the
+env file. You need to insert it by running:
+`abra app secret insert <your mailu app> secret_key v1 <SECRETKEYHERE>`
+and you can remove `SECRET_KEY` from your config file.
+
+# `DOMAIN` is now `MAIL_DOMAIN`
+
+This is important! If your main e-mail domain is something else than the
+domain you are reaching the web interface at, you need to make changes.
+I.e. in our setup we have `autonomic.zone` pointing an A record at some server
+and `mail.autonomic.zone` is a separate server, and MX records are pointing
+to the server at `mail.autonomic.zone`.
+In this case:
+  - `DOMAIN` should be `mail.autonomic.zone` - this is what traefik will use to
+  provision a certificate
+  - `MAIL_DOMAIN` should be `autonomic.zone`