Attempt at ARC/DKIM signing for mailman

.drone.yml

@@ -10,7 +10,7 @@ steps:
         from_secret: drone_abra-bot_token
       fork: true
       repositories:
-        - toolshed/auto-recipes-catalogue-json
+        - coop-cloud/auto-recipes-catalogue-json
 
 trigger:
   event: tag

.env.sample

@@ -31,9 +31,6 @@ TRAEFIK_STACK_NAME=traefik_example_com
 # OPTIONAL SETTINGS                                                           #
 ###############################################################################
 
-# Uncomment this to reënable STARTTLS, although beware the health warnings here: https://nostarttls.secvuln.info/
-#PORTS=25,80,443,465,993,995,4190,110,143,587
-
 # Name of the instance, displayed in the web UI
 SITENAME=mymail
 

README.md

@@ -25,28 +25,11 @@ host.
 4. `abra app config YOURAPPDOMAIN` - be sure to change `$WEB_DOMAIN` to something that resolves to
    your Docker swarm box
 5. `abra app deploy YOURAPPDOMAIN`
-6. Create initial user:
+9. Create initial user:
 ```
-abra app run YOURDOMAIN admin flask mailu admin admin YOURDOMAIN YOURPASSWORD
+abra app YOURAPPDOMAIN run admin flask mailu admin admin YOURDOMAIN YOURPASSWORD
 ```
 
-## Upgrading the recipe
-
-**NOTE** This section is only intended for [recipe maintainers][maintainers]
-
-Minor/patch updates usually work OK with `abra recipe upgrade` and friends. 
-
-For major updates:
-
-1. Go to https://setup.mailu.io/ and generate a new config
-2. Download the new config and compare it to `compose.yml`. Pay attention to:
-  - New / removed services
-  - Added/removed config options
-  - Changes to networking
-3. Test upgrading from the previous version to the new version
-4. `abra recipe sync` / `abra recipe release` as normal
-
 [Mailu]: https://mailu.io/
 [abra]: https://git.autonomic.zone/autonomic-cooperative/abra
 [compose-traefik]: https://git.autonomic.zone/coop-cloud/traefik
-[maintainers]: https://docs.coopcloud.tech/maintainers/

abra.sh

@@ -1,3 +1,5 @@
 export CERTDUMPER_POST_VERSION=v1
-export POSTFIX_OVERRIDE_VERSION=v17
+export POSTFIX_OVERRIDE_VERSION=v15
 export SENDER_LOGIN_VERSIONS=v2
+export ARC_OVERRIDE_VERSION=v8
+export DKIM_IP_MAP_OVERRIDE_VERSION=v2

compose.mailman.yml

@@ -10,20 +10,42 @@ services:
       - MAILMAN_POSTFIX_OVERRIDES
     networks:
       - default
+      - shared_mailman_network
     volumes:
       - "shared-mailman-core:/opt/mailman/"
     configs:
       - source: postfix_override
         target: /overrides/postfix.cf
+  antispam:
+    configs:
+      - source: arc_conf_override
+        target: /overrides/arc.conf
+      - source: dkim_ip_map_override
+        target: /overrides/dkim_ip.map
+    volumes:
+      - "rspam_overrides:/etc/rspamd/override.d"
+
+networks:
+  shared_mailman_network:
+    external: true
+    name: ${MAILMAN_CORE_NETWORK}
 
 volumes:
   # https://git.autonomic.zone/coop-cloud/mailman3/src/branch/master/compose.yml
   shared-mailman-core:
     external: true
     name: ${MAILMAN_CORE_VOLUME}
+  rspam_overrides:
 
 configs:
   postfix_override:
     name: ${STACK_NAME}_postfix_overrides_${POSTFIX_OVERRIDE_VERSION}
-    file: postfix.cf.tmpl
+    file: mailman-postfix.cf.tmpl
+    template_driver: golang
+  arc_conf_override:
+    name: ${STACK_NAME}_arc_conf_override_${ARC_OVERRIDE_VERSION}
+    file: mailman-arc.conf
+  dkim_ip_map_override:
+    name: ${STACK_NAME}_dkim_ip_map_${DKIM_IP_MAP_OVERRIDE_VERSION}
+    file: mailman-dkim_ip.map.tmpl
     template_driver: golang

compose.yml

@@ -51,11 +51,10 @@ x-environment:
   - WELCOME_BODY
   - WELCOME_SUBJECT
   - TZ
-  - PORTS
 
 services:
   app:
-    image: ghcr.io/mailu/nginx:2024.06.27
+    image: ghcr.io/mailu/nginx:2.0.23
     logging:
       driver: json-file
     networks:
@@ -96,15 +95,15 @@ services:
         - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
-        - "coop-cloud.${STACK_NAME}.version=3.0.0+2024.06.27"
+        - "coop-cloud.${STACK_NAME}.version=1.0.2+2.0.23"
   
   db:
-    image: redis:7.4.1-alpine
+    image: redis:7.2.0-alpine
     volumes:
       - "redis:/data"
 
   admin:
-    image: ghcr.io/mailu/admin:2024.06.27
+    image: ghcr.io/mailu/admin:2.0.23
     environment: *default-env
     healthcheck:
       disable: true
@@ -117,7 +116,7 @@ services:
       - default
 
   imap:
-    image: ghcr.io/mailu/dovecot:2024.06.27
+    image: ghcr.io/mailu/dovecot:2.0.23
     environment: *default-env
     secrets:
       - secret_key
@@ -131,7 +130,7 @@ services:
       - default
 
   smtp:
-    image: ghcr.io/mailu/postfix:2024.06.27
+    image: ghcr.io/mailu/postfix:2.0.23
     environment: *default-env
     secrets:
       - secret_key
@@ -143,7 +142,7 @@ services:
       - app
 
   antispam:
-    image: ghcr.io/mailu/rspamd:2024.06.27
+    image: ghcr.io/mailu/rspamd:2.0.23
     environment: *default-env
     secrets:
       - secret_key
@@ -154,8 +153,7 @@ services:
       disable: true
 
   webmail:
-    image: ghcr.io/mailu/webmail:2024.06.27
-    # entrypoint: "tail -f /dev/null"
+    image: ghcr.io/mailu/webmail:2.0.23
     environment: *default-env
     networks:
       - default
@@ -169,7 +167,7 @@ services:
       disable: true
 
   certdumper:
-    image: ldez/traefik-certs-dumper:v2.9.3
+    image: ldez/traefik-certs-dumper:v2.8.1
     entrypoint: sh -c '
       apk add jq
       ; while ! [ -e /traefik/${ACME_JSON} ]

logging.inc

@@ -0,0 +1,2 @@
+type=console
+debug_modules=dkim

mailman-arc.conf

@@ -0,0 +1,7 @@
+sign_networks = "/overrides/dkim_ip.map";
+path = "/dkim/$domain.$selector.key";
+use_domain = "header";
+#use_vault = false;
+#try_fallback = true;
+#selector_map = "/overrides/dkim_selectors.map";
+#selector = "dkim";

mailman-dkim_ip.map.tmpl

@@ -0,0 +1 @@
+{{ env "RELAYNETS" }}

mailman-postfix.cf.tmpl

@@ -10,9 +10,9 @@
 
 unknown_local_recipient_reject_code = 550
 owner_request_special = no
-virtual_mailbox_maps = regexp:/opt/mailman/var/data/postfix_lmtp, \${podop}mailbox
 transport_maps = regexp:/opt/mailman/var/data/postfix_lmtp \${podop}transport
 local_recipient_maps = regexp:/opt/mailman/var/data/postfix_lmtp
+relay_domains = regexp:/opt/mailman/var/data/postfix_domains \${podop}transport
 {{ end }}
 {{ if eq (env "SENDER_LOGINS_POSTFIX_OVERRIDES") "1" }}
 # https://github.com/Mailu/Mailu/issues/1096

release/1.1.0+2.0.34

@@ -1,18 +0,0 @@
-# Secret key
-
-The secret key is now stored as a docker secret instead of a variable in the
-env file. You need to insert it by running:
-`abra app secret insert <your mailu app> secret_key v1 <SECRETKEYHERE>`
-and you can remove `SECRET_KEY` from your config file.
-
-# `DOMAIN` is now `MAIL_DOMAIN`
-
-This is important! If your main e-mail domain is something else than the
-domain you are reaching the web interface at, you need to make changes.
-I.e. in our setup we have `autonomic.zone` pointing an A record at some server
-and `mail.autonomic.zone` is a separate server, and MX records are pointing
-to the server at `mail.autonomic.zone`.
-In this case:
-  - `DOMAIN` should be `mail.autonomic.zone` - this is what traefik will use to
-  provision a certificate
-  - `MAIL_DOMAIN` should be `autonomic.zone`

release/3.0.0+2024.06.27

@@ -1,3 +0,0 @@
-ALERTA! 🚨 Mailu has dropped support for STARTTLS by default – see details here: https://mailu.io/2024.06/releases.html#starttls-ports-disabled-by-default
-
-If you are relying on STARTTLS, e.g. SMTP port 587, please copy the example `PORTS` variable from `~/.abra/recipes/mailu/.env.example` BEFORE deploying.