mailu / mailu
Insular email distribution - mail server as Docker images
Home Page: https://mailu.io
License: Other
As suggested by @XYUnknown in #40, the TLS configuration should be upgraded.
Some great and consistent documentation: https://bettercrypto.org/static/applied-crypto-hardening.pdf
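As an added illustration of the kind of settings the linked guide covers (example configuration written for this note, not the project's shipped config), the fragment below shows Postfix main.cf and Dovecot 2.2 SSL settings with SSLv2/SSLv3 disabled and server-side cipher preference; the cipher string and the /certs/dhparam.pem path are assumptions to adapt to the deployment:

```conf
# Postfix main.cf (added example; the DH parameter path is an assumption)
# Port 25 stays opportunistic so remote MTAs without TLS can still deliver;
# enforce TLS on the submission service in master.cf instead
# (-o smtpd_tls_security_level=encrypt).
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_ciphers = high
tls_preempt_cipherlist = yes
smtpd_tls_dh1024_param_file = /certs/dhparam.pem
smtpd_tls_loglevel = 1
# Outbound: use TLS when the remote offers it, never SSLv2/SSLv3
smtp_tls_security_level = may
smtp_tls_protocols = !SSLv2, !SSLv3

# Dovecot 2.2 conf.d/10-ssl.conf (added example; cipher list is an assumption)
# "required" rejects plaintext authentication on unencrypted connections.
ssl = required
ssl_protocols = !SSLv2 !SSLv3
ssl_prefer_server_ciphers = yes
ssl_cipher_list = ECDHE+AESGCM:DHE+AESGCM:ECDHE+AES256:DHE+AES256:!aNULL:!MD5:!RC4
ssl_dh_parameters_length = 2048
```

The split between opportunistic TLS on port 25 and mandatory TLS on submission matters: forcing encryption on 25 would make the server unreachable for legitimate senders that do not support TLS, while leaving it optional on submission would let client credentials travel in clear.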
Many Docker admins are used to running latest on production and simply updating whenever a new image is available (even using Watchtower).
Because we often commit to master, which then builds to latest, this leads to many updates, sometimes unstable (which is of course undesirable, especially for something as critical as email). It would be nice to have a separate unstable or testing Docker tag, either built from the master Git branch or a separate unstable Git branch.
I am not used to this kind of workflow and will look at how large projects handle the matter. Any feedback or opinion is welcome, I would like to switch to a proper workflow before release 1.2.
My default preferences (mostly because I do not know any other workflow, so please argue with me!):
master branch for daily commits
I am also wondering what would be the best workflow to manage backported fixes and features, provided that they are not always on separate branches (some quick fixes are committed directly to master).
In the fetchmail configuration, entries seem duplicated.
Currently no authentication is implemented. Multiple issues will have to be tackled:
The Dovecot Antispam (http://wiki2.dovecot.org/Plugins/Antispam) plugin should be enabled and configured for Amavis to update its database based on user feedback.
Many assets are still loaded from remote hosts, mostly due to Flask-Bootstrap and AdminLTE.
Additionally, using BOOTSTRAP_SERVE_LOCAL = True fails when loading jQuery or Bootstrap stylesheets.
Access control has become a mess in the past months and would need some proper design, definitions and refactoring. It is still readable for now but will probably become a burden in the near future if the issue is not addressed soon.
Some users will prefer to send outgoing emails through a relay host, because of networking constraints or reputation issues.
A global configuration option should be added that offers to send outgoing emails through a relay host.
Default fetchmail configuration does not enforce certificate checks when using TLS.
fetchmail: Server certificate verification error: unable to get local issuer certificate
fetchmail: Broken certification chain at: /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
fetchmail: This could mean that the server did not provide the intermediate CA's certificate(s), which is nothing fetchmail could do anything about. For details, please see the README.SSL-SERVER document that ships with fetchmail.
fetchmail: This could mean that the root CA's signing certificate is not in the trusted CA certificate location, or that c_rehash needs to be run on the certificate directory. For details, please see the documentation of --sslcertpath and --sslcertfile in the manual page.
fetchmail: Warning: the connection is insecure, continuing anyways. (Better use --sslcertck!)
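The warning above is what fetchmail prints when TLS is requested without sslcertck. As an added example (not code from the project), the Python below lints a constructed fetchmailrc for poll entries that use TLS without certificate checking, or no TLS at all, and shows how to append sslcertck to an offending line. It assumes the common one-poll-per-line layout; the real fetchmailrc grammar is looser, so treat it as a conservative heuristic rather than a full parser.

```python
"""Lint a fetchmailrc for poll entries that use TLS without certificate checks.

Added example, not part of the project's code. It handles the common
one-entry-per-"poll"-line form of fetchmailrc; the real grammar is looser,
so this is a conservative heuristic, not a full parser.
"""
import re

# Constructed sample (hostnames and credentials are placeholders): the first
# entry is the weak form fetchmail warns about, the second sets sslcertck,
# the third uses plain POP3 without TLS at all.
SAMPLE_FETCHMAILRC = """\
set daemon 300
poll imap.example.com proto imap user "alice" pass "secret" ssl
poll imap.example.org proto imap user "bob" pass "secret" ssl sslcertck sslcertpath /etc/ssl/certs
poll pop.example.net proto pop3 user "carol" pass "secret"
"""

_POLL_RE = re.compile(r'^\s*poll\s+(?P<host>\S+)(?P<rest>.*)$')


def lint_fetchmailrc(text):
    """Return a list of (host, finding) tuples for entries that need attention.

    Findings:
      "tls-without-sslcertck": the entry asks for TLS (ssl / sslproto) but
         never sets sslcertck, so fetchmail logs the warning above and keeps
         going over an unverified connection.
      "no-tls": the entry does not ask for TLS at all (credentials in clear).
    """
    findings = []
    for line in text.splitlines():
        m = _POLL_RE.match(line)
        if not m:
            continue  # "set" lines, comments, blank lines
        host = m.group("host")
        words = m.group("rest").split()
        uses_tls = "ssl" in words or "sslproto" in words
        if not uses_tls:
            findings.append((host, "no-tls"))
        elif "sslcertck" not in words:
            findings.append((host, "tls-without-sslcertck"))
    return findings


def harden_line(line):
    """Append sslcertck to a poll line that uses TLS without it (idempotent)."""
    m = _POLL_RE.match(line)
    if not m:
        return line
    words = m.group("rest").split()
    if ("ssl" in words or "sslproto" in words) and "sslcertck" not in words:
        return line.rstrip() + " sslcertck"
    return line


if __name__ == "__main__":
    for host, finding in lint_fetchmailrc(SAMPLE_FETCHMAILRC):
        print(f"{host}: {finding}")
```

With sslcertck set, a chain that cannot be verified (as in the log above) becomes a hard failure instead of a warning, which is the behaviour you want for a credential-carrying session; pair it with sslcertpath pointing at the container's CA bundle so that verification has something to verify against.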
I am thinking about including Watchtower in docker-compose.yml in order to send notifications to the administrator address about new available images.
A configuration variable could also be set to enable automatic updates for users who know what they are doing.
Rmilter now filters all incoming and outgoing mail. It should be able to apply DKIM signatures.
Provide a way to auto-generate and renew the TLS certificate if none is provided or if it is expired.
I strongly dislike the security measures/practices which are implemented. In a default Email Server setup, the admin interface is reachable from the web, which wasn't audited for security and is prone to bugs.
Admittedly, I am a proponent of security over usability when it comes to servers. Although freeposte is supposed to be an all-inclusive and easy-setup email server stack, the default setup should enforce stronger security requirements:
When building from the latest alpine image, the imap container fails during startup with:
Fatal: service(auth-worker) Group doesn't exist: dovecot (See service auth-worker { unix_listener /run/dovecot/auth-worker { group } } setting)
I believe Freeposte.io should have an automated testset for future upgrades. The kind of tests that we could easily script:
More complex tests that will probably require some framework:
Most configuration is currently hardcoded, which is ok because fine tuning should only be available to advanced users (who can easily mount a configuration file to override some settings).
However, some mandatory settings should be exported as environment variables and documented:
Fetchmail errors are currently only logged to Docker and never displayed to the end user. Authentication failures for instance might go unnoticed.
Messages categorized as Junk by rspamd are not marked as read when moved to the Junk folder.
When editing an alias, the select list is not prefilled with the alias destination.
First, great job with this project!
I configured SES in the postfix container. Then, in my freeposte.db I see with SQLite that I have forward_enabled = 1 and forward_destination filled with my gmail account, but it is not working. When I send an email, it is not forwarded... can you help me?
First of all - great job on this project. I've actually been looking for months for a future proof alternative to a simple mail solution and all the stock solutions like Axigen and Zimbra are terrible overkill for my use case. Poste.io showed up on my radar and I really like what it's doing, but it's too obviously developed closed source by a single developer to rely on it with a business regrettably, besides $349 being terribly overpriced for a beta product. It's also fundamentally flawed in trying to put all services into one big container instead of deploying scalable microservices. Your project has great potential and I think with some proper exposure it could really gain traction as a de facto Dockerized mail stack.
I do however also think the current approach is too monolithic. I have no Python developers in my company, and that blocks us from customizing and extending the admin, while I would love to help there. It would be great if, instead of an admin, you would expose a REST API instead so anyone can write their own admin instead. Same kinda goes for Roundcube, I don't think it belongs in the mail stack itself (I'd prefer Rainloop myself which is also FOSS if unbranded). It would be good to separate webmail and the current admin to optional 'extension' packages.
An added advantage would be that it would become pretty trivial to add a CLI interface for the hardcore sysadmins as well in another container.
Gives admins the ability to make a public announcement to all server users, in the form of an e-mail.
When the configured auto-reply body is a multiline string, the resulting reply email has an empty body.
I am wondering if freeposte.io can create and manage mailing lists?
If it's not possible yet, I may help to develop this feature :)
First, thanks for your great work.
I want to find an open alternative to poste.io and I found your project.
But I have a problem with the imap container (Dovecot):
Aug 02 19:52:32 imap(*******@******): Error: Couldn't load required plugin /usr/lib/dovecot/lib90_antispam_plugin.so: Module is for different ABI version 2.2.ABIv24(2.2.24) (we have 2.2.ABIv25(2.2.25))
Aug 02 19:52:32 imap(*******@******): Error: Internal error occurred. Refer to server log for more information.
So, I have this message every time I try to access Roundcube (and I get this message in Roundcube: Connection to storage server failed.)
How could I repair that?
Best regards,
Daemons embedded in Freeposte have many configuration options, most of which are not tunable through the usual Freeposte interface. It would be interesting to be able to tune them using specific freeposte.env entries or configuration files.
In the postfix container: apk add postfix-pcre
In the configuration file /etc/postfix/master.cf, for submission add:
-o cleanup_service_name=authclean
authclean unix n - n - 0 cleanup
-o header_checks=pcre:/etc/postfix/outgoing_mail_header_filters
Add /etc/postfix/outgoing_mail_header_filters for postmap using something similar to:
https://raw.githubusercontent.com/mail-in-a-box/mailinabox/master/conf/postfix_outgoing_mail_header_filters
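To see what such a header_checks table actually does to a submitted message before wiring it into the authclean cleanup service, here is an added example (not the project's code and not the mailinabox file itself) that applies the same kind of pcre rules in Python: first matching rule wins, IGNORE drops the header, REPLACE substitutes it. The rule set and the sample message are constructed for this note; the rules are modelled on the usual "privacy" filters that remove the submitting client's IP address and mail client name.

```python
"""Apply Postfix-style header_checks rules to an outgoing message, offline.

Added example, not the project's code. Mirrors the semantics of a pcre
header_checks table: each logical (unfolded) header is matched against the
rules in order, the first match decides, IGNORE removes the header and
REPLACE substitutes the given text. The rule set below is an assumption
modelled on typical outgoing-mail privacy filters; adapt it to taste.
"""
import re

HEADER_RULES = [
    # Drop the Received header Postfix adds for an authenticated submission
    # client; it would otherwise expose the user's IP address and hostname.
    (re.compile(r'^Received:.*\(Authenticated sender:', re.I | re.S), ("IGNORE", None)),
    # Drop headers that reveal the originating address or the mail client.
    (re.compile(r'^(X-Originating-IP|User-Agent|X-Enigmail-Version):', re.I), ("IGNORE", None)),
    # REPLACE shown for completeness: keep the header, blank its content.
    (re.compile(r'^X-Mailer:', re.I), ("REPLACE", "X-Mailer: (removed)")),
]

# Constructed sample message (addresses and IP are documentation placeholders).
SAMPLE_MESSAGE = """\
Received: from laptop.home.example (203.0.113.7)
\tby mail.example.com (Postfix) with ESMTPSA id ABC123
\t(Authenticated sender: alice@example.com)
\tfor <bob@example.org>; Mon, 01 Aug 2016 10:00:00 +0000
From: alice@example.com
To: bob@example.org
Subject: hello
X-Originating-IP: [203.0.113.7]
User-Agent: Thunderbird 45.2.0

Body text.
"""


def unfold_headers(header_block):
    """Join folded continuation lines so each list item is one logical header."""
    headers = []
    for line in header_block.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += "\n" + line
        else:
            headers.append(line)
    return headers


def apply_header_checks(raw_message, rules=HEADER_RULES):
    """Return (filtered_message, actions), actions being (header_name, action) pairs."""
    head, sep, body = raw_message.partition("\n\n")
    kept, actions = [], []
    for header in unfold_headers(head):
        name = header.split(":", 1)[0]
        for pattern, (action, replacement) in rules:
            if pattern.search(header):
                actions.append((name, action))
                if action == "REPLACE":
                    kept.append(replacement)
                break  # first matching rule wins, as in Postfix
        else:
            kept.append(header)
    return "\n".join(kept) + sep + body, actions


if __name__ == "__main__":
    filtered, actions = apply_header_checks(SAMPLE_MESSAGE)
    print(actions)
    print(filtered)
```

Because the rules are attached only to the authclean cleanup service that the submission port uses, inbound mail relayed from other MTAs keeps its full Received chain, which is what you want for abuse tracing; the Received rule above is also anchored on "(Authenticated sender:" so that it only ever matches the hop added for the local client.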
We should include a database migration system before the next schema update.
While logged in as a user with a long email address, the sidebar subtitle breaks the layout because the email address overflows.
Hi,
I got Freeposte up and running but the antivirus docker has these errors:
LibClamAV Warning: Cannot dlopen libclamunrar_iface: file not found - unrar support unavailable
LibClamAV Error: cli_loaddbdir(): No supported database files found in /data
ERROR: Can't open file or directory
How can I solve this?
Regards,
In its current state the postfix config fails with the message:
postfix/master[28]: fatal: relayhost parameter setting must not contain multiple values: {{ RELAYHOST }}
I am currently setting up a demo/tests server with public access. Any suggestions on how-to manage the machine?
My main questions for now:
When creating admins and managers, the current version uses a tag list, which is fine but misleading.
Using drop-down lists, with autocompletion if required, is a lot more appropriate.
How to create a catchall alias from the admin interface? '*' doesn't work, and neither does an empty string. Is this even a feature here? If not, why, and if it is, how do I set it up?
When deleting a domain with users and/or aliases, instead of cascade deletion, the domain is removed and not-null constraints are violated:
sqlalchemy.exc.IntegrityError: (sqlite3.IntegrityError) NOT NULL constraint failed: user.domain_name [SQL: 'UPDATE user SET updated_at=?, domain_name=? WHERE user.email = ?'] [parameters: ('2016-07-31', None, '[email protected]')]
There are two possible fixes:
So this might be a problem just for myself, but I perform hourly backups of containers.
The filter directory has clamav dumping .tmp files within this folder. This causes a huge amount of wasted space on these files that aren't really needed for the operation of the container or rebooting a container. I'm not sure currently since I've not tested if configuring clamav to use /tmp for this will place them there or within /var/lib/rspamd
Files are similar to:
$PATH/filter/clamav-bbcb0575bd5d03b21ebe06ea847906a8.tmp
$PATH/filter/clamav-a6d3a1c3f188f8761b7fe6dd4dee5e9c.tmp
[...]
Some of the containers currently fail to shutdown gracefully when docker stop is executed. The way signals are handled is probably not forwarding the termination signal.
Most administrative actions use simple requests with no CSRF check. Those should be added to prevent some attack schemes.
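One way to add the missing check, as an added example that is not the project's code: a per-session random token embedded in every state-changing form and compared in constant time on the server. The session is modelled as a plain dict and the request as a dict with "method" and "form" keys standing in for the framework's objects, so the logic runs offline; a Flask view would read the same values from flask.session and request.form.

```python
"""Session-bound CSRF tokens for state-changing admin actions.

Added example, not the project's code. Framework-independent helpers: the
session is a dict (Flask's session object works the same way) and the
request is a dict with "method" and "form" keys, standing in for a real
request object.
"""
import hmac
import secrets
from functools import wraps

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


class CSRFError(Exception):
    """Raised when a state-changing request lacks a valid token."""


def get_csrf_token(session):
    """Return the session's CSRF token, creating a random one on first use."""
    if "_csrf_token" not in session:
        session["_csrf_token"] = secrets.token_urlsafe(32)
    return session["_csrf_token"]


def csrf_ok(session, method, submitted_token):
    """True if a request with this method and token may change state.

    Safe methods skip the check by design, so any action that changes state
    must be routed to POST only; otherwise a plain link is enough to trigger it.
    """
    if method.upper() in SAFE_METHODS:
        return True
    expected = session.get("_csrf_token")
    if not expected or not submitted_token:
        return False
    return hmac.compare_digest(expected, submitted_token)  # constant-time compare


def csrf_protect(view):
    """Decorator: run the view only when csrf_ok passes for the request."""
    @wraps(view)
    def wrapper(session, request, *args, **kwargs):
        token = request.get("form", {}).get("csrf_token")
        if not csrf_ok(session, request["method"], token):
            raise CSRFError("missing or invalid CSRF token")
        return view(session, request, *args, **kwargs)
    return wrapper


def hidden_csrf_field(session):
    """HTML to include in every state-changing form (token is URL-safe, no escaping needed)."""
    return f'<input type="hidden" name="csrf_token" value="{get_csrf_token(session)}">'


@csrf_protect
def delete_admin(session, request, email):
    """Stand-in for an admin action; returns what would have been deleted."""
    return f"deleted {email}"


def demo():
    """Walk through the interesting cases; returns a list of (case, allowed) pairs."""
    session = {}
    token = get_csrf_token(session)
    other_token = get_csrf_token({})  # token issued to a different session
    cases = [
        ("post-with-own-token", {"method": "POST", "form": {"csrf_token": token}}),
        ("post-without-token", {"method": "POST", "form": {}}),
        ("post-with-foreign-token", {"method": "POST", "form": {"csrf_token": other_token}}),
    ]
    results = []
    for name, request in cases:
        try:
            delete_admin(session, request, "admin@example.com")
            results.append((name, True))
        except CSRFError:
            results.append((name, False))
    return results


if __name__ == "__main__":
    for name, allowed in demo():
        print(f"{name}: {'allowed' if allowed else 'rejected'}")
```

The confirmation page pattern already used by the admin (confirm.html in the traceback further down) fits this naturally: the GET renders the form with hidden_csrf_field, and only the POST from that form performs the deletion.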
When the SQLite database changes, for instance when a new row is inserted for a domain, postfix does not seem to reload the contents and keeps on failing with Relay access denied.
Same goes when a domain is deleted: postfix accepts the incoming email, then tries to relay it because the domain is not actually referenced in the database (it seems like smtp is not aware of the change while qmgr is somehow).
Other services relying on SQLite are just fine (dovecot).
I get the following error when deleting a global admin:
admin_1 | Traceback (most recent call last):
admin_1 | File "/usr/local/lib/python3.5/site-packages/gunicorn/workers/sync.py", line 135, in handle
admin_1 | self.handle_request(listener, req, client, addr)
admin_1 | File "/usr/local/lib/python3.5/site-packages/gunicorn/workers/sync.py", line 176, in handle_request
admin_1 | respiter = self.wsgi(environ, resp.start_response)
admin_1 | File "/usr/local/lib/python3.5/site-packages/flask/app.py", line 2000, in __call__
admin_1 | return self.wsgi_app(environ, start_response)
admin_1 | File "/usr/local/lib/python3.5/site-packages/flask/app.py", line 1991, in wsgi_app
admin_1 | response = self.make_response(self.handle_exception(e))
admin_1 | File "/usr/local/lib/python3.5/site-packages/flask/app.py", line 1567, in handle_exception
admin_1 | reraise(exc_type, exc_value, tb)
admin_1 | File "/usr/local/lib/python3.5/site-packages/flask/_compat.py", line 33, in reraise
admin_1 | raise value
admin_1 | File "/usr/local/lib/python3.5/site-packages/flask/app.py", line 1988, in wsgi_app
admin_1 | response = self.full_dispatch_request()
admin_1 | File "/usr/local/lib/python3.5/site-packages/flask/app.py", line 1641, in full_dispatch_request
admin_1 | rv = self.handle_user_exception(e)
admin_1 | File "/usr/local/lib/python3.5/site-packages/flask/app.py", line 1544, in handle_user_exception
admin_1 | reraise(exc_type, exc_value, tb)
admin_1 | File "/usr/local/lib/python3.5/site-packages/flask/_compat.py", line 33, in reraise
admin_1 | raise value
admin_1 | File "/usr/local/lib/python3.5/site-packages/flask/app.py", line 1639, in full_dispatch_request
admin_1 | rv = self.dispatch_request()
admin_1 | File "/usr/local/lib/python3.5/site-packages/flask/app.py", line 1625, in dispatch_request
admin_1 | return self.view_functions[rule.endpoint](**req.view_args)
admin_1 | File "/app/freeposte/admin/utils.py", line 18, in wrapper
admin_1 | "confirm.html", action=action.format(*args, **kwargs),
admin_1 | KeyError: 'admin '
Two APKs are still being shipped as is in binary:
In addition to being ugly, these cause a lot of headaches when Dovecot ABI version is incremented.
We should:
We should upgrade Roundcube and test with version 1.2.1.
The exact error message when starting Dovecot from the latest build:
doveconf: Error: Couldn't load plugin /usr/lib/dovecot/settings/libmanagesieve_login_settings.so: Module is for different ABI version 2.2.ABIv22(2.2.22) (we have 2.2.ABIv20(2.2.20))
doveconf: Error: Couldn't load plugin /usr/lib/dovecot/settings/libmanagesieve_settings.so: Module is for different ABI version 2.2.ABIv22(2.2.22) (we have 2.2.ABIv20(2.2.20))
doveconf: Error: Couldn't load plugin /usr/lib/dovecot/settings/libpigeonhole_settings.so: Module is for different ABI version 2.2.ABIv22(2.2.22) (we have 2.2.ABIv20(2.2.20))
doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf: protocols: Unknown protocol: sieve
It seems that the APK shipped is not compatible anymore and should be rebuilt.
After running docker-compose up -d, I just executed manage.py to create an administrator account and I found it always unexpectedly shows warnings (as below). I am able to successfully log in. However, I could not access the Manage Domains page in the admin console.
# docker exec -it freeposte_admin_1 python manage.py admin admin example.net admin
/usr/local/lib/python3.5/site-packages/sqlalchemy/ext/declarative/api.py:173: SAWarning: Unmanaged access of declarative attribute domain_name from non-mapped class Email
(desc.fget.__name__, cls.__name__))
/usr/local/lib/python3.5/site-packages/sqlalchemy/ext/declarative/api.py:173: SAWarning: Unmanaged access of declarative attribute email from non-mapped class Email
(desc.fget.__name__, cls.__name__))
After a while of investigation, I found that there is an error upgrading from the initial database schema.
sqlalchemy.exc.OperationalError: (sqlite3.OperationalError) Cannot add a NOT NULL column with default value NULL [SQL: 'ALTER TABLE alias ADD COLUMN wildcard BOOLEAN NOT NULL']
Hope that might contribute to this project.
Hi, I would like to forward to many destinations, but I don't see that option in the administration interface; when I fill the box with various email addresses (separated by spaces or commas), it is not working for me.
On the other hand, I think there is a bug in the edit alias page, because when I try to add many email addresses and save the configuration with the Create button, when I check the aliases again, only one appears.
This can be solved (workaround) with the new config override feature (#29, #31), changing the virtual_alias_maps parameter of main.cf with a table map file:
/freeposte/overrides/postfix.cf
virtual_alias_maps = hash:/etc/postfix/virtual_alias.map
/freeposte/overrides/virtual_alias.map
Mostly when updating a user object, we are experiencing some very bad SQLite locking issues since around commit ccb37ad.
I have little experience with SQLite locks from SQLAlchemy, will dig into it before releasing 1.0.
User settings mostly consist of spam filtering settings: enabling spam filtering and setting the sensitivity.
These are currently not taken into account as they should be. This will be implemented as pigeonhole extdata attributes and sieve logic.
The fetchmail configuration file is currently displayed in logs, including passwords. This should not happen.