Merge remote-tracking branch 'upstream/master' into sessions-tweaks

2025-11-01 18:47:52 +00:00 · 2021-12-19 23:31:58 +01:00
parent dc275db482 c5966b29db
commit 5fe5c80064
11 changed files with 222 additions and 106 deletions
--- a/docs/compose/docker-compose.yml
+++ b/docs/compose/docker-compose.yml
@@ -100,6 +100,7 @@ services:
    env_file: .env
    volumes:
      - "$ROOT/webmail:/data"
+      - "$ROOT/overrides/$WEBMAIL:/overrides:ro"
    depends_on:
      - imap

--- a/docs/compose/traefik/docker-compose.yml
+++ b/docs/compose/traefik/docker-compose.yml
@@ -128,6 +128,7 @@ services:
    env_file: .env
    volumes:
      - "$ROOT/webmail:/data"
+      - "$ROOT/overrides/$WEBMAIL:/overrides:ro"
    depends_on:
      - imap

--- a/docs/configuration.rst
+++ b/docs/configuration.rst
@@ -263,6 +263,50 @@ The roundcube service stores configurations in a database.
 - ``ROUNDCUBE_DB_USER``: the database user for roundcube service. (when not ``sqlite``)
 - ``ROUNDCUBE_DB_NAME``: the database name for roundcube service. (when not ``sqlite``)

+Webmail settings
+----------------
+
+When using roundcube it is possible to select the plugins to be enabled by setting ``ROUNDCUBE_PLUGINS`` to
+a comma separated list of plugin-names. Included plugins are:
+
+- acl (needs configuration)
+- additional_message_headers (needs configuration)
+- archive
+- attachment_reminder
+- carddav
+- database_attachmentsi
+- debug_logger
+- emoticons
+- enigma
+- help
+- hide_blockquote
+- identicon
+- identity_select
+- jqueryui
+- mailu
+- managesieve
+- markasjunk
+- new_user_dialog
+- newmail_notifier
+- reconnect
+- show_additional_headers (needs configuration)
+- subscriptions_option
+- vcard_attachments
+- zipdownload
+
+If ``ROUNDCUBE_PLUGINS`` is not set the following plugins are enabled by default:
+
+- archive
+- carddav
+- enigma
+- mailu
+- managesieve
+- markasjunk
+- zipdownload
+
+To disable all plugins just set ``ROUNDCUBE_PLUGINS`` to ``mailu``.
+
+To configure a plugin add php files named ``*.inc`` to roundcube's :ref:`override section <override-label>`.

 Mail log settings
 -----------------
--- a/setup/flavors/compose/docker-compose.yml
+++ b/setup/flavors/compose/docker-compose.yml
@@ -147,6 +147,7 @@ services:
    env_file: {{ env }}
    volumes:
      - "{{ root }}/webmail:/data"
+      - "{{ root }}/overrides/{{ webmail_type }}:/overrides:ro"
    depends_on:
      - imap
  {% endif %}
--- a/setup/flavors/stack/docker-compose.yml
+++ b/setup/flavors/stack/docker-compose.yml
@@ -123,6 +123,7 @@ services:
    env_file: {{ env }}
    volumes:
      - "{{ root }}/webmail:/data"
+      - "{{ root }}/overrides/{{ webmail_type }}:/overrides:ro"
    deploy:
      replicas: 1
    healthcheck:
--- a/towncrier/newsfragments/2035.enhancement
+++ b/towncrier/newsfragments/2035.enhancement
@@ -0,0 +1 @@
+updated roundcube to 1.5 and carddav to 4.2.2 using php8
--- a/webmails/roundcube/Dockerfile
+++ b/webmails/roundcube/Dockerfile
@@ -1,10 +1,10 @@
-# NOTE: only add file if building for arm
+# NOTE: only add qemu-arm-static if building for arm
 ARG ARCH=""
 ARG QEMU=other
-FROM ${ARCH}php:7.4-apache as build_arm
+FROM ${ARCH}php:8.0-apache as build_arm
 ONBUILD COPY --from=balenalib/rpi-alpine:3.14 /usr/bin/qemu-arm-static /usr/bin/qemu-arm-static
+FROM ${ARCH}php:8.0-apache as build_other

-FROM ${ARCH}php:7.4-apache as build_other

 FROM build_${QEMU}
 ARG VERSION
@@ -12,25 +12,37 @@ ENV TZ Etc/UTC

 LABEL version=$VERSION

-#Shared layer between rainloop and roundcube
-RUN apt-get update && apt-get install -y \
-  python3 curl python3-pip git python3-multidict tzdata \
-  && rm -rf /var/lib/apt/lists \
-  && echo "ServerSignature Off\nServerName roundcube" >> /etc/apache2/apache2.conf \
-  && sed -i 's,CustomLog.*combined$,\0 "'"expr=!(%{HTTP_USER_AGENT}=='health'\&\&(-R '127.0.0.1/8' || -R '::1'))"'",' /etc/apache2/sites-available/000-default.conf
+RUN set -eu \
+ && apt update \
+ && echo 'debconf debconf/frontend select Noninteractive' | debconf-set-selections \
+ && apt install -y --no-install-recommends \
+      python3 curl python3-pip git python3-multidict \
+      python3-jinja2 gpg tzdata \
+ && pip3 install socrate \
+ && echo date.timezone=UTC > /usr/local/etc/php/conf.d/timezone.ini \
+ && echo "ServerSignature Off\nServerName roundcube" >> /etc/apache2/apache2.conf \
+ && sed -i 's,CustomLog.*combined$,\0 "'"expr=!(%{HTTP_USER_AGENT}=='health'\&\&(-R '127.0.0.1/8' || -R '::1'))"'",' /etc/apache2/sites-available/000-default.conf \
+\
+ && mark="$(apt-mark showmanual)" \
+ && apt install -y --no-install-recommends \
+      libfreetype6-dev libicu-dev libjpeg62-turbo-dev libldap2-dev libmagickwand-dev \
+      libpng-dev libpq-dev libsqlite3-dev libzip-dev libpspell-dev libonig-dev \
+ && ln -s php.ini-production /usr/local/etc/php/php.ini \
+ && docker-php-ext-configure gd --with-jpeg --with-freetype \
+ && docker-php-ext-install exif gd intl zip pspell pdo_mysql pdo_pgsql pdo_sqlite \
+ && pecl install imagick \
+ && docker-php-ext-enable imagick opcache \
+ && apt-mark auto '.*' >/dev/null \
+ && apt-mark manual ${mark} >/dev/null \
+ && ldd "$(php -r 'echo ini_get("extension_dir");')"/*.so | awk '/=>/ { print $3 }' | sort -u | \
+    xargs -r dpkg-query -S | cut -d: -f1 | sort -u | xargs -r apt-mark manual >/dev/null \
+ && apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false \
+ && rm -rf /var/lib/apt/lists

-# Shared layer between nginx, dovecot, postfix, postgresql, rspamd, unbound, rainloop, roundcube
-RUN pip3 install socrate
+ENV ROUNDCUBE_URL https://github.com/roundcube/roundcubemail/releases/download/1.5.1/roundcubemail-1.5.1-complete.tar.gz
+ENV CARDDAV_URL https://github.com/mstilkerich/rcmcarddav/releases/download/v4.3.0/carddav-v4.3.0.tar.gz

-ENV ROUNDCUBE_URL https://github.com/roundcube/roundcubemail/releases/download/1.4.11/roundcubemail-1.4.11-complete.tar.gz
-
-ENV CARDDAV_URL https://github.com/mstilkerich/rcmcarddav/releases/download/v4.1.2/carddav-v4.1.2.tar.gz
-
-RUN apt-get update && apt-get install -y \
-      zlib1g-dev libzip4 libzip-dev libpq-dev \
-      python3-jinja2 \
-      gpg \
- && docker-php-ext-install zip pdo_mysql pdo_pgsql \
+RUN set -eu \
 && rm -rf /var/www/html/ \
 && cd /var/www \
 && curl -sL ${ROUNDCUBE_URL} | tar xz \
@@ -38,27 +50,29 @@ RUN apt-get update && apt-get install -y \
 && mv roundcubemail-* html \
 && mv carddav html/plugins/ \
 && cd html \
- && rm -rf CHANGELOG INSTALL LICENSE README.md UPGRADING composer.json-dist installer composer.* \
- && sed -i 's,mod_php5.c,mod_php7.c,g' .htaccess \
- && sed -i 's,^php_value.*post_max_size,#&,g' .htaccess \
- && sed -i 's,^php_value.*upload_max_filesize,#&,g' .htaccess \
+ && rm -rf CHANGELOG.md SECURITY.md INSTALL LICENSE README.md UPGRADING composer.json-dist installer composer.* \
 && ln -sf index.php /var/www/html/sso.php \
 && ln -sf /dev/stderr /var/www/html/logs/errors.log \
 && chown -R root:root . \
 && chown www-data:www-data logs temp \
 && chmod -R a+rX . \
- && rm -rf /var/lib/apt/lists \
- && a2enmod rewrite deflate expires headers
+ && a2enmod rewrite deflate expires headers \
+ && echo date.timezone=${TZ} > /usr/local/etc/php/conf.d/timezone.ini \
+ && rm -rf plugins/{autologon,example_addressbook,http_authentication,krb_authentication,new_user_identity,password,redundant_attachments,squirrelmail_usercopy,userinfo,virtuser_file,virtuser_query}
+
+# enable database_attachments (and memcache?)

-COPY php.ini /php.ini
-COPY config.inc.php /var/www/html/config/
 COPY mailu.php /var/www/html/plugins/mailu/mailu.php
-COPY start.py /start.py
+COPY php.ini /
+COPY config.inc.php /
+COPY start.py /

 EXPOSE 80/tcp
-VOLUME ["/data"]
+VOLUME /data
+VOLUME /overrides

 CMD /start.py

 HEALTHCHECK CMD curl -f -L -H 'User-Agent: health' http://localhost/ || exit 1
-RUN echo $VERSION >> /version
+
+RUN echo $VERSION >> /version
--- a/webmails/roundcube/config.inc.php
+++ b/webmails/roundcube/config.inc.php
@@ -3,46 +3,29 @@
 $config = array();

 // Generals
-$config['db_dsnw'] = getenv('DB_DSNW');;
+$config['db_dsnw'] = '{{ DB_DSNW }}';
 $config['temp_dir'] = '/tmp/';
-$config['des_key'] = getenv('SECRET_KEY') ? getenv('SECRET_KEY') : trim(file_get_contents(getenv('SECRET_KEY_FILE')));
+$config['des_key'] = '{{ SECRET_KEY }}';
 $config['cipher_method'] = 'AES-256-CBC';
 $config['identities_level'] = 0;
 $config['reply_all_mode'] = 1;
-
-// List of active plugins (in plugins/ directory)
-$config['plugins'] = array(
-    'archive',
-    'zipdownload',
-    'markasjunk',
-    'managesieve',
-    'enigma',
-    'carddav'
-);
-
-$front = getenv('FRONT_ADDRESS') ? getenv('FRONT_ADDRESS') : 'front';
-$imap  = getenv('IMAP_ADDRESS')  ? getenv('IMAP_ADDRESS')  : 'imap';
+$config['log_driver'] = 'stdout';
+$config['zipdownload_selection'] = true;
+$config['enable_spellcheck'] = true;
+$config['spellcheck_engine'] = 'pspell';

 // Mail servers
-$config['default_host'] = $front;
+$config['default_host'] = '{{ FRONT_ADDRESS or "front" }}';
 $config['default_port'] = 10143;
-$config['smtp_server'] = $front;
+$config['smtp_server'] = '{{ FRONT_ADDRESS or "front" }}';
 $config['smtp_port'] = 10025;
 $config['smtp_user'] = '%u';
 $config['smtp_pass'] = '%p';

 // Sieve script management
-$config['managesieve_host'] = $imap;
+$config['managesieve_host'] = '{{ IMAP_ADDRESS or "imap" }}';
 $config['managesieve_usetls'] = false;

-// Customization settings
-if (filter_var(getenv('ADMIN'), FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE)) {
-	$config['support_url'] = getenv('WEB_ADMIN') ? '../..' . getenv('WEB_ADMIN') : '';	
-}
-$config['product_name'] = 'Mailu Webmail';
-array_push($config['plugins'], 'mailu');
-$config['sso_logout_url'] = '/sso/logout';
-
 // We access the IMAP and SMTP servers locally with internal names, SSL
 // will obviously fail but this sounds better than allowing insecure login
 // from the outter world
@@ -56,11 +39,27 @@ $config['imap_conn_options'] = $ssl_no_check;
 $config['smtp_conn_options'] = $ssl_no_check;
 $config['managesieve_conn_options'] = $ssl_no_check;

+// roundcube customization
+$config['product_name'] = 'Mailu Webmail';
+{%- if ADMIN and WEB_ADMIN %}
+$config['support_url'] = '../..{{ WEB_ADMIN }}';
+{%- endif %}
+$config['plugins'] = array({{ PLUGINS }});
+
 // skin name: folder from skins/
 $config['skin'] = 'elastic';

-// Enigma gpg plugin
+// configure mailu sso plugin
+$config['sso_logout_url'] = '/sso/logout';
+
+// configure enigma gpg plugin
 $config['enigma_pgp_homedir'] = '/data/gpg';

-// Set From header for DKIM signed message delivery reports
+// set From header for DKIM signed message delivery reports
 $config['mdn_use_from'] = true;
+
+// includes
+{%- for inc in INCLUDES %}
+include('{{ inc }}');
+{%- endfor %}
+
--- a/webmails/roundcube/healthcheck.sh
+++ b/webmails/roundcube/healthcheck.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+SCRIPT_NAME=/ping SCRIPT_FILENAME=/ping REQUEST_METHOD=GET cgi-fcgi -bind -connect 127.0.0.1:9000 2>/dev/null | grep -qFx pong
--- a/webmails/roundcube/mailu.php
+++ b/webmails/roundcube/mailu.php
@@ -15,7 +15,14 @@ class mailu extends rcube_plugin
  function startup($args)
  {
    if (empty($_SESSION['user_id'])) {
-        $args['action'] = 'login';
+      $args['action'] = 'login';
+    }
+
+    $ua = $_SERVER['HTTP_USER_AGENT'];
+    $ra = $_SERVER['REMOTE_ADDR'];
+    if ($ua == 'health' and ($ra == '127.0.0.1' or $ra == '::1')) {
+      print('OK');
+      exit();
    }

    return $args;
@@ -23,10 +30,16 @@ class mailu extends rcube_plugin

  function authenticate($args)
  {
-    if (!in_array('HTTP_X_REMOTE_USER', $_SERVER) || !in_array('HTTP_X_REMOTE_USER_TOKEN', $_SERVER)) {
+    if (!array_key_exists('HTTP_X_REMOTE_USER', $_SERVER) or !array_key_exists('HTTP_X_REMOTE_USER_TOKEN', $_SERVER)) {
+      if ($_SERVER['PHP_SELF'] == '/sso.php') {
        header('HTTP/1.0 403 Forbidden');
-        die();
+        print('mailu sso failure');
+      } else {
+        header('Location: sso.php');
+      }
+      exit();
    }
+
    $args['user'] = $_SERVER['HTTP_X_REMOTE_USER'];
    $args['pass'] = $_SERVER['HTTP_X_REMOTE_USER_TOKEN'];

@@ -36,30 +49,25 @@ class mailu extends rcube_plugin
    return $args;
  }

-  function logout($args) {
-    // Redirect to global SSO logout path.
+  // Redirect to global SSO logout path.
+  function logout($args)
+  {
    $this->load_config();
-
    $sso_logout_url = rcmail::get_instance()->config->get('sso_logout_url');
-    header("Location: " . $sso_logout_url, true);
-    exit;
+    header('Location: ' . $sso_logout_url, true);
+    exit();
  }

  function login($args)
  {
-      header('Location: index.php');
-      exit();
+    header('Location: index.php');
+    exit();
  }
+
  function login_failed($args)
  {
-      $ua = $_SERVER['HTTP_USER_AGENT'];
-      $ra = $_SERVER['REMOTE_ADDR'];
-      if ($ua == 'health' and ($ra == '127.0.0.1' or $ra == '::1')) {
-        echo "OK";
-        exit;
-      }
-      header('Location: sso.php');
-      exit();
+    header('Location: sso.php');
+    exit();
  }

 }
--- a/webmails/roundcube/start.py
+++ b/webmails/roundcube/start.py
@@ -1,61 +1,105 @@
 #!/usr/bin/python3

 import os
-import logging as log
+import logging
 import sys
 from socrate import conf
 import subprocess
+import hmac

-log.basicConfig(stream=sys.stderr, level=os.environ.get("LOG_LEVEL", "WARNING"))
+env = os.environ

-os.environ["MAX_FILESIZE"] = str(int(int(os.environ.get("MESSAGE_SIZE_LIMIT")) * 0.66 / 1048576))
+logging.basicConfig(stream=sys.stderr, level=env.get("LOG_LEVEL", "WARNING"))

-db_flavor = os.environ.get("ROUNDCUBE_DB_FLAVOR", "sqlite")
+# jinja context
+context = {}
+context.update(env)
+
+context["MAX_FILESIZE"] = str(int(int(env.get("MESSAGE_SIZE_LIMIT", "50000000")) * 0.66 / 1048576))
+
+db_flavor = env.get("ROUNDCUBE_DB_FLAVOR", "sqlite")
 if db_flavor == "sqlite":
-    os.environ["DB_DSNW"] = "sqlite:////data/roundcube.db"
+    context["DB_DSNW"] = "sqlite:////data/roundcube.db"
 elif db_flavor == "mysql":
-    os.environ["DB_DSNW"] = "mysql://%s:%s@%s/%s" % (
-        os.environ.get("ROUNDCUBE_DB_USER", "roundcube"),
-        os.environ.get("ROUNDCUBE_DB_PW"),
-        os.environ.get("ROUNDCUBE_DB_HOST", "database"),
-        os.environ.get("ROUNDCUBE_DB_NAME", "roundcube")
+    context["DB_DSNW"] = "mysql://%s:%s@%s/%s" % (
+        env.get("ROUNDCUBE_DB_USER", "roundcube"),
+        env.get("ROUNDCUBE_DB_PW"),
+        env.get("ROUNDCUBE_DB_HOST", "database"),
+        env.get("ROUNDCUBE_DB_NAME", "roundcube")
    )
 elif db_flavor == "postgresql":
-    os.environ["DB_DSNW"] = "pgsql://%s:%s@%s/%s" % (
-        os.environ.get("ROUNDCUBE_DB_USER", "roundcube"),
-        os.environ.get("ROUNDCUBE_DB_PW"),
-        os.environ.get("ROUNDCUBE_DB_HOST", "database"),
-        os.environ.get("ROUNDCUBE_DB_NAME", "roundcube")
+    context["DB_DSNW"] = "pgsql://%s:%s@%s/%s" % (
+        env.get("ROUNDCUBE_DB_USER", "roundcube"),
+        env.get("ROUNDCUBE_DB_PW"),
+        env.get("ROUNDCUBE_DB_HOST", "database"),
+        env.get("ROUNDCUBE_DB_NAME", "roundcube")
    )
 else:
-    print("Unknown ROUNDCUBE_DB_FLAVOR: %s", db_flavor)
+    print(f"Unknown ROUNDCUBE_DB_FLAVOR: {db_flavor}", file=sys.stderr)
    exit(1)

-conf.jinja("/php.ini", os.environ, "/usr/local/etc/php/conf.d/roundcube.ini")
+# derive roundcube secret key
+secret_key = env.get("SECRET_KEY")
+if not secret_key:
+    try:
+        secret_key = open(env.get("SECRET_KEY_FILE"), "r").read().strip()
+    except Exception as exc:
+        print(f"Can't read SECRET_KEY from file: {exc}", file=sys.stderr)
+        exit(2)

-# Create dirs, setup permissions
+context['SECRET_KEY'] = hmac.new(bytearray(secret_key, 'utf-8'), bytearray('ROUNDCUBE_KEY', 'utf-8'), 'sha256').hexdigest()
+
+# roundcube plugins
+# (using "dict" because it is ordered and "set" is not)
+plugins = dict((p, None) for p in env.get("ROUNDCUBE_PLUGINS", "").replace(" ", "").split(",") if p and os.path.isdir(os.path.join("/var/www/plugins", p)))
+if plugins:
+    plugins["mailu"] = None
+else:
+    plugins = dict((k, None) for k in ["archive", "zipdownload", "markasjunk", "managesieve", "enigma", "carddav", "mailu"])
+
+context["PLUGINS"] = ",".join(f"'{p}'" for p in plugins)
+
+# add overrides
+context["INCLUDES"] = sorted(inc for inc in os.listdir("/overrides") if inc.endswith(".inc")) if os.path.isdir("/overrides") else []
+
+# create config files
+conf.jinja("/php.ini", context, "/usr/local/etc/php/conf.d/roundcube.ini")
+conf.jinja("/config.inc.php", context, "/var/www/html/config/config.inc.php")
+
+# create dirs
 os.system("mkdir -p /data/gpg")

+print("Initializing database")
 try:
-    print("Initializing database")
    result = subprocess.check_output(["/var/www/html/bin/initdb.sh", "--dir", "/var/www/html/SQL"],
                                     stderr=subprocess.STDOUT)
    print(result.decode())
-except subprocess.CalledProcessError as e:
-    if "already exists" in e.stdout.decode():
+except subprocess.CalledProcessError as exc:
+    err = exc.stdout.decode()
+    if "already exists" in err:
        print("Already initialzed")
    else:
-        print(e.stdout.decode())
-        quit(1)
+        print(err)
+        exit(3)

+print("Upgrading database")
 try:
-    print("Upgrading database")
    subprocess.check_call(["/var/www/html/bin/update.sh", "--version=?", "-y"], stderr=subprocess.STDOUT)
-except subprocess.CalledProcessError as e:
-    quit(1)
+except subprocess.CalledProcessError as exc:
+    exit(4)
+else:
+    print("Cleaning database")
+    try:
+        subprocess.check_call(["/var/www/html/bin/cleandb.sh"], stderr=subprocess.STDOUT)
+    except subprocess.CalledProcessError as exc:
+        exit(5)

-# Setup database permissions
+# setup permissions
 os.system("chown -R www-data:www-data /data")

-# Run apache
-os.execv("/usr/local/bin/apache2-foreground", ["apache2-foreground"])
+# clean env
+[env.pop(key, None) for key in env.keys() if key == "SECRET_KEY" or key.startswith("ROUNDCUBE_")]
+
+# run apache
+os.execve("/usr/local/bin/apache2-foreground", ["apache2-foreground"], env)
+
				`@@ -0,0 +1 @@`
				`updated roundcube to 1.5 and carddav to 4.2.2 using php8`