Merge branch 'master' into feat-healthchecks

core/admin/mailu/__init__.py

@@ -12,7 +12,7 @@ import docker
 import socket
 import uuid
 
-from werkzeug.contrib import fixers
+from werkzeug.contrib import fixers, profiler
 
 # Create application
 app = flask.Flask(__name__)
@@ -62,7 +62,10 @@ default_config = {
     'HOST_IMAP': 'imap',
     'HOST_POP3': 'imap',
     'HOST_SMTP': 'smtp',
+    'HOST_WEBMAIL': 'webmail',
+    'HOST_FRONT': 'front',
     'HOST_AUTHSMTP': os.environ.get('HOST_SMTP', 'smtp'),
+    'POD_ADDRESS_RANGE': None
 }
 
 # Load configuration from the environment if available
@@ -80,6 +83,10 @@ if app.config.get("DEBUG"):
     import flask_debugtoolbar
     toolbar = flask_debugtoolbar.DebugToolbarExtension(app)
 
+# Profiler
+if app.config.get("DEBUG"):
+    app.wsgi_app = profiler.ProfilerMiddleware(app.wsgi_app, restrictions=[30])
+
 # Manager commnad
 manager = flask_script.Manager(app)
 manager.add_command('db', flask_migrate.MigrateCommand)
@@ -129,4 +136,5 @@ class PrefixMiddleware(object):
             environ['SCRIPT_NAME'] = prefix
         return self.app(environ, start_response)
 
+
 app.wsgi_app = PrefixMiddleware(fixers.ProxyFix(app.wsgi_app))

core/admin/mailu/internal/templates/default.sieve

@@ -32,9 +32,6 @@ if exists "X-Virus" {
   stop;
 }
 
-{% if user.reply_enabled %}
-if currentdate :value "le" "date" "{{ user.reply_enddate }}"
-{
- vacation :days 1 :subject "{{ user.reply_subject }}" "{{ user.reply_body }}";
-}
+{% if user.reply_active  %}
+vacation :days 1 :subject "{{ user.reply_subject }}" "{{ user.reply_body }}";
 {% endif %}

core/admin/mailu/internal/views/dovecot.py

@@ -1,14 +1,24 @@
-from mailu import db, models
+from mailu import db, models, app
 from mailu.internal import internal
 
 import flask
+import socket
 
 
 @internal.route("/dovecot/passdb/<user_email>")
 def dovecot_passdb_dict(user_email):
     user = models.User.query.get(user_email) or flask.abort(404)
+    allow_nets = []
+    allow_nets.append(
+        app.config.get("POD_ADDRESS_RANGE") or
+        socket.gethostbyname(app.config["HOST_FRONT"])
+    )
+    allow_nets.append(socket.gethostbyname(app.config["HOST_WEBMAIL"]))
+    print(allow_nets)
     return flask.jsonify({
-        "password": user.password,
+        "password": None,
+        "nopassword": "Y",
+        "allow_nets": ",".join(allow_nets)
     })
 
 

core/admin/mailu/models.py

@@ -250,6 +250,8 @@ class User(Base, Email):
     reply_enabled = db.Column(db.Boolean(), nullable=False, default=False)
     reply_subject = db.Column(db.String(255), nullable=True, default=None)
     reply_body = db.Column(db.Text(), nullable=True, default=None)
+    reply_startdate = db.Column(db.Date, nullable=False,
+        default=date(1900, 1, 1))
     reply_enddate = db.Column(db.Date, nullable=False,
         default=date(2999, 12, 31))
 
@@ -276,7 +278,17 @@ class User(Base, Email):
         else:
             return self.email
 
-    scheme_dict = {'BLF-CRYPT': "bcrypt",
+    @property
+    def reply_active(self):
+        now = date.today()
+        return (
+            self.reply_enabled and
+            self.reply_startdate < now and
+            self.reply_enddate > now
+        )
+
+    scheme_dict = {'PBKDF2': "pbkdf2_sha512",
+                   'BLF-CRYPT': "bcrypt",
                    'SHA512-CRYPT': "sha512_crypt",
                    'SHA256-CRYPT': "sha256_crypt",
                    'MD5-CRYPT': "md5_crypt",
@@ -287,8 +299,14 @@ class User(Base, Email):
     )
 
     def check_password(self, password):
+        context = User.pw_context
         reference = re.match('({[^}]+})?(.*)', self.password).group(2)
-        return User.pw_context.verify(password, reference)
+        result = context.verify(password, reference)
+        if result and context.identify(reference) != context.default_scheme():
+            self.set_password(password)
+            db.session.add(self)
+            db.session.commit()
+        return result
 
     def set_password(self, password, hash_scheme=app.config['PASSWORD_SCHEME'], raw=False):
         """Set password for user with specified encryption scheme

core/admin/mailu/ui/forms.py

@@ -117,6 +117,7 @@ class UserReplyForm(flask_wtf.FlaskForm):
     reply_subject = fields.StringField(_('Reply subject'))
     reply_body = fields.StringField(_('Reply body'),
         widget=widgets.TextArea())
+    reply_startdate = fields.html5.DateField(_('Start of vacation'))
     reply_enddate = fields.html5.DateField(_('End of vacation'))
     submit = fields.SubmitField(_('Update'))
 

core/admin/mailu/ui/templates/user/reply.html

@@ -13,14 +13,17 @@
 <form class="form" method="post" role="form">
   {{ form.hidden_tag() }}
   {{ macros.form_field(form.reply_enabled,
-      onchange="if(this.checked){$('#reply_subject,#reply_body,#reply_enddate').removeAttr('readonly')}
+      onchange="if(this.checked){$('#reply_subject,#reply_body,#reply_enddate,#reply_startdate').removeAttr('readonly')}
                 else{$('#reply_subject,#reply_body,#reply_enddate').attr('readonly', '')}") }}
   {{ macros.form_field(form.reply_subject,
       **{("rw" if user.reply_enabled else "readonly"): ""}) }}
     {{ macros.form_field(form.reply_body, rows=10,
         **{("rw" if user.reply_enabled else "readonly"): ""}) }}
   {{ macros.form_field(form.reply_enddate,
-      **{("rw" if user.reply_enabled else "readonly"): ""}) }}
+        **{("rw" if user.reply_enabled else "readonly"): ""}) }}
+  {{ macros.form_field(form.reply_startdate,
+        **{("rw" if user.reply_enabled else "readonly"): ""}) }}
+
   {{ macros.form_field(form.submit) }}
 </form>
 {% endcall %}

core/admin/migrations/versions/3b281286c7bd_.py

@@ -0,0 +1,24 @@
+""" Add a start day for vacations
+
+Revision ID: 3b281286c7bd
+Revises: 25fd6c7bcb4a
+Create Date: 2018-09-27 22:20:08.158553
+
+"""
+
+revision = '3b281286c7bd'
+down_revision = '25fd6c7bcb4a'
+
+from alembic import op
+import sqlalchemy as sa
+
+
+def upgrade():
+    with op.batch_alter_table('user') as batch:
+        batch.add_column(sa.Column('reply_startdate', sa.Date(), nullable=False,
+            server_default="1900-01-01"))
+
+
+def downgrade():
+    with op.batch_alter_table('user') as batch:
+        batch.drop_column('reply_startdate')

core/dovecot/Dockerfile

@@ -2,7 +2,7 @@ FROM alpine:3.8
 
 RUN apk add --no-cache \
      dovecot dovecot-pigeonhole-plugin dovecot-fts-lucene rspamd-client \
-     python3 py3-pip \
+     bash python3 py3-pip \
  && pip3 install --upgrade pip \
  && pip3 install jinja2 podop tenacity
 

core/dovecot/conf/bin/ham

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+tee >(rspamc -h antispam:11334 -P mailu learn_ham /dev/stdin) \
+    | rspamc -h antispam:11334 -P mailu -f 13 fuzzy_add /dev/stdin

core/dovecot/conf/bin/mailtrain

@@ -1,3 +0,0 @@
-#!/bin/sh
-
-rspamc -h antispam:11334 -P mailu "learn_$1" /dev/stdin <&0

core/dovecot/conf/bin/spam

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+tee >(rspamc -h antispam:11334 -P mailu learn_spam /dev/stdin) \
+    >(rspamc -h antispam:11334 -P mailu -f 11 fuzzy_add /dev/stdin)

core/dovecot/conf/dovecot.conf

@@ -136,7 +136,8 @@ service managesieve {
 }
 
 plugin {
-  sieve = dict:proxy:/tmp/podop.socket:sieve
+  sieve = file:~/sieve;active=~/.dovecot.sieve
+  sieve_before = dict:proxy:/tmp/podop.socket:sieve
   sieve_plugins = sieve_imapsieve sieve_extprograms
   sieve_extensions = +spamtest +spamtestplus +editheader
   sieve_global_extensions = +vnd.dovecot.execute

core/dovecot/conf/report-ham.sieve

@@ -8,4 +8,4 @@ if string "${mailbox}" "Trash" {
   stop;
 }
 
-execute :pipe "mailtrain" "ham";
+execute :pipe "ham";

core/dovecot/conf/report-spam.sieve

@@ -1,3 +1,3 @@
 require "vnd.dovecot.execute";
 
-execute :pipe "mailtrain" "spam";
+execute :pipe "spam";

core/dovecot/start.py

@@ -36,5 +36,5 @@ for dovecot_file in glob.glob("/conf/*.conf"):
 
 # Run Podop, then postfix
 multiprocessing.Process(target=start_podop).start()
-os.system("chown -R mail:mail /mail /var/lib/dovecot")
+os.system("chown -R mail:mail /mail /var/lib/dovecot /conf")
 os.execv("/usr/sbin/dovecot", ["dovecot", "-c", "/etc/dovecot/dovecot.conf", "-F"])

core/nginx/conf/nginx.conf

@@ -34,6 +34,8 @@ http {
       ''      $scheme;
     }
 
+    # Disable the main http server when on kubernetes (port 80 and 443)
+    {% if KUBERNETES_INGRESS != 'true' %}
     # Main HTTP server
     server {
       # Variables for proxifying
@@ -48,8 +50,8 @@ http {
 
       # Only enable HTTPS if TLS is enabled with no error
       {% if TLS and not TLS_ERROR %}
-      listen 443 ssl;
-      listen [::]:443 ssl;
+      listen 443 ssl http2;
+      listen [::]:443 ssl http2;
 
       include /etc/nginx/tls.conf;
       ssl_session_cache shared:SSLHTTP:50m;
@@ -91,8 +93,10 @@ http {
       {% endif %}
 
       location {{ WEB_WEBMAIL }} {
+        {% if WEB_WEBMAIL != '/' %}
         rewrite ^({{ WEB_WEBMAIL }})$ $1/ permanent;
         rewrite ^{{ WEB_WEBMAIL }}/(.*) /$1 break;
+        {% endif %}
         include /etc/nginx/proxy.conf;
         client_max_body_size {{ MESSAGE_SIZE_LIMIT|int + 8388608 }};
         proxy_pass http://$webmail;
@@ -147,6 +151,7 @@ http {
         proxy_set_header Content-Length "";
       }
     }
+    {% endif %}
 
     # Forwarding authentication server
     server {

core/postfix/conf/main.cf

@@ -2,8 +2,6 @@
 # General
 ###############
 
-debug_peer_list = 0.0.0.0/0
-
 # Main domain and hostname
 mydomain = {{ DOMAIN }}
 myhostname = {{ HOSTNAMES.split(",")[0] }}
@@ -34,7 +32,7 @@ relayhost = {{ RELAYHOST }}
 recipient_delimiter = {{ RECIPIENT_DELIMITER }}
 
 # Only the front server is allowed to perform xclient
-smtpd_authorized_xclient_hosts={{ FRONT_ADDRESS }}
+smtpd_authorized_xclient_hosts={{ FRONT_ADDRESS }} {{ POD_ADDRESS_RANGE }}
 
 ###############
 # TLS