From 69420113f74bacf3264fd5bbb5c93202e4f43be8 Mon Sep 17 00:00:00 2001 From: Markus Machatschek Date: Wed, 6 Aug 2025 08:33:11 +0200 Subject: [PATCH 01/14] rspamd: update rspamd to 3.12.1 (#6643) * rspamd: update rspamd to 3.12.1 * compose: correct rspamd tag + pushed image --------- Co-authored-by: DerLinkman --- data/Dockerfiles/rspamd/Dockerfile | 2 +- docker-compose.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/data/Dockerfiles/rspamd/Dockerfile b/data/Dockerfiles/rspamd/Dockerfile index 68b38d3a7..e46981aa4 100644 --- a/data/Dockerfiles/rspamd/Dockerfile +++ b/data/Dockerfiles/rspamd/Dockerfile @@ -2,7 +2,7 @@ FROM debian:bookworm-slim LABEL maintainer="The Infrastructure Company GmbH " ARG DEBIAN_FRONTEND=noninteractive -ARG RSPAMD_VER=rspamd_3.11.1-1~ab0b44951 +ARG RSPAMD_VER=rspamd_3.12.1-1~6dbfca2fa ARG CODENAME=bookworm ENV LC_ALL=C diff --git a/docker-compose.yml b/docker-compose.yml index 02ca8f9a2..e6b5dc20d 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -84,7 +84,7 @@ services: - clamd rspamd-mailcow: - image: ghcr.io/mailcow/rspamd:2.2 + image: ghcr.io/mailcow/rspamd:2.3 stop_grace_period: 30s depends_on: - dovecot-mailcow From 1fc36263dce6312b0b7e403089d3880411cb1e1a Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 6 Aug 2025 08:33:41 +0200 Subject: [PATCH 02/14] chore(deps): update dependency krakjoe/apcu to v5.1.26 (#6656) Signed-off-by: milkmaker Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- data/Dockerfiles/phpfpm/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/Dockerfiles/phpfpm/Dockerfile b/data/Dockerfiles/phpfpm/Dockerfile index ff333f5b3..6d0cfdd36 100644 --- a/data/Dockerfiles/phpfpm/Dockerfile +++ b/data/Dockerfiles/phpfpm/Dockerfile @@ -3,7 +3,7 @@ FROM php:8.2-fpm-alpine3.21 LABEL maintainer = "The Infrastructure Company GmbH " # renovate: datasource=github-tags depName=krakjoe/apcu versioning=semver-coerced extractVersion=^v(?.*)$ -ARG APCU_PECL_VERSION=5.1.24 +ARG APCU_PECL_VERSION=5.1.26 # renovate: datasource=github-tags depName=Imagick/imagick versioning=semver-coerced extractVersion=(?.*)$ ARG IMAGICK_PECL_VERSION=3.8.0 # renovate: datasource=github-tags depName=php/pecl-mail-mailparse versioning=semver-coerced extractVersion=^v(?.*)$ From 728fcdb37537eab42bd7f00da30ec35f3a2f1805 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 6 Aug 2025 08:34:30 +0200 Subject: [PATCH 03/14] Update dependency tianon/gosu to v1.17 (#6640) Signed-off-by: milkmaker Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- data/Dockerfiles/dovecot/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/Dockerfiles/dovecot/Dockerfile b/data/Dockerfiles/dovecot/Dockerfile index 9e49d88cc..10e141ab8 100644 --- a/data/Dockerfiles/dovecot/Dockerfile +++ b/data/Dockerfiles/dovecot/Dockerfile @@ -3,7 +3,7 @@ FROM alpine:3.21 LABEL maintainer="The Infrastructure Company GmbH " # renovate: datasource=github-releases depName=tianon/gosu versioning=semver-coerced extractVersion=^(?.*)$ -ARG GOSU_VERSION=1.16 +ARG GOSU_VERSION=1.17 ENV LANG=C.UTF-8 ENV LC_ALL=C.UTF-8 From 14d58c8163b2b8d210e08adc1d1b32e294f6ebcc Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 6 Aug 2025 08:34:53 +0200 Subject: [PATCH 04/14] Update dependency phpredis/phpredis to v6.2.0 (#6639) Signed-off-by: milkmaker Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- data/Dockerfiles/phpfpm/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/Dockerfiles/phpfpm/Dockerfile b/data/Dockerfiles/phpfpm/Dockerfile index 6d0cfdd36..483b90fcb 100644 --- a/data/Dockerfiles/phpfpm/Dockerfile +++ b/data/Dockerfiles/phpfpm/Dockerfile @@ -11,7 +11,7 @@ ARG MAILPARSE_PECL_VERSION=3.1.8 # renovate: datasource=github-tags depName=php-memcached-dev/php-memcached versioning=semver-coerced extractVersion=^v(?.*)$ ARG MEMCACHED_PECL_VERSION=3.2.0 # renovate: datasource=github-tags depName=phpredis/phpredis versioning=semver-coerced extractVersion=(?.*)$ -ARG REDIS_PECL_VERSION=6.1.0 +ARG REDIS_PECL_VERSION=6.2.0 # renovate: datasource=github-tags depName=composer/composer versioning=semver-coerced extractVersion=(?.*)$ ARG COMPOSER_VERSION=2.8.6 From 3803b5d3513ed64177bcef067b768408dab10fc2 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 6 Aug 2025 08:35:14 +0200 Subject: [PATCH 05/14] Update dependency php-memcached-dev/php-memcached to v3.3.0 (#6638) Signed-off-by: milkmaker Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- data/Dockerfiles/phpfpm/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/Dockerfiles/phpfpm/Dockerfile b/data/Dockerfiles/phpfpm/Dockerfile index 483b90fcb..e7b43790b 100644 --- a/data/Dockerfiles/phpfpm/Dockerfile +++ b/data/Dockerfiles/phpfpm/Dockerfile @@ -9,7 +9,7 @@ ARG IMAGICK_PECL_VERSION=3.8.0 # renovate: datasource=github-tags depName=php/pecl-mail-mailparse versioning=semver-coerced extractVersion=^v(?.*)$ ARG MAILPARSE_PECL_VERSION=3.1.8 # renovate: datasource=github-tags depName=php-memcached-dev/php-memcached versioning=semver-coerced extractVersion=^v(?.*)$ -ARG MEMCACHED_PECL_VERSION=3.2.0 +ARG MEMCACHED_PECL_VERSION=3.3.0 # renovate: datasource=github-tags depName=phpredis/phpredis versioning=semver-coerced extractVersion=(?.*)$ ARG REDIS_PECL_VERSION=6.2.0 # renovate: datasource=github-tags depName=composer/composer versioning=semver-coerced extractVersion=(?.*)$ From 88bf9b02e112bced1d37c69a885d8dbad4cd657a Mon Sep 17 00:00:00 2001 From: DerLinkman Date: Wed, 6 Aug 2025 08:36:40 +0200 Subject: [PATCH 06/14] core: modules splitting + ipv6 nat rewrite (#6634) * ipv6: added ipv6 detection + removed ip6 nat container * nginx: renamed DISABLE_IPv6 to ENABLE_IPV6 to align * initial commit for script overhauls * rewrite to scripts after testing (improved error handling) * fixed missing fi in update.sh * fixed/added comments for modules * fix broken EXIT_CODE var handling * added jq as dependancy * fixed docker version check for daemon * improved _modules handling while running * reintegrated module loading (update.sh) * added error handling for blank daemon.json * adapted removal of ACME_CONTACT for nightly * move detect_major_update func to core submodule * removed unnecessary message on every call of function * Update _modules/scripts/new_options.sh Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Update _modules/scripts/core.sh Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * improve ENABLE_IPV6 check in nginx bootstrap * improve detection of ENABLE_IPV6 * ip6_controller: moved docker major detection upwards * Update _modules/scripts/new_options.sh Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Update _modules/scripts/new_options.sh Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * reuse DOCKER_MAJOR Variable in ip6_controller * fix some smaller typos in update.sh * smaller bugfixes in submodules * completely remove ACME_CONTACT Variable --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- _modules/scripts/core.sh | 223 +++++ _modules/scripts/ipv6_controller.sh | 168 ++++ _modules/scripts/migrate_options.sh | 96 +++ _modules/scripts/new_options.sh | 299 +++++++ data/Dockerfiles/nginx/bootstrap.py | 4 +- docker-compose.yml | 35 +- generate_config.sh | 104 +-- update.sh | 1227 ++------------------------- 8 files changed, 869 insertions(+), 1287 deletions(-) create mode 100644 _modules/scripts/core.sh create mode 100644 _modules/scripts/ipv6_controller.sh create mode 100644 _modules/scripts/migrate_options.sh create mode 100644 _modules/scripts/new_options.sh diff --git a/_modules/scripts/core.sh b/_modules/scripts/core.sh new file mode 100644 index 000000000..42133aa6b --- /dev/null +++ b/_modules/scripts/core.sh @@ -0,0 +1,223 @@ +#!/usr/bin/env bash +# _modules/scripts/core.sh +# THIS SCRIPT IS DESIGNED TO BE RUNNING BY MAILCOW SCRIPTS ONLY! +# DO NOT, AGAIN, NOT TRY TO RUN THIS SCRIPT STANDALONE!!!!!! + +# ANSI color for red errors +RED='\e[31m' +GREEN='\e[32m' +YELLOW='\e[33m' +BLUE='\e[34m' +MAGENTA='\e[35m' +LIGHT_RED='\e[91m' +LIGHT_GREEN='\e[92m' +NC='\e[0m' + +caller="${BASH_SOURCE[1]##*/}" + +get_installed_tools(){ + for bin in openssl curl docker git awk sha1sum grep cut jq; do + if [[ -z $(command -v ${bin}) ]]; then echo "Cannot find ${bin}, exiting..."; exit 1; fi + done + + if grep --help 2>&1 | head -n 1 | grep -q -i "busybox"; then echo -e "${LIGHT_RED}BusyBox grep detected, please install gnu grep, \"apk add --no-cache --upgrade grep\"${NC}"; exit 1; fi + # This will also cover sort + if cp --help 2>&1 | head -n 1 | grep -q -i "busybox"; then echo -e "${LIGHT_RED}BusyBox cp detected, please install coreutils, \"apk add --no-cache --upgrade coreutils\"${NC}"; exit 1; fi + if sed --help 2>&1 | head -n 1 | grep -q -i "busybox"; then echo -e "${LIGHT_RED}BusyBox sed detected, please install gnu sed, \"apk add --no-cache --upgrade sed\"${NC}"; exit 1; fi +} + +get_docker_version(){ + # Check Docker Version (need at least 24.X) + docker_version=$(docker version --format '{{.Server.Version}}' | cut -d '.' -f 1) +} + +get_compose_type(){ + if docker compose > /dev/null 2>&1; then + if docker compose version --short | grep -e "^2." -e "^v2." > /dev/null 2>&1; then + COMPOSE_VERSION=native + COMPOSE_COMMAND="docker compose" + if [[ "$caller" == "update.sh" ]]; then + sed -i 's/^DOCKER_COMPOSE_VERSION=.*/DOCKER_COMPOSE_VERSION=native/' "$SCRIPT_DIR/mailcow.conf" + fi + echo -e "\e[33mFound Docker Compose Plugin (native).\e[0m" + echo -e "\e[33mSetting the DOCKER_COMPOSE_VERSION Variable to native\e[0m" + sleep 2 + echo -e "\e[33mNotice: You'll have to update this Compose Version via your Package Manager manually!\e[0m" + else + echo -e "\e[31mCannot find Docker Compose with a Version Higher than 2.X.X.\e[0m" + echo -e "\e[31mPlease update/install it manually regarding to this doc site: https://docs.mailcow.email/install/\e[0m" + exit 1 + fi + elif docker-compose > /dev/null 2>&1; then + if ! [[ $(alias docker-compose 2> /dev/null) ]] ; then + if docker-compose version --short | grep "^2." > /dev/null 2>&1; then + COMPOSE_VERSION=standalone + COMPOSE_COMMAND="docker-compose" + if [[ "$caller" == "update.sh" ]]; then + sed -i 's/^DOCKER_COMPOSE_VERSION=.*/DOCKER_COMPOSE_VERSION=standalone/' "$SCRIPT_DIR/mailcow.conf" + fi + echo -e "\e[33mFound Docker Compose Standalone.\e[0m" + echo -e "\e[33mSetting the DOCKER_COMPOSE_VERSION Variable to standalone\e[0m" + sleep 2 + echo -e "\e[33mNotice: For an automatic update of docker-compose please use the update_compose.sh scripts located at the helper-scripts folder.\e[0m" + else + echo -e "\e[31mCannot find Docker Compose with a Version Higher than 2.X.X.\e[0m" + echo -e "\e[31mPlease update/install manually regarding to this doc site: https://docs.mailcow.email/install/\e[0m" + exit 1 + fi + fi + else + echo -e "\e[31mCannot find Docker Compose.\e[0m" + echo -e "\e[31mPlease install it regarding to this doc site: https://docs.mailcow.email/install/\e[0m" + exit 1 + fi +} + +detect_bad_asn() { + echo -e "\e[33mDetecting if your IP is listed on Spamhaus Bad ASN List...\e[0m" + response=$(curl --connect-timeout 15 --max-time 30 -s -o /dev/null -w "%{http_code}" "https://asn-check.mailcow.email") + if [ "$response" -eq 503 ]; then + if [ -z "$SPAMHAUS_DQS_KEY" ]; then + echo -e "\e[33mYour server's public IP uses an AS that is blocked by Spamhaus to use their DNS public blocklists for Postfix.\e[0m" + echo -e "\e[33mmailcow did not detected a value for the variable SPAMHAUS_DQS_KEY inside mailcow.conf!\e[0m" + sleep 2 + echo "" + echo -e "\e[33mTo use the Spamhaus DNS Blocklists again, you will need to create a FREE account for their Data Query Service (DQS) at: https://www.spamhaus.com/free-trial/sign-up-for-a-free-data-query-service-account\e[0m" + echo -e "\e[33mOnce done, enter your DQS API key in mailcow.conf and mailcow will do the rest for you!\e[0m" + echo "" + sleep 2 + else + echo -e "\e[33mYour server's public IP uses an AS that is blocked by Spamhaus to use their DNS public blocklists for Postfix.\e[0m" + echo -e "\e[32mmailcow detected a Value for the variable SPAMHAUS_DQS_KEY inside mailcow.conf. Postfix will use DQS with the given API key...\e[0m" + fi + elif [ "$response" -eq 200 ]; then + echo -e "\e[33mCheck completed! Your IP is \e[32mclean\e[0m" + elif [ "$response" -eq 429 ]; then + echo -e "\e[33mCheck completed! \e[31mYour IP seems to be rate limited on the ASN Check service... please try again later!\e[0m" + else + echo -e "\e[31mCheck failed! \e[0mMaybe a DNS or Network problem?\e[0m" + fi +} + +check_online_status() { + CHECK_ONLINE_DOMAINS=('https://github.com' 'https://hub.docker.com') + for domain in "${CHECK_ONLINE_DOMAINS[@]}"; do + if timeout 6 curl --head --silent --output /dev/null ${domain}; then + return 0 + fi + done + return 1 +} + +prefetch_images() { + [[ -z ${BRANCH} ]] && { echo -e "\e[33m\nUnknown branch...\e[0m"; exit 1; } + git fetch origin #${BRANCH} + while read image; do + RET_C=0 + until docker pull "${image}"; do + RET_C=$((RET_C + 1)) + echo -e "\e[33m\nError pulling $image, retrying...\e[0m" + [ ${RET_C} -gt 3 ] && { echo -e "\e[31m\nToo many failed retries, exiting\e[0m"; exit 1; } + sleep 1 + done + done < <(git show "origin/${BRANCH}:docker-compose.yml" | grep "image:" | awk '{ gsub("image:","", $3); print $2 }') +} + +docker_garbage() { + SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )/../.." && pwd )" + IMGS_TO_DELETE=() + + declare -A IMAGES_INFO + COMPOSE_IMAGES=($(grep -oP "image: \K(ghcr\.io/)?mailcow.+" "${SCRIPT_DIR}/docker-compose.yml")) + + for existing_image in $(docker images --format "{{.ID}}:{{.Repository}}:{{.Tag}}" | grep -E '(mailcow/|ghcr\.io/mailcow/)'); do + ID=$(echo "$existing_image" | cut -d ':' -f 1) + REPOSITORY=$(echo "$existing_image" | cut -d ':' -f 2) + TAG=$(echo "$existing_image" | cut -d ':' -f 3) + + if [[ "$REPOSITORY" == "mailcow/backup" || "$REPOSITORY" == "ghcr.io/mailcow/backup" ]]; then + if [[ "$TAG" != "" ]]; then + continue + fi + fi + + if [[ " ${COMPOSE_IMAGES[@]} " =~ " ${REPOSITORY}:${TAG} " ]]; then + continue + else + IMGS_TO_DELETE+=("$ID") + IMAGES_INFO["$ID"]="$REPOSITORY:$TAG" + fi + done + + if [[ ! -z ${IMGS_TO_DELETE[*]} ]]; then + echo "The following unused mailcow images were found:" + for id in "${IMGS_TO_DELETE[@]}"; do + echo " ${IMAGES_INFO[$id]} ($id)" + done + + if [ -z "$FORCE" ]; then + read -r -p "Do you want to delete them to free up some space? [y/N] " response + if [[ "$response" =~ ^([yY][eE][sS]|[yY])+$ ]]; then + docker rmi ${IMGS_TO_DELETE[*]} + else + echo "OK, skipped." + fi + else + echo "Running in forced mode! Force removing old mailcow images..." + docker rmi ${IMGS_TO_DELETE[*]} + fi + echo -e "\e[32mFurther cleanup...\e[0m" + echo "If you want to cleanup further garbage collected by Docker, please make sure all containers are up and running before cleaning your system by executing \"docker system prune\"" + fi +} + +in_array() { + local e match="$1" + shift + for e; do [[ "$e" == "$match" ]] && return 0; done + return 1 +} + +detect_major_update() { + if [ ${BRANCH} == "master" ]; then + # Array with major versions + # Add major versions here + MAJOR_VERSIONS=( + "2025-02" + "2025-03" + ) + + current_version="" + if [[ -f "${SCRIPT_DIR}/data/web/inc/app_info.inc.php" ]]; then + current_version=$(grep 'MAILCOW_GIT_VERSION' ${SCRIPT_DIR}/data/web/inc/app_info.inc.php | sed -E 's/.*MAILCOW_GIT_VERSION="([^"]+)".*/\1/') + fi + if [[ -z "$current_version" ]]; then + return 1 + fi + release_url="https://github.com/mailcow/mailcow-dockerized/releases/tag" + + updates_to_apply=() + + for version in "${MAJOR_VERSIONS[@]}"; do + if [[ "$current_version" < "$version" ]]; then + updates_to_apply+=("$version") + fi + done + + if [[ ${#updates_to_apply[@]} -gt 0 ]]; then + echo -e "\e[33m\nMAJOR UPDATES to be applied:\e[0m" + for update in "${updates_to_apply[@]}"; do + echo "$update - $release_url/$update" + done + + echo -e "\nPlease read the release notes before proceeding." + read -p "Do you want to proceed with the update? [y/n] " response + if [[ "${response}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then + echo "Proceeding with the update..." + else + echo "Update canceled. Exiting." + exit 1 + fi + fi + fi +} \ No newline at end of file diff --git a/_modules/scripts/ipv6_controller.sh b/_modules/scripts/ipv6_controller.sh new file mode 100644 index 000000000..7fe7d3cbd --- /dev/null +++ b/_modules/scripts/ipv6_controller.sh @@ -0,0 +1,168 @@ +#!/usr/bin/env bash +# _modules/scripts/ipv6_controller.sh +# THIS SCRIPT IS DESIGNED TO BE RUNNING BY MAILCOW SCRIPTS ONLY! +# DO NOT, AGAIN, NOT TRY TO RUN THIS SCRIPT STANDALONE!!!!!! + +# 1) Check if the host supports IPv6 +get_ipv6_support() { + if grep -qs '^1' /proc/sys/net/ipv6/conf/all/disable_ipv6 2>/dev/null \ + || ! ip -6 route show default &>/dev/null; then + DETECTED_IPV6=false + echo -e "${YELLOW}IPv6 not detected on host – ${LIGHT_RED}disabling IPv6 support${YELLOW}.${NC}" + else + DETECTED_IPV6=true + echo -e "IPv6 detected on host – ${LIGHT_GREEN}leaving IPv6 support enabled${YELLOW}.${NC}" + fi +} + +# 2) Ensure Docker daemon.json has (or create) the required IPv6 settings +docker_daemon_edit(){ + DOCKER_DAEMON_CONFIG="/etc/docker/daemon.json" + DOCKER_MAJOR=$(docker version --format '{{.Server.Version}}' 2>/dev/null | cut -d. -f1) + MISSING=() + + _has_kv() { grep -Eq "\"$1\"\s*:\s*$2" "$DOCKER_DAEMON_CONFIG" 2>/dev/null; } + + if [[ -f "$DOCKER_DAEMON_CONFIG" ]]; then + + # reject empty or whitespace-only file immediately + if [[ ! -s "$DOCKER_DAEMON_CONFIG" ]] || ! grep -Eq '[{}]' "$DOCKER_DAEMON_CONFIG"; then + echo -e "${RED}ERROR: $DOCKER_DAEMON_CONFIG exists but is empty or contains no JSON braces – please initialize it with valid JSON (e.g. {}).${NC}" + exit 1 + fi + + # Validate JSON if jq is present + if command -v jq &>/dev/null && ! jq empty "$DOCKER_DAEMON_CONFIG" &>/dev/null; then + echo -e "${RED}ERROR: Invalid JSON in $DOCKER_DAEMON_CONFIG – please correct manually.${NC}" + exit 1 + fi + + # Gather missing keys + ! _has_kv ipv6 true && MISSING+=("ipv6: true") + ! grep -Eq '"fixed-cidr-v6"\s*:\s*".+"' "$DOCKER_DAEMON_CONFIG" \ + && MISSING+=('fixed-cidr-v6: "fd00:dead:beef:c0::/80"') + if [[ -n "$DOCKER_MAJOR" && "$DOCKER_MAJOR" -ge 27 ]]; then + _has_kv ipv6 true && ! _has_kv ip6tables true && MISSING+=("ip6tables: true") + ! _has_kv experimental true && MISSING+=("experimental: true") + fi + + # Fix if needed + if ((${#MISSING[@]}>0)); then + echo -e "${MAGENTA}Your daemon.json is missing: ${YELLOW}${MISSING[*]}${NC}" + if [[ -n "$FORCE" ]]; then + ans=Y + else + read -p "Would you like to update $DOCKER_DAEMON_CONFIG now? [Y/n] " ans + ans=${ans:-Y} + fi + + if [[ $ans =~ ^[Yy]$ ]]; then + cp "$DOCKER_DAEMON_CONFIG" "${DOCKER_DAEMON_CONFIG}.bak" + if command -v jq &>/dev/null; then + TMP=$(mktemp) + JQ_FILTER='.ipv6 = true | .["fixed-cidr-v6"] = "fd00:dead:beef:c0::/80"' + [[ "$DOCKER_MAJOR" && "$DOCKER_MAJOR" -lt 27 ]] \ + && JQ_FILTER+=' | .ip6tables = true | .experimental = true' + jq "$JQ_FILTER" "$DOCKER_DAEMON_CONFIG" >"$TMP" && mv "$TMP" "$DOCKER_DAEMON_CONFIG" + echo -e "${LIGHT_GREEN}daemon.json updated. Restarting Docker...${NC}" + (command -v systemctl &>/dev/null && systemctl restart docker) || service docker restart + echo -e "${YELLOW}Docker restarted.${NC}" + else + echo -e "${RED}Please install jq or manually update daemon.json and restart Docker.${NC}" + exit 1 + fi + else + echo -e "${YELLOW}User declined Docker update – please insert these changes manually:${NC}" + echo "${MISSING[*]}" + exit 1 + fi + fi + + else + # Create new daemon.json if missing + if [[ -n "$FORCE" ]]; then + ans=Y + else + read -p "$DOCKER_DAEMON_CONFIG not found. Create it with IPv6 settings? [Y/n] " ans + ans=${ans:-Y} + fi + + if [[ $ans =~ ^[Yy]$ ]]; then + if [[ -n "$DOCKER_MAJOR" && "$DOCKER_MAJOR" -lt 27 ]]; then + cat > "$DOCKER_DAEMON_CONFIG" < "$DOCKER_DAEMON_CONFIG" </dev/null && systemctl restart docker) || service docker restart + echo "Docker restarted." + else + echo "User declined to create daemon.json – please manually merge the docker daemon with these configs:" + echo "${MISSING[*]}" + exit 1 + fi + fi +} + +# 3) Main wrapper for generate_config.sh and update.sh +configure_ipv6() { + # detect manual override if mailcow.conf is present + if [[ -n "$MAILCOW_CONF" && -f "$MAILCOW_CONF" ]] && grep -q '^ENABLE_IPV6=' "$MAILCOW_CONF"; then + MANUAL_SETTING=$(grep '^ENABLE_IPV6=' "$MAILCOW_CONF" | cut -d= -f2) + elif [[ -z "$MAILCOW_CONF" ]] && [[ ! -z "${ENABLE_IPV6:-}" ]]; then + MANUAL_SETTING="$ENABLE_IPV6" + else + MANUAL_SETTING="" + fi + + get_ipv6_support + + # if user manually set it, check for mismatch + if [[ -n "$MANUAL_SETTING" ]]; then + if [[ "$MANUAL_SETTING" == "false" && "$DETECTED_IPV6" == "true" ]]; then + echo -e "${RED}ERROR: You have ENABLE_IPV6=false but your host and Docker support IPv6.${NC}" + echo -e "${RED}This can create an open relay. Please set ENABLE_IPV6=true in your mailcow.conf and re-run.${NC}" + exit 1 + elif [[ "$MANUAL_SETTING" == "true" && "$DETECTED_IPV6" == "false" ]]; then + echo -e "${RED}ERROR: You have ENABLE_IPV6=true but your host does not support IPv6.${NC}" + echo -e "${RED}Please disable or fix your host/Docker IPv6 support, or set ENABLE_IPV6=false.${NC}" + exit 1 + else + return + fi + fi + + # no manual override: proceed to set or export + if [[ "$DETECTED_IPV6" == "true" ]]; then + docker_daemon_edit + else + echo "Skipping Docker IPv6 configuration because host does not support IPv6." + fi + + # now write into mailcow.conf or export + if [[ -n "$MAILCOW_CONF" && -f "$MAILCOW_CONF" ]]; then + LINE="ENABLE_IPV6=$DETECTED_IPV6" + if grep -q '^ENABLE_IPV6=' "$MAILCOW_CONF"; then + sed -i "s/^ENABLE_IPV6=.*/$LINE/" "$MAILCOW_CONF" + else + echo "$LINE" >> "$MAILCOW_CONF" + fi + else + export IPV6_BOOL="$DETECTED_IPV6" + fi + + echo "IPv6 configuration complete: ENABLE_IPV6=$DETECTED_IPV6" +} \ No newline at end of file diff --git a/_modules/scripts/migrate_options.sh b/_modules/scripts/migrate_options.sh new file mode 100644 index 000000000..6a584b9f7 --- /dev/null +++ b/_modules/scripts/migrate_options.sh @@ -0,0 +1,96 @@ +#!/usr/bin/env bash +# _modules/scripts/migrate_options.sh +# THIS SCRIPT IS DESIGNED TO BE RUNNING BY MAILCOW SCRIPTS ONLY! +# DO NOT, AGAIN, NOT TRY TO RUN THIS SCRIPT STANDALONE!!!!!! + +migrate_config_options() { + + sed -i --follow-symlinks '$a\' mailcow.conf + + KEYS=( + SOLR_HEAP + SKIP_SOLR + SOLR_PORT + FLATCURVE_EXPERIMENTAL + DISABLE_IPv6 + ACME_CONTACT + ) + + for key in "${KEYS[@]}"; do + if grep -q "${key}" mailcow.conf; then + case "${key}" in + SOLR_HEAP) + echo "Removing ${key} in mailcow.conf" + sed -i '/# Solr heap size in MB\b/d' mailcow.conf + sed -i '/# Solr is a prone to run\b/d' mailcow.conf + sed -i '/SOLR_HEAP\b/d' mailcow.conf + ;; + SKIP_SOLR) + echo "Removing ${key} in mailcow.conf" + sed -i '/\bSkip Solr on low-memory\b/d' mailcow.conf + sed -i '/\bSolr is disabled by default\b/d' mailcow.conf + sed -i '/\bDisable Solr or\b/d' mailcow.conf + sed -i '/\bSKIP_SOLR\b/d' mailcow.conf + ;; + SOLR_PORT) + echo "Removing ${key} in mailcow.conf" + sed -i '/\bSOLR_PORT\b/d' mailcow.conf + ;; + FLATCURVE_EXPERIMENTAL) + echo "Removing ${key} in mailcow.conf" + sed -i '/\bFLATCURVE_EXPERIMENTAL\b/d' mailcow.conf + ;; + DISABLE_IPv6) + echo "Migrating ${key} to ENABLE_IPv6 in mailcow.conf" + local old=$(grep '^DISABLE_IPv6=' "mailcow.conf" | cut -d'=' -f2) + local new + if [[ "$old" == "y" ]]; then + new="false" + else + new="true" + fi + sed -i '/^DISABLE_IPv6=/d' "mailcow.conf" + echo "ENABLE_IPV6=$new" >> "mailcow.conf" + ;; + ACME_CONTACT) + echo "Deleting obsoleted ${key} in mailcow.conf" + sed -i '/^# Lets Encrypt registration contact information/d' mailcow.conf + sed -i '/^# Optional: Leave empty for none/d' mailcow.conf + sed -i '/^# This value is only used on first order!/d' mailcow.conf + sed -i '/^# Setting it at a later point will require the following steps:/d' mailcow.conf + sed -i '/^# https:\/\/docs.mailcow.email\/troubleshooting\/debug-reset_tls\//d' mailcow.conf + sed -i '/^ACME_CONTACT=.*/d' mailcow.conf + sed -i '/^#ACME_CONTACT=.*/d' mailcow.conf + ;; + esac + fi + done + + solr_volume=$(docker volume ls -qf name=^${COMPOSE_PROJECT_NAME}_solr-vol-1) + if [[ -n $solr_volume ]]; then + echo -e "\e[34mSolr has been replaced within mailcow since 2025-01.\nThe volume $solr_volume is unused.\e[0m" + sleep 1 + if [ ! "$FORCE" ]; then + read -r -p "Remove $solr_volume? [y/N] " response + if [[ "$response" =~ ^([yY][eE][sS]|[yY])+$ ]]; then + echo -e "\e[33mRemoving $solr_volume...\e[0m" + docker volume rm $solr_volume || echo -e "\e[31mFailed to remove. Remove it manually!\e[0m" + echo -e "\e[32mSuccessfully removed $solr_volume!\e[0m" + else + echo -e "Not removing $solr_volume. Run \`docker volume rm $solr_volume\` manually if needed." + fi + else + echo -e "\e[33mForce removing $solr_volume...\e[0m" + docker volume rm $solr_volume || echo -e "\e[31mFailed to remove. Remove it manually!\e[0m" + echo -e "\e[32mSuccessfully removed $solr_volume!\e[0m" + fi + fi + + # Delete old fts.conf before forced switch to flatcurve to ensure update is working properly + FTS_CONF_PATH="${SCRIPT_DIR}/data/conf/dovecot/conf.d/fts.conf" + if [[ -f "$FTS_CONF_PATH" ]]; then + if grep -q "Autogenerated by mailcow" "$FTS_CONF_PATH"; then + rm -rf $FTS_CONF_PATH + fi + fi +} \ No newline at end of file diff --git a/_modules/scripts/new_options.sh b/_modules/scripts/new_options.sh new file mode 100644 index 000000000..a3f47dc61 --- /dev/null +++ b/_modules/scripts/new_options.sh @@ -0,0 +1,299 @@ +#!/usr/bin/env bash +# _modules/scripts/new_options.sh +# THIS SCRIPT IS DESIGNED TO BE RUNNING BY MAILCOW SCRIPTS ONLY! +# DO NOT, AGAIN, NOT TRY TO RUN THIS SCRIPT STANDALONE!!!!!! + +adapt_new_options() { + + CONFIG_ARRAY=( + "AUTODISCOVER_SAN" + "SKIP_LETS_ENCRYPT" + "SKIP_SOGO" + "USE_WATCHDOG" + "WATCHDOG_NOTIFY_EMAIL" + "WATCHDOG_NOTIFY_WEBHOOK" + "WATCHDOG_NOTIFY_WEBHOOK_BODY" + "WATCHDOG_NOTIFY_BAN" + "WATCHDOG_NOTIFY_START" + "WATCHDOG_EXTERNAL_CHECKS" + "WATCHDOG_SUBJECT" + "SKIP_CLAMD" + "SKIP_OLEFY" + "SKIP_IP_CHECK" + "ADDITIONAL_SAN" + "DOVEADM_PORT" + "IPV4_NETWORK" + "IPV6_NETWORK" + "LOG_LINES" + "SNAT_TO_SOURCE" + "SNAT6_TO_SOURCE" + "COMPOSE_PROJECT_NAME" + "DOCKER_COMPOSE_VERSION" + "SQL_PORT" + "API_KEY" + "API_KEY_READ_ONLY" + "API_ALLOW_FROM" + "MAILDIR_GC_TIME" + "MAILDIR_SUB" + "ACL_ANYONE" + "FTS_HEAP" + "FTS_PROCS" + "SKIP_FTS" + "ENABLE_SSL_SNI" + "ALLOW_ADMIN_EMAIL_LOGIN" + "SKIP_HTTP_VERIFICATION" + "SOGO_EXPIRE_SESSION" + "REDIS_PORT" + "REDISPASS" + "DOVECOT_MASTER_USER" + "DOVECOT_MASTER_PASS" + "MAILCOW_PASS_SCHEME" + "ADDITIONAL_SERVER_NAMES" + "WATCHDOG_VERBOSE" + "WEBAUTHN_ONLY_TRUSTED_VENDORS" + "SPAMHAUS_DQS_KEY" + "SKIP_UNBOUND_HEALTHCHECK" + "DISABLE_NETFILTER_ISOLATION_RULE" + "HTTP_REDIRECT" + "ENABLE_IPV6" + ) + + sed -i --follow-symlinks '$a\' mailcow.conf + for option in ${CONFIG_ARRAY[@]}; do + if grep -q "${option}" mailcow.conf; then + continue + fi + + echo "Adding new option \"${option}\" to mailcow.conf" + + case "${option}" in + AUTODISCOVER_SAN) + echo '# Obtain certificates for autodiscover.* and autoconfig.* domains.' >> mailcow.conf + echo '# This can be useful to switch off in case you are in a scenario where a reverse proxy already handles those.' >> mailcow.conf + echo '# There are mixed scenarios where ports 80,443 are occupied and you do not want to share certs' >> mailcow.conf + echo '# between services. So acme-mailcow obtains for maildomains and all web-things get handled' >> mailcow.conf + echo '# in the reverse proxy.' >> mailcow.conf + echo 'AUTODISCOVER_SAN=y' >> mailcow.conf + ;; + + DOCKER_COMPOSE_VERSION) + echo "# Used Docker Compose version" >> mailcow.conf + echo "# Switch here between native (compose plugin) and standalone" >> mailcow.conf + echo "# For more informations take a look at the mailcow docs regarding the configuration options." >> mailcow.conf + echo "# Normally this should be untouched but if you decided to use either of those you can switch it manually here." >> mailcow.conf + echo "# Please be aware that at least one of those variants should be installed on your machine or mailcow will fail." >> mailcow.conf + echo "" >> mailcow.conf + echo "DOCKER_COMPOSE_VERSION=${DOCKER_COMPOSE_VERSION}" >> mailcow.conf + ;; + + DOVEADM_PORT) + echo "DOVEADM_PORT=127.0.0.1:19991" >> mailcow.conf + ;; + + LOG_LINES) + echo '# Max log lines per service to keep in Redis logs' >> mailcow.conf + echo "LOG_LINES=9999" >> mailcow.conf + ;; + + IPV4_NETWORK) + echo '# Internal IPv4 /24 subnet, format n.n.n. (expands to n.n.n.0/24)' >> mailcow.conf + echo "IPV4_NETWORK=172.22.1" >> mailcow.conf + ;; + IPV6_NETWORK) + echo '# Internal IPv6 subnet in fc00::/7' >> mailcow.conf + echo "IPV6_NETWORK=fd4d:6169:6c63:6f77::/64" >> mailcow.conf + ;; + SQL_PORT) + echo '# Bind SQL to 127.0.0.1 on port 13306' >> mailcow.conf + echo "SQL_PORT=127.0.0.1:13306" >> mailcow.conf + ;; + API_KEY) + echo '# Create or override API key for web UI' >> mailcow.conf + echo "#API_KEY=" >> mailcow.conf + ;; + API_KEY_READ_ONLY) + echo '# Create or override read-only API key for web UI' >> mailcow.conf + echo "#API_KEY_READ_ONLY=" >> mailcow.conf + ;; + API_ALLOW_FROM) + echo '# Must be set for API_KEY to be active' >> mailcow.conf + echo '# IPs only, no networks (networks can be set via UI)' >> mailcow.conf + echo "#API_ALLOW_FROM=" >> mailcow.conf + ;; + SNAT_TO_SOURCE) + echo '# Use this IPv4 for outgoing connections (SNAT)' >> mailcow.conf + echo "#SNAT_TO_SOURCE=" >> mailcow.conf + ;; + SNAT6_TO_SOURCE) + echo '# Use this IPv6 for outgoing connections (SNAT)' >> mailcow.conf + echo "#SNAT6_TO_SOURCE=" >> mailcow.conf + ;; + MAILDIR_GC_TIME) + echo '# Garbage collector cleanup' >> mailcow.conf + echo '# Deleted domains and mailboxes are moved to /var/vmail/_garbage/timestamp_sanitizedstring' >> mailcow.conf + echo '# How long should objects remain in the garbage until they are being deleted? (value in minutes)' >> mailcow.conf + echo '# Check interval is hourly' >> mailcow.conf + echo 'MAILDIR_GC_TIME=1440' >> mailcow.conf + ;; + ACL_ANYONE) + echo '# Set this to "allow" to enable the anyone pseudo user. Disabled by default.' >> mailcow.conf + echo '# When enabled, ACL can be created, that apply to "All authenticated users"' >> mailcow.conf + echo '# This should probably only be activated on mail hosts, that are used exclusively by one organisation.' >> mailcow.conf + echo '# Otherwise a user might share data with too many other users.' >> mailcow.conf + echo 'ACL_ANYONE=disallow' >> mailcow.conf + ;; + FTS_HEAP) + echo '# Dovecot Indexing (FTS) Process maximum heap size in MB, there is no recommendation, please see Dovecot docs.' >> mailcow.conf + echo '# Flatcurve is used as FTS Engine. It is supposed to be pretty efficient in CPU and RAM consumption.' >> mailcow.conf + echo '# Please always monitor your Resource consumption!' >> mailcow.conf + echo "FTS_HEAP=128" >> mailcow.conf + ;; + SKIP_FTS) + echo '# Skip FTS (Fulltext Search) for Dovecot on low-memory, low-threaded systems or if you simply want to disable it.' >> mailcow.conf + echo "# Dovecot inside mailcow use Flatcurve as FTS Backend." >> mailcow.conf + echo "SKIP_FTS=y" >> mailcow.conf + ;; + FTS_PROCS) + echo '# Controls how many processes the Dovecot indexing process can spawn at max.' >> mailcow.conf + echo '# Too many indexing processes can use a lot of CPU and Disk I/O' >> mailcow.conf + echo '# Please visit: https://doc.dovecot.org/configuration_manual/service_configuration/#indexer-worker for more informations' >> mailcow.conf + echo "FTS_PROCS=1" >> mailcow.conf + ;; + ENABLE_SSL_SNI) + echo '# Create seperate certificates for all domains - y/n' >> mailcow.conf + echo '# this will allow adding more than 100 domains, but some email clients will not be able to connect with alternative hostnames' >> mailcow.conf + echo '# see https://wiki.dovecot.org/SSL/SNIClientSupport' >> mailcow.conf + echo "ENABLE_SSL_SNI=n" >> mailcow.conf + ;; + SKIP_SOGO) + echo '# Skip SOGo: Will disable SOGo integration and therefore webmail, DAV protocols and ActiveSync support (experimental, unsupported, not fully implemented) - y/n' >> mailcow.conf + echo "SKIP_SOGO=n" >> mailcow.conf + ;; + MAILDIR_SUB) + echo '# MAILDIR_SUB defines a path in a users virtual home to keep the maildir in. Leave empty for updated setups.' >> mailcow.conf + echo "#MAILDIR_SUB=Maildir" >> mailcow.conf + echo "MAILDIR_SUB=" >> mailcow.conf + ;; + WATCHDOG_NOTIFY_WEBHOOK) + echo '# Send notifications to a webhook URL that receives a POST request with the content type "application/json".' >> mailcow.conf + echo '# You can use this to send notifications to services like Discord, Slack and others.' >> mailcow.conf + echo '#WATCHDOG_NOTIFY_WEBHOOK=https://discord.com/api/webhooks/XXXXXXXXXXXXXXXXXXX/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' >> mailcow.conf + ;; + WATCHDOG_NOTIFY_WEBHOOK_BODY) + echo '# JSON body included in the webhook POST request. Needs to be in single quotes.' >> mailcow.conf + echo '# Following variables are available: SUBJECT, BODY' >> mailcow.conf + WEBHOOK_BODY='{"username": "mailcow Watchdog", "content": "**${SUBJECT}**\n${BODY}"}' + echo "#WATCHDOG_NOTIFY_WEBHOOK_BODY='${WEBHOOK_BODY}'" >> mailcow.conf + ;; + WATCHDOG_NOTIFY_BAN) + echo '# Notify about banned IP. Includes whois lookup.' >> mailcow.conf + echo "WATCHDOG_NOTIFY_BAN=y" >> mailcow.conf + ;; + WATCHDOG_NOTIFY_START) + echo '# Send a notification when the watchdog is started.' >> mailcow.conf + echo "WATCHDOG_NOTIFY_START=y" >> mailcow.conf + ;; + WATCHDOG_SUBJECT) + echo '# Subject for watchdog mails. Defaults to "Watchdog ALERT" followed by the error message.' >> mailcow.conf + echo "#WATCHDOG_SUBJECT=" >> mailcow.conf + ;; + WATCHDOG_EXTERNAL_CHECKS) + echo '# Checks if mailcow is an open relay. Requires a SAL. More checks will follow.' >> mailcow.conf + echo '# No data is collected. Opt-in and anonymous.' >> mailcow.conf + echo '# Will only work with unmodified mailcow setups.' >> mailcow.conf + echo "WATCHDOG_EXTERNAL_CHECKS=n" >> mailcow.conf + ;; + SOGO_EXPIRE_SESSION) + echo '# SOGo session timeout in minutes' >> mailcow.conf + echo "SOGO_EXPIRE_SESSION=480" >> mailcow.conf + ;; + REDIS_PORT) + echo "REDIS_PORT=127.0.0.1:7654" >> mailcow.conf + ;; + DOVECOT_MASTER_USER) + echo '# DOVECOT_MASTER_USER and _PASS must _both_ be provided. No special chars.' >> mailcow.conf + echo '# Empty by default to auto-generate master user and password on start.' >> mailcow.conf + echo '# User expands to DOVECOT_MASTER_USER@mailcow.local' >> mailcow.conf + echo '# LEAVE EMPTY IF UNSURE' >> mailcow.conf + echo "DOVECOT_MASTER_USER=" >> mailcow.conf + ;; + DOVECOT_MASTER_PASS) + echo '# LEAVE EMPTY IF UNSURE' >> mailcow.conf + echo "DOVECOT_MASTER_PASS=" >> mailcow.conf + ;; + MAILCOW_PASS_SCHEME) + echo '# Password hash algorithm' >> mailcow.conf + echo '# Only certain password hash algorithm are supported. For a fully list of supported schemes,' >> mailcow.conf + echo '# see https://docs.mailcow.email/models/model-passwd/' >> mailcow.conf + echo "MAILCOW_PASS_SCHEME=BLF-CRYPT" >> mailcow.conf + ;; + ADDITIONAL_SERVER_NAMES) + echo '# Additional server names for mailcow UI' >> mailcow.conf + echo '#' >> mailcow.conf + echo '# Specify alternative addresses for the mailcow UI to respond to' >> mailcow.conf + echo '# This is useful when you set mail.* as ADDITIONAL_SAN and want to make sure mail.maildomain.com will always point to the mailcow UI.' >> mailcow.conf + echo '# If the server name does not match a known site, Nginx decides by best-guess and may redirect users to the wrong web root.' >> mailcow.conf + echo '# You can understand this as server_name directive in Nginx.' >> mailcow.conf + echo '# Comma separated list without spaces! Example: ADDITIONAL_SERVER_NAMES=a.b.c,d.e.f' >> mailcow.conf + echo 'ADDITIONAL_SERVER_NAMES=' >> mailcow.conf + ;; + WEBAUTHN_ONLY_TRUSTED_VENDORS) + echo "# WebAuthn device manufacturer verification" >> mailcow.conf + echo '# After setting WEBAUTHN_ONLY_TRUSTED_VENDORS=y only devices from trusted manufacturers are allowed' >> mailcow.conf + echo '# root certificates can be placed for validation under mailcow-dockerized/data/web/inc/lib/WebAuthn/rootCertificates' >> mailcow.conf + echo 'WEBAUTHN_ONLY_TRUSTED_VENDORS=n' >> mailcow.conf + ;; + SPAMHAUS_DQS_KEY) + echo "# Spamhaus Data Query Service Key" >> mailcow.conf + echo '# Optional: Leave empty for none' >> mailcow.conf + echo '# Enter your key here if you are using a blocked ASN (OVH, AWS, Cloudflare e.g) for the unregistered Spamhaus Blocklist.' >> mailcow.conf + echo '# If empty, it will completely disable Spamhaus blocklists if it detects that you are running on a server using a blocked AS.' >> mailcow.conf + echo '# Otherwise it will work as usual.' >> mailcow.conf + echo 'SPAMHAUS_DQS_KEY=' >> mailcow.conf + ;; + WATCHDOG_VERBOSE) + echo '# Enable watchdog verbose logging' >> mailcow.conf + echo 'WATCHDOG_VERBOSE=n' >> mailcow.conf + ;; + SKIP_UNBOUND_HEALTHCHECK) + echo '# Skip Unbound (DNS Resolver) Healthchecks (NOT Recommended!) - y/n' >> mailcow.conf + echo 'SKIP_UNBOUND_HEALTHCHECK=n' >> mailcow.conf + ;; + DISABLE_NETFILTER_ISOLATION_RULE) + echo '# Prevent netfilter from setting an iptables/nftables rule to isolate the mailcow docker network - y/n' >> mailcow.conf + echo '# CAUTION: Disabling this may expose container ports to other neighbors on the same subnet, even if the ports are bound to localhost' >> mailcow.conf + echo 'DISABLE_NETFILTER_ISOLATION_RULE=n' >> mailcow.conf + ;; + HTTP_REDIRECT) + echo '# Redirect HTTP connections to HTTPS - y/n' >> mailcow.conf + echo 'HTTP_REDIRECT=n' >> mailcow.conf + ;; + ENABLE_IPV6) + echo '# IPv6 Controller Section' >> mailcow.conf + echo '# This variable controls the usage of IPv6 within mailcow.' >> mailcow.conf + echo '# Can either be true or false | Defaults to true' >> mailcow.conf + echo '# WARNING: MAKE SURE TO PROPERLY CONFIGURE IPv6 ON YOUR HOST FIRST BEFORE ENABLING THIS AS FAULTY CONFIGURATIONS CAN LEAD TO OPEN RELAYS!' >> mailcow.conf + echo '# A COMPLETE DOCKER STACK REBUILD (compose down && compose up -d) IS NEEDED TO APPLY THIS.' >> mailcow.conf + echo ENABLE_IPV6=${IPV6_BOOL} >> mailcow.conf + ;; + + SKIP_CLAMD) + echo '# Skip ClamAV (clamd-mailcow) anti-virus (Rspamd will auto-detect a missing ClamAV container) - y/n' >> mailcow.conf + echo 'SKIP_CLAMD=n' >> mailcow.conf + ;; + + SKIP_OLEFY) + echo '# Skip Olefy (olefy-mailcow) anti-virus for Office documents (Rspamd will auto-detect a missing Olefy container) - y/n' >> mailcow.conf + echo 'SKIP_OLEFY=n' >> mailcow.conf + ;; + + REDISPASS) + echo "REDISPASS=$(LC_ALL=C /dev/null | head -c 28)" >> mailcow.conf + ;; + + *) + echo "${option}=" >> mailcow.conf + ;; + esac + done +} \ No newline at end of file diff --git a/data/Dockerfiles/nginx/bootstrap.py b/data/Dockerfiles/nginx/bootstrap.py index 11e6fc202..d2d01c0b9 100644 --- a/data/Dockerfiles/nginx/bootstrap.py +++ b/data/Dockerfiles/nginx/bootstrap.py @@ -10,7 +10,7 @@ def includes_conf(env, template_vars): server_name_config = f"server_name {template_vars['MAILCOW_HOSTNAME']} autodiscover.* autoconfig.* {' '.join(template_vars['ADDITIONAL_SERVER_NAMES'])};" listen_plain_config = f"listen {template_vars['HTTP_PORT']};" listen_ssl_config = f"listen {template_vars['HTTPS_PORT']};" - if not template_vars['DISABLE_IPv6']: + if not template_vars['ENABLE_IPV6']: listen_plain_config += f"\nlisten [::]:{template_vars['HTTP_PORT']};" listen_ssl_config += f"\nlisten [::]:{template_vars['HTTPS_PORT']} ssl;" listen_ssl_config += "\nhttp2 on;" @@ -58,7 +58,7 @@ def prepare_template_vars(): 'SOGOHOST': os.getenv("SOGOHOST", ipv4_network + ".248"), 'RSPAMDHOST': os.getenv("RSPAMDHOST", "rspamd-mailcow"), 'PHPFPMHOST': os.getenv("PHPFPMHOST", "php-fpm-mailcow"), - 'DISABLE_IPv6': os.getenv("DISABLE_IPv6", "n").lower() in ("y", "yes"), + 'ENABLE_IPV6': os.getenv("ENABLE_IPV6", "true").lower() != "false", 'HTTP_REDIRECT': os.getenv("HTTP_REDIRECT", "n").lower() in ("y", "yes"), } diff --git a/docker-compose.yml b/docker-compose.yml index e6b5dc20d..c55158dbb 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -394,7 +394,7 @@ services: - php-fpm-mailcow - sogo-mailcow - rspamd-mailcow - image: ghcr.io/mailcow/nginx:1.03 + image: ghcr.io/mailcow/nginx:1.04 dns: - ${IPV4_NETWORK:-172.22.1}.254 environment: @@ -405,7 +405,7 @@ services: - TZ=${TZ} - SKIP_SOGO=${SKIP_SOGO:-n} - SKIP_RSPAMD=${SKIP_RSPAMD:-n} - - DISABLE_IPv6=${DISABLE_IPv6:-n} + - ENABLE_IPV6=${ENABLE_IPV6:-true} - HTTP_REDIRECT=${HTTP_REDIRECT:-n} - PHPFPMHOST=${PHPFPMHOST:-} - SOGOHOST=${SOGOHOST:-} @@ -629,41 +629,12 @@ services: aliases: - ofelia - ipv6nat-mailcow: - depends_on: - - unbound-mailcow - - mysql-mailcow - - redis-mailcow - - clamd-mailcow - - rspamd-mailcow - - php-fpm-mailcow - - sogo-mailcow - - dovecot-mailcow - - postfix-mailcow - - memcached-mailcow - - nginx-mailcow - - acme-mailcow - - netfilter-mailcow - - watchdog-mailcow - - dockerapi-mailcow - environment: - - TZ=${TZ} - image: robbertkl/ipv6nat - security_opt: - - label=disable - restart: always - privileged: true - network_mode: "host" - volumes: - - /var/run/docker.sock:/var/run/docker.sock:ro - - /lib/modules:/lib/modules:ro - networks: mailcow-network: driver: bridge driver_opts: com.docker.network.bridge.name: br-mailcow - enable_ipv6: true + enable_ipv6: ${ENABLE_IPV6:-true} ipam: driver: default config: diff --git a/generate_config.sh b/generate_config.sh index 61b72109c..9610bf18d 100755 --- a/generate_config.sh +++ b/generate_config.sh @@ -1,32 +1,13 @@ #!/usr/bin/env bash +# Load mailcow Generic Scripts +source _modules/scripts/core.sh +source _modules/scripts/ipv6_controller.sh + set -o pipefail -if [[ "$(uname -r)" =~ ^4\.15\.0-60 ]]; then - echo "DO NOT RUN mailcow ON THIS UBUNTU KERNEL!"; - echo "Please update to 5.x or use another distribution." - exit 1 -fi - -if [[ "$(uname -r)" =~ ^4\.4\. ]]; then - if grep -q Ubuntu <<< "$(uname -a)"; then - echo "DO NOT RUN mailcow ON THIS UBUNTU KERNEL!"; - echo "Please update to linux-generic-hwe-16.04 by running \"apt-get install --install-recommends linux-generic-hwe-16.04\"" - exit 1 - fi -fi - -if grep --help 2>&1 | head -n 1 | grep -q -i "busybox"; then echo "BusyBox grep detected, please install gnu grep, \"apk add --no-cache --upgrade grep\""; exit 1; fi -# This will also cover sort -if cp --help 2>&1 | head -n 1 | grep -q -i "busybox"; then echo "BusyBox cp detected, please install coreutils, \"apk add --no-cache --upgrade coreutils\""; exit 1; fi -if sed --help 2>&1 | head -n 1 | grep -q -i "busybox"; then echo "BusyBox sed detected, please install gnu sed, \"apk add --no-cache --upgrade sed\""; exit 1; fi - -for bin in openssl curl docker git awk sha1sum grep cut; do - if [[ -z $(which ${bin}) ]]; then echo "Cannot find ${bin}, exiting..."; exit 1; fi -done - -# Check Docker Version (need at least 24.X) -docker_version=$(docker version --format '{{.Server.Version}}' | cut -d '.' -f 1) +get_installed_tools +get_docker_version if [[ $docker_version -lt 24 ]]; then echo -e "\e[31mCannot find Docker with a Version higher or equals 24.0.0\e[0m" @@ -35,65 +16,7 @@ if [[ $docker_version -lt 24 ]]; then exit 1 fi -if docker compose > /dev/null 2>&1; then - if docker compose version --short | grep -e "^2." -e "^v2." > /dev/null 2>&1; then - COMPOSE_VERSION=native - echo -e "\e[33mFound Docker Compose Plugin (native).\e[0m" - echo -e "\e[33mSetting the DOCKER_COMPOSE_VERSION Variable to native\e[0m" - sleep 2 - echo -e "\e[33mNotice: You'll have to update this Compose Version via your Package Manager manually!\e[0m" - else - echo -e "\e[31mCannot find Docker Compose with a Version Higher than 2.X.X.\e[0m" - echo -e "\e[31mPlease update/install it manually regarding to this doc site: https://docs.mailcow.email/install/\e[0m" - exit 1 - fi -elif docker-compose > /dev/null 2>&1; then - if ! [[ $(alias docker-compose 2> /dev/null) ]] ; then - if docker-compose version --short | grep "^2." > /dev/null 2>&1; then - COMPOSE_VERSION=standalone - echo -e "\e[33mFound Docker Compose Standalone.\e[0m" - echo -e "\e[33mSetting the DOCKER_COMPOSE_VERSION Variable to standalone\e[0m" - sleep 2 - echo -e "\e[33mNotice: For an automatic update of docker-compose please use the update_compose.sh scripts located at the helper-scripts folder.\e[0m" - else - echo -e "\e[31mCannot find Docker Compose with a Version Higher than 2.X.X.\e[0m" - echo -e "\e[31mPlease update/install manually regarding to this doc site: https://docs.mailcow.email/install/\e[0m" - exit 1 - fi - fi - -else - echo -e "\e[31mCannot find Docker Compose.\e[0m" - echo -e "\e[31mPlease install it regarding to this doc site: https://docs.mailcow.email/install/\e[0m" - exit 1 -fi - -detect_bad_asn() { - echo -e "\e[33mDetecting if your IP is listed on Spamhaus Bad ASN List...\e[0m" - response=$(curl --connect-timeout 15 --max-time 30 -s -o /dev/null -w "%{http_code}" "https://asn-check.mailcow.email") - if [ "$response" -eq 503 ]; then - if [ -z "$SPAMHAUS_DQS_KEY" ]; then - echo -e "\e[33mYour server's public IP uses an AS that is blocked by Spamhaus to use their DNS public blocklists for Postfix.\e[0m" - echo -e "\e[33mmailcow did not detected a value for the variable SPAMHAUS_DQS_KEY inside mailcow.conf!\e[0m" - sleep 2 - echo "" - echo -e "\e[33mTo use the Spamhaus DNS Blocklists again, you will need to create a FREE account for their Data Query Service (DQS) at: https://www.spamhaus.com/free-trial/sign-up-for-a-free-data-query-service-account\e[0m" - echo -e "\e[33mOnce done, enter your DQS API key in mailcow.conf and mailcow will do the rest for you!\e[0m" - echo "" - sleep 2 - - else - echo -e "\e[33mYour server's public IP uses an AS that is blocked by Spamhaus to use their DNS public blocklists for Postfix.\e[0m" - echo -e "\e[32mmailcow detected a Value for the variable SPAMHAUS_DQS_KEY inside mailcow.conf. Postfix will use DQS with the given API key...\e[0m" - fi - elif [ "$response" -eq 200 ]; then - echo -e "\e[33mCheck completed! Your IP is \e[32mclean\e[0m" - elif [ "$response" -eq 429 ]; then - echo -e "\e[33mCheck completed! \e[31mYour IP seems to be rate limited on the ASN Check service... please try again later!\e[0m" - else - echo -e "\e[31mCheck failed! \e[0mMaybe a DNS or Network problem?\e[0m" - fi -} +detect_bad_asn ### If generate_config.sh is started with --dev or -d it will not check out nightly or master branch and will keep on the current branch if [[ ${1} == "--dev" || ${1} == "-d" ]]; then @@ -217,6 +140,8 @@ if [ ! -z "${MAILCOW_BRANCH}" ]; then git_branch=${MAILCOW_BRANCH} fi +configure_ipv6 + [ ! -f ./data/conf/rspamd/override.d/worker-controller-password.inc ] && echo '# Placeholder' > ./data/conf/rspamd/override.d/worker-controller-password.inc cat << EOF > mailcow.conf @@ -510,6 +435,13 @@ WEBAUTHN_ONLY_TRUSTED_VENDORS=n # Otherwise it will work normally. SPAMHAUS_DQS_KEY= +# IPv6 Controller Section +# This variable controls the usage of IPv6 within mailcow. +# Can either be true or false | Defaults to true +# WARNING: MAKE SURE TO PROPERLY CONFIGURE IPv6 ON YOUR HOST FIRST BEFORE ENABLING THIS AS FAULTY CONFIGURATIONS CAN LEAD TO OPEN RELAYS! +# A COMPLETE DOCKER STACK REBUILD (compose down && compose up -d) IS NEEDED TO APPLY THIS. +ENABLE_IPV6=${IPV6_BOOL} + # Prevent netfilter from setting an iptables/nftables rule to isolate the mailcow docker network - y/n # CAUTION: Disabling this may expose container ports to other neighbors on the same subnet, even if the ports are bound to localhost DISABLE_NETFILTER_ISOLATION_RULE=n @@ -588,6 +520,4 @@ else echo ' $MAILCOW_UPDATEDAT='$(date +%s)';' >> data/web/inc/app_info.inc.php echo '?>' >> data/web/inc/app_info.inc.php echo -e "\e[33mCannot determine current git repository version...\e[0m" -fi - -detect_bad_asn +fi \ No newline at end of file diff --git a/update.sh b/update.sh index b7d22bf8a..89dec3e66 100755 --- a/update.sh +++ b/update.sh @@ -2,775 +2,23 @@ ############## Begin Function Section ############## -check_online_status() { - CHECK_ONLINE_DOMAINS=('https://github.com' 'https://hub.docker.com') - for domain in "${CHECK_ONLINE_DOMAINS[@]}"; do - if timeout 6 curl --head --silent --output /dev/null ${domain}; then - return 0 - fi - done - return 1 -} +SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" +BRANCH="$(cd "${SCRIPT_DIR}" && git rev-parse --abbrev-ref HEAD)" -prefetch_images() { - [[ -z ${BRANCH} ]] && { echo -e "\e[33m\nUnknown branch...\e[0m"; exit 1; } - git fetch origin #${BRANCH} - while read image; do - if [[ "${image}" == "robbertkl/ipv6nat" ]]; then - if ! grep -qi "ipv6nat-mailcow" docker-compose.yml || grep -qi "enable_ipv6: false" docker-compose.yml; then - continue - fi - fi - RET_C=0 - until docker pull "${image}"; do - RET_C=$((RET_C + 1)) - echo -e "\e[33m\nError pulling $image, retrying...\e[0m" - [ ${RET_C} -gt 3 ] && { echo -e "\e[31m\nToo many failed retries, exiting\e[0m"; exit 1; } - sleep 1 - done - done < <(git show "origin/${BRANCH}:docker-compose.yml" | grep "image:" | awk '{ gsub("image:","", $3); print $2 }') -} - -docker_garbage() { - SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" - IMGS_TO_DELETE=() - - declare -A IMAGES_INFO - COMPOSE_IMAGES=($(grep -oP "image: \K(ghcr\.io/)?mailcow.+" "${SCRIPT_DIR}/docker-compose.yml")) - - for existing_image in $(docker images --format "{{.ID}}:{{.Repository}}:{{.Tag}}" | grep -E '(mailcow/|ghcr\.io/mailcow/)'); do - ID=$(echo "$existing_image" | cut -d ':' -f 1) - REPOSITORY=$(echo "$existing_image" | cut -d ':' -f 2) - TAG=$(echo "$existing_image" | cut -d ':' -f 3) - - if [[ "$REPOSITORY" == "mailcow/backup" || "$REPOSITORY" == "ghcr.io/mailcow/backup" ]]; then - if [[ "$TAG" != "" ]]; then - continue - fi - fi - - if [[ " ${COMPOSE_IMAGES[@]} " =~ " ${REPOSITORY}:${TAG} " ]]; then - continue - else - IMGS_TO_DELETE+=("$ID") - IMAGES_INFO["$ID"]="$REPOSITORY:$TAG" - fi - done - - if [[ ! -z ${IMGS_TO_DELETE[*]} ]]; then - echo "The following unused mailcow images were found:" - for id in "${IMGS_TO_DELETE[@]}"; do - echo " ${IMAGES_INFO[$id]} ($id)" - done - - if [ -z "$FORCE" ]; then - read -r -p "Do you want to delete them to free up some space? [y/N] " response - if [[ "$response" =~ ^([yY][eE][sS]|[yY])+$ ]]; then - docker rmi ${IMGS_TO_DELETE[*]} - else - echo "OK, skipped." - fi - else - echo "Running in forced mode! Force removing old mailcow images..." - docker rmi ${IMGS_TO_DELETE[*]} - fi - echo -e "\e[32mFurther cleanup...\e[0m" - echo "If you want to cleanup further garbage collected by Docker, please make sure all containers are up and running before cleaning your system by executing \"docker system prune\"" - fi -} - -in_array() { - local e match="$1" - shift - for e; do [[ "$e" == "$match" ]] && return 0; done - return 1 -} - -migrate_docker_nat() { - NAT_CONFIG='{"ipv6":true,"fixed-cidr-v6":"fd00:dead:beef:c0::/80","experimental":true,"ip6tables":true}' - # Min Docker version - DOCKERV_REQ=20.10.2 - # Current Docker version - DOCKERV_CUR=$(docker version -f '{{.Server.Version}}') - if grep -qi "ipv6nat-mailcow" docker-compose.yml && grep -qi "enable_ipv6: true" docker-compose.yml; then - echo -e "\e[32mNative IPv6 implementation available.\e[0m" - echo "This will enable experimental features in the Docker daemon and configure Docker to do the IPv6 NATing instead of ipv6nat-mailcow." - echo '!!! This step is recommended !!!' - echo "mailcow will try to roll back the changes if starting Docker fails after modifying the daemon.json configuration file." - read -r -p "Should we try to enable the native IPv6 implementation in Docker now (recommended)? [y/N] " dockernatresponse - if [[ ! "${dockernatresponse}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then - echo "OK, skipping this step." - return 0 - fi - fi - # Sort versions and check if we are running a newer or equal version to req - if [ $(printf "${DOCKERV_REQ}\n${DOCKERV_CUR}" | sort -V | tail -n1) == "${DOCKERV_CUR}" ]; then - # If Dockerd daemon json exists - if [ -s /etc/docker/daemon.json ]; then - IFS=',' read -r -a dockerconfig <<< $(cat /etc/docker/daemon.json | tr -cd '[:alnum:],') - if ! in_array ipv6true "${dockerconfig[@]}" || \ - ! in_array experimentaltrue "${dockerconfig[@]}" || \ - ! in_array ip6tablestrue "${dockerconfig[@]}" || \ - ! grep -qi "fixed-cidr-v6" /etc/docker/daemon.json; then - echo -e "\e[33mWarning:\e[0m You seem to have modified the /etc/docker/daemon.json configuration by yourself and not fully/correctly activated the native IPv6 NAT implementation." - echo "You will need to merge your existing configuration manually or fix/delete the existing daemon.json configuration before trying the update process again." - echo -e "Please merge the following content and restart the Docker daemon:\n" - echo "${NAT_CONFIG}" - return 1 - fi - else - echo "Working on IPv6 NAT, please wait..." - echo "${NAT_CONFIG}" > /etc/docker/daemon.json - ip6tables -F -t nat - [[ -e /etc/rc.conf ]] && rc-service docker restart || systemctl restart docker.service - if [[ $? -ne 0 ]]; then - echo -e "\e[31mError:\e[0m Failed to activate IPv6 NAT! Reverting and exiting." - rm /etc/docker/daemon.json - if [[ -e /etc/rc.conf ]]; then - rc-service docker restart - else - systemctl reset-failed docker.service - systemctl restart docker.service - fi - return 1 - fi - fi - # Removing legacy container - sed -i '/ipv6nat-mailcow:$/,/^$/d' docker-compose.yml - if [ -s docker-compose.override.yml ]; then - sed -i '/ipv6nat-mailcow:$/,/^$/d' docker-compose.override.yml - if [[ "$(cat docker-compose.override.yml | sed '/^\s*$/d' | wc -l)" == "2" ]]; then - mv docker-compose.override.yml docker-compose.override.yml_backup - fi - fi - echo -e "\e[32mGreat! \e[0mNative IPv6 NAT is active.\e[0m" - else - echo -e "\e[31mPlease upgrade Docker to version ${DOCKERV_REQ} or above.\e[0m" - return 0 - fi -} - -remove_obsolete_nginx_ports() { - # Removing obsolete docker-compose.override.yml - for override in docker-compose.override.yml docker-compose.override.yaml; do - if [ -s $override ] ; then - if cat $override | grep nginx-mailcow > /dev/null 2>&1; then - if cat $override | grep -E '(\[::])' > /dev/null 2>&1; then - if cat $override | grep -w 80:80 > /dev/null 2>&1 && cat $override | grep -w 443:443 > /dev/null 2>&1 ; then - echo -e "\e[33mBacking up ${override} to preserve custom changes...\e[0m" - echo -e "\e[33m!!! Manual Merge needed (if other overrides are set) !!!\e[0m" - sleep 3 - cp $override ${override}_backup - sed -i '/nginx-mailcow:$/,/^$/d' $override - echo -e "\e[33mRemoved obsolete NGINX IPv6 Bind from original override File.\e[0m" - if [[ "$(cat $override | sed '/^\s*$/d' | wc -l)" == "2" ]]; then - mv $override ${override}_empty - echo -e "\e[31m${override} is empty. Renamed it to ensure mailcow is startable.\e[0m" - fi - fi - fi - fi - fi - done -} - -detect_docker_compose_command(){ -if ! [[ "${DOCKER_COMPOSE_VERSION}" =~ ^(native|standalone)$ ]]; then - if docker compose > /dev/null 2>&1; then - if docker compose version --short | grep -e "^2." -e "^v2." > /dev/null 2>&1; then - DOCKER_COMPOSE_VERSION=native - COMPOSE_COMMAND="docker compose" - echo -e "\e[33mFound Docker Compose Plugin (native).\e[0m" - echo -e "\e[33mSetting the DOCKER_COMPOSE_VERSION Variable to native\e[0m" - sed -i 's/^DOCKER_COMPOSE_VERSION=.*/DOCKER_COMPOSE_VERSION=native/' "$SCRIPT_DIR/mailcow.conf" - sleep 2 - echo -e "\e[33mNotice: You'll have to update this Compose Version via your Package Manager manually!\e[0m" - else - echo -e "\e[31mCannot find Docker Compose with a Version Higher than 2.X.X.\e[0m" - echo -e "\e[31mPlease update/install it manually regarding to this doc site: https://docs.mailcow.email/install/\e[0m" - exit 1 - fi - elif docker-compose > /dev/null 2>&1; then - if ! [[ $(alias docker-compose 2> /dev/null) ]] ; then - if docker-compose version --short | grep "^2." > /dev/null 2>&1; then - DOCKER_COMPOSE_VERSION=standalone - COMPOSE_COMMAND="docker-compose" - echo -e "\e[33mFound Docker Compose Standalone.\e[0m" - echo -e "\e[33mSetting the DOCKER_COMPOSE_VERSION Variable to standalone\e[0m" - sed -i 's/^DOCKER_COMPOSE_VERSION=.*/DOCKER_COMPOSE_VERSION=standalone/' "$SCRIPT_DIR/mailcow.conf" - sleep 2 - echo -e "\e[33mNotice: For an automatic update of docker-compose please use the update_compose.sh scripts located at the helper-scripts folder.\e[0m" - else - echo -e "\e[31mCannot find Docker Compose with a Version Higher than 2.X.X.\e[0m" - echo -e "\e[31mPlease update/install regarding to this doc site: https://docs.mailcow.email/install/\e[0m" - exit 1 - fi - fi - - else - echo -e "\e[31mCannot find Docker Compose.\e[0m" - echo -e "\e[31mPlease install it regarding to this doc site: https://docs.mailcow.email/install/\e[0m" - exit 1 - fi - -elif [ "${DOCKER_COMPOSE_VERSION}" == "native" ]; then - COMPOSE_COMMAND="docker compose" - # Check if Native Compose works and has not been deleted - if ! $COMPOSE_COMMAND > /dev/null 2>&1; then - # IF it not exists/work anymore try the other command - COMPOSE_COMMAND="docker-compose" - if ! $COMPOSE_COMMAND > /dev/null 2>&1 || ! $COMPOSE_COMMAND --version | grep "^2." > /dev/null 2>&1; then - # IF it cannot find Standalone in > 2.X, then script stops - echo -e "\e[31mCannot find Docker Compose or the Version is lower then 2.X.X.\e[0m" - echo -e "\e[31mPlease install it regarding to this doc site: https://docs.mailcow.email/install/\e[0m" - exit 1 - fi - # If it finds the standalone Plugin it will use this instead and change the mailcow.conf Variable accordingly - echo -e "\e[31mFound different Docker Compose Version then declared in mailcow.conf!\e[0m" - echo -e "\e[31mSetting the DOCKER_COMPOSE_VERSION Variable from native to standalone\e[0m" - sed -i 's/^DOCKER_COMPOSE_VERSION=.*/DOCKER_COMPOSE_VERSION=standalone/' "$SCRIPT_DIR/mailcow.conf" - sleep 2 - fi - - -elif [ "${DOCKER_COMPOSE_VERSION}" == "standalone" ]; then - COMPOSE_COMMAND="docker-compose" - # Check if Standalone Compose works and has not been deleted - if ! $COMPOSE_COMMAND > /dev/null 2>&1 && ! $COMPOSE_COMMAND --version > /dev/null 2>&1 | grep "^2." > /dev/null 2>&1; then - # IF it not exists/work anymore try the other command - COMPOSE_COMMAND="docker compose" - if ! $COMPOSE_COMMAND > /dev/null 2>&1; then - # IF it cannot find Native in > 2.X, then script stops - echo -e "\e[31mCannot find Docker Compose.\e[0m" - echo -e "\e[31mPlease install it regarding to this doc site: https://docs.mailcow.email/install/\e[0m" - exit 1 - fi - # If it finds the native Plugin it will use this instead and change the mailcow.conf Variable accordingly - echo -e "\e[31mFound different Docker Compose Version then declared in mailcow.conf!\e[0m" - echo -e "\e[31mSetting the DOCKER_COMPOSE_VERSION Variable from standalone to native\e[0m" - sed -i 's/^DOCKER_COMPOSE_VERSION=.*/DOCKER_COMPOSE_VERSION=native/' "$SCRIPT_DIR/mailcow.conf" - sleep 2 - fi +MODULE_DIR="${SCRIPT_DIR}/_modules" +if [[ ! -d "${MODULE_DIR}" || -z "$(ls -A "${MODULE_DIR}")" ]]; then + echo -e "\e[33m_modules is missing or empty – fetching all Modules from origin/${BRANCH}…\e[0m" + git fetch origin "${BRANCH}" + git checkout "origin/${BRANCH}" -- _modules + echo -e "\e[33mDone. Please restart the script...\e[0m" + exit 2 fi -} -detect_bad_asn() { - echo -e "\e[33mDetecting if your IP is listed on Spamhaus Bad ASN List...\e[0m" - response=$(curl --connect-timeout 15 --max-time 30 -s -o /dev/null -w "%{http_code}" "https://asn-check.mailcow.email") - if [ "$response" -eq 503 ]; then - if [ -z "$SPAMHAUS_DQS_KEY" ]; then - echo -e "\e[33mYour server's public IP uses an AS that is blocked by Spamhaus to use their DNS public blocklists for Postfix.\e[0m" - echo -e "\e[33mmailcow did not detected a value for the variable SPAMHAUS_DQS_KEY inside mailcow.conf!\e[0m" - sleep 2 - echo "" - echo -e "\e[33mTo use the Spamhaus DNS Blocklists again, you will need to create a FREE account for their Data Query Service (DQS) at: https://www.spamhaus.com/free-trial/sign-up-for-a-free-data-query-service-account\e[0m" - echo -e "\e[33mOnce done, enter your DQS API key in mailcow.conf and mailcow will do the rest for you!\e[0m" - echo "" - sleep 2 +source _modules/scripts/core.sh +source _modules/scripts/ipv6_controller.sh +source _modules/scripts/new_options.sh +source _modules/scripts/migrate_options.sh - else - echo -e "\e[33mYour server's public IP uses an AS that is blocked by Spamhaus to use their DNS public blocklists for Postfix.\e[0m" - echo -e "\e[32mmailcow detected a Value for the variable SPAMHAUS_DQS_KEY inside mailcow.conf. Postfix will use DQS with the given API key...\e[0m" - fi - elif [ "$response" -eq 200 ]; then - echo -e "\e[33mCheck completed! Your IP is \e[32mclean\e[0m" - elif [ "$response" -eq 429 ]; then - echo -e "\e[33mCheck completed! \e[31mYour IP seems to be rate limited on the ASN Check service... please try again later!\e[0m" - else - echo -e "\e[31mCheck failed! \e[0mMaybe a DNS or Network problem?\e[0m" - fi -} - -fix_broken_dnslist_conf() { - -# Fixing issue: #6143. To be removed in a later patch - - local file="${SCRIPT_DIR}/data/conf/postfix/dns_blocklists.cf" - # Check if the file exists - if [[ ! -f "$file" ]]; then - return 1 - fi - - # Check if the file contains the autogenerated comment - if grep -q "# Autogenerated by mailcow" "$file"; then - # Ask the user if custom changes were made - echo -e "\e[91mWARNING!!! \e[31mAn old version of dns_blocklists.cf has been detected which may cause a broken postfix upon startup (see: https://github.com/mailcow/mailcow-dockerized/issues/6143)...\e[0m" - echo -e "\e[31mIf you have any custom settings in there you might copy it away and adapt the changes after the file is regenerated...\e[0m" - read -p "Do you want to delete the file now and let mailcow regenerate it properly? [y/n]" response - if [[ "${response}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then - rm "$file" - echo -e "\e[32mdns_blocklists.cf has been deleted and will be properly regenerated" - return 0 - else - echo -e "\e[35mOk, not deleting it! Please make sure you take a look at postfix upon start then..." - return 2 - fi - fi - -} - -adapt_new_options() { - - CONFIG_ARRAY=( - "SKIP_LETS_ENCRYPT" - "SKIP_SOGO" - "USE_WATCHDOG" - "WATCHDOG_NOTIFY_EMAIL" - "WATCHDOG_NOTIFY_WEBHOOK" - "WATCHDOG_NOTIFY_WEBHOOK_BODY" - "WATCHDOG_NOTIFY_BAN" - "WATCHDOG_NOTIFY_START" - "WATCHDOG_EXTERNAL_CHECKS" - "WATCHDOG_SUBJECT" - "SKIP_CLAMD" - "SKIP_OLEFY" - "SKIP_IP_CHECK" - "ADDITIONAL_SAN" - "DOVEADM_PORT" - "IPV4_NETWORK" - "IPV6_NETWORK" - "LOG_LINES" - "SNAT_TO_SOURCE" - "SNAT6_TO_SOURCE" - "COMPOSE_PROJECT_NAME" - "DOCKER_COMPOSE_VERSION" - "SQL_PORT" - "API_KEY" - "API_KEY_READ_ONLY" - "API_ALLOW_FROM" - "MAILDIR_GC_TIME" - "MAILDIR_SUB" - "ACL_ANYONE" - "FTS_HEAP" - "FTS_PROCS" - "SKIP_FTS" - "ENABLE_SSL_SNI" - "ALLOW_ADMIN_EMAIL_LOGIN" - "SKIP_HTTP_VERIFICATION" - "SOGO_EXPIRE_SESSION" - "REDIS_PORT" - "DOVECOT_MASTER_USER" - "DOVECOT_MASTER_PASS" - "MAILCOW_PASS_SCHEME" - "ADDITIONAL_SERVER_NAMES" - "WATCHDOG_VERBOSE" - "WEBAUTHN_ONLY_TRUSTED_VENDORS" - "SPAMHAUS_DQS_KEY" - "SKIP_UNBOUND_HEALTHCHECK" - "DISABLE_NETFILTER_ISOLATION_RULE" - "HTTP_REDIRECT" - ) - - sed -i --follow-symlinks '$a\' mailcow.conf - for option in ${CONFIG_ARRAY[@]}; do - if [[ ${option} == "ADDITIONAL_SAN" ]]; then - if ! grep -q ${option} mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo "${option}=" >> mailcow.conf - fi - elif [[ ${option} == "COMPOSE_PROJECT_NAME" ]]; then - if ! grep -q ${option} mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo "COMPOSE_PROJECT_NAME=mailcowdockerized" >> mailcow.conf - fi - elif [[ ${option} == "DOCKER_COMPOSE_VERSION" ]]; then - if ! grep -q ${option} mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo "# Used Docker Compose version" >> mailcow.conf - echo "# Switch here between native (compose plugin) and standalone" >> mailcow.conf - echo "# For more informations take a look at the mailcow docs regarding the configuration options." >> mailcow.conf - echo "# Normally this should be untouched but if you decided to use either of those you can switch it manually here." >> mailcow.conf - echo "# Please be aware that at least one of those variants should be installed on your maschine or mailcow will fail." >> mailcow.conf - echo "" >> mailcow.conf - echo "DOCKER_COMPOSE_VERSION=${DOCKER_COMPOSE_VERSION}" >> mailcow.conf - fi - elif [[ ${option} == "DOVEADM_PORT" ]]; then - if ! grep -q ${option} mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo "DOVEADM_PORT=127.0.0.1:19991" >> mailcow.conf - fi - elif [[ ${option} == "WATCHDOG_NOTIFY_EMAIL" ]]; then - if ! grep -q ${option} mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo "WATCHDOG_NOTIFY_EMAIL=" >> mailcow.conf - fi - elif [[ ${option} == "LOG_LINES" ]]; then - if ! grep -q ${option} mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo '# Max log lines per service to keep in Redis logs' >> mailcow.conf - echo "LOG_LINES=9999" >> mailcow.conf - fi - elif [[ ${option} == "IPV4_NETWORK" ]]; then - if ! grep -q ${option} mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo '# Internal IPv4 /24 subnet, format n.n.n. (expands to n.n.n.0/24)' >> mailcow.conf - echo "IPV4_NETWORK=172.22.1" >> mailcow.conf - fi - elif [[ ${option} == "IPV6_NETWORK" ]]; then - if ! grep -q ${option} mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo '# Internal IPv6 subnet in fc00::/7' >> mailcow.conf - echo "IPV6_NETWORK=fd4d:6169:6c63:6f77::/64" >> mailcow.conf - fi - elif [[ ${option} == "SQL_PORT" ]]; then - if ! grep -q ${option} mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo '# Bind SQL to 127.0.0.1 on port 13306' >> mailcow.conf - echo "SQL_PORT=127.0.0.1:13306" >> mailcow.conf - fi - elif [[ ${option} == "API_KEY" ]]; then - if ! grep -q ${option} mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo '# Create or override API key for web UI' >> mailcow.conf - echo "#API_KEY=" >> mailcow.conf - fi - elif [[ ${option} == "API_KEY_READ_ONLY" ]]; then - if ! grep -q ${option} mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo '# Create or override read-only API key for web UI' >> mailcow.conf - echo "#API_KEY_READ_ONLY=" >> mailcow.conf - fi - elif [[ ${option} == "API_ALLOW_FROM" ]]; then - if ! grep -q ${option} mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo '# Must be set for API_KEY to be active' >> mailcow.conf - echo '# IPs only, no networks (networks can be set via UI)' >> mailcow.conf - echo "#API_ALLOW_FROM=" >> mailcow.conf - fi - elif [[ ${option} == "SNAT_TO_SOURCE" ]]; then - if ! grep -q ${option} mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo '# Use this IPv4 for outgoing connections (SNAT)' >> mailcow.conf - echo "#SNAT_TO_SOURCE=" >> mailcow.conf - fi - elif [[ ${option} == "SNAT6_TO_SOURCE" ]]; then - if ! grep -q ${option} mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo '# Use this IPv6 for outgoing connections (SNAT)' >> mailcow.conf - echo "#SNAT6_TO_SOURCE=" >> mailcow.conf - fi - elif [[ ${option} == "MAILDIR_GC_TIME" ]]; then - if ! grep -q ${option} mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo '# Garbage collector cleanup' >> mailcow.conf - echo '# Deleted domains and mailboxes are moved to /var/vmail/_garbage/timestamp_sanitizedstring' >> mailcow.conf - echo '# How long should objects remain in the garbage until they are being deleted? (value in minutes)' >> mailcow.conf - echo '# Check interval is hourly' >> mailcow.conf - echo 'MAILDIR_GC_TIME=1440' >> mailcow.conf - fi - elif [[ ${option} == "ACL_ANYONE" ]]; then - if ! grep -q ${option} mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo '# Set this to "allow" to enable the anyone pseudo user. Disabled by default.' >> mailcow.conf - echo '# When enabled, ACL can be created, that apply to "All authenticated users"' >> mailcow.conf - echo '# This should probably only be activated on mail hosts, that are used exclusivly by one organisation.' >> mailcow.conf - echo '# Otherwise a user might share data with too many other users.' >> mailcow.conf - echo 'ACL_ANYONE=disallow' >> mailcow.conf - fi - elif [[ ${option} == "FTS_HEAP" ]]; then - if ! grep -q ${option} mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo '# Dovecot Indexing (FTS) Process maximum heap size in MB, there is no recommendation, please see Dovecot docs.' >> mailcow.conf - echo '# Flatcurve is used as FTS Engine. It is supposed to be pretty efficient in CPU and RAM consumption.' >> mailcow.conf - echo '# Please always monitor your Resource consumption!' >> mailcow.conf - echo "FTS_HEAP=128" >> mailcow.conf - fi - elif [[ ${option} == "SKIP_FTS" ]]; then - if ! grep -q ${option} mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo '# Skip FTS (Fulltext Search) for Dovecot on low-memory, low-threaded systems or if you simply want to disable it.' >> mailcow.conf - echo "# Dovecot inside mailcow use Flatcurve as FTS Backend." >> mailcow.conf - echo "SKIP_FTS=y" >> mailcow.conf - fi - elif [[ ${option} == "FTS_PROCS" ]]; then - if ! grep -q ${option} mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo '# Controls how many processes the Dovecot indexing process can spawn at max.' >> mailcow.conf - echo '# Too many indexing processes can use a lot of CPU and Disk I/O' >> mailcow.conf - echo '# Please visit: https://doc.dovecot.org/configuration_manual/service_configuration/#indexer-worker for more informations' >> mailcow.conf - echo "FTS_PROCS=1" >> mailcow.conf - fi - elif [[ ${option} == "ENABLE_SSL_SNI" ]]; then - if ! grep -q ${option} mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo '# Create seperate certificates for all domains - y/n' >> mailcow.conf - echo '# this will allow adding more than 100 domains, but some email clients will not be able to connect with alternative hostnames' >> mailcow.conf - echo '# see https://wiki.dovecot.org/SSL/SNIClientSupport' >> mailcow.conf - echo "ENABLE_SSL_SNI=n" >> mailcow.conf - fi - elif [[ ${option} == "SKIP_SOGO" ]]; then - if ! grep -q ${option} mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo '# Skip SOGo: Will disable SOGo integration and therefore webmail, DAV protocols and ActiveSync support (experimental, unsupported, not fully implemented) - y/n' >> mailcow.conf - echo "SKIP_SOGO=n" >> mailcow.conf - fi - elif [[ ${option} == "MAILDIR_SUB" ]]; then - if ! grep -q ${option} mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo '# MAILDIR_SUB defines a path in a users virtual home to keep the maildir in. Leave empty for updated setups.' >> mailcow.conf - echo "#MAILDIR_SUB=Maildir" >> mailcow.conf - echo "MAILDIR_SUB=" >> mailcow.conf - fi - elif [[ ${option} == "WATCHDOG_NOTIFY_WEBHOOK" ]]; then - if ! grep -q ${option} mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo '# Send notifications to a webhook URL that receives a POST request with the content type "application/json".' >> mailcow.conf - echo '# You can use this to send notifications to services like Discord, Slack and others.' >> mailcow.conf - echo '#WATCHDOG_NOTIFY_WEBHOOK=https://discord.com/api/webhooks/XXXXXXXXXXXXXXXXXXX/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' >> mailcow.conf - fi - elif [[ ${option} == "WATCHDOG_NOTIFY_WEBHOOK_BODY" ]]; then - if ! grep -q ${option} mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo '# JSON body included in the webhook POST request. Needs to be in single quotes.' >> mailcow.conf - echo '# Following variables are available: SUBJECT, BODY' >> mailcow.conf - WEBHOOK_BODY='{"username": "mailcow Watchdog", "content": "**${SUBJECT}**\n${BODY}"}' - echo "#WATCHDOG_NOTIFY_WEBHOOK_BODY='${WEBHOOK_BODY}'" >> mailcow.conf - fi - elif [[ ${option} == "WATCHDOG_NOTIFY_BAN" ]]; then - if ! grep -q ${option} mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo '# Notify about banned IP. Includes whois lookup.' >> mailcow.conf - echo "WATCHDOG_NOTIFY_BAN=y" >> mailcow.conf - fi - elif [[ ${option} == "WATCHDOG_NOTIFY_START" ]]; then - if ! grep -q ${option} mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo '# Send a notification when the watchdog is started.' >> mailcow.conf - echo "WATCHDOG_NOTIFY_START=y" >> mailcow.conf - fi - elif [[ ${option} == "WATCHDOG_SUBJECT" ]]; then - if ! grep -q ${option} mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo '# Subject for watchdog mails. Defaults to "Watchdog ALERT" followed by the error message.' >> mailcow.conf - echo "#WATCHDOG_SUBJECT=" >> mailcow.conf - fi - elif [[ ${option} == "WATCHDOG_EXTERNAL_CHECKS" ]]; then - if ! grep -q ${option} mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo '# Checks if mailcow is an open relay. Requires a SAL. More checks will follow.' >> mailcow.conf - echo '# No data is collected. Opt-in and anonymous.' >> mailcow.conf - echo '# Will only work with unmodified mailcow setups.' >> mailcow.conf - echo "WATCHDOG_EXTERNAL_CHECKS=n" >> mailcow.conf - fi - elif [[ ${option} == "SOGO_EXPIRE_SESSION" ]]; then - if ! grep -q ${option} mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo '# SOGo session timeout in minutes' >> mailcow.conf - echo "SOGO_EXPIRE_SESSION=480" >> mailcow.conf - fi - elif [[ ${option} == "REDIS_PORT" ]]; then - if ! grep -q ${option} mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo "REDIS_PORT=127.0.0.1:7654" >> mailcow.conf - fi - elif [[ ${option} == "DOVECOT_MASTER_USER" ]]; then - if ! grep -q ${option} mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo '# DOVECOT_MASTER_USER and _PASS must _both_ be provided. No special chars.' >> mailcow.conf - echo '# Empty by default to auto-generate master user and password on start.' >> mailcow.conf - echo '# User expands to DOVECOT_MASTER_USER@mailcow.local' >> mailcow.conf - echo '# LEAVE EMPTY IF UNSURE' >> mailcow.conf - echo "DOVECOT_MASTER_USER=" >> mailcow.conf - fi - elif [[ ${option} == "DOVECOT_MASTER_PASS" ]]; then - if ! grep -q ${option} mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo '# LEAVE EMPTY IF UNSURE' >> mailcow.conf - echo "DOVECOT_MASTER_PASS=" >> mailcow.conf - fi - elif [[ ${option} == "MAILCOW_PASS_SCHEME" ]]; then - if ! grep -q ${option} mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo '# Password hash algorithm' >> mailcow.conf - echo '# Only certain password hash algorithm are supported. For a fully list of supported schemes,' >> mailcow.conf - echo '# see https://docs.mailcow.email/models/model-passwd/' >> mailcow.conf - echo "MAILCOW_PASS_SCHEME=BLF-CRYPT" >> mailcow.conf - fi - elif [[ ${option} == "ADDITIONAL_SERVER_NAMES" ]]; then - if ! grep -q ${option} mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo '# Additional server names for mailcow UI' >> mailcow.conf - echo '#' >> mailcow.conf - echo '# Specify alternative addresses for the mailcow UI to respond to' >> mailcow.conf - echo '# This is useful when you set mail.* as ADDITIONAL_SAN and want to make sure mail.maildomain.com will always point to the mailcow UI.' >> mailcow.conf - echo '# If the server name does not match a known site, Nginx decides by best-guess and may redirect users to the wrong web root.' >> mailcow.conf - echo '# You can understand this as server_name directive in Nginx.' >> mailcow.conf - echo '# Comma separated list without spaces! Example: ADDITIONAL_SERVER_NAMES=a.b.c,d.e.f' >> mailcow.conf - echo 'ADDITIONAL_SERVER_NAMES=' >> mailcow.conf - fi - elif [[ ${option} == "WEBAUTHN_ONLY_TRUSTED_VENDORS" ]]; then - if ! grep -q ${option} mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo "# WebAuthn device manufacturer verification" >> mailcow.conf - echo '# After setting WEBAUTHN_ONLY_TRUSTED_VENDORS=y only devices from trusted manufacturers are allowed' >> mailcow.conf - echo '# root certificates can be placed for validation under mailcow-dockerized/data/web/inc/lib/WebAuthn/rootCertificates' >> mailcow.conf - echo 'WEBAUTHN_ONLY_TRUSTED_VENDORS=n' >> mailcow.conf - fi - elif [[ ${option} == "SPAMHAUS_DQS_KEY" ]]; then - if ! grep -q ${option} mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo "# Spamhaus Data Query Service Key" >> mailcow.conf - echo '# Optional: Leave empty for none' >> mailcow.conf - echo '# Enter your key here if you are using a blocked ASN (OVH, AWS, Cloudflare e.g) for the unregistered Spamhaus Blocklist.' >> mailcow.conf - echo '# If empty, it will completely disable Spamhaus blocklists if it detects that you are running on a server using a blocked AS.' >> mailcow.conf - echo '# Otherwise it will work as usual.' >> mailcow.conf - echo 'SPAMHAUS_DQS_KEY=' >> mailcow.conf - fi - elif [[ ${option} == "WATCHDOG_VERBOSE" ]]; then - if ! grep -q ${option} mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo '# Enable watchdog verbose logging' >> mailcow.conf - echo 'WATCHDOG_VERBOSE=n' >> mailcow.conf - fi - elif [[ ${option} == "SKIP_UNBOUND_HEALTHCHECK" ]]; then - if ! grep -q ${option} mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo '# Skip Unbound (DNS Resolver) Healthchecks (NOT Recommended!) - y/n' >> mailcow.conf - echo 'SKIP_UNBOUND_HEALTHCHECK=n' >> mailcow.conf - fi - elif [[ ${option} == "DISABLE_NETFILTER_ISOLATION_RULE" ]]; then - if ! grep -q ${option} mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo '# Prevent netfilter from setting an iptables/nftables rule to isolate the mailcow docker network - y/n' >> mailcow.conf - echo '# CAUTION: Disabling this may expose container ports to other neighbors on the same subnet, even if the ports are bound to localhost' >> mailcow.conf - echo 'DISABLE_NETFILTER_ISOLATION_RULE=n' >> mailcow.conf - fi - elif [[ ${option} == "HTTP_REDIRECT" ]]; then - if ! grep -q ${option} mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo '# Redirect HTTP connections to HTTPS - y/n' >> mailcow.conf - echo 'HTTP_REDIRECT=n' >> mailcow.conf - fi - elif ! grep -q ${option} mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo "${option}=n" >> mailcow.conf - fi - done -} - -migrate_solr_config_options() { - - sed -i --follow-symlinks '$a\' mailcow.conf - - if grep -q "SOLR_HEAP" mailcow.conf; then - echo "Removing SOLR_HEAP in mailcow.conf" - sed -i '/# Solr heap size in MB\b/d' mailcow.conf - sed -i '/# Solr is a prone to run\b/d' mailcow.conf - sed -i '/SOLR_HEAP\b/d' mailcow.conf - fi - - if grep -q "SKIP_SOLR" mailcow.conf; then - echo "Removing SKIP_SOLR in mailcow.conf" - sed -i '/\bSkip Solr on low-memory\b/d' mailcow.conf - sed -i '/\bSolr is disabled by default\b/d' mailcow.conf - sed -i '/\bDisable Solr or\b/d' mailcow.conf - sed -i '/\bSKIP_SOLR\b/d' mailcow.conf - fi - - if grep -q "SOLR_PORT" mailcow.conf; then - echo "Removing SOLR_PORT in mailcow.conf" - sed -i '/\bSOLR_PORT\b/d' mailcow.conf - fi - - if grep -q "FLATCURVE_EXPERIMENTAL" mailcow.conf; then - echo "Removing FLATCURVE_EXPERIMENTAL in mailcow.conf" - sed -i '/\bFLATCURVE_EXPERIMENTAL\b/d' mailcow.conf - fi - - solr_volume=$(docker volume ls -qf name=^${COMPOSE_PROJECT_NAME}_solr-vol-1) - if [[ -n $solr_volume ]]; then - echo -e "\e[34mSolr has been replaced within mailcow since 2025-01.\nThe volume $solr_volume is unused.\e[0m" - sleep 1 - if [ ! "$FORCE" ]; then - read -r -p "Remove $solr_volume? [y/N] " response - if [[ "$response" =~ ^([yY][eE][sS]|[yY])+$ ]]; then - echo -e "\e[33mRemoving $solr_volume...\e[0m" - docker volume rm $solr_volume || echo -e "\e[31mFailed to remove. Remove it manually!\e[0m" - echo -e "\e[32mSuccessfully removed $solr_volume!\e[0m" - else - echo -e "Not removing $solr_volume. Run \`docker volume rm $solr_volume\` manually if needed." - fi - else - echo -e "\e[33mForce removing $solr_volume...\e[0m" - docker volume rm $solr_volume || echo -e "\e[31mFailed to remove. Remove it manually!\e[0m" - echo -e "\e[32mSuccessfully removed $solr_volume!\e[0m" - fi - fi - - # Delete old fts.conf before forced switch to flatcurve to ensure update is working properly - FTS_CONF_PATH="${SCRIPT_DIR}/data/conf/dovecot/conf.d/fts.conf" - if [[ -f "$FTS_CONF_PATH" ]]; then - if grep -q "Autogenerated by mailcow" "$FTS_CONF_PATH"; then - rm -rf $FTS_CONF_PATH - fi - fi -} - -detect_major_update() { - if [ ${BRANCH} == "master" ]; then - # Array with major versions - # Add major versions here - MAJOR_VERSIONS=( - "2025-02" - "2025-03" - ) - - current_version="" - if [[ -f "${SCRIPT_DIR}/data/web/inc/app_info.inc.php" ]]; then - current_version=$(grep 'MAILCOW_GIT_VERSION' ${SCRIPT_DIR}/data/web/inc/app_info.inc.php | sed -E 's/.*MAILCOW_GIT_VERSION="([^"]+)".*/\1/') - fi - if [[ -z "$current_version" ]]; then - return 1 - fi - release_url="https://github.com/mailcow/mailcow-dockerized/releases/tag" - - updates_to_apply=() - - for version in "${MAJOR_VERSIONS[@]}"; do - if [[ "$current_version" < "$version" ]]; then - updates_to_apply+=("$version") - fi - done - - if [[ ${#updates_to_apply[@]} -gt 0 ]]; then - echo -e "\e[33m\nMAJOR UPDATES to be applied:\e[0m" - for update in "${updates_to_apply[@]}"; do - echo "$update - $release_url/$update" - done - - echo -e "\nPlease read the release notes before proceeding." - read -p "Do you want to proceed with the update? [y/n] " response - if [[ "${response}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then - echo "Proceeding with the update..." - else - echo "Update canceled. Exiting." - exit 1 - fi - fi - fi -} - -remove_obsolete_options() { - OBSOLETE_OPTIONS=( - "ACME_CONTACT" - ) - - for option in "${OBSOLETE_OPTIONS[@]}"; do - if [[ "$option" == "ACME_CONTACT" ]]; then - sed -i '/^# Lets Encrypt registration contact information/d' mailcow.conf - sed -i "/^# Let's Encrypt registration contact information/d" mailcow.conf - sed -i '/^# Optional: Leave empty for none/d' mailcow.conf - sed -i '/^# This value is only used on first order!/d' mailcow.conf - sed -i '/^# Setting it at a later point will require the following steps:/d' mailcow.conf - sed -i '/^# https:\/\/docs.mailcow.email\/troubleshooting\/debug-reset_tls\//d' mailcow.conf - sed -i '/^ACME_CONTACT=.*/d' mailcow.conf - sed -i '/^#ACME_CONTACT=.*/d' mailcow.conf - else - sed -i "/^${option}=.*/d" mailcow.conf - sed -i "/^#${option}=.*/d" mailcow.conf - fi - done -} ############## End Function Section ############## # Check permissions @@ -786,22 +34,6 @@ if [ -f "${SCRIPT_DIR}/pre_update_hook.sh" ]; then bash "${SCRIPT_DIR}/pre_update_hook.sh" fi -if [[ "$(uname -r)" =~ ^4\.15\.0-60 ]]; then - echo "DO NOT RUN mailcow ON THIS UBUNTU KERNEL!"; - echo "Please update to 5.x or use another distribution." - exit 1 -fi - -if [[ "$(uname -r)" =~ ^4\.4\. ]]; then - if grep -q Ubuntu <<< "$(uname -a)"; then - echo "DO NOT RUN mailcow ON THIS UBUNTU KERNEL!" - echo "Please update to linux-generic-hwe-16.04 by running \"apt-get install --install-recommends linux-generic-hwe-16.04\"" - exit 1 - fi - echo "mailcow on a 4.4.x kernel is not supported. It may or may not work, please upgrade your kernel or continue at your own risk." - read -p "Press any key to continue..." < /dev/tty -fi - # Exit on error and pipefail set -o pipefail @@ -817,22 +49,9 @@ umask 0022 unset COMPOSE_COMMAND unset DOCKER_COMPOSE_VERSION -for bin in curl docker git awk sha1sum grep cut; do - if [[ -z $(command -v ${bin}) ]]; then - echo "Cannot find ${bin}, exiting..." - exit 1; - fi -done +get_installed_tools -# Check Docker Version (need at least 24.X) -docker_version=$(docker -v | grep -oP '\d+\.\d+\.\d+' | cut -d '.' -f 1 | head -1) - -if [[ $docker_version -lt 24 ]]; then - echo -e "\e[31mCannot find Docker with a Version higher or equals 24.0.0\e[0m" - echo -e "\e[33mmailcow needs a newer Docker version to work properly... continuing on your own risk!\e[0m" - echo -e "\e[31mPlease update your Docker installation... sleeping 10s\e[0m" - sleep 10 -fi +get_docker_version export LC_ALL=C DATE=$(date +%Y-%m-%d_%H_%M_%S) @@ -936,9 +155,7 @@ done chmod 600 mailcow.conf source mailcow.conf -detect_docker_compose_command - -fix_broken_dnslist_conf +get_compose_type DOTS=${MAILCOW_HOSTNAME//[^.]}; if [ ${#DOTS} -lt 1 ]; then @@ -961,349 +178,8 @@ elif [ ${#DOTS} -eq 1 ]; then fi fi -if grep --help 2>&1 | head -n 1 | grep -q -i "busybox"; then echo "BusyBox grep detected, please install gnu grep, \"apk add --no-cache --upgrade grep\""; exit 1; fi -# This will also cover sort -if cp --help 2>&1 | head -n 1 | grep -q -i "busybox"; then echo "BusyBox cp detected, please install coreutils, \"apk add --no-cache --upgrade coreutils\""; exit 1; fi -if sed --help 2>&1 | head -n 1 | grep -q -i "busybox"; then echo "BusyBox sed detected, please install gnu sed, \"apk add --no-cache --upgrade sed\""; exit 1; fi - -CONFIG_ARRAY=( - "SKIP_LETS_ENCRYPT" - "SKIP_SOGO" - "USE_WATCHDOG" - "WATCHDOG_NOTIFY_EMAIL" - "WATCHDOG_NOTIFY_WEBHOOK" - "WATCHDOG_NOTIFY_WEBHOOK_BODY" - "WATCHDOG_NOTIFY_BAN" - "WATCHDOG_NOTIFY_START" - "WATCHDOG_EXTERNAL_CHECKS" - "WATCHDOG_SUBJECT" - "SKIP_CLAMD" - "SKIP_OLEFY" - "SKIP_IP_CHECK" - "ADDITIONAL_SAN" - "AUTODISCOVER_SAN" - "DOVEADM_PORT" - "IPV4_NETWORK" - "IPV6_NETWORK" - "LOG_LINES" - "SNAT_TO_SOURCE" - "SNAT6_TO_SOURCE" - "COMPOSE_PROJECT_NAME" - "DOCKER_COMPOSE_VERSION" - "SQL_PORT" - "API_KEY" - "API_KEY_READ_ONLY" - "API_ALLOW_FROM" - "MAILDIR_GC_TIME" - "MAILDIR_SUB" - "ACL_ANYONE" - "ENABLE_SSL_SNI" - "ALLOW_ADMIN_EMAIL_LOGIN" - "SKIP_HTTP_VERIFICATION" - "SOGO_EXPIRE_SESSION" - "REDIS_PORT" - "DOVECOT_MASTER_USER" - "DOVECOT_MASTER_PASS" - "MAILCOW_PASS_SCHEME" - "ADDITIONAL_SERVER_NAMES" - "WATCHDOG_VERBOSE" - "WEBAUTHN_ONLY_TRUSTED_VENDORS" - "SPAMHAUS_DQS_KEY" - "SKIP_UNBOUND_HEALTHCHECK" - "DISABLE_NETFILTER_ISOLATION_RULE" - "REDISPASS" -) - detect_bad_asn -sed -i --follow-symlinks '$a\' mailcow.conf -for option in "${CONFIG_ARRAY[@]}"; do - if [[ ${option} == "ADDITIONAL_SAN" ]]; then - if ! grep -q "${option}" mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo "${option}=" >> mailcow.conf - fi - elif [[ "${option}" == "COMPOSE_PROJECT_NAME" ]]; then - if ! grep -q "${option}" mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo "COMPOSE_PROJECT_NAME=mailcowdockerized" >> mailcow.conf - fi - elif [[ "${option}" == "DOCKER_COMPOSE_VERSION" ]]; then - if ! grep -q "${option}" mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo "# Used Docker Compose version" >> mailcow.conf - echo "# Switch here between native (compose plugin) and standalone" >> mailcow.conf - echo "# For more informations take a look at the mailcow docs regarding the configuration options." >> mailcow.conf - echo "# Normally this should be untouched but if you decided to use either of those you can switch it manually here." >> mailcow.conf - echo "# Please be aware that at least one of those variants should be installed on your maschine or mailcow will fail." >> mailcow.conf - echo "" >> mailcow.conf - echo "DOCKER_COMPOSE_VERSION=${DOCKER_COMPOSE_VERSION}" >> mailcow.conf - fi - elif [[ "${option}" == "DOVEADM_PORT" ]]; then - if ! grep -q "${option}" mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo "DOVEADM_PORT=127.0.0.1:19991" >> mailcow.conf - fi - elif [[ "${option}" == "WATCHDOG_NOTIFY_EMAIL" ]]; then - if ! grep -q "${option}" mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo "WATCHDOG_NOTIFY_EMAIL=" >> mailcow.conf - fi - elif [[ "${option}" == "LOG_LINES" ]]; then - if ! grep -q "${option}" mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo '# Max log lines per service to keep in Redis logs' >> mailcow.conf - echo "LOG_LINES=9999" >> mailcow.conf - fi - elif [[ "${option}" == "IPV4_NETWORK" ]]; then - if ! grep -q "${option}" mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo '# Internal IPv4 /24 subnet, format n.n.n. (expands to n.n.n.0/24)' >> mailcow.conf - echo "IPV4_NETWORK=172.22.1" >> mailcow.conf - fi - elif [[ "${option}" == "IPV6_NETWORK" ]]; then - if ! grep -q "${option}" mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo '# Internal IPv6 subnet in fc00::/7' >> mailcow.conf - echo "IPV6_NETWORK=fd4d:6169:6c63:6f77::/64" >> mailcow.conf - fi - elif [[ "${option}" == "SQL_PORT" ]]; then - if ! grep -q "${option}" mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo '# Bind SQL to 127.0.0.1 on port 13306' >> mailcow.conf - echo "SQL_PORT=127.0.0.1:13306" >> mailcow.conf - fi - elif [[ "${option}" == "API_KEY" ]]; then - if ! grep -q "${option}" mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo '# Create or override API key for web UI' >> mailcow.conf - echo "#API_KEY=" >> mailcow.conf - fi - elif [[ "${option}" == "API_KEY_READ_ONLY" ]]; then - if ! grep -q "${option}" mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo '# Create or override read-only API key for web UI' >> mailcow.conf - echo "#API_KEY_READ_ONLY=" >> mailcow.conf - fi - elif [[ "${option}" == "API_ALLOW_FROM" ]]; then - if ! grep -q "${option}" mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo '# Must be set for API_KEY to be active' >> mailcow.conf - echo '# IPs only, no networks (networks can be set via UI)' >> mailcow.conf - echo "#API_ALLOW_FROM=" >> mailcow.conf - fi - elif [[ "${option}" == "SNAT_TO_SOURCE" ]]; then - if ! grep -q "${option}" mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo '# Use this IPv4 for outgoing connections (SNAT)' >> mailcow.conf - echo "#SNAT_TO_SOURCE=" >> mailcow.conf - fi - elif [[ "${option}" == "SNAT6_TO_SOURCE" ]]; then - if ! grep -q "${option}" mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo '# Use this IPv6 for outgoing connections (SNAT)' >> mailcow.conf - echo "#SNAT6_TO_SOURCE=" >> mailcow.conf - fi - elif [[ "${option}" == "MAILDIR_GC_TIME" ]]; then - if ! grep -q "${option}" mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo '# Garbage collector cleanup' >> mailcow.conf - echo '# Deleted domains and mailboxes are moved to /var/vmail/_garbage/timestamp_sanitizedstring' >> mailcow.conf - echo '# How long should objects remain in the garbage until they are being deleted? (value in minutes)' >> mailcow.conf - echo '# Check interval is hourly' >> mailcow.conf - echo 'MAILDIR_GC_TIME=1440' >> mailcow.conf - fi - elif [[ "${option}" == "ACL_ANYONE" ]]; then - if ! grep -q "${option}" mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo '# Set this to "allow" to enable the anyone pseudo user. Disabled by default.' >> mailcow.conf - echo '# When enabled, ACL can be created, that apply to "All authenticated users"' >> mailcow.conf - echo '# This should probably only be activated on mail hosts, that are used exclusivly by one organisation.' >> mailcow.conf - echo '# Otherwise a user might share data with too many other users.' >> mailcow.conf - echo 'ACL_ANYONE=disallow' >> mailcow.conf - fi - elif [[ "${option}" == "ENABLE_SSL_SNI" ]]; then - if ! grep -q "${option}" mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo '# Create seperate certificates for all domains - y/n' >> mailcow.conf - echo '# this will allow adding more than 100 domains, but some email clients will not be able to connect with alternative hostnames' >> mailcow.conf - echo '# see https://wiki.dovecot.org/SSL/SNIClientSupport' >> mailcow.conf - echo "ENABLE_SSL_SNI=n" >> mailcow.conf - fi - elif [[ "${option}" == "SKIP_SOGO" ]]; then - if ! grep -q "${option}" mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo '# Skip SOGo: Will disable SOGo integration and therefore webmail, DAV protocols and ActiveSync support (experimental, unsupported, not fully implemented) - y/n' >> mailcow.conf - echo "SKIP_SOGO=n" >> mailcow.conf - fi - elif [[ "${option}" == "MAILDIR_SUB" ]]; then - if ! grep -q "${option}" mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo '# MAILDIR_SUB defines a path in a users virtual home to keep the maildir in. Leave empty for updated setups.' >> mailcow.conf - echo "#MAILDIR_SUB=Maildir" >> mailcow.conf - echo "MAILDIR_SUB=" >> mailcow.conf - fi - elif [[ "${option}" == "WATCHDOG_NOTIFY_WEBHOOK" ]]; then - if ! grep -q "${option}" mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo '# Send notifications to a webhook URL that receives a POST request with the content type "application/json".' >> mailcow.conf - echo '# You can use this to send notifications to services like Discord, Slack and others.' >> mailcow.conf - echo '#WATCHDOG_NOTIFY_WEBHOOK=https://discord.com/api/webhooks/XXXXXXXXXXXXXXXXXXX/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' >> mailcow.conf - fi - elif [[ "${option}" == "WATCHDOG_NOTIFY_WEBHOOK_BODY" ]]; then - if ! grep -q "${option}" mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo '# JSON body included in the webhook POST request. Needs to be in single quotes.' >> mailcow.conf - echo '# Following variables are available: SUBJECT, BODY' >> mailcow.conf - WEBHOOK_BODY='{"username": "mailcow Watchdog", "content": "**${SUBJECT}**\n${BODY}"}' - echo "#WATCHDOG_NOTIFY_WEBHOOK_BODY='${WEBHOOK_BODY}'" >> mailcow.conf - fi - elif [[ "${option}" == "WATCHDOG_NOTIFY_BAN" ]]; then - if ! grep -q "${option}" mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo '# Notify about banned IP. Includes whois lookup.' >> mailcow.conf - echo "WATCHDOG_NOTIFY_BAN=y" >> mailcow.conf - fi - elif [[ "${option}" == "WATCHDOG_NOTIFY_START" ]]; then - if ! grep -q "${option}" mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo '# Send a notification when the watchdog is started.' >> mailcow.conf - echo "WATCHDOG_NOTIFY_START=y" >> mailcow.conf - fi - elif [[ "${option}" == "WATCHDOG_SUBJECT" ]]; then - if ! grep -q "${option}" mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo '# Subject for watchdog mails. Defaults to "Watchdog ALERT" followed by the error message.' >> mailcow.conf - echo "#WATCHDOG_SUBJECT=" >> mailcow.conf - fi - elif [[ "${option}" == "WATCHDOG_EXTERNAL_CHECKS" ]]; then - if ! grep -q "${option}" mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo '# Checks if mailcow is an open relay. Requires a SAL. More checks will follow.' >> mailcow.conf - echo '# No data is collected. Opt-in and anonymous.' >> mailcow.conf - echo '# Will only work with unmodified mailcow setups.' >> mailcow.conf - echo "WATCHDOG_EXTERNAL_CHECKS=n" >> mailcow.conf - fi - elif [[ "${option}" == "SOGO_EXPIRE_SESSION" ]]; then - if ! grep -q "${option}" mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo '# SOGo session timeout in minutes' >> mailcow.conf - echo "SOGO_EXPIRE_SESSION=480" >> mailcow.conf - fi - elif [[ "${option}" == "REDIS_PORT" ]]; then - if ! grep -q "${option}" mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo "REDIS_PORT=127.0.0.1:7654" >> mailcow.conf - fi - elif [[ "${option}" == "DOVECOT_MASTER_USER" ]]; then - if ! grep -q "${option}" mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo '# DOVECOT_MASTER_USER and _PASS must _both_ be provided. No special chars.' >> mailcow.conf - echo '# Empty by default to auto-generate master user and password on start.' >> mailcow.conf - echo '# User expands to DOVECOT_MASTER_USER@mailcow.local' >> mailcow.conf - echo '# LEAVE EMPTY IF UNSURE' >> mailcow.conf - echo "DOVECOT_MASTER_USER=" >> mailcow.conf - fi - elif [[ "${option}" == "DOVECOT_MASTER_PASS" ]]; then - if ! grep -q "${option}" mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo '# LEAVE EMPTY IF UNSURE' >> mailcow.conf - echo "DOVECOT_MASTER_PASS=" >> mailcow.conf - fi - elif [[ "${option}" == "MAILCOW_PASS_SCHEME" ]]; then - if ! grep -q "${option}" mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo '# Password hash algorithm' >> mailcow.conf - echo '# Only certain password hash algorithm are supported. For a fully list of supported schemes,' >> mailcow.conf - echo '# see https://docs.mailcow.email/models/model-passwd/' >> mailcow.conf - echo "MAILCOW_PASS_SCHEME=BLF-CRYPT" >> mailcow.conf - fi - elif [[ "${option}" == "ADDITIONAL_SERVER_NAMES" ]]; then - if ! grep -q "${option}" mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo '# Additional server names for mailcow UI' >> mailcow.conf - echo '#' >> mailcow.conf - echo '# Specify alternative addresses for the mailcow UI to respond to' >> mailcow.conf - echo '# This is useful when you set mail.* as ADDITIONAL_SAN and want to make sure mail.maildomain.com will always point to the mailcow UI.' >> mailcow.conf - echo '# If the server name does not match a known site, Nginx decides by best-guess and may redirect users to the wrong web root.' >> mailcow.conf - echo '# You can understand this as server_name directive in Nginx.' >> mailcow.conf - echo '# Comma separated list without spaces! Example: ADDITIONAL_SERVER_NAMES=a.b.c,d.e.f' >> mailcow.conf - echo 'ADDITIONAL_SERVER_NAMES=' >> mailcow.conf - fi - - elif [[ "${option}" == "AUTODISCOVER_SAN" ]]; then - if ! grep -q "${option}" mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo '# Obtain certificates for autodiscover.* and autoconfig.* domains.' >> mailcow.conf - echo '# This can be useful to switch off in case you are in a scenario where a reverse proxy already handles those.' >> mailcow.conf - echo '# There are mixed scenarios where ports 80,443 are occupied and you do not want to share certs' >> mailcow.conf - echo '# between services. So acme-mailcow obtains for maildomains and all web-things get handled' >> mailcow.conf - echo '# in the reverse proxy.' >> mailcow.conf - echo 'AUTODISCOVER_SAN=y' >> mailcow.conf - fi - elif [[ "${option}" == "WEBAUTHN_ONLY_TRUSTED_VENDORS" ]]; then - if ! grep -q "${option}" mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo "# WebAuthn device manufacturer verification" >> mailcow.conf - echo '# After setting WEBAUTHN_ONLY_TRUSTED_VENDORS=y only devices from trusted manufacturers are allowed' >> mailcow.conf - echo '# root certificates can be placed for validation under mailcow-dockerized/data/web/inc/lib/WebAuthn/rootCertificates' >> mailcow.conf - echo 'WEBAUTHN_ONLY_TRUSTED_VENDORS=n' >> mailcow.conf - fi - elif [[ "${option}" == "SPAMHAUS_DQS_KEY" ]]; then - if ! grep -q "${option}" mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo "# Spamhaus Data Query Service Key" >> mailcow.conf - echo '# Optional: Leave empty for none' >> mailcow.conf - echo '# Enter your key here if you are using a blocked ASN (OVH, AWS, Cloudflare e.g) for the unregistered Spamhaus Blocklist.' >> mailcow.conf - echo '# If empty, it will completely disable Spamhaus blocklists if it detects that you are running on a server using a blocked AS.' >> mailcow.conf - echo '# Otherwise it will work as usual.' >> mailcow.conf - echo 'SPAMHAUS_DQS_KEY=' >> mailcow.conf - fi - elif [[ "${option}" == "WATCHDOG_VERBOSE" ]]; then - if ! grep -q "${option}" mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo '# Enable watchdog verbose logging' >> mailcow.conf - echo 'WATCHDOG_VERBOSE=n' >> mailcow.conf - fi - elif [[ "${option}" == "SKIP_UNBOUND_HEALTHCHECK" ]]; then - if ! grep -q "${option}" mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo '# Skip Unbound (DNS Resolver) Healthchecks (NOT Recommended!) - y/n' >> mailcow.conf - echo 'SKIP_UNBOUND_HEALTHCHECK=n' >> mailcow.conf - fi - elif [[ "${option}" == "DISABLE_NETFILTER_ISOLATION_RULE" ]]; then - if ! grep -q "${option}" mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo '# Prevent netfilter from setting an iptables/nftables rule to isolate the mailcow docker network - y/n' >> mailcow.conf - echo '# CAUTION: Disabling this may expose container ports to other neighbors on the same subnet, even if the ports are bound to localhost' >> mailcow.conf - echo 'DISABLE_NETFILTER_ISOLATION_RULE=n' >> mailcow.conf - fi - elif [[ "${option}" == "SKIP_CLAMD" ]]; then - if ! grep -q "${option}" mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo '# Skip ClamAV (clamd-mailcow) anti-virus (Rspamd will auto-detect a missing ClamAV container) - y/n' >> mailcow.conf - echo 'SKIP_CLAMD=n' >> mailcow.conf - fi - elif [[ "${option}" == "SKIP_OLEFY" ]]; then - if ! grep -q "${option}" mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo '# Skip Olefy (olefy-mailcow) anti-virus for Office documents (Rspamd will auto-detect a missing Olefy container) - y/n' >> mailcow.conf - echo 'SKIP_OLEFY=n' >> mailcow.conf - fi - elif [[ "${option}" == "REDISPASS" ]]; then - if ! grep -q "${option}" mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo -e '\n# ------------------------------' >> mailcow.conf - echo '# REDIS configuration' >> mailcow.conf - echo -e '# ------------------------------\n' >> mailcow.conf - echo "REDISPASS=$(LC_ALL=C /dev/null | head -c 28)" >> mailcow.conf - fi - elif ! grep -q "${option}" mailcow.conf; then - echo "Adding new option \"${option}\" to mailcow.conf" - echo "${option}=n" >> mailcow.conf - fi -done - if [[ ("${SKIP_PING_CHECK}" == "y") ]]; then echo -e "\e[32mSkipping Ping Check...\e[0m" @@ -1422,16 +298,38 @@ elif [ "$NEW_BRANCH" == "legacy" ] && [ "$CURRENT_BRANCH" != "legacy" ]; then fi if [ ! "$DEV" ]; then + EXIT_COUNT=0 echo -e "\e[32mChecking for newer update script...\e[0m" SHA1_1="$(sha1sum update.sh)" - git fetch origin #${BRANCH} - git checkout "origin/${BRANCH}" update.sh - SHA1_2=$(sha1sum update.sh) + git fetch origin + git checkout "origin/${BRANCH}" -- update.sh + SHA1_2="$(sha1sum update.sh)" if [[ "${SHA1_1}" != "${SHA1_2}" ]]; then - echo "update.sh changed, please run this script again, exiting." chmod +x update.sh + EXIT_COUNT+=1 + fi + + MODULE_DIR="$(dirname "$0")/_modules" + echo -e "\e[32mChecking for updates in _modules...\e[0m" + if [ ! -d "${MODULE_DIR}" ] || [ -z "$(ls -A "${MODULE_DIR}")" ]; then + echo -e "\e[33m_modules missing or empty — fetching from origin...\e[0m" + git checkout "origin/${BRANCH}" -- _modules + else + OLD_SUM="$(find "${MODULE_DIR}" -type f -exec sha1sum {} \; | sort | sha1sum)" + git fetch origin + git checkout "origin/${BRANCH}" -- _modules + NEW_SUM="$(find "${MODULE_DIR}" -type f -exec sha1sum {} \; | sort | sha1sum)" + + if [[ "${OLD_SUM}" != "${NEW_SUM}" ]]; then + EXIT_COUNT+=1 + fi + fi + + if [ ${EXIT_COUNT} -ge 1 ]; then + echo "Changes for the update Script, please run this script again, exiting!" exit 2 fi + fi if [ ! "$FORCE" ]; then @@ -1441,11 +339,8 @@ if [ ! "$FORCE" ]; then exit 0 fi detect_major_update - migrate_docker_nat fi -remove_obsolete_nginx_ports - echo -e "\e[32mValidating docker-compose stack configuration...\e[0m" sed -i 's/HTTPS_BIND:-:/HTTPS_BIND:-/g' docker-compose.yml sed -i 's/HTTP_BIND:-:/HTTP_BIND:-/g' docker-compose.yml @@ -1483,28 +378,28 @@ for container in "${MAILCOW_CONTAINERS[@]}"; do docker rm -f "$container" 2> /dev/null done +configure_ipv6 + [[ -f data/conf/nginx/ZZZ-ejabberd.conf ]] && rm data/conf/nginx/ZZZ-ejabberd.conf -migrate_solr_config_options +migrate_config_options adapt_new_options -remove_obsolete_options -# Silently fixing remote url from andryyy to mailcow -# git remote set-url origin https://github.com/mailcow/mailcow-dockerized - -DEFAULT_REPO="https://github.com/mailcow/mailcow-dockerized" -CURRENT_REPO=$(git config --get remote.origin.url) -if [ "$CURRENT_REPO" != "$DEFAULT_REPO" ]; then - echo "The Repository currently used is not the default Mailcow Repository." - echo "Currently Repository: $CURRENT_REPO" - echo "Default Repository: $DEFAULT_REPO" - if [ ! "$FORCE" ]; then - read -r -p "Should it be changed back to default? [y/N] " repo_response - if [[ "$repo_response" =~ ^([yY][eE][sS]|[yY])+$ ]]; then - git remote set-url origin $DEFAULT_REPO +if [ ! "$DEV" ]; then + DEFAULT_REPO="https://github.com/mailcow/mailcow-dockerized" + CURRENT_REPO=$(git config --get remote.origin.url) + if [ "$CURRENT_REPO" != "$DEFAULT_REPO" ]; then + echo "The Repository currently used is not the default mailcow Repository." + echo "Currently Repository: $CURRENT_REPO" + echo "Default Repository: $DEFAULT_REPO" + if [ ! "$FORCE" ]; then + read -r -p "Should it be changed back to default? [y/N] " repo_response + if [[ "$repo_response" =~ ^([yY][eE][sS]|[yY])+$ ]]; then + git remote set-url origin $DEFAULT_REPO + fi + else + echo "Running in forced mode... setting Repo to default!" + git remote set-url origin $DEFAULT_REPO fi - else - echo "Running in forced mode... setting Repo to default!" - git remote set-url origin $DEFAULT_REPO fi fi @@ -1538,7 +433,7 @@ if [ ! "$DEV" ]; then echo "Run $COMPOSE_COMMAND up -d to restart your stack without updates or try again after fixing the mentioned errors." exit 1 fi -elif [ "$DEV" ]; then +else echo -e "\e[33mDEVELOPER MODE: Not creating a git diff and commiting it to prevent development stuff within a backup diff...\e[0m" fi From ef5739c32fcf2607d19255fd9ca820e136e975a7 Mon Sep 17 00:00:00 2001 From: DerLinkman Date: Wed, 6 Aug 2025 08:39:21 +0200 Subject: [PATCH 07/14] add 2025-08 as breaking major release --- _modules/scripts/core.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/_modules/scripts/core.sh b/_modules/scripts/core.sh index 42133aa6b..ab67f25c6 100644 --- a/_modules/scripts/core.sh +++ b/_modules/scripts/core.sh @@ -185,6 +185,7 @@ detect_major_update() { MAJOR_VERSIONS=( "2025-02" "2025-03" + "2025-08" ) current_version="" From e91d678bd16156ca80e63c16b559a5acd0946830 Mon Sep 17 00:00:00 2001 From: DerLinkman Date: Wed, 6 Aug 2025 09:36:05 +0200 Subject: [PATCH 08/14] fix docker version detection --- _modules/scripts/ipv6_controller.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_modules/scripts/ipv6_controller.sh b/_modules/scripts/ipv6_controller.sh index 7fe7d3cbd..de5272048 100644 --- a/_modules/scripts/ipv6_controller.sh +++ b/_modules/scripts/ipv6_controller.sh @@ -41,7 +41,7 @@ docker_daemon_edit(){ ! _has_kv ipv6 true && MISSING+=("ipv6: true") ! grep -Eq '"fixed-cidr-v6"\s*:\s*".+"' "$DOCKER_DAEMON_CONFIG" \ && MISSING+=('fixed-cidr-v6: "fd00:dead:beef:c0::/80"') - if [[ -n "$DOCKER_MAJOR" && "$DOCKER_MAJOR" -ge 27 ]]; then + if [[ -n "$DOCKER_MAJOR" && "$DOCKER_MAJOR" -le 27 ]]; then _has_kv ipv6 true && ! _has_kv ip6tables true && MISSING+=("ip6tables: true") ! _has_kv experimental true && MISSING+=("experimental: true") fi From 842cb235b610c54f7eb5ae9337ca36cfe997fb40 Mon Sep 17 00:00:00 2001 From: Dmitriy Alekseev <1865999+dragoangel@users.noreply.github.com> Date: Wed, 6 Aug 2025 09:38:22 +0200 Subject: [PATCH 09/14] [Rspamd] Fill module name for set_pre_result actions (#6630) * [Rspamd] Fill module name for postmaster handler * Update rspamd.local.lua --- data/conf/rspamd/lua/rspamd.local.lua | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/data/conf/rspamd/lua/rspamd.local.lua b/data/conf/rspamd/lua/rspamd.local.lua index 5f23ef6b8..5fe66f75f 100644 --- a/data/conf/rspamd/lua/rspamd.local.lua +++ b/data/conf/rspamd/lua/rspamd.local.lua @@ -102,7 +102,7 @@ rspamd_config:register_symbol({ local rcpt_split = rspamd_str_split(rcpt['addr'], '@') if #rcpt_split == 2 then if rcpt_split[1] == 'postmaster' then - task:set_pre_result('accept', 'whitelisting postmaster smtp rcpt') + task:set_pre_result('accept', 'whitelisting postmaster smtp rcpt', 'postmaster') return end end @@ -167,7 +167,7 @@ rspamd_config:register_symbol({ for k,v in pairs(data) do if (v and v ~= userdata and v == '1') then rspamd_logger.infox(rspamd_config, "found ip in keep_spam map, setting pre-result") - task:set_pre_result('accept', 'ip matched with forward hosts') + task:set_pre_result('accept', 'ip matched with forward hosts', 'keep_spam') end end end From 1e42b8dd21fb021e1ddcbb2cae94f79146fe4d39 Mon Sep 17 00:00:00 2001 From: FreddleSpl0it <75116288+FreddleSpl0it@users.noreply.github.com> Date: Wed, 6 Aug 2025 09:40:47 +0200 Subject: [PATCH 10/14] [Web] Add delimiter_action to mailbox and mailbox_template add/edit admin forms (#6620) --- data/web/edit.php | 1 + data/web/inc/functions.mailbox.inc.php | 17 ++ data/web/inc/vars.inc.php | 148 +++++++++--------- data/web/js/site/mailbox.js | 18 +++ .../web/templates/edit/mailbox-templates.twig | 17 ++ data/web/templates/edit/mailbox.twig | 31 +++- data/web/templates/modals/mailbox.twig | 34 ++++ 7 files changed, 193 insertions(+), 73 deletions(-) diff --git a/data/web/edit.php b/data/web/edit.php index 9a1e5a5c1..7ce4d0c6a 100644 --- a/data/web/edit.php +++ b/data/web/edit.php @@ -125,6 +125,7 @@ if (isset($_SESSION['mailcow_cc_role'])) { 'mailbox' => $mailbox, 'rl' => $rl, 'pushover_data' => $pushover_data, + 'get_tagging_options' => mailbox('get', 'delimiter_action', $mailbox), 'quarantine_notification' => $quarantine_notification, 'quarantine_category' => $quarantine_category, 'get_tls_policy' => $get_tls_policy, diff --git a/data/web/inc/functions.mailbox.inc.php b/data/web/inc/functions.mailbox.inc.php index d5daeddcd..6ea4f5717 100644 --- a/data/web/inc/functions.mailbox.inc.php +++ b/data/web/inc/functions.mailbox.inc.php @@ -1223,6 +1223,14 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { $stmt->execute(array( ':username' => $username )); + // save delimiter_action + if (isset($_data['tagged_mail_handler'])) { + mailbox('edit', 'delimiter_action', array( + 'username' => $username, + 'tagged_mail_handler' => $_data['tagged_mail_handler'] + )); + } + // save tags foreach($tags as $index => $tag){ if (empty($tag)) continue; @@ -1613,6 +1621,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { $attr = array(); $attr["quota"] = isset($_data['quota']) ? intval($_data['quota']) * 1048576 : 0; $attr['tags'] = (isset($_data['tags'])) ? $_data['tags'] : array(); + $attr["tagged_mail_handler"] = (!empty($_data['tagged_mail_handler'])) ? $_data['tagged_mail_handler'] : strval($MAILBOX_DEFAULT_ATTRIBUTES['tagged_mail_handler']); $attr["quarantine_notification"] = (!empty($_data['quarantine_notification'])) ? $_data['quarantine_notification'] : strval($MAILBOX_DEFAULT_ATTRIBUTES['quarantine_notification']); $attr["quarantine_category"] = (!empty($_data['quarantine_category'])) ? $_data['quarantine_category'] : strval($MAILBOX_DEFAULT_ATTRIBUTES['quarantine_category']); $attr["rl_frame"] = (!empty($_data['rl_frame'])) ? $_data['rl_frame'] : "s"; @@ -3259,6 +3268,13 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { ); return false; } + // save delimiter_action + if (isset($_data['tagged_mail_handler'])) { + mailbox('edit', 'delimiter_action', array( + 'username' => $username, + 'tagged_mail_handler' => $_data['tagged_mail_handler'] + )); + } // save tags foreach($tags as $index => $tag){ if (empty($tag)) continue; @@ -3604,6 +3620,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { $attr = array(); $attr["quota"] = isset($_data['quota']) ? intval($_data['quota']) * 1048576 : 0; $attr['tags'] = (isset($_data['tags'])) ? $_data['tags'] : $is_now['tags']; + $attr["tagged_mail_handler"] = (!empty($_data['tagged_mail_handler'])) ? $_data['tagged_mail_handler'] : $is_now['tagged_mail_handler']; $attr["quarantine_notification"] = (!empty($_data['quarantine_notification'])) ? $_data['quarantine_notification'] : $is_now['quarantine_notification']; $attr["quarantine_category"] = (!empty($_data['quarantine_category'])) ? $_data['quarantine_category'] : $is_now['quarantine_category']; $attr["rl_frame"] = (!empty($_data['rl_frame'])) ? $_data['rl_frame'] : $is_now['rl_frame']; diff --git a/data/web/inc/vars.inc.php b/data/web/inc/vars.inc.php index 671e20334..568105308 100644 --- a/data/web/inc/vars.inc.php +++ b/data/web/inc/vars.inc.php @@ -186,6 +186,12 @@ $MAILBOX_DEFAULT_ATTRIBUTES['force_pw_update'] = false; // Enable SOGo access - Users will be redirected to SOGo after login (set to false to disable redirect by default) $MAILBOX_DEFAULT_ATTRIBUTES['sogo_access'] = true; +// How to handle tagged emails +// none - No special handling +// subfolder - Create subfolder under INBOX (e.g. "INBOX/Facebook") +// subject - Add tag to subject (e.g. "[Facebook] Subject") +$MAILBOX_DEFAULT_ATTRIBUTES['tagged_mail_handler'] = "none"; + // Send notification when quarantine is not empty (never, hourly, daily, weekly) $MAILBOX_DEFAULT_ATTRIBUTES['quarantine_notification'] = 'hourly'; @@ -257,57 +263,57 @@ $RSPAMD_MAPS = array( $IMAPSYNC_OPTIONS = array( 'whitelist' => array( - 'abort', - 'authmd51', - 'authmd52', + 'abort', + 'authmd51', + 'authmd52', 'authmech1', 'authmech2', - 'authuser1', - 'authuser2', - 'debug', - 'debugcontent', - 'debugcrossduplicates', - 'debugflags', - 'debugfolders', - 'debugimap', - 'debugimap1', - 'debugimap2', - 'debugmemory', - 'debugssl', + 'authuser1', + 'authuser2', + 'debug', + 'debugcontent', + 'debugcrossduplicates', + 'debugflags', + 'debugfolders', + 'debugimap', + 'debugimap1', + 'debugimap2', + 'debugmemory', + 'debugssl', 'delete1emptyfolders', - 'delete2folders', - 'disarmreadreceipts', + 'delete2folders', + 'disarmreadreceipts', 'domain1', 'domain2', - 'domino1', - 'domino2', + 'domino1', + 'domino2', 'dry', 'errorsmax', - 'exchange1', - 'exchange2', + 'exchange1', + 'exchange2', 'exitwhenover', 'expunge1', - 'f1f2', - 'filterbuggyflags', + 'f1f2', + 'filterbuggyflags', 'folder', 'folderfirst', 'folderlast', 'folderrec', - 'gmail1', - 'gmail2', - 'idatefromheader', + 'gmail1', + 'gmail2', + 'idatefromheader', 'include', 'inet4', 'inet6', - 'justconnect', - 'justfolders', - 'justfoldersizes', - 'justlogin', - 'keepalive1', - 'keepalive2', + 'justconnect', + 'justfolders', + 'justfoldersizes', + 'justlogin', + 'keepalive1', + 'keepalive2', 'log', 'logdir', - 'logfile', + 'logfile', 'maxbytesafter', 'maxlinelength', 'maxmessagespersecond', @@ -315,62 +321,62 @@ $IMAPSYNC_OPTIONS = array( 'maxsleep', 'minage', 'minsize', - 'noabletosearch', - 'noabletosearch1', - 'noabletosearch2', - 'noexpunge1', - 'noexpunge2', + 'noabletosearch', + 'noabletosearch1', + 'noabletosearch2', + 'noexpunge1', + 'noexpunge2', 'nofoldersizesatend', - 'noid', - 'nolog', - 'nomixfolders', - 'noresyncflags', - 'nossl1', - 'nossl2', - 'nosyncacls', - 'notls1', - 'notls2', - 'nouidexpunge2', - 'nousecache', + 'noid', + 'nolog', + 'nomixfolders', + 'noresyncflags', + 'nossl1', + 'nossl2', + 'nosyncacls', + 'notls1', + 'notls2', + 'nouidexpunge2', + 'nousecache', 'oauthaccesstoken1', 'oauthaccesstoken2', 'oauthdirect1', 'oauthdirect2', - 'office1', - 'office2', - 'pidfile', - 'pidfilelocking', + 'office1', + 'office2', + 'pidfile', + 'pidfilelocking', 'prefix1', 'prefix2', - 'proxyauth1', - 'proxyauth2', - 'resyncflags', - 'resynclabels', - 'search', + 'proxyauth1', + 'proxyauth2', + 'resyncflags', + 'resynclabels', + 'search', 'search1', - 'search2', + 'search2', 'sep1', 'sep2', 'showpasswords', 'skipemptyfolders', - 'ssl2', + 'ssl2', 'sslargs1', - 'sslargs2', + 'sslargs2', 'subfolder1', - 'subscribe', + 'subscribe', 'subscribed', 'syncacls', 'syncduplicates', 'syncinternaldates', - 'synclabels', - 'tests', - 'testslive', - 'testslive6', - 'tls2', - 'truncmess', - 'usecache', - 'useheader', - 'useuid' + 'synclabels', + 'tests', + 'testslive', + 'testslive6', + 'tls2', + 'truncmess', + 'usecache', + 'useheader', + 'useuid' ), 'blacklist' => array( 'skipmess', diff --git a/data/web/js/site/mailbox.js b/data/web/js/site/mailbox.js index 28e6fd284..135ec764a 100644 --- a/data/web/js/site/mailbox.js +++ b/data/web/js/site/mailbox.js @@ -269,6 +269,24 @@ $(document).ready(function() { function setMailboxTemplateData(template){ $("#addInputQuota").val(template.quota / 1048576); + if (template.tagged_mail_handler === "subfolder"){ + $('#tagged_mail_handler_subfolder').prop('checked', true); + $('#tagged_mail_handler_subject').prop('checked', false); + $('#tagged_mail_handler_none').prop('checked', false); + } else if(template.tagged_mail_handler === "subject"){ + $('#tagged_mail_handler_subfolder').prop('checked', false); + $('#tagged_mail_handler_subject').prop('checked', true); + $('#tagged_mail_handler_none').prop('checked', false); + } else if(template.tagged_mail_handler === "none"){ + $('#tagged_mail_handler_subfolder').prop('checked', false); + $('#tagged_mail_handler_subject').prop('checked', false); + $('#tagged_mail_handler_none').prop('checked', true); + } else { + $('#tagged_mail_handler_subfolder').prop('checked', false); + $('#tagged_mail_handler_subject').prop('checked', false); + $('#tagged_mail_handler_none').prop('checked', true); + } + if (template.quarantine_notification === "never"){ $('#quarantine_notification_never').prop('checked', true); $('#quarantine_notification_hourly').prop('checked', false); diff --git a/data/web/templates/edit/mailbox-templates.twig b/data/web/templates/edit/mailbox-templates.twig index 6d150b263..65a83cd2a 100644 --- a/data/web/templates/edit/mailbox-templates.twig +++ b/data/web/templates/edit/mailbox-templates.twig @@ -36,6 +36,23 @@ 0 = ∞ +
+ +
+
+ + + + + + + + +
+

{{ lang.user.tag_help_explain|raw }}

+

{{ lang.user.tag_help_example|raw }}

+
+
diff --git a/data/web/templates/edit/mailbox.twig b/data/web/templates/edit/mailbox.twig index 32a3706c1..12c1f3b93 100644 --- a/data/web/templates/edit/mailbox.twig +++ b/data/web/templates/edit/mailbox.twig @@ -117,7 +117,7 @@
- {% for rlyhost in rlyhosts %}
+
+
+ +
+
+ + + +
+

{{ lang.user.tag_help_explain|raw }}

+

{{ lang.user.tag_help_example|raw }}

diff --git a/data/web/templates/modals/mailbox.twig b/data/web/templates/modals/mailbox.twig index 85091da41..0c164332b 100644 --- a/data/web/templates/modals/mailbox.twig +++ b/data/web/templates/modals/mailbox.twig @@ -76,6 +76,23 @@
+
+ +
+
+ + + + + + + + +
+

{{ lang.user.tag_help_explain|raw }}

+

{{ lang.user.tag_help_example|raw }}

+
+
@@ -246,6 +263,23 @@ 0 = ∞
+
+ +
+
+ + + + + + + + +
+

{{ lang.user.tag_help_explain|raw }}

+

{{ lang.user.tag_help_example|raw }}

+
+
From 8cdb0b869e4a239ba760c5b294343f5cad44b043 Mon Sep 17 00:00:00 2001 From: CodeShell <122738806+CodeShellDev@users.noreply.github.com> Date: Wed, 6 Aug 2025 09:42:43 +0200 Subject: [PATCH 11/14] fixed favicon.png (#6570) --- data/web/favicon.png | Bin 15428 -> 17611 bytes 1 file changed, 0 insertions(+), 0 deletions(-) diff --git a/data/web/favicon.png b/data/web/favicon.png index 69eb2fcd1f25c33001a6e67f9b2a257a5fc5c8d9..5413613598da70cb968f7597c796422a6f3b9fa4 100644 GIT binary patch literal 17611 zcmdsf`9G9h`2Rgpgz!{CNGgiSk|ax(l7tWj*_D0Ep507O;Yp|nWiKRSD{IzK9($H# ztl8H{b_QeSdri;h^ZNV`-+rmr%W>{=pL4G3dN0@AliS*AhnS8tAqa9v{pNK&1fhd} z(jklo;IDPRo*np$-u|lARRsAM9ki<(iy$Wv_3KwLe#wi&j?ei9UXN_e+KdRgEe4`$ zmUe6JxfW%8%T<_XO(yHcR@>CwDFA<^}HF~{37hM<{8`9 z$uGjD?x<`=9#<~3al2FX@V-?1f!oYZDh4y=lFyWWh@^9#-?ACbt8AlkerA-u?KU%{ zY*f?PKFxa&*7g6%AF&Hb!*z+T)1p~krLMNiTDujcR;YGIX-M6T5{i_%XWJBY>qCnx z9pdg|_%X7>)X}6j_418bm$y2RUp*$zo+T&Bj_gjyc{MiQw@czVf&9{JZ4XpnQxCXx zgROa9vE|3vpK{hFXP+a;b8ctO{I3G1`AUiyY`>aDcoB|=Jh&T@VbcHnp*;2J#G-WC zu6$8|;SDyPCpxPL5)@HdB)R$i!i+(~PW@+bQL1sg(LqUOWRt&Dp6b$Rxprl3OK{KN zw7+o*GlJ8$wpIG@WcwXH6sx$(-!3Y(OVVOPT67G|<`%byBzG8Y%%s}!^CP%|dy8)) zw`)w2gMxnzEMtmUhe{AD>=|rG(JUeUE7dOYzEiIU3c;PpIX~dGUAx`1C!dhr8~EWJ zJuXz?^MfSP=*xA7i_r`SQt)p_TO!qG`NwMc*HOLX&2tM($fn@*%-#sK{wDR&8LUDR z+~%m_-dZ!vs^w;ou-xl+iayAzKu7oH03v^2W036P1q4wJ=p7vR*AHvG{+c<^+*yA= z?jm+j{;!w6(zstUeDBGgnYJY>OUiN=hJ5}!cwGa}GYG*UnHrf;NX0ta#zwrv*v1yw zTy~G*&+WRidzpbyy?QZ0au#u)(IJ|$1Z?@;c=oB+q9!)Ey8Cgpm7Wk+f)Q`5Fl!r{ zrDcl2#o#hZKMZP8vuasGnS#)98UT%_{PTsduO>iC;Gzcn=~jgRcP zu90!617-DFJb)5+VMfU}fA_2U+TLn_+so0wjOtXL>5Y+-;;&w^XzoW4xwQQA=Zs~u z{I)Y=reie>wM7nQXKv*0dI@n3HSMID%MLYj%J0Wj5azb!8((1)3kpjw?uZOi*`~He z%L?idr0YUVgyG1ps~~zIuzl2I*IuPFj~sWykllrJdh4rZ7Ek0iuZ8(rF)n#?d!w=W zF8!WO2vQ=EJJ-)&5J=LDxiEA2*ycKU_(pBnI5HMEQ!aS%d2PO?i>>zfo5IU`Cm0cA z@f~@EpzAub@s6+4WG`bofg!wb!{^YSRr!DATC>a}(ocs~HWMYIW;6`RB zZ~b!Pwt1q`dR(v81u*(uEvuZuFd)iRB3QDU9t(DIxh(l-aajP-9#!Cfrn7DD^1IKr zAvIq<1e8$(xd}a1k9=BI4~8JNFtsT7DAZ@hf{NRp zEr%c`Ne0^){Fz*o)W1KTja#T$nNZ?9u;d|=yLGv6J<#Y7()iudZT(E>n<^#KBs8&* zerlIT;c+IB-F+;#C{Fgz6tM=|{rvcVO~G=>NntLmNk!^{(pp=^2+#3arjyQvGEIdP z796oSigy&v(uNLNxvMhCxnM-cq!PtD^Y%=lp5K`NF=jfXq=GoEH2ujqZN=dDXn~ny z+jNNjc5RqgM_cQU@{)4j2~UD=17c;Vr!6^jT=r`1(hQnnp+NuZ7B^k$qy~bdD-3wo zkG@LQI5ISyASPcf=(rJIS8B9&`9`CV-RyM8QUq$OI$-HVkJqAMmRVx2=q4A(U6^il z�b1ey`icy6Mtp(Hc1db@HRS3aUyc2VOrJ0u?0yL|NosfvY( zA@3*$KZ=R@X6Zxp0mQm}G3rv6U-8DiT@fv_pP$3f#nWp{Y(c8({aw-!KQ8A@_17uB zKf($8J)?`2H*U$}%r4G)!Ey zzP(s_|A69}Ejh^`qV?M|#5Sb#(;L;TNKEqR<>k;_CZk%qlYtv&cYA9)JQ@g^p$S;R ziiwNQ3w8u?;B&6W{x;8+j71YI<8&^P`=VdCxg2QnAcwvViSt3emKHAZST?p@_Fir4 z3uJ0c!xU^C$S!&+V6|33i@xmZ%;Kd~*^uwu zNXhCeLMfXZLhbXdoVQft<;aA>)`H`Brh{ zhvK#$4M^=r=9tPVdtTIAIz2*8s)xSW?GDAA9>uu+u5n4EL%d5gpLW1=7L3oi?JH45 zo_B}g65nnSwBP|UIc(I~xX1R%^Mke|P1mCcqyP!;G}CV;j55@PKfis{^tI`*SEDOw zx8YkEH$^XLKcX(eGLrwLYwy0Qy4JVdQ3Kaaqd%))Ob8OWqVO|veR1`c^El)rY+g8TZeD9sZQ=ZY zQs-MiMER-amy1kW*iv*jp=YKXQ4}4;R@nr_*^kEC@D!l2>xJ_hrnSjh)(9>>_OboZ z6MhzDm2;Scg#o(P3{mQ5By4uDI@8jjdQEpUR0h5to0w8?aVJK;_rAV zI_mFEi>3NDisE$IwubX2<}zX;RpJb`Nd&{`_0D1^W~7TQX8H&dTW!|{EVT|fNmNmm zpk)5IhQr9NSi@!Xe!sI!O>}V`$Pw!ceDwE9w!9NblkYfkM!3%_c!%A6b=2c_KFa+-rzn+_m9^#$rKlp1L7$s1^sb#IuX5NW+??_1yAaN0VfwS6GF z%fl_>JAq`DvX6!QeCN57jZZ#9k0{Gm$&e?TbHqk{HPzU#Im~ppGt(NTaMARYVCl~! z=b4b_S$^a0d#TunaZBv0>S7=w9x=KZ!D1!9!u8==_*JH;viCNR~TSe4t z9|IVv#HGVY*Fn*nw#J@=9Vsao{89BYocduQW_2-tfeu%4oKDDB&TaHg%Ah7Af;(oA z6lesQ@MhTz#)zvrcOi_>lLhfMR4?nwNUF7orQN4b_!O-C^fJK|BIqJ4$;XwpB$*gV z`d|9q>stp=a4=5AZXy9ni^~M@i~AiBjyTZLD;JnG)unXk>}F%|8n~rKt9C`e&zWYMqS>6NQ%=nT6~0ja55J-*${jd zpeHdWSU8-zPlQDReznftFI0dA7A84U=AFEj&dIF?0$%7xVAMwVN50W!k?1RVU+Pi@ zq=;dRNZRD|?m{O$B%<_bv!EmBhULz!(ReL=*9gR&JK>sgOHP6GR`eH@(dRKvH&Rf_ zTlmyq;fCeQFv*u?0t;Oohu?NcT-mSqmWoiE-+0%&2nL?!5I;YVfT7GWL>t`rJZIgy zHJYfdvlxxIb66CVhX~@JRwUUe)GPJ*>I*6O(9zXh$_qsR-C#JydG-9}7CMG*(;;Fx z$&`xS<;yod_fN7=olhcCb!{8?5!XnhIc7^y@LG@w z4@rgyn={^#y8$^%ZDX8zr2K8^_^4N~w3ZJS9qthTw;L8Abva@da_{EG`fQxhv|Ucg z@LYYS&w|zYO#04(WuQmY8rc9DKsFK!%7j!5FZL;-^-0=$&v~665xrqpM`xJt9Gx;# zqxd@}6yQ2IPP41i|LS05_b!&deOiyzgaHzC${LO0y=e!}vB(ky+s+<6LBhNE2xoL4 z>3c7qQ6(Cdw+s^dKQHS%K|ZiHq5+(JSD?>JHuPKehxu;8&E99wN$$>XCW+9nL8Se6 z4ChHC@4E@(GIPDQPfP1rSeSW7Z#Z=zAsHW;U`@J=LZu&!G`cNOp&8=QlOtxleSMrV z8lV5wwuc)j5y@TsxRlLB@!x+$o|~ejj5r*goIZN%mpdEkTM3kyBTxcf00t}V%)u*? zeVfIh02%oTAX48N*x4iD6~18<=wEi))8=AK%H*Z&55va(g(T*MxH*NBt-j=lJ$YB+ zIfmAF`xBxBr)76Ul|M+FxGb*q`yS~sH|ivFqmkpiBrnDfG|Zx?!-#bG8-`*tIJkF_ZM`p6jO!3FyBX|3-sAk8;v@WAvp+|lC71(A9sXL?-Jy({~z zbuyVz3~5G1L6RAbNP5fvp^vXq0gybsYPc_j>6}Jf&c%w+_r!CY2ztnlq;KROqK4LM z+p}lD#zBiCD%PtIXj*5Q(;!6^ef55;CH+VA}u|>&g z7HY2w;&2sG=?@j0IWy{h+kHCa3>VwG!S$nUaM!v|A|>ww7(X@TH}@Xp+m2r=Fh$%& z%Otax>x`1a36{Keq;d#FW;Dxi?jNWjZ9MFo1bZ(#Ur&_>hr!X6I*1n|uTXOB3ywQl0olW&eG$gOUt6%@$6Pd zrpqbQ5O!VBF>(4#Y#}M*qpBnxXY1|SBm>@HOpFH}%};$Hl8sG;R~ytW3i?}zV*U@I zR5}3&P>r?YN4}DOYsI z_Xwm1k=3|;_FEMj}cSaIOm4~z2}`jL`~ zJOKHOV$t;kmA??VI|U`GSx**)uhoekL@6^E^H4NIw0*W8%42x_&tw#Q7+^&BI@lV& zhvV3&S!RaZ^j!fH6z!4f%lYrOuj6UQ_gz1zySDv0`5&~qsq$%A3 z=h}{ur#@&M$CfjxY{Ak2*r&IdF`@jkE9ZL@Rn-V;jEIRDq)64J?A<9#u1bItT@j3k zIb>%Vn{PzR5Q%mpm_M*X`6<4=HfL_%R=NdO2#$8XNLN<%mvq1#dXI6JVegqu`j+`W zU4%JWVUD~LbPrlds@atQG9sdb+O`j$#<^g!H$?)dRUP$&=H(?PdYl*#iuv+=WGI@8 zM;eht^kR}6kd!!klJ6xt1ayam@_jI~sd3-(5ir8nkf@xH)urKZ!Ud+r6ZWJ@W=7=GdGWs7?szGIv47sGh##iI3FRhJUbpg7 zmF}xH0<+WuNL%d4zOBIUnew#2C{;9yp(It$pF#Tfy z5Z>XfIZEmm$O=#;E|5J8=n=En70nHMy48K!J}cc9LK#vM@>N+L2*K57s=lw=#b<*G(9gV!o}x8MhC9rHf1hcSaExoN$5c{ zn^2J>6W}A1Q3lnVA%eF>)#kg^?i0Y{@{llM9f_lMm}57 z4@FF0>jUAthE&$iFBi7g{=__RB(d4`a8({cA?>A=TgSy z%qo)il(R%TCCJ|}Fi+ab(MY8@N%|`~jLP;!G;onWxLuyy8p)q0R=-##!09eZkJy}c zWqdDon6AtJKLJI0D^;Jnp5OQsa#FrgUxHHNS#wz?ZU6wto~3S4(5Z|@+@Y74qbGLG z;@fK$Fm|2_8*LO8tj%Kt=fa&~_3Pjk`)yM|fXQhvpB=i2)E%HHjuR*7CT{+L(hkg=;nePMnpU9$T7?Z+572&^DvUEdgxV{YH!x>G zF$3{pzN2JnYUsTjdbA#^oYi8_Md`l{OQFk{XjaL&rtC-J=}0hm80Eh5Aa3#^dSjfR z*(h%Joy&bc3`&GCz+a{fU#{jjoz!%$S29-oNfRmz28)u$pMgPC_fCXmxbQ!4KvRNb z2u6o&#=9#ygu|#)+T4ZDb?xhje<2@!LYB;t@Gdmf)iXCYj$+5P$3B?WAjlNSk=Gy) z&3I6V=o<;YXH4~5pn8ZF22d73n<)5VIHS)>)!om6EdhVZ))S$ZkjT$e7r2kV*K-L+;tEp zLL9GU9faLyfM=c^#hUK0OYAv8b&QE|Fd2V1+kJ?-0;T-oJd3*;qO1v2=$+NNhx)sf zQ%UFKb~oY7^655~ftVNi<86Wg(_c0a`_UsMQ9Jb*D5NX=IglT@eL}Tgo=TbALF$T_J3%B$uyz1cK`ce)_^FIO-X?{V|0xi>><0VhFjdaKwiRl zkUoQKP^5w=53N30!6e}^+SEvPT<1Rt(Y@hV02@$)Jw^$14u8S=FA-$kTHRB_vqOGl zfb~BB#GnUZmlH-L?KB40b zToi{udc>Q)P~v^}RDrj^SpSwPsZ z=V~wJh9gNfJ=`W*i)8tTXmYBJvo=lrgTk7j!j5$5R+E+YG?XLQ*@KrAt|@cAZ?Aqc zx90}@?b$iFZJ@~TJVS8NG#W2(vTqV&loafBiKZHawHqe+n}7Q@>dO*v14NU!CBmiR zT3ov_qO4|O#3(aC`N^JNC|9cXjR9B=SKzJfTGJvY=6)%7lRq_bO3c5)0zko!DgXs) z8jPrvw=jCzntDx}E%3Mwu=3W85x8u1cBhc^3>Zt30TLFx{-@q6y@=7ck#aW!(@FlL zx@?V8Ga(Dw^>We>)|_9Xcuq+Jyjiuo-v*z@HRURN>UL;r6L#*7?R-69wi5I=ll>^f z{IigOann{!7Lon=y*L?{+SZ&jJYYa!k^Hp~keT4wlY*tpOr48yTHETB384!f{Zk#! z<7mTx&g=Ch%#P@9d|8>fL|<|eHa{^xG@@hCeCsU9@8>I^gKfR>Nj=;}da^6j0%ua8 za3`eq)f^#j`Vt`+9Us-kl)ZV*v3vT5&Gz-Z2Z%tr>cGyj(q6WfyoJ;*n)v0SmfVRh z6L_JU(mCgn2Xiw6-sCiC#p|2{(laoBPygA|jUp(lkAzsMrS(D)??!L)YF*y?q|AI0 z7T%wUcW_FJX}u=Yr1RzC#t@3=63u3`F>a}_JIl?dXehOZpICK~ZeoxIv4gL{f_ztD z*3cm+Tbwo;jVhSE>SdfeH^={p4ckO;OX@kQRr5Aea_PZ|^w7VME?Jki4)X>LU}e0v zOvEg0U{x*df+F|i9k5dEg9+i6!=pI(_U!Rmgb9pYWMTKetQ=}5Jmk&w4E*jtJA9v- zPP>2Hc?L4D3WwI5ue9*2)%v4}2-5IC8m*qQ(@7^salqXq+F5vsT(q$GJf*$;`PJ%P zdBJJ=^Rh%#{yzwA(?0+0>&r*OXOmmWR<}T2iOIq8^!)hxZVHt0KfM6q^{lh(R%kC; z(gLe4dH%Vcp1${#DZZToPxhl}6-sMcNlOHShH-}EXzR(MFJ6Ih%hHU4ypTCML=yK( zozU4Sc-r*;vcB#dW|kJp?xro}u_-4}6|5MeqA!7yuQf!NMyX{$PGxCcO!w6N?S^r2 zvPH;P$5DZk81MVfT%sD@bk#zlvCgf>Za>zKv*b0DsNG|(r=FV31;seTu{%F$UT^OK z&RWUgHi!gsJQ3!=Kl7HDjJc{O`lc9uWA4sbls|AnGj-P7VpJZ28|n&jbjBd9X5Pz= zOsLx7JZ_n_;@Z05;v-j^pMUNO>FXoB;(7N zf_9UR6YVZGH`->)rE|c^#JA3l>iYaVoqfDe;u93UC=M{)uMKfB;NS^Ncc8Lg{4M=PQ?THpk+<<-wEm>FqGz1DMai=cfv7K3X1Y z45uCkBQNlazoj3K8mvnToR9Lg@ry35#!%Rf%2R@~xhc*}^=#*q+{5*?^vv<$NLlm^ z9!Q$`m>Jgh^M3xrZCiz`)N8H9$M;)5Ly!7CH8qCYMee^7^l zY3hrF1@++H6U&dFO3q;P*-$@yQ|P4u*0^R!`YOjYY^69=2aU?Xx-y__z@T}zvN595F)llSlqpn z^~7A#;^R*R4mEzCkOODL(u|}^6WDR_Hvkjlik;B9K-Sz~sO$A$BbflUktawBC7s(D zOUscfJ)87y(Co05@Rel_LEEMpUZ#2=2rpNXl*kM7ow!f6hYlxnq7y?@i#%=wqZXj- zwc*A1^auREB`Cu~U$as#g}w+2qY?b?6Hp^hmRF>&i zRsUL7V&~IZCA)`IhI<4%uJ<~ujW*Xdxk~%ehN@+E%}$)*-7#&zOx}4W!vxA#amk-K z!)MUhkWj9c6^&tL877&8%GzEzpP%nJ@4RqLCL9M;-sCVqqwIijYtZh%YVH5{rXH&m zGR8V9eUXO&dCt=&FV7EcG~PPg3Cpnj4+674c7oqw4oU8d1Jb z#|Lv|!CYXOc;a*1);%{$M~dTVdEr~r8Sd;#U{!k4|2`{r#5XiNRfC0Dl$C*T0G>-X z>3etFrf2iupv7O&0_n$61?khX;NDA$9l{Q|N3E>FzV`Qw6NE;6i~s(3RA6kq(?F4; zQb7(Zukxd$zpWQM*voZf*|PW;9dCJbL8v_=%7Gie#N)x$7EHa;tA63a z0PyqF z8y-6f$5`sPCHQFtQtGotnnk#ZM4htEe|WPHwixV7RK)RA&v2T~1qh3I#QK zK^G&=dzRj+9;SRVv20d3uC$rynI$@KDgMGAsF=MQQ!1@HJ;jf{vi^2W!#}A}2%k)G z+~cF-13PJf##MRwQKNKY1N-v@AAHqOI$RXcny@Dsj-dthmbn0IcE0Wmo(u8#RIBjO z$h{zHmd$B;n5qw0QF1QN-^Jf>{4*yw8frQ5wfRdWbDvuDm?cBhfs%a>#mSZ%NIWco z-Dm$Pt$Km!2LHl8u3;v~N(mhjiJ#X-{K_Z{c^15iB4?0**oNtK!%EWFCt1hqq zO<*vIKl*1bgs4M_er*QMPUT$f!DG)MHNMs?7oDG9UaArPwXxN#_9ERy#4@49jfW$gyur0HH{qI5b$)%D^82bn++b zy&yP2AJV8#p~ew;Tk>0dbKCKMMApK=F?=rVhZgmY%`8fHaI%aTr+xsGVcTP{AQ1w& z+8)3U{?nDDc`o2S5v*915UOjd<(AP)o)DR}EYH}u?*K3_8f05092a?YQ-Qm!VQBSVC|Hy1HZuyZ|I z?=Yi9G}O*k)UIBCGjVz}UYJE#saC7vMbp&AaHd^;sy&(+h<*OxdTvC5qS@BUtpa|dN`@GPTH63^c&CBqoKJJ-E%z6t$>w9` z+&;t;P=COE#9vu+9`G?Uv9w07;oGYV2EQ&OgnVmjo7xeh-Zs&T%eQzQRqvCws{wMu zdzqL$*9gNIjxeZ%w*f?bU;Mbb?R&=hp`)SQ#xsy8m!hxYTbD7 zTP3z%W|*h`8>XyGk2+=PwYz?Y>ytkC2H*-S(3&X96my|sCk<=p`)#8(T(%|asb2HB zD!-p6Z$9}DVHX1UzUAxAwJnk%O(qd>h zpO3dj}I9DK>N<|@;pq+#u$*do z<2|$TLA;UK6A?gimX9IH1DTa_WbluHuSt-T>cpd))B4|K23#d(S>r|1+$~%`%0`l{ z%t9XyO_!76o;-Mgb~OO(02rURT*;g(kS_JnJVfG!BX;gQ{hywZnw&7K#O7lzN;?o$ z(An<*ipMZ_;>%W_OgP9*hg~@&nM$7c2iDQLVU`e}a@x$8<~784G5+(;LSN!z4LaWN zh8Gm;4^QhySNK-V9H0LEtqIKPe^%laDku|WE$Tk%0MXQabk%)~rCAqpcLj+%bSg$e zSG)Wq8xtbMCpn=5)1tr#Uf$yF&5*lYD^GkfUo6yIRprUOvKxQ=5URHqG6*OX^>AC8 z2iX!Z^;oiFD*dRkMJ@HX^Dk^b`l~kbMU$(+e2lqJcs!X<-wQ>c*b`)u9kC8rGN$p8 zv8lfI{j{}cpAd8rXDi(fQG;D z6{Ip&0mMidshc(rBKWoDN+4yu^>tEd#I# z(x^0V{LeqIsSW~^Nh$${4RYj98b%LH_FcR_dkV3NGXShYjMtGh@ZWw&9Jg$KFODSW zbA>2F;YoIyH}xglV#J-HLkx-GRQ2rR;-iJY&%%^Gs7KVZ72M|-{*+m!$Ax`+N+M$FX<$fJXvQUzymzmJG>B&#_Hx6U$(d2ypqa zr$V2sfnZ!Hk^Of2d-0M}bjk@i=Xnin$AhyI!OWiCfwHCioeL!07L35j#6dO2xl>@K z=o!o8wUPz0k56(MB>wok%rN)_WM&0ng49pUu>`Q-D;Z&77|v(V|5G(J%|M&QE;75D zROT&UwPVoI2rjcBcw%(Kh76I;npuo>bv2YrZi=$JDKqNxCw*hyc2FbWY3}qmRwMHr ziQ(n6AHszau)BzK<3J`x$7o49u_Q$yU7zus(YZkszU)NJdaO)F0pcQM z?McJ);?Z)%2Ivj=*~f_DivXvMHV}eFzkQGmq|YvYn)9}_By&ZRaqc!e4`ZsB0}-Nq zsc{Mlf;$CFuwX8zxA*Mv?CkB;!p2Fu_Wdj{P#*?5%oxS+*6K!C64aWP8RSMx7~O*# zv&%e9AhSKjv0g*wPL{^$=pCX;=^WhWV7Xx*{2+@NRUEBk-Bkom-P7Ne^MmQ+#*x#DZ@!I#|OHjs*Mfho~Q$Qnr{Gy0&i>r~$6{d9CgT1tipXM#S}; zSf_}_M{Qq;omVs|3@-MA+5Aw1CIpIwq_;x!RbDfMaWmZyQZ8jzPBfox-57oeM<%B_ z$bQ?{&oXZN5vY{s*^$AUdard9$ZLD$v{|%iSvB!T+$nlqUEA@S5F#M4xt_{_zD^o+ zk)uHu8`3`andx1K6#<%ed z!?NyAavY%18g4qp*7xW#_a~){e_v)1)=Cz3ww$ z?gUBmxC+v50~)?h3$4X21Kdqo)239TxGSWa$2PYnRi$;M_7Z_nJct@kWJHphg*X83 z!L7FX<)O|x>W(~r0f>mHG1Z$DHNNf~k@54_@p=Pj&Um6F0@|j5-fLfc+lE=wGDDXq zAx*}c524czN}9njR(T@q%a{p# za*+KJ?dpNo5b=t5XYr!6G;(Ji_`F(N0~_WwoUxY&X%?CynGm_hH2+j|^aB0A)5h0u zr=k09enQt^W>cQX1p@59tnfIgRzHy_B|#-FUy-L7+^YJ8H>Eq?f9!y?a~t$ccvUa_ z1&ga$Eh(!^DztFtYo)cq>2T2fsYr*QGcdh!{RM350~kkBJz&nv(qnWHr?qW8{O(_( zKf`^gmzxpkyKSoY28cHoS?63D4G8b3Xyt8vDy&ZV*e1N@r^}bYz_J^^-X0n9AaRX}^6U6MB(K(_=KD5r9;ga2w-Ow5(#su{(?7!q3#|qS&U^l8?xMzDblNh6 zZ$vP~a_0-9s^>``ng@&G?mHXpLwcJ?R~6`G#0pbqN`GssB3;>>(e8W{9T_(>6ygx= z6N)q$n9J+-G2py4)e2atBRrA|%!s?IP#<)yoe$~S5J=D6r);K}c5jW5CbdFDIs7Hm zmtp0Z9cc*-2Y-qc*lbS0<~+#6YVzAZ_2YEw)^M`1C4%?@&dzEvmkb%h7#Yho+?%< z$T`*W5PFF5>L1zFn+;X$mK!kcC#_ZbJemzrceV8)seuRhxe7*}rH$nIjAj9`PQcnz z+h=;998=?d3OavP)EE$um6-!cg|^QAn?MRb|7lGgrt-+MG$B*%|?{B}6XWw&iHA9{4DbetI7cS_buZe}rSH`67^B(@%rzqA{uS zKlIcSikGxz(|!b$`_4tM$vtUqD;^NVpDo%CHiiOyKd{FIK2AD05d`>x6G-E3_elGc z6P7h&p%T4}tYi+v!<&HpmDf6v>tF1-2!`Oz;fCIyv%$gd)Hs6Iw9iD za^ZQXkpTskd=#OiMrcMvgS-edZCYxdOP)K;iMnMM?E12d4Ux_fNgPbLN3t~1!NT2| zGx=jpLx-lr4oAcE04QXPu6#&dzHs7T_NSnc95JK8qJW>_<7~+A|CCobV*i<8vZLT4 z50o%)xn`Aupcx!G$I5pV!48dw{>tsU%cbma=`PNTm@dlhcZDTz0E*Rr%^#U7RT~A9 zk^bIU7-N$s_M}}M8j2T4-xGSHbySOxdXMx>_>~oDA5w5082#Gc?$S9uoN2jYc0C5t zgU-hXuYX&2#)sOcK+$r*`=q0g;q2NoA`e3bMx2%e-hh8G78ZK zvqg4^(Uc9f`?4n!^|NNk>uluErAhk|t;yp_3hcb{_oLzbnA)Xd*))9ypwPgl zWG(%Lo+4B_5CMY(MNj<7YA^`n@hgvLQRAHp+2FT8dcf83iUd;7kkRgK1 z(>`HasQH{Dlp_W@)#X_B=Z2d5aX^s_j*a-@FMz;Dt6r(JHH>|S>T?!)raE#&a=sRZ z;Y@A>S2(^#ZX3(IZT)f=aKrLw18kRz1h6i3Xp@u!g66NPziV=ezT`Uc{yYt7Uj^#L zF<-9){l7-gv>i%gUxNR!FMG&Ru`bEF)=|br$Oma--+eUM^Zb+Du1(E_3097(a1veV_ox|+tX`Hazrk1OMXh|XP*=vP}wAE;bXKZhDoSK zQl-b~dROksJw>cCowa?Pzcb+GL!SYXwYtXu+ty_g39@7ofFWRTTEdAT3OxE&)oyankFq?cr;K3XO7P~?XkbdYRTGJe)et@dh*1zTzqTG>5w|R_e!~C(5en%BLFKiyG&Q_ z1G7HA*9hLzrikI8MS`=l=Ao3TW2rtA&Z>29LE7sn&b#F}+Jo7$Ms}XXAuVPa->(dqAjnQZC^jWAxj(82z&p|d*$-kX+|zl{pHkW|tV=2CC%VDlU2 z@zCLNSA#Fh65;bcZCVGV2995b2v9D!$o;2b zi0k%s>(Is%zXKmk7Zq+;Dj;Vz?co#6#urZGXEj8ab2jC~;Cqoj7ASl+1D~Mgc29|M z69DGCR(jt$!BC{GRXQDeh#2EOpX3*jxpr9CJ8{ybm3?n1U@h zIf|_U?JG-^0a`(}KY!9VvcQbGv57q~_z^z!wCr<7xc2nCySetZauQcoTQ@#@WJ8d? zd!E6oPf!1h$lq%i6R#h2p1V@el)B5Npd=-UZL7)ML9_Y-&l}n3-*NI^jbt)aRl1yzWi*+%JVlDT8bZaJ}$guGQo?SaU3tDd^@8NayRmX zwm!DOj{G)~zlUn?8MC6q!{l<_Ip1bD{`djpq*r5tjo8KVd%`&_LL37!dWY2(csA4Q zIa=r4Sc3hxN99YCHiMW8H=Yfi+YU{HW+_DZksd3yWn7@HlP4&^u@_TKIPWZ8)qWB| znxjh}bO`M%IEE2QqS1(R%$9+f%+T)J7nGrm6U^{2gs z5v0yu(9mr*a(j1Qr&<3{)^7d%{I{y*a=$oA;f&Hyy%lgjq)VAEk z-?JjI$Ok(Qw^0QT(e1z(O4$WFnKm!@B<$)v=Z);tgrMDRC1&c>WvsqdklP2b@5l$C z?VN};g)G86_ma|!ZH0K8@!H+{=@{ki{y@AtR+hqBFeUFWr(=Q)pat{6*mLjm6Hya<8_oH9Co8bQ$T zEgIq81Yec|zOKO+PB#NH0|a@K$j7+I1wZrLG&<*lAc9Tof2ger#sv7Kr0w=`7`_@ zD~rkUOPJ%jD}0oD=l}cf|GPO5X{)1cSWDEiPR?|gI`uUF4*x3uPNi`DbeZW&A=AG` z|Ion!l6omCm=kw1;or)i2h1HfzO~cIYsBFd#@YuPryjf+jTYiD6Q3o~?^TfXnLpFl znz@oy{>Yx{6Tgs}`C?FlalPK4bU?2(YHe^C&m!44&1ApJo)LJC_$Gug(m5W}{gI&; zW%Bt`qpxXko=!c5x6f6%&8)P_Yo5Fk@{rjsbm0ZQN+lg@$Ew`p$&W}IqL8L$#;%um zHH?W+fujlWL5<4W9+4ONj?|@j;+Lf)44pK{Jh65W4?}(1}WdV}>1`cV8KqJR-P8KIwG^P3au)eo#F9gnf#XC{U>OPQC*T^rW zgk&BmAh?1@{TsR}QyK-251#a*B}+1>U2BmZ+1|%ccXx0h(Ro=#zD_fmT`HsTY9p%w z^V9Pd^#xwNZ+>VBkF0ukO|m2eP|U&um{jT3A2~kr`Tcq1V&a zgS|ZNPyUS3@jZ`>R*8l`rpJ~>^>vuzb5g~nt59};%xn9PbdI50vLF^V5Ec3S#`-S1+CmVdWf%8H( ztFJ7IDda7HBJym^Su!PcL zUCj7bxO{RgR!_KI?#6M%;{*z+$+M$BFRoi(FV+r0`^|U|EJ{<5l)3r*i zG$J0u#7Z>e>T|@|OiW9(2%vMCVe++X9Ibx5O8w~5zgf4CrAJlgej+MduwI|MC7SeA zXlZ)`t)ih~3*svXD;~b0s2`N7rSg=2nPKnZyIJ(7A~TL2zaxEc{rWSaxCSR7As0a| zoYA7+)snwpwnD4Rz?=;+b_uBz*JYHYG@L4VJFJ|~iTpec_7-a`+}FaM|CYK|-p1{< z|2H#>C`vRy6i_$`Sk%(1!&KVxFZ(cY=i>QeO3xXYzrCCvFs8(Rc$Cy7ni@%Q2cl94*Yw4f_MO z78Mt@ZJ#A>Se(&be(9;`7Q-5qs|~!Tj3NnZ$PjQ~fnaYlp0z=#D?b2V>&snd-(X9x zGtUtkvUKAg%&EXk;>9E~Kh*uxU*GgCP}Z5gV`28jj4UCU3&q|kL!GzjDyO$@-0pKY zWL)d@kmwm%)bQ29N9wf6c9;6rl*H|N&+|%OQgd}?};?3qj1BP2;pB* zjR32&@sjOfDnZL4QJv_Z8T^;<2REM_|7Fx+6t8>xUPV%Y-?ZeyCi64ebtfk@o+^da z$5)Sd9ikly97nqga3SuAGuIX8=idccxLOLa-bA$=K4R^;v`X2oZnpBQ;rq6~U9!5p z>n|&MO@ENfTczX{j2kB>C`U9NAvtESW2u=@ti9NfC#8~I_&u+u=C|k9SMT^czq&gx zS9I&iQZcXZnQ~6Ovd;Ia9t+4K?i{>`@JsPX{B4F+pl5gPfqyww-}Z&-21~(Zrtmy@ z<%7opmjxFh&zY6luI`tJo&9k+vd3!RkJCpfX#yU6h}OUv+pwNj6vo?6H?+)bh4hqr zOr$pWZmZ98q|I2Qux~W2LJtRf2Nn!}NoimQMP7UFl|{ID;mkxzGHboWryj>IQN7&P zLbQ*?nS0!)ttQXS|BzKaaO^L2i4uP;b}#C@iumBWTuuZ9C+L-rH1k+taAA+cluPoh z^UA`5S-&^JzfQz2=;4|aGYSEUj$zAqeT(#C)+s zIWf?}W%RYgFRJDx8-(8)tt>&zjt`WVl|`sAXoOA?U_B^lIegh=@=9+rDf%4hg_70{ zXJcec6!y=Pb*fWw6sw%_^1AIlJ_7kPx^L1Zc77u_U<#EMjz$hXvs+8(@H{WuBOT`_ zh~NF5tI>T;I-%bRO_+o|9C%oWMfMpw!iYaBf#g>$*)Oc0PZy!ixwUGG;yAdF*Tq|j zfAtvW4_i4VUvfhDD@9(PO(Ct`4=6jUIDVostE*P^Wrxlycpi#l&UdK@XsZzdVppj2aPJ%zmz z2O4+TG8g7!{WX%#iXmg1qf}CzL)LEb6*BQ;=DEL*s?g4sXaWM33mx~MOU3L%BG2=j zePQesdb(~Yyam=g>)PCvlpnsOI-2`x4m09g#F6}pDe;B(KUPko5m4c;Q7r0#i+0~9 zG|DX7<(!1wtPA(lAltfS$GR+{wK&LP z!J%+>Y|EXj(&J59e>jUiCVN>T+l_<0`YTKPzx~Y=l0{-ppm0a41zC)5DY=r&Op?wQ+zdufFv;Rcpd?YA+nxBlqgFGi3YF~%8hm0ua;)8-RC4;Gjn z+IZN(zkiDx!E9R;(EugLv88^gKt zFXhcoImKpD4sx*QElY3y4z91~lJz#c%}6!jV?HAD9PIp<66APy{VMCX0-|Rls554V zZZqXMtAAadV^=(yunkoDTqT(}uITM~SCXqyeoEvuE3Dqf3N5@Fo@2WDRAOZz^i2SN zWekO?selM7x(F3_<}{lh<-uiIBEq{%n~7CRyD6E`XkJ2o$M<6ivSWIoV`DTieeeCn3Ho^^1eWG~ zOSEvH7;-#wiAuU1p(T_Ti54b&Gj61{NQ-jo@*=xlLdY=^$(jq`$48)rg~8@^@lcsi z+Yy6sOBi;Zu@^H^k9ovl_6jYYvY=nAfS`&oAr4nGG8LJ1;JS~Ca3NcM9buRRFMHc- z%^6B^$v8hk_H2URS_dtOt_6Ii>L;LkH?4@=tfBi1|MFwrIbyeZ-n*UaXcU^j4SO*y zVC3EGKr_p3K?}QCjG$3uu2Xb?y>Q#$9^@m8&%yJ;iSyntFfi5Sd@G$wUQ=)2mI(RP2TQn4a-SbT8`NF^k$1!h;e8 z6t@a5a`dHEwYg5IeL9&que_jzF%%;R=5osTDInZ?Bk?{8h_sFN@_lA?YV2^cT;&F@ zt*TreIq7qYX7N=rod%D!vvDf&Y_OnLw2lV|Qq9U0%}?h49`*h7afpUafu$RfLw4j#(4&$SH(jJGkt^? zskv6)PwnAXcBN}t!YBO#;yXN!Sd5r!{OI~@`-&<+4oCSST*!s|C>C?QWjxQ!m3rA$ zGT2B*P<{)S%$^aGMqXp2CIU?;b*68=hZf%D$n!m5}lCmkPS58|{fk=|25^eI}Ycp_fIm42ojo03?`V~FC0 z<;x?$9WK%TC(*vw2&Qbw!*HmZtllEbzZp<{ZyjQDYg)EV#1Q7ywmYk>C zm>!0xXtXu@{e@kghEipm1;l;&RRlXLq*poRjE(1DJjJ_9PTe=M*j#5X)=-U)OXk40 z>J&n*Yz=3~sjwu}s~jXpx|2!@d>Wurev!TocM~&4j^0HRa?}{wv1sALvo;skuTV7J zsmbQtTIO4f5WH!C!V%a?IFfL^Wjxi)Z`#y0Bfwb8?vkDu!RXdLl$3csr;L^u!r3Cl z+=M*j2s2ia#E6O|7R%X{h_ z<=^}5Ih>6sE=2F$L57gN3TA060WExNPIm0Xf&pK&0z%ETqsukxUsgcWY<;yd?1G$g z6D;SHf7&i6I9+gwnGMqgdM) zzDGJ+BA2?WIqNotDG`!%*s4n}CW(`J40%cB-;*dKq)?=nRKj*h^qfsPV#rw=AC;0$ z>H+fiOYL6Fr^ir6(S2FxTh>1$h#-8t$mEy~L-T*Sn0S#J!v#`f(x}hUUNA_wn~&fu zyO>0;ksE|dsqo|C9X{((PdY+T1rFKoNiOr00x#i3LFjh4@Lf$kaRNEK#aiYvme!ZYGb9z z0O2`?BG^Idc;J{xi_1NMX5uS{BdB*ut zREXDzn-`a7+mD~oW8hyTN;kdXetH5$Xs_lp)!B{Nk%Wj5T8ejU)OA1zt0VVamC<|; zO%MWw{rhy&*%~6a2A&frqdik(VrYt9H~blPujnHh$%F?7elBMGf5MokIjzi#xO(qL z-CJmHiP&^07M-M!LeqnVDWbTLBFR`sF(i6M*7-pI>4#VwcB>F3dM7XLQW`lMqjMsp zb6D(Tsc@nS_hy)Oo5NH@7V*hP_S}IXdA|#AFbJ?joF^R6f;t64m{~VzQxHVL_ma9L z$w>TtD@0Yr8hwBxu66y(a}dl>;atuZaW0u}9rJZBJ`N z$-H-n!h28MrYvxfkE3w?;JHGB&eq9c+=VZS5zZ>Ie)T6bv+NhD!l`*kV`>nO*10+h zkH!3wy(oYW(N7l>@rFY9s3ih51HZ=#89NU-#04~isHUJFBrhvtu7JFu=zw2Qz{m@S zi6L6KoCLHmmY;PQ?so1rV@siW#DqWTWmJ0!C7gT9QB?H3zKrbNL=%<-T1kzuI}uHI zY$K#M=XX)qn61vcdIIV5)hBc?GWOuHBxPlC;cT~2H*+E3FH#Bpt?NT_m9v{}zg&zB zARPS&pD%&UxVA9mPp3g5d%m?@KQ9JNXta^fvPs_=CGvVnLIGuU92H&A_rPfjHp;KQ zxQ-^c;GH-P;gsbg0%tCAT(BA24{D-ijeZOJZT+WQ<&r&HB6V)=ybBLMy+$T(#roTE z1kp2+19%dBj$^qH4=e5Eit{|%s$)fjw}LNHFfSFwdfBaDkmT6!$wyOFw12!&rzFTOCwL)jG+5+irQ4LLiC@-JCwai*r|F zeBtLsjR~Oj(sYItddSYegLdG^sf2(2s>ddwxdS|$Q<8ng&cLRSNub?2+8~oariOH zxX34P{%5SvyY8cVukhn5B0)(@%w|Mh2i~j7{vIGJ!%A%m-y&^*n$DWJUi^CAal!jy zvZT%l+jcB0qY;J|X}Y+`1#yI=HlddR!C!o%zD9~AKL{Bi+MzF z&qaJO%~%vHx&z<}#^V%IpRzRM*KEGwp&`)i3g7y&RFUZ7+TOmVDY*~z5FaJ+DVM9{C zqb@`I$}KBnqkx3_V3<;pOe&nP=r6L)zZAW*-vUJl#w%ca$NH_;!b!Xa|w^xz?xHEwueg#<-jC zjGGu{^JkmCR3C~9hdacv59~$)Usd7H0ayf=q=30k=HSY?@;|w}dj=Mzj-G}*flc`9 zP_1aTvopj3wqk_GAQ2fZFV~tjvjkyM^|bm}<{t197{CLh-G~w*tztty3 zNG}yoo(f0*Dp5I?l8v1il}0F z3AUi{vUBG(MyV`v&AD|o;e))0NN(LcWW`B1v!eLu=C%^4Xz#6|d zQpkzj5X`G7uFv0A1Q89zi3={q7@~x2`&EiMdnG9imtB-^@BdqggE4_tZP0#;yfzw< z_fSBgc^mh2H{*X9d*iu=z;m_~?FeXm#knKMQD<6SoNJ6TB|qC=im6>HPP5MWsel;m z`JeuT_CE)989=qz!`ry|zogPT`_0}zRVPRE!_C2#H;}Lufmfg~uO8!Z&p`qd4OuN$ z=@R~q@^h)ULNLRYZ-g7yJ~E2bKMGNAOG$!$u}R}zO4v2j+)@^@ZnaUlB};r(UQ_k>`d0Ny#T#)a)YR9 zm72HGMJz+jc8I-s+>5qk#*9-*K5IXk;ljxr9j-+TbO(* z<==?noEJ_L7^7sJ$QU(nE{KPorKNRg??tX0#y>A@ewL%{P;f?7HtHuZ4Nf@9KaCsb zGFF^JY{AKqt)buL-1Md{1fJNT@a6#lZMpWPESgr9BFS8z6Q{|`m;!#$ znUQT|siWSgpwv{5$10=6(x?Puw36oyV+5)udf}X1H={94BZ$l}7dL1Zn>41Wp=%d}N;B3ACu~m%T3I zO!RuOndfJ&Vqmo?(t3uBU@2=fTTRGfTvp1+z6P29D-yvyaBE%ZZ*J>OgYu2mg zvd+y#qpi>NzS9WGAVfcwsXboxXGaV@I!(AHWg~uHACMcYN+HCX*dAJ%T71o0t{_h6 zC{ZM?%PoYxE)rrzSyU0@`{txt@obT*@qZeVejW7`a-2KA$wZHoD*TX9GmB$%otr^? zl=LMr>e}Sz#a`Z$7h4G(N{Ukl85UN6W+&Fq`|L$cGDIeIMEipNJBXG+bT9vH%#6oH zL*zqELH%j4>mS~!X50i6rBm0WV9eFX&ypUD9sb!C+%bB9k$C+d?#R>X22NRa5d*gi zc(X9gBx8+=cXaT2{OO${_{6G&_`N7_9jQ@gzaK9^()v}WPL_&SR>mLZ@?9AdUEEMo zn5#2)Xm88B(UIwEY%k=l34X3n_13d0i=i}8jzhYPM0Hu`VOdI$hAY)3ff=LKc~ln7 zm7~YlAdyDP)$}4+-mTJu(X&6&Ty}yXAf}2Pv6O=W( zh{6|(+Syy8&MVxlLekXtyH>8@|2<>!TM4jV8xRS&);S+oIdZ=t}{)o_p9gW`Kv1fnJti& zH@3G9|NfkG*yQ{=OrtVZ(u4-la|TgakXXuX1(!1OJG2}Uce+IqNf!QeS7QQ;wmVJK zJl)6m<8|~a2uL0q2YZUsw55pI>z=k>$o#h)d9)VQyt(}xjCgT}mfV8q+52xO)vifO zYcHRFKOVUARz|8dx>o~CHWy<*v*+}-XOIMH@oOt`ay3dZ*Us+p*e#`gR$GIS2uVMr z$k8dlPg^&-TpN7qD>FXZPTZ%E-%%|8q$x`fX1-MVzt=T>VwmmKBYyer-LfkD?FrMDP%r9O@}uP%eHw4nh~fSl zl~<=koISN=5eU;{!~ySp3ZnNkv|O)zWY~3RW+RnwXRqqJmGa2T!?%kNo6(Jz7-nJY zaFZNyC6CH)X^q~YEN#YvO9F%I7N@V(TdZQ4eJej}U)9Yk&+o?fdA#4dgZ@JDBc<_1 zhO!u8QClUb@YLh?;qj{qS%I1j6f)Q#*4wbEMeO z-+a+6Vp-~JxIF;1D#vZ%$ztv#-3v)5HQ}W8%vL&p0HLYLSWcbj1 z$aRb8KHn|Ty}Uq43+q^pETVJ0k%7uA>NwZb<#_I>1*Jy z-p<}O^jK)8S3awJU2^i^=RUvtcOYxEW>iD|&PGa?wd$2UBUuf#Eh~8~A(uWBak@jv zIGAW=67gOZ0 zE^K4Ar;CcGi%NXbFL`?Sf+s{8$x)>x1ojC{Rjh0#8^;JtR&@0F#q9zd3^-dCcNB%2 zP9Oa6G?F!{4JLFdp#(%U`5p&wz^e z7hQJih<7LgzAnVf-U2zm`G+MLaDO5a{2IA!_67{kV#SQXLzP3T;#i>02VVc$~PxxlMZdkla^WJw-#hAb_9=7ao>DEzYix-{p~gLcz6 zi&yMkh`0|2=Ic35x_<81-Olp&Te=lWTE&+?!H!OiREw1s-`8%?be(@i2{Hoyb2Qvv zdvkt}CF|SYn{tOGtV4AT3-pCX8h7c|d5Ypk3vMxeJKaO{)le+RrE7*-tj)34l}=Ja z=AT+-IOOBcH<*sN8q6F=sZO<(CFsjBGf%lGU;XPFcK^!&JOJ|Bn&PlF^(de0#G7s9 ztH7wnmmeCJ51mJXX1Njz8Lu+ClYT$NXfv_dEev?Vb{ZM~tP10*o|=AWSm~oCMS8Fl z?L0c|HoBm^p_BIN)>xSC*9|A>WDx{zofkHs&XRwtX5rxj-*g6ZES^^ut1K$X;UgTT zg$6F0FZ^pRtz%&dMTA>TF7E~e>zlcLyGN4w>VOyKv)8$zO1Ie_ZcbaI^G#!LGS-4t zc~=A>f*A@+k19SxTvK}-uiLDzFu6N*@);^MFv`| zFMQc@>d3nTGw?uefOQi`v$oI4_{g1HQhP(`P7EmArs4Hby{s$PEjwdjdC`V-ADzP* z&CDl-EXrtyyzlU+ZVZ0>A@g2$-Li8>!WRAn9VN7kJoqIS3tI$9=TmluPTR3-k`Kq_zb{t z6CtQM#BIvi>+UfUworZzR_%sDYBfPld=}P;J6Ad$2c6f_6|Z{z$2RQ z?mh!qj6k!#2GH*@8?;8&Cl{?v3dqgLgN&%hFNQdYx-G!O#5+v_N?O`W0A8)ZA1VLV zb~fv~0%RoHqXV!OkJtn<++R2!z`9b%L;0%!)m#6nw-lDlaAxmJ0L(gKIwR6pts?@Z zndgUU%T3#DHMFY@{ z>!)JRzJzo+c6R4`;M|u+M^c9?OhXvMmguH9Hh?xfGrL~s|83(6++!avuBqxV0T%o= z&sq7>n7LeJj6=CuU-z|xm%&9qV)7XmQO{5*|*Q zNH{vla`Gz?@{!?ZYqNV%7Y$GZ43jo}vB9z~d$NEPdW97VE{LBOcPCI5hiz{ik2rC0 zU2$XO5kVE$yF(zW-n^Nl<0A7a>Ub`)C$oCT>*{^412SJL+#s4d2mx_7dfgGeUSGKI zY~9VAAJ5?DLgoNK8GGwO2bD~2W+Wb8rkFUow>0WFKw=l=m8X(Nj%m4mw?fy%p_6cv zyMsNO@$bM=7`>3q1(QZ753Te9YrCt~tgl{mw$9>42h=$SkL6h*H_>IBY?>eWUCcl1 zxP#DNczP1V4Cc+miYYs9-8~pCq#OV<`7FA0>)^3^EcBEa<)7`?tZ$ zK`1Q}jVKL@SPuD=S7Gj)Kt-z!k}Wt40T-s7spqV!V;J#3YJ)Q!AVrU>GJt-RZsrEh zVZ0&mv2OF;8*mnEo(7y2V)eKF1%w!70r0--73VU$DXVp*_Xsbp6WCZ&LP_fiyG#>O z1hHiQsgDY%zXnj5g6=9s?TX_gqZ<5pEtpD8Fl5v}wF)z0gmSP5-Hy-{TNlt`z zi(ZjJ5ohI7r9^XkAtoGc=$o3VyiiOG`}uMO$%c`n2ioiF_9|gYCJRh(|Lq)iC?Dlr zi^{f!>R5}%^=7Ie0VMY>v}+V7ZpOf}`G6byrNgLnEFfl)6C1(9q(S5ynwiJxE5apn z=~~p_3#flVrSOy2g`xyASU1ic5D&fR8`WN3=y2lsm?on7FR2RihwTor%&C~+emM|< zNd2L3K>z8pLa3#^P`MS-1TzA4TX&bN{m%6KE*NtO1+wt* z3<24kKrw=9hQn-qn2LwKlscnpovYK6{sEKD4*4P}RiAv1N zo)v!vEte%W$iXFZcNvObF;!hRwlSyC!23IjIQgF%@T9??Y<5Jk+MbQxM*TVz{yrDU z83(T$({3PTOt_C0-acEWw0vr~0~QweLynSzG0ty1eeLXOMU~@eAoL$@(=()>kP}Pc z!s~2z-F`yKxG_cn*=f10`t-<2jUTzPe?CrYK>YBLLGeuw2&o`T6lMcjKX);z+4>wm z{w_2QT>#G+@cU~H;%jxWeSlrG=YQIraZXrV47p2K{l45vS?B`>7L_gf%>?R&sa2tw z_sEHskbCXfVbVx_dmJC~1X=)EpANKI$HIXJ%rLr2Go$#uE^_*|xW!vn21ie4hN*OTPwo_nz35|Bm`7HChV8k^Bg352$W65F6B*B>k2^_ zY#cG=`R-d9kogX<)VsweYDZD-`HR!iYi@s^u0Ti|#fqQ=;XcBS4uTR$rZJ&bCJ2a2XcA zzf*Ro>+q(6Lu|o&4WM{M)nAfHgOj@xz)t~mm6@yzwwHmWXq!?0#Ad3~i;ngAt#F$J zxQ&_w>cEnr4(9x?%2y(Taj?;GfQXkOtC!2WKS?oZ(X%M_c=rql>W*-JiqVk?&n z0?v~-7~F=l7mDVFgzmEv>X^x0m+}jl#xRrx(wb3^&Y7-!)MS z=m%gUnG*tBIb5!Ew@u=4`lOL<%xD3)iOMHg0($HP6ejzrDu3%QI0!|{K$`x+;hJta z*_WK=afV$vaI~>RcBJ($yKb@&$Cp;8lkpi<7-1_m?+0vD!tW66z677MA zHLZC|bf+xo*-8@t`+_y9MVmS5An@TKF2X|hz;A1;SnfJxx%JVCIvd&(PHW1(yf5X@{yp90ozES^_6-7Y7|G|~Zc%XDh&d${njGN8q_Z5Xk^ z*@6~v!qBhn(9kt;RF^RrdmRlWe58UcVu9>Zp-{~1ZQ}!cjlcL5D+8+oYHvV8r!$>H zA3n65y$aPAUCh;QD66Tw8szz;gp@Wr;o&T@y9d&qLld8O*!MJ(PX7|lJtfFA$}_7e z)icoy3Ou7GnZU0v=d@*^rqI11~P$dT`k!lnL+CHlTirqUi z{+wLuTlS#@y;AtwaEcM8ej*QH2SyA>c6X6{7VH^kXnzh-_cA9Q&oqQ#_@Gr#Z}uXd z*h;Nr&T~?ThcxKNZ($BN=?Q&PpUwU-$@=sRTNC@JFoBoxuwQ zw_Q6tOrQSPHoxRnT;^6^@zIoBKax6R4FPvhnu^$9S~8OcwL1t+*>zHPQHXpU6nixJ ze6~7Vtv?6--mEaDQ*l?u+5lFCzRI>Yo%vOw;GXM&c^q_vA1sAL@M#5x01+2K>f1|7a~O*R#l^638LM2RVcl zpnczUQt@4vo~{1Vz$jwHsP~HI*UwJDcN)I3uHFAPd1+Kt2D-^zZ@y{RdCLUK7AGi! zT_868Y_p-OY8vr*XI}`Y?3%Z3bDfP$XqTz=Mo}uef&Iot_Z@sb@x`9~8rBnyhHgJq zmmcVnnu$(qnQ?o?mE)m+;G)u?=6~cuTBzToVs&58WRO-LG5cyUk(Lgo>p@%h;ImfO zCqFDZshU0fMl3(i`r?YpYE3aTH>4rcIe^)MZq_~`%$lEV4?$b3`Lp}&!=B*lr(U+5 zh3lDF`VYl3KUE~TB(J2RipLYR_*su=_HD~pL7XAXn_x*QVKOW@yE~J{qHn+VK&ch4 z-fx5NafkOFOxEI)OH;)kr49b=(iZ8u7gRv3R2$?>Yw$*V*$+qi96IlFB=oA>P+G~< zlX8J4<>SV9{r)cvS!Eh0YlsT(#-^6h$?6i1E^B5@XfeFRH3bO?Iq)(G#U9Pbyhh(> z5F+($`^`+AGYLIse~_CUVoGu0+QBU4V&aWCR_c_T^a0{W&9-V*fs<3ktz!KZm8Pcs z>Nf>C@D%!?_W$eRB9S8rXyk5mzof5Q+RW_X zCm4I*Yw)&97HwTGq*NJo_;PwxYwIS9Ben3RPvTHbj{MKmA;l0Er?*l)%cYkuo1+}0 z@!z$}A5>T&6{s57`v%dm7L)U4JkyfG zUSfn^@WEfM=*?-a1kH4}8O?=+9eF=?3=YY>k)|N73e@h!%#W1cP66I7V*Z-H8@?`C zZ|Kf{(iFpOgTJ|}xlIg||C5>&SdCwhN~o*f`EHMHQqT!fW1|X&Qzifw@<_tJXD8oo z)K_Yp^wjcM#s-&~)1EOmpFp^w2qzr2=3QeU#Jauz!cb-ZC(r468xpnby5Tb{FAk_Q zq4&shd<;`RJv@e_QUi|nZo3V>xFCwj z8X*3~A0QUN8RL#Wb0C6G<AeuT(H#HHjh%8!4Asw#$ohY8c>e$Jf~&~$eP^jGlsvk?CIb<0 Sgg1VXQzy)immYP#^M3$sTufvD From 2b2da1679e7f05a61c268db208c5e1fbacb70a78 Mon Sep 17 00:00:00 2001 From: Christoph Lechleitner Date: Wed, 6 Aug 2025 16:02:25 +0200 Subject: [PATCH 12/14] [DB][Web] optimize qhandler by keeping SHA2 in new column qhash (#6556) * [DB][Web] optimize qhandler by keeping SHA2(id+qid) in new column quarantine.qhash, for feature #6555, might also help with #6361 * rspamd: only add qhash to new entries while passing rspamd not all existing * compose: bump dovecot image + push to registry --------- Co-authored-by: DerLinkman --- data/Dockerfiles/dovecot/quarantine_notify.py | 2 +- data/conf/rspamd/meta_exporter/pipe.php | 3 +++ data/web/inc/functions.quarantine.inc.php | 6 +++--- data/web/inc/init_db.inc.php | 10 +++++++++- 4 files changed, 16 insertions(+), 5 deletions(-) diff --git a/data/Dockerfiles/dovecot/quarantine_notify.py b/data/Dockerfiles/dovecot/quarantine_notify.py index 824d4092f..a681c1fda 100755 --- a/data/Dockerfiles/dovecot/quarantine_notify.py +++ b/data/Dockerfiles/dovecot/quarantine_notify.py @@ -76,7 +76,7 @@ try: def notify_rcpt(rcpt, msg_count, quarantine_acl, category): if category == "add_header": category = "add header" - meta_query = query_mysql('SELECT SHA2(CONCAT(id, qid), 256) AS qhash, id, subject, score, sender, created, action FROM quarantine WHERE notified = 0 AND rcpt = "%s" AND score < %f AND (action = "%s" OR "all" = "%s")' % (rcpt, max_score, category, category)) + meta_query = query_mysql('SELECT `qhash`, id, subject, score, sender, created, action FROM quarantine WHERE notified = 0 AND rcpt = "%s" AND score < %f AND (action = "%s" OR "all" = "%s")' % (rcpt, max_score, category, category)) print("%s: %d of %d messages qualify for notification" % (rcpt, len(meta_query), msg_count)) if len(meta_query) == 0: return diff --git a/data/conf/rspamd/meta_exporter/pipe.php b/data/conf/rspamd/meta_exporter/pipe.php index 4d8e2a132..bd5d875bd 100644 --- a/data/conf/rspamd/meta_exporter/pipe.php +++ b/data/conf/rspamd/meta_exporter/pipe.php @@ -236,6 +236,9 @@ foreach ($rcpt_final_mailboxes as $rcpt_final) { ':action' => $action, ':fuzzy_hashes' => $fuzzy )); + $lastId = $pdo->lastInsertId(); + $stmt_update = $pdo->prepare("UPDATE `quarantine` SET `qhash` = SHA2(CONCAT(`id`, `qid`), 256) WHERE `id` = :id"); + $stmt_update->execute(array(':id' => $lastId)); $stmt = $pdo->prepare('DELETE FROM `quarantine` WHERE `rcpt` = :rcpt AND `id` NOT IN ( SELECT `id` FROM ( diff --git a/data/web/inc/functions.quarantine.inc.php b/data/web/inc/functions.quarantine.inc.php index 39606f271..5df86ef33 100644 --- a/data/web/inc/functions.quarantine.inc.php +++ b/data/web/inc/functions.quarantine.inc.php @@ -22,7 +22,7 @@ function quarantine($_action, $_data = null) { return false; } $stmt = $pdo->prepare('SELECT `id` FROM `quarantine` LEFT OUTER JOIN `user_acl` ON `user_acl`.`username` = `rcpt` - WHERE SHA2(CONCAT(`id`, `qid`), 256) = :hash + WHERE `qhash` = :hash AND user_acl.quarantine = 1 AND rcpt IN (SELECT username FROM mailbox)'); $stmt->execute(array(':hash' => $hash)); @@ -65,7 +65,7 @@ function quarantine($_action, $_data = null) { return false; } $stmt = $pdo->prepare('SELECT `id` FROM `quarantine` LEFT OUTER JOIN `user_acl` ON `user_acl`.`username` = `rcpt` - WHERE SHA2(CONCAT(`id`, `qid`), 256) = :hash + WHERE `qhash` = :hash AND `user_acl`.`quarantine` = 1 AND `username` IN (SELECT `username` FROM `mailbox`)'); $stmt->execute(array(':hash' => $hash)); @@ -833,7 +833,7 @@ function quarantine($_action, $_data = null) { ))); return false; } - $stmt = $pdo->prepare('SELECT * FROM `quarantine` WHERE SHA2(CONCAT(`id`, `qid`), 256) = :hash'); + $stmt = $pdo->prepare('SELECT * FROM `quarantine` WHERE `qhash` = :hash'); $stmt->execute(array(':hash' => $hash)); return $stmt->fetch(PDO::FETCH_ASSOC); break; diff --git a/data/web/inc/init_db.inc.php b/data/web/inc/init_db.inc.php index 767a0024e..422c3f1aa 100644 --- a/data/web/inc/init_db.inc.php +++ b/data/web/inc/init_db.inc.php @@ -4,7 +4,7 @@ function init_db_schema() try { global $pdo; - $db_version = "27012025_1555"; + $db_version = "21052025_2215"; $stmt = $pdo->query("SHOW TABLES LIKE 'versions'"); $num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC)); @@ -345,10 +345,14 @@ function init_db_schema() "notified" => "TINYINT(1) NOT NULL DEFAULT '0'", "created" => "DATETIME(0) NOT NULL DEFAULT NOW(0)", "user" => "VARCHAR(255) NOT NULL DEFAULT 'unknown'", + "qhash" => "VARCHAR(255)", ), "keys" => array( "primary" => array( "" => array("id") + ), + "key" => array( + "qhash" => array("qhash") ) ), "attr" => "ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 ROW_FORMAT=DYNAMIC" @@ -1482,6 +1486,10 @@ function init_db_schema() 'msg' => 'db_init_complete' ); } + + // fill quarantine.qhash + $pdo->query("UPDATE `quarantine` SET `qhash` = SHA2(CONCAT(`id`, `qid`), 256) WHERE ISNULL(`qhash`)"); + } catch (PDOException $e) { if (php_sapi_name() == "cli") { echo "DB initialization failed: " . print_r($e, true) . PHP_EOL; From 2b93b59cdd006b973b52cdace418b139b72d6940 Mon Sep 17 00:00:00 2001 From: DerLinkman Date: Wed, 6 Aug 2025 16:11:23 +0200 Subject: [PATCH 13/14] db: change qhash varchar to 64 instead of 255 --- data/web/inc/init_db.inc.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/data/web/inc/init_db.inc.php b/data/web/inc/init_db.inc.php index 422c3f1aa..6a9d042a9 100644 --- a/data/web/inc/init_db.inc.php +++ b/data/web/inc/init_db.inc.php @@ -4,7 +4,7 @@ function init_db_schema() try { global $pdo; - $db_version = "21052025_2215"; + $db_version = "06082025_1611"; $stmt = $pdo->query("SHOW TABLES LIKE 'versions'"); $num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC)); @@ -345,7 +345,7 @@ function init_db_schema() "notified" => "TINYINT(1) NOT NULL DEFAULT '0'", "created" => "DATETIME(0) NOT NULL DEFAULT NOW(0)", "user" => "VARCHAR(255) NOT NULL DEFAULT 'unknown'", - "qhash" => "VARCHAR(255)", + "qhash" => "VARCHAR(64)", ), "keys" => array( "primary" => array( From af871fdacbff1464668f8e45982e98bfe7ece112 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 13 Aug 2025 18:47:28 +0200 Subject: [PATCH 14/14] chore(deps): update devops-infra/action-pull-request action to v0.6.1 (#6676) Signed-off-by: milkmaker Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- .github/workflows/pr_to_nightly.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pr_to_nightly.yml b/.github/workflows/pr_to_nightly.yml index 0cf59eeac..51df14f6e 100644 --- a/.github/workflows/pr_to_nightly.yml +++ b/.github/workflows/pr_to_nightly.yml @@ -12,7 +12,7 @@ jobs: with: fetch-depth: 0 - name: Run the Action - uses: devops-infra/action-pull-request@v0.6.0 + uses: devops-infra/action-pull-request@v0.6.1 with: github_token: ${{ secrets.PRTONIGHTLY_ACTION_PAT }} title: Automatic PR to nightly from ${{ github.event.repository.updated_at}}