Merge branch 'anonaddy:master' into feature-tls-traefik

anonaddy · Feb 27, 2022 · 491c224 · 491c224
2 parents de5bfa9 + f1ee9f8
commit 491c224
Show file tree

Hide file tree

Showing 32 changed files with 1,162 additions and 779 deletions.
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -1 +1,2 @@
-*	@crazy-max
+*                       @crazy-max
+examples/nginx/         @eleith
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -54,6 +54,13 @@ jobs:
             -e "MYSQL_USER=anonaddy" \
             -e "MYSQL_PASSWORD=anonaddy" \
             mariadb:10.5
+      -
+        name: Generate DKIM private key
+        run: |
+          docker run --rm -t --entrypoint "" \
+            -e "ANONADDY_DOMAIN=example.com" \
+            -v "/tmp/data:/data" \
+            ${{ steps.prep.outputs.build_tag }} gen-dkim
       -
         name: Start container
         run: |
@@ -67,6 +74,8 @@ jobs:
             -e "APP_KEY=base64:Gh8/RWtNfXTmB09pj6iEflt/L6oqDf9ZxXIh4I9MS7A=" \
             -e "ANONADDY_DOMAIN=example.com" \
             -e "ANONADDY_SECRET=0123456789abcdefghijklmnopqrstuvwxyz" \
+            -e "RSPAMD_ENABLE=true" \
+            -v "/tmp/data:/data" \
             ${{ steps.prep.outputs.build_tag }}
       -
         name: Test run

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,33 @@
 # Changelog
 
+## 0.10.1-r0 (2022/02/27)
+
+* AnonAddy 0.10.1 (#115)
+* Drop support for OpenDKIM/OpenDMARC (#116)
+
+## 0.10.0-r1 (2022/02/24)
+
+* Fix Rspamd config (#113)
+
+## 0.10.0-r0 (2022/02/20)
+
+* AnonAddy 0.10.0 (#112)
+
+## 0.9.1-r0 (2022/02/10)
+
+* AnonAddy 0.9.1 (#109)
+
+## 0.9.0-r0 (2022/02/05)
+
+* AnonAddy 0.9.0 (#106)
+
+## 0.8.10-r0 (2022/01/20)
+
+* AnonAddy 0.8.10 (#101)
+* Nginx example for SSL proxying (#99)
+* Split configuration (#98)
+* Support Rspamd (#96 #100)
+
 ## 0.8.9-r1 (2022/01/11)
 
 * Alpine Linux 3.15 (#95)

diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-ARG ANONADDY_VERSION=0.8.9
+ARG ANONADDY_VERSION=0.10.1
 
 FROM crazymax/yasu:latest AS yasu
 FROM crazymax/alpine-s6:3.15-2.2.0.3
@@ -14,11 +14,6 @@ RUN apk --update --no-cache add \
     libgd \
     mysql-client \
     nginx \
-    opendkim \
-    opendkim-libs \
-    opendkim-utils \
-    opendmarc \
-    opendmarc-libs \
     openssl \
     php8 \
     php8-cli \
@@ -51,6 +46,9 @@ RUN apk --update --no-cache add \
     php8-zlib \
     postfix \
     postfix-mysql \
+    rspamd \
+    rspamd-controller \
+    rspamd-proxy \
     shadow \
     tar \
     tzdata \
@@ -67,9 +65,6 @@ RUN apk --update --no-cache add \
     php8-pear \
   && ln -s /usr/bin/php8 /usr/bin/php \
   && pecl8 install gnupg \
-  && addgroup opendkim postfix \
-  && addgroup postfix opendkim \
-  && addgroup opendmarc postfix \
   && apk del build-dependencies \
   && rm -rf /tmp/* /var/www/*
 
@@ -89,7 +84,6 @@ RUN apk --update --no-cache add -t build-dependencies \
   && npm --version \
   && addgroup -g ${PGID} anonaddy \
   && adduser -D -h /var/www/anonaddy -u ${PUID} -G anonaddy -s /bin/sh -D anonaddy \
-  && addgroup anonaddy opendkim \
   && addgroup anonaddy mail \
   && curl -sS https://getcomposer.org/installer | php -- --install-dir=/usr/bin --filename=composer \
   && git clone --branch v${ANONADDY_VERSION} https://github.com/anonaddy/anonaddy . \
@@ -111,7 +105,7 @@ RUN apk --update --no-cache add -t build-dependencies \
 
 COPY rootfs /
 
-EXPOSE 25 8000
+EXPOSE 25 8000 11334
 VOLUME [ "/data" ]
 
 ENTRYPOINT [ "/init" ]
diff --git a/README.md b/README.md
@@ -29,8 +29,7 @@ ___
   * [Redis](#redis)
   * [Mail](#mail)
   * [Postfix](#postfix)
-  * [DKIM](#dkim)
-  * [DMARC](#dmarc)
+  * [RSPAMD](#rspamd)
 * [Volumes](#volumes)
 * [Ports](#ports)
 * [Usage](#usage)
@@ -160,21 +159,15 @@ Image: anonaddy/anonaddy:latest
 * `POSTFIX_RELAYHOST_USERNAME`: Postfix SMTP Client username for relayhost authentication
 * `POSTFIX_RELAYHOST_PASSWORD`: Postfix SMTP Client password for relayhost authentication
 
-### DKIM
+### RSPAMD
 
-* `DKIM_ENABLE`: Enable OpenDKIM service. (default `false`)
-* `DKIM_REPORT_ADDRESS`: Specifies the string to use in the `From:` header field for outgoing reports (default `postmaster@${ANONADDY_DOMAIN}`)
+* `RSPAMD_ENABLE`: Enable Rspamd service. (default `false`)
+* `RSPAMD_WEB_PASSWORD`: Rspamd web password (default `null`)
 
 > :warning: DKIM private key must be located in `/data/dkim/${ANONADDY_DOMAIN}.private`. You can generate a DKIM
 > private/public keypair by following [this note](#generate-dkim-privatepublic-keypair).
 
-> :warning: OpenDKIM service is disabled if DKIM private key is not found
-
-### DMARC
-
-* `DMARC_ENABLE`: Enable OpenDMARC service. (default `false`)
-* `DMARC_FAILURE_REPORTS`: Enables generation of failure reports when the DMARC test fails (default `false`)
-* `DMARC_MILTER_DEBUG`: Sets the debug level to be requested from the milter library (default `0`)
+> :warning: Rspamd service is disabled if DKIM private key is not found
 
 ## Volumes
 
@@ -185,7 +178,8 @@ Image: anonaddy/anonaddy:latest
 
 ## Ports
 
-* `8000`: HTTP port
+* `8000`: HTTP port (anonaddy web)
+* `11334`: HTTP port (rspamd web dashboard)
 * `25`: SMTP port (postfix)
 
 ## Usage
@@ -237,11 +231,15 @@ docker-compose exec anonaddy anonaddy anonaddy:create-user "username" "webmaster
 ```shell
 docker-compose run --entrypoint '' anonaddy gen-dkim
 ```
+
 ```text
-opendkim-genkey: generating private key
-opendkim-genkey: private key written to example.com.private
-opendkim-genkey: extracting public key
-opendkim-genkey: DNS TXT record written to example.com.txt
+generating private and storing in data/dkim/example.com.private
+generating DNS TXT record with public key and storing it in data/dkim/example.com.txt
+
+default._domainkey IN TXT ( "v=DKIM1; k=rsa; "
+        "p=***"
+        "***"
+) ;
 ```
 
 The keypair will be available in `/data/dkim`.

diff --git a/examples/nginx/README.md b/examples/nginx/README.md
@@ -0,0 +1,25 @@
+# Prerequisites
+
+Read [self-hosting docs](https://anonaddy.com/self-hosting/)
+
+## Let's Encrypt
+
+Generate your certificates and make note of where they are stored. if you use
+certbot, they are generally in `/etc/letsencrypt/live`.
+
+## Generate strong dhparam
+
+```sh
+sudo openssl dhparam -out dhparam.pem 4096
+```
+
+## Configure mounts for nginx
+
+The `docker-compose.yml` may need some adjusting to properly mount your
+specific let's encrypt and dhparam certs.
+
+## Rspamd web ui
+
+This nginx configuration supports rspamd web ui out of the box. if you choose
+to not run rspamd, make sure to remove the `RSPAMD_ENABLE` variable in
+`anonaddy.env` and remove the proxy block in `nginx/templates/default.conf.template`.
diff --git a/examples/nginx/anonaddy.env b/examples/nginx/anonaddy.env
@@ -0,0 +1,37 @@
+TZ=Europe/Paris
+PUID=1000
+PGID=1000
+
+MEMORY_LIMIT=256M
+UPLOAD_MAX_SIZE=16M
+OPCACHE_MEM_SIZE=128
+REAL_IP_FROM=0.0.0.0/32
+REAL_IP_HEADER=X-Forwarded-For
+LOG_IP_VAR=remote_addr
+
+APP_KEY=base64:KJ1LX0w15ItOoMWdC+DNW2Bt0Z4sT98zu0XQ8Zfaf9o=
+APP_DEBUG=false
+APP_URL=http://127.0.0.1:8000
+
+ANONADDY_RETURN_PATH=[email protected]
+ANONADDY_ADMIN_USERNAME=anonaddy
+ANONADDY_ENABLE_REGISTRATION=true
+ANONADDY_DOMAIN=example.com
+ANONADDY_ALL_DOMAINS=example.com
+ANONADDY_HOSTNAME=mail.example.com
+ANONADDY_DNS_RESOLVER=127.0.0.1
+ANONADDY_SECRET=lksjflk2u3j4oij2elkru23oi4uj2lkjflsakfjoi23u4
+ANONADDY_LIMIT=200
+ANONADDY_BANDWIDTH_LIMIT=104857600
+ANONADDY_NEW_ALIAS_LIMIT=10
+ANONADDY_ADDITIONAL_USERNAME_LIMIT=3
+
+MAIL_FROM_NAME=AnonAddy
+MAIL_FROM_ADDRESS=[email protected]
+
+POSTFIX_DEBUG=false
+POSTFIX_SMTPD_TLS=false
+POSTFIX_SMTP_TLS=false
+
+RSPAMD_ENABLE=true
+RSPAMD_WEB_PASSWORD=abc
diff --git a/examples/nginx/docker-compose.yml b/examples/nginx/docker-compose.yml
@@ -0,0 +1,58 @@
+version: "3.5"
+
+services:
+  db:
+    image: mariadb:10.5
+    container_name: anonaddy_db
+    command:
+      - "mysqld"
+      - "--character-set-server=utf8mb4"
+      - "--collation-server=utf8mb4_unicode_ci"
+    volumes:
+      - "./db:/var/lib/mysql"
+    environment:
+      - "MYSQL_ALLOW_EMPTY_PASSWORD=yes"
+      - "MYSQL_DATABASE"
+      - "MYSQL_USER"
+      - "MYSQL_PASSWORD"
+    restart: always
+
+  redis:
+    image: redis:4.0-alpine
+    container_name: anonaddy_redis
+    restart: always
+
+  anonaddy:
+    image: anonaddy/anonaddy:latest
+    container_name: anonaddy
+    depends_on:
+      - db
+      - redis
+    ports:
+      - target: 25
+        published: 25
+        protocol: tcp
+    volumes:
+      - "./data:/data"
+    env_file:
+      - "./anonaddy.env"
+    environment:
+      - "DB_HOST=db"
+      - "DB_DATABASE=${MYSQL_DATABASE}"
+      - "DB_USERNAME=${MYSQL_USER}"
+      - "DB_PASSWORD=${MYSQL_PASSWORD}"
+      - "REDIS_HOST=redis"
+    restart: always
+
+  nginx:
+    image: nginx:1.20.1-alpine
+    container_name: anonaddy_nginx
+    restart: unless-stopped
+    ports:
+      - '443:443'
+    volumes:
+      - /etc/ssl/dhparam.pem:/etc/ssl/dhparam.pem
+      - ./nginx/templates:/etc/nginx/templates
+      - /etc/letsencrypt:/etc/letsencrypt
+    depends_on:
+      - anonaddy
diff --git a/examples/nginx/nginx/templates/default.conf.template b/examples/nginx/nginx/templates/default.conf.template
@@ -0,0 +1,64 @@
+server {
+   listen 80;
+   listen [::]:80;
+
+   server_name example.com;
+   return 301 https://$server_name$request_uri;
+}
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name example.com;   
+    server_tokens off;
+
+    add_header X-Frame-Options "SAMEORIGIN";
+    add_header X-XSS-Protection "1; mode=block";
+    add_header X-Content-Type-Options "nosniff";
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; font-src 'self'; object-src 'none'";
+    add_header Referrer-Policy "origin-when-cross-origin";
+    add_header Expect-CT "enforce, max-age=604800";
+
+    charset utf-8;
+
+    ssl_certificate           /etc/letsencrypt/live/example.com/fullchain.pem;
+    ssl_certificate_key       /etc/letsencrypt/live/example.com/privkey.pem;
+    ssl_trusted_certificate 	/etc/letsencrypt/live/example.com/chain.pem;
+
+    ssl_prefer_server_ciphers   on;
+    ssl_session_timeout         5m;
+    ssl_protocols               TLSv1.2 TLSv1.3;
+    ssl_stapling                on;
+    ssl_stapling_verify         on;
+    ssl_ciphers                 "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
+    ssl_ecdh_curve              secp384r1;
+    ssl_session_cache           shared:SSL:20m;
+    ssl_session_tickets         off;
+    ssl_dhparam                 /etc/ssl/dhparam.pem;
+
+    location = /robots.txt {
+  	  add_header  Content-Type  text/plain;
+  	  return 200 "User-agent: *\nDisallow: /\n";
+    }
+
+    location /rspamd {
+    	proxy_pass http://anonaddy:11334;
+
+    	proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    location / {
+        proxy_pass http://anonaddy:8000;
+
+        proxy_redirect off;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_read_timeout 90s;
+     }
+}