diff --git a/README.md b/README.md index c021cdfa726ea47218edbb56f79ec46e1b0db249..35bc7984a1039a21472dc4b1d9239c1f549b417e 100644 --- a/README.md +++ b/README.md @@ -42,9 +42,9 @@ Systemd is required to handle the database backup scripts. ### Create an Ubuntu server instance -The project should work with any Ubuntu server (Virtual Private Server (VPS), dedicated server...) version 20.04 +The project should work with any Ubuntu server (Virtual Private Server (VPS), dedicated server...) version 22.04 latest LTS (Ubuntu 20.04 & 18.04 supported too) -Debian stable 11 works as well, it has been tested, but only once yet (more to come). +Installation on Debian Bullseye (11) stable works as well. Suggestions include (non-exhaustive list): - [Hetzner](https://www.hetzner.com/cloud) @@ -80,8 +80,6 @@ In the following text, `$DOMAIN` refers to the domain (`youdomain.com`) that you Login to the server via ssh as root (on Linux/macOS the ssh client is available out of the box, on Windows you need to use an ssh client like [Putty](https://www.putty.org/) for example). -- Please note that for Ubuntu 20.04+, you will have to add the repository for "SaltStack" using the [instructions](https://repo.saltproject.io/#ubuntu) - Execute these commands and follow the on-screen instructions: ``` diff --git a/scripts/bootstrap.sh b/scripts/bootstrap.sh index e6a4ac10fa9bbabadfeb50b6a7bd9bff79efb15b..00a102c6bc993f5ce6755537ef8d44e020e46655 100644 --- a/scripts/bootstrap.sh +++ b/scripts/bootstrap.sh 
@@ -1,5 +1,53 @@ #!/bin/bash +# Install latest salt repo for ubuntu / debian from salt repo +LINUX_VERSION=$(lsb_release -is) +LINUX_RELEASE=$(lsb_release -rs) +case $LINUX_VERSION in + Ubuntu) + echo "Ubuntu detected" + case $LINUX_RELEASE in + 22.04) + curl -fsSL -o /usr/share/keyrings/salt-archive-keyring.gpg https://repo.saltproject.io/py3/ubuntu/20.04/amd64/3004/salt-archive-keyring.gpg + echo "deb [signed-by=/usr/share/keyrings/salt-archive-keyring.gpg arch=amd64] https://repo.saltproject.io/py3/ubuntu/20.04/amd64/3004 focal main" | tee /etc/apt/sources.list.d/salt.list + ;; + 20.04) + curl -fsSL -o /usr/share/keyrings/salt-archive-keyring.gpg https://repo.saltproject.io/py3/ubuntu/20.04/amd64/3004/salt-archive-keyring.gpg + echo "deb [signed-by=/usr/share/keyrings/salt-archive-keyring.gpg arch=amd64] https://repo.saltproject.io/py3/ubuntu/20.04/amd64/3004 focal main" | tee /etc/apt/sources.list.d/salt.list + ;; + 18.04) + curl -fsSL -o /usr/share/keyrings/salt-archive-keyring.gpg https://repo.saltproject.io/py3/ubuntu/18.04/amd64/3004/salt-archive-keyring.gpg + echo "deb [signed-by=/usr/share/keyrings/salt-archive-keyring.gpg arch=amd64] https://repo.saltproject.io/py3/ubuntu/18.04/amd64/3004 bionic main" | tee /etc/apt/sources.list.d/salt.list + ;; + *) + # other ubuntu version, keep salt-minion from original repo + ;; + esac + ;; + Debian) + echo "Debian detected" + case $LINUX_RELEASE in + 11) + curl -fsSL -o /usr/share/keyrings/salt-archive-keyring.gpg https://repo.saltproject.io/py3/debian/11/amd64/3004/salt-archive-keyring.gpg + echo "deb [signed-by=/usr/share/keyrings/salt-archive-keyring.gpg arch=amd64] https://repo.saltproject.io/py3/debian/11/amd64/3004 bullseye main" | tee /etc/apt/sources.list.d/salt.list + # install apparmor as needed for docker + apt install apparmor + ;; + 10) + curl -fsSL -o /usr/share/keyrings/salt-archive-keyring.gpg https://repo.saltproject.io/py3/debian/10/amd64/3004/salt-archive-keyring.gpg + echo "deb 
[signed-by=/usr/share/keyrings/salt-archive-keyring.gpg arch=amd64] https://repo.saltproject.io/py3/debian/10/amd64/3004 buster main" | tee /etc/apt/sources.list.d/salt.list + ;; + *) + # other debian version, keep salt-minion from original repo + ;; + esac + ;; + *) + # other linux version + ;; +esac + + ################################################################################ apt-get update && apt install -y --asume-yes true git salt-minion ################################################################################ diff --git a/scripts/init-repo.sh b/scripts/init-repo.sh index d4bbbdc4bcbf40a74bb09fdfb1f7f8ed0e7429c7..f7005c9bafe9ac21092b7133df3eafa960a2adb9 100755 --- a/scripts/init-repo.sh +++ b/scripts/init-repo.sh @@ -138,7 +138,9 @@ do done # Verify DOMAIN lookup forward and reverse (very important) -IP=$(dig mail.$DOMAIN| grep mail.$DOMAIN | grep -v '^;' | awk '{ print $NF }') +# get the AUTHORITATIVE name server for the domain, best to trust +DNS_AUTHORITATIVE=$(dig NS $DOMAIN +short | head -n 1) +IP=$(dig @$DNS_AUTHORITATIVE mail.$DOMAIN +short) if [ -z "$IP" ] then @@ -175,7 +177,7 @@ fi # create nextcloud config mkdir -p /mnt/repo-base/volumes/nextcloud/{html,data,log} -mkdir "/mnt/repo-base/volumes/nextcloud/html/config/" +mkdir -p "/mnt/repo-base/volumes/nextcloud/html/config/" cat /mnt/repo-base/templates/nextcloud/config.php | sed "s/@@@DOMAIN@@@/$DOMAIN/g" | \ sed "s/@@@DRIVE_SMTP_PASSWORD@@@/$DRIVE_SMTP_PASSWORD/g" | sed "s/@@@PFDB_DB@@@/$PFDB_DB/g" | \ sed "s/@@@ECLOUD_ACCOUNTS_SECRET@@@/$ECLOUD_ACCOUNTS_SECRET/g" | \ diff --git a/scripts/postinstall.sh b/scripts/postinstall.sh index 653522efcc9af3d776c1dc28c84c93e665e4da33..bb36407198c4465805ba2ffdf7282442cc102254 100755 --- a/scripts/postinstall.sh +++ b/scripts/postinstall.sh 
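Review bot: Every branch writes the downloaded keyring straight into /usr/share/keyrings and registers the repository without checking that `curl` succeeded or that the file is the key you expect, so a failed or substituted download is noticed, if at all, only at the later `apt-get update`. Download to a temporary file, compare it with a checksum pinned in the script, and only then install the key and write salt.list; the five near-identical branches can share one helper taking distro, release and codename. The Ubuntu 22.04 branch points at the 20.04/focal repository and needs a comment saying whether that is intended. In the Debian 11 branch, `apt install apparmor` has no `-y` and runs before the `apt-get update` further down, so it can wait for confirmation or fail on a fresh image; `apt-get install -y apparmor` after the update avoids both.

```shell
# Pinned SHA-256 of the Salt keyring file (placeholder: take the value from a trusted source).
# Assumes the same key file is served under every distro path; pin per path if not.
SALT_KEYRING_SHA256="<EXPECTED_SHA256_OF_KEYRING>"

# $1 = distro path (ubuntu|debian), $2 = release used in the repo URL, $3 = codename
add_salt_repo() {
  local base="https://repo.saltproject.io/py3/$1/$2/amd64/3004"
  local keyring=/usr/share/keyrings/salt-archive-keyring.gpg
  local tmp
  tmp=$(mktemp) || return 1
  if curl -fsSL -o "$tmp" "$base/salt-archive-keyring.gpg" \
    && echo "$SALT_KEYRING_SHA256  $tmp" | sha256sum -c - >/dev/null; then
    install -m 0644 "$tmp" "$keyring"
    echo "deb [signed-by=$keyring arch=amd64] $base $3 main" > /etc/apt/sources.list.d/salt.list
  else
    echo "Salt keyring download or checksum check failed; keeping distribution packages" >&2
  fi
  rm -f -- "$tmp"
}

case $LINUX_VERSION in
  Ubuntu)
    case $LINUX_RELEASE in
      # 22.04 reuses the 20.04/focal repository, as the original branch does
      22.04 | 20.04) add_salt_repo ubuntu 20.04 focal ;;
      18.04) add_salt_repo ubuntu 18.04 bionic ;;
    esac
    ;;
  # … unchanged: Debian and fallback branches, calling add_salt_repo the same way …
esac
```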
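Review bot: `dig NS $DOMAIN +short` prints nothing when `$DOMAIN` has no NS records of its own (a sub-domain, for instance) or the query fails, and the next line then runs `dig @ mail.$DOMAIN` with an empty server name. The new `+short` output is also no longer filtered as the removed `grep -v '^;'` did, so `$IP` may hold a diagnostic line, a CNAME target or several addresses and still pass the `[ -z "$IP" ]` test that follows (that `if` continues outside the hunk). Quote the expansions, fall back to the default resolver when no name server was found, and keep a single IPv4 address: `IP=$(dig ${DNS_AUTHORITATIVE:+"@$DNS_AUTHORITATIVE"} "mail.$DOMAIN" A +short | grep -E '^[0-9]+(\.[0-9]+){3}$' | head -n 1)`. The same two lines are added to the DKIM loop in scripts/postinstall.sh and need the same change.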
@@ -32,7 +32,7 @@ docker-compose exec -T --user www-data nextcloud php /var/www/html/occ backgroun # add crontab on the server to run cron.php every 5 minutes crontab -l | { cat - echo "*/5 * * * * cd /mnt/repo-base && /usr/bin/docker-compose exec -T -u www-data nextcloud php -f /var/www/html/cron.php 2>&1 | /usr/bin/logger -t NC_CRON" + echo "*/5 * * * * cd /mnt/repo-base && /usr/bin/docker-compose exec -T -u www-data nextcloud php --define apc.enable_cli=1 -f /var/www/html/cron.php 2>&1 | /usr/bin/logger -t NC_CRON" } | crontab - # Update theme 
@@ -42,21 +42,24 @@ echo "Enabling nextcloud apps" docker-compose exec -T --user www-data nextcloud php /var/www/html/occ app:enable calendar docker-compose exec -T --user www-data nextcloud php /var/www/html/occ app:enable notes docker-compose exec -T --user www-data nextcloud php /var/www/html/occ app:enable user_backend_sql_raw -docker-compose exec -T --user www-data nextcloud php /var/www/html/occ app:enable rainloop +docker-compose exec -T --user www-data nextcloud php /var/www/html/occ app:enable snappymail docker-compose exec -T --user www-data nextcloud php /var/www/html/occ app:enable quota_warning docker-compose exec -T --user www-data nextcloud php /var/www/html/occ app:enable contacts docker-compose exec -T --user www-data nextcloud php /var/www/html/occ app:enable news docker-compose exec -T --user www-data nextcloud php /var/www/html/occ app:enable email-recovery docker-compose exec -T --user www-data nextcloud php /var/www/html/occ app:enable ecloud-accounts docker-compose exec -T --user www-data nextcloud php /var/www/html/occ app:enable ecloud-theme-helper +docker-compose exec -T --user www-data nextcloud php /var/www/html/occ app:enable ecloud-dashboard docker-compose exec -T --user www-data nextcloud php /var/www/html/occ app:enable murena_launcher docker-compose exec -T --user www-data nextcloud php /var/www/html/occ app:disable firstrunwizard -docker-compose exec -T --user www-data nextcloud php /var/www/html/occ config:app:set rainloop rainloop-autologin --value 1 +docker-compose exec -T --user www-data nextcloud php /var/www/html/occ config:app:set snappymail snappymail-autologin-with-email --value 1 docker-compose exec -T --user www-data nextcloud php /var/www/html/occ app:install tasks docker-compose exec -T --user www-data nextcloud php /var/www/html/occ app:install drop_account docker-compose exec -T --user www-data nextcloud php /var/www/html/occ config:system:set integrity.check.disabled --value='true' --type=boolean +docker-compose 
exec -T --user www-data nextcloud php /var/www/html/occ config:system:set defaultapp --value "ecloud-dashboard,files" + echo "Installing custom ecloud drop account plugin" # Add WELCOME_SECRET from .env file as a system config value, to be used by our ecloud-accounts plugin docker-compose exec -T --user www-data nextcloud php occ config:system:set e_welcome_secret --value="$WELCOME_SECRET" 
@@ -71,14 +74,26 @@ docker-compose exec -T --user www-data nextcloud php occ maintenance:mode --off echo "Restarting Nextcloud container" docker-compose restart nextcloud -echo "Configuring Rainloop" -mkdir -p "/mnt/repo-base/volumes/nextcloud/data/rainloop-storage/_data_/_default_/domains/" +echo "Configuring Snappymail" +mkdir -p "/mnt/repo-base/volumes/nextcloud/data/appdata_snappymail/_data_/_default_/domains/" +# Disable all existing domains +echo -n "*," > /mnt/repo-base/volumes/nextcloud/data/appdata_snappymail/_data_/_default_/domains/disabled +basename -s .json /mnt/repo-base/volumes/nextcloud/data/appdata_snappymail/_data_/_default_/domains/* | tr "\n" "," >> /mnt/repo-base/volumes/nextcloud/data/appdata_snappymail/_data_/_default_/domains/disabled + +# Add all our domains echo "$ADD_DOMAINS" | tr "," "\n" | while read add_domain; do - cp "templates/rainloop/domain-config.ini" "/mnt/repo-base/volumes/nextcloud/data/rainloop-storage/_data_/_default_/domains/$add_domain.ini" + cp "templates/snappymail/domain-config.json" "/mnt/repo-base/volumes/nextcloud/data/appdata_snappymail/_data_/_default_/domains/$add_domain.json" + sed -i "s/@@@DOMAIN@@@/$DOMAIN/g" "/mnt/repo-base/volumes/nextcloud/data/appdata_snappymail/_data_/_default_/domains/$add_domain.json" done -mkdir "/mnt/repo-base/volumes/nextcloud/data/rainloop-storage/_data_/_default_/configs/" -cat templates/rainloop/application.ini | sed "s/@@@DOMAIN@@@/$DOMAIN/g" > "/mnt/repo-base/volumes/nextcloud/data/rainloop-storage/_data_/_default_/configs/application.ini" +mkdir -p "/mnt/repo-base/volumes/nextcloud/data/appdata_snappymail/_data_/_default_/configs/" +cat templates/snappymail/application.ini | sed "s/@@@DOMAIN@@@/$DOMAIN/g" > "/mnt/repo-base/volumes/nextcloud/data/appdata_snappymail/_data_/_default_/configs/application.ini" + +# Get SnappyMail to regenerate a random admin password +docker-compose exec -T --user www-data nextcloud php /var/www/html/occ app:disable snappymail +sleep 5 
+docker-compose exec -T --user www-data nextcloud php /var/www/html/occ app:enable snappymail + chown www-data:www-data /mnt/repo-base/volumes/nextcloud/ -R @@ -127,12 +142,18 @@ systemctl enable mariadb-nc-backup.timer systemctl enable mariadb-pf-backup.timer echo "==> please read docs/SQL_backups.md to start SQL backups" -# display DKIM DNS setup info/instructions to the user +# display DKIM/DMARC/SPF DNS setup info/instructions to the user echo -e "\n\n\n" echo -e "Please add the following records to your domain's DNS configuration:\n" find /mnt/repo-base/volumes/mail/dkim/ -maxdepth 1 -mindepth 1 -type d | while read line; do DOMAIN=$(basename $line) + DNS_AUTHORITATIVE=$(dig NS $DOMAIN +short | head -n 1) + IP=$(dig @$DNS_AUTHORITATIVE mail.$DOMAIN +short) echo " - DKIM record (TXT) for $DOMAIN:" && sed $'N;s/"\\n\t"//g' $line/mail.public.key + echo " - DMARC record (TXT) for $DOMAIN:" + echo "_dmarc IN TXT 'v=DMARC1;p=reject;sp=reject;pct=100;rua=mailto:postmaster@$DOMAIN;ri=86400;aspf=r;adkim=r;fo=1'" + echo " - SPF record (TXT) for $DOMAIN:" + echo "@ IN TXT 'v=spf1 a ip4:$IP ~all'" done echo "=================================================================================================================================" diff --git a/templates/docker-compose/docker-compose.yml b/templates/docker-compose/docker-compose.yml index fc54220865f5530a24f826d53c6eff58cf08b273..0c7e7c17aa30c0d6c902573428a695f545b85900 100644 --- a/templates/docker-compose/docker-compose.yml +++ b/templates/docker-compose/docker-compose.yml @@ -2,7 +2,7 @@ version: '3' services: mailserver: - image: mailserver2/mailserver:1.1.12 + image: mailserver2/mailserver:1.1.13 container_name: mailserver domainname: ${DOMAIN} # Mail server A/MX/FQDN & reverse PTR = mail.${DOMAIN}. hostname: mail 
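Review bot: Inside the `ADD_DOMAINS` loop the new `sed -i` fills `@@@DOMAIN@@@` with `$DOMAIN`, so every copied `$add_domain.json` gets the primary domain as its `"name"`; if the name is meant to match the file (to be confirmed against SnappyMail's format), the line should read `sed -i "s/@@@DOMAIN@@@/$add_domain/g" …`. The `basename -s .json …/domains/*` line runs right after `disabled` is created in the same directory, so the list it appends contains `disabled` itself, and a second run would also list the project's own domains as disabled; glob `*.json` only and skip the names in `$ADD_DOMAINS`. The disable / `sleep 5` / enable sequence is the only thing that replaces the empty admin password from the template, yet nothing checks that it worked or tells the operator where the new password is; add an exit-status check and an `echo` pointing to it.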
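Review bot: The SPF line is printed with whatever `$IP` holds, so an empty lookup yields `ip4:` with no address and a multi-line result yields a broken record; neither is valid SPF syntax. Because the `p=reject` DMARC record is printed just above it, an operator who pastes both as shown risks having legitimate mail refused. Print the SPF record only when an address was found, e.g. `[ -n "$IP" ] && echo "@ IN TXT 'v=spf1 a ip4:$IP ~all'"`, and state in the output that `p=reject` should be published only once DKIM and SPF are confirmed to pass. The loop looks up `mail.$DOMAIN` for every directory under dkim/, which presumably resolves only for the primary domain, so this needs confirming for additional domains.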
@@ -124,9 +124,10 @@ services: - /mnt/repo-base/config/welcome/apache2/remoteip.conf:/etc/apache2/conf-available/remoteip.conf extra_hosts: - "${DOMAIN}:${NC_HOST_IP}" + - "mail.${DOMAIN}:${NC_HOST_IP}" nextcloud: - image: registry.gitlab.e.foundation/e/infra/ecloud/nextcloud/selfhost:24-0-8-7 + image: registry.gitlab.e.foundation/e/infra/ecloud/nextcloud/selfhost:selfhost-24-0-10 container_name: nextcloud restart: always networks: @@ -167,7 +168,7 @@ services: - /mnt/repo-base/config/automx/automx.conf:/etc/automx.conf nginx: - image: nginx:1.20-alpine + image: nginx:stable-alpine container_name: nginx restart: unless-stopped networks: diff --git a/templates/snappymail/application.ini b/templates/snappymail/application.ini new file mode 100644 index 0000000000000000000000000000000000000000..dd3d2e029cd6dfe1017d25b70156267c577e59fd --- /dev/null +++ b/templates/snappymail/application.ini 
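Review bot: `nginx:stable-alpine` replaces the pinned `1.20-alpine` with a tag that moves, so two installs from the same commit can end up running different nginx builds, and an upstream change reaches the server on the next `docker-compose pull` without anyone reviewing it. The mailserver and nextcloud images in this file stay on explicit versions; nginx should too, ideally with its digest: `image: nginx:<VERSION>-alpine@sha256:<DIGEST>`. If a floating tag is kept on purpose, a comment above the line should say so and the upgrade guide should tell operators to record which image they actually pulled.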
@@ -0,0 +1,322 @@
+; SnappyMail configuration file
+; Please don't add custom parameters here, those will be overwritten
+
+[webmail]
+; Text displayed as page title
+title = "Email - /e/"
+
+; Text displayed on startup
+loading_description = "Email"
+favicon_url = ""
+app_path = "/custom_apps/snappymail/app/"
+
+; Theme used by default
+theme = "Murena@nextcloud"
+
+; Allow theme selection on settings screen
+allow_themes = On
+allow_user_background = Off
+
+; Language used by default
+language = "en"
+
+; Admin Panel interface language
+language_admin = "en"
+
+; Allow language selection on settings screen
+allow_languages_on_settings = On
+allow_additional_accounts = On
+allow_additional_identities = On
+
+; Number of messages displayed on page by default
+messages_per_page = 20
+
+; Mark message read after N seconds
+message_read_delay = 5
+
+; File size limit (MB) for file upload on compose screen
+; 0 for unlimited.
+attachment_size_limit = 25
+
+[interface]
+show_attachment_thumbnail = On
+
+[contacts]
+; Enable contacts
+enable = On
+allow_sync = On
+sync_interval = 20
+type = "sqlite"
+pdo_dsn = "host=127.0.0.1;port=3306;dbname=snappymail"
+pdo_user = "root"
+pdo_password = ""
+suggestions_limit = 20
+
+[security]
+custom_server_signature = "SnappyMail"
+x_xss_protection_header = "1; mode=block"
+openpgp = Off
+
+; Access settings
+allow_admin_panel = On
+
+; Login and password for web admin panel
+admin_login = "admin"
+admin_password = ""
+admin_totp = ""
+admin_panel_host = ""
+admin_panel_key = "admin"
+force_https = Off
+hide_x_mailer_header = On
+
+; https://en.m.wikipedia.org/wiki/Load_(computing)
+max_sys_getloadavg = 0
+
+; For example to allow all images use "img-src https:". More info at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#directives
+content_security_policy = ""
+
+; Report CSP errors to PHP and/or SnappyMail Log
+csp_report = Off
+
+; A valid cipher method from https://php.net/openssl_get_cipher_methods
+encrypt_cipher = "aes-256-cbc-hmac-sha1"
+
+; Strict, Lax or None
+cookie_samesite = "Strict"
+
+; Additional allowed Sec-Fetch combinations separated by ";".
+; For example:
+; * Allow iframe on same domain in any mode: dest=iframe,site=same-origin
+; * Allow navigate to iframe on same domain: mode=navigate,dest=iframe,site=same-origin
+; * Allow navigate to iframe on (sub)domain: mode=navigate,dest=iframe,site=same-site
+; * Allow navigate to iframe from any domain: mode=navigate,dest=iframe,site=cross-site
+;
+; Default is "site=same-origin;site=none"
+secfetch_allow = ""
+
+[admin_panel]
+allow_update = Off
+
+[ssl]
+; Require verification of SSL certificate used.
+verify_certificate = On
+
+; Allow self-signed certificates. Requires verify_certificate.
+allow_self_signed = Off
+
+; https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_security_level.html
+security_level = 1
+
+; Location of Certificate Authority file on local filesystem (/etc/ssl/certs/ca-certificates.crt)
+cafile = ""
+
+; capath must be a correctly hashed certificate directory. (/etc/ssl/certs/)
+capath = ""
+
+; Location of client certificate file (pem format with private key) on local filesystem
+local_cert = ""
+
+; This can help mitigate the CRIME attack vector.
+disable_compression = On
+
+[capa]
+quota = On
+
+; Allow clear folder and delete messages without moving to trash
+dangerous_actions = On
+
+; Allow download attachments as Zip (and optionally others)
+attachments_actions = On
+
+[login]
+; If someone logs in without "@domain.tld", this value will be used
+; When this value is HTTP_HOST, the $_SERVER["HTTP_HOST"] value is used.
+; When this value is SERVER_NAME, the $_SERVER["SERVER_NAME"] value is used.
+; When this value is gethostname, the gethostname() value is used.
+;
+default_domain = "@@@DOMAIN@@@"
+
+; Allow language selection on webmail login screen
+allow_languages_on_login = On
+
+; Detect language from browser header `Accept-Language`
+determine_user_language = On
+
+; Like default_domain but then HTTP_HOST/SERVER_NAME without www.
+determine_user_domain = Off
+login_lowercase = On
+
+; This option allows webmail to remember the logged in user
+; once they closed the browser window.
+;
+; Values:
+; "DefaultOff" - can be used, disabled by default;
+; "DefaultOn" - can be used, enabled by default;
+; "Unused" - cannot be used
+sign_me_auto = "DefaultOff"
+
+[plugins]
+; Enable plugin support
+enable = On
+
+; Comma-separated list of enabled plugins
+enabled_list = "nextcloud"
+
+[defaults]
+; Editor mode used by default (Plain, Html)
+view_editor_type = "Html"
+
+; layout: 0 - no preview, 1 - side preview, 2 - bottom preview
+view_layout = 1
+view_use_checkboxes = On
+autologout = 30
+view_html = On
+show_images = Off
+contacts_autosave = On
+mail_use_threads = Off
+allow_draft_autosave = On
+mail_reply_same_folder = Off
+
+[logs]
+; Enable logging
+enable = Off
+
+; Path where log files will be stored
+path = ""
+
+; Log messages of set RFC 5424 section 6.2.1 Severity level and higher (0 = highest, 7 = lowest).
+; 0 = Emergency
+; 1 = Alert
+; 2 = Critical
+; 3 = Error
+; 4 = Warning
+; 5 = Notice
+; 6 = Informational
+; 7 = Debug
+level = 4
+
+; Required for development purposes only.
+; Disabling this option is not recommended.
+hide_passwords = On
+time_zone = "UTC"
+
+; Log filename.
+; For security reasons, some characters are removed from filename.
+; Allows for pattern-based folder creation (see examples below).
+;
+; Patterns:
+; {date:Y-m-d} - Replaced by pattern-based date
+; Detailed info: http://www.php.net/manual/en/function.date.php
+; {user:email} - Replaced by user's email address
+; If user is not logged in, value is set to "unknown"
+; {user:login} - Replaced by user's login (the user part of an email)
+; If user is not logged in, value is set to "unknown"
+; {user:domain} - Replaced by user's domain name (the domain part of an email)
+; If user is not logged in, value is set to "unknown"
+; {user:uid} - Replaced by user's UID regardless of account currently used
+;
+; {user:ip}
+; {request:ip} - Replaced by user's IP address
+;
+; Others:
+; {imap:login} {imap:host} {imap:port}
+; {smtp:login} {smtp:host} {smtp:port}
+;
+; Examples:
+; filename = "log-{date:Y-m-d}.txt"
+; filename = "{date:Y-m-d}/{user:domain}/{user:email}_{user:uid}.log"
+; filename = "{user:email}-{date:Y-m-d}.txt"
+; filename = "syslog"
+; filename = "stderr"
+filename = "log-{date:Y-m-d}.txt"
+
+; Enable auth logging in a separate file (for fail2ban)
+auth_logging = Off
+auth_logging_filename = "fail2ban/auth-{date:Y-m-d}.txt"
+auth_logging_format = "[{date:Y-m-d H:i:s}] Auth failed: ip={request:ip} user={imap:login} host={imap:host} port={imap:port}"
+
+; Enable auth logging to syslog for fail2ban
+auth_syslog = Off
+
+[debug]
+; Special option required for development purposes
+enable = Off
+javascript = Off
+css = Off
+
+[cache]
+; The section controls caching of the entire application.
+;
+; Enables caching in the system
+enable = On
+
+; Path where cache files will be stored
+path = ""
+
+; Additional caching key. If changed, cache is purged
+index = "v1"
+
+; Can be: files, APCU, memcache, redis (beta)
+fast_cache_driver = "files"
+
+; Additional caching key. If changed, fast cache is purged
+fast_cache_index = "v1"
+
+; Browser-level cache. If enabled, caching is maintainted without using files
+http = On
+
+; Browser-level cache time (seconds, Expires header)
+http_expires = 3600
+
+; Caching message UIDs when searching and sorting (threading)
+server_uids = On
+system_data = On
+
+[imap]
+use_force_selection = Off
+use_expunge_all_on_delete = Off
+message_list_fast_simple_search = On
+message_list_permanent_filter = ""
+message_all_headers = Off
+show_login_alert = On
+fetch_new_messages = On
+
+[labs]
+; Display message RFC 2822 date and time header, instead of the arrival internal date.
+date_from_headers = On
+allow_message_append = Off
+
+; When login fails, wait N seconds before responding
+login_fault_delay = 5
+log_ajax_response_write_limit = 300
+smtp_show_server_errors = Off
+sieve_auth_plain_initial = On
+sieve_allow_fileinto_inbox = Off
+
+; PHP mail() remove To and Subject headers
+mail_func_clear_headers = On
+
+; PHP mail() set -f emailaddress
+mail_func_additional_parameters = Off
+folders_spec_limit = 50
+curl_proxy = ""
+curl_proxy_auth = ""
+custom_login_link = ""
+custom_logout_link = ""
+http_client_ip_check_proxy = Off
+fast_cache_memcache_host = "127.0.0.1"
+fast_cache_memcache_port = 11211
+fast_cache_redis_host = "127.0.0.1"
+fast_cache_redis_port = 6379
+use_local_proxy_for_external_images = On
+image_exif_auto_rotate = Off
+cookie_default_path = ""
+cookie_default_secure = Off
+replace_env_in_configuration = ""
+boundary_prefix = ""
+dev_email = ""
+dev_password = ""
+
+[version]
+current = "2.26.3"
+saved = "Wed, 29 Mar 2023 13:35:19 +0000"
\ No newline at end of file
diff --git a/templates/snappymail/domain-config.json b/templates/snappymail/domain-config.json
new file mode 100644
index 0000000000000000000000000000000000000000..009caed74251876b6cf7c6114298b6a385249b06
--- /dev/null
+++ b/templates/snappymail/domain-config.json
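Review bot: In `[security]` the template ships `allow_admin_panel = On` with `admin_login = "admin"`, `admin_panel_key = "admin"` and an empty `admin_password`, so the admin panel is protected only if the disable/enable step in scripts/postinstall.sh really produces a new password. What SnappyMail does with an empty password when that step fails is not visible from this file; `allow_admin_panel = Off` as the shipped default, switched on only for the configuration session, would remove the dependency. `cookie_default_secure = Off` and `force_https = Off` need a comment explaining why: if the site is only reachable over HTTPS behind nginx (not shown here), `cookie_default_secure = On` costs nothing. The `[version]` block with its `saved` timestamp looks like state written by SnappyMail rather than template content and could be dropped.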
@@ -0,0 +1,88 @@
+{
+ "name": "@@@DOMAIN@@@",
+ "IMAP": {
+ "host": "mailserver",
+ "port": 993,
+ "type": 1,
+ "timeout": 300,
+ "shortLogin": false,
+ "sasl": [
+ "SCRAM-SHA3-512",
+ "SCRAM-SHA-512",
+ "SCRAM-SHA-256",
+ "SCRAM-SHA-1",
+ "PLAIN",
+ "LOGIN"
+ ],
+ "ssl": {
+ "verify_peer": false,
+ "verify_peer_name": false,
+ "allow_self_signed": false,
+ "SNI_enabled": true,
+ "disable_compression": true,
+ "security_level": 1
+ },
+ "disable_list_status": false,
+ "disable_metadata": false,
+ "disable_move": false,
+ "disable_sort": false,
+ "disable_thread": false,
+ "use_expunge_all_on_delete": false,
+ "fast_simple_search": true,
+ "force_select": false,
+ "message_all_headers": false,
+ "message_list_limit": 0,
+ "search_filter": ""
+ },
+ "SMTP": {
+ "host": "mailserver",
+ "port": 587,
+ "type": 2,
+ "timeout": 60,
+ "shortLogin": false,
+ "sasl": [
+ "SCRAM-SHA3-512",
+ "SCRAM-SHA-512",
+ "SCRAM-SHA-256",
+ "SCRAM-SHA-1",
+ "PLAIN",
+ "LOGIN"
+ ],
+ "ssl": {
+ "verify_peer": false,
+ "verify_peer_name": false,
+ "allow_self_signed": false,
+ "SNI_enabled": true,
+ "disable_compression": true,
+ "security_level": 1
+ },
+ "useAuth": true,
+ "setSender": false,
+ "usePhpMail": false
+ },
+ "Sieve": {
+ "host": "mailserver",
+ "port": 4190,
+ "type": 2,
+ "timeout": 10,
+ "shortLogin": false,
+ "sasl": [
+ "SCRAM-SHA3-512",
+ "SCRAM-SHA-512",
+ "SCRAM-SHA-256",
+ "SCRAM-SHA-1",
+ "PLAIN",
+ "LOGIN"
+ ],
+ "ssl": {
+ "verify_peer": true,
+ "verify_peer_name": true,
+ "allow_self_signed": false,
+ "SNI_enabled": true,
+ "disable_compression": true,
+ "security_level": 1
+ },
+ "enabled": true
+ },
+ "whiteList": ""
+}
diff --git a/upgrade-guides/upgrade-to-24.0.10.7.md b/upgrade-guides/upgrade-to-24.0.10.7.md
new file mode 100644
index 0000000000000000000000000000000000000000..84b0192c1a36b8e9e80cf35e6e211799492300c8
--- /dev/null
+++ b/upgrade-guides/upgrade-to-24.0.10.7.md
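Review bot: The `IMAP` and `SMTP` blocks set `"verify_peer": false` and `"verify_peer_name": false` while offering `PLAIN` and `LOGIN`, so the webmail hands user passwords to whatever answers as `mailserver` without checking its certificate. The `Sieve` block has both values set to `true` for the same host, so one of the two settings is presumably unintended. If verification is off because the certificate is issued for `mail.@@@DOMAIN@@@` rather than `mailserver`, connecting by the certificate's name (assuming it resolves to the mail container from inside the nextcloud container) and keeping `"verify_peer": true, "verify_peer_name": true` in all three blocks would be the consistent choice. JSON has no comments, so the reason for whichever setting is kept belongs in the README or the upgrade guide.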
@@ -0,0 +1,48 @@
+# To upgrade from ecloud 24.0.8.7 to 24.0.10.7
+
+- As usual, upgrade your OS with latest patchs, optionally take backup/snapshot
+ - NB: you may want to filter out incomming email (TCP 25 & 587) during this upgrade, to avoid losing any messages in case of a rollback
+
+- Go to `/mnt/repo_base`, then run:
+ - `docker-compose stop`
+ - `git pull origin master`
+
+- In your `docker-compose.yml` file update the following:
+ - Set the mailserver image to `mailserver2/mailserver:1.1.13`
+ - In welcome "extra_hosts", add `- "mail.${DOMAIN}:${NC_HOST_IP}"`
+ - Set the nextcloud image to `registry.gitlab.e.foundation/e/infra/ecloud/nextcloud/selfhost:selfhost-24-0-10`
+ - Set the nginx image to `nginx:stable-alpine`
+
+- Run `crontab -e`, add `--define apc.enable_cli=1` after `"nextcloud php"` for your NextCloud entry
+- Run `docker-compose pull`
+- If pulls are OK, run `docker-compose up -d`
+
+- Examine `docker-compose logs --tail=500 nextcloud` for the following messages:
+ - `nextcloud | Upgrading nextcloud from x.x.x.x ...` (x.x.x.x is your previous Nextcloud version)
+ - `nextcloud | Update successful`
+
+- Run:
+ - `docker-compose exec -T --user www-data nextcloud php occ db:add-missing-indices`
+ - `docker-compose exec -T --user www-data nextcloud php /var/www/html/occ config:system:set defaultapp --value "ecloud-dashboard,files"`
+
+- Snappymail is being intorduced in this version, so make sure that rainloop is disabled.
+ - Run `docker-compose exec -T --user www-data nextcloud php occ app:disable rainloop`
+ - Enable snappymail `docker-compose exec -T --user www-data nextcloud php occ app:enable snappymail` (you can pass --groups gid to limit access to specific group for testing)
+ - Set auto-login with `docker-compose exec -T --user www-data nextcloud php /var/www/html/occ config:app:set snappymail snappymail-autologin-with-email --value 1`
+ - Import user data from rainloop to snappymail
+ - Go to settings > admin > additional and check `Import RainLoop data` and hit save. This will import all user data/settings from rainloop to snappymail
+ - Now go to snappymail admin panel
+ - Make sure to change default password
+ - Set theme to Murena@nextcloud
+ - Disable all domains except yours
+ - In your domain settings, disable "Require verification of SSL certificate" in all tabs
+ - Make changes to other settings where needed and click save
+ - If contacts address book was enabled in rainloop, you can use the same database for contacts in snappymail
+ - Go to extensions section then install nextcloud plugin and enable it
+
+ - Advise users that they should review SnappyMail settings:
+ - Default theme (to be set to Murena)
+ - Contacts (copy/paste URL from Contacts app, enable)
+ - Filters
+
+- Check all settings subsections starting from `/settings/admin/overview` while logged in with the admin user account to identify any issues found post upgrade
\ No newline at end of file