Rebase Dovecot on Stretch slim, build from stable source with latest stable Pigeonhole for antispam replacement

data/Dockerfiles/dovecot/Dockerfile

@@ -1,33 +1,30 @@
-FROM ubuntu:xenial
+FROM debian:stretch-slim
+#ubuntu:xenial
 MAINTAINER Andre Peters <andre.peters@servercow.de>
 
 ENV DEBIAN_FRONTEND noninteractive
 ENV LC_ALL C
+ENV DOVECOT_VERSION 2.2.28
+ENV PIGEONHOLE_VERSION 0.4.17
 
-RUN dpkg-divert --local --rename --add /sbin/initctl \
-    && ln -sf /bin/true /sbin/initctl \
-    && dpkg-divert --local --rename --add /usr/bin/ischroot \
-    && ln -sf /bin/true /usr/bin/ischroot
-
-RUN apt-get update
-RUN apt-get -y install dovecot-common \
-	dovecot-core \
-	dovecot-imapd \
-	dovecot-lmtpd \
-	dovecot-managesieved \
-	dovecot-sieve \
-	dovecot-mysql \
-	dovecot-pop3d \
-	dovecot-dev \
+RUN apt-get update \
+	&& apt-get -y install libpam-dev \
+	default-libmysqlclient-dev \
+	lzma-dev \
+	liblz-dev \
+	libbz2-dev \
+	liblz4-dev \
+	liblzma-dev \
+	build-essential \
+	autotools-dev \
+	automake \
 	syslog-ng \
 	syslog-ng-core \
 	ca-certificates \
 	supervisor \
 	wget \
 	curl \
-	build-essential \
-	autotools-dev \
-	automake \
+	libssl-dev \
 	libauthen-ntlm-perl \
 	libcrypt-ssleay-perl \
 	libdigest-hmac-perl \
@@ -52,36 +49,57 @@ RUN apt-get -y install dovecot-common \
 	make \
 	cpanminus
 
+
+RUN wget https://www.dovecot.org/releases/2.2/dovecot-$DOVECOT_VERSION.tar.gz -O - | tar xvz  \
+	&& cd dovecot-$DOVECOT_VERSION \
+	&& ./configure --with-mysql --with-lzma --with-lz4 --with-ssl=openssl --with-notify=inotify --with-storages=mdbox,sdbox,maildir,mbox,imapc,pop3c --with-bzlib --with-zlib \
+	&& make -j3 \
+	&& make install \
+	&& make clean
+
+RUN wget https://pigeonhole.dovecot.org/releases/2.2/dovecot-2.2-pigeonhole-$PIGEONHOLE_VERSION.tar.gz -O - | tar xvz  \
+	&& cd dovecot-2.2-pigeonhole-$PIGEONHOLE_VERSION \
+	&& ./configure \
+	&& make -j3 \
+	&& make install \
+	&& make clean
+
 RUN sed -i -E 's/^(\s*)system\(\);/\1unix-stream("\/dev\/log");/' /etc/syslog-ng/syslog-ng.conf
 RUN cpanm Data::Uniqid Mail::IMAPClient String::Util
 RUN echo '* * * * *   root   /usr/local/bin/imapsync_cron.pl' > /etc/cron.d/imapsync
 RUN echo '30 3 * * *   vmail  /usr/bin/doveadm quota recalc -A' > /etc/cron.d/dovecot-sync
 
-WORKDIR /tmp
-
-RUN wget http://hg.dovecot.org/dovecot-antispam-plugin/archive/tip.tar.gz -O - | tar xvz  \
-	&& cd /tmp/dovecot-antispam* \
-	&& ./autogen.sh \
-	&& ./configure --prefix=/usr \
-	&& make \
-	&& make install
-
 COPY ./imapsync /usr/local/bin/imapsync
 COPY ./postlogin.sh /usr/local/bin/postlogin.sh
 COPY ./imapsync_cron.pl /usr/local/bin/imapsync_cron.pl
-COPY ./rspamd-pipe /usr/local/bin/rspamd-pipe
+COPY ./report-spam.sieve /usr/local/lib/dovecot/sieve/report-spam.sieve
+COPY ./report-ham.sieve /usr/local/lib/dovecot/sieve/report-ham.sieve
+COPY ./rspamd-pipe-ham /usr/local/lib/dovecot/sieve/rspamd-pipe-ham
+COPY ./rspamd-pipe-spam /usr/local/lib/dovecot/sieve/rspamd-pipe-spam
 COPY ./docker-entrypoint.sh /
 COPY ./supervisord.conf /etc/supervisor/supervisord.conf
 
-RUN chmod +x /usr/local/bin/rspamd-pipe
-RUN chmod +x /usr/local/bin/imapsync_cron.pl
+RUN chmod +x /usr/local/lib/dovecot/sieve/rspamd-pipe-ham \
+	/usr/local/lib/dovecot/sieve/rspamd-pipe-spam \
+	/usr/local/bin/imapsync_cron.pl \
+	/usr/local/bin/postlogin.sh \
+	/usr/local/bin/imapsync
 
-RUN groupadd -g 5000 vmail
-RUN useradd -g vmail -u 5000 vmail -d /var/vmail
+RUN groupadd -g 5000 vmail \
+	&& groupadd -g 142 dovecot \
+    && groupadd -g 143 dovenull \
+	&& useradd -g vmail -u 5000 vmail -d /var/vmail \
+	&& useradd -c "Dovecot unprivileged user" -d /dev/null -u 142 -g dovecot -s /bin/false dovecot \
+	&& useradd -c "Dovecot login user" -d /dev/null -u 143 -g dovenull -s /bin/false dovenull
 
 EXPOSE 24 10001
 
 ENTRYPOINT ["/docker-entrypoint.sh"]
 CMD exec /usr/bin/supervisord -c /etc/supervisor/supervisord.conf
 
-RUN apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+RUN apt-get clean \
+	&& rm -rf /var/lib/apt/lists/* \
+	/tmp/* \
+	/var/tmp/* \
+	/dovecot-2.2-pigeonhole-$PIGEONHOLE_VERSION \
+	/dovecot-$DOVECOT_VERSION

data/Dockerfiles/dovecot/docker-entrypoint.sh

@@ -6,12 +6,16 @@ sed -i "/^\$DBUSER/c\\\$DBUSER='${DBUSER}';" /usr/local/bin/imapsync_cron.pl
 sed -i "/^\$DBPASS/c\\\$DBPASS='${DBPASS}';" /usr/local/bin/imapsync_cron.pl
 sed -i "/^\$DBNAME/c\\\$DBNAME='${DBNAME}';" /usr/local/bin/imapsync_cron.pl
 
-[[ ! -d /etc/dovecot/sql/ ]] && mkdir -p /etc/dovecot/sql/
+# Create SQL dict directory for Dovecot
+[[ ! -d /usr/local/etc/dovecot/sql/ ]] && mkdir -p /usr/local/etc/dovecot/sql/
+[[ ! -d /var/vmail/sieve ]] && mkdir -p /var/vmail/sieve
+[[ ! -d /etc/sogo ]] && mkdir -p /etc/sogo
 
 # Set Dovecot sql config parameters, escape " in db password
 DBPASS=$(echo ${DBPASS} | sed 's/"/\\"/g')
 
-cat <<EOF > /etc/dovecot/sql/dovecot-dict-sql.conf
+# Create quota dict for Dovecot
+cat <<EOF > /usr/local/etc/dovecot/sql/dovecot-dict-sql.conf
 connect = "host=mysql dbname=${DBNAME} user=${DBNAME} password=${DBPASS}"
 map {
   pattern = priv/quota/storage
@@ -27,7 +31,8 @@ map {
 }
 EOF
 
-cat <<EOF > /etc/dovecot/sql/dovecot-mysql.conf
+# Create user and pass dict for Dovecot
+cat <<EOF > /usr/local/etc/dovecot/sql/dovecot-mysql.conf
 driver = mysql
 connect = "host=mysql dbname=${DBNAME} user=${DBNAME} password=${DBPASS}"
 default_pass_scheme = SSHA256
@@ -36,19 +41,32 @@ user_query = SELECT CONCAT('maildir:/var/vmail/',maildir) AS mail, 5000 AS uid,
 iterate_query = SELECT username FROM mailbox WHERE active='1';
 EOF
 
-[[ ! -d /var/vmail/sieve ]] && mkdir -p /var/vmail/sieve
-[[ ! -d /etc/sogo ]] && mkdir -p /etc/sogo
-cat /etc/dovecot/sieve_after > /var/vmail/sieve/global.sieve
+# Create global sieve_after script
+cat /usr/local/etc/dovecot/sieve_after > /var/vmail/sieve/global.sieve
+
+# Compile sieve scripts
 sievec /var/vmail/sieve/global.sieve
+sievec /usr/local/lib/dovecot/sieve/report-spam.sieve
+sievec /usr/local/lib/dovecot/sieve/report-ham.sieve
+
+# Fix sieve permission
 chown -R vmail:vmail /var/vmail/sieve
 
+# Check permissions of vmail directory.
 # Do not do this every start-up, it may take a very long time. So we use a stat check here.
 if [[ $(stat -c %U /var/vmail/) != "vmail" ]] ; then chown -R vmail:vmail /var/vmail ; fi
 
 # Create random master for SOGo sieve features
 RAND_USER=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 16 | head -n 1)
 RAND_PASS=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 24 | head -n 1)
-echo ${RAND_USER}:$(doveadm pw -s SHA1 -p ${RAND_PASS}) > /etc/dovecot/dovecot-master.passwd
+echo ${RAND_USER}:$(doveadm pw -s SHA1 -p ${RAND_PASS}) > /usr/local/etc/dovecot/dovecot-master.passwd
 echo ${RAND_USER}:${RAND_PASS} > /etc/sogo/sieve.creds
 
+if [[ ! -f /mail_crypt/ecprivkey.pem || ! -f /mail_crypt/ecpubkey.pem ]]; then
+	openssl ecparam -name prime256v1 -genkey | openssl pkey -out /mail_crypt/ecprivkey.pem
+	openssl pkey -in /mail_crypt/ecprivkey.pem -pubout -out /mail_crypt/ecpubkey.pem
+	chown -R dovecot -R /mail_crypt/
+	chattr + /mail_crypt/ecpubkey.pem /mail_crypt/ecprivkey.pem
+fi
+
 exec "$@"

data/Dockerfiles/dovecot/report-ham.sieve

@@ -0,0 +1,11 @@
+require ["vnd.dovecot.pipe", "copy", "imapsieve", "environment", "variables"];
+
+if environment :matches "imap.mailbox" "*" {
+  set "mailbox" "${1}";
+}
+
+if string "${mailbox}" "Trash" {
+  stop;
+}
+
+pipe :copy "rspamd-pipe-ham";

data/Dockerfiles/dovecot/report-spam.sieve

@@ -0,0 +1,3 @@
+require ["vnd.dovecot.pipe", "copy"];
+
+pipe :copy "rspamd-pipe-spam";

data/Dockerfiles/dovecot/rspamd-pipe

@@ -1,8 +0,0 @@
-#!/bin/bash
-if [[ ${2} == "learn_spam" ]]; then
-/usr/bin/curl --data-binary @- http://rspamd:11334/learnspam < /dev/stdin
-elif [[ ${2} == "learn_ham" ]]; then
-/usr/bin/curl --data-binary @- http://rspamd:11334/learnham < /dev/stdin
-fi
-# Always return 0 to satisfy Dovecot...
-exit 0

data/Dockerfiles/dovecot/rspamd-pipe-ham

@@ -0,0 +1,4 @@
+#!/bin/bash
+/usr/bin/curl -s --data-binary @- http://rspamd:11334/learnham < /dev/stdin
+# Always return 0 to satisfy Dovecot...
+exit 0

data/Dockerfiles/dovecot/rspamd-pipe-spam

@@ -0,0 +1,4 @@
+#!/bin/bash
+/usr/bin/curl -s --data-binary @- http://rspamd:11334/learnspam < /dev/stdin
+# Always return 0 to satisfy Dovecot...
+exit 0

data/Dockerfiles/dovecot/supervisord.conf

@@ -8,7 +8,7 @@ autostart=true
 stdout_syslog=true
 
 [program:dovecot]
-command=/usr/sbin/dovecot -F
+command=/usr/local/sbin/dovecot -F
 autorestart=true
 
 [program:logfiles]

docker-compose.yml

@@ -26,6 +26,7 @@ services:
       volumes:
         - mysql-vol-1:/var/lib/mysql/
         - ./data/conf/mysql/:/etc/mysql/conf.d/:ro
+        - ./data/assets/reset_mysql.sh:/reset_mysql.sh
       dns:
         - 172.22.1.254
       dns_search: mailcow-network
@@ -151,14 +152,16 @@ services:
       depends_on:
         - bind9-mailcow
       volumes:
-        - ./data/conf/dovecot:/etc/dovecot
+        - ./data/conf/dovecot:/usr/local/etc/dovecot
         - ./data/assets/ssl:/etc/ssl/mail/:ro
         - ./data/conf/sogo/:/etc/sogo/
         - vmail-vol-1:/var/vmail
+        - crypt-vol-1:/mail_crypt/
       environment:
         - DBNAME=${DBNAME}
         - DBUSER=${DBUSER}
         - DBPASS=${DBPASS}
+        - MAIL_CRYPT=${MAIL_CRYPT:-NO}
       ports:
         - "${IMAP_PORT:-143}:143"
         - "${IMAPS_PORT:-993}:993"
@@ -266,3 +269,4 @@ volumes:
   redis-vol-1:
   rspamd-vol-1:
   postfix-vol-1:
+  crypt-vol-1: