- More checks for acme-mailcow (verify hashes)

- Autodiscover configuration file: Merge array from vars.local.inc.php
- Push acme-mailcow to 1.6

data/Dockerfiles/acme/docker-entrypoint.sh

@@ -12,6 +12,18 @@ restart_containers(){
 	done
 }
 
+verify_hash_match(){
+	CERT_HASH=$(openssl x509 -noout -modulus -in "${1}" | openssl md5)
+	KEY_HASH=$(openssl rsa -noout -modulus -in "${2}" | openssl md5)
+	if [[ ${CERT_HASH} != ${KEY_HASH} ]]; then
+		echo "Certificate and key hashes do not match!"
+		return 1
+	else
+		echo "Verified hashes."
+		return 0
+	fi
+}
+
 if [[ -f ${ACME_BASE}/cert.pem ]]; then
 	ISSUER=$(openssl x509 -in ${ACME_BASE}/cert.pem -noout -issuer)
 	if [[ ${ISSUER} != *"Let's Encrypt"* && ${ISSUER} != *"mailcow"* ]]; then
@@ -28,8 +40,10 @@ if [[ -f ${ACME_BASE}/cert.pem ]]; then
 else
 	ISSUER="mailcow"
 	if [[ -f ${ACME_BASE}/acme/fullchain.pem ]] && [[ -f ${ACME_BASE}/acme/private/privkey.pem ]]; then
-		cp ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem
-		cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/key.pem
+		if verify_hash_match ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/acme/private/privkey.pem; then
+			cp ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem
+			cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/key.pem
+		fi
 	else
 		cp ${SSL_EXAMPLE}/cert.pem ${ACME_BASE}/cert.pem
 		cp ${SSL_EXAMPLE}/key.pem ${ACME_BASE}/key.pem
@@ -44,7 +58,7 @@ while true; do
 		exit 0
 	fi
 	declare -a SQL_DOMAIN_ARR
-    declare -a VALIDATED_CONFIG_DOMAINS
+	declare -a VALIDATED_CONFIG_DOMAINS
 	declare -a ADDITIONAL_VALIDATED_SAN
 	IFS=',' read -r -a ADDITIONAL_SAN_ARR <<< "${ADDITIONAL_SAN}"
 	IPV4=$(curl -4s https://mailcow.email/ip.php)
@@ -61,7 +75,7 @@ while true; do
 				echo "Confirmed A record autoconfig.${SQL_DOMAIN}"
 				VALIDATED_CONFIG_DOMAINS+=("autoconfig.${SQL_DOMAIN}")
 			else
-				echo "Cannot match Your IP against hostname autoconfig.${SQL_DOMAIN}"
+				echo "Cannot match your IP against hostname autoconfig.${SQL_DOMAIN}"
 			fi
 		else
 			echo "No A record for autoconfig.${SQL_DOMAIN} found"
@@ -69,18 +83,31 @@ while true; do
 
         A_DISCOVER=$(dig A autodiscover.${SQL_DOMAIN} +short | tail -n 1)
 		if [[ ! -z ${A_DISCOVER} ]]; then
-			echo "Found A record for autodiscover.${SQL_DOMAIN}: ${A_CONFIG}"
+			echo "Found A record for autodiscover.${SQL_DOMAIN}: ${A_DISCOVER}"
 			if [[ ${IPV4} == ${A_DISCOVER} ]]; then
 				echo "Confirmed A record autodiscover.${SQL_DOMAIN}"
 				VALIDATED_CONFIG_DOMAINS+=("autodiscover.${SQL_DOMAIN}")
 			else
-				echo "Cannot match Your IP against hostname autodiscover.${SQL_DOMAIN}"
+				echo "Cannot match your IP against hostname autodiscover.${SQL_DOMAIN}"
 			fi
 		else
 			echo "No A record for autodiscover.${SQL_DOMAIN} found"
 		fi
 	done
 
+	A_MAILCOW_HOSTNAME=$(dig A ${MAILCOW_HOSTNAME} +short | tail -n 1)
+	if [[ ! -z ${A_MAILCOW_HOSTNAME} ]]; then
+		echo "Found A record for ${MAILCOW_HOSTNAME}: ${A_MAILCOW_HOSTNAME}"
+		if [[ ${IPV4} == ${A_MAILCOW_HOSTNAME} ]]; then
+			echo "Confirmed A record ${MAILCOW_HOSTNAME}"
+			VALIDATED_MAILCOW_HOSTNAME=${MAILCOW_HOSTNAME}
+		else
+			echo "Cannot match your IP against hostname ${MAILCOW_HOSTNAME}"
+		fi
+	else
+		echo "No A record for ${MAILCOW_HOSTNAME} found"
+	fi
+
 	for SAN in "${ADDITIONAL_SAN_ARR[@]}"; do
 		A_SAN=$(dig A ${SAN} +short | tail -n 1)
 		if [[ ! -z ${A_SAN} ]]; then
@@ -89,13 +116,19 @@ while true; do
 				echo "Confirmed A record ${SAN}"
 				ADDITIONAL_VALIDATED_SAN+=("${SAN}")
 			else
-				echo "Cannot match Your IP against hostname ${SAN}"
+				echo "Cannot match your IP against hostname ${SAN}"
 			fi
 		else
 			echo "No A record for ${SAN} found"
 		fi
 	done
 
+	ALL_VALIDATED=($(echo ${VALIDATED_CONFIG_DOMAINS[*]} ${ADDITIONAL_VALIDATED_SAN[*]} ${VALIDATED_MAILCOW_HOSTNAME}))
+	if [[ -z ${ALL_VALIDATED[*]} ]]; then
+		echo "Cannot validate hostnames, skipping Let's Encrypt..."
+		echo 0
+	fi
+
 	ORPHANED_SAN=($(echo ${SAN_ARRAY_NOW[*]} ${VALIDATED_CONFIG_DOMAINS[*]} ${ADDITIONAL_VALIDATED_SAN[*]} ${MAILCOW_HOSTNAME} | tr ' ' '\n' | sort | uniq -u ))
 	if [[ ! -z ${ORPHANED_SAN[*]} ]]; then
 		DATE=$(date +%Y-%m-%d_%H_%M_%S)
@@ -112,7 +145,7 @@ while true; do
 		-f ${ACME_BASE}/acme/private/account.key \
 		-k ${ACME_BASE}/acme/private/privkey.pem \
 		-c ${ACME_BASE}/acme \
-		${MAILCOW_HOSTNAME} ${VALIDATED_CONFIG_DOMAINS[*]} ${ADDITIONAL_VALIDATED_SAN[*]}
+		${VALIDATED_MAILCOW_HOSTNAME} ${VALIDATED_CONFIG_DOMAINS[*]} ${ADDITIONAL_VALIDATED_SAN[*]}
 
 	case "$?" in
 		0) # new certs
@@ -121,17 +154,33 @@ while true; do
 			cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/key.pem
 
 			# restart docker containers
+			if ! verify_hash_match ${ACME_BASE}/cert.pem ${ACME_BASE}/key.pem; then
+				cp ${SSL_EXAMPLE}/cert.pem ${ACME_BASE}/cert.pem
+				cp ${SSL_EXAMPLE}/key.pem ${ACME_BASE}/key.pem
+			fi
 			restart_containers ${CONTAINERS_RESTART}
 			;;
 		1) # failure
 			[[ -f ${ACME_BASE}/acme/private/${DATE}.bak/fullchain.pem ]] && cp ${ACME_BASE}/acme/private/${DATE}.bak/fullchain.pem ${ACME_BASE}/cert.pem
 			[[ -f ${ACME_BASE}/acme/private/${DATE}.bak/privkey.pem ]] && cp ${ACME_BASE}/acme/private/${DATE}.bak/privkey.pem ${ACME_BASE}/key.pem
+			if ! verify_hash_match ${ACME_BASE}/cert.pem ${ACME_BASE}/key.pem; then
+				cp ${SSL_EXAMPLE}/cert.pem ${ACME_BASE}/cert.pem
+				cp ${SSL_EXAMPLE}/key.pem ${ACME_BASE}/key.pem
+			fi
 			exit 1;;
 		2) # no change
+			if ! verify_hash_match ${ACME_BASE}/cert.pem ${ACME_BASE}/key.pem; then
+				cp ${SSL_EXAMPLE}/cert.pem ${ACME_BASE}/cert.pem
+				cp ${SSL_EXAMPLE}/key.pem ${ACME_BASE}/key.pem
+			fi
 			;;
 		*) # unspecified
 			[[ -f ${ACME_BASE}/acme/private/${DATE}.bak/fullchain.pem ]] && cp ${ACME_BASE}/acme/private/${DATE}.bak/fullchain.pem ${ACME_BASE}/cert.pem
 			[[ -f ${ACME_BASE}/acme/private/${DATE}.bak/privkey.pem ]] && cp ${ACME_BASE}/acme/private/${DATE}.bak/privkey.pem ${ACME_BASE}/key.pem
+			if ! verifyhash_match ${ACME_BASE}/cert.pem ${ACME_BASE}/key.pem; then
+				cp ${SSL_EXAMPLE}/cert.pem ${ACME_BASE}/cert.pem
+				cp ${SSL_EXAMPLE}/key.pem ${ACME_BASE}/key.pem
+			fi
 			exit 1;;
 	esac
 

data/web/autodiscover.php

@@ -1,9 +1,11 @@
 <?php
 require_once 'inc/vars.inc.php';
 require_once 'inc/functions.inc.php';
+$default_autodiscover_config = $autodiscover_config;
 if(file_exists('inc/vars.local.inc.php')) {
   include_once 'inc/vars.local.inc.php';
 }
+$configuration = array_merge($default_autodiscover_config, $autodiscover_config);
 
 error_reporting(0);
 
@@ -11,13 +13,13 @@ $data = trim(file_get_contents("php://input"));
 
 // Desktop client needs IMAP, unless it's Outlook 2013 or higher on Windows
 if (strpos($data, 'autodiscover/outlook/responseschema')) { // desktop client
-  $autodiscover_config['autodiscoverType'] = 'imap';
-  if ($autodiscover_config['useEASforOutlook'] == 'yes' &&
+  $configuration['autodiscoverType'] = 'imap';
+  if ($configuration['useEASforOutlook'] == 'yes' &&
   // Office for macOS does not support EAS
   strpos($_SERVER['HTTP_USER_AGENT'], 'Mac') === false &&
   // Outlook 2013 (version 15) or higher
   preg_match('/(Outlook|Office).+1[5-9]\./', $_SERVER['HTTP_USER_AGENT'])) {
-    $autodiscover_config['autodiscoverType'] = 'activesync';
+    $configuration['autodiscoverType'] = 'activesync';
   }
 }
 
@@ -61,7 +63,7 @@ else {
       $discover = new SimpleXMLElement($data);
       $email = $discover->Request->EMailAddress;
 
-      if ($autodiscover_config['autodiscoverType'] == 'imap') {
+      if ($configuration['autodiscoverType'] == 'imap') {
 ?>
   <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
     <User>
@@ -72,35 +74,35 @@ else {
       <Action>settings</Action>
       <Protocol>
         <Type>IMAP</Type>
-        <Server><?=$autodiscover_config['imap']['server'];?></Server>
-        <Port><?=$autodiscover_config['imap']['port'];?></Port>
+        <Server><?=$configuration['imap']['server'];?></Server>
+        <Port><?=$configuration['imap']['port'];?></Port>
         <DomainRequired>off</DomainRequired>
         <LoginName><?=$email;?></LoginName>
         <SPA>off</SPA>
-        <SSL><?=$autodiscover_config['imap']['ssl'];?></SSL>
+        <SSL>on</SSL>
         <AuthRequired>on</AuthRequired>
       </Protocol>
       <Protocol>
         <Type>SMTP</Type>
-        <Server><?=$autodiscover_config['smtp']['server'];?></Server>
-        <Port><?=$autodiscover_config['smtp']['port'];?></Port>
+        <Server><?=$configuration['smtp']['server'];?></Server>
+        <Port><?=$configuration['smtp']['port'];?></Port>
         <DomainRequired>off</DomainRequired>
         <LoginName><?=$email;?></LoginName>
         <SPA>off</SPA>
-        <SSL><?=$autodiscover_config['smtp']['ssl'];?></SSL>
+        <SSL>on</SSL>
         <AuthRequired>on</AuthRequired>
         <UsePOPAuth>on</UsePOPAuth>
         <SMTPLast>off</SMTPLast>
       </Protocol>
       <Protocol>
         <Type>CalDAV</Type>
-        <Server>https://<?=$mailcow_hostname;?>/SOGo/dav/<?=$email;?>/Calendar</Server>
+        <Server><?=$configuration['caldav']['server'];?>/SOGo/dav/<?=$email;?>/Calendar</Server>
         <DomainRequired>off</DomainRequired>
         <LoginName><?=$email;?></LoginName>
       </Protocol>
       <Protocol>
         <Type>CardDAV</Type>
-        <Server>https://<?=$mailcow_hostname;?>/SOGo/dav/<?=$email;?>/Contacts</Server>
+        <Server><?=$configuration['carddav']['server'];?>/SOGo/dav/<?=$email;?>/Contacts</Server>
         <DomainRequired>off</DomainRequired>
         <LoginName><?=$email;?></LoginName>
       </Protocol>
@@ -108,7 +110,7 @@ else {
   </Response>
 <?php
       }
-      else if ($autodiscover_config['autodiscoverType'] == 'activesync') {
+      else if ($configuration['autodiscoverType'] == 'activesync') {
         $username = trim($email);
         try {
           $stmt = $pdo->prepare("SELECT `name` FROM `mailbox` WHERE `username`= :username");
@@ -135,8 +137,8 @@ else {
       <Settings>
         <Server>
         <Type>MobileSync</Type>
-        <Url><?=$autodiscover_config['activesync']['url'];?></Url>
-        <Name><?=$autodiscover_config['activesync']['url'];?></Name>
+        <Url><?=$configuration['activesync']['url'];?></Url>
+        <Name><?=$configuration['activesync']['url'];?></Name>
         </Server>
       </Settings>
     </Action>

data/web/inc/vars.inc.php

@@ -23,22 +23,27 @@ $autodiscover_config = array(
   'useEASforOutlook' => 'yes',
   // General autodiscover service type: "activesync" or "imap"
   'autodiscoverType' => 'activesync',
+  // Please don't use STARTTLS-enabled service ports here.
+  // The autodiscover service will always point to SMTPS and IMAPS (TLS-wrapped services).
   'imap' => array(
     'server' => $mailcow_hostname,
     'port' => getenv('IMAPS_PORT'),
-    'ssl' => 'on',
   ),
   'smtp' => array(
     'server' => $mailcow_hostname,
     'port' => getenv('SMTPS_PORT'),
-    'ssl' => 'on'
   ),
   'activesync' => array(
     'url' => 'https://'.$mailcow_hostname.'/Microsoft-Server-ActiveSync'
+  ),
+  'caldav' => array(
+    'url' => 'https://'.$mailcow_hostname
+  ),
+  'carddav' => array(
+    'url' => 'https://'.$mailcow_hostname
   )
 );
 
-
 // Where to go after adding and editing objects
 // Can be "form" or "previous"
 // "form" will stay in the current form, "previous" will redirect to previous page

docker-compose.yml

@@ -293,7 +293,7 @@ services:
     acme-mailcow:
       depends_on:
         - nginx-mailcow
-      image: mailcow/acme:1.5
+      image: mailcow/acme:1.6
       build: ./data/Dockerfiles/acme
       dns:
         - 172.22.1.254