
Merge pull request #5717 from mailcow/staging

2024-01e
Niklas Meyer 1 年之前
父節點
當前提交
8ae762a8c8

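--- /dev/null
+++ b/.github/workflows/check_if_support_labeled.yml
@@ -0,0 +1,37 @@
+name: Check if labeled support, if so send message and close issue
+on:
+  issues:
+    types:
+      - labeled
+jobs:
+  add-comment:
+    if: github.event.label.name == 'support'
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+    steps:
+      - name: Add comment
+        run: gh issue comment "$NUMBER" --body "$BODY"
+        env:
+          GH_TOKEN: ${{ secrets.SUPPORTISSUES_ACTION_PAT }}
+          GH_REPO: ${{ github.repository }}
+          NUMBER: ${{ github.event.issue.number }}
+          BODY: |
+              **THIS IS A AUTOMATED MESSAGE!**
+
+              It seems your issue is not a bug.
+              Therefore we highly advise you to get support!
+              
+              You can get support either by:
+              - ordering a paid [support contract at Servercow](https://www.servercow.de/mailcow?lang=en#support/) (Directly from the developers) or
+              - using the [community forum](https://community.mailcow.email) (**Based on volunteers! NO guaranteed answer**) or
+              - using the [Telegram support channel](https://t.me/mailcow) (**Based on volunteers! NO guaranteed answer**)
+
+              This issue will be closed. If you think your reported issue is not a support case feel free to comment above and if so the issue will reopened.
+
+      - name: Close issue
+        env:
+          GH_TOKEN: ${{ secrets.SUPPORTISSUES_ACTION_PAT }}
+          GH_REPO: ${{ github.repository }}
+          NUMBER: ${{ github.event.issue.number }}
+        run: gh issue close "$NUMBER" -r "not planned"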
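Review bot: Both steps authenticate `gh` with the long-lived `secrets.SUPPORTISSUES_ACTION_PAT` although the job already declares `permissions: issues: write`, which is exactly the scope `gh issue comment` and `gh issue close` need; `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` would do the same work with a short-lived, repository-scoped token. The PAT is only warranted if the comment must be attributed to a specific account or must itself trigger further workflows, and if that is the reason a one-line comment above the first `GH_TOKEN:` saying so would stop the next reader from "fixing" it. Separately, the user-facing body contains `THIS IS A AUTOMATED MESSAGE` and `the issue will reopened`; `**THIS IS AN AUTOMATED MESSAGE!**` and `the issue will be reopened` read correctly.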

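--- a/data/Dockerfiles/dovecot/syslog-ng-redis_slave.conf
+++ b/data/Dockerfiles/dovecot/syslog-ng-redis_slave.conf
@@ -7,6 +7,7 @@ options {
   use_fqdn(no);
   owner("root"); group("adm"); perm(0640);
   stats(freq(0));
+  keep_timestamp(no);
   bad_hostname("^gconfd$");
 };
 source s_dgram {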
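Review bot: The added `keep_timestamp(no);` has no comment explaining why the timestamp carried in each message is discarded in favour of syslog-ng's receive time; the same line is added without one in data/Dockerfiles/dovecot/syslog-ng.conf. A comment such as `# stamp messages with the receive time, not the sender-supplied timestamp` would make clear that this is deliberate and that log times from this container now reflect syslog-ng's clock rather than the originating process.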

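--- a/data/Dockerfiles/dovecot/syslog-ng.conf
+++ b/data/Dockerfiles/dovecot/syslog-ng.conf
@@ -7,6 +7,7 @@ options {
   use_fqdn(no);
   owner("root"); group("adm"); perm(0640);
   stats(freq(0));
+  keep_timestamp(no);
   bad_hostname("^gconfd$");
 };
 source s_dgram {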

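--- a/data/Dockerfiles/netfilter/main.py
+++ b/data/Dockerfiles/netfilter/main.py
@@ -395,7 +395,7 @@ if __name__ == '__main__':
   signal.signal(signal.SIGTERM, sigterm_quit)
 
   # init Logger
-  logger = Logger(None)
+  logger = Logger()
 
   # init backend
   backend = sys.argv[1]
@@ -437,7 +437,7 @@ if __name__ == '__main__':
       time.sleep(3)
     else:
       break
-  Logger.r = r
+  logger.set_redis(r)
 
   # rename fail2ban to netfilter
   if r.exists('F2B_LOG'):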

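--- a/data/Dockerfiles/netfilter/modules/Logger.py
+++ b/data/Dockerfiles/netfilter/modules/Logger.py
@@ -2,7 +2,10 @@ import time
 import json
 
 class Logger:
-  def __init__(self, redis):
+  def __init__(self):
+    self.r = None
+
+  def set_redis(self, redis):
     self.r = redis
 
   def log(self, priority, message):
@@ -10,7 +13,7 @@ class Logger:
     tolog['time'] = int(round(time.time()))
     tolog['priority'] = priority
     tolog['message'] = message
-    if self.r:
+    if self.r is not None:
       self.r.lpush('NETFILTER_LOG', json.dumps(tolog, ensure_ascii=False))
     print(message)
 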
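Review bot: `set_redis` has no docstring, and because `__init__` now starts with `self.r = None`, a reader of `log` cannot tell from this file alone that pushes to `NETFILTER_LOG` are silently skipped until a connection has been attached and only the `print(message)` line runs. A one-line docstring on `set_redis`, such as `"""Attach the redis connection; until this is called, log() only prints to stdout."""`, would make the two-phase setup explicit. The `is not None` test is the right change, since it no longer depends on how the redis client object evaluates as a boolean.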

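--- a/data/Dockerfiles/netfilter/modules/NFTables.py
+++ b/data/Dockerfiles/netfilter/modules/NFTables.py
@@ -41,6 +41,7 @@ class NFTables:
         exit_code = 2
 
       if chain_position > 0:
+        chain_position += 1
         self.logger.logCrit(f'MAILCOW target is in position {chain_position} in the {filter_table} {chain} table, restarting container to fix it...')
         err = True
         exit_code = 2
@@ -309,8 +310,8 @@ class NFTables:
       rule_handle = rule["handle"]
       break
 
-    dest_net = ipaddress.ip_network(source_address)
-    target_net = ipaddress.ip_network(snat_target)
+    dest_net = ipaddress.ip_network(source_address, strict=False)
+    target_net = ipaddress.ip_network(snat_target, strict=False)
 
     if rule_found:
       saddr_ip = rule["expr"][0]["match"]["right"]["prefix"]["addr"]
@@ -321,9 +322,9 @@ class NFTables:
 
       target_ip = rule["expr"][3]["snat"]["addr"]
 
-      saddr_net = ipaddress.ip_network(saddr_ip + '/' + str(saddr_len))
-      daddr_net = ipaddress.ip_network(daddr_ip + '/' + str(daddr_len))
-      current_target_net = ipaddress.ip_network(target_ip)
+      saddr_net = ipaddress.ip_network(saddr_ip + '/' + str(saddr_len), strict=False)
+      daddr_net = ipaddress.ip_network(daddr_ip + '/' + str(daddr_len), strict=False)
+      current_target_net = ipaddress.ip_network(target_ip, strict=False)
 
       match = all((
                 dest_net == saddr_net,
@@ -417,7 +418,7 @@ class NFTables:
     json_command = self.get_base_dict()
 
     expr_opt = []
-    ipaddr_net = ipaddress.ip_network(ipaddr)
+    ipaddr_net = ipaddress.ip_network(ipaddr, strict=False)
     right_dict = {'prefix': {'addr': str(ipaddr_net.network_address), 'len': int(ipaddr_net.prefixlen) } }
 
     left_dict = {'payload': {'protocol': _family, 'field': 'saddr'} }
@@ -466,7 +467,7 @@ class NFTables:
         current_rule_net = ipaddress.ip_network(current_rule_ip)
 
         # ip to ban
-        candidate_net = ipaddress.ip_network(ipaddr)
+        candidate_net = ipaddress.ip_network(ipaddr, strict=False)
 
         if current_rule_net == candidate_net:
           rule_handle = _object["rule"]["handle"]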
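Review bot: The added `chain_position += 1` in the first hunk mutates the variable only so that the logCrit message prints a 1-based position; if `chain_position` is read again after this branch (the rest of the method lies outside the hunk) it is now off by one. Formatting the message instead leaves the variable intact: `self.logger.logCrit(f'MAILCOW target is in position {chain_position + 1} in the {filter_table} {chain} table, restarting container to fix it...')`. On the `strict=False` hunks, an `ipaddr` written as address/prefix with host bits set (e.g. `203.0.113.5/24`) no longer raises ValueError but is silently masked to its containing network before the ban rule is built, so a malformed entry now widens the ban to the whole prefix rather than being rejected; where `ipaddr` originates is outside the hunk, so it is worth confirming that it is validated upstream, and a comment on the first `strict=False` line stating that masking is intended would help. Note also that `current_rule_net = ipaddress.ip_network(current_rule_ip)` in the last hunk is the one call left in strict mode.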

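--- a/data/Dockerfiles/sogo/Dockerfile
+++ b/data/Dockerfiles/sogo/Dockerfile
@@ -1,8 +1,8 @@
-FROM debian:bookworm-slim
+FROM debian:bullseye-slim
 LABEL maintainer "The Infrastructure Company GmbH GmbH <info@servercow.de>"
 
 ARG DEBIAN_FRONTEND=noninteractive
-ARG DEBIAN_VERSION=bookworm
+ARG DEBIAN_VERSION=bullseye
 ARG SOGO_DEBIAN_REPOSITORY=http://www.axis.cz/linux/debian
 # renovate: datasource=github-releases depName=tianon/gosu versioning=semver-coerced extractVersion=^(?<version>.*)$
 ARG GOSU_VERSION=1.17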
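Review bot: The base image moves back from `debian:bookworm-slim` to the older `debian:bullseye-slim` without a comment recording why, so a later cleanup or automated bump could undo it; the reason is not visible in this commit. A comment above the `FROM` line such as `# pinned to bullseye: <reason> — check the SOGo repository before bumping DEBIAN_VERSION` would preserve the constraint, and since `DEBIAN_VERSION` must match the `FROM` tag, the comment is best placed where both are set.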

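--- a/data/Dockerfiles/unbound/Dockerfile
+++ b/data/Dockerfiles/unbound/Dockerfile
@@ -5,7 +5,6 @@ LABEL maintainer "The Infrastructure Company GmbH GmbH <info@servercow.de>"
 RUN apk add --update --no-cache \
 	curl \
 	bind-tools \
-	netcat-openbsd \
 	unbound \
 	bash \
 	openssl \
@@ -20,10 +19,10 @@ EXPOSE 53/udp 53/tcp
 
 COPY docker-entrypoint.sh /docker-entrypoint.sh
 
-# healthcheck (nslookup)
+# healthcheck (dig, ping)
 COPY healthcheck.sh /healthcheck.sh
 RUN chmod +x /healthcheck.sh
-HEALTHCHECK --interval=5s --timeout=30s CMD [ "/healthcheck.sh" ]
+HEALTHCHECK --interval=30s --timeout=30s CMD [ "/healthcheck.sh" ]
 
 ENTRYPOINT ["/docker-entrypoint.sh"]
 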
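Review bot: The comment becomes `# healthcheck (dig, ping)`, but the healthcheck.sh hunks in this commit only remove the netcat check and show no ping call, so the comment may describe a check the script does not perform; confirm against the full script or keep it at `# healthcheck (dig)`. If a ping-based check is in use, it relies on ICMP being permitted from the container, which is worth stating next to the `HEALTHCHECK` line so a failing check is not misread as a resolver fault. The interval change to 30s also means an unhealthy resolver is reported later than before; a short note of why 5s was too aggressive would help future tuning.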

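--- a/data/Dockerfiles/unbound/healthcheck.sh
+++ b/data/Dockerfiles/unbound/healthcheck.sh
@@ -50,27 +50,6 @@ function check_dns() {
     
 }
 
-# Simple Netcat Check to connect to common webports
-function check_netcat() {
-    declare -a domains=("mailcow.email" "github.com" "hub.docker.com")
-    declare -a ports=("80" "443")
-
-    for domain in "${domains[@]}" ; do
-        for port in "${ports[@]}" ; do
-            nc -z -w 2 $domain $port
-            if [ $? -ne 0 ]; then
-                log_to_file "Healthcheck: Could not reach $domain on Port $port... Gave up!"
-                log_to_file "Please check your internet connection or firewall rules to fix this error."
-                return 1
-            fi
-        done
-    done
-
-    log_to_file "Healthcheck: Netcat Checks WORKING properly!"
-    return 0
-
-}
-
 if [[ ${SKIP_UNBOUND_HEALTHCHECK} == "y" ]]; then
     log_to_file "Healthcheck: ALL CHECKS WERE SKIPPED! Unbound is healthy!"
     exit 0
@@ -89,11 +68,5 @@ if [ $? -ne 0 ]; then
     exit 1
 fi
 
-check_netcat
-
-if [ $? -ne 0 ]; then
-    exit 1
-fi
-
 log_to_file "Healthcheck: ALL CHECKS WERE SUCCESSFUL! Unbound is healthy!"
 exit 0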

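--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -2,7 +2,7 @@ version: '2.1'
 services:
 
     unbound-mailcow:
-      image: mailcow/unbound:1.20
+      image: mailcow/unbound:1.21
       environment:
         - TZ=${TZ}
         - SKIP_UNBOUND_HEALTHCHECK=${SKIP_UNBOUND_HEALTHCHECK:-n}
@@ -175,7 +175,7 @@ services:
             - phpfpm
 
     sogo-mailcow:
-      image: mailcow/sogo:1.122
+      image: mailcow/sogo:1.122.1
       environment:
         - DBNAME=${DBNAME}
         - DBUSER=${DBUSER}
@@ -222,7 +222,7 @@ services:
             - sogo
 
     dovecot-mailcow:
-      image: mailcow/dovecot:1.28.1
+      image: mailcow/dovecot:1.28.2
       depends_on:
         - mysql-mailcow
         - netfilter-mailcow
@@ -441,7 +441,7 @@ services:
             - acme
 
     netfilter-mailcow:
-      image: mailcow/netfilter:1.56
+      image: mailcow/netfilter:1.57
       stop_grace_period: 30s
       restart: always
       privileged: true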