diff --git a/docker/batch-test.env b/docker/batch-test.env
index c44202a6c..047d6a528 100644
--- a/docker/batch-test.env
+++ b/docker/batch-test.env
@@ -81,6 +81,8 @@ WEBSERVER_PORT=80
 WEBSERVER_PORT_TLS=443
 WEBSERVER_PORT_IPV6=8080
 WEBSERVER_PORT_IPV6_TLS=4443
+SMTPSERVER_PORT=25
+SMTPSERVER_PORT_IPV6=2525
 UNBOUND_PORT_TCP=53/tcp
 UNBOUND_PORT_UDP=53/udp
 # use fake port numbers here so we don't end up with duplicates in the compose file which causes an error
diff --git a/docker/build.env b/docker/build.env
index 24b535dc1..e68c294b4 100644
--- a/docker/build.env
+++ b/docker/build.env
@@ -8,6 +8,8 @@ COMPOSE_PROFILES=monitoring,routinator,run-tests
 # don't expose HTTP(S) and DNS ports to the outside, this also causes issues due to being privileged ports
 WEBSERVER_PORT=80
 WEBSERVER_PORT_TLS=443
+SMTPSERVER_PORT=25
+SMTPSERVER_PORT_IPV6=2525
 UNBOUND_PORT_TCP=53/tcp
 UNBOUND_PORT_UDP=53/udp
 # use fake port numbers here so we don't end up with duplicates in the compose file which causes an error
diff --git a/docker/compose.yaml b/docker/compose.yaml
index ecc66f4c6..3c7b958cc 100644
--- a/docker/compose.yaml
+++ b/docker/compose.yaml
@@ -27,6 +27,8 @@ services:
 - $WEBSERVER_PORT_IPV6/tcp
 - $WEBSERVER_PORT_IPV6_TLS/tcp
 - $WEBSERVER_PORT_IPV6_TLS/udp
+ - $SMTPSERVER_PORT
+ - $SMTPSERVER_PORT_IPV6
 environment:
 - INTERNETNL_DOMAINNAME
diff --git a/docker/defaults.env b/docker/defaults.env
index 3c6ff5a8f..ae947533d 100644
--- a/docker/defaults.env
+++ b/docker/defaults.env
@@ -172,6 +172,8 @@ WEBSERVER_PORT=0.0.0.0:80:80
 WEBSERVER_PORT_TLS=0.0.0.0:443:443
 WEBSERVER_PORT_IPV6=::0:80:80
 WEBSERVER_PORT_IPV6_TLS=::0:443:443
+SMTPSERVER_PORT=0.0.0.0:25:25
+SMTPSERVER_PORT_IPV6=::0:25:25
 UNBOUND_PORT_TCP=0.0.0.0:53:53/tcp
 UNBOUND_PORT_UDP=0.0.0.0:53:53/udp
 UNBOUND_PORT_IPV6_TCP=::0:53:53/tcp
diff --git a/docker/develop.env b/docker/develop.env
index 1dfe84f3f..57a18b54b 100644
--- a/docker/develop.env
+++ b/docker/develop.env
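Review bot: The two new `ports:` entries in the compose.yaml hunk omit the `/tcp` protocol suffix that every sibling `$WEBSERVER_PORT_*` line in the same hunk carries. Docker publishes TCP when no protocol is given, so behaviour is unchanged, but making it explicit keeps the list uniform and avoids a reader wondering whether UDP was intended: `- $SMTPSERVER_PORT/tcp` and `- $SMTPSERVER_PORT_IPV6/tcp` (the documented example values in this commit would then also want the suffix, as the existing `WEBSERVER_PORT_IPV6` examples have). With the `defaults.env` values added in this commit the listener is published on `0.0.0.0` and `::0` port 25 unless an env file overrides it, which mirrors the exposure model of the web ports but is worth a one-line comment next to the new variables so operators know a public SMTP endpoint is part of the default footprint.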
@@ -49,6 +49,8 @@ WEBSERVER_PORT=80
 WEBSERVER_PORT_TLS=443
 WEBSERVER_PORT_IPV6=8080
 WEBSERVER_PORT_IPV6_TLS=4443
+SMTPSERVER_PORT=25
+SMTPSERVER_PORT_IPV6=2525
 UNBOUND_PORT_TCP=53/tcp
 UNBOUND_PORT_UDP=53/udp
 # use fake port numbers here so we don't end up with duplicates in the compose file which causes an error
diff --git a/docker/host-multi-dist.env b/docker/host-multi-dist.env
index d57df583f..0f4a3b1c6 100644
--- a/docker/host-multi-dist.env
+++ b/docker/host-multi-dist.env
@@ -35,6 +35,9 @@ WEBSERVER_PORT_TLS=$IPV4_IP_PUBLIC:443:443
 WEBSERVER_PORT_IPV6=$IPV6_IP_PUBLIC:80:80
 WEBSERVER_PORT_IPV6_TLS=[$IPV6_IP_PUBLIC]:443:443
+SMTPSERVER_PORT=$IPV4_IP_PUBLIC:25:25
+SMTPSERVER_PORT_IPV6=[$IPV6_IP_PUBLIC]:25:25
+
 IPV4_SUBNET_PUBLIC=$IPV4_SUBNET_PUBLIC
 IPV4_SUBNET_INTERNAL=$IPV4_SUBNET_INTERNAL
diff --git a/docker/test.env b/docker/test.env
index 12156a729..ec0329a5c 100644
--- a/docker/test.env
+++ b/docker/test.env
@@ -80,6 +80,8 @@ WEBSERVER_PORT=80
 WEBSERVER_PORT_TLS=443
 WEBSERVER_PORT_IPV6=8080
 WEBSERVER_PORT_IPV6_TLS=4443
+SMTPSERVER_PORT=25
+SMTPSERVER_PORT_IPV6=2525
 UNBOUND_PORT_TCP=53/tcp
 UNBOUND_PORT_UDP=53/udp
 # use fake port numbers here so we don't end up with duplicates in the compose file which causes an error
diff --git a/docker/webserver.Dockerfile b/docker/webserver.Dockerfile
index cc4728625..a35759f2d 100644
--- a/docker/webserver.Dockerfile
+++ b/docker/webserver.Dockerfile
@@ -20,6 +20,7 @@ RUN mkdir -p /etc/nginx/htpasswd/
 RUN touch /etc/nginx/htpasswd/monitoring.htpasswd
 COPY docker/webserver/10-variables.envsh /docker-entrypoint.d/
+COPY docker/webserver/40-add-mail-include.sh /docker-entrypoint.d/
 COPY docker/webserver/tls_init.sh /docker-entrypoint.d/
 COPY docker/webserver/authentication.sh /docker-entrypoint.d/
 COPY docker/webserver/generate_quic_host_key.sh /docker-entrypoint.d/
diff --git a/docker/webserver/40-add-mail-include.sh b/docker/webserver/40-add-mail-include.sh
new file mode 100755
index 000000000..84573a8f0
--- /dev/null
+++ b/docker/webserver/40-add-mail-include.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+set -eu
+
+LC_ALL=C
+ME=$(basename "$0")
+PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+touch /etc/nginx/nginx.conf 2>/dev/null || { echo >&2 "$ME: error: can not modify /etc/nginx/nginx.conf (read-only file system?)"; exit 0; }
+
+sed -i -r -z 's@(\}\n)$@\1# Added by '"$ME"' on '"$(date)"'\nmail {\n include conf.d/*.mail-conf;\n}\n@' /etc/nginx/nginx.conf
diff --git a/docker/webserver/nginx_templates/smtp.mail-conf.template b/docker/webserver/nginx_templates/smtp.mail-conf.template
new file mode 100644
index 000000000..42a1f1bb9
--- /dev/null
+++ b/docker/webserver/nginx_templates/smtp.mail-conf.template
@@ -0,0 +1,16 @@
+server_name ${SMTP_EHLO_DOMAIN};
+auth_http http://127.0.0.1:9090/;
+
+starttls only;
+
+include conf.d/letsencrypt.conf;
+
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
+
+server {
+ listen 25;
+ listen [::]:25;
+ protocol smtp;
+ smtp_capabilities "SIZE 1099511627776" ENHANCEDSTATUSCODES 8BITMIME DSN SMTPUTF8 REQUIRETLS;
+}
diff --git a/docker/webserver/nginx_templates/smtp_auth_http.conf.template b/docker/webserver/nginx_templates/smtp_auth_http.conf.template
new file mode 100644
index 000000000..c024b2dae
--- /dev/null
+++ b/docker/webserver/nginx_templates/smtp_auth_http.conf.template
@@ -0,0 +1,11 @@
+# for mail auth_http
+server {
+ listen 127.0.0.1:9090;
+ location / {
+ default_type text/plain;
+ add_header Auth-Status "Login not supported since this is a dummy nginx smtp handler";
+ add_header Auth-Error-Code "550 5.3.5";
+ add_header Auth-Wait 1;
+ return 200;
+ }
+}
diff --git a/documentation/Docker-multi-deployment.md b/documentation/Docker-multi-deployment.md
index 31dc3d763..0c4660646 100644
--- a/documentation/Docker-multi-deployment.md
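Review bot: The `sed -i` on the last line of 40-add-mail-include.sh is not idempotent: the entrypoint scripts run on every container start, so restarting a container whose /etc/nginx/nginx.conf already ends with the appended block gets a second `mail { … }` and nginx refuses to start on the duplicate directive. Guard the edit with the marker the script itself writes, e.g. `grep -q '^# Added by ' /etc/nginx/nginx.conf && exit 0` (or `grep -q '^mail {'`) placed before the `sed`. The pattern `(\}\n)$` also matches nothing if nginx.conf does not end in `}` followed by exactly one newline, in which case the script exits 0 with the mail context silently absent; a trailing `grep -q '^mail {' /etc/nginx/nginx.conf || echo >&2 "$ME: warning: mail block was not added"` would make that visible in the container log. `-z` and `-r` are GNU sed extensions, which is presumably fine for the base image this Dockerfile uses but would break on a busybox sed — a comment stating that assumption next to the `sed` line is worth adding since the base image is not visible in this diff.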
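Review bot: smtp.mail-conf.template carries no header comment explaining what this port-25 listener is for; a reader sees a public SMTP endpoint and must find the auth_http companion to learn that every AUTH is rejected and nothing is relayed. I would open the file with `# SMTP listener used only as a test target: STARTTLS is mandatory and the auth_http backend (smtp_auth_http.conf) rejects every login, so no mail is ever accepted or relayed.` `server_name ${SMTP_EHLO_DOMAIN};` renders to `server_name ;` when that variable is unset at envsubst time, and this commit adds no default for it in `defaults.env`; either it is defined elsewhere or the config will fail its check at start-up — worth confirming. The `smtp_capabilities` line advertises `SIZE 1099511627776` and `REQUIRETLS`; because the backend never accepts a message these are only what the tests need to see, and a short comment saying so would stop someone reading them as real limits of the service.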
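Review bot: The only documentation in smtp_auth_http.conf.template is `# for mail auth_http`, which does not tell a maintainer how nginx interprets the three headers: any `Auth-Status` value other than `OK` is a failure and its text is sent verbatim to the SMTP client, `Auth-Error-Code` is the SMTP reply code used for that failure, and `Auth-Wait` delays the reply by that many seconds. Suggest `# auth_http backend for the mail block: always fails AUTH (Auth-Status != OK) so no login can succeed; Auth-Wait throttles each retry by 1s` in place of the current comment. The `listen 127.0.0.1:9090;` keeps this endpoint loopback-only, which matters because nginx forwards the client's credentials to it as plain HTTP headers; a one-line comment stating that this must stay loopback would prevent it being widened later. `default_type text/plain;` has no observable effect on an empty `return 200;` response and could be dropped.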
+++ b/documentation/Docker-multi-deployment.md
@@ -37,6 +37,8 @@ Add the following lines to `docker/host.env` and change the IP's to the public I
 WEBSERVER_PORT_TLS=192.0.2.2:443:443
 WEBSERVER_PORT_IPV6=[2001:db8:1::2]:80:80/tcp
 WEBSERVER_PORT_IPV6_TLS=[2001:db8:1::2]:443:443/tcp
+ SMTPSERVER_PORT=192.0.2.2:25:25
+ SMTPSERVER_PORT_IPV6=[2001:db8:1::2]:25:25
 ## Adding a new instance
@@ -52,7 +54,7 @@ Modify the `docker/host.env` file with the following steps:
 - Update `ALLOWED_HOSTS` and `CSP_DEFAULT_SRC` values to the new domain name (eg: `dev2.example.com`)
 - Change `IPV4_IP_PUBLIC`, `IPV6_IP_PUBLIC`, `IPV6_TEST_ADDR` to the public IPv4/IPv6 addresses specific for this instance
 - Update `UNBOUND_PORT_TCP`, `UNBOUND_PORT_UDP`, `UNBOUND_PORT_IPV6_TCP` and `UNBOUND_PORT_IPV6_UDP` to the public IPv4/IPv6 addresses for this instance
-- Add `WEBSERVER_PORT`, `WEBSERVER_PORT_TLS`, `WEBSERVER_PORT_IPV6`, `WEBSERVER_PORT_IPV6_TLS` with the public IPv4/IPv6 addresses for this instance and the respective ports
+- Add `WEBSERVER_PORT`, `WEBSERVER_PORT_TLS`, `WEBSERVER_PORT_IPV6`, `WEBSERVER_PORT_IPV6_TLS`, `SMTPSERVER_PORT`, `SMTPSERVER_PORT_IPV6` with the public IPv4/IPv6 addresses for this instance and the respective ports
 - Add `IPV4_SUBNET_PUBLIC`, `IPV4_SUBNET_INTERNAL`, `IPV6_SUBNET_PUBLIC` and `IPV6_GATEWAY_PUBLIC` with unique subnet/address from private address space, this should not conflict with the existing instances. Suggested is to iterate over subnets for the existing instance (`172.16.42.0/24`, `192.168.42.0/24`, `fd00:42:1::/48`, `fd00:42:1::1`) so the first ones would become: `172.16.43.0/24`, `192.168.43.0/24`, `fd00:43:1::/48` and `fd00:43:1::1`.
 - Add a `ROUTINATOR_URL` with a URL to the first instance routinator proxy endpoint, so the extra instances don't have to run a resource heavy extra routinator, eg: `https://example.com/routinator/api/v1/validity`. This also requires removing the `routinator` entry from `COMPOSE_PROFILES` on the extra instance.
 - Add `INTERNETNL_INSTALL_BASE` with the path to the new instance directory, eg: `/opt/Internet.nl-dev2`