mailcow-dockerized
Wrong Redirections in SOGo when using http/3 Proxy
Contribution guidelines
- [X] I've read the contribution guidelines and wholeheartedly agree
I've found a bug and checked that ...
- [X] ... I understand that not following the below instructions will result in immediate closure and/or deletion of my issue.
- [X] ... I have understood that this bug report is dedicated for bugs, and not for support-related inquiries.
- [X] ... I have understood that answers are voluntary and community-driven, and not commercial support.
- [X] ... I have verified that my issue has not been already answered in the past. I also checked previous issues.
Description
In front of Mailcow, an Nginx with http/3 support is running. Excerpt from the Nginx reverse proxy config:
```nginx
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    listen 443 quic reuseport;
    listen [::]:443 quic reuseport;
    ...
    location / {
        proxy_pass http://172.22.1.1:8080/;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        client_max_body_size 0;
        # The following proxy buffers have to be set if you want to use SOGo after the 2022-04 (April 2022) update.
        # Otherwise a login will fail like this: https://github.com/mailcow/mailcow-dockerized/issues/4537
        proxy_buffer_size 128k;
        proxy_buffers 64 512k;
        proxy_busy_buffers_size 512k;
        add_header Alt-Svc 'h3=":443"; ma=86400';
        add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval'" always;
        proxy_hide_header Strict-Transport-Security;
        add_header Strict-Transport-Security 'max-age=31536000' always;
    }
    ...
}
```
http://172.22.1.1:8080/ is the internal URL for Mailcow.
If http/3 is disabled, meaning the `listen ... quic ...` and `Alt-Svc` lines are commented out, Mailcow works as expected. If http/3 is enabled, the following happens:
Logging into Mailcow works. If SOGo is called, a redirect to https://sogo/so/
### Logs:
```
mailcowdockerized-nginx-mailcow-1 | 2024-01-11T10:13:02.415768314Z 172.22.1.5 - - [11/Jan/2024:11:13:02 +0100] "HEAD /forwardinghosts.php HTTP/1.1" 200 0 "-" "rspamd-3.7.4"
mailcowdockerized-nginx-mailcow-1 | 2024-01-11T10:13:02.417233475Z 172.22.1.5 - - [11/Jan/2024:11:13:02 +0100] "GET /forwardinghosts.php HTTP/1.1" 200 27 "-" "rspamd-3.7.4"
mailcowdockerized-nginx-mailcow-1 | 2024-01-11T10:13:03.020196551Z 172.25.0.1 - - [11/Jan/2024:11:13:03 +0100] "GET /[email protected] HTTP/1.0" 302 0 "https://mail.taunusstein.net/" "Mozilla/5.0 (X11; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0"
mailcowdockerized-nginx-mailcow-1 | 2024-01-11T10:13:03.053146604Z 127.0.0.1 - - [11/Jan/2024:11:13:03 +0100] "GET /sogo-auth HTTP/1.0" 200 0 "https://mail.taunusstein.net/" "Mozilla/5.0 (X11; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0"
mailcowdockerized-nginx-mailcow-1 | 2024-01-11T10:13:03.054902156Z 172.25.0.1 - - [11/Jan/2024:11:13:03 +0100] "GET /SOGo/so/[email protected] HTTP/1.0" 302 0 "https://mail.taunusstein.net/" "Mozilla/5.0 (X11; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0"
mailcowdockerized-nginx-mailcow-1 | 2024-01-11T10:13:03.101407849Z 127.0.0.1 - - [11/Jan/2024:11:13:03 +0100] "GET /sogo-auth HTTP/1.0" 200 0 "https://mail.taunusstein.net/" "Mozilla/5.0 (X11; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0"
mailcowdockerized-nginx-mailcow-1 | 2024-01-11T10:13:03.104720556Z 172.25.0.1 - - [11/Jan/2024:11:13:03 +0100] "GET /SOGo/so/[email protected]/view HTTP/1.0" 302 0 "https://mail.taunusstein.net/" "Mozilla/5.0 (X11; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0"
```
Steps to reproduce:
1. Configure Nginx with http/3 support
1. Connect with an http/3-enabled browser (e.g. the latest released Firefox or Chromium)
1. Log in to Mailcow
1. Press the button "In Webmail einloggen"
Which branch are you using?
master
Operating System:
Debian 12.4 - latest patches installed
Server/VM specifications:
16G, 4 cores
Is Apparmor, SELinux or similar active?
yes
Virtualization technology:
none
Docker version:
24.0.7
docker-compose version or docker compose version:
v2.21.0
mailcow version:
2023-12a
Reverse proxy:
Nginx 1.25.4
Logs of git diff:
diff --git a/create_cold_standby.sh b/create_cold_standby.sh
index 924339af..4368f3ee 100755
--- a/create_cold_standby.sh
+++ b/create_cold_standby.sh
@@ -2,6 +2,6 @@
export REMOTE_SSH_KEY=/root/.ssh/id_rsa
export REMOTE_SSH_PORT=22
-export REMOTE_SSH_HOST=my.remote.host
+export REMOTE_SSH_HOST=spock.ip6.li
-/opt/mailcow-dockerized/helper-scripts/_cold-standby.sh
+/home/cfadm/docker/mailcow-dockerized/helper-scripts/_cold-standby.sh
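Review bot: the `+export REMOTE_SSH_HOST=spock.ip6.li` and `+/home/cfadm/docker/...` lines hardcode site-specific values into a tracked helper script, so they are printed in full whenever `git diff` output is pasted into a report like this one, and they collide with the git merge that mailcow's update.sh performs. Keep the host and path in an untracked wrapper or environment file and leave the shipped script at its defaults.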
diff --git a/data/assets/ssl-example/cert.pem b/data/assets/ssl-example/cert.pem
index 96d16bec..d29bf6ab 100644
--- a/data/assets/ssl-example/cert.pem
+++ b/data/assets/ssl-example/cert.pem
@@ -1,19 +1,33 @@
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
diff --git a/data/assets/ssl-example/key.pem b/data/assets/ssl-example/key.pem
index cedf35a0..5205773a 100644
--- a/data/assets/ssl-example/key.pem
+++ b/data/assets/ssl-example/key.pem
@@ -1,27 +1,52 @@
------BEGIN RSA PRIVATE KEY-----
------END RSA PRIVATE KEY-----
+-----BEGIN PRIVATE KEY-----
+-----END PRIVATE KEY-----
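Review bot: this hunk replaces the placeholder private key in the tracked file `data/assets/ssl-example/key.pem` with another key (the header change from `RSA PRIVATE KEY` to `PRIVATE KEY` shows a PKCS#1 key giving way to a PKCS#8 one); the key body has been stripped from this page, but an unfiltered `git diff` paste would publish it. A live key belongs in the untracked `data/assets/ssl/` location mailcow reads at runtime, and a key that has been pasted anywhere should be treated as exposed and re-issued.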
diff --git a/data/conf/nginx/site.conf b/data/conf/nginx/site.conf
index fb40de87..49ee9926 100644
--- a/data/conf/nginx/site.conf
+++ b/data/conf/nginx/site.conf
@@ -7,4 +7,5 @@ map $http_x_forwarded_proto $client_req_scheme {
https https;
}
-include /etc/nginx/conf.d/sites.active;
+#include /etc/nginx/conf.d/sites.active;
+include /etc/nginx/conf.d/sites.cf.active;
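Review bot: swapping `include /etc/nginx/conf.d/sites.active;` for a custom `sites.cf.active` means the redirect behaviour in this report was observed with a site configuration that is not the shipped one, and the `$client_req_scheme` map in the hunk header is consumed by whatever that include contains, so a custom site file can change how scheme and host are forwarded to SOGo. Reproduce once with the stock include re-enabled before attributing the redirect to http/3, and state which proxy headers the custom file sets.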
diff --git a/data/conf/postfix/main.cf b/data/conf/postfix/main.cf
index 1dce6a4c..da88c8e5 100644
--- a/data/conf/postfix/main.cf
+++ b/data/conf/postfix/main.cf
@@ -171,3 +171,36 @@ parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks
# DO NOT EDIT ANYTHING BELOW #
# Overrides #
+
+postscreen_dnsbl_sites = wl.mailspike.net=127.0.0.[18;19;20]*-2
+ hostkarma.junkemailfilter.com=127.0.0.1*-2
+ list.dnswl.org=127.0.[0..255].0*-2
+ list.dnswl.org=127.0.[0..255].1*-4
+ list.dnswl.org=127.0.[0..255].2*-6
+ list.dnswl.org=127.0.[0..255].3*-8
+ ix.dnsbl.manitu.net*2
+ bl.spamcop.net*2
+ bl.suomispam.net*2
+ hostkarma.junkemailfilter.com=127.0.0.2*3
+ hostkarma.junkemailfilter.com=127.0.0.4*2
+ hostkarma.junkemailfilter.com=127.0.1.2*1
+ backscatter.spameatingmonkey.net*2
+ bl.ipv6.spameatingmonkey.net*2
+ bl.spameatingmonkey.net*2
+ b.barracudacentral.org=127.0.0.2*7
+ bl.mailspike.net=127.0.0.2*5
+ bl.mailspike.net=127.0.0.[10;11;12]*4
+ dnsbl.sorbs.net=127.0.0.10*8
+ dnsbl.sorbs.net=127.0.0.5*6
+ dnsbl.sorbs.net=127.0.0.7*3
+ dnsbl.sorbs.net=127.0.0.8*2
+ dnsbl.sorbs.net=127.0.0.6*2
+ dnsbl.sorbs.net=127.0.0.9*2
+ zen.spamhaus.org=127.0.0.[10;11]*8
+ zen.spamhaus.org=127.0.0.[4..7]*6
+ zen.spamhaus.org=127.0.0.3*4
+ zen.spamhaus.org=127.0.0.2*3
+
+# User Overrides
+myhostname = mail.taunusstein.net
+
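Review bot: the `postscreen_dnsbl_sites` block is inserted below the `# DO NOT EDIT ANYTHING BELOW #` / `# Overrides #` marker, in the section the postfix container regenerates at start-up; the `# User Overrides` and `myhostname` tail visible here is what mailcow appends from `data/conf/postfix/extra.cf`, and the hand-placed block above it can be dropped or duplicated on the next rewrite. Move the list into extra.cf, and check that the `postscreen_dnsbl_threshold` and `postscreen_dnsbl_action` settings those weights (up to 8 per list) are meant to trip are set, since this hunk does not show them.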
diff --git a/data/conf/rspamd/custom/bad_languages.map b/data/conf/rspamd/custom/bad_languages.map
index cf9ce3e1..a02b674d 100644
--- a/data/conf/rspamd/custom/bad_languages.map
+++ b/data/conf/rspamd/custom/bad_languages.map
@@ -1 +1,8 @@
-# Regex! /de/ will also match /de_at/ etc.
+# Regex! /de/ will also match /de_at/ etc.^M
+/zh/i^M
+/es/i^M
+/tl/i^M
+/th/i^M
+/tr/i^M
+/vi/i^M
+/pt/i
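Review bot: every added pattern line ends in `^M`, i.e. the file was saved with CRLF line endings, so rspamd reads `/zh/i\r` rather than `/zh/i` and the flag part is no longer a bare `i`; none of these language rules can be relied on to match. Convert the file back to LF (`dos2unix`, or `sed -i 's/\r$//'`) and confirm in the rspamd log that the map loads without errors.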
diff --git a/data/conf/rspamd/custom/bad_words.map b/data/conf/rspamd/custom/bad_words.map
index 0d9af8be..be1a4d97 100644
--- a/data/conf/rspamd/custom/bad_words.map
+++ b/data/conf/rspamd/custom/bad_words.map
@@ -1,29 +1,30 @@
-/\serotic\s/i
-/\serection\s/i
-/\ssexy\s/i
-/\sass\s/i
-/\sviagra\s/i
-/\stits\s/i
-/\stitty\s/i
-/\stitties\s/i
-/\scum\s/i
-/\ssperm\s/i
-/\sslut\s/i
-/\sporn\s/i
-/\scock\s/i
-/\spharma\s/i
-/\spharmacy\s/i
-/\sseo\s/i
-/\sjackpot\s/i
-/\slottery\s/i
-/bitcoin/i
-/trojaner/i
-/malware/i
-/\sscooter\s/i
-/testost/i
-/web\sdevelopment/i
-/\slottery\s/i
-/\ssex\s/i
-/\svagina\s/i
-/\spenis\s/i
-/\smarketing\s/i
\ No newline at end of file
+/\serotic\s/i^M
+/\serection\s/i^M
+/\ssexy\s/i^M
+/\sass\s/i^M
+/\sviagra\s/i^M
+/\stits\s/i^M
+/\stitty\s/i^M
+/\stitties\s/i^M
+/\scum\s/i^M
+/\ssperm\s/i^M
+/\sslut\s/i^M
+/\sporn\s/i^M
+/\scock\s/i^M
+/\spharma\s/i^M
+/\spharmacy\s/i^M
+/\sseo\s/i^M
+/\sjackpot\s/i^M
+/\slottery\s/i^M
+/bitcoin/i^M
+/trojaner/i^M
+/malware/i^M
+/\sscooter\s/i^M
+/testost/i^M
+/web\sdevelopment/i^M
+/\slottery\s/i^M
+/\ssex\s/i^M
+/\svagina\s/i^M
+/\spenis\s/i^M
+/\smarketing\s/i^M
+/\curso\sen\slรญnea:\s\i
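Review bot: besides the same CRLF conversion as bad_languages.map (which turns an otherwise unchanged 29-line list into a whole-file rewrite), the new last line `/\curso\sen\slรญnea:\s\i` is malformed: `lรญnea` is a mis-encoded `línea`, `\c` and `\i` are backslash escapes rather than the letters `c` and `i`, and the closing `/` before the `i` flag is missing, so the entry is either rejected or matches something unintended. The intended form is `/curso\sen\slínea:/i` on an LF-terminated line.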
diff --git a/data/conf/rspamd/custom/global_mime_from_blacklist.map b/data/conf/rspamd/custom/global_mime_from_blacklist.map
index 3c872889..2aaadde0 100644
--- a/data/conf/rspamd/custom/global_mime_from_blacklist.map
+++ b/data/conf/rspamd/custom/global_mime_from_blacklist.map
@@ -1 +1,2 @@
-# /.+example\.com/i
+# /.+example\.com/i^M
+/.+cyberport\.de/i
diff --git a/data/conf/rspamd/custom/global_mime_from_whitelist.map b/data/conf/rspamd/custom/global_mime_from_whitelist.map
index 3c872889..3f221daa 100644
--- a/data/conf/rspamd/custom/global_mime_from_whitelist.map
+++ b/data/conf/rspamd/custom/global_mime_from_whitelist.map
@@ -1 +1,2 @@
-# /.+example\.com/i
+# /.+example\.com/i^M
+/.+actalis\.com/i
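Review bot: `/.+actalis\.com/i` is unanchored, so it whitelists any MIME From containing that substring, including `user@actalis.com.attacker-controlled.example` or `actalis.com@other.example`. Because a whitelist hit bypasses the scoring that the other changes in this diff tighten, anchor the pattern to the domain part, e.g. `/@actalis\.com$/i`; the `cyberport\.de` blacklist entry has the same over-matching shape and would benefit from the same anchoring.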
diff --git a/data/conf/rspamd/local.d/actions.conf b/data/conf/rspamd/local.d/actions.conf
index 3de63a54..55813f0d 100644
--- a/data/conf/rspamd/local.d/actions.conf
+++ b/data/conf/rspamd/local.d/actions.conf
@@ -1,3 +1,4 @@
-reject = 15;
-add_header = 8;
-greylist = 7;
+reject = 8;
+add_header = 5;
+greylist = 3;
+rewrite_subject = 6;
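Review bot: reject drops from 15 to 8 and add_header from 8 to 5 while the new postscreen weights and word lists add score, so mail that previously only got a header now bounces at roughly half the old threshold. The ordering greylist 3 < add_header 5 < rewrite_subject 6 < reject 8 is valid, but watch the rspamd history for false positives for a few days before keeping reject this low.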
diff --git a/data/conf/sogo/sogo.conf b/data/conf/sogo/sogo.conf
index b424efd8..3fcb1ef1 100644
--- a/data/conf/sogo/sogo.conf
+++ b/data/conf/sogo/sogo.conf
@@ -90,4 +90,8 @@
//SOGoUIxDebugEnabled = YES;
//WODontZipResponse = YES;
WOLogFile = "/dev/sogo_log";
+
+ // CF Anpassungen
+ SOGoGravatarEnabled = NO;
+ SOGoExternalAvatarsEnabled = NO;
}
diff --git a/docker-compose.yml b/docker-compose.yml
index 2521e816..f43c9f1f 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -601,36 +601,6 @@ services:
aliases:
- ofelia
- ipv6nat-mailcow:
- depends_on:
- - unbound-mailcow
- - mysql-mailcow
- - redis-mailcow
- - clamd-mailcow
- - rspamd-mailcow
- - php-fpm-mailcow
- - sogo-mailcow
- - dovecot-mailcow
- - postfix-mailcow
- - memcached-mailcow
- - nginx-mailcow
- - acme-mailcow
- - netfilter-mailcow
- - watchdog-mailcow
- - dockerapi-mailcow
- - solr-mailcow
- environment:
- - TZ=${TZ}
- image: robbertkl/ipv6nat
- security_opt:
- - label=disable
- restart: always
- privileged: true
- network_mode: "host"
- volumes:
- - /var/run/docker.sock:/var/run/docker.sock:ro
- - /lib/modules:/lib/modules:ro
-
networks:
mailcow-network:
driver: bridge
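Review bot: deleting the `ipv6nat-mailcow` service directly from the tracked `docker-compose.yml` will conflict on every update.sh merge; mailcow's supported way to disable it is a `docker-compose.override.yml` that replaces the service, together with `enable_ipv6: false` on `mailcow-network`. Removing a `privileged: true`, `network_mode: "host"` container with the Docker socket mounted is a reasonable reduction of attack surface if IPv6 is genuinely unused, so the intent is fine and only the mechanism should change.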
diff --git a/helper-scripts/backup_and_restore.sh b/helper-scripts/backup_and_restore.sh
index ee9f0202..0c3c6a5c 100755
--- a/helper-scripts/backup_and_restore.sh
+++ b/helper-scripts/backup_and_restore.sh
@@ -145,11 +145,11 @@ function backup() {
echo "Using SQL image ${SQLIMAGE}, starting..."
docker run --name mailcow-backup --rm \
--network $(docker network ls -qf name=^${CMPS_PRJ}_mailcow-network$) \
- -v $(docker volume ls -qf name=^${CMPS_PRJ}_mysql-vol-1$):/var/lib/mysql/:ro,z \
+ -v $(pwd)/data/mysql-vol-1/:/var/lib/mysql/:ro,z \
-t --entrypoint= \
--sysctl net.ipv6.conf.all.disable_ipv6=1 \
-v ${BACKUP_LOCATION}/mailcow-${DATE}:/backup:z \
- ${SQLIMAGE} /bin/sh -c "mariabackup --host mysql --user root --password ${DBROOT} --backup --rsync --target-dir=/backup_mariadb ; \
+ ${SQLIMAGE} /bin/sh -c "mariabackup --host mysql --user root --password ${DBROOT} --backup --rsync --no-lock --target-dir=/backup_mariadb ; \
mariabackup --prepare --target-dir=/backup_mariadb ; \
chown -R 999:999 /backup_mariadb ; \
/bin/tar --warning='no-file-ignored' --use-compress-program='gzip --rsyncable' -Pcvpf /backup/backup_mariadb.tar.gz /backup_mariadb ;"
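Review bot: `--no-lock` tells mariabackup to skip the read lock it otherwise takes, which is only safe when every table is InnoDB and the recorded binlog position does not matter; on a database with concurrent writes it trades a consistent snapshot for a backup that may not restore cleanly, and the script checks neither condition. The switch from the named-volume lookup to `$(pwd)/data/mysql-vol-1/` also makes the mount depend on the directory the script is started from; with a wrong working directory the container sees an empty `/var/lib/mysql` and the backup fails or is empty. Prefer the volume lookup, or resolve the path from the script's own location.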
Logs of iptables -L -vn:
not applicable for that problem
Logs of ip6tables -L -vn:
not applicable for that problem
Logs of iptables -L -vn -t nat:
not applicable for that problem
Logs of ip6tables -L -vn -t nat:
not applicable for that problem
DNS check:
172.64.155.249
104.18.32.7
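As an added example (not part of this report or of mailcow), a small detector over nginx-mailcow access-log lines in the format shown in the log excerpt above: it flags a client that receives repeated 302 responses for `/SOGo/so/` paths within a few seconds, which is what the redirect behaviour reported here looks like from the proxy's side. The sample lines, service name, hosts and addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Compose service prefix, RFC 3339 container timestamp, then the nginx combined format up to the status code.
LINE_RE = re.compile(
    r'^\S+\s+\|\s+(?P<ts>\S+)\s+(?P<client>\S+) - \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) ')

def parse_ts(ts):
    """Epoch seconds from a container timestamp that carries a nanosecond fraction."""
    base, _, frac = ts.rstrip('Z').partition('.')
    dt = datetime.strptime(base, '%Y-%m-%dT%H:%M:%S').replace(tzinfo=timezone.utc)
    return dt.timestamp() + (float('0.' + frac) if frac else 0.0)

def parse_line(line):
    """Fields of one access-log line as a dict, or None when the line has another format."""
    m = LINE_RE.match(line)
    return m and {'ts': parse_ts(m['ts']), 'client': m['client'],
                  'path': m['path'], 'status': int(m['status'])}

def find_redirect_loops(lines, min_hits=2, window=5.0):
    """Clients that received at least min_hits 302 responses for /SOGo/so/ paths within
    any `window` seconds, mapped to that peak count."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec['status'] == 302 and rec['path'].startswith('/SOGo/so/'):
            hits[rec['client']].append(rec['ts'])
    loops = {}
    for client, times in hits.items():
        times.sort()
        best = start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window start forward
                start += 1
            best = max(best, end - start + 1)
        if best >= min_hits:
            loops[client] = best
    return loops

# Constructed sample modelled on the report's excerpt; service name, hosts, users and agents are placeholders.
SAMPLE_LOG = """\
nginx-mailcow-1 | 2024-01-11T10:13:02.417233475Z 172.22.1.5 - - [11/Jan/2024:11:13:02 +0100] "GET /forwardinghosts.php HTTP/1.1" 200 27 "-" "rspamd-3.7.4"
nginx-mailcow-1 | 2024-01-11T10:13:03.020196551Z 172.25.0.1 - - [11/Jan/2024:11:13:03 +0100] "GET /SOGo/so/user@example.test HTTP/1.0" 302 0 "https://mail.example.test/" "Mozilla/5.0"
nginx-mailcow-1 | 2024-01-11T10:13:03.053146604Z 127.0.0.1 - - [11/Jan/2024:11:13:03 +0100] "GET /sogo-auth HTTP/1.0" 200 0 "https://mail.example.test/" "Mozilla/5.0"
nginx-mailcow-1 | 2024-01-11T10:13:03.054902156Z 172.25.0.1 - - [11/Jan/2024:11:13:03 +0100] "GET /SOGo/so/user@example.test HTTP/1.0" 302 0 "https://mail.example.test/" "Mozilla/5.0"
nginx-mailcow-1 | 2024-01-11T10:13:03.104720556Z 172.25.0.1 - - [11/Jan/2024:11:13:03 +0100] "GET /SOGo/so/user@example.test/view HTTP/1.0" 302 0 "https://mail.example.test/" "Mozilla/5.0"
nginx-mailcow-1 | 2024-01-11T10:13:09.000000000Z 172.25.0.2 - - [11/Jan/2024:11:13:09 +0100] "GET /SOGo/so/other@example.test/Mail/view HTTP/1.0" 200 4123 "-" "Mozilla/5.0"
"""
```

`find_redirect_loops(SAMPLE_LOG.splitlines())` returns `{'172.25.0.1': 3}`: the client that bounced three times in a tenth of a second is flagged, the one that reached its mailbox with a 200 is not.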
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
Are there any plans to support http/3?
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
Still relevant with the current version.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
This issue is still relevant.