
Mailu Infra server

This document explains the layout of the Mailu websites server, which runs Docker to host the web projects around Mailu, such as the documentation, the demo and the setup utility.

Services

In this section the running services are explained. There is a crontab file which is a copy of the one used on the server. It currently has two tasks:

  1. Run ./demo/admin-pw.sh to reset the demo server's admin password frequently. We had bullies changing the admin user password from time to time; this rolls it back to the usual letmein password.
  2. Run update.sh, which updates the images of all services, should any updates be available.

Reverse proxy

Traefik is used as reverse proxy and takes care of (sub)domain web routing.

  • https://mailu.io/<ver>: Documentation
  • https://setup.mailu.io/<ver>: Setup
  • https://test.mailu.io: Demo server

The compose file and configuration can be found in the ./traefik directory.

Documentation

The documentation docker-compose file is located in the ./docs directory. It defines a service for every release version of Mailu since 1.5, including master.

Setup server

The setup docker-compose file is located in the ./setup directory. It defines a service for every release version of Mailu since 1.7, including master.

Demo server

The demo service docker-compose file is located in the ./demo directory. It is a customized version which takes care of resource limiting. It uses the certdumper service to extract TLS certificates from Traefik.

The default network is set to internal. The remaining services that need internet access use the web network. The front service is bound to the usual ports, except 80 and 443, as these web ports are routed through Traefik. This means that the demo server can:

  1. Receive SMTP e-mail (both incoming and authenticated)
  2. Serve authenticated IMAP and POP3 connections from clients
  3. Provide access to the webmail and admin interfaces
  4. Run a fully functional virus scanner, downloading the appropriate definitions

However, the demo server cannot send any SMTP mail to external hosts. Such mails remain stuck in the queue forever.

The server

The server is running Ubuntu 18.04.5 LTS, with the latest stable Docker from the official Docker APT repositories. The ufw firewall is enabled and only allows access to SSH, HTTP and HTTPS. The other service ports are opened by Docker itself.

SSH access

Members of the "Contributors" team can gain access by adding their public keys to ./ssh/<username>, one line per key. The filenames reflect the GitHub usernames in all lower-case. The users that currently have a file in this repository already have an account on the system. If additional users must be added, please first send a PR so that the account can be created on the server.

Users are in principle unprivileged. For example, they are not members of the docker group. This is a small security measure to prevent privileged access should a private key get compromised. All users are members of the sudo group. On first login a user password must be set with the passwd command.

Keys that are added must use rsa (>= 2048), ecdsa (>= 256) or ed25519. We also ask you to make sure the private key is password protected.
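As an added example (not code from the Mailu/infra repository), a small Python checker that enforces this key policy on the contents of a ./ssh/<username> file, so a PR that adds keys can be validated before an account is created. It parses the OpenSSH public-key wire format directly, and the hypothetical synthetic_line helper only builds structurally valid dummy keys as constructed test input; they are not usable keys.

```python
import base64
import struct

# Key policy from the Mailu infra README: rsa (>= 2048), ecdsa (>= 256) or ed25519.
MIN_BITS = {"ssh-rsa": 2048, "ecdsa": 256, "ssh-ed25519": 256}

def _s(b):  # encode bytes as an SSH wire-format string (uint32 length prefix)
    return struct.pack(">I", len(b)) + b

def _read(blob, off):  # read one wire-format string; return (bytes, next offset)
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n

def key_info(line):
    """Return (policy type, bits) for one OpenSSH public-key line; ValueError if unacceptable."""
    key_type, b64 = line.split()[:2]               # ValueError when the blob is missing
    blob = base64.b64decode(b64, validate=True)    # binascii.Error is a ValueError
    embedded, off = _read(blob, 0)
    if embedded != key_type.encode():
        raise ValueError("type prefix does not match the key blob")
    if key_type == "ssh-rsa":
        _, off = _read(blob, off)                  # exponent e, not needed for the check
        n = _read(blob, off)[0].lstrip(b"\x00")    # modulus without mpint sign padding
        return key_type, (len(n) - 1) * 8 + n[0].bit_length()
    if key_type.startswith("ecdsa-sha2-nistp"):
        return "ecdsa", int(_read(blob, off)[0][len("nistp"):])  # curve name carries the size
    if key_type == "ssh-ed25519":
        return key_type, 256
    raise ValueError(f"key type {key_type} is not allowed")

def check_key_file(text):  # -> [(line_no, ok, detail)] for each non-blank line of ./ssh/<username>
    results = []
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            ptype, bits = key_info(line)
            results.append((no, bits >= MIN_BITS[ptype], f"{ptype} {bits} bits"))
        except (ValueError, struct.error, IndexError) as exc:
            results.append((no, False, f"rejected: {exc}"))
    return results

def synthetic_line(key_type, bits=2048):
    """Constructed fixture: a structurally valid key line around a dummy, unusable key."""
    if key_type == "ssh-rsa":
        n = (1 << (bits - 1)).to_bytes((bits + 7) // 8, "big")
        body = _s(b"\x01\x00\x01") + _s(b"\x00" + n)       # e = 65537, n with sign byte
    else:                                                   # ssh-ed25519: zero point
        body = _s(bytes(32))
    return f"{key_type} {base64.b64encode(_s(key_type.encode()) + body).decode()} fixture"
```

A line whose type prefix disagrees with the blob (for example an ed25519 blob labelled ssh-rsa) is rejected outright, so the policy cannot be bypassed by relabelling a weak key.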

A copy of applicable sshd_config options can be found in ./ssh/sshd_config.

Infra project files

This Mailu/infra repository is cloned in /opt/infra. Write access is only by root/sudo.

Rules of conduct

  1. Don't use or abuse the server for anything other than Mailu.
  2. If there is an issue and you need to get in, please announce it on the Matrix channel or on a related issue on GitHub. This way we prevent multiple people from interfering at the same time.
  3. If you need to make changes to /opt/infra (using sudo), that is fine for testing. However, you can't commit from there back to GitHub. Please clone the repository locally (on your own PC), apply any changes, commit and push. Always leave the state of /opt/infra clean (run git checkout -- * before you log out!).
  4. If origin/master is ahead, please pull before doing anything.
  5. If you lose access to a previously added SSH key, or you have the slightest suspicion it got compromised, please remove it from your key file in this repository!


infra's Issues

received take down request for test.mailu.io

Hi guys. You haven't heard from me in some years now, but unfortunately I have some bad and urgent news. I've received notice that the demo server has somehow become the victim of a botnet. I once donated this small VM to the community years ago and I am still renting it. Access was granted (and used) by a number of contributors in the ./ssh directory, but I haven't actively maintained the server in terms of updates.

I'm also not sure whether the host is compromised or whether the mail server is used to send spam mail. The latter shouldn't be possible because I remember we made sure to break the outgoing network capabilities of the smtp container. But then again, I don't know what changed over the years.

Abuse mail
Dear Mr Tim Mohlmann,

We have received an abuse report from [[email protected]](mailto:[email protected]).

We are automatically forwarding this complaint on to you, for your information. You do not need to respond, but we do expect you to check the report and to resolve any (potential) issues.

Information:

-----
Good morning/afternoon

Recently, Qakbot botnet infrastructure was taken down[1]. Spamhaus is
working with various law enforcement agencies to help remediate
compromised email accounts[2]. We are contacting you because we believe
that Qakbot may have compromised email accounts located on
hetzner.com's network.

What action do you need to take?

- A list of email accounts that we think are affected on
hetzner.com's network is available below.
- The only action required is to change the passwords for all the affected
accounts.
- This is urgent - please do this as quickly as possible. These breached
accounts may have been shared with other criminals for use with
different active botnets for malicious purposes.

See also:
https://www.spamhaus.org/qakbot/


How has this data been compiled?

- The law enforcement agencies have made available the compromised email
account/addresses to Spamhaus.
- Using this data, we have obtained the primary MX record for the
compromised account's domain and the network responsible for the MX's
IP. We hope this network can directly or indirectly assist in these
remediation efforts.


Thank you for your time and willingness to help!


[1] https://www.fbi.gov/news/stories/fbi-partners-dismantle-qakbot-infrastructure-in-multinational-cyber-takedown
[2] https://www.spamhaus.org/news/article/819/qakbot-the-takedown-and-the-remediation


ip, hostname, email

78.47.92.244,test.mailu.io,[[email protected]](mailto:[email protected])

-----

Please note again that this is a notification only, you do not need to respond.

Kind regards

Abuse Team

Hetzner Online GmbH
Industriestr. 25
91710 Gunzenhausen / Germany
Tel: +49 9831 505-0
Fax: +49 9831 505-3
[[email protected]](mailto:[email protected])
www.hetzner.com

Register Court: Registergericht Ansbach, HRB 6089
CEO: Martin Hetzner, Stephan Konvickova, Günther Müller

For the purposes of this communication, we may save some
of your personal data. For information on our data privacy
policy, please see: www.hetzner.com/datenschutzhinweis

As immediate action, I have run docker-compose down on the demo server in /opt/infra/demo and disabled all cron jobs in /etc/crontab to prevent it from coming up again.

If there is someone around that can investigate further and post back here that would be great.

setup 1.7 image

I tried to spin up the setup with docker-compose up -d, but the only container that did not start was stable 1.7.

So I ran docker-compose up stable and got a Python error:

File "/usr/local/lib/python3.9/site-packages/flask/blueprints.py", line 195, in init
stable_1 | raise ValueError("'name' may not contain a dot '.' character.")
stable_1 | ValueError: 'name' may not contain a dot '.' character.

The other containers, 'development' and 'testing', are working.

I played around with the .env file, and putting STABLE=1_7 and fixing the docker-compose.yml to pull the correct image will at least boot. I think the issue is in the Python scripts.

  stable:
    image: mailu/setup:1.7

Let's collect public keys

Here we shall collect project managers public keys for accessing the docs and setup machine(s).

Please use a specific SSH keypair so that any attack on the key you publish here can lead to anything else than Mailu being compromised.

Please use rsa (>= 2048), ecdsa (>= 256) or ed25519.

"mail" certs option didn't add ":ro" for volume mount

Generated configuration was this:

      - "/mailu/certs:/certs"

Though I think this is more appropriate since Mailu is not supposed to generate certificates in this case on its own, thus read-only access should suffice:

      - "/mailu/certs:/certs:ro"

"restart: always" is not a great default

Generally restart: unless-stopped is a better default, since some may want to stop a container temporarily for whatever reason, and having it restart automatically is inconvenient.

Mailu configuration server not accessible via IPv6

Downloading the generated files via IPv6 doesn't work. The download times out after two minutes and wget reverts to IPv4.

root@localhost:~# wget https://setup.mailu.io/1.8/file/94e9b53e-f43f-4837-bc4c-e841c53cfa31/docker-compose.yml
--2021-08-23 19:03:10--  https://setup.mailu.io/1.8/file/94e9b53e-f43f-4837-bc4c-e841c53cfa31/docker-compose.yml
Resolving setup.mailu.io (setup.mailu.io)... 2a01:4f8:c2c:f707::1, 78.47.92.244
Connecting to setup.mailu.io (setup.mailu.io)|2a01:4f8:c2c:f707::1|:443... failed: Connection timed out.
Connecting to setup.mailu.io (setup.mailu.io)|78.47.92.244|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2316 (2.3K) [application/text]
Saving to: ‘docker-compose.yml’

docker-compose.yml.2  100%[=========================>]   2.26K  --.-KB/s    in 0s      

2021-08-23 19:05:20 (54.0 MB/s) - ‘docker-compose.yml’ saved [2316/2316]

The server responds to ping on IPv6 so the problem is probably related to the web server configuration.

root@localhost:~# ping setup.mailu.io
PING setup.mailu.io(test.mailu.io (2a01:4f8:c2c:f707::1)) 56 data bytes
64 bytes from test.mailu.io (2a01:4f8:c2c:f707::1): icmp_seq=1 ttl=56 time=4.19 ms

The above commands were run on a standard Linode Ubuntu server.

Setup doesn't allow valid paths

I had /abc/x.y.z/mailu specified as path in setup, but setup refused to accept it. I had to use /mailu and edit it afterwards manually. Would be more convenient if it supported the original path though.
