first

data/Dockerfiles/dovecot/Dockerfile

@@ -0,0 +1,136 @@
+FROM alpine:3.20
+
+LABEL maintainer="The Infrastructure Company GmbH <info@servercow.de>"
+
+# renovate: datasource=github-releases depName=tianon/gosu versioning=semver-coerced extractVersion=^(?<version>.*)$
+ARG GOSU_VERSION=1.16
+
+ENV LANG=C.UTF-8
+ENV LC_ALL=C.UTF-8
+
+# Add groups and users before installing Dovecot to not break compatibility
+RUN addgroup -g 5000 vmail \
+  && addgroup -g 401 dovecot \
+  && addgroup -g 402 dovenull \
+  && sed -i "s/999/99/" /etc/group \
+  && addgroup -g 999 sogo \
+  && addgroup nobody sogo \
+  && adduser -D -u 5000 -G vmail -h /var/vmail vmail \
+  && adduser -D -G dovecot -u 401 -h /dev/null -s /sbin/nologin dovecot \
+  && adduser -D -G dovenull -u 402 -h /dev/null -s /sbin/nologin dovenull \
+  && apk add --no-cache --update \
+  bash \
+  bind-tools \
+  findutils \
+  envsubst \
+  ca-certificates \
+  curl \
+  coreutils \
+  jq \
+  lua \
+  lua-cjson \
+  lua-socket \
+  lua-sql-mysql \
+  lua5.3-sql-mysql \
+  icu-data-full \
+  mariadb-connector-c \
+  gcompat \
+  mariadb-client \
+  perl \
+  perl-ntlm \
+  perl-cgi \
+  perl-crypt-openssl-rsa \
+  perl-utils \
+  perl-crypt-ssleay \
+  perl-data-uniqid \
+  perl-dbd-mysql \
+  perl-dbi \
+  perl-digest-hmac \
+  perl-dist-checkconflicts \
+  perl-encode-imaputf7 \
+  perl-file-copy-recursive \
+  perl-file-tail \
+  perl-io-socket-inet6 \
+  perl-io-gzip \
+  perl-io-socket-ssl \
+  perl-io-tee \
+  perl-ipc-run \
+  perl-json-webtoken \
+  perl-mail-imapclient \
+  perl-module-implementation \
+  perl-module-scandeps \
+  perl-net-ssleay \
+  perl-package-stash \
+  perl-package-stash-xs \
+  perl-par-packer \
+  perl-parse-recdescent \
+  perl-lockfile-simple \
+  libproc \
+  perl-readonly \
+  perl-regexp-common \
+  perl-sys-meminfo \
+  perl-term-readkey \
+  perl-test-deep \
+  perl-test-fatal \
+  perl-test-mockobject \
+  perl-test-mock-guard \
+  perl-test-pod \
+  perl-test-requires \
+  perl-test-simple \
+  perl-test-warn \
+  perl-try-tiny \
+  perl-unicode-string \
+  perl-proc-processtable \
+  perl-app-cpanminus \
+  procps \
+  python3 \
+  py3-mysqlclient \
+  py3-html2text \
+  py3-jinja2 \
+  py3-redis \
+  redis \
+  syslog-ng \
+  syslog-ng-redis \
+  syslog-ng-json \
+  supervisor \
+  tzdata \
+  wget \
+  dovecot \
+  dovecot-dev \
+  dovecot-lmtpd \
+  dovecot-lua \
+  dovecot-ldap \
+  dovecot-mysql \
+  dovecot-sql \
+  dovecot-submissiond \
+  dovecot-pigeonhole-plugin \
+  dovecot-pop3d \
+  dovecot-fts-solr \
+  dovecot-fts-flatcurve \
+  && arch=$(arch | sed s/aarch64/arm64/ | sed s/x86_64/amd64/) \
+  && wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$arch" \
+  && chmod +x /usr/local/bin/gosu \
+  && gosu nobody true
+
+COPY trim_logs.sh /usr/local/bin/trim_logs.sh
+COPY clean_q_aged.sh /usr/local/bin/clean_q_aged.sh
+COPY syslog-ng.conf /etc/syslog-ng/syslog-ng.conf
+COPY syslog-ng-redis_slave.conf /etc/syslog-ng/syslog-ng-redis_slave.conf
+COPY imapsync /usr/local/bin/imapsync
+COPY imapsync_runner.pl /usr/local/bin/imapsync_runner.pl
+COPY report-spam.sieve /usr/lib/dovecot/sieve/report-spam.sieve
+COPY report-ham.sieve /usr/lib/dovecot/sieve/report-ham.sieve
+COPY rspamd-pipe-ham /usr/lib/dovecot/sieve/rspamd-pipe-ham
+COPY rspamd-pipe-spam /usr/lib/dovecot/sieve/rspamd-pipe-spam
+COPY sa-rules.sh /usr/local/bin/sa-rules.sh
+COPY maildir_gc.sh /usr/local/bin/maildir_gc.sh
+COPY docker-entrypoint.sh /
+COPY supervisord.conf /etc/supervisor/supervisord.conf
+COPY stop-supervisor.sh /usr/local/sbin/stop-supervisor.sh
+COPY quarantine_notify.py /usr/local/bin/quarantine_notify.py
+COPY quota_notify.py /usr/local/bin/quota_notify.py
+COPY repl_health.sh /usr/local/bin/repl_health.sh
+COPY optimize-fts.sh /usr/local/bin/optimize-fts.sh
+
+ENTRYPOINT ["/docker-entrypoint.sh"]
+CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/supervisord.conf"]

data/Dockerfiles/dovecot/clean_q_aged.sh

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+source /source_env.sh
+
+MAX_AGE=$(redis-cli --raw -h redis-mailcow GET Q_MAX_AGE)
+
+if [[ -z ${MAX_AGE} ]]; then
+  echo "Max age for quarantine items not defined"
+  exit 1
+fi
+
+NUM_REGEXP='^[0-9]+$'
+if ! [[ ${MAX_AGE} =~ ${NUM_REGEXP} ]] ; then
+  echo "Max age for quarantine items invalid"
+  exit 1
+fi
+
+TO_DELETE=$(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT COUNT(id) FROM quarantine WHERE created < NOW() - INTERVAL ${MAX_AGE//[!0-9]/} DAY" -BN)
+mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "DELETE FROM quarantine WHERE created < NOW() - INTERVAL ${MAX_AGE//[!0-9]/} DAY"
+echo "Deleted ${TO_DELETE} items from quarantine table (max age is ${MAX_AGE//[!0-9]/} days)"

data/Dockerfiles/dovecot/docker-entrypoint.sh

@@ -0,0 +1,493 @@
+#!/bin/bash
+set -e
+
+# Wait for MySQL to warm-up
+while ! mariadb-admin status --ssl=false --socket=/var/run/mysqld/mysqld.sock -u${DBUSER} -p${DBPASS} --silent; do
+  echo "Waiting for database to come up..."
+  sleep 2
+done
+
+until dig +short mailcow.email > /dev/null; do
+  echo "Waiting for DNS..."
+  sleep 1
+done
+
+# Do not attempt to write to slave
+if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
+  REDIS_CMDLINE="redis-cli -h ${REDIS_SLAVEOF_IP} -p ${REDIS_SLAVEOF_PORT}"
+else
+  REDIS_CMDLINE="redis-cli -h redis -p 6379"
+fi
+
+until [[ $(${REDIS_CMDLINE} PING) == "PONG" ]]; do
+  echo "Waiting for Redis..."
+  sleep 2
+done
+
+${REDIS_CMDLINE} SET DOVECOT_REPL_HEALTH 1 > /dev/null
+
+# Create missing directories
+[[ ! -d /etc/dovecot/sql/ ]] && mkdir -p /etc/dovecot/sql/
+[[ ! -d /etc/dovecot/lua/ ]] && mkdir -p /etc/dovecot/lua/
+[[ ! -d /etc/dovecot/conf.d/ ]] && mkdir -p /etc/dovecot/conf.d/
+[[ ! -d /var/vmail/_garbage ]] && mkdir -p /var/vmail/_garbage
+[[ ! -d /var/vmail/sieve ]] && mkdir -p /var/vmail/sieve
+[[ ! -d /etc/sogo ]] && mkdir -p /etc/sogo
+[[ ! -d /var/volatile ]] && mkdir -p /var/volatile
+
+# Set Dovecot sql config parameters, escape " in db password
+DBPASS=$(echo ${DBPASS} | sed 's/"/\\"/g')
+
+# Create quota dict for Dovecot
+if [[ "${MASTER}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
+  QUOTA_TABLE=quota2
+else
+  QUOTA_TABLE=quota2replica
+fi
+cat <<EOF > /etc/dovecot/sql/dovecot-dict-sql-quota.conf
+# Autogenerated by mailcow
+connect = "host=/var/run/mysqld/mysqld.sock dbname=${DBNAME} user=${DBUSER} password=${DBPASS}"
+map {
+  pattern = priv/quota/storage
+  table = ${QUOTA_TABLE}
+  username_field = username
+  value_field = bytes
+}
+map {
+  pattern = priv/quota/messages
+  table = ${QUOTA_TABLE}
+  username_field = username
+  value_field = messages
+}
+EOF
+
+# Create dict used for sieve pre and postfilters
+cat <<EOF > /etc/dovecot/sql/dovecot-dict-sql-sieve_before.conf
+# Autogenerated by mailcow
+connect = "host=/var/run/mysqld/mysqld.sock dbname=${DBNAME} user=${DBUSER} password=${DBPASS}"
+map {
+  pattern = priv/sieve/name/\$script_name
+  table = sieve_before
+  username_field = username
+  value_field = id
+  fields {
+    script_name = \$script_name
+  }
+}
+map {
+  pattern = priv/sieve/data/\$id
+  table = sieve_before
+  username_field = username
+  value_field = script_data
+  fields {
+    id = \$id
+  }
+}
+EOF
+
+cat <<EOF > /etc/dovecot/sql/dovecot-dict-sql-sieve_after.conf
+# Autogenerated by mailcow
+connect = "host=/var/run/mysqld/mysqld.sock dbname=${DBNAME} user=${DBUSER} password=${DBPASS}"
+map {
+  pattern = priv/sieve/name/\$script_name
+  table = sieve_after
+  username_field = username
+  value_field = id
+  fields {
+    script_name = \$script_name
+  }
+}
+map {
+  pattern = priv/sieve/data/\$id
+  table = sieve_after
+  username_field = username
+  value_field = script_data
+  fields {
+    id = \$id
+  }
+}
+EOF
+
+echo -n ${ACL_ANYONE} > /etc/dovecot/acl_anyone
+
+if [[ "${FLATCURVE_EXPERIMENTAL}" =~ ^([yY][eE][sS]|[yY]) ]]; then
+echo -e "\e[33mActivating Flatcurve as FTS Backend...\e[0m"
+echo -e "\e[33mDepending on your previous setup a full reindex might be needed... \e[0m"
+echo -e "\e[34mVisit https://docs.mailcow.email/manual-guides/Dovecot/u_e-dovecot-fts/#fts-related-dovecot-commands to learn how to reindex\e[0m"
+echo -n 'quota acl zlib mail_crypt mail_crypt_acl mail_log notify fts fts_flatcurve listescape replication' > /etc/dovecot/mail_plugins
+echo -n 'quota imap_quota imap_acl acl zlib imap_zlib imap_sieve mail_crypt mail_crypt_acl notify mail_log fts fts_flatcurve listescape replication' > /etc/dovecot/mail_plugins_imap
+echo -n 'quota sieve acl zlib mail_crypt mail_crypt_acl fts fts_flatcurve notify listescape replication' > /etc/dovecot/mail_plugins_lmtp
+elif [[ "${SKIP_SOLR}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
+echo -n 'quota acl zlib mail_crypt mail_crypt_acl mail_log notify listescape replication' > /etc/dovecot/mail_plugins
+echo -n 'quota imap_quota imap_acl acl zlib imap_zlib imap_sieve mail_crypt mail_crypt_acl notify listescape replication mail_log' > /etc/dovecot/mail_plugins_imap
+echo -n 'quota sieve acl zlib mail_crypt mail_crypt_acl notify listescape replication' > /etc/dovecot/mail_plugins_lmtp
+else
+echo -n 'quota acl zlib mail_crypt mail_crypt_acl mail_log notify fts fts_solr listescape replication' > /etc/dovecot/mail_plugins
+echo -n 'quota imap_quota imap_acl acl zlib imap_zlib imap_sieve mail_crypt mail_crypt_acl notify mail_log fts fts_solr listescape replication' > /etc/dovecot/mail_plugins_imap
+echo -n 'quota sieve acl zlib mail_crypt mail_crypt_acl fts fts_solr notify listescape replication' > /etc/dovecot/mail_plugins_lmtp
+fi
+chmod 644 /etc/dovecot/mail_plugins /etc/dovecot/mail_plugins_imap /etc/dovecot/mail_plugins_lmtp /templates/quarantine.tpl
+
+cat <<EOF > /etc/dovecot/sql/dovecot-dict-sql-userdb.conf
+# Autogenerated by mailcow
+driver = mysql
+connect = "host=/var/run/mysqld/mysqld.sock dbname=${DBNAME} user=${DBUSER} password=${DBPASS}"
+user_query = SELECT CONCAT(JSON_UNQUOTE(JSON_VALUE(attributes, '$.mailbox_format')), mailbox_path_prefix, '%d/%n/${MAILDIR_SUB}:VOLATILEDIR=/var/volatile/%u:INDEX=/var/vmail_index/%u') AS mail, '%s' AS protocol, 5000 AS uid, 5000 AS gid, concat('*:bytes=', quota) AS quota_rule FROM mailbox WHERE username = '%u' AND (active = '1' OR active = '2')
+iterate_query = SELECT username FROM mailbox WHERE active = '1' OR active = '2';
+EOF
+
+cat <<EOF > /etc/dovecot/lua/passwd-verify.lua
+function auth_password_verify(req, pass)
+
+  if req.domain == nil then
+    return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, "No such user"
+  end
+
+  if cur == nil then
+    script_init()
+  end
+
+  if req.user == nil then
+    req.user = ''
+  end
+
+  respbody = {}
+
+  -- check against mailbox passwds
+  local cur,errorString = con:execute(string.format([[SELECT password FROM mailbox
+    WHERE username = '%s'
+      AND active = '1'
+      AND domain IN (SELECT domain FROM domain WHERE domain='%s' AND active='1')
+      AND IFNULL(JSON_UNQUOTE(JSON_VALUE(mailbox.attributes, '$.force_pw_update')), 0) != '1'
+      AND IFNULL(JSON_UNQUOTE(JSON_VALUE(attributes, '$.%s_access')), 1) = '1']], con:escape(req.user), con:escape(req.domain), con:escape(req.service)))
+  local row = cur:fetch ({}, "a")
+  while row do
+    if req.password_verify(req, row.password, pass) == 1 then
+      con:execute(string.format([[REPLACE INTO sasl_log (service, app_password, username, real_rip)
+        VALUES ("%s", 0, "%s", "%s")]], con:escape(req.service), con:escape(req.user), con:escape(req.real_rip)))
+      cur:close()
+      con:close()
+      return dovecot.auth.PASSDB_RESULT_OK, ""
+    end
+    row = cur:fetch (row, "a")
+  end
+
+  -- check against app passwds for imap and smtp
+  -- app passwords are only available for imap, smtp, sieve and pop3 when using sasl
+  if req.service == "smtp" or req.service == "imap" or req.service == "sieve" or req.service == "pop3" then
+    local cur,errorString = con:execute(string.format([[SELECT app_passwd.id, %s_access AS has_prot_access, app_passwd.password FROM app_passwd
+      INNER JOIN mailbox ON mailbox.username = app_passwd.mailbox
+      WHERE mailbox = '%s'
+        AND app_passwd.active = '1'
+        AND mailbox.active = '1'
+        AND app_passwd.domain IN (SELECT domain FROM domain WHERE domain='%s' AND active='1')]], con:escape(req.service), con:escape(req.user), con:escape(req.domain)))
+    local row = cur:fetch ({}, "a")
+    while row do
+      if req.password_verify(req, row.password, pass) == 1 then
+        -- if password is valid and protocol access is 1 OR real_rip matches SOGo, proceed
+        if tostring(req.real_rip) == "__IPV4_SOGO__" then
+          cur:close()
+          con:close()
+          return dovecot.auth.PASSDB_RESULT_OK, ""
+        elseif row.has_prot_access == "1" then
+          con:execute(string.format([[REPLACE INTO sasl_log (service, app_password, username, real_rip)
+            VALUES ("%s", %d, "%s", "%s")]], con:escape(req.service), row.id, con:escape(req.user), con:escape(req.real_rip)))
+          cur:close()
+          con:close()
+          return dovecot.auth.PASSDB_RESULT_OK, ""
+        end
+      end
+      row = cur:fetch (row, "a")
+    end
+  end
+
+  cur:close()
+  con:close()
+
+  return dovecot.auth.PASSDB_RESULT_PASSWORD_MISMATCH, "Failed to authenticate"
+
+  -- PoC
+  -- local reqbody = string.format([[{
+  --   "success":0,
+  --   "service":"%s",
+  --   "app_password":false,
+  --   "username":"%s",
+  --   "real_rip":"%s"
+  -- }]], con:escape(req.service), con:escape(req.user), con:escape(req.real_rip))
+  -- http.request {
+  --   method = "POST",
+  --   url = "http://nginx:8081/sasl_log.php",
+  --   source = ltn12.source.string(reqbody),
+  --   headers = {
+  --     ["content-type"] = "application/json",
+  --     ["content-length"] = tostring(#reqbody)
+  --   },
+  --   sink = ltn12.sink.table(respbody)
+  -- }
+
+end
+
+function auth_passdb_lookup(req)
+   return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, ""
+end
+
+function script_init()
+  mysql = require "luasql.mysql"
+  http = require "socket.http"
+  http.TIMEOUT = 5
+  ltn12 = require "ltn12"
+  env  = mysql.mysql()
+  con = env:connect("__DBNAME__","__DBUSER__","__DBPASS__","localhost")
+  return 0
+end
+
+function script_deinit()
+  con:close()
+  env:close()
+end
+EOF
+
+# Temporarily set FTS depending on user choice inside mailcow.conf. Will be removed as soon as Solr is dropped
+if [[ "${FLATCURVE_EXPERIMENTAL}" =~ ^([yY][eE][sS]|[yY])$ ]]; then
+cat <<EOF > /etc/dovecot/conf.d/fts.conf
+# Autogenerated by mailcow
+plugin {
+    fts_autoindex = yes
+    fts_autoindex_exclude = \Junk
+    fts_autoindex_exclude2 = \Trash
+    fts = flatcurve
+
+    # Maximum term length can be set via the 'maxlen' argument (maxlen is
+    # specified in bytes, not number of UTF-8 characters)
+    fts_tokenizer_email_address = maxlen=100
+    fts_tokenizer_generic = algorithm=simple maxlen=30
+
+    # These are not flatcurve settings, but required for Dovecot FTS. See
+    # Dovecot FTS Configuration link above for further information.
+    fts_languages = en es de
+    fts_tokenizers = generic email-address
+
+    # OPTIONAL: Recommended default FTS core configuration
+    fts_filters = normalizer-icu snowball stopwords
+    fts_filters_en = lowercase snowball english-possessive stopwords
+}
+EOF
+elif [[ ! "${SKIP_SOLR}" =~ ^([yY][eE][sS]|[yY])$ ]]; then
+cat <<EOF > /etc/dovecot/conf.d/fts.conf
+# Autogenerated by mailcow
+plugin {
+  fts = solr
+  fts_autoindex = yes
+  fts_autoindex_exclude = \Junk
+  fts_autoindex_exclude2 = \Trash
+  fts_solr = url=http://solr:8983/solr/dovecot-fts/
+
+  fts_tokenizers = generic email-address
+  fts_tokenizer_generic = algorithm=simple
+
+  fts_filters = normalizer-icu snowball stopwords
+  fts_filters_en = lowercase snowball english-possessive stopwords
+}
+EOF
+fi
+
+
+# Replace patterns in app-passdb.lua
+sed -i "s/__DBUSER__/${DBUSER}/g" /etc/dovecot/lua/passwd-verify.lua
+sed -i "s/__DBPASS__/${DBPASS}/g" /etc/dovecot/lua/passwd-verify.lua
+sed -i "s/__DBNAME__/${DBNAME}/g" /etc/dovecot/lua/passwd-verify.lua
+sed -i "s/__IPV4_SOGO__/${IPV4_NETWORK}.248/g" /etc/dovecot/lua/passwd-verify.lua
+
+
+# Migrate old sieve_after file
+[[ -f /etc/dovecot/sieve_after ]] && mv /etc/dovecot/sieve_after /etc/dovecot/global_sieve_after
+# Create global sieve scripts
+cat /etc/dovecot/global_sieve_after > /var/vmail/sieve/global_sieve_after.sieve
+cat /etc/dovecot/global_sieve_before > /var/vmail/sieve/global_sieve_before.sieve
+
+# Check permissions of vmail/index/garbage directories.
+# Do not do this every start-up, it may take a very long time. So we use a stat check here.
+if [[ $(stat -c %U /var/vmail/) != "vmail" ]] ; then chown -R vmail:vmail /var/vmail ; fi
+if [[ $(stat -c %U /var/vmail/_garbage) != "vmail" ]] ; then chown -R vmail:vmail /var/vmail/_garbage ; fi
+if [[ $(stat -c %U /var/vmail_index) != "vmail" ]] ; then chown -R vmail:vmail /var/vmail_index ; fi
+
+# Cleanup random user maildirs
+rm -rf /var/vmail/mailcow.local/*
+# Cleanup PIDs
+[[ -f /tmp/quarantine_notify.pid ]] && rm /tmp/quarantine_notify.pid
+
+# create sni configuration
+echo "" > /etc/dovecot/sni.conf
+for cert_dir in /etc/ssl/mail/*/ ; do
+  if [[ ! -f ${cert_dir}domains ]] || [[ ! -f ${cert_dir}cert.pem ]] || [[ ! -f ${cert_dir}key.pem ]]; then
+    continue
+  fi
+  domains=($(cat ${cert_dir}domains))
+  for domain in ${domains[@]}; do
+    echo 'local_name '${domain}' {' >> /etc/dovecot/sni.conf;
+    echo '  ssl_cert = <'${cert_dir}'cert.pem' >> /etc/dovecot/sni.conf;
+    echo '  ssl_key = <'${cert_dir}'key.pem' >> /etc/dovecot/sni.conf;
+    echo '}' >> /etc/dovecot/sni.conf;
+  done
+done
+
+# Create random master for SOGo sieve features
+RAND_USER=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 16 | head -n 1)
+RAND_PASS=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 24 | head -n 1)
+
+if [[ ! -z ${DOVECOT_MASTER_USER} ]] && [[ ! -z ${DOVECOT_MASTER_PASS} ]]; then
+  RAND_USER=${DOVECOT_MASTER_USER}
+  RAND_PASS=${DOVECOT_MASTER_PASS}
+fi
+echo ${RAND_USER}@mailcow.local:{SHA1}$(echo -n ${RAND_PASS} | sha1sum | awk '{print $1}'):::::: > /etc/dovecot/dovecot-master.passwd
+echo ${RAND_USER}@mailcow.local::5000:5000:::: > /etc/dovecot/dovecot-master.userdb
+echo ${RAND_USER}@mailcow.local:${RAND_PASS} > /etc/sogo/sieve.creds
+
+if [[ -z ${MAILDIR_SUB} ]]; then
+  MAILDIR_SUB_SHARED=
+else
+  MAILDIR_SUB_SHARED=/${MAILDIR_SUB}
+fi
+cat <<EOF > /etc/dovecot/shared_namespace.conf
+# Autogenerated by mailcow
+namespace {
+    type = shared
+    separator = /
+    prefix = Shared/%%u/
+    location = maildir:%%h${MAILDIR_SUB_SHARED}:INDEX=~${MAILDIR_SUB_SHARED}/Shared/%%u
+    subscriptions = no
+    list = children
+}
+EOF
+
+
+cat <<EOF > /etc/dovecot/sogo_trusted_ip.conf
+# Autogenerated by mailcow
+remote ${IPV4_NETWORK}.248 {
+  disable_plaintext_auth = no
+}
+EOF
+
+# Create random master Password for SOGo SSO
+RAND_PASS=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 32 | head -n 1)
+echo -n ${RAND_PASS} > /etc/phpfpm/sogo-sso.pass
+cat <<EOF > /etc/dovecot/sogo-sso.conf
+# Autogenerated by mailcow
+passdb {
+  driver = static
+  args = allow_real_nets=${IPV4_NETWORK}.248/32 password={plain}${RAND_PASS}
+}
+EOF
+
+if [[ "${MASTER}" =~ ^([nN][oO]|[nN])+$ ]]; then
+  # Toggling MASTER will result in a rebuild of containers, so the quota script will be recreated
+  cat <<'EOF' > /usr/local/bin/quota_notify.py
+#!/usr/bin/python3
+import sys
+sys.exit()
+EOF
+fi
+
+# Set mail_replica for HA setups
+if [[ -n ${MAILCOW_REPLICA_IP} && -n ${DOVEADM_REPLICA_PORT} ]]; then
+  cat <<EOF > /etc/dovecot/mail_replica.conf
+# Autogenerated by mailcow
+mail_replica = tcp:${MAILCOW_REPLICA_IP}:${DOVEADM_REPLICA_PORT}
+EOF
+fi
+
+# 401 is user dovecot
+if [[ ! -s /mail_crypt/ecprivkey.pem || ! -s /mail_crypt/ecpubkey.pem ]]; then
+	openssl ecparam -name prime256v1 -genkey | openssl pkey -out /mail_crypt/ecprivkey.pem
+	openssl pkey -in /mail_crypt/ecprivkey.pem -pubout -out /mail_crypt/ecpubkey.pem
+	chown 401 /mail_crypt/ecprivkey.pem /mail_crypt/ecpubkey.pem
+else
+	chown 401 /mail_crypt/ecprivkey.pem /mail_crypt/ecpubkey.pem
+fi
+
+# Compile sieve scripts
+sievec /var/vmail/sieve/global_sieve_before.sieve
+sievec /var/vmail/sieve/global_sieve_after.sieve
+sievec /usr/lib/dovecot/sieve/report-spam.sieve
+sievec /usr/lib/dovecot/sieve/report-ham.sieve
+
+# Fix permissions
+chown root:root /etc/dovecot/sql/*.conf
+chown root:dovecot /etc/dovecot/sql/dovecot-dict-sql-sieve* /etc/dovecot/sql/dovecot-dict-sql-quota* /etc/dovecot/lua/passwd-verify.lua
+chmod 640 /etc/dovecot/sql/*.conf /etc/dovecot/lua/passwd-verify.lua
+chown -R vmail:vmail /var/vmail/sieve
+chown -R vmail:vmail /var/volatile
+chown -R vmail:vmail /var/vmail_index
+adduser vmail tty
+chmod g+rw /dev/console
+chown root:tty /dev/console
+chmod +x /usr/lib/dovecot/sieve/rspamd-pipe-ham \
+  /usr/lib/dovecot/sieve/rspamd-pipe-spam \
+  /usr/local/bin/imapsync_runner.pl \
+  /usr/local/bin/imapsync \
+  /usr/local/bin/trim_logs.sh \
+  /usr/local/bin/sa-rules.sh \
+  /usr/local/bin/clean_q_aged.sh \
+  /usr/local/bin/maildir_gc.sh \
+  /usr/local/sbin/stop-supervisor.sh \
+  /usr/local/bin/quota_notify.py \
+  /usr/local/bin/repl_health.sh \
+  /usr/local/bin/optimize-fts.sh
+
+# Prepare environment file for cronjobs
+printenv | sed 's/^\(.*\)$/export \1/g' > /source_env.sh
+
+# Clean old PID if any
+[[ -f /var/run/dovecot/master.pid ]] && rm /var/run/dovecot/master.pid
+
+# Clean stopped imapsync jobs
+rm -f /tmp/imapsync_busy.lock
+IMAPSYNC_TABLE=$(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SHOW TABLES LIKE 'imapsync'" -Bs)
+[[ ! -z ${IMAPSYNC_TABLE} ]] && mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "UPDATE imapsync SET is_running='0'"
+
+# Envsubst maildir_gc
+echo "$(envsubst < /usr/local/bin/maildir_gc.sh)" > /usr/local/bin/maildir_gc.sh
+
+# GUID generation
+while [[ ${VERSIONS_OK} != 'OK' ]]; do
+  if [[ ! -z $(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -B -e "SELECT 'OK' FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA = \"${DBNAME}\" AND TABLE_NAME = 'versions'") ]]; then
+    VERSIONS_OK=OK
+  else
+    echo "Waiting for versions table to be created..."
+    sleep 3
+  fi
+done
+PUBKEY_MCRYPT=$(doveconf -P 2> /dev/null | grep -i mail_crypt_global_public_key | cut -d '<' -f2)
+if [ -f ${PUBKEY_MCRYPT} ]; then
+  GUID=$(cat <(echo ${MAILCOW_HOSTNAME}) /mail_crypt/ecpubkey.pem | sha256sum | cut -d ' ' -f1 | tr -cd "[a-fA-F0-9.:/] ")
+  if [ ${#GUID} -eq 64 ]; then
+    mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} << EOF
+REPLACE INTO versions (application, version) VALUES ("GUID", "${GUID}");
+EOF
+  else
+    mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} << EOF
+REPLACE INTO versions (application, version) VALUES ("GUID", "INVALID");
+EOF
+  fi
+fi
+
+# Collect SA rules once now
+/usr/local/bin/sa-rules.sh
+
+# Run hooks
+for file in /hooks/*; do
+  if [ -x "${file}" ]; then
+    echo "Running hook ${file}"
+    "${file}"
+  fi
+done
+
+# For some strange, unknown and stupid reason, Dovecot may run into a race condition, when this file is not touched before it is read by dovecot/auth
+# May be related to something inside Docker, I seriously don't know
+touch /etc/dovecot/lua/passwd-verify.lua
+
+if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
+  cp /etc/syslog-ng/syslog-ng-redis_slave.conf /etc/syslog-ng/syslog-ng.conf
+fi
+
+exec "$@"

data/Dockerfiles/dovecot/imapsync_runner.pl

@@ -0,0 +1,196 @@
+#!/usr/bin/perl
+
+use DBI;
+use LockFile::Simple qw(lock trylock unlock);
+use Proc::ProcessTable;
+use Data::Dumper qw(Dumper);
+use IPC::Run 'run';
+use File::Temp;
+use Try::Tiny;
+use sigtrap 'handler' => \&sig_handler, qw(INT TERM KILL QUIT);
+
+sub trim { my $s = shift; $s =~ s/^\s+|\s+$//g; return $s };
+my $t = Proc::ProcessTable->new;
+my $imapsync_running = grep { $_->{cmndline} =~ /imapsync\s/i } @{$t->table};
+if ($imapsync_running ge 1)
+{
+  print "imapsync is active, exiting...";
+  exit;
+}
+
+sub qqw($) {
+  my @params = ();
+  my @values = split(/(?=--)/, $_[0]);
+  foreach my $val (@values) {
+    my @tmpparam = split(/ /, $val, 2);
+    foreach my $tmpval (@tmpparam) {
+        if ($tmpval ne '') {
+          push @params, $tmpval;
+        }
+    }
+  }
+  foreach my $val (@params) {
+    $val=trim($val);
+  }
+  return @params;
+}
+
+$run_dir="/tmp";
+$dsn = 'DBI:mysql:database=' . $ENV{'DBNAME'} . ';mysql_socket=/var/run/mysqld/mysqld.sock';
+$lock_file = $run_dir . "/imapsync_busy";
+$lockmgr = LockFile::Simple->make(-autoclean => 1, -max => 1);
+$lockmgr->lock($lock_file) || die "can't lock ${lock_file}";
+$dbh = DBI->connect($dsn, $ENV{'DBUSER'}, $ENV{'DBPASS'}, {
+  mysql_auto_reconnect => 1,
+  mysql_enable_utf8mb4 => 1
+});
+$dbh->do("UPDATE imapsync SET is_running = 0");
+
+sub sig_handler {
+  # Send die to force exception in "run"
+  die "sig_handler received signal, preparing to exit...\n";
+};
+
+open my $file, '<', "/etc/sogo/sieve.creds"; 
+my $creds = <$file>; 
+close $file;
+my ($master_user, $master_pass) = split /:/, $creds;
+my $sth = $dbh->prepare("SELECT id,
+  user1,
+  user2,
+  host1,
+  authmech1,
+  password1,
+  exclude,
+  port1,
+  enc1,
+  delete2duplicates,
+  maxage,
+  subfolder2,
+  delete1,
+  delete2,
+  automap,
+  skipcrossduplicates,
+  maxbytespersecond,
+  custom_params,
+  subscribeall,
+  timeout1,
+  timeout2,
+  dry
+    FROM imapsync
+      WHERE active = 1
+        AND is_running = 0
+        AND (
+          UNIX_TIMESTAMP(NOW()) - UNIX_TIMESTAMP(last_run) > mins_interval * 60
+          OR
+          last_run IS NULL)
+  ORDER BY last_run");
+
+$sth->execute();
+my $row;
+
+while ($row = $sth->fetchrow_arrayref()) {
+
+  $id                  = @$row[0];
+  $user1               = @$row[1];
+  $user2               = @$row[2];
+  $host1               = @$row[3];
+  $authmech1           = @$row[4];
+  $password1           = @$row[5];
+  $exclude             = @$row[6];
+  $port1               = @$row[7];
+  $enc1                = @$row[8];
+  $delete2duplicates   = @$row[9];
+  $maxage              = @$row[10];
+  $subfolder2          = @$row[11];
+  $delete1             = @$row[12];
+  $delete2             = @$row[13];
+  $automap             = @$row[14];
+  $skipcrossduplicates = @$row[15];
+  $maxbytespersecond   = @$row[16];
+  $custom_params       = @$row[17];
+  $subscribeall        = @$row[18];
+  $timeout1            = @$row[19];
+  $timeout2            = @$row[20];
+  $dry                 = @$row[21];
+
+  if ($enc1 eq "TLS") { $enc1 = "--tls1"; } elsif ($enc1 eq "SSL") { $enc1 = "--ssl1"; } else { undef $enc1; }
+
+  my $template = $run_dir . '/imapsync.XXXXXXX';
+  my $passfile1 = File::Temp->new(TEMPLATE => $template);
+  my $passfile2 = File::Temp->new(TEMPLATE => $template);
+  
+  binmode( $passfile1, ":utf8" );
+  
+  print $passfile1 "$password1\n";
+  print $passfile2 trim($master_pass) . "\n";
+
+  my @custom_params_a = qqw($custom_params);
+  my $custom_params_ref = \@custom_params_a;
+
+  my $generated_cmds = [ "/usr/local/bin/imapsync",
+  "--tmpdir", "/tmp",
+  "--nofoldersizes",
+  "--addheader",
+  ($timeout1 gt "0" ? () : ('--timeout1', $timeout1)),
+  ($timeout2 gt "0" ? () : ('--timeout2', $timeout2)),
+  ($exclude eq "" ? () : ("--exclude", $exclude)),
+  ($subfolder2 eq "" ? () : ('--subfolder2', $subfolder2)),
+  ($maxage eq "0" ? () : ('--maxage', $maxage)),
+  ($maxbytespersecond eq "0" ? () : ('--maxbytespersecond', $maxbytespersecond)),
+  ($delete2duplicates ne "1" ? () : ('--delete2duplicates')),
+  ($subscribeall  ne "1" ? () : ('--subscribeall')),
+  ($delete1 ne "1" ? () : ('--delete')),
+  ($delete2 ne "1" ? () : ('--delete2')),
+  ($automap ne "1" ? () : ('--automap')),
+  ($skipcrossduplicates ne "1" ? () : ('--skipcrossduplicates')),
+  (!defined($enc1) ? () : ($enc1)),
+  "--host1", $host1,
+  "--user1", $user1,
+  "--passfile1", $passfile1->filename,
+  "--port1", $port1,
+  "--host2", "localhost",
+  "--user2", $user2 . '*' . trim($master_user),
+  "--passfile2", $passfile2->filename,
+  ($dry eq "1" ? ('--dry') : ()),
+  '--no-modulesversion',
+  '--noreleasecheck'];
+
+  try {
+    $is_running = $dbh->prepare("UPDATE imapsync SET is_running = 1, success = NULL, exit_status = NULL WHERE id = ?");
+    $is_running->bind_param( 1, ${id} );
+    $is_running->execute();
+
+    run [@$generated_cmds, @$custom_params_ref], '&>', \my $stdout;
+
+    # check exit code and status
+    ($exit_code, $exit_status) = ($stdout =~ m/Exiting\swith\sreturn\svalue\s(\d+)\s\(([^:)]+)/);
+
+    $success = 0;
+    if (defined $exit_code && $exit_code == 0) {
+      $success = 1;
+    }
+
+    $update = $dbh->prepare("UPDATE imapsync SET returned_text = ?, success = ?, exit_status = ? WHERE id = ?");
+    $update->bind_param( 1, ${stdout} );
+    $update->bind_param( 2, ${success} );
+    $update->bind_param( 3, ${exit_status} );
+    $update->bind_param( 4, ${id} );
+    $update->execute();
+  } catch {
+    $update = $dbh->prepare("UPDATE imapsync SET returned_text = 'Could not start or finish imapsync', success = 0 WHERE id = ?");
+    $update->bind_param( 1, ${id} );
+    $update->execute();
+  } finally {
+    $update = $dbh->prepare("UPDATE imapsync SET last_run = NOW(), is_running = 0 WHERE id = ?");
+    $update->bind_param( 1, ${id} );
+    $update->execute();
+  };
+
+
+}
+
+$sth->finish();
+$dbh->disconnect();
+
+$lockmgr->unlock($lock_file);

data/Dockerfiles/dovecot/maildir_gc.sh

@@ -0,0 +1,2 @@
+#!/bin/bash
+[ -d /var/vmail/_garbage/ ] && /usr/bin/find /var/vmail/_garbage/ -mindepth 1 -maxdepth 1 -type d -cmin +${MAILDIR_GC_TIME} -exec rm -r {} \;

data/Dockerfiles/dovecot/optimize-fts.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+if [[ "${SKIP_SOLR}" =~ ^([yY][eE][sS]|[yY])+$ && ! "${FLATCURVE_EXPERIMENTAL}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
+    exit 0
+else
+    doveadm fts optimize -A
+fi

data/Dockerfiles/dovecot/quarantine_notify.py

@@ -0,0 +1,168 @@
+#!/usr/bin/python3
+
+import smtplib
+import os
+import sys
+import MySQLdb
+from email.mime.multipart import MIMEMultipart
+from email.mime.text import MIMEText
+from email.utils import COMMASPACE, formatdate
+import jinja2
+from jinja2 import Template
+import json
+import redis
+import time
+import html2text
+import socket
+
+pid = str(os.getpid())
+pidfile = "/tmp/quarantine_notify.pid"
+
+if os.path.isfile(pidfile):
+  print("%s already exists, exiting" % (pidfile))
+  sys.exit()
+
+pid = str(os.getpid())
+f = open(pidfile, 'w')
+f.write(pid)
+f.close()
+
+try:
+
+  while True:
+    try:
+      r = redis.StrictRedis(host='redis', decode_responses=True, port=6379, db=0)
+      r.ping()
+    except Exception as ex:
+      print('%s - trying again...'  % (ex))
+      time.sleep(3)
+    else:
+      break
+
+  time_now = int(time.time())
+  mailcow_hostname = os.environ.get('MAILCOW_HOSTNAME')
+
+  max_score = float(r.get('Q_MAX_SCORE') or "9999.0")
+  if max_score == "":
+    max_score = 9999.0
+
+  def query_mysql(query, headers = True, update = False):
+    while True:
+      try:
+        cnx = MySQLdb.connect(user=os.environ.get('DBUSER'), password=os.environ.get('DBPASS'), database=os.environ.get('DBNAME'), charset="utf8mb4", collation="utf8mb4_general_ci")
+      except Exception as ex:
+        print('%s - trying again...'  % (ex))
+        time.sleep(3)
+      else:
+        break
+    cur = cnx.cursor()
+    cur.execute(query)
+    if not update:
+      result = []
+      columns = tuple( [d[0] for d in cur.description] )
+      for row in cur:
+        if headers:
+          result.append(dict(list(zip(columns, row))))
+        else:
+          result.append(row)
+      cur.close()
+      cnx.close()
+      return result
+    else:
+      cnx.commit()
+      cur.close()
+      cnx.close()
+
+  def notify_rcpt(rcpt, msg_count, quarantine_acl, category):
+    if category == "add_header": category = "add header"
+    meta_query = query_mysql('SELECT SHA2(CONCAT(id, qid), 256) AS qhash, id, subject, score, sender, created, action FROM quarantine WHERE notified = 0 AND rcpt = "%s" AND score < %f AND (action = "%s" OR "all" = "%s")' % (rcpt, max_score, category, category))
+    print("%s: %d of %d messages qualify for notification" % (rcpt, len(meta_query), msg_count))
+    if len(meta_query) == 0:
+      return
+    msg_count = len(meta_query)
+    if r.get('Q_HTML'):
+      try:
+        template = Template(r.get('Q_HTML'))
+      except:
+        print("Error: Cannot parse quarantine template, falling back to default template.")
+        with open('/templates/quarantine.tpl') as file_:
+          template = Template(file_.read())
+    else:
+      with open('/templates/quarantine.tpl') as file_:
+        template = Template(file_.read())
+    html = template.render(meta=meta_query, username=rcpt, counter=msg_count, hostname=mailcow_hostname, quarantine_acl=quarantine_acl)
+    text = html2text.html2text(html)
+    count = 0
+    while count < 15:
+      count += 1
+      try:
+        server = smtplib.SMTP('postfix', 590, 'quarantine')
+        server.ehlo()
+        msg = MIMEMultipart('alternative')
+        msg_from = r.get('Q_SENDER') or "quarantine@localhost"
+        # Remove non-ascii chars from field
+        msg['From'] = ''.join([i if ord(i) < 128 else '' for i in msg_from])
+        msg['Subject'] = r.get('Q_SUBJ') or "Spam Quarantine Notification"
+        msg['Date'] = formatdate(localtime = True)
+        text_part = MIMEText(text, 'plain', 'utf-8')
+        html_part = MIMEText(html, 'html', 'utf-8')
+        msg.attach(text_part)
+        msg.attach(html_part)
+        msg['To'] = str(rcpt)
+        bcc = r.get('Q_BCC') or ""
+        redirect = r.get('Q_REDIRECT') or ""
+        text = msg.as_string()
+        if bcc == '':
+          if redirect == '':
+            server.sendmail(msg['From'], str(rcpt), text)
+          else:
+            server.sendmail(msg['From'], str(redirect), text)
+        else:
+          if redirect == '':
+            server.sendmail(msg['From'], [str(rcpt)] + [str(bcc)], text)
+          else:
+            server.sendmail(msg['From'], [str(redirect)] + [str(bcc)], text)
+        server.quit()
+        for res in meta_query:
+         query_mysql('UPDATE quarantine SET notified = 1 WHERE id = "%d"' % (res['id']), update = True)
+        r.hset('Q_LAST_NOTIFIED', record['rcpt'], time_now)
+        break
+      except Exception as ex:
+        server.quit()
+        print('%s'  % (ex))
+        time.sleep(3)
+
+  records = query_mysql('SELECT IFNULL(user_acl.quarantine, 0) AS quarantine_acl, count(id) AS counter, rcpt FROM quarantine LEFT OUTER JOIN user_acl ON user_acl.username = rcpt WHERE notified = 0 AND score < %f AND rcpt in (SELECT username FROM mailbox) GROUP BY rcpt' % (max_score))
+
+  for record in records:
+    attrs = ''
+    attrs_json = ''
+    time_trans = {
+      "hourly": 3600,
+      "daily": 86400,
+      "weekly": 604800
+    }
+    try:
+      last_notification = int(r.hget('Q_LAST_NOTIFIED', record['rcpt']))
+      if last_notification > time_now:
+        print('Last notification is > time now, assuming never')
+        last_notification = 0
+    except Exception as ex:
+      print('Could not determine last notification for %s, assuming never' % (record['rcpt']))
+      last_notification = 0
+    attrs_json = query_mysql('SELECT attributes FROM mailbox WHERE username = "%s"' % (record['rcpt']))
+    attrs = attrs_json[0]['attributes']
+    if isinstance(attrs, str):
+      # if attr is str then just load it
+      attrs = json.loads(attrs)
+    else:
+      # if it's bytes then decode and load it
+      attrs = json.loads(attrs.decode('utf-8'))
+    if attrs['quarantine_notification'] not in ('hourly', 'daily', 'weekly'):
+      continue
+    if last_notification == 0 or (last_notification + time_trans[attrs['quarantine_notification']]) <= time_now:
+      print("Notifying %s: Considering %d new items in quarantine (policy: %s)" % (record['rcpt'], record['counter'], attrs['quarantine_notification']))
+      notify_rcpt(record['rcpt'], record['counter'], record['quarantine_acl'], attrs['quarantine_category'])
+
+finally:
+  os.unlink(pidfile)

data/Dockerfiles/dovecot/quota_notify.py

@@ -0,0 +1,94 @@
+#!/usr/bin/python3
+
+import smtplib
+import os
+from email.mime.multipart import MIMEMultipart
+from email.mime.text import MIMEText
+from email.utils import COMMASPACE, formatdate
+import jinja2
+from jinja2 import Template
+import redis
+import time
+import json
+import sys
+import html2text
+from subprocess import Popen, PIPE, STDOUT
+
+if len(sys.argv) > 2:
+  percent = int(sys.argv[1])
+  username = str(sys.argv[2])
+else:
+  print("Args missing")
+  sys.exit(1)
+
+while True:
+  try:
+    r = redis.StrictRedis(host='redis', decode_responses=True, port=6379, db=0)
+    r.ping()
+  except Exception as ex:
+    print('%s - trying again...'  % (ex))
+    time.sleep(3)
+  else:
+    break
+
+if r.get('QW_HTML'):
+  try:
+    template = Template(r.get('QW_HTML'))
+  except:
+    print("Error: Cannot parse quarantine template, falling back to default template.")
+    with open('/templates/quota.tpl') as file_:
+      template = Template(file_.read())
+else:
+  with open('/templates/quota.tpl') as file_:
+    template = Template(file_.read())
+
+html = template.render(username=username, percent=percent)
+text = html2text.html2text(html)
+
+try:
+  msg = MIMEMultipart('alternative')
+  msg['From'] = r.get('QW_SENDER') or "quota-warning@localhost"
+  msg['Subject'] = r.get('QW_SUBJ') or "Quota warning"
+  msg['Date'] = formatdate(localtime = True)
+  text_part = MIMEText(text, 'plain', 'utf-8')
+  html_part = MIMEText(html, 'html', 'utf-8')
+  msg.attach(text_part)
+  msg.attach(html_part)
+  msg['To'] = username
+  p = Popen(['/usr/libexec/dovecot/dovecot-lda', '-d', username, '-o', '"plugin/quota=maildir:User quota:noenforcing"'], stdout=PIPE, stdin=PIPE, stderr=STDOUT)
+  p.communicate(input=bytes(msg.as_string(), 'utf-8'))
+
+  domain = username.split("@")[-1]
+  if domain and r.hget('QW_BCC', domain):
+    bcc_data = json.loads(r.hget('QW_BCC', domain))
+    bcc_rcpts = bcc_data['bcc_rcpts']
+    if bcc_data['active'] == 1:
+      for rcpt in bcc_rcpts:
+        msg = MIMEMultipart('alternative')
+        msg['From'] = username
+        subject = r.get('QW_SUBJ') or "Quota warning"
+        msg['Subject'] = subject + ' (' + username + ')'
+        msg['Date'] = formatdate(localtime = True)
+        text_part = MIMEText(text, 'plain', 'utf-8')
+        html_part = MIMEText(html, 'html', 'utf-8')
+        msg.attach(text_part)
+        msg.attach(html_part)
+        msg['To'] = rcpt
+        server = smtplib.SMTP('postfix', 588, 'quotanotification')
+        server.ehlo()
+        server.sendmail(msg['From'], str(rcpt), msg.as_string())
+        server.quit()
+
+except Exception as ex:
+  print('Failed to send quota notification: %s' % (ex))
+  sys.exit(1)
+
+try:
+  sys.stdout.close()
+except:
+  pass
+
+try:
+  sys.stderr.close()
+except:
+  pass

data/Dockerfiles/dovecot/repl_health.sh

@@ -0,0 +1,28 @@
+#!/bin/bash
+
+source /source_env.sh
+
+# Do not attempt to write to slave
+if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
+  REDIS_CMDLINE="redis-cli -h ${REDIS_SLAVEOF_IP} -p ${REDIS_SLAVEOF_PORT}"
+else
+  REDIS_CMDLINE="redis-cli -h redis -p 6379"
+fi
+
+# Is replication active?
+# grep on file is less expensive than doveconf
+if [ -n ${MAILCOW_REPLICA_IP} ]; then
+  ${REDIS_CMDLINE} SET DOVECOT_REPL_HEALTH 1 > /dev/null
+  exit
+fi
+
+FAILED_SYNCS=$(doveadm replicator status | grep "Waiting 'failed' requests" | grep -oE '[0-9]+')
+
+# Set amount of failed jobs as DOVECOT_REPL_HEALTH
+# 1 failed job for mailcow.local is expected and healthy
+if [[ "${FAILED_SYNCS}" != 0 ]] && [[ "${FAILED_SYNCS}" != 1 ]]; then
+  printf "Dovecot replicator has %d failed jobs\n" "${FAILED_SYNCS}"
+  ${REDIS_CMDLINE} SET DOVECOT_REPL_HEALTH "${FAILED_SYNCS}" > /dev/null
+else
+  ${REDIS_CMDLINE} SET DOVECOT_REPL_HEALTH 1 > /dev/null
+fi

data/Dockerfiles/dovecot/report-ham.sieve

@@ -0,0 +1,11 @@
+require ["vnd.dovecot.pipe", "copy", "imapsieve", "environment", "variables"];
+
+if environment :matches "imap.mailbox" "*" {
+  set "mailbox" "${1}";
+}
+
+if string "${mailbox}" "Trash" {
+  stop;
+}
+
+pipe :copy "rspamd-pipe-ham";

data/Dockerfiles/dovecot/report-spam.sieve

@@ -0,0 +1,3 @@
+require ["vnd.dovecot.pipe", "copy"];
+
+pipe :copy "rspamd-pipe-spam";

data/Dockerfiles/dovecot/rspamd-pipe-ham

@@ -0,0 +1,10 @@
+#!/bin/bash
+FILE=/tmp/mail$$
+cat > $FILE
+trap "/bin/rm -f $FILE" 0 1 2 3 13 15
+
+cat ${FILE} | /usr/bin/curl -H "Flag: 11" -s --data-binary @- --unix-socket /var/lib/rspamd/rspamd.sock http://rspamd.${COMPOSE_PROJECT_NAME}_mailcow-network/fuzzydel
+cat ${FILE} | /usr/bin/curl -s --data-binary @- --unix-socket /var/lib/rspamd/rspamd.sock http://rspamd.${COMPOSE_PROJECT_NAME}_mailcow-network/learnham
+cat ${FILE} | /usr/bin/curl -H "Flag: 13" -s --data-binary @- --unix-socket /var/lib/rspamd/rspamd.sock http://rspamd.${COMPOSE_PROJECT_NAME}_mailcow-network/fuzzyadd
+
+exit 0

data/Dockerfiles/dovecot/rspamd-pipe-spam

@@ -0,0 +1,10 @@
+#!/bin/bash
+FILE=/tmp/mail$$
+cat > $FILE
+trap "/bin/rm -f $FILE" 0 1 2 3 13 15
+
+cat ${FILE} | /usr/bin/curl -H "Flag: 13" -s --data-binary @- --unix-socket /var/lib/rspamd/rspamd.sock http://rspamd.${COMPOSE_PROJECT_NAME}_mailcow-network/fuzzydel
+cat ${FILE} | /usr/bin/curl -s --data-binary @- --unix-socket /var/lib/rspamd/rspamd.sock http://rspamd.${COMPOSE_PROJECT_NAME}_mailcow-network/learnspam
+cat ${FILE} | /usr/bin/curl -H "Flag: 11" -s --data-binary @- --unix-socket /var/lib/rspamd/rspamd.sock http://rspamd.${COMPOSE_PROJECT_NAME}_mailcow-network/fuzzyadd
+
+exit 0

data/Dockerfiles/dovecot/sa-rules.sh

@@ -0,0 +1,37 @@
+#!/bin/bash
+
+# Create temp directories
+[[ ! -d /tmp/sa-rules-heinlein ]] && mkdir -p /tmp/sa-rules-heinlein
+
+# Hash current SA rules
+if [[ ! -f /etc/rspamd/custom/sa-rules ]]; then
+  HASH_SA_RULES=0
+else
+  HASH_SA_RULES=$(cat /etc/rspamd/custom/sa-rules | md5sum | cut -d' ' -f1)
+fi
+
+# Deploy
+if curl --connect-timeout 15 --retry 10 --max-time 30 https://www.spamassassin.heinlein-support.de/$(dig txt 1.4.3.spamassassin.heinlein-support.de +short | tr -d '"' | tr -dc '0-9').tar.gz --output /tmp/sa-rules-heinlein.tar.gz; then
+  if gzip -t /tmp/sa-rules-heinlein.tar.gz; then
+    tar xfvz /tmp/sa-rules-heinlein.tar.gz -C /tmp/sa-rules-heinlein
+    cat /tmp/sa-rules-heinlein/*cf > /etc/rspamd/custom/sa-rules
+  fi
+else
+  echo "Failed to download SA rules. Exiting."
+  exit 0 # Must be 0 otherwise dovecot would not start at all
+fi
+
+sed -i -e 's/\([^\\]\)\$\([^\/]\)/\1\\$\2/g' /etc/rspamd/custom/sa-rules
+
+if [[ "$(cat /etc/rspamd/custom/sa-rules | md5sum | cut -d' ' -f1)" != "${HASH_SA_RULES}" ]]; then
+  CONTAINER_NAME=rspamd-mailcow
+  CONTAINER_ID=$(curl --silent --insecure https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/json | \
+    jq -r ".[] | {name: .Config.Labels[\"com.docker.compose.service\"], project: .Config.Labels[\"com.docker.compose.project\"], id: .Id}" | \
+    jq -rc "select( .name | tostring | contains(\"${CONTAINER_NAME}\")) | select( .project | tostring | contains(\"${COMPOSE_PROJECT_NAME,,}\")) | .id")
+  if [[ ! -z ${CONTAINER_ID} ]]; then
+    curl --silent --insecure -XPOST --connect-timeout 15 --max-time 120 https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/${CONTAINER_ID}/restart
+  fi
+fi
+
+# Cleanup
+rm -rf /tmp/sa-rules-heinlein /tmp/sa-rules-heinlein.tar.gz

data/Dockerfiles/dovecot/stop-supervisor.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+printf "READY\n";
+
+while read line; do
+  echo "Processing Event: $line" >&2;
+  kill -3 $(cat "/var/run/supervisord.pid")
+done < /dev/stdin

data/Dockerfiles/dovecot/supervisord.conf

@@ -0,0 +1,24 @@
+[supervisord]
+nodaemon=true
+user=root
+pidfile=/var/run/supervisord.pid
+
+[program:syslog-ng]
+command=/usr/sbin/syslog-ng --foreground --no-caps
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+autostart=true
+
+[program:dovecot]
+command=/usr/sbin/dovecot -F
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+autorestart=true
+
+[eventlistener:processes]
+command=/usr/local/sbin/stop-supervisor.sh
+events=PROCESS_STATE_STOPPED, PROCESS_STATE_EXITED, PROCESS_STATE_FATAL

data/Dockerfiles/dovecot/syslog-ng-redis_slave.conf

@@ -0,0 +1,46 @@
+@version: 4.5
+@include "scl.conf"
+options {
+  chain_hostnames(off);
+  flush_lines(0);
+  use_dns(no);
+  use_fqdn(no);
+  owner("root"); group("adm"); perm(0640);
+  stats(freq(0));
+  keep_timestamp(no);
+  bad_hostname("^gconfd$");
+};
+source s_dgram {
+  unix-dgram("/dev/log");
+  internal();
+};
+destination d_stdout { pipe("/dev/stdout"); };
+destination d_redis_ui_log {
+  redis(
+    host("`REDIS_SLAVEOF_IP`")
+    persist-name("redis1")
+    port(`REDIS_SLAVEOF_PORT`)
+    command("LPUSH" "DOVECOT_MAILLOG" "$(format-json time=\"$S_UNIXTIME\" priority=\"$PRIORITY\" program=\"$PROGRAM\" message=\"$MESSAGE\")\n")
+  );
+};
+destination d_redis_f2b_channel {
+  redis(
+    host("`REDIS_SLAVEOF_IP`")
+    persist-name("redis2")
+    port(`REDIS_SLAVEOF_PORT`)
+    command("PUBLISH" "F2B_CHANNEL" "$(sanitize $MESSAGE)")
+  );
+};
+filter f_mail { facility(mail); };
+filter f_replica {
+  not match("User has no mail_replica in userdb" value("MESSAGE"));
+  not match("Error: sync: Unknown user in remote" value("MESSAGE"));
+};
+log {
+  source(s_dgram);
+  filter(f_replica);
+  destination(d_stdout);
+  filter(f_mail);
+  destination(d_redis_ui_log);
+  destination(d_redis_f2b_channel);
+};

data/Dockerfiles/dovecot/syslog-ng.conf

@@ -0,0 +1,46 @@
+@version: 4.5
+@include "scl.conf"
+options {
+  chain_hostnames(off);
+  flush_lines(0);
+  use_dns(no);
+  use_fqdn(no);
+  owner("root"); group("adm"); perm(0640);
+  stats(freq(0));
+  keep_timestamp(no);
+  bad_hostname("^gconfd$");
+};
+source s_dgram {
+  unix-dgram("/dev/log");
+  internal();
+};
+destination d_stdout { pipe("/dev/stdout"); };
+destination d_redis_ui_log {
+  redis(
+    host("redis-mailcow")
+    persist-name("redis1")
+    port(6379)
+    command("LPUSH" "DOVECOT_MAILLOG" "$(format-json time=\"$S_UNIXTIME\" priority=\"$PRIORITY\" program=\"$PROGRAM\" message=\"$MESSAGE\")\n")
+  );
+};
+destination d_redis_f2b_channel {
+  redis(
+    host("redis-mailcow")
+    persist-name("redis2")
+    port(6379)
+    command("PUBLISH" "F2B_CHANNEL" "$(sanitize $MESSAGE)")
+  );
+};
+filter f_mail { facility(mail); };
+filter f_replica {
+  not match("User has no mail_replica in userdb" value("MESSAGE"));
+  not match("Error: sync: Unknown user in remote" value("MESSAGE"));
+};
+log {
+  source(s_dgram);
+  filter(f_replica);
+  destination(d_stdout);
+  filter(f_mail);
+  destination(d_redis_ui_log);
+  destination(d_redis_f2b_channel);
+};

data/Dockerfiles/dovecot/trim_logs.sh

@@ -0,0 +1,25 @@
+#!/bin/bash
+catch_non_zero() {
+  CMD=${1}
+  ${CMD} > /dev/null
+  EC=$?
+  if [ ${EC} -ne 0 ]; then
+    echo "Command ${CMD} failed to execute, exit code was ${EC}"
+  fi
+}
+source /source_env.sh
+# Do not attempt to write to slave
+if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
+  REDIS_CMDLINE="redis-cli -h ${REDIS_SLAVEOF_IP} -p ${REDIS_SLAVEOF_PORT}"
+else
+  REDIS_CMDLINE="redis-cli -h redis -p 6379"
+fi
+catch_non_zero "${REDIS_CMDLINE} LTRIM ACME_LOG 0 ${LOG_LINES}"
+catch_non_zero "${REDIS_CMDLINE} LTRIM POSTFIX_MAILLOG 0 ${LOG_LINES}"
+catch_non_zero "${REDIS_CMDLINE} LTRIM DOVECOT_MAILLOG 0 ${LOG_LINES}"
+catch_non_zero "${REDIS_CMDLINE} LTRIM SOGO_LOG 0 ${LOG_LINES}"
+catch_non_zero "${REDIS_CMDLINE} LTRIM NETFILTER_LOG 0 ${LOG_LINES}"
+catch_non_zero "${REDIS_CMDLINE} LTRIM AUTODISCOVER_LOG 0 ${LOG_LINES}"
+catch_non_zero "${REDIS_CMDLINE} LTRIM API_LOG 0 ${LOG_LINES}"
+catch_non_zero "${REDIS_CMDLINE} LTRIM RL_LOG 0 ${LOG_LINES}"
+catch_non_zero "${REDIS_CMDLINE} LTRIM WATCHDOG_LOG 0 ${LOG_LINES}"