
Merge pull request #111 from YunoHost-Apps/sso

Attempt to add SSO support
eric_G 2023-09-04 19:17:49 +02:00 committed by GitHub
commit 85ed292c08
GPG key ID: 4AEE18F83AFDEB23
11 changed files with 229 additions and 88 deletions


@ -19,7 +19,7 @@ If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/in
Simple, modern, lightweight & fast web-based email client. The drastically upgraded & secured fork of RainLoop Webmail Community edition.
**Shipped version:** 2.28.4~ynh1
**Shipped version:** 2.28.4~ynh2
**Demo:** https://snappymail.eu/demo/


@ -18,7 +18,7 @@ Si vous navez pas YunoHost, regardez [ici](https://yunohost.org/#/install) po
Client de messagerie Web simple, moderne, léger et rapide. Snappymail est un fork considérablement amélioré et sécurisé de l'édition RainLoop Webmail Community.
**Version incluse :** 2.28.4~ynh1
**Version incluse :** 2.28.4~ynh2
**Démo :** https://snappymail.eu/demo/


@ -8,19 +8,20 @@ title = "SnappyMail Webmail"
; Text displayed on startup
loading_description = "SnappyMail"
favicon_url = ""
app_path = ""
; Theme used by default
theme = "Clear"
theme = "Default"
; Allow theme selection on settings screen
allow_themes = On
allow_user_background = Off
; Language used by default
language = "__LANGUAGE__"
language = "en"
; Admin Panel interface language
language_admin = "__LANGUAGE__"
language_admin = "en"
; Allow language selection on settings screen
allow_languages_on_settings = On
@ -30,54 +31,92 @@ allow_additional_identities = On
; Number of messages displayed on page by default
messages_per_page = 20
; Mark message read after N seconds
message_read_delay = 5
; File size limit (MB) for file upload on compose screen
; 0 for unlimited.
attachment_size_limit = 25
; brotli or gzip compress the output.
; Warning: only enable when server does not do this, else double compression errors occur
compress_output = Off
[interface]
show_attachment_thumbnail = On
new_move_to_folder_button = on
[contacts]
; Enable contacts
enable = On
allow_sharing = On
allow_sync = On
sync_interval = 20
type = "mysql"
pdo_dsn = "mysql:host=127.0.0.1;port=3306;dbname=__DB_NAME__"
pdo_user = "__DB_USER__"
pdo_password = "__DB_PWD__"
suggestions_limit = 30
; PEM format certificate
mysql_ssl_ca = ""
mysql_ssl_verify = On
; HIGH
mysql_ssl_ciphers = ""
suggestions_limit = 20
[security]
; Enable CSRF protection (http://en.wikipedia.org/wiki/Cross-site_request_forgery)
csrf_protection = On
custom_server_signature = "SnappyMail"
x_frame_options_header = "DENY"
x_xss_protection_header = "1; mode=block"
openpgp = Off
; Login and password for web admin panel
admin_login = "admin"
admin_password = "12345"
admin_totp = ""
; Access settings
allow_admin_panel = On
hide_x_mailer_header = On
; Login and password for web admin panel
admin_login = "admin"
admin_password = ""
admin_totp = ""
admin_panel_host = ""
admin_panel_key = "admin"
force_https = Off
hide_x_mailer_header = On
; https://en.m.wikipedia.org/wiki/Load_(computing)
max_sys_getloadavg = 0
; For example to allow all images use "img-src https:". More info at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#directives
content_security_policy = ""
; Report CSP errors to PHP and/or SnappyMail Log
csp_report = Off
; A valid cipher method from https://php.net/openssl_get_cipher_methods
encrypt_cipher = "aes-256-cbc-hmac-sha1"
; Strict, Lax or None
cookie_samesite = "Strict"
; Additional allowed Sec-Fetch combinations separated by ";".
; For example:
; * Allow iframe on same domain in any mode: dest=iframe,site=same-origin
; * Allow navigate to iframe on same domain: mode=navigate,dest=iframe,site=same-origin
; * Allow navigate to iframe on (sub)domain: mode=navigate,dest=iframe,site=same-site
; * Allow navigate to iframe from any domain: mode=navigate,dest=iframe,site=cross-site
;
; Default is "site=same-origin;site=none"
secfetch_allow = ""
[admin_panel]
allow_update = Off
[ssl]
; Require verification of SSL certificate used.
verify_certificate = Off
verify_certificate = On
; Allow self-signed certificates. Requires verify_certificate.
allow_self_signed = On
allow_self_signed = Off
; https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_security_level.html
security_level = 1
; Location of Certificate Authority file on local filesystem (/etc/ssl/certs/ca-certificates.crt)
cafile = ""
@ -85,23 +124,40 @@ cafile = ""
; capath must be a correctly hashed certificate directory. (/etc/ssl/certs/)
capath = ""
; Location of client certificate file (pem format with private key) on local filesystem
local_cert = ""
; This can help mitigate the CRIME attack vector.
disable_compression = On
[capa]
contacts = On
quota = On
help = On
search = On
search_adv = On
; Allow clear folder and delete messages without moving to trash
dangerous_actions = On
; Allow download attachments as Zip (and optionally others)
attachments_actions = On
[login]
; If someone logs in without "@domain.tld", this value will be used
; When this value is HTTP_HOST, the $_SERVER["HTTP_HOST"] value is used.
; When this value is SERVER_NAME, the $_SERVER["SERVER_NAME"] value is used.
; When this value is gethostname, the gethostname() value is used.
;
default_domain = "__DOMAIN__"
; Allow language selection on webmail login screen
allow_languages_on_login = On
; Detect language from browser header `Accept-Language`
determine_user_language = On
; Like default_domain but then HTTP_HOST/SERVER_NAME without www.
determine_user_domain = Off
hide_submit_button = On
login_lowercase = On
; This option allows webmail to remember the logged in user
@ -117,11 +173,11 @@ sign_me_auto = "DefaultOff"
; Enable plugin support
enable = On
; List of enabled plugins
; Comma-separated list of enabled plugins
enabled_list = "ldap-identities"
[defaults]
; Editor mode used by default (Plain, Html, HtmlForced or PlainForced)
; Editor mode used by default (Plain, Html)
view_editor_type = "Html"
; layout: 0 - no preview, 1 - side preview, 2 - bottom preview
@ -139,22 +195,24 @@ mail_reply_same_folder = Off
; Enable logging
enable = Off
; Path where log files will be stored
path = ""
; Log messages of set RFC 5424 section 6.2.1 Severity level and higher (0 = highest, 7 = lowest).
; 0 = Emergency
; 1 = Alert
; 2 = Critical
; 3 = Error
; 4 = Warning
; 5 = Notice
; 6 = Informational
; 7 = Debug
level = 4
; Logs entire request only if error occured (php requred)
write_on_error_only = Off
; Logs entire request only if php error occured
write_on_php_error_only = Off
; Logs entire request only if request timeout (in seconds) occured.
write_on_timeout_only = 0
; Required for development purposes only.
; Disabling this option is not recommended.
hide_passwords = On
time_offset = __TIMEZONE__
session_filter = ""
time_zone = "__TIMEZONE__"
; Log filename.
; For security reasons, some characters are removed from filename.
@ -182,16 +240,23 @@ session_filter = ""
; filename = "log-{date:Y-m-d}.txt"
; filename = "{date:Y-m-d}/{user:domain}/{user:email}_{user:uid}.log"
; filename = "{user:email}-{date:Y-m-d}.txt"
; filename = "syslog"
; filename = "stderr"
filename = "log-{date:Y-m-d}.txt"
; Enable auth logging in a separate file (for fail2ban)
auth_logging = On
auth_logging_filename = "fail2ban/auth-fail.log"
auth_logging_format = "[{date:Y-m-d H:i:s T}] Auth failed: ip={request:ip} user={imap:login} host={imap:host} port={imap:port}"
auth_logging_filename = "fail2ban/auth-{date:Y-m-d}.txt"
auth_logging_format = "[{date:Y-m-d H:i:s}] Auth failed: ip={request:ip} user={imap:login} host={imap:host} port={imap:port}"
; Enable auth logging to syslog for fail2ban
auth_syslog = Off
[debug]
; Special option required for development purposes
enable = Off
javascript = Off
css = Off
[cache]
; The section controls caching of the entire application.
@ -199,10 +264,13 @@ enable = Off
; Enables caching in the system
enable = On
; Path where cache files will be stored
path = ""
; Additional caching key. If changed, cache is purged
index = "v1"
; Can be: files, APC, memcache
; Can be: files, APCU, memcache, redis (beta)
fast_cache_driver = "files"
; Additional caching key. If changed, fast cache is purged
@ -216,58 +284,39 @@ http_expires = 3600
; Caching message UIDs when searching and sorting (threading)
server_uids = On
system_data = On
[imap]
use_force_selection = Off
use_expunge_all_on_delete = Off
message_list_fast_simple_search = On
message_list_permanent_filter = ""
message_all_headers = Off
show_login_alert = On
fetch_new_messages = On
[labs]
allow_prefetch = Off
cache_system_data = On
; Display message RFC 2822 date and time header, instead of the arrival internal date.
date_from_headers = On
autocreate_system_folders = Off
allow_message_append = Off
login_fault_delay = 1
; When login fails, wait N seconds before responding
login_fault_delay = 5
log_ajax_response_write_limit = 300
allow_html_editor_source_button = Off
allow_ctrl_enter_on_compose = On
try_to_detect_hidden_images = Off
use_app_debug_js = Off
use_mobile_version_for_tablets = Off
use_app_debug_css = Off
use_imap_sort = On
use_imap_force_selection = Off
use_imap_thread = On
use_imap_move = Off
use_imap_expunge_all_on_delete = Off
imap_forwarded_flag = "$Forwarded"
imap_read_receipt_flag = "$ReadReceipt"
imap_body_text_limit = 555000
imap_message_list_fast_simple_search = On
imap_message_list_count_limit_trigger = 0
imap_message_list_date_filter = 0
imap_message_list_permanent_filter = ""
imap_message_all_headers = Off
imap_large_thread_limit = 50
imap_folder_list_limit = 200
imap_show_login_alert = On
imap_use_list_status = On
imap_timeout = 300
smtp_show_server_errors = Off
smtp_timeout = 60
sieve_auth_plain_initial = On
sieve_allow_fileinfo_inbox = Off
sieve__timeout = 10
sasl_allow_plain = On
sasl_allow_scram_sha = Off
sasl_allow_cram_md5 = Off
sieve_allow_fileinto_inbox = Off
; PHP mail() remove To and Subject headers
mail_func_clear_headers = On
; PHP mail() set -f emailaddress
mail_func_additional_parameters = Off
favicon_status = On
folders_spec_limit = 50
curl_proxy = ""
curl_proxy_auth = ""
in_iframe = Off
force_https = Off
custom_login_link = ""
custom_logout_link = ""
allow_external_login = Off
custom_login_link=''
custom_logout_link='https://__MAIN_DOMAIN__/yunohost/sso/?action=logout'
http_client_ip_check_proxy = Off
fast_cache_memcache_host = "127.0.0.1"
fast_cache_memcache_port = 11211
@ -277,13 +326,11 @@ use_local_proxy_for_external_images = On
image_exif_auto_rotate = Off
cookie_default_path = ""
cookie_default_secure = Off
check _new_messages = On
replace_env_in_configuration = ""
boundary_prefix = ""
kolab_enabled = Off
dev_email = ""
dev_password = ""
[version]
current = "2.15.0"
saved = "Thu, 21 Apr 2022 15:18:08 +0000"
current = "2.28.1"
saved = "Wed, 21 Jun 2023 06:38:05 +0000"
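Review bot: `custom_login_link=''` and `custom_logout_link='https://__MAIN_DOMAIN__/yunohost/sso/?action=logout'` in the `@ -216,58 +284,39` hunk are the only keys in the file written without spaces around `=` and with single quotes; `custom_logout_link = "https://__MAIN_DOMAIN__/yunohost/sso/?action=logout"` matches the `key = "value"` form used everywhere else. In the last hunk `cookie_default_secure = Off` survives next to `force_https = Off`, although the new login/logout targets are https-only and YunoHost presumably serves the app over TLS; turning the cookie flag `On` costs nothing there and keeps the session cookie from being sent over plain http. `check _new_messages = On` in that same hunk has a space inside the key — if the line is on the new side it is malformed and should be `check_new_messages`; from the rendered page I cannot tell whether it was removed.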

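--- a/conf/sso.php
+++ b/conf/sso.php
@@ -0,0 +1,17 @@
+<?php
+// Enable SnappyMail Api and include index file
+$_ENV['SNAPPYMAIL_INCLUDE_AS_API'] = true;
+require 'app/index.php';
+// Retrieve email and password
+if (isset($_SERVER['HTTP_EMAIL']) && isset($_SERVER['PHP_AUTH_PW'])) {
+$email = $_SERVER['HTTP_EMAIL'];
+$password = $_SERVER['PHP_AUTH_PW'];
+$ssoHash = \RainLoop\Api::CreateUserSsoHash($email, $password);
+// redirect to webmail sso url
+\header('Location: https://__DOMAIN____PATH__/app/?sso&hash='.$ssoHash);
+}
+else {
+\header('Location: https://__DOMAIN____PATH__/app/');
+}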
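Review bot: The `if` on `HTTP_EMAIL`/`PHP_AUTH_PW` takes a plain request header as the user's identity and mints an SSO hash from it; that is sound only while every request reaching this `index.php` has passed through SSOwat, which sets those headers, and nothing in the file records that dependency. A comment above the `if`, e.g. `// Email and PHP_AUTH_PW are set by SSOwat for authenticated users; the nginx config must not forward a client-supplied Email header`, documents the trust boundary for the next maintainer, and a non-empty check on `HTTP_EMAIL` before calling `CreateUserSsoHash` would avoid hashing an empty login. `require 'app/index.php';` resolves against include_path and the working directory; `require __DIR__ . '/app/index.php';` pins it to this file's own location. Note also that the hash travels in the query string of the `Location:` redirect and will therefore show up in nginx access logs — that is how SnappyMail's `?sso&hash=` entry point works, so it is a log-retention consideration rather than something to change here.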


@ -2,6 +2,6 @@ The password-file is created after first opening the admin UI!
Be sure to immediately change the default password!
Open Snappy's admin UI `https://__DOMAIN____PATH__/?admin` to configure your mail server settings. Login with user "admin" and password from the file `__INSTALL_DIR__/data/_data_/_default_/admin_password.txt`.
Open Snappy's admin UI `https://__DOMAIN____PATH__/app/?admin` to configure your mail server settings. Login with user "admin" and password from the file `__INSTALL_DIR__/app/data/_data_/_default_/admin_password.txt`.
In particular, to be able to send emails, you need to go to Snappy's admin UI > Domains > __DOMAIN__ > SMTP > Check "Use authentication"


@ -2,6 +2,6 @@ Le fichier de mot de passe est créé après la première ouverture de l'interfa
Assurez-vous de changer immédiatement le mot de passe par défaut !
Ouvrez l'interface d'administration de Snappy `https://__DOMAIN____PATH__/?admin` pour configurer les paramètres de votre serveur de messagerie. Connectez-vous avec l'utilisateur "admin" et le mot de passe du fichier `__INSTALL_DIR__/data/_data_/_default_/admin_password.txt`.
Ouvrez l'interface d'administration de Snappy `https://__DOMAIN____PATH__/app/?admin` pour configurer les paramètres de votre serveur de messagerie. Connectez-vous avec l'utilisateur "admin" et le mot de passe du fichier `__INSTALL_DIR__/data/_data_/_default_/admin_password.txt`.
En particulier, pour pouvoir envoyer des mails, il vous faut aller dans l'interface d'admin de Snappy > Domaines > __DOMAIN__ > SMTP > Coche "Use authentication"


@ -5,7 +5,7 @@ name = "SnappyMail"
description.en = "Simple, modern, lightweight & fast web-based e-mail client"
description.fr = "Client de messagerie Web simple, moderne, léger et rapide"
version = "2.28.4~ynh1"
version = "2.28.4~ynh2"
maintainers = ["eric_G"]
@ -23,7 +23,7 @@ multi_instance = true
ldap = false
sso = false
disk = "50M"
ram.build = "50M"
ram.build = "100M"
ram.runtime = "50M"
[install]
@ -56,4 +56,8 @@ ram.runtime = "50M"
main.url = "/"
[resources.apt]
packages = "php8.2-sqlite3 php8.2-tidy php8.2-dom php8.2-intl php8.2-mysql php8.2-curl php8.2-gd php8.2-cli php8.2-xml php8.2-mbstring"
packages = "mariadb-server php8.2-sqlite3 php8.2-tidy php8.2-dom php8.2-intl php8.2-mysql php8.2-curl php8.2-gd php8.2-cli php8.2-xml php8.2-mbstring"
[resources.database]
type = "mysql"
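Review bot: `sso = false` in the integration section is left untouched even though this PR installs an `index.php` that logs users in from the SSO-injected `Email`/`PHP_AUTH_PW` headers; if the new flow is meant to work, the manifest should presumably declare `sso = true` so the catalog and the permission setup reflect it — confirm against the packaging docs before flipping it. The apt line now adds `mariadb-server` while `[resources.database]` with `type = "mysql"` already asks the core to provision a MySQL database, so the explicit package is likely redundant (harmless if the core ships it anyway, but worth a short comment if it is intentional).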


@ -4,6 +4,9 @@
# COMMON VARIABLES
#=================================================
main_domain=$(cat /etc/yunohost/current_host)
timezone=$(cat /etc/timezone)
#=================================================
# PERSONAL HELPERS
#=================================================
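Review bot: `timezone=$(cat /etc/timezone)` has no fallback: when the file is absent it either aborts the script (if `set -e` is in force) or yields an empty string that is rendered into application.ini as `time_zone = ""`. A guarded form such as `timezone=$(cat /etc/timezone 2>/dev/null || echo "UTC")` keeps the generated config valid in both cases. `main_domain=$(cat /etc/yunohost/current_host)` is fine as written, since that file is always present on a YunoHost host, but a one-line comment saying what the two variables feed (the `__MAIN_DOMAIN__`/`__TIMEZONE__` placeholders in conf/application.ini) would help the next reader.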


@ -6,8 +6,26 @@
# IMPORT GENERIC HELPERS
#=================================================
source _common.sh
source /usr/share/yunohost/helpers
#=================================================
# UPDATE A CONFIG FILE
#=================================================
ynh_script_progression --message="Updating a configuration file..." --weight=1
ynh_add_config --template="application.ini" --destination="$install_dir/app/data/_data_/_default_/configs/application.ini"
chmod 400 "$install_dir/app/data/_data_/_default_/configs/application.ini"
chown $app:$app "$install_dir/app/data/_data_/_default_/configs/application.ini"
#=================================================
# SETUP SSO
#=================================================
ynh_script_progression --message="Applying SSO patch..." --weight=1
ynh_add_config --template="../conf/sso.php" --destination="$install_dir/index.php"
#=================================================
# MODIFY URL IN NGINX CONF
#=================================================
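Review bot: The `ynh_add_config --template="../conf/sso.php"` step renders `__DOMAIN__`/`__PATH__` into the absolute redirect URLs of `$install_dir/index.php`, so it must run with the new domain and path in `$domain`/`$path`; that matches my reading of the packaging-v2 change_url contract, but it is worth confirming, because a stale value here sends every SSO login to the old URL. The template path is written as `../conf/sso.php` while the application.ini call a few lines above uses the bare name `application.ini`; `ynh_add_config` already resolves relative names under `../conf/`, so `--template="sso.php"` keeps the two calls consistent. The same mixed style appears in scripts/install and scripts/upgrade.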


@ -31,7 +31,7 @@ ynh_app_setting_set --app=$app --key=fpm_usage --value=$fpm_usage
ynh_script_progression --message="Setting up source files..." --weight=3
# Download, check integrity, uncompress and patch the source from app.src
ynh_setup_source --dest_dir="$install_dir"
ynh_setup_source --dest_dir="$install_dir/app"
chmod -R o-rwx "$install_dir"
chown -R $app:www-data "$install_dir"
@ -50,6 +50,28 @@ ynh_add_nginx_config
# Use logrotate to manage application logfile(s)
ynh_use_logrotate
#=================================================
# APP INITIAL CONFIGURATION
#=================================================
# ADD A CONFIGURATION
#=================================================
ynh_script_progression --message="Adding a configuration file..." --weight=1
mkdir -p "$install_dir/app/data/_data_/_default_/configs"
chown $app:$app -R "$install_dir/app/data/_data_"
ynh_add_config --template="application.ini" --destination="$install_dir/app/data/_data_/_default_/configs/application.ini"
chmod 400 "$install_dir/app/data/_data_/_default_/configs/application.ini"
chown $app:$app "$install_dir/app/data/_data_/_default_/configs/application.ini"
#=================================================
# SETUP SSO
#=================================================
ynh_script_progression --message="Applying SSO patch..." --weight=1
ynh_add_config --template="../conf/sso.php" --destination="$install_dir/index.php"
#=================================================
# END OF SCRIPT
#=================================================
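Review bot: `chown $app:$app -R "$install_dir/app/data/_data_"` hands the data tree to `$app:$app` right after the earlier `chown -R $app:www-data "$install_dir"`, and since `data/_data_` holds application.ini with the database and admin credentials the tighter group is the right call, but nothing says so; a comment such as `# data/_data_ holds credentials: owned by the app user only, not www-data` would stop a later cleanup from "fixing" the inconsistency. For style, put the flag before the owner spec (`chown -R $app:$app …`) to match the other `chown -R` calls in the script. The new `$install_dir/index.php` is created after the recursive chmod/chown, so its mode and owner come solely from `ynh_add_config` defaults — presumably fine for php-fpm running as `$app`, but worth a glance.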


@ -38,6 +38,17 @@ if [ -z "${fpm_usage:-}" ]; then
ynh_app_setting_set --app=$app --key=fpm_usage --value=$fpm_usage
fi
# Do something when upgrading from 2.3.2~ynh1 or lower
if ynh_compare_current_package_version --comparison le --version 2.28.4~ynh1
then
# Move everything inside a $install_dir/app/ subfolder
# This allows to have a $install_dir/index.php handling the SSO
mkdir -p $install_dir/app
# Ugly way to not return an error when moving everything to a subfolter of the same folder https://stackoverflow.com/a/43262922
find $install_dir -maxdepth 1 -mindepth 1 -not -name app -exec mv -t $install_dir/app {} +
chown $app:root $install_dir/app/
fi
#=================================================
# DOWNLOAD, CHECK AND UNPACK SOURCE
#=================================================
@ -47,7 +58,7 @@ then
ynh_script_progression --message="Upgrading source files..." --weight=5
# Download, check integrity, uncompress and patch the source from app.src
ynh_setup_source --dest_dir="$install_dir" --keep="data/_data_/_default_/configs/application.ini"
ynh_setup_source --dest_dir="$install_dir/app" --keep="data/_data_/_default_/configs/application.ini"
fi
chmod -R o-rwx "$install_dir"
@ -67,6 +78,25 @@ ynh_add_nginx_config
# Use logrotate to manage app-specific logfile(s)
ynh_use_logrotate --non-append
#=================================================
# RECONFIGURE THE APP (UPDATE CONF, APPLY MIGRATIONS...)
#=================================================
# UPDATE A CONFIG FILE
#=================================================
ynh_script_progression --message="Updating a configuration file..." --weight=1
ynh_add_config --template="application.ini" --destination="$install_dir/app/data/_data_/_default_/configs/application.ini"
chmod 400 "$install_dir/app/data/_data_/_default_/configs/application.ini"
chown $app:$app "$install_dir/app/data/_data_/_default_/configs/application.ini"
#=================================================
# SETUP SSO
#=================================================
ynh_script_progression --message="Applying SSO patch..." --weight=1
ynh_add_config --template="../conf/sso.php" --destination="$install_dir/index.php"
#=================================================
# END OF SCRIPT
#=================================================
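Review bot: The comment `# Do something when upgrading from 2.3.2~ynh1 or lower` does not match the condition under it, which tests `--version 2.28.4~ynh1`; it should read `# Move the tree into $install_dir/app/ when upgrading from 2.28.4~ynh1 or lower`. The `mkdir`, `find`/`mv` and `chown` lines in that block leave `$install_dir` unquoted whereas the rest of the script quotes it, e.g. `find "$install_dir" -maxdepth 1 -mindepth 1 -not -name app -exec mv -t "$install_dir/app" {} +`. Related to this migration, doc/DISCLAIMER_fr.md in the same commit still points at `__INSTALL_DIR__/data/_data_/_default_/admin_password.txt`, although after the move the file lives under `__INSTALL_DIR__/app/data/...` as the English disclaimer now says.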