Clean up variables

.env

@@ -0,0 +1 @@
+mailroom.env

conf/apparmor/mailroom-inbox

@@ -36,11 +36,10 @@ profile mailroom-inbox flags=(attach_disconnected, mediate_deleted) {
   /sys/fs/cgroup/** r,                     # cgroups (read-only)
 
   ## Capabilities and signals
-  capability dac_override,                 # Required capability for file access
+  capability net_bind_service              # Required capability to bind to port 25
   signal (receive) peer=unconfined,        # Allow signals from unconfined processes
   network inet stream,
   network inet6 dgram,
   network inet6 stream,
   network netlink raw,
-  deny network,
 }

inbox/Dockerfile

@@ -1,26 +1,28 @@
 FROM node:20 AS build
 COPY . /app
 WORKDIR /app
-
+RUN rm entrypoint.sh
 RUN npm i --omit=dev
 
 FROM node:20-alpine
 
-ENV INBOX_PORT="25"
-ENV INBOX_HOST="smtp.example.com"
-ENV INBOX_LOG_FILE="/tmp/inbox.log"
-ENV INBOX_TLS_MIN_VERSION="TLSv1.3"
-ENV INBOX_TLS_KEY_PATH="/certs/inbox/privkey.pem"
-ENV INBOX_TLS_CERT_PATH="/certs/inbox/cert.pem"
+ENV LOG_FILE="/var/log/inbox.log"
+ENV LOG_LEVEL="INFO"
+ENV INBOX_COINTAINER_TLS_KEY="/etc/ssl/inbox/privkey.pem"
+ENV INBOX_COINTAINER_TLS_CERT="/etc/ssl/inbox/cert.pem"
 ENV REDIS_HOST="redis_mail"
-ENV REDIS_PORT="6379"
+ENV REDIS_PORT=6379
+ENV INBOX_MAX_CONNECTIONS=1024
+ENV INBOX_PORT=25
 
-RUN apk add openssl; adduser app -H -D
+RUN apk add openssl
 
 WORKDIR /usr/src/inbox
 
 COPY --from=build /app /usr/src/inbox
+COPY --chmod=500 --chown=1000 entrypoint.sh /entrypoint.sh
+EXPOSE $INBOX_PORT
 
-USER app
-
-ENTRYPOINT "node src/index.js 2>&1 | tee /tmp/inbox.log"
+USER 1000
+ENTRYPOINT ["/entrypoint.sh"]
+CMD ["src/index.js"]

inbox/Dockerfile.dev

@@ -1,27 +1,30 @@
 FROM node:20 AS build
 COPY . /app
 WORKDIR /app
-
+RUN rm entrypoint.sh
 RUN npm i --omit=dev
 
 FROM node:20-alpine
 
-ENV INBOX_PORT="25"
-ENV INBOX_HOST="smtp.example.com"
-ENV INBOX_LOG_FILE="/tmp/inbox.log"
-ENV INBOX_TLS_MIN_VERSION="TLSv1.3"
-ENV INBOX_TLS_KEY_PATH="/certs/inbox/privkey.pem"
-ENV INBOX_TLS_CERT_PATH="/certs/inbox/cert.pem"
+ENV LOG_FILE="/var/log/inbox.log"
+ENV LOG_LEVEL="INFO"
+ENV INBOX_COINTAINER_TLS_KEY="/etc/ssl/inbox/privkey.pem"
+ENV INBOX_COINTAINER_TLS_CERT="/etc/ssl/inbox/cert.pem"
 ENV REDIS_HOST="redis_mail"
-ENV REDIS_PORT="6379"
+ENV REDIS_PORT=6379
+ENV INBOX_MAX_CONNECTIONS=1024
+ENV INBOX_PORT=25
 
-RUN apk add openssl; adduser app -H -D
+RUN apk add openssl
 
 WORKDIR /usr/src/inbox
 
 COPY --from=build /app /usr/src/inbox
+COPY --chmod=500 --chown=1000 entrypoint.sh /entrypoint.sh
 COPY ./smtp-server /usr/src/inbox/node_modules/@carlgo11/smtp-server
 
-USER app
+EXPOSE $INBOX_PORT
 
-ENTRYPOINT "node src/index.js 2>&1 | tee /tmp/inbox.log"
+USER 1000
+ENTRYPOINT ["/entrypoint.sh"]
+CMD ["src/index.js"]

inbox/entrypoint.sh

@@ -0,0 +1,4 @@
+#!/bin/sh
+
+npm run test &&
+node "$*" 2>&1 | tee "$LOG_FILE"

inbox/package.json

@@ -24,11 +24,8 @@
   "private": true,
   "license": "LGPL-3.0-or-later",
   "scripts": {
-    "start": "node --env-file=../.env src/index.js",
-    "test": "node --test",
-    "lint": "eslint src --ext .js,.mjs",
-    "dev": "node src/index.js --watch-path src/",
-    "prepublishOnly": "npm test && npm run lint"
+    "start": "node src/index.js",
+    "test": "node --test"
   },
   "dependencies": {
     "mailauth": "^4.6.8",

inbox/src/config/tls.js

@@ -1,10 +1,9 @@
 import fs from 'fs';
 
 export const tlsConfig = {
-  key: fs.readFileSync(process.env.INBOX_TLS_KEY_PATH || process.env.TLS_KEY_PATH),
-  cert: fs.readFileSync(process.env.INBOX_TLS_CERT_PATH || process.env.TLS_CERT_PATH),
+  key: fs.readFileSync(process.env.INBOX_COINTAINER_TLS_KEY),
+  cert: fs.readFileSync(process.env.INBOX_COINTAINER_TLS_CERT),
   minVersion: process.env.INBOX_TLS_MIN_VERSION || process.env.TLS_MIN_VERSION,
   maxVersion: process.env.INBOX_TLS_MAX_VERSION || process.env.TLS_MAX_VERSION,
   ciphers: process.env.INBOX_TLS_CIPHERS || process.env.TLS_CIPHERS,
-  handshakeTimeout: 5000,
 };

inbox/src/servers/server.js

@@ -21,13 +21,13 @@ export default function startServer() {
     tlsOptions,
       extensions: ['ENHANCEDSTATUSCODES', 'PIPELINING', 'REQUIRETLS', '8BITMIME'],
       greeting: process.env.INBOX_HOST,
-      onRCPTTO: async (address, session) => await handleRcptTo(address, session),
-      onMAILFROM: async (address, session, ext) => await handleMailFrom(address, session, ext),
-      onEHLO: async (domain, session) => await handleEhlo(domain, session),
-      onDATA: async (message, session) => await handleData(message, session),
-      onConnect: async(session) => await handleConnect(session),
-      logLevel: process.env.LOG_LEVEL || 'INFO',
-      maxConnections: process.env.INBOX_MAX_CONNECTIONS || 100,
+      onRCPTTO: handleRcptTo,
+      onMAILFROM: handleMailFrom,
+      onEHLO: handleEhlo,
+      onDATA: handleData,
+      onConnect: handleConnect,
+      logLevel: process.env.LOG_LEVEL,
+      maxConnections: process.env.INBOX_MAX_CONNECTIONS,
     });
   } catch (e) {
     console.error(e);

installation/compose/backup

@@ -1,7 +1,6 @@
   backup:
     container_name: backup
     image: carlgo11/mailroom-backup:${VERSION:-dev}
-    env_file: mailroom.env
     tmpfs:
       - /tmp
     read_only: true

installation/compose/dovecot

@@ -2,13 +2,13 @@
     container_name: dovecot
     image: dovecot/dovecot
     ports:
-      - "${DOVECOT_BIND:-993}:993/tcp"
+      - "${DOVECOT_IPV4_BIND:-0.0.0.0:993}:993/tcp"
+      - "${DOVECOT_IPV6_BIND:-:::993}:993/tcp"
     volumes:
       - ${CONF_PATH:-./configs}/dovecot:/etc/dovecot/conf.d:ro
-      - ${CERT_PATH:-./certs}/dovecot:/certs/dovecot:ro
-      - ${CERT_PATH:-./certs}/clients:/certs/clients:ro
+      - ${DOVECOT_TLS_KEY}:/certs/dovecot/privkey.pem:ro
+      - ${DOVECOT_TLS_CERT}:/certs/dovecot/cert.pem:ro
       - vhosts:/var/mail/vhosts
-    env_file: mailroom.env
     depends_on:
       - redis
     networks:

installation/compose/inbox

@@ -3,13 +3,18 @@
     image: carlgo11/mailroom-inbox:${VERSION:-dev}
     pull_policy: always
     ports:
-      - "${INBOX_BIND:-25}:25/tcp"
+      - "${INBOX_IPV4_BIND:-0.0.0.0:25}:25/tcp"
+      - "${INBOX_IPV6_BIND:-:::25}:25/tcp"
     volumes:
-      - ${CERT_PATH:-./certs}/inbox:/certs/inbox:ro
-      - ${CERT_PATH:-./certs}/clients/users:/certs/clients/users:ro
+      - ${INBOX_TLS_KEY}:/etc/ssl/inbox/privkey.pem
+      - ${INBOX_TLS_CERT}:/etc/ssl/inbox/cert.pem
+      - ${INBOX_SMIME_PATH}:/etc/ssl/clients/:ro
+      - ${INBOX_LOG}:/var/log/inbox.log
       - vhosts:/var/mail/vhosts
-      - /var/log/inbox.log:/tmp/inbox.log
-    env_file: mailroom.env
+    cap_drop:
+      - ALL
+    cap_add:
+      - NET_BIND_SERVICE
     depends_on:
       - redis
     networks:

installation/compose/outbox

@@ -2,12 +2,13 @@
     container_name: outbox
     image: carlgo11/mailroom-outbox:${VERSION:-dev}
     ports:
-      - "${OUTBOX_BIND:-587}:587"
+      - "${OUTBOX_IPV4_BIND:-0.0.0.0:587}:587/tcp"
+      - "${OUTBOX_IPV6_BIND:-:::587}:587/tcp"
     volumes:
-      - ${CERT_PATH:-./certs}/outbox:/certs/outbox:ro
-      - ${CERT_PATH:-./certs}/dkim:/certs/dkim:ro
+      - ${OUTBOX_TLS_KEY}:/etc/ssl/outbox/privkey.pem:ro
+      - ${OUTBOX_TLS_CERT}:/etc/ssl/outbox/cert.pem:ro
+      - ${OUTBOX_DKIM_PATH}:/etc/ssl/dkim:ro
       - vhosts:/var/mail/vhosts
-    env_file: mailroom.env
     depends_on:
       - redis
     read_only: true