Revert "Make pip quiet"

This reverts commit 7ccc871da7.

.github/FUNDING.yml

@@ -0,0 +1,3 @@
+# These are supported funding model platforms
+
+github: [modoboa]

.github/ISSUE_TEMPLATE.md

@@ -1,7 +1,7 @@
 # Impacted versions
 
 * Distribution: Debian / Ubuntu / Centos
-* Codename: Jessie / Trusty / Centos 9 Stream / ...
+* Codename: Jessie / Trusty / Centos 7 / ...
 * Arch: 32 Bits / 64 Bits
 * Database: PostgreSQL / MySQL
 

README.rst

@@ -11,12 +11,11 @@ An installer which deploy a complete mail server based on Modoboa.
 
    * Debian Buster (10) / Bullseye (11)
    * Ubuntu Bionic Beaver (18.04) and upper
-   * CentOS 9 Stream
+   * CentOS 7
 
 .. warning::
       
    ``/tmp`` partition must be mounted without the ``noexec`` option.
-   Centos 7 support has been depreceated since modoboa requires python 3.7>=.
 
 .. note::
 

modoboa_installer/compatibility_matrix.py

@@ -20,7 +20,12 @@ COMPATIBILITY_MATRIX = {
         "modoboa-pdfcredentials": ">=1.1.1",
         "modoboa-sievefilters": ">=1.1.1",
         "modoboa-webmail": ">=1.2.0",
-    }
+    },
+    "2.1.0": {
+        "modoboa-pdfcredentials": None,
+        "modoboa-dmarc": None,
+        "modoboa-imap-migration": None,
+    },
 }
 
 EXTENSIONS_AVAILABILITY = {

modoboa_installer/config_dict_template.py

@@ -118,6 +118,31 @@ ConfigDictTemplate = [
             }
         ]
     },
+    {
+        "name": "fail2ban",
+        "values": [
+            {
+                "option": "enabled",
+                "default": "true",
+            },
+            {
+                "option": "config_dir",
+                "default": "/etc/fail2ban"
+            },
+            {
+                "option": "max_retry",
+                "default": "20"
+            },
+            {
+                "option": "ban_time",
+                "default": "3600"
+            },
+            {
+                "option": "find_time",
+                "default": "30"
+            },
+        ]
+    },
     {
         "name": "modoboa",
         "values": [
@@ -158,7 +183,7 @@ ConfigDictTemplate = [
             {
                 "option": "extensions",
                 "default": (
-                    "modoboa-amavis modoboa-pdfcredentials "
+                    "modoboa-amavis "
                     "modoboa-postfix-autoreply modoboa-sievefilters "
                     "modoboa-webmail modoboa-contacts "
                     "modoboa-radicale"
@@ -256,7 +281,7 @@ ConfigDictTemplate = [
             },
             {
                 "option": "user",
-                "default": "vmail",
+                "default": "dovecot",
             },
             {
                 "option": "home_dir",
@@ -321,6 +346,10 @@ ConfigDictTemplate = [
                 "option": "message_size_limit",
                 "default": "11534336",
             },
+            {
+                "option": "dhe_group",
+                "default": "4096"
+            }
         ]
     },
     {

modoboa_installer/database.py

@@ -42,7 +42,7 @@ class PostgreSQL(Database):
     default_port = 5432
     packages = {
         "deb": ["postgresql", "postgresql-server-dev-all"],
-        "rpm": ["postgresql-server", "postgresql-server-devel", "postgresql"]
+        "rpm": ["postgresql-server", "postgresql-devel"]
     }
     service = "postgresql"
 
@@ -54,7 +54,19 @@ class PostgreSQL(Database):
         """Install database if required."""
         name, version = utils.dist_info()
         if "CentOS" in name:
-            initdb_cmd = "postgresql-setup --initdb"
+            if version.startswith("7"):
+                # Install newer version of postgres in this case
+                package.backend.install(
+                    "https://download.postgresql.org/pub/repos/yum/"
+                    "reporpms/EL-7-x86_64/pgdg-redhat-repo-latest.noarch.rpm"
+                )
+                self.packages["rpm"] = [
+                    "postgresql10-server", "postgresql10-devel"]
+                self.service = "postgresql-10"
+                initdb_cmd = "/usr/pgsql-10/bin/postgresql-10-setup initdb"
+                cfgfile = "/var/lib/pgsql/10/data/pg_hba.conf"
+            else:
+                initdb_cmd = "postgresql-setup initdb"
                 cfgfile = "/var/lib/pgsql/data/pg_hba.conf"
             package.backend.install_many(self.packages[package.backend.FORMAT])
             utils.exec_cmd(initdb_cmd)
@@ -166,11 +178,15 @@ class MySQL(Database):
         if name.startswith("debian"):
             if version.startswith("8"):
                 self.packages["deb"].append("libmysqlclient-dev")
-            elif version.startswith("11"):
+            elif version.startswith("11") or version.startswith("12"):
                 self.packages["deb"].append("libmariadb-dev")
             else:
                 self.packages["deb"].append("libmariadbclient-dev")
         elif name == "ubuntu":
+            if version.startswith("2"):
+                # Works for Ubuntu 22 and 20
+                self.packages["deb"].append("libmariadb-dev")
+            else:
                 self.packages["deb"].append("libmysqlclient-dev")
         super(MySQL, self).install_package()
         queries = []
@@ -183,7 +199,10 @@ class MySQL(Database):
                     "mariadb-server", "root_password_again", "password",
                     self.dbpassword)
                 return
-            if version.startswith("11"):
+        if (
+            (name.startswith("debian") and (version.startswith("11") or version.startswith("12"))) or
+            (name.startswith("ubuntu") and version.startswith("22"))
+        ):
             queries = [
                 "SET PASSWORD FOR 'root'@'localhost' = PASSWORD('{}')"
                 .format(self.dbpassword),

modoboa_installer/package.py

@@ -46,7 +46,7 @@ class DEBPackage(Package):
         """Update local cache."""
         if self.index_updated:
             return
-        utils.exec_cmd("apt-get update --quiet")
+        utils.exec_cmd("apt-get -o Dpkg::Progress-Fancy=0 update --quiet")
         self.index_updated = True
 
     def preconfigure(self, name, question, qtype, answer):
@@ -57,18 +57,18 @@ class DEBPackage(Package):
     def install(self, name):
         """Install a package."""
         self.update()
-        utils.exec_cmd("apt-get install --quiet --assume-yes {}".format(name))
+        utils.exec_cmd("apt-get -o Dpkg::Progress-Fancy=0 install --quiet --assume-yes {}".format(name))
 
     def install_many(self, names):
         """Install many packages."""
         self.update()
-        return utils.exec_cmd("apt-get install --quiet --assume-yes {}".format(
+        return utils.exec_cmd("apt-get -o Dpkg::Progress-Fancy=0 install --quiet --assume-yes {}".format(
             " ".join(names)))
 
     def get_installed_version(self, name):
         """Get installed package version."""
         code, output = utils.exec_cmd(
-            "dpkg -s {} | grep Version".format(name), capture_output=True)
+            "dpkg -s {} | grep Version".format(name))
         match = re.match(r"Version: (\d:)?(.+)-\d", output.decode())
         if match:
             return match.group(2)
@@ -82,32 +82,22 @@ class RPMPackage(Package):
 
     def __init__(self, dist_name):
         """Initialize backend."""
-        self.dist_name = dist_name
         super(RPMPackage, self).__init__(dist_name)
-
+        if "centos" in dist_name:
-    def prepare_system(self):
-        if "centos" in self.dist_name:
-            utils.exec_cmd("dnf config-manager --set-enabled crb")
             self.install("epel-release")
-        self.update()
-
-    def update(self):
-        """Update the database repo."""
-        utils.exec_cmd("dnf update -y --quiet")
 
     def install(self, name):
         """Install a package."""
-        """Need to add check for rrdtool, sendmail-milter, libmemcached and --enablerepo=crb"""
+        utils.exec_cmd("yum install -y --quiet {}".format(name))
-        utils.exec_cmd("dnf install -y --quiet {}".format(name))
 
     def install_many(self, names):
         """Install many packages."""
-        return utils.exec_cmd("dnf install -y --quiet {}".format(" ".join(names)))
+        return utils.exec_cmd("yum install -y --quiet {}".format(" ".join(names)))
 
     def get_installed_version(self, name):
         """Get installed package version."""
         code, output = utils.exec_cmd(
-            "rpm -qi {} | grep Version".format(name), capture_output=True)
+            "rpm -qi {} | grep Version".format(name))
         match = re.match(r"Version\s+: (.+)", output.decode())
         if match:
             return match.group(1)

modoboa_installer/python.py

@@ -1,6 +1,8 @@
 """Python related tools."""
 
+import json
 import os
+import sys
 
 from . import package
 from . import utils
@@ -45,6 +47,34 @@ def install_packages(names, venv=None, upgrade=False, **kwargs):
     utils.exec_cmd(cmd, **kwargs)
 
 
+def get_package_version(name, venv=None, **kwargs):
+    """Returns the version of an installed package."""
+    cmd = f"{get_pip_path(venv)} list --format json"
+    exit_code, output = utils.exec_cmd(cmd, **kwargs)
+    if exit_code != 0:
+        utils.error(f"Failed to get version of {name}. "
+                    f"Output is: {output}")
+        sys.exit(1)
+
+    print(f"name: {name}, venv: {venv}, cmd: {cmd}, exit_code: {exit_code}, output: {output.decode()}")
+    list_dict = json.loads(output.decode())
+    version_list = []
+    for element in list_dict:
+        if element["name"] == name:
+            version_list = element["version"].split(".")
+            break
+    version_list_clean = []
+    for element in version_list:
+        try:
+            version_list_clean.append(int(element))
+        except ValueError:
+            utils.printcolor(
+                f"Failed to decode some part of the version of {name}",
+                utils.YELLOW)
+            version_list_clean.append(element)
+    return version_list_clean
+
+
 def install_package_from_repository(name, url, vcs="git", venv=None, **kwargs):
     """Install a Python package from its repository."""
     if vcs == "git":
@@ -54,6 +84,16 @@ def install_package_from_repository(name, url, vcs="git", venv=None, **kwargs):
     utils.exec_cmd(cmd, **kwargs)
 
 
+def install_package_from_remote_requirements(url, venv=None, **kwargs):
+    """Install a Python package from a file."""
+    cmd = "{} install {} {}".format(
+        get_pip_path(venv),
+        "-r",
+        url
+    )
+    utils.exec_cmd(cmd, **kwargs)
+
+
 def setup_virtualenv(path, sudo_user=None, python_version=2):
     """Install a virtualenv if needed."""
     if os.path.exists(path):

modoboa_installer/scripts/amavis.py

@@ -21,7 +21,7 @@ class Amavis(base.Installer):
             "unrar-free",
         ],
         "rpm": [
-            "amavis", "arj", "lz4", "lzop", "p7zip",
+            "amavisd-new", "arj", "lz4", "lzop", "p7zip",
         ],
     }
     with_db = True

modoboa_installer/scripts/automx.py

@@ -44,12 +44,12 @@ class Automx(base.Installer):
             sql_query = (
                 "SELECT first_name || ' ' || last_name AS display_name, email"
                 ", SPLIT_PART(email, '@', 2) AS domain "
-                "FROM core_user WHERE email='%s' AND is_active")
+                "FROM core_user WHERE email='%s' AND is_active;")
         else:
             sql_query = (
                 "SELECT concat(first_name, ' ', last_name) AS display_name, "
                 "email, SUBSTRING_INDEX(email, '@', -1) AS domain "
-                "FROM core_user WHERE email='%s' AND is_active=1"
+                "FROM core_user WHERE email='%s' AND is_active=1;"
             )
         context.update({"sql_dsn": sql_dsn, "sql_query": sql_query})
         return context
@@ -59,7 +59,7 @@ class Automx(base.Installer):
         python.setup_virtualenv(
             self.venv_path, sudo_user=self.user, python_version=3)
         packages = [
-            "future", "lxml", "ipaddress", "sqlalchemy", "python-memcached",
+            "future", "lxml", "ipaddress", "sqlalchemy < 2.0", "python-memcached",
             "python-dateutil", "configparser"
         ]
         if self.dbengine == "postgres":

modoboa_installer/scripts/backup.py

@@ -44,8 +44,7 @@ class Backup:
         path_exists = os.path.exists(path)
 
         if path_exists and os.path.isfile(path):
-            utils.printcolor(
+            utils.error("Error, you provided a file instead of a directory!")
-                "Error, you provided a file instead of a directory!", utils.RED)
             return False
 
         if not path_exists:
@@ -58,9 +57,7 @@ class Backup:
                 utils.mkdir_safe(path, stat.S_IRWXU |
                                  stat.S_IRWXG, pw[2], pw[3])
             else:
-                utils.printcolor(
+                utils.error("Error, backup directory not present.")
-                    "Error, backup directory not present.", utils.RED
-                )
                 return False
 
         if len(os.listdir(path)) != 0:
@@ -80,9 +77,7 @@ class Backup:
                 shutil.rmtree(os.path.join(path, "databases"),
                               ignore_errors=False)
             else:
-                utils.printcolor(
+                utils.error("Error: backup directory not clean.")
-                    "Error: backup directory not clean.", utils.RED
-                )
                 return False
 
         self.backup_path = path
@@ -131,8 +126,8 @@ class Backup:
         home_path = self.config.get("dovecot", "home_dir")
 
         if not os.path.exists(home_path) or os.path.isfile(home_path):
-            utils.printcolor("Error backing up Email, provided path "
+            utils.error("Error backing up Email, provided path "
-                             f" ({home_path}) seems not right...", utils.RED)
+                        f" ({home_path}) seems not right...")
 
         else:
             dst = os.path.join(self.backup_path, "mails/")

modoboa_installer/scripts/base.py

@@ -5,11 +5,12 @@ import sys
 
 from .. import database
 from .. import package
+from .. import python
 from .. import system
 from .. import utils
 
 
-class Installer(object):
+class Installer:
     """Simple installer for one application."""
 
     appname = None
@@ -42,6 +43,20 @@ class Installer(object):
         self.dbuser = self.config.get(self.appname, "dbuser")
         self.dbpasswd = self.config.get(self.appname, "dbpassword")
 
+    @property
+    def modoboa_2_2_or_greater(self):
+        # Check if modoboa version > 2.2
+        modoboa_version = python.get_package_version(
+            "modoboa",
+            self.config.get("modoboa", "venv_path"),
+            sudo_user=self.config.get("modoboa", "user")
+            )
+        condition = (
+            (int(modoboa_version[0]) == 2 and int(modoboa_version[1]) >= 2) or
+            int(modoboa_version[0]) > 2
+            )
+        return condition
+
     @property
     def config_dir(self):
         """Return main configuration directory."""
@@ -131,7 +146,7 @@ class Installer(object):
             return
         exitcode, output = package.backend.install_many(packages)
         if exitcode:
-            utils.printcolor("Failed to install dependencies", utils.RED)
+            utils.error("Failed to install dependencies")
             sys.exit(1)
 
     def get_config_files(self):

modoboa_installer/scripts/clamav.py

@@ -15,7 +15,7 @@ class Clamav(base.Installer):
     packages = {
         "deb": ["clamav-daemon"],
         "rpm": [
-            "clamav", "clamav-update", "clamd"
+            "clamav", "clamav-update", "clamav-server", "clamav-server-systemd"
         ],
     }
 
@@ -57,7 +57,7 @@ class Clamav(base.Installer):
             # Check if not present before
             path = "/usr/lib/systemd/system/clamd@.service"
             code, output = utils.exec_cmd(
-                "grep 'WantedBy=multi-user.target' {}".format(path))
+                r"grep 'WantedBy\s*=\s*multi-user.target' {}".format(path))
             if code:
                 utils.exec_cmd(
                     """cat <<EOM >> {}

modoboa_installer/scripts/dovecot.py

@@ -30,6 +30,12 @@ class Dovecot(base.Installer):
         "conf.d/10-master.conf", "conf.d/20-lmtp.conf", "conf.d/10-ssl-keys.try"]
     with_user = True
 
+    def setup_user(self):
+        """Setup mailbox user."""
+        super().setup_user()
+        self.mailboxes_owner = self.app_config["mailboxes_owner"]
+        system.create_user(self.mailboxes_owner, self.home_dir)
+
     def get_config_files(self):
         """Additional config files."""
         return self.config_files + [
@@ -58,7 +64,7 @@ class Dovecot(base.Installer):
     def get_template_context(self):
         """Additional variables."""
         context = super(Dovecot, self).get_template_context()
-        pw = pwd.getpwnam(self.user)
+        pw_mailbox = pwd.getpwnam(self.mailboxes_owner)
         dovecot_package = {"deb": "dovecot-core", "rpm": "dovecot"}
         ssl_protocol_parameter = "ssl_protocols"
         if package.backend.get_installed_version(dovecot_package[package.backend.FORMAT]) > "2.3":
@@ -77,10 +83,12 @@ class Dovecot(base.Installer):
         else:
             # Protocols are automatically guessed on debian/ubuntu
             protocols = ""
+
         context.update({
             "db_driver": self.db_driver,
-            "mailboxes_owner_uid": pw[2],
+            "mailboxes_owner_uid": pw_mailbox[2],
-            "mailboxes_owner_gid": pw[3],
+            "mailboxes_owner_gid": pw_mailbox[3],
+            "mailbox_owner": self.mailboxes_owner,
             "modoboa_user": self.config.get("modoboa", "user"),
             "modoboa_dbname": self.config.get("modoboa", "dbname"),
             "modoboa_dbuser": self.config.get("modoboa", "dbuser"),
@@ -90,7 +98,9 @@ class Dovecot(base.Installer):
             "ssl_protocol_parameter": ssl_protocol_parameter,
             "radicale_user": self.config.get("radicale", "user"),
             "radicale_auth_socket_path": os.path.basename(
-                self.config.get("dovecot", "radicale_auth_socket_path"))
+                self.config.get("dovecot", "radicale_auth_socket_path")),
+            "modoboa_2_2_or_greater": "" if self.modoboa_2_2_or_greater else "#",
+            "not_modoboa_2_2_or_greater": "" if not self.modoboa_2_2_or_greater else "#"
         })
         return context
 
@@ -113,12 +123,12 @@ class Dovecot(base.Installer):
             utils.copy_file(f, "{}/conf.d".format(self.config_dir))
         # Make postlogin script executable
         utils.exec_cmd("chmod +x /usr/local/bin/postlogin.sh")
+        # Only root should have read access to the 10-ssl-keys.try
+        # See https://github.com/modoboa/modoboa/issues/2570
+        utils.exec_cmd("chmod 600 /etc/dovecot/conf.d/10-ssl-keys.try")
         # Add mailboxes user to dovecot group for modoboa mailbox commands.
         # See https://github.com/modoboa/modoboa/issues/2157.
-        system.add_user_to_group(
+        system.add_user_to_group(self.mailboxes_owner, 'dovecot')
-            self.config.get("dovecot", "mailboxes_owner"),
-            'dovecot'
-        )
 
     def restart_daemon(self):
         """Restart daemon process.
@@ -161,10 +171,10 @@ class Dovecot(base.Installer):
             shutil.copytree(mail_dir, home_dir)
             # Resetting permission for vmail
             for dirpath, dirnames, filenames in os.walk(home_dir):
-                shutil.chown(dirpath, self.user, self.user)
+                shutil.chown(dirpath, self.mailboxes_owner, self.mailboxes_owner)
                 for filename in filenames:
                     shutil.chown(os.path.join(dirpath, filename),
-                                 self.user, self.user)
+                                 self.mailboxes_owner, self.mailboxes_owner)
         else:
             utils.printcolor(
                 "It seems that emails were not backed up, skipping restoration.",

modoboa_installer/scripts/fail2ban.py

@@ -0,0 +1,17 @@
+"""fail2ban related functions."""
+
+from . import base
+
+
+class Fail2ban(base.Installer):
+    """Fail2ban installer."""
+
+    appname = "fail2ban"
+    packages = {
+        "deb": ["fail2ban"],
+        "rpm": ["fail2ban"]
+    }
+    config_files = [
+        "jail.d/modoboa.conf",
+        "filter.d/modoboa-auth.conf",
+    ]

modoboa_installer/scripts/files/amavis/amavis_mysql_2.13.X.sql

@@ -0,0 +1,213 @@
+-- Amavis 2.11.0 MySQL schema
+-- Provided by Modoboa
+-- Warning: foreign key creations are enabled
+
+-- local users
+CREATE TABLE users (
+  id         int unsigned NOT NULL AUTO_INCREMENT PRIMARY KEY,  -- unique id
+  priority   integer      NOT NULL DEFAULT '7',  -- sort field, 0 is low prior.
+  policy_id  integer unsigned NOT NULL DEFAULT '1',  -- JOINs with policy.id
+  email      varbinary(255) NOT NULL UNIQUE,
+  fullname   varchar(255) DEFAULT NULL    -- not used by amavisd-new
+  -- local   char(1)      -- Y/N  (optional field, see note further down)
+);
+
+-- any e-mail address (non- rfc2822-quoted), external or local,
+-- used as senders in wblist
+CREATE TABLE mailaddr (
+  id         int unsigned NOT NULL AUTO_INCREMENT PRIMARY KEY,
+  priority   integer      NOT NULL DEFAULT '7',  -- 0 is low priority
+  email      varbinary(255) NOT NULL UNIQUE
+);
+
+-- per-recipient whitelist and/or blacklist,
+-- puts sender and recipient in relation wb  (white or blacklisted sender)
+CREATE TABLE wblist (
+  rid        integer unsigned NOT NULL,  -- recipient: users.id
+  sid        integer unsigned NOT NULL,  -- sender: mailaddr.id
+  wb         varchar(10)  NOT NULL,  -- W or Y / B or N / space=neutral / score
+  PRIMARY KEY (rid,sid)
+);
+
+CREATE TABLE policy (
+  id  int unsigned NOT NULL AUTO_INCREMENT PRIMARY KEY,
+                                    -- 'id' this is the _only_ required field
+  policy_name      varchar(32),     -- not used by amavisd-new, a comment
+
+  virus_lover           char(1) default NULL,     -- Y/N
+  spam_lover            char(1) default NULL,     -- Y/N
+  unchecked_lover       char(1) default NULL,     -- Y/N
+  banned_files_lover    char(1) default NULL,     -- Y/N
+  bad_header_lover      char(1) default NULL,     -- Y/N
+
+  bypass_virus_checks   char(1) default NULL,     -- Y/N
+  bypass_spam_checks    char(1) default NULL,     -- Y/N
+  bypass_banned_checks  char(1) default NULL,     -- Y/N
+  bypass_header_checks  char(1) default NULL,     -- Y/N
+
+  virus_quarantine_to      varchar(64) default NULL,
+  spam_quarantine_to       varchar(64) default NULL,
+  banned_quarantine_to     varchar(64) default NULL,
+  unchecked_quarantine_to  varchar(64) default NULL,
+  bad_header_quarantine_to varchar(64) default NULL,
+  clean_quarantine_to      varchar(64) default NULL,
+  archive_quarantine_to    varchar(64) default NULL,
+
+  spam_tag_level  float default NULL, -- higher score inserts spam info headers
+  spam_tag2_level float default NULL, -- inserts 'declared spam' header fields
+  spam_tag3_level float default NULL, -- inserts 'blatant spam' header fields
+  spam_kill_level float default NULL, -- higher score triggers evasive actions
+                                      -- e.g. reject/drop, quarantine, ...
+                                     -- (subject to final_spam_destiny setting)
+  spam_dsn_cutoff_level        float default NULL,
+  spam_quarantine_cutoff_level float default NULL,
+
+  addr_extension_virus      varchar(64) default NULL,
+  addr_extension_spam       varchar(64) default NULL,
+  addr_extension_banned     varchar(64) default NULL,
+  addr_extension_bad_header varchar(64) default NULL,
+
+  warnvirusrecip      char(1)     default NULL, -- Y/N
+  warnbannedrecip     char(1)     default NULL, -- Y/N
+  warnbadhrecip       char(1)     default NULL, -- Y/N
+  newvirus_admin      varchar(64) default NULL,
+  virus_admin         varchar(64) default NULL,
+  banned_admin        varchar(64) default NULL,
+  bad_header_admin    varchar(64) default NULL,
+  spam_admin          varchar(64) default NULL,
+  spam_subject_tag    varchar(64) default NULL,
+  spam_subject_tag2   varchar(64) default NULL,
+  spam_subject_tag3   varchar(64) default NULL,
+  message_size_limit  integer     default NULL, -- max size in bytes, 0 disable
+  banned_rulenames    varchar(64) default NULL, -- comma-separated list of ...
+        -- names mapped through %banned_rules to actual banned_filename tables
+  disclaimer_options  varchar(64) default NULL,
+  forward_method      varchar(64) default NULL,
+  sa_userconf         varchar(64) default NULL,
+  sa_username         varchar(64) default NULL
+);
+
+
+-- R/W part of the dataset (optional)
+--   May reside in the same or in a separate database as lookups database;
+--   REQUIRES SUPPORT FOR TRANSACTIONS; specified in @storage_sql_dsn
+--
+--   MySQL note ( http://dev.mysql.com/doc/mysql/en/storage-engines.html ):
+--     ENGINE is the preferred term, but cannot be used before MySQL 4.0.18.
+--     TYPE is available beginning with MySQL 3.23.0, the first version of
+--     MySQL for which multiple storage engines were available. If you omit
+--     the ENGINE or TYPE option, the default storage engine is used.
+--     By default this is MyISAM.
+--
+--  Please create additional indexes on keys when needed, or drop suggested
+--  ones as appropriate to optimize queries needed by a management application.
+--  See your database documentation for further optimization hints. With MySQL
+--  see Chapter 15 of the reference manual. For example the chapter 15.17 says:
+--  InnoDB does not keep an internal count of rows in a table. To process a
+--  SELECT COUNT(*) FROM T statement, InnoDB must scan an index of the table,
+--  which takes some time if the index is not entirely in the buffer pool.
+--
+--        Wayne Smith adds: When using MySQL with InnoDB one might want to
+--  increase buffer size for both pool and log, and might also want
+--  to change flush settings for a little better performance. Example:
+--    innodb_buffer_pool_size = 384M
+--    innodb_log_buffer_size = 8M
+--    innodb_flush_log_at_trx_commit = 0
+--  The big performance increase is the first two, the third just helps with
+--  lowering disk activity. Consider also adjusting the key_buffer_size.
+
+-- provide unique id for each e-mail address, avoids storing copies
+CREATE TABLE maddr (
+  partition_tag integer      DEFAULT 0, -- see $partition_tag
+  id         bigint unsigned NOT NULL AUTO_INCREMENT PRIMARY KEY,
+  email      varbinary(255)  NOT NULL,  -- full mail address
+  domain     varchar(255)    NOT NULL,  -- only domain part of the email address
+                                        -- with subdomain fields in reverse
+  CONSTRAINT part_email UNIQUE (partition_tag,email)
+) ENGINE=InnoDB;
+
+-- information pertaining to each processed message as a whole;
+-- NOTE: records with NULL msgs.content should be ignored by utilities,
+--   as such records correspond to messages just being processes, or were lost
+-- NOTE: instead of a character field time_iso, one might prefer:
+--   time_iso TIMESTAMP NOT NULL DEFAULT 0,
+--   but the following MUST then be set in amavisd.conf: $timestamp_fmt_mysql=1
+CREATE TABLE msgs (
+  partition_tag integer     DEFAULT 0,   -- see $partition_tag
+  mail_id     varbinary(16) NOT NULL,    -- long-term unique mail id, dflt 12 ch
+  secret_id   varbinary(16) DEFAULT '',  -- authorizes release of mail_id, 12 ch
+  am_id       varchar(20)   NOT NULL,    -- id used in the log
+  time_num    integer unsigned NOT NULL, -- rx_time: seconds since Unix epoch
+  time_iso    char(16)      NOT NULL,    -- rx_time: ISO8601 UTC ascii time
+  sid         bigint unsigned NOT NULL,  -- sender: maddr.id
+  policy      varchar(255)  DEFAULT '',  -- policy bank path (like macro %p)
+  client_addr varchar(255)  DEFAULT '',  -- SMTP client IP address (IPv4 or v6)
+  size        integer unsigned NOT NULL, -- message size in bytes
+  originating char(1) DEFAULT ' ' NOT NULL,  -- sender from inside or auth'd
+  content     char(1),                   -- content type: V/B/U/S/Y/M/H/O/T/C
+    -- virus/banned/unchecked/spam(kill)/spammy(tag2)/
+    -- /bad-mime/bad-header/oversized/mta-err/clean
+    -- is NULL on partially processed mail
+    -- (prior to 2.7.0 the CC_SPAMMY was logged as 's', now 'Y' is used;
+    -- to avoid a need for case-insenstivity in queries)
+  quar_type  char(1),                   -- quarantined as: ' '/F/Z/B/Q/M/L
+                                        --  none/file/zipfile/bsmtp/sql/
+                                        --  /mailbox(smtp)/mailbox(lmtp)
+  quar_loc   varbinary(255) DEFAULT '', -- quarantine location (e.g. file)
+  dsn_sent   char(1),                   -- was DSN sent? Y/N/q (q=quenched)
+  spam_level float,                     -- SA spam level (no boosts)
+  message_id varchar(255)  DEFAULT '',  -- mail Message-ID header field
+  from_addr  varchar(255)  CHARACTER SET utf8mb4 COLLATE utf8mb4_bin  DEFAULT '',
+                                        -- mail From header field,    UTF8
+  subject    varchar(255)  CHARACTER SET utf8mb4 COLLATE utf8mb4_bin  DEFAULT '',
+                                        -- mail Subject header field, UTF8
+  host       varchar(255)  NOT NULL,    -- hostname where amavisd is running
+  PRIMARY KEY (partition_tag,mail_id),
+  FOREIGN KEY (sid) REFERENCES maddr(id) ON DELETE RESTRICT
+) ENGINE=InnoDB;
+CREATE INDEX msgs_idx_sid      ON msgs (sid);
+CREATE INDEX msgs_idx_mess_id  ON msgs (message_id); -- useful with pen pals
+CREATE INDEX msgs_idx_time_num ON msgs (time_num);
+-- alternatively when purging based on time_iso (instead of msgs_idx_time_num):
+CREATE INDEX msgs_idx_time_iso ON msgs (time_iso);
+-- When using FOREIGN KEY contraints, InnoDB requires index on a field
+-- (an the field must be the first field in the index).  Hence create it:
+CREATE INDEX msgs_idx_mail_id  ON msgs (mail_id);
+
+-- per-recipient information related to each processed message;
+-- NOTE: records in msgrcpt without corresponding msgs.mail_id record are
+--  orphaned and should be ignored and eventually deleted by external utilities
+CREATE TABLE msgrcpt (
+  partition_tag integer    DEFAULT 0,    -- see $partition_tag
+  mail_id    varbinary(16) NOT NULL,     -- (must allow duplicates)
+  rseqnum    integer  DEFAULT 0   NOT NULL, -- recip's enumeration within msg
+  rid        bigint unsigned NOT NULL,   -- recipient: maddr.id (dupl. allowed)
+  is_local   char(1)  DEFAULT ' ' NOT NULL, -- recip is: Y=local, N=foreign
+  content    char(1)  DEFAULT ' ' NOT NULL, -- content type V/B/U/S/Y/M/H/O/T/C
+  ds         char(1)  NOT NULL,          -- delivery status: P/R/B/D/T
+                                         -- pass/reject/bounce/discard/tempfail
+  rs         char(1)  NOT NULL,          -- release status: initialized to ' '
+  bl         char(1)  DEFAULT ' ',       -- sender blacklisted by this recip
+  wl         char(1)  DEFAULT ' ',       -- sender whitelisted by this recip
+  bspam_level float,                     -- per-recipient (total) spam level
+  smtp_resp  varchar(255)  DEFAULT '',   -- SMTP response given to MTA
+  PRIMARY KEY (partition_tag,mail_id,rseqnum),
+  FOREIGN KEY (rid)     REFERENCES maddr(id)     ON DELETE RESTRICT,
+  FOREIGN KEY (mail_id) REFERENCES msgs(mail_id) ON DELETE CASCADE
+) ENGINE=InnoDB;
+CREATE INDEX msgrcpt_idx_mail_id  ON msgrcpt (mail_id);
+CREATE INDEX msgrcpt_idx_rid      ON msgrcpt (rid);
+-- Additional index on rs since Modoboa uses it to filter its quarantine
+CREATE INDEX msgrcpt_idx_rs       ON msgrcpt (rs);
+
+-- mail quarantine in SQL, enabled by $*_quarantine_method='sql:'
+-- NOTE: records in quarantine without corresponding msgs.mail_id record are
+--  orphaned and should be ignored and eventually deleted by external utilities
+CREATE TABLE quarantine (
+  partition_tag integer    DEFAULT 0,    -- see $partition_tag
+  mail_id    varbinary(16) NOT NULL,     -- long-term unique mail id
+  chunk_ind  integer unsigned NOT NULL,  -- chunk number, starting with 1
+  mail_text  blob          NOT NULL,     -- store mail as chunks of octets
+  PRIMARY KEY (partition_tag,mail_id,chunk_ind),
+  FOREIGN KEY (mail_id) REFERENCES msgs(mail_id) ON DELETE CASCADE
+) ENGINE=InnoDB;

modoboa_installer/scripts/files/amavis/amavis_postgres_2.13.X.sql

@@ -0,0 +1,189 @@
+CREATE TABLE policy (
+  id            serial PRIMARY KEY, -- 'id' is the _only_ required field
+  policy_name   varchar(32),        -- not used by amavisd-new, a comment
+
+  virus_lover           char(1) default NULL,     -- Y/N
+  spam_lover            char(1) default NULL,     -- Y/N
+  unchecked_lover       char(1) default NULL,     -- Y/N
+  banned_files_lover    char(1) default NULL,     -- Y/N
+  bad_header_lover      char(1) default NULL,     -- Y/N
+
+  bypass_virus_checks   char(1) default NULL,     -- Y/N
+  bypass_spam_checks    char(1) default NULL,     -- Y/N
+  bypass_banned_checks  char(1) default NULL,     -- Y/N
+  bypass_header_checks  char(1) default NULL,     -- Y/N
+
+  virus_quarantine_to      varchar(64) default NULL,
+  spam_quarantine_to       varchar(64) default NULL,
+  banned_quarantine_to     varchar(64) default NULL,
+  unchecked_quarantine_to  varchar(64) default NULL,
+  bad_header_quarantine_to varchar(64) default NULL,
+  clean_quarantine_to      varchar(64) default NULL,
+  archive_quarantine_to    varchar(64) default NULL,
+
+  spam_tag_level  real default NULL, -- higher score inserts spam info headers
+  spam_tag2_level real default NULL, -- inserts 'declared spam' header fields
+  spam_tag3_level real default NULL, -- inserts 'blatant spam' header fields
+  spam_kill_level real default NULL, -- higher score triggers evasive actions
+                                     -- e.g. reject/drop, quarantine, ...
+                                     -- (subject to final_spam_destiny setting)
+
+  spam_dsn_cutoff_level        real default NULL,
+  spam_quarantine_cutoff_level real default NULL,
+
+  addr_extension_virus      varchar(64) default NULL,
+  addr_extension_spam       varchar(64) default NULL,
+  addr_extension_banned     varchar(64) default NULL,
+  addr_extension_bad_header varchar(64) default NULL,
+
+  warnvirusrecip      char(1)     default NULL, -- Y/N
+  warnbannedrecip     char(1)     default NULL, -- Y/N
+  warnbadhrecip       char(1)     default NULL, -- Y/N
+  newvirus_admin      varchar(64) default NULL,
+  virus_admin         varchar(64) default NULL,
+  banned_admin        varchar(64) default NULL,
+  bad_header_admin    varchar(64) default NULL,
+  spam_admin          varchar(64) default NULL,
+  spam_subject_tag    varchar(64) default NULL,
+  spam_subject_tag2   varchar(64) default NULL,
+  spam_subject_tag3   varchar(64) default NULL,
+  message_size_limit  integer     default NULL, -- max size in bytes, 0 disable
+  banned_rulenames    varchar(64) default NULL, -- comma-separated list of ...
+        -- names mapped through %banned_rules to actual banned_filename tables
+  disclaimer_options  varchar(64) default NULL,
+  forward_method      varchar(64) default NULL,
+  sa_userconf         varchar(64) default NULL,
+  sa_username         varchar(64) default NULL
+);
+
+-- local users
+CREATE TABLE users (
+  id         serial  PRIMARY KEY,  -- unique id
+  priority   integer NOT NULL DEFAULT 7,  -- sort field, 0 is low prior.
+  policy_id  integer NOT NULL DEFAULT 1 CHECK (policy_id >= 0) REFERENCES policy(id),
+  email      bytea   NOT NULL UNIQUE,     -- email address, non-rfc2822-quoted
+  fullname   varchar(255) DEFAULT NULL    -- not used by amavisd-new
+  -- local   char(1)      -- Y/N  (optional, see SQL section in README.lookups)
+);
+
+-- any e-mail address (non- rfc2822-quoted), external or local,
+-- used as senders in wblist
+CREATE TABLE mailaddr (
+  id         serial  PRIMARY KEY,
+  priority   integer NOT NULL DEFAULT 9,  -- 0 is low priority
+  email      bytea   NOT NULL UNIQUE
+);
+
+-- per-recipient whitelist and/or blacklist,
+-- puts sender and recipient in relation wb  (white or blacklisted sender)
+CREATE TABLE wblist (
+  rid        integer NOT NULL CHECK (rid >= 0) REFERENCES users(id),
+  sid        integer NOT NULL CHECK (sid >= 0) REFERENCES mailaddr(id),
+  wb         varchar(10) NOT NULL,  -- W or Y / B or N / space=neutral / score
+  PRIMARY KEY (rid,sid)
+);
+
+-- grant usage rights:
+GRANT select ON policy   TO amavis;
+GRANT select ON users    TO amavis;
+GRANT select ON mailaddr TO amavis;
+GRANT select ON wblist   TO amavis;
+
+
+-- R/W part of the dataset (optional)
+--   May reside in the same or in a separate database as lookups database;
+--   REQUIRES SUPPORT FOR TRANSACTIONS; specified in @storage_sql_dsn
+--
+--  Please create additional indexes on keys when needed, or drop suggested
+--  ones as appropriate to optimize queries needed by a management application.
+--  See your database documentation for further optimization hints.
+
+-- provide unique id for each e-mail address, avoids storing copies
+CREATE TABLE maddr (
+  id         serial       PRIMARY KEY,
+  partition_tag integer   DEFAULT 0,   -- see $partition_tag
+  email      bytea        NOT NULL,    -- full e-mail address
+  domain     varchar(255) NOT NULL,    -- only domain part of the email address
+                                       -- with subdomain fields in reverse
+  CONSTRAINT part_email UNIQUE (partition_tag,email)
+);
+
+-- information pertaining to each processed message as a whole;
+-- NOTE: records with a NULL msgs.content should be ignored by utilities,
+--   as such records correspond to messages just being processed, or were lost
+CREATE TABLE msgs (
+  partition_tag integer     DEFAULT 0,  -- see $partition_tag
+  mail_id     bytea         NOT NULL,   -- long-term unique mail id, dflt 12 ch
+  secret_id   bytea         DEFAULT '', -- authorizes release of mail_id, 12 ch
+  am_id       varchar(20)   NOT NULL,   -- id used in the log
+  time_num    integer NOT NULL CHECK (time_num >= 0),
+                                        -- rx_time: seconds since Unix epoch
+  time_iso timestamp WITH TIME ZONE NOT NULL,-- rx_time: ISO8601 UTC ascii time
+  sid         integer NOT NULL CHECK (sid >= 0), -- sender: maddr.id
+  policy      varchar(255)  DEFAULT '', -- policy bank path (like macro %p)
+  client_addr varchar(255)  DEFAULT '', -- SMTP client IP address (IPv4 or v6)
+  size        integer NOT NULL CHECK (size >= 0), -- message size in bytes
+  originating char(1) DEFAULT ' ' NOT NULL,  -- sender from inside or auth'd
+  content     char(1),                   -- content type: V/B/U/S/Y/M/H/O/T/C
+    -- virus/banned/unchecked/spam(kill)/spammy(tag2)/
+    -- /bad-mime/bad-header/oversized/mta-err/clean
+    -- is NULL on partially processed mail
+    -- (prior to 2.7.0 the CC_SPAMMY was logged as 's', now 'Y' is used;
+    --- to avoid a need for case-insenstivity in queries)
+  quar_type  char(1),                   -- quarantined as: ' '/F/Z/B/Q/M/L
+                                        --  none/file/zipfile/bsmtp/sql/
+                                        --  /mailbox(smtp)/mailbox(lmtp)
+  quar_loc   varchar(255)  DEFAULT '',  -- quarantine location (e.g. file)
+  dsn_sent   char(1),                   -- was DSN sent? Y/N/q (q=quenched)
+  spam_level real,                      -- SA spam level (no boosts)
+  message_id varchar(255)  DEFAULT '',  -- mail Message-ID header field
+  from_addr  varchar(255)  DEFAULT '',  -- mail From header field,    UTF8
+  subject    varchar(255)  DEFAULT '',  -- mail Subject header field, UTF8
+  host       varchar(255)  NOT NULL,    -- hostname where amavisd is running
+  CONSTRAINT msgs_partition_mail UNIQUE (partition_tag,mail_id),
+  PRIMARY KEY (partition_tag,mail_id)
+--FOREIGN KEY (sid) REFERENCES maddr(id) ON DELETE RESTRICT
+);
+CREATE INDEX msgs_idx_sid      ON msgs (sid);
+CREATE INDEX msgs_idx_mess_id  ON msgs (message_id); -- useful with pen pals
+CREATE INDEX msgs_idx_time_iso ON msgs (time_iso);
+CREATE INDEX msgs_idx_time_num ON msgs (time_num);   -- optional
+
+-- per-recipient information related to each processed message;
+-- NOTE: records in msgrcpt without corresponding msgs.mail_id record are
+--  orphaned and should be ignored and eventually deleted by external utilities
+CREATE TABLE msgrcpt (
+  partition_tag integer DEFAULT 0,  -- see $partition_tag
+  mail_id    bytea    NOT NULL,     -- (must allow duplicates)
+  rseqnum    integer  DEFAULT 0   NOT NULL, -- recip's enumeration within msg
+  rid        integer  NOT NULL,     -- recipient: maddr.id (duplicates allowed)
+  is_local   char(1)  DEFAULT ' ' NOT NULL, -- recip is: Y=local, N=foreign
+  content    char(1)  DEFAULT ' ' NOT NULL, -- content type V/B/U/S/Y/M/H/O/T/C
+  ds         char(1)  NOT NULL,     -- delivery status: P/R/B/D/T
+                                    -- pass/reject/bounce/discard/tempfail
+  rs         char(1)  NOT NULL,     -- release status: initialized to ' '
+  bl         char(1)  DEFAULT ' ',  -- sender blacklisted by this recip
+  wl         char(1)  DEFAULT ' ',  -- sender whitelisted by this recip
+  bspam_level real,                 -- per-recipient (total) spam level
+  smtp_resp  varchar(255) DEFAULT '', -- SMTP response given to MTA
+  CONSTRAINT msgrcpt_partition_mail_rseq UNIQUE (partition_tag,mail_id,rseqnum),
+  PRIMARY KEY (partition_tag,mail_id,rseqnum)
+--FOREIGN KEY (rid)     REFERENCES maddr(id)     ON DELETE RESTRICT,
+--FOREIGN KEY (mail_id) REFERENCES msgs(mail_id) ON DELETE CASCADE
+);
+CREATE INDEX msgrcpt_idx_mail_id  ON msgrcpt (mail_id);
+CREATE INDEX msgrcpt_idx_rid      ON msgrcpt (rid);
+-- Additional index on rs since Modoboa uses it to filter its quarantine
+CREATE INDEX msgrcpt_idx_rs       ON msgrcpt (rs);
+
+-- mail quarantine in SQL, enabled by $*_quarantine_method='sql:'
+-- NOTE: records in quarantine without corresponding msgs.mail_id record are
+--  orphaned and should be ignored and eventually deleted by external utilities
+CREATE TABLE quarantine (
+  partition_tag integer  DEFAULT 0,      -- see $partition_tag
+  mail_id    bytea   NOT NULL,           -- long-term unique mail id
+  chunk_ind  integer NOT NULL CHECK (chunk_ind >= 0), -- chunk number, 1..
+  mail_text  bytea   NOT NULL,           -- store mail as chunks of octects
+  PRIMARY KEY (partition_tag,mail_id,chunk_ind)
+--FOREIGN KEY (mail_id) REFERENCES msgs(mail_id) ON DELETE CASCADE
+);

modoboa_installer/scripts/files/automx/automx.conf.tpl

@@ -2,6 +2,9 @@
 provider = %domain
 domains = *
 
+#debug=yes
+#logfile = /srv/automx/automx.log
+
 # Protect against DoS
 memcache = 127.0.0.1:11211
 memcache_ttl = 600
@@ -16,6 +19,8 @@ host = %sql_dsn
 query = %sql_query
 result_attrs = display_name, email
 
+display_name = ${display_name}
+
 smtp = yes
 smtp_server = %hostname
 smtp_port = 587
@@ -32,10 +37,3 @@ imap_encryption = starttls
 imap_auth = plaintext
 imap_auth_identity = ${email}
 imap_refresh_ttl = 6
-
-pop = yes
-pop_server = %hostname
-pop_port = 110
-pop_encryption = starttls
-pop_auth = plaintext
-pop_auth_identity = ${email}

modoboa_installer/scripts/files/dovecot/conf.d/10-master.conf.tpl

@@ -92,14 +92,14 @@ service postlogin {
 service stats {
   # To allow modoboa to access available cipher list.
   unix_listener stats-reader {
-    user = vmail
+    user = %{mailboxes_owner}
-    group = vmail
+    group = %{mailboxes_owner}
     mode = 0660
   }
 
   unix_listener stats-writer {
-    user = vmail
+    user = %{mailboxes_owner}
-    group = vmail
+    group = %{mailboxes_owner}
     mode = 0660
   }
 }
@@ -120,7 +120,7 @@ service auth {
   # permissions (e.g. 0777 allows everyone full permissions).
   unix_listener auth-userdb {
     #mode = 0666
-    user = vmail
+    user = %{mailboxes_owner}
     #group = 
   }
 
@@ -154,7 +154,7 @@ service dict {
   # For example: mode=0660, group=vmail and global mail_access_groups=vmail
   unix_listener dict {
     mode = 0600
-    user = vmail
+    user = %{mailboxes_owner}
     #group = 
   }
 }

modoboa_installer/scripts/files/dovecot/dovecot-sql-mysql.conf.ext.tpl

@@ -123,7 +123,8 @@ connect = host=%dbhost port=%dbport dbname=%modoboa_dbname user=%modoboa_dbuser
 #user_query = \
 #  SELECT home, uid, gid \
 #  FROM users WHERE username = '%%n' AND domain = '%%d'
-user_query = SELECT '%{home_dir}/%%d/%%n' AS home, %mailboxes_owner_uid as uid, %mailboxes_owner_gid as gid, CONCAT('*:bytes=', mb.quota, 'M') AS quota_rule FROM admin_mailbox mb INNER JOIN admin_domain dom ON mb.domain_id=dom.id INNER JOIN core_user u ON u.id=mb.user_id WHERE mb.address='%%n' AND dom.name='%%d'
+%{not_modoboa_2_2_or_greater}user_query = SELECT '%{home_dir}/%%d/%%n' AS home, %mailboxes_owner_uid as uid, %mailboxes_owner_gid as gid, CONCAT('*:bytes=', mb.quota, 'M') AS quota_rule FROM admin_mailbox mb INNER JOIN admin_domain dom ON mb.domain_id=dom.id INNER JOIN core_user u ON u.id=mb.user_id WHERE mb.address='%%n' AND dom.name='%%d'
+%{modoboa_2_2_or_greater}user_query = SELECT '%{home_dir}/%%d/%%n' AS home, %mailboxes_owner_uid as uid, %mailboxes_owner_gid as gid, CONCAT('*:bytes=', mb.quota, 'M') AS quota_rule FROM admin_mailbox mb INNER JOIN admin_domain dom ON mb.domain_id=dom.id INNER JOIN core_user u ON u.id=mb.user_id WHERE (mb.is_send_only=0 OR '%%s' NOT IN ('imap', 'pop3', 'lmtp')) AND mb.address='%%n' AND dom.name='%%d'
 
 # If you wish to avoid two SQL lookups (passdb + userdb), you can use
 # userdb prefetch instead of userdb sql in dovecot.conf. In that case you'll
@@ -133,7 +134,8 @@ user_query = SELECT '%{home_dir}/%%d/%%n' AS home, %mailboxes_owner_uid as uid,
 #  SELECT userid AS user, password, \
 #    home AS userdb_home, uid AS userdb_uid, gid AS userdb_gid \
 #  FROM users WHERE userid = '%%u'
-password_query = SELECT email AS user, password, '%{home_dir}/%%d/%%n' AS userdb_home, %mailboxes_owner_uid AS userdb_uid, %mailboxes_owner_gid AS userdb_gid, CONCAT('*:bytes=', mb.quota, 'M') AS userdb_quota_rule FROM core_user u INNER JOIN admin_mailbox mb ON u.id=mb.user_id INNER JOIN admin_domain dom ON mb.domain_id=dom.id WHERE u.email='%%u' AND u.is_active=1 AND dom.enabled=1
+%{not_modoboa_2_2_or_greater}password_query = SELECT email AS user, password, '%{home_dir}/%%d/%%n' AS userdb_home, %mailboxes_owner_uid AS userdb_uid, %mailboxes_owner_gid AS userdb_gid, CONCAT('*:bytes=', mb.quota, 'M') AS userdb_quota_rule FROM core_user u INNER JOIN admin_mailbox mb ON u.id=mb.user_id INNER JOIN admin_domain dom ON mb.domain_id=dom.id WHERE u.email='%%u' AND u.is_active=1 AND dom.enabled=1
+%{modoboa_2_2_or_greater}password_query = SELECT email AS user, password, '%{home_dir}/%%d/%%n' AS userdb_home, %mailboxes_owner_uid AS userdb_uid, %mailboxes_owner_gid AS userdb_gid, CONCAT('*:bytes=', mb.quota, 'M') AS userdb_quota_rule FROM core_user u INNER JOIN admin_mailbox mb ON u.id=mb.user_id INNER JOIN admin_domain dom ON mb.domain_id=dom.id WHERE (mb.is_send_only=0 OR '%%s' NOT IN ('imap', 'pop3')) AND u.email='%%u' AND u.is_active=1 AND dom.enabled=1
 
 # Query to get a list of all usernames.
 #iterate_query = SELECT username AS user FROM users

modoboa_installer/scripts/files/dovecot/dovecot-sql-postgres.conf.ext.tpl

@@ -123,7 +123,8 @@ connect = host=%dbhost port=%dbport dbname=%modoboa_dbname user=%modoboa_dbuser
 #user_query = \
 #  SELECT home, uid, gid \
 #  FROM users WHERE username = '%%n' AND domain = '%%d'
-user_query = SELECT '%{home_dir}/%%d/%%n' AS home, %mailboxes_owner_uid as uid, %mailboxes_owner_gid as gid, '*:bytes=' || mb.quota || 'M' AS quota_rule FROM admin_mailbox mb INNER JOIN admin_domain dom ON mb.domain_id=dom.id INNER JOIN core_user u ON u.id=mb.user_id WHERE mb.address='%%n' AND dom.name='%%d'
+%{not_modoboa_2_2_or_greater}user_query = SELECT '%{home_dir}/%%d/%%n' AS home, %mailboxes_owner_uid as uid, %mailboxes_owner_gid as gid, '*:bytes=' || mb.quota || 'M' AS quota_rule FROM admin_mailbox mb INNER JOIN admin_domain dom ON mb.domain_id=dom.id INNER JOIN core_user u ON u.id=mb.user_id WHERE mb.address='%%n' AND dom.name='%%d'
+%{modoboa_2_2_or_greater}user_query = SELECT '%{home_dir}/%%d/%%n' AS home, %mailboxes_owner_uid as uid, %mailboxes_owner_gid as gid, '*:bytes=' || mb.quota || 'M' AS quota_rule FROM admin_mailbox mb INNER JOIN admin_domain dom ON mb.domain_id=dom.id INNER JOIN core_user u ON u.id=mb.user_id WHERE (mb.is_send_only IS NOT TRUE OR '%%s' NOT IN ('imap', 'pop3', 'lmtp')) AND mb.address='%%n' AND dom.name='%%d'
 
 # If you wish to avoid two SQL lookups (passdb + userdb), you can use
 # userdb prefetch instead of userdb sql in dovecot.conf. In that case you'll
@@ -133,7 +134,8 @@ user_query = SELECT '%{home_dir}/%%d/%%n' AS home, %mailboxes_owner_uid as uid,
 #  SELECT userid AS user, password, \
 #    home AS userdb_home, uid AS userdb_uid, gid AS userdb_gid \
 #  FROM users WHERE userid = '%%u'
-password_query = SELECT email AS user, password, '%{home_dir}/%%d/%%n' AS userdb_home, %mailboxes_owner_uid AS userdb_uid, %mailboxes_owner_gid AS userdb_gid, CONCAT('*:bytes=', mb.quota, 'M') AS userdb_quota_rule FROM core_user u INNER JOIN admin_mailbox mb ON u.id=mb.user_id INNER JOIN admin_domain dom ON mb.domain_id=dom.id WHERE email='%%u' AND is_active AND dom.enabled
+%{not_modoboa_2_2_or_greater}password_query = SELECT email AS user, password, '%{home_dir}/%%d/%%n' AS userdb_home, %mailboxes_owner_uid AS userdb_uid, %mailboxes_owner_gid AS userdb_gid, CONCAT('*:bytes=', mb.quota, 'M') AS userdb_quota_rule FROM core_user u INNER JOIN admin_mailbox mb ON u.id=mb.user_id INNER JOIN admin_domain dom ON mb.domain_id=dom.id WHERE email='%%u' AND is_active AND dom.enabled
+%{modoboa_2_2_or_greater}password_query = SELECT email AS user, password, '%{home_dir}/%%d/%%n' AS userdb_home, %mailboxes_owner_uid AS userdb_uid, %mailboxes_owner_gid AS userdb_gid, CONCAT('*:bytes=', mb.quota, 'M') AS userdb_quota_rule FROM core_user u INNER JOIN admin_mailbox mb ON u.id=mb.user_id INNER JOIN admin_domain dom ON mb.domain_id=dom.id WHERE (mb.is_send_only IS NOT TRUE OR '%%s' NOT IN ('imap', 'pop3')) AND email='%%u' AND is_active AND dom.enabled
 
 # Query to get a list of all usernames.
 #iterate_query = SELECT username AS user FROM users

modoboa_installer/scripts/files/fail2ban/filter.d/modoboa-auth.conf.tpl

@@ -0,0 +1,9 @@
+# Fail2Ban filter Modoboa authentication
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+failregex = modoboa\.auth: WARNING Failed connection attempt from \'<HOST>\' as user \'.*?\'$

modoboa_installer/scripts/files/fail2ban/jail.d/modoboa.conf.tpl

@@ -0,0 +1,9 @@
+[modoboa]
+enabled = true
+port = http,https
+protocol = tcp
+filter = modoboa-auth
+maxretry = %max_retry
+bantime = %ban_time
+findtime = %find_time
+logpath = /var/log/auth.log

modoboa_installer/scripts/files/modoboa/crontab.tpl

@@ -33,4 +33,4 @@ INSTANCE=%{instance_path}
 %{minutes}       %{hours}       *       *       *       root    $PYTHON $INSTANCE/manage.py communicate_with_public_api
 
 # Generate DKIM keys (they will belong to the user running this job)
-%{opendkim_enabled}*       *       *       *       *       %{opendkim_user}    umask 077 && $PYTHON $INSTANCE/manage.py modo manage_dkim_keys
+%{dkim_cron_enabled}*       *       *       *       *       %{opendkim_user}    umask 077 && $PYTHON $INSTANCE/manage.py modo manage_dkim_keys

modoboa_installer/scripts/files/modoboa/supervisor-rq-base.tpl

@@ -0,0 +1,9 @@
+[program:modoboa-base-worker]
+autostart=true
+autorestart=true
+command=%{venv_path}/bin/python %{home_dir}/instance/manage.py rqworker modoboa
+directory=%{home_dir}
+user=%{user}
+redirect_stderr=true
+numprocs=1
+stopsignal=TERM

modoboa_installer/scripts/files/modoboa/supervisor-rq-dkim.tpl

@@ -0,0 +1,9 @@
+[program:modoboa-dkim-worker]
+autostart=true
+autorestart=true
+command=%{venv_path}/bin/python %{home_dir}/instance/manage.py rqworker dkim
+directory=%{home_dir}
+user=%{opendkim_user}
+redirect_stderr=true
+numprocs=1
+stopsignal=TERM

modoboa_installer/scripts/files/modoboa/supervisor.tpl

@@ -6,3 +6,4 @@ directory=%{home_dir}
 redirect_stderr=true
 user=%{user}
 numprocs=1
+

modoboa_installer/scripts/files/nginx/modoboa.conf.tpl

@@ -10,8 +10,8 @@ server {
 }
 
 server {
-    listen 443 ssl;
+    listen 443 ssl http2;
-    listen [::]:443 ssl;
+    listen [::]:443 ssl http2;
     server_name %hostname;
     root %app_instance_path;
 

modoboa_installer/scripts/files/postfix/main.cf.tpl

@@ -41,7 +41,7 @@ smtpd_tls_auth_only = no
 smtpd_tls_CApath = /etc/ssl/certs
 smtpd_tls_key_file = %tls_key_file
 smtpd_tls_cert_file = %tls_cert_file
-smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem
+smtpd_tls_dh1024_param_file = ${config_directory}/ffdhe%{dhe_group}.pem
 smtpd_tls_loglevel = 1
 smtpd_tls_session_cache_database = btree:$data_directory/smtpd_tls_session_cache
 smtpd_tls_security_level = may
@@ -57,6 +57,11 @@ smtpd_tls_exclude_ciphers = aNULL, MD5 , DES, ADH, RC4, PSD, SRP, 3DES, eNULL
 # Enable elliptic curve cryptography
 smtpd_tls_eecdh_grade = strong
 
+# SMTP Smuggling prevention
+# See https://www.postfix.org/smtp-smuggling.html
+smtpd_data_restrictions = reject_unauth_pipelining
+smtpd_forbid_unauth_pipelining = yes
+
 # Use TLS if this is supported by the remote SMTP server, otherwise use plaintext.
 smtp_tls_CApath = /etc/ssl/certs
 smtp_tls_security_level = may
@@ -67,10 +72,10 @@ smtp_tls_exclude_ciphers = EXPORT, LOW
 #
 %{dovecot_enabled}virtual_transport = lmtp:unix:private/dovecot-lmtp
 
-virtual_mailbox_domains = proxy:%{db_driver}:/etc/postfix/sql-domains.cf
+%{dovecot_enabled}virtual_mailbox_domains = proxy:%{db_driver}:/etc/postfix/sql-domains.cf
-virtual_alias_domains = proxy:%{db_driver}:/etc/postfix/sql-domain-aliases.cf
+%{dovecot_enabled}virtual_alias_domains = proxy:%{db_driver}:/etc/postfix/sql-domain-aliases.cf
-virtual_alias_maps =
+%{dovecot_enabled}virtual_alias_maps =
-        proxy:%{db_driver}:/etc/postfix/sql-aliases.cf
+%{dovecot_enabled}        proxy:%{db_driver}:/etc/postfix/sql-aliases.cf
 
 ## Relay domains
 #

modoboa_installer/scripts/files/postfix/master.cf.tpl

@@ -78,7 +78,7 @@ scache    unix  -       -       -       -       1       scache
 # Also specify in main.cf: maildrop_destination_recipient_limit=1
 #
 maildrop  unix  -       n       n       -       -       pipe
-  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
+  flags=DRhu user=%{dovecot_mailboxes_owner} argv=/usr/bin/maildrop -d ${recipient}
 #
 # ====================================================================
 #

modoboa_installer/scripts/modoboa.py

@@ -26,7 +26,8 @@ class Modoboa(base.Installer):
         "deb": [
             "build-essential", "python3-dev", "libxml2-dev", "libxslt-dev",
             "libjpeg-dev", "librrd-dev", "rrdtool", "libffi-dev", "cron",
-            "libssl-dev", "redis-server", "supervisor"
+            "libssl-dev", "redis-server", "supervisor", "pkg-config",
+            "libcairo2-dev"
         ],
         "rpm": [
             "gcc", "gcc-c++", "python3-devel", "libxml2-devel", "libxslt-devel",
@@ -43,7 +44,7 @@ class Modoboa(base.Installer):
 
     def __init__(self, *args, **kwargs):
         """Get configuration."""
-        super(Modoboa, self).__init__(*args, **kwargs)
+        super().__init__(*args, **kwargs)
         self.venv_path = self.config.get("modoboa", "venv_path")
         self.instance_path = self.config.get("modoboa", "instance_path")
         self.extensions = self.config.get("modoboa", "extensions").split()
@@ -60,6 +61,7 @@ class Modoboa(base.Installer):
                 self.extensions.remove("modoboa-radicale")
         self.dovecot_enabled = self.config.getboolean("dovecot", "enabled")
         self.opendkim_enabled = self.config.getboolean("opendkim", "enabled")
+        self.dkim_cron_enabled = False
 
     def is_extension_ok_for_version(self, extension, version):
         """Check if extension can be installed with this modo version."""
@@ -87,36 +89,41 @@ class Modoboa(base.Installer):
                     continue
                 if extension in matrix:
                     req_version = matrix[extension]
+                    if req_version is None:
+                        continue
                     req_version = req_version.replace("<", "\<")
                     req_version = req_version.replace(">", "\>")
                     packages.append("{}{}".format(extension, req_version))
                 else:
                     packages.append(extension)
-        # Temp fix for django-braces
-        python.install_package(
-            "django-braces", self.venv_path, upgrade=self.upgrade,
-            sudo_user=self.user
-        )
-        if self.dbengine == "postgres":
-            packages.append("psycopg2-binary\<2.9")
-        else:
-            packages.append("mysqlclient")
         if sys.version_info.major == 2 and sys.version_info.micro < 9:
             # Add extra packages to fix the SNI issue
             packages += ["pyOpenSSL"]
-        # Temp fix for https://github.com/modoboa/modoboa/issues/2247
-        packages.append("django-webpack-loader==0.7.0")
         python.install_packages(
             packages, self.venv_path,
             upgrade=self.upgrade,
             sudo_user=self.user,
             beta=self.config.getboolean("modoboa", "install_beta")
         )
+
+        # Install version specific modules to the venv
+        modoboa_version = ".".join(str(i) for i in python.get_package_version(
+            "modoboa", self.venv_path, sudo_user=self.user
+        ))
+        # Database:
+        db_file = "postgresql"
+        if self.dbengine != "postgres":
+            db_file = "mysql"
+        db_file += "-requirements.txt"
+
+        python.install_package_from_remote_requirements(
+            f"https://raw.githubusercontent.com/modoboa/modoboa/{modoboa_version}/{db_file}",
+            venv=self.venv_path)
+        # Dev mode:
         if self.devmode:
-            # FIXME: use dev-requirements instead
+            python.install_package_from_remote_requirements(
-            python.install_packages(
+                f"https://raw.githubusercontent.com/modoboa/modoboa/{modoboa_version}/dev-requirements.txt",
-                ["django-bower", "django-debug-toolbar"], self.venv_path,
+                venv=self.venv_path)
-                upgrade=self.upgrade, sudo_user=self.user)
 
     def _deploy_instance(self):
         """Deploy Modoboa."""
@@ -177,7 +184,7 @@ class Modoboa(base.Installer):
         if self.upgrade and self.opendkim_enabled and self.dbengine == "postgres":
             # Restore view previously deleted
             self.backend.load_sql_file(
-                self.dbname, self.dbuser, self.dbpassword,
+                self.dbname, self.dbuser, self.dbpasswd,
                 self.get_file_path("dkim_view_{}.sql".format(self.dbengine))
             )
             self.backend.grant_right_on_table(
@@ -187,7 +194,7 @@ class Modoboa(base.Installer):
 
     def setup_database(self):
         """Additional config."""
-        super(Modoboa, self).setup_database()
+        super().setup_database()
         if not self.amavis_enabled:
             return
         self.backend.grant_access(
@@ -195,7 +202,7 @@ class Modoboa(base.Installer):
 
     def get_packages(self):
         """Include extra packages if needed."""
-        packages = super(Modoboa, self).get_packages()
+        packages = super().get_packages()
         condition = (
             package.backend.FORMAT == "rpm" and
             sys.version_info.major == 2 and
@@ -205,6 +212,10 @@ class Modoboa(base.Installer):
             packages += ["openssl-devel"]
         return packages
 
+    def setup_user(self):
+        super().setup_user()
+        self._setup_venv()
+
     def get_config_files(self):
         """Return appropriate path."""
         config_files = super().get_config_files()
@@ -213,6 +224,13 @@ class Modoboa(base.Installer):
         else:
             path = "supervisor=/etc/supervisord.d/policyd.ini"
         config_files.append(path)
+
+        # Add worker for dkim if needed
+        if self.modoboa_2_2_or_greater:
+            config_files.append(
+                "supervisor-rq-dkim=/etc/supervisor/conf.d/modoboa-dkim-worker.conf")
+            config_files.append(
+                "supervisor-rq-base=/etc/supervisor/conf.d/modoboa-base-worker.conf")
         return config_files
 
     def get_template_context(self):
@@ -221,6 +239,8 @@ class Modoboa(base.Installer):
         extensions = self.config.get("modoboa", "extensions")
         extensions = extensions.split()
         random_hour = random.randint(0, 6)
+        self.dkim_cron_enabled = (not self.modoboa_2_2_or_greater and
+                                  self.opendkim_enabled)
         context.update({
             "sudo_user": (
                 "uwsgi" if package.backend.FORMAT == "rpm" else context["user"]
@@ -231,7 +251,9 @@ class Modoboa(base.Installer):
                 "" if "modoboa-radicale" in extensions else "#"),
             "opendkim_user": self.config.get("opendkim", "user"),
             "minutes": random.randint(1, 59),
-            "hours" : f"{random_hour},{random_hour+12}"
+            "hours": f"{random_hour},{random_hour+12}",
+            "modoboa_2_2_or_greater": "" if self.modoboa_2_2_or_greater else "#",
+            "dkim_cron_enabled": "" if self.dkim_cron_enabled else "#"
         })
         return context
 
@@ -243,7 +265,7 @@ class Modoboa(base.Installer):
             self.instance_path, "media", "webmail")
         pw = pwd.getpwnam(self.user)
         for d in [rrd_root_dir, pdf_storage_dir, webmail_media_dir]:
-            utils.mkdir(d, stat.S_IRWXU | stat.S_IRWXG, pw[2], pw[3])
+            utils.mkdir_safe(d, stat.S_IRWXU | stat.S_IRWXG, pw[2], pw[3])
         settings = {
             "admin": {
                 "handle_mailboxes": True,
@@ -255,7 +277,7 @@ class Modoboa(base.Installer):
             "maillog": {
                 "rrd_rootdir": rrd_root_dir,
             },
-            "modoboa_pdfcredentials": {
+            "pdfcredentials": {
                 "storage_dir": pdf_storage_dir
             },
             "modoboa_radicale": {
@@ -281,17 +303,18 @@ class Modoboa(base.Installer):
 
     def post_run(self):
         """Additional tasks."""
-        self._setup_venv()
+        if 'centos' in utils.dist_name():
+            system.enable_and_start_service("redis")
+        else:
+            system.enable_and_start_service("redis-server")
         self._deploy_instance()
         if not self.upgrade:
             self.apply_settings()
 
         if 'centos' in utils.dist_name():
             supervisor = "supervisord"
-            system.enable_and_start_service("redis")
         else:
             supervisor = "supervisor"
-            system.enable_and_start_service("redis-server")
         # Restart supervisor
         system.enable_service(supervisor)
         utils.exec_cmd("service {} stop".format(supervisor))

modoboa_installer/scripts/opendkim.py

@@ -82,11 +82,13 @@ class Opendkim(base.Installer):
         """Additional tasks.
         Check linux distribution (package deb, rpm), to adapt
         to config file location and syntax.
-        - update opendkim isocket port config for Debian based distro
+        - update opendkim isocket port config
         - make sure opendkim starts after db service started
         """
         if package.backend.FORMAT == "deb":
             params_file = "/etc/default/opendkim"
+        else:
+            params_file = "/etc/opendkim.conf"
         pattern = r"s/^(SOCKET=.*)/#\1/"
         utils.exec_cmd(
             "perl -pi -e '{}' {}".format(pattern, params_file))
@@ -113,19 +115,20 @@ class Opendkim(base.Installer):
         """Restore keys."""
         dkim_keys_backup = os.path.join(
             self.archive_path, "custom/dkim")
+        keys_storage_dir = self.app_config["keys_storage_dir"]
         if os.path.isdir(dkim_keys_backup):
             for file in os.listdir(dkim_keys_backup):
                 file_path = os.path.join(dkim_keys_backup, file)
                 if os.path.isfile(file_path):
-                    utils.copy_file(file_path, self.config.get(
+                    utils.copy_file(file_path, keys_storage_dir)
-                        "opendkim", "keys_storage_dir", fallback="/var/lib/dkim"))
             utils.success("DKIM keys restored from backup")
+        # Setup permissions
+        user = self.config.get("opendkim", "user")
+        utils.exec_cmd(f"chown -R {user}:{user} {keys_storage_dir}")
 
     def custom_backup(self, path):
         """Backup DKIM keys."""
-        storage_dir = self.config.get(
+        if os.path.isdir(self.app_config["keys_storage_dir"]):
-            "opendkim", "keys_storage_dir", fallback="/var/lib/dkim")
+            shutil.copytree(self.app_config["keys_storage_dir"], os.path.join(path, "dkim"))
-        if os.path.isdir(storage_dir):
-            shutil.copytree(storage_dir, os.path.join(path, "dkim"))
             utils.printcolor(
                 "DKIM keys saved!", utils.GREEN)

modoboa_installer/scripts/postfix.py

@@ -14,7 +14,6 @@ from . import backup, install
 
 
 class Postfix(base.Installer):
-
     """Postfix installer."""
 
     appname = "postfix"
@@ -34,13 +33,24 @@ class Postfix(base.Installer):
 
     def install_packages(self):
         """Preconfigure postfix package installation."""
+        if "centos" in utils.dist_name():
+            config = configparser.ConfigParser()
+            with open("/etc/yum.repos.d/CentOS-Base.repo") as fp:
+                config.read_file(fp)
+            config.set("centosplus", "enabled", "1")
+            config.set("centosplus", "includepkgs", "postfix-*")
+            config.set("base", "exclude", "postfix-*")
+            config.set("updates", "exclude", "postfix-*")
+            with open("/etc/yum.repos.d/CentOS-Base.repo", "w") as fp:
+                config.write(fp)
+
         package.backend.preconfigure(
             "postfix", "main_mailer_type", "select", "No configuration")
         super(Postfix, self).install_packages()
 
     def get_template_context(self):
         """Additional variables."""
-        context = super(Postfix, self).get_template_context()
+        context = super().get_template_context()
         context.update({
             "db_driver": self.db_driver,
             "dovecot_mailboxes_owner": self.config.get(
@@ -54,6 +64,13 @@ class Postfix(base.Installer):
         })
         return context
 
+    def check_dhe_group_file(self):
+        group = self.config.get(self.appname, "dhe_group")
+        file_name = f"ffdhe{group}.pem"
+        if not os.path.exists(f"{self.config_dir}/{file_name}"):
+            url = f"https://raw.githubusercontent.com/internetstandards/dhe_groups/main/{file_name}"
+            utils.exec_cmd(f"wget {url}", cwd=self.config_dir)
+
     def post_run(self):
         """Additional tasks."""
         venv_path = self.config.get("modoboa", "venv_path")
@@ -75,10 +92,8 @@ class Postfix(base.Installer):
             if not os.path.exists(path):
                 utils.copy_file(os.path.join("/etc", f), path)
 
-        # Generate EDH parameters
+        # Generate DHE group
-        if not os.path.exists("{}/dh2048.pem".format(self.config_dir)):
+        self.check_dhe_group_file()
-            cmd = "openssl dhparam -dsaparam -out dh2048.pem 2048"
-            utils.exec_cmd(cmd, cwd=self.config_dir)
 
         # Generate /etc/aliases.db file to avoid warnings
         aliases_file = "/etc/aliases"

modoboa_installer/scripts/postwhite.py

@@ -47,8 +47,10 @@ class Postwhite(base.Installer):
         self.install_from_archive(SPF_TOOLS_REPOSITORY, install_dir)
         self.postw_dir = self.install_from_archive(
             POSTWHITE_REPOSITORY, install_dir)
-        postw_bin = os.path.join(self.postw_dir, "postwhite")
+        utils.copy_file(
-        utils.exec_cmd("{} /etc/postwhite.conf".format(postw_bin))
+            os.path.join(self.postw_dir, "postwhite.conf"), self.config_dir)
+        self.postw_bin = os.path.join(self.postw_dir, "postwhite")
+        utils.exec_cmd("{} /etc/postwhite.conf".format(self.postw_bin))
 
     def custom_backup(self, path):
         """Backup custom configuration if any."""
@@ -65,6 +67,3 @@ class Postwhite(base.Installer):
         if os.path.isfile(postwhite_backup_configuration):
             utils.copy_file(postwhite_backup_configuration, self.config_dir)
             utils.success("postwhite.conf restored from backup")
-        else:
-            utils.copy_file(
-                os.path.join(self.postw_dir, "postwhite.conf"), self.config_dir)

modoboa_installer/scripts/restore.py

@@ -13,14 +13,14 @@ class Restore:
         """
 
         if not os.path.isdir(restore):
-            utils.printcolor(
+            utils.error(
-                "Provided path is not a directory !", utils.RED)
+                "Provided path is not a directory !")
             sys.exit(1)
 
         modoba_sql_file = os.path.join(restore, "databases/modoboa.sql")
         if not os.path.isfile(modoba_sql_file):
-            utils.printcolor(
+            utils.error(
-                modoba_sql_file + " not found, please check your backup", utils.RED)
+                modoba_sql_file + " not found, please check your backup")
             sys.exit(1)
 
         # Everything seems alright here, proceeding...

modoboa_installer/scripts/spamassassin.py

@@ -57,9 +57,7 @@ class Spamassassin(base.Installer):
 
     def post_run(self):
         """Additional tasks."""
-        amavis_user = self.config.get("amavis", "user")
+        install("razor", self.config, self.upgrade, self.restore)
-        pw = pwd.getpwnam(amavis_user)
-        install("razor", self.config, self.upgrade, self.archive_path)
         if utils.dist_name() in ["debian", "ubuntu"]:
             utils.exec_cmd(
                 "perl -pi -e 's/^CRON=0/CRON=1/' /etc/cron.daily/spamassassin")

modoboa_installer/scripts/uwsgi.py

@@ -17,7 +17,7 @@ class Uwsgi(base.Installer):
     appname = "uwsgi"
     packages = {
         "deb": ["uwsgi", "uwsgi-plugin-python3"],
-        "rpm": ["uwsgi", "uwsgi-plugin-python3"],
+        "rpm": ["uwsgi", "uwsgi-plugin-python36"],
     }
 
     def get_socket_path(self, app):
@@ -29,7 +29,10 @@ class Uwsgi(base.Installer):
     def get_template_context(self, app):
         """Additionnal variables."""
         context = super(Uwsgi, self).get_template_context()
+        if package.backend.FORMAT == "deb":
             uwsgi_plugin = "python3"
+        else:
+            uwsgi_plugin = "python36"
         context.update({
             "app_user": self.config.get(app, "user"),
             "app_venv_path": self.config.get(app, "venv_path"),

modoboa_installer/ssl.py

@@ -90,14 +90,14 @@ class LetsEncryptCertificate(CertificateBackend):
         elif "centos" in name:
             package.backend.install("certbot")
         else:
-            utils.printcolor("Failed to install certbot, aborting.", utils.RED)
+            utils.printcolor("Failed to install certbot, aborting.")
             sys.exit(1)
         # Nginx plugin certbot
         if (
                 self.config.has_option("nginx", "enabled") and
                 self.config.getboolean("nginx", "enabled")
         ):
-            if name == "ubuntu" or name.startswith("debian") or ("Centos" in name and version.startswith("9")):
+            if name == "ubuntu" or name.startswith("debian"):
                 package.backend.install("python3-certbot-nginx")
 
     def generate_cert(self):

modoboa_installer/utils.py

@@ -42,13 +42,15 @@ def user_input(message):
     return answer
 
 
-def exec_cmd(cmd, sudo_user=None, pinput=None, login=True, **kwargs):
+def exec_cmd(cmd, sudo_user=None, login=True, **kwargs):
-    """Execute a shell command.
+    """
+    Execute a shell command.
+
     Run a command using the current user. Set :keyword:`sudo_user` if
     you need different privileges.
+
     :param str cmd: the command to execute
     :param str sudo_user: a valid system username
-    :param str pinput: data to send to process's stdin
     :rtype: tuple
     :return: return code, command output
     """
@@ -57,23 +59,21 @@ def exec_cmd(cmd, sudo_user=None, pinput=None, login=True, **kwargs):
         cmd = "sudo {}-u {} {}".format("-i " if login else "", sudo_user, cmd)
     if "shell" not in kwargs:
         kwargs["shell"] = True
-    if pinput is not None:
+    capture_output = True
-        kwargs["stdin"] = subprocess.PIPE
-    capture_output = False
     if "capture_output" in kwargs:
         capture_output = kwargs.pop("capture_output")
-    elif not ENV.get("debug"):
-        capture_output = True
     if capture_output:
-        kwargs.update(stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+        kwargs.update(stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
-    output = None
+    kwargs["universal_newlines"] = True
-    process = subprocess.Popen(cmd, **kwargs)
+    output: str = ""
-    if pinput or capture_output:
+    with subprocess.Popen(cmd, **kwargs) as process:
-        c_args = [pinput] if pinput is not None else []
+        if capture_output:
-        output = process.communicate(*c_args)[0]
+            for line in process.stdout:
-    else:
+                output += line
-        process.wait()
+                if ENV.get("debug"):
-    return process.returncode, output
+                    sys.stdout.write(line)
+
+    return process.returncode, output.encode()
 
 
 def dist_info():
@@ -135,7 +135,6 @@ def settings(**kwargs):
 
 
 class ConfigFileTemplate(string.Template):
-
     """Custom class for configuration files."""
 
     delimiter = "%"
@@ -177,7 +176,7 @@ def check_config_file(dest, interactive=False, upgrade=False, backup=False, rest
     """Create a new installer config file if needed."""
     is_present = True
     if os.path.exists(dest):
-        return is_present
+        return is_present, update_config(dest, False)
     if upgrade:
         printcolor(
             "You cannot upgrade an existing installation without a "
@@ -198,7 +197,7 @@ def check_config_file(dest, interactive=False, upgrade=False, backup=False, rest
         "Configuration file {} not found, creating new one."
         .format(dest), YELLOW)
     gen_config(dest, interactive)
-    return is_present
+    return is_present, None
 
 
 def has_colours(stream):
@@ -320,8 +319,8 @@ def get_entry_value(entry, interactive):
     return user_value if user_value else default_value
 
 
-def gen_config(dest, interactive=False):
+def load_config_template(interactive):
-    """Create config file from dict template"""
+    """Instantiate a configParser object with the predefined template."""
     tpl_dict = config_dict_template.ConfigDictTemplate
     config = configparser.ConfigParser()
     # only ask about options we need, else still generate default
@@ -337,6 +336,82 @@ def gen_config(dest, interactive=False):
         for config_entry in section["values"]:
             value = get_entry_value(config_entry, interactive_section)
             config.set(section["name"], config_entry["option"], value)
+    return config
+
+
+def update_config(path, apply_update=True):
+    """Update an existing config file."""
+    config = configparser.ConfigParser()
+    with open(path) as fp:
+        config.read_file(fp)
+    new_config = load_config_template(False)
+
+    old_sections = config.sections()
+    new_sections = new_config.sections()
+
+    update = False
+
+    dropped_sections = list(set(old_sections) - set(new_sections))
+    added_sections = list(set(new_sections) - set(old_sections))
+    if len(dropped_sections) > 0 and apply_update:
+        printcolor("Following section(s) will not be ported "
+                   "due to being deleted or renamed: " +
+                   ', '.join(dropped_sections),
+                   RED)
+
+    if len(dropped_sections) + len(added_sections) > 0:
+        update = True
+
+    for section in new_sections:
+        if section in old_sections:
+            new_options = new_config.options(section)
+            old_options = config.options(section)
+
+            dropped_options = list(set(old_options) - set(new_options))
+            added_options = list(set(new_options) - set(old_options))
+            if len(dropped_options) > 0 and apply_update:
+                printcolor(f"Following option(s) from section: {section}, "
+                           "will not be ported due to being "
+                           "deleted or renamed: " +
+                           ', '.join(dropped_options),
+                           RED)
+            if len(dropped_options) + len(added_options) > 0:
+                update = True
+
+            if apply_update:
+                for option in new_options:
+                    if option in old_options:
+                        value = config.get(section, option, raw=True)
+                        if value != new_config.get(section, option, raw=True):
+                            update = True
+                            new_config.set(section, option, value)
+    if apply_update:
+        if update:
+            # Backing up old config file
+            date = datetime.datetime.now().strftime("%Y_%m_%d_%H_%M_%S")
+            dest = f"{os.path.splitext(path)[0]}_{date}.old"
+            shutil.copy(path, dest)
+
+            # Overwritting old config file
+            with open(path, "w") as configfile:
+                new_config.write(configfile)
+
+            # Set file owner to running u+g, and set config file permission to 600
+            current_username = getpass.getuser()
+            current_user = pwd.getpwnam(current_username)
+            os.chown(dest, current_user[2], current_user[3])
+            os.chmod(dest, stat.S_IRUSR | stat.S_IWUSR)
+
+            return dest
+        return None
+    else:
+        # Simply check if current config file is outdated
+        return update
+
+
+def gen_config(dest, interactive=False):
+    """Create config file from dict template"""
+    config = load_config_template(interactive)
 
     with open(dest, "w") as configfile:
         config.write(configfile)

run.py

@@ -22,6 +22,7 @@ from modoboa_installer import utils
 
 PRIMARY_APPS = [
     "amavis",
+    "fail2ban",
     "modoboa",
     "automx",
     "radicale",
@@ -41,7 +42,7 @@ def installation_disclaimer(args, config):
         "Before you start the installation, please make sure the following "
         "DNS records exist for domain '{}':\n"
         "  {} IN A   <IP ADDRESS OF YOUR SERVER>\n"
-        "       IN MX  {}.\n".format(
+        "     @ IN MX  {}.\n".format(
             args.domain,
             hostname.replace(".{}".format(args.domain), ""),
             hostname
@@ -115,6 +116,15 @@ def backup_system(config, args):
         scripts.backup(app, config, backup_path)
 
 
+def config_file_update_complete(backup_location):
+    utils.printcolor("Update complete. It seems successful.",
+                     utils.BLUE)
+    if backup_location is not None:
+        utils.printcolor("You will find your old config file "
+                         f"here: {backup_location}",
+                         utils.BLUE)
+
+
 def main(input_args):
     """Install process."""
     parser = argparse.ArgumentParser()
@@ -152,7 +162,8 @@ def main(input_args):
     parser.add_argument(
         "--silent-backup", action="store_true", default=False,
         help="For script usage, do not require user interaction "
-        "backup will be saved at ./modoboa_backup/Backup_M_Y_d_H_M if --backup-path is not provided")
+        "backup will be saved at ./modoboa_backup/Backup_M_Y_d_H_M "
+        "if --backup-path is not provided")
     parser.add_argument(
         "--restore", type=str, metavar="path",
         help="Restore a previously backup up modoboa instance on a NEW machine. "
@@ -177,7 +188,8 @@ def main(input_args):
             sys.exit(1)
 
     utils.success("Welcome to Modoboa installer!\n")
-    is_config_file_available = utils.check_config_file(
+
+    is_config_file_available, outdate_config = utils.check_config_file(
         args.configfile, args.interactive, args.upgrade, args.backup, is_restoring)
 
     if not is_config_file_available and (
@@ -185,6 +197,20 @@ def main(input_args):
         utils.error("No config file found.")
         return
 
+    # Check if config is outdated and ask user if it needs to be updated
+    if is_config_file_available and outdate_config:
+        answer = utils.user_input("It seems that your config file is outdated. "
+                                  "Would you like to update it? (Y/n) ")
+        if answer.lower().startswith("y"):
+            config_file_update_complete(utils.update_config(args.configfile))
+            if not args.stop_after_configfile_check:
+                answer = utils.user_input("Would you like to stop to review the updated config? (Y/n)")
+                if answer.lower().startswith("y"):
+                    return
+        else:
+            utils.error("You might encounter unexpected errors ! "
+                        "Make sure to update your config before opening an issue!")
+
     if args.stop_after_configfile_check:
         return
 
@@ -238,10 +264,7 @@ def main(input_args):
         ssl_backend.generate_cert()
     for appname in PRIMARY_APPS:
         scripts.install(appname, config, args.upgrade, args.restore)
-    if package.backend.FORMAT == "deb":
     system.restart_service("cron")
-    else:
-        system.restart_service("crond")
     package.backend.restore_system()
     if not args.restore:
         utils.success(

test-requirements.txt

@@ -1,3 +1,2 @@
 codecov
 mock
-six

tests.py

@@ -6,8 +6,13 @@ import sys
 import tempfile
 import unittest
 
-from six import StringIO
+from io import StringIO
-from six.moves import configparser
+from pathlib import Path
+
+try:
+    import configparser
+except ImportError:
+    import ConfigParser as configparser
 try:
     from unittest.mock import patch
 except ImportError:
@@ -57,6 +62,39 @@ class ConfigFileTestCase(unittest.TestCase):
         self.assertEqual(config.get("certificate", "type"), "self-signed")
         self.assertEqual(config.get("database", "engine"), "postgres")
 
+    @patch("modoboa_installer.utils.user_input")
+    def test_updating_configfile(self, mock_user_input):
+        """Check configfile update mechanism."""
+        cfgfile_temp = os.path.join(self.workdir, "installer_old.cfg")
+
+        out = StringIO()
+        sys.stdout = out
+        run.main([
+            "--stop-after-configfile-check",
+            "--configfile", cfgfile_temp,
+            "example.test"])
+        self.assertTrue(os.path.exists(cfgfile_temp))
+
+        # Adding a dummy section
+        with open(cfgfile_temp, "a") as fp:
+            fp.write(
+"""
+[dummy]
+    weird_old_option = "hey
+""")
+        mock_user_input.side_effect = ["y"]
+        out = StringIO()
+        sys.stdout = out
+        run.main([
+            "--stop-after-configfile-check",
+            "--configfile", cfgfile_temp,
+            "example.test"])
+        self.assertIn("dummy", out.getvalue())
+        self.assertTrue(Path(self.workdir).glob("*.old"))
+        self.assertIn("Update complete",
+                      out.getvalue()
+        )
+
     @patch("modoboa_installer.utils.user_input")
     def test_interactive_mode_letsencrypt(self, mock_user_input):
         """Check interactive mode."""
@@ -92,6 +130,9 @@ class ConfigFileTestCase(unittest.TestCase):
             " postwhite spamassassin uwsgi",
             out.getvalue()
         )
+        self.assertNotIn("It seems that your config file is outdated.",
+                         out.getvalue()
+        )
 
     @patch("modoboa_installer.utils.user_input")
     def test_upgrade_mode(self, mock_user_input):