Do not alter global variable

Update MySQL (MariaDB) install to account for Ubuntu 24.04.

.github/workflows/installer.yml

@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        python-version: [3.8, 3.9, '3.10', '3.11']
+        python-version: [3.9, '3.10', '3.11', '3.12']
       fail-fast: false
 
     steps:
@@ -24,19 +24,20 @@ jobs:
         run: |
           pip install -r test-requirements.txt
       - name: Run tests
-        if: ${{ matrix.python-version != '3.11' }}
+        if: ${{ matrix.python-version != '3.12' }}
         run: |
           python tests.py
       - name: Run tests and coverage
-        if: ${{ matrix.python-version == '3.11' }}
+        if: ${{ matrix.python-version == '3.12' }}
         run: |
           coverage run tests.py
       - name: Upload coverage result
-        if: ${{ matrix.python-version == '3.11' }}
+        if: ${{ matrix.python-version == '3.12' }}
         uses: actions/upload-artifact@v4
         with:
           name: coverage-results
           path: .coverage
+          include-hidden-files: true
 
   coverage:
     needs: test
@@ -46,7 +47,7 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@v5
         with:
-          python-version: '3.11'
+          python-version: '3.12'
       - name: Install dependencies
         run: |
           pip install codecov

.gitignore

@@ -58,3 +58,8 @@ target/
 
 # PyCharm
 .idea/
+
+#KDE
+*.kdev4
+
+installer.cfg

README.rst

@@ -9,8 +9,8 @@ An installer which deploy a complete mail server based on Modoboa.
 
    This tool is still in beta stage, it has been tested on:
 
-   * Debian 10 and upper
+   * Debian 12 and upper
-   * Ubuntu Bionic Beaver (18.04) and upper
+   * Ubuntu Focal Fossa (20.04) and upper
 
 .. warning::
 
@@ -43,7 +43,7 @@ The following components are installed by the installer:
 * Nginx and uWSGI
 * Postfix
 * Dovecot
-* Amavis (with SpamAssassin and ClamAV)
+* Amavis (with SpamAssassin and ClamAV) or Rspamd
 * automx (autoconfiguration service)
 * OpenDKIM
 * Radicale (CalDAV and CardDAV server)
@@ -229,6 +229,22 @@ If you want to use already generated certs, simply edit the
     tls_cert_file_path = *path to tls fullchain file*
     tls_key_file_path = *path to tls key file*
 
+Antispam
+========
+
+You have 3 options regarding antispam : disabled, Amavis, Rspamd
+
+Amavis
+------
+
+Amavis
+
+Rspamd
+------
+
+Rspamd
+
+
 .. |workflow| image:: https://github.com/modoboa/modoboa-installer/workflows/Modoboa%20installer/badge.svg
-.. |codecov| image:: http://codecov.io/github/modoboa/modoboa-installer/coverage.svg?branch=master
+.. |codecov| image:: https://codecov.io/gh/modoboa/modoboa-installer/graph/badge.svg?token=Fo2o1GdHZq
-   :target: http://codecov.io/github/modoboa/modoboa-installer?branch=master
+   :target: https://codecov.io/gh/modoboa/modoboa-installer

modoboa_installer/checks.py

@@ -26,7 +26,7 @@ def check_version():
             "Check README file for instructions about how to update.\n"
             "No support will be provided without an up-to-date installer!"
         )
-        answer = utils.user_input("Continue anyway? (Y/n) ")
+        answer = utils.user_input("Continue anyway? (y/N) ")
         if not answer.lower().startswith("y"):
             sys.exit(0)
     else:

modoboa_installer/compatibility_matrix.py

@@ -30,5 +30,17 @@ EXTENSIONS_AVAILABILITY = {
 REMOVED_EXTENSIONS = {
     "modoboa-pdfcredentials": "2.1.0",
     "modoboa-dmarc": "2.1.0",
-    "modoboa-imap-migration": "2.1.0"
+    "modoboa-imap-migration": "2.1.0",
+    "modoboa-sievefilters": "2.3.0",
+    "modoboa-postfix-autoreply": "2.3.0",
+    "modoboa-contacts": "2.4.0",
+    "modoboa-radicale": "2.4.0",
+    "modoboa-webmail": "2.4.0",
+}
+
+APP_INCOMPATIBILITY = {
+    "opendkim": ["rspamd"],
+    "amavis": ["rspamd"],
+    "postwhite": ["rspamd"],
+    "spamassassin": ["rspamd"]
 }

modoboa_installer/config_dict_template.py

@@ -27,6 +27,26 @@ ConfigDictTemplate = [
             }
         ]
     },
+    {
+        "name": "antispam",
+        "values": [
+            {
+                "option": "enabled",
+                "default": "true",
+                "customizable": True,
+                "values": ["true", "false"],
+                "question": "Do you want to setup an antispam utility?"
+            },
+            {
+                "option": "type",
+                "default": "amavis",
+                "customizable": True,
+                "question": "Please select your antispam utility",
+                "values": ["rspamd", "amavis"],
+                "if": ["antispam.enabled=true"]
+            }
+        ]
+    },
     {
         "name": "certificate",
         "values": [
@@ -50,7 +70,7 @@ ConfigDictTemplate = [
     },
     {
         "name": "letsencrypt",
-        "if": "certificate.type=letsencrypt",
+        "if": ["certificate.type=letsencrypt"],
         "values": [
             {
                 "option": "email",
@@ -85,7 +105,7 @@ ConfigDictTemplate = [
     },
     {
         "name": "postgres",
-        "if": "database.engine=postgres",
+        "if": ["database.engine=postgres"],
         "values": [
             {
                 "option": "user",
@@ -101,7 +121,7 @@ ConfigDictTemplate = [
     },
     {
         "name": "mysql",
-        "if": "database.engine=mysql",
+        "if": ["database.engine=mysql"],
         "values": [
             {
                 "option": "user",
@@ -185,14 +205,16 @@ ConfigDictTemplate = [
                 "customizable": True,
                 "question": "Please enter Modoboa db password",
             },
+            {
+                "option": "cron_error_recipient",
+                "default": "root",
+                "customizable": True,
+                "question":
+                    "Please enter a mail recipient for cron error reports"
+            },
             {
                 "option": "extensions",
-                "default": (
+                "default": ""
-                    "modoboa-amavis "
-                    "modoboa-postfix-autoreply modoboa-sievefilters "
-                    "modoboa-webmail modoboa-contacts "
-                    "modoboa-radicale"
-                ),
             },
             {
                 "option": "devmode",
@@ -229,12 +251,60 @@ ConfigDictTemplate = [
             },
         ]
     },
+    {
+        "name": "rspamd",
+        "if": ["antispam.enabled=true", "antispam.type=rspamd"],
+        "values": [
+            {
+                "option": "enabled",
+                "default": ["antispam.enabled=true", "antispam.type=rspamd"],
+            },
+            {
+                "option": "user",
+                "default": "_rspamd",
+            },
+            {
+                "option": "password",
+                "default": make_password,
+                "customizable": True,
+                "question": "Please enter Rspamd interface password",
+            },
+            {
+                "option": "dnsbl",
+                "default": "true",
+            },
+            {
+                "option": "dkim_keys_storage_dir",
+                "default": "/var/lib/dkim"
+            },
+            {
+                "option": "key_map_path",
+                "default": "/var/lib/dkim/keys.path.map"
+            },
+            {
+                "option": "selector_map_path",
+                "default": "/var/lib/dkim/selectors.path.map"
+            },
+            {
+                "option": "greylisting",
+                "default": "true"
+            },
+            {
+                "option": "whitelist_auth",
+                "default": "true"
+            },
+            {
+                "option": "whitelist_auth_weigth",
+                "default": "-5"
+            }
+        ],
+    },
     {
         "name": "amavis",
         "values": [
             {
                 "option": "enabled",
-                "default": "true",
+                "default": ["antispam.enabled=true", "antispam.type=amavis"],
             },
             {
                 "option": "user",
@@ -255,8 +325,6 @@ ConfigDictTemplate = [
             {
                 "option": "dbpassword",
                 "default": make_password,
-                "customizable": True,
-                "question": "Please enter amavis db password"
             },
         ],
     },
@@ -306,7 +374,11 @@ ConfigDictTemplate = [
             },
             {
                 "option": "radicale_auth_socket_path",
-                "default": "/var/run/dovecot/auth-radicale"
+                "default": "/var/run/dovecot/auth-radicale",
+            },
+            {
+                "option": "move_spam_to_junk",
+                "default": "true",
             },
         ]
     },
@@ -328,7 +400,7 @@ ConfigDictTemplate = [
         "values": [
             {
                 "option": "enabled",
-                "default": "true",
+                "default": "false",
             },
             {
                 "option": "config_dir",
@@ -362,7 +434,7 @@ ConfigDictTemplate = [
         "values": [
             {
                 "option": "enabled",
-                "default": "true",
+                "default": ["antispam.enabled=true", "antispam.type=amavis"],
             },
             {
                 "option": "config_dir",
@@ -372,10 +444,11 @@ ConfigDictTemplate = [
     },
     {
         "name": "spamassassin",
+        "if": ["antispam.enabled=true", "antispam.type=amavis"],
         "values": [
             {
                 "option": "enabled",
-                "default": "true",
+                "default": ["antispam.enabled=true", "antispam.type=amavis"],
             },
             {
                 "option": "config_dir",
@@ -410,7 +483,7 @@ ConfigDictTemplate = [
             },
             {
                 "option": "nb_processes",
-                "default": "2",
+                "default": "4",
             },
         ]
     },
@@ -441,10 +514,11 @@ ConfigDictTemplate = [
     },
     {
         "name": "opendkim",
+        "if": ["antispam.enabled=true", "antispam.type=amavis"],
         "values": [
             {
                 "option": "enabled",
-                "default": "true",
+                "default": ["antispam.enabled=true", "antispam.type=amavis"],
             },
             {
                 "option": "user",

modoboa_installer/database.py

@@ -103,7 +103,7 @@ class PostgreSQL(Database):
     def create_database(self, name, owner):
         """Create a database."""
         code, output = utils.exec_cmd(
-            "psql -lqt | cut -d \| -f 1 | grep -w {} | wc -l"
+            "psql -lqt | cut -d \\| -f 1 | grep -w {} | wc -l"
             .format(name), sudo_user=self.dbuser)
         if code:
             return
@@ -184,7 +184,7 @@ class MySQL(Database):
                 self.packages["deb"].append("libmariadbclient-dev")
         elif name == "ubuntu":
             if version.startswith("2"):
-                # Works for Ubuntu 22 and 20
+                # Works for Ubuntu 20, 22, and 24.
                 self.packages["deb"].append("libmariadb-dev")
             else:
                 self.packages["deb"].append("libmysqlclient-dev")
@@ -201,7 +201,7 @@ class MySQL(Database):
                 return
         if (
             (name.startswith("debian") and (version.startswith("11") or version.startswith("12"))) or
-            (name.startswith("ubuntu") and version.startswith("22"))
+            (name.startswith("ubuntu") and int(version[:2]) >= 22)
         ):
             queries = [
                 "SET PASSWORD FOR 'root'@'localhost' = PASSWORD('{}')"

modoboa_installer/disclaimers.py

@@ -0,0 +1,51 @@
+from . import utils
+
+
+def installation_disclaimer(args, config):
+    """Display installation disclaimer."""
+    hostname = config.get("general", "hostname")
+    utils.printcolor(
+        "Notice:\n"
+        "It is recommanded to run this installer on a FRESHLY installed server.\n"
+        "(ie. with nothing special already installed on it)\n",
+        utils.CYAN
+        )
+    utils.printcolor(
+        "Warning:\n"
+        "Before you start the installation, please make sure the following "
+        "DNS records exist for domain '{}':\n"
+        "  {} IN A   <IP ADDRESS OF YOUR SERVER>\n"
+        "     @ IN MX  {}.\n".format(
+            args.domain,
+            hostname.replace(".{}".format(args.domain), ""),
+            hostname
+            ),
+        utils.YELLOW
+        )
+    utils.printcolor(
+            "Your mail server will be installed with the following components:",
+            utils.BLUE)
+
+
+def upgrade_disclaimer(config):
+    """Display upgrade disclaimer."""
+    utils.printcolor(
+        "Your mail server is about to be upgraded and the following components"
+        " will be impacted:", utils.BLUE
+        )
+
+
+def backup_disclaimer():
+    """Display backup disclamer. """
+    utils.printcolor(
+        "Your mail server will be backed up locally.\n"
+        " !! You should really transfer the backup somewhere else...\n"
+        " !! Custom configuration (like for postfix) won't be saved.", utils.BLUE)
+
+
+def restore_disclaimer():
+    """Display restore disclamer. """
+    utils.printcolor(
+        "You are about to restore a previous installation of Modoboa.\n"
+        "If a new version has been released in between, please update your database!",
+        utils.BLUE)

modoboa_installer/package.py

@@ -2,10 +2,12 @@
 
 import re
 
+from os.path import isfile as file_exists
+
 from . import utils
 
 
-class Package(object):
+class Package:
     """Base classe."""
 
     def __init__(self, dist_name):
@@ -29,10 +31,17 @@ class DEBPackage(Package):
     FORMAT = "deb"
 
     def __init__(self, dist_name):
-        super(DEBPackage, self).__init__(dist_name)
+        super().__init__(dist_name)
         self.index_updated = False
         self.policy_file = "/usr/sbin/policy-rc.d"
 
+    def enable_backports(self, codename):
+        code, output = utils.exec_cmd(f"grep {codename}-backports /etc/apt/sources.list")
+        if code:
+            with open(f"/etc/apt/sources.list.d/backports.list", "w") as fp:
+                fp.write(f"deb http://deb.debian.org/debian {codename}-backports main\n")
+            self.update(force=True)
+
     def prepare_system(self):
         """Make sure services don't start at installation."""
         with open(self.policy_file, "w") as fp:
@@ -42,9 +51,32 @@ class DEBPackage(Package):
     def restore_system(self):
         utils.exec_cmd("rm -f {}".format(self.policy_file))
 
-    def update(self):
+    def add_custom_repository(self,
+                              name: str,
+                              url: str,
+                              key_url: str,
+                              codename: str,
+                              with_source: bool = True):
+        key_file = f"/etc/apt/keyrings/{name}.gpg"
+        utils.exec_cmd(
+            f"wget -O - {key_url} | gpg --dearmor | tee {key_file} > /dev/null"
+        )
+        line_types = ["deb"]
+        if with_source:
+            line_types.append("deb-src")
+        for line_type in line_types:
+            line = (
+                f"{line_type} [arch=amd64 signed-by={key_file}] "
+                f"{url} {codename} main"
+            )
+            target_file = f"/etc/apt/sources.list.d/{name}.list"
+            tee_option = "-a" if file_exists(target_file) else ""
+            utils.exec_cmd(f'echo "{line}" | tee {tee_option} {target_file}')
+        self.index_updated = False
+
+    def update(self, force=False):
         """Update local cache."""
-        if self.index_updated:
+        if self.index_updated and not force:
             return
         utils.exec_cmd("apt-get -o Dpkg::Progress-Fancy=0 update --quiet")
         self.index_updated = True
@@ -82,7 +114,7 @@ class RPMPackage(Package):
 
     def __init__(self, dist_name):
         """Initialize backend."""
-        super(RPMPackage, self).__init__(dist_name)
+        super().__init__(dist_name)
         if "centos" in dist_name:
             self.install("epel-release")
 

modoboa_installer/python.py

@@ -89,16 +89,6 @@ def install_package_from_repository(name, url, vcs="git", venv=None, **kwargs):
     utils.exec_cmd(cmd, **kwargs)
 
 
-def install_package_from_remote_requirements(url, venv=None, **kwargs):
-    """Install a Python package from a file."""
-    cmd = "{} install {} {}".format(
-        get_pip_path(venv),
-        "-r",
-        url
-    )
-    utils.exec_cmd(cmd, **kwargs)
-
-
 def setup_virtualenv(path, sudo_user=None):
     """Install a virtualenv if needed."""
     if os.path.exists(path):

modoboa_installer/scripts/backup.py

@@ -142,7 +142,7 @@ class Backup:
         """
         Custom config :
         - DKIM keys: {{keys_storage_dir}}
-        - Radicale collection (calendat, contacts): {{home_dir}}
+        - Radicale collection (calendars, contacts): {{home_dir}}
         - Amavis : /etc/amavis/conf.d/99-custom
         - Postwhite : /etc/postwhite.conf
         Feel free to suggest to add others!

modoboa_installer/scripts/clamav.py

@@ -42,6 +42,7 @@ class Clamav(base.Installer):
         """Additional tasks."""
         if package.backend.FORMAT == "deb":
             user = self.config.get(self.appname, "user")
+            if self.config.getboolean("amavis", "enabled"):
                 system.add_user_to_group(
                     user, self.config.get("amavis", "user")
                 )

modoboa_installer/scripts/dovecot.py

@@ -4,6 +4,8 @@ import glob
 import os
 import pwd
 import shutil
+import stat
+import uuid
 
 from .. import database
 from .. import package
@@ -26,8 +28,14 @@ class Dovecot(base.Installer):
             "dovecot", "dovecot-pigeonhole"]
     }
     config_files = [
-        "dovecot.conf", "dovecot-dict-sql.conf.ext", "conf.d/10-ssl.conf",
+        "dovecot.conf",
-        "conf.d/10-master.conf", "conf.d/20-lmtp.conf", "conf.d/10-ssl-keys.try"]
+        "dovecot-dict-sql.conf.ext",
+        "conf.d/10-ssl.conf",
+        "conf.d/10-master.conf",
+        "conf.d/20-lmtp.conf",
+        "conf.d/10-ssl-keys.try",
+        "conf.d/dovecot-oauth2.conf.ext",
+    ]
     with_user = True
 
     def setup_user(self):
@@ -38,7 +46,15 @@ class Dovecot(base.Installer):
 
     def get_config_files(self):
         """Additional config files."""
-        return self.config_files + [
+        _config_files = self.config_files
+
+        if self.app_config["move_spam_to_junk"]:
+            _config_files += [
+                "conf.d/custom_after_sieve/spam-to-junk.sieve",
+                "conf.d/90-sieve.conf",
+            ]
+
+        return _config_files + [
             "dovecot-sql-{}.conf.ext=dovecot-sql.conf.ext"
             .format(self.dbengine),
             "dovecot-sql-master-{}.conf.ext=dovecot-sql-master.conf.ext"
@@ -53,17 +69,26 @@ class Dovecot(base.Installer):
         if package.backend.FORMAT == "deb":
             if "pop3" in self.config.get("dovecot", "extra_protocols"):
                 packages += ["dovecot-pop3d"]
-        return super(Dovecot, self).get_packages() + packages
+        packages += super().get_packages()
+        backports_codename = getattr(self, "backports_codename", None)
+        if backports_codename:
+            packages = [f"{package}/{backports_codename}-backports" for package in packages]
+        return packages
 
     def install_packages(self):
         """Preconfigure Dovecot if needed."""
+        name, version = utils.dist_info()
+        name = name.lower()
+        if name.startswith("debian") and version.startswith("12"):
+            package.backend.enable_backports("bookworm")
+            self.backports_codename = "bookworm"
         package.backend.preconfigure(
             "dovecot-core", "create-ssl-cert", "boolean", "false")
-        super(Dovecot, self).install_packages()
+        super().install_packages()
 
     def get_template_context(self):
         """Additional variables."""
-        context = super(Dovecot, self).get_template_context()
+        context = super().get_template_context()
         pw_mailbox = pwd.getpwnam(self.mailboxes_owner)
         dovecot_package = {"deb": "dovecot-core", "rpm": "dovecot"}
         ssl_protocol_parameter = "ssl_protocols"
@@ -84,6 +109,14 @@ class Dovecot(base.Installer):
             # Protocols are automatically guessed on debian/ubuntu
             protocols = ""
 
+        oauth2_client_id, oauth2_client_secret = utils.create_oauth2_app(
+            "Dovecot", "dovecot", self.config)
+        hostname = self.config.get("general", "hostname")
+        oauth2_introspection_url = (
+            f"https://{oauth2_client_id}:{oauth2_client_secret}"
+            f"@{hostname}/api/o/introspect/"
+        )
+
         context.update({
             "db_driver": self.db_driver,
             "mailboxes_owner_uid": pw_mailbox[2],
@@ -96,14 +129,24 @@ class Dovecot(base.Installer):
             "protocols": protocols,
             "ssl_protocols": ssl_protocols,
             "ssl_protocol_parameter": ssl_protocol_parameter,
-            "radicale_user": self.config.get("radicale", "user"),
-            "radicale_auth_socket_path": os.path.basename(
-                self.config.get("dovecot", "radicale_auth_socket_path")),
             "modoboa_2_2_or_greater": "" if self.modoboa_2_2_or_greater else "#",
-            "not_modoboa_2_2_or_greater": "" if not self.modoboa_2_2_or_greater else "#"
+            "not_modoboa_2_2_or_greater": "" if not self.modoboa_2_2_or_greater else "#",
+            "do_move_spam_to_junk": "" if self.app_config["move_spam_to_junk"] else "#",
+            "oauth2_introspection_url": oauth2_introspection_url
         })
         return context
 
+    def install_config_files(self):
+        """Create sieve dir if needed."""
+        if self.app_config["move_spam_to_junk"]:
+            utils.mkdir_safe(
+                f"{self.config_dir}/conf.d/custom_after_sieve",
+                stat.S_IRWXU | stat.S_IRGRP | stat.S_IXGRP |
+                stat.S_IROTH | stat.S_IXOTH,
+                0, 0
+                )
+        super().install_config_files()
+
     def post_run(self):
         """Additional tasks."""
         if self.dbengine == "postgres":
@@ -120,6 +163,7 @@ class Dovecot(base.Installer):
                 self.get_file_path("fix_modoboa_postgres_schema.sql")
             )
         for f in glob.glob("{}/*".format(self.get_file_path("conf.d"))):
+            if os.path.isfile(f):
                 utils.copy_file(f, "{}/conf.d".format(self.config_dir))
         # Make postlogin script executable
         utils.exec_cmd("chmod +x /usr/local/bin/postlogin.sh")
@@ -128,6 +172,10 @@ class Dovecot(base.Installer):
         utils.exec_cmd("chmod 600 /etc/dovecot/conf.d/10-ssl-keys.try")
         # Add mailboxes user to dovecot group for modoboa mailbox commands.
         # See https://github.com/modoboa/modoboa/issues/2157.
+        if self.app_config["move_spam_to_junk"]:
+            # Compile sieve script
+            sieve_file = f"{self.config_dir}/conf.d/custom_after_sieve/spam-to-junk.sieve"
+            utils.exec_cmd(f"/usr/bin/sievec {sieve_file}")
         system.add_user_to_group(self.mailboxes_owner, 'dovecot')
 
     def restart_daemon(self):

modoboa_installer/scripts/files/dovecot/conf.d/10-auth.conf

@@ -96,7 +96,7 @@ auth_master_user_separator = *
 #   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
 #   gss-spnego
 # NOTE: See also disable_plaintext_auth setting.
-auth_mechanisms = plain login
+auth_mechanisms = plain login oauthbearer xoauth2
 
 ##
 ## Password and user databases
@@ -120,6 +120,7 @@ auth_mechanisms = plain login
 
 #!include auth-system.conf.ext
 !include auth-sql.conf.ext
+!include auth-oauth2.conf.ext
 #!include auth-ldap.conf.ext
 #!include auth-passwdfile.conf.ext
 #!include auth-checkpassword.conf.ext

modoboa_installer/scripts/files/dovecot/conf.d/10-master.conf.tpl

@@ -131,13 +131,6 @@ service auth {
     group = postfix
   }
 
-  # Radicale auth
-  %{radicale_enabled}unix_listener %{radicale_auth_socket_path} {
-  %{radicale_enabled}  mode = 0666
-  %{radicale_enabled}  user = %{radicale_user}
-  %{radicale_enabled}  group = %{radicale_user}
-  %{radicale_enabled}}
-
   # Auth process is run as this user.
   #user = $default_internal_user
 }

modoboa_installer/scripts/files/dovecot/conf.d/90-sieve.conf.tpl

@@ -38,7 +38,7 @@ plugin {
   # Identical to sieve_before, only the specified scripts are executed after the
   # user's script (only when keep is still in effect!). Multiple script file or
   # directory paths can be specified by appending an increasing number.
-  #sieve_after =
+  %{do_move_spam_to_junk}sieve_after = /etc/dovecot/conf.d/custom_after_sieve
   #sieve_after2 = 
   #sieve_after2 = (etc...)
 

modoboa_installer/scripts/files/dovecot/conf.d/auth-oauth2.conf.ext

@@ -0,0 +1,5 @@
+passdb {
+  driver = oauth2
+  mechanisms = xoauth2 oauthbearer
+  args = /etc/dovecot/conf.d/dovecot-oauth2.conf.ext
+}

modoboa_installer/scripts/files/dovecot/conf.d/custom_after_sieve/spam-to-junk.sieve.tpl

@@ -0,0 +1,4 @@
+require "fileinto";
+if header :contains "X-Spam-Status" "Yes" {
+    fileinto "Junk";
+}

modoboa_installer/scripts/files/dovecot/conf.d/dovecot-oauth2.conf.ext.tpl

@@ -0,0 +1,6 @@
+introspection_mode = post
+introspection_url = %{oauth2_introspection_url}
+username_attribute = username
+tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
+active_attribute = active
+active_value = true

modoboa_installer/scripts/files/modoboa/crontab.tpl

@@ -3,6 +3,7 @@
 #
 PYTHON=%{venv_path}/bin/python
 INSTANCE=%{instance_path}
+MAILTO=%{cron_error_recipient}
 
 # Operations on mailboxes
 %{dovecot_enabled}*       *       *       *       *       %{dovecot_mailboxes_owner}   $PYTHON $INSTANCE/manage.py handle_mailbox_operations

modoboa_installer/scripts/files/modoboa/supervisor-rq-dkim.tpl

@@ -3,7 +3,7 @@ autostart=true
 autorestart=true
 command=%{venv_path}/bin/python %{home_dir}/instance/manage.py rqworker dkim
 directory=%{home_dir}
-user=%{opendkim_user}
+user=%{dkim_user}
 redirect_stderr=true
 numprocs=1
 stopsignal=TERM

modoboa_installer/scripts/files/nginx/modoboa.conf.tpl

@@ -37,7 +37,20 @@ server {
         try_files $uri $uri/ =404;
     }
 
-    location ^~ /new-admin {
+%{rspamd_enabled}    location /rspamd/ {
+%{rspamd_enabled}        proxy_pass       http://localhost:11334/;
+%{rspamd_enabled}
+%{rspamd_enabled}        proxy_set_header Host      $host;
+%{rspamd_enabled}        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+%{rspamd_enabled}    }
+
+    location ~ ^/(api|accounts) {
+        include uwsgi_params;
+        uwsgi_param UWSGI_SCRIPT instance.wsgi:application;
+        uwsgi_pass modoboa;
+    }
+
+    location / {
         alias  %{app_instance_path}/frontend/;
         index  index.html;
 
@@ -48,10 +61,5 @@ server {
         try_files $uri $uri/ /index.html = 404;
     }
 
-    location / {
-        include uwsgi_params;
-        uwsgi_param UWSGI_SCRIPT instance.wsgi:application;
-        uwsgi_pass modoboa;
-    }
     %{extra_config}
 }

modoboa_installer/scripts/files/postfix/anonymize_headers.pcre.tpl

@@ -0,0 +1,11 @@
+if /^\s*Received:.*Authenticated sender.*\(Postfix\)/
+/^Received: from .*? \([\w\-.]* \[.*?\]\)(.*|\n.*)\(Authenticated sender: (.+)\)\s+by.+\(Postfix\) with (.*)/
+  REPLACE Received: from [127.0.0.1] (localhost [127.0.0.1]) by localhost (Mailerdaemon) with $3
+endif
+if /^\s*Received: from .*rspamd.localhost .*\(Postfix\)/
+/^Received: from.* (.*|\n.*)\((.+) (.+)\)\s+by (.+) \(Postfix\) with (.*)/
+  REPLACE Received: from rspamd (rspamd $3) by $4 (Postfix) with $5
+endif
+/^\s*X-Enigmail/        IGNORE
+/^\s*X-Originating-IP/  IGNORE
+/^\s*X-Forward/         IGNORE

modoboa_installer/scripts/files/postfix/main.cf.tpl

@@ -48,11 +48,13 @@ smtpd_tls_security_level = may
 smtpd_tls_received_header = yes
 
 # Disallow SSLv2 and SSLv3, only accept secure ciphers
-smtpd_tls_protocols = !SSLv2, !SSLv3
+smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
-smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
+smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
 smtpd_tls_mandatory_ciphers = high
-smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5 , DES, ADH, RC4, PSD, SRP, 3DES, eNULL
+smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA, CAMELLIA, SEED-SHA, AES256-SHA, AES256-SHA256, AES256-GCM-SHA384, AES128-SHA, AES128-SHA256, AES128-GCM-SHA256, DHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES128-SHA, DHE-RSA-AES128-SHA256, DHE-RSA-AES256-GCM-SHA384, DHE-RSA-AES256-SHA, DHE-RSA-AES256-SHA256, DHE-RSA-CHACHA20-POLY1305, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA
-smtpd_tls_exclude_ciphers = aNULL, MD5 , DES, ADH, RC4, PSD, SRP, 3DES, eNULL
+smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA, CAMELLIA, SEED-SHA, AES256-SHA, AES256-SHA256, AES256-GCM-SHA384, AES128-SHA, AES128-SHA256, AES128-GCM-SHA256, DHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES128-SHA, DHE-RSA-AES128-SHA256, DHE-RSA-AES256-GCM-SHA384, DHE-RSA-AES256-SHA, DHE-RSA-AES256-SHA256, DHE-RSA-CHACHA20-POLY1305, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA
+tls_preempt_cipherlist = yes
+tls_ssl_options = NO_COMPRESSION
 
 # Enable elliptic curve cryptography
 smtpd_tls_eecdh_grade = strong
@@ -120,10 +122,19 @@ strict_rfc821_envelopes = yes
 %{opendkim_enabled}milter_default_action = accept
 %{opendkim_enabled}milter_content_timeout = 30s
 
+# Rspamd setup
+%{rspamd_enabled}smtpd_milters = inet:localhost:11332
+%{rspamd_enabled}non_smtpd_milters = inet:localhost:11332
+%{rspamd_enabled}milter_default_action = accept
+%{rspamd_enabled}milter_protocol = 6
+
 # List of authorized senders
 smtpd_sender_login_maps =
         proxy:%{db_driver}:/etc/postfix/sql-sender-login-map.cf
 
+# Add authenticated header to hide public client IP
+smtpd_sasl_authenticated_header = yes
+
 # Recipient restriction rules
 smtpd_recipient_restrictions =
       check_policy_service inet:127.0.0.1:9999
@@ -140,27 +151,27 @@ smtpd_recipient_restrictions =
 
 ## Postcreen settings
 #
-postscreen_access_list =
+%{rspamd_disabled}postscreen_access_list =
-       permit_mynetworks
+%{rspamd_disabled}       permit_mynetworks
-       cidr:/etc/postfix/postscreen_spf_whitelist.cidr
+%{rspamd_disabled}      cidr:/etc/postfix/postscreen_spf_whitelist.cidr
-postscreen_blacklist_action = enforce 
+%{rspamd_disabled}postscreen_blacklist_action = enforce
 
 # Use some DNSBL
-postscreen_dnsbl_sites = 
+%{rspamd_disabled}postscreen_dnsbl_sites =
-	zen.spamhaus.org=127.0.0.[2..11]*3
+%{rspamd_disabled}	zen.spamhaus.org=127.0.0.[2..11]*3
-	bl.spameatingmonkey.net=127.0.0.2*2
+%{rspamd_disabled}	bl.spameatingmonkey.net=127.0.0.2*2
-	bl.spamcop.net=127.0.0.2
+%{rspamd_disabled}	bl.spamcop.net=127.0.0.2
-postscreen_dnsbl_threshold = 3 
+%{rspamd_disabled}postscreen_dnsbl_threshold = 3
-postscreen_dnsbl_action = enforce 
+%{rspamd_disabled}postscreen_dnsbl_action = enforce
 
-postscreen_greet_banner = Welcome, please wait... 
+%{rspamd_disabled}postscreen_greet_banner = Welcome, please wait...
-postscreen_greet_action = enforce
+%{rspamd_disabled}postscreen_greet_action = enforce
 
-postscreen_pipelining_enable = yes
+%{rspamd_disabled}postscreen_pipelining_enable = yes
-postscreen_pipelining_action = enforce
+%{rspamd_disabled}postscreen_pipelining_action = enforce
 
-postscreen_non_smtp_command_enable = yes
+%{rspamd_disabled}postscreen_non_smtp_command_enable = yes
-postscreen_non_smtp_command_action = enforce
+%{rspamd_disabled}postscreen_non_smtp_command_action = enforce
 
-postscreen_bare_newline_enable = yes
+%{rspamd_disabled}postscreen_bare_newline_enable = yes
-postscreen_bare_newline_action = enforce
+%{rspamd_disabled}postscreen_bare_newline_action = enforce

modoboa_installer/scripts/files/postfix/master.cf.tpl

@@ -9,7 +9,8 @@
 # service type  private unpriv  chroot  wakeup  maxproc command + args
 #               (yes)   (yes)   (yes)   (never) (100)
 # ==========================================================================
-smtp      inet  n       -       -       -       1       postscreen
+%{rspamd_disabled}smtp      inet  n       -       -       -       1       postscreen
+%{rspamd_enabled}smtp      inet  n       -       -       -       -       smtpd
 smtpd     pass  -       -       -       -       -       smtpd
 %{amavis_enabled}  -o smtpd_proxy_filter=inet:[127.0.0.1]:10024 
 %{amavis_enabled}  -o smtpd_proxy_options=speed_adjust
@@ -26,6 +27,7 @@ submission inet n       -       -       -       -       smtpd
   -o smtpd_helo_restrictions=
   -o smtpd_sender_restrictions=reject_sender_login_mismatch
   -o milter_macro_daemon_name=ORIGINATING
+  -o cleanup_service_name=ascleanup
 %{amavis_enabled}  -o smtpd_proxy_filter=inet:[127.0.0.1]:10026
 #smtps     inet  n       -       -       -       -       smtpd
 #  -o syslog_name=postfix/smtps
@@ -41,6 +43,8 @@ submission inet n       -       -       -       -       smtpd
 #628       inet  n       -       -       -       -       qmqpd
 pickup    unix  n       -       -       60      1       pickup
 cleanup   unix  n       -       -       -       0       cleanup
+ascleanup unix  n       -       -       -       0       cleanup
+  -o header_checks=pcre:/etc/postfix/anonymize_headers.pcre
 qmgr      unix  n       -       n       300     1       qmgr
 #qmgr     unix  n       -       n       300     1       oqmgr
 tlsmgr    unix  -       -       -       1000?   1       tlsmgr
@@ -124,11 +128,6 @@ mailman   unix  -       n       n       -       -       pipe
   flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
   ${nexthop} ${user}
 
-# Modoboa autoreply service
-#
-autoreply unix        -       n       n       -       -       pipe
-  flags= user=%{dovecot_mailboxes_owner}:%{dovecot_mailboxes_owner} argv=%{modoboa_venv_path}/bin/python %{modoboa_instance_path}/manage.py autoreply $sender $mailbox
-
 # Amavis return path
 #
 %{amavis_enabled}127.0.0.1:10025 inet n    -       n       -       -     smtpd 

modoboa_installer/scripts/files/radicale/config.tpl

@@ -71,7 +71,7 @@
 
 # Authentication method
 # Value: none | htpasswd | remote_user | http_x_remote_user
-type = radicale_dovecot_auth 
+type = radicale_modoboa_auth_oauth2
 
 # Htpasswd filename
 # htpasswd_filename = users
@@ -85,7 +85,7 @@ type = radicale_dovecot_auth
 # Incorrect authentication delay (seconds)
 #delay = 1
 
-auth_socket = %{auth_socket_path}
+oauth2_introspection_endpoint = %{oauth2_introspection_url}
 
 
 [rights]

modoboa_installer/scripts/files/rspamd/local.d/antivirus.conf.tpl

@@ -0,0 +1,14 @@
+clamav {
+  scan_mime_parts = true;
+  scan_text_mime = true;
+  scan_image_mime = true;
+  retransmits = 2;
+  timeout = 30;
+  symbol = "CLAM_VIRUS";
+  type = "clamav";
+  servers = "127.0.0.1:3310"
+  patterns {
+    # symbol_name = "pattern";
+    JUST_EICAR = "Test.EICAR";
+  }
+}

modoboa_installer/scripts/files/rspamd/local.d/arc.conf.tpl

@@ -0,0 +1,3 @@
+try_fallback = false;
+selector_map = "%selector_map_path";
+path_map = "%key_map_path";

modoboa_installer/scripts/files/rspamd/local.d/dkim_signing.conf.tpl

@@ -0,0 +1,3 @@
+try_fallback = false;
+selector_map = "%selector_map_path";
+path_map = "%key_map_path";

modoboa_installer/scripts/files/rspamd/local.d/dmarc.conf.tpl

@@ -0,0 +1,21 @@
+reporting {
+  # Required attributes
+  enabled = true; # Enable reports in general
+  email = 'postmaster@%hostname'; # Source of DMARC reports
+  domain = '%hostname'; # Domain to serve
+  org_name = '%hostname'; # Organisation
+  # Optional parameters
+  #bcc_addrs = ["postmaster@example.com"]; # additional addresses to copy on reports
+  report_local_controller = false; # Store reports for local/controller scans (for testing only)
+  #helo = 'rspamd.localhost'; # Helo used in SMTP dialog
+  #smtp = '127.0.0.1'; # SMTP server IP
+  #smtp_port = 25; # SMTP server port
+  from_name = '%hostname DMARC REPORT'; # SMTP FROM
+  msgid_from = 'rspamd'; # Msgid format
+  #max_entries = 1k; # Maxiumum amount of entries per domain
+  #keys_expire = 2d; # Expire date for Redis keys
+  #only_domains = '/path/to/map'; # Only store reports from domains or eSLDs listed in this map
+  # Available from 3.3
+  #exclude_domains = '/path/to/map'; # Exclude reports from domains or eSLDs listed in this map
+  #exclude_domains = ["example.com", "another.com"]; # Alternative, use array to exclude reports from domains or eSLDs
+}

modoboa_installer/scripts/files/rspamd/local.d/force_actions.conf.tpl

@@ -0,0 +1,5 @@
+rules {
+  DMARC_POLICY_QUARANTINE {
+    action = "add header";
+  }
+}

modoboa_installer/scripts/files/rspamd/local.d/greylist.conf.tpl

@@ -0,0 +1,2 @@
+%{greylisting_disabled}enabled = false;
+servers = "127.0.0.1:6379";

modoboa_installer/scripts/files/rspamd/local.d/groups.conf.tpl

@@ -0,0 +1,5 @@
+symbols {
+  "WHITELIST_AUTHENTICATED" {
+    weight = %whitelist_auth_weigth;
+  }
+}

modoboa_installer/scripts/files/rspamd/local.d/metrics.conf.tpl

@@ -0,0 +1,20 @@
+actions {
+    reject = 15; # normal value is 15, 150 so it will never be rejected
+    add_header = 6; # set to 0.1 for testing, 6 for normal operation.
+    rewrite_subject = 8; # Default: 8
+    greylist = 4; # Default: 4
+}
+
+group "antivirus" {
+  symbol "JUST_EICAR" {
+    weight = 10;
+    description = "Eicar test signature";
+  }
+  symbol "CLAM_VIRUS_FAIL" {
+    weight = 0;
+  }
+  symbol "CLAM_VIRUS" {
+    weight = 10;
+    description = "ClamAV found a Virus";
+  }
+}

modoboa_installer/scripts/files/rspamd/local.d/milter_headers.conf.tpl

@@ -0,0 +1,16 @@
+use = ["x-spam-status","x-virus","authentication-results" ];
+extended_spam_headers = false;
+skip_local = false;
+skip_authenticated = false;
+
+routines {
+  x-virus {
+    header = "X-Virus";
+    remove = 1;
+    symbols = ["CLAM_VIRUS", "JUST_EICAR"];
+  }
+}
+
+
+
+

modoboa_installer/scripts/files/rspamd/local.d/mx_check.conf.tpl

@@ -0,0 +1 @@
+enabled = true;

modoboa_installer/scripts/files/rspamd/local.d/rbl.conf.tpl

@@ -0,0 +1,6 @@
+# to disable all predefined rules if the user doesn't want dnsbl
+
+url_whitelist = [];
+
+rbls {
+}

modoboa_installer/scripts/files/rspamd/local.d/redis.conf.tpl

@@ -0,0 +1,2 @@
+write_servers = "localhost";
+read_servers = "localhost";

modoboa_installer/scripts/files/rspamd/local.d/settings.conf.tpl

@@ -0,0 +1,8 @@
+authenticated {
+  priority = high;
+  authenticated = yes;
+  apply {
+    groups_disabled = ["rbl", "spf"];
+  }
+%{whitelist_auth_enabled}  symbols ["WHITELIST_AUTHENTICATED"];
+}

modoboa_installer/scripts/files/rspamd/local.d/spf.conf.tpl

@@ -0,0 +1,6 @@
+spf_cache_size = 1k;
+spf_cache_expire = 1d;
+max_dns_nesting = 10;
+max_dns_requests = 30;
+min_cache_ttl = 5m;
+disable_ipv6 = false;

modoboa_installer/scripts/files/rspamd/local.d/worker-controller.inc.tpl

@@ -0,0 +1 @@
+enable_password = %controller_password

modoboa_installer/scripts/files/rspamd/local.d/worker-normal.inc.tpl

@@ -0,0 +1 @@
+enabled = false;

modoboa_installer/scripts/files/rspamd/local.d/worker-proxy.inc.tpl

@@ -0,0 +1,3 @@
+upstream "local" {
+  self_scan = yes;
+}

modoboa_installer/scripts/files/uwsgi/modoboa.ini.tpl

@@ -13,3 +13,5 @@ socket = %uwsgi_socket_path
 chmod-socket = 660
 vacuum = true
 single-interpreter = True
+max-requests = 5000
+buffer-size = 8192

modoboa_installer/scripts/modoboa.py

@@ -49,16 +49,7 @@ class Modoboa(base.Installer):
         self.instance_path = self.config.get("modoboa", "instance_path")
         self.extensions = self.config.get("modoboa", "extensions").split()
         self.devmode = self.config.getboolean("modoboa", "devmode")
-        # Sanity check for amavis
+        self.amavis_enabled = self.config.getboolean("amavis", "enabled")
-        self.amavis_enabled = False
-        if "modoboa-amavis" in self.extensions:
-            if self.config.getboolean("amavis", "enabled"):
-                self.amavis_enabled = True
-            else:
-                self.extensions.remove("modoboa-amavis")
-        if "modoboa-radicale" in self.extensions:
-            if not self.config.getboolean("radicale", "enabled"):
-                self.extensions.remove("modoboa-radicale")
         self.dovecot_enabled = self.config.getboolean("dovecot", "enabled")
         self.opendkim_enabled = self.config.getboolean("opendkim", "enabled")
         self.dkim_cron_enabled = False
@@ -81,8 +72,13 @@ class Modoboa(base.Installer):
         python.setup_virtualenv(self.venv_path, sudo_user=self.user)
         packages = ["rrdtool"]
         version = self.config.get("modoboa", "version")
+        extras = "postgresql"
+        if self.dbengine != "postgres":
+            extras = "mysql"
+        if self.devmode:
+            extras += ",dev"
         if version == "latest":
-            packages += ["modoboa"] + self.extensions
+            packages += [f"modoboa[{extras}]"] + self.extensions
             for extension in list(self.extensions):
                 if extension in compatibility_matrix.REMOVED_EXTENSIONS.keys():
                     self.extensions.remove(extension)
@@ -92,7 +88,7 @@ class Modoboa(base.Installer):
             ]
         else:
             matrix = compatibility_matrix.COMPATIBILITY_MATRIX[version]
-            packages.append("modoboa=={}".format(version))
+            packages.append(f"modoboa[{extras}]=={version}")
             for extension in list(self.extensions):
                 if not self.is_extension_ok_for_version(extension, version):
                     self.extensions.remove(extension)
@@ -101,8 +97,8 @@ class Modoboa(base.Installer):
                     req_version = matrix[extension]
                     if req_version is None:
                         continue
-                    req_version = req_version.replace("<", "\<")
+                    req_version = req_version.replace("<", "\\<")
-                    req_version = req_version.replace(">", "\>")
+                    req_version = req_version.replace(">", "\\>")
                     packages.append("{}{}".format(extension, req_version))
                 else:
                     packages.append(extension)
@@ -116,25 +112,6 @@ class Modoboa(base.Installer):
             beta=self.config.getboolean("modoboa", "install_beta")
         )
 
-        # Install version specific modules to the venv
-        modoboa_version = ".".join(str(i) for i in python.get_package_version(
-            "modoboa", self.venv_path, sudo_user=self.user
-        ))
-        # Database:
-        db_file = "postgresql"
-        if self.dbengine != "postgres":
-            db_file = "mysql"
-        db_file += "-requirements.txt"
-
-        python.install_package_from_remote_requirements(
-            f"https://raw.githubusercontent.com/modoboa/modoboa/{modoboa_version}/{db_file}",
-            venv=self.venv_path)
-        # Dev mode:
-        if self.devmode:
-            python.install_package_from_remote_requirements(
-                f"https://raw.githubusercontent.com/modoboa/modoboa/{modoboa_version}/dev-requirements.txt",
-                venv=self.venv_path)
-
     def _deploy_instance(self):
         """Deploy Modoboa."""
         target = os.path.join(self.home_dir, "instance")
@@ -257,9 +234,8 @@ class Modoboa(base.Installer):
             ),
             "dovecot_mailboxes_owner": (
                 self.config.get("dovecot", "mailboxes_owner")),
-            "radicale_enabled": (
-                "" if "modoboa-radicale" in extensions else "#"),
             "opendkim_user": self.config.get("opendkim", "user"),
+            "dkim_user": "_rspamd" if self.config.getboolean("rspamd", "enabled") else self.config.get("opendkim", "user"),
             "minutes": random.randint(1, 59),
             "hours": f"{random_hour},{random_hour+12}",
             "modoboa_2_2_or_greater": "" if self.modoboa_2_2_or_greater else "#",
@@ -290,7 +266,7 @@ class Modoboa(base.Installer):
             "pdfcredentials": {
                 "storage_dir": pdf_storage_dir
             },
-            "modoboa_radicale": {
+            "calendars": {
                 "server_location": "https://{}/radicale/".format(
                     self.config.get("general", "hostname")),
                 "rights_file_path": "{}/rights".format(
@@ -303,6 +279,15 @@ class Modoboa(base.Installer):
         if self.config.getboolean("opendkim", "enabled"):
             settings["admin"]["dkim_keys_storage_dir"] = (
                 self.config.get("opendkim", "keys_storage_dir"))
+
+        if self.config.getboolean("rspamd", "enabled"):
+            settings["admin"]["dkim_keys_storage_dir"] = (
+                self.config.get("rspamd", "dkim_keys_storage_dir"))
+            settings["modoboa_rspamd"] = {
+                "key_map_path": self.config.get("rspamd", "key_map_path"),
+                "selector_map_path": self.config.get("rspamd", "selector_map_path")
+            }
+
         settings = json.dumps(settings)
         query = (
             "UPDATE core_localconfig SET _parameters='{}'"

modoboa_installer/scripts/postfix.py

@@ -18,10 +18,9 @@ class Postfix(base.Installer):
 
     appname = "postfix"
     packages = {
-        "deb": ["postfix"],
+        "deb": ["postfix", "postfix-pcre"],
-        "rpm": ["postfix"],
     }
-    config_files = ["main.cf", "master.cf"]
+    config_files = ["main.cf", "master.cf", "anonymize_headers.pcre"]
 
     def get_packages(self):
         """Additional packages."""
@@ -29,7 +28,7 @@ class Postfix(base.Installer):
             packages = ["postfix-{}".format(self.db_driver)]
         else:
             packages = []
-        return super(Postfix, self).get_packages() + packages
+        return super().get_packages() + packages
 
     def install_packages(self):
         """Preconfigure postfix package installation."""
@@ -46,7 +45,7 @@ class Postfix(base.Installer):
 
         package.backend.preconfigure(
             "postfix", "main_mailer_type", "select", "No configuration")
-        super(Postfix, self).install_packages()
+        super().install_packages()
 
     def get_template_context(self):
         """Additional variables."""
@@ -60,7 +59,9 @@ class Postfix(base.Installer):
             "modoboa_instance_path": self.config.get(
                 "modoboa", "instance_path"),
             "opendkim_port": self.config.get(
-                "opendkim", "port")
+                "opendkim", "port"),
+            "rspamd_disabled": "" if not self.config.getboolean(
+                "rspamd", "enabled") else "#"
         })
         return context
 
@@ -101,8 +102,18 @@ class Postfix(base.Installer):
             utils.exec_cmd("postalias {}".format(aliases_file))
 
         # Postwhite
+        condition = (
+            not self.config.getboolean("rspamd", "enabled") and
+            self.config.getboolean("postwhite", "enabled")
+            )
+        if condition:
             install("postwhite", self.config, self.upgrade, self.archive_path)
 
     def backup(self, path):
         """Launch postwhite backup."""
+        condition = (
+            not self.config.getboolean("rspamd", "enabled") and
+            self.config.getboolean("postwhite", "enabled")
+            )
+        if condition:
             backup("postwhite", self.config, path)

modoboa_installer/scripts/radicale.py

@@ -33,7 +33,7 @@ class Radicale(base.Installer):
         """Prepare a dedicated virtualenv."""
         python.setup_virtualenv(self.venv_path, sudo_user=self.user)
         packages = [
-            "Radicale", "radicale-dovecot-auth", "pytz"
+            "Radicale", "pytz", "radicale-modoboa-auth-oauth2"
         ]
         python.install_packages(packages, self.venv_path, sudo_user=self.user)
         python.install_package_from_repository(
@@ -43,17 +43,22 @@ class Radicale(base.Installer):
 
     def get_template_context(self):
         """Additional variables."""
-        context = super(Radicale, self).get_template_context()
+        context = super().get_template_context()
-        radicale_auth_socket_path = self.config.get(
+        oauth2_client_id, oauth2_client_secret = utils.create_oauth2_app(
-            "dovecot", "radicale_auth_socket_path")
+            "Radicale", "radicale", self.config)
+        hostname = self.config.get("general", "hostname")
+        oauth2_introspection_url = (
+            f"https://{oauth2_client_id}:{oauth2_client_secret}"
+            f"@{hostname}/api/o/introspect/"
+        )
         context.update({
-            "auth_socket_path": radicale_auth_socket_path
+            "oauth2_introspection_url": oauth2_introspection_url,
         })
         return context
 
     def get_config_files(self):
         """Return appropriate path."""
-        config_files = super(Radicale, self).get_config_files()
+        config_files = super().get_config_files()
         if package.backend.FORMAT == "deb":
             path = "supervisor=/etc/supervisor/conf.d/radicale.conf"
         else:

modoboa_installer/scripts/rspamd.py

@@ -0,0 +1,154 @@
+"""Rspamd related functions."""
+
+import os
+import pwd
+import stat
+
+from .. import package
+from .. import utils
+from .. import system
+
+from . import base
+from . import install
+
+
+class Rspamd(base.Installer):
+    """Rspamd installer."""
+
+    appname = "rspamd"
+    packages = {
+        "deb": [
+            "rspamd", "redis"
+        ]
+    }
+    config_files = [
+        "local.d/arc.conf",
+        "local.d/dkim_signing.conf",
+        "local.d/dmarc.conf",
+        "local.d/force_actions.conf",
+        "local.d/greylist.conf",
+        "local.d/metrics.conf",
+        "local.d/milter_headers.conf",
+        "local.d/mx_check.conf",
+        "local.d/redis.conf",
+        "local.d/settings.conf",
+        "local.d/spf.conf",
+        "local.d/worker-normal.inc",
+        "local.d/worker-proxy.inc",
+    ]
+
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.generate_password_condition = (
+            not self.upgrade or utils.user_input(
+                "Do you want to (re)generate rspamd password ? (y/N)").lower().startswith("y")
+        )
+
+    @property
+    def config_dir(self):
+        """Return appropriate config dir."""
+        return "/etc/rspamd"
+
+    def install_packages(self):
+        debian_based_dist, codename = utils.is_dist_debian_based()
+        if debian_based_dist:
+            utils.mkdir_safe(
+                "/etc/apt/keyrings",
+                stat.S_IRWXU | stat.S_IRGRP | stat.S_IXGRP |
+                stat.S_IROTH | stat.S_IXOTH,
+                0, 0
+            )
+
+            package.backend.add_custom_repository(
+                "rspamd",
+                "http://rspamd.com/apt-stable/",
+                "https://rspamd.com/apt-stable/gpg.key",
+                codename
+            )
+            package.backend.update()
+
+        return super().install_packages()
+
+    def install_config_files(self):
+        """Make sure config directory exists."""
+        user = self.config.get(self.appname, "user")
+        pw = pwd.getpwnam(user)
+        targets = [
+            [self.app_config["dkim_keys_storage_dir"], pw[2], pw[3]]
+        ]
+        for target in targets:
+            if not os.path.exists(target[0]):
+                utils.mkdir(
+                    target[0],
+                    stat.S_IRWXU | stat.S_IRGRP | stat.S_IXGRP |
+                    stat.S_IROTH | stat.S_IXOTH,
+                    target[1], target[2]
+                )
+        super().install_config_files()
+
+    def get_config_files(self):
+        """Return appropriate config files."""
+        _config_files = self.config_files
+        if self.config.getboolean("clamav", "enabled"):
+            _config_files.append("local.d/antivirus.conf")
+        if self.app_config["dnsbl"].lower() == "true":
+            _config_files.append("local.d/rbl.conf")
+        if self.app_config["whitelist_auth"].lower() == "true":
+            _config_files.append("local.d/groups.conf")
+        if self.generate_password_condition:
+            _config_files.append("local.d/worker-controller.inc")
+        return _config_files
+
+    def get_template_context(self):
+        _context = super().get_template_context()
+        _context["greylisting_disabled"] = "" if not self.app_config["greylisting"].lower() == "true" else "#"
+        _context["whitelist_auth_enabled"] = "" if self.app_config["whitelist_auth"].lower() == "true" else "#"
+        if self.generate_password_condition:
+            code, controller_password = utils.exec_cmd(
+                r"rspamadm pw -p {}".format(self.app_config["password"]))
+            if code != 0:
+                utils.error("Error setting rspamd password. "
+                            "Please make sure it is not 'q1' or 'q2'."
+                            "Storing the password in plain. See"
+                            "https://rspamd.com/doc/quickstart.html#setting-the-controller-password")
+                _context["controller_password"] = self.app_config["password"]
+            else:
+                controller_password = controller_password.decode().replace("\n", "")
+                _context["controller_password"] = controller_password
+        return _context
+
+    def post_run(self):
+        """Additional tasks."""
+        user = self.config.get(self.appname, "user")
+        system.add_user_to_group(
+            self.config.get("modoboa", "user"),
+            user
+        )
+        if self.config.getboolean("clamav", "enabled"):
+            install("clamav", self.config, self.upgrade, self.archive_path)
+
+    def custom_backup(self, path):
+        """Backup custom configuration if any."""
+        custom_config_dir = os.path.join(self.config_dir,
+                                         "/local.d/")
+        custom_backup_dir = os.path.join(path, "/rspamd/")
+        local_files = [f for f in os.listdir(custom_config_dir)
+                       if os.path.isfile(custom_config_dir, f)
+                       ]
+        for file in local_files:
+            utils.copy_file(file, custom_backup_dir)
+        if len(local_files) != 0:
+            utils.success("Rspamd custom configuration saved!")
+
+    def restore(self):
+        """Restore custom config files."""
+        custom_config_dir = os.path.join(self.config_dir,
+                                         "/local.d/")
+        custom_backup_dir = os.path.join(self.archive_path, "/rspamd/")
+        backed_up_files = [
+            f for f in os.listdir(custom_backup_dir)
+            if os.path.isfile(custom_backup_dir, f)
+        ]
+        for f in backed_up_files:
+            utils.copy_file(f, custom_config_dir)
+        utils.success("Custom Rspamd configuration restored.")

modoboa_installer/utils.py

@@ -1,5 +1,6 @@
 """Utility functions."""
 
+import configparser
 import contextlib
 import datetime
 import getpass
@@ -12,12 +13,10 @@ import stat
 import string
 import subprocess
 import sys
-try:
+import uuid
-    import configparser
-except ImportError:
-    import ConfigParser as configparser
 
 from . import config_dict_template
+from .compatibility_matrix import APP_INCOMPATIBILITY
 
 
 ENV = {}
@@ -33,11 +32,6 @@ class FatalError(Exception):
 
 def user_input(message):
     """Ask something to the user."""
-    try:
-        from builtins import input
-    except ImportError:
-        answer = raw_input(message)
-    else:
     answer = input(message)
     return answer
 
@@ -101,6 +95,17 @@ def dist_name():
     return dist_info()[0].lower()
 
 
+def is_dist_debian_based() -> (bool, str):
+    """Check if current OS is Debian based or not."""
+    status, codename = exec_cmd("lsb_release -c -s")
+    codename = codename.decode().strip().lower()
+    return codename in [
+        "bionic", "bookworm", "bullseye", "buster",
+        "focal", "jammy", "jessie", "sid", "stretch",
+        "trusty", "wheezy", "xenial"
+    ], codename
+
+
 def mkdir(path, mode, uid, gid):
     """Create a directory."""
     if not os.path.exists(path):
@@ -172,25 +177,29 @@ def copy_from_template(template, dest, context):
         fp.write(ConfigFileTemplate(buf).substitute(context))
 
 
-def check_config_file(dest, interactive=False, upgrade=False, backup=False, restore=False):
+def check_config_file(dest,
+                      interactive=False,
+                      upgrade=False,
+                      backup=False,
+                      restore=False):
     """Create a new installer config file if needed."""
     is_present = True
     if os.path.exists(dest):
         return is_present, update_config(dest, False)
     if upgrade:
-        printcolor(
+        error(
             "You cannot upgrade an existing installation without a "
-            "configuration file.", RED)
+            "configuration file.")
         sys.exit(1)
     elif backup:
         is_present = False
-        printcolor(
+        error(
             "Your configuration file hasn't been found. A new one will be generated. "
-            "Please edit it with correct password for the databases !", RED)
+            "Please edit it with correct password for the databases !")
     elif restore:
-        printcolor(
+        error(
             "You cannot restore an existing installation without a "
-            f"configuration file. (file : {dest} has not been found...", RED)
+            f"configuration file. (file : {dest} has not been found...")
         sys.exit(1)
 
     printcolor(
@@ -276,6 +285,16 @@ def random_key(l=16):
             return key
 
 
+def check_if_condition(config, entry):
+    """Check if the "if" directive is present and computes it"""
+    section_if = True
+    for condition in entry:
+        config_key, value = condition.split("=")
+        section_name, option = config_key.split(".")
+        section_if = config.get(section_name, option) == value
+    return section_if
+
+
 def validate(value, config_entry):
     if value is None:
         return False
@@ -296,11 +315,14 @@ def validate(value, config_entry):
         return True
 
 
-def get_entry_value(entry, interactive):
+def get_entry_value(entry: dict, interactive: bool, config: configparser.ConfigParser) -> string:
-    if callable(entry["default"]):
+    default_entry = entry["default"]
+    if type(default_entry) is type(list()):
+        default_value = str(check_if_condition(config, default_entry)).lower()
+    elif callable(default_entry):
         default_value = entry["default"]()
     else:
-        default_value = entry["default"]
+        default_value = default_entry
     user_value = None
     if entry.get("customizable") and interactive:
         while (user_value != '' and not validate(user_value, entry)):
@@ -336,16 +358,22 @@ def load_config_template(interactive):
     config = configparser.ConfigParser()
     # only ask about options we need, else still generate default
     for section in tpl_dict:
-        if "if" in section:
-            config_key, value = section.get("if").split("=")
-            section_name, option = config_key.split(".")
-            interactive_section = (
-                config.get(section_name, option) == value and interactive)
-        else:
         interactive_section = interactive
+        if "if" in section:
+            condition = check_if_condition(config, section["if"])
+            interactive_section = condition and interactive
+
         config.add_section(section["name"])
         for config_entry in section["values"]:
-            value = get_entry_value(config_entry, interactive_section)
+            if config_entry.get("if") is not None:
+                interactive_section = (interactive_section and
+                                       check_if_condition(
+                                           config, config_entry["if"]
+                                           )
+                                       )
+            value = get_entry_value(config_entry,
+                                    interactive_section,
+                                    config)
             config.set(section["name"], config_entry["option"], value)
     return config
 
@@ -445,7 +473,7 @@ def validate_backup_path(path: str, silent_mode: bool):
     if not path_exists:
         if not silent_mode:
             create_dir = input(
-                f"\"{path}\" doesn't exist, would you like to create it? [Y/n]\n"
+                f"\"{path}\" doesn't exist, would you like to create it? [y/N]\n"
             ).lower()
 
         if silent_mode or (not silent_mode and create_dir.startswith("y")):
@@ -460,7 +488,7 @@ def validate_backup_path(path: str, silent_mode: bool):
     if len(os.listdir(path)) != 0:
         if not silent_mode:
             delete_dir = input(
-                "Warning: backup directory is not empty, it will be purged if you continue... [Y/n]\n").lower()
+                "Warning: backup directory is not empty, it will be purged if you continue... [y/N]\n").lower()
 
         if silent_mode or (not silent_mode and delete_dir.startswith("y")):
             try:
@@ -485,3 +513,33 @@ def validate_backup_path(path: str, silent_mode: bool):
         mkdir_safe(os.path.join(backup_path, dir),
                    stat.S_IRWXU | stat.S_IRWXG, pw[2], pw[3])
     return backup_path
+
+
+def create_oauth2_app(app_name: str, client_id: str, config) -> tuple[str, str]:
+    """Create a application for Oauth2 authentication."""
+    # FIXME: how can we check that application already exists ?
+    venv_path = config.get("modoboa", "venv_path")
+    python_path = os.path.join(venv_path, "bin", "python")
+    instance_path = config.get("modoboa", "instance_path")
+    script_path = os.path.join(instance_path, "manage.py")
+    client_secret = str(uuid.uuid4())
+    cmd = (
+        f"{python_path} {script_path} createapplication "
+        f"--name={app_name} --skip-authorization "
+        f"--client-id={client_id} --client-secret={client_secret} "
+        f"confidential client-credentials"
+    )
+    exec_cmd(cmd)
+    return client_id, client_secret
+
+
+def check_app_compatibility(section, config):
+    """Check that the app can be installed in regards to other enabled apps."""
+    incompatible_app = []
+    if section in APP_INCOMPATIBILITY.keys():
+        for app in APP_INCOMPATIBILITY[section]:
+            if config.getboolean(app, "enabled"):
+                error(f"{section} cannot be installed if {app} is enabled. "
+                      "Please disable one of them.")
+                incompatible_app.append(app)
+    return len(incompatible_app) == 0

run.py

@@ -3,15 +3,12 @@
 """An installer for Modoboa."""
 
 import argparse
+import configparser
 import datetime
 import os
-try:
-    import configparser
-except ImportError:
-    import ConfigParser as configparser
 import sys
 
-import checks
+from modoboa_installer import checks
 from modoboa_installer import compatibility_matrix
 from modoboa_installer import constants
 from modoboa_installer import package
@@ -19,75 +16,24 @@ from modoboa_installer import scripts
 from modoboa_installer import ssl
 from modoboa_installer import system
 from modoboa_installer import utils
+from modoboa_installer import disclaimers
 
 
 PRIMARY_APPS = [
-    "amavis",
     "fail2ban",
     "modoboa",
     "automx",
     "radicale",
     "uwsgi",
     "nginx",
-    "opendkim",
     "postfix",
     "dovecot"
 ]
 
 
-def installation_disclaimer(args, config):
-    """Display installation disclaimer."""
-    hostname = config.get("general", "hostname")
-    utils.printcolor(
-        "Notice:\n"
-        "It is recommanded to run this installer on a FRESHLY installed server.\n"
-        "(ie. with nothing special already installed on it)\n",
-        utils.CYAN
-    )
-    utils.printcolor(
-        "Warning:\n"
-        "Before you start the installation, please make sure the following "
-        "DNS records exist for domain '{}':\n"
-        "  {} IN A   <IP ADDRESS OF YOUR SERVER>\n"
-        "     @ IN MX  {}.\n".format(
-            args.domain,
-            hostname.replace(".{}".format(args.domain), ""),
-            hostname
-        ),
-        utils.YELLOW
-    )
-    utils.printcolor(
-        "Your mail server will be installed with the following components:",
-        utils.BLUE)
-
-
-def upgrade_disclaimer(config):
-    """Display upgrade disclaimer."""
-    utils.printcolor(
-        "Your mail server is about to be upgraded and the following components"
-        " will be impacted:", utils.BLUE
-    )
-
-
-def backup_disclaimer():
-    """Display backup disclamer. """
-    utils.printcolor(
-        "Your mail server will be backed up locally.\n"
-        " !! You should really transfer the backup somewhere else...\n"
-        " !! Custom configuration (like for postfix) won't be saved.", utils.BLUE)
-
-
-def restore_disclaimer():
-    """Display restore disclamer. """
-    utils.printcolor(
-        "You are about to restore a previous installation of Modoboa.\n"
-        "If a new version has been released in between, please update your database!",
-        utils.BLUE)
-
-
 def backup_system(config, args):
     """Launch backup procedure."""
-    backup_disclaimer()
+    disclaimers.backup_disclaimer()
     backup_path = None
     if args.silent_backup:
         if not args.backup_path:
@@ -135,8 +81,7 @@ def config_file_update_complete(backup_location):
                          utils.BLUE)
 
 
-def main(input_args):
+def parser_setup(input_args):
-    """Install process."""
     parser = argparse.ArgumentParser()
     versions = (
         ["latest"] + list(compatibility_matrix.COMPATIBILITY_MATRIX.keys())
@@ -181,13 +126,18 @@ def main(input_args):
         "--restore", type=str, metavar="path",
         help="Restore a previously backup up modoboa instance on a NEW machine. "
         "You MUST provide backup directory"
-    ),
+        )
     parser.add_argument(
         "--skip-checks", action="store_true", default=False,
         help="Skip the checks the installer performs initially")
     parser.add_argument("domain", type=str,
                         help="The main domain of your future mail server")
-    args = parser.parse_args(input_args)
+    return parser.parse_args(input_args)
+
+
+def main(input_args):
+    """Install process."""
+    args = parser_setup(input_args)
 
     if args.debug:
         utils.ENV["debug"] = True
@@ -246,28 +196,36 @@ def main(input_args):
     config.set("modoboa", "version", args.version)
     config.set("modoboa", "install_beta", str(args.beta))
 
+    if config.get("antispam", "type") == "amavis":
+        antispam_apps = ["amavis", "opendkim"]
+    else:
+        antispam_apps = ["rspamd"]
+
     if args.backup or args.silent_backup:
         backup_system(config, args)
         return
 
     # Display disclaimer python 3 linux distribution
     if args.upgrade:
-        upgrade_disclaimer(config)
+        disclaimers.upgrade_disclaimer(config)
     elif args.restore:
-        restore_disclaimer()
+        disclaimers.restore_disclaimer()
         scripts.restore_prep(args.restore)
     else:
-        installation_disclaimer(args, config)
+        disclaimers.installation_disclaimer(args, config)
 
     # Show concerned components
     components = []
     for section in config.sections():
-        if section in ["general", "database", "mysql", "postgres",
+        if section in ["general", "antispam", "database", "mysql", "postgres",
                        "certificate", "letsencrypt", "backup"]:
             continue
         if (config.has_option(section, "enabled") and
                 not config.getboolean(section, "enabled")):
             continue
+        incompatible_app_detected = not utils.check_app_compatibility(section, config)
+        if incompatible_app_detected:
+            sys.exit(0)
         components.append(section)
     utils.printcolor(" ".join(components), utils.YELLOW)
     if not args.force:
@@ -284,19 +242,26 @@ def main(input_args):
     ssl_backend = ssl.get_backend(config)
     if ssl_backend and not args.upgrade:
         ssl_backend.generate_cert()
-    for appname in PRIMARY_APPS:
+    for appname in PRIMARY_APPS + antispam_apps:
         scripts.install(appname, config, args.upgrade, args.restore)
     system.restart_service("cron")
     package.backend.restore_system()
+    hostname = config.get("general", "hostname")
     if not args.restore:
         utils.success(
-            "Congratulations! You can enjoy Modoboa at https://{} (admin:password)"
+            f"Congratulations! You can enjoy Modoboa at https://{hostname} "
-            .format(config.get("general", "hostname"))
+            "(admin:password)"
         )
     else:
         utils.success(
-            "Restore complete! You can enjoy Modoboa at https://{} (same credentials as before)"
+            f"Restore complete! You can enjoy Modoboa at https://{hostname} "
-            .format(config.get("general", "hostname"))
+            "(same credentials as before)"
+        )
+    if config.getboolean("rspamd", "enabled"):
+        rspamd_password = config.get("rspamd", "password")
+        utils.success(
+            f"You can also enjoy rspamd at https://{hostname}/rspamd "
+            f"(password: {rspamd_password})"
         )
     utils.success(
         "\n"

tests.py

@@ -47,7 +47,7 @@ class ConfigFileTestCase(unittest.TestCase):
     def test_interactive_mode(self, mock_user_input):
         """Check interactive mode."""
         mock_user_input.side_effect = [
-            "0", "0", "", "", "", "", ""
+            "0", "0", "", "", "", "", "", ""
         ]
         with open(os.devnull, "w") as fp:
             sys.stdout = fp
@@ -99,7 +99,7 @@ class ConfigFileTestCase(unittest.TestCase):
     def test_interactive_mode_letsencrypt(self, mock_user_input):
         """Check interactive mode."""
         mock_user_input.side_effect = [
-            "1", "admin@example.test", "0", "", "", "", "", ""
+            "0", "0", "1", "admin@example.test", "0", "", "", "", ""
         ]
         with open(os.devnull, "w") as fp:
             sys.stdout = fp
@@ -126,11 +126,12 @@ class ConfigFileTestCase(unittest.TestCase):
             "example.test"])
         self.assertTrue(os.path.exists(self.cfgfile))
         self.assertIn(
-            "modoboa automx amavis clamav dovecot nginx razor postfix"
+            "fail2ban modoboa automx amavis clamav dovecot nginx "
-            " postwhite spamassassin uwsgi",
+            "postfix postwhite spamassassin uwsgi radicale opendkim",
             out.getvalue()
         )
-        self.assertNotIn("It seems that your config file is outdated.",
+        self.assertNotIn(
+            "It seems that your config file is outdated.",
             out.getvalue()
         )
 

version.txt

@@ -1 +1 @@
-c1abbe97925917d4ec62ff11a70b375d40be5147
+53669b48de7ce85341a547ed2583380fcb06841b