diff --git a/data/Dockerfiles/sogo/Dockerfile b/data/Dockerfiles/sogo/Dockerfile
index ed7e07ed6..1482b8f91 100644
--- a/data/Dockerfiles/sogo/Dockerfile
+++ b/data/Dockerfiles/sogo/Dockerfile
@@ -1,47 +1,128 @@
-FROM debian:bookworm-slim
+# SOGo built from source to enable security patch application
+# Repository: https://github.com/Alinto/sogo
+# Version: SOGo-5.12.4
+#
+# Applied security patches:
+# - 16ab99e7cf8db2c30b211f0d5e338d7f9e3a9efb: XSS vulnerability in theme parameter
+#
+# To add new patches, modify SOGO_SECURITY_PATCHES ARG below with space-separated commit hashes
+
+FROM debian:bookworm
 LABEL maintainer="The Infrastructure Company GmbH "
 ARG DEBIAN_FRONTEND=noninteractive
-ARG DEBIAN_VERSION=bookworm
-ARG SOGO_DEBIAN_REPOSITORY=https://packagingv2.sogo.nu/sogo-nightly-debian/
+ARG SOGO_VERSION=SOGo-5.12.4
+ARG SOPE_VERSION=SOPE-5.12.4
+# Security patches to apply (space-separated commit hashes)
+ARG SOGO_SECURITY_PATCHES="16ab99e7cf8db2c30b211f0d5e338d7f9e3a9efb"
 # renovate: datasource=github-releases depName=tianon/gosu versioning=semver-coerced extractVersion=^(?.*)$
 ARG GOSU_VERSION=1.19
 ENV LC_ALL=C
-# Prerequisites
-RUN echo "Building from repository $SOGO_DEBIAN_REPOSITORY" \
- && apt-get update && apt-get install -y --no-install-recommends \
- apt-transport-https \
- ca-certificates \
- gettext \
- gnupg \
- mariadb-client \
- rsync \
- supervisor \
- syslog-ng \
- syslog-ng-core \
- syslog-ng-mod-redis \
- dirmngr \
- netcat-traditional \
- psmisc \
- wget \
- patch \
+# Install all dependencies (build + runtime)
+RUN apt-get update && apt-get install -y --no-install-recommends \
+ # Build dependencies
+ git \
+ build-essential \
+ gobjc \
+ gnustep-make \
+ gnustep-base-runtime \
+ libgnustep-base-dev \
+ libxml2-dev \
+ libldap2-dev \
+ libssl-dev \
+ zlib1g-dev \
+ libpq-dev \
+ libmariadb-dev-compat \
+ libmemcached-dev \
+ libsodium-dev \
+ libcurl4-openssl-dev \
+ libzip-dev \
+ libytnef0-dev \
+ curl \
+ ca-certificates \
+ # Runtime dependencies
+ apt-transport-https \
+ gettext \
+ gnupg \
+ mariadb-client \
+ rsync \
+ supervisor \
+ syslog-ng \
+ syslog-ng-core \
+ syslog-ng-mod-redis \
+ dirmngr \
+ netcat-traditional \
+ psmisc \
+ wget \
+ patch \
+ libobjc4 \
+ libxml2 \
+ libldap-2.5-0 \
+ libssl3 \
+ zlib1g \
+ libmariadb3 \
+ libmemcached11 \
+ libsodium23 \
+ libcurl4 \
+ libzip4 \
+ libytnef0 \
 && dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')" \
 && wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch" \
 && chmod +x /usr/local/bin/gosu \
 && gosu nobody true \
- && mkdir /usr/share/doc/sogo \
+ && mkdir -p /usr/share/doc/sogo \
 && touch /usr/share/doc/sogo/empty.sh \
- && wget -O- https://keys.openpgp.org/vks/v1/by-fingerprint/74FFC6D72B925A34B5D356BDF8A27B36A6E2EAE9 | gpg --dearmor | apt-key add - \
- && echo "deb [trusted=yes] ${SOGO_DEBIAN_REPOSITORY} ${DEBIAN_VERSION} main" > /etc/apt/sources.list.d/sogo.list \
- && apt-get update && apt-get install -y --no-install-recommends \
- sogo \
- sogo-activesync \
 && apt-get autoclean \
 && rm -rf /var/lib/apt/lists/* \
 && touch /etc/default/locale
+# Build SOPE (SOGo's framework dependency)
+RUN git clone --depth 1 --branch ${SOPE_VERSION} https://github.com/Alinto/sope.git /tmp/sope \
+ && cd /tmp/sope \
+ && . /usr/share/GNUstep/Makefiles/GNUstep.sh \
+ && ./configure --prefix=/usr --enable-debug \
+ && make -j$(nproc) \
+ && make install \
+ && cd / \
+ && rm -rf /tmp/sope
+
+# Build SOGo with security patches
+RUN git clone --depth 1 --branch ${SOGO_VERSION} https://github.com/Alinto/sogo.git /tmp/sogo \
+ && cd /tmp/sogo \
+ && git config user.email "builder@mailcow.local" \
+ && git config user.name "SOGo Builder" \
+ && for patch in ${SOGO_SECURITY_PATCHES}; do \
+ echo "Applying security patch: ${patch}"; \
+ git fetch origin ${patch} && git cherry-pick ${patch}; \
+ done \
+ && . /usr/share/GNUstep/Makefiles/GNUstep.sh \
+ && ./configure --enable-debug \
+ && make \
+ && make install \
+ && cd / \
+ && rm -rf /tmp/sogo
+
+# Configure library paths
+RUN echo "/usr/lib64" > /etc/ld.so.conf.d/sogo.conf \
+ && echo "/usr/local/lib/sogo" >> /etc/ld.so.conf.d/sogo.conf \
+ && echo "/usr/local/lib/GNUstep/Frameworks/SOGo.framework/Versions/5/sogo" >> /etc/ld.so.conf.d/sogo.conf \
+ && ldconfig
+
+# Create sogo user and group
+RUN groupadd -r -g 999 sogo \
+ && useradd -r -u 999 -g sogo -d /var/lib/sogo -s /bin/bash -c "SOGo Daemon" sogo \
+ && mkdir -p /var/lib/sogo /var/run/sogo /var/log/sogo \
+ && chown -R sogo:sogo /var/lib/sogo /var/run/sogo /var/log/sogo
+
+# Create symlinks for SOGo binaries
+RUN ln -s /usr/local/sbin/sogod /usr/sbin/sogod \
+ && ln -s /usr/local/sbin/sogo-tool /usr/sbin/sogo-tool \
+ && ln -s /usr/local/sbin/sogo-ealarms-notify /usr/sbin/sogo-ealarms-notify \
+ && ln -s /usr/local/sbin/sogo-slapd-sockd /usr/sbin/sogo-slapd-sockd
+
+# Copy configuration files and scripts
 COPY ./bootstrap-sogo.sh /bootstrap-sogo.sh
 COPY syslog-ng.conf /etc/syslog-ng/syslog-ng.conf
 COPY syslog-ng-redis_slave.conf /etc/syslog-ng/syslog-ng-redis_slave.conf
@@ -56,4 +137,4 @@ RUN chmod +x /bootstrap-sogo.sh \
 ENTRYPOINT ["/docker-entrypoint.sh"]
-CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/supervisord.conf"]
\ No newline at end of file
+CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/supervisord.conf"]
diff --git a/docker-compose.yml b/docker-compose.yml
index 75cca872d..cebdd91c3 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -200,7 +200,7 @@ services:
 - phpfpm
 sogo-mailcow:
- image: ghcr.io/mailcow/sogo:5.12.4-1
+ image: ghcr.io/mailcow/sogo:5.12.4-2
 environment:
 - DBNAME=${DBNAME}
 - DBUSER=${DBUSER}
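Review bot: The patch loop in the SOGo build step only fails the build when the last patch fails: `git fetch origin ${patch} && git cherry-pick ${patch};` is the loop body's final command, so with more than one hash in `SOGO_SECURITY_PATCHES` a fetch error on an earlier one (a mistyped hash, for instance) is masked by a successful later iteration, and the image is built — and described in the header comment — as fully patched. Abort on the first failure instead, `git fetch origin "${patch}" && git cherry-pick "${patch}" || exit 1; \`, so the `&& . /usr/share/GNUstep/Makefiles/GNUstep.sh` chain after `done` never builds a partially patched tree. Separately, because everything happens in the single `debian:bookworm` stage, `build-essential`, `gobjc`, `git` and all the `*-dev` headers remain in the runtime image and both `./configure` calls pass `--enable-debug`; a dedicated build stage with `COPY --from` of the installed tree would keep the runtime image closer to the previous package-based one. `git clone --branch ${SOGO_VERSION}` also resolves a tag, which upstream can move; recording the expected commit and comparing it with `git rev-parse HEAD` after the clone would make the build reproducible and pin what the patches are applied on top of.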