nginx - activate ocsp if enabled in certificate + dhparam

2022-09-10 rewritten it to extend admin-web and dhparam in another file_location - /etc/ssl/certs/dhparam.pem can be destroyed by some nss/ca zypper update ...

#!/bin/bash
#changed to a file not in /etc/ssl/certs as zypper deletes them with updates?!
DHPARAM=/etc/nginx/dhparam.pem
# shellcheck disable=2207
IFS=$'\n' SSLPARAMS=($(find /usr/share/grom* -iname '*ssl*params.conf'))
# activate dhparam
if [ ! -f $DHPARAM ]; then
  # -dsaparam is faster and should be _safe_ enough
  openssl dhparam -dsaparam -out $DHPARAM 4096
  chmod 640 $DHPARAM
fi

# SPLIT CERT-CHAIN
FULLCHAIN=$(</etc/grommunio-common/ssl/server-bundle.pem)
CERTIFICATE="${FULLCHAIN%%-----END CERTIFICATE-----*}-----END CERTIFICATE-----"
CHAIN=$(echo -e "${FULLCHAIN#*-----END CERTIFICATE-----}" | sed '/./,$!d')

# Check if got an ocsp staple in our certificate
check_ocsp () {
  openssl ocsp -issuer <(echo "$CHAIN") -cert <(echo "$CERTIFICATE") -text \
    -url "$(openssl x509 -noout -ocsp_uri -in <(echo "$CERTIFICATE"))" |& \
    grep -q "Response verify OK"
}

for conf in "${SSLPARAMS[@]:-}"; do
  sed -i -e 's/^\# ssl_dhparam \/etc/ssl_dhparam \/etc/g' \
    -e "s|/etc/ssl/certs/dhparam.pem|$DHPARAM|g" "${conf}"
  if check_ocsp; then
    if ! grep -q "^ssl_stapling" "${conf}" ; then
      cat << 'EOF' >> "${conf}"
ssl_stapling on;
ssl_stapling_verify on;
EOF
    fi
  fi
done

Debian

NGINX - Build missing modules

prerequests
mkdir -p ~/src
cd ~/src
apt-get build-dep nginx-full
wget https://nginx.org/download/nginx-1.18.0.tar.gz
tar xfvz nginx-1.18.0.tar.gz
host traffic status
cd ~/src/
git clone https://github.com/vozlt/nginx-module-vts.git
cd nginx-1.18.0/
#Here we look for our prefix..
nginx -V |& grep configure\ arguments |sed 's/.*prefix/--prefix/'
#now use it...
OPTS=$(echo $(nginx -V |& grep configure\ arguments |sed 's/.*prefix/--prefix/') --add-dynamic-module=../nginx-module-vts/)
./configure $OPTS
make modules
cp objs/ngx_http_vhost_traffic_status_module.so /usr/lib/nginx/modules/
echo  "load_module /usr/lib/nginx/modules/ngx_http_vhost_traffic_status_module.so;" > /etc/nginx/modules-available/90-mod-vhost-traffic-status.conf
ln -s /etc/nginx/modules-available/90-mod-vhost-traffic-status.conf /etc/nginx/modules-enabled/
brotli
cd ~/src/
git clone https://github.com/google/ngx_brotli.git
cd nginx-1.18.0/
OPTS=$(echo $(nginx -V |& grep configure\ arguments |sed 's/.*prefix/--prefix/') --add-dynamic-module=../ngx_brotli/)
 ./configure $OPTS
make modules
cp objs/ngx_http_brotli_*.so /usr/lib/nginx/modules/
cat << EOF >> /etc/nginx/modules-available/90-mod-brotli.conf
load_module /usr/lib/nginx/modules/ngx_http_brotli_filter_module.so;
load_module /usr/lib/nginx/modules/ngx_http_brotli_static_module.so;
EOF
ln -s /etc/nginx/modules-available/90-mod-brotli.conf /etc/nginx/modules-enabled/
nginx -t && nginx -s reload

Automated version with Configs from RPMs and other sutff

  • crpb replied to this.
    8 days later
    grommunio-admin ldap + dbconf defaults
    #!/bin/sh
#
# This File is a demonstration of dbconf capabilities.
# https://docs.grommunio.com/man/grommunio-admin-dbconf.html
# https://docs.grommunio.com/man/grommunio-admin-mconf.html
#
# shellcheck disable=SC2016
#
# gro-ad-exmdb-store sizes.. 2022/08 
mb() { printf "(%f*1024^1)/1\n" "$1"| bc ; }
gb() { printf "(%f*1024^2)/1\n" "$1"| bc ; }
tb() { printf "(%f*1024^3)/1\n" "$1"| bc ; }

#who likes long command-chains?
cmd=$(which grommunio-admin)
dbset () { $cmd dbconf set "$1" "$2" "$3" "$4" ; } 
#Set only LDAP-Auth via mconf
$cmd mconf modify authmgr set authBackendSelection alywas_ldap
#Set Gromox-Mailbox-Defaults - i think those are all possible values
defaults() { dbset grommunio-admin defaults-system "$1" "$2" ; }
defaults user.lang 'de_DE'
defaults user.pop3_imap true
defaults user.properties.prohibitsendquota    "$(gb 0.4)"
defaults user.properties.prohibitreceivequota "$(gb 0.5)"
defaults user.properties.storagequotalimit    "$(gb 0.6)"
defaults domain.maxUser 25
defaults user.smtp false
defaults domain.chat true
defaults user.changePassword false
defaults user.privChat false
defaults user.privVideo false
defaults user.privFiles false
defaults user.privArchive false
defaults user.chat false

#Now we will use dbconf for postfix-settings
# - Setup dbconf-mechanism for postfix
dbset grommunio-dbconf postfix commit_key 'postconf -e $ENTRY'
#this _should_ also work  -  ¯\_(ツ)_/¯
dbset grommunio-dbconf postfix commit_service 'systemctl reload-or-restart $SERVICE'
#Setup dbconf-postfix-settings
#Helper
postconf() { dbset postfix main.cfg "$1" "$2" ; }
# - Max Message Size - replace mb() to be postfix-compatible
mb() { printf "(%f*1024^2)/1\n" "$1"| bc ; }
postconf message_size_limit "$(mb 50)"
# - various SSL/TLS-Settings
postconf smtp_sasl_auth_enable yes
postconf smtp_sasl_security_options noanonymous
postconf smtp_use_tls yes
postconf smtpd_tls_mandatory_protocols '!SSLv2,!SSLv3,!TLSv1,!TLSv1.1'
postconf smtpd_tls_protocols '!SSLv2,!SSLv3,!TLSv1,!TLSv1.1'
# - Relay-Host
# postconf smtp_sasl_password_maps 'lmdb:/etc/postfix/sasl_passwd'
# the rest via ./postfix/postfix.sh for now...
    15 days later

    grom_du (disk usage) of all users

    grommunio-admin fs du user will get that sooner or later i guess. I was still too lazy to work my way through there :P.
    FYI: Mailbox-Size differs from Disk-Usage and Disk-Usage differs on $Filesystem - (-)

    alias grom_du='grommunio-admin user query username maildir |sed 1,2d | while read -r user mdir; do printf "%s;%s;%s\n" "$(du -hs ${mdir}|cut -f1)" "$user" "$mdir"; done  |sort -h'

      Autodiscover for all those other Clients.

      WIP!

      bind9 template

      % cat ~/tmpl/srv
; vim:filetype=bindzone
                       TXT              "mailconf=https://grommunio-host.domain.tld/.well-known/autoconfig/mail/config-v1.1.xml"
$ORIGIN domain.tld.
_autodiscover._tcp IN  SRV    0  1  443 grommunio-host.domain.tld.
_caldav._tcp       IN  SRV    0  0  0   .
_caldavs._tcp          TXT              "path=/dav/calendars"
_caldavs._tcp      IN  SRV    0  1  443 grommunio-host.domain.tld.
_carddav._tcp      IN  SRV    0  0  0   .
_carddavs._tcp         TXT              "path=/dav/addressbooks"
_carddavs._tcp     IN  SRV    0  1  443 grommunio-host.domain.tld.
_imap._tcp         IN  SRV    0  1  143 grommunio-host.domain.tld.
_imaps._tcp        IN  SRV    0  1  993 grommunio-host.domain.tld.
_pop3._tcp         IN  SRV    0  1  110 grommunio-host.domain.tld.
_pop3s._tcp        IN  SRV    0  1  995 grommunio-host.domain.tld.
_sieve._tcp        IN  SRV    0  0  0   .
;_sieve._tcp        IN  SRV 0 1 4190  grommunio-host.domain.tld.
_smtp._tcp         IN  SRV    0  1  25  grommunio-host.domain.tld.
_smtps._tcp        IN  SRV    0  0  0   .
;_smtps._tcp        IN  SRV 0 1 465 grommunio-host.domain.tld.
_submission._tcp   IN  SRV    0  1  587 grommunio-host.domain.tld.
autodiscover       IN  CNAME            grommunio-host.domain.tld.

      RFC 2782
      RFC 6186
      RFC 6764

        crpb

        unfortuanetly, this only seems to work for Outlook and iOS. Neither Apple Mail or Thunderbird do seem to care about these. I know that Thunderbird looks for something called Autoconfig and Apple Mail's autodiscover mechanism seems to be even more opaque. It's such a downer, that everyone seems to cook up their own solution for this.

        • crpb replied to this.

            sbudach

            My Claws-Mail at least is happy with those imaps and submission-references.

            EDIT: Did a bit of reading on Thunderbird...
            https://wiki.mozilla.org/Thunderbird:Autoconfiguration
            https://wiki.mozilla.org/Thunderbird:Autoconfiguration:DNSBasedLookup

            Maybe there already is such an app or i think i will write my own little bottle-app to provide a backend for "TXT mailconf=uri.to.app/emaildomain.tld" which then does an SRV-Lookup and generate a config.xml with the corresponding fields...

            OR SOMETHING LIKE THAT o_0..
            Still need to test if those config.xml with "TXT mailconf=" entries even work now. Most references in the mozilla-wiki are dead...

                crpb

                Yeah… I read something about such an app. I wasn't aware, that you can invoke it as a result of a TXT DNS lookup…

                  Well, each domain would just have an DNS TXT Entry Pointing to "mailconf=https://uri.to.app/dnsdomain.tld" to make it possible.
                  For clarification an example with dig

                  # dig +short TXT domainA.tld
"v=spf1 mx -all"
"mailconf=https://ac.my.app/mail/domainA.tld/config.xml"
# dig +short TXT domainB.tld
"v=spf1 mx -all"
"mailconf=https://ac.my.app/mail/domainB.tld/config.xml"

                  EDIT:
                  And internally it should query all those SRV-Entries on "domainA|B|X.tld" and generate a config with the respective DNS-Priorities. So basically as default something like: incomingserver imap+ssl, outgoingserver submission+tls if you use that template from above.

                  Nothing really test so far! Just a thought of how this could be done without all those other "A" subdomains (autoconfig|autodiscover.domain.tld) and no extra configuration needed at company-domain.tld.

                  And after a bit of searching i at least found a few references. But not exactly what i was thinking about.
                  https://rseichter.github.io/automx2/
                  https://github.com/Monogramm/autodiscover-email-settings

                  cheers!

                  a month later

                  BTRFS MAINTENANCE

                  To not have to care so much about doing recommended regularly Maintenance-Tasks on the BTRFS Volumes you can install the Package btrfsmaintenance.

                  There is also an article about disabling btrfsmaintenance but the note "Disabling automatic drive maintenance, in favor of manual maintenance, is desired." without any explanation is nor helpful at all.

                  zypper refresh
zypper install -y btrfsmaintenance
# Let the script do most of the work on all (sub)volumes
sed '/^BTRFS/s/\//auto/g' /etc/sysconfig/btrfsmaintenance -i
systemctl restart btrfsmaintenance-refresh.service

                  By default the Systemd-Timers btrfs.scrub and btrfs-balance are now active. I guess this enough for now.

                  25 days later

                  crpb To find the users and their mail directories, there is a single line command:
                  echo "select maildir,username from users where maildir<>'';" | mysql -N grommunio | sort

                    Hey Walter,

                    that is certainly another Option. Currently i use the following in my scripts.

                    _grom_query_maildir(){
  grommunio-admin user query --filter username="${1}" maildir
}
                    2 months later

                    Learn Ham - Update 2024.04.28 2024.06.26

                    As i was bothered by the Spam-Handling on some Mails from an Mailinglist which always landed in my Junk-Folder i finally got around to create this little Function script.

                    Both scripts can be configured to wait at least N Days before the Mail will be processed by the script.
                    And aswell as in the original you can configure if it should delete the Mail after learning it.

                    The HAM-Runner will mark messages as READ after indexing them if they aren't deleted.

                    Additionally you can now provide optional parameters to rspamc to be able to use another RSPAMD Installation.

                    grommunio-ham-run.sh

                    .service, .timer & installscript in the folder

                    grommunio-spam-run.sh

                    Create HAM-LEARN-FOLDER for all users

                    USERS=$(grommunio-admin user query username status maildir |awk '$2=="0/active" && $3 ~ /\/var\/lib\/gromox/ {print$1}')
# this might say it failed but then the folder just exists already
for USER in $USERS; do 
grommunio-admin exmdb $USER folder create -t IPF.Note --comment "HAM-Training" TRAIN-HAM 9; 
done

                    PS: HowTo Moving mails automatically to Junk-Folder via Inbox-Rule https://community.grommunio.com/d/572-spam-handling/12

                    Autodiscover

                    GPO Copy/Paste

                    <?xml version="1.0" encoding="utf-8"?>
<RegistrySettings clsid="{A3CCFC41-DFDB-43a5-8D26-0FE8B954DA51}">
  <Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="ExcludeExplicitO365Endpoint" status="ExcludeExplicitO365Endpoint" image="11" changed="2023-01-06 06:48:06" uid="{3607AC9F-C086-4FF5-AD5E-DC8A2A8EC815}" bypassErrors="1"><Properties action="R" displayDecimal="1" default="0" hive="HKEY_CURRENT_USER" key="Software\Microsoft\Office\16.0\Outlook\AutoDiscover" name="ExcludeExplicitO365Endpoint" type="REG_DWORD" value="00000001"/></Registry>
  <Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="ExcludeLastKnownGoodURL" status="ExcludeLastKnownGoodURL" image="11" changed="2023-01-06 06:47:24" uid="{A4BDDC22-D8C2-40E3-ABA8-2E4C4CE47558}"><Properties action="R" displayDecimal="1" default="0" hive="HKEY_CURRENT_USER" key="Software\Microsoft\Office\16.0\Outlook\AutoDiscover" name="ExcludeLastKnownGoodURL" type="REG_DWORD" value="00000001"/></Registry>
  <Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="ExcludeHttpsRootDomain" status="ExcludeHttpsRootDomain" image="11" changed="2023-01-06 06:47:28" uid="{A9023706-376D-4FB9-8E30-4BBBB0FA6981}"><Properties action="R" displayDecimal="1" default="0" hive="HKEY_CURRENT_USER" key="Software\Microsoft\Office\16.0\Outlook\AutoDiscover" name="ExcludeHttpsRootDomain" type="REG_DWORD" value="00000001"/></Registry>
  <Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="ExcludeHttpsAutoDiscoverDomain" status="ExcludeHttpsAutoDiscoverDomain" image="11" changed="2023-01-06 06:47:31" uid="{36E47622-6C23-4D1E-8ECB-07A350DFCFD0}"><Properties action="R" displayDecimal="1" default="0" hive="HKEY_CURRENT_USER" key="Software\Microsoft\Office\16.0\Outlook\AutoDiscover" name="ExcludeHttpsAutoDiscoverDomain" type="REG_DWORD" value="00000001"/></Registry>
  <Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="ExcludeHttpRedirect" status="ExcludeHttpRedirect" image="11" changed="2023-01-06 06:47:35" uid="{105A60A9-BBAC-40AF-88FC-7AF986D6A568}"><Properties action="R" displayDecimal="1" default="0" hive="HKEY_CURRENT_USER" key="Software\Microsoft\Office\16.0\Outlook\AutoDiscover" name="ExcludeHttpRedirect" type="REG_DWORD" value="00000001"/></Registry>
  <Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="ExcludeScpLookup" status="ExcludeScpLookup" image="11" changed="2023-01-06 06:47:39" uid="{699006E9-FB8F-492F-81F4-80472FFE8972}"><Properties action="R" displayDecimal="1" default="0" hive="HKEY_CURRENT_USER" key="Software\Microsoft\Office\16.0\Outlook\AutoDiscover" name="ExcludeScpLookup" type="REG_DWORD" value="00000001"/></Registry>
  <Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="ExcludeSrvRecord" status="ExcludeSrvRecord" image="11" changed="2023-01-06 06:47:45" uid="{5B7B8077-42E9-4671-A6B5-FBA0F0B277A7}"><Properties action="R" displayDecimal="1" default="0" hive="HKEY_CURRENT_USER" key="Software\Microsoft\Office\16.0\Outlook\AutoDiscover" name="ExcludeSrvRecord" type="REG_DWORD" value="00000000"/></Registry>
  <Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="EnableOffice365ConfigService" status="EnableOffice365ConfigService" image="11" changed="2023-01-06 06:47:51" uid="{194041B7-4A42-49AD-9AB1-BFC997765D6F}"><Properties action="R" displayDecimal="1" default="0" hive="HKEY_CURRENT_USER" key="Software\Microsoft\Office\16.0\Outlook\AutoDiscover" name="EnableOffice365ConfigService" type="REG_DWORD" value="00000001"/></Registry>
  <Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="ExcludeExplicitO365Endpoint" status="ExcludeExplicitO365Endpoint" image="11" changed="2023-01-06 06:44:28" uid="{5F314DA6-E185-477E-985C-06B23414101E}"><Properties action="R" displayDecimal="1" default="0" hive="HKEY_CURRENT_USER" key="Software\Policies\Microsoft\Office\16.0\Outlook\AutoDiscover" name="ExcludeExplicitO365Endpoint" type="REG_DWORD" value="00000001"/></Registry>
  <Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="ExcludeLastKnownGoodURL" status="ExcludeLastKnownGoodURL" image="11" changed="2023-01-06 06:44:52" uid="{4E4FA923-0695-44F2-A4C1-8026615BA571}"><Properties action="R" displayDecimal="1" default="0" hive="HKEY_CURRENT_USER" key="Software\Policies\Microsoft\Office\16.0\Outlook\AutoDiscover" name="ExcludeLastKnownGoodURL" type="REG_DWORD" value="00000001"/></Registry>
  <Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="ExcludeHttpsRootDomain" status="ExcludeHttpsRootDomain" image="11" changed="2023-01-06 06:45:05" uid="{A9B1A99D-16F2-4421-BD93-B8850A6B62C1}"><Properties action="R" displayDecimal="1" default="0" hive="HKEY_CURRENT_USER" key="Software\Policies\Microsoft\Office\16.0\Outlook\AutoDiscover" name="ExcludeHttpsRootDomain" type="REG_DWORD" value="00000001"/></Registry>
  <Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="ExcludeHttpsAutoDiscoverDomain" status="ExcludeHttpsAutoDiscoverDomain" image="11" changed="2023-01-06 06:45:31" uid="{85F10106-1B5D-49A6-8782-D69355A0719C}"><Properties action="R" displayDecimal="1" default="0" hive="HKEY_CURRENT_USER" key="Software\Policies\Microsoft\Office\16.0\Outlook\AutoDiscover" name="ExcludeHttpsAutoDiscoverDomain" type="REG_DWORD" value="00000001"/></Registry>
  <Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="ExcludeHttpRedirect" status="ExcludeHttpRedirect" image="11" changed="2023-01-06 06:45:36" uid="{DD799D8D-A86C-4EB4-B0DB-D31A7E0B5E7D}"><Properties action="R" displayDecimal="1" default="0" hive="HKEY_CURRENT_USER" key="Software\Policies\Microsoft\Office\16.0\Outlook\AutoDiscover" name="ExcludeHttpRedirect" type="REG_DWORD" value="00000001"/></Registry>
  <Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="ExcludeScpLookup" status="ExcludeScpLookup" image="11" changed="2023-01-06 06:45:42" uid="{DC5FA5D9-0ADC-4A87-9525-7A6D436D9957}"><Properties action="R" displayDecimal="1" default="0" hive="HKEY_CURRENT_USER" key="Software\Policies\Microsoft\Office\16.0\Outlook\AutoDiscover" name="ExcludeScpLookup" type="REG_DWORD" value="00000001"/></Registry>
  <Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="ExcludeSrvRecord" status="ExcludeSrvRecord" image="11" changed="2023-01-06 06:45:50" uid="{7232EDBC-B500-4BB7-BB54-87F674C5A5F5}"><Properties action="R" displayDecimal="1" default="0" hive="HKEY_CURRENT_USER" key="Software\Policies\Microsoft\Office\16.0\Outlook\AutoDiscover" name="ExcludeSrvRecord" type="REG_DWORD" value="00000000"/></Registry>
  <Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="EnableOffice365ConfigService" status="EnableOffice365ConfigService" image="11" changed="2023-01-06 06:45:57" uid="{E08FC552-3554-4909-84FE-8D04FF60F921}"><Properties action="R" displayDecimal="1" default="0" hive="HKEY_CURRENT_USER" key="Software\Policies\Microsoft\Office\16.0\Outlook\AutoDiscover" name="EnableOffice365ConfigService" type="REG_DWORD" value="00000001"/></Registry>
</RegistrySettings>

                    user.reg

                    Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover]
"ExcludeExplicitO365Endpoint"=dword:00000001
"ExcludeLastKnownGoodURL"=dword:00000001
"ExcludeHttpsRootDomain"=dword:00000001
"ExcludeHttpsAutoDiscoverDomain"=dword:00000001
"ExcludeHttpRedirect"=dword:00000001
"ExcludeScpLookup"=dword:00000001
"ExcludeSrvRecord"=dword:00000000
"EnableOffice365ConfigService"=dword:00000000

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Outlook\AutoDiscover]
"ExcludeExplicitO365Endpoint"=dword:00000001
"ExcludeLastKnownGoodURL"=dword:00000001
"ExcludeHttpsRootDomain"=dword:00000001
"ExcludeHttpsAutoDiscoverDomain"=dword:00000001
"ExcludeHttpRedirect"=dword:00000001
"ExcludeScpLookup"=dword:00000001
"ExcludeSrvRecord"=dword:00000000
"EnableOffice365ConfigService"=dword:00000000

                    I don't like anything other than DNS Records 😛

                    3 months later

                    Get Folder-Permissions a bit quicker than before...

                    exmdb_get_permissions_hr() {
  local OWNER FID PFLDS FOLDER EXMDB SQLQUERY RET
  if [[ "$#" -ne 1 ]]; then
    echo "Usage: ${FUNCNAME[0]} username@domain.tld"
    return 1
  fi
  _grom_users="${_grom_users:=$(grommunio-admin user query username |sed 1d)}"
  # Check for correct Username
  if [[ "$_grom_users" =~ $1 ]]; then
    OWNER="${1}"
    EXMDB="$(grommunio-admin user query maildir --filter username="$OWNER")/exmdb/exchange.sqlite3"
    # grommunio-admin taginfo 805371935
    # 0x3001001f (805371935): DISPLAYNAME, type WSTRING
    SQLQUERY="
-- THIS IS A COMMENT!
-- SELECT DISTINCT(printf('0x%x', p.folder_id)) as hexfid, f1.propval FROM permissions p
-- INNER JOIN folder_properties f1 on f1.folder_id = p.folder_id and f1.proptag = 805371935
SELECT DISTINCT(printf('0x%x', p.folder_id)) as hexfid FROM permissions p
WHERE p.username != 'default';
"
      # True if FILE exists and is readable.
      if [ -r "$EXMDB" ]; then
        PFLDS="$(echo "$SQLQUERY" |sqlite3 --readonly --noheader "$EXMDB")"
        if [ "${#PFLDS}" -eq 0 ]; then 
          echo "No special permissions in MBX: $OWNER"
          return 0
        fi
        grommunio-admin exmdb "$OWNER" folder list -r | while read -r FOLDER; do
          # Leading '\' in front of grep to make sure no aliases are used.
          FID="$(echo "$FOLDER" |\grep -Po '0x(?<=\ \(0x).*(?=\)$)')"
          echo -e "\033[1m${FOLDER}\033[0m"
          if [[ "$PFLDS" =~ $FID ]]; then
            grommunio-admin exmdb "$OWNER" folder permissions "$FID"
          fi
        done
      fi
  fi
}
complete -F _comp_grom_users exmdb_get_permissions_hr

                    Because iterating over a thousand folders with grommunio-admin exmdb user@domain.tld permissions $FOLDERID takes bit too long if nothing is configured anyway..

                    There are some folders which are not listed with grommunio-admin exmdb user@domain.tld folder list -r, so it might print the List in those cases.

                    a month later

                    crpb Automated version with Configs from RPMs and other sutff

                    The script to build and configure traffic-status and brotli now removes all temporary dependencies to keep a small footprint on the Server.

                    alien8.sh

                      a year later

                      /tmp as tmpfs on appliance

                      ref: https://en.opensuse.org/openSUSE:Tmp_on_tmpfs

                      BTRFS SYSTEM OLD

                      btrfs subvolume delete -i $(btrfs subvolume list /  |awk '/@\/tmp/ {print $2}') /
systemctl link /usr/share/systemd/tmp.mount
rm -Rf /tmp
reboot

                      XFS SYSTEM CURRENT

                      rm -Rf /tmp/*
systemctl link /usr/share/systemd/tmp.mount
reboot
                      crpb changed the title to scripting / snippets / notepad .

                      grommunio-spam-run.sh

                      only learn and optional delete with a minimum age of n days

                      #!/bin/bash
# vim:ts=2 sts=2 sw=2 et

if ! [ -e /etc/gromox/spamrun.cfg ]; then
  cat << EOF > /etc/gromox/spamrun.cfg
# Only scan messages which are older than n days.
# Default: SPAMRUN_DAYS=7
SPAMRUN_DAYS=7
# To delete the message after the scan set to 'true' 
# Default: SPAMRUN_DELETE=false
SPAMRUN_DELETE=false
EOF
fi


# source config file
if [ -r /etc/gromox/spamrun.cfg ]; then
  . /etc/gromox/spamrun.cfg
fi
if [ -z ${SPAMRUN_DAYS+x} ]; then
  SQLITE_QUERY='select message_id,mid_string from messages where parent_fid=0x17;'
else
  SQLITE_QUERY="""
  SELECT m.message_id,m.mid_string
  FROM messages m
  INNER JOIN message_properties mp1
  ON mp1.message_id = m.message_id
  AND mp1.proptag = 235274304
  AND (mp1.propval/10000000-11644473600) < unixepoch('now','-$SPAMRUN_DAYS days')
  WHERE m.parent_fid = 0x17;
  """
fi
DO_DEL="${SPAMRUN_DELETE:-"false"}"
# add "-d" to delete junk emails after they have been learned
if [ "$1" = "-d" ]
then
  DO_DEL=true
fi

MYSQL_CFG="/etc/gromox/mysql_adaptor.cfg"

if [ ! -e "${MYSQL_CFG}" ] ; then
  echo "MySQL configuration not found. (${MYSQL_CFG})"
  exit 1
fi

MYSQL_PARAMS="--skip-column-names --skip-line-numbers"
MYSQL_USERNAME=$(sed -ne 's/mysql_username\s*=\s*\(.*\)\s*/-u\1/pI' ${MYSQL_CFG})
MYSQL_PASSWORD=$(sed -ne 's/mysql_password\s*=\s*\(.*\)\s*/-p\1/pI' ${MYSQL_CFG})
MYSQL_DBNAME=$(sed -ne 's/mysql_dbname\s*=\s*\(.*\)\s*/\1/pI' ${MYSQL_CFG})
MYSQL_HOST=$(sed -ne 's/mysql_host\s*=\s*\(.*\)\s*/-h\1/pI' ${MYSQL_CFG})
MYSQL_QUERY="SELECT username,maildir from users where id <> 0 and maildir <> \"\";"
MYSQL_CMD=("mysql" "${MYSQL_PARAMS}" "${MYSQL_USERNAME:=-uroot}" "${MYSQL_PASSWORD:=}" "${MYSQL_HOST:=-hlocalhost}" "${MYSQL_DBNAME:=grommunio}")
# shellcheck disable=SC2068
if ${MYSQL_CMD[@]}<<<"exit"&>/dev/null; then
  echo "${MYSQL_QUERY}" | ${MYSQL_CMD[@]} | while read -r USERNAME MAILDIR ; do
  sqlite3 -readonly -tabs -noheader "${MAILDIR}/exmdb/exchange.sqlite3" "$SQLITE_QUERY" |
    while read -r MESSAGEID MIDSTRING; do
      echo "Learning spam for user ${USERNAME}" | systemd-cat -t grommunio-spam-run
      MSGFILE="$MAILDIR/eml/$MIDSTRING"
      if [[ ! -f "$MSGFILE" ]]; then
        gromox-exm2eml -u "${USERNAME}" "${MESSAGEID}" 2>/dev/null | rspamc learn_spam | systemd-cat -t grommunio-spam-run
      else
        rspamc learn_spam --header 'Learn-Type: bulk' "$MSGFILE" | systemd-cat -t grommunio-spam-run
      fi
      if [ ${DO_DEL} == "true" ]; then
        /usr/sbin/gromox-mbop -u "${USERNAME}" delmsg -f 0x17 "${MESSAGEID}" | systemd-cat -t grommunio-spam-run
      fi
    done
    rm -f "${SPAMLIST}"
  done
else
  echo "MySQL-Connection couldn't be established, please check your configuration." | systemd-cat -t grommunio-spam-run -p err
fi

                      appliance - xfs - dedicated /var/lib/gromox

                      DISK=/dev/sdb
parted -s $DISK mklabel gpt
parted -s $DISK mkpart primary 0GB 100%
pvcreate ${DISK}1
vgcreate gromox ${DISK}1
# use only 80% so we can make use of lvm snapshots for backups
lvcreate gromox -n maildir -l80%VG
# enable bigtime=1 to remove silly messages about 2038
mkfs.xfs -m bigtime=1 /dev/gromox/maildir
#lsblk -f /dev/gromox/maildir --output UUID --noheadings
echo "UUID=$(lsblk -f /dev/gromox/maildir --noheadings --output UUID) /var/lib/gromox xfs defaults 0 0" |tee -a /etc/fstab
mv /var/lib/gromox{,.bak}
mkdir /var/lib/gromox
mount /var/lib/gromox
#cp -a /var/lib/gromox.bak/* /var/lib/gromox/
rsync -av /var/lib/gromox.bak/ /var/lib/gromox
find /var/lib/gromox -ls
#chown gromox:gromox /var/lib/gromox
#chmod 770 /var/lib/gromox
rm -Rf /var/lib/gromox.bak

                      LVM Snapshot for backups - example

                      ##  STOP SERVICES TO CLEANUP midb's
/usr/bin/systemctl stop gromox-midb.service gromox-imap.service gromox-pop3.service
# DO SOME CLEANUP ON THE MAILBOXES
for d in /var/lib/gromox/user/*/*; do
  /usr/sbin/gromox-mbop -d $d vacuum;
  /usr/sbin/gromox-mbop -d $d purge-datafiles;
done
## CREATE LVM SNAPSHOT
/sbin/lvcreate -l10%FREE --snapshot --name s_maildir /dev/gromox/maildir
    Logical volume "s_maildir" created.
## START SERVICES AGAIN (we have a snapshot!)
/usr/bin/systemctl start gromox-midb.service gromox-imap.service gromox-pop3.service
## SHOW THAT WE HAVE A SNAP
/sbin/lvs
  LV        VG        Attr       LSize  Pool Origin  Data%  Meta%  Move Log Cpy%Sync Convert
  LVRoot    grommunio -wi-ao---- 19.68g
  maildir   gromox    owi-aos--- 40.00g
  s_maildir gromox    swi-a-s---  1.00g      maildir 0.00
## TEMPORARY MOUNT POINT
SNAP=$(mktemp --suffix=lvmsnap --directory)
## MOUNT XFS ( we need -o nouuid as xfs doesn't like duplicates of UUIDs )
/usr/bin/mount -o nouuid /dev/gromox/s_maildir $SNAP
## SHOW THE CONTENTS
/usr/bin/find $SNAP -ls
      128      0 drwxrwx---   5 gromox   gromox         45 Apr  1 16:41 /tmp/tmp.xa5jeBj8Rylvmsnap
      131      0 drwxrwx---   2 gromox   gromox          6 Mar 30 20:50 /tmp/tmp.xa5jeBj8Rylvmsnap/domain
 33554560      0 drwxrwx---   6 gromox   gromox         56 Mar 30 20:50 /tmp/tmp.xa5jeBj8Rylvmsnap/queue
 67149888      0 drwxrwx---   2 gromox   gromox          6 Mar 30 20:50 /tmp/tmp.xa5jeBj8Rylvmsnap/queue/mess
100663424      0 drwxrwx---   2 gromox   gromox          6 Mar 30 20:50 /tmp/tmp.xa5jeBj8Rylvmsnap/queue/save
      132      0 drwxrwx---   2 gromox   gromox          6 Mar 30 20:50 /tmp/tmp.xa5jeBj8Rylvmsnap/queue/timer
 33554561      0 drwxrwx---   2 gromox   gromox          6 Mar 30 20:50 /tmp/tmp.xa5jeBj8Rylvmsnap/queue/cache
 67149889      0 drwxrwx---   2 gromox   gromox          6 Mar 30 20:50 /tmp/tmp.xa5jeBj8Rylvmsnap/user
## RUN BACKUP / RSYNC / WHATEVER

## AND AFTER WE ARE FINISHED
/usr/bin/umount $SNAP
/sbin/lvremove /dev/gromox/s_maildir --yes

                      © 2020-2024 grommunio GmbH. All rights reserved. | https://grommunio.com | Data Protection | Legal notice