From wolfgang at rosenauer.org Wed Jan 1 15:01:59 2020
From: wolfgang at rosenauer.org (Wolfgang Rosenauer)
Date: Wed, 1 Jan 2020 15:01:59 +0100
Subject: ANN: automx2 v2019.0
In-Reply-To: <20191213141201.qo5jvekx2oan2cke@sys4.de>
References: <20191213141201.qo5jvekx2oan2cke@sys4.de>
Message-ID: <2719ef48-662d-3d43-1574-832ab13aae54@rosenauer.org>

Hi,

On 13.12.19 at 15:12, Patrick Ben Koetter wrote:
> We are pleased to announce the release of automx2 v2019.0.
>
> automx2 is successor to automx. It is a complete rewrite of automx by Ralph
> Seichter. It brings Python 3.7+ support, has 100% test coverage and a more
> complete documentation. automx2 has been designed to be easier to setup,
> easier to configure and easier to use.

I started to look into it to migrate away from the earlier version. But
just from checking documentation and the provided examples I'm not sure
if and how migration of my setup would look like while it appears
relatively simple being a static configuration.

Here is what I currently use:

smtp = yes
smtp_server = submission.abc.de
smtp_port = 587
smtp_encryption = starttls
smtp_auth = plaintext
smtp_auth_identity = %s
smtp_refresh_ttl = 6
smtp_default = yes

imap = yes
imap_server = imap.abc.de
imap_port = 993
imap_encryption = ssl
imap_auth = plaintext
imap_auth_identity = %s
imap_refresh_ttl = 6

pop = yes
pop_server = pop.abc.de
pop_port = 995
pop_encryption = ssl
pop_auth = plaintext
pop_auth_identity = %s
pop_refresh_ttl = 6

carddav = yes
carddav_server = https://dav.abc.de/
carddav_auth_identity = %s

caldav = yes
caldav_server = https://dav.abc.de/
caldav_auth_identity = %s

ox = yes
ox_server = https://ox.abc.de/
ox_auth_identity = %s

follow = imap_starttls

[imap_starttls]
backend = static_append
imap = yes
imap_server = imap.abc.de
imap_port = 143
imap_encryption = starttls
imap_auth = plaintext
imap_auth_identity = %s
imap_refresh_ttl = 6

The examples I have seen do not really explain how to advertise the same
service (e.g.
imap as above) under different configurations where one is preferred by
the ordering.

Also the caldav, carddav, and ox services only are supported in the
autodiscover protocol. Just from an unexperienced view on the code I'm
not sure how and if this is currently possible.

Any hints?

Thanks,
Wolfgang

From automx2 at seichter.de Thu Jan 2 19:30:03 2020
From: automx2 at seichter.de (Ralph Seichter)
Date: Thu, 02 Jan 2020 19:30:03 +0100
Subject: automx2 v2019.0
In-Reply-To: <2719ef48-662d-3d43-1574-832ab13aae54@rosenauer.org>
References: <20191213141201.qo5jvekx2oan2cke@sys4.de> <2719ef48-662d-3d43-1574-832ab13aae54@rosenauer.org>
Message-ID: <875zhthftg.fsf@wedjat.horus-it.com>

* Wolfgang Rosenauer:

> I'm not sure if and how migration of my setup would look like while it
> appears relatively simple being a static configuration.

As mentioned in the documentation[1], I have added an utility script
that generates the necessary SQL commands for a simple setup as you have
shown. Remember to adapt the "user configurable section" according to
your needs.

[1] https://gitlab.com/automx/automx2/blob/master/doc/automx2.adoc#user-content-database-configuration

> Also the caldav, carddav, and ox services only are supported in the
> autodiscover protocol. Just from an unexperienced view on the code I'm
> not sure how and if this is currently possible.

Patrick made a specific note in the documentation[2] that only mailbox
configuration is supported. To be precise, that means IMAP and SMTP only
at this point in time.

[2] https://gitlab.com/automx/automx2/blob/master/doc/automx2.adoc#automatedmailboxconfiguration

This is probably not what you wanted to hear, but I hope that the
information at least saves you from searching for features that are
currently unavailable in automx2.

-Ralph

From ml_automx at controlc.de Thu Jan 2 21:34:31 2020
From: ml_automx at controlc.de (M. Koehler)
Date: Thu, 2 Jan 2020 21:34:31 +0100
Subject: automx2 v2019.0
In-Reply-To: <875zhthftg.fsf@wedjat.horus-it.com>
References: <20191213141201.qo5jvekx2oan2cke@sys4.de> <2719ef48-662d-3d43-1574-832ab13aae54@rosenauer.org> <875zhthftg.fsf@wedjat.horus-it.com>
Message-ID:

Hi Ralph,

First: Thanks for your work.

> * Wolfgang Rosenauer:
>
>> I'm not sure if and how migration of my setup would look like while it
>> appears relatively simple being a static configuration.
>
> As mentioned in the documentation[1], I have added an utility script
> that generates the necessary SQL commands for a simple setup as you have
> shown. Remember to adapt the "user configurable section" according to
> your needs.
>
> [1] https://gitlab.com/automx/automx2/blob/master/doc/automx2.adoc#user-content-database-configuration

Just tried it and stumble over an not existing database structure. Could
you please add an empty sqlite database file so the script will work
ootb?

>> Also the caldav, carddav, and ox services only are supported in the
>> autodiscover protocol. Just from an unexperienced view on the code I'm
>> not sure how and if this is currently possible.
>
> Patrick made a specific note in the documentation[2] that only mailbox
> configuration is supported. To be precise, that means IMAP and SMTP only
> at this point in time.
>
> [2] https://gitlab.com/automx/automx2/blob/master/doc/automx2.adoc#automatedmailboxconfiguration
>
> This is probably not what you wanted to hear, but I hope that the
> information at least saves you from searching for features that are
> currently unavailable in automx2.

Most of my users are Mac user - is there a website to generate the
mobileconfig files to configure iOS/OSX-Clients?

Best wishes for 2020,
Michael

From ml_automx at controlc.de Thu Jan 2 21:43:49 2020
From: ml_automx at controlc.de (M. Koehler)
Date: Thu, 2 Jan 2020 21:43:49 +0100
Subject: Automx2 and docker
Message-ID: <492C8D15-34F6-4DF5-9129-DEB706449A70@controlc.de>

Hi Ralph,

I just try to set up a docker container with nginx-proxy [1] in front.
But it will not work at all. Nginx is configured to forward all requests
from port 443 to port 5000 (as I configured automx2) - but I get an 502
error (in browser and via curl from a different machine). If I execute
the curl line [2] in the automx2 container it works.

Dockerfile
---
FROM python:alpine

RUN apk add --no-cache bash \
    && mkdir -p /srv/web/automx2 \
    && cd /srv/web/automx2 \
    && wget -O setupvenv.sh 'https://gitlab.com/automx/automx2/raw/master/contrib/setupvenv.sh?inline=false' \
    && chmod u+x setupvenv.sh && ./setupvenv.sh \
    && . venv/bin/activate \
    && pip install automx2

WORKDIR /srv/web/automx2

CMD ./venv/scripts/flask.sh run --host=0.0.0.0 --port=5000
---

automx2.conf
---
[automx2]
loglevel = DEBUG
db_echo = yes
db_uri = sqlite:////var/lib/automx2/db.sqlite
proxy_count = 1
---

Nginx configuration
---
# automx2.DOMAIN
upstream automx2.DOMAIN {
    # automx2
    server 172.20.0.51:5000;
}
server {
    server_name automx2.DOMAIN;
    listen 80 ;
    listen [::]:80 ;
    access_log /var/log/nginx/access.log vhost;
    return 301 https://$host$request_uri;
}
server {
    server_name automx2.DOMAIN;
    listen 443 ssl http2 ;
    listen [::]:443 ssl http2 ;
    access_log /var/log/nginx/access.log vhost;
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_certificate /etc/nginx/certs/automx2.DOMAIN.crt;
    ssl_certificate_key /etc/nginx/certs/automx2.DOMAIN.key;
    ssl_dhparam /etc/nginx/certs/automx2.DOMAIN.dhparam.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/certs/automx2.DOMAIN.chain.pem;
    add_header Strict-Transport-Security "max-age=31536000" always;
    include /etc/nginx/vhost.d/default;
    location / {
        proxy_pass https://automx2.DOMAIN;
    }
}
---

Do you have any ideas how I could find out where the problem is?

Best wishes,
Michael

[1] https://github.com/jwilder/nginx-proxy
[2] https://gitlab.com/automx/automx2/blob/master/doc/automx2.adoc#user-content-testing-standalone-automx2

From automx2 at seichter.de Thu Jan 2 23:52:43 2020
From: automx2 at seichter.de (Ralph Seichter)
Date: Thu, 02 Jan 2020 23:52:43 +0100
Subject: automx2 v2019.0
In-Reply-To:
References: <20191213141201.qo5jvekx2oan2cke@sys4.de> <2719ef48-662d-3d43-1574-832ab13aae54@rosenauer.org> <875zhthftg.fsf@wedjat.horus-it.com>
Message-ID: <87sgkxo4hw.fsf@wedjat.horus-it.com>

* M. Koehler:

> Could you please add an empty sqlite database file so the script will
> work ootb?

The database is created and filled with sample data when the "initdb"
Route is called for the first time, as described here[1].

[1] https://gitlab.com/automx/automx2/blob/master/doc/automx2.adoc#user-content-testing-standalone-automx2

The application landing page will also report a missing DB structure and
present an initialisation link.

> Most of my users are Mac user - is there a website to generate the
> mobileconfig files to configure iOS/OSX-Clients?

Looks like you have found one aspect of the documentation that is not
yet finished. ;-) To access macOS/iOS configuration profile data, call
http://127.0.0.1:4243/mobileconfig/?emailaddress=abc at example.com . You
will be presented with a warning that the profile is unsigned, but that
does not prevent you from using it.

-Ralph

From automx2 at seichter.de Fri Jan 3 00:34:41 2020
From: automx2 at seichter.de (Ralph Seichter)
Date: Fri, 03 Jan 2020 00:34:41 +0100
Subject: Automx2 and docker
In-Reply-To: <492C8D15-34F6-4DF5-9129-DEB706449A70@controlc.de>
References: <492C8D15-34F6-4DF5-9129-DEB706449A70@controlc.de>
Message-ID: <87png1o2jy.fsf@wedjat.horus-it.com>

* M. Koehler:

> proxy_pass https://automx2.DOMAIN;

Without log files I can only guess what is happening, but automx2 does
not understand HTTPS.
I suggest you try HTTP in this directive, as shown
in the example[1] configuration.

[1] https://gitlab.com/automx/automx2/blob/master/contrib/nginx-sample.conf

-Ralph

From dan at familybrown.org Fri Jan 3 00:52:38 2020
From: dan at familybrown.org (Dan Brown)
Date: Thu, 2 Jan 2020 18:52:38 -0500
Subject: Automx2 vs. automx
Message-ID: <52dedd83-3bd7-660b-1466-8e4769b32bf2@familybrown.org>

It's good to see some new development on automx; the project had been
looking pretty much abandoned based on its GitHub repo. But reviewing
the GitLab page for automx2 leaves me with a number of questions, as it
looks like a lot of functionality has been lost in the new version:

* CalDav/CardDav have already been mentioned, and I understand they
  aren't there--are there plans for them to return?
* Automx claimed to be able to retrieve a user's full name from LDAP (and
  probably other backends). I wasn't able to get this working, but is
  this feature present in automx2?
* A recent message indicates that .mobileconfig files can be generated,
  but they'll be unsigned. Automx would sign them (though I wasn't able
  to make it include the intermediate cert, which caused errors). Does
  automx2 support signing .mobileconfig profiles?

For the features that are missing, are there plans to bring them back,
or are they just gone? Because right now, between the missing features
and the database-based configuration (I'm sure there's a good reason for
this change, but I can't think what it would be), I don't think I'm
seeing a reason to move from automx. What am I missing?

From sven at svenhartge.de Fri Jan 3 01:17:38 2020
From: sven at svenhartge.de (Sven Hartge)
Date: Fri, 3 Jan 2020 01:17:38 +0100
Subject: Automx2 vs. automx
In-Reply-To: <52dedd83-3bd7-660b-1466-8e4769b32bf2@familybrown.org>
References: <52dedd83-3bd7-660b-1466-8e4769b32bf2@familybrown.org>
Message-ID: <795b3b07-32de-089b-2c2f-7381a3d55044@svenhartge.de>

On 03.01.20 00:52, Dan Brown wrote:

> Automx claimed to be able to retrieve a user's full name from LDAP (and
> probably other backends). I wasn't able to get this working, but is
> this feature present in automx2?

I also need this feature, because I need to transform the mail-address
entered by the user to a different username for the login. (No, using
the mail-address as username for the mailserver is not an option.)

It would be very nice if this feature could be implemented in a future
version.

Greetings,
Sven.

From wolfgang at rosenauer.org Fri Jan 3 11:58:40 2020
From: wolfgang at rosenauer.org (Wolfgang Rosenauer)
Date: Fri, 3 Jan 2020 11:58:40 +0100
Subject: automx2 v2019.0
In-Reply-To: <875zhthftg.fsf@wedjat.horus-it.com>
References: <20191213141201.qo5jvekx2oan2cke@sys4.de> <2719ef48-662d-3d43-1574-832ab13aae54@rosenauer.org> <875zhthftg.fsf@wedjat.horus-it.com>
Message-ID: <6a7098c7-f392-9ae1-00d1-953fa7069314@rosenauer.org>

On 02.01.20 at 19:30, Ralph Seichter wrote:
> * Wolfgang Rosenauer:
>
>> I'm not sure if and how migration of my setup would look like while it
>> appears relatively simple being a static configuration.
>
> As mentioned in the documentation[1], I have added an utility script
> that generates the necessary SQL commands for a simple setup as you have
> shown. Remember to adapt the "user configurable section" according to
> your needs.

I've seen it but as mentioned it didn't answer all my questions. Also
I'm still not sure how to represent the possibility to offer IMAP via
STARTTLS and TLS with one of it preferred.
Would it work just by making sure the database uid is smaller and
therefore found first and put into the XML?

>> Also the caldav, carddav, and ox services only are supported in the
>> autodiscover protocol. Just from an unexperienced view on the code I'm
>> not sure how and if this is currently possible.
>
> Patrick made a specific note in the documentation[2] that only mailbox
> configuration is supported. To be precise, that means IMAP and SMTP only
> at this point in time.

> This is probably not what you wanted to hear, but I hope that the
> information at least saves you from searching for features that are
> currently unavailable in automx2.

So currently I understand automx2 is no replacement for my system
running automx. In that case my open questions are fully summarized by
Dan in the other new thread just to understand what the roadmap is for
automx2.

Thanks,
Wolfgang

From ml_automx at controlc.de Fri Jan 3 15:26:34 2020
From: ml_automx at controlc.de (M. Koehler)
Date: Fri, 3 Jan 2020 15:26:34 +0100
Subject: Automx2 and docker
In-Reply-To: <87png1o2jy.fsf@wedjat.horus-it.com>
References: <492C8D15-34F6-4DF5-9129-DEB706449A70@controlc.de> <87png1o2jy.fsf@wedjat.horus-it.com>
Message-ID: <98862CB9-470E-4425-B7C5-C0654A59CBBD@controlc.de>

Hi Ralph,

>> proxy_pass https://automx2.DOMAIN;
>
> Without log files I can only guess what is happening, but automx2 does
> not understand HTTPS. I suggest you try HTTP in this directive, as shown
> in the example[1] configuration.
>
> [1] https://gitlab.com/automx/automx2/blob/master/contrib/nginx-sample.conf

Thanks, that was the problem - for the records: this is my docker
compose file:

automx2:
  build:
    context: /srv/docker/automx2
  container_name: automx2
  hostname: automx2
  domainname: DOMAIN
  expose:
    - 5000
  volumes:
    - /srv/docker/automx2/automx2.conf:/etc/automx2.conf
    - /srv/docker/automx2/db.sqlite:/var/lib/automx2/db.sqlite
  environment:
    - VIRTUAL_HOST=automx2.DOMAIN
    - VIRTUAL_PORT=5000
    - VIRTUAL_PROTO=http
    - LETSENCRYPT_HOST=automx2.DOMAIN
    - LETSENCRYPT_EMAIL=hostmaster at DOMAIN
  restart: always

Now I get access from external.

Best wishes,
Michael

From automx2 at seichter.de Fri Jan 3 21:28:06 2020
From: automx2 at seichter.de (Ralph Seichter)
Date: Fri, 03 Jan 2020 21:28:06 +0100
Subject: Automx2 vs. automx
In-Reply-To: <52dedd83-3bd7-660b-1466-8e4769b32bf2@familybrown.org>
References: <52dedd83-3bd7-660b-1466-8e4769b32bf2@familybrown.org>
Message-ID: <87mub48euh.fsf@wedjat.horus-it.com>

* Dan Brown:

> CalDav/CardDav have already been mentioned, and I understand they
> aren't there--are there plans for them to return?

Patrick and I have spoken about this. At this stage, automx2 focuses on
mail account configuration, which I believe to be the feature most users
benefit from. Depending on user demand, more features might be
supported, but I cannot make promises right now. I am sure that Patrick
will offer his own take on the state of automx2 over the coming days.

> Automx claimed to be able to retrieve a user's full name from LDAP
> (and probably other backends). I wasn't able to get this working, but
> is this feature present in automx2?

I opened https://gitlab.com/automx/automx2/issues/10 to allow you and
other users interested in this feature to comment on my take on
basic-level LDAP support. It is important for me to understand your
exact requirements, and to distinguish between must have and nice to
have.

> Does automx2 support signing .mobileconfig profiles?

Not yet.
Apple seems to have changed some of the signing mechanics with
recent updates. I have Apple's Configurator application on my Mac, and I
used to be able to transfer profiles via USB cable to my iOS devices
which the Configurator would sign on the fly. That is no longer the
case, and my attempts to use other self-signed certificates were not
successful either.

Looks like Apple wants me to "pay to play" by subscribing as a developer
and thereby obtaining an Apple-issued signing certificate. Even if I did
that, it would not help other automx2 users, because I obviously won't
ship my key material. Each of you would have to be able to provide your
own keys and certificates.

Given that the typical use case is opening

  https://foo.example.com/mobileconfig/?emailaddress=x at example.com

unsigned profiles are not really an issue, IMO. Server foo.example.com
is identified by his certificate, so one can assume that downloading a
profile from that host is OK, security-wise. An iOS device would not
open foo.example.com if the certificate was considered unsafe.

Apple profiles can be sent via email as well, and in that case,
signatures have a whole different level of importance, but when
downloaded via HTTPS, I am not too worried about the lack of signatures.

-Ralph

From automx2 at seichter.de Fri Jan 3 22:01:13 2020
From: automx2 at seichter.de (Ralph Seichter)
Date: Fri, 03 Jan 2020 22:01:13 +0100
Subject: automx2 v2019.0
In-Reply-To: <6a7098c7-f392-9ae1-00d1-953fa7069314@rosenauer.org>
References: <20191213141201.qo5jvekx2oan2cke@sys4.de> <2719ef48-662d-3d43-1574-832ab13aae54@rosenauer.org> <875zhthftg.fsf@wedjat.horus-it.com> <6a7098c7-f392-9ae1-00d1-953fa7069314@rosenauer.org>
Message-ID: <87k1688dba.fsf@wedjat.horus-it.com>

* Wolfgang Rosenauer:

> I'm still not sure how to represent the possibility to offer IMAP via
> STARTTLS and TLS with one of it preferred.

Why would one of those mechanisms be preferred, given that they achieve
the same goal, albeit with a small amount of extra data sent in the case
of STARTTLS? Define both, have the client pick one.

I am aware that the order of entries in the result can indicate order of
preference, but currently the returned server records depend wholly on
the database backend and/or driver, and clients are not guaranteed to
honor order of preference anyway.

-Ralph

From dan at familybrown.org Sat Jan 4 21:19:05 2020
From: dan at familybrown.org (Dan Brown)
Date: Sat, 4 Jan 2020 15:19:05 -0500
Subject: Automx2 vs. automx
In-Reply-To: <87mub48euh.fsf@wedjat.horus-it.com>
References: <52dedd83-3bd7-660b-1466-8e4769b32bf2@familybrown.org> <87mub48euh.fsf@wedjat.horus-it.com>
Message-ID: <0d0834ea-9415-b83b-916e-5b9019bfbdc8@familybrown.org>

On 1/3/20 3:28 PM, Ralph Seichter wrote:
> I opened https://gitlab.com/automx/automx2/issues/10 to allow you and

I commented on this issue, though it really isn't quite what I had in
mind.

> Looks like Apple wants me to "pay to play" by subscribing as a developer
> and thereby obtaining an Apple-issued signing certificate. Even if I did

Unless something's changed drastically in the last year or so,
.mobileconfig profiles can be signed with any standard TLS certificate.
At that time (before I found automx), I was able to hand-generate a
.mobileconfig file, manually sign it (details are hazy, but I'm pretty
sure it involved more than one invocation of openssl--I can't say for
sure that these are the instructions I used, but they look about right)
with a cert from Let's Encrypt, and my iPhone would import it without
complaints. This of course means Automx needs access to a cert,
including its private key, but it's easy enough to create a dedicated
cert for that purpose using Let's Encrypt.

Automx supports signing these files, but it doesn't include the
intermediate CA cert, even when it's fed that cert as part of the
signing cert.
This results in a validation error when the user tries to import the
profile.

> Given that the typical use case is opening
>
> https://foo.example.com/mobileconfig/?emailaddress=x at example.com
>
> unsigned profiles are not really an issue, IMO. Server foo.example.com

The last time I tried importing an unsigned .mobileconfig profile, the
device complained pretty loudly before importing it. This could have
changed too, I guess, but it was a non-trivial set of warnings.

From automx2 at seichter.de Sat Jan 4 23:12:33 2020
From: automx2 at seichter.de (Ralph Seichter)
Date: Sat, 04 Jan 2020 23:12:33 +0100
Subject: Automx2 vs. automx
In-Reply-To: <0d0834ea-9415-b83b-916e-5b9019bfbdc8@familybrown.org>
References: <52dedd83-3bd7-660b-1466-8e4769b32bf2@familybrown.org> <87mub48euh.fsf@wedjat.horus-it.com> <0d0834ea-9415-b83b-916e-5b9019bfbdc8@familybrown.org>
Message-ID: <87eewena5q.fsf@wedjat.horus-it.com>

* Dan Brown:

> I commented on this issue, though it really isn't quite what I had in
> mind.

We are at a conceptional stage, and I encourage you to elaborate on your
own requirements, if your existing comment does not cover them yet.
Other than the email-to-login lookup I mentioned and the real name
lookup you proposed, there might be aspects I am missing.

I had no need for LDAP support myself so far, and the amount of
resources that can currently be invested into automx2 is strictly
limited. Patrick and I need to know what is required before making
decisions.

> Unless something's changed drastically in the last year or so,
> .mobileconfig profiles can be signed with any standard TLS
> certificate.

That's what I thought, and what I used before.
I have been operating a certificate authority for my customers since
long before the days of Let's Encrypt and have a pretty solid
understanding of all the mechanics involved, but I hit unexpected
obstacles with macOS Catalina and iOS 13. I have even asked Apple's
support, but they effectively told me to subscribe, obtain an "official
certificate", and all would be well.

I actually use a separate profile, transferred to iOS devices via USB,
that contains my own CA's certificate chain, and that used to suffice in
the past.

> The last time I tried importing an unsigned .mobileconfig profile, the
> device complained pretty loudly before importing it.

I can see people being put off by the warning, no question about that.
My recommendation is to educate users about the popups they are going to
experience beforehand, ideally including screenshots.

-Ralph

From wolfgang at rosenauer.org Mon Jan 6 09:32:45 2020
From: wolfgang at rosenauer.org (Wolfgang Rosenauer)
Date: Mon, 6 Jan 2020 09:32:45 +0100
Subject: automx2 v2019.0
In-Reply-To: <87k1688dba.fsf@wedjat.horus-it.com>
References: <20191213141201.qo5jvekx2oan2cke@sys4.de> <2719ef48-662d-3d43-1574-832ab13aae54@rosenauer.org> <875zhthftg.fsf@wedjat.horus-it.com> <6a7098c7-f392-9ae1-00d1-953fa7069314@rosenauer.org> <87k1688dba.fsf@wedjat.horus-it.com>
Message-ID:

Hi,

On 03.01.20 at 22:01, Ralph Seichter wrote:
> * Wolfgang Rosenauer:
>
>> I'm still not sure how to represent the possibility to offer IMAP via
>> STARTTLS and TLS with one of it preferred.
>
> Why would one of those mechanisms be preferred, given that they achieve
> the same goal, albeit with a small amount of extra data sent in the case
> of STARTTLS? Define both, have the client pick one.
>
> I am aware that the order of entries in the result can indicate order of
> preference, but currently the returned server records depend wholly on
> the database backend and/or driver, and clients are not guaranteed to
> honor order of preference anyway.

According to the Mozilla autoconfig specification the order is actually
defined (if only for Thunderbird):
https://wiki.mozilla.org/Thunderbird:Autoconfiguration:ConfigFileFormat#Multiple_servers

Wolfgang

From wolfgang at rosenauer.org Mon Jan 6 09:44:35 2020
From: wolfgang at rosenauer.org (Wolfgang Rosenauer)
Date: Mon, 6 Jan 2020 09:44:35 +0100
Subject: automx2 distribution packaging
Message-ID: <16e8516f-126e-0c0c-5ed6-67d284c32d8a@rosenauer.org>

Hi,

I understand that automx2 has a certain preference of deployment model
which is based on python's venv. But since I manage my systems via
package management if at all possible I worked a bit on RPM packaging
(primarily for openSUSE) here:
https://build.opensuse.org/package/show/home:wrosenauer:devel/automx2

Packages for openSUSE are there and should pretty much work integrated
together with Apache. For that I created a hopefully generally usable
Apache configuration:
https://build.opensuse.org/package/view_file/home:wrosenauer:devel/automx2/automx2-apache.conf?expand=1
and a systemd unit:
https://build.opensuse.org/package/view_file/home:wrosenauer:devel/automx2/automx2.service?expand=1

For the earlier automx version I have/had packages also working for
RHEL/CentOS and Debian but now due to the grown Python requirements and
the fact that I'm not very familiar with the python ecosystems there are
currently no packages for those available. If anyone wants to help here
feel free to submit changes in the buildservice or contact me directly.
When more complete the package could be injected into the buildservices
server:mail component with repos for RHEL, SUSE, and Debian.

If there is interest in the systemd unit and Apache config they can be
probably injected into the contrib directory.

Wolfgang

From automx2 at seichter.de Tue Jan 7 00:14:06 2020
From: automx2 at seichter.de (Ralph Seichter)
Date: Tue, 07 Jan 2020 00:14:06 +0100
Subject: automx2 v2019.0
In-Reply-To:
References: <20191213141201.qo5jvekx2oan2cke@sys4.de> <2719ef48-662d-3d43-1574-832ab13aae54@rosenauer.org> <875zhthftg.fsf@wedjat.horus-it.com> <6a7098c7-f392-9ae1-00d1-953fa7069314@rosenauer.org> <87k1688dba.fsf@wedjat.horus-it.com>
Message-ID: <874kx8fa9t.fsf@wedjat.horus-it.com>

* Wolfgang Rosenauer:

> https://wiki.mozilla.org/Thunderbird:Autoconfiguration:ConfigFileFormat#Multiple_servers

I have read that before writing the first line of code:

  [Server entries] may appear several times. They are in order of
  priority, the first entry should generally be used, unless there's a
  specific factor or policy which prefers a later config.

In RFC terms, SHOULD is not MUST, and one can always expect software to
not care about an issue when marked with "should". It would be nice if
automx2, at some point in the future, allowed specifying an order of
preference for servers, but since clients may not even bother honouring
that order, I see this as low priority.

-Ralph

From automx2 at seichter.de Tue Jan 7 00:20:02 2020
From: automx2 at seichter.de (Ralph Seichter)
Date: Tue, 07 Jan 2020 00:20:02 +0100
Subject: automx2 distribution packaging
In-Reply-To: <16e8516f-126e-0c0c-5ed6-67d284c32d8a@rosenauer.org>
References: <16e8516f-126e-0c0c-5ed6-67d284c32d8a@rosenauer.org>
Message-ID: <871rscf9zx.fsf@wedjat.horus-it.com>

* Wolfgang Rosenauer:

> since I manage my systems via package management if at all possible
> I worked a bit on RPM packaging (primarily for openSUSE) here:
> https://build.opensuse.org/package/show/home:wrosenauer:devel/automx2
>
> Packages for openSUSE are there and should pretty much work integrated
> together with Apache.

That's very good to hear, thank you for providing this. Patrick, that is
probably an issue for your next round of documentation updates?

I have recently created a Gentoo Linux ebuild [1] myself and plan to
provide a MacPorts port as well. If any of you have prepared additional
packages, please announce them here on this mailing list.

[1] https://packages.gentoo.org/packages/www-servers/automx2

-Ralph

From dave.mehler at gmail.com Wed Jan 8 18:03:28 2020
From: dave.mehler at gmail.com (David Mehler)
Date: Wed, 8 Jan 2020 12:03:28 -0500
Subject: automx2 distribution packaging
In-Reply-To: <871rscf9zx.fsf@wedjat.horus-it.com>
References: <16e8516f-126e-0c0c-5ed6-67d284c32d8a@rosenauer.org> <871rscf9zx.fsf@wedjat.horus-it.com>
Message-ID:

Hello,

Very glad to see automx2!

Question, is there going to be a FreeBSD port? I'm using it locally on a
Debian vm, but my production mail server is FreeBSD-based.

Thanks.
Dave.

On 1/6/20, Ralph Seichter wrote:
> * Wolfgang Rosenauer:
>
>> since I manage my systems via package management if at all possible
>> I worked a bit on RPM packaging (primarily for openSUSE) here:
>> https://build.opensuse.org/package/show/home:wrosenauer:devel/automx2
>>
>> Packages for openSUSE are there and should pretty much work integrated
>> together with Apache.
>
> That's very good to hear, thank you for providing this. Patrick, that is
> probably an issue for your next round of documentation updates?
>
> I have recently created a Gentoo Linux ebuild [1] myself and plan to
> provide a MacPorts port as well. If any of you have prepared additional
> packages, please announce them here on this mailing list.
>
> [1] https://packages.gentoo.org/packages/www-servers/automx2
>
> -Ralph
>

From automx2 at seichter.de Wed Jan 8 23:27:36 2020
From: automx2 at seichter.de (Ralph Seichter)
Date: Wed, 08 Jan 2020 23:27:36 +0100
Subject: automx2 distribution packaging
In-Reply-To:
References: <16e8516f-126e-0c0c-5ed6-67d284c32d8a@rosenauer.org> <871rscf9zx.fsf@wedjat.horus-it.com>
Message-ID: <8736cpbn3b.fsf@wedjat.horus-it.com>

* David Mehler:

> Question, is there going to be a FreeBSD port?

As automx2 is a pure python application, it should run as is on any
platform that supports Python 3.7 or higher, by means of a virtual
Python environment. There is no need for a "port".

If you are solely referring to a distribution archive, the FreeBSD
community is welcome to create a package that meets their specific
requirements. I can offer support in case there are questions, but
somebody else needs to create the package.

-Ralph

From ml_automx at controlc.de Wed Jan 15 20:34:26 2020
From: ml_automx at controlc.de (M. Koehler)
Date: Wed, 15 Jan 2020 20:34:26 +0100
Subject: automx2 v2019.0
In-Reply-To: <87sgkxo4hw.fsf@wedjat.horus-it.com>
References: <20191213141201.qo5jvekx2oan2cke@sys4.de> <2719ef48-662d-3d43-1574-832ab13aae54@rosenauer.org> <875zhthftg.fsf@wedjat.horus-it.com> <87sgkxo4hw.fsf@wedjat.horus-it.com>
Message-ID: <21D0A0E6-AA41-4A71-ABBF-B90BC955FA4C@controlc.de>

Hi Ralph,

>> Could you please add an empty sqlite database file so the script will
>> work ootb?
>
> The database is created and filled with sample data when the "initdb"
> Route is called for the first time, as described here[1].
>
> [1] https://gitlab.com/automx/automx2/blob/master/doc/automx2.adoc#user-content-testing-standalone-automx2
>
> The application landing page will also report a missing DB structure and
> present an initialisation link.

Yes, that works.

>> Most of my users are Mac user - is there a website to generate the
>> mobileconfig files to configure iOS/OSX-Clients?
>
> Looks like you have found one aspect of the documentation that is not
> yet finished. ;-) To access macOS/iOS configuration profile data, call
> http://127.0.0.1:4243/mobileconfig/?emailaddress=abc at example.com . You
> will be presented with a warning that the profile is unsigned, but that
> does not prevent you from using it.

It works too - is it possible to include "real name" and "account name"
in the generated mobileconfig file?
And is it planned to integrate a website with a formular like the one in
automx? And could I change the default redirect to mobileconfig
creation?

Best wishes,
Michael

From automx2 at seichter.de Fri Jan 17 10:11:08 2020
From: automx2 at seichter.de (Ralph Seichter)
Date: Fri, 17 Jan 2020 10:11:08 +0100
Subject: automx2 v2019.0
In-Reply-To: <21D0A0E6-AA41-4A71-ABBF-B90BC955FA4C@controlc.de>
References: <20191213141201.qo5jvekx2oan2cke@sys4.de> <2719ef48-662d-3d43-1574-832ab13aae54@rosenauer.org> <875zhthftg.fsf@wedjat.horus-it.com> <87sgkxo4hw.fsf@wedjat.horus-it.com> <21D0A0E6-AA41-4A71-ABBF-B90BC955FA4C@controlc.de>
Message-ID: <8736cela6r.fsf@wedjat.horus-it.com>

* M. Koehler:

> is it planned to integrate a website with a formular like the one in
> automx?

What website are you referring to, specifically? Generally speaking, you
can check https://gitlab.com/automx/automx2/issues for enhancements or
fixes that have been discussed so far.

> could I change the default redirect to mobileconfig creation?

I need to ask you for clarification here as well, because I am not sure
what "default redirect" you are speaking of?

-Ralph

From automx2 at seichter.de Fri Jan 17 23:36:08 2020
From: automx2 at seichter.de (Ralph Seichter)
Date: Fri, 17 Jan 2020 23:36:08 +0100
Subject: Version 2020.0.dev2 with basic LDAP support is now available for testing
Message-ID: <87mualhfs7.fsf@wedjat.horus-it.com>

Good evening.

I have uploaded the first automx2 developer release[1] with basic LDAP
support. If you want to test it, I suggest you create a new database.
The updated DB schema is available on GitLab[2].

[1] https://pypi.org/project/automx2/2020.0.dev2/
[2] https://gitlab.com/automx/automx2/blob/master/contrib/sqlite-sample.sql

With version 2020.0.dev2 you can create 0..N records in a new table
'ldapserver'. Each Domain record can now contain a 'ldapserver_id' to
tie the domain to one of the defined LDAP servers. If that ID is NULL,
the domain will not cause LDAP lookups.
Example DB content:

  CREATE TABLE ldapserver (
    id INTEGER NOT NULL,
    name VARCHAR NOT NULL,
    port INTEGER NOT NULL,
    use_ssl BOOLEAN NOT NULL,
    search_base VARCHAR NOT NULL,
    search_filter VARCHAR NOT NULL,
    attr_uid VARCHAR NOT NULL,
    attr_cn VARCHAR,
    bind_password VARCHAR,
    bind_user VARCHAR,
    PRIMARY KEY (id),
    CHECK (use_ssl IN (0, 1))
  );

  INSERT INTO ldapserver VALUES(4321, 'ldap.example.com', 636, 1,
    'dc=example,dc=com', '(mail={0})', 'uid', 'cn', 'secret',
    'cn=automx2,dc=example,dc=com');

I hope that most columns are self-explanatory. The 'search_filter' value
should contain a {0} placeholder, which will be replaced with the email
address, e.g. '(mail={0})'. 'attr_uid' is mandatory and should contain
the name of the UID (Login-ID) attribute. 'attr_cn' is optional, and if
defined, it should contain the name of the CN (real name) attribute.

If you wish to specify 'bind_user' and 'bind_password', be aware that
the password is saved as a cleartext string in the database, so I highly
recommend you create a special user for automx2 and use SSL connections.
If no user/password is specified, the bind operation will be anonymous.

I hope I did not forget anything important. Of course the documentation
needs to be updated in the near future.

-Ralph

From automx2 at seichter.de Sat Jan 18 17:31:18 2020
From: automx2 at seichter.de (Ralph Seichter)
Date: Sat, 18 Jan 2020 17:31:18 +0100
Subject: Version 2020.0.dev2 with basic LDAP support is now available for testing
In-Reply-To: <87mualhfs7.fsf@wedjat.horus-it.com>
References: <87mualhfs7.fsf@wedjat.horus-it.com>
Message-ID: <87ftgcloa1.fsf@wedjat.horus-it.com>

See https://pypi.org/project/automx2/2020.0.dev3/ for the latest automx2
update. This version is more consistent in terms of HTTP return codes,
signalling 204 (no content) if requests that are technically correct do
not return valid results.
This can for example happen if an LDAP search does not return a match
for the given email address, or if the domain part of the request is not
found in the database.

-Ralph

From automx2 at seichter.de Fri Jan 24 16:18:26 2020
From: automx2 at seichter.de (Ralph Seichter)
Date: Fri, 24 Jan 2020 16:18:26 +0100
Subject: Announcing automx2 release 2020.0
Message-ID: <87ftg4annh.fsf@wedjat.horus-it.com>

The latest automx2 release is now available via
https://pypi.org/project/automx2/2020.0/

This release contains basic LDAP lookup support, and the service now
accepts requests of types application/xml and text/xml.

-Ralph

From ml_automx at controlc.de Fri Jan 24 20:30:03 2020
From: ml_automx at controlc.de (M. Koehler)
Date: Fri, 24 Jan 2020 20:30:03 +0100
Subject: automx2 v2019.0
In-Reply-To: <8736cela6r.fsf@wedjat.horus-it.com>
References: <20191213141201.qo5jvekx2oan2cke@sys4.de> <2719ef48-662d-3d43-1574-832ab13aae54@rosenauer.org> <875zhthftg.fsf@wedjat.horus-it.com> <87sgkxo4hw.fsf@wedjat.horus-it.com> <21D0A0E6-AA41-4A71-ABBF-B90BC955FA4C@controlc.de> <8736cela6r.fsf@wedjat.horus-it.com>
Message-ID: <865C3175-6651-4BA2-BA57-415C8A7969AF@controlc.de>

Hi Ralph,

>> Is it planned to integrate a website with a formular like the one in
>> automx?
>
> What website are you referring to, specifically? Generally speaking, you
> can check https://gitlab.com/automx/automx2/issues for enhancements or
> fixes that have been discussed so far.

I talk about the landing page of automx there I could enter email name,
address and optional a password to generate a mobileconfig which I could
download.

>> could I change the default redirect to mobileconfig creation?
>
> I need to ask you for clarification here as well, because I am not sure
> what "default redirect" you are speaking of?

In automx2 the landing page says "Show Thunderbird-style XML
configuration for abc at example.com."
- but most of my users are Mac users so I would appreciate it if the
creation of mobileconfig could be the default. This is what I mean.

Best wishes
Michael

From automx2 at seichter.de Sat Jan 25 00:24:22 2020
From: automx2 at seichter.de (Ralph Seichter)
Date: Sat, 25 Jan 2020 00:24:22 +0100
Subject: Downloading Mobileconfig data (Re: automx2 v2019.0)
In-Reply-To: <865C3175-6651-4BA2-BA57-415C8A7969AF@controlc.de>
References: <20191213141201.qo5jvekx2oan2cke@sys4.de> <2719ef48-662d-3d43-1574-832ab13aae54@rosenauer.org> <875zhthftg.fsf@wedjat.horus-it.com> <87sgkxo4hw.fsf@wedjat.horus-it.com> <21D0A0E6-AA41-4A71-ABBF-B90BC955FA4C@controlc.de> <8736cela6r.fsf@wedjat.horus-it.com> <865C3175-6651-4BA2-BA57-415C8A7969AF@controlc.de>
Message-ID: <87sgk4a15l.fsf@wedjat.horus-it.com>

* M. Koehler:

> I talk about the landing page of automx there I could enter email
> name, address and optional a password to generate a mobileconfig
> which I could download.

The current landing page is just a stub. I created a ticket[1] for that,
which is why I pointed you to GitLab in my last email. Feel free to add
a comment listing your ideas.

[1] https://gitlab.com/automx/automx2/issues/2

As for downloading Mobileconfig data, you can already use URLs of the
following form:

  http://server.controlc.de/mobileconfig/?emailaddress=jd at controlc.de&name=John%20Doe

Note that due to security concerns there is deliberately no support for
specifying a password in the URL. HTTP GET requests will routinely get
logged on the server side.

-Ralph
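
The two cautions from the LDAP announcement earlier in this thread (use SSL when a bind password is stored, and keep the {0} placeholder in 'search_filter'), written as a check over the posted 'ldapserver' table. This is an added example, not part of the mailing list posts or of automx2; rows 4322 and 4323, the function names and the finding texts are constructed for illustration.

```python
import sqlite3

# Table definition as posted in the 2020.0.dev2 announcement.
SCHEMA = """CREATE TABLE ldapserver (
  id INTEGER NOT NULL, name VARCHAR NOT NULL, port INTEGER NOT NULL,
  use_ssl BOOLEAN NOT NULL, search_base VARCHAR NOT NULL,
  search_filter VARCHAR NOT NULL, attr_uid VARCHAR NOT NULL, attr_cn VARCHAR,
  bind_password VARCHAR, bind_user VARCHAR,
  PRIMARY KEY (id), CHECK (use_ssl IN (0, 1)));"""

# Row 4321 is the announcement's sample; 4322 and 4323 are constructed.
ROWS = [
    (4321, "ldap.example.com", 636, 1, "dc=example,dc=com", "(mail={0})",
     "uid", "cn", "secret", "cn=automx2,dc=example,dc=com"),
    (4322, "ldap2.example.com", 389, 0, "dc=example,dc=com", "(mail={0})",
     "uid", None, "secret", "cn=automx2,dc=example,dc=com"),
    (4323, "ldap3.example.com", 636, 1, "dc=example,dc=com", "(mail=*)",
     "uid", None, None, None),
]


def build_db():
    """Create an in-memory database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO ldapserver VALUES (?,?,?,?,?,?,?,?,?,?)", ROWS)
    return conn


def audit_ldapservers(conn):
    """Return {id: [findings]} for rows that go against the thread's advice."""
    findings = {}
    query = "SELECT id, use_ssl, search_filter, bind_password FROM ldapserver"
    for sid, use_ssl, search_filter, bind_password in conn.execute(query):
        issues = []
        # A stored bind password would travel over an unencrypted connection.
        if bind_password and not use_ssl:
            issues.append("bind password configured without SSL")
        # Without {0} the filter cannot be narrowed to the requested address.
        if "{0}" not in search_filter:
            issues.append("search_filter has no {0} placeholder")
        if issues:
            findings[sid] = issues
    return findings


if __name__ == "__main__":
    for sid, issues in sorted(audit_ldapservers(build_db()).items()):
        print(sid, "; ".join(issues))
```

To run it against a real installation, pass a connection to the automx2 SQLite file to audit_ldapservers() instead of build_db().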