- [kopano](src/kopano) Adding support for secure IMAPS, POP3S and ICALS.

- [kopano](src/kopano) Now generate self-signed certs if needed.
- [demo](demo) Enable IMAPS, POP3S, ICALS and SMTPS in demo.

CHANGELOG.md

@@ -1,3 +1,9 @@
+# 1.2.3
+
+- [kopano](src/kopano) Adding support for secure IMAPS, POP3S and ICALS.
+- [kopano](src/kopano) Now generate self-signed certs if needed.
+- [demo](demo) Enable IMAPS, POP3S, ICALS and SMTPS in demo.
+
 # 1.2.2
 
 - [kopano](src/kopano) Adding support for gateway / IMAP iCAL search configuration via envvars in, `50-kopano-apply-envvars`.

Dockerfile

@@ -16,8 +16,9 @@ ENV	DEBIAN_FRONTEND=noninteractive \
 	DOCKER_CONF_DIR1=/etc/kopano \
 	DOCKER_CONF_DIR2=/usr/share/z-push \
 	DOCKER_APPL_LIB=/var/lib/kopano \
+	DOCKER_APPL_SSL_DIR=/etc/kopano/ssl \
 	KOPANO_SPAMD_LIB=/var/lib/kopano/spamd \
-	DOCKER_RUNAS=kopano \
+	DOCKER_APPL_RUNAS=kopano \
 	DOCKER_BUILD_DEB_DIR=/tmp/deb \
 	DOCKER_BUILD_PASSES=1 \
 	DOCKER_UNLOCK_FILE=/etc/kopano/.docker.unlock \
@@ -99,8 +100,9 @@ RUN	mkdir -p $DOCKER_BUILD_DEB_DIR \
 	&& for i in $(seq ${DOCKER_BUILD_PASSES}); do echo "\033[1;36mKOPANO CORE INSTALL PASS: $i\033[0m" \
 	&& dpkg --install --force-depends --skip-same-version --recursive $DOCKER_BUILD_DEB_DIR \
 	&& apt-get install --yes --no-install-recommends --fix-broken; done \
-	&& mkdir -p /var/lib/kopano/attachments && chown $DOCKER_RUNAS: /var/lib/kopano/attachments \
-	&& mkdir -p $KOPANO_SPAMD_LIB/ham && chown $DOCKER_RUNAS: $KOPANO_SPAMD_LIB/ham \
+	&& mkdir -p /var/lib/kopano/attachments && chown $DOCKER_APPL_RUNAS: /var/lib/kopano/attachments \
+	&& mkdir -p $DOCKER_APPL_SSL_DIR \
+	&& mkdir -p $KOPANO_SPAMD_LIB/ham && chown $DOCKER_APPL_RUNAS: $KOPANO_SPAMD_LIB/ham \
 	&& rm -rf $DOCKER_BUILD_DEB_DIR \
 	&& rm $DOCKER_CONF_DIR1/*.cfg \
 	&& docker-service.sh \

README.md

@@ -57,15 +57,18 @@ An example of how to configure an web mail server using docker compose is given
 version: '3'
 
 services:
-  app:
+   app:
     image: mlan/kopano
     networks:
       - backend
     ports:
       - "127.0.0.1:8008:80"    # WebApp & EAS (alt. HTTP)
-      - "127.0.0.1:110:110"    # POP3 (not needed if all devices can use EAS)
       - "127.0.0.1:143:143"    # IMAP (not needed if all devices can use EAS)
-      - "127.0.0.1:8080:8080"  # CalDAV (not needed if all devices can use EAS)
+      - "127.0.0.1:110:110"    # POP3 (not needed if all devices can use EAS)
+      - "127.0.0.1:8080:8080"  # ICAL (not needed if all devices can use EAS)
+      - "127.0.0.1:993:993"    # IMAPS (not needed if all devices can use EAS)
+      - "127.0.0.1:995:995"    # POP3S (not needed if all devices can use EAS)
+      - "127.0.0.1:8443:8443"  # ICALS (not needed if all devices can use EAS)
     depends_on:
       - auth
       - db
@@ -81,9 +84,12 @@ services:
       - MYSQL_DATABASE=${MYSQL_DATABASE-kopano}
       - MYSQL_USER=${MYSQL_USER-kopano}
       - MYSQL_PASSWORD=${MYSQL_PASSWORD-secret}
-      - POP3_LISTEN=*:110                       # also listen to eth0
       - IMAP_LISTEN=*:143                       # also listen to eth0
+      - POP3_LISTEN=*:110                       # also listen to eth0
       - ICAL_LISTEN=*:8080                      # also listen to eth0
+      - IMAPS_LISTEN=*:993                      # enable TLS
+      - POP3S_LISTEN=*:995                      # enable TLS
+      - ICALS_LISTEN=*:8443                     # enable TLS
       - DISABLED_FEATURES=${DISABLED_FEATURES-} # also enable IMAP and POP3
       - SYSLOG_LEVEL=${SYSLOG_LEVEL-3}
     volumes:
@@ -291,7 +297,7 @@ Adds an extra filter to the user search. Default `LDAP_USER_SEARCH_FILTER=`
 
 Hint: Use the `kopanoAccount` attribute in the filter to differentiate between non-kopano and kopano users.
 
-### Enabling IMAP, POP3 and ICAL
+## Enabling IMAP, POP3 and ICAL
 
 By default the IMAP and POP3 services are disabled for all users. Set the environment variable `DISABLED_FEATURES=` to an empty string to enable both IMAP and POP3 for all users.
 
@@ -299,9 +305,23 @@ By default the IMAP and POP3 services are disabled for all users. Set the enviro
 
 The environment variable `DISABLED_FEATURES` take a space separated list of features. Currently it may contain the following features: `imap`, `mobile`, `outlook`, `pop3` and `webapp`. Default: `DISABLED_FEATURES="imap pop3"`
 
-#### `POP3_LISTEN`, `IMAP_LISTEN` and `ICAL_LISTEN`
+#### `IMAP_LISTEN`, `POP3_LISTEN`and `ICAL_LISTEN`
 
-By default the kopano-gateway and kopano-ical services are configured to only listen on the loopback interface. To be able to access these services we need them to listen to any interface. This is achieved by setting `POP3_LISTEN=*:110`, `IMAP_LISTEN=*:143` and `ICAL_LISTEN=*:8080`. These port numbers can be changed if desired.
+By default the kopano-gateway and kopano-ical services are configured to only listen on the loop-back interface. To be able to access these services we need them to listen to any interface. This is achieved by setting `IMAP_LISTEN=*:143`, `POP3_LISTEN=*:110` and `ICAL_LISTEN=*:8080`. These port numbers can be changed if desired.
+
+## Enabling IMAPS, POP3S and ICALS
+
+By default the secure protocols are not enabled.
+
+#### `IMAPS_LISTEN`, `POP3S_LISTEN`and `ICALS_LISTEN`
+
+To enable secure access we need to explicitly define their listening ports. This is achieved by setting any combination of `IMAPS_LISTEN=*:993`, `POP3S_LISTEN=*:995` and `ICALS_LISTEN=*:8443`. These port numbers can be changed if desired.
+
+If any of `IMAPS_LISTEN`, `POP3S_LISTEN` and `ICALS_LISTEN` are explicitly defined but there are no certificate files defined, a self-signed certificate will be generated  when the container is created.
+
+#### `SSL_CERTIFICATE_FILE` and `SSL_PRIVATE_KEY_FILE`
+
+For most deployments a trusted TLS certificate is needed. When such are available, copy the [RSA](https://en.wikipedia.org/wiki/RSA_(cryptosystem)) [PEM](https://en.wikipedia.org/wiki/Privacy-Enhanced_Mail) certificate and private key files to the container and  use the envvars  `SSL_CERTIFICATE_FILE` and `SSL_PRIVATE_KEY_FILE` to let the kopano-gateway and kopano-ical services find them. For example `SSL_CERTIFICATE_FILE=/etc/kopano/ssl/cert.pem` and  `SSL_PRIVATE_KEY_FILE=/etc/kopano/ssl/priv_key.pem`. Note that these files need to be readable by the `kopano` user.
 
 ## Logging `SYSLOG_LEVEL`, `LOG_LEVEL`
 
@@ -368,7 +388,7 @@ Here some topics relevant for arranging a mail server are presented.
 
 ## Kopano WebApp HTTP access
 
-The distribution installation of `kopano-webapp` only allow HTTPS access. The `mlan/kopano` image updates the configuration to `define("SECURE_COOKIES", false);` in `/etc/kopano/webapp/config.php` also allowing HTTP access. This can be useful when arranging the `mlan/kopano` container behind a reverse proxy, like [traefik](https://doc.traefik.io/traefik/), which then does the enforcement of HTTPS.
+The distribution installation of `kopano-webapp` only allow HTTPS access. The `mlan/kopano` image updates the configuration to `define("SECURE_COOKIES", false);` in `/etc/kopano/webapp/config.php` also allowing HTTP access. This can be useful when arranging the `mlan/kopano` container behind a reverse proxy, like [traefik](https://doc.traefik.io/traefik/), which then does the enforcement of HTTPS.
 
 ## Mail client configuration
 

demo/.env

@@ -1,12 +1,12 @@
 COMPOSE_PROJECT_NAME=demo
-SYSLOG_LEVEL=5
+SYSLOG_LEVEL=6
+LOG_LEVEL=6
 MAIL_DOMAIN=example.com
 MAIL_SRV=mx
 REGEX_ALIAS='/([^+]+)[+-].*@(.+)/ $1@$2'
 DKIM_SELECTOR=default
 SA_TAG_LEVEL_DEFLT=-999
 SA_DEBUG=0
-LOG_LEVEL=5
 RAZOR_REGISTRATION=
 LDAP_BASE=dc=example,dc=com
 LDAP_USEROU=users

demo/Makefile

@@ -1,7 +1,7 @@
 -include    *.mk .env .init.env
 
 srv_list ?= auth app db mta
-curl_dbg ?= -v
+curl_dbg ?= -v -s
 _ip       = $(shell docker inspect -f \
 	'{{range .NetworkSettings.Networks}}{{println .IPAddress}}{{end}}' \
 	$(1) | head -n1)
@@ -11,11 +11,9 @@ _ip       = $(shell docker inspect -f \
 variables:
 	make -pn | grep -A1 "^# makefile"| grep -v "^#\|^--" | sort | uniq
 
-test: mta-test_quiet mta-test_smtp
+test: all-test_quiet mta-test_smtp
 
-init: auth-init db-up mta-up app-up
-
-auth-init: auth-up wait_11 auth-mod_hash auth-mod_index auth-add_user
+init: auth-init db-init mta-init app-init
 
 ps:
 	docker-compose ps
@@ -58,7 +56,7 @@ $(addsuffix -logs,$(srv_list)):
 	docker-compose logs $(patsubst %-logs,%,$@)
 
 $(addsuffix -sh,$(srv_list)):
-	docker-compose exec $(patsubst %-sh,%,$@) sh
+	docker-compose exec $(patsubst %-sh,%,$@) sh -c 'exec $$(getent passwd root | sed "s/.*://g")'
 
 $(addsuffix -env,$(srv_list)):
 	docker-compose exec $(patsubst %-env,%,$@) env
@@ -75,6 +73,8 @@ wait_%:
 web:
 	firefox localhost:8008 &
 
+auth-init: auth-up wait_11 auth-mod_hash auth-mod_index auth-add_user
+
 auth-show_conf:
 	docker-compose exec auth ldap search -b cn=config "(cn=config)"
 	docker-compose exec auth ldap search -b cn=config olcDatabase={-1}frontend
@@ -101,21 +101,26 @@ auth-mod_hash:
 	printf "dn: olcDatabase={-1}frontend,cn=config\nchangetype: modify\nadd: olcPasswordHash\nolcPasswordHash: {CRYPT}\n\ndn: cn=config\nchangetype: modify\nadd: olcPasswordCryptSaltFormat\nolcPasswordCryptSaltFormat: \$$6\$$%%.16s\n" \
 	| docker-compose exec -T auth ldap modify
 
+mta-init: mta-up
+
 mta-bayes:
 	docker-compose exec mta sh -c 'rm -f bayesian.database.gz && wget http://artinvoice.hu/spams/bayesian.database.gz && gunzip bayesian.database.gz && sa-learn --restore bayesian.database && chown -R amavis: /var/amavis/.spamassassin && rm -rf bayesian.database'
 
-mta-test_quiet:
-	$(eval curl_dbg := )
-
 mta-test_smtp:
 	printf "From: A tester <test@example.biz>\nTo: <$(LDAP_TEST_USER)@$(MAIL_DOMAIN)>\nDate: $$(date)\nSubject: A SMTP test message\n\nGreat news! You can receive email.\n" \
-	| curl smtp://localhost -s -T - $(curl_dbg) \
-	--mail-from test@example.biz --mail-rcpt $(LDAP_TEST_USER)@$(MAIL_DOMAIN)
+	| curl smtp://localhost -T - --mail-from test@example.biz \
+	--mail-rcpt $(LDAP_TEST_USER)@$(MAIL_DOMAIN) $(curl_dbg)
+
+mta-test_smtps:
+	printf "From: A tester <test@example.biz>\nTo: <$(LDAP_TEST_USER)@$(MAIL_DOMAIN)>\nDate: $$(date)\nSubject: A SMTPS test message\n\nGreat news! You can receive secure email.\n" \
+	| curl smtps://localhost -T - --mail-from test@example.biz -k \
+	-u $(LDAP_TEST_USER):$(LDAP_TEST_PASSWD) \
+	--mail-rcpt $(LDAP_TEST_USER)@$(MAIL_DOMAIN) $(curl_dbg)
 
 mta-test_smtp2:
 	printf "From: A info tester <test-info@example.biz>\nTo: <$(LDAP_TEST_USER)-info@$(MAIL_DOMAIN)>\nDate: $$(date)\nSubject: A SMTP test message \n\nGreat news! $(LDAP_TEST_USER)-info@$(MAIL_DOMAIN) can also receive email.\n" \
-	| curl smtp://localhost -s -T - $(curl_dbg) \
-	--mail-from test@example.biz --mail-rcpt $(LDAP_TEST_USER)@$(MAIL_DOMAIN)
+	| curl smtp://localhost -T - --mail-from test@example.biz \
+	--mail-rcpt $(LDAP_TEST_USER)@$(MAIL_DOMAIN) $(curl_dbg)
 
 mta-razor:
 	docker-compose exec mta run amavis_register_razor
@@ -172,9 +177,13 @@ mta-test_rimap:
 mta-test_ldap: mta-debugtools
 	docker-compose exec mta ldapsearch -H ldap://auth:389 -xLLL -s base namingContexts
 
+db-init: db-up
+
 db-test:
 	docker-compose exec db mysqlshow -u $(MYSQL_USER) $(MYSQL_DATABASE) -p$(MYSQL_PASSWORD)
 
+app-init: app-up wait_5 app-public_store
+
 app-debugtools:
 	docker-compose exec app apt-get update
 	docker-compose exec app apt-get install --yes \
@@ -197,15 +206,25 @@ app-test_smtp: mta-test_smtp
 app-test_lmtp: app-hostaddr
 	printf "LHLO mx\nMAIL FROM: <test@example.biz>\nRCPT TO: <$(LDAP_TEST_USER)@$(MAIL_DOMAIN)>\nDATA\nFrom: A tester <test@example.biz>\nTo: <$(LDAP_TEST_USER)@$(MAIL_DOMAIN)>\nDate: $$(date)\nSubject: A LMTP test message from me to you\n\nDelete me, please \n.\nQUIT\n" | nc -C $(myhost) 2003
 
+app-test_proto: all-test_muted app-test_imap app-test_pop3 app-test_ical app-test_imaps app-test_pop3s app-test_icals
+
 app-test_imap: app-hostaddr
-	curl imap://$(myhost) -X CAPABILITY
-	curl imap://$(myhost) -u $(LDAP_TEST_USER):$(LDAP_TEST_PASSWD)
+	curl imap://$(myhost) -u $(LDAP_TEST_USER):$(LDAP_TEST_PASSWD) $(curl_dbg)
+
+app-test_imaps: app-hostaddr
+	curl imaps://$(myhost) -k -u $(LDAP_TEST_USER):$(LDAP_TEST_PASSWD) $(curl_dbg)
 
 app-test_pop3: app-hostaddr
-	curl pop3://$(myhost) -u $(LDAP_TEST_USER):$(LDAP_TEST_PASSWD)
+	curl pop3://$(myhost) -u $(LDAP_TEST_USER):$(LDAP_TEST_PASSWD) $(curl_dbg)
+
+app-test_pop3s: app-hostaddr
+	curl pop3s://$(myhost) -k -u $(LDAP_TEST_USER):$(LDAP_TEST_PASSWD) $(curl_dbg)
 
 app-test_ical: app-hostaddr
-	curl http://$(myhost):8080 -u $(LDAP_TEST_USER):$(LDAP_TEST_PASSWD)
+	curl http://$(myhost):8080 -u $(LDAP_TEST_USER):$(LDAP_TEST_PASSWD) $(curl_dbg)
+
+app-test_icals: app-hostaddr
+	curl https://$(myhost):8443 -k -u $(LDAP_TEST_USER):$(LDAP_TEST_PASSWD) $(curl_dbg)
 
 app-show_user1:
 	docker-compose exec app kopano-admin -l
@@ -218,3 +237,12 @@ app-show_sync:
 
 app-create_store:
 	docker-compose exec app kopano-admin --create-store $(LDAP_TEST_USER)
+
+app-public_store:
+	docker-compose exec app kopano-storeadm -h default: -P
+
+all-test_quiet:
+	$(eval curl_dbg := -s -S )
+
+all-test_muted:
+	$(eval curl_dbg := -s -S >/dev/null || true)

demo/docker-compose.yml

@@ -7,9 +7,12 @@ services:
       - backend
     ports:
       - "127.0.0.1:8008:80"    # WebApp & EAS (alt. HTTP)
-      - "127.0.0.1:110:110"    # POP3 (not needed if all devices can use EAS)
       - "127.0.0.1:143:143"    # IMAP (not needed if all devices can use EAS)
-      - "127.0.0.1:8080:8080"  # CalDAV (not needed if all devices can use EAS)
+      - "127.0.0.1:110:110"    # POP3 (not needed if all devices can use EAS)
+      - "127.0.0.1:8080:8080"  # ICAL (not needed if all devices can use EAS)
+      - "127.0.0.1:993:993"    # IMAPS (not needed if all devices can use EAS)
+      - "127.0.0.1:995:995"    # POP3S (not needed if all devices can use EAS)
+      - "127.0.0.1:8443:8443"  # ICALS (not needed if all devices can use EAS)
     depends_on:
       - auth
       - db
@@ -25,9 +28,12 @@ services:
       - MYSQL_DATABASE=${MYSQL_DATABASE-kopano}
       - MYSQL_USER=${MYSQL_USER-kopano}
       - MYSQL_PASSWORD=${MYSQL_PASSWORD-secret}
-      - POP3_LISTEN=*:110                       # also listen to eth0
       - IMAP_LISTEN=*:143                       # also listen to eth0
+      - POP3_LISTEN=*:110                       # also listen to eth0
       - ICAL_LISTEN=*:8080                      # also listen to eth0
+      - IMAPS_LISTEN=*:993                      # enable TLS
+      - POP3S_LISTEN=*:995                      # enable TLS
+      - ICALS_LISTEN=*:8443                     # enable TLS
       - DISABLED_FEATURES=${DISABLED_FEATURES-} # also enable IMAP and POP3
       - SYSLOG_LEVEL=${SYSLOG_LEVEL-3}
     volumes:
@@ -46,6 +52,7 @@ services:
       - backend
     ports:
       - "127.0.0.1:25:25"      # SMTP
+      - "127.0.0.1:465:465"    # SMTPS authentication required
     depends_on:
       - auth
     environment: # Virgin config, ignored on restarts unless FORCE_CONFIG given.
@@ -55,6 +62,7 @@ services:
       - SMTP_RELAY_HOSTAUTH=${SMTP_RELAY_HOSTAUTH-}
       - SMTP_TLS_SECURITY_LEVEL=${SMTP_TLS_SECURITY_LEVEL-}
       - SMTP_TLS_WRAPPERMODE=${SMTP_TLS_WRAPPERMODE-no}
+      - SMTPD_USE_TLS=yes
       - LDAP_USER_BASE=ou=${LDAP_USEROU-users},${LDAP_BASE-dc=example,dc=com}
       - LDAP_QUERY_FILTER_USER=(&(objectclass=${LDAP_USEROBJ-posixAccount})(mail=%s))
       - LDAP_QUERY_ATTRS_PASS=uid=user

src/docker/bin/docker-common.sh

@@ -85,9 +85,20 @@ dc_log_stamp() {
 }
 
 #
-# Tests
+# Tests if pkg is installed
 #
-dc_is_installed() { apk -e info $1 &>/dev/null ;} # true if pkg is installed
+dc_is_command() { [ -x "$(command -v $1)" ] ;}
+
+dc_is_installed() {
+	if dc_is_command apk; then
+		ver_cmd="apk -e info"
+	elif dc_is_command dpkg; then
+		ver_cmd="dpkg -s"
+	else
+		dc_log 5 "No package manager found among: apk dpkg"
+	fi
+	$ver_cmd $1 &>/dev/null
+}
 
 #
 # Update loglevel
@@ -112,14 +123,14 @@ dc_pkg_versions() {
 	local kern=$(uname -r)
 	local host=$(uname -n)
 	dc_log 5 $host $os $kern
-	if [ -x "$(command -v apk)" ]; then
+	if dc_is_command apk; then
 		ver_cmd="apk info -s"
 		sed_flt="s/.*-(.*)-.*/\1/p"
-	elif [ -x "$(command -v apt)" ]; then
-		ver_cmd="apt list --installed"
-		sed_flt="s/[^ ]+ ([[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+).*/\1/p"
+	elif dc_is_command dpkg; then
+		ver_cmd="dpkg -s"
+		sed_flt="s/Version: ([[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+).*/\1/p"
 	else
-		dc_log 5 "No package manager found among: apk apt"
+		dc_log 5 "No package manager found among: apk dpkg"
 	fi
 	for pkg in $pkgs; do
 		ver=$($ver_cmd $pkg 2> /dev/null | sed -rn "$sed_flt")

src/kopano/entry.d/10-kopano-common

@@ -9,9 +9,10 @@
 #
 # Configuration
 #
-
 DOCKER_CONF_DIR1=${DOCKER_CONF_DIR1-/etc/kopano}
 DOCKER_CONF_DIR2=${DOCKER_CONF_DIR2-/usr/share/z-push}
+DOCKER_APPL_SSL_CERT=${DOCKER_APPL_SSL_CERT-$DOCKER_APPL_SSL_DIR/cert.pem}
+DOCKER_APPL_SSL_KEY=${DOCKER_APPL_SSL_KEY-$DOCKER_APPL_SSL_DIR/priv_key.pem}
 
 dagent_cfg_file=$DOCKER_CONF_DIR1/dagent.cfg
 gateway_cfg_file=$DOCKER_CONF_DIR1/gateway.cfg
@@ -28,11 +29,11 @@ zpush_cfg_file=$DOCKER_CONF_DIR2/config.php
 #
 # Define environment variables
 #
-
+ssl_env_vars="SSL_CERTIFICATE_FILE SSL_CIPHERS SSL_CURVES SSL_PREFER_SERVER_CIPHERS SSL_PRIVATE_KEY_FILE SSL_VERIFY_CLIENT SSL_VERIFY_FILE SSL_VERIFY_PATH TLS_MIN_PROTO"
 dagent_env_vars="LMTP_LISTEN LOG_LEVEL SPAM_HEADER_NAME SPAM_HEADER_VALUE"
-gateway_env_vars="BYPASS_AUTH DISABLE_PLAINTEXT_AUTH HTML_SAFETY_FILTER IMAP_CAPABILITY_IDLE IMAP_EXPUNGE_ON_DELETE IMAP_IGNORE_COMMAND_IDLE IMAP_LISTEN IMAP_MAX_FAIL_COMMANDS IMAP_MAX_MESSAGESIZE IMAP_ONLY_MAILFOLDERS IMAP_PUBLIC_FOLDERS IMAPS_LISTEN POP3_LISTEN POP3S_LISTEN DISABLE_PLAINTEXT_AUTH"
-ical_env_vars="ICAL_LISTEN ICALS_LISTEN ENABLE_ICAL_GET"
-ldap_env_vars="LDAP_URI LDAP_HOST LDAP_PORT LDAP_PROTOCOL LDAP_SEARCH_BASE LDAP_USER_TYPE_ATTRIBUTE_VALUE LDAP_GROUP_TYPE_ATTRIBUTE_VALUE LDAP_USER_SEARCH_FILTER"
+gateway_env_vars="BYPASS_AUTH DISABLE_PLAINTEXT_AUTH HTML_SAFETY_FILTER IMAP_CAPABILITY_IDLE IMAP_EXPUNGE_ON_DELETE IMAP_IGNORE_COMMAND_IDLE IMAP_LISTEN IMAP_MAX_FAIL_COMMANDS IMAP_MAX_MESSAGESIZE IMAP_ONLY_MAILFOLDERS IMAP_PUBLIC_FOLDERS IMAPS_LISTEN POP3_LISTEN POP3S_LISTEN DISABLE_PLAINTEXT_AUTH LOG_LEVEL"
+ical_env_vars="ICAL_LISTEN ICALS_LISTEN ENABLE_ICAL_GET LOG_LEVEL"
+ldap_env_vars="LDAP_URI LDAP_STARTTLS LDAP_BIND_USER LDAP_BIND_PASSWD LDAP_SEARCH_BASE LDAP_USER_TYPE_ATTRIBUTE_VALUE LDAP_GROUP_TYPE_ATTRIBUTE_VALUE LDAP_USER_SEARCH_FILTER"
 search_env_vars="INDEX_PROCESSES INDEX_DRAFTS INDEX_JUNK SUGGESTIONS INDEX_ATTACHMENTS INDEX_ATTACHMENT_MAX_SIZE"
 server_env_vars="MYSQL_HOST MYSQL_PORT MYSQL_DATABASE MYSQL_USER MYSQL_PASSWORD DISABLED_FEATURES USER_PLUGIN LOG_LEVEL SEARCH_TIMEOUT"
 spamd_env_vars="LOG_METHOD SPAM_DIR SPAM_DB HEADER_TAG LEARN_HAM HAM_DIR SA_GROUP"
@@ -77,8 +78,8 @@ _kopano_apply_phpenvvars_gen() {
 
 kopano_apply_envvars() {
 	_kopano_apply_envvars_gen $dagent_cfg_file   $dagent_env_vars
-	_kopano_apply_envvars_gen $gateway_cfg_file  $gateway_env_vars
-	_kopano_apply_envvars_gen $ical_cfg_file     $ical_env_vars
+	_kopano_apply_envvars_gen $gateway_cfg_file  $gateway_env_vars $ssl_env_vars
+	_kopano_apply_envvars_gen $ical_cfg_file     $ical_env_vars    $ssl_env_vars
 	_kopano_apply_envvars_gen $ldap_cfg_file     $ldap_env_vars
 	_kopano_apply_envvars_gen $search_cfg_file   $search_env_vars
 	_kopano_apply_envvars_gen $server_cfg_file   $server_env_vars
@@ -90,3 +91,34 @@ kopano_apply_phpenvvars() {
 	_kopano_apply_phpenvvars_gen $sqlstate_cfg_file $sqlstate_env_vars
 	_kopano_apply_phpenvvars_gen $zpush_cfg_file    $zpush_env_vars
 }
+
+#
+# Update SSL_CERTIFICATE_FILE and SSL_PRIVATE_KEY_FILE.
+# Variables defined in 30-acme-common
+# DOCKER_APPL_SSL_CERT
+# DOCKER_APPL_SSL_KEY
+#
+kopano_export_tls_cert() {
+	if ([ -f "$DOCKER_APPL_SSL_CERT" ] && [ -f "$DOCKER_APPL_SSL_KEY" ]); then
+		export SSL_CERTIFICATE_FILE=${SSL_CERTIFICATE_FILE-$DOCKER_APPL_SSL_CERT}
+		export SSL_PRIVATE_KEY_FILE=${SSL_PRIVATE_KEY_FILE-$DOCKER_APPL_SSL_KEY}
+	fi
+}
+
+#
+# Generate self signed certificate if any of IMAPS_LISTEN, POP3S_LISTEN or
+# ICALS_LISTEN is no-empty but no certificates are given.
+#
+kopano_generate_tls_cert() {
+	for prot in IMAPS_LISTEN POP3S_LISTEN ICALS_LISTEN; do
+		if [ -n "${!prot}" ]; then
+			local secure="$prot=${!prot}"
+			break
+		fi
+	done
+	if ([ -z "$SSL_CERTIFICATE_FILE" ] && [ -n "$secure" ] && dc_is_installed openssl); then
+		dc_log 4 "$secure, but no certs given, so generating self-signed cert for host $HOSTNAME"
+		dc_tls_setup_selfsigned_cert $DOCKER_APPL_SSL_CERT $DOCKER_APPL_SSL_KEY
+		dc_chowncond $DOCKER_APPL_RUNAS $DOCKER_APPL_SSL_DIR
+	fi
+}

src/kopano/entry.d/50-kopano-config

@@ -11,6 +11,9 @@
 # Configure Kopano if it is unlocked.
 #
 if dc_is_unlocked; then
+	kopano_export_tls_cert
+	kopano_generate_tls_cert
+	kopano_export_tls_cert
 	kopano_apply_envvars
 	kopano_apply_phpenvvars
 fi