diff --git a/docs/migrations.md b/docs/migrations.md index e1c78f3f..21b8209d 100644 --- a/docs/migrations.md +++ b/docs/migrations.md @@ -15,6 +15,7 @@ SPDX-License-Identifier: Apache-2.0 * [New application default: Default group for two-factor authentication is now "2FA Users"](#new-application-default-default-group-for-two-factor-authentication-is-now-2fa-users) * [New database and secrets: Portal now uses OIDC](#new-database-and-secrets-portal-now-uses-oidc) * [New Helmfile default: Restricting characters for directory and filenames in fileshare module](#new-helmfile-default-restricting-characters-for-directory-and-filenames-in-fileshare-module) + * [Helmfile new default: New groupware settings changing current behaviour](#helmfile-new-default-new-groupware-settings-changing-current-behaviour) * [v1.7.0+](#v170) * [Pre-upgrade to v1.7.0+](#pre-upgrade-to-v170) * [Helmfile fix: Ensure enterprise overrides apply when deploying from project root](#helmfile-fix-ensure-enterprise-overrides-apply-when-deploying-from-project-root) 
@@ -193,6 +194,24 @@ functional: - '<' - '>' ``` +#### Helmfile new default: New groupware settings changing current behaviour + +**Target group:** All openDesk deployments using OX App Suite + +The following options, newly introduced in `functional.yaml.gotmpl`, modify the previous default behavior of openDesk. Please review whether the new defaults are appropriate for your deployment: + +* `functional.groupware.mail.inbound.forward.enabled: false` + This setting prevents users from forwarding all incoming emails to external accounts. + Instead, the new option `functional.groupware.mail.inbound.notify.enabled: true` enables notifications to user-defined email addresses when new messages arrive. + To keep the previous behavior, set `forward` to `true` and `notify` to `false`. + +* `functional.groupware.userProfile.editRealName: false` + This setting prevents users from editing their display name in OX App Suite (e.g. the name shown when sending emails, in addition to the sender address). + The display name is centrally managed by the openDesk IAM. + To allow users to change it within OX App Suite, set this option to `true`. + +> **Note**
+> openDesk v1.8.0 adds even more options under `functional.groupware.*` while retaining the current default behaviour. ## v1.7.0+ diff --git a/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl b/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl index a760c024..eeb44652 100644 --- a/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl +++ b/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl @@ -152,6 +152,7 @@ appsuite: drive-client-windows-ox-route: annotations: {{ .Values.annotations.openxchangeAppsuiteIngress.driveClientWindowsOxRoute | toYaml | nindent 10 }} + {{ if .Values.functional.groupware.mail.encryption.enabled }} guard-api-route: annotations: {{ .Values.annotations.openxchangeAppsuiteIngress.guardApiRoute | toYaml | nindent 10 }} @@ -161,6 +162,7 @@ appsuite: guard-pgp-route: annotations: {{ .Values.annotations.openxchangeAppsuiteIngress.guardPgpRoute | toYaml | nindent 10 }} + {{ end }} http-api-routes-api: annotations: {{ .Values.annotations.openxchangeAppsuiteIngress.httpApiRoutesApi | toYaml | nindent 10 }} @@ -310,7 +312,7 @@ appsuite: # enable admin pack # admin: enabled documents: "disabled" - guard: "enabled" + guard: {{ ternary "enabled" "disabled" .Values.functional.groupware.mail.encryption.enabled }} # disabling admin role breaks webmail # {{- if .Values.technical.oxAppSuite.provisioning.dedicatedCoreMwPod }} # admin: "disabled" @@ -347,11 +349,13 @@ appsuite: {{ .Values.seLinuxOptions.openxchangeGotenberg | toYaml | nindent 10 }} serviceAccount: create: false + {{ if .Values.functional.groupware.mail.encryption.enabled }} hooks: beforeAppsuiteStart: create-guard-dir.sh: | mkdir -p /opt/open-xchange/guard-files chown open-xchange:open-xchange /opt/open-xchange/guard-files + {{ end }} packages: status: open-xchange-oidc: "enabled" 
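Review bot: The new conditionals in this file (`guard-api-route`/`guard-pgp-route`, the `hooks:` block, and later `secretETCFiles:`) use untrimmed `{{ if ... }}` / `{{ end }}`, while the surrounding existing conditionals use `{{- if` / `{{- end }}`, so the rendered values file gains stray blank lines whenever Guard is disabled. That is valid YAML but inconsistent, and in the `hooks:` block it is no longer obvious that the whole `beforeAppsuiteStart` mapping disappears with the toggle. Suggest `{{- if .Values.functional.groupware.mail.encryption.enabled }}` / `{{- end }}` to match the file, plus a comment above the hook: `# Guard only: the guard-files directory is created solely when mail encryption is enabled`.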
@@ -377,12 +381,11 @@ appsuite: open-xchange-admin-soap-usercopy: "disabled" open-xchange-admin-user-copy: "disabled" {{- end }} - {{- if .Values.functional.groupware.davSupport.enabled }} - open-xchange-authentication-application-storage-rdb: "enabled" - {{- end }} - open-xchange-mail-categories: "enabled" + open-xchange-authentication-application-storage-rdb: {{ ternary "enabled" "disabled" .Values.functional.groupware.davSupport.enabled }} + open-xchange-mail-categories: {{ ternary "enabled" "disabled" .Values.functional.groupware.mail.categories.enabled }} properties: com.openexchange.hostname: {{ printf "%s.%s" .Values.global.hosts.openxchange .Values.global.domain }} + com.openexchange.share.guestHostname: {{ printf "%s.%s" .Values.global.hosts.openxchange .Values.global.domain }} com.openexchange.UIWebPath: "/appsuite/" com.openexchange.showAdmin: "false" # PDF Export @@ -431,6 +434,7 @@ appsuite: com.openexchange.mail.transport.authType: "xoauth2" com.openexchange.mail.transportServer: "postfix-ox" com.openexchange.mail.transportServerSource: "global" + com.openexchange.mail.maxMailSize: {{ mul .Values.functional.groupware.mail.maxSize 1024 1024 | int | printf "%d" | quote }} # Mail Login Resolver com.openexchange.mail.login.resolver.enabled: "true" com.openexchange.mail.login.resolver.ldap.enabled: "true" 
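Review bot: `com.openexchange.share.guestHostname` is set to the very same host as `com.openexchange.hostname`, so once `functional.groupware.externalSharing.shareLinks` or `inviteGuests` is switched on, anonymous and invited guest sessions are served from the same origin as authenticated internal users. The OX sharing documentation referenced in functional.yaml describes a dedicated guest hostname precisely so that guest sessions, cookies and share links are kept apart from the internal UI; whether this deployment wants that separation is a decision the template should at least make explicit. Suggest a comment above the line: `# NOTE: guests currently share the internal hostname; consider a dedicated global.hosts.* entry before enabling functional.groupware.externalSharing.*`.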
@@ -460,15 +464,13 @@ appsuite: com.openexchange.capability.dynamic-theme: "true" com.openexchange.capability.filestorage_nextcloud: "true" com.openexchange.capability.filestorage_nextcloud_oauth: "true" - com.openexchange.capability.guard: "true" - com.openexchange.capability.guard-mail: "true" - com.openexchange.capability.smime: "true" - com.openexchange.capability.share_links: "false" - com.openexchange.capability.invite_guests: "false" + com.openexchange.capability.guard: {{ .Values.functional.groupware.mail.encryption.enabled | quote }} + com.openexchange.capability.guard-mail: {{ .Values.functional.groupware.mail.encryption.enabled | quote }} + com.openexchange.capability.smime: {{ .Values.functional.groupware.mail.encryption.enabled | quote }} com.openexchange.capability.document_preview: "true" # Mail Categories - # Ref.: https://documentation.open-xchange.com/8/middleware/mail/mail_categories.html - com.openexchange.mail.categories: "true" + com.openexchange.mail.categories: {{ .Values.functional.groupware.mail.categories.enabled | quote }} + {{ if .Values.functional.groupware.mail.categories.enabled }} com.openexchange.mail.categories.general.name.fallback: "General" com.openexchange.mail.categories.general.name.de_DE: "Allgemein" com.openexchange.mail.categories.identifiers: "newsletter,invites,socialmedia" 
@@ -500,6 +502,16 @@ appsuite: com.openexchange.mail.categories.uc3.flag: "$uc3" com.openexchange.mail.categories.uc3.name.fallback: "Your category 3" com.openexchange.mail.categories.uc3.name.de_DE: "Eigene Kategorie 3" + {{- end }} + # functional.groupware.mail.inbound.* + com.openexchange.capability.public-sector-autonotify: {{ .Values.functional.groupware.mail.inbound.notify.enabled | quote }} + {{- if not .Values.functional.groupware.mail.inbound.forward.enabled }} + com.openexchange.mail.filter.blacklist.actions: "redirect" + {{- end }} + com.openexchange.mail.filter.options.apply.blockedActions: "redirect,notify" + # functional.groupware.externalSharing.* + com.openexchange.capability.share_links: {{ .Values.functional.groupware.externalSharing.shareLinks.enabled | quote }} + com.openexchange.capability.invite_guests: {{ .Values.functional.groupware.externalSharing.inviteGuests.enabled | quote }} # Secondary Accounts com.openexchange.mail.secondary.authType: "XOAUTH2" com.openexchange.mail.transport.secondary.authType: "xoauth2" 
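Review bot: Blacklisting the Sieve `redirect` action only stops users from creating new forwarding rules through the App Suite mail-filter API; it does not remove `redirect` rules already stored in a user's Sieve script, and any other path to the Sieve store (a ManageSieve port, if one is reachable) is not covered, so `forward.enabled: false` is a UI/API-level control rather than an exfiltration guarantee. The `notify` action is deliberately left available for autonotify, but depending on what the Dovecot Sieve implementation (presumably Pigeonhole) puts into mailto notifications it may still carry sender and subject of every incoming message to an external address — worth confirming before documenting the setting as "prevents forwarding to external accounts". Suggest a comment above the `{{- if not ... }}`: `# Blocks creation of new Sieve redirect rules via the OX mail-filter API only; existing redirect rules and direct ManageSieve uploads (if reachable) are unaffected.`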
@@ -511,11 +523,12 @@ appsuite: com.openexchange.conference.element.enabled: "true" com.openexchange.conference.element.meetingHostUrl: http://matrix-neodatefix-bot com.openexchange.conference.element.matrixLoginUrl: http://opendesk-synapse-web:8008/_matrix/client/v3/login - com.openexchange.conference.element.matrixUuidClaimName: {{ if .Values.functional.chat.matrix.profile.useImmutableIdentifierForLocalpart }}"opendesk_useruuid"{{ else }}"opendesk_username"{{ end }} + com.openexchange.conference.element.matrixUuidClaimName: {{ ternary "opendesk_useruuid" "opendesk_username" .Values.functional.chat.matrix.profile.useImmutableIdentifierForLocalpart }} # GDPR com.openexchange.gdpr.dataexport.enabled: "false" com.openexchange.gdpr.dataexport.active: "false" # Guard + {{- if .Values.functional.groupware.mail.encryption.enabled }} com.openexchange.guard.storage.file.fileStorageType: "file" com.openexchange.guard.storage.file.uploadDirectory: "/opt/open-xchange/guard-files/" com.openexchange.guard.guestSMTPMailFrom: {{ printf "%s@%s" "opendesk-system" ( .Values.global.mailDomain | default .Values.global.domain ) }} @@ -529,6 +542,7 @@ appsuite: # http = (await import('./io.ox/core/http.js')).default # await http.POST({ module: 'oxguard/smime', params: { action: 'test' } }) com.openexchange.smime.test: {{ .Values.debug.enabled | quote }} + {{- end }} {{- if or (eq (coalesce .Values.service.type.dovecot .Values.cluster.service.type) "NodePort") (eq (coalesce .Values.service.type.dovecot .Values.cluster.service.type) "LoadBalancer") }} # Client Onboarding com.openexchange.client.onboarding.mail.imap.host: {{ .Values.global.domain | quote }} 
@@ -632,6 +646,8 @@ appsuite: uiSettings: io.ox.nextcloud//server: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/fs/" io.ox.public-sector//ics/url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/" + # Is user allowed to edit own display name + io.ox/mail//editRealName: {{ .Values.functional.groupware.userProfile.editRealName | quote }} # Show the Enterprise Picker in the top right corner instead of the launcher drop-down io.ox/core//features/enterprisePicker/showLauncher: "false" io.ox/core//features/enterprisePicker/showTopRightLauncher: "true" @@ -644,7 +660,7 @@ appsuite: io.ox/core//features/managedResources: "true" # Features io.ox/core//features/signatureDesigner: "true" - io.ox/core//features/categories: "true" + io.ox/core//features/categories: {{ .Values.functional.groupware.mail.categories.enabled | quote }} io.ox/core//categories/predefined: > [{ "name": "Predefined", "color": "orange", "icon": "bi/exclamation-circle.svg" }] # Nextcloud integration @@ -671,6 +687,7 @@ appsuite: io.ox/dynamic-theme//folderHover: {{ .Values.theme.colors.secondaryGreyLight | quote }} # openDesk logo in top bar links to portal io.ox/core//logoAction: {{ printf "https://%s.%s" .Values.global.hosts.nubus .Values.global.domain | quote }} + {{ if .Values.functional.groupware.mail.encryption.enabled }} secretETCFiles: # Format of the OX Guard master key: # MC+base64(20 random bytes) @@ -678,6 +695,7 @@ appsuite: oxguardpass: | {{ .Values.secrets.oxAppSuite.oxguardMC }} {{ .Values.secrets.oxAppSuite.oxguardRC }} + {{ end }} redis: &redisConfiguration enabled: true mode: "standalone" @@ -947,7 +965,7 @@ appsuite: create: false guard-ui: - enabled: true + enabled: {{ .Values.functional.groupware.mail.encryption.enabled }} imagePullSecrets: {{- range .Values.global.imagePullSecrets }} - name: {{ . | quote }} 
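Review bot: `io.ox/mail//editRealName` is a UI setting, so it hides the display-name editor in App Suite, but nothing in this hunk shows the middleware rejecting a changed `personal` value sent directly to the HTTP API (e.g. an account update request), which would leave the "centrally managed by the IAM" claim in functional.yaml enforced only client-side. Either confirm that the middleware refuses such changes for the primary account or document the toggle as a UI convenience. Suggest replacing the comment with `# Hide the display-name editor in the UI; client-side setting only — the IAM remains the source of truth via provisioning`.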
@@ -977,6 +995,7 @@ appsuite: {{ .Values.seLinuxOptions.openxchangeGuardUI | toYaml | nindent 8 }} serviceAccount: create: false + core-spellcheck: enabled: false diff --git a/helmfile/apps/open-xchange/values-postfix.yaml.gotmpl b/helmfile/apps/open-xchange/values-postfix.yaml.gotmpl index 09a40e6d..2f2cd409 100644 --- a/helmfile/apps/open-xchange/values-postfix.yaml.gotmpl +++ b/helmfile/apps/open-xchange/values-postfix.yaml.gotmpl @@ -45,6 +45,7 @@ postfix: domain: {{ .Values.global.mailDomain | default .Values.global.domain | quote }} hostname: "postfix" inetProtocols: "ipv4" + messageSizeLimit: {{ mul .Values.functional.groupware.mail.maxSize 1024 1024 | int | printf "%d" | quote }} milterDefaultAction: "tempfail" {{- if .Values.apps.dkimpy.enabled }} dkimpyHost: "opendesk-dkimpy-milter.{{ .Release.Namespace }}.svc.{{.Values.cluster.networking.domain }}:8892" diff --git a/helmfile/environments/default/functional.yaml.gotmpl b/helmfile/environments/default/functional.yaml.gotmpl index 2b38fe49..885f4b52 100644 --- a/helmfile/environments/default/functional.yaml.gotmpl +++ b/helmfile/environments/default/functional.yaml.gotmpl 
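Review bot: `messageSizeLimit` is set to exactly the same byte value as `com.openexchange.mail.maxMailSize` in values-openxchange, leaving no headroom for the headers Postfix adds on receipt, so a mail App Suite accepts right at the limit can still be rejected by Postfix. Postfix's local/virtual delivery agents also abort when `mailbox_size_limit` (default 51200000) is smaller than `message_size_limit`; if the postfix chart does not raise `mailbox_size_limit` alongside this key, any `maxSize` above 48 would break delivery through those agents — whether they are on the path to Dovecot is not visible here. Suggest a comment: `# Must stay >= App Suite maxMailSize; keep mailbox_size_limit >= this value or Postfix local/virtual delivery fails`.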
@@ -199,16 +199,57 @@ functional: groupware: # Related settings for the CalDAV and CardCAV support of the groupware module. davSupport: - # Enabled by default it is available at: + # Enabled by default CalDAV and CardDAV support is available at: # - https://<.Values.global.hosts.openxchangeDav>.<.Values.global.domain>/caldav/[folderId]" # - https://<.Values.global.hosts.openxchangeDav>.<.Values.global.domain>/carddav/[folderId]" # Can be switched off using the below feature toggle. enabled: true + # Control access for external users to groupware data + # Ref.: https://documentation.open-xchange.com/8/middleware/miscellaneous/sharing_and_guest_mode.html + externalSharing: + # Allow anonymous guest users to access resources via share links. + # Ref.: https://documentation.open-xchange.com/8/middleware/miscellaneous/sharing_and_guest_mode.html#share-links + shareLinks: + enabled: false + # Allow sharing of resources with guest users created on demand by App Suite. + # Ref.: https://documentation.open-xchange.com/8/middleware/miscellaneous/sharing_and_guest_mode.html#invite-guests + inviteGuests: + enabled: false + # Mail related settings + mail: + # Mail categories related settings + # Ref.: https://documentation.open-xchange.com/8/middleware/mail/mail_categories.html + categories: + # Toggle the availability of the mail categories feature. + # Ref.: + enabled: true + # Control options for handling incoming emails + inbound: + # Allow users to configure a notification address that receives a notification whenever a new email arrives + # in their inbox. + # Ref.: https://gitlab.open-xchange.com/extensions/public-sector/-/blob/main/documentation/ui/030_autonotify.md + notify: + enabled: true + # Allow users to automatically forward all incoming emails to an email address of their choice. + forward: + enabled: false + # Email encryption related settings. 
+ encryption: + # Toggle the availability of OX Guard + # Ref.: https://www.open-xchange.com/products/ox-guard/ + enabled: true + # Define the maximum size for emails (including their attachments) in Megabyte + maxSize: 25 quota: # Set the default mail storage quota for users in gigabyte. # Just provide the plain number without quoting. It will allow a quota grace of 10% and +20% in trash storage. # If you need different rules you can use customizing on Dovecot's `quotaRules` and `quotaGrace` templating. default: 1 + # User profile related control options + userProfile: + # The user's display name is managed by openDesk IAM and should not be manually changed by the user. + # Ref.: https://documentation.open-xchange.com/8/ui/configuration/settings-list-of.html#mail-misc + editRealName: false migration: oxAppSuite:
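Review bot: The new `categories` block has an empty `# Ref.:` line, and the `encryption.enabled` toggle carries no warning that switching it off on a deployment where OX Guard has already been used makes previously encrypted mails and Guard-stored files unreadable, while the Guard key material and `/opt/open-xchange/guard-files` contents stay behind (the openxchange template only drops routes, capabilities, the hook and the secret files; it cleans up no data). The `maxSize` comment says "Megabyte" but both templates multiply by 1024*1024, i.e. MiB. Suggest dropping the empty Ref line, changing the size comment to `# Define the maximum size for emails (including their attachments) in MiB (value * 1024 * 1024 bytes)`, and adding under `encryption:` the line `# Disabling this after Guard has been in use leaves existing encrypted mails/files inaccessible; keys and stored Guard data are not removed.`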