6 Commits

Author SHA1 Message Date
jcabillot d860bbcc0c Merge pull request 'fix: bump alpine 3.24, dynamic python paths, tini via apk' (#21) from fix/alpine-3.24-and-patch-cleanup into master
Main Release / hadolint (push) Successful in 8s
Main Release / test (push) Successful in 19s
Main Release / build (push) Successful in 14s
Main Release / tag (push) Successful in 8s
Tag Release / hadolint (push) Successful in 6s
Tag Release / test (push) Successful in 11s
Tag Release / build-push (push) Successful in 43s
Reviewed-on: #21
2026-07-16 12:58:55 -04:00
Sagent cd51949b47 fix: bump alpine 3.24, dynamic python paths in patch.py, tini via apk
PR Checks / hadolint (pull_request) Successful in 19s
PR Checks / build-test (pull_request) Successful in 28s
- Alpine 3.23 → 3.24 (ships Python 3.14, not 3.12)
- patch.py: use glob + sys.version_info instead of hardcoded python3.12 paths
- Move SSL SECLEVEL=1 sed from Dockerfile into patch.py
- Tini: replace commented-out manual binary download with apk add tini
  (ENTRYPOINT ["/sbin/tini", "--"] as PID 1 for proper signal handling)
- Remove dead TINI_VERSION env and commented-out lines
2026-07-16 16:27:13 +00:00
jcabillot bbdfda3fa1 Merge pull request 'chore(deps): update docker/login-action digest to af1e73f' (#20) from renovate/docker-login-action-digest into master
Main Release / hadolint (push) Successful in 6s
Main Release / test (push) Successful in 14s
Main Release / build (push) Successful in 24s
Main Release / tag (push) Successful in 58s
Tag Release / hadolint (push) Successful in 16s
Tag Release / test (push) Successful in 20s
Tag Release / build-push (push) Successful in 49s
Reviewed-on: #20
2026-07-03 16:20:13 -04:00
renovate 5bb9bf665a chore(deps): update docker/login-action digest to af1e73f
renovate/stability-days Updates have met minimum release age requirement
PR Checks / hadolint (pull_request) Successful in 9s
PR Checks / build-test (pull_request) Successful in 27s
2026-07-03 14:19:47 +00:00
jcabillot a27f44b4ac Merge pull request 'chore(deps): update docker/metadata-action digest to dc80280' (#18) from renovate/docker-metadata-action-digest into master
Main Release / hadolint (push) Successful in 7s
Main Release / test (push) Successful in 30s
Main Release / build (push) Successful in 22s
Main Release / tag (push) Successful in 13s
Tag Release / hadolint (push) Successful in 49s
Tag Release / test (push) Successful in 33s
Tag Release / build-push (push) Successful in 1m51s
Reviewed-on: #18
2026-07-02 09:37:29 -04:00
renovate 72c2c371c0 chore(deps): update docker/metadata-action digest to dc80280
renovate/stability-days Updates have met minimum release age requirement
PR Checks / hadolint (pull_request) Successful in 29s
PR Checks / build-test (pull_request) Successful in 26s
2026-07-02 13:36:35 +00:00
4 changed files with 87 additions and 23 deletions
+2 -2
View File
@@ -26,7 +26,7 @@ jobs:
with:
fetch-depth: 0
- uses: docker/setup-buildx-action@bb05f3f5519dd87d3ba754cc423b652a5edd6d2c # v4
- uses: docker/login-action@c99871dec2022cc055c062a10cc1a1310835ceb4 # v4
- uses: docker/login-action@af1e73f918a031802d376d3c8bbc3fe56130a9b0 # v4
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -35,7 +35,7 @@ jobs:
TAG=$(git describe --tags --abbrev=0 2>/dev/null || echo "")
echo "tag=$TAG" >> $GITHUB_OUTPUT
- id: meta
uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6
uses: docker/metadata-action@dc802804100637a589fabce1cb79ff13a1411302 # v6
with:
images: jcabillot/offlineimap
tags: |
+2 -2
View File
@@ -24,12 +24,12 @@ jobs:
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
- uses: docker/setup-buildx-action@bb05f3f5519dd87d3ba754cc423b652a5edd6d2c # v4
- uses: docker/login-action@c99871dec2022cc055c062a10cc1a1310835ceb4 # v4
- uses: docker/login-action@af1e73f918a031802d376d3c8bbc3fe56130a9b0 # v4
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- id: meta
uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6
uses: docker/metadata-action@dc802804100637a589fabce1cb79ff13a1411302 # v6
with:
images: jcabillot/offlineimap
tags: |
+8 -14
View File
@@ -1,27 +1,21 @@
FROM alpine:3.23
FROM alpine:3.24
LABEL maintainer="Cabillot Julien <dockerimages@cabillot.eu>"
COPY entrypoint.sh /entrypoint.sh
COPY patch.py /tmp/patch.py
# hadolint ignore=DL3018
RUN apk add --no-cache offlineimap openssl && \
RUN apk add --no-cache offlineimap openssl tini && \
adduser -D offlineimap && \
# Force SECLEVEL=1 in imaplib2 to allow connecting to servers with weak DH keys (DH_KEY_TOO_SMALL)
# This is required because OpenSSL 3.x in Alpine 3.23 defaults to SECLEVEL=2
sed -i 's/ctx = ssl.SSLContext(ssl_version)/ctx = ssl.SSLContext(ssl_version)\n ctx.set_ciphers("DEFAULT:@SECLEVEL=1")/' /usr/lib/python3.*/site-packages/imaplib2/imaplib2.py && \
# Patch offlineimap email generator bug for defective messages
# Apply post-install patches:
# - UnicodeEncodeError fallback for defective messages (Maildir + IMAP)
# - SSL SECLEVEL=1 in imaplib2 to allow connecting to servers with weak DH keys
# (OpenSSL 3.x defaults to SECLEVEL=2)
python3 /tmp/patch.py && rm /tmp/patch.py
COPY --chown=offlineimap offlineimaprc.*.tmpl /home/offlineimap/
# Add Tini
ENV "TINI_VERSION" "v0.16.1"
#ADD "https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini" "/tini"
#RUN chmod +x "/tini"
#ENTRYPOINT ["/tini", "--"]
USER "offlineimap"
#ENTRYPOINT [ "/entrypoint.sh" ]
CMD [ "/entrypoint.sh" ]
ENTRYPOINT ["/sbin/tini", "--"]
CMD [ "/entrypoint.sh" ]
+75 -5
View File
@@ -1,16 +1,52 @@
import sys, os
#!/usr/bin/env python3
"""Post-install patches for offlineimap on Alpine.
Run as root in the Docker build (RUN python3 /tmp/patch.py).
Fixes two upstream issues that persist in offlineimap 8.0.0:
1. UnicodeEncodeError when writing messages with non-ASCII bytes
(Maildir.save thread + IMAP header generation).
2. SSL SECLEVEL=2 in OpenSSL 3.x prevents connecting to servers with
weak DH keys (DH_KEY_TOO_SMALL). Force SECLEVEL=1 in imaplib2.
Paths are resolved dynamically so the patch survives Python version
bumps across Alpine releases (was hardcoded to python3.12).
"""
import glob
import sys
# ---------------------------------------------------------------
# 1. Maildir.py — wrap fd.write(msg.as_bytes(...)) in a try/except
# that falls back to UTF-8 encoded as_string on UnicodeEncodeError
# ---------------------------------------------------------------
maildir_path = glob.glob(
"/usr/lib/python%d.%d/site-packages/offlineimap/folder/Maildir.py"
% (sys.version_info.major, sys.version_info.minor)
)[0]
maildir_path = "/usr/lib/python3.12/site-packages/offlineimap/folder/Maildir.py"
with open(maildir_path, "r") as f:
maildir = f.read()
maildir = maildir.replace(
"fd.write(msg.as_bytes(policy=output_policy))",
"try:\n fd.write(msg.as_bytes(policy=output_policy))\n except UnicodeEncodeError:\n fd.write(msg.as_string(policy=output_policy).encode('utf-8'))"
"try:\n fd.write(msg.as_bytes(policy=output_policy))\n except UnicodeEncodeError:\n fd.write(msg.as_string(policy=output_policy).encode('utf-8'))",
)
with open(maildir_path, "w") as f:
f.write(maildir)
imap_path = "/usr/lib/python3.12/site-packages/offlineimap/folder/IMAP.py"
# ---------------------------------------------------------------
# 2. IMAP.py — add a helper and replace msg.as_bytes(policy=...) calls
# with the helper that falls back on UnicodeEncodeError
# ---------------------------------------------------------------
imap_path = glob.glob(
"/usr/lib/python%d.%d/site-packages/offlineimap/folder/IMAP.py"
% (sys.version_info.major, sys.version_info.minor)
)[0]
with open(imap_path, "r") as f:
imap_py = f.read()
@@ -21,6 +57,40 @@ def get_msg_bytes(msg, policy):
except UnicodeEncodeError:
return msg.as_string(policy=policy).encode('utf-8')
"""
imap_py = imap_patch + imap_py.replace("msg.as_bytes(policy=output_policy)", "get_msg_bytes(msg, output_policy)")
imap_py = imap_patch + imap_py.replace(
"msg.as_bytes(policy=output_policy)", "get_msg_bytes(msg, output_policy)"
)
with open(imap_path, "w") as f:
f.write(imap_py)
# ---------------------------------------------------------------
# 3. imaplib2.py — force SECLEVEL=1 to allow weak DH keys
# (moved here from a sed one-liner in the Dockerfile)
# ---------------------------------------------------------------
imaplib2_paths = glob.glob(
"/usr/lib/python%d.%d/site-packages/imaplib2/imaplib2.py"
% (sys.version_info.major, sys.version_info.minor)
)
if imaplib2_paths:
imaplib2_path = imaplib2_paths[0]
with open(imaplib2_path, "r") as f:
imaplib2_py = f.read()
old = "ctx = ssl.SSLContext(ssl_version)"
new = (
'ctx = ssl.SSLContext(ssl_version)\n'
' ctx.set_ciphers("DEFAULT:@SECLEVEL=1")'
)
if old in imaplib2_py:
imaplib2_py = imaplib2_py.replace(old, new)
with open(imaplib2_path, "w") as f:
f.write(imaplib2_py)
print("Patched imaplib2 SECLEVEL=1")
else:
print("imaplib2 already patched or pattern not found — skipping")
else:
print("imaplib2 not found — skipping SECLEVEL patch")