From 40f85a957f83d87f330e6a7539105ca574510339 Mon Sep 17 00:00:00 2001 From: root Date: Tue, 25 Dec 2018 10:02:30 +0100 Subject: [PATCH] Updates to install scripts --- README.md | 137 ++++++++++++++++++++++++++++----- setup/functions | 83 ++++++++++++++------ setup/install-centos7-https.sh | 13 +++- setup/install-centos7-local.sh | 7 +- 4 files changed, 190 insertions(+), 50 deletions(-) diff --git a/README.md b/README.md index dee5172a..73bdffd6 100644 --- a/README.md +++ b/README.md @@ -2,15 +2,14 @@ [Mailtrain](http://mailtrain.org) is a self hosted newsletter application built on Node.js (v10+) and MySQL (v8+) or MariaDB (v10+). -![](http://mailtrain.org/mailtrain.png) +![](https://mailtrain.org/mailtrain.png) ## Features -* Subscriber list management +* Subscriber lists management * List segmentation * Custom fields * Email templates (including MJML-based templates) -* Large CSV list import files * Custom reports * Automation (triggered and RSS campaigns) * Multiple users with granular user permissions and flexible sharing 
@@ -20,6 +19,121 @@ * 1 vCPU * 2048 MB RAM +## Quick Start + +### Preparation +Mailtrain creates three URL endpoints, which are referred to as "trusted", "sandbox" and "public". This allows Mailtrain +to guarantee security and avoid XSS attacks in the multi-user settings. The function of these three endpoints is as follows: +- *trusted* - This is the main endpoint for the UI that a logged-in user uses to manage lists, send campaigns, etc. +- *sandbox* - This is an endpoint not directly visible to a user. It is used to host WYSIWYG template editors. +- *public* - This is an endpoint for subscribers. It is used to host subscription management forms, files and archive. + +The recommended deployment of Mailtrain would use 3 DNS entries that all points to the **same** IP address. For example as follows: +- *lists.example.com* - public endpoint (A record `lists` under `example.com` domain) +- *mailtrain.example.com* - trusted endpoint (CNAME record `mailtrain` under `example.com` domain that points to `lists`) +- *sbox.mailtrain.example.com* - sandbox endpoint (CNAME record `sbox.mailtrain` under `example.com` domain that points to `lists`) + + + +### Installation on fresh CentOS 7 (public website secured by SSL) + +This will setup a publicly accessible Mailtrain instance. All endpoints (trusted, sandbox, public) will provide both HTTP (on port 80) +and HTTPS (on port 443). The HTTP ports just issue HTTP redirect to their HTTPS counterparts. + +The script below will also acquire a valid certificate from [Let's Encrypt](https://letsencrypt.org/). +If you are hosting Mailtrain on AWS or some other cloud provider, make sure that **before** running the installation +script you allow inbound connection to ports 80 (HTTP) and 443 (HTTPS). + +**Note,** that this will automatically accept the Let's Encrypt's Terms of Service. 
+Thus, by running this script below, you agree with the Let's Encrypt's Terms of Service (https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf). + + + +1. Login as root. (I had some problems running npm as root on CentOS 7 on AWS. This seems to be fixed by the seemingly extraneous `su` within `sudo`.) + ``` + sudo su - + ``` + +2. Install git + ``` + yum install -y git + ``` + +3. Download Mailtrain using git to the `/opt/mailtrain` directory + ``` + cd /opt + git clone https://github.com/Mailtrain-org/mailtrain.git + cd mailtrain + git checkout development + ``` + +4. Run the installation script. Replace the urls and your email address with the correct values. **NOTE** that running this script you agree + Let's Encrypt's conditions. + ``` + sh setup/install-centos7-https.sh mailtrain.example.com sbox.mailtrain.example.com lists.example.com admin@example.com + ``` + +5. Start Mailtrain and enable to be started by default when your server starts. + ``` + systemctl start mailtrain + systemctl enable mailtrain + ``` + +6. Open the trusted endpoint (like `https://mailtrain.example.com`) + +7. Authenticate as `admin`:`test` + +8. Update your password under admin/Account + +9. Update your settings under Administration/Global Settings. + +10. If you intend to sign your email by DKIM, set the DKIM key and DKIM selector under Administration/Send Configurations. + + +### Installation on fresh CentOS 7 (local installation) + +This will setup a locally accessible Mailtrain instance (primarily for development and testing). +All endpoints (trusted, sandbox, public) will provide only HTTP as follows: +- http://localhost:3000 - trusted endpoint +- http://localhost:3003 - sandbox endpoint +- http://localhost:3004 - public endpoint + +1. Login as root + ``` + sudo -i + ``` + +2. Install git + ``` + yum install -y git + ``` + +3. 
Download Mailtrain using git to the `/opt/mailtrain` directory + ``` + cd /opt + git clone https://github.com/Mailtrain-org/mailtrain.git + cd mailtrain + git checkout development + ``` + +4. Run the installation script. Replace the urls and your email address with the correct values. **NOTE** that running this script you agree + Let's Encrypt's conditions. + ``` + sh setup/install-centos7-local.sh + ``` + +5. Start Mailtrain and enable to be started by default when your server starts. + ``` + systemctl start mailtrain + systemctl enable mailtrain + ``` + +6. Open the trusted endpoint http://localhost:3000 + +7. Authenticate as `admin`:`test` + + + ## Quick Start - Deploy with Docker #### Requirements: 
@@ -38,23 +152,6 @@ Depending on how you have configured your system and Docker you may need to prep * Navigate to [http://localhost:3000/settings](http://localhost:3000/settings) and update service configuration. * Navigate to [http://localhost:3000/users/account](http://localhost:3000/users/account) and update user information and password. -## Quick Start - Manual Install (any OS that supports Node.js) - -### Requirements: - * Mailtrain requires at least **Node.js v10**. - - 1. Download Mailtrain files using git: `git clone git://github.com/Mailtrain-org/mailtrain.git` (or download [zipped repo](https://github.com/Mailtrain-org/mailtrain/archive/master.zip)) and open Mailtrain folder `cd mailtrain` - 2. Run `npm install --production` in the Mailtrain folder to install required dependencies - 3. Copy [config/default.toml](config/default.toml) as `config/production.toml` and update MySQL and any other settings in it - 4. Run the server `NODE_ENV=production npm start` - 5. Open [http://localhost:3000/](http://localhost:3000/) - 6. Authenticate as `admin`:`test` - 7. Navigate to [http://localhost:3000/settings](http://localhost:3000/settings) and update service configuration - 8. Navigate to [http://localhost:3000/users/account](http://localhost:3000/users/account) and update user information and password - -## Read The Docs -For more information, please [read the docs](http://docs.mailtrain.org/). - ## License diff --git a/setup/functions b/setup/functions index 2076d508..89858159 100644 --- a/setup/functions +++ b/setup/functions 
@@ -4,13 +4,9 @@ if hash firewall-cmd 2>/dev/null; then firewallCmdExists=yes fi -function installBase { - local urlBaseTrusted="$1" - local urlBaseSandbox="$2" - local urlBasePublic="$3" - +function installPrerequisities { yum -y install epel-release - + curl --silent --location https://rpm.nodesource.com/setup_10.x | bash - cat > /etc/yum.repos.d/mongodb-org.repo < /etc/httpd/conf.d/mailtrain.conf cat >> /etc/httpd/conf.d/mailtrain.conf < + ServerName ${hostTrusted} ServerSignature Off @@ -156,7 +162,7 @@ function installHttps { LogLevel warn - + ServerName ${hostSandbox} ServerSignature Off @@ -168,7 +174,7 @@ function installHttps { LogLevel warn - + ServerName ${hostPublic} ServerSignature Off @@ -179,6 +185,7 @@ function installHttps { ErrorLog logs/${hostPublic}_redirect_error.log LogLevel warn + EOT if [ -n "$firewallCmdExists" ]; then @@ -187,7 +194,7 @@ EOT fi cat >> /etc/httpd/conf.d/mailtrain.conf < + ServerName ${hostTrusted}:${portTrusted} ErrorLog logs/${hostTrusted}_ssl_error.log @@ -204,7 +211,7 @@ EOT ProxyPassReverse "/" "http://127.0.0.1:3000/" - + ServerName ${hostSandbox}:${portSandbox} ErrorLog logs/${hostSandbox}_ssl_error.log @@ -221,8 +228,8 @@ EOT ProxyPassReverse "/" "http://127.0.0.1:3003/" - - ServerName ${hostPublic}:${portPublic} + + ServerName *:${portPublic} ErrorLog logs/${hostPublic}_ssl_error.log TransferLog logs/${hostPublic}_ssl_access.log @@ -257,6 +264,8 @@ EOT function createCertificates { + # This assumes that HTTPD is not yet running + local hostTrusted="$1" local hostSandbox="$2" local hostPublic="$3" 
@@ -271,9 +280,35 @@ function createCertificates { certbot certonly --agree-tos --email "${email}" --standalone -n -d "${hostPublic}" -d "${hostTrusted}" -d "${hostSandbox}" + # Install cron + echo "0 3 * * * /usr/bin/certbot certonly --apache -n -d \"${hostPublic}\" -d \"${hostTrusted}\" -d \"${hostSandbox}\"" > crontab + crontab crontab + rm -rf crontab + if [ -n "$firewallCmdExists" ]; then # Revert firewall to original state firewall-cmd --reload fi } + +function installService { + cat > /etc/systemd/system/mailtrain.service <
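Review bot: in the README features hunk (`@@ -2,15 +2,14 @@`) the line `-* Large CSV list import files` is dropped from the feature list while the commit message only says "Updates to install scripts"; if CSV import was removed or is temporarily unavailable on the `development` branch, say so in the commit message or README, otherwise restore the bullet so the feature list does not silently shrink. The `Subscriber list management` to `Subscriber lists management` change is also a step backwards grammatically; keep the original wording.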
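Review bot: in the README Quick Start hunk (`@@ -20,6 +19,121 @@`) the HTTPS procedure opens the trusted endpoint on port 443 to the internet (step 5 `systemctl start mailtrain` / `systemctl enable mailtrain`) while the admin account still has the documented default credentials `admin`:`test`, and only step 8 changes the password; anyone who reaches the host in between can log in as admin. Either have `install-centos7-https.sh` set (or prompt for) an admin password before the service is enabled, or make the password change a mandatory first action and say in step 7 that the install is not finished until it is done. Two documentation nits in the same hunk: the local-install step 4 repeats "**NOTE** that running this script you agree Let's Encrypt's conditions" although `install-centos7-local.sh` serves plain HTTP on localhost and acquires no certificate, so drop that sentence there; and both procedures `git checkout development`, which is an odd default for a guide whose first variant is a public production instance, so consider pointing at `master` or a tagged release.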
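Review bot: the hunk `@@ -38,23 +152,6 @@` removes the "Quick Start - Manual Install (any OS that supports Node.js)" section and the "Read The Docs" link to `http://docs.mailtrain.org/` without replacement, leaving only CentOS 7 and Docker paths; if the manual install (`npm install --production`, `config/production.toml`, `NODE_ENV=production npm start`) still works on the `development` branch it should stay, and if the docs site is obsolete the commit message should say so rather than just deleting the link.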
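Review bot: in the `installPrerequisities` hunk (`@@ -4,13 +4,9 @@` of `setup/functions`) the line `curl --silent --location https://rpm.nodesource.com/setup_10.x | bash -` pipes an unverified remote script straight into a root shell, and `--silent` also hides any transport error so a truncated download would be executed as far as it got. Prefer adding the nodesource yum repository with its GPG key and installing `nodejs` through `yum` (the function already writes a repo file for mongodb-org the same way), or at least download the script to a file, check it, and run it with `curl --fail`. The function name is also misspelled; `installPrerequisites` is the intended word.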
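Review bot: in the `installHttps` hunk `@@ -221,8 +228,8 @@` the change `-ServerName ${hostPublic}:${portPublic}` / `+ServerName *:${portPublic}` does not do what a catch-all would need: `ServerName` takes a hostname, not a wildcard, so the public vhost will no longer be selected by name for `${hostPublic}`, and because it is declared after the trusted and sandbox vhosts it will not be Apache's default vhost for that port either (the first `VirtualHost` for an address:port is the default). Keep `ServerName ${hostPublic}` (the `ErrorLog logs/${hostPublic}_ssl_error.log` and `TransferLog` names still use it) and, if the public endpoint is meant to answer for any hostname, declare it first for that port or add a `ServerAlias`.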
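Review bot: the new comment in `createCertificates` (`@@ -257,6 +264,8 @@`, `# This assumes that HTTPD is not yet running`) documents a precondition that the function should check rather than assume: the following hunk runs `certbot certonly ... --standalone`, which binds port 80 itself and fails if httpd already owns it, so a rerun of the script on a host where `installHttps` has already been applied and httpd started will break at this point. Test for an active httpd (or stop it for the duration of the standalone challenge) and fail with a clear message instead.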
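Review bot: the cron addition in `createCertificates` (`@@ -271,9 +280,35 @@`) has several problems. `echo "0 3 * * * /usr/bin/certbot certonly --apache -n -d ..." > crontab` followed by `crontab crontab` replaces root's entire crontab, discarding any existing entries, and writes to a relative file named `crontab` in whatever the current directory happens to be before `rm -rf crontab` deletes it; use a dedicated file under `/etc/cron.d/` (or `mktemp` plus `crontab -l | { cat; echo ...; } | crontab -`) and plain `rm -f`. The renewal also uses the `--apache` authenticator while the initial issuance two lines above uses `--standalone`, so renewal depends on the certbot Apache plugin being installed and on the vhost layout, neither of which this function sets up. Finally `certonly` renews the files but never reloads httpd, so a renewed certificate is not served until something restarts Apache; replace the line with `certbot renew` plus a deploy hook such as `systemctl reload httpd`, and rely on certbot's own "not yet due" logic rather than re-requesting every day.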