Merge branch 'master' into refactor/setup-cli-opendkim
This commit is contained in:
Brennan Kinney
GitHub
commit
0b8cdd70b9
|
|
@ -71,16 +71,16 @@ jobs:
|
|||
cache-buildx-
|
||||
|
||||
- name: 'Set up QEMU'
|
||||
uses: docker/setup-qemu-action@v3.4.0
|
||||
uses: docker/setup-qemu-action@v3.6.0
|
||||
with:
|
||||
platforms: arm64
|
||||
|
||||
- name: 'Set up Docker Buildx'
|
||||
uses: docker/setup-buildx-action@v3.9.0
|
||||
uses: docker/setup-buildx-action@v3.10.0
|
||||
|
||||
# NOTE: AMD64 can build within 2 minutes
|
||||
- name: 'Build images'
|
||||
uses: docker/build-push-action@v6.13.0
|
||||
uses: docker/build-push-action@v6.15.0
|
||||
with:
|
||||
context: .
|
||||
# Build at least the AMD64 image (which runs against the test suite).
|
||||
|
|
|
|||
|
|
@ -23,7 +23,7 @@ jobs:
|
|||
|
||||
- name: 'Prepare tags'
|
||||
id: prep
|
||||
uses: docker/metadata-action@v5.6.1
|
||||
uses: docker/metadata-action@v5.7.0
|
||||
with:
|
||||
images: |
|
||||
${{ secrets.DOCKER_REPOSITORY }}
|
||||
|
|
@ -35,12 +35,12 @@ jobs:
|
|||
type=semver,pattern={{major}}.{{minor}}.{{patch}}
|
||||
|
||||
- name: 'Set up QEMU'
|
||||
uses: docker/setup-qemu-action@v3.4.0
|
||||
uses: docker/setup-qemu-action@v3.6.0
|
||||
with:
|
||||
platforms: arm64
|
||||
|
||||
- name: 'Set up Docker Buildx'
|
||||
uses: docker/setup-buildx-action@v3.9.0
|
||||
uses: docker/setup-buildx-action@v3.10.0
|
||||
|
||||
# Try get the cached build layers from a prior `generic_build.yml` job.
|
||||
# NOTE: Until adopting `type=gha` scoped cache exporter (in `docker/build-push-action`),
|
||||
|
|
@ -67,7 +67,7 @@ jobs:
|
|||
password: ${{ secrets.GITHUB_TOKEN }}
|
||||
|
||||
- name: 'Build and publish images'
|
||||
uses: docker/build-push-action@v6.13.0
|
||||
uses: docker/build-push-action@v6.15.0
|
||||
with:
|
||||
context: .
|
||||
build-args: |
|
||||
|
|
|
|||
|
|
@ -38,12 +38,12 @@ jobs:
|
|||
# Ensures consistent BuildKit version (not coupled to Docker Engine),
|
||||
# and increased compatibility of the build cache vs mixing buildx drivers.
|
||||
- name: 'Set up Docker Buildx'
|
||||
uses: docker/setup-buildx-action@v3.9.0
|
||||
uses: docker/setup-buildx-action@v3.10.0
|
||||
|
||||
# Importing from the cache should create the image within approx 30 seconds:
|
||||
# NOTE: `qemu` step is not needed as we only test for AMD64.
|
||||
- name: 'Build AMD64 image from cache'
|
||||
uses: docker/build-push-action@v6.13.0
|
||||
uses: docker/build-push-action@v6.15.0
|
||||
with:
|
||||
context: .
|
||||
tags: mailserver-testing:ci
|
||||
|
|
|
|||
|
|
@ -37,12 +37,12 @@ jobs:
|
|||
# Ensures consistent BuildKit version (not coupled to Docker Engine),
|
||||
# and increased compatibility of the build cache vs mixing buildx drivers.
|
||||
- name: 'Set up Docker Buildx'
|
||||
uses: docker/setup-buildx-action@v3.9.0
|
||||
uses: docker/setup-buildx-action@v3.10.0
|
||||
|
||||
# Importing from the cache should create the image within approx 30 seconds:
|
||||
# NOTE: `qemu` step is not needed as we only test for AMD64.
|
||||
- name: 'Build AMD64 image from cache'
|
||||
uses: docker/build-push-action@v6.13.0
|
||||
uses: docker/build-push-action@v6.15.0
|
||||
with:
|
||||
context: .
|
||||
tags: mailserver-testing:ci
|
||||
|
|
|
|||
26
CHANGELOG.md
26
CHANGELOG.md
|
|
@ -2,10 +2,29 @@
|
|||
|
||||
All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
|
||||
|
||||
## [Unreleased](https://github.com/docker-mailserver/docker-mailserver/compare/v14.0.0...HEAD)
|
||||
## [Unreleased](https://github.com/docker-mailserver/docker-mailserver/compare/v15.0.0...HEAD)
|
||||
|
||||
> **Note**: Changes and additions listed here are contained in the `:edge` image tag. These changes may not be as stable as released changes.
|
||||
|
||||
### Added
|
||||
|
||||
- **Internal:**
|
||||
- Added the Smallstep `step` CLI command for future internal usage ([#4376](https://github.com/docker-mailserver/docker-mailserver/pull/4376))
|
||||
|
||||
### Fixes
|
||||
|
||||
- **Postfix:**
|
||||
- `setup email restrict` generated configs now only prepend to `dms_smtpd_sender_restrictions` ([#4379](https://github.com/docker-mailserver/docker-mailserver/pull/4379))
|
||||
- **Internal:**
|
||||
- A permissions fix for `/var/log/mail` that was [added in DMS v15]((https://github.com/docker-mailserver/docker-mailserver/pull/4374)) no longer encounters an error when no log files are present during a container restart, such as with a `tmpfs` volume mount ([#4391](https://github.com/docker-mailserver/docker-mailserver/pull/4391))
|
||||
|
||||
### Updates
|
||||
|
||||
- **Internal:**
|
||||
- Minor improvements to `_install_utils()` in `packages.sh` ([#4376](https://github.com/docker-mailserver/docker-mailserver/pull/4376))
|
||||
|
||||
## [v15.0.0](https://github.com/docker-mailserver/docker-mailserver/releases/tag/v15.0.0)
|
||||
|
||||
### Breaking
|
||||
|
||||
- **saslauthd** mechanism support via ENV `SASLAUTHD_MECHANISMS` with `pam`, `shadow`, `mysql` values has been removed. Only `ldap` and `rimap` remain supported ([#4259](https://github.com/docker-mailserver/docker-mailserver/pull/4259))
|
||||
|
|
@ -17,6 +36,7 @@ All notable changes to this project will be documented in this file. The format
|
|||
- This has been corrected to `/var/lib/getmail` (_if you have mounted a DMS State Volume to `/var/mail-state`, `/var/lib/getmail` will be symlinked to `/var/mail-state/lib-getmail`_).
|
||||
- To preserve this state when upgrading to DMS v15, **you must manually migrate `getmail/` from the _DMS Config Volume_ to `lib-getmail/` in the _DMS State Volume_.**
|
||||
- `setup email delete <EMAIL ADDRESS>` now requires explicit confirmation if the mailbox data should be deleted ([#4365](https://github.com/docker-mailserver/docker-mailserver/pull/4365)).
|
||||
- **Rspamd:** Removed deprecated file path check (_DMS config volume: `./rspamd-modules.conf` => `./rspamd/custom-commands.conf`_) ([#4373](https://github.com/docker-mailserver/docker-mailserver/pull/4373))
|
||||
|
||||
### Added
|
||||
|
||||
|
|
@ -26,7 +46,7 @@ All notable changes to this project will be documented in this file. The format
|
|||
|
||||
### Updates
|
||||
|
||||
**Internal:**
|
||||
- **Internal:**
|
||||
- **Removed `VERSION` file** from the repo. Releases of DMS prior to v13 (Nov 2023) would check this to detect new releases ([#3677](https://github.com/docker-mailserver/docker-mailserver/issues/3677), [#4321](https://github.com/docker-mailserver/docker-mailserver/pull/4321))
|
||||
- During image build, ensure a secure connection when downloading the `fail2ban` package ([#4080](https://github.com/docker-mailserver/docker-mailserver/pull/4080))
|
||||
- Refactored `setup config dkim` (`open-dkim`) ([#4375](https://github.com/docker-mailserver/docker-mailserver/pull/4375))
|
||||
|
|
@ -60,7 +80,7 @@ All notable changes to this project will be documented in this file. The format
|
|||
- The main `mail.log` (_which is piped to stdout via `tail`_) now correctly begins from the first log line of the active container run. Previously some daemon logs and potential warnings/errors were omitted ([#4146](https://github.com/docker-mailserver/docker-mailserver/pull/4146))
|
||||
- `start-mailserver.sh` removed unused `shopt -s inherit_errexit` ([#4161](https://github.com/docker-mailserver/docker-mailserver/pull/4161))
|
||||
- Fixed a regression introduced in DMS v14 where `postfix-main.cf` appended `stderr` output into `/etc/postfix/main.cf`, causing Postfix startup to fail ([#4147](https://github.com/docker-mailserver/docker-mailserver/pull/4147))
|
||||
- Fixed a regression introduced in DMS v14 to better support running `start-mailserver.sh` with container restarts, which now only skip calling `_setup()` ([#4323](https://github.com/docker-mailserver/docker-mailserver/pull/4323#issuecomment-2629559254))
|
||||
- Fixed a regression introduced in DMS v14 to better support running `start-mailserver.sh` with container restarts, which now only skip calling `_setup()` ([#4323](https://github.com/docker-mailserver/docker-mailserver/pull/4323#issuecomment-2629559254), [#4374](https://github.com/docker-mailserver/docker-mailserver/pull/4374))
|
||||
- The command `swaks --help` is now functional ([#4282](https://github.com/docker-mailserver/docker-mailserver/pull/4282))
|
||||
- **Rspamd:**
|
||||
- DKIM private key path checking is now performed only on paths that do not contain `$` ([#4201](https://github.com/docker-mailserver/docker-mailserver/pull/4201))
|
||||
|
|
|
|||
|
|
@ -1,10 +1,10 @@
|
|||
# Docs: https://docker-mailserver.github.io/docker-mailserver/v14.0/config/advanced/mail-fetchmail
|
||||
# Docs: https://docker-mailserver.github.io/docker-mailserver/v15.0/config/advanced/mail-fetchmail
|
||||
# Additional context, with CLI commands for verification:
|
||||
# https://github.com/orgs/docker-mailserver/discussions/3994#discussioncomment-9290570
|
||||
|
||||
services:
|
||||
dms-fetch:
|
||||
image: ghcr.io/docker-mailserver/docker-mailserver:latest # :14.0
|
||||
image: ghcr.io/docker-mailserver/docker-mailserver:latest # :15.0
|
||||
hostname: mail.example.test
|
||||
environment:
|
||||
ENABLE_FETCHMAIL: 1
|
||||
|
|
@ -26,7 +26,7 @@ services:
|
|||
target: /tmp/docker-mailserver/fetchmail.cf
|
||||
|
||||
dms-remote:
|
||||
image: ghcr.io/docker-mailserver/docker-mailserver:latest # :14.0
|
||||
image: ghcr.io/docker-mailserver/docker-mailserver:latest # :15.0
|
||||
hostname: mail.remote.test
|
||||
environment:
|
||||
# Allows for us send a test mail easily by trusting any mail client run within this container (`swaks`):
|
||||
|
|
|
|||
|
|
@ -1,11 +1,11 @@
|
|||
# Docs: https://docker-mailserver.github.io/docker-mailserver/v14.0/config/advanced/mail-forwarding/relay-hosts/
|
||||
# Docs: https://docker-mailserver.github.io/docker-mailserver/v15.0/config/advanced/mail-forwarding/relay-hosts/
|
||||
# Additional context, with CLI commands for verification:
|
||||
# https://github.com/docker-mailserver/docker-mailserver/issues/4136#issuecomment-2253693490
|
||||
|
||||
services:
|
||||
# This would represent your actual DMS container:
|
||||
dms-sender:
|
||||
image: mailserver/docker-mailserver:latest # :14.0
|
||||
image: mailserver/docker-mailserver:latest # :15.0
|
||||
hostname: mail.example.test
|
||||
environment:
|
||||
# All outbound mail will be relayed through this host
|
||||
|
|
@ -37,7 +37,7 @@ services:
|
|||
|
||||
# Pretend this is your third-party relay service:
|
||||
dms-relay:
|
||||
image: mailserver/docker-mailserver:latest # :14.0
|
||||
image: mailserver/docker-mailserver:latest # :15.0
|
||||
hostname: smtp.relay-service.test
|
||||
environment:
|
||||
# WORKAROUND: Bypass security checks from the mail-client (dms-sender container)
|
||||
|
|
@ -58,7 +58,7 @@ services:
|
|||
|
||||
# Pretend this is another mail server that your target recipient belongs to (like Gmail):
|
||||
dms-destination:
|
||||
image: mailserver/docker-mailserver:latest # :14.0
|
||||
image: mailserver/docker-mailserver:latest # :15.0
|
||||
hostname: mail.destination.test
|
||||
# WORKAROUND: dms-relay must be able to resolve DNS for `@destination.test` to the IP of this container:
|
||||
# Normally a MX record would direct mail to the MTA (eg: `mail.destination.test`)
|
||||
|
|
|
|||
|
|
@ -151,6 +151,6 @@ We provide this support via two config files:
|
|||
[wikipedia::smarthost]: https://en.wikipedia.org/wiki/Smart_host
|
||||
|
||||
[docs::env-relay]: ../../environment.md#relay-host
|
||||
[dms-repo::helpers-relay]: https://github.com/docker-mailserver/docker-mailserver/blob/v14.0.0/target/scripts/helpers/relay.sh
|
||||
[dms-repo::helpers-relay]: https://github.com/docker-mailserver/docker-mailserver/blob/v15.0.0/target/scripts/helpers/relay.sh
|
||||
[dms-gh::pr-3607]: https://github.com/docker-mailserver/docker-mailserver/issues/3607
|
||||
[dms-gh::relay-example]: https://github.com/docker-mailserver/docker-mailserver/issues/3842#issuecomment-1913380639
|
||||
|
|
|
|||
|
|
@ -14,18 +14,48 @@ hide:
|
|||
|
||||
## Configuration
|
||||
|
||||
!!! warning
|
||||
Enabling Fail2Ban support can be done via ENV, but also requires granting at least the `NET_ADMIN` capability to interact with the kernel and ban IP addresses.
|
||||
|
||||
DMS must be launched with the `NET_ADMIN` capability in order to be able to install the NFTables rules that actually ban IP addresses. Thus, either include `--cap-add=NET_ADMIN` in the `docker run` command, or the equivalent in the `compose.yaml`:
|
||||
!!! example
|
||||
|
||||
```yaml
|
||||
cap_add:
|
||||
- NET_ADMIN
|
||||
```
|
||||
=== "Docker Compose"
|
||||
|
||||
```yaml title="compose.yaml"
|
||||
services:
|
||||
mailserver:
|
||||
environment:
|
||||
- ENABLE_FAIL2BAN=1
|
||||
cap_add:
|
||||
- NET_ADMIN
|
||||
```
|
||||
|
||||
=== "Docker CLI"
|
||||
|
||||
```bash
|
||||
docker run --rm -it \
|
||||
--cap-add=NET_ADMIN \
|
||||
--env ENABLE_FAIL2BAN=1
|
||||
```
|
||||
|
||||
!!! warning "Security risk of adding non-default capabilties"
|
||||
|
||||
DMS bundles F2B into the image for convenience to simplify integration and deployment.
|
||||
|
||||
The [`NET_ADMIN`][security::cap-net-admin] and [`NET_RAW`][security::cap-net-raw] capabilities are not granted by default to the container root user, as they can be used to compromise security.
|
||||
|
||||
If this risk concerns you, it may be wiser to instead prefer only granting these capabilities to a dedicated Fail2Ban container ([example][lsio:f2b-image]).
|
||||
|
||||
!!! bug "Running Fail2Ban on Older Kernels"
|
||||
|
||||
DMS configures F2B to use NFTables, not IPTables (legacy). We have observed that older systems, for example NAS systems, do not support the modern NFTables rules. You will need to configure F2B to use legacy IPTables again, for example with the [``fail2ban-jail.cf``][github-file-f2bjail], see the [section on configuration further down below](#custom-files).
|
||||
DMS configures F2B to use [NFTables][network::nftables], not [IPTables (legacy)][network::iptables-legacy].
|
||||
|
||||
We have observed that older systems (for example NAS systems), do not support the modern NFTables rules. You will need to configure F2B to use legacy IPTables again, for example with the [`fail2ban-jail.cf`][github-file-f2bjail], see the [section on configuration further down below](#custom-files).
|
||||
|
||||
[security::cap-net-admin]: https://0xn3va.gitbook.io/cheat-sheets/container/escaping/excessive-capabilities#cap_net_admin
|
||||
[security::cap-net-raw]: https://0xn3va.gitbook.io/cheat-sheets/container/escaping/excessive-capabilities#cap_net_raw
|
||||
[lsio:f2b-image]: https://docs.linuxserver.io/images/docker-fail2ban
|
||||
[network::nftables]: https://en.wikipedia.org/wiki/Nftables
|
||||
[network::iptables-legacy]: https://developers.redhat.com/blog/2020/08/18/iptables-the-two-variants-and-their-relationship-with-nftables#two_variants_of_the_iptables_command
|
||||
|
||||
### DMS Defaults
|
||||
|
||||
|
|
|
|||
|
|
@ -139,7 +139,7 @@ To use the web interface you will need to configure a password, [otherwise you w
|
|||
|
||||
---
|
||||
|
||||
**Related:** A minimal Rspamd `compose.yaml` [example with a reverse-proxy for web access][gh-dms:guide::rspamd-web].
|
||||
**Related:** A minimal Rspamd `compose.yaml` [example with a reverse-proxy for web access][gh-dms::guide::rspamd-web].
|
||||
|
||||
### DNS
|
||||
|
||||
|
|
@ -353,8 +353,8 @@ While _Abusix_ can be integrated into Postfix, Postscreen and a multitude of oth
|
|||
[abusix-docs::rspamd-integration]: https://abusix.com/docs/rspamd/
|
||||
[spamhaus::faq::dnsbl-usage]: https://www.spamhaus.org/faq/section/DNSBL%20Usage#365
|
||||
|
||||
[dms-repo::rspamd-actions-config]: https://github.com/docker-mailserver/docker-mailserver/tree/v14.0.0/target/rspamd/local.d/actions.conf
|
||||
[dms-repo::default-rspamd-configuration]: https://github.com/docker-mailserver/docker-mailserver/tree/v14.0.0/target/rspamd
|
||||
[dms-repo::rspamd-actions-config]: https://github.com/docker-mailserver/docker-mailserver/tree/v15.0.0/target/rspamd/local.d/actions.conf
|
||||
[dms-repo::default-rspamd-configuration]: https://github.com/docker-mailserver/docker-mailserver/tree/v15.0.0/target/rspamd
|
||||
[gh-dms::guide::valkey]: https://github.com/docker-mailserver/docker-mailserver/issues/4001#issuecomment-2652596692
|
||||
[gh-dms::guide::rspamd-web]: https://github.com/orgs/docker-mailserver/discussions/4269#discussioncomment-11329588
|
||||
|
||||
|
|
|
|||
|
|
@ -24,39 +24,41 @@ As the official DMS image does not provide `dovecot-solr`, you'll need to includ
|
|||
!!! quote ""
|
||||
|
||||
=== "`user-patches.sh`"
|
||||
|
||||
|
||||
If you'd prefer to avoid a custom image build. This approach is simpler but with the caveat that any time the container is restarted, you'll have a delay as the package is installed each time.
|
||||
|
||||
|
||||
```bash
|
||||
#!/bin/bash
|
||||
|
||||
|
||||
apt-get update && apt-get install dovecot-solr
|
||||
```
|
||||
|
||||
|
||||
=== "`compose.yaml`"
|
||||
|
||||
|
||||
A custom DMS image does not add much friction. You do not need a separate `Dockerfile` as Docker Compose supports building from an inline `Dockerfile` in your `compose.yaml`.
|
||||
|
||||
|
||||
The `image` key of the service is swapped for the `build` key instead, as shown below:
|
||||
|
||||
|
||||
```yaml
|
||||
services:
|
||||
mailserver:
|
||||
hostname: mail.example.com
|
||||
# The `image` setting now represents the tag for the local build configured below:
|
||||
image: local/dms:14.0
|
||||
image: local/dms:${DMS_TAG?Must set DMS image tag}
|
||||
# Local build (no need to try pull `image` remotely):
|
||||
pull_policy: build
|
||||
# Add this `build` section to your real `compose.yaml` for your DMS service:
|
||||
build:
|
||||
dockerfile_inline: |
|
||||
FROM docker.io/mailserver/docker-mailserver:14.0
|
||||
FROM docker.io/mailserver/docker-mailserver:${DMS_TAG?Must set DMS image tag}
|
||||
RUN apt-get update && apt-get install dovecot-solr
|
||||
```
|
||||
|
||||
- Just run `docker compose up` and it will pull DMS and build your custom image to run a container.
|
||||
- Updating to a new DMS release is straight-forward, just adjust the version tag as you normally would. If you make future changes that don't apply, you may need to force a rebuild.
|
||||
- This approach only needs to install the package once with the image build itself. This minimizes delay of container startup.
|
||||
|
||||
This approach only needs to install the package once with the image build itself which minimizes the delay of container startup.
|
||||
|
||||
- Just run `DMS_TAG='14.0' docker compose up` and it will pull the DMS image, then build your custom DMS image to run a new container instance.
|
||||
- Updating to a new DMS release is straight-forward, just adjust the `DMS_TAG` ENV value or change the image tag directly in `compose.yaml` as you normally would to upgrade an image.
|
||||
- If you make future changes to the `dockerfile_inline` that don't seem to be applied, you may need to force a rebuild with `DMS_TAG='14.0' docker compose up --build`.
|
||||
|
||||
!!! note "Why doesn't DMS include `dovecot-solr`?"
|
||||
|
||||
|
|
|
|||
|
|
@ -508,7 +508,7 @@ DOVECOT_MAILBOX_FORMAT=maildir
|
|||
|
||||
# empty => no
|
||||
# yes => Allow bind authentication for LDAP
|
||||
# https://wiki.dovecot.org/AuthDatabase/LDAP/AuthBinds
|
||||
# https://doc.dovecot.org/2.4.0/core/config/auth/databases/ldap.html#authentication-bind
|
||||
DOVECOT_AUTH_BIND=
|
||||
|
||||
# -----------------------------------------------
|
||||
|
|
|
|||
|
|
@ -68,9 +68,10 @@ smtpd_forbid_bare_newline = yes
|
|||
# smtpd_forbid_bare_newline_exclusions = $mynetworks
|
||||
|
||||
# Custom defined parameters for DMS:
|
||||
# reject_unknown_sender_domain: https://github.com/docker-mailserver/docker-mailserver/issues/3716#issuecomment-1868033234
|
||||
# Custom sender restrictions overview: https://github.com/docker-mailserver/docker-mailserver/pull/4379#issuecomment-2670365917
|
||||
# `reject_unknown_sender_domain`: https://github.com/docker-mailserver/docker-mailserver/issues/3716#issuecomment-1868033234
|
||||
dms_smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain
|
||||
# Submission ports 587 and 465 support for SPOOF_PROTECTION=1
|
||||
# `SPOOF_PROTECTION=1` support requires prepending `reject_authenticated_sender_login_mismatch`
|
||||
mua_sender_restrictions = reject_authenticated_sender_login_mismatch, $dms_smtpd_sender_restrictions
|
||||
|
||||
# Postscreen settings to drop zombies/open relays/spam early
|
||||
|
|
|
|||
|
|
@ -36,20 +36,46 @@ function _pre_installation_steps() {
|
|||
apt-get "${QUIET}" install --no-install-recommends "${EARLY_PACKAGES[@]}" 2>/dev/null
|
||||
}
|
||||
|
||||
# Install third-party commands to /usr/local/bin
|
||||
function _install_utils() {
|
||||
local ARCH_A
|
||||
ARCH_A=$(uname --machine)
|
||||
# Alternate naming convention support: x86_64 (amd64) / aarch64 (arm64)
|
||||
# https://en.wikipedia.org/wiki/X86-64#Industry_naming_conventions
|
||||
local ARCH_B
|
||||
case "${ARCH_A}" in
|
||||
( 'x86_64' ) ARCH_B='amd64' ;;
|
||||
( 'aarch64' ) ARCH_B='arm64' ;;
|
||||
( * )
|
||||
_log 'error' "Unsupported arch: '${ARCH_A}'"
|
||||
return 1
|
||||
;;
|
||||
esac
|
||||
|
||||
# TIP: `*.tar.gz` releases tend to forget to reset UID/GID ownership when archiving.
|
||||
# When extracting with `tar` as `root` the archived UID/GID is kept, unless using `--no-same-owner`.
|
||||
# Likewise when the binary is in a nested location the full archived path
|
||||
# must be provided + `--strip-components` to extract the file to the target directory.
|
||||
# Doing this avoids the need for (`mv` + `rm`) or (`--to-stdout` + `chmod +x`)
|
||||
_log 'debug' 'Installing utils sourced from Github'
|
||||
|
||||
_log 'trace' 'Installing jaq'
|
||||
local JAQ_TAG='v2.1.0'
|
||||
curl -sSfL "https://github.com/01mf02/jaq/releases/download/${JAQ_TAG}/jaq-$(uname -m)-unknown-linux-gnu" -o /usr/bin/jaq
|
||||
chmod +x /usr/bin/jaq
|
||||
curl -sSfL "https://github.com/01mf02/jaq/releases/download/${JAQ_TAG}/jaq-$(uname -m)-unknown-linux-gnu" -o /usr/local/bin/jaq
|
||||
chmod +x /usr/local/bin/jaq
|
||||
|
||||
_log 'trace' 'Installing step'
|
||||
local STEP_RELEASE='0.28.2'
|
||||
curl -sSfL "https://github.com/smallstep/cli/releases/download/v${STEP_RELEASE}/step_linux_${STEP_RELEASE}_${ARCH_B}.tar.gz" \
|
||||
| tar -xz --directory /usr/local/bin --no-same-owner --strip-components=2 "step_${STEP_RELEASE}/bin/step"
|
||||
|
||||
_log 'trace' 'Installing swaks'
|
||||
# `perl-doc` is required for `swaks --help` to work:
|
||||
apt-get "${QUIET}" install --no-install-recommends perl-doc
|
||||
local SWAKS_VERSION='20240103.0'
|
||||
local SWAKS_RELEASE="swaks-${SWAKS_VERSION}"
|
||||
curl -sSfL "https://github.com/jetmore/swaks/releases/download/v${SWAKS_VERSION}/${SWAKS_RELEASE}.tar.gz" | tar -xz
|
||||
mv "${SWAKS_RELEASE}/swaks" /usr/local/bin
|
||||
rm -r "${SWAKS_RELEASE}"
|
||||
curl -sSfL "https://github.com/jetmore/swaks/releases/download/v${SWAKS_VERSION}/${SWAKS_RELEASE}.tar.gz" \
|
||||
| tar -xz --directory /usr/local/bin --no-same-owner --strip-components=1 "${SWAKS_RELEASE}/swaks"
|
||||
}
|
||||
|
||||
function _install_postfix() {
|
||||
|
|
|
|||
|
|
@ -111,14 +111,6 @@ function _rspamd_handle_user_modules_adjustments() {
|
|||
fi
|
||||
}
|
||||
|
||||
# We check for usage of the previous location of the commands file.
|
||||
# TODO This can be removed after the release of v14.0.0.
|
||||
local RSPAMD_DMS_CUSTOM_COMMANDS_F_OLD="${RSPAMD_DMS_D}-modules.conf"
|
||||
readonly RSPAMD_DMS_CUSTOM_COMMANDS_F_OLD
|
||||
if [[ -f ${RSPAMD_DMS_CUSTOM_COMMANDS_F_OLD} ]]; then
|
||||
_dms_panic__general "Old custom command file location '${RSPAMD_DMS_CUSTOM_COMMANDS_F_OLD}' is deprecated (use '${RSPAMD_DMS_CUSTOM_COMMANDS_F}' now)" 'Rspamd setup'
|
||||
fi
|
||||
|
||||
if [[ -f "${RSPAMD_DMS_CUSTOM_COMMANDS_F}" ]]; then
|
||||
__rspamd__log 'debug' "Found file '${RSPAMD_DMS_CUSTOM_COMMANDS_F}' - parsing and applying it"
|
||||
|
||||
|
|
|
|||
|
|
@ -43,7 +43,6 @@ function _register_functions() {
|
|||
# ? >> Setup
|
||||
|
||||
_register_setup_function '_setup_vmail_id'
|
||||
_register_setup_function '_setup_logs_general'
|
||||
_register_setup_function '_setup_timezone'
|
||||
|
||||
if [[ ${SMTP_ONLY} -ne 1 ]]; then
|
||||
|
|
@ -182,6 +181,9 @@ if [[ -f /CONTAINER_START ]]; then
|
|||
# We cannot skip all setup routines because some need to run _after_
|
||||
# the initial setup (and hence, they cannot be moved to the check stack).
|
||||
_setup_directory_and_file_permissions
|
||||
|
||||
# shellcheck source=./startup/setup.d/mail_state.sh
|
||||
source /usr/local/bin/setup.d/mail_state.sh
|
||||
_setup_adjust_state_permissions
|
||||
else
|
||||
_setup
|
||||
|
|
|
|||
|
|
@ -82,6 +82,8 @@ function _setup_timezone() {
|
|||
fi
|
||||
}
|
||||
|
||||
# Misc checks and fixes migrated here until next refactor:
|
||||
# NOTE: `start-mailserver.sh` runs this along with `mail-state.sh` during container restarts
|
||||
function _setup_directory_and_file_permissions() {
|
||||
_log 'trace' 'Removing leftover PID files from a stop/start'
|
||||
find /var/run/ -not -name 'supervisord.pid' -name '*.pid' -delete
|
||||
|
|
@ -101,6 +103,8 @@ function _setup_directory_and_file_permissions() {
|
|||
_log 'debug' "Ensuring '${RSPAMD_DMS_DKIM_D}' is owned by '_rspamd:_rspamd'"
|
||||
chown -R _rspamd:_rspamd "${RSPAMD_DMS_DKIM_D}"
|
||||
fi
|
||||
|
||||
__log_fixes
|
||||
}
|
||||
|
||||
function _setup_run_user_patches() {
|
||||
|
|
@ -113,3 +117,32 @@ function _setup_run_user_patches() {
|
|||
_log 'trace' "No optional '${USER_PATCHES}' provided"
|
||||
fi
|
||||
}
|
||||
|
||||
function __log_fixes() {
|
||||
_log 'debug' 'Ensuring /var/log/mail owneership + permissions are correct'
|
||||
|
||||
# File/folder permissions are fine when using docker volumes, but may be wrong
|
||||
# when file system folders are mounted into the container.
|
||||
# Set the expected values and create missing folders/files just in case.
|
||||
mkdir -p /var/log/{mail,supervisor}
|
||||
|
||||
# TODO: Remove these lines in a future release once concerns are resolved:
|
||||
# https://github.com/docker-mailserver/docker-mailserver/pull/4370#issuecomment-2661762043
|
||||
chown syslog:root /var/log/mail
|
||||
|
||||
if [[ ${ENABLE_CLAMAV} -eq 1 ]]; then
|
||||
# TODO: Consider assigning /var/log/mail a writable non-root group for other processes like ClamAV?
|
||||
# - Check if ClamAV is capable of creating files itself when they're missing?
|
||||
# - Alternatively a symlink to /var/log/mail from the original intended location would allow write access
|
||||
# as a user to the symlink location, while keeping ownership as root at /var/log/mail
|
||||
# - `LogSyslog false` for clamd.conf + freshclam.conf could possibly be enabled instead of log files?
|
||||
# However without better filtering in place (once Vector is adopted), this should be avoided.
|
||||
touch /var/log/mail/{clamav,freshclam}.log
|
||||
chown clamav:adm /var/log/mail/{clamav,freshclam}.log
|
||||
fi
|
||||
|
||||
# Volume permissions should be corrected:
|
||||
# https://github.com/docker-mailserver/docker-mailserver-helm/issues/137
|
||||
chmod 755 /var/log/mail/
|
||||
find /var/log/mail/ -type f -exec chmod 640 {} +
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,15 +1,5 @@
|
|||
#!/bin/bash
|
||||
|
||||
function _setup_logs_general() {
|
||||
_log 'debug' 'Setting up general log files'
|
||||
|
||||
# File/folder permissions are fine when using docker volumes, but may be wrong
|
||||
# when file system folders are mounted into the container.
|
||||
# Set the expected values and create missing folders/files just in case.
|
||||
mkdir -p /var/log/{mail,supervisor}
|
||||
chown syslog:root /var/log/mail
|
||||
}
|
||||
|
||||
function _setup_logrotate() {
|
||||
_log 'debug' 'Setting up logrotate'
|
||||
|
||||
|
|
|
|||
|
|
@ -93,13 +93,19 @@ EOF
|
|||
function _setup_postfix_late() {
|
||||
_log 'debug' 'Configuring Postfix (late setup)'
|
||||
|
||||
# These two config files are `access` database tables managed via `setup email restrict`:
|
||||
# NOTE: Prepends to existing restrictions, thus has priority over other permit/reject policies that follow.
|
||||
# https://www.postfix.org/postconf.5.html#smtpd_sender_restrictions
|
||||
# https://www.postfix.org/access.5.html
|
||||
__postfix__log 'trace' 'Configuring user access'
|
||||
if [[ -f /tmp/docker-mailserver/postfix-send-access.cf ]]; then
|
||||
sed -i -E 's|(smtpd_sender_restrictions =)|\1 check_sender_access texthash:/tmp/docker-mailserver/postfix-send-access.cf,|' /etc/postfix/main.cf
|
||||
# Prefer to prepend to our specialized variant instead:
|
||||
# https://github.com/docker-mailserver/docker-mailserver/pull/4379
|
||||
sed -i -E 's|^(dms_smtpd_sender_restrictions =)|\1 check_sender_access texthash:/tmp/docker-mailserver/postfix-send-access.cf,|' /etc/postfix/main.cf
|
||||
fi
|
||||
|
||||
if [[ -f /tmp/docker-mailserver/postfix-receive-access.cf ]]; then
|
||||
sed -i -E 's|(smtpd_recipient_restrictions =)|\1 check_recipient_access texthash:/tmp/docker-mailserver/postfix-receive-access.cf,|' /etc/postfix/main.cf
|
||||
sed -i -E 's|^(smtpd_recipient_restrictions =)|\1 check_recipient_access texthash:/tmp/docker-mailserver/postfix-receive-access.cf,|' /etc/postfix/main.cf
|
||||
fi
|
||||
|
||||
__postfix__log 'trace' 'Configuring relay host'
|
||||
|
|
|
|||
|
|
@ -155,13 +155,6 @@ function __setup__security__clamav() {
|
|||
if [[ ${ENABLE_CLAMAV} -eq 1 ]]; then
|
||||
_log 'debug' 'Enabling and configuring ClamAV'
|
||||
|
||||
local FILE
|
||||
for FILE in /var/log/mail/{clamav,freshclam}.log; do
|
||||
touch "${FILE}"
|
||||
chown clamav:adm "${FILE}"
|
||||
chmod 640 "${FILE}"
|
||||
done
|
||||
|
||||
if [[ ${CLAMAV_MESSAGE_SIZE_LIMIT} != '25M' ]]; then
|
||||
_log 'trace' "Setting ClamAV message scan size limit to '${CLAMAV_MESSAGE_SIZE_LIMIT}'"
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue