Added greylisting using postgrey

2017-01-28 16:51:32 +00:00 · 2017-01-28 16:51:32 +00:00 · 11d4fd9726
parent d40ae81d09
commit 11d4fd9726
7 changed files with 212 additions and 1 deletions
--- a/6
+++ b/6
@ -39,6 +39,7 @@ RUN DEBIAN_FRONTEND=noninteractive apt-get update -q --fix-missing && \
    rsyslog \
    sasl2-bin \
    spamassassin \
+    postgrey \
    unzip \
    && \
  curl -sk http://neuro.debian.net/lists/trusty.de-m.libre > /etc/apt/sources.list.d/neurodebian.sources.list && \
@ -70,6 +71,11 @@ COPY target/postfix/ldap-users.cf target/postfix/ldap-groups.cf target/postfix/l
 # Enables Spamassassin CRON updates
 RUN sed -i -r 's/^(CRON)=0/\1=1/g' /etc/default/spamassassin

+#Enables Postgrey
+COPY target/postgrey/postgrey /etc/default/postgrey
+COPY target/postgrey/postgrey.init /etc/init.d/postgrey
+RUN chmod 755 /etc/init.d/postgrey
+
 # Enables Amavis
 RUN sed -i -r 's/#(@|   \\%)bypass/\1bypass/g' /etc/amavis/conf.d/15-content_filter_mode
 RUN adduser clamav amavis && adduser amavis clamav
--- a/10
+++ b/10
@ -119,6 +119,13 @@ run:
 		-e POSTFIX_DAGENT=lmtp:127.0.0.1:24 \
 		-h mail.my-domain.com -t $(NAME)
 	sleep 30
+	docker run -d --name mail_with_postgrey \
+		-v "`pwd`/test/config":/tmp/docker-mailserver \
+		-v "`pwd`/test":/tmp/docker-mailserver-test \
+		-e ENABLE_POSTGREY=1 \
+		-h mail.my-domain.com -t $(NAME)
+	sleep 15
+

 fixtures:
 	cp config/postfix-accounts.cf config/postfix-accounts.cf.bak
@ -162,7 +169,8 @@ clean:
 		ldap_for_mail \
 		mail_with_ldap \
 		mail_with_imap \
-		mail_lmtp_ip
+		mail_lmtp_ip \
+		mail_with_postgrey

 	@if [ -f config/postfix-accounts.cf.bak ]; then\
 		rm -f config/postfix-accounts.cf ;\
--- a/README.md
+++ b/README.md
@ -18,6 +18,7 @@ Includes:
 - opendmarc
 - fail2ban
 - fetchmail
+- postgrey
 - basic [sieve support](https://github.com/tomav/docker-mailserver/wiki/Configure-Sieve-filters) using dovecot
 - [LetsEncrypt](https://letsencrypt.org/) and self-signed certificates
 - persistent data and state (but think about backups!)
@ -62,6 +63,7 @@ services:
    - ENABLE_SPAMASSASSIN=1
    - ENABLE_CLAMAV=1
    - ENABLE_FAIL2BAN=1
+    - ENABLE_POSTGREY=1
    - ONE_DIR=1
    - DMS_DEBUG=0
    cap_add:
@ -216,6 +218,11 @@ Otherwise, `iptables` won't be able to ban IPs.
  - **0** => `saslauthd` is disabled
  - 1 => `saslauthd` is enabled

+#### ENABLE_POSTGREY
+
+  - **0** => `postgrey` is disabled
+  - 1 => `postgrey` is enabled
+
 ##### SASLAUTHD_MECHANISMS

  - empty => pam
--- a/target/postgrey/postgrey
+++ b/target/postgrey/postgrey
@ -0,0 +1,7 @@
+# you may want to set
+#   --delay=N   how long to greylist, seconds (default: 300)
+#   --max-age=N delete old entries after N days (default: 35)
+
+POSTGREY_OPTS="--inet=10023"
+
+#POSTGREY_TEXT="Your customized rejection message here"
--- a/target/postgrey/postgrey.init
+++ b/target/postgrey/postgrey.init
@ -0,0 +1,141 @@
+#!/bin/sh
+#
+# postgrey      start/stop the postgrey greylisting deamon for postfix
+#               (priority should be smaller than that of postfix)
+#
+# Author:       (c)2004-2006 Adrian von Bidder <avbidder@fortytwo.ch>
+#               Based on Debian sarge's 'skeleton' example
+#               Distribute and/or modify at will.
+#
+# Version:      $Id: postgrey.init 1436 2006-12-07 07:15:03Z avbidder $
+#
+### BEGIN INIT INFO
+# Provides:          postgrey
+# Required-Start:    $syslog $local_fs $remote_fs
+# Required-Stop:     $syslog $local_fs $remote_fs
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: Start/stop the postgrey daemon
+### END INIT INFO
+
+set -e
+
+PATH=/sbin:/bin:/usr/sbin:/usr/bin
+DAEMON=/usr/sbin/postgrey
+DAEMON_NAME=postgrey
+DESC="postfix greylisting daemon"
+DAEMON_USER=postgrey
+
+PIDFILE=/var/run/$DAEMON_NAME.pid
+SCRIPTNAME=/etc/init.d/$DAEMON_NAME
+
+# Gracefully exit if the package has been removed.
+test -x $DAEMON || exit 0
+
+. /lib/lsb/init-functions
+
+# Read config file if it is present.
+if [ -r /etc/default/$DAEMON_NAME ]
+then
+    . /etc/default/$DAEMON_NAME
+fi
+
+POSTGREY_OPTS="--pidfile=$PIDFILE --daemonize $POSTGREY_OPTS"
+if [ -z "$POSTGREY_TEXT" ]; then
+    POSTGREY_TEXT_OPT=""
+else
+    POSTGREY_TEXT_OPT="--greylist-text=$POSTGREY_TEXT"
+fi
+
+ret=0
+
+do_start()
+{
+        # Return
+        #   0 if daemon has been started
+        #   1 if daemon was already running
+        #   2 if daemon could not be started
+        start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
+                || return 1
+        start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- \
+                $POSTGREY_OPTS "$POSTGREY_TEXT_OPT" \
+                || return 2
+}
+
+do_stop()
+{
+	# Return
+	#   0 if daemon has been stopped
+	#   1 if daemon was already stopped
+	#   2 if daemon could not be stopped
+	#   other if a failure occurred
+        start-stop-daemon --user $DAEMON_USER --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE
+        RETVAL="$?"
+        [ "$RETVAL" = 2 ] && return 2
+
+	# Wait for children to finish too if this is a daemon that forks
+	# and if the daemon is only ever run from this initscript.
+	# If the above conditions are not satisfied then add some other code
+	# that waits for the process to drop all resources that could be
+	# needed by services started subsequently.  A last resort is to
+	# sleep for some time.
+	start-stop-daemon --user $DAEMON_USER --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
+	[ "$?" = 2 ] && return 2
+	# Many daemons don't delete their pidfiles when they exit.
+	rm -f $PIDFILE
+	return "$RETVAL"
+
+}
+
+do_reload()
+{
+	#
+	# If the daemon can reload its configuration without
+	# restarting (for example, when it is sent a SIGHUP),
+	# then implement that here.
+	#
+	start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE
+	return 0
+}
+
+case "$1" in
+  start)
+	[ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$DAEMON_NAME"
+        do_start
+	case "$?" in
+		0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+		2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+	esac
+        ;;
+  stop)
+	[ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$DAEMON_NAME"
+        do_stop
+	case "$?" in
+		0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+		2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+	esac
+        ;;
+  reload|force-reload)
+	[ "$VERBOSE" != no ] && log_daemon_msg "Reloading $DESC" "$DAEMON_NAME"
+        do_reload
+	case "$?" in
+		0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+		2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+	esac
+        ;;
+  restart)
+        do_stop
+        do_start
+        ;;
+  status)
+        status_of_proc -p $PIDFILE $DAEMON "$DAEMON_NAME" 2>/dev/null
+        ret=$?
+        ;;
+
+  *)
+        echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload|status}" >&2
+        exit 1
+        ;;
+esac
+
+exit $ret
--- a/target/start-mailserver.sh
+++ b/target/start-mailserver.sh
@ -14,6 +14,7 @@ DEFAULT_VARS["ENABLE_FAIL2BAN"]="${ENABLE_FAIL2BAN:="0"}"
 DEFAULT_VARS["ENABLE_MANAGESIEVE"]="${ENABLE_MANAGESIEVE:="0"}"
 DEFAULT_VARS["ENABLE_FETCHMAIL"]="${ENABLE_FETCHMAIL:="0"}"
 DEFAULT_VARS["ENABLE_LDAP"]="${ENABLE_LDAP:="0"}"
+DEFAULT_VARS["ENABLE_POSTGREY"]="${ENABLE_POSTGREY:="0"}"
 DEFAULT_VARS["ENABLE_SASLAUTHD"]="${ENABLE_SASLAUTHD:="0"}"
 DEFAULT_VARS["SMTP_ONLY"]="${SMTP_ONLY:="0"}"
 DEFAULT_VARS["VIRUSMAILS_DELETE_DELAY"]="${VIRUSMAILS_DELETE_DELAY:="7"}"
@ -90,6 +91,10 @@ function register_functions() {
 		_register_setup_function "_setup_postfix_sasl"
 	fi

+	if [ "$ENABLE_POSTGREY" = 1 ];then
+		_register_setup_function "_setup_postgrey"
+	fi
+
 	_register_setup_function "_setup_dkim"
 	_register_setup_function "_setup_ssl"
 	_register_setup_function "_setup_docker_permit"
@ -141,6 +146,12 @@ function register_functions() {
 	# needs to be started before saslauthd
 	_register_start_daemon "_start_daemons_opendkim"
 	_register_start_daemon "_start_daemons_opendmarc"
+
+	#postfix uses postgray, needs to be started before postfix
+	if [ "$ENABLE_POSTGREY" = 1 ]; then
+		_register_start_daemon "_start_daemons_postgrey"
+	fi
+	
 	_register_start_daemon "_start_daemons_postfix"

 	if [ "$ENABLE_SASLAUTHD" = 1 ];then
@ -160,6 +171,7 @@ function register_functions() {
 		_register_start_daemon "_start_daemons_clamav"
 	fi

+
 	_register_start_daemon "_start_daemons_amavis"
 	################### << daemon funcs
 }
@ -487,6 +499,11 @@ function _setup_ldap() {
 	return 0
 }

+function _setup_postgrey() {
+	notify 'inf' "Configuring postgrey"
+	sed -i -e 's/bl.spamcop.net/bl.spamcop.net, check_policy_service inet:127.0.0.1:10023/' /etc/postfix/main.cf
+}
+
 function _setup_postfix_sasl() {
 	[ ! -f /etc/postfix/sasl/smtpd.conf ] && cat > /etc/postfix/sasl/smtpd.conf << EOF
 pwcheck_method: saslauthd
@ -1023,6 +1040,12 @@ function _start_daemons_clamav() {
 	display_startup_daemon "/etc/init.d/clamav-daemon start"
 }

+function _start_daemons_postgrey() {
+	notify 'task' 'Starting postgrey' 'n'
+	display_startup_daemon "/etc/init.d/postgrey start"
+}
+
+
 function _start_daemons_amavis() {
 	notify 'task' 'Starting amavis' 'n'
 	display_startup_daemon "/etc/init.d/amavis start"
--- a/test/tests.bats
+++ b/test/tests.bats
@ -78,6 +78,25 @@ load 'test_helper/bats-assert/load'
  assert_success
 }

+#
+# postgrey
+#
+
+@test "checking process: postgrey (disabled in default configuration)" {
+  run docker exec mail /bin/bash -c "ps aux --forest | grep -v grep | grep '/usr/sbin/postgrey'"
+  assert_failure
+}
+
+@test "checking postgrey: /etc/postfix/main.cf correctly edited" {
+  run docker exec mail_with_postgrey /bin/bash -c "grep 'bl.spamcop.net, check_policy_service' /etc/postfix/main.cf"
+  assert_success
+}
+
+@test "checking process: postgrey (postgrey server enabled)" {
+  run docker exec mail_with_postgrey /bin/bash -c "ps aux --forest | grep -v grep | grep '/usr/sbin/postgrey'"
+  assert_success
+}
+
 #
 # imap
 #