diff --git a/Dockerfile b/Dockerfile index 677394a1..18610dfc 100644 --- a/Dockerfile +++ b/Dockerfile @@ -8,9 +8,7 @@ ENV ONE_DIR=0 # Packages RUN apt-get update -q --fix-missing && \ apt-get -y upgrade && \ - apt-get -y install postfix -RUN apt-get update -q --fix-missing && \ - apt-get -y upgrade && \ + apt-get -y install postfix && \ apt-get -y install --no-install-recommends \ amavisd-new \ arj \ @@ -49,6 +47,7 @@ RUN apt-get update -q --fix-missing && \ rsyslog \ sasl2-bin \ spamassassin \ + supervisor \ postgrey \ unzip \ && \ @@ -62,6 +61,9 @@ RUN apt-get update -q --fix-missing && \ # Enables Clamav RUN (echo "0 0,6,12,18 * * * /usr/bin/freshclam --quiet" ; crontab -l) | crontab - RUN chmod 644 /etc/clamav/freshclam.conf && freshclam +RUN sed -i 's/Foreground false/Foreground true/g' /etc/clamav/clamd.conf && \ +sed -i 's/AllowSupplementaryGroups false/AllowSupplementaryGroups true/g' /etc/clamav/clamd.conf && \ +mkdir /var/run/clamav && chown -R clamav:root /var/run/clamav # Configures Dovecot RUN sed -i -e 's/include_try \/usr\/share\/dovecot\/protocols\.d/include_try \/etc\/dovecot\/protocols\.d/g' /etc/dovecot/dovecot.conf @@ -100,7 +102,7 @@ RUN (echo "0 4 * * * /usr/local/bin/virus-wiper" ; crontab -l) | crontab - # Configure Fail2ban COPY target/fail2ban/jail.conf /etc/fail2ban/jail.conf COPY target/fail2ban/filter.d/dovecot.conf /etc/fail2ban/filter.d/dovecot.conf -RUN echo "ignoreregex =" >> /etc/fail2ban/filter.d/postfix-sasl.conf +RUN echo "ignoreregex =" >> /etc/fail2ban/filter.d/postfix-sasl.conf && mkdir /var/run/fail2ban # Enables Pyzor and Razor USER amavis 
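Review bot: The two `sed -i` edits of /etc/clamav/clamd.conf in the @@ -62 hunk are never verified, so if the packaged file lacks the literal `Foreground false` or `AllowSupplementaryGroups false` lines the build still succeeds and clamd later backgrounds itself under supervisor, which then respawns it in a loop. Appending a check to the same RUN line, e.g. `grep -q '^Foreground true' /etc/clamav/clamd.conf`, makes the layer fail at build time instead. The same hunk and the @@ -100 hunk create /var/run/clamav and /var/run/fail2ban at image build time; if /run is mounted as tmpfs at container start those directories are gone before the daemons are started, so creating them in start-mailserver.sh next to the existing fail2ban.sock cleanup may be more robust (inferred, not verified from this diff).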
@@ -121,6 +123,9 @@ COPY target/opendmarc/ignore.hosts /etc/opendmarc/ignore.hosts COPY target/fetchmail/fetchmailrc /etc/fetchmailrc_general RUN sed -i 's/START_DAEMON=no/START_DAEMON=yes/g' /etc/default/fetchmail +# Configure supervisor +COPY target/supervisor/supervisor-app.conf /etc/supervisor/conf.d/ + # Configures Postfix COPY target/postfix/main.cf target/postfix/master.cf /etc/postfix/ RUN echo "" > /etc/aliases @@ -149,7 +154,7 @@ RUN chmod +x /usr/local/bin/* EXPOSE 25 587 143 993 110 995 4190 -CMD /usr/local/bin/start-mailserver.sh +CMD /usr/local/bin/start-mailserver.sh | tee /var/log/container-startup.log ADD target/filebeat.yml.tmpl /etc/filebeat/filebeat.yml.tmpl diff --git a/Makefile b/Makefile index e0695097..70938eeb 100644 --- a/Makefile +++ b/Makefile @@ -32,7 +32,7 @@ run: -e SASL_PASSWD="external-domain.com username:password" \ -e ENABLE_MANAGESIEVE=1 \ -e PERMIT_DOCKER=host \ - -e DMS_DEBUG=0 \ + -e DMS_DEBUG=1 \ -h mail.my-domain.com -t $(NAME) sleep 15 docker run -d --name mail_pop3 \ @@ -49,6 +49,7 @@ run: -v "`pwd`/test":/tmp/docker-mailserver-test \ -e SMTP_ONLY=1 \ -e PERMIT_DOCKER=network \ + -e DMS_DEBUG=1 \ -e OVERRIDE_HOSTNAME=mail.my-domain.com \ -t $(NAME) sleep 15 @@ -63,6 +64,7 @@ run: -v "`pwd`/test/config":/tmp/docker-mailserver \ -v "`pwd`/test":/tmp/docker-mailserver-test \ -e PERMIT_DOCKER=network \ + -e DMS_DEBUG=1 \ -e OVERRIDE_HOSTNAME=mail.my-domain.com \ -h mail.my-domain.com \ -t $(NAME) @@ -79,6 +81,7 @@ run: -v "`pwd`/test":/tmp/docker-mailserver-test \ -e ENABLE_FETCHMAIL=1 \ --cap-add=NET_ADMIN \ + -e DMS_DEBUG=1 \ -h mail.my-domain.com -t $(NAME) sleep 15 docker run -d --name mail_disabled_clamav_spamassassin \ @@ -86,6 +89,7 @@ run: -v "`pwd`/test":/tmp/docker-mailserver-test \ -e ENABLE_CLAMAV=0 \ -e ENABLE_SPAMASSASSIN=0 \ + -e DMS_DEBUG=1 \ -h mail.my-domain.com -t $(NAME) sleep 15 docker run -d --name mail_manual_ssl \ 
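Review bot: The new `CMD ... | tee /var/log/container-startup.log` in the @@ -149 hunk is shell form, so PID 1 is `/bin/sh -c` and the container's exit status becomes tee's rather than start-mailserver.sh's, because the default `/bin/sh` does not set pipefail; a startup failure is therefore masked as a clean exit, and signals from `docker stop` land on the wrapper shell rather than the script. A minimal fix is `CMD ["/bin/bash", "-o", "pipefail", "-c", "/usr/local/bin/start-mailserver.sh | tee /var/log/container-startup.log"]`. Since the Makefile now sets `DMS_DEBUG=1` for every test container and passes values such as `SASL_PASSWD` through the environment, it is worth confirming that the persisted startup log cannot contain those credentials.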
@@ -94,6 +98,7 @@ run: -e SSL_TYPE=manual \ -e SSL_CERT_PATH=/tmp/docker-mailserver/letsencrypt/mail.my-domain.com/fullchain.pem \ -e SSL_KEY_PATH=/tmp/docker-mailserver/letsencrypt/mail.my-domain.com/privkey.pem \ + -e DMS_DEBUG=1 \ -h mail.my-domain.com -t $(NAME) sleep 15 docker run -d --name ldap_for_mail \ @@ -120,6 +125,7 @@ run: -e SASLAUTHD_LDAP_PASSWORD=admin \ -e SASLAUTHD_LDAP_SEARCH_BASE=ou=people,dc=localhost,dc=localdomain \ -e POSTMASTER_ADDRESS=postmaster@localhost.localdomain \ + -e DMS_DEBUG=1 \ --link ldap_for_mail:ldap \ -h mail.my-domain.com -t $(NAME) sleep 15 @@ -130,6 +136,7 @@ run: -e SASLAUTHD_MECHANISMS=rimap \ -e SASLAUTHD_MECH_OPTIONS=127.0.0.1 \ -e POSTMASTER_ADDRESS=postmaster@localhost.localdomain \ + -e DMS_DEBUG=1 \ -h mail.my-domain.com -t $(NAME) # Wait for containers to fully start sleep 15 @@ -139,6 +146,7 @@ run: -v "`pwd`/test":/tmp/docker-mailserver-test \ -e ENABLE_POSTFIX_VIRTUAL_TRANSPORT=1 \ -e POSTFIX_DAGENT=lmtp:127.0.0.1:24 \ + -e DMS_DEBUG=1 \ -h mail.my-domain.com -t $(NAME) sleep 30 docker run -d --name mail_with_postgrey \ @@ -148,6 +156,7 @@ run: -e POSTGREY_DELAY=15 \ -e POSTGREY_MAX_AGE=35 \ -e POSTGREY_TEXT="Delayed by postgrey" \ + -e DMS_DEBUG=1 \ -h mail.my-domain.com -t $(NAME) sleep 20 diff --git a/target/start-mailserver.sh b/target/start-mailserver.sh index e2c4d5e3..3eddebc4 100644 --- a/target/start-mailserver.sh +++ b/target/start-mailserver.sh 
@@ -1119,55 +1119,58 @@ function _start_daemons_cron() { } function _start_daemons_rsyslog() { - notify 'task' 'Starting rsyslog' 'n' - display_startup_daemon "/etc/init.d/rsyslog start" + notify 'task' 'Starting rsyslog ' 'n' + supervisorctl start rsyslog } function _start_daemons_saslauthd() { notify 'task' 'Starting saslauthd' 'n' - display_startup_daemon "/etc/init.d/saslauthd start" + display_startup_daemon "/etc/init.d/saslauthd start" } function _start_daemons_fail2ban() { - notify 'task' 'Starting fail2ban' 'n' + notify 'task' 'Starting fail2ban ' 'n' touch /var/log/auth.log # Delete fail2ban.sock that probably was left here after container restart if [ -e /var/run/fail2ban/fail2ban.sock ]; then rm /var/run/fail2ban/fail2ban.sock fi - display_startup_daemon "/etc/init.d/fail2ban start" + supervisorctl start fail2ban } function _start_daemons_opendkim() { - notify 'task' 'Starting opendkim' 'n' - display_startup_daemon "/etc/init.d/opendkim start" + notify 'task' 'Starting opendkim ' 'n' + supervisorctl start opendkim } function _start_daemons_opendmarc() { - notify 'task' 'Starting opendmarc' 'n' - display_startup_daemon "/etc/init.d/opendmarc start" + notify 'task' 'Starting opendmarc ' 'n' + supervisorctl start opendmarc } function _start_daemons_postfix() { notify 'task' 'Starting postfix' 'n' - display_startup_daemon "/etc/init.d/postfix start" + display_startup_daemon "/etc/init.d/postfix start" } function _start_daemons_dovecot() { # Here we are starting sasl and imap, not pop3 because it's disabled by default - notify 'task' 'Starting dovecot services' 'n' - display_startup_daemon "/usr/sbin/dovecot -c /etc/dovecot/dovecot.conf" + + notify 'task' 'Starting dovecot services' 'n' if [ "$ENABLE_POP3" = 1 ]; then notify 'task' 'Starting pop3 services' 'n' mv /etc/dovecot/protocols.d/pop3d.protocol.disab /etc/dovecot/protocols.d/pop3d.protocol - display_startup_daemon "/usr/sbin/dovecot reload" + # /usr/sbin/dovecot reload fi if [ -f 
/tmp/docker-mailserver/dovecot.cf ]; then cp /tmp/docker-mailserver/dovecot.cf /etc/dovecot/local.conf - /usr/sbin/dovecot reload + # /usr/sbin/dovecot reload fi + + + supervisorctl start dovecot # @TODO fix: on integration test # doveadm: Error: userdb lookup: connect(/var/run/dovecot/auth-userdb) failed: No such file or directory @@ -1181,7 +1184,7 @@ function _start_daemons_dovecot() { function _start_daemons_filebeat() { notify 'task' 'Starting filebeat' 'n' - display_startup_daemon "/etc/init.d/filebeat start" + supervisorctl start filebeat } function _start_daemons_fetchmail() { @@ -1192,18 +1195,18 @@ function _start_daemons_fetchmail() { function _start_daemons_clamav() { notify 'task' 'Starting clamav' 'n' - display_startup_daemon "/etc/init.d/clamav-daemon start" + supervisorctl start clamav } function _start_daemons_postgrey() { notify 'task' 'Starting postgrey' 'n' - display_startup_daemon "/etc/init.d/postgrey start" + supervisorctl start postgrey } function _start_daemons_amavis() { notify 'task' 'Starting amavis' 'n' - display_startup_daemon "/etc/init.d/amavis start" + supervisorctl start amavis } ########################################################################## @@ -1238,6 +1241,8 @@ notify 'taskgrp' "#" notify 'taskgrp' "#" notify 'taskgrp' "" +supervisord -c /etc/supervisor/supervisord.conf + register_functions check @@ -1252,7 +1257,7 @@ notify 'taskgrp' "# $HOSTNAME is up and running" notify 'taskgrp' "#" notify 'taskgrp' "" - +touch /var/log/mail/mail.log tail -fn 0 /var/log/mail/mail.log diff --git a/target/supervisor/supervisor-app.conf b/target/supervisor/supervisor-app.conf new file mode 100644 index 00000000..c879654b --- /dev/null +++ b/target/supervisor/supervisor-app.conf 
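Review bot: Every `supervisorctl start <name>` introduced in the @@ -1119 hunk (and in the @@ -1181 and @@ -1192 hunks) replaces a `display_startup_daemon "..."` call with a bare command whose exit status is never examined, while saslauthd and postfix in the same hunk keep the wrapper; with `startsecs=0` in supervisor-app.conf the start is reported successful as soon as the process is forked, so a daemon that dies immediately and enters an autorestart loop still looks started. Keeping the existing helper, e.g. `display_startup_daemon "supervisorctl start rsyslog"`, preserves the previous failure reporting and keeps the start functions consistent. The `notify` strings for rsyslog, fail2ban, opendkim and opendmarc also gained a trailing space (`'Starting rsyslog '`) that the other functions do not have.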
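Review bot: `supervisord -c /etc/supervisor/supervisord.conf` in the @@ -1238 hunk is launched without `-n`, so unless the distro supervisord.conf (not shown in this diff) sets nodaemon it forks into the background and the script continues immediately; the first `supervisorctl start` calls may then race the creation of the control socket. A bounded readiness wait after this line, e.g. `for i in 1 2 3 4 5; do supervisorctl status >/dev/null 2>&1 && break; sleep 1; done`, avoids a transient failure on a slow start. Daemonizing also detaches supervisord's stdio, which affects the `/dev/stdout` log targets configured in supervisor-app.conf.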
@@ -0,0 +1,115 @@
+# each program entry below is a separate terminal command.
+# Each command MUST run in the foreground and stay running.
+# If the command ever exits, the supervisor daemon will automatically run it again.
+# Programs can be controlled like this: 'supervisorctl start fail2ban' 'supervisorctl stop fail2ban'
+# supervisor writes program statuses in /var/log/supervisor
+
+[program:rsyslog]
+startsecs=0
+autostart=false
+autorestart=true
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+command = /usr/sbin/rsyslogd -n
+
+[program:fail2ban]
+startsecs=0
+autostart=false
+autorestart=true
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+command = /usr/bin/fail2ban-server -f
+
+[program:opendkim]
+startsecs=0
+autostart=false
+autorestart=true
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+command = /usr/sbin/opendkim -f
+
+[program:opendmarc]
+startsecs=0
+autostart=false
+autorestart=true
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+command = /usr/sbin/opendmarc -f -p "inet:8893@localhost"
+
+[program:dovecot]
+startsecs=0
+autostart=false
+autorestart=true
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+command = /usr/sbin/dovecot -F -c /etc/dovecot/dovecot.conf
+
+[program:filebeat]
+startsecs=0
+autostart=false
+autorestart=true
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+command = /usr/bin/filebeat -c /etc/filebeat/filebeat.yml
+
+[program:clamav]
+startsecs=0
+autostart=false
+autorestart=true
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+command = /usr/sbin/clamd -c /etc/clamav/clamd.conf
+
+[program:postgrey]
+startsecs=0
+autostart=false
+autorestart=true
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+command = /usr/sbin/postgrey --inet=127.0.0.1:10023
+
+[program:amavis]
+startsecs=0
+autostart=false
+autorestart=true
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+command = /usr/sbin/amavisd-new foreground
+
+
+# Couldn't figure out how to run these in the foreground. We'll start them without supervisor.
+#[program:fetchmail]
+#startsecs=0
+#autostart=false
+#autorestart=true
+#command = /usr/bin/fetchmail
+
+#[program:postfix]
+#startsecs=0
+#autostart=false
+#autorestart=true
+#command = /etc/init.d/postfix start
+
+#[program:saslauthd]
+#startsecs=0
+#autostart=false
+#autorestart=true
+#command = /etc/init.d/saslauthd start
diff --git a/test/tests.bats b/test/tests.bats
index e6d6db7c..7acb13ca 100644
--- a/test/tests.bats
+++ b/test/tests.bats
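Review bot: Every program section logs to `stdout_logfile=/dev/stdout` / `stderr_logfile=/dev/stderr`, but those paths resolve to supervisord's own descriptors, and start-mailserver.sh launches supervisord without `-n`; if it daemonizes (the supervisor default), its stdio is redirected to /dev/null and the output of fail2ban, clamd, opendkim and the rest is silently dropped from the container log, which is exactly the stream a detection pipeline would read. Either run supervisord in the foreground (`nodaemon=true` in supervisord.conf, or `-n` backgrounded from the script) or point the logfiles at files under /var/log/supervisor. No section sets `user=`, so each daemon is spawned as root and relies on its own configuration to drop privileges; the `command = /usr/sbin/postgrey --inet=127.0.0.1:10023` line in particular passes no user or option flags, so whatever the replaced init script and /etc/default/postgrey supplied (including the POSTGREY_* settings the Makefile exercises) may no longer apply — worth verifying the effective user and options of each daemon after the switch. `startsecs=0` combined with `autorestart=true` also means a broken daemon restarts indefinitely without ever reaching FATAL; `startsecs=1` with the default `startretries` produces a visible failure instead.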
@@ -116,6 +116,52 @@ load 'test_helper/bats-assert/load' assert_success } +# +# supervisor +# + +# + +@test "checking restart of process: clamd" { + run docker exec mail /bin/bash -c "pkill -f clamav && sleep 5 && ps aux --forest | grep -v grep | grep '/usr/sbin/clamd'" + assert_success +} + +@test "checking process: new" { + run docker exec mail /bin/bash -c "pkill -f amavis && sleep 5 && ps aux --forest | grep -v grep | grep '/usr/sbin/amavisd-new'" + assert_success +} + +@test "checking process: opendkim" { + run docker exec mail /bin/bash -c "pkill -f opendkim && sleep 5 && ps aux --forest | grep -v grep | grep '/usr/sbin/opendkim'" + assert_success +} + +@test "checking process: opendmarc" { + run docker exec mail /bin/bash -c "pkill -f opendmarc && sleep 5 && ps aux --forest | grep -v grep | grep '/usr/sbin/opendmarc'" + assert_success +} + +@test "checking process: fail2ban (fail2ban server enabled)" { + run docker exec mail_fail2ban /bin/bash -c "pkill -f fail2ban && sleep 5 && ps aux --forest | grep -v grep | grep '/usr/bin/python3 /usr/bin/fail2ban-server'" + assert_success +} + +# + +@test "checking process: clamav (clamav disabled by ENABLED_CLAMAV=0)" { + run docker exec mail_disabled_clamav_spamassassin /bin/bash -c "pkill -f clamd && sleep 5 && ps aux --forest | grep -v grep | grep '/usr/sbin/clamd'" + assert_failure +} + +@test "checking process: saslauthd (saslauthd server enabled)" { + run docker exec mail_with_ldap /bin/bash -c "pkill -f saslauthd && sleep 5 && ps aux --forest | grep -v grep | grep '/usr/sbin/saslauthd'" + assert_success +} + +# + + # # postgrey #
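Review bot: The "clamav disabled" test proves nothing about clamd: when no clamd is running `pkill -f clamd` exits non-zero, the `&&` chain stops before `ps`, and `assert_failure` passes regardless of whether a clamd process exists; drop the pkill there and assert directly on the `ps ... | grep '/usr/sbin/clamd'` result. In the other new tests `pkill -f <name>` matches full command lines, so the `bash -c "pkill -f clamav && ..."` wrapper whose own arguments contain the pattern is itself a candidate and may be terminated before the `sleep 5 && ps` check runs; anchoring the pattern, e.g. `pkill -f '^/usr/sbin/clamd'`, avoids that. The fixed `sleep 5` is a timing assumption that could be replaced by polling `supervisorctl status <name>` for RUNNING. The test titled "checking process: new" should name amavis, and the disabled-clamav title says `ENABLED_CLAMAV=0` while the Makefile sets `ENABLE_CLAMAV=0`.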