Archive-Team
/
docker-mailserver
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch 'release/5.8.0' into stable

This commit is contained in:
Johan Smits 2018-03-19 20:46:46 +01:00
parent 9192816e85 f682dfc15d
commit 69d66912c6
No known key found for this signature in database
GPG Key ID: 410DEF86BA323E19
12 changed files with 184 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
.env.dist
View File

@ -45,6 +45,11 @@ TLS_LEVEL=
# Addresses with extension delimiters(http://www.postfix.org/postconf.5.html#recipient_delimiter) are not able to send messages. # Addresses with extension delimiters(http://www.postfix.org/postconf.5.html#recipient_delimiter) are not able to send messages.
SPOOF_PROTECTION= SPOOF_PROTECTION=
# Enables the Sender Rewriting Scheme. SRS is needed if your mail server acts as forwarder. See [postsrsd](https://github.com/roehling/postsrsd/blob/master/README.md#sender-rewriting-scheme-crash-course) for further explanation.
# - **0** => Disabled
# - 1 => Enabled
ENABLE_SRS=0
# 1 => Enables POP3 service # 1 => Enables POP3 service
# empty => disables POP3 # empty => disables POP3
ENABLE_POP3= ENABLE_POP3=
@ -94,6 +99,20 @@ Enabled by ENABLE_POSTFIX_VIRTUAL_TRANSPORT. Specify the final delivery of postf
# etc. # etc.
POSTFIX_DAGENT= POSTFIX_DAGENT=
# Enables a report being sent (created by pflogsumm) on a regular basis.
# **0** => Report emails are disabled
# 1 => Using POSTMASTER_ADDRESS as the recipient
# => Specify the recipient address
REPORT_RECIPIENT=0
# Changes the interval in which a report is being sent.
# **daily** => Send a daily report
# weekly => Send a report every week
# monthly => Send a report every month
#
# Note: This Variable actually controls logrotate inside the container and rotates the log depending on this setting. The main log output is still available in its entirety via `docker logs mail` (Or your respective container name). If you want to control logrotation for the docker generated logfile see: [Docker Logging Drivers](https://docs.docker.com/config/containers/logging/configure/)
REPORT_INTERVAL=daily
# ----------------------------------------------------------------------------------------------------------------------------- # -----------------------------------------------------------------------------------------------------------------------------
# --------------------- Spamassassin section ---------------------------------------------------------------------------------- # --------------------- Spamassassin section ----------------------------------------------------------------------------------
# ----------------------------------------------------------------------------------------------------------------------------- # -----------------------------------------------------------------------------------------------------------------------------

2
Dockerfile
View File

@ -50,6 +50,7 @@ RUN apt-get update -q --fix-missing && \
opendkim-tools \ opendkim-tools \
opendmarc \ opendmarc \
pax \ pax \
pflogsumm \
p7zip-full \ p7zip-full \
postfix-ldap \ postfix-ldap \
postfix-pcre \ postfix-pcre \
@ -197,6 +198,7 @@ RUN sed -i -r "/^#?compress/c\compress\ncopytruncate" /etc/logrotate.conf && \
sed -i -r 's|UpdateLogFile /var/log/clamav/|UpdateLogFile /var/log/mail/|g' /etc/clamav/freshclam.conf && \ sed -i -r 's|UpdateLogFile /var/log/clamav/|UpdateLogFile /var/log/mail/|g' /etc/clamav/freshclam.conf && \
sed -i -r 's|/var/log/clamav|/var/log/mail|g' /etc/logrotate.d/clamav-daemon && \ sed -i -r 's|/var/log/clamav|/var/log/mail|g' /etc/logrotate.d/clamav-daemon && \
sed -i -r 's|/var/log/clamav|/var/log/mail|g' /etc/logrotate.d/clamav-freshclam && \ sed -i -r 's|/var/log/clamav|/var/log/mail|g' /etc/logrotate.d/clamav-freshclam && \
sed -i -r '/\/var\/log\/mail\/mail.log/d' /etc/logrotate.d/rsyslog && \
sed -i -r 's|/var/log/mail|/var/log/mail/mail|g' /etc/logrotate.d/rsyslog && \ sed -i -r 's|/var/log/mail|/var/log/mail/mail|g' /etc/logrotate.d/rsyslog && \
# prevent syslog logrotate warnings \ # prevent syslog logrotate warnings \
sed -i -e 's/\(printerror "could not determine current runlevel"\)/#\1/' /usr/sbin/invoke-rc.d && \ sed -i -e 's/\(printerror "could not determine current runlevel"\)/#\1/' /usr/sbin/invoke-rc.d && \

2
Makefile
View File

@ -25,11 +25,13 @@ run:
-e ENABLE_CLAMAV=1 \ -e ENABLE_CLAMAV=1 \
-e SPOOF_PROTECTION=1 \ -e SPOOF_PROTECTION=1 \
-e ENABLE_SPAMASSASSIN=1 \ -e ENABLE_SPAMASSASSIN=1 \
-e REPORT_RECIPIENT=user1@localhost.localdomain \
-e SA_TAG=-5.0 \ -e SA_TAG=-5.0 \
-e SA_TAG2=2.0 \ -e SA_TAG2=2.0 \
-e SA_KILL=3.0 \ -e SA_KILL=3.0 \
-e SA_SPAM_SUBJECT="SPAM: " \ -e SA_SPAM_SUBJECT="SPAM: " \
-e VIRUSMAILS_DELETE_DELAY=7 \ -e VIRUSMAILS_DELETE_DELAY=7 \
-e ENABLE_SRS=1 \
-e SASL_PASSWD="external-domain.com username:password" \ -e SASL_PASSWD="external-domain.com username:password" \
-e ENABLE_MANAGESIEVE=1 \ -e ENABLE_MANAGESIEVE=1 \
--cap-add=SYS_PTRACE \ --cap-add=SYS_PTRACE \

25
README.md
View File

@ -83,6 +83,10 @@ You're done!
And don't forget to have a look at the remaining functions of the `setup.sh` script And don't forget to have a look at the remaining functions of the `setup.sh` script
#### SPF/Forwarding Problems
If you got any problems with SPF and/or forwarding mails, give [SRS](https://github.com/roehling/postsrsd/blob/master/README.md) a try. You enable SRS by setting `ENABLE_SRS=1`. See the variable description for further information.
#### For informational purposes: #### For informational purposes:
Your config folder will be mounted in `/tmp/docker-mailserver/`. To understand how things work on boot, please have a look at [start-mailserver.sh](https://github.com/tomav/docker-mailserver/blob/master/target/start-mailserver.sh) Your config folder will be mounted in `/tmp/docker-mailserver/`. To understand how things work on boot, please have a look at [start-mailserver.sh](https://github.com/tomav/docker-mailserver/blob/master/target/start-mailserver.sh)
@ -260,6 +264,11 @@ Configures the handling of creating mails with forged sender addresses.
- **empty** => Mail address spoofing allowed. Any logged in user may create email messages with a forged sender address. See also [Wikipedia](https://en.wikipedia.org/wiki/Email_spoofing)(not recommended, but default for backwards compatibility reasons) - **empty** => Mail address spoofing allowed. Any logged in user may create email messages with a forged sender address. See also [Wikipedia](https://en.wikipedia.org/wiki/Email_spoofing)(not recommended, but default for backwards compatibility reasons)
- 1 => (recommended) Mail spoofing denied. Each user may only send with his own or his alias addresses. Addresses with [extension delimiters](http://www.postfix.org/postconf.5.html#recipient_delimiter) are not able to send messages. - 1 => (recommended) Mail spoofing denied. Each user may only send with his own or his alias addresses. Addresses with [extension delimiters](http://www.postfix.org/postconf.5.html#recipient_delimiter) are not able to send messages.
##### ENABLE_SRS
Enables the Sender Rewriting Scheme. SRS is needed if your mail server acts as forwarder. See [postsrsd](https://github.com/roehling/postsrsd/blob/master/README.md#sender-rewriting-scheme-crash-course) for further explanation.
- **0** => Disabled
- 1 => Enabled
##### PERMIT_DOCKER ##### PERMIT_DOCKER
Set different options for mynetworks option (can be overwrite in postfix-main.cf) Set different options for mynetworks option (can be overwrite in postfix-main.cf)
@ -311,6 +320,22 @@ Enabled by ENABLE_POSTFIX_VIRTUAL_TRANSPORT. Specify the final delivery of postf
- drop => Drop the connection immediately with a 521 SMTP reply. Repeat this test the next time the client connects. - drop => Drop the connection immediately with a 521 SMTP reply. Repeat this test the next time the client connects.
- ignore => Ignore the failure of this test. Allow other tests to complete. Repeat this test the next time the client connects. This option is useful for testing and collecting statistics without blocking mail. - ignore => Ignore the failure of this test. Allow other tests to complete. Repeat this test the next time the client connects. This option is useful for testing and collecting statistics without blocking mail.
##### REPORT_RECIPIENT
Enables a report being sent (created by pflogsumm) on a regular basis.
- **0** => Report emails are disabled
- 1 => Using POSTMASTER_ADDRESS as the recipient
- => Specify the recipient address
##### REPORT_INTERVAL
changes the interval in which a report is being sent.
- **daily** => Send a daily report
- weekly => Send a report every week
- monthly => Send a report every month
Note: This Variable actually controls logrotate inside the container and rotates the log depending on this setting. The main log output is still available in its entirety via `docker logs mail` (Or your respective container name). If you want to control logrotation for the docker generated logfile see: [Docker Logging Drivers](https://docs.docker.com/config/containers/logging/configure/)
## Spamassassin ## Spamassassin
##### ENABLE_SPAMASSASSIN ##### ENABLE_SPAMASSASSIN

3
docker-compose.elk.yml.dist
View File

@ -26,6 +26,9 @@ services:
- OVERRIDE_HOSTNAME=${OVERRIDE_HOSTNAME} - OVERRIDE_HOSTNAME=${OVERRIDE_HOSTNAME}
- POSTMASTER_ADDRESS=${POSTMASTER_ADDRESS} - POSTMASTER_ADDRESS=${POSTMASTER_ADDRESS}
- POSTSCREEN_ACTION=${POSTSCREEN_ACTION} - POSTSCREEN_ACTION=${POSTSCREEN_ACTION}
- ENABLE_SRS=${ENABLE_SRS}
- REPORT_RECIPIENT=${REPORT_RECIPIENT}
- REPORT_INTERVAL=${REPORT_INTERVAL}
- SMTP_ONLY=${SMTP_ONLY} - SMTP_ONLY=${SMTP_ONLY}
- SSL_TYPE=${SSL_TYPE} - SSL_TYPE=${SSL_TYPE}
- PERMIT_DOCKER=${PERMIT_DOCKER} - PERMIT_DOCKER=${PERMIT_DOCKER}

3
docker-compose.yml.dist
View File

@ -24,10 +24,13 @@ services:
- OVERRIDE_HOSTNAME=${OVERRIDE_HOSTNAME} - OVERRIDE_HOSTNAME=${OVERRIDE_HOSTNAME}
- POSTMASTER_ADDRESS=${POSTMASTER_ADDRESS} - POSTMASTER_ADDRESS=${POSTMASTER_ADDRESS}
- POSTSCREEN_ACTION=${POSTSCREEN_ACTION} - POSTSCREEN_ACTION=${POSTSCREEN_ACTION}
- REPORT_RECIPIENT=${REPORT_RECIPIENT}
- REPORT_INTERVAL=${REPORT_INTERVAL}
- SMTP_ONLY=${SMTP_ONLY} - SMTP_ONLY=${SMTP_ONLY}
- SSL_TYPE=${SSL_TYPE} - SSL_TYPE=${SSL_TYPE}
- TLS_LEVEL=${TLS_LEVEL} - TLS_LEVEL=${TLS_LEVEL}
- SPOOF_PROTECTION=${SPOOF_PROTECTION} - SPOOF_PROTECTION=${SPOOF_PROTECTION}
- ENABLE_SRS=${ENABLE_SRS}
- PERMIT_DOCKER=${PERMIT_DOCKER} - PERMIT_DOCKER=${PERMIT_DOCKER}
- VIRUSMAILS_DELETE_DELAY=${VIRUSMAILS_DELETE_DELAY} - VIRUSMAILS_DELETE_DELAY=${VIRUSMAILS_DELETE_DELAY}
- ENABLE_POSTFIX_VIRTUAL_TRANSPORT=${ENABLE_POSTFIX_VIRTUAL_TRANSPORT} - ENABLE_POSTFIX_VIRTUAL_TRANSPORT=${ENABLE_POSTFIX_VIRTUAL_TRANSPORT}

11
target/bin/delalias
View File

@ -21,10 +21,7 @@ escape() {
[ -z "$EMAIL" ] || [ -z "$RECIPIENT" ] && { usage; errex "No email specifed"; } [ -z "$EMAIL" ] || [ -z "$RECIPIENT" ] && { usage; errex "No email specifed"; }
[ -s "$DATABASE" ] || exit 0 [ -s "$DATABASE" ] || exit 0
CNT=$(grep "^$EMAIL" $DATABASE | wc -w | awk '{print $1}') #CNT=$(grep "^$EMAIL" $DATABASE | wc -w | awk '{print $1}')
sed -i -e "/^$EMAIL *$RECIPIENT$/d" \
if [[ $CNT -eq 2 ]]; then -e "/^$EMAIL/s/,$RECIPIENT//g" \
sed -i "/^$EMAIL/d" $DATABASE -e "/^$EMAIL/s/$RECIPIENT,//g" $DATABASE
else
sed -i "/^$EMAIL/s/,$RECIPIENT//g" $DATABASE
fi

18
target/bin/postfix-summary Normal file
View File

@ -0,0 +1,18 @@
#!/bin/bash
HOSTNAME=$1
RECIPIENT=$2
errex() {
echo -e "$@" 1>&2
exit 1
}
test -x /usr/sbin/pflogsumm || errex "Critical: /usr/sbin/pflogsumm not found"
BODY="Subject: Postfix Summary for $HOSTNAME\n\n"
# The case that the mail.log.1 file isn't readable shouldn't actually be possible with logrotate not rotating empty files.. But you never know!
[ -r "/var/log/mail/mail.log.1" ] \
&& BODY="$BODY"$(/usr/sbin/pflogsumm /var/log/mail/mail.log.1 --problems-first) \
|| BODY="$BODY Error: Mail log not readable or not found: /var/log/mail/mail.log.1\n\nIn case of mail inactivity since the last report, this might be considered a nuisance warning.\n\nYours faithfully, The $HOSTNAME Mailserver"
echo -e "$BODY" | sendmail -f "mailserver-report@$HOSTNAME" "$RECIPIENT"

6
target/postfix/main.cf
View File

@ -97,9 +97,3 @@ policyd-spf_time_limit = 3600
# Remove unwanted headers that reveail our privacy # Remove unwanted headers that reveail our privacy
smtp_header_checks = pcre:/etc/postfix/maps/sender_header_filter.pcre smtp_header_checks = pcre:/etc/postfix/maps/sender_header_filter.pcre
# postSRSd rules to process spf mail forwarding
sender_canonical_maps = tcp:localhost:10001
sender_canonical_classes = envelope_sender
recipient_canonical_maps = tcp:localhost:10002
recipient_canonical_classes = envelope_recipient,header_recipient

54
target/start-mailserver.sh
View File

@ -27,6 +27,9 @@ DEFAULT_VARS["POSTMASTER_ADDRESS"]="${POSTMASTER_ADDRESS:="postmaster@domain.com
DEFAULT_VARS["POSTSCREEN_ACTION"]="${POSTSCREEN_ACTION:="enforce"}" DEFAULT_VARS["POSTSCREEN_ACTION"]="${POSTSCREEN_ACTION:="enforce"}"
DEFAULT_VARS["SPOOF_PROTECTION"]="${SPOOF_PROTECTION:="0"}" DEFAULT_VARS["SPOOF_PROTECTION"]="${SPOOF_PROTECTION:="0"}"
DEFAULT_VARS["TLS_LEVEL"]="${TLS_LEVEL:="modern"}" DEFAULT_VARS["TLS_LEVEL"]="${TLS_LEVEL:="modern"}"
DEFAULT_VARS["ENABLE_SRS"]="${ENABLE_SRS:="0"}"
DEFAULT_VARS["REPORT_RECIPIENT"]="${REPORT_RECIPIENT:="0"}"
DEFAULT_VARS["REPORT_INTERVAL"]="${REPORT_INTERVAL:="daily"}"
########################################################################## ##########################################################################
# << DEFAULT VARS # << DEFAULT VARS
########################################################################## ##########################################################################
@ -124,6 +127,11 @@ function register_functions() {
_register_setup_function "_setup_spoof_protection" _register_setup_function "_setup_spoof_protection"
fi fi
if [ "$ENABLE_SRS" = 1 ]; then
_register_setup_function "_setup_SRS"
_register_start_daemon "_start_daemons_postsrsd"
fi
_register_setup_function "_setup_postfix_access_control" _register_setup_function "_setup_postfix_access_control"
if [ ! -z "$AWS_SES_HOST" -a ! -z "$AWS_SES_USERPASS" ]; then if [ ! -z "$AWS_SES_HOST" -a ! -z "$AWS_SES_USERPASS" ]; then
@ -135,6 +143,11 @@ function register_functions() {
fi fi
_register_setup_function "_setup_environment" _register_setup_function "_setup_environment"
_register_setup_function "_setup_logrotate"
if [ "$REPORT_RECIPIENT" != 0 ]; then
_register_setup_function "_setup_mail_summary"
fi
################### << setup funcs ################### << setup funcs
@ -726,6 +739,14 @@ function _setup_postfix_aliases() {
fi fi
} }
function _setup_SRS() {
notify 'task' 'Setting up SRS'
postconf -e "sender_canonical_maps = tcp:localhost:10001"
postconf -e "sender_canonical_classes = envelope_sender"
postconf -e "recipient_canonical_maps = tcp:localhost:10002"
postconf -e "recipient_canonical_classes = envelope_recipient,header_recipient"
}
function _setup_dkim() { function _setup_dkim() {
notify 'task' 'Setting up DKIM' notify 'task' 'Setting up DKIM'
@ -1085,6 +1106,34 @@ function _setup_elk_forwarder() {
> /etc/filebeat/filebeat.yml > /etc/filebeat/filebeat.yml
} }
function _setup_logrotate() {
notify 'inf' "Setting up logrotate"
LOGROTATE="/var/log/mail/mail.log\n{\n compress\n copytruncate\n delaycompress\n"
case "$REPORT_INTERVAL" in
"daily" )
notify 'inf' "Setting postfix summary interval to daily"
LOGROTATE="$LOGROTATE rotate 1\n daily\n"
;;
"weekly" )
notify 'inf' "Setting postfix summary interval to weekly"
LOGROTATE="$LOGROTATE rotate 1\n weekly\n"
;;
"monthly" )
notify 'inf' "Setting postfix summary interval to monthly"
LOGROTATE="$LOGROTATE rotate 1\n monthly\n"
;;
esac
LOGROTATE="$LOGROTATE}"
echo -e "$LOGROTATE" > /etc/logrotate.d/maillog
}
function _setup_mail_summary() {
notify 'inf' "Enable postfix summary with recipient $REPORT_RECIPIENT"
[ "$REPORT_RECIPIENT" = 1 ] && REPORT_RECIPIENT=$POSTMASTER_ADDRESS
sed -i "s|}| postrotate\n /usr/local/bin/postfix-summary $HOSTNAME $REPORT_RECIPIENT\n endscript\n}\n|" /etc/logrotate.d/maillog
}
function _setup_environment() { function _setup_environment() {
notify 'task' 'Setting up /etc/environment' notify 'task' 'Setting up /etc/environment'
@ -1257,6 +1306,11 @@ function _start_daemons_opendmarc() {
supervisorctl start opendmarc supervisorctl start opendmarc
} }
function _start_daemons_postsrsd(){
notify 'task' 'Starting postsrsd ' 'n'
supervisorctl start postsrsd
}
function _start_daemons_postfix() { function _start_daemons_postfix() {
notify 'task' 'Starting postfix' 'n' notify 'task' 'Starting postfix' 'n'
supervisorctl start postfix supervisorctl start postfix

2
target/supervisor/conf.d/supervisor-app.conf
View File

@ -124,7 +124,7 @@ command=/usr/local/bin/check-for-changes.sh
[program:postsrsd] [program:postsrsd]
startsecs=0 startsecs=0
autostart=true autostart=false
autorestart=unexpected autorestart=unexpected
stdout_logfile=/var/log/supervisor/%(program_name)s.log stdout_logfile=/var/log/supervisor/%(program_name)s.log
stderr_logfile=/var/log/supervisor/%(program_name)s.log stderr_logfile=/var/log/supervisor/%(program_name)s.log

55
test/tests.bats
View File

@ -790,6 +790,26 @@ load 'test_helper/bats-assert/load'
assert_success assert_success
} }
#
# postsrsd
#
@test "checking SRS: main.cf entries" {
run docker exec mail grep "sender_canonical_maps = tcp:localhost:10001" /etc/postfix/main.cf
assert_success
run docker exec mail grep "sender_canonical_classes = envelope_sender" /etc/postfix/main.cf
assert_success
run docker exec mail grep "recipient_canonical_maps = tcp:localhost:10002" /etc/postfix/main.cf
assert_success
run docker exec mail grep "recipient_canonical_classes = envelope_recipient,header_recipient" /etc/postfix/main.cf
assert_success
}
@test "checking SRS: postsrsd running" {
run docker exec mail /bin/sh -c "ps aux | grep ^postsrsd"
assert_success
}
# #
# fail2ban # fail2ban
# #
@ -1223,12 +1243,27 @@ load 'test_helper/bats-assert/load'
run /bin/sh -c 'cat ./config/postfix-virtual.cf | grep "test1@example.org test1@forward.com,test2@forward.com" | wc -l | grep 1' run /bin/sh -c 'cat ./config/postfix-virtual.cf | grep "test1@example.org test1@forward.com,test2@forward.com" | wc -l | grep 1'
assert_success assert_success
} }
@test "checking setup.sh: setup.sh alias del" { @test "checking setup.sh: setup.sh alias del" {
echo 'test1@example.org test1@forward.com, test2@forward.com,' > ./config/postfix-virtual.cf echo -e 'test1@example.org test1@forward.com,test2@forward.com\ntest2@example.org test1@forward.com' > ./config/postfix-virtual.cf
./setup.sh -c mail alias del test1@example.org test1@forward.com ./setup.sh -c mail alias del test1@example.org test1@forward.com
run grep "test1@forward.com" ./config/postfix-virtual.cf
assert_output --regexp "^test2@example.org +test1@forward.com$"
run grep "test2@forward.com" ./config/postfix-virtual.cf
assert_output --regexp "^test1@example.org +test2@forward.com$"
./setup.sh -c mail alias del test1@example.org test2@forward.com ./setup.sh -c mail alias del test1@example.org test2@forward.com
run cat ./config/postfix-virtual.cf | wc -l | grep 0 run grep "test1@example.org" ./config/postfix-virtual.cf
assert_failure
run grep "test2@example.org" ./config/postfix-virtual.cf
assert_success assert_success
./setup.sh -c mail alias del test2@example.org test1@forward.com
run grep "test2@example.org" ./config/postfix-virtual.cf
assert_failure
} }
# config # config
@ -1465,6 +1500,22 @@ load 'test_helper/bats-assert/load'
assert_output 1 assert_output 1
} }
#
# Pflogsumm delivery check
#
@test "checking pflogsum delivery" {
# checking logrotation working and report being sent
docker exec mail logrotate --force /etc/logrotate.d/maillog
sleep 10
run docker exec mail grep "Subject: Postfix Summary for " /var/mail/localhost.localdomain/user1/new/ -R
assert_success
# checking default logrotation setup
run docker exec mail_with_ldap grep "daily" /etc/logrotate.d/maillog
assert_success
}
# #
# PCI compliance # PCI compliance
# #