From ffb9c180b8d63f76b633549ec025f054482f73a8 Mon Sep 17 00:00:00 2001 From: Felix Schwarz Date: Tue, 18 Jul 2017 16:15:30 +0200 Subject: [PATCH 1/3] New features: * ADD_PERMIT_NETWORK options allows to specify additional networks to whitelist in mynetworks while retaining the benefits of automatically determining relevant networks through PERMIT_DOCKER. E.g. to add the network "10.0.1.0/24", set ADD_PERMIT_NETWORK to "10.0.1.0/24" * DISABLE_FILTERS_FOR_MYNETWORKS option to add amavisd-new configuration to disable clamav/spamassassin filters for the IPv4 hosts listed in mynetworks (amavisd-new doesn't seem to support IPv6 here). Set DISABLE_FILTERS_FOR_MYNETWORKS to enable this. * Added PCRE support to postfix, allowing efficient rejections of mail headers and body based on PCRE regexps. The regexps can be placed in config/postfix-reject_body_checks and config/reject_header_checks accordingly. See postfix main.cf documentation on header_checks and body_checks for more information. * Added support for the second postgrey whitelist (whitelist_clients.local) Improvements: * Postgrey whitelists are also accepted as config/postgrey-whitelist_clients.local and config/postgrey-whitelist_recipients.local Bug/Security fixes: * Fixing permissions problems for /var/mail-state/spool-postfix when ONE_DIR=1: - spool-postfix/maildrop and spool-postfix/public folders must be owned by group postdrop - spool-postfix/[dev/etc/lib/pid/usr] permissions were not restrictive enough. They should be owned by the root user and root group. --- Dockerfile | 1 + target/start-mailserver.sh | 80 ++++++++++++++++++++++++++++++++++---- 2 files changed, 73 insertions(+), 8 deletions(-) diff --git a/Dockerfile b/Dockerfile index 677394a1..6791a7f1 100644 --- a/Dockerfile +++ b/Dockerfile @@ -43,6 +43,7 @@ RUN apt-get update -q --fix-missing && \ opendmarc \ p7zip \ postfix-ldap \ + postfix-pcre \ postfix-policyd-spf-python \ pyzor \ razor \ 
diff --git a/target/start-mailserver.sh b/target/start-mailserver.sh index e2c4d5e3..19989a4f 100644 --- a/target/start-mailserver.sh +++ b/target/start-mailserver.sh @@ -22,6 +22,8 @@ DEFAULT_VARS["ENABLE_SASLAUTHD"]="${ENABLE_SASLAUTHD:="0"}" DEFAULT_VARS["SMTP_ONLY"]="${SMTP_ONLY:="0"}" DEFAULT_VARS["DMS_DEBUG"]="${DMS_DEBUG:="0"}" DEFAULT_VARS["OVERRIDE_HOSTNAME"]="${OVERRIDE_HOSTNAME}" +DEFAULT_VARS["ADD_PERMIT_NETWORK"]="${ADD_PERMIT_NETWORK}" +DEFAULT_VARS["DISABLE_FILTERS_FOR_MYNETWORKS"]="${DISABLE_FILTERS_FOR_MYNETWORKS}" ########################################################################## # << DEFAULT VARS ########################################################################## @@ -111,6 +113,7 @@ function register_functions() { _register_setup_function "_setup_postfix_sasl_password" _register_setup_function "_setup_security_stack" _register_setup_function "_setup_postfix_aliases" + _register_setup_function "_setup_postfix_rejections" _register_setup_function "_setup_postfix_vhost" if [ ! -z "$AWS_SES_HOST" -a ! -z "$AWS_SES_USERPASS" ]; then @@ -121,7 +124,7 @@ function register_functions() { _register_setup_function "_setup_postfix_virtual_transport" fi - _register_setup_function "_setup_environment" + _register_setup_function "_setup_environment" ################### << setup funcs 
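Review bot: The two new DEFAULT_VARS entries break the convention of the surrounding lines: `ENABLE_SASLAUTHD`, `SMTP_ONLY` and `DMS_DEBUG` all use `:="0"` so the variable is always an explicit "0" or "1", whereas `DEFAULT_VARS["DISABLE_FILTERS_FOR_MYNETWORKS"]="${DISABLE_FILTERS_FOR_MYNETWORKS}"` leaves it empty when unset. The amavis code later in this series tests `= 1`, so an empty value happens to mean "off", but the safer and consistent form is `DEFAULT_VARS["DISABLE_FILTERS_FOR_MYNETWORKS"]="${DISABLE_FILTERS_FOR_MYNETWORKS:="0"}"`. `ADD_PERMIT_NETWORK` legitimately defaults to empty, but that deserves a comment since it widens relay permissions when set, e.g. `# ADD_PERMIT_NETWORK: extra IPv4 CIDR(s) appended to postfix mynetworks and to the opendkim/opendmarc trusted lists; empty = none`.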
@@ -587,6 +590,15 @@ function _setup_postgrey() { if [ -f /tmp/docker-mailserver/whitelist_clients.local ]; then cp -f /tmp/docker-mailserver/whitelist_clients.local /etc/postgrey/whitelist_clients.local fi + if [ -f /tmp/docker-mailserver/whitelist_recipients.local ]; then + cp -f /tmp/docker-mailserver/whitelist_recipients.local /etc/postgrey/whitelist_recipients.local + fi + if [ -f /tmp/docker-mailserver/postgrey-whitelist_clients.local ]; then + cp -f /tmp/docker-mailserver/postgrey-whitelist_clients.local /etc/postgrey/whitelist_clients.local + fi + if [ -f /tmp/docker-mailserver/postgrey-whitelist_recipients.local ]; then + cp -f /tmp/docker-mailserver/postgrey-whitelist_recipients.local /etc/postgrey/whitelist_recipients.local + fi } @@ -691,6 +703,19 @@ function _setup_postfix_aliases() { fi } +function _setup_postfix_rejections() { + notify 'task' 'Setting up Postfix Rejections' + + if [ -f /tmp/docker-mailserver/postfix-reject_header_checks ]; then + cp -f /tmp/docker-mailserver/postfix-reject_header_checks /etc/postfix/reject_header_checks + postconf -e "header_checks = pcre:/etc/postfix/reject_body_checks" + fi + if [ -f /tmp/docker-mailserver/postfix-reject_body_checks ]; then + cp -f /tmp/docker-mailserver/postfix-reject_body_checks /etc/postfix/reject_body_checks + postconf -e "body_checks = pcre:/etc/postfix/reject_body_checks" + fi +} + function _setup_dkim() { notify 'task' 'Setting up DKIM' 
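Review bot: The config file name in `_setup_postfix_rejections` does not match the commit message: the code looks for `/tmp/docker-mailserver/postfix-reject_header_checks`, while the description tells users to put header regexps in `config/reject_header_checks`, so someone following the description gets no header filtering and no warning; the description should say `config/postfix-reject_header_checks` (the `header_checks = pcre:/etc/postfix/reject_body_checks` path mix-up on the same lines is already corrected by patch 3 of this series). A second point: `postconf -e` silently replaces whatever `header_checks`/`body_checks` the shipped main.cf already sets, and there is no branch clearing the parameter when the map file is absent, so if main.cf survives a container restart a map removed from config/ would stay active — I cannot tell from this hunk whether /etc/postfix is persisted. A comment such as `# NOTE: overrides any header_checks/body_checks from main.cf; not reset when the map is removed` would make that explicit.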
@@ -823,33 +848,44 @@ function _setup_postfix_vhost() { } function _setup_docker_permit() { - notify 'task' 'Setting up PERMIT_DOCKER Option' + notify 'task' 'Setting up PERMIT_DOCKER and ADD_PERMIT_NETWORK Options' container_ip=$(ip addr show eth0 | grep 'inet ' | sed 's/[^0-9\.\/]*//g' | cut -d '/' -f 1) container_network="$(echo $container_ip | cut -d '.' -f1-2).0.0" + if [[ ! -z ${DEFAULT_VARS["ADD_PERMIT_NETWORK"]} ]]; then + add_permit_network="$ADD_PERMIT_NETWORK" + else + add_permit_network="" + fi + case $PERMIT_DOCKER in "host" ) notify 'inf' "Adding $container_network/16 to my networks" - postconf -e "$(postconf | grep '^mynetworks =') $container_network/16" + postconf -e "$(postconf | grep '^mynetworks =') $container_network/16 $add_permit_network" echo $container_network/16 >> /etc/opendmarc/ignore.hosts echo $container_network/16 >> /etc/opendkim/TrustedHosts ;; "network" ) notify 'inf' "Adding docker network in my networks" - postconf -e "$(postconf | grep '^mynetworks =') 172.16.0.0/12" + postconf -e "$(postconf | grep '^mynetworks =') 172.16.0.0/12 $add_permit_network" echo 172.16.0.0/12 >> /etc/opendmarc/ignore.hosts echo 172.16.0.0/12 >> /etc/opendkim/TrustedHosts ;; * ) notify 'inf' "Adding container ip in my networks" - postconf -e "$(postconf | grep '^mynetworks =') $container_ip/32" + postconf -e "$(postconf | grep '^mynetworks =') $container_ip/32 $add_permit_network" echo $container_ip/32 >> /etc/opendmarc/ignore.hosts echo $container_ip/32 >> /etc/opendkim/TrustedHosts ;; esac + + if [[ ! -z ${DEFAULT_VARS["ADD_PERMIT_NETWORK"]} ]]; then + echo $add_permit_network >> /etc/opendmarc/ignore.hosts + echo $add_permit_network >> /etc/opendkim/TrustedHosts + fi } function _setup_postfix_virtual_transport() { 
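Review bot: `ADD_PERMIT_NETWORK` is spliced unvalidated into `postconf -e "... mynetworks = ... $add_permit_network"` and appended to `/etc/opendmarc/ignore.hosts` and `/etc/opendkim/TrustedHosts`; membership in mynetworks is what grants unauthenticated relaying and DKIM signing, so a typo, a stray token, or a value such as `0.0.0.0/0` either breaks the postfix configuration or turns the host into an open relay with no check here to catch it. The commit message speaks of "networks" (plural), but the single `echo $add_permit_network >> ...` writes all of them on one line, whereas the existing arms above write exactly one CIDR per line into those two files, so a multi-network value would presumably not be parsed as intended by opendkim/opendmarc. The rewrite below only accepts dotted-quad CIDRs (the amavis part of this series already treats the feature as IPv4-only), logs anything rejected, and writes one trusted-host entry per network; whether a broad but well-formed network is appropriate remains the operator's call and should be stated in the option's documentation.
```shell
  # ADD_PERMIT_NETWORK: extra networks that receive permit_mynetworks relay
  # rights and are trusted by opendkim/opendmarc. Only accept IPv4 CIDRs so a
  # typo or an injected value cannot silently open the relay.
  add_permit_network=""
  if [[ -n ${DEFAULT_VARS["ADD_PERMIT_NETWORK"]} ]]; then
    for net in $ADD_PERMIT_NETWORK; do
      if [[ "$net" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$ ]]; then
        add_permit_network="$add_permit_network $net"
      else
        notify 'inf' "ADD_PERMIT_NETWORK: ignoring invalid network '$net'"
      fi
    done
  fi

  # … unchanged: case $PERMIT_DOCKER … esac …

  # one entry per line: the trusted-host files are not space separated lists
  for net in $add_permit_network; do
    notify 'inf' "Adding $net to my networks"
    echo "$net" >> /etc/opendmarc/ignore.hosts
    echo "$net" >> /etc/opendkim/TrustedHosts
  done
```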
@@ -930,7 +966,7 @@ function _setup_security_stack() { # recreate auto-generated file dms_amavis_file="/etc/amavis/conf.d/61-dms_auto_generated" - echo "# WARNING: this file is auto-generated." > $dms_amavis_file + echo "# WARNING: this file is auto-generated." > $dms_amavis_file echo "use strict;" >> $dms_amavis_file # Spamassassin @@ -954,6 +990,29 @@ function _setup_security_stack() { notify 'inf' "Enabling clamav" fi + # Disable filters for mynetworks + if [ "$DISABLE_FILTERS_FOR_MYNETWORKS" = 1 ]; then + notify 'inf' "Disabling filters for mynetworks" + + echo "" >>$dms_amavis_file + echo "# list of local IPs:" >>$dms_amavis_file + echo "@mynetworks = qw( $(postconf | grep '^mynetworks =' | sed 's/mynetworks = //' | sed 's/ /\n/g' | grep "\." | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/ /g') );" >>$dms_amavis_file + echo "" >>$dms_amavis_file + echo "# allow all mail from local IPs:" >>$dms_amavis_file + echo "\$policy_bank{'MYNETS'} = {" >>$dms_amavis_file + echo " bypass_decode_parts => 1," >>$dms_amavis_file + echo " bypass_header_checks_maps => [1]," >>$dms_amavis_file + echo " bypass_virus_checks_maps => [1]," >>$dms_amavis_file + echo " bypass_spam_checks_maps => [1]," >>$dms_amavis_file + echo " bypass_banned_checks_maps => [1]," >>$dms_amavis_file + echo " bypass_header_checks_maps => [1]," >>$dms_amavis_file + echo " spam_lovers_maps => [1]," >>$dms_amavis_file + echo " banned_files_lovers_maps => [1]," >>$dms_amavis_file + echo " archive_quarantine_to_maps => []," >>$dms_amavis_file + echo "};" >>$dms_amavis_file + echo "" >>$dms_amavis_file + fi + echo "1; # ensure a defined return" >> $dms_amavis_file 
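Review bot: The generated MYNETS policy bank sets `bypass_virus_checks_maps => [1]` and `bypass_spam_checks_maps => [1]` for every address in postfix mynetworks, which with `PERMIT_DOCKER=network` is the whole of 172.16.0.0/12 (every container on the host) plus anything added through ADD_PERMIT_NETWORK, so a compromised internal host can relay unscanned malware that is then DKIM-signed, because the same list feeds opendkim's TrustedHosts. Nothing in the option name or the hunk says so; the block should carry a warning such as `# WARNING: skips virus/spam/banned-file scanning for every mynetworks client; with PERMIT_DOCKER=network that is all of 172.16.0.0/12`. Also `bypass_header_checks_maps => [1],` is emitted twice (harmless to Perl, but a copy-paste leftover), and the `grep "\."` filter on the postconf output keeps only entries containing a dot, which drops IPv6 networks as intended but would also pass through any non-CIDR token mynetworks happens to contain.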
@@ -1097,6 +1156,13 @@ function _misc_save_states() { chown -R postgrey /var/mail-state/lib-postgrey chown -R debian-spamd /var/mail-state/lib-spamassasin chown -R postfix /var/mail-state/spool-postfix + chown -R postfix:postdrop /var/mail-state/spool-postfix/maildrop + chown -R postfix:postdrop /var/mail-state/spool-postfix/public + chown -R root:root /var/mail-state/spool-postfix/dev + chown -R root:root /var/mail-state/spool-postfix/etc + chown -R root:root /var/mail-state/spool-postfix/lib + chown -R root:root /var/mail-state/spool-postfix/pid + chown -R root:root /var/mail-state/spool-postfix/usr fi } @@ -1252,10 +1318,8 @@ notify 'taskgrp' "# $HOSTNAME is up and running" notify 'taskgrp' "#" notify 'taskgrp' "" - tail -fn 0 /var/log/mail/mail.log - # !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! # ! CARE --> DON'T CHANGE, unless you exactly know what you are doing # !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! From 5b9f0a6b9de0dec5164e7387b3292af018b974d2 Mon Sep 17 00:00:00 2001 From: Felix Schwarz Date: Sun, 23 Jul 2017 14:26:14 +0200 Subject: [PATCH 2/3] Improvements: * Stray pid files that could hinder a proper startup of postgrey and dovecot are now removed on container start * When the container is stopped, all services are now shut down properly - previously, the services were just killed, resulting in stray pid files and - possibly - corruption of files modified by the services at the time of termination - stopping the container is now much faster (previously took 10 seconds - the standard grace period for containers from being signalled by 'docker stop' and timing out and being killed off) --- Dockerfile | 3 +- target/start-mailserver.sh | 120 +++++++++++++++++++++++++++++++++---- 2 files changed, 108 insertions(+), 15 deletions(-) diff --git a/Dockerfile b/Dockerfile index 6791a7f1..0f0a1bed 100644 --- a/Dockerfile +++ b/Dockerfile 
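Review bot: The commit message says the spool subdirectories' permissions "were not restrictive enough", but the added lines only `chown`; the directory modes are untouched, so a too-permissive maildrop or public directory stays too permissive after this fix. Postfix's own permission table expects `maildrop` at 1730 (postfix:postdrop, set-gid so postdrop can submit but cannot list) and `public` at 0710, so at minimum add `chmod 1730 /var/mail-state/spool-postfix/maildrop` and `chmod 0710 /var/mail-state/spool-postfix/public`, or run `postfix set-permissions` after the chowns so all queue directories are set from Postfix's table rather than a hand-maintained list. Note also that each `chown -R` fails if the subdirectory does not yet exist in a fresh state directory; whether that aborts startup depends on `set -e`, which is not visible here. The enclosing `_misc_save_states` body starts above the hunk.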
@@ -150,7 +150,6 @@ RUN chmod +x /usr/local/bin/* EXPOSE 25 587 143 993 110 995 4190 -CMD /usr/local/bin/start-mailserver.sh - +CMD ["/bin/bash", "/usr/local/bin/start-mailserver.sh"] ADD target/filebeat.yml.tmpl /etc/filebeat/filebeat.yml.tmpl diff --git a/target/start-mailserver.sh b/target/start-mailserver.sh index 19989a4f..51bca61f 100644 --- a/target/start-mailserver.sh +++ b/target/start-mailserver.sh @@ -1,4 +1,5 @@ #!/bin/bash +trap 'stop_daemons' TERM INT QUIT ########################################################################## # >> DEFAULT VARS 
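Review bot: `trap 'stop_daemons' TERM INT QUIT` is installed on line 2, long before `stop_daemons`, `DAEMONS_STOP` or `TAIL_PID` are defined, so a signal during setup (the setup stack runs for a while on first start) invokes an undefined function — bash reports "command not found" and the script continues instead of shutting down — and even after the functions exist, `kill -SIGTERM ${TAIL_PID}` runs with an empty argument until `tail` has been started. Either move the trap to right after `TAIL_PID="$!"`, or keep it here and make the handler defensive, e.g. `trap '[[ -n "${TAIL_PID:-}" ]] && stop_daemons; exit 143' TERM INT QUIT`, so that an early signal still terminates the container. Switching CMD to exec form is what lets the signal reach bash as PID 1 at all; bash then also inherits any orphaned children of the daemons, which it does not explicitly reap here — worth a comment if that is acceptable or a pointer to `docker run --init`.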
@@ -144,46 +145,46 @@ function register_functions() { ################### >> daemon funcs _register_start_daemon "_start_daemons_cron" - _register_start_daemon "_start_daemons_rsyslog" + _register_start_stop_daemon "_start_daemons_rsyslog" "_stop_daemons_rsyslog" if [ "$ENABLE_ELK_FORWARDER" = 1 ]; then - _register_start_daemon "_start_daemons_filebeat" + _register_start_stop_daemon "_start_daemons_filebeat" "_stop_daemons_filebeat" fi if [ "$SMTP_ONLY" != 1 ]; then - _register_start_daemon "_start_daemons_dovecot" + _register_start_stop_daemon "_start_daemons_dovecot" "_stop_daemons_dovecot" fi # needs to be started before saslauthd - _register_start_daemon "_start_daemons_opendkim" - _register_start_daemon "_start_daemons_opendmarc" + _register_start_stop_daemon "_start_daemons_opendkim" "_stop_daemons_opendkim" + _register_start_stop_daemon "_start_daemons_opendmarc" "_stop_daemons_opendmarc" #postfix uses postgrey, needs to be started before postfix if [ "$ENABLE_POSTGREY" = 1 ]; then - _register_start_daemon "_start_daemons_postgrey" + _register_start_stop_daemon "_start_daemons_postgrey" "_stop_daemons_postgrey" fi - _register_start_daemon "_start_daemons_postfix" + _register_start_stop_daemon "_start_daemons_postfix" "_stop_daemons_postfix" if [ "$ENABLE_SASLAUTHD" = 1 ];then - _register_start_daemon "_start_daemons_saslauthd" + _register_start_stop_daemon "_start_daemons_saslauthd" "_stop_daemons_saslauthd" fi # care needs to run after postfix if [ "$ENABLE_FAIL2BAN" = 1 ]; then - _register_start_daemon "_start_daemons_fail2ban" + _register_start_stop_daemon "_start_daemons_fail2ban" "_stop_daemons_fail2ban" fi if [ "$ENABLE_FETCHMAIL" = 1 ]; then - _register_start_daemon "_start_daemons_fetchmail" + _register_start_stop_daemon "_start_daemons_fetchmail" "_stop_daemons_fetchmail" fi if [ "$ENABLE_CLAMAV" = 1 ]; then - _register_start_daemon "_start_daemons_clamav" + _register_start_stop_daemon "_start_daemons_clamav" "_stop_daemons_clamav" fi - 
_register_start_daemon "_start_daemons_amavis" + _register_start_stop_daemon "_start_daemons_amavis" "_stop_daemons_amavis" ################### << daemon funcs } ########################################################################## @@ -206,6 +207,7 @@ declare -a FUNCS_FIX declare -a FUNCS_CHECK declare -a FUNCS_MISC declare -a DAEMONS_START +declare -a DAEMONS_STOP declare -A HELPERS_EXEC_STATE ########################################################################## # << CONSTANTS @@ -215,11 +217,18 @@ declare -A HELPERS_EXEC_STATE ########################################################################## # >> protected register_functions ########################################################################## + function _register_start_daemon() { DAEMONS_START+=($1) notify 'inf' "$1() registered" } +function _register_start_stop_daemon() { + DAEMONS_START+=($1) + DAEMONS_STOP=($2 "${DAEMONS_STOP[@]}") + notify 'inf' "$1() and $2() registered" +} + function _register_setup_function() { FUNCS_SETUP+=($1) notify 'inf' "$1() registered" @@ -1222,6 +1231,7 @@ function _start_daemons_postfix() { function _start_daemons_dovecot() { # Here we are starting sasl and imap, not pop3 because it's disabled by default notify 'task' 'Starting dovecot services' 'n' + rm -f /var/run/dovecot/master.pid display_startup_daemon "/usr/sbin/dovecot -c /etc/dovecot/dovecot.conf" if [ "$ENABLE_POP3" = 1 ]; then @@ -1263,6 +1273,7 @@ function _start_daemons_clamav() { function _start_daemons_postgrey() { notify 'task' 'Starting postgrey' 'n' + rm -f /var/run/postgrey/postgrey.pid display_startup_daemon "/etc/init.d/postgrey start" } 
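Review bot: `_start_daemons_cron` is still registered through `_register_start_daemon`, so cron is the one service this series never stops on shutdown, even though a `_stop_daemons_cron` function is added further down in this patch. The registration should read `_register_start_stop_daemon "_start_daemons_cron" "_stop_daemons_cron"` (and the stop function's `/etc/inid.d/cron` path needs correcting before that works). The `register_functions` body starts above the hunk.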
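Review bot: `_register_start_stop_daemon` prepends with `DAEMONS_STOP=($2 "${DAEMONS_STOP[@]}")`, so stop functions run in reverse start order (postfix before postgrey, amavis first), which is deliberate but nowhere stated and easy to "fix" into `+=` by a later maintainer. Add a one-line comment above the assignment such as `# prepend so daemons are stopped in reverse start order (dependents first)`. Quoting `$1` and `$2` in the array assignments would also match the rest of the file's defensive style.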
@@ -1276,6 +1287,87 @@ function _start_daemons_amavis() { # << Start Daemons ########################################################################## +########################################################################## +# >> Stop Daemons +########################################################################## +function stop_daemons() { + notify 'taskgrp' 'Stopping mail server' + + for _func in "${DAEMONS_STOP[@]}";do + $_func + done + + kill -SIGTERM ${TAIL_PID} +} + +function _stop_daemons_cron() { + notify 'task' 'Stopping cron' 'n' + display_startup_daemon "/etc/inid.d/cron stop" +} + +function _stop_daemons_rsyslog() { + notify 'task' 'Stopping rsyslog' 'n' + display_startup_daemon "/etc/init.d/rsyslog stop" +} + +function _stop_daemons_saslauthd() { + notify 'task' 'Stopping saslauthd' 'n' + display_startup_daemon "/etc/init.d/saslauthd stop" +} + +function _stop_daemons_fail2ban() { + notify 'task' 'Stopping fail2ban' 'n' + display_startup_daemon "/etc/init.d/fail2ban stop" +} + +function _stop_daemons_opendkim() { + notify 'task' 'Stopping opendkim' 'n' + display_startup_daemon "/etc/init.d/opendkim stop" +} + +function _stop_daemons_opendmarc() { + notify 'task' 'Stopping opendmarc' 'n' + display_startup_daemon "/etc/init.d/opendmarc stop" +} + +function _stop_daemons_postfix() { + notify 'task' 'Stopping postfix' 'n' + display_startup_daemon "/etc/init.d/postfix stop" +} + +function _stop_daemons_dovecot() { + notify 'task' 'Stopping dovecot services' 'n' + display_startup_daemon "/usr/sbin/dovecot -c /etc/dovecot/dovecot.conf stop" +} + +function _stop_daemons_filebeat() { + notify 'task' 'Stopping filebeat' 'n' + display_startup_daemon "/etc/init.d/filebeat stop" +} + +function _stop_daemons_fetchmail() { + notify 'task' 'Stopping fetchmail' 'n' + display_startup_daemon "/etc/init.d/fetchmail stop" +} + +function _stop_daemons_clamav() { + notify 'task' 'Stopping clamav' 'n' + display_startup_daemon "/etc/init.d/clamav-daemon stop" +} + 
+function _stop_daemons_postgrey() { + notify 'task' 'Stopping postgrey' 'n' + display_startup_daemon "/etc/init.d/postgrey stop" +} + +function _stop_daemons_amavis() { + notify 'task' 'Stopping amavis' 'n' + display_startup_daemon "/etc/init.d/amavis stop" +} + +########################################################################## +# << Stop Daemons +########################################################################## @@ -1318,7 +1410,9 @@ notify 'taskgrp' "# $HOSTNAME is up and running" notify 'taskgrp' "#" notify 'taskgrp' "" -tail -fn 0 /var/log/mail/mail.log +tail -fn 0 /var/log/mail/mail.log & +TAIL_PID="$!" +wait ${TAIL_PID} # !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! # ! CARE --> DON'T CHANGE, unless you exactly know what you are doing From b06c8e438e52f9ff132dbe122005717364828438 Mon Sep 17 00:00:00 2001 From: Felix Schwarz Date: Sun, 30 Jul 2017 10:28:08 +0200 Subject: [PATCH 3/3] Merging changes from tomav/docker-mailserver up to 60afbe1; fixing path for header_reject pcre file --- .travis.yml | 2 +- Dockerfile | 84 +++++++++++++++++++++++--------------- target/start-mailserver.sh | 11 ++++- 3 files changed, 61 insertions(+), 36 deletions(-) diff --git a/.travis.yml b/.travis.yml index 92bddfb5..b6bf81c5 100644 --- a/.travis.yml +++ b/.travis.yml @@ -6,7 +6,7 @@ sudo: required services: - docker install: -- travis_wait make build-no-cache +- travis_retry travis_wait make build-no-cache script: - make generate-accounts run fixtures tests after_script: diff --git a/Dockerfile b/Dockerfile index 0f0a1bed..fe3caac3 100644 --- a/Dockerfile +++ b/Dockerfile @@ -8,9 +8,7 @@ ENV ONE_DIR=0 # Packages RUN apt-get update -q --fix-missing && \ apt-get -y upgrade && \ - apt-get -y install postfix -RUN apt-get update -q --fix-missing && \ - apt-get -y upgrade && \ + apt-get -y install postfix && \ apt-get -y install --no-install-recommends \ amavisd-new \ arj \ 
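Review bot: `_stop_daemons_cron` runs `/etc/inid.d/cron stop` — a typo for `/etc/init.d/cron`, so even once cron is registered for stopping this function fails. In `stop_daemons`, `kill -SIGTERM ${TAIL_PID}` is unquoted and the handler never exits; because `wait ${TAIL_PID}` returns as soon as the trapped signal arrives, control falls through to whatever follows the CARE banner after the handler returns, so end the handler with `kill -SIGTERM "${TAIL_PID}"` followed by `exit 0` (or the 128+signal status if callers expect it). Reusing `display_startup_daemon` for the stop commands also prints "starting"-style output while shutting down, if that helper labels its output — a small renaming or a parameter would make the log honest.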
@@ -55,27 +53,38 @@ RUN apt-get update -q --fix-missing && \ && \ curl https://packages.elasticsearch.org/GPG-KEY-elasticsearch | apt-key add - && \ echo "deb http://packages.elastic.co/beats/apt stable main" | tee -a /etc/apt/sources.list.d/beats.list && \ - apt-get update -q --fix-missing && apt-get -y upgrade fail2ban filebeat && \ - apt-get autoclean && rm -rf /var/lib/apt/lists/* && \ - rm -rf /usr/share/locale/* && rm -rf /usr/share/man/* && rm -rf /usr/share/doc/* && \ - touch /var/log/auth.log && update-locale + apt-get update -q --fix-missing && \ + apt-get -y upgrade \ + fail2ban \ + filebeat \ + && \ + apt-get autoclean && \ + rm -rf /var/lib/apt/lists/* && \ + rm -rf /usr/share/locale/* && \ + rm -rf /usr/share/man/* && \ + rm -rf /usr/share/doc/* && \ + touch /var/log/auth.log && \ + update-locale && \ + rm -f /etc/cron.weekly/fstrim -# Enables Clamav -RUN (echo "0 0,6,12,18 * * * /usr/bin/freshclam --quiet" ; crontab -l) | crontab - -RUN chmod 644 /etc/clamav/freshclam.conf && freshclam +RUN echo "0 0,6,12,18 * * * /usr/bin/freshclam --quiet" > /etc/cron.d/freshclam && \ + chmod 644 /etc/clamav/freshclam.conf && \ + freshclam # Configures Dovecot -RUN sed -i -e 's/include_try \/usr\/share\/dovecot\/protocols\.d/include_try \/etc\/dovecot\/protocols\.d/g' /etc/dovecot/dovecot.conf -RUN sed -i -e 's/#mail_plugins = \$mail_plugins/mail_plugins = \$mail_plugins sieve/g' /etc/dovecot/conf.d/15-lda.conf -RUN sed -i -e 's/^.*lda_mailbox_autocreate.*/lda_mailbox_autocreate = yes/g' /etc/dovecot/conf.d/15-lda.conf -RUN sed -i -e 's/^.*lda_mailbox_autosubscribe.*/lda_mailbox_autosubscribe = yes/g' /etc/dovecot/conf.d/15-lda.conf -RUN sed -i -e 's/^.*postmaster_address.*/postmaster_address = '${POSTMASTER_ADDRESS:="postmaster@domain.com"}'/g' /etc/dovecot/conf.d/15-lda.conf -RUN sed -i 's/#imap_idle_notify_interval = 2 mins/imap_idle_notify_interval = 29 mins/' /etc/dovecot/conf.d/20-imap.conf -COPY target/dovecot/auth-passwdfile.inc /etc/dovecot/conf.d/ -COPY 
target/dovecot/??-*.conf /etc/dovecot/conf.d/ -RUN cd /usr/share/dovecot && ./mkcert.sh -RUN mkdir /usr/lib/dovecot/sieve-pipe && chmod 755 /usr/lib/dovecot/sieve-pipe -RUN mkdir /usr/lib/dovecot/sieve-filter && chmod 755 /usr/lib/dovecot/sieve-filter +COPY target/dovecot/auth-passwdfile.inc target/dovecot/??-*.conf /etc/dovecot/conf.d/ +RUN sed -i -e 's/include_try \/usr\/share\/dovecot\/protocols\.d/include_try \/etc\/dovecot\/protocols\.d/g' /etc/dovecot/dovecot.conf && \ + sed -i -e 's/#mail_plugins = \$mail_plugins/mail_plugins = \$mail_plugins sieve/g' /etc/dovecot/conf.d/15-lda.conf && \ + sed -i -e 's/^.*lda_mailbox_autocreate.*/lda_mailbox_autocreate = yes/g' /etc/dovecot/conf.d/15-lda.conf && \ + sed -i -e 's/^.*lda_mailbox_autosubscribe.*/lda_mailbox_autosubscribe = yes/g' /etc/dovecot/conf.d/15-lda.conf && \ + sed -i -e 's/^.*postmaster_address.*/postmaster_address = '${POSTMASTER_ADDRESS:="postmaster@domain.com"}'/g' /etc/dovecot/conf.d/15-lda.conf && \ + sed -i 's/#imap_idle_notify_interval = 2 mins/imap_idle_notify_interval = 29 mins/' /etc/dovecot/conf.d/20-imap.conf && \ + cd /usr/share/dovecot && \ + ./mkcert.sh && \ + mkdir /usr/lib/dovecot/sieve-pipe && \ + chmod 755 /usr/lib/dovecot/sieve-pipe && \ + mkdir /usr/lib/dovecot/sieve-filter && \ + chmod 755 /usr/lib/dovecot/sieve-filter # Configures LDAP COPY target/dovecot/dovecot-ldap.conf.ext /etc/dovecot 
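Review bot: The new `/etc/cron.d/freshclam` line is missing the user field: files under /etc/cron.d use the system crontab format `min hour dom mon dow USER command`, so cron will read `/usr/bin/freshclam` as the user name and `--quiet` as the command, and signature updates silently never run — the replaced `crontab -` form targeted root's per-user crontab, where no user field exists, which is why it used to work. Write `echo "0 0,6,12,18 * * * root /usr/bin/freshclam --quiet" > /etc/cron.d/freshclam` (or the `clamav` user if the database directory is owned by it — only the chmod on freshclam.conf is visible here). Separately, the merged RUN still executes `./mkcert.sh` at build time, so the self-signed Dovecot private key is baked into the image layer and shared by every container pulled from it; if the start script replaces it at runtime this is fine as a placeholder, otherwise it should be generated on first start.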
@@ -87,16 +96,17 @@ RUN sed -i -r 's/^(CRON)=0/\1=1/g' /etc/default/spamassassin # Enables Postgrey COPY target/postgrey/postgrey /etc/default/postgrey COPY target/postgrey/postgrey.init /etc/init.d/postgrey -RUN chmod 755 /etc/init.d/postgrey -RUN mkdir /var/run/postgrey -RUN chown postgrey:postgrey /var/run/postgrey +RUN chmod 755 /etc/init.d/postgrey && \ + mkdir /var/run/postgrey && \ + chown postgrey:postgrey /var/run/postgrey # Enables Amavis -RUN sed -i -r 's/#(@| \\%)bypass/\1bypass/g' /etc/amavis/conf.d/15-content_filter_mode COPY target/amavis/conf.d/60-dms_default_config /etc/amavis/conf.d/ -RUN adduser clamav amavis && adduser amavis clamav -RUN useradd -u 5000 -d /home/docker -s /bin/bash -p $(echo docker | openssl passwd -1 -stdin) docker -RUN (echo "0 4 * * * /usr/local/bin/virus-wiper" ; crontab -l) | crontab - +RUN sed -i -r 's/#(@| \\%)bypass/\1bypass/g' /etc/amavis/conf.d/15-content_filter_mode && \ + adduser clamav amavis && \ + adduser amavis clamav && \ + useradd -u 5000 -d /home/docker -s /bin/bash -p $(echo docker | openssl passwd -1 -stdin) docker && \ + (echo "0 4 * * * /usr/local/bin/virus-wiper" ; crontab -l) | crontab - # Configure Fail2ban COPY target/fail2ban/jail.conf /etc/fail2ban/jail.conf @@ -105,7 +115,9 @@ RUN echo "ignoreregex =" >> /etc/fail2ban/filter.d/postfix-sasl.conf # Enables Pyzor and Razor USER amavis -RUN razor-admin -create && razor-admin -register && pyzor discover +RUN razor-admin -create && \ + razor-admin -register && \ + pyzor discover USER root # Configure DKIM (opendkim) 
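Review bot: The merged RUN carries over `useradd -u 5000 -d /home/docker -s /bin/bash -p $(echo docker | openssl passwd -1 -stdin) docker`, which bakes a login-capable account with the well-known password "docker" (MD5-crypt) into every image; nothing in the diff shows what uses it, and a mail server that offers SASL and IMAP authentication should not ship a default credential. If the account only needs to exist as a uid for file ownership, drop `-p` (the account is then locked) and use `-s /usr/sbin/nologin`; if a test fixture depends on the password, say so in a comment and document how to remove the user in production — I cannot tell which from here.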
@@ -124,14 +136,17 @@ RUN sed -i 's/START_DAEMON=no/START_DAEMON=yes/g' /etc/default/fetchmail # Configures Postfix COPY target/postfix/main.cf target/postfix/master.cf /etc/postfix/ -RUN echo "" > /etc/aliases -RUN openssl dhparam -out /etc/postfix/dhparams.pem 2048 +RUN echo "" > /etc/aliases && \ + openssl dhparam -out /etc/postfix/dhparams.pem 2048 # Configuring Logs RUN sed -i -r "/^#?compress/c\compress\ncopytruncate" /etc/logrotate.conf && \ - mkdir -p /var/log/mail && chown syslog:root /var/log/mail && \ - touch /var/log/mail/clamav.log && chown -R clamav:root /var/log/mail/clamav.log && \ - touch /var/log/mail/freshclam.log && chown -R clamav:root /var/log/mail/freshclam.log && \ + mkdir -p /var/log/mail && \ + chown syslog:root /var/log/mail && \ + touch /var/log/mail/clamav.log && \ + chown -R clamav:root /var/log/mail/clamav.log && \ + touch /var/log/mail/freshclam.log && \ + chown -R clamav:root /var/log/mail/freshclam.log && \ sed -i -r 's|/var/log/mail|/var/log/mail/mail|g' /etc/rsyslog.d/50-default.conf && \ sed -i -r 's|;auth,authpriv.none|;mail.none;mail.error;auth,authpriv.none|g' /etc/rsyslog.d/50-default.conf && \ sed -i -r 's|LogFile /var/log/clamav/|LogFile /var/log/mail/|g' /etc/clamav/clamd.conf && \ @@ -144,6 +159,7 @@ RUN sed -i -r "/^#?compress/c\compress\ncopytruncate" /etc/logrotate.conf && \ RUN curl -s https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > /etc/ssl/certs/lets-encrypt-x3-cross-signed.pem COPY ./target/bin /usr/local/bin + # Start-mailserver script COPY ./target/start-mailserver.sh ./target/docker-configomat/configomat.sh /usr/local/bin/ RUN chmod +x /usr/local/bin/* diff --git a/target/start-mailserver.sh b/target/start-mailserver.sh index 51bca61f..bcf39271 100644 --- a/target/start-mailserver.sh +++ b/target/start-mailserver.sh 
@@ -133,6 +133,9 @@ function register_functions() { _register_fix_function "_fix_var_mail_permissions" _register_fix_function "_fix_var_amavis_permissions" + if [ "$ENABLE_CLAMAV" = 0 ]; then + _register_fix_function "_fix_cleanup_clamav" + fi ################### << fix funcs @@ -717,7 +720,7 @@ function _setup_postfix_rejections() { if [ -f /tmp/docker-mailserver/postfix-reject_header_checks ]; then cp -f /tmp/docker-mailserver/postfix-reject_header_checks /etc/postfix/reject_header_checks - postconf -e "header_checks = pcre:/etc/postfix/reject_body_checks" + postconf -e "header_checks = pcre:/etc/postfix/reject_header_checks" fi if [ -f /tmp/docker-mailserver/postfix-reject_body_checks ]; then cp -f /tmp/docker-mailserver/postfix-reject_body_checks /etc/postfix/reject_body_checks @@ -1118,6 +1121,12 @@ function _fix_var_amavis_permissions() { fi } +function _fix_cleanup_clamav() { + notify 'task' 'Cleaning up disabled Clamav' + rm -f /etc/logrotate.d/clamav-* + rm -f /etc/cron.d/freshclam +} + ########################################################################## # << Fix Stack ##########################################################################
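Review bot: `_fix_cleanup_clamav` is registered only when `"$ENABLE_CLAMAV" = 0`, while the daemon start in patch 2 is gated on `= 1`, so an unset or empty ENABLE_CLAMAV neither starts clamd nor removes the freshclam cron and logrotate entries, leaving signature downloads running four times a day for a scanner that never runs. Unless DEFAULT_VARS gives ENABLE_CLAMAV an explicit "0" default (not visible here), gate the cleanup on the same condition as the start: `if [ "$ENABLE_CLAMAV" != 1 ]; then`. A short comment on the function would help too, e.g. `# ClamAV disabled: stop freshclam/logrotate from touching a database nobody reads`.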