From 1f31475e11d23d3255546514c3375399389a9cbd Mon Sep 17 00:00:00 2001 From: alinmear Date: Thu, 1 Dec 2016 15:45:40 +0100 Subject: [PATCH 01/38] Restructure start-mailserver.sh #338 --- target/start-mailserver.sh | 1331 ++++++++++++++++++++++++------------ 1 file changed, 877 insertions(+), 454 deletions(-) diff --git a/target/start-mailserver.sh b/target/start-mailserver.sh index a41cd4c1..d14175cd 100644 --- a/target/start-mailserver.sh +++ b/target/start-mailserver.sh @@ -1,145 +1,433 @@ #!/bin/bash -die () { - echo "## Configuration error:" - echo >&2 "> $@" - exit 1 +########################################################################## +# >> DEFAULT VARS +# +# add them here. +# Example: DEFAULT_VARS["KEY"]="VALUE" +########################################################################## +declare -A DEFAULT_VARS +DEFAULT_VARS["VIRUSMAILS_DELETE_DELAY"]="${VIRUSMAILS_DELETE_DELAY:="7"}" +########################################################################## +# << DEFAULT VARS +########################################################################## + + +########################################################################## +# >> REGISTER FUNCTIONS +# +# add your new functions/methods here. +# +# NOTE: position matters when registering a function in stacks. First in First out +# Execution Logic: +# > check functions +# > setup functions +# > fix functions +# > misc functions +# > start-daemons +# +# Example: +# if [ CONDITION IS MET ]; then +# _register_{setup,fix,check,start}_{functions,daemons} "$FUNCNAME" +# fi +# +# Implement them in the section-group: {check,setup,fix,start} +########################################################################## +function register_functions() { + notify 'taskgrp' 'Registering check,setup,fix,misc and start-daemons functions' + + ################### >> check funcs + + _register_check_function "_check_environment_variables" + _register_check_function "_check_hostname" + + ################### << check funcs + + ################### >> setup funcs + + _register_setup_function "_setup_default_vars" + + if [ "$ENABLE_ELK_FORWARDER" = 1 ]; then + _register_setup_function "_setup_elk_forwarder" + fi + + if [ "$SMTP_ONLY" != 1 ]; then + _register_setup_function "_setup_dovecot" + _register_setup_function "_setup_dovecot_local_user" + fi + + if [ "$ENABLE_LDAP" = 1 ];then + _register_setup_function "_setup_ldap" + fi + + if [ "$ENABLE_SASLAUTHD" = 1 ];then + _register_setup_function "_setup_saslauthd" + fi + + _register_setup_function "_setup_dkim" + _register_setup_function "_setup_ssl" + _register_setup_function "_setup_docker_permit" + + _register_setup_function "_setup_mailname" + + _register_setup_function "_setup_postfix_override_configuration" + _register_setup_function "_setup_postfix_sasl_password" + _register_setup_function "_setup_security_stack" + _register_setup_function "_setup_postfix_aliases" + _register_setup_function "_setup_postfix_vhost" + _register_setup_function "_setup_postfix_relay_amazon_ses" + + ################### << setup funcs + + ################### >> fix funcs + + _register_fix_function "_fix_var_mail_permissions" + + ################### << fix funcs + + ################### >> misc funcs + + _register_misc_function "_misc_save_states" + + ################### << misc funcs + + ################### >> daemon funcs + + _register_start_daemon "_start_daemons_sys" + + if [ "$ENABLE_ELK_FORWARDER" = 1 ]; then + _register_start_daemon "_start_daemons_filebeat" + fi + + if [ "$SMTP_ONLY" != 1 ]; then + _register_start_daemon "_start_daemons_dovecot" + fi + + # needs to be started before saslauthd + _register_start_daemon "_start_daemons_opendkim" + _register_start_daemon "_start_daemons_opendmarc" + _register_start_daemon "_start_daemons_postfix" + + if [ "$ENABLE_SASLAUTHD" = 1 ];then + _register_start_daemon "_start_daemons_saslauthd" + fi + + # care needs to run after postfix + if [ "$ENABLE_FAIL2BAN" = 1 ]; then + _register_start_daemon "_start_daemons_fail2ban" + fi + + if [ "$ENABLE_FETCHMAIL" = 1 ]; then + _register_start_daemon "_start_daemons_fetchmail" + fi + + if ! [ "$DISABLE_CLAMAV" = 1 ]; then + _register_start_daemon "_start_daemons_clamav" + fi + + if ! [ "$DISABLE_AMAVIS" = 1 ]; then + _register_start_daemon "_start_daemons_amavis" + fi + ################### << daemon funcs +} +########################################################################## +# << REGISTER FUNCTIONS +########################################################################## + + + +# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +# ! CARE --> DON'T CHANGE, unless you exactly know what you are doing +# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +# >> + + +########################################################################## +# >> CONSTANTS +########################################################################## +declare -a FUNCS_SETUP +declare -a FUNCS_FIX +declare -a FUNCS_CHECK +declare -a FUNCS_MISC +declare -a DAEMONS_START +declare -A HELPERS_EXEC_STATE +########################################################################## +# << CONSTANTS +########################################################################## + + +########################################################################## +# >> protected register_functions +########################################################################## +function _register_start_daemon() { + DAEMONS_START+=($1) + notify 'inf' "$1() registered" } +function _register_setup_function() { + FUNCS_SETUP+=($1) + notify 'inf' "$1() registered" +} + +function _register_fix_function() { + FUNCS_FIX+=($1) + notify 'inf' "$1() registered" +} + +function _register_check_function() { + FUNCS_CHECK+=($1) + notify 'inf' "$1() registered" +} + +function _register_misc_function() { + FUNCS_MISC+=($1) + notify 'inf' "$1() registered" +} +########################################################################## +# << protected register_functions +########################################################################## + + +function notify () { + c_red="\e[0;31m" + c_green="\e[0;32m" + c_blue="\e[0;34m" + c_bold="\033[1m" + c_reset="\e[0m" + + notification_type=$1 + notification_msg=$2 + + case "${notification_type}" in + 'inf') + msg="${c_green} * ${c_reset}${notification_msg}" + ;; + 'err') + msg="${c_red} * ${c_reset}${notification_msg}" + ;; + 'warn') + msg="${c_blue} * ${c_reset}${notification_msg}" + ;; + 'task') + msg=" >>>> ${notification_msg}" + ;; + 'taskgrp') + msg="${c_bold}${notification_msg}${c_reset}" + ;; + 'fatal') + msg="${c_bold} >>>> ${notification_msg} <<<<${c_reset}" + ;; + *) + msg="" + ;; + esac + + [[ ! -z "${msg}" ]] && echo -e "${msg}" +} + +function defunc() { + notify 'fatal' "Please fix the failures. Exiting ..." + exit 1 +} + +# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +# ! CARE --> DON'T CHANGE, except you know exactly what you are doing +# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +# << + + + +########################################################################## +# >> Check Stack # -# Check that hostname/domainname is provided (no default docker hostname) +# Description: Place functions for initial check of container sanity +########################################################################## +function check() { + notify 'taskgrp' 'Checking configuration sanity:' + for _func in "${FUNCS_CHECK[@]}";do + $_func + [ $? != 0 ] && defunc + done +} + +function _check_hostname() { + notify "task" "Check that hostname/domainname is provided (no default docker hostname) [$FUNCNAME]" + + if ( ! echo $(hostname) | grep -E '^(\S+[.]\S+)$' ); then + notify 'err' "Setting hostname/domainname is required" + return 1 + else + notify 'inf' "Hostname has been set" + return 0 + fi +} + +function _check_environment_variables() { + notify "task" "Check that there are no conflicts with env variables [$FUNCNAME]" + return 0 +} +########################################################################## +# << Check Stack +########################################################################## + + +########################################################################## +# >> Setup Stack # -if ( ! echo $(hostname) | grep -E '^(\S+[.]\S+)$' ); then - die "Setting hostname/domainname is required." -fi +# Description: Place functions for functional configurations here +########################################################################## +function setup() { + notify 'taskgrp' 'Setting up the Container:' -# -# Default variables -# -echo "export VIRUSMAILS_DELETE_DELAY=${VIRUSMAILS_DELETE_DELAY:="7"}" >> /root/.bashrc + for _func in "${FUNCS_SETUP[@]}";do + $_func + [ $? != 0 ] && defunc + done +} -# -# Configuring Dovecot -# -if [ "$SMTP_ONLY" != 1 ]; then - cp -a /usr/share/dovecot/protocols.d /etc/dovecot/ - # Disable pop3 (it will be eventually enabled later in the script, if requested) - mv /etc/dovecot/protocols.d/pop3d.protocol /etc/dovecot/protocols.d/pop3d.protocol.disab - mv /etc/dovecot/protocols.d/managesieved.protocol /etc/dovecot/protocols.d/managesieved.protocol.disab - sed -i -e 's/#ssl = yes/ssl = yes/g' /etc/dovecot/conf.d/10-master.conf - sed -i -e 's/#port = 993/port = 993/g' /etc/dovecot/conf.d/10-master.conf - sed -i -e 's/#port = 995/port = 995/g' /etc/dovecot/conf.d/10-master.conf - sed -i -e 's/#ssl = yes/ssl = required/g' /etc/dovecot/conf.d/10-ssl.conf -fi +function _setup_default_vars() { + notify 'task' "Setting up default variables [$FUNCNAME]" -# -# Users -# -echo -n > /etc/postfix/vmailbox -echo -n > /etc/dovecot/userdb -if [ -f /tmp/docker-mailserver/postfix-accounts.cf -a "$ENABLE_LDAP" != 1 ]; then - echo "Checking file line endings" - sed -i 's/\r//g' /tmp/docker-mailserver/postfix-accounts.cf - echo "Regenerating postfix 'vmailbox' and 'virtual' for given users" - echo "# WARNING: this file is auto-generated. Modify config/postfix-accounts.cf to edit user list." > /etc/postfix/vmailbox + for var in ${!DEFAULT_VARS[@]}; do + echo "export $var=${DEFAULT_VARS[$var]}" >> /root/.bashrc + [ $? != 0 ] && notify 'err' "Unable to set $var=${DEFAULT_VARS[$var]}" && return 1 + notify 'inf' "$var=${DEFAULT_VARS[$var]} set" + done +} - # Checking that /tmp/docker-mailserver/postfix-accounts.cf ends with a newline - sed -i -e '$a\' /tmp/docker-mailserver/postfix-accounts.cf +function _setup_mailname() { + notify 'task' 'Setting up Mailname' - chown dovecot:dovecot /etc/dovecot/userdb - chmod 640 /etc/dovecot/userdb + echo "Creating /etc/mailname" + echo $(hostname -d) > /etc/mailname +} - sed -i -e '/\!include auth-ldap\.conf\.ext/s/^/#/' /etc/dovecot/conf.d/10-auth.conf - sed -i -e '/\!include auth-passwdfile\.inc/s/^#//' /etc/dovecot/conf.d/10-auth.conf +function _setup_dovecot() { + notify 'task' 'Setting up Dovecot' - # Creating users - # 'pass' is encrypted - while IFS=$'|' read login pass - do - # Setting variables for better readability - user=$(echo ${login} | cut -d @ -f1) - domain=$(echo ${login} | cut -d @ -f2) - # Let's go! - echo "user '${user}' for domain '${domain}' with password '********'" - echo "${login} ${domain}/${user}/" >> /etc/postfix/vmailbox - # User database for dovecot has the following format: - # user:password:uid:gid:(gecos):home:(shell):extra_fields - # Example : - # ${login}:${pass}:5000:5000::/var/mail/${domain}/${user}::userdb_mail=maildir:/var/mail/${domain}/${user} - echo "${login}:${pass}:5000:5000::/var/mail/${domain}/${user}::" >> /etc/dovecot/userdb - mkdir -p /var/mail/${domain} - if [ ! -d "/var/mail/${domain}/${user}" ]; then - maildirmake.dovecot "/var/mail/${domain}/${user}" - maildirmake.dovecot "/var/mail/${domain}/${user}/.Sent" - maildirmake.dovecot "/var/mail/${domain}/${user}/.Trash" - maildirmake.dovecot "/var/mail/${domain}/${user}/.Drafts" - echo -e "INBOX\nSent\nTrash\nDrafts" >> "/var/mail/${domain}/${user}/subscriptions" - touch "/var/mail/${domain}/${user}/.Sent/maildirfolder" - fi - # Copy user provided sieve file, if present - test -e /tmp/docker-mailserver/${login}.dovecot.sieve && cp /tmp/docker-mailserver/${login}.dovecot.sieve /var/mail/${domain}/${user}/.dovecot.sieve - echo ${domain} >> /tmp/vhost.tmp - done < /tmp/docker-mailserver/postfix-accounts.cf -else - echo "==> Warning: 'config/docker-mailserver/postfix-accounts.cf' is not provided. No mail account created." -fi + cp -a /usr/share/dovecot/protocols.d /etc/dovecot/ + # Disable pop3 (it will be eventually enabled later in the script, if requested) + mv /etc/dovecot/protocols.d/pop3d.protocol /etc/dovecot/protocols.d/pop3d.protocol.disab + mv /etc/dovecot/protocols.d/managesieved.protocol /etc/dovecot/protocols.d/managesieved.protocol.disab + sed -i -e 's/#ssl = yes/ssl = yes/g' /etc/dovecot/conf.d/10-master.conf + sed -i -e 's/#port = 993/port = 993/g' /etc/dovecot/conf.d/10-master.conf + sed -i -e 's/#port = 995/port = 995/g' /etc/dovecot/conf.d/10-master.conf + sed -i -e 's/#ssl = yes/ssl = required/g' /etc/dovecot/conf.d/10-ssl.conf -# -# LDAP -# -if [ "$ENABLE_LDAP" = 1 ]; then - for i in 'users' 'groups' 'aliases'; do - sed -i -e 's|^server_host.*|server_host = '${LDAP_SERVER_HOST:="mail.domain.com"}'|g' \ - -e 's|^search_base.*|search_base = '${LDAP_SEARCH_BASE:="ou=people,dc=domain,dc=com"}'|g' \ - -e 's|^bind_dn.*|bind_dn = '${LDAP_BIND_DN:="cn=admin,dc=domain,dc=com"}'|g' \ - -e 's|^bind_pw.*|bind_pw = '${LDAP_BIND_PW:="admin"}'|g' \ - /etc/postfix/ldap-${i}.cf - done + # Enable Managesieve service by setting the symlink + # to the configuration file Dovecot will actually find + if [ "$ENABLE_MANAGESIEVE" = 1 ]; then + echo "Sieve management enabled" + mv /etc/dovecot/protocols.d/managesieved.protocol.disab /etc/dovecot/protocols.d/managesieved.protocol + fi +} - echo "Configuring dovecot LDAP authentification" - sed -i -e 's|^hosts.*|hosts = '${LDAP_SERVER_HOST:="mail.domain.com"}'|g' \ - -e 's|^base.*|base = '${LDAP_SEARCH_BASE:="ou=people,dc=domain,dc=com"}'|g' \ - -e 's|^dn\s*=.*|dn = '${LDAP_BIND_DN:="cn=admin,dc=domain,dc=com"}'|g' \ - -e 's|^dnpass\s*=.*|dnpass = '${LDAP_BIND_PW:="admin"}'|g' \ - /etc/dovecot/dovecot-ldap.conf.ext +function _setup_dovecot_local_user() { + notify 'task' 'Setting up Dovecot Local User' + echo -n > /etc/postfix/vmailbox + echo -n > /etc/dovecot/userdb + if [ -f /tmp/docker-mailserver/postfix-accounts.cf -a "$ENABLE_LDAP" != 1 ]; then + echo "Checking file line endings" + sed -i 's/\r//g' /tmp/docker-mailserver/postfix-accounts.cf + echo "Regenerating postfix 'vmailbox' and 'virtual' for given users" + echo "# WARNING: this file is auto-generated. Modify config/postfix-accounts.cf to edit user list." > /etc/postfix/vmailbox - # Add domainname to vhost. - echo $(hostname -d) >> /tmp/vhost.tmp + # Checking that /tmp/docker-mailserver/postfix-accounts.cf ends with a newline + sed -i -e '$a\' /tmp/docker-mailserver/postfix-accounts.cf - echo "Enabling dovecot LDAP authentification" - sed -i -e '/\!include auth-ldap\.conf\.ext/s/^#//' /etc/dovecot/conf.d/10-auth.conf - sed -i -e '/\!include auth-passwdfile\.inc/s/^/#/' /etc/dovecot/conf.d/10-auth.conf + chown dovecot:dovecot /etc/dovecot/userdb + chmod 640 /etc/dovecot/userdb - echo "Configuring LDAP" - [ -f /etc/postfix/ldap-users.cf ] && \ - postconf -e "virtual_mailbox_maps = ldap:/etc/postfix/ldap-users.cf" || \ - echo '==> Warning: /etc/postfix/ldap-user.cf not found' + sed -i -e '/\!include auth-ldap\.conf\.ext/s/^/#/' /etc/dovecot/conf.d/10-auth.conf + sed -i -e '/\!include auth-passwdfile\.inc/s/^#//' /etc/dovecot/conf.d/10-auth.conf - [ -f /etc/postfix/ldap-aliases.cf -a -f /etc/postfix/ldap-groups.cf ] && \ - postconf -e "virtual_alias_maps = ldap:/etc/postfix/ldap-aliases.cf, ldap:/etc/postfix/ldap-groups.cf" || \ - echo '==> Warning: /etc/postfix/ldap-aliases.cf or /etc/postfix/ldap-groups.cf not found' - - [ ! -f /etc/postfix/sasl/smtpd.conf ] && cat > /etc/postfix/sasl/smtpd.conf << EOF + # Creating users + # 'pass' is encrypted + while IFS=$'|' read login pass + do + # Setting variables for better readability + user=$(echo ${login} | cut -d @ -f1) + domain=$(echo ${login} | cut -d @ -f2) + # Let's go! + echo "user '${user}' for domain '${domain}' with password '********'" + echo "${login} ${domain}/${user}/" >> /etc/postfix/vmailbox + # User database for dovecot has the following format: + # user:password:uid:gid:(gecos):home:(shell):extra_fields + # Example : + # ${login}:${pass}:5000:5000::/var/mail/${domain}/${user}::userdb_mail=maildir:/var/mail/${domain}/${user} + echo "${login}:${pass}:5000:5000::/var/mail/${domain}/${user}::" >> /etc/dovecot/userdb + mkdir -p /var/mail/${domain} + if [ ! -d "/var/mail/${domain}/${user}" ]; then + maildirmake.dovecot "/var/mail/${domain}/${user}" + maildirmake.dovecot "/var/mail/${domain}/${user}/.Sent" + maildirmake.dovecot "/var/mail/${domain}/${user}/.Trash" + maildirmake.dovecot "/var/mail/${domain}/${user}/.Drafts" + echo -e "INBOX\nSent\nTrash\nDrafts" >> "/var/mail/${domain}/${user}/subscriptions" + touch "/var/mail/${domain}/${user}/.Sent/maildirfolder" + fi + # Copy user provided sieve file, if present + test -e /tmp/docker-mailserver/${login}.dovecot.sieve && cp /tmp/docker-mailserver/${login}.dovecot.sieve /var/mail/${domain}/${user}/.dovecot.sieve + echo ${domain} >> /tmp/vhost.tmp + done < /tmp/docker-mailserver/postfix-accounts.cf + else + echo "==> Warning: 'config/docker-mailserver/postfix-accounts.cf' is not provided. No mail account created." + fi +} + +function _setup_ldap() { + notify 'task' 'Setting up Ldap' + for i in 'users' 'groups' 'aliases'; do + sed -i -e 's|^server_host.*|server_host = '${LDAP_SERVER_HOST:="mail.domain.com"}'|g' \ + -e 's|^search_base.*|search_base = '${LDAP_SEARCH_BASE:="ou=people,dc=domain,dc=com"}'|g' \ + -e 's|^bind_dn.*|bind_dn = '${LDAP_BIND_DN:="cn=admin,dc=domain,dc=com"}'|g' \ + -e 's|^bind_pw.*|bind_pw = '${LDAP_BIND_PW:="admin"}'|g' \ + /etc/postfix/ldap-${i}.cf + done + + echo "Configuring dovecot LDAP authentification" + sed -i -e 's|^hosts.*|hosts = '${LDAP_SERVER_HOST:="mail.domain.com"}'|g' \ + -e 's|^base.*|base = '${LDAP_SEARCH_BASE:="ou=people,dc=domain,dc=com"}'|g' \ + -e 's|^dn\s*=.*|dn = '${LDAP_BIND_DN:="cn=admin,dc=domain,dc=com"}'|g' \ + -e 's|^dnpass\s*=.*|dnpass = '${LDAP_BIND_PW:="admin"}'|g' \ + /etc/dovecot/dovecot-ldap.conf.ext + + # Add domainname to vhost. + echo $(hostname -d) >> /tmp/vhost.tmp + + echo "Enabling dovecot LDAP authentification" + sed -i -e '/\!include auth-ldap\.conf\.ext/s/^#//' /etc/dovecot/conf.d/10-auth.conf + sed -i -e '/\!include auth-passwdfile\.inc/s/^/#/' /etc/dovecot/conf.d/10-auth.conf + + echo "Configuring LDAP" + [ -f /etc/postfix/ldap-users.cf ] && \ + postconf -e "virtual_mailbox_maps = ldap:/etc/postfix/ldap-users.cf" || \ + echo '==> Warning: /etc/postfix/ldap-user.cf not found' + + [ -f /etc/postfix/ldap-aliases.cf -a -f /etc/postfix/ldap-groups.cf ] && \ + postconf -e "virtual_alias_maps = ldap:/etc/postfix/ldap-aliases.cf, ldap:/etc/postfix/ldap-groups.cf" || \ + echo '==> Warning: /etc/postfix/ldap-aliases.cf or /etc/postfix/ldap-groups.cf not found' + + [ ! -f /etc/postfix/sasl/smtpd.conf ] && cat > /etc/postfix/sasl/smtpd.conf << EOF pwcheck_method: saslauthd mech_list: plain login EOF -fi +return 0 +} -# -# SASLAUTHD -# -if [ "$ENABLE_SASLAUTHD" = 1 ]; then - echo "Configuring Cyrus SASL" - # checking env vars and setting defaults - [ -z $SASLAUTHD_MECHANISMS ] && SASLAUTHD_MECHANISMS=pam - [ -z $SASLAUTHD_LDAP_SEARCH_BASE ] && SASLAUTHD_MECHANISMS=pam - [ -z $SASLAUTHD_LDAP_SERVER ] && SASLAUTHD_LDAP_SERVER=localhost - [ -z $SASLAUTHD_LDAP_FILTER ] && SASLAUTHD_LDAP_FILTER='(&(uniqueIdentifier=%u)(mailEnabled=TRUE))' - ([ -z $SASLAUTHD_LDAP_SSL ] || [ $SASLAUTHD_LDAP_SSL == 0 ]) && SASLAUTHD_LDAP_PROTO='ldap://' || SASLAUTHD_LDAP_PROTO='ldaps://' +function _setup_saslauthd() { + notify 'task' 'Setting up Saslauthd' - if [ ! -f /etc/saslauthd.conf ]; then - echo "Creating /etc/saslauthd.conf" - cat > /etc/saslauthd.conf << EOF + echo "Configuring Cyrus SASL" + # checking env vars and setting defaults + [ -z $SASLAUTHD_MECHANISMS ] && SASLAUTHD_MECHANISMS=pam + [ -z $SASLAUTHD_LDAP_SEARCH_BASE ] && SASLAUTHD_MECHANISMS=pam + [ -z $SASLAUTHD_LDAP_SERVER ] && SASLAUTHD_LDAP_SERVER=localhost + [ -z $SASLAUTHD_LDAP_FILTER ] && SASLAUTHD_LDAP_FILTER='(&(uniqueIdentifier=%u)(mailEnabled=TRUE))' + ([ -z $SASLAUTHD_LDAP_SSL ] || [ $SASLAUTHD_LDAP_SSL == 0 ]) && SASLAUTHD_LDAP_PROTO='ldap://' || SASLAUTHD_LDAP_PROTO='ldaps://' + + if [ ! -f /etc/saslauthd.conf ]; then + echo "Creating /etc/saslauthd.conf" + cat > /etc/saslauthd.conf << EOF ldap_servers: ${SASLAUTHD_LDAP_PROTO}${SASLAUTHD_LDAP_SERVER} ldap_auth_method: bind @@ -152,375 +440,510 @@ ldap_filter: ${SASLAUTHD_LDAP_FILTER} ldap_referrals: yes log_level: 10 EOF - fi - - sed -i -e "s|^START=.*|START=yes|g" \ - -e "s|^MECHANISMS=.*|MECHANISMS="\"$SASLAUTHD_MECHANISMS\""|g" \ - -e "s|^MECH_OPTIONS=.*|MECH_OPTIONS="\"$SASLAUTHD_MECH_OPTIONS\""|g" \ - /etc/default/saslauthd - sed -i -e "/smtpd_sasl_path =.*/d" \ - -e "/smtpd_sasl_type =.*/d" \ - -e "/dovecot_destination_recipient_limit =.*/d" \ - /etc/postfix/main.cf - gpasswd -a postfix sasl -fi + fi + sed -i \ + -e "s|^START=.*|START=yes|g" \ + -e "s|^MECHANISMS=.*|MECHANISMS="\"$SASLAUTHD_MECHANISMS\""|g" \ + -e "s|^MECH_OPTIONS=.*|MECH_OPTIONS="\"$SASLAUTHD_MECH_OPTIONS\""|g" \ + /etc/default/saslauthd + sed -i \ + -e "/smtpd_sasl_path =.*/d" \ + -e "/smtpd_sasl_type =.*/d" \ + -e "/dovecot_destination_recipient_limit =.*/d" \ + /etc/postfix/main.cf + gpasswd -a postfix sasl +} + +function _setup_postfix_aliases() { + notify 'task' 'Setting up Postfix Aliases' + + echo -n > /etc/postfix/virtual + echo -n > /etc/postfix/regexp + if [ -f /tmp/docker-mailserver/postfix-virtual.cf ]; then + # Copying virtual file + cp -f /tmp/docker-mailserver/postfix-virtual.cf /etc/postfix/virtual + while read from to + do + # Setting variables for better readability + uname=$(echo ${from} | cut -d @ -f1) + domain=$(echo ${from} | cut -d @ -f2) + # if they are equal it means the line looks like: "user1 other@domain.tld" + test "$uname" != "$domain" && echo ${domain} >> /tmp/vhost.tmp + done < /tmp/docker-mailserver/postfix-virtual.cf + else + echo "==> Warning: 'config/postfix-virtual.cf' is not provided. No mail alias/forward created." + fi + if [ -f /tmp/docker-mailserver/postfix-regexp.cf ]; then + # Copying regexp alias file + echo "Adding regexp alias file postfix-regexp.cf" + cp -f /tmp/docker-mailserver/postfix-regexp.cf /etc/postfix/regexp + sed -i -e '/^virtual_alias_maps/{ + s/ regexp:.*// + s/$/ regexp:\/etc\/postfix\/regexp/ + }' /etc/postfix/main.cf + fi +} + +function _setup_dkim() { + notify 'task' 'Setting up DKIM' + + # Check if keys are already available + if [ -e "/tmp/docker-mailserver/opendkim/KeyTable" ]; then + mkdir -p /etc/opendkim + cp -a /tmp/docker-mailserver/opendkim/* /etc/opendkim/ + echo "DKIM keys added for: `ls -C /etc/opendkim/keys/`" + echo "Changing permissions on /etc/opendkim" + # chown entire directory + chown -R opendkim:opendkim /etc/opendkim/ + # And make sure permissions are right + chmod -R 0700 /etc/opendkim/keys/ + else + echo "No DKIM key provided. Check the documentation to find how to get your keys." + fi +} + +function _setup_ssl() { + notify 'task' 'Setting up SSL' + + # SSL Configuration + case $SSL_TYPE in + "letsencrypt" ) + # letsencrypt folders and files mounted in /etc/letsencrypt + if [ -e "/etc/letsencrypt/live/$(hostname)/cert.pem" ] \ + && [ -e "/etc/letsencrypt/live/$(hostname)/fullchain.pem" ]; then + KEY="" + if [ -e "/etc/letsencrypt/live/$(hostname)/privkey.pem" ]; then + KEY="privkey" + elif [ -e "/etc/letsencrypt/live/$(hostname)/key.pem" ]; then + KEY="key" + fi + if [ -n "$KEY" ]; then + echo "Adding $(hostname) SSL certificate" + + # Postfix configuration + sed -i -r 's~smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem~smtpd_tls_cert_file=/etc/letsencrypt/live/'$(hostname)'/fullchain.pem~g' /etc/postfix/main.cf + sed -i -r 's~smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key~smtpd_tls_key_file=/etc/letsencrypt/live/'$(hostname)'/'"$KEY"'\.pem~g' /etc/postfix/main.cf + + # Dovecot configuration + sed -i -e 's~ssl_cert = /etc/postfix/vhost && rm /tmp/vhost.tmp + fi +} + +function _setup_docker_permit() { + notify 'task' 'Setting up PERMIT_DOCKER Option' + + container_ip=$(ip addr show eth0 | grep 'inet ' | sed 's/[^0-9\.\/]*//g' | cut -d '/' -f 1) + container_network="$(echo $container_ip | cut -d '.' -f1-2).0.0" + + case $PERMIT_DOCKER in + "host" ) + echo "Adding $container_network/16 to my networks" + postconf -e "$(postconf | grep '^mynetworks =') $container_network/16" + bash -c "echo $container_network/16 >> /etc/opendmarc/ignore.hosts" + bash -c "echo $container_network/16 >> /etc/opendkim/TrustedHosts" + ;; + + "network" ) + echo "Adding docker network in my networks" + postconf -e "$(postconf | grep '^mynetworks =') 172.16.0.0/12" + bash -c "echo 172.16.0.0/12 >> /etc/opendmarc/ignore.hosts" + bash -c "echo 172.16.0.0/12 >> /etc/opendkim/TrustedHosts" + ;; + + * ) + echo "Adding container ip in my networks" + postconf -e "$(postconf | grep '^mynetworks =') $container_ip/32" + bash -c "echo $container_ip/32 >> /etc/opendmarc/ignore.hosts" + bash -c "echo $container_ip/32 >> /etc/opendkim/TrustedHosts" + ;; + esac + + # @TODO fix: bash: /etc/opendkim/TrustedHosts: No such file or directory + # temporary workarround return success + return 0 +} + +function _setup_postfix_override_configuration() { + notify 'task' 'Setting up Postfix Override configuration' + + if [ -f /tmp/docker-mailserver/postfix-main.cf ]; then + while read line; do + postconf -e "$line" + done < /tmp/docker-mailserver/postfix-main.cf + echo "Loaded 'config/postfix-main.cf'" + else + echo "No extra postfix settings loaded because optional '/tmp/docker-mailserver/postfix-main.cf' not provided." + fi +} + +function _setup_postfix_sasl_password() { + notify 'task' 'Setting up Postfix SASL Password' + + # Support general SASL password + rm -f /etc/postfix/sasl_passwd + if [ ! -z "$SASL_PASSWD" ]; then + echo "$SASL_PASSWD" >> /etc/postfix/sasl_passwd + fi + + # Install SASL passwords + if [ -f /etc/postfix/sasl_passwd ]; then + chown root:root /etc/postfix/sasl_passwd + chmod 0600 /etc/postfix/sasl_passwd + echo "Loaded SASL_PASSWD" + else + echo "==> Warning: 'SASL_PASSWD' is not provided. /etc/postfix/sasl_passwd not created." + fi +} + +function _setup_postfix_relay_amazon_ses() { + notify 'task' 'Setting up Postfix Relay Amazon SES' + + if [ ! -z "$AWS_SES_HOST" -a ! -z "$AWS_SES_USERPASS" ]; then + if [ -z "$AWS_SES_PORT" ];then + AWS_SES_PORT=25 + fi + echo "Setting up outgoing email via AWS SES host $AWS_SES_HOST:$AWS_SES_PORT" + echo "[$AWS_SES_HOST]:$AWS_SES_PORT $AWS_SES_USERPASS" >> /etc/postfix/sasl_passwd + postconf -e \ + "relayhost = [$AWS_SES_HOST]:$AWS_SES_PORT" \ + "smtp_sasl_auth_enable = yes" \ + "smtp_sasl_security_options = noanonymous" \ + "smtp_sasl_password_maps = texthash:/etc/postfix/sasl_passwd" \ + "smtp_use_tls = yes" \ + "smtp_tls_security_level = encrypt" \ + "smtp_tls_note_starttls_offer = yes" \ + "smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt" + fi +} + + +function _setup_security_stack() { + notify 'task' 'Setting up Security Stack' + + echo "Configuring Spamassassin" + SA_TAG=${SA_TAG:="2.0"} && sed -i -r 's/^\$sa_tag_level_deflt (.*);/\$sa_tag_level_deflt = '$SA_TAG';/g' /etc/amavis/conf.d/20-debian_defaults + SA_TAG2=${SA_TAG2:="6.31"} && sed -i -r 's/^\$sa_tag2_level_deflt (.*);/\$sa_tag2_level_deflt = '$SA_TAG2';/g' /etc/amavis/conf.d/20-debian_defaults + SA_KILL=${SA_KILL:="6.31"} && sed -i -r 's/^\$sa_kill_level_deflt (.*);/\$sa_kill_level_deflt = '$SA_KILL';/g' /etc/amavis/conf.d/20-debian_defaults + test -e /tmp/docker-mailserver/spamassassin-rules.cf && cp /tmp/docker-mailserver/spamassassin-rules.cf /etc/spamassassin/ + + if [ "$ENABLE_FAIL2BAN" = 1 ]; then + echo "Fail2ban enabled" + test -e /tmp/docker-mailserver/fail2ban-jail.cf && cp /tmp/docker-mailserver/fail2ban-jail.cf /etc/fail2ban/jail.local + else + # Disable logrotate config for fail2ban if not enabled + rm -f /etc/logrotate.d/fail2ban + fi + + # Fix cron.daily for spamassassin + sed -i -e 's~invoke-rc.d spamassassin reload~/etc/init\.d/spamassassin reload~g' /etc/cron.daily/spamassassin + + # Copy user provided configuration files if provided + if [ -f /tmp/docker-mailserver/amavis.cf ]; then + cp /tmp/docker-mailserver/amavis.cf /etc/amavis/conf.d/50-user + fi +} + +function _setup_elk_forwarder() { + notify 'task' 'Setting up Elk forwarder' + + ELK_PORT=${ELK_PORT:="5044"} + ELK_HOST=${ELK_HOST:="elk"} + echo "Enabling log forwarding to ELK ($ELK_HOST:$ELK_PORT)" + cat /etc/filebeat/filebeat.yml.tmpl \ + | sed "s@\$ELK_HOST@$ELK_HOST@g" \ + | sed "s@\$ELK_PORT@$ELK_PORT@g" \ + > /etc/filebeat/filebeat.yml +} +########################################################################## +# << Setup Stack +########################################################################## + + +########################################################################## +# >> Fix Stack # -# Aliases +# Description: Place functions for temporary workarounds and fixes here +########################################################################## +function fix() { + notify 'taskgrg' "Starting to fix:" + for _func in "${FUNCS_FIX[@]}";do + $_func + [ $? != 0 ] && defunc + done +} + +function _fix_var_mail_permissions() { + notify 'task' 'Fixing /var/mail permissions' + + # Fix permissions, but skip this if 3 levels deep the user id is already set + if [ `find /var/mail -maxdepth 3 -a \( \! -user 5000 -o \! -group 5000 \) | grep -c .` != 0 ]; then + chown -R 5000:5000 /var/mail + echo "/var/mail permissions fixed" + else + echo "Permissions in /var/mail look OK" + fi +} +########################################################################## +# << Fix Stack +########################################################################## + + +########################################################################## +# >> Misc Stack # -echo -n > /etc/postfix/virtual -echo -n > /etc/postfix/regexp -if [ -f /tmp/docker-mailserver/postfix-virtual.cf ]; then - # Copying virtual file - cp -f /tmp/docker-mailserver/postfix-virtual.cf /etc/postfix/virtual - while read from to - do - # Setting variables for better readability - uname=$(echo ${from} | cut -d @ -f1) - domain=$(echo ${from} | cut -d @ -f2) - # if they are equal it means the line looks like: "user1 other@domain.tld" - test "$uname" != "$domain" && echo ${domain} >> /tmp/vhost.tmp - done < /tmp/docker-mailserver/postfix-virtual.cf -else - echo "==> Warning: 'config/postfix-virtual.cf' is not provided. No mail alias/forward created." -fi -if [ -f /tmp/docker-mailserver/postfix-regexp.cf ]; then - # Copying regexp alias file - echo "Adding regexp alias file postfix-regexp.cf" - cp -f /tmp/docker-mailserver/postfix-regexp.cf /etc/postfix/regexp - sed -i -e '/^virtual_alias_maps/{ - s/ regexp:.*// - s/$/ regexp:\/etc\/postfix\/regexp/ - }' /etc/postfix/main.cf -fi +# Description: Place functions that do not fit in the sections above here +########################################################################## +function misc() { + notify 'taskgrp' 'Starting Misc:' -# DKIM -# Check if keys are already available -if [ -e "/tmp/docker-mailserver/opendkim/KeyTable" ]; then - mkdir -p /etc/opendkim - cp -a /tmp/docker-mailserver/opendkim/* /etc/opendkim/ - echo "DKIM keys added for: `ls -C /etc/opendkim/keys/`" - echo "Changing permissions on /etc/opendkim" - # chown entire directory - chown -R opendkim:opendkim /etc/opendkim/ - # And make sure permissions are right - chmod -R 0700 /etc/opendkim/keys/ -else - echo "No DKIM key provided. Check the documentation to find how to get your keys." -fi + for _func in "${FUNCS_MISC[@]}";do + $_func + [ $? != 0 ] && defunc + done +} -# SSL Configuration -case $SSL_TYPE in - "letsencrypt" ) - # letsencrypt folders and files mounted in /etc/letsencrypt - if [ -e "/etc/letsencrypt/live/$(hostname)/cert.pem" ] \ - && [ -e "/etc/letsencrypt/live/$(hostname)/fullchain.pem" ]; then - KEY="" - if [ -e "/etc/letsencrypt/live/$(hostname)/privkey.pem" ]; then - KEY="privkey" - elif [ -e "/etc/letsencrypt/live/$(hostname)/key.pem" ]; then - KEY="key" - fi - if [ -n "$KEY" ]; then - echo "Adding $(hostname) SSL certificate" +function _misc_save_states() { + # Consolidate all state that should be persisted across container restarts into one mounted + # directory + statedir=/var/mail-state + if [ "$ONE_DIR" = 1 -a -d $statedir ]; then + echo "Consolidating all state onto $statedir" + for d in /var/spool/postfix /var/lib/postfix /var/lib/amavis /var/lib/clamav /var/lib/spamassasin /var/lib/fail2ban; do + dest=$statedir/`echo $d | sed -e 's/.var.//; s/\//-/g'` + if [ -d $dest ]; then + echo " Destination $dest exists, linking $d to it" + rm -rf $d + ln -s $dest $d + elif [ -d $d ]; then + echo " Moving contents of $d to $dest:" `ls $d` + mv $d $dest + ln -s $dest $d + else + echo " Linking $d to $dest" + mkdir -p $dest + ln -s $dest $d + fi + done + fi +} - # Postfix configuration - sed -i -r 's~smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem~smtpd_tls_cert_file=/etc/letsencrypt/live/'$(hostname)'/fullchain.pem~g' /etc/postfix/main.cf - sed -i -r 's~smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key~smtpd_tls_key_file=/etc/letsencrypt/live/'$(hostname)'/'"$KEY"'\.pem~g' /etc/postfix/main.cf - # Dovecot configuration - sed -i -e 's~ssl_cert = > Start Daemons +########################################################################## +function start_daemons() { + notify 'taskgrp' 'Starting Daemons' - echo "SSL configured with 'letsencrypt' certificates" + for _func in "${DAEMONS_START[@]}";do + $_func + [ $? != 0 ] && defunc + done +} - fi - fi - ;; +function _start_daemons_sys() { + notify 'task' 'Starting Cron' + cron - "custom" ) - # Adding CA signed SSL certificate if provided in 'postfix/ssl' folder - if [ -e "/tmp/docker-mailserver/ssl/$(hostname)-full.pem" ]; then - echo "Adding $(hostname) SSL certificate" - mkdir -p /etc/postfix/ssl - cp "/tmp/docker-mailserver/ssl/$(hostname)-full.pem" /etc/postfix/ssl + notify 'task' 'Starting rsyslog' + /etc/init.d/rsyslog start +} - # Postfix configuration - sed -i -r 's~smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem~smtpd_tls_cert_file=/etc/postfix/ssl/'$(hostname)'-full.pem~g' /etc/postfix/main.cf - sed -i -r 's~smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key~smtpd_tls_key_file=/etc/postfix/ssl/'$(hostname)'-full.pem~g' /etc/postfix/main.cf +function _start_daemons_saslauthd() { + notify "task" "Starting saslauthd" + /etc/init.d/saslauthd start +} - # Dovecot configuration - sed -i -e 's~ssl_cert = /etc/postfix/vhost && rm /tmp/vhost.tmp -fi + # > temporary workaround to passe integration test + return 0 +} +########################################################################## +# << Start Daemons +########################################################################## -# PERMIT_DOCKER Option -container_ip=$(ip addr show eth0 | grep 'inet ' | sed 's/[^0-9\.\/]*//g' | cut -d '/' -f 1) -container_network="$(echo $container_ip | cut -d '.' -f1-2).0.0" -case $PERMIT_DOCKER in - "host" ) - echo "Adding $container_network/16 to my networks" - postconf -e "$(postconf | grep '^mynetworks =') $container_network/16" - bash -c "echo $container_network/16 >> /etc/opendmarc/ignore.hosts" - bash -c "echo $container_network/16 >> /etc/opendkim/TrustedHosts" - ;; - "network" ) - echo "Adding docker network in my networks" - postconf -e "$(postconf | grep '^mynetworks =') 172.16.0.0/12" - bash -c "echo 172.16.0.0/12 >> /etc/opendmarc/ignore.hosts" - bash -c "echo 172.16.0.0/12 >> /etc/opendkim/TrustedHosts" - ;; - * ) - echo "Adding container ip in my networks" - postconf -e "$(postconf | grep '^mynetworks =') $container_ip/32" - bash -c "echo $container_ip/32 >> /etc/opendmarc/ignore.hosts" - bash -c "echo $container_ip/32 >> /etc/opendkim/TrustedHosts" - ;; -esac -# -# Override Postfix configuration -# -if [ -f /tmp/docker-mailserver/postfix-main.cf ]; then - while read line; do - postconf -e "$line" - done < /tmp/docker-mailserver/postfix-main.cf - echo "Loaded 'config/postfix-main.cf'" -else - echo "No extra postfix settings loaded because optional '/tmp/docker-mailserver/postfix-main.cf' not provided." -fi +# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +# ! CARE --> DON'T CHANGE, unless you exactly know what you are doing +# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +# >> -# Support general SASL password -rm -f /etc/postfix/sasl_passwd -if [ ! -z "$SASL_PASSWD" ]; then - echo "$SASL_PASSWD" >> /etc/postfix/sasl_passwd -fi -# Support outgoing email relay via Amazon SES -if [ ! -z "$AWS_SES_HOST" -a ! -z "$AWS_SES_USERPASS" ]; then - if [ -z "$AWS_SES_PORT" ];then - AWS_SES_PORT=25 - fi - echo "Setting up outgoing email via AWS SES host $AWS_SES_HOST:$AWS_SES_PORT" - echo "[$AWS_SES_HOST]:$AWS_SES_PORT $AWS_SES_USERPASS" >> /etc/postfix/sasl_passwd - postconf -e \ - "relayhost = [$AWS_SES_HOST]:$AWS_SES_PORT" \ - "smtp_sasl_auth_enable = yes" \ - "smtp_sasl_security_options = noanonymous" \ - "smtp_sasl_password_maps = texthash:/etc/postfix/sasl_passwd" \ - "smtp_use_tls = yes" \ - "smtp_tls_security_level = encrypt" \ - "smtp_tls_note_starttls_offer = yes" \ - "smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt" -fi +register_functions -# Install SASL passwords -if [ -f /etc/postfix/sasl_passwd ]; then - chown root:root /etc/postfix/sasl_passwd - chmod 0600 /etc/postfix/sasl_passwd - echo "Loaded SASL_PASSWD" -else - echo "==> Warning: 'SASL_PASSWD' is not provided. /etc/postfix/sasl_passwd not created." -fi +check +setup +fix +misc +start_daemons -# Fix permissions, but skip this if 3 levels deep the user id is already set -if [ `find /var/mail -maxdepth 3 -a \( \! -user 5000 -o \! -group 5000 \) | grep -c .` != 0 ]; then - echo "Fixing /var/mail permissions" - chown -R 5000:5000 /var/mail -else - echo "Permissions in /var/mail look OK" -fi - -echo "Creating /etc/mailname" -echo $(hostname -d) > /etc/mailname - -echo "Configuring Spamassassin" -SA_TAG=${SA_TAG:="2.0"} && sed -i -r 's/^\$sa_tag_level_deflt (.*);/\$sa_tag_level_deflt = '$SA_TAG';/g' /etc/amavis/conf.d/20-debian_defaults -SA_TAG2=${SA_TAG2:="6.31"} && sed -i -r 's/^\$sa_tag2_level_deflt (.*);/\$sa_tag2_level_deflt = '$SA_TAG2';/g' /etc/amavis/conf.d/20-debian_defaults -SA_KILL=${SA_KILL:="6.31"} && sed -i -r 's/^\$sa_kill_level_deflt (.*);/\$sa_kill_level_deflt = '$SA_KILL';/g' /etc/amavis/conf.d/20-debian_defaults -test -e /tmp/docker-mailserver/spamassassin-rules.cf && cp /tmp/docker-mailserver/spamassassin-rules.cf /etc/spamassassin/ - -if [ "$ENABLE_FAIL2BAN" = 1 ]; then - echo "Fail2ban enabled" - test -e /tmp/docker-mailserver/fail2ban-jail.cf && cp /tmp/docker-mailserver/fail2ban-jail.cf /etc/fail2ban/jail.local -else - # Disable logrotate config for fail2ban if not enabled - rm -f /etc/logrotate.d/fail2ban -fi - -# Fix cron.daily for spamassassin -sed -i -e 's~invoke-rc.d spamassassin reload~/etc/init\.d/spamassassin reload~g' /etc/cron.daily/spamassassin - -# Consolidate all state that should be persisted across container restarts into one mounted -# directory -statedir=/var/mail-state -if [ "$ONE_DIR" = 1 -a -d $statedir ]; then - echo "Consolidating all state onto $statedir" - for d in /var/spool/postfix /var/lib/postfix /var/lib/amavis /var/lib/clamav /var/lib/spamassasin /var/lib/fail2ban; do - dest=$statedir/`echo $d | sed -e 's/.var.//; s/\//-/g'` - if [ -d $dest ]; then - echo " Destination $dest exists, linking $d to it" - rm -rf $d - ln -s $dest $d - elif [ -d $d ]; then - echo " Moving contents of $d to $dest:" `ls $d` - mv $d $dest - ln -s $dest $d - else - echo " Linking $d to $dest" - mkdir -p $dest - ln -s $dest $d - fi - done -fi -if [ "$ENABLE_ELK_FORWARDER" = 1 ]; then -ELK_PORT=${ELK_PORT:="5044"} -ELK_HOST=${ELK_HOST:="elk"} -echo "Enabling log forwarding to ELK ($ELK_HOST:$ELK_PORT)" -cat /etc/filebeat/filebeat.yml.tmpl \ - | sed "s@\$ELK_HOST@$ELK_HOST@g" \ - | sed "s@\$ELK_PORT@$ELK_PORT@g" \ - > /etc/filebeat/filebeat.yml -fi - -echo "Starting daemons" -cron -/etc/init.d/rsyslog start -if [ "$ENABLE_ELK_FORWARDER" = 1 ]; then -/etc/init.d/filebeat start -fi - -# Enable Managesieve service by setting the symlink -# to the configuration file Dovecot will actually find -if [ "$ENABLE_MANAGESIEVE" = 1 ]; then - echo "Sieve management enabled" - mv /etc/dovecot/protocols.d/managesieved.protocol.disab /etc/dovecot/protocols.d/managesieved.protocol -fi - -if [ "$SMTP_ONLY" != 1 ]; then - # Here we are starting sasl and imap, not pop3 because it's disabled by default - echo " * Starting dovecot services" - /usr/sbin/dovecot -c /etc/dovecot/dovecot.conf -fi - -if [ "$ENABLE_POP3" = 1 -a "$SMTP_ONLY" != 1 ]; then - echo "Starting POP3 services" - mv /etc/dovecot/protocols.d/pop3d.protocol.disab /etc/dovecot/protocols.d/pop3d.protocol - /usr/sbin/dovecot reload -fi - -if [ -f /tmp/docker-mailserver/dovecot.cf ]; then - echo 'Adding file "dovecot.cf" to the Dovecot configuration' - cp /tmp/docker-mailserver/dovecot.cf /etc/dovecot/local.conf - /usr/sbin/dovecot reload -fi - -# Enable fetchmail daemon -if [ "$ENABLE_FETCHMAIL" = 1 ]; then - /usr/local/bin/setup-fetchmail - echo "Fetchmail enabled" - /etc/init.d/fetchmail start -fi - -# Start services related to SMTP -if ! [ "$DISABLE_CLAMAV" = 1 ]; then - /etc/init.d/clamav-daemon start -fi - -# Copy user provided configuration files if provided -if [ -f /tmp/docker-mailserver/amavis.cf ]; then - cp /tmp/docker-mailserver/amavis.cf /etc/amavis/conf.d/50-user -fi - -if ! [ "$DISABLE_AMAVIS" = 1 ]; then - /etc/init.d/amavis start -fi -/etc/init.d/opendkim start -/etc/init.d/opendmarc start -/etc/init.d/postfix start - -if [ "$ENABLE_FAIL2BAN" = 1 ]; then - echo "Starting fail2ban service" - touch /var/log/auth.log - /etc/init.d/fail2ban start -fi - -if [ "$ENABLE_SASLAUTHD" = 1 ]; then - /etc/init.d/saslauthd start -fi - -if [ "$SMTP_ONLY" != 1 -a "$ENABLE_LDAP" != 1 ]; then - echo "Listing users" - /usr/sbin/dovecot user '*' -fi - -echo "Starting..." tail -f /var/log/mail/mail.log + + +# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +# ! CARE --> DON'T CHANGE, unless you exactly know what you are doing +# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +# << + +exit 0 From d47cf72650f57a027e456e189af8a31d132a4b6c Mon Sep 17 00:00:00 2001 From: Sylvain Dumont Date: Sat, 17 Dec 2016 10:59:04 +0100 Subject: [PATCH 02/38] use strong tls and ciphers --- target/dovecot/10-ssl.conf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/target/dovecot/10-ssl.conf b/target/dovecot/10-ssl.conf index 8873bc25..f6937d11 100644 --- a/target/dovecot/10-ssl.conf +++ b/target/dovecot/10-ssl.conf @@ -46,13 +46,13 @@ ssl_key = Date: Sat, 17 Dec 2016 21:26:16 +0100 Subject: [PATCH 03/38] Fixes #401 by running update-locale --- Dockerfile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 5098feb3..bbd0fd77 100644 --- a/Dockerfile +++ b/Dockerfile @@ -47,7 +47,8 @@ RUN DEBIAN_FRONTEND=noninteractive apt-get update -q --fix-missing && \ echo "deb http://packages.elastic.co/beats/apt stable main" | tee -a /etc/apt/sources.list.d/beats.list && \ apt-get update -q --fix-missing && apt-get -y upgrade fail2ban filebeat && \ apt-get autoclean && rm -rf /var/lib/apt/lists/* && \ - rm -rf /usr/share/locale/* && rm -rf /usr/share/man/* && rm -rf /usr/share/doc/* + rm -rf /usr/share/locale/* && rm -rf /usr/share/man/* && rm -rf /usr/share/doc/* && \ + update-locale # Enables Clamav RUN (echo "0 0,6,12,18 * * * /usr/bin/freshclam --quiet" ; crontab -l) | crontab - From a9b1686e5787a610ee92d8259a39ab6a1d4557cb Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Sat, 17 Dec 2016 21:53:09 +0100 Subject: [PATCH 04/38] Added test --- test/tests.bats | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/test/tests.bats b/test/tests.bats index dd6ce40c..2fa82550 100644 --- a/test/tests.bats +++ b/test/tests.bats @@ -583,6 +583,11 @@ [ "$status" -eq 1 ] } +@test "checking system: /var/log/auth.log is error free" { + run docker exec mail grep 'Unable to open env file: /etc/default/locale' /var/log/auth.log + [ "$status" -eq 1 ] +} + @test "checking system: sets the server fqdn" { run docker exec mail hostname [ "$status" -eq 0 ] From c7da5583b517aa5c5432214fe673d1276fb372ff Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Sat, 17 Dec 2016 22:04:59 +0100 Subject: [PATCH 05/38] Fixing test --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index bbd0fd77..f13df638 100644 --- a/Dockerfile +++ b/Dockerfile @@ -48,7 +48,7 @@ RUN DEBIAN_FRONTEND=noninteractive apt-get update -q --fix-missing && \ apt-get update -q --fix-missing && apt-get -y upgrade fail2ban filebeat && \ apt-get autoclean && rm -rf /var/lib/apt/lists/* && \ rm -rf /usr/share/locale/* && rm -rf /usr/share/man/* && rm -rf /usr/share/doc/* && \ - update-locale + touch /var/log/auth.log && update-locale # Enables Clamav RUN (echo "0 0,6,12,18 * * * /usr/bin/freshclam --quiet" ; crontab -l) | crontab - From 2707992c442805b9c3c5c7f4561b3e66ad121c13 Mon Sep 17 00:00:00 2001 From: arcaine2 Date: Sun, 18 Dec 2016 13:06:45 +0100 Subject: [PATCH 06/38] Fail2ban fix for restarting container Fail2ban doesn't seems to shutdown cleanly and leaves fail2ban.sock file that prevent it from starting after a container restart. That simple check should do the trick. --- target/start-mailserver.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/target/start-mailserver.sh b/target/start-mailserver.sh index d14175cd..9e8f8efe 100644 --- a/target/start-mailserver.sh +++ b/target/start-mailserver.sh @@ -840,6 +840,10 @@ function _start_daemons_saslauthd() { function _start_daemons_fail2ban() { notify 'task' 'Starting fail2ban' touch /var/log/auth.log + # Delete fail2ban.sock that probably was left here after container restart + if [ -e /var/run/fail2ban/fail2ban.sock ]; then + rm /var/run/fail2ban/fail2ban.sock + fi /etc/init.d/fail2ban start } From 782152f82749573a97825c69ed2ba0475fc7e669 Mon Sep 17 00:00:00 2001 From: alinmear Date: Mon, 19 Dec 2016 13:39:30 +0100 Subject: [PATCH 07/38] Fix Problem with Saslauthd and Postfix master.cf The provided default postfix master.cf overwrites the configs for saslauthd within main.cf. To make saslauthd work, we have to comment or in this case delete the lines from master.cf to make the given configs in main.cf work. --- target/start-mailserver.sh | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/target/start-mailserver.sh b/target/start-mailserver.sh index 9e8f8efe..45aef988 100644 --- a/target/start-mailserver.sh +++ b/target/start-mailserver.sh @@ -442,6 +442,11 @@ log_level: 10 EOF fi + sed -i \ + -e "/^[^#].*smtpd_sasl_type.*/s/^/#/g" \ + -e "/^[^#].*smtpd_sasl_path.*/s/^/#/g" \ + etc/postfix/master.cf + sed -i \ -e "s|^START=.*|START=yes|g" \ -e "s|^MECHANISMS=.*|MECHANISMS="\"$SASLAUTHD_MECHANISMS\""|g" \ From 5d7783753232a2f964e6ee2603c83881384c6a7a Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Wed, 21 Dec 2016 11:34:29 +0100 Subject: [PATCH 08/38] Added travis_wait in config to increase build time to 20min --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 4f945c21..d85c94e7 100644 --- a/.travis.yml +++ b/.travis.yml @@ -6,7 +6,7 @@ sudo: required services: - docker script: -- make all +- travis_wait make all notifications: slack: secure: TTo1z9nbZCWcIdfPwypubNa3y+pwvfgDGlzEVAGEuK7uuIpmEoAcAUNSSPTnbewDGHnDl8t/ml93MtvP+a+IVuAKytMqF39PHyoZO7aUl9J62V+G75OmnyGjXGJm40pQosCS6LzqoRRYXotl9+fwH568Kf4ifXCrMZX1d+ir7Ww= From c5af8d32a95c025c2e52069fec89f96baec2ede5 Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Wed, 21 Dec 2016 11:52:51 +0100 Subject: [PATCH 09/38] Changed configuration in 2 different lines --- .travis.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index d85c94e7..e846c4fc 100644 --- a/.travis.yml +++ b/.travis.yml @@ -6,7 +6,9 @@ sudo: required services: - docker script: -- travis_wait make all +- travis_wait make build-no-cache +- make generate-accounts run fixtures tests clean + notifications: slack: secure: TTo1z9nbZCWcIdfPwypubNa3y+pwvfgDGlzEVAGEuK7uuIpmEoAcAUNSSPTnbewDGHnDl8t/ml93MtvP+a+IVuAKytMqF39PHyoZO7aUl9J62V+G75OmnyGjXGJm40pQosCS6LzqoRRYXotl9+fwH568Kf4ifXCrMZX1d+ir7Ww= From b71a48c33fb61cfd3fc04abf9b601c7f913ffe60 Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Wed, 21 Dec 2016 12:39:28 +0100 Subject: [PATCH 10/38] Refactored config --- .travis.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/.travis.yml b/.travis.yml index e846c4fc..ec3bc887 100644 --- a/.travis.yml +++ b/.travis.yml @@ -5,10 +5,12 @@ language: bash sudo: required services: - docker -script: +install: - travis_wait make build-no-cache -- make generate-accounts run fixtures tests clean - +script: +- make generate-accounts run fixtures tests +after_script: +- make clean notifications: slack: secure: TTo1z9nbZCWcIdfPwypubNa3y+pwvfgDGlzEVAGEuK7uuIpmEoAcAUNSSPTnbewDGHnDl8t/ml93MtvP+a+IVuAKytMqF39PHyoZO7aUl9J62V+G75OmnyGjXGJm40pQosCS6LzqoRRYXotl9+fwH568Kf4ifXCrMZX1d+ir7Ww= From 83c0095e003a1ad7106b2e3783b0aa63d4b7aef6 Mon Sep 17 00:00:00 2001 From: Influencer Date: Wed, 21 Dec 2016 14:12:05 -0500 Subject: [PATCH 11/38] Script to update users password, made test and updated setup.sh (#413) * Added script to update users password, made test and updated setup.sh * Moved update password test to tests.bat * Fixed test for update password --- setup.sh | 5 +++++ target/bin/updatemailuser | 29 +++++++++++++++++++++++++++++ test/tests.bats | 32 ++++++++++++++++++++++++++++++++ 3 files changed, 66 insertions(+) create mode 100755 target/bin/updatemailuser diff --git a/setup.sh b/setup.sh index bfdc9da4..2050d755 100755 --- a/setup.sh +++ b/setup.sh @@ -43,6 +43,7 @@ SUBCOMMANDS: email: $0 email add + $0 email update $0 email del $0 email list @@ -115,6 +116,10 @@ case $1 in shift _docker_image addmailuser $@ ;; + update) + shift + _docker_image updatemailuser + ;; del) shift _docker_image delmailuser $@ diff --git a/target/bin/updatemailuser b/target/bin/updatemailuser new file mode 100755 index 00000000..b97ced1f --- /dev/null +++ b/target/bin/updatemailuser @@ -0,0 +1,29 @@ +#!/bin/bash + +DATABASE=/tmp/docker-mailserver/postfix-accounts.cf + +function usage { + echo 'Usage: updatemailuser [password]' + exit 1 +} + +if [ ! -z "$1" ]; then + USER=$1 + if [ -e "$DATABASE" ] && [ -z "$(grep $USER -i $DATABASE)" ]; then + echo "User doesn't exist" + exit 1 + fi + if [ ! -z "$2" ]; then + PASS="$2" + else + read -s -p "Enter Password: " PASS + if [ -z "$PASS" ]; then + echo "Password can't be empty" + exit 1 + fi + fi + ENTRY=$(echo "$USER|$(doveadm pw -s SHA512-CRYPT -u "$USER" -p "$PASS")") + sed -i.bak "s%^$USER.*%$ENTRY%g" $DATABASE +else + usage +fi diff --git a/test/tests.bats b/test/tests.bats index 2fa82550..88790db4 100644 --- a/test/tests.bats +++ b/test/tests.bats @@ -645,6 +645,27 @@ [ -z "$output" ] } +@test "checking user updating password for user in /tmp/docker-mailserver/postfix-accounts.cf" { + docker exec mail /bin/sh -c "addmailuser user3@domain.tld mypassword" + + initialpass=$(run docker exec mail /bin/sh -c "grep user3@domain.tld -i /tmp/docker-mailserver/postfix-accounts.cf") + sleep 2 + docker exec mail /bin/sh -c "updatemailuser user3@domain.tld mynewpassword" + sleep 2 + changepass=$(run docker exec mail /bin/sh -c "grep user3@domain.tld -i /tmp/docker-mailserver/postfix-accounts.cf") + + if [ initialpass != changepass ]; then + status="0" + else + status="1" + fi + + docker exec mail /bin/sh -c "delmailuser user3@domain.tld" + + [ "$status" -eq 0 ] +} + + @test "checking accounts: listmailuser" { run docker exec mail /bin/sh -c "listmailuser | head -n 1" [ "$status" -eq 0 ] @@ -730,6 +751,17 @@ run ./setup.sh -c mail email list [ "$status" -eq 0 ] } +@test "checking setup.sh: setup.sh email update" { + initialpass=$(cat ./config/postfix-accounts.cf | grep lorem@impsum.org | awk -F '|' '{print $2}') + run ./setup.sh -c mail email update lorem@impsum.org consectetur + updatepass=$(cat ./config/postfix-accounts.cf | grep lorem@impsum.org | awk -F '|' '{print $2}') + if [ initialpass != changepass ]; then + status="0" + else + status="1" + fi + [ "$status" -eq 0 ] +} @test "checking setup.sh: setup.sh email del" { run ./setup.sh -c mail email del lorem@impsum.org [ "$status" -eq 0 ] From 2a15ac619e5d3de81c3ff4d6620c2a3a0f8e4f11 Mon Sep 17 00:00:00 2001 From: Daniele Bellavista Date: Fri, 23 Dec 2016 19:14:02 +0100 Subject: [PATCH 12/38] Secure TLS protocols (#418) --- target/dovecot/10-ssl.conf | 4 ++-- target/postfix/main.cf | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/target/dovecot/10-ssl.conf b/target/dovecot/10-ssl.conf index f6937d11..ef1bfb6e 100644 --- a/target/dovecot/10-ssl.conf +++ b/target/dovecot/10-ssl.conf @@ -46,10 +46,10 @@ ssl_key = Date: Fri, 23 Dec 2016 23:56:39 +0100 Subject: [PATCH 13/38] Improved start-mailserver output (#420) * Improved start-mailserver output * Fixed rework to make tests work again * Improved output and updated SSL certs for LE --- Dockerfile | 3 +- Makefile | 4 +- README.md | 5 + target/start-mailserver.sh | 322 ++++++++++++++++++++++--------------- test/tests.bats | 13 +- 5 files changed, 202 insertions(+), 145 deletions(-) diff --git a/Dockerfile b/Dockerfile index f13df638..089c3a11 100644 --- a/Dockerfile +++ b/Dockerfile @@ -117,8 +117,7 @@ RUN sed -i -r "/^#?compress/c\compress\ncopytruncate" /etc/logrotate.conf && \ sed -i -r 's|/var/log/mail|/var/log/mail/mail|g' /etc/logrotate.d/rsyslog # Get LetsEncrypt signed certificate -RUN curl -s https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem > /etc/ssl/certs/lets-encrypt-x1-cross-signed.pem && \ - curl -s https://letsencrypt.org/certs/lets-encrypt-x2-cross-signed.pem > /etc/ssl/certs/lets-encrypt-x2-cross-signed.pem +RUN curl -s https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > /etc/ssl/certs/lets-encrypt-x3-cross-signed.pem COPY ./target/bin /usr/local/bin # Start-mailserver script diff --git a/Makefile b/Makefile index 1156a37c..29c4d8d8 100644 --- a/Makefile +++ b/Makefile @@ -28,7 +28,8 @@ run: -e VIRUSMAILS_DELETE_DELAY=7 \ -e SASL_PASSWD="external-domain.com username:password" \ -e ENABLE_MANAGESIEVE=1 \ - -e PERMIT_DOCKER=host\ + -e PERMIT_DOCKER=host \ + -e DMS_DEBUG=0 \ -h mail.my-domain.com -t $(NAME) sleep 20 docker run -d --name mail_pop3 \ @@ -36,6 +37,7 @@ run: -v "`pwd`/test":/tmp/docker-mailserver-test \ -v "`pwd`/test/config/letsencrypt":/etc/letsencrypt/live \ -e ENABLE_POP3=1 \ + -e DMS_DEBUG=1 \ -e SSL_TYPE=letsencrypt \ -h mail.my-domain.com -t $(NAME) sleep 20 diff --git a/README.md b/README.md index f3d78ae4..f8a48c3b 100644 --- a/README.md +++ b/README.md @@ -93,6 +93,11 @@ Please check [how the container starts](https://github.com/tomav/docker-mailserv Value in **bold** is the default value. +##### DMS_DEBUG + + - **empty** (0) => Debug disabled + - 1 => Enables debug on startup + ##### ENABLE_POP3 - **empty** => POP3 service disabled diff --git a/target/start-mailserver.sh b/target/start-mailserver.sh index 45aef988..778e4a4a 100644 --- a/target/start-mailserver.sh +++ b/target/start-mailserver.sh @@ -8,6 +8,7 @@ ########################################################################## declare -A DEFAULT_VARS DEFAULT_VARS["VIRUSMAILS_DELETE_DELAY"]="${VIRUSMAILS_DELETE_DELAY:="7"}" +DEFAULT_VARS["DMS_DEBUG"]="${DMS_DEBUG:="0"}" ########################################################################## # << DEFAULT VARS ########################################################################## @@ -34,7 +35,8 @@ DEFAULT_VARS["VIRUSMAILS_DELETE_DELAY"]="${VIRUSMAILS_DELETE_DELAY:="7"}" # Implement them in the section-group: {check,setup,fix,start} ########################################################################## function register_functions() { - notify 'taskgrp' 'Registering check,setup,fix,misc and start-daemons functions' + notify 'taskgrp' 'Initializing setup' + notify 'task' 'Registering check,setup,fix,misc and start-daemons functions' ################### >> check funcs @@ -75,7 +77,10 @@ function register_functions() { _register_setup_function "_setup_security_stack" _register_setup_function "_setup_postfix_aliases" _register_setup_function "_setup_postfix_vhost" - _register_setup_function "_setup_postfix_relay_amazon_ses" + + if [ ! -z "$AWS_SES_HOST" -a ! -z "$AWS_SES_USERPASS" ]; then + _register_setup_function "_setup_postfix_relay_amazon_ses" + fi ################### << setup funcs @@ -93,7 +98,8 @@ function register_functions() { ################### >> daemon funcs - _register_start_daemon "_start_daemons_sys" + _register_start_daemon "_start_daemons_cron" + _register_start_daemon "_start_daemons_rsyslog" if [ "$ENABLE_ELK_FORWARDER" = 1 ]; then _register_start_daemon "_start_daemons_filebeat" @@ -191,45 +197,78 @@ function _register_misc_function() { function notify () { c_red="\e[0;31m" c_green="\e[0;32m" + c_brown="\e[0;33m" c_blue="\e[0;34m" c_bold="\033[1m" c_reset="\e[0m" notification_type=$1 notification_msg=$2 + notification_format=$3 + msg="" case "${notification_type}" in - 'inf') - msg="${c_green} * ${c_reset}${notification_msg}" - ;; - 'err') - msg="${c_red} * ${c_reset}${notification_msg}" - ;; - 'warn') - msg="${c_blue} * ${c_reset}${notification_msg}" - ;; - 'task') - msg=" >>>> ${notification_msg}" - ;; 'taskgrp') msg="${c_bold}${notification_msg}${c_reset}" ;; + 'task') + if [[ ${DEFAULT_VARS["DMS_DEBUG"]} == 1 ]]; then + msg=" ${notification_msg}${c_reset}" + fi + ;; + 'inf') + if [[ ${DEFAULT_VARS["DMS_DEBUG"]} == 1 ]]; then + msg="${c_green} * ${notification_msg}${c_reset}" + fi + ;; + 'started') + msg="${c_green} ${notification_msg}${c_reset}" + ;; + 'warn') + msg="${c_brown} * ${notification_msg}${c_reset}" + ;; + 'err') + msg="${c_red} * ${notification_msg}${c_reset}" + ;; 'fatal') - msg="${c_bold} >>>> ${notification_msg} <<<<${c_reset}" + msg="${c_red}Error: ${notification_msg}${c_reset}" ;; *) msg="" ;; esac - [[ ! -z "${msg}" ]] && echo -e "${msg}" + case "${notification_format}" in + 'n') + options="-ne" + ;; + *) + options="-e" + ;; + esac + + [[ ! -z "${msg}" ]] && echo $options "${msg}" } function defunc() { - notify 'fatal' "Please fix the failures. Exiting ..." + notify 'fatal' "Please fix your configuration. Exiting..." exit 1 } +function display_startup_daemon() { + $1 &>/dev/null + res=$? + if [[ ${DEFAULT_VARS["DMS_DEBUG"]} == 1 ]]; then + if [ $res = 0 ]; then + notify 'started' " [ OK ]" + else + echo "false" + notify 'err' " [ FAILED ]" + fi + fi + return $res +} + # !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! # ! CARE --> DON'T CHANGE, except you know exactly what you are doing # !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! @@ -243,7 +282,7 @@ function defunc() { # Description: Place functions for initial check of container sanity ########################################################################## function check() { - notify 'taskgrp' 'Checking configuration sanity:' + notify 'taskgrp' 'Checking configuration' for _func in "${FUNCS_CHECK[@]}";do $_func [ $? != 0 ] && defunc @@ -253,11 +292,11 @@ function check() { function _check_hostname() { notify "task" "Check that hostname/domainname is provided (no default docker hostname) [$FUNCNAME]" - if ( ! echo $(hostname) | grep -E '^(\S+[.]\S+)$' ); then + if ( ! echo $(hostname) | grep -E '^(\S+[.]\S+)$' > /dev/null ); then notify 'err' "Setting hostname/domainname is required" return 1 else - notify 'inf' "Hostname has been set" + notify 'inf' "Hostname has been set to $(hostname)" return 0 fi } @@ -277,11 +316,9 @@ function _check_environment_variables() { # Description: Place functions for functional configurations here ########################################################################## function setup() { - notify 'taskgrp' 'Setting up the Container:' - + notify 'taskgrp' 'Configuring mail server' for _func in "${FUNCS_SETUP[@]}";do $_func - [ $? != 0 ] && defunc done } @@ -291,14 +328,14 @@ function _setup_default_vars() { for var in ${!DEFAULT_VARS[@]}; do echo "export $var=${DEFAULT_VARS[$var]}" >> /root/.bashrc [ $? != 0 ] && notify 'err' "Unable to set $var=${DEFAULT_VARS[$var]}" && return 1 - notify 'inf' "$var=${DEFAULT_VARS[$var]} set" + notify 'inf' "Set $var=${DEFAULT_VARS[$var]}" done } function _setup_mailname() { notify 'task' 'Setting up Mailname' - echo "Creating /etc/mailname" + notify 'inf' "Creating /etc/mailname" echo $(hostname -d) > /etc/mailname } @@ -317,7 +354,7 @@ function _setup_dovecot() { # Enable Managesieve service by setting the symlink # to the configuration file Dovecot will actually find if [ "$ENABLE_MANAGESIEVE" = 1 ]; then - echo "Sieve management enabled" + notify 'inf' "Sieve management enabled" mv /etc/dovecot/protocols.d/managesieved.protocol.disab /etc/dovecot/protocols.d/managesieved.protocol fi } @@ -327,9 +364,9 @@ function _setup_dovecot_local_user() { echo -n > /etc/postfix/vmailbox echo -n > /etc/dovecot/userdb if [ -f /tmp/docker-mailserver/postfix-accounts.cf -a "$ENABLE_LDAP" != 1 ]; then - echo "Checking file line endings" + notify 'inf' "Checking file line endings" sed -i 's/\r//g' /tmp/docker-mailserver/postfix-accounts.cf - echo "Regenerating postfix 'vmailbox' and 'virtual' for given users" + notify 'inf' "Regenerating postfix user list" echo "# WARNING: this file is auto-generated. Modify config/postfix-accounts.cf to edit user list." > /etc/postfix/vmailbox # Checking that /tmp/docker-mailserver/postfix-accounts.cf ends with a newline @@ -349,7 +386,7 @@ function _setup_dovecot_local_user() { user=$(echo ${login} | cut -d @ -f1) domain=$(echo ${login} | cut -d @ -f2) # Let's go! - echo "user '${user}' for domain '${domain}' with password '********'" + notify 'inf' "user '${user}' for domain '${domain}' with password '********'" echo "${login} ${domain}/${user}/" >> /etc/postfix/vmailbox # User database for dovecot has the following format: # user:password:uid:gid:(gecos):home:(shell):extra_fields @@ -370,7 +407,7 @@ function _setup_dovecot_local_user() { echo ${domain} >> /tmp/vhost.tmp done < /tmp/docker-mailserver/postfix-accounts.cf else - echo "==> Warning: 'config/docker-mailserver/postfix-accounts.cf' is not provided. No mail account created." + notify 'warn' "'config/docker-mailserver/postfix-accounts.cf' is not provided. No mail account created." fi } @@ -384,7 +421,7 @@ function _setup_ldap() { /etc/postfix/ldap-${i}.cf done - echo "Configuring dovecot LDAP authentification" + notify 'inf' "Configuring dovecot LDAP authentification" sed -i -e 's|^hosts.*|hosts = '${LDAP_SERVER_HOST:="mail.domain.com"}'|g' \ -e 's|^base.*|base = '${LDAP_SEARCH_BASE:="ou=people,dc=domain,dc=com"}'|g' \ -e 's|^dn\s*=.*|dn = '${LDAP_BIND_DN:="cn=admin,dc=domain,dc=com"}'|g' \ @@ -394,18 +431,18 @@ function _setup_ldap() { # Add domainname to vhost. echo $(hostname -d) >> /tmp/vhost.tmp - echo "Enabling dovecot LDAP authentification" + notify 'inf' "Enabling dovecot LDAP authentification" sed -i -e '/\!include auth-ldap\.conf\.ext/s/^#//' /etc/dovecot/conf.d/10-auth.conf sed -i -e '/\!include auth-passwdfile\.inc/s/^/#/' /etc/dovecot/conf.d/10-auth.conf - echo "Configuring LDAP" + notify 'inf' "Configuring LDAP" [ -f /etc/postfix/ldap-users.cf ] && \ postconf -e "virtual_mailbox_maps = ldap:/etc/postfix/ldap-users.cf" || \ - echo '==> Warning: /etc/postfix/ldap-user.cf not found' + notify 'inf' "==> Warning: /etc/postfix/ldap-user.cf not found" [ -f /etc/postfix/ldap-aliases.cf -a -f /etc/postfix/ldap-groups.cf ] && \ postconf -e "virtual_alias_maps = ldap:/etc/postfix/ldap-aliases.cf, ldap:/etc/postfix/ldap-groups.cf" || \ - echo '==> Warning: /etc/postfix/ldap-aliases.cf or /etc/postfix/ldap-groups.cf not found' + notify 'inf' "==> Warning: /etc/postfix/ldap-aliases.cf or /etc/postfix/ldap-groups.cf not found" [ ! -f /etc/postfix/sasl/smtpd.conf ] && cat > /etc/postfix/sasl/smtpd.conf << EOF pwcheck_method: saslauthd @@ -415,9 +452,9 @@ return 0 } function _setup_saslauthd() { - notify 'task' 'Setting up Saslauthd' + notify 'task' "Setting up Saslauthd" - echo "Configuring Cyrus SASL" + notify 'inf' "Configuring Cyrus SASL" # checking env vars and setting defaults [ -z $SASLAUTHD_MECHANISMS ] && SASLAUTHD_MECHANISMS=pam [ -z $SASLAUTHD_LDAP_SEARCH_BASE ] && SASLAUTHD_MECHANISMS=pam @@ -426,7 +463,7 @@ function _setup_saslauthd() { ([ -z $SASLAUTHD_LDAP_SSL ] || [ $SASLAUTHD_LDAP_SSL == 0 ]) && SASLAUTHD_LDAP_PROTO='ldap://' || SASLAUTHD_LDAP_PROTO='ldaps://' if [ ! -f /etc/saslauthd.conf ]; then - echo "Creating /etc/saslauthd.conf" + notify 'inf' "Creating /etc/saslauthd.conf" cat > /etc/saslauthd.conf << EOF ldap_servers: ${SASLAUTHD_LDAP_PROTO}${SASLAUTHD_LDAP_SERVER} @@ -477,11 +514,11 @@ function _setup_postfix_aliases() { test "$uname" != "$domain" && echo ${domain} >> /tmp/vhost.tmp done < /tmp/docker-mailserver/postfix-virtual.cf else - echo "==> Warning: 'config/postfix-virtual.cf' is not provided. No mail alias/forward created." + notify 'inf' "Warning 'config/postfix-virtual.cf' is not provided. No mail alias/forward created." fi if [ -f /tmp/docker-mailserver/postfix-regexp.cf ]; then # Copying regexp alias file - echo "Adding regexp alias file postfix-regexp.cf" + notify 'inf' "Adding regexp alias file postfix-regexp.cf" cp -f /tmp/docker-mailserver/postfix-regexp.cf /etc/postfix/regexp sed -i -e '/^virtual_alias_maps/{ s/ regexp:.*// @@ -493,18 +530,18 @@ function _setup_postfix_aliases() { function _setup_dkim() { notify 'task' 'Setting up DKIM' + mkdir -p /etc/opendkim && touch /etc/opendkim/SigningTable + # Check if keys are already available if [ -e "/tmp/docker-mailserver/opendkim/KeyTable" ]; then - mkdir -p /etc/opendkim cp -a /tmp/docker-mailserver/opendkim/* /etc/opendkim/ - echo "DKIM keys added for: `ls -C /etc/opendkim/keys/`" - echo "Changing permissions on /etc/opendkim" - # chown entire directory + notify 'inf' "DKIM keys added for: `ls -C /etc/opendkim/keys/`" + notify 'inf' "Changing permissions on /etc/opendkim" chown -R opendkim:opendkim /etc/opendkim/ # And make sure permissions are right chmod -R 0700 /etc/opendkim/keys/ else - echo "No DKIM key provided. Check the documentation to find how to get your keys." + notify 'warn' "No DKIM key provided. Check the documentation to find how to get your keys." fi } @@ -524,7 +561,7 @@ function _setup_ssl() { KEY="key" fi if [ -n "$KEY" ]; then - echo "Adding $(hostname) SSL certificate" + notify 'inf' "Adding $(hostname) SSL certificate" # Postfix configuration sed -i -r 's~smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem~smtpd_tls_cert_file=/etc/letsencrypt/live/'$(hostname)'/fullchain.pem~g' /etc/postfix/main.cf @@ -534,14 +571,14 @@ function _setup_ssl() { sed -i -e 's~ssl_cert = Warning: 'SASL_PASSWD' is not provided. /etc/postfix/sasl_passwd not created." + notify 'inf' "Warning: 'SASL_PASSWD' is not provided. /etc/postfix/sasl_passwd not created." fi } function _setup_postfix_relay_amazon_ses() { notify 'task' 'Setting up Postfix Relay Amazon SES' - - if [ ! -z "$AWS_SES_HOST" -a ! -z "$AWS_SES_USERPASS" ]; then - if [ -z "$AWS_SES_PORT" ];then - AWS_SES_PORT=25 - fi - echo "Setting up outgoing email via AWS SES host $AWS_SES_HOST:$AWS_SES_PORT" - echo "[$AWS_SES_HOST]:$AWS_SES_PORT $AWS_SES_USERPASS" >> /etc/postfix/sasl_passwd - postconf -e \ - "relayhost = [$AWS_SES_HOST]:$AWS_SES_PORT" \ - "smtp_sasl_auth_enable = yes" \ - "smtp_sasl_security_options = noanonymous" \ - "smtp_sasl_password_maps = texthash:/etc/postfix/sasl_passwd" \ - "smtp_use_tls = yes" \ - "smtp_tls_security_level = encrypt" \ - "smtp_tls_note_starttls_offer = yes" \ - "smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt" + if [ -z "$AWS_SES_PORT" ];then + AWS_SES_PORT=25 fi + notify 'inf' "Setting up outgoing email via AWS SES host $AWS_SES_HOST:$AWS_SES_PORT" + echo "[$AWS_SES_HOST]:$AWS_SES_PORT $AWS_SES_USERPASS" >> /etc/postfix/sasl_passwd + postconf -e \ + "relayhost = [$AWS_SES_HOST]:$AWS_SES_PORT" \ + "smtp_sasl_auth_enable = yes" \ + "smtp_sasl_security_options = noanonymous" \ + "smtp_sasl_password_maps = texthash:/etc/postfix/sasl_passwd" \ + "smtp_use_tls = yes" \ + "smtp_tls_security_level = encrypt" \ + "smtp_tls_note_starttls_offer = yes" \ + "smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt" } - function _setup_security_stack() { - notify 'task' 'Setting up Security Stack' + notify 'task' "Setting up Security Stack" - echo "Configuring Spamassassin" + notify 'inf' "Configuring Spamassassin" SA_TAG=${SA_TAG:="2.0"} && sed -i -r 's/^\$sa_tag_level_deflt (.*);/\$sa_tag_level_deflt = '$SA_TAG';/g' /etc/amavis/conf.d/20-debian_defaults SA_TAG2=${SA_TAG2:="6.31"} && sed -i -r 's/^\$sa_tag2_level_deflt (.*);/\$sa_tag2_level_deflt = '$SA_TAG2';/g' /etc/amavis/conf.d/20-debian_defaults SA_KILL=${SA_KILL:="6.31"} && sed -i -r 's/^\$sa_kill_level_deflt (.*);/\$sa_kill_level_deflt = '$SA_KILL';/g' /etc/amavis/conf.d/20-debian_defaults test -e /tmp/docker-mailserver/spamassassin-rules.cf && cp /tmp/docker-mailserver/spamassassin-rules.cf /etc/spamassassin/ if [ "$ENABLE_FAIL2BAN" = 1 ]; then - echo "Fail2ban enabled" + notify 'inf' "Fail2ban enabled" test -e /tmp/docker-mailserver/fail2ban-jail.cf && cp /tmp/docker-mailserver/fail2ban-jail.cf /etc/fail2ban/jail.local else # Disable logrotate config for fail2ban if not enabled @@ -737,7 +766,7 @@ function _setup_elk_forwarder() { ELK_PORT=${ELK_PORT:="5044"} ELK_HOST=${ELK_HOST:="elk"} - echo "Enabling log forwarding to ELK ($ELK_HOST:$ELK_PORT)" + notify 'inf' "Enabling log forwarding to ELK ($ELK_HOST:$ELK_PORT)" cat /etc/filebeat/filebeat.yml.tmpl \ | sed "s@\$ELK_HOST@$ELK_HOST@g" \ | sed "s@\$ELK_PORT@$ELK_PORT@g" \ @@ -754,7 +783,7 @@ function _setup_elk_forwarder() { # Description: Place functions for temporary workarounds and fixes here ########################################################################## function fix() { - notify 'taskgrg' "Starting to fix:" + notify 'taskgrg' "Post-configuration checks..." for _func in "${FUNCS_FIX[@]}";do $_func [ $? != 0 ] && defunc @@ -766,10 +795,10 @@ function _fix_var_mail_permissions() { # Fix permissions, but skip this if 3 levels deep the user id is already set if [ `find /var/mail -maxdepth 3 -a \( \! -user 5000 -o \! -group 5000 \) | grep -c .` != 0 ]; then + notify 'inf' "Fixing /var/mail permissions" chown -R 5000:5000 /var/mail - echo "/var/mail permissions fixed" else - echo "Permissions in /var/mail look OK" + notify 'inf' "Permissions in /var/mail look OK" fi } ########################################################################## @@ -783,11 +812,11 @@ function _fix_var_mail_permissions() { # Description: Place functions that do not fit in the sections above here ########################################################################## function misc() { - notify 'taskgrp' 'Starting Misc:' + notify 'taskgrp' 'Starting Misc' for _func in "${FUNCS_MISC[@]}";do $_func - [ $? != 0 ] && defunc + [ $? != 0 ] && defunc done } @@ -796,19 +825,19 @@ function _misc_save_states() { # directory statedir=/var/mail-state if [ "$ONE_DIR" = 1 -a -d $statedir ]; then - echo "Consolidating all state onto $statedir" + notify 'inf' "Consolidating all state onto $statedir" for d in /var/spool/postfix /var/lib/postfix /var/lib/amavis /var/lib/clamav /var/lib/spamassasin /var/lib/fail2ban; do dest=$statedir/`echo $d | sed -e 's/.var.//; s/\//-/g'` if [ -d $dest ]; then - echo " Destination $dest exists, linking $d to it" + notify 'inf' " Destination $dest exists, linking $d to it" rm -rf $d ln -s $dest $d elif [ -d $d ]; then - echo " Moving contents of $d to $dest:" `ls $d` + notify 'inf' " Moving contents of $d to $dest:" `ls $d` mv $d $dest ln -s $dest $d else - echo " Linking $d to $dest" + notify 'inf' " Linking $d to $dest" mkdir -p $dest ln -s $dest $d fi @@ -821,65 +850,66 @@ function _misc_save_states() { # >> Start Daemons ########################################################################## function start_daemons() { - notify 'taskgrp' 'Starting Daemons' + notify 'taskgrp' 'Starting mail server' for _func in "${DAEMONS_START[@]}";do $_func - [ $? != 0 ] && defunc + [ $? != 0 ] && defunc done } -function _start_daemons_sys() { - notify 'task' 'Starting Cron' - cron +function _start_daemons_cron() { + notify 'task' 'Starting cron' 'n' + display_startup_daemon "cron" +} - notify 'task' 'Starting rsyslog' - /etc/init.d/rsyslog start +function _start_daemons_rsyslog() { + notify 'task' 'Starting rsyslog' 'n' + display_startup_daemon "/etc/init.d/rsyslog start" } function _start_daemons_saslauthd() { - notify "task" "Starting saslauthd" - /etc/init.d/saslauthd start + notify 'task' 'Starting saslauthd' 'n' + display_startup_daemon "/etc/init.d/saslauthd start" } function _start_daemons_fail2ban() { - notify 'task' 'Starting fail2ban' + notify 'task' 'Starting fail2ban' 'n' touch /var/log/auth.log # Delete fail2ban.sock that probably was left here after container restart if [ -e /var/run/fail2ban/fail2ban.sock ]; then rm /var/run/fail2ban/fail2ban.sock fi - /etc/init.d/fail2ban start + display_startup_daemon "/etc/init.d/fail2ban start" } function _start_daemons_opendkim() { - notify 'task' 'Starting opendkim' - /etc/init.d/opendkim start + notify 'task' 'Starting opendkim' 'n' + display_startup_daemon "/etc/init.d/opendkim start" } function _start_daemons_opendmarc() { - notify 'task' 'Starting opendmarc' - /etc/init.d/opendmarc start + notify 'task' 'Starting opendmarc' 'n' + display_startup_daemon "/etc/init.d/opendmarc start" } function _start_daemons_postfix() { - notify 'task' 'Starting postfix' - /etc/init.d/postfix start + notify 'task' 'Starting postfix' 'n' + display_startup_daemon "/etc/init.d/postfix start" } function _start_daemons_dovecot() { # Here we are starting sasl and imap, not pop3 because it's disabled by default - notify 'task' "Starting dovecot services" - /usr/sbin/dovecot -c /etc/dovecot/dovecot.conf + notify 'task' 'Starting dovecot services' 'n' + display_startup_daemon "/usr/sbin/dovecot -c /etc/dovecot/dovecot.conf" if [ "$ENABLE_POP3" = 1 ]; then - echo "Starting POP3 services" + notify 'task' 'Starting pop3 services' 'n' mv /etc/dovecot/protocols.d/pop3d.protocol.disab /etc/dovecot/protocols.d/pop3d.protocol - /usr/sbin/dovecot reload + display_startup_daemon "/usr/sbin/dovecot reload" fi if [ -f /tmp/docker-mailserver/dovecot.cf ]; then - echo 'Adding file "dovecot.cf" to the Dovecot configuration' cp /tmp/docker-mailserver/dovecot.cf /etc/dovecot/local.conf /usr/sbin/dovecot reload fi @@ -895,25 +925,24 @@ function _start_daemons_dovecot() { } function _start_daemons_filebeat() { - notify 'task' 'Starting FileBeat' - /etc/init.d/filebeat start + notify 'task' 'Starting filebeat' 'n' + display_startup_daemon "/etc/init.d/filebeat start" } function _start_daemons_fetchmail() { - notify 'task' 'Starting fetchmail' + notify 'task' 'Starting fetchmail' 'n' /usr/local/bin/setup-fetchmail - echo "Fetchmail enabled" - /etc/init.d/fetchmail start + display_startup_daemon "/etc/init.d/fetchmail start" } function _start_daemons_clamav() { - notify 'task' "Starting clamav" - /etc/init.d/clamav-daemon start + notify 'task' 'Starting clamav' 'n' + display_startup_daemon "/etc/init.d/clamav-daemon start" } function _start_daemons_amavis() { - notify 'task' 'Starting Daemon Amavis' - /etc/init.d/amavis start + notify 'task' 'Starting amavis' 'n' + display_startup_daemon "/etc/init.d/amavis start" # @TODO fix: on integration test of mail_with_ldap amavis fails because of: # Starting amavisd: The value of variable $myhostname is "ldap", but should have been @@ -922,7 +951,7 @@ function _start_daemons_amavis() { # in /etc/amavis/conf.d/05-node_id, or fix what uname(3) provides as a host's # network name! - # > temporary workaround to passe integration test + # > temporary workaround to pass integration test return 0 } ########################################################################## @@ -938,6 +967,24 @@ function _start_daemons_amavis() { # !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! # >> +if [[ ${DEFAULT_VARS["DMS_DEBUG"]} == 1 ]]; then +notify 'taskgrp' "" +notify 'taskgrp' "#" +notify 'taskgrp' "#" +notify 'taskgrp' "# ENV" +notify 'taskgrp' "#" +notify 'taskgrp' "#" +notify 'taskgrp' "" +printenv +fi + +notify 'taskgrp' "" +notify 'taskgrp' "#" +notify 'taskgrp' "#" +notify 'taskgrp' "# docker-mailserver" +notify 'taskgrp' "#" +notify 'taskgrp' "#" +notify 'taskgrp' "" register_functions @@ -947,7 +994,14 @@ fix misc start_daemons -tail -f /var/log/mail/mail.log +notify 'taskgrp' "" +notify 'taskgrp' "#" +notify 'taskgrp' "# $(hostname) is up and running" +notify 'taskgrp' "#" +notify 'taskgrp' "" + + +tail -fn 0 /var/log/mail/mail.log # !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! diff --git a/test/tests.bats b/test/tests.bats index 88790db4..a0811ee1 100644 --- a/test/tests.bats +++ b/test/tests.bats @@ -402,13 +402,8 @@ [ "$status" -eq 0 ] } -@test "checking ssl: lets-encrypt-x1-cross-signed.pem is installed" { - run docker exec mail grep 'BEGIN CERTIFICATE' /etc/ssl/certs/lets-encrypt-x1-cross-signed.pem - [ "$status" -eq 0 ] -} - -@test "checking ssl: lets-encrypt-x2-cross-signed.pem is installed" { - run docker exec mail grep 'BEGIN CERTIFICATE' /etc/ssl/certs/lets-encrypt-x2-cross-signed.pem +@test "checking ssl: lets-encrypt-x3-cross-signed.pem is installed" { + run docker exec mail grep 'BEGIN CERTIFICATE' /etc/ssl/certs/lets-encrypt-x3-cross-signed.pem [ "$status" -eq 0 ] } @@ -483,7 +478,7 @@ # Getting mail_fail2ban container IP MAIL_FAIL2BAN_IP=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' mail_fail2ban) - # Create a container which will send wront authentications and should banned + # Create a container which will send wrong authentications and should banned docker run --name fail-auth-mailer -e MAIL_FAIL2BAN_IP=$MAIL_FAIL2BAN_IP -v "$(pwd)/test":/tmp/docker-mailserver-test -d $(docker inspect --format '{{ .Config.Image }}' mail) tail -f /var/log/faillog docker exec fail-auth-mailer /bin/sh -c 'nc $MAIL_FAIL2BAN_IP 25 < /tmp/docker-mailserver-test/auth/smtp-auth-login-wrong.txt' @@ -577,6 +572,8 @@ [ "$status" -eq 1 ] run docker exec mail grep -i 'permission denied' /var/log/mail/mail.log [ "$status" -eq 1 ] + run docker exec mail grep -i '(!)connect' /var/log/mail/mail.log + [ "$status" -eq 1 ] run docker exec mail_pop3 grep 'non-null host address bits in' /var/log/mail/mail.log [ "$status" -eq 1 ] run docker exec mail_pop3 grep ': error:' /var/log/mail/mail.log From 328661283120da429f33c1b8ddac96428510ac86 Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Sat, 24 Dec 2016 14:24:29 +0100 Subject: [PATCH 14/38] Should fix #426 (#427) --- target/dovecot/10-ssl.conf | 4 ++-- target/postfix/main.cf | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/target/dovecot/10-ssl.conf b/target/dovecot/10-ssl.conf index ef1bfb6e..77f60c5c 100644 --- a/target/dovecot/10-ssl.conf +++ b/target/dovecot/10-ssl.conf @@ -46,10 +46,10 @@ ssl_key = Date: Sat, 24 Dec 2016 14:52:00 +0100 Subject: [PATCH 15/38] Fixes #423 (#428) --- CONTRIBUTING.md | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 CONTRIBUTING.md diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 00000000..e1b107ad --- /dev/null +++ b/CONTRIBUTING.md @@ -0,0 +1,32 @@ +# Contributing + +`docker-mailserver` is OpenSource. That means that you can contribute on enhancements, bug fixing or improving the documentation in the Wiki. + +## Open an issue + +When opening an issue, please provide details use case to let the community reproduce your problem. +Please start the mail server with env `DMS_DEBUG=1` and paste the ouput into the issue. + +## Pull Requests + +#### Project architecture + + ├── config # User: personal configurations + ├── target # Developer: default server configuration, used when building the image + └── test # Developer: integration tests to check that everything keeps working + +#### Development Workflow + +The development workflow is the following: + +- Fork project and clone your fork +- Create a branch using `git checkout -b branch_name` (you can use `issue-xxx` if fixing an existing issue) +- Code :-) +- Add integration tests in `test/tests.bats` +- Use `make` to build image locally and run tests +- Document your improvements +- [Commit](https://help.github.com/articles/closing-issues-via-commit-messages/), push and make a pull-request +- Pull-request is automatically tested on Travis +- When tests are green, your branch is merged into `master` +- `master` is automatically tested on Travis +- Docker builds a new `latest` image From 63cf0f9965ff7c90661baedbb6aff2e9396584fc Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Sun, 25 Dec 2016 15:41:02 +0100 Subject: [PATCH 16/38] Disables clamav config in amavis when DISABLE_CLAMAV=1. Fixes #378 (#431) --- Makefile | 1 + target/start-mailserver.sh | 13 +++++++++++++ test/tests.bats | 19 +++++++++++++++++++ 3 files changed, 33 insertions(+) diff --git a/Makefile b/Makefile index 29c4d8d8..a8e7b8a8 100644 --- a/Makefile +++ b/Makefile @@ -123,6 +123,7 @@ fixtures: docker exec mail /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/existing-catchall-local.txt" docker exec mail /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/sieve-spam-folder.txt" docker exec mail /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/non-existing-user.txt" + docker exec mail_disabled_clamav /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/existing-user.txt" # Wait for mails to be analyzed sleep 10 diff --git a/target/start-mailserver.sh b/target/start-mailserver.sh index 778e4a4a..df24bb1c 100644 --- a/target/start-mailserver.sh +++ b/target/start-mailserver.sh @@ -744,6 +744,19 @@ function _setup_security_stack() { SA_KILL=${SA_KILL:="6.31"} && sed -i -r 's/^\$sa_kill_level_deflt (.*);/\$sa_kill_level_deflt = '$SA_KILL';/g' /etc/amavis/conf.d/20-debian_defaults test -e /tmp/docker-mailserver/spamassassin-rules.cf && cp /tmp/docker-mailserver/spamassassin-rules.cf /etc/spamassassin/ + if [ "$DISABLE_CLAMAV" = 1 ]; then + notify 'inf' "Disabling clamav" + cat > /etc/amavis/conf.d/50-user-security <<- EOM +use strict; +@bypass_virus_checks_maps = (); +$undecipherable_subject_tag = undef; +1; + EOM + else + notify 'inf' "Enabling clamav" + echo "" > /etc/amavis/conf.d/50-user-security + fi + if [ "$ENABLE_FAIL2BAN" = 1 ]; then notify 'inf' "Fail2ban enabled" test -e /tmp/docker-mailserver/fail2ban-jail.cf && cp /tmp/docker-mailserver/fail2ban-jail.cf /etc/fail2ban/jail.local diff --git a/test/tests.bats b/test/tests.bats index a0811ee1..1e3879c5 100644 --- a/test/tests.bats +++ b/test/tests.bats @@ -292,6 +292,25 @@ [ "$status" -eq 0 ] } +# +# clamav +# + +@test "checking clamav: should be listed in amavis when enabled" { + run docker exec mail grep -i 'Found secondary av scanner ClamAV-clamscan' /var/log/mail/mail.log + [ "$status" -eq 0 ] +} + +@test "checking clamav: should not be listed in amavis when disabled" { + run docker exec mail_disabled_clamav grep -i 'Found secondary av scanner ClamAV-clamscan' /var/log/mail/mail.log + [ "$status" -eq 1 ] +} + +@test "checking clamav: should not be called when disabled" { + run docker exec mail_disabled_clamav grep -i 'connect to /var/run/clamav/clamd.ctl failed' /var/log/mail/mail.log + [ "$status" -eq 1 ] +} + # # opendkim # From ae9eaae68ed59a4dbb5ff8f0bc37419c84c48b02 Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Sun, 25 Dec 2016 15:56:35 +0100 Subject: [PATCH 17/38] Empty /etc/aliases to avoid error in log regarding format (we use virtual aliases in this image). (#429) Fixes #425 --- Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/Dockerfile b/Dockerfile index 089c3a11..b9fa1c1b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -102,6 +102,7 @@ RUN sed -i 's/START_DAEMON=no/START_DAEMON=yes/g' /etc/default/fetchmail # Configures Postfix COPY target/postfix/main.cf target/postfix/master.cf /etc/postfix/ +RUN echo "" > /etc/aliases # Configuring Logs RUN sed -i -r "/^#?compress/c\compress\ncopytruncate" /etc/logrotate.conf && \ From df752280e0aad08e0603ac91c6ac58fea0f792b0 Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Sun, 25 Dec 2016 22:54:37 +0100 Subject: [PATCH 18/38] BREAKING CHANGES: (#432) * Removed DISABLE_AMAVIS * Renamed DISABLE_* to ENABLE_* with 0 as default value. (this must be explicit) * Added missing tests for ENABLE_* * Improved readme and docker-compose example Should fix #256 and #386 --- Makefile | 36 ++++++++---------- README.md | 75 ++++++++++++++++++++++++++------------ docker-compose.yml.dist | 9 ++++- target/start-mailserver.sh | 55 ++++++++++++++++++---------- test/tests.bats | 23 +++++++----- 5 files changed, 124 insertions(+), 74 deletions(-) diff --git a/Makefile b/Makefile index a8e7b8a8..a8022d1c 100644 --- a/Makefile +++ b/Makefile @@ -22,6 +22,8 @@ run: -v "`pwd`/test/config":/tmp/docker-mailserver \ -v "`pwd`/test":/tmp/docker-mailserver-test \ -v "`pwd`/test/onedir":/var/mail-state \ + -e ENABLE_CLAMAV=1 \ + -e ENABLE_SPAMASSASSIN=1 \ -e SA_TAG=1.0 \ -e SA_TAG2=2.0 \ -e SA_KILL=3.0 \ @@ -31,7 +33,7 @@ run: -e PERMIT_DOCKER=host \ -e DMS_DEBUG=0 \ -h mail.my-domain.com -t $(NAME) - sleep 20 + sleep 15 docker run -d --name mail_pop3 \ -v "`pwd`/test/config":/tmp/docker-mailserver \ -v "`pwd`/test":/tmp/docker-mailserver-test \ @@ -40,40 +42,35 @@ run: -e DMS_DEBUG=1 \ -e SSL_TYPE=letsencrypt \ -h mail.my-domain.com -t $(NAME) - sleep 20 + sleep 15 docker run -d --name mail_smtponly \ -v "`pwd`/test/config":/tmp/docker-mailserver \ -v "`pwd`/test":/tmp/docker-mailserver-test \ -e SMTP_ONLY=1 \ -e PERMIT_DOCKER=network\ -h mail.my-domain.com -t $(NAME) - sleep 20 + sleep 15 docker run -d --name mail_fail2ban \ -v "`pwd`/test/config":/tmp/docker-mailserver \ -v "`pwd`/test":/tmp/docker-mailserver-test \ -e ENABLE_FAIL2BAN=1 \ --cap-add=NET_ADMIN \ -h mail.my-domain.com -t $(NAME) - sleep 20 + sleep 15 docker run -d --name mail_fetchmail \ -v "`pwd`/test/config":/tmp/docker-mailserver \ -v "`pwd`/test":/tmp/docker-mailserver-test \ -e ENABLE_FETCHMAIL=1 \ --cap-add=NET_ADMIN \ -h mail.my-domain.com -t $(NAME) - sleep 20 - docker run -d --name mail_disabled_amavis \ + sleep 15 + docker run -d --name mail_disabled_clamav_spamassassin \ -v "`pwd`/test/config":/tmp/docker-mailserver \ -v "`pwd`/test":/tmp/docker-mailserver-test \ - -e DISABLE_AMAVIS=1 \ + -e ENABLE_CLAMAV=0 \ + -e ENABLE_SPAMASSASSIN=0 \ -h mail.my-domain.com -t $(NAME) - sleep 20 - docker run -d --name mail_disabled_clamav \ - -v "`pwd`/test/config":/tmp/docker-mailserver \ - -v "`pwd`/test":/tmp/docker-mailserver-test \ - -e DISABLE_CLAMAV=1 \ - -h mail.my-domain.com -t $(NAME) - sleep 20 + sleep 15 docker run -d --name mail_manual_ssl \ -v "`pwd`/test/config":/tmp/docker-mailserver \ -v "`pwd`/test":/tmp/docker-mailserver-test \ @@ -81,11 +78,11 @@ run: -e SSL_CERT_PATH=/tmp/docker-mailserver/letsencrypt/mail.my-domain.com/fullchain.pem \ -e SSL_KEY_PATH=/tmp/docker-mailserver/letsencrypt/mail.my-domain.com/privkey.pem \ -h mail.my-domain.com -t $(NAME) - sleep 20 + sleep 15 docker run -d --name ldap_for_mail \ -e LDAP_DOMAIN="localhost.localdomain" \ -h mail.my-domain.com -t ldap - sleep 20 + sleep 15 docker run -d --name mail_with_ldap \ -v "`pwd`/test/config":/tmp/docker-mailserver \ -v "`pwd`/test":/tmp/docker-mailserver-test \ @@ -103,7 +100,7 @@ run: --link ldap_for_mail:ldap \ -h mail.my-domain.com -t $(NAME) # Wait for containers to fully start - sleep 20 + sleep 15 fixtures: cp config/postfix-accounts.cf config/postfix-accounts.cf.bak @@ -123,7 +120,7 @@ fixtures: docker exec mail /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/existing-catchall-local.txt" docker exec mail /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/sieve-spam-folder.txt" docker exec mail /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/non-existing-user.txt" - docker exec mail_disabled_clamav /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/existing-user.txt" + docker exec mail_disabled_clamav_spamassassin /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/existing-user.txt" # Wait for mails to be analyzed sleep 10 @@ -140,8 +137,7 @@ clean: mail_fail2ban \ mail_fetchmail \ fail-auth-mailer \ - mail_disabled_amavis \ - mail_disabled_clamav \ + mail_disabled_clamav_spamassassin \ mail_manual_ssl \ ldap_for_mail \ mail_with_ldap diff --git a/README.md b/README.md index f8a48c3b..1788669e 100644 --- a/README.md +++ b/README.md @@ -20,6 +20,7 @@ Includes: - fetchmail - basic [sieve support](https://github.com/tomav/docker-mailserver/wiki/Configure-Sieve-filters) using dovecot - [LetsEncrypt](https://letsencrypt.org/) and self-signed certificates +- persistent data and state (but think about backups!) - [integration tests](https://travis-ci.org/tomav/docker-mailserver) - [automated builds on docker hub](https://hub.docker.com/r/tvial/docker-mailserver/) @@ -42,23 +43,33 @@ version: '2' services: mail: - image: tvial/docker-mailserver:latest - # build: . + image: tvial/docker-mailserver:v2.1 hostname: mail domainname: domain.com container_name: mail ports: - - "25:25" - - "143:143" - - "587:587" - - "993:993" + - "25:25" + - "143:143" + - "587:587" + - "993:993" volumes: - - maildata:/var/mail - - ./config/:/tmp/docker-mailserver/ + - maildata:/var/mail + - mailstate:/var/mail-state + - ./config/:/tmp/docker-mailserver/ + environment: + - ENABLE_SPAMASSASSIN=1 + - ENABLE_CLAMAV=1 + - ENABLE_FAIL2BAN=1 + - ONE_DIR=1 + - DMS_DEBUG=0 + cap_add: + - NET_ADMIN volumes: maildata: driver: local + mailstate: + driver: local ``` #### Create your mail accounts @@ -95,9 +106,37 @@ Value in **bold** is the default value. ##### DMS_DEBUG - - **empty** (0) => Debug disabled + - **0** => Debug disabled - 1 => Enables debug on startup +#### ENABLE_CLAMAV + + - **0** => Clamav is disabled + - 1 => Clamav is enabled + +#### ENABLE_SPAMASSASSIN + + - **0** => Spamassassin is disabled + - 1 => Spamassassin is enabled + +##### SA_TAG + + - **2.0** => add spam info headers if at, or above that level + +Note: this spamassassin setting needs `ENABLE_SPAMASSASSIN=1` + +##### SA_TAG2 + + - **6.31** => add 'spam detected' headers at that level + +Note: this spamassassin setting needs `ENABLE_SPAMASSASSIN=1` + +##### SA_KILL + + - **6.31** => triggers spam evasive actions + +Note: this spamassassin setting needs `ENABLE_SPAMASSASSIN=1` + ##### ENABLE_POP3 - **empty** => POP3 service disabled @@ -105,7 +144,7 @@ Value in **bold** is the default value. ##### ENABLE_FAIL2BAN - - **empty** => fail2ban service disabled + - **0** => fail2ban service disabled - 1 => Enables fail2ban service If you enable Fail2Ban, don't forget to add the following lines to your `docker-compose.yml`: @@ -121,7 +160,7 @@ Otherwise, `iptables` won't be able to ban IPs. - 1 => Enables Managesieve on port 4190 ##### ENABLE_FETCHMAIL - - **empty** => `fetchmail` disabled + - **0** => `fetchmail` disabled - 1 => `fetchmail` enabled ##### ENABLE_LDAP @@ -158,21 +197,9 @@ Otherwise, `iptables` won't be able to ban IPs. - **empty** => postmaster@domain.com - => Specify the postmaster address -##### SA_TAG - - - **2.0** => add spam info headers if at, or above that level - -##### SA_TAG2 - - - **6.31** => add 'spam detected' headers at that level - -##### SA_KILL - - - **6.31** => triggers spam evasive actions - ##### ENABLE_SASLAUTHD - - **empty** => `saslauthd` is disabled + - **0** => `saslauthd` is disabled - 1 => `saslauthd` is enabled ##### SASLAUTHD_MECHANISMS diff --git a/docker-compose.yml.dist b/docker-compose.yml.dist index 4eb13770..0666438a 100644 --- a/docker-compose.yml.dist +++ b/docker-compose.yml.dist @@ -2,7 +2,7 @@ version: '2' services: mail: - image: tvial/docker-mailserver:v2 + image: tvial/docker-mailserver:v2.1 hostname: mail domainname: domain.com container_name: mail @@ -13,12 +13,19 @@ services: - "993:993" volumes: - maildata:/var/mail + - mailstate:/var/mail-state - ./config/:/tmp/docker-mailserver/ environment: + - ENABLE_SPAMASSASSIN=1 + - ENABLE_CLAMAV=1 - ENABLE_FAIL2BAN=1 + - ONE_DIR=1 + - DMS_DEBUG=0 cap_add: - NET_ADMIN volumes: maildata: driver: local + mailstate: + driver: local diff --git a/target/start-mailserver.sh b/target/start-mailserver.sh index df24bb1c..cb7afb49 100644 --- a/target/start-mailserver.sh +++ b/target/start-mailserver.sh @@ -7,6 +7,13 @@ # Example: DEFAULT_VARS["KEY"]="VALUE" ########################################################################## declare -A DEFAULT_VARS +DEFAULT_VARS["ENABLE_CLAMAV"]="${ENABLE_CLAMAV:="0"}" +DEFAULT_VARS["ENABLE_SPAMASSASSIN"]="${ENABLE_SPAMASSASSIN:="0"}" +DEFAULT_VARS["ENABLE_FAIL2BAN"]="${ENABLE_FAIL2BAN:="0"}" +DEFAULT_VARS["ENABLE_MANAGESIEVE"]="${ENABLE_MANAGESIEVE:="0"}" +DEFAULT_VARS["ENABLE_FETCHMAIL"]="${ENABLE_FETCHMAIL:="0"}" +DEFAULT_VARS["ENABLE_LDAP"]="${ENABLE_LDAP:="0"}" +DEFAULT_VARS["ENABLE_SASLAUTHD"]="${ENABLE_SASLAUTHD:="0"}" DEFAULT_VARS["VIRUSMAILS_DELETE_DELAY"]="${VIRUSMAILS_DELETE_DELAY:="7"}" DEFAULT_VARS["DMS_DEBUG"]="${DMS_DEBUG:="0"}" ########################################################################## @@ -127,13 +134,11 @@ function register_functions() { _register_start_daemon "_start_daemons_fetchmail" fi - if ! [ "$DISABLE_CLAMAV" = 1 ]; then + if [ "$ENABLE_CLAMAV" = 1 ]; then _register_start_daemon "_start_daemons_clamav" fi - if ! [ "$DISABLE_AMAVIS" = 1 ]; then - _register_start_daemon "_start_daemons_amavis" - fi + _register_start_daemon "_start_daemons_amavis" ################### << daemon funcs } ########################################################################## @@ -738,25 +743,35 @@ function _setup_postfix_relay_amazon_ses() { function _setup_security_stack() { notify 'task' "Setting up Security Stack" - notify 'inf' "Configuring Spamassassin" - SA_TAG=${SA_TAG:="2.0"} && sed -i -r 's/^\$sa_tag_level_deflt (.*);/\$sa_tag_level_deflt = '$SA_TAG';/g' /etc/amavis/conf.d/20-debian_defaults - SA_TAG2=${SA_TAG2:="6.31"} && sed -i -r 's/^\$sa_tag2_level_deflt (.*);/\$sa_tag2_level_deflt = '$SA_TAG2';/g' /etc/amavis/conf.d/20-debian_defaults - SA_KILL=${SA_KILL:="6.31"} && sed -i -r 's/^\$sa_kill_level_deflt (.*);/\$sa_kill_level_deflt = '$SA_KILL';/g' /etc/amavis/conf.d/20-debian_defaults - test -e /tmp/docker-mailserver/spamassassin-rules.cf && cp /tmp/docker-mailserver/spamassassin-rules.cf /etc/spamassassin/ + # recreate auto-generated file + dms_amavis_file="/etc/amavis/conf.d/51-dms_auto_generated" + echo "# WARNING: this file is auto-generated." > $dms_amavis_file + echo "use strict;" >> $dms_amavis_file - if [ "$DISABLE_CLAMAV" = 1 ]; then - notify 'inf' "Disabling clamav" - cat > /etc/amavis/conf.d/50-user-security <<- EOM -use strict; -@bypass_virus_checks_maps = (); -$undecipherable_subject_tag = undef; -1; - EOM - else - notify 'inf' "Enabling clamav" - echo "" > /etc/amavis/conf.d/50-user-security + # Spamassassin + if [ "$ENABLE_SPAMASSASSIN" = 0 ]; then + notify 'warn' "Spamassassin is disabled. You can enable it with 'ENABLE_SPAMASSASSIN=1'" + echo "@bypass_spam_checks_maps = (1);" >> $dms_amavis_file + elif [ "$ENABLE_SPAMASSASSIN" = 1 ]; then + notify 'inf' "Enabling and configuring spamassassin" + SA_TAG=${SA_TAG:="2.0"} && sed -i -r 's/^\$sa_tag_level_deflt (.*);/\$sa_tag_level_deflt = '$SA_TAG';/g' /etc/amavis/conf.d/20-debian_defaults + SA_TAG2=${SA_TAG2:="6.31"} && sed -i -r 's/^\$sa_tag2_level_deflt (.*);/\$sa_tag2_level_deflt = '$SA_TAG2';/g' /etc/amavis/conf.d/20-debian_defaults + SA_KILL=${SA_KILL:="6.31"} && sed -i -r 's/^\$sa_kill_level_deflt (.*);/\$sa_kill_level_deflt = '$SA_KILL';/g' /etc/amavis/conf.d/20-debian_defaults + test -e /tmp/docker-mailserver/spamassassin-rules.cf && cp /tmp/docker-mailserver/spamassassin-rules.cf /etc/spamassassin/ fi + # Clamav + if [ "$ENABLE_CLAMAV" = 0 ]; then + notify 'warn' "Clamav is disabled. You can enable it with 'ENABLE_CLAMAV=1'" + echo "@bypass_virus_checks_maps = (1);" >> $dms_amavis_file + elif [ "$ENABLE_CLAMAV" = 1 ]; then + notify 'inf' "Enabling clamav" + fi + + echo "1; # ensure a defined return" >> $dms_amavis_file + + + # Fail2ban if [ "$ENABLE_FAIL2BAN" = 1 ]; then notify 'inf' "Fail2ban enabled" test -e /tmp/docker-mailserver/fail2ban-jail.cf && cp /tmp/docker-mailserver/fail2ban-jail.cf /etc/fail2ban/jail.local diff --git a/test/tests.bats b/test/tests.bats index 1e3879c5..c9cd111a 100644 --- a/test/tests.bats +++ b/test/tests.bats @@ -56,13 +56,8 @@ [ "$status" -eq 0 ] } -@test "checking process: amavis (amavis disabled by DISABLE_AMAVIS)" { - run docker exec mail_disabled_amavis /bin/bash -c "ps aux --forest | grep -v grep | grep '/usr/sbin/amavisd-new'" - [ "$status" -eq 1 ] -} - -@test "checking process: clamav (clamav disabled by DISABLE_CLAMAV)" { - run docker exec mail_disabled_clamav /bin/bash -c "ps aux --forest | grep -v grep | grep '/usr/sbin/clamd'" +@test "checking process: clamav (clamav disabled by ENABLED_CLAMAV=0)" { + run docker exec mail_disabled_clamav_spamassassin /bin/bash -c "ps aux --forest | grep -v grep | grep '/usr/sbin/clamd'" [ "$status" -eq 1 ] } @@ -274,6 +269,16 @@ # spamassassin # +@test "checking spamassassin: should be listed in amavis when enabled" { + run docker exec mail /bin/sh -c "grep -i 'ANTI-SPAM-SA code' /var/log/mail/mail.log | grep 'NOT loaded'" + [ "$status" -eq 1 ] +} + +@test "checking spamassassin: should not be listed in amavis when disabled" { + run docker exec mail_disabled_clamav_spamassassin /bin/sh -c "grep -i 'ANTI-SPAM-SA code' /var/log/mail/mail.log | grep 'NOT loaded'" + [ "$status" -eq 0 ] +} + @test "checking spamassassin: docker env variables are set correctly (default)" { run docker exec mail_pop3 /bin/sh -c "grep '\$sa_tag_level_deflt' /etc/amavis/conf.d/20-debian_defaults | grep '= 2.0'" [ "$status" -eq 0 ] @@ -302,12 +307,12 @@ } @test "checking clamav: should not be listed in amavis when disabled" { - run docker exec mail_disabled_clamav grep -i 'Found secondary av scanner ClamAV-clamscan' /var/log/mail/mail.log + run docker exec mail_disabled_clamav_spamassassin grep -i 'Found secondary av scanner ClamAV-clamscan' /var/log/mail/mail.log [ "$status" -eq 1 ] } @test "checking clamav: should not be called when disabled" { - run docker exec mail_disabled_clamav grep -i 'connect to /var/run/clamav/clamd.ctl failed' /var/log/mail/mail.log + run docker exec mail_disabled_clamav_spamassassin grep -i 'connect to /var/run/clamav/clamd.ctl failed' /var/log/mail/mail.log [ "$status" -eq 1 ] } From 03a0c92e6fb2387454129193701090ce42472dc2 Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Sun, 25 Dec 2016 23:10:06 +0100 Subject: [PATCH 19/38] Fixed docker version from "v2.1" to "2.1" --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 1788669e..555eccb5 100644 --- a/README.md +++ b/README.md @@ -43,7 +43,7 @@ version: '2' services: mail: - image: tvial/docker-mailserver:v2.1 + image: tvial/docker-mailserver:2.1 hostname: mail domainname: domain.com container_name: mail From 40ae75112b205272a007f722b45c4309faedbf2b Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Tue, 27 Dec 2016 15:55:41 +0100 Subject: [PATCH 20/38] Fixed #437 setting ENABLE_POP3 to 0 by default (#438) --- target/start-mailserver.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/target/start-mailserver.sh b/target/start-mailserver.sh index cb7afb49..a7862537 100644 --- a/target/start-mailserver.sh +++ b/target/start-mailserver.sh @@ -9,6 +9,7 @@ declare -A DEFAULT_VARS DEFAULT_VARS["ENABLE_CLAMAV"]="${ENABLE_CLAMAV:="0"}" DEFAULT_VARS["ENABLE_SPAMASSASSIN"]="${ENABLE_SPAMASSASSIN:="0"}" +DEFAULT_VARS["ENABLE_POP3"]="${ENABLE_POP3:="0"}" DEFAULT_VARS["ENABLE_FAIL2BAN"]="${ENABLE_FAIL2BAN:="0"}" DEFAULT_VARS["ENABLE_MANAGESIEVE"]="${ENABLE_MANAGESIEVE:="0"}" DEFAULT_VARS["ENABLE_FETCHMAIL"]="${ENABLE_FETCHMAIL:="0"}" From de70a155f2a78744360f0c055751081d46fd457a Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Tue, 27 Dec 2016 16:09:16 +0100 Subject: [PATCH 21/38] Fixed Issue #437 (#439) * Also fixed SMTP_ONLY --- target/start-mailserver.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/target/start-mailserver.sh b/target/start-mailserver.sh index a7862537..c7fc4b7b 100644 --- a/target/start-mailserver.sh +++ b/target/start-mailserver.sh @@ -15,6 +15,7 @@ DEFAULT_VARS["ENABLE_MANAGESIEVE"]="${ENABLE_MANAGESIEVE:="0"}" DEFAULT_VARS["ENABLE_FETCHMAIL"]="${ENABLE_FETCHMAIL:="0"}" DEFAULT_VARS["ENABLE_LDAP"]="${ENABLE_LDAP:="0"}" DEFAULT_VARS["ENABLE_SASLAUTHD"]="${ENABLE_SASLAUTHD:="0"}" +DEFAULT_VARS["SMTP_ONLY"]="${SMTP_ONLY:="0"}" DEFAULT_VARS["VIRUSMAILS_DELETE_DELAY"]="${VIRUSMAILS_DELETE_DELAY:="7"}" DEFAULT_VARS["DMS_DEBUG"]="${DMS_DEBUG:="0"}" ########################################################################## From 461c88e6aee0240281389519a3fa0687a53e024a Mon Sep 17 00:00:00 2001 From: Wolfgang Ocker Date: Fri, 30 Dec 2016 20:06:44 +0100 Subject: [PATCH 22/38] Fix mailuser tools (#441) * Add some checks for user name matching in mail user scripts * Fix user matching problems in mail user scripts ** fix matching problems at several places: "delmailuser a@example.com" deletes also user "aa@example.com" "delmailuser a@sub.example.com" deletes also user "a@sub-example.com" ** similar problems when inserting ** refactor and clean up --- target/bin/addmailuser | 51 +++++++++++++++++++++------------------ target/bin/delmailuser | 34 +++++++++++++++----------- target/bin/listmailuser | 21 +++++++--------- target/bin/updatemailuser | 48 ++++++++++++++++++------------------ test/tests.bats | 39 +++++++++++++++++++++++------- 5 files changed, 109 insertions(+), 84 deletions(-) diff --git a/target/bin/addmailuser b/target/bin/addmailuser index f6a29ec6..c9e83d9c 100755 --- a/target/bin/addmailuser +++ b/target/bin/addmailuser @@ -1,29 +1,32 @@ -#!/bin/bash +#! /bin/bash -DATABASE=/tmp/docker-mailserver/postfix-accounts.cf +DATABASE=${DATABASE:-/tmp/docker-mailserver/postfix-accounts.cf} -function usage { - echo 'Usage: addmailuser [password]' - exit 1 +USER="$1" +PASSWD="$2" + +usage() { + echo "Usage: addmailuser []" } -if [ ! -z "$1" ]; then - USER=$1 - if [ -e "$DATABASE" ] && [ ! -z "$(grep $USER -i $DATABASE)" ]; then - echo "User already exists" - exit 1 - fi - if [ ! -z "$2" ]; then - PASS="$2" - else - read -s -p "Enter Password: " PASS - if [ -z "$PASS" ]; then - echo "Password can't be empty" - exit 1 - fi - fi - ENTRY=$(echo "$USER|$(doveadm pw -s SHA512-CRYPT -u "$USER" -p "$PASS")") - echo "$ENTRY" >> $DATABASE -else - usage +errex() { + echo "$@" 1>&2 + exit 1 +} + +escape() { + echo "${1//./\\.}" +} + +[ -z "$USER" ] && { usage; errex "no username specified"; } + +grep -qi "^$(escape "$USER")|" $DATABASE 2>/dev/null && + errex "User \"$USER\" already exists" + +if [ -z "$PASSWD" ]; then + read -s -p "Enter Password: " PASSWD + echo + [ -z "$PASSWD" ] && errex "Password must not be empty" fi + +echo "$USER|$(doveadm pw -s SHA512-CRYPT -u "$USER" -p "$PASSWD")" >>$DATABASE diff --git a/target/bin/delmailuser b/target/bin/delmailuser index 9638b026..e0d5762d 100755 --- a/target/bin/delmailuser +++ b/target/bin/delmailuser @@ -1,18 +1,24 @@ -#!/bin/bash +#! /bin/bash -DATABASE=/tmp/docker-mailserver/postfix-accounts.cf +DATABASE=${DATABASE:-/tmp/docker-mailserver/postfix-accounts.cf} -function usage { - echo "Usage: delmailuser " - exit 1 +USER="$1" + +usage() { + echo "Usage: delmailuser " } -if [ ! -z "$1" ]; then - USER=$1 - if [ -f "$DATABASE" ]; then - ENTRIES=$(grep "$USER" -vi $DATABASE) - echo "$ENTRIES" > $DATABASE - fi -else - usage -fi +errex() { + echo "$@" 1>&2 + exit 1 +} + +escape() { + echo "${1//./\\.}" +} + +[ -z "$USER" ] && { usage; errex "No user specifed"; } +[ -s "$DATABASE" ] || exit 0 + +# XXX $USER must not contain /s and other syntactic characters +sed -i "/^$(escape "$USER")|/d" $DATABASE diff --git a/target/bin/listmailuser b/target/bin/listmailuser index 0004b547..04352a5d 100755 --- a/target/bin/listmailuser +++ b/target/bin/listmailuser @@ -1,16 +1,13 @@ -#! /bin/sh +#! /bin/bash -DATABASE=/tmp/docker-mailserver/postfix-accounts.cf +DATABASE=${DATABASE:-/tmp/docker-mailserver/postfix-accounts.cf} -if [ ! -f "$DATABASE" ]; then - echo "The configuration file 'postfix-accounts.cf' doesn't exist. Until now no email addresses have been added." - exit 1 -fi +errex() { + echo "$@" 1>&2 + exit 1 +} -if [ ! -s "$DATABASE" ]; then - echo "No email addresses have been added." - exit 1 -fi - -cat "$DATABASE" | awk -F '|' '{print $1}' +[ -f $DATABASE ] || errex "No postfix-accounts.cf file" +[ -s $DATABASE ] || errex "Empty postfix-accounts.cf - no users have been added" +awk -F '|' '{ print $1; }' $DATABASE diff --git a/target/bin/updatemailuser b/target/bin/updatemailuser index b97ced1f..a302891c 100755 --- a/target/bin/updatemailuser +++ b/target/bin/updatemailuser @@ -1,29 +1,27 @@ -#!/bin/bash +#! /bin/bash -DATABASE=/tmp/docker-mailserver/postfix-accounts.cf +DATABASE=${DATABASE:-/tmp/docker-mailserver/postfix-accounts.cf} -function usage { - echo 'Usage: updatemailuser [password]' - exit 1 +USER="$1" +PASSWD="$2" + +usage() { + echo "Usage: updatemailuser [password]" } -if [ ! -z "$1" ]; then - USER=$1 - if [ -e "$DATABASE" ] && [ -z "$(grep $USER -i $DATABASE)" ]; then - echo "User doesn't exist" - exit 1 - fi - if [ ! -z "$2" ]; then - PASS="$2" - else - read -s -p "Enter Password: " PASS - if [ -z "$PASS" ]; then - echo "Password can't be empty" - exit 1 - fi - fi - ENTRY=$(echo "$USER|$(doveadm pw -s SHA512-CRYPT -u "$USER" -p "$PASS")") - sed -i.bak "s%^$USER.*%$ENTRY%g" $DATABASE -else - usage -fi +errex() { + echo "$@" 1>&2 + exit 1 +} + +escape() { + echo "${1//./\\.}" +} + +[ -z "$USER" ] && { usage; errex "no username specified"; } + +grep -qi "^$(escape "$USER")|" $DATABASE 2>/dev/null || + errex "User \"$USER\" does not exist" + +delmailuser "$USER" +addmailuser "$USER" "$PASSWD" diff --git a/test/tests.bats b/test/tests.bats index c9cd111a..d1beb76e 100644 --- a/test/tests.bats +++ b/test/tests.bats @@ -565,7 +565,7 @@ } @test "checking amavis: VIRUSMAILS_DELETE_DELAY override works as expected" { - run docker run -ti --rm -e VIRUSMAILS_DELETE_DELAY=2 `docker inspect --format '{{ .Config.Image }}' mail` /bin/bash -c 'echo $VIRUSMAILS_DELETE_DELAY | grep 2' + run docker run -ti --rm -e VIRUSMAILS_DELETE_DELAY=2 `docker inspect --format '{{ .Config.Image }}' mail` /bin/bash -c 'echo $VIRUSMAILS_DELETE_DELAY | grep 2' [ "$status" -eq 0 ] } @@ -653,27 +653,47 @@ @test "checking accounts: user3 should have been added to /tmp/docker-mailserver/postfix-accounts.cf" { docker exec mail /bin/sh -c "addmailuser user3@domain.tld mypassword" - run docker exec mail /bin/sh -c "grep user3@domain.tld -i /tmp/docker-mailserver/postfix-accounts.cf" + run docker exec mail /bin/sh -c "grep '^user3@domain\.tld|' -i /tmp/docker-mailserver/postfix-accounts.cf" [ "$status" -eq 0 ] [ ! -z "$output" ] } -@test "checking accounts: user3 should have been removed from /tmp/docker-mailserver/postfix-accounts.cf" { +@test "checking accounts: auser3 should have been added to /tmp/docker-mailserver/postfix-accounts.cf" { + docker exec mail /bin/sh -c "addmailuser auser3@domain.tld mypassword" + + run docker exec mail /bin/sh -c "grep '^auser3@domain\.tld|' -i /tmp/docker-mailserver/postfix-accounts.cf" + [ "$status" -eq 0 ] + [ ! -z "$output" ] +} + +@test "checking accounts: a.ser3 should have been added to /tmp/docker-mailserver/postfix-accounts.cf" { + docker exec mail /bin/sh -c "addmailuser a.ser3@domain.tld mypassword" + + run docker exec mail /bin/sh -c "grep '^a\.ser3@domain\.tld|' -i /tmp/docker-mailserver/postfix-accounts.cf" + [ "$status" -eq 0 ] + [ ! -z "$output" ] +} + +@test "checking accounts: user3 should have been removed from /tmp/docker-mailserver/postfix-accounts.cf but not auser3" { docker exec mail /bin/sh -c "delmailuser user3@domain.tld" - run docker exec mail /bin/sh -c "grep user3@domain.tld -i /tmp/docker-mailserver/postfix-accounts.cf" + run docker exec mail /bin/sh -c "grep '^user3@domain\.tld' -i /tmp/docker-mailserver/postfix-accounts.cf" [ "$status" -eq 1 ] [ -z "$output" ] + + run docker exec mail /bin/sh -c "grep '^auser3@domain\.tld' -i /tmp/docker-mailserver/postfix-accounts.cf" + [ "$status" -eq 0 ] + [ ! -z "$output" ] } @test "checking user updating password for user in /tmp/docker-mailserver/postfix-accounts.cf" { - docker exec mail /bin/sh -c "addmailuser user3@domain.tld mypassword" + docker exec mail /bin/sh -c "addmailuser user4@domain.tld mypassword" - initialpass=$(run docker exec mail /bin/sh -c "grep user3@domain.tld -i /tmp/docker-mailserver/postfix-accounts.cf") + initialpass=$(run docker exec mail /bin/sh -c "grep '^user4@domain\.tld' -i /tmp/docker-mailserver/postfix-accounts.cf") sleep 2 - docker exec mail /bin/sh -c "updatemailuser user3@domain.tld mynewpassword" + docker exec mail /bin/sh -c "updatemailuser user4@domain.tld mynewpassword" sleep 2 - changepass=$(run docker exec mail /bin/sh -c "grep user3@domain.tld -i /tmp/docker-mailserver/postfix-accounts.cf") + changepass=$(run docker exec mail /bin/sh -c "grep '^user4@domain\.tld' -i /tmp/docker-mailserver/postfix-accounts.cf") if [ initialpass != changepass ]; then status="0" @@ -681,7 +701,7 @@ status="1" fi - docker exec mail /bin/sh -c "delmailuser user3@domain.tld" + docker exec mail /bin/sh -c "delmailuser auser3@domain.tld" [ "$status" -eq 0 ] } @@ -705,6 +725,7 @@ run docker run --rm \ -v "$(pwd)/test/config/without-accounts/":/tmp/docker-mailserver/ \ `docker inspect --format '{{ .Config.Image }}' mail` /bin/sh -c 'addmailuser user3@domain.tld mypassword' + [ "$status" -eq 0 ] run docker run --rm \ -v "$(pwd)/test/config/without-accounts/":/tmp/docker-mailserver/ \ `docker inspect --format '{{ .Config.Image }}' mail` /bin/sh -c 'grep user3@domain.tld -i /tmp/docker-mailserver/postfix-accounts.cf' From fd8ad784d103198069551f75181a8cca1804510d Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Mon, 2 Jan 2017 13:39:46 +0100 Subject: [PATCH 23/38] Fixes #424, suggested by @alinmear (#447) --- target/start-mailserver.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/target/start-mailserver.sh b/target/start-mailserver.sh index c7fc4b7b..e0e1eaa5 100644 --- a/target/start-mailserver.sh +++ b/target/start-mailserver.sh @@ -829,6 +829,7 @@ function _fix_var_mail_permissions() { chown -R 5000:5000 /var/mail else notify 'inf' "Permissions in /var/mail look OK" + return 0 fi } ########################################################################## From 9095ba380352f10024153ea29ee56631979426d9 Mon Sep 17 00:00:00 2001 From: Wolfgang Ocker Date: Tue, 3 Jan 2017 10:55:03 +0100 Subject: [PATCH 24/38] Fix #443 - RIMAP support (#448) * Add unit tests for #443 (rimap auth) * Fix #443 - configure rimap for saslauth * Fix #443 - reuse smtp-auth-login.txt when testing rimap auth --- Makefile | 12 +++++++++++- target/start-mailserver.sh | 16 ++++++++++++++-- test/tests.bats | 27 +++++++++++++++++++++++++++ 3 files changed, 52 insertions(+), 3 deletions(-) diff --git a/Makefile b/Makefile index a8022d1c..f01a1c63 100644 --- a/Makefile +++ b/Makefile @@ -99,6 +99,15 @@ run: -e POSTMASTER_ADDRESS=postmaster@localhost.localdomain \ --link ldap_for_mail:ldap \ -h mail.my-domain.com -t $(NAME) + sleep 15 + docker run -d --name mail_with_imap \ + -v "`pwd`/test/config":/tmp/docker-mailserver \ + -v "`pwd`/test":/tmp/docker-mailserver-test \ + -e ENABLE_SASLAUTHD=1 \ + -e SASLAUTHD_MECHANISMS=rimap \ + -e SASLAUTHD_MECH_OPTIONS=127.0.0.1 \ + -e POSTMASTER_ADDRESS=postmaster@localhost.localdomain \ + -h mail.my-domain.com -t $(NAME) # Wait for containers to fully start sleep 15 @@ -140,7 +149,8 @@ clean: mail_disabled_clamav_spamassassin \ mail_manual_ssl \ ldap_for_mail \ - mail_with_ldap + mail_with_ldap \ + mail_with_imap @if [ -f config/postfix-accounts.cf.bak ]; then\ rm -f config/postfix-accounts.cf ;\ diff --git a/target/start-mailserver.sh b/target/start-mailserver.sh index e0e1eaa5..bbe739a1 100644 --- a/target/start-mailserver.sh +++ b/target/start-mailserver.sh @@ -73,6 +73,7 @@ function register_functions() { if [ "$ENABLE_SASLAUTHD" = 1 ];then _register_setup_function "_setup_saslauthd" + _register_setup_function "_setup_postfix_sasl" fi _register_setup_function "_setup_dkim" @@ -451,11 +452,15 @@ function _setup_ldap() { postconf -e "virtual_alias_maps = ldap:/etc/postfix/ldap-aliases.cf, ldap:/etc/postfix/ldap-groups.cf" || \ notify 'inf' "==> Warning: /etc/postfix/ldap-aliases.cf or /etc/postfix/ldap-groups.cf not found" + return 0 +} + +function _setup_postfix_sasl() { [ ! -f /etc/postfix/sasl/smtpd.conf ] && cat > /etc/postfix/sasl/smtpd.conf << EOF pwcheck_method: saslauthd mech_list: plain login EOF -return 0 + return 0 } function _setup_saslauthd() { @@ -464,7 +469,7 @@ function _setup_saslauthd() { notify 'inf' "Configuring Cyrus SASL" # checking env vars and setting defaults [ -z $SASLAUTHD_MECHANISMS ] && SASLAUTHD_MECHANISMS=pam - [ -z $SASLAUTHD_LDAP_SEARCH_BASE ] && SASLAUTHD_MECHANISMS=pam + [ "$SASLAUTHD_MECHANISMS" = ldap -a -z $SASLAUTHD_LDAP_SEARCH_BASE ] && SASLAUTHD_MECHANISMS=pam [ -z $SASLAUTHD_LDAP_SERVER ] && SASLAUTHD_LDAP_SERVER=localhost [ -z $SASLAUTHD_LDAP_FILTER ] && SASLAUTHD_LDAP_FILTER='(&(uniqueIdentifier=%u)(mailEnabled=TRUE))' ([ -z $SASLAUTHD_LDAP_SSL ] || [ $SASLAUTHD_LDAP_SSL == 0 ]) && SASLAUTHD_LDAP_PROTO='ldap://' || SASLAUTHD_LDAP_PROTO='ldaps://' @@ -496,6 +501,13 @@ EOF -e "s|^MECHANISMS=.*|MECHANISMS="\"$SASLAUTHD_MECHANISMS\""|g" \ -e "s|^MECH_OPTIONS=.*|MECH_OPTIONS="\"$SASLAUTHD_MECH_OPTIONS\""|g" \ /etc/default/saslauthd + + if [ "$SASLAUTHD_MECHANISMS" = rimap ]; then + sed -i \ + -e 's|^OPTIONS="|OPTIONS="-r |g' \ + /etc/default/saslauthd + fi + sed -i \ -e "/smtpd_sasl_path =.*/d" \ -e "/smtpd_sasl_type =.*/d" \ diff --git a/test/tests.bats b/test/tests.bats index d1beb76e..3872111a 100644 --- a/test/tests.bats +++ b/test/tests.bats @@ -66,6 +66,11 @@ [ "$status" -eq 0 ] } +@test "checking process: saslauthd (saslauthd server enabled)" { + run docker exec mail_with_imap /bin/bash -c "ps aux --forest | grep -v grep | grep '/usr/sbin/saslauthd'" + [ "$status" -eq 0 ] +} + # # imap # @@ -881,3 +886,25 @@ run docker exec mail_with_ldap /bin/sh -c "nc -w 5 0.0.0.0 25 < /tmp/docker-mailserver-test/auth/sasl-ldap-smtp-auth.txt | grep 'Authentication successful'" [ "$status" -eq 0 ] } + + +# +# RIMAP +# + +# dovecot +@test "checking dovecot: ldap rimap connection and authentication works" { + run docker exec mail_with_imap /bin/sh -c "nc -w 1 0.0.0.0 143 < /tmp/docker-mailserver-test/auth/imap-auth.txt" + [ "$status" -eq 0 ] +} + +# saslauthd +@test "checking saslauthd: sasl rimap authentication works" { + run docker exec mail_with_imap bash -c "testsaslauthd -u user1@localhost.localdomain -p mypassword" + [ "$status" -eq 0 ] +} + +@test "checking saslauthd: rimap smtp authentication" { + run docker exec mail_with_imap /bin/sh -c "nc -w 5 0.0.0.0 25 < /tmp/docker-mailserver-test/auth/smtp-auth-login.txt | grep 'Authentication successful'" + [ "$status" -eq 0 ] +} From cfd7fde1eafb733835945975fe98fe1d3fad8c37 Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Wed, 4 Jan 2017 10:05:02 +0100 Subject: [PATCH 25/38] Added config information Added information regarding were config files must be mounted. --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 555eccb5..4904c97e 100644 --- a/README.md +++ b/README.md @@ -38,6 +38,8 @@ Before you open an issue, please have a look this `README`, the [Wiki](https://g Adapt this file with your FQDN. Install [docker-compose](https://docs.docker.com/compose/) in the version `1.6` or higher. +Your configs must be mounted in `/tmp/docker-mailserver/`. To understand how things work on boot, please have a look to [start-mailserver.sh](https://github.com/tomav/docker-mailserver/blob/master/target/start-mailserver.sh) + ```yaml version: '2' From 9cebc503073b73c9efc35552c38728f5dfe28c38 Mon Sep 17 00:00:00 2001 From: Bogdan Date: Wed, 4 Jan 2017 10:09:03 +0100 Subject: [PATCH 26/38] #445: mention the setup.sh convenience script (#453) --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 4904c97e..e9ec0eb3 100644 --- a/README.md +++ b/README.md @@ -94,6 +94,8 @@ Don't forget to adapt MAIL_USER and MAIL_PASS to your needs Now the keys are generated, you can configure your DNS server by just pasting the content of `config/opendkim/keys/domain.tld/mail.txt` in your `domain.tld.hosts` zone. +Note: you can also manage email accounts, DKIM keys and more with the [setup.sh convenience script](https://github.com/tomav/docker-mailserver/wiki/Setup-docker-mailserver-using-the-script-setup.sh). + #### Start the container docker-compose up -d mail From 89aa42d658b615c0087bad051424f25dda34a18e Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Wed, 4 Jan 2017 10:39:43 +0100 Subject: [PATCH 27/38] Added Gitter webhook --- .travis.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.travis.yml b/.travis.yml index ec3bc887..cf62d9bf 100644 --- a/.travis.yml +++ b/.travis.yml @@ -14,3 +14,9 @@ after_script: notifications: slack: secure: TTo1z9nbZCWcIdfPwypubNa3y+pwvfgDGlzEVAGEuK7uuIpmEoAcAUNSSPTnbewDGHnDl8t/ml93MtvP+a+IVuAKytMqF39PHyoZO7aUl9J62V+G75OmnyGjXGJm40pQosCS6LzqoRRYXotl9+fwH568Kf4ifXCrMZX1d+ir7Ww= + webhooks: + urls: + - https://webhooks.gitter.im/e/7c5e56a8257cdec003ab + on_success: always + on_failure: always + on_start: never From 8eb53438cecf01e8c596065606e9b9ce7054ecea Mon Sep 17 00:00:00 2001 From: Guillaume Simon Date: Thu, 5 Jan 2017 09:24:45 +0100 Subject: [PATCH 28/38] Docker tag fix (#455) --- docker-compose.yml.dist | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-compose.yml.dist b/docker-compose.yml.dist index 0666438a..d965a9a6 100644 --- a/docker-compose.yml.dist +++ b/docker-compose.yml.dist @@ -2,7 +2,7 @@ version: '2' services: mail: - image: tvial/docker-mailserver:v2.1 + image: tvial/docker-mailserver:2.1 hostname: mail domainname: domain.com container_name: mail From 0216ce84a25fa0e66ae07e24270a2e7fde50355c Mon Sep 17 00:00:00 2001 From: Dominik Date: Mon, 9 Jan 2017 16:27:20 +0100 Subject: [PATCH 29/38] Fix update in setup.sh (#456) The updatemailuser needs parameters --- setup.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup.sh b/setup.sh index 2050d755..40e29ead 100755 --- a/setup.sh +++ b/setup.sh @@ -118,7 +118,7 @@ case $1 in ;; update) shift - _docker_image updatemailuser + _docker_image updatemailuser $@ ;; del) shift From d4cee677ce655a67b08791f9fa891f0ed6e12141 Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Mon, 9 Jan 2017 17:11:10 +0100 Subject: [PATCH 30/38] ONE_DIR documentation (#460) * Fixes #457 adding information regarding `ONE_DIR` env variable --- README.md | 5 +++++ target/start-mailserver.sh | 3 +-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index e9ec0eb3..b37c8da7 100644 --- a/README.md +++ b/README.md @@ -141,6 +141,11 @@ Note: this spamassassin setting needs `ENABLE_SPAMASSASSIN=1` Note: this spamassassin setting needs `ENABLE_SPAMASSASSIN=1` +##### ONE_DIR + + - **0** => state in default directories + - 1 => consolidate all states into a single directory (`/var/mail-state`) to allow persistence using docker volumes + ##### ENABLE_POP3 - **empty** => POP3 service disabled diff --git a/target/start-mailserver.sh b/target/start-mailserver.sh index bbe739a1..43556b5b 100644 --- a/target/start-mailserver.sh +++ b/target/start-mailserver.sh @@ -864,8 +864,7 @@ function misc() { } function _misc_save_states() { - # Consolidate all state that should be persisted across container restarts into one mounted - # directory + # consolidate all states into a single directory (`/var/mail-state`) to allow persistence using docker volumes statedir=/var/mail-state if [ "$ONE_DIR" = 1 -a -d $statedir ]; then notify 'inf' "Consolidating all state onto $statedir" From 5020ab0a0ffcb1b76e33fe4f2051ae2283298b3b Mon Sep 17 00:00:00 2001 From: Kai Ren Date: Tue, 10 Jan 2017 00:49:46 +0200 Subject: [PATCH 31/38] Convert `$(hostname)` usage to `$(hostname -f)` (#459) * Convert `$(hostname)` usage to `$(hostname -f)` --- Makefile | 2 +- target/start-mailserver.sh | 89 ++++++++++++++++++++++---------------- 2 files changed, 52 insertions(+), 39 deletions(-) diff --git a/Makefile b/Makefile index f01a1c63..6e63ec81 100644 --- a/Makefile +++ b/Makefile @@ -81,7 +81,7 @@ run: sleep 15 docker run -d --name ldap_for_mail \ -e LDAP_DOMAIN="localhost.localdomain" \ - -h mail.my-domain.com -t ldap + -h ldap.my-domain.com -t ldap sleep 15 docker run -d --name mail_with_ldap \ -v "`pwd`/test/config":/tmp/docker-mailserver \ diff --git a/target/start-mailserver.sh b/target/start-mailserver.sh index 43556b5b..f0373eb9 100644 --- a/target/start-mailserver.sh +++ b/target/start-mailserver.sh @@ -22,6 +22,19 @@ DEFAULT_VARS["DMS_DEBUG"]="${DMS_DEBUG:="0"}" # << DEFAULT VARS ########################################################################## +########################################################################## +# >> GLOBAL VARS +# +# add your global script variables here. +# +# Example: KEY="VALUE" +########################################################################## +HOSTNAME="$(hostname -f)" +DOMAINNAME="$(hostname -d)" +########################################################################## +# << GLOBAL VARS +########################################################################## + ########################################################################## # >> REGISTER FUNCTIONS @@ -300,11 +313,11 @@ function check() { function _check_hostname() { notify "task" "Check that hostname/domainname is provided (no default docker hostname) [$FUNCNAME]" - if ( ! echo $(hostname) | grep -E '^(\S+[.]\S+)$' > /dev/null ); then + if ( ! echo $HOSTNAME | grep -E '^(\S+[.]\S+)$' > /dev/null ); then notify 'err' "Setting hostname/domainname is required" return 1 else - notify 'inf' "Hostname has been set to $(hostname)" + notify 'inf' "Hostname has been set to $HOSTNAME" return 0 fi } @@ -344,7 +357,7 @@ function _setup_mailname() { notify 'task' 'Setting up Mailname' notify 'inf' "Creating /etc/mailname" - echo $(hostname -d) > /etc/mailname + echo $DOMAINNAME > /etc/mailname } function _setup_dovecot() { @@ -429,7 +442,7 @@ function _setup_ldap() { /etc/postfix/ldap-${i}.cf done - notify 'inf' "Configuring dovecot LDAP authentification" + notify 'inf' "Configuring dovecot LDAP authentification" sed -i -e 's|^hosts.*|hosts = '${LDAP_SERVER_HOST:="mail.domain.com"}'|g' \ -e 's|^base.*|base = '${LDAP_SEARCH_BASE:="ou=people,dc=domain,dc=com"}'|g' \ -e 's|^dn\s*=.*|dn = '${LDAP_BIND_DN:="cn=admin,dc=domain,dc=com"}'|g' \ @@ -437,7 +450,7 @@ function _setup_ldap() { /etc/dovecot/dovecot-ldap.conf.ext # Add domainname to vhost. - echo $(hostname -d) >> /tmp/vhost.tmp + echo $DOMAINNAME >> /tmp/vhost.tmp notify 'inf' "Enabling dovecot LDAP authentification" sed -i -e '/\!include auth-ldap\.conf\.ext/s/^#//' /etc/dovecot/conf.d/10-auth.conf @@ -571,24 +584,24 @@ function _setup_ssl() { case $SSL_TYPE in "letsencrypt" ) # letsencrypt folders and files mounted in /etc/letsencrypt - if [ -e "/etc/letsencrypt/live/$(hostname)/cert.pem" ] \ - && [ -e "/etc/letsencrypt/live/$(hostname)/fullchain.pem" ]; then + if [ -e "/etc/letsencrypt/live/$HOSTNAME/cert.pem" ] \ + && [ -e "/etc/letsencrypt/live/$HOSTNAME/fullchain.pem" ]; then KEY="" - if [ -e "/etc/letsencrypt/live/$(hostname)/privkey.pem" ]; then + if [ -e "/etc/letsencrypt/live/$HOSTNAME/privkey.pem" ]; then KEY="privkey" - elif [ -e "/etc/letsencrypt/live/$(hostname)/key.pem" ]; then + elif [ -e "/etc/letsencrypt/live/$HOSTNAME/key.pem" ]; then KEY="key" fi if [ -n "$KEY" ]; then - notify 'inf' "Adding $(hostname) SSL certificate" + notify 'inf' "Adding $HOSTNAME SSL certificate" # Postfix configuration - sed -i -r 's~smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem~smtpd_tls_cert_file=/etc/letsencrypt/live/'$(hostname)'/fullchain.pem~g' /etc/postfix/main.cf - sed -i -r 's~smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key~smtpd_tls_key_file=/etc/letsencrypt/live/'$(hostname)'/'"$KEY"'\.pem~g' /etc/postfix/main.cf + sed -i -r 's~smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem~smtpd_tls_cert_file=/etc/letsencrypt/live/'$HOSTNAME'/fullchain.pem~g' /etc/postfix/main.cf + sed -i -r 's~smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key~smtpd_tls_key_file=/etc/letsencrypt/live/'$HOSTNAME'/'"$KEY"'\.pem~g' /etc/postfix/main.cf # Dovecot configuration - sed -i -e 's~ssl_cert = Date: Mon, 9 Jan 2017 23:52:36 +0100 Subject: [PATCH 32/38] Add #394: Postfix Virtual Transport (#461) * Add #394: Postfix Virtual Transport This makes it possible to specify a lmtp config file, by providing POSTFIX_DAGENT. Update - Readme with informations about #394 * Add Variable ENABLE_POSTFIX_VIRTUAL_TRANSPORT (task) * Add Variable POSTFIX_DAGENT (section) Added Unit tests for virtual transport * Fix syntax error in test/tests.bats * Fix Unit Test --- Makefile | 13 +- README.md | 17 + target/start-mailserver.sh | 13 + test/config/dovecot-lmtp/README | 2 + test/config/dovecot-lmtp/conf.d/10-auth.conf | 128 ++++++ .../dovecot-lmtp/conf.d/10-director.conf | 61 +++ .../dovecot-lmtp/conf.d/10-logging.conf | 84 ++++ test/config/dovecot-lmtp/conf.d/10-mail.conf | 374 ++++++++++++++++++ .../config/dovecot-lmtp/conf.d/10-master.conf | 128 ++++++ test/config/dovecot-lmtp/conf.d/10-ssl.conf | 58 +++ .../dovecot-lmtp/conf.d/10-tcpwrapper.conf | 14 + test/config/dovecot-lmtp/conf.d/15-lda.conf | 48 +++ .../dovecot-lmtp/conf.d/15-mailboxes.conf | 50 +++ test/config/dovecot-lmtp/conf.d/20-imap.conf | 61 +++ test/config/dovecot-lmtp/conf.d/20-lmtp.conf | 19 + .../dovecot-lmtp/conf.d/20-managesieve.conf | 73 ++++ test/config/dovecot-lmtp/conf.d/20-pop3.conf | 98 +++++ test/config/dovecot-lmtp/conf.d/90-acl.conf | 19 + .../config/dovecot-lmtp/conf.d/90-plugin.conf | 11 + test/config/dovecot-lmtp/conf.d/90-quota.conf | 80 ++++ test/config/dovecot-lmtp/conf.d/90-sieve.conf | 105 +++++ .../conf.d/auth-checkpassword.conf.ext | 21 + .../dovecot-lmtp/conf.d/auth-deny.conf.ext | 15 + .../dovecot-lmtp/conf.d/auth-ldap.conf.ext | 33 ++ .../dovecot-lmtp/conf.d/auth-master.conf.ext | 16 + .../conf.d/auth-passwdfile.conf.ext | 20 + .../dovecot-lmtp/conf.d/auth-passwdfile.inc | 21 + .../dovecot-lmtp/conf.d/auth-sql.conf.ext | 30 ++ .../dovecot-lmtp/conf.d/auth-static.conf.ext | 24 ++ .../dovecot-lmtp/conf.d/auth-system.conf.ext | 74 ++++ .../conf.d/auth-vpopmail.conf.ext | 17 + .../dovecot-lmtp/dovecot-dict-sql.conf.ext | 41 ++ .../config/dovecot-lmtp/dovecot-ldap.conf.ext | 10 + test/config/dovecot-lmtp/dovecot-sql.conf.ext | 139 +++++++ test/config/dovecot-lmtp/dovecot.conf | 105 +++++ test/config/dovecot-lmtp/dovecot.pem | 22 ++ test/config/dovecot-lmtp/local.conf | 1 + test/config/dovecot-lmtp/private/dovecot.pem | 28 ++ .../dovecot-lmtp/protocols.d/imapd.protocol | 1 + .../dovecot-lmtp/protocols.d/lmtpd.protocol | 1 + .../protocols.d/managesieved.protocol.disab | 1 + .../protocols.d/pop3d.protocol.disab | 1 + test/config/dovecot-lmtp/userdb | 2 + test/tests.bats | 15 +- 44 files changed, 2092 insertions(+), 2 deletions(-) create mode 100644 test/config/dovecot-lmtp/README create mode 100644 test/config/dovecot-lmtp/conf.d/10-auth.conf create mode 100644 test/config/dovecot-lmtp/conf.d/10-director.conf create mode 100644 test/config/dovecot-lmtp/conf.d/10-logging.conf create mode 100644 test/config/dovecot-lmtp/conf.d/10-mail.conf create mode 100644 test/config/dovecot-lmtp/conf.d/10-master.conf create mode 100644 test/config/dovecot-lmtp/conf.d/10-ssl.conf create mode 100644 test/config/dovecot-lmtp/conf.d/10-tcpwrapper.conf create mode 100644 test/config/dovecot-lmtp/conf.d/15-lda.conf create mode 100644 test/config/dovecot-lmtp/conf.d/15-mailboxes.conf create mode 100644 test/config/dovecot-lmtp/conf.d/20-imap.conf create mode 100644 test/config/dovecot-lmtp/conf.d/20-lmtp.conf create mode 100644 test/config/dovecot-lmtp/conf.d/20-managesieve.conf create mode 100644 test/config/dovecot-lmtp/conf.d/20-pop3.conf create mode 100644 test/config/dovecot-lmtp/conf.d/90-acl.conf create mode 100644 test/config/dovecot-lmtp/conf.d/90-plugin.conf create mode 100644 test/config/dovecot-lmtp/conf.d/90-quota.conf create mode 100644 test/config/dovecot-lmtp/conf.d/90-sieve.conf create mode 100644 test/config/dovecot-lmtp/conf.d/auth-checkpassword.conf.ext create mode 100644 test/config/dovecot-lmtp/conf.d/auth-deny.conf.ext create mode 100644 test/config/dovecot-lmtp/conf.d/auth-ldap.conf.ext create mode 100644 test/config/dovecot-lmtp/conf.d/auth-master.conf.ext create mode 100644 test/config/dovecot-lmtp/conf.d/auth-passwdfile.conf.ext create mode 100644 test/config/dovecot-lmtp/conf.d/auth-passwdfile.inc create mode 100644 test/config/dovecot-lmtp/conf.d/auth-sql.conf.ext create mode 100644 test/config/dovecot-lmtp/conf.d/auth-static.conf.ext create mode 100644 test/config/dovecot-lmtp/conf.d/auth-system.conf.ext create mode 100644 test/config/dovecot-lmtp/conf.d/auth-vpopmail.conf.ext create mode 100644 test/config/dovecot-lmtp/dovecot-dict-sql.conf.ext create mode 100644 test/config/dovecot-lmtp/dovecot-ldap.conf.ext create mode 100644 test/config/dovecot-lmtp/dovecot-sql.conf.ext create mode 100644 test/config/dovecot-lmtp/dovecot.conf create mode 100644 test/config/dovecot-lmtp/dovecot.pem create mode 100644 test/config/dovecot-lmtp/local.conf create mode 100644 test/config/dovecot-lmtp/private/dovecot.pem create mode 100644 test/config/dovecot-lmtp/protocols.d/imapd.protocol create mode 100644 test/config/dovecot-lmtp/protocols.d/lmtpd.protocol create mode 100644 test/config/dovecot-lmtp/protocols.d/managesieved.protocol.disab create mode 100644 test/config/dovecot-lmtp/protocols.d/pop3d.protocol.disab create mode 100644 test/config/dovecot-lmtp/userdb diff --git a/Makefile b/Makefile index 6e63ec81..980f4927 100644 --- a/Makefile +++ b/Makefile @@ -110,6 +110,14 @@ run: -h mail.my-domain.com -t $(NAME) # Wait for containers to fully start sleep 15 + docker run -d --name mail_lmtp_ip \ + -v "`pwd`/test/config":/tmp/docker-mailserver \ + -v "`pwd`/test/config/dovecot-lmtp":/etc/dovecot \ + -v "`pwd`/test":/tmp/docker-mailserver-test \ + -e ENABLE_POSTFIX_VIRTUAL_TRANSPORT=1 \ + -e POSTFIX_DAGENT=lmtp:127.0.0.1:24 \ + -h mail.my-domain.com -t $(NAME) + sleep 15 fixtures: cp config/postfix-accounts.cf config/postfix-accounts.cf.bak @@ -130,6 +138,8 @@ fixtures: docker exec mail /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/sieve-spam-folder.txt" docker exec mail /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/non-existing-user.txt" docker exec mail_disabled_clamav_spamassassin /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/existing-user.txt" + # postfix virtual transport lmtp + docker exec mail_lmtp_ip /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/existing-user.txt" # Wait for mails to be analyzed sleep 10 @@ -150,7 +160,8 @@ clean: mail_manual_ssl \ ldap_for_mail \ mail_with_ldap \ - mail_with_imap + mail_with_imap \ + mail_lmtp_ip @if [ -f config/postfix-accounts.cf.bak ]; then\ rm -f config/postfix-accounts.cf ;\ diff --git a/README.md b/README.md index b37c8da7..b914071d 100644 --- a/README.md +++ b/README.md @@ -287,3 +287,20 @@ Set different options for mynetworks option (can be overwrite in postfix-main.cf Set how many days a virusmail will stay on the server before being deleted - **empty** => 7 days + + +##### ENABLE_POSTFIX_VIRTUAL_TRANSPORT + +This Option is activating the Usage of POSTFIX_DAGENT to specify a ltmp client different from default dovecot socket. + - **empty** => disabled + - 1 => enabled + +##### POSTFIX_DAGENT + +Enabled by ENABLE_POSTFIX_VIRTUAL_TRANSPORT. Specify the final delivery of postfix + - **empty**: fail + - lmtp:unix:private/dovecot-lmtp (use socket) + - lmtps:inet:: (secure lmtp with starttls, take a look at https://sys4.de/en/blog/2014/11/17/sicheres-lmtp-mit-starttls-in-dovecot/) + - lmtp::2003 (use kopano as mailstore) + - etc. + diff --git a/target/start-mailserver.sh b/target/start-mailserver.sh index f0373eb9..a6b36bfc 100644 --- a/target/start-mailserver.sh +++ b/target/start-mailserver.sh @@ -105,6 +105,10 @@ function register_functions() { _register_setup_function "_setup_postfix_relay_amazon_ses" fi + if [ "$ENABLE_POSTFIX_VIRTUAL_TRANSPORT" = 1 ]; then + _register_setup_function "_setup_postfix_virtual_transport" + fi + ################### << setup funcs ################### >> fix funcs @@ -717,6 +721,15 @@ function _setup_docker_permit() { esac } +function _setup_postfix_virtual_transport() { + notify 'task' 'Setting up Postfix virtual transport' + + [ -z ${POSTFIX_DAGENT} ] && \ + echo "${POSTFIX_DAGENT} not set." && \ + return 1 + postconf -e "virtual_transport = ${POSTFIX_DAGENT}" +} + function _setup_postfix_override_configuration() { notify 'task' 'Setting up Postfix Override configuration' diff --git a/test/config/dovecot-lmtp/README b/test/config/dovecot-lmtp/README new file mode 100644 index 00000000..9dcc22ac --- /dev/null +++ b/test/config/dovecot-lmtp/README @@ -0,0 +1,2 @@ +Configuration files go to this directory. See example configuration files in +/usr/share/doc/dovecot-core/example-config/ diff --git a/test/config/dovecot-lmtp/conf.d/10-auth.conf b/test/config/dovecot-lmtp/conf.d/10-auth.conf new file mode 100644 index 00000000..fd51326d --- /dev/null +++ b/test/config/dovecot-lmtp/conf.d/10-auth.conf @@ -0,0 +1,128 @@ +## +## Authentication processes +## + +# Disable LOGIN command and all other plaintext authentications unless +# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP +# matches the local IP (ie. you're connecting from the same computer), the +# connection is considered secure and plaintext authentication is allowed. +# See also ssl=required setting. +#disable_plaintext_auth = yes + +# Authentication cache size (e.g. 10M). 0 means it's disabled. Note that +# bsdauth, PAM and vpopmail require cache_key to be set for caching to be used. +#auth_cache_size = 0 +# Time to live for cached data. After TTL expires the cached record is no +# longer used, *except* if the main database lookup returns internal failure. +# We also try to handle password changes automatically: If user's previous +# authentication was successful, but this one wasn't, the cache isn't used. +# For now this works only with plaintext authentication. +#auth_cache_ttl = 1 hour +# TTL for negative hits (user not found, password mismatch). +# 0 disables caching them completely. +#auth_cache_negative_ttl = 1 hour + +# Space separated list of realms for SASL authentication mechanisms that need +# them. You can leave it empty if you don't want to support multiple realms. +# Many clients simply use the first one listed here, so keep the default realm +# first. +#auth_realms = + +# Default realm/domain to use if none was specified. This is used for both +# SASL realms and appending @domain to username in plaintext logins. +#auth_default_realm = + +# List of allowed characters in username. If the user-given username contains +# a character not listed in here, the login automatically fails. This is just +# an extra check to make sure user can't exploit any potential quote escaping +# vulnerabilities with SQL/LDAP databases. If you want to allow all characters, +# set this value to empty. +#auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@ + +# Username character translations before it's looked up from databases. The +# value contains series of from -> to characters. For example "#@/@" means +# that '#' and '/' characters are translated to '@'. +#auth_username_translation = + +# Username formatting before it's looked up from databases. You can use +# the standard variables here, eg. %Lu would lowercase the username, %n would +# drop away the domain if it was given, or "%n-AT-%d" would change the '@' into +# "-AT-". This translation is done after auth_username_translation changes. +#auth_username_format = %Lu + +# If you want to allow master users to log in by specifying the master +# username within the normal username string (ie. not using SASL mechanism's +# support for it), you can specify the separator character here. The format +# is then . UW-IMAP uses "*" as the +# separator, so that could be a good choice. +#auth_master_user_separator = + +# Username to use for users logging in with ANONYMOUS SASL mechanism +#auth_anonymous_username = anonymous + +# Maximum number of dovecot-auth worker processes. They're used to execute +# blocking passdb and userdb queries (eg. MySQL and PAM). They're +# automatically created and destroyed as needed. +#auth_worker_max_count = 30 + +# Host name to use in GSSAPI principal names. The default is to use the +# name returned by gethostname(). Use "$ALL" (with quotes) to allow all keytab +# entries. +#auth_gssapi_hostname = + +# Kerberos keytab to use for the GSSAPI mechanism. Will use the system +# default (usually /etc/krb5.keytab) if not specified. You may need to change +# the auth service to run as root to be able to read this file. +#auth_krb5_keytab = + +# Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and +# ntlm_auth helper. +#auth_use_winbind = no + +# Path for Samba's ntlm_auth helper binary. +#auth_winbind_helper_path = /usr/bin/ntlm_auth + +# Time to delay before replying to failed authentications. +#auth_failure_delay = 2 secs + +# Require a valid SSL client certificate or the authentication fails. +#auth_ssl_require_client_cert = no + +# Take the username from client's SSL certificate, using +# X509_NAME_get_text_by_NID() which returns the subject's DN's +# CommonName. +#auth_ssl_username_from_cert = no + +# Space separated list of wanted authentication mechanisms: +# plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey +# gss-spnego +# NOTE: See also disable_plaintext_auth setting. +auth_mechanisms = plain login + +## +## Password and user databases +## + +# +# Password database is used to verify user's password (and nothing more). +# You can have multiple passdbs and userdbs. This is useful if you want to +# allow both system users (/etc/passwd) and virtual users to login without +# duplicating the system users into virtual database. +# +# +# +# User database specifies where mails are located and what user/group IDs +# own them. For single-UID configuration use "static" userdb. +# +# + +#!include auth-deny.conf.ext +#!include auth-master.conf.ext + +#!include auth-system.conf.ext +#!include auth-sql.conf.ext +######!include auth-ldap.conf.ext +!include auth-passwdfile.inc +#!include auth-checkpassword.conf.ext +#!include auth-vpopmail.conf.ext +#!include auth-static.conf.ext diff --git a/test/config/dovecot-lmtp/conf.d/10-director.conf b/test/config/dovecot-lmtp/conf.d/10-director.conf new file mode 100644 index 00000000..31e97e9e --- /dev/null +++ b/test/config/dovecot-lmtp/conf.d/10-director.conf @@ -0,0 +1,61 @@ +## +## Director-specific settings. +## + +# Director can be used by Dovecot proxy to keep a temporary user -> mail server +# mapping. As long as user has simultaneous connections, the user is always +# redirected to the same server. Each proxy server is running its own director +# process, and the directors are communicating the state to each others. +# Directors are mainly useful with NFS-like setups. + +# List of IPs or hostnames to all director servers, including ourself. +# Ports can be specified as ip:port. The default port is the same as +# what director service's inet_listener is using. +#director_servers = + +# List of IPs or hostnames to all backend mail servers. Ranges are allowed +# too, like 10.0.0.10-10.0.0.30. +#director_mail_servers = + +# How long to redirect users to a specific server after it no longer has +# any connections. +#director_user_expire = 15 min + +# TCP/IP port that accepts doveadm connections (instead of director connections) +# If you enable this, you'll also need to add inet_listener for the port. +#director_doveadm_port = 0 + +# How the username is translated before being hashed. Useful values include +# %Ln if user can log in with or without @domain, %Ld if mailboxes are shared +# within domain. +#director_username_hash = %Lu + +# To enable director service, uncomment the modes and assign a port. +service director { + unix_listener login/director { + #mode = 0666 + } + fifo_listener login/proxy-notify { + #mode = 0666 + } + unix_listener director-userdb { + #mode = 0600 + } + inet_listener { + #port = + } +} + +# Enable director for the wanted login services by telling them to +# connect to director socket instead of the default login socket: +service imap-login { + #executable = imap-login director +} +service pop3-login { + #executable = pop3-login director +} + +# Enable director for LMTP proxying: +protocol lmtp { + #auth_socket_path = director-userdb +} diff --git a/test/config/dovecot-lmtp/conf.d/10-logging.conf b/test/config/dovecot-lmtp/conf.d/10-logging.conf new file mode 100644 index 00000000..ddc45cef --- /dev/null +++ b/test/config/dovecot-lmtp/conf.d/10-logging.conf @@ -0,0 +1,84 @@ +## +## Log destination. +## + +# Log file to use for error messages. "syslog" logs to syslog, +# /dev/stderr logs to stderr. +#log_path = syslog + +# Log file to use for informational messages. Defaults to log_path. +#info_log_path = +# Log file to use for debug messages. Defaults to info_log_path. +#debug_log_path = + +# Syslog facility to use if you're logging to syslog. Usually if you don't +# want to use "mail", you'll use local0..local7. Also other standard +# facilities are supported. +#syslog_facility = mail + +## +## Logging verbosity and debugging. +## + +# Log unsuccessful authentication attempts and the reasons why they failed. +auth_verbose = yes + +# In case of password mismatches, log the attempted password. Valid values are +# no, plain and sha1. sha1 can be useful for detecting brute force password +# attempts vs. user simply trying the same password over and over again. +# You can also truncate the value to n chars by appending ":n" (e.g. sha1:6). +auth_verbose_passwords = sha1:6 + +# Even more verbose logging for debugging purposes. Shows for example SQL +# queries. +#auth_debug = no + +# In case of password mismatches, log the passwords and used scheme so the +# problem can be debugged. Enabling this also enables auth_debug. +#auth_debug_passwords = no + +# Enable mail process debugging. This can help you figure out why Dovecot +# isn't finding your mails. +#mail_debug = no + +# Show protocol level SSL errors. +verbose_ssl = no + +# mail_log plugin provides more event logging for mail processes. +plugin { + # Events to log. Also available: flag_change append + #mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename + # Available fields: uid, box, msgid, from, subject, size, vsize, flags + # size and vsize are available only for expunge and copy events. + #mail_log_fields = uid box msgid size +} + +## +## Log formatting. +## + +# Prefix for each line written to log file. % codes are in strftime(3) +# format. +#log_timestamp = "%b %d %H:%M:%S " + +# Space-separated list of elements we want to log. The elements which have +# a non-empty variable value are joined together to form a comma-separated +# string. +#login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c + +# Login log format. %s contains login_log_format_elements string, %$ contains +# the data we want to log. +#login_log_format = %$: %s + +# Log prefix for mail processes. See doc/wiki/Variables.txt for list of +# possible variables you can use. +#mail_log_prefix = "%s(%u): " + +# Format to use for logging mail deliveries. You can use variables: +# %$ - Delivery status message (e.g. "saved to INBOX") +# %m - Message-ID +# %s - Subject +# %f - From address +# %p - Physical size +# %w - Virtual size +#deliver_log_format = msgid=%m: %$ diff --git a/test/config/dovecot-lmtp/conf.d/10-mail.conf b/test/config/dovecot-lmtp/conf.d/10-mail.conf new file mode 100644 index 00000000..da0a13e9 --- /dev/null +++ b/test/config/dovecot-lmtp/conf.d/10-mail.conf @@ -0,0 +1,374 @@ +## +## Mailbox locations and namespaces +## + +# Location for users' mailboxes. The default is empty, which means that Dovecot +# tries to find the mailboxes automatically. This won't work if the user +# doesn't yet have any mail, so you should explicitly tell Dovecot the full +# location. +# +# If you're using mbox, giving a path to the INBOX file (eg. /var/mail/%u) +# isn't enough. You'll also need to tell Dovecot where the other mailboxes are +# kept. This is called the "root mail directory", and it must be the first +# path given in the mail_location setting. +# +# There are a few special variables you can use, eg.: +# +# %u - username +# %n - user part in user@domain, same as %u if there's no domain +# %d - domain part in user@domain, empty if there's no domain +# %h - home directory +# +# See doc/wiki/Variables.txt for full list. Some examples: +# +# mail_location = maildir:~/Maildir +# mail_location = mbox:~/mail:INBOX=/var/mail/%u +# mail_location = mbox:/var/mail/%d/%1n/%n:INDEX=/var/indexes/%d/%1n/%n +# +# +# +mail_location = maildir:/var/mail/%d/%n + +# If you need to set multiple mailbox locations or want to change default +# namespace settings, you can do it by defining namespace sections. +# +# You can have private, shared and public namespaces. Private namespaces +# are for user's personal mails. Shared namespaces are for accessing other +# users' mailboxes that have been shared. Public namespaces are for shared +# mailboxes that are managed by sysadmin. If you create any shared or public +# namespaces you'll typically want to enable ACL plugin also, otherwise all +# users can access all the shared mailboxes, assuming they have permissions +# on filesystem level to do so. +namespace inbox { + # Namespace type: private, shared or public + #type = private + + # Hierarchy separator to use. You should use the same separator for all + # namespaces or some clients get confused. '/' is usually a good one. + # The default however depends on the underlying mail storage format. + #separator = + + # Prefix required to access this namespace. This needs to be different for + # all namespaces. For example "Public/". + #prefix = + + # Physical location of the mailbox. This is in same format as + # mail_location, which is also the default for it. + #location = + + # There can be only one INBOX, and this setting defines which namespace + # has it. + inbox = yes + + # If namespace is hidden, it's not advertised to clients via NAMESPACE + # extension. You'll most likely also want to set list=no. This is mostly + # useful when converting from another server with different namespaces which + # you want to deprecate but still keep working. For example you can create + # hidden namespaces with prefixes "~/mail/", "~%u/mail/" and "mail/". + #hidden = no + + # Show the mailboxes under this namespace with LIST command. This makes the + # namespace visible for clients that don't support NAMESPACE extension. + # "children" value lists child mailboxes, but hides the namespace prefix. + #list = yes + + # Namespace handles its own subscriptions. If set to "no", the parent + # namespace handles them (empty prefix should always have this as "yes") + #subscriptions = yes +} + +# Example shared namespace configuration +#namespace { + #type = shared + #separator = / + + # Mailboxes are visible under "shared/user@domain/" + # %%n, %%d and %%u are expanded to the destination user. + #prefix = shared/%%u/ + + # Mail location for other users' mailboxes. Note that %variables and ~/ + # expands to the logged in user's data. %%n, %%d, %%u and %%h expand to the + # destination user's data. + #location = maildir:%%h/Maildir:INDEX=~/Maildir/shared/%%u + + # Use the default namespace for saving subscriptions. + #subscriptions = no + + # List the shared/ namespace only if there are visible shared mailboxes. + #list = children +#} +# Should shared INBOX be visible as "shared/user" or "shared/user/INBOX"? +#mail_shared_explicit_inbox = no + +# System user and group used to access mails. If you use multiple, userdb +# can override these by returning uid or gid fields. You can use either numbers +# or names. +#mail_uid = +#mail_gid = + +# Group to enable temporarily for privileged operations. Currently this is +# used only with INBOX when either its initial creation or dotlocking fails. +# Typically this is set to "mail" to give access to /var/mail. +mail_privileged_group = docker + +# Grant access to these supplementary groups for mail processes. Typically +# these are used to set up access to shared mailboxes. Note that it may be +# dangerous to set these if users can create symlinks (e.g. if "mail" group is +# set here, ln -s /var/mail ~/mail/var could allow a user to delete others' +# mailboxes, or ln -s /secret/shared/box ~/mail/mybox would allow reading it). +#mail_access_groups = + +# Allow full filesystem access to clients. There's no access checks other than +# what the operating system does for the active UID/GID. It works with both +# maildir and mboxes, allowing you to prefix mailboxes names with eg. /path/ +# or ~user/. +#mail_full_filesystem_access = no + +# Dictionary for key=value mailbox attributes. Currently used by URLAUTH, but +# soon intended to be used by METADATA as well. +#mail_attribute_dict = + +## +## Mail processes +## + +# Don't use mmap() at all. This is required if you store indexes to shared +# filesystems (NFS or clustered filesystem). +#mmap_disable = no + +# Rely on O_EXCL to work when creating dotlock files. NFS supports O_EXCL +# since version 3, so this should be safe to use nowadays by default. +#dotlock_use_excl = yes + +# When to use fsync() or fdatasync() calls: +# optimized (default): Whenever necessary to avoid losing important data +# always: Useful with e.g. NFS when write()s are delayed +# never: Never use it (best performance, but crashes can lose data) +#mail_fsync = optimized + +# Mail storage exists in NFS. Set this to yes to make Dovecot flush NFS caches +# whenever needed. If you're using only a single mail server this isn't needed. +#mail_nfs_storage = no +# Mail index files also exist in NFS. Setting this to yes requires +# mmap_disable=yes and fsync_disable=no. +#mail_nfs_index = no + +# Locking method for index files. Alternatives are fcntl, flock and dotlock. +# Dotlocking uses some tricks which may create more disk I/O than other locking +# methods. NFS users: flock doesn't work, remember to change mmap_disable. +#lock_method = fcntl + +# Directory in which LDA/LMTP temporarily stores incoming mails >128 kB. +#mail_temp_dir = /tmp + +# Valid UID range for users, defaults to 500 and above. This is mostly +# to make sure that users can't log in as daemons or other system users. +# Note that denying root logins is hardcoded to dovecot binary and can't +# be done even if first_valid_uid is set to 0. +#first_valid_uid = 500 +#last_valid_uid = 0 + +# Valid GID range for users, defaults to non-root/wheel. Users having +# non-valid GID as primary group ID aren't allowed to log in. If user +# belongs to supplementary groups with non-valid GIDs, those groups are +# not set. +#first_valid_gid = 1 +#last_valid_gid = 0 + +# Maximum allowed length for mail keyword name. It's only forced when trying +# to create new keywords. +#mail_max_keyword_length = 50 + +# ':' separated list of directories under which chrooting is allowed for mail +# processes (ie. /var/mail will allow chrooting to /var/mail/foo/bar too). +# This setting doesn't affect login_chroot, mail_chroot or auth chroot +# settings. If this setting is empty, "/./" in home dirs are ignored. +# WARNING: Never add directories here which local users can modify, that +# may lead to root exploit. Usually this should be done only if you don't +# allow shell access for users. +#valid_chroot_dirs = + +# Default chroot directory for mail processes. This can be overridden for +# specific users in user database by giving /./ in user's home directory +# (eg. /home/./user chroots into /home). Note that usually there is no real +# need to do chrooting, Dovecot doesn't allow users to access files outside +# their mail directory anyway. If your home directories are prefixed with +# the chroot directory, append "/." to mail_chroot. +#mail_chroot = + +# UNIX socket path to master authentication server to find users. +# This is used by imap (for shared users) and lda. +#auth_socket_path = /var/run/dovecot/auth-userdb + +# Directory where to look up mail plugins. +#mail_plugin_dir = /usr/lib/dovecot/modules + +# Space separated list of plugins to load for all services. Plugins specific to +# IMAP, LDA, etc. are added to this list in their own .conf files. +#mail_plugins = + +## +## Mailbox handling optimizations +## + +# Mailbox list indexes can be used to optimize IMAP STATUS commands. They are +# also required for IMAP NOTIFY extension to be enabled. +#mailbox_list_index = no + +# The minimum number of mails in a mailbox before updates are done to cache +# file. This allows optimizing Dovecot's behavior to do less disk writes at +# the cost of more disk reads. +#mail_cache_min_mail_count = 0 + +# When IDLE command is running, mailbox is checked once in a while to see if +# there are any new mails or other changes. This setting defines the minimum +# time to wait between those checks. Dovecot can also use dnotify, inotify and +# kqueue to find out immediately when changes occur. +#mailbox_idle_check_interval = 30 secs + +# Save mails with CR+LF instead of plain LF. This makes sending those mails +# take less CPU, especially with sendfile() syscall with Linux and FreeBSD. +# But it also creates a bit more disk I/O which may just make it slower. +# Also note that if other software reads the mboxes/maildirs, they may handle +# the extra CRs wrong and cause problems. +#mail_save_crlf = no + +# Max number of mails to keep open and prefetch to memory. This only works with +# some mailbox formats and/or operating systems. +#mail_prefetch_count = 0 + +# How often to scan for stale temporary files and delete them (0 = never). +# These should exist only after Dovecot dies in the middle of saving mails. +#mail_temp_scan_interval = 1w + +## +## Maildir-specific settings +## + +# By default LIST command returns all entries in maildir beginning with a dot. +# Enabling this option makes Dovecot return only entries which are directories. +# This is done by stat()ing each entry, so it causes more disk I/O. +# (For systems setting struct dirent->d_type, this check is free and it's +# done always regardless of this setting) +#maildir_stat_dirs = no + +# When copying a message, do it with hard links whenever possible. This makes +# the performance much better, and it's unlikely to have any side effects. +#maildir_copy_with_hardlinks = yes + +# Assume Dovecot is the only MUA accessing Maildir: Scan cur/ directory only +# when its mtime changes unexpectedly or when we can't find the mail otherwise. +#maildir_very_dirty_syncs = no + +# If enabled, Dovecot doesn't use the S= in the Maildir filenames for +# getting the mail's physical size, except when recalculating Maildir++ quota. +# This can be useful in systems where a lot of the Maildir filenames have a +# broken size. The performance hit for enabling this is very small. +#maildir_broken_filename_sizes = no + +## +## mbox-specific settings +## + +# Which locking methods to use for locking mbox. There are four available: +# dotlock: Create .lock file. This is the oldest and most NFS-safe +# solution. If you want to use /var/mail/ like directory, the users +# will need write access to that directory. +# dotlock_try: Same as dotlock, but if it fails because of permissions or +# because there isn't enough disk space, just skip it. +# fcntl : Use this if possible. Works with NFS too if lockd is used. +# flock : May not exist in all systems. Doesn't work with NFS. +# lockf : May not exist in all systems. Doesn't work with NFS. +# +# You can use multiple locking methods; if you do the order they're declared +# in is important to avoid deadlocks if other MTAs/MUAs are using multiple +# locking methods as well. Some operating systems don't allow using some of +# them simultaneously. +# +# The Debian value for mbox_write_locks differs from upstream Dovecot. It is +# changed to be compliant with Debian Policy (section 11.6) for NFS safety. +# Dovecot: mbox_write_locks = dotlock fcntl +# Debian: mbox_write_locks = fcntl dotlock +# +#mbox_read_locks = fcntl +#mbox_write_locks = fcntl dotlock + +# Maximum time to wait for lock (all of them) before aborting. +#mbox_lock_timeout = 5 mins + +# If dotlock exists but the mailbox isn't modified in any way, override the +# lock file after this much time. +#mbox_dotlock_change_timeout = 2 mins + +# When mbox changes unexpectedly we have to fully read it to find out what +# changed. If the mbox is large this can take a long time. Since the change +# is usually just a newly appended mail, it'd be faster to simply read the +# new mails. If this setting is enabled, Dovecot does this but still safely +# fallbacks to re-reading the whole mbox file whenever something in mbox isn't +# how it's expected to be. The only real downside to this setting is that if +# some other MUA changes message flags, Dovecot doesn't notice it immediately. +# Note that a full sync is done with SELECT, EXAMINE, EXPUNGE and CHECK +# commands. +#mbox_dirty_syncs = yes + +# Like mbox_dirty_syncs, but don't do full syncs even with SELECT, EXAMINE, +# EXPUNGE or CHECK commands. If this is set, mbox_dirty_syncs is ignored. +#mbox_very_dirty_syncs = no + +# Delay writing mbox headers until doing a full write sync (EXPUNGE and CHECK +# commands and when closing the mailbox). This is especially useful for POP3 +# where clients often delete all mails. The downside is that our changes +# aren't immediately visible to other MUAs. +#mbox_lazy_writes = yes + +# If mbox size is smaller than this (e.g. 100k), don't write index files. +# If an index file already exists it's still read, just not updated. +#mbox_min_index_size = 0 + +# Mail header selection algorithm to use for MD5 POP3 UIDLs when +# pop3_uidl_format=%m. For backwards compatibility we use apop3d inspired +# algorithm, but it fails if the first Received: header isn't unique in all +# mails. An alternative algorithm is "all" that selects all headers. +#mbox_md5 = apop3d + +## +## mdbox-specific settings +## + +# Maximum dbox file size until it's rotated. +#mdbox_rotate_size = 2M + +# Maximum dbox file age until it's rotated. Typically in days. Day begins +# from midnight, so 1d = today, 2d = yesterday, etc. 0 = check disabled. +#mdbox_rotate_interval = 0 + +# When creating new mdbox files, immediately preallocate their size to +# mdbox_rotate_size. This setting currently works only in Linux with some +# filesystems (ext4, xfs). +#mdbox_preallocate_space = no + +## +## Mail attachments +## + +# sdbox and mdbox support saving mail attachments to external files, which +# also allows single instance storage for them. Other backends don't support +# this for now. + +# Directory root where to store mail attachments. Disabled, if empty. +#mail_attachment_dir = + +# Attachments smaller than this aren't saved externally. It's also possible to +# write a plugin to disable saving specific attachments externally. +#mail_attachment_min_size = 128k + +# Filesystem backend to use for saving attachments: +# posix : No SiS done by Dovecot (but this might help FS's own deduplication) +# sis posix : SiS with immediate byte-by-byte comparison during saving +# sis-queue posix : SiS with delayed comparison and deduplication +#mail_attachment_fs = sis posix + +# Hash format to use in attachment filenames. You can add any text and +# variables: %{md4}, %{md5}, %{sha1}, %{sha256}, %{sha512}, %{size}. +# Variables can be truncated, e.g. %{sha256:80} returns only first 80 bits +#mail_attachment_hash = %{sha1} diff --git a/test/config/dovecot-lmtp/conf.d/10-master.conf b/test/config/dovecot-lmtp/conf.d/10-master.conf new file mode 100644 index 00000000..55c9de96 --- /dev/null +++ b/test/config/dovecot-lmtp/conf.d/10-master.conf @@ -0,0 +1,128 @@ +#default_process_limit = 100 +#default_client_limit = 1000 + +# Default VSZ (virtual memory size) limit for service processes. This is mainly +# intended to catch and kill processes that leak memory before they eat up +# everything. +#default_vsz_limit = 256M + +# Login user is internally used by login processes. This is the most untrusted +# user in Dovecot system. It shouldn't have access to anything at all. +#default_login_user = dovenull + +# Internal user is used by unprivileged processes. It should be separate from +# login user, so that login processes can't disturb other processes. +#default_internal_user = dovecot + +service imap-login { + inet_listener imap { + #port = 143 + } + inet_listener imaps { + port = 993 + ssl = yes + } + + # Number of connections to handle before starting a new process. Typically + # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0 + # is faster. + #service_count = 1 + + # Number of processes to always keep waiting for more connections. + #process_min_avail = 0 + + # If you set service_count=0, you probably need to grow this. + #vsz_limit = $default_vsz_limit +} + +service pop3-login { + inet_listener pop3 { + #port = 110 + } + inet_listener pop3s { + port = 995 + ssl = yes + } +} + +service lmtp { + unix_listener lmtp { + mode = 0660 + group = postfix + } + + # Create inet listener only if you can't use the above UNIX socket + inet_listener lmtp { + # Avoid making LMTP visible for the entire internet + address = 0.0.0.0 + port = 24 + } +} + +service imap { + # Most of the memory goes to mmap()ing files. You may need to increase this + # limit if you have huge mailboxes. + #vsz_limit = $default_vsz_limit + + # Max. number of IMAP processes (connections) + #process_limit = 1024 +} + +service pop3 { + # Max. number of POP3 processes (connections) + #process_limit = 1024 +} + +service auth { + # auth_socket_path points to this userdb socket by default. It's typically + # used by dovecot-lda, doveadm, possibly imap process, etc. Users that have + # full permissions to this socket are able to get a list of all usernames and + # get the results of everyone's userdb lookups. + # + # The default 0666 mode allows anyone to connect to the socket, but the + # userdb lookups will succeed only if the userdb returns an "uid" field that + # matches the caller process's UID. Also if caller's uid or gid matches the + # socket's uid or gid the lookup succeeds. Anything else causes a failure. + # + # To give the caller full permissions to lookup all users, set the mode to + # something else than 0666 and Dovecot lets the kernel enforce the + # permissions (e.g. 0777 allows everyone full permissions). + unix_listener auth-userdb { + mode = 0666 + user = docker + group = docker + } + + unix_listener auth-master { + mode = 0600 + user = docker + group = docker + } + + # Postfix smtp-auth + unix_listener /var/spool/postfix/private/auth { + mode = 0666 + user = docker + group = docker + } + + # Auth process is run as this user. + #user = $default_internal_user +} + +service auth-worker { + # Auth worker process is run as root by default, so that it can access + # /etc/shadow. If this isn't necessary, the user should be changed to + # $default_internal_user. + #user = root +} + +service dict { + # If dict proxy is used, mail processes should have access to its socket. + # For example: mode=0660, group=vmail and global mail_access_groups=vmail + unix_listener dict { + #mode = 0600 + #user = + #group = + } +} diff --git a/test/config/dovecot-lmtp/conf.d/10-ssl.conf b/test/config/dovecot-lmtp/conf.d/10-ssl.conf new file mode 100644 index 00000000..17e0355e --- /dev/null +++ b/test/config/dovecot-lmtp/conf.d/10-ssl.conf @@ -0,0 +1,58 @@ +## +## SSL settings +## + +# SSL/TLS support: yes, no, required. +ssl = required + +# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before +# dropping root privileges, so keep the key file unreadable by anyone but +# root. Included doc/mkcert.sh can be used to easily generate self-signed +# certificate, just make sure to update the domains in dovecot-openssl.cnf +ssl_cert = . %d expands to recipient domain. +postmaster_address = postmaster@domain.com + +# Hostname to use in various parts of sent mails (e.g. in Message-Id) and +# in LMTP replies. Default is the system's real hostname@domain. +#hostname = + +# If user is over quota, return with temporary failure instead of +# bouncing the mail. +#quota_full_tempfail = no + +# Binary to use for sending mails. +#sendmail_path = /usr/sbin/sendmail + +# If non-empty, send mails via this SMTP host[:port] instead of sendmail. +#submission_host = + +# Subject: header to use for rejection mails. You can use the same variables +# as for rejection_reason below. +#rejection_subject = Rejected: %s + +# Human readable error message for rejection mails. You can use variables: +# %n = CRLF, %r = reason, %s = original subject, %t = recipient +#rejection_reason = Your message to <%t> was automatically rejected:%n%r + +# Delimiter character between local-part and detail in email address. +#recipient_delimiter = + + +# Header where the original recipient address (SMTP's RCPT TO: address) is taken +# from if not available elsewhere. With dovecot-lda -a parameter overrides this. +# A commonly used header for this is X-Original-To. +#lda_original_recipient_header = + +# Should saving a mail to a nonexistent mailbox automatically create it? +lda_mailbox_autocreate = yes + +# Should automatically created mailboxes be also automatically subscribed? +lda_mailbox_autosubscribe = yes + +protocol lda { + # Space separated list of plugins to load (default is global mail_plugins). + mail_plugins = $mail_plugins sieve +} diff --git a/test/config/dovecot-lmtp/conf.d/15-mailboxes.conf b/test/config/dovecot-lmtp/conf.d/15-mailboxes.conf new file mode 100644 index 00000000..73ed268c --- /dev/null +++ b/test/config/dovecot-lmtp/conf.d/15-mailboxes.conf @@ -0,0 +1,50 @@ +## +## Mailbox definitions +## + +# NOTE: Assumes "namespace inbox" has been defined in 10-mail.conf. +namespace inbox { + + #mailbox name { + # auto=create will automatically create this mailbox. + # auto=subscribe will both create and subscribe to the mailbox. + #auto = no + + # Space separated list of IMAP SPECIAL-USE attributes as specified by + # RFC 6154: \All \Archive \Drafts \Flagged \Junk \Sent \Trash + #special_use = + #} + + # These mailboxes are widely used and could perhaps be created automatically: + mailbox Drafts { + auto = subscribe + special_use = \Drafts + } + mailbox Junk { + special_use = \Junk + } + mailbox Trash { + auto = subscribe + special_use = \Trash + } + + # For \Sent mailboxes there are two widely used names. We'll mark both of + # them as \Sent. User typically deletes one of them if duplicates are created. + mailbox Sent { + auto = subscribe + special_use = \Sent + } +# mailbox "Sent Messages" { +# special_use = \Sent +# } + + # If you have a virtual "All messages" mailbox: + #mailbox virtual/All { + # special_use = \All + #} + + # If you have a virtual "Flagged" mailbox: + #mailbox virtual/Flagged { + # special_use = \Flagged + #} +} diff --git a/test/config/dovecot-lmtp/conf.d/20-imap.conf b/test/config/dovecot-lmtp/conf.d/20-imap.conf new file mode 100644 index 00000000..689b0ea4 --- /dev/null +++ b/test/config/dovecot-lmtp/conf.d/20-imap.conf @@ -0,0 +1,61 @@ +## +## IMAP specific settings +## + +# Maximum IMAP command line length. Some clients generate very long command +# lines with huge mailboxes, so you may need to raise this if you get +# "Too long argument" or "IMAP command line too large" errors often. +#imap_max_line_length = 64k + +# IMAP logout format string: +# %i - total number of bytes read from client +# %o - total number of bytes sent to client +#imap_logout_format = in=%i out=%o + +# Override the IMAP CAPABILITY response. If the value begins with '+', +# add the given capabilities on top of the defaults (e.g. +XFOO XBAR). +#imap_capability = + +# How long to wait between "OK Still here" notifications when client is +# IDLEing. +#imap_idle_notify_interval = 2 mins + +# ID field names and values to send to clients. Using * as the value makes +# Dovecot use the default value. The following fields have default values +# currently: name, version, os, os-version, support-url, support-email. +#imap_id_send = + +# ID fields sent by client to log. * means everything. +#imap_id_log = + +# Workarounds for various client bugs: +# delay-newmail: +# Send EXISTS/RECENT new mail notifications only when replying to NOOP +# and CHECK commands. Some clients ignore them otherwise, for example OSX +# Mail ( + #service_count = 1 + + # Number of processes to always keep waiting for more connections. + #process_min_avail = 0 + + # If you set service_count=0, you probably need to grow this. + #vsz_limit = 64M +#} + +#service managesieve { + # Max. number of ManageSieve processes (connections) + #process_limit = 1024 +#} + +# Service configuration + +protocol sieve { + # Maximum ManageSieve command line length in bytes. ManageSieve usually does + # not involve overly long command lines, so this setting will not normally + # need adjustment + #managesieve_max_line_length = 65536 + + # Maximum number of ManageSieve connections allowed for a user from each IP + # address. + # NOTE: The username is compared case-sensitively. + #mail_max_userip_connections = 10 + + # Space separated list of plugins to load (none known to be useful so far). + # Do NOT try to load IMAP plugins here. + #mail_plugins = + + # MANAGESIEVE logout format string: + # %i - total number of bytes read from client + # %o - total number of bytes sent to client + #managesieve_logout_format = bytes=%i/%o + + # To fool ManageSieve clients that are focused on CMU's timesieved you can + # specify the IMPLEMENTATION capability that Dovecot reports to clients. + # For example: 'Cyrus timsieved v2.2.13' + #managesieve_implementation_string = Dovecot Pigeonhole + + # Explicitly specify the SIEVE and NOTIFY capability reported by the server + # before login. If left unassigned these will be reported dynamically + # according to what the Sieve interpreter supports by default (after login + # this may differ depending on the user). + #managesieve_sieve_capability = + #managesieve_notify_capability = + + # The maximum number of compile errors that are returned to the client upon + # script upload or script verification. + #managesieve_max_compile_errors = 5 + + # Refer to 90-sieve.conf for script quota configuration and configuration of + # Sieve execution limits. +} diff --git a/test/config/dovecot-lmtp/conf.d/20-pop3.conf b/test/config/dovecot-lmtp/conf.d/20-pop3.conf new file mode 100644 index 00000000..50470e90 --- /dev/null +++ b/test/config/dovecot-lmtp/conf.d/20-pop3.conf @@ -0,0 +1,98 @@ +## +## POP3 specific settings +## + +# Don't try to set mails non-recent or seen with POP3 sessions. This is +# mostly intended to reduce disk I/O. With maildir it doesn't move files +# from new/ to cur/, with mbox it doesn't write Status-header. +#pop3_no_flag_updates = no + +# Support LAST command which exists in old POP3 specs, but has been removed +# from new ones. Some clients still wish to use this though. Enabling this +# makes RSET command clear all \Seen flags from messages. +#pop3_enable_last = no + +# If mail has X-UIDL header, use it as the mail's UIDL. +#pop3_reuse_xuidl = no + +# Allow only one POP3 session to run simultaneously for the same user. +#pop3_lock_session = no + +# POP3 requires message sizes to be listed as if they had CR+LF linefeeds. +# Many POP3 servers violate this by returning the sizes with LF linefeeds, +# because it's faster to get. When this setting is enabled, Dovecot still +# tries to do the right thing first, but if that requires opening the +# message, it fallbacks to the easier (but incorrect) size. +#pop3_fast_size_lookups = no + +# POP3 UIDL (unique mail identifier) format to use. You can use following +# variables, along with the variable modifiers described in +# doc/wiki/Variables.txt (e.g. %Uf for the filename in uppercase) +# +# %v - Mailbox's IMAP UIDVALIDITY +# %u - Mail's IMAP UID +# %m - MD5 sum of the mailbox headers in hex (mbox only) +# %f - filename (maildir only) +# %g - Mail's GUID +# +# If you want UIDL compatibility with other POP3 servers, use: +# UW's ipop3d : %08Xv%08Xu +# Courier : %f or %v-%u (both might be used simultaneosly) +# Cyrus (<= 2.1.3) : %u +# Cyrus (>= 2.1.4) : %v.%u +# Dovecot v0.99.x : %v.%u +# tpop3d : %Mf +# +# Note that Outlook 2003 seems to have problems with %v.%u format which was +# Dovecot's default, so if you're building a new server it would be a good +# idea to change this. %08Xu%08Xv should be pretty fail-safe. +# +#pop3_uidl_format = %08Xu%08Xv + +# Permanently save UIDLs sent to POP3 clients, so pop3_uidl_format changes +# won't change those UIDLs. Currently this works only with Maildir. +#pop3_save_uidl = no + +# What to do about duplicate UIDLs if they exist? +# allow: Show duplicates to clients. +# rename: Append a temporary -2, -3, etc. counter after the UIDL. +#pop3_uidl_duplicates = allow + +# This option changes POP3 behavior so that it's not possible to actually +# delete mails via POP3, only hide them from future POP3 sessions. The mails +# will still be counted towards user's quota until actually deleted via IMAP. +# Use e.g. "$POP3Deleted" as the value (it will be visible as IMAP keyword). +# Make sure you can legally archive mails before enabling this setting. +#pop3_deleted_flag = + +# POP3 logout format string: +# %i - total number of bytes read from client +# %o - total number of bytes sent to client +# %t - number of TOP commands +# %p - number of bytes sent to client as a result of TOP command +# %r - number of RETR commands +# %b - number of bytes sent to client as a result of RETR command +# %d - number of deleted messages +# %m - number of messages (before deletion) +# %s - mailbox size in bytes (before deletion) +# %u - old/new UIDL hash. may help finding out if UIDLs changed unexpectedly +#pop3_logout_format = top=%t/%p, retr=%r/%b, del=%d/%m, size=%s + +# Workarounds for various client bugs: +# outlook-no-nuls: +# Outlook and Outlook Express hang if mails contain NUL characters. +# This setting replaces them with 0x80 character. +# oe-ns-eoh: +# Outlook Express and Netscape Mail breaks if end of headers-line is +# missing. This option simply sends it if it's missing. +# The list is space-separated. +#pop3_client_workarounds = + +protocol pop3 { + # Space separated list of plugins to load (default is global mail_plugins). + #mail_plugins = $mail_plugins + + # Maximum number of POP3 connections allowed for a user from each IP address. + # NOTE: The username is compared case-sensitively. + #mail_max_userip_connections = 10 +} diff --git a/test/config/dovecot-lmtp/conf.d/90-acl.conf b/test/config/dovecot-lmtp/conf.d/90-acl.conf new file mode 100644 index 00000000..f0c0e7a5 --- /dev/null +++ b/test/config/dovecot-lmtp/conf.d/90-acl.conf @@ -0,0 +1,19 @@ +## +## Mailbox access control lists. +## + +# vfile backend reads ACLs from "dovecot-acl" file from mail directory. +# You can also optionally give a global ACL directory path where ACLs are +# applied to all users' mailboxes. The global ACL directory contains +# one file for each mailbox, eg. INBOX or sub.mailbox. cache_secs parameter +# specifies how many seconds to wait between stat()ing dovecot-acl file +# to see if it changed. +plugin { + #acl = vfile:/etc/dovecot/global-acls:cache_secs=300 +} + +# To let users LIST mailboxes shared by other users, Dovecot needs a +# shared mailbox dictionary. For example: +plugin { + #acl_shared_dict = file:/var/lib/dovecot/shared-mailboxes +} diff --git a/test/config/dovecot-lmtp/conf.d/90-plugin.conf b/test/config/dovecot-lmtp/conf.d/90-plugin.conf new file mode 100644 index 00000000..8c8fccf4 --- /dev/null +++ b/test/config/dovecot-lmtp/conf.d/90-plugin.conf @@ -0,0 +1,11 @@ +## +## Plugin settings +## + +# All wanted plugins must be listed in mail_plugins setting before any of the +# settings take effect. See for list of plugins and +# their configuration. Note that %variable expansion is done for all values. + +plugin { + #setting_name = value +} diff --git a/test/config/dovecot-lmtp/conf.d/90-quota.conf b/test/config/dovecot-lmtp/conf.d/90-quota.conf new file mode 100644 index 00000000..db1f7188 --- /dev/null +++ b/test/config/dovecot-lmtp/conf.d/90-quota.conf @@ -0,0 +1,80 @@ +## +## Quota configuration. +## + +# Note that you also have to enable quota plugin in mail_plugins setting. +# + +## +## Quota limits +## + +# Quota limits are set using "quota_rule" parameters. To get per-user quota +# limits, you can set/override them by returning "quota_rule" extra field +# from userdb. It's also possible to give mailbox-specific limits, for example +# to give additional 100 MB when saving to Trash: + +plugin { + #quota_rule = *:storage=1G + #quota_rule2 = Trash:storage=+100M + + # LDA/LMTP allows saving the last mail to bring user from under quota to + # over quota, if the quota doesn't grow too high. Default is to allow as + # long as quota will stay under 10% above the limit. Also allowed e.g. 10M. + #quota_grace = 10%% +} + +## +## Quota warnings +## + +# You can execute a given command when user exceeds a specified quota limit. +# Each quota root has separate limits. Only the command for the first +# exceeded limit is excecuted, so put the highest limit first. +# The commands are executed via script service by connecting to the named +# UNIX socket (quota-warning below). +# Note that % needs to be escaped as %%, otherwise "% " expands to empty. + +plugin { + #quota_warning = storage=95%% quota-warning 95 %u + #quota_warning2 = storage=80%% quota-warning 80 %u +} + +# Example quota-warning service. The unix listener's permissions should be +# set in a way that mail processes can connect to it. Below example assumes +# that mail processes run as vmail user. If you use mode=0666, all system users +# can generate quota warnings to anyone. +#service quota-warning { +# executable = script /usr/local/bin/quota-warning.sh +# user = dovecot +# unix_listener quota-warning { +# user = vmail +# } +#} + +## +## Quota backends +## + +# Multiple backends are supported: +# dirsize: Find and sum all the files found from mail directory. +# Extremely SLOW with Maildir. It'll eat your CPU and disk I/O. +# dict: Keep quota stored in dictionary (eg. SQL) +# maildir: Maildir++ quota +# fs: Read-only support for filesystem quota + +plugin { + #quota = dirsize:User quota + #quota = maildir:User quota + #quota = dict:User quota::proxy::quota + #quota = fs:User quota +} + +# Multiple quota roots are also possible, for example this gives each user +# their own 100MB quota and one shared 1GB quota within the domain: +plugin { + #quota = dict:user::proxy::quota + #quota2 = dict:domain:%d:proxy::quota_domain + #quota_rule = *:storage=102400 + #quota2_rule = *:storage=1048576 +} diff --git a/test/config/dovecot-lmtp/conf.d/90-sieve.conf b/test/config/dovecot-lmtp/conf.d/90-sieve.conf new file mode 100644 index 00000000..1ebf9f33 --- /dev/null +++ b/test/config/dovecot-lmtp/conf.d/90-sieve.conf @@ -0,0 +1,105 @@ +## +## Settings for the Sieve interpreter +## + +# Do not forget to enable the Sieve plugin in 15-lda.conf and 20-lmtp.conf +# by adding it to the respective mail_plugins= settings. + +plugin { + # The path to the user's main active script. If ManageSieve is used, this the + # location of the symbolic link controlled by ManageSieve. + sieve = ~/.dovecot.sieve + + # The default Sieve script when the user has none. This is a path to a global + # sieve script file, which gets executed ONLY if user's private Sieve script + # doesn't exist. Be sure to pre-compile this script manually using the sievec + # command line tool. + # --> See sieve_before fore executing scripts before the user's personal + # script. + #sieve_default = /var/lib/dovecot/sieve/default.sieve + + # Directory for :personal include scripts for the include extension. This + # is also where the ManageSieve service stores the user's scripts. + sieve_dir = ~/sieve + + # Directory for :global include scripts for the include extension. + #sieve_global_dir = + + # Path to a script file or a directory containing script files that need to be + # executed before the user's script. If the path points to a directory, all + # the Sieve scripts contained therein (with the proper .sieve extension) are + # executed. The order of execution within a directory is determined by the + # file names, using a normal 8bit per-character comparison. Multiple script + # file or directory paths can be specified by appending an increasing number. + #sieve_before = + #sieve_before2 = + #sieve_before3 = (etc...) + + # Identical to sieve_before, only the specified scripts are executed after the + # user's script (only when keep is still in effect!). Multiple script file or + # directory paths can be specified by appending an increasing number. + #sieve_after = + #sieve_after2 = + #sieve_after2 = (etc...) + + # Which Sieve language extensions are available to users. By default, all + # supported extensions are available, except for deprecated extensions or + # those that are still under development. Some system administrators may want + # to disable certain Sieve extensions or enable those that are not available + # by default. This setting can use '+' and '-' to specify differences relative + # to the default. For example `sieve_extensions = +imapflags' will enable the + # deprecated imapflags extension in addition to all extensions were already + # enabled by default. + #sieve_extensions = +notify +imapflags + + # Which Sieve language extensions are ONLY available in global scripts. This + # can be used to restrict the use of certain Sieve extensions to administrator + # control, for instance when these extensions can cause security concerns. + # This setting has higher precedence than the `sieve_extensions' setting + # (above), meaning that the extensions enabled with this setting are never + # available to the user's personal script no matter what is specified for the + # `sieve_extensions' setting. The syntax of this setting is similar to the + # `sieve_extensions' setting, with the difference that extensions are + # enabled or disabled for exclusive use in global scripts. Currently, no + # extensions are marked as such by default. + #sieve_global_extensions = + + # The Pigeonhole Sieve interpreter can have plugins of its own. Using this + # setting, the used plugins can be specified. Check the Dovecot wiki + # (wiki2.dovecot.org) or the pigeonhole website + # (http://pigeonhole.dovecot.org) for available plugins. + # The sieve_extprograms plugin is included in this release. + #sieve_plugins = + + # The separator that is expected between the :user and :detail + # address parts introduced by the subaddress extension. This may + # also be a sequence of characters (e.g. '--'). The current + # implementation looks for the separator from the left of the + # localpart and uses the first one encountered. The :user part is + # left of the separator and the :detail part is right. This setting + # is also used by Dovecot's LMTP service. + #recipient_delimiter = + + + # The maximum size of a Sieve script. The compiler will refuse to compile any + # script larger than this limit. If set to 0, no limit on the script size is + # enforced. + #sieve_max_script_size = 1M + + # The maximum number of actions that can be performed during a single script + # execution. If set to 0, no limit on the total number of actions is enforced. + #sieve_max_actions = 32 + + # The maximum number of redirect actions that can be performed during a single + # script execution. If set to 0, no redirect actions are allowed. + #sieve_max_redirects = 4 + + # The maximum number of personal Sieve scripts a single user can have. If set + # to 0, no limit on the number of scripts is enforced. + # (Currently only relevant for ManageSieve) + #sieve_quota_max_scripts = 0 + + # The maximum amount of disk storage a single user's scripts may occupy. If + # set to 0, no limit on the used amount of disk storage is enforced. + # (Currently only relevant for ManageSieve) + #sieve_quota_max_storage = 0 +} diff --git a/test/config/dovecot-lmtp/conf.d/auth-checkpassword.conf.ext b/test/config/dovecot-lmtp/conf.d/auth-checkpassword.conf.ext new file mode 100644 index 00000000..b2fb13a2 --- /dev/null +++ b/test/config/dovecot-lmtp/conf.d/auth-checkpassword.conf.ext @@ -0,0 +1,21 @@ +# Authentication for checkpassword users. Included from 10-auth.conf. +# +# + +passdb { + driver = checkpassword + args = /usr/bin/checkpassword +} + +# passdb lookup should return also userdb info +userdb { + driver = prefetch +} + +# Standard checkpassword doesn't support direct userdb lookups. +# If you need checkpassword userdb, the checkpassword must support +# Dovecot-specific extensions. +#userdb { +# driver = checkpassword +# args = /usr/bin/checkpassword +#} diff --git a/test/config/dovecot-lmtp/conf.d/auth-deny.conf.ext b/test/config/dovecot-lmtp/conf.d/auth-deny.conf.ext new file mode 100644 index 00000000..ce3f1cf1 --- /dev/null +++ b/test/config/dovecot-lmtp/conf.d/auth-deny.conf.ext @@ -0,0 +1,15 @@ +# Deny access for users. Included from 10-auth.conf. + +# Users can be (temporarily) disabled by adding a passdb with deny=yes. +# If the user is found from that database, authentication will fail. +# The deny passdb should always be specified before others, so it gets +# checked first. + +# Example deny passdb using passwd-file. You can use any passdb though. +passdb { + driver = passwd-file + deny = yes + + # File contains a list of usernames, one per line + args = /etc/dovecot/deny-users +} diff --git a/test/config/dovecot-lmtp/conf.d/auth-ldap.conf.ext b/test/config/dovecot-lmtp/conf.d/auth-ldap.conf.ext new file mode 100644 index 00000000..5db32fa3 --- /dev/null +++ b/test/config/dovecot-lmtp/conf.d/auth-ldap.conf.ext @@ -0,0 +1,33 @@ +# Authentication for LDAP users. Included from 10-auth.conf. +# +# + +passdb { + driver = ldap + + # Path for LDAP configuration file, see example-config/dovecot-ldap.conf.ext + args = /etc/dovecot/dovecot-ldap.conf.ext +} + +# "prefetch" user database means that the passdb already provided the +# needed information and there's no need to do a separate userdb lookup. +# +#userdb { +# driver = prefetch +#} + +userdb { + driver = ldap + args = /etc/dovecot/dovecot-ldap.conf.ext + + # Default fields can be used to specify defaults that LDAP may override + #default_fields = home=/home/virtual/%u +} + +# If you don't have any user-specific settings, you can avoid the userdb LDAP +# lookup by using userdb static instead of userdb ldap, for example: +# +#userdb { + #driver = static + #args = uid=vmail gid=vmail home=/var/vmail/%u +#} diff --git a/test/config/dovecot-lmtp/conf.d/auth-master.conf.ext b/test/config/dovecot-lmtp/conf.d/auth-master.conf.ext new file mode 100644 index 00000000..2cf128f1 --- /dev/null +++ b/test/config/dovecot-lmtp/conf.d/auth-master.conf.ext @@ -0,0 +1,16 @@ +# Authentication for master users. Included from 10-auth.conf. + +# By adding master=yes setting inside a passdb you make the passdb a list +# of "master users", who can log in as anyone else. +# + +# Example master user passdb using passwd-file. You can use any passdb though. +passdb { + driver = passwd-file + master = yes + args = /etc/dovecot/master-users + + # Unless you're using PAM, you probably still want the destination user to + # be looked up from passdb that it really exists. pass=yes does that. + pass = yes +} diff --git a/test/config/dovecot-lmtp/conf.d/auth-passwdfile.conf.ext b/test/config/dovecot-lmtp/conf.d/auth-passwdfile.conf.ext new file mode 100644 index 00000000..c89d28c6 --- /dev/null +++ b/test/config/dovecot-lmtp/conf.d/auth-passwdfile.conf.ext @@ -0,0 +1,20 @@ +# Authentication for passwd-file users. Included from 10-auth.conf. +# +# passwd-like file with specified location. +# + +passdb { + driver = passwd-file + args = scheme=CRYPT username_format=%u /etc/dovecot/users +} + +userdb { + driver = passwd-file + args = username_format=%u /etc/dovecot/users + + # Default fields that can be overridden by passwd-file + #default_fields = quota_rule=*:storage=1G + + # Override fields from passwd-file + #override_fields = home=/home/virtual/%u +} diff --git a/test/config/dovecot-lmtp/conf.d/auth-passwdfile.inc b/test/config/dovecot-lmtp/conf.d/auth-passwdfile.inc new file mode 100644 index 00000000..bba1af7e --- /dev/null +++ b/test/config/dovecot-lmtp/conf.d/auth-passwdfile.inc @@ -0,0 +1,21 @@ +# Authentication for passwd-file users. Included from 10-auth.conf. +# +# passwd-like file with specified location. +# + +passdb { + driver = passwd-file + args = scheme=CRYPT username_format=%u /etc/dovecot/userdb +} + +userdb { + driver = passwd-file + args = username_format=%u /etc/dovecot/userdb + + # Default fields that can be overridden by passwd-file + #default_fields = quota_rule=*:storage=1G + default_fields = uid=docker gid=docker home=/var/mail/%d/%u + + # Override fields from passwd-file + #override_fields = home=/home/virtual/%u +} diff --git a/test/config/dovecot-lmtp/conf.d/auth-sql.conf.ext b/test/config/dovecot-lmtp/conf.d/auth-sql.conf.ext new file mode 100644 index 00000000..ccbea864 --- /dev/null +++ b/test/config/dovecot-lmtp/conf.d/auth-sql.conf.ext @@ -0,0 +1,30 @@ +# Authentication for SQL users. Included from 10-auth.conf. +# +# + +passdb { + driver = sql + + # Path for SQL configuration file, see example-config/dovecot-sql.conf.ext + args = /etc/dovecot/dovecot-sql.conf.ext +} + +# "prefetch" user database means that the passdb already provided the +# needed information and there's no need to do a separate userdb lookup. +# +#userdb { +# driver = prefetch +#} + +userdb { + driver = sql + args = /etc/dovecot/dovecot-sql.conf.ext +} + +# If you don't have any user-specific settings, you can avoid the user_query +# by using userdb static instead of userdb sql, for example: +# +#userdb { + #driver = static + #args = uid=vmail gid=vmail home=/var/vmail/%u +#} diff --git a/test/config/dovecot-lmtp/conf.d/auth-static.conf.ext b/test/config/dovecot-lmtp/conf.d/auth-static.conf.ext new file mode 100644 index 00000000..90890c59 --- /dev/null +++ b/test/config/dovecot-lmtp/conf.d/auth-static.conf.ext @@ -0,0 +1,24 @@ +# Static passdb. Included from 10-auth.conf. + +# This can be used for situations where Dovecot doesn't need to verify the +# username or the password, or if there is a single password for all users: +# +# - proxy frontend, where the backend verifies the password +# - proxy backend, where the frontend already verified the password +# - authentication with SSL certificates +# - simple testing + +#passdb { +# driver = static +# args = proxy=y host=%1Mu.example.com nopassword=y +#} + +#passdb { +# driver = static +# args = password=test +#} + +#userdb { +# driver = static +# args = uid=vmail gid=vmail home=/home/%u +#} diff --git a/test/config/dovecot-lmtp/conf.d/auth-system.conf.ext b/test/config/dovecot-lmtp/conf.d/auth-system.conf.ext new file mode 100644 index 00000000..23f943c7 --- /dev/null +++ b/test/config/dovecot-lmtp/conf.d/auth-system.conf.ext @@ -0,0 +1,74 @@ +# Authentication for system users. Included from 10-auth.conf. +# +# +# + +# PAM authentication. Preferred nowadays by most systems. +# PAM is typically used with either userdb passwd or userdb static. +# REMEMBER: You'll need /etc/pam.d/dovecot file created for PAM +# authentication to actually work. +passdb { + driver = pam + # [session=yes] [setcred=yes] [failure_show_msg=yes] [max_requests=] + # [cache_key=] [] + #args = dovecot +} + +# System users (NSS, /etc/passwd, or similiar). +# In many systems nowadays this uses Name Service Switch, which is +# configured in /etc/nsswitch.conf. +#passdb { + #driver = passwd + # [blocking=no] + #args = +#} + +# Shadow passwords for system users (NSS, /etc/shadow or similiar). +# Deprecated by PAM nowadays. +# +#passdb { + #driver = shadow + # [blocking=no] + #args = +#} + +# PAM-like authentication for OpenBSD. +# +#passdb { + #driver = bsdauth + # [blocking=no] [cache_key=] + #args = +#} + +## +## User databases +## + +# System users (NSS, /etc/passwd, or similiar). In many systems nowadays this +# uses Name Service Switch, which is configured in /etc/nsswitch.conf. +userdb { + # + driver = passwd + # [blocking=no] + #args = + + # Override fields from passwd + #override_fields = home=/home/virtual/%u +} + +# Static settings generated from template +#userdb { + #driver = static + # Can return anything a userdb could normally return. For example: + # + # args = uid=500 gid=500 home=/var/mail/%u + # + # LDA and LMTP needs to look up users only from the userdb. This of course + # doesn't work with static userdb because there is no list of users. + # Normally static userdb handles this by doing a passdb lookup. This works + # with most passdbs, with PAM being the most notable exception. If you do + # the user verification another way, you can add allow_all_users=yes to + # the args in which case the passdb lookup is skipped. + # + #args = +#} diff --git a/test/config/dovecot-lmtp/conf.d/auth-vpopmail.conf.ext b/test/config/dovecot-lmtp/conf.d/auth-vpopmail.conf.ext new file mode 100644 index 00000000..f2da976b --- /dev/null +++ b/test/config/dovecot-lmtp/conf.d/auth-vpopmail.conf.ext @@ -0,0 +1,17 @@ +# Authentication for vpopmail users. Included from 10-auth.conf. +# +# + +passdb { + driver = vpopmail + + # [cache_key=] [webmail=] + args = +} + +userdb { + driver = vpopmail + + # [quota_template=