From 94077b2a291639c5a37516e4c68e24d498e93e65 Mon Sep 17 00:00:00 2001
From: Dominik Winter
Date: Fri, 3 Jun 2016 01:22:03 +0200
Subject: [PATCH 1/6] added ability to overwrite jail.conf
---
 config/fail2ban-jail.cf | 11 +++++++++++
 target/start-mailserver.sh | 9 +++++++--
 2 files changed, 18 insertions(+), 2 deletions(-)
 create mode 100644 config/fail2ban-jail.cf
diff --git a/config/fail2ban-jail.cf b/config/fail2ban-jail.cf
new file mode 100644
index 00000000..7b426c4a
--- /dev/null
+++ b/config/fail2ban-jail.cf
@@ -0,0 +1,11 @@
+[DEFAULT]
+
+# "bantime" is the number of seconds that a host is banned.
+#bantime = 10800
+
+# A host is banned if it has generated "maxretry" during the last "findtime"
+# seconds.
+#findtime = 600
+
+# "maxretry" is the number of failures before a host get banned.
+#maxretry = 3
diff --git a/target/start-mailserver.sh b/target/start-mailserver.sh
index a7a85033..37859b28 100644
--- a/target/start-mailserver.sh
+++ b/target/start-mailserver.sh
@@ -263,8 +263,13 @@ SA_TAG2=${SA_TAG2:="6.31"} && sed -i -r 's/^\$sa_tag2_level_deflt (.*);/\$sa_tag
 SA_KILL=${SA_KILL:="6.31"} && sed -i -r 's/^\$sa_kill_level_deflt (.*);/\$sa_kill_level_deflt = '$SA_KILL';/g' /etc/amavis/conf.d/20-debian_defaults
 test -e /tmp/docker-mailserver/spamassassin-rules.cf && cp /tmp/docker-mailserver/spamassassin-rules.cf /etc/spamassassin/
-# Disable logrotate config for fail2ban if not enabled
-test -z "$ENABLE_FAIL2BAN" && rm -f /etc/logrotate.d/fail2ban
+if [ "$ENABLE_FAIL2BAN" = 1 ]; then
+ test -e /tmp/docker-mailserver/fail2ban-jail.cf && cp /tmp/docker-mailserver/fail2ban-jail.cf /etc/fail2ban/jail.local
+else
+ # Disable logrotate config for fail2ban if not enabled
+ rm -f /etc/logrotate.d/fail2ban
+fi
+
 # Fix cron.daily for spamassassin
 sed -i -e 's/invoke-rc.d spamassassin reload/\/etc\/init\.d\/spamassassin reload/g' /etc/cron.daily/spamassassin
From 54763a9d59e7743b9083d7fc6c9f1360eecf4422 Mon Sep 17 00:00:00 2001
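Review bot: In the target/start-mailserver.sh hunk of PATCH 1/6, the override `cp /tmp/docker-mailserver/fail2ban-jail.cf /etc/fail2ban/jail.local` is applied silently and unchecked, so a mounted file with a typo or a very permissive `maxretry`/`bantime` changes the brute-force policy with nothing in the container log to show it. I would print a line when the override is used, for example `echo "fail2ban: applying jail overrides from fail2ban-jail.cf"`, and report a failed copy instead of ignoring it. Separately, the guard changed from `test -z "$ENABLE_FAIL2BAN"` to `[ "$ENABLE_FAIL2BAN" = 1 ]`, so any other non-empty value now removes the logrotate config where it was kept before. Whether that matches how fail2ban is started is decided outside this hunk and should be confirmed.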
From: Dominik Winter
Date: Fri, 3 Jun 2016 01:22:16 +0200
Subject: [PATCH 2/6] added tests
---
 test/tests.bats | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/test/tests.bats b/test/tests.bats
index a8e954af..a986d398 100644
--- a/test/tests.bats
+++ b/test/tests.bats
@@ -366,6 +366,23 @@
 [ "$status" -eq 0 ]
 }
+@test "checking fail2ban: fail2ban-jail.cf overrides" {
+ run docker exec mail_fail2ban /bin/sh -c "fail2ban-client get sshd bantime | grep 10800"; [ "$status" -eq 1 ]
+ run docker exec mail_fail2ban /bin/sh -c "fail2ban-client get postfix bantime | grep 10800"; [ "$status" -eq 1 ]
+ run docker exec mail_fail2ban /bin/sh -c "fail2ban-client get dovecot bantime | grep 10800"; [ "$status" -eq 1 ]
+ run docker exec mail_fail2ban /bin/sh -c "fail2ban-client get postfix-sasl bantime | grep 10800"; [ "$status" -eq 1 ]
+
+ run docker exec mail_fail2ban /bin/sh -c "fail2ban-client get sshd findtime | grep 600"; [ "$status" -eq 1 ]
+ run docker exec mail_fail2ban /bin/sh -c "fail2ban-client get postfix findtime | grep 600"; [ "$status" -eq 1 ]
+ run docker exec mail_fail2ban /bin/sh -c "fail2ban-client get dovecot findtime | grep 600"; [ "$status" -eq 1 ]
+ run docker exec mail_fail2ban /bin/sh -c "fail2ban-client get postfix-sasl findtime | grep 600"; [ "$status" -eq 1 ]
+
+ run docker exec mail_fail2ban /bin/sh -c "fail2ban-client get sshd maxretry | grep 3"; [ "$status" -eq 1 ]
+ run docker exec mail_fail2ban /bin/sh -c "fail2ban-client get postfix maxretry | grep 3"; [ "$status" -eq 1 ]
+ run docker exec mail_fail2ban /bin/sh -c "fail2ban-client get dovecot maxretry | grep 3"; [ "$status" -eq 1 ]
+ run docker exec mail_fail2ban /bin/sh -c "fail2ban-client get postfix-sasl maxretry | grep 3"; [ "$status" -eq 1 ]
+}
+
 @test "checking fail2ban: ban ip on multiple failed login" {
 # Getting mail_fail2ban container IP
 MAIL_FAIL2BAN_IP=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' mail_fail2ban)
From c1bbf5295f61b8a46a4e507306c8471b48862ae2 Mon Sep 17 00:00:00 2001
From: Dominik Winter
Date: Sat, 4 Jun 2016 02:34:00 +0200
Subject: [PATCH 3/6] ignore test/onedir
---
 .gitignore | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.gitignore b/.gitignore
index 6cf2b8e6..fc55b270 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,3 +4,4 @@ docker-compose.yml
 test/config/empty/
 test/config/postfix-accounts.cf
 test/config/letsencrypt/mail.my-domain.com/combined.pem
+test/onedir
From e3b65aea7ad6f9bc5243feb778787970d9aad90c Mon Sep 17 00:00:00 2001
From: Dominik Winter
Date: Sat, 4 Jun 2016 02:46:33 +0200
Subject: [PATCH 4/6] corrected test cases
---
 test/config/fail2ban-jail.cf | 11 +++++++++++
 test/tests.bats | 22 ++++++++++------------
 2 files changed, 21 insertions(+), 12 deletions(-)
 create mode 100644 test/config/fail2ban-jail.cf
diff --git a/test/config/fail2ban-jail.cf b/test/config/fail2ban-jail.cf
new file mode 100644
index 00000000..eee1f8ff
--- /dev/null
+++ b/test/config/fail2ban-jail.cf
@@ -0,0 +1,11 @@
+[DEFAULT]
+
+# "bantime" is the number of seconds that a host is banned.
+bantime = 1234
+
+# A host is banned if it has generated "maxretry" during the last "findtime"
+# seconds.
+findtime = 321
+
+# "maxretry" is the number of failures before a host get banned.
+maxretry = 2
diff --git a/test/tests.bats b/test/tests.bats
index a986d398..65aa536a 100644
--- a/test/tests.bats
+++ b/test/tests.bats
@@ -367,20 +367,18 @@
 }
 @test "checking fail2ban: fail2ban-jail.cf overrides" {
- run docker exec mail_fail2ban /bin/sh -c "fail2ban-client get sshd bantime | grep 10800"; [ "$status" -eq 1 ]
- run docker exec mail_fail2ban /bin/sh -c "fail2ban-client get postfix bantime | grep 10800"; [ "$status" -eq 1 ]
- run docker exec mail_fail2ban /bin/sh -c "fail2ban-client get dovecot bantime | grep 10800"; [ "$status" -eq 1 ]
- run docker exec mail_fail2ban /bin/sh -c "fail2ban-client get postfix-sasl bantime | grep 10800"; [ "$status" -eq 1 ]
+ FILTERS=(sshd postfix dovecot postfix-sasl)
- run docker exec mail_fail2ban /bin/sh -c "fail2ban-client get sshd findtime | grep 600"; [ "$status" -eq 1 ]
- run docker exec mail_fail2ban /bin/sh -c "fail2ban-client get postfix findtime | grep 600"; [ "$status" -eq 1 ]
- run docker exec mail_fail2ban /bin/sh -c "fail2ban-client get dovecot findtime | grep 600"; [ "$status" -eq 1 ]
- run docker exec mail_fail2ban /bin/sh -c "fail2ban-client get postfix-sasl findtime | grep 600"; [ "$status" -eq 1 ]
+ for FILTER in "${arr[@]}"; do
+ run docker exec mail_fail2ban /bin/sh -c "fail2ban-client get $FILTER bantime"
+ [ "$output" = 1234 ]
- run docker exec mail_fail2ban /bin/sh -c "fail2ban-client get sshd maxretry | grep 3"; [ "$status" -eq 1 ]
- run docker exec mail_fail2ban /bin/sh -c "fail2ban-client get postfix maxretry | grep 3"; [ "$status" -eq 1 ]
- run docker exec mail_fail2ban /bin/sh -c "fail2ban-client get dovecot maxretry | grep 3"; [ "$status" -eq 1 ]
- run docker exec mail_fail2ban /bin/sh -c "fail2ban-client get postfix-sasl maxretry | grep 3"; [ "$status" -eq 1 ]
+ run docker exec mail_fail2ban /bin/sh -c "fail2ban-client get $FILTER findtime"
+ [ "$output" = 321 ]
+
+ run docker exec mail_fail2ban /bin/sh -c "fail2ban-client get $FILTER maxretry"
+ [ "$output" = 2 ]
+ done
 }
 @test "checking fail2ban: ban ip on multiple failed login" {
From 8c24b0f418f18c9ddc9d907c04943e4b61c3c7d5 Mon Sep 17 00:00:00 2001
From: Dominik Winter
Date: Sat, 4 Jun 2016 02:53:44 +0200
Subject: [PATCH 5/6] using -n because iptables resolved ip address to domain name
---
 test/tests.bats | 23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)
diff --git a/test/tests.bats b/test/tests.bats
index 65aa536a..8073e16c 100644
--- a/test/tests.bats
+++ b/test/tests.bats
@@ -384,29 +384,38 @@ @test "checking fail2ban: ban ip on multiple failed login" { # Getting mail_fail2ban container IP MAIL_FAIL2BAN_IP=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' mail_fail2ban) + # Create a container which will send wront authentications and should banned - docker run --name fail-auth-mailer -e MAIL_FAIL2BAN_IP=$MAIL_FAIL2BAN_IP -v "$(pwd)/test":/tmp/docker-mailserver-test -d `docker inspect --format '{{ .Config.Image }}' mail` tail -f /var/log/faillog - docker exec fail-auth-mailer /bin/sh -c 'nc $MAIL_FAIL2BAN_IP 25 < /tmp/docker-mailserver-test/auth/smtp-auth-login-wrong.txt' + docker run --name fail-auth-mailer -e MAIL_FAIL2BAN_IP=$MAIL_FAIL2BAN_IP -v "$(pwd)/test":/tmp/docker-mailserver-test -d $(docker inspect --format '{{ .Config.Image }}' mail) tail -f /var/log/faillog + docker exec fail-auth-mailer /bin/sh -c 'nc $MAIL_FAIL2BAN_IP 25 < /tmp/docker-mailserver-test/auth/smtp-auth-login-wrong.txt' docker exec fail-auth-mailer /bin/sh -c 'nc $MAIL_FAIL2BAN_IP 25 < /tmp/docker-mailserver-test/auth/smtp-auth-login-wrong.txt' + sleep 5 + # Checking that FAIL_AUTH_MAILER_IP is banned in mail_fail2ban FAIL_AUTH_MAILER_IP=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' fail-auth-mailer) - run docker exec mail_fail2ban /bin/sh -c "export FAIL_AUTH_MAILER_IP=$FAIL_AUTH_MAILER_IP && fail2ban-client status postfix-sasl | grep '$FAIL_AUTH_MAILER_IP'" + + run docker exec mail_fail2ban /bin/sh -c "fail2ban-client status postfix-sasl | grep '$FAIL_AUTH_MAILER_IP'" [ "$status" -eq 0 ] - # Checking that FAIL_AUTH_MAILER_IP is banned in /etc/hosts.deny - run docker exec mail_fail2ban /bin/sh -c "export FAIL_AUTH_MAILER_IP=$FAIL_AUTH_MAILER_IP && iptables -L | grep 'REJECT all -- $FAIL_AUTH_MAILER_IP'" + + # Checking that FAIL_AUTH_MAILER_IP is banned by iptables + run docker exec mail_fail2ban /bin/sh -c "iptables -L f2b-postfix-sasl -n | grep REJECT | grep '$FAIL_AUTH_MAILER_IP'" [ "$status" -eq 0 ] } @test "checking fail2ban: 
unban ip works" { FAIL_AUTH_MAILER_IP=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' fail-auth-mailer) + docker exec mail_fail2ban fail2ban-client set postfix-sasl unbanip $FAIL_AUTH_MAILER_IP + sleep 5 + run docker exec mail_fail2ban /bin/sh -c "fail2ban-client status postfix-sasl | grep 'IP list:.*$FAIL_AUTH_MAILER_IP'" [ "$status" -eq 1 ] - # Checking that FAIL_AUTH_MAILER_IP is unbanned in /etc/hosts.deny - run docker exec mail_fail2ban /bin/sh -c "export FAIL_AUTH_MAILER_IP=$FAIL_AUTH_MAILER_IP && iptables -L | grep 'REJECT all -- $FAIL_AUTH_MAILER_IP'" + + # Checking that FAIL_AUTH_MAILER_IP is unbanned by iptables + run docker exec mail_fail2ban /bin/sh -c "iptables -L f2b-postfix-sasl -n | grep REJECT | grep '$FAIL_AUTH_MAILER_IP'" [ "$status" -eq 1 ] } From 18d910530cd19faf4d29a26b3b26a6f3b29c7eee Mon Sep 17 00:00:00 2001 From: Dominik Winter Date: Sat, 4 Jun 2016 03:12:18 +0200 Subject: [PATCH 6/6] corrected wrong variable name --- test/tests.bats | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/tests.bats b/test/tests.bats index 8073e16c..c12bf711 100644 --- a/test/tests.bats +++ b/test/tests.bats @@ -369,7 +369,7 @@ @test "checking fail2ban: fail2ban-jail.cf overrides" { FILTERS=(sshd postfix dovecot postfix-sasl) - for FILTER in "${arr[@]}"; do + for FILTER in "${FILTERS[@]}"; do run docker exec mail_fail2ban /bin/sh -c "fail2ban-client get $FILTER bantime" [ "$output" = 1234 ]
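Review bot: In the test/tests.bats hunk of PATCH 5/6, the ban and unban checks match the address with a plain `grep '$FAIL_AUTH_MAILER_IP'`, which treats the dots as regex wildcards, also matches longer addresses sharing the prefix, and matches every line when `docker inspect` returned an empty string. In that last case the `fail2ban-client status postfix-sasl` check in the "ban ip" test passes without the address ever being banned, so the test can report working brute-force protection when it is not. I would assert the variable first with `[ -n "$FAIL_AUTH_MAILER_IP" ]` and use a fixed-string, whole-word match, `grep -Fw -- '$FAIL_AUTH_MAILER_IP'`, in both tests. The same applies to the `'IP list:.*$FAIL_AUTH_MAILER_IP'` pattern in the unban test, where an escaped or fixed-string form would avoid a false failure from a neighbouring address.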