New features:
* ADD_PERMIT_NETWORK option allows specifying additional networks to whitelist in mynetworks while retaining the benefits of automatically determining relevant networks through PERMIT_DOCKER. E.g. to add the network "10.0.1.0/24", set ADD_PERMIT_NETWORK to "10.0.1.0/24" * DISABLE_FILTERS_FOR_MYNETWORKS option adds amavisd-new configuration to disable clamav/spamassassin filters for the IPv4 hosts listed in mynetworks (amavisd-new doesn't seem to support IPv6 here). Set DISABLE_FILTERS_FOR_MYNETWORKS to enable this. * Added PCRE support to postfix, allowing efficient rejection of mail headers and body based on PCRE regexps. The regexps can be placed in config/postfix-reject_body_checks and config/reject_header_checks respectively. See the postfix main.cf documentation on header_checks and body_checks for more information. * Added support for the second postgrey whitelist (whitelist_clients.local) Improvements: * Postgrey whitelists are also accepted as config/postgrey-whitelist_clients.local and config/postgrey-whitelist_recipients.local Bug/Security fixes: * Fixing permission problems for /var/mail-state/spool-postfix when ONE_DIR=1: - spool-postfix/maildrop and spool-postfix/public folders must be owned by group postdrop - spool-postfix/[dev/etc/lib/pid/usr] permissions were not restrictive enough. They should be owned by the root user and root group.
parent
dbf65789f2
commit
ffb9c180b8
|
@ -43,6 +43,7 @@ RUN apt-get update -q --fix-missing && \
|
|||
opendmarc \
|
||||
p7zip \
|
||||
postfix-ldap \
|
||||
postfix-pcre \
|
||||
postfix-policyd-spf-python \
|
||||
pyzor \
|
||||
razor \
|
||||
|
|
|
@ -22,6 +22,8 @@ DEFAULT_VARS["ENABLE_SASLAUTHD"]="${ENABLE_SASLAUTHD:="0"}"
|
|||
DEFAULT_VARS["SMTP_ONLY"]="${SMTP_ONLY:="0"}"
|
||||
DEFAULT_VARS["DMS_DEBUG"]="${DMS_DEBUG:="0"}"
|
||||
DEFAULT_VARS["OVERRIDE_HOSTNAME"]="${OVERRIDE_HOSTNAME}"
|
||||
DEFAULT_VARS["ADD_PERMIT_NETWORK"]="${ADD_PERMIT_NETWORK}"
|
||||
DEFAULT_VARS["DISABLE_FILTERS_FOR_MYNETWORKS"]="${DISABLE_FILTERS_FOR_MYNETWORKS}"
|
||||
##########################################################################
|
||||
# << DEFAULT VARS
|
||||
##########################################################################
|
||||
|
@ -111,6 +113,7 @@ function register_functions() {
|
|||
_register_setup_function "_setup_postfix_sasl_password"
|
||||
_register_setup_function "_setup_security_stack"
|
||||
_register_setup_function "_setup_postfix_aliases"
|
||||
_register_setup_function "_setup_postfix_rejections"
|
||||
_register_setup_function "_setup_postfix_vhost"
|
||||
|
||||
if [ ! -z "$AWS_SES_HOST" -a ! -z "$AWS_SES_USERPASS" ]; then
|
||||
|
@ -121,7 +124,7 @@ function register_functions() {
|
|||
_register_setup_function "_setup_postfix_virtual_transport"
|
||||
fi
|
||||
|
||||
_register_setup_function "_setup_environment"
|
||||
_register_setup_function "_setup_environment"
|
||||
|
||||
################### << setup funcs
|
||||
|
||||
|
@ -587,6 +590,15 @@ function _setup_postgrey() {
|
|||
if [ -f /tmp/docker-mailserver/whitelist_clients.local ]; then
|
||||
cp -f /tmp/docker-mailserver/whitelist_clients.local /etc/postgrey/whitelist_clients.local
|
||||
fi
|
||||
if [ -f /tmp/docker-mailserver/whitelist_recipients.local ]; then
|
||||
cp -f /tmp/docker-mailserver/whitelist_recipients.local /etc/postgrey/whitelist_recipients.local
|
||||
fi
|
||||
if [ -f /tmp/docker-mailserver/postgrey-whitelist_clients.local ]; then
|
||||
cp -f /tmp/docker-mailserver/postgrey-whitelist_clients.local /etc/postgrey/whitelist_clients.local
|
||||
fi
|
||||
if [ -f /tmp/docker-mailserver/postgrey-whitelist_recipients.local ]; then
|
||||
cp -f /tmp/docker-mailserver/postgrey-whitelist_recipients.local /etc/postgrey/whitelist_recipients.local
|
||||
fi
|
||||
}
|
||||
|
||||
|
||||
|
@ -691,6 +703,19 @@ function _setup_postfix_aliases() {
|
|||
fi
|
||||
}
|
||||
|
||||
function _setup_postfix_rejections() {
|
||||
notify 'task' 'Setting up Postfix Rejections'
|
||||
|
||||
if [ -f /tmp/docker-mailserver/postfix-reject_header_checks ]; then
|
||||
cp -f /tmp/docker-mailserver/postfix-reject_header_checks /etc/postfix/reject_header_checks
|
||||
postconf -e "header_checks = pcre:/etc/postfix/reject_body_checks"
|
||||
fi
|
||||
if [ -f /tmp/docker-mailserver/postfix-reject_body_checks ]; then
|
||||
cp -f /tmp/docker-mailserver/postfix-reject_body_checks /etc/postfix/reject_body_checks
|
||||
postconf -e "body_checks = pcre:/etc/postfix/reject_body_checks"
|
||||
fi
|
||||
}
|
||||
|
||||
function _setup_dkim() {
|
||||
notify 'task' 'Setting up DKIM'
|
||||
|
||||
|
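Review bot: The map path on `postconf -e "header_checks = pcre:/etc/postfix/reject_body_checks"` inside the new `_setup_postfix_rejections` is wrong: the file copied two lines earlier is `/etc/postfix/reject_header_checks`, so the header rules a user ships are never consulted, and if no body-checks file was supplied Postfix is pointed at a map that does not exist. It should read `postconf -e "header_checks = pcre:/etc/postfix/reject_header_checks"`. The commit message names the input as `config/reject_header_checks` while the code looks for `postfix-reject_header_checks`; one of the two should be aligned so users do not silently ship a file that is ignored. A one-line comment above the function, such as `# optional PCRE maps; absent files leave header_checks/body_checks untouched`, would document the intended contract.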
@ -823,33 +848,44 @@ function _setup_postfix_vhost() {
|
|||
}
|
||||
|
||||
function _setup_docker_permit() {
|
||||
notify 'task' 'Setting up PERMIT_DOCKER Option'
|
||||
notify 'task' 'Setting up PERMIT_DOCKER and ADD_PERMIT_NETWORK Options'
|
||||
|
||||
container_ip=$(ip addr show eth0 | grep 'inet ' | sed 's/[^0-9\.\/]*//g' | cut -d '/' -f 1)
|
||||
container_network="$(echo $container_ip | cut -d '.' -f1-2).0.0"
|
||||
|
||||
if [[ ! -z ${DEFAULT_VARS["ADD_PERMIT_NETWORK"]} ]]; then
|
||||
add_permit_network="$ADD_PERMIT_NETWORK"
|
||||
else
|
||||
add_permit_network=""
|
||||
fi
|
||||
|
||||
case $PERMIT_DOCKER in
|
||||
"host" )
|
||||
notify 'inf' "Adding $container_network/16 to my networks"
|
||||
postconf -e "$(postconf | grep '^mynetworks =') $container_network/16"
|
||||
postconf -e "$(postconf | grep '^mynetworks =') $container_network/16 $add_permit_network"
|
||||
echo $container_network/16 >> /etc/opendmarc/ignore.hosts
|
||||
echo $container_network/16 >> /etc/opendkim/TrustedHosts
|
||||
;;
|
||||
|
||||
"network" )
|
||||
notify 'inf' "Adding docker network in my networks"
|
||||
postconf -e "$(postconf | grep '^mynetworks =') 172.16.0.0/12"
|
||||
postconf -e "$(postconf | grep '^mynetworks =') 172.16.0.0/12 $add_permit_network"
|
||||
echo 172.16.0.0/12 >> /etc/opendmarc/ignore.hosts
|
||||
echo 172.16.0.0/12 >> /etc/opendkim/TrustedHosts
|
||||
;;
|
||||
|
||||
* )
|
||||
notify 'inf' "Adding container ip in my networks"
|
||||
postconf -e "$(postconf | grep '^mynetworks =') $container_ip/32"
|
||||
postconf -e "$(postconf | grep '^mynetworks =') $container_ip/32 $add_permit_network"
|
||||
echo $container_ip/32 >> /etc/opendmarc/ignore.hosts
|
||||
echo $container_ip/32 >> /etc/opendkim/TrustedHosts
|
||||
;;
|
||||
esac
|
||||
|
||||
if [[ ! -z ${DEFAULT_VARS["ADD_PERMIT_NETWORK"]} ]]; then
|
||||
echo $add_permit_network >> /etc/opendmarc/ignore.hosts
|
||||
echo $add_permit_network >> /etc/opendkim/TrustedHosts
|
||||
fi
|
||||
}
|
||||
|
||||
function _setup_postfix_virtual_transport() {
|
||||
|
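Review bot: `add_permit_network="$ADD_PERMIT_NETWORK"` is appended verbatim to `mynetworks` in all three case arms without any shape check, and `mynetworks` is the set Postfix trusts for relaying (and, with DISABLE_FILTERS_FOR_MYNETWORKS, the set amavis stops scanning), so a typo such as a missing prefix length or an over-broad range silently widens the trusted set. A cheap guard before the `case`, e.g. `[[ -z "$add_permit_network" || "$add_permit_network" =~ ^[0-9a-fA-F.:/\ ]+$ ]] || notify 'inf' "ADD_PERMIT_NETWORK has unexpected format: $add_permit_network"`, followed by logging the final `mynetworks` value, would make a misconfiguration visible at startup rather than in mail logs later. The two `echo $add_permit_network >> …` lines at the end of the function write the whole value on a single line; if the option is ever given more than one network, OpenDKIM's TrustedHosts and OpenDMARC's ignore.hosts expect one entry per line, so `printf '%s\n' $add_permit_network` (deliberately unquoted to split on whitespace) would be safer, or the variable should be documented as single-network only.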
@ -930,7 +966,7 @@ function _setup_security_stack() {
|
|||
|
||||
# recreate auto-generated file
|
||||
dms_amavis_file="/etc/amavis/conf.d/61-dms_auto_generated"
|
||||
echo "# WARNING: this file is auto-generated." > $dms_amavis_file
|
||||
echo "# WARNING: this file is auto-generated." > $dms_amavis_file
|
||||
echo "use strict;" >> $dms_amavis_file
|
||||
|
||||
# Spamassassin
|
||||
|
@ -954,6 +990,29 @@ function _setup_security_stack() {
|
|||
notify 'inf' "Enabling clamav"
|
||||
fi
|
||||
|
||||
# Disable filters for mynetworks
|
||||
if [ "$DISABLE_FILTERS_FOR_MYNETWORKS" = 1 ]; then
|
||||
notify 'inf' "Disabling filters for mynetworks"
|
||||
|
||||
echo "" >>$dms_amavis_file
|
||||
echo "# list of local IPs:" >>$dms_amavis_file
|
||||
echo "@mynetworks = qw( $(postconf | grep '^mynetworks =' | sed 's/mynetworks = //' | sed 's/ /\n/g' | grep "\." | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/ /g') );" >>$dms_amavis_file
|
||||
echo "" >>$dms_amavis_file
|
||||
echo "# allow all mail from local IPs:" >>$dms_amavis_file
|
||||
echo "\$policy_bank{'MYNETS'} = {" >>$dms_amavis_file
|
||||
echo " bypass_decode_parts => 1," >>$dms_amavis_file
|
||||
echo " bypass_header_checks_maps => [1]," >>$dms_amavis_file
|
||||
echo " bypass_virus_checks_maps => [1]," >>$dms_amavis_file
|
||||
echo " bypass_spam_checks_maps => [1]," >>$dms_amavis_file
|
||||
echo " bypass_banned_checks_maps => [1]," >>$dms_amavis_file
|
||||
echo " bypass_header_checks_maps => [1]," >>$dms_amavis_file
|
||||
echo " spam_lovers_maps => [1]," >>$dms_amavis_file
|
||||
echo " banned_files_lovers_maps => [1]," >>$dms_amavis_file
|
||||
echo " archive_quarantine_to_maps => []," >>$dms_amavis_file
|
||||
echo "};" >>$dms_amavis_file
|
||||
echo "" >>$dms_amavis_file
|
||||
fi
|
||||
|
||||
echo "1; # ensure a defined return" >> $dms_amavis_file
|
||||
|
||||
|
||||
|
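Review bot: `bypass_header_checks_maps => [1],` is emitted twice in the MYNETS policy bank (once right after `bypass_decode_parts` and again after `bypass_banned_checks_maps`); the duplicate key is harmless in a Perl hash but should be removed. The `@mynetworks` list is built by splitting the `postconf` output on spaces only, yet Postfix also accepts comma-separated `mynetworks` values, so a comma-joined entry would land in the `qw()` list unsplit; replacing `sed 's/ /\n/g'` with `tr ', ' '\n'` before the dot filter handles both separators. Given how much this bank turns off (virus, spam, banned-file and header checks) for every network in `mynetworks`, a comment at `# Disable filters for mynetworks` such as `# applies to every mynetworks entry, including anything added via ADD_PERMIT_NETWORK` would make the interaction between the two new options explicit.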
@ -1097,6 +1156,13 @@ function _misc_save_states() {
|
|||
chown -R postgrey /var/mail-state/lib-postgrey
|
||||
chown -R debian-spamd /var/mail-state/lib-spamassasin
|
||||
chown -R postfix /var/mail-state/spool-postfix
|
||||
chown -R postfix:postdrop /var/mail-state/spool-postfix/maildrop
|
||||
chown -R postfix:postdrop /var/mail-state/spool-postfix/public
|
||||
chown -R root:root /var/mail-state/spool-postfix/dev
|
||||
chown -R root:root /var/mail-state/spool-postfix/etc
|
||||
chown -R root:root /var/mail-state/spool-postfix/lib
|
||||
chown -R root:root /var/mail-state/spool-postfix/pid
|
||||
chown -R root:root /var/mail-state/spool-postfix/usr
|
||||
|
||||
fi
|
||||
}
|
||||
|
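Review bot: The new `chown -R postfix:postdrop` and `chown -R root:root` lines fix ownership only, while the commit message says the subdirectory permissions were not restrictive enough; no mode is set here, so whatever modes the directories had are kept. Postfix's expected spool layout has `maildrop` at 0730 and `public` at 0710 (postfix:postdrop) and the root-owned directories without group or world write, so either add matching `chmod` lines or, if the configured queue directory resolves to this path, run `postfix set-permissions` and let Postfix apply its own table. Since `chown -R postfix /var/mail-state/spool-postfix` on the line above re-owns everything recursively first, the result depends on the line order; a comment such as `# ONE_DIR: restore postfix's expected per-directory ownership after the blanket chown above` would explain why these lines must stay after it. The enclosing `if` and `_misc_save_states` begin outside the hunk.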
@ -1252,10 +1318,8 @@ notify 'taskgrp' "# $HOSTNAME is up and running"
|
|||
notify 'taskgrp' "#"
|
||||
notify 'taskgrp' ""
|
||||
|
||||
|
||||
tail -fn 0 /var/log/mail/mail.log
|
||||
|
||||
|
||||
# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
|
||||
# ! CARE --> DON'T CHANGE, unless you exactly know what you are doing
|
||||
# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
|
||||
|
|