2016-04-21 10:15:34 +00:00
|
|
|
NAME = tvial/docker-mailserver:testing
|
2015-10-18 19:02:46 +00:00
|
|
|
|
2017-12-31 11:33:48 +00:00
|
|
|
all: build-no-cache generate-accounts run generate-accounts-after-run fixtures tests clean
|
|
|
|
all-fast: build generate-accounts run generate-accounts-after-run fixtures tests clean
|
|
|
|
no-build: generate-accounts run generate-accounts-after-run fixtures tests clean
|
2016-04-13 19:43:25 +00:00
|
|
|
|
|
|
|
build-no-cache:
|
2016-10-30 13:11:36 +00:00
|
|
|
cd test/docker-openldap/ && docker build -f Dockerfile -t ldap --no-cache .
|
2016-04-15 13:54:07 +00:00
|
|
|
docker build --no-cache -t $(NAME) .
|
2015-10-18 19:02:46 +00:00
|
|
|
|
|
|
|
build:
|
2016-10-30 13:11:36 +00:00
|
|
|
cd test/docker-openldap/ && docker build -f Dockerfile -t ldap .
|
2016-04-15 13:54:23 +00:00
|
|
|
docker build -t $(NAME) .
|
2015-10-18 19:02:46 +00:00
|
|
|
|
2016-04-25 14:00:39 +00:00
|
|
|
generate-accounts:
|
2016-06-14 11:00:51 +00:00
|
|
|
docker run --rm -e MAIL_USER=user1@localhost.localdomain -e MAIL_PASS=mypassword -t $(NAME) /bin/sh -c 'echo "$$MAIL_USER|$$(doveadm pw -s SHA512-CRYPT -u $$MAIL_USER -p $$MAIL_PASS)"' > test/config/postfix-accounts.cf
|
|
|
|
docker run --rm -e MAIL_USER=user2@otherdomain.tld -e MAIL_PASS=mypassword -t $(NAME) /bin/sh -c 'echo "$$MAIL_USER|$$(doveadm pw -s SHA512-CRYPT -u $$MAIL_USER -p $$MAIL_PASS)"' >> test/config/postfix-accounts.cf
|
2016-08-21 20:13:13 +00:00
|
|
|
|
2015-10-18 19:02:46 +00:00
|
|
|
run:
|
2016-01-23 22:51:09 +00:00
|
|
|
# Run containers
|
2016-02-18 21:11:24 +00:00
|
|
|
docker run -d --name mail \
|
2016-04-11 22:04:33 +00:00
|
|
|
-v "`pwd`/test/config":/tmp/docker-mailserver \
|
2016-04-20 23:08:14 +00:00
|
|
|
-v "`pwd`/test":/tmp/docker-mailserver-test \
|
2016-05-24 06:21:18 +00:00
|
|
|
-v "`pwd`/test/onedir":/var/mail-state \
|
2016-12-25 21:54:37 +00:00
|
|
|
-e ENABLE_CLAMAV=1 \
|
|
|
|
-e ENABLE_SPAMASSASSIN=1 \
|
2017-04-18 12:18:42 +00:00
|
|
|
-e SA_TAG=-5.0 \
|
2016-02-18 21:11:24 +00:00
|
|
|
-e SA_TAG2=2.0 \
|
|
|
|
-e SA_KILL=3.0 \
|
2017-06-23 19:50:01 +00:00
|
|
|
-e SA_SPAM_SUBJECT="SPAM: " \
|
2016-10-08 17:02:47 +00:00
|
|
|
-e VIRUSMAILS_DELETE_DELAY=7 \
|
2016-07-23 17:54:10 +00:00
|
|
|
-e SASL_PASSWD="external-domain.com username:password" \
|
2016-04-29 15:09:48 +00:00
|
|
|
-e ENABLE_MANAGESIEVE=1 \
|
2017-10-10 06:15:18 +00:00
|
|
|
--cap-add=SYS_PTRACE \
|
2016-12-23 22:56:39 +00:00
|
|
|
-e PERMIT_DOCKER=host \
|
|
|
|
-e DMS_DEBUG=0 \
|
2016-02-18 21:11:24 +00:00
|
|
|
-h mail.my-domain.com -t $(NAME)
|
2016-12-25 21:54:37 +00:00
|
|
|
sleep 15
|
2017-12-31 11:33:48 +00:00
|
|
|
docker run -d --name mail_privacy \
|
|
|
|
-v "`pwd`/test/config":/tmp/docker-mailserver \
|
|
|
|
-v "`pwd`/test":/tmp/docker-mailserver-test \
|
|
|
|
-e ENABLE_CLAMAV=1 \
|
|
|
|
-e ENABLE_SPAMASSASSIN=1 \
|
|
|
|
-e SA_TAG=-5.0 \
|
|
|
|
-e SA_TAG2=2.0 \
|
|
|
|
-e SA_KILL=3.0 \
|
|
|
|
-e SA_SPAM_SUBJECT="SPAM: " \
|
|
|
|
-e VIRUSMAILS_DELETE_DELAY=7 \
|
|
|
|
-e SASL_PASSWD="external-domain.com username:password" \
|
|
|
|
-e ENABLE_MANAGESIEVE=1 \
|
|
|
|
--cap-add=SYS_PTRACE \
|
|
|
|
-e PERMIT_DOCKER=host \
|
|
|
|
-e DMS_DEBUG=0 \
|
|
|
|
-h mail.my-domain.com -t $(NAME)
|
|
|
|
sleep 15
|
2016-02-18 21:11:24 +00:00
|
|
|
docker run -d --name mail_pop3 \
|
2016-04-11 22:04:33 +00:00
|
|
|
-v "`pwd`/test/config":/tmp/docker-mailserver \
|
2016-04-20 23:08:14 +00:00
|
|
|
-v "`pwd`/test":/tmp/docker-mailserver-test \
|
2016-04-26 17:39:08 +00:00
|
|
|
-v "`pwd`/test/config/letsencrypt":/etc/letsencrypt/live \
|
2016-02-18 21:11:24 +00:00
|
|
|
-e ENABLE_POP3=1 \
|
2017-08-07 15:39:40 +00:00
|
|
|
-e DMS_DEBUG=0 \
|
2016-04-26 17:39:08 +00:00
|
|
|
-e SSL_TYPE=letsencrypt \
|
2016-02-18 21:11:24 +00:00
|
|
|
-h mail.my-domain.com -t $(NAME)
|
2016-12-25 21:54:37 +00:00
|
|
|
sleep 15
|
2016-02-29 22:52:10 +00:00
|
|
|
docker run -d --name mail_smtponly \
|
2016-04-11 22:04:33 +00:00
|
|
|
-v "`pwd`/test/config":/tmp/docker-mailserver \
|
2016-04-20 23:08:14 +00:00
|
|
|
-v "`pwd`/test":/tmp/docker-mailserver-test \
|
2016-02-29 22:52:10 +00:00
|
|
|
-e SMTP_ONLY=1 \
|
2017-01-20 22:30:29 +00:00
|
|
|
-e PERMIT_DOCKER=network \
|
2017-08-07 15:39:40 +00:00
|
|
|
-e DMS_DEBUG=0 \
|
2017-01-20 22:30:29 +00:00
|
|
|
-e OVERRIDE_HOSTNAME=mail.my-domain.com \
|
|
|
|
-t $(NAME)
|
2016-12-25 21:54:37 +00:00
|
|
|
sleep 15
|
2017-06-07 13:35:42 +00:00
|
|
|
docker run -d --name mail_smtponly_without_config \
|
|
|
|
-e SMTP_ONLY=1 \
|
|
|
|
-e ENABLE_LDAP=1 \
|
|
|
|
-e PERMIT_DOCKER=network \
|
|
|
|
-e OVERRIDE_HOSTNAME=mail.mydomain.com \
|
|
|
|
-t $(NAME)
|
|
|
|
sleep 15
|
2017-02-13 10:07:30 +00:00
|
|
|
docker run -d --name mail_override_hostname \
|
|
|
|
-v "`pwd`/test/config":/tmp/docker-mailserver \
|
|
|
|
-v "`pwd`/test":/tmp/docker-mailserver-test \
|
|
|
|
-e PERMIT_DOCKER=network \
|
2017-08-07 15:39:40 +00:00
|
|
|
-e DMS_DEBUG=0 \
|
2017-02-13 10:07:30 +00:00
|
|
|
-e OVERRIDE_HOSTNAME=mail.my-domain.com \
|
2017-04-27 15:59:28 +00:00
|
|
|
-h mail.my-domain.com \
|
2017-02-13 10:07:30 +00:00
|
|
|
-t $(NAME)
|
|
|
|
sleep 15
|
2016-03-31 10:33:47 +00:00
|
|
|
docker run -d --name mail_fail2ban \
|
2016-04-11 22:04:33 +00:00
|
|
|
-v "`pwd`/test/config":/tmp/docker-mailserver \
|
2016-04-20 23:08:14 +00:00
|
|
|
-v "`pwd`/test":/tmp/docker-mailserver-test \
|
2016-03-31 10:33:47 +00:00
|
|
|
-e ENABLE_FAIL2BAN=1 \
|
Introducing Postscreen (#799)
* Introduced Postscreen
cheaper, earlier and simpler blocking of zombies/spambots.
From http://postfix.cs.utah.edu/POSTSCREEN_README.html :
As a first layer, postscreen(8) blocks connections from zombies and other spambots that are responsible for about 90% of all spam. It is implemented as a single process to make this defense as cheap as possible.
Things we need to consider:
- Do we need a whitelist/backlist file? (http://postfix.cs.utah.edu/postconf.5.html#postscreen_access_list)
- Via introducing an optional config/postfix-access.cidr
- The only permanent whitelisting I could imagine are monitoring services(which might (still?) behave weird/hastely) or blacklisting backup servers(since no traffic should be coming from them anyway)
- Do we need deep inspections? They are desireable, but these tests are expensive: a good client must disconnect after it passes the test, before it can talk to a real Postfix SMTP server. Considered tests are:
- postscreen_bare_newline_enable (http://postfix.cs.utah.edu/postconf.5.html#postscreen_bare_newline_action)
- postscreen_non_smtp_command_enable (http://postfix.cs.utah.edu/postconf.5.html#postscreen_non_smtp_command_action)
- postscreen_pipelining_enable (http://postfix.cs.utah.edu/postconf.5.html#postscreen_pipelining_action)
- Do we need to make the blacklisting via dnsblocking configurable? It's currently set and weighted as follows, where a score of 3 results in blocking, a score of -1 results in whitelisting:
(*: adds the specified weight to the SMTP client's DNSBL score. Specify a negative number for whitelisting.)
(http://postfix.cs.utah.edu/postconf.5.html#postscreen_dnsbl_sites)
- zen.spamhaus.org*3
- bl.mailspike.net
- b.barracudacentral.org*2
- bl.spameatingmonkey.net
- bl.spamcop.net
- dnsbl.sorbs.net
- psbl.surriel.com
- list.dnswl.org=127.0.[0..255].0*-2
- list.dnswl.org=127.0.[0..255].1*-3
- list.dnswl.org=127.0.[0..255].[2..3]*-4
- What to do when blacklisting? I currently set it to drop. We could
- ignore: Ignore the failure of this test. Allow other tests to complete. Repeat this test the next time the client connects. This option is useful for testing and collecting statistics without blocking mail.
- enforce: Allow other tests to complete. Reject attempts to deliver mail with a 550 SMTP reply, and log the helo/sender/recipient information. Repeat this test the next time the client connects.
- drop: Drop the connection immediately with a 521 SMTP reply. Repeat this test the next time the client connects.
In the end I think we could drop postgrey support. Postscreen replaces postgrey in its entirety, while being more selective and not delaying mail. Especially if we consider using the deep inspection options of postscreen.
Hope that wasn't too much to read! ;)
* main.cf got misformatted..
Don't know how, should be ok now.
* fixed malformatted main.cf & repaired master.cf
* reenabled rbl stuff.. It's cached, therefore doesn't hurt
* fixed tests
* added tests, repaired tests, added info, introduced new Variable POSTSCREEN_ACTION, fixes
2018-02-04 20:31:08 +00:00
|
|
|
-e POSTSCREEN_ACTION=ignore \
|
2016-04-23 10:09:28 +00:00
|
|
|
--cap-add=NET_ADMIN \
|
2016-03-31 10:33:47 +00:00
|
|
|
-h mail.my-domain.com -t $(NAME)
|
2016-12-25 21:54:37 +00:00
|
|
|
sleep 15
|
2016-08-21 20:13:13 +00:00
|
|
|
docker run -d --name mail_fetchmail \
|
|
|
|
-v "`pwd`/test/config":/tmp/docker-mailserver \
|
|
|
|
-v "`pwd`/test":/tmp/docker-mailserver-test \
|
|
|
|
-e ENABLE_FETCHMAIL=1 \
|
|
|
|
--cap-add=NET_ADMIN \
|
2017-08-07 15:39:40 +00:00
|
|
|
-e DMS_DEBUG=0 \
|
2016-08-21 20:13:13 +00:00
|
|
|
-h mail.my-domain.com -t $(NAME)
|
2016-12-25 21:54:37 +00:00
|
|
|
sleep 15
|
|
|
|
docker run -d --name mail_disabled_clamav_spamassassin \
|
2016-08-04 19:04:26 +00:00
|
|
|
-v "`pwd`/test/config":/tmp/docker-mailserver \
|
|
|
|
-v "`pwd`/test":/tmp/docker-mailserver-test \
|
2016-12-25 21:54:37 +00:00
|
|
|
-e ENABLE_CLAMAV=0 \
|
|
|
|
-e ENABLE_SPAMASSASSIN=0 \
|
2017-08-07 15:39:40 +00:00
|
|
|
-e DMS_DEBUG=0 \
|
2016-08-04 19:04:26 +00:00
|
|
|
-h mail.my-domain.com -t $(NAME)
|
2016-12-25 21:54:37 +00:00
|
|
|
sleep 15
|
2016-08-31 13:15:39 +00:00
|
|
|
docker run -d --name mail_manual_ssl \
|
|
|
|
-v "`pwd`/test/config":/tmp/docker-mailserver \
|
|
|
|
-v "`pwd`/test":/tmp/docker-mailserver-test \
|
|
|
|
-e SSL_TYPE=manual \
|
|
|
|
-e SSL_CERT_PATH=/tmp/docker-mailserver/letsencrypt/mail.my-domain.com/fullchain.pem \
|
|
|
|
-e SSL_KEY_PATH=/tmp/docker-mailserver/letsencrypt/mail.my-domain.com/privkey.pem \
|
2017-08-07 15:39:40 +00:00
|
|
|
-e DMS_DEBUG=0 \
|
2016-08-31 13:15:39 +00:00
|
|
|
-h mail.my-domain.com -t $(NAME)
|
2016-12-25 21:54:37 +00:00
|
|
|
sleep 15
|
2016-10-30 13:11:36 +00:00
|
|
|
docker run -d --name ldap_for_mail \
|
|
|
|
-e LDAP_DOMAIN="localhost.localdomain" \
|
2017-01-09 22:49:46 +00:00
|
|
|
-h ldap.my-domain.com -t ldap
|
2016-12-25 21:54:37 +00:00
|
|
|
sleep 15
|
2016-10-30 13:11:36 +00:00
|
|
|
docker run -d --name mail_with_ldap \
|
|
|
|
-v "`pwd`/test/config":/tmp/docker-mailserver \
|
|
|
|
-v "`pwd`/test":/tmp/docker-mailserver-test \
|
|
|
|
-e ENABLE_LDAP=1 \
|
|
|
|
-e LDAP_SERVER_HOST=ldap \
|
2018-01-25 21:38:41 +00:00
|
|
|
-e LDAP_START_TLS=no \
|
2016-10-30 13:11:36 +00:00
|
|
|
-e LDAP_SEARCH_BASE=ou=people,dc=localhost,dc=localdomain \
|
|
|
|
-e LDAP_BIND_DN=cn=admin,dc=localhost,dc=localdomain \
|
2017-07-03 11:16:16 +00:00
|
|
|
-e LDAP_BIND_PW=admin \
|
|
|
|
-e LDAP_QUERY_FILTER_USER="(&(mail=%s)(mailEnabled=TRUE))" \
|
|
|
|
-e LDAP_QUERY_FILTER_GROUP="(&(mailGroupMember=%s)(mailEnabled=TRUE))" \
|
|
|
|
-e LDAP_QUERY_FILTER_ALIAS="(&(mailAlias=%s)(mailEnabled=TRUE))" \
|
2017-08-19 08:32:00 +00:00
|
|
|
-e LDAP_QUERY_FILTER_DOMAIN="(&(|(mail=*@%s)(mailalias=*@%s)(mailGroupMember=*@%s))(mailEnabled=TRUE))" \
|
2018-01-25 21:38:41 +00:00
|
|
|
-e DOVECOT_TLS=no \
|
2017-07-03 11:16:16 +00:00
|
|
|
-e DOVECOT_PASS_FILTER="(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))" \
|
|
|
|
-e DOVECOT_USER_FILTER="(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))" \
|
2016-10-30 13:11:36 +00:00
|
|
|
-e ENABLE_SASLAUTHD=1 \
|
|
|
|
-e SASLAUTHD_MECHANISMS=ldap \
|
|
|
|
-e SASLAUTHD_LDAP_SERVER=ldap \
|
|
|
|
-e SASLAUTHD_LDAP_BIND_DN=cn=admin,dc=localhost,dc=localdomain \
|
|
|
|
-e SASLAUTHD_LDAP_PASSWORD=admin \
|
|
|
|
-e SASLAUTHD_LDAP_SEARCH_BASE=ou=people,dc=localhost,dc=localdomain \
|
|
|
|
-e POSTMASTER_ADDRESS=postmaster@localhost.localdomain \
|
2017-08-07 15:39:40 +00:00
|
|
|
-e DMS_DEBUG=0 \
|
2016-10-30 13:11:36 +00:00
|
|
|
--link ldap_for_mail:ldap \
|
|
|
|
-h mail.my-domain.com -t $(NAME)
|
2017-01-03 09:55:03 +00:00
|
|
|
sleep 15
|
|
|
|
docker run -d --name mail_with_imap \
|
|
|
|
-v "`pwd`/test/config":/tmp/docker-mailserver \
|
|
|
|
-v "`pwd`/test":/tmp/docker-mailserver-test \
|
|
|
|
-e ENABLE_SASLAUTHD=1 \
|
|
|
|
-e SASLAUTHD_MECHANISMS=rimap \
|
|
|
|
-e SASLAUTHD_MECH_OPTIONS=127.0.0.1 \
|
|
|
|
-e POSTMASTER_ADDRESS=postmaster@localhost.localdomain \
|
2017-08-07 15:39:40 +00:00
|
|
|
-e DMS_DEBUG=0 \
|
2017-01-03 09:55:03 +00:00
|
|
|
-h mail.my-domain.com -t $(NAME)
|
2016-12-25 21:54:37 +00:00
|
|
|
sleep 15
|
Introducing Postscreen (#799)
* Introduced Postscreen
cheaper, earlier and simpler blocking of zombies/spambots.
From http://postfix.cs.utah.edu/POSTSCREEN_README.html :
As a first layer, postscreen(8) blocks connections from zombies and other spambots that are responsible for about 90% of all spam. It is implemented as a single process to make this defense as cheap as possible.
Things we need to consider:
- Do we need a whitelist/backlist file? (http://postfix.cs.utah.edu/postconf.5.html#postscreen_access_list)
- Via introducing an optional config/postfix-access.cidr
- The only permanent whitelisting I could imagine are monitoring services(which might (still?) behave weird/hastely) or blacklisting backup servers(since no traffic should be coming from them anyway)
- Do we need deep inspections? They are desireable, but these tests are expensive: a good client must disconnect after it passes the test, before it can talk to a real Postfix SMTP server. Considered tests are:
- postscreen_bare_newline_enable (http://postfix.cs.utah.edu/postconf.5.html#postscreen_bare_newline_action)
- postscreen_non_smtp_command_enable (http://postfix.cs.utah.edu/postconf.5.html#postscreen_non_smtp_command_action)
- postscreen_pipelining_enable (http://postfix.cs.utah.edu/postconf.5.html#postscreen_pipelining_action)
- Do we need to make the blacklisting via dnsblocking configurable? It's currently set and weighted as follows, where a score of 3 results in blocking, a score of -1 results in whitelisting:
(*: adds the specified weight to the SMTP client's DNSBL score. Specify a negative number for whitelisting.)
(http://postfix.cs.utah.edu/postconf.5.html#postscreen_dnsbl_sites)
- zen.spamhaus.org*3
- bl.mailspike.net
- b.barracudacentral.org*2
- bl.spameatingmonkey.net
- bl.spamcop.net
- dnsbl.sorbs.net
- psbl.surriel.com
- list.dnswl.org=127.0.[0..255].0*-2
- list.dnswl.org=127.0.[0..255].1*-3
- list.dnswl.org=127.0.[0..255].[2..3]*-4
- What to do when blacklisting? I currently set it to drop. We could
- ignore: Ignore the failure of this test. Allow other tests to complete. Repeat this test the next time the client connects. This option is useful for testing and collecting statistics without blocking mail.
- enforce: Allow other tests to complete. Reject attempts to deliver mail with a 550 SMTP reply, and log the helo/sender/recipient information. Repeat this test the next time the client connects.
- drop: Drop the connection immediately with a 521 SMTP reply. Repeat this test the next time the client connects.
In the end I think we could drop postgrey support. Postscreen replaces postgrey in its entirety, while being more selective and not delaying mail. Especially if we consider using the deep inspection options of postscreen.
Hope that wasn't too much to read! ;)
* main.cf got misformatted..
Don't know how, should be ok now.
* fixed malformatted main.cf & repaired master.cf
* reenabled rbl stuff.. It's cached, therefore doesn't hurt
* fixed tests
* added tests, repaired tests, added info, introduced new Variable POSTSCREEN_ACTION, fixes
2018-02-04 20:31:08 +00:00
|
|
|
docker run -d --name mail_postscreen \
|
|
|
|
-v "`pwd`/test/config":/tmp/docker-mailserver \
|
|
|
|
-v "`pwd`/test":/tmp/docker-mailserver-test \
|
|
|
|
-e POSTSCREEN_ACTION=enforce \
|
|
|
|
--cap-add=NET_ADMIN \
|
|
|
|
-h mail.my-domain.com -t $(NAME)
|
|
|
|
sleep 15
|
2017-01-09 22:52:36 +00:00
|
|
|
docker run -d --name mail_lmtp_ip \
|
|
|
|
-v "`pwd`/test/config":/tmp/docker-mailserver \
|
|
|
|
-v "`pwd`/test/config/dovecot-lmtp":/etc/dovecot \
|
|
|
|
-v "`pwd`/test":/tmp/docker-mailserver-test \
|
|
|
|
-e ENABLE_POSTFIX_VIRTUAL_TRANSPORT=1 \
|
|
|
|
-e POSTFIX_DAGENT=lmtp:127.0.0.1:24 \
|
2017-08-07 15:39:40 +00:00
|
|
|
-e DMS_DEBUG=0 \
|
2017-01-09 22:52:36 +00:00
|
|
|
-h mail.my-domain.com -t $(NAME)
|
2017-01-25 13:10:40 +00:00
|
|
|
sleep 30
|
2017-02-06 09:21:18 +00:00
|
|
|
docker run -d --name mail_with_postgrey \
|
|
|
|
-v "`pwd`/test/config":/tmp/docker-mailserver \
|
|
|
|
-v "`pwd`/test":/tmp/docker-mailserver-test \
|
|
|
|
-e ENABLE_POSTGREY=1 \
|
|
|
|
-e POSTGREY_DELAY=15 \
|
|
|
|
-e POSTGREY_MAX_AGE=35 \
|
|
|
|
-e POSTGREY_TEXT="Delayed by postgrey" \
|
2017-08-07 15:39:40 +00:00
|
|
|
-e DMS_DEBUG=0 \
|
2017-02-06 09:21:18 +00:00
|
|
|
-h mail.my-domain.com -t $(NAME)
|
|
|
|
sleep 20
|
2018-03-02 21:38:57 +00:00
|
|
|
docker run -d --name mail_undef_spam_subject \
|
|
|
|
-v "`pwd`/test/config":/tmp/docker-mailserver \
|
|
|
|
-v "`pwd`/test":/tmp/docker-mailserver-test \
|
|
|
|
-e ENABLE_SPAMASSASSIN=1 \
|
|
|
|
-e SA_SPAM_SUBJECT="undef" \
|
|
|
|
-h mail.my-domain.com -t $(NAME)
|
|
|
|
sleep 15
|
2017-02-06 09:21:18 +00:00
|
|
|
|
Introducing Postscreen (#799)
* Introduced Postscreen
cheaper, earlier and simpler blocking of zombies/spambots.
From http://postfix.cs.utah.edu/POSTSCREEN_README.html :
As a first layer, postscreen(8) blocks connections from zombies and other spambots that are responsible for about 90% of all spam. It is implemented as a single process to make this defense as cheap as possible.
Things we need to consider:
- Do we need a whitelist/backlist file? (http://postfix.cs.utah.edu/postconf.5.html#postscreen_access_list)
- Via introducing an optional config/postfix-access.cidr
- The only permanent whitelisting I could imagine are monitoring services(which might (still?) behave weird/hastely) or blacklisting backup servers(since no traffic should be coming from them anyway)
- Do we need deep inspections? They are desireable, but these tests are expensive: a good client must disconnect after it passes the test, before it can talk to a real Postfix SMTP server. Considered tests are:
- postscreen_bare_newline_enable (http://postfix.cs.utah.edu/postconf.5.html#postscreen_bare_newline_action)
- postscreen_non_smtp_command_enable (http://postfix.cs.utah.edu/postconf.5.html#postscreen_non_smtp_command_action)
- postscreen_pipelining_enable (http://postfix.cs.utah.edu/postconf.5.html#postscreen_pipelining_action)
- Do we need to make the blacklisting via dnsblocking configurable? It's currently set and weighted as follows, where a score of 3 results in blocking, a score of -1 results in whitelisting:
(*: adds the specified weight to the SMTP client's DNSBL score. Specify a negative number for whitelisting.)
(http://postfix.cs.utah.edu/postconf.5.html#postscreen_dnsbl_sites)
- zen.spamhaus.org*3
- bl.mailspike.net
- b.barracudacentral.org*2
- bl.spameatingmonkey.net
- bl.spamcop.net
- dnsbl.sorbs.net
- psbl.surriel.com
- list.dnswl.org=127.0.[0..255].0*-2
- list.dnswl.org=127.0.[0..255].1*-3
- list.dnswl.org=127.0.[0..255].[2..3]*-4
- What to do when blacklisting? I currently set it to drop. We could
- ignore: Ignore the failure of this test. Allow other tests to complete. Repeat this test the next time the client connects. This option is useful for testing and collecting statistics without blocking mail.
- enforce: Allow other tests to complete. Reject attempts to deliver mail with a 550 SMTP reply, and log the helo/sender/recipient information. Repeat this test the next time the client connects.
- drop: Drop the connection immediately with a 521 SMTP reply. Repeat this test the next time the client connects.
In the end I think we could drop postgrey support. Postscreen replaces postgrey in its entirety, while being more selective and not delaying mail. Especially if we consider using the deep inspection options of postscreen.
Hope that wasn't too much to read! ;)
* main.cf got misformatted..
Don't know how, should be ok now.
* fixed malformatted main.cf & repaired master.cf
* reenabled rbl stuff.. It's cached, therefore doesn't hurt
* fixed tests
* added tests, repaired tests, added info, introduced new Variable POSTSCREEN_ACTION, fixes
2018-02-04 20:31:08 +00:00
|
|
|
|
2017-10-10 06:15:18 +00:00
|
|
|
generate-accounts-after-run:
|
|
|
|
docker run --rm -e MAIL_USER=added@localhost.localdomain -e MAIL_PASS=mypassword -t $(NAME) /bin/sh -c 'echo "$$MAIL_USER|$$(doveadm pw -s SHA512-CRYPT -u $$MAIL_USER -p $$MAIL_PASS)"' >> test/config/postfix-accounts.cf
|
|
|
|
sleep 10
|
2017-12-31 11:33:48 +00:00
|
|
|
|
2015-10-18 19:02:46 +00:00
|
|
|
fixtures:
|
2016-09-12 15:49:46 +00:00
|
|
|
cp config/postfix-accounts.cf config/postfix-accounts.cf.bak
|
2016-04-28 06:57:50 +00:00
|
|
|
# Setup sieve & create filtering folder (INBOX/spam)
|
|
|
|
docker cp "`pwd`/test/config/sieve/dovecot.sieve" mail:/var/mail/localhost.localdomain/user1/.dovecot.sieve
|
|
|
|
docker exec mail /bin/sh -c "maildirmake.dovecot /var/mail/localhost.localdomain/user1/.INBOX.spam"
|
|
|
|
docker exec mail /bin/sh -c "chown 5000:5000 -R /var/mail/localhost.localdomain/user1/.INBOX.spam"
|
2017-10-18 05:43:30 +00:00
|
|
|
sleep 30
|
2015-10-18 20:08:21 +00:00
|
|
|
# Sending test mails
|
2016-04-20 23:08:14 +00:00
|
|
|
docker exec mail /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/amavis-spam.txt"
|
|
|
|
docker exec mail /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/amavis-virus.txt"
|
|
|
|
docker exec mail /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/existing-alias-external.txt"
|
|
|
|
docker exec mail /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/existing-alias-local.txt"
|
2017-03-03 17:27:22 +00:00
|
|
|
docker exec mail /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/existing-alias-recipient-delimiter.txt"
|
2017-04-18 12:18:42 +00:00
|
|
|
docker exec mail /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/existing-user1.txt"
|
|
|
|
docker exec mail /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/existing-user2.txt"
|
2017-10-10 06:15:18 +00:00
|
|
|
docker exec mail /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/existing-added.txt"
|
2016-07-23 19:01:01 +00:00
|
|
|
docker exec mail /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/existing-user-and-cc-local-alias.txt"
|
2016-05-24 04:43:08 +00:00
|
|
|
docker exec mail /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/existing-regexp-alias-external.txt"
|
|
|
|
docker exec mail /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/existing-regexp-alias-local.txt"
|
2016-07-23 21:42:18 +00:00
|
|
|
docker exec mail /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/existing-catchall-local.txt"
|
2016-04-28 06:57:50 +00:00
|
|
|
docker exec mail /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/sieve-spam-folder.txt"
|
2017-05-10 07:54:02 +00:00
|
|
|
docker exec mail /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/sieve-pipe.txt"
|
2016-04-20 23:08:14 +00:00
|
|
|
docker exec mail /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/non-existing-user.txt"
|
2017-04-18 12:18:42 +00:00
|
|
|
docker exec mail_disabled_clamav_spamassassin /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/existing-user1.txt"
|
2017-01-09 22:52:36 +00:00
|
|
|
# postfix virtual transport lmtp
|
2017-04-18 12:18:42 +00:00
|
|
|
docker exec mail_lmtp_ip /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/existing-user1.txt"
|
2017-12-31 11:33:48 +00:00
|
|
|
docker exec mail_privacy /bin/sh -c "openssl s_client -quiet -starttls smtp -connect 0.0.0.0:587 < /tmp/docker-mailserver-test/email-templates/send-privacy-email.txt"
|
2017-04-18 12:18:42 +00:00
|
|
|
docker exec mail_override_hostname /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/existing-user1.txt"
|
2015-10-19 13:41:51 +00:00
|
|
|
# Wait for mails to be analyzed
|
2017-10-18 05:43:30 +00:00
|
|
|
sleep 80
|
2015-10-18 19:02:46 +00:00
|
|
|
|
|
|
|
tests:
|
|
|
|
# Start tests
|
2017-01-10 13:15:41 +00:00
|
|
|
./test/bats/bin/bats test/tests.bats
|
2016-01-22 17:47:43 +00:00
|
|
|
|
|
|
|
clean:
|
2016-02-04 07:51:07 +00:00
|
|
|
# Remove running test containers
|
2016-09-12 15:49:46 +00:00
|
|
|
-docker rm -f \
|
|
|
|
mail \
|
2017-12-31 11:33:48 +00:00
|
|
|
mail_privacy \
|
2016-09-12 15:49:46 +00:00
|
|
|
mail_pop3 \
|
|
|
|
mail_smtponly \
|
2017-06-07 13:35:42 +00:00
|
|
|
mail_smtponly_without_config \
|
2016-09-12 15:49:46 +00:00
|
|
|
mail_fail2ban \
|
|
|
|
mail_fetchmail \
|
|
|
|
fail-auth-mailer \
|
2016-12-25 21:54:37 +00:00
|
|
|
mail_disabled_clamav_spamassassin \
|
2016-10-30 13:11:36 +00:00
|
|
|
mail_manual_ssl \
|
|
|
|
ldap_for_mail \
|
2017-01-03 09:55:03 +00:00
|
|
|
mail_with_ldap \
|
2017-01-09 22:52:36 +00:00
|
|
|
mail_with_imap \
|
2017-02-06 09:21:18 +00:00
|
|
|
mail_lmtp_ip \
|
2017-02-13 10:07:30 +00:00
|
|
|
mail_with_postgrey \
|
2018-03-02 21:38:57 +00:00
|
|
|
mail_undef_spam_subject \
|
Introducing Postscreen (#799)
* Introduced Postscreen
cheaper, earlier and simpler blocking of zombies/spambots.
From http://postfix.cs.utah.edu/POSTSCREEN_README.html :
As a first layer, postscreen(8) blocks connections from zombies and other spambots that are responsible for about 90% of all spam. It is implemented as a single process to make this defense as cheap as possible.
Things we need to consider:
- Do we need a whitelist/backlist file? (http://postfix.cs.utah.edu/postconf.5.html#postscreen_access_list)
- Via introducing an optional config/postfix-access.cidr
- The only permanent whitelisting I could imagine are monitoring services(which might (still?) behave weird/hastely) or blacklisting backup servers(since no traffic should be coming from them anyway)
- Do we need deep inspections? They are desireable, but these tests are expensive: a good client must disconnect after it passes the test, before it can talk to a real Postfix SMTP server. Considered tests are:
- postscreen_bare_newline_enable (http://postfix.cs.utah.edu/postconf.5.html#postscreen_bare_newline_action)
- postscreen_non_smtp_command_enable (http://postfix.cs.utah.edu/postconf.5.html#postscreen_non_smtp_command_action)
- postscreen_pipelining_enable (http://postfix.cs.utah.edu/postconf.5.html#postscreen_pipelining_action)
- Do we need to make the blacklisting via dnsblocking configurable? It's currently set and weighted as follows, where a score of 3 results in blocking, a score of -1 results in whitelisting:
(*: adds the specified weight to the SMTP client's DNSBL score. Specify a negative number for whitelisting.)
(http://postfix.cs.utah.edu/postconf.5.html#postscreen_dnsbl_sites)
- zen.spamhaus.org*3
- bl.mailspike.net
- b.barracudacentral.org*2
- bl.spameatingmonkey.net
- bl.spamcop.net
- dnsbl.sorbs.net
- psbl.surriel.com
- list.dnswl.org=127.0.[0..255].0*-2
- list.dnswl.org=127.0.[0..255].1*-3
- list.dnswl.org=127.0.[0..255].[2..3]*-4
- What to do when blacklisting? I currently set it to drop. We could
- ignore: Ignore the failure of this test. Allow other tests to complete. Repeat this test the next time the client connects. This option is useful for testing and collecting statistics without blocking mail.
- enforce: Allow other tests to complete. Reject attempts to deliver mail with a 550 SMTP reply, and log the helo/sender/recipient information. Repeat this test the next time the client connects.
- drop: Drop the connection immediately with a 521 SMTP reply. Repeat this test the next time the client connects.
In the end I think we could drop postgrey support. Postscreen replaces postgrey in its entirety, while being more selective and not delaying mail. Especially if we consider using the deep inspection options of postscreen.
Hope that wasn't too much to read! ;)
* main.cf got misformatted..
Don't know how, should be ok now.
* fixed malformatted main.cf & repaired master.cf
* reenabled rbl stuff.. It's cached, therefore doesn't hurt
* fixed tests
* added tests, repaired tests, added info, introduced new Variable POSTSCREEN_ACTION, fixes
2018-02-04 20:31:08 +00:00
|
|
|
mail_postscreen \
|
2017-02-13 10:07:30 +00:00
|
|
|
mail_override_hostname
|
2016-10-30 13:11:36 +00:00
|
|
|
|
2016-09-12 15:49:46 +00:00
|
|
|
@if [ -f config/postfix-accounts.cf.bak ]; then\
|
|
|
|
rm -f config/postfix-accounts.cf ;\
|
|
|
|
mv config/postfix-accounts.cf.bak config/postfix-accounts.cf ;\
|
|
|
|
fi
|
2016-09-30 21:37:09 +00:00
|
|
|
-sudo rm -rf test/onedir \
|
2016-09-12 15:49:46 +00:00
|
|
|
test/config/empty \
|
|
|
|
test/config/without-accounts \
|
2017-08-12 16:09:11 +00:00
|
|
|
test/config/without-virtual \
|
2017-12-31 11:33:48 +00:00
|
|
|
test/config/with-domain \
|
2018-02-18 12:29:43 +00:00
|
|
|
test/config/dovecot-lmtp/userdb \
|
|
|
|
test/config/postfix-*-access.cf*
|
|
|
|
|