From 0322d890cd3f66be2c2826a7032d1a173cebbebf Mon Sep 17 00:00:00 2001
From: Thomas VIAL
Date: Fri, 22 Apr 2016 17:51:14 +0200
Subject: [PATCH] Fixed i#152 Fail2ban config and tests

---
 Dockerfile | 2 +-
 README.md | 6 +++---
 target/fail2ban/jail.conf | 2 +-
 test/tests.bats | 10 ++++++++--
 4 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index ad84b0af..87ee0f2b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -7,7 +7,7 @@ RUN apt-get -y upgrade
 RUN DEBIAN_FRONTEND=noninteractive apt-get -y install --no-install-recommends \
 postfix dovecot-core dovecot-imapd dovecot-pop3d gamin amavisd-new spamassassin razor pyzor \
 clamav clamav-daemon libnet-dns-perl libmail-spf-perl bzip2 file gzip p7zip unzip zip rsyslog \
- opendkim opendkim-tools opendmarc curl fail2ban && apt-get autoclean && rm -rf /var/lib/apt/lists/*
+ opendkim opendkim-tools opendmarc curl fail2ban ed && apt-get autoclean && rm -rf /var/lib/apt/lists/*
 
 # Configures Dovecot
 RUN sed -i -e 's/include_try \/usr\/share\/dovecot\/protocols\.d/include_try \/etc\/dovecot\/protocols\.d/g' /etc/dovecot/dovecot.conf
diff --git a/README.md b/README.md
index 22a1e299..5a186976 100644
--- a/README.md
+++ b/README.md
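Review bot: The `ed` package added to the apt-get install line in the Dockerfile hunk is not explained anywhere, and nothing else on that line hints at why a line editor joins the mail stack. Presumably it is pulled in for the `hostsdeny` ban action this commit selects in target/fail2ban/jail.conf, whose unban step rewrites /etc/hosts.deny with `ed` (worth confirming against the installed action.d/hostsdeny.conf). A comment above the RUN, e.g. `# ed: required by fail2ban's hostsdeny action to remove entries from /etc/hosts.deny on unban`, would keep the dependency from being "cleaned up" later and silently breaking unban.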
@@ -79,14 +79,14 @@ Just add the full email address and its encrypted password separated by a pipe.
 Example:
 
- user1@domain.tld|{SCHEME}mypassword-encrypted
- user2@otherdomain.tld|{SCHEME}myotherpassword-encrypted
+ user1@domain.tld|{CRAM-MD5}mypassword-cram-md5-encrypted
+ user2@otherdomain.tld|{CRAM-MD5}myotherpassword-cram-md5-encrypted
 
 To generate the password you could run for example the following:
 
 docker run --rm -ti tvial/docker-mailserver:v2 doveadm pw -s CRAM-MD5 -u user1@domain.tld
 
-You will be asked for a password (and for a confirmation of the password). Just copy all the output string in the file `config/postfix-accounts.cf`.
+You will be asked for a password. Just copy all the output string in the file `config/postfix-accounts.cf`.
 
 The `doveadm pw` command let you choose between several encryption schemes for the password.
 
 Use doveadm pw -l to get a list of the currently supported encryption schemes.
diff --git a/target/fail2ban/jail.conf b/target/fail2ban/jail.conf
index 9aac0f66..f0824882 100644
--- a/target/fail2ban/jail.conf
+++ b/target/fail2ban/jail.conf
@@ -68,7 +68,7 @@ sendername = Fail2Ban
 # iptables-multiport, shorewall, etc) It is used to define
 # action_* variables. Can be overridden globally or per
 # section within jail.local file
-banaction = iptables-multiport
+banaction = hostsdeny
 
 # email action. Since 0.8.1 upstream fail2ban uses sendmail
 # MTA for the mailing. Change mta configuration parameter to mail
diff --git a/test/tests.bats b/test/tests.bats
index f423e24c..bd727df0 100644
--- a/test/tests.bats
+++ b/test/tests.bats
@@ -52,7 +52,7 @@
 }
 
 @test "checking imap: server is ready with STARTTLS" {
- run docker exec mail /bin/bash -c "nc -w 5 0.0.0.0 143 | grep '* OK' | grep 'STARTTLS' | grep 'ready'"
+ run docker exec mail /bin/bash -c "nc -w 2 0.0.0.0 143 | grep '* OK' | grep 'STARTTLS' | grep 'ready'"
 [ "$status" -eq 0 ]
 }
 
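Review bot: Switching `banaction` to `hostsdeny` in the jail.conf hunk turns the ban from a packet-filter rule into a TCP-wrappers entry, which is only honoured by services that consult libwrap: Postfix has no tcp_wrappers support at all, and Dovecot consults /etc/hosts.deny only when its `tcpwrap` login access socket (`login_access_sockets`) is configured, so a listed address may still complete SMTP and IMAP connections. If the motivation is that iptables cannot be used inside the container (presumably no NET_ADMIN capability), the config should say so and name the enforcement requirement, e.g. `# hostsdeny instead of iptables: the container has no packet-filter privileges; only libwrap-aware services (e.g. dovecot via login_access_sockets) enforce /etc/hosts.deny`. The tests added in test/tests.bats assert only that the file entry appears and disappears, not that a banned client is refused, so this gap would go unnoticed by the suite.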
@@ -313,7 +313,7 @@
 #
 
 @test "checking ssl: generated default cert is installed" {
- run docker exec mail /bin/sh -c "openssl s_client -connect 0.0.0.0:587 -starttls smtp -CApath /etc/ssl/certs/ | grep 'Verify return code: 0 (ok)'"
+ run docker exec mail /bin/sh -c "timeout 1 openssl s_client -connect 0.0.0.0:587 -starttls smtp -CApath /etc/ssl/certs/ | grep 'Verify return code: 0 (ok)'"
 [ "$status" -eq 0 ]
 }
 
@@ -343,6 +343,9 @@
 FAIL_AUTH_MAILER_IP=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' fail-auth-mailer)
 run docker exec mail_fail2ban /bin/sh -c "export FAIL_AUTH_MAILER_IP=$FAIL_AUTH_MAILER_IP && fail2ban-client status sasl | grep '$FAIL_AUTH_MAILER_IP'"
 [ "$status" -eq 0 ]
+ # Checking that FAIL_AUTH_MAILER_IP is banned in /etc/hosts.deny
+ run docker exec mail_fail2ban /bin/sh -c "export FAIL_AUTH_MAILER_IP=$FAIL_AUTH_MAILER_IP && grep 'ALL: $FAIL_AUTH_MAILER_IP' /etc/hosts.deny"
+ [ "$status" -eq 0 ]
 }
 
 @test "checking fail2ban: unban ip works" {
@@ -351,6 +354,9 @@
 sleep 5
 run docker exec mail_fail2ban /bin/sh -c "fail2ban-client status sasl | grep 'IP list:.*$FAIL_AUTH_MAILER_IP'"
 [ "$status" -eq 1 ]
+ # Checking that FAIL_AUTH_MAILER_IP is unbanned in /etc/hosts.deny
+ run docker exec mail_fail2ban /bin/sh -c "export FAIL_AUTH_MAILER_IP=$FAIL_AUTH_MAILER_IP && grep 'ALL: $FAIL_AUTH_MAILER_IP' /etc/hosts.deny"
+ [ "$status" -eq 1 ]
 }
 
 #
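Review bot: The `grep 'ALL: $FAIL_AUTH_MAILER_IP'` added at the end of the ban test treats the address as an unanchored basic regular expression, so each `.` matches any character and a longer address that merely starts with the same digits also matches; the same pattern is added in the unban hunk that follows, where an over-broad match becomes a false failure instead of a false pass. A fixed-string, whole-line match is what the check means: `grep -xF 'ALL: $FAIL_AUTH_MAILER_IP' /etc/hosts.deny` (assuming the hostsdeny action writes each entry as exactly `ALL: <ip>`; drop `-x` if entries may carry trailing spacing or a comment). The `export FAIL_AUTH_MAILER_IP=...` inside the container command is redundant, since the double-quoted string is already expanded on the host before docker exec runs. Both enclosing @test functions start outside their hunks.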