diff --git a/Dockerfile b/Dockerfile index bf4ab16d..4c893e81 100644 --- a/Dockerfile +++ b/Dockerfile @@ -7,7 +7,7 @@ RUN apt-get -y upgrade RUN DEBIAN_FRONTEND=noninteractive apt-get -y install vim postfix sasl2-bin courier-imap courier-imap-ssl \ courier-pop courier-pop-ssl courier-authdaemon supervisor gamin amavisd-new spamassassin clamav clamav-daemon libnet-dns-perl libmail-spf-perl \ pyzor razor arj bzip2 cabextract cpio file gzip nomarch p7zip pax unzip zip zoo rsyslog mailutils netcat \ - opendkim opendkim-tools opendmarc curl + opendkim opendkim-tools opendmarc curl fail2ban RUN apt-get autoclean && rm -rf /var/lib/apt/lists/* # Configures Saslauthd diff --git a/docker-compose.yml.dist b/docker-compose.yml.dist index 69501fc4..752794dc 100644 --- a/docker-compose.yml.dist +++ b/docker-compose.yml.dist @@ -2,6 +2,8 @@ mail: image: tvial/docker-mailserver hostname: mail domainname: domain.com + cap_add: + - NET_ADMIN ports: - "25:25" - "143:143" diff --git a/start-mailserver.sh b/start-mailserver.sh index 050b9e06..f52cd5cb 100644 --- a/start-mailserver.sh +++ b/start-mailserver.sh 
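Review bot: The `cap_add: - NET_ADMIN` entry in docker-compose.yml.dist arrives with no comment saying why the capability is needed or what it grants. It is presumably there so fail2ban can insert firewall rules, but it also lets any root process inside the container reconfigure that network namespace. Anyone copying this template should be able to see that trade-off, so I would add `# NET_ADMIN is required by fail2ban to add iptables ban rules` above `cap_add:`. start-mailserver.sh now starts fail2ban unconditionally, so a container launched without the capability would likely record bans that are never enforced; that is worth confirming and stating in the README.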
@@ -188,6 +188,22 @@ echo "required_score 5" >> /etc/mail/spamassassin/local.cf echo "rewrite_header Subject ***SPAM***" >> /etc/mail/spamassassin/local.cf cp /tmp/spamassassin/rules.cf /etc/spamassassin/ + +echo "Configuring fail2ban" +# enable filters +perl -i -0pe 's/(\[postfix\]\n\n).*\n/\1enabled = true\n/' /etc/fail2ban/jail.conf +perl -i -0pe 's/(\[couriersmtp\]\n\n).*\n/\1enabled = true\n/' /etc/fail2ban/jail.conf +perl -i -0pe 's/(\[courierauth\]\n\n).*\n/\1enabled = true\n/' /etc/fail2ban/jail.conf +perl -i -0pe 's/(\[sasl\]\n\n).*\n/\1enabled = true\n/' /etc/fail2ban/jail.conf + +# increase ban time and find time to 3h +sed -i "/^bantime *=/c\bantime = 10800" /etc/fail2ban/jail.conf +sed -i "/^findtime *=/c\findtime = 10800" /etc/fail2ban/jail.conf + +# avoid warning on startup +echo "ignoreregex =" >> /etc/fail2ban/filter.d/postfix-sasl.conf + + echo "Starting daemons" cron /etc/init.d/rsyslog start @@ -208,6 +224,7 @@ fi /etc/init.d/opendkim start /etc/init.d/opendmarc start /etc/init.d/postfix start +/etc/init.d/fail2ban start echo "Listing SASL users" sasldblistusers2 diff --git a/test/auth/smtp-auth-login-wrong.txt b/test/auth/smtp-auth-login-wrong.txt new file mode 100644 index 00000000..39b4f01c --- /dev/null +++ b/test/auth/smtp-auth-login-wrong.txt @@ -0,0 +1,4 @@ +EHLO mail +AUTH LOGIN dXNlcjFAbG9jYWxob3N0LmxvY2FsZG9tYWlu +Bn3JKisq4HQ2RO== +QUIT diff --git a/test/test.sh b/test/test.sh index 107e0dcd..d855fc00 100644 --- a/test/test.sh +++ b/test/test.sh 
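Review bot: The four `perl -i -0pe` substitutions in the "Configuring fail2ban" block enable a jail only if its header in /etc/fail2ban/jail.conf is followed by a blank line and then a single line to overwrite. If the packaged file is laid out differently they match nothing and still exit 0, so the mail jails stay disabled with no sign of it at startup. Editing jail.conf in place also ties the script to one package version. Writing the overrides to /etc/fail2ban/jail.local, which fail2ban reads on top of jail.conf, avoids both problems and makes the step idempotent. Separately, if the script reruns on the same container filesystem, the `echo "ignoreregex =" >>` line appends a duplicate each time; guard it with `grep -q '^ignoreregex' … ||`.

```shell
echo "Configuring fail2ban"
# Overrides go in jail.local so the packaged jail.conf is left untouched
# and the result does not depend on its exact layout.
cat > /etc/fail2ban/jail.local <<'EOF'
[DEFAULT]
bantime = 10800
findtime = 10800

[postfix]
enabled = true

[couriersmtp]
enabled = true

[courierauth]
enabled = true

[sasl]
enabled = true
EOF
# … unchanged: ignoreregex line for filter.d/postfix-sasl.conf …
```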
@@ -4,16 +4,17 @@ source assert.sh # Testing that services are running and pop3 is disabled -assert_raises "docker exec mail ps aux --forest | grep '/usr/lib/postfix/master'" 0 -assert_raises "docker exec mail ps aux --forest | grep '/usr/sbin/saslauthd'" 0 -assert_raises "docker exec mail ps aux --forest | grep '/usr/sbin/clamd'" 0 -assert_raises "docker exec mail ps aux --forest | grep '/usr/sbin/amavisd-new'" 0 -assert_raises "docker exec mail ps aux --forest | grep '/usr/sbin/opendkim'" 0 -assert_raises "docker exec mail ps aux --forest | grep '/usr/sbin/opendmarc'" 0 -assert_raises "docker exec mail ps aux --forest | grep '/usr/lib/courier/courier/courierpop3d'" 1 +assert_raises "docker exec mail ps aux --forest | grep -v grep | grep '/usr/lib/postfix/master'" 0 +assert_raises "docker exec mail ps aux --forest | grep -v grep | grep '/usr/sbin/saslauthd'" 0 +assert_raises "docker exec mail ps aux --forest | grep -v grep | grep '/usr/sbin/clamd'" 0 +assert_raises "docker exec mail ps aux --forest | grep -v grep | grep '/usr/sbin/amavisd-new'" 0 +assert_raises "docker exec mail ps aux --forest | grep -v grep | grep '/usr/sbin/opendkim'" 0 +assert_raises "docker exec mail ps aux --forest | grep -v grep | grep '/usr/sbin/opendmarc'" 0 +assert_raises "docker exec mail ps aux --forest | grep -v grep | grep '/usr/lib/courier/courier/courierpop3d'" 1 +assert_raises "docker exec mail ps aux --forest | grep -v grep | grep '/usr/bin/python /usr/bin/fail2ban-server'" 0 # Testing services of pop3 container -assert_raises "docker exec mail_pop3 ps aux --forest | grep '/usr/lib/courier/courier/courierpop3d'" 0 +assert_raises "docker exec mail_pop3 ps aux --forest | grep -v grep | grep '/usr/lib/courier/courier/courierpop3d'" 0 # Testing IMAP server assert_raises "docker exec mail nc -w 1 0.0.0.0 143 | grep '* OK' | grep 'STARTTLS' | grep 'Courier-IMAP ready'" 0 
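Review bot: The new fail2ban assertion greps for the exact command line `/usr/bin/python /usr/bin/fail2ban-server`, so it fails if the package starts the server under a different interpreter path, even though the service is running. Asking the daemon directly is sturdier and also proves the control socket answers: `assert_raises "docker exec mail fail2ban-client ping" 0`. As a smaller style point, the added `grep -v grep` stages look redundant. The greps run on the host side of `docker exec`, so they should never appear in the container's `ps` output.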
@@ -85,5 +86,23 @@ assert_raises "docker exec mail grep 'BEGIN CERTIFICATE' /etc/ssl/certs/lets-enc # Testing generated ssl certs assert_raises "docker exec mail openssl s_client -connect 0.0.0.0:587 -starttls smtp -CApath /etc/ssl/certs/ | grep 'Verify return code: 0 (ok)'" "0" +# Testing fail2ban +assert_raises "docker exec mail fail2ban-client status sasl | grep 'IP list:\s*127.0.0.1'" 1 + +docker exec mail fail2ban-client set sasl delignoreip 127.0.0.1/8 &> /dev/null + +docker exec mail /bin/sh -c 'nc -w 1 0.0.0.0 25 < /tmp/test/auth/smtp-auth-login-wrong.txt' &> /dev/null +docker exec mail /bin/sh -c 'nc -w 1 0.0.0.0 25 < /tmp/test/auth/smtp-auth-login-wrong.txt' &> /dev/null +docker exec mail /bin/sh -c 'nc -w 1 0.0.0.0 25 < /tmp/test/auth/smtp-auth-login-wrong.txt' &> /dev/null + +sleep 10 +assert_raises "docker exec mail fail2ban-client status sasl | grep 'IP list:\s*127.0.0.1'" 0 + +docker exec mail fail2ban-client set sasl addignoreip 127.0.0.1/8 &> /dev/null +docker exec mail fail2ban-client set sasl unbanip 127.0.0.1 &> /dev/null + +sleep 10 +assert_raises "docker exec mail fail2ban-client status sasl | grep 'IP list:\s*127.0.0.1'" 1 + # Ending tests -assert_end +assert_end
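Review bot: The `delignoreip`, `addignoreip` and `unbanip` calls in the fail2ban test send output to `&> /dev/null` and their exit status is never checked. If one of them fails, the test either reports a misleading grep mismatch or leaves 127.0.0.1 banned for the tests that follow. Wrapping them keeps the failure visible, e.g. `assert_raises "docker exec mail fail2ban-client set sasl delignoreip 127.0.0.1/8" 0`, and likewise for the other two. The test also assumes three failed logins are enough to trigger a ban, but start-mailserver.sh does not set `maxretry`, so it depends on the package default. The fixed `sleep 10` could be replaced by a short polling loop on `fail2ban-client status sasl`, which would be faster and less flaky.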