From 7e7c34a256bbdb37e890f284e68297b5be1e6b33 Mon Sep 17 00:00:00 2001 From: Dominik Winter Date: Fri, 12 Feb 2016 00:19:21 +0100 Subject: [PATCH 1/4] added fail2ban --- Dockerfile | 2 +- docker-compose.yml.dist | 1 + start-mailserver.sh | 17 +++++++++++++++++ 3 files changed, 19 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index bf4ab16d..4c893e81 100644 --- a/Dockerfile +++ b/Dockerfile @@ -7,7 +7,7 @@ RUN apt-get -y upgrade RUN DEBIAN_FRONTEND=noninteractive apt-get -y install vim postfix sasl2-bin courier-imap courier-imap-ssl \ courier-pop courier-pop-ssl courier-authdaemon supervisor gamin amavisd-new spamassassin clamav clamav-daemon libnet-dns-perl libmail-spf-perl \ pyzor razor arj bzip2 cabextract cpio file gzip nomarch p7zip pax unzip zip zoo rsyslog mailutils netcat \ - opendkim opendkim-tools opendmarc curl + opendkim opendkim-tools opendmarc curl fail2ban RUN apt-get autoclean && rm -rf /var/lib/apt/lists/* # Configures Saslauthd diff --git a/docker-compose.yml.dist b/docker-compose.yml.dist index 69501fc4..15e07908 100644 --- a/docker-compose.yml.dist +++ b/docker-compose.yml.dist @@ -2,6 +2,7 @@ mail: image: tvial/docker-mailserver hostname: mail domainname: domain.com + privileged: true ports: - "25:25" - "143:143" diff --git a/start-mailserver.sh b/start-mailserver.sh index 050b9e06..f52cd5cb 100644 --- a/start-mailserver.sh +++ b/start-mailserver.sh 
@@ -188,6 +188,22 @@ echo "required_score 5" >> /etc/mail/spamassassin/local.cf echo "rewrite_header Subject ***SPAM***" >> /etc/mail/spamassassin/local.cf cp /tmp/spamassassin/rules.cf /etc/spamassassin/ + +echo "Configuring fail2ban" +# enable filters +perl -i -0pe 's/(\[postfix\]\n\n).*\n/\1enabled = true\n/' /etc/fail2ban/jail.conf +perl -i -0pe 's/(\[couriersmtp\]\n\n).*\n/\1enabled = true\n/' /etc/fail2ban/jail.conf +perl -i -0pe 's/(\[courierauth\]\n\n).*\n/\1enabled = true\n/' /etc/fail2ban/jail.conf +perl -i -0pe 's/(\[sasl\]\n\n).*\n/\1enabled = true\n/' /etc/fail2ban/jail.conf + +# increase ban time and find time to 3h +sed -i "/^bantime *=/c\bantime = 10800" /etc/fail2ban/jail.conf +sed -i "/^findtime *=/c\findtime = 10800" /etc/fail2ban/jail.conf + +# avoid warning on startup +echo "ignoreregex =" >> /etc/fail2ban/filter.d/postfix-sasl.conf + + echo "Starting daemons" cron /etc/init.d/rsyslog start @@ -208,6 +224,7 @@ fi /etc/init.d/opendkim start /etc/init.d/opendmarc start /etc/init.d/postfix start +/etc/init.d/fail2ban start echo "Listing SASL users" sasldblistusers2 From 25b09928a3ce320351602730430915fda81af42a Mon Sep 17 00:00:00 2001 From: Dominik Winter Date: Sat, 13 Feb 2016 01:40:36 +0100 Subject: [PATCH 2/4] add NET_ADMIN container capabilities instead of all privileges --- docker-compose.yml.dist | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docker-compose.yml.dist b/docker-compose.yml.dist index 15e07908..752794dc 100644 --- a/docker-compose.yml.dist +++ b/docker-compose.yml.dist @@ -2,7 +2,8 @@ mail: image: tvial/docker-mailserver hostname: mail domainname: domain.com - privileged: true + cap_add: + - NET_ADMIN ports: - "25:25" - "143:143" From 5d157dcecaff591a99cce9fc623112b77ddafcea Mon Sep 17 00:00:00 2001 
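Review bot: The four `perl -i -0pe` substitutions in the start-mailserver.sh hunk at line 188 overwrite whatever line follows the blank line after each `[jail]` header without checking that it is the `enabled` setting, and they change nothing at all if the packaged `/etc/fail2ban/jail.conf` is laid out differently, so the container can come up with the postfix, couriersmtp, courierauth and sasl jails disabled and no error. Writing the overrides to `/etc/fail2ban/jail.local`, which fail2ban reads on top of `jail.conf`, avoids depending on the packaged layout and also replaces the two `sed` edits. The `echo "ignoreregex =" >> …/postfix-sasl.conf` append is not idempotent and adds a duplicate line each time the script runs in the same container, for example after a restart; guard it with `grep -q '^ignoreregex' /etc/fail2ban/filter.d/postfix-sasl.conf ||`. The sketch below shows the jail.local form.

```shell
echo "Configuring fail2ban"
# enable jails and set ban time / find time to 3h without editing the packaged jail.conf
cat > /etc/fail2ban/jail.local <<'EOF'
[DEFAULT]
bantime = 10800
findtime = 10800

[postfix]
enabled = true

[couriersmtp]
enabled = true

[courierauth]
enabled = true

[sasl]
enabled = true
EOF
# … unchanged: ignoreregex line for postfix-sasl.conf …
```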
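Review bot: The result of the added `/etc/init.d/fail2ban start` (start-mailserver.sh hunk at +224) is not checked, so if fail2ban fails to start the mail services still come up and accept logins with no brute-force protection, and nothing in the container output says so. Since this daemon is a security control, report the failure, e.g. `/etc/init.d/fail2ban start || echo "fail2ban failed to start, bans are not active" >&2`. Whether the init script's exit status also reflects a failure to install firewall rules is not visible here and should be confirmed. The surrounding script continues outside the hunk.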
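Review bot: The new `cap_add: - NET_ADMIN` entry in docker-compose.yml.dist (patch 2/4) has no comment saying why it is there, and since this file is the template users copy, someone trimming capabilities may remove it. Add a comment above it such as `# NET_ADMIN is needed by fail2ban to manage firewall rules; without it bans cannot be applied`. The reason is inferred from the commit subject and the fail2ban change in patch 1/4, so confirm the wording against how the bans are actually enforced in the image.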
From: Dominik Winter Date: Sat, 13 Feb 2016 04:43:57 +0100 Subject: [PATCH 3/4] added fail2ban tests --- test/auth/smtp-auth-login-wrong.txt | 4 ++++ test/test.sh | 35 +++++++++++++++++++++-------- 2 files changed, 30 insertions(+), 9 deletions(-) create mode 100644 test/auth/smtp-auth-login-wrong.txt diff --git a/test/auth/smtp-auth-login-wrong.txt b/test/auth/smtp-auth-login-wrong.txt new file mode 100644 index 00000000..39b4f01c --- /dev/null +++ b/test/auth/smtp-auth-login-wrong.txt @@ -0,0 +1,4 @@ +EHLO mail +AUTH LOGIN dXNlcjFAbG9jYWxob3N0LmxvY2FsZG9tYWlu +Bn3JKisq4HQ2RO== +QUIT diff --git a/test/test.sh b/test/test.sh index 107e0dcd..e7be5319 100644 --- a/test/test.sh +++ b/test/test.sh 
@@ -4,16 +4,17 @@ source assert.sh # Testing that services are running and pop3 is disabled -assert_raises "docker exec mail ps aux --forest | grep '/usr/lib/postfix/master'" 0 -assert_raises "docker exec mail ps aux --forest | grep '/usr/sbin/saslauthd'" 0 -assert_raises "docker exec mail ps aux --forest | grep '/usr/sbin/clamd'" 0 -assert_raises "docker exec mail ps aux --forest | grep '/usr/sbin/amavisd-new'" 0 -assert_raises "docker exec mail ps aux --forest | grep '/usr/sbin/opendkim'" 0 -assert_raises "docker exec mail ps aux --forest | grep '/usr/sbin/opendmarc'" 0 -assert_raises "docker exec mail ps aux --forest | grep '/usr/lib/courier/courier/courierpop3d'" 1 +assert_raises "docker exec mail ps aux --forest | grep -v grep | grep '/usr/lib/postfix/master'" 0 +assert_raises "docker exec mail ps aux --forest | grep -v grep | grep '/usr/sbin/saslauthd'" 0 +assert_raises "docker exec mail ps aux --forest | grep -v grep | grep '/usr/sbin/clamd'" 0 +assert_raises "docker exec mail ps aux --forest | grep -v grep | grep '/usr/sbin/amavisd-new'" 0 +assert_raises "docker exec mail ps aux --forest | grep -v grep | grep '/usr/sbin/opendkim'" 0 +assert_raises "docker exec mail ps aux --forest | grep -v grep | grep '/usr/sbin/opendmarc'" 0 +assert_raises "docker exec mail ps aux --forest | grep -v grep | grep '/usr/lib/courier/courier/courierpop3d'" 1 +assert_raises "docker exec mail ps aux --forest | grep -v grep | grep '/usr/bin/python /usr/bin/fail2ban-server'" 0 # Testing services of pop3 container -assert_raises "docker exec mail_pop3 ps aux --forest | grep '/usr/lib/courier/courier/courierpop3d'" 0 +assert_raises "docker exec mail_pop3 ps aux --forest | grep -v grep | grep '/usr/lib/courier/courier/courierpop3d'" 0 # Testing IMAP server assert_raises "docker exec mail nc -w 1 0.0.0.0 143 | grep '* OK' | grep 'STARTTLS' | grep 'Courier-IMAP ready'" 0 
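Review bot: `grep -v grep` in these `assert_raises` lines discards every process line that contains the string "grep", not only a grep process, and the new fail2ban check hard-codes the interpreter path in `'/usr/bin/python /usr/bin/fail2ban-server'`, so it would report the server as missing if the package starts it through a different interpreter path. If `pgrep` is present in the image, `docker exec mail pgrep -f fail2ban-server` (and the same form for the other daemons) expresses the check without either problem. If the filter is kept, a comment such as `# grep -v grep: exclude the matcher itself from the ps output` above the block would record why it was added, since the `grep` stages appear to run outside the container.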
@@ -85,5 +86,21 @@ assert_raises "docker exec mail grep 'BEGIN CERTIFICATE' /etc/ssl/certs/lets-enc # Testing generated ssl certs assert_raises "docker exec mail openssl s_client -connect 0.0.0.0:587 -starttls smtp -CApath /etc/ssl/certs/ | grep 'Verify return code: 0 (ok)'" "0" +# Testing fail2ban +assert_raises "docker exec mail fail2ban-client status sasl | grep 'IP list:\s*127.0.0.1'" 1 + +docker exec mail fail2ban-client set sasl delignoreip 127.0.0.1/8 &> /dev/null + +docker exec mail /bin/sh -c 'nc -w 1 0.0.0.0 25 < /tmp/test/auth/smtp-auth-login-wrong.txt' &> /dev/null +docker exec mail /bin/sh -c 'nc -w 1 0.0.0.0 25 < /tmp/test/auth/smtp-auth-login-wrong.txt' &> /dev/null +docker exec mail /bin/sh -c 'nc -w 1 0.0.0.0 25 < /tmp/test/auth/smtp-auth-login-wrong.txt' &> /dev/null + +assert_raises "docker exec mail fail2ban-client status sasl | grep 'IP list:\s*127.0.0.1'" 0 + +docker exec mail fail2ban-client set sasl addignoreip 127.0.0.1/8 &> /dev/null +docker exec mail fail2ban-client set sasl unbanip 127.0.0.1 &> /dev/null + +assert_raises "docker exec mail fail2ban-client status sasl | grep 'IP list:\s*127.0.0.1'" 1 + # Ending tests -assert_end +assert_end From b54bce7b7762f014e5a819d053120e5bdb6612c6 Mon Sep 17 00:00:00 2001 From: Dominik Winter Date: Sat, 13 Feb 2016 05:37:06 +0100 Subject: [PATCH 4/4] fixed timing problem for fail2ban test --- test/test.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/test/test.sh b/test/test.sh index e7be5319..d855fc00 100644 --- a/test/test.sh +++ b/test/test.sh 
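Review bot: The setup and restore commands of the fail2ban test (`delignoreip`, the three `nc` logins, `addignoreip`, `unbanip`) send all output to `/dev/null` and their exit status is ignored, so a failure in any of them shows up only as a confusing assertion result, and a failed `addignoreip` leaves loopback removed from the jail's ignore list with nothing reporting it. Running the restore steps through the harness, e.g. `assert_raises "docker exec mail fail2ban-client set sasl addignoreip 127.0.0.1/8" 0`, would catch that. The pattern `'IP list:\s*127.0.0.1'` has unescaped dots and no end boundary, so it also matches an address such as 127.0.0.10; `'IP list:\s*127\.0\.0\.1\b'` is tighter. A comment stating that three failed logins are sent because that is presumably the jail's retry limit would make the repetition understandable.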
@@ -95,11 +95,13 @@ docker exec mail /bin/sh -c 'nc -w 1 0.0.0.0 25 < /tmp/test/auth/smtp-auth-login docker exec mail /bin/sh -c 'nc -w 1 0.0.0.0 25 < /tmp/test/auth/smtp-auth-login-wrong.txt' &> /dev/null docker exec mail /bin/sh -c 'nc -w 1 0.0.0.0 25 < /tmp/test/auth/smtp-auth-login-wrong.txt' &> /dev/null +sleep 10 assert_raises "docker exec mail fail2ban-client status sasl | grep 'IP list:\s*127.0.0.1'" 0 docker exec mail fail2ban-client set sasl addignoreip 127.0.0.1/8 &> /dev/null docker exec mail fail2ban-client set sasl unbanip 127.0.0.1 &> /dev/null +sleep 10 assert_raises "docker exec mail fail2ban-client status sasl | grep 'IP list:\s*127.0.0.1'" 1 # Ending tests
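Review bot: The two fixed `sleep 10` calls make the test wait 20 seconds on every run and still fail on a host where fail2ban needs longer than that to register the ban. Polling `fail2ban-client status sasl` with an upper bound keeps the run fast and makes the timeout explicit; the same loop with the condition negated fits the second wait after `unbanip`. A one-line comment saying what the wait is for (presumably the delay before fail2ban processes the new log lines) would also help.

```shell
# wait up to 30s for fail2ban to register the ban instead of a fixed sleep
for ((i = 0; i < 30; i++)); do
  docker exec mail fail2ban-client status sasl | grep -q 'IP list:\s*127.0.0.1' && break
  sleep 1
done
assert_raises "docker exec mail fail2ban-client status sasl | grep 'IP list:\s*127.0.0.1'" 0
# … unchanged: addignoreip / unbanip restore steps …
```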