From 2167108ec00957297729e5048fb172175145941a Mon Sep 17 00:00:00 2001
From: 17Halbe
Date: Sun, 18 Mar 2018 20:15:06 +0100
Subject: [PATCH] introducing ENABLE_SRS env variable (Closes: #906, #852)

* making postsrsd optional
* added tests, added documentation

---
 .env.dist | 5 +++++
 Makefile | 1 +
 README.md | 9 +++++++++
 docker-compose.elk.yml.dist | 1 +
 docker-compose.yml.dist | 1 +
 target/postfix/main.cf | 6 ------
 target/start-mailserver.sh | 19 +++++++++++++++++++
 target/supervisor/conf.d/supervisor-app.conf | 2 +-
 test/tests.bats | 20 ++++++++++++++++++++
 9 files changed, 57 insertions(+), 7 deletions(-)

diff --git a/.env.dist b/.env.dist
index a30871a7..7db07447 100644
--- a/.env.dist
+++ b/.env.dist
@@ -45,6 +45,11 @@ TLS_LEVEL=
 # Addresses with extension delimiters(http://www.postfix.org/postconf.5.html#recipient_delimiter) are not able to send messages.
 SPOOF_PROTECTION=
 
+# Enables the Sender Rewriting Scheme. SRS is needed if your mail server acts as forwarder. See [postsrsd](https://github.com/roehling/postsrsd/blob/master/README.md#sender-rewriting-scheme-crash-course) for further explanation.
+# - **0** => Disabled
+# - 1 => Enabled
+ENABLE_SRS=0
+
 # 1 => Enables POP3 service
 # empty => disables POP3
 ENABLE_POP3=
diff --git a/Makefile b/Makefile
index 0e942cfe..5356ee9b 100644
--- a/Makefile
+++ b/Makefile
@@ -31,6 +31,7 @@ run:
 -e SA_KILL=3.0 \
 -e SA_SPAM_SUBJECT="SPAM: " \
 -e VIRUSMAILS_DELETE_DELAY=7 \
+ -e ENABLE_SRS=1 \
 -e SASL_PASSWD="external-domain.com username:password" \
 -e ENABLE_MANAGESIEVE=1 \
 --cap-add=SYS_PTRACE \
diff --git a/README.md b/README.md
index 25430596..14842be0 100644
--- a/README.md
+++ b/README.md
@@ -83,6 +83,10 @@ You're done! And don't forget to have a look at the remaining functions of the `setup.sh` script +#### SPF/Forwarding Problems + +If you got any problems with SPF and/or forwarding mails, give [SRS](https://github.com/roehling/postsrsd/blob/master/README.md) a try. You enable SRS by setting `ENABLE_SRS=1`. See the variable description for further information. + #### For informational purposes: Your config folder will be mounted in `/tmp/docker-mailserver/`. To understand how things work on boot, please have a look at [start-mailserver.sh](https://github.com/tomav/docker-mailserver/blob/master/target/start-mailserver.sh) @@ -260,6 +264,11 @@ Configures the handling of creating mails with forged sender addresses. - **empty** => Mail address spoofing allowed. Any logged in user may create email messages with a forged sender address. See also [Wikipedia](https://en.wikipedia.org/wiki/Email_spoofing)(not recommended, but default for backwards compatibility reasons) - 1 => (recommended) Mail spoofing denied. Each user may only send with his own or his alias addresses. Addresses with [extension delimiters](http://www.postfix.org/postconf.5.html#recipient_delimiter) are not able to send messages. +##### ENABLE_SRS +Enables the Sender Rewriting Scheme. SRS is needed if your mail server acts as forwarder. See [postsrsd](https://github.com/roehling/postsrsd/blob/master/README.md#sender-rewriting-scheme-crash-course) for further explanation. + - **0** => Disabled + - 1 => Enabled + ##### PERMIT_DOCKER Set different options for mynetworks option (can be overwrite in postfix-main.cf) diff --git a/docker-compose.elk.yml.dist b/docker-compose.elk.yml.dist index 40c41523..e717e927 100644 --- a/docker-compose.elk.yml.dist +++ b/docker-compose.elk.yml.dist 
@@ -26,6 +26,7 @@ services:
 - OVERRIDE_HOSTNAME=${OVERRIDE_HOSTNAME}
 - POSTMASTER_ADDRESS=${POSTMASTER_ADDRESS}
 - POSTSCREEN_ACTION=${POSTSCREEN_ACTION}
+ - ENABLE_SRS=${ENABLE_SRS}
 - REPORT_RECIPIENT=${REPORT_RECIPIENT}
 - REPORT_INTERVAL=${REPORT_INTERVAL}
 - SMTP_ONLY=${SMTP_ONLY}
diff --git a/docker-compose.yml.dist b/docker-compose.yml.dist
index 18d17584..8fc776ac 100644
--- a/docker-compose.yml.dist
+++ b/docker-compose.yml.dist
@@ -30,6 +30,7 @@ services:
 - SSL_TYPE=${SSL_TYPE}
 - TLS_LEVEL=${TLS_LEVEL}
 - SPOOF_PROTECTION=${SPOOF_PROTECTION}
+ - ENABLE_SRS=${ENABLE_SRS}
 - PERMIT_DOCKER=${PERMIT_DOCKER}
 - VIRUSMAILS_DELETE_DELAY=${VIRUSMAILS_DELETE_DELAY}
 - ENABLE_POSTFIX_VIRTUAL_TRANSPORT=${ENABLE_POSTFIX_VIRTUAL_TRANSPORT}
diff --git a/target/postfix/main.cf b/target/postfix/main.cf
index 10af5b65..807e282f 100644
--- a/target/postfix/main.cf
+++ b/target/postfix/main.cf
@@ -97,9 +97,3 @@ policyd-spf_time_limit = 3600
 
 # Remove unwanted headers that reveail our privacy
 smtp_header_checks = pcre:/etc/postfix/maps/sender_header_filter.pcre
-
-# postSRSd rules to process spf mail forwarding
-sender_canonical_maps = tcp:localhost:10001
-sender_canonical_classes = envelope_sender
-recipient_canonical_maps = tcp:localhost:10002
-recipient_canonical_classes = envelope_recipient,header_recipient
diff --git a/target/start-mailserver.sh b/target/start-mailserver.sh
index c3c1b917..370d3f1e 100644
--- a/target/start-mailserver.sh
+++ b/target/start-mailserver.sh
@@ -27,6 +27,7 @@ DEFAULT_VARS["POSTMASTER_ADDRESS"]="${POSTMASTER_ADDRESS:="postmaster@domain.com
 DEFAULT_VARS["POSTSCREEN_ACTION"]="${POSTSCREEN_ACTION:="enforce"}"
 DEFAULT_VARS["SPOOF_PROTECTION"]="${SPOOF_PROTECTION:="0"}"
 DEFAULT_VARS["TLS_LEVEL"]="${TLS_LEVEL:="modern"}"
+DEFAULT_VARS["ENABLE_SRS"]="${ENABLE_SRS:="0"}"
 DEFAULT_VARS["REPORT_RECIPIENT"]="${REPORT_RECIPIENT:="0"}"
 DEFAULT_VARS["REPORT_INTERVAL"]="${REPORT_INTERVAL:="daily"}"
 ##########################################################################
@@ -126,6 +127,11 @@ function register_functions() {
 _register_setup_function "_setup_spoof_protection"
 fi
 
+ if [ "$ENABLE_SRS" = 1 ]; then
+ _register_setup_function "_setup_SRS"
+ _register_start_daemon "_start_daemons_postsrsd"
+ fi
+
 _register_setup_function "_setup_postfix_access_control"
 
 if [ ! -z "$AWS_SES_HOST" -a ! -z "$AWS_SES_USERPASS" ]; then
@@ -733,6 +739,14 @@ function _setup_postfix_aliases() {
 fi
 }
 
+function _setup_SRS() {
+ notify 'task' 'Setting up SRS'
+ postconf -e "sender_canonical_maps = tcp:localhost:10001"
+ postconf -e "sender_canonical_classes = envelope_sender"
+ postconf -e "recipient_canonical_maps = tcp:localhost:10002"
+ postconf -e "recipient_canonical_classes = envelope_recipient,header_recipient"
+}
+
 function _setup_dkim() {
 notify 'task' 'Setting up DKIM'
 
@@ -1292,6 +1306,11 @@ function _start_daemons_opendmarc() {
 supervisorctl start opendmarc
 }
 
+function _start_daemons_postsrsd(){
+ notify 'task' 'Starting postsrsd ' 'n'
+ supervisorctl start postsrsd
+}
+
 function _start_daemons_postfix() {
 notify 'task' 'Starting postfix' 'n'
 supervisorctl start postfix
diff --git a/target/supervisor/conf.d/supervisor-app.conf b/target/supervisor/conf.d/supervisor-app.conf
index e327e715..f0b8ef1d 100644
--- a/target/supervisor/conf.d/supervisor-app.conf
+++ b/target/supervisor/conf.d/supervisor-app.conf
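Review bot: `_register_start_daemon "_start_daemons_postsrsd"` in the register_functions hunk is placed among the setup registrations rather than with the other daemon registrations, and nothing records why; if daemons are started in registration order, that placement is what gets postsrsd listening before Postfix begins consulting `tcp:localhost:10001`/`10002` through the canonical maps written in `_setup_SRS`, and a later tidy-up that moves the call next to `_start_daemons_postfix` could leave those lookups failing until the daemon is up. Add `# postsrsd must be started before postfix: the canonical maps set in _setup_SRS point at tcp:localhost:10001/10002` above the `if [ "$ENABLE_SRS" = 1 ]` block so the ordering is deliberate. `_start_daemons_postsrsd` has no readiness wait after `supervisorctl start postsrsd`, so a slow daemon start still races the first lookup; worth a TODO next to it. Style: `_start_daemons_postsrsd(){` drops the space before `{` that the sibling functions use, `'Starting postsrsd '` carries a trailing space, and `_setup_SRS` breaks the lowercase `_setup_*` naming of its neighbours. register_functions starts and ends outside its hunk.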
@@ -124,7 +124,7 @@ command=/usr/local/bin/check-for-changes.sh
 
 [program:postsrsd]
 startsecs=0
-autostart=true
+autostart=false
 autorestart=unexpected
 stdout_logfile=/var/log/supervisor/%(program_name)s.log
 stderr_logfile=/var/log/supervisor/%(program_name)s.log
diff --git a/test/tests.bats b/test/tests.bats
index 6db58ac4..a9e540b3 100644
--- a/test/tests.bats
+++ b/test/tests.bats
@@ -790,6 +790,26 @@ load 'test_helper/bats-assert/load'
 assert_success
 }
 
+#
+# postsrsd
+#
+
+@test "checking SRS: main.cf entries" {
+ run docker exec mail grep "sender_canonical_maps = tcp:localhost:10001" /etc/postfix/main.cf
+ assert_success
+ run docker exec mail grep "sender_canonical_classes = envelope_sender" /etc/postfix/main.cf
+ assert_success
+ run docker exec mail grep "recipient_canonical_maps = tcp:localhost:10002" /etc/postfix/main.cf
+ assert_success
+ run docker exec mail grep "recipient_canonical_classes = envelope_recipient,header_recipient" /etc/postfix/main.cf
+ assert_success
+}
+
+@test "checking SRS: postsrsd running" {
+ run docker exec mail /bin/sh -c "ps aux | grep ^postsrsd"
+ assert_success
+}
+
 #
 # fail2ban
 #
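Review bot: The two new bats tests only exercise the enabled path: with the Makefile `run` target passing `ENABLE_SRS=1`, they confirm the `postconf -e` entries and the process exist, but nothing asserts the default `ENABLE_SRS=0` behaviour that this commit introduces — canonical maps absent from main.cf and postsrsd not running — which is exactly what the `autostart=false` change in supervisor-app.conf is meant to deliver. If the suite has a container started without `ENABLE_SRS`, a mirror test using `assert_failure` on the same grep and ps commands would pin the off path. `ps aux | grep ^postsrsd` also only passes when the process is listed under an account named postsrsd, which depends on how the daemon drops privileges and is not visible here; `run docker exec mail supervisorctl status postsrsd` followed by a check for `RUNNING` would test the thing the commit actually controls.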