introducing ENABLE_SRS env variable (Closes: #906, #852)

* making postsrsd optional
* added tests, added documentation
17Halbe 2018-03-18 20:15:06 +01:00 committed by Johan Smits
parent a420b15370
commit 2167108ec0
9 changed files with 57 additions and 7 deletions


@ -45,6 +45,11 @@ TLS_LEVEL=
# Addresses with extension delimiters(http://www.postfix.org/postconf.5.html#recipient_delimiter) are not able to send messages.
SPOOF_PROTECTION=
# Enables the Sender Rewriting Scheme. SRS is needed if your mail server acts as forwarder. See [postsrsd](https://github.com/roehling/postsrsd/blob/master/README.md#sender-rewriting-scheme-crash-course) for further explanation.
# - **0** => Disabled
# - 1 => Enabled
ENABLE_SRS=0
# 1 => Enables POP3 service
# empty => disables POP3
ENABLE_POP3=


@ -31,6 +31,7 @@ run:
-e SA_KILL=3.0 \
-e SA_SPAM_SUBJECT="SPAM: " \
-e VIRUSMAILS_DELETE_DELAY=7 \
-e ENABLE_SRS=1 \
-e SASL_PASSWD="external-domain.com username:password" \
-e ENABLE_MANAGESIEVE=1 \
--cap-add=SYS_PTRACE \


@ -83,6 +83,10 @@ You're done!
And don't forget to have a look at the remaining functions of the `setup.sh` script
#### SPF/Forwarding Problems
If you got any problems with SPF and/or forwarding mails, give [SRS](https://github.com/roehling/postsrsd/blob/master/README.md) a try. You enable SRS by setting `ENABLE_SRS=1`. See the variable description for further information.
#### For informational purposes:
Your config folder will be mounted in `/tmp/docker-mailserver/`. To understand how things work on boot, please have a look at [start-mailserver.sh](https://github.com/tomav/docker-mailserver/blob/master/target/start-mailserver.sh)
@ -260,6 +264,11 @@ Configures the handling of creating mails with forged sender addresses.
- **empty** => Mail address spoofing allowed. Any logged in user may create email messages with a forged sender address. See also [Wikipedia](https://en.wikipedia.org/wiki/Email_spoofing)(not recommended, but default for backwards compatibility reasons)
- 1 => (recommended) Mail spoofing denied. Each user may only send with his own or his alias addresses. Addresses with [extension delimiters](http://www.postfix.org/postconf.5.html#recipient_delimiter) are not able to send messages.
##### ENABLE_SRS
Enables the Sender Rewriting Scheme. SRS is needed if your mail server acts as forwarder. See [postsrsd](https://github.com/roehling/postsrsd/blob/master/README.md#sender-rewriting-scheme-crash-course) for further explanation.
- **0** => Disabled
- 1 => Enabled
##### PERMIT_DOCKER
Set different options for mynetworks option (can be overwrite in postfix-main.cf)


@ -26,6 +26,7 @@ services:
- OVERRIDE_HOSTNAME=${OVERRIDE_HOSTNAME}
- POSTMASTER_ADDRESS=${POSTMASTER_ADDRESS}
- POSTSCREEN_ACTION=${POSTSCREEN_ACTION}
- ENABLE_SRS=${ENABLE_SRS}
- REPORT_RECIPIENT=${REPORT_RECIPIENT}
- REPORT_INTERVAL=${REPORT_INTERVAL}
- SMTP_ONLY=${SMTP_ONLY}


@ -30,6 +30,7 @@ services:
- SSL_TYPE=${SSL_TYPE}
- TLS_LEVEL=${TLS_LEVEL}
- SPOOF_PROTECTION=${SPOOF_PROTECTION}
- ENABLE_SRS=${ENABLE_SRS}
- PERMIT_DOCKER=${PERMIT_DOCKER}
- VIRUSMAILS_DELETE_DELAY=${VIRUSMAILS_DELETE_DELAY}
- ENABLE_POSTFIX_VIRTUAL_TRANSPORT=${ENABLE_POSTFIX_VIRTUAL_TRANSPORT}


@ -97,9 +97,3 @@ policyd-spf_time_limit = 3600
# Remove unwanted headers that reveail our privacy
smtp_header_checks = pcre:/etc/postfix/maps/sender_header_filter.pcre
# postSRSd rules to process spf mail forwarding
sender_canonical_maps = tcp:localhost:10001
sender_canonical_classes = envelope_sender
recipient_canonical_maps = tcp:localhost:10002
recipient_canonical_classes = envelope_recipient,header_recipient


@ -27,6 +27,7 @@ DEFAULT_VARS["POSTMASTER_ADDRESS"]="${POSTMASTER_ADDRESS:="postmaster@domain.com
DEFAULT_VARS["POSTSCREEN_ACTION"]="${POSTSCREEN_ACTION:="enforce"}"
DEFAULT_VARS["SPOOF_PROTECTION"]="${SPOOF_PROTECTION:="0"}"
DEFAULT_VARS["TLS_LEVEL"]="${TLS_LEVEL:="modern"}"
DEFAULT_VARS["ENABLE_SRS"]="${ENABLE_SRS:="0"}"
DEFAULT_VARS["REPORT_RECIPIENT"]="${REPORT_RECIPIENT:="0"}"
DEFAULT_VARS["REPORT_INTERVAL"]="${REPORT_INTERVAL:="daily"}"
##########################################################################
@ -126,6 +127,11 @@ function register_functions() {
_register_setup_function "_setup_spoof_protection"
fi
if [ "$ENABLE_SRS" = 1 ]; then
_register_setup_function "_setup_SRS"
_register_start_daemon "_start_daemons_postsrsd"
fi
_register_setup_function "_setup_postfix_access_control"
if [ ! -z "$AWS_SES_HOST" -a ! -z "$AWS_SES_USERPASS" ]; then
@ -733,6 +739,14 @@ function _setup_postfix_aliases() {
fi
}
function _setup_SRS() {
notify 'task' 'Setting up SRS'
postconf -e "sender_canonical_maps = tcp:localhost:10001"
postconf -e "sender_canonical_classes = envelope_sender"
postconf -e "recipient_canonical_maps = tcp:localhost:10002"
postconf -e "recipient_canonical_classes = envelope_recipient,header_recipient"
}
function _setup_dkim() {
notify 'task' 'Setting up DKIM'
@ -1292,6 +1306,11 @@ function _start_daemons_opendmarc() {
supervisorctl start opendmarc
}
function _start_daemons_postsrsd(){
notify 'task' 'Starting postsrsd ' 'n'
supervisorctl start postsrsd
}
function _start_daemons_postfix() {
notify 'task' 'Starting postfix' 'n'
supervisorctl start postfix
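Review bot: `_setup_SRS` (the hunk at -733) points Postfix's canonical maps at postsrsd, but nothing in this file's hunks provisions the secret postsrsd signs rewritten addresses with, or the domain it rewrites to. If both are whatever the package wrote while the image was built (not visible here, so worth confirming), every container started from the same image shares one signing secret, and an SRS address minted by one deployment would validate on another. I would create or mount the secret at first start and state the requirement at the top of the function, e.g. `# postsrsd's signing secret and rewrite domain must be set per deployment, never inherited from the image`. The body of `_start_daemons_postfix` continues outside the last hunk, so the relative start order of postsrsd and postfix cannot be checked from here.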


@ -124,7 +124,7 @@ command=/usr/local/bin/check-for-changes.sh
[program:postsrsd]
startsecs=0
autostart=true
autostart=false
autorestart=unexpected
stdout_logfile=/var/log/supervisor/%(program_name)s.log
stderr_logfile=/var/log/supervisor/%(program_name)s.log


@ -790,6 +790,26 @@ load 'test_helper/bats-assert/load'
assert_success
}
#
# postsrsd
#
@test "checking SRS: main.cf entries" {
run docker exec mail grep "sender_canonical_maps = tcp:localhost:10001" /etc/postfix/main.cf
assert_success
run docker exec mail grep "sender_canonical_classes = envelope_sender" /etc/postfix/main.cf
assert_success
run docker exec mail grep "recipient_canonical_maps = tcp:localhost:10002" /etc/postfix/main.cf
assert_success
run docker exec mail grep "recipient_canonical_classes = envelope_recipient,header_recipient" /etc/postfix/main.cf
assert_success
}
@test "checking SRS: postsrsd running" {
run docker exec mail /bin/sh -c "ps aux | grep ^postsrsd"
assert_success
}
#
# fail2ban
#
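Review bot: The four `grep` checks in "checking SRS: main.cf entries" use unanchored regex patterns, so a commented-out line or a longer value containing the same text would still pass. Asking Postfix for the effective value is stricter: `run docker exec mail postconf -h sender_canonical_maps` followed by `assert_output "tcp:localhost:10001"`, and likewise for the other three parameters. In "checking SRS: postsrsd running", `grep ^postsrsd` matches the USER column of `ps aux`, so it only proves that some process runs as a user of that name. No test in this hunk covers the default `ENABLE_SRS=0`, where the daemon should stay stopped and the canonical maps should be absent from main.cf. Since the commit's purpose is to make postsrsd optional, that negative case deserves a test against a container started without the variable.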