From 40e2d8848232d62ca5782cb143043078604bb97e Mon Sep 17 00:00:00 2001
From: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
Date: Mon, 6 Jun 2022 10:59:42 +1200
Subject: [PATCH] chore: Merge `helpers/sasl.sh` into `helpers/relay.sh` (#2605)

This helper was to support an earlier ENV for SASL auth support. When extracting logic into individual helpers, it was assumed this was separate from relay support, which it appears was not the case. --- The `SASL_PASSWD` ENV is specified in tests but no longer used. There is no `external-domain.com` relay configured or tested against anywhere in the project. The ENV was likely used in tests prior to improved relay support that allowed for adding more than a single set of relay credentials. --- It likewise has no real relevance anywhere else outside of `relay.sh` as it's the only portion of code to operate with it. It's only relevant for SASL auth as an SMTP client, not the SMTP server (`smtpd`) SASL support that is delegated to Dovecot. Functionality has been completely migrated into `relay.sh` as a result. Documentation is poor for this ENV, it is unlikely in wide use? Should consider for removal. --- The ENV has been dependent upon `RELAY_HOST` to actually enable postfix to use `/etc/postfix/sasl_passwd`, thus not likely relevant in existing setups? --- Migrate `/etc/postfix/sasl_passwd` check from `tests.bats` as it belongs to relay tests.
---
 target/scripts/helpers/index.sh | 1 -
 target/scripts/helpers/relay.sh | 34 +++++++++++++++++++--------
 target/scripts/helpers/sasl.sh | 22 -----------------
 target/scripts/start-mailserver.sh | 1 -
 target/scripts/startup/setup-stack.sh | 15 ------------
 test/mail_privacy.bats | 1 -
 test/mail_with_relays.bats | 5 ++++
 test/tests.bats | 6 -----
 8 files changed, 29 insertions(+), 56 deletions(-)
 delete mode 100644 target/scripts/helpers/sasl.sh
diff --git a/target/scripts/helpers/index.sh b/target/scripts/helpers/index.sh
index 027e0e6a..41d1b098 100644
--- a/target/scripts/helpers/index.sh
+++ b/target/scripts/helpers/index.sh
@@ -17,7 +17,6 @@ function _import_scripts
 source "${PATH_TO_SCRIPTS}/network.sh"
 source "${PATH_TO_SCRIPTS}/postfix.sh"
 source "${PATH_TO_SCRIPTS}/relay.sh"
- source "${PATH_TO_SCRIPTS}/sasl.sh"
 source "${PATH_TO_SCRIPTS}/ssl.sh"
 source "${PATH_TO_SCRIPTS}/utils.sh"
 }
diff --git a/target/scripts/helpers/relay.sh b/target/scripts/helpers/relay.sh
index d1ae382e..8852bd44 100644
--- a/target/scripts/helpers/relay.sh
+++ b/target/scripts/helpers/relay.sh
@@ -64,16 +64,36 @@ function _env_relay_host
 # `/etc/postfix/sasl_passwd` example at end of file.
 function _relayhost_sasl
 {
- if [[ ! -f /tmp/docker-mailserver/postfix-sasl-password.cf ]] && [[ -z ${RELAY_USER} || -z ${RELAY_PASSWORD} ]]
+ if [[ ! -f /tmp/docker-mailserver/postfix-sasl-password.cf ]] \
+ && [[ -z ${RELAY_USER} || -z ${RELAY_PASSWORD} ]] \
+ && [[ -z ${SASL_PASSWD} ]]
 then
- _log 'warn' "No relay auth file found and no default set"
+ _log 'warn' "Missing relay-host mapped credentials provided via ENV, or from postfix-sasl-password.cf"
 return 1
 fi
+ _log 'trace' "Adding relay-host credential mappings to Postfix"
+
+ # Start from a new `/etc/postfix/sasl_passwd`:
+ : >/etc/postfix/sasl_passwd
+ chown root:root /etc/postfix/sasl_passwd
+ chmod 0600 /etc/postfix/sasl_passwd
+
+ # SASL_PASSWD is a legacy ENV, not likely in use by any users.
+ #
+ # Single ENV for specifying ` :`,
+ # Where `` must match the equivalent ENV,
+ # while the other two have no dependency to their equivalent ENV.
+ # SASL_PASSWD requires `smtp_sasl_password_maps` to be enabled - but that has only
+ # ever been via this function which relies upon RELAY_HOST. Hence redundant.
+ # TODO: Deprecate. Remove on next major version?
+ if [[ -n ${SASL_PASSWD} ]]
+ then
+ echo "${SASL_PASSWD}" >> /etc/postfix/sasl_passwd
+ fi
+
 if [[ -f /tmp/docker-mailserver/postfix-sasl-password.cf ]]
 then
- _log 'trace' "Adding relay authentication from postfix-sasl-password.cf"
-
 # Add domain-specific auth from config file:
 while read -r LINE
 do
@@ -93,8 +113,6 @@ function _relayhost_sasl
 echo "$(_env_relay_host) ${RELAY_USER}:${RELAY_PASSWORD}" >> /etc/postfix/sasl_passwd
 fi
- _sasl_set_passwd_permissions
-
 # Technically if only a single relay host is configured, a `static` lookup table could be used instead?:
 # postconf "smtp_sasl_password_maps = static:${RELAY_USER}:${RELAY_PASSWORD}"
 postconf 'smtp_sasl_password_maps = texthash:/etc/postfix/sasl_passwd'
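Review bot: The early `return 1` in `_relayhost_sasl` now runs before `: >/etc/postfix/sasl_passwd`, so when every credential source has been removed, an existing `/etc/postfix/sasl_passwd` appears to stay on disk with its old relay credentials. Before this commit `_rebuild_relayhost` called `_sasl_passwd_create` first, which ran `rm -f /etc/postfix/sasl_passwd` when `SASL_PASSWD` was empty. Moving the truncate and the `chown`/`chmod` lines above the guard would keep that clean-up. The results of `chown root:root` and `chmod 0600` are also not checked before secrets are appended to the file; `chmod 0600 /etc/postfix/sasl_passwd || return 1` would stop credentials from landing in a file left at the default mode. The body of `_relayhost_sasl` continues past the end of this hunk.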
@@ -196,7 +214,6 @@ function _setup_relayhost
 then
 _log 'trace' "Setting up relay hosts (default: ${RELAY_HOST})"
- # Expects `_sasl_passwd_create` was called prior in `setup-stack.sh`
 _relayhost_sasl
 _populate_relayhost_map
@@ -208,9 +225,6 @@ function _rebuild_relayhost
 {
 if [[ -n ${RELAY_HOST} ]]
 then
- # Start from a new `/etc/postfix/sasl_passwd` state:
- _sasl_passwd_create
-
 _relayhost_sasl
 _populate_relayhost_map
 fi
diff --git a/target/scripts/helpers/sasl.sh b/target/scripts/helpers/sasl.sh
deleted file mode 100644
index e5fb7a16..00000000
--- a/target/scripts/helpers/sasl.sh
+++ /dev/null
@@ -1,22 +0,0 @@
-#! /bin/bash
-
-function _sasl_passwd_create
-{
- if [[ -n ${SASL_PASSWD} ]]
- then
- # create SASL password
- echo "${SASL_PASSWD}" > /etc/postfix/sasl_passwd
- _sasl_set_passwd_permissions
- else
- rm -f /etc/postfix/sasl_passwd
- fi
-}
-
-function _sasl_set_passwd_permissions
-{
- if [[ -f /etc/postfix/sasl_passwd ]]
- then
- chown root:root /etc/postfix/sasl_passwd
- chmod 0600 /etc/postfix/sasl_passwd
- fi
-}
diff --git a/target/scripts/start-mailserver.sh b/target/scripts/start-mailserver.sh
index fc189772..5a46490e 100755
--- a/target/scripts/start-mailserver.sh
+++ b/target/scripts/start-mailserver.sh
@@ -215,7 +215,6 @@ function _register_functions
 _register_setup_function '_setup_dovecot_hostname'
 _register_setup_function '_setup_postfix_smtputf8'
 _register_setup_function '_setup_postfix_sasl'
- _register_setup_function '_setup_postfix_sasl_password'
 _register_setup_function '_setup_security_stack'
 _register_setup_function '_setup_postfix_aliases'
 _register_setup_function '_setup_postfix_vhost'
diff --git a/target/scripts/startup/setup-stack.sh b/target/scripts/startup/setup-stack.sh
index 0d8293f5..6043509c 100644
--- a/target/scripts/startup/setup-stack.sh
+++ b/target/scripts/startup/setup-stack.sh
@@ -764,21 +764,6 @@ function _setup_postfix_override_configuration
 fi
 }
-function _setup_postfix_sasl_password
-{
- _log 'debug' 'Setting up Postfix SASL Password'
-
- # support general SASL password
- _sasl_passwd_create
-
- if [[ -f /etc/postfix/sasl_passwd ]]
- then
- _log 'trace' 'Loaded SASL_PASSWD'
- else
- _log 'debug' "SASL_PASSWD was not provided - '/etc/postfix/sasl_passwd' not created"
- fi
-}
-
 function _setup_postfix_relay_hosts
 {
 _setup_relayhost
diff --git a/test/mail_privacy.bats b/test/mail_privacy.bats
index ba489b04..c83d5087 100644
--- a/test/mail_privacy.bats
+++ b/test/mail_privacy.bats
@@ -7,7 +7,6 @@ function setup_file() {
 docker run -d --name mail_privacy \
 -v "${PRIVATE_CONFIG}":/tmp/docker-mailserver \
 -v "$(pwd)/test/test-files":/tmp/docker-mailserver-test:ro \
- -e SASL_PASSWD="external-domain.com username:password" \
 -e ENABLE_MANAGESIEVE=1 \
 --cap-add=SYS_PTRACE \
 -e PERMIT_DOCKER=host \
diff --git a/test/mail_with_relays.bats b/test/mail_with_relays.bats
index 44279849..ecd2112f 100644
--- a/test/mail_with_relays.bats
+++ b/test/mail_with_relays.bats
@@ -64,6 +64,11 @@ function teardown_file() {
 assert_output ''
 }
+@test "checking relay hosts: sasl_passwd exists" {
+ run docker exec mail_with_relays [ -f /etc/postfix/sasl_passwd ]
+ assert_success
+}
+
 @test "checking relay hosts: auth entry is added" {
 run docker exec mail_with_relays /bin/sh -c 'cat /etc/postfix/sasl_passwd | grep -e "^@domaintwo.tld\s\+smtp_user_2:smtp_password_2" | wc -l'
 assert_success
diff --git a/test/tests.bats b/test/tests.bats
index 5ace6b09..81743446 100644
--- a/test/tests.bats
+++ b/test/tests.bats
@@ -31,7 +31,6 @@ setup_file() {
 -e SA_SPAM_SUBJECT="SPAM: " \
 -e SA_TAG=-5.0 \
 -e SA_TAG2=2.0 \
- -e SASL_PASSWD="external-domain.com username:password" \
 -e SPAMASSASSIN_SPAM_TO_INBOX=0 \
 -e SPOOF_PROTECTION=1 \
 -e SSL_TYPE='snakeoil' \
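Review bot: The test added to `test/mail_with_relays.bats` asserts only that `/etc/postfix/sasl_passwd` exists, although this commit also moves the `chown root:root` and `chmod 0600` calls into `_relayhost_sasl`, so a regression in the credential file's mode or owner would pass unnoticed. A further check such as `run docker exec mail_with_relays stat -c '%a %U:%G' /etc/postfix/sasl_passwd` followed by `assert_output '600 root:root'` would pin it. With `-e SASL_PASSWD=...` dropped from `test/mail_privacy.bats` and `test/tests.bats`, the legacy `SASL_PASSWD` branch that `relay.sh` still carries appears to have no coverage in the visible hunks.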
@@ -175,11 +174,6 @@ teardown_file() {
 assert_success
 }
-@test "checking sasl: sasl_passwd exists" {
- run docker exec mail [ -f /etc/postfix/sasl_passwd ]
- assert_success
-}
-
 #
 # logs
 #