scripts: housekeeping & cleanup setup (1/2) (#3121)

This commit is contained in:
Georg Lauterbach 2023-02-27 20:21:45 +01:00 committed by GitHub
parent f35b60042f
commit 4b04c3e31c
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
11 changed files with 233 additions and 262 deletions


@ -2,12 +2,6 @@
# ------------------------------------------------------------ # ------------------------------------------------------------
# ? >> Sourcing helpers & stacks # ? >> Sourcing helpers & stacks
# 1. Helpers
# 2. Checks
# 3. Setup
# 4. Fixes
# 5. Miscellaneous
# 6. Daemons
# ------------------------------------------------------------ # ------------------------------------------------------------
# shellcheck source=./helpers/index.sh # shellcheck source=./helpers/index.sh
@ -22,12 +16,6 @@ source /usr/local/bin/check-stack.sh
# shellcheck source=./startup/setup-stack.sh # shellcheck source=./startup/setup-stack.sh
source /usr/local/bin/setup-stack.sh source /usr/local/bin/setup-stack.sh
# shellcheck source=./startup/fixes-stack.sh
source /usr/local/bin/fixes-stack.sh
# shellcheck source=./startup/misc-stack.sh
source /usr/local/bin/misc-stack.sh
# shellcheck source=./startup/daemons-stack.sh # shellcheck source=./startup/daemons-stack.sh
source /usr/local/bin/daemons-stack.sh source /usr/local/bin/daemons-stack.sh
@ -48,7 +36,6 @@ _early_variables_setup
function _register_functions function _register_functions
{ {
_log 'info' 'Initializing setup'
_log 'debug' 'Registering functions' _log 'debug' 'Registering functions'
# ? >> Checks # ? >> Checks
@ -93,39 +80,36 @@ function _register_functions
_register_setup_function '_setup_saslauthd' _register_setup_function '_setup_saslauthd'
fi fi
[[ ${ENABLE_POSTGREY} -eq 1 ]] && _register_setup_function '_setup_postgrey'
[[ ${POSTFIX_INET_PROTOCOLS} != 'all' ]] && _register_setup_function '_setup_postfix_inet_protocols' [[ ${POSTFIX_INET_PROTOCOLS} != 'all' ]] && _register_setup_function '_setup_postfix_inet_protocols'
[[ ${DOVECOT_INET_PROTOCOLS} != 'all' ]] && _register_setup_function '_setup_dovecot_inet_protocols' [[ ${DOVECOT_INET_PROTOCOLS} != 'all' ]] && _register_setup_function '_setup_dovecot_inet_protocols'
[[ ${ENABLE_FAIL2BAN} -eq 1 ]] && _register_setup_function '_setup_fail2ban'
[[ ${ENABLE_DNSBL} -eq 0 ]] && _register_setup_function '_setup_dnsbl_disable'
[[ ${CLAMAV_MESSAGE_SIZE_LIMIT} != '25M' ]] && _register_setup_function '_setup_clamav_sizelimit'
[[ ${ENABLE_RSPAMD} -eq 1 ]] && _register_setup_function '_setup_rspamd'
_register_setup_function '_setup_dkim_dmarc' _register_setup_function '_setup_opendkim'
_register_setup_function '_setup_opendmarc' # must come after `_setup_opendkim`
_register_setup_function '_setup_security_stack'
_register_setup_function '_setup_rspamd'
_register_setup_function '_setup_ssl' _register_setup_function '_setup_ssl'
_register_setup_function '_setup_docker_permit' _register_setup_function '_setup_docker_permit'
_register_setup_function '_setup_mailname' _register_setup_function '_setup_mailname'
_register_setup_function '_setup_amavis'
_register_setup_function '_setup_dmarc_hostname'
_register_setup_function '_setup_postfix_hostname'
_register_setup_function '_setup_dovecot_hostname' _register_setup_function '_setup_dovecot_hostname'
_register_setup_function '_setup_postfix_hostname'
_register_setup_function '_setup_postfix_smtputf8' _register_setup_function '_setup_postfix_smtputf8'
_register_setup_function '_setup_postfix_sasl' _register_setup_function '_setup_postfix_sasl'
_register_setup_function '_setup_security_stack'
_register_setup_function '_setup_postfix_aliases' _register_setup_function '_setup_postfix_aliases'
_register_setup_function '_setup_postfix_vhost' _register_setup_function '_setup_postfix_vhost'
_register_setup_function '_setup_postfix_dhparam' _register_setup_function '_setup_postfix_dhparam'
_register_setup_function '_setup_postfix_postscreen'
_register_setup_function '_setup_postfix_sizelimits' _register_setup_function '_setup_postfix_sizelimits'
# needs to come after _setup_postfix_aliases # needs to come after _setup_postfix_aliases
[[ ${SPOOF_PROTECTION} -eq 1 ]] && _register_setup_function '_setup_spoof_protection'
if [[ ${ENABLE_FETCHMAIL} -eq 1 ]] if [[ ${ENABLE_FETCHMAIL} -eq 1 ]]
then then
_register_setup_function '_setup_fetchmail' _register_setup_function '_setup_fetchmail'
[[ ${FETCHMAIL_PARALLEL} -eq 1 ]] && _register_setup_function '_setup_fetchmail_parallel' [[ ${FETCHMAIL_PARALLEL} -eq 1 ]] && _register_setup_function '_setup_fetchmail_parallel'
fi fi
_register_setup_function '_setup_spoof_protection'
if [[ ${ENABLE_SRS} -eq 1 ]] if [[ ${ENABLE_SRS} -eq 1 ]]
then then
@ -143,16 +127,8 @@ function _register_functions
_register_setup_function '_setup_mail_summary' _register_setup_function '_setup_mail_summary'
_register_setup_function '_setup_logwatch' _register_setup_function '_setup_logwatch'
# ? >> Fixes _register_setup_function '_setup_save_states'
_register_setup_function '_setup_apply_fixes_after_configuration'
_register_fix_function '_fix_var_mail_permissions'
[[ ${ENABLE_CLAMAV} -eq 0 ]] && _register_fix_function '_fix_cleanup_clamav'
[[ ${ENABLE_SPAMASSASSIN} -eq 0 ]] && _register_fix_function '_fix_cleanup_spamassassin'
# ? >> Miscellaneous
_register_misc_function '_misc_save_states'
_register_setup_function '_environment_variables_export' _register_setup_function '_environment_variables_export'
# ? >> Daemons # ? >> Daemons
@ -169,48 +145,27 @@ function _register_functions
_register_start_daemon '_start_daemon_rspamd' _register_start_daemon '_start_daemon_rspamd'
fi fi
[[ ${SMTP_ONLY} -ne 1 ]] && _register_start_daemon '_start_daemon_dovecot'
[[ ${ENABLE_UPDATE_CHECK} -eq 1 ]] && _register_start_daemon '_start_daemon_update_check'
# needs to be started before SASLauthd # needs to be started before SASLauthd
[[ ${ENABLE_OPENDKIM} -eq 1 ]] && _register_start_daemon '_start_daemon_opendkim' [[ ${ENABLE_OPENDKIM} -eq 1 ]] && _register_start_daemon '_start_daemon_opendkim'
[[ ${ENABLE_OPENDMARC} -eq 1 ]] && _register_start_daemon '_start_daemon_opendmarc' [[ ${ENABLE_OPENDMARC} -eq 1 ]] && _register_start_daemon '_start_daemon_opendmarc'
# needs to be started before postfix # needs to be started before postfix
[[ ${ENABLE_POSTGREY} -eq 1 ]] && _register_start_daemon '_start_daemon_postgrey' [[ ${ENABLE_POSTGREY} -eq 1 ]] && _register_start_daemon '_start_daemon_postgrey'
_register_start_daemon '_start_daemon_postfix' _register_start_daemon '_start_daemon_postfix'
# needs to be started after postfix # needs to be started after postfix
[[ ${ENABLE_SASLAUTHD} -eq 1 ]] && _register_start_daemon '_start_daemon_saslauthd' [[ ${ENABLE_SASLAUTHD} -eq 1 ]] && _register_start_daemon '_start_daemon_saslauthd'
[[ ${ENABLE_FAIL2BAN} -eq 1 ]] && _register_start_daemon '_start_daemon_fail2ban' [[ ${ENABLE_FAIL2BAN} -eq 1 ]] && _register_start_daemon '_start_daemon_fail2ban'
[[ ${ENABLE_FETCHMAIL} -eq 1 ]] && _register_start_daemon '_start_daemon_fetchmail' [[ ${ENABLE_FETCHMAIL} -eq 1 ]] && _register_start_daemon '_start_daemon_fetchmail'
[[ ${ENABLE_CLAMAV} -eq 1 ]] && _register_start_daemon '_start_daemon_clamav' [[ ${ENABLE_CLAMAV} -eq 1 ]] && _register_start_daemon '_start_daemon_clamav'
[[ ${ENABLE_AMAVIS} -eq 1 ]] && _register_start_daemon '_start_daemon_amavis' [[ ${ENABLE_AMAVIS} -eq 1 ]] && _register_start_daemon '_start_daemon_amavis'
[[ ${ACCOUNT_PROVISIONER} == 'FILE' ]] && _register_start_daemon '_start_daemon_changedetector' [[ ${ACCOUNT_PROVISIONER} == 'FILE' ]] && _register_start_daemon '_start_daemon_changedetector'
} }
function _register_start_daemon
{
DAEMONS_START+=("${1}")
_log 'trace' "${1}() registered"
}
function _register_fix_function
{
FUNCS_FIX+=("${1}")
_log 'trace' "${1}() registered"
}
function _register_check_function
{
FUNCS_CHECK+=("${1}")
_log 'trace' "${1}() registered"
}
function _register_misc_function
{
FUNCS_MISC+=("${1}")
_log 'trace' "${1}() registered"
}
# ------------------------------------------------------------ # ------------------------------------------------------------
# ? << Registering functions # ? << Registering functions
# -- # --
@ -223,8 +178,6 @@ _register_functions
_check _check
_setup _setup
[[ ${LOG_LEVEL} =~ (debug|trace) ]] && print-environment [[ ${LOG_LEVEL} =~ (debug|trace) ]] && print-environment
_apply_fixes
_start_misc
_setup_run_user_patches _setup_run_user_patches
_start_daemons _start_daemons
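Review bot: The comment `# needs to come after _setup_postfix_aliases` now sits directly above the `ENABLE_FETCHMAIL` block, while the call it describes moved below that block to `_register_setup_function '_setup_spoof_protection'`; moving the comment next to that registration keeps the ordering constraint readable. The relative order of state consolidation and the /var/mail permission fix is also reversed compared with the removed `_apply_fixes` / `_start_misc` calls: `_setup_save_states` is now registered before `_setup_apply_fixes_after_configuration`, so `_chown_var_mail_if_necessary` presumably runs after the state directory has been populated rather than before, which looks intended but deserves a one-line comment stating the required order. `_register_functions` begins and ends outside the hunk that contains these registrations.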


@ -1,5 +1,13 @@
#!/bin/bash #!/bin/bash
declare -a FUNCS_CHECK
function _register_check_function
{
FUNCS_CHECK+=("${1}")
_log 'trace' "${1}() registered"
}
function _check function _check
{ {
_log 'info' 'Checking configuration' _log 'info' 'Checking configuration'
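Review bot: `_register_check_function` appends `${1}` to `FUNCS_CHECK` and logs it as registered without verifying that the name resolves to a function, so a mistyped registration presumably only surfaces later when `_check` runs the array. Assuming every stack is sourced before `_register_functions` runs (which start.sh appears to do), `declare -F -- "${1}" >/dev/null || _shutdown "${1}() is not a defined function"` placed before the append would fail early with a clear message; the same applies to `_register_start_daemon` in the daemons-stack section below. A one-line header such as `# Queue a check function (by name) to be run by _check` would also help, since the file now owns both the array and its registration API.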


@ -1,5 +1,13 @@
#!/bin/bash #!/bin/bash
declare -a DAEMONS_START
function _register_start_daemon
{
DAEMONS_START+=("${1}")
_log 'trace' "${1}() registered"
}
function _start_daemons function _start_daemons
{ {
_log 'info' 'Starting daemons' _log 'info' 'Starting daemons'


@ -1,40 +0,0 @@
#!/bin/bash
function _apply_fixes
{
_log 'info' 'Post-configuration checks'
for FUNC in "${FUNCS_FIX[@]}"
do
${FUNC}
done
_log 'trace' 'Removing leftover PID files from a stop/start'
find /var/run/ -not -name 'supervisord.pid' -name '*.pid' -delete
touch /dev/shm/supervisor.sock
}
function _fix_var_mail_permissions
{
_log 'debug' 'Checking /var/mail permissions'
_chown_var_mail_if_necessary || _shutdown 'Failed to fix /var/mail permissions'
_log 'trace' 'Permissions in /var/mail look OK'
}
function _fix_cleanup_clamav
{
_log 'trace' 'Cleaning up disabled ClamAV'
rm /etc/logrotate.d/clamav-* /etc/cron.d/clamav-freshclam 2>/dev/null || {
# show warning only on first container start
[[ ! -f /CONTAINER_START ]] && _log 'warn' 'Failed to remove ClamAV configuration'
}
}
function _fix_cleanup_spamassassin
{
_log 'trace' 'Cleaning up disabled SpamAssassin'
rm /etc/cron.daily/spamassassin 2>/dev/null || {
# show warning only on first container start
[[ ! -f /CONTAINER_START ]] && _log 'warn' 'Failed to remove SpamAssassin configuration'
}
}


@ -111,3 +111,11 @@ function _setup_timezone
return 1 return 1
fi fi
} }
function _setup_apply_fixes_after_configuration
{
_log 'trace' 'Removing leftover PID files from a stop/start'
find /var/run/ -not -name 'supervisord.pid' -name '*.pid' -delete
touch /dev/shm/supervisor.sock
_log 'debug' 'Checking /var/mail permissions'
_chown_var_mail_if_necessary || _shutdown 'Failed to fix /var/mail permissions'
}
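Review bot: `find /var/run/ -not -name 'supervisord.pid' -name '*.pid' -delete` is not restricted to regular files, so a directory or symlink whose name ends in `.pid` is also a `-delete` candidate; `find /var/run/ -type f -name '*.pid' -not -name 'supervisord.pid' -delete` limits the cleanup to the PID files it is meant for. The function name promises it runs after configuration, but that only holds because of where start.sh registers it; a header comment such as `# Must be registered after every other setup function: removes stale PID files from a stop/start and re-checks /var/mail ownership` would make the precondition explicit. The `touch /dev/shm/supervisor.sock` line carries no explanation of why the socket is pre-created — a short why-comment would help the next reader.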


@ -1,17 +1,16 @@
#!/bin/bash #!/bin/bash
# Set up OpenDKIM
# Set up OpenDKIM & OpenDMARC.
# #
# ## Attention # ## Attention
# #
# The OpenDKIM milter must come before the OpenDMARC milter in Postfix's# # The OpenDKIM milter must come before the OpenDMARC milter in Postfix's
# `smtpd_milters` milters options. # `smtpd_milters` milters options.
function _setup_dkim_dmarc function _setup_opendkim
{ {
if [[ ${ENABLE_OPENDKIM} -eq 1 ]] if [[ ${ENABLE_OPENDKIM} -eq 1 ]]
then then
_log 'debug' 'Setting up DKIM' _log 'debug' 'Configuring DKIM'
mkdir -p /etc/opendkim/keys/ mkdir -p /etc/opendkim/keys/
touch /etc/opendkim/{SigningTable,TrustedHosts,KeyTable} touch /etc/opendkim/{SigningTable,TrustedHosts,KeyTable}
@ -43,26 +42,45 @@ function _setup_dkim_dmarc
echo "Nameservers ${NAMESERVER_IPS}" >>/etc/opendkim.conf echo "Nameservers ${NAMESERVER_IPS}" >>/etc/opendkim.conf
_log 'trace' "Nameservers added to '/etc/opendkim.conf'" _log 'trace' "Nameservers added to '/etc/opendkim.conf'"
fi fi
else
# Even though we do nothing here and the message suggests we perform some action, the
# message is due to the default value being `1`, i.e. enabled. If the default were `0`,
# we could have said `OpenDKIM is disabled`, but we need to make it uniform with all
# other functions.
_log 'debug' 'Disabling OpenDKIM'
fi fi
}
# Set up OpenDKIM
#
# ## Attention
#
# The OpenDMARC milter must come after the OpenDKIM milter in Postfix's
# `smtpd_milters` milters options.
function _setup_opendmarc
{
if [[ ${ENABLE_OPENDMARC} -eq 1 ]] if [[ ${ENABLE_OPENDMARC} -eq 1 ]]
then then
# TODO when disabling SPF is possible, add a check whether DKIM and SPF is disabled # TODO When disabling SPF is possible, add a check whether DKIM and SPF is disabled
# for DMARC to work, you should have at least one enabled # for DMARC to work, you should have at least one enabled
# (see RFC 7489 https://www.rfc-editor.org/rfc/rfc7489#page-24) # (see RFC 7489 https://www.rfc-editor.org/rfc/rfc7489#page-24)
_log 'debug' 'Configuring OpenDMARC'
_log 'trace' "Adding OpenDMARC to Postfix's milters" _log 'trace' "Adding OpenDMARC to Postfix's milters"
postconf 'dmarc_milter = inet:localhost:8893' postconf 'dmarc_milter = inet:localhost:8893'
# Make sure to append the OpenDMARC milter _after_ the OpenDKIM milter! # Make sure to append the OpenDMARC milter _after_ the OpenDKIM milter!
# shellcheck disable=SC2016 # shellcheck disable=SC2016
sed -i -E 's|^(smtpd_milters =.*)|\1 \$dmarc_milter|g' /etc/postfix/main.cf sed -i -E 's|^(smtpd_milters =.*)|\1 \$dmarc_milter|g' /etc/postfix/main.cf
sed -i \
-e "s|^AuthservID.*$|AuthservID ${HOSTNAME}|g" \
-e "s|^TrustedAuthservIDs.*$|TrustedAuthservIDs ${HOSTNAME}|g" \
/etc/opendmarc.conf
else
# Even though we do nothing here and the message suggests we perform some action, the
# message is due to the default value being `1`, i.e. enabled. If the default were `0`,
# we could have said `OpenDKIM is disabled`, but we need to make it uniform with all
# other functions.
_log 'debug' 'Disabling OpenDMARC'
fi fi
} }
function _setup_dmarc_hostname
{
_log 'debug' 'Setting up DMARC'
sed -i -e \
"s|^AuthservID.*$|AuthservID ${HOSTNAME}|g" \
-e "s|^TrustedAuthservIDs.*$|TrustedAuthservIDs ${HOSTNAME}|g" \
/etc/opendmarc.conf
}
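Review bot: The header comment above `function _setup_opendmarc` still reads `# Set up OpenDKIM`, and the comment in its `else` branch says `we could have said \`OpenDKIM is disabled\``; both are copy-paste leftovers from the DKIM function and should name OpenDMARC. The `AuthservID` / `TrustedAuthservIDs` rewrite of `/etc/opendmarc.conf` now only happens when `ENABLE_OPENDMARC` is 1, whereas the removed `_setup_dmarc_hostname` ran unconditionally; that looks intended but is worth one sentence in the function header. Because `${HOSTNAME}` is spliced into a `sed` replacement delimited by `|`, a hostname containing `|` or `&` would corrupt the substitution — pre-existing, but a comment noting the assumption that `HOSTNAME` is a plain hostname would be reasonable.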


@ -1,17 +1,8 @@
#!/bin/bash #!/bin/bash
function _start_misc # Consolidate all states into a single directory
{
_log 'info' 'Starting miscellaneous tasks'
for FUNC in "${FUNCS_MISC[@]}"
do
${FUNC}
done
}
# consolidate all states into a single directory
# (/var/mail-state) to allow persistence using docker volumes # (/var/mail-state) to allow persistence using docker volumes
function _misc_save_states function _setup_save_states
{ {
local STATEDIR FILE FILES local STATEDIR FILE FILES


@ -4,18 +4,79 @@ function _setup_security_stack
{ {
_log 'debug' 'Setting up Security Stack' _log 'debug' 'Setting up Security Stack'
__setup__security__postgrey
__setup__security__postscreen
# recreate auto-generated file # recreate auto-generated file
local DMS_AMAVIS_FILE=/etc/amavis/conf.d/61-dms_auto_generated local DMS_AMAVIS_FILE=/etc/amavis/conf.d/61-dms_auto_generated
echo "# WARNING: this file is auto-generated." >"${DMS_AMAVIS_FILE}" echo "# WARNING: this file is auto-generated." >"${DMS_AMAVIS_FILE}"
echo "use strict;" >>"${DMS_AMAVIS_FILE}" echo "use strict;" >>"${DMS_AMAVIS_FILE}"
# SpamAssassin __setup__security__spamassassin
if [[ ${ENABLE_SPAMASSASSIN} -eq 0 ]] __setup__security__clamav
echo '1; # ensure a defined return' >>"${DMS_AMAVIS_FILE}"
chmod 444 "${DMS_AMAVIS_FILE}"
__setup__security__fail2ban
__setup__security__amavis
}
function __setup__security__postgrey
{
if [[ ${ENABLE_POSTGREY} -eq 1 ]]
then then
_log 'debug' 'SpamAssassin is disabled' _log 'debug' 'Enabling and configuring Postgrey'
echo "@bypass_spam_checks_maps = (1);" >>"${DMS_AMAVIS_FILE}"
elif [[ ${ENABLE_SPAMASSASSIN} -eq 1 ]] sedfile -i -E \
's|(^smtpd_recipient_restrictions =.*)|\1, check_policy_service inet:127.0.0.1:10023|' \
/etc/postfix/main.cf
sed -i -e \
"s|\"--inet=127.0.0.1:10023\"|\"--inet=127.0.0.1:10023 --delay=${POSTGREY_DELAY} --max-age=${POSTGREY_MAX_AGE} --auto-whitelist-clients=${POSTGREY_AUTO_WHITELIST_CLIENTS}\"|" \
/etc/default/postgrey
if ! grep -i 'POSTGREY_TEXT' /etc/default/postgrey
then
printf 'POSTGREY_TEXT=\"%s\"\n\n' "${POSTGREY_TEXT}" >>/etc/default/postgrey
fi
if [[ -f /tmp/docker-mailserver/whitelist_clients.local ]]
then
cp -f /tmp/docker-mailserver/whitelist_clients.local /etc/postgrey/whitelist_clients.local
fi
if [[ -f /tmp/docker-mailserver/whitelist_recipients ]]
then
cp -f /tmp/docker-mailserver/whitelist_recipients /etc/postgrey/whitelist_recipients
fi
else
_log 'debug' 'Postscreen is disabled'
fi
}
function __setup__security__postscreen
{
_log 'debug' 'Configuring Postscreen'
sed -i \
-e "s|postscreen_dnsbl_action = enforce|postscreen_dnsbl_action = ${POSTSCREEN_ACTION}|" \
-e "s|postscreen_greet_action = enforce|postscreen_greet_action = ${POSTSCREEN_ACTION}|" \
-e "s|postscreen_bare_newline_action = enforce|postscreen_bare_newline_action = ${POSTSCREEN_ACTION}|" /etc/postfix/main.cf
if [[ ${ENABLE_DNSBL} -eq 0 ]]
then
_log 'debug' 'Disabling Postscreen DNSBLs'
postconf 'postscreen_dnsbl_action = ignore'
postconf 'postscreen_dnsbl_sites = '
else
_log 'debug' 'Postscreen DNSBLs are enabled'
fi
}
function __setup__security__spamassassin
{
if [[ ${ENABLE_SPAMASSASSIN} -eq 1 ]]
then then
_log 'debug' 'Enabling and configuring SpamAssassin' _log 'debug' 'Enabling and configuring SpamAssassin'
@ -28,6 +89,11 @@ function _setup_security_stack
# shellcheck disable=SC2016 # shellcheck disable=SC2016
sed -i -r 's|^\$sa_kill_level_deflt (.*);|\$sa_kill_level_deflt = '"${SA_KILL}"';|g' /etc/amavis/conf.d/20-debian_defaults sed -i -r 's|^\$sa_kill_level_deflt (.*);|\$sa_kill_level_deflt = '"${SA_KILL}"';|g' /etc/amavis/conf.d/20-debian_defaults
# fix cron.daily for spamassassin
sed -i \
's|invoke-rc.d spamassassin reload|/etc/init\.d/spamassassin reload|g' \
/etc/cron.daily/spamassassin
if [[ ${SA_SPAM_SUBJECT} == 'undef' ]] if [[ ${SA_SPAM_SUBJECT} == 'undef' ]]
then then
# shellcheck disable=SC2016 # shellcheck disable=SC2016
@ -96,25 +162,37 @@ EOF
chmod +x "${SPAMASSASSIN_KAM_CRON_FILE}" chmod +x "${SPAMASSASSIN_KAM_CRON_FILE}"
fi fi
else
_log 'debug' 'SpamAssassin is disabled'
echo "@bypass_spam_checks_maps = (1);" >>"${DMS_AMAVIS_FILE}"
rm -f /etc/cron.daily/spamassassin
fi fi
}
# ClamAV function __setup__security__clamav
if [[ ${ENABLE_CLAMAV} -eq 0 ]] {
if [[ ${ENABLE_CLAMAV} -eq 1 ]]
then then
_log 'debug' 'ClamAV is disabled' _log 'debug' 'Enabling and configuring ClamAV'
if [[ ${CLAMAV_MESSAGE_SIZE_LIMIT} != '25M' ]]
then
_log 'trace' "Setting ClamAV message scan size limit to '${CLAMAV_MESSAGE_SIZE_LIMIT}'"
sedfile -i \
"s/^MaxFileSize.*/MaxFileSize ${CLAMAV_MESSAGE_SIZE_LIMIT}/" \
/etc/clamav/clamd.conf
fi
else
_log 'debug' 'Disabling ClamAV'
echo '@bypass_virus_checks_maps = (1);' >>"${DMS_AMAVIS_FILE}" echo '@bypass_virus_checks_maps = (1);' >>"${DMS_AMAVIS_FILE}"
elif [[ ${ENABLE_CLAMAV} -eq 1 ]] rm -f /etc/logrotate.d/clamav-* /etc/cron.d/clamav-freshclam
then
_log 'debug' 'Enabling ClamAV'
fi fi
}
echo '1; # ensure a defined return' >>"${DMS_AMAVIS_FILE}" function __setup__security__fail2ban
chmod 444 "${DMS_AMAVIS_FILE}" {
# Fail2ban
if [[ ${ENABLE_FAIL2BAN} -eq 1 ]] if [[ ${ENABLE_FAIL2BAN} -eq 1 ]]
then then
_log 'debug' 'Enabling Fail2Ban' _log 'debug' 'Enabling and configuring Fail2Ban'
if [[ -e /tmp/docker-mailserver/fail2ban-fail2ban.cf ]] if [[ -e /tmp/docker-mailserver/fail2ban-fail2ban.cf ]]
then then
@ -125,20 +203,24 @@ EOF
then then
cp /tmp/docker-mailserver/fail2ban-jail.cf /etc/fail2ban/jail.d/user-jail.local cp /tmp/docker-mailserver/fail2ban-jail.cf /etc/fail2ban/jail.d/user-jail.local
fi fi
if [[ ${FAIL2BAN_BLOCKTYPE} != 'reject' ]]
then
echo -e '[Init]\nblocktype = drop' >/etc/fail2ban/action.d/nftables-common.local
fi
echo '[Definition]' >/etc/fail2ban/filter.d/custom.conf
else else
# disable logrotate config for fail2ban if not enabled _log 'debug' 'Fail2Ban is disabled'
rm -f /etc/logrotate.d/fail2ban rm -f /etc/logrotate.d/fail2ban
fi fi
}
# fix cron.daily for spamassassin function __setup__security__amavis
sed -i \ {
's|invoke-rc.d spamassassin reload|/etc/init\.d/spamassassin reload|g' \
/etc/cron.daily/spamassassin
# Amavis
if [[ ${ENABLE_AMAVIS} -eq 1 ]] if [[ ${ENABLE_AMAVIS} -eq 1 ]]
then then
_log 'debug' 'Enabling Amavis' _log 'debug' 'Configuring Amavis'
if [[ -f /tmp/docker-mailserver/amavis.cf ]] if [[ -f /tmp/docker-mailserver/amavis.cf ]]
then then
cp /tmp/docker-mailserver/amavis.cf /etc/amavis/conf.d/50-user cp /tmp/docker-mailserver/amavis.cf /etc/amavis/conf.d/50-user
@ -147,14 +229,6 @@ EOF
sed -i -E \ sed -i -E \
"s|(log_level).*|\1 = ${AMAVIS_LOGLEVEL};|g" \ "s|(log_level).*|\1 = ${AMAVIS_LOGLEVEL};|g" \
/etc/amavis/conf.d/49-docker-mailserver /etc/amavis/conf.d/49-docker-mailserver
fi
}
function _setup_amavis
{
if [[ ${ENABLE_AMAVIS} -eq 1 ]]
then
_log 'debug' 'Setting up Amavis'
cat /etc/dms/postfix/master.d/postfix-amavis.cf >>/etc/postfix/master.cf cat /etc/dms/postfix/master.d/postfix-amavis.cf >>/etc/postfix/master.cf
postconf 'content_filter = smtp-amavis:[127.0.0.1]:10024' postconf 'content_filter = smtp-amavis:[127.0.0.1]:10024'
@ -163,7 +237,9 @@ function _setup_amavis
"s|^#\$myhostname = \"mail.example.com\";|\$myhostname = \"${HOSTNAME}\";|" \ "s|^#\$myhostname = \"mail.example.com\";|\$myhostname = \"${HOSTNAME}\";|" \
/etc/amavis/conf.d/05-node_id /etc/amavis/conf.d/05-node_id
else else
_log 'debug' 'Disabling Amavis cron job' _log 'debug' 'Disabling Amavis'
_log 'trace' 'Disabling Amavis cron job'
mv /etc/cron.d/amavisd-new /etc/cron.d/amavisd-new.disabled mv /etc/cron.d/amavisd-new /etc/cron.d/amavisd-new.disabled
chmod 0 /etc/cron.d/amavisd-new.disabled chmod 0 /etc/cron.d/amavisd-new.disabled
@ -178,88 +254,3 @@ function _setup_amavis
fi fi
fi fi
} }
function _setup_fail2ban
{
_log 'debug' 'Setting up Fail2Ban'
if [[ ${FAIL2BAN_BLOCKTYPE} != 'reject' ]]
then
echo -e '[Init]\nblocktype = drop' >/etc/fail2ban/action.d/nftables-common.local
fi
echo '[Definition]' >/etc/fail2ban/filter.d/custom.conf
}
function _setup_postgrey
{
_log 'debug' 'Configuring Postgrey'
sedfile -i -E \
's|(^smtpd_recipient_restrictions =.*)|\1, check_policy_service inet:127.0.0.1:10023|' \
/etc/postfix/main.cf
sed -i -e \
"s|\"--inet=127.0.0.1:10023\"|\"--inet=127.0.0.1:10023 --delay=${POSTGREY_DELAY} --max-age=${POSTGREY_MAX_AGE} --auto-whitelist-clients=${POSTGREY_AUTO_WHITELIST_CLIENTS}\"|" \
/etc/default/postgrey
TEXT_FOUND=$(grep -c -i 'POSTGREY_TEXT' /etc/default/postgrey)
if [[ ${TEXT_FOUND} -eq 0 ]]
then
printf 'POSTGREY_TEXT=\"%s\"\n\n' "${POSTGREY_TEXT}" >>/etc/default/postgrey
fi
if [[ -f /tmp/docker-mailserver/whitelist_clients.local ]]
then
cp -f /tmp/docker-mailserver/whitelist_clients.local /etc/postgrey/whitelist_clients.local
fi
if [[ -f /tmp/docker-mailserver/whitelist_recipients ]]
then
cp -f /tmp/docker-mailserver/whitelist_recipients /etc/postgrey/whitelist_recipients
fi
}
function _setup_postfix_postscreen
{
_log 'debug' 'Configuring Postscreen'
sed -i \
-e "s|postscreen_dnsbl_action = enforce|postscreen_dnsbl_action = ${POSTSCREEN_ACTION}|" \
-e "s|postscreen_greet_action = enforce|postscreen_greet_action = ${POSTSCREEN_ACTION}|" \
-e "s|postscreen_bare_newline_action = enforce|postscreen_bare_newline_action = ${POSTSCREEN_ACTION}|" /etc/postfix/main.cf
}
function _setup_clamav_sizelimit
{
_log 'trace' "Setting ClamAV message scan size limit to '${CLAMAV_MESSAGE_SIZE_LIMIT}'"
sedfile -i "s/^MaxFileSize.*/MaxFileSize ${CLAMAV_MESSAGE_SIZE_LIMIT}/" /etc/clamav/clamd.conf
}
function _setup_spoof_protection
{
_log 'trace' 'Configuring spoof protection'
sed -i \
's|smtpd_sender_restrictions =|smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch,|' \
/etc/postfix/main.cf
if [[ ${ACCOUNT_PROVISIONER} == 'LDAP' ]]
then
if [[ -z ${LDAP_QUERY_FILTER_SENDERS} ]]
then
postconf 'smtpd_sender_login_maps = ldap:/etc/postfix/ldap-users.cf ldap:/etc/postfix/ldap-aliases.cf ldap:/etc/postfix/ldap-groups.cf'
else
postconf 'smtpd_sender_login_maps = ldap:/etc/postfix/ldap-senders.cf'
fi
else
if [[ -f /etc/postfix/regexp ]]
then
postconf 'smtpd_sender_login_maps = unionmap:{ texthash:/etc/postfix/virtual, hash:/etc/aliases, pcre:/etc/postfix/maps/sender_login_maps.pcre, pcre:/etc/postfix/regexp }'
else
postconf 'smtpd_sender_login_maps = texthash:/etc/postfix/virtual, hash:/etc/aliases, pcre:/etc/postfix/maps/sender_login_maps.pcre'
fi
fi
}
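Review bot: In `__setup__security__postgrey` the `else` branch logs `'Postscreen is disabled'` although the function gates on `ENABLE_POSTGREY`; it should read `_log 'debug' 'Postgrey is disabled'`. In the same function `if ! grep -i 'POSTGREY_TEXT' /etc/default/postgrey` replaced a `grep -c` test and now prints any matching line to stdout during startup; `if ! grep -q -i 'POSTGREY_TEXT' /etc/default/postgrey` keeps the check silent. The helpers `__setup__security__spamassassin` and `__setup__security__clamav` in the later hunks append to `${DMS_AMAVIS_FILE}`, which is declared `local` in `_setup_security_stack` and only reaches them through bash's dynamic scoping; a comment on that `local` line such as `# also written by the __setup__security__* helpers called below (dynamic scope)` would make the coupling visible. `_setup_security_stack` starts in this hunk's header context, and the split helpers continue across the following hunks.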


@ -2,13 +2,18 @@
function _setup_rspamd function _setup_rspamd
{ {
_log 'warn' 'Rspamd integration is work in progress - expect (breaking) changes at any time' if [[ ${ENABLE_RSPAMD} -eq 1 ]]
_log 'debug' 'Enabling Rspamd' then
_log 'warn' 'Rspamd integration is work in progress - expect (breaking) changes at any time'
_log 'debug' 'Enabling and configuring Rspamd'
__rspamd__preflight_checks __rspamd__preflight_checks
__rspamd__adjust_postfix_configuration __rspamd__adjust_postfix_configuration
__rspamd__disable_default_modules __rspamd__disable_default_modules
__rspamd__handle_modules_configuration __rspamd__handle_modules_configuration
else
_log 'debug' 'Rspamd is disabled'
fi
} }
# Just a helper to prepend the log messages with `(Rspamd setup)` so # Just a helper to prepend the log messages with `(Rspamd setup)` so


@ -0,0 +1,32 @@
#!/bin/bash
function _setup_spoof_protection
{
if [[ ${SPOOF_PROTECTION} -eq 1 ]]
then
_log 'trace' 'Enabling and configuring spoof protection'
sed -i \
's|smtpd_sender_restrictions =|smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch,|' \
/etc/postfix/main.cf
if [[ ${ACCOUNT_PROVISIONER} == 'LDAP' ]]
then
if [[ -z ${LDAP_QUERY_FILTER_SENDERS} ]]
then
postconf 'smtpd_sender_login_maps = ldap:/etc/postfix/ldap-users.cf ldap:/etc/postfix/ldap-aliases.cf ldap:/etc/postfix/ldap-groups.cf'
else
postconf 'smtpd_sender_login_maps = ldap:/etc/postfix/ldap-senders.cf'
fi
else
if [[ -f /etc/postfix/regexp ]]
then
postconf 'smtpd_sender_login_maps = unionmap:{ texthash:/etc/postfix/virtual, hash:/etc/aliases, pcre:/etc/postfix/maps/sender_login_maps.pcre, pcre:/etc/postfix/regexp }'
else
postconf 'smtpd_sender_login_maps = texthash:/etc/postfix/virtual, hash:/etc/aliases, pcre:/etc/postfix/maps/sender_login_maps.pcre'
fi
fi
else
_log 'debug' 'Spoof protection is disabled'
fi
}
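Review bot: The `sed -i 's|smtpd_sender_restrictions =|...|'` expression is not anchored, so any line that merely contains `smtpd_sender_restrictions =` — a commented-out copy, for instance — is rewritten too; `'s|^smtpd_sender_restrictions =|smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch,|'` limits it to the real setting. The new file also has no header explaining what the function enforces or its ordering dependency, which start.sh only records as `# needs to come after _setup_postfix_aliases`; a comment such as `# Rejects mail whose SASL login does not own the envelope sender (smtpd_sender_login_maps); the FILE branch reads /etc/postfix/virtual and /etc/aliases, so this must run after _setup_postfix_aliases.` would capture both.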


@ -3,9 +3,6 @@
# shellcheck disable=SC2034 # shellcheck disable=SC2034
declare -A VARS declare -A VARS
# shellcheck disable=SC2034
declare -a FUNCS_FIX FUNCS_CHECK FUNCS_MISC DAEMONS_START
function _early_variables_setup function _early_variables_setup
{ {
_obtain_hostname_and_domainname _obtain_hostname_and_domainname