scripts: housekeeping & cleanup setup (1/2) (#3121)
This commit is contained in:
parent
f35b60042f
commit
4b04c3e31c
|
@ -2,12 +2,6 @@
|
||||||
|
|
||||||
# ------------------------------------------------------------
|
# ------------------------------------------------------------
|
||||||
# ? >> Sourcing helpers & stacks
|
# ? >> Sourcing helpers & stacks
|
||||||
# 1. Helpers
|
|
||||||
# 2. Checks
|
|
||||||
# 3. Setup
|
|
||||||
# 4. Fixes
|
|
||||||
# 5. Miscellaneous
|
|
||||||
# 6. Daemons
|
|
||||||
# ------------------------------------------------------------
|
# ------------------------------------------------------------
|
||||||
|
|
||||||
# shellcheck source=./helpers/index.sh
|
# shellcheck source=./helpers/index.sh
|
||||||
|
@ -22,12 +16,6 @@ source /usr/local/bin/check-stack.sh
|
||||||
# shellcheck source=./startup/setup-stack.sh
|
# shellcheck source=./startup/setup-stack.sh
|
||||||
source /usr/local/bin/setup-stack.sh
|
source /usr/local/bin/setup-stack.sh
|
||||||
|
|
||||||
# shellcheck source=./startup/fixes-stack.sh
|
|
||||||
source /usr/local/bin/fixes-stack.sh
|
|
||||||
|
|
||||||
# shellcheck source=./startup/misc-stack.sh
|
|
||||||
source /usr/local/bin/misc-stack.sh
|
|
||||||
|
|
||||||
# shellcheck source=./startup/daemons-stack.sh
|
# shellcheck source=./startup/daemons-stack.sh
|
||||||
source /usr/local/bin/daemons-stack.sh
|
source /usr/local/bin/daemons-stack.sh
|
||||||
|
|
||||||
|
@ -48,7 +36,6 @@ _early_variables_setup
|
||||||
|
|
||||||
function _register_functions
|
function _register_functions
|
||||||
{
|
{
|
||||||
_log 'info' 'Initializing setup'
|
|
||||||
_log 'debug' 'Registering functions'
|
_log 'debug' 'Registering functions'
|
||||||
|
|
||||||
# ? >> Checks
|
# ? >> Checks
|
||||||
|
@ -93,39 +80,36 @@ function _register_functions
|
||||||
_register_setup_function '_setup_saslauthd'
|
_register_setup_function '_setup_saslauthd'
|
||||||
fi
|
fi
|
||||||
|
|
||||||
[[ ${ENABLE_POSTGREY} -eq 1 ]] && _register_setup_function '_setup_postgrey'
|
|
||||||
[[ ${POSTFIX_INET_PROTOCOLS} != 'all' ]] && _register_setup_function '_setup_postfix_inet_protocols'
|
[[ ${POSTFIX_INET_PROTOCOLS} != 'all' ]] && _register_setup_function '_setup_postfix_inet_protocols'
|
||||||
[[ ${DOVECOT_INET_PROTOCOLS} != 'all' ]] && _register_setup_function '_setup_dovecot_inet_protocols'
|
[[ ${DOVECOT_INET_PROTOCOLS} != 'all' ]] && _register_setup_function '_setup_dovecot_inet_protocols'
|
||||||
[[ ${ENABLE_FAIL2BAN} -eq 1 ]] && _register_setup_function '_setup_fail2ban'
|
|
||||||
[[ ${ENABLE_DNSBL} -eq 0 ]] && _register_setup_function '_setup_dnsbl_disable'
|
|
||||||
[[ ${CLAMAV_MESSAGE_SIZE_LIMIT} != '25M' ]] && _register_setup_function '_setup_clamav_sizelimit'
|
|
||||||
[[ ${ENABLE_RSPAMD} -eq 1 ]] && _register_setup_function '_setup_rspamd'
|
|
||||||
|
|
||||||
_register_setup_function '_setup_dkim_dmarc'
|
_register_setup_function '_setup_opendkim'
|
||||||
|
_register_setup_function '_setup_opendmarc' # must come after `_setup_opendkim`
|
||||||
|
|
||||||
|
_register_setup_function '_setup_security_stack'
|
||||||
|
_register_setup_function '_setup_rspamd'
|
||||||
|
|
||||||
_register_setup_function '_setup_ssl'
|
_register_setup_function '_setup_ssl'
|
||||||
_register_setup_function '_setup_docker_permit'
|
_register_setup_function '_setup_docker_permit'
|
||||||
_register_setup_function '_setup_mailname'
|
_register_setup_function '_setup_mailname'
|
||||||
_register_setup_function '_setup_amavis'
|
|
||||||
_register_setup_function '_setup_dmarc_hostname'
|
|
||||||
_register_setup_function '_setup_postfix_hostname'
|
|
||||||
_register_setup_function '_setup_dovecot_hostname'
|
_register_setup_function '_setup_dovecot_hostname'
|
||||||
|
|
||||||
|
_register_setup_function '_setup_postfix_hostname'
|
||||||
_register_setup_function '_setup_postfix_smtputf8'
|
_register_setup_function '_setup_postfix_smtputf8'
|
||||||
_register_setup_function '_setup_postfix_sasl'
|
_register_setup_function '_setup_postfix_sasl'
|
||||||
_register_setup_function '_setup_security_stack'
|
|
||||||
_register_setup_function '_setup_postfix_aliases'
|
_register_setup_function '_setup_postfix_aliases'
|
||||||
_register_setup_function '_setup_postfix_vhost'
|
_register_setup_function '_setup_postfix_vhost'
|
||||||
_register_setup_function '_setup_postfix_dhparam'
|
_register_setup_function '_setup_postfix_dhparam'
|
||||||
_register_setup_function '_setup_postfix_postscreen'
|
|
||||||
_register_setup_function '_setup_postfix_sizelimits'
|
_register_setup_function '_setup_postfix_sizelimits'
|
||||||
|
|
||||||
# needs to come after _setup_postfix_aliases
|
# needs to come after _setup_postfix_aliases
|
||||||
[[ ${SPOOF_PROTECTION} -eq 1 ]] && _register_setup_function '_setup_spoof_protection'
|
|
||||||
|
|
||||||
if [[ ${ENABLE_FETCHMAIL} -eq 1 ]]
|
if [[ ${ENABLE_FETCHMAIL} -eq 1 ]]
|
||||||
then
|
then
|
||||||
_register_setup_function '_setup_fetchmail'
|
_register_setup_function '_setup_fetchmail'
|
||||||
[[ ${FETCHMAIL_PARALLEL} -eq 1 ]] && _register_setup_function '_setup_fetchmail_parallel'
|
[[ ${FETCHMAIL_PARALLEL} -eq 1 ]] && _register_setup_function '_setup_fetchmail_parallel'
|
||||||
fi
|
fi
|
||||||
|
_register_setup_function '_setup_spoof_protection'
|
||||||
|
|
||||||
if [[ ${ENABLE_SRS} -eq 1 ]]
|
if [[ ${ENABLE_SRS} -eq 1 ]]
|
||||||
then
|
then
|
||||||
|
@ -143,16 +127,8 @@ function _register_functions
|
||||||
_register_setup_function '_setup_mail_summary'
|
_register_setup_function '_setup_mail_summary'
|
||||||
_register_setup_function '_setup_logwatch'
|
_register_setup_function '_setup_logwatch'
|
||||||
|
|
||||||
# ? >> Fixes
|
_register_setup_function '_setup_save_states'
|
||||||
|
_register_setup_function '_setup_apply_fixes_after_configuration'
|
||||||
_register_fix_function '_fix_var_mail_permissions'
|
|
||||||
|
|
||||||
[[ ${ENABLE_CLAMAV} -eq 0 ]] && _register_fix_function '_fix_cleanup_clamav'
|
|
||||||
[[ ${ENABLE_SPAMASSASSIN} -eq 0 ]] && _register_fix_function '_fix_cleanup_spamassassin'
|
|
||||||
|
|
||||||
# ? >> Miscellaneous
|
|
||||||
|
|
||||||
_register_misc_function '_misc_save_states'
|
|
||||||
_register_setup_function '_environment_variables_export'
|
_register_setup_function '_environment_variables_export'
|
||||||
|
|
||||||
# ? >> Daemons
|
# ? >> Daemons
|
||||||
|
@ -169,48 +145,27 @@ function _register_functions
|
||||||
_register_start_daemon '_start_daemon_rspamd'
|
_register_start_daemon '_start_daemon_rspamd'
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
[[ ${SMTP_ONLY} -ne 1 ]] && _register_start_daemon '_start_daemon_dovecot'
|
||||||
|
[[ ${ENABLE_UPDATE_CHECK} -eq 1 ]] && _register_start_daemon '_start_daemon_update_check'
|
||||||
|
|
||||||
# needs to be started before SASLauthd
|
# needs to be started before SASLauthd
|
||||||
[[ ${ENABLE_OPENDKIM} -eq 1 ]] && _register_start_daemon '_start_daemon_opendkim'
|
[[ ${ENABLE_OPENDKIM} -eq 1 ]] && _register_start_daemon '_start_daemon_opendkim'
|
||||||
[[ ${ENABLE_OPENDMARC} -eq 1 ]] && _register_start_daemon '_start_daemon_opendmarc'
|
[[ ${ENABLE_OPENDMARC} -eq 1 ]] && _register_start_daemon '_start_daemon_opendmarc'
|
||||||
|
|
||||||
# needs to be started before postfix
|
# needs to be started before postfix
|
||||||
[[ ${ENABLE_POSTGREY} -eq 1 ]] && _register_start_daemon '_start_daemon_postgrey'
|
[[ ${ENABLE_POSTGREY} -eq 1 ]] && _register_start_daemon '_start_daemon_postgrey'
|
||||||
|
|
||||||
_register_start_daemon '_start_daemon_postfix'
|
_register_start_daemon '_start_daemon_postfix'
|
||||||
|
|
||||||
# needs to be started after postfix
|
# needs to be started after postfix
|
||||||
[[ ${ENABLE_SASLAUTHD} -eq 1 ]] && _register_start_daemon '_start_daemon_saslauthd'
|
[[ ${ENABLE_SASLAUTHD} -eq 1 ]] && _register_start_daemon '_start_daemon_saslauthd'
|
||||||
[[ ${ENABLE_FAIL2BAN} -eq 1 ]] && _register_start_daemon '_start_daemon_fail2ban'
|
[[ ${ENABLE_FAIL2BAN} -eq 1 ]] && _register_start_daemon '_start_daemon_fail2ban'
|
||||||
[[ ${ENABLE_FETCHMAIL} -eq 1 ]] && _register_start_daemon '_start_daemon_fetchmail'
|
[[ ${ENABLE_FETCHMAIL} -eq 1 ]] && _register_start_daemon '_start_daemon_fetchmail'
|
||||||
[[ ${ENABLE_CLAMAV} -eq 1 ]] && _register_start_daemon '_start_daemon_clamav'
|
[[ ${ENABLE_CLAMAV} -eq 1 ]] && _register_start_daemon '_start_daemon_clamav'
|
||||||
[[ ${ENABLE_AMAVIS} -eq 1 ]] && _register_start_daemon '_start_daemon_amavis'
|
[[ ${ENABLE_AMAVIS} -eq 1 ]] && _register_start_daemon '_start_daemon_amavis'
|
||||||
[[ ${ACCOUNT_PROVISIONER} == 'FILE' ]] && _register_start_daemon '_start_daemon_changedetector'
|
[[ ${ACCOUNT_PROVISIONER} == 'FILE' ]] && _register_start_daemon '_start_daemon_changedetector'
|
||||||
}
|
}
|
||||||
|
|
||||||
function _register_start_daemon
|
|
||||||
{
|
|
||||||
DAEMONS_START+=("${1}")
|
|
||||||
_log 'trace' "${1}() registered"
|
|
||||||
}
|
|
||||||
|
|
||||||
function _register_fix_function
|
|
||||||
{
|
|
||||||
FUNCS_FIX+=("${1}")
|
|
||||||
_log 'trace' "${1}() registered"
|
|
||||||
}
|
|
||||||
|
|
||||||
function _register_check_function
|
|
||||||
{
|
|
||||||
FUNCS_CHECK+=("${1}")
|
|
||||||
_log 'trace' "${1}() registered"
|
|
||||||
}
|
|
||||||
|
|
||||||
function _register_misc_function
|
|
||||||
{
|
|
||||||
FUNCS_MISC+=("${1}")
|
|
||||||
_log 'trace' "${1}() registered"
|
|
||||||
}
|
|
||||||
|
|
||||||
# ------------------------------------------------------------
|
# ------------------------------------------------------------
|
||||||
# ? << Registering functions
|
# ? << Registering functions
|
||||||
# --
|
# --
|
||||||
|
@ -223,8 +178,6 @@ _register_functions
|
||||||
_check
|
_check
|
||||||
_setup
|
_setup
|
||||||
[[ ${LOG_LEVEL} =~ (debug|trace) ]] && print-environment
|
[[ ${LOG_LEVEL} =~ (debug|trace) ]] && print-environment
|
||||||
_apply_fixes
|
|
||||||
_start_misc
|
|
||||||
_setup_run_user_patches
|
_setup_run_user_patches
|
||||||
_start_daemons
|
_start_daemons
|
||||||
|
|
||||||
|
|
|
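Review bot: The comment `# needs to come after _setup_postfix_aliases` now sits directly above `if [[ ${ENABLE_FETCHMAIL} -eq 1 ]]`, because the `_setup_spoof_protection` registration it described was moved below the fetchmail block; move the comment down so it again precedes `_register_setup_function '_setup_spoof_protection'`. The registration order also changed in ways the commit message does not explain: `_setup_security_stack` now runs before `_setup_ssl` and the `_setup_postfix_*` functions instead of after `_setup_postfix_sasl`, and `_setup_save_states` now runs before `_setup_apply_fixes_after_configuration`, whereas the removed `_apply_fixes` ran before `_start_misc`. If any later postfix setup rewrites `smtpd_recipient_restrictions` or the `postscreen_*` keys the security stack edits, or if state consolidation relied on `/var/mail` ownership being repaired first, those two moves need either a swap or an ordering comment like the existing `# needs to be started before postfix`; I cannot confirm either dependency from the hunks. `_register_functions` begins and ends outside the `@ -93,39 +80,36 @@` hunk.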
@ -1,5 +1,13 @@
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
|
declare -a FUNCS_CHECK
|
||||||
|
|
||||||
|
function _register_check_function
|
||||||
|
{
|
||||||
|
FUNCS_CHECK+=("${1}")
|
||||||
|
_log 'trace' "${1}() registered"
|
||||||
|
}
|
||||||
|
|
||||||
function _check
|
function _check
|
||||||
{
|
{
|
||||||
_log 'info' 'Checking configuration'
|
_log 'info' 'Checking configuration'
|
||||||
|
|
|
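Review bot: `_register_check_function` appends `${1}` to `FUNCS_CHECK` without checking that a function of that name exists, so a misspelled name in `_register_functions` is only discovered when `_check` tries to call it; `_register_start_daemon` in daemons-stack.sh has the same gap. A guard before the append, `declare -F "${1}" >/dev/null || _shutdown "'${1}' is not a defined function"`, would fail at registration time instead, provided all stack files are sourced before `_register_functions` runs (the top of start-mailserver.sh suggests they are). The body of `_check` continues past the hunk.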
@ -1,5 +1,13 @@
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
|
declare -a DAEMONS_START
|
||||||
|
|
||||||
|
function _register_start_daemon
|
||||||
|
{
|
||||||
|
DAEMONS_START+=("${1}")
|
||||||
|
_log 'trace' "${1}() registered"
|
||||||
|
}
|
||||||
|
|
||||||
function _start_daemons
|
function _start_daemons
|
||||||
{
|
{
|
||||||
_log 'info' 'Starting daemons'
|
_log 'info' 'Starting daemons'
|
||||||
|
|
|
@ -1,40 +0,0 @@
|
||||||
#!/bin/bash
|
|
||||||
|
|
||||||
function _apply_fixes
|
|
||||||
{
|
|
||||||
_log 'info' 'Post-configuration checks'
|
|
||||||
for FUNC in "${FUNCS_FIX[@]}"
|
|
||||||
do
|
|
||||||
${FUNC}
|
|
||||||
done
|
|
||||||
|
|
||||||
_log 'trace' 'Removing leftover PID files from a stop/start'
|
|
||||||
find /var/run/ -not -name 'supervisord.pid' -name '*.pid' -delete
|
|
||||||
touch /dev/shm/supervisor.sock
|
|
||||||
}
|
|
||||||
|
|
||||||
function _fix_var_mail_permissions
|
|
||||||
{
|
|
||||||
_log 'debug' 'Checking /var/mail permissions'
|
|
||||||
|
|
||||||
_chown_var_mail_if_necessary || _shutdown 'Failed to fix /var/mail permissions'
|
|
||||||
_log 'trace' 'Permissions in /var/mail look OK'
|
|
||||||
}
|
|
||||||
|
|
||||||
function _fix_cleanup_clamav
|
|
||||||
{
|
|
||||||
_log 'trace' 'Cleaning up disabled ClamAV'
|
|
||||||
rm /etc/logrotate.d/clamav-* /etc/cron.d/clamav-freshclam 2>/dev/null || {
|
|
||||||
# show warning only on first container start
|
|
||||||
[[ ! -f /CONTAINER_START ]] && _log 'warn' 'Failed to remove ClamAV configuration'
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
function _fix_cleanup_spamassassin
|
|
||||||
{
|
|
||||||
_log 'trace' 'Cleaning up disabled SpamAssassin'
|
|
||||||
rm /etc/cron.daily/spamassassin 2>/dev/null || {
|
|
||||||
# show warning only on first container start
|
|
||||||
[[ ! -f /CONTAINER_START ]] && _log 'warn' 'Failed to remove SpamAssassin configuration'
|
|
||||||
}
|
|
||||||
}
|
|
|
@ -111,3 +111,11 @@ function _setup_timezone
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
function _setup_apply_fixes_after_configuration
|
||||||
|
{
|
||||||
|
_log 'trace' 'Removing leftover PID files from a stop/start'
|
||||||
|
find /var/run/ -not -name 'supervisord.pid' -name '*.pid' -delete
|
||||||
|
touch /dev/shm/supervisor.sock
|
||||||
|
_log 'debug' 'Checking /var/mail permissions'
|
||||||
|
_chown_var_mail_if_necessary || _shutdown 'Failed to fix /var/mail permissions'
|
||||||
|
}
|
||||||
|
|
|
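Review bot: `_setup_apply_fixes_after_configuration` has no header comment, and the name alone does not say why it is a setup function or that it absorbs the deleted `_apply_fixes` and `_fix_var_mail_permissions`; add `# Post-configuration fixes (formerly the fixes stack), registered near the end of the setup list: remove PID files left by a previous stop/start and repair /var/mail ownership.` above `function _setup_apply_fixes_after_configuration`. The old `_fix_var_mail_permissions` also logged at trace level when the permissions were fine; if that was deliberately dropped, a short note in the commit description would save the next reader from hunting for the message.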
@ -1,17 +1,16 @@
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
|
# Set up OpenDKIM
|
||||||
# Set up OpenDKIM & OpenDMARC.
|
|
||||||
#
|
#
|
||||||
# ## Attention
|
# ## Attention
|
||||||
#
|
#
|
||||||
# The OpenDKIM milter must come before the OpenDMARC milter in Postfix's#
|
# The OpenDKIM milter must come before the OpenDMARC milter in Postfix's
|
||||||
# `smtpd_milters` milters options.
|
# `smtpd_milters` milters options.
|
||||||
function _setup_dkim_dmarc
|
function _setup_opendkim
|
||||||
{
|
{
|
||||||
if [[ ${ENABLE_OPENDKIM} -eq 1 ]]
|
if [[ ${ENABLE_OPENDKIM} -eq 1 ]]
|
||||||
then
|
then
|
||||||
_log 'debug' 'Setting up DKIM'
|
_log 'debug' 'Configuring DKIM'
|
||||||
|
|
||||||
mkdir -p /etc/opendkim/keys/
|
mkdir -p /etc/opendkim/keys/
|
||||||
touch /etc/opendkim/{SigningTable,TrustedHosts,KeyTable}
|
touch /etc/opendkim/{SigningTable,TrustedHosts,KeyTable}
|
||||||
|
@ -43,26 +42,45 @@ function _setup_dkim_dmarc
|
||||||
echo "Nameservers ${NAMESERVER_IPS}" >>/etc/opendkim.conf
|
echo "Nameservers ${NAMESERVER_IPS}" >>/etc/opendkim.conf
|
||||||
_log 'trace' "Nameservers added to '/etc/opendkim.conf'"
|
_log 'trace' "Nameservers added to '/etc/opendkim.conf'"
|
||||||
fi
|
fi
|
||||||
|
else
|
||||||
|
# Even though we do nothing here and the message suggests we perform some action, the
|
||||||
|
# message is due to the default value being `1`, i.e. enabled. If the default were `0`,
|
||||||
|
# we could have said `OpenDKIM is disabled`, but we need to make it uniform with all
|
||||||
|
# other functions.
|
||||||
|
_log 'debug' 'Disabling OpenDKIM'
|
||||||
fi
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# Set up OpenDKIM
|
||||||
|
#
|
||||||
|
# ## Attention
|
||||||
|
#
|
||||||
|
# The OpenDMARC milter must come after the OpenDKIM milter in Postfix's
|
||||||
|
# `smtpd_milters` milters options.
|
||||||
|
function _setup_opendmarc
|
||||||
|
{
|
||||||
if [[ ${ENABLE_OPENDMARC} -eq 1 ]]
|
if [[ ${ENABLE_OPENDMARC} -eq 1 ]]
|
||||||
then
|
then
|
||||||
# TODO when disabling SPF is possible, add a check whether DKIM and SPF is disabled
|
# TODO When disabling SPF is possible, add a check whether DKIM and SPF is disabled
|
||||||
# for DMARC to work, you should have at least one enabled
|
# for DMARC to work, you should have at least one enabled
|
||||||
# (see RFC 7489 https://www.rfc-editor.org/rfc/rfc7489#page-24)
|
# (see RFC 7489 https://www.rfc-editor.org/rfc/rfc7489#page-24)
|
||||||
|
_log 'debug' 'Configuring OpenDMARC'
|
||||||
|
|
||||||
_log 'trace' "Adding OpenDMARC to Postfix's milters"
|
_log 'trace' "Adding OpenDMARC to Postfix's milters"
|
||||||
postconf 'dmarc_milter = inet:localhost:8893'
|
postconf 'dmarc_milter = inet:localhost:8893'
|
||||||
# Make sure to append the OpenDMARC milter _after_ the OpenDKIM milter!
|
# Make sure to append the OpenDMARC milter _after_ the OpenDKIM milter!
|
||||||
# shellcheck disable=SC2016
|
# shellcheck disable=SC2016
|
||||||
sed -i -E 's|^(smtpd_milters =.*)|\1 \$dmarc_milter|g' /etc/postfix/main.cf
|
sed -i -E 's|^(smtpd_milters =.*)|\1 \$dmarc_milter|g' /etc/postfix/main.cf
|
||||||
|
|
||||||
|
sed -i \
|
||||||
|
-e "s|^AuthservID.*$|AuthservID ${HOSTNAME}|g" \
|
||||||
|
-e "s|^TrustedAuthservIDs.*$|TrustedAuthservIDs ${HOSTNAME}|g" \
|
||||||
|
/etc/opendmarc.conf
|
||||||
|
else
|
||||||
|
# Even though we do nothing here and the message suggests we perform some action, the
|
||||||
|
# message is due to the default value being `1`, i.e. enabled. If the default were `0`,
|
||||||
|
# we could have said `OpenDKIM is disabled`, but we need to make it uniform with all
|
||||||
|
# other functions.
|
||||||
|
_log 'debug' 'Disabling OpenDMARC'
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
function _setup_dmarc_hostname
|
|
||||||
{
|
|
||||||
_log 'debug' 'Setting up DMARC'
|
|
||||||
sed -i -e \
|
|
||||||
"s|^AuthservID.*$|AuthservID ${HOSTNAME}|g" \
|
|
||||||
-e "s|^TrustedAuthservIDs.*$|TrustedAuthservIDs ${HOSTNAME}|g" \
|
|
||||||
/etc/opendmarc.conf
|
|
||||||
}
|
|
||||||
|
|
|
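Review bot: The header comment above `function _setup_opendmarc` reads `# Set up OpenDKIM`, and the else-branch comment in the same function says `we could have said \`OpenDKIM is disabled\``; both were copied from `_setup_opendkim` and should name OpenDMARC, i.e. `# Set up OpenDMARC.` and `# we could have said \`OpenDMARC is disabled\`, but we need to make it uniform with all`. The four-line explanation of why `Disabling OpenDKIM` / `Disabling OpenDMARC` is logged when nothing happens is duplicated verbatim in both functions; one sentence above the file's first function would cover both. The middle of `_setup_opendkim` lies between the two hunks.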
@ -1,17 +1,8 @@
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
function _start_misc
|
# Consolidate all states into a single directory
|
||||||
{
|
|
||||||
_log 'info' 'Starting miscellaneous tasks'
|
|
||||||
for FUNC in "${FUNCS_MISC[@]}"
|
|
||||||
do
|
|
||||||
${FUNC}
|
|
||||||
done
|
|
||||||
}
|
|
||||||
|
|
||||||
# consolidate all states into a single directory
|
|
||||||
# (/var/mail-state) to allow persistence using docker volumes
|
# (/var/mail-state) to allow persistence using docker volumes
|
||||||
function _misc_save_states
|
function _setup_save_states
|
||||||
{
|
{
|
||||||
local STATEDIR FILE FILES
|
local STATEDIR FILE FILES
|
||||||
|
|
|
@ -4,18 +4,79 @@ function _setup_security_stack
|
||||||
{
|
{
|
||||||
_log 'debug' 'Setting up Security Stack'
|
_log 'debug' 'Setting up Security Stack'
|
||||||
|
|
||||||
|
__setup__security__postgrey
|
||||||
|
__setup__security__postscreen
|
||||||
|
|
||||||
# recreate auto-generated file
|
# recreate auto-generated file
|
||||||
local DMS_AMAVIS_FILE=/etc/amavis/conf.d/61-dms_auto_generated
|
local DMS_AMAVIS_FILE=/etc/amavis/conf.d/61-dms_auto_generated
|
||||||
|
|
||||||
echo "# WARNING: this file is auto-generated." >"${DMS_AMAVIS_FILE}"
|
echo "# WARNING: this file is auto-generated." >"${DMS_AMAVIS_FILE}"
|
||||||
echo "use strict;" >>"${DMS_AMAVIS_FILE}"
|
echo "use strict;" >>"${DMS_AMAVIS_FILE}"
|
||||||
|
|
||||||
# SpamAssassin
|
__setup__security__spamassassin
|
||||||
if [[ ${ENABLE_SPAMASSASSIN} -eq 0 ]]
|
__setup__security__clamav
|
||||||
|
|
||||||
|
echo '1; # ensure a defined return' >>"${DMS_AMAVIS_FILE}"
|
||||||
|
chmod 444 "${DMS_AMAVIS_FILE}"
|
||||||
|
|
||||||
|
__setup__security__fail2ban
|
||||||
|
__setup__security__amavis
|
||||||
|
}
|
||||||
|
|
||||||
|
function __setup__security__postgrey
|
||||||
|
{
|
||||||
|
if [[ ${ENABLE_POSTGREY} -eq 1 ]]
|
||||||
then
|
then
|
||||||
_log 'debug' 'SpamAssassin is disabled'
|
_log 'debug' 'Enabling and configuring Postgrey'
|
||||||
echo "@bypass_spam_checks_maps = (1);" >>"${DMS_AMAVIS_FILE}"
|
|
||||||
elif [[ ${ENABLE_SPAMASSASSIN} -eq 1 ]]
|
sedfile -i -E \
|
||||||
|
's|(^smtpd_recipient_restrictions =.*)|\1, check_policy_service inet:127.0.0.1:10023|' \
|
||||||
|
/etc/postfix/main.cf
|
||||||
|
|
||||||
|
sed -i -e \
|
||||||
|
"s|\"--inet=127.0.0.1:10023\"|\"--inet=127.0.0.1:10023 --delay=${POSTGREY_DELAY} --max-age=${POSTGREY_MAX_AGE} --auto-whitelist-clients=${POSTGREY_AUTO_WHITELIST_CLIENTS}\"|" \
|
||||||
|
/etc/default/postgrey
|
||||||
|
|
||||||
|
if ! grep -i 'POSTGREY_TEXT' /etc/default/postgrey
|
||||||
|
then
|
||||||
|
printf 'POSTGREY_TEXT=\"%s\"\n\n' "${POSTGREY_TEXT}" >>/etc/default/postgrey
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [[ -f /tmp/docker-mailserver/whitelist_clients.local ]]
|
||||||
|
then
|
||||||
|
cp -f /tmp/docker-mailserver/whitelist_clients.local /etc/postgrey/whitelist_clients.local
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [[ -f /tmp/docker-mailserver/whitelist_recipients ]]
|
||||||
|
then
|
||||||
|
cp -f /tmp/docker-mailserver/whitelist_recipients /etc/postgrey/whitelist_recipients
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
_log 'debug' 'Postscreen is disabled'
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
function __setup__security__postscreen
|
||||||
|
{
|
||||||
|
_log 'debug' 'Configuring Postscreen'
|
||||||
|
sed -i \
|
||||||
|
-e "s|postscreen_dnsbl_action = enforce|postscreen_dnsbl_action = ${POSTSCREEN_ACTION}|" \
|
||||||
|
-e "s|postscreen_greet_action = enforce|postscreen_greet_action = ${POSTSCREEN_ACTION}|" \
|
||||||
|
-e "s|postscreen_bare_newline_action = enforce|postscreen_bare_newline_action = ${POSTSCREEN_ACTION}|" /etc/postfix/main.cf
|
||||||
|
|
||||||
|
if [[ ${ENABLE_DNSBL} -eq 0 ]]
|
||||||
|
then
|
||||||
|
_log 'debug' 'Disabling Postscreen DNSBLs'
|
||||||
|
postconf 'postscreen_dnsbl_action = ignore'
|
||||||
|
postconf 'postscreen_dnsbl_sites = '
|
||||||
|
else
|
||||||
|
_log 'debug' 'Postscreen DNSBLs are enabled'
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
function __setup__security__spamassassin
|
||||||
|
{
|
||||||
|
if [[ ${ENABLE_SPAMASSASSIN} -eq 1 ]]
|
||||||
then
|
then
|
||||||
_log 'debug' 'Enabling and configuring SpamAssassin'
|
_log 'debug' 'Enabling and configuring SpamAssassin'
|
||||||
|
|
||||||
|
@ -28,6 +89,11 @@ function _setup_security_stack
|
||||||
# shellcheck disable=SC2016
|
# shellcheck disable=SC2016
|
||||||
sed -i -r 's|^\$sa_kill_level_deflt (.*);|\$sa_kill_level_deflt = '"${SA_KILL}"';|g' /etc/amavis/conf.d/20-debian_defaults
|
sed -i -r 's|^\$sa_kill_level_deflt (.*);|\$sa_kill_level_deflt = '"${SA_KILL}"';|g' /etc/amavis/conf.d/20-debian_defaults
|
||||||
|
|
||||||
|
# fix cron.daily for spamassassin
|
||||||
|
sed -i \
|
||||||
|
's|invoke-rc.d spamassassin reload|/etc/init\.d/spamassassin reload|g' \
|
||||||
|
/etc/cron.daily/spamassassin
|
||||||
|
|
||||||
if [[ ${SA_SPAM_SUBJECT} == 'undef' ]]
|
if [[ ${SA_SPAM_SUBJECT} == 'undef' ]]
|
||||||
then
|
then
|
||||||
# shellcheck disable=SC2016
|
# shellcheck disable=SC2016
|
||||||
|
@ -96,25 +162,37 @@ EOF
|
||||||
|
|
||||||
chmod +x "${SPAMASSASSIN_KAM_CRON_FILE}"
|
chmod +x "${SPAMASSASSIN_KAM_CRON_FILE}"
|
||||||
fi
|
fi
|
||||||
|
else
|
||||||
|
_log 'debug' 'SpamAssassin is disabled'
|
||||||
|
echo "@bypass_spam_checks_maps = (1);" >>"${DMS_AMAVIS_FILE}"
|
||||||
|
rm -f /etc/cron.daily/spamassassin
|
||||||
fi
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
# ClamAV
|
function __setup__security__clamav
|
||||||
if [[ ${ENABLE_CLAMAV} -eq 0 ]]
|
{
|
||||||
|
if [[ ${ENABLE_CLAMAV} -eq 1 ]]
|
||||||
then
|
then
|
||||||
_log 'debug' 'ClamAV is disabled'
|
_log 'debug' 'Enabling and configuring ClamAV'
|
||||||
|
if [[ ${CLAMAV_MESSAGE_SIZE_LIMIT} != '25M' ]]
|
||||||
|
then
|
||||||
|
_log 'trace' "Setting ClamAV message scan size limit to '${CLAMAV_MESSAGE_SIZE_LIMIT}'"
|
||||||
|
sedfile -i \
|
||||||
|
"s/^MaxFileSize.*/MaxFileSize ${CLAMAV_MESSAGE_SIZE_LIMIT}/" \
|
||||||
|
/etc/clamav/clamd.conf
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
_log 'debug' 'Disabling ClamAV'
|
||||||
echo '@bypass_virus_checks_maps = (1);' >>"${DMS_AMAVIS_FILE}"
|
echo '@bypass_virus_checks_maps = (1);' >>"${DMS_AMAVIS_FILE}"
|
||||||
elif [[ ${ENABLE_CLAMAV} -eq 1 ]]
|
rm -f /etc/logrotate.d/clamav-* /etc/cron.d/clamav-freshclam
|
||||||
then
|
|
||||||
_log 'debug' 'Enabling ClamAV'
|
|
||||||
fi
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
echo '1; # ensure a defined return' >>"${DMS_AMAVIS_FILE}"
|
function __setup__security__fail2ban
|
||||||
chmod 444 "${DMS_AMAVIS_FILE}"
|
{
|
||||||
|
|
||||||
# Fail2ban
|
|
||||||
if [[ ${ENABLE_FAIL2BAN} -eq 1 ]]
|
if [[ ${ENABLE_FAIL2BAN} -eq 1 ]]
|
||||||
then
|
then
|
||||||
_log 'debug' 'Enabling Fail2Ban'
|
_log 'debug' 'Enabling and configuring Fail2Ban'
|
||||||
|
|
||||||
if [[ -e /tmp/docker-mailserver/fail2ban-fail2ban.cf ]]
|
if [[ -e /tmp/docker-mailserver/fail2ban-fail2ban.cf ]]
|
||||||
then
|
then
|
||||||
|
@ -125,20 +203,24 @@ EOF
|
||||||
then
|
then
|
||||||
cp /tmp/docker-mailserver/fail2ban-jail.cf /etc/fail2ban/jail.d/user-jail.local
|
cp /tmp/docker-mailserver/fail2ban-jail.cf /etc/fail2ban/jail.d/user-jail.local
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if [[ ${FAIL2BAN_BLOCKTYPE} != 'reject' ]]
|
||||||
|
then
|
||||||
|
echo -e '[Init]\nblocktype = drop' >/etc/fail2ban/action.d/nftables-common.local
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo '[Definition]' >/etc/fail2ban/filter.d/custom.conf
|
||||||
else
|
else
|
||||||
# disable logrotate config for fail2ban if not enabled
|
_log 'debug' 'Fail2Ban is disabled'
|
||||||
rm -f /etc/logrotate.d/fail2ban
|
rm -f /etc/logrotate.d/fail2ban
|
||||||
fi
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
# fix cron.daily for spamassassin
|
function __setup__security__amavis
|
||||||
sed -i \
|
{
|
||||||
's|invoke-rc.d spamassassin reload|/etc/init\.d/spamassassin reload|g' \
|
|
||||||
/etc/cron.daily/spamassassin
|
|
||||||
|
|
||||||
# Amavis
|
|
||||||
if [[ ${ENABLE_AMAVIS} -eq 1 ]]
|
if [[ ${ENABLE_AMAVIS} -eq 1 ]]
|
||||||
then
|
then
|
||||||
_log 'debug' 'Enabling Amavis'
|
_log 'debug' 'Configuring Amavis'
|
||||||
if [[ -f /tmp/docker-mailserver/amavis.cf ]]
|
if [[ -f /tmp/docker-mailserver/amavis.cf ]]
|
||||||
then
|
then
|
||||||
cp /tmp/docker-mailserver/amavis.cf /etc/amavis/conf.d/50-user
|
cp /tmp/docker-mailserver/amavis.cf /etc/amavis/conf.d/50-user
|
||||||
|
@ -147,14 +229,6 @@ EOF
|
||||||
sed -i -E \
|
sed -i -E \
|
||||||
"s|(log_level).*|\1 = ${AMAVIS_LOGLEVEL};|g" \
|
"s|(log_level).*|\1 = ${AMAVIS_LOGLEVEL};|g" \
|
||||||
/etc/amavis/conf.d/49-docker-mailserver
|
/etc/amavis/conf.d/49-docker-mailserver
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
function _setup_amavis
|
|
||||||
{
|
|
||||||
if [[ ${ENABLE_AMAVIS} -eq 1 ]]
|
|
||||||
then
|
|
||||||
_log 'debug' 'Setting up Amavis'
|
|
||||||
|
|
||||||
cat /etc/dms/postfix/master.d/postfix-amavis.cf >>/etc/postfix/master.cf
|
cat /etc/dms/postfix/master.d/postfix-amavis.cf >>/etc/postfix/master.cf
|
||||||
postconf 'content_filter = smtp-amavis:[127.0.0.1]:10024'
|
postconf 'content_filter = smtp-amavis:[127.0.0.1]:10024'
|
||||||
|
@ -163,7 +237,9 @@ function _setup_amavis
|
||||||
"s|^#\$myhostname = \"mail.example.com\";|\$myhostname = \"${HOSTNAME}\";|" \
|
"s|^#\$myhostname = \"mail.example.com\";|\$myhostname = \"${HOSTNAME}\";|" \
|
||||||
/etc/amavis/conf.d/05-node_id
|
/etc/amavis/conf.d/05-node_id
|
||||||
else
|
else
|
||||||
_log 'debug' 'Disabling Amavis cron job'
|
_log 'debug' 'Disabling Amavis'
|
||||||
|
|
||||||
|
_log 'trace' 'Disabling Amavis cron job'
|
||||||
mv /etc/cron.d/amavisd-new /etc/cron.d/amavisd-new.disabled
|
mv /etc/cron.d/amavisd-new /etc/cron.d/amavisd-new.disabled
|
||||||
chmod 0 /etc/cron.d/amavisd-new.disabled
|
chmod 0 /etc/cron.d/amavisd-new.disabled
|
||||||
|
|
||||||
|
@ -178,88 +254,3 @@ function _setup_amavis
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
function _setup_fail2ban
|
|
||||||
{
|
|
||||||
_log 'debug' 'Setting up Fail2Ban'
|
|
||||||
|
|
||||||
if [[ ${FAIL2BAN_BLOCKTYPE} != 'reject' ]]
|
|
||||||
then
|
|
||||||
echo -e '[Init]\nblocktype = drop' >/etc/fail2ban/action.d/nftables-common.local
|
|
||||||
fi
|
|
||||||
|
|
||||||
echo '[Definition]' >/etc/fail2ban/filter.d/custom.conf
|
|
||||||
}
|
|
||||||
|
|
||||||
function _setup_postgrey
|
|
||||||
{
|
|
||||||
_log 'debug' 'Configuring Postgrey'
|
|
||||||
|
|
||||||
sedfile -i -E \
|
|
||||||
's|(^smtpd_recipient_restrictions =.*)|\1, check_policy_service inet:127.0.0.1:10023|' \
|
|
||||||
/etc/postfix/main.cf
|
|
||||||
|
|
||||||
sed -i -e \
|
|
||||||
"s|\"--inet=127.0.0.1:10023\"|\"--inet=127.0.0.1:10023 --delay=${POSTGREY_DELAY} --max-age=${POSTGREY_MAX_AGE} --auto-whitelist-clients=${POSTGREY_AUTO_WHITELIST_CLIENTS}\"|" \
|
|
||||||
/etc/default/postgrey
|
|
||||||
|
|
||||||
TEXT_FOUND=$(grep -c -i 'POSTGREY_TEXT' /etc/default/postgrey)
|
|
||||||
|
|
||||||
if [[ ${TEXT_FOUND} -eq 0 ]]
|
|
||||||
then
|
|
||||||
printf 'POSTGREY_TEXT=\"%s\"\n\n' "${POSTGREY_TEXT}" >>/etc/default/postgrey
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [[ -f /tmp/docker-mailserver/whitelist_clients.local ]]
|
|
||||||
then
|
|
||||||
cp -f /tmp/docker-mailserver/whitelist_clients.local /etc/postgrey/whitelist_clients.local
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [[ -f /tmp/docker-mailserver/whitelist_recipients ]]
|
|
||||||
then
|
|
||||||
cp -f /tmp/docker-mailserver/whitelist_recipients /etc/postgrey/whitelist_recipients
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
function _setup_postfix_postscreen
|
|
||||||
{
|
|
||||||
_log 'debug' 'Configuring Postscreen'
|
|
||||||
sed -i \
|
|
||||||
-e "s|postscreen_dnsbl_action = enforce|postscreen_dnsbl_action = ${POSTSCREEN_ACTION}|" \
|
|
||||||
-e "s|postscreen_greet_action = enforce|postscreen_greet_action = ${POSTSCREEN_ACTION}|" \
|
|
||||||
-e "s|postscreen_bare_newline_action = enforce|postscreen_bare_newline_action = ${POSTSCREEN_ACTION}|" /etc/postfix/main.cf
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
function _setup_clamav_sizelimit
|
|
||||||
{
|
|
||||||
_log 'trace' "Setting ClamAV message scan size limit to '${CLAMAV_MESSAGE_SIZE_LIMIT}'"
|
|
||||||
sedfile -i "s/^MaxFileSize.*/MaxFileSize ${CLAMAV_MESSAGE_SIZE_LIMIT}/" /etc/clamav/clamd.conf
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
function _setup_spoof_protection
|
|
||||||
{
|
|
||||||
_log 'trace' 'Configuring spoof protection'
|
|
||||||
sed -i \
|
|
||||||
's|smtpd_sender_restrictions =|smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch,|' \
|
|
||||||
/etc/postfix/main.cf
|
|
||||||
|
|
||||||
if [[ ${ACCOUNT_PROVISIONER} == 'LDAP' ]]
|
|
||||||
then
|
|
||||||
if [[ -z ${LDAP_QUERY_FILTER_SENDERS} ]]
|
|
||||||
then
|
|
||||||
postconf 'smtpd_sender_login_maps = ldap:/etc/postfix/ldap-users.cf ldap:/etc/postfix/ldap-aliases.cf ldap:/etc/postfix/ldap-groups.cf'
|
|
||||||
else
|
|
||||||
postconf 'smtpd_sender_login_maps = ldap:/etc/postfix/ldap-senders.cf'
|
|
||||||
fi
|
|
||||||
else
|
|
||||||
if [[ -f /etc/postfix/regexp ]]
|
|
||||||
then
|
|
||||||
postconf 'smtpd_sender_login_maps = unionmap:{ texthash:/etc/postfix/virtual, hash:/etc/aliases, pcre:/etc/postfix/maps/sender_login_maps.pcre, pcre:/etc/postfix/regexp }'
|
|
||||||
else
|
|
||||||
postconf 'smtpd_sender_login_maps = texthash:/etc/postfix/virtual, hash:/etc/aliases, pcre:/etc/postfix/maps/sender_login_maps.pcre'
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
|
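Review bot: The else branch of `__setup__security__postgrey` logs `Postscreen is disabled` although it is Postgrey that is disabled; the line should read `_log 'debug' 'Postgrey is disabled'`. In the same helper, `if ! grep -i 'POSTGREY_TEXT' /etc/default/postgrey` replaced the old `grep -c` capture but lost output suppression, so a matching line is printed to stdout on every start; use `if ! grep -q -i 'POSTGREY_TEXT' /etc/default/postgrey`. `__setup__security__spamassassin` and `__setup__security__clamav` append to `"${DMS_AMAVIS_FILE}"`, which is declared `local` in `_setup_security_stack` and reaches them only through bash's dynamic scoping; that works, but nothing at the helper says so, so either pass the path as `${1}` or put `# DMS_AMAVIS_FILE is a local of the caller (_setup_security_stack), visible here via bash dynamic scoping` above each helper that uses it. The `function _setup_security_stack` line and the tail of `__setup__security__amavis` lie outside the hunks.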
@ -2,13 +2,18 @@
|
||||||
|
|
||||||
function _setup_rspamd
|
function _setup_rspamd
|
||||||
{
|
{
|
||||||
_log 'warn' 'Rspamd integration is work in progress - expect (breaking) changes at any time'
|
if [[ ${ENABLE_RSPAMD} -eq 1 ]]
|
||||||
_log 'debug' 'Enabling Rspamd'
|
then
|
||||||
|
_log 'warn' 'Rspamd integration is work in progress - expect (breaking) changes at any time'
|
||||||
|
_log 'debug' 'Enabling and configuring Rspamd'
|
||||||
|
|
||||||
__rspamd__preflight_checks
|
__rspamd__preflight_checks
|
||||||
__rspamd__adjust_postfix_configuration
|
__rspamd__adjust_postfix_configuration
|
||||||
__rspamd__disable_default_modules
|
__rspamd__disable_default_modules
|
||||||
__rspamd__handle_modules_configuration
|
__rspamd__handle_modules_configuration
|
||||||
|
else
|
||||||
|
_log 'debug' 'Rspamd is disabled'
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
# Just a helper to prepend the log messages with `(Rspamd setup)` so
|
# Just a helper to prepend the log messages with `(Rspamd setup)` so
|
||||||
|
|
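--- /dev/null
+++ b/target/scripts/startup/setup.d/security/spoofing.sh
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+function _setup_spoof_protection
+{
+if [[ ${SPOOF_PROTECTION} -eq 1 ]]
+then
+_log 'trace' 'Enabling and configuring spoof protection'
+
+sed -i \
+'s|smtpd_sender_restrictions =|smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch,|' \
+/etc/postfix/main.cf
+
+if [[ ${ACCOUNT_PROVISIONER} == 'LDAP' ]]
+then
+if [[ -z ${LDAP_QUERY_FILTER_SENDERS} ]]
+then
+postconf 'smtpd_sender_login_maps = ldap:/etc/postfix/ldap-users.cf ldap:/etc/postfix/ldap-aliases.cf ldap:/etc/postfix/ldap-groups.cf'
+else
+postconf 'smtpd_sender_login_maps = ldap:/etc/postfix/ldap-senders.cf'
+fi
+else
+if [[ -f /etc/postfix/regexp ]]
+then
+postconf 'smtpd_sender_login_maps = unionmap:{ texthash:/etc/postfix/virtual, hash:/etc/aliases, pcre:/etc/postfix/maps/sender_login_maps.pcre, pcre:/etc/postfix/regexp }'
+else
+postconf 'smtpd_sender_login_maps = texthash:/etc/postfix/virtual, hash:/etc/aliases, pcre:/etc/postfix/maps/sender_login_maps.pcre'
+fi
+fi
+else
+_log 'debug' 'Spoof protection is disabled'
+fi
+}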
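Review bot: `_setup_spoof_protection` logs its enabled branch at `trace` (`_log 'trace' 'Enabling and configuring spoof protection'`) while its own disabled branch and every other `Enabling and configuring …` message in this commit use `debug`; change it to `_log 'debug' 'Enabling and configuring spoof protection'`. The `sed` pattern `smtpd_sender_restrictions =` is unanchored, so it would also rewrite a commented-out copy of the key in `/etc/postfix/main.cf`; anchoring it as `'s|^smtpd_sender_restrictions =|smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch,|'` limits the edit to the live setting, as the postgrey helper in this commit already does with `(^smtpd_recipient_restrictions =.*)`. The ordering constraint recorded in start-mailserver.sh (`# needs to come after _setup_postfix_aliases`) is invisible from this file; repeating it above `function _setup_spoof_protection` would help whoever next reorders the registrations.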
@ -3,9 +3,6 @@
|
||||||
# shellcheck disable=SC2034
|
# shellcheck disable=SC2034
|
||||||
declare -A VARS
|
declare -A VARS
|
||||||
|
|
||||||
# shellcheck disable=SC2034
|
|
||||||
declare -a FUNCS_FIX FUNCS_CHECK FUNCS_MISC DAEMONS_START
|
|
||||||
|
|
||||||
function _early_variables_setup
|
function _early_variables_setup
|
||||||
{
|
{
|
||||||
_obtain_hostname_and_domainname
|
_obtain_hostname_and_domainname
|
||||||
|
|