From 5219aab9e8d6a0336f330a1d00d412cb00d2fe99 Mon Sep 17 00:00:00 2001
From: angus
Date: Thu, 31 Mar 2016 12:33:47 +0200
Subject: [PATCH] Add ENABLE_FAIL2BAN environment variable to enable fail2ban service (it's not enabled by default, now).
* Changed/updated Makefile and integration tests
* Changed some grep expressions in the fail2ban tests
---
 Makefile | 8 +++++++-
 README.md | 5 ++++-
 start-mailserver.sh | 6 +++++-
 test/tests.bats | 27 ++++++++++++++++-----------
 4 files changed, 32 insertions(+), 14 deletions(-)
diff --git a/Makefile b/Makefile
index aed0b797..03899b5c 100644
--- a/Makefile
+++ b/Makefile
@@ -33,6 +33,12 @@ run:
 -v "`pwd`/test":/tmp/test \
 -e SMTP_ONLY=1 \
 -h mail.my-domain.com -t $(NAME)
+ docker run -d --name mail_fail2ban \
+ -v "`pwd`/postfix":/tmp/postfix \
+ -v "`pwd`/spamassassin":/tmp/spamassassin \
+ -v "`pwd`/test":/tmp/test \
+ -e ENABLE_FAIL2BAN=1 \
+ -h mail.my-domain.com -t $(NAME)
 # Wait for containers to fully start
 sleep 60
@@ -55,4 +61,4 @@ clean:
 # Get default files back
 git checkout postfix/accounts.cf postfix/main.cf postfix/virtual
 # Remove running test containers
- docker rm -f mail mail_pop3 mail_smtponly
+ docker rm -f mail mail_pop3 mail_smtponly mail_fail2ban
diff --git a/README.md b/README.md
index 6fdb8edf..acb30ea7 100644
--- a/README.md
+++ b/README.md
@@ -96,10 +96,13 @@ Example:
 * SA_TAG2
 * *6.31* (default) => add 'spam detected' headers at that level
 * SA_KILL
- * *6.31* (default) => triggers spam evasive actions)
+ * *6.31* (default) => triggers spam evasive actions
 * SASL_PASSWORD
 * *empty* (default) => No sasl_passwd will be created
 * *string* => A /etc/postfix/sasl_passwd will be created with that content and postmap will be run on it
+* ENABLE_FAIL2BAN
+ * *empty* (default) => fail2ban service disabled
+ * 1 => Enables fail2ban service
 Please read [how the container starts](https://github.com/tomav/docker-mailserver/blob/master/start-mailserver.sh) to understand what's expected.
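Review bot: In the Makefile `run` hunk, the new `mail_fail2ban` container is started with the same options as the other test containers and no added capability. If the jail's ban action installs packet-filter rules (the jail configuration is not part of this patch), the container needs `--cap-add=NET_ADMIN \` on that `docker run` line, otherwise a ban is likely to be recorded by fail2ban without being enforced. The `run` target begins and ends outside the hunk.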
diff --git a/start-mailserver.sh b/start-mailserver.sh
index 46f1ff45..5486c78e 100644
--- a/start-mailserver.sh
+++ b/start-mailserver.sh
@@ -269,7 +269,11 @@ fi
 /etc/init.d/opendkim start
 /etc/init.d/opendmarc start
 /etc/init.d/postfix start
-/etc/init.d/fail2ban start
+
+if [ "$ENABLE_FAIL2BAN" = 1 ]; then
+ echo "Starting fail2ban service"
+ /etc/init.d/fail2ban start
+fi
 echo "Listing SASL users"
 sasldblistusers2
diff --git a/test/tests.bats b/test/tests.bats
index 8cfe488e..72c569b5 100644
--- a/test/tests.bats
+++ b/test/tests.bats
@@ -32,8 +32,13 @@
 [ "$status" -eq 0 ]
 }
-@test "checking process: fail2ban" {
+@test "checking process: fail2ban (disabled in default configuration)" {
 run docker exec mail /bin/bash -c "ps aux --forest | grep -v grep | grep '/usr/bin/python /usr/bin/fail2ban-server'"
+ [ "$status" -eq 1 ]
+}
+
+@test "checking process: fail2ban (fail2ban server enabled)" {
+ run docker exec mail_fail2ban /bin/bash -c "ps aux --forest | grep -v grep | grep '/usr/bin/python /usr/bin/fail2ban-server'"
 [ "$status" -eq 0 ]
 }
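Review bot: In the start-mailserver.sh hunk, an unset or mistyped `ENABLE_FAIL2BAN` now skips fail2ban with no output at all, so a deployment that upgrades across this commit loses brute-force banning on mail logins and nothing in the container log shows it. The comparison `[ "$ENABLE_FAIL2BAN" = 1 ]` also treats values such as `true` or `yes` as disabled. I would add an `else` branch like `echo "fail2ban is disabled; set ENABLE_FAIL2BAN=1 to enable it"`. The start result should be reported as well, for example `/etc/init.d/fail2ban start || echo "fail2ban failed to start" >&2`.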
@@ -311,26 +316,26 @@
 #
 @test "checking fail2ban: localhost is not banned" {
- run docker exec mail /bin/sh -c "fail2ban-client status sasl | grep 'IP list:\s*127.0.0.1'"
+ run docker exec mail_fail2ban /bin/sh -c "fail2ban-client status sasl | grep 'IP list:.*127.0.0.1'"
 [ "$status" -eq 1 ]
 }
 @test "checking fail2ban: ban ip on multiple failed login" {
- docker exec mail fail2ban-client status sasl
- docker exec mail fail2ban-client set sasl delignoreip 127.0.0.1/8
- docker exec mail /bin/sh -c 'nc -w 1 0.0.0.0 25 < /tmp/test/auth/smtp-auth-login-wrong.txt'
- docker exec mail /bin/sh -c 'nc -w 1 0.0.0.0 25 < /tmp/test/auth/smtp-auth-login-wrong.txt'
- docker exec mail /bin/sh -c 'nc -w 1 0.0.0.0 25 < /tmp/test/auth/smtp-auth-login-wrong.txt'
+ docker exec mail_fail2ban fail2ban-client status sasl
+ docker exec mail_fail2ban fail2ban-client set sasl delignoreip 127.0.0.1/8
+ docker exec mail_fail2ban /bin/sh -c 'nc -w 1 0.0.0.0 25 < /tmp/test/auth/smtp-auth-login-wrong.txt'
+ docker exec mail_fail2ban /bin/sh -c 'nc -w 1 0.0.0.0 25 < /tmp/test/auth/smtp-auth-login-wrong.txt'
+ docker exec mail_fail2ban /bin/sh -c 'nc -w 1 0.0.0.0 25 < /tmp/test/auth/smtp-auth-login-wrong.txt'
 sleep 5
- run docker exec mail /bin/sh -c "fail2ban-client status sasl | grep 'IP list:\s*127.0.0.1'"
+ run docker exec mail_fail2ban /bin/sh -c "fail2ban-client status sasl | grep 'IP list:.*127.0.0.1'"
 [ "$status" -eq 0 ]
 }
 @test "checking fail2ban: unban ip works" {
- docker exec mail fail2ban-client set sasl addignoreip 127.0.0.1/8
- docker exec mail fail2ban-client set sasl unbanip 127.0.0.1
+ docker exec mail_fail2ban fail2ban-client set sasl addignoreip 127.0.0.1/8
+ docker exec mail_fail2ban fail2ban-client set sasl unbanip 127.0.0.1
 sleep 5
- run docker exec mail /bin/sh -c "fail2ban-client status sasl | grep 'IP list:\s*127.0.0.1'"
+ run docker exec mail_fail2ban /bin/sh -c "fail2ban-client status sasl | grep 'IP list:.*127.0.0.1'"
 [ "$status" -eq 1 ]
 }
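Review bot: The new pattern `IP list:.*127.0.0.1`, used in all three fail2ban tests of this hunk, is looser than the one it replaces. The dots are unescaped and `.*` accepts any text before the address, so an entry such as `127.0.0.10` or `10.127.0.0.1` satisfies it and the ban assertion (`-eq 0`) could pass on a different address. I would escape the dots and delimit the address, for example `grep -E 'IP list:.*[[:space:]]127\.0\.0\.1([[:space:]]|$)'`. These checks also read only fail2ban's own ban list, so they do not show that a banned address is actually blocked.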