Restrict access (Closes #452, #816)

new setup.sh function, new tests, new script
This commit is contained in:
17Halbe 2018-02-07 21:33:07 +01:00 committed by Johan Smits
parent 115ad555be
commit 5394a505b9
6 changed files with 90 additions and 8 deletions


@ -42,9 +42,10 @@ SUBCOMMANDS:
email: email:
$0 email add <email> <password> $0 email add <email> [<password>]
$0 email update <email> <password> $0 email update <email> [<password>]
$0 email del <email> $0 email del <email>
$0 email restrict <add|del|list> <send|receive> [<email>]
$0 email list $0 email list
alias: alias:
@ -60,7 +61,7 @@ SUBCOMMANDS:
debug: debug:
$0 debug fetchmail $0 debug fetchmail
$0 debug fail2ban <unban> <ip-address> $0 debug fail2ban [<unban> <ip-address>]
$0 debug show-mail-logs $0 debug show-mail-logs
$0 debug inspect $0 debug inspect
$0 debug login <commands> $0 debug login <commands>
@ -117,7 +118,6 @@ case $1 in
email) email)
shift shift
case $1 in case $1 in
add) add)
shift shift
_docker_image addmailuser $@ _docker_image addmailuser $@
@ -130,6 +130,10 @@ case $1 in
shift shift
_docker_image delmailuser $@ _docker_image delmailuser $@
;; ;;
restrict)
shift
_docker_image restrict-access $@
;;
list) list)
_docker_image listmailuser _docker_image listmailuser
;; ;;

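--- /dev/null
+++ b/target/bin/restrict-access
@@ -0,0 +1,56 @@
+#! /bin/bash
+MODE="$1"
+USER="$3"
+usage() {
+echo "Usage: $0 <add|del|list> <send|receive> [<email@domain.com>]"
+}
+raise() {
+echo "$@" 1>&2
+exit 1
+}
+escape() {
+echo "${1//./\\.}"
+}
+[ -z "$MODE" ] && raise "missing parameters: <add|del|list> <send|receive> [<email@domain.com>]"
+case $2 in
+send)
+DATABASE="/tmp/docker-mailserver/postfix-send-access.cf"
+;;
+receive)
+DATABASE="/tmp/docker-mailserver/postfix-receive-access.cf"
+;;
+*)
+usage; raise "missing parameters. Specify \"send\" or \"receive\"";
+;;
+esac
+if [ -z "$USER" ] && [ "$MODE" != list ]; then
+read -p "User(user@domain.com): " USER
+echo
+[ -z "$USER" ] && raise "User must not be empty"
+fi
+case $MODE in
+add)
+grep -qi "^$(escape "$USER")" $DATABASE 2>/dev/null &&
+raise "User \"$USER\" already denied to $2 mails"
+echo -e "$USER \t\t REJECT" >>$DATABASE
+;;
+del)
+sed -ie "/^$(escape "$USER")/d" $DATABASE 2>/dev/null ||
+raise "User \"$USER\" not found."
+;;
+list)
+grep "REJECT" $DATABASE 2>/dev/null ||
+echo "Everyone is allowed to $2 mails."
+;;
+*)
+usage; raise "missing mode. Specify \"add\", \"del\" or \"list\"";
+;;
+esac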
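Review bot: `sed -ie` in the `del` arm is parsed by GNU sed as `-i` with backup suffix `e`, so every deletion leaves a stray `postfix-send-access.cfe` / `postfix-receive-access.cfe` beside the map, and because sed exits 0 even when no line matched, the `raise "User \"$USER\" not found."` after it cannot fire once the file exists. Both the `add` check and the `del` address are anchored only at the start (`^`), so `del send a@b.com` also removes `a@b.com.au`, and `add` refuses an address whose prefix is already listed. I would anchor on the whitespace the `add` arm writes after the address and test for presence explicitly before editing, as below; note that `escape` only escapes dots, so an argument containing `/` still terminates the sed address and the remainder is parsed as sed commands (`[` and `*` likewise act as regex), which is worth rejecting up front, e.g. `case $USER in */*|*\[*|*\**) raise "invalid address";; esac`. Separately, `USER` shadows the login-name environment variable; `EMAIL` or `ADDRESS` would avoid confusion.
```shell
# … unchanged: usage/raise/escape helpers, DATABASE selection, interactive prompt …
case $MODE in
add)
  grep -qi "^$(escape "$USER")[[:space:]]" "$DATABASE" 2>/dev/null &&
    raise "User \"$USER\" already denied to $2 mails"
  echo -e "$USER \t\t REJECT" >>"$DATABASE"
  ;;
del)
  grep -qi "^$(escape "$USER")[[:space:]]" "$DATABASE" 2>/dev/null ||
    raise "User \"$USER\" not found."
  sed -i -e "/^$(escape "$USER")[[:space:]]/d" "$DATABASE"
  ;;
# … unchanged: list arm, default arm, esac …
```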


@ -44,10 +44,9 @@ smtpd_helo_required = yes
smtpd_delay_reject = yes smtpd_delay_reject = yes
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname, permit smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname, permit
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_policy_service unix:private/policyd-spf, smtpd_recipient_restrictions = check_recipient_access texthash:/tmp/docker-mailserver/postfix-receive-access.cf, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_policy_service unix:private/policyd-spf, reject_unauth_pipelining, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_recipient_domain, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net
reject_unauth_pipelining, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_recipient_domain, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unauth_pipelining smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unauth_pipelining
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain, reject_sender_login_mismatch smtpd_sender_restrictions = check_sender_access texthash:/tmp/docker-mailserver/postfix-send-access.cf, permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain, reject_sender_login_mismatch
disable_vrfy_command = yes disable_vrfy_command = yes
# Postscreen settings to drop zombies/open relays/spam early # Postscreen settings to drop zombies/open relays/spam early
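Review bot: The new `check_sender_access` lookup keys on the envelope MAIL FROM, and in this `smtpd_sender_restrictions` list `permit_sasl_authenticated` is evaluated before `reject_sender_login_mismatch`, so an authenticated client whose own address is on the send-deny list is permitted as soon as it supplies any other sender address — the mismatch check never runs for authenticated sessions. That ordering predates this commit, but it is what makes the new send restriction enforceable, so I would move the login/sender binding ahead of the permit: `smtpd_sender_restrictions = check_sender_access texthash:/tmp/docker-mailserver/postfix-send-access.cf, reject_authenticated_sender_login_mismatch, permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain, reject_sender_login_mismatch`. This presumes `smtpd_sender_login_maps` is configured elsewhere (not visible in this hunk; the existing `reject_sender_login_mismatch` suggests it is). The receive side looks sound as written: `check_recipient_access` is first in `smtpd_recipient_restrictions` and keys on RCPT TO, which the sending client cannot rename around.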


@ -0,0 +1 @@


@ -0,0 +1 @@


@ -1122,6 +1122,27 @@ load 'test_helper/bats-assert/load'
[ -z "$value" ] [ -z "$value" ]
} }
@test "checking setup.sh: setup.sh email restrict" {
run ./setup.sh -c mail email restrict
assert_failure
run ./setup.sh -c mail email restrict add
assert_failure
./setup.sh -c mail email restrict add send lorem@impsum.org
run ./setup.sh -c mail email restrict list send
assert_output --regexp "^lorem@impsum.org.*REJECT"
run ./setup.sh -c mail email restrict del send lorem@impsum.org
assert_success
run ./setup.sh -c mail email restrict list send
assert_output --partial "Everyone is allowed"
./setup.sh -c mail email restrict add receive rec_lorem@impsum.org
run ./setup.sh -c mail email restrict list receive
assert_output --regexp "^rec_lorem@impsum.org.*REJECT"
run ./setup.sh -c mail email restrict del receive rec_lorem@impsum.org
assert_success
}
# alias # alias
@test "checking setup.sh: setup.sh alias list" { @test "checking setup.sh: setup.sh alias list" {
echo "test@example.org test@forward.com" > ./config/postfix-virtual.cf echo "test@example.org test@forward.com" > ./config/postfix-virtual.cf
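Review bot: The two `add` calls (`./setup.sh -c mail email restrict add send lorem@impsum.org` and the `receive` counterpart) run outside `run`, so a non-zero exit from the new script is neither captured nor asserted, and a failing `add` would surface only as a confusing regexp mismatch on the following `list`. I would wrap each as `run ./setup.sh -c mail email restrict add send lorem@impsum.org` followed by `assert_success`, and likewise for the receive case. The receive branch also stops after `del` without the `list` check the send branch performs, so a deletion that silently matches nothing would pass. Nothing here exercises enforcement — a message from the restricted sender, or to the restricted recipient, actually being refused by Postfix — which is presumably what the feature is for; a follow-up test that submits a message through `debug login` or the SMTP port and expects a 5xx would cover it.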