mirror of
https://github.com/docker-mailserver/docker-mailserver.git
synced 2024-01-19 02:48:50 +00:00
PERMIT_DOCKER=none as new default value (#2424)
Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
This commit is contained in:
parent
6d1c740310
commit
57c52d7b5b
|
@ -39,7 +39,8 @@ The log-level will show everything in its class and above.
|
|||
|
||||
Set different options for mynetworks option (can be overwrite in postfix-main.cf) **WARNING**: Adding the docker network's gateway to the list of trusted hosts, e.g. using the `network` or `connected-networks` option, can create an [**open relay**](https://en.wikipedia.org/wiki/Open_mail_relay), for instance if IPv6 is enabled on the host machine but not in Docker.
|
||||
|
||||
- **empty** => localhost only.
|
||||
- **none** => Explicitly force authentication
|
||||
- container => Container IP address only.
|
||||
- host => Add docker host (ipv4 only).
|
||||
- network => Add the docker default bridge network (172.16.0.0/12); **WARNING**: `docker-compose` might use others (e.g. 192.168.0.0/16) use `PERMIT_DOCKER=connected-networks` in this case.
|
||||
- connected-networks => Add all connected docker networks (ipv4 only).
|
||||
|
|
|
@ -48,12 +48,13 @@ UPDATE_CHECK_INTERVAL=1d
|
|||
# https://github.com/docker-mailserver/docker-mailserver/issues/1405#issuecomment-590106498
|
||||
# The same can happen for rootless podman. To prevent this, set the value to "none" or configure slirp4netns
|
||||
# https://github.com/docker-mailserver/docker-mailserver/issues/2377
|
||||
# <empty> => container ip only
|
||||
#
|
||||
# none => Explicitly force authentication
|
||||
# container => Container IP address only
|
||||
# host => Add docker container network (ipv4 only)
|
||||
# network => Add all docker container networks (ipv4 only)
|
||||
# connected-networks => Add all connected docker networks (ipv4 only)
|
||||
PERMIT_DOCKER=
|
||||
PERMIT_DOCKER=none
|
||||
|
||||
# In case you network interface differs from 'eth0', e.g. when you are using HostNetworking in Kubernetes,
|
||||
# you can set NETWORK_INTERFACE to whatever interface you want. This interface will then be used.
|
||||
|
|
|
@ -47,6 +47,7 @@ VARS[MOVE_SPAM_TO_JUNK]="${MOVE_SPAM_TO_JUNK:=1}"
|
|||
VARS[NETWORK_INTERFACE]="${NETWORK_INTERFACE:=eth0}"
|
||||
VARS[ONE_DIR]="${ONE_DIR:=1}"
|
||||
VARS[OVERRIDE_HOSTNAME]="${OVERRIDE_HOSTNAME}"
|
||||
VARS[PERMIT_DOCKER]="${PERMIT_DOCKER:=none}"
|
||||
VARS[POSTFIX_INET_PROTOCOLS]="${POSTFIX_INET_PROTOCOLS:=all}"
|
||||
VARS[POSTFIX_MAILBOX_SIZE_LIMIT]="${POSTFIX_MAILBOX_SIZE_LIMIT:=0}"
|
||||
VARS[POSTFIX_MESSAGE_SIZE_LIMIT]="${POSTFIX_MESSAGE_SIZE_LIMIT:=10240000}" # ~10MB
|
||||
|
|
|
@ -754,38 +754,44 @@ function _setup_docker_permit
|
|||
postconf -e "mynetworks ="
|
||||
;;
|
||||
|
||||
"host" )
|
||||
_notify 'inf' "Adding ${CONTAINER_NETWORK}/16 to my networks"
|
||||
postconf -e "$(postconf | grep '^mynetworks =') ${CONTAINER_NETWORK}/16"
|
||||
echo "${CONTAINER_NETWORK}/16" >> /etc/opendmarc/ignore.hosts
|
||||
echo "${CONTAINER_NETWORK}/16" >> /etc/opendkim/TrustedHosts
|
||||
;;
|
||||
|
||||
"network" )
|
||||
_notify 'inf' "Adding docker network in my networks"
|
||||
postconf -e "$(postconf | grep '^mynetworks =') 172.16.0.0/12"
|
||||
echo 172.16.0.0/12 >> /etc/opendmarc/ignore.hosts
|
||||
echo 172.16.0.0/12 >> /etc/opendkim/TrustedHosts
|
||||
;;
|
||||
|
||||
"connected-networks" )
|
||||
for NETWORK in "${CONTAINER_NETWORKS[@]}"
|
||||
do
|
||||
NETWORK=$(_sanitize_ipv4_to_subnet_cidr "${NETWORK}")
|
||||
_notify 'inf' "Adding docker network ${NETWORK} in my networks"
|
||||
_notify 'inf' "Adding docker network ${NETWORK} to Postfix's 'mynetworks'"
|
||||
postconf -e "$(postconf | grep '^mynetworks =') ${NETWORK}"
|
||||
echo "${NETWORK}" >> /etc/opendmarc/ignore.hosts
|
||||
echo "${NETWORK}" >> /etc/opendkim/TrustedHosts
|
||||
done
|
||||
;;
|
||||
|
||||
* )
|
||||
_notify 'inf' 'Adding container ip in my networks'
|
||||
"container" )
|
||||
_notify 'inf' "Adding container IP address to Postfix's 'mynetworks'"
|
||||
postconf -e "$(postconf | grep '^mynetworks =') ${CONTAINER_IP}/32"
|
||||
echo "${CONTAINER_IP}/32" >> /etc/opendmarc/ignore.hosts
|
||||
echo "${CONTAINER_IP}/32" >> /etc/opendkim/TrustedHosts
|
||||
;;
|
||||
|
||||
"host" )
|
||||
_notify 'inf' "Adding ${CONTAINER_NETWORK}/16 to Postfix's 'mynetworks'"
|
||||
postconf -e "$(postconf | grep '^mynetworks =') ${CONTAINER_NETWORK}/16"
|
||||
echo "${CONTAINER_NETWORK}/16" >> /etc/opendmarc/ignore.hosts
|
||||
echo "${CONTAINER_NETWORK}/16" >> /etc/opendkim/TrustedHosts
|
||||
;;
|
||||
|
||||
"network" )
|
||||
_notify 'inf' "Adding docker network to Postfix's 'mynetworks'"
|
||||
postconf -e "$(postconf | grep '^mynetworks =') 172.16.0.0/12"
|
||||
echo 172.16.0.0/12 >> /etc/opendmarc/ignore.hosts
|
||||
echo 172.16.0.0/12 >> /etc/opendkim/TrustedHosts
|
||||
;;
|
||||
|
||||
* )
|
||||
_notify 'warn' "Invalid value for PERMIT_DOCKER: ${PERMIT_DOCKER}"
|
||||
_notify 'inf' "Clearing Postfix's 'mynetworks'"
|
||||
postconf -e "mynetworks ="
|
||||
;;
|
||||
|
||||
esac
|
||||
}
|
||||
|
||||
|
|
|
@ -8,9 +8,10 @@ setup_file() {
|
|||
-v "${PRIVATE_CONFIG}":/tmp/docker-mailserver \
|
||||
-v "${PRIVATE_ETC}":/etc/dovecot \
|
||||
-v "$(pwd)/test/test-files":/tmp/docker-mailserver-test:ro \
|
||||
-e DMS_DEBUG=0 \
|
||||
-e ENABLE_POSTFIX_VIRTUAL_TRANSPORT=1 \
|
||||
-e POSTFIX_DAGENT=lmtp:127.0.0.1:24 \
|
||||
-e DMS_DEBUG=0 \
|
||||
-e PERMIT_DOCKER=container \
|
||||
-h mail.my-domain.com -t "${NAME}"
|
||||
wait_for_finished_setup_in_container mail_lmtp_ip
|
||||
}
|
||||
|
|
|
@ -6,8 +6,9 @@ function setup_file() {
|
|||
docker run -d --name mail_pop3 \
|
||||
-v "${PRIVATE_CONFIG}":/tmp/docker-mailserver \
|
||||
-v "$(pwd)/test/test-files":/tmp/docker-mailserver-test:ro \
|
||||
-e ENABLE_POP3=1 \
|
||||
-e DMS_DEBUG=0 \
|
||||
-e ENABLE_POP3=1 \
|
||||
-e PERMIT_DOCKER=container \
|
||||
-h mail.my-domain.com -t "${NAME}"
|
||||
|
||||
wait_for_finished_setup_in_container mail_pop3
|
||||
|
|
|
@ -27,6 +27,7 @@ function setup_file() {
|
|||
# shellcheck disable=SC2034
|
||||
local TEST_DOCKER_ARGS=(
|
||||
--env ENABLE_SPAMASSASSIN=1
|
||||
--env PERMIT_DOCKER=container
|
||||
--env SPAMASSASSIN_SPAM_TO_INBOX=0
|
||||
)
|
||||
|
||||
|
|
|
@ -11,9 +11,10 @@ load 'test_helper/common'
|
|||
-v "${PRIVATE_CONFIG}":/tmp/docker-mailserver \
|
||||
-v "$(pwd)/test/test-files":/tmp/docker-mailserver-test:ro \
|
||||
-e ENABLE_SPAMASSASSIN=1 \
|
||||
-e SPAMASSASSIN_SPAM_TO_INBOX=1 \
|
||||
-e MOVE_SPAM_TO_JUNK=1 \
|
||||
-e PERMIT_DOCKER=container \
|
||||
-e SA_SPAM_SUBJECT="SPAM: " \
|
||||
-e SPAMASSASSIN_SPAM_TO_INBOX=1 \
|
||||
-h mail.my-domain.com -t "${NAME}"
|
||||
|
||||
teardown() { docker rm -f mail_spam_moved_junk; }
|
||||
|
@ -39,9 +40,10 @@ load 'test_helper/common'
|
|||
-v "${PRIVATE_CONFIG}":/tmp/docker-mailserver \
|
||||
-v "$(pwd)/test/test-files":/tmp/docker-mailserver-test:ro \
|
||||
-e ENABLE_SPAMASSASSIN=1 \
|
||||
-e SPAMASSASSIN_SPAM_TO_INBOX=1 \
|
||||
-e MOVE_SPAM_TO_JUNK=0 \
|
||||
-e PERMIT_DOCKER=container \
|
||||
-e SA_SPAM_SUBJECT="SPAM: " \
|
||||
-e SPAMASSASSIN_SPAM_TO_INBOX=1 \
|
||||
-h mail.my-domain.com -t "${NAME}"
|
||||
|
||||
teardown() { docker rm -f mail_spam_moved_new; }
|
||||
|
|
|
@ -50,6 +50,7 @@ function teardown() {
|
|||
|
||||
local TEST_DOCKER_ARGS=(
|
||||
--volume "${TEST_TMP_CONFIG}/letsencrypt/${TARGET_DOMAIN}/:/etc/letsencrypt/live/${TARGET_DOMAIN}/:ro"
|
||||
--env PERMIT_DOCKER='container'
|
||||
--env SSL_TYPE='letsencrypt'
|
||||
)
|
||||
|
||||
|
@ -69,6 +70,7 @@ function teardown() {
|
|||
|
||||
local TEST_DOCKER_ARGS=(
|
||||
--volume "${TEST_TMP_CONFIG}/letsencrypt/${TARGET_DOMAIN}/:/etc/letsencrypt/live/${TARGET_DOMAIN}/:ro"
|
||||
--env PERMIT_DOCKER='container'
|
||||
--env SSL_TYPE='letsencrypt'
|
||||
)
|
||||
|
||||
|
@ -107,9 +109,10 @@ function teardown() {
|
|||
# shellcheck disable=SC2034
|
||||
local TEST_DOCKER_ARGS=(
|
||||
--volume "${TEST_TMP_CONFIG}/letsencrypt/acme.json:/etc/letsencrypt/acme.json:ro"
|
||||
--env SSL_TYPE='letsencrypt'
|
||||
--env SSL_DOMAIN='*.example.test'
|
||||
--env DMS_DEBUG=1
|
||||
--env PERMIT_DOCKER='container'
|
||||
--env SSL_DOMAIN='*.example.test'
|
||||
--env SSL_TYPE='letsencrypt'
|
||||
)
|
||||
|
||||
common_container_setup 'TEST_DOCKER_ARGS'
|
||||
|
|
|
@ -7,11 +7,12 @@ setup_file() {
|
|||
docker run -d --name mail_with_imap \
|
||||
-v "${PRIVATE_CONFIG}":/tmp/docker-mailserver \
|
||||
-v "$(pwd)/test/test-files":/tmp/docker-mailserver-test:ro \
|
||||
-e ENABLE_SASLAUTHD=1 \
|
||||
-e SASLAUTHD_MECHANISMS=rimap \
|
||||
-e SASLAUTHD_MECH_OPTIONS=127.0.0.1 \
|
||||
-e POSTMASTER_ADDRESS=postmaster@localhost.localdomain \
|
||||
-e DMS_DEBUG=0 \
|
||||
-e ENABLE_SASLAUTHD=1 \
|
||||
-e POSTMASTER_ADDRESS=postmaster@localhost.localdomain \
|
||||
-e SASLAUTHD_MECH_OPTIONS=127.0.0.1 \
|
||||
-e SASLAUTHD_MECHANISMS=rimap \
|
||||
-e PERMIT_DOCKER=container \
|
||||
-h mail.my-domain.com -t "${NAME}"
|
||||
wait_for_smtp_port_in_container mail_with_imap
|
||||
}
|
||||
|
|
|
@ -28,26 +28,27 @@ function setup_file() {
|
|||
docker run -d --name mail_with_ldap \
|
||||
-v "${PRIVATE_CONFIG}:/tmp/docker-mailserver" \
|
||||
-v "$(pwd)/test/test-files:/tmp/docker-mailserver-test:ro" \
|
||||
-e SPOOF_PROTECTION=1 \
|
||||
-e DMS_DEBUG=0 \
|
||||
-e DOVECOT_PASS_FILTER="(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))" \
|
||||
-e DOVECOT_TLS=no \
|
||||
-e DOVECOT_USER_FILTER="(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))" \
|
||||
-e ENABLE_LDAP=1 \
|
||||
-e LDAP_SERVER_HOST=ldap \
|
||||
-e LDAP_START_TLS=no \
|
||||
-e LDAP_SEARCH_BASE=ou=people,dc=localhost,dc=localdomain \
|
||||
-e ENABLE_SASLAUTHD=1 \
|
||||
-e LDAP_BIND_DN=cn=admin,dc=localhost,dc=localdomain \
|
||||
-e LDAP_BIND_PW=admin \
|
||||
-e LDAP_QUERY_FILTER_USER="(&(mail=%s)(mailEnabled=TRUE))" \
|
||||
-e LDAP_QUERY_FILTER_GROUP="(&(mailGroupMember=%s)(mailEnabled=TRUE))" \
|
||||
-e LDAP_QUERY_FILTER_ALIAS="(|(&(mailAlias=%s)(objectClass=PostfixBookMailForward))(&(mailAlias=%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE)))" \
|
||||
-e LDAP_QUERY_FILTER_DOMAIN="(|(&(mail=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailGroupMember=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailalias=*@%s)(objectClass=PostfixBookMailForward)))" \
|
||||
-e LDAP_QUERY_FILTER_GROUP="(&(mailGroupMember=%s)(mailEnabled=TRUE))" \
|
||||
-e LDAP_QUERY_FILTER_SENDERS="(|(&(mail=%s)(mailEnabled=TRUE))(&(mailGroupMember=%s)(mailEnabled=TRUE))(|(&(mailAlias=%s)(objectClass=PostfixBookMailForward))(&(mailAlias=%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE)))(uniqueIdentifier=some.user.id))" \
|
||||
-e DOVECOT_TLS=no \
|
||||
-e DOVECOT_PASS_FILTER="(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))" \
|
||||
-e DOVECOT_USER_FILTER="(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))" \
|
||||
-e REPORT_RECIPIENT=1 \
|
||||
-e ENABLE_SASLAUTHD=1 \
|
||||
-e SASLAUTHD_MECHANISMS=ldap \
|
||||
-e LDAP_QUERY_FILTER_USER="(&(mail=%s)(mailEnabled=TRUE))" \
|
||||
-e LDAP_SEARCH_BASE=ou=people,dc=localhost,dc=localdomain \
|
||||
-e LDAP_SERVER_HOST=ldap \
|
||||
-e LDAP_START_TLS=no \
|
||||
-e PERMIT_DOCKER=container \
|
||||
-e POSTMASTER_ADDRESS="postmaster@${FQDN_LOCALHOST_A}" \
|
||||
-e DMS_DEBUG=0 \
|
||||
-e REPORT_RECIPIENT=1 \
|
||||
-e SASLAUTHD_MECHANISMS=ldap \
|
||||
-e SPOOF_PROTECTION=1 \
|
||||
-e SSL_TYPE='snakeoil' \
|
||||
--network "${DMS_TEST_NETWORK}" \
|
||||
--hostname "${FQDN_MAIL}" \
|
||||
|
@ -190,14 +191,14 @@ function teardown_file() {
|
|||
assert_failure
|
||||
}
|
||||
|
||||
@test "checking spoofing: rejects sender forging" {
|
||||
@test "checking spoofing (with LDAP): rejects sender forging" {
|
||||
wait_for_smtp_port_in_container_to_respond mail_with_ldap
|
||||
run docker exec mail_with_ldap /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/auth/ldap-smtp-auth-spoofed.txt | grep 'Sender address rejected: not owned by user'"
|
||||
assert_success
|
||||
}
|
||||
|
||||
# ATTENTION: these tests must come after "checking dovecot: ldap mail delivery works" since they will deliver an email which skews the count in said test, leading to failure
|
||||
@test "checking spoofing: accepts sending as alias" {
|
||||
@test "checking spoofing: accepts sending as alias (with LDAP)" {
|
||||
run docker exec mail_with_ldap /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/auth/ldap-smtp-auth-spoofed-alias.txt | grep 'End data with'"
|
||||
assert_success
|
||||
}
|
||||
|
|
|
@ -6,13 +6,14 @@ function setup_file() {
|
|||
docker run -d --name mail_with_postgrey \
|
||||
-v "${PRIVATE_CONFIG}":/tmp/docker-mailserver \
|
||||
-v "$(pwd)/test/test-files":/tmp/docker-mailserver-test:ro \
|
||||
-e DMS_DEBUG=0 \
|
||||
-e ENABLE_DNSBL=1 \
|
||||
-e ENABLE_POSTGREY=1 \
|
||||
-e PERMIT_DOCKER=container \
|
||||
-e POSTGREY_AUTO_WHITELIST_CLIENTS=5 \
|
||||
-e POSTGREY_DELAY=15 \
|
||||
-e POSTGREY_MAX_AGE=35 \
|
||||
-e POSTGREY_AUTO_WHITELIST_CLIENTS=5 \
|
||||
-e POSTGREY_TEXT="Delayed by Postgrey" \
|
||||
-e ENABLE_DNSBL=1 \
|
||||
-e DMS_DEBUG=0 \
|
||||
-h mail.my-domain.com -t "${NAME}"
|
||||
# using postfix availability as start indicator, this might be insufficient for postgrey
|
||||
wait_for_smtp_port_in_container mail_with_postgrey
|
||||
|
|
|
@ -19,9 +19,9 @@ setup_file() {
|
|||
-e ENABLE_MANAGESIEVE=1 \
|
||||
-e ENABLE_QUOTAS=1 \
|
||||
-e ENABLE_SPAMASSASSIN=1 \
|
||||
-e SPAMASSASSIN_SPAM_TO_INBOX=0 \
|
||||
-e ENABLE_SRS=1 \
|
||||
-e ENABLE_UPDATE_CHECK=0 \
|
||||
-e PERMIT_DOCKER=container \
|
||||
-e PERMIT_DOCKER=host \
|
||||
-e REPORT_RECIPIENT=user1@localhost.localdomain \
|
||||
-e REPORT_SENDER=report1@mail.my-domain.com \
|
||||
|
@ -30,6 +30,7 @@ setup_file() {
|
|||
-e SA_TAG=-5.0 \
|
||||
-e SA_TAG2=2.0 \
|
||||
-e SASL_PASSWD="external-domain.com username:password" \
|
||||
-e SPAMASSASSIN_SPAM_TO_INBOX=0 \
|
||||
-e SPOOF_PROTECTION=1 \
|
||||
-e SSL_TYPE='snakeoil' \
|
||||
-e VIRUSMAILS_DELETE_DELAY=7 \
|
||||
|
|
Loading…
Reference in a new issue