postscreen implementation altered (#846)

* new setup.sh function, new tests, new script and some minor updates to main.cf
* fix for missing files
* removed obsolete test-files
* restart postfix if neccessary.
* see pr  #845
* fixed typo
* fixed branchmixup
* changed postfix reload command & changed to operate on container instead of image
* reload postfix only on adding new restriction
* main.cf is only changed when user is added.
 - Postfix reload changed
 - working on container instead of image now in setup.sh
 - added cleanup after tests
* moved cleanup to makefile

Makefile

@@ -258,4 +258,6 @@ clean:
 		test/config/without-accounts \
 		test/config/without-virtual \
 		test/config/with-domain \
-		test/config/dovecot-lmtp/userdb
+		test/config/dovecot-lmtp/userdb \
+		test/config/postfix-*-access.cf*
+

setup.sh

@@ -150,7 +150,7 @@ case $1 in
         ;;
       restrict)
         shift
-        _docker_image restrict-access $@
+        _docker_container restrict-access $@
         ;;
       list)
         _docker_image listmailuser

target/bin/restrict-access

@@ -34,12 +34,19 @@ if [ -z "$USER" ] && [ "$MODE" != list ]; then
 	echo
 	[ -z "$USER" ] && raise "User must not be empty"
 fi
- 
 
-case $MODE in 
+
+
+case $MODE in
 	add)
 		grep -qi "^$(escape "$USER")" $DATABASE 2>/dev/null &&
 			raise "User \"$USER\" already denied to $2 mails"
+		if [ ! -f $DATABASE ]; then
+			[[ $DATABASE = *"send"* ]] && \
+					sed -i 's|smtpd_sender_restrictions =|smtpd_sender_restrictions = check_sender_access texthash:/tmp/docker-mailserver/postfix-send-access.cf,|' /etc/postfix/main.cf \
+				|| sed -i 's|smtpd_recipient_restrictions =|smtpd_recipient_restrictions = check_recipient_access texthash:/tmp/docker-mailserver/postfix-receive-access.cf,|'  /etc/postfix/main.cf
+			service postfix reload > /dev/null
+		fi
 		echo -e "$USER \t\t REJECT" >>$DATABASE
 	;;
 	del)
@@ -47,10 +54,11 @@ case $MODE in
 			raise "User \"$USER\" not found."
 	;;
 	list)
-		grep "REJECT" $DATABASE 2>/dev/null || 
+		grep "REJECT" $DATABASE 2>/dev/null ||
 		    echo "Everyone is allowed to $2 mails."
     ;;
 	*)
 		usage; raise "missing mode. Specify \"add\", \"del\" or \"list\"";
 	;;
-esac
+esac
+

target/postfix/main.cf

@@ -44,25 +44,25 @@ smtpd_helo_required = yes
 smtpd_delay_reject = yes
 smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname, permit
 smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
-smtpd_recipient_restrictions = check_recipient_access texthash:/tmp/docker-mailserver/postfix-receive-access.cf, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_policy_service unix:private/policyd-spf, reject_unauth_pipelining, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_recipient_domain, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net
+smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_policy_service unix:private/policyd-spf, reject_unauth_pipelining, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_recipient_domain, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net
 smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unauth_pipelining
-smtpd_sender_restrictions = check_sender_access texthash:/tmp/docker-mailserver/postfix-send-access.cf, permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain, reject_sender_login_mismatch
+smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain, reject_sender_login_mismatch
 disable_vrfy_command = yes
 
 # Postscreen settings to drop zombies/open relays/spam early
 postscreen_dnsbl_action = enforce
-postscreen_dnsbl_sites = zen.spamhaus.org*3 
-	bl.mailspike.net 
-	b.barracudacentral.org*2 
-	bl.spameatingmonkey.net 
-	bl.spamcop.net 
-	dnsbl.sorbs.net 
-	psbl.surriel.com 
-	list.dnswl.org=127.0.[0..255].0*-2 
-	list.dnswl.org=127.0.[0..255].1*-3 
-	list.dnswl.org=127.0.[0..255].[2..3]*-4                                        
-postscreen_dnsbl_threshold = 3                     
-postscreen_dnsbl_whitelist_threshold = -1          
+postscreen_dnsbl_sites = zen.spamhaus.org*3
+	bl.mailspike.net
+	b.barracudacentral.org*2
+	bl.spameatingmonkey.net
+	bl.spamcop.net
+	dnsbl.sorbs.net
+	psbl.surriel.com
+	list.dnswl.org=127.0.[0..255].0*-2
+	list.dnswl.org=127.0.[0..255].1*-3
+	list.dnswl.org=127.0.[0..255].[2..3]*-4
+postscreen_dnsbl_threshold = 3
+postscreen_dnsbl_whitelist_threshold = -1
 postscreen_greet_action = enforce
 postscreen_bare_newline_action = enforce
 

target/start-mailserver.sh

@@ -116,6 +116,7 @@ function register_functions() {
 	_register_setup_function "_setup_postfix_vhost"
 	_register_setup_function "_setup_postfix_dhparam"
 	_register_setup_function "_setup_postfix_postscreen"
+  _register_setup_function "_setup_postfix_access_control"
 
 	if [ ! -z "$AWS_SES_HOST" -a ! -z "$AWS_SES_USERPASS" ]; then
 		_register_setup_function "_setup_postfix_relay_amazon_ses"
@@ -611,6 +612,12 @@ function _setup_postfix_postscreen() {
 	       -e "s/postscreen_bare_newline_action = enforce/postscreen_bare_newline_action = $POSTSCREEN_ACTION/" /etc/postfix/main.cf
 }
 
+function _setup_postfix_access_control() {
+  notify 'inf' "Configuring user access"
+  [ -f /tmp/docker-mailserver/postfix-send-access.cf ] && sed -i 's|smtpd_sender_restrictions =|smtpd_sender_restrictions = check_sender_access texthash:/tmp/docker-mailserver/postfix-send-access.cf,|' /etc/postfix/main.cf
+  [ -f /tmp/docker-mailserver/postfix-receive-access.cf ] && sed -i 's|smtpd_recipient_restrictions =|smtpd_recipient_restrictions = check_recipient_access texthash:/tmp/docker-mailserver/postfix-receive-access.cf,|' /etc/postfix/main.cf
+}
+
 function _setup_postfix_sasl() {
     if [[ ${ENABLE_SASLAUTHD} == 1 ]];then
 	[ ! -f /etc/postfix/sasl/smtpd.conf ] && cat > /etc/postfix/sasl/smtpd.conf << EOF

test/config/postfix-receive-access.cf

@@ -1 +0,0 @@
-

test/config/postfix-send-access.cf

@@ -1 +0,0 @@
-