From 5e09074d587114ef4d771fe65c911b67735d4fcb Mon Sep 17 00:00:00 2001
From: 17Halbe
Date: Sun, 18 Feb 2018 13:29:43 +0100
Subject: [PATCH] postscreen implementation altered (#846)
* new setup.sh function, new tests, new script and some minor updates to main.cf
* fix for missing files
* removed obsolete test-files
* restart postfix if neccessary.
* see pr #845
* fixed typo
* fixed branchmixup
* changed postfix reload command & changed to operate on container instead of image
* reload postfix only on adding new restriction
* main.cf is only changed when user is added. - Postfix reload changed - working on container instead of image now in setup.sh - added cleanup after tests
* moved cleanup to makefile
---
 Makefile | 4 +++-
 setup.sh | 2 +-
 target/bin/restrict-access | 16 +++++++++++----
 target/postfix/main.cf | 28 +++++++++++++--------------
 target/start-mailserver.sh | 7 +++++++
 test/config/postfix-receive-access.cf | 1 -
 test/config/postfix-send-access.cf | 1 -
 7 files changed, 37 insertions(+), 22 deletions(-)
 delete mode 100644 test/config/postfix-receive-access.cf
 delete mode 100644 test/config/postfix-send-access.cf
diff --git a/Makefile b/Makefile
index 001f4f4b..860730ba 100644
--- a/Makefile
+++ b/Makefile
@@ -258,4 +258,6 @@ clean:
 test/config/without-accounts \
 test/config/without-virtual \
 test/config/with-domain \
- test/config/dovecot-lmtp/userdb
+ test/config/dovecot-lmtp/userdb \
+ test/config/postfix-*-access.cf*
+
diff --git a/setup.sh b/setup.sh
index 2a67e088..bc5b6569 100755
--- a/setup.sh
+++ b/setup.sh
@@ -150,7 +150,7 @@ case $1 in
 ;;
 restrict)
 shift
- _docker_image restrict-access $@
+ _docker_container restrict-access $@
 ;;
 list)
 _docker_image listmailuser
diff --git a/target/bin/restrict-access b/target/bin/restrict-access
index 7b693bd4..aaa46ddc 100755
--- a/target/bin/restrict-access
+++ b/target/bin/restrict-access
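Review bot: The new line `_docker_container restrict-access $@` forwards the positional arguments unquoted, so the shell re-splits and glob-expands them before the helper sees them; `_docker_container restrict-access "$@"` passes each argument through intact. The `list)` arm in the context uses the same call style, so this is presumably file-wide, but this is the line the commit touches. Whether `_docker_container` itself quotes what it forwards is outside the hunk.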
@@ -34,12 +34,19 @@ if [ -z "$USER" ] && [ "$MODE" != list ]; then echo [ -z "$USER" ] && raise "User must not be empty" fi - -case $MODE in + + +case $MODE in add) grep -qi "^$(escape "$USER")" $DATABASE 2>/dev/null && raise "User \"$USER\" already denied to $2 mails" + if [ ! -f $DATABASE ]; then + [[ $DATABASE = *"send"* ]] && \ + sed -i 's|smtpd_sender_restrictions =|smtpd_sender_restrictions = check_sender_access texthash:/tmp/docker-mailserver/postfix-send-access.cf,|' /etc/postfix/main.cf \ + || sed -i 's|smtpd_recipient_restrictions =|smtpd_recipient_restrictions = check_recipient_access texthash:/tmp/docker-mailserver/postfix-receive-access.cf,|' /etc/postfix/main.cf + service postfix reload > /dev/null + fi echo -e "$USER \t\t REJECT" >>$DATABASE ;; del) @@ -47,10 +54,11 @@ case $MODE in raise "User \"$USER\" not found." ;; list) - grep "REJECT" $DATABASE 2>/dev/null || + grep "REJECT" $DATABASE 2>/dev/null || echo "Everyone is allowed to $2 mails." ;; *) usage; raise "missing mode. Specify \"add\", \"del\" or \"list\""; ;; -esac \ No newline at end of file +esac + diff --git a/target/postfix/main.cf b/target/postfix/main.cf index 01b7823a..cfbfbc8f 100644 --- a/target/postfix/main.cf +++ b/target/postfix/main.cf 
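Review bot: The new `if [ ! -f $DATABASE ]` block in the `add)` arm edits /etc/postfix/main.cf without checking whether the `check_*_access texthash:` clause is already there, so deleting the access file and adding a user again prepends the clause a second time, and the identical unguarded sed also runs in `_setup_postfix_access_control` in target/start-mailserver.sh, so a main.cf that already carries the clause gets a duplicate from that path too. The `[[ … ]] && \ sed … || sed …` chain is an if/else in disguise: if the sender sed fails, the recipient sed runs instead and patches the wrong restriction list. `service postfix reload` is also issued before `echo -e "$USER \t\t REJECT" >>$DATABASE` creates the table file, so Postfix is told to re-read a main.cf that references a texthash file which does not exist yet, and the reload's exit status is discarded. I would guard each sed with a `grep -q` for the clause, create the file first and reload afterwards, as below; the unquoted `$DATABASE` expansions are pre-existing.
```shell
add)
  # … unchanged: already-denied check via grep/raise …
  reload=0
  if [ ! -f "$DATABASE" ]; then
    if [[ $DATABASE = *"send"* ]]; then
      grep -q 'check_sender_access texthash:/tmp/docker-mailserver/postfix-send-access.cf' /etc/postfix/main.cf \
        || sed -i 's|smtpd_sender_restrictions =|smtpd_sender_restrictions = check_sender_access texthash:/tmp/docker-mailserver/postfix-send-access.cf,|' /etc/postfix/main.cf
    else
      grep -q 'check_recipient_access texthash:/tmp/docker-mailserver/postfix-receive-access.cf' /etc/postfix/main.cf \
        || sed -i 's|smtpd_recipient_restrictions =|smtpd_recipient_restrictions = check_recipient_access texthash:/tmp/docker-mailserver/postfix-receive-access.cf,|' /etc/postfix/main.cf
    fi
    reload=1
  fi
  echo -e "$USER \t\t REJECT" >>"$DATABASE"
  # reload only once the table file exists, and do not hide a failed reload
  if [ "$reload" = 1 ]; then
    service postfix reload > /dev/null || raise "postfix reload failed"
  fi
  ;;
```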
@@ -44,25 +44,25 @@ smtpd_helo_required = yes smtpd_delay_reject = yes smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname, permit smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination -smtpd_recipient_restrictions = check_recipient_access texthash:/tmp/docker-mailserver/postfix-receive-access.cf, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_policy_service unix:private/policyd-spf, reject_unauth_pipelining, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_recipient_domain, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net +smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_policy_service unix:private/policyd-spf, reject_unauth_pipelining, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_recipient_domain, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unauth_pipelining -smtpd_sender_restrictions = check_sender_access texthash:/tmp/docker-mailserver/postfix-send-access.cf, permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain, reject_sender_login_mismatch +smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain, reject_sender_login_mismatch disable_vrfy_command = yes # Postscreen settings to drop zombies/open relays/spam early postscreen_dnsbl_action = enforce -postscreen_dnsbl_sites = zen.spamhaus.org*3 - bl.mailspike.net - b.barracudacentral.org*2 - bl.spameatingmonkey.net - bl.spamcop.net - dnsbl.sorbs.net - psbl.surriel.com - list.dnswl.org=127.0.[0..255].0*-2 - list.dnswl.org=127.0.[0..255].1*-3 - list.dnswl.org=127.0.[0..255].[2..3]*-4 -postscreen_dnsbl_threshold = 3 -postscreen_dnsbl_whitelist_threshold = -1 +postscreen_dnsbl_sites = 
zen.spamhaus.org*3 + bl.mailspike.net + b.barracudacentral.org*2 + bl.spameatingmonkey.net + bl.spamcop.net + dnsbl.sorbs.net + psbl.surriel.com + list.dnswl.org=127.0.[0..255].0*-2 + list.dnswl.org=127.0.[0..255].1*-3 + list.dnswl.org=127.0.[0..255].[2..3]*-4 +postscreen_dnsbl_threshold = 3 +postscreen_dnsbl_whitelist_threshold = -1 postscreen_greet_action = enforce postscreen_bare_newline_action = enforce diff --git a/target/start-mailserver.sh b/target/start-mailserver.sh index a4e8088f..4fec625e 100644 --- a/target/start-mailserver.sh +++ b/target/start-mailserver.sh @@ -116,6 +116,7 @@ function register_functions() { _register_setup_function "_setup_postfix_vhost" _register_setup_function "_setup_postfix_dhparam" _register_setup_function "_setup_postfix_postscreen" + _register_setup_function "_setup_postfix_access_control" if [ ! -z "$AWS_SES_HOST" -a ! -z "$AWS_SES_USERPASS" ]; then _register_setup_function "_setup_postfix_relay_amazon_ses" @@ -611,6 +612,12 @@ function _setup_postfix_postscreen() { -e "s/postscreen_bare_newline_action = enforce/postscreen_bare_newline_action = $POSTSCREEN_ACTION/" /etc/postfix/main.cf } +function _setup_postfix_access_control() { + notify 'inf' "Configuring user access" + [ -f /tmp/docker-mailserver/postfix-send-access.cf ] && sed -i 's|smtpd_sender_restrictions =|smtpd_sender_restrictions = check_sender_access texthash:/tmp/docker-mailserver/postfix-send-access.cf,|' /etc/postfix/main.cf + [ -f /tmp/docker-mailserver/postfix-receive-access.cf ] && sed -i 's|smtpd_recipient_restrictions =|smtpd_recipient_restrictions = check_recipient_access texthash:/tmp/docker-mailserver/postfix-receive-access.cf,|' /etc/postfix/main.cf +} + function _setup_postfix_sasl() { if [[ ${ENABLE_SASLAUTHD} == 1 ]];then [ ! -f /etc/postfix/sasl/smtpd.conf ] && cat > /etc/postfix/sasl/smtpd.conf << EOF diff --git a/test/config/postfix-receive-access.cf b/test/config/postfix-receive-access.cf deleted file mode 100644 index 8b137891..00000000 
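Review bot: The `smtpd_sender_restrictions =` and `smtpd_recipient_restrictions =` lines this hunk strips of their `check_*_access texthash:` entries are now the literal sed anchors that `restrict-access` and `_setup_postfix_access_control` use to re-insert those entries, and nothing in main.cf says so. A comment above the two lines would protect the anchor, e.g. `# check_sender_access / check_recipient_access are prepended at runtime by restrict-access and start-mailserver.sh when postfix-send-access.cf / postfix-receive-access.cf exist; keep "name =" verbatim`. Anyone who later reformats these lines (a second space, a different separator) silently disables the per-user restriction feature with no error from either script. The postscreen_dnsbl_sites rewrite below is whitespace-only and needs no change.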
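Review bot: `_setup_postfix_access_control` ends with `[ -f /tmp/docker-mailserver/postfix-receive-access.cf ] && sed …`, so whenever no receive-access file exists the function's exit status is 1; whether the runner behind `_register_setup_function` treats a non-zero status as a failure is outside the hunk, but a trailing `return 0`, or writing the two checks as `if [ -f … ]; then sed …; fi`, removes the ambiguity. The function also has no docstring-style header like the neighbouring setup functions; a line such as `# Prepend check_*_access lookups to main.cf when the corresponding access file was created via restrict-access` would explain why it must run after `_setup_postfix_postscreen` rewrote main.cf.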
--- a/test/config/postfix-receive-access.cf
+++ /dev/null
@@ -1 +0,0 @@
-
diff --git a/test/config/postfix-send-access.cf b/test/config/postfix-send-access.cf
deleted file mode 100644
index 8b137891..00000000
--- a/test/config/postfix-send-access.cf
+++ /dev/null
@@ -1 +0,0 @@
-