postscreen implementation altered (#846)

* new setup.sh function, new tests, new script and some minor updates to main.cf
* fix for missing files
* removed obsolete test-files
* restart postfix if neccessary.
* see pr  #845
* fixed typo
* fixed branchmixup
* changed postfix reload command & changed to operate on container instead of image
* reload postfix only on adding new restriction
* main.cf is only changed when user is added.
 - Postfix reload changed
 - working on container instead of image now in setup.sh
 - added cleanup after tests
* moved cleanup to makefile
This commit is contained in:
17Halbe 2018-02-18 13:29:43 +01:00 committed by Johan Smits
parent 803dab12c6
commit 5e09074d58
7 changed files with 37 additions and 22 deletions

View file

@ -258,4 +258,6 @@ clean:
test/config/without-accounts \
test/config/without-virtual \
test/config/with-domain \
test/config/dovecot-lmtp/userdb
test/config/dovecot-lmtp/userdb \
test/config/postfix-*-access.cf*

View file

@ -150,7 +150,7 @@ case $1 in
;;
restrict)
shift
_docker_image restrict-access $@
_docker_container restrict-access $@
;;
list)
_docker_image listmailuser

View file

@ -36,10 +36,17 @@ if [ -z "$USER" ] && [ "$MODE" != list ]; then
fi
case $MODE in
add)
grep -qi "^$(escape "$USER")" $DATABASE 2>/dev/null &&
raise "User \"$USER\" already denied to $2 mails"
if [ ! -f $DATABASE ]; then
[[ $DATABASE = *"send"* ]] && \
sed -i 's|smtpd_sender_restrictions =|smtpd_sender_restrictions = check_sender_access texthash:/tmp/docker-mailserver/postfix-send-access.cf,|' /etc/postfix/main.cf \
|| sed -i 's|smtpd_recipient_restrictions =|smtpd_recipient_restrictions = check_recipient_access texthash:/tmp/docker-mailserver/postfix-receive-access.cf,|' /etc/postfix/main.cf
service postfix reload > /dev/null
fi
echo -e "$USER \t\t REJECT" >>$DATABASE
;;
del)
@ -54,3 +61,4 @@ case $MODE in
usage; raise "missing mode. Specify \"add\", \"del\" or \"list\"";
;;
esac

View file

@ -44,9 +44,9 @@ smtpd_helo_required = yes
smtpd_delay_reject = yes
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname, permit
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_recipient_restrictions = check_recipient_access texthash:/tmp/docker-mailserver/postfix-receive-access.cf, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_policy_service unix:private/policyd-spf, reject_unauth_pipelining, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_recipient_domain, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_policy_service unix:private/policyd-spf, reject_unauth_pipelining, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_recipient_domain, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unauth_pipelining
smtpd_sender_restrictions = check_sender_access texthash:/tmp/docker-mailserver/postfix-send-access.cf, permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain, reject_sender_login_mismatch
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain, reject_sender_login_mismatch
disable_vrfy_command = yes
# Postscreen settings to drop zombies/open relays/spam early

View file

@ -116,6 +116,7 @@ function register_functions() {
_register_setup_function "_setup_postfix_vhost"
_register_setup_function "_setup_postfix_dhparam"
_register_setup_function "_setup_postfix_postscreen"
_register_setup_function "_setup_postfix_access_control"
if [ ! -z "$AWS_SES_HOST" -a ! -z "$AWS_SES_USERPASS" ]; then
_register_setup_function "_setup_postfix_relay_amazon_ses"
@ -611,6 +612,12 @@ function _setup_postfix_postscreen() {
-e "s/postscreen_bare_newline_action = enforce/postscreen_bare_newline_action = $POSTSCREEN_ACTION/" /etc/postfix/main.cf
}
function _setup_postfix_access_control() {
notify 'inf' "Configuring user access"
[ -f /tmp/docker-mailserver/postfix-send-access.cf ] && sed -i 's|smtpd_sender_restrictions =|smtpd_sender_restrictions = check_sender_access texthash:/tmp/docker-mailserver/postfix-send-access.cf,|' /etc/postfix/main.cf
[ -f /tmp/docker-mailserver/postfix-receive-access.cf ] && sed -i 's|smtpd_recipient_restrictions =|smtpd_recipient_restrictions = check_recipient_access texthash:/tmp/docker-mailserver/postfix-receive-access.cf,|' /etc/postfix/main.cf
}
function _setup_postfix_sasl() {
if [[ ${ENABLE_SASLAUTHD} == 1 ]];then
[ ! -f /etc/postfix/sasl/smtpd.conf ] && cat > /etc/postfix/sasl/smtpd.conf << EOF

View file

@ -1 +0,0 @@

View file

@ -1 +0,0 @@