1175: specify user for cron.d freshclam file (#1176)

* 1175: specify user for cron.d freshclam file

* Fix Dovecot SSL parameters and generate dhparams as for Postfix

* Fixed broken unit tests
This commit is contained in:
Erik Wramner 2019-07-23 16:12:12 +02:00 committed by Thomas VIAL
parent adf3d8e1b3
commit 603dbbd7b0
5 changed files with 47 additions and 8 deletions


@ -27,6 +27,7 @@ The development workflow is the following:
- Code :-) - Code :-)
- Add integration tests in `test/tests.bats` - Add integration tests in `test/tests.bats`
- Use `make` to build image locally and run tests - Use `make` to build image locally and run tests
Note that tests work on Linux only; they hang on Mac and Windows.
- Document your improvements in `README.md` or Wiki depending on content - Document your improvements in `README.md` or Wiki depending on content
- [Commit](https://help.github.com/articles/closing-issues-via-commit-messages/), push and make a pull-request - [Commit](https://help.github.com/articles/closing-issues-via-commit-messages/), push and make a pull-request
- Pull-request is automatically tested on Travis - Pull-request is automatically tested on Travis


@ -97,7 +97,7 @@ RUN apt-get update -q --fix-missing && \
rm -f /etc/cron.weekly/fstrim && \ rm -f /etc/cron.weekly/fstrim && \
rm -f /etc/postsrsd.secret rm -f /etc/postsrsd.secret
RUN echo "0 0,6,12,18 * * * /usr/bin/freshclam --quiet" > /etc/cron.d/clamav-freshclam && \ RUN echo "0 0,6,12,18 * * * root /usr/bin/freshclam --quiet" > /etc/cron.d/clamav-freshclam && \
chmod 644 /etc/clamav/freshclam.conf && \ chmod 644 /etc/clamav/freshclam.conf && \
freshclam && \ freshclam && \
sed -i 's/Foreground false/Foreground true/g' /etc/clamav/clamd.conf && \ sed -i 's/Foreground false/Foreground true/g' /etc/clamav/clamd.conf && \
@ -119,7 +119,8 @@ RUN sed -i -e 's/include_try \/usr\/share\/dovecot\/protocols\.d/include_try \/e
cd /usr/share/dovecot && \ cd /usr/share/dovecot && \
./mkcert.sh && \ ./mkcert.sh && \
mkdir -p /usr/lib/dovecot/sieve-pipe /usr/lib/dovecot/sieve-filter /usr/lib/dovecot/sieve-global && \ mkdir -p /usr/lib/dovecot/sieve-pipe /usr/lib/dovecot/sieve-filter /usr/lib/dovecot/sieve-global && \
chmod 755 -R /usr/lib/dovecot/sieve-pipe /usr/lib/dovecot/sieve-filter /usr/lib/dovecot/sieve-global chmod 755 -R /usr/lib/dovecot/sieve-pipe /usr/lib/dovecot/sieve-filter /usr/lib/dovecot/sieve-global && \
openssl dhparam -out /etc/dovecot/dh.pem 2048
# Configures LDAP # Configures LDAP
COPY target/dovecot/dovecot-ldap.conf.ext /etc/dovecot COPY target/dovecot/dovecot-ldap.conf.ext /etc/dovecot
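Review bot: The `openssl dhparam -out /etc/dovecot/dh.pem 2048` appended to the second RUN chain bakes a 2048-bit group into the image, while the comment this same commit adds to the Dovecot config tells operators to regenerate with 4096; the two should agree on one size so nobody assumes the image is at the stronger setting. DH parameters are public data, so shipping them in the image is acceptable, but every container from one build shares the group unless the state-dir path in start-mailserver.sh regenerates it, which as far as this diff shows happens only when ONE_DIR=1. If the size stays 2048, change the config comment to say so rather than the Dockerfile.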


@ -15,6 +15,16 @@ if [ ! -f postfix-accounts.cf ]; then
exit exit
fi fi
# Determine postmaster address, duplicated from start-mailserver.sh
# This script previously didn't work when POSTMASTER_ADDRESS was empty
if [[ -n "${OVERRIDE_HOSTNAME}" ]]; then
DOMAINNAME=$(echo "${OVERRIDE_HOSTNAME}" | sed s/[^.]*.//)
else
DOMAINNAME="$(hostname -d)"
fi
PM_ADDRESS="${POSTMASTER_ADDRESS:=postmaster@${DOMAINNAME}}"
echo "${log_date} Using postmaster address ${PM_ADDRESS}"
# create an array of files to monitor (perhaps simple *.cf would be ok here) # create an array of files to monitor (perhaps simple *.cf would be ok here)
declare -a cf_files=() declare -a cf_files=()
for file in postfix-accounts.cf postfix-virtual.cf postfix-aliases.cf; do for file in postfix-accounts.cf postfix-virtual.cf postfix-aliases.cf; do
@ -37,8 +47,11 @@ chksum=$(sha512sum -c --ignore-missing chksum)
if [[ $chksum == *"FAIL"* ]]; then if [[ $chksum == *"FAIL"* ]]; then
echo "${log_date} Change detected" echo "${log_date} Change detected"
# Bug alert! This overwrites the alias set by start-mailserver.sh
# Take care that changes in one script are propagated to the other
#regen postix aliases. #regen postix aliases.
echo "root: ${POSTMASTER_ADDRESS}" > /etc/aliases echo "root: ${PM_ADDRESS}" > /etc/aliases
if [ -f /tmp/docker-mailserver/postfix-aliases.cf ]; then if [ -f /tmp/docker-mailserver/postfix-aliases.cf ]; then
cat /tmp/docker-mailserver/postfix-aliases.cf>>/etc/aliases cat /tmp/docker-mailserver/postfix-aliases.cf>>/etc/aliases
fi fi
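Review bot: The new DOMAINNAME line passes `s/[^.]*.//` to sed unquoted and with an unescaped `.`, so the word is subject to pathname expansion and the pattern deletes the first label up to any character rather than up to the first dot — for a single-label hostname it empties DOMAINNAME instead of leaving it alone; write it as `DOMAINNAME=$(echo "${OVERRIDE_HOSTNAME}" | sed 's/[^.]*\.//')`. The comment above says this block is duplicated from start-mailserver.sh, so the same correction presumably belongs there too, outside this diff. `${log_date}` on the new log line is assumed to be set earlier in the script, as the existing "Change detected" message already relies on it.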


@ -42,11 +42,15 @@ ssl_key = </etc/dovecot/ssl/dovecot.key
# auth_ssl_username_from_cert=yes. # auth_ssl_username_from_cert=yes.
#ssl_cert_username_field = commonName #ssl_cert_username_field = commonName
# DH parameters length to use. # SSL DH parameters
ssl_dh_parameters_length = 2048 # Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096`
# Or migrate from old ssl-parameters.dat file with the command dovecot
# gives on startup when ssl_dh is unset.
ssl_dh = </etc/dovecot/dh.pem
# SSL protocols to use # Minimum SSL protocol version to use. Potentially recognized values are SSLv3,
ssl_protocols = !SSLv3,!TLSv1,!TLSv1.1 # TLSv1, TLSv1.1, and TLSv1.2, depending on the OpenSSL version used.
ssl_min_protocol = TLSv1.2
# SSL ciphers to use # SSL ciphers to use
ssl_cipher_list = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 ssl_cipher_list = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
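Review bot: The added comment `# Generate new params with \`openssl dhparam -out /etc/dovecot/dh.pem 4096\`` documents a size the rest of this commit never uses — the Dockerfile and start-mailserver.sh generate 2048-bit parameters — so an operator following it ends up with a different group than a fresh container, and a reader of this file cannot tell where dh.pem actually comes from. Replace it with a comment that states the provenance, e.g. `# dh.pem is generated with 2048 bits at image build, or under the state dir on first start when ONE_DIR=1; regenerate with the same command and size if you need a new group.` Switching from the `ssl_protocols` exclusion list to `ssl_min_protocol = TLSv1.2` is the right direction; the copied comment lists recognized values only up to TLSv1.2, which I cannot verify against the Dovecot build used here.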


@ -95,6 +95,7 @@ function register_functions() {
if [ "$SMTP_ONLY" != 1 ]; then if [ "$SMTP_ONLY" != 1 ]; then
_register_setup_function "_setup_dovecot" _register_setup_function "_setup_dovecot"
_register_setup_function "_setup_dovecot_dhparam"
_register_setup_function "_setup_dovecot_local_user" _register_setup_function "_setup_dovecot_local_user"
fi fi
@ -1189,13 +1190,32 @@ function _setup_postfix_dhparam() {
notify 'inf' "Use dhparams that was generated previously" notify 'inf' "Use dhparams that was generated previously"
fi fi
# Copy from the state directpry to the working location # Copy from the state directory to the working location
rm /etc/postfix/dhparams.pem && cp $DHPARAMS_FILE /etc/postfix/dhparams.pem rm /etc/postfix/dhparams.pem && cp $DHPARAMS_FILE /etc/postfix/dhparams.pem
else else
notify 'inf' "No state dir, we use the dhparams generated on image creation" notify 'inf' "No state dir, we use the dhparams generated on image creation"
fi fi
} }
function _setup_dovecot_dhparam() {
notify 'task' 'Setting up Dovecot dhparam'
if [ "$ONE_DIR" = 1 ];then
DHPARAMS_FILE=/var/mail-state/lib-dovecot/dh.pem
if [ ! -f $DHPARAMS_FILE ]; then
notify 'inf' "Generate new dhparams for dovecot"
mkdir -p $(dirname "$DHPARAMS_FILE")
openssl dhparam -out $DHPARAMS_FILE 2048
else
notify 'inf' "Use dovecot dhparams that was generated previously"
fi
# Copy from the state directory to the working location
rm /etc/dovecot/dh.pem && cp $DHPARAMS_FILE /etc/dovecot/dh.pem
else
notify 'inf' "No state dir, we use the dovecot dhparams generated on image creation"
fi
}
function _setup_security_stack() { function _setup_security_stack() {
notify 'task' "Setting up Security Stack" notify 'task' "Setting up Security Stack"
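Review bot: In `_setup_dovecot_dhparam`, `rm /etc/dovecot/dh.pem && cp $DHPARAMS_FILE /etc/dovecot/dh.pem` skips the copy whenever the image-level file is missing, because a failing `rm` short-circuits the `&&`, leaving Dovecot with no DH file at all and no error; `cp -f -- "$DHPARAMS_FILE" /etc/dovecot/dh.pem` replaces the file in one step and fails loudly only when the state-dir copy itself is absent. `DHPARAMS_FILE` is also the same global that `_setup_postfix_dhparam` assigns in the context lines above; `local DHPARAMS_FILE=/var/mail-state/lib-dovecot/dh.pem` keeps the two functions from sharing state, and `mkdir -p "$(dirname "$DHPARAMS_FILE")"` should be quoted like the rest of the script's paths. The postfix function's opening and the `_setup_security_stack` body lie outside this hunk.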