Fix fail2ban issues and install some suggested amavis packages

This commit is contained in:
Erik Wramner 2020-01-06 13:10:46 +01:00
parent 91b2c9834e
commit 85ae8a1471
2 changed files with 28 additions and 1 deletions

View file

@ -33,6 +33,7 @@ RUN \
apt-get update -q --fix-missing && \
apt-get -y install postfix && \
apt-get -y install --no-install-recommends \
altermime \
amavisd-new \
apt-transport-https \
arj \
@ -55,6 +56,7 @@ RUN \
iptables \
locales \
logwatch \
lhasa \
libdate-manip-perl \
liblz4-tool \
libmail-spf-perl \
@ -190,7 +192,8 @@ RUN sed -i -r 's/#(@| \\%)bypass/\1bypass/g' /etc/amavis/conf.d/15-content_fil
# Configure Fail2ban
COPY target/fail2ban/jail.conf /etc/fail2ban/jail.conf
COPY target/fail2ban/filter.d/dovecot.conf /etc/fail2ban/filter.d/dovecot.conf
RUN echo "ignoreregex =" >> /etc/fail2ban/filter.d/postfix-sasl.conf && mkdir /var/run/fail2ban
COPY target/fail2ban/filter.d/postfix-sasl.conf /etc/fail2ban/filter.d/postfix-sasl.conf
RUN mkdir /var/run/fail2ban
# Enables Pyzor and Razor
RUN su - amavis -c "razor-admin -create && \
@ -252,6 +255,11 @@ COPY target/supervisor/conf.d/* /etc/supervisor/conf.d/
WORKDIR /
# Switch iptables and ip6tables to legacy for fail2ban
RUN update-alternatives --set iptables /usr/sbin/iptables-legacy \
&& update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
EXPOSE 25 587 143 465 993 110 995 4190
CMD ["supervisord", "-c", "/etc/supervisor/supervisord.conf"]

View file

@ -0,0 +1,19 @@
# Fail2Ban filter for postfix authentication failures
[INCLUDES]
before = common.conf
[Definition]
_daemon = postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds]
failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[ A-Za-z0-9+/:]*={0,2})?\s*$
ignoreregex = authentication failed: Connection lost to authentication server$
[Init]
journalmatch = _SYSTEMD_UNIT=postfix.service
ignoreregex =