Adding the PERMIT_DOCKER option (#270)

* Adding the PERMIT_DOCKER option

See README.md for more informations

* Adding some test for PERMIT_DOCKER option

* Fix test cases

* Opendkim and Openmarc configuration

Fix docker network range
Adding opendkim and openmarc configuration

* Adding some options for tests

* Update log message

* Update tests

Makefile

@@ -26,6 +26,7 @@ run:
 		-e SASL_PASSWD="external-domain.com username:password" \
 		-e ENABLE_MANAGESIEVE=1 \
 		-e ONE_DIR=1 \
+		-e PERMIT_DOCKER=host\
 		-h mail.my-domain.com -t $(NAME)
 	sleep 20
 	docker run -d --name mail_pop3 \
@@ -40,6 +41,7 @@ run:
 		-v "`pwd`/test/config":/tmp/docker-mailserver \
 		-v "`pwd`/test":/tmp/docker-mailserver-test \
 		-e SMTP_ONLY=1 \
+		-e PERMIT_DOCKER=network\
 		-h mail.my-domain.com -t $(NAME)
 	sleep 20
 	docker run -d --name mail_fail2ban \

README.md

@@ -141,3 +141,10 @@ Otherwise, `iptables` won't be able to ban IPs.
   - self-signed => Enables self-signed certificates
 
 Please read [the SSL page in the wiki](https://github.com/tomav/docker-mailserver/wiki/Configure-SSL) for more information.
+
+##### PERMIT_DOCKER
+
+Set different options for mynetworks option (can be overwrite in postfix-main.cf)
+  - **empty** => localhost only
+  - host => Add docker host (ipv4 only)
+  - network => Add all docker containers (ipv4 only)

target/postfix/main.cf

@@ -11,7 +11,7 @@ alias_maps = hash:/etc/aliases
 alias_database = hash:/etc/aliases
 mydestination = 
 relayhost = 
-mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 172.17.0.0/16
+mynetworks = 127.0.0.0/8 [::1]/128 [fe80::]/64
 mailbox_size_limit = 0
 recipient_delimiter = +
 inet_interfaces = all

target/start-mailserver.sh

@@ -202,6 +202,33 @@ echo "Postfix configurations"
 touch /etc/postfix/vmailbox && postmap /etc/postfix/vmailbox
 touch /etc/postfix/virtual && postmap /etc/postfix/virtual
 
+# PERMIT_DOCKER Option
+container_ip=$(ip addr show eth0 | grep 'inet ' | sed 's/[^0-9\.\/]*//g' | cut -d '/' -f 1)
+container_network="$(echo $container_ip | cut -d '.' -f1-2).0.0"
+case $PERMIT_DOCKER in
+  "host" )
+      echo "Adding $container_network/16 to my networks"
+      postconf -e "$(postconf | grep '^mynetworks =') $container_network/16"
+      bash -c "echo $container_network/16 >> /etc/opendmarc/ignore.hosts"
+      bash -c "echo $container_network/16 >> /etc/opendkim/TrustedHosts"
+    ;;
+
+  "network" )
+      echo "Adding docker network in my networks"
+      postconf -e "$(postconf | grep '^mynetworks =') 172.16.0.0/12"
+      bash -c "echo 172.16.0.0/12 >> /etc/opendmarc/ignore.hosts"
+      bash -c "echo 172.16.0.0/12 >> /etc/opendkim/TrustedHosts"
+    ;;
+
+  * )
+      echo "Adding container ip in my networks"
+      postconf -e "$(postconf | grep '^mynetworks =') $container_ip/32"
+      bash -c "echo $container_ip/32 >> /etc/opendmarc/ignore.hosts"
+      bash -c "echo $container_ip/32 >> /etc/opendkim/TrustedHosts"
+    ;;
+
+esac
+
 #
 # Override Postfix configuration
 #

test/tests.bats

@@ -510,3 +510,25 @@
   [ "$status" -eq 1 ]
   [ -z "$output" ]
 }
+
+#
+# PERMIT_DOCKER mynetworks
+#
+@test "checking PERMIT_DOCKER: can get container ip" {
+  run docker exec mail /bin/sh -c "ip addr show eth0 | grep 'inet ' | sed 's/[^0-9\.\/]*//g' | cut -d '/' -f 1 | egrep '[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}'"
+  [ "$status" -eq 0 ]
+}
+
+@test "checking PERMIT_DOCKER: opendmarc/opendkim config" {
+  run docker exec mail_smtponly /bin/sh -c "cat /etc/opendmarc/ignore.hosts | grep '172.16.0.0/12'"
+  [ "$status" -eq 0 ]
+  run docker exec mail_smtponly /bin/sh -c "cat /etc/opendkim/TrustedHosts | grep '172.16.0.0/12'"
+  [ "$status" -eq 0 ]
+}
+
+@test "checking PERMIT_DOCKER: my network value" {
+  run docker exec mail /bin/sh -c "postconf | grep '^mynetworks =' | egrep '[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.0\.0/16'"
+  [ "$status" -eq 0 ]
+  run docker exec mail_pop3 /bin/sh -c "postconf | grep '^mynetworks =' | egrep '[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}/32'"
+  [ "$status" -eq 0 ]
+}