Introduce ENABLE_DNSBL env (#2342)

Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
This commit is contained in:
Casper 2022-01-03 22:03:46 +01:00 committed by GitHub
parent f68878a2c2
commit 9d5a9a16a0
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 93 additions and 1 deletions


@ -62,6 +62,16 @@ Amavis content filter (used for ClamAV & SpamAssassin)
- 1/2 => Show default informational output - 1/2 => Show default informational output
- 3/4/5 => log debug information (very verbose) - 3/4/5 => log debug information (very verbose)
##### ENABLE_DNSBL
This enables the [zen.spamhaus.org](https://www.spamhaus.org/zen/) DNS block list in postfix
and various [lists](https://github.com/docker-mailserver/docker-mailserver/blob/f7465a50888eef909dbfc01aff4202b9c7d8bc00/target/postfix/main.cf#L58-L66) in postscreen.
Note: Emails will be rejected, if they don't pass the block list checks!
- **0** => DNS block lists are disabled
- 1 => DNS block lists are enabled
##### ENABLE_CLAMAV ##### ENABLE_CLAMAV
- **0** => Clamav is disabled - **0** => Clamav is disabled
@ -352,7 +362,7 @@ Note: this SpamAssassin setting needs `ENABLE_SPAMASSASSIN=1`
!!! note "This SpamAssassin setting needs `ENABLE_SPAMASSASSIN=1`" !!! note "This SpamAssassin setting needs `ENABLE_SPAMASSASSIN=1`"
By default, `docker-mailserver` is configured to quarantine spam emails. By default, `docker-mailserver` is configured to quarantine spam emails.
If emails are quarantined, they are compressed and stored in a location dependent on the `ONE_DIR` setting above. To inhibit this behaviour and deliver spam emails, set this to a very high value e.g. `100.0`. If emails are quarantined, they are compressed and stored in a location dependent on the `ONE_DIR` setting above. To inhibit this behaviour and deliver spam emails, set this to a very high value e.g. `100.0`.
If `ONE_DIR=1` (default) the location is `/var/mail-state/lib-amavis/virusmails/`, or if `ONE_DIR=0`: `/var/lib/amavis/virusmails/`. These paths are inside the docker container. If `ONE_DIR=1` (default) the location is `/var/mail-state/lib-amavis/virusmails/`, or if `ONE_DIR=0`: `/var/lib/amavis/virusmails/`. These paths are inside the docker container.
@ -483,6 +493,7 @@ The following variables overwrite the default values for ```/etc/dovecot/dovecot
- => Bind dn for LDAP connection. (e.g. `cn=admin,dc=domain,dc=com`) - => Bind dn for LDAP connection. (e.g. `cn=admin,dc=domain,dc=com`)
##### DOVECOT_DNPASS ##### DOVECOT_DNPASS
- **empty** => same as `LDAP_BIND_PW` - **empty** => same as `LDAP_BIND_PW`
- => Password for LDAP dn sepecifified in `DOVECOT_DN`. - => Password for LDAP dn sepecifified in `DOVECOT_DN`.


@ -92,6 +92,13 @@ ENABLE_AMAVIS=1
# 3/4/5 => log debug information (very verbose) # 3/4/5 => log debug information (very verbose)
AMAVIS_LOGLEVEL=0 AMAVIS_LOGLEVEL=0
# This enables the [zen.spamhaus.org](https://www.spamhaus.org/zen/) DNS block list in postfix
# and various [lists](https://github.com/docker-mailserver/docker-mailserver/blob/f7465a50888eef909dbfc01aff4202b9c7d8bc00/target/postfix/main.cf#L58-L66) in postscreen.
# Note: Emails will be rejected, if they don't pass the block list checks!
# **0** => DNS block lists are disabled
# 1 => DNS block lists are enabled
ENABLE_DNSBL=0
# If you enable Fail2Ban, don't forget to add the following lines to your `docker-compose.yml`: # If you enable Fail2Ban, don't forget to add the following lines to your `docker-compose.yml`:
# cap_add: # cap_add:
# - NET_ADMIN # - NET_ADMIN


@ -23,6 +23,7 @@ VARS[DOVECOT_MAILBOX_FORMAT]="${DOVECOT_MAILBOX_FORMAT:=maildir}"
VARS[DOVECOT_TLS]="${DOVECOT_TLS:=no}" VARS[DOVECOT_TLS]="${DOVECOT_TLS:=no}"
VARS[ENABLE_AMAVIS]="${ENABLE_AMAVIS:=1}" VARS[ENABLE_AMAVIS]="${ENABLE_AMAVIS:=1}"
VARS[ENABLE_CLAMAV]="${ENABLE_CLAMAV:=0}" VARS[ENABLE_CLAMAV]="${ENABLE_CLAMAV:=0}"
VARS[ENABLE_DNSBL]="${ENABLE_DNSBL:=0}"
VARS[ENABLE_FAIL2BAN]="${ENABLE_FAIL2BAN:=0}" VARS[ENABLE_FAIL2BAN]="${ENABLE_FAIL2BAN:=0}"
VARS[ENABLE_FETCHMAIL]="${ENABLE_FETCHMAIL:=0}" VARS[ENABLE_FETCHMAIL]="${ENABLE_FETCHMAIL:=0}"
VARS[ENABLE_LDAP]="${ENABLE_LDAP:=0}" VARS[ENABLE_LDAP]="${ENABLE_LDAP:=0}"
@ -109,6 +110,7 @@ function register_functions
[[ ${ENABLE_SASLAUTHD} -eq 1 ]] && _register_setup_function '_setup_saslauthd' [[ ${ENABLE_SASLAUTHD} -eq 1 ]] && _register_setup_function '_setup_saslauthd'
[[ ${POSTFIX_INET_PROTOCOLS} != 'all' ]] && _register_setup_function '_setup_inet_protocols' [[ ${POSTFIX_INET_PROTOCOLS} != 'all' ]] && _register_setup_function '_setup_inet_protocols'
[[ ${ENABLE_FAIL2BAN} -eq 1 ]] && _register_setup_function '_setup_fail2ban' [[ ${ENABLE_FAIL2BAN} -eq 1 ]] && _register_setup_function '_setup_fail2ban'
[[ ${ENABLE_DNSBL} -eq 0 ]] && _register_setup_function '_setup_dnsbl_disable'
_register_setup_function '_setup_dkim' _register_setup_function '_setup_dkim'
_register_setup_function '_setup_ssl' _register_setup_function '_setup_ssl'
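Review bot: The new registration line inverts the convention used by every other flag in this block: the surrounding lines enable a feature only for the exact value `1`, whereas `[[ ${ENABLE_DNSBL} -eq 0 ]]` switches the lists off only for the exact value `0` and leaves them active for any other integer (`2`, `-1`), while a non-numeric value is evaluated arithmetically by `-eq` rather than rejected. Writing it as `[[ ${ENABLE_DNSBL} -eq 1 ]] || _register_setup_function '_setup_dnsbl_disable'` keeps "only 1 enables" consistent with the documented values on the `ENABLE_DNSBL` entry in mailserver.env. The enclosing `register_functions` starts before this hunk.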


@ -1512,3 +1512,13 @@ function _setup_fail2ban
echo -e "[Init]\nblocktype = DROP" > /etc/fail2ban/action.d/iptables-common.local echo -e "[Init]\nblocktype = DROP" > /etc/fail2ban/action.d/iptables-common.local
fi fi
} }
function _setup_dnsbl_disable
{
_notify 'task' 'Disabling postfix DNS block list (zen.spamhaus.org)'
sedfile -i '/^smtpd_recipient_restrictions = / s/, reject_rbl_client zen.spamhaus.org//' /etc/postfix/main.cf
_notify 'task' 'Disabling postscreen DNS block lists'
postconf -e "postscreen_dnsbl_action = ignore"
postconf -e "postscreen_dnsbl_sites = "
}
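Review bot: The `sedfile` edit of `smtpd_recipient_restrictions` is a silent no-op whenever the line does not match byte-for-byte (different ordering or spacing of the restrictions, or a main.cf already modified earlier in setup), so `ENABLE_DNSBL=0` can leave `reject_rbl_client zen.spamhaus.org` active with nothing reported; the unescaped dots in `zen.spamhaus.org` are also regex wildcards rather than literal characters. Reading the current value with `postconf -h`, stripping the token with a parameter expansion and writing it back with `postconf -e` removes the dependence on line layout and matches how the two postscreen parameters in the same function are set. Nothing is expanded in `postconf -e "postscreen_dnsbl_action = ignore"`, so single quotes would be the file's usual style there.
```shell
function _setup_dnsbl_disable
{
  _notify 'task' 'Disabling postfix DNS block list (zen.spamhaus.org)'
  local RESTRICTIONS
  RESTRICTIONS=$(postconf -h smtpd_recipient_restrictions)
  postconf -e "smtpd_recipient_restrictions = ${RESTRICTIONS//, reject_rbl_client zen.spamhaus.org/}"
  # … unchanged: postscreen_dnsbl_action / postscreen_dnsbl_sites …
```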

61
test/mail_dnsbl.bats Normal file

@ -0,0 +1,61 @@
load 'test_helper/common'
CONTAINER="mail_dnsbl_enabled"
CONTAINER2="mail_dnsbl_disabled"
function setup_file() {
local PRIVATE_CONFIG
PRIVATE_CONFIG="$(duplicate_config_for_container . "${CONTAINER}")"
docker run --rm -d --name "${CONTAINER}" \
-v "${PRIVATE_CONFIG}":/tmp/docker-mailserver \
-e ENABLE_DNSBL=1 \
-h mail.my-domain.com \
-t "${NAME}"
docker run --rm -d --name "${CONTAINER2}" \
-v "${PRIVATE_CONFIG}":/tmp/docker-mailserver \
-e ENABLE_DNSBL=0 \
-h mail.my-domain.com \
-t "${NAME}"
wait_for_smtp_port_in_container "${CONTAINER}"
wait_for_smtp_port_in_container "${CONTAINER2}"
}
# ENABLE_DNSBL=1
@test "checking enabled postfix DNS block list zen.spamhaus.org" {
run docker exec "${CONTAINER}" postconf smtpd_recipient_restrictions
assert_output --partial 'reject_rbl_client zen.spamhaus.org'
}
@test "checking enabled postscreen DNS block lists --> postscreen_dnsbl_action" {
run docker exec "${CONTAINER}" postconf postscreen_dnsbl_action
assert_output 'postscreen_dnsbl_action = enforce'
}
@test "checking enabled postscreen DNS block lists --> postscreen_dnsbl_sites" {
run docker exec "${CONTAINER}" postconf postscreen_dnsbl_sites
assert_output 'postscreen_dnsbl_sites = zen.spamhaus.org*3 bl.mailspike.net b.barracudacentral.org*2 bl.spameatingmonkey.net dnsbl.sorbs.net psbl.surriel.com list.dnswl.org=127.0.[0..255].0*-2 list.dnswl.org=127.0.[0..255].1*-3 list.dnswl.org=127.0.[0..255].[2..3]*-4'
}
# ENABLE_DNSBL=0
@test "checking disabled postfix DNS block list zen.spamhaus.org" {
run docker exec "${CONTAINER2}" postconf smtpd_recipient_restrictions
refute_output --partial 'reject_rbl_client zen.spamhaus.org'
}
@test "checking disabled postscreen DNS block lists --> postscreen_dnsbl_action" {
run docker exec "${CONTAINER2}" postconf postscreen_dnsbl_action
assert_output 'postscreen_dnsbl_action = ignore'
}
@test "checking disabled postscreen DNS block lists --> postscreen_dnsbl_sites" {
run docker exec "${CONTAINER2}" postconf postscreen_dnsbl_sites
assert_output 'postscreen_dnsbl_sites ='
}
# cleanup
function teardown_file() {
docker rm -f "${CONTAINER}" "${CONTAINER2}"
}
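Review bot: The enabled-side test for `postscreen_dnsbl_sites` asserts the entire default site list verbatim, so any unrelated edit to that list in main.cf (adding or reordering a provider, changing a weight) breaks the DNSBL test even though the feature still works. Checking what the flag controls — that the default list is present at all — with `assert_output --partial 'zen.spamhaus.org'` keeps the test tied to `ENABLE_DNSBL`, and the disabled-side `assert_output 'postscreen_dnsbl_sites ='` already covers the empty case exactly. A short comment above `setup_file` noting that both containers share one `PRIVATE_CONFIG` copy because only the env var differs would also help the next reader.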


@ -19,6 +19,7 @@ function setup_file() {
-e POSTGREY_MAX_AGE=35 \ -e POSTGREY_MAX_AGE=35 \
-e POSTGREY_AUTO_WHITELIST_CLIENTS=5 \ -e POSTGREY_AUTO_WHITELIST_CLIENTS=5 \
-e POSTGREY_TEXT="Delayed by Postgrey" \ -e POSTGREY_TEXT="Delayed by Postgrey" \
-e ENABLE_DNSBL=1 \
-e DMS_DEBUG=0 \ -e DMS_DEBUG=0 \
-h mail.my-domain.com -t "${NAME}" -h mail.my-domain.com -t "${NAME}"
# using postfix availability as start indicator, this might be insufficient for postgrey # using postfix availability as start indicator, this might be insufficient for postgrey