diff --git a/Dockerfile b/Dockerfile index bbb90ea3..a6264c63 100644 --- a/Dockerfile +++ b/Dockerfile @@ -125,6 +125,7 @@ RUN echo "0 */6 * * * clamav /usr/bin/freshclam --quiet" > /etc/cron.d/clamav-fr # Configures Dovecot COPY target/dovecot/auth-passwdfile.inc target/dovecot/??-*.conf /etc/dovecot/conf.d/ COPY target/dovecot/scripts/quota-warning.sh /usr/local/bin/quota-warning.sh +COPY target/dovecot/sieve/* /usr/lib/dovecot/sieve-global/ WORKDIR /usr/share/dovecot # hadolint ignore=SC2016,SC2086 RUN sed -i -e 's/include_try \/usr\/share\/dovecot\/protocols\.d/include_try \/etc\/dovecot\/protocols\.d/g' /etc/dovecot/dovecot.conf && \ diff --git a/README.md b/README.md index b0aae244..0e5dd7b0 100644 --- a/README.md +++ b/README.md @@ -161,6 +161,7 @@ services: - ./config/:/tmp/docker-mailserver/ environment: - ENABLE_SPAMASSASSIN=1 + - SPAMASSASSIN_SPAM_TO_INBOX=1 - ENABLE_CLAMAV=1 - ENABLE_FAIL2BAN=1 - ENABLE_POSTGREY=1 @@ -202,6 +203,7 @@ services: - ./config/:/tmp/docker-mailserver/ environment: - ENABLE_SPAMASSASSIN=1 + - SPAMASSASSIN_SPAM_TO_INBOX=1 - ENABLE_CLAMAV=1 - ENABLE_FAIL2BAN=1 - ENABLE_POSTGREY=1 @@ -483,9 +485,26 @@ Finally the logrotate interval **may** affect the period for generated reports. ##### ENABLE_SPAMASSASSIN + - **0** => Spamassassin is disabled - 1 => Spamassassin is enabled +**/!\\ Spam delivery:** when Spamassassin is enabled, messages marked as spam WILL NOT BE DELIVERED. +Use `SPAMASSASSIN_SPAM_TO_INBOX=1` for receiving spam messages. + +##### SPAMASSASSIN_SPAM_TO_INBOX + + + - **0** => Spam messages will be bounced (_rejected_) without any notification (_dangerous_). + - 1 => Spam messages will be delivered to the inbox and tagged as spam using `SA_SPAM_SUBJECT`. + +##### MOVE_SPAM_TO_JUNK + + - **1** => Spam messages will be delivered in the `Junk` folder. + - 0 => Spam messages will be delivered in the mailbox. + +Note: this setting needs `SPAMASSASSIN_SPAM_TO_INBOX=1` + ##### SA_TAG - **2.0** => add spam info headers if at, or above that level diff --git a/env-mailserver.dist b/env-mailserver.dist index 89064b5b..ac0120b3 100644 --- a/env-mailserver.dist +++ b/env-mailserver.dist @@ -177,9 +177,12 @@ POSTFIX_INET_PROTOCOLS=all ENABLE_SPAMASSASSIN=0 -#If Enabled, SPAM goes to your inbox with added SPAM header, you can then move it to a specific SPAM folder with SIEVE rules +# deliver spam messages in the inbox (eventually tagged using SA_SPAM_SUBJECT) SPAMASSASSIN_SPAM_TO_INBOX=1 +# spam messages will be moved in the Junk folder (SPAMASSASSIN_SPAM_TO_INBOX=1 required) +MOVE_SPAM_TO_JUNK=1 + # add spam info headers if at, or above that level: SA_TAG=2.0 diff --git a/target/amavis/conf.d/49-docker-mailserver b/target/amavis/conf.d/49-docker-mailserver index 3d67ae00..213ab18e 100644 --- a/target/amavis/conf.d/49-docker-mailserver +++ b/target/amavis/conf.d/49-docker-mailserver @@ -3,7 +3,8 @@ use strict; # Override options set in earlier files, use 50-user to override these # Bounce spam, the default option for buster is D_PASS to deliver -$final_spam_destiny = D_BOUNCE; +$final_spam_destiny = D_BOUNCE; +$final_bad_header_destiny = D_BOUNCE; # Higher log level to get expected messages at startup $log_level = 2; diff --git a/target/dovecot/90-sieve.conf b/target/dovecot/90-sieve.conf index 8fb7649e..1c4db02d 100644 --- a/target/dovecot/90-sieve.conf +++ b/target/dovecot/90-sieve.conf @@ -32,7 +32,7 @@ plugin { # file names, using a normal 8bit per-character comparison. Multiple script # file or directory paths can be specified by appending an increasing number. #sieve_before = /usr/lib/dovecot/sieve-global/before.dovecot.sieve - #sieve_before2 = + #sieve_before2 = /usr/lib/dovecot/sieve-global/before.spam.sieve #sieve_before3 = (etc...) # Identical to sieve_before, only the specified scripts are executed after the diff --git a/target/dovecot/sieve/before.spam.sieve b/target/dovecot/sieve/before.spam.sieve new file mode 100644 index 00000000..4fa29fab --- /dev/null +++ b/target/dovecot/sieve/before.spam.sieve @@ -0,0 +1,4 @@ +require "fileinto"; +if header :contains "X-Spam-Flag" "YES" { + fileinto "Junk"; +} diff --git a/target/start-mailserver.sh b/target/start-mailserver.sh index b92c3fea..d688b51d 100644 --- a/target/start-mailserver.sh +++ b/target/start-mailserver.sh @@ -39,7 +39,9 @@ DEFAULT_VARS["SRS_SENDER_CLASSES"]="${SRS_SENDER_CLASSES:="envelope_sender"}" DEFAULT_VARS["REPORT_RECIPIENT"]="${REPORT_RECIPIENT:="0"}" DEFAULT_VARS["LOGROTATE_INTERVAL"]="${LOGROTATE_INTERVAL:=${REPORT_INTERVAL:-"daily"}}" DEFAULT_VARS["LOGWATCH_INTERVAL"]="${LOGWATCH_INTERVAL:="none"}" +DEFAULT_VARS["EXPLICITLY_DEFINED_SPAMASSASSIN_SPAM_TO_INBOX"]="$( [ -z "${SPAMASSASSIN_SPAM_TO_INBOX}" ] && echo "0" || echo "1" )" # used for backward compatibility DEFAULT_VARS["SPAMASSASSIN_SPAM_TO_INBOX"]="${SPAMASSASSIN_SPAM_TO_INBOX:="0"}" +DEFAULT_VARS["MOVE_SPAM_TO_JUNK"]="${MOVE_SPAM_TO_JUNK:="1"}" DEFAULT_VARS["VIRUSMAILS_DELETE_DELAY"]="${VIRUSMAILS_DELETE_DELAY:="7"}" ########################################################################## @@ -99,7 +101,7 @@ function register_functions() { if [ "$SMTP_ONLY" != 1 ]; then _register_setup_function "_setup_dovecot" - _register_setup_function "_setup_dovecot_dhparam" + _register_setup_function "_setup_dovecot_dhparam" _register_setup_function "_setup_dovecot_quota" _register_setup_function "_setup_dovecot_local_user" fi @@ -627,6 +629,16 @@ function _setup_dovecot() { else sed -i "s/ sieve_after =/ #sieve_after =/" /etc/dovecot/conf.d/90-sieve.conf fi + + # sieve will move spams to .Junk folder when SPAMASSASSIN_SPAM_TO_INBOX=1 and MOVE_SPAM_TO_JUNK=1 + if [ "$SPAMASSASSIN_SPAM_TO_INBOX" = 1 ] && [ "$MOVE_SPAM_TO_JUNK" = 1 ]; then + notify 'inf' "Spam messages will be moved to the Junk folder." + sed -i "s/#sieve_before2 =/sieve_before2 =/" /etc/dovecot/conf.d/90-sieve.conf + sievec /usr/lib/dovecot/sieve-global/before.spam.sieve + else + sed -i "s/ sieve_before2 =/ #sieve_before2 =/" /etc/dovecot/conf.d/90-sieve.conf + fi + chown docker:docker -R /usr/lib/dovecot/sieve* chmod 550 -R /usr/lib/dovecot/sieve* chmod -f +x /usr/lib/dovecot/sieve-pipe/* @@ -1475,19 +1487,18 @@ function _setup_security_stack() { test -e /tmp/docker-mailserver/spamassassin-rules.cf && cp /tmp/docker-mailserver/spamassassin-rules.cf /etc/spamassassin/ - if [ "$SPAMASSASSIN_SPAM_TO_INBOX" = "1" ]; then + if [ "$SPAMASSASSIN_SPAM_TO_INBOX" = 1 ]; then notify 'inf' "Configure Spamassassin/Amavis to put SPAM inbox" - bannedbouncecheck=`egrep "final_banned_destiny.*D_BOUNCE" /etc/amavis/conf.d/20-debian_defaults` - if [ -n "$bannedbouncecheck" ] ; - then - sed -i "/final_banned_destiny/ s|D_BOUNCE|D_REJECT|" /etc/amavis/conf.d/20-debian_defaults - fi - finalbouncecheck=`egrep "final_spam_destiny.*D_BOUNCE" /etc/amavis/conf.d/20-debian_defaults` - if [ -n "$finalbouncecheck" ] ; - then - sed -i "/final_spam_destiny/ s|D_BOUNCE|D_PASS|" /etc/amavis/conf.d/20-debian_defaults - fi + sed -i "s/\$final_spam_destiny.*=.*$/\$final_spam_destiny = D_PASS;/g" /etc/amavis/conf.d/49-docker-mailserver + sed -i "s/\$final_bad_header_destiny.*=.*$/\$final_bad_header_destiny = D_PASS;/g" /etc/amavis/conf.d/49-docker-mailserver + else + sed -i "s/\$final_spam_destiny.*=.*$/\$final_spam_destiny = D_BOUNCE;/g" /etc/amavis/conf.d/49-docker-mailserver + sed -i "s/\$final_bad_header_destiny.*=.*$/\$final_bad_header_destiny = D_BOUNCE;/g" /etc/amavis/conf.d/49-docker-mailserver + + if [ "${DEFAULT_VARS['EXPLICITLY_DEFINED_SPAMASSASSIN_SPAM_TO_INBOX']}" = 0 ]; then + notify 'warn' "Spam messages WILL NOT BE DELIVERED, you will NOT be notified of ANY message bounced. Please define SPAMASSASSIN_SPAM_TO_INBOX explicitly." + fi fi fi diff --git a/test/mail_spam_bounced.bats b/test/mail_spam_bounced.bats new file mode 100644 index 00000000..9b0880fc --- /dev/null +++ b/test/mail_spam_bounced.bats @@ -0,0 +1,71 @@ +load 'test_helper/common' + +# Test case +# --------- +# When SPAMASSASSIN_SPAM_TO_INBOX=0, spam messages must be bounced. + + +function setup() { + run_setup_file_if_necessary +} + +function teardown() { + run_teardown_file_if_necessary +} + +function setup_file() { + docker run -d --name mail_spam_bounced_defined \ + -v "`pwd`/test/config":/tmp/docker-mailserver \ + -v "`pwd`/test/test-files":/tmp/docker-mailserver-test:ro \ + -e ENABLE_SPAMASSASSIN=1 \ + -e SPAMASSASSIN_SPAM_TO_INBOX=0 \ + -h mail.my-domain.com -t "${NAME}" + + wait_for_finished_setup_in_container mail_spam_bounced_defined + + docker run -d --name mail_spam_bounced_undefined \ + -v "`pwd`/test/config":/tmp/docker-mailserver \ + -v "`pwd`/test/test-files":/tmp/docker-mailserver-test:ro \ + -e ENABLE_SPAMASSASSIN=1 \ + -h mail.my-domain.com -t "${NAME}" + + wait_for_finished_setup_in_container mail_spam_bounced_undefined +} + +function teardown_file() { + docker rm -f mail_spam_bounced_defined + docker rm -f mail_spam_bounced_undefined +} + +@test "first" { + skip 'this test must come first to reliably identify when to run setup_file' +} + +@test "checking amavis: spam message is bounced" { + # this warning should only be raised when no explicit value for SPAMASSASSIN_SPAM_TO_INBOX is defined + run sh -c "docker logs mail_spam_bounced_defined | grep 'Spam messages WILL NOT BE DELIVERED'" + assert_failure + + # send a spam message + run docker exec mail_spam_bounced_defined /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/amavis-spam.txt" + assert_success + + run repeat_until_success_or_timeout 20 sh -c "docker logs mail_spam_bounced_defined | grep 'Blocked SPAM {NoBounceInbound,Quarantined}'" + assert_success +} + +@test "checking amavis: spam message is bounced, undefined SPAMASSASSIN_SPAM_TO_INBOX raise a warning" { + run sh -c "docker logs mail_spam_bounced_undefined | grep 'Spam messages WILL NOT BE DELIVERED'" + assert_success + + # send a spam message + run docker exec mail_spam_bounced_defined /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/amavis-spam.txt" + assert_success + + run repeat_until_success_or_timeout 20 sh -c "docker logs mail_spam_bounced_defined | grep 'Blocked SPAM {NoBounceInbound,Quarantined}'" + assert_success +} + +@test "last" { + skip 'this test is only there to reliably mark the end for the teardown_file' +} diff --git a/test/mail_spam_junk_folder.bats b/test/mail_spam_junk_folder.bats new file mode 100644 index 00000000..3b17c92e --- /dev/null +++ b/test/mail_spam_junk_folder.bats @@ -0,0 +1,77 @@ +load 'test_helper/common' + +# Test case +# --------- +# When SPAMASSASSIN_SPAM_TO_INBOX=1, spam messages must be delivered and eventually (MOVE_SPAM_TO_JUNK=1) moved to the Junk folder. + + +function setup() { + run_setup_file_if_necessary +} + +function teardown() { + run_teardown_file_if_necessary +} + +function setup_file() { + docker run -d --name mail_spam_moved_junk \ + -v "`pwd`/test/config":/tmp/docker-mailserver \ + -v "`pwd`/test/test-files":/tmp/docker-mailserver-test:ro \ + -e ENABLE_SPAMASSASSIN=1 \ + -e SPAMASSASSIN_SPAM_TO_INBOX=1 \ + -e MOVE_SPAM_TO_JUNK=1 \ + -e SA_SPAM_SUBJECT="SPAM: " \ + -h mail.my-domain.com -t "${NAME}" + + wait_for_finished_setup_in_container mail_spam_moved_junk + + docker run -d --name mail_spam_moved_new \ + -v "`pwd`/test/config":/tmp/docker-mailserver \ + -v "`pwd`/test/test-files":/tmp/docker-mailserver-test:ro \ + -e ENABLE_SPAMASSASSIN=1 \ + -e SPAMASSASSIN_SPAM_TO_INBOX=1 \ + -e MOVE_SPAM_TO_JUNK=0 \ + -e SA_SPAM_SUBJECT="SPAM: " \ + -h mail.my-domain.com -t "${NAME}" + + wait_for_finished_setup_in_container mail_spam_moved_new +} + +function teardown_file() { + docker rm -f mail_spam_moved_new + docker rm -f mail_spam_moved_junk +} + +@test "first" { + skip 'this test must come first to reliably identify when to run setup_file' +} + +@test "checking amavis: spam message is delivered and moved to the Junk folder (MOVE_SPAM_TO_JUNK=1)" { + # send a spam message + run docker exec mail_spam_moved_junk /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/amavis-spam.txt" + assert_success + + run repeat_until_success_or_timeout 20 sh -c "docker logs mail_spam_moved_junk | grep 'Passed SPAM {RelayedTaggedInbound,Quarantined}'" + assert_success + + # spam moved to Junk folder + run repeat_until_success_or_timeout 20 sh -c "docker exec mail_spam_moved_junk sh -c 'grep \"Subject: SPAM: \" /var/mail/localhost.localdomain/user1/.Junk/new/ -R'" + assert_success +} + +@test "checking amavis: spam message is delivered to INBOX (MOVE_SPAM_TO_JUNK=0)" { + # send a spam message + run docker exec mail_spam_moved_new /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/amavis-spam.txt" + assert_success + + run repeat_until_success_or_timeout 20 sh -c "docker logs mail_spam_moved_new | grep 'Passed SPAM {RelayedTaggedInbound,Quarantined}'" + assert_success + + # spam moved to INBOX + run repeat_until_success_or_timeout 20 sh -c "docker exec mail_spam_moved_new sh -c 'grep \"Subject: SPAM: \" /var/mail/localhost.localdomain/user1/new/ -R'" + assert_success +} + +@test "last" { + skip 'this test is only there to reliably mark the end for the teardown_file' +}