github-com-docker-mailserver/docker-mailserver
1
0
Fork 0
mirror of https://github.com/docker-mailserver/docker-mailserver.git synced 2024-01-19 02:48:50 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #204 from dominikwinter/master

Browse source 
added ability to overwrite jail.conf #200
This commit is contained in:
Thomas VIAL 2016-06-04 11:04:47 +02:00
parent 5232935d47 18d910530c
commit a267af5efe
5 changed files with 61 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
.gitignore vendored
View file

@ -4,3 +4,4 @@ docker-compose.yml
test/config/empty/
test/config/postfix-accounts.cf
test/config/letsencrypt/mail.my-domain.com/combined.pem
test/onedir

11
config/fail2ban-jail.cf Normal file
View file

@ -0,0 +1,11 @@
[DEFAULT]
# "bantime" is the number of seconds that a host is banned.
#bantime = 10800
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
#findtime = 600
# "maxretry" is the number of failures before a host get banned.
#maxretry = 3

9
target/start-mailserver.sh
View file

@ -263,8 +263,13 @@ SA_TAG2=${SA_TAG2:="6.31"} && sed -i -r 's/^\$sa_tag2_level_deflt (.*);/\$sa_tag
SA_KILL=${SA_KILL:="6.31"} && sed -i -r 's/^\$sa_kill_level_deflt (.*);/\$sa_kill_level_deflt = '$SA_KILL';/g' /etc/amavis/conf.d/20-debian_defaults
test -e /tmp/docker-mailserver/spamassassin-rules.cf && cp /tmp/docker-mailserver/spamassassin-rules.cf /etc/spamassassin/
# Disable logrotate config for fail2ban if not enabled
test -z "$ENABLE_FAIL2BAN" && rm -f /etc/logrotate.d/fail2ban
if [ "$ENABLE_FAIL2BAN" = 1 ]; then
test -e /tmp/docker-mailserver/fail2ban-jail.cf && cp /tmp/docker-mailserver/fail2ban-jail.cf /etc/fail2ban/jail.local
else
# Disable logrotate config for fail2ban if not enabled
rm -f /etc/logrotate.d/fail2ban
fi
# Fix cron.daily for spamassassin
sed -i -e 's/invoke-rc.d spamassassin reload/\/etc\/init\.d\/spamassassin reload/g' /etc/cron.daily/spamassassin

11
test/config/fail2ban-jail.cf Normal file
View file

@ -0,0 +1,11 @@
[DEFAULT]
# "bantime" is the number of seconds that a host is banned.
bantime = 1234
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 321
# "maxretry" is the number of failures before a host get banned.
maxretry = 2

38
test/tests.bats
View file

@ -366,32 +366,56 @@
[ "$status" -eq 0 ]
}
@test "checking fail2ban: fail2ban-jail.cf overrides" {
FILTERS=(sshd postfix dovecot postfix-sasl)
for FILTER in "${FILTERS[@]}"; do
run docker exec mail_fail2ban /bin/sh -c "fail2ban-client get $FILTER bantime"
[ "$output" = 1234 ]
run docker exec mail_fail2ban /bin/sh -c "fail2ban-client get $FILTER findtime"
[ "$output" = 321 ]
run docker exec mail_fail2ban /bin/sh -c "fail2ban-client get $FILTER maxretry"
[ "$output" = 2 ]
done
}
@test "checking fail2ban: ban ip on multiple failed login" {
# Getting mail_fail2ban container IP
MAIL_FAIL2BAN_IP=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' mail_fail2ban)
# Create a container which will send wront authentications and should banned
docker run --name fail-auth-mailer -e MAIL_FAIL2BAN_IP=$MAIL_FAIL2BAN_IP -v "$(pwd)/test":/tmp/docker-mailserver-test -d `docker inspect --format '{{ .Config.Image }}' mail` tail -f /var/log/faillog
docker exec fail-auth-mailer /bin/sh -c 'nc $MAIL_FAIL2BAN_IP 25 < /tmp/docker-mailserver-test/auth/smtp-auth-login-wrong.txt'
docker run --name fail-auth-mailer -e MAIL_FAIL2BAN_IP=$MAIL_FAIL2BAN_IP -v "$(pwd)/test":/tmp/docker-mailserver-test -d $(docker inspect --format '{{ .Config.Image }}' mail) tail -f /var/log/faillog
docker exec fail-auth-mailer /bin/sh -c 'nc $MAIL_FAIL2BAN_IP 25 < /tmp/docker-mailserver-test/auth/smtp-auth-login-wrong.txt'
docker exec fail-auth-mailer /bin/sh -c 'nc $MAIL_FAIL2BAN_IP 25 < /tmp/docker-mailserver-test/auth/smtp-auth-login-wrong.txt'
sleep 5
# Checking that FAIL_AUTH_MAILER_IP is banned in mail_fail2ban
FAIL_AUTH_MAILER_IP=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' fail-auth-mailer)
run docker exec mail_fail2ban /bin/sh -c "export FAIL_AUTH_MAILER_IP=$FAIL_AUTH_MAILER_IP && fail2ban-client status postfix-sasl | grep '$FAIL_AUTH_MAILER_IP'"
run docker exec mail_fail2ban /bin/sh -c "fail2ban-client status postfix-sasl | grep '$FAIL_AUTH_MAILER_IP'"
[ "$status" -eq 0 ]
# Checking that FAIL_AUTH_MAILER_IP is banned in /etc/hosts.deny
run docker exec mail_fail2ban /bin/sh -c "export FAIL_AUTH_MAILER_IP=$FAIL_AUTH_MAILER_IP && iptables -L | grep 'REJECT all -- $FAIL_AUTH_MAILER_IP'"
# Checking that FAIL_AUTH_MAILER_IP is banned by iptables
run docker exec mail_fail2ban /bin/sh -c "iptables -L f2b-postfix-sasl -n | grep REJECT | grep '$FAIL_AUTH_MAILER_IP'"
[ "$status" -eq 0 ]
}
@test "checking fail2ban: unban ip works" {
FAIL_AUTH_MAILER_IP=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' fail-auth-mailer)
docker exec mail_fail2ban fail2ban-client set postfix-sasl unbanip $FAIL_AUTH_MAILER_IP
sleep 5
run docker exec mail_fail2ban /bin/sh -c "fail2ban-client status postfix-sasl | grep 'IP list:.*$FAIL_AUTH_MAILER_IP'"
[ "$status" -eq 1 ]
# Checking that FAIL_AUTH_MAILER_IP is unbanned in /etc/hosts.deny
run docker exec mail_fail2ban /bin/sh -c "export FAIL_AUTH_MAILER_IP=$FAIL_AUTH_MAILER_IP && iptables -L | grep 'REJECT all -- $FAIL_AUTH_MAILER_IP'"
# Checking that FAIL_AUTH_MAILER_IP is unbanned by iptables
run docker exec mail_fail2ban /bin/sh -c "iptables -L f2b-postfix-sasl -n | grep REJECT | grep '$FAIL_AUTH_MAILER_IP'"
[ "$status" -eq 1 ]
}