Merge pull request #204 from dominikwinter/master
added ability to overwrite jail.conf #200
commit
a267af5efe
1
.gitignore
vendored
1
.gitignore
vendored
|
@ -4,3 +4,4 @@ docker-compose.yml
|
|||
test/config/empty/
|
||||
test/config/postfix-accounts.cf
|
||||
test/config/letsencrypt/mail.my-domain.com/combined.pem
|
||||
test/onedir
|
||||
|
|
11
config/fail2ban-jail.cf
Normal file
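--- /dev/null
+++ b/config/fail2ban-jail.cf
@@ -0,0 +1,11 @@
+[DEFAULT]
+
+# "bantime" is the number of seconds that a host is banned.
+#bantime = 10800
+
+# A host is banned if it has generated "maxretry" during the last "findtime"
+# seconds.
+#findtime = 600
+
+# "maxretry" is the number of failures before a host get banned.
+#maxretry = 3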
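Review bot: The template never says where it ends up or how far it reaches: per the start script in this commit it is copied to `/etc/fail2ban/jail.local`, which overrides `jail.conf`, so anything placed under `[DEFAULT]` here applies to every jail (sshd, postfix, dovecot, postfix-sasl), not just mail. I would add a header such as `# Copied to /etc/fail2ban/jail.local at startup; settings here override jail.conf for ALL jails.` and a commented `#ignoreip = 127.0.0.1/8` example, since an operator who trims `ignoreip` or sets `enabled = false` in this section can silently disable brute-force protection for the whole host. The description of `maxretry` should also read `before a host gets banned`.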
@ -263,8 +263,13 @@ SA_TAG2=${SA_TAG2:="6.31"} && sed -i -r 's/^\$sa_tag2_level_deflt (.*);/\$sa_tag
|
|||
SA_KILL=${SA_KILL:="6.31"} && sed -i -r 's/^\$sa_kill_level_deflt (.*);/\$sa_kill_level_deflt = '$SA_KILL';/g' /etc/amavis/conf.d/20-debian_defaults
|
||||
test -e /tmp/docker-mailserver/spamassassin-rules.cf && cp /tmp/docker-mailserver/spamassassin-rules.cf /etc/spamassassin/
|
||||
|
||||
if [ "$ENABLE_FAIL2BAN" = 1 ]; then
|
||||
test -e /tmp/docker-mailserver/fail2ban-jail.cf && cp /tmp/docker-mailserver/fail2ban-jail.cf /etc/fail2ban/jail.local
|
||||
else
|
||||
# Disable logrotate config for fail2ban if not enabled
|
||||
test -z "$ENABLE_FAIL2BAN" && rm -f /etc/logrotate.d/fail2ban
|
||||
rm -f /etc/logrotate.d/fail2ban
|
||||
fi
|
||||
|
||||
# Fix cron.daily for spamassassin
|
||||
sed -i -e 's/invoke-rc.d spamassassin reload/\/etc\/init\.d\/spamassassin reload/g' /etc/cron.daily/spamassassin
|
||||
|
||||
|
|
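Review bot: The override installed by `test -e /tmp/docker-mailserver/fail2ban-jail.cf && cp /tmp/docker-mailserver/fail2ban-jail.cf /etc/fail2ban/jail.local` is trusted wholesale: jail.local wins over jail.conf, so a `[DEFAULT]` block that sets `enabled = false`, an over-broad `ignoreip`, or a simple syntax error can leave the mail server with no brute-force protection while the container still reports fail2ban as enabled. Use `test -f` instead of `test -e` so a directory accidentally mounted at that path fails fast rather than producing a confusing `cp` error, and consider validating the merged configuration before fail2ban is started (`fail2ban-client -d`, or `-t` on newer releases; which flag applies depends on the packaged version, which this hunk does not show). Where fail2ban is actually started, and whether the script runs under `set -e`, lies outside this hunk.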
11
test/config/fail2ban-jail.cf
Normal file
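--- /dev/null
+++ b/test/config/fail2ban-jail.cf
@@ -0,0 +1,11 @@
+[DEFAULT]
+
+# "bantime" is the number of seconds that a host is banned.
+bantime = 1234
+
+# A host is banned if it has generated "maxretry" during the last "findtime"
+# seconds.
+findtime = 321
+
+# "maxretry" is the number of failures before a host get banned.
+maxretry = 2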
@ -366,32 +366,56 @@
|
|||
[ "$status" -eq 0 ]
|
||||
}
|
||||
|
||||
@test "checking fail2ban: fail2ban-jail.cf overrides" {
|
||||
FILTERS=(sshd postfix dovecot postfix-sasl)
|
||||
|
||||
for FILTER in "${FILTERS[@]}"; do
|
||||
run docker exec mail_fail2ban /bin/sh -c "fail2ban-client get $FILTER bantime"
|
||||
[ "$output" = 1234 ]
|
||||
|
||||
run docker exec mail_fail2ban /bin/sh -c "fail2ban-client get $FILTER findtime"
|
||||
[ "$output" = 321 ]
|
||||
|
||||
run docker exec mail_fail2ban /bin/sh -c "fail2ban-client get $FILTER maxretry"
|
||||
[ "$output" = 2 ]
|
||||
done
|
||||
}
|
||||
|
||||
@test "checking fail2ban: ban ip on multiple failed login" {
|
||||
# Getting mail_fail2ban container IP
|
||||
MAIL_FAIL2BAN_IP=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' mail_fail2ban)
|
||||
|
||||
# Create a container which will send wront authentications and should banned
|
||||
docker run --name fail-auth-mailer -e MAIL_FAIL2BAN_IP=$MAIL_FAIL2BAN_IP -v "$(pwd)/test":/tmp/docker-mailserver-test -d `docker inspect --format '{{ .Config.Image }}' mail` tail -f /var/log/faillog
|
||||
docker exec fail-auth-mailer /bin/sh -c 'nc $MAIL_FAIL2BAN_IP 25 < /tmp/docker-mailserver-test/auth/smtp-auth-login-wrong.txt'
|
||||
docker run --name fail-auth-mailer -e MAIL_FAIL2BAN_IP=$MAIL_FAIL2BAN_IP -v "$(pwd)/test":/tmp/docker-mailserver-test -d $(docker inspect --format '{{ .Config.Image }}' mail) tail -f /var/log/faillog
|
||||
|
||||
docker exec fail-auth-mailer /bin/sh -c 'nc $MAIL_FAIL2BAN_IP 25 < /tmp/docker-mailserver-test/auth/smtp-auth-login-wrong.txt'
|
||||
docker exec fail-auth-mailer /bin/sh -c 'nc $MAIL_FAIL2BAN_IP 25 < /tmp/docker-mailserver-test/auth/smtp-auth-login-wrong.txt'
|
||||
|
||||
sleep 5
|
||||
|
||||
# Checking that FAIL_AUTH_MAILER_IP is banned in mail_fail2ban
|
||||
FAIL_AUTH_MAILER_IP=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' fail-auth-mailer)
|
||||
run docker exec mail_fail2ban /bin/sh -c "export FAIL_AUTH_MAILER_IP=$FAIL_AUTH_MAILER_IP && fail2ban-client status postfix-sasl | grep '$FAIL_AUTH_MAILER_IP'"
|
||||
|
||||
run docker exec mail_fail2ban /bin/sh -c "fail2ban-client status postfix-sasl | grep '$FAIL_AUTH_MAILER_IP'"
|
||||
[ "$status" -eq 0 ]
|
||||
# Checking that FAIL_AUTH_MAILER_IP is banned in /etc/hosts.deny
|
||||
run docker exec mail_fail2ban /bin/sh -c "export FAIL_AUTH_MAILER_IP=$FAIL_AUTH_MAILER_IP && iptables -L | grep 'REJECT all -- $FAIL_AUTH_MAILER_IP'"
|
||||
|
||||
# Checking that FAIL_AUTH_MAILER_IP is banned by iptables
|
||||
run docker exec mail_fail2ban /bin/sh -c "iptables -L f2b-postfix-sasl -n | grep REJECT | grep '$FAIL_AUTH_MAILER_IP'"
|
||||
[ "$status" -eq 0 ]
|
||||
}
|
||||
|
||||
@test "checking fail2ban: unban ip works" {
|
||||
FAIL_AUTH_MAILER_IP=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' fail-auth-mailer)
|
||||
|
||||
docker exec mail_fail2ban fail2ban-client set postfix-sasl unbanip $FAIL_AUTH_MAILER_IP
|
||||
|
||||
sleep 5
|
||||
|
||||
run docker exec mail_fail2ban /bin/sh -c "fail2ban-client status postfix-sasl | grep 'IP list:.*$FAIL_AUTH_MAILER_IP'"
|
||||
[ "$status" -eq 1 ]
|
||||
# Checking that FAIL_AUTH_MAILER_IP is unbanned in /etc/hosts.deny
|
||||
run docker exec mail_fail2ban /bin/sh -c "export FAIL_AUTH_MAILER_IP=$FAIL_AUTH_MAILER_IP && iptables -L | grep 'REJECT all -- $FAIL_AUTH_MAILER_IP'"
|
||||
|
||||
# Checking that FAIL_AUTH_MAILER_IP is unbanned by iptables
|
||||
run docker exec mail_fail2ban /bin/sh -c "iptables -L f2b-postfix-sasl -n | grep REJECT | grep '$FAIL_AUTH_MAILER_IP'"
|
||||
[ "$status" -eq 1 ]
|
||||
}
|
||||
|
||||
|
|
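Review bot: The address checks at `fail2ban-client status postfix-sasl | grep '$FAIL_AUTH_MAILER_IP'` and `iptables -L f2b-postfix-sasl -n | grep REJECT | grep '$FAIL_AUTH_MAILER_IP'` treat the IP as a regular expression and a substring: the dots match any character and `172.17.0.3` also matches `172.17.0.30`, so the ban test can pass on another container's entry and the unban test (which expects `grep` to fail) can fail on one. Use a fixed-string, whole-word match in all four places, `grep -F -w -- '$FAIL_AUTH_MAILER_IP'`, and assert `[ -n "$FAIL_AUTH_MAILER_IP" ]` after each `docker inspect` so an empty value from a missing container cannot turn the pattern into a match-anything. The hunk opens with the closing lines (`[ "$status" -eq 0 ]` / `}`) of an earlier test whose body is outside the view.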