Merge branch 'master' into issues/2467

This commit is contained in:
Nathan Pierce 2022-03-17 09:24:55 -04:00 committed by GitHub
commit a435c32661
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 70 additions and 49 deletions


@ -14,7 +14,7 @@ function _setup_supervisor
if ! grep -q "loglevel = ${SUPERVISOR_LOGLEVEL}" /etc/supervisor/supervisord.conf if ! grep -q "loglevel = ${SUPERVISOR_LOGLEVEL}" /etc/supervisor/supervisord.conf
then then
case "${SUPERVISOR_LOGLEVEL}" in case "${SUPERVISOR_LOGLEVEL}" in
'critical' | 'error' | 'info' | 'debug' ) ( 'critical' | 'error' | 'info' | 'debug' )
sed -i -E \ sed -i -E \
"s|(loglevel).*|\1 = ${SUPERVISOR_LOGLEVEL}|g" \ "s|(loglevel).*|\1 = ${SUPERVISOR_LOGLEVEL}|g" \
/etc/supervisor/supervisord.conf /etc/supervisor/supervisord.conf
@ -23,11 +23,11 @@ function _setup_supervisor
exit exit
;; ;;
'warn' ) ( 'warn' )
return 0 return 0
;; ;;
* ) ( * )
_notify 'err' \ _notify 'err' \
"SUPERVISOR_LOGLEVEL '${SUPERVISOR_LOGLEVEL}' unknown. Using default 'warn'" "SUPERVISOR_LOGLEVEL '${SUPERVISOR_LOGLEVEL}' unknown. Using default 'warn'"
;; ;;
@ -160,7 +160,7 @@ function _setup_dovecot
# set mail_location according to mailbox format # set mail_location according to mailbox format
case "${DOVECOT_MAILBOX_FORMAT}" in case "${DOVECOT_MAILBOX_FORMAT}" in
"sdbox" | "mdbox" ) ( "sdbox" | "mdbox" )
_notify 'inf' "Dovecot ${DOVECOT_MAILBOX_FORMAT} format configured" _notify 'inf' "Dovecot ${DOVECOT_MAILBOX_FORMAT} format configured"
sed -i -e \ sed -i -e \
"s|^mail_location = .*$|mail_location = ${DOVECOT_MAILBOX_FORMAT}:\/var\/mail\/%d\/%n|g" \ "s|^mail_location = .*$|mail_location = ${DOVECOT_MAILBOX_FORMAT}:\/var\/mail\/%d\/%n|g" \
@ -171,7 +171,7 @@ function _setup_dovecot
chmod 644 /etc/cron.d/dovecot-purge chmod 644 /etc/cron.d/dovecot-purge
;; ;;
* ) ( * )
_notify 'inf' "Dovecot maildir format configured (default)" _notify 'inf' "Dovecot maildir format configured (default)"
sed -i -e 's|^mail_location = .*$|mail_location = maildir:\/var\/mail\/%d\/%n|g' /etc/dovecot/conf.d/10-mail.conf sed -i -e 's|^mail_location = .*$|mail_location = maildir:\/var\/mail\/%d\/%n|g' /etc/dovecot/conf.d/10-mail.conf
;; ;;
@ -719,12 +719,12 @@ function _setup_docker_permit
done < <(ip -o -4 addr show type veth | grep -E -o '[0-9\.]+/[0-9]+') done < <(ip -o -4 addr show type veth | grep -E -o '[0-9\.]+/[0-9]+')
case "${PERMIT_DOCKER}" in case "${PERMIT_DOCKER}" in
"none" ) ( 'none' )
_notify 'inf' "Clearing Postfix's 'mynetworks'" _notify 'inf' "Clearing Postfix's 'mynetworks'"
postconf -e "mynetworks =" postconf -e "mynetworks ="
;; ;;
"connected-networks" ) ( 'connected-networks' )
for NETWORK in "${CONTAINER_NETWORKS[@]}" for NETWORK in "${CONTAINER_NETWORKS[@]}"
do do
NETWORK=$(_sanitize_ipv4_to_subnet_cidr "${NETWORK}") NETWORK=$(_sanitize_ipv4_to_subnet_cidr "${NETWORK}")
@ -735,28 +735,28 @@ function _setup_docker_permit
done done
;; ;;
"container" ) ( 'container' )
_notify 'inf' "Adding container IP address to Postfix's 'mynetworks'" _notify 'inf' "Adding container IP address to Postfix's 'mynetworks'"
postconf -e "$(postconf | grep '^mynetworks =') ${CONTAINER_IP}/32" postconf -e "$(postconf | grep '^mynetworks =') ${CONTAINER_IP}/32"
echo "${CONTAINER_IP}/32" >> /etc/opendmarc/ignore.hosts echo "${CONTAINER_IP}/32" >> /etc/opendmarc/ignore.hosts
echo "${CONTAINER_IP}/32" >> /etc/opendkim/TrustedHosts echo "${CONTAINER_IP}/32" >> /etc/opendkim/TrustedHosts
;; ;;
"host" ) ( 'host' )
_notify 'inf' "Adding ${CONTAINER_NETWORK}/16 to Postfix's 'mynetworks'" _notify 'inf' "Adding ${CONTAINER_NETWORK}/16 to Postfix's 'mynetworks'"
postconf -e "$(postconf | grep '^mynetworks =') ${CONTAINER_NETWORK}/16" postconf -e "$(postconf | grep '^mynetworks =') ${CONTAINER_NETWORK}/16"
echo "${CONTAINER_NETWORK}/16" >> /etc/opendmarc/ignore.hosts echo "${CONTAINER_NETWORK}/16" >> /etc/opendmarc/ignore.hosts
echo "${CONTAINER_NETWORK}/16" >> /etc/opendkim/TrustedHosts echo "${CONTAINER_NETWORK}/16" >> /etc/opendkim/TrustedHosts
;; ;;
"network" ) ( 'network' )
_notify 'inf' "Adding docker network to Postfix's 'mynetworks'" _notify 'inf' "Adding docker network to Postfix's 'mynetworks'"
postconf -e "$(postconf | grep '^mynetworks =') 172.16.0.0/12" postconf -e "$(postconf | grep '^mynetworks =') 172.16.0.0/12"
echo 172.16.0.0/12 >> /etc/opendmarc/ignore.hosts echo 172.16.0.0/12 >> /etc/opendmarc/ignore.hosts
echo 172.16.0.0/12 >> /etc/opendkim/TrustedHosts echo 172.16.0.0/12 >> /etc/opendkim/TrustedHosts
;; ;;
* ) ( * )
_notify 'warn' "Invalid value for PERMIT_DOCKER: ${PERMIT_DOCKER}" _notify 'warn' "Invalid value for PERMIT_DOCKER: ${PERMIT_DOCKER}"
_notify 'inf' "Clearing Postfix's 'mynetworks'" _notify 'inf' "Clearing Postfix's 'mynetworks'"
postconf -e "mynetworks =" postconf -e "mynetworks ="
@ -942,10 +942,21 @@ function _setup_security_stack
local SPAMASSASSIN_KAM_CRON_FILE=/etc/cron.daily/spamassassin_kam local SPAMASSASSIN_KAM_CRON_FILE=/etc/cron.daily/spamassassin_kam
sa-update --import /etc/spamassassin/kam/kam.sa-channels.mcgrail.com.key sa-update --import /etc/spamassassin/kam/kam.sa-channels.mcgrail.com.key
cat >"${SPAMASSASSIN_KAM_CRON_FILE}" <<"EOM" cat >"${SPAMASSASSIN_KAM_CRON_FILE}" <<"EOM"
#! /bin/bash #! /bin/bash
sa-update --gpgkey 24C063D8 --channel kam.sa-channels.mcgrail.com RESULT="$(sa-update --gpgkey 24C063D8 --channel kam.sa-channels.mcgrail.com 2>&1)"
EXIT_CODE=${?}
# see https://spamassassin.apache.org/full/3.1.x/doc/sa-update.html#exit_codes
if [[ ${EXIT_CODE} -ge 4 ]]
then
echo -e "Updating SpamAssassin KAM failed:\n${RESULT}\n" >&2
exit 1
fi
exit 0
EOM EOM
@ -986,7 +997,9 @@ EOM
fi fi
# fix cron.daily for spamassassin # fix cron.daily for spamassassin
sed -i -e 's|invoke-rc.d spamassassin reload|/etc/init\.d/spamassassin reload|g' /etc/cron.daily/spamassassin sed -i \
's|invoke-rc.d spamassassin reload|/etc/init\.d/spamassassin reload|g' \
/etc/cron.daily/spamassassin
# Amavis # Amavis
if [[ ${ENABLE_AMAVIS} -eq 1 ]] if [[ ${ENABLE_AMAVIS} -eq 1 ]]
@ -1010,22 +1023,22 @@ function _setup_logrotate
LOGROTATE='/var/log/mail/mail.log\n{\n compress\n copytruncate\n delaycompress\n' LOGROTATE='/var/log/mail/mail.log\n{\n compress\n copytruncate\n delaycompress\n'
case "${LOGROTATE_INTERVAL}" in case "${LOGROTATE_INTERVAL}" in
'daily' ) ( 'daily' )
_notify 'inf' 'Setting postfix logrotate interval to daily' _notify 'inf' 'Setting postfix logrotate interval to daily'
LOGROTATE="${LOGROTATE} rotate 4\n daily\n" LOGROTATE="${LOGROTATE} rotate 4\n daily\n"
;; ;;
'weekly' ) ( 'weekly' )
_notify 'inf' 'Setting postfix logrotate interval to weekly' _notify 'inf' 'Setting postfix logrotate interval to weekly'
LOGROTATE="${LOGROTATE} rotate 4\n weekly\n" LOGROTATE="${LOGROTATE} rotate 4\n weekly\n"
;; ;;
'monthly' ) ( 'monthly' )
_notify 'inf' 'Setting postfix logrotate interval to monthly' _notify 'inf' 'Setting postfix logrotate interval to monthly'
LOGROTATE="${LOGROTATE} rotate 4\n monthly\n" LOGROTATE="${LOGROTATE} rotate 4\n monthly\n"
;; ;;
* ) ( * )
_notify 'warn' 'LOGROTATE_INTERVAL not found in _setup_logrotate' _notify 'warn' 'LOGROTATE_INTERVAL not found in _setup_logrotate'
;; ;;
@ -1039,27 +1052,30 @@ function _setup_mail_summary
_notify 'inf' "Enable postfix summary with recipient ${PFLOGSUMM_RECIPIENT}" _notify 'inf' "Enable postfix summary with recipient ${PFLOGSUMM_RECIPIENT}"
case "${PFLOGSUMM_TRIGGER}" in case "${PFLOGSUMM_TRIGGER}" in
'daily_cron' ) ( 'daily_cron' )
_notify 'inf' 'Creating daily cron job for pflogsumm report' _notify 'inf' 'Creating daily cron job for pflogsumm report'
echo '#! /bin/bash' > /etc/cron.daily/postfix-summary cat >/etc/cron.daily/postfix-summary << EOM
echo "/usr/local/bin/report-pflogsumm-yesterday ${HOSTNAME} ${PFLOGSUMM_RECIPIENT} ${PFLOGSUMM_SENDER}" >>/etc/cron.daily/postfix-summary #! /bin/bash
/usr/local/bin/report-pflogsumm-yesterday ${HOSTNAME} ${PFLOGSUMM_RECIPIENT} ${PFLOGSUMM_SENDER}
EOM
chmod +x /etc/cron.daily/postfix-summary chmod +x /etc/cron.daily/postfix-summary
;; ;;
'logrotate' ) ( 'logrotate' )
_notify 'inf' 'Add postrotate action for pflogsumm report' _notify 'inf' 'Add postrotate action for pflogsumm report'
sed -i \ sed -i \
"s|}| postrotate\n /usr/local/bin/postfix-summary ${HOSTNAME} ${PFLOGSUMM_RECIPIENT} ${PFLOGSUMM_SENDER}\n endscript\n}\n|" \ "s|}| postrotate\n /usr/local/bin/postfix-summary ${HOSTNAME} ${PFLOGSUMM_RECIPIENT} ${PFLOGSUMM_SENDER}\n endscript\n}\n|" \
/etc/logrotate.d/maillog /etc/logrotate.d/maillog
;; ;;
'none' ) ( 'none' )
_notify 'inf' 'Postfix log summary reports disabled.' _notify 'inf' 'Postfix log summary reports disabled.'
;; ;;
* ) ( * )
_notify 'err' 'PFLOGSUMM_TRIGGER not found in _setup_mail_summery' _notify 'err' 'PFLOGSUMM_TRIGGER not found in _setup_mail_summery'
;; ;;
@ -1068,34 +1084,37 @@ function _setup_mail_summary
function _setup_logwatch function _setup_logwatch
{ {
_notify 'inf' "Enable logwatch reports with recipient ${LOGWATCH_RECIPIENT}"
echo 'LogFile = /var/log/mail/freshclam.log' >>/etc/logwatch/conf/logfiles/clam-update.conf echo 'LogFile = /var/log/mail/freshclam.log' >>/etc/logwatch/conf/logfiles/clam-update.conf
echo "MailFrom = ${LOGWATCH_SENDER}" >>/etc/logwatch/conf/logwatch.conf echo "MailFrom = ${LOGWATCH_SENDER}" >>/etc/logwatch/conf/logwatch.conf
case "${LOGWATCH_INTERVAL}" in case "${LOGWATCH_INTERVAL}" in
'daily' ) ( 'daily' | 'weekly' )
_notify 'inf' "Creating daily cron job for logwatch reports" _notify 'inf' "Enable logwatch reports with recipient ${LOGWATCH_RECIPIENT}"
echo "#! /bin/bash" > /etc/cron.daily/logwatch _notify 'inf' "Creating ${LOGWATCH_INTERVAL} cron job for logwatch reports"
echo "/usr/sbin/logwatch --range Yesterday --hostname ${HOSTNAME} --mailto ${LOGWATCH_RECIPIENT}" \
>>/etc/cron.daily/logwatch local LOGWATCH_FILE INTERVAL
chmod 744 /etc/cron.daily/logwatch
LOGWATCH_FILE="/etc/cron.${LOGWATCH_INTERVAL}/logwatch"
INTERVAL='--range Yesterday'
if [[ ${LOGWATCH_INTERVAL} == 'weekly' ]]
then
INTERVAL="--range 'between -7 days and -1 days'"
fi
cat >"${LOGWATCH_FILE}" << EOM
#! /bin/bash
/usr/sbin/logwatch ${INTERVAL} --hostname ${HOSTNAME} --mailto ${LOGWATCH_RECIPIENT}
EOM
chmod 744 "${LOGWATCH_FILE}"
;; ;;
'weekly' ) ( 'none' )
_notify 'inf' "Creating weekly cron job for logwatch reports"
echo "#! /bin/bash" > /etc/cron.weekly/logwatch
echo "/usr/sbin/logwatch --range 'between -7 days and -1 days' --hostname ${HOSTNAME} --mailto ${LOGWATCH_RECIPIENT}" \
>>/etc/cron.weekly/logwatch
chmod 744 /etc/cron.weekly/logwatch
;;
'none' )
_notify 'inf' 'Logwatch reports disabled.' _notify 'inf' 'Logwatch reports disabled.'
;; ;;
* ) ( * )
_notify 'warn' 'LOGWATCH_INTERVAL not found in _setup_logwatch' _notify 'warn' 'LOGWATCH_INTERVAL not found in _setup_logwatch'
;; ;;
@ -1127,7 +1146,9 @@ function _setup_fail2ban
function _setup_dnsbl_disable function _setup_dnsbl_disable
{ {
_notify 'task' 'Disabling postfix DNS block list (zen.spamhaus.org)' _notify 'task' 'Disabling postfix DNS block list (zen.spamhaus.org)'
sedfile -i '/^smtpd_recipient_restrictions = / s/, reject_rbl_client zen.spamhaus.org//' /etc/postfix/main.cf sedfile -i \
'/^smtpd_recipient_restrictions = / s/, reject_rbl_client zen.spamhaus.org//' \
/etc/postfix/main.cf
_notify 'task' 'Disabling postscreen DNS block lists' _notify 'task' 'Disabling postscreen DNS block lists'
postconf -e "postscreen_dnsbl_action = ignore" postconf -e "postscreen_dnsbl_action = ignore"
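Review bot: The cron script generated by the heredoc in the _setup_logwatch hunk bakes `${HOSTNAME}` and `${LOGWATCH_RECIPIENT}` into a root-run script as bare words, so a value containing whitespace or shell metacharacters is re-parsed by the generated script at run time instead of being passed as a single argument. Because the `<< EOM` delimiter is unquoted, the expansion happens at generation time, and writing `/usr/sbin/logwatch ${INTERVAL} --hostname "${HOSTNAME}" --mailto "${LOGWATCH_RECIPIENT}"` puts quoted literals into the file (`${INTERVAL}` must stay bare since it carries its own single quotes); a value holding `"` or `$` would still need `printf '%q'` to be emitted safely. The same applies to the pflogsumm cron script in the _setup_mail_summary hunk, where `/usr/local/bin/report-pflogsumm-yesterday "${HOSTNAME}" "${PFLOGSUMM_RECIPIENT}" "${PFLOGSUMM_SENDER}"` would do the same. These values presumably come from the container environment set by the operator, so the exposure is misconfiguration rather than untrusted input, and the behaviour is carried over from the echo-based version rather than introduced by this change.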


@ -101,7 +101,7 @@ function teardown_file() {
@test "checking ssl: manual cert changes are picked up by check-for-changes" { @test "checking ssl: manual cert changes are picked up by check-for-changes" {
printf 'someThingsChangedHere' \ printf 'someThingsChangedHere' \
>>"$(pwd)/test/test-files/ssl/${DOMAIN_SSL_MANUAL}/with_ca/ecdsa/key.ecdsa.pem" >>"$(pwd)/test/test-files/ssl/${DOMAIN_SSL_MANUAL}/with_ca/ecdsa/key.ecdsa.pem"
sleep 10 sleep 15
run docker exec mail_manual_ssl /bin/bash -c "supervisorctl tail -3000 changedetector" run docker exec mail_manual_ssl /bin/bash -c "supervisorctl tail -3000 changedetector"
assert_output --partial 'Change detected' assert_output --partial 'Change detected'