mirror of
https://github.com/docker-mailserver/docker-mailserver.git
synced 2024-01-19 02:48:50 +00:00
Merge pull request #153 from tomav/fixed-fail2ban-config-and-tests
Fixed #152 Fail2ban config and tests
This commit is contained in:
commit
c441a55476
|
@ -7,7 +7,7 @@ RUN apt-get -y upgrade
|
||||||
RUN DEBIAN_FRONTEND=noninteractive apt-get -y install --no-install-recommends \
|
RUN DEBIAN_FRONTEND=noninteractive apt-get -y install --no-install-recommends \
|
||||||
postfix dovecot-core dovecot-imapd dovecot-pop3d gamin amavisd-new spamassassin razor pyzor \
|
postfix dovecot-core dovecot-imapd dovecot-pop3d gamin amavisd-new spamassassin razor pyzor \
|
||||||
clamav clamav-daemon libnet-dns-perl libmail-spf-perl bzip2 file gzip p7zip unzip zip rsyslog \
|
clamav clamav-daemon libnet-dns-perl libmail-spf-perl bzip2 file gzip p7zip unzip zip rsyslog \
|
||||||
opendkim opendkim-tools opendmarc curl fail2ban && apt-get autoclean && rm -rf /var/lib/apt/lists/*
|
opendkim opendkim-tools opendmarc curl fail2ban ed && apt-get autoclean && rm -rf /var/lib/apt/lists/*
|
||||||
|
|
||||||
# Configures Dovecot
|
# Configures Dovecot
|
||||||
RUN sed -i -e 's/include_try \/usr\/share\/dovecot\/protocols\.d/include_try \/etc\/dovecot\/protocols\.d/g' /etc/dovecot/dovecot.conf
|
RUN sed -i -e 's/include_try \/usr\/share\/dovecot\/protocols\.d/include_try \/etc\/dovecot\/protocols\.d/g' /etc/dovecot/dovecot.conf
|
||||||
|
|
|
@ -79,14 +79,14 @@ Just add the full email address and its encrypted password separated by a pipe.
|
||||||
|
|
||||||
Example:
|
Example:
|
||||||
|
|
||||||
user1@domain.tld|{SCHEME}mypassword-encrypted
|
user1@domain.tld|{CRAM-MD5}mypassword-cram-md5-encrypted
|
||||||
user2@otherdomain.tld|{SCHEME}myotherpassword-encrypted
|
user2@otherdomain.tld|{CRAM-MD5}myotherpassword-cram-md5-encrypted
|
||||||
|
|
||||||
To generate the password you could run for example the following:
|
To generate the password you could run for example the following:
|
||||||
|
|
||||||
docker run --rm -ti tvial/docker-mailserver:v2 doveadm pw -s CRAM-MD5 -u user1@domain.tld
|
docker run --rm -ti tvial/docker-mailserver:v2 doveadm pw -s CRAM-MD5 -u user1@domain.tld
|
||||||
|
|
||||||
You will be asked for a password (and for a confirmation of the password). Just copy all the output string in the file `config/postfix-accounts.cf`.
|
You will be asked for a password. Just copy all the output string in the file `config/postfix-accounts.cf`.
|
||||||
|
|
||||||
The `doveadm pw` command let you choose between several encryption schemes for the password.
|
The `doveadm pw` command let you choose between several encryption schemes for the password.
|
||||||
Use doveadm pw -l to get a list of the currently supported encryption schemes.
|
Use doveadm pw -l to get a list of the currently supported encryption schemes.
|
||||||
|
|
|
@ -68,7 +68,7 @@ sendername = Fail2Ban
|
||||||
# iptables-multiport, shorewall, etc) It is used to define
|
# iptables-multiport, shorewall, etc) It is used to define
|
||||||
# action_* variables. Can be overridden globally or per
|
# action_* variables. Can be overridden globally or per
|
||||||
# section within jail.local file
|
# section within jail.local file
|
||||||
banaction = iptables-multiport
|
banaction = hostsdeny
|
||||||
|
|
||||||
# email action. Since 0.8.1 upstream fail2ban uses sendmail
|
# email action. Since 0.8.1 upstream fail2ban uses sendmail
|
||||||
# MTA for the mailing. Change mta configuration parameter to mail
|
# MTA for the mailing. Change mta configuration parameter to mail
|
||||||
|
|
|
@ -52,7 +52,7 @@
|
||||||
}
|
}
|
||||||
|
|
||||||
@test "checking imap: server is ready with STARTTLS" {
|
@test "checking imap: server is ready with STARTTLS" {
|
||||||
run docker exec mail /bin/bash -c "nc -w 5 0.0.0.0 143 | grep '* OK' | grep 'STARTTLS' | grep 'ready'"
|
run docker exec mail /bin/bash -c "nc -w 2 0.0.0.0 143 | grep '* OK' | grep 'STARTTLS' | grep 'ready'"
|
||||||
[ "$status" -eq 0 ]
|
[ "$status" -eq 0 ]
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -313,7 +313,7 @@
|
||||||
#
|
#
|
||||||
|
|
||||||
@test "checking ssl: generated default cert is installed" {
|
@test "checking ssl: generated default cert is installed" {
|
||||||
run docker exec mail /bin/sh -c "openssl s_client -connect 0.0.0.0:587 -starttls smtp -CApath /etc/ssl/certs/ | grep 'Verify return code: 0 (ok)'"
|
run docker exec mail /bin/sh -c "timeout 1 openssl s_client -connect 0.0.0.0:587 -starttls smtp -CApath /etc/ssl/certs/ | grep 'Verify return code: 0 (ok)'"
|
||||||
[ "$status" -eq 0 ]
|
[ "$status" -eq 0 ]
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -343,6 +343,9 @@
|
||||||
FAIL_AUTH_MAILER_IP=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' fail-auth-mailer)
|
FAIL_AUTH_MAILER_IP=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' fail-auth-mailer)
|
||||||
run docker exec mail_fail2ban /bin/sh -c "export FAIL_AUTH_MAILER_IP=$FAIL_AUTH_MAILER_IP && fail2ban-client status sasl | grep '$FAIL_AUTH_MAILER_IP'"
|
run docker exec mail_fail2ban /bin/sh -c "export FAIL_AUTH_MAILER_IP=$FAIL_AUTH_MAILER_IP && fail2ban-client status sasl | grep '$FAIL_AUTH_MAILER_IP'"
|
||||||
[ "$status" -eq 0 ]
|
[ "$status" -eq 0 ]
|
||||||
|
# Checking that FAIL_AUTH_MAILER_IP is banned in /etc/hosts.deny
|
||||||
|
run docker exec mail_fail2ban /bin/sh -c "export FAIL_AUTH_MAILER_IP=$FAIL_AUTH_MAILER_IP && grep 'ALL: $FAIL_AUTH_MAILER_IP' /etc/hosts.deny"
|
||||||
|
[ "$status" -eq 0 ]
|
||||||
}
|
}
|
||||||
|
|
||||||
@test "checking fail2ban: unban ip works" {
|
@test "checking fail2ban: unban ip works" {
|
||||||
|
@ -351,6 +354,9 @@
|
||||||
sleep 5
|
sleep 5
|
||||||
run docker exec mail_fail2ban /bin/sh -c "fail2ban-client status sasl | grep 'IP list:.*$FAIL_AUTH_MAILER_IP'"
|
run docker exec mail_fail2ban /bin/sh -c "fail2ban-client status sasl | grep 'IP list:.*$FAIL_AUTH_MAILER_IP'"
|
||||||
[ "$status" -eq 1 ]
|
[ "$status" -eq 1 ]
|
||||||
|
# Checking that FAIL_AUTH_MAILER_IP is unbanned in /etc/hosts.deny
|
||||||
|
run docker exec mail_fail2ban /bin/sh -c "export FAIL_AUTH_MAILER_IP=$FAIL_AUTH_MAILER_IP && grep 'ALL: $FAIL_AUTH_MAILER_IP' /etc/hosts.deny"
|
||||||
|
[ "$status" -eq 1 ]
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
|
|
Loading…
Reference in a new issue