github-com-docker-mailserver/docker-mailserver
1
0
Fork 0
mirror of https://github.com/docker-mailserver/docker-mailserver.git synced 2024-01-19 02:48:50 +00:00
Code Issues Projects Releases Wiki Activity

Added greylisting using postgrey (#495)

Browse source 
* Added greylisting using postgrey
* Updated the documentation
This commit is contained in:
Sven Kauber 2017-02-06 09:21:18 +00:00 committed by Thomas VIAL
parent d40ae81d09
commit c7e4206466
8 changed files with 291 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
Dockerfile
View file

@ -39,6 +39,7 @@ RUN DEBIAN_FRONTEND=noninteractive apt-get update -q --fix-missing && \
rsyslog \ rsyslog \
sasl2-bin \ sasl2-bin \
spamassassin \ spamassassin \
postgrey \
unzip \ unzip \
&& \ && \
curl -sk http://neuro.debian.net/lists/trusty.de-m.libre > /etc/apt/sources.list.d/neurodebian.sources.list && \ curl -sk http://neuro.debian.net/lists/trusty.de-m.libre > /etc/apt/sources.list.d/neurodebian.sources.list && \
@ -70,6 +71,13 @@ COPY target/postfix/ldap-users.cf target/postfix/ldap-groups.cf target/postfix/l
# Enables Spamassassin CRON updates # Enables Spamassassin CRON updates
RUN sed -i -r 's/^(CRON)=0/\1=1/g' /etc/default/spamassassin RUN sed -i -r 's/^(CRON)=0/\1=1/g' /etc/default/spamassassin
#Enables Postgrey
COPY target/postgrey/postgrey /etc/default/postgrey
COPY target/postgrey/postgrey.init /etc/init.d/postgrey
RUN chmod 755 /etc/init.d/postgrey
RUN mkdir /var/run/postgrey
RUN chown postgrey:postgrey /var/run/postgrey
# Enables Amavis # Enables Amavis
RUN sed -i -r 's/#(@| \\%)bypass/\1bypass/g' /etc/amavis/conf.d/15-content_filter_mode RUN sed -i -r 's/#(@| \\%)bypass/\1bypass/g' /etc/amavis/conf.d/15-content_filter_mode
RUN adduser clamav amavis && adduser amavis clamav RUN adduser clamav amavis && adduser amavis clamav

13
Makefile
View file

@ -119,6 +119,16 @@ run:
-e POSTFIX_DAGENT=lmtp:127.0.0.1:24 \ -e POSTFIX_DAGENT=lmtp:127.0.0.1:24 \
-h mail.my-domain.com -t $(NAME) -h mail.my-domain.com -t $(NAME)
sleep 30 sleep 30
docker run -d --name mail_with_postgrey \
-v "`pwd`/test/config":/tmp/docker-mailserver \
-v "`pwd`/test":/tmp/docker-mailserver-test \
-e ENABLE_POSTGREY=1 \
-e POSTGREY_DELAY=15 \
-e POSTGREY_MAX_AGE=35 \
-e POSTGREY_TEXT="Delayed by postgrey" \
-h mail.my-domain.com -t $(NAME)
sleep 20
fixtures: fixtures:
cp config/postfix-accounts.cf config/postfix-accounts.cf.bak cp config/postfix-accounts.cf config/postfix-accounts.cf.bak
@ -162,7 +172,8 @@ clean:
ldap_for_mail \ ldap_for_mail \
mail_with_ldap \ mail_with_ldap \
mail_with_imap \ mail_with_imap \
mail_lmtp_ip mail_lmtp_ip \
mail_with_postgrey
@if [ -f config/postfix-accounts.cf.bak ]; then\ @if [ -f config/postfix-accounts.cf.bak ]; then\
rm -f config/postfix-accounts.cf ;\ rm -f config/postfix-accounts.cf ;\

25
README.md
View file

@ -18,6 +18,7 @@ Includes:
- opendmarc - opendmarc
- fail2ban - fail2ban
- fetchmail - fetchmail
- postgrey
- basic [sieve support](https://github.com/tomav/docker-mailserver/wiki/Configure-Sieve-filters) using dovecot - basic [sieve support](https://github.com/tomav/docker-mailserver/wiki/Configure-Sieve-filters) using dovecot
- [LetsEncrypt](https://letsencrypt.org/) and self-signed certificates - [LetsEncrypt](https://letsencrypt.org/) and self-signed certificates
- persistent data and state (but think about backups!) - persistent data and state (but think about backups!)
@ -62,6 +63,7 @@ services:
- ENABLE_SPAMASSASSIN=1 - ENABLE_SPAMASSASSIN=1
- ENABLE_CLAMAV=1 - ENABLE_CLAMAV=1
- ENABLE_FAIL2BAN=1 - ENABLE_FAIL2BAN=1
- ENABLE_POSTGREY=1
- ONE_DIR=1 - ONE_DIR=1
- DMS_DEBUG=0 - DMS_DEBUG=0
cap_add: cap_add:
@ -211,6 +213,29 @@ Otherwise, `iptables` won't be able to ban IPs.
- **empty** => postmaster@domain.com - **empty** => postmaster@domain.com
- => Specify the postmaster address - => Specify the postmaster address
#### ENABLE_POSTGREY
- **0** => `postgrey` is disabled
- 1 => `postgrey` is enabled
##### POSTGREY_DELAY
- **300** => greylist for N seconds
Note: This postgrey setting needs `ENABLE_POSTGREY=1`
##### POSTGREY_MAX_AGE
- **35** => delete entries older than N days since the last time that they have been seen
Note: This postgrey setting needs `ENABLE_POSTGREY=1`
##### POSTGREY_TEXT
- **Delayed by postgrey** => response when a mail is greylisted
Note: This postgrey setting needs `ENABLE_POSTGREY=1`
##### ENABLE_SASLAUTHD ##### ENABLE_SASLAUTHD
- **0** => `saslauthd` is disabled - **0** => `saslauthd` is disabled

6
target/postgrey/postgrey Normal file
View file

@ -0,0 +1,6 @@
# you may want to set
# --delay=N how long to greylist, seconds (default: 300)
# --max-age=N delete old entries after N days (default: 35)
POSTGREY_OPTS="--inet=10023"

142
target/postgrey/postgrey.init Normal file
View file

@ -0,0 +1,142 @@
#!/bin/sh
#
# postgrey start/stop the postgrey greylisting deamon for postfix
# (priority should be smaller than that of postfix)
#
# Author: (c)2004-2006 Adrian von Bidder <avbidder@fortytwo.ch>
# Based on Debian sarge's 'skeleton' example
# Distribute and/or modify at will.
#
# Version: $Id: postgrey.init 1436 2006-12-07 07:15:03Z avbidder $
#
### BEGIN INIT INFO
# Provides: postgrey
# Required-Start: $syslog $local_fs $remote_fs
# Required-Stop: $syslog $local_fs $remote_fs
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Start/stop the postgrey daemon
### END INIT INFO
set -e
PATH=/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/usr/sbin/postgrey
DAEMON_NAME=postgrey
DESC="postfix greylisting daemon"
DAEMON_USER=postgrey
PIDFILE=/var/run/$DAEMON_NAME/$DAEMON_NAME.pid
SCRIPTNAME=/etc/init.d/$DAEMON_NAME
# Gracefully exit if the package has been removed.
test -x $DAEMON || exit 0
. /lib/lsb/init-functions
# Read config file if it is present.
if [ -r /etc/default/$DAEMON_NAME ]
then
. /etc/default/$DAEMON_NAME
fi
POSTGREY_OPTS="--pidfile=$PIDFILE --daemonize $POSTGREY_OPTS"
if [ -z "$POSTGREY_TEXT" ]; then
POSTGREY_TEXT_OPT=""
else
POSTGREY_TEXT_OPT="--greylist-text=$POSTGREY_TEXT"
fi
ret=0
do_start()
{
# Return
# 0 if daemon has been started
# 1 if daemon was already running
# 2 if daemon could not be started
start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
|| return 1
start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- \
$POSTGREY_OPTS "$POSTGREY_TEXT_OPT" \
|| return 2
}
do_stop()
{
# Return
# 0 if daemon has been stopped
# 1 if daemon was already stopped
# 2 if daemon could not be stopped
# other if a failure occurred
start-stop-daemon --user $DAEMON_USER --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE
RETVAL="$?"
[ "$RETVAL" = 2 ] && return 2
# Wait for children to finish too if this is a daemon that forks
# and if the daemon is only ever run from this initscript.
# If the above conditions are not satisfied then add some other code
# that waits for the process to drop all resources that could be
# needed by services started subsequently. A last resort is to
# sleep for some time.
start-stop-daemon --user $DAEMON_USER --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
[ "$?" = 2 ] && return 2
# Many daemons don't delete their pidfiles when they exit.
rm -f $PIDFILE
return "$RETVAL"
}
do_reload()
{
#
# If the daemon can reload its configuration without
# restarting (for example, when it is sent a SIGHUP),
# then implement that here.
#
start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE
return 0
}
case "$1" in
start)
[ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$DAEMON_NAME"
do_start
case "$?" in
0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
esac
;;
stop)
[ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$DAEMON_NAME"
do_stop
case "$?" in
0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
esac
;;
reload|force-reload)
[ "$VERBOSE" != no ] && log_daemon_msg "Reloading $DESC" "$DAEMON_NAME"
do_reload
case "$?" in
0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
esac
;;
restart)
do_stop
do_start
;;
status)
status_of_proc -p $PIDFILE $DAEMON "$DAEMON_NAME" 2>/dev/null
ret=$?
;;
*)
echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload|status}" >&2
exit 1
;;
esac
exit $ret

33
target/start-mailserver.sh
View file

@ -14,6 +14,10 @@ DEFAULT_VARS["ENABLE_FAIL2BAN"]="${ENABLE_FAIL2BAN:="0"}"
DEFAULT_VARS["ENABLE_MANAGESIEVE"]="${ENABLE_MANAGESIEVE:="0"}" DEFAULT_VARS["ENABLE_MANAGESIEVE"]="${ENABLE_MANAGESIEVE:="0"}"
DEFAULT_VARS["ENABLE_FETCHMAIL"]="${ENABLE_FETCHMAIL:="0"}" DEFAULT_VARS["ENABLE_FETCHMAIL"]="${ENABLE_FETCHMAIL:="0"}"
DEFAULT_VARS["ENABLE_LDAP"]="${ENABLE_LDAP:="0"}" DEFAULT_VARS["ENABLE_LDAP"]="${ENABLE_LDAP:="0"}"
DEFAULT_VARS["ENABLE_POSTGREY"]="${ENABLE_POSTGREY:="0"}"
DEFAULT_VARS["POSTGREY_DELAY"]="${POSTGREY_DELAY:="300"}"
DEFAULT_VARS["POSTGREY_MAX_AGE"]="${POSTGREY_MAX_AGE:="35"}"
DEFAULT_VARS["POSTGREY_TEXT"]="${POSTGREY_TEXT:="Delayed by postgrey"}"
DEFAULT_VARS["ENABLE_SASLAUTHD"]="${ENABLE_SASLAUTHD:="0"}" DEFAULT_VARS["ENABLE_SASLAUTHD"]="${ENABLE_SASLAUTHD:="0"}"
DEFAULT_VARS["SMTP_ONLY"]="${SMTP_ONLY:="0"}" DEFAULT_VARS["SMTP_ONLY"]="${SMTP_ONLY:="0"}"
DEFAULT_VARS["VIRUSMAILS_DELETE_DELAY"]="${VIRUSMAILS_DELETE_DELAY:="7"}" DEFAULT_VARS["VIRUSMAILS_DELETE_DELAY"]="${VIRUSMAILS_DELETE_DELAY:="7"}"
@ -90,6 +94,10 @@ function register_functions() {
_register_setup_function "_setup_postfix_sasl" _register_setup_function "_setup_postfix_sasl"
fi fi
if [ "$ENABLE_POSTGREY" = 1 ];then
_register_setup_function "_setup_postgrey"
fi
_register_setup_function "_setup_dkim" _register_setup_function "_setup_dkim"
_register_setup_function "_setup_ssl" _register_setup_function "_setup_ssl"
_register_setup_function "_setup_docker_permit" _register_setup_function "_setup_docker_permit"
@ -141,6 +149,12 @@ function register_functions() {
# needs to be started before saslauthd # needs to be started before saslauthd
_register_start_daemon "_start_daemons_opendkim" _register_start_daemon "_start_daemons_opendkim"
_register_start_daemon "_start_daemons_opendmarc" _register_start_daemon "_start_daemons_opendmarc"
#postfix uses postgrey, needs to be started before postfix
if [ "$ENABLE_POSTGREY" = 1 ]; then
_register_start_daemon "_start_daemons_postgrey"
fi
_register_start_daemon "_start_daemons_postfix" _register_start_daemon "_start_daemons_postfix"
if [ "$ENABLE_SASLAUTHD" = 1 ];then if [ "$ENABLE_SASLAUTHD" = 1 ];then
@ -160,6 +174,7 @@ function register_functions() {
_register_start_daemon "_start_daemons_clamav" _register_start_daemon "_start_daemons_clamav"
fi fi
_register_start_daemon "_start_daemons_amavis" _register_start_daemon "_start_daemons_amavis"
################### << daemon funcs ################### << daemon funcs
} }
@ -487,6 +502,18 @@ function _setup_ldap() {
return 0 return 0
} }
function _setup_postgrey() {
notify 'inf' "Configuring postgrey"
sed -i -e 's/bl.spamcop.net$/bl.spamcop.net, check_policy_service inet:127.0.0.1:10023/' /etc/postfix/main.cf
sed -i -e "s/\"--inet=10023\"/\"--inet=10023 --delay=$POSTGREY_DELAY --max-age=$POSTGREY_MAX_AGE\"/" /etc/default/postgrey
TEXT_FOUND=`grep -i "POSTGREY_TEXT" /etc/default/postgrey | wc -l`
if [ $TEXT_FOUND -eq 0 ]; then
printf "POSTGREY_TEXT=\"$POSTGREY_TEXT\"\n\n" >> /etc/default/postgrey
fi
}
function _setup_postfix_sasl() { function _setup_postfix_sasl() {
[ ! -f /etc/postfix/sasl/smtpd.conf ] && cat > /etc/postfix/sasl/smtpd.conf << EOF [ ! -f /etc/postfix/sasl/smtpd.conf ] && cat > /etc/postfix/sasl/smtpd.conf << EOF
pwcheck_method: saslauthd pwcheck_method: saslauthd
@ -1023,6 +1050,12 @@ function _start_daemons_clamav() {
display_startup_daemon "/etc/init.d/clamav-daemon start" display_startup_daemon "/etc/init.d/clamav-daemon start"
} }
function _start_daemons_postgrey() {
notify 'task' 'Starting postgrey' 'n'
display_startup_daemon "/etc/init.d/postgrey start"
}
function _start_daemons_amavis() { function _start_daemons_amavis() {
notify 'task' 'Starting amavis' 'n' notify 'task' 'Starting amavis' 'n'
display_startup_daemon "/etc/init.d/amavis start" display_startup_daemon "/etc/init.d/amavis start"

12
test/email-templates/postgrey.txt Normal file
View file

@ -0,0 +1,12 @@
HELO mail.external.tld
MAIL FROM: user@external.tld
RCPT TO: user1@localhost.localdomain
DATA
From: Docker Mail Server <dockermailserver@external.tld>
To: Existing Local User <user1@localhost.localdomain>
Date: Sat, 22 May 2010 07:43:25 -0400
Subject: Postgrey Test Message
This is a test mail.
.
QUIT

53
test/tests.bats
View file

@ -78,6 +78,59 @@ load 'test_helper/bats-assert/load'
assert_success assert_success
} }
#
# postgrey
#
@test "checking process: postgrey (disabled in default configuration)" {
run docker exec mail /bin/bash -c "ps aux --forest | grep -v grep | grep '/usr/sbin/postgrey'"
assert_failure
}
@test "checking postgrey: /etc/postfix/main.cf correctly edited" {
run docker exec mail_with_postgrey /bin/bash -c "grep 'bl.spamcop.net, check_policy_service inet:127.0.0.1:10023' /etc/postfix/main.cf | wc -l"
assert_success
assert_output 1
}
@test "checking postgrey: /etc/default/postgrey correctly edited and has the default values" {
run docker exec mail_with_postgrey /bin/bash -c "grep '^POSTGREY_OPTS=\"--inet=10023 --delay=15 --max-age=35\"$' /etc/default/postgrey | wc -l"
assert_success
assert_output 1
run docker exec mail_with_postgrey /bin/bash -c "grep '^POSTGREY_TEXT=\"Delayed by postgrey\"$' /etc/default/postgrey | wc -l"
assert_success
assert_output 1
}
@test "checking process: postgrey (postgrey server enabled)" {
run docker exec mail_with_postgrey /bin/bash -c "ps aux --forest | grep -v grep | grep '/usr/sbin/postgrey'"
assert_success
}
@test "checking postgrey: there should be a log entry about a new greylisted e-mail user@external.tld in /var/log/mail/mail.log" {
#editing the postfix config in order to ensure that postgrey handles the test e-mail. The other spam checks at smtpd_recipient_restrictionswould interfere with it.
run docker exec mail_with_postgrey /bin/sh -c "sed -ie 's/permit_sasl_authenticated.*reject_unauth_destination,$//g' /etc/postfix/main.cf"
run docker exec mail_with_postgrey /bin/sh -c "sed -ie 's/reject_unauth_pipelining.*reject_unknown_recipient_domain,$//g' /etc/postfix/main.cf"
run docker exec mail_with_postgrey /bin/sh -c "sed -ie 's/reject_rbl_client.*inet:127\.0\.0\.1:10023$//g' /etc/postfix/main.cf"
run docker exec mail_with_postgrey /bin/sh -c "sed -ie 's/smtpd_recipient_restrictions = /smtpd_recipient_restrictions = check_policy_service inet:127.0.0.1:10023/g' /etc/postfix/main.cf"
run docker exec mail_with_postgrey /bin/sh -c "/etc/init.d/postfix reload"
run docker exec mail_with_postgrey /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/postgrey.txt"
sleep 5 #ensure that the information has been written into the log
run docker exec mail_with_postgrey /bin/bash -c "grep -i 'action=greylist.*user@external\.tld' /var/log/mail/mail.log | wc -l"
assert_success
assert_output 1
}
@test "checking postgrey: there should be a log entry about the retried and passed e-mail user@external.tld in /var/log/mail/mail.log" {
sleep 20 #wait 20 seconds so that postgrey would accept the message
run docker exec mail_with_postgrey /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/postgrey.txt"
sleep 8
run docker exec mail_with_postgrey /bin/sh -c "grep -i 'action=pass, reason=triplet found.*user@external\.tld' /var/log/mail/mail.log | wc -l"
assert_success
assert_output 1
}
# #
# imap # imap
# #