Merge pull request #1384 from erik-wramner/debian-buster

Debian buster

Dockerfile

@@ -1,4 +1,4 @@
-FROM debian:stretch-slim
+FROM debian:buster-slim
 
 ARG VCS_REF
 ARG VCS_VERSION
@@ -29,11 +29,11 @@ SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
 # Packages
 # hadolint ignore=DL3015
-RUN echo "deb http://http.debian.net/debian stretch-backports main" | tee -a /etc/apt/sources.list.d/stretch-bp.list && \
+RUN \
   apt-get update -q --fix-missing && \
   apt-get -y install postfix && \
-  # TODO installing postfix with --no-install-recommends makes "checking ssl: generated default cert works correctly" fail
   apt-get -y install --no-install-recommends \
+    altermime \
     amavisd-new \
     apt-transport-https \
     arj \
@@ -56,6 +56,7 @@ RUN echo "deb http://http.debian.net/debian stretch-backports main" | tee -a /et
     iptables \
     locales \
     logwatch \
+    lhasa \
     libdate-manip-perl \
     liblz4-tool \
     libmail-spf-perl \
@@ -77,7 +78,8 @@ RUN echo "deb http://http.debian.net/debian stretch-backports main" | tee -a /et
     postsrsd \
     pyzor \
     razor \
-    ripole \
+    # TODO not present in buster?
+    #ripole \
     rpm2cpio \
     rsyslog \
     sasl2-bin \
@@ -88,14 +90,15 @@ RUN echo "deb http://http.debian.net/debian stretch-backports main" | tee -a /et
     unzip \
     whois \
     xz-utils \
-    zoo \
+    # TODO not present in buster?
-    && \
+    #zoo \
+    #&& \
   # use Dovecot community repo to react faster on security updates
-  curl https://repo.dovecot.org/DOVECOT-REPO-GPG | gpg --import && \
+  #curl https://repo.dovecot.org/DOVECOT-REPO-GPG | gpg --import && \
-  gpg --export ED409DA1 > /etc/apt/trusted.gpg.d/dovecot.gpg && \
+  #gpg --export ED409DA1 > /etc/apt/trusted.gpg.d/dovecot.gpg && \
-  echo "deb https://repo.dovecot.org/ce-2.3-latest/debian/stretch stretch main" > /etc/apt/sources.list.d/dovecot-community.list && \
+  #echo "deb https://repo.dovecot.org/ce-2.3-latest/debian/stretch stretch main" > /etc/apt/sources.list.d/dovecot-community.list && \
-  apt-get update -q --fix-missing && \
+  #apt-get update -q --fix-missing && \
-  apt-get -y install --no-install-recommends \
+  #apt-get -y install --no-install-recommends \
     dovecot-core \
     dovecot-imapd \
     dovecot-ldap \
@@ -117,15 +120,15 @@ RUN echo "deb http://http.debian.net/debian stretch-backports main" | tee -a /et
   rm -f /etc/cron.daily/00logwatch
 
 # install filebeat for logging
-RUN curl https://packages.elasticsearch.org/GPG-KEY-elasticsearch | apt-key add - && \
+# SKIP and run in an external container instead
-  echo "deb http://packages.elastic.co/beats/apt stable main" | tee -a /etc/apt/sources.list.d/beats.list && \
+#RUN curl https://packages.elasticsearch.org/GPG-KEY-elasticsearch | apt-key add - && \
-  apt-get update -q --fix-missing && \
+#  echo "deb http://packages.elastic.co/beats/apt stable main" | tee -a /etc/apt/sources.list.d/beats.list && \
-  apt-get -y install --no-install-recommends \
+#  apt-get update -q --fix-missing && \
-    filebeat \
+#  apt-get -y install --no-install-recommends \
-  && apt-get clean \
+#    filebeat \
-  && rm -rf /var/lib/apt/lists/*
+#  && apt-get clean \
-
+#  && rm -rf /var/lib/apt/lists/*
-COPY target/filebeat.yml.tmpl /etc/filebeat/filebeat.yml.tmpl
+#COPY target/filebeat.yml.tmpl /etc/filebeat/filebeat.yml.tmpl
 
 RUN echo "0 */6 * * * clamav /usr/bin/freshclam --quiet" > /etc/cron.d/clamav-freshclam && \
   chmod 644 /etc/clamav/freshclam.conf && \
@@ -189,7 +192,8 @@ RUN sed -i -r 's/#(@|   \\%)bypass/\1bypass/g' /etc/amavis/conf.d/15-content_fil
 # Configure Fail2ban
 COPY target/fail2ban/jail.conf /etc/fail2ban/jail.conf
 COPY target/fail2ban/filter.d/dovecot.conf /etc/fail2ban/filter.d/dovecot.conf
-RUN echo "ignoreregex =" >> /etc/fail2ban/filter.d/postfix-sasl.conf && mkdir /var/run/fail2ban
+COPY target/fail2ban/filter.d/postfix-sasl.conf /etc/fail2ban/filter.d/postfix-sasl.conf
+RUN mkdir /var/run/fail2ban
 
 # Enables Pyzor and Razor
 RUN su - amavis -c "razor-admin -create && \
@@ -251,6 +255,11 @@ COPY target/supervisor/conf.d/* /etc/supervisor/conf.d/
 
 WORKDIR /
 
+# Switch iptables and ip6tables to legacy for fail2ban
+RUN update-alternatives --set iptables /usr/sbin/iptables-legacy \
+ && update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
+
+
 EXPOSE 25 587 143 465 993 110 995 4190
 
 CMD ["supervisord", "-c", "/etc/supervisor/supervisord.conf"]

target/amavis/conf.d/49-docker-mailserver

@@ -0,0 +1,12 @@
+use strict;
+
+# Override options set in earlier files, use 50-user to override these
+
+# Bounce spam, the default option for buster is D_PASS to deliver
+$final_spam_destiny = D_BOUNCE;
+
+# Higher log level to get expected messages at startup
+$log_level = 2;
+
+#------------ Do not modify anything below this line -------------
+1;  # ensure a defined return

target/fail2ban/filter.d/postfix-sasl.conf

@@ -0,0 +1,19 @@
+# Fail2Ban filter for postfix authentication failures
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds]
+
+failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[ A-Za-z0-9+/:]*={0,2})?\s*$
+
+ignoreregex = authentication failed: Connection lost to authentication server$
+
+[Init]
+
+journalmatch = _SYSTEMD_UNIT=postfix.service
+
+ignoreregex =

target/filebeat.yml.tmpl

@@ -1,13 +0,0 @@
-output:
-  logstash:
-    enabled: true
-    hosts:
-      - $ELK_HOST:$ELK_PORT
-
-filebeat:
-  prospectors:
-    -
-      paths:
-        - /var/log/mail/mail.log
-      document_type: syslog
-

target/supervisor/conf.d/supervisor-app.conf

@@ -65,14 +65,6 @@ stdout_logfile=/var/log/supervisor/%(program_name)s.log
 stderr_logfile=/var/log/supervisor/%(program_name)s.log
 command=/usr/sbin/dovecot -F -c /etc/dovecot/dovecot.conf
 
-[program:filebeat]
-startsecs=0
-autostart=false
-autorestart=true
-stdout_logfile=/var/log/supervisor/%(program_name)s.log
-stderr_logfile=/var/log/supervisor/%(program_name)s.log
-command=/usr/bin/filebeat -c /etc/filebeat/filebeat.yml
-
 [program:clamav]
 startsecs=0
 autostart=false

test/tests.bats

@@ -217,10 +217,8 @@ function count_processed_changes() {
 }
 
 @test "checking smtp: delivers mail to existing account" {
-  #run docker exec mail /bin/sh -c "grep 'postfix/lmtp' /var/log/mail/mail.log | grep 'status=sent' | grep ' Saved)' | sed 's/.* to=</</g' | sed 's/, relay.*//g' | sort | uniq -c | tr -s \" \" | tr '\n' ';'"
   run docker exec mail /bin/sh -c "grep 'postfix/lmtp' /var/log/mail/mail.log | grep 'status=sent' | grep ' Saved)' | sed 's/.* to=</</g' | sed 's/, relay.*//g' | sort | uniq -c | tr -s \" \""
   assert_success
-  #assert_output " 1 <added@localhost.localdomain>; 6 <user1@localhost.localdomain>; 1 <user1@localhost.localdomain>, orig_to=<postmaster@my-domain.com>; 1 <user1@localhost.localdomain>, orig_to=<root>; 1 <user1~test@localhost.localdomain>; 2 <user2@otherdomain.tld>;"
   cat <<'EOF' | assert_output
  1 <added@localhost.localdomain>
  6 <user1@localhost.localdomain>
@@ -284,7 +282,7 @@ EOF
 }
 
 @test "checking smtp: redirects mail to external aliases" {
-  run docker exec mail /bin/sh -c "grep -- '-> <external1@otherdomain.tld>' /var/log/mail/mail.log | wc -l"
+  run docker exec mail /bin/sh -c "grep -- '-> <external1@otherdomain.tld>' /var/log/mail/mail.log* | grep RelayedInbound | wc -l"
   assert_success
   assert_output 2
 }
@@ -785,9 +783,37 @@ EOF
 }
 
 @test "checking system: amavis decoders installed and available" {
-  run docker exec mail /bin/sh -c "grep -E '.*(Internal decoder|Found decoder) for\s+\..*' /var/log/mail/mail.log|grep -Eo '(mail|Z|gz|bz2|xz|lzma|lrz|lzo|lz4|rpm|cpio|tar|deb|rar|arj|arc|zoo|doc|cab|tnef|zip|kmz|7z|jar|swf|lha|iso|exe)' | sort | uniq | tr '\n' ';'"
+  run docker exec mail /bin/sh -c "grep -E '.*(Internal decoder|Found decoder) for\s+\..*' /var/log/mail/mail.log*|grep -Eo '(mail|Z|gz|bz2|xz|lzma|lrz|lzo|lz4|rpm|cpio|tar|deb|rar|arj|arc|zoo|doc|cab|tnef|zip|kmz|7z|jar|swf|lha|iso|exe)' | sort | uniq"
   assert_success
-  assert_output "7z;Z;arc;arj;bz2;cab;cpio;deb;doc;exe;gz;iso;jar;kmz;lha;lrz;lz4;lzma;lzo;mail;rar;rpm;swf;tar;tnef;xz;zip;zoo;"
+  # Support for doc and zoo removed in buster
+  cat <<'EOF' | assert_output
+7z
+Z
+arc
+arj
+bz2
+cab
+cpio
+deb
+exe
+gz
+iso
+jar
+kmz
+lha
+lrz
+lz4
+lzma
+lzo
+mail
+rar
+rpm
+swf
+tar
+tnef
+xz
+zip
+EOF
 }
 
 
@@ -1307,6 +1333,6 @@ EOF
 #
 
 @test "checking that the container stops cleanly" {
-  run docker stop -t 60 mail
+  run docker stop -t 60 mail_override_hostname
   assert_success
 }