diff --git a/Makefile b/Makefile index a8e7b8a8..a8022d1c 100644 --- a/Makefile +++ b/Makefile @@ -22,6 +22,8 @@ run: -v "`pwd`/test/config":/tmp/docker-mailserver \ -v "`pwd`/test":/tmp/docker-mailserver-test \ -v "`pwd`/test/onedir":/var/mail-state \ + -e ENABLE_CLAMAV=1 \ + -e ENABLE_SPAMASSASSIN=1 \ -e SA_TAG=1.0 \ -e SA_TAG2=2.0 \ -e SA_KILL=3.0 \ @@ -31,7 +33,7 @@ run: -e PERMIT_DOCKER=host \ -e DMS_DEBUG=0 \ -h mail.my-domain.com -t $(NAME) - sleep 20 + sleep 15 docker run -d --name mail_pop3 \ -v "`pwd`/test/config":/tmp/docker-mailserver \ -v "`pwd`/test":/tmp/docker-mailserver-test \ @@ -40,40 +42,35 @@ run: -e DMS_DEBUG=1 \ -e SSL_TYPE=letsencrypt \ -h mail.my-domain.com -t $(NAME) - sleep 20 + sleep 15 docker run -d --name mail_smtponly \ -v "`pwd`/test/config":/tmp/docker-mailserver \ -v "`pwd`/test":/tmp/docker-mailserver-test \ -e SMTP_ONLY=1 \ -e PERMIT_DOCKER=network\ -h mail.my-domain.com -t $(NAME) - sleep 20 + sleep 15 docker run -d --name mail_fail2ban \ -v "`pwd`/test/config":/tmp/docker-mailserver \ -v "`pwd`/test":/tmp/docker-mailserver-test \ -e ENABLE_FAIL2BAN=1 \ --cap-add=NET_ADMIN \ -h mail.my-domain.com -t $(NAME) - sleep 20 + sleep 15 docker run -d --name mail_fetchmail \ -v "`pwd`/test/config":/tmp/docker-mailserver \ -v "`pwd`/test":/tmp/docker-mailserver-test \ -e ENABLE_FETCHMAIL=1 \ --cap-add=NET_ADMIN \ -h mail.my-domain.com -t $(NAME) - sleep 20 - docker run -d --name mail_disabled_amavis \ + sleep 15 + docker run -d --name mail_disabled_clamav_spamassassin \ -v "`pwd`/test/config":/tmp/docker-mailserver \ -v "`pwd`/test":/tmp/docker-mailserver-test \ - -e DISABLE_AMAVIS=1 \ + -e ENABLE_CLAMAV=0 \ + -e ENABLE_SPAMASSASSIN=0 \ -h mail.my-domain.com -t $(NAME) - sleep 20 - docker run -d --name mail_disabled_clamav \ - -v "`pwd`/test/config":/tmp/docker-mailserver \ - -v "`pwd`/test":/tmp/docker-mailserver-test \ - -e DISABLE_CLAMAV=1 \ - -h mail.my-domain.com -t $(NAME) - sleep 20 + sleep 15 docker run -d --name mail_manual_ssl \ -v "`pwd`/test/config":/tmp/docker-mailserver \ -v "`pwd`/test":/tmp/docker-mailserver-test \ @@ -81,11 +78,11 @@ run: -e SSL_CERT_PATH=/tmp/docker-mailserver/letsencrypt/mail.my-domain.com/fullchain.pem \ -e SSL_KEY_PATH=/tmp/docker-mailserver/letsencrypt/mail.my-domain.com/privkey.pem \ -h mail.my-domain.com -t $(NAME) - sleep 20 + sleep 15 docker run -d --name ldap_for_mail \ -e LDAP_DOMAIN="localhost.localdomain" \ -h mail.my-domain.com -t ldap - sleep 20 + sleep 15 docker run -d --name mail_with_ldap \ -v "`pwd`/test/config":/tmp/docker-mailserver \ -v "`pwd`/test":/tmp/docker-mailserver-test \ @@ -103,7 +100,7 @@ run: --link ldap_for_mail:ldap \ -h mail.my-domain.com -t $(NAME) # Wait for containers to fully start - sleep 20 + sleep 15 fixtures: cp config/postfix-accounts.cf config/postfix-accounts.cf.bak @@ -123,7 +120,7 @@ fixtures: docker exec mail /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/existing-catchall-local.txt" docker exec mail /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/sieve-spam-folder.txt" docker exec mail /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/non-existing-user.txt" - docker exec mail_disabled_clamav /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/existing-user.txt" + docker exec mail_disabled_clamav_spamassassin /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/existing-user.txt" # Wait for mails to be analyzed sleep 10 @@ -140,8 +137,7 @@ clean: mail_fail2ban \ mail_fetchmail \ fail-auth-mailer \ - mail_disabled_amavis \ - mail_disabled_clamav \ + mail_disabled_clamav_spamassassin \ mail_manual_ssl \ ldap_for_mail \ mail_with_ldap diff --git a/README.md b/README.md index f8a48c3b..1788669e 100644 --- a/README.md +++ b/README.md @@ -20,6 +20,7 @@ Includes: - fetchmail - basic [sieve support](https://github.com/tomav/docker-mailserver/wiki/Configure-Sieve-filters) using dovecot - [LetsEncrypt](https://letsencrypt.org/) and self-signed certificates +- persistent data and state (but think about backups!) - [integration tests](https://travis-ci.org/tomav/docker-mailserver) - [automated builds on docker hub](https://hub.docker.com/r/tvial/docker-mailserver/) @@ -42,23 +43,33 @@ version: '2' services: mail: - image: tvial/docker-mailserver:latest - # build: . + image: tvial/docker-mailserver:v2.1 hostname: mail domainname: domain.com container_name: mail ports: - - "25:25" - - "143:143" - - "587:587" - - "993:993" + - "25:25" + - "143:143" + - "587:587" + - "993:993" volumes: - - maildata:/var/mail - - ./config/:/tmp/docker-mailserver/ + - maildata:/var/mail + - mailstate:/var/mail-state + - ./config/:/tmp/docker-mailserver/ + environment: + - ENABLE_SPAMASSASSIN=1 + - ENABLE_CLAMAV=1 + - ENABLE_FAIL2BAN=1 + - ONE_DIR=1 + - DMS_DEBUG=0 + cap_add: + - NET_ADMIN volumes: maildata: driver: local + mailstate: + driver: local ``` #### Create your mail accounts @@ -95,9 +106,37 @@ Value in **bold** is the default value. ##### DMS_DEBUG - - **empty** (0) => Debug disabled + - **0** => Debug disabled - 1 => Enables debug on startup +#### ENABLE_CLAMAV + + - **0** => Clamav is disabled + - 1 => Clamav is enabled + +#### ENABLE_SPAMASSASSIN + + - **0** => Spamassassin is disabled + - 1 => Spamassassin is enabled + +##### SA_TAG + + - **2.0** => add spam info headers if at, or above that level + +Note: this spamassassin setting needs `ENABLE_SPAMASSASSIN=1` + +##### SA_TAG2 + + - **6.31** => add 'spam detected' headers at that level + +Note: this spamassassin setting needs `ENABLE_SPAMASSASSIN=1` + +##### SA_KILL + + - **6.31** => triggers spam evasive actions + +Note: this spamassassin setting needs `ENABLE_SPAMASSASSIN=1` + ##### ENABLE_POP3 - **empty** => POP3 service disabled @@ -105,7 +144,7 @@ Value in **bold** is the default value. ##### ENABLE_FAIL2BAN - - **empty** => fail2ban service disabled + - **0** => fail2ban service disabled - 1 => Enables fail2ban service If you enable Fail2Ban, don't forget to add the following lines to your `docker-compose.yml`: @@ -121,7 +160,7 @@ Otherwise, `iptables` won't be able to ban IPs. - 1 => Enables Managesieve on port 4190 ##### ENABLE_FETCHMAIL - - **empty** => `fetchmail` disabled + - **0** => `fetchmail` disabled - 1 => `fetchmail` enabled ##### ENABLE_LDAP @@ -158,21 +197,9 @@ Otherwise, `iptables` won't be able to ban IPs. - **empty** => postmaster@domain.com - => Specify the postmaster address -##### SA_TAG - - - **2.0** => add spam info headers if at, or above that level - -##### SA_TAG2 - - - **6.31** => add 'spam detected' headers at that level - -##### SA_KILL - - - **6.31** => triggers spam evasive actions - ##### ENABLE_SASLAUTHD - - **empty** => `saslauthd` is disabled + - **0** => `saslauthd` is disabled - 1 => `saslauthd` is enabled ##### SASLAUTHD_MECHANISMS diff --git a/docker-compose.yml.dist b/docker-compose.yml.dist index 4eb13770..0666438a 100644 --- a/docker-compose.yml.dist +++ b/docker-compose.yml.dist @@ -2,7 +2,7 @@ version: '2' services: mail: - image: tvial/docker-mailserver:v2 + image: tvial/docker-mailserver:v2.1 hostname: mail domainname: domain.com container_name: mail @@ -13,12 +13,19 @@ services: - "993:993" volumes: - maildata:/var/mail + - mailstate:/var/mail-state - ./config/:/tmp/docker-mailserver/ environment: + - ENABLE_SPAMASSASSIN=1 + - ENABLE_CLAMAV=1 - ENABLE_FAIL2BAN=1 + - ONE_DIR=1 + - DMS_DEBUG=0 cap_add: - NET_ADMIN volumes: maildata: driver: local + mailstate: + driver: local diff --git a/target/start-mailserver.sh b/target/start-mailserver.sh index df24bb1c..cb7afb49 100644 --- a/target/start-mailserver.sh +++ b/target/start-mailserver.sh @@ -7,6 +7,13 @@ # Example: DEFAULT_VARS["KEY"]="VALUE" ########################################################################## declare -A DEFAULT_VARS +DEFAULT_VARS["ENABLE_CLAMAV"]="${ENABLE_CLAMAV:="0"}" +DEFAULT_VARS["ENABLE_SPAMASSASSIN"]="${ENABLE_SPAMASSASSIN:="0"}" +DEFAULT_VARS["ENABLE_FAIL2BAN"]="${ENABLE_FAIL2BAN:="0"}" +DEFAULT_VARS["ENABLE_MANAGESIEVE"]="${ENABLE_MANAGESIEVE:="0"}" +DEFAULT_VARS["ENABLE_FETCHMAIL"]="${ENABLE_FETCHMAIL:="0"}" +DEFAULT_VARS["ENABLE_LDAP"]="${ENABLE_LDAP:="0"}" +DEFAULT_VARS["ENABLE_SASLAUTHD"]="${ENABLE_SASLAUTHD:="0"}" DEFAULT_VARS["VIRUSMAILS_DELETE_DELAY"]="${VIRUSMAILS_DELETE_DELAY:="7"}" DEFAULT_VARS["DMS_DEBUG"]="${DMS_DEBUG:="0"}" ########################################################################## @@ -127,13 +134,11 @@ function register_functions() { _register_start_daemon "_start_daemons_fetchmail" fi - if ! [ "$DISABLE_CLAMAV" = 1 ]; then + if [ "$ENABLE_CLAMAV" = 1 ]; then _register_start_daemon "_start_daemons_clamav" fi - if ! [ "$DISABLE_AMAVIS" = 1 ]; then - _register_start_daemon "_start_daemons_amavis" - fi + _register_start_daemon "_start_daemons_amavis" ################### << daemon funcs } ########################################################################## @@ -738,25 +743,35 @@ function _setup_postfix_relay_amazon_ses() { function _setup_security_stack() { notify 'task' "Setting up Security Stack" - notify 'inf' "Configuring Spamassassin" - SA_TAG=${SA_TAG:="2.0"} && sed -i -r 's/^\$sa_tag_level_deflt (.*);/\$sa_tag_level_deflt = '$SA_TAG';/g' /etc/amavis/conf.d/20-debian_defaults - SA_TAG2=${SA_TAG2:="6.31"} && sed -i -r 's/^\$sa_tag2_level_deflt (.*);/\$sa_tag2_level_deflt = '$SA_TAG2';/g' /etc/amavis/conf.d/20-debian_defaults - SA_KILL=${SA_KILL:="6.31"} && sed -i -r 's/^\$sa_kill_level_deflt (.*);/\$sa_kill_level_deflt = '$SA_KILL';/g' /etc/amavis/conf.d/20-debian_defaults - test -e /tmp/docker-mailserver/spamassassin-rules.cf && cp /tmp/docker-mailserver/spamassassin-rules.cf /etc/spamassassin/ + # recreate auto-generated file + dms_amavis_file="/etc/amavis/conf.d/51-dms_auto_generated" + echo "# WARNING: this file is auto-generated." > $dms_amavis_file + echo "use strict;" >> $dms_amavis_file - if [ "$DISABLE_CLAMAV" = 1 ]; then - notify 'inf' "Disabling clamav" - cat > /etc/amavis/conf.d/50-user-security <<- EOM -use strict; -@bypass_virus_checks_maps = (); -$undecipherable_subject_tag = undef; -1; - EOM - else - notify 'inf' "Enabling clamav" - echo "" > /etc/amavis/conf.d/50-user-security + # Spamassassin + if [ "$ENABLE_SPAMASSASSIN" = 0 ]; then + notify 'warn' "Spamassassin is disabled. You can enable it with 'ENABLE_SPAMASSASSIN=1'" + echo "@bypass_spam_checks_maps = (1);" >> $dms_amavis_file + elif [ "$ENABLE_SPAMASSASSIN" = 1 ]; then + notify 'inf' "Enabling and configuring spamassassin" + SA_TAG=${SA_TAG:="2.0"} && sed -i -r 's/^\$sa_tag_level_deflt (.*);/\$sa_tag_level_deflt = '$SA_TAG';/g' /etc/amavis/conf.d/20-debian_defaults + SA_TAG2=${SA_TAG2:="6.31"} && sed -i -r 's/^\$sa_tag2_level_deflt (.*);/\$sa_tag2_level_deflt = '$SA_TAG2';/g' /etc/amavis/conf.d/20-debian_defaults + SA_KILL=${SA_KILL:="6.31"} && sed -i -r 's/^\$sa_kill_level_deflt (.*);/\$sa_kill_level_deflt = '$SA_KILL';/g' /etc/amavis/conf.d/20-debian_defaults + test -e /tmp/docker-mailserver/spamassassin-rules.cf && cp /tmp/docker-mailserver/spamassassin-rules.cf /etc/spamassassin/ fi + # Clamav + if [ "$ENABLE_CLAMAV" = 0 ]; then + notify 'warn' "Clamav is disabled. You can enable it with 'ENABLE_CLAMAV=1'" + echo "@bypass_virus_checks_maps = (1);" >> $dms_amavis_file + elif [ "$ENABLE_CLAMAV" = 1 ]; then + notify 'inf' "Enabling clamav" + fi + + echo "1; # ensure a defined return" >> $dms_amavis_file + + + # Fail2ban if [ "$ENABLE_FAIL2BAN" = 1 ]; then notify 'inf' "Fail2ban enabled" test -e /tmp/docker-mailserver/fail2ban-jail.cf && cp /tmp/docker-mailserver/fail2ban-jail.cf /etc/fail2ban/jail.local diff --git a/test/tests.bats b/test/tests.bats index 1e3879c5..c9cd111a 100644 --- a/test/tests.bats +++ b/test/tests.bats @@ -56,13 +56,8 @@ [ "$status" -eq 0 ] } -@test "checking process: amavis (amavis disabled by DISABLE_AMAVIS)" { - run docker exec mail_disabled_amavis /bin/bash -c "ps aux --forest | grep -v grep | grep '/usr/sbin/amavisd-new'" - [ "$status" -eq 1 ] -} - -@test "checking process: clamav (clamav disabled by DISABLE_CLAMAV)" { - run docker exec mail_disabled_clamav /bin/bash -c "ps aux --forest | grep -v grep | grep '/usr/sbin/clamd'" +@test "checking process: clamav (clamav disabled by ENABLED_CLAMAV=0)" { + run docker exec mail_disabled_clamav_spamassassin /bin/bash -c "ps aux --forest | grep -v grep | grep '/usr/sbin/clamd'" [ "$status" -eq 1 ] } @@ -274,6 +269,16 @@ # spamassassin # +@test "checking spamassassin: should be listed in amavis when enabled" { + run docker exec mail /bin/sh -c "grep -i 'ANTI-SPAM-SA code' /var/log/mail/mail.log | grep 'NOT loaded'" + [ "$status" -eq 1 ] +} + +@test "checking spamassassin: should not be listed in amavis when disabled" { + run docker exec mail_disabled_clamav_spamassassin /bin/sh -c "grep -i 'ANTI-SPAM-SA code' /var/log/mail/mail.log | grep 'NOT loaded'" + [ "$status" -eq 0 ] +} + @test "checking spamassassin: docker env variables are set correctly (default)" { run docker exec mail_pop3 /bin/sh -c "grep '\$sa_tag_level_deflt' /etc/amavis/conf.d/20-debian_defaults | grep '= 2.0'" [ "$status" -eq 0 ] @@ -302,12 +307,12 @@ } @test "checking clamav: should not be listed in amavis when disabled" { - run docker exec mail_disabled_clamav grep -i 'Found secondary av scanner ClamAV-clamscan' /var/log/mail/mail.log + run docker exec mail_disabled_clamav_spamassassin grep -i 'Found secondary av scanner ClamAV-clamscan' /var/log/mail/mail.log [ "$status" -eq 1 ] } @test "checking clamav: should not be called when disabled" { - run docker exec mail_disabled_clamav grep -i 'connect to /var/run/clamav/clamd.ctl failed' /var/log/mail/mail.log + run docker exec mail_disabled_clamav_spamassassin grep -i 'connect to /var/run/clamav/clamd.ctl failed' /var/log/mail/mail.log [ "$status" -eq 1 ] }