BREAKING CHANGES: (#432)

* Removed DISABLE_AMAVIS
* Renamed DISABLE_* to ENABLE_* with 0 as default value (enabling a feature must now be explicit).
* Added missing tests for ENABLE_*
* Improved readme and docker-compose example

Should fix #256 and #386
This commit is contained in:
Thomas VIAL 2016-12-25 22:54:37 +01:00 committed by GitHub
parent ae9eaae68e
commit df752280e0
5 changed files with 124 additions and 74 deletions


@ -22,6 +22,8 @@ run:
-v "`pwd`/test/config":/tmp/docker-mailserver \ -v "`pwd`/test/config":/tmp/docker-mailserver \
-v "`pwd`/test":/tmp/docker-mailserver-test \ -v "`pwd`/test":/tmp/docker-mailserver-test \
-v "`pwd`/test/onedir":/var/mail-state \ -v "`pwd`/test/onedir":/var/mail-state \
-e ENABLE_CLAMAV=1 \
-e ENABLE_SPAMASSASSIN=1 \
-e SA_TAG=1.0 \ -e SA_TAG=1.0 \
-e SA_TAG2=2.0 \ -e SA_TAG2=2.0 \
-e SA_KILL=3.0 \ -e SA_KILL=3.0 \
@ -31,7 +33,7 @@ run:
-e PERMIT_DOCKER=host \ -e PERMIT_DOCKER=host \
-e DMS_DEBUG=0 \ -e DMS_DEBUG=0 \
-h mail.my-domain.com -t $(NAME) -h mail.my-domain.com -t $(NAME)
sleep 20 sleep 15
docker run -d --name mail_pop3 \ docker run -d --name mail_pop3 \
-v "`pwd`/test/config":/tmp/docker-mailserver \ -v "`pwd`/test/config":/tmp/docker-mailserver \
-v "`pwd`/test":/tmp/docker-mailserver-test \ -v "`pwd`/test":/tmp/docker-mailserver-test \
@ -40,40 +42,35 @@ run:
-e DMS_DEBUG=1 \ -e DMS_DEBUG=1 \
-e SSL_TYPE=letsencrypt \ -e SSL_TYPE=letsencrypt \
-h mail.my-domain.com -t $(NAME) -h mail.my-domain.com -t $(NAME)
sleep 20 sleep 15
docker run -d --name mail_smtponly \ docker run -d --name mail_smtponly \
-v "`pwd`/test/config":/tmp/docker-mailserver \ -v "`pwd`/test/config":/tmp/docker-mailserver \
-v "`pwd`/test":/tmp/docker-mailserver-test \ -v "`pwd`/test":/tmp/docker-mailserver-test \
-e SMTP_ONLY=1 \ -e SMTP_ONLY=1 \
-e PERMIT_DOCKER=network\ -e PERMIT_DOCKER=network\
-h mail.my-domain.com -t $(NAME) -h mail.my-domain.com -t $(NAME)
sleep 20 sleep 15
docker run -d --name mail_fail2ban \ docker run -d --name mail_fail2ban \
-v "`pwd`/test/config":/tmp/docker-mailserver \ -v "`pwd`/test/config":/tmp/docker-mailserver \
-v "`pwd`/test":/tmp/docker-mailserver-test \ -v "`pwd`/test":/tmp/docker-mailserver-test \
-e ENABLE_FAIL2BAN=1 \ -e ENABLE_FAIL2BAN=1 \
--cap-add=NET_ADMIN \ --cap-add=NET_ADMIN \
-h mail.my-domain.com -t $(NAME) -h mail.my-domain.com -t $(NAME)
sleep 20 sleep 15
docker run -d --name mail_fetchmail \ docker run -d --name mail_fetchmail \
-v "`pwd`/test/config":/tmp/docker-mailserver \ -v "`pwd`/test/config":/tmp/docker-mailserver \
-v "`pwd`/test":/tmp/docker-mailserver-test \ -v "`pwd`/test":/tmp/docker-mailserver-test \
-e ENABLE_FETCHMAIL=1 \ -e ENABLE_FETCHMAIL=1 \
--cap-add=NET_ADMIN \ --cap-add=NET_ADMIN \
-h mail.my-domain.com -t $(NAME) -h mail.my-domain.com -t $(NAME)
sleep 20 sleep 15
docker run -d --name mail_disabled_amavis \ docker run -d --name mail_disabled_clamav_spamassassin \
-v "`pwd`/test/config":/tmp/docker-mailserver \ -v "`pwd`/test/config":/tmp/docker-mailserver \
-v "`pwd`/test":/tmp/docker-mailserver-test \ -v "`pwd`/test":/tmp/docker-mailserver-test \
-e DISABLE_AMAVIS=1 \ -e ENABLE_CLAMAV=0 \
-e ENABLE_SPAMASSASSIN=0 \
-h mail.my-domain.com -t $(NAME) -h mail.my-domain.com -t $(NAME)
sleep 20 sleep 15
docker run -d --name mail_disabled_clamav \
-v "`pwd`/test/config":/tmp/docker-mailserver \
-v "`pwd`/test":/tmp/docker-mailserver-test \
-e DISABLE_CLAMAV=1 \
-h mail.my-domain.com -t $(NAME)
sleep 20
docker run -d --name mail_manual_ssl \ docker run -d --name mail_manual_ssl \
-v "`pwd`/test/config":/tmp/docker-mailserver \ -v "`pwd`/test/config":/tmp/docker-mailserver \
-v "`pwd`/test":/tmp/docker-mailserver-test \ -v "`pwd`/test":/tmp/docker-mailserver-test \
@ -81,11 +78,11 @@ run:
-e SSL_CERT_PATH=/tmp/docker-mailserver/letsencrypt/mail.my-domain.com/fullchain.pem \ -e SSL_CERT_PATH=/tmp/docker-mailserver/letsencrypt/mail.my-domain.com/fullchain.pem \
-e SSL_KEY_PATH=/tmp/docker-mailserver/letsencrypt/mail.my-domain.com/privkey.pem \ -e SSL_KEY_PATH=/tmp/docker-mailserver/letsencrypt/mail.my-domain.com/privkey.pem \
-h mail.my-domain.com -t $(NAME) -h mail.my-domain.com -t $(NAME)
sleep 20 sleep 15
docker run -d --name ldap_for_mail \ docker run -d --name ldap_for_mail \
-e LDAP_DOMAIN="localhost.localdomain" \ -e LDAP_DOMAIN="localhost.localdomain" \
-h mail.my-domain.com -t ldap -h mail.my-domain.com -t ldap
sleep 20 sleep 15
docker run -d --name mail_with_ldap \ docker run -d --name mail_with_ldap \
-v "`pwd`/test/config":/tmp/docker-mailserver \ -v "`pwd`/test/config":/tmp/docker-mailserver \
-v "`pwd`/test":/tmp/docker-mailserver-test \ -v "`pwd`/test":/tmp/docker-mailserver-test \
@ -103,7 +100,7 @@ run:
--link ldap_for_mail:ldap \ --link ldap_for_mail:ldap \
-h mail.my-domain.com -t $(NAME) -h mail.my-domain.com -t $(NAME)
# Wait for containers to fully start # Wait for containers to fully start
sleep 20 sleep 15
fixtures: fixtures:
cp config/postfix-accounts.cf config/postfix-accounts.cf.bak cp config/postfix-accounts.cf config/postfix-accounts.cf.bak
@ -123,7 +120,7 @@ fixtures:
docker exec mail /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/existing-catchall-local.txt" docker exec mail /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/existing-catchall-local.txt"
docker exec mail /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/sieve-spam-folder.txt" docker exec mail /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/sieve-spam-folder.txt"
docker exec mail /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/non-existing-user.txt" docker exec mail /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/non-existing-user.txt"
docker exec mail_disabled_clamav /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/existing-user.txt" docker exec mail_disabled_clamav_spamassassin /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/existing-user.txt"
# Wait for mails to be analyzed # Wait for mails to be analyzed
sleep 10 sleep 10
@ -140,8 +137,7 @@ clean:
mail_fail2ban \ mail_fail2ban \
mail_fetchmail \ mail_fetchmail \
fail-auth-mailer \ fail-auth-mailer \
mail_disabled_amavis \ mail_disabled_clamav_spamassassin \
mail_disabled_clamav \
mail_manual_ssl \ mail_manual_ssl \
ldap_for_mail \ ldap_for_mail \
mail_with_ldap mail_with_ldap
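Review bot: Every inter-container wait drops from `sleep 20` to `sleep 15` in the same commit that switches the `mail` container to ENABLE_CLAMAV=1 and ENABLE_SPAMASSASSIN=1, so the fixtures that pipe templates into port 25 and the bats tests that read mail.log may now race a slower startup (clamd loading its signature database in particular). A fixed sleep is a brittle synchronisation primitive either way; polling for readiness, e.g. `until docker exec mail /bin/sh -c "nc -z 0.0.0.0 25"; do sleep 1; done` (if the image's nc supports `-z`), would make the suite both faster and deterministic. The `run` target continues outside the hunks shown.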


@ -20,6 +20,7 @@ Includes:
- fetchmail - fetchmail
- basic [sieve support](https://github.com/tomav/docker-mailserver/wiki/Configure-Sieve-filters) using dovecot - basic [sieve support](https://github.com/tomav/docker-mailserver/wiki/Configure-Sieve-filters) using dovecot
- [LetsEncrypt](https://letsencrypt.org/) and self-signed certificates - [LetsEncrypt](https://letsencrypt.org/) and self-signed certificates
- persistent data and state (but think about backups!)
- [integration tests](https://travis-ci.org/tomav/docker-mailserver) - [integration tests](https://travis-ci.org/tomav/docker-mailserver)
- [automated builds on docker hub](https://hub.docker.com/r/tvial/docker-mailserver/) - [automated builds on docker hub](https://hub.docker.com/r/tvial/docker-mailserver/)
@ -42,8 +43,7 @@ version: '2'
services: services:
mail: mail:
image: tvial/docker-mailserver:latest image: tvial/docker-mailserver:v2.1
# build: .
hostname: mail hostname: mail
domainname: domain.com domainname: domain.com
container_name: mail container_name: mail
@ -54,11 +54,22 @@ services:
- "993:993" - "993:993"
volumes: volumes:
- maildata:/var/mail - maildata:/var/mail
- mailstate:/var/mail-state
- ./config/:/tmp/docker-mailserver/ - ./config/:/tmp/docker-mailserver/
environment:
- ENABLE_SPAMASSASSIN=1
- ENABLE_CLAMAV=1
- ENABLE_FAIL2BAN=1
- ONE_DIR=1
- DMS_DEBUG=0
cap_add:
- NET_ADMIN
volumes: volumes:
maildata: maildata:
driver: local driver: local
mailstate:
driver: local
``` ```
#### Create your mail accounts #### Create your mail accounts
@ -95,9 +106,37 @@ Value in **bold** is the default value.
##### DMS_DEBUG ##### DMS_DEBUG
- **empty** (0) => Debug disabled - **0** => Debug disabled
- 1 => Enables debug on startup - 1 => Enables debug on startup
#### ENABLE_CLAMAV
- **0** => Clamav is disabled
- 1 => Clamav is enabled
#### ENABLE_SPAMASSASSIN
- **0** => Spamassassin is disabled
- 1 => Spamassassin is enabled
##### SA_TAG
- **2.0** => add spam info headers if at, or above that level
Note: this spamassassin setting needs `ENABLE_SPAMASSASSIN=1`
##### SA_TAG2
- **6.31** => add 'spam detected' headers at that level
Note: this spamassassin setting needs `ENABLE_SPAMASSASSIN=1`
##### SA_KILL
- **6.31** => triggers spam evasive actions
Note: this spamassassin setting needs `ENABLE_SPAMASSASSIN=1`
##### ENABLE_POP3 ##### ENABLE_POP3
- **empty** => POP3 service disabled - **empty** => POP3 service disabled
@ -105,7 +144,7 @@ Value in **bold** is the default value.
##### ENABLE_FAIL2BAN ##### ENABLE_FAIL2BAN
- **empty** => fail2ban service disabled - **0** => fail2ban service disabled
- 1 => Enables fail2ban service - 1 => Enables fail2ban service
If you enable Fail2Ban, don't forget to add the following lines to your `docker-compose.yml`: If you enable Fail2Ban, don't forget to add the following lines to your `docker-compose.yml`:
@ -121,7 +160,7 @@ Otherwise, `iptables` won't be able to ban IPs.
- 1 => Enables Managesieve on port 4190 - 1 => Enables Managesieve on port 4190
##### ENABLE_FETCHMAIL ##### ENABLE_FETCHMAIL
- **empty** => `fetchmail` disabled - **0** => `fetchmail` disabled
- 1 => `fetchmail` enabled - 1 => `fetchmail` enabled
##### ENABLE_LDAP ##### ENABLE_LDAP
@ -158,21 +197,9 @@ Otherwise, `iptables` won't be able to ban IPs.
- **empty** => postmaster@domain.com - **empty** => postmaster@domain.com
- => Specify the postmaster address - => Specify the postmaster address
##### SA_TAG
- **2.0** => add spam info headers if at, or above that level
##### SA_TAG2
- **6.31** => add 'spam detected' headers at that level
##### SA_KILL
- **6.31** => triggers spam evasive actions
##### ENABLE_SASLAUTHD ##### ENABLE_SASLAUTHD
- **empty** => `saslauthd` is disabled - **0** => `saslauthd` is disabled
- 1 => `saslauthd` is enabled - 1 => `saslauthd` is enabled
##### SASLAUTHD_MECHANISMS ##### SASLAUTHD_MECHANISMS


@ -2,7 +2,7 @@ version: '2'
services: services:
mail: mail:
image: tvial/docker-mailserver:v2 image: tvial/docker-mailserver:v2.1
hostname: mail hostname: mail
domainname: domain.com domainname: domain.com
container_name: mail container_name: mail
@ -13,12 +13,19 @@ services:
- "993:993" - "993:993"
volumes: volumes:
- maildata:/var/mail - maildata:/var/mail
- mailstate:/var/mail-state
- ./config/:/tmp/docker-mailserver/ - ./config/:/tmp/docker-mailserver/
environment: environment:
- ENABLE_SPAMASSASSIN=1
- ENABLE_CLAMAV=1
- ENABLE_FAIL2BAN=1 - ENABLE_FAIL2BAN=1
- ONE_DIR=1
- DMS_DEBUG=0
cap_add: cap_add:
- NET_ADMIN - NET_ADMIN
volumes: volumes:
maildata: maildata:
driver: local driver: local
mailstate:
driver: local
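Review bot: The example now ships `cap_add: NET_ADMIN` next to `ENABLE_FAIL2BAN=1` without saying the two belong together; the README's Fail2Ban section in this same commit states the capability exists only so `iptables` can ban IPs. Because NET_ADMIN widens the container's privileges well beyond a mail server's needs, a comment tying it to the flag helps users who set the flag to 0 drop the capability too: `# NET_ADMIN is only needed when ENABLE_FAIL2BAN=1 (iptables bans)`.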


@ -7,6 +7,13 @@
# Example: DEFAULT_VARS["KEY"]="VALUE" # Example: DEFAULT_VARS["KEY"]="VALUE"
########################################################################## ##########################################################################
declare -A DEFAULT_VARS declare -A DEFAULT_VARS
DEFAULT_VARS["ENABLE_CLAMAV"]="${ENABLE_CLAMAV:="0"}"
DEFAULT_VARS["ENABLE_SPAMASSASSIN"]="${ENABLE_SPAMASSASSIN:="0"}"
DEFAULT_VARS["ENABLE_FAIL2BAN"]="${ENABLE_FAIL2BAN:="0"}"
DEFAULT_VARS["ENABLE_MANAGESIEVE"]="${ENABLE_MANAGESIEVE:="0"}"
DEFAULT_VARS["ENABLE_FETCHMAIL"]="${ENABLE_FETCHMAIL:="0"}"
DEFAULT_VARS["ENABLE_LDAP"]="${ENABLE_LDAP:="0"}"
DEFAULT_VARS["ENABLE_SASLAUTHD"]="${ENABLE_SASLAUTHD:="0"}"
DEFAULT_VARS["VIRUSMAILS_DELETE_DELAY"]="${VIRUSMAILS_DELETE_DELAY:="7"}" DEFAULT_VARS["VIRUSMAILS_DELETE_DELAY"]="${VIRUSMAILS_DELETE_DELAY:="7"}"
DEFAULT_VARS["DMS_DEBUG"]="${DMS_DEBUG:="0"}" DEFAULT_VARS["DMS_DEBUG"]="${DMS_DEBUG:="0"}"
########################################################################## ##########################################################################
@ -127,13 +134,11 @@ function register_functions() {
_register_start_daemon "_start_daemons_fetchmail" _register_start_daemon "_start_daemons_fetchmail"
fi fi
if ! [ "$DISABLE_CLAMAV" = 1 ]; then if [ "$ENABLE_CLAMAV" = 1 ]; then
_register_start_daemon "_start_daemons_clamav" _register_start_daemon "_start_daemons_clamav"
fi fi
if ! [ "$DISABLE_AMAVIS" = 1 ]; then
_register_start_daemon "_start_daemons_amavis" _register_start_daemon "_start_daemons_amavis"
fi
################### << daemon funcs ################### << daemon funcs
} }
########################################################################## ##########################################################################
@ -738,25 +743,35 @@ function _setup_postfix_relay_amazon_ses() {
function _setup_security_stack() { function _setup_security_stack() {
notify 'task' "Setting up Security Stack" notify 'task' "Setting up Security Stack"
notify 'inf' "Configuring Spamassassin" # recreate auto-generated file
dms_amavis_file="/etc/amavis/conf.d/51-dms_auto_generated"
echo "# WARNING: this file is auto-generated." > $dms_amavis_file
echo "use strict;" >> $dms_amavis_file
# Spamassassin
if [ "$ENABLE_SPAMASSASSIN" = 0 ]; then
notify 'warn' "Spamassassin is disabled. You can enable it with 'ENABLE_SPAMASSASSIN=1'"
echo "@bypass_spam_checks_maps = (1);" >> $dms_amavis_file
elif [ "$ENABLE_SPAMASSASSIN" = 1 ]; then
notify 'inf' "Enabling and configuring spamassassin"
SA_TAG=${SA_TAG:="2.0"} && sed -i -r 's/^\$sa_tag_level_deflt (.*);/\$sa_tag_level_deflt = '$SA_TAG';/g' /etc/amavis/conf.d/20-debian_defaults SA_TAG=${SA_TAG:="2.0"} && sed -i -r 's/^\$sa_tag_level_deflt (.*);/\$sa_tag_level_deflt = '$SA_TAG';/g' /etc/amavis/conf.d/20-debian_defaults
SA_TAG2=${SA_TAG2:="6.31"} && sed -i -r 's/^\$sa_tag2_level_deflt (.*);/\$sa_tag2_level_deflt = '$SA_TAG2';/g' /etc/amavis/conf.d/20-debian_defaults SA_TAG2=${SA_TAG2:="6.31"} && sed -i -r 's/^\$sa_tag2_level_deflt (.*);/\$sa_tag2_level_deflt = '$SA_TAG2';/g' /etc/amavis/conf.d/20-debian_defaults
SA_KILL=${SA_KILL:="6.31"} && sed -i -r 's/^\$sa_kill_level_deflt (.*);/\$sa_kill_level_deflt = '$SA_KILL';/g' /etc/amavis/conf.d/20-debian_defaults SA_KILL=${SA_KILL:="6.31"} && sed -i -r 's/^\$sa_kill_level_deflt (.*);/\$sa_kill_level_deflt = '$SA_KILL';/g' /etc/amavis/conf.d/20-debian_defaults
test -e /tmp/docker-mailserver/spamassassin-rules.cf && cp /tmp/docker-mailserver/spamassassin-rules.cf /etc/spamassassin/ test -e /tmp/docker-mailserver/spamassassin-rules.cf && cp /tmp/docker-mailserver/spamassassin-rules.cf /etc/spamassassin/
if [ "$DISABLE_CLAMAV" = 1 ]; then
notify 'inf' "Disabling clamav"
cat > /etc/amavis/conf.d/50-user-security <<- EOM
use strict;
@bypass_virus_checks_maps = ();
$undecipherable_subject_tag = undef;
1;
EOM
else
notify 'inf' "Enabling clamav"
echo "" > /etc/amavis/conf.d/50-user-security
fi fi
# Clamav
if [ "$ENABLE_CLAMAV" = 0 ]; then
notify 'warn' "Clamav is disabled. You can enable it with 'ENABLE_CLAMAV=1'"
echo "@bypass_virus_checks_maps = (1);" >> $dms_amavis_file
elif [ "$ENABLE_CLAMAV" = 1 ]; then
notify 'inf' "Enabling clamav"
fi
echo "1; # ensure a defined return" >> $dms_amavis_file
# Fail2ban
if [ "$ENABLE_FAIL2BAN" = 1 ]; then if [ "$ENABLE_FAIL2BAN" = 1 ]; then
notify 'inf' "Fail2ban enabled" notify 'inf' "Fail2ban enabled"
test -e /tmp/docker-mailserver/fail2ban-jail.cf && cp /tmp/docker-mailserver/fail2ban-jail.cf /etc/fail2ban/jail.local test -e /tmp/docker-mailserver/fail2ban-jail.cf && cp /tmp/docker-mailserver/fail2ban-jail.cf /etc/fail2ban/jail.local
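Review bot: In _setup_security_stack the new ENABLE_CLAMAV and ENABLE_SPAMASSASSIN checks react only to the literal values 0 and 1, so any other value (`yes`, `true`, an empty override) falls through both branches: no bypass line is written to 51-dms_auto_generated and nothing is logged, while register_functions in the earlier hunk treats anything other than 1 as disabled and does not start clamd. amavis would then be left configured to call a scanner that was never started. Treating "not 1" as disabled in both places keeps them consistent: `if [ "$ENABLE_CLAMAV" != 1 ]; then` for the first test and a plain `else` in place of `elif [ "$ENABLE_CLAMAV" = 1 ]; then`, with the same change in the spamassassin block. The function body continues past the end of the hunk.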


@ -56,13 +56,8 @@
[ "$status" -eq 0 ] [ "$status" -eq 0 ]
} }
@test "checking process: amavis (amavis disabled by DISABLE_AMAVIS)" { @test "checking process: clamav (clamav disabled by ENABLED_CLAMAV=0)" {
run docker exec mail_disabled_amavis /bin/bash -c "ps aux --forest | grep -v grep | grep '/usr/sbin/amavisd-new'" run docker exec mail_disabled_clamav_spamassassin /bin/bash -c "ps aux --forest | grep -v grep | grep '/usr/sbin/clamd'"
[ "$status" -eq 1 ]
}
@test "checking process: clamav (clamav disabled by DISABLE_CLAMAV)" {
run docker exec mail_disabled_clamav /bin/bash -c "ps aux --forest | grep -v grep | grep '/usr/sbin/clamd'"
[ "$status" -eq 1 ] [ "$status" -eq 1 ]
} }
@ -274,6 +269,16 @@
# spamassassin # spamassassin
# #
@test "checking spamassassin: should be listed in amavis when enabled" {
run docker exec mail /bin/sh -c "grep -i 'ANTI-SPAM-SA code' /var/log/mail/mail.log | grep 'NOT loaded'"
[ "$status" -eq 1 ]
}
@test "checking spamassassin: should not be listed in amavis when disabled" {
run docker exec mail_disabled_clamav_spamassassin /bin/sh -c "grep -i 'ANTI-SPAM-SA code' /var/log/mail/mail.log | grep 'NOT loaded'"
[ "$status" -eq 0 ]
}
@test "checking spamassassin: docker env variables are set correctly (default)" { @test "checking spamassassin: docker env variables are set correctly (default)" {
run docker exec mail_pop3 /bin/sh -c "grep '\$sa_tag_level_deflt' /etc/amavis/conf.d/20-debian_defaults | grep '= 2.0'" run docker exec mail_pop3 /bin/sh -c "grep '\$sa_tag_level_deflt' /etc/amavis/conf.d/20-debian_defaults | grep '= 2.0'"
[ "$status" -eq 0 ] [ "$status" -eq 0 ]
@ -302,12 +307,12 @@
} }
@test "checking clamav: should not be listed in amavis when disabled" { @test "checking clamav: should not be listed in amavis when disabled" {
run docker exec mail_disabled_clamav grep -i 'Found secondary av scanner ClamAV-clamscan' /var/log/mail/mail.log run docker exec mail_disabled_clamav_spamassassin grep -i 'Found secondary av scanner ClamAV-clamscan' /var/log/mail/mail.log
[ "$status" -eq 1 ] [ "$status" -eq 1 ]
} }
@test "checking clamav: should not be called when disabled" { @test "checking clamav: should not be called when disabled" {
run docker exec mail_disabled_clamav grep -i 'connect to /var/run/clamav/clamd.ctl failed' /var/log/mail/mail.log run docker exec mail_disabled_clamav_spamassassin grep -i 'connect to /var/run/clamav/clamd.ctl failed' /var/log/mail/mail.log
[ "$status" -eq 1 ] [ "$status" -eq 1 ]
} }
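Review bot: The new test "checking spamassassin: should be listed in amavis when enabled" passes vacuously: `grep -i 'ANTI-SPAM-SA code' ... | grep 'NOT loaded'` exits 1 both when the module was loaded and when mail.log is missing, empty, or amavis has not logged yet. Asserting positive evidence avoids that, e.g. `run docker exec mail /bin/sh -c "grep -i 'ANTI-SPAM-SA code' /var/log/mail/mail.log | grep -v 'NOT loaded'"` followed by `[ "$status" -eq 0 ]`. Separately, the renamed test title in the first hunk reads `ENABLED_CLAMAV=0` while the variable introduced by this commit is `ENABLE_CLAMAV`.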