From e1e45423901ff2c038ddc9fcd0542b30ab9b59ac Mon Sep 17 00:00:00 2001
From: Jurek Barth
Date: Tue, 6 Feb 2018 08:11:57 +0100
Subject: [PATCH] Fix: Add SRS to fix SPF issues on redirect #611 (#814)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* add srs support
* change autorestart behavior
* this may work now
* make postsrsd’s own wrapper file
* fix dockerfile formatting
* fixing tests
---
 Dockerfile | 6 ++-
 target/postfix/main.cf | 6 +++
 target/postsrsd-wrapper.sh | 8 ++++
 target/postsrsd/postsrsd | 41 ++++++++++++++++++++
 target/supervisor/conf.d/supervisor-app.conf | 8 ++++
 test/tests.bats | 4 +-
 6 files changed, 70 insertions(+), 3 deletions(-)
 create mode 100644 target/postsrsd-wrapper.sh
 create mode 100644 target/postsrsd/postsrsd

diff --git a/Dockerfile b/Dockerfile
index 3e0cfd6b..78894d42 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -54,6 +54,7 @@ RUN apt-get update -q --fix-missing && \
 postfix-ldap \
 postfix-pcre \
 postfix-policyd-spf-python \
+ postsrsd \
 pyzor \
 razor \
 ripole \
@@ -134,6 +135,9 @@ RUN chmod 755 /etc/init.d/postgrey && \
 mkdir /var/run/postgrey && \
 chown postgrey:postgrey /var/run/postgrey
 
+# Copy PostSRSd Config
+COPY target/postsrsd/postsrsd /etc/default/postsrsd
+
 # Enables Amavis
 COPY target/amavis/conf.d/* /etc/amavis/conf.d/
 RUN sed -i -r 's/#(@| \\%)bypass/\1bypass/g' /etc/amavis/conf.d/15-content_filter_mode && \
@@ -200,7 +204,7 @@ RUN curl -s https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > /et
 COPY ./target/bin /usr/local/bin
 
 # Start-mailserver script
-COPY ./target/check-for-changes.sh ./target/start-mailserver.sh ./target/fail2ban-wrapper.sh ./target/postfix-wrapper.sh ./target/docker-configomat/configomat.sh /usr/local/bin/
+COPY ./target/check-for-changes.sh ./target/start-mailserver.sh ./target/fail2ban-wrapper.sh ./target/postfix-wrapper.sh ./target/postsrsd-wrapper.sh ./target/docker-configomat/configomat.sh /usr/local/bin/
 RUN chmod +x /usr/local/bin/*
 
 # Configure supervisor
diff --git a/target/postfix/main.cf b/target/postfix/main.cf
index 41cd6f30..4a879d20 100644
--- a/target/postfix/main.cf
+++ b/target/postfix/main.cf
@@ -98,3 +98,9 @@ policyd-spf_time_limit = 3600
 
 # Remove unwanted headers that reveail our privacy
 smtp_header_checks = pcre:/etc/postfix/maps/sender_header_filter.pcre
+
+# postSRSd rules to process spf mail forwarding
+sender_canonical_maps = tcp:localhost:10001
+sender_canonical_classes = envelope_sender
+recipient_canonical_maps = tcp:localhost:10002
+recipient_canonical_classes = envelope_recipient,header_recipient
diff --git a/target/postsrsd-wrapper.sh b/target/postsrsd-wrapper.sh
new file mode 100644
index 00000000..3e0cc144
--- /dev/null
+++ b/target/postsrsd-wrapper.sh
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+# postsrsd-wrapper.sh, version 0.1.0
+
+DOMAINNAME="$(hostname -d)"
+sed -i -e "s/localdomain/$DOMAINNAME/g" /etc/default/postsrsd
+
+/etc/init.d/postsrsd start
+
diff --git a/target/postsrsd/postsrsd b/target/postsrsd/postsrsd
new file mode 100644
index 00000000..8238786a
--- /dev/null
+++ b/target/postsrsd/postsrsd
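Review bot: `DOMAINNAME="$(hostname -d)"` is fed to `sed` unchecked, so when the container's hostname carries no domain part `hostname -d` prints nothing and `SRS_DOMAIN=localdomain` in /etc/default/postsrsd is rewritten to `SRS_DOMAIN=`; what postsrsd then does with an empty domain is not visible in this diff. Guard the value before rewriting: `[[ -n "$DOMAINNAME" ]] || { printf '%s\n' "postsrsd-wrapper: hostname -d returned no domain" >&2; exit 1; }`. The script also has no `set -euo pipefail`, so a failed sed still proceeds to `/etc/init.d/postsrsd start` with the placeholder domain in place. A one-line comment would help the next reader, e.g. `# one-shot: replaces the localdomain placeholder shipped in target/postsrsd/postsrsd`.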
@@ -0,0 +1,41 @@
+# Default settings for postsrsd
+
+# Local domain name.
+# Addresses are rewritten to originate from this domain. The default value
+# is taken from `postconf -h mydomain` and probably okay.
+#
+SRS_DOMAIN=localdomain
+
+# Exclude additional domains.
+# You may list domains which shall not be subjected to address rewriting.
+# If a domain name starts with a dot, it matches all subdomains, but not
+# the domain itself. Separate multiple domains by space or comma.
+#
+#SRS_EXCLUDE_DOMAINS=.example.com,example.org
+
+# First separator character after SRS0 or SRS1.
+# Can be one of: -+=
+SRS_SEPARATOR==
+
+# Secret key to sign rewritten addresses.
+# When postsrsd is installed for the first time, a random secret is generated
+# and stored in /etc/postsrsd.secret. For most installations, that's just fine.
+#
+SRS_SECRET=/etc/postsrsd.secret
+
+# Local ports for TCP list.
+# These ports are used to bind the TCP list for postfix. If you change
+# these, you have to modify the postfix settings accordingly. The ports
+# are bound to the loopback interface, and should never be exposed on
+# the internet.
+#
+SRS_FORWARD_PORT=10001
+SRS_REVERSE_PORT=10002
+
+# Drop root privileges and run as another user after initialization.
+# This is highly recommended as postsrsd handles untrusted input.
+#
+RUN_AS=postsrsd
+
+# Jail daemon in chroot environment
+CHROOT=/var/lib/postsrsd
\ No newline at end of file
diff --git a/target/supervisor/conf.d/supervisor-app.conf b/target/supervisor/conf.d/supervisor-app.conf
index 86eb6c99..e327e715 100644
--- a/target/supervisor/conf.d/supervisor-app.conf
+++ b/target/supervisor/conf.d/supervisor-app.conf
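Review bot: `SRS_SECRET=/etc/postsrsd.secret` refers to a file the postsrsd package creates at install time, which here is `docker build` (the Dockerfile hunk adds the package), so the signing key is baked into the image and silently replaced on every rebuild. The likely consequences, inferred rather than visible in the diff, are that SRS0 return addresses issued by one image fail validation on the next and that anyone with read access to the image layer holds the key this server uses to accept and forward reversed SRS addresses. Consider pointing SRS_SECRET at a file under the persisted config directory, creating it on first start if absent, and stating that in the comment above it: `# Persist this file across rebuilds: a new secret invalidates SRS addresses still in flight.` The header comment saying the default is taken from `postconf -h mydomain` no longer describes this setup, since the wrapper script in this patch replaces `localdomain` at container start.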
@@ -121,3 +121,11 @@ autorestart=true
 stdout_logfile=/var/log/supervisor/%(program_name)s.log
 stderr_logfile=/var/log/supervisor/%(program_name)s.log
 command=/usr/local/bin/check-for-changes.sh
+
+[program:postsrsd]
+startsecs=0
+autostart=true
+autorestart=unexpected
+stdout_logfile=/var/log/supervisor/%(program_name)s.log
+stderr_logfile=/var/log/supervisor/%(program_name)s.log
+command=/usr/local/bin/postsrsd-wrapper.sh
diff --git a/test/tests.bats b/test/tests.bats
index 5ddb488f..53099a4f 100644
--- a/test/tests.bats
+++ b/test/tests.bats
@@ -345,13 +345,13 @@ load 'test_helper/bats-assert/load'
 }
 
 @test "checking smtp: rejects spam" {
- run docker exec mail /bin/sh -c "grep 'Blocked SPAM' /var/log/mail/mail.log | grep spam@external.tld | wc -l"
+ run docker exec mail /bin/sh -c "grep 'Blocked SPAM' /var/log/mail/mail.log | grep external.tld=spam@my-domain.com | wc -l"
 assert_success
 assert_output 1
 }
 
 @test "checking smtp: rejects virus" {
- run docker exec mail /bin/sh -c "grep 'Blocked INFECTED' /var/log/mail/mail.log | grep virus@external.tld | wc -l"
+ run docker exec mail /bin/sh -c "grep 'Blocked INFECTED' /var/log/mail/mail.log | grep external.tld=virus@my-domain.com | wc -l"
 assert_success
 assert_output 1
 }
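Review bot: `autorestart=unexpected` with `startsecs=0` supervises only the wrapper, and `/usr/local/bin/postsrsd-wrapper.sh` (added in this patch) exits with status 0 as soon as `/etc/init.d/postsrsd start` has put the daemon in the background, so a later postsrsd crash is neither noticed nor restarted by supervisord. Meanwhile the main.cf hunk makes cleanup(8) consult `tcp:localhost:10001` and `tcp:localhost:10002` for every message, and Postfix defers mail with a temporary lookup failure when nothing listens there. The setting change named in the commit message ("change autorestart behavior") hides the wrapper's immediate exit rather than fixing it; prefer running postsrsd in the foreground from the wrapper with `exec` (if the installed build offers a non-daemonizing mode, which this diff does not show), with `autorestart=true` so supervisord owns the daemon's lifetime.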
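Review bot: The patterns changed to `external.tld=spam@my-domain.com` and `external.tld=virus@my-domain.com` show that a plain inbound message rejected by the content filter is already logged with an SRS-rewritten envelope sender, which suggests the `sender_canonical_maps` from the main.cf hunk apply to all non-local senders at cleanup time, not only to forwarded mail (inferred from the log form; the Postfix side is outside this hunk). Any sender-based check or log search that runs after cleanup, e.g. Amavis sender lists or an incident search for `spam@external.tld`, now sees the SRS form instead, and the test should say so: `# envelope senders are SRS-rewritten before Amavis logs them, hence the external.tld=...@my-domain.com form`. Using `grep -F` for these literal patterns would also stop the unescaped dots from matching any character.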