Commit graph

393 commits

Author SHA1 Message Date
Georg Lauterbach dd5c0b003a
removing debug trace 2020-11-05 12:40:24 +01:00
Georg Lauterbach 5365e7f0f8
fixes #1677 2020-11-05 11:41:18 +01:00
Georg Lauterbach f0105f6d47
Merge pull request #1613 from martin-schulze-vireso/feature/extract_even_more_tests 2020-10-28 11:16:15 +01:00
Charles Harris 451bbfdf40
silence errorneous output when not generating reports (#1657)
* silence errorneous output when not generating reports
* remove incorrect variable assignment
* change error messages and logic when reports turned off
* changing warn -> inf

Co-authored-by: Charles Harris
Co-authored-by: Georg Lauterbach
2020-10-21 19:45:47 +02:00
Georg Lauterbach da8171388f
Complete Refactor for target/bin (#1654)
* documentation and script updates trying to fix #1647
* preparations for refactoring target/bin/
* complete refactor for target/bin/
* changing script output slightly
* outsourcing functions in `bin-helper.sh`
* re-wrote linting to allow for proper shellcheck -x execution
* show explanation for shellcheck ignore
* adding some more information
2020-10-21 18:16:32 +02:00
Georg Lauterbach 0ada57d87c
Documentation and Script Updates trying to fix #1647 (#1653)
* documentation and script updates trying to fix #1647
* re-trigger tests
* removing unnecessary rm statements
* re-trigger tests
2020-10-21 16:00:35 +02:00
Martin Schulze 1bd1fd3b32 Merge remote-tracking branch 'tvial/master' into feature/extract_even_more_tests 2020-10-20 13:19:15 +02:00
Georg Lauterbach d5543b21c4
Correction for LINE variable 2020-10-19 16:29:25 +02:00
Georg Lauterbach 6bff929b13
Merge pull request #1 from martin-schulze-vireso/feature/extract_even_more_tests
Feature/extract even more tests
2020-10-18 15:25:50 +02:00
Casper 90778de19d
Quotes removed to have a uniform style 2020-10-17 22:17:59 +02:00
Martin Schulze c46edee8f9 Mark the end of restarts due to changes by moving the checksum file 2020-10-17 02:04:30 +02:00
Georg Lauterbach 94c2a68bd5
Updated submodule target/docker-configomat 2020-10-11 19:41:53 +02:00
Georg Lauterbach 916ef571b9
Miscellaneous cleanup / housekeeping (#1641) 2020-10-06 14:45:55 +02:00
Georg Lauterbach 177d24feab
streamlined all scripts (now completely adhering to the contributing guidelines) 2020-10-02 15:45:57 +02:00
Sergey Nazaryev 84dbf4a7b4
Merge pull request #1634 from 3ap/master
fix: use self-signed cert for dovecot
2020-10-01 22:32:15 +02:00
Georg Lauterbach 1d18cb81fb
possible fix for tomav#1383 2020-09-28 11:42:50 +02:00
Georg Lauterbach 8e8671bb42
added option to use non-default network-interface, resolves #1227 (#1621)
* added option to use non-default network-interface (#1227)
* minor (stylistic) changes
* properly working with Bash arrays for CONTAINER_NETWORKS
* cleanup to trigger rebuild
* added CODE_OF_CONDUCT to trigger rebuild
2020-09-26 15:11:52 +02:00
Georg Lauterbach a0791ef457
formatting files according to standard (#1619)
* added EditorConfig linting
* adding `eclint` as Travis script target
* re-adjusted .pem files to have a newline
2020-09-24 14:54:21 +02:00
Casper 9f7414d95f
remove unnecessary use of cat (#1616) 2020-09-23 21:53:07 +02:00
Georg Lauterbach 566eaa0e13
complete refactoring for start-mailserver.sh (#1605)
* completely refactored `start-mailserver.sh`
* added braces; correctly formatted tabs / spaces
*  included `start-mailserver` into shellcheck checks
* cleanup
* removed unnecessary shellcheck comments adding braces and "" where necessary
* corrected some mistakes in CONTRIBUTING
* Makefile now uses correct shellcheck
2020-09-23 10:21:37 +02:00
Georg Lauterbach 77520bf96f
adjusted coding style guidelines; added table of contents 2020-09-09 17:19:48 +02:00
Georg Lauterbach 323303431a
fixed shellcheck version 2020-09-08 19:49:19 +02:00
Georg Lauterbach f7ca406ec9
fixing #1602; variable-brace-policy changed; 2020-09-06 12:27:40 +02:00
Georg Lauterbach 67e1e586c7
coherent renaming of functions 2020-09-05 16:53:36 +02:00
Georg Lauterbach bf679a5504
changes from tomav#1599 without start-mailserver.sh
included all changes from the work on refactoring all scripts, but excluded one big script to make merging easier; replaced mapfile with read
2020-09-05 16:19:12 +02:00
mwnx 42352a3259 Update relayhost_map with virtual accounts too
Previously, only postfix-relaymap.cf and postfix-accounts.cf would be
used to populate the relayhost_map file.

Now, also use postfix-virtual.cf when present. To me, there is nothing
absurd about sending mail "From:" a virtual account (or more
specifically its domain) so it makes sense that when a $RELAY_HOST is
defined it should be used for virtual accounts as well.
2020-08-28 15:03:51 +02:00
mwnx 1286a1266b Fix/refactor relayhost_map update when dynamically adding account
check-for-changes.sh did not have a special case to handle lines in
postfix-relaymap.cf consisting of only a domain (indicating that said
domain should never be relayed). This case is handled by
start-mailserver.sh so when such a line existed, things would work well
until a config file update was detected by check-for-changes.sh. After
that, the generated relayhost_map file would be corrupted.

Fixed by factoring a 'populate_relayhost_map' function out of
start-mailserver.sh and into helper_functions.sh and reusing it in
check-for-changes.sh.

Note: There are certainly quite a few more pieces of code that could be
refactored in a similar fashion.

Note2: check-for-changes.sh would previously never update the
relayhost_map file when $ENABLE_LDAP was set to 1. I don't think this
was intended —there is after all no such condition in
start-mailserver.sh— and so this condition no longer applies.
2020-08-28 15:03:51 +02:00
mwnx 2a70f33a4b Fix checksum race condition in check-for-changes.sh
If a change to one of the tracked files happened soon after (<1 second?)
a previously detected change, it could end up going undetected. In
particular, this could cause integration tests to fail (see next
commits).

Fixed by computing the new checksum file _before_ checking for changes.
2020-08-28 14:57:43 +02:00
Erik Wramner 26cc0c49ca
Merge pull request #1573 from casperklein/patch-2
addalias: check if two arguments are given
2020-07-22 16:13:51 +02:00
Martin Wepner 821d88e93a add break; remove empty print 2020-07-20 11:28:23 +02:00
Martin Wepner 6bd1fb568e fix: extractCertsFromAcmeJson fails if "sans" not in Certificates.domain.main 2020-07-19 23:57:16 +02:00
Casper 398b1dd554
Merge pull request #2 from casperklein/patch-1
Small change to error message
2020-07-19 21:33:41 +02:00
Casper 2ffb0de1db
Small change to error message 2020-07-19 21:33:06 +02:00
Casper 79f6c88653
Merge pull request #1 from casperklein/patch-3
More detailed error message
2020-07-19 21:26:36 +02:00
Casper 11ab4a84a9
More detailed error message 2020-07-19 21:23:59 +02:00
Casper 7c0998f7fa
Check if second argument is given 2020-07-19 21:21:01 +02:00
Erik Wramner f206ad7ee1
Merge pull request #1553 from MichaelSp/letsencrypt-traefik-acme-json
Letsencrypt traefik v2 acme json
2020-07-16 07:49:04 +02:00
guardiande 5c5c8eb814
Revert dummy change 2020-07-15 09:39:59 +02:00
guardiande 7189d4c63f
Dummy change to trigger travis 2020-07-15 09:12:14 +02:00
guardiande 76d3f7643a
Fix sasl_password generation to allow passwords containing hashes 2020-07-15 08:26:25 +02:00
Michael Sprauer d61a8cd9c0 letsencrypt & traefik wildcard support
set SSL_DOMAIN=*.example.com to extract a wildcard certificate from traefiks acme.json store
2020-07-13 22:58:17 +02:00
Michael Sprauer 3a3cec6a8f trigger reload if cert change
/etc/letsencrypt/live/$HOSTNAME/key.pem  and /etc/letsencrypt/live/$HOSTNAME/fullchain.pem are watched and will trigger a reload if changed
2020-07-07 21:26:53 +02:00
Ben 2ee280dcb3
Update dovecot-ldap.conf.ext
add auth_bind = no so that it can be overridden via the env-mailserver file used by docker compose. This is related to #1526
2020-07-04 11:50:25 -07:00
Michael Sprauer 32c732e276 certificates from acme.json
Will extract certificates from acme.json as written by traefik for usage in dovecot and postfix.
Also watches acme.json for changes. For this to work the file has to be mounted/present at `/etc/letsencrypt/acme.json`
2020-06-30 22:43:22 +02:00
Erik Wramner df4e04f033
Merge pull request #1547 from MrFreezeex/master
Fix dovecot variable with whitespace
2020-06-28 11:02:58 +02:00
Gio d888dbcf7f Fix typo 2020-06-27 23:07:17 -05:00
Arthur Outhenin-Chalandre c7f9fbd439
Fix dovecot variable with whitespace
Signed-off-by: Arthur Outhenin-Chalandre <arthur@cri.epita.fr>
2020-06-27 11:17:25 +02:00
Casper c359521121
Typo fixed 2020-06-14 04:39:34 +02:00
Nicholas Pepper 1b659a5574 Modified letsencrypt support to add domain name checking in addition to
hostname checking.  Added necessary tests and renamed original manual
ssl test to a name that supports adding the other SSL tests.
2020-05-15 04:52:26 +00:00
youtous 04059cd618
MAIL-8818 - Postfix information leakage
To prevent announcing software or version to malicious people or scripts, it is advised to hide such information.


This information is provided as part of the Lynis community project. It is related to Lynis control MAIL-8818 and should be considered as-is and without guarantees.

https://cisofy.com/lynis/controls/MAIL-8818/
2020-05-10 16:04:53 +02:00
youtous d0f7257333
support comments in .cf files 2020-05-06 22:59:55 +02:00
youtous 32d16084ec
sieve scripts using alphabetical order 2020-05-04 16:13:47 +02:00
youtous 92414b7eba
sieve after/before use folder instead of individual listing
Loading sieve scripts using a directory scheme permits to handle multi scripts wtihout defining individual sieve_before/sieve_after
2020-05-04 00:27:29 +02:00
youtous 30262128f4
raise a warning when SPAMASSASSIN_SPAM_TO_INBOX isn't explicitly defined 2020-05-03 10:33:50 +02:00
youtous d829905cf7
init spams to junk 2020-05-03 10:33:28 +02:00
Erik Wramner 23eb7c42ab
Merge pull request #1481 from youtous/fix-sieve-folder
Prevent sieve symlink to be evaluated as a directory by dovecot
2020-05-02 08:09:09 +02:00
Erik Wramner 0537c6f046
Merge pull request #1482 from youtous/feature-quota-optional
Feature quota optional.
2020-05-02 08:07:38 +02:00
youtous 16cd4f9d2d
Reduce opportunities for a potential CPU exhaustion attack with NO_RENEGOTIATION
See https://en.wikipedia.org/wiki/Resource_exhaustion_attack
2020-05-02 00:04:05 +02:00
youtous 0c838706d0
Option to disable dovecot quota 2020-05-01 23:42:21 +02:00
youtous e8581be2d3
Prevent sieve symlink to be evaluated as a directory by dovecot 2020-05-01 23:20:15 +02:00
youtous 3aeacef125
remove start-mailserver nested conditions dovecot quota 2020-04-30 16:11:45 +02:00
youtous d45e6b1c22
#fix 1478 2020-04-30 12:47:12 +02:00
Erik Wramner 35f473ad12
Merge pull request #1474 from polarathene/chore/remove-obsolete-param-usetls
chore: Remove obsolete postfix parameter `smtpd_use_tls`
2020-04-30 08:02:11 +02:00
Brennan Kinney 76594c21c4
Add note about tls_ssl_options = NO_COMPRESSION
[Postfix docs](http://www.postfix.org/postconf.5.html#tls_ssl_options):

> Disable SSL compression even if supported by the OpenSSL library. Compression is CPU-intensive, and compression before encryption does not always improve security.

[Postfix mailing list discussion](http://postfix.1071664.n5.nabble.com/patch-mitigate-CRIME-attack-td57978.html):

> The CRIME attack does not apply to SMTP, because unlike SMTP, there is no javascript in SMTP clients that makes them send thousands of email messages with chosen plaintext compressed together in the same packet with SASL credentials or other sensitive data.
> The auditor completely failed to take the context into account.

[Mailing list discussion of potential compression CRIME-like attack](https://lists.cert.at/pipermail/ach/2014-December/001660.html)

> keeping compression disabled is a good idea.

If you need a good test score, PCI compliance will likely flag compression despite not having any known risk with non-HTTP TLS.
2020-04-29 19:41:08 +12:00
Brennan Kinney e7de9bceaf
chore: Remove obsolete postfix parameter smtpd_use_tls
See: http://www.postfix.org/postconf.5.html#smtpd_tls_security_level

> this overrides the obsolete parameters `smtpd_use_tls` and `smtpd_enforce_tls`.
2020-04-27 23:24:26 +12:00
youtous 03b8f87ffc
update dovecot conf comment 2020-04-26 22:23:51 +02:00
youtous 47fac2706f
use ffdhe4096 for DHE params
use by default ffdhe4096 for DHE params 


use by default ffdhe4096 for DHE params
2020-04-26 22:23:51 +02:00
youtous f60de0c66e
init tests cases ffdhe4096 2020-04-26 22:23:51 +02:00
youtous 2527ebfaf2
added dovecot quota feature
add postfix service quota check


check-for-changes on quotas


setquota command


fix checkforchanges quota


addquota verify user exists


add setquota in setup.sh


merging addquota into setquota


test quota commands


add ldap tests for dovecot quota


fix smtp only quota postfix rules


test postfix conf


add quota test integration


add quota exceeded test


add wait analyze


fix tests


fix setup typo


add test fixes


fix error output


wip


update startup rules


fix setup


fix setup tests


fix output commands


remove quota on remove user


try to fix sync limit mails


check if file exists


fix path


change used quota user


fix post size


check if quota file exists


update tests


configure virtualmailbox limit for dovecot


last fix


fix quota expr


relax dovecot tests


auto create dovecot-quotas


fix dovecot apply quota test


wip quota warning


trying to fix get dovadm quota


dovecot applies fix


fix quota warning lda path


test count mail on quota


fix quota warning permissiosn


fix test
2020-04-24 14:56:15 +02:00
Nils Knappmeier 370d08fd33 fail2ban: use filter.d/dovecot.conf from distribution
closes #972
2020-04-10 22:21:40 +02:00
Erik Wramner 73b8d65dd3 Merge next into master 2020-04-05 09:28:22 +02:00
Erik Wramner 04777fdb89
Merge pull request #1435 from Drakulix/master
amavis: fix config permission
2020-04-05 08:43:47 +02:00
Christian Glahn ff1248eeee activate shortcircuit plugin, fixes #1442 2020-03-31 17:09:23 +02:00
Jairo Llopis a00dced8bc Allow to set comfortably inet_protocols
Setting `inet_protocols = ipv4` is almost a requirement when running behind Docker. Provide a way to make it easy.

@Tecnativa TT22925
2020-03-25 21:43:29 +01:00
Victor Brekenfeld c491496b6e avavis fix config permission 2020-03-24 15:43:35 +01:00
Erik Wramner 142b98a209
Merge pull request #1427 from Tecnativa/inet-protocols
Allow to set comfortably inet_protocols
2020-03-22 08:56:55 +01:00
Germain Masse ce41f60888 Move filebeat to its own container 2020-03-20 17:56:18 +01:00
Jairo Llopis ab22450364
Allow to set comfortably inet_protocols
Setting `inet_protocols = ipv4` is almost a requirement when running behind Docker. Provide a way to make it easy.

@Tecnativa TT22925
2020-03-19 08:35:25 +00:00
Wandrille RONCE d148eeddfb Add an option to place spam in the inbox, and then sort the mail by a sieve rule for example 2020-03-16 18:47:24 +01:00
Robert Pufky d3f7c56cdf Fix broken fail2ban dovecot filter; use <HOST> instead of undocumented feature.
* Replace deprecated, undocumented fail2ban feature "(\P<host>\S*)" with
  supported host match "<HOST>".
* Fixes "No failure-id group in '(?: pop3-login|ima ..." fail2ban dovecot filter
  error message.
* See: https://github.com/fail2ban/fail2ban/issues/2130
2020-03-16 18:45:22 +01:00
Wandrille RONCE 90951876cd Add an option to place spam in the inbox, and then sort the mail by a sieve rule for example 2020-03-15 17:51:12 +01:00
Robert Pufky a82caf5d9b Fix broken fail2ban dovecot filter; use <HOST> instead of undocumented feature.
* Replace deprecated, undocumented fail2ban feature "(\P<host>\S*)" with
  supported host match "<HOST>".
* Fixes "No failure-id group in '(?: pop3-login|ima ..." fail2ban dovecot filter
  error message.
* See: https://github.com/fail2ban/fail2ban/issues/2130
2020-02-01 14:57:03 -08:00
Erik Wramner f342151b80 Fixed several amavis tests and removed commented code 2020-01-26 16:39:58 +01:00
Erik Wramner a208748ea2 Configure amavis with D_BOUNCE for spam 2020-01-26 08:34:40 +01:00
Erik Wramner 85ae8a1471 Fix fail2ban issues and install some suggested amavis packages 2020-01-25 15:33:06 +01:00
Erik Wramner 91b2c9834e Upgrade to buster and remove filebeat 2020-01-25 15:33:06 +01:00
Torben Weibert ca16307729 Added -f flag to chmod command to suppress error when no sieve-pipe scripts exist 2020-01-21 22:18:00 +01:00
Torben Weibert 70d87f5119 Add executable flag for scripts in /usr/lib/dovecot/sieve-pipe 2020-01-21 18:18:16 +01:00
Erik Wramner ae2aa6eeb4
Merge pull request #1372 from phish108/shortcircuit-bayes-99-mini
activate SA shortcircuit features via env, fixes #1118 (again)
2020-01-15 07:28:00 +01:00
Lukas Elsner 35df764107 fix clamav issue in logwatch 2020-01-13 17:58:34 -05:00
Christian Glahn b8726b80a4 activate SA shortcircuit features via env, fixes #1118 2020-01-13 14:22:14 +01:00
Erik Wramner d847be2d5a
Merge pull request #1331 from Tecnativa/srs-sender-classes
Allow to configure SRS sender classes easily
2019-12-06 07:22:46 +01:00
Jairo Llopis 7f1bc8f8b3
Avoid infinite failure log in Amavis with SMTP_ONLY=1
Fix #801 by simply touching the file if it doesn't exist.

@Tecnativa TT20505
2019-12-03 13:43:43 +00:00
Jairo Llopis 42348ff353
Allow to configure SRS sender classes easily
This will allow to forward safely any email from any host, no matter how strict their SPF policy is, by setting `SRS_SENDER_CLASSES=envelope_sender,header_sender`.

@Tecnativa TT20505
2019-12-03 13:33:51 +00:00
Erik Wramner da1287c1a5 Changed wrong set options in pflogsumm cron job 2019-12-01 09:19:47 +01:00
Erik Wramner c882d95deb
Merge pull request #1284 from vortex852456/master
Added optional file user-patches.sh for own patches without recompiling
2019-11-09 15:13:06 +01:00
Germain Masse 36afac7726 New option DOVECOT_MAILBOX_FORMAT 2019-11-04 15:49:29 +00:00
Germain Masse e465e659ad Remove unnecessary maildir folders creation 2019-11-01 20:04:37 +00:00
Erik Wramner 37e0082cd7 Set expected permissions in log #1300 2019-10-27 09:22:16 +01:00
Vortex c30c3bf5de moved user_patches from misc to nearly the end of setups 2019-10-16 18:56:06 +02:00