Commit graph

2103 commits

Author SHA1 Message Date
Marek Walczak c505177486 Dkim key size (#868)
Allow to change the keysize for the dkim key
2018-03-02 22:17:18 +01:00
17Halbe b644ced730 Updated Setup docker mailserver using the script setup.sh (markdown) 2018-03-01 09:32:21 +01:00
Andreas Gerstmayr 2687469f38 update postmaster_address in dovecot config according to POSTMASTER_ADDRESS env var (#866)
* update postmaster_address in dovecot config according to POSTMASTER_ADDRESS env var
* tests: add another test for postmaster_address with default settings
2018-02-27 20:44:45 +01:00
Marek Walczak c36e878d76 Nist tls (#831)
* remove two ciphers according to https://www.htbridge.com/ssl/ (NIST, HIPAA)
* added a switch via an environment variable to choose between modern and intermediate ciphers
2018-02-22 08:36:12 +01:00
Achim Christ eb20722b80 Add environment variable to allow for customizing postsrsd's SRS_EXCLUDE_DOMAINS setting (#849, #842) 2018-02-18 20:53:13 +01:00
17Halbe 5e09074d58 postscreen implementation altered (#846)
* new setup.sh function, new tests, new script and some minor updates to main.cf
* fix for missing files
* removed obsolete test-files
* restart postfix if neccessary.
* see pr  #845
* fixed typo
* fixed branchmixup
* changed postfix reload command & changed to operate on container instead of image
* reload postfix only on adding new restriction
* main.cf is only changed when user is added.
 - Postfix reload changed
 - working on container instead of image now in setup.sh
 - added cleanup after tests
* moved cleanup to makefile
2018-02-18 13:29:43 +01:00
Johan Smits 803dab12c6
Update readme and changelog about the ports and usage (#848) 2018-02-18 13:12:39 +01:00
17Halbe 795cbf103d fixed greedy postgrey sed command (#845) 2018-02-18 10:37:31 +01:00
17Halbe b08c9b42ed moved fail2ban function from setup.sh to own file (#837)
* moved fail2ban function out of setup.sh
2018-02-13 08:31:12 +01:00
Cédric Laubacher 19cb22a1a5 Generate new DH param weekly instead of daily (#836) 2018-02-12 22:04:02 +01:00
17Halbe ac9be357ce Diffie-Hellman 2048 Bit Parameters should be changed regularly. (#834)
Since it is assumed that the NSA uses Rainbowtables to break default-DHE-Parameters, one is encouraged to change the Parameters periodically.
2018-02-11 18:37:04 +01:00
17Halbe 21b7cf72c9 added config-path option to setup.sh script (Closes: #698)
* added config-path option to setup.sh script
2018-02-11 18:26:46 +01:00
17Halbe 260486b305 Updated Configure SPF (markdown) 2018-02-09 22:16:48 +01:00
17Halbe e5b15a3330 Updated Setup docker mailserver using the script setup.sh (markdown) 2018-02-08 08:32:56 +01:00
17Halbe 7fc0bf145f Updated Configure Fail2ban (markdown) 2018-02-08 08:28:41 +01:00
17Halbe 5394a505b9 Restrict access (Closes #452, #816)
new setup.sh function, new tests, new script
2018-02-07 21:33:07 +01:00
Darren McGrandle 3afbf12a46 Updated Overwrite Default Postfix Configuration (markdown) 2018-02-07 12:01:12 -08:00
17Halbe 115ad555be Introduce .env for docker-compose examples (Closes #815)
Introduce .env for docker-compose examples
2018-02-07 19:37:26 +01:00
H4R0 f6404156f9 Changed Junk folder to be created and subscribed by default (#806) 2018-02-06 20:21:37 +01:00
Johan Smits a643caf793 Add restart message 2018-02-06 19:57:16 +01:00
TechnicLab f68befdbee Added reject_sender_login_mismatch (Closes: #811) 2018-02-06 19:35:32 +01:00
Jurek Barth e1e4542390 Fix: Add SRS to fix SPF issues on redirect #611 (#814)
* add srs support

* change autorestart behavior

* this may work now

* make postsrsd’s own wrapper file

* fix dockerfile formatting

* fixing tests
2018-02-06 08:11:57 +01:00
17Halbe 3b7fc5930c Introducing Postscreen (#799)
* Introduced Postscreen

cheaper, earlier and simpler blocking of zombies/spambots.
From http://postfix.cs.utah.edu/POSTSCREEN_README.html :
As a first layer, postscreen(8) blocks connections from zombies and other spambots that are responsible for about 90% of all spam. It is implemented as a single process to make this defense as cheap as possible.

Things we need to consider:

 - Do we need a whitelist/backlist file? (http://postfix.cs.utah.edu/postconf.5.html#postscreen_access_list)
   - Via introducing an optional config/postfix-access.cidr
   - The only permanent whitelisting I could imagine are monitoring services(which might (still?) behave weird/hastely) or blacklisting backup servers(since no traffic should be coming from them anyway)
 - Do we need deep inspections? They are desireable, but these tests are expensive: a good client must disconnect after it passes the test, before it can talk to a real Postfix SMTP server. Considered tests are:
   - postscreen_bare_newline_enable (http://postfix.cs.utah.edu/postconf.5.html#postscreen_bare_newline_action)
   - postscreen_non_smtp_command_enable (http://postfix.cs.utah.edu/postconf.5.html#postscreen_non_smtp_command_action)
   - postscreen_pipelining_enable (http://postfix.cs.utah.edu/postconf.5.html#postscreen_pipelining_action)
- Do we need to make the blacklisting via dnsblocking configurable? It's currently set and weighted as follows, where a score of 3 results in blocking, a score of -1 results in whitelisting:
   (*: adds the specified weight to the SMTP client's DNSBL score. Specify a negative number for whitelisting.)
   (http://postfix.cs.utah.edu/postconf.5.html#postscreen_dnsbl_sites)
   - zen.spamhaus.org*3
   - bl.mailspike.net
   - b.barracudacentral.org*2
   - bl.spameatingmonkey.net
   - bl.spamcop.net
   - dnsbl.sorbs.net
   - psbl.surriel.com
   - list.dnswl.org=127.0.[0..255].0*-2
   - list.dnswl.org=127.0.[0..255].1*-3
   - list.dnswl.org=127.0.[0..255].[2..3]*-4
- What to do when blacklisting? I currently set it to drop. We could
   - ignore: Ignore the failure of this test. Allow other tests to complete. Repeat this test the next time the client connects. This option is useful for testing and collecting statistics without blocking mail.
   - enforce: Allow other tests to complete. Reject attempts to deliver mail with a 550 SMTP reply, and log the helo/sender/recipient information. Repeat this test the next time the client connects.
   - drop: Drop the connection immediately with a 521 SMTP reply. Repeat this test the next time the client connects.

In the end I think we could drop postgrey support. Postscreen replaces postgrey in its entirety, while being more selective and not delaying mail. Especially if we consider using the deep inspection options of postscreen.

Hope that wasn't too much to read! ;)

* main.cf got misformatted..
Don't know how, should be ok now.

* fixed malformatted main.cf & repaired master.cf

* reenabled rbl stuff.. It's cached, therefore doesn't hurt

* fixed tests

* added tests, repaired tests, added info, introduced new Variable POSTSCREEN_ACTION, fixes
2018-02-04 21:31:08 +01:00
Marek Walczak b4b19e76b7 Stretch backport (#813)
* install dovecot from backports

* dovecot 2.2.33 has a slightly different TLS-configuration than 2.2.27

* want to have both images a the same time

* make use of the /etc/dovecot/ssl as mkcert.sh (2.2.33) is using that folder for certs.
2018-02-04 21:27:47 +01:00
17Halbe c1e490d6b5 Added fail2ban description 2018-02-01 09:36:13 +01:00
17Halbe c2f4220016 fail2ban handling integrated in setup.sh (#797)
* fail2ban handling integrated in setup.sh

- calling \"./setup debug fail2ban\" lists all iptable chains whith blocked IPs (like: Banned in dovecot: 91.200.12.164
										       Banned in postfix-sasl: 91.200.12.164)
- calling \"./setup debug fail2ban unban xxx.xxx.xxx.xxx [yyy.yyy.yyy.yyy ...]\" unbans/removes those IPs from all jails.
- calling \"./setup debug fail2ban unban\" (without an IP) gives an descriptive error: (You need to specify an IP address. Run "./setup.sh debug fail2ban" to get a list of banned IP addresses.)

* disable_vrfy_command: (#798)

Prevents Spammers from collecting existing mail-addresses by probing the mailserver for them.

* Added support for Dovecot and Postfix LDAP TLS (#800)

* Allow setup of LDAP STARTTLS for Dovecot and Postfix

* Added tests for TLS config override

* Add missing Postfix TLS options

* Added missing new line at the end of the file

* Added STARTTLS tests for Postfix config

* tests added
and made the script output look more shiny.

* setup.sh enhancements
2018-01-31 22:25:29 +01:00
17Halbe b14249faf2 Updated Setup docker mailserver using the script setup.sh (markdown) 2018-01-30 18:05:00 +01:00
Hugues Granger b0532e3d88 AWS_SES_PORT was implemented, but wiki not updated 2018-01-26 18:32:53 +01:00
Mathieu Brunot d270fcdd40 Added support for Dovecot and Postfix LDAP TLS (#800)
* Allow setup of LDAP STARTTLS for Dovecot and Postfix

* Added tests for TLS config override

* Add missing Postfix TLS options

* Added missing new line at the end of the file

* Added STARTTLS tests for Postfix config
2018-01-25 22:38:41 +01:00
17Halbe eea4ec1dbc disable_vrfy_command: (#798)
Prevents Spammers from collecting existing mail-addresses by probing the mailserver for them.
2018-01-25 08:32:00 +01:00
Johan Smits 84c0d23a80 Remove no mail option. 2018-01-09 08:39:54 +01:00
Sylvain Benner 0748734b19 Add requirements to README (#789) 2018-01-09 08:31:15 +01:00
Steve Johnson 55b0a5bfb8 Updated Debugging (markdown) 2018-01-01 21:07:54 -07:00
Steve Johnson db63b693d3 Updated Debugging (markdown) 2018-01-01 14:23:27 -07:00
Steve Johnson 34f929ed6b Updated Debugging (markdown) 2018-01-01 14:20:58 -07:00
Steve Johnson 276f199e4f Updated Debugging (markdown) 2018-01-01 10:33:39 -07:00
Steve Johnson 11e5262b09 Updated Debugging (markdown) 2018-01-01 10:32:03 -07:00
Steve Johnson a77d21a6c4 Updated Debugging (markdown) 2018-01-01 10:30:55 -07:00
Steve Johnson a95250e74f Updated Debugging (markdown) 2018-01-01 10:30:39 -07:00
Steve Johnson 1065e17dcb Updated Debugging (markdown) 2018-01-01 10:29:12 -07:00
Steve Johnson 3363d77f96 Updated Debugging (markdown) 2018-01-01 10:28:23 -07:00
Steve Johnson 1a94c99c3a Updated Debugging (markdown) 2018-01-01 10:27:39 -07:00
Steve Johnson 8c4ba0e2d8 Updated Debugging (markdown) 2018-01-01 10:27:15 -07:00
Marek Walczak 49b3867c1b debian stretch slim (#784)
* Switch to stretch-slim as base image.
 - first step correct the testdata, as newer packages are more strict
about the mail-structure.

* Switch to stretch-slim: correcting the test-environment and the build
 - add missing build-step to make
 - clean the userdb aswell
 - use timeout of netcat, as postgrey would not close the connection
 - there is 2 extra mail-logs -> assert_output 5
 - cosmetic: use "" instead of ''

* Switch to stretch-slim:
new image:
 - smaller size
 - 0 CVEs compared to 11 CVEs in ubuntu 16.04 Image
better backport situation
 - postfix 3.1.6 vs 3.1.0
 - fail2ban 0.9.6 vs 0.9.3
 ...
changes needed because of stretch-slim:
- add missing gnupg and iproute2 package
- remove non-free rar, unrar-free should do
- rsyslog does not add syslog user and has different conf-structure
- pyzor command discover was deprecated and is missing in the new
stretch package

- dovecot does not know SSLv2 anymore. removed because of warnings in
log

- iptables does not know imap3, IMAP working group chose imap2 in favor
of imap3

* Switch to debian stretch slim:
SSLv2 seems to be a not known protocol anymore - good!

* switch to debian stretch slim:
make this test more stable. there might be more than only one mail.log
(mail.info, mail.warn, ...)

* switch to debian stretc slim:
 new openssl 1.1.0 needs stronger ciphers, removed some weekers ones.
Please, look through the new list of cipher! this needs to be done in
another commit for all other SSL/TLS-Endpoints aswell.

* Switch to debian stretch slim:
let our server pre-empt the cipher list.
Did a read through, wwwDOTpostfixDOTorg/FORWARD_SECRECY_READMEDOThtml
and
wwwDOTpostfixDOTorg/TLS_READMEDOThtml

* Switch to debian stretch slim: lets give this openssl-based test a new and independent but identical container.  many other test on the main 'mail' container might interfere here.

* Switch to debian stretch slim: remove unused lines
2017-12-31 12:33:48 +01:00
Toru Hisai b0526d0afe fix arguments for [ command (#783) 2017-12-31 10:49:15 +01:00
Alessio Nava c26d02a910 Changed omitted headers for DKIM with mailtrain (#774)
Added List-ID and List-Unsubscribe omitted headers for DKIM verification.
2017-12-18 21:55:50 +01:00
Damian Moore 01a41e9d93 Use PCRE for alias regular expressions instead of the basic type (#751) 2017-12-07 19:44:45 +01:00
Marek Walczak d62ea049e6 Add ability to override fail2ban.conf with fail2ban.local values. (#769)
* Add ability to override fail2ban.conf with fail2ban.local values.
2017-12-07 19:27:31 +01:00
Marek Walczak 2be8757322 this an explaining PR #769 2017-11-30 22:55:27 +01:00
makloda b7259d2500 Added info on how to use Synology NAS generated letsencrypt certificates and how to find them 2017-11-11 18:38:37 +01:00