Commit graph

662 commits

Author SHA1 Message Date
Andreas Perhab ec330a35a1
ClamAV: add a warning for the internal message size limit (#3341) 2023-05-15 15:46:13 +02:00
Georg Lauterbach a99ae786db
adjust antivirus.conf for Rspamd (#3331)
See #3320
2023-05-15 07:01:13 +02:00
Georg Lauterbach 9fd00bd6ad
Rspamd: adjust learning of ham (#3334)
* adjust learning of ham

See #3333

When moving a mail from the Junk folder to the Trash folder, the mail
previously classified as ham due to the wildcard match of `*`. Because
the syntax does not allow for negation, we can only change the behavior
in a way that mails are learned as ham when they are moved into `INBOX`
from `Junk`. This is reasonable though.

* adjust tests accordingly

* adjust docs accordingly
2023-05-13 13:59:16 +02:00
Georg Lauterbach 78b7f0cbea
scripts: improve CLAMAV_MESSAGE_SIZE_LIMIT usage (#3332)
* add sanity check for Clam size & adjusted MaxScanSize

The second part is of special importance! See
<https://askubuntu.com/a/1448525>, which explains that the maximum scan
size is important as well. We previously just set the maximum file size,
which actually is pretty insecure as we silently not scan mile bigger
than `MaxScanSize`. This is corrected now.

* add SlamAV size configuration to Rspamd
2023-05-12 16:04:41 +02:00
ghnp5 823ef33a92
fix: typo about OpenDMARC (#3330)
Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
2023-05-11 18:10:51 +02:00
Georg Lauterbach e4274ef113
docs: improve Rspamd docs about DKIM signing of multiple domains (#3329)
* improve Rspamd docs

See #3326 & #3328

* improve warning message

See #3328
2023-05-11 18:08:54 +02:00
Brennan Kinney 793e4026fc
chore(main.cf): Add note advising caution changing mydestination (#3316)
Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
Co-authored-by: Casper <casperklein@users.noreply.github.com>
2023-05-10 23:23:02 +00:00
Georg Lauterbach 595ff03804
Postfix: rename "smtps" to "submissions" (#3235) 2023-05-10 11:29:51 +02:00
Georg Lauterbach c461dabe9e
docs/misc: update to align with Docker Compose v2 (#3295)
* rename: `docker-compose.yml` => `compose.yaml`
* rename: `docker-compose` => `docker compose`
2023-05-10 11:02:44 +02:00
Georg Lauterbach bba72daedf
scripts: add DKIM helper script for Rspamd (#3286)
Co-authored-by: Casper <casperklein@users.noreply.github.com>
2023-05-03 08:30:49 +02:00
Casper 423188176f
fail2ban: add 'log' command (#3299)
Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
2023-05-03 00:13:44 +02:00
Georg Lauterbach 2bdbe5d918
F2B: update F2B after discussion in #3256 (#3288) 2023-05-01 15:00:35 +02:00
Georg Lauterbach b6261c7387
remove unnecessary return 0 statements (#3290)
See <https://github.com/docker-mailserver/docker-mailserver/pull/3285#issuecomment-1521706729>
2023-04-29 10:55:54 +02:00
Georg Lauterbach 7e7497ae5a
scripts: apply fixes to helpers when using set -eE (#3285)
For an upcoming PR, these changes are required, because the script that
is using the helpers uses `set -eE`. This leads to situations where
errors are not properly handled in our helpers (yet; I plan on changing
that in the future).
2023-04-24 14:35:19 +02:00
Georg Lauterbach 449d53fc3f
docs/scripts: remove WIP warnings for Rspamd (#3283) 2023-04-23 15:14:36 +02:00
Georg Lauterbach cd1721334c
scripts: Rspamd stabilization pt. 2 (#3282)
* move modules adjustment file to new location

Because we link `/tmp/docker-mailserver/rspamd/override.d` to
`/etc/rspamd/override.d`, I think it makes sense to move the modules
adjustment file into `/tmp/docker-mailserver/rspamd/` as well.

I write the code in a way that it is backwards compatible for now, so
this is NOT a breaking change.

* minor improvement to `__rspamd__handle_user_modules_adjustments`

The expansion of `ARGUMENT3` is now done in a way that only adds the
whitespace in case the variable is set and not null.

* move test file structure to respect latest changes

Because we're now linking `rspamd/override.d/`, we can simplify the
setup a bit. But this requires a change in directory structure.

The current Rspamd test will be renamed to `rspamd_full.bats`, because I
plan on adding more tests in different files for different feature sets.
This is done to make this feature well-tested!

* improved and added tests to Rspamd-full

FYI: The line

```bats
_run_in_container grep 'sieve_global_extensions.*\+vnd\.dovecot\.pipe'
"${SIEVE_CONFIG_FILE}"
```

was testing a condition that should actually not be met, but when I
started working on this feature, I thought this was the correct
configuration. Adding the `assert_success` statements revealed this
wrong line.

I also added tests to check whether `override.d` is linked correctly.

* renamed: `rspamd.bats` => `rspamd_full.bats`

* added new tests for incomplete Rspamd feature set

We now test that warnings are emitted & features are disabled correctly.

* update documentation
2023-04-23 14:02:56 +02:00
Georg Lauterbach 638975922e
scripts: Rspamd stabilization pt. 1 (#3261)
* added checks whether OpenDKIM/OpenDMARC/policyd-spf are enabled
* added functions to check if VAR is 0/0 or an int

and also added tests.

I also adjusted the test file to not run in a container, because there
is no need. This also decreases test time, which, in turn, increases
maintainers' happiness.

* added more checks to Rspamd setup

I added the helpers from the previous commit to the Rspamd setup to make
the whole setup more robust, and indicate to the user that an ENV
variable's value is incorrect.

While we did not issues for this in the past, I believe it to be
worthwhile for the future.

* added canonical directory for users to place files in

This dir is canonical with DMS's optional configuration dirs, as it
lives in well-known volume mounts. Hence, users will not need to adjust
`/etc/rspamd/override.d` manually anymore, or mount a volume to this
place.

The docs explain this now, but the DKIM page needs a slight update on
this too I guess. I will follow-up here.

* misc minor improvements
* use variables for common directories
2023-04-23 12:22:54 +02:00
Georg Lauterbach 88cd244e47
scripts: misc improvements (#3281)
* corrected typo
* corrected indentation
2023-04-23 12:16:53 +02:00
Andreas Perhab 2b330fdc49
scripts: remove superfluous EOF in dmarc_dkim_spf.sh (#3266)
Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
2023-04-20 09:52:07 +02:00
Casper ea07bcdb4c
scripts: improve shutdown function by making PANIC_STRATEGY obsolete (#3265) 2023-04-18 23:38:46 +02:00
James a735dddc52
scripts: fix setting SRS_EXCLUDE_DOMAINS during startup (#3271) 2023-04-18 17:07:08 +02:00
Andreas Perhab 2f33f44f4a
postfix.sh: add missing -E for extended regexes in smtpd_sender_restrictions (#3272) 2023-04-18 11:08:19 +02:00
Georg Lauterbach 3f22cbce01
scripts: disallow alias = account (#3270) 2023-04-17 19:22:50 +02:00
Georg Lauterbach c8dfb9ac76
Posfix: add option to re-enable reject_unknown_client_hostname after #3248 (#3255) 2023-04-16 14:09:00 +02:00
Georg Lauterbach 03772f612a
scripts: get all policyd-spf setup in one place (#3263) 2023-04-15 00:40:42 +02:00
Georg Lauterbach 1076aac37d
change F2B configs: made config more aggressive (#3243) 2023-04-11 20:28:43 +02:00
Georg Lauterbach 9a284150b2
Rspamd: replace reject_unknown_client_hostname with Rspamd HFILTER_HOSTNAME_UNKNOWN and make it configurable (#3248) 2023-04-11 18:51:23 +02:00
Georg Lauterbach 806d3efef9
Rspamd: add greylisting option & code refactoring (#3206) 2023-04-11 09:16:57 +02:00
Georg Lauterbach 9ee33a81b7
scripts: make policyd-spf configurable (#3246) 2023-04-11 08:52:43 +02:00
Georg Lauterbach 1e20e7c332
Image registry and setup update (#3233)
Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
2023-04-10 11:37:25 +02:00
Georg Lauterbach 585a2d64d2
config: remove chroot for Dovecot & PostSRSd (#3208)
* remove PostSRSd chroot
* remove chroot for Dovecot

A dedicated file for Dovecot's chroot environments is easier to handle
and adjust later.
2023-03-31 12:17:44 +02:00
Casper f4fe5bf527
Update SA_KILL values; follow up to #3058 (#3204) 2023-03-27 01:59:43 +02:00
Casper 6fa06f4986
Fix: only chmod when there are files (#3203) 2023-03-26 20:30:34 +08:00
Georg Lauterbach e58dd1b95b
Rspamd: more features (#3159) 2023-03-18 23:32:48 +08:00
Casper 6c97a505be
fix: postsrsd restart loop (#3160) 2023-03-13 12:39:03 +13:00
Casper 2da3e1b022
fix: SRS setup (#3158) 2023-03-12 12:10:45 +01:00
Jack Pearson 0baf82f7d0
fix: TLS setup (self-signed) error message should include SS_CA_CERT (#3168) 2023-03-10 18:25:46 +13:00
Georg Lauterbach dab70709d9
scripts: improve panic helpers (#3155) 2023-03-06 10:06:50 +01:00
Georg Lauterbach b5fc40eb7a
fix regression introduced in #3153 (#3157) 2023-03-05 22:23:25 +01:00
Casper a8f6fa6181
DRY: Replace path with variable in mail_state.sh (#3153) 2023-03-05 16:59:01 +01:00
Georg Lauterbach 4e9ffbf224
fix(Postfix): special bits for maildrop and public directory (#3149)
* fixed special bits for maildrop and public dir

After changing the group, special bits are lost, but they should be set for the directories `/var/spool/postfix/{maildrop,public}`, otherwise you see the following error:

```
postfix/postdrop[17400]: warning: mail_queue_enter: create file maildrop/729504.17400: Permission denied
```

* fix: Match octal permissions originally provided

Officially Postfix source seems to imply:
- `730` for `maildrop/` (_but has mentioned a sticky bit in the past, set-gid bit only for the postdrop binary involved_)
- `710` for `public/`

Both folders are assigned the same group that `postdrop` belongs to which has the SGID permission for it's executable. SGID special bit on`public/` doesn't seem necessary, but left as-is to match the default from Debian.

---------

Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
2023-03-05 20:57:40 +13:00
Georg Lauterbach 8ec5dbec74
scripts: touchups for v12.0.0 (#3144) 2023-03-04 10:57:42 +01:00
Georg Lauterbach 5e9849d94f
rspamd: rename ENABLE_REDIS & add persistence for Redis (#3143) 2023-03-04 10:45:43 +01:00
Georg Lauterbach f0edcc28d9
config: ensure SASL socket file is not inside a volume mount (#3131) 2023-03-03 23:42:55 +01:00
Brennan Kinney 9a9380150e
fix: Avoid creating an unnecessary syslog socket for Postfix (#3134)
Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
2023-03-03 23:08:51 +01:00
Georg Lauterbach 5ec6845c96
config/ENV: improve Postfix config for spoof protection (#3127) 2023-03-03 15:55:32 +01:00
Georg Lauterbach 9e2f96448a
scripts: remove PostSRSD wrapper (#3128)
* remove PostSRSD wrapper

The setup is now completely done during _actual_ setup phase. The
wrapper did not even catch signals (SIGINT, etc.), which I think is
strange.

I also added all the ENVs the wrapper relied on (which previously could
have been unset) to the variables script.

* forgot adjusting the `Dockerfile`
2023-03-02 17:44:01 +01:00
Georg Lauterbach f3edcf9cd5
issue warning in case of improper restart (#3129) 2023-03-01 16:33:54 +01:00
Georg Lauterbach 0949f16344
scripts/ENV: make disabling Redis possible (#3132)
* make disabling Redis possible

* add documentation

* Apply suggestions from code review

* Update docs/content/config/environment.md

---------

Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
2023-03-01 16:24:59 +01:00
Georg Lauterbach dfc2b39308
scripts: housekeeping & cleanup setup (2/2) (#3123) 2023-02-28 10:25:23 +01:00