Commit graph

185 commits

Author SHA1 Message Date
Georg Lauterbach a9305a073f
firewall: replace iptables with nftables (#2505)
* first adjustments to use Fail2Ban with nftables

* replace `iptables` -> `nftables` and adjust tests

nftables lists IPs a bit differently , so the order was adjusted for the
tests to be more flexible.

* line correction in mailserver.env

* change from `.conf` -> `.local` and remove redundant config

* revert HEREDOC to `echo`

Co-authored-by: Casper <casperklein@users.noreply.github.com>
2022-04-05 15:13:59 +02:00
Georg Lauterbach a1ecd781c8
scripts: introduce _log to sedfile (#2507) 2022-04-02 15:52:30 +02:00
Casper f22d75fa62
Remove invalid URL from SPF message (#2503) 2022-03-22 17:53:12 +01:00
NorseGaud f14945c52d
issues/2023: postfix is not able to install due to incorrect hostname in container 2022-03-06 19:57:31 -05:00
Georg Lauterbach b61dfe1e24
refactoring: split helper functions into smaller scripts (#2420) 2022-02-21 11:56:57 +01:00
Georg Lauterbach 2927cc47c7
Add SpamAssassin KAM (#2418) 2022-02-21 10:48:28 +01:00
Georg Lauterbach 701037d3b2
added libldap-common to packages in Dockerfile (#2341) 2021-12-25 20:44:24 +01:00
Georg Lauterbach 8a47e7db11
chore(image): Update Debian base image to Debian 11 "Bullseye" (#2116) 2021-12-11 11:24:46 +13:00
Brennan Kinney 5254f7c658
fix: check-for-changes.sh should not fall out of sync with shared logic (#2260)
Removes duplicate logic from `check-for-changes.sh` that is used/maintained elsewhere to avoid risk of problems, as this code is already starting to diverge / rot.

---

Previously the change detection support has had code added for rebuilding config upon change detection which is the same as code run during startup scripts. Unfortunately over time this has fallen out of sync. Mostly the startup scripts would get maintenance and the contributor and reviewers may not have been aware of the duplicate code handled by `check-for-changes.sh`.

That code was starting to diverge in addition to some changes in structure (_eg: relay host logic seems interleaved here vs separated out in startup scripts_). I wanted to address this before it risks becoming a much bigger headache.

Rather than bloat `helper-functions.sh` further, I've added a `helpers/` folder extracting relevant common logic between startup scripts and `changedetector`. If you want to follow that process I've kept scoped commits to make those diffs easier. Some minor changes/improvements were added but nothing significant.

---

- chore: Extract relay host logic to new `relay.sh` helper
- chore: Extract `/etc/postfix/sasl_passwd` logic to new `sasl.sh` helper
- chore: Extract `postfix-accounts.cf` logic to new `accounts.sh` helper
- chore: Extract `/etc/aliases` logic to new `aliases.sh` helper
- chore: Extract `/etc/postfix/vhost` logic to new `postfix.sh` helper

- chore: Add inline docs for Postfix configs
> These are possibly more verbose than needed and can be reduced at a later stage.
> They are helpful during this refactor process while investigating that everything is handled correctly.

`accounts.sh`: 
- Add note regarding potential bug for bare domain setups with `/etc/postfix/vhost` and `mydestination` sharing same domain value.

`relay.sh`: 
- Remove the tabs for a single space delimiter, revised associated comment.
- Add PR reference for original `_populate_relayhost_map` implementation which has some useful details.


Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
Co-authored-by: Casper <casperklein@users.noreply.github.com>
2021-11-21 09:33:49 +13:00
Casper b117cd1423
Improve VIRUSMAILS_DELETE_DELAY usage (#2281) 2021-11-01 22:13:14 +01:00
Brennan Kinney 4db546d300
fix: Don't needlessly invalidate cache layers (#2197)
Recent `sedfile` addition moved all scripts section earlier into the Dockerfile so that `sedfile` could be used within the Dockerfile.

However whenever a change is made to scripts which is most of the time for this project, building the Docker image for tests results in all layers after the scripts being invalidated, notably ClamAV, wasting storage of previous instances and increasing build time unnecessarily.

This isn't as noticeable of an issue via the CI as we don't leverage any caching at present there, but for iterating on a local branch and testing, it can be quite the drawback.

- `sedfile` is handled early in the Dockerfile still, while the scripts have been moved as far down as it made sense to.
- `chmod` was split out into it's own RUN command as again it's unnecessary for the rest of it's prior RUN command group to be invalidated.
2021-09-19 12:36:26 +00:00
Brennan Kinney c851f5b6aa
fix: Remove mkcert.sh usage + _setup_ssl refactor. (#2196)
* chore(refactor): DRY up the `_setup_ssl` method

- `/etc/postfix/ssl` was a bit misleading in usage here. As a maintainer (of my own contribution!) I was confused why only `/etc/postfix/ssl` was referenced and not `/etc/dovecot/ssl`.
- The postfix specific path is unnecessary, dovecot was referencing it via it's config, the same can be done from postfix to a generic DMS specific config location instead.
- This location is defined and created early as `/etc/dms/tls` (with var `DMS_TLS_PATH`). All usage of `/etc/postfix/ssl` has been replaced, making it easier to grok. Several `mkdir` commands related to this have been dropped as a result.

- Likewise, a related `TMP_DMS_TLS_PATH` var provides a reference to the config volume path `/tmp/docker-mailserver` which is used for conditions on presently hard-coded paths.

- Other values that benefit from being DRY have been lifted up into vars. Definitely easier to follow now and makes some further opportunities clearer to tackle in a future refactor.

- `chmod` has been updated where appropriate. Public key/cert is acceptable to have as readable by non-root users (644). The custom type with single fullchain file was not root accessible only, but should as it contains a private key.
- That said, the security benefit can be a bit moot due to source files that were copied remain present, the user would be responsible to ensure similar permissions on their source files.

- I've not touched LetsEncrypt section as I don't have time to investigate into that yet (not familiar with that portion).

---

* chore: Remove mkcert logic and dovecot cert

- No longer serving a purpose.
- Our own TLS startup script handles a variety of cert scenarios, while the dropped code was always generating a self-signed cert and persisting an unused cert regardless with `ONE_DIR=1`.
- To avoid similar issues that DH params had with doveadm validating filepath values in the SSL config, the default dummy values match postfix pointing to "snakeoil" cert. That serves the same purpose as mkcert was covering in the image.
- Bonus, no more hassle with differing mkcert target paths for users replacing our supplied Dovecot with the latest community edition.

---

* Error handling for SSL_TYPE

- Added a panic utility to exit early when SSL_TYPE conditions are misconfigured.
- Some info text had order of key/cert occurrence swapped to be consistent with key then cert.
- Some existing comments moved and rephrased.
- Additional comments added.
- `-f` test for cert files instead of `-e` (true also for directories/devices/symlinks).
- _notify messages lifted out of conditionals so that they always output when the case is hit.
- ~~Empty SSL_TYPE collapsed into catch all panic, while it's contents is now mapped to a new 'disabled' value.~~

---

* Use sedfile + improve sed expressions + update case style

- Uses sedfile when appropriate (file change intentional, not optional match/check).
- sed expressions modified to be DRY and reduce escaping via `-r` flag (acceptable if actual text content contains no `?`,`+`,`()` or `{}` characters, [otherwise they must be escaped](https://www.gnu.org/software/sed/manual/html_node/Extended-regexps.html)).
- sed captures anything matched between the parenthesis`()` and inserts it via `\1` as part of the replacement.

- case statements adopt the `(` prefix, adopting recent shell style for consistency.

---

* Refactor SSL_TYPE=disabled

- Postfix is also disabled now.
- Included heavy inline documentation reference for maintainers.
- Dropped an obsolete postfix config option 'use_tls' on the relayhost function, it was replaced by 'security_level'.

---

* I'm a friggin' sed wizard now

- The `modern` TLS_LEVEL is the default values for the configs they modify. As such, `sedfile` outputs an "Error" which isn't an actual concern, back to regular `sed`.

- I realized that multiple edits for the same file can all be done at once via `-e` (assuming other sed options are the same for each operation), and that `g` suffix is global scope for single line match, not whole file (default as sed iterates through individual lines).

- Some postfix replacements have `smtp` and `smtpd` lines, collapsed into a single `smtpd?` instead now that I know sed better.

---

* tests(fix): Tests that require SSL/TLS to pass

- SSL_TYPE=snakeoil added as temporary workaround.

- nmap tests are being dropped. These were added about 4-5 years ago, I have since made these redundant with the `testssl.sh` tests.
- Additionally the `--link` option is deprecated and IIRC these grades were a bit misleading when I initially used nmap in my own TLS cipher suite update PRs in the past.
- The removed SSL test is already handled in mail_ssl_manual.bats

ldap test:
- Replace `--link` alias option with `--network` and alias assignment.
- Parameterized some values and added the `SSL_TYPE` to resolve the starttls test failure.

privacy test:
- Also needed `SSL_TYPE` to pass the starttls test.

`tests.bats` had another starttls test for imap:
- Workaround for now is to give the main test container `SSL_TYPE=snakeoil`.

---

* Remove the expired lets-encrypt cert

This expired in March 2021. It was originally required when first added back in 2016 as LetsEncrypt was fairly new and not as broadly accepted into OS trust stores.

No longer the case today.

---

* chore: Housekeeping

Not required for this PR branch, little bit of tidying up while working on these two test files.

- privacy test copied over content when extracted from `tests.bats` that isn't relevant.
- ldap test was not as easy to identify the source of DOVECOT_TLS. Added comment to make the prefix connection to `configomat.sh` and `.ext` files more easier to find.
- Additionally converted the two localhost FQDN to vars.

---

* Default SSL_TYPE becomes `''` (aka equivalent to desired `disabled` case)

- This is to prevent other tests from failing by hitting the panic catchall case.
- More ideal would be adjusting tests to default to `disabled`, rather than treating `disabled` as an empty / unset SSL_TYPE value.

---

* Add inline documentation for `dms_panic`

- This could later be better formatted and placed into contributor docs.

Panic with kill (shutdown) not exit (errex):
- `kill 1` from `_shutdown` will send SIGTERM signal to PID 1 (init process).
- `exit 1` within the `start-mailserver.sh` init scripts context, will just exit the initialization script leaving the container running when it shouldn't.

The two previous `_shutdown` methods can benefit from using `dms_panic` wrapper instead to standardize on panic messages.
2021-09-20 00:31:11 +12:00
Brennan Kinney 08cd4d3371
fix: Enable DH parameters (ffdhe4096) by default (#2192)
This feature was originally introduced by the PR: https://github.com/docker-mailserver/docker-mailserver/pull/1463

- Assign default DH params to use via Dockerfile build instead of copy and update at runtime.
- Parameterized service names and paths.
- Refactor postfix and dovecot dh methods to wrap shared dh logic
- I don't see any value in checking the alternative service for dh params file to copy over, so that's now dropped too.
- Another conditional check is dropped and the default fallback message for existing DH params file is no longer relevant.
- Improved the remaining `_notify` messages. Collapsing the warning into a single logged message also seemed relevant.
- There is no apparent need for special handling with `ONE_DIR=1`. Dropped it.

- Refactor DH params  tests
- Combine custom and default DH param tests into single test file
- docs: Add instructions to use custom DH params

There is no official documented support for custom DH parameters. As no guarantee is provided, this is considered an internal change, not a breaking one.
2021-09-15 20:28:04 +12:00
Nathan Pierce be35d9bef1
Lock file create and remove improvements (#2183)
* changed the locking function to better support multiple servers running at once and sharing the same config

* helper function testing now runs inside of container

Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
2021-09-13 20:09:01 +12:00
Casper e89ea3110f
sed wrapper (#2158)
* sed wrapper 'sedfile' added

* formatting

* sed --> sedfile

* typo

* fix lint

* debug

* fixme

* mkcert fix

* style adjusted

* Update Dockerfile
2021-09-06 10:07:02 +12:00
Casper 6336c0b256
Change default value of ONE_DIR (#2148)
* ONE_DIR=1

* Update Dockerfile

* Update start-mailserver.sh

* Update tests.bats

* Update tests.bats

Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
2021-08-31 13:50:56 +02:00
Andrew Low 0e9c9889ff
Add logwatch maillog.conf file to support /var/log/mail/ (#2112)
* Add logwatch maillog.conf file to support /var/log/mail/
* Simpliied after reviewing logwatch doc

Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
2021-08-11 11:31:00 +02:00
eleith 4473b881cf
add dovecot-fts-xapian (#2064)
* add dovecot-fts-xapian

update Docker to build from debian bullseye slim, as it contains
packages for fts-xapian.

update Docker to install dovecot-fts-xapian.

update docs with instructions on how to enable fts-xapian or fts-solr
and what considerations to take into when deciding.

* address review feedback

* update backport method to previously proposed approach (which was lost in a forced push)
2021-07-05 10:25:26 +00:00
20th 772016ec09
Prevent automatic installation of dbconfig-mysql (#2059)
Debian opendmarc package has a dependency on dbconfig-mysql, which it
will pull, together with its dependencies, during image build.

Explicitly listing an alternative dbconfig-no-thanks package prevents
installation of unnecessary packages and reduces the image size.
2021-06-27 11:27:31 +02:00
Andreas Perhab de05ce91a2
Use keyserver that still returns keys with user IDs (#2051)
keys.gnupg.net doesn't return user IDs (without approval) and therefore gpg
doesn't accept keys from it.
2021-06-22 10:37:44 +02:00
Casper 80a0425ade
Update postgrey whitelist 2021-06-17 18:16:28 +02:00
Georg Lauterbach 65fc24414c
follow up on #2024 implementing @polarathene's suggestions (#2030) 2021-06-09 11:07:01 +12:00
Georg Lauterbach e7b88d865b
cleaned up >/dev/nulls in Dockerfile and replaced em dashes with normal dashes (#2024) 2021-06-08 13:20:20 +12:00
Casper bab0277723
Update check (#1951)
* mail binary

* initial work

* make env vars available

* typo

* some fixes

* make script ugly, to satisfy linter..

* mailserver.env updated

* Version to welcome message added

* remove VERSION file references

* VERSION --> DMS_VERSION

* fetch remote version

* variable usage

* Quoting added

* edge test & docu

* dash removed

* subject changed

* re-add VERSION

* VERSION added

* new file:   VERSION

* rewrite

* unnecessary additions from fail2ban PR removed

* UPDATE_CHECK_INTERVAL added

* syntax check & _log function

* comment added

* final commit
2021-05-19 21:18:06 +02:00
Casper 225e21edb7
Add version variable (#1976) 2021-05-17 14:54:43 +02:00
Casper 0ba8630c72
ARM build fix (#1971) 2021-05-16 21:05:39 +02:00
Georg Lauterbach 75e74e4a19
introduce F2B v0.11 (#1965) 2021-05-15 11:11:10 +02:00
Moritz Marquardt 271d94a37e
Add LDAP_QUERY_FILTER_SENDERS setting for spoof protection with LDAP (#1902) 2021-04-17 22:40:19 +02:00
Casper ba0f9199b7
fail2ban cleanup (#1895) 2021-04-11 15:33:39 +00:00
Casper 22321c308c
fix SpamAssassin spelling/typos (#1869) 2021-03-28 22:07:52 +02:00
Georg Lauterbach c881facbd2
start-mailserver.sh split (#1820)
* splitting start-mailserver.sh

* refactoring part 2

* refactored setup-stack.sh
* stzarted adjusting target/bin/*.sh to use new usage format

* corrected lowercase-uppercase test error

* better handling of .bashrc variable export

* linting tests and fix for default assignements

* last stylistic changes and rebase
2021-02-23 20:03:01 +01:00
Casper 2740e0fa0c
Remove fix-missing 2021-02-21 23:36:09 +01:00
Georg Lauterbach c6c7b8522d
enhancement for function _setup_postfix_sasl fixing #1796 & more 2021-02-07 18:11:33 +01:00
Georg Lauterbach a0056b1a88
should fix build inconsistencies for razor 2021-01-19 15:32:16 +01:00
Georg Lauterbach dba291dc43
Introducing the repository secret (#18)
* fixes #17
* corrections and adjustments
2021-01-18 20:51:56 +01:00
Casper 6e9f6152be
Add init system 2021-01-16 19:35:42 +01:00
Georg Lauterbach 189e5376cc
Final Migration Step (#6)
* first migration steps
  * altered issue templates
  * altered README
  * removed .travis.yml
* adjusting registry & repository, Dockerfile and compose.env
* Close stale issues automatically
* Integrated CI with Github Actions (#3)
* feat: integrated ci with github actions
* fix: use secrets for docker org and update image
* docs: clarify why we use -t if no tty exists
* fix: correct remaining references to old repo
chore: prettier automatically updated markdown as well
* fix: hardcode docker org
* change testing image to just testing
* ci: add armv7 as a supported platform
* finished migration steps
* corrected linting in build-push action
* corrected linting in build-push action (2)
* minor preps for PR
* correcting push on pull request and minor details
* adjusted workflows to adhere closer to @wernerfred's diagram
* minor patches
* adjusting Dockerfile's installation of base packages
* adjusting schedule for stale issue action
* reverting license text
* improving CONTRIBUTING.md PR text
* Update CONTRIBUTING.md
* a bigger patch at the end
  * moved all scripts into one directory under target/scripts/
  * moved the quota-warning.sh script into target/scripts/ and removed empty directory /target/dovecot/scripts
  * minor fixes here and there
  * adjusted workflows for use a fully qualified name (i.e. docker.io/...)
  * improved on the Dockerfile layer count
  * corrected local tests - now they (actually) work (fine)!
  * corrected start-mailserver.sh to make use of defaults consistently
  * removed very old, deprecated variables (actually only one)
* various smaller improvements in the end
* last commit before merging #6
* rearranging variables to use alphabetic order

Co-authored-by: casperklein <casperklein@users.noreply.github.com>
Co-authored-by: Nick Pappas <radicand@users.noreply.github.com>
Co-authored-by: William Desportes <williamdes@wdes.fr>
2021-01-16 10:16:05 +01:00
Georg Lauterbach e11f4f609a
Merge pull request #1705 from gmasse/new-1697
Add purge cron job for Dovecot dbox format
2020-12-18 23:00:36 +01:00
Germain Masse d400417d0e Add purge cron job for dbox 2020-12-17 20:35:06 +01:00
Jarrod Smith fd9b9ebf1e Comment out errant/noisy kernel logging in /etc/rsyslogd 2020-12-09 20:42:21 +00:00
Jarrod Smith bc95107b54 Get rid of syslogd warning about kernel logging. 2020-12-09 20:02:27 +00:00
Georg Lauterbach da8171388f
Complete Refactor for target/bin (#1654)
* documentation and script updates trying to fix #1647
* preparations for refactoring target/bin/
* complete refactor for target/bin/
* changing script output slightly
* outsourcing functions in `bin-helper.sh`
* re-wrote linting to allow for proper shellcheck -x execution
* show explanation for shellcheck ignore
* adding some more information
2020-10-21 18:16:32 +02:00
Louis e693596b95
Make final permissions on amavis config files more predictable 2020-10-05 17:11:15 +02:00
Louis a9c5367490
Update Dockerfile
Remove write access to group and others to Amavis configuration files

Fix: #1446
2020-10-01 13:54:43 +02:00
Casper 85d670bba0
dovecot community repo info removed (#1627) 2020-09-27 22:23:23 +02:00
Georg Lauterbach a0791ef457
formatting files according to standard (#1619)
* added EditorConfig linting
* adding `eclint` as Travis script target
* re-adjusted .pem files to have a newline
2020-09-24 14:54:21 +02:00
Georg Lauterbach 523a0e25a9
fixing #1563 2020-09-09 11:19:57 +02:00
Erik Wramner b99bce1c2e Nonsense commit to trigger rebuild 2020-05-21 08:13:10 +02:00
Germain Masse 452fe3609f Do not try to reload freshclam daemon after log rotation 2020-05-18 10:10:37 +02:00
youtous 92414b7eba
sieve after/before use folder instead of individual listing
Loading sieve scripts using a directory scheme permits to handle multi scripts wtihout defining individual sieve_before/sieve_after
2020-05-04 00:27:29 +02:00