# syntax=docker.io/docker/dockerfile:1 # This Dockerfile provides two stages: stage-base and stage-final # This is in preparation for more granular stages (eg ClamAV and Fail2Ban split into their own) # # Base stage provides all packages, config, and adds scripts # FROM docker.io/debian:11-slim AS stage-base ARG DEBIAN_FRONTEND=noninteractive ARG DOVECOT_COMMUNITY_REPO=1 ARG LOG_LEVEL=trace SHELL ["/bin/bash", "-e", "-o", "pipefail", "-c"] # ----------------------------------------------- # --- Install Basic Software -------------------- # ----------------------------------------------- COPY target/bin/sedfile /usr/local/bin/sedfile RUN </etc/cron.d/clamav-freshclam chmod 644 /etc/clamav/freshclam.conf sedfile -i 's/Foreground false/Foreground true/g' /etc/clamav/clamd.conf mkdir /var/run/clamav chown -R clamav:root /var/run/clamav rm -rf /var/log/clamav/ EOF # ----------------------------------------------- # --- Dovecot ----------------------------------- # ----------------------------------------------- COPY target/dovecot/*.inc target/dovecot/*.conf /etc/dovecot/conf.d/ COPY target/dovecot/sieve/ /etc/dovecot/sieve/ COPY target/dovecot/dovecot-purge.cron /etc/cron.d/dovecot-purge.disabled RUN chmod 0 /etc/cron.d/dovecot-purge.disabled WORKDIR /usr/share/dovecot # hadolint ignore=SC2016,SC2086,SC2069 RUN <>/etc/postfix-policyd-spf-python/policyd-spf.conf COPY target/fetchmail/fetchmailrc /etc/fetchmailrc_general COPY target/postfix/main.cf target/postfix/master.cf /etc/postfix/ # DH parameters for DHE cipher suites, ffdhe4096 is the official standard 4096-bit DH params now part of TLS 1.3 # This file is for TLS <1.3 handshakes that rely on DHE cipher suites # Handled at build to avoid failures by doveadm validating ssl_dh filepath in 10-ssl.auth (eg generate-accounts) COPY target/shared/ffdhe4096.pem /etc/postfix/dhparams.pem COPY target/shared/ffdhe4096.pem /etc/dovecot/dh.pem COPY \ target/postfix/header_checks.pcre \ target/postfix/sender_header_filter.pcre \ target/postfix/sender_login_maps.pcre \ /etc/postfix/maps/ RUN </etc/aliases sedfile -i 's/START_DAEMON=no/START_DAEMON=yes/g' /etc/default/fetchmail mkdir /var/run/fetchmail && chown fetchmail /var/run/fetchmail EOF # ----------------------------------------------- # --- Logs -------------------------------------- # ----------------------------------------------- RUN </dev/null \|\| true|g' /etc/logrotate.d/clamav-daemon sedfile -i -r 's|/var/log/clamav|/var/log/mail|g' /etc/logrotate.d/clamav-freshclam sedfile -i -r '/postrotate/,/endscript/d' /etc/logrotate.d/clamav-freshclam sedfile -i -r 's|/var/log/mail|/var/log/mail/mail|g' /etc/logrotate.d/rsyslog sedfile -i -r '/\/var\/log\/mail\/mail.log/d' /etc/logrotate.d/rsyslog # prevent syslog logrotate warnings sedfile -i -e 's/\(printerror "could not determine current runlevel"\)/#\1/' /usr/sbin/invoke-rc.d sedfile -i -e 's/^\(POLICYHELPER=\).*/\1/' /usr/sbin/invoke-rc.d # prevent syslog warning about imklog permissions sedfile -i -e 's/^module(load=\"imklog\")/#module(load=\"imklog\")/' /etc/rsyslog.conf # prevent email when /sbin/init or init system is not existing sedfile -i -e 's|invoke-rc.d rsyslog rotate > /dev/null|/usr/bin/supervisorctl signal hup rsyslog >/dev/null|g' /usr/lib/rsyslog/rsyslog-rotate EOF # ----------------------------------------------- # --- Logwatch ---------------------------------- # ----------------------------------------------- COPY target/logwatch/maillog.conf /etc/logwatch/conf/logfiles/maillog.conf # ----------------------------------------------- # --- Supervisord & Start ----------------------- # ----------------------------------------------- COPY target/supervisor/supervisord.conf /etc/supervisor/supervisord.conf COPY target/supervisor/conf.d/* /etc/supervisor/conf.d/ # ----------------------------------------------- # --- Scripts & Miscellaneous-------------------- # ----------------------------------------------- RUN <