From 0d17808d1cb042c6b62248ca93b9b0fd78123586 Mon Sep 17 00:00:00 2001
From: Simon Bruder
Date: Sat, 24 Mar 2018 17:52:46 +0000
Subject: [PATCH] dreckiger commit

---
 TODO | 2 ++
 docker-compose.yml | 10 +++++++++-
 dovecot/10-logging.conf | 2 --
 dovecot/Dockerfile | 3 ++-
 dovecot/entrypoint.sh | 11 +++++++----
 newaliases.sh | 4 ++++
 postfix.env | 13 ++++++++++---
 postfix/Dockerfile | 15 +++++++++++----
 postfix/ldap/virtual_alias_maps.cf | 4 ++++
 postfix/ldap/virtual_mailbox_maps.cf | 10 ++++++++++
 postfix/postfix.sh | 23 ++++++++++++++++++++---
 postfix/rsyslog.conf | 10 ++++++++++
 postgrey/Dockerfile | 2 --
 ssl.env | 4 ++--
 14 files changed, 91 insertions(+), 22 deletions(-)
 create mode 100644 TODO
 create mode 100755 newaliases.sh
 create mode 100644 postfix/ldap/virtual_alias_maps.cf
 create mode 100644 postfix/ldap/virtual_mailbox_maps.cf
 create mode 100644 postfix/rsyslog.conf

diff --git a/TODO b/TODO
new file mode 100644
index 0000000..d3ad972
--- /dev/null
+++ b/TODO
@@ -0,0 +1,2 @@
+ * backscatter test
+ * open relay test
diff --git a/docker-compose.yml b/docker-compose.yml
index 36e1e2e..0b7f8bd 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -6,14 +6,18 @@ services:
 env_file:
 - ssl.env
 - postfix.env
+ - ldap.env
 volumes:
 - ./aliases:/etc/postfix/virtual
- - ./domains:/etc/postfix/domains
 - /var/lib/acme/:/var/lib/acme/:ro
 - /var/lib/docker-volumes/mail/queue/:/var/spool/postfix
 - postfix-dh:/etc/postfix/dh-params
 networks:
 mail:
+ auth:
+ ports:
+ - "25:25"
+ - "587:587"
 depends_on:
 - postgrey
 - dovecot
@@ -34,9 +38,12 @@
 volumes:
 - /var/lib/docker-volumes/mail/vmail/:/var/vmail/
 - /var/lib/acme/:/var/lib/acme/:ro
+ - dovecot-dh:/var/lib/dovecot/
 networks:
 mail:
 auth:
+ ports:
+ - "143:143"
 
 rainloop:
 image: runningman84/rainloop
@@ -56,3 +63,4 @@ networks:
 
 volumes:
 postfix-dh: {}
+ dovecot-dh: {}
diff --git a/dovecot/10-logging.conf b/dovecot/10-logging.conf
index df28b41..f5bfbfd 100644
--- a/dovecot/10-logging.conf
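Review bot: Publishing `"25:25"` and `"587:587"` without a host address binds both ports on every interface, and Docker installs its own iptables rules ahead of the host's INPUT chain, so ufw/iptables rules on the host will not filter these ports; if only specific addresses should accept mail, bind them explicitly, e.g. `- "<public-ip>:25:25"`. Port 587 is now reachable from outside while master.cf (not in this diff) decides whether the submission service enforces `smtpd_tls_security_level=encrypt` and `smtpd_sasl_auth_enable=yes`; confirm those overrides exist before relying on the port. `mynetworks` in postfix/Dockerfile is loopback-only, so relaying correctly depends on SASL alone.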
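Review bot: `"143:143"` publishes the STARTTLS IMAP port to the host while 993 stays unpublished, so client safety rests entirely on Dovecot refusing plaintext logins; `ssl = required` and `disable_plaintext_auth = yes` would live at the top of the 10-ssl.conf heredoc in dovecot/entrypoint.sh, which is outside this patch, so please confirm they are set. Because authentication is `auth_bind = yes` against LDAP, a plaintext login on 143 would leak the user's directory password, not just a mail credential. The new `dovecot-dh` volume mounted at `/var/lib/dovecot/` is fine; note that the entrypoint removes `instances` from it on every start.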
+++ b/dovecot/10-logging.conf
@@ -1,7 +1,5 @@
 log_path = /dev/stdout
 
-#auth_verbose = yes
-
 plugin {
 # Events to log. Also available: flag_change append
 #mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename
diff --git a/dovecot/Dockerfile b/dovecot/Dockerfile
index a519886..22debde 100644
--- a/dovecot/Dockerfile
+++ b/dovecot/Dockerfile
@@ -19,6 +19,7 @@ COPY entrypoint.sh /entrypoint.sh
 
 ENTRYPOINT ["/entrypoint.sh"]
 
+VOLUME ["/var/lib/dovecot"]
 VOLUME ["/var/vmail"]
-EXPOSE 24 100 143
+EXPOSE 143
 
diff --git a/dovecot/entrypoint.sh b/dovecot/entrypoint.sh
index 6a7fd82..6ccff8b 100755
--- a/dovecot/entrypoint.sh
+++ b/dovecot/entrypoint.sh
@@ -6,9 +6,9 @@ base = $LDAP_BASE
 auth_bind = yes
 user_filter = (&(objectClass=posixAccount)(mail=%u))
 pass_filter = (&(objectClass=posixAccount)(mail=%u))
-#user_attrs = \
-# =home=/var/vmail/%d/%n, \
-# =mail=maildir:/var/vmail/%d/%n/Maildir
+user_attrs = \
+ =home=/var/vmail/%d/%n, \
+ =mail=maildir:/var/vmail/%d/%n/Maildir
 DOVECOTLDAP
 
 cat > /etc/dovecot/conf.d/10-ssl.conf << SSL
@@ -19,6 +19,9 @@ ssl_key = <$TLS_KEY
 ssl_dh_parameters_length = 2048
 SSL
 
-echo -e "auth_verbose=yes\nauth_debug=yes\nauth_debug_passwords=yes" >> /etc/dovecot/dovecot.conf
+# debugging
+#echo -e "auth_verbose=yes\nauth_debug=yes\nauth_debug_passwords=yes" >> /etc/dovecot/dovecot.conf
+
+[ -e /var/lib/dovecot/instances ] && rm -rf /var/lib/dovecot/instances
 
 exec dovecot -F
diff --git a/newaliases.sh b/newaliases.sh
new file mode 100755
index 0000000..831249a
--- /dev/null
+++ b/newaliases.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+sudo chown root:root aliases
+docker-compose exec postfix postmap /etc/postfix/virtual
+sudo chown $USER:$USER aliases
diff --git a/postfix.env b/postfix.env
index 541d82c..13dc79a 100644
--- a/postfix.env
+++ b/postfix.env
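Review bot: Dropping 24 and 100 from `EXPOSE` does not stop anything from reaching Dovecot's LMTP and SASL listeners: `EXPOSE` is image metadata only, and every container on the shared `mail`/`auth` networks can still connect to them, which postfix (`lmtp:[dovecot]`, `inet:dovecot:100`) relies on. If the intent was to restrict access, it has to be done through network membership in docker-compose.yml. A comment such as `# 24 (LMTP) and 100 (SASL) remain reachable on the compose networks; EXPOSE only documents the public port` would keep this from being read as a hardening step.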
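Review bot: `user_attrs` derives the home and Maildir path from `%d/%n` of the login name, so the same LDAP entry can land in different Maildirs depending on the case the user typed, because the directory's `mail` match is normally case-insensitive while the filesystem path is not; add `auth_username_format = %Lu` so the path is built from the lowercased name. The path construction also leans on Dovecot's default `auth_username_chars` rejecting `/` in `%n`; that setting is outside this patch, so confirm it is not overridden. The rest of the LDAP stanza (including `dn`/`dnpass` or their absence) is above the hunk and not reviewed here.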
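Review bot: The commented-out line keeps `auth_debug_passwords=yes` one uncomment away from writing every user's plaintext password to `/dev/stdout` (the configured `log_path`), i.e. into `docker logs` and any collector behind it; a guard such as `[ "$DOVECOT_AUTH_DEBUG" = yes ] && echo -e "auth_verbose=yes\nauth_debug=yes" >> /etc/dovecot/dovecot.conf` keeps the convenience without ever logging passwords. The `[ -e … ] && rm -rf /var/lib/dovecot/instances` line would benefit from a comment saying why the instance registry is discarded on start (presumably because `/var/lib/dovecot` is now a persistent volume and a stale entry would otherwise survive).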
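Review bot: Without `set -e` the script restores ownership even when `docker-compose exec` fails, so a broken alias map goes unnoticed; add `set -eu` after the shebang and quote the expansion, `sudo chown "$USER:$USER" aliases`. A comment explaining why the file is chowned to root around the `postmap` call would help, since the reason (apparently an ownership check inside the container) is not visible here. Note that the `virtual.db` postmap produces lives in the container's own filesystem, not in the bind-mounted file, so it does not survive a container recreation.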
@@ -1,5 +1,12 @@
-MYHOSTNAME=mail.kegelschiene.com
-MYDOMAIN=mail.kegelschiene.com
-MAIL_NAME="sbrudermail"
+# FQDN!
+MYHOSTNAME=home.sbruder.de
+# Without first part
+MYDOMAIN=sbruder.de
+# Used in EHLO
+MAIL_NAME=sbrudermail
 MESSAGE_SIZE_LIMIT=15360000
+
+DOMAINS=kegelschiene.com
+
+POSTMASTER=hanstest@kegelschiene.com
 
diff --git a/postfix/Dockerfile b/postfix/Dockerfile
index c002eba..6977969 100644
--- a/postfix/Dockerfile
+++ b/postfix/Dockerfile
@@ -6,10 +6,13 @@ RUN apk add --no-cache \
 ca-certificates \
 postfix \
 postfix-pcre \
+ postfix-ldap \
 openssl
 
+COPY rsyslog.conf /etc/rsyslog.conf
+
 RUN echo '' > /etc/postfix/main.cf \
- && postconf -e myorigin='$myhostname' \
+ && postconf -e myorigin='$mydomain' \
 && postconf -e mynetworks='127.0.0.0/8 [::1]/128' \
 && postconf -e smtpd_relay_restrictions='permit_sasl_authenticated, permit_mynetworks, reject_unlisted_sender, reject_unlisted_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_invalid_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unauth_destination, reject_unknown_hostname' \
 && postconf -e smtpd_recipient_restrictions='check_recipient_access hash:/etc/postfix/access_recipient, check_sender_access hash:/etc/postfix/access_sender, check_helo_access hash:/etc/postfix/access_helo, check_client_access cidr:/etc/postfix/access_client, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_rbl_client zen.spamhaus.org, reject_rbl_client ix.dnsbl.manitu.net, check_policy_service inet:postgrey:25 reject_unverified_recipient, permit' \
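Review bot: `MYDOMAIN=sbruder.de` now feeds `myorigin` (switched to `$mydomain` in postfix/Dockerfile), so bounces and root/postmaster mail leave as `@sbruder.de`, while the only mailbox domain served here is `DOMAINS=kegelschiene.com`; unless sbruder.de routes back to this server, replies to those messages are undeliverable. Either add sbruder.de to `DOMAINS` or set `MYDOMAIN` to the domain whose mailboxes live here. The comment `# Without first part` is not self-explanatory; suggest `# Domain part of MYHOSTNAME; becomes myorigin for locally generated mail`.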
@@ -32,13 +35,15 @@ RUN echo '' > /etc/postfix/main.cf \
 && postconf -e smtpd_sasl_path='inet:dovecot:100' \
 && postconf -e virtual_transport='lmtp:[dovecot]' \
 && postconf -e virtual_alias_maps='hash:/etc/postfix/virtual' \
- && postconf -e virtual_mailbox_domains='/etc/postfix/domains' \
+ && postconf -e virtual_mailbox_maps='ldap:/etc/postfix/ldap/virtual_mailbox_maps.cf' \
+ && postconf -e virtual_mailbox_limit='0' \
 && postconf -e smtp_tls_security_level='may' \
 && postconf -e disable_vrfy_command='yes' \
 && postconf -e enable_long_queue_ids='yes' \
- && postconf -e strict_rfc821_envelopes='yes'
+ && postconf -e strict_rfc821_envelopes='yes' \
+ && echo 'MAILER-DAEMON: postmaster\npostmaster: root' > /etc/postfix/aliases
 
-# && postconf -e smtpd_recipient_restrictions='permit_sasl_authenticated, permit_mynetworks, reject_unlisted_sender, reject_unlisted_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_invalid_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unauth_destination, reject_unknown_hostname' \
+# && postconf -e virtual_mailbox_maps='ldap:/etc/postfix/ldap/mailbox.cf' \
 
 COPY master.cf /etc/postfix/master.cf
 COPY smtp_header_checks /etc/postfix/smtp_header_checks
@@ -46,6 +51,8 @@ COPY smtp_header_checks /etc/postfix/smtp_header_checks
 COPY postfix.sh /postfix.sh
 COPY supervisord.conf /etc/supervisord.conf
 
+COPY ldap /etc/postfix/ldap
+
 ENTRYPOINT ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf"]
 
 VOLUME ["/etc/postfix/dh-params/"]
diff --git a/postfix/ldap/virtual_alias_maps.cf b/postfix/ldap/virtual_alias_maps.cf
new file mode 100644
index 0000000..46113fb
--- /dev/null
+++ b/postfix/ldap/virtual_alias_maps.cf
@@ -0,0 +1,4 @@
+server_host = @@SERVER_HOST@@
+search_base = @@SEARCH_BASE@@
+query_filter = mail=%s
+result_attribute = mail
diff --git a/postfix/ldap/virtual_mailbox_maps.cf b/postfix/ldap/virtual_mailbox_maps.cf
new file mode 100644
index 0000000..a71617c
--- /dev/null
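Review bot: The new `echo 'MAILER-DAEMON: postmaster\npostmaster: root'` depends on the shell's echo expanding `\n`, which BusyBox's echo on Alpine does not do without `-e` (the dovecot entrypoint in this same patch uses `echo -e` for that reason), so the aliases file can end up as one malformed line; `printf 'MAILER-DAEMON: postmaster\npostmaster: root\n' > /etc/postfix/aliases` is unambiguous. Since postfix.sh rewrites this file at startup (later in this patch), the build-time copy is only a fallback, but it should still be well-formed. The added comment `# && postconf -e virtual_mailbox_maps='ldap:/etc/postfix/ldap/mailbox.cf'` names a file that does not exist in this patch and shadows the live setting a few lines above; drop it to avoid confusion.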
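Review bot: This map is never wired up: the `sed` in postfix.sh only substitutes placeholders in `virtual_mailbox_maps.cf`, and main.cf keeps `virtual_alias_maps='hash:/etc/postfix/virtual'`, so this file ships with `@@SERVER_HOST@@` and `@@SEARCH_BASE@@` left literal and any later `ldap:` reference to it would fail at lookup time. Either extend the sed to both files and reference the map, or remove the file until it is used. If kept, give it the same `version = 3`, `bind = no` and `scope = sub` lines as the mailbox map so both LDAP tables behave alike.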
+++ b/postfix/ldap/virtual_mailbox_maps.cf
@@ -0,0 +1,10 @@
+server_host = @@SERVER_HOST@@
+server_port = 389
+version = 3
+bind = no
+search_base = @@SEARCH_BASE@@
+scope = sub
+query_filter = (mail=%s)
+result_attribute= mail
+result_format = %d/%u/Maildir/
+debuglevel = 0
diff --git a/postfix/postfix.sh b/postfix/postfix.sh
index d311c62..776d5a7 100755
--- a/postfix/postfix.sh
+++ b/postfix/postfix.sh
@@ -11,14 +11,31 @@ postconf -e message_size_limit="$MESSAGE_SIZE_LIMIT"
 postconf -e smtpd_tls_key_file="$TLS_KEY"
 postconf -e smtpd_tls_cert_file="$TLS_FULLCHAIN"
 
-postmap /etc/postfix/virtual
-postmap /etc/postfix/domains
+postconf -e virtual_mailbox_domains="$DOMAINS"
+
+for hash in access_recipient access_sender access_helo;do #virtual;do
+ touch /etc/postfix/$hash
+ postmap /etc/postfix/$hash
+done
+
+# set ldap search base
+sed -i \
+ -e "s/@@SEARCH_BASE@@/${LDAP_BASE}/g" \
+ -e "s/@@SERVER_HOST@@/${LDAP_SERVER}/g" \
+ /etc/postfix/ldap/virtual_mailbox_maps.cf
+
+# is cidr, so not included in the hash section
+touch /etc/postfix/access_client
+
+echo "MAILER-DAEMON: postmaster\npostmaster: $POSTMASTER" > /etc/postfix/aliases
+
+newaliases
 
 # is mounted, so no default structure
 (
 cd /var/spool/postfix
 chown postfix:postfix .
- for dir in active bounce corrupt defer deferred flush hold incoming maildrop pid private public saved trace; do
+ for dir in active bounce corrupt defer deferred flush hold incoming maildrop pid private public saved trace; do
 mkdir -p $dir
 chown postfix:postfix $dir
 done
diff --git a/postfix/rsyslog.conf b/postfix/rsyslog.conf
new file mode 100644
index 0000000..567a790
--- /dev/null
+++ b/postfix/rsyslog.conf
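Review bot: `query_filter = (mail=%s)` accepts mail for any LDAP object carrying that `mail` attribute, whereas Dovecot (dovecot/entrypoint.sh) only delivers to `(&(objectClass=posixAccount)(mail=%u))`; an address that matches here but not there is accepted at SMTP time and then rejected over LMTP, which is exactly the backscatter the TODO file wants to test for. Align the filters: `query_filter = (&(objectClass=posixAccount)(mail=%s))`. Postfix applies RFC 2254 quoting to `%s`, so filter injection is not the concern. The table also uses `bind = no` over plain port 389; that is acceptable on the internal `auth` network, but if the directory lives on another host add `start_tls = yes` and `tls_require_cert = yes`.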
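Review bot: `virtual_alias_maps` is still `hash:/etc/postfix/virtual` (postfix/Dockerfile), yet this start script drops `postmap /etc/postfix/virtual` and leaves `virtual` commented out in the `for hash` loop, so a freshly created container has no `/etc/postfix/virtual.db` and every alias lookup fails until newaliases.sh is run by hand; add `postmap /etc/postfix/virtual` back once the bind-mounted file is present. `echo "MAILER-DAEMON: postmaster\npostmaster: $POSTMASTER"` relies on echo expanding `\n`, which BusyBox's echo does not do without `-e`; use `printf 'MAILER-DAEMON: postmaster\npostmaster: %s\n' "$POSTMASTER" > /etc/postfix/aliases`. The `sed` expressions interpolate `$LDAP_BASE` and `$LDAP_SERVER` unescaped with `/` as delimiter, so a value containing `/` or `&` corrupts the map; `s|@@SEARCH_BASE@@|${LDAP_BASE}|g` avoids the common case.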
@@ -0,0 +1,10 @@
+$ModLoad immark.so # provides --MARK-- message capability
+$ModLoad imuxsock.so # provides support for local system logging (e.g. via logger command)
+$FileOwner root
+$FileGroup adm
+$FileCreateMode 0640
+$DirCreateMode 0755
+$Umask 0022
+$template CustomFormat,"%timegenerated% %syslogtag%%msg%\n"
+$ActionFileDefaultTemplate CustomFormat
+mail.* -/var/log/maillog
diff --git a/postgrey/Dockerfile b/postgrey/Dockerfile
index 875bf5a..8a5bb14 100644
--- a/postgrey/Dockerfile
+++ b/postgrey/Dockerfile
@@ -5,5 +5,3 @@ RUN apk add --no-cache \
 postgrey
 
 ENTRYPOINT ["postgrey", "--inet=0.0.0.0:25", "--auto-whitelist-clients"]
-
-EXPOSE 25
diff --git a/ssl.env b/ssl.env
index 0c431f8..f284538 100644
--- a/ssl.env
+++ b/ssl.env
@@ -1,2 +1,2 @@
-TLS_FULLCHAIN=/var/lib/acme/live/mail.kegelschiene.com/fullchain
-TLS_KEY=/var/lib/acme/live/mail.kegelschiene.com/privkey
+TLS_FULLCHAIN=/var/lib/acme/live/home.sbruder.de/fullchain
+TLS_KEY=/var/lib/acme/live/home.sbruder.de/privkey
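Review bot: `mail.* -/var/log/maillog` sends Postfix's log, including rejects, SASL failures and relay attempts, to a file inside the container that is never rotated and never reaches `docker logs`, so the one log that matters for abuse detection disappears when the container is recreated; the Dovecot side already uses `log_path = /dev/stdout`, so `mail.* /dev/stdout` keeps both services' logs in the same place. If a file is preferred, mount it from the host and add rotation. `$ModLoad immark.so` also emits periodic `-- MARK --` lines that add noise without value here.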