dreckiger commit

TODO

@@ -0,0 +1,2 @@
+ * backscatter test
+ * open relay test

docker-compose.yml

@@ -6,14 +6,18 @@ services:
     env_file:
       - ssl.env
       - postfix.env
+      - ldap.env
     volumes:
       - ./aliases:/etc/postfix/virtual
-      - ./domains:/etc/postfix/domains
       - /var/lib/acme/:/var/lib/acme/:ro
       - /var/lib/docker-volumes/mail/queue/:/var/spool/postfix
       - postfix-dh:/etc/postfix/dh-params
     networks:
       mail:
+      auth:
+    ports:
+      - "25:25"
+      - "587:587"
     depends_on:
       - postgrey
       - dovecot
@@ -34,9 +38,12 @@ services:
     volumes:
       - /var/lib/docker-volumes/mail/vmail/:/var/vmail/
       - /var/lib/acme/:/var/lib/acme/:ro
+      - dovecot-dh:/var/lib/dovecot/
     networks:
       mail:
       auth:
+    ports:
+      - "143:143"
 
   rainloop:
     image: runningman84/rainloop
@@ -56,3 +63,4 @@ networks:
 
 volumes:
   postfix-dh: {}
+  dovecot-dh: {}

dovecot/10-logging.conf

@@ -1,7 +1,5 @@
 log_path = /dev/stdout
 
-#auth_verbose = yes
-
 plugin {
   # Events to log. Also available: flag_change append
   #mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename

dovecot/Dockerfile

@@ -19,6 +19,7 @@ COPY entrypoint.sh /entrypoint.sh
 
 ENTRYPOINT ["/entrypoint.sh"]
 
+VOLUME ["/var/lib/dovecot"]
 VOLUME ["/var/vmail"]
 
-EXPOSE 24 100 143
+EXPOSE 143

dovecot/entrypoint.sh

@@ -6,9 +6,9 @@ base = $LDAP_BASE
 auth_bind = yes
 user_filter = (&(objectClass=posixAccount)(mail=%u))
 pass_filter = (&(objectClass=posixAccount)(mail=%u))
-#user_attrs = \
+user_attrs = \
-#           =home=/var/vmail/%d/%n, \
+           =home=/var/vmail/%d/%n, \
-#           =mail=maildir:/var/vmail/%d/%n/Maildir
+           =mail=maildir:/var/vmail/%d/%n/Maildir
 DOVECOTLDAP
 
 cat > /etc/dovecot/conf.d/10-ssl.conf << SSL
@@ -19,6 +19,9 @@ ssl_key = <$TLS_KEY
 ssl_dh_parameters_length = 2048
 SSL
 
-echo -e "auth_verbose=yes\nauth_debug=yes\nauth_debug_passwords=yes" >> /etc/dovecot/dovecot.conf
+# debugging
+#echo -e "auth_verbose=yes\nauth_debug=yes\nauth_debug_passwords=yes" >> /etc/dovecot/dovecot.conf
+
+[ -e /var/lib/dovecot/instances ] && rm -rf /var/lib/dovecot/instances
 
 exec dovecot -F

newaliases.sh

@@ -0,0 +1,4 @@
+#!/bin/sh
+sudo chown root:root aliases
+docker-compose exec postfix postmap /etc/postfix/virtual
+sudo chown $USER:$USER aliases

postfix.env

@@ -1,5 +1,12 @@
-MYHOSTNAME=mail.kegelschiene.com
+# FQDN!
-MYDOMAIN=mail.kegelschiene.com
+MYHOSTNAME=home.sbruder.de
-MAIL_NAME="sbrudermail"
+# Without first part
+MYDOMAIN=sbruder.de
+# Used in EHLO
+MAIL_NAME=sbrudermail
 
 MESSAGE_SIZE_LIMIT=15360000
+
+DOMAINS=kegelschiene.com
+
+POSTMASTER=hanstest@kegelschiene.com

postfix/Dockerfile

@@ -6,10 +6,13 @@ RUN apk add --no-cache \
     ca-certificates \
     postfix \
     postfix-pcre \
+    postfix-ldap \
     openssl
 
+COPY rsyslog.conf /etc/rsyslog.conf
+
 RUN echo '' > /etc/postfix/main.cf \
-    && postconf -e myorigin='$myhostname' \
+    && postconf -e myorigin='$mydomain' \
     && postconf -e mynetworks='127.0.0.0/8 [::1]/128' \
     && postconf -e smtpd_relay_restrictions='permit_sasl_authenticated, permit_mynetworks, reject_unlisted_sender, reject_unlisted_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_invalid_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unauth_destination, reject_unknown_hostname' \
     && postconf -e smtpd_recipient_restrictions='check_recipient_access hash:/etc/postfix/access_recipient, check_sender_access hash:/etc/postfix/access_sender, check_helo_access hash:/etc/postfix/access_helo, check_client_access cidr:/etc/postfix/access_client, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_rbl_client zen.spamhaus.org, reject_rbl_client ix.dnsbl.manitu.net, check_policy_service inet:postgrey:25 reject_unverified_recipient, permit' \
@@ -32,13 +35,15 @@ RUN echo '' > /etc/postfix/main.cf \
     && postconf -e smtpd_sasl_path='inet:dovecot:100' \
     && postconf -e virtual_transport='lmtp:[dovecot]' \
     && postconf -e virtual_alias_maps='hash:/etc/postfix/virtual' \
-    && postconf -e virtual_mailbox_domains='/etc/postfix/domains' \
+    && postconf -e virtual_mailbox_maps='ldap:/etc/postfix/ldap/virtual_mailbox_maps.cf' \
+    && postconf -e virtual_mailbox_limit='0' \
     && postconf -e smtp_tls_security_level='may' \
     && postconf -e disable_vrfy_command='yes' \
     && postconf -e enable_long_queue_ids='yes' \
-    && postconf -e strict_rfc821_envelopes='yes'
+    && postconf -e strict_rfc821_envelopes='yes' \
+    && echo 'MAILER-DAEMON: postmaster\npostmaster: root' > /etc/postfix/aliases
 
-#    && postconf -e smtpd_recipient_restrictions='permit_sasl_authenticated, permit_mynetworks, reject_unlisted_sender, reject_unlisted_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_invalid_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unauth_destination, reject_unknown_hostname' \
+#    && postconf -e virtual_mailbox_maps='ldap:/etc/postfix/ldap/mailbox.cf' \
 
 COPY master.cf /etc/postfix/master.cf
 COPY smtp_header_checks /etc/postfix/smtp_header_checks
@@ -46,6 +51,8 @@ COPY smtp_header_checks /etc/postfix/smtp_header_checks
 COPY postfix.sh /postfix.sh
 COPY supervisord.conf /etc/supervisord.conf
 
+COPY ldap /etc/postfix/ldap
+
 ENTRYPOINT ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf"]
 
 VOLUME ["/etc/postfix/dh-params/"]

postfix/ldap/virtual_alias_maps.cf

@@ -0,0 +1,4 @@
+server_host = @@SERVER_HOST@@
+search_base = @@SEARCH_BASE@@
+query_filter = mail=%s
+result_attribute = mail

postfix/ldap/virtual_mailbox_maps.cf

@@ -0,0 +1,10 @@
+server_host     = @@SERVER_HOST@@
+server_port     = 389
+version         = 3
+bind            = no
+search_base     = @@SEARCH_BASE@@
+scope           = sub
+query_filter    = (mail=%s)
+result_attribute= mail
+result_format   = %d/%u/Maildir/
+debuglevel      = 0

postfix/postfix.sh

@@ -11,14 +11,31 @@ postconf -e message_size_limit="$MESSAGE_SIZE_LIMIT"
 postconf -e smtpd_tls_key_file="$TLS_KEY"
 postconf -e smtpd_tls_cert_file="$TLS_FULLCHAIN"
 
-postmap /etc/postfix/virtual
+postconf -e virtual_mailbox_domains="$DOMAINS"
-postmap /etc/postfix/domains
+
+for hash in access_recipient access_sender access_helo;do #virtual;do
+	touch /etc/postfix/$hash
+	postmap /etc/postfix/$hash
+done
+
+# set ldap search base
+sed -i \
+	-e "s/@@SEARCH_BASE@@/${LDAP_BASE}/g" \
+	-e "s/@@SERVER_HOST@@/${LDAP_SERVER}/g" \
+	/etc/postfix/ldap/virtual_mailbox_maps.cf
+
+# is cidr, so not included in the hash section
+touch /etc/postfix/access_client
+
+echo "MAILER-DAEMON: postmaster\npostmaster: $POSTMASTER" > /etc/postfix/aliases
+
+newaliases
 
 # is mounted, so no default structure
 (
 	cd /var/spool/postfix
 	chown postfix:postfix .
-	for dir in  active bounce corrupt defer deferred flush hold incoming maildrop pid private public saved trace; do
+	for dir in active bounce corrupt defer deferred flush hold incoming maildrop pid private public saved trace; do
 		mkdir -p $dir
 		chown postfix:postfix $dir
 	done

postfix/rsyslog.conf

@@ -0,0 +1,10 @@
+$ModLoad immark.so # provides --MARK-- message capability
+$ModLoad imuxsock.so # provides support for local system logging (e.g. via logger command)
+$FileOwner root
+$FileGroup adm
+$FileCreateMode 0640
+$DirCreateMode 0755
+$Umask 0022
+$template CustomFormat,"%timegenerated% %syslogtag%%msg%\n"
+$ActionFileDefaultTemplate CustomFormat
+mail.*                                                  -/var/log/maillog

postgrey/Dockerfile

@@ -5,5 +5,3 @@ RUN apk add --no-cache \
         postgrey
 
 ENTRYPOINT ["postgrey", "--inet=0.0.0.0:25", "--auto-whitelist-clients"]
-
-EXPOSE 25

ssl.env

@@ -1,2 +1,2 @@
-TLS_FULLCHAIN=/var/lib/acme/live/mail.kegelschiene.com/fullchain
+TLS_FULLCHAIN=/var/lib/acme/live/home.sbruder.de/fullchain
-TLS_KEY=/var/lib/acme/live/mail.kegelschiene.com/privkey
+TLS_KEY=/var/lib/acme/live/home.sbruder.de/privkey