From 3412d9fb99b617e0889992def614ccd27a8a2281 Mon Sep 17 00:00:00 2001 From: Simon Bruder Date: Thu, 8 Mar 2018 14:45:31 +0000 Subject: [PATCH] init --- .gitignore | 2 + aliases.dist | 0 docker-compose.yml | 49 +++++++++++++++ dovecot/10-logging.conf | 11 ++++ dovecot/10-master.conf | 118 +++++++++++++++++++++++++++++++++++++ dovecot/Dockerfile | 22 +++++++ dovecot/auth-ldap.conf.ext | 8 +++ dovecot/entrypoint.sh | 24 ++++++++ environment.dist | 11 ++++ postfix/Dockerfile | 19 ++++++ postfix/postfix.sh | 73 +++++++++++++++++++++++ postfix/supervisord.conf | 23 ++++++++ postgrey/Dockerfile | 9 +++ 13 files changed, 369 insertions(+) create mode 100644 .gitignore create mode 100644 aliases.dist create mode 100644 docker-compose.yml create mode 100644 dovecot/10-logging.conf create mode 100644 dovecot/10-master.conf create mode 100644 dovecot/Dockerfile create mode 100644 dovecot/auth-ldap.conf.ext create mode 100755 dovecot/entrypoint.sh create mode 100644 environment.dist create mode 100644 postfix/Dockerfile create mode 100755 postfix/postfix.sh create mode 100644 postfix/supervisord.conf create mode 100644 postgrey/Dockerfile diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..38da362 --- /dev/null +++ b/.gitignore @@ -0,0 +1,2 @@ +environment +aliases diff --git a/aliases.dist b/aliases.dist new file mode 100644 index 0000000..e69de29 diff --git a/docker-compose.yml b/docker-compose.yml new file mode 100644 index 0000000..c1ce6b9 --- /dev/null +++ b/docker-compose.yml 
@@ -0,0 +1,49 @@ +version: '3.5' +services: + postfix: + build: postfix + restart: unless-stopped + env_file: + - environment + volumes: + - ./aliases:/etc/postfix/virtual + - /var/lib/acme/:/var/lib/acme/:ro + networks: + mail: + depends_on: + - postgrey + - dovecot + + postgrey: + build: postgrey + restart: unless-stopped + networks: + mail: + + dovecot: + build: dovecot + restart: unless-stopped + env_file: + - environment + volumes: + - /var/lib/docker-volumes/mail/vmail/:/srv/vmail/ + - /var/lib/acme/:/var/lib/acme/:ro + networks: + mail: + auth: + + rainloop: + image: runningman84/rainloop + restart: unless-stopped + env_file: + - environment + volumes: + - /var/lib/docker-volumes/mail/rainloop/:/var/www/html/data + networks: + mail: + +networks: + mail: + auth: + external: true + name: auth_auth diff --git a/dovecot/10-logging.conf b/dovecot/10-logging.conf new file mode 100644 index 0000000..212f501 --- /dev/null +++ b/dovecot/10-logging.conf @@ -0,0 +1,11 @@ +log_path = /dev/stdout + +auth_verbose = yes + +plugin { + # Events to log. Also available: flag_change append + #mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename + # Available fields: uid, box, msgid, from, subject, size, vsize, flags + # size and vsize are available only for expunge and copy events. + #mail_log_fields = uid box msgid size +} diff --git a/dovecot/10-master.conf b/dovecot/10-master.conf new file mode 100644 index 0000000..7cb5541 --- /dev/null +++ b/dovecot/10-master.conf 
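Review bot: The same `env_file: environment` is attached to postfix, dovecot and rainloop, so each container gets the whole variable set: postfix and dovecot receive `RAINLOOP_ADMIN_PASSWORD`, and rainloop receives the LDAP and TLS key paths it never uses, all visible via `docker inspect` and the process environment. Split the file per service, or list only the needed keys under each service's `environment:`, so a compromise of one container does not hand out another's credentials. The `rainloop` service also pulls `runningman84/rainloop` with neither tag nor digest, so every pull may resolve to different, unreviewed content; pin it, e.g. `image: runningman84/rainloop:<tag>` with the tag filled in. A short comment above `networks: auth: external: true` saying which stack owns `auth_auth` and why dovecot needs to join it would help the next maintainer.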
@@ -0,0 +1,118 @@ +#default_process_limit = 100 +#default_client_limit = 1000 + +# Default VSZ (virtual memory size) limit for service processes. This is mainly +# intended to catch and kill processes that leak memory before they eat up +# everything. +#default_vsz_limit = 256M + +# Login user is internally used by login processes. This is the most untrusted +# user in Dovecot system. It shouldn't have access to anything at all. +#default_login_user = dovenull + +# Internal user is used by unprivileged processes. It should be separate from +# login user, so that login processes can't disturb other processes. +#default_internal_user = dovecot + +service imap-login { + inet_listener imap { + #port = 143 + } + inet_listener imaps { + #port = 993 + #ssl = yes + } + + # Number of connections to handle before starting a new process. Typically + # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0 + # is faster. + #service_count = 1 + + # Number of processes to always keep waiting for more connections. + #process_min_avail = 0 + + # If you set service_count=0, you probably need to grow this. + #vsz_limit = $default_vsz_limit +} + +service pop3-login { + inet_listener pop3 { + #port = 110 + } + inet_listener pop3s { + #port = 995 + #ssl = yes + } +} + +service lmtp { + unix_listener lmtp { + #mode = 0666 + } + + # Create inet listener only if you can't use the above UNIX socket + inet_listener lmtp { + port = 24 + } +} + +service imap { + # Most of the memory goes to mmap()ing files. You may need to increase this + # limit if you have huge mailboxes. + #vsz_limit = $default_vsz_limit + + # Max. number of IMAP processes (connections) + #process_limit = 1024 +} + +service pop3 { + # Max. number of POP3 processes (connections) + #process_limit = 1024 +} + +service auth { + # auth_socket_path points to this userdb socket by default. It's typically + # used by dovecot-lda, doveadm, possibly imap process, etc. 
Users that have + # full permissions to this socket are able to get a list of all usernames and + # get the results of everyone's userdb lookups. + # + # The default 0666 mode allows anyone to connect to the socket, but the + # userdb lookups will succeed only if the userdb returns an "uid" field that + # matches the caller process's UID. Also if caller's uid or gid matches the + # socket's uid or gid the lookup succeeds. Anything else causes a failure. + # + # To give the caller full permissions to lookup all users, set the mode to + # something else than 0666 and Dovecot lets the kernel enforce the + # permissions (e.g. 0777 allows everyone full permissions). + unix_listener auth-userdb { + #mode = 0666 + #user = + #group = + } + + # Postfix smtp-auth + inet_listener { + port = 100 + } + + # Auth process is run as this user. + #user = $default_internal_user +} + +service auth-worker { + # Auth worker process is run as root by default, so that it can access + # /etc/shadow. If this isn't necessary, the user should be changed to + # $default_internal_user. + #user = root +} + +service dict { + # If dict proxy is used, mail processes should have access to its socket. + # For example: mode=0660, group=vmail and global mail_access_groups=vmail + unix_listener dict { + #mode = 0600 + #user = + #group = + } +} + diff --git a/dovecot/Dockerfile b/dovecot/Dockerfile new file mode 100644 index 0000000..45a6187 --- /dev/null +++ b/dovecot/Dockerfile 
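Review bot: The new `inet_listener { port = 100 }` under `service auth` and `inet_listener lmtp { port = 24 }` carry no `address =`, so Dovecot binds them on every address in the global `listen` setting (all interfaces by default); any peer on the `mail` network, rainloop included, can then drive password checks through the SASL listener or hand mail straight to LMTP without passing Postfix's restrictions. Neither listener authenticates its client, so this is acceptable only while the `mail` network is trusted end to end. At minimum document that next to the two listeners, e.g. `# no client authentication: reachable by every container on the mail network`, and consider an `address =` restricted to the address Postfix connects from. The dovecot/Dockerfile hunk later in this commit also lists both ports in `EXPOSE`, so a careless `-p` mapping would put them on the host.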
@@ -0,0 +1,22 @@ +FROM alpine:latest + +RUN apk add --no-cache \ + dovecot \ + dovecot-ldap + +RUN sed -i 's/#!include auth-ldap.conf.ext/!include auth-ldap.conf.ext/' /etc/dovecot/conf.d/10-auth.conf \ + && sed -i 's/!include auth-passwdfile.conf.ext/#!include auth-passwdfile.conf.ext/' /etc/dovecot/conf.d/10-auth.conf + +RUN mkdir /ssl-params-cache/ \ + && ln -s /ssl-params-cache/ssl-parameters.dat /var/lib/dovecot/ssl-parameters.dat + +COPY 10-master.conf /etc/dovecot/conf.d/10-master.conf +COPY 10-logging.conf /etc/dovecot/conf.d/10-logging.conf +COPY auth-ldap.conf.ext /etc/dovecot/conf.d/auth-ldap.conf.ext +COPY entrypoint.sh /entrypoint.sh + +ENTRYPOINT ["/entrypoint.sh"] + +VOLUME "/ssl-params-cache/" + +EXPOSE 24 100 143 diff --git a/dovecot/auth-ldap.conf.ext b/dovecot/auth-ldap.conf.ext new file mode 100644 index 0000000..72acb21 --- /dev/null +++ b/dovecot/auth-ldap.conf.ext @@ -0,0 +1,8 @@ +passdb { + driver = ldap + args = /etc/dovecot/dovecot-ldap.conf.ext +} +userdb { + driver = ldap + args = /etc/dovecot/dovecot-ldap-userdb.conf.ext +} diff --git a/dovecot/entrypoint.sh b/dovecot/entrypoint.sh new file mode 100755 index 0000000..db65d68 --- /dev/null +++ b/dovecot/entrypoint.sh @@ -0,0 +1,24 @@ +#!/bin/ash + +cat > /etc/dovecot/dovecot-ldap.conf.ext << LDAP +hosts = $LDAP_SERVER +auth_bind = yes +base = $LDAP_BASE +user_filter = (&(objectClass=posixAccount)(mail=%u)) +pass_filter = (&(objectClass=posixAccount)(mail=%u)) +user_attrs = \ + =home=/var/vmail/%d/%u, \ + =mail=maildir:/var/vmail/%d/%u/Maildir +LDAP + +cat > /etc/dovecot/conf.d/10-ssl.conf << SSL +ssl = required +ssl_cert = <$TLS_FULLCHAIN +ssl_key = <$TLS_KEY + +ssl_dh_parameters_length = 2048 +SSL + +ln -s /etc/dovecot/dovecot-ldap.conf.ext /etc/dovecot/dovecot-ldap-userdb.conf.ext + +dovecot -F diff --git a/environment.dist b/environment.dist new file mode 100644 index 0000000..5ff3d1e --- /dev/null +++ b/environment.dist 
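Review bot: The two `sed -i` rewrites of `/etc/dovecot/conf.d/10-auth.conf` silently do nothing if the packaged file no longer contains the exact `#!include auth-ldap.conf.ext` and `!include auth-passwdfile.conf.ext` lines, and the build still succeeds, so an image could ship with the passwd-file backend active and LDAP never consulted. Verify the outcome in the same `RUN`, e.g. `&& grep -q '^!include auth-ldap.conf.ext' /etc/dovecot/conf.d/10-auth.conf && ! grep -q '^!include auth-passwdfile.conf.ext' /etc/dovecot/conf.d/10-auth.conf`, so the build fails instead. `FROM alpine:latest` here, and likewise in postfix/Dockerfile and postgrey/Dockerfile, makes every rebuild a different base with whatever Dovecot or Postfix version the repository serves that day; pin a release (`alpine:<version>`, filled in per deployment) so the configuration directives in this commit keep matching the daemon they were written for.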
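Review bot: `user_attrs` places every mailbox under `/var/vmail/%d/%u`, but docker-compose.yml mounts the persistent volume at `/srv/vmail/`, so as written all mail is stored on the container's writable layer and disappears when the container is recreated; change the two lines to `=home=/srv/vmail/%d/%u, \` and `=mail=maildir:/srv/vmail/%d/%u/Maildir` (or mount the volume at `/var/vmail/`). `hosts = $LDAP_SERVER` with `auth_bind = yes` and no `tls = yes` (or an `ldaps://` URI in `uris`) sends every user's password to the LDAP server in clear over the `auth` network; either add `tls = yes` or record in a comment that the network is considered private. The final `ln -s` fails with "File exists" on every container restart because there is no `-f` and no `set -e`, which is harmless but noisy; `ln -sf` keeps the log clean.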
@@ -0,0 +1,11 @@ +HOSTNAME=mail.example.com +VIRTUAL_HOSTS=example.com example.net +RELAYS= +TLS_CERT=/path/to/cert +TLS_CHAIN=/path/to/chain +TLS_FULLCHAIN=/path/to/certandchain +TLS_KEY=/path/to/key +LDAP_SERVER=ldap +LDAP_BASE=dc=ldap,dc=example,dc=com +RAINLOOP_ADMIN_LOGIN=admin +RAINLOOP_ADMIN_PASSWORD=password diff --git a/postfix/Dockerfile b/postfix/Dockerfile new file mode 100644 index 0000000..83f9634 --- /dev/null +++ b/postfix/Dockerfile @@ -0,0 +1,19 @@ +FROM alpine:latest + +RUN apk add --no-cache \ + supervisor \ + rsyslog \ + ca-certificates \ + postfix \ + openssl + +COPY postfix.sh /postfix.sh +COPY supervisord.conf /etc/supervisord.conf + +ENTRYPOINT ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf"] + +VOLUME "/etc/postfix/dh-params/" + +EXPOSE 25 587 + +# Noch submission machen diff --git a/postfix/postfix.sh b/postfix/postfix.sh new file mode 100755 index 0000000..195fd64 --- /dev/null +++ b/postfix/postfix.sh 
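Review bot: `EXPOSE 25 587` advertises a submission port, but nothing in this commit enables the `submission` service in `master.cf` (postfix.sh only writes `main.cf`, and the stock `master.cf` ships with that entry commented out), so 587 is a closed port on the image as built; drop it from `EXPOSE` until the service exists, or enable it in the same change. The trailing `# Noch submission machen` is German while the rest of the file is English; make it `# TODO: enable the submission service (port 587) in master.cf`. When that service is added, keep `smtpd_tls_auth_only = yes` from postfix.sh in force for it, since that setting is what currently prevents plaintext SASL logins on port 25.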
@@ -0,0 +1,73 @@ +#!/bin/sh +cat > /etc/postfix/main.cf << MAINCF +# FQDN of system !reverse DNS! +myhostname = $HOSTNAME + +# aliases +virtual_alias_maps = hash:/etc/postfix/virtual + +recipient_delimiter = + + +smtpd_relay_restictions = + +smtpd_recipient_restrictions = +# white/blacklists + check_recipient_access hash:/etc/postfix/access_recipient + check_sender_access hash:/etc/postfix/access_sender, + check_helo_access hash:/etc/postfix/access_helo, + check_client_access cidr:/etc/postfix/access_client, +# deny mails for nonexistend recipients + reject_non_fqdn_sender, + reject_non_fqdn_recipient, + reject_unknown_sender_domain, + reject_unknown_recipient_domain, +# allow mails of our users + permit_sasl_authenticated, + permit_mynetworks, +# deny mails to external destinations + reject_unauth_destination, +# check against RBL + reject_rbl_client zen.spamhaus.org, + reject_rbl_client ix.dnsbl.manitu.net, +# check greylisting + check_policy_service inet:postgrey:25 +# check if the user exists in dovecot + reject_unverified_recipient, +# let it out + permit + +smtpd_sasl_auth_enable = yes +smtpd_sasl_path= inet:dovecot:100 +smtpd_sasl_type = dovecot + +# out +smtp_tls_security_level = may + +# in +smtpd_tls_security_level = may +smtpd_tls_cert_file = $TLS_CERT +smtpd_tls_CAfile = $TLS_CHAIN +smtpd_tls_key_file = $TLS_KEY + +smtpd_tls_dh1024_param_file = /etc/postfix/dh-params/2048.pem +smtpd_tls_dh512_param_file = /etc/postfix/dh-params/512.pem +smtpd_tls_eecdh_grade = strong +tls_preempt_cipherlist = yes + +smtpd_tls_auth_only = yes + +# for lmtp relaying to dovecot +relay_domains = hash:/etc/postfix/relay_domains +MAINCF + +[ -e /etc/postfix/relay_domains ] && rm /etc/postfix/relay_domains +for virtual_host in $VIRTUAL_HOSTS;do + echo "$virtual_host lmtp:[dovecot]" >> /etc/postfix/relay_domains +done +postmap /etc/postfix/relay_domains + +[ -e /etc/postfix/dh_512.pem ] || openssl gendh -out /etc/postfix/dh-params/512.pem -2 512 +[ -e /etc/postfix/dh_2048.pem ] 
|| openssl gendh -out /etc/postfix/dh-params/2048.pem -2 2048 + +postmap /etc/postfix/virtual +/usr/lib/postfix/master -c /etc/postfix -d diff --git a/postfix/supervisord.conf b/postfix/supervisord.conf new file mode 100644 index 0000000..7099a3e --- /dev/null +++ b/postfix/supervisord.conf @@ -0,0 +1,23 @@ +[supervisord] +nodaemon=true +loglevel=critical +logfile=/dev/stdout +logfile_maxbytes=0 + +[program:rsyslog] +command=/usr/sbin/rsyslogd -n +stdout_logfile=/dev/null +stdout_logfile_maxbytes=0 +redirect_stderr=true + +[program:postfix] +command=/postfix.sh +stdout_logfile=/dev/stdout +stdout_logfile_maxbytes=0 +redirect_stderr=true + +[program:logs] +command=/usr/bin/tail -F /var/log/maillog +stdout_logfile=/dev/stdout +stdout_logfile_maxbytes=0 +redirect_stderr=true diff --git a/postgrey/Dockerfile b/postgrey/Dockerfile new file mode 100644 index 0000000..875bf5a --- /dev/null +++ b/postgrey/Dockerfile @@ -0,0 +1,9 @@ +FROM alpine:latest + +RUN apk add --no-cache \ + perl-netaddr-ip \ + postgrey + +ENTRYPOINT ["postgrey", "--inet=0.0.0.0:25", "--auto-whitelist-clients"] + +EXPOSE 25
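Review bot: `smtpd_recipient_restrictions` references `hash:/etc/postfix/access_recipient`, `access_sender`, `access_helo` and `cidr:/etc/postfix/access_client`, yet nothing in this commit creates those files, so smtpd cannot open the maps and, as far as I can tell, defers every inbound message with a temporary server-configuration error; create empty maps at start-up when none are mounted. The DH guards test `/etc/postfix/dh_512.pem` and `/etc/postfix/dh_2048.pem` but write to `/etc/postfix/dh-params/`, so the `dh-params` volume is never reused and a 2048-bit group is regenerated on every container start, and the 512-bit group only serves export-grade ciphers that current TLS stacks no longer negotiate, so it can be dropped. `smtpd_relay_restictions =` is misspelled: Postfix ignores the unknown parameter with a warning, which today is what keeps the built-in relay default in force; spell it out explicitly rather than leaving it empty. `relay_domains = hash:/etc/postfix/relay_domains` only decides which domains are accepted, and the `lmtp:[dovecot]` value in that map is ignored unless the same file is also used as `transport_maps`; without it mail for the virtual hosts is routed by the default `relay` transport to the domain's MX, which may be this host again.
```sh
# … unchanged: heredoc start, myhostname, aliases …
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
# … unchanged: smtpd_recipient_restrictions, SASL and TLS settings …
# accept the virtual hosts for relay and route them to dovecot over LMTP
relay_domains = hash:/etc/postfix/relay_domains
transport_maps = hash:/etc/postfix/relay_domains
MAINCF

# the access maps are optional per-deployment overrides; a missing map makes smtpd defer all mail
for map in access_recipient access_sender access_helo; do
    [ -e /etc/postfix/$map ] || : > /etc/postfix/$map
    postmap /etc/postfix/$map
done
[ -e /etc/postfix/access_client ] || : > /etc/postfix/access_client  # cidr: tables need no postmap

# … unchanged: relay_domains loop and postmap …

# test the same paths main.cf references so the dh-params volume is reused across restarts
[ -e /etc/postfix/dh-params/2048.pem ] || openssl gendh -out /etc/postfix/dh-params/2048.pem -2 2048
```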