This commit is contained in:
Simon Bruder 2018-03-08 14:45:31 +00:00
commit 3412d9fb99
13 changed files with 369 additions and 0 deletions

2
.gitignore vendored Normal file
View file

@ -0,0 +1,2 @@
environment
aliases

0
aliases.dist Normal file
View file

49
docker-compose.yml Normal file
View file

@ -0,0 +1,49 @@
version: '3.5'
services:
postfix:
build: postfix
restart: unless-stopped
env_file:
- environment
volumes:
- ./aliases:/etc/postfix/virtual
- /var/lib/acme/:/var/lib/acme/:ro
networks:
mail:
depends_on:
- postgrey
- dovecot
postgrey:
build: postgrey
restart: unless-stopped
networks:
mail:
dovecot:
build: dovecot
restart: unless-stopped
env_file:
- environment
volumes:
- /var/lib/docker-volumes/mail/vmail/:/srv/vmail/
- /var/lib/acme/:/var/lib/acme/:ro
networks:
mail:
auth:
rainloop:
image: runningman84/rainloop
restart: unless-stopped
env_file:
- environment
volumes:
- /var/lib/docker-volumes/mail/rainloop/:/var/www/html/data
networks:
mail:
networks:
mail:
auth:
external: true
name: auth_auth

11
dovecot/10-logging.conf Normal file
View file

@ -0,0 +1,11 @@
log_path = /dev/stdout
auth_verbose = yes
plugin {
# Events to log. Also available: flag_change append
#mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename
# Available fields: uid, box, msgid, from, subject, size, vsize, flags
# size and vsize are available only for expunge and copy events.
#mail_log_fields = uid box msgid size
}

118
dovecot/10-master.conf Normal file
View file

@ -0,0 +1,118 @@
#default_process_limit = 100
#default_client_limit = 1000
# Default VSZ (virtual memory size) limit for service processes. This is mainly
# intended to catch and kill processes that leak memory before they eat up
# everything.
#default_vsz_limit = 256M
# Login user is internally used by login processes. This is the most untrusted
# user in Dovecot system. It shouldn't have access to anything at all.
#default_login_user = dovenull
# Internal user is used by unprivileged processes. It should be separate from
# login user, so that login processes can't disturb other processes.
#default_internal_user = dovecot
service imap-login {
inet_listener imap {
#port = 143
}
inet_listener imaps {
#port = 993
#ssl = yes
}
# Number of connections to handle before starting a new process. Typically
# the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
# is faster. <doc/wiki/LoginProcess.txt>
#service_count = 1
# Number of processes to always keep waiting for more connections.
#process_min_avail = 0
# If you set service_count=0, you probably need to grow this.
#vsz_limit = $default_vsz_limit
}
service pop3-login {
inet_listener pop3 {
#port = 110
}
inet_listener pop3s {
#port = 995
#ssl = yes
}
}
service lmtp {
unix_listener lmtp {
#mode = 0666
}
# Create inet listener only if you can't use the above UNIX socket
inet_listener lmtp {
port = 24
}
}
service imap {
# Most of the memory goes to mmap()ing files. You may need to increase this
# limit if you have huge mailboxes.
#vsz_limit = $default_vsz_limit
# Max. number of IMAP processes (connections)
#process_limit = 1024
}
service pop3 {
# Max. number of POP3 processes (connections)
#process_limit = 1024
}
service auth {
# auth_socket_path points to this userdb socket by default. It's typically
# used by dovecot-lda, doveadm, possibly imap process, etc. Users that have
# full permissions to this socket are able to get a list of all usernames and
# get the results of everyone's userdb lookups.
#
# The default 0666 mode allows anyone to connect to the socket, but the
# userdb lookups will succeed only if the userdb returns an "uid" field that
# matches the caller process's UID. Also if caller's uid or gid matches the
# socket's uid or gid the lookup succeeds. Anything else causes a failure.
#
# To give the caller full permissions to lookup all users, set the mode to
# something else than 0666 and Dovecot lets the kernel enforce the
# permissions (e.g. 0777 allows everyone full permissions).
unix_listener auth-userdb {
#mode = 0666
#user =
#group =
}
# Postfix smtp-auth
inet_listener {
port = 100
}
# Auth process is run as this user.
#user = $default_internal_user
}
service auth-worker {
# Auth worker process is run as root by default, so that it can access
# /etc/shadow. If this isn't necessary, the user should be changed to
# $default_internal_user.
#user = root
}
service dict {
# If dict proxy is used, mail processes should have access to its socket.
# For example: mode=0660, group=vmail and global mail_access_groups=vmail
unix_listener dict {
#mode = 0600
#user =
#group =
}
}

22
dovecot/Dockerfile Normal file
View file

@ -0,0 +1,22 @@
FROM alpine:latest
RUN apk add --no-cache \
dovecot \
dovecot-ldap
RUN sed -i 's/#!include auth-ldap.conf.ext/!include auth-ldap.conf.ext/' /etc/dovecot/conf.d/10-auth.conf \
&& sed -i 's/!include auth-passwdfile.conf.ext/#!include auth-passwdfile.conf.ext/' /etc/dovecot/conf.d/10-auth.conf
RUN mkdir /ssl-params-cache/ \
&& ln -s /ssl-params-cache/ssl-parameters.dat /var/lib/dovecot/ssl-parameters.dat
COPY 10-master.conf /etc/dovecot/conf.d/10-master.conf
COPY 10-logging.conf /etc/dovecot/conf.d/10-logging.conf
COPY auth-ldap.conf.ext /etc/dovecot/conf.d/auth-ldap.conf.ext
COPY entrypoint.sh /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]
VOLUME "/ssl-params-cache/"
EXPOSE 24 100 143

View file

@ -0,0 +1,8 @@
passdb {
driver = ldap
args = /etc/dovecot/dovecot-ldap.conf.ext
}
userdb {
driver = ldap
args = /etc/dovecot/dovecot-ldap-userdb.conf.ext
}

24
dovecot/entrypoint.sh Executable file
View file

@ -0,0 +1,24 @@
#!/bin/ash
cat > /etc/dovecot/dovecot-ldap.conf.ext << LDAP
hosts = $LDAP_SERVER
auth_bind = yes
base = $LDAP_BASE
user_filter = (&(objectClass=posixAccount)(mail=%u))
pass_filter = (&(objectClass=posixAccount)(mail=%u))
user_attrs = \
=home=/var/vmail/%d/%u, \
=mail=maildir:/var/vmail/%d/%u/Maildir
LDAP
cat > /etc/dovecot/conf.d/10-ssl.conf << SSL
ssl = required
ssl_cert = <$TLS_FULLCHAIN
ssl_key = <$TLS_KEY
ssl_dh_parameters_length = 2048
SSL
ln -s /etc/dovecot/dovecot-ldap.conf.ext /etc/dovecot/dovecot-ldap-userdb.conf.ext
dovecot -F

11
environment.dist Normal file
View file

@ -0,0 +1,11 @@
HOSTNAME=mail.example.com
VIRTUAL_HOSTS=example.com example.net
RELAYS=
TLS_CERT=/path/to/cert
TLS_CHAIN=/path/to/chain
TLS_FULLCHAIN=/path/to/certandchain
TLS_KEY=/path/to/key
LDAP_SERVER=ldap
LDAP_BASE=dc=ldap,dc=example,dc=com
RAINLOOP_ADMIN_LOGIN=admin
RAINLOOP_ADMIN_PASSWORD=password

19
postfix/Dockerfile Normal file
View file

@ -0,0 +1,19 @@
FROM alpine:latest
RUN apk add --no-cache \
supervisor \
rsyslog \
ca-certificates \
postfix \
openssl
COPY postfix.sh /postfix.sh
COPY supervisord.conf /etc/supervisord.conf
ENTRYPOINT ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf"]
VOLUME "/etc/postfix/dh-params/"
EXPOSE 25 587
# Noch submission machen

73
postfix/postfix.sh Executable file
View file

@ -0,0 +1,73 @@
#!/bin/sh
cat > /etc/postfix/main.cf << MAINCF
# FQDN of system !reverse DNS!
myhostname = $HOSTNAME
# aliases
virtual_alias_maps = hash:/etc/postfix/virtual
recipient_delimiter = +
smtpd_relay_restictions =
smtpd_recipient_restrictions =
# white/blacklists
check_recipient_access hash:/etc/postfix/access_recipient
check_sender_access hash:/etc/postfix/access_sender,
check_helo_access hash:/etc/postfix/access_helo,
check_client_access cidr:/etc/postfix/access_client,
# deny mails for nonexistend recipients
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
# allow mails of our users
permit_sasl_authenticated,
permit_mynetworks,
# deny mails to external destinations
reject_unauth_destination,
# check against RBL
reject_rbl_client zen.spamhaus.org,
reject_rbl_client ix.dnsbl.manitu.net,
# check greylisting
check_policy_service inet:postgrey:25
# check if the user exists in dovecot
reject_unverified_recipient,
# let it out
permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_path= inet:dovecot:100
smtpd_sasl_type = dovecot
# out
smtp_tls_security_level = may
# in
smtpd_tls_security_level = may
smtpd_tls_cert_file = $TLS_CERT
smtpd_tls_CAfile = $TLS_CHAIN
smtpd_tls_key_file = $TLS_KEY
smtpd_tls_dh1024_param_file = /etc/postfix/dh-params/2048.pem
smtpd_tls_dh512_param_file = /etc/postfix/dh-params/512.pem
smtpd_tls_eecdh_grade = strong
tls_preempt_cipherlist = yes
smtpd_tls_auth_only = yes
# for lmtp relaying to dovecot
relay_domains = hash:/etc/postfix/relay_domains
MAINCF
[ -e /etc/postfix/relay_domains ] && rm /etc/postfix/relay_domains
for virtual_host in $VIRTUAL_HOSTS;do
echo "$virtual_host lmtp:[dovecot]" >> /etc/postfix/relay_domains
done
postmap /etc/postfix/relay_domains
[ -e /etc/postfix/dh_512.pem ] || openssl gendh -out /etc/postfix/dh-params/512.pem -2 512
[ -e /etc/postfix/dh_2048.pem ] || openssl gendh -out /etc/postfix/dh-params/2048.pem -2 2048
postmap /etc/postfix/virtual
/usr/lib/postfix/master -c /etc/postfix -d

23
postfix/supervisord.conf Normal file
View file

@ -0,0 +1,23 @@
[supervisord]
nodaemon=true
loglevel=critical
logfile=/dev/stdout
logfile_maxbytes=0
[program:rsyslog]
command=/usr/sbin/rsyslogd -n
stdout_logfile=/dev/null
stdout_logfile_maxbytes=0
redirect_stderr=true
[program:postfix]
command=/postfix.sh
stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0
redirect_stderr=true
[program:logs]
command=/usr/bin/tail -F /var/log/maillog
stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0
redirect_stderr=true

9
postgrey/Dockerfile Normal file
View file

@ -0,0 +1,9 @@
FROM alpine:latest
RUN apk add --no-cache \
perl-netaddr-ip \
postgrey
ENTRYPOINT ["postgrey", "--inet=0.0.0.0:25", "--auto-whitelist-clients"]
EXPOSE 25