diff --git a/docker-mailserver/docker-compose.yml b/docker-mailserver/docker-compose.yml
index 58af9a3..560fa7a 100644
--- a/docker-mailserver/docker-compose.yml
+++ b/docker-mailserver/docker-compose.yml
@@ -2,7 +2,7 @@ version: "3.8"
 services:
 mail:
- image: docker.io/mailserver/docker-mailserver:10.5
+ image: docker.io/mailserver/docker-mailserver:11.0.0
 hostname: mail
 domainname: zweili.org
 env_file: mailserver.env
diff --git a/docker-mailserver/mailserver.env b/docker-mailserver/mailserver.env
index 2ecac57..05d6dd9 100644
--- a/docker-mailserver/mailserver.env
+++ b/docker-mailserver/mailserver.env
@@ -1,13 +1,24 @@
-# –––––––––––––––––––––––––––––––––––––––––––––––
-# ––– Mailserver Environment Variables ––––––––––
-# –––––––––––––––––––––––––––––––––––––––––––––––
+# -----------------------------------------------
+# --- Mailserver Environment Variables ----------
+# -----------------------------------------------
+
+# DOCUMENTATION FOR THESE VARIABLES IS FOUND UNDER
+# https://docker-mailserver.github.io/docker-mailserver/edge/config/environment/
+
+# -----------------------------------------------
+# --- General Section ---------------------------
+# -----------------------------------------------
 # empty => uses the `hostname` command to get the mail server's canonical hostname
 # => Specify a fully-qualified domainname to serve mail for. This is used for many of the config features so if you can't set your hostname (e.g. you're in a container platform that doesn't let you) specify it in this environment variable.
 OVERRIDE_HOSTNAME=mail.zweili.org
-# 0 => Debug disabled 1 => Enables debug on startup
-DMS_DEBUG=0
+# Set the log level for DMS.
+# This is mostly relevant for container startup scripts and change detection event feedback.
+#
+# Valid values (in order of increasing verbosity) are: `error`, `warn`, `info`, `debug` and `trace`.
+# The default log level is `info`.
+LOG_LEVEL=info
 # critical => Only show critical messages
 # error => Only show erroneous output
@@ -24,15 +35,35 @@ ONE_DIR=0
 # => Specify the postmaster address
 POSTMASTER_ADDRESS=postmaster@2li.ch
+# Check for updates on container start and then once a day
+# If an update is available, a mail is sent to POSTMASTER_ADDRESS
+# 0 => Update check disabled
+# 1 => Update check enabled
+ENABLE_UPDATE_CHECK=1
+
+# Customize the update check interval.
+# Number + Suffix. Suffix must be 's' for seconds, 'm' for minutes, 'h' for hours or 'd' for days.
+UPDATE_CHECK_INTERVAL=1d
+
 # Set different options for mynetworks option (can be overwrite in postfix-main.cf)
 # **WARNING**: Adding the docker network's gateway to the list of trusted hosts, e.g. using the `network` or
 # `connected-networks` option, can create an open relay
 # https://github.com/docker-mailserver/docker-mailserver/issues/1405#issuecomment-590106498
-# empty => localhost only
-# host => Add docker host (ipv4 only)
-# network => Add all docker containers (ipv4 only)
+# The same can happen for rootless podman. To prevent this, set the value to "none" or configure slirp4netns
+# https://github.com/docker-mailserver/docker-mailserver/issues/2377
+#
+# none => Explicitly force authentication
+# container => Container IP address only
+# host => Add docker container network (ipv4 only)
+# network => Add all docker container networks (ipv4 only)
 # connected-networks => Add all connected docker networks (ipv4 only)
-PERMIT_DOCKER=
+PERMIT_DOCKER=none
+
+# Set the timezone. If this variable is unset, the container runtime will try to detect the time using
+# `/etc/localtime`, which you can alternatively mount into the container. The value of this variable
+# must follow the pattern `AREA/ZONE`, i.e. of you want to use Germany's time zone, use `Europe/Berlin`.
+# You can lookup all available timezones here: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List
+TZ=
 # In case you network interface differs from 'eth0', e.g.
when you are using HostNetworking in Kubernetes,
 # you can set NETWORK_INTERFACE to whatever interface you want. This interface will then be used.
@@ -68,12 +99,30 @@ ENABLE_CLAMAV=1
 # 1 => Enabled
 ENABLE_AMAVIS=1
+# -1/-2/-3 => Only show errors
+# **0** => Show warnings
+# 1/2 => Show default informational output
+# 3/4/5 => log debug information (very verbose)
+AMAVIS_LOGLEVEL=0
+
+# This enables the [zen.spamhaus.org](https://www.spamhaus.org/zen/) DNS block list in postfix
+# and various [lists](https://github.com/docker-mailserver/docker-mailserver/blob/f7465a50888eef909dbfc01aff4202b9c7d8bc00/target/postfix/main.cf#L58-L66) in postscreen.
+# Note: Emails will be rejected, if they don't pass the block list checks!
+# **0** => DNS block lists are disabled
+# 1 => DNS block lists are enabled
+ENABLE_DNSBL=0
+
 # If you enable Fail2Ban, don't forget to add the following lines to your `docker-compose.yml`:
 # cap_add:
 # - NET_ADMIN
-# Otherwise, `iptables` won't be able to ban IPs.
+# Otherwise, `nftables` won't be able to ban IPs.
 ENABLE_FAIL2BAN=0
+# Fail2Ban blocktype
+# drop => drop packet (send NO reply)
+# reject => reject packet (send ICMP unreachable)
+FAIL2BAN_BLOCKTYPE=drop
+
 # 1 => Enables Managesieve on port 4190
 # empty => disables Managesieve
 ENABLE_MANAGESIEVE=
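Review bot: `TZ=` is written as an explicit empty assignment, but the comment directly above describes the `/etc/localtime` fallback for the case where the variable is *unset*; Compose's `env_file` hands `TZ=` to the container as an empty string, which only matches that description if the image's startup script treats empty and unset alike (not verifiable from this diff). If the intent is to let the container detect the zone, dropping the line — or giving a concrete `AREA/ZONE` value — avoids depending on that. Moving `PERMIT_DOCKER` from empty to `none` makes the trust decision explicit instead of inherited from the image default, which is the safer side of the open-relay warning in the same comment block.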
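Review bot: `FAIL2BAN_BLOCKTYPE=drop` has no effect while `ENABLE_FAIL2BAN=0` a few lines above it, and the comment in the same hunk says enabling Fail2Ban also requires `cap_add: - NET_ADMIN` in `docker-compose.yml`; the compose hunk visible in this commit does not show such an entry, so flipping the flag later could leave bans silently non-functional. A one-line comment beside the value, `# inert until ENABLE_FAIL2BAN=1 and NET_ADMIN is granted in docker-compose.yml`, keeps the two settings from drifting apart.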
@@ -128,11 +177,22 @@ POSTFIX_DAGENT=
 # empty => 0
 POSTFIX_MAILBOX_SIZE_LIMIT=
+# See https://docker-mailserver.github.io/docker-mailserver/edge/config/user-management/accounts/#notes
+# 0 => Dovecot quota is disabled
+# 1 => Dovecot quota is enabled
+ENABLE_QUOTAS=1
+
 # Set the message size limit for all users. If set to zero, the size will be unlimited (not recommended!)
 #
 # empty => 10240000 (~10 MB)
 POSTFIX_MESSAGE_SIZE_LIMIT=
+# Mails larger than this limit won't be scanned.
+# ClamAV must be enabled (ENABLE_CLAMAV=1) for this.
+#
+# empty => 25M (25 MB)
+CLAMAV_MESSAGE_SIZE_LIMIT=
+
 # Enables regular pflogsumm mail reports.
 # This is a new option. The old REPORT options are still supported for backwards compatibility. If this is not set and reports are enabled with the old options, logrotate will be used.
 #
@@ -147,9 +207,9 @@ PFLOGSUMM_TRIGGER=daily_cron
 # => Specify the recipient address(es)
 PFLOGSUMM_RECIPIENT=andreas@zweili.ch
-# From address for pflogsumm reports.
+# Sender address (`FROM`) for pflogsumm reports if pflogsumm reports are enabled.
 #
-# not set => Use REPORT_SENDER or POSTMASTER_ADDRESS
+# not set => Use REPORT_SENDER
 # => Specify the sender address
 PFLOGSUMM_SENDER=
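Review bot: The new `CLAMAV_MESSAGE_SIZE_LIMIT=` means mail above 25 MB is delivered without an antivirus scan, as its own comment states; today that is moot because `POSTFIX_MESSAGE_SIZE_LIMIT=` keeps Postfix at roughly 10 MB, but the two limits are set independently and nothing in the file ties them together. A comment on the ClamAV line, `# keep this >= POSTFIX_MESSAGE_SIZE_LIMIT, otherwise the largest accepted mails skip scanning`, would stop a later raise of the Postfix limit from silently opening an unscanned window.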
@@ -164,44 +224,72 @@ LOGWATCH_INTERVAL=daily
 #
 # not set => Use REPORT_RECIPIENT or POSTMASTER_ADDRESS
 # => Specify the recipient address(es)
-LOGWATCH_RECIPIENT=andreas@zweili.ch
+LOGWATCH_RECIPIENT=
-# Enables a report being sent (created by pflogsumm) on a regular basis. (deprecated)
-# **0** => Report emails are disabled
-# 1 => Using POSTMASTER_ADDRESS as the recipient
+# Sender address (`FROM`) for logwatch reports if logwatch reports are enabled.
+#
+# not set => Use REPORT_SENDER
+# => Specify the sender address
+LOGWATCH_SENDER=
+
+# Defines who receives reports if they are enabled.
+# **empty** => ${POSTMASTER_ADDRESS}
 # => Specify the recipient address
-REPORT_RECIPIENT=0
+REPORT_RECIPIENT=andreas@zweili.ch
-# Change the sending address for mail report (deprecated)
-# **empty** => mailserver-report@hostname
-# => Specify the report sender (From) address
+# Defines who sends reports if they are enabled.
+# **empty** => mailserver-report@${DOMAINNAME}
+# => Specify the sender address
 REPORT_SENDER=
-# Changes the interval in which a report is being sent. (deprecated)
-# **daily** => Send a daily report
-# weekly => Send a report every week
-# monthly => Send a report every month
+# Changes the interval in which log files are rotated
+# **weekly** => Rotate log files weekly
+# daily => Rotate log files daily
+# monthly => Rotate log files monthly
 #
-# Note: This Variable actually controls logrotate inside the container and rotates the log depending on this setting. The main log output is still available in its entirety via `docker logs mail` (Or your respective container name). If you want to control logrotation for the docker generated logfile see: [Docker Logging Drivers](https://docs.docker.com/config/containers/logging/configure/)
-REPORT_INTERVAL=daily
+# Note: This Variable actually controls logrotate inside the container
+# and rotates the log files depending on this setting.
The main log output is
+# still available in its entirety via `docker logs mail` (Or your
+# respective container name). If you want to control logrotation for
+# the Docker-generated logfile see:
+# https://docs.docker.com/config/containers/logging/configure/
+#
+# Note: This variable can also determine the interval for Postfix's log summary reports, see [`PFLOGSUMM_TRIGGER`](#pflogsumm_trigger).
+LOGROTATE_INTERVAL=weekly
-# Choose TCP/IP protocols to use
+# Choose TCP/IP protocols for postfix to use
 # **all** => All possible protocols.
 # ipv4 => Use only IPv4 traffic. Most likely you want this behind Docker.
 # ipv6 => Use only IPv6 traffic.
 #
-# Note: More details in http://www.postfix.org/postconf.5.html#inet_protocols
+# Note: More details at http://www.postfix.org/postconf.5.html#inet_protocols
 POSTFIX_INET_PROTOCOLS=all
-# –––––––––––––––––––––––––––––––––––––––––––––––
-# ––– Spamassassin Section ––––––––––––––––––––––
-# –––––––––––––––––––––––––––––––––––––––––––––––
+# Choose TCP/IP protocols for dovecot to use
+# **all** => Listen on all interfaces
+# ipv4 => Listen only on IPv4 interfaces. Most likely you want this behind Docker.
+# ipv6 => Listen only on IPv6 interfaces.
+#
+# Note: More information at https://dovecot.org/doc/dovecot-example.conf
+DOVECOT_INET_PROTOCOLS=all
+
+# -----------------------------------------------
+# --- SpamAssassin Section ----------------------
+# -----------------------------------------------
 ENABLE_SPAMASSASSIN=1
 # deliver spam messages in the inbox (eventually tagged using SA_SPAM_SUBJECT)
 SPAMASSASSIN_SPAM_TO_INBOX=1
+# KAM is a 3rd party SpamAssassin ruleset, provided by the McGrail Foundation.
+# If SpamAssassin is enabled, KAM can be used in addition to the default ruleset.
+# - **0** => KAM disabled
+# - 1 => KAM enabled
+#
+# Note: only has an effect if `ENABLE_SPAMASSASSIN=1`
+ENABLE_SPAMASSASSIN_KAM=1
+
 # spam messages will be moved in the Junk folder (SPAMASSASSIN_SPAM_TO_INBOX=1 required)
 MOVE_SPAM_TO_JUNK=1
@@ -217,18 +305,18 @@ SA_KILL=6.31
 # add tag to subject if spam detected
 SA_SPAM_SUBJECT=***SPAM*****
-# –––––––––––––––––––––––––––––––––––––––––––––––
-# ––– Fetchmail Section –––––––––––––––––––––––––
-# –––––––––––––––––––––––––––––––––––––––––––––––
+# -----------------------------------------------
+# --- Fetchmail Section -------------------------
+# -----------------------------------------------
 ENABLE_FETCHMAIL=0
 # The interval to fetch mail in seconds
 FETCHMAIL_POLL=300
-# –––––––––––––––––––––––––––––––––––––––––––––––
-# ––– LDAP Section ––––––––––––––––––––––––––––––
-# –––––––––––––––––––––––––––––––––––––––––––––––
+# -----------------------------------------------
+# --- LDAP Section ------------------------------
+# -----------------------------------------------
 # A second container for the ldap service is necessary (i.e. https://github.com/osixia/docker-openldap)
 # For preparing the ldap server to use in combination with this container this article may be helpful: http://acidx.net/wordpress/2014/06/installing-a-mailserver-with-postfix-dovecot-sasl-ldap-roundcube/
@@ -274,9 +362,9 @@ LDAP_QUERY_FILTER_ALIAS=
 # => Specify how ldap should be asked for domains
 LDAP_QUERY_FILTER_DOMAIN=
-# –––––––––––––––––––––––––––––––––––––––––––––––
-# ––– Dovecot Section –––––––––––––––––––––––––––
-# –––––––––––––––––––––––––––––––––––––––––––––––
+# -----------------------------------------------
+# --- Dovecot Section ---------------------------
+# -----------------------------------------------
 # empty => no
 # yes => LDAP over TLS enabled for Dovecot
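Review bot: The rotation cadence changes from daily to weekly in the `@@ -164,44 +224,72 @@` hunk: `REPORT_INTERVAL=daily` is removed and its replacement `LOGROTATE_INTERVAL=weekly` takes the upstream default rather than carrying the old value across. The deleted comment states that this variable drives logrotate inside the container, so in-container log retention shifts with it, and the new note says it may also influence the pflogsumm cadence; if daily rotation was intentional this should read `LOGROTATE_INTERVAL=daily`. In the same hunk `LOGWATCH_RECIPIENT` is emptied, which per the context comment above it falls back to `REPORT_RECIPIENT` or `POSTMASTER_ADDRESS`; that is consistent with the new `REPORT_RECIPIENT=andreas@zweili.ch`, but worth confirming since `POSTMASTER_ADDRESS` is a different address.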
@@ -297,9 +385,9 @@ DOVECOT_MAILBOX_FORMAT=maildir
 # https://wiki.dovecot.org/AuthDatabase/LDAP/AuthBinds
 DOVECOT_AUTH_BIND=
-# –––––––––––––––––––––––––––––––––––––––––––––––
-# ––– Postgrey Section ––––––––––––––––––––––––––
-# –––––––––––––––––––––––––––––––––––––––––––––––
+# -----------------------------------------------
+# --- Postgrey Section --------------------------
+# -----------------------------------------------
 ENABLE_POSTGREY=0
 # greylist for N seconds
@@ -307,13 +395,13 @@ POSTGREY_DELAY=300
 # delete entries older than N days since the last time that they have been seen
 POSTGREY_MAX_AGE=35
 # response when a mail is greylisted
-POSTGREY_TEXT=Delayed by Postgrey
+POSTGREY_TEXT="Delayed by Postgrey"
 # whitelist host after N successful deliveries (N=0 to disable whitelisting)
 POSTGREY_AUTO_WHITELIST_CLIENTS=5
-# –––––––––––––––––––––––––––––––––––––––––––––––
-# ––– SASL Section ––––––––––––––––––––––––––––––
-# –––––––––––––––––––––––––––––––––––––––––––––––
+# -----------------------------------------------
+# --- SASL Section ------------------------------
+# -----------------------------------------------
 ENABLE_SASLAUTHD=0
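Review bot: `POSTGREY_TEXT="Delayed by Postgrey"` adds double quotes to a value in an `env_file`, and how those quotes are treated depends on what reads the file — Docker's `--env-file` and older Compose releases pass them through literally, while newer Compose applies dotenv-style unquoting — so the greylisting response may end up containing the quote characters. The previous unquoted form worked because `env_file` values run to end of line, spaces included; keeping `POSTGREY_TEXT=Delayed by Postgrey` is the portable choice unless the quoting has been checked against the Compose version in use (the value is inert anyway while `ENABLE_POSTGREY=0`).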
@@ -322,30 +410,27 @@ ENABLE_SASLAUTHD=0
 # `shadow` => authenticate against local user db
 # `mysql` => authenticate against mysql db
 # `rimap` => authenticate against imap server
-# NOTE: can be a list of mechanisms like pam ldap shadow
+# Note: can be a list of mechanisms like pam ldap shadow
 SASLAUTHD_MECHANISMS=
 # empty => None
 # e.g. with SASLAUTHD_MECHANISMS rimap you need to specify the ip-address/servername of the imap server ==> xxx.xxx.xxx.xxx
 SASLAUTHD_MECH_OPTIONS=
-# empty => localhost
+# empty => Use value of LDAP_SERVER_HOST
+# Note: since version 10.0.0, you can specify a protocol here (like ldaps://); this deprecates SASLAUTHD_LDAP_SSL.
 SASLAUTHD_LDAP_SERVER=
-# empty or 0 => `ldap://` will be used
-# 1 => `ldaps://` will be used
-SASLAUTHD_LDAP_SSL=
-
-# empty => anonymous bind
+# empty => Use value of LDAP_BIND_DN
 # specify an object with priviliges to search the directory tree
 # e.g. active directory: SASLAUTHD_LDAP_BIND_DN=cn=Administrator,cn=Users,dc=mydomain,dc=net
 # e.g. openldap: SASLAUTHD_LDAP_BIND_DN=cn=admin,dc=mydomain,dc=net
 SASLAUTHD_LDAP_BIND_DN=
-# empty => anonymous bind
+# empty => Use value of LDAP_BIND_PW
 SASLAUTHD_LDAP_PASSWORD=
-# empty => Reverting to SASLAUTHD_MECHANISMS pam
+# empty => Use value of LDAP_SEARCH_BASE
 # specify the search base
 SASLAUTHD_LDAP_SEARCH_BASE=
@@ -356,7 +441,7 @@ SASLAUTHD_LDAP_FILTER=
 # empty => no
 # yes => LDAP over TLS enabled for SASL
-# Must not be used together with SASLAUTHD_LDAP_SSL=1_
+# If set to yes, the protocol in SASLAUTHD_LDAP_SERVER must be ldap:// or missing.
 SASLAUTHD_LDAP_START_TLS=
 # empty => no
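Review bot: With `SASLAUTHD_LDAP_SSL` removed, transport protection for saslauthd's LDAP bind now comes only from the scheme in `SASLAUTHD_LDAP_SERVER` (or from `SASLAUTHD_LDAP_START_TLS=yes`, per the following hunk); with both left empty and `SASLAUTHD_LDAP_PASSWORD` now falling back to `LDAP_BIND_PW`, a later `ENABLE_SASLAUTHD=1` would send the bind credential to whatever `LDAP_SERVER_HOST` names, in the clear unless that value already carries `ldaps://` — which this diff cannot show. That is inert while `ENABLE_SASLAUTHD=0` (hunk header context), so a comment beside `SASLAUTHD_LDAP_SERVER=`, `# give an ldaps:// URL here, or set SASLAUTHD_LDAP_START_TLS=yes, before enabling saslauthd`, is enough to record the constraint.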
@@ -390,12 +475,12 @@ SASLAUTHD_LDAP_AUTH_METHOD=
 # Specify the authentication mechanism for SASL bind
 # empty => Nothing is added to the configuration
-# Any value => Fills the `ldap_mech` option
+# Any value => Fills the `ldap_mech` option
 SASLAUTHD_LDAP_MECH=
-# –––––––––––––––––––––––––––––––––––––––––––––––
-# ––– SRS Section –––––––––––––––––––––––––––––––
-# –––––––––––––––––––––––––––––––––––––––––––––––
+# -----------------------------------------------
+# --- SRS Section -------------------------------
+# -----------------------------------------------
 # envelope_sender => Rewrite only envelope sender address (default)
 # header_sender => Rewrite only header sender (not recommended)
@@ -416,9 +501,9 @@ SRS_EXCLUDE_DOMAINS=
 # rotate and expire keys
 SRS_SECRET=
-# –––––––––––––––––––––––––––––––––––––––––––––––
-# ––– Default Relay Host Section ––––––––––––––––
-# –––––––––––––––––––––––––––––––––––––––––––––––
+# -----------------------------------------------
+# --- Default Relay Host Section ----------------
+# -----------------------------------------------
 # Setup relaying all mail through a default relay host
 #
@@ -426,9 +511,9 @@ SRS_SECRET=
 # default host and optional port to relay all mail through
 DEFAULT_RELAY_HOST=mail.infomaniak.com
-# –––––––––––––––––––––––––––––––––––––––––––––––
-# ––– Multi-Domain Relay Section ––––––––––––––––
-# –––––––––––––––––––––––––––––––––––––––––––––––
+# -----------------------------------------------
+# --- Multi-Domain Relay Section ----------------
+# -----------------------------------------------
 # Setup relaying for multiple domains based on the domain name of the sender
 # optionally uses usernames and passwords in postfix-sasl-password.cf and relay host mappings in postfix-relaymap.cf
diff --git a/docker-mailserver/setup.sh b/docker-mailserver/setup.sh
old mode 100755
new mode 100644
index 8dd22b4..62dfd3e
--- a/docker-mailserver/setup.sh
+++ b/docker-mailserver/setup.sh
@@ -26,7 +26,7 @@ LBLUE="\e[94m"
 RESET="\e[0m"
 set -euEo pipefail
-shopt -s inherit_errexit
+shopt -s inherit_errexit 2>/dev/null || true
 trap '__err "${BASH_SOURCE}" "${FUNCNAME[0]:-?}" "${BASH_COMMAND:-?}" "${LINENO:-?}" "${?:-?}"' ERR
 function __err
@@ -88,14 +88,6 @@ function _show_local_usage
 function _get_absolute_script_directory
 {
- if [[ "$(uname)" == 'Darwin' ]]
- then
- readlink() {
- # requires coreutils
- greadlink "${@:+$@}"
- }
- fi
-
 if dirname "$(readlink -f "${0}")" &>/dev/null
 then
 DIR="$(dirname "$(readlink -f "${0}")")"
@@ -154,7 +146,7 @@ function _run_in_new_container
 ${CRI} run --rm "${USE_TTY}" \
 -v "${CONFIG_PATH}:${DMS_CONFIG}${USE_SELINUX}" \
- "${IMAGE_NAME}" "${@:+$@}"
+ "${IMAGE_NAME}" "${@}"
 }
 function _main
@@ -234,9 +226,9 @@ function _main
 if [[ -n ${CONTAINER_NAME} ]]
 then
- ${CRI} exec "${USE_TTY}" "${CONTAINER_NAME}" setup "${@:+$@}"
+ ${CRI} exec "${USE_TTY}" "${CONTAINER_NAME}" setup "${@}"
 else
- _run_in_new_container setup "${@:+$@}"
+ _run_in_new_container setup "${@}"
 fi
 [[ ${1} == 'help' ]] && _show_local_usage
@@ -244,4 +236,5 @@ function _main
 return 0
 }
-_main "${@:+$@}"
+[[ -z ${1:-} ]] && set 'help'
+_main "${@}"
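Review bot: The `setup.sh` file header records `old mode 100755` / `new mode 100644`, so this commit drops the execute bit and `./setup.sh` will stop working even though the script changes themselves are a routine refresh; this looks like an artefact of re-downloading the script rather than an intended change, and the bit should be restored (`chmod +x docker-mailserver/setup.sh`, or `git update-index --chmod=+x docker-mailserver/setup.sh`) before merging. The hunk contents are fine as far as they go: `shopt -s inherit_errexit 2>/dev/null || true` tolerates older bash under `set -e`, `"${@:+$@}"` → `"${@}"` is equivalent on the bash versions this script already requires, and `[[ -z ${1:-} ]] && set 'help'` routes a bare invocation to the usage text instead of an empty `setup` call. `_get_absolute_script_directory`, `_run_in_new_container` and `_main` all extend beyond their hunks.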