Restrict access (Closes #452, #816)

new setup.sh function, new tests, new script

setup.sh

@@ -42,9 +42,10 @@ SUBCOMMANDS:
 
   email:
 
-    $0 email add <email> <password>
-    $0 email update <email> <password>
+    $0 email add <email> [<password>]
+    $0 email update <email> [<password>]
     $0 email del <email>
+    $0 email restrict <add|del|list> <send|receive> [<email>]
     $0 email list
 
   alias:
@@ -60,7 +61,7 @@ SUBCOMMANDS:
   debug:
 
     $0 debug fetchmail
-    $0 debug fail2ban <unban> <ip-address>               
+    $0 debug fail2ban [<unban> <ip-address>]               
     $0 debug show-mail-logs
     $0 debug inspect
     $0 debug login <commands>
@@ -117,7 +118,6 @@ case $1 in
   email)
     shift
     case $1 in
-
       add)
         shift
         _docker_image addmailuser $@
@@ -130,6 +130,10 @@ case $1 in
         shift
         _docker_image delmailuser $@
         ;;
+      restrict)
+        shift
+        _docker_image restrict-access $@
+        ;;  
       list)
         _docker_image listmailuser
         ;;

target/bin/restrict-access

@@ -0,0 +1,56 @@
+#! /bin/bash
+
+MODE="$1"
+USER="$3"
+
+usage() {
+	echo "Usage: $0 <add|del|list> <send|receive> [<email@domain.com>]"
+}
+
+raise() {
+	echo "$@" 1>&2
+	exit 1
+}
+
+escape() {
+	echo "${1//./\\.}"
+}
+[ -z "$MODE" ] && raise "missing parameters: <add|del|list> <send|receive> [<email@domain.com>]"
+
+case $2 in
+	send)
+		DATABASE="/tmp/docker-mailserver/postfix-send-access.cf"
+		;;
+	receive)
+		DATABASE="/tmp/docker-mailserver/postfix-receive-access.cf"
+		;;
+	*)
+		usage; raise "missing parameters. Specify \"send\" or \"receive\"";
+		;;
+esac
+
+if [ -z "$USER" ] && [ "$MODE" != list ]; then
+	read -p "User(user@domain.com): " USER
+	echo
+	[ -z "$USER" ] && raise "User must not be empty"
+fi
+ 
+
+case $MODE in 
+	add)
+		grep -qi "^$(escape "$USER")" $DATABASE 2>/dev/null &&
+			raise "User \"$USER\" already denied to $2 mails"
+		echo -e "$USER \t\t REJECT" >>$DATABASE
+	;;
+	del)
+		sed -ie "/^$(escape "$USER")/d" $DATABASE 2>/dev/null ||
+			raise "User \"$USER\" not found."
+	;;
+	list)
+		grep "REJECT" $DATABASE 2>/dev/null || 
+		    echo "Everyone is allowed to $2 mails."
+    ;;
+	*)
+		usage; raise "missing mode. Specify \"add\", \"del\" or \"list\"";
+	;;
+esac

target/postfix/main.cf

@@ -44,10 +44,9 @@ smtpd_helo_required = yes
 smtpd_delay_reject = yes
 smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname, permit
 smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
-smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_policy_service unix:private/policyd-spf,
-    reject_unauth_pipelining, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_recipient_domain, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net
+smtpd_recipient_restrictions = check_recipient_access texthash:/tmp/docker-mailserver/postfix-receive-access.cf, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_policy_service unix:private/policyd-spf, reject_unauth_pipelining, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_recipient_domain, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net
 smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unauth_pipelining
-smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain,  reject_sender_login_mismatch
+smtpd_sender_restrictions = check_sender_access texthash:/tmp/docker-mailserver/postfix-send-access.cf, permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain, reject_sender_login_mismatch
 disable_vrfy_command = yes
 
 # Postscreen settings to drop zombies/open relays/spam early

test/config/postfix-receive-access.cf

@@ -0,0 +1 @@
+

test/config/postfix-send-access.cf

@@ -0,0 +1 @@
+

test/tests.bats

@@ -146,7 +146,7 @@ load 'test_helper/bats-assert/load'
   run docker exec mail_with_postgrey /bin/sh -c "sed -ie 's/permit_sasl_authenticated.*policyd-spf,$//g' /etc/postfix/main.cf"
   run docker exec mail_with_postgrey /bin/sh -c "sed -ie 's/reject_unauth_pipelining.*reject_unknown_recipient_domain,$//g' /etc/postfix/main.cf"
   run docker exec mail_with_postgrey /bin/sh -c "sed -ie 's/reject_rbl_client.*inet:127\.0\.0\.1:10023$//g' /etc/postfix/main.cf"
-  run docker exec mail_with_postgrey /bin/sh -c "sed -ie 's/smtpd_recipient_restrictions = /smtpd_recipient_restrictions = check_policy_service inet:127.0.0.1:10023/g' /etc/postfix/main.cf"
+  run docker exec mail_with_postgrey /bin/sh -c "sed -ie 's/smtpd_recipient_restrictions =/smtpd_recipient_restrictions = check_policy_service inet:127.0.0.1:10023/g' /etc/postfix/main.cf"
 
   run docker exec mail_with_postgrey /bin/sh -c "/etc/init.d/postfix reload"
   run docker exec mail_with_postgrey /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/postgrey.txt"
@@ -1122,6 +1122,27 @@ load 'test_helper/bats-assert/load'
   [ -z "$value" ]
 }
 
+@test "checking setup.sh: setup.sh email restrict" {
+  run ./setup.sh -c mail email restrict 
+  assert_failure
+  run ./setup.sh -c mail email restrict add
+  assert_failure
+  ./setup.sh -c mail email restrict add send lorem@impsum.org
+  run ./setup.sh -c mail email restrict list send
+  assert_output --regexp "^lorem@impsum.org.*REJECT"
+
+  run ./setup.sh -c mail email restrict del send lorem@impsum.org
+  assert_success
+  run ./setup.sh -c mail email restrict list send
+  assert_output --partial "Everyone is allowed"
+  
+  ./setup.sh -c mail email restrict add receive rec_lorem@impsum.org
+  run ./setup.sh -c mail email restrict list receive
+  assert_output --regexp "^rec_lorem@impsum.org.*REJECT"
+  run ./setup.sh -c mail email restrict del receive rec_lorem@impsum.org
+  assert_success
+}
+
 # alias
 @test "checking setup.sh: setup.sh alias list" {
   echo "test@example.org test@forward.com" > ./config/postfix-virtual.cf