diff --git a/Dockerfile b/Dockerfile index fe322d26..38f30633 100644 --- a/Dockerfile +++ b/Dockerfile @@ -8,6 +8,7 @@ ENV ENABLE_POSTGREY=0 ENV FETCHMAIL_POLL=300 ENV POSTGREY_DELAY=300 ENV POSTGREY_MAX_AGE=35 +ENV POSTGREY_AUTO_WHITELIST_CLIENTS=5 ENV POSTGREY_TEXT="Delayed by postgrey" ENV SASLAUTHD_MECHANISMS=pam @@ -176,7 +177,7 @@ RUN mkdir /var/run/fetchmail && chown fetchmail /var/run/fetchmail # Configures Postfix COPY target/postfix/main.cf target/postfix/master.cf /etc/postfix/ -COPY target/postfix/sender_header_filter.pcre target/postfix/sender_login_maps.pcre /etc/postfix/maps/ +COPY target/postfix/header_checks.pcre target/postfix/sender_header_filter.pcre target/postfix/sender_login_maps.pcre /etc/postfix/maps/ RUN echo "" > /etc/aliases && \ openssl dhparam -out /etc/postfix/dhparams.pem 2048 && \ echo "@weekly FILE=`mktemp` ; openssl dhparam -out $FILE 2048 > /dev/null 2>&1 && mv -f $FILE /etc/postfix/dhparams.pem" > /etc/cron.d/dh2048 diff --git a/Makefile b/Makefile index 1e693c80..090b81f7 100644 --- a/Makefile +++ b/Makefile @@ -220,6 +220,7 @@ run: -e ENABLE_POSTGREY=1 \ -e POSTGREY_DELAY=15 \ -e POSTGREY_MAX_AGE=35 \ + -e POSTGREY_AUTO_WHITELIST_CLIENTS=5 \ -e POSTGREY_TEXT="Delayed by postgrey" \ -e DMS_DEBUG=0 \ -h mail.my-domain.com -t $(NAME) diff --git a/README.md b/README.md index 51da6915..9851731b 100644 --- a/README.md +++ b/README.md @@ -487,6 +487,12 @@ Note: This postgrey setting needs `ENABLE_POSTGREY=1` Note: This postgrey setting needs `ENABLE_POSTGREY=1` +##### POSTGREY_AUTO_WHITELIST_CLIENTS + + - **5** => whitelist host after N successful deliveries (N=0 to disable whitelisting) + +Note: This postgrey setting needs `ENABLE_POSTGREY=1` + ##### POSTGREY_TEXT - **Delayed by postgrey** => response when a mail is greylisted diff --git a/docker-compose.elk.yml.dist b/docker-compose.elk.yml.dist index c9e042f9..1dea1890 100644 --- a/docker-compose.elk.yml.dist +++ b/docker-compose.elk.yml.dist @@ -58,6 +58,7 @@ services: - ENABLE_POSTGREY=${ENABLE_POSTGREY} - POSTGREY_DELAY=${POSTGREY_DELAY} - POSTGREY_MAX_AGE=${POSTGREY_MAX_AGE} + - POSTGREY_AUTO_WHITELIST_CLIENTS=${POSTGREY_AUTO_WHITELIST_CLIENTS} - POSTGREY_TEXT=${POSTGREY_TEXT} - ENABLE_SASLAUTHD=${ENABLE_SASLAUTHD} - SASLAUTHD_MECHANISMS=${SASLAUTHD_MECHANISMS} diff --git a/docker-compose.yml.dist b/docker-compose.yml.dist index 8768e57d..d8f4ead5 100644 --- a/docker-compose.yml.dist +++ b/docker-compose.yml.dist @@ -60,6 +60,7 @@ services: - ENABLE_POSTGREY=${ENABLE_POSTGREY} - POSTGREY_DELAY=${POSTGREY_DELAY} - POSTGREY_MAX_AGE=${POSTGREY_MAX_AGE} + - POSTGREY_AUTO_WHITELIST_CLIENTS=${POSTGREY_AUTO_WHITELIST_CLIENTS} - POSTGREY_TEXT=${POSTGREY_TEXT} - ENABLE_SASLAUTHD=${ENABLE_SASLAUTHD} - SASLAUTHD_MECHANISMS=${SASLAUTHD_MECHANISMS} diff --git a/target/postfix/header_checks.pcre b/target/postfix/header_checks.pcre new file mode 100644 index 00000000..e69de29b diff --git a/target/postfix/main.cf b/target/postfix/main.cf index 74c26493..dcca0f53 100644 --- a/target/postfix/main.cf +++ b/target/postfix/main.cf @@ -95,5 +95,8 @@ non_smtpd_milters = $dkim_milter # SPF policy settings policyd-spf_time_limit = 3600 +# Header checks for content inspection on receiving +header_checks = pcre:/etc/postfix/maps/header_checks.pcre + # Remove unwanted headers that reveail our privacy smtp_header_checks = pcre:/etc/postfix/maps/sender_header_filter.pcre diff --git a/target/start-mailserver.sh b/target/start-mailserver.sh index 41b132c2..3c97ef83 100644 --- a/target/start-mailserver.sh +++ b/target/start-mailserver.sh @@ -18,6 +18,7 @@ DEFAULT_VARS["ENABLE_LDAP"]="${ENABLE_LDAP:="0"}" DEFAULT_VARS["ENABLE_POSTGREY"]="${ENABLE_POSTGREY:="0"}" DEFAULT_VARS["POSTGREY_DELAY"]="${POSTGREY_DELAY:="300"}" DEFAULT_VARS["POSTGREY_MAX_AGE"]="${POSTGREY_MAX_AGE:="35"}" +DEFAULT_VARS["POSTGREY_AUTO_WHITELIST_CLIENTS"]="${POSTGREY_AUTO_WHITELIST_CLIENTS:="5"}" DEFAULT_VARS["POSTGREY_TEXT"]="${POSTGREY_TEXT:="Delayed by postgrey"}" DEFAULT_VARS["POSTFIX_MESSAGE_SIZE_LIMIT"]="${POSTFIX_MESSAGE_SIZE_LIMIT:="10240000"}" # ~10 MB by default DEFAULT_VARS["POSTFIX_MAILBOX_SIZE_LIMIT"]="${POSTFIX_MAILBOX_SIZE_LIMIT:="0"}" # no limit by default @@ -638,7 +639,7 @@ function _setup_ldap() { function _setup_postgrey() { notify 'inf' "Configuring postgrey" sed -i -e 's/, reject_rbl_client bl.spamcop.net$/, reject_rbl_client bl.spamcop.net, check_policy_service inet:127.0.0.1:10023/' /etc/postfix/main.cf - sed -i -e "s/\"--inet=127.0.0.1:10023\"/\"--inet=127.0.0.1:10023 --delay=$POSTGREY_DELAY --max-age=$POSTGREY_MAX_AGE\"/" /etc/default/postgrey + sed -i -e "s/\"--inet=127.0.0.1:10023\"/\"--inet=127.0.0.1:10023 --delay=$POSTGREY_DELAY --max-age=$POSTGREY_MAX_AGE --auto-whitelist-clients=$POSTGREY_AUTO_WHITELIST_CLIENTS\"/" /etc/default/postgrey TEXT_FOUND=`grep -i "POSTGREY_TEXT" /etc/default/postgrey | wc -l` if [ $TEXT_FOUND -eq 0 ]; then @@ -647,6 +648,9 @@ function _setup_postgrey() { if [ -f /tmp/docker-mailserver/whitelist_clients.local ]; then cp -f /tmp/docker-mailserver/whitelist_clients.local /etc/postgrey/whitelist_clients.local fi + if [ -f /tmp/docker-mailserver/whitelist_recipients ]; then + cp -f /tmp/docker-mailserver/whitelist_recipients /etc/postgrey/whitelist_recipients + fi } function _setup_postfix_postscreen() { diff --git a/target/supervisor/conf.d/supervisor-app.conf b/target/supervisor/conf.d/supervisor-app.conf index f0b8ef1d..08b246f5 100644 --- a/target/supervisor/conf.d/supervisor-app.conf +++ b/target/supervisor/conf.d/supervisor-app.conf @@ -87,7 +87,7 @@ autostart=false autorestart=true stdout_logfile=/var/log/mail/mail.log stderr_logfile=/var/log/mail/mail.log -command=/usr/sbin/postgrey --inet=127.0.0.1:10023 --syslog-facility=mail --delay=%(ENV_POSTGREY_DELAY)s --max-age=%(ENV_POSTGREY_MAX_AGE)s --greylist-text="%(ENV_POSTGREY_TEXT)s" +command=/usr/sbin/postgrey --inet=127.0.0.1:10023 --syslog-facility=mail --delay=%(ENV_POSTGREY_DELAY)s --max-age=%(ENV_POSTGREY_MAX_AGE)s --auto-whitelist-clients=%(ENV_POSTGREY_AUTO_WHITELIST_CLIENTS)s --greylist-text="%(ENV_POSTGREY_TEXT)s" [program:amavis] startsecs=0 diff --git a/test/config/whitelist_recipients b/test/config/whitelist_recipients new file mode 100644 index 00000000..3176ad0a --- /dev/null +++ b/test/config/whitelist_recipients @@ -0,0 +1 @@ +user2@otherdomain.tld diff --git a/test/nc_templates/postgrey_whitelist_local.txt b/test/nc_templates/postgrey_whitelist_local.txt new file mode 100644 index 00000000..0358d5ca --- /dev/null +++ b/test/nc_templates/postgrey_whitelist_local.txt @@ -0,0 +1,9 @@ +request=smtpd_access_policy +protocol_state=RCPT +protocol_name=ESMTP +client_address=127.0.0.1 +client_name=whitelistlocal.tld +helo_name=whitelistlocal.tld +sender=test@whitelistlocal.tld +recipient=user1@localhost.localdomain + diff --git a/test/nc_templates/postgrey_whitelist_recipients.txt b/test/nc_templates/postgrey_whitelist_recipients.txt new file mode 100644 index 00000000..9df8c055 --- /dev/null +++ b/test/nc_templates/postgrey_whitelist_recipients.txt @@ -0,0 +1,9 @@ +request=smtpd_access_policy +protocol_state=RCPT +protocol_name=ESMTP +client_address=127.0.0.1 +client_name=nonwhitelist.tld +helo_name=nonwhitelist.tld +sender=test@nonwhitelist.tld +recipient=user2@otherdomain.tld + diff --git a/test/tests.bats b/test/tests.bats index a4bec59a..0c86c380 100644 --- a/test/tests.bats +++ b/test/tests.bats @@ -128,7 +128,7 @@ load 'test_helper/bats-assert/load' } @test "checking postgrey: /etc/default/postgrey correctly edited and has the default values" { - run docker exec mail_with_postgrey /bin/bash -c "grep '^POSTGREY_OPTS=\"--inet=127.0.0.1:10023 --delay=15 --max-age=35\"$' /etc/default/postgrey | wc -l" + run docker exec mail_with_postgrey /bin/bash -c "grep '^POSTGREY_OPTS=\"--inet=127.0.0.1:10023 --delay=15 --max-age=35 --auto-whitelist-clients=5\"$' /etc/default/postgrey | wc -l" assert_success assert_output 1 run docker exec mail_with_postgrey /bin/bash -c "grep '^POSTGREY_TEXT=\"Delayed by postgrey\"$' /etc/default/postgrey | wc -l" @@ -142,7 +142,7 @@ load 'test_helper/bats-assert/load' } @test "checking postgrey: there should be a log entry about a new greylisted e-mail user@external.tld in /var/log/mail/mail.log" { - #editing the postfix config in order to ensure that postgrey handles the test e-mail. The other spam checks at smtpd_recipient_restrictionswould interfere with it. + #editing the postfix config in order to ensure that postgrey handles the test e-mail. The other spam checks at smtpd_recipient_restrictions would interfere with it. run docker exec mail_with_postgrey /bin/sh -c "sed -ie 's/permit_sasl_authenticated.*policyd-spf,$//g' /etc/postfix/main.cf" run docker exec mail_with_postgrey /bin/sh -c "sed -ie 's/reject_unauth_pipelining.*reject_unknown_recipient_domain,$//g' /etc/postfix/main.cf" run docker exec mail_with_postgrey /bin/sh -c "sed -ie 's/reject_rbl_client.*inet:127\.0\.0\.1:10023$//g' /etc/postfix/main.cf" @@ -172,6 +172,21 @@ load 'test_helper/bats-assert/load' assert_output 1 } +@test "checking postgrey: there should be a log entry about the whitelisted local and passed e-mail user@whitelistlocal.tld in /var/log/mail/mail.log" { + run docker exec mail_with_postgrey /bin/sh -c "nc -w 8 0.0.0.0 10023 < /tmp/docker-mailserver-test/nc_templates/postgrey_whitelist_local.txt" + run docker exec mail_with_postgrey /bin/sh -c "grep -i 'action=pass, reason=client whitelist' /var/log/mail/mail.log | wc -l" + assert_success + assert_output 1 +} + +@test "checking postgrey: there should be a log entry about the whitelisted recipient user2@otherdomain.tld in /var/log/mail/mail.log" { + run docker exec mail_with_postgrey /bin/sh -c "nc -w 8 0.0.0.0 10023 < /tmp/docker-mailserver-test/nc_templates/postgrey_whitelist_recipients.txt" + run docker exec mail_with_postgrey /bin/sh -c "grep -i 'action=pass, reason=recipient whitelist' /var/log/mail/mail.log | wc -l" + assert_success + assert_output 1 +} + + # # imap #