From 85ae8a1471d6b522c9949bb644bc05e506f2677b Mon Sep 17 00:00:00 2001
From: Erik Wramner
Date: Mon, 6 Jan 2020 13:10:46 +0100
Subject: [PATCH] Fix fail2ban issues and install some suggested amavis packages
---
 Dockerfile | 10 +++++++++-
 target/fail2ban/filter.d/postfix-sasl.conf | 19 +++++++++++++++++++
 2 files changed, 28 insertions(+), 1 deletion(-)
 create mode 100644 target/fail2ban/filter.d/postfix-sasl.conf
diff --git a/Dockerfile b/Dockerfile
index e6af09b6..1d4f0a88 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -33,6 +33,7 @@ RUN \
 apt-get update -q --fix-missing && \
 apt-get -y install postfix && \
 apt-get -y install --no-install-recommends \
+ altermime \
 amavisd-new \
 apt-transport-https \
 arj \
@@ -55,6 +56,7 @@ RUN \
 iptables \
 locales \
 logwatch \
+ lhasa \
 libdate-manip-perl \
 liblz4-tool \
 libmail-spf-perl \
@@ -190,7 +192,8 @@ RUN sed -i -r 's/#(@| \\%)bypass/\1bypass/g' /etc/amavis/conf.d/15-content_fil
 # Configure Fail2ban
 COPY target/fail2ban/jail.conf /etc/fail2ban/jail.conf
 COPY target/fail2ban/filter.d/dovecot.conf /etc/fail2ban/filter.d/dovecot.conf
-RUN echo "ignoreregex =" >> /etc/fail2ban/filter.d/postfix-sasl.conf && mkdir /var/run/fail2ban
+COPY target/fail2ban/filter.d/postfix-sasl.conf /etc/fail2ban/filter.d/postfix-sasl.conf
+RUN mkdir /var/run/fail2ban
 # Enables Pyzor and Razor
 RUN su - amavis -c "razor-admin -create && \
@@ -252,6 +255,11 @@ COPY target/supervisor/conf.d/* /etc/supervisor/conf.d/
 WORKDIR /
+# Switch iptables and ip6tables to legacy for fail2ban
+RUN update-alternatives --set iptables /usr/sbin/iptables-legacy \
+ && update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
+
+
 EXPOSE 25 587 143 465 993 110 995 4190
 CMD ["supervisord", "-c", "/etc/supervisor/supervisord.conf"]
diff --git a/target/fail2ban/filter.d/postfix-sasl.conf b/target/fail2ban/filter.d/postfix-sasl.conf
new file mode 100644
index 00000000..756b4937
--- /dev/null
+++ b/target/fail2ban/filter.d/postfix-sasl.conf
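Review bot: In the last Dockerfile hunk, the comment above the `update-alternatives` step says what is switched but not why, and the backend is fixed at build time for every host. If the reason is that the image's default iptables backend does not match what the host kernel offers (an assumption, the commit does not say), a host with the opposite setup would have fail2ban log bans that never take effect. I would extend the comment to something like `# fail2ban bans only take effect when this backend matches the host kernel; this image assumes legacy xtables`. A start-up check that `iptables -L` succeeds would make a mismatch visible instead of silent.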
@@ -0,0 +1,19 @@
+# Fail2Ban filter for postfix authentication failures
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds]
+
+failregex = ^%(__prefix_line)swarning: [-._\w]+\[\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[ A-Za-z0-9+/:]*={0,2})?\s*$
+
+ignoreregex = authentication failed: Connection lost to authentication server$
+
+[Init]
+
+journalmatch = _SYSTEMD_UNIT=postfix.service
+
+ignoreregex =
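Review bot: `ignoreregex` is set twice in the new filter: under `[Definition]` with the "Connection lost to authentication server" pattern, and again, empty, as the last line under `[Init]`. Depending on how fail2ban merges `[Init]` over `[Definition]`, the empty value may win; an outage of the authentication backend would then be counted as failed logins and legitimate clients would be banned. The trailing line looks like a leftover of the removed `echo "ignoreregex =" >>` step and should be dropped. Separately, as shown here the failregex matches empty brackets `\[\]`; fail2ban needs a host capture such as `<HOST>` inside them to know which address to ban, so confirm the committed file has it (it may only have been lost when the page was rendered).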