From 234632913eaf4a304c3347a16e68bc5002c98df4 Mon Sep 17 00:00:00 2001
From: Martin Schulze
Date: Fri, 2 Aug 2019 15:05:00 +0200
Subject: [PATCH 1/3] Add PERMIT_DOCKER=connected-networks

---
 Makefile | 18 +++++++++++++++++-
 README.md | 3 ++-
 target/start-mailserver.sh | 10 +++++++++-
 test/tests.bats | 7 +++++++
 4 files changed, 35 insertions(+), 3 deletions(-)

diff --git a/Makefile b/Makefile
index 35e7481c..cd31b64d 100644
--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,5 @@
 NAME = tvial/docker-mailserver:testing
+NON_DEFAULT_DOCKER_MAIL_NETWORK_NAME=non-default-docker-mail-network

 all: build-no-cache backup generate-accounts run generate-accounts-after-run fixtures tests clean
 all-fast: build backup generate-accounts run generate-accounts-after-run fixtures tests clean
@@ -26,6 +27,19 @@ generate-accounts:
 docker run --rm -e MAIL_USER=user2@otherdomain.tld -e MAIL_PASS=mypassword -t $(NAME) /bin/sh -c 'echo "$$MAIL_USER|$$(doveadm pw -s SHA512-CRYPT -u $$MAIL_USER -p $$MAIL_PASS)"' >> test/config/postfix-accounts.cf

 run:
+ docker network create --driver bridge --subnet 192.168.133.0/24 $(NON_DEFAULT_DOCKER_MAIL_NETWORK_NAME)
+ # use two networks (default ("bridge") and our custom network) to recreate problematic test case where PERMIT_DOCKER=host would not help
+ docker run -d --name mail_smtponly_second_network \ -v "`pwd`/test/config":/tmp/docker-mailserver \ -v "`pwd`/test":/tmp/docker-mailserver-test \ -e SMTP_ONLY=1 \ -e PERMIT_DOCKER=connected-networks \ -e DMS_DEBUG=0 \ -e OVERRIDE_HOSTNAME=mail.my-domain.com \ --network bridge \ --network $(NON_DEFAULT_DOCKER_MAIL_NETWORK_NAME) \ -t $(NAME)
+ sleep 15
 # Run containers
 docker run -d --name mail \
 -v "`pwd`/test/config":/tmp/docker-mailserver \
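Review bot: The `docker network create` line at the top of the new `run:` recipe is not idempotent: when a previous `make run` aborted before `clean` ran, the network still exists, the create fails and the target stops before any container is started. Guarding it keeps the recipe re-runnable, e.g. `docker network inspect $(NON_DEFAULT_DOCKER_MAIL_NETWORK_NAME) >/dev/null 2>&1 || docker network create --driver bridge --subnet 192.168.133.0/24 $(NON_DEFAULT_DOCKER_MAIL_NETWORK_NAME)`. The patch-2 version of this hunk keeps the unguarded create (two of them by then) and patch 3 only ignores failures of the matching `docker network rm` in `clean`, which makes a stale network more likely rather than less. The hard-coded `--subnet` is a second way the create can fail — Docker refuses a pool that overlaps an existing network or host route — so a short comment on why this range was chosen would help whoever hits that. The `run:` recipe continues past the end of the hunk.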
@@ -319,8 +333,10 @@ clean:
 mail_domainname \
 mail_srs_domainname \
 mail_with_relays \
- mail_with_default_relay
+ mail_with_default_relay \
+ mail_smtponly_second_network

+ docker network rm ${NON_DEFAULT_DOCKER_MAIL_NETWORK_NAME}
 @if [ -d config.bak ]; then\
 rm -rf config ;\
 mv config.bak config ;\
diff --git a/README.md b/README.md
index c6b79f94..9e4c2fe8 100644
--- a/README.md
+++ b/README.md
@@ -285,7 +285,8 @@ Enables the Sender Rewriting Scheme. SRS is needed if your mail server acts as f
 Set different options for mynetworks option (can be overwrite in postfix-main.cf)
 - **empty** => localhost only
 - host => Add docker host (ipv4 only)
- - network => Add all docker containers (ipv4 only)
+ - network => Add the docker default bridge network (172.16.0.0/12); **WARNING**: `docker-compose` might use others (e.g. 192.168.0.0/16) use `PERMIT_DOCKER=connected-networks` in this case
+ - connected-networks => Add all connected docker networks (ipv4 only)

 ##### VIRUSMAILS_DELETE_DELAY

diff --git a/target/start-mailserver.sh b/target/start-mailserver.sh
index c7830312..82b9e4b0 100644
--- a/target/start-mailserver.sh
+++ b/target/start-mailserver.sh
@@ -1016,6 +1016,7 @@ function _setup_docker_permit() {

 container_ip=$(ip addr show eth0 | grep 'inet ' | sed 's/[^0-9\.\/]*//g' | cut -d '/' -f 1)
 container_network="$(echo $container_ip | cut -d '.' -f1-2).0.0"
+ container_networks=$(ip -o -4 addr show type veth | egrep -o '[0-9\.]+/[0-9]+')

 case $PERMIT_DOCKER in
 "host" )
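Review bot: The new `docker network rm ${NON_DEFAULT_DOCKER_MAIL_NETWORK_NAME}` line spells the variable as `${…}` while `run:` writes the same variable as `$(NON_DEFAULT_DOCKER_MAIL_NETWORK_NAME)` and every other reference in this file uses `$(…)`; make treats both identically, but mixing them in a recipe invites a reader to mistake one form for a shell expansion. Writing it as `docker network rm $(NON_DEFAULT_DOCKER_MAIL_NETWORK_NAME)` keeps the file consistent. The same spelling is carried into the patch-2 and patch-3 versions of this `clean` hunk. The `clean` recipe starts before and ends after the hunk.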
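Review bot: `container_networks` collects the container's own addresses with their prefix length (`192.168.13.2/24` style, which is exactly what the patch-2 test pins), not the network prefixes, so values with host bits set end up in `mynetworks`, `/etc/opendmarc/ignore.hosts` and `/etc/opendkim/TrustedHosts`. Postfix masks such entries with a warning; whether OpenDKIM and OpenDMARC do the same I cannot confirm from here, so deriving the prefix directly is safer, e.g. `container_networks=$(ip -o -4 route show scope link | cut -d ' ' -f 1)`. The `type veth` filter also means that under `--network host`, macvlan or ipvlan nothing is collected and the `connected-networks` branch later adds nothing without any message — presumably not intended, so a warning through `notify` on an empty list would surface it. `egrep` is the deprecated spelling of `grep -E`, and the variable is computed for every `PERMIT_DOCKER` value although only one branch reads it. `_setup_docker_permit` starts before and ends after this hunk.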
@@ -1031,7 +1032,14 @@ function _setup_docker_permit() {
 echo 172.16.0.0/12 >> /etc/opendmarc/ignore.hosts
 echo 172.16.0.0/12 >> /etc/opendkim/TrustedHosts
 ;;
-
+ "connected-networks" )
+ for network in $container_networks; do
+ notify 'inf' "Adding docker network $network in my networks"
+ postconf -e "$(postconf | grep '^mynetworks =') $network"
+ echo $network >> /etc/opendmarc/ignore.hosts
+ echo $network >> /etc/opendkim/TrustedHosts
+ done
+ ;;
 * )
 notify 'inf' "Adding container ip in my networks"
 postconf -e "$(postconf | grep '^mynetworks =') $container_ip/32"
diff --git a/test/tests.bats b/test/tests.bats
index 7d6d177c..6a2a8305 100644
--- a/test/tests.bats
+++ b/test/tests.bats
@@ -1227,6 +1227,13 @@ function count_processed_changes() {
 assert_success
 }

+@test "checking PERMIT_DOCKER: connected-networks" { run docker exec mail /bin/sh -c "postconf | grep '^mynetworks =' | egrep '[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.0\.0/16'" assert_success run docker exec mail_pop3 /bin/sh -c "postconf | grep '^mynetworks =' | egrep '[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}/32'" assert_success }
+
 #
 # amavis
 #

From 9c1a5d76af0634dcf2e38e770d03af179a5cbb67 Mon Sep 17 00:00:00 2001
From: Martin Schulze
Date: Sat, 3 Aug 2019 20:49:10 +0200
Subject: [PATCH 2/3] Fix tests for PERMIT_DOCKER=connected-networks

---
 Makefile | 12 ++++++++----
 test/tests.bats | 7 +++----
 2 files changed, 11 insertions(+), 8 deletions(-)

diff --git a/Makefile b/Makefile
index cd31b64d..41490a99 100644
--- a/Makefile
+++ b/Makefile
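Review bot: The new `"connected-networks"` branch turns every attached network's whole prefix into a trusted source, and neither the loop nor the README line of this patch says what that means: every other container on those networks (in a compose project, every service) may relay through Postfix without authentication, and the two files appended to here are the ones OpenDKIM and OpenDMARC consult to skip verification for those hosts. A one-line comment above the loop would make the trust boundary explicit: `# every host on these networks may relay unauthenticated and is exempt from DKIM/DMARC checks`. Two nits in the same loop: `echo $network` should be quoted as `echo "$network"` like the `postconf -e` argument on the line above, and the message reads better as `"Adding docker network $network to my networks"`. The enclosing `case` continues outside the hunk.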
@@ -27,18 +27,22 @@ generate-accounts:
 docker run --rm -e MAIL_USER=user2@otherdomain.tld -e MAIL_PASS=mypassword -t $(NAME) /bin/sh -c 'echo "$$MAIL_USER|$$(doveadm pw -s SHA512-CRYPT -u $$MAIL_USER -p $$MAIL_PASS)"' >> test/config/postfix-accounts.cf

 run:
- docker network create --driver bridge --subnet 192.168.133.0/24 $(NON_DEFAULT_DOCKER_MAIL_NETWORK_NAME)
+ docker network create --driver bridge --subnet 192.168.13.0/24 $(NON_DEFAULT_DOCKER_MAIL_NETWORK_NAME)
+ docker network create --driver bridge --subnet 192.168.37.0/24 $(NON_DEFAULT_DOCKER_MAIL_NETWORK_NAME)2
 # use two networks (default ("bridge") and our custom network) to recreate problematic test case where PERMIT_DOCKER=host would not help
- docker run -d --name mail_smtponly_second_network \
+ # currently we cannot use --network in `docker run` multiple times, it will just use the last one
+ # instead we need to use create, network connect and start (see https://success.docker.com/article/multiple-docker-networks)
+ docker create --name mail_smtponly_second_network \
 -v "`pwd`/test/config":/tmp/docker-mailserver \
 -v "`pwd`/test":/tmp/docker-mailserver-test \
 -e SMTP_ONLY=1 \
 -e PERMIT_DOCKER=connected-networks \
 -e DMS_DEBUG=0 \
 -e OVERRIDE_HOSTNAME=mail.my-domain.com \
- --network bridge \
 --network $(NON_DEFAULT_DOCKER_MAIL_NETWORK_NAME) \
 -t $(NAME)
+ docker network connect $(NON_DEFAULT_DOCKER_MAIL_NETWORK_NAME)2 mail_smtponly_second_network
+ docker start mail_smtponly_second_network
 sleep 15
 # Run containers
 docker run -d --name mail \
@@ -336,7 +340,7 @@ clean:
 mail_with_default_relay \
 mail_smtponly_second_network

- docker network rm ${NON_DEFAULT_DOCKER_MAIL_NETWORK_NAME}
+ docker network rm ${NON_DEFAULT_DOCKER_MAIL_NETWORK_NAME} ${NON_DEFAULT_DOCKER_MAIL_NETWORK_NAME}2
 @if [ -d config.bak ]; then\
 rm -rf config ;\
 mv config.bak config ;\
diff --git a/test/tests.bats b/test/tests.bats
index 6a2a8305..b66dd666 100644
--- a/test/tests.bats
+++ b/test/tests.bats
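Review bot: The context comment `# use two networks (default ("bridge") and our custom network) to recreate problematic test case where PERMIT_DOCKER=host would not help` is now wrong: this hunk drops `--network bridge` and attaches the container to two custom networks, so the description no longer matches the commands under it. Rewording it to `# attach to two custom networks (not the default "bridge") to recreate the case where PERMIT_DOCKER=host would not help` keeps the test's intent readable. The second network name is built by suffixing the variable, `$(NON_DEFAULT_DOCKER_MAIL_NETWORK_NAME)2`; a second variable would be clearer and would avoid spelling that construction three times across `run:` and `clean`. The `run:` recipe continues past the hunk.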
@@ -1228,10 +1228,9 @@ function count_processed_changes() {
 }

 @test "checking PERMIT_DOCKER: connected-networks" {
- run docker exec mail /bin/sh -c "postconf | grep '^mynetworks =' | egrep '[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.0\.0/16'"
- assert_success
- run docker exec mail_pop3 /bin/sh -c "postconf | grep '^mynetworks =' | egrep '[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}/32'"
- assert_success
+ run docker exec mail_smtponly_second_network /bin/sh -c "postconf | grep '^mynetworks ='"
+ assert_output --regexp "192\.168\.13\.[0-9]{1,3}\/24"
+ assert_output --regexp '192.168.37.[0-9]{1,3}/24'
 }

 #

From 63c909da4251c557d47dd7e12ab67a8c1812d291 Mon Sep 17 00:00:00 2001
From: Martin Schulze
Date: Sun, 4 Aug 2019 10:47:17 +0200
Subject: [PATCH 3/3] Update to test-files, ignore cleanup return code

---
 Makefile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Makefile b/Makefile
index 41490a99..4475ff4a 100644
--- a/Makefile
+++ b/Makefile
@@ -34,7 +34,7 @@ run:
 # instead we need to use create, network connect and start (see https://success.docker.com/article/multiple-docker-networks)
 docker create --name mail_smtponly_second_network \
 -v "`pwd`/test/config":/tmp/docker-mailserver \
- -v "`pwd`/test":/tmp/docker-mailserver-test \
+ -v "`pwd`/test/test-files":/tmp/docker-mailserver-test:ro \
 -e SMTP_ONLY=1 \
 -e PERMIT_DOCKER=connected-networks \
 -e DMS_DEBUG=0 \
@@ -340,7 +340,7 @@ clean:
 mail_with_default_relay \
 mail_smtponly_second_network

- docker network rm ${NON_DEFAULT_DOCKER_MAIL_NETWORK_NAME} ${NON_DEFAULT_DOCKER_MAIL_NETWORK_NAME}2
+ -docker network rm ${NON_DEFAULT_DOCKER_MAIL_NETWORK_NAME} ${NON_DEFAULT_DOCKER_MAIL_NETWORK_NAME}2
 @if [ -d config.bak ]; then\
 rm -rf config ;\
 mv config.bak config ;\
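Review bot: The two `assert_output --regexp` lines are written inconsistently: the first escapes the dots and the slash (`\/` is not needed in an ERE), the second leaves the dots unescaped, so `192.168.37.` also matches any three separator characters. Using one form for both, `assert_output --regexp '192\.168\.13\.[0-9]{1,3}/24'` and `assert_output --regexp '192\.168\.37\.[0-9]{1,3}/24'`, makes the check as strict as it reads. Both patterns deliberately pin the host-address-with-prefix form (`…13.N/24` rather than `…13.0/24`) that `_setup_docker_permit` currently produces; if that is ever normalised to the network prefix this test changes with it, which deserves a comment on the test. The test function is fully inside the hunk.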
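Review bot: The `-` prefix added to `docker network rm …` silences every failure, including the one that matters for the next run: a network that cannot be removed because a container is still attached stays behind, and the unguarded `docker network create` in `run:` then fails on the next `make run`. If the intent is only to tolerate a network that was never created when cleaning up an aborted run, say so next to the line, e.g. `# -: network may not exist when cleaning up an aborted run`, so the next reader does not widen the ignore further. The `clean` recipe starts before and ends after the hunk.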