From c8dfb9ac765cd9c2fbacd604e580112ff12daa4e Mon Sep 17 00:00:00 2001 From: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com> Date: Sun, 16 Apr 2023 14:09:00 +0200 Subject: [PATCH] Posfix: add option to re-enable `reject_unknown_client_hostname` after #3248 (#3255) --- docs/content/config/environment.md | 7 + mailserver.env | 7 + target/scripts/start-mailserver.sh | 16 +-- target/scripts/startup/setup.d/postfix.sh | 149 ++++++++++------------ target/scripts/startup/variables-stack.sh | 3 +- 5 files changed, 89 insertions(+), 93 deletions(-) diff --git a/docs/content/config/environment.md b/docs/content/config/environment.md index e221d13c..bea6b93b 100644 --- a/docs/content/config/environment.md +++ b/docs/content/config/environment.md @@ -274,6 +274,13 @@ Customize the update check interval. Number + Suffix. Suffix must be 's' for sec This option has been added in November 2019. Using other format than Maildir is considered as experimental in docker-mailserver and should only be used for testing purpose. For more details, please refer to [Dovecot Documentation](https://wiki2.dovecot.org/MailboxFormat). +##### POSTFIX_REJECT_UNKNOWN_CLIENT_HOSTNAME + +If enabled, employs `reject_unknown_client_hostname` to sender restrictions in Postfix's configuration. + +- **0** => Disabled +- 1 => Enabled + ##### POSTFIX_INET_PROTOCOLS - **all** => Listen on all interfaces. diff --git a/mailserver.env b/mailserver.env index 81356af5..7ff2843f 100644 --- a/mailserver.env +++ b/mailserver.env @@ -318,6 +318,13 @@ REPORT_SENDER= # Note: This variable can also determine the interval for Postfix's log summary reports, see [`PFLOGSUMM_TRIGGER`](#pflogsumm_trigger). LOGROTATE_INTERVAL=weekly + +# If enabled, employs `reject_unknown_client_hostname` to sender restrictions in Postfix's configuration. +# +# - **0** => Disabled +# - 1 => Enabled +POSTFIX_REJECT_UNKNOWN_CLIENT_HOSTNAME=0 + # Choose TCP/IP protocols for postfix to use # **all** => All possible protocols. # ipv4 => Use only IPv4 traffic. Most likely you want this behind Docker. diff --git a/target/scripts/start-mailserver.sh b/target/scripts/start-mailserver.sh index 039c8f74..ff187f11 100755 --- a/target/scripts/start-mailserver.sh +++ b/target/scripts/start-mailserver.sh @@ -75,7 +75,6 @@ function _register_functions _register_setup_function '_setup_saslauthd' fi - _register_setup_function '_setup_postfix_inet_protocols' _register_setup_function '_setup_dovecot_inet_protocols' _register_setup_function '_setup_opendkim' @@ -91,17 +90,11 @@ function _register_functions _register_setup_function '_setup_mailname' _register_setup_function '_setup_dovecot_hostname' - _register_setup_function '_setup_postfix_hostname' - _register_setup_function '_setup_postfix_smtputf8' - _register_setup_function '_setup_postfix_sasl' - _register_setup_function '_setup_postfix_aliases' - _register_setup_function '_setup_postfix_vhost' - _register_setup_function '_setup_postfix_dhparam' - _register_setup_function '_setup_postfix_sizelimits' + _register_setup_function '_setup_postfix_early' _register_setup_function '_setup_fetchmail' _register_setup_function '_setup_fetchmail_parallel' - # needs to come after _setup_postfix_aliases + # needs to come after _setup_postfix_early _register_setup_function '_setup_spoof_protection' if [[ ${ENABLE_SRS} -eq 1 ]] @@ -110,10 +103,7 @@ function _register_functions _register_start_daemon '_start_daemon_postsrsd' fi - _register_setup_function '_setup_postfix_access_control' - _register_setup_function '_setup_postfix_relay_hosts' - _register_setup_function '_setup_postfix_virtual_transport' - _register_setup_function '_setup_postfix_override_configuration' + _register_setup_function '_setup_postfix_late' _register_setup_function '_setup_logrotate' _register_setup_function '_setup_mail_summary' _register_setup_function '_setup_logwatch' diff --git a/target/scripts/startup/setup.d/postfix.sh b/target/scripts/startup/setup.d/postfix.sh index 12a2f8b6..bd9feaa6 100644 --- a/target/scripts/startup/setup.d/postfix.sh +++ b/target/scripts/startup/setup.d/postfix.sh @@ -1,34 +1,30 @@ #!/bin/bash -function _setup_postfix_sizelimits +# Just a helper to prepend the log messages with `(Postfix setup)` so +# users know exactly where the message originated from. +# +# @param ${1} = log level +# @param ${2} = message +function __postfix__log { _log "${1:-}" "(Postfix setup) ${2:-}" ; } + +function _setup_postfix_early { - _log 'trace' "Configuring Postfix message size limit to '${POSTFIX_MESSAGE_SIZE_LIMIT}'" - postconf "message_size_limit = ${POSTFIX_MESSAGE_SIZE_LIMIT}" + _log 'debug' 'Configuring Postfix (early setup)' - _log 'trace' "Configuring Postfix mailbox size limit to '${POSTFIX_MAILBOX_SIZE_LIMIT}'" - postconf "mailbox_size_limit = ${POSTFIX_MAILBOX_SIZE_LIMIT}" + __postfix__log 'trace' 'Applying hostname and domainname' + postconf "myhostname = ${HOSTNAME}" + postconf "mydomain = ${DOMAINNAME}" - _log 'trace' "Configuring Postfix virtual mailbox size limit to '${POSTFIX_MAILBOX_SIZE_LIMIT}'" - postconf "virtual_mailbox_limit = ${POSTFIX_MAILBOX_SIZE_LIMIT}" -} - -function _setup_postfix_access_control -{ - _log 'trace' 'Configuring user access' - - if [[ -f /tmp/docker-mailserver/postfix-send-access.cf ]] + if [[ ${POSTFIX_INET_PROTOCOLS} != 'all' ]] then - sed -i 's|smtpd_sender_restrictions =|smtpd_sender_restrictions = check_sender_access texthash:/tmp/docker-mailserver/postfix-send-access.cf,|' /etc/postfix/main.cf + __postfix__log 'trace' 'Setting up POSTFIX_INET_PROTOCOLS option' + postconf "inet_protocols = ${POSTFIX_INET_PROTOCOLS}" fi - if [[ -f /tmp/docker-mailserver/postfix-receive-access.cf ]] - then - sed -i 's|smtpd_recipient_restrictions =|smtpd_recipient_restrictions = check_recipient_access texthash:/tmp/docker-mailserver/postfix-receive-access.cf,|' /etc/postfix/main.cf - fi -} + __postfix__log 'trace' "Disabling SMTPUTF8 support" + postconf 'smtputf8_enable = no' -function _setup_postfix_sasl -{ + __postfix__log 'trace' "Configuring SASLauthd" if [[ ${ENABLE_SASLAUTHD} -eq 1 ]] && [[ ! -f /etc/postfix/sasl/smtpd.conf ]] then cat >/etc/postfix/sasl/smtpd.conf << EOF @@ -46,40 +42,65 @@ EOF 's|^ -o smtpd_sasl_auth_enable=.*| -o smtpd_sasl_auth_enable=no|g' \ /etc/postfix/master.cf fi -} -function _setup_postfix_aliases -{ - _log 'debug' 'Setting up Postfix aliases' + __postfix__log 'trace' 'Setting up aliases' _create_aliases -} -function _setup_postfix_vhost -{ - _log 'debug' 'Setting up Postfix vhost' + __postfix__log 'trace' 'Setting up Postfix vhost' _create_postfix_vhost + + __postfix__log 'trace' 'Setting up DH Parameters' + _setup_dhparam 'Postfix' '/etc/postfix/dhparams.pem' + + __postfix__log 'trace' "Configuring message size limit to '${POSTFIX_MESSAGE_SIZE_LIMIT}'" + postconf "message_size_limit = ${POSTFIX_MESSAGE_SIZE_LIMIT}" + + __postfix__log 'trace' "Configuring mailbox size limit to '${POSTFIX_MAILBOX_SIZE_LIMIT}'" + postconf "mailbox_size_limit = ${POSTFIX_MAILBOX_SIZE_LIMIT}" + + __postfix__log 'trace' "Configuring virtual mailbox size limit to '${POSTFIX_MAILBOX_SIZE_LIMIT}'" + postconf "virtual_mailbox_limit = ${POSTFIX_MAILBOX_SIZE_LIMIT}" + + if [[ ${POSTFIX_REJECT_UNKNOWN_CLIENT_HOSTNAME} -eq 1 ]] + then + __postfix__log 'trace' 'Enabling reject_unknown_client_hostname to dms_smtpd_sender_restrictions' + sedfile -i -E \ + 's|^(dms_smtpd_sender_restrictions = .*)|\1, reject_unknown_client_hostname|' \ + /etc/postfix/main.cf + fi } -function _setup_postfix_inet_protocols +function _setup_postfix_late { - [[ ${POSTFIX_INET_PROTOCOLS} == 'all' ]] && return 0 + _log 'debug' 'Configuring Postfix (late setup)' - _log 'trace' 'Setting up POSTFIX_INET_PROTOCOLS option' - postconf "inet_protocols = ${POSTFIX_INET_PROTOCOLS}" + __postfix__log 'trace' 'Configuring user access' + if [[ -f /tmp/docker-mailserver/postfix-send-access.cf ]] + then + sed -i 's|(smtpd_sender_restrictions =)|\1 check_sender_access texthash:/tmp/docker-mailserver/postfix-send-access.cf,|' /etc/postfix/main.cf + fi + + if [[ -f /tmp/docker-mailserver/postfix-receive-access.cf ]] + then + sed -i -E 's|(smtpd_recipient_restrictions =)|\1 check_recipient_access texthash:/tmp/docker-mailserver/postfix-receive-access.cf,|' /etc/postfix/main.cf + fi + + __postfix__log 'trace' 'Configuring relay host' + _setup_relayhost + + if [[ -n ${POSTFIX_DAGENT} ]] + then + __postfix__log 'trace' "Changing virtual transport to '${POSTFIX_DAGENT}'" + # Default value in main.cf should be 'lmtp:unix:/var/run/dovecot/lmtp' + postconf "virtual_transport = ${POSTFIX_DAGENT}" + fi + + __postfix__setup_override_configuration } -function _setup_postfix_virtual_transport +function __postfix__setup_override_configuration { - [[ -z ${POSTFIX_DAGENT} ]] && return 0 - - _log 'trace' "Changing Postfix virtual transport to '${POSTFIX_DAGENT}'" - # Default value in main.cf should be 'lmtp:unix:/var/run/dovecot/lmtp' - postconf "virtual_transport = ${POSTFIX_DAGENT}" -} - -function _setup_postfix_override_configuration -{ - _log 'debug' 'Overriding / adjusting Postfix configuration with user-supplied values' + __postfix__log 'debug' 'Overriding / adjusting configuration with user-supplied values' if [[ -f /tmp/docker-mailserver/postfix-main.cf ]] then @@ -91,9 +112,9 @@ function _setup_postfix_override_configuration mv /tmp/postfix-main-new.cf /etc/postfix/main.cf _adjust_mtime_for_postfix_maincf - _log 'trace' "Adjusted '/etc/postfix/main.cf' according to '/tmp/docker-mailserver/postfix-main.cf'" + __postfix__log 'trace' "Adjusted '/etc/postfix/main.cf' according to '/tmp/docker-mailserver/postfix-main.cf'" else - _log 'trace' "No extra Postfix settings loaded because optional '/tmp/docker-mailserver/postfix-main.cf' was not provided" + __postfix__log 'trace' "No extra Postfix settings loaded because optional '/tmp/docker-mailserver/postfix-main.cf' was not provided" fi if [[ -f /tmp/docker-mailserver/postfix-master.cf ]] @@ -105,35 +126,12 @@ function _setup_postfix_override_configuration postconf -P "${LINE}" fi done < /tmp/docker-mailserver/postfix-master.cf - _log 'trace' "Adjusted '/etc/postfix/master.cf' according to '/tmp/docker-mailserver/postfix-master.cf'" + __postfix__log 'trace' "Adjusted '/etc/postfix/master.cf' according to '/tmp/docker-mailserver/postfix-master.cf'" else - _log 'trace' "No extra Postfix settings loaded because optional '/tmp/docker-mailserver/postfix-master.cf' was not provided" + __postfix__log 'trace' "No extra Postfix settings loaded because optional '/tmp/docker-mailserver/postfix-master.cf' was not provided" fi } -function _setup_postfix_relay_hosts -{ - _setup_relayhost -} - -function _setup_postfix_dhparam -{ - _setup_dhparam 'Postfix' '/etc/postfix/dhparams.pem' -} - -function _setup_dnsbl_disable -{ - _log 'debug' 'Disabling postscreen DNS block lists' - postconf 'postscreen_dnsbl_action = ignore' - postconf 'postscreen_dnsbl_sites = ' -} - -function _setup_postfix_smtputf8 -{ - _log 'trace' "Disabling Postfix's smtputf8 support" - postconf 'smtputf8_enable = no' -} - function _setup_SRS { _log 'debug' 'Setting up SRS' @@ -177,10 +175,3 @@ function _setup_SRS /etc/default/postsrsd fi } - -function _setup_postfix_hostname -{ - _log 'debug' 'Applying hostname and domainname to Postfix' - postconf "myhostname = ${HOSTNAME}" - postconf "mydomain = ${DOMAINNAME}" -} diff --git a/target/scripts/startup/variables-stack.sh b/target/scripts/startup/variables-stack.sh index 8919a547..0746c55c 100644 --- a/target/scripts/startup/variables-stack.sh +++ b/target/scripts/startup/variables-stack.sh @@ -107,10 +107,11 @@ function __environment_variables_general_setup VARS[DOVECOT_MAILBOX_FORMAT]="${DOVECOT_MAILBOX_FORMAT:=maildir}" VARS[DOVECOT_TLS]="${DOVECOT_TLS:=no}" + VARS[POSTFIX_DAGENT]="${POSTFIX_DAGENT:=}" VARS[POSTFIX_INET_PROTOCOLS]="${POSTFIX_INET_PROTOCOLS:=all}" VARS[POSTFIX_MAILBOX_SIZE_LIMIT]="${POSTFIX_MAILBOX_SIZE_LIMIT:=0}" VARS[POSTFIX_MESSAGE_SIZE_LIMIT]="${POSTFIX_MESSAGE_SIZE_LIMIT:=10240000}" # ~10 MB - VARS[POSTFIX_DAGENT]="${POSTFIX_DAGENT:=}" + VARS[POSTFIX_REJECT_UNKNOWN_CLIENT_HOSTNAME]="${POSTFIX_REJECT_UNKNOWN_CLIENT_HOSTNAME:=0}" _log 'trace' 'Setting SRS specific environment variables'