Commit Graph

570 Commits

Author SHA1 Message Date
William Desportes 3a38b23a1a
Improve fail2ban docs and fix a typo (#2126)
Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
2021-08-13 10:30:39 +02:00
William Desportes 392ee076ec
Fix #2122 - only chmod when needed (#2127) 2021-08-13 00:09:44 +02:00
Andrew Low 0e9c9889ff
Add logwatch maillog.conf file to support /var/log/mail/ (#2112)
* Add logwatch maillog.conf file to support /var/log/mail/
* Simpliied after reviewing logwatch doc

Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
2021-08-11 11:31:00 +02:00
hnws 630e083c9a
docs: Add example for customizing IMAP folders (#2045)
* docs: Add example for customizing IMAP folders (mailboxes)

* chore: Update `15-mailboxes.conf` to sync with upstream

This config has not been updated since 2016 (ignoring the Junk autosubscribe addition).

Synced to upstream equivalent at https://github.com/dovecot/core/blob/master/doc/example-config/conf.d/15-mailboxes.conf

Retains the `Archive` example definition from this PR and prior `auto = subscribe` additions.

---

Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
2021-06-23 10:28:43 +12:00
Casper 7293e3c9e8
Check if CONTAINER_IP could be determined (#2046)
Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
2021-06-19 22:24:06 +02:00
Casper 4822709000
do not delete supervisord.pid (#2044) 2021-06-19 14:01:38 +02:00
Nathan Pierce 5becce8064
chore(scripts): Removing flock so NFS works (#1980)
Co-authored-by: Casper <casperklein@users.noreply.github.com>
Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
2021-06-15 14:03:41 +02:00
Georg Lauterbach e7b88d865b
cleaned up >/dev/nulls in Dockerfile and replaced em dashes with normal dashes (#2024) 2021-06-08 13:20:20 +12:00
Nathan Pierce 543bd8b16b
MacOS linting & testing support + docs (#2001) 2021-06-07 14:58:34 +02:00
Georg Lauterbach abdf681d02
chore(ci): Linting Improved (#2000) 2021-06-01 18:12:17 +02:00
Frederic Werner a0f4a37512
v10.0.0 release (#1978)
* chore: prepare v10 release

* chore: bump version to v10.0.0

* chore: bump version to v10.0.0

* chore: add changelog for v10.0.0

* Fail2ban compatibility/downgrade info added

* chore: add PR and PR links

* fix a dot in the README

* chore: add pr 1996

* chore: add pr 1921 and 1989

* Revert "chore: add pr 1996"

This reverts commit 58a8ba4b44.

* chore: add grace_period pr reference

* remove :stable and other deprecated stuff

* corrected linting and removed generate ssl bin

* updated CHANGELOG

* fix: list of prs

Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>

* fix: list of prs

Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>

* Update CHANGELOG.md

Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>

* Update CHANGELOG.md

Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>

* Update CHANGELOG.md

Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>

* Update CHANGELOG.md

Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>

* partial revert of dc8f49de54

* chore: add pr 2021

Co-authored-by: Casper <casperklein@users.noreply.github.com>
Co-authored-by: Georg Lauterbach <44545919+aendeavor@users.noreply.github.com>
Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
2021-06-01 12:17:14 +02:00
Moritz Marquardt 66bc157c1d
fix!: Allow protocol in SASLAUTHD_LDAP_SERVER & adjust SASLAUTHD_LDAP_ default values (#1989)
* fix: make sure the SASLAUTHD_LDAP_HOST/PROTO logic makes sense and use LDAP_SERVER_HOST as a fallback (#1983)

* chore(docs): document changes to LDAP/SASLAUTHD as of #1983

* fix!: apply default value modifications suggested in #1983

https://github.com/docker-mailserver/docker-mailserver/issues/1983#issuecomment-844848224

* chore(test): Test SASLAUTHD_LDAP_SERVER with protocol and ..._SSL=0, as well as with default bind credentials

Note that there are currently no regression tests for this as there's only one setup_file, so that would require big changes to the testing methodology.

* refactor!: completely remove SASLAUTHD_LDAP_SSL and SASLAUTHD_LDAP_PROTO

Co-authored-by: Georg Lauterbach <44545919+aendeavor@users.noreply.github.com>
Co-authored-by: Frederic Werner <20406381+wernerfred@users.noreply.github.com>
2021-05-22 22:52:56 +02:00
Casper bab0277723
Update check (#1951)
* mail binary

* initial work

* make env vars available

* typo

* some fixes

* make script ugly, to satisfy linter..

* mailserver.env updated

* Version to welcome message added

* remove VERSION file references

* VERSION --> DMS_VERSION

* fetch remote version

* variable usage

* Quoting added

* edge test & docu

* dash removed

* subject changed

* re-add VERSION

* VERSION added

* new file:   VERSION

* rewrite

* unnecessary additions from fail2ban PR removed

* UPDATE_CHECK_INTERVAL added

* syntax check & _log function

* comment added

* final commit
2021-05-19 21:18:06 +02:00
Casper 225e21edb7
Add version variable (#1976) 2021-05-17 14:54:43 +02:00
Georg Lauterbach 04e98dc49f
introduce variable to control Amavis' loglevel (#1947) 2021-05-06 23:51:45 +02:00
Casper ba37ed115d
Add supervisor stop grace period (#1945) 2021-05-06 19:04:24 +02:00
Moritz Marquardt 94b5ac49c1
fix!: use dovecot's LDAP uris option instead of hosts (#1901)
* Use dovecot's LDAP uris option instead of hosts (fixes #1510)

* Clean up variables & environment documentation for #1901

Co-authored-by: Frederic Werner <20406381+wernerfred@users.noreply.github.com>
Co-authored-by: Georg Lauterbach <44545919+aendeavor@users.noreply.github.com>
2021-04-19 09:02:03 +02:00
Georg Lauterbach 8313d9753b
Adjusted documentation for service name and Traefik certificate issuance (#1918)
Co-authored-by: Casper <casperklein@users.noreply.github.com>
2021-04-18 15:21:08 +02:00
Casper f7836c8b1a
Fail2Ban block behaviour (#1914)
* new default: block IP on all ports

* introduce FAIL2BAN_BLOCKTYPE

* fix test

* tests added

* test added

* test blocktype drop

* merged two tests
2021-04-18 12:55:43 +02:00
Moritz Marquardt 271d94a37e
Add LDAP_QUERY_FILTER_SENDERS setting for spoof protection with LDAP (#1902) 2021-04-17 22:40:19 +02:00
Casper dea9bca900
Enhance setup.sh email list (#1898)
* add quota and aliases to output

* shellcheck fixes

* fix test

Co-authored-by: Georg Lauterbach <44545919+aendeavor@users.noreply.github.com>
2021-04-12 15:18:15 +02:00
Casper ba0f9199b7
fail2ban cleanup (#1895) 2021-04-11 15:33:39 +00:00
Georg Lauterbach bc5bc51c02
Partial revert #1864 (#1877) 2021-03-31 14:45:16 +00:00
Casper 22321c308c
fix SpamAssassin spelling/typos (#1869) 2021-03-28 22:07:52 +02:00
Casper dd0b399f33
feat: Introduce ENABLE_AMAVIS env (#1866)
* Introduce ENABLE_AMAVIS env

* missing 'fi' added

* documentation added

* add condition for amavis fix function

* Fix spelling

Co-authored-by: William Desportes <williamdes@wdes.fr>

* Fix spelling

Co-authored-by: William Desportes <williamdes@wdes.fr>

Co-authored-by: William Desportes <williamdes@wdes.fr>
Co-authored-by: Frederic Werner <20406381+wernerfred@users.noreply.github.com>
2021-03-28 15:37:48 +02:00
Georg Lauterbach 4afebda64d
fix for #1808 (#1864) 2021-03-24 20:42:00 +01:00
Stephan c214cba981
Make directory with parent directories (#1862) 2021-03-23 13:50:29 +00:00
Georg Lauterbach 4ba2315058
corrected dkim keysize argument in help pages, closing #1845 2021-03-10 11:21:24 +01:00
Georg Lauterbach 0d9fb096b7
adjusting _seup_supervisor to not restart when wrong log-level given 2021-02-25 10:57:20 +01:00
Georg Lauterbach 0fa5c1ef9d
revamping the notify function (#1836) 2021-02-24 17:28:59 +01:00
Georg Lauterbach 1ef66fd5c5
first (may-be) fixes for v9.0.0 startup problems (#1835)
* first (may-be) fixes for v9.0.0 startup problems
* adjust grep showing an error when it shouldn't
2021-02-24 10:12:20 +01:00
Georg Lauterbach c881facbd2
start-mailserver.sh split (#1820)
* splitting start-mailserver.sh

* refactoring part 2

* refactored setup-stack.sh
* stzarted adjusting target/bin/*.sh to use new usage format

* corrected lowercase-uppercase test error

* better handling of .bashrc variable export

* linting tests and fix for default assignements

* last stylistic changes and rebase
2021-02-23 20:03:01 +01:00
landergate a8d7d1802b
Fixed REPORT_RECIPIENT=1 behavior
Condition never matched, so reports were sent to 1@ instead of postmaster@
2021-02-23 00:17:01 +03:00
polarathene 867cac6707 chore: Consistent `sed` substitution delimiter `+`
This additionally converts `+` delimited to `|` standardizing it throughout the file.
2021-02-22 11:59:59 +13:00
polarathene 75aefa3bdf chore: Consistent `sed` substitution delimiter
My `~` substitution and any usage of `/` within `start-mailserver.sh` has been replaced with the `|` delimiter instead as advised for matching style guide preference. Note there are other `sed` substitution delimiters still in use such as `+`.

Also added warning for empty `SSL_TYPE` ENV var that may result in an internal state config persist bug when changing `SSL_TYPE` depending on how a container is restarted.
2021-02-22 11:55:10 +13:00
Brennan Kinney d02ebc922c
Dual certificate support (eg ECDSA with RSA fallback) (#1801)
* feat: Change Postfix smtpd_tls key and cert files to chain_files

Since Postfix 3.4, `smtpd_tls_cert_file` and `smtpd_tls_key_file` have been deprecated in favor of `smtpd_tls_chain_files` which supports a list of values where a single or sequence of file paths provide a private key followed by it's certificate chain.

* feat: Dual certificate support

`smtpd_tls_chain_files` allows for multiple key+cert bundles so that you can provide different key types, such as ECDSA and RSA.

To maintain compatibility with the current CERT/KEY ENV vars only a 2nd certificate is supported.

Since Dovecot 2.2.31 a related feature is also available, but it is limited to only providing one alternative certificate via separate cert and key settings.

---

This feature enables support for multiple certificates, eg for serving modern ECDSA certs with RSA as fallback.

* chore: Refactor variable names to meet style guide

Improved some comments too.

* chore: Have function definitions respect style guide

* chore: Minor edits to comments

* chore: Expand on comments for maintenance, alert of insecure config

When `SSL_TYPE` isn't properly setup, we're still offering SSL connections but not warning in logs about the insecurity of such, or why a misconfiguration may have occurred.

This commit more clearly communicates to the user that they should look into the issue before considering deploying to production.

The `TODO` comments communicate to any future maintainer to consider treating these improper configs as disabling TLS instead.

* fix: Use `snakeoil` cert

I mistakenly thought this was placeholder text, which broke some tests. This adds the two files in the correct order (private key followed by cert/chain), to fix that issue.

* fix: Disable alt cert for Dovecot if necessary

Certain scenarios may persist state of previously configured alt cert via ENV vars that are removed from a future run. If the config is not reset to original immutable state, this will correctly disable the config from using alt cert unintentionally.

* fix: Satisfy ShellCheck lint

By switching from string var to array / list expansion, this better stores the extracted result and applies it in a manner that ShellCheck linting approves, removing the need to disable the rule.

* feat: Support dual cert test

Few tweaks to the test script allows re-purposing it for covering dual cert support as well.

* chore: Rearranged cert and key lines

A little reorganization, mostly placing private key ahead of related cert lines.

* chore: Refactor `_set_certificate`

This should make the parameters a little less confusing.

Previously was 3 parameters, but the Postfix parameter (1st) may look like two variables if you don't pay attention to the surrounding quotes; while the Dovecot parameters (2nd + 3rd) would have an opposing order. There was also a variant where the `FULLKEYCHAIN` var was passed in three times.

Now it's two params, with the 2nd param as an optional one. If the 2nd param is provided, then the two params are in the order of private key then certificate, otherwise if only a single parameter it's a single PEM file with the full cert chain and private key bundled.

This avoids implying that Postfix and Dovecot might use different files.

* chore: Document current state of `SSL_TYPE` logic better

Inlined for the benefit of anyone else maintaining this section if I'm unable to address the concerns within my own time.

* docs: ENV vars

`TLS_LEVEL=old` isn't in the codebase anymore, not likely to be relevant to retain.

No point in documenting what is considered invalid / unsupported config value in the first place for `SSL_TYPE`.

`SSL_TYPE=manual` was missing documentation for both related file path ENV vars, they've been added along with their alt fallback variants.

* chore: Update Dovecot LMTP SSL test config

Not sure how relevant this is, the file isn't complete sync with the main dovecot `10-ssl.conf` config, adding the support just in case.

* chore: Rename `FULLKEYCHAIN` to avoid confusion

There doesn't appear to be a standardized name for this type of file bundle, and `keychain` may be misleading (fullkeychain often provides macOS keychain  results on search engines).

Opting for a more explicit `KEY_WITH_FULLCHAIN` name instead.

* fix: Invalid var name

`_set_certificate` refactor commit accidentally changed a var name and committed that breaking the dual cert support (thanks tests!).

* test: Refactor `mail_ssl_manual.bats`

Proper test return values instead of `wc -l` based checking.

Tests with dual cert support active, tests that feature (to better detect failure case.

Third test case was unable to verify new self-signed certificate, added new certs signed with self-signed root CA.

Adjusted openssl `CApath` parameter to use `CAfile` instead as `letsencrypt` cert was replaced thus CA cert is missing from the system trust store.

* test: Properly check for files in `mail_ssl_manual.bats`

Fixes lint error.

Also realized I was accidentally asserting a file exists in the test environment, not within the container.

Resolved that and also added an additional test case to ensure the ENV var files are valid when passed in, in the event a change misconfigures them and that the issue is identified earlier.

* chore: Apply PR review feedback

Better format some strings that had mixed quotes when they weren't necessary.

Additionally DRYed up the config path for Postfix and Dovecot within the `_setup_ssl` method.

Co-authored-by: Georg Lauterbach <infrastructure@itbsd.com>
2021-02-21 23:43:41 +01:00
Astro a7ecb0ea8b
feat/enable custom dkim selector (#1811)
* let dkim generator accept selector as parameter

* test dkim-generator with selector parameter

* fix: correct name of domain argument in usage

* fix: adapt command to new syntax

* tests: use different quotes

* tests: use different quotes

* tests: remove domains that were never added

* style: change test name

* refactor: dkim setup

* style: remove trailing whitespace

* tests: remove test of removed dummy file

Co-authored-by: Frederic Werner <20406381+wernerfred@users.noreply.github.com>
2021-02-21 22:05:35 +01:00
Frederic Werner 6e6b5be1ee
chore: change argument name and parameter shift 2021-02-18 19:20:48 +01:00
Georg Lauterbach f3f38db0f9
adjust test to use new script output from openDKIM 2021-02-18 13:11:45 +01:00
Georg Lauterbach 1005bb3b09
Provide complete refactoring of openDKIM script (#1812)
* provide complete refactoring of openDKIM usage and tests

* fix leftover linting errors

* correct defualt key size and README usage

* provide independent order for arguments

* added `config` and adjusted usage information

* fixing shift in setup.sh

* adjust usage information to use new style and rename script

* use updated argument keysize instead of size
2021-02-18 10:29:34 +01:00
Brennan Kinney 432f96b3a6
Use best practice cipher suites for 2021 (#1802)
Update cipherlist to sync with OWASP B and Mozilla Intermediate
2021-02-18 10:24:34 +01:00
Georg Lauterbach cb2ecacd56
Rewrite of `delmailuser` to enable proper account deletion (again) (#1813)
* rewrite to fix docker-mailserver#1808 (again)
* exiting script correctly now
* over-engineered usage information
the usage is now displayed like a man page and the paging mechanism (i.e. the display of the information) is borrowed from batcat
* fix typos
2021-02-17 12:12:51 +01:00
Georg Lauterbach ddf2bc2567
exchanging errex with echo 2021-02-14 22:09:33 +01:00
Georg Lauterbach 227719ee0d
patching the delmailuser script to function properly (+ refactoring) 2021-02-14 21:19:58 +01:00
Georg Lauterbach 11eb174121
follow up style enhancement 2021-02-09 12:12:36 +01:00
Georg Lauterbach 5338433b78
Merge pull request #1798 from aendeavor/fix#1796
Enhancement for function _setup_postfix_sasl fixing #1796 & More
2021-02-08 11:38:05 +01:00
Ask Bjørn Hansen 4a3735bced
Support extra user_attributes in accounts configuration (#1792)
This allows you to add for example

    |userdb_mail=mbox:~/mail:INBOX=~/inbox

 to the end of an account to have a different mailbox configuration.
2021-02-07 19:02:09 +01:00
Georg Lauterbach c6c7b8522d
enhancement for function _setup_postfix_sasl fixing #1796 & more 2021-02-07 18:11:33 +01:00
Georg Lauterbach 6c575adae2
correct application of the new SUPERVISOR_LOGLEVEL variable (#1787)
* correct application of the new SUPERVISOR_LOGLEVEL variable
* correcting default log level adjustment
* replacing grep &>/dev/null with grep -q
2021-02-01 18:39:05 +01:00
Georg Lauterbach 931eab0541
removing bl.spamcop.net for 8.0.1 2021-01-31 16:05:05 +01:00
Georg Lauterbach cc7138e28f
minor adjustments before release 8.0.0 2021-01-27 18:42:39 +01:00
William Desportes 4616894fbf
Allow manual domains for dkim generator (#1753)
* Allow manual domains for dkim generator

* Document the DKIM manual mode

* Remove unnecessary quotes

* updating default value usage and "" in [[ ]]

* Change parameter expansion

* Add test for manual dkim domains

* Remove obsolete script

* Add manual dkim mode to usage

* Move manual dkim guide into quickstart section

* Cover case that key for domain already exists

* Set default dkim key size to 4096

Co-authored-by: Frederic Werner <20406381+wernerfred@users.noreply.github.com>
Co-authored-by: Georg Lauterbach <44545919+aendeavor@users.noreply.github.com>
2021-01-27 14:09:24 +01:00
Casper 23984e3f07
Missing variables added (#1771)
Co-authored-by: casperklein <casperklein@users.noreply.github.com>
2021-01-27 13:35:55 +01:00
Georg Lauterbach fd030644bf
Merge pull request #1770 from casperklein/fix-1769 2021-01-26 13:13:23 +01:00
casperklein 1bda61580d export prefixed to variable assignment 2021-01-26 12:20:35 +01:00
casperklein 4bda0cf1e0 fix wrong default value 2021-01-26 00:09:58 +01:00
casperklein ce86ee485f add missing quotes 2021-01-26 00:08:42 +01:00
Frederic Werner 11bbda4adf
Strip all ANSI escape sequences from child log files
Closes #1768 and sadly partly reverts #1758
2021-01-25 21:54:20 +01:00
Casper cb1e6d579e
Typo fixed 2021-01-23 19:10:15 +01:00
Georg Lauterbach 324ee8eb85
Improve logging significantly – color is back! (#1758)
* improve logging significantly
* now defaulting to warn
* final adjustments
* correcting not-escaped $ in sed
2021-01-22 10:03:31 +01:00
Georg Lauterbach e40c2593cc
FIX: Postfix configuration in `start-mailserver.sh` for regex (#1754)
* fixes tomav#1437
2021-01-19 12:31:45 +01:00
Georg Lauterbach 221d4ce187
adjusting links & misc 2021-01-19 09:27:01 +01:00
brainkiller 061fe12aa7
Solve Fetchmail imap idle issue (#10)
* Migrate PR#1730 from tomav/docker-mailserver repo to new
docker-mailserver/docker-mailserver repo
* Resolved review comments
* Moved counter increment to have consistency between fetchmail process
and fetchmail config files
* Added tests for new fetchmail option

Co-authored-by: Georg Lauterbach <44545919+aendeavor@users.noreply.github.com>
2021-01-17 10:39:09 +01:00
Georg Lauterbach 189e5376cc
Final Migration Step (#6)
* first migration steps
  * altered issue templates
  * altered README
  * removed .travis.yml
* adjusting registry & repository, Dockerfile and compose.env
* Close stale issues automatically
* Integrated CI with Github Actions (#3)
* feat: integrated ci with github actions
* fix: use secrets for docker org and update image
* docs: clarify why we use -t if no tty exists
* fix: correct remaining references to old repo
chore: prettier automatically updated markdown as well
* fix: hardcode docker org
* change testing image to just testing
* ci: add armv7 as a supported platform
* finished migration steps
* corrected linting in build-push action
* corrected linting in build-push action (2)
* minor preps for PR
* correcting push on pull request and minor details
* adjusted workflows to adhere closer to @wernerfred's diagram
* minor patches
* adjusting Dockerfile's installation of base packages
* adjusting schedule for stale issue action
* reverting license text
* improving CONTRIBUTING.md PR text
* Update CONTRIBUTING.md
* a bigger patch at the end
  * moved all scripts into one directory under target/scripts/
  * moved the quota-warning.sh script into target/scripts/ and removed empty directory /target/dovecot/scripts
  * minor fixes here and there
  * adjusted workflows for use a fully qualified name (i.e. docker.io/...)
  * improved on the Dockerfile layer count
  * corrected local tests - now they (actually) work (fine)!
  * corrected start-mailserver.sh to make use of defaults consistently
  * removed very old, deprecated variables (actually only one)
* various smaller improvements in the end
* last commit before merging #6
* rearranging variables to use alphabetic order

Co-authored-by: casperklein <casperklein@users.noreply.github.com>
Co-authored-by: Nick Pappas <radicand@users.noreply.github.com>
Co-authored-by: William Desportes <williamdes@wdes.fr>
2021-01-16 10:16:05 +01:00
William Desportes 7765d4a6b3
Fix shebangs 2021-01-02 14:49:35 +01:00
Georg Lauterbach e11f4f609a
Merge pull request #1705 from gmasse/new-1697
Add purge cron job for Dovecot dbox format
2020-12-18 23:00:36 +01:00
Germain Masse d400417d0e Add purge cron job for dbox 2020-12-17 20:35:06 +01:00
Georg Lauterbach d9e4b89415
Merge pull request #1703 from BrandonSchmitt/acme-fixes
Small fixes for extracting certs from the acme.json file
2020-12-11 12:53:04 +01:00
Brandon Schmitt ad4d4cc794
Refactor bash [[ ... ]] && ... || ... into if then else 2020-12-11 04:51:53 +01:00
William Desportes e58020029e
Add more sasl LDAP config options
- SASLAUTHD_LDAP_PASSWORD_ATTR => ldap_password_attr
- SASLAUTHD_LDAP_AUTH_METHOD => ldap_auth_method
- SASLAUTHD_LDAP_MECH => ldap_mech
2020-12-08 15:30:55 +01:00
William Desportes 17962c243a
Implement more sasl config options
Follow up of: https://github.com/tomav/docker-mailserver/pull/980
Ref: https://github.com/tomav/docker-mailserver/issues/1704
2020-12-08 15:07:22 +01:00
Brandon Schmitt c020cc88a1
Use the environment var SSL_DOMAIN while extracting certs from the acme.json during start-up
Signed-off-by: Brandon Schmitt <Brandon.Schmitt@live.de>
2020-12-06 20:36:22 +01:00
Brandon Schmitt 6251f898ea
Fix error in python script extracting certs from the acme.json file if there are sections with null values as certs
Signed-off-by: Brandon Schmitt <Brandon.Schmitt@live.de>
2020-12-06 20:30:20 +01:00
Aleksey Drozdov cc014d5b4b added additional pem file for _monitored_files_checksums 2020-11-16 15:49:35 +01:00
Georg Lauterbach 3780783145
Housekeeping (#1682)
Housekeeping
2020-11-07 09:56:03 +01:00
Casper ab45ae5504
Change default logrotate settings for /var/mail/maillog (#1667)
Change default logrotate settings for /var/mail/maillog

See also: https://github.com/tomav/docker-mailserver/issues/1666
2020-11-07 00:54:50 +01:00
Georg Lauterbach ed7106b04d
housekeeping 2020-11-06 14:04:23 +01:00
Georg Lauterbach dd5c0b003a
removing debug trace 2020-11-05 12:40:24 +01:00
Georg Lauterbach 5365e7f0f8
fixes #1677 2020-11-05 11:41:18 +01:00
Georg Lauterbach f0105f6d47
Merge pull request #1613 from martin-schulze-vireso/feature/extract_even_more_tests 2020-10-28 11:16:15 +01:00
Charles Harris 451bbfdf40
silence errorneous output when not generating reports (#1657)
* silence errorneous output when not generating reports
* remove incorrect variable assignment
* change error messages and logic when reports turned off
* changing warn -> inf

Co-authored-by: Charles Harris
Co-authored-by: Georg Lauterbach
2020-10-21 19:45:47 +02:00
Georg Lauterbach da8171388f
Complete Refactor for `target/bin` (#1654)
* documentation and script updates trying to fix #1647
* preparations for refactoring target/bin/
* complete refactor for target/bin/
* changing script output slightly
* outsourcing functions in `bin-helper.sh`
* re-wrote linting to allow for proper shellcheck -x execution
* show explanation for shellcheck ignore
* adding some more information
2020-10-21 18:16:32 +02:00
Georg Lauterbach 0ada57d87c
Documentation and Script Updates trying to fix #1647 (#1653)
* documentation and script updates trying to fix #1647
* re-trigger tests
* removing unnecessary rm statements
* re-trigger tests
2020-10-21 16:00:35 +02:00
Martin Schulze 1bd1fd3b32 Merge remote-tracking branch 'tvial/master' into feature/extract_even_more_tests 2020-10-20 13:19:15 +02:00
Georg Lauterbach d5543b21c4
Correction for LINE variable 2020-10-19 16:29:25 +02:00
Georg Lauterbach 6bff929b13
Merge pull request #1 from martin-schulze-vireso/feature/extract_even_more_tests
Feature/extract even more tests
2020-10-18 15:25:50 +02:00
Casper 90778de19d
Quotes removed to have a uniform style 2020-10-17 22:17:59 +02:00
Martin Schulze c46edee8f9 Mark the end of restarts due to changes by moving the checksum file 2020-10-17 02:04:30 +02:00
Georg Lauterbach 94c2a68bd5
Updated submodule target/docker-configomat 2020-10-11 19:41:53 +02:00
Georg Lauterbach 916ef571b9
Miscellaneous cleanup / housekeeping (#1641) 2020-10-06 14:45:55 +02:00
Georg Lauterbach 177d24feab
streamlined all scripts (now completely adhering to the contributing guidelines) 2020-10-02 15:45:57 +02:00
Sergey Nazaryev 84dbf4a7b4
Merge pull request #1634 from 3ap/master
fix: use self-signed cert for dovecot
2020-10-01 22:32:15 +02:00
Georg Lauterbach 1d18cb81fb
possible fix for tomav#1383 2020-09-28 11:42:50 +02:00
Georg Lauterbach 8e8671bb42
added option to use non-default network-interface, resolves #1227 (#1621)
* added option to use non-default network-interface (#1227)
* minor (stylistic) changes
* properly working with Bash arrays for CONTAINER_NETWORKS
* cleanup to trigger rebuild
* added CODE_OF_CONDUCT to trigger rebuild
2020-09-26 15:11:52 +02:00
Georg Lauterbach a0791ef457
formatting files according to standard (#1619)
* added EditorConfig linting
* adding `eclint` as Travis script target
* re-adjusted .pem files to have a newline
2020-09-24 14:54:21 +02:00
Casper 9f7414d95f
remove unnecessary use of `cat` (#1616) 2020-09-23 21:53:07 +02:00
Georg Lauterbach 566eaa0e13
complete refactoring for `start-mailserver.sh` (#1605)
* completely refactored `start-mailserver.sh`
* added braces; correctly formatted tabs / spaces
*  included `start-mailserver` into shellcheck checks
* cleanup
* removed unnecessary shellcheck comments adding braces and "" where necessary
* corrected some mistakes in CONTRIBUTING
* Makefile now uses correct shellcheck
2020-09-23 10:21:37 +02:00
Georg Lauterbach 77520bf96f
adjusted coding style guidelines; added table of contents 2020-09-09 17:19:48 +02:00
Georg Lauterbach 323303431a
fixed shellcheck version 2020-09-08 19:49:19 +02:00
Georg Lauterbach f7ca406ec9
fixing #1602; variable-brace-policy changed; 2020-09-06 12:27:40 +02:00
Georg Lauterbach 67e1e586c7
coherent renaming of functions 2020-09-05 16:53:36 +02:00
Georg Lauterbach bf679a5504
changes from tomav#1599 without `start-mailserver.sh`
included all changes from the work on refactoring all scripts, but excluded one big script to make merging easier; replaced mapfile with read
2020-09-05 16:19:12 +02:00
mwnx 42352a3259 Update relayhost_map with virtual accounts too
Previously, only postfix-relaymap.cf and postfix-accounts.cf would be
used to populate the relayhost_map file.

Now, also use postfix-virtual.cf when present. To me, there is nothing
absurd about sending mail "From:" a virtual account (or more
specifically its domain) so it makes sense that when a $RELAY_HOST is
defined it should be used for virtual accounts as well.
2020-08-28 15:03:51 +02:00
mwnx 1286a1266b Fix/refactor relayhost_map update when dynamically adding account
check-for-changes.sh did not have a special case to handle lines in
postfix-relaymap.cf consisting of only a domain (indicating that said
domain should never be relayed). This case is handled by
start-mailserver.sh so when such a line existed, things would work well
until a config file update was detected by check-for-changes.sh. After
that, the generated relayhost_map file would be corrupted.

Fixed by factoring a 'populate_relayhost_map' function out of
start-mailserver.sh and into helper_functions.sh and reusing it in
check-for-changes.sh.

Note: There are certainly quite a few more pieces of code that could be
refactored in a similar fashion.

Note2: check-for-changes.sh would previously never update the
relayhost_map file when $ENABLE_LDAP was set to 1. I don't think this
was intended —there is after all no such condition in
start-mailserver.sh— and so this condition no longer applies.
2020-08-28 15:03:51 +02:00
mwnx 2a70f33a4b Fix checksum race condition in check-for-changes.sh
If a change to one of the tracked files happened soon after (<1 second?)
a previously detected change, it could end up going undetected. In
particular, this could cause integration tests to fail (see next
commits).

Fixed by computing the new checksum file _before_ checking for changes.
2020-08-28 14:57:43 +02:00
Erik Wramner 26cc0c49ca
Merge pull request #1573 from casperklein/patch-2
addalias: check if two arguments are given
2020-07-22 16:13:51 +02:00
Martin Wepner 821d88e93a add break; remove empty print 2020-07-20 11:28:23 +02:00
Martin Wepner 6bd1fb568e fix: extractCertsFromAcmeJson fails if "sans" not in Certificates.domain.main 2020-07-19 23:57:16 +02:00
Casper 398b1dd554
Merge pull request #2 from casperklein/patch-1
Small change to error message
2020-07-19 21:33:41 +02:00
Casper 2ffb0de1db
Small change to error message 2020-07-19 21:33:06 +02:00
Casper 79f6c88653
Merge pull request #1 from casperklein/patch-3
More detailed error message
2020-07-19 21:26:36 +02:00
Casper 11ab4a84a9
More detailed error message 2020-07-19 21:23:59 +02:00
Casper 7c0998f7fa
Check if second argument is given 2020-07-19 21:21:01 +02:00
Erik Wramner f206ad7ee1
Merge pull request #1553 from MichaelSp/letsencrypt-traefik-acme-json
Letsencrypt traefik v2 acme json
2020-07-16 07:49:04 +02:00
guardiande 5c5c8eb814
Revert dummy change 2020-07-15 09:39:59 +02:00
guardiande 7189d4c63f
Dummy change to trigger travis 2020-07-15 09:12:14 +02:00
guardiande 76d3f7643a
Fix sasl_password generation to allow passwords containing hashes 2020-07-15 08:26:25 +02:00
Michael Sprauer d61a8cd9c0 letsencrypt & traefik wildcard support
set SSL_DOMAIN=*.example.com to extract a wildcard certificate from traefiks acme.json store
2020-07-13 22:58:17 +02:00
Michael Sprauer 3a3cec6a8f trigger reload if cert change
/etc/letsencrypt/live/$HOSTNAME/key.pem  and /etc/letsencrypt/live/$HOSTNAME/fullchain.pem are watched and will trigger a reload if changed
2020-07-07 21:26:53 +02:00
Ben 2ee280dcb3
Update dovecot-ldap.conf.ext
add auth_bind = no so that it can be overridden via the env-mailserver file used by docker compose. This is related to #1526
2020-07-04 11:50:25 -07:00
Michael Sprauer 32c732e276 certificates from acme.json
Will extract certificates from acme.json as written by traefik for usage in dovecot and postfix.
Also watches acme.json for changes. For this to work the file has to be mounted/present at `/etc/letsencrypt/acme.json`
2020-06-30 22:43:22 +02:00
Erik Wramner df4e04f033
Merge pull request #1547 from MrFreezeex/master
Fix dovecot variable with whitespace
2020-06-28 11:02:58 +02:00
Gio d888dbcf7f Fix typo 2020-06-27 23:07:17 -05:00
Arthur Outhenin-Chalandre c7f9fbd439
Fix dovecot variable with whitespace
Signed-off-by: Arthur Outhenin-Chalandre <arthur@cri.epita.fr>
2020-06-27 11:17:25 +02:00
Casper c359521121
Typo fixed 2020-06-14 04:39:34 +02:00
Nicholas Pepper 1b659a5574 Modified letsencrypt support to add domain name checking in addition to
hostname checking.  Added necessary tests and renamed original manual
ssl test to a name that supports adding the other SSL tests.
2020-05-15 04:52:26 +00:00
youtous 04059cd618
MAIL-8818 - Postfix information leakage
To prevent announcing software or version to malicious people or scripts, it is advised to hide such information.


This information is provided as part of the Lynis community project. It is related to Lynis control MAIL-8818 and should be considered as-is and without guarantees.

https://cisofy.com/lynis/controls/MAIL-8818/
2020-05-10 16:04:53 +02:00
youtous d0f7257333
support comments in .cf files 2020-05-06 22:59:55 +02:00
youtous 32d16084ec
sieve scripts using alphabetical order 2020-05-04 16:13:47 +02:00
youtous 92414b7eba
sieve after/before use folder instead of individual listing
Loading sieve scripts using a directory scheme permits to handle multi scripts wtihout defining individual sieve_before/sieve_after
2020-05-04 00:27:29 +02:00
youtous 30262128f4
raise a warning when SPAMASSASSIN_SPAM_TO_INBOX isn't explicitly defined 2020-05-03 10:33:50 +02:00
youtous d829905cf7
init spams to junk 2020-05-03 10:33:28 +02:00
Erik Wramner 23eb7c42ab
Merge pull request #1481 from youtous/fix-sieve-folder
Prevent sieve symlink to be evaluated as a directory by dovecot
2020-05-02 08:09:09 +02:00
Erik Wramner 0537c6f046
Merge pull request #1482 from youtous/feature-quota-optional
Feature quota optional.
2020-05-02 08:07:38 +02:00
youtous 16cd4f9d2d
Reduce opportunities for a potential CPU exhaustion attack with `NO_RENEGOTIATION`
See https://en.wikipedia.org/wiki/Resource_exhaustion_attack
2020-05-02 00:04:05 +02:00
youtous 0c838706d0
Option to disable dovecot quota 2020-05-01 23:42:21 +02:00
youtous e8581be2d3
Prevent sieve symlink to be evaluated as a directory by dovecot 2020-05-01 23:20:15 +02:00
youtous 3aeacef125
remove start-mailserver nested conditions dovecot quota 2020-04-30 16:11:45 +02:00
youtous d45e6b1c22
#fix 1478 2020-04-30 12:47:12 +02:00
Erik Wramner 35f473ad12
Merge pull request #1474 from polarathene/chore/remove-obsolete-param-usetls
chore: Remove obsolete postfix parameter `smtpd_use_tls`
2020-04-30 08:02:11 +02:00
Brennan Kinney 76594c21c4
Add note about `tls_ssl_options = NO_COMPRESSION`
[Postfix docs](http://www.postfix.org/postconf.5.html#tls_ssl_options):

> Disable SSL compression even if supported by the OpenSSL library. Compression is CPU-intensive, and compression before encryption does not always improve security.

[Postfix mailing list discussion](http://postfix.1071664.n5.nabble.com/patch-mitigate-CRIME-attack-td57978.html):

> The CRIME attack does not apply to SMTP, because unlike SMTP, there is no javascript in SMTP clients that makes them send thousands of email messages with chosen plaintext compressed together in the same packet with SASL credentials or other sensitive data.
> The auditor completely failed to take the context into account.

[Mailing list discussion of potential compression CRIME-like attack](https://lists.cert.at/pipermail/ach/2014-December/001660.html)

> keeping compression disabled is a good idea.

If you need a good test score, PCI compliance will likely flag compression despite not having any known risk with non-HTTP TLS.
2020-04-29 19:41:08 +12:00
Brennan Kinney e7de9bceaf
chore: Remove obsolete postfix parameter `smtpd_use_tls`
See: http://www.postfix.org/postconf.5.html#smtpd_tls_security_level

> this overrides the obsolete parameters `smtpd_use_tls` and `smtpd_enforce_tls`.
2020-04-27 23:24:26 +12:00
youtous 03b8f87ffc
update dovecot conf comment 2020-04-26 22:23:51 +02:00
youtous 47fac2706f
use ffdhe4096 for DHE params
use by default ffdhe4096 for DHE params 


use by default ffdhe4096 for DHE params
2020-04-26 22:23:51 +02:00
youtous f60de0c66e
init tests cases ffdhe4096 2020-04-26 22:23:51 +02:00
youtous 2527ebfaf2
added dovecot quota feature
add postfix service quota check


check-for-changes on quotas


setquota command


fix checkforchanges quota


addquota verify user exists


add setquota in setup.sh


merging addquota into setquota


test quota commands


add ldap tests for dovecot quota


fix smtp only quota postfix rules


test postfix conf


add quota test integration


add quota exceeded test


add wait analyze


fix tests


fix setup typo


add test fixes


fix error output


wip


update startup rules


fix setup


fix setup tests


fix output commands


remove quota on remove user


try to fix sync limit mails


check if file exists


fix path


change used quota user


fix post size


check if quota file exists


update tests


configure virtualmailbox limit for dovecot


last fix


fix quota expr


relax dovecot tests


auto create dovecot-quotas


fix dovecot apply quota test


wip quota warning


trying to fix get dovadm quota


dovecot applies fix


fix quota warning lda path


test count mail on quota


fix quota warning permissiosn


fix test
2020-04-24 14:56:15 +02:00
Nils Knappmeier 370d08fd33 fail2ban: use filter.d/dovecot.conf from distribution
closes #972
2020-04-10 22:21:40 +02:00
Erik Wramner 73b8d65dd3 Merge next into master 2020-04-05 09:28:22 +02:00
Erik Wramner 04777fdb89
Merge pull request #1435 from Drakulix/master
amavis: fix config permission
2020-04-05 08:43:47 +02:00
Christian Glahn ff1248eeee activate shortcircuit plugin, fixes #1442 2020-03-31 17:09:23 +02:00
Jairo Llopis a00dced8bc Allow to set comfortably inet_protocols
Setting `inet_protocols = ipv4` is almost a requirement when running behind Docker. Provide a way to make it easy.

@Tecnativa TT22925
2020-03-25 21:43:29 +01:00
Victor Brekenfeld c491496b6e avavis fix config permission 2020-03-24 15:43:35 +01:00
Erik Wramner 142b98a209
Merge pull request #1427 from Tecnativa/inet-protocols
Allow to set comfortably inet_protocols
2020-03-22 08:56:55 +01:00
Germain Masse ce41f60888 Move filebeat to its own container 2020-03-20 17:56:18 +01:00
Jairo Llopis ab22450364
Allow to set comfortably inet_protocols
Setting `inet_protocols = ipv4` is almost a requirement when running behind Docker. Provide a way to make it easy.

@Tecnativa TT22925
2020-03-19 08:35:25 +00:00
Wandrille RONCE d148eeddfb Add an option to place spam in the inbox, and then sort the mail by a sieve rule for example 2020-03-16 18:47:24 +01:00
Robert Pufky d3f7c56cdf Fix broken fail2ban dovecot filter; use <HOST> instead of undocumented feature.
* Replace deprecated, undocumented fail2ban feature "(\P<host>\S*)" with
  supported host match "<HOST>".
* Fixes "No failure-id group in '(?: pop3-login|ima ..." fail2ban dovecot filter
  error message.
* See: https://github.com/fail2ban/fail2ban/issues/2130
2020-03-16 18:45:22 +01:00
Wandrille RONCE 90951876cd Add an option to place spam in the inbox, and then sort the mail by a sieve rule for example 2020-03-15 17:51:12 +01:00
Robert Pufky a82caf5d9b Fix broken fail2ban dovecot filter; use <HOST> instead of undocumented feature.
* Replace deprecated, undocumented fail2ban feature "(\P<host>\S*)" with
  supported host match "<HOST>".
* Fixes "No failure-id group in '(?: pop3-login|ima ..." fail2ban dovecot filter
  error message.
* See: https://github.com/fail2ban/fail2ban/issues/2130
2020-02-01 14:57:03 -08:00
Erik Wramner f342151b80 Fixed several amavis tests and removed commented code 2020-01-26 16:39:58 +01:00
Erik Wramner a208748ea2 Configure amavis with D_BOUNCE for spam 2020-01-26 08:34:40 +01:00
Erik Wramner 85ae8a1471 Fix fail2ban issues and install some suggested amavis packages 2020-01-25 15:33:06 +01:00
Erik Wramner 91b2c9834e Upgrade to buster and remove filebeat 2020-01-25 15:33:06 +01:00
Torben Weibert ca16307729 Added -f flag to chmod command to suppress error when no sieve-pipe scripts exist 2020-01-21 22:18:00 +01:00
Torben Weibert 70d87f5119 Add executable flag for scripts in /usr/lib/dovecot/sieve-pipe 2020-01-21 18:18:16 +01:00
Erik Wramner ae2aa6eeb4
Merge pull request #1372 from phish108/shortcircuit-bayes-99-mini
activate SA shortcircuit features via env, fixes #1118 (again)
2020-01-15 07:28:00 +01:00
Lukas Elsner 35df764107 fix clamav issue in logwatch 2020-01-13 17:58:34 -05:00
Christian Glahn b8726b80a4 activate SA shortcircuit features via env, fixes #1118 2020-01-13 14:22:14 +01:00
Erik Wramner d847be2d5a
Merge pull request #1331 from Tecnativa/srs-sender-classes
Allow to configure SRS sender classes easily
2019-12-06 07:22:46 +01:00
Jairo Llopis 7f1bc8f8b3
Avoid infinite failure log in Amavis with SMTP_ONLY=1
Fix #801 by simply touching the file if it doesn't exist.

@Tecnativa TT20505
2019-12-03 13:43:43 +00:00
Jairo Llopis 42348ff353
Allow to configure SRS sender classes easily
This will allow to forward safely any email from any host, no matter how strict their SPF policy is, by setting `SRS_SENDER_CLASSES=envelope_sender,header_sender`.

@Tecnativa TT20505
2019-12-03 13:33:51 +00:00
Erik Wramner da1287c1a5 Changed wrong set options in pflogsumm cron job 2019-12-01 09:19:47 +01:00
Erik Wramner c882d95deb
Merge pull request #1284 from vortex852456/master
Added optional file user-patches.sh for own patches without recompiling
2019-11-09 15:13:06 +01:00
Germain Masse 36afac7726 New option DOVECOT_MAILBOX_FORMAT 2019-11-04 15:49:29 +00:00
Germain Masse e465e659ad Remove unnecessary maildir folders creation 2019-11-01 20:04:37 +00:00
Erik Wramner 37e0082cd7 Set expected permissions in log #1300 2019-10-27 09:22:16 +01:00
Vortex c30c3bf5de moved user_patches from misc to nearly the end of setups 2019-10-16 18:56:06 +02:00
Daniel Dobko e441f1318a Tests should work from now on
Merge branch 'user-patches.sh'

# Conflicts:
#	config/user-patches.sh
#	target/start-mailserver.sh
2019-10-08 21:55:46 +02:00
Undercover1989 275a83667a base files 2019-10-08 21:22:12 +02:00
Undercover1989 0975b71d72 chown docker:docker /tmp/docker-mailserver/user-patches.sh 2019-10-08 19:24:01 +02:00
Undercover1989 b5c422c3c5 start user-patches.sh native instead of explicit using the bash-command 2019-10-08 15:08:01 +02:00
Undercover1989 b01071f52f Added optional file ./config/user-patches.sh which is executed between configuration and starting daemons (misc-section) 2019-10-07 21:04:49 +02:00
Erik Wramner 5f9428fcf3 Set REPORT_RECIPIENT to postmaster when 0 2019-09-24 21:09:48 +02:00
Erik Wramner b9515eae4c Fix report_recipient bugs 2019-09-22 17:16:33 +02:00
Erik Wramner 008b8e6bce Fix #1093, pflogsumm and logwatch 2019-09-16 08:00:35 +02:00
Erik Wramner f14c9fc6ce Moved Postfix overrides last to fix #1143 2019-09-15 18:29:46 +02:00
Erik Wramner 0eef718ed2 Fix #1251 intermediate TLS level 2019-09-05 19:39:33 +02:00
Erik Wramner 615a845d6c Fixed bug when dh.pem/dhparam.pem exists with ONE_DIR 2019-08-13 07:26:31 +02:00
Erik Wramner 5ebb8614a2
Merge pull request #1220 from erik-wramner/dhparam_on_start
Generate dhparam and dovecot cert on start
2019-08-12 22:00:31 +02:00
Erik Wramner f5dac6e71c Disable SMTPUTF8 as Dovecot can't handle it 2019-08-11 17:14:00 +02:00
Erik Wramner d6838e8274 Remove spamassassin cron job when spamassassin is off 2019-08-11 09:52:50 +02:00
Erik Wramner 9d7873850d Move dovecot cert generation to startup 2019-08-10 10:15:35 +02:00
Erik Wramner fc8d684994 Generate dhparams at startup, not build 2019-08-09 22:13:50 +02:00
Roman Seyffarth 5eb0d5ffa6 Fixed opendkim config on multiple nameservers 2019-08-09 09:04:43 +02:00
Martin Schulze fcce47a392 WIP: actually test PERMIT_DOCKER=connected-networks
also showcase timeouts and makefile integration
2019-08-07 02:24:56 +02:00
Erik Wramner 41921f82aa
Merge pull request #1205 from j-marz/opendkim_nameserver
set Nameservers in opendkim.conf at start-up
2019-08-04 18:54:08 +02:00
j-marz 8a1584c3cb set Nameservers in opendkim.conf at start-up 2019-08-03 15:26:44 +10:00
Martin Schulze 234632913e Add PERMIT_DOCKER=connected-networks 2019-08-02 15:05:00 +02:00
Erik Wramner 81e9c7dcff Protect user db with flock 2019-08-01 19:39:25 +02:00
Erik Wramner ec4661194b Compute checksum after possible in-place sed changes 2019-08-01 12:05:48 +02:00