From 93939d8b254887e2751faff15a281f4cbc3dd445 Mon Sep 17 00:00:00 2001 From: Pastilhas Date: Sat, 7 Nov 2020 17:43:25 +0000 Subject: [PATCH] [DOCKER][MAIL] Switched named volume to shared volume and changed env vars to env file --- bin/setup_mail | 21 +++ docker-compose.yaml | 12 +- docker/mail/Dockerfile | 26 ++-- docker/mail/config/aliases | 0 docker/mail/config/aliases.db | Bin 0 -> 12288 bytes docker/mail/config/domains | 0 docker/mail/config/domains.db | Bin 0 -> 12288 bytes .../etc => config}/dovecot/15-lda.conf | 0 .../dovecot/20-managesieve.conf | 0 .../dovecot/90-sieve-extprograms.conf | 0 .../etc => config}/dovecot/90-sieve.conf | 0 docker/mail/config/dovecot/dovecot.conf | 73 ++++++++++ docker/mail/config/mailboxes | 0 .../etc => config}/opendkim/TrustedHosts | 4 +- .../etc => config}/opendkim/opendkim.conf | 8 +- docker/mail/config/passwd | 0 .../{rootfs/etc => config}/postfix/main.cf | 3 +- .../{rootfs/etc => config}/postfix/master.cf | 0 .../etc => config}/rsyslogd/rsyslog.conf | 4 +- .../supervisord/supervisord.conf | 8 +- docker/mail/exec.sh | 1 + .../mail/rootfs/etc/mail/dovecot/15-lda.conf | 48 +++++++ .../etc/mail/dovecot/20-managesieve.conf | 76 +++++++++++ .../mail/dovecot/90-sieve-extprograms.conf | 44 ++++++ .../rootfs/etc/mail/dovecot/90-sieve.conf | 105 ++++++++++++++ .../etc/{ => mail}/dovecot/dovecot.conf | 4 +- .../rootfs/etc/mail/opendkim/TrustedHosts | 13 ++ .../rootfs/etc/mail/opendkim/opendkim.conf | 128 ++++++++++++++++++ docker/mail/rootfs/etc/mail/postfix/main.cf | 77 +++++++++++ docker/mail/rootfs/etc/mail/postfix/master.cf | 126 +++++++++++++++++ .../rootfs/etc/mail/rsyslogd/rsyslog.conf | 91 +++++++++++++ .../etc/mail/supervisord/supervisord.conf | 46 +++++++ docker/mail/rootfs/usr/bin/start.sh | 38 ++---- 33 files changed, 890 insertions(+), 66 deletions(-) create mode 100644 bin/setup_mail create mode 100644 docker/mail/config/aliases create mode 100644 docker/mail/config/aliases.db create mode 100644 docker/mail/config/domains create mode 100644 docker/mail/config/domains.db rename docker/mail/{rootfs/etc => config}/dovecot/15-lda.conf (100%) rename docker/mail/{rootfs/etc => config}/dovecot/20-managesieve.conf (100%) rename docker/mail/{rootfs/etc => config}/dovecot/90-sieve-extprograms.conf (100%) rename docker/mail/{rootfs/etc => config}/dovecot/90-sieve.conf (100%) create mode 100644 docker/mail/config/dovecot/dovecot.conf create mode 100644 docker/mail/config/mailboxes rename docker/mail/{rootfs/etc => config}/opendkim/TrustedHosts (78%) rename docker/mail/{rootfs/etc => config}/opendkim/opendkim.conf (95%) create mode 100644 docker/mail/config/passwd rename docker/mail/{rootfs/etc => config}/postfix/main.cf (97%) rename docker/mail/{rootfs/etc => config}/postfix/master.cf (100%) rename docker/mail/{rootfs/etc => config}/rsyslogd/rsyslog.conf (96%) rename docker/mail/{rootfs/etc => config}/supervisord/supervisord.conf (78%) create mode 100644 docker/mail/rootfs/etc/mail/dovecot/15-lda.conf create mode 100644 docker/mail/rootfs/etc/mail/dovecot/20-managesieve.conf create mode 100644 docker/mail/rootfs/etc/mail/dovecot/90-sieve-extprograms.conf create mode 100644 docker/mail/rootfs/etc/mail/dovecot/90-sieve.conf rename docker/mail/rootfs/etc/{ => mail}/dovecot/dovecot.conf (90%) create mode 100644 docker/mail/rootfs/etc/mail/opendkim/TrustedHosts create mode 100644 docker/mail/rootfs/etc/mail/opendkim/opendkim.conf create mode 100644 docker/mail/rootfs/etc/mail/postfix/main.cf create mode 100644 docker/mail/rootfs/etc/mail/postfix/master.cf create mode 100644 docker/mail/rootfs/etc/mail/rsyslogd/rsyslog.conf create mode 100644 docker/mail/rootfs/etc/mail/supervisord/supervisord.conf diff --git a/bin/setup_mail b/bin/setup_mail new file mode 100644 index 0000000000..80ba34e7b2 --- /dev/null +++ b/bin/setup_mail @@ -0,0 +1,21 @@ +#!/bin/sh + +printf "Domain root: " +read -r domain_root +printf "Subdomain (can be empty): " +read -r sub_domain + +if [ -z "$sub_domain" ] +then + domain="${domain_root}" +else + domain="${sub_domain}.${domain_root}" +fi + +cat > ./docker/mail/mail.env <|FOP!IhVHZEhkjdU>1!_{ zVpnF4YrBs+4^5eeJVaE}_O(8`D()qD^`G-;zR4O(oiQpk-p||RC!gQj2oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+0D)}sQs5FkK+ P009C72oNAZ;NJoRad-|v literal 0 HcmV?d00001 diff --git a/docker/mail/config/domains b/docker/mail/config/domains new file mode 100644 index 0000000000..e69de29bb2 diff --git a/docker/mail/config/domains.db b/docker/mail/config/domains.db new file mode 100644 index 0000000000000000000000000000000000000000..f3a38bdd850ec82cd6d70c285bdab8dbf4fc3312 GIT binary patch literal 12288 zcmeI%Jr06E5C+hJf?$E6vG4@m%EXSulUT?_JczY7atE*wTkPH@`;%`sv&m~GBBClY z$K}w(E)RW~Z5|@(dHY(&XC2p)-1eu(akht%}&3~-&Db)Yp)?YOO1PBlyK!5-N M0t5&UAn. %d expands to recipient domain. +#postmaster_address = + +# Hostname to use in various parts of sent mails (e.g. in Message-Id) and +# in LMTP replies. Default is the system's real hostname@domain. +#hostname = + +# If user is over quota, return with temporary failure instead of +# bouncing the mail. +#quota_full_tempfail = no + +# Binary to use for sending mails. +#sendmail_path = /usr/sbin/sendmail + +# If non-empty, send mails via this SMTP host[:port] instead of sendmail. +#submission_host = + +# Subject: header to use for rejection mails. You can use the same variables +# as for rejection_reason below. +#rejection_subject = Rejected: %s + +# Human readable error message for rejection mails. You can use variables: +# %n = CRLF, %r = reason, %s = original subject, %t = recipient +#rejection_reason = Your message to <%t> was automatically rejected:%n%r + +# Delimiter character between local-part and detail in email address. +#recipient_delimiter = + + +# Header where the original recipient address (SMTP's RCPT TO: address) is taken +# from if not available elsewhere. With dovecot-lda -a parameter overrides this. +# A commonly used header for this is X-Original-To. +#lda_original_recipient_header = + +# Should saving a mail to a nonexistent mailbox automatically create it? +lda_mailbox_autocreate = yes + +# Should automatically created mailboxes be also automatically subscribed? +#lda_mailbox_autosubscribe = no + +protocol lda { + # Space separated list of plugins to load (default is global mail_plugins). + mail_plugins = $mail_plugins sieve +} diff --git a/docker/mail/rootfs/etc/mail/dovecot/20-managesieve.conf b/docker/mail/rootfs/etc/mail/dovecot/20-managesieve.conf new file mode 100644 index 0000000000..ed3e584a72 --- /dev/null +++ b/docker/mail/rootfs/etc/mail/dovecot/20-managesieve.conf @@ -0,0 +1,76 @@ +## +## ManageSieve specific settings +## + +# Uncomment to enable managesieve protocol: +protocols = $protocols sieve + +# Service definitions + +service managesieve-login { + inet_listener sieve { + port = 4190 + } + + #inet_listener sieve_deprecated { + # port = 2000 + #} + + # Number of connections to handle before starting a new process. Typically + # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0 + # is faster. + service_count = 1 + + # Number of processes to always keep waiting for more connections. + #process_min_avail = 0 + + # If you set service_count=0, you probably need to grow this. + #vsz_limit = 64M +} + +service managesieve { + # Max. number of ManageSieve processes (connections) + process_limit = 1024 +} + +# Service configuration + +protocol sieve { + # Maximum ManageSieve command line length in bytes. ManageSieve usually does + # not involve overly long command lines, so this setting will not normally + # need adjustment + #managesieve_max_line_length = 65536 + + # Maximum number of ManageSieve connections allowed for a user from each IP + # address. + # NOTE: The username is compared case-sensitively. + #mail_max_userip_connections = 10 + + # Space separated list of plugins to load (none known to be useful so far). + # Do NOT try to load IMAP plugins here. + #mail_plugins = + + # MANAGESIEVE logout format string: + # %i - total number of bytes read from client + # %o - total number of bytes sent to client + #managesieve_logout_format = bytes=%i/%o + + # To fool ManageSieve clients that are focused on CMU's timesieved you can + # specify the IMPLEMENTATION capability that Dovecot reports to clients. + # For example: 'Cyrus timsieved v2.2.13' + #managesieve_implementation_string = Dovecot Pigeonhole + + # Explicitly specify the SIEVE and NOTIFY capability reported by the server + # before login. If left unassigned these will be reported dynamically + # according to what the Sieve interpreter supports by default (after login + # this may differ depending on the user). + #managesieve_sieve_capability = + #managesieve_notify_capability = + + # The maximum number of compile errors that are returned to the client upon + # script upload or script verification. + #managesieve_max_compile_errors = 5 + + # Refer to 90-sieve.conf for script quota configuration and configuration of + # Sieve execution limits. +} diff --git a/docker/mail/rootfs/etc/mail/dovecot/90-sieve-extprograms.conf b/docker/mail/rootfs/etc/mail/dovecot/90-sieve-extprograms.conf new file mode 100644 index 0000000000..17dcb77d51 --- /dev/null +++ b/docker/mail/rootfs/etc/mail/dovecot/90-sieve-extprograms.conf @@ -0,0 +1,44 @@ +# Sieve Extprograms plugin configuration + +# Don't forget to add the sieve_extprograms plugin to the sieve_plugins setting. +# Also enable the extensions you need (one or more of vnd.dovecot.pipe, +# vnd.dovecot.filter and vnd.dovecot.execute) by adding these to the +# sieve_extensions or sieve_global_extensions settings. Restricting these +# extensions to a global context using sieve_global_extensions is recommended. + +plugin { + + # The directory where the program sockets are located for the + # vnd.dovecot.pipe, vnd.dovecot.filter and vnd.dovecot.execute extension + # respectively. The name of each unix socket contained in that directory + # directly maps to a program-name referenced from the Sieve script. + #sieve_pipe_socket_dir = sieve-pipe + #sieve_filter_socket_dir = sieve-filter + #sieve_execute_socket_dir = sieve-execute + + # The directory where the scripts are located for direct execution by the + # vnd.dovecot.pipe, vnd.dovecot.filter and vnd.dovecot.execute extension + # respectively. The name of each script contained in that directory + # directly maps to a program-name referenced from the Sieve script. + #sieve_pipe_bin_dir = /usr/lib/dovecot/sieve-pipe + #sieve_filter_bin_dir = /usr/lib/dovecot/sieve-filter + #sieve_execute_bin_dir = /usr/lib/dovecot/sieve-execute +} + +# An example program service called 'do-something' to pipe messages to +#service do-something { + # Define the executed script as parameter to the sieve service + #executable = script /usr/lib/dovecot/sieve-pipe/do-something.sh + + # Use some unprivileged user for executing the program + #user = dovenull + + # The unix socket located in the sieve_pipe_socket_dir (as defined in the + # plugin {} section above) + #unix_listener sieve-pipe/do-something { + # LDA/LMTP must have access + # user = vmail + # mode = 0600 + #} +#} + diff --git a/docker/mail/rootfs/etc/mail/dovecot/90-sieve.conf b/docker/mail/rootfs/etc/mail/dovecot/90-sieve.conf new file mode 100644 index 0000000000..1ebf9f339a --- /dev/null +++ b/docker/mail/rootfs/etc/mail/dovecot/90-sieve.conf @@ -0,0 +1,105 @@ +## +## Settings for the Sieve interpreter +## + +# Do not forget to enable the Sieve plugin in 15-lda.conf and 20-lmtp.conf +# by adding it to the respective mail_plugins= settings. + +plugin { + # The path to the user's main active script. If ManageSieve is used, this the + # location of the symbolic link controlled by ManageSieve. + sieve = ~/.dovecot.sieve + + # The default Sieve script when the user has none. This is a path to a global + # sieve script file, which gets executed ONLY if user's private Sieve script + # doesn't exist. Be sure to pre-compile this script manually using the sievec + # command line tool. + # --> See sieve_before fore executing scripts before the user's personal + # script. + #sieve_default = /var/lib/dovecot/sieve/default.sieve + + # Directory for :personal include scripts for the include extension. This + # is also where the ManageSieve service stores the user's scripts. + sieve_dir = ~/sieve + + # Directory for :global include scripts for the include extension. + #sieve_global_dir = + + # Path to a script file or a directory containing script files that need to be + # executed before the user's script. If the path points to a directory, all + # the Sieve scripts contained therein (with the proper .sieve extension) are + # executed. The order of execution within a directory is determined by the + # file names, using a normal 8bit per-character comparison. Multiple script + # file or directory paths can be specified by appending an increasing number. + #sieve_before = + #sieve_before2 = + #sieve_before3 = (etc...) + + # Identical to sieve_before, only the specified scripts are executed after the + # user's script (only when keep is still in effect!). Multiple script file or + # directory paths can be specified by appending an increasing number. + #sieve_after = + #sieve_after2 = + #sieve_after2 = (etc...) + + # Which Sieve language extensions are available to users. By default, all + # supported extensions are available, except for deprecated extensions or + # those that are still under development. Some system administrators may want + # to disable certain Sieve extensions or enable those that are not available + # by default. This setting can use '+' and '-' to specify differences relative + # to the default. For example `sieve_extensions = +imapflags' will enable the + # deprecated imapflags extension in addition to all extensions were already + # enabled by default. + #sieve_extensions = +notify +imapflags + + # Which Sieve language extensions are ONLY available in global scripts. This + # can be used to restrict the use of certain Sieve extensions to administrator + # control, for instance when these extensions can cause security concerns. + # This setting has higher precedence than the `sieve_extensions' setting + # (above), meaning that the extensions enabled with this setting are never + # available to the user's personal script no matter what is specified for the + # `sieve_extensions' setting. The syntax of this setting is similar to the + # `sieve_extensions' setting, with the difference that extensions are + # enabled or disabled for exclusive use in global scripts. Currently, no + # extensions are marked as such by default. + #sieve_global_extensions = + + # The Pigeonhole Sieve interpreter can have plugins of its own. Using this + # setting, the used plugins can be specified. Check the Dovecot wiki + # (wiki2.dovecot.org) or the pigeonhole website + # (http://pigeonhole.dovecot.org) for available plugins. + # The sieve_extprograms plugin is included in this release. + #sieve_plugins = + + # The separator that is expected between the :user and :detail + # address parts introduced by the subaddress extension. This may + # also be a sequence of characters (e.g. '--'). The current + # implementation looks for the separator from the left of the + # localpart and uses the first one encountered. The :user part is + # left of the separator and the :detail part is right. This setting + # is also used by Dovecot's LMTP service. + #recipient_delimiter = + + + # The maximum size of a Sieve script. The compiler will refuse to compile any + # script larger than this limit. If set to 0, no limit on the script size is + # enforced. + #sieve_max_script_size = 1M + + # The maximum number of actions that can be performed during a single script + # execution. If set to 0, no limit on the total number of actions is enforced. + #sieve_max_actions = 32 + + # The maximum number of redirect actions that can be performed during a single + # script execution. If set to 0, no redirect actions are allowed. + #sieve_max_redirects = 4 + + # The maximum number of personal Sieve scripts a single user can have. If set + # to 0, no limit on the number of scripts is enforced. + # (Currently only relevant for ManageSieve) + #sieve_quota_max_scripts = 0 + + # The maximum amount of disk storage a single user's scripts may occupy. If + # set to 0, no limit on the used amount of disk storage is enforced. + # (Currently only relevant for ManageSieve) + #sieve_quota_max_storage = 0 +} diff --git a/docker/mail/rootfs/etc/dovecot/dovecot.conf b/docker/mail/rootfs/etc/mail/dovecot/dovecot.conf similarity index 90% rename from docker/mail/rootfs/etc/dovecot/dovecot.conf rename to docker/mail/rootfs/etc/mail/dovecot/dovecot.conf index 04a3a3d5f1..974d4c8fc7 100644 --- a/docker/mail/rootfs/etc/dovecot/dovecot.conf +++ b/docker/mail/rootfs/etc/mail/dovecot/dovecot.conf @@ -7,8 +7,8 @@ ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL listen = *, :: dict { - #quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext - #expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext + #quota = mysql:/etc/mail/dovecot/dovecot-dict-sql.conf.ext + #expire = sqlite:/etc/mail/dovecot/dovecot-dict-sql.conf.ext } disable_plaintext_auth = no diff --git a/docker/mail/rootfs/etc/mail/opendkim/TrustedHosts b/docker/mail/rootfs/etc/mail/opendkim/TrustedHosts new file mode 100644 index 0000000000..4fa1f327a0 --- /dev/null +++ b/docker/mail/rootfs/etc/mail/opendkim/TrustedHosts @@ -0,0 +1,13 @@ +# OPENDKIM TRUSTED HOSTS +# To use this file, uncomment the #ExternalIgnoreList and/or the #InternalHosts +# option in /etc/mail/opendkim.conf then restart OpenDKIM. Additional hosts +# may be added on separate lines (IP addresses, hostnames, or CIDR ranges). +# The localhost IP (127.0.0.1) should always be the first entry in this file. +127.0.0.1 +::1 +172.17.0.0/16 +fe80::/64 +#HOSTNAME + +#host.example.com +#192.168.1.0/24 diff --git a/docker/mail/rootfs/etc/mail/opendkim/opendkim.conf b/docker/mail/rootfs/etc/mail/opendkim/opendkim.conf new file mode 100644 index 0000000000..979bec49a4 --- /dev/null +++ b/docker/mail/rootfs/etc/mail/opendkim/opendkim.conf @@ -0,0 +1,128 @@ +## BASIC OPENDKIM CONFIGURATION FILE +## See opendkim.conf(5) or /usr/share/doc/opendkim/opendkim.conf.sample for more + +## BEFORE running OpenDKIM you must: + +## - make your MTA (Postfix, Sendmail, etc.) aware of OpenDKIM +## - generate keys for your domain (if signing) +## - edit your DNS records to publish your public keys (if signing) + +## See /usr/share/doc/opendkim/INSTALL for detailed instructions. + +## DEPRECATED CONFIGURATION OPTIONS +## +## The following configuration options are no longer valid. They should be +## removed from your existing configuration file to prevent potential issues. +## Failure to do so may result in opendkim being unable to start. +## +## Removed in 2.10.0: +## AddAllSignatureResults +## ADSPAction +## ADSPNoSuchDomain +## BogusPolicy +## DisableADSP +## LDAPSoftStart +## LocalADSP +## NoDiscardableMailTo +## On-PolicyError +## SendADSPReports +## UnprotectedPolicy + +## CONFIGURATION OPTIONS + +## Specifies the path to the process ID file. +PidFile /var/run/opendkim/opendkim.pid + +## Selects operating modes. Valid modes are s (sign) and v (verify). Default is v. +## Must be changed to s (sign only) or sv (sign and verify) in order to sign outgoing +## messages. +Mode s + +## Log activity to the system log. +Syslog yes + +## Log additional entries indicating successful signing or verification of messages. +SyslogSuccess yes + +## If logging is enabled, include detailed logging about why or why not a message was +## signed or verified. This causes an increase in the amount of log data generated +## for each message, so set this to No (or comment it out) if it gets too noisy. +LogWhy yes + +## Attempt to become the specified user before starting operations. +UserID opendkim:opendkim + +## Create a socket through which your MTA can communicate. +Socket inet:8891@localhost + +## Required to use local socket with MTAs that access the socket as a non- +## privileged user (e.g. Postfix) +Umask 002 + +## This specifies a text file in which to store DKIM transaction statistics. +## OpenDKIM must be manually compiled with --enable-stats to enable this feature. +# Statistics /var/spool/opendkim/stats.dat + +## Specifies whether or not the filter should generate report mail back +## to senders when verification fails and an address for such a purpose +## is provided. See opendkim.conf(5) for details. +# SendReports yes + +## Specifies the sending address to be used on From: headers of outgoing +## failure reports. By default, the e-mail address of the user executing +## the filter is used (executing_user@hostname). +# ReportAddress "Example.com Postmaster" + +## Add a DKIM-Filter header field to messages passing through this filter +## to identify messages it has processed. +SoftwareHeader yes + +## SIGNING OPTIONS + +## Selects the canonicalization method(s) to be used when signing messages. +Canonicalization relaxed/simple + +## Domain(s) whose mail should be signed by this filter. Mail from other domains will +## be verified rather than being signed. Uncomment and use your domain name. +## This parameter is not required if a SigningTable is in use. +Domain file:/etc/mail/domains + + +## Defines the name of the selector to be used when signing messages. +Selector default + +## Specifies the minimum number of key bits for acceptable keys and signatures. +MinimumKeyBits 1024 + +## Gives the location of a private key to be used for signing ALL messages. This +## directive is ignored if KeyTable is enabled. +KeyFile /var/opendkim/keys/default.private + +## Gives the location of a file mapping key names to signing keys. In simple terms, +## this tells OpenDKIM where to find your keys. If present, overrides any KeyFile +## directive in the configuration file. Requires SigningTable be enabled. +# KeyTable /etc/mail/opendkim/KeyTable + +## Defines a table used to select one or more signatures to apply to a message based +## on the address found in the From: header field. In simple terms, this tells +## OpenDKIM how to use your keys. Requires KeyTable be enabled. +# SigningTable refile:/etc/mail/opendkim/SigningTable + +## Identifies a set of "external" hosts that may send mail through the server as one +## of the signing domains without credentials as such. +# ExternalIgnoreList refile:/etc/mail/opendkim/TrustedHosts + +## Identifies a set "internal" hosts whose mail should be signed rather than verified. +InternalHosts refile:/etc/mail/opendkim/TrustedHosts + +## Contains a list of IP addresses, CIDR blocks, hostnames or domain names +## whose mail should be neither signed nor verified by this filter. See man +## page for file format. +# PeerList X.X.X.X + +## Always oversign From (sign using actual From and a null From to prevent +## malicious signatures header fields (From and/or others) between the signer +## and the verifier. From is oversigned by default in the Fedora package +## because it is often the identity key used by reputation systems and thus +## somewhat security sensitive. +OversignHeaders From diff --git a/docker/mail/rootfs/etc/mail/postfix/main.cf b/docker/mail/rootfs/etc/mail/postfix/main.cf new file mode 100644 index 0000000000..f6951ddd05 --- /dev/null +++ b/docker/mail/rootfs/etc/mail/postfix/main.cf @@ -0,0 +1,77 @@ +## STANDARD POSTFIX CONFIG PARAMS ### + +queue_directory = /var/spool/postfix +command_directory = /usr/sbin +daemon_directory = /usr/lib/postfix/sbin +data_directory = /var/lib/postfix +mail_owner = postfix +myhostname = %MAIL_HOSTNAME% +mydomain = %MAIL_HOSTNAME_FQDN% +myorigin = $myhostname +inet_interfaces = all +inet_protocols = all +mydestination = $myhostname, localhost.$mydomain, localhost +unknown_local_recipient_reject_code = 550 +mynetworks = 127.0.0.0/8, [::1]/128 +alias_maps = hash:/etc/mail/postfix/aliases + +mailbox_command = /usr/lib/dovecot/deliver + +debug_peer_level = 2 +debugger_command = + PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin + ddd $daemon_directory/$process_name $process_id & sleep 5 +sendmail_path = /usr/sbin/sendmail.postfix +newaliases_path = /usr/bin/newaliases.postfix +mailq_path = /usr/bin/mailq.postfix +setgid_group = postdrop +html_directory = no +manpage_directory = /usr/share/man +sample_directory = /usr/share/doc/postfix-2.10.1/samples +readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES + +smtp_tls_security_level = may +smtp_tls_loglevel = 1 +smtp_tls_protocols = !SSLv2 +smtp_tls_exclude_ciphers = EXPORT, LOW + +### VIRTUAL MAIL CONFIG PARAMS ### +relay_domains = * +virtual_alias_maps = hash:/etc/mail/aliases +virtual_mailbox_domains = hash:/etc/mail/domains +virtual_mailbox_maps = hash:/etc/mail/mailboxes + +virtual_mailbox_base = /var/mail +virtual_minimum_uid = 2222 +virtual_transport = dovecot +virtual_uid_maps = static:2222 +virtual_gid_maps = static:2222 + +dovecot_destination_recipient_limit = 1 + +milter_protocol = 2 +milter_default_action = accept +smtpd_milters = inet:localhost:8891 +non_smtpd_milters = inet:localhost:8891 + +smtpd_sasl_auth_enable = yes +smtpd_sasl_type = dovecot +smtpd_sasl_path = /var/run/dovecot/auth-client +smtpd_sasl_security_options = noanonymous +smtpd_sasl_tls_security_options = $smtpd_sasl_security_options +smtpd_sasl_local_domain = $mydomain +broken_sasl_auth_clients = yes + +smtpd_tls_security_level = may +smtpd_tls_key_file = /etc/ssl/mail.key +smtpd_tls_cert_file = /etc/ssl/mail.crt +smtpd_tls_loglevel = 1 +smtpd_tls_session_cache_timeout = 3600s +smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_cache +smtpd_tls_protocols = $smtp_tls_protocols +tls_random_source = dev:/dev/urandom +tls_random_exchange_name = /var/lib/postfix/prng_exch +smtpd_tls_auth_only = yes + +smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination +smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination diff --git a/docker/mail/rootfs/etc/mail/postfix/master.cf b/docker/mail/rootfs/etc/mail/postfix/master.cf new file mode 100644 index 0000000000..8caedc3fab --- /dev/null +++ b/docker/mail/rootfs/etc/mail/postfix/master.cf @@ -0,0 +1,126 @@ +# +# Postfix master process configuration file. For details on the format +# of the file, see the master(5) manual page (command: "man 5 master"). +# +# Do not forget to execute "postfix reload" after editing this file. +# +# ========================================================================== +# service type private unpriv chroot wakeup maxproc command + args +# (yes) (yes) (yes) (never) (100) +# ========================================================================== +smtp inet n - n - - smtpd +#smtp inet n - n - 1 postscreen +#smtpd pass - - n - - smtpd +#dnsblog unix - - n - 0 dnsblog +#tlsproxy unix - - n - 0 tlsproxy +submission inet n - n - - smtpd +# -o syslog_name=postfix/submission +# -o smtpd_tls_security_level=encrypt +# -o smtpd_sasl_auth_enable=yes +# -o smtpd_reject_unlisted_recipient=no +# -o smtpd_client_restrictions=$mua_client_restrictions +# -o smtpd_helo_restrictions=$mua_helo_restrictions +# -o smtpd_sender_restrictions=$mua_sender_restrictions +# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject +# -o milter_macro_daemon_name=ORIGINATING +smtps inet n - n - - smtpd + -o syslog_name=postfix/smtps + -o smtpd_tls_wrappermode=yes + -o smtpd_sasl_auth_enable=yes + -o smtpd_reject_unlisted_recipient=no + -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject + -o milter_macro_daemon_name=ORIGINATING +#628 inet n - n - - qmqpd +pickup unix n - n 60 1 pickup +cleanup unix n - n - 0 cleanup +qmgr unix n - n 300 1 qmgr +#qmgr unix n - n 300 1 oqmgr +tlsmgr unix - - n 1000? 1 tlsmgr +rewrite unix - - n - - trivial-rewrite +bounce unix - - n - 0 bounce +defer unix - - n - 0 bounce +trace unix - - n - 0 bounce +verify unix - - n - 1 verify +flush unix n - n 1000? 0 flush +proxymap unix - - n - - proxymap +proxywrite unix - - n - 1 proxymap +smtp unix - - n - - smtp +relay unix - - n - - smtp +# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 +showq unix n - n - - showq +error unix - - n - - error +retry unix - - n - - error +discard unix - - n - - discard +local unix - n n - - local +virtual unix - n n - - virtual +lmtp unix - - n - - lmtp +anvil unix - - n - 1 anvil +scache unix - - n - 1 scache +# +# ==================================================================== +# Interfaces to non-Postfix software. Be sure to examine the manual +# pages of the non-Postfix software to find out what options it wants. +# +# Many of the following services use the Postfix pipe(8) delivery +# agent. See the pipe(8) man page for information about ${recipient} +# and other message envelope options. +# ==================================================================== +# +# maildrop. See the Postfix MAILDROP_README file for details. +# Also specify in main.cf: maildrop_destination_recipient_limit=1 +# +#maildrop unix - n n - - pipe +# flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient} +# +# ==================================================================== +# +# Recent Cyrus versions can use the existing "lmtp" master.cf entry. +# +# Specify in cyrus.conf: +# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4 +# +# Specify in main.cf one or more of the following: +# mailbox_transport = lmtp:inet:localhost +# virtual_transport = lmtp:inet:localhost +# +# ==================================================================== +# +# Cyrus 2.1.5 (Amos Gouaux) +# Also specify in main.cf: cyrus_destination_recipient_limit=1 +# +#cyrus unix - n n - - pipe +# user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user} +# +# ==================================================================== +# +# Old example of delivery via Cyrus. +# +#old-cyrus unix - n n - - pipe +# flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user} +# +# ==================================================================== +# +# See the Postfix UUCP_README file for configuration details. +# +#uucp unix - n n - - pipe +# flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient) +# +# ==================================================================== +# +# Other external delivery methods. +# +#ifmail unix - n n - - pipe +# flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) +# +#bsmtp unix - n n - - pipe +# flags=Fq. user=bsmtp argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient +# +#scalemail-backend unix - n n - 2 pipe +# flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store +# ${nexthop} ${user} ${extension} +# +#mailman unix - n n - - pipe +# flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py +# ${nexthop} ${user} +dovecot unix - n n - - pipe + flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${recipient} diff --git a/docker/mail/rootfs/etc/mail/rsyslogd/rsyslog.conf b/docker/mail/rootfs/etc/mail/rsyslogd/rsyslog.conf new file mode 100644 index 0000000000..0912c551e7 --- /dev/null +++ b/docker/mail/rootfs/etc/mail/rsyslogd/rsyslog.conf @@ -0,0 +1,91 @@ +# rsyslog configuration file + +# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html +# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html + +#### MODULES #### + +# The imjournal module bellow is now used as a message source instead of imuxsock. +$ModLoad imuxsock # provides support for local system logging (e.g. via logger command) +#$ModLoad imjournal # provides access to the systemd journal +#$ModLoad imklog # reads kernel messages (the same are read from journald) +#$ModLoad immark # provides --MARK-- message capability + +# Provides UDP syslog reception +#$ModLoad imudp +#$UDPServerRun 514 + +# Provides TCP syslog reception +#$ModLoad imtcp +#$InputTCPServerRun 514 + + +#### GLOBAL DIRECTIVES #### + +# Where to place auxiliary files +#$WorkDirectory /var/lib/rsyslog + +# Use default timestamp format +$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat + +# File syncing capability is disabled by default. This feature is usually not required, +# not useful and an extreme performance hit +#$ActionFileEnableSync on + +# Include all config files in /etc/mail/rsyslog.d/ +$IncludeConfig /etc/mail/rsyslog.d/*.conf + +# Turn off message reception via local log socket; +# local messages are retrieved through imjournal now. +$OmitLocalLogging off + +# File to store the position in the journal +# $IMJournalStateFile imjournal.state + + +#### RULES #### + +# Log all kernel messages to the console. +# Logging much else clutters up the screen. +#kern.* /dev/console + +# Log anything (except mail) of level info or higher. +# Don't log private authentication messages! +*.info;mail.none;authpriv.none;cron.none /var/log/messages + +# The authpriv file has restricted access. +authpriv.* /var/log/secure + +# Log all the mail messages in one place. +mail.* -/var/log/maillog + + +# Log cron stuff +cron.* /var/log/cron + +# Everybody gets emergency messages +*.emerg :omusrmsg:* + +# Save news errors of level crit and higher in a special file. +uucp,news.crit /var/log/spooler + +# Save boot messages also to boot.log +local7.* /var/log/boot.log + + +# ### begin forwarding rule ### +# The statement between the begin ... end define a SINGLE forwarding +# rule. They belong together, do NOT split them. If you create multiple +# forwarding rules, duplicate the whole block! +# Remote Logging (we use TCP for reliable delivery) +# +# An on-disk queue is created for this action. If the remote host is +# down, messages are spooled to disk and sent when it is up again. +#$ActionQueueFileName fwdRule1 # unique name prefix for spool files +#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible) +#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown +#$ActionQueueType LinkedList # run asynchronously +#$ActionResumeRetryCount -1 # infinite retries if host is down +# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional +#*.* @@remote-host:514 +# ### end of the forwarding rule ### \ No newline at end of file diff --git a/docker/mail/rootfs/etc/mail/supervisord/supervisord.conf b/docker/mail/rootfs/etc/mail/supervisord/supervisord.conf new file mode 100644 index 0000000000..e4501f8693 --- /dev/null +++ b/docker/mail/rootfs/etc/mail/supervisord/supervisord.conf @@ -0,0 +1,46 @@ +[unix_http_server] +file=/tmp/supervisor.sock + +[supervisord] +nodaemon=true +user=root +loglevel=warn + +[supervisorctl] +serverurl=unix:///tmp/supervisor.sock +user=root + +[rpcinterface:supervisor] +supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface + +[program:opendkim] +autostart=false +autorestart=true +stdout_logfile=/dev/fd/1 +stdout_logfile_maxbytes=0 +redirect_stderr=true +command=/usr/sbin/opendkim -x /etc/mail/opendkim/opendkim.conf + +[program:postfix] +autostart=false +autorestart=true +stdout_logfile=/dev/fd/1 +stdout_logfile_maxbytes=0 +redirect_stderr=true +command=postfix -c /etc/mail/postfix/postfix.conf + +[program:dovecot] +autostart=false +autorestart=true +stdout_logfile=/dev/fd/1 +stdout_logfile_maxbytes=0 +redirect_stderr=true +command=dovecot -c /etc/mail/dovecot/dovecot.conf + +[program:rsyslog] +autostart=false +autorestart=true +stdout_logfile=/dev/fd/1 +stdout_logfile_maxbytes=0 +redirect_stderr=true +command=rsyslog -f /etc/mail/rsyslogd/rsyslog.conf diff --git a/docker/mail/rootfs/usr/bin/start.sh b/docker/mail/rootfs/usr/bin/start.sh index 2802c64518..8c3575a046 100644 --- a/docker/mail/rootfs/usr/bin/start.sh +++ b/docker/mail/rootfs/usr/bin/start.sh @@ -1,32 +1,24 @@ #!/bin/sh - -CERTBOT="/etc/letsencrypt/live/$domain/fullchain.pem" -KEYBOT="/etc/letsencrypt/live/$domain/privkey.pem" - # Config postfix postconf -e myhostname="$MAILNAME" postconf -e mydomain="$DOMAINNAME" -postconf -e smtpd_tls_cert_file="$CERTBOT" -postconf -e smtpd_tls_key_file="$KEYBOT" +postconf -e smtpd_tls_cert_file="$SSL_CERT" +postconf -e smtpd_tls_key_file="$SSL_KEY" # Config dovecot -sed -i -e "s#^\s*ssl_cert\s*=.*#ssl_cert = <$CERTBOT#" /etc/dovecot/dovecot.conf -sed -i -e "s#^\s*ssl_key\s*=.*#ssl_key = <$KEYBOT#" /etc/dovecot/dovecot.conf -sed -i -e "s#^\s*hostname\s*=.*#hostname = $MAILNAME#" /etc/dovecot/dovecot.conf -sed -i -e "s#^\s*postmaster_address\s*=.*#postmaster_address = $POSTMASTER#" /etc/dovecot/dovecot.conf +sed -i -e "s#^\s*ssl_cert\s*=.*#ssl_cert = <$SSL_CERT#" /etc/mail/dovecot/dovecot.conf +sed -i -e "s#^\s*ssl_key\s*=.*#ssl_key = <$SSL_KEY#" /etc/mail/dovecot/dovecot.conf +sed -i -e "s#^\s*hostname\s*=.*#hostname = $MAILNAME#" /etc/mail/dovecot/dovecot.conf +sed -i -e "s#^\s*postmaster_address\s*=.*#postmaster_address = $POSTMASTER#" /etc/mail/dovecot/dovecot.conf # Config dkim -sed -i -e "s/#HOSTNAME/$MAILNAME/" /etc/opendkim/TrustedHosts +sed -i -e "s/#HOSTNAME/$MAILNAME/" /etc/mail/opendkim/TrustedHosts # Run openssl -if [ $signed -eq 0 ] +if [ ! -e "$SSL_CERT" ] then - openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout "$SSL_KEY" -out "$SSL_CERT" \ - -subj "/C=UK/ST=England/L=London/O=OrgName/OU=IT Department/CN=$MAILNAME" - postconf -e smtpd_tls_cert_file="$SSL_CERT" - postconf -e smtpd_tls_key_file="$SSL_KEY" - sed -i -e "s#^\s*ssl_cert\s*=.*#ssl_cert = <$SSL_CERT#" /etc/dovecot/dovecot.conf - sed -i -e "s#^\s*ssl_key\s*=.*#ssl_key = <$SSL_KEY#" /etc/dovecot/dovecot.conf + mkdir -p "$(dirname $SSL_CERT)" "$(dirname $SSL_KEY)" + openssl req -x509 -nodes -newkey rsa:2018 -days 365 -keyout "$SSL_CERT" -out "$SSL_KEY" fi # Run opendkim @@ -45,8 +37,8 @@ fi # Start services -rsyslogd -f /etc/rsyslogd/rsyslog.conf -/usr/sbin/opendkim -x /etc/opendkim/opendkim.conf -/usr/sbin/dovecot -c /etc/dovecot/dovecot.conf -/usr/sbin/postfix start -c /etc/postfix -supervisord -c /etc/supervisord/supervisord.conf +rsyslogd -f /etc/mail/rsyslogd/rsyslog.conf +/usr/sbin/opendkim -x /etc/mail/opendkim/opendkim.conf +/usr/sbin/dovecot -c /etc/mail/dovecot/dovecot.conf +/usr/sbin/postfix start -c /etc/mail/postfix +supervisord -c /etc/mail/supervisord/supervisord.conf