[DOCKER][MAIL] Update config and change the way mail docker handles it, so the edits aren't visible from the outside, polluting the git staging area

This commit is contained in:
Hugo Sales 2021-03-24 22:31:43 +00:00
parent 0a15ccab9b
commit 349df02f78
17 changed files with 149 additions and 201 deletions

bin/configure vendored

@ -96,14 +96,15 @@ while true; do
done
if [ "${DBMS}" = 'postgres' ]; then DB_USER="postgres"; else DB_USER="social"; fi
while true; do
DB_USER=$(${WHIPTAIL} --title 'GNU social DB user' --clear --backtitle 'GNU social' \
--inputbox "\nEnter a user name for social to connect to the database under" 0 0 "${DB_USER}" \
3>&1 1>&2 2>&3)
validate_exit $?
if [ -n "${DB_USER}" ]; then break; fi
done
if echo "${DOCKER}" | grep -Fvq '"db"'; then
while true; do
DB_USER=$(${WHIPTAIL} --title 'GNU social DB user' --clear --backtitle 'GNU social' \
--inputbox "\nEnter a user name for social to connect to the database under" 0 0 "${DB_USER}" \
3>&1 1>&2 2>&3)
validate_exit $?
if [ -n "${DB_USER}" ]; then break; fi
done
fi
while true; do
DB_PASSWORD=$(${WHIPTAIL} --title 'GNU social DB password' --clear --backtitle 'GNU social' \
--passwordbox "\nEnter a password for social to connect to the database with" 0 0 \
@ -224,17 +225,25 @@ validate_exit $?
# ------------ Mail server --------------
if echo "${DOCKER}" | grep -Fq '"mail"'; then
MAILER_DSN='sendmail://localhost'
if echo "${DOCKER}" | grep -Fvq '"mail"'; then
while true; do
MAILER_DSN=$(${WHIPTAIL} --title 'GNU social mail server DSN' --clear --backtitle 'GNU social' \
--inputbox "\nEnter a DSN/URL social will use to connect to the mail server" 0 0 'sendmail://localhost' \
--inputbox "\nEnter a DSN/URL social will use to connect to the mail server" 0 0 "${MAILER_DSN}" \
3>&1 1>&2 2>&3)
validate_exit $?
if [ -n "${MAILER_DSN}" ]; then break; fi
done
while true; do
MAIL_DOMAIN=$(${WHIPTAIL} --title 'GNU social mail server domain' --clear --backtitle 'GNU social' \
--inputbox "\nEnter the domain social will use to serve mail" 0 0 "${DOMAIN_ROOT}" \
3>&1 1>&2 2>&3)
validate_exit $?
if [ -n "${MAIL_DOMAIN}" ]; then break; fi
done
fi
if echo "${DOCKER}" | grep -Fvq '"mail"'; then
if echo "${DOCKER}" | grep -Fq '"mail"'; then
while true; do
MAIL_DOMAIN_ROOT=$(${WHIPTAIL} --title 'GNU social mail server domain' --clear --backtitle 'GNU social' \
--inputbox "\nEnter the root domain social will use to serve mail" 0 0 "${DOMAIN_ROOT}" \
@ -256,7 +265,7 @@ if echo "${DOCKER}" | grep -Fvq '"mail"'; then
while true; do
MAIL_SENDER_USER=$(${WHIPTAIL} --title 'GNU social mail sender user' --clear --backtitle 'GNU social' \
--inputbox "\nEnter the user emails should be sent from" 0 0 \
--inputbox "\nEnter the user emails should be sent from (email without @domain)" 0 0 \
3>&1 1>&2 2>&3)
validate_exit $?
if [ -n "${MAIL_SENDER_USER}" ]; then break; fi
@ -264,7 +273,7 @@ if echo "${DOCKER}" | grep -Fvq '"mail"'; then
while true; do
MAIL_SENDER_NAME=$(${WHIPTAIL} --title 'GNU social mail sender name' --clear --backtitle 'GNU social' \
--inputbox "\nEnter the name emails should be sent from (name without @domain)" 0 0 \
--inputbox "\nEnter the name emails should be sent from" 0 0 "${NODE_NAME}" \
3>&1 1>&2 2>&3)
validate_exit $?
if [ -n "${MAIL_SENDER_NAME}" ]; then break; fi
@ -331,7 +340,7 @@ SOCIAL_DB=${DB_NAME}
SOCIAL_USER=${DB_USER}
SOCIAL_PASSWORD=${DB_PASSWORD}
SOCIAL_DOMAIN=${DOMAIN}
SOCIAL_SITENAME=${SITENAME}
SOCIAL_NODE_NAME=${NODE_NAME}
SOCIAL_ADMIN_EMAIL=${EMAIL}
SOCIAL_SITE_PROFILE=${PROFILE}
MAILER_DSN=${MAILER_DSN}
@ -347,40 +356,18 @@ EOF
# --------------- Write mail configuration, and setup ----------------------
mkdir -p "${INSTALL_DIR}/docker/mail"
cat > "${INSTALL_DIR}/docker/mail/mail.env" <<EOF
MAIL_DOMAIN=${MAIL_DOMAIN}
MAIL_USER=${MAIL_SENDER_USER}
MAIL_NAME=${MAIL_SENDER_NAME}
MAIL=${MAIL_SENDER_USER}@${MAIL_DOMAIN}
SSL_CERT=/etc/letsencrypt/live/${MAIL_DOMAIN}/fullchain.pem
SSL_KEY=/etc/letsencrypt/live/${MAIL_DOMAIN}/privkey.pem
EOF
HASHED_PASSWORD="{SHA512-CRYPT}"$(echo "${MAIL_PASSWORD}" | openssl passwd -6 -in -)
# Config postfix
sed -ri \
-e "s/^\s*myhostname\s*=.*/myhostname = ${MAILNAME}/" \
-e "s/^\s*mydomain\s*=.*/mydomain = ${DOMAINNAME}/" \
-e "s/^\s*smtpd_tls_cert_file\s*=.*/smtpd_tls_cert_file = ${SSL_CERT}/" \
-e "s/^\s*smtpd_tls_key_file\s*=.*/smtpd_tls_key_file = ${SSL_KEY}/" \
"${INSTALL_DIR}/docker/mail/config/postfix/main.cf"
# Config dovecot
sed -ri \
-e "s/^\s*ssl_cert\s*=.*/ssl_cert = <${SSL_CERT}/" \
-e "s/^\s*ssl_key\s*=.*/ssl_key = <${SSL_KEY}/" \
-e "s/^\s*postmaster_address\s*=.*/postmaster_address = postmaster@${DOMAINNAME}/" \
"${INSTALL_DIR}/docker/mail/config/dovecot/dovecot.conf"
# Config dkim
sed -i -e "s/^.*#HOSTNAME/${MAILNAME}#HOSTNAME/" "${INSTALL_DIR}/docker/mail/config/opendkim/TrustedHosts"
# Prepare mail user
echo "${MAIL_DOMAIN_ROOT} #OK" > "${INSTALL_DIR}/docker/mail/config/domains"
echo "${MAIL_USER} ${MAIL_USER}" > "${INSTALL_DIR}/docker/mail/config/aliases"
echo "${MAIL_USER} ${MAIL_DOMAIN}/${MAIL_USER}/" > "${INSTALL_DIR}/docker/mail/config/mailboxes"
echo "${MAIL_USER}:${HASHED_PASSWORD}" > "${INSTALL_DIR}/docker/mail/config/passwd"
cat > "${INSTALL_DIR}/docker/mail/mail.env" <<EOF
MAIL_DOMAIN=${MAIL_DOMAIN}
MAIL_DOMAIN_ROOT=${MAIL_DOMAIN_ROOT}
MAIL_USER=${MAIL_SENDER_USER}
MAIL_NAME=${MAIL_SENDER_NAME}
MAIL_ADDRESS=${MAIL_SENDER_USER}@${MAIL_DOMAIN}
SSL_CERT=/etc/letsencrypt/live/${MAIL_DOMAIN}/fullchain.pem
SSL_KEY=/etc/letsencrypt/live/${MAIL_DOMAIN}/privkey.pem
HASHED_PASSWORD=${HASHED_PASSWORD}
EOF
# --------------------------------------------------------------------------
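Review bot: `HASHED_PASSWORD="{SHA512-CRYPT}"$(echo "${MAIL_PASSWORD}" | openssl passwd -6 -in -)` pushes the password through `echo`, which mangles values that start with `-n`/`-e` or contain backslashes depending on the shell; `printf '%s\n' "${MAIL_PASSWORD}" | openssl passwd -6 -in -` is the safe form and still keeps the secret off argv. The resulting hash is then written by `cat > "${INSTALL_DIR}/docker/mail/mail.env" <<EOF`, so the file's mode comes from the caller's umask — set `umask 077` before that redirection (or `chmod 600` afterwards) since the file now carries the credential hash. The hash contains `$6$...$` segments; that is fine if mail.env is only consumed as a compose env_file, but if it is ever sourced by a shell the value must be single-quoted. In the @ -224 hunk `"${MAILER_DSN}"` is used as the inputbox default, yet the only assignment visible is `MAILER_DSN='sendmail://localhost'` inside the mail-in-docker branch; the render obscures which branch prompts, so confirm the non-docker prompt does not start with an empty default.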


@ -5,7 +5,7 @@
. bootstrap.env
sed -ri "s/%hostname%/${DOMAIN}/" /etc/nginx/conf.d/challenge.conf
sed -ri "s/%hostname%/${MAIL_DOMAIN}/" /etc/nginx/conf.d/challenge.conf
nginx
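Review bot: `sed -ri "s/%hostname%/${MAIL_DOMAIN}/"` has no `g` flag, so only the first `%hostname%` on a line is rewritten, whereas the sibling nginx bootstrap at the end of this commit uses `s/%hostname%/${WEB_DOMAIN}/g;`; add `g` here for consistency so a second placeholder on one line cannot survive. The enclosing script is only partly shown, so whether this challenge server is also meant to answer for the web domain cannot be judged from here.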


@ -1,54 +1,12 @@
FROM debian:buster-slim
FROM alpine
ENV DEBIAN_FRONTEND=noninteractive
# Install packages
RUN apt-get update \
&& apt-get upgrade -y \
&& apt-get install -y --no-install-recommends \
dovecot-core \
dovecot-imapd \
dovecot-lmtpd \
dovecot-pop3d \
opendkim \
opendkim-tools \
openssl \
postfix \
procps \
rsyslog \
s6 \
&& apt-get autoclean \
&& apt-get autoremove
# Setup folders and users
RUN groupadd -g 2222 vmail \
&& mkdir -p -m 751 "/var/mail/" \
&& mkdir -p -m 755 "/etc/mail/" \
&& mkdir -p "/var/opendkim/keys/" \
&& useradd -d "/var/mail" -M -s "/usr/sbin/nologin" -u 2222 -g 2222 vmail \
&& usermod -aG vmail postfix \
&& usermod -aG vmail dovecot \
&& usermod -aG vmail opendkim \
&& chown vmail:vmail "/var/mail" \
&& chown opendkim:opendkim "/var/opendkim/keys/"
# Copy config files
COPY rootfs/ /
RUN chmod +x "/etc/service/postfix/run" \
&& chmod +x "/etc/service/dovecot/run" \
&& chmod +x "/etc/service/opendkim/run" \
&& chmod +x "/etc/service/rsyslog/run" \
&& chmod +x "/usr/bin/start.sh"
# Prepare user
RUN mkdir -p "/var/mail/${MAIL_DOMAIN}" \
&& mkdir -p "/var/mail/${DOMAINPART}/${USER%@*}" \
&& chown vmail:vmail "/var/mail/${MAIL_DOMAIN}" \
&& chown vmail:vmail "/var/mail/${MAIL_DOMAIN_ROOT}/${MAIL_USER%@*}"
RUN apk update && apk add postfix dovecot dovecot-pop3d opendkim s6
# Expose ports
EXPOSE 25 110 143 587 993 995
# Fixes problem with s6 (s6 claims it's a docker bug)
VOLUME ["/run"]
# Run start script
ENTRYPOINT /usr/bin/start.sh
ENTRYPOINT /usr/bin/entrypoint.sh
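Review bot: `FROM alpine` drops the pinned base tag the Debian image had, so a base refresh can silently change the postfix/dovecot/opendkim versions this configuration was written against; pin it, e.g. `FROM alpine:<version>` (placeholder). `RUN apk update && apk add postfix dovecot dovecot-pop3d opendkim s6` leaves the package index in the layer; the idiomatic form is `RUN apk add --no-cache postfix dovecot dovecot-pop3d opendkim s6`. `ENTRYPOINT /usr/bin/entrypoint.sh` is the shell form, so PID 1 is `/bin/sh -c` and SIGTERM from `docker stop` is not delivered to the script; use `ENTRYPOINT ["/usr/bin/entrypoint.sh"]`. The removed Debian block was also what created the `vmail` user and group, and master.cf's `dovecot` pipe service in this same commit still runs `user=vmail:vmail`; unless vmail is created in the entrypoint (it is not, from what is shown), local delivery will fail.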


@ -1,9 +1,10 @@
protocols = imap pop3 lmtp
ssl = yes
ssl_cert =
ssl_key =
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
# `<` means read from file
ssl_cert = <%cert_file%
ssl_key = <%key_file%
ssl_cipher_list = ALL:!LOW:!SSLv2:!SSLv3:!EXP:!aNULL
listen = *, ::
dict {
@ -33,7 +34,7 @@ userdb {
}
service auth {
unix_listener auth-client {
unix_listener /var/spool/postfix/private/auth {
user = postfix
group = postfix
mode = 0660
@ -47,7 +48,7 @@ service imap-login {
}
protocol lmtp {
postmaster_address =
postmaster_address = %postmaster_address%
}
protocol imap {
@ -68,5 +69,5 @@ service stats {
}
}
!include_try conf.d/*.conf
!include_try local.conf
# !include_try conf.d/*.conf
# !include_try local.conf
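Review bot: `ssl_cipher_list = ALL:!LOW:!SSLv2:!SSLv3:!EXP:!aNULL` still admits RC4, 3DES and MD5-based suites (OpenSSL classes them MEDIUM, not LOW), and the `!SSLv2:!SSLv3` tokens are cipher aliases rather than protocol controls, so they do not by themselves stop TLS 1.0/1.1 from negotiating. If the Alpine package is Dovecot 2.3, add `ssl_min_protocol = TLSv1.2` and tighten the list to something like `ssl_cipher_list = HIGH:!aNULL:!MD5:!RC4:!3DES`; on 2.2 the protocol setting is `ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1` — confirm which version ships. Commenting out `!include_try conf.d/*.conf` means the package defaults (the 10-ssl/10-auth fragments) are no longer loaded, so every setting must now live in this file; a comment stating that would save the next maintainer a surprise.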


@ -7,5 +7,5 @@
::1
172.17.0.0/16
fe80::/64
#HOSTNAME
%hostname%


@ -1,19 +1,39 @@
## STANDARD POSTFIX CONFIG PARAMS ###
myhostname = %hostname%
mydomain = %domain_root%
myorigin = $myhostname
mydestination = $myhostname, localhost.$mydomain, localhost
# Intentianally blank
relayhost =
alias_maps = hash:/etc/mail/postfix/aliases
alias_database = hash:/etc/mail/postfix/aliases
smtpd_tls_cert_file = %cert_file%
smtpd_tls_key_file = %key_file%
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_security_level=may
#SSLv2 and SSLv3 are obsolete
smtpd_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = may
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_exclude_ciphers = EXPORT, LOW
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_timeout = 3600s
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix/sbin
data_directory = /var/lib/postfix
mail_owner = postfix
myhostname =
mydomain =
myorigin = $myhostname
inet_interfaces = all
inet_protocols = all
mydestination = $myhostname, localhost.$mydomain, localhost
unknown_local_recipient_reject_code = 550
mynetworks = 127.0.0.0/8, [::1]/128
alias_maps = hash:/etc/mail/postfix/aliases
mailbox_command = /usr/lib/dovecot/deliver
@ -30,10 +50,6 @@ manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.10.1/samples
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtp_tls_protocols = !SSLv2
smtp_tls_exclude_ciphers = EXPORT, LOW
### VIRTUAL MAIL CONFIG PARAMS ###
relay_domains = *
@ -63,12 +79,7 @@ smtpd_sasl_local_domain = $mydomain
broken_sasl_auth_clients = yes
smtpd_tls_security_level = may
smtpd_tls_key_file =
smtpd_tls_cert_file =
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_cache
smtpd_tls_protocols = $smtp_tls_protocols
tls_random_source = dev:/dev/urandom
tls_random_exchange_name = /var/lib/postfix/prng_exch
smtpd_tls_auth_only = yes
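Review bot: `smtpd_tls_protocols = !SSLv2, !SSLv3` and `smtp_tls_protocols = !SSLv2, !SSLv3` still permit TLS 1.0 and 1.1 on both the inbound and outbound side; add `!TLSv1, !TLSv1.1` to both (Postfix 3.6+ also accepts `>=TLSv1.2`). `smtpd_tls_security_level=may` together with the unchanged `smtpd_tls_auth_only = yes` is a reasonable opportunistic-TLS setup for a server. Adjacent unchanged context, not part of this hunk: `relay_domains = *` is worth a second look, because the default `smtpd_relay_restrictions` permits mail to any `$relay_domains` destination, and this commit reworks the listener options in master.cf without adding restrictions here.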


@ -8,21 +8,16 @@
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
smtp inet n - n - - smtpd
smtp inet n - n - - smtpd
#smtp inet n - n - 1 postscreen
#smtpd pass - - n - - smtpd
#dnsblog unix - - n - 0 dnsblog
#tlsproxy unix - - n - 0 tlsproxy
submission inet n - n - - smtpd
# -o syslog_name=postfix/submission
# -o smtpd_tls_security_level=encrypt
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
submission inet n - n - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_reject_unlisted_recipient=no
smtps inet n - n - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
@ -30,7 +25,7 @@ smtps inet n - n - - smtpd
-o smtpd_reject_unlisted_recipient=no
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
#628 inet n - n - - qmqpd
#628 inet n - n - - qmqpd
pickup unix n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr unix n - n 300 1 qmgr
@ -122,5 +117,5 @@ scache unix - - n - 1 scache
#mailman unix - n n - - pipe
# flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
# ${nexthop} ${user}
dovecot unix - n n - - pipe
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${recipient}
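Review bot: the new `submission` entry enables `-o smtpd_sasl_auth_enable=yes` and `-o smtpd_tls_security_level=encrypt` but, unlike the `smtps` entry directly below it, carries no `-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject` and no `-o milter_macro_daemon_name=ORIGINATING`, so recipient policy on port 587 falls back to whatever main.cf says. Add those two `-o` lines under submission so both authenticated listeners behave the same. The `dovecot` pipe service at the bottom is unchanged but depends on a `vmail` account; see the Dockerfile note in this commit.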


@ -12,8 +12,12 @@ cat <<EOF
- 587:587
- 993:993
volumes:
- ./docker/mail/etc:/etc
- ./docker/mail/entrypoint.sh:/usr/bin/entrypoint.sh
- ./docker/mail/mail:/var/mail
- ./docker/mail/config:/etc/mail
- ./docker/mail/config/postfix:/etc/postfix
- ./docker/mail/config/dovecot:/etc/dovecot
# Certbot
- ./docker/certbot/www:/var/www/certbot
- ./docker/certbot/.files:/etc/letsencrypt
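Review bot: the new bind mounts hand host-owned files to the container for writing: `./docker/mail/entrypoint.sh` is mounted without `:ro`, and the entrypoint added in this commit runs `chmod +x` on it and `sed -i` on the mounted `/etc/postfix/main.cf` and `/etc/dovecot/dovecot.conf`, so the placeholder substitution lands in the host checkout of `docker/mail/config/` — the very thing the commit message sets out to avoid — unless those paths are gitignored (not visible here). Mount the script read-only, `- ./docker/mail/entrypoint.sh:/usr/bin/entrypoint.sh:ro`, rely on the executable bit the file header says it already has, and have the entrypoint render the templates into a container-local copy rather than editing the mounts in place. Dropping the old `./docker/mail/etc:/etc` mount is a clear improvement.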

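--- a/docker/mail/entrypoint.sh
+++ b/docker/mail/entrypoint.sh
@@ -0,0 +1,51 @@
+#!/bin/sh
+set -x
+touch /etc/passwd
+adduser nobody
+adduser postfix
+adduser dovecot
+adduser opendkim
+addgroup dovecot postfix
+addgroup opendkim postfix
+chown postfix:postfix "/var/mail/${MAIL_DOMAIN}"
+mkdir -p "/var/opendkim/keys/"
+chown opendkim:opendkim "/var/opendkim/keys/"
+chmod +x "/etc/service/postfix/run"
+chmod +x "/etc/service/dovecot/run"
+chmod +x "/etc/service/opendkim/run"
+chmod +x "/etc/service/rsyslog/run"
+chmod +x "/usr/bin/entrypoint.sh"
+mkdir -p "/var/mail/${MAIL_DOMAIN}/${MAIL_USER}"
+# Config postfix
+sed -ri \
+-e "s,%hostname%,${MAIL_DOMAIN}," \
+-e "s,%domain_root%,${MAIL_DOMAIN_ROOT}," \
+-e "s,%cert_file%,${SSL_CERT}," \
+-e "s,%key_file%,${SSL_KEY}," \
+-e "s,%postmaster_address%,${MAIL_ADDRESS}," \
+/etc/postfix/main.cf /etc/dovecot/dovecot.conf /etc/mail/opendkim/TrustedHosts
+# Prepare mail user
+touch /etc/mail/aliases /etc/mail/domains /etc/mail/mailboxes /etc/mail/passwd
+echo "${MAIL_DOMAIN} #OK" > /etc/mail/domains
+if ! grep -Fq 'root:' /etc/mail/aliases; then echo "root: ${MAIL_USER}" >> /etc/mail/aliases; fi
+echo "${MAIL_USER} ${MAIL_DOMAIN}/${MAIL_USER}/" > /etc/mail/mailboxes
+echo "${MAIL_USER}:${HASHED_PASSWORD}" > /etc/mail/passwd
+# Run opendkim
+if [ ! -e "/var/opendkim/keys/default.private" ]
+then
+opendkim-genkey -d "${MAIL_DOMAIN}" -D "/var/opendkim/keys/"
+fi
+newaliases
+postmap /etc/mail/aliases /etc/mail/domains /etc/mail/mailboxes /etc/mail/passwd
+postfix reload
+dovecot
+# # Run services
+# s6-svscan /etc/service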
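Review bot: `set -x` traces every command to stderr, including `echo "${MAIL_USER}:${HASHED_PASSWORD}" > /etc/mail/passwd`, so the password hash is copied into the container log on every start; replace it with `set -eu`, which also stops the script from marching on after a failed `adduser`, `sed` or `postmap` as it does now. The busybox `adduser nobody` … `adduser opendkim` calls carry no `-D`/`-S`, so they try to set a password interactively and fail or block without a tty, and they are repeated on every restart. `chown postfix:postfix "/var/mail/${MAIL_DOMAIN}"` runs before the `mkdir -p` that creates that directory, and `root: ${MAIL_USER}` is appended to `/etc/mail/aliases` while `newaliases` and main.cf's `alias_maps` read `/etc/mail/postfix/aliases`, so the root alias is presumably never consulted — one of the two paths looks wrong. Finally, nothing stays in the foreground (`dovecot` daemonizes and `s6-svscan /etc/service` is commented out) and `postfix reload` assumes a master is already running, so the container most likely exits as soon as the script ends; `postfix start` plus a foreground supervisor seems to be what was intended.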


@ -0,0 +1,10 @@
mailer-daemon: postmaster
postmaster: root
nobody: root
hostmaster: root
usenet: root
news: root
webmaster: root
www: root
ftp: root
abuse: root


@ -1,21 +0,0 @@
#!/bin/sh
# Run openssl
if [ ! -e "${SSL_CERT}" ]
then
mkdir -p "$(dirname ${SSL_CERT})" "$(dirname $SSL_KEY)"
openssl req -x509 -nodes -newkey rsa:2018 -days 365 -keyout "${SSL_CERT}" -out "${SSL_KEY}"
fi
# Run opendkim
if [ ! -e "/var/opendkim/keys/default.private" ]
then
opendkim-genkey -d "${DOMAINNAME}" -D "/var/opendkim/keys/"
fi
postmap /etc/mail/aliases /etc/mail/domains /etc/mail/mailboxes /etc/mail/passwd
postfix reload
dovecot reload
# Run services
s6-svscan /etc/service


@ -1,48 +0,0 @@
#!/bin/sh
ROOT="$(git rev-parse --show-toplevel)"
. $ROOT/docker/mail/mail.env
cd "${0%/*}"
if [ -z "${MAIL_SUBDOMAIN}" ]
then
domain="${MAIL_DOMAIN_ROOT}"
else
domain="${MAIL_SUBDOMAIN}.${MAIL_DOMAIN_ROOT}"
fi
PASSHASH="{SHA512-CRYPT}$(mkpasswd -m sha-512 -R 5000 ${MAIL_PASSWORD})"
cat > mail.env <<EOF
#!/bin/sh
DOMAINNAME=${MAIL_DOMAIN_ROOT}
MAILNAME=${domain}
SSL_CERT=/etc/letsencrypt/live/${MAIL_DOMAIN_ROOT}/fullchain.pem
SSL_KEY=/etc/letsencrypt/live/${MAIL_DOMAIN_ROOT}/privkey.pem
MAIL_USER="${MAIL_USER}"
USER="${MAIL_USER}@${MAIL_DOMAIN_ROOT}"
EOF
. $ROOT/docker/mail/mail.env
# Config postfix
sed -i -e "s#^\s*myhostname\s*=.*#myhostname = ${MAILNAME}#" config/postfix/main.cf
sed -i -e "s#^\s*mydomain\s*=.*#mydomain = ${DOMAINNAME}#" config/postfix/main.cf
sed -i -e "s#^\s*smtpd_tls_cert_file\s*=.*#smtpd_tls_cert_file = ${SSL_CERT}#" config/postfix/main.cf
sed -i -e "s#^\s*smtpd_tls_key_file\s*=.*#smtpd_tls_key_file = ${SSL_KEY}#" config/postfix/main.cf
# Config dovecot
sed -i -e "s#^\s*ssl_cert\s*=.*#ssl_cert = <${SSL_CERT}#" config/dovecot/dovecot.conf
sed -i -e "s#^\s*ssl_key\s*=.*#ssl_key = <${SSL_KEY}#" config/dovecot/dovecot.conf
sed -i -e "s#^\s*postmaster_address\s*=.*#postmaster_address = postmaster@${DOMAINNAME}#" config/dovecot/dovecot.conf
# Config dkim
sed -i -e "s/^.*#HOSTNAME/${MAILNAME}#HOSTNAME/" config/opendkim/TrustedHosts
# Prepare mail user
touch config/aliases config/domains config/mailboxes config/passwd
echo "${DOMAINNAME} #OK" > config/domains
echo "${USER} ${USER}" > config/aliases
echo "${USER} ${DOMAINNAME}/${MAIL_USER}/" > config/mailboxes
echo "${USER}:${PASSHASH}" > config/passwd


@ -2,5 +2,5 @@
# Can't do sed inplace, because the file would be busy
cat /var/nginx/social.conf | \
sed -r "s/%hostname%/${DOMAIN}/g;" > \
sed -r "s/%hostname%/${WEB_DOMAIN}/g;" > \
/etc/nginx/conf.d/social.conf