diff --git a/.gitignore b/.gitignore
index adac7f9..655a164 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 *~
 \#*
 .#*
+.DS_Store
diff --git a/Dockerfile b/Dockerfile
index 9d55ee7..a3edd60 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,8 @@
-FROM eumau/debian:bookworm-slim
+FROM debian:trixie-slim
 LABEL maintainer "Mauro Torrez "
 ARG DEBIAN_FRONTEND=noninteractive
+ARG TARGETARCH
+ARG GOMPLATE_VERSION=4.3.0
 ENV LC_ALL C
 ENV BIFF=no
@@ -73,6 +75,9 @@ RUN echo "_dev_null: /dev/null" > /etc/aliases \
 ssl-cert \
 ca-certificates \
 bogofilter-sqlite \
+ curl \
+ && curl -o /usr/local/bin/gomplate -sSL "https://github.com/hairyhenderson/gomplate/releases/download/v${GOMPLATE_VERSION}/gomplate_linux-${TARGETARCH}" \
+ && chmod 755 /usr/local/bin/gomplate \
 && rm -rf /var/lib/apt/lists/* \
 && cp /usr/share/postfix/main.cf.debian /etc/postfix/main.cf \
 && mkdir -p /etc/postfix/rules \
@@ -110,10 +115,12 @@ RUN echo "_dev_null: /dev/null" > /etc/aliases \
 anvil/unix/chroot=n \
 scache/unix/chroot=n
-ADD confd /etc/confd/
-ADD postmap_all /usr/local/bin/
+COPY --chmod=0755 entrypoint.sh /usr/local/bin/
+COPY templates /etc/templates
+COPY postmap_all /usr/local/bin/
 VOLUME ["/ssl","/var/spool/postfix"]
 EXPOSE 25/tcp 587/tcp
+ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
 CMD ["postfix","start-fg"]
diff --git a/confd/conf.d/noreply.toml.disabled b/confd/conf.d/noreply.toml.disabled
deleted file mode 100644
index 8379c88..0000000
--- a/confd/conf.d/noreply.toml.disabled
+++ /dev/null
@@ -1,7 +0,0 @@
-[template]
-src = "noreply.tmpl"
-dest = "/etc/postfix/noreply"
-keys = [
-"/noreply/aliases",
-"/virtual/mailbox/domains",
-]
diff --git a/confd/conf.d/setup_main.toml b/confd/conf.d/setup_main.toml
deleted file mode 100644
index 2da8566..0000000
--- a/confd/conf.d/setup_main.toml
+++ /dev/null
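Review bot: `FROM debian:trixie-slim` pins only a moving tag, so two builds of the same commit can land on different OS layers even though the gomplate binary below is pinned by `GOMPLATE_VERSION`. Pin the base by digest as well, `FROM debian:trixie-slim@sha256:<digest-placeholder>`, and bump it deliberately when the base is refreshed. The `ENV LC_ALL C` context line two lines down still uses the legacy space-separated form that BuildKit warns about; `ENV LC_ALL=C` would match the `ENV BIFF=no` style on the next line.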
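Review bot: The added `&& curl -o /usr/local/bin/gomplate -sSL "https://github.com/hairyhenderson/gomplate/..."` line installs a root-owned executable that the entrypoint runs at every container start, but nothing verifies what was downloaded, and without `-f` curl exits 0 on an HTTP error so an error page would be saved and `chmod 755`'d without failing the build. At minimum add `-f` and check the file against the checksum published with the pinned release, e.g. `&& curl -fsSL -o /usr/local/bin/gomplate "https://github.com/hairyhenderson/gomplate/releases/download/v${GOMPLATE_VERSION}/gomplate_linux-${TARGETARCH}" \` followed by `&& echo "<sha256-for-this-TARGETARCH-placeholder>  /usr/local/bin/gomplate" | sha256sum -c - \`, with one expected digest per architecture since `TARGETARCH` varies. `curl` also stays installed in the runtime image only to perform this fetch; doing the download in a separate build stage, or using BuildKit's `ADD --checksum=sha256:<digest-placeholder> <url> /usr/local/bin/gomplate`, keeps it out of the final layer. The RUN instruction this hunk belongs to starts and ends outside the hunk.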
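Review bot: `COPY templates /etc/templates` copies the new start.d templates with their checked-in mode, and every one of them is added or kept as `new file mode 100644` / `100644` later in this diff, while nothing in the diff sets a mode on the rendered output; `run-parts` in entrypoint.sh only executes files with the execute bit, so unless gomplate assigns a mode on its own the rendered `/start.d/*` scripts would be silently skipped and the container would start with an unconfigured Postfix. The removed confd `.toml` files carried `mode = "0755"` for exactly this reason. Use `COPY --chmod=0755 templates /etc/templates`, as the same hunk already does for entrypoint.sh, so the rendered scripts inherit an executable mode, or chmod `/start.d` in the entrypoint before run-parts.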
@@ -1,35 +0,0 @@
-[template]
-src = "setup_main.tmpl"
-dest = "/start.d/99_main"
-mode = "0755"
-keys = [
-"/biff",
-"/message/size/limit",
-"/mydestination",
-"/mydomain",
-"/myhostname",
-"/mynetworks",
-"/mynetworks/style",
-"/propagate/unmatched/extensions",
-"/recipient/delimiter",
-"/smtp/tls/security/level",
-"/smtpd/client/restrictions",
-"/smtpd/data/restrictions",
-"/smtpd/helo/required",
-"/smtpd/helo/restrictions",
-"/smtpd/recipient/restrictions",
-"/smtpd/relay/restrictions",
-"/smtpd/sasl/auth/enable",
-"/smtpd/sasl/path",
-"/smtpd/sasl/type",
-"/smtpd/tls/auth/only",
-"/smtpd/tls/cert/file",
-"/smtpd/tls/key/file",
-"/smtpd/tls/security/level",
-"/smtpd/tls/session/cache/database",
-"/smtputf8/enable",
-"/virtual/alias/maps",
-"/virtual/mailbox/domains",
-"/virtual/mailbox/maps",
-"/virtual/transport",
-]
diff --git a/confd/conf.d/setup_milter.toml b/confd/conf.d/setup_milter.toml
deleted file mode 100644
index 1b01366..0000000
--- a/confd/conf.d/setup_milter.toml
+++ /dev/null
@@ -1,10 +0,0 @@
-[template]
-src = "setup_milter.tmpl"
-dest = "/start.d/10_milter"
-mode = "0755"
-keys = [
-"/internal/mail/filter/classes",
-"/milter/default/action",
-"/non/smtpd/milters",
-"/smtpd/milters",
-]
diff --git a/confd/conf.d/setup_postscreen.toml b/confd/conf.d/setup_postscreen.toml
deleted file mode 100644
index e5b15f6..0000000
--- a/confd/conf.d/setup_postscreen.toml
+++ /dev/null
@@ -1,16 +0,0 @@
-[template]
-src = "setup_postscreen.tmpl"
-dest = "/start.d/89_postscreen"
-mode = "0755"
-keys = [
-"/bogofilter/enable",
-"/postscreen/access/list",
-"/postscreen/blacklist/action",
-"/postscreen/dnsbl/action",
-"/postscreen/dnsbl/reply/map",
-"/postscreen/dnsbl/sites",
-"/postscreen/dnsbl/threshold",
-"/postscreen/dnsbl/whitelist/threshold",
-"/postscreen/enable",
-"/postscreen/greet/action",
-]
diff --git a/confd/conf.d/setup_relayhost.toml b/confd/conf.d/setup_relayhost.toml
deleted file mode 100644
index b4e5eef..0000000
--- a/confd/conf.d/setup_relayhost.toml
+++ /dev/null
@@ -1,16 +0,0 @@
-[template]
-src = "setup_relayhost.tmpl"
-dest = "/start.d/88_relayhost"
-mode = "0755"
-keys = [
-"/relayhost",
-"/smtp/fallback/relay",
-"/smtp/sasl/auth/enable",
-"/smtp/sasl/password/maps",
-"/smtp/sasl/security/options",
-"/smtp/tls/cafile",
-"/smtp/tls/mandatory/protocols",
-"/smtp/tls/note/starttls/offer",
-"/smtp/tls/security/level",
-"/smtp/tls/session/cache/database"
-]
diff --git a/confd/conf.d/setup_submission.toml b/confd/conf.d/setup_submission.toml
deleted file mode 100644
index 9ac5937..0000000
--- a/confd/conf.d/setup_submission.toml
+++ /dev/null
@@ -1,7 +0,0 @@
-[template]
-src = "setup_submission.tmpl"
-dest = "/start.d/11_submission"
-mode = "0755"
-keys = [
-"/submission/enable",
-]
diff --git a/confd/conf.d/spamfilter.toml b/confd/conf.d/spamfilter.toml
deleted file mode 100644
index 38ce3c4..0000000
--- a/confd/conf.d/spamfilter.toml
+++ /dev/null
@@ -1,8 +0,0 @@
-[template]
-src = "spamfilter.tmpl"
-dest = "/usr/local/bin/spamfilter"
-mode = "0755"
-keys = [
-"/bogofilter/ham/cutoff",
-"/bogofilter/spam/cutoff",
-]
diff --git a/confd/templates/noreply.tmpl b/confd/templates/noreply.tmpl
deleted file mode 100644
index fcbf725..0000000
--- a/confd/templates/noreply.tmpl
+++ /dev/null
@@ -1,10 +0,0 @@
-# "no-reply" mail aliases.
-# DO NOT edit this file, it will be overwritten.
-# Instead, set the variable NOREPLY_ALIASES
-{{ range split (getv "/noreply/aliases") " " }}
-{{ if (strings.Contains . "@") }}
-{{.}} _dev_null
-{{ else }}
-{{.}}@{{ index (split (getv "/virtual/mailbox/domains") " ") 0 }} _dev_null
-{{ end }}
-{{ end }}
diff --git a/confd/templates/setup_main.tmpl b/confd/templates/setup_main.tmpl
deleted file mode 100644
index 201d605..0000000
--- a/confd/templates/setup_main.tmpl
+++ /dev/null
@@ -1,77 +0,0 @@ -#!/bin/bash - -# Managing main.cf: -# postconf [-dfhHnopvx] [-c config_dir] [-C class,...] [parameter ...] -# postconf [-epv] [-c config_dir] parameter=value ... -# postconf -# [-pv] [-c config_dir] parameter ... -# postconf -X [-pv] [-c config_dir] parameter ... - -# Managing master.cf service entries: -# postconf -M [-fovx] [-c config_dir] [service[/type] ...] -# postconf -M [-ev] [-c config_dir] service/type=value ... -# postconf -M# [-v] [-c config_dir] service/type ... -# postconf -MX [-v] [-c config_dir] service/type ... - -# Managing master.cf service fields: -# postconf -F [-fhHovx] [-c config_dir] [service[/type[/field]] ...] -# postconf -F [-ev] [-c config_dir] service/type/field=value ... - -# Managing master.cf service parameters: -# postconf -P [-fhHovx] [-c config_dir] [service[/type[/parameter]] ...] -# postconf -P [-ev] [-c config_dir] service/type/parameter=value ... -# postconf -PX [-v] [-c config_dir] service/type/parameter ... - -# Managing bounce message templates: -# postconf -b [-v] [-c config_dir] [template_file] -# postconf -t [-v] [-c config_dir] [template_file] - -# Managing TLS features: -# postconf -T mode [-v] [-c config_dir] - -# Managing other configuration: -# postconf -a|-A|-l|-m [-v] [-c config_dir] - -postconf maillog_file=/dev/stdout -postconf alias_maps=hash:/etc/aliases -{{ with getv "/biff" }}postconf biff='{{.}}'{{ end }} -{{ with getv "/message/size/limit" }}postconf message_size_limit='{{.}}'{{ end }} -{{ with getv "/mydestination" }}postconf mydestination='{{.}}'{{ end }} -{{ with getv "/mydomain" }}postconf mydomain='{{.}}'{{ end }} -{{ with getv "/myhostname" }}postconf myhostname='{{.}}'{{ end }} -{{ with getv "/mynetworks" }}postconf mynetworks='{{.}}'{{ end }} -{{ with getv "/mynetworks/style" }}postconf mynetworks_style='{{.}}'{{ end }} -{{ with getv "/propagate/unmatched/extensions" }}postconf propagate_unmatched_extensions='{{.}}'{{ end }} -{{ with getv "/recipient/delimiter" }}postconf 
recipient_delimiter='{{.}}'{{ end }} -{{ with getv "/smtp/tls/security/level" }}postconf smtp_tls_security_level='{{.}}'{{ end }} -{{ with getv "/smtpd/client/restrictions" }}postconf smtpd_client_restrictions='{{.}}'{{ end }} -{{ with getv "/smtpd/data/restrictions" }}postconf smtpd_data_restrictions='{{.}}'{{ end }} -{{ with getv "/smtpd/helo/required" }}postconf smtpd_helo_required='{{.}}'{{ end }} -{{ with getv "/smtpd/helo/restrictions" }}postconf smtpd_helo_restrictions='{{.}}'{{ end }} -{{ with getv "/smtpd/recipient/restrictions" }}postconf smtpd_recipient_restrictions='{{.}}'{{ end }} -{{ with getv "/smtpd/relay/restrictions" }}postconf smtpd_relay_restrictions='{{.}}'{{ end }} -{{ with getv "/smtpd/sasl/auth/enable" }}postconf smtpd_sasl_auth_enable='{{.}}'{{ end }} -{{ with getv "/smtpd/sasl/path" }}postconf smtpd_sasl_path='{{.}}'{{ end }} -{{ with getv "/smtpd/sasl/type" }}postconf smtpd_sasl_type='{{.}}'{{ end }} -{{ with getv "/smtpd/tls/auth/only" }}postconf smtpd_tls_auth_only='{{.}}'{{ end }} -{{ with getv "/smtpd/tls/cert/file" }}postconf smtpd_tls_cert_file='{{.}}'{{ end }} -{{ with getv "/smtpd/tls/key/file" }}postconf smtpd_tls_key_file='{{.}}'{{ end }} -{{ with getv "/smtpd/tls/security/level" }}postconf smtpd_tls_security_level='{{.}}'{{ end }} -{{ with getv "/smtpd/tls/session/cache/database" }}postconf smtpd_tls_session_cache_database='{{.}}'{{ end }} -{{ with getv "/smtputf8/enable" }}postconf smtputf8_enable='{{.}}'{{ end }} -{{ with getv "/virtual/alias/maps" }}postconf virtual_alias_maps='{{.}}'{{ end }} -{{ with getv "/virtual/mailbox/domains" }}postconf virtual_mailbox_domains='{{.}}'{{ end }} -{{ with getv "/virtual/mailbox/maps" }}postconf virtual_mailbox_maps='{{.}}'{{ end }} -{{ with getv "/virtual/transport" }}postconf virtual_transport='{{.}}'{{ end }} - -postconf -M spamfilter/unix | grep -q spamfilter || { - postconf -M spamfilter/unix="spamfilter unix - n n - - pipe" -} -postconf -F spamfilter/unix/private=- \ - 
spamfilter/unix/unprivileged=n \ - spamfilter/unix/chroot=n \ - spamfilter/unix/wakeup=- \ - spamfilter/unix/process_limit=- \ - spamfilter/unix/command='pipe flags=Rq user=vmail argv=/usr/local/bin/spamfilter -oi -f ${sender} ${recipient}' - -# run postmap for all lookup tables -postmap_all diff --git a/confd/templates/setup_milter.tmpl b/confd/templates/setup_milter.tmpl deleted file mode 100644 index 7b3765c..0000000 --- a/confd/templates/setup_milter.tmpl +++ /dev/null @@ -1,6 +0,0 @@ -#!/bin/bash - -{{ with getv "/internal/mail/filter/classes" }}postconf internal_mail_filter_classes='{{.}}'{{ end }} -{{ with getv "/milter/default/action" }}postconf milter_default_action='{{.}}'{{ end }} -{{ with getv "/non/smtpd/milters" }}postconf non_smtpd_milters='{{.}}'{{ end }} -{{ with getv "/smtpd/milters" }}postconf smtpd_milters='{{.}}'{{ end }} diff --git a/confd/templates/setup_postscreen.tmpl b/confd/templates/setup_postscreen.tmpl deleted file mode 100644 index 8cabbd8..0000000 --- a/confd/templates/setup_postscreen.tmpl +++ /dev/null 
@@ -1,117 +0,0 @@ -#!/bin/bash - -#postconf -M smtpd/pass -#postconf -Fh smtp/inet/private smtp/inet/unprivileged smtp/inet/chroot smtp/inet/wakeup smtp/inet/process_limit smtp/inet/command -#postconf -M smtp/inet -#postconf -M tlsproxy/unix -#postconf -M dnsblog/unix -#postconf -h postscreen_access_list -#postconf -h postscreen_dnsbl_sites -#postconf -h postscreen_dnsbl_reply_map -#postconf -h postscreen_dnsbl_action -#postconf -h postscreen_blacklist_action -#postconf -h postscreen_dnsbl_whitelist_threshold -#postconf -h postscreen_greet_action -#postconf -h postscreen_greet_wait - -# NOT SUPPORTED: -#postconf -h postscreen_bare_newline_enable -#postconf -h postscreen_non_smtp_command_enable -#postconf -h postscreen_pipelining_enable -#postconf -h postscreen_bare_newline_action -#postconf -h postscreen_dnsbl_threshold -#postconf -h postscreen_non_smtp_command_action -#postconf -h postscreen_pipelining_action - -{{ if eq (getv "/postscreen/enable") "yes"}} -postconf -M smtpd/pass="smtpd pass - - n - - smtpd" -postconf -F smtpd/pass/private=- \ - smtpd/pass/unprivileged=- \ - smtpd/pass/chroot=n \ - smtpd/pass/wakeup=- \ - smtpd/pass/process_limit=- \ - smtpd/pass/command="smtpd" -postconf -F smtp/inet/private=n \ - smtp/inet/unprivileged=- \ - smtp/inet/chroot=n \ - smtp/inet/wakeup=- \ - smtp/inet/process_limit=1 \ - smtp/inet/command="postscreen" -postconf -M tlsproxy/unix="tlsproxy unix - - n - 0 tlsproxy" -postconf -F tlsproxy/unix/private=- \ - tlsproxy/unix/unprivileged=- \ - tlsproxy/unix/chroot=n \ - tlsproxy/unix/wakeup=- \ - tlsproxy/unix/process_limit=0 \ - tlsproxy/unix/command="tlsproxy" -postconf -M dnsblog/unix="dnsblog unix - - n - 0 dnsblog" -postconf -F dnsblog/unix/private=- \ - dnsblog/unix/unprivileged=- \ - dnsblog/unix/chroot=n \ - dnsblog/unix/wakeup=- \ - dnsblog/unix/process_limit=0 \ - dnsblog/unix/command="dnsblog" - -{{ if eq (getv "/bogofilter/enable") "yes" }} -postconf -P smtpd/pass/content_filter=spamfilter -{{ else }} -postconf -X 
-P smtpd/pass/content_filter -{{ end }} - -# FIXME: template tables instead of creating empty files -touch /etc/postfix/rules/postscreen_access_list.cidr -touch /etc/postfix/rules/postscreen_dnsbl_mask.pcre - -# main.cf options -# FIXME: allow un-setting options by blanking variable values -{{ with getv "/postscreen/access/list" }}postconf -e postscreen_access_list='{{.}}'{{ end }} -{{ with getv "/postscreen/blacklist/action" }}postconf -e postscreen_blacklist_action='{{.}}'{{ end }} -{{ with getv "/postscreen/dnsbl/action" }}postconf -e postscreen_dnsbl_action='{{.}}'{{ end }} -{{ with getv "/postscreen/dnsbl/reply/map" }}postconf -e postscreen_dnsbl_reply_map='{{.}}'{{ end }} -{{ with getv "/postscreen/dnsbl/sites" }}postconf -e postscreen_dnsbl_sites='{{.}}'{{ end }} -{{ with getv "/postscreen/dnsbl/threshold" }}postconf -e postscreen_dnsbl_threshold='{{.}}'{{ end }} -{{ with getv "/postscreen/dnsbl/whitelist/threshold" }}postconf -e postscreen_dnsbl_whitelist_threshold='{{.}}'{{ end }} -{{ with getv "/postscreen/greet/action" }}postconf -e postscreen_greet_action='{{.}}'{{ end }} - -{{ else }} - -# disable postscreen -postconf -M# smtpd/pass -postconf -F smtp/inet/private=n \ - smtp/inet/unprivileged=- \ - smtp/inet/chroot=n \ - smtp/inet/wakeup=- \ - smtp/inet/process_limit=- \ - smtp/inet/command="smtpd" - -{{ if eq (getv "/bogofilter/enable") "yes" }} -postconf -P smtp/inet/content_filter=spamfilter -{{ else }} -postconf -X -P smtp/inet/content_filter -{{ end }} - -postconf -M# dnsblog/unix - -{{ end }} - -# TODO: access list: -# # Ansible-generated postscreen CIDR access table. 
You can change this -# # file by setting the host variable `postfix_postscreen_access_list` -# {% for entry in postfix_postscreen_access_list -%} -# { { entry.address } } { { entry.action } } -# {% endfor %} - -# TODO: reply map: -# # postscreen reply map, matching entries will be replaced -# # with the resulting text when telling the source of DNS -# # blacklisting to the remote client. -# # used to mask passwords contained in dnsbl names -# # edit this file by setting the "mask" option for items -# # in the host variable postfix_postscreen_dnsbl_sites -# {% for entry in postfix_postscreen_dnsbl_sites -%} -# {% if entry is mapping -%}{% if entry.mask is defined -%} -# {% if entry.mask is string and entry.mask != "" -%} -# /^{ { entry.site } }$/ { { entry.mask } } -# {% else %} -# /^{ { entry.site } }$/ dnsbl blacklist -# {% endif %}{% endif %}{% endif %}{% endfor %} diff --git a/confd/templates/setup_relayhost.tmpl b/confd/templates/setup_relayhost.tmpl deleted file mode 100644 index b3a025b..0000000 --- a/confd/templates/setup_relayhost.tmpl +++ /dev/null 
@@ -1,14 +0,0 @@
-#!/bin/bash
-
-# These postfix settings allow for sending all mail through a relay host.
-
-{{ with getv "/relayhost" }}postconf relayhost='{{.}}'{{ end }}
-{{ with getv "/smtp/fallback/relay" }}postconf smtp_fallback_relay='{{.}}'{{ end }}
-{{ with getv "/smtp/sasl/auth/enable" }}postconf smtp_sasl_auth_enable='{{.}}'{{ end }}
-{{ with getv "/smtp/sasl/password/maps" }}postconf smtp_sasl_password_maps='{{.}}'{{ end }}
-{{ with getv "/smtp/sasl/security/options" }}postconf smtp_sasl_security_options='{{.}}'{{ end }}
-{{ with getv "/smtp/tls/cafile" }}postconf smtp_tls_CAfile='{{.}}'{{ end }}
-{{ with getv "/smtp/tls/mandatory/protocols" }}postconf smtp_tls_mandatory_protocols='{{.}}'{{ end }}
-{{ with getv "/smtp/tls/note/starttls/offer" }}postconf smtp_tls_note_starttls_offer='{{.}}'{{ end }}
-{{ with getv "/smtp/tls/security/level" }}postconf smtp_tls_security_level='{{.}}'{{ end }}
-{{ with getv "/smtp/tls/session/cache/database" }}postconf smtp_tls_session_cache_database='{{.}}'{{ end }}
diff --git a/confd/templates/spamfilter.tmpl b/confd/templates/spamfilter.tmpl
deleted file mode 100755
index 89b0b14..0000000
--- a/confd/templates/spamfilter.tmpl
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/bin/bash
-
-# pass mail through spam filter Bogofilter
-# arguments are passed on to sendmail
-
-/usr/bin/bogofilter -d /vmail/bogofilter -p {{ with getv "/bogofilter/ham/cutoff" }}--ham-cutoff '{{.}}'{{ end }} {{ with getv "/bogofilter/spam/cutoff" }}--spam-cutoff '{{.}}'{{ end }} | /usr/sbin/sendmail "$@"
diff --git a/entrypoint.sh b/entrypoint.sh
new file mode 100644
index 0000000..2161e3f
--- /dev/null
+++ b/entrypoint.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+set -e
+gomplate --input-dir=/etc/templates --output-dir=/
+run-parts -v --exit-on-error /start.d
+exec "$@"
diff --git a/templates/start.d/setup_main b/templates/start.d/setup_main
new file mode 100644
index 0000000..abac0b0
--- /dev/null
+++ b/templates/start.d/setup_main
@@ -0,0 +1,105 @@ +#!/bin/bash +set -e + +postconf maillog_file=/dev/stdout +postconf alias_maps=hash:/etc/aliases +{{- if getenv "BIFF" }} +postconf biff='{{ getenv "BIFF" }}' +{{- end }} +{{- if getenv "MESSAGE_SIZE_LIMIT" }} +postconf message_size_limit='{{ getenv "MESSAGE_SIZE_LIMIT" }}' +{{- end }} +{{- if getenv "MYDESTINATION" }} +postconf mydestination='{{ getenv "MYDESTINATION" }}' +{{- end }} +{{- if getenv "MYDOMAIN" }} +postconf mydomain='{{ getenv "MYDOMAIN" }}' +{{- end }} +{{- if getenv "MYHOSTNAME" }} +postconf myhostname='{{ getenv "MYHOSTNAME" }}' +{{- end }} +{{- if getenv "MYNETWORKS" }} +postconf mynetworks='{{ getenv "MYNETWORKS" }}' +{{- end }} +{{- if getenv "MYNETWORKS_STYLE" }} +postconf mynetworks_style='{{ getenv "MYNETWORKS_STYLE" }}' +{{- end }} +{{- if getenv "PROPAGATE_UNMATCHED_EXTENSIONS" }} +postconf propagate_unmatched_extensions='{{ getenv "PROPAGATE_UNMATCHED_EXTENSIONS" }}' +{{- end }} +{{- if getenv "RECIPIENT_DELIMITER" }} +postconf recipient_delimiter='{{ getenv "RECIPIENT_DELIMITER" }}' +{{- end }} +{{- if getenv "SMTP_TLS_SECURITY_LEVEL" }} +postconf smtp_tls_security_level='{{ getenv "SMTP_TLS_SECURITY_LEVEL" }}' +{{- end }} +{{- if getenv "SMTPD_CLIENT_RESTRICTIONS" }} +postconf smtpd_client_restrictions='{{ getenv "SMTPD_CLIENT_RESTRICTIONS" }}' +{{- end }} +{{- if getenv "SMTPD_DATA_RESTRICTIONS" }} +postconf smtpd_data_restrictions='{{ getenv "SMTPD_DATA_RESTRICTIONS" }}' +{{- end }} +{{- if getenv "SMTPD_HELO_REQUIRED" }} +postconf smtpd_helo_required='{{ getenv "SMTPD_HELO_REQUIRED" }}' +{{- end }} +{{- if getenv "SMTPD_HELO_RESTRICTIONS" }} +postconf smtpd_helo_restrictions='{{ getenv "SMTPD_HELO_RESTRICTIONS" }}' +{{- end }} +{{- if getenv "SMTPD_RECIPIENT_RESTRICTIONS" }} +postconf smtpd_recipient_restrictions='{{ getenv "SMTPD_RECIPIENT_RESTRICTIONS" }}' +{{- end }} +{{- if getenv "SMTPD_RELAY_RESTRICTIONS" }} +postconf smtpd_relay_restrictions='{{ getenv "SMTPD_RELAY_RESTRICTIONS" }}' +{{- end }} +{{- if 
getenv "SMTPD_SASL_AUTH_ENABLE" }} +postconf smtpd_sasl_auth_enable='{{ getenv "SMTPD_SASL_AUTH_ENABLE" }}' +{{- end }} +{{- if getenv "SMTPD_SASL_PATH" }} +postconf smtpd_sasl_path='{{ getenv "SMTPD_SASL_PATH" }}' +{{- end }} +{{- if getenv "SMTPD_SASL_TYPE" }} +postconf smtpd_sasl_type='{{ getenv "SMTPD_SASL_TYPE" }}' +{{- end }} +{{- if getenv "SMTPD_TLS_AUTH_ONLY" }} +postconf smtpd_tls_auth_only='{{ getenv "SMTPD_TLS_AUTH_ONLY" }}' +{{- end }} +{{- if getenv "SMTPD_TLS_CERT_FILE" }} +postconf smtpd_tls_cert_file='{{ getenv "SMTPD_TLS_CERT_FILE" }}' +{{- end }} +{{- if getenv "SMTPD_TLS_KEY_FILE" }} +postconf smtpd_tls_key_file='{{ getenv "SMTPD_TLS_KEY_FILE" }}' +{{- end }} +{{- if getenv "SMTPD_TLS_SECURITY_LEVEL" }} +postconf smtpd_tls_security_level='{{ getenv "SMTPD_TLS_SECURITY_LEVEL" }}' +{{- end }} +{{- if getenv "SMTPD_TLS_SESSION_CACHE_DATABASE" }} +postconf smtpd_tls_session_cache_database='{{ getenv "SMTPD_TLS_SESSION_CACHE_DATABASE" }}' +{{- end }} +{{- if getenv "SMTPUTF8_ENABLE" }} +postconf smtputf8_enable='{{ getenv "SMTPUTF8_ENABLE" }}' +{{- end }} +{{- if getenv "VIRTUAL_ALIAS_MAPS" }} +postconf virtual_alias_maps='{{ getenv "VIRTUAL_ALIAS_MAPS" }}' +{{- end }} +{{- if getenv "VIRTUAL_MAILBOX_DOMAINS" }} +postconf virtual_mailbox_domains='{{ getenv "VIRTUAL_MAILBOX_DOMAINS" }}' +{{- end }} +{{- if getenv "VIRTUAL_MAILBOX_MAPS" }} +postconf virtual_mailbox_maps='{{ getenv "VIRTUAL_MAILBOX_MAPS" }}' +{{- end }} +{{- if getenv "VIRTUAL_TRANSPORT" }} +postconf virtual_transport='{{ getenv "VIRTUAL_TRANSPORT" }}' +{{- end }} + +postconf -M spamfilter/unix | grep -q spamfilter || { + postconf -M spamfilter/unix="spamfilter unix - n n - - pipe" +} +postconf -F spamfilter/unix/private=- \ + spamfilter/unix/unprivileged=n \ + spamfilter/unix/chroot=n \ + spamfilter/unix/wakeup=- \ + spamfilter/unix/process_limit=- \ + spamfilter/unix/command='pipe flags=Rq user=vmail argv=/usr/local/bin/spamfilter -oi -f ${sender} ${recipient}' + +# run postmap for 
all lookup tables +postmap_all diff --git a/templates/start.d/setup_milter b/templates/start.d/setup_milter new file mode 100644 index 0000000..e538c6f --- /dev/null +++ b/templates/start.d/setup_milter @@ -0,0 +1,15 @@ +#!/bin/bash +set -e + +{{- if getenv "INTERNAL_MAIL_FILTER_CLASSES" }} +postconf internal_mail_filter_classes='{{ getenv "INTERNAL_MAIL_FILTER_CLASSES" }}' +{{- end }} +{{- if getenv "MILTER_DEFAULT_ACTION" }} +postconf milter_default_action='{{ getenv "MILTER_DEFAULT_ACTION" }}' +{{- end }} +{{- if getenv "NON_SMTPD_MILTERS" }} +postconf non_smtpd_milters='{{ getenv "NON_SMTPD_MILTERS" }}' +{{- end }} +{{- if getenv "SMTPD_MILTERS" }} +postconf smtpd_milters='{{ getenv "SMTPD_MILTERS" }}' +{{- end }} diff --git a/templates/start.d/setup_postscreen b/templates/start.d/setup_postscreen new file mode 100644 index 0000000..a0d806b --- /dev/null +++ b/templates/start.d/setup_postscreen 
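Review bot: Every rendered `postconf foo='{{ getenv "FOO" }}'` line in this file is written into a bash script before it runs, so a value that contains a single quote terminates the literal and the remainder of the value is parsed as shell by the root entrypoint; the same pattern is repeated in setup_milter, setup_postscreen, setup_relayhost and spamfilter. The removed confd templates had the same construction, but the rewrite is the moment to let the engine produce the quoting instead of the template, e.g. `postconf biff={{ getenv "BIFF" | strings.ShellQuote }}` if that function exists in the pinned gomplate version, or to leave the variable to the shell at run time, `postconf biff="$BIFF"`, so the value is never re-parsed. A header comment in the template stating that the output is executed as a shell script and that values are inserted verbatim would also help the next maintainer see why the quoting matters. The `spamfilter/unix/command` line keeps `argv=/usr/local/bin/spamfilter`, which should be checked against where the spamfilter template is now rendered.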
@@ -0,0 +1,88 @@ +#!/bin/bash +set -e + +{{ if eq (getenv "POSTSCREEN_ENABLE") "yes" -}} +postconf -M smtpd/pass="smtpd pass - - n - - smtpd" +postconf -F smtpd/pass/private=- \ + smtpd/pass/unprivileged=- \ + smtpd/pass/chroot=n \ + smtpd/pass/wakeup=- \ + smtpd/pass/process_limit=- \ + smtpd/pass/command="smtpd" +postconf -F smtp/inet/private=n \ + smtp/inet/unprivileged=- \ + smtp/inet/chroot=n \ + smtp/inet/wakeup=- \ + smtp/inet/process_limit=1 \ + smtp/inet/command="postscreen" +postconf -M tlsproxy/unix="tlsproxy unix - - n - 0 tlsproxy" +postconf -F tlsproxy/unix/private=- \ + tlsproxy/unix/unprivileged=- \ + tlsproxy/unix/chroot=n \ + tlsproxy/unix/wakeup=- \ + tlsproxy/unix/process_limit=0 \ + tlsproxy/unix/command="tlsproxy" +postconf -M dnsblog/unix="dnsblog unix - - n - 0 dnsblog" +postconf -F dnsblog/unix/private=- \ + dnsblog/unix/unprivileged=- \ + dnsblog/unix/chroot=n \ + dnsblog/unix/wakeup=- \ + dnsblog/unix/process_limit=0 \ + dnsblog/unix/command="dnsblog" + +{{ if eq (getenv "BOGOFILTER_ENABLE") "yes" -}} +postconf -P smtpd/pass/content_filter=spamfilter +{{ else -}} +postconf -X -P smtpd/pass/content_filter +{{ end -}} + +# FIXME: template tables instead of creating empty files +touch /etc/postfix/rules/postscreen_access_list.cidr +touch /etc/postfix/rules/postscreen_dnsbl_mask.pcre + +# main.cf options +{{- if getenv "POSTSCREEN_ACCESS_LIST" }} +postconf -e postscreen_access_list='{{ getenv "POSTSCREEN_ACCESS_LIST" }}' +{{- end }} +{{- if getenv "POSTSCREEN_BLACKLIST_ACTION" }} +postconf -e postscreen_blacklist_action='{{ getenv "POSTSCREEN_BLACKLIST_ACTION" }}' +{{- end }} +{{- if getenv "POSTSCREEN_DNSBL_ACTION" }} +postconf -e postscreen_dnsbl_action='{{ getenv "POSTSCREEN_DNSBL_ACTION" }}' +{{- end }} +{{- if getenv "POSTSCREEN_DNSBL_REPLY_MAP" }} +postconf -e postscreen_dnsbl_reply_map='{{ getenv "POSTSCREEN_DNSBL_REPLY_MAP" }}' +{{- end }} +{{- if getenv "POSTSCREEN_DNSBL_SITES" }} +postconf -e postscreen_dnsbl_sites='{{ getenv 
"POSTSCREEN_DNSBL_SITES" }}' +{{- end }} +{{- if getenv "POSTSCREEN_DNSBL_THRESHOLD" }} +postconf -e postscreen_dnsbl_threshold='{{ getenv "POSTSCREEN_DNSBL_THRESHOLD" }}' +{{- end }} +{{- if getenv "POSTSCREEN_DNSBL_WHITELIST_THRESHOLD" }} +postconf -e postscreen_dnsbl_whitelist_threshold='{{ getenv "POSTSCREEN_DNSBL_WHITELIST_THRESHOLD" }}' +{{- end }} +{{- if getenv "POSTSCREEN_GREET_ACTION" }} +postconf -e postscreen_greet_action='{{ getenv "POSTSCREEN_GREET_ACTION" }}' +{{- end }} + +{{ else -}} + +# disable postscreen +postconf -M# smtpd/pass +postconf -F smtp/inet/private=n \ + smtp/inet/unprivileged=- \ + smtp/inet/chroot=n \ + smtp/inet/wakeup=- \ + smtp/inet/process_limit=- \ + smtp/inet/command="smtpd" + +{{ if eq (getenv "BOGOFILTER_ENABLE") "yes" -}} +postconf -P smtp/inet/content_filter=spamfilter +{{ else -}} +postconf -X -P smtp/inet/content_filter +{{ end -}} + +postconf -M# dnsblog/unix + +{{ end -}} diff --git a/templates/start.d/setup_relayhost b/templates/start.d/setup_relayhost new file mode 100644 index 0000000..2317a53 --- /dev/null +++ b/templates/start.d/setup_relayhost 
@@ -0,0 +1,33 @@ +#!/bin/bash +set -e + +{{- if getenv "RELAYHOST" }} +postconf relayhost='{{ getenv "RELAYHOST" }}' +{{- end }} +{{- if getenv "SMTP_FALLBACK_RELAY" }} +postconf smtp_fallback_relay='{{ getenv "SMTP_FALLBACK_RELAY" }}' +{{- end }} +{{- if getenv "SMTP_SASL_AUTH_ENABLE" }} +postconf smtp_sasl_auth_enable='{{ getenv "SMTP_SASL_AUTH_ENABLE" }}' +{{- end }} +{{- if getenv "SMTP_SASL_PASSWORD_MAPS" }} +postconf smtp_sasl_password_maps='{{ getenv "SMTP_SASL_PASSWORD_MAPS" }}' +{{- end }} +{{- if getenv "SMTP_SASL_SECURITY_OPTIONS" }} +postconf smtp_sasl_security_options='{{ getenv "SMTP_SASL_SECURITY_OPTIONS" }}' +{{- end }} +{{- if getenv "SMTP_TLS_CAFILE" }} +postconf smtp_tls_CAfile='{{ getenv "SMTP_TLS_CAFILE" }}' +{{- end }} +{{- if getenv "SMTP_TLS_MANDATORY_PROTOCOLS" }} +postconf smtp_tls_mandatory_protocols='{{ getenv "SMTP_TLS_MANDATORY_PROTOCOLS" }}' +{{- end }} +{{- if getenv "SMTP_TLS_NOTE_STARTTLS_OFFER" }} +postconf smtp_tls_note_starttls_offer='{{ getenv "SMTP_TLS_NOTE_STARTTLS_OFFER" }}' +{{- end }} +{{- if getenv "SMTP_TLS_SECURITY_LEVEL" }} +postconf smtp_tls_security_level='{{ getenv "SMTP_TLS_SECURITY_LEVEL" }}' +{{- end }} +{{- if getenv "SMTP_TLS_SESSION_CACHE_DATABASE" }} +postconf smtp_tls_session_cache_database='{{ getenv "SMTP_TLS_SESSION_CACHE_DATABASE" }}' +{{- end }} diff --git a/confd/templates/setup_submission.tmpl b/templates/start.d/setup_submission similarity index 66% rename from confd/templates/setup_submission.tmpl rename to templates/start.d/setup_submission index b6d21f7..6a05121 100644 --- a/confd/templates/setup_submission.tmpl +++ b/templates/start.d/setup_submission 
@@ -1,13 +1,7 @@
 #!/bin/bash
+set -e
-#postconf -M submission/inet
-#postconf -P -h submission/inet/milter_macro_daemon_name
-#postconf -P -h submission/inet/smtpd_client_restrictions
-#postconf -P -h submission/inet/smtpd_sasl_auth_enable
-#postconf -P -h submission/inet/smtpd_tls_security_level
-#postconf -P -h submission/inet/syslog_name
-
-{{ if eq (getv "/submission/enable") "yes"}}
+{{ if eq (getenv "SUBMISSION_ENABLE") "yes" -}}
 postconf -M submission/inet="submission inet n - n - - smtpd"
 postconf -F submission/inet/private=n \
 submission/inet/unprivileged=- \
@@ -20,6 +14,6 @@ postconf -P -e submission/inet/smtpd_helo_restrictions="permit"
 postconf -P -e submission/inet/smtpd_sasl_auth_enable="yes"
 postconf -P -e submission/inet/smtpd_tls_security_level="encrypt"
 postconf -P -e submission/inet/syslog_name="postfix/submission"
-{{ else }}
+{{ else -}}
 postconf -M# submission/inet
-{{ end }}
+{{ end -}}
diff --git a/templates/start.d/spamfilter b/templates/start.d/spamfilter
new file mode 100644
index 0000000..899a986
--- /dev/null
+++ b/templates/start.d/spamfilter
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+# pass mail through spam filter Bogofilter
+# arguments are passed on to sendmail
+
+/usr/bin/bogofilter -d /vmail/bogofilter -p {{ if getenv "BOGOFILTER_HAM_CUTOFF" }}--ham-cutoff '{{ getenv "BOGOFILTER_HAM_CUTOFF" }}'{{ end }} {{ if getenv "BOGOFILTER_SPAM_CUTOFF" }}--spam-cutoff '{{ getenv "BOGOFILTER_SPAM_CUTOFF" }}'{{ end }} | /usr/sbin/sendmail "$@"
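Review bot: `templates/start.d/spamfilter` is rendered by the entrypoint's `gomplate --output-dir=/` as `/start.d/spamfilter`, but `setup_main` still wires the pipe transport as `argv=/usr/local/bin/spamfilter`, the path the removed `confd/conf.d/spamfilter.toml` used as `dest`; after this change that path is never created, so the content filter would fail at delivery time, and if the rendered file is executable `run-parts` would instead run the `bogofilter | sendmail` pipeline once at container start under `--exit-on-error`. Move the template to `templates/usr/local/bin/spamfilter` so it is written where the transport expects it and stays out of `/start.d`. The removed copy was also mode 100755 while the new file is 100644, so the execute bit needs to come back as well, for example through `COPY --chmod` in the Dockerfile, since otherwise `pipe` cannot invoke it.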