From c8bbf043c9e0ff6272abe79c9a66c9fe1f5e2853 Mon Sep 17 00:00:00 2001
From: Mauro Torrez
Date: Mon, 30 Sep 2019 02:29:16 -0300
Subject: [PATCH] version inicial
---
.drone.yml | 30 ++++++++
.gitignore | 3 +
Dockerfile | 81 ++++++++++++++++++++
confd/conf.d/setup_main.toml | 31 ++++++++
confd/conf.d/setup_postscreen.toml | 7 ++
confd/conf.d/setup_submission.toml | 7 ++
confd/templates/setup_main.tmpl | 59 +++++++++++++++
confd/templates/setup_postscreen.tmpl | 103 ++++++++++++++++++++++++++
confd/templates/setup_submission.tmpl | 24 ++++++
9 files changed, 345 insertions(+)
create mode 100644 .drone.yml
create mode 100644 .gitignore
create mode 100644 Dockerfile
create mode 100644 confd/conf.d/setup_main.toml
create mode 100644 confd/conf.d/setup_postscreen.toml
create mode 100644 confd/conf.d/setup_submission.toml
create mode 100644 confd/templates/setup_main.tmpl
create mode 100644 confd/templates/setup_postscreen.tmpl
create mode 100644 confd/templates/setup_submission.tmpl
diff --git a/.drone.yml b/.drone.yml
new file mode 100644
index 0000000..4bc3368
--- /dev/null
+++ b/.drone.yml
@@ -0,0 +1,30 @@
+---
+kind: pipeline
+name: default
+
+steps:
+ - name: build image only
+ image: plugins/docker
+ settings:
+ repo: eumau/postfix
+ auto_tag: true
+ dry_run: true
+ when:
+ ref:
+ - refs/pull/**
+ # event no anda (?)
+ # event:
+ # - pull_request
+
+ - name: build and publish image
+ image: plugins/docker
+ settings:
+ repo: eumau/postfix
+ auto_tag: true
+ username:
+ from_secret: dockerhub_username
+ password:
+ from_secret: dockerhub_password
+ when:
+ branch:
+ - master
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..adac7f9
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,3 @@
+*~
+\#*
+.#*
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..fb24018
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,81 @@
+FROM eumau/debian:buster-slim
+LABEL maintainer "Mauro Torrez "
+ARG DEBIAN_FRONTEND=noninteractive
+ENV LC_ALL C
+
+ENV MYDESTINATION='localhost.localdomain, localhost'
+ENV MYHOSTNAME=mail.example.com
+ENV MYDOMAIN=example.com
+ENV MYNETWORKS='127.0.0.0/8, [::ffff:127.0.0.0]/104, [::1]/128'
+ENV VIRTUAL_ALIAS_MAPS=
+ENV VIRTUAL_MAILBOX_MAPS=
+ENV VIRTUAL_TRANSPORT=lmtp:dovecot:24
+ENV VIRTUAL_MAILBOX_DOMAINS=example.com
+ENV SMTPD_SASL_PATH=inet:dovecot:12345
+ENV SMTPD_SASL_TYPE=dovecot
+ENV SMTPD_SASL_AUTH_ENABLE=no
+ENV SMTPD_TLS_CERT_FILE=/ssl/cert.pem
+ENV SMTPD_TLS_KEY_FILE=/ssl/key.pem
+ENV SMTP_TLS_SECURITY_LEVEL=may
+ENV SMTPD_TLS_SECURITY_LEVEL=may
+ENV SMTPD_TLS_AUTH_ONLY=no
+ENV SMTPD_TLS_SESSION_CACHE_DATABASE="btree:\${data_directory}/smtpd_scache"
+ENV SMTPD_CLIENT_RESTRICTIONS="check_client_access pcre:/etc/postfix/rules/client_access_list, permit_sasl_authenticated, permit_mynetworks, reject_unknown_client_hostname, reject_unauth_pipelining, permit"
+ENV SMTPD_DATA_RESTRICTIONS="reject_unauth_pipelining, permit"
+ENV SMTPD_HELO_RESTRICTIONS="check_helo_access hash:/etc/postfix/rules/helo_access_list, permit_mynetworks, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, warn_if_reject, permit"
+ENV SMTPD_RELAY_RESTRICTIONS="permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, permit"
+ENV SMTPD_RECIPIENT_RESTRICTIONS="check_recipient_access hash:/etc/postfix/rules/recipient_access_list, permit_mynetworks, permit_sasl_authenticated, reject_unknown_recipient_domain, reject_non_fqdn_recipient, reject_unauth_destination, permit"
+ENV MESSAGE_SIZE_LIMIT=31457280
+ENV SMTPD_HELO_REQUIRED=yes
+ENV BIFF=no
+ENV SUBMISSION_ENABLE=no
+
+# TODO: template access lists
+
+RUN echo "_dev_null: /dev/null" > /etc/aliases \
+ && apt-get update \
+ && apt-get install -y --no-install-recommends \
+ postfix \
+ postfix-pcre \
+ postfix-ldap \
+ postfix-sqlite \
+ libsasl2-modules \
+ ssl-cert \
+ && rm -rf /var/lib/apt/lists/* \
+ && cp /usr/share/postfix/main.cf.debian /etc/postfix/main.cf \
+ && mkdir -p /etc/postfix/rules \
+ && touch \
+ /etc/postfix/rules/client_access_list \
+ /etc/postfix/rules/helo_access_list \
+ /etc/postfix/rules/recipient_access_list \
+ && mkdir -p /ssl \
+ && chmod 700 /ssl \
+ && cp /etc/ssl/certs/ssl-cert-snakeoil.pem /ssl/cert.pem \
+ && cp /etc/ssl/private/ssl-cert-snakeoil.key /ssl/key.pem \
+ && postconf -F \
+ smtp/inet/chroot=n \
+ pickup/unix/chroot=n \
+ cleanup/unix/chroot=n \
+ qmgr/unix/chroot=n \
+ tlsmgr/unix/chroot=n \
+ rewrite/unix/chroot=n \
+ bounce/unix/chroot=n \
+ defer/unix/chroot=n \
+ trace/unix/chroot=n \
+ verify/unix/chroot=n \
+ flush/unix/chroot=n \
+ smtp/unix/chroot=n \
+ relay/unix/chroot=n \
+ showq/unix/chroot=n \
+ error/unix/chroot=n \
+ retry/unix/chroot=n \
+ discard/unix/chroot=n \
+ lmtp/unix/chroot=n \
+ anvil/unix/chroot=n \
+ scache/unix/chroot=n
+
+ADD confd /etc/confd/
+VOLUME /etc/postfix /ssl
+EXPOSE 25/tcp 587/tcp
+
+CMD ["postfix","start-fg"]
diff --git a/confd/conf.d/setup_main.toml b/confd/conf.d/setup_main.toml
new file mode 100644
index 0000000..c3f188e
--- /dev/null
+++ b/confd/conf.d/setup_main.toml
@@ -0,0 +1,31 @@
+[template]
+src = "setup_main.tmpl"
+dest = "/start.d/setup_main"
+mode = "0755"
+keys = [
+"/mydestination",
+"/myhostname",
+"/mydomain",
+"/mynetworks",
+"/virtual/alias/maps",
+"/virtual/mailbox/maps",
+"/virtual/transport",
+"/virtual/mailbox/domains",
+"/smtpd/sasl/path",
+"/smtpd/sasl/type",
+"/smtpd/sasl/auth/enable",
+"/smtpd/tls/cert/file",
+"/smtpd/tls/key/file",
+"/smtp/tls/security/level",
+"/smtpd/tls/security/level",
+"/smtpd/tls/auth/only",
+"/smtpd/tls/session/cache/database",
+"/smtpd/client/restrictions",
+"/smtpd/data/restrictions",
+"/smtpd/helo/restrictions",
+"/smtpd/relay/restrictions",
+"/smtpd/recipient/restrictions",
+"/message/size/limit",
+"/smtpd/helo/required",
+"/biff",
+]
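Review bot: The snakeoil key pair that `ssl-cert` generates during `apt-get install` is copied to `/ssl/key.pem` in the same RUN, so the private key ends up in an image layer and, once the image is pushed as `.drone.yml` does, is available to anyone who pulls it, while the `SMTPD_TLS_SECURITY_LEVEL=may` default offers TLS with that key out of the box. Leave `/ssl` empty in the image and have the start-up scripts generate a throwaway self-signed pair only when `/ssl/key.pem` is absent (logging that they did), so an operator who forgets the volume mount gets a per-container key rather than a shared, published one. Smaller points in the same hunk: `ADD confd /etc/confd/` should be `COPY confd /etc/confd/` since nothing is extracted or fetched; `LABEL maintainer "..."` and `ENV LC_ALL C` are the legacy space-separated forms, so write `LABEL maintainer="..."` and `ENV LC_ALL=C`; the apt packages are unpinned and `FROM eumau/debian:buster-slim` is a personal Hub image pinned only by tag, so a digest pin would make the build reproducible. Running as root is expected here because `postfix start-fg` needs it and master drops privileges per service, so the missing `USER` is fine.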
diff --git a/confd/conf.d/setup_postscreen.toml b/confd/conf.d/setup_postscreen.toml
new file mode 100644
index 0000000..34d9aef
--- /dev/null
+++ b/confd/conf.d/setup_postscreen.toml
@@ -0,0 +1,7 @@
+[template]
+src = "setup_postscreen.tmpl"
+dest = "/start.d/setup_postscreen"
+mode = "0755"
+keys = [
+"/postscreen/enable",
+]
diff --git a/confd/conf.d/setup_submission.toml b/confd/conf.d/setup_submission.toml
new file mode 100644
index 0000000..40a9f5e
--- /dev/null
+++ b/confd/conf.d/setup_submission.toml
@@ -0,0 +1,7 @@
+[template]
+src = "setup_submission.tmpl"
+dest = "/start.d/setup_submission"
+mode = "0755"
+keys = [
+"/submission/enable",
+]
diff --git a/confd/templates/setup_main.tmpl b/confd/templates/setup_main.tmpl
new file mode 100644
index 0000000..80c2e17
--- /dev/null
+++ b/confd/templates/setup_main.tmpl
@@ -0,0 +1,59 @@
+#!/bin/bash
+
+# Managing main.cf:
+# postconf [-dfhHnopvx] [-c config_dir] [-C class,...] [parameter ...]
+# postconf [-epv] [-c config_dir] parameter=value ...
+# postconf -# [-pv] [-c config_dir] parameter ...
+# postconf -X [-pv] [-c config_dir] parameter ...
+
+# Managing master.cf service entries:
+# postconf -M [-fovx] [-c config_dir] [service[/type] ...]
+# postconf -M [-ev] [-c config_dir] service/type=value ...
+# postconf -M# [-v] [-c config_dir] service/type ...
+# postconf -MX [-v] [-c config_dir] service/type ...
+
+# Managing master.cf service fields:
+# postconf -F [-fhHovx] [-c config_dir] [service[/type[/field]] ...]
+# postconf -F [-ev] [-c config_dir] service/type/field=value ...
+
+# Managing master.cf service parameters:
+# postconf -P [-fhHovx] [-c config_dir] [service[/type[/parameter]] ...]
+# postconf -P [-ev] [-c config_dir] service/type/parameter=value ...
+# postconf -PX [-v] [-c config_dir] service/type/parameter ...
+
+# Managing bounce message templates:
+# postconf -b [-v] [-c config_dir] [template_file]
+# postconf -t [-v] [-c config_dir] [template_file]
+
+# Managing TLS features:
+# postconf -T mode [-v] [-c config_dir]
+
+# Managing other configuration:
+# postconf -a|-A|-l|-m [-v] [-c config_dir]
+
+postconf maillog_file=/dev/stdout
+{{ with getv "/mydestination" }}postconf mydestination='{{.}}'{{ end }}
+{{ with getv "/myhostname" }}postconf myhostname='{{.}}'{{ end }}
+{{ with getv "/mydomain" }}postconf mydomain='{{.}}'{{ end }}
+{{ with getv "/mynetworks" }}postconf mynetworks='{{.}}'{{ end }}
+{{ with getv "/virtual/alias/maps" }}postconf virtual_alias_maps='{{.}}'{{ end }}
+{{ with getv "/virtual/mailbox/maps" }}postconf virtual_mailbox_maps='{{.}}'{{ end }}
+{{ with getv "/virtual/transport" }}postconf virtual_transport='{{.}}'{{ end }}
+{{ with getv "/virtual/mailbox/domains" }}postconf virtual_mailbox_domains='{{.}}'{{ end }}
+{{ with getv "/smtpd/sasl/path" }}postconf smtpd_sasl_path='{{.}}'{{ end }}
+{{ with getv "/smtpd/sasl/type" }}postconf smtpd_sasl_type='{{.}}'{{ end }}
+{{ with getv "/smtpd/sasl/auth/enable" }}postconf smtpd_sasl_auth_enable='{{.}}'{{ end }}
+{{ with getv "/smtpd/tls/cert/file" }}postconf smtpd_tls_cert_file='{{.}}'{{ end }}
+{{ with getv "/smtpd/tls/key/file" }}postconf smtpd_tls_key_file='{{.}}'{{ end }}
+{{ with getv "/smtp/tls/security/level" }}postconf smtp_tls_security_level='{{.}}'{{ end }}
+{{ with getv "/smtpd/tls/security/level" }}postconf smtpd_tls_security_level='{{.}}'{{ end }}
+{{ with getv "/smtpd/tls/auth/only" }}postconf smtpd_tls_auth_only='{{.}}'{{ end }}
+{{ with getv "/smtpd/tls/session/cache/database" }}postconf smtpd_tls_session_cache_database='{{.}}'{{ end }}
+{{ with getv "/smtpd/client/restrictions" }}postconf smtpd_client_restrictions='{{.}}'{{ end }}
+{{ with getv "/smtpd/data/restrictions" }}postconf smtpd_data_restrictions='{{.}}'{{ end }}
+{{ with getv "/smtpd/helo/restrictions" }}postconf smtpd_helo_restrictions='{{.}}'{{ end }}
+{{ with getv "/smtpd/relay/restrictions" }}postconf smtpd_relay_restrictions='{{.}}'{{ end }}
+{{ with getv "/smtpd/recipient/restrictions" }}postconf smtpd_recipient_restrictions='{{.}}'{{ end }}
+{{ with getv "/message/size/limit" }}postconf message_size_limit='{{.}}'{{ end }}
+{{ with getv "/smtpd/helo/required" }}postconf smtpd_helo_required='{{.}}'{{ end }}
+{{ with getv "/biff" }}postconf biff='{{.}}'{{ end }}
diff --git a/confd/templates/setup_postscreen.tmpl b/confd/templates/setup_postscreen.tmpl
new file mode 100644
index 0000000..2f104df
--- /dev/null
+++ b/confd/templates/setup_postscreen.tmpl
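Review bot: The rendered script has no `set -e`, so a `postconf` call that rejects a value (a typo in one of the restriction lists, say) prints an error and start-up continues with whatever setting was already in the volume-backed `/etc/postfix/main.cf`; add `set -euo pipefail` after the shebang here and in the setup_postscreen.tmpl and setup_submission.tmpl hunks, which have the same gap. Values are interpolated inside single quotes (`postconf mydestination='{{.}}'`), so a value containing `'` breaks the command line; since these come from operator-set environment variables that is a usability limit rather than an injection path, but a line such as `# values are single-quoted: a literal ' in a setting is not supported` would save debugging time. `postconf maillog_file=/dev/stdout` relies on Postfix 3.4 or newer (buster ships 3.4), so a comment naming that minimum would help whoever changes the base image later.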
@@ -0,0 +1,103 @@
+#!/bin/bash
+
+#postconf -M smtpd/pass
+#postconf -Fh smtp/inet/private smtp/inet/unprivileged smtp/inet/chroot smtp/inet/wakeup smtp/inet/process_limit smtp/inet/command
+#postconf -M smtp/inet
+#postconf -M tlsproxy/unix
+#postconf -M dnsblog/unix
+#postconf -h postscreen_access_list
+#postconf -h postscreen_dnsbl_sites
+#postconf -h postscreen_dnsbl_reply_map
+#postconf -h postscreen_dnsbl_action
+#postconf -h postscreen_blacklist_action
+#postconf -h postscreen_dnsbl_whitelist_threshold
+#postconf -h postscreen_greet_action
+#postconf -h postscreen_greet_wait
+
+# NOT SUPPORTED:
+#postconf -h postscreen_bare_newline_enable
+#postconf -h postscreen_non_smtp_command_enable
+#postconf -h postscreen_pipelining_enable
+#postconf -h postscreen_bare_newline_action
+#postconf -h postscreen_dnsbl_threshold
+#postconf -h postscreen_non_smtp_command_action
+#postconf -h postscreen_pipelining_action
+
+{{ if eq (getv "/postscreen/enable") "yes"}}
+postconf -M smtpd/pass="smtpd pass - - n - - smtpd"
+postconf -F smtpd/pass/private=- \
+ smtpd/pass/unprivileged=- \
+ smtpd/pass/chroot=n \
+ smtpd/pass/wakeup=- \
+ smtpd/pass/process_limit=- \
+ smtpd/pass/command="smtpd"
+postconf -F smtp/inet/private=n \
+ smtp/inet/unprivileged=- \
+ smtp/inet/chroot=n \
+ smtp/inet/wakeup=- \
+ smtp/inet/process_limit=1 \
+ smtp/inet/command="postscreen"
+postconf -M tlsproxy/unix="tlsproxy unix - - n - 0 tlsproxy"
+postconf -F tlsproxy/unix/private=- \
+ tlsproxy/unix/unprivileged=- \
+ tlsproxy/unix/chroot=n \
+ tlsproxy/unix/wakeup=- \
+ tlsproxy/unix/process_limit=0 \
+ tlsproxy/unix/command="tlsproxy"
+postconf -M dnsblog/unix="dnsblog unix - - n - 0 dnsblog"
+postconf -F dnsblog/unix/private=- \
+ dnsblog/unix/unprivileged=- \
+ dnsblog/unix/chroot=n \
+ dnsblog/unix/wakeup=- \
+ dnsblog/unix/process_limit=0 \
+ dnsblog/unix/command="dnsblog"
+
+# FIXME: template tables instead of creating empty files
+touch /etc/postfix/rules/postscreen_access_list.cidr
+touch /etc/postfix/rules/postscreen_dnsbl_mask.pcre
+
+# main.cf options
+postconf -e postscreen_access_list="cidr:/etc/postfix/rules/postscreen_access_list.cidr, permit_mynetworks"
+postconf -e postscreen_dnsbl_sites="zen.spamhaus.org*3, b.barracudacentral.org*2, bl.spameatingmonkey.net*2, bl.spamcop.net, dnsbl.sorbs.net, psbl.surriel.com, bl.mailspike.net, swl.spamhaus.org*-4"
+postconf -e postscreen_dnsbl_reply_map="pcre:/etc/postfix/rules/postscreen_dnsbl_mask.pcre"
+postconf -e postscreen_blacklist_action="drop"
+postconf -e postscreen_dnsbl_action="enforce"
+postconf -e postscreen_dnsbl_threshold="3"
+postconf -e postscreen_dnsbl_whitelist_threshold="-1"
+postconf -e postscreen_greet_action="enforce"
+
+{{ else }}
+
+# disable postscreen
+postconf -M# smtpd/pass
+postconf -F smtp/inet/private=n \
+ smtp/inet/unprivileged=- \
+ smtp/inet/chroot=n \
+ smtp/inet/wakeup=- \
+ smtp/inet/process_limit=- \
+ smtp/inet/command="smtpd"
+postconf -M# dnsblog/unix
+
+{{ end }}
+
+# TODO: access list:
+# # Ansible-generated postscreen CIDR access table. You can change this
+# # file by setting the host variable `postfix_postscreen_access_list`
+# {% for entry in postfix_postscreen_access_list -%}
+# { { entry.address } } { { entry.action } }
+# {% endfor %}
+
+# TODO: reply map:
+# # postscreen reply map, matching entries will be replaced
+# # with the resulting text when telling the source of DNS
+# # blacklisting to the remote client.
+# # used to mask passwords contained in dnsbl names
+# # edit this file by setting the "mask" option for items
+# # in the host variable postfix_postscreen_dnsbl_sites
+# {% for entry in postfix_postscreen_dnsbl_sites -%}
+# {% if entry is mapping -%}{% if entry.mask is defined -%}
+# {% if entry.mask is string and entry.mask != "" -%}
+# /^{ { entry.site } }$/ { { entry.mask } }
+# {% else %}
+# /^{ { entry.site } }$/ dnsbl blacklist
+# {% endif %}{% endif %}{% endif %}{% endfor %}
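Review bot: `getv "/postscreen/enable"` is called without a default and the Dockerfile in this patch exports `SUBMISSION_ENABLE` but no `POSTSCREEN_ENABLE`, so unless the base image sets one, confd reports the key as missing instead of rendering this template; either use the two-argument form `{{ if eq (getv "/postscreen/enable" "no") "yes"}}` or add `ENV POSTSCREEN_ENABLE=no` next to `SUBMISSION_ENABLE` in the Dockerfile. The `postscreen_dnsbl_sites` entries carry weights but no reply filter, so any A record a list returns is scored; Spamhaus in particular documents error replies in 127.255.255.0/24 for queries that arrive through public resolvers, and with `zen.spamhaus.org*3` against `postscreen_dnsbl_threshold="3"` such a reply alone is enough to block every client, which matters in a container that typically resolves through whatever the host forwards to. Restricting each site to its documented listing range, e.g. `zen.spamhaus.org=127.0.0.[2..11]*3`, keeps error replies from counting. `postscreen_dnsbl_threshold` is also set here although the header comment lists it under NOT SUPPORTED; either drop it from that list or note that it is fixed rather than templated.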
diff --git a/confd/templates/setup_submission.tmpl b/confd/templates/setup_submission.tmpl
new file mode 100644
index 0000000..70c923a
--- /dev/null
+++ b/confd/templates/setup_submission.tmpl
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+#postconf -M submission/inet
+#postconf -P -h submission/inet/milter_macro_daemon_name
+#postconf -P -h submission/inet/smtpd_client_restrictions
+#postconf -P -h submission/inet/smtpd_sasl_auth_enable
+#postconf -P -h submission/inet/smtpd_tls_security_level
+#postconf -P -h submission/inet/syslog_name
+
+{{ if eq (getv "/submission/enable") "yes"}}
+postconf -M submission/inet="submission inet n - n - - smtpd"
+postconf -F submission/inet/private=n \
+ submission/inet/unprivileged=- \
+ submission/inet/chroot=n submission/inet/wakeup=- \
+ submission/inet/process_limit=- \
+ submission/inet/command="smtpd"
+postconf -P -e submission/inet/milter_macro_daemon_name="ORIGINATING"
+postconf -P -e submission/inet/smtpd_client_restrictions="permit_sasl_authenticated,reject"
+postconf -P -e submission/inet/smtpd_sasl_auth_enable="yes"
+postconf -P -e submission/inet/smtpd_tls_security_level="encrypt"
+postconf -P -e submission/inet/syslog_name="postfix/submission"
+{{ else }}
+postconf -M# submission/inet
+{{ end }}
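Review bot: In the `postconf -F` call, `submission/inet/chroot=n submission/inet/wakeup=-` are squeezed onto one continuation line while the sibling scripts in this patch put one field per line; splitting them into `submission/inet/chroot=n \` and `submission/inet/wakeup=- \` keeps the three templates consistent and the next diff readable. The per-service overrides (`smtpd_tls_security_level="encrypt"`, `smtpd_client_restrictions="permit_sasl_authenticated,reject"`) are the right shape for a submission port, but nothing records why this port deliberately drops the `permit_mynetworks` exemption used by the main restrictions; a comment above the block such as `# submission: TLS required, authenticated senders only, no local-network exemption` would make that intent explicit for whoever edits the restrictions later.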