commit
c8bbf043c9
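--- a/.drone.yml
+++ b/.drone.yml
@@ -0,0 +1,30 @@
+---
+kind: pipeline
+name: default
+
+steps:
+- name: build image only
+  image: plugins/docker
+  settings:
+    repo: eumau/postfix
+    auto_tag: true
+    dry_run: true
+  when:
+    ref:
+    - refs/pull/**
+    # event no anda (?)
+    # event:
+    # - pull_request
+
+- name: build and publish image
+  image: plugins/docker
+  settings:
+    repo: eumau/postfix
+    auto_tag: true
+    username:
+      from_secret: dockerhub_username
+    password:
+      from_secret: dockerhub_password
+  when:
+    branch:
+    - master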
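Review bot: The publish step's `when: branch: [master]` carries no `event` condition, so the step that receives the Docker Hub credentials is selected for any build whose branch resolves to master, which in Drone includes pull-request builds targeting master; the `# event no anda (?)` comment in the first step suggests the event filter was abandoned rather than deliberately left out. Restrict the publish step to pushes, `when: { branch: [master], event: [push] }`, so pull requests only ever reach the `dry_run: true` step. Whether secrets are actually handed to PR builds also depends on each secret's pull-request setting in Drone, which this file does not show, so treat the `event` filter as the first line of defence rather than the only one. Both steps also pull `plugins/docker` without a tag; pin the plugin that is given registry credentials to a specific version.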
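--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,3 @@
+*~
+\#*
+.#*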
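--- a/Dockerfile
+++ b/Dockerfile
@@ -0,0 +1,81 @@
+FROM eumau/debian:buster-slim
+LABEL maintainer "Mauro Torrez <mauro@mau.ro>"
+ARG DEBIAN_FRONTEND=noninteractive
+ENV LC_ALL C
+
+ENV MYDESTINATION='localhost.localdomain, localhost'
+ENV MYHOSTNAME=mail.example.com
+ENV MYDOMAIN=example.com
+ENV MYNETWORKS='127.0.0.0/8, [::ffff:127.0.0.0]/104, [::1]/128'
+ENV VIRTUAL_ALIAS_MAPS=
+ENV VIRTUAL_MAILBOX_MAPS=
+ENV VIRTUAL_TRANSPORT=lmtp:dovecot:24
+ENV VIRTUAL_MAILBOX_DOMAINS=example.com
+ENV SMTPD_SASL_PATH=inet:dovecot:12345
+ENV SMTPD_SASL_TYPE=dovecot
+ENV SMTPD_SASL_AUTH_ENABLE=no
+ENV SMTPD_TLS_CERT_FILE=/ssl/cert.pem
+ENV SMTPD_TLS_KEY_FILE=/ssl/key.pem
+ENV SMTP_TLS_SECURITY_LEVEL=may
+ENV SMTPD_TLS_SECURITY_LEVEL=may
+ENV SMTPD_TLS_AUTH_ONLY=no
+ENV SMTPD_TLS_SESSION_CACHE_DATABASE="btree:\${data_directory}/smtpd_scache"
+ENV SMTPD_CLIENT_RESTRICTIONS="check_client_access pcre:/etc/postfix/rules/client_access_list, permit_sasl_authenticated, permit_mynetworks, reject_unknown_client_hostname, reject_unauth_pipelining, permit"
+ENV SMTPD_DATA_RESTRICTIONS="reject_unauth_pipelining, permit"
+ENV SMTPD_HELO_RESTRICTIONS="check_helo_access hash:/etc/postfix/rules/helo_access_list, permit_mynetworks, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, warn_if_reject, permit"
+ENV SMTPD_RELAY_RESTRICTIONS="permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, permit"
+ENV SMTPD_RECIPIENT_RESTRICTIONS="check_recipient_access hash:/etc/postfix/rules/recipient_access_list, permit_mynetworks, permit_sasl_authenticated, reject_unknown_recipient_domain, reject_non_fqdn_recipient, reject_unauth_destination, permit"
+ENV MESSAGE_SIZE_LIMIT=31457280
+ENV SMTPD_HELO_REQUIRED=yes
+ENV BIFF=no
+ENV SUBMISSION_ENABLE=no
+
+# TODO: template access lists
+
+RUN echo "_dev_null: /dev/null" > /etc/aliases \
+    && apt-get update \
+    && apt-get install -y --no-install-recommends \
+        postfix \
+        postfix-pcre \
+        postfix-ldap \
+        postfix-sqlite \
+        libsasl2-modules \
+        ssl-cert \
+    && rm -rf /var/lib/apt/lists/* \
+    && cp /usr/share/postfix/main.cf.debian /etc/postfix/main.cf \
+    && mkdir -p /etc/postfix/rules \
+    && touch \
+        /etc/postfix/rules/client_access_list \
+        /etc/postfix/rules/helo_access_list \
+        /etc/postfix/rules/recipient_access_list \
+    && mkdir -p /ssl \
+    && chmod 700 /ssl \
+    && cp /etc/ssl/certs/ssl-cert-snakeoil.pem /ssl/cert.pem \
+    && cp /etc/ssl/private/ssl-cert-snakeoil.key /ssl/key.pem \
+    && postconf -F \
+        smtp/inet/chroot=n \
+        pickup/unix/chroot=n \
+        cleanup/unix/chroot=n \
+        qmgr/unix/chroot=n \
+        tlsmgr/unix/chroot=n \
+        rewrite/unix/chroot=n \
+        bounce/unix/chroot=n \
+        defer/unix/chroot=n \
+        trace/unix/chroot=n \
+        verify/unix/chroot=n \
+        flush/unix/chroot=n \
+        smtp/unix/chroot=n \
+        relay/unix/chroot=n \
+        showq/unix/chroot=n \
+        error/unix/chroot=n \
+        retry/unix/chroot=n \
+        discard/unix/chroot=n \
+        lmtp/unix/chroot=n \
+        anvil/unix/chroot=n \
+        scache/unix/chroot=n
+
+ADD confd /etc/confd/
+VOLUME /etc/postfix /ssl
+EXPOSE 25/tcp 587/tcp
+
+CMD ["postfix","start-fg"]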
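Review bot: The `cp /etc/ssl/private/ssl-cert-snakeoil.key /ssl/key.pem` line bakes a private key into an image layer that the pipeline publishes to Docker Hub, so every container started from this image — and anyone who can pull it — shares one TLS key, and the `VOLUME /ssl` that follows turns that copy into the default volume content rather than a placeholder. Generate the pair at container start when `/ssl/key.pem` is absent, or leave `/ssl` empty and state that it must be mounted; if the snakeoil copy is kept for development, put `# Debian snakeoil pair: shared by every container, replace by mounting /ssl` above the `cp`. The `postconf -F ... chroot=n` list disables the chroot that Debian's master.cf applies to those services, which removes a containment layer; that is presumably needed so the `dovecot` and DNS names resolve from inside the container, and a why-comment on the `postconf -F` line should say so. Smaller points: `ADD confd /etc/confd/` copies a local directory and should be `COPY`, and `ENV LC_ALL C` is the legacy form (`ENV LC_ALL=C`).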
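--- a/confd/conf.d/setup_main.toml
+++ b/confd/conf.d/setup_main.toml
@@ -0,0 +1,31 @@
+[template]
+src = "setup_main.tmpl"
+dest = "/start.d/setup_main"
+mode = "0755"
+keys = [
+  "/mydestination",
+  "/myhostname",
+  "/mydomain",
+  "/mynetworks",
+  "/virtual/alias/maps",
+  "/virtual/mailbox/maps",
+  "/virtual/transport",
+  "/virtual/mailbox/domains",
+  "/smtpd/sasl/path",
+  "/smtpd/sasl/type",
+  "/smtpd/sasl/auth/enable",
+  "/smtpd/tls/cert/file",
+  "/smtpd/tls/key/file",
+  "/smtp/tls/security/level",
+  "/smtpd/tls/security/level",
+  "/smtpd/tls/auth/only",
+  "/smtpd/tls/session/cache/database",
+  "/smtpd/client/restrictions",
+  "/smtpd/data/restrictions",
+  "/smtpd/helo/restrictions",
+  "/smtpd/relay/restrictions",
+  "/smtpd/recipient/restrictions",
+  "/message/size/limit",
+  "/smtpd/helo/required",
+  "/biff",
+]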
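--- a/confd/conf.d/setup_postscreen.toml
+++ b/confd/conf.d/setup_postscreen.toml
@@ -0,0 +1,7 @@
+[template]
+src = "setup_postscreen.tmpl"
+dest = "/start.d/setup_postscreen"
+mode = "0755"
+keys = [
+  "/postscreen/enable",
+]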
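--- a/confd/conf.d/setup_submission.toml
+++ b/confd/conf.d/setup_submission.toml
@@ -0,0 +1,7 @@
+[template]
+src = "setup_submission.tmpl"
+dest = "/start.d/setup_submission"
+mode = "0755"
+keys = [
+  "/submission/enable",
+]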
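--- a/confd/templates/setup_main.tmpl
+++ b/confd/templates/setup_main.tmpl
@@ -0,0 +1,59 @@
+#!/bin/bash
+
+# Managing main.cf:
+# postconf [-dfhHnopvx] [-c config_dir] [-C class,...] [parameter ...]
+# postconf [-epv] [-c config_dir] parameter=value ...
+# postconf -# [-pv] [-c config_dir] parameter ...
+# postconf -X [-pv] [-c config_dir] parameter ...
+
+# Managing master.cf service entries:
+# postconf -M [-fovx] [-c config_dir] [service[/type] ...]
+# postconf -M [-ev] [-c config_dir] service/type=value ...
+# postconf -M# [-v] [-c config_dir] service/type ...
+# postconf -MX [-v] [-c config_dir] service/type ...
+
+# Managing master.cf service fields:
+# postconf -F [-fhHovx] [-c config_dir] [service[/type[/field]] ...]
+# postconf -F [-ev] [-c config_dir] service/type/field=value ...
+
+# Managing master.cf service parameters:
+# postconf -P [-fhHovx] [-c config_dir] [service[/type[/parameter]] ...]
+# postconf -P [-ev] [-c config_dir] service/type/parameter=value ...
+# postconf -PX [-v] [-c config_dir] service/type/parameter ...
+
+# Managing bounce message templates:
+# postconf -b [-v] [-c config_dir] [template_file]
+# postconf -t [-v] [-c config_dir] [template_file]
+
+# Managing TLS features:
+# postconf -T mode [-v] [-c config_dir]
+
+# Managing other configuration:
+# postconf -a|-A|-l|-m [-v] [-c config_dir]
+
+postconf maillog_file=/dev/stdout
+{{ with getv "/mydestination" }}postconf mydestination='{{.}}'{{ end }}
+{{ with getv "/myhostname" }}postconf myhostname='{{.}}'{{ end }}
+{{ with getv "/mydomain" }}postconf mydomain='{{.}}'{{ end }}
+{{ with getv "/mynetworks" }}postconf mynetworks='{{.}}'{{ end }}
+{{ with getv "/virtual/alias/maps" }}postconf virtual_alias_maps='{{.}}'{{ end }}
+{{ with getv "/virtual/mailbox/maps" }}postconf virtual_mailbox_maps='{{.}}'{{ end }}
+{{ with getv "/virtual/transport" }}postconf virtual_transport='{{.}}'{{ end }}
+{{ with getv "/virtual/mailbox/domains" }}postconf virtual_mailbox_domains='{{.}}'{{ end }}
+{{ with getv "/smtpd/sasl/path" }}postconf smtpd_sasl_path='{{.}}'{{ end }}
+{{ with getv "/smtpd/sasl/type" }}postconf smtpd_sasl_type='{{.}}'{{ end }}
+{{ with getv "/smtpd/sasl/auth/enable" }}postconf smtpd_sasl_auth_enable='{{.}}'{{ end }}
+{{ with getv "/smtpd/tls/cert/file" }}postconf smtpd_tls_cert_file='{{.}}'{{ end }}
+{{ with getv "/smtpd/tls/key/file" }}postconf smtpd_tls_key_file='{{.}}'{{ end }}
+{{ with getv "/smtp/tls/security/level" }}postconf smtp_tls_security_level='{{.}}'{{ end }}
+{{ with getv "/smtpd/tls/security/level" }}postconf smtpd_tls_security_level='{{.}}'{{ end }}
+{{ with getv "/smtpd/tls/auth/only" }}postconf smtpd_tls_auth_only='{{.}}'{{ end }}
+{{ with getv "/smtpd/tls/session/cache/database" }}postconf smtpd_tls_session_cache_database='{{.}}'{{ end }}
+{{ with getv "/smtpd/client/restrictions" }}postconf smtpd_client_restrictions='{{.}}'{{ end }}
+{{ with getv "/smtpd/data/restrictions" }}postconf smtpd_data_restrictions='{{.}}'{{ end }}
+{{ with getv "/smtpd/helo/restrictions" }}postconf smtpd_helo_restrictions='{{.}}'{{ end }}
+{{ with getv "/smtpd/relay/restrictions" }}postconf smtpd_relay_restrictions='{{.}}'{{ end }}
+{{ with getv "/smtpd/recipient/restrictions" }}postconf smtpd_recipient_restrictions='{{.}}'{{ end }}
+{{ with getv "/message/size/limit" }}postconf message_size_limit='{{.}}'{{ end }}
+{{ with getv "/smtpd/helo/required" }}postconf smtpd_helo_required='{{.}}'{{ end }}
+{{ with getv "/biff" }}postconf biff='{{.}}'{{ end }}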
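Review bot: Every value is spliced into a single-quoted argument, `postconf mydestination='{{.}}'`, so a value containing a single quote ends the quoting and whatever follows is run by bash as part of the start script. The keys are environment variables here (the Dockerfile declares each one with `ENV`), so the script can read them itself and let the shell quote them: `[ -n "$MYDESTINATION" ] && postconf "mydestination=$MYDESTINATION"`, which also keeps the "skip when empty" behaviour of the `{{ with }}` guard. The operator sets these variables, so this is about robustness against an awkward value rather than an attacker, but the restriction lists in particular routinely carry commas, colons and map specs that are easy to get wrong. Consider `set -eu` after the shebang as well, so a rejected `postconf` aborts the start script instead of leaving Postfix with a half-applied configuration; whether the /start.d runner checks exit codes is not visible in this commit.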
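--- a/confd/templates/setup_postscreen.tmpl
+++ b/confd/templates/setup_postscreen.tmpl
@@ -0,0 +1,103 @@
+#!/bin/bash
+
+#postconf -M smtpd/pass
+#postconf -Fh smtp/inet/private smtp/inet/unprivileged smtp/inet/chroot smtp/inet/wakeup smtp/inet/process_limit smtp/inet/command
+#postconf -M smtp/inet
+#postconf -M tlsproxy/unix
+#postconf -M dnsblog/unix
+#postconf -h postscreen_access_list
+#postconf -h postscreen_dnsbl_sites
+#postconf -h postscreen_dnsbl_reply_map
+#postconf -h postscreen_dnsbl_action
+#postconf -h postscreen_blacklist_action
+#postconf -h postscreen_dnsbl_whitelist_threshold
+#postconf -h postscreen_greet_action
+#postconf -h postscreen_greet_wait
+
+# NOT SUPPORTED:
+#postconf -h postscreen_bare_newline_enable
+#postconf -h postscreen_non_smtp_command_enable
+#postconf -h postscreen_pipelining_enable
+#postconf -h postscreen_bare_newline_action
+#postconf -h postscreen_dnsbl_threshold
+#postconf -h postscreen_non_smtp_command_action
+#postconf -h postscreen_pipelining_action
+
+{{ if eq (getv "/postscreen/enable") "yes"}}
+postconf -M smtpd/pass="smtpd pass - - n - - smtpd"
+postconf -F smtpd/pass/private=- \
+    smtpd/pass/unprivileged=- \
+    smtpd/pass/chroot=n \
+    smtpd/pass/wakeup=- \
+    smtpd/pass/process_limit=- \
+    smtpd/pass/command="smtpd"
+postconf -F smtp/inet/private=n \
+    smtp/inet/unprivileged=- \
+    smtp/inet/chroot=n \
+    smtp/inet/wakeup=- \
+    smtp/inet/process_limit=1 \
+    smtp/inet/command="postscreen"
+postconf -M tlsproxy/unix="tlsproxy unix - - n - 0 tlsproxy"
+postconf -F tlsproxy/unix/private=- \
+    tlsproxy/unix/unprivileged=- \
+    tlsproxy/unix/chroot=n \
+    tlsproxy/unix/wakeup=- \
+    tlsproxy/unix/process_limit=0 \
+    tlsproxy/unix/command="tlsproxy"
+postconf -M dnsblog/unix="dnsblog unix - - n - 0 dnsblog"
+postconf -F dnsblog/unix/private=- \
+    dnsblog/unix/unprivileged=- \
+    dnsblog/unix/chroot=n \
+    dnsblog/unix/wakeup=- \
+    dnsblog/unix/process_limit=0 \
+    dnsblog/unix/command="dnsblog"
+
+# FIXME: template tables instead of creating empty files
+touch /etc/postfix/rules/postscreen_access_list.cidr
+touch /etc/postfix/rules/postscreen_dnsbl_mask.pcre
+
+# main.cf options
+postconf -e postscreen_access_list="cidr:/etc/postfix/rules/postscreen_access_list.cidr, permit_mynetworks"
+postconf -e postscreen_dnsbl_sites="zen.spamhaus.org*3, b.barracudacentral.org*2, bl.spameatingmonkey.net*2, bl.spamcop.net, dnsbl.sorbs.net, psbl.surriel.com, bl.mailspike.net, swl.spamhaus.org*-4"
+postconf -e postscreen_dnsbl_reply_map="pcre:/etc/postfix/rules/postscreen_dnsbl_mask.pcre"
+postconf -e postscreen_blacklist_action="drop"
+postconf -e postscreen_dnsbl_action="enforce"
+postconf -e postscreen_dnsbl_threshold="3"
+postconf -e postscreen_dnsbl_whitelist_threshold="-1"
+postconf -e postscreen_greet_action="enforce"
+
+{{ else }}
+
+# disable postscreen
+postconf -M# smtpd/pass
+postconf -F smtp/inet/private=n \
+    smtp/inet/unprivileged=- \
+    smtp/inet/chroot=n \
+    smtp/inet/wakeup=- \
+    smtp/inet/process_limit=- \
+    smtp/inet/command="smtpd"
+postconf -M# dnsblog/unix
+
+{{ end }}
+
+# TODO: access list:
+# # Ansible-generated postscreen CIDR access table. You can change this
+# # file by setting the host variable `postfix_postscreen_access_list`
+# {% for entry in postfix_postscreen_access_list -%}
+# { { entry.address } } { { entry.action } }
+# {% endfor %}
+
+# TODO: reply map:
+# # postscreen reply map, matching entries will be replaced
+# # with the resulting text when telling the source of DNS
+# # blacklisting to the remote client.
+# # used to mask passwords contained in dnsbl names
+# # edit this file by setting the "mask" option for items
+# # in the host variable postfix_postscreen_dnsbl_sites
+# {% for entry in postfix_postscreen_dnsbl_sites -%}
+# {% if entry is mapping -%}{% if entry.mask is defined -%}
+# {% if entry.mask is string and entry.mask != "" -%}
+# /^{ { entry.site } }$/ { { entry.mask } }
+# {% else %}
+# /^{ { entry.site } }$/ dnsbl blacklist
+# {% endif %}{% endif %}{% endif %}{% endfor %}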
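Review bot: `postconf -e postscreen_dnsbl_threshold="3"` is set in the enabled branch even though the header lists `postscreen_dnsbl_threshold` under `# NOT SUPPORTED:`; one of the two is wrong and the comment should be corrected or the line dropped. The `zen.spamhaus.org*3` entry credits any A record from that zone with the full threshold, and Spamhaus's public mirrors answer queries arriving via open or shared resolvers with special return codes instead of a real listing, so in a container whose resolver Spamhaus does not accept every client would be rejected; limiting the entry to the listing range, `zen.spamhaus.org=127.0.0.[2..11]*3` (and likewise for `swl.spamhaus.org`), avoids that, and a comment recording the assumption about the resolver belongs next to the line. Separately, this template calls `getv "/postscreen/enable"` but the Dockerfile in this commit declares no `POSTSCREEN_ENABLE`, unlike `SUBMISSION_ENABLE=no`; unless the base image supplies it, confd will refuse to render the script, so add `ENV POSTSCREEN_ENABLE=no` beside the submission default.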
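--- a/confd/templates/setup_submission.tmpl
+++ b/confd/templates/setup_submission.tmpl
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+#postconf -M submission/inet
+#postconf -P -h submission/inet/milter_macro_daemon_name
+#postconf -P -h submission/inet/smtpd_client_restrictions
+#postconf -P -h submission/inet/smtpd_sasl_auth_enable
+#postconf -P -h submission/inet/smtpd_tls_security_level
+#postconf -P -h submission/inet/syslog_name
+
+{{ if eq (getv "/submission/enable") "yes"}}
+postconf -M submission/inet="submission inet n - n - - smtpd"
+postconf -F submission/inet/private=n \
+    submission/inet/unprivileged=- \
+    submission/inet/chroot=n submission/inet/wakeup=- \
+    submission/inet/process_limit=- \
+    submission/inet/command="smtpd"
+postconf -P -e submission/inet/milter_macro_daemon_name="ORIGINATING"
+postconf -P -e submission/inet/smtpd_client_restrictions="permit_sasl_authenticated,reject"
+postconf -P -e submission/inet/smtpd_sasl_auth_enable="yes"
+postconf -P -e submission/inet/smtpd_tls_security_level="encrypt"
+postconf -P -e submission/inet/syslog_name="postfix/submission"
+{{ else }}
+postconf -M# submission/inet
+{{ end }}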
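Review bot: The `postconf -F submission/inet/...` block restates field by field what `postconf -M submission/inet="submission inet n - n - - smtpd"` on the line above already writes, so one of the two should go; keeping only the `-M` line leaves the service definition readable at a glance. The hardening itself reads correctly: `smtpd_tls_security_level="encrypt"` makes Postfix refuse AUTH until STARTTLS has completed and `smtpd_client_restrictions="permit_sasl_authenticated,reject"` turns away unauthenticated senders, while relaying for authenticated users depends on the `permit_sasl_authenticated` in main.cf's `smtpd_relay_restrictions` set from the Dockerfile, which deserves a comment such as `# relay for authenticated clients is granted by main.cf smtpd_relay_restrictions`. One caveat worth recording: SASL is delegated through `SMTPD_SASL_PATH=inet:dovecot:12345`, so submission credentials are forwarded to Dovecot over a plain TCP socket; that is only acceptable on a private container network, which this template cannot verify.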