diff --git a/Dockerfile b/Dockerfile
index fb24018..d4674bb 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -29,6 +29,15 @@ ENV MESSAGE_SIZE_LIMIT=31457280
 ENV SMTPD_HELO_REQUIRED=yes
 ENV BIFF=no
 ENV SUBMISSION_ENABLE=no
+ENV POSTSCREEN_ENABLE=no
+ENV POSTSCREEN_ACCESS_LIST="cidr:/etc/postfix/rules/postscreen_access_list.cidr, permit_mynetworks"
+ENV POSTSCREEN_DNSBL_SITES="zen.spamhaus.org*3, b.barracudacentral.org*2, bl.spameatingmonkey.net*2, bl.spamcop.net, dnsbl.sorbs.net, psbl.surriel.com, bl.mailspike.net, swl.spamhaus.org*-4"
+ENV POSTSCREEN_DNSBL_REPLY_MAP="pcre:/etc/postfix/rules/postscreen_dnsbl_mask.pcre"
+ENV POSTSCREEN_BLACKLIST_ACTION="drop"
+ENV POSTSCREEN_DNSBL_ACTION="enforce"
+ENV POSTSCREEN_DNSBL_THRESHOLD="3"
+ENV POSTSCREEN_DNSBL_WHITELIST_THRESHOLD="-1"
+ENV POSTSCREEN_GREET_ACTION="enforce"
 # TODO: template access lists
@@ -48,6 +57,8 @@ RUN echo "_dev_null: /dev/null" > /etc/aliases \
 /etc/postfix/rules/client_access_list \
 /etc/postfix/rules/helo_access_list \
 /etc/postfix/rules/recipient_access_list \
+ /etc/postfix/rules/postscreen_access_list.cidr \
+ /etc/postfix/rules/postscreen_dnsbl_mask.pcre \
 && mkdir -p /ssl \
 && chmod 700 /ssl \
 && cp /etc/ssl/certs/ssl-cert-snakeoil.pem /ssl/cert.pem \
diff --git a/confd/conf.d/setup_postscreen.toml b/confd/conf.d/setup_postscreen.toml
index 34d9aef..596a74e 100644
--- a/confd/conf.d/setup_postscreen.toml
+++ b/confd/conf.d/setup_postscreen.toml
@@ -4,4 +4,12 @@ dest = "/start.d/setup_postscreen"
 mode = "0755"
 keys = [
 "/postscreen/enable",
+"/postscreen/access/list",
+"/postscreen/blacklist/action",
+"/postscreen/dnsbl/sites",
+"/postscreen/dnsbl/reply/map",
+"/postscreen/dnsbl/action",
+"/postscreen/dnsbl/threshold",
+"/postscreen/dnsbl/whitelist/threshold",
+"/postscreen/greet/action",
 ]
diff --git a/confd/templates/setup_postscreen.tmpl b/confd/templates/setup_postscreen.tmpl
index 2f104df..1445170 100644
--- a/confd/templates/setup_postscreen.tmpl
+++ b/confd/templates/setup_postscreen.tmpl
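Review bot: In the first Dockerfile hunk, the `POSTSCREEN_DNSBL_SITES` default lists every site without a reply filter, so postscreen counts any non-error answer from a list as a hit. With `zen.spamhaus.org*3`, `POSTSCREEN_DNSBL_THRESHOLD="3"` and `POSTSCREEN_DNSBL_ACTION="enforce"`, a single answer from that one list is enough to reject a client, and that includes status or error codes that some list operators return instead of a listing (for example to queries arriving through a shared public resolver). Restricting the entries to their listing ranges, e.g. `zen.spamhaus.org=127.0.0.[2..11]*3`, would keep a resolver or quota problem from turning into blanket rejection of inbound mail. A short comment above the `ENV` block noting that the site list is a baked-in default that operators should review before setting `POSTSCREEN_ENABLE=yes` would also help.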
@@ -57,14 +57,15 @@ touch /etc/postfix/rules/postscreen_access_list.cidr
 touch /etc/postfix/rules/postscreen_dnsbl_mask.pcre
 # main.cf options
-postconf -e postscreen_access_list="cidr:/etc/postfix/rules/postscreen_access_list.cidr, permit_mynetworks"
-postconf -e postscreen_dnsbl_sites="zen.spamhaus.org*3, b.barracudacentral.org*2, bl.spameatingmonkey.net*2, bl.spamcop.net, dnsbl.sorbs.net, psbl.surriel.com, bl.mailspike.net, swl.spamhaus.org*-4"
-postconf -e postscreen_dnsbl_reply_map="pcre:/etc/postfix/rules/postscreen_dnsbl_mask.pcre"
-postconf -e postscreen_blacklist_action="drop"
-postconf -e postscreen_dnsbl_action="enforce"
-postconf -e postscreen_dnsbl_threshold="3"
-postconf -e postscreen_dnsbl_whitelist_threshold="-1"
-postconf -e postscreen_greet_action="enforce"
+# FIXME: allow un-setting options by blanking variable values
+{{ with getv "/postscreen/access/list" }}postconf -e postscreen_access_list='{{.}}'{{ end }}
+{{ with getv "/postscreen/blacklist/action" }}postconf -e postscreen_blacklist_action='{{.}}'{{ end }}
+{{ with getv "/postscreen/dnsbl/sites" }}postconf -e postscreen_dnsbl_sites='{{.}}'{{ end }}
+{{ with getv "/postscreen/dnsbl/reply/map" }}postconf -e postscreen_dnsbl_reply_map='{{.}}'{{ end }}
+{{ with getv "/postscreen/dnsbl/action" }}postconf -e postscreen_dnsbl_action='{{.}}'{{ end }}
+{{ with getv "/postscreen/dnsbl/threshold" }}postconf -e postscreen_dnsbl_threshold='{{.}}'{{ end }}
+{{ with getv "/postscreen/dnsbl/whitelist/threshold" }}postconf -e postscreen_dnsbl_whitelist_threshold='{{.}}'{{ end }}
+{{ with getv "/postscreen/greet/action" }}postconf -e postscreen_greet_action='{{.}}'{{ end }}
 {{ else }}
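Review bot: Each added `postconf -e …='{{.}}'` line drops a configuration value between single quotes in a generated shell script without escaping it, so a value that contains `'` closes the quoting and the rest of the value is parsed as shell when `/start.d/setup_postscreen` runs. The values now come from the confd backend keys rather than from literals in the template, so whoever can set those keys or the matching environment variables controls that text; the trust boundary moved with this change. Escape the quote before interpolating, e.g. `postconf -e postscreen_dnsbl_sites='{{ replace . "'" "'\\''" -1 }}'` (assuming the confd version in the image provides `replace`), or reject values outside an expected character set before writing them. This applies to all eight added lines. The enclosing `{{ if }}` … `{{ else }}` block starts and ends outside the hunk.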