postscreen parametrization

Dockerfile

@@ -29,6 +29,15 @@ ENV MESSAGE_SIZE_LIMIT=31457280
 ENV SMTPD_HELO_REQUIRED=yes
 ENV BIFF=no
 ENV SUBMISSION_ENABLE=no
+ENV POSTSCREEN_ENABLE=no
+ENV POSTSCREEN_ACCESS_LIST="cidr:/etc/postfix/rules/postscreen_access_list.cidr, permit_mynetworks"
+ENV POSTSCREEN_DNSBL_SITES="zen.spamhaus.org*3, b.barracudacentral.org*2, bl.spameatingmonkey.net*2, bl.spamcop.net, dnsbl.sorbs.net, psbl.surriel.com, bl.mailspike.net, swl.spamhaus.org*-4"
+ENV POSTSCREEN_DNSBL_REPLY_MAP="pcre:/etc/postfix/rules/postscreen_dnsbl_mask.pcre"
+ENV POSTSCREEN_BLACKLIST_ACTION="drop"
+ENV POSTSCREEN_DNSBL_ACTION="enforce"
+ENV POSTSCREEN_DNSBL_THRESHOLD="3"
+ENV POSTSCREEN_DNSBL_WHITELIST_THRESHOLD="-1"
+ENV POSTSCREEN_GREET_ACTION="enforce"
 
 # TODO: template access lists
 
@@ -48,6 +57,8 @@ RUN echo "_dev_null: /dev/null" > /etc/aliases \
 	/etc/postfix/rules/client_access_list \
 	/etc/postfix/rules/helo_access_list \
 	/etc/postfix/rules/recipient_access_list \
+	/etc/postfix/rules/postscreen_access_list.cidr \
+	/etc/postfix/rules/postscreen_dnsbl_mask.pcre \
   && mkdir -p /ssl \
   && chmod 700 /ssl \
   && cp /etc/ssl/certs/ssl-cert-snakeoil.pem /ssl/cert.pem \

confd/conf.d/setup_postscreen.toml

@@ -4,4 +4,12 @@ dest = "/start.d/setup_postscreen"
 mode = "0755"
 keys = [
 "/postscreen/enable",
+"/postscreen/access/list",
+"/postscreen/blacklist/action",
+"/postscreen/dnsbl/sites",
+"/postscreen/dnsbl/reply/map",
+"/postscreen/dnsbl/action",
+"/postscreen/dnsbl/threshold",
+"/postscreen/dnsbl/whitelist/threshold",
+"/postscreen/greet/action",
 ]

confd/templates/setup_postscreen.tmpl

@@ -57,14 +57,15 @@ touch /etc/postfix/rules/postscreen_access_list.cidr
 touch /etc/postfix/rules/postscreen_dnsbl_mask.pcre
 
 # main.cf options
-postconf -e postscreen_access_list="cidr:/etc/postfix/rules/postscreen_access_list.cidr, permit_mynetworks"
+# FIXME: allow un-setting options by blanking variable values
-postconf -e postscreen_dnsbl_sites="zen.spamhaus.org*3, b.barracudacentral.org*2, bl.spameatingmonkey.net*2, bl.spamcop.net, dnsbl.sorbs.net, psbl.surriel.com, bl.mailspike.net, swl.spamhaus.org*-4"
+{{ with getv "/postscreen/access/list" }}postconf -e postscreen_access_list='{{.}}'{{ end }}
-postconf -e postscreen_dnsbl_reply_map="pcre:/etc/postfix/rules/postscreen_dnsbl_mask.pcre"
+{{ with getv "/postscreen/blacklist/action" }}postconf -e postscreen_blacklist_action='{{.}}'{{ end }}
-postconf -e postscreen_blacklist_action="drop"
+{{ with getv "/postscreen/dnsbl/sites" }}postconf -e postscreen_dnsbl_sites='{{.}}'{{ end }}
-postconf -e postscreen_dnsbl_action="enforce"
+{{ with getv "/postscreen/dnsbl/reply/map" }}postconf -e postscreen_dnsbl_reply_map='{{.}}'{{ end }}
-postconf -e postscreen_dnsbl_threshold="3"
+{{ with getv "/postscreen/dnsbl/action" }}postconf -e postscreen_dnsbl_action='{{.}}'{{ end }}
-postconf -e postscreen_dnsbl_whitelist_threshold="-1"
+{{ with getv "/postscreen/dnsbl/threshold" }}postconf -e postscreen_dnsbl_threshold='{{.}}'{{ end }}
-postconf -e postscreen_greet_action="enforce"
+{{ with getv "/postscreen/dnsbl/whitelist/threshold" }}postconf -e postscreen_dnsbl_whitelist_threshold='{{.}}'{{ end }}
+{{ with getv "/postscreen/greet/action" }}postconf -e postscreen_greet_action='{{.}}'{{ end }}
 
 {{ else }}