scripts: housekeeping & cleanup setup (1/2) (#3121)

target/scripts/start-mailserver.sh

@@ -2,12 +2,6 @@
 
 # ------------------------------------------------------------
 # ? >> Sourcing helpers & stacks
-#      1. Helpers
-#      2. Checks
-#      3. Setup
-#      4. Fixes
-#      5. Miscellaneous
-#      6. Daemons
 # ------------------------------------------------------------
 
 # shellcheck source=./helpers/index.sh
@@ -22,12 +16,6 @@ source /usr/local/bin/check-stack.sh
 # shellcheck source=./startup/setup-stack.sh
 source /usr/local/bin/setup-stack.sh
 
-# shellcheck source=./startup/fixes-stack.sh
-source /usr/local/bin/fixes-stack.sh
-
-# shellcheck source=./startup/misc-stack.sh
-source /usr/local/bin/misc-stack.sh
-
 # shellcheck source=./startup/daemons-stack.sh
 source /usr/local/bin/daemons-stack.sh
 
@@ -48,7 +36,6 @@ _early_variables_setup
 
 function _register_functions
 {
-  _log 'info' 'Initializing setup'
   _log 'debug' 'Registering functions'
 
   # ? >> Checks
@@ -93,39 +80,36 @@ function _register_functions
     _register_setup_function '_setup_saslauthd'
   fi
 
-  [[ ${ENABLE_POSTGREY} -eq 1 ]] && _register_setup_function '_setup_postgrey'
   [[ ${POSTFIX_INET_PROTOCOLS} != 'all' ]] && _register_setup_function '_setup_postfix_inet_protocols'
   [[ ${DOVECOT_INET_PROTOCOLS} != 'all' ]] && _register_setup_function '_setup_dovecot_inet_protocols'
-  [[ ${ENABLE_FAIL2BAN} -eq 1 ]] && _register_setup_function '_setup_fail2ban'
-  [[ ${ENABLE_DNSBL} -eq 0 ]] && _register_setup_function '_setup_dnsbl_disable'
-  [[ ${CLAMAV_MESSAGE_SIZE_LIMIT} != '25M' ]] && _register_setup_function '_setup_clamav_sizelimit'
-  [[ ${ENABLE_RSPAMD} -eq 1 ]] && _register_setup_function '_setup_rspamd'
 
-  _register_setup_function '_setup_dkim_dmarc'
+  _register_setup_function '_setup_opendkim'
+  _register_setup_function '_setup_opendmarc' # must come after `_setup_opendkim`
+
+  _register_setup_function '_setup_security_stack'
+  _register_setup_function '_setup_rspamd'
+
   _register_setup_function '_setup_ssl'
   _register_setup_function '_setup_docker_permit'
   _register_setup_function '_setup_mailname'
-  _register_setup_function '_setup_amavis'
-  _register_setup_function '_setup_dmarc_hostname'
-  _register_setup_function '_setup_postfix_hostname'
   _register_setup_function '_setup_dovecot_hostname'
+
+  _register_setup_function '_setup_postfix_hostname'
   _register_setup_function '_setup_postfix_smtputf8'
   _register_setup_function '_setup_postfix_sasl'
-  _register_setup_function '_setup_security_stack'
   _register_setup_function '_setup_postfix_aliases'
   _register_setup_function '_setup_postfix_vhost'
   _register_setup_function '_setup_postfix_dhparam'
-  _register_setup_function '_setup_postfix_postscreen'
   _register_setup_function '_setup_postfix_sizelimits'
 
   # needs to come after _setup_postfix_aliases
-  [[ ${SPOOF_PROTECTION} -eq 1 ]] && _register_setup_function '_setup_spoof_protection'
 
   if [[ ${ENABLE_FETCHMAIL} -eq 1 ]]
   then
     _register_setup_function '_setup_fetchmail'
     [[ ${FETCHMAIL_PARALLEL} -eq 1 ]] && _register_setup_function '_setup_fetchmail_parallel'
   fi
+  _register_setup_function '_setup_spoof_protection'
 
   if [[ ${ENABLE_SRS} -eq 1  ]]
   then
@@ -143,16 +127,8 @@ function _register_functions
   _register_setup_function '_setup_mail_summary'
   _register_setup_function '_setup_logwatch'
 
-  # ? >> Fixes
-
-  _register_fix_function '_fix_var_mail_permissions'
-
-  [[ ${ENABLE_CLAMAV} -eq 0 ]] && _register_fix_function '_fix_cleanup_clamav'
-  [[ ${ENABLE_SPAMASSASSIN} -eq 0 ]] &&	_register_fix_function '_fix_cleanup_spamassassin'
-
-  # ? >> Miscellaneous
-
-  _register_misc_function '_misc_save_states'
+  _register_setup_function '_setup_save_states'
+  _register_setup_function '_setup_apply_fixes_after_configuration'
   _register_setup_function '_environment_variables_export'
 
   # ? >> Daemons
@@ -169,48 +145,27 @@ function _register_functions
     _register_start_daemon '_start_daemon_rspamd'
   fi
 
+  [[ ${SMTP_ONLY}               -ne 1 ]] && _register_start_daemon '_start_daemon_dovecot'
+  [[ ${ENABLE_UPDATE_CHECK}     -eq 1 ]] && _register_start_daemon '_start_daemon_update_check'
+
   # needs to be started before SASLauthd
-  [[ ${ENABLE_OPENDKIM} -eq 1 ]] && _register_start_daemon '_start_daemon_opendkim'
-  [[ ${ENABLE_OPENDMARC} -eq 1 ]] && _register_start_daemon '_start_daemon_opendmarc'
+  [[ ${ENABLE_OPENDKIM}         -eq 1 ]] && _register_start_daemon '_start_daemon_opendkim'
+  [[ ${ENABLE_OPENDMARC}        -eq 1 ]] && _register_start_daemon '_start_daemon_opendmarc'
 
   # needs to be started before postfix
-  [[ ${ENABLE_POSTGREY} -eq 1 ]] &&	_register_start_daemon '_start_daemon_postgrey'
+  [[ ${ENABLE_POSTGREY}         -eq 1 ]] &&	_register_start_daemon '_start_daemon_postgrey'
 
   _register_start_daemon '_start_daemon_postfix'
 
   # needs to be started after postfix
-  [[ ${ENABLE_SASLAUTHD} -eq 1 ]] && _register_start_daemon '_start_daemon_saslauthd'
-  [[ ${ENABLE_FAIL2BAN} -eq 1 ]] &&	_register_start_daemon '_start_daemon_fail2ban'
-  [[ ${ENABLE_FETCHMAIL} -eq 1 ]] && _register_start_daemon '_start_daemon_fetchmail'
-  [[ ${ENABLE_CLAMAV} -eq 1 ]] &&	_register_start_daemon '_start_daemon_clamav'
-  [[ ${ENABLE_AMAVIS} -eq 1 ]] && _register_start_daemon '_start_daemon_amavis'
+  [[ ${ENABLE_SASLAUTHD}        -eq 1 ]] && _register_start_daemon '_start_daemon_saslauthd'
+  [[ ${ENABLE_FAIL2BAN}         -eq 1 ]] &&	_register_start_daemon '_start_daemon_fail2ban'
+  [[ ${ENABLE_FETCHMAIL}        -eq 1 ]] && _register_start_daemon '_start_daemon_fetchmail'
+  [[ ${ENABLE_CLAMAV}           -eq 1 ]] &&	_register_start_daemon '_start_daemon_clamav'
+  [[ ${ENABLE_AMAVIS}           -eq 1 ]] && _register_start_daemon '_start_daemon_amavis'
   [[ ${ACCOUNT_PROVISIONER} == 'FILE' ]] && _register_start_daemon '_start_daemon_changedetector'
 }
 
-function _register_start_daemon
-{
-  DAEMONS_START+=("${1}")
-  _log 'trace' "${1}() registered"
-}
-
-function _register_fix_function
-{
-  FUNCS_FIX+=("${1}")
-  _log 'trace' "${1}() registered"
-}
-
-function _register_check_function
-{
-  FUNCS_CHECK+=("${1}")
-  _log 'trace' "${1}() registered"
-}
-
-function _register_misc_function
-{
-  FUNCS_MISC+=("${1}")
-  _log 'trace' "${1}() registered"
-}
-
 # ------------------------------------------------------------
 # ? << Registering functions
 # --
@@ -223,8 +178,6 @@ _register_functions
 _check
 _setup
 [[ ${LOG_LEVEL} =~ (debug|trace) ]] && print-environment
-_apply_fixes
-_start_misc
 _setup_run_user_patches
 _start_daemons
 

target/scripts/startup/check-stack.sh

@@ -1,5 +1,13 @@
 #!/bin/bash
 
+declare -a FUNCS_CHECK
+
+function _register_check_function
+{
+  FUNCS_CHECK+=("${1}")
+  _log 'trace' "${1}() registered"
+}
+
 function _check
 {
   _log 'info' 'Checking configuration'

target/scripts/startup/daemons-stack.sh

@@ -1,5 +1,13 @@
 #!/bin/bash
 
+declare -a DAEMONS_START
+
+function _register_start_daemon
+{
+  DAEMONS_START+=("${1}")
+  _log 'trace' "${1}() registered"
+}
+
 function _start_daemons
 {
   _log 'info' 'Starting daemons'

target/scripts/startup/fixes-stack.sh

@@ -1,40 +0,0 @@
-#!/bin/bash
-
-function _apply_fixes
-{
-  _log 'info' 'Post-configuration checks'
-  for FUNC in "${FUNCS_FIX[@]}"
-  do
-    ${FUNC}
-  done
-
-  _log 'trace' 'Removing leftover PID files from a stop/start'
-  find /var/run/ -not -name 'supervisord.pid' -name '*.pid' -delete
-  touch /dev/shm/supervisor.sock
-}
-
-function _fix_var_mail_permissions
-{
-  _log 'debug' 'Checking /var/mail permissions'
-
-  _chown_var_mail_if_necessary || _shutdown 'Failed to fix /var/mail permissions'
-  _log 'trace' 'Permissions in /var/mail look OK'
-}
-
-function _fix_cleanup_clamav
-{
-  _log 'trace' 'Cleaning up disabled ClamAV'
-  rm /etc/logrotate.d/clamav-* /etc/cron.d/clamav-freshclam 2>/dev/null || {
-    # show warning only on first container start
-    [[ ! -f /CONTAINER_START ]] && _log 'warn' 'Failed to remove ClamAV configuration'
-  }
-}
-
-function _fix_cleanup_spamassassin
-{
-  _log 'trace' 'Cleaning up disabled SpamAssassin'
-  rm /etc/cron.daily/spamassassin 2>/dev/null || {
-    # show warning only on first container start
-    [[ ! -f /CONTAINER_START ]] && _log 'warn' 'Failed to remove SpamAssassin configuration'
-  }
-}

target/scripts/startup/setup-stack.sh

@@ -111,3 +111,11 @@ function _setup_timezone
     return 1
   fi
 }
+function _setup_apply_fixes_after_configuration
+{
+  _log 'trace' 'Removing leftover PID files from a stop/start'
+  find /var/run/ -not -name 'supervisord.pid' -name '*.pid' -delete
+  touch /dev/shm/supervisor.sock
+  _log 'debug' 'Checking /var/mail permissions'
+  _chown_var_mail_if_necessary || _shutdown 'Failed to fix /var/mail permissions'
+}

target/scripts/startup/setup.d/dmarc_dkim_spf.sh

@@ -1,17 +1,16 @@
 #!/bin/bash
 
-
-# Set up OpenDKIM & OpenDMARC.
+# Set up OpenDKIM
 #
 # ## Attention
 #
-# The OpenDKIM milter must come before the OpenDMARC milter in Postfix's#
+# The OpenDKIM milter must come before the OpenDMARC milter in Postfix's
 # `smtpd_milters` milters options.
-function _setup_dkim_dmarc
+function _setup_opendkim
 {
   if [[ ${ENABLE_OPENDKIM} -eq 1 ]]
   then
-    _log 'debug' 'Setting up DKIM'
+    _log 'debug' 'Configuring DKIM'
 
     mkdir -p /etc/opendkim/keys/
     touch /etc/opendkim/{SigningTable,TrustedHosts,KeyTable}
@@ -43,26 +42,45 @@ function _setup_dkim_dmarc
       echo "Nameservers ${NAMESERVER_IPS}" >>/etc/opendkim.conf
       _log 'trace' "Nameservers added to '/etc/opendkim.conf'"
     fi
+  else
+    # Even though we do nothing here and the message suggests we perform some action, the
+    # message is due to the default value being `1`, i.e. enabled. If the default were `0`,
+    # we could have said `OpenDKIM is disabled`, but we need to make it uniform with all
+    # other functions.
+    _log 'debug' 'Disabling OpenDKIM'
   fi
+}
 
+# Set up OpenDKIM
+#
+# ## Attention
+#
+# The OpenDMARC milter must come after the OpenDKIM milter in Postfix's
+# `smtpd_milters` milters options.
+function _setup_opendmarc
+{
   if [[ ${ENABLE_OPENDMARC} -eq 1 ]]
   then
-    # TODO when disabling SPF is possible, add a check whether DKIM and SPF is disabled
+    # TODO When disabling SPF is possible, add a check whether DKIM and SPF is disabled
     #      for DMARC to work, you should have at least one enabled
     #      (see RFC 7489 https://www.rfc-editor.org/rfc/rfc7489#page-24)
+    _log 'debug' 'Configuring OpenDMARC'
+
     _log 'trace' "Adding OpenDMARC to Postfix's milters"
     postconf 'dmarc_milter = inet:localhost:8893'
     # Make sure to append the OpenDMARC milter _after_ the OpenDKIM milter!
     # shellcheck disable=SC2016
     sed -i -E 's|^(smtpd_milters =.*)|\1 \$dmarc_milter|g' /etc/postfix/main.cf
+
+    sed -i \
+      -e "s|^AuthservID.*$|AuthservID          ${HOSTNAME}|g" \
+      -e "s|^TrustedAuthservIDs.*$|TrustedAuthservIDs  ${HOSTNAME}|g" \
+      /etc/opendmarc.conf
+  else
+    # Even though we do nothing here and the message suggests we perform some action, the
+    # message is due to the default value being `1`, i.e. enabled. If the default were `0`,
+    # we could have said `OpenDKIM is disabled`, but we need to make it uniform with all
+    # other functions.
+    _log 'debug' 'Disabling OpenDMARC'
   fi
 }
-
-function _setup_dmarc_hostname
-{
-  _log 'debug' 'Setting up DMARC'
-  sed -i -e \
-    "s|^AuthservID.*$|AuthservID          ${HOSTNAME}|g" \
-    -e "s|^TrustedAuthservIDs.*$|TrustedAuthservIDs  ${HOSTNAME}|g" \
-    /etc/opendmarc.conf
-}

target/scripts/startup/setup.d/mail_state.sh

@@ -1,17 +1,8 @@
 #!/bin/bash
 
-function _start_misc
-{
-  _log 'info' 'Starting miscellaneous tasks'
-  for FUNC in "${FUNCS_MISC[@]}"
-  do
-    ${FUNC}
-  done
-}
-
-# consolidate all states into a single directory
+# Consolidate all states into a single directory
 # (/var/mail-state) to allow persistence using docker volumes
-function _misc_save_states
+function _setup_save_states
 {
   local STATEDIR FILE FILES
 

target/scripts/startup/setup.d/security/misc.sh

@@ -4,18 +4,79 @@ function _setup_security_stack
 {
   _log 'debug' 'Setting up Security Stack'
 
+  __setup__security__postgrey
+  __setup__security__postscreen
+
   # recreate auto-generated file
   local DMS_AMAVIS_FILE=/etc/amavis/conf.d/61-dms_auto_generated
 
   echo "# WARNING: this file is auto-generated." >"${DMS_AMAVIS_FILE}"
   echo "use strict;" >>"${DMS_AMAVIS_FILE}"
 
-  # SpamAssassin
-  if [[ ${ENABLE_SPAMASSASSIN} -eq 0 ]]
+  __setup__security__spamassassin
+  __setup__security__clamav
+
+  echo '1;  # ensure a defined return' >>"${DMS_AMAVIS_FILE}"
+  chmod 444 "${DMS_AMAVIS_FILE}"
+
+  __setup__security__fail2ban
+  __setup__security__amavis
+}
+
+function __setup__security__postgrey
+{
+  if [[ ${ENABLE_POSTGREY} -eq 1 ]]
   then
-    _log 'debug' 'SpamAssassin is disabled'
-    echo "@bypass_spam_checks_maps = (1);" >>"${DMS_AMAVIS_FILE}"
-  elif [[ ${ENABLE_SPAMASSASSIN} -eq 1 ]]
+    _log 'debug' 'Enabling and configuring Postgrey'
+
+    sedfile -i -E \
+      's|(^smtpd_recipient_restrictions =.*)|\1, check_policy_service inet:127.0.0.1:10023|' \
+      /etc/postfix/main.cf
+
+    sed -i -e \
+      "s|\"--inet=127.0.0.1:10023\"|\"--inet=127.0.0.1:10023 --delay=${POSTGREY_DELAY} --max-age=${POSTGREY_MAX_AGE} --auto-whitelist-clients=${POSTGREY_AUTO_WHITELIST_CLIENTS}\"|" \
+      /etc/default/postgrey
+
+    if ! grep -i 'POSTGREY_TEXT' /etc/default/postgrey
+    then
+      printf 'POSTGREY_TEXT=\"%s\"\n\n' "${POSTGREY_TEXT}" >>/etc/default/postgrey
+    fi
+
+    if [[ -f /tmp/docker-mailserver/whitelist_clients.local ]]
+    then
+      cp -f /tmp/docker-mailserver/whitelist_clients.local /etc/postgrey/whitelist_clients.local
+    fi
+
+    if [[ -f /tmp/docker-mailserver/whitelist_recipients ]]
+    then
+      cp -f /tmp/docker-mailserver/whitelist_recipients /etc/postgrey/whitelist_recipients
+    fi
+  else
+    _log 'debug' 'Postscreen is disabled'
+  fi
+}
+
+function __setup__security__postscreen
+{
+  _log 'debug' 'Configuring Postscreen'
+  sed -i \
+    -e "s|postscreen_dnsbl_action = enforce|postscreen_dnsbl_action = ${POSTSCREEN_ACTION}|" \
+    -e "s|postscreen_greet_action = enforce|postscreen_greet_action = ${POSTSCREEN_ACTION}|" \
+    -e "s|postscreen_bare_newline_action = enforce|postscreen_bare_newline_action = ${POSTSCREEN_ACTION}|" /etc/postfix/main.cf
+
+  if [[ ${ENABLE_DNSBL} -eq 0 ]]
+  then
+    _log 'debug' 'Disabling Postscreen DNSBLs'
+    postconf 'postscreen_dnsbl_action = ignore'
+    postconf 'postscreen_dnsbl_sites = '
+  else
+    _log 'debug' 'Postscreen DNSBLs are enabled'
+  fi
+}
+
+function __setup__security__spamassassin
+{
+  if [[ ${ENABLE_SPAMASSASSIN} -eq 1 ]]
   then
     _log 'debug' 'Enabling and configuring SpamAssassin'
 
@@ -28,6 +89,11 @@ function _setup_security_stack
     # shellcheck disable=SC2016
     sed -i -r 's|^\$sa_kill_level_deflt (.*);|\$sa_kill_level_deflt = '"${SA_KILL}"';|g' /etc/amavis/conf.d/20-debian_defaults
 
+    # fix cron.daily for spamassassin
+    sed -i \
+      's|invoke-rc.d spamassassin reload|/etc/init\.d/spamassassin reload|g' \
+      /etc/cron.daily/spamassassin
+
     if [[ ${SA_SPAM_SUBJECT} == 'undef' ]]
     then
       # shellcheck disable=SC2016
@@ -96,25 +162,37 @@ EOF
 
       chmod +x "${SPAMASSASSIN_KAM_CRON_FILE}"
     fi
+  else
+    _log 'debug' 'SpamAssassin is disabled'
+    echo "@bypass_spam_checks_maps = (1);" >>"${DMS_AMAVIS_FILE}"
+    rm -f /etc/cron.daily/spamassassin
   fi
+}
 
-  # ClamAV
-  if [[ ${ENABLE_CLAMAV} -eq 0 ]]
+function __setup__security__clamav
+{
+  if [[ ${ENABLE_CLAMAV} -eq 1 ]]
   then
-    _log 'debug' 'ClamAV is disabled'
+    _log 'debug' 'Enabling and configuring ClamAV'
+    if [[ ${CLAMAV_MESSAGE_SIZE_LIMIT} != '25M' ]]
+    then
+      _log 'trace' "Setting ClamAV message scan size limit to '${CLAMAV_MESSAGE_SIZE_LIMIT}'"
+      sedfile -i \
+        "s/^MaxFileSize.*/MaxFileSize ${CLAMAV_MESSAGE_SIZE_LIMIT}/" \
+        /etc/clamav/clamd.conf
+    fi
+  else
+    _log 'debug' 'Disabling ClamAV'
     echo '@bypass_virus_checks_maps = (1);' >>"${DMS_AMAVIS_FILE}"
-  elif [[ ${ENABLE_CLAMAV} -eq 1 ]]
-  then
-    _log 'debug' 'Enabling ClamAV'
+    rm -f /etc/logrotate.d/clamav-* /etc/cron.d/clamav-freshclam
   fi
+}
 
-  echo '1;  # ensure a defined return' >>"${DMS_AMAVIS_FILE}"
-  chmod 444 "${DMS_AMAVIS_FILE}"
-
-  # Fail2ban
+function __setup__security__fail2ban
+{
   if [[ ${ENABLE_FAIL2BAN} -eq 1 ]]
   then
-    _log 'debug' 'Enabling Fail2Ban'
+    _log 'debug' 'Enabling and configuring Fail2Ban'
 
     if [[ -e /tmp/docker-mailserver/fail2ban-fail2ban.cf ]]
     then
@@ -125,20 +203,24 @@ EOF
     then
       cp /tmp/docker-mailserver/fail2ban-jail.cf /etc/fail2ban/jail.d/user-jail.local
     fi
+
+    if [[ ${FAIL2BAN_BLOCKTYPE} != 'reject' ]]
+    then
+      echo -e '[Init]\nblocktype = drop' >/etc/fail2ban/action.d/nftables-common.local
+    fi
+
+    echo '[Definition]' >/etc/fail2ban/filter.d/custom.conf
   else
-    # disable logrotate config for fail2ban if not enabled
+    _log 'debug' 'Fail2Ban is disabled'
     rm -f /etc/logrotate.d/fail2ban
   fi
+}
 
-  # fix cron.daily for spamassassin
-  sed -i \
-    's|invoke-rc.d spamassassin reload|/etc/init\.d/spamassassin reload|g' \
-    /etc/cron.daily/spamassassin
-
-  # Amavis
+function __setup__security__amavis
+{
   if [[ ${ENABLE_AMAVIS} -eq 1 ]]
   then
-    _log 'debug' 'Enabling Amavis'
+    _log 'debug' 'Configuring Amavis'
     if [[ -f /tmp/docker-mailserver/amavis.cf ]]
     then
       cp /tmp/docker-mailserver/amavis.cf /etc/amavis/conf.d/50-user
@@ -147,14 +229,6 @@ EOF
     sed -i -E \
       "s|(log_level).*|\1 = ${AMAVIS_LOGLEVEL};|g" \
       /etc/amavis/conf.d/49-docker-mailserver
-  fi
-}
-
-function _setup_amavis
-{
-  if [[ ${ENABLE_AMAVIS} -eq 1 ]]
-  then
-    _log 'debug' 'Setting up Amavis'
 
     cat /etc/dms/postfix/master.d/postfix-amavis.cf >>/etc/postfix/master.cf
     postconf 'content_filter = smtp-amavis:[127.0.0.1]:10024'
@@ -163,7 +237,9 @@ function _setup_amavis
       "s|^#\$myhostname = \"mail.example.com\";|\$myhostname = \"${HOSTNAME}\";|" \
       /etc/amavis/conf.d/05-node_id
   else
-    _log 'debug' 'Disabling Amavis cron job'
+    _log 'debug' 'Disabling Amavis'
+
+    _log 'trace' 'Disabling Amavis cron job'
     mv /etc/cron.d/amavisd-new /etc/cron.d/amavisd-new.disabled
     chmod 0 /etc/cron.d/amavisd-new.disabled
 
@@ -178,88 +254,3 @@ function _setup_amavis
     fi
   fi
 }
-
-function _setup_fail2ban
-{
-  _log 'debug' 'Setting up Fail2Ban'
-
-  if [[ ${FAIL2BAN_BLOCKTYPE} != 'reject' ]]
-  then
-    echo -e '[Init]\nblocktype = drop' >/etc/fail2ban/action.d/nftables-common.local
-  fi
-
-  echo '[Definition]' >/etc/fail2ban/filter.d/custom.conf
-}
-
-function _setup_postgrey
-{
-  _log 'debug' 'Configuring Postgrey'
-
-  sedfile -i -E \
-    's|(^smtpd_recipient_restrictions =.*)|\1, check_policy_service inet:127.0.0.1:10023|' \
-    /etc/postfix/main.cf
-
-  sed -i -e \
-    "s|\"--inet=127.0.0.1:10023\"|\"--inet=127.0.0.1:10023 --delay=${POSTGREY_DELAY} --max-age=${POSTGREY_MAX_AGE} --auto-whitelist-clients=${POSTGREY_AUTO_WHITELIST_CLIENTS}\"|" \
-    /etc/default/postgrey
-
-  TEXT_FOUND=$(grep -c -i 'POSTGREY_TEXT' /etc/default/postgrey)
-
-  if [[ ${TEXT_FOUND} -eq 0 ]]
-  then
-    printf 'POSTGREY_TEXT=\"%s\"\n\n' "${POSTGREY_TEXT}" >>/etc/default/postgrey
-  fi
-
-  if [[ -f /tmp/docker-mailserver/whitelist_clients.local ]]
-  then
-    cp -f /tmp/docker-mailserver/whitelist_clients.local /etc/postgrey/whitelist_clients.local
-  fi
-
-  if [[ -f /tmp/docker-mailserver/whitelist_recipients ]]
-  then
-    cp -f /tmp/docker-mailserver/whitelist_recipients /etc/postgrey/whitelist_recipients
-  fi
-}
-
-function _setup_postfix_postscreen
-{
-  _log 'debug' 'Configuring Postscreen'
-  sed -i \
-    -e "s|postscreen_dnsbl_action = enforce|postscreen_dnsbl_action = ${POSTSCREEN_ACTION}|" \
-    -e "s|postscreen_greet_action = enforce|postscreen_greet_action = ${POSTSCREEN_ACTION}|" \
-    -e "s|postscreen_bare_newline_action = enforce|postscreen_bare_newline_action = ${POSTSCREEN_ACTION}|" /etc/postfix/main.cf
-}
-
-
-function _setup_clamav_sizelimit
-{
-  _log 'trace' "Setting ClamAV message scan size limit to '${CLAMAV_MESSAGE_SIZE_LIMIT}'"
-  sedfile -i "s/^MaxFileSize.*/MaxFileSize ${CLAMAV_MESSAGE_SIZE_LIMIT}/" /etc/clamav/clamd.conf
-}
-
-
-function _setup_spoof_protection
-{
-  _log 'trace' 'Configuring spoof protection'
-  sed -i \
-    's|smtpd_sender_restrictions =|smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch,|' \
-    /etc/postfix/main.cf
-
-  if [[ ${ACCOUNT_PROVISIONER} == 'LDAP' ]]
-  then
-    if [[ -z ${LDAP_QUERY_FILTER_SENDERS} ]]
-    then
-      postconf 'smtpd_sender_login_maps = ldap:/etc/postfix/ldap-users.cf ldap:/etc/postfix/ldap-aliases.cf ldap:/etc/postfix/ldap-groups.cf'
-    else
-      postconf 'smtpd_sender_login_maps = ldap:/etc/postfix/ldap-senders.cf'
-    fi
-  else
-    if [[ -f /etc/postfix/regexp ]]
-    then
-      postconf 'smtpd_sender_login_maps = unionmap:{ texthash:/etc/postfix/virtual, hash:/etc/aliases, pcre:/etc/postfix/maps/sender_login_maps.pcre, pcre:/etc/postfix/regexp }'
-    else
-      postconf 'smtpd_sender_login_maps = texthash:/etc/postfix/virtual, hash:/etc/aliases, pcre:/etc/postfix/maps/sender_login_maps.pcre'
-    fi
-  fi
-}
-

target/scripts/startup/setup.d/security/rspamd.sh

@@ -2,13 +2,18 @@
 
 function _setup_rspamd
 {
-  _log 'warn' 'Rspamd integration is work in progress - expect (breaking) changes at any time'
-  _log 'debug' 'Enabling Rspamd'
+  if [[ ${ENABLE_RSPAMD} -eq 1 ]]
+  then
+    _log 'warn' 'Rspamd integration is work in progress - expect (breaking) changes at any time'
+    _log 'debug' 'Enabling and configuring Rspamd'
 
-  __rspamd__preflight_checks
-  __rspamd__adjust_postfix_configuration
-  __rspamd__disable_default_modules
-  __rspamd__handle_modules_configuration
+    __rspamd__preflight_checks
+    __rspamd__adjust_postfix_configuration
+    __rspamd__disable_default_modules
+    __rspamd__handle_modules_configuration
+  else
+    _log 'debug' 'Rspamd is disabled'
+  fi
 }
 
 # Just a helper to prepend the log messages with `(Rspamd setup)` so

target/scripts/startup/setup.d/security/spoofing.sh

@@ -0,0 +1,32 @@
+#!/bin/bash
+
+function _setup_spoof_protection
+{
+  if [[ ${SPOOF_PROTECTION} -eq 1 ]]
+  then
+    _log 'trace' 'Enabling and configuring spoof protection'
+
+    sed -i \
+      's|smtpd_sender_restrictions =|smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch,|' \
+      /etc/postfix/main.cf
+
+    if [[ ${ACCOUNT_PROVISIONER} == 'LDAP' ]]
+    then
+      if [[ -z ${LDAP_QUERY_FILTER_SENDERS} ]]
+      then
+        postconf 'smtpd_sender_login_maps = ldap:/etc/postfix/ldap-users.cf ldap:/etc/postfix/ldap-aliases.cf ldap:/etc/postfix/ldap-groups.cf'
+      else
+        postconf 'smtpd_sender_login_maps = ldap:/etc/postfix/ldap-senders.cf'
+      fi
+    else
+      if [[ -f /etc/postfix/regexp ]]
+      then
+        postconf 'smtpd_sender_login_maps = unionmap:{ texthash:/etc/postfix/virtual, hash:/etc/aliases, pcre:/etc/postfix/maps/sender_login_maps.pcre, pcre:/etc/postfix/regexp }'
+      else
+        postconf 'smtpd_sender_login_maps = texthash:/etc/postfix/virtual, hash:/etc/aliases, pcre:/etc/postfix/maps/sender_login_maps.pcre'
+      fi
+    fi
+  else
+    _log 'debug' 'Spoof protection is disabled'
+  fi
+}

target/scripts/startup/variables-stack.sh

@@ -3,9 +3,6 @@
 # shellcheck disable=SC2034
 declare -A VARS
 
-# shellcheck disable=SC2034
-declare -a FUNCS_FIX FUNCS_CHECK FUNCS_MISC DAEMONS_START
-
 function _early_variables_setup
 {
   _obtain_hostname_and_domainname