From 4b04c3e31cde383490e9287a3687782e35b7aaf8 Mon Sep 17 00:00:00 2001 From: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com> Date: Mon, 27 Feb 2023 20:21:45 +0100 Subject: [PATCH] scripts: housekeeping & cleanup setup (1/2) (#3121) --- target/scripts/start-mailserver.sh | 91 ++----- target/scripts/startup/check-stack.sh | 8 + target/scripts/startup/daemons-stack.sh | 8 + target/scripts/startup/fixes-stack.sh | 40 --- target/scripts/startup/setup-stack.sh | 8 + .../scripts/startup/setup.d/dmarc_dkim_spf.sh | 48 ++-- .../{misc-stack.sh => setup.d/mail_state.sh} | 13 +- .../scripts/startup/setup.d/security/misc.sh | 227 +++++++++--------- .../startup/setup.d/security/rspamd.sh | 17 +- .../startup/setup.d/security/spoofing.sh | 32 +++ target/scripts/startup/variables-stack.sh | 3 - 11 files changed, 233 insertions(+), 262 deletions(-) delete mode 100644 target/scripts/startup/fixes-stack.sh rename target/scripts/startup/{misc-stack.sh => setup.d/mail_state.sh} (95%) create mode 100644 target/scripts/startup/setup.d/security/spoofing.sh diff --git a/target/scripts/start-mailserver.sh b/target/scripts/start-mailserver.sh index 6498a914..62b22a4e 100755 --- a/target/scripts/start-mailserver.sh +++ b/target/scripts/start-mailserver.sh @@ -2,12 +2,6 @@ # ------------------------------------------------------------ # ? >> Sourcing helpers & stacks -# 1. Helpers -# 2. Checks -# 3. Setup -# 4. Fixes -# 5. Miscellaneous -# 6. Daemons # ------------------------------------------------------------ # shellcheck source=./helpers/index.sh @@ -22,12 +16,6 @@ source /usr/local/bin/check-stack.sh # shellcheck source=./startup/setup-stack.sh source /usr/local/bin/setup-stack.sh -# shellcheck source=./startup/fixes-stack.sh -source /usr/local/bin/fixes-stack.sh - -# shellcheck source=./startup/misc-stack.sh -source /usr/local/bin/misc-stack.sh - # shellcheck source=./startup/daemons-stack.sh source /usr/local/bin/daemons-stack.sh 
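Review bot: The numbered sourcing-order list under `? >> Sourcing helpers & stacks` was deleted together with the two dropped `source` lines, so the header now describes nothing, although the order still matters: `_register_check_function` and `_register_start_daemon` (now defined in check-stack.sh and daemons-stack.sh) call `_log`, which presumably comes from the helpers sourced first. I would keep a trimmed list in the header comment: `# 1. Helpers  2. Checks  3. Setup  4. Daemons`, so the next cleanup does not reorder the `source` lines.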
@@ -48,7 +36,6 @@ _early_variables_setup function _register_functions { - _log 'info' 'Initializing setup' _log 'debug' 'Registering functions' # ? >> Checks 
@@ -93,39 +80,36 @@ function _register_functions _register_setup_function '_setup_saslauthd' fi - [[ ${ENABLE_POSTGREY} -eq 1 ]] && _register_setup_function '_setup_postgrey' [[ ${POSTFIX_INET_PROTOCOLS} != 'all' ]] && _register_setup_function '_setup_postfix_inet_protocols' [[ ${DOVECOT_INET_PROTOCOLS} != 'all' ]] && _register_setup_function '_setup_dovecot_inet_protocols' - [[ ${ENABLE_FAIL2BAN} -eq 1 ]] && _register_setup_function '_setup_fail2ban' - [[ ${ENABLE_DNSBL} -eq 0 ]] && _register_setup_function '_setup_dnsbl_disable' - [[ ${CLAMAV_MESSAGE_SIZE_LIMIT} != '25M' ]] && _register_setup_function '_setup_clamav_sizelimit' - [[ ${ENABLE_RSPAMD} -eq 1 ]] && _register_setup_function '_setup_rspamd' - _register_setup_function '_setup_dkim_dmarc' + _register_setup_function '_setup_opendkim' + _register_setup_function '_setup_opendmarc' # must come after `_setup_opendkim` + + _register_setup_function '_setup_security_stack' + _register_setup_function '_setup_rspamd' + _register_setup_function '_setup_ssl' _register_setup_function '_setup_docker_permit' _register_setup_function '_setup_mailname' - _register_setup_function '_setup_amavis' - _register_setup_function '_setup_dmarc_hostname' - _register_setup_function '_setup_postfix_hostname' _register_setup_function '_setup_dovecot_hostname' + + _register_setup_function '_setup_postfix_hostname' _register_setup_function '_setup_postfix_smtputf8' _register_setup_function '_setup_postfix_sasl' - _register_setup_function '_setup_security_stack' _register_setup_function '_setup_postfix_aliases' _register_setup_function '_setup_postfix_vhost' _register_setup_function '_setup_postfix_dhparam' - _register_setup_function '_setup_postfix_postscreen' _register_setup_function '_setup_postfix_sizelimits' # needs to come after _setup_postfix_aliases - [[ ${SPOOF_PROTECTION} -eq 1 ]] && _register_setup_function '_setup_spoof_protection' if [[ ${ENABLE_FETCHMAIL} -eq 1 ]] then _register_setup_function '_setup_fetchmail' [[ 
${FETCHMAIL_PARALLEL} -eq 1 ]] && _register_setup_function '_setup_fetchmail_parallel' fi + _register_setup_function '_setup_spoof_protection' if [[ ${ENABLE_SRS} -eq 1 ]] then @@ -143,16 +127,8 @@ function _register_functions _register_setup_function '_setup_mail_summary' _register_setup_function '_setup_logwatch' - # ? >> Fixes - - _register_fix_function '_fix_var_mail_permissions' - - [[ ${ENABLE_CLAMAV} -eq 0 ]] && _register_fix_function '_fix_cleanup_clamav' - [[ ${ENABLE_SPAMASSASSIN} -eq 0 ]] && _register_fix_function '_fix_cleanup_spamassassin' - - # ? >> Miscellaneous - - _register_misc_function '_misc_save_states' + _register_setup_function '_setup_save_states' + _register_setup_function '_setup_apply_fixes_after_configuration' _register_setup_function '_environment_variables_export' # ? >> Daemons 
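Review bot: Only `_setup_opendmarc` received an ordering comment, yet this hunk also moves `_setup_security_stack`, `_setup_rspamd` and `_setup_spoof_protection` relative to the `_setup_postfix_*` functions, and `_setup_opendmarc` appends `$dmarc_milter` to `smtpd_milters` with a sed; whatever `__rspamd__adjust_postfix_configuration` does to `smtpd_milters` (not visible in this diff) has to be append-only, otherwise registering `_setup_rspamd` after it silently drops the DKIM/DMARC milters. Suggest `_register_setup_function '_setup_rspamd' # must come after _setup_opendmarc: both modify smtpd_milters`, and a one-line comment on the other moved registrations stating why their position against `_setup_postfix_hostname` and friends is irrelevant, if that is the reason for the reshuffle. `_register_functions` starts before this hunk and continues after it.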
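Review bot: The relative order of the state consolidation and the /var/mail permission fix is inverted here: before this commit `_apply_fixes` (which ran `_chown_var_mail_if_necessary`) executed before `_start_misc` (`_misc_save_states`), while now `_setup_save_states` is registered ahead of `_setup_apply_fixes_after_configuration`. If `_setup_save_states` moves or links anything under /var/mail (its body is outside this diff), the chown now runs against the post-move layout, which may be intended but is a behaviour change in a housekeeping commit. Either swap the two registrations to preserve the previous order or document the chosen one with `# must run after _setup_save_states` on the fixes line. `_register_functions` begins before this hunk.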
@@ -169,48 +145,27 @@ function _register_functions _register_start_daemon '_start_daemon_rspamd' fi + [[ ${SMTP_ONLY} -ne 1 ]] && _register_start_daemon '_start_daemon_dovecot' + [[ ${ENABLE_UPDATE_CHECK} -eq 1 ]] && _register_start_daemon '_start_daemon_update_check' + # needs to be started before SASLauthd - [[ ${ENABLE_OPENDKIM} -eq 1 ]] && _register_start_daemon '_start_daemon_opendkim' - [[ ${ENABLE_OPENDMARC} -eq 1 ]] && _register_start_daemon '_start_daemon_opendmarc' + [[ ${ENABLE_OPENDKIM} -eq 1 ]] && _register_start_daemon '_start_daemon_opendkim' + [[ ${ENABLE_OPENDMARC} -eq 1 ]] && _register_start_daemon '_start_daemon_opendmarc' # needs to be started before postfix - [[ ${ENABLE_POSTGREY} -eq 1 ]] && _register_start_daemon '_start_daemon_postgrey' + [[ ${ENABLE_POSTGREY} -eq 1 ]] && _register_start_daemon '_start_daemon_postgrey' _register_start_daemon '_start_daemon_postfix' # needs to be started after postfix - [[ ${ENABLE_SASLAUTHD} -eq 1 ]] && _register_start_daemon '_start_daemon_saslauthd' - [[ ${ENABLE_FAIL2BAN} -eq 1 ]] && _register_start_daemon '_start_daemon_fail2ban' - [[ ${ENABLE_FETCHMAIL} -eq 1 ]] && _register_start_daemon '_start_daemon_fetchmail' - [[ ${ENABLE_CLAMAV} -eq 1 ]] && _register_start_daemon '_start_daemon_clamav' - [[ ${ENABLE_AMAVIS} -eq 1 ]] && _register_start_daemon '_start_daemon_amavis' + [[ ${ENABLE_SASLAUTHD} -eq 1 ]] && _register_start_daemon '_start_daemon_saslauthd' + [[ ${ENABLE_FAIL2BAN} -eq 1 ]] && _register_start_daemon '_start_daemon_fail2ban' + [[ ${ENABLE_FETCHMAIL} -eq 1 ]] && _register_start_daemon '_start_daemon_fetchmail' + [[ ${ENABLE_CLAMAV} -eq 1 ]] && _register_start_daemon '_start_daemon_clamav' + [[ ${ENABLE_AMAVIS} -eq 1 ]] && _register_start_daemon '_start_daemon_amavis' [[ ${ACCOUNT_PROVISIONER} == 'FILE' ]] && _register_start_daemon '_start_daemon_changedetector' } -function _register_start_daemon -{ - DAEMONS_START+=("${1}") - _log 'trace' "${1}() registered" -} - -function 
_register_fix_function -{ - FUNCS_FIX+=("${1}") - _log 'trace' "${1}() registered" -} - -function _register_check_function -{ - FUNCS_CHECK+=("${1}") - _log 'trace' "${1}() registered" -} - -function _register_misc_function -{ - FUNCS_MISC+=("${1}") - _log 'trace' "${1}() registered" -} - # ------------------------------------------------------------ # ? << Registering functions # -- @@ -223,8 +178,6 @@ _register_functions _check _setup [[ ${LOG_LEVEL} =~ (debug|trace) ]] && print-environment -_apply_fixes -_start_misc _setup_run_user_patches _start_daemons diff --git a/target/scripts/startup/check-stack.sh b/target/scripts/startup/check-stack.sh index f8a13b7c..4afe0af0 100644 --- a/target/scripts/startup/check-stack.sh +++ b/target/scripts/startup/check-stack.sh @@ -1,5 +1,13 @@ #!/bin/bash +declare -a FUNCS_CHECK + +function _register_check_function +{ + FUNCS_CHECK+=("${1}") + _log 'trace' "${1}() registered" +} + function _check { _log 'info' 'Checking configuration' diff --git a/target/scripts/startup/daemons-stack.sh b/target/scripts/startup/daemons-stack.sh index 3b389b6b..87055ed6 100644 --- a/target/scripts/startup/daemons-stack.sh +++ b/target/scripts/startup/daemons-stack.sh @@ -1,5 +1,13 @@ #!/bin/bash +declare -a DAEMONS_START + +function _register_start_daemon +{ + DAEMONS_START+=("${1}") + _log 'trace' "${1}() registered" +} + function _start_daemons { _log 'info' 'Starting daemons' diff --git a/target/scripts/startup/fixes-stack.sh b/target/scripts/startup/fixes-stack.sh deleted file mode 100644 index b118b742..00000000 --- a/target/scripts/startup/fixes-stack.sh +++ /dev/null 
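Review bot: The two added registrations for `_start_daemon_dovecot` and `_start_daemon_update_check` have no matching `-` lines anywhere in this file's hunks, so within the diff they are additions rather than moves; if the same two lines still exist in the unchanged region between the previous hunk and this one (not visible here), both daemons would be registered — and started — twice. Please confirm they were relocated from that region and not copied. The remaining changes in the hunk only re-align existing registrations, which is fine. `_register_functions` opens before this hunk.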
@@ -1,40 +0,0 @@
-#!/bin/bash
-
-function _apply_fixes
-{
- _log 'info' 'Post-configuration checks'
- for FUNC in "${FUNCS_FIX[@]}"
- do
- ${FUNC}
- done
-
- _log 'trace' 'Removing leftover PID files from a stop/start'
- find /var/run/ -not -name 'supervisord.pid' -name '*.pid' -delete
- touch /dev/shm/supervisor.sock
-}
-
-function _fix_var_mail_permissions
-{
- _log 'debug' 'Checking /var/mail permissions'
-
- _chown_var_mail_if_necessary || _shutdown 'Failed to fix /var/mail permissions'
- _log 'trace' 'Permissions in /var/mail look OK'
-}
-
-function _fix_cleanup_clamav
-{
- _log 'trace' 'Cleaning up disabled ClamAV'
- rm /etc/logrotate.d/clamav-* /etc/cron.d/clamav-freshclam 2>/dev/null || {
- # show warning only on first container start
- [[ ! -f /CONTAINER_START ]] && _log 'warn' 'Failed to remove ClamAV configuration'
- }
-}
-
-function _fix_cleanup_spamassassin
-{
- _log 'trace' 'Cleaning up disabled SpamAssassin'
- rm /etc/cron.daily/spamassassin 2>/dev/null || {
- # show warning only on first container start
- [[ ! -f /CONTAINER_START ]] && _log 'warn' 'Failed to remove SpamAssassin configuration'
- }
-}
diff --git a/target/scripts/startup/setup-stack.sh b/target/scripts/startup/setup-stack.sh
index 461ab3f0..c9cfebe6 100644
--- a/target/scripts/startup/setup-stack.sh
+++ b/target/scripts/startup/setup-stack.sh
@@ -111,3 +111,11 @@ function _setup_timezone
 return 1
 fi
 }
+function _setup_apply_fixes_after_configuration
+{
+ _log 'trace' 'Removing leftover PID files from a stop/start'
+ find /var/run/ -not -name 'supervisord.pid' -name '*.pid' -delete
+ touch /dev/shm/supervisor.sock
+ _log 'debug' 'Checking /var/mail permissions'
+ _chown_var_mail_if_necessary || _shutdown 'Failed to fix /var/mail permissions'
+}
diff --git a/target/scripts/startup/setup.d/dmarc_dkim_spf.sh b/target/scripts/startup/setup.d/dmarc_dkim_spf.sh
index 77460398..f541eeaa 100644
--- a/target/scripts/startup/setup.d/dmarc_dkim_spf.sh
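Review bot: `_setup_apply_fixes_after_configuration` has no header comment and is glued directly to the closing `}` of `_setup_timezone` (the hunk adds eight lines and no blank ones), unlike every other setup function in this diff. Its name promises "after configuration", but nothing in the function enforces that; the guarantee lives only in the registration order in start-mailserver.sh, so I would add above it: `# Must be registered after every setup function that writes to /var/mail or /var/run: removes PID files left over from a stop/start and re-checks /var/mail ownership.` The `_log 'trace' 'Permissions in /var/mail look OK'` confirmation from the deleted `_fix_var_mail_permissions` was dropped, which removes the only positive trace-level signal for that check — acceptable, but worth a mention in the PR description.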
+++ b/target/scripts/startup/setup.d/dmarc_dkim_spf.sh @@ -1,17 +1,16 @@ #!/bin/bash - -# Set up OpenDKIM & OpenDMARC. +# Set up OpenDKIM # # ## Attention # -# The OpenDKIM milter must come before the OpenDMARC milter in Postfix's# +# The OpenDKIM milter must come before the OpenDMARC milter in Postfix's # `smtpd_milters` milters options. -function _setup_dkim_dmarc +function _setup_opendkim { if [[ ${ENABLE_OPENDKIM} -eq 1 ]] then - _log 'debug' 'Setting up DKIM' + _log 'debug' 'Configuring DKIM' mkdir -p /etc/opendkim/keys/ touch /etc/opendkim/{SigningTable,TrustedHosts,KeyTable} 
@@ -43,26 +42,45 @@ function _setup_dkim_dmarc echo "Nameservers ${NAMESERVER_IPS}" >>/etc/opendkim.conf _log 'trace' "Nameservers added to '/etc/opendkim.conf'" fi + else + # Even though we do nothing here and the message suggests we perform some action, the + # message is due to the default value being `1`, i.e. enabled. If the default were `0`, + # we could have said `OpenDKIM is disabled`, but we need to make it uniform with all + # other functions. + _log 'debug' 'Disabling OpenDKIM' fi +} +# Set up OpenDKIM +# +# ## Attention +# +# The OpenDMARC milter must come after the OpenDKIM milter in Postfix's +# `smtpd_milters` milters options. +function _setup_opendmarc +{ if [[ ${ENABLE_OPENDMARC} -eq 1 ]] then - # TODO when disabling SPF is possible, add a check whether DKIM and SPF is disabled + # TODO When disabling SPF is possible, add a check whether DKIM and SPF is disabled # for DMARC to work, you should have at least one enabled # (see RFC 7489 https://www.rfc-editor.org/rfc/rfc7489#page-24) + _log 'debug' 'Configuring OpenDMARC' + _log 'trace' "Adding OpenDMARC to Postfix's milters" postconf 'dmarc_milter = inet:localhost:8893' # Make sure to append the OpenDMARC milter _after_ the OpenDKIM milter! # shellcheck disable=SC2016 sed -i -E 's|^(smtpd_milters =.*)|\1 \$dmarc_milter|g' /etc/postfix/main.cf + + sed -i \ + -e "s|^AuthservID.*$|AuthservID ${HOSTNAME}|g" \ + -e "s|^TrustedAuthservIDs.*$|TrustedAuthservIDs ${HOSTNAME}|g" \ + /etc/opendmarc.conf + else + # Even though we do nothing here and the message suggests we perform some action, the + # message is due to the default value being `1`, i.e. enabled. If the default were `0`, + # we could have said `OpenDKIM is disabled`, but we need to make it uniform with all + # other functions. 
+ _log 'debug' 'Disabling OpenDMARC' fi } - -function _setup_dmarc_hostname -{ - _log 'debug' 'Setting up DMARC' - sed -i -e \ - "s|^AuthservID.*$|AuthservID ${HOSTNAME}|g" \ - -e "s|^TrustedAuthservIDs.*$|TrustedAuthservIDs ${HOSTNAME}|g" \ - /etc/opendmarc.conf -} diff --git a/target/scripts/startup/misc-stack.sh b/target/scripts/startup/setup.d/mail_state.sh similarity index 95% rename from target/scripts/startup/misc-stack.sh rename to target/scripts/startup/setup.d/mail_state.sh index a4542c4e..5dd53390 100644 --- a/target/scripts/startup/misc-stack.sh +++ b/target/scripts/startup/setup.d/mail_state.sh @@ -1,17 +1,8 @@ #!/bin/bash -function _start_misc -{ - _log 'info' 'Starting miscellaneous tasks' - for FUNC in "${FUNCS_MISC[@]}" - do - ${FUNC} - done -} - -# consolidate all states into a single directory +# Consolidate all states into a single directory # (/var/mail-state) to allow persistence using docker volumes -function _misc_save_states +function _setup_save_states { local STATEDIR FILE FILES diff --git a/target/scripts/startup/setup.d/security/misc.sh b/target/scripts/startup/setup.d/security/misc.sh index 92db3912..4feb0344 100644 --- a/target/scripts/startup/setup.d/security/misc.sh +++ b/target/scripts/startup/setup.d/security/misc.sh 
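Review bot: The header added for `_setup_opendmarc` reads `# Set up OpenDKIM`, and its else-branch comment says we could have said `OpenDKIM is disabled`; both are copy-paste leftovers from `_setup_opendkim` and should read `# Set up OpenDMARC` and `OpenDMARC is disabled`. The `AuthservID ${HOSTNAME}` / `TrustedAuthservIDs ${HOSTNAME}` sed now runs only when `ENABLE_OPENDMARC=1` (the deleted `_setup_dmarc_hostname` ran unconditionally), which is a sensible tightening, but `${HOSTNAME}` is interpolated unescaped into a `|`-delimited sed expression, so a hostname containing `|`, `&` or `\` would corrupt /etc/opendmarc.conf — presumably `_obtain_hostname_and_domainname` validates it; a short comment saying so would help. `_setup_opendkim` starts before this hunk.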
@@ -4,18 +4,79 @@ function _setup_security_stack { _log 'debug' 'Setting up Security Stack' + __setup__security__postgrey + __setup__security__postscreen + # recreate auto-generated file local DMS_AMAVIS_FILE=/etc/amavis/conf.d/61-dms_auto_generated echo "# WARNING: this file is auto-generated." >"${DMS_AMAVIS_FILE}" echo "use strict;" >>"${DMS_AMAVIS_FILE}" - # SpamAssassin - if [[ ${ENABLE_SPAMASSASSIN} -eq 0 ]] + __setup__security__spamassassin + __setup__security__clamav + + echo '1; # ensure a defined return' >>"${DMS_AMAVIS_FILE}" + chmod 444 "${DMS_AMAVIS_FILE}" + + __setup__security__fail2ban + __setup__security__amavis +} + +function __setup__security__postgrey +{ + if [[ ${ENABLE_POSTGREY} -eq 1 ]] then - _log 'debug' 'SpamAssassin is disabled' - echo "@bypass_spam_checks_maps = (1);" >>"${DMS_AMAVIS_FILE}" - elif [[ ${ENABLE_SPAMASSASSIN} -eq 1 ]] + _log 'debug' 'Enabling and configuring Postgrey' + + sedfile -i -E \ + 's|(^smtpd_recipient_restrictions =.*)|\1, check_policy_service inet:127.0.0.1:10023|' \ + /etc/postfix/main.cf + + sed -i -e \ + "s|\"--inet=127.0.0.1:10023\"|\"--inet=127.0.0.1:10023 --delay=${POSTGREY_DELAY} --max-age=${POSTGREY_MAX_AGE} --auto-whitelist-clients=${POSTGREY_AUTO_WHITELIST_CLIENTS}\"|" \ + /etc/default/postgrey + + if ! 
grep -i 'POSTGREY_TEXT' /etc/default/postgrey + then + printf 'POSTGREY_TEXT=\"%s\"\n\n' "${POSTGREY_TEXT}" >>/etc/default/postgrey + fi + + if [[ -f /tmp/docker-mailserver/whitelist_clients.local ]] + then + cp -f /tmp/docker-mailserver/whitelist_clients.local /etc/postgrey/whitelist_clients.local + fi + + if [[ -f /tmp/docker-mailserver/whitelist_recipients ]] + then + cp -f /tmp/docker-mailserver/whitelist_recipients /etc/postgrey/whitelist_recipients + fi + else + _log 'debug' 'Postscreen is disabled' + fi +} + +function __setup__security__postscreen +{ + _log 'debug' 'Configuring Postscreen' + sed -i \ + -e "s|postscreen_dnsbl_action = enforce|postscreen_dnsbl_action = ${POSTSCREEN_ACTION}|" \ + -e "s|postscreen_greet_action = enforce|postscreen_greet_action = ${POSTSCREEN_ACTION}|" \ + -e "s|postscreen_bare_newline_action = enforce|postscreen_bare_newline_action = ${POSTSCREEN_ACTION}|" /etc/postfix/main.cf + + if [[ ${ENABLE_DNSBL} -eq 0 ]] + then + _log 'debug' 'Disabling Postscreen DNSBLs' + postconf 'postscreen_dnsbl_action = ignore' + postconf 'postscreen_dnsbl_sites = ' + else + _log 'debug' 'Postscreen DNSBLs are enabled' + fi +} + +function __setup__security__spamassassin +{ + if [[ ${ENABLE_SPAMASSASSIN} -eq 1 ]] then _log 'debug' 'Enabling and configuring SpamAssassin' @@ -28,6 +89,11 @@ function _setup_security_stack # shellcheck disable=SC2016 sed -i -r 's|^\$sa_kill_level_deflt (.*);|\$sa_kill_level_deflt = '"${SA_KILL}"';|g' /etc/amavis/conf.d/20-debian_defaults + # fix cron.daily for spamassassin + sed -i \ + 's|invoke-rc.d spamassassin reload|/etc/init\.d/spamassassin reload|g' \ + /etc/cron.daily/spamassassin + if [[ ${SA_SPAM_SUBJECT} == 'undef' ]] then # shellcheck disable=SC2016 
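Review bot: In `__setup__security__postgrey` the disabled branch logs `'Postscreen is disabled'`, which is the wrong component — it should be `_log 'debug' 'Postgrey is disabled'` (the postscreen helper below reports its own state). The replacement for the old `grep -c` check, `if ! grep -i 'POSTGREY_TEXT' /etc/default/postgrey`, now prints the matching line to stdout on every start; `if ! grep -q -i 'POSTGREY_TEXT' /etc/default/postgrey` keeps the log clean. Both sed calls interpolate `${POSTGREY_DELAY}`, `${POSTGREY_MAX_AGE}`, `${POSTGREY_AUTO_WHITELIST_CLIENTS}` and `${POSTSCREEN_ACTION}` unescaped into `|`-delimited expressions (pre-existing), so a value containing `|` rewrites arbitrary text in main.cf or /etc/default/postgrey; if the variables stack validates them, a comment pointing there would make that explicit. The hunk ends inside `__setup__security__spamassassin`.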
@@ -96,25 +162,37 @@ EOF chmod +x "${SPAMASSASSIN_KAM_CRON_FILE}" fi + else + _log 'debug' 'SpamAssassin is disabled' + echo "@bypass_spam_checks_maps = (1);" >>"${DMS_AMAVIS_FILE}" + rm -f /etc/cron.daily/spamassassin fi +} - # ClamAV - if [[ ${ENABLE_CLAMAV} -eq 0 ]] +function __setup__security__clamav +{ + if [[ ${ENABLE_CLAMAV} -eq 1 ]] then - _log 'debug' 'ClamAV is disabled' + _log 'debug' 'Enabling and configuring ClamAV' + if [[ ${CLAMAV_MESSAGE_SIZE_LIMIT} != '25M' ]] + then + _log 'trace' "Setting ClamAV message scan size limit to '${CLAMAV_MESSAGE_SIZE_LIMIT}'" + sedfile -i \ + "s/^MaxFileSize.*/MaxFileSize ${CLAMAV_MESSAGE_SIZE_LIMIT}/" \ + /etc/clamav/clamd.conf + fi + else + _log 'debug' 'Disabling ClamAV' echo '@bypass_virus_checks_maps = (1);' >>"${DMS_AMAVIS_FILE}" - elif [[ ${ENABLE_CLAMAV} -eq 1 ]] - then - _log 'debug' 'Enabling ClamAV' + rm -f /etc/logrotate.d/clamav-* /etc/cron.d/clamav-freshclam fi +} - echo '1; # ensure a defined return' >>"${DMS_AMAVIS_FILE}" - chmod 444 "${DMS_AMAVIS_FILE}" - - # Fail2ban +function __setup__security__fail2ban +{ if [[ ${ENABLE_FAIL2BAN} -eq 1 ]] then - _log 'debug' 'Enabling Fail2Ban' + _log 'debug' 'Enabling and configuring Fail2Ban' if [[ -e /tmp/docker-mailserver/fail2ban-fail2ban.cf ]] then 
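Review bot: `__setup__security__spamassassin` and `__setup__security__clamav` append to `"${DMS_AMAVIS_FILE}"`, a variable declared `local` in `_setup_security_stack` and never passed in; this only works because bash `local` is dynamically scoped, so calling either helper from anywhere else redirects into an empty path and fails. Pass it explicitly — `local DMS_AMAVIS_FILE=${1:?amavis file path required}` at the top of each helper and `__setup__security__spamassassin "${DMS_AMAVIS_FILE}"` at the call sites — or at least add `# DMS_AMAVIS_FILE is inherited from the caller (_setup_security_stack) via bash dynamic scoping`. The `rm -f` cleanups replace the previous `rm … 2>/dev/null || warn-on-first-start`, so a failed removal (e.g. read-only /etc) is now silent; probably acceptable, but it removes the only diagnostic for that case. `__setup__security__spamassassin` begins before this hunk.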
@@ -125,20 +203,24 @@ EOF then cp /tmp/docker-mailserver/fail2ban-jail.cf /etc/fail2ban/jail.d/user-jail.local fi + + if [[ ${FAIL2BAN_BLOCKTYPE} != 'reject' ]] + then + echo -e '[Init]\nblocktype = drop' >/etc/fail2ban/action.d/nftables-common.local + fi + + echo '[Definition]' >/etc/fail2ban/filter.d/custom.conf else - # disable logrotate config for fail2ban if not enabled + _log 'debug' 'Fail2Ban is disabled' rm -f /etc/logrotate.d/fail2ban fi +} - # fix cron.daily for spamassassin - sed -i \ - 's|invoke-rc.d spamassassin reload|/etc/init\.d/spamassassin reload|g' \ - /etc/cron.daily/spamassassin - - # Amavis +function __setup__security__amavis +{ if [[ ${ENABLE_AMAVIS} -eq 1 ]] then - _log 'debug' 'Enabling Amavis' + _log 'debug' 'Configuring Amavis' if [[ -f /tmp/docker-mailserver/amavis.cf ]] then cp /tmp/docker-mailserver/amavis.cf /etc/amavis/conf.d/50-user @@ -147,14 +229,6 @@ EOF sed -i -E \ "s|(log_level).*|\1 = ${AMAVIS_LOGLEVEL};|g" \ /etc/amavis/conf.d/49-docker-mailserver - fi -} - -function _setup_amavis -{ - if [[ ${ENABLE_AMAVIS} -eq 1 ]] - then - _log 'debug' 'Setting up Amavis' cat /etc/dms/postfix/master.d/postfix-amavis.cf >>/etc/postfix/master.cf postconf 'content_filter = smtp-amavis:[127.0.0.1]:10024' @@ -163,7 +237,9 @@ function _setup_amavis "s|^#\$myhostname = \"mail.example.com\";|\$myhostname = \"${HOSTNAME}\";|" \ /etc/amavis/conf.d/05-node_id else - _log 'debug' 'Disabling Amavis cron job' + _log 'debug' 'Disabling Amavis' + + _log 'trace' 'Disabling Amavis cron job' mv /etc/cron.d/amavisd-new /etc/cron.d/amavisd-new.disabled chmod 0 /etc/cron.d/amavisd-new.disabled 
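Review bot: `[[ ${FAIL2BAN_BLOCKTYPE} != 'reject' ]]` treats every value other than the exact string `reject` — including a typo such as `Reject` or `REJECT` — as `drop` and writes nftables-common.local without telling the operator; since this decides whether banned hosts receive a TCP/ICMP reject or a silent drop, an explicit validation with a warning is cheap and keeps today's fallback. The `echo -e` could become `printf '[Init]\nblocktype = drop\n'` to avoid echo's option handling. `__setup__security__fail2ban` starts before this hunk.
```shell
    # … unchanged: copy of user-supplied fail2ban-fail2ban.cf / fail2ban-jail.cf …

    case "${FAIL2BAN_BLOCKTYPE}" in
      reject) ;;
      drop)
        printf '[Init]\nblocktype = drop\n' >/etc/fail2ban/action.d/nftables-common.local
        ;;
      *)
        _log 'warn' "Unknown FAIL2BAN_BLOCKTYPE '${FAIL2BAN_BLOCKTYPE}' - falling back to 'drop'"
        printf '[Init]\nblocktype = drop\n' >/etc/fail2ban/action.d/nftables-common.local
        ;;
    esac

    echo '[Definition]' >/etc/fail2ban/filter.d/custom.conf
```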
@@ -178,88 +254,3 @@ function _setup_amavis fi fi } - -function _setup_fail2ban -{ - _log 'debug' 'Setting up Fail2Ban' - - if [[ ${FAIL2BAN_BLOCKTYPE} != 'reject' ]] - then - echo -e '[Init]\nblocktype = drop' >/etc/fail2ban/action.d/nftables-common.local - fi - - echo '[Definition]' >/etc/fail2ban/filter.d/custom.conf -} - -function _setup_postgrey -{ - _log 'debug' 'Configuring Postgrey' - - sedfile -i -E \ - 's|(^smtpd_recipient_restrictions =.*)|\1, check_policy_service inet:127.0.0.1:10023|' \ - /etc/postfix/main.cf - - sed -i -e \ - "s|\"--inet=127.0.0.1:10023\"|\"--inet=127.0.0.1:10023 --delay=${POSTGREY_DELAY} --max-age=${POSTGREY_MAX_AGE} --auto-whitelist-clients=${POSTGREY_AUTO_WHITELIST_CLIENTS}\"|" \ - /etc/default/postgrey - - TEXT_FOUND=$(grep -c -i 'POSTGREY_TEXT' /etc/default/postgrey) - - if [[ ${TEXT_FOUND} -eq 0 ]] - then - printf 'POSTGREY_TEXT=\"%s\"\n\n' "${POSTGREY_TEXT}" >>/etc/default/postgrey - fi - - if [[ -f /tmp/docker-mailserver/whitelist_clients.local ]] - then - cp -f /tmp/docker-mailserver/whitelist_clients.local /etc/postgrey/whitelist_clients.local - fi - - if [[ -f /tmp/docker-mailserver/whitelist_recipients ]] - then - cp -f /tmp/docker-mailserver/whitelist_recipients /etc/postgrey/whitelist_recipients - fi -} - -function _setup_postfix_postscreen -{ - _log 'debug' 'Configuring Postscreen' - sed -i \ - -e "s|postscreen_dnsbl_action = enforce|postscreen_dnsbl_action = ${POSTSCREEN_ACTION}|" \ - -e "s|postscreen_greet_action = enforce|postscreen_greet_action = ${POSTSCREEN_ACTION}|" \ - -e "s|postscreen_bare_newline_action = enforce|postscreen_bare_newline_action = ${POSTSCREEN_ACTION}|" /etc/postfix/main.cf -} - - -function _setup_clamav_sizelimit -{ - _log 'trace' "Setting ClamAV message scan size limit to '${CLAMAV_MESSAGE_SIZE_LIMIT}'" - sedfile -i "s/^MaxFileSize.*/MaxFileSize ${CLAMAV_MESSAGE_SIZE_LIMIT}/" /etc/clamav/clamd.conf -} - - -function _setup_spoof_protection -{ - _log 'trace' 'Configuring spoof protection' - sed 
-i \ - 's|smtpd_sender_restrictions =|smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch,|' \ - /etc/postfix/main.cf - - if [[ ${ACCOUNT_PROVISIONER} == 'LDAP' ]] - then - if [[ -z ${LDAP_QUERY_FILTER_SENDERS} ]] - then - postconf 'smtpd_sender_login_maps = ldap:/etc/postfix/ldap-users.cf ldap:/etc/postfix/ldap-aliases.cf ldap:/etc/postfix/ldap-groups.cf' - else - postconf 'smtpd_sender_login_maps = ldap:/etc/postfix/ldap-senders.cf' - fi - else - if [[ -f /etc/postfix/regexp ]] - then - postconf 'smtpd_sender_login_maps = unionmap:{ texthash:/etc/postfix/virtual, hash:/etc/aliases, pcre:/etc/postfix/maps/sender_login_maps.pcre, pcre:/etc/postfix/regexp }' - else - postconf 'smtpd_sender_login_maps = texthash:/etc/postfix/virtual, hash:/etc/aliases, pcre:/etc/postfix/maps/sender_login_maps.pcre' - fi - fi -} - diff --git a/target/scripts/startup/setup.d/security/rspamd.sh b/target/scripts/startup/setup.d/security/rspamd.sh index 3425bbbd..a3d8237f 100644 --- a/target/scripts/startup/setup.d/security/rspamd.sh +++ b/target/scripts/startup/setup.d/security/rspamd.sh @@ -2,13 +2,18 @@ function _setup_rspamd { - _log 'warn' 'Rspamd integration is work in progress - expect (breaking) changes at any time' - _log 'debug' 'Enabling Rspamd' + if [[ ${ENABLE_RSPAMD} -eq 1 ]] + then + _log 'warn' 'Rspamd integration is work in progress - expect (breaking) changes at any time' + _log 'debug' 'Enabling and configuring Rspamd' - __rspamd__preflight_checks - __rspamd__adjust_postfix_configuration - __rspamd__disable_default_modules - __rspamd__handle_modules_configuration + __rspamd__preflight_checks + __rspamd__adjust_postfix_configuration + __rspamd__disable_default_modules + __rspamd__handle_modules_configuration + else + _log 'debug' 'Rspamd is disabled' + fi } # Just a helper to prepend the log messages with `(Rspamd setup)` so 
diff --git a/target/scripts/startup/setup.d/security/spoofing.sh b/target/scripts/startup/setup.d/security/spoofing.sh
new file mode 100644
index 00000000..81926832
--- /dev/null
+++ b/target/scripts/startup/setup.d/security/spoofing.sh
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+function _setup_spoof_protection
+{
+ if [[ ${SPOOF_PROTECTION} -eq 1 ]]
+ then
+ _log 'trace' 'Enabling and configuring spoof protection'
+
+ sed -i \
+ 's|smtpd_sender_restrictions =|smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch,|' \
+ /etc/postfix/main.cf
+
+ if [[ ${ACCOUNT_PROVISIONER} == 'LDAP' ]]
+ then
+ if [[ -z ${LDAP_QUERY_FILTER_SENDERS} ]]
+ then
+ postconf 'smtpd_sender_login_maps = ldap:/etc/postfix/ldap-users.cf ldap:/etc/postfix/ldap-aliases.cf ldap:/etc/postfix/ldap-groups.cf'
+ else
+ postconf 'smtpd_sender_login_maps = ldap:/etc/postfix/ldap-senders.cf'
+ fi
+ else
+ if [[ -f /etc/postfix/regexp ]]
+ then
+ postconf 'smtpd_sender_login_maps = unionmap:{ texthash:/etc/postfix/virtual, hash:/etc/aliases, pcre:/etc/postfix/maps/sender_login_maps.pcre, pcre:/etc/postfix/regexp }'
+ else
+ postconf 'smtpd_sender_login_maps = texthash:/etc/postfix/virtual, hash:/etc/aliases, pcre:/etc/postfix/maps/sender_login_maps.pcre'
+ fi
+ fi
+ else
+ _log 'debug' 'Spoof protection is disabled'
+ fi
+}
diff --git a/target/scripts/startup/variables-stack.sh b/target/scripts/startup/variables-stack.sh
index bdb57091..bfff1c1c 100644
--- a/target/scripts/startup/variables-stack.sh
+++ b/target/scripts/startup/variables-stack.sh
@@ -3,9 +3,6 @@
 # shellcheck disable=SC2034
 declare -A VARS
 
-# shellcheck disable=SC2034
-declare -a FUNCS_FIX FUNCS_CHECK FUNCS_MISC DAEMONS_START
-
 function _early_variables_setup
 {
 _obtain_hostname_and_domainname
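Review bot: The sed in `_setup_spoof_protection` is neither anchored nor idempotent: `'s|smtpd_sender_restrictions =|smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch,|'` matches the key anywhere on a line and prepends the restriction again on every run, so a container that is stopped and started rather than recreated (the deleted fixes-stack explicitly handled "a stop/start") accumulates `reject_authenticated_sender_login_mismatch, reject_authenticated_sender_login_mismatch, …` in main.cf unless the file is regenerated. Anchor and guard it: `grep -q 'reject_authenticated_sender_login_mismatch' /etc/postfix/main.cf || sed -i 's|^smtpd_sender_restrictions =|smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch,|' /etc/postfix/main.cf`. The enabled branch logs at `trace` while every sibling helper in this commit logs `Enabling and configuring …` at `debug`; `_log 'debug'` would keep levels consistent. A header comment would also help: `# Rejects MAIL FROM addresses that the authenticated SASL login is not permitted to use (smtpd_sender_login_maps); unauthenticated clients are not affected by this restriction.`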