From fc8d684994e65875b942de68f783848ddd78971e Mon Sep 17 00:00:00 2001
From: Erik Wramner
Date: Fri, 9 Aug 2019 22:13:50 +0200
Subject: [PATCH 1/4] Generate dhparams at startup, not build
---
 Dockerfile | 12 +++++-------
 target/start-mailserver.sh | 40 +++++++++++++++++++++++++++++++-------
 test/config/dhparams.pem | 8 ++++++++
 3 files changed, 46 insertions(+), 14 deletions(-)
 create mode 100644 test/config/dhparams.pem
diff --git a/Dockerfile b/Dockerfile
index 8b180e6c..22dcf253 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -96,7 +96,9 @@ RUN apt-get update -q --fix-missing && \
 touch /var/log/auth.log && \
 update-locale && \
 rm -f /etc/cron.weekly/fstrim && \
- rm -f /etc/postsrsd.secret
+ rm -f /etc/postsrsd.secret && \
+ rm -f /etc/postfix/dhparams.pem && \
+ rm -f /etc/dovecot/dh.pem
 
 RUN echo "0 */6 * * * clamav /usr/bin/freshclam --quiet" > /etc/cron.d/clamav-freshclam && \
 chmod 644 /etc/clamav/freshclam.conf && \
@@ -120,8 +122,7 @@ RUN sed -i -e 's/include_try \/usr\/share\/dovecot\/protocols\.d/include_try \/e
 cd /usr/share/dovecot && \
 ./mkcert.sh && \
 mkdir -p /usr/lib/dovecot/sieve-pipe /usr/lib/dovecot/sieve-filter /usr/lib/dovecot/sieve-global && \
- chmod 755 -R /usr/lib/dovecot/sieve-pipe /usr/lib/dovecot/sieve-filter /usr/lib/dovecot/sieve-global && \
- openssl dhparam -out /etc/dovecot/dh.pem 2048
+ chmod 755 -R /usr/lib/dovecot/sieve-pipe /usr/lib/dovecot/sieve-filter /usr/lib/dovecot/sieve-global
 
 # Configures LDAP
 COPY target/dovecot/dovecot-ldap.conf.ext /etc/dovecot
@@ -180,10 +181,7 @@ RUN mkdir /var/run/fetchmail && chown fetchmail /var/run/fetchmail
 # Configures Postfix
 COPY target/postfix/main.cf target/postfix/master.cf /etc/postfix/
 COPY target/postfix/header_checks.pcre target/postfix/sender_header_filter.pcre target/postfix/sender_login_maps.pcre /etc/postfix/maps/
-RUN echo "" > /etc/aliases && \
- openssl dhparam -out /etc/postfix/dhparams.pem 2048 && \
- echo "@weekly FILE=\`mktemp\` ; openssl dhparam -out \$FILE 2048 > /dev/null 2>&1 && mv -f \$FILE /etc/postfix/dhparams.pem" > /etc/cron.d/dh2048
-
+RUN echo "" > /etc/aliases
 
 # Configuring Logs
 RUN sed -i -r "/^#?compress/c\compress\ncopytruncate" /etc/logrotate.conf && \
diff --git a/target/start-mailserver.sh b/target/start-mailserver.sh
index 8571d9e3..b289df04 100644
--- a/target/start-mailserver.sh
+++ b/target/start-mailserver.sh
@@ -1224,28 +1224,41 @@ function _setup_postfix_relay_hosts() {
 
 function _setup_postfix_dhparam() {
 notify 'task' 'Setting up Postfix dhparam'
 if [ "$ONE_DIR" = 1 ];then
- DHPARAMS_FILE=/var/mail-state/lib-postfix/dhparams.pem
+ DHPARAMS_FILE=/var/mail-state/lib-shared/dhparams.pem
 if [ ! -f $DHPARAMS_FILE ]; then
- notify 'inf' "Generate new dhparams for postfix"
+ notify 'inf' "Generate new shared dhparams (postfix)"
 mkdir -p $(dirname "$DHPARAMS_FILE")
 openssl dhparam -out $DHPARAMS_FILE 2048
 else
- notify 'inf' "Use dhparams that was generated previously"
+ notify 'inf' "Use postfix dhparams that was generated previously"
 fi
 # Copy from the state directory to the working location
 rm /etc/postfix/dhparams.pem && cp $DHPARAMS_FILE /etc/postfix/dhparams.pem
 else
- notify 'inf' "No state dir, we use the dhparams generated on image creation"
+ if [ ! -f /etc/postfix/dhparams.pem ]; then
+ if [ -f /etc/dovecot/dh.pem ]; then
+ notify 'inf' "Copy dovecot dhparams to postfix"
+ cp /etc/dovecot/dh.pem /etc/postfix/dhparams.pem
+ elif [ -f /tmp/docker-mailserver/dhparams.pem ]; then
+ notify 'inf' "Copy pre-generated dhparams to postfix"
+ cp /tmp/docker-mailserver/dhparams.pem /etc/postfix/dhparams.pem
+ else
+ notify 'inf' "Generate new dhparams for postfix"
+ openssl dhparam -out /etc/postfix/dhparams.pem 2048
+ fi
+ else
+ notify 'inf' "Use existing postfix dhparams"
+ fi
 fi
 }
 
 function _setup_dovecot_dhparam() {
 notify 'task' 'Setting up Dovecot dhparam'
 if [ "$ONE_DIR" = 1 ];then
- DHPARAMS_FILE=/var/mail-state/lib-dovecot/dh.pem
+ DHPARAMS_FILE=/var/mail-state/lib-shared/dhparams.pem
 if [ ! -f $DHPARAMS_FILE ]; then
- notify 'inf' "Generate new dhparams for dovecot"
+ notify 'inf' "Generate new shared dhparams (dovecot)"
 mkdir -p $(dirname "$DHPARAMS_FILE")
 openssl dhparam -out $DHPARAMS_FILE 2048
 else
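Review bot: In the `ONE_DIR` branch of `_setup_postfix_dhparam` the unchanged line `rm /etc/postfix/dhparams.pem && cp $DHPARAMS_FILE /etc/postfix/dhparams.pem` now short-circuits on a fresh container: the Dockerfile hunks in this patch stop generating `/etc/postfix/dhparams.pem` at build time, so `rm` (no `-f`) fails on the missing file and the `cp` never runs, leaving Postfix without the parameters the state directory was just filled with — unless something outside this series still creates the file. `cp -f "$DHPARAMS_FILE" /etc/postfix/dhparams.pem` (or `rm -f …; cp …`) fixes it, and `_setup_dovecot_dhparam` at `@@ -1255` has the identical `rm /etc/dovecot/dh.pem && cp …` line. Every `openssl dhparam -out <final path> 2048` in both functions also writes straight to the file that later runs treat as valid; generation takes a while at startup, and a container stopped midway leaves a truncated file that the `Use existing …` / `generated previously` branches then keep forever, whereas the cron line removed in the Dockerfile wrote to `mktemp` and `mv -f`'d. Generating into a temp file in the target directory, checking `openssl`'s exit status and then `mv -f`'ing it keeps the old atomicity; `$DHPARAMS_FILE` and `$(dirname …)` should be quoted while at it.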
@@ -1255,7 +1268,20 @@ function _setup_dovecot_dhparam() {
 # Copy from the state directory to the working location
 rm /etc/dovecot/dh.pem && cp $DHPARAMS_FILE /etc/dovecot/dh.pem
 else
- notify 'inf' "No state dir, we use the dovecot dhparams generated on image creation"
+ if [ ! -f /etc/dovecot/dh.pem ]; then
+ if [ -f /etc/postfix/dhparams.pem ]; then
+ notify 'inf' "Copy postfix dhparams to dovecot"
+ cp /etc/postfix/dhparams.pem /etc/dovecot/dh.pem
+ elif [ -f /tmp/docker-mailserver/dhparams.pem ]; then
+ notify 'inf' "Copy pre-generated dhparams to dovecot"
+ cp /tmp/docker-mailserver/dhparams.pem /etc/dovecot/dh.pem
+ else
+ notify 'inf' "Generate new dhparams for dovecot"
+ openssl dhparam -out /etc/dovecot/dh.pem 2048
+ fi
+ else
+ notify 'inf' "Use existing dovecot dhparams"
+ fi
 fi
 }
 
diff --git a/test/config/dhparams.pem b/test/config/dhparams.pem
new file mode 100644
index 00000000..4ebe8dd2
--- /dev/null
+++ b/test/config/dhparams.pem
@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEAlYgX/PXMu60WVkgKXOqnT562wd2F3l1WDwyn7DLWDqb9rCI6SAB8
+8uDkImAeoRFQycL77fXBqO9KKVk5x569Qjltacbw4/taOhWPAq/+6Wf5bZsUEp5g
+wD+hLvgYn/0pdGkjiAJ+jlRBxarF9lJac4QPztqw3qJPtVdIKbmo58hoxERIthD2
+f/ZkGjaZXzOIvD8Ai0NQ+H4k5DK5dLlFI78XbrsH161t4Jcspq+v5VUdUyUMAvti
+4peK0RgHw47h90kkee+qIf5F+WWSw28tjkbILWx2ld/bN59eZj4itb3UUw/OZRpC
+Y0pOBOvl1wp5PS+pUJAMsg6PR50yPNYREwIBAg==
+-----END DH PARAMETERS-----
From c9bd3f3e83269bfea72071e25f7e5c0cde3ee967 Mon Sep 17 00:00:00 2001
From: Erik Wramner
Date: Sat, 10 Aug 2019 08:34:18 +0200
Subject: [PATCH 2/4] Added sleep to test that keeps failing randomly
---
 test/tests.bats | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/test/tests.bats b/test/tests.bats
index e65e6693..cc28458b 100644
--- a/test/tests.bats
+++ b/test/tests.bats
@@ -1290,6 +1290,11 @@ function count_processed_changes() {
 [ "${originalChangesProcessed}" != "$(count_processed_changes mail)" ]
 assert_success
 
+ # Dovecot has been restarted, but this test often fails so presumably it may not be ready
+ # Add a short sleep to see if that helps to make the test more stable
+ # Alternatively we could login with a known good user to make sure that the service is up
+ sleep 2
+
 result=$(docker exec mail doveadm auth test -x service=smtp setup_email_add@example.com 'test_password' | grep 'auth succeeded')
 [ "$result" = "passdb: setup_email_add@example.com auth succeeded" ]
 }
From 9d7873850d1da85c468b8e18bbd000760d2925fd Mon Sep 17 00:00:00 2001
From: Erik Wramner
Date: Sat, 10 Aug 2019 10:15:35 +0200
Subject: [PATCH 3/4] Move dovecot cert generation to startup
---
 Dockerfile | 2 --
 target/start-mailserver.sh | 20 +++++++++++++++++++-
 2 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 22dcf253..4c30fd08 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -119,8 +119,6 @@ RUN sed -i -e 's/include_try \/usr\/share\/dovecot\/protocols\.d/include_try \/e
 # stretch-backport of dovecot needs this folder
 mkdir /etc/dovecot/ssl && \
 chmod 755 /etc/dovecot/ssl && \
- cd /usr/share/dovecot && \
- ./mkcert.sh && \
 mkdir -p /usr/lib/dovecot/sieve-pipe /usr/lib/dovecot/sieve-filter /usr/lib/dovecot/sieve-global && \
 chmod 755 -R /usr/lib/dovecot/sieve-pipe /usr/lib/dovecot/sieve-filter /usr/lib/dovecot/sieve-global
 
diff --git a/target/start-mailserver.sh b/target/start-mailserver.sh
index b289df04..d5562f0d 100644
--- a/target/start-mailserver.sh
+++ b/target/start-mailserver.sh
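Review bot: `sleep 2` does not remove the race the new comment describes, it only makes the window less likely to be hit, so the test stays flaky under load and is two seconds slower on every run. The comment's own alternative is the better fix: poll the same command until it succeeds, e.g. `for _ in {1..10}; do docker exec mail doveadm auth test -x service=smtp setup_email_add@example.com 'test_password' >/dev/null 2>&1 && break; sleep 1; done`, and keep the existing `result=$(…)` assertion unchanged after it. The enclosing test case starts outside the hunk.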
@@ -507,6 +507,25 @@ function _setup_dovecot_hostname() {
 function _setup_dovecot() {
 notify 'task' 'Setting up Dovecot'
 
+ # Moved from docker file, copy or generate default self-signed cert
+ if [ -f /var/mail-state/lib-dovecot/dovecot.pem -a "$ONE_DIR" = 1 ]; then
+ notify 'inf' "Copying default dovecot cert"
+ cp /var/mail-state/lib-dovecot/dovecot.key /etc/dovecot/ssl/
+ cp /var/mail-state/lib-dovecot/dovecot.pem /etc/dovecot/ssl/
+ fi
+ if [ ! -f /etc/dovecot/ssl/dovecot.pem ]; then
+ notify 'inf' "Generating default dovecot cert"
+ pushd /usr/share/dovecot
+ ./mkcert.sh
+ popd
+
+ if [ "$ONE_DIR" = 1 ];then
+ mkdir -p /var/mail-state/lib-dovecot
+ cp /etc/dovecot/ssl/dovecot.key /var/mail-state/lib-dovecot/
+ cp /etc/dovecot/ssl/dovecot.pem /var/mail-state/lib-dovecot/
+ fi
+ fi
+
 cp -a /usr/share/dovecot/protocols.d /etc/dovecot/
 # Disable pop3 (it will be eventually enabled later in the script, if requested)
 mv /etc/dovecot/protocols.d/pop3d.protocol /etc/dovecot/protocols.d/pop3d.protocol.disab
@@ -1003,7 +1022,6 @@ function _setup_ssl() {
 ;;
 * )
 # Unknown option, default behavior, no action is required
- notify 'warn' "SSL configured by default"
 ;;
 esac
 
From a7408b73e04e3bb0dad6c0b4052802b41afbff95 Mon Sep 17 00:00:00 2001
From: Felix Bartels
Date: Mon, 12 Aug 2019 19:31:24 +0200
Subject: [PATCH 4/4] Do not remove dh*.pem as they do not exist at this point in time
Signed-off-by: Felix Bartels
---
 Dockerfile | 4 +---
 test/bats | 2 +-
 2 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 4c30fd08..fc41e7ff 100644
--- a/Dockerfile
+++ b/Dockerfile
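Review bot: Both copies of the private key in the `_setup_dovecot` hunk use plain `cp` (`cp /var/mail-state/lib-dovecot/dovecot.key /etc/dovecot/ssl/` and `cp /etc/dovecot/ssl/dovecot.key /var/mail-state/lib-dovecot/`); `cp` onto a non-existent destination creates the file with the current umask rather than the source mode, so whatever permissions `mkcert.sh` put on `dovecot.key` are not carried into the persisted state volume. Use `cp -p` (or `install -m 0600`) for `dovecot.key` and tighten the directory after the `mkdir -p` with `chmod 0700 /var/mail-state/lib-dovecot`. The restore branch only checks `dovecot.pem`: a state dir holding the cert but not the key fails the first `cp`, still copies the cert, and then skips generation because `/etc/dovecot/ssl/dovecot.pem` now exists, leaving Dovecot a cert without a key (unless the script runs under `set -e`, which this hunk does not show); test for both files, joined with `&&` between two `[ … ]` tests instead of the obsolescent `-a`. `pushd`/`popd` are also unchecked — `( cd /usr/share/dovecot && ./mkcert.sh )` cannot leave the script in the wrong directory.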
@@ -96,9 +96,7 @@ RUN apt-get update -q --fix-missing && \
 touch /var/log/auth.log && \
 update-locale && \
 rm -f /etc/cron.weekly/fstrim && \
- rm -f /etc/postsrsd.secret && \
- rm -f /etc/postfix/dhparams.pem && \
- rm -f /etc/dovecot/dh.pem
+ rm -f /etc/postsrsd.secret
 
 RUN echo "0 */6 * * * clamav /usr/bin/freshclam --quiet" > /etc/cron.d/clamav-freshclam && \
 chmod 644 /etc/clamav/freshclam.conf && \
diff --git a/test/bats b/test/bats
index 1c83a1b1..03608115 160000
--- a/test/bats
+++ b/test/bats
@@ -1 +1 @@
-Subproject commit 1c83a1b1d743075ed8e505ff94e548701f545b73
+Subproject commit 03608115df2071fff4eaaff1605768c275e5f81f