Fix: Add SRS to fix SPF issues on redirect #611 (#814)

* add srs support * change autorestart behavior * this may work now * make postsrsd’s own wrapper file * fix dockerfile formatting * fixing tests
2024-05-19 14:16:06 +02:00 · 2018-02-06 08:11:57 +01:00 · 2018-02-06 08:11:57 +01:00 · e1e4542390
parent 3b7fc5930c
commit e1e4542390
6 changed files with 70 additions and 3 deletions
--- a/6
+++ b/6
@ -54,6 +54,7 @@ RUN apt-get update -q --fix-missing && \
    postfix-ldap \
    postfix-pcre \
    postfix-policyd-spf-python \
+    postsrsd \
    pyzor \
    razor \
    ripole \
@ -134,6 +135,9 @@ RUN chmod 755 /etc/init.d/postgrey && \
  mkdir /var/run/postgrey && \
  chown postgrey:postgrey /var/run/postgrey

+# Copy PostSRSd Config
+COPY target/postsrsd/postsrsd /etc/default/postsrsd
+
 # Enables Amavis
 COPY target/amavis/conf.d/* /etc/amavis/conf.d/
 RUN sed -i -r 's/#(@|   \\%)bypass/\1bypass/g' /etc/amavis/conf.d/15-content_filter_mode && \
@ -200,7 +204,7 @@ RUN curl -s https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > /et

 COPY ./target/bin /usr/local/bin
 # Start-mailserver script
-COPY ./target/check-for-changes.sh ./target/start-mailserver.sh ./target/fail2ban-wrapper.sh ./target/postfix-wrapper.sh ./target/docker-configomat/configomat.sh /usr/local/bin/
+COPY ./target/check-for-changes.sh ./target/start-mailserver.sh ./target/fail2ban-wrapper.sh ./target/postfix-wrapper.sh ./target/postsrsd-wrapper.sh ./target/docker-configomat/configomat.sh /usr/local/bin/
 RUN chmod +x /usr/local/bin/*

 # Configure supervisor
--- a/target/postfix/main.cf
+++ b/target/postfix/main.cf
@ -98,3 +98,9 @@ policyd-spf_time_limit = 3600

 # Remove unwanted headers that reveail our privacy
 smtp_header_checks = pcre:/etc/postfix/maps/sender_header_filter.pcre
+
+# postSRSd rules to process spf mail forwarding
+sender_canonical_maps = tcp:localhost:10001
+sender_canonical_classes = envelope_sender
+recipient_canonical_maps = tcp:localhost:10002
+recipient_canonical_classes = envelope_recipient,header_recipient
--- a/target/postsrsd-wrapper.sh
+++ b/target/postsrsd-wrapper.sh
@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+# postsrsd-wrapper.sh, version 0.1.0
+
+DOMAINNAME="$(hostname -d)"
+sed -i -e "s/localdomain/$DOMAINNAME/g" /etc/default/postsrsd
+
+/etc/init.d/postsrsd start
+
--- a/target/postsrsd/postsrsd
+++ b/target/postsrsd/postsrsd
@ -0,0 +1,41 @@
+# Default settings for postsrsd
+
+# Local domain name.
+# Addresses are rewritten to originate from this domain. The default value
+# is taken from `postconf -h mydomain` and probably okay.
+#
+SRS_DOMAIN=localdomain
+
+# Exclude additional domains.
+# You may list domains which shall not be subjected to address rewriting.
+# If a domain name starts with a dot, it matches all subdomains, but not
+# the domain itself. Separate multiple domains by space or comma.
+#
+#SRS_EXCLUDE_DOMAINS=.example.com,example.org
+
+# First separator character after SRS0 or SRS1.
+# Can be one of: -+=
+SRS_SEPARATOR==
+
+# Secret key to sign rewritten addresses.
+# When postsrsd is installed for the first time, a random secret is generated
+# and stored in /etc/postsrsd.secret. For most installations, that's just fine.
+#
+SRS_SECRET=/etc/postsrsd.secret
+
+# Local ports for TCP list.
+# These ports are used to bind the TCP list for postfix. If you change
+# these, you have to modify the postfix settings accordingly. The ports
+# are bound to the loopback interface, and should never be exposed on
+# the internet.
+#
+SRS_FORWARD_PORT=10001
+SRS_REVERSE_PORT=10002
+
+# Drop root privileges and run as another user after initialization.
+# This is highly recommended as postsrsd handles untrusted input.
+#
+RUN_AS=postsrsd
+
+# Jail daemon in chroot environment
+CHROOT=/var/lib/postsrsd
--- a/target/supervisor/conf.d/supervisor-app.conf
+++ b/target/supervisor/conf.d/supervisor-app.conf
@ -121,3 +121,11 @@ autorestart=true
 stdout_logfile=/var/log/supervisor/%(program_name)s.log
 stderr_logfile=/var/log/supervisor/%(program_name)s.log
 command=/usr/local/bin/check-for-changes.sh
+
+[program:postsrsd]
+startsecs=0
+autostart=true
+autorestart=unexpected
+stdout_logfile=/var/log/supervisor/%(program_name)s.log
+stderr_logfile=/var/log/supervisor/%(program_name)s.log
+command=/usr/local/bin/postsrsd-wrapper.sh
--- a/test/tests.bats
+++ b/test/tests.bats
@ -345,13 +345,13 @@ load 'test_helper/bats-assert/load'
 }

@test "checking smtp: rejects spam" {
-  run docker exec mail /bin/sh -c "grep 'Blocked SPAM' /var/log/mail/mail.log | grep spam@external.tld | wc -l"
+  run docker exec mail /bin/sh -c "grep 'Blocked SPAM' /var/log/mail/mail.log | grep external.tld=spam@my-domain.com | wc -l"
  assert_success
  assert_output 1
 }

@test "checking smtp: rejects virus" {
-  run docker exec mail /bin/sh -c "grep 'Blocked INFECTED' /var/log/mail/mail.log | grep virus@external.tld | wc -l"
+  run docker exec mail /bin/sh -c "grep 'Blocked INFECTED' /var/log/mail/mail.log | grep external.tld=virus@my-domain.com | wc -l"
  assert_success
  assert_output 1
 }