#!/bin/bash # # Mail Service PATH=$HOME/.docker/cli-plugins:/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin config_mail() { echo -ne "\n* Configuring /federated/apps/mail container.." spin & SPINPID=$! if [ ! -d "/federated/apps/mail" ]; then mkdir -p /federated/apps/mail/data/root/certs &> /dev/null mkdir -p /federated/apps/mail/data/var/mail &> /dev/null mkdir -p /federated/apps/mail/data/var/mail-state &> /dev/null mkdir -p /federated/apps/mail/data/var/log/mail &> /dev/null mkdir -p /federated/apps/mail/data/tmp/docker-mailserver &> /dev/null cp /federated/certs/certs/$DOMAIN.crt /federated/certs/private/$DOMAIN.key /federated/apps/mail/data/root/certs/ fi cat > /federated/apps/mail/docker-compose.yml < /federated/apps/mail/.env < /federated/apps/mail/data/tmp/docker-mailserver/postfix-main.cf <<'EOF' smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain, reject_sender_login_mismatch, reject_unknown_reverse_client_hostname, reject_unknown_client_hostname smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_invalid_helo_hostname, check_policy_service unix:private/policyd-spf, reject_rhsbl_helo dbl.spamhaus.org, reject_rhsbl_reverse_client dbl.spamhaus.org, reject_rhsbl_sender dbl.spamhaus.org, reject_rbl_client zen.spamhaus.org smtpd_sender_login_maps = ldap:/etc/postfix/ldap-aliases.cf smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname EOF cat > /federated/apps/mail/data/tmp/docker-mailserver/fail2ban-jail.cf <<'EOF' [DEFAULT] # "bantime" is the number of seconds that a host is banned. bantime = 3h # A host is banned if it has generated "maxretry" during the last "findtime" # seconds. findtime = 5m # "maxretry" is the number of failures before a host get banned. maxretry = 12 # "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban # will not ban a host which matches an address in this list. Several addresses # can be defined using space (and/or comma) separator. ignoreip = 127.0.0.1/8,172.99.0.0/16 # default ban action # nftables-multiport: block IP only on affected port # nftables-allports: block IP on all ports banaction = nftables-allports [dovecot] enabled = true [postfix] enabled = true [postfix-sasl] enabled = true # This jail is used for manual bans. # To ban an IP address use: setup.sh fail2ban ban [custom] enabled = true bantime = 180d port = smtp,pop3,pop3s,imap,imaps,submission,submissions,sieve EOF kill -9 $SPINPID &> /dev/null echo -ne "done." } start_mail() { # Grab the container IP from docker-compose above SERVICE_IP=`grep ipv4_address /federated/apps/mail/docker-compose.yml | awk '{ print $2 }'` # Start service with command to make sure it's up before proceeding start_service "mail" "nc -z $SERVICE_IP 25 &> /dev/null" # Generate the DKIM DNS key and setup docker exec -it mail setup config dkim docker exec -it mail setup config dkim keysize 2048 domain $DOMAIN &> /dev/null [ $? -ne 0 ] && fail "Couldn't generate DKIM record" docker exec -it mail bash -c "setup config dkim domain '$DOMAIN'" [ $? -ne 0 ] && fail "Couldn't setup DKIM domain" # Insert the DKIM DNS TXT entry into /federated/apps/pdns container DKIM_RECORD_STRIP=`cat /federated/apps/mail/data/tmp/docker-mailserver/opendkim/keys/$DOMAIN/mail.txt | sed 's/.*(//'` DKIM_RECORD=`echo $DKIM_RECORD_STRIP | sed 's/).*//'` docker exec -it pdns pdnsutil add-record $DOMAIN mail._domainkey TXT 86400 "$DKIM_RECORD" &> /dev/null [ $? -ne 0 ] && fail "Couldn't insert DKIM record into /federated/apps/pdns container" # Insert the DMARC DNS TXT entry into /federated/apps/pdns container docker exec -it pdns pdnsutil add-record $DOMAIN _dmarc TXT 86400 "\"v=DMARC1; p=quarantine; rua=mailto:admin@$DOMAIN; ruf=mailto:admin@$DOMAIN; sp=none; ri=86400\"" &> /dev/null [ $? -ne 0 ] && fail "Couldn't insert DMARC record into /federated/apps/pdns container" kill -9 $SPINPID &> /dev/null echo -ne "done." }