317 lines
12 KiB
Bash
317 lines
12 KiB
Bash
#!/bin/bash
|
|
#
|
|
# Mail Service
|
|
|
|
PATH=$HOME/.docker/cli-plugins:/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
|
|
|
|
config_mail() {
|
|
echo -ne "* Configuring mail container.."
|
|
|
|
if [ ! -d "/federated/apps/mail" ]; then
|
|
mkdir -p /federated/apps/mail/data/root/certs &> /dev/null
|
|
mkdir -p /federated/apps/mail/data/var/mail &> /dev/null
|
|
mkdir -p /federated/apps/mail/data/var/mail-state &> /dev/null
|
|
mkdir -p /federated/apps/mail/data/var/log/mail &> /dev/null
|
|
mkdir -p /federated/apps/mail/data/tmp/docker-mailserver &> /dev/null
|
|
mkdir -p /federated/apps/mail/data/etc/dovecot/conf.d &> /dev/null
|
|
mkdir -p /federated/apps/mail/data/home &> /dev/null
|
|
cp /federated/certs/certs/$DOMAIN.crt /federated/certs/private/$DOMAIN.key /federated/apps/mail/data/root/certs/
|
|
chgrp 5000 /federated/apps/mail/data/home
|
|
chmod g+rwx /federated/apps/mail/data/home
|
|
fi
|
|
|
|
cat > /federated/apps/mail/docker-compose.yml <<EOF
|
|
services:
|
|
mail:
|
|
image: docker.io/mailserver/docker-mailserver:\${IMAGE_VERSION}
|
|
container_name: mail
|
|
hostname: mail.$DOMAIN
|
|
restart: always
|
|
networks:
|
|
core:
|
|
ipv4_address: 192.168.0.16
|
|
ports:
|
|
- "25:25"
|
|
- "143:143"
|
|
- "465:465"
|
|
- "587:587"
|
|
- "993:993"
|
|
- "4190:4190"
|
|
volumes:
|
|
- ./data/etc/dovecot/conf.d/90-sieve.conf:/etc/dovecot/conf.d/90-sieve.conf
|
|
- ./data/home:/home
|
|
- ./data/root/certs:/root/certs
|
|
- ./data/var/mail:/var/mail/
|
|
- ./data/var/mail-state:/var/mail-state/
|
|
- ./data/var/log/mail:/var/log/mail/
|
|
- ./data/tmp/docker-mailserver:/tmp/docker-mailserver/
|
|
- /etc/localtime:/etc/localtime:ro
|
|
env_file:
|
|
- ./.env
|
|
cap_add:
|
|
- NET_ADMIN
|
|
- SYS_PTRACE
|
|
|
|
networks:
|
|
core:
|
|
external: true
|
|
EOF
|
|
|
|
LDAP_SECRET=`cat /federated/apps/ldap/.ldap.secret`
|
|
|
|
cat > /federated/apps/mail/.env <<EOF
|
|
IMAGE_VERSION="$(current_version mail)"
|
|
ENABLE_SPAMASSASSIN=1
|
|
ENABLE_SPAMASSASSIN_KAM=1
|
|
SPAMASSASSIN_SPAM_TO_INBOX=1
|
|
ENABLE_CLAMAV=0
|
|
ENABLE_FAIL2BAN=1
|
|
ENABLE_POSTGREY=1
|
|
ENABLE_OPENDKIM=1
|
|
ENBALE_OPENDMARC=1
|
|
ONE_DIR=1
|
|
DMS_DEBUG=0
|
|
LOG_LEVEL=debug
|
|
ACCOUNT_PROVISIONER=LDAP
|
|
SSL_TYPE=manual
|
|
SSL_CERT_PATH=/root/certs/$DOMAIN.crt
|
|
SSL_KEY_PATH=/root/certs/$DOMAIN.key
|
|
LDAP_START_TLS=yes
|
|
DOVECOT_TLS=yes
|
|
SASLAUTHD_LDAP_START_TLS=yes
|
|
LDAP_SERVER_HOST=ldap://ldap.$DOMAIN
|
|
LDAP_SEARCH_BASE=ou=people,dc=federatedcomputer,dc=cloud
|
|
LDAP_BIND_DN=cn=admin,dc=federatedcomputer,dc=cloud
|
|
LDAP_BIND_PW=$LDAP_SECRET
|
|
LDAP_QUERY_FILTER_USER=(&(mail=%s)(mailEnabled=TRUE))
|
|
LDAP_QUERY_FILTER_GROUP=(&(mailGroupMember=%s)(mailEnabled=TRUE))
|
|
LDAP_QUERY_FILTER_ALIAS=(&(mailAlias=%s)(mailEnabled=TRUE))
|
|
LDAP_QUERY_FILTER_DOMAIN=(|(mail=*@%s)(mailAlias=*@%s))
|
|
# DOVECOT
|
|
DOVECOT_PASS_FILTER=(&(objectClass=inetOrgPerson)(mail=%u))
|
|
DOVECOT_USER_FILTER=(&(objectClass=inetOrgPerson)(mail=%u))
|
|
DOVECOT_USER_ATTRS=homeDirectory=home,=uid=5000,=gid=5000
|
|
# SASLAUTHD
|
|
ENABLE_SASLAUTHD=1
|
|
SASLAUTHD_MECHANISMS=ldap
|
|
SASLAUTHD_LDAP_SERVER=ldap://ldap.$DOMAIN
|
|
SASLAUTHD_LDAP_BIND_DN=cn=admin,dc=federatedcomputer,dc=cloud
|
|
SASLAUTHD_LDAP_PASSWORD=$LDAP_SECRET
|
|
SASLAUTHD_LDAP_SEARCH_BASE=ou=people,dc=federatedcomputer,dc=cloud
|
|
SASLAUTHD_LDAP_FILTER=(&(objectClass=inetOrgPerson)(mail=%U@%r))
|
|
POSTMASTER_ADDRESS=postmaster@localhost.localdomain
|
|
POSTFIX_MESSAGE_SIZE_LIMIT=100000000
|
|
ENABLE_MANAGESIEVE=1
|
|
EOF
|
|
chmod 600 /federated/apps/mail/.env
|
|
|
|
cat > /federated/apps/mail/data/tmp/docker-mailserver/postfix-main.cf <<'EOF'
|
|
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain, reject_sender_login_mismatch, reject_unknown_reverse_client_hostname, reject_unknown_client_hostname
|
|
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_invalid_helo_hostname, check_policy_service unix:private/policyd-spf
|
|
smtpd_sender_login_maps = ldap:/etc/postfix/ldap-aliases.cf
|
|
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname
|
|
EOF
|
|
|
|
cat > /federated/apps/mail/data/etc/dovecot/conf.d/90-sieve.conf <<'EOF'
|
|
##
|
|
## Settings for the Sieve interpreter
|
|
##
|
|
|
|
# Do not forget to enable the Sieve plugin in 15-lda.conf and 20-lmtp.conf
|
|
# by adding it to the respective mail_plugins= settings.
|
|
|
|
plugin {
|
|
# The path to the user's main active script. If ManageSieve is used, this the
|
|
# location of the symbolic link controlled by ManageSieve.
|
|
sieve = ~/.dovecot.sieve
|
|
|
|
# The default Sieve script when the user has none. This is a path to a global
|
|
# sieve script file, which gets executed ONLY if user's private Sieve script
|
|
# doesn't exist. Be sure to pre-compile this script manually using the sievec
|
|
# command line tool.
|
|
# --> See sieve_before fore executing scripts before the user's personal
|
|
# script.
|
|
#sieve_default = /var/lib/dovecot/sieve/default.sieve
|
|
|
|
# Directory for :personal include scripts for the include extension. This
|
|
# is also where the ManageSieve service stores the user's scripts.
|
|
sieve_dir = ~/sieve
|
|
|
|
# Directory for :global include scripts for the include extension.
|
|
#sieve_global_dir =
|
|
|
|
# Path to a script file or a directory containing script files that need to be
|
|
# executed before the user's script. If the path points to a directory, all
|
|
# the Sieve scripts contained therein (with the proper .sieve extension) are
|
|
# executed. The order of execution within a directory is determined by the
|
|
# file names, using a normal 8bit per-character comparison. Multiple script
|
|
# file or directory paths can be specified by appending an increasing number.
|
|
sieve_before = /usr/lib/dovecot/sieve-global/before/
|
|
#sieve_before2 =
|
|
#sieve_before3 = (etc...)
|
|
|
|
# Identical to sieve_before, only the specified scripts are executed after the
|
|
# user's script (only when keep is still in effect!). Multiple script file or
|
|
# directory paths can be specified by appending an increasing number.
|
|
sieve_after = /usr/lib/dovecot/sieve-global/after/
|
|
#sieve_after2 =
|
|
#sieve_after2 = (etc...)
|
|
|
|
# Which Sieve language extensions are available to users. By default, all
|
|
# supported extensions are available, except for deprecated extensions or
|
|
# those that are still under development. Some system administrators may want
|
|
# to disable certain Sieve extensions or enable those that are not available
|
|
# by default. This setting can use '+' and '-' to specify differences relative
|
|
# to the default. For example `sieve_extensions = +imapflags' will enable the
|
|
# deprecated imapflags extension in addition to all extensions were already
|
|
# enabled by default.
|
|
#sieve_extensions = +notify +imapflags
|
|
sieve_extensions = +notify +imapflags +special-use +vnd.dovecot.pipe +vnd.dovecot.filter
|
|
|
|
# Which Sieve language extensions are ONLY available in global scripts. This
|
|
# can be used to restrict the use of certain Sieve extensions to administrator
|
|
# control, for instance when these extensions can cause security concerns.
|
|
# This setting has higher precedence than the `sieve_extensions' setting
|
|
# (above), meaning that the extensions enabled with this setting are never
|
|
# available to the user's personal script no matter what is specified for the
|
|
# `sieve_extensions' setting. The syntax of this setting is similar to the
|
|
# `sieve_extensions' setting, with the difference that extensions are
|
|
# enabled or disabled for exclusive use in global scripts. Currently, no
|
|
# extensions are marked as such by default.
|
|
#sieve_global_extensions =
|
|
|
|
# The Pigeonhole Sieve interpreter can have plugins of its own. Using this
|
|
# setting, the used plugins can be specified. Check the Dovecot wiki
|
|
# (wiki2.dovecot.org) or the pigeonhole website
|
|
# (http://pigeonhole.dovecot.org) for available plugins.
|
|
# The sieve_extprograms plugin is included in this release.
|
|
#sieve_plugins =
|
|
sieve_plugins = sieve_imapsieve sieve_extprograms
|
|
|
|
# The separator that is expected between the :user and :detail
|
|
# address parts introduced by the subaddress extension. This may
|
|
# also be a sequence of characters (e.g. '--'). The current
|
|
# implementation looks for the separator from the left of the
|
|
# localpart and uses the first one encountered. The :user part is
|
|
# left of the separator and the :detail part is right. This setting
|
|
# is also used by Dovecot's LMTP service.
|
|
#recipient_delimiter = +
|
|
|
|
# The maximum size of a Sieve script. The compiler will refuse to compile any
|
|
# script larger than this limit. If set to 0, no limit on the script size is
|
|
# enforced.
|
|
#sieve_max_script_size = 1M
|
|
|
|
# The maximum number of actions that can be performed during a single script
|
|
# execution. If set to 0, no limit on the total number of actions is enforced.
|
|
#sieve_max_actions = 32
|
|
|
|
# The maximum number of redirect actions that can be performed during a single
|
|
# script execution. If set to 0, no redirect actions are allowed.
|
|
#sieve_max_redirects = 4
|
|
|
|
# The maximum number of personal Sieve scripts a single user can have. If set
|
|
# to 0, no limit on the number of scripts is enforced.
|
|
# (Currently only relevant for ManageSieve)
|
|
#sieve_quota_max_scripts = 0
|
|
|
|
# The maximum amount of disk storage a single user's scripts may occupy. If
|
|
# set to 0, no limit on the used amount of disk storage is enforced.
|
|
# (Currently only relevant for ManageSieve)
|
|
#sieve_quota_max_storage = 0
|
|
|
|
# Locations of programs that can be called by the sieve_extprograms plugin
|
|
sieve_pipe_bin_dir = /usr/lib/dovecot/sieve-pipe
|
|
sieve_filter_bin_dir = /usr/lib/dovecot/sieve-filter
|
|
sieve_vacation_send_from_recipient = yes
|
|
}
|
|
EOF
|
|
|
|
cat > /federated/apps/mail/data/tmp/docker-mailserver/fail2ban-jail.cf <<'EOF'
|
|
[DEFAULT]
|
|
|
|
# "bantime" is the number of seconds that a host is banned.
|
|
bantime = 3h
|
|
|
|
# A host is banned if it has generated "maxretry" during the last "findtime"
|
|
# seconds.
|
|
findtime = 5m
|
|
|
|
# "maxretry" is the number of failures before a host get banned.
|
|
maxretry = 12
|
|
|
|
# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
|
|
# will not ban a host which matches an address in this list. Several addresses
|
|
# can be defined using space (and/or comma) separator.
|
|
ignoreip = 127.0.0.1/8,192.168.0.0/16
|
|
|
|
# default ban action
|
|
# nftables-multiport: block IP only on affected port
|
|
# nftables-allports: block IP on all ports
|
|
banaction = nftables-allports
|
|
|
|
[dovecot]
|
|
enabled = true
|
|
|
|
[postfix]
|
|
enabled = true
|
|
|
|
[postfix-sasl]
|
|
enabled = true
|
|
|
|
# This jail is used for manual bans.
|
|
# To ban an IP address use: setup.sh fail2ban ban <IP>
|
|
[custom]
|
|
enabled = true
|
|
bantime = 180d
|
|
port = smtp,pop3,pop3s,imap,imaps,submission,submissions,sieve
|
|
EOF
|
|
|
|
echo -ne "done.\n"
|
|
}
|
|
start_mail() {
|
|
# Start service with command to make sure it's up before proceeding
|
|
start_service "mail" "nc -z 192.168.0.16 25 &> /dev/null" "25"
|
|
|
|
# Generate the DKIM DNS key and setup
|
|
run_command "docker exec mail setup config dkim"
|
|
run_command "docker exec mail setup config dkim keysize 2048 domain $DOMAIN"
|
|
|
|
docker exec mail bash -c "setup config dkim domain '$DOMAIN' &> /dev/null"
|
|
[ $? -ne 0 ] && fail "Couldn't setup DKIM domain"
|
|
|
|
# Insert the DKIM DNS TXT entry into /federated/apps/pdns container
|
|
DKIM_RECORD_STRIP=`cat /federated/apps/mail/data/tmp/docker-mailserver/opendkim/keys/$DOMAIN/mail.txt | sed 's/.*(//'`
|
|
DKIM_RECORD=`echo $DKIM_RECORD_STRIP | sed 's/).*//'`
|
|
docker exec pdns pdnsutil add-record $DOMAIN mail._domainkey TXT 86400 "$DKIM_RECORD" &> /dev/null
|
|
[ $? -ne 0 ] && fail "Couldn't insert DKIM record into /federated/apps/pdns container"
|
|
|
|
# Insert the DMARC DNS TXT entry into /federated/apps/pdns container
|
|
docker exec pdns pdnsutil add-record $DOMAIN _dmarc TXT 86400 "\"v=DMARC1; p=quarantine; rua=mailto:admin@$DOMAIN; ruf=mailto:admin@$DOMAIN; sp=none; ri=86400\"" &> /dev/null
|
|
[ $? -ne 0 ] && fail "Couldn't insert DMARC record into /federated/apps/pdns container"
|
|
|
|
# Stop and Start mail to reload DKIM
|
|
run_command "/federated/bin/stop mail"
|
|
run_command "/federated/bin/start mail"
|
|
|
|
echo -ne "done.\n"
|
|
}
|
|
uninstall_mail() {
|
|
echo -ne "* Uninstalling mail container.."
|
|
|
|
# First stop the service
|
|
cd /federated/apps/mail && docker compose -f docker-compose.yml -p mail down &> /dev/null
|
|
|
|
# Delete the app directory
|
|
rm -rf /federated/apps/mail
|
|
|
|
# Delete the image
|
|
docker.io/mailserver/docker-mailserver:$IMAGE_VERSION &> /dev/null
|
|
|
|
# Delete the DNS record
|
|
docker exec pdns pdnsutil delete-rrset $DOMAIN mail._domainkey TXT
|
|
docker exec pdns pdnsutil delete-rrset $DOMAIN _dmarc TXT
|
|
|
|
echo -ne "done.\n"
|
|
}
|