Move all directories per theme

2017-11-01 12:11:04 +01:00
parent 26da4f306d
commit 689be5f2d9
210 changed files with 3 additions and 3 deletions
--- a/core/postfix/Dockerfile
+++ b/core/postfix/Dockerfile
@@ -0,0 +1,8 @@
+FROM alpine
+
+RUN apk add --no-cache postfix postfix-sqlite postfix-pcre rsyslog python py-jinja2
+
+COPY conf /conf
+COPY start.py /start.py
+
+CMD /start.py
--- a/core/postfix/conf/main.cf
+++ b/core/postfix/conf/main.cf
@@ -0,0 +1,103 @@
+###############
+# General
+###############
+
+# Main domain and hostname
+mydomain = {{ DOMAIN }}
+myhostname = {{ HOSTNAMES.split(",")[0] }}
+myorigin = $mydomain
+
+# Queue location
+queue_directory = /queue
+
+# Message size limit
+message_size_limit = {{ MESSAGE_SIZE_LIMIT }}
+
+# Relayed networks
+mynetworks = 127.0.0.1/32 [::1]/128 {{ RELAYNETS }}
+
+# Empty alias list to override the configuration variable and disable NIS
+alias_maps =
+
+# SQLite configuration
+sql = sqlite:${config_directory}/
+
+# Only accept virtual emails
+mydestination =
+
+# Relayhost if any is configured
+relayhost = {{ RELAYHOST }}
+
+# Recipient delimiter for extended addresses
+recipient_delimiter = {{ RECIPIENT_DELIMITER }}
+
+# Only the front server is allowed to perform xclient
+smtpd_authorized_xclient_hosts={{ FRONT_ADDRESS }}
+
+###############
+# TLS
+###############
+
+# General TLS configuration
+tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
+tls_preempt_cipherlist = yes
+tls_ssl_options = NO_COMPRESSION
+
+# Outgoing TLS is more flexible because 1. not all receiving servers will
+# support TLS, 2. not all will have and up-to-date TLS stack.
+smtp_tls_security_level = may
+smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
+smtp_tls_protocols =!SSLv2,!SSLv3
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+
+###############
+# Virtual
+###############
+
+# The alias map actually returns both aliases and local mailboxes, which is
+# required for reject_unlisted_sender to work properly
+virtual_alias_maps = ${sql}sqlite-virtual_alias_maps.cf
+virtual_mailbox_domains = ${sql}sqlite-virtual_mailbox_domains.cf
+virtual_mailbox_maps = $virtual_alias_maps
+
+# Mails are transported if required, then forwarded to Dovecot for delivery
+transport_maps = ${sql}sqlite-transport.cf
+virtual_transport = lmtp:inet:imap:2525
+
+# In order to prevent Postfix from running DNS query, enforce the use of the
+# native DNS stack, that will check /etc/hosts properly.
+lmtp_host_lookup = native
+
+###############
+# Restrictions
+###############
+
+# Delay all rejects until all information can be logged
+smtpd_delay_reject = yes
+
+# Allowed senders are: the user or one of the alias destinations
+smtpd_sender_login_maps = $virtual_alias_maps
+
+# Restrictions for incoming SMTP, other restrictions are applied in master.cf
+smtpd_helo_required = yes
+
+smtpd_recipient_restrictions =
+  permit_mynetworks,
+  check_sender_access ${sql}sqlite-reject-spoofed.cf,
+  reject_non_fqdn_sender,
+  reject_unknown_sender_domain,
+  reject_unknown_recipient_domain,
+  permit
+
+###############
+# Milter
+###############
+
+smtpd_milters = inet:milter:9900
+milter_protocol = 6
+milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
+milter_default_action = tempfail
+
+###############
+# Extra Settings
+###############
--- a/core/postfix/conf/master.cf
+++ b/core/postfix/conf/master.cf
@@ -0,0 +1,34 @@
+# service type  private unpriv  chroot  wakeup  maxproc command + args
+#               (yes)   (yes)   (yes)   (never) (100)
+
+# Exposed SMTP service
+smtp      inet  n       -       n       -       -       smtpd
+
+# Internal SMTP service
+10025     inet  n       -       n       -       -       smtpd
+  -o smtpd_sasl_auth_enable=yes
+  -o smtpd_recipient_restrictions=reject_unlisted_sender,reject_sender_login_mismatch,permit
+  -o cleanup_service_name=outclean
+outclean  unix n       -       n       -       0       cleanup
+  -o header_checks=pcre:/etc/postfix/outclean_header_filter.cf
+
+# Internal postfix services
+pickup    unix  n       -       n       60      1       pickup
+cleanup   unix  n       -       n       -       0       cleanup
+qmgr      unix  n       -       n       300     1       qmgr
+tlsmgr    unix  -       -       n       1000?   1       tlsmgr
+rewrite   unix  -       -       n       -       -       trivial-rewrite
+bounce    unix  -       -       n       -       0       bounce
+defer     unix  -       -       n       -       0       bounce
+trace     unix  -       -       n       -       0       bounce
+verify    unix  -       -       n       -       1       verify
+flush     unix  n       -       n       1000?   0       flush
+proxymap  unix  -       -       n       -       -       proxymap
+smtp      unix  -       -       n       -       -       smtp
+relay     unix  -       -       n       -       -       smtp
+error     unix  -       -       n       -       -       error
+retry     unix  -       -       n       -       -       error
+discard   unix  -       -       n       -       -       discard
+lmtp      unix  -       -       n       -       -       lmtp
+anvil     unix  -       -       n       -       1       anvil
+scache    unix  -       -       n       -       1       scache
--- a/core/postfix/conf/outclean_header_filter.cf
+++ b/core/postfix/conf/outclean_header_filter.cf
@@ -0,0 +1,17 @@
+# This configuration was copied from Mailinabox. The original version is available at:
+# https://raw.githubusercontent.com/mail-in-a-box/mailinabox/master/conf/postfix_outgoing_mail_header_filters
+
+# Remove the first line of the Received: header. Note that we cannot fully remove the Received: header
+# because OpenDKIM requires that a header be present when signing outbound mail. The first line is
+# where the user's home IP address would be.
+/^\s*Received:[^\n]*(.*)/         REPLACE Received: from authenticated-user (PRIMARY_HOSTNAME [PUBLIC_IP])$1
+
+# Remove other typically private information.
+/^\s*User-Agent:/        IGNORE
+/^\s*X-Enigmail:/        IGNORE
+/^\s*X-Mailer:/          IGNORE
+/^\s*X-Originating-IP:/  IGNORE
+/^\s*X-Pgp-Agent:/       IGNORE
+
+# The Mime-Version header can leak the user agent too, e.g. in Mime-Version: 1.0 (Mac OS X Mail 8.1 \(2010.6\)).
+/^\s*(Mime-Version:\s*[0-9\.]+)\s.+/  REPLACE $1
--- a/core/postfix/conf/rsyslog.conf
+++ b/core/postfix/conf/rsyslog.conf
@@ -0,0 +1,4 @@
+$ModLoad imuxsock
+$template noTimestampFormat,"%syslogtag%%msg%\n"
+$ActionFileDefaultTemplate noTimestampFormat
+*.*;auth,authpriv.none /dev/stdout
--- a/core/postfix/conf/sqlite-reject-spoofed.cf
+++ b/core/postfix/conf/sqlite-reject-spoofed.cf
@@ -0,0 +1,5 @@
+dbpath = /data/main.db
+query =
+  SELECT 'REJECT' FROM domain WHERE name='%s'
+  UNION
+  SELECT 'REJECT' FROM alternative WHERE name='%s'
--- a/core/postfix/conf/sqlite-transport.cf
+++ b/core/postfix/conf/sqlite-transport.cf
@@ -0,0 +1,3 @@
+dbpath = /data/main.db
+query =
+  SELECT 'smtp:['||smtp||']' FROM relay WHERE name='%s'
--- a/core/postfix/conf/sqlite-virtual_alias_maps.cf
+++ b/core/postfix/conf/sqlite-virtual_alias_maps.cf
@@ -0,0 +1,23 @@
+dbpath = /data/main.db
+query =
+  SELECT destination
+   FROM
+     (SELECT destination, email, wildcard, localpart FROM alias
+      UNION
+      SELECT (CASE WHEN forward_enabled=1 THEN (CASE WHEN forward_keep=1 THEN email||',' ELSE '' END)||forward_destination ELSE email END) AS destination, email, 0 as wildcard, localpart FROM user
+      UNION
+      SELECT '@'||domain_name as destination, '@'||name as email, 0 as wildcard, '' as localpart FROM alternative)
+   WHERE
+     (
+      wildcard = 0
+      AND
+      email = '%s'
+     ) OR (
+      wildcard = 1
+      AND
+      '%s' LIKE email
+     )
+   ORDER BY
+     wildcard ASC,
+     length(localpart) DESC
+   LIMIT 1
--- a/core/postfix/conf/sqlite-virtual_mailbox_domains.cf
+++ b/core/postfix/conf/sqlite-virtual_mailbox_domains.cf
@@ -0,0 +1,5 @@
+dbpath = /data/main.db
+query =
+  SELECT name FROM domain WHERE name='%s'
+  UNION
+  SELECT name FROM alternative WHERE name='%s'
--- a/core/postfix/start.py
+++ b/core/postfix/start.py
@@ -0,0 +1,38 @@
+#!/usr/bin/python
+
+import jinja2
+import os
+import socket
+import glob
+import shutil
+	
+convert = lambda src, dst: open(dst, "w").write(jinja2.Template(open(src).read()).render(**os.environ))
+
+# Actual startup script
+os.environ["FRONT_ADDRESS"] = socket.gethostbyname("front")
+
+for postfix_file in glob.glob("/conf/*.cf"):
+    convert(postfix_file, os.path.join("/etc/postfix", os.path.basename(postfix_file)))
+
+if os.path.exists("/overrides/postfix.cf"):
+    for line in open("/overrides/postfix.cf").read().strip().split("\n"):
+        os.system('postconf -e "{}"'.format(line))
+
+if os.path.exists("/overrides/postfix.master"):
+    for line in open("/overrides/postfix.master").read().strip().split("\n"):
+        os.system('postconf -Me "{}"'.format(line))
+
+for map_file in glob.glob("/overrides/*.map"):
+    destination = os.path.join("/etc/postfix", os.path.basename(map_file))
+    shutil.copyfile(map_file, destination)
+    os.system("postmap {}".format(destination))
+    os.remove(destination)
+
+convert("/conf/rsyslog.conf", "/etc/rsyslog.conf")
+
+# Run postfix
+if os.path.exists("/var/run/rsyslogd.pid"):
+    os.remove("/var/run/rsyslogd.pid")
+os.system("/usr/lib/postfix/post-install meta_directory=/etc/postfix create-missing")
+os.system("/usr/lib/postfix/master &")
+os.execv("/usr/sbin/rsyslogd", ["rsyslogd", "-n"])