From b3ac14327a52f34dbddefdf59786b85a9b554e3e Mon Sep 17 00:00:00 2001
From: vcazsdk
Date: Mon, 29 Aug 2022 15:42:53 +0200
Subject: [PATCH 1/9] Update ubuntu and sasl_xoauth2 version
---
 .github/workflows/master.yml | 1 +
 Dockerfile | 1 +
 2 files changed, 2 insertions(+)
diff --git a/.github/workflows/master.yml b/.github/workflows/master.yml
index 2de4c29..d0e5d0e 100644
--- a/.github/workflows/master.yml
+++ b/.github/workflows/master.yml
@@ -129,6 +129,7 @@ jobs:
 cache-to: type=local,dest=/tmp/.buildx-cache-new/ubuntu
 build-args: |
 BASE_IMAGE=ubuntu:impish
+ BASE_IMAGE=ubuntu:focal
 - name: Move cache
 run: |
diff --git a/Dockerfile b/Dockerfile
index 3db3c67..c419eb3 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -28,6 +28,7 @@ FROM base AS sasl
 ARG TARGETPLATFORM
 ARG SASL_XOAUTH2_REPO_URL=https://github.com/tarickb/sasl-xoauth2.git
 ARG SASL_XOAUTH2_GIT_REF=release-0.12
+ARG SASL_XOAUTH2_GIT_REF=release-0.14
 # --mount=type=cache,target=/var/cache/apk,sharing=locked,id=var-cache-apk-$TARGETPLATFORM \
 # --mount=type=cache,target=/etc/apk/cache,sharing=locked,id=etc-apk-cache-$TARGETPLATFORM \
From 0c33001e9f0fb90ad6da7e88231c262b9c8991da Mon Sep 17 00:00:00 2001
From: vcazsdk
Date: Mon, 29 Aug 2022 15:44:43 +0200
Subject: [PATCH 2/9] Fix network error: disable postfix chroot
---
 Dockerfile | 1 +
 configs/master.cf | 127 ++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 128 insertions(+)
 create mode 100644 configs/master.cf
diff --git a/Dockerfile b/Dockerfile
index c419eb3..7977a83 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -49,6 +49,7 @@ COPY /configs/supervisord.conf /etc/supervisord.conf
 COPY /configs/rsyslog*.conf /etc/
 COPY /configs/opendkim.conf /etc/opendkim/opendkim.conf
 COPY /configs/smtp_header_checks /etc/postfix/smtp_header_checks
+COPY /configs/master.cf /etc/postfix/master.cf
 COPY /scripts/* /scripts/
 RUN chmod +x /scripts/*
diff --git a/configs/master.cf b/configs/master.cf
new file mode 100644
index 0000000..c6ee8bc
--- /dev/null
+++ b/configs/master.cf 
@@ -0,0 +1,127 @@ +# +# Postfix master process configuration file. For details on the format +# of the file, see the master(5) manual page (command: "man 5 master" or +# on-line: http://www.postfix.org/master.5.html). +# +# Do not forget to execute "postfix reload" after editing this file. +# +# ========================================================================== +# service type private unpriv chroot wakeup maxproc command + args +# (yes) (yes) (no) (never) (100) +# ========================================================================== +smtp inet n - n - - smtpd +#smtp inet n - n - 1 postscreen +#smtpd pass - - n - - smtpd +#dnsblog unix - - n - 0 dnsblog +#tlsproxy unix - - n - 0 tlsproxy +submission inet n - n - - smtpd +# -o syslog_name=postfix/submission +# -o smtpd_tls_security_level=encrypt +# -o smtpd_sasl_auth_enable=yes +# -o smtpd_tls_auth_only=yes +# -o smtpd_reject_unlisted_recipient=no +# -o smtpd_client_restrictions=$mua_client_restrictions +# -o smtpd_helo_restrictions=$mua_helo_restrictions +# -o smtpd_sender_restrictions=$mua_sender_restrictions +# -o smtpd_recipient_restrictions= +# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject +# -o milter_macro_daemon_name=ORIGINATING +#smtps inet n - n - - smtpd +# -o syslog_name=postfix/smtps +# -o smtpd_tls_wrappermode=yes +# -o smtpd_sasl_auth_enable=yes +# -o smtpd_reject_unlisted_recipient=no +# -o smtpd_client_restrictions=$mua_client_restrictions +# -o smtpd_helo_restrictions=$mua_helo_restrictions +# -o smtpd_sender_restrictions=$mua_sender_restrictions +# -o smtpd_recipient_restrictions= +# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject +# -o milter_macro_daemon_name=ORIGINATING +#628 inet n - n - - qmqpd +pickup unix n - n 60 1 pickup +cleanup unix n - n - 0 cleanup +qmgr unix n - n 300 1 qmgr +#qmgr unix n - n 300 1 oqmgr +tlsmgr unix - - n 1000? 
1 tlsmgr +rewrite unix - - n - - trivial-rewrite +bounce unix - - n - 0 bounce +defer unix - - n - 0 bounce +trace unix - - n - 0 bounce +verify unix - - n - 1 verify +flush unix n - n 1000? 0 flush +proxymap unix - - n - - proxymap +proxywrite unix - - n - 1 proxymap +smtp unix - - n - - smtp +relay unix - - n - - smtp + -o syslog_name=postfix/$service_name +# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 +showq unix n - n - - showq +error unix - - n - - error +retry unix - - n - - error +discard unix - - n - - discard +local unix - n n - - local +virtual unix - n n - - virtual +lmtp unix - - n - - lmtp +anvil unix - - n - 1 anvil +scache unix - - n - 1 scache +postlog unix-dgram n - n - 1 postlogd +# +# ==================================================================== +# Interfaces to non-Postfix software. Be sure to examine the manual +# pages of the non-Postfix software to find out what options it wants. +# +# Many of the following services use the Postfix pipe(8) delivery +# agent. See the pipe(8) man page for information about ${recipient} +# and other message envelope options. +# ==================================================================== +# +# maildrop. See the Postfix MAILDROP_README file for details. +# Also specify in main.cf: maildrop_destination_recipient_limit=1 +# +maildrop unix - n n - - pipe + flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient} +# +# ==================================================================== +# +# Recent Cyrus versions can use the existing "lmtp" master.cf entry. 
+# +# Specify in cyrus.conf: +# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4 +# +# Specify in main.cf one or more of the following: +# mailbox_transport = lmtp:inet:localhost +# virtual_transport = lmtp:inet:localhost +# +# ==================================================================== +# +# Cyrus 2.1.5 (Amos Gouaux) +# Also specify in main.cf: cyrus_destination_recipient_limit=1 +# +#cyrus unix - n n - - pipe +# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user} +# +# ==================================================================== +# Old example of delivery via Cyrus. +# +#old-cyrus unix - n n - - pipe +# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user} +# +# ==================================================================== +# +# See the Postfix UUCP_README file for configuration details. +# +uucp unix - n n - - pipe + flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient) +# +# Other external delivery methods. +# +ifmail unix - n n - - pipe + flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) +bsmtp unix - n n - - pipe + flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient +scalemail-backend unix - n n - 2 pipe + flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension} +mailman unix - n n - - pipe + flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py + ${nexthop} ${user} + From e2d1a5de15c9a1b1bb305c4e496f2d1bc2340587 Mon Sep 17 00:00:00 2001 From: vcazsdk Date: Mon, 29 Aug 2022 15:46:55 +0200 Subject: [PATCH 3/9] Fix run error: dependency missing --- build-scripts/postfix-install.sh | 2 +- build-scripts/sasl-build.sh | 10 ++++++++-- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/build-scripts/postfix-install.sh b/build-scripts/postfix-install.sh index 6e80f95..32c3c7c 100644 --- a/build-scripts/postfix-install.sh +++ b/build-scripts/postfix-install.sh 
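Review bot: The `submission` entry keeps every hardening override commented out (`-o smtpd_tls_security_level=encrypt`, `-o smtpd_tls_auth_only=yes`, `-o smtpd_sasl_auth_enable=yes`, `-o smtpd_relay_restrictions=permit_sasl_authenticated,reject`), so port 587 is configured exactly like port 25 and whatever SASL/TLS policy main.cf sets applies to both listeners. If SASL authentication is meant for submitting clients, uncommenting those overrides scopes AUTH to 587 and refuses credentials on an unencrypted session; main.cf is not on this page, so whether `smtpd_tls_auth_only` is set elsewhere could not be checked. A short header comment stating why the chroot column is `n` for every service (the name-resolution problem the commit title refers to) would also help the next editor, since the file otherwise reads as a stock master.cf.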
@@ -17,7 +17,7 @@ do_ubuntu() {
 apt-get install -y libsasl2-modules
 apt-get install -y postfix
 apt-get install -y opendkim
- apt-get install -y ca-certificates tzdata supervisor rsyslog bash opendkim-tools curl libcurl4 postfix-lmdb netcat
+ apt-get install -y ca-certificates tzdata supervisor rsyslog bash opendkim-tools curl libcurl4 libjsoncpp1 postfix-lmdb netcat
 }
 if [ -f /etc/alpine-release ]; then
diff --git a/build-scripts/sasl-build.sh b/build-scripts/sasl-build.sh
index a0161b8..433de95 100644
--- a/build-scripts/sasl-build.sh
+++ b/build-scripts/sasl-build.sh
@@ -6,9 +6,15 @@ do_build() {
 cd /sasl-xoauth2
 mkdir build
 cd build
- cmake -DCMAKE_INSTALL_PREFIX=/ ..
+ if [ -f /etc/alpine-release ]; then
+ cmake -DCMAKE_INSTALL_PREFIX=/ ..
+ else
+ cmake -DCMAKE_INSTALL_PREFIX=/usr ..
+ fi
 make
 make install
+ install ../scripts/postfix-sasl-xoauth2-update-ca-certs /etc/ca-certificates/update.d
+ update-ca-certificates
 }
 if [ -f /etc/alpine-release ]; then
@@ -18,7 +24,7 @@ if [ -f /etc/alpine-release ]; then
 else
 . /etc/lsb-release
 apt-get update -y -qq
- LIBS="git build-essential cmake pkg-config libcurl4 libcurl4-openssl-dev libssl-dev libjsoncpp-dev libsasl2-dev"
+ LIBS="git build-essential cmake pkg-config libcurl4-openssl-dev libssl-dev libjsoncpp-dev libsasl2-dev"
 apt-get install -y --no-install-recommends ${LIBS}
 do_build
 apt-get remove --purge -y ${LIBS}
From 33c70f080dda34a776e9fb93bf87c420bf0de3b5 Mon Sep 17 00:00:00 2001
From: vcazsdk
Date: Mon, 29 Aug 2022 15:49:08 +0200
Subject: [PATCH 4/9] Add smtpd sender sasl authentication
---
 build-scripts/postfix-install.sh | 2 +-
 scripts/common-run.sh | 34 +++++++++++++++++++++++++++++++-
 scripts/run.sh | 1 +
 3 files changed, 35 insertions(+), 2 deletions(-)
diff --git a/build-scripts/postfix-install.sh b/build-scripts/postfix-install.sh
index 32c3c7c..f10da5b 100644
--- a/build-scripts/postfix-install.sh
+++ b/build-scripts/postfix-install.sh
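Review bot: The new `install ../scripts/postfix-sasl-xoauth2-update-ca-certs /etc/ca-certificates/update.d` in do_build assumes that directory already exists in the build stage; if it does not, `install` either fails or, when only the parent exists, copies the hook to a regular file named `update.d`, and nothing in the hunk checks which of the two happened. Creating the directory first, `install -d /etc/ca-certificates/update.d && install ../scripts/postfix-sasl-xoauth2-update-ca-certs /etc/ca-certificates/update.d`, makes the step deterministic on both the Alpine and the Ubuntu branch. do_build also runs inside the `sasl` build stage (commit 1's Dockerfile hunk shows `FROM base AS sasl`), so the hook and the result of `update-ca-certificates` only reach the runtime image if a later stage copies them; that copy is not visible on this page and is worth confirming. The `/etc/alpine-release` test now appears three times in this file, so a small `is_alpine()` helper would keep the prefix choice and the package branches in one place.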
@@ -17,7 +17,7 @@ do_ubuntu() {
 apt-get install -y libsasl2-modules
 apt-get install -y postfix
 apt-get install -y opendkim
- apt-get install -y ca-certificates tzdata supervisor rsyslog bash opendkim-tools curl libcurl4 libjsoncpp1 postfix-lmdb netcat
+ apt-get install -y ca-certificates tzdata supervisor rsyslog bash opendkim-tools curl libcurl4 libjsoncpp1 sasl2-bin postfix-lmdb netcat
 }
 if [ -f /etc/alpine-release ]; then
diff --git a/scripts/common-run.sh b/scripts/common-run.sh
index a63dfb6..80e19a8 100755
--- a/scripts/common-run.sh
+++ b/scripts/common-run.sh
@@ -306,6 +306,33 @@ postfix_setup_xoauth2_post_setup() {
 fi
 }
+postfix_setup_smtpd_sasl_auth() {
+ if [ ! -z "$SMTPD_SASL_USERS" ]; then
+ info "Enable smtpd sasl auth."
+ do_postconf -e "smtpd_sasl_auth_enable=yes"
+ do_postconf -e "broken_sasl_auth_clients=yes"
+
+ [ ! -d /etc/postfix/sasl ] && mkdir /etc/postfix/sasl
+ cat >> /etc/postfix/sasl/smtpd.conf < /tmp/passwd
+ while IFS=':' read -r _user _pwd; do
+ echo $_pwd | saslpasswd2 -p -c $_user
+ done < /tmp/passwd
+
+ rm -f /tmp/passwd
+
+ chown postfix:postfix /etc/sasldb2
+ fi
+}
+
 postfix_setup_networks() {
 if [ ! -z "$MYNETWORKS" ]; then
 deprecated "${emphasis}MYNETWORKS${reset} variable is deprecated. Please use ${emphasis}POSTFIX_mynetworks${reset} instead."
@@ -352,7 +379,11 @@ postfix_setup_sender_domains() {
 echo
 postmap lmdb:$allowed_senders
- do_postconf -e "smtpd_recipient_restrictions=reject_non_fqdn_recipient, reject_unknown_recipient_domain, check_sender_access lmdb:$allowed_senders, reject"
+ if [ ! -z "$SMTPD_SASL_USERS" ]; then
+ smtpd_sasl="permit_sasl_authenticated,"
+ fi
+
+ do_postconf -e "smtpd_recipient_restrictions=reject_non_fqdn_recipient, reject_unknown_recipient_domain, check_sender_access lmdb:$allowed_senders, $smtpd_sasl reject"
 # Since we are behind closed doors, let's just permit all relays.
 do_postconf -e "smtpd_relay_restrictions=permit"
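Review bot: postfix_setup_smtpd_sasl_auth writes the whole SMTPD_SASL_USERS list to /tmp/passwd under the script's default umask and then hands each password to saslpasswd2 through an unquoted `echo $_pwd`, so the plaintext credentials sit at a fixed, potentially world-readable path for the duration of the loop, and any password containing spaces, glob characters or a leading `-n`/`-e` is altered before it is stored. The temp file is not needed: split the list in a pipeline straight into the loop and quote both expansions, as in the rewrite below (the split step between `smtpd.conf <` and `/tmp/passwd` is missing from this page, so it is assumed to be the comma-to-newline split that the README entry in commit 6 documents). saslpasswd2 without `-u` files the entry under the realm of the machine hostname, whereas Postfix looks sasldb users up under `smtpd_sasl_local_domain` (default `$myhostname`); if those differ inside the container every AUTH attempt fails, so `-u "$(postconf -h myhostname)"` is worth adding. `cat >> /etc/postfix/sasl/smtpd.conf` also re-appends its block on every container start, and `smtpd_sasl_auth_enable=yes` set in main.cf applies to every smtpd instance including port 25, so pairing it with `smtpd_tls_auth_only=yes` (unless main.cf already has it, which is not visible here) keeps PLAIN/LOGIN credentials off unencrypted sessions.
```shell
    # … unchanged: info, do_postconf calls and the smtpd.conf heredoc …
    printf '%s\n' "$SMTPD_SASL_USERS" | tr ',' '\n' |
      while IFS=':' read -r _user _pwd; do
        [ -n "$_user" ] || continue
        printf '%s\n' "$_pwd" | saslpasswd2 -p -c -u "$(postconf -h myhostname)" "$_user"
      done
    # … unchanged: chown of the sasldb file …
```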
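Review bot: `smtpd_sasl` in postfix_setup_sender_domains is never initialised, so when SMTPD_SASL_USERS is empty the restriction string is built from an unset variable (a stray double space that Postfix tolerates, but a fatal error should the script ever run under `set -u`, and a stale value if the function were called twice in one shell); `smtpd_sasl=""` before the `if` makes the intent explicit. Placing `permit_sasl_authenticated` after `check_sender_access lmdb:$allowed_senders` means that, assuming the map returns OK for the listed domains, an authenticated client may use any envelope sender while an unauthenticated one is still confined to the listed domains; if that is the intended policy, a one-line comment saying so would save the next reader from wondering whether the order was deliberate.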
@@ -579,4 +610,5 @@ unset_sensible_variables() {
 unset XOAUTH2_SECRET
 unset XOAUTH2_INITIAL_ACCESS_TOKEN
 unset XOAUTH2_INITIAL_REFRESH_TOKEN
+ unset SMTPD_SASL_USERS
 }
diff --git a/scripts/run.sh b/scripts/run.sh
index 0ba79d0..c4fc0f3 100755
--- a/scripts/run.sh
+++ b/scripts/run.sh
@@ -29,6 +29,7 @@ postfix_setup_sender_domains # Configure allowed sender domains
 postfix_setup_masquarading # Setup masquaraded domains
 postfix_setup_header_checks # Enable SMTP header checks, if defined
 postfix_setup_dkim # Configure DKIM, if enabled
+postfix_setup_smtpd_sasl_auth # Enable sender sasl auth, if defined
 postfix_custom_commands # Apply custom postfix settings
 opendkim_custom_commands # Apply custom OpenDKIM settings
 postfix_open_submission_port # Enable the submission port
From ae96fdc9f4638b00dc663b25130a43a411a15966 Mon Sep 17 00:00:00 2001
From: vcazsdk
Date: Mon, 29 Aug 2022 15:50:30 +0200
Subject: [PATCH 5/9] Fix stuck kubernetes pod shutdown
---
 helm/mail/templates/statefulset.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/helm/mail/templates/statefulset.yaml b/helm/mail/templates/statefulset.yaml
index a341d88..5073e8b 100644
--- a/helm/mail/templates/statefulset.yaml
+++ b/helm/mail/templates/statefulset.yaml
@@ -77,7 +77,7 @@ spec:
 command:
 - bash
 - -c
- - touch /tmp/container_is_terminating && while ! [[ "`mailq`" == *empty* ]]; do echo "Flushing queue..." && postfix flush; sleep 1; done
+ - touch /tmp/container_is_terminating && while ! [[ "`mailq`" == *empty* ]]; do echo "Flushing queue..." && postfix flush; sleep 1; done; killall5 -15 supervisord
 {{- if .Values.lifecycle.postStart }}
 postStart: {{- toYaml .Values.lifecycle.postStart | nindent 14 }}
 {{- end }}
From fcd5004092f0b63bc4fad19a001fb6f52b7d0c0f Mon Sep 17 00:00:00 2001
From: vcazsdk
Date: Mon, 29 Aug 2022 15:56:16 +0200
Subject: [PATCH 6/9] Add SMTPD_SASL_USERS option to README.md
---
 README.md | 1 +
 1 file changed, 1 insertion(+)
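Review bot: `killall5 -15 supervisord` in the preStop command does not target supervisord: killall5 takes a signal number and optional `-o pid` exclusions, never a process name, and signals every process outside its own session, so the trailing `supervisord` is at best ignored and every process in the container (postfix master, rsyslog, supervisord itself) most likely receives TERM at once instead of supervisord stopping its children in order. If supervisord is PID 1 in this image, `kill -TERM 1` (or `supervisorctl shutdown`) is the targeted form; whether it is PID 1 is not visible in this hunk. The queue-drain loop in front of it still has no upper bound, so a message that can never be delivered keeps the hook running until terminationGracePeriodSeconds expires; a bounded retry count would make that exit path explicit.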
diff --git a/README.md b/README.md
index 7507f8a..11ab006 100644
--- a/README.md
+++ b/README.md
@@ -170,6 +170,7 @@ To change the log format, set the (unsurprisingly named) variable `LOG_FORMAT=js
 * `XOAUTH2_SECRET` = OAuth2 secret used when configured as a relayhost.
 * `XOAUTH2_INITIAL_ACCESS_TOKEN` = Initial OAuth2 access token.
 * `XOAUTH2_INITIAL_REFRESH_TOKEN` = Initial OAuth2 refresh token.
+* `SMTPD_SASL_USERS` = Users allow to send mail (ex: user1:pass1,user2:pass2,...)
 * `MASQUERADED_DOMAINS` = domains where you want to masquerade internal hosts
 * `SMTP_HEADER_CHECKS`= Set to `1` to enable header checks of to a location of the file for header checks
 * `POSTFIX_myhostname` = Set the name of this postfix server
From 54522b1a9b84a35794adacfa9ec7054c7e9048cb Mon Sep 17 00:00:00 2001
From: vcazsdk
Date: Mon, 29 Aug 2022 18:05:55 +0200
Subject: [PATCH 7/9] Remove duplicate var
---
 .github/workflows/master.yml | 1 -
 Dockerfile | 1 -
 2 files changed, 2 deletions(-)
diff --git a/.github/workflows/master.yml b/.github/workflows/master.yml
index d0e5d0e..ca4cdea 100644
--- a/.github/workflows/master.yml
+++ b/.github/workflows/master.yml
@@ -128,7 +128,6 @@ jobs:
 cache-from: type=local,src=/tmp/.buildx-cache/ubuntu
 cache-to: type=local,dest=/tmp/.buildx-cache-new/ubuntu
 build-args: |
- BASE_IMAGE=ubuntu:impish
 BASE_IMAGE=ubuntu:focal
 - name: Move cache
diff --git a/Dockerfile b/Dockerfile
index 7977a83..da1d258 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -27,7 +27,6 @@ FROM base AS sasl
 ARG TARGETPLATFORM
 ARG SASL_XOAUTH2_REPO_URL=https://github.com/tarickb/sasl-xoauth2.git
-ARG SASL_XOAUTH2_GIT_REF=release-0.12
 ARG SASL_XOAUTH2_GIT_REF=release-0.14
 # --mount=type=cache,target=/var/cache/apk,sharing=locked,id=var-cache-apk-$TARGETPLATFORM \
From 9ed65af90ffa8046b2039e33f078c95bd3fcb6f5 Mon Sep 17 00:00:00 2001
From: vcazsdk
Date: Tue, 6 Sep 2022 21:45:23 +0200
Subject: [PATCH 8/9] Fix sasl-xoauth2 alpine build error: basename was not declared
---
 build-scripts/sasl-build.sh | 3 ++-
 build-scripts/sasl-xoauth2.diff | 10 ++++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)
 create mode 100644 build-scripts/sasl-xoauth2.diff
diff --git a/build-scripts/sasl-build.sh b/build-scripts/sasl-build.sh
index 433de95..6790984 100644
--- a/build-scripts/sasl-build.sh
+++ b/build-scripts/sasl-build.sh
@@ -7,6 +7,7 @@ do_build() {
 mkdir build
 cd build
 if [ -f /etc/alpine-release ]; then
+ patch -p1 -d .. < /build-scripts/sasl-xoauth2.diff
 cmake -DCMAKE_INSTALL_PREFIX=/ ..
 else
 cmake -DCMAKE_INSTALL_PREFIX=/usr ..
@@ -18,7 +19,7 @@ do_build() {
 }
 if [ -f /etc/alpine-release ]; then
- apk add --upgrade --virtual .build-deps git cmake clang make gcc g++ libc-dev pkgconfig curl-dev jsoncpp-dev cyrus-sasl-dev
+ apk add --upgrade --virtual .build-deps git cmake clang make gcc g++ libc-dev pkgconfig curl-dev jsoncpp-dev cyrus-sasl-dev patch
 do_build
 apk del .build-deps;
 else
diff --git a/build-scripts/sasl-xoauth2.diff b/build-scripts/sasl-xoauth2.diff
new file mode 100644
index 0000000..7f971f7
--- /dev/null
+++ b/build-scripts/sasl-xoauth2.diff
@@ -0,0 +1,10 @@
+--- a/src/test_config.cc 2022-09-06 21:21:10.600553457 +0200
++++ b/src/test_config.cc 2022-09-06 21:21:42.736614599 +0200
+@@ -1,6 +1,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #include "config.h"
+ #include "log.h"
From 492583b6846d4d9e8a6b524f495fdb6687576b44 Mon Sep 17 00:00:00 2001
From: vcazsdk
Date: Tue, 6 Sep 2022 22:28:11 +0200
Subject: [PATCH 9/9] Fix bad sasldb2 path with alpine image
---
 scripts/common-run.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/scripts/common-run.sh b/scripts/common-run.sh
index 80e19a8..ec5d33d 100755
--- a/scripts/common-run.sh
+++ b/scripts/common-run.sh
@@ -329,7 +329,8 @@ EOF
 rm -f /tmp/passwd
- chown postfix:postfix /etc/sasldb2
+ [ -f /etc/sasldb2 ] && chown postfix:postfix /etc/sasldb2
+ [ -f /etc/sasl2/sasldb2 ] && chown postfix:postfix /etc/sasl2/sasldb2
 fi
 }
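Review bot: Both new `[ -f … ] && chown` lines fall through silently when neither /etc/sasldb2 nor /etc/sasl2/sasldb2 exists, which is exactly the state left behind when saslpasswd2 failed earlier in postfix_setup_smtpd_sasl_auth (the function starts outside this hunk), so a missing database is only noticed at the first AUTH attempt; an explicit message through the script's logging helpers (`info` is visible in commit 4's hunk) when neither path is found would surface it at startup. The sasldb file holds the configured passwords in recoverable form, so tightening the mode together with the ownership, `chown postfix:postfix /etc/sasldb2 && chmod 600 /etc/sasldb2` (and the same for the /etc/sasl2 path), keeps other accounts in the container from reading them; smtpd runs as the owning user, so 600 does not break lookups.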