Update ubuntu and sasl_xoauth2 version and add SMPTD_SASL_USERS option

.github/workflows/master.yml

@@ -128,7 +128,7 @@ jobs:
           cache-from: type=local,src=/tmp/.buildx-cache/ubuntu
           cache-to: type=local,dest=/tmp/.buildx-cache-new/ubuntu
           build-args: |
-            BASE_IMAGE=ubuntu:impish
+            BASE_IMAGE=ubuntu:focal
 
       - name: Move cache
         run: |

Dockerfile

@@ -27,7 +27,7 @@ FROM base AS sasl
 
 ARG TARGETPLATFORM
 ARG SASL_XOAUTH2_REPO_URL=https://github.com/tarickb/sasl-xoauth2.git
-ARG SASL_XOAUTH2_GIT_REF=release-0.12
+ARG SASL_XOAUTH2_GIT_REF=release-0.14
 
 #           --mount=type=cache,target=/var/cache/apk,sharing=locked,id=var-cache-apk-$TARGETPLATFORM \
 #           --mount=type=cache,target=/etc/apk/cache,sharing=locked,id=etc-apk-cache-$TARGETPLATFORM \
@@ -48,6 +48,7 @@ COPY       /configs/supervisord.conf     /etc/supervisord.conf
 COPY       /configs/rsyslog*.conf        /etc/
 COPY       /configs/opendkim.conf        /etc/opendkim/opendkim.conf
 COPY       /configs/smtp_header_checks   /etc/postfix/smtp_header_checks
+COPY       /configs/master.cf            /etc/postfix/master.cf
 COPY       /scripts/*                    /scripts/
 
 RUN        chmod +x /scripts/*

README.md

@@ -170,6 +170,7 @@ To change the log format, set the (unsurprisingly named) variable `LOG_FORMAT=js
 * `XOAUTH2_SECRET` = OAuth2 secret used when configured as a relayhost.
 * `XOAUTH2_INITIAL_ACCESS_TOKEN` = Initial OAuth2 access token.
 * `XOAUTH2_INITIAL_REFRESH_TOKEN` = Initial OAuth2 refresh token.
+* `SMTPD_SASL_USERS` = Users allow to send mail (ex: user1:pass1,user2:pass2,...)
 * `MASQUERADED_DOMAINS` = domains where you want to masquerade internal hosts
 * `SMTP_HEADER_CHECKS`= Set to `1` to enable header checks of to a location of the file for header checks
 * `POSTFIX_myhostname` = Set the name of this postfix server

build-scripts/postfix-install.sh

@@ -17,7 +17,7 @@ do_ubuntu() {
     apt-get install -y libsasl2-modules
     apt-get install -y postfix
     apt-get install -y opendkim
-    apt-get install -y ca-certificates tzdata supervisor rsyslog bash opendkim-tools curl libcurl4 postfix-lmdb netcat
+    apt-get install -y ca-certificates tzdata supervisor rsyslog bash opendkim-tools curl libcurl4 libjsoncpp1 sasl2-bin postfix-lmdb netcat
 }
 
 if [ -f /etc/alpine-release ]; then

build-scripts/sasl-build.sh

@@ -6,19 +6,26 @@ do_build() {
     cd /sasl-xoauth2
     mkdir build
     cd build
-    cmake -DCMAKE_INSTALL_PREFIX=/ ..
+    if [ -f /etc/alpine-release ]; then
+        patch -p1 -d .. < /build-scripts/sasl-xoauth2.diff
+        cmake -DCMAKE_INSTALL_PREFIX=/ ..
+    else
+        cmake -DCMAKE_INSTALL_PREFIX=/usr ..
+    fi
     make
     make install
+    install ../scripts/postfix-sasl-xoauth2-update-ca-certs /etc/ca-certificates/update.d
+    update-ca-certificates
 }
 
 if [ -f /etc/alpine-release ]; then
-    apk add --upgrade --virtual .build-deps git cmake clang make gcc g++ libc-dev pkgconfig curl-dev jsoncpp-dev cyrus-sasl-dev
+    apk add --upgrade --virtual .build-deps git cmake clang make gcc g++ libc-dev pkgconfig curl-dev jsoncpp-dev cyrus-sasl-dev patch
     do_build
     apk del .build-deps;
 else
     . /etc/lsb-release
     apt-get update -y -qq
-    LIBS="git build-essential cmake pkg-config libcurl4 libcurl4-openssl-dev libssl-dev libjsoncpp-dev libsasl2-dev"
+    LIBS="git build-essential cmake pkg-config libcurl4-openssl-dev libssl-dev libjsoncpp-dev libsasl2-dev"
     apt-get install -y --no-install-recommends ${LIBS}
     do_build
     apt-get remove --purge -y ${LIBS}

build-scripts/sasl-xoauth2.diff

@@ -0,0 +1,10 @@
+--- a/src/test_config.cc	2022-09-06 21:21:10.600553457 +0200
++++ b/src/test_config.cc	2022-09-06 21:21:42.736614599 +0200
+@@ -1,6 +1,7 @@
+ #include <getopt.h>
+ #include <sasl/sasl.h>
+ #include <string.h>
++#include <libgen.h>
+
+ #include "config.h"
+ #include "log.h"

configs/master.cf

@@ -0,0 +1,127 @@
+#
+# Postfix master process configuration file.  For details on the format
+# of the file, see the master(5) manual page (command: "man 5 master" or
+# on-line: http://www.postfix.org/master.5.html).
+#
+# Do not forget to execute "postfix reload" after editing this file.
+#
+# ==========================================================================
+# service type  private unpriv  chroot  wakeup  maxproc command + args
+#               (yes)   (yes)   (no)    (never) (100)
+# ==========================================================================
+smtp      inet  n       -       n       -       -       smtpd
+#smtp      inet  n       -       n       -       1       postscreen
+#smtpd     pass  -       -       n       -       -       smtpd
+#dnsblog   unix  -       -       n       -       0       dnsblog
+#tlsproxy  unix  -       -       n       -       0       tlsproxy
+submission inet n       -       n       -       -       smtpd
+#  -o syslog_name=postfix/submission
+#  -o smtpd_tls_security_level=encrypt
+#  -o smtpd_sasl_auth_enable=yes
+#  -o smtpd_tls_auth_only=yes
+#  -o smtpd_reject_unlisted_recipient=no
+#  -o smtpd_client_restrictions=$mua_client_restrictions
+#  -o smtpd_helo_restrictions=$mua_helo_restrictions
+#  -o smtpd_sender_restrictions=$mua_sender_restrictions
+#  -o smtpd_recipient_restrictions=
+#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+#  -o milter_macro_daemon_name=ORIGINATING
+#smtps     inet  n       -       n       -       -       smtpd
+#  -o syslog_name=postfix/smtps
+#  -o smtpd_tls_wrappermode=yes
+#  -o smtpd_sasl_auth_enable=yes
+#  -o smtpd_reject_unlisted_recipient=no
+#  -o smtpd_client_restrictions=$mua_client_restrictions
+#  -o smtpd_helo_restrictions=$mua_helo_restrictions
+#  -o smtpd_sender_restrictions=$mua_sender_restrictions
+#  -o smtpd_recipient_restrictions=
+#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+#  -o milter_macro_daemon_name=ORIGINATING
+#628       inet  n       -       n       -       -       qmqpd
+pickup    unix  n       -       n       60      1       pickup
+cleanup   unix  n       -       n       -       0       cleanup
+qmgr      unix  n       -       n       300     1       qmgr
+#qmgr     unix  n       -       n       300     1       oqmgr
+tlsmgr    unix  -       -       n       1000?   1       tlsmgr
+rewrite   unix  -       -       n       -       -       trivial-rewrite
+bounce    unix  -       -       n       -       0       bounce
+defer     unix  -       -       n       -       0       bounce
+trace     unix  -       -       n       -       0       bounce
+verify    unix  -       -       n       -       1       verify
+flush     unix  n       -       n       1000?   0       flush
+proxymap  unix  -       -       n       -       -       proxymap
+proxywrite unix -       -       n       -       1       proxymap
+smtp      unix  -       -       n       -       -       smtp
+relay     unix  -       -       n       -       -       smtp
+        -o syslog_name=postfix/$service_name
+#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
+showq     unix  n       -       n       -       -       showq
+error     unix  -       -       n       -       -       error
+retry     unix  -       -       n       -       -       error
+discard   unix  -       -       n       -       -       discard
+local     unix  -       n       n       -       -       local
+virtual   unix  -       n       n       -       -       virtual
+lmtp      unix  -       -       n       -       -       lmtp
+anvil     unix  -       -       n       -       1       anvil
+scache    unix  -       -       n       -       1       scache
+postlog   unix-dgram n  -       n       -       1       postlogd
+#
+# ====================================================================
+# Interfaces to non-Postfix software. Be sure to examine the manual
+# pages of the non-Postfix software to find out what options it wants.
+#
+# Many of the following services use the Postfix pipe(8) delivery
+# agent.  See the pipe(8) man page for information about ${recipient}
+# and other message envelope options.
+# ====================================================================
+#
+# maildrop. See the Postfix MAILDROP_README file for details.
+# Also specify in main.cf: maildrop_destination_recipient_limit=1
+#
+maildrop  unix  -       n       n       -       -       pipe
+  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
+#
+# ====================================================================
+#
+# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
+#
+# Specify in cyrus.conf:
+#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
+#
+# Specify in main.cf one or more of the following:
+#  mailbox_transport = lmtp:inet:localhost
+#  virtual_transport = lmtp:inet:localhost
+#
+# ====================================================================
+#
+# Cyrus 2.1.5 (Amos Gouaux)
+# Also specify in main.cf: cyrus_destination_recipient_limit=1
+#
+#cyrus     unix  -       n       n       -       -       pipe
+#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
+#
+# ====================================================================
+# Old example of delivery via Cyrus.
+#
+#old-cyrus unix  -       n       n       -       -       pipe
+#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
+#
+# ====================================================================
+#
+# See the Postfix UUCP_README file for configuration details.
+#
+uucp      unix  -       n       n       -       -       pipe
+  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
+#
+# Other external delivery methods.
+#
+ifmail    unix  -       n       n       -       -       pipe
+  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
+bsmtp     unix  -       n       n       -       -       pipe
+  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
+scalemail-backend unix	-	n	n	-	2	pipe
+  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
+mailman   unix  -       n       n       -       -       pipe
+  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
+  ${nexthop} ${user}
+

helm/mail/templates/statefulset.yaml

@@ -77,7 +77,7 @@ spec:
                 command:
                   - bash
                   - -c
-                  - touch /tmp/container_is_terminating && while ! [[ "`mailq`" == *empty* ]]; do echo "Flushing queue..." && postfix flush; sleep 1; done
+                  - touch /tmp/container_is_terminating && while ! [[ "`mailq`" == *empty* ]]; do echo "Flushing queue..." && postfix flush; sleep 1; done; killall5 -15 supervisord
             {{- if .Values.lifecycle.postStart }}
             postStart: {{- toYaml .Values.lifecycle.postStart | nindent 14 }}
             {{- end }}

scripts/common-run.sh

@@ -306,6 +306,34 @@ postfix_setup_xoauth2_post_setup() {
 	fi
 }
 
+postfix_setup_smtpd_sasl_auth() {
+	if [ ! -z "$SMTPD_SASL_USERS" ]; then
+		info "Enable smtpd sasl auth."
+		do_postconf -e "smtpd_sasl_auth_enable=yes"
+		do_postconf -e "broken_sasl_auth_clients=yes"
+
+		[ ! -d /etc/postfix/sasl ] && mkdir /etc/postfix/sasl
+		cat >> /etc/postfix/sasl/smtpd.conf <<EOF
+pwcheck_method: auxprop
+auxprop_plugin: sasldb
+mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM
+EOF
+		[ ! -d /etc/sasl2 ] && mkdir /etc/sasl2
+		ln -s /etc/postfix/sasl/smtpd.conf /etc/sasl2/
+
+		# sasldb2
+		echo $SMTPD_SASL_USERS | tr , \\n > /tmp/passwd
+		while IFS=':' read -r _user _pwd; do
+			echo $_pwd | saslpasswd2 -p -c $_user
+		done < /tmp/passwd
+
+		rm -f /tmp/passwd
+
+		[ -f /etc/sasldb2 ] && chown postfix:postfix /etc/sasldb2
+		[ -f /etc/sasl2/sasldb2 ] && chown postfix:postfix /etc/sasl2/sasldb2
+	fi
+}
+
 postfix_setup_networks() {
 	if [ ! -z "$MYNETWORKS" ]; then
 		deprecated "${emphasis}MYNETWORKS${reset} variable is deprecated. Please use ${emphasis}POSTFIX_mynetworks${reset} instead."
@@ -352,7 +380,11 @@ postfix_setup_sender_domains() {
 		echo
 		postmap lmdb:$allowed_senders
 
-		do_postconf -e "smtpd_recipient_restrictions=reject_non_fqdn_recipient, reject_unknown_recipient_domain, check_sender_access lmdb:$allowed_senders, reject"
+		if [ ! -z "$SMTPD_SASL_USERS" ]; then
+			smtpd_sasl="permit_sasl_authenticated,"
+		fi
+
+		do_postconf -e "smtpd_recipient_restrictions=reject_non_fqdn_recipient, reject_unknown_recipient_domain, check_sender_access lmdb:$allowed_senders, $smtpd_sasl reject"
 
 		# Since we are behind closed doors, let's just permit all relays.
 		do_postconf -e "smtpd_relay_restrictions=permit"
@@ -579,4 +611,5 @@ unset_sensible_variables() {
 	unset XOAUTH2_SECRET
 	unset XOAUTH2_INITIAL_ACCESS_TOKEN
 	unset XOAUTH2_INITIAL_REFRESH_TOKEN
+	unset SMTPD_SASL_USERS
 }

scripts/run.sh

@@ -29,6 +29,7 @@ postfix_setup_sender_domains        # Configure allowed sender domains
 postfix_setup_masquarading          # Setup masquaraded domains
 postfix_setup_header_checks         # Enable SMTP header checks, if defined
 postfix_setup_dkim                  # Configure DKIM, if enabled
+postfix_setup_smtpd_sasl_auth       # Enable sender sasl auth, if defined
 postfix_custom_commands             # Apply custom postfix settings
 opendkim_custom_commands            # Apply custom OpenDKIM settings
 postfix_open_submission_port        # Enable the submission port