diff --git a/.install/bin/pdm-launch b/.install/bin/pdm-launch index 696689c..82d1ff0 100755 --- a/.install/bin/pdm-launch +++ b/.install/bin/pdm-launch @@ -9,33 +9,36 @@ badarg() { exit 2 } -help="Usage: $(basename $0) [-fch] [-l label] [-e options] image [container] +help="Usage: $(basename $0) [-fcdh] [-l label] [-e options] image [container] Create and start a container from a local image, and assign it the given name. If second argument is omitted, defaults to assigning the container the same name as the image. Options: - -f Force overwrite if a container with the given name already exists -c Configure the container with deploy options stored in the image metadata. By default, uses the metadata tag labeled 'config_default' - -l [label] Label from which to get the deploy options. Automatically sets -c + -d Dry-run -e [options] Extra deploy options to assign to the container. If -e and -c are both used, options from image metadata and command line are combined + -f Force overwrite if a container with the given name already exists + -l [label] Label from which to get the deploy options. Automatically sets -c -h Display this help and exit" # Handle options opt_force=0 +opt_dryrun=0 opt_config=0 opt_label='config_default' opt_extras='' -while getopts ':fcl:e:h' arg; do +while getopts ':fcdl:e:h' arg; do case $arg in - f) opt_force=1;; c) opt_config=1;; - l) opt_config=1; opt_label="${OPTARG}";; + d) opt_dryrun=1;; e) opt_extras="${OPTARG}";; + f) opt_force=1;; h) echo "$help"; exit 0;; + l) opt_config=1; opt_label="${OPTARG}";; :) badarg "Argument missing for option '-$OPTARG'";; ?) badarg "Invalid option '-$OPTARG'";; esac @@ -76,5 +79,9 @@ if [[ $opt_force -eq 1 ]]; then podman rm -i -f "$container" fi -podman run -itd --name "$container" --hostname "$container" $deployconf "$image" -echo "Done!" +if [[ $opt_dryrun -eq 1 ]]; then + echo podman run -itd --name "$container" --hostname "$container" $deployconf "$image" +else + podman run -itd --name "$container" --hostname "$container" $deployconf "$image" +fi + diff --git a/mailsrv/Containerfile b/mailsrv/Containerfile index 49ba0d1..1c68c45 100644 --- a/mailsrv/Containerfile +++ b/mailsrv/Containerfile @@ -29,7 +29,7 @@ ARG FILESUID=5000 ARG DEBIAN_FRONTEND=noninteractive # install packages we want -RUN apt update -y && apt install -y rsyslog postfix dovecot-imapd dovecot-lmtpd dovecot-sieve cron +RUN apt update -y && apt install -y rsyslog postfix dovecot-imapd dovecot-lmtpd dovecot-sieve cron postfix-policyd-spf-python # add virtual mail user RUN addgroup --gid ${FILESUID:?} vmail && \ @@ -64,6 +64,10 @@ RUN systemctl enable mkvirtual.service # copy postfix config COPY assets/postfix /etc/postfix +# replace SPF server config file with symlink to the config file in the postfix dir +RUN rm /etc/postfix-policyd-spf-python/policyd-spf.conf && \ + ln -s /etc/postfix/policyd-spf.conf /etc/postfix-policyd-spf-python/policyd-spf.conf + ### ### Dovecot ### diff --git a/mailsrv/assets/postfix/main.cf.part b/mailsrv/assets/postfix/main.cf.part index 4648cc4..8821ee5 100644 --- a/mailsrv/assets/postfix/main.cf.part +++ b/mailsrv/assets/postfix/main.cf.part @@ -74,15 +74,16 @@ smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/deny, pe smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, - reject_unknown_client_hostname, # weaker version of reject_unknown_client_hostname -# the strong version may cause problems with some legitimate senders (eg, Verizon) -# reject_unknown_reverse_client_hostname, +# the strong version may cause problems with some legitimate senders + reject_unknown_reverse_client_hostname, +# check if sender meets SPF policy for its domain + check_policy_service unix:private/policy-spf, # reject clients from lists of known spammers -# reject_rbl_client zen.spamhaus.org, -# reject_rhsbl_reverse_client dbl.spamhaus.org, -# reject_rhsbl_helo dbl.spamhaus.org, -# reject_rhsbl_sender dbl.spamhaus.org, + reject_rbl_client zen.spamhaus.org, + reject_rhsbl_reverse_client dbl.spamhaus.org, + reject_rhsbl_helo dbl.spamhaus.org, + reject_rhsbl_sender dbl.spamhaus.org, permit ### Misc ### @@ -94,3 +95,5 @@ biff = no compatibility_level = 2 # maximum size allowed for sent messages, in bytes message_size_limit = 102400000 +# longer timeout for SPF policy server +policy-spf_time_limit = 3600s diff --git a/mailsrv/assets/postfix/master.cf b/mailsrv/assets/postfix/master.cf index a95bb63..851b9c9 100644 --- a/mailsrv/assets/postfix/master.cf +++ b/mailsrv/assets/postfix/master.cf @@ -57,3 +57,5 @@ postlog unix-dgram n - n - 1 postlogd # dovecot unix - n n - - pipe flags=DROhu user=vmail:vmail argv=/usr/lib/dovecot/dovecot-lda -f ${sender} -d ${user}@${nexthop} +policy-spf unix - n n - - spawn + user=nobody argv=/usr/bin/policyd-spf diff --git a/mailsrv/assets/postfix/policyd-spf.conf b/mailsrv/assets/postfix/policyd-spf.conf new file mode 100644 index 0000000..c908fe3 --- /dev/null +++ b/mailsrv/assets/postfix/policyd-spf.conf @@ -0,0 +1,138 @@ +# Amount of debugging information logged. 0 logs no debugging messages +# 5 includes all debug messages. +debugLevel = 1 + +# If set to 0, no messages are rejected by SPF. This allows you to see the +# potential impact of SPF checking in your mail logs without rejecting mail. +TestOnly = 1 + +# Reject and deferred reason +#Reason_Message = Message {rejectdefer} due to: {spf}. Please see {url} + +# HELO check rejection policy. Options are: +# HELO_reject = SPF_Not_Pass (default) - Reject if result not Pass/None/Tempfail. +# HELO_reject = Softfail - Reject if result Softfail and Fail +# HELO_reject = Fail - Reject on HELO Fail +# HELO_reject = Null - Only reject HELO Fail for Null sender (SPF Classic) +# HELO_reject = False - Never reject/defer on HELO, append header only. +# HELO_reject = No_Check - Never check HELO. +HELO_reject = Fail + +# HELO pass restriction policy. +# HELO_pass_restriction = helo_passed_spf - Apply the given restriction when +# the HELO checking result is Pass. The given restriction must be an +# action as defined for a Postfix SMTP server access table access(5). +#HELO_pass_restriction + +# Mail From rejection policy. Options are: +# Mail_From_reject = SPF_Not_Pass - Reject if result not Pass/None/Tempfail. +# Mail_From_reject = Softfail - Reject if result Softfail and Fail +# Mail_From_reject = Fail - Reject on Mail From Fail (default) +# Mail_From_reject = False - Never reject/defer on Mail From, append header only +# Mail_From_reject = No_Check - Never check Mail From/Return Path. +Mail_From_reject = Fail + +# Reject only from domains that send no mail. Options are: +# No_Mail = False - Normal SPF record processing (default) +# No_Mail = True - Only reject for "v=spf1 -all" records + +# Mail From pass restriction policy. +# Mail_From_pass_restriction = mfrom_passed_spf - Apply the given +# restriction when the Mail From checking result is Pass. The given +# restriction must be an action as defined for a Postfix SMTP server +# access table access(5). +#Mail_From_pass_restriction + +# Reject mail for Netural/Softfail results for these domains. +# Recevier policy option to reject mail from certain domains when SPF is not +# Pass/None even if their SPF record does not produce a Fail result. This +# Option does not change the effect of PermError_reject or TempError_Defer +#Reject_Not_Pass_Domains = aol.com,hotmail.com + +# Policy for rejecting due to SPF PermError. Options are: +# PermError_reject = True +# PermError_reject = False +PermError_reject = False + +# Policy for deferring messages due to SPF TempError. Options are: +# TempError_Defer = True +# TempError_Defer = False +TempError_Defer = False + +# Prospective SPF checking - Check to see if mail sent from the defined IP +# address would pass. +# Prospective = 192.168.0.4 + +# Do not check SPF for localhost addresses - add to skip addresses to +# skip SPF for internal networks if desired. Defaults are standard IPv4 and +# IPv6 localhost addresses. +skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1 + +# Whitelist: CIDR Notation list of IP addresses not to check SPF for. +# Example (default is no whitelist): +# Whitelist = 192.168.0.0/31,192.168.1.12 + +# SPF HELO WHITELIST: HELO/EHLO host names to skip SPF checks for. +# Example (default is no HELO_Whitelist): +# HELO_Whitelist = relay.example.com,sender.example.org + +# Domain_Whitelist: List of domains whose sending IPs (defined by passing +# their SPF check should be whitelisted from SPF. +# Example (default is no domain whitelist): +# Domain_Whitelist = pobox.com,trustedforwarder.org + +# Domain_Whitelist_PTR: List of domains to whitelist against SPF checks base +# on PTR match. +# Example (default is no PTR whitelist) +# Domain_Whitelist_PTR = yahoo.com + +# SPF ENHANCED STATUS CODES: Override Postfix enhanced status codes to use the +# RFC 7372 codes. Disable by setting this option to "No". +# SPF_Enhanced_Status_Codes = No + +# Type of header to insert to document SPF result. Can be Received-SPF (SPF) +# or Authentication Results (AR). It cannot be both. +# Examples: (default is Received-SPF): +# Header_Type = AR +# Header_Type = SPF + +# In order to avoid disclosing BCC recipients in SPF header fields, +# Hide_Receiver is set to Yes by default in the interest of maximizing +# privacy. This setting will replace the actual recipient with both +# in header fields and SMTP responses. The latter may make it more difficult +# for senders to troubleshoot issues with their SPF deployments. +#Hide_Receiver = No +Hide_Receiver = Yes + +# Every Authentication-Results header field has an authentication identifier +# field ('Authserv_Id'). This is similar in syntax to a fully-qualified domain +# name. See policyd-spf.conf.5 and RFC 7001 paragraph 2.4 for details. +# Default is HOSTNAME (as provided by socket.gethostname). Authserv-Id must +# be provided if Header_Type 'AR' is used. +# Authserv_Id = mx.example.com +Authserv_Id = HEADER + +# RFC 7208 recommends an elapsed time limit for SPF checks of at least 20 +# seconds. Lookup_Time allows the maximum time (seconds) to be adjusted. 20 +# seconds is the default. +# Lookup_Time = 20 + +# Some of the available whitelisting mechanisms, i.e. Domain_Whitelist, +# Domain_Whitelist_PTR, and HELO_Whitelist, require specific non-SPF DNS +# lookups to determine if a connection should be white listed from SPF checks. +# The maximum amount of time (in seconds) allocated for each of these checks, +# when used (none are enabled by default), is controlled by the +# Whitelist_Lookup_Time parameter. It defaults to 10 seconds and is applied +# independently to each whitelisting method in use. +# Whitelist_Lookup_Time = 10 + +# RFC 7208 adds a new processing limit called "void lookup limit" (See section +# 4.6.4). Default is 2, but it can be adjusted. +# Void_Limit = 2 + +# In some versions of postfix, for bizarre Sendmail compatibility reasons, the +# first header field added by a policy server is not visible to milters. To +# make this easy to work around, set the Mock value to true and a fixed header +# field will be inserted so the actual SPF check will be the second field and +# visible to milters such as DMARC milter. +# Mock = False diff --git a/nextcloud/Containerfile b/nextcloud/Containerfile index 1d042f5..8b67b2f 100644 --- a/nextcloud/Containerfile +++ b/nextcloud/Containerfile @@ -47,6 +47,29 @@ RUN mkdir -p /vol/data /vol/files COPY --chown=www-data:www-data data/ /vol/data/ +### +### Nextcloud +### + +# download nextcloud +RUN cd /var/www/html && \ + wget --progress=dot:giga https://download.nextcloud.com/server/releases/latest.zip && \ + echo "Unzipping..." && \ + unzip -q latest.zip && \ + chown -R www-data:www-data nextcloud && \ + rm latest.zip + +# create data dir for nextcloud +RUN mkdir -p /vol/files && \ + chown -R www-data:www-data /vol/files + +# copy nextcloud config +COPY --chown=www-data:www-data assets/config/ nextcloud/config/ +# make link to host config & secret config +RUN cd nextcloud/config && \ + ln -s /vol/data/host.config.php && \ + ln -s /vol/data/secret.config.php + ### ### PHP ### @@ -65,12 +88,12 @@ RUN mv php/php.ini /etc/php/${PHPV:?}/fpm/ && \ ### # configure PostgreSQL -COPY --chown=postgres:postgres assets/postgresql postgresql/ +COPY --chown=postgres:postgres assets/postgresql/ postgresql/ # If the posgresql.conf file contains multiple entries for the same parameter, all but the last one is ignored. # So we can just append our settings to the already-existing postgresql.conf file. RUN mv postgresql/pg_hba.conf /etc/postgresql/${PSQLV:?}/main/ && \ cat postgresql/postgresql.conf >> /etc/postgresql/${PSQLV:?}/main/postgresql.conf && \ - rm -r postgresql + rm -rf postgresql ### ### Apache @@ -94,29 +117,6 @@ COPY --chown=redis:redis assets/redis.conf /etc/redis/redis.conf # add www-data to redis group so it can use the socket RUN usermod -a -G redis www-data -### -### Nextcloud -### - -# download nextcloud -WORKDIR /var/www/html -RUN wget --progress=dot:giga https://download.nextcloud.com/server/releases/latest.zip && \ - echo "Unzipping ..." && \ - unzip -q latest.zip && \ - chown -R www-data:www-data nextcloud && \ - rm latest.zip - -# create data dir for nextcloud -RUN mkdir -p /vol/files && \ - chown -R www-data:www-data /vol/files - -# copy nextcloud config -COPY --chown=www-data:www-data assets/config/ nextcloud/config/ -# make link to host config & secret config -RUN cd nextcloud/config && \ - ln -s /vol/data/host.config.php && \ - ln -s /vol/data/secret.config.php - ### ### Timers/Services ### @@ -140,7 +140,6 @@ COPY assets/bugfix/redis-server.service /etc/systemd/system/redis-server.service COPY assets/bugfix/apache2.override /etc/systemd/system/apache2.service.d/override.conf - ### ### Workdir ###