mailcow/data/Dockerfiles/postfix/postfix.sh

#!/bin/bash

trap "postfix stop" EXIT

[[ ! -d /opt/postfix/conf/sql/ ]] && mkdir -p /opt/postfix/conf/sql/

# Wait for MySQL to warm-up
while ! mysqladmin status --socket=/var/run/mysqld/mysqld.sock -u${DBUSER} -p${DBPASS} --silent; do
  echo "Waiting for database to come up..."
  sleep 2
done

until dig +short mailcow.email > /dev/null; do
  echo "Waiting for DNS..."
  sleep 1
done

cat <<EOF > /etc/aliases
# Autogenerated by mailcow
null: /dev/null
watchdog: /dev/null
ham: "|/usr/local/bin/rspamd-pipe-ham"
spam: "|/usr/local/bin/rspamd-pipe-spam"
EOF
newaliases;

# create sni configuration
if [[ "${SKIP_LETS_ENCRYPT}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
  echo -n "" > /opt/postfix/conf/sni.map
else
  echo -n "" > /opt/postfix/conf/sni.map;
  for cert_dir in /etc/ssl/mail/*/ ; do
    if [[ ! -f ${cert_dir}domains ]] || [[ ! -f ${cert_dir}cert.pem ]] || [[ ! -f ${cert_dir}key.pem ]]; then
      continue;
    fi
    IFS=" " read -r -a domains <<< "$(cat "${cert_dir}domains")"
    for domain in "${domains[@]}"; do
      echo -n "${domain} ${cert_dir}key.pem ${cert_dir}cert.pem" >> /opt/postfix/conf/sni.map;
      echo "" >> /opt/postfix/conf/sni.map;
    done
  done
fi
postmap -F hash:/opt/postfix/conf/sni.map;

cat <<EOF > /opt/postfix/conf/sql/mysql_relay_ne.cf
# Autogenerated by mailcow
user = ${DBUSER}
password = ${DBPASS}
hosts = unix:/var/run/mysqld/mysqld.sock
dbname = ${DBNAME}
query = SELECT IF(EXISTS(SELECT address, domain FROM alias
      WHERE address = '%s'
        AND domain IN (
          SELECT domain FROM domain
            WHERE backupmx = '1'
              AND relay_all_recipients = '1'
              AND relay_unknown_only = '1')

      ), 'lmtp:inet:dovecot:24', NULL) AS 'transport'
EOF

cat <<EOF > /opt/postfix/conf/sql/mysql_relay_recipient_maps.cf
# Autogenerated by mailcow
user = ${DBUSER}
password = ${DBPASS}
hosts = unix:/var/run/mysqld/mysqld.sock
dbname = ${DBNAME}
query = SELECT DISTINCT
  CASE WHEN '%d' IN (
    SELECT domain FROM domain
      WHERE relay_all_recipients=1
        AND domain='%d'
        AND backupmx=1
  )
  THEN '%s' ELSE (
    SELECT goto FROM alias WHERE address='%s' AND active='1'
  )
  END AS result;
EOF

cat <<EOF > /opt/postfix/conf/sql/mysql_tls_policy_override_maps.cf
# Autogenerated by mailcow
user = ${DBUSER}
password = ${DBPASS}
hosts = unix:/var/run/mysqld/mysqld.sock
dbname = ${DBNAME}
query = SELECT CONCAT(policy, ' ', parameters) AS tls_policy FROM tls_policy_override WHERE active = '1' AND dest = '%s'
EOF

cat <<EOF > /opt/postfix/conf/sql/mysql_tls_enforce_in_policy.cf
# Autogenerated by mailcow
user = ${DBUSER}
password = ${DBPASS}
hosts = unix:/var/run/mysqld/mysqld.sock
dbname = ${DBNAME}
query = SELECT IF(EXISTS(
  SELECT 'TLS_ACTIVE' FROM alias
    LEFT OUTER JOIN mailbox ON mailbox.username = alias.goto
      WHERE (address='%s'
        OR address IN (
          SELECT CONCAT('%u', '@', target_domain) FROM alias_domain
            WHERE alias_domain='%d'
        )
      ) AND JSON_UNQUOTE(JSON_VALUE(attributes, '$.tls_enforce_in')) = '1' AND mailbox.active = '1'
  ), 'reject_plaintext_session', NULL) AS 'tls_enforce_in';
EOF

cat <<EOF > /opt/postfix/conf/sql/mysql_sender_dependent_default_transport_maps.cf
# Autogenerated by mailcow
user = ${DBUSER}
password = ${DBPASS}
hosts = unix:/var/run/mysqld/mysqld.sock
dbname = ${DBNAME}
query = SELECT GROUP_CONCAT(transport SEPARATOR '') AS transport_maps
  FROM (
    SELECT IF(EXISTS(SELECT 'smtp_type' FROM alias
      LEFT OUTER JOIN mailbox ON mailbox.username = alias.goto
        WHERE (address = '%s'
          OR address IN (
            SELECT CONCAT('%u', '@', target_domain) FROM alias_domain
              WHERE alias_domain = '%d'
          )
        )
        AND JSON_UNQUOTE(JSON_VALUE(attributes, '$.tls_enforce_out')) = '1'
        AND mailbox.active = '1'
    ), 'smtp_enforced_tls:', 'smtp:') AS 'transport'
    UNION ALL
    SELECT COALESCE(
      (SELECT hostname FROM relayhosts
      LEFT OUTER JOIN mailbox ON JSON_UNQUOTE(JSON_VALUE(mailbox.attributes, '$.relayhost')) = relayhosts.id
        WHERE relayhosts.active = '1'
          AND (
            mailbox.username IN (SELECT alias.goto from alias
              JOIN mailbox ON mailbox.username = alias.goto
                WHERE alias.active = '1'
                  AND alias.address = '%s'
                  AND alias.address NOT LIKE '@%%'
            )
          )
      ),
      (SELECT hostname FROM relayhosts
      LEFT OUTER JOIN domain ON domain.relayhost = relayhosts.id
        WHERE relayhosts.active = '1'
          AND (domain.domain = '%d'
            OR domain.domain IN (
              SELECT target_domain FROM alias_domain
                WHERE alias_domain = '%d'
            )
          )
      )
    )
  ) AS transport_view;
EOF

cat <<EOF > /opt/postfix/conf/sql/mysql_transport_maps.cf
# Autogenerated by mailcow
user = ${DBUSER}
password = ${DBPASS}
hosts = unix:/var/run/mysqld/mysqld.sock
dbname = ${DBNAME}
query = SELECT CONCAT('smtp_via_transport_maps:', nexthop) AS transport FROM transports
  WHERE active = '1'
  AND destination = '%s';
EOF

cat <<EOF > /opt/postfix/conf/sql/mysql_virtual_resource_maps.cf
# Autogenerated by mailcow
user = ${DBUSER}
password = ${DBPASS}
hosts = unix:/var/run/mysqld/mysqld.sock
dbname = ${DBNAME}
query = SELECT 'null@localhost' FROM mailbox
  WHERE kind REGEXP 'location|thing|group' AND username = '%s';
EOF

cat <<EOF > /opt/postfix/conf/sql/mysql_sasl_passwd_maps_sender_dependent.cf
# Autogenerated by mailcow
user = ${DBUSER}
password = ${DBPASS}
hosts = unix:/var/run/mysqld/mysqld.sock
dbname = ${DBNAME}
query = SELECT CONCAT_WS(':', username, password) AS auth_data FROM relayhosts
  WHERE id IN (
    SELECT COALESCE(
      (SELECT id FROM relayhosts
      LEFT OUTER JOIN domain ON domain.relayhost = relayhosts.id
      WHERE relayhosts.active = '1'
        AND (domain.domain = '%d'
          OR domain.domain IN (
            SELECT target_domain FROM alias_domain
            WHERE alias_domain = '%d'
          )
        )
      ),
      (SELECT id FROM relayhosts
      LEFT OUTER JOIN mailbox ON JSON_UNQUOTE(JSON_VALUE(mailbox.attributes, '$.relayhost')) = relayhosts.id
      WHERE relayhosts.active = '1'
        AND (
          mailbox.username IN (
            SELECT alias.goto from alias
              JOIN mailbox ON mailbox.username = alias.goto
                WHERE alias.active = '1'
                  AND alias.address = '%s'
                  AND alias.address NOT LIKE '@%%'
          )
        )
      )
    )
  )
  AND active = '1'
  AND username != '';
EOF

cat <<EOF > /opt/postfix/conf/sql/mysql_sasl_passwd_maps_transport_maps.cf
# Autogenerated by mailcow
user = ${DBUSER}
password = ${DBPASS}
hosts = unix:/var/run/mysqld/mysqld.sock
dbname = ${DBNAME}
query = SELECT CONCAT_WS(':', username, password) AS auth_data FROM transports
  WHERE nexthop = '%s'
  AND active = '1'
  AND username != ''
  LIMIT 1;
EOF

cat <<EOF > /opt/postfix/conf/sql/mysql_virtual_alias_domain_maps.cf
# Autogenerated by mailcow
user = ${DBUSER}
password = ${DBPASS}
hosts = unix:/var/run/mysqld/mysqld.sock
dbname = ${DBNAME}
query = SELECT username FROM mailbox, alias_domain
  WHERE alias_domain.alias_domain = '%d'
    AND mailbox.username = CONCAT('%u', '@', alias_domain.target_domain)
    AND (mailbox.active = '1' OR mailbox.active = '2')
    AND alias_domain.active='1'
EOF

cat <<EOF > /opt/postfix/conf/sql/mysql_virtual_alias_maps.cf
# Autogenerated by mailcow
user = ${DBUSER}
password = ${DBPASS}
hosts = unix:/var/run/mysqld/mysqld.sock
dbname = ${DBNAME}
query = SELECT goto FROM alias
  WHERE address='%s'
    AND (active='1' OR active='2');
EOF

cat <<EOF > /opt/postfix/conf/sql/mysql_recipient_bcc_maps.cf
# Autogenerated by mailcow
user = ${DBUSER}
password = ${DBPASS}
hosts = unix:/var/run/mysqld/mysqld.sock
dbname = ${DBNAME}
query = SELECT bcc_dest FROM bcc_maps
  WHERE local_dest='%s'
    AND type='rcpt'
    AND active='1';
EOF

cat <<EOF > /opt/postfix/conf/sql/mysql_sender_bcc_maps.cf
# Autogenerated by mailcow
user = ${DBUSER}
password = ${DBPASS}
hosts = unix:/var/run/mysqld/mysqld.sock
dbname = ${DBNAME}
query = SELECT bcc_dest FROM bcc_maps
  WHERE local_dest='%s'
    AND type='sender'
    AND active='1';
EOF

cat <<EOF > /opt/postfix/conf/sql/mysql_recipient_canonical_maps.cf
# Autogenerated by mailcow
user = ${DBUSER}
password = ${DBPASS}
hosts = unix:/var/run/mysqld/mysqld.sock
dbname = ${DBNAME}
query = SELECT new_dest FROM recipient_maps
  WHERE old_dest='%s'
    AND active='1';
EOF

cat <<EOF > /opt/postfix/conf/sql/mysql_virtual_domains_maps.cf
# Autogenerated by mailcow
user = ${DBUSER}
password = ${DBPASS}
hosts = unix:/var/run/mysqld/mysqld.sock
dbname = ${DBNAME}
query = SELECT alias_domain from alias_domain WHERE alias_domain='%s' AND active='1'
  UNION
  SELECT domain FROM domain
    WHERE domain='%s'
      AND active = '1'
      AND backupmx = '0'
EOF

cat <<EOF > /opt/postfix/conf/sql/mysql_virtual_mailbox_maps.cf
# Autogenerated by mailcow
user = ${DBUSER}
password = ${DBPASS}
hosts = unix:/var/run/mysqld/mysqld.sock
dbname = ${DBNAME}
query = SELECT CONCAT(JSON_UNQUOTE(JSON_VALUE(attributes, '$.mailbox_format')), mailbox_path_prefix, '%d/%u/') FROM mailbox WHERE username='%s' AND (active = '1' OR active = '2')
EOF

cat <<EOF > /opt/postfix/conf/sql/mysql_virtual_relay_domain_maps.cf
# Autogenerated by mailcow
user = ${DBUSER}
password = ${DBPASS}
hosts = unix:/var/run/mysqld/mysqld.sock
dbname = ${DBNAME}
query = SELECT domain FROM domain WHERE domain='%s' AND backupmx = '1' AND active = '1'
EOF

cat <<EOF > /opt/postfix/conf/sql/mysql_virtual_sender_acl.cf
# Autogenerated by mailcow
user = ${DBUSER}
password = ${DBPASS}
hosts = unix:/var/run/mysqld/mysqld.sock
dbname = ${DBNAME}
# First select queries domain and alias_domain to determine if domains are active.
query = SELECT goto FROM alias
  WHERE id IN (
      SELECT COALESCE (
        (
          SELECT id FROM alias
            WHERE address='%s'
            AND (active='1' OR active='2')
        ), (
          SELECT id FROM alias
            WHERE address='@%d'
            AND (active='1' OR active='2')
        )
      )
    )
    AND active='1'
    AND (domain IN
      (SELECT domain FROM domain
        WHERE domain='%d'
          AND active='1')
      OR domain in (
        SELECT alias_domain FROM alias_domain
          WHERE alias_domain='%d'
            AND active='1'
      )
    )
  UNION
  SELECT logged_in_as FROM sender_acl
    WHERE send_as='@%d'
      OR send_as='%s'
      OR send_as='*'
      OR send_as IN (
        SELECT CONCAT('@',target_domain) FROM alias_domain
          WHERE alias_domain = '%d')
      OR send_as IN (
        SELECT CONCAT('%u','@',target_domain) FROM alias_domain
          WHERE alias_domain = '%d')
      AND logged_in_as NOT IN (
        SELECT goto FROM alias
          WHERE address='%s')
  UNION
  SELECT username FROM mailbox, alias_domain
    WHERE alias_domain.alias_domain = '%d'
      AND mailbox.username = CONCAT('%u','@',alias_domain.target_domain)
      AND (mailbox.active = '1' OR mailbox.active ='2')
      AND alias_domain.active='1';
EOF

# MX based routing
cat <<EOF > /opt/postfix/conf/sql/mysql_mbr_access_maps.cf
# Autogenerated by mailcow
user = ${DBUSER}
password = ${DBPASS}
hosts = unix:/var/run/mysqld/mysqld.sock
dbname = ${DBNAME}
query = SELECT CONCAT('FILTER smtp_via_transport_maps:', nexthop) as transport FROM transports
  WHERE '%s' REGEXP destination
    AND active='1'
    AND is_mx_based='1';
EOF

cat <<EOF > /opt/postfix/conf/sql/mysql_virtual_spamalias_maps.cf
# Autogenerated by mailcow
user = ${DBUSER}
password = ${DBPASS}
hosts = unix:/var/run/mysqld/mysqld.sock
dbname = ${DBNAME}
query = SELECT goto FROM spamalias
  WHERE address='%s'
    AND validity >= UNIX_TIMESTAMP()
EOF

if [ ! -f /opt/postfix/conf/dns_blocklists.cf ]; then
  cat <<EOF > /opt/postfix/conf/dns_blocklists.cf
# This file can be edited. 
# Delete this file and restart postfix container to revert any changes.
postscreen_dnsbl_sites = wl.mailspike.net=127.0.0.[18;19;20]*-2
  hostkarma.junkemailfilter.com=127.0.0.1*-2
  list.dnswl.org=127.0.[0..255].0*-2
  list.dnswl.org=127.0.[0..255].1*-4
  list.dnswl.org=127.0.[0..255].2*-6
  list.dnswl.org=127.0.[0..255].3*-8
  ix.dnsbl.manitu.net*2
  bl.spamcop.net*2
  bl.suomispam.net*2
  hostkarma.junkemailfilter.com=127.0.0.2*3
  hostkarma.junkemailfilter.com=127.0.0.4*2
  hostkarma.junkemailfilter.com=127.0.1.2*1
  backscatter.spameatingmonkey.net*2
  bl.ipv6.spameatingmonkey.net*2
  bl.spameatingmonkey.net*2
  b.barracudacentral.org=127.0.0.2*7
  bl.mailspike.net=127.0.0.2*5
  bl.mailspike.net=127.0.0.[10;11;12]*4
  dnsbl.sorbs.net=127.0.0.10*8
  dnsbl.sorbs.net=127.0.0.5*6
  dnsbl.sorbs.net=127.0.0.7*3
  dnsbl.sorbs.net=127.0.0.8*2
  dnsbl.sorbs.net=127.0.0.6*2
  dnsbl.sorbs.net=127.0.0.9*2
EOF
fi
DNSBL_CONFIG=$(grep -v '^#' /opt/postfix/conf/dns_blocklists.cf | grep '\S')

if [ ! -z "$DNSBL_CONFIG" ]; then
  echo -e "\e[33mChecking if ASN for your IP is listed for Spamhaus Bad ASN List...\e[0m"
  if [ -n "$SPAMHAUS_DQS_KEY" ]; then
    echo -e "\e[32mDetected SPAMHAUS_DQS_KEY variable from mailcow.conf...\e[0m"
    echo -e "\e[33mUsing DQS Blocklists from Spamhaus!\e[0m"
    SPAMHAUS_DNSBL_CONFIG=$(cat <<EOF
  ${SPAMHAUS_DQS_KEY}.zen.dq.spamhaus.net=127.0.0.[4..7]*6
  ${SPAMHAUS_DQS_KEY}.zen.dq.spamhaus.net=127.0.0.[10;11]*8
  ${SPAMHAUS_DQS_KEY}.zen.dq.spamhaus.net=127.0.0.3*4
  ${SPAMHAUS_DQS_KEY}.zen.dq.spamhaus.net=127.0.0.2*3
postscreen_dnsbl_reply_map = texthash:/opt/postfix/conf/dnsbl_reply.map
EOF

  cat <<EOF > /opt/postfix/conf/dnsbl_reply.map
# Autogenerated by mailcow, using Spamhaus DQS reply domains
${SPAMHAUS_DQS_KEY}.sbl.dq.spamhaus.net     sbl.spamhaus.org
${SPAMHAUS_DQS_KEY}.xbl.dq.spamhaus.net     xbl.spamhaus.org
${SPAMHAUS_DQS_KEY}.pbl.dq.spamhaus.net     pbl.spamhaus.org
${SPAMHAUS_DQS_KEY}.zen.dq.spamhaus.net     zen.spamhaus.org
${SPAMHAUS_DQS_KEY}.dbl.dq.spamhaus.net     dbl.spamhaus.org
${SPAMHAUS_DQS_KEY}.zrd.dq.spamhaus.net     zrd.spamhaus.org
EOF
    )
  else
    if [ -f "/opt/postfix/conf/dnsbl_reply.map" ]; then
      rm /opt/postfix/conf/dnsbl_reply.map
    fi
    response=$(curl --connect-timeout 15 --max-time 30 -s -o /dev/null -w "%{http_code}" "https://asn-check.mailcow.email")
    if [ "$response" -eq 503 ]; then
      echo -e "\e[31mThe AS of your IP is listed as a banned AS from Spamhaus!\e[0m"
      echo -e "\e[33mNo SPAMHAUS_DQS_KEY found... Skipping Spamhaus blocklists entirely!\e[0m"
      SPAMHAUS_DNSBL_CONFIG=""
    elif [ "$response" -eq 200 ]; then
      echo -e "\e[32mThe AS of your IP is NOT listed as a banned AS from Spamhaus!\e[0m"
      echo -e "\e[33mUsing the open Spamhaus blocklists.\e[0m"
      SPAMHAUS_DNSBL_CONFIG=$(cat <<EOF
  zen.spamhaus.org=127.0.0.[10;11]*8
  zen.spamhaus.org=127.0.0.[4..7]*6
  zen.spamhaus.org=127.0.0.3*4
  zen.spamhaus.org=127.0.0.2*3
EOF
      )

    else
      echo -e "\e[31mWe couldn't determine your AS... (maybe DNS/Network issue?) Response Code: $response\e[0m"
      echo -e "\e[33mDeactivating Spamhaus DNS Blocklists to be on the safe site!\e[0m"
      SPAMHAUS_DNSBL_CONFIG=""
    fi
  fi
fi

# Reset main.cf
sed -i '/Overrides/q' /opt/postfix/conf/main.cf
echo >> /opt/postfix/conf/main.cf
# Append postscreen dnsbl sites to main.cf
if [ ! -z "$DNSBL_CONFIG" ]; then
  echo -e "${DNSBL_CONFIG}\n${SPAMHAUS_DNSBL_CONFIG}" >> /opt/postfix/conf/main.cf
fi
# Append user overrides
echo -e "\n# User Overrides" >> /opt/postfix/conf/main.cf
touch /opt/postfix/conf/extra.cf
sed -i '/myhostname/d' /opt/postfix/conf/extra.cf
echo -e "myhostname = ${MAILCOW_HOSTNAME}\n$(cat /opt/postfix/conf/extra.cf)" > /opt/postfix/conf/extra.cf
cat /opt/postfix/conf/extra.cf >> /opt/postfix/conf/main.cf

if [ ! -f /opt/postfix/conf/custom_transport.pcre ]; then
  echo "Creating dummy custom_transport.pcre"
  touch /opt/postfix/conf/custom_transport.pcre
fi

if [[ ! -f /opt/postfix/conf/custom_postscreen_whitelist.cidr ]]; then
  echo "Creating dummy custom_postscreen_whitelist.cidr"
  cat <<EOF > /opt/postfix/conf/custom_postscreen_whitelist.cidr
# Autogenerated by mailcow
# Rules are evaluated in the order as specified.
# Blacklist 192.168.* except 192.168.0.1.
# 192.168.0.1          permit
# 192.168.0.0/16       reject
EOF
fi

# Fix Postfix permissions
chown -R root:postfix /opt/postfix/conf/sql/ /opt/postfix/conf/custom_transport.pcre
chmod 640 /opt/postfix/conf/sql/*.cf /opt/postfix/conf/custom_transport.pcre
chgrp -R postdrop /var/spool/postfix/public
chgrp -R postdrop /var/spool/postfix/maildrop
postfix set-permissions

# Check Postfix configuration
postconf -c /opt/postfix/conf > /dev/null

if [[ $? != 0 ]]; then
  echo "Postfix configuration error, refusing to start."
  exit 1
else
  postfix -c /opt/postfix/conf start
  sleep 126144000
fi