diff --git a/data/Dockerfiles/clamav/Dockerfile b/data/Dockerfiles/clamav/Dockerfile
index 5fc44d9a..170b7d8f 100755
--- a/data/Dockerfiles/clamav/Dockerfile
+++ b/data/Dockerfiles/clamav/Dockerfile
@@ -1,8 +1,8 @@
-FROM debian:latest
+FROM debian:stretch-slim
 MAINTAINER https://m-ko.de Markus Kosmal
 # Debian Base to use
-ENV DEBIAN_VERSION jessie
+ENV DEBIAN_VERSION stretch
 # initial install of av daemon
 RUN echo "deb http://http.debian.net/debian/ $DEBIAN_VERSION main contrib non-free" > /etc/apt/sources.list && \
@@ -13,15 +13,14 @@ RUN echo "deb http://http.debian.net/debian/ $DEBIAN_VERSION main contrib non-fr
 clamav-daemon \
 clamav-freshclam \
 libclamunrar7 \
- wget && \
+ curl && \
 apt-get clean && \
 rm -rf /var/lib/apt/lists/*
 # initial update of av databases
-RUN wget -O /var/lib/clamav/main.cvd http://db.local.clamav.net/main.cvd && \
- wget -O /var/lib/clamav/daily.cvd http://db.local.clamav.net/daily.cvd && \
- wget -O /var/lib/clamav/bytecode.cvd http://db.local.clamav.net/bytecode.cvd && \
- chown clamav:clamav /var/lib/clamav/*.cvd
+COPY dl_files.sh /dl_files.sh
+RUN chmod +x /dl_files.sh
+RUN /dl_files.sh
 # permission juggling
 RUN mkdir /var/run/clamav && \
@@ -33,9 +32,6 @@ RUN sed -i 's/^Foreground .*$/Foreground true/g' /etc/clamav/clamd.conf && \
 echo "TCPSocket 3310" >> /etc/clamav/clamd.conf && \
 sed -i 's/^Foreground .*$/Foreground true/g' /etc/clamav/freshclam.conf
-# volume provision
-VOLUME ["/var/lib/clamav"]
-
 # port provision
 EXPOSE 3310
diff --git a/data/Dockerfiles/clamav/bootstrap.sh b/data/Dockerfiles/clamav/bootstrap.sh
index 635e93ea..bc5d1b32 100755
--- a/data/Dockerfiles/clamav/bootstrap.sh
+++ b/data/Dockerfiles/clamav/bootstrap.sh
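Review bot: `RUN /dl_files.sh` in the second hunk succeeds whenever at least one .cvd ends up in /var/lib/clamav, because the script sets no `-e` and its exit status is that of the final `chown` over the glob, so an image can build with main.cvd or daily.cvd missing or truncated and the problem only shows up when clamd loads the database at runtime. Make the build step fail explicitly: `RUN /dl_files.sh && for f in main daily bytecode; do test -s /var/lib/clamav/$f.cvd; done`. The separate `RUN chmod +x /dl_files.sh` layer is normally redundant since the script is committed with mode 100755 and COPY keeps that bit. With the VOLUME dropped in the third hunk, this build-time snapshot is what every recreated container starts from and freshclam has to catch up each time — presumably intended, but a comment above the COPY saying so would save the next reader the question.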
@@ -1,35 +1,7 @@
 #!/bin/bash
-# bootstrap clam av service and clam av database updater shell script
-# presented by mko (Markus Kosmal)
-set -m
+trap "kill 0" SIGINT
-# start clam service itself and the updater in background as daemon
 freshclam -d &
 clamd &
-# recognize PIDs
-pidlist=`jobs -p`
-
-# initialize latest result var
-latest_exit=0
-
-# define shutdown helper
-function shutdown() {
- trap "" SUBS
-
- for single in $pidlist; do
- if ! kill -0 $pidlist 2>/dev/null; then
- wait $pidlist
- exitcode=$?
- fi
- done
-
- kill $pidlist 2>/dev/null
-}
-
-# run shutdown
-trap terminate SUBS
-wait
-
-# return received result
-exit $latest_exit
+sleep inf
diff --git a/data/Dockerfiles/clamav/dl_files.sh b/data/Dockerfiles/clamav/dl_files.sh
new file mode 100755
index 00000000..09d61241
--- /dev/null
+++ b/data/Dockerfiles/clamav/dl_files.sh
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+declare -a DB_MIRRORS=(
+ "switch.clamav.net"
+ "clamavdb.heanet.ie"
+ "clamav.iol.cz"
+ "clamav.univ-nantes.fr"
+ "clamav.easynet.fr"
+ "clamav.begi.net"
+)
+declare -a DB_MIRRORS=( $(shuf -e "${DB_MIRRORS[@]}") )
+
+DB_FILES=(
+ "bytecode.cvd"
+ "daily.cvd"
+ "main.cvd"
+)
+
+for i in "${DB_MIRRORS[@]}"; do
+ for j in "${DB_FILES[@]}"; do
+ [[ -f "/var/lib/clamav/${j}" && -s "/var/lib/clamav/${j}" ]] && continue;
+ if [[ $(curl -o /dev/null --connect-timeout 1 \
+ --max-time 1 \
+ --silent \
+ --head \
+ --write-out "%{http_code}\n" "${i}/${j}") == 200 ]]; then
+ curl "${i}/${j}" -o "/var/lib/clamav/${j}" -#
+ fi
+ done
+done
+
+chown clamav:clamav /var/lib/clamav/*.cvd
diff --git a/data/Dockerfiles/postfix/Dockerfile b/data/Dockerfiles/postfix/Dockerfile
index 0fcdc893..9da92ad6 100644
--- a/data/Dockerfiles/postfix/Dockerfile
+++ b/data/Dockerfiles/postfix/Dockerfile
@@ -23,6 +23,7 @@ RUN apt-get install -y --no-install-recommends supervisor \
 gnupg \
 python-gpgme \
 sudo \
+ curl \
 dirmngr
 RUN addgroup --system --gid 600 zeyple
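Review bot: The rewritten bootstrap traps only SIGINT and then parks in `sleep inf`, so a `docker stop` (SIGTERM) is ignored by the PID 1 shell, clamd and freshclam are never signalled, and the container is SIGKILLed after the grace period; likewise if clamd exits on its own the script keeps sleeping and the container reports healthy with nothing listening on 3310. Trap both signals, kill the children from the handler rather than the whole process group (a `kill 0` from a SIGTERM handler re-signals the shell itself), and return as soon as either daemon dies so the orchestrator can restart the container. `wait -n` needs bash 4.3+, which stretch ships.
```shell
trap 'kill $(jobs -p) 2>/dev/null' SIGINT SIGTERM
freshclam -d &
clamd &
# Return as soon as either daemon exits (or a signal arrives) so the
# container dies visibly instead of idling with a dead clamd.
wait -n
kill $(jobs -p) 2>/dev/null
exit 1
```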
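Review bot: The download in the inner loop fetches `"${i}/${j}"` with no scheme, so curl uses plain http, and a transfer that fails part-way (no `-f`, no retry, and the `--max-time 1` on the probe suggests the mirrors are not fast) leaves a truncated file that the `-f && -s` check on the next mirror then accepts as complete. Write to a temporary name and rename only on success, and use `https://` on both the probe and the download where the mirror offers it. As far as I know libclamav checks the signature embedded in a .cvd when loading it, so a substituted file should surface as a load failure rather than a silent bypass, but a truncated or stale file still means the image ships without that database. Separately, `declare -a DB_MIRRORS=( $(shuf ...) )` relies on unquoted word-splitting; harmless for hostnames, but `mapfile -t DB_MIRRORS < <(shuf -e "${DB_MIRRORS[@]}")` is the safer form.
```shell
# … unchanged: mirror list, shuffle, DB_FILES and the HEAD probe (also switch its URL to https://) …
      tmp="/var/lib/clamav/${j}.part"
      if curl -fsS --retry 2 --connect-timeout 5 "https://${i}/${j}" -o "$tmp"; then
        mv "$tmp" "/var/lib/clamav/${j}"
      else
        rm -f "$tmp"
      fi
# … unchanged: loop ends and chown …
```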
@@ -34,6 +35,7 @@ COPY zeyple.py /usr/local/bin/zeyple.py
 COPY zeyple.conf /etc/zeyple.conf
 COPY supervisord.conf /etc/supervisor/supervisord.conf
 COPY postfix.sh /opt/postfix.sh
+COPY whitelist_forwardinghosts.sh /usr/local/bin/whitelist_forwardinghosts.sh
 EXPOSE 588
diff --git a/data/Dockerfiles/postfix/whitelist_forwardinghosts.sh b/data/Dockerfiles/postfix/whitelist_forwardinghosts.sh
new file mode 100755
index 00000000..4ad5ab32
--- /dev/null
+++ b/data/Dockerfiles/postfix/whitelist_forwardinghosts.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+while read QUERY; do
+ QUERY=($QUERY)
+ if [ "${QUERY[0]}" != "get" ]; then
+ echo "500 dunno"
+ continue
+ fi
+ result=$(curl -s http://nginx:8081/forwardinghosts.php?host=${QUERY[1]})
+ logger -t whitelist_forwardinghosts -p mail.info "Look up ${QUERY[1]} on whitelist, result $result"
+ echo ${result}
+done
diff --git a/data/conf/postfix/main.cf b/data/conf/postfix/main.cf
index b28f6eb9..52e86681 100644
--- a/data/conf/postfix/main.cf
+++ b/data/conf/postfix/main.cf
@@ -24,7 +24,7 @@ milter_default_action = accept
 milter_protocol = 6
 minimal_backoff_time = 300s
 plaintext_reject_code = 550
-postscreen_access_list = permit_mynetworks, cidr:/opt/postfix/conf/postscreen_access.cidr
+postscreen_access_list = permit_mynetworks, cidr:/opt/postfix/conf/postscreen_access.cidr, tcp:127.0.0.1:10027
 postscreen_bare_newline_enable = no
 postscreen_blacklist_action = drop
 postscreen_cache_cleanup_interval = 24h
diff --git a/data/conf/postfix/master.cf b/data/conf/postfix/master.cf
index 3802c9a0..955728d1 100644
--- a/data/conf/postfix/master.cf
+++ b/data/conf/postfix/master.cf
@@ -55,3 +55,5 @@ zeyple unix - n n - - pipe
 -o smtpd_recipient_restrictions=permit_mynetworks,reject
 -o mynetworks=127.0.0.0/8
 -o smtpd_authorized_xforward_hosts=127.0.0.0/8
+
+127.0.0.1:10027 inet n n n - 0 spawn user=nobody argv=/usr/local/bin/whitelist_forwardinghosts.sh
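Review bot: In whitelist_forwardinghosts.sh the lookup key `${QUERY[1]}` is spliced unquoted and unencoded into the curl URL, the reply is echoed unquoted, and when curl cannot reach nginx `result` is empty so the script answers with a blank line, which is not a valid tcp_table(5) reply — postscreen then sees a protocol error instead of a clean temporary failure. In practice the key is the client address postscreen hands over, so the injection surface is small, but the availability point stands. Use `read -r`, pass the key through `--data-urlencode`, and answer `400` on transport errors so Postfix treats it as a temporary lookup failure rather than garbage.
```shell
while read -r QUERY; do
  # … unchanged: split into QUERY array and the "get" check …
  result=$(curl -sfG --data-urlencode "host=${QUERY[1]}" http://nginx:8081/forwardinghosts.php) \
    || result="400 lookup failed"
  logger -t whitelist_forwardinghosts -p mail.info "Look up ${QUERY[1]} on whitelist, result $result"
  printf '%s\n' "$result"
done
```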
diff --git a/data/conf/rspamd/dynmaps/forwardinghosts.php b/data/conf/rspamd/dynmaps/forwardinghosts.php new file mode 100644 index 00000000..377c5e7e --- /dev/null +++ b/data/conf/rspamd/dynmaps/forwardinghosts.php @@ -0,0 +1,56 @@ + 1) + $mask = $net[1]; + $net = inet_pton($net[0]); + $addr = inet_pton($addr); + + $length = strlen($net); // 4 for IPv4, 16 for IPv6 + if (strlen($net) != strlen($addr)) + return FALSE; + if (!isset($mask)) + $mask = $length * 8; + + $addr_bin = ''; + $net_bin = ''; + for ($i = 0; $i < $length; ++$i) + { + $addr_bin .= str_pad(decbin(ord(substr($addr, $i, $i+1))), 8, '0', STR_PAD_LEFT); + $net_bin .= str_pad(decbin(ord(substr($net, $i, $i+1))), 8, '0', STR_PAD_LEFT); + } + + return substr($addr_bin, 0, $mask) == substr($net_bin, 0, $mask); +} + +$dsn = $database_type . ':host=' . $database_host . ';dbname=' . $database_name; +$opt = [ + PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, + PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC, + PDO::ATTR_EMULATE_PREPARES => false, +]; +try { + $pdo = new PDO($dsn, $database_user, $database_pass, $opt); + $stmt = $pdo->query("SELECT host FROM `forwarding_hosts`"); + $networks = $stmt->fetchAll(PDO::FETCH_COLUMN); + foreach ($networks as $network) + { + if (in_net($_GET['host'], $network)) + { + echo '200 permit'; + exit; + } + } + echo '200 dunno'; +} +catch (PDOException $e) { + echo '200 dunno'; + exit; +} +?> diff --git a/data/conf/rspamd/dynmaps/settings.php b/data/conf/rspamd/dynmaps/settings.php index 9be1f696..098ffbd9 100644 --- a/data/conf/rspamd/dynmaps/settings.php +++ b/data/conf/rspamd/dynmaps/settings.php 
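Review bot: `in_net()` trusts the `/mask` part of each `forwarding_hosts` row: a mask that is not a number, or exceeds the address length, reaches `substr($addr_bin, 0, $mask)` unchecked, and on PHP 7 a non-numeric length makes substr() return NULL with a warning on both sides, so the comparison is true and every client is permitted — confirm against the PHP version in use, but one bad row should not open the whitelist. `$_GET['host']` is likewise used without isset or format validation, so a missing or non-IP value passes the false from inet_pton() into strlen() and relies on the length mismatch to fail closed. Validate both before comparing; the function header and the include that defines the `$database_*` settings are not legible in this rendering, so the exact placement needs confirming.
```php
// … unchanged: split $net on '/', inet_pton of $net and $addr, length check …
if (!isset($mask))
  $mask = $length * 8;
elseif (!ctype_digit((string)$mask) || (int)$mask > $length * 8)
  return FALSE; // malformed mask must never widen the match
// … unchanged: bit-string comparison …

$host = isset($_GET['host']) ? $_GET['host'] : '';
if (filter_var($host, FILTER_VALIDATE_IP) === false) { echo '200 dunno'; exit; }
// … unchanged: PDO setup and loop, using $host in place of $_GET['host'] …
```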
@@ -32,6 +32,35 @@ catch (PDOException $e) { ?> settings { query("SELECT `host` FROM `forwarding_hosts`"); + $rows = $stmt->fetchAll(PDO::FETCH_COLUMN); +} +catch (PDOException $e) { + $rows = array(); +} + +if ($rows) +{ +?> + whitelist_forwarding_hosts { + priority = high; + + apply "default" { + actions { + reject = 999.9; + } + } + symbols [ + "WHITELIST_FORWARDING_HOST" + ] + } +query("SELECT DISTINCT `object` FROM `filterconf` WHERE `option` = 'highspamlevel' OR `option` = 'lowspamlevel'"); $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); @@ -207,8 +236,11 @@ while ($row = array_shift($rows)) { } ?> apply "default" { - MAILCOW_MOO = -999.0; + MAILCOW_WHITE = -999.0; } + symbols [ + "MAILCOW_WHITE" + ] } apply "default" { - MAILCOW_MOO = 999.0; + MAILCOW_BLACK = 999.0; } + symbols [ + "MAILCOW_BLACK" + ] } -} \ No newline at end of file +} diff --git a/data/conf/rspamd/local.d/antivirus.conf b/data/conf/rspamd/local.d/antivirus.conf new file mode 100644 index 00000000..51bc46f9 --- /dev/null +++ b/data/conf/rspamd/local.d/antivirus.conf @@ -0,0 +1,8 @@ +clamav { + attachments_only = false; + max_size = 20000000; + symbol = "CLAM_VIRUS"; + type = "clamav"; + log_clean = true; + servers = "clamd:3310"; +} diff --git a/data/conf/rspamd/local.d/force_actions.conf b/data/conf/rspamd/local.d/force_actions.conf new file mode 100644 index 00000000..7b97e437 --- /dev/null +++ b/data/conf/rspamd/local.d/force_actions.conf @@ -0,0 +1,7 @@ +rules { + DKIM_FAIL { + action = "add header"; + expression = "R_DKIM_REJECT & !MAILLIST & !MAILCOW_WHITE & !MAILCOW_BLACK"; + require_action = ["no action", "greylist"]; + } +} diff --git a/data/conf/rspamd/lua/rspamd.local.lua b/data/conf/rspamd/lua/rspamd.local.lua index 7d6aaa20..09cf9d10 100644 --- a/data/conf/rspamd/lua/rspamd.local.lua +++ b/data/conf/rspamd/lua/rspamd.local.lua 
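Review bot: The `whitelist_forwarding_hosts` settings rule shows `priority = high` and `actions { reject = 999.9; }` but no match condition (`ip = [...]`, `authenticated`, or similar) anywhere in the hunk; if the line that emits the address list from `$rows` was a pure PHP line dropped by this rendering, ignore this, otherwise a settings rule without a selector applies to every message and disables reject globally. A one-line comment above the block stating the selector and the intent — e.g. `# hosts in forwarding_hosts: never reject, forwarded spam is tagged instead` — would make the review question unnecessary. The try/catch falling back to an empty `$rows` on a database error is fail-safe here, since no rule is emitted.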
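Review bot: The clamav block in antivirus.conf names `symbol = "CLAM_VIRUS"` but sets no `action`, and no score for that symbol appears in this commit, so a positive scan only adds a symbol with whatever weight is configured elsewhere rather than forcing a reject. If infected mail is meant to be rejected, add `action = "reject";` (the antivirus module's own override), or confirm CLAM_VIRUS carries a score in a metrics file not shown here. `servers = "clamd:3310"` is a plain, unauthenticated TCP connection on the compose network, which is normal for clamd, but a comment noting that the network is the trust boundary here would help whoever later exposes that port.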
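Review bot: `DKIM_FAIL` in force_actions.conf forces "add header" on every `R_DKIM_REJECT` that is not a mailing list or explicitly listed, regardless of the sender domain's DMARC policy, so a signature broken by an intermediate relay or a footer-adding gateway sends otherwise clean mail to the spam folder. Gating on DMARC keeps the rule for the senders who actually asked for it: `expression = "R_DKIM_REJECT & (DMARC_POLICY_REJECT | DMARC_POLICY_QUARANTINE) & !MAILLIST & !MAILCOW_WHITE & !MAILCOW_BLACK";` — those symbol names come from rspamd's dmarc module, so confirm they match the version in use. A short comment explaining why "greylist" is in `require_action` would also help, since it is not obvious why a greylisted message should be upgraded rather than left to the greylisting round-trip.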
@@ -7,10 +7,6 @@ rspamd_config.MAILCOW_AUTH = { end } -rspamd_config.MAILCOW_MOO = function (task) - return true -end - modify_subject_map = rspamd_config:add_map({ url = 'http://172.22.1.251:8081/tags.php', type = 'map', diff --git a/data/web/add.php b/data/web/add.php index 39017e98..5f1aa0d6 100644 --- a/data/web/add.php +++ b/data/web/add.php @@ -353,7 +353,7 @@ elseif (isset($_SESSION['mailcow_cc_role']) && ($_SESSION['mailcow_cc_role'] ==
- +
diff --git a/data/web/admin.php b/data/web/admin.php index e0e04aee..ca20af8a 100644 --- a/data/web/admin.php +++ b/data/web/admin.php @@ -183,9 +183,11 @@ $tfa_data = get_tfa();

+ +
+
-

+ +
+
+
+

+
+
+ + + + + + + + + + source; + $host = $host->host; + ?> + + + + + + + + + + + +
+
+ +
+
+
+
+ +

+
+
+ +
+ +
+
+
+
+ +
+
+
+
+ +
+