[Policyd] Added policyd Dockerfile
[Compose] Added policyd Service [Postfix] Added policyd for check_policy_service to main.cf
This commit is contained in:
parent
97adcbe5f8
commit
9b43974c96
19
data/Dockerfiles/policyd/Dockerfile
Normal file
19
data/Dockerfiles/policyd/Dockerfile
Normal file
@ -0,0 +1,19 @@
|
||||
FROM docker.io/1and1internet/ubuntu-16-apache-php-7.1:latest
|
||||
ARG DEBIAN_FRONTEND=noninteractive
|
||||
COPY files /
|
||||
RUN \
|
||||
groupadd cbpolicyd && \
|
||||
useradd -g cbpolicyd cbpolicyd && \
|
||||
apt-get update && \
|
||||
apt-get -o Dpkg::Options::=--force-confdef -y install gettext-base postfix-cluebringer postfix-cluebringer-mysql postfix-cluebringer-webui -y && \
|
||||
apt-get -y clean && \
|
||||
rm -rf /var/lib/apt/lists/* /etc/cluebringer && \
|
||||
mkdir --mode=0775 /etc/cluebringer && \
|
||||
cp /usr/share/doc/postfix-cluebringer/database/policyd-db.mysql.gz /tmp/ && \
|
||||
cp -r /usr/share/postfix-cluebringer-webui/webui/* /var/www/html/ && \
|
||||
gunzip /tmp/policyd-db.mysql.gz && \
|
||||
sed -i -e 's/TYPE=InnoDB/ENGINE=InnoDB/g' /tmp/policyd-db.mysql && \
|
||||
chmod -R 0755 /hooks && \
|
||||
chmod -R 0777 /var/www/html && \
|
||||
chmod 0666 /var/log/cbpolicyd.log
|
||||
EXPOSE 10031 8080 8443
|
@ -0,0 +1,12 @@
|
||||
[program:apache-2.4]
|
||||
command=/bin/bash -c "source /etc/apache2/envvars && exec /usr/sbin/apache2 -DFOREGROUND"
|
||||
autostart=true
|
||||
autorestart=true
|
||||
startretries=3
|
||||
|
||||
# Redirect output so we can see it using "docker logs"
|
||||
stdout_logfile=/dev/stdout
|
||||
stdout_logfile_maxbytes=0
|
||||
stderr_logfile=/dev/stderr
|
||||
stderr_logfile_maxbytes=0
|
||||
|
@ -0,0 +1,12 @@
|
||||
[program:cbpolicyd]
|
||||
command=/usr/sbin/cbpolicyd --fg --config=/etc/cluebringer/cluebringer.conf
|
||||
autostart=true
|
||||
autorestart=true
|
||||
startretries=3
|
||||
|
||||
# Redirect output so we can see it using "docker logs"
|
||||
stdout_logfile=/dev/stdout
|
||||
stdout_logfile_maxbytes=0
|
||||
stderr_logfile=/dev/stderr
|
||||
stderr_logfile_maxbytes=0
|
||||
|
@ -0,0 +1,48 @@
|
||||
#!/bin/bash
|
||||
set -eo pipefail
|
||||
|
||||
# Password protect webui
|
||||
echo Creating webui user
|
||||
echo $WEBUI_PASSWORD | htpasswd -ci /var/www/html/.htpasswd webui
|
||||
|
||||
# Checking for DB liveness before continuing with DB set up.
|
||||
count=0
|
||||
while [ $count -lt 4 ]; do
|
||||
if [[ $(mysql -h$CLUEBRINGER_DB_HOST -uroot -p$MYSQL_ROOT_PASSWORD -e "select 1" &>/dev/null ; echo $?) -ne 0 ]]; then
|
||||
echo "Waiting for DB to be ready."
|
||||
sleep 15
|
||||
let count+=1
|
||||
else
|
||||
echo "DB appears to be ready."
|
||||
break
|
||||
fi
|
||||
done
|
||||
# Die if DB doesn't come up in time.
|
||||
if [ $count -eq 4 ]; then
|
||||
echo "!!!WARNING!!! DB didn't come up in time."
|
||||
exit 0
|
||||
fi
|
||||
|
||||
# Set up DB if it's empty.
|
||||
if [[ $(mysql -N -h$CLUEBRINGER_DB_HOST -uroot -p$MYSQL_ROOT_PASSWORD -e "SELECT COUNT(*) FROM information_schema.tables WHERE table_schema = '$MYSQL_DATABASE';") == 0 ]]; then
|
||||
echo "Setting up cluebringer DB."
|
||||
|
||||
# Set up DB and User
|
||||
if [[ $(mysql -N -h$CLUEBRINGER_DB_HOST -uroot -p$MYSQL_ROOT_PASSWORD -e "create database $MYSQL_DATABASE;use $MYSQL_DATABASE;CREATE USER '$MYSQL_USER'@'%' IDENTIFIED BY '$MYSQL_PASSWORD';GRANT ALL PRIVILEGES ON $MYSQL_DATABASE.* TO '$MYSQL_USER'@'%';") -ne 0 ]]; then
|
||||
echo "Can't create DB and Policyd DB user!"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
# Add our policys from sql if they exist.
|
||||
if [[ -e /tmpl/cluebringer/import/policy.sql ]]; then
|
||||
echo "Importing our configuration."
|
||||
mysql -h$CLUEBRINGER_DB_HOST -u$MYSQL_USER -p$MYSQL_PASSWORD $MYSQL_DATABASE < /tmpl/cluebringer/import/policy.sql
|
||||
echo "Done."
|
||||
else
|
||||
echo "Additional sql configuration no found importing standart configuration."
|
||||
mysql -h$CLUEBRINGER_DB_HOST -u$MYSQL_USER -p$MYSQL_PASSWORD $MYSQL_DATABASE < /tmp/policyd-db.mysql
|
||||
fi
|
||||
else
|
||||
echo "Cluebringer DB not empty, exiting."
|
||||
exit 0
|
||||
fi
|
@ -0,0 +1,14 @@
|
||||
#!/bin/bash
|
||||
|
||||
set -eu
|
||||
|
||||
export DOLLAR=$
|
||||
export MYSQL_DATABASE=${MYSQL_DATABASE}
|
||||
export MYSQL_USER=${MYSQL_USER}
|
||||
export MYSQL_PASSWORD=${MYSQL_PASSWORD}
|
||||
export CLUEBRINGER_DB_BACKEND=${CLUEBRINGER_DB_BACKEND}
|
||||
export CLUEBRINGER_DB_PORT=${CLUEBRINGER_DB_PORT}
|
||||
export CLUEBRINGER_DB_HOST=${CLUEBRINGER_DB_HOST}
|
||||
|
||||
envsubst < /tmpl/cluebringer/cluebringer.conf > /etc/cluebringer/cluebringer.conf
|
||||
envsubst < /tmpl/cluebringer/cluebringer-webui.conf > /etc/cluebringer/cluebringer-webui.conf
|
@ -0,0 +1,16 @@
|
||||
<?php
|
||||
|
||||
# mysql:host=xx;dbname=yyy
|
||||
# pgsql:host=xx;dbname=yyy
|
||||
# sqlite:////full/unix/path/to/file.db?mode=0666
|
||||
#
|
||||
#$DB_DSN="sqlite:////tmp/cluebringer.sqlite";
|
||||
#$DB_DSN="pgsql:host=xx;dbname=yyy";
|
||||
#$DB_DSN="mysql:host=xx;dbname=yyy";
|
||||
|
||||
${DOLLAR}DB_DSN="${CLUEBRINGER_DB_BACKEND}:host=${CLUEBRINGER_DB_HOST};dbname=${MYSQL_DATABASE}";
|
||||
${DOLLAR}DB_USER="${MYSQL_USER}";
|
||||
${DOLLAR}DB_PASS="${MYSQL_PASSWORD}";
|
||||
|
||||
|
||||
?>
|
192
data/Dockerfiles/policyd/files/tmpl/cluebringer/cluebringer.conf
Normal file
192
data/Dockerfiles/policyd/files/tmpl/cluebringer/cluebringer.conf
Normal file
@ -0,0 +1,192 @@
|
||||
#
|
||||
# Server configuration
|
||||
#
|
||||
[server]
|
||||
|
||||
# Protocols to load
|
||||
protocols=<<EOT
|
||||
Postfix
|
||||
Bizanga
|
||||
EOT
|
||||
|
||||
# Modules to load
|
||||
modules=<<EOT
|
||||
Core
|
||||
AccessControl
|
||||
CheckHelo
|
||||
CheckSPF
|
||||
Greylisting
|
||||
Quotas
|
||||
EOT
|
||||
|
||||
# User to run this daemon as
|
||||
user=root
|
||||
#group=
|
||||
|
||||
# Filename to store pid of parent process
|
||||
pid_file=/var/run/cluebringer/cbpolicyd.pid
|
||||
|
||||
# Uncommenting the below option will prevent cbpolicyd going into the background
|
||||
background=no
|
||||
|
||||
# Preforking configuration
|
||||
#
|
||||
# min_server - Minimum servers to keep around
|
||||
# min_spare_servers - Minimum spare servers to keep around ready to
|
||||
# handle requests
|
||||
# max_spare_servers - Maximum spare servers to have around doing nothing
|
||||
# max_servers - Maximum servers alltogether
|
||||
# max_requests - Maximum number of requests each child will serve
|
||||
#
|
||||
# One may want to use the following as a rough guideline...
|
||||
# Small mailserver: 2, 2, 4, 10, 1000
|
||||
# Medium mailserver: 4, 4, 12, 25, 1000
|
||||
# Large mailserver: 8, 8, 16, 64, 1000
|
||||
#
|
||||
min_servers=4
|
||||
min_spare_servers=4
|
||||
max_spare_servers=12
|
||||
max_servers=25
|
||||
max_requests=1000
|
||||
|
||||
|
||||
|
||||
# Log level:
|
||||
# 0 - Errors only
|
||||
# 1 - Warnings and errors
|
||||
# 2 - Notices, warnings, errors
|
||||
# 3 - Info, notices, warnings, errors
|
||||
# 4 - Debugging
|
||||
log_level=4
|
||||
|
||||
# File to log to instead of stdout
|
||||
log_file=/var/log/cbpolicyd.log
|
||||
|
||||
# Log destination for mail logs...
|
||||
# main - Default. Log to policyd's main log mechanism, accepts NO args
|
||||
# syslog - log mail via syslog
|
||||
# format: log_mail=facility@method,args
|
||||
#
|
||||
# Valid methods for syslog:
|
||||
# native - Let Sys::Syslog decide
|
||||
# unix - Unix socket
|
||||
# udp - UDP socket
|
||||
# stream - Stream (for Solaris)
|
||||
#
|
||||
# Example: unix native
|
||||
#log_mail=mail@syslog:native
|
||||
#
|
||||
# Example: unix socket
|
||||
#log_mail=mail@syslog:unix
|
||||
#
|
||||
# Example: udp
|
||||
#log_mail=mail@syslog:udp,127.0.0.1
|
||||
#
|
||||
# Example: Solaris
|
||||
#log_mail=local0@syslog:stream,/dev/log
|
||||
#log_mail=maillog
|
||||
log_mail=main
|
||||
#mail@syslog:native
|
||||
|
||||
# Things to log in extreme detail
|
||||
# modules - Log detailed module running information
|
||||
# tracking - Log detailed tracking information
|
||||
# policies - Log policy resolution
|
||||
# protocols - Log general protocol info, but detailed
|
||||
# bizanga - Log the bizanga protocol
|
||||
#
|
||||
# There is no default for this configuration option. Options can be
|
||||
# separated by commas. ie. protocols,modules
|
||||
#
|
||||
#log_detail=
|
||||
|
||||
# IP to listen on, * for all
|
||||
host=*
|
||||
# host=0.0.0.0
|
||||
|
||||
# Port to run on
|
||||
port=10031
|
||||
|
||||
# Timeout in communication with clients
|
||||
#timeout=120
|
||||
|
||||
# cidr_allow/cidr_deny
|
||||
# Comma, whitespace or semi-colon separated. Contains a CIDR block to
|
||||
# compare the clients IP to. If cidr_allow or cidr_deny options are
|
||||
# given, the incoming client must match a cidr_allow and not match a
|
||||
# cidr_deny or the client connection will be closed.
|
||||
#cidr_allow=0.0.0.0/0
|
||||
#cidr_deny=
|
||||
|
||||
|
||||
|
||||
[database]
|
||||
#DSN=DBI:SQLite:dbname=policyd.sqlite
|
||||
#DSN=DBI:mysql:database=policyd;host=localhost
|
||||
#DSN=DBI:Pg:database=policyd;host=localhost
|
||||
#DSN=DBI:_DBC_DBTYPE_:dbname=_DBC_DBNAME_;host=_DBC_DBSERVER_
|
||||
## Debian
|
||||
# DB_Type can be one of - pgsql, mysql or sqlite3
|
||||
# DB_Host is ignored for sqlite3. For pgsql and mysql it should be left
|
||||
# unset or as 'localhost' if you wish to use unix sockets to communicate
|
||||
# with the database. To use TCP/IP to connect to a local database set
|
||||
# '127.0.0.1' as the value. Otherwise use the hostname or IP address of
|
||||
# the database server.
|
||||
# DB_Port is ignored for sqlite3. For pgsql it will default to '5432' and
|
||||
# for mysql the default is '3306'. If you are running your database server
|
||||
# on a non-standard port you should set it's value here.
|
||||
# DB_Name defaults to '/var/lib/cluebringer/cluebringer.db' for sqlite3, if you
|
||||
# wish to use another file for the database set it's full path here and
|
||||
# ensure that the cluebringer user can read and write not only the file
|
||||
# but the directory it lives in. For pgsql and mysql this will
|
||||
# default to 'cluebringer', otherwise you should set the name of the
|
||||
# database here.
|
||||
|
||||
DSN=DBI:${CLUEBRINGER_DB_BACKEND}:database=${MYSQL_DATABASE};host=${CLUEBRINGER_DB_HOST}
|
||||
DB_Type=${CLUEBRINGER_DB_BACKEND}
|
||||
DB_Host=${CLUEBRINGER_DB_HOST}
|
||||
DB_Port=${CLUEBRINGER_DB_PORT}
|
||||
DB_Name=${MYSQL_DATABASE}
|
||||
Username=${MYSQL_USER}
|
||||
Password=${MYSQL_PASSWORD}
|
||||
|
||||
|
||||
# What do we do when we have a database connection problem
|
||||
# tempfail - Return temporary failure
|
||||
# pass - Return success
|
||||
bypass_mode=tempfail
|
||||
|
||||
# How many seconds before we retry a DB connection
|
||||
bypass_timeout=30
|
||||
|
||||
|
||||
|
||||
# Access Control module
|
||||
[AccessControl]
|
||||
enable=1
|
||||
|
||||
# Accounting module
|
||||
[Accounting]
|
||||
enable=1
|
||||
|
||||
# Greylisting module
|
||||
[Greylisting]
|
||||
enable=1
|
||||
|
||||
|
||||
# CheckHelo module
|
||||
[CheckHelo]
|
||||
enable=1
|
||||
|
||||
|
||||
# CheckSPF module
|
||||
[CheckSPF]
|
||||
enable=1
|
||||
|
||||
|
||||
# Quotas module
|
||||
[Quotas]
|
||||
enable=1
|
||||
|
||||
|
||||
|
4
data/Dockerfiles/policyd/files/var/www/html/.htaccess
Normal file
4
data/Dockerfiles/policyd/files/var/www/html/.htaccess
Normal file
@ -0,0 +1,4 @@
|
||||
AuthType Basic
|
||||
AuthName "Password Protected Area"
|
||||
AuthUserFile /var/www/html/.htpasswd
|
||||
Require valid-user
|
@ -81,7 +81,7 @@ smtpd_error_sleep_time = 10s
|
||||
smtpd_hard_error_limit = ${stress?1}${stress:5}
|
||||
smtpd_helo_required = yes
|
||||
smtpd_proxy_timeout = 600s
|
||||
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, check_recipient_access proxy:mysql:/opt/postfix/conf/sql/mysql_tls_enforce_in_policy.cf, reject_invalid_helo_hostname, reject_unknown_reverse_client_hostname, reject_unauth_destination
|
||||
smtpd_recipient_restrictions = check_policy_service inet:172.22.1.200:10031, permit_mynetworks, permit_sasl_authenticated, check_recipient_access proxy:mysql:/opt/postfix/conf/sql/mysql_tls_enforce_in_policy.cf, reject_invalid_helo_hostname, reject_unknown_reverse_client_hostname, reject_unauth_destination
|
||||
smtpd_sasl_auth_enable = yes
|
||||
smtpd_sasl_authenticated_header = yes
|
||||
smtpd_sasl_path = inet:dovecot:10001
|
||||
|
@ -210,6 +210,33 @@ services:
|
||||
aliases:
|
||||
- dovecot
|
||||
|
||||
policyd-mailcow:
|
||||
hostname: policyd
|
||||
container_name: policyd-mailcow
|
||||
build: ./data/Dockerfiles/policyd
|
||||
image: policyd-mailcow:1.00
|
||||
ports:
|
||||
# - "10031:10031"
|
||||
- "9080:8080"
|
||||
- "9443:8443"
|
||||
user: "1000000"
|
||||
environment:
|
||||
- "SUPERVISORD_LOGLEVEL=${POLICYD_SUPERVISORD_LOGLEVEL:-debug}"
|
||||
- "CLUEBRINGER_DB_HOST=mysql"
|
||||
- "MYSQL_ROOT_PASSWORD=${DBROOT}"
|
||||
- "MYSQL_DATABASE=${POLICYD_MYSQL_DATABASE:-cluebringer}"
|
||||
- "MYSQL_USER=${POLICYD_MYSQL_USER:-cluebringer}"
|
||||
- "MYSQL_PASSWORD=${POLICYD_MYSQL_PASSWORD}"
|
||||
- "CLUEBRINGER_DB_BACKEND=${POLICYD_DB_BACKEND:-mysql}"
|
||||
- "CLUEBRINGER_DB_PORT=${INTERNAL_MYSQL_PORT:-3306}"
|
||||
- "WEBUI_PASSWORD=${POLICYD_WEBUI_PASSWORD}"
|
||||
networks:
|
||||
mailcow-network:
|
||||
ipv4_address: ${IPV4_NETWORK:-172.22.1}.200
|
||||
aliases:
|
||||
- policyd
|
||||
|
||||
|
||||
postfix-mailcow:
|
||||
image: mailcow/postfix:1.29
|
||||
build: ./data/Dockerfiles/postfix
|
||||
|
@ -140,6 +140,18 @@ SIEVE_PORT=4190
|
||||
DOVEADM_PORT=127.0.0.1:19991
|
||||
SQL_PORT=127.0.0.1:13306
|
||||
|
||||
# ------------------------------
|
||||
# POLCIYD (Cluebringer) CONFIGURATION
|
||||
# ------------------------------
|
||||
|
||||
POLICYD_SUPERVISORD_LOGLEVEL=debug
|
||||
POLICYD_MYSQL_DATABASE=cluebringer
|
||||
POLICYD_MYSQL_USER=cluebringer
|
||||
POLICYD_MYSQL_PASSWORD=asnRTXvDtbI8h7naFtB97wNNcoXq
|
||||
POLICYD_DB_BACKEND=mysql
|
||||
POLICYD_WEBUI_PASSWORD=HPAA297BUcgSYf3AiftHQUjS3KVd
|
||||
INTERNAL_MYSQL_PORT=3306
|
||||
|
||||
# Your timezone
|
||||
|
||||
TZ=${MAILCOW_TZ}
|
||||
|
Loading…
Reference in New Issue
Block a user