From cf8cd4d688f954781658bcecb23dc6da12ea65cd Mon Sep 17 00:00:00 2001
From: Sebastian Hugentobler
Date: Mon, 18 Feb 2019 14:48:21 +0100
Subject: [PATCH] use multistage docker build

---
 Dockerfile | 30 ++++++++++++++++++-------
 README.md | 4 ++--
 rootfs/etc/confd/templates/main.cf.tmpl | 16 +++++++++++--
 3 files changed, 38 insertions(+), 12 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index aad07d0..925c3d7 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,17 +1,31 @@
-FROM thallian/confd-env:latest
+FROM alpine:3.9 as builder
-RUN apk add --no-cache postfix postfix-ldap libressl spamassassin-client libstdc++ g++ make tar libmilter-dev
-
-RUN addgroup -g 2222 access
-RUN addgroup postfix access
+RUN apk add --no-cache \
+ g++ \
+ make \
+ libmilter-dev \
+ spamassassin-client
 RUN mkdir /tmp/spamass-milter
 RUN wget -qO- https://download.savannah.gnu.org/releases/spamass-milt/spamass-milter-0.4.0.tar.gz | tar -xz -C /tmp/spamass-milter --strip 1
 WORKDIR /tmp/spamass-milter
-RUN ./configure && make && make install
-RUN rm -rf /tmp/spamass-milter
-WORKDIR /
+RUN ./configure && make
+
+FROM thallian/confd-env:latest
+
+COPY --from=builder /tmp/spamass-milter/spamass-milter /bin/spamass-milter
+
+RUN apk add --no-cache \
+ postfix \
+ postfix-ldap \
+ openssl \
+ spamassassin-client \
+ libstdc++ \
+ libmilter
+
+RUN addgroup -g 2222 access
+RUN addgroup postfix access
 RUN mkdir /var/run/spamass-milter
 RUN chown postfix:postfix /var/run/spamass-milter
diff --git a/README.md b/README.md
index 47841c4..6550e49 100644
--- a/README.md
+++ b/README.md
@@ -89,7 +89,7 @@ Message size limit in bytes.
 Mailbox size limit in bytes. `0` disables the limit.
 ## TLS_SECURITY_LEVEL
-- default: may
+- default: encrypt
 One of:
 - none: TLS will not be used.
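Review bot: The spamass-milter binary is compiled in the pinned `alpine:3.9` builder stage against that release's `libstdc++` and `libmilter`, but `COPY --from=builder` drops it into `FROM thallian/confd-env:latest`, whose Alpine release is unpinned, so the two stages can drift apart and the runtime image may end up with shared libraries the binary was not built against. Pin the runtime base to a tag (ideally a digest) matching the builder's Alpine version, e.g. `FROM thallian/confd-env:<tag>@sha256:…`, or drive both stages from one `ARG`. The unchanged `wget -qO- … | tar -xz` line now runs in the new builder stage and still extracts the tarball without any integrity check; pin a checksum before extracting, e.g. `RUN wget -qO spamass-milter.tar.gz https://download.savannah.gnu.org/releases/spamass-milt/spamass-milter-0.4.0.tar.gz && echo "<sha256>  spamass-milter.tar.gz" | sha256sum -c - && tar -xzf spamass-milter.tar.gz -C /tmp/spamass-milter --strip 1`, with the digest taken from the upstream signature. Dropping `make install` is fine provided `/tmp/spamass-milter/spamass-milter` is the only artifact the runtime needs; a comment such as `# only the milter binary is shipped; its runtime deps are libstdc++ and libmilter below` would make that contract explicit.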
@@ -98,7 +98,7 @@ One of:
 According to [RFC 2487](http://tools.ietf.org/html/rfc2487) this MUST NOT be applied in case of a publicly-referenced SMTP server.
 ## TLS_PROTOCOLS
-- default: !SSLv2, !SSLv3
+- default: !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
 Comma seperated list of accepted TLS protocols.
diff --git a/rootfs/etc/confd/templates/main.cf.tmpl b/rootfs/etc/confd/templates/main.cf.tmpl
index 076df67..6c5cfed 100644
--- a/rootfs/etc/confd/templates/main.cf.tmpl
+++ b/rootfs/etc/confd/templates/main.cf.tmpl
@@ -23,11 +23,22 @@ virtual_transport = lmtp:inet:{{getenv "LMTP_HOST"}}:{{getenv "LMTP_PORT"}}
 smtpd_tls_key_file=/etc/ssl/mail/{{getenv "CERT_DOMAIN"}}.key
 smtpd_tls_cert_file=/etc/ssl/mail/{{getenv "CERT_DOMAIN"}}.crt
+smtp_tls_security_level = {{getenv "TLS_SECURITY_LEVEL" "may"}}
+smtp_tls_auth_only = yes
+
 smtpd_tls_security_level = {{getenv "TLS_SECURITY_LEVEL" "may"}}
 smtpd_tls_auth_only = yes
-smtpd_tls_mandatory_protocols = {{getenv "TLS_PROTOCOLS" "!SSLv2, !SSLv3"}}
-smtpd_tls_protocols = {{getenv "TLS_PROTOCOLS" "!SSLv2, !SSLv3"}}
+smtp_tls_mandatory_protocols = {{getenv "TLS_PROTOCOLS" "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1"}}
+smtp_tls_protocols = {{getenv "TLS_PROTOCOLS" "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1"}}
+smtp_tls_mandatory_ciphers = {{getenv "TLS_CIPHERS" "high"}}
+smtp_tls_ciphers = {{getenv "TLS_CIPHERS" "high"}}
+smtp_tls_mandatory_exclude_ciphers = {{getenv "TLS_EXCLUDE_CIPHERS" "aNULL, MD5, 3DES"}}
+smtp_tls_exclude_ciphers = {{getenv "TLS_EXCLUDE_CIPHERS" "aNULL, MD5, 3DES"}}
+smtp_tls_wrappermode = no
+
+smtpd_tls_mandatory_protocols = {{getenv "TLS_PROTOCOLS" "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1"}}
+smtpd_tls_protocols = {{getenv "TLS_PROTOCOLS" "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1"}}
 smtpd_tls_mandatory_ciphers = {{getenv "TLS_CIPHERS" "high"}}
 smtpd_tls_ciphers = {{getenv "TLS_CIPHERS" "high"}}
 smtpd_tls_mandatory_exclude_ciphers = {{getenv "TLS_EXCLUDE_CIPHERS" "aNULL, MD5, 3DES"}}
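Review bot: The `getenv "TLS_SECURITY_LEVEL" "may"` fallback on the new `smtp_tls_security_level` line and on the existing `smtpd_tls_security_level` line still defaults to `may`, while the README changed in this same commit now documents the default as `encrypt`, so one of the two is wrong. Because a single variable now drives both the client and the server side, setting it to `encrypt` would make smtpd refuse cleartext on a public MX (which the README's own RFC 2487 note says MUST NOT be done) and make the smtp client defer mail to every destination that does not offer STARTTLS; I would give the two sides separate knobs, e.g. `smtp_tls_security_level = {{getenv "SMTP_TLS_SECURITY_LEVEL" "may"}}` and `smtpd_tls_security_level = {{getenv "SMTPD_TLS_SECURITY_LEVEL" "may"}}`. As far as I can tell Postfix has no `smtp_tls_auth_only` parameter (auth-only exists only as `smtpd_tls_auth_only`), so the added `smtp_tls_auth_only = yes` line is inert and will be reported as an unused parameter; it should be dropped. Note also that the shared `TLS_PROTOCOLS` default now excludes TLSv1/TLSv1.1 for the outbound client as well, and with `may` a remote MX that only speaks those versions will presumably end up receiving mail in cleartext rather than over weak TLS, which may be acceptable but deserves a comment such as `# outbound: with level "may", excluded protocols mean plaintext fallback, not rejection`.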
@@ -48,6 +59,7 @@ smtpd_sasl_path = inet:{{getenv "DOVECOT_HOST"}}:{{getenv "DOVECOT_AUTH_PORT"}}
 smtpd_sasl_auth_enable = yes
 smtpd_relay_restrictions = permit_mynetworks,permit_sasl_authenticated,defer_unauth_destination
+smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
 smtpd_milters = unix:/var/run/spamass-milter/spamass.sock