general: update base image to Debian 12 ("Bookworm") (#3403)
Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com> Co-authored-by: Casper <casperklein@users.noreply.github.com>
parent
0c7e49e654
commit
00018e7e2b
18 changed files with 145 additions and 148 deletions
|
@ -17,7 +17,7 @@ function _compile_dovecot_fts_xapian() {
|
|||
tar xzvf dovecot-fts-xapian.tar.gz
|
||||
cd fts-xapian-1.5.5
|
||||
USER=root dh_make -p dovecot-fts-xapian-1.5.5 --single --native --copyright gpl2 -y
|
||||
rm debian/*.ex debian/*.EX
|
||||
rm debian/*.ex
|
||||
cp PACKAGES/DEB/control debian/
|
||||
cp PACKAGES/DEB/changelog debian/
|
||||
cp PACKAGES/DEB/compat debian/
|
||||
|
|
|
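Review bot: The reduced `rm debian/*.ex` on the new side is an unguarded glob: if dh_make on the new base image stops emitting `.ex` templates, the literal pattern reaches rm, which fails and aborts the build if the script runs with `set -e` (the script's options and the start of `_compile_dovecot_fts_xapian` are outside this hunk). Since the line only removes template files that may or may not exist, `rm -f -- debian/*.ex` expresses that intent without depending on the template set. The preceding `rm debian/*.ex debian/*.EX` had the same weakness, so this is a pre-existing pattern rather than a regression introduced here.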
@ -1,10 +1,13 @@
|
|||
#!/bin/bash
|
||||
|
||||
# -eE :: exit on error (do this in functions as well)
|
||||
# -u :: show (and exit) when using unset variables
|
||||
# -e :: exit on error (do this in functions as well)
|
||||
# -E :: inherit the ERR trap to functions, command substitutions and sub-shells
|
||||
# -u :: show (and exit) when using unset variables
|
||||
# -o pipefail :: exit on error in pipes
|
||||
set -eE -u -o pipefail
|
||||
|
||||
VERSION_CODENAME='bookworm'
|
||||
|
||||
# shellcheck source=../helpers/log.sh
|
||||
source /usr/local/bin/helpers/log.sh
|
||||
|
||||
|
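Review bot: `VERSION_CODENAME='bookworm'` pins the suite as a literal, while the comment added in the `_install_dovecot` hunk further down says `# VERSION_CODENAME sourced from /etc/os-release`; the two disagree and one of them should change, because every repository line built from this variable will silently keep pointing at bookworm when the base image moves on. Debian images expose the codename in `/etc/os-release`, so the value can be taken from there in one line, e.g. `VERSION_CODENAME=$(. /etc/os-release && printf '%s' "${VERSION_CODENAME}")`, which also keeps the other variables that file defines out of this script's scope; otherwise reword the later comment to say the codename is set at the top of this file. Under `set -u` an empty result would be worth a guard such as `: "${VERSION_CODENAME:?could not determine Debian codename}"`. Marking it `readonly` afterwards would make clear that nothing later in the script is expected to override it.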
@ -17,17 +20,38 @@ function _pre_installation_steps() {
|
|||
_log 'trace' 'Updating package signatures'
|
||||
apt-get "${QUIET}" update
|
||||
|
||||
_log 'trace' 'Installing packages that are needed early'
|
||||
apt-get "${QUIET}" install --no-install-recommends apt-utils 2>/dev/null
|
||||
|
||||
_log 'trace' 'Upgrading packages'
|
||||
apt-get "${QUIET}" upgrade
|
||||
|
||||
_log 'trace' 'Installing packages that are needed early'
|
||||
# add packages usually required by apt to
|
||||
# - not log unnecessary warnings
|
||||
# - be able to add PPAs early (e.g., Rspamd)
|
||||
local EARLY_PACKAGES=(
|
||||
apt-utils # avoid useless warnings
|
||||
apt-transport-https ca-certificates curl gnupg # required for adding PPAs
|
||||
systemd-standalone-sysusers # avoid problems with SA / Amavis (https://github.com/docker-mailserver/docker-mailserver/pull/3403#pullrequestreview-1596689953)
|
||||
)
|
||||
apt-get "${QUIET}" install --no-install-recommends "${EARLY_PACKAGES[@]}" 2>/dev/null
|
||||
}
|
||||
|
||||
function _install_utils() {
|
||||
_log 'debug' 'Installing utils sourced from Github'
|
||||
_log 'trace' 'Installing jaq'
|
||||
curl -sSfL "https://github.com/01mf02/jaq/releases/latest/download/jaq-v1.2.0-$(uname -m)-unknown-linux-gnu" -o /usr/bin/jaq && chmod +x /usr/bin/jaq
|
||||
|
||||
_log 'trace' 'Installing swaks'
|
||||
local SWAKS_VERSION='20240103.0'
|
||||
local SWAKS_RELEASE="swaks-${SWAKS_VERSION}"
|
||||
curl -sSfL "https://github.com/jetmore/swaks/releases/download/v${SWAKS_VERSION}/${SWAKS_RELEASE}.tar.gz" | tar -xz
|
||||
mv "${SWAKS_RELEASE}/swaks" /usr/local/bin
|
||||
rm -r "${SWAKS_RELEASE}"
|
||||
}
|
||||
|
||||
function _install_postfix() {
|
||||
_log 'debug' 'Installing Postfix'
|
||||
|
||||
_log 'warn' 'Applying workaround for Postfix bug (see https://github.com//issues/2023#issuecomment-855326403)'
|
||||
_log 'warn' 'Applying workaround for Postfix bug (see https://github.com/docker-mailserver/docker-mailserver/issues/2023#issuecomment-855326403)'
|
||||
|
||||
# Debians postfix package has a post-install script that expects a valid FQDN hostname to work:
|
||||
mv /bin/hostname /bin/hostname.bak
|
||||
|
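Review bot: In the new `_install_utils`, `curl -sSfL "…jaq…" -o /usr/bin/jaq && chmod +x /usr/bin/jaq` does not abort the build when the download fails: bash's `set -e` ignores a failing command that is not the last element of an `&&` list, so a failed fetch leaves no `/usr/bin/jaq` and the script carries on until something later needs it. Splitting it into two statements, `curl -sSfL "https://github.com/01mf02/jaq/releases/latest/download/jaq-v1.2.0-$(uname -m)-unknown-linux-gnu" -o /usr/bin/jaq` followed by `chmod +x /usr/bin/jaq`, lets the `-f` failure propagate as intended. The URL also mixes `releases/latest/download/` with the pinned file name `jaq-v1.2.0-…`, so it breaks as soon as a newer release is published; `releases/download/v1.2.0/…` pins both parts consistently. Neither the jaq binary placed directly into `/usr/bin` nor the swaks tarball is checked against a known digest, unlike everything installed through apt in this script; comparing against a recorded SHA-256 (e.g. `local JAQ_SHA256='<expected-sha256-placeholder>'` with `sha256sum -c`) would close that gap. The `2>/dev/null` on the early `apt-get install` hides the very warnings this block's comment says it wants to avoid, which makes a genuine install failure harder to diagnose from the build log.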
@ -43,12 +67,17 @@ function _install_postfix() {
|
|||
function _install_packages() {
|
||||
_log 'debug' 'Installing all packages now'
|
||||
|
||||
ANTI_VIRUS_SPAM_PACKAGES=(
|
||||
amavisd-new clamav clamav-daemon
|
||||
pyzor razor spamassassin
|
||||
local ANTI_VIRUS_SPAM_PACKAGES=(
|
||||
clamav clamav-daemon
|
||||
# spamassassin is used only with amavisd-new, while pyzor + razor are used by spamassasin
|
||||
amavisd-new spamassassin pyzor razor
|
||||
# the following packages are all for Fail2Ban
|
||||
# https://github.com/docker-mailserver/docker-mailserver/pull/3403#discussion_r1306581431
|
||||
fail2ban python3-pyinotify python3-dnspython
|
||||
)
|
||||
|
||||
CODECS_PACKAGES=(
|
||||
# predominantly for Amavis support
|
||||
local CODECS_PACKAGES=(
|
||||
altermime arj bzip2
|
||||
cabextract cpio file
|
||||
gzip lhasa liblz4-tool
|
||||
|
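Review bot: The new comment in `_install_packages` misspells the package name at its end: `# spamassassin is used only with amavisd-new, while pyzor + razor are used by spamassassin` is the intended text (the hunk has `spamassasin`). That comment is the only place explaining why pyzor and razor are pulled in at all, so it is worth having the name match the package it refers to. The enclosing function continues past the end of this hunk.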
@ -57,26 +86,33 @@ function _install_packages() {
|
|||
unrar-free unzip xz-utils
|
||||
)
|
||||
|
||||
MISCELLANEOUS_PACKAGES=(
|
||||
apt-transport-https binutils bsd-mailx
|
||||
ca-certificates curl dbconfig-no-thanks
|
||||
dumb-init gnupg iproute2 libdate-manip-perl
|
||||
libldap-common libmail-spf-perl
|
||||
libnet-dns-perl locales logwatch
|
||||
netcat-openbsd nftables rsyslog
|
||||
supervisor uuid whois
|
||||
local MISCELLANEOUS_PACKAGES=(
|
||||
binutils bsd-mailx
|
||||
dbconfig-no-thanks dumb-init iproute2
|
||||
libdate-manip-perl libldap-common libmail-spf-perl libnet-dns-perl
|
||||
locales logwatch netcat-openbsd
|
||||
nftables # primarily for Fail2Ban
|
||||
rsyslog supervisor
|
||||
uuid # used for file-locking
|
||||
whois
|
||||
)
|
||||
|
||||
POSTFIX_PACKAGES=(
|
||||
local POSTFIX_PACKAGES=(
|
||||
pflogsumm postgrey postfix-ldap postfix-mta-sts-resolver
|
||||
postfix-pcre postfix-policyd-spf-python postsrsd
|
||||
)
|
||||
|
||||
MAIL_PROGRAMS_PACKAGES=(
|
||||
fetchmail opendkim opendkim-tools
|
||||
local MAIL_PROGRAMS_PACKAGES=(
|
||||
opendkim opendkim-tools
|
||||
opendmarc libsasl2-modules sasl2-bin
|
||||
)
|
||||
|
||||
# These packages support community contributed features.
|
||||
# If they cause too much maintenance burden in future, they are liable for removal.
|
||||
local COMMUNITY_PACKAGES=(
|
||||
fetchmail getmail6
|
||||
)
|
||||
|
||||
# `bind9-dnsutils` provides the `dig` command
|
||||
# `iputils-ping` provides the `ping` command
|
||||
DEBUG_PACKAGES=(
|
||||
|
@ -89,14 +125,12 @@ function _install_packages() {
|
|||
"${MISCELLANEOUS_PACKAGES[@]}" \
|
||||
"${POSTFIX_PACKAGES[@]}" \
|
||||
"${MAIL_PROGRAMS_PACKAGES[@]}" \
|
||||
"${DEBUG_PACKAGES[@]}"
|
||||
"${DEBUG_PACKAGES[@]}" \
|
||||
"${COMMUNITY_PACKAGES[@]}"
|
||||
}
|
||||
|
||||
function _install_dovecot() {
|
||||
declare -a DOVECOT_PACKAGES
|
||||
|
||||
# Dovecot packages for officially supported features.
|
||||
DOVECOT_PACKAGES=(
|
||||
local DOVECOT_PACKAGES=(
|
||||
dovecot-core dovecot-imapd
|
||||
dovecot-ldap dovecot-lmtpd dovecot-managesieved
|
||||
dovecot-pop3d dovecot-sieve dovecot-solr
|
||||
|
@ -111,7 +145,8 @@ function _install_dovecot() {
|
|||
_log 'trace' 'Using Dovecot community repository'
|
||||
curl https://repo.dovecot.org/DOVECOT-REPO-GPG | gpg --import
|
||||
gpg --export ED409DA1 > /etc/apt/trusted.gpg.d/dovecot.gpg
|
||||
echo "deb https://repo.dovecot.org/ce-2.3-latest/debian/bullseye bullseye main" > /etc/apt/sources.list.d/dovecot.list
|
||||
# VERSION_CODENAME sourced from /etc/os-release
|
||||
echo "deb https://repo.dovecot.org/ce-2.3-latest/debian/${VERSION_CODENAME} ${VERSION_CODENAME} main" > /etc/apt/sources.list.d/dovecot.list
|
||||
|
||||
_log 'trace' 'Updating Dovecot package signatures'
|
||||
apt-get "${QUIET}" update
|
||||
|
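Review bot: The new Dovecot source line trusts the repository through the key dropped into `/etc/apt/trusted.gpg.d/`, which apt accepts for every configured repository, whereas the Rspamd entry written elsewhere in this script scopes its key with a `[signed-by=…]` clause; the two new lines should use the same form. For the scoping to be effective the keyring has to live outside `trusted.gpg.d`, e.g. `gpg --export ED409DA1 > /usr/share/keyrings/dovecot.gpg` and then `echo "deb [signed-by=/usr/share/keyrings/dovecot.gpg] https://repo.dovecot.org/ce-2.3-latest/debian/${VERSION_CODENAME} ${VERSION_CODENAME} main" > /etc/apt/sources.list.d/dovecot.list`. The `curl … | gpg --import` line above is unchanged context, but note it carries no `-sSf`, so with `set -o pipefail` an HTTP error page would be piped into gpg rather than failing the fetch outright. The rest of `_install_dovecot` lies outside this hunk.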
@ -128,47 +163,31 @@ function _install_dovecot() {
|
|||
}
|
||||
|
||||
function _install_rspamd() {
|
||||
_log 'trace' 'Adding Rspamd package signatures'
|
||||
local DEB_FILE='/etc/apt/sources.list.d/rspamd.list'
|
||||
|
||||
curl -sSfL https://rspamd.com/apt-stable/gpg.key | gpg --dearmor >/etc/apt/trusted.gpg.d/rspamd.gpg
|
||||
local URL='[signed-by=/etc/apt/trusted.gpg.d/rspamd.gpg] http://rspamd.com/apt-stable/ bullseye main'
|
||||
echo "deb ${URL}" >"${DEB_FILE}"
|
||||
|
||||
_log 'debug' 'Installing Rspamd'
|
||||
_log 'trace' 'Adding Rspamd PPA'
|
||||
curl -sSfL https://rspamd.com/apt-stable/gpg.key | gpg --dearmor >/etc/apt/trusted.gpg.d/rspamd.gpg
|
||||
echo \
|
||||
"deb [signed-by=/etc/apt/trusted.gpg.d/rspamd.gpg] http://rspamd.com/apt-stable/ ${VERSION_CODENAME} main" \
|
||||
>/etc/apt/sources.list.d/rspamd.list
|
||||
|
||||
_log 'trace' 'Updating package index after adding PPAs'
|
||||
apt-get "${QUIET}" update
|
||||
apt-get "${QUIET}" --no-install-recommends install 'rspamd' 'redis-server'
|
||||
|
||||
_log 'trace' 'Installing actual package'
|
||||
apt-get "${QUIET}" install rspamd redis-server
|
||||
}
|
||||
|
||||
function _install_fail2ban() {
|
||||
local FAIL2BAN_DEB_URL='https://github.com/fail2ban/fail2ban/releases/download/1.0.2/fail2ban_1.0.2-1.upstream1_all.deb'
|
||||
local FAIL2BAN_DEB_ASC_URL="${FAIL2BAN_DEB_URL}.asc"
|
||||
local FAIL2BAN_GPG_FINGERPRINT='8738 559E 26F6 71DF 9E2C 6D9E 683B F1BE BD0A 882C'
|
||||
local FAIL2BAN_GPG_PUBLIC_KEY_ID='0x683BF1BEBD0A882C'
|
||||
local FAIL2BAN_GPG_PUBLIC_KEY_SERVER='hkps://keyserver.ubuntu.com'
|
||||
function _post_installation_steps() {
|
||||
_log 'debug' 'Running post-installation steps (cleanup)'
|
||||
_log 'debug' 'Deleting sensitive files (secrets)'
|
||||
rm /etc/postsrsd.secret
|
||||
|
||||
_log 'debug' 'Installing Fail2ban'
|
||||
apt-get "${QUIET}" --no-install-recommends install python3-pyinotify python3-dnspython
|
||||
_log 'debug' 'Deleting default logwatch cronjob'
|
||||
rm /etc/cron.daily/00logwatch
|
||||
|
||||
gpg --keyserver "${FAIL2BAN_GPG_PUBLIC_KEY_SERVER}" --recv-keys "${FAIL2BAN_GPG_PUBLIC_KEY_ID}" 2>&1
|
||||
|
||||
curl -Lkso fail2ban.deb "${FAIL2BAN_DEB_URL}"
|
||||
curl -Lkso fail2ban.deb.asc "${FAIL2BAN_DEB_ASC_URL}"
|
||||
|
||||
FINGERPRINT=$(LANG=C gpg --verify fail2ban.deb.asc fail2ban.deb |& sed -n 's#Primary key fingerprint: \(.*\)#\1#p')
|
||||
|
||||
if [[ -z ${FINGERPRINT} ]]; then
|
||||
echo 'ERROR: Invalid GPG signature!' >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [[ ${FINGERPRINT} != "${FAIL2BAN_GPG_FINGERPRINT}" ]]; then
|
||||
echo "ERROR: Wrong GPG fingerprint!" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
dpkg -i fail2ban.deb 2>&1
|
||||
rm fail2ban.deb fail2ban.deb.asc
|
||||
_log 'trace' 'Removing leftovers from APT'
|
||||
apt-get "${QUIET}" clean
|
||||
rm -rf /var/lib/apt/lists/*
|
||||
|
||||
_log 'debug' 'Patching Fail2ban to enable network bans'
|
||||
# Enable network bans
|
||||
|
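Review bot: The new Rspamd source line fetches the package index over `http://rspamd.com/apt-stable/` while the signing key on the line above is taken from `https://rspamd.com/…`; apt's signature check still protects package integrity, but if the repository is served over TLS (the key URL suggests the host is) switching the `deb` line to `https://` removes a plaintext hop and avoids two schemes for the same host. Also, the `[signed-by=/etc/apt/trusted.gpg.d/rspamd.gpg]` clause has no effect while the keyring sits in `trusted.gpg.d`, because apt trusts every key there for every repository; writing the dearmored key to `/usr/share/keyrings/rspamd.gpg` and pointing `signed-by` at that path makes the restriction real. In the new `_post_installation_steps`, `rm /etc/postsrsd.secret` and `rm /etc/cron.daily/00logwatch` are carried over as-is; with `set -e` either line aborts the build if the file is absent, which is presumably the intended strictness, but a short comment saying so would stop a future reader from adding `-f`.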
@ -176,56 +195,10 @@ function _install_fail2ban() {
|
|||
sedfile -i -r 's/^_nft_add_set = .+/_nft_add_set = <nftables> add set <table_family> <table> <addr_set> \\{ type <addr_type>\\; flags interval\\; \\}/' /etc/fail2ban/action.d/nftables.conf
|
||||
}
|
||||
|
||||
# Presently the getmail6 package is v6.14, which is too old.
|
||||
# v6.18 contains fixes for Google and Microsoft OAuth support.
|
||||
# using pip to install getmail.
|
||||
# TODO This can be removed when the base image is updated to Debian 12 (Bookworm)
|
||||
function _install_getmail() {
|
||||
_log 'debug' 'Installing getmail6'
|
||||
apt-get "${QUIET}" --no-install-recommends install python3-pip
|
||||
pip3 install --no-cache-dir 'getmail6~=6.18.12'
|
||||
ln -s /usr/local/bin/getmail /usr/bin/getmail
|
||||
ln -s /usr/local/bin/getmail-gmail-xoauth-tokens /usr/bin/getmail-gmail-xoauth-tokens
|
||||
apt-get "${QUIET}" purge python3-pip
|
||||
apt-get "${QUIET}" autoremove
|
||||
}
|
||||
|
||||
function _install_utils() {
|
||||
_log 'debug' 'Installing utils sourced from Github'
|
||||
_log 'trace' 'Installing jaq'
|
||||
curl -sL "https://github.com/01mf02/jaq/releases/latest/download/jaq-v1.2.0-$(uname -m)-unknown-linux-gnu" -o /usr/bin/jaq && chmod +x /usr/bin/jaq
|
||||
|
||||
_log 'trace' 'Installing swaks'
|
||||
local SWAKS_VERSION='20240103.0'
|
||||
local SWAKS_RELEASE="swaks-${SWAKS_VERSION}"
|
||||
curl -sSfL "https://github.com/jetmore/swaks/releases/download/v${SWAKS_VERSION}/${SWAKS_RELEASE}.tar.gz" | tar -xz
|
||||
mv "${SWAKS_RELEASE}/swaks" /usr/local/bin
|
||||
rm -r "${SWAKS_RELEASE}"
|
||||
}
|
||||
|
||||
function _remove_data_after_package_installations() {
|
||||
_log 'debug' 'Deleting sensitive files (secrets)'
|
||||
rm /etc/postsrsd.secret
|
||||
|
||||
_log 'debug' 'Deleting default logwatch cronjob'
|
||||
rm /etc/cron.daily/00logwatch
|
||||
}
|
||||
|
||||
function _post_installation_steps() {
|
||||
_log 'debug' 'Running post-installation steps (cleanup)'
|
||||
apt-get "${QUIET}" clean
|
||||
rm -rf /var/lib/apt/lists/*
|
||||
|
||||
_log 'info' 'Finished installing packages'
|
||||
}
|
||||
|
||||
_pre_installation_steps
|
||||
_install_utils
|
||||
_install_postfix
|
||||
_install_packages
|
||||
_install_dovecot
|
||||
_install_rspamd
|
||||
_install_fail2ban
|
||||
_install_getmail
|
||||
_install_utils
|
||||
_remove_data_after_package_installations
|
||||
_post_installation_steps
|
||||
|
|
|
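Review bot: With `function _install_fail2ban() {` removed, the `sedfile … nftables.conf` context line at the top of this hunk now closes out `_post_installation_steps` (defined in the previous hunk), so the Fail2Ban network-ban patch runs as part of what that function logs as "(cleanup)", after `apt-get clean` and the removal of the apt lists. A small `_install_fail2ban` holding only the `_log 'debug' 'Patching Fail2ban to enable network bans'` and `sedfile` lines, invoked from the new call list between `_install_rspamd` and `_post_installation_steps`, would keep its dependency on the `fail2ban` apt package (now installed by `_install_packages`) visible instead of buried in the cleanup step. The closing `_log 'info' 'Finished installing packages'` from the old `_post_installation_steps` has no counterpart on the new side; if dropping it was not intended, add it back as the last line of the new function.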
@ -88,7 +88,7 @@ function _reload_amavis() {
|
|||
if [[ ${CHANGED} =~ ${DMS_DIR}/postfix-accounts.cf ]] || [[ ${CHANGED} =~ ${DMS_DIR}/postfix-virtual.cf ]]; then
|
||||
# /etc/postfix/vhost was updated, amavis must refresh it's config by
|
||||
# reading this file again in case of new domains, otherwise they will be ignored.
|
||||
amavisd-new reload
|
||||
amavisd reload
|
||||
fi
|
||||
}
|
||||
|
||||
|
|
|
@ -81,11 +81,6 @@ function __setup__security__spamassassin() {
|
|||
# shellcheck disable=SC2016
|
||||
sed -i -r 's|^\$sa_kill_level_deflt (.*);|\$sa_kill_level_deflt = '"${SA_KILL}"';|g' /etc/amavis/conf.d/20-debian_defaults
|
||||
|
||||
# fix cron.daily for spamassassin
|
||||
sed -i \
|
||||
's|invoke-rc.d spamassassin reload|/etc/init\.d/spamassassin reload|g' \
|
||||
/etc/cron.daily/spamassassin
|
||||
|
||||
if [[ ${SA_SPAM_SUBJECT} == 'undef' ]]; then
|
||||
# shellcheck disable=SC2016
|
||||
sed -i -r 's|^\$sa_spam_subject_tag (.*);|\$sa_spam_subject_tag = undef;|g' /etc/amavis/conf.d/20-debian_defaults
|
||||
|
|