scripts: split setup-stack.sh (#3115)

target/scripts/startup/setup.d/security/misc.sh

@@ -0,0 +1,265 @@
+#!/bin/bash
+
+function _setup_security_stack
+{
+  _log 'debug' 'Setting up Security Stack'
+
+  # recreate auto-generated file
+  local DMS_AMAVIS_FILE=/etc/amavis/conf.d/61-dms_auto_generated
+
+  echo "# WARNING: this file is auto-generated." >"${DMS_AMAVIS_FILE}"
+  echo "use strict;" >>"${DMS_AMAVIS_FILE}"
+
+  # SpamAssassin
+  if [[ ${ENABLE_SPAMASSASSIN} -eq 0 ]]
+  then
+    _log 'debug' 'SpamAssassin is disabled'
+    echo "@bypass_spam_checks_maps = (1);" >>"${DMS_AMAVIS_FILE}"
+  elif [[ ${ENABLE_SPAMASSASSIN} -eq 1 ]]
+  then
+    _log 'debug' 'Enabling and configuring SpamAssassin'
+
+    # shellcheck disable=SC2016
+    sed -i -r 's|^\$sa_tag_level_deflt (.*);|\$sa_tag_level_deflt = '"${SA_TAG}"';|g' /etc/amavis/conf.d/20-debian_defaults
+
+    # shellcheck disable=SC2016
+    sed -i -r 's|^\$sa_tag2_level_deflt (.*);|\$sa_tag2_level_deflt = '"${SA_TAG2}"';|g' /etc/amavis/conf.d/20-debian_defaults
+
+    # shellcheck disable=SC2016
+    sed -i -r 's|^\$sa_kill_level_deflt (.*);|\$sa_kill_level_deflt = '"${SA_KILL}"';|g' /etc/amavis/conf.d/20-debian_defaults
+
+    if [[ ${SA_SPAM_SUBJECT} == 'undef' ]]
+    then
+      # shellcheck disable=SC2016
+      sed -i -r 's|^\$sa_spam_subject_tag (.*);|\$sa_spam_subject_tag = undef;|g' /etc/amavis/conf.d/20-debian_defaults
+    else
+      # shellcheck disable=SC2016
+      sed -i -r 's|^\$sa_spam_subject_tag (.*);|\$sa_spam_subject_tag = '"'${SA_SPAM_SUBJECT}'"';|g' /etc/amavis/conf.d/20-debian_defaults
+    fi
+
+    # activate short circuits when SA BAYES is certain it has spam or ham.
+    if [[ ${SA_SHORTCIRCUIT_BAYES_SPAM} -eq 1 ]]
+    then
+      # automatically activate the Shortcircuit Plugin
+      sed -i -r 's|^# loadplugin Mail::SpamAssassin::Plugin::Shortcircuit|loadplugin Mail::SpamAssassin::Plugin::Shortcircuit|g' /etc/spamassassin/v320.pre
+      sed -i -r 's|^# shortcircuit BAYES_99|shortcircuit BAYES_99|g' /etc/spamassassin/local.cf
+    fi
+
+    if [[ ${SA_SHORTCIRCUIT_BAYES_HAM} -eq 1 ]]
+    then
+      # automatically activate the Shortcircuit Plugin
+      sed -i -r 's|^# loadplugin Mail::SpamAssassin::Plugin::Shortcircuit|loadplugin Mail::SpamAssassin::Plugin::Shortcircuit|g' /etc/spamassassin/v320.pre
+      sed -i -r 's|^# shortcircuit BAYES_00|shortcircuit BAYES_00|g' /etc/spamassassin/local.cf
+    fi
+
+    if [[ -e /tmp/docker-mailserver/spamassassin-rules.cf ]]
+    then
+      cp /tmp/docker-mailserver/spamassassin-rules.cf /etc/spamassassin/
+    fi
+
+    if [[ ${SPAMASSASSIN_SPAM_TO_INBOX} -eq 1 ]]
+    then
+      _log 'trace' 'Configuring Spamassassin/Amavis to send SPAM to inbox'
+
+      sed -i "s|\$final_spam_destiny.*=.*$|\$final_spam_destiny = D_PASS;|g" /etc/amavis/conf.d/49-docker-mailserver
+      sed -i "s|\$final_bad_header_destiny.*=.*$|\$final_bad_header_destiny = D_PASS;|g" /etc/amavis/conf.d/49-docker-mailserver
+    else
+      _log 'trace' 'Configuring Spamassassin/Amavis to bounce SPAM'
+
+      sed -i "s|\$final_spam_destiny.*=.*$|\$final_spam_destiny = D_BOUNCE;|g" /etc/amavis/conf.d/49-docker-mailserver
+      sed -i "s|\$final_bad_header_destiny.*=.*$|\$final_bad_header_destiny = D_BOUNCE;|g" /etc/amavis/conf.d/49-docker-mailserver
+    fi
+
+    if [[ ${ENABLE_SPAMASSASSIN_KAM} -eq 1 ]]
+    then
+      _log 'trace' 'Configuring Spamassassin KAM'
+      local SPAMASSASSIN_KAM_CRON_FILE=/etc/cron.daily/spamassassin_kam
+
+      sa-update --import /etc/spamassassin/kam/kam.sa-channels.mcgrail.com.key
+
+      cat >"${SPAMASSASSIN_KAM_CRON_FILE}" <<"EOF"
+#!/bin/bash
+
+RESULT=$(sa-update --gpgkey 24C063D8 --channel kam.sa-channels.mcgrail.com 2>&1)
+EXIT_CODE=${?}
+
+# see https://spamassassin.apache.org/full/3.1.x/doc/sa-update.html#exit_codes
+if [[ ${EXIT_CODE} -ge 4 ]]
+then
+  echo -e "Updating SpamAssassin KAM failed:\n${RESULT}\n" >&2
+  exit 1
+fi
+
+exit 0
+
+EOF
+
+      chmod +x "${SPAMASSASSIN_KAM_CRON_FILE}"
+    fi
+  fi
+
+  # ClamAV
+  if [[ ${ENABLE_CLAMAV} -eq 0 ]]
+  then
+    _log 'debug' 'ClamAV is disabled'
+    echo '@bypass_virus_checks_maps = (1);' >>"${DMS_AMAVIS_FILE}"
+  elif [[ ${ENABLE_CLAMAV} -eq 1 ]]
+  then
+    _log 'debug' 'Enabling ClamAV'
+  fi
+
+  echo '1;  # ensure a defined return' >>"${DMS_AMAVIS_FILE}"
+  chmod 444 "${DMS_AMAVIS_FILE}"
+
+  # Fail2ban
+  if [[ ${ENABLE_FAIL2BAN} -eq 1 ]]
+  then
+    _log 'debug' 'Enabling Fail2Ban'
+
+    if [[ -e /tmp/docker-mailserver/fail2ban-fail2ban.cf ]]
+    then
+      cp /tmp/docker-mailserver/fail2ban-fail2ban.cf /etc/fail2ban/fail2ban.local
+    fi
+
+    if [[ -e /tmp/docker-mailserver/fail2ban-jail.cf ]]
+    then
+      cp /tmp/docker-mailserver/fail2ban-jail.cf /etc/fail2ban/jail.d/user-jail.local
+    fi
+  else
+    # disable logrotate config for fail2ban if not enabled
+    rm -f /etc/logrotate.d/fail2ban
+  fi
+
+  # fix cron.daily for spamassassin
+  sed -i \
+    's|invoke-rc.d spamassassin reload|/etc/init\.d/spamassassin reload|g' \
+    /etc/cron.daily/spamassassin
+
+  # Amavis
+  if [[ ${ENABLE_AMAVIS} -eq 1 ]]
+  then
+    _log 'debug' 'Enabling Amavis'
+    if [[ -f /tmp/docker-mailserver/amavis.cf ]]
+    then
+      cp /tmp/docker-mailserver/amavis.cf /etc/amavis/conf.d/50-user
+    fi
+
+    sed -i -E \
+      "s|(log_level).*|\1 = ${AMAVIS_LOGLEVEL};|g" \
+      /etc/amavis/conf.d/49-docker-mailserver
+  fi
+}
+
+function _setup_amavis
+{
+  if [[ ${ENABLE_AMAVIS} -eq 1 ]]
+  then
+    _log 'debug' 'Setting up Amavis'
+
+    cat /etc/dms/postfix/master.d/postfix-amavis.cf >>/etc/postfix/master.cf
+    postconf 'content_filter = smtp-amavis:[127.0.0.1]:10024'
+
+    sed -i \
+      "s|^#\$myhostname = \"mail.example.com\";|\$myhostname = \"${HOSTNAME}\";|" \
+      /etc/amavis/conf.d/05-node_id
+  else
+    _log 'debug' 'Disabling Amavis cron job'
+    mv /etc/cron.d/amavisd-new /etc/cron.d/amavisd-new.disabled
+    chmod 0 /etc/cron.d/amavisd-new.disabled
+
+    if [[ ${ENABLE_CLAMAV} -eq 1 ]] && [[ ${ENABLE_RSPAMD} -eq 0 ]]
+    then
+      _log 'warn' 'ClamAV will not work when Amavis & rspamd are disabled. Enable either Amavis or rspamd to fix it.'
+    fi
+
+    if [[ ${ENABLE_SPAMASSASSIN} -eq 1 ]]
+    then
+      _log 'warn' 'Spamassassin will not work when Amavis is disabled. Enable Amavis to fix it.'
+    fi
+  fi
+}
+
+function _setup_fail2ban
+{
+  _log 'debug' 'Setting up Fail2Ban'
+
+  if [[ ${FAIL2BAN_BLOCKTYPE} != 'reject' ]]
+  then
+    echo -e '[Init]\nblocktype = drop' >/etc/fail2ban/action.d/nftables-common.local
+  fi
+
+  echo '[Definition]' >/etc/fail2ban/filter.d/custom.conf
+}
+
+function _setup_postgrey
+{
+  _log 'debug' 'Configuring Postgrey'
+
+  sedfile -i -E \
+    's|(^smtpd_recipient_restrictions =.*)|\1, check_policy_service inet:127.0.0.1:10023|' \
+    /etc/postfix/main.cf
+
+  sed -i -e \
+    "s|\"--inet=127.0.0.1:10023\"|\"--inet=127.0.0.1:10023 --delay=${POSTGREY_DELAY} --max-age=${POSTGREY_MAX_AGE} --auto-whitelist-clients=${POSTGREY_AUTO_WHITELIST_CLIENTS}\"|" \
+    /etc/default/postgrey
+
+  TEXT_FOUND=$(grep -c -i 'POSTGREY_TEXT' /etc/default/postgrey)
+
+  if [[ ${TEXT_FOUND} -eq 0 ]]
+  then
+    printf 'POSTGREY_TEXT=\"%s\"\n\n' "${POSTGREY_TEXT}" >>/etc/default/postgrey
+  fi
+
+  if [[ -f /tmp/docker-mailserver/whitelist_clients.local ]]
+  then
+    cp -f /tmp/docker-mailserver/whitelist_clients.local /etc/postgrey/whitelist_clients.local
+  fi
+
+  if [[ -f /tmp/docker-mailserver/whitelist_recipients ]]
+  then
+    cp -f /tmp/docker-mailserver/whitelist_recipients /etc/postgrey/whitelist_recipients
+  fi
+}
+
+function _setup_postfix_postscreen
+{
+  _log 'debug' 'Configuring Postscreen'
+  sed -i \
+    -e "s|postscreen_dnsbl_action = enforce|postscreen_dnsbl_action = ${POSTSCREEN_ACTION}|" \
+    -e "s|postscreen_greet_action = enforce|postscreen_greet_action = ${POSTSCREEN_ACTION}|" \
+    -e "s|postscreen_bare_newline_action = enforce|postscreen_bare_newline_action = ${POSTSCREEN_ACTION}|" /etc/postfix/main.cf
+}
+
+
+function _setup_clamav_sizelimit
+{
+  _log 'trace' "Setting ClamAV message scan size limit to '${CLAMAV_MESSAGE_SIZE_LIMIT}'"
+  sedfile -i "s/^MaxFileSize.*/MaxFileSize ${CLAMAV_MESSAGE_SIZE_LIMIT}/" /etc/clamav/clamd.conf
+}
+
+
+function _setup_spoof_protection
+{
+  _log 'trace' 'Configuring spoof protection'
+  sed -i \
+    's|smtpd_sender_restrictions =|smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch,|' \
+    /etc/postfix/main.cf
+
+  if [[ ${ACCOUNT_PROVISIONER} == 'LDAP' ]]
+  then
+    if [[ -z ${LDAP_QUERY_FILTER_SENDERS} ]]
+    then
+      postconf 'smtpd_sender_login_maps = ldap:/etc/postfix/ldap-users.cf ldap:/etc/postfix/ldap-aliases.cf ldap:/etc/postfix/ldap-groups.cf'
+    else
+      postconf 'smtpd_sender_login_maps = ldap:/etc/postfix/ldap-senders.cf'
+    fi
+  else
+    if [[ -f /etc/postfix/regexp ]]
+    then
+      postconf 'smtpd_sender_login_maps = unionmap:{ texthash:/etc/postfix/virtual, hash:/etc/aliases, pcre:/etc/postfix/maps/sender_login_maps.pcre, pcre:/etc/postfix/regexp }'
+    else
+      postconf 'smtpd_sender_login_maps = texthash:/etc/postfix/virtual, hash:/etc/aliases, pcre:/etc/postfix/maps/sender_login_maps.pcre'
+    fi
+  fi
+}
+

target/scripts/startup/setup.d/security/rspamd.sh

@@ -0,0 +1,195 @@
+#!/bin/bash
+
+function _setup_rspamd
+{
+  _log 'warn' 'Rspamd integration is work in progress - expect (breaking) changes at any time'
+  _log 'debug' 'Enabling Rspamd'
+
+  __rspamd__preflight_checks
+  __rspamd__adjust_postfix_configuration
+  __rspamd__disable_default_modules
+  __rspamd__handle_modules_configuration
+}
+
+# Just a helper to prepend the log messages with `(Rspamd setup)` so
+# users know exactly where the message originated from.
+#
+# @param ${1} = log level
+# @param ${2} = message
+function __rspamd__log { _log "${1:-}" "(Rspamd setup) ${2:-}" ; }
+
+# Run miscellaneous checks against the current configuration so we can
+# properly handle integration into ClamAV, etc.
+#
+# This will also check whether Amavis is enabled and emit a warning as
+# we discourage users from running Amavis & Rspamd at the same time.
+function __rspamd__preflight_checks
+{
+  touch /var/lib/rspamd/stats.ucl
+
+  if [[ ${ENABLE_AMAVIS} -eq 1 ]] || [[ ${ENABLE_SPAMASSASSIN} -eq 1 ]]
+  then
+    __rspamd__log 'warn' 'Running Amavis/SA & Rspamd at the same time is discouraged'
+  fi
+
+  if [[ ${ENABLE_CLAMAV} -eq 1 ]]
+  then
+    __rspamd__log 'debug' 'Enabling ClamAV integration'
+    sedfile -i -E 's|^(enabled).*|\1 = true;|g' /etc/rspamd/local.d/antivirus.conf
+    # RSpamd uses ClamAV's UNIX socket, and to be able to read it, it must be in the same group
+    usermod -a -G clamav _rspamd
+  else
+    __rspamd__log 'debug' 'Rspamd will not use ClamAV (which has not been enabled)'
+  fi
+}
+
+# Adjust Postfix's configuration files. Append Rspamd at the end of
+# `smtpd_milters` in `main.cf`.
+function __rspamd__adjust_postfix_configuration
+{
+  postconf 'rspamd_milter = inet:localhost:11332'
+
+  # shellcheck disable=SC2016
+  sed -i -E 's|^(smtpd_milters =.*)|\1 \$rspamd_milter|g' /etc/postfix/main.cf
+}
+
+# Helper for explicitly enabling or disabling a specific module.
+#
+# @param ${1} = module name
+# @param ${2} = `true` when you want to enable the module (default),
+#               `false` when you want to disable the module [OPTIONAL]
+# @param ${3} = whether to use `local` (default) or `override` [OPTIONAL]
+function __rspamd__enable_disable_module
+{
+  local MODULE=${1:?Module name must be provided}
+  local ENABLE_MODULE=${2:-true}
+  local LOCAL_OR_OVERRIDE=${3:-local}
+  local MESSAGE='Enabling'
+
+  if [[ ! ${ENABLE_MODULE} =~ ^(true|false)$ ]]
+  then
+    __rspamd__log 'warn' "__rspamd__enable_disable_module got non-boolean argument for deciding whether module should be enabled or not"
+    return 1
+  fi
+
+  [[ ${ENABLE_MODULE} == true ]] || MESSAGE='Disabling'
+
+  __rspamd__log 'trace' "${MESSAGE} module '${MODULE}'"
+  cat >"/etc/rspamd/${LOCAL_OR_OVERRIDE}.d/${MODULE}.conf" << EOF
+# documentation: https://rspamd.com/doc/modules/${MODULE}.html
+
+enabled = ${ENABLE_MODULE};
+
+EOF
+}
+
+# Disables certain modules by default. This can be overwritten by the user later.
+# We disable the modules listed in `DISABLE_MODULES` as we believe these modules
+# are not commonly used and the average user does not need them. As a consequence,
+# disabling them saves resources.
+function __rspamd__disable_default_modules
+{
+  local DISABLE_MODULES=(
+    clickhouse
+    elastic
+    greylist
+    neural
+    reputation
+    spamassassin
+    url_redirector
+    metric_exporter
+  )
+
+  for MODULE in "${DISABLE_MODULES[@]}"
+  do
+    __rspamd__enable_disable_module "${MODULE}" 'false'
+  done
+}
+
+# Parses `RSPAMD_CUSTOM_COMMANDS_FILE` and executed the directives given by the file.
+# To get a detailed explanation of the commands and how the file works, visit
+# https://docker-mailserver.github.io/docker-mailserver/edge/config/security/rspamd/#with-the-help-of-a-custom-file
+function __rspamd__handle_modules_configuration
+{
+  # Adds an option with a corresponding value to a module, or, in case the option
+  # is already present, overwrites it.
+  #
+  # @param ${1} = file name in /etc/rspamd/override.d/
+  # @param ${2} = module name as it should appear in the log
+  # @patam ${3} = option name in the module
+  # @param ${4} = value of the option
+  #
+  # ## Note
+  #
+  # While this function is currently bound to the scope of `__rspamd__handle_modules_configuration`,
+  # it is written in a versatile way (taking 4 arguments instead of assuming `ARGUMENT2` / `ARGUMENT3`
+  # are set) so that it may be used elsewhere if needed.
+  function __add_or_replace
+  {
+    local MODULE_FILE=${1:?Module file name must be provided}
+    local MODULE_LOG_NAME=${2:?Module log name must be provided}
+    local OPTION=${3:?Option name must be provided}
+    local VALUE=${4:?Value belonging to an option must be provided}
+    # remove possible whitespace at the end (e.g., in case ${ARGUMENT3} is empty)
+    VALUE=${VALUE% }
+
+    local FILE="/etc/rspamd/override.d/${MODULE_FILE}"
+    [[ -f ${FILE} ]] || touch "${FILE}"
+
+    if grep -q -E "${OPTION}.*=.*" "${FILE}"
+    then
+      __rspamd__log 'trace' "Overwriting option '${OPTION}' with value '${VALUE}' for ${MODULE_LOG_NAME}"
+      sed -i -E "s|([[:space:]]*${OPTION}).*|\1 = ${VALUE};|g" "${FILE}"
+    else
+      __rspamd__log 'trace' "Setting option '${OPTION}' for ${MODULE_LOG_NAME} to '${VALUE}'"
+      echo "${OPTION} = ${VALUE};" >>"${FILE}"
+    fi
+  }
+
+  local RSPAMD_CUSTOM_COMMANDS_FILE='/tmp/docker-mailserver/rspamd-modules.conf'
+  if [[ -f "${RSPAMD_CUSTOM_COMMANDS_FILE}" ]]
+  then
+    __rspamd__log 'debug' "Found file 'rspamd-modules.conf' - parsing and applying it"
+
+    while read -r COMMAND ARGUMENT1 ARGUMENT2 ARGUMENT3
+    do
+      case "${COMMAND}" in
+
+        ('disable-module')
+          __rspamd__enable_disable_module "${ARGUMENT1}" 'false' 'override'
+          ;;
+
+        ('enable-module')
+          __rspamd__enable_disable_module "${ARGUMENT1}" 'true' 'override'
+          ;;
+
+        ('set-option-for-module')
+          __add_or_replace "${ARGUMENT1}.conf" "module '${ARGUMENT1}'" "${ARGUMENT2}" "${ARGUMENT3}"
+          ;;
+
+        ('set-option-for-controller')
+          __add_or_replace 'worker-controller.inc' 'controller worker' "${ARGUMENT1}" "${ARGUMENT2} ${ARGUMENT3}"
+          ;;
+
+        ('set-option-for-proxy')
+          __add_or_replace 'worker-proxy.inc' 'proxy worker' "${ARGUMENT1}" "${ARGUMENT2} ${ARGUMENT3}"
+          ;;
+
+        ('set-common-option')
+          __add_or_replace 'options.inc' 'common options' "${ARGUMENT1}" "${ARGUMENT2} ${ARGUMENT3}"
+          ;;
+
+        ('add-line')
+          __rspamd__log 'trace' "Adding complete line to '${ARGUMENT1}'"
+          echo "${ARGUMENT2} ${ARGUMENT3:-}" >>"/etc/rspamd/override.d/${ARGUMENT1}"
+          ;;
+
+        (*)
+          __rspamd__log 'warn' "Command '${COMMAND}' is invalid"
+          continue
+          ;;
+
+      esac
+    done < <(_get_valid_lines_from_file "${RSPAMD_CUSTOM_COMMANDS_FILE}")
+  fi
+}