enable spampd

.gitignore

@@ -4,4 +4,4 @@ ssl/certs
 ssl/tmp
 ssl/db
 */ssl
-*/postfix/relay_clientcerts
+relay_clientcerts

docker-compose.yml

@@ -88,6 +88,11 @@ services:
       - 8025:25
     volumes:
       - spool:/var/spool/postfix
+  spampd:
+    build: ./spampd
+    image: baloan/spampd
+    volumes:
+      - spamassassin:/var/lib/spamassassin
 networks:
   traefik:
     external: true
@@ -97,3 +102,4 @@ volumes:
   search:
   z-push:
   spool:
+  spamassassin:

postfix/Dockerfile.alpine

@@ -1,10 +0,0 @@
-# syntax=docker.io/docker/dockerfile:1.5.2
-FROM alpine:latest
-# install apt packages
-ENV TZ Europe/Berlin 
-RUN apk add --no-cache postfix spamassassin rsyslog logrotate xz
-COPY --chmod=0775 entrypoint.sh /entrypoint.sh
-EXPOSE 25
-VOLUME /var/spool/postfix
-ENTRYPOINT ["/entrypoint.sh"]
-CMD ["postfix", "start-fg"]

spampd/Dockerfile

@@ -0,0 +1,32 @@
+# syntax=docker.io/docker/dockerfile:1.5.2
+FROM ubuntu:20.04
+# install apt packages
+ENV TZ Europe/Berlin 
+RUN <<EOF
+apt-get update
+apt-get install -y spampd rsyslog iputils-ping
+# cleanup
+apt-get autoclean
+# rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* ~/.cache ~/.npm
+EOF
+RUN <<EOF
+sed -e's/LISTENHOST=127.0.0.1/LISTENHOST=0.0.0.0/' \
+  -e's/DESTHOST=127.0.0.1/DESTHOST=postfix/' \
+  -e's/CHILDREN=3/CHILDREN=2/' \
+  -e's|ADDOPTS=""|ADDOPTS="--homedir=/var/lib/spamassassin/.spamassassin"|' \
+  -i /etc/default/spampd
+sed -i '/imklog/s/^/#/' /etc/rsyslog.conf
+ln -sf /dev/stdout /var/log/syslog
+usermod debian-spamd -l spamd -s /bin/bash
+groupmod debian-spamd -n spamd
+mkdir /var/run/spampd
+chown spamd:spamd /var/run/spampd
+EOF
+COPY --chmod=0775 entrypoint.sh /entrypoint.sh
+EXPOSE 10025
+VOLUME /var/lib/spamassassin
+ENTRYPOINT ["/entrypoint.sh"]
+CMD ["/usr/sbin/spampd", "--nodetach", "--user=spamd", "--group=spamd", \
+  "--tagall", "--local-only", "--children=2", "--pid=/var/run/spampd/spampd.pid", \
+  "--port=10025", "--host=0.0.0.0", "--relayport=10026",  "--relayhost=postfix",  \
+  "--homedir=/var/lib/spamassassin/.spamassassin" ]

spampd/entrypoint.sh

@@ -0,0 +1,5 @@
+#!/usr/bin/env sh
+set -e
+/usr/sbin/rsyslogd
+su spamd -c "sa-update --gpghomedir /var/lib/spamassassin/sa-update-keys"
+exec "$@"

spampd/scratchpad.sh

@@ -0,0 +1,12 @@
+#!/usr/bin/bash
+# export DOCKER_BUILDKIT=1
+# docker run -d --name apache -p80:80 -v/root/kopano/dist:/var/www httpd
+docker rm spampd
+docker build -t spampd .
+docker run -it --rm --name spampd spampd
+docker logs -f spampd
+docker exec -it spampd sh
+
+docker container prune -f 
+docker kill spampd
+docker rm spampd

ssl/create-postfix-certs

@@ -7,6 +7,7 @@ pushd certs
 # https://www.postfix.org/postconf.5.html#relay_clientcerts
 openssl x509 -in $CN.crt -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -md5 -c | ( read D FP; echo $FP $CN ) >>relay_clientcerts
 cp $CN.key ~/kopano-docker/etc-$CN/ssl/private
-cp kopano-ca.crt ~/kopano-docker/etc-$CN/ssl/certs
+# https://ubuntu.com/server/docs/security-trust-store
+cp kopano-ca.crt ~/kopano-docker/etc-$CN/ssl/usr-local-share-ca-certificates
 cat kopano-ca.crt $CN.crt >~/kopano-docker/etc-$CN/ssl/$CN-full-chain.pem
 popd

todo

@@ -1,8 +1,8 @@
 ok - complete internal SSL key generation and injection
 ok - complete relay SSL key generation and injection (manual for distribution to relay)
+poc - enable spampd
 enable zntrl.de
 remove passwords from gitlab & docker
-add spamd
 check logging for all containers
 bareos mysql backup (mysqldump, or database shutdown during backup)
 recipe: how to add a domain (dns, postfix virtual domains, webapp, z-push)