From 718eac95ae783e17d6a521cefae8c308cd5d1487 Mon Sep 17 00:00:00 2001
From: Patrick Niebeling
Date: Wed, 20 Nov 2024 15:22:30 +0100
Subject: [PATCH] Build Experimental
Signed-off-by: Patrick Niebeling
---
.gitea/workflows/deploy.yaml | 44 ++++++-
Experimental/Dockerfile | 64 +++++----
Experimental/docker-entrypoint.sh | 197 ++++++++++++++++++++++++++++
Experimental/set_worker_password.sh | 12 ++
StableV2/Dockerfile | 3 -
5 files changed, 288 insertions(+), 32 deletions(-)
create mode 100644 Experimental/docker-entrypoint.sh
create mode 100644 Experimental/set_worker_password.sh
diff --git a/.gitea/workflows/deploy.yaml b/.gitea/workflows/deploy.yaml
index e4f3f01..98f900f 100644
--- a/.gitea/workflows/deploy.yaml
+++ b/.gitea/workflows/deploy.yaml
@@ -7,7 +7,7 @@ on:
- main
jobs:
- docker:
+ docker-build-stable:
runs-on: ubuntu-latest
steps:
- name: Checkout
@@ -31,8 +31,6 @@ jobs:
run: |
echo VERSION=$(git ls-remote --tags -q https://github.com/rspamd/rspamd | sed -n "s/^[[:xdigit:]]\{40\}[[:blank:]]refs\/tags\/\([0-9]\{1\}\.[0-9]\{1,2\}\($\|\.[0-9]\{1,2\}$\)\)/\1/p" | sort --version-sort | tail -1) | tee -a $GITHUB_OUTPUT
echo IMAGE_CREATED=$(date -u +"%Y-%m-%dT%H:%M:%SZ") | tee -a $GITHUB_OUTPUT
- - run: pwd
- - run: ls -lah
- name: Build and push
uses: docker/build-push-action@v6
with:
@@ -46,4 +44,42 @@ jobs:
IMAGE_CREATED=${{ steps.meta.outputs.IMAGE_CREATED }}
tags: |
${{ vars.DOCKER_REPO }}/${{ gitea.repository_owner }}/${{ vars.IMAGE_NAME }}
- ${{ vars.DOCKER_REPO }}/${{ gitea.repository_owner }}/${{ vars.IMAGE_NAME }}:${{ steps.meta.outputs.VERSION }}
\ No newline at end of file
+ ${{ vars.DOCKER_REPO }}/${{ gitea.repository_owner }}/${{ vars.IMAGE_NAME }}:${{ steps.meta.outputs.VERSION }}
+
+ docker-build-experimental:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v3
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Login to Docker Hub
+ uses: docker/login-action@v3
+ with:
+ registry: gitea.gnilebein.de
+ username: ${{ gitea.repository_owner }}
+ password: ${{ secrets.REG_GITEA_PASSWORD }}
+
+ - name: Get Meta
+ id: meta
+ run: |
+ echo VERSION=$(git ls-remote --tags -q https://github.com/rspamd/rspamd | sed -n "s/^[[:xdigit:]]\{40\}[[:blank:]]refs\/tags\/\([0-9]\{1\}\.[0-9]\{1,2\}\($\|\.[0-9]\{1,2\}$\)\)/\1/p" | sort --version-sort | tail -1) | tee -a $GITHUB_OUTPUT
+ echo IMAGE_CREATED=$(date -u +"%Y-%m-%dT%H:%M:%SZ") | tee -a $GITHUB_OUTPUT
+ - name: Build and push
+ uses: docker/build-push-action@v6
+ with:
+ context: ./Experimental
+ file: Experimental/Dockerfile
+ pull: false
+ push: true
+ no-cache: true
+ build-args: |
+ VERSION=${{ steps.meta.outputs.VERSION }}
+ IMAGE_CREATED=${{ steps.meta.outputs.IMAGE_CREATED }}
+ tags: |
+ ${{ vars.DOCKER_REPO }}/${{ gitea.repository_owner }}/${{ vars.IMAGE_NAME }}:experimental
\ No newline at end of file
diff --git a/Experimental/Dockerfile b/Experimental/Dockerfile
index ac6b531..3fb92d7 100644
--- a/Experimental/Dockerfile
+++ b/Experimental/Dockerfile
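Review bot: The new job passes `IMAGE_CREATED=${{ steps.meta.outputs.IMAGE_CREATED }}` as a build-arg, but the `Experimental/Dockerfile` in this same patch declares `ARG DATE` and labels `org.label-schema.build-date=$DATE`, so the timestamp never reaches the label and the build will warn about an unconsumed argument; either change that line to `DATE=${{ steps.meta.outputs.IMAGE_CREATED }}` or switch the Dockerfile to `ARG IMAGE_CREATED` (the stable job appears to have the same mismatch against `StableV2/Dockerfile`, as far as this diff shows). `no-cache: true` combined with `pull: false` rebuilds every layer but will not refresh `debian:stable-slim` on a runner that already holds it, so a persistent runner can keep shipping a base image with stale security patches; `pull: true` is the cheap fix. The step is labelled `Login to Docker Hub` while it authenticates to `gitea.gnilebein.de`, which is worth correcting, and every `uses:` is pinned to a floating major tag rather than a commit SHA, which exposes the registry credential held by this job to a compromised action release.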
@@ -1,13 +1,38 @@
FROM debian:stable-slim
-LABEL maintainer="gnilebein - "
+LABEL maintainer="gnilebein - "
+
+# Setup Labels
+ARG VERSION
+ARG DATE
# Set apt non-interactive
-ENV DEBIAN_FRONTEND noninteractive
+ENV DEBIAN_FRONTEND=noninteractive
+
+LABEL org.label-schema.name="Rspamd" \
+ org.label-schema.description="Rspamd Spam Filter - EXPERIMENTAL" \
+ org.label-schema.usage="https://gitea.gnilebein.de/gnilebein/-/packages/container/docker-rspamd/experimental" \
+ org.label-schema.url="https://rspamd.com" \
+ org.label-schema.vendor="gnilebein" \
+ org.label-schema.schema-version="1.0" \
+ org.label-schema.version=$VERSION \
+ org.label-schema.vcs-url="https://gitea.gnilebein.de/gnilebein/Docker-rspamd" \
+ org.label-schema.build-date=$DATE
# Install Rspamd
RUN set -x \
&& apt update \
- && apt --no-install-recommends install -y lsb-release wget gnupg openssl ca-certificates \
+ && apt --no-install-recommends install -y \
+ apt-transport-https \
+ dnsutils \
+ netcat-traditional \
+ lsb-release \
+ wget \
+ gnupg \
+ openssl \
+ ca-certificates \
+ nano \
+ less \
+ ca-certificates \
&& DEBIAN_CODE_NAME=`lsb_release -c -s` \
&& wget -O - https://rspamd.com/apt/gpg.key | apt-key add - \
&& echo "deb http://rspamd.com/apt/ $DEBIAN_CODE_NAME main" > /etc/apt/sources.list.d/rspamd.list \
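Review bot: The repository key is still installed with `wget -O - https://rspamd.com/apt/gpg.key | apt-key add -`, which puts it in the global trusted keyring so the rspamd key can sign packages for every configured source, and `apt-key` is deprecated on current Debian; scope it to the one source instead with `wget -qO- https://rspamd.com/apt/gpg.key | gpg --dearmor -o /usr/share/keyrings/rspamd.gpg` and `echo "deb [signed-by=/usr/share/keyrings/rspamd.gpg] https://rspamd.com/apt/ $DEBIAN_CODE_NAME main" > /etc/apt/sources.list.d/rspamd.list`. The sources line also uses plain `http://` even though the patch adds `apt-transport-https`; apt signatures protect package integrity, but the metadata fetch itself is then observable and replayable on the path, so use https there. The package list names `ca-certificates` twice, and `nano`, `less`, `netcat-traditional` and `dnsutils` enlarge the attack surface of a production image for no runtime benefit visible in this diff. The `RUN` instruction continues past the end of this hunk.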
@@ -16,42 +41,31 @@ RUN set -x \
&& apt --no-install-recommends install -y rspamd \
&& apt autoremove --purge -y \
&& apt clean \
- && rm -rf /var/lib/apt/lists/*
+ && rm -rf /var/lib/apt/lists/* \
+ && echo 'alias ll="ls -la --color"' >> ~/.bashrc
# Override default settings
COPY rspamd.conf.local.override /etc/rspamd/
COPY worker-controller.inc /etc/rspamd/override.d/
COPY worker-proxy.inc /etc/rspamd/override.d/
+COPY set_worker_password.sh /set_worker_password.sh
+COPY docker-entrypoint.sh /docker-entrypoint.sh
-# Keep database and configuration persistent
+# # Keep database and configuration persistent
VOLUME /etc/rspamd/local.d
+VOLUME /etc/rspamd/override.d
+VOLUME /etc/rspamd/custom
VOLUME /var/lib/rspamd
-# Port 11334 is for web frontend
-# Port 11332 is for milter
-# Port 11333 is for worker
-EXPOSE 11332 11334
+EXPOSE 11332 11333 11334
# Healtcheck if Rspamd is returning stats
HEALTHCHECK --interval=1m --timeout=5s --start-period=10s \
CMD /usr/bin/rspamadm control stat || exit 1
# Run Rspamd
-ENTRYPOINT ["/usr/bin/rspamd","-f","-u","_rspamd","-g","_rspamd"]
+ENTRYPOINT ["bash", "/docker-entrypoint.sh"]
-# Setup Labels
-ARG VERSION
-ARG COMMIT
-ARG BRANCH
-ARG DATE
+STOPSIGNAL SIGTERM
-LABEL org.label-schema.name="Rspamd" \
- org.label-schema.description="Rspamd Spam Filter - EXPERIMENTAL" \
- org.label-schema.usage="https://hub.docker.com/r/gnilebein/rspamd/" \
- org.label-schema.url="https://rspamd.com" \
- org.label-schema.vendor="gnilebein" \
- org.label-schema.schema-version="1.0" \
- org.label-schema.version=$VERSION \
- org.label-schema.vcs-url="https://github.com/rspamd/rspamd/" \
- org.label-schema.vcs-ref=$COMMIT \
- org.label-schema.build-date=$DATE \
+CMD ["/usr/bin/rspamd", "-f", "-u", "_rspamd", "-g", "_rspamd"]
\ No newline at end of file
diff --git a/Experimental/docker-entrypoint.sh b/Experimental/docker-entrypoint.sh
new file mode 100644
index 0000000..b94f8e4
--- /dev/null
+++ b/Experimental/docker-entrypoint.sh
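Review bot: `ENTRYPOINT ["bash", "/docker-entrypoint.sh"]` runs as root (no `USER` is set anywhere in this file), and the privilege drop that the old `ENTRYPOINT` hard-wired now lives only in the default `CMD`'s `-u _rspamd -g _rspamd`; any override of the command — a compose `command:`, `docker run … rspamd -f`, or a debugging shell — therefore runs rspamd as root inside the container. At minimum document that contract where the two instructions sit, e.g. `# Entrypoint stays root so it can fix volume ownership; the drop to _rspamd happens only via the -u/-g flags in CMD, so keep them on any override`. Separately, `VOLUME /etc/rspamd/override.d` is declared after `COPY worker-controller.inc` and `COPY worker-proxy.inc` into that directory, so a user bind-mount on that path silently hides both files; either say so in the README or ship those two files in a non-volume directory that the entrypoint copies from. `STOPSIGNAL SIGTERM` is Docker's default and can be dropped.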
@@ -0,0 +1,197 @@ +#!/bin/bash + +chmod 755 /var/lib/rspamd + +[[ ! -f /etc/rspamd/override.d/worker-controller-password.inc ]] && echo '# Autogenerated' >/etc/rspamd/override.d/worker-controller-password.inc + +mkdir -p /etc/rspamd/custom + +# If DQS KEY is set in mailcow.conf add Spamhaus DQS RBLs +if [[ ! -z ${SPAMHAUS_DQS_KEY} ]]; then + cat </etc/rspamd/custom/dqs-rbl.conf + # Autogenerated by mailcow. DO NOT TOUCH! + spamhaus { + rbl = "${SPAMHAUS_DQS_KEY}.zen.dq.spamhaus.net"; + from = false; + } + spamhaus_from { + from = true; + received = false; + rbl = "${SPAMHAUS_DQS_KEY}.zen.dq.spamhaus.net"; + returncodes { + SPAMHAUS_ZEN = [ "127.0.0.2", "127.0.0.3", "127.0.0.4", "127.0.0.5", "127.0.0.6", "127.0.0.7", "127.0.0.9", "127.0.0.10", "127.0.0.11" ]; + } + } + spamhaus_authbl_received { + # Check if the sender client is listed in AuthBL (AuthBL is *not* part of ZEN) + rbl = "${SPAMHAUS_DQS_KEY}.authbl.dq.spamhaus.net"; + from = false; + received = true; + ipv6 = true; + returncodes { + SH_AUTHBL_RECEIVED = "127.0.0.20" + } + } + spamhaus_dbl { + # Add checks on the HELO string + rbl = "${SPAMHAUS_DQS_KEY}.dbl.dq.spamhaus.net"; + helo = true; + rdns = true; + dkim = true; + disable_monitoring = true; + returncodes { + RBL_DBL_SPAM = "127.0.1.2"; + RBL_DBL_PHISH = "127.0.1.4"; + RBL_DBL_MALWARE = "127.0.1.5"; + RBL_DBL_BOTNET = "127.0.1.6"; + RBL_DBL_ABUSED_SPAM = "127.0.1.102"; + RBL_DBL_ABUSED_PHISH = "127.0.1.104"; + RBL_DBL_ABUSED_MALWARE = "127.0.1.105"; + RBL_DBL_ABUSED_BOTNET = "127.0.1.106"; + RBL_DBL_DONT_QUERY_IPS = "127.0.1.255"; + } + } + spamhaus_dbl_fullurls { + ignore_defaults = true; + no_ip = true; + rbl = "${SPAMHAUS_DQS_KEY}.dbl.dq.spamhaus.net"; + selector = 'urls:get_host' + disable_monitoring = true; + returncodes { + DBLABUSED_SPAM_FULLURLS = "127.0.1.102"; + DBLABUSED_PHISH_FULLURLS = "127.0.1.104"; + DBLABUSED_MALWARE_FULLURLS = "127.0.1.105"; + DBLABUSED_BOTNET_FULLURLS = "127.0.1.106"; + } + } + spamhaus_zrd { + # Add checks on the 
HELO string also for DQS + rbl = "${SPAMHAUS_DQS_KEY}.zrd.dq.spamhaus.net"; + helo = true; + rdns = true; + dkim = true; + disable_monitoring = true; + returncodes { + RBL_ZRD_VERY_FRESH_DOMAIN = ["127.0.2.2", "127.0.2.3", "127.0.2.4"]; + RBL_ZRD_FRESH_DOMAIN = [ + "127.0.2.5", "127.0.2.6", "127.0.2.7", "127.0.2.8", "127.0.2.9", "127.0.2.10", "127.0.2.11", "127.0.2.12", "127.0.2.13", "127.0.2.14", "127.0.2.15", "127.0.2.16", "127.0.2.17", "127.0.2.18", "127.0.2.19", "127.0.2.20", "127.0.2.21", "127.0.2.22", "127.0.2.23", "127.0.2.24" + ]; + RBL_ZRD_DONT_QUERY_IPS = "127.0.2.255"; + } + } + "SPAMHAUS_ZEN_URIBL" { + enabled = true; + rbl = "${SPAMHAUS_DQS_KEY}.zen.dq.spamhaus.net"; + resolve_ip = true; + checks = ['urls']; + replyto = true; + emails = true; + ipv4 = true; + ipv6 = true; + emails_domainonly = true; + returncodes { + URIBL_SBL = "127.0.0.2"; + URIBL_SBL_CSS = "127.0.0.3"; + URIBL_XBL = ["127.0.0.4", "127.0.0.5", "127.0.0.6", "127.0.0.7"]; + URIBL_PBL = ["127.0.0.10", "127.0.0.11"]; + URIBL_DROP = "127.0.0.9"; + } + } + SH_EMAIL_DBL { + ignore_defaults = true; + replyto = true; + emails_domainonly = true; + disable_monitoring = true; + rbl = "${SPAMHAUS_DQS_KEY}.dbl.dq.spamhaus.net"; + returncodes = { + SH_EMAIL_DBL = [ + "127.0.1.2", + "127.0.1.4", + "127.0.1.5", + "127.0.1.6" + ]; + SH_EMAIL_DBL_ABUSED = [ + "127.0.1.102", + "127.0.1.104", + "127.0.1.105", + "127.0.1.106" + ]; + SH_EMAIL_DBL_DONT_QUERY_IPS = [ "127.0.1.255" ]; + } + } + SH_EMAIL_ZRD { + ignore_defaults = true; + replyto = true; + emails_domainonly = true; + disable_monitoring = true; + rbl = "${SPAMHAUS_DQS_KEY}.zrd.dq.spamhaus.net"; + returncodes = { + SH_EMAIL_ZRD_VERY_FRESH_DOMAIN = ["127.0.2.2", "127.0.2.3", "127.0.2.4"]; + SH_EMAIL_ZRD_FRESH_DOMAIN = [ + "127.0.2.5", "127.0.2.6", "127.0.2.7", "127.0.2.8", "127.0.2.9", "127.0.2.10", "127.0.2.11", "127.0.2.12", "127.0.2.13", "127.0.2.14", "127.0.2.15", "127.0.2.16", "127.0.2.17", "127.0.2.18", "127.0.2.19", "127.0.2.20", 
"127.0.2.21", "127.0.2.22", "127.0.2.23", "127.0.2.24" + ]; + SH_EMAIL_ZRD_DONT_QUERY_IPS = [ "127.0.2.255" ]; + } + } + "DBL" { + # override the defaults for DBL defined in modules.d/rbl.conf + rbl = "${SPAMHAUS_DQS_KEY}.dbl.dq.spamhaus.net"; + disable_monitoring = true; + } + "ZRD" { + ignore_defaults = true; + rbl = "${SPAMHAUS_DQS_KEY}.zrd.dq.spamhaus.net"; + no_ip = true; + dkim = true; + emails = true; + emails_domainonly = true; + urls = true; + returncodes = { + ZRD_VERY_FRESH_DOMAIN = ["127.0.2.2", "127.0.2.3", "127.0.2.4"]; + ZRD_FRESH_DOMAIN = ["127.0.2.5", "127.0.2.6", "127.0.2.7", "127.0.2.8", "127.0.2.9", "127.0.2.10", "127.0.2.11", "127.0.2.12", "127.0.2.13", "127.0.2.14", "127.0.2.15", "127.0.2.16", "127.0.2.17", "127.0.2.18", "127.0.2.19", "127.0.2.20", "127.0.2.21", "127.0.2.22", "127.0.2.23", "127.0.2.24"]; + } + } + spamhaus_sbl_url { + ignore_defaults = true + rbl = "${SPAMHAUS_DQS_KEY}.sbl.dq.spamhaus.net"; + checks = ['urls']; + disable_monitoring = true; + returncodes { + SPAMHAUS_SBL_URL = "127.0.0.2"; + } + } + + SH_HBL_EMAIL { + ignore_defaults = true; + rbl = "_email.${SPAMHAUS_DQS_KEY}.hbl.dq.spamhaus.net"; + emails_domainonly = false; + selector = "from('smtp').lower;from('mime').lower"; + ignore_whitelist = true; + checks = ['emails', 'replyto']; + hash = "sha1"; + returncodes = { + SH_HBL_EMAIL = [ + "127.0.3.2" + ]; + } + } + + spamhaus_dqs_hbl { + symbol = "HBL_FILE_UNKNOWN"; + rbl = "_file.${SPAMHAUS_DQS_KEY}.hbl.dq.spamhaus.net."; + selector = "attachments('rbase32', 'sha256')"; + ignore_whitelist = true; + ignore_defaults = true; + returncodes { + SH_HBL_FILE_MALICIOUS = "127.0.3.10"; + SH_HBL_FILE_SUSPICIOUS = "127.0.3.15"; + } + } +EOF +else + rm -rf /etc/rspamd/custom/dqs-rbl.conf +fi + +chown -R _rspamd:_rspamd /var/lib/rspamd /etc/rspamd/ + +exec "$@" \ No newline at end of file diff --git a/Experimental/set_worker_password.sh b/Experimental/set_worker_password.sh new file mode 100644 index 0000000..7205e88 --- /dev/null 
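Review bot: `chown -R _rspamd:_rspamd /var/lib/rspamd /etc/rspamd/` at the end of the script hands the entire configuration tree, including `override.d` and the generated `worker-controller-password.inc`, to the unprivileged service account, so a compromised rspamd worker can rewrite its own configuration and Lua rules and persist across restarts; only `/var/lib/rspamd` needs to be writable, so reduce the line to `chown -R _rspamd:_rspamd /var/lib/rspamd` and keep `/etc/rspamd` root-owned and readable. The generated `/etc/rspamd/custom/dqs-rbl.conf` embeds `SPAMHAUS_DQS_KEY`, a paid credential, with whatever the default umask yields (typically world-readable) — add `chmod 640 /etc/rspamd/custom/dqs-rbl.conf` right after writing it. Because the heredoc is unquoted, a key value containing `$(…)` or backticks is executed by the shell when the file is written; validate it first with something like `[[ ${SPAMHAUS_DQS_KEY} =~ ^[A-Za-z0-9]+$ ]] || { echo 'invalid SPAMHAUS_DQS_KEY' >&2; exit 1; }`. The script has no `set -euo pipefail`, so a failed `mkdir` or `cat` still `exec`s rspamd with a partial config, and the `# Autogenerated by mailcow. DO NOT TOUCH!` comment is carried over from mailcow and misleading in this image. The redirection on the `cat` line looks garbled in this rendering (`cat </etc/rspamd/custom/dqs-rbl.conf`); presumably the real file reads `cat <<EOF >/etc/rspamd/custom/dqs-rbl.conf`, which is worth confirming since everything above depends on it.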
+++ b/Experimental/set_worker_password.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+password_file='/etc/rspamd/override.d/worker-controller-password.inc'
+password_hash=`/usr/bin/rspamadm pw -e -p $1`
+
+echo 'enable_password = "'$password_hash'";' > $password_file
+
+if grep -q "$password_hash" "$password_file"; then
+ echo "OK"
+else
+ echo "ERROR"
+fi
\ No newline at end of file
diff --git a/StableV2/Dockerfile b/StableV2/Dockerfile
index c7a1af4..96ac7db 100644
--- a/StableV2/Dockerfile
+++ b/StableV2/Dockerfile
@@ -3,10 +3,7 @@ LABEL maintainer="gnilebein - "
# Setup Labels
ARG VERSION
-ARG COMMIT
-ARG BRANCH
ARG DATE
-ARG DEBIAN_FRONTEND=noninteractive
# Set apt non-interactive
ENV DEBIAN_FRONTEND=noninteractive
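Review bot: The password arrives as `$1` and is handed to `rspamadm pw -e -p $1`, so it is visible to every local user through `ps`/`/proc` for the duration of the call and ends up in shell history, and because `$1` is unquoted a password containing spaces or glob characters is split or expanded before rspamadm sees it; at minimum quote it, `password_hash=$(/usr/bin/rspamadm pw -e -p "$1")`, and preferably read it from stdin or an interactive prompt rather than the command line (`rspamadm pw` prompts when `-p` is omitted, as far as I recall — verify). The check `grep -q "$password_hash"` treats the hash as a regular expression even though rspamd hashes contain `$` and other metacharacters, so use `grep -qF -- "$password_hash" "$password_file"`, and guard the argument count up front with `[[ $# -eq 1 ]] || { echo 'usage: set_worker_password.sh <password>' >&2; exit 1; }`. The `ERROR` branch also exits 0, so a caller cannot detect failure; add `exit 1` there, and consider `chmod 640 "$password_file"` after writing, since the file is created with the default umask in a directory this patch also makes a volume.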