diff --git a/Stable/hooks/build b/Stable/hooks/build
index f7670db..bff954c 100644
--- a/Stable/hooks/build
+++ b/Stable/hooks/build
@@ -9,6 +9,8 @@ VERSION=$(git ls-remote --tags -q https://github.com/rspamd/rspamd | sed -n "s/^
 IMAGE_NAME=docker-rspamd
+zip -r config
+
 docker build \
 --build-arg VERSION=${VERSION} \
 --build-arg COMMIT=$(git ls-remote --tags -q https://github.com/rspamd/rspamd | sed -n "s/^\([[:xdigit:]]\{40\}\)[[:blank:]]refs\/tags\/${VERSION}^{}$/\1/p" | xargs git rev-parse --short) \
diff --git a/Stable2.0/Dockerfile b/Stable2.0/Dockerfile
new file mode 100644
index 0000000..ba38408
--- /dev/null
+++ b/Stable2.0/Dockerfile
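Review bot: The added `zip -r config` names only the archive and gives zip no input path, so as far as I can tell it exits with "Nothing to do" and, because the hook has no `set -e`, the build simply carries on without the archive. If a `config` directory is meant to be bundled, the line needs a source operand, `zip -r config.zip config`, and the hook should start with `set -euo pipefail` so a failed step stops the build. Nothing else in this commit consumes a zip archive, so this may also be a stray local change worth dropping. The enclosing script starts before this hunk.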
@@ -0,0 +1,78 @@
+FROM debian:stable-slim
+LABEL maintainer="gnilebein - "
+
+# Setup Labels
+ARG VERSION
+ARG COMMIT
+ARG BRANCH
+ARG DATE
+ARG DEBIAN_FRONTEND=noninteractive
+
+# Set apt non-interactive
+ENV DEBIAN_FRONTEND=noninteractive
+
+LABEL org.label-schema.name="Rspamd" \
+ org.label-schema.description="Rspamd Spam Filter - STABLE" \
+ org.label-schema.usage="https://hub.docker.com/r/gnilebein/rspamd/" \
+ org.label-schema.url="https://rspamd.com" \
+ org.label-schema.vendor="gnilebein" \
+ org.label-schema.schema-version="1.0" \
+ org.label-schema.version=$VERSION \
+ org.label-schema.vcs-url="https://github.com/rspamd/rspamd/" \
+ org.label-schema.vcs-ref=$COMMIT \
+ org.label-schema.build-date=$DATE
+
+# Install Rspamd
+RUN set -x \
+ && apt update \
+ && apt --no-install-recommends install -y \
+ apt-transport-https \
+ dnsutils \
+ netcat-traditional \
+ lsb-release \
+ wget \
+ gnupg \
+ openssl \
+ ca-certificates \
+ nano \
+ less \
+ ca-certificates \
+ && DEBIAN_CODE_NAME=`lsb_release -c -s` \
+ && wget -O - https://rspamd.com/apt-stable/gpg.key | apt-key add - \
+ && echo "deb http://rspamd.com/apt-stable/ $DEBIAN_CODE_NAME main" > /etc/apt/sources.list.d/rspamd.list \
+ && apt purge -y lsb-release wget gnupg \
+ && apt update \
+ && apt --no-install-recommends install -y rspamd \
+ && apt autoremove --purge -y \
+ && apt clean \
+ && rm -rf /var/lib/apt/lists/* \
+ && echo 'alias ll="ls -la --color"' >> ~/.bashrc
+
+# Override default settings
+COPY rspamd.conf.local.override /etc/rspamd/
+COPY worker-controller.inc /etc/rspamd/override.d/
+COPY worker-proxy.inc /etc/rspamd/override.d/
+COPY set_worker_password.sh /set_worker_password.sh
+COPY docker-entrypoint.sh /docker-entrypoint.sh
+
+# # Keep database and configuration persistent
+# VOLUME /etc/rspamd/local.d
+# VOLUME /etc/rspamd/override.d
+# VOLUME /etc/rspamd/custom
+# VOLUME /var/lib/rspamd
+
+# Port 11334 is for web frontend
+# Port 11332 is for milter
+# Port 11333 is for worker
+EXPOSE 11332 11333 11334
+
+# Healtcheck if Rspamd is returning stats
+HEALTHCHECK --interval=1m --timeout=5s --start-period=10s \
+ CMD /usr/bin/rspamadm control stat || exit 1
+
+# Run Rspamd
+ENTRYPOINT ["bash", "/docker-entrypoint.sh"]
+
+STOPSIGNAL SIGTERM
+
+CMD ["/usr/bin/rspamd", "-f", "-u", "_rspamd", "-g", "_rspamd"]
\ No newline at end of file
diff --git a/Stable2.0/docker-entrypoint.sh b/Stable2.0/docker-entrypoint.sh
new file mode 100644
index 0000000..b94f8e4
--- /dev/null
+++ b/Stable2.0/docker-entrypoint.sh
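Review bot: The repository signing key in the RUN block is trusted without verification: `wget -O - https://rspamd.com/apt-stable/gpg.key | apt-key add -` registers whatever the download returns as a trusted key for every apt source, and the following `deb http://rspamd.com/apt-stable/ ...` line then fetches packages over plain HTTP. Check the key's fingerprint against a value recorded in the Dockerfile, keep it in a dedicated keyring referenced via `signed-by=`, and use `https://` in the sources line (`apt-transport-https` is already installed for exactly that, and the check must run before `wget` and `gnupg` are purged). Smaller points in the same block: `ca-certificates` is listed twice, `apt` should be `apt-get` in scripts since `apt`'s CLI is not stable, and `ENV DEBIAN_FRONTEND=noninteractive` bakes a build-only setting into the runtime environment although the `ARG` two lines above already covers the build. The fingerprint below is a placeholder to be replaced with the publisher's documented value.

```dockerfile
# … unchanged: apt-get install of the package list above …
 && DEBIAN_CODE_NAME=`lsb_release -c -s` \
 && wget -qO- https://rspamd.com/apt-stable/gpg.key | gpg --dearmor -o /usr/share/keyrings/rspamd.gpg \
 && gpg --no-default-keyring --keyring /usr/share/keyrings/rspamd.gpg --with-colons --fingerprint \
    | grep -q "^fpr:.*:<RSPAMD_KEY_FINGERPRINT_PLACEHOLDER>:$" \
 && echo "deb [signed-by=/usr/share/keyrings/rspamd.gpg] https://rspamd.com/apt-stable/ $DEBIAN_CODE_NAME main" > /etc/apt/sources.list.d/rspamd.list \
# … unchanged: purge of lsb-release wget gnupg, rspamd install, cleanup …
```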
@@ -0,0 +1,197 @@
+#!/bin/bash
+
+chmod 755 /var/lib/rspamd
+
+[[ ! -f /etc/rspamd/override.d/worker-controller-password.inc ]] && echo '# Autogenerated' >/etc/rspamd/override.d/worker-controller-password.inc
+
+mkdir -p /etc/rspamd/custom
+
+# If DQS KEY is set in mailcow.conf add Spamhaus DQS RBLs
+if [[ ! -z ${SPAMHAUS_DQS_KEY} ]]; then
+ cat </etc/rspamd/custom/dqs-rbl.conf
+ # Autogenerated by mailcow. DO NOT TOUCH!
+ spamhaus {
+ rbl = "${SPAMHAUS_DQS_KEY}.zen.dq.spamhaus.net";
+ from = false;
+ }
+ spamhaus_from {
+ from = true;
+ received = false;
+ rbl = "${SPAMHAUS_DQS_KEY}.zen.dq.spamhaus.net";
+ returncodes {
+ SPAMHAUS_ZEN = [ "127.0.0.2", "127.0.0.3", "127.0.0.4", "127.0.0.5", "127.0.0.6", "127.0.0.7", "127.0.0.9", "127.0.0.10", "127.0.0.11" ];
+ }
+ }
+ spamhaus_authbl_received {
+ # Check if the sender client is listed in AuthBL (AuthBL is *not* part of ZEN)
+ rbl = "${SPAMHAUS_DQS_KEY}.authbl.dq.spamhaus.net";
+ from = false;
+ received = true;
+ ipv6 = true;
+ returncodes {
+ SH_AUTHBL_RECEIVED = "127.0.0.20"
+ }
+ }
+ spamhaus_dbl {
+ # Add checks on the HELO string
+ rbl = "${SPAMHAUS_DQS_KEY}.dbl.dq.spamhaus.net";
+ helo = true;
+ rdns = true;
+ dkim = true;
+ disable_monitoring = true;
+ returncodes {
+ RBL_DBL_SPAM = "127.0.1.2";
+ RBL_DBL_PHISH = "127.0.1.4";
+ RBL_DBL_MALWARE = "127.0.1.5";
+ RBL_DBL_BOTNET = "127.0.1.6";
+ RBL_DBL_ABUSED_SPAM = "127.0.1.102";
+ RBL_DBL_ABUSED_PHISH = "127.0.1.104";
+ RBL_DBL_ABUSED_MALWARE = "127.0.1.105";
+ RBL_DBL_ABUSED_BOTNET = "127.0.1.106";
+ RBL_DBL_DONT_QUERY_IPS = "127.0.1.255";
+ }
+ }
+ spamhaus_dbl_fullurls {
+ ignore_defaults = true;
+ no_ip = true;
+ rbl = "${SPAMHAUS_DQS_KEY}.dbl.dq.spamhaus.net";
+ selector = 'urls:get_host'
+ disable_monitoring = true;
+ returncodes {
+ DBLABUSED_SPAM_FULLURLS = "127.0.1.102";
+ DBLABUSED_PHISH_FULLURLS = "127.0.1.104";
+ DBLABUSED_MALWARE_FULLURLS = "127.0.1.105";
+ DBLABUSED_BOTNET_FULLURLS = "127.0.1.106";
+ }
+ }
+ spamhaus_zrd {
+ # Add checks on the HELO string also for DQS
+ rbl = "${SPAMHAUS_DQS_KEY}.zrd.dq.spamhaus.net";
+ helo = true;
+ rdns = true;
+ dkim = true;
+ disable_monitoring = true;
+ returncodes {
+ RBL_ZRD_VERY_FRESH_DOMAIN = ["127.0.2.2", "127.0.2.3", "127.0.2.4"];
+ RBL_ZRD_FRESH_DOMAIN = [
+ "127.0.2.5", "127.0.2.6", "127.0.2.7", "127.0.2.8", "127.0.2.9", "127.0.2.10", "127.0.2.11", "127.0.2.12", "127.0.2.13", "127.0.2.14", "127.0.2.15", "127.0.2.16", "127.0.2.17", "127.0.2.18", "127.0.2.19", "127.0.2.20", "127.0.2.21", "127.0.2.22", "127.0.2.23", "127.0.2.24"
+ ];
+ RBL_ZRD_DONT_QUERY_IPS = "127.0.2.255";
+ }
+ }
+ "SPAMHAUS_ZEN_URIBL" {
+ enabled = true;
+ rbl = "${SPAMHAUS_DQS_KEY}.zen.dq.spamhaus.net";
+ resolve_ip = true;
+ checks = ['urls'];
+ replyto = true;
+ emails = true;
+ ipv4 = true;
+ ipv6 = true;
+ emails_domainonly = true;
+ returncodes {
+ URIBL_SBL = "127.0.0.2";
+ URIBL_SBL_CSS = "127.0.0.3";
+ URIBL_XBL = ["127.0.0.4", "127.0.0.5", "127.0.0.6", "127.0.0.7"];
+ URIBL_PBL = ["127.0.0.10", "127.0.0.11"];
+ URIBL_DROP = "127.0.0.9";
+ }
+ }
+ SH_EMAIL_DBL {
+ ignore_defaults = true;
+ replyto = true;
+ emails_domainonly = true;
+ disable_monitoring = true;
+ rbl = "${SPAMHAUS_DQS_KEY}.dbl.dq.spamhaus.net";
+ returncodes = {
+ SH_EMAIL_DBL = [
+ "127.0.1.2",
+ "127.0.1.4",
+ "127.0.1.5",
+ "127.0.1.6"
+ ];
+ SH_EMAIL_DBL_ABUSED = [
+ "127.0.1.102",
+ "127.0.1.104",
+ "127.0.1.105",
+ "127.0.1.106"
+ ];
+ SH_EMAIL_DBL_DONT_QUERY_IPS = [ "127.0.1.255" ];
+ }
+ }
+ SH_EMAIL_ZRD {
+ ignore_defaults = true;
+ replyto = true;
+ emails_domainonly = true;
+ disable_monitoring = true;
+ rbl = "${SPAMHAUS_DQS_KEY}.zrd.dq.spamhaus.net";
+ returncodes = {
+ SH_EMAIL_ZRD_VERY_FRESH_DOMAIN = ["127.0.2.2", "127.0.2.3", "127.0.2.4"];
+ SH_EMAIL_ZRD_FRESH_DOMAIN = [
+ "127.0.2.5", "127.0.2.6", "127.0.2.7", "127.0.2.8", "127.0.2.9", "127.0.2.10", "127.0.2.11", "127.0.2.12", "127.0.2.13", "127.0.2.14", "127.0.2.15", "127.0.2.16", "127.0.2.17", "127.0.2.18", "127.0.2.19", "127.0.2.20", "127.0.2.21", "127.0.2.22", "127.0.2.23", "127.0.2.24"
+ ];
+ SH_EMAIL_ZRD_DONT_QUERY_IPS = [ "127.0.2.255" ];
+ }
+ }
+ "DBL" {
+ # override the defaults for DBL defined in modules.d/rbl.conf
+ rbl = "${SPAMHAUS_DQS_KEY}.dbl.dq.spamhaus.net";
+ disable_monitoring = true;
+ }
+ "ZRD" {
+ ignore_defaults = true;
+ rbl = "${SPAMHAUS_DQS_KEY}.zrd.dq.spamhaus.net";
+ no_ip = true;
+ dkim = true;
+ emails = true;
+ emails_domainonly = true;
+ urls = true;
+ returncodes = {
+ ZRD_VERY_FRESH_DOMAIN = ["127.0.2.2", "127.0.2.3", "127.0.2.4"];
+ ZRD_FRESH_DOMAIN = ["127.0.2.5", "127.0.2.6", "127.0.2.7", "127.0.2.8", "127.0.2.9", "127.0.2.10", "127.0.2.11", "127.0.2.12", "127.0.2.13", "127.0.2.14", "127.0.2.15", "127.0.2.16", "127.0.2.17", "127.0.2.18", "127.0.2.19", "127.0.2.20", "127.0.2.21", "127.0.2.22", "127.0.2.23", "127.0.2.24"];
+ }
+ }
+ spamhaus_sbl_url {
+ ignore_defaults = true
+ rbl = "${SPAMHAUS_DQS_KEY}.sbl.dq.spamhaus.net";
+ checks = ['urls'];
+ disable_monitoring = true;
+ returncodes {
+ SPAMHAUS_SBL_URL = "127.0.0.2";
+ }
+ }
+
+ SH_HBL_EMAIL {
+ ignore_defaults = true;
+ rbl = "_email.${SPAMHAUS_DQS_KEY}.hbl.dq.spamhaus.net";
+ emails_domainonly = false;
+ selector = "from('smtp').lower;from('mime').lower";
+ ignore_whitelist = true;
+ checks = ['emails', 'replyto'];
+ hash = "sha1";
+ returncodes = {
+ SH_HBL_EMAIL = [
+ "127.0.3.2"
+ ];
+ }
+ }
+
+ spamhaus_dqs_hbl {
+ symbol = "HBL_FILE_UNKNOWN";
+ rbl = "_file.${SPAMHAUS_DQS_KEY}.hbl.dq.spamhaus.net.";
+ selector = "attachments('rbase32', 'sha256')";
+ ignore_whitelist = true;
+ ignore_defaults = true;
+ returncodes {
+ SH_HBL_FILE_MALICIOUS = "127.0.3.10";
+ SH_HBL_FILE_SUSPICIOUS = "127.0.3.15";
+ }
+ }
+EOF
+else
+ rm -rf /etc/rspamd/custom/dqs-rbl.conf
+fi
+
+chown -R _rspamd:_rspamd /var/lib/rspamd /etc/rspamd/
+
+exec "$@"
\ No newline at end of file
diff --git a/Stable2.0/hooks/build b/Stable2.0/hooks/build
new file mode 100644
index 0000000..fdce536
--- /dev/null
+++ b/Stable2.0/hooks/build
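Review bot: `${SPAMHAUS_DQS_KEY}` is expanded unchecked into the heredoc that writes `/etc/rspamd/custom/dqs-rbl.conf`, and the file is created with the default umask, so a value containing `"` or `;` silently breaks the rbl configuration and the key, which is a per-customer credential, ends up readable by every user in the container (the later `chown -R _rspamd:_rspamd` changes ownership, not mode). Validate the value before expanding it, `[[ "$SPAMHAUS_DQS_KEY" =~ ^[[:alnum:]]+$ ]] || { echo "SPAMHAUS_DQS_KEY has unexpected format" >&2; exit 1; }`, and follow the heredoc with `chmod 640 /etc/rspamd/custom/dqs-rbl.conf` (or set `umask 077` first). The `cat </etc/rspamd/custom/dqs-rbl.conf` line looks garbled in this view; given the closing `EOF` it is presumably `cat <<EOF >/etc/rspamd/custom/dqs-rbl.conf`, worth confirming in the actual file. The script also has no `set -e`, so a failed `mkdir -p` or `chown` does not stop `exec "$@"` from starting rspamd on a half-prepared tree.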
@@ -0,0 +1,18 @@
+#!/bin/bash
+# hooks/build
+# https://docs.docker.com/docker-cloud/builds/advanced/
+
+# $IMAGE_NAME var is injected into the build so the tag is correct.
+echo "[***] Build hook running"
+
+VERSION=$(git ls-remote --tags -q https://github.com/rspamd/rspamd | sed -n "s/^[[:xdigit:]]\{40\}[[:blank:]]refs\/tags\/\([0-9]\{1\}\.[0-9]\{1,2\}\($\|\.[0-9]\{1,2\}$\)\)/\1/p" | sort --version-sort | tail -1)
+
+IMAGE_NAME=docker-rspamd
+
+docker build \
+ --no-cache \
+ --build-arg VERSION=${VERSION} \
+ --build-arg COMMIT=$(git ls-remote --tags -q https://github.com/rspamd/rspamd | sed -n "s/^\([[:xdigit:]]\{40\}\)[[:blank:]]refs\/tags\/${VERSION}^{}$/\1/p" | xargs git rev-parse --short) \
+ --build-arg BRANCH=$(git rev-parse --abbrev-ref HEAD) \
+ --build-arg DATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ") \
+ -t ${IMAGE_NAME} .
\ No newline at end of file
diff --git a/Stable2.0/hooks/post_push b/Stable2.0/hooks/post_push
new file mode 100644
index 0000000..3a3788f
--- /dev/null
+++ b/Stable2.0/hooks/post_push
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+VERSION=$(git ls-remote --tags -q https://github.com/rspamd/rspamd | sed -n "s/^[[:xdigit:]]\{40\}[[:blank:]]refs\/tags\/\([0-9]\{1\}\.[0-9]\{1,2\}\($\|\.[0-9]\{1,2\}$\)\)/\1/p" | sort --version-sort | tail -1)
+
+docker tag \
+ "${IMAGE_NAME}" \
+ "${DOCKER_REPO}:stable-${VERSION}"
+docker push \
+ "${DOCKER_REPO}:stable-${VERSION}"
diff --git a/Stable2.0/rspamd.conf.local.override b/Stable2.0/rspamd.conf.local.override
new file mode 100644
index 0000000..226a170
--- /dev/null
+++ b/Stable2.0/rspamd.conf.local.override
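Review bot: Neither hook sets `set -euo pipefail`, so when `git ls-remote` fails (no network, rate limit) `VERSION` is empty and the build still proceeds: the image gets blank `org.label-schema.version`/`vcs-ref` labels and the `Stable2.0/hooks/post_push` hunk below then tags and pushes it as `${DOCKER_REPO}:stable-`. Add `set -euo pipefail` after the shebang and guard the derived value, `[[ -n "$VERSION" ]] || { echo "could not determine rspamd version" >&2; exit 1; }`, in both hooks; the sed/sort pipeline is duplicated verbatim in the two files, so a shared helper sourced by both would keep them in sync. The `COMMIT` lookup matches only the peeled `refs/tags/${VERSION}^{}` entry, which presumably suits rspamd's annotated tags but yields an empty value for a lightweight tag; a comment stating that assumption would help the next maintainer. `${VERSION}` and `${IMAGE_NAME}` are also unquoted in the `docker build` arguments, unlike the quoted forms post_push uses.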
@@ -0,0 +1,13 @@
+options {
+ pidfile = false;
+ .include "$CONFDIR/options.inc"
+ .include(try=true; priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/options.inc"
+ .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/options.inc"
+}
+
+logging {
+ type = "console";
+ .include "$CONFDIR/logging.inc"
+ .include(try=true; priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/logging.inc"
+ .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/logging.inc"
+}
\ No newline at end of file
diff --git a/Stable2.0/set_worker_password.sh b/Stable2.0/set_worker_password.sh
new file mode 100644
index 0000000..7205e88
--- /dev/null
+++ b/Stable2.0/set_worker_password.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+password_file='/etc/rspamd/override.d/worker-controller-password.inc'
+password_hash=`/usr/bin/rspamadm pw -e -p $1`
+
+echo 'enable_password = "'$password_hash'";' > $password_file
+
+if grep -q "$password_hash" "$password_file"; then
+ echo "OK"
+else
+ echo "ERROR"
+fi
\ No newline at end of file
diff --git a/Stable2.0/worker-controller.inc b/Stable2.0/worker-controller.inc
new file mode 100644
index 0000000..2b6378a
--- /dev/null
+++ b/Stable2.0/worker-controller.inc
@@ -0,0 +1 @@
+bind_socket = "*:11334";
diff --git a/Stable2.0/worker-proxy.inc b/Stable2.0/worker-proxy.inc
new file mode 100644
index 0000000..0fe2cf0
--- /dev/null
+++ b/Stable2.0/worker-proxy.inc
@@ -0,0 +1 @@
+bind_socket = *:11332;
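Review bot: In `set_worker_password.sh` the password is taken from `$1` and passed unquoted to `rspamadm pw -e -p $1`, so an empty or whitespace-containing argument yields a wrong or empty hash that is still written to the override file, and the plaintext password is visible in the container's process list while `rspamadm` runs. Reject a missing argument and quote the expansions: `[[ -n "${1:-}" ]] || { echo "usage: $0 <password>" >&2; exit 1; }`, `password_hash=$(/usr/bin/rspamadm pw -e -p "$1")`, and `> "$password_file"` on the redirect. The `grep -q` check only confirms that the write landed, and on the `ERROR` branch the script still exits 0, so callers cannot rely on its status; add `exit 1` there. A short header comment stating that the file is read by the controller worker on next restart would also help, since nothing here signals rspamd to reload.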
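Review bot: `bind_socket = "*:11334"` in `worker-controller.inc` puts the controller on every interface of the container while the password file the entrypoint creates holds only `# Autogenerated` until `set_worker_password.sh` is run; together with `EXPOSE 11334` in the Dockerfile that is an admin endpoint reachable without a configured password as soon as the port is published, unless rspamd refuses remote requests in that state, which should be verified. Document the expectation in the file, e.g. `# Listens on all interfaces: set a password with /set_worker_password.sh before publishing 11334`, or default to `bind_socket = "127.0.0.1:11334";` and let operators widen it through override.d. The `worker-proxy.inc` hunk writes the same setting unquoted (`bind_socket = *:11332;`) where this file quotes it; the UCL parser may accept both, but the quoted form in both files matches rspamd's documented style and is easier to grep.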