gnilebein/Docker-rspamd
1
0
Fork 0
Code Issues Pull Requests Actions Packages Activity

Build Experimental

Browse Source 
Signed-off-by: Patrick Niebeling <patrick.niebeling@adacor.com>
This commit is contained in:
Patrick Niebeling
2024-11-20 15:22:30 +01:00
parent 620e79cef0
commit 718eac95ae
5 changed files with 288 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files

42
.gitea/workflows/deploy.yaml
View File

@ -7,7 +7,7 @@ on:
- main
jobs:
docker:
docker-build-stable:
runs-on: ubuntu-latest
steps:
- name: Checkout
@ -31,8 +31,6 @@ jobs:
run: |
echo VERSION=$(git ls-remote --tags -q https://github.com/rspamd/rspamd | sed -n "s/^[[:xdigit:]]\{40\}[[:blank:]]refs\/tags\/\([0-9]\{1\}\.[0-9]\{1,2\}\($\|\.[0-9]\{1,2\}$\)\)/\1/p" | sort --version-sort | tail -1) | tee -a $GITHUB_OUTPUT
echo IMAGE_CREATED=$(date -u +"%Y-%m-%dT%H:%M:%SZ") | tee -a $GITHUB_OUTPUT
- run: pwd
- run: ls -lah
- name: Build and push
uses: docker/build-push-action@v6
with:
@ -47,3 +45,41 @@ jobs:
tags: |
${{ vars.DOCKER_REPO }}/${{ gitea.repository_owner }}/${{ vars.IMAGE_NAME }}
${{ vars.DOCKER_REPO }}/${{ gitea.repository_owner }}/${{ vars.IMAGE_NAME }}:${{ steps.meta.outputs.VERSION }}
docker-build-experimental:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Login to Docker Hub
uses: docker/login-action@v3
with:
registry: gitea.gnilebein.de
username: ${{ gitea.repository_owner }}
password: ${{ secrets.REG_GITEA_PASSWORD }}
- name: Get Meta
id: meta
run: |
echo VERSION=$(git ls-remote --tags -q https://github.com/rspamd/rspamd | sed -n "s/^[[:xdigit:]]\{40\}[[:blank:]]refs\/tags\/\([0-9]\{1\}\.[0-9]\{1,2\}\($\|\.[0-9]\{1,2\}$\)\)/\1/p" | sort --version-sort | tail -1) | tee -a $GITHUB_OUTPUT
echo IMAGE_CREATED=$(date -u +"%Y-%m-%dT%H:%M:%SZ") | tee -a $GITHUB_OUTPUT
- name: Build and push
uses: docker/build-push-action@v6
with:
context: ./Experimental
file: Experimental/Dockerfile
pull: false
push: true
no-cache: true
build-args: |
VERSION=${{ steps.meta.outputs.VERSION }}
IMAGE_CREATED=${{ steps.meta.outputs.IMAGE_CREATED }}
tags: |
${{ vars.DOCKER_REPO }}/${{ gitea.repository_owner }}/${{ vars.IMAGE_NAME }}:experimental

64
Experimental/Dockerfile
View File

@ -1,13 +1,38 @@
FROM debian:stable-slim
LABEL maintainer="gnilebein - <docker@gnilebein.nl>"
LABEL maintainer="gnilebein - <patrick@niebel.ing>"
# Setup Labels
ARG VERSION
ARG DATE
# Set apt non-interactive
ENV DEBIAN_FRONTEND noninteractive
ENV DEBIAN_FRONTEND=noninteractive
LABEL org.label-schema.name="Rspamd" \
org.label-schema.description="Rspamd Spam Filter - EXPERIMENTAL" \
org.label-schema.usage="https://gitea.gnilebein.de/gnilebein/-/packages/container/docker-rspamd/experimental" \
org.label-schema.url="https://rspamd.com" \
org.label-schema.vendor="gnilebein" \
org.label-schema.schema-version="1.0" \
org.label-schema.version=$VERSION \
org.label-schema.vcs-url="https://gitea.gnilebein.de/gnilebein/Docker-rspamd" \
org.label-schema.build-date=$DATE
# Install Rspamd
RUN set -x \
&& apt update \
&& apt --no-install-recommends install -y lsb-release wget gnupg openssl ca-certificates \
&& apt --no-install-recommends install -y \
apt-transport-https \
dnsutils \
netcat-traditional \
lsb-release \
wget \
gnupg \
openssl \
ca-certificates \
nano \
less \
ca-certificates \
&& DEBIAN_CODE_NAME=`lsb_release -c -s` \
&& wget -O - https://rspamd.com/apt/gpg.key | apt-key add - \
&& echo "deb http://rspamd.com/apt/ $DEBIAN_CODE_NAME main" > /etc/apt/sources.list.d/rspamd.list \
@ -16,42 +41,31 @@ RUN set -x \
&& apt --no-install-recommends install -y rspamd \
&& apt autoremove --purge -y \
&& apt clean \
&& rm -rf /var/lib/apt/lists/*
&& rm -rf /var/lib/apt/lists/* \
&& echo 'alias ll="ls -la --color"' >> ~/.bashrc
# Override default settings
COPY rspamd.conf.local.override /etc/rspamd/
COPY worker-controller.inc /etc/rspamd/override.d/
COPY worker-proxy.inc /etc/rspamd/override.d/
COPY set_worker_password.sh /set_worker_password.sh
COPY docker-entrypoint.sh /docker-entrypoint.sh
# Keep database and configuration persistent
# # Keep database and configuration persistent
VOLUME /etc/rspamd/local.d
VOLUME /etc/rspamd/override.d
VOLUME /etc/rspamd/custom
VOLUME /var/lib/rspamd
# Port 11334 is for web frontend
# Port 11332 is for milter
# Port 11333 is for worker
EXPOSE 11332 11334
EXPOSE 11332 11333 11334
# Healtcheck if Rspamd is returning stats
HEALTHCHECK --interval=1m --timeout=5s --start-period=10s \
CMD /usr/bin/rspamadm control stat || exit 1
# Run Rspamd
ENTRYPOINT ["/usr/bin/rspamd","-f","-u","_rspamd","-g","_rspamd"]
ENTRYPOINT ["bash", "/docker-entrypoint.sh"]
# Setup Labels
ARG VERSION
ARG COMMIT
ARG BRANCH
ARG DATE
STOPSIGNAL SIGTERM
LABEL org.label-schema.name="Rspamd" \
org.label-schema.description="Rspamd Spam Filter - EXPERIMENTAL" \
org.label-schema.usage="https://hub.docker.com/r/gnilebein/rspamd/" \
org.label-schema.url="https://rspamd.com" \
org.label-schema.vendor="gnilebein" \
org.label-schema.schema-version="1.0" \
org.label-schema.version=$VERSION \
org.label-schema.vcs-url="https://github.com/rspamd/rspamd/" \
org.label-schema.vcs-ref=$COMMIT \
org.label-schema.build-date=$DATE \
CMD ["/usr/bin/rspamd", "-f", "-u", "_rspamd", "-g", "_rspamd"]

197
Experimental/docker-entrypoint.sh Normal file
View File

@ -0,0 +1,197 @@
#!/bin/bash
chmod 755 /var/lib/rspamd
[[ ! -f /etc/rspamd/override.d/worker-controller-password.inc ]] && echo '# Autogenerated' >/etc/rspamd/override.d/worker-controller-password.inc
mkdir -p /etc/rspamd/custom
# If DQS KEY is set in mailcow.conf add Spamhaus DQS RBLs
if [[ ! -z ${SPAMHAUS_DQS_KEY} ]]; then
cat <<EOF >/etc/rspamd/custom/dqs-rbl.conf
# Autogenerated by mailcow. DO NOT TOUCH!
spamhaus {
rbl = "${SPAMHAUS_DQS_KEY}.zen.dq.spamhaus.net";
from = false;
}
spamhaus_from {
from = true;
received = false;
rbl = "${SPAMHAUS_DQS_KEY}.zen.dq.spamhaus.net";
returncodes {
SPAMHAUS_ZEN = [ "127.0.0.2", "127.0.0.3", "127.0.0.4", "127.0.0.5", "127.0.0.6", "127.0.0.7", "127.0.0.9", "127.0.0.10", "127.0.0.11" ];
}
}
spamhaus_authbl_received {
# Check if the sender client is listed in AuthBL (AuthBL is *not* part of ZEN)
rbl = "${SPAMHAUS_DQS_KEY}.authbl.dq.spamhaus.net";
from = false;
received = true;
ipv6 = true;
returncodes {
SH_AUTHBL_RECEIVED = "127.0.0.20"
}
}
spamhaus_dbl {
# Add checks on the HELO string
rbl = "${SPAMHAUS_DQS_KEY}.dbl.dq.spamhaus.net";
helo = true;
rdns = true;
dkim = true;
disable_monitoring = true;
returncodes {
RBL_DBL_SPAM = "127.0.1.2";
RBL_DBL_PHISH = "127.0.1.4";
RBL_DBL_MALWARE = "127.0.1.5";
RBL_DBL_BOTNET = "127.0.1.6";
RBL_DBL_ABUSED_SPAM = "127.0.1.102";
RBL_DBL_ABUSED_PHISH = "127.0.1.104";
RBL_DBL_ABUSED_MALWARE = "127.0.1.105";
RBL_DBL_ABUSED_BOTNET = "127.0.1.106";
RBL_DBL_DONT_QUERY_IPS = "127.0.1.255";
}
}
spamhaus_dbl_fullurls {
ignore_defaults = true;
no_ip = true;
rbl = "${SPAMHAUS_DQS_KEY}.dbl.dq.spamhaus.net";
selector = 'urls:get_host'
disable_monitoring = true;
returncodes {
DBLABUSED_SPAM_FULLURLS = "127.0.1.102";
DBLABUSED_PHISH_FULLURLS = "127.0.1.104";
DBLABUSED_MALWARE_FULLURLS = "127.0.1.105";
DBLABUSED_BOTNET_FULLURLS = "127.0.1.106";
}
}
spamhaus_zrd {
# Add checks on the HELO string also for DQS
rbl = "${SPAMHAUS_DQS_KEY}.zrd.dq.spamhaus.net";
helo = true;
rdns = true;
dkim = true;
disable_monitoring = true;
returncodes {
RBL_ZRD_VERY_FRESH_DOMAIN = ["127.0.2.2", "127.0.2.3", "127.0.2.4"];
RBL_ZRD_FRESH_DOMAIN = [
"127.0.2.5", "127.0.2.6", "127.0.2.7", "127.0.2.8", "127.0.2.9", "127.0.2.10", "127.0.2.11", "127.0.2.12", "127.0.2.13", "127.0.2.14", "127.0.2.15", "127.0.2.16", "127.0.2.17", "127.0.2.18", "127.0.2.19", "127.0.2.20", "127.0.2.21", "127.0.2.22", "127.0.2.23", "127.0.2.24"
];
RBL_ZRD_DONT_QUERY_IPS = "127.0.2.255";
}
}
"SPAMHAUS_ZEN_URIBL" {
enabled = true;
rbl = "${SPAMHAUS_DQS_KEY}.zen.dq.spamhaus.net";
resolve_ip = true;
checks = ['urls'];
replyto = true;
emails = true;
ipv4 = true;
ipv6 = true;
emails_domainonly = true;
returncodes {
URIBL_SBL = "127.0.0.2";
URIBL_SBL_CSS = "127.0.0.3";
URIBL_XBL = ["127.0.0.4", "127.0.0.5", "127.0.0.6", "127.0.0.7"];
URIBL_PBL = ["127.0.0.10", "127.0.0.11"];
URIBL_DROP = "127.0.0.9";
}
}
SH_EMAIL_DBL {
ignore_defaults = true;
replyto = true;
emails_domainonly = true;
disable_monitoring = true;
rbl = "${SPAMHAUS_DQS_KEY}.dbl.dq.spamhaus.net";
returncodes = {
SH_EMAIL_DBL = [
"127.0.1.2",
"127.0.1.4",
"127.0.1.5",
"127.0.1.6"
];
SH_EMAIL_DBL_ABUSED = [
"127.0.1.102",
"127.0.1.104",
"127.0.1.105",
"127.0.1.106"
];
SH_EMAIL_DBL_DONT_QUERY_IPS = [ "127.0.1.255" ];
}
}
SH_EMAIL_ZRD {
ignore_defaults = true;
replyto = true;
emails_domainonly = true;
disable_monitoring = true;
rbl = "${SPAMHAUS_DQS_KEY}.zrd.dq.spamhaus.net";
returncodes = {
SH_EMAIL_ZRD_VERY_FRESH_DOMAIN = ["127.0.2.2", "127.0.2.3", "127.0.2.4"];
SH_EMAIL_ZRD_FRESH_DOMAIN = [
"127.0.2.5", "127.0.2.6", "127.0.2.7", "127.0.2.8", "127.0.2.9", "127.0.2.10", "127.0.2.11", "127.0.2.12", "127.0.2.13", "127.0.2.14", "127.0.2.15", "127.0.2.16", "127.0.2.17", "127.0.2.18", "127.0.2.19", "127.0.2.20", "127.0.2.21", "127.0.2.22", "127.0.2.23", "127.0.2.24"
];
SH_EMAIL_ZRD_DONT_QUERY_IPS = [ "127.0.2.255" ];
}
}
"DBL" {
# override the defaults for DBL defined in modules.d/rbl.conf
rbl = "${SPAMHAUS_DQS_KEY}.dbl.dq.spamhaus.net";
disable_monitoring = true;
}
"ZRD" {
ignore_defaults = true;
rbl = "${SPAMHAUS_DQS_KEY}.zrd.dq.spamhaus.net";
no_ip = true;
dkim = true;
emails = true;
emails_domainonly = true;
urls = true;
returncodes = {
ZRD_VERY_FRESH_DOMAIN = ["127.0.2.2", "127.0.2.3", "127.0.2.4"];
ZRD_FRESH_DOMAIN = ["127.0.2.5", "127.0.2.6", "127.0.2.7", "127.0.2.8", "127.0.2.9", "127.0.2.10", "127.0.2.11", "127.0.2.12", "127.0.2.13", "127.0.2.14", "127.0.2.15", "127.0.2.16", "127.0.2.17", "127.0.2.18", "127.0.2.19", "127.0.2.20", "127.0.2.21", "127.0.2.22", "127.0.2.23", "127.0.2.24"];
}
}
spamhaus_sbl_url {
ignore_defaults = true
rbl = "${SPAMHAUS_DQS_KEY}.sbl.dq.spamhaus.net";
checks = ['urls'];
disable_monitoring = true;
returncodes {
SPAMHAUS_SBL_URL = "127.0.0.2";
}
}
SH_HBL_EMAIL {
ignore_defaults = true;
rbl = "_email.${SPAMHAUS_DQS_KEY}.hbl.dq.spamhaus.net";
emails_domainonly = false;
selector = "from('smtp').lower;from('mime').lower";
ignore_whitelist = true;
checks = ['emails', 'replyto'];
hash = "sha1";
returncodes = {
SH_HBL_EMAIL = [
"127.0.3.2"
];
}
}
spamhaus_dqs_hbl {
symbol = "HBL_FILE_UNKNOWN";
rbl = "_file.${SPAMHAUS_DQS_KEY}.hbl.dq.spamhaus.net.";
selector = "attachments('rbase32', 'sha256')";
ignore_whitelist = true;
ignore_defaults = true;
returncodes {
SH_HBL_FILE_MALICIOUS = "127.0.3.10";
SH_HBL_FILE_SUSPICIOUS = "127.0.3.15";
}
}
EOF
else
rm -rf /etc/rspamd/custom/dqs-rbl.conf
fi
chown -R _rspamd:_rspamd /var/lib/rspamd /etc/rspamd/
exec "$@"

12
Experimental/set_worker_password.sh Normal file
View File

@ -0,0 +1,12 @@
#!/bin/bash
password_file='/etc/rspamd/override.d/worker-controller-password.inc'
password_hash=`/usr/bin/rspamadm pw -e -p $1`
echo 'enable_password = "'$password_hash'";' > $password_file
if grep -q "$password_hash" "$password_file"; then
echo "OK"
else
echo "ERROR"
fi

3
StableV2/Dockerfile
View File

@ -3,10 +3,7 @@ LABEL maintainer="gnilebein - <patrick@niebel.ing>"
# Setup Labels
ARG VERSION
ARG COMMIT
ARG BRANCH
ARG DATE
ARG DEBIAN_FRONTEND=noninteractive
# Set apt non-interactive
ENV DEBIAN_FRONTEND=noninteractive