Merge pull request 'provenance: false' (#19) from Update-Pipeline into main

Reviewed-on: #19

.gitea/workflows/deploy.yaml

@@ -0,0 +1,93 @@
+name: Deploy Container Image to Registry
+on:
+  schedule:
+    - cron: 0 1 * * 1
+  push:
+    branches:
+      - main
+
+jobs:
+  docker-build-stable:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          registry: gitea.gnilebein.de
+          username: ${{ gitea.repository_owner }}
+          password: ${{ secrets.REG_GITEA_PASSWORD }}
+
+      - name: Get Meta
+        id: meta
+        run: |
+          echo VERSION=$(git ls-remote --tags -q https://github.com/rspamd/rspamd | sed -n "s/^[[:xdigit:]]\{40\}[[:blank:]]refs\/tags\/\([0-9]\{1\}\.[0-9]\{1,2\}\($\|\.[0-9]\{1,2\}$\)\)/\1/p" | sort --version-sort | tail -1) | tee -a $GITHUB_OUTPUT
+          echo IMAGE_CREATED=$(date -u +"%Y-%m-%dT%H:%M:%SZ") | tee -a $GITHUB_OUTPUT
+          IMAGE_CREATED=${{ steps.meta.outputs.VERSION }}
+          IMAGE_CREATED=${{ steps.meta.outputs.IMAGE_CREATED }}
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          context: ./Stable
+          file: Stable/Dockerfile
+          platforms: linux/amd64
+          pull: false
+          push: true
+          no-cache: true
+          provenance: false
+          build-args: |
+            VERSION=${{ steps.meta.outputs.VERSION }}
+            IMAGE_CREATED=${{ steps.meta.outputs.IMAGE_CREATED }}
+          tags: |
+            ${{ vars.DOCKER_REPO }}/${{ gitea.repository_owner }}/${{ vars.IMAGE_NAME }}
+            ${{ vars.DOCKER_REPO }}/${{ gitea.repository_owner }}/${{ vars.IMAGE_NAME }}:${{ steps.meta.outputs.VERSION }}
+
+  docker-build-experimental:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          registry: gitea.gnilebein.de
+          username: ${{ gitea.repository_owner }}
+          password: ${{ secrets.REG_GITEA_PASSWORD }}
+
+      - name: Get Meta
+        id: meta
+        run: |
+          echo VERSION=$(curl -s https://rspamd.com/apt/pool/main/r/rspamd/ | sed -n "s/^<a href=\"rspamd_\(.*\)\~git.*\~.*.dsc\".*/\1/p" | tail -1) | tee -a $GITHUB_OUTPUT
+          echo IMAGE_CREATED=$(date -u +"%Y-%m-%dT%H:%M:%SZ") | tee -a $GITHUB_OUTPUT
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          context: ./Experimental
+          file: Experimental/Dockerfile
+          platforms: linux/amd64
+          pull: false
+          push: true
+          no-cache: true
+          provenance: false
+          build-args: |
+            VERSION=${{ steps.meta.outputs.VERSION }}
+            IMAGE_CREATED=${{ steps.meta.outputs.IMAGE_CREATED }}
+          tags: |
+            ${{ vars.DOCKER_REPO }}/${{ gitea.repository_owner }}/${{ vars.IMAGE_NAME }}:experimental

.gitignore

@@ -0,0 +1,300 @@
+# managed by devops-generator/ansible-role-generator
+### Ansible ###
+*.retry
+
+### Intellij+all ###
+# Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio, WebStorm and Rider
+# Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839
+
+# User-specific stuff
+.idea/**/workspace.xml
+.idea/**/tasks.xml
+.idea/**/usage.statistics.xml
+.idea/**/dictionaries
+.idea/**/shelf
+
+# Generated files
+.idea/**/contentModel.xml
+
+# Sensitive or high-churn files
+.idea/**/dataSources/
+.idea/**/dataSources.ids
+.idea/**/dataSources.local.xml
+.idea/**/sqlDataSources.xml
+.idea/**/dynamic.xml
+.idea/**/uiDesigner.xml
+.idea/**/dbnavigator.xml
+
+# Gradle
+.idea/**/gradle.xml
+.idea/**/libraries
+
+# Gradle and Maven with auto-import
+# When using Gradle or Maven with auto-import, you should exclude module files,
+# since they will be recreated, and may cause churn.  Uncomment if using
+# auto-import.
+# .idea/artifacts
+# .idea/compiler.xml
+# .idea/jarRepositories.xml
+# .idea/modules.xml
+# .idea/*.iml
+# .idea/modules
+# *.iml
+# *.ipr
+
+# CMake
+cmake-build-*/
+
+# Mongo Explorer plugin
+.idea/**/mongoSettings.xml
+
+# File-based project format
+*.iws
+
+# IntelliJ
+out/
+
+# mpeltonen/sbt-idea plugin
+.idea_modules/
+
+# JIRA plugin
+atlassian-ide-plugin.xml
+
+# Cursive Clojure plugin
+.idea/replstate.xml
+
+# Crashlytics plugin (for Android Studio and IntelliJ)
+com_crashlytics_export_strings.xml
+crashlytics.properties
+crashlytics-build.properties
+fabric.properties
+
+# Editor-based Rest Client
+.idea/httpRequests
+
+# Android studio 3.1+ serialized cache file
+.idea/caches/build_file_checksums.ser
+
+### Intellij+all Patch ###
+# Ignores the whole .idea folder and all .iml files
+# See https://github.com/joeblau/gitignore.io/issues/186 and https://github.com/joeblau/gitignore.io/issues/360
+
+.idea/
+
+# Reason: https://github.com/joeblau/gitignore.io/issues/186#issuecomment-249601023
+
+*.iml
+modules.xml
+.idea/misc.xml
+*.ipr
+
+# Sonarlint plugin
+.idea/sonarlint
+
+### Linux ###
+*~
+
+# temporary files which can be created if a process still has a handle open of a deleted file
+.fuse_hidden*
+
+# KDE directory preferences
+.directory
+
+# Linux trash folder which might appear on any partition or disk
+.Trash-*
+
+# .nfs files are created when an open file is removed but is still being accessed
+.nfs*
+
+### Python ###
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+pip-wheel-metadata/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py,cover
+.hypothesis/
+.pytest_cache/
+pytestdebug.log
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+doc/_build/
+
+# PyBuilder
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+.python-version
+
+# pipenv
+#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+#   However, in case of collaboration, if having platform-specific dependencies or dependencies
+#   having no cross-platform support, pipenv may install dependencies that don't work, or not
+#   install all needed dependencies.
+#Pipfile.lock
+
+# PEP 582; used by e.g. github.com/David-OConnor/pyflow
+__pypackages__/
+
+# Celery stuff
+celerybeat-schedule
+celerybeat.pid
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
+
+# pytype static type analyzer
+.pytype/
+
+### Terraform ###
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+state.json
+
+# terraform lock file
+.terraform.lock*
+
+# Crash log files
+crash.log
+
+# Ignore any .tfvars files that are generated automatically for each Terraform run. Most
+# .tfvars files are managed as part of configuration and so should be included in
+# version control.
+#
+# example.tfvars
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+### Vim ###
+# Swap
+[._]*.s[a-v][a-z]
+!*.svg  # comment out if you don't need vector files
+[._]*.sw[a-p]
+[._]s[a-rt-v][a-z]
+[._]ss[a-gi-z]
+[._]sw[a-p]
+
+# Session
+Session.vim
+Sessionx.vim
+
+# Temporary
+.netrwhist
+# Auto-generated tag files
+tags
+# Persistent undo
+[._]*.un~
+
+# VS Code Settings
+.vscode

.vscode/settings.json

@@ -0,0 +1,5 @@
+{
+    "yaml.schemas": {
+        "https://json.schemastore.org/github-workflow.json": "file:///c%3A/Users/patrick.niebeling/Documents/gitRepos%20-%20privat/Docker-rspamd/.gitea/workflows/deploy.yaml"
+    }
+}

Experimental/Dockerfile

@@ -1,13 +1,38 @@
 FROM debian:stable-slim
-LABEL maintainer="gnilebein - <docker@gnilebein.nl>"
+LABEL maintainer="gnilebein - <patrick@niebel.ing>"
+
+# Setup Labels
+ARG VERSION
+ARG IMAGE_CREATED
 
 # Set apt non-interactive
-ENV DEBIAN_FRONTEND noninteractive
+ENV DEBIAN_FRONTEND=noninteractive
+
+LABEL org.label-schema.name="Rspamd" \
+	org.label-schema.description="Rspamd Spam Filter - EXPERIMENTAL" \
+	org.label-schema.usage="https://gitea.gnilebein.de/gnilebein/-/packages/container/docker-rspamd/experimental" \
+	org.label-schema.url="https://rspamd.com" \
+	org.label-schema.vendor="gnilebein" \
+	org.label-schema.schema-version="1.0" \
+	org.label-schema.version=$VERSION \
+	org.label-schema.vcs-url="https://gitea.gnilebein.de/gnilebein/Docker-rspamd" \
+	org.label-schema.build-date=$IMAGE_CREATED
 
 # Install Rspamd
 RUN set -x \
 	&& apt update \
-	&& apt --no-install-recommends install -y lsb-release wget gnupg openssl ca-certificates \
+	&& apt --no-install-recommends install -y \
+	apt-transport-https \
+	dnsutils \
+	netcat-traditional \
+	lsb-release \
+	wget \
+	gnupg \
+	openssl \
+	ca-certificates \
+	nano \
+	less \
+	ca-certificates \
 	&& DEBIAN_CODE_NAME=`lsb_release -c -s` \
 	&& wget -O - https://rspamd.com/apt/gpg.key | apt-key add - \
 	&& echo "deb http://rspamd.com/apt/ $DEBIAN_CODE_NAME main" > /etc/apt/sources.list.d/rspamd.list \
@@ -16,42 +41,31 @@ RUN set -x \
 	&& apt --no-install-recommends install -y rspamd \
 	&& apt autoremove --purge -y \
 	&& apt clean \
-	&& rm -rf /var/lib/apt/lists/*
+	&& rm -rf /var/lib/apt/lists/* \
+	&& echo 'alias ll="ls -la --color"' >> ~/.bashrc
 
 # Override default settings
 COPY rspamd.conf.local.override /etc/rspamd/
 COPY worker-controller.inc /etc/rspamd/override.d/
 COPY worker-proxy.inc /etc/rspamd/override.d/
+COPY set_worker_password.sh /set_worker_password.sh
+COPY docker-entrypoint.sh /docker-entrypoint.sh
 
-# Keep database and configuration persistent
+# # Keep database and configuration persistent
 VOLUME /etc/rspamd/local.d
+VOLUME /etc/rspamd/override.d
+VOLUME /etc/rspamd/custom
 VOLUME /var/lib/rspamd
 
-# Port 11334 is for web frontend
-# Port 11332 is for milter
-# Port 11333 is for worker
-EXPOSE 11332 11334
+EXPOSE 11332 11333 11334
 
 # Healtcheck if Rspamd is returning stats
 HEALTHCHECK --interval=1m --timeout=5s --start-period=10s \
 	CMD /usr/bin/rspamadm control stat || exit 1
 
 # Run Rspamd
-ENTRYPOINT ["/usr/bin/rspamd","-f","-u","_rspamd","-g","_rspamd"]
+ENTRYPOINT ["bash", "/docker-entrypoint.sh"]
 
-# Setup Labels
-ARG VERSION
-ARG COMMIT
-ARG BRANCH
-ARG DATE
+STOPSIGNAL SIGTERM
 
-LABEL org.label-schema.name="Rspamd" \
-	org.label-schema.description="Rspamd Spam Filter - EXPERIMENTAL" \
-	org.label-schema.usage="https://hub.docker.com/r/gnilebein/rspamd/" \
-	org.label-schema.url="https://rspamd.com" \
-	org.label-schema.vendor="gnilebein" \
-	org.label-schema.schema-version="1.0" \
-  org.label-schema.version=$VERSION \
-  org.label-schema.vcs-url="https://github.com/rspamd/rspamd/" \
-  org.label-schema.vcs-ref=$COMMIT \
-  org.label-schema.build-date=$DATE \
+CMD ["/usr/bin/rspamd", "-f", "-u", "_rspamd", "-g", "_rspamd"]

README.md

@@ -34,4 +34,4 @@ This allows configuration of the _Webinterface_, _DKIM_ and _Redis_. The tool wr
 
 ### Support ###
 This Docker image is for personal use but let me know if there are any improvements available.
-Please use [Github](https://github.com/gnilebein/Docker-Rspamd) to send me a message
+Please use [Github](https://gitea.gnilebein.de/gnilebein/Docker-rspamd) to send me a message

Stable/Dockerfile

@@ -1,13 +1,38 @@
 FROM debian:stable-slim
-LABEL maintainer="gnilebein - <docker@gnilebein.nl>"
+LABEL maintainer="gnilebein - <patrick@niebel.ing>"
+
+# Setup Labels
+ARG VERSION
+ARG IMAGE_CREATED
 
 # Set apt non-interactive
-ENV DEBIAN_FRONTEND noninteractive
+ENV DEBIAN_FRONTEND=noninteractive
+
+LABEL org.label-schema.name="Rspamd" \
+	org.label-schema.description="Rspamd Spam Filter - STABLE" \
+	org.label-schema.usage="https://gitea.gnilebein.de/gnilebein/-/packages/container/docker-rspamd/latest" \
+	org.label-schema.url="https://rspamd.com" \
+	org.label-schema.vendor="gnilebein" \
+	org.label-schema.schema-version="1.0" \
+	org.label-schema.version=$VERSION \
+	org.label-schema.vcs-url="https://gitea.gnilebein.de/gnilebein/Docker-rspamd" \
+	org.label-schema.build-date=$IMAGE_CREATED
 
 # Install Rspamd
 RUN set -x \
 	&& apt update \
-	&& apt --no-install-recommends install -y lsb-release wget gnupg openssl ca-certificates \
+	&& apt --no-install-recommends install -y \
+	apt-transport-https \
+	dnsutils \
+	netcat-traditional \
+	lsb-release \
+	wget \
+	gnupg \
+	openssl \
+	ca-certificates \
+	nano \
+	less \
+	ca-certificates \
 	&& DEBIAN_CODE_NAME=`lsb_release -c -s` \
 	&& wget -O - https://rspamd.com/apt-stable/gpg.key | apt-key add - \
 	&& echo "deb http://rspamd.com/apt-stable/ $DEBIAN_CODE_NAME main" > /etc/apt/sources.list.d/rspamd.list \
@@ -16,42 +41,31 @@ RUN set -x \
 	&& apt --no-install-recommends install -y rspamd \
 	&& apt autoremove --purge -y \
 	&& apt clean \
-	&& rm -rf /var/lib/apt/lists/*
+	&& rm -rf /var/lib/apt/lists/* \
+	&& echo 'alias ll="ls -la --color"' >> ~/.bashrc
 
 # Override default settings
 COPY rspamd.conf.local.override /etc/rspamd/
 COPY worker-controller.inc /etc/rspamd/override.d/
 COPY worker-proxy.inc /etc/rspamd/override.d/
+COPY set_worker_password.sh /set_worker_password.sh
+COPY docker-entrypoint.sh /docker-entrypoint.sh
 
-# Keep database and configuration persistent
+# # Keep database and configuration persistent
 VOLUME /etc/rspamd/local.d
+VOLUME /etc/rspamd/override.d
+VOLUME /etc/rspamd/custom
 VOLUME /var/lib/rspamd
 
-# Port 11334 is for web frontend
-# Port 11332 is for milter
-# Port 11333 is for worker
-EXPOSE 11332 11334
+EXPOSE 11332 11333 11334
 
 # Healtcheck if Rspamd is returning stats
 HEALTHCHECK --interval=1m --timeout=5s --start-period=10s \
 	CMD /usr/bin/rspamadm control stat || exit 1
 
 # Run Rspamd
-ENTRYPOINT ["/usr/bin/rspamd","-f","-u","_rspamd","-g","_rspamd"]
+ENTRYPOINT ["bash", "/docker-entrypoint.sh"]
 
-# Setup Labels
-ARG VERSION
-ARG COMMIT
-ARG BRANCH
-ARG DATE
+STOPSIGNAL SIGTERM
 
-LABEL org.label-schema.name="Rspamd" \
-	org.label-schema.description="Rspamd Spam Filter - STABLE" \
-	org.label-schema.usage="https://hub.docker.com/r/gnilebein/rspamd/" \
-	org.label-schema.url="https://rspamd.com" \
-	org.label-schema.vendor="gnilebein" \
-	org.label-schema.schema-version="1.0" \
-  org.label-schema.version=$VERSION \
-  org.label-schema.vcs-url="https://github.com/rspamd/rspamd/" \
-  org.label-schema.vcs-ref=$COMMIT \
-  org.label-schema.build-date=$DATE \
+CMD ["/usr/bin/rspamd", "-f", "-u", "_rspamd", "-g", "_rspamd"]

Stable/docker-entrypoint.sh

@@ -0,0 +1,197 @@
+#!/bin/bash
+
+chmod 755 /var/lib/rspamd
+
+[[ ! -f /etc/rspamd/override.d/worker-controller-password.inc ]] && echo '# Autogenerated' >/etc/rspamd/override.d/worker-controller-password.inc
+
+mkdir -p /etc/rspamd/custom
+
+# If DQS KEY is set in mailcow.conf add Spamhaus DQS RBLs
+if [[ ! -z ${SPAMHAUS_DQS_KEY} ]]; then
+    cat <<EOF >/etc/rspamd/custom/dqs-rbl.conf
+  # Autogenerated by mailcow. DO NOT TOUCH!
+    spamhaus {
+        rbl = "${SPAMHAUS_DQS_KEY}.zen.dq.spamhaus.net";
+        from = false;
+    }
+    spamhaus_from {
+        from = true;
+        received = false;
+        rbl = "${SPAMHAUS_DQS_KEY}.zen.dq.spamhaus.net";
+        returncodes {
+          SPAMHAUS_ZEN = [ "127.0.0.2", "127.0.0.3", "127.0.0.4", "127.0.0.5", "127.0.0.6", "127.0.0.7", "127.0.0.9", "127.0.0.10", "127.0.0.11" ];
+        }
+    }
+    spamhaus_authbl_received {
+        # Check if the sender client is listed in AuthBL (AuthBL is *not* part of ZEN)
+        rbl = "${SPAMHAUS_DQS_KEY}.authbl.dq.spamhaus.net";
+        from = false;
+        received = true;
+        ipv6 = true;
+        returncodes {
+          SH_AUTHBL_RECEIVED = "127.0.0.20"
+        }
+    }
+    spamhaus_dbl {
+        # Add checks on the HELO string
+        rbl = "${SPAMHAUS_DQS_KEY}.dbl.dq.spamhaus.net";
+        helo = true;
+        rdns = true;
+        dkim = true;
+        disable_monitoring = true;
+        returncodes {
+            RBL_DBL_SPAM = "127.0.1.2";
+            RBL_DBL_PHISH = "127.0.1.4";
+            RBL_DBL_MALWARE = "127.0.1.5";
+            RBL_DBL_BOTNET = "127.0.1.6";
+            RBL_DBL_ABUSED_SPAM = "127.0.1.102";
+            RBL_DBL_ABUSED_PHISH = "127.0.1.104";
+            RBL_DBL_ABUSED_MALWARE = "127.0.1.105";
+            RBL_DBL_ABUSED_BOTNET = "127.0.1.106";
+            RBL_DBL_DONT_QUERY_IPS = "127.0.1.255";
+        }
+    }
+    spamhaus_dbl_fullurls {
+        ignore_defaults = true;
+        no_ip = true;
+        rbl = "${SPAMHAUS_DQS_KEY}.dbl.dq.spamhaus.net";
+        selector = 'urls:get_host'
+        disable_monitoring = true;
+        returncodes {
+            DBLABUSED_SPAM_FULLURLS = "127.0.1.102";
+            DBLABUSED_PHISH_FULLURLS = "127.0.1.104";
+            DBLABUSED_MALWARE_FULLURLS = "127.0.1.105";
+            DBLABUSED_BOTNET_FULLURLS = "127.0.1.106";
+        }
+    }
+    spamhaus_zrd {
+        # Add checks on the HELO string also for DQS
+        rbl = "${SPAMHAUS_DQS_KEY}.zrd.dq.spamhaus.net";
+        helo = true;
+        rdns = true;
+        dkim = true;
+        disable_monitoring = true;
+        returncodes {
+            RBL_ZRD_VERY_FRESH_DOMAIN = ["127.0.2.2", "127.0.2.3", "127.0.2.4"];
+            RBL_ZRD_FRESH_DOMAIN = [
+              "127.0.2.5", "127.0.2.6", "127.0.2.7", "127.0.2.8", "127.0.2.9", "127.0.2.10", "127.0.2.11", "127.0.2.12", "127.0.2.13", "127.0.2.14", "127.0.2.15", "127.0.2.16", "127.0.2.17", "127.0.2.18", "127.0.2.19", "127.0.2.20", "127.0.2.21", "127.0.2.22", "127.0.2.23", "127.0.2.24"
+            ];
+            RBL_ZRD_DONT_QUERY_IPS = "127.0.2.255";
+        }
+    }
+    "SPAMHAUS_ZEN_URIBL" {
+      enabled = true;
+      rbl = "${SPAMHAUS_DQS_KEY}.zen.dq.spamhaus.net";
+      resolve_ip = true;
+      checks = ['urls'];
+      replyto = true;
+      emails = true;
+      ipv4 = true;
+      ipv6 = true;
+      emails_domainonly = true;
+      returncodes {
+        URIBL_SBL = "127.0.0.2";
+        URIBL_SBL_CSS = "127.0.0.3";
+        URIBL_XBL = ["127.0.0.4", "127.0.0.5", "127.0.0.6", "127.0.0.7"];
+        URIBL_PBL = ["127.0.0.10", "127.0.0.11"];
+        URIBL_DROP = "127.0.0.9";
+      }
+    }
+    SH_EMAIL_DBL {
+      ignore_defaults = true;
+      replyto = true;
+      emails_domainonly = true;
+      disable_monitoring = true;
+      rbl = "${SPAMHAUS_DQS_KEY}.dbl.dq.spamhaus.net";
+      returncodes = {
+        SH_EMAIL_DBL = [
+          "127.0.1.2",
+          "127.0.1.4",
+          "127.0.1.5",
+          "127.0.1.6"
+        ];
+        SH_EMAIL_DBL_ABUSED = [
+          "127.0.1.102",
+          "127.0.1.104",
+          "127.0.1.105",
+          "127.0.1.106"
+        ];
+        SH_EMAIL_DBL_DONT_QUERY_IPS = [ "127.0.1.255" ];
+      }
+    }
+    SH_EMAIL_ZRD {
+      ignore_defaults = true;
+      replyto = true;
+      emails_domainonly = true;
+      disable_monitoring = true;
+      rbl = "${SPAMHAUS_DQS_KEY}.zrd.dq.spamhaus.net";
+      returncodes = {
+        SH_EMAIL_ZRD_VERY_FRESH_DOMAIN = ["127.0.2.2", "127.0.2.3", "127.0.2.4"];
+        SH_EMAIL_ZRD_FRESH_DOMAIN = [
+          "127.0.2.5", "127.0.2.6", "127.0.2.7", "127.0.2.8", "127.0.2.9", "127.0.2.10", "127.0.2.11", "127.0.2.12", "127.0.2.13", "127.0.2.14", "127.0.2.15", "127.0.2.16", "127.0.2.17", "127.0.2.18", "127.0.2.19", "127.0.2.20", "127.0.2.21", "127.0.2.22", "127.0.2.23", "127.0.2.24"
+        ];
+        SH_EMAIL_ZRD_DONT_QUERY_IPS = [ "127.0.2.255" ];
+      }
+    }
+    "DBL" {
+        # override the defaults for DBL defined in modules.d/rbl.conf
+        rbl = "${SPAMHAUS_DQS_KEY}.dbl.dq.spamhaus.net";
+        disable_monitoring = true;
+    }
+    "ZRD" {
+        ignore_defaults = true;
+        rbl = "${SPAMHAUS_DQS_KEY}.zrd.dq.spamhaus.net";
+        no_ip = true;
+        dkim = true;
+        emails = true;
+        emails_domainonly = true;
+        urls = true;
+        returncodes = {
+            ZRD_VERY_FRESH_DOMAIN = ["127.0.2.2", "127.0.2.3", "127.0.2.4"];
+            ZRD_FRESH_DOMAIN = ["127.0.2.5", "127.0.2.6", "127.0.2.7", "127.0.2.8", "127.0.2.9", "127.0.2.10", "127.0.2.11", "127.0.2.12", "127.0.2.13", "127.0.2.14", "127.0.2.15", "127.0.2.16", "127.0.2.17", "127.0.2.18", "127.0.2.19", "127.0.2.20", "127.0.2.21", "127.0.2.22", "127.0.2.23", "127.0.2.24"];
+        }
+    }
+    spamhaus_sbl_url {
+        ignore_defaults = true
+        rbl = "${SPAMHAUS_DQS_KEY}.sbl.dq.spamhaus.net";
+        checks = ['urls'];
+        disable_monitoring = true;
+        returncodes {
+            SPAMHAUS_SBL_URL = "127.0.0.2";
+        }
+    }
+
+    SH_HBL_EMAIL {
+      ignore_defaults = true;
+      rbl = "_email.${SPAMHAUS_DQS_KEY}.hbl.dq.spamhaus.net";
+      emails_domainonly = false;
+      selector = "from('smtp').lower;from('mime').lower";
+      ignore_whitelist = true;
+      checks = ['emails', 'replyto'];
+      hash = "sha1";
+      returncodes = {
+        SH_HBL_EMAIL = [
+          "127.0.3.2"
+        ];
+      }
+    }
+
+    spamhaus_dqs_hbl {
+      symbol = "HBL_FILE_UNKNOWN";
+      rbl = "_file.${SPAMHAUS_DQS_KEY}.hbl.dq.spamhaus.net.";
+      selector = "attachments('rbase32', 'sha256')";
+      ignore_whitelist = true;
+      ignore_defaults = true;
+      returncodes {
+        SH_HBL_FILE_MALICIOUS = "127.0.3.10";
+        SH_HBL_FILE_SUSPICIOUS = "127.0.3.15";
+      }
+    }
+EOF
+else
+    rm -rf /etc/rspamd/custom/dqs-rbl.conf
+fi
+
+chown -R _rspamd:_rspamd /var/lib/rspamd /etc/rspamd/
+
+exec "$@"

Stable/hooks/build

@@ -9,9 +9,8 @@ VERSION=$(git ls-remote --tags -q https://github.com/rspamd/rspamd | sed -n "s/^
 
 IMAGE_NAME=docker-rspamd
 
-zip -r config
-
 docker build \
+  --no-cache \
   --build-arg VERSION=${VERSION} \
   --build-arg COMMIT=$(git ls-remote --tags -q https://github.com/rspamd/rspamd | sed -n "s/^\([[:xdigit:]]\{40\}\)[[:blank:]]refs\/tags\/${VERSION}^{}$/\1/p" |  xargs git rev-parse --short) \
   --build-arg BRANCH=$(git rev-parse --abbrev-ref HEAD) \

Stable/set_worker_password.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+password_file='/etc/rspamd/override.d/worker-controller-password.inc'
+password_hash=`/usr/bin/rspamadm pw -e -p $1`
+
+echo 'enable_password = "'$password_hash'";' > $password_file
+
+if grep -q "$password_hash" "$password_file"; then
+    echo "OK"
+else
+    echo "ERROR"
+fi

StableV2/Dockerfile

@@ -1,78 +0,0 @@
-FROM debian:stable-slim
-LABEL maintainer="gnilebein - <patrick@niebel.ing>"
-
-# Setup Labels
-ARG VERSION
-ARG COMMIT
-ARG BRANCH
-ARG DATE
-ARG DEBIAN_FRONTEND=noninteractive
-
-# Set apt non-interactive
-ENV DEBIAN_FRONTEND=noninteractive
-
-LABEL org.label-schema.name="Rspamd" \
-	org.label-schema.description="Rspamd Spam Filter - STABLE" \
-	org.label-schema.usage="https://hub.docker.com/r/gnilebein/rspamd/" \
-	org.label-schema.url="https://rspamd.com" \
-	org.label-schema.vendor="gnilebein" \
-	org.label-schema.schema-version="1.0" \
-	org.label-schema.version=$VERSION \
-	org.label-schema.vcs-url="https://github.com/rspamd/rspamd/" \
-	org.label-schema.vcs-ref=$COMMIT \
-	org.label-schema.build-date=$DATE
-
-# Install Rspamd
-RUN set -x \
-	&& apt update \
-	&& apt --no-install-recommends install -y \
-	apt-transport-https \
-	dnsutils \
-	netcat-traditional \
-	lsb-release \
-	wget \
-	gnupg \
-	openssl \
-	ca-certificates \
-	nano \
-	less \
-	ca-certificates \
-	&& DEBIAN_CODE_NAME=`lsb_release -c -s` \
-	&& wget -O - https://rspamd.com/apt-stable/gpg.key | apt-key add - \
-	&& echo "deb http://rspamd.com/apt-stable/ $DEBIAN_CODE_NAME main" > /etc/apt/sources.list.d/rspamd.list \
-	&& apt purge -y lsb-release wget gnupg \
-	&& apt update \
-	&& apt --no-install-recommends install -y rspamd \
-	&& apt autoremove --purge -y \
-	&& apt clean \
-	&& rm -rf /var/lib/apt/lists/* \
-	&& echo 'alias ll="ls -la --color"' >> ~/.bashrc
-
-# Override default settings
-COPY rspamd.conf.local.override /etc/rspamd/
-COPY worker-controller.inc /etc/rspamd/override.d/
-COPY worker-proxy.inc /etc/rspamd/override.d/
-COPY set_worker_password.sh /set_worker_password.sh
-COPY docker-entrypoint.sh /docker-entrypoint.sh
-
-# # Keep database and configuration persistent
-# VOLUME /etc/rspamd/local.d
-# VOLUME /etc/rspamd/override.d
-# VOLUME /etc/rspamd/custom
-# VOLUME /var/lib/rspamd
-
-# Port 11334 is for web frontend
-# Port 11332 is for milter
-# Port 11333 is for worker
-EXPOSE 11332 11333 11334
-
-# Healtcheck if Rspamd is returning stats
-HEALTHCHECK --interval=1m --timeout=5s --start-period=10s \
-	CMD /usr/bin/rspamadm control stat || exit 1
-
-# Run Rspamd
-ENTRYPOINT ["bash", "/docker-entrypoint.sh"]
-
-STOPSIGNAL SIGTERM
-
-CMD ["/usr/bin/rspamd", "-f", "-u", "_rspamd", "-g", "_rspamd"]

StableV2/hooks/build

@@ -1,18 +0,0 @@
-#!/bin/bash
-# hooks/build
-# https://docs.docker.com/docker-cloud/builds/advanced/
-
-# $IMAGE_NAME var is injected into the build so the tag is correct.
-echo "[***] Build hook running"
-
-VERSION=$(git ls-remote --tags -q https://github.com/rspamd/rspamd | sed -n "s/^[[:xdigit:]]\{40\}[[:blank:]]refs\/tags\/\([0-9]\{1\}\.[0-9]\{1,2\}\($\|\.[0-9]\{1,2\}$\)\)/\1/p" | sort --version-sort | tail -1)
-
-IMAGE_NAME=docker-rspamd
-
-docker build \
-  --no-cache \
-  --build-arg VERSION=${VERSION} \
-  --build-arg COMMIT=$(git ls-remote --tags -q https://github.com/rspamd/rspamd | sed -n "s/^\([[:xdigit:]]\{40\}\)[[:blank:]]refs\/tags\/${VERSION}^{}$/\1/p" |  xargs git rev-parse --short) \
-  --build-arg BRANCH=$(git rev-parse --abbrev-ref HEAD) \
-  --build-arg DATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ") \
-  -t ${IMAGE_NAME} .

StableV2/hooks/post_push

@@ -1,9 +0,0 @@
-#!/bin/bash
-
-VERSION=$(git ls-remote --tags -q https://github.com/rspamd/rspamd | sed -n "s/^[[:xdigit:]]\{40\}[[:blank:]]refs\/tags\/\([0-9]\{1\}\.[0-9]\{1,2\}\($\|\.[0-9]\{1,2\}$\)\)/\1/p" | sort --version-sort | tail -1)
-
-docker tag \
-	"${IMAGE_NAME}" \
-	"${DOCKER_REPO}:stable-${VERSION}"
-docker push \
-	"${DOCKER_REPO}:stable-${VERSION}"

StableV2/rspamd.conf.local.override

@@ -1,13 +0,0 @@
-options {
-    pidfile = false;
-    .include "$CONFDIR/options.inc"
-    .include(try=true; priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/options.inc"
-    .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/options.inc"
-}
-
-logging {
-	type = "console";
-	.include "$CONFDIR/logging.inc"
-	.include(try=true; priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/logging.inc"
-	.include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/logging.inc"
-}

StableV2/worker-controller.inc

@@ -1 +0,0 @@
-bind_socket = "*:11334";

StableV2/worker-proxy.inc

@@ -1 +0,0 @@
-bind_socket = *:11332;