Merge branch 'automated-tasks' into 'development'

chore(gitlab-ci): Automated update of git sub-module

See merge request nofusscomputing/projects/docker-mail!68

.cz.yaml

@@ -2,6 +2,6 @@ commitizen:
   bump_message: "build(version): bump version $current_version \u2192 $new_version"
   changelog_incremental: false
   name: cz_conventional_commits
-  tag_format: v$major.$minor.$patch$prerelease
+  tag_format: $major.$minor.$patch$prerelease
   update_changelog_on_bump: true
-  version: 0.1.0rc0
+  version: 0.1.0

.dockerignore

@@ -0,0 +1,14 @@
+# Directories
+.git/
+.gitlab/
+gitlab-ci/
+test/
+.vscode/
+
+# Files
+.cz.yaml
+.gitignore
+.gitlab-ci.yml
+.gitmodules
+.markdownlint.json
+*.md

.gitlab-ci.yml

@@ -1,120 +1,38 @@
-stages:
-    - validation
-    - build
-    - prepare
-    - test
-    - release
-    - sync
-    - publish
+---
 
-variables:
-    GIT_SUBMODULE_STRATEGY: recursive
-    MY_PROJECT_ID: "33611657"
 
 include:
   - project: nofusscomputing/projects/gitlab-ci
-    ref: 36ce0b0b76e6769c7a2e0d4ea0f3fcd2cc2d6bb1
+    ref: development
     file:
-      - conventional_commits/.gitlab-ci.yml
-      - validation/.gitlab-ci.yml
-      - gitlab_release/.gitlab-ci.yml
-      - git_push_mirror/.gitlab-ci.yml
+      - .gitlab-ci_common.yaml
+      - template/automagic.gitlab-ci.yaml
+
+
+variables:
+  DOCKER_IMAGE_BUILD_TARGET_PLATFORMS: "linux/amd64,linux/arm64"
+  DOCKER_IMAGE_PUBLISH_NAME: 'docker-mail'
+  DOCKER_IMAGE_PUBLISH_REGISTRY: docker.io/nofusscomputing
+  DOCKER_IMAGE_PUBLISH_URL: https://hub.docker.com/r/nofusscomputing/$DOCKER_IMAGE_PUBLISH_NAME
+
+  GIT_SUBMODULE_STRATEGY: recursive
+  GIT_SYNC_URL: "https://$GITHUB_USERNAME_ROBOT:$GITHUB_TOKEN_ROBOT@github.com/NoFussComputing/docker-mail.git"
+  MY_PROJECT_ID: "33611657"
+  PAGES_ENVIRONMENT_PATH: projects/docker-mail/
 
 
 
-
-Markdown Linting:
-  extends:
-    - .Lint_Markdown
-
-Docker Container:
-  stage: build
-  image: docker:latest
-  services:
-    - docker:19.03.12-dind
-  before_script:
-    - docker info
-#    - docker login $CI_REGISTRY -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD 
-    - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
-    - apk update
-    - apk add --update --no-cache python3 git && ln -sf python3 /usr/bin/python
-    - python3 -m ensurepip
-    - pip3 install -r gitlab-ci/gitlab_release/requirements.txt
-    - pip3 install gitlab-ci/gitlab_release/python-module/cz_nfc/.
-  script:  |
-    docker build . \
-      --label org.opencontainers.image.created="$(date '+%Y-%m-%d %H:%M:%S%:z')" \
-      --label org.opencontainers.image.documentation="$CI_PROJECT_URL/pages" \
-      --label org.opencontainers.image.source="$CI_PROJECT_URL" \
-      --label org.opencontainers.image.url="$CI_PROJECT_URL/-/releases/v$(cz -n cz_nfc version --project)" \
-      --label org.opencontainers.image.version="$(cz -n cz_nfc version --project)" \
-      --label org.opencontainers.image.revision="$CI_COMMIT_SHA" \
-    --no-cache \
-    --tag $CI_REGISTRY_IMAGE/docker-mail:$CI_COMMIT_SHA;
-
-    docker image inspect $CI_REGISTRY_IMAGE/docker-mail:$CI_COMMIT_SHA;
-
-    docker push $CI_REGISTRY_IMAGE/docker-mail:$CI_COMMIT_SHA;
-
-#  after_script:
-#    - docker push $CI_REGISTRY_IMAGE/docker-mail:$CI_COMMIT_SHA
+Compile Dovecot:
+  extends: .build_docker_container
+  variables:
+    DOCKER_DOCKERFILE: dockerfile-compile
+    DOCKER_IMAGE_BUILD_TARGET_PLATFORMS: "linux/arm64"
   rules:
     - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
       when: never
     - if: $CI_COMMIT_TAG
-      when: on_success
-    - if: '$CI_COMMIT_BRANCH != "master"'
+      when: never
+    - if: '$CI_COMMIT_BRANCH != "master" && $CI_PIPELINE_SOURCE == "push"'
       when: manual
+      allow_failure: true
     - when: never
-
-
-Gitlab Release:
-    extends:
-        - .gitlab_release
-
-
-Docker Hub:
-  stage: publish
-  image: docker:latest
-  services:
-    - docker:19.03.12-dind
-  before_script:
-    - export
-    - docker login $CI_REGISTRY -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD
-    - docker pull $CI_REGISTRY_IMAGE/docker-mail:$CI_COMMIT_SHA
-    - docker logout $CI_REGISTRY
-  script:
-#    - Release_TAG=$(cat $CI_PROJECT_DIR/dist/version)
-    - docker login docker.io -u $NFC_DOCKERHUB_USERNAME -p $NFC_DOCKERHUB_TOKEN
-#    - if [ "m$(echo $CI_BUILD_REF_NAME | grep rc)" == "m$CI_BUILD_REF_NAME" ]; then Branch_TAG=dev; else Branch_TAG=stable; fi
-    - echo Branch tag is $Branch_TAG
-    - docker image ls
-    - docker image tag $CI_REGISTRY_IMAGE/docker-mail:$CI_COMMIT_SHA nofusscomputing/docker-mail:$CI_COMMIT_TAG
-    - docker image ls
-    - docker push nofusscomputing/docker-mail:$CI_COMMIT_TAG
-  rules:
-    - if: $CI_COMMIT_TAG
-      when: on_success
-    - if: $CI_MERGE_REQUEST_IID
-      when: never
-    - if: '$CI_COMMIT_BRANCH'
-      when: never
-  needs: [ "Docker Container" ]
-  environment:
-    name: DockerHub
-  rules:
-    - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
-      when: never
-    - if: $CI_COMMIT_TAG
-      when: on_success
-    - when: never
-
-
-
-Github (Push --mirror):
-    variables:
-        GIT_SYNC_URL: "https://$GITHUB_USERNAME_ROBOT:$GITHUB_TOKEN_ROBOT@github.com/NoFussComputing/docker-mail.git"
-    extends:
-        - .git_push_mirror
-
-

.gitmodules

@@ -2,3 +2,7 @@
 	path = gitlab-ci
 	url = https://gitlab.com/nofusscomputing/projects/gitlab-ci.git
 	branch = development
+[submodule "website-template"]
+	path = website-template
+	url = https://gitlab.com/nofusscomputing/infrastructure/website-template.git
+	branch = development

.nfc_automation.yaml

@@ -0,0 +1,8 @@
+---
+
+role_git_conf:
+  gitlab:
+    submodule_branch: "development"
+    default_branch: development
+    mr_labels: ~"type::automation" ~"impact::0" ~"priority::0"
+    auto_merge: true

CHANGELOG.md

@@ -1,3 +1,133 @@
+## 0.1.0 (2023-11-06)
+
+### Bug Fixes
+
+- **ci**: [cab22ceb](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/cab22cebfa98d50774b4b433fed5f1727f596a26) - added automation config [ [!13](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/13) ]
+
+### Continious Integration
+
+- **automagic**: [b1b5fc20](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/b1b5fc20606dc0d87d860ae5ee64559307c6f3ea) - use template automagic for jobs [ [!12](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/12) [#5](https://gitlab.com/nofusscomputing/projects/docker-mail/-/issues/5) ]
+
+## 0.1.0rc3 (2023-05-24)
+
+### Bug Fixes
+
+- **docs**: [e872534a](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/e872534aec12c0905a7713532f36f6fde63b4730) - use docs path instead of pages [ [!10](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/10) [!26](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/26) ]
+- **mkdocs**: [9acc37ec](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/9acc37ec4f2286c06debbbfda0acb8a3bf04c998) - use correct edit path [ [!10](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/10) ]
+- **website**: [c2902063](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/c290206392836642af5a3b6ca1dad67abe799b42) - correct repo name [ [!10](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/10) ]
+- **docs**: [bfcb3469](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/bfcb346924b12411102fc58bec13aa7e0820a0ce) - add base files for navigation [ [!10](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/10) ]
+- **ci**: [235aa8d7](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/235aa8d7ccd19dcee44f56a27367113f2e4f5354) - must have index.md file for linting to start [ [!10](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/10) ]
+- **build**: [88689c87](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/88689c87ac84ba493652cbf22da934d5873c55b3) - ensure dovecot downloaded and installed [ [!10](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/10) ]
+- **build**: [9a0df52c](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/9a0df52cd9d2d0f8574801ca73e6b0a525531b30) - fix build logic [ [!10](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/10) ]
+- **publish**: [c30efc8b](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/c30efc8bd64f7d7702b71e3fed2acab915821f2c) - must specify docker publish details [ [!3](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/3) ]
+- [29c6d6f7](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/29c6d6f7304c6bca751d3904e37d2561ac9f01a1) - lock debian base image [ [!3](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/3) ]
+- **versions**: [840e2ad5](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/840e2ad5aead5effdb925dd640ce483782a11ca5) - update postfix [ [!3](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/3) ]
+- **repo**: [d6b2b5b4](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/d6b2b5b40ef2643005078807da7ca7dcce82505a) - lock dovecot repo to specified version [ [!3](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/3) ]
+
+### Code Refactor
+
+- **image**: [4c106025](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/4c106025d545d89cadef0bf019a86cbaf7dca00a) - reduce the number of layers [ [!10](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/10) ]
+- **dockerfile**: [1c6b3a36](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/1c6b3a3617cfcd0a781391c96d0265c2fb7eef3b) - use global var [ [!10](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/10) ]
+- **dockerfile**: [88bfc649](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/88bfc64940e7a2b7073c8ebe644afd06a4e2149c) - use args for apt software versions [ [!10](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/10) ]
+- **ci**: [300961aa](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/300961aaff303b1b4a6ea2f70b9c13fbf1831260) - update template path [ [!10](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/10) ]
+
+### Continious Integration
+
+- **gitlab**: [aa461590](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/aa461590a83065e81b3743e791975ebcad916874) - update to latest HEAD [ [!10](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/10) ]
+- **compile**: [808ca861](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/808ca861edc1080844cbfd61bd962020146cdcf0) - add dovecot compile job [ [!10](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/10) ]
+- **gitlab-ci**: [e2e704c5](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/e2e704c54588c6bddccfcd38c18f21a5bc863c78) - use dev branch and type docker container [ [!3](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/3) ]
+
+### Documentaton / Guides
+
+- **build**: [f22931e6](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/f22931e6f079657acc94f21e7e2d5c61410a150b) - added navigation for project [ [!10](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/10) ]
+
+### Features
+
+- **ci**: [80ccaaa6](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/80ccaaa6e7d875283770baff1b090b8807a65947) - trigger downstream website to build [ [!10](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/10) [!27](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/27) ]
+- **docs**: [6409627d](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/6409627daeb7ce6a131bd7205409c3f8c07f9986) - add website static page building [ [!10](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/10) [!25](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/25) ]
+- **build**: [7261769a](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/7261769a95a985b95a5f16142c0e461d0984174e) - dockerfile for compiling dovecot [ [!10](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/10) ]
+- **arm64**: [a866bd82](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/a866bd82b82ae6ec45a1121bed1a6dfd9f59f114) - build arm64 image using compiled bins [ [!10](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/10) ]
+- **amd64**: [676546f7](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/676546f71c13dcc8ddf7db7128b003b8f2416721) - use dovecot apt repo to install [ [!10](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/10) ]
+- **build**: [2b497fd2](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/2b497fd2cf7678e17f544ad38187486cc4efeaf3) - specify architecture [ [!10](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/10) ]
+
+## v0.1.0rc2 (2022-02-19)
+
+### Bug Fixes
+
+- **backup.sh**: [e8eb6f90](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/e8eb6f906f07b5044ec873327117dbf87e357797) - exclude unix sockets from backup [ [!9](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/9) ]
+- **backup**: [acccf247](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/acccf24774e100f0cda38941549099adc52b7b58) - ssl dir renamed to certs [ [!9](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/9) ]
+- **backup**: [93378dee](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/93378dee86abe5f1ee86e824f2543656e1826e64) - /var/spool/postfix needs to be backed up [ [!9](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/9) ]
+- **sa-learn**: [43f6a356](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/43f6a356bd7f458ee33955151ff5609c2b599a70) - amavis can't do bayes check if not mask 777 [ [!9](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/9) ]
+- **dovecot**: [e9fb4123](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/e9fb4123e9c6aad6d0793f4de0d21da46ba332fd) - sieve extensions debug error. [ [!9](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/9) ]
+- **cron**: [e9718c97](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/e9718c97a678223257c2450cede863757e376b90) - sa-learn must run as spamd user [ [!9](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/9) ]
+- **bayes_learn**: [967fd04f](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/967fd04fe7af6c3d5330357e18c1a76583163ede) - ensure journal is synced after scan [ [!9](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/9) ]
+- **file_permission**: [fbdf6efa](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/fbdf6efab73324aceebfc49ab37190adb9bc0af5) - set spamd to own spamassassin folder [ [!9](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/9) ]
+- **local_group**: [7f7a259a](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/7f7a259a820bdbb6025dfee93cfb8df5ad8dba0a) - amavis and opendkim added to vmail [ [!9](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/9) ]
+- **build**: [db03fc2e](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/db03fc2efaa418b28267fe532a0cc9c09d2e09ab) - corrected syntax error in dockerfile
+- **postfix**: [5f7095f2](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/5f7095f274e6fe3cf61d8b55e14eaa47f1d2ae4d) - only use the servers order of tls ciphers [ [!7](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/7) ]
+- **logrotate**: [3120ecf2](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/3120ecf2f5cb61011c321f6e41936e6a77c0686c) - ensure log rotate runs [ [!7](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/7) ]
+- **logrotate**: [6625d72a](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/6625d72a48bad7a6a50bc7e93d14470fbc6eacc6) - don't specify log extension [ [!7](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/7) ]
+- **dovecot**: [edadc477](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/edadc4779e445ff7036de05fc55607a035a53eb0) - ensure quota syntax is correct [ [!7](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/7) ]
+- **mailbox_quota**: [b3d80b41](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/b3d80b41ca7bd6a9b6c15f9d6ea09bbc206f4664) - ensure user quota visible. [ [!7](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/7) ]
+
+### Continious Integration
+
+- **docker_hub**: [3741b926](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/3741b92606281ddabfa9df50186818d54c0602e1) - fix rc release must be tagged 'dev' [ [!9](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/9) ]
+- [3bca896c](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/3bca896c29fdbe3d79cc12ef56785ef7c02394ca) - Add dockerhub url to environment [ [!7](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/7) ]
+
+### Features
+
+- **docker_container**: [22a987a5](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/22a987a5133e8e878f8c79e016e218ea5a8b76d1) - Ensure amavis data is a volume [ [!9](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/9) ]
+- **amavis**: [9f7ccabf](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/9f7ccabfa52dc71f14fa690ef9e7f0e3184f14c9) - don't allow user to send banned email [ [!9](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/9) ]
+- **amavis**: [c3739c4f](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/c3739c4f1964e4e315cd9eaa2a67e787aa121688) - Don't allow user to send spam/virus [ [!9](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/9) ]
+- **amavis**: [f6b7bae3](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/f6b7bae3eba7398ad6de11b9cb2b36594df6f891) - move policy bank to own config file [ [!9](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/9) ]
+- **amavis**: [7ec97502](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/7ec975021659fee5ebaa78332fef0d9533ee769d) - Add received header to message [ [!9](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/9) ]
+- **ssl_tls**: [2a222df7](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/2a222df7784e85f13a477c3859ca10709734c199) - updated dovecot and postfix accepted ciphers [ [!9](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/9) ]
+- **dovecot**: [396cb15a](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/396cb15addc8fd6de038da3a66d16891226b0363) - Disable SSL/TLS protocol logging [ [!9](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/9) ]
+- **postfix**: [24f10af6](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/24f10af6d6e16b75fc77cf4538033839058748ec) - prevent anonymous users on submission [ [!9](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/9) ]
+- **dovecot**: [274ade2d](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/274ade2d8407ff91e448bff4c838a67f53074dde) - log SSL/TLS porotocol errors [ [!9](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/9) ]
+- **dovecot**: [478336ca](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/478336ca686c7d6fdbd040d012126f3ad906f44b) - log failed authentication attempts [ [!9](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/9) ]
+- **postfix**: [4554e9e6](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/4554e9e66d688c417a06f1a808403f985e4a2a22) - specify my_networks as localhost ONLY [ [!7](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/7) ]
+- **postfix**: [41e03936](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/41e03936cc6e36473d0c962361d822d95ae69e86) - no compression or renegotiation [ [!7](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/7) ]
+- **submission**: [4c37932b](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/4c37932bf78fbc0af2e4c354fec0a1af037e5e77) - check user quota recipient restriction [ [!7](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/7) ]
+- **postfix**: [f90daea4](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/f90daea454fac0ccec781129128bbf40e43378a3) - enforce only reaying mail for auth destination [ [!7](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/7) ]
+- **postfix**: [1b168f07](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/1b168f07d56c89cf8e5635aa3d00429342914f15) - enforce SMTPD recipient restrictions [ [!7](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/7) ]
+- **postfix**: [58f42a79](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/58f42a7913625afda9550ce99328af9e8ede2df7) - Enforce SMTPD sender restrictions [ [!7](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/7) ]
+- **postfix**: [8c68163e](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/8c68163e9d6dd2edf94bba6159156dde115cc8f8) - introduce smtpd helo restrictions [ [!7](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/7) ]
+- **postfix**: [64258f2c](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/64258f2cd8b0a8febd63d585e9b3aa1fe5d88bd4) - enforce smtpd client restrictions [ [!7](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/7) ]
+- **quota_status**: [8f938bd3](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/8f938bd3ce1a5f432a97a2aae75592f39e82d28e) - use a unix socket for postfix [ [!7](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/7) ]
+
+## v0.1.0rc1 (2022-02-17)
+
+### Code Refactor
+
+- [bde6c054](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/bde6c054bbe4bea0a14509070fed9328138dbb1d) - conf config values updated [ [!6](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/6) ]
+- **amavis**: [53e0cdd1](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/53e0cdd17139bdd3e6df079edec3c88ef12a5c1a) - move dkim key config to own file [ [!4](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/4) ]
+- [3e30b278](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/3e30b2780ef53ef12d036d0e009bff19b96dd8e2) - ci code review suggestions [ [!2](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/2) ]
+- **amavis**: [d8e51085](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/d8e51085a1e0598e564030790b1d0fcf5dd8fb17) - seperate config for socket [ [!2](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/2) ]
+- **ssl**: [09aabeb6](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/09aabeb68aae478bd125e48b4bfaecaa7a97b1ae) - Moved /ssl to /certs [ [!2](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/2) ]
+
+### Continious Integration
+
+- **docker_hub**: [27ad07ea](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/27ad07ead345bbf7b0c929adbfd24947ef977e40) - fix dev push [ [!5](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/5) ]
+- **docker_hub**: [aafd9acc](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/aafd9acca9fe98bad1710a4af2f1b0eabadd6944) - ensure build and DH push works on merge [ [!4](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/4) ]
+- **docker_hub**: [36808960](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/36808960ce9a1369eebcaf0fe878d85bdbd37ced) - push a dev and latest tag to docker hub [ [!2](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/2) ]
+- **docker_hub**: [76c899e2](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/76c899e285f7ea816d6fc4c7e78644302b5921b3) - removed duplicate rules section [ [!2](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/2) ]
+- **docker_container**: [23830c85](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/23830c85510c5cff6da80fa6ab617b8580e29739) - set to allow failure [ [!2](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/2) ]
+
+### Documentaton / Guides
+
+- **spf**: [a71e7691](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/a71e7691a2188fb9372c2e7c9b32cb39adb4e8ce) - added basic spf guide [ [!6](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/6) ]
+- [be42d0ad](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/be42d0ad3ba83717a9c4e907a48fd087539e720f) - Addied initial documentation for dkim [ [!4](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/4) ]
+
+### Features
+
+- **amavis**: [92e4e4b2](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/92e4e4b2d55ab538eda937bc698d7a11961c47b6) - added DKIM verification [ [!6](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/6) ]
+- **spf**: [245aa724](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/245aa724d2d8121c7a758da6e086fe0a59c751d8) - conduct spf check for inbound smtp [ [!6](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/6) ]
+- **posfix**: [b795fe5b](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/b795fe5b67ecdfaa9390d2028478fd0b6570cfcc) - configure submission to dkim sign [ [!2](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/2) ]
+- **amavis**: [b9b2527a](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/b9b2527a42586843faea3ad074c1d34392b5d1d8) - Configured dkim [ [!2](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/2) ]
+- **dkim**: [72ee475b](https://gitlab.com/nofusscomputing/projects/docker-mail/-/commit/72ee475be7c459531762d489dd649d696a6f47be) - Added OpenDKIM to image [ [!2](https://gitlab.com/nofusscomputing/projects/docker-mail/-/merge_requests/2) ]
+
 ## v0.1.0rc0 (2022-02-14)
 
 ### Bug Fixes

README.md

@@ -77,6 +77,8 @@ This docker container is intended to be a fully fledged E-Mail Server. Dovecot a
 
     - Spam filtering
 
+    - [DKIM key signing](pages/dkim.md) _Note: [Key length requirements](https://datatracker.ietf.org/doc/html/rfc6376#section-3.3.3)_
+
 
 - General Features:
 

dockerfile

@@ -1,6 +1,55 @@
-FROM debian:bullseye-slim
 
 
+ARG CI_JOB_TOKEN
+ARG CI_API_V4_URL
+ARG CI_PROJECT_ID
+
+ARG DOVECOT_BUILD_VERSION=2.3.18
+ARG PIGEONHOLE_BUILD_VERSION=0.5.20
+
+ARG DEBIAN_FRONTEND=noninteractive
+
+ARG VERSION_APT_AMAVISD=1:2.11.1-5+deb11u1
+ARG VERSION_APT_CLAMAV=0.103.5+dfsg-0+deb11u1
+# 2:2.3.18-4+debian11
+ARG VERSION_APT_DOVECOT=2:$DOVECOT_BUILD_VERSION-4+debian11
+ARG VERSION_APT_FETCHMAIL=6.4.16-4+deb11u1
+ARG VERSION_APT_FAM=2.7.0-17.3
+ARG VERSION_APT_LIBNET_DNS_PERL=1.29-1
+ARG VERSION_APT_LIBMAIL_TOOLS_PERL=2.21-1
+ARG VERSION_APT_OPENDKIM=2.11.0~beta2-4+deb11u1
+ARG VERSION_APT_POSTFIX=3.5.25-0+deb11u1
+ARG VERSION_APT_POSTFIX_POLICYD_SPF_PYTHON=2.9.2-1+deb11u1
+ARG VERSION_APT_SPAMASSASSIN=3.4.6-1
+
+
+
+FROM --platform=$TARGETPLATFORM debian:11.7-slim as build
+
+
+ARG CI_JOB_TOKEN
+ARG CI_API_V4_URL
+ARG CI_PROJECT_ID
+
+ARG DOVECOT_BUILD_VERSION
+ARG PIGEONHOLE_BUILD_VERSION
+
+ARG DEBIAN_FRONTEND
+
+ARG VERSION_APT_AMAVISD
+ARG VERSION_APT_CLAMAV
+ARG VERSION_APT_DOVECOT
+ARG VERSION_APT_FETCHMAIL
+ARG VERSION_APT_FAM
+ARG VERSION_APT_LIBNET_DNS_PERL
+ARG VERSION_APT_LIBMAIL_TOOLS_PERL
+ARG VERSION_APT_OPENDKIM
+ARG VERSION_APT_POSTFIX
+ARG VERSION_APT_POSTFIX_POLICYD_SPF_PYTHON
+ARG VERSION_APT_SPAMASSASSIN
+
+#COPY apt_proxy.conf /etc/apt/apt.conf.d/apt_proxy.conf
+
 LABEL \
   #org.opencontainers.image.created="" \ # set during build with $(date --rfc-3339=seconds) \
   org.opencontainers.image.authors="No Fuss Computing" \ 
@@ -12,55 +61,42 @@ LABEL \
   org.opencontainers.image.vendor="No Fuss Computing" \
     #License(s) under which contained software is distributed as an SPDX License Expression.
   org.opencontainers.image.licenses="" \
-  org.opencontainers.image.title="No Fuss Computings docker mail server" \
-  org.opencontainers.image.description="A Complete mailserver in a container"
-
+  org.opencontainers.image.title="Docker Mail Server" \
+  org.opencontainers.image.description="A Complete mailserver in a container" \
+  io.artifacthub.package.license="MIT"
 
 
 # Install dependencies
-RUN apt update && DEBIAN_FRONTEND=noninteractive apt -y --no-install-recommends install \
+RUN apt update && apt -y --no-install-recommends install \
       curl \
       gpg \ 
       gpg-agent \ 
       apt-transport-https \
       ca-certificates \
-      supervisor
-
-RUN curl https://repo.dovecot.org/DOVECOT-REPO-GPG | gpg --import && \
-    gpg --export ED409DA1 > /etc/apt/trusted.gpg.d/dovecot.gpg
-
-RUN echo "deb https://repo.dovecot.org/ce-2.3-latest/debian/bullseye bullseye main" > /etc/apt/sources.list.d/dovecot.list
-
-RUN apt update && DEBIAN_FRONTEND=noninteractive apt -y --no-install-recommends install \
+      supervisor \
+    && apt -y --no-install-recommends install \
         # System Apps
       cron \
       rsyslog \
       logrotate \
-        # Dovecot
-      dovecot-core=2:2.3.18-4+debian11 \
-      dovecot-imapd=2:2.3.18-4+debian11 \
-      dovecot-lmtpd=2:2.3.18-4+debian11 \
-      dovecot-ldap=2:2.3.18-4+debian11 \
-      dovecot-sieve=2:2.3.18-4+debian11 \
-      dovecot-managesieved=2:2.3.18-4+debian11 \
         # Postfix
-      postfix=3.5.6-1+b1 \
-      postfix-ldap=3.5.6-1+b1 \
+      postfix=$VERSION_APT_POSTFIX \
+      postfix-ldap=$VERSION_APT_POSTFIX \
       libsasl2-modules \
       sasl2-bin \
         # Amavis
-      amavisd-new=1:2.11.1-5 \
-      spamassassin=3.4.6-1 \
-      spamc=3.4.6-1 \
+      amavisd-new=$VERSION_APT_AMAVISD \
+      spamassassin=$VERSION_APT_SPAMASSASSIN \
+      spamc=$VERSION_APT_SPAMASSASSIN \
         # Amavis decoders
       arj bzip2 cabextract cpio file gzip nomarch pax unzip zip xzdec lrzip lzop rpm2cpio unrar-free p7zip-full lz4 \
-#      clamav=0.103.5+dfsg-0+deb11u1 \
-#      clamav-daemon=0.103.5+dfsg-0+deb11u1 \
-      libmailtools-perl=2.21-1 \
-      fam=2.7.0-17.3 \
-      libnet-dns-perl=1.29-1 \
+#      clamav=$VERSION_APT_CLAMAV \
+#      clamav-daemon=$VERSION_APT_CLAMAV \
+      libmailtools-perl=$VERSION_APT_LIBMAIL_TOOLS_PERL \
+      fam=$VERSION_APT_FAM \
+      libnet-dns-perl=$VERSION_APT_LIBNET_DNS_PERL \
         # Fetchmail
-      fetchmail=6.4.16-4+deb11u1 \
+      fetchmail=$VERSION_APT_FETCHMAIL \
         # Perl Modules for fetchmail.pl
         # DBI
       libdbix-easy-perl \
@@ -71,13 +107,43 @@ RUN apt update && DEBIAN_FRONTEND=noninteractive apt -y --no-install-recommends
         # Sys::Syslog
       liblogger-syslog-perl \
         # LockFile::Simple
-      libio-lockedfile-perl
-
-
-# Cleanup, remove cron jobs not required
-RUN rm -f /etc/cron.d/e2scrub_all \
+      libio-lockedfile-perl \
+        # DKIM
+      opendkim=$VERSION_APT_OPENDKIM \
+      opendkim-tools=$VERSION_APT_OPENDKIM \
+        # SPF
+      postfix-policyd-spf-python=$VERSION_APT_POSTFIX_POLICYD_SPF_PYTHON; \
+        # Dovecot
+    if [ "0$(echo `dpkg --print-architecture`)" = "0amd64" ]; then \
+        echo "[DEBUG] installing dovecot via APT"; \
+        curl https://repo.dovecot.org/DOVECOT-REPO-GPG | gpg --import && \
+          gpg --export ED409DA1 > /etc/apt/trusted.gpg.d/dovecot.gpg; \
+        echo "deb https://repo.dovecot.org/ce-$DOVECOT_BUILD_VERSION/debian/bullseye bullseye main" > /etc/apt/sources.list.d/dovecot.list; \
+        apt update; \
+        apt -y --no-install-recommends install \
+          dovecot-core=$VERSION_APT_DOVECOT \
+          dovecot-imapd=$VERSION_APT_DOVECOT \
+          dovecot-lmtpd=$VERSION_APT_DOVECOT \
+          dovecot-ldap=$VERSION_APT_DOVECOT \
+          dovecot-sieve=$VERSION_APT_DOVECOT \
+          dovecot-managesieved=$VERSION_APT_DOVECOT; \
+      else \
+        echo "[DEBUG] installing dovecot via compiled binaries"; \
+        # as this architecture doesn't exist in the apt repo, use compiled versions
+        adduser --system --group dovecot --no-create-home; \
+        cd tmp; \
+        curl --header "JOB-TOKEN: ${CI_JOB_TOKEN}" \
+            "https://gitlab.com/api/v4/projects/${CI_PROJECT_ID}/packages/generic/dovecot/${DOVECOT_BUILD_VERSION}/dovecot-core_${DOVECOT_BUILD_VERSION}-1_$(echo `dpkg --print-architecture`).deb" -o "dovecot-core_${DOVECOT_BUILD_VERSION}-1_$(echo `dpkg --print-architecture`).deb"; \
+        curl --header "JOB-TOKEN: $CI_JOB_TOKEN" \
+            "https://gitlab.com/api/v4/projects/$CI_PROJECT_ID/packages/generic/dovecot/${DOVECOT_BUILD_VERSION}/dovecot-pigeonhole_${DOVECOT_BUILD_VERSION}-1_$(echo `dpkg --print-architecture`).deb" -o "dovecot-pigeonhole_${DOVECOT_BUILD_VERSION}-1_$(echo `dpkg --print-architecture`).deb"; \
+        dpkg -i dovecot-core_${DOVECOT_BUILD_VERSION}-1_$(echo `dpkg --print-architecture`).deb; \
+        cp /usr/local/share/doc/dovecot/example-config/dovecot.conf /etc/dovecot/; \
+        dpkg -i dovecot-pigeonhole_$DOVECOT_BUILD_VERSION-1_$(echo `dpkg --print-architecture`).deb; \
+      fi \
+    && rm -f /etc/cron.d/e2scrub_all \
     && rm -f /etc/cron.daily/apt-compat \
-    && rm -f /etc/cron.daily/dpkg
+    && rm -f /etc/cron.daily/dpkg \
+    && rm -f /etc/cron.daily/logrotate
 
 
 COPY include/ /
@@ -91,14 +157,14 @@ RUN chmod +x /docker-entrypoint.sh \
     && chown root:root /backup \
     && chmod 700 /backup \
       # create SSL directory for ssl certificates
-    && mkdir -p /ssl \
+    && mkdir -p /certs \
       # Ensure scripts are executable
     && chmod +x /bin/backup.sh \
       # Dovecot related commands
     && mkdir -p /srv/mail \ 
     && chown vmail:vmail /srv/mail \
     && chmod 765 -R /srv/mail \
-    && mkdir -p /ssl/dovecot \
+    && mkdir -p /certs/dovecot \
     && chown dovecot:dovecot -R /etc/dovecot/ \
     && chgrp postfix -R /etc/dovecot/sieve/ \
     && chmod 0755 -R /etc/dovecot/sieve/ \
@@ -109,28 +175,36 @@ RUN chmod +x /docker-entrypoint.sh \
     && chmod 744 /etc/dovecot/dovecot-acl \
       # Postfix related commands
     && usermod -a -G vmail postfix \
-    && mkdir -p /ssl/postfix \
+    && mkdir -p /certs/postfix \
     && ln -s /etc/dovecot/dovecot-ldap.conf.ext /etc/dovecot/dovecot-ldap-userdb.conf.ext \
       # ensure postfix related scripts are executable
     && chmod +x /bin/postfix.sh \
       # check if needed
-    && mkdir -p /var/spool/postfix/private/dovecot \
+    && mkdir -p /var/spool/postfix/private/dovecot /var/lib/dovecot \
     && chown postfix:postfix /var/spool/postfix/private/dovecot \
     && chown vmail:vmail /var/lib/dovecot \
       # Spammassassin related Commands
     && mkdir -p /var/spool/spamassassin \
     && chmod 777 /var/spool/spamassassin \
+    && usermod -a -G vmail debian-spamd \
+    && chown debian-spamd:vmail -R /var/spool/spamassassin \
       # Ensure spamassassin related scripts are executable
     && chmod +x /bin/spam-learn.sh \
        # fetchmail.pl setup
     && curl -o /bin/fetchmail.pl https://raw.githubusercontent.com/postfixadmin/postfixadmin/8f20c96278a694a7e0bb570f1d56c208105e5a14/ADDITIONS/fetchmail.pl \
     && chmod +x /bin/fetchmail.pl \
     && mkdir -p /var/run/fetchmail \
-    && mkdir -p /var/lock/fetchmail
+    && mkdir -p /var/lock/fetchmail \
+      # Amavis DKIM related commands
+    && mkdir -p /certs/amavis/dkim/ \
+    && chown root:amavis /certs/amavis/dkim/ \
+    && chmod 750 /certs/amavis/dkim/ \
+    && usermod -a -G vmail amavis \
+    && usermod -a -G vmail opendkim
         
 
 # Setup data volumes
-VOLUME /srv/mail /ssl /var/spool/spamassassin /backup /var/log
+VOLUME /srv/mail /certs /var/spool/postfix /var/spool/spamassassin /var/lib/amavis /backup /var/log
 
 # Configure postfix
 RUN postconf -e "maillog_file=/var/log/postfix.log" \
@@ -142,6 +216,8 @@ RUN postconf -e "maillog_file=/var/log/postfix.log" \
   && postconf -e "virtual_mailbox_domains=ldap:/etc/postfix/ldap/virtual_email_domains" \
   # postfix user mapping 
   && postconf -e "virtual_alias_maps=ldap:/etc/postfix/ldap/virtual_alias_maps" \
+    # Only trust localhost
+  && postconf -e "mynetworks_style = host" \
   # by default encryption is optional
   && postconf -e "smtpd_tls_security_level=may" \
   # log outbound tls connection information
@@ -168,19 +244,35 @@ RUN postconf -e "maillog_file=/var/log/postfix.log" \
   && postconf -e "always_add_missing_headers=yes" \
   # Only add missing headers for authenticated users (mail users) and my networks and mail orginating from localhost
   && postconf -e "local_header_rewrite_clients=permit_sasl_authenticated,permit_mynetworks,permit_inet_interfaces" \
-  # check quota before delivery
-  && postconf -e "smtpd_recipient_restrictions=check_policy_service=inet:localhost:12340" \
   # set tls settings
-  && postconf -e "smtpd_tls_cert_file=/ssl/postfix/cert.pem" \
-  && postconf -e "smtpd_tls_key_file=/ssl/postfix/key.pem" \
+  && postconf -e "tls_preempt_cipherlist = yes" \
+  && postconf -e "tls_ssl_options = NO_COMPRESSION, NO_RENEGOTIATION" \
+  && postconf -e "smtpd_tls_cert_file=/certs/postfix/cert.pem" \
+  && postconf -e "smtpd_tls_key_file=/certs/postfix/key.pem" \
   && postconf -e "smtpd_helo_required = yes" \
   && postconf -e "smtpd_delay_reject = yes" \
   && postconf -e "disable_vrfy_command = yes" \
   # use secure protocols and cyphers
+  # Generated by https://ssl-config.mozilla.org/
+  #&& postconf -e "smtpd_tls_mandatory_ciphers=high" \
   && postconf -e "smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1" \
   && postconf -e "smtp_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1" \
-  && postconf -e "smtpd_tls_mandatory_ciphers=high" \
-  && postconf -e "smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1"
+  && postconf -e "smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1" \
+  && postconf -e "tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" \
+     # SPF postfix Settings
+  && postconf -e "policyd-spf_time_limit=3600" \
+    # Connection defaults to reject where possible/advised
+    # Client command restrictions
+  && postconf -e "smtpd_client_restrictions=reject_unauth_destination,reject_unauth_pipelining,permit_mynetworks,permit_auth_destination,reject" \
+    # HELO/EHLO restrictions
+  && postconf -e "smtpd_helo_restrictions=permit_mynetworks,reject_invalid_helo_hostname,permit" \
+    # MAIL FROM restrictions
+  && postconf -e "smtpd_sender_restrictions=permit_mynetworks,reject_non_fqdn_sender,permit" \
+    # RCPT TO restrictions
+  && postconf -e "smtpd_recipient_restrictions=permit_mynetworks,reject_non_fqdn_recipient,reject_unknown_recipient_domain,reject_unauth_destination,check_policy_service,unix:private/policyd-spf,check_policy_service unix:private/quota,permit_auth_destination,reject" \
+    # RCPT TO restrictions
+  && postconf -e "smtpd_relay_restrictions=reject_non_fqdn_recipient,permit_auth_destination,reject" \
+  && postconf -e "smtpd_sasl_security_options = noanonymous"
     
 EXPOSE 25 587 993 4190
 
@@ -189,9 +281,10 @@ ENTRYPOINT ["/docker-entrypoint.sh"]
 
 
 # testing software
-RUN apt update && DEBIAN_FRONTEND=noninteractive apt -y --no-install-recommends install \
+RUN apt update && apt -y --no-install-recommends install \
       procps \
       vim \
       iputils-ping \
-      python3-ldap
+      python3-ldap \
+      net-tools
 #    && freshclam

dockerfile-compile

@@ -0,0 +1,135 @@
+
+ARG CI_JOB_TOKEN
+ARG CI_API_V4_URL
+ARG CI_PROJECT_ID
+
+ARG DOVECOT_BUILD_VERSION=2.3.18
+ARG PIGEONHOLE_BUILD_VERSION=0.5.20
+
+ARG DEBIAN_FRONTEND=noninteractive
+
+
+
+FROM --platform=$TARGETPLATFORM debian:11.7-slim as compile-dovecot
+# ref: https://doc.dovecot.org/installation_guide/dovecot_community_repositories/compiling_source/
+
+
+ARG CI_JOB_TOKEN
+ARG CI_API_V4_URL
+ARG CI_PROJECT_ID
+
+ARG DOVECOT_BUILD_VERSION
+ARG PIGEONHOLE_BUILD_VERSION
+
+ARG DEBIAN_FRONTEND
+
+
+RUN export && apt update \
+  && apt -y install --reinstall --fix-missing \
+      wget \
+      autoconf \
+      automake \
+      libtool \
+      pkg-config \
+      gettext \
+      pandoc \
+      make \
+      git \
+      ca-certificates \
+      libssl-dev \
+      bison \
+      flex \
+      curl \
+      checkinstall \
+      zlib1g-dev 
+
+
+RUN mkdir -p /tmp/build \
+    && cd /tmp/build \
+    && git clone --depth=1 -b release-${DOVECOT_BUILD_VERSION} https://github.com/dovecot/core.git dovecot
+
+
+RUN cd /tmp/build/dovecot \
+    && ./autogen.sh \
+    && ./configure --enable-maintainer-mode --sysconfdir=/etc \
+    # && make \
+    && ls -la
+
+RUN /bin/mkdir -p '/usr/local/lib/dovecot' \
+                  '/usr/local/share/dovecot/stopwords' \
+                  '/usr/local/libexec/dovecot' \
+                  '/usr/local/lib/dovecot/auth' \
+                  '/usr/local/lib/dovecot/old-stats' \
+                  '/usr/local/lib/dovecot/doveadm' \
+                  '/usr/local/share/doc/dovecot/wiki' \
+                  '/usr/local/share/doc/dovecot/example-config/conf.d'
+
+
+RUN cd /tmp/build/dovecot && checkinstall --pkgname=dovecot-core --pkgversion=${DOVECOT_BUILD_VERSION} --pkgarch=$(echo `dpkg --print-architecture`) -D -y \
+    && ls -la
+
+
+RUN cd /tmp/build/dovecot && curl --header "JOB-TOKEN: $CI_JOB_TOKEN" --verbose \
+     --upload-file dovecot-core_${DOVECOT_BUILD_VERSION}-1_$(echo `dpkg --print-architecture`).deb \
+     "https://gitlab.com/api/v4/projects/$CI_PROJECT_ID/packages/generic/dovecot/${DOVECOT_BUILD_VERSION}/dovecot-core_${DOVECOT_BUILD_VERSION}-1_$(echo `dpkg --print-architecture`).deb"
+
+
+
+
+
+FROM --platform=$TARGETPLATFORM debian:11.7-slim as compile-pigeonhole
+# ref: https://doc.dovecot.org/installation_guide/dovecot_community_repositories/compiling_source/
+
+
+ARG CI_JOB_TOKEN
+ARG CI_API_V4_URL
+ARG CI_PROJECT_ID
+
+ARG DOVECOT_BUILD_VERSION
+ARG PIGEONHOLE_BUILD_VERSION
+
+ARG DEBIAN_FRONTEND
+
+
+RUN export && apt update \
+  && apt -y install --reinstall --fix-missing \
+      wget \
+      autoconf \
+      automake \
+      libtool \
+      pkg-config \
+      gettext \
+      pandoc \
+      make \
+      git \
+      ca-certificates \
+      libssl-dev \
+      bison \
+      flex \
+      curl \
+      checkinstall \
+      zlib1g-dev 
+
+
+
+RUN cd tmp && curl --header "JOB-TOKEN: $CI_JOB_TOKEN" \
+            "https://gitlab.com/api/v4/projects/$CI_PROJECT_ID/packages/generic/dovecot/${DOVECOT_BUILD_VERSION}/dovecot-core_${DOVECOT_BUILD_VERSION}-1_$(echo `dpkg --print-architecture`).deb" -o "dovecot-core_${DOVECOT_BUILD_VERSION}-1_$(echo `dpkg --print-architecture`).deb" \
+            && dpkg -i dovecot-core_$DOVECOT_BUILD_VERSION-1_$(echo `dpkg --print-architecture`).deb
+
+RUN mkdir -p /tmp/build \
+  && cd /tmp/build/ && git clone -b $PIGEONHOLE_BUILD_VERSION --depth=1 https://github.com/dovecot/pigeonhole.git pigeonhole \
+  && cd pigeonhole \
+  && ./autogen.sh \
+  && ./configure --sysconfdir=/etc --with-dovecot-install-dirs \
+  # && make \
+  && mkdir -p '/usr/local/lib/dovecot/sieve' \
+              '/usr/local/lib/dovecot/settings' \
+              '/usr/local/share/doc/dovecot/example-config'  \
+              '/usr/local/share/doc/dovecot/sieve/extensions'
+
+RUN cd /tmp/build/pigeonhole && checkinstall --pkgname=dovecot-pigeonhole --pkgversion=${DOVECOT_BUILD_VERSION} --pkgarch=$(echo `dpkg --print-architecture`) -D -y
+
+RUN cd /tmp/build/pigeonhole && curl --header "JOB-TOKEN: $CI_JOB_TOKEN" --verbose \
+     --upload-file dovecot-pigeonhole_${DOVECOT_BUILD_VERSION}-1_$(echo `dpkg --print-architecture`).deb \
+     "https://gitlab.com/api/v4/projects/$CI_PROJECT_ID/packages/generic/dovecot/${DOVECOT_BUILD_VERSION}/dovecot-pigeonhole_${DOVECOT_BUILD_VERSION}-1_$(echo `dpkg --print-architecture`).deb"
+

docs/projects/docker-mail/dkim.md

@@ -0,0 +1,181 @@
+---
+title: Amavis DKIM Signing configuration
+Description: How to configure DKIM for No Fuss Computings mail server.
+date: 2022-02-16
+template: project.html
+about: https://gitlab.com/nofusscomputing/projects/docker-mail
+---
+
+To utilise DKIM message signing for outbound mail (leaving the server), you will need to configure dkim to use your certificates.
+
+This document assumes that your are familar with amavis and DKIM E-Mail signing. Without this assumed knowledge, there may be uninteded consequences.
+
+
+## DKIM Key creation
+
+You will be required to generate your DKIM signing certificates for the E-Mail domains that you utilise. The recommended location for DKIM keys is `/certs/amavis/dkim`, this ensures they are included in the backups.
+
+``` bash title="bash"
+
+$ amavisd-new genrsa /certs/amavis/dkim/example.org.dkim.pem 2048 # (1)!
+
+$ chmod g+r /certs/amavis/dkim/example.org.dkim.pem # (2)!
+
+$ chgrp amavis /certs/amavis/dkim/example.org.dkim.pem # (2)!
+
+```
+
+1. create your DKIM Key
+
+    is an RSA Key
+
+    has a key of length 2048 bits _[See RFC6376 - Key Sizes](https://datatracker.ietf.org/doc/html/rfc6376#section-3.3.3)_
+
+    saved to location `/certs/amavis/dkim/` with a name of `example.org.dkim.pem`
+
+    The filename is crucial and has some requirements:
+
+    - `example.org` set to your E-Mail domain name.
+
+    - `dkim` is the key selector that will be utilised during the amavis configuration
+
+    - `.pem` is the file extension
+
+    For example: if you have a E-Mail domain called `myemail.com` and wanted to use a key selector of `q2` for second quarter of teh year, you would use command `amavisd-new genrsa /certs/amavis/dkim/myemail.com.q2.pem 2048` to create your dkim signing key. _not forgetting that `q2` needs to be added to your amavis config, see below_
+
+2. Set the permissions for your dkim signing key to only be accessable to amavis
+
+
+## Configuring Amavis
+
+To configure amavis, you will be required to create a confiuguration file with your E-Mail domain settings. you can name this file anything you wish, as long as the filename is oredered after `90-dkim`. The configuration file needs to be located in `/etc/amavis/conf.d/` and amavis will need to be restarted `supervisorctl restart amavis` for the configuration to take effect.
+
+!!! tip Note
+    Ensure you adjust all occurances of `example.org` to match your E-Mail domain
+
+
+``` conf title="/etc/amavis/conf.d/99-dkim-keys"
+
+dkim_key(
+    'example.org', # (1)!
+    'dkim', # (2)!
+    '/certs/amavis/dkim/example.org.dkim.pem' # (3)!
+);
+
+
+@dkim_signature_options_bysender_maps = (
+    {
+        "example.org" => { # (1)!
+            s   => 'dkim', # (2)! # (4)!
+            d   => 'example.org', # (1)!
+            a   => 'rsa-sha256', # (5)!
+            ttl => 30*24*3600 # (6)!
+        }
+    }
+);
+
+```
+
+1. Adjust to suit your domain name
+
+2. This is the key selector _located in the filename, `{E-Mail domain}.{key_selector}.pem`_.
+
+3. This is the location of the DKIM Signing key. This must match the name given during key generation.
+
+4. This is the key selector. Only this key will be used to sign the E-Mails if it matches the E-Mail domain name.
+
+5. This is the key signing algorithm
+
+6. This is the signed E-Mail validity duration `30*24*3600` = `30 days * 24 hours * seconds in one hour`. This value is used to set the E-Mails signature validation period.
+
+!!! Tip
+    you can add as many `dkim_key` sections to your config as required.
+
+!!! note
+    if you don't place a domain entry in `@dkim_signature_options_bysender_maps` that matches your E-Mail domain, any email sent from that domain will not be dkim signed. You can specify `'.'` for the domain entry to capture all domains.
+
+Once configuration is complete issue command `supervisorctl restart amavis` to load the config changes
+
+
+## Configuring DNS
+
+Once you have configured Amavis and created your DKIM keys, you will need to configure DNS. For this you will require the DKIM Key information. Since we are using Amavis, issue command `amavisd-new showkeys` to display your keys and the required dns config.
+
+``` bash title="DNS Configuration"
+
+$ amavisd-new showkeys
+; key#1 4096 bits, i=dkim, d=example.org, /certs/amavis/dkim/example.org.dkim.pem
+dkim._domainkey.example.org.    3600 TXT (
+  "v=DKIM1; p="
+  "MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEArP2MsM5q9IbgVTxwj0nA"
+  "2Iqa8NsL5L72TGEnBib8nusfoFWw5G8yGpAkterD7w9hIhCiRbpXakzQ8a9vrsnF"
+  "HsQph79d02mAndE9VS3b+dxABzGKNWdRszrKHDb4q8OeX+g6fsPlPlIOb1ngg4qo"
+  "oVJTlswV3KacE7OwGq1ZRy8X6CIAjzeiC3x7qiBH5Yxi895i7GLeTwMKQY8mIv1Z"
+  "iLVoNcH5lpB3FOJFWtXiztpkQaLLVY/YQAGzwRnWQHcqRd6ybtf9q34ADYhq1gZb"
+  "NC6GOnkets6mv2o7daTQ78Sr+GO2/4DpciXGIDB8QbbX4Qh0kaazEqx9HlGG7MC2"
+  "TdyIjmMF0pzI9qjVDdkXvwFJLLyIDP4Y4DgGuVHi/+Zdi9YtxcWrKpb8Zv+32xgU"
+  "Qvz8EQt03upcpxB0aVRkK1I6GYKYr3I0uhYhfBZdUonUkxaklcnrQZVsooo+xont"
+  "MMyPbPM6HYf0KJZCxGa6AYrIiYlnj7giudVTJdvA1J3IOQEGjq0tRmH0id/Qv2F5"
+  "Po5zMEPMtx/pcWcqEJEC7/phgboQ3vkZYf/lCqZ8T2JXAIE9ujQFTFE86v+pXhVf"
+  "98/oY4n5PN9LYfaflkTOmWyfig/qQ7mCjxdaYnOko9hlUnaRGrG5d6Dfy16qFt64"
+  "PYEseCN67yeWZz8r1NaZHckCAwEAAQ==")
+$ 
+
+```
+
+1. Using the example output from the above command, displays the required DNS txt entry.
+
+    Create a DNS `TXT` entry named `dkim._domainkey.example.org` The breakdown of this name is as follows `{key selector}._domainkey.{domain name}`
+
+    !!! note
+        if you have configured amavis correctly, the selector and domain name will match your E-Mail domain.
+
+    Give it a TTL of at least `3600`. Any value can be set here. However understand that if the duration is too long, if you need to change your key, the ttl period will need to pass before any cached look ups will expire.
+
+    enter the value of (obviously, use the output of your command run):
+
+    ``` text
+    "v=DKIM1; p="
+      "MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEArP2MsM5q9IbgVTxwj0nA"
+      "2Iqa8NsL5L72TGEnBib8nusfoFWw5G8yGpAkterD7w9hIhCiRbpXakzQ8a9vrsnF"
+      "HsQph79d02mAndE9VS3b+dxABzGKNWdRszrKHDb4q8OeX+g6fsPlPlIOb1ngg4qo"
+      "oVJTlswV3KacE7OwGq1ZRy8X6CIAjzeiC3x7qiBH5Yxi895i7GLeTwMKQY8mIv1Z"
+      "iLVoNcH5lpB3FOJFWtXiztpkQaLLVY/YQAGzwRnWQHcqRd6ybtf9q34ADYhq1gZb"
+      "NC6GOnkets6mv2o7daTQ78Sr+GO2/4DpciXGIDB8QbbX4Qh0kaazEqx9HlGG7MC2"
+      "TdyIjmMF0pzI9qjVDdkXvwFJLLyIDP4Y4DgGuVHi/+Zdi9YtxcWrKpb8Zv+32xgU"
+      "Qvz8EQt03upcpxB0aVRkK1I6GYKYr3I0uhYhfBZdUonUkxaklcnrQZVsooo+xont"
+      "MMyPbPM6HYf0KJZCxGa6AYrIiYlnj7giudVTJdvA1J3IOQEGjq0tRmH0id/Qv2F5"
+      "Po5zMEPMtx/pcWcqEJEC7/phgboQ3vkZYf/lCqZ8T2JXAIE9ujQFTFE86v+pXhVf"
+      "98/oY4n5PN9LYfaflkTOmWyfig/qQ7mCjxdaYnOko9hlUnaRGrG5d6Dfy16qFt64"
+      "PYEseCN67yeWZz8r1NaZHckCAwEAAQ=="
+    ```
+
+    !!! tip Note
+        If you have multiple keys, the above command will output all of the keys and selectors that was configured within amavis.
+
+2. once dns is configured, you can test the DNS entries and amavis config with the following command `amavisd testkeys` if the tests pass, you have configured it properly.
+
+
+## Changing DKIM Keys
+
+To change your DKIM keys, generate new ones, ensuring you utilise a differently named selector and update `99-dkim-keys` with your new key details. You will also be required to update the DNS entries.
+
+!!! alert Danger
+    If you reconfigure amavis to sign your E-Mails with a new key before the DNS changes take effect (before cache expires), you run the risk of having your E-Mails fail the receiving servers DKIM checks.
+    It is recommended that you do the following:
+    
+        1. generate the new key, add it to a new `dkim_key` section in file `99-dkim-keys`
+
+        2. run `amavisd-new showkeys` to get your dns config. Reconfigure DNS with the new key
+
+        3. wait 24 hours
+
+        5. Prevent users from sending emails (or do after hours when the mail server would normally be quite)
+
+        3. edit the `s` to match the new key selector and `d` value to match the domain name in the new key file in section `@dkim_signature_options_bysender_maps` in file `99-dkim-keys`
+
+        6. restart amavis with `supervisorctl restart amavis`
+
+        7. test the config with `amavisd testkeys`. if the tests pass, thumbs up.
+
+        8. you are good to go.

docs/projects/docker-mail/index.md

@@ -0,0 +1,7 @@
+---
+title: No Fuss Computings Dockr Mail Server
+description: How to use No Fuss Computings Dcokerized E-Mail Server
+date: 2023-05-22
+template: project.html
+about: https://gitlab.com/nofusscomputing/projects/docker-mail
+---

docs/projects/docker-mail/spf.md

@@ -0,0 +1,41 @@
+---
+title: SPF configuration
+Description: How to configure SPF for No Fuss Computings docker mail server.
+date: 2022-02-17
+template: project.html
+about: https://gitlab.com/nofusscomputing/projects/docker-mail
+---
+
+Sender Policy Framework (SPF) is defined in [RFC7208, Sender Policy Framework (SPF) for Authorizing Use of Domains in Email](https://datatracker.ietf.org/doc/html/rfc7208).
+
+DNS SPF text record example:
+
+``` text
+
+IN    TXT    "v=spf1 mx a ip4:192.168.0.100 ip6:2001:ef3:2911::/64"
+                 " a:mail.example.org a:mail2.example.org -all"
+
+```
+
+1. `v=spf1` Version attribute. only v1 available.
+
+2. `mx` `a` DNS record type. This indicated that `mx` and `a` records within the domain are authorized senders.
+
+3. `ip4:192.168.0.100` indicates that an ipv4 address as specified is authorized as a sender.
+
+4. `ip6:2001:ef3:2911::/64` Sepcifies that an ipv6 subnet is authorized as a sender
+
+5. `-all` specifies a fail if the sender doesn't match what is specified in the record. other valid qualifiers are "+" pass, "-" fail, "~" softfail, "?" neutral
+
+!!! tip
+    To allow only specified MX DNS records to be the only specified senders, create a record as follows:
+
+    ``` text
+    IN    TXT    "v=spf1 mx -all"
+    ```
+
+    If your MX servers only receive mail, then this option is not suitable. you'll have to use the hostname of the receiving server.
+
+    ``` text
+    IN    TXT    "v=spf1 a:mail.example.org -all"
+    ```

include/bin/backup.sh

@@ -8,13 +8,16 @@ back_file_name="mail_server-$backup_version-$(date +%Y-%m-%d-%H%M-%Z).tar.gz"
 start=$(date '+%s')
 
 includes=(/srv/mail)
-includes+=(/ssl)
+includes+=(/certs)
+includes+=(/var/spool/postfix)
 includes+=(/var/spool/spamassassin)
 includes+=(/var/log)
 includes+=(/var/lib/amavis)
 
 
-backup_command="tar -czpvf $back_file_name ${includes[@]}"
+excludes=(--exclude=*.sock)
+
+backup_command="tar -czpvf $back_file_name ${excludes[@]} ${includes[@]}"
 
 cd /tmp
 

include/bin/spam-learn.sh

@@ -16,9 +16,9 @@ SPAM_REPORT=''
 for i in /srv/mail/* ; do
   if [ -d "$i" ]; then
 
-    HAM_REPORT=$(printf "$HAM_REPORT\n\nMailbox: $i\n    $(sa-learn --ham --showdots --no-sync $i/mail/cur)\n")
+    HAM_REPORT=$(printf "$HAM_REPORT\n\nMailbox: $i\n    $(sa-learn --ham --showdots --sync $i/mail/cur)\n")
 
-    SPAM_REPORT=$(printf "$SPAM_REPORT\n\nMailbox: $i\n    $(sa-learn --spam --showdots --no-sync $i/mail/Spam/cur)\n")
+    SPAM_REPORT=$(printf "$SPAM_REPORT\n\nMailbox: $i\n    $(sa-learn --spam --showdots --sync $i/mail/Spam/cur)\n")
 
   fi
 done

include/docker-entrypoint.sh

@@ -33,25 +33,47 @@ done
 
 mkdir -p /var/lock/fetchmail
 
+chown debian-spamd:vmail -R /var/spool/spamassassin
+
+chmod 777 /var/spool/spamassassin
+
 if [ "$1" == "setup" ]; then
 
 
+
+if [ ! -f /certs/amavis/dkim/example.org.dkim.pem ]; then
+
+        echo "[WARNING] Creating DKIM Cert, example.org. Consider Creating your own";
+
+        amavisd-new genrsa /certs/amavis/dkim/example.org.dkim.pem 4096;
+
+        chmod g+r /certs/amavis/dkim/example.org.dkim.pem;
+
+        chgrp amavis /certs/amavis/dkim/example.org.dkim.pem;
+
+        amavisd-new showkeys example.org;
+    fi
+
+
+    supervisorctl start amavis;
+
+
 postconf -e "myhostname = $(`echo hostname -f`)"
 
 
-    if [ ! -f /ssl/dovecot/key.pem ]; then
+    if [ ! -f /certs/dovecot/key.pem ]; then
 
         echo "[WARNING] Creating Self-signed TLS Cert. Consider using letsencrypt or another trusted CA"
 
-        openssl req  -nodes -new -x509 -keyout /ssl/dovecot/key.pem -out /ssl/dovecot/cert.pem -subj '/CN=localhost'
+        openssl req  -nodes -new -x509 -keyout /certs/dovecot/key.pem -out /certs/dovecot/cert.pem -subj '/CN=localhost'
 
     fi
 
-    if [ ! -f /ssl/dovecot/dh.pem ]; then
+    if [ ! -f /certs/dovecot/dh.pem ]; then
 
         echo "[Information] Creating DHPEM Key"
 
-        openssl dhparam -out /ssl/dovecot/dh.pem 4096
+        openssl dhparam -out /certs/dovecot/dh.pem 2048
 
     fi
 
@@ -68,11 +90,11 @@ postconf -e "myhostname = $(`echo hostname -f`)"
     sed -i -r -e 's/^\$manpage_directory/#$manpage_directory/' /etc/postfix/postfix-files.d/*
 
 
-    if [ ! -f /ssl/postfix/key.pem ]; then
+    if [ ! -f /certs/postfix/key.pem ]; then
 
         echo "[WARNING] Creating Self-signed TLS Cert. Consider using letsencrypt or another trusted CA"
 
-        openssl req  -nodes -new -x509 -keyout /ssl/postfix/key.pem -out /ssl/postfix/cert.pem -subj '/CN=localhost'
+        openssl req  -nodes -new -x509 -keyout /certs/postfix/key.pem -out /certs/postfix/cert.pem -subj '/CN=localhost'
 
     fi
 

include/etc/amavis/conf.d/40-socket

@@ -0,0 +1,10 @@
+#
+# Socket config
+#
+
+# Listening socket
+#   10023 - Submission, Outbound mail
+#   10024 - SMTP, Inbound mail
+
+$inet_socket_port = [10023, 10024]
+

include/etc/amavis/conf.d/50-user

@@ -30,7 +30,7 @@ $sa_dsn_cutoff_level = 10;   # spam level beyond which a DSN is not sent
 $spam_quarantine_to       = undef;
 
 # disable the "Received" headers to be added to the mail header
-$allowed_added_header_fields{lc('Received')} = 0;
+#$allowed_added_header_fields{lc('Received')} = 0;
 
 
 #------------ Do not modify anything below this line -------------

include/etc/amavis/conf.d/60-policy-bank-submission

@@ -0,0 +1,11 @@
+
+$interface_policy{'10023'} = 'SUBMISSION';
+
+$policy_bank{'SUBMISSION'} = {
+    originating => 1,
+    smtpd_discard_ehlo_keywords => ['8BITMIME'],
+    final_banned_destiny => D_BOUNCE, # Bounce so user is notified
+    final_spam_destiny => D_BOUNCE, # Bounce so user is notified
+    final_virus_destiny => D_BOUNCE, # Bounce so user is notified
+};
+

include/etc/amavis/conf.d/90-dkim

@@ -0,0 +1,4 @@
+
+$enable_dkim_signing = 1;
+
+$enable_dkim_verification = 1;

include/etc/amavis/conf.d/99-dkim-keys

@@ -0,0 +1,18 @@
+dkim_key(
+    'example.org',
+    'dkim',
+    '/certs/amavis/dkim/example.org.dkim.pem'
+);
+
+
+@dkim_signature_options_bysender_maps = (
+    {
+        "example.org" => {
+            s   => 'dkim',
+            d   => 'example.org',
+            a   => 'rsa-sha256',
+            ttl => 10*24*3600
+        }
+    }
+);
+

include/etc/cron.d/logrotate

@@ -0,0 +1,6 @@
+#
+#  Run Log rotate 
+#
+# m h dom mon dow user  command
+1 0	* * *	root	/usr/sbin/logrotate -f /etc/logrotate.conf >/dev/null
+

include/etc/cron.d/sa-learn

@@ -2,5 +2,5 @@
 #  SpamAssassin Bayes learning from mailboxes 
 #
 # m h dom mon dow user  command
-30 0,3,6,9,12,15,18,21	* * *	root	/bin/spam-learn.sh >/dev/null 2>&1
+30 0,3,6,9,12,15,18,21	* * *	debian-spamd	/bin/spam-learn.sh >/dev/null 2>&1
 

include/etc/dovecot/conf.d/10-logging.conf

@@ -27,7 +27,7 @@ log_path=/var/log/dovecot.log
 #log_core_filter = 
 
 # Log unsuccessful authentication attempts and the reasons why they failed.
-#auth_verbose = no
+auth_verbose = yes
 
 # In case of password mismatches, log the attempted password. Valid values are
 # no, plain and sha1. sha1 can be useful for detecting brute force password
@@ -48,7 +48,7 @@ log_path=/var/log/dovecot.log
 #mail_debug = no
 
 # Show protocol level SSL errors.
-#verbose_ssl = no
+#verbose_ssl = yes
 
 # mail_log plugin provides more event logging for mail processes.
 plugin {

include/etc/dovecot/conf.d/10-ssl.conf

@@ -11,7 +11,10 @@ ssl_prefer_server_ciphers = yes
 
 ssl_client_ca_dir = /etc/ssl/certs
 
-ssl_dh = </ssl/dovecot/dh.pem
-ssl_cert = </ssl/dovecot/cert.pem
-ssl_key = </ssl/dovecot/key.pem
+ssl_dh = </certs/dovecot/dh.pem
+ssl_cert = </certs/dovecot/cert.pem
+ssl_key = </certs/dovecot/key.pem
 
+# Generated by https://ssl-config.mozilla.org/ 
+ssl_min_protocol = TLSv1.2
+ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

include/etc/dovecot/conf.d/90-quota.conf

@@ -11,6 +11,8 @@
 
 plugin {
   quota = maildir:User quota
+#  quota2 = maildir:Shared quota:ns=shared/
+
   quota_rule = *:storage=200M
   quota_rule2 = Trash:storage=+50M
   quota_grace = 10%%
@@ -24,19 +26,19 @@ plugin {
 
 
 
-plugin {
+#plugin {
 
-  quota = maildir:Shared quota:ns=shared/
-  quota_rule = *:storage=200M
+#  quota2 = maildir:Shared quota:ns=shared/
+#  quota_rule = *:storage=200M
 
 
-  quota_max_mail_size = 25M
+#  quota_max_mail_size = 25M
 
-  quota_status_success = DUNNO
-  quota_status_nouser = DUNNO
-  quota_status_overquota = "552 5.2.2 Mailbox is full"
+#  quota_status_success = DUNNO
+#  quota_status_nouser = DUNNO
+#  quota_status_overquota = "552 5.2.2 Mailbox is full"
 
-}
+#}
 
 
 
@@ -54,8 +56,8 @@ plugin {
 plugin {
   quota_warning = storage=50%% quota-warning 50 %u
   quota_warning2 = storage=80%% quota-warning 80 %u
-  quota_warning2 = storage=90%% quota-warning 90 %u
-  quota_warning3 = storage=95%% quota-warning 95 %u
+  quota_warning3 = storage=90%% quota-warning 90 %u
+  quota_warning4 = storage=95%% quota-warning 95 %u
 }
 
 # Example quota-warning service. The unix listener's permissions should be
@@ -75,10 +77,13 @@ service quota-warning {
 }
 
 service quota-status {
+  
   executable = quota-status -p postfix
-  inet_listener {
-    port = 12340
-    # You can choose any port you want
+
+  unix_listener /var/spool/postfix/private/quota {
+    user = dovecot
+    group = vmail
+    mode = 0660
   }
   client_limit = 1
 }

include/etc/dovecot/conf.d/90-sieve.conf

@@ -95,7 +95,7 @@ plugin {
   # enabled by default.
   #sieve_extensions = +notify +imapflags
 
-  sieve_extensions=-vacation, -enotify, -editheader, imap4flags
+  sieve_extensions=-vacation -enotify -editheader imap4flags
 
   # Which Sieve language extensions are ONLY available in global scripts. This
   # can be used to restrict the use of certain Sieve extensions to administrator

include/etc/logrotate.d/dovecot

@@ -6,7 +6,6 @@
     notifempty
     compress
     delaycompress
-    extension log
     create 0644 dovecot dovecot
          postrotate
              supervisorctl restart dovecot

include/etc/logrotate.d/postfix

@@ -6,7 +6,6 @@
     notifempty
     compress
     delaycompress
-    extension log
     create 0644 postfix postfix
         postrotate
             supervisorctl restart postfix

include/etc/postfix-policyd-spf-python/policyd-spf.conf

@@ -0,0 +1,16 @@
+#  For a fully commented sample config file see policyd-spf.conf.commented
+# or https://manpages.debian.org/testing/postfix-policyd-spf-python/policyd-spf.conf.5.en.html
+
+debugLevel = 1 
+TestOnly = 1
+
+# Don't bounce mail (False). to bounce mail set to Fail
+HELO_reject = False
+Mail_From_reject = False
+
+PermError_reject = False
+TempError_Defer = False
+
+skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1
+
+

include/etc/postfix/master.cf

@@ -14,7 +14,6 @@ smtp      inet  n       -       y       -       1       postscreen
 smtpd     pass  -       -       y       -       -       smtpd
   -o syslog_name=postfix/inbound
   -o smtpd_tls_security_level=may
-  -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,reject_unauth_destination,permit_auth_destination,reject
 
 #dnsblog   unix  -       -       y       -       0       dnsblog
 #tlsproxy  unix  -       -       y       -       0       tlsproxy
@@ -29,8 +28,9 @@ submission inet n       -       y       -       -       smtpd
   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
   -o smtpd_sender_login_maps=ldap:/etc/postfix/ldap/smtpd_sender_login_maps,ldap:/etc/postfix/ldap/smtpd_sender_login_maps_groups
   -o smtpd_sender_restrictions=reject_sender_login_mismatch
-  -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
+  -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,check_policy_service,unix:private/quota,permit_sasl_authenticated,reject
   -o cleanup_service_name=privacy
+  -o content_filter=amavis:[127.0.0.1]:10023
 
 amavis unix -      -       n     -       2  smtp
   -o syslog_name=postfix/$service_name
@@ -62,6 +62,8 @@ amavis unix -      -       n     -       2  smtp
   -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
   -o content_filter=
 
+policyd-spf unix -     n       n       -       2       spawn
+  user=policyd-spf argv=/usr/bin/policyd-spf
 
 #spamassassin unix -     n       n       -       -       pipe 
 #  user=debian-spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}

include/etc/supervisor/conf.d/supervisord.conf

@@ -34,7 +34,7 @@ command=/usr/sbin/cron -f
 [program:amavis]
 startsecs=0
 stopwaitsecs=55
-autostart=true
+autostart=false
 autorestart=true
 stdout_logfile=/var/log/supervisor/%(program_name)s.log
 stderr_logfile=/var/log/supervisor/%(program_name)s.log

mkdocs.yml

@@ -0,0 +1,33 @@
+INHERIT: website-template/mkdocs.yml
+
+docs_dir: 'docs'
+
+repo_name: Docker-Mail
+repo_url: https://gitlab.com/nofusscomputing/projects/docker-mail
+edit_uri: '/-/ide/project/nofusscomputing/projects/docker-mail/edit/development/-/docs/'
+
+nav:
+- Home: index.md
+
+- Articles: 
+
+  - articles/index.md
+
+- Projects: 
+
+  - projects/index.md
+
+  - Docker-Mail: 
+
+    - projects/docker-mail/index.md
+
+    - projects/docker-mail/dkim.md
+
+    - projects/docker-mail/spf.md
+
+- Operations: 
+
+  - operations/index.md
+
+- Contact Us: contact.md
+

requirements.txt

@@ -0,0 +1,2 @@
+pymdown-extensions==9.5
+Pygments==2.13.0

test/docker-compose.yml

@@ -83,10 +83,10 @@ services:
     restart: unless-stopped
     cpus: 2
     mem_limit: 512MB
-    hostname: mail.nofusscomputing.com
+    hostname: test.nodomain.org
     volumes:
       - mail_store:/srv/mail:rw
-      - mail_ssl:/ssl
+      - mail_ssl:/certs
       - sa_learn:/var/spool/spamassassin
       - mail_backup:/backup
       - mail_log:/var/log