diff --git a/docker/kolab/Dockerfile b/docker/kolab/Dockerfile
index 411e16ac..9c6369f8 100644
--- a/docker/kolab/Dockerfile
+++ b/docker/kolab/Dockerfile
@@ -1,81 +1,83 @@
FROM quay.io/centos/centos:stream8
LABEL maintainer="contact@apheleia-it.ch"
LABEL dist=centos8
LABEL tier=${TIER}
ENV SYSTEMD_PAGER=''
ENV DISTRO=centos8
ENV LANG=en_US.utf8
ENV LC_ALL=en_US.utf8
# Add EPEL.
RUN dnf config-manager --set-enabled powertools && \
dnf -y install \
epel-release epel-next-release && \
dnf -y module enable 389-directory-server:stable/default && \
dnf -y module enable mariadb:10.3 && \
dnf -y install iputils vim-enhanced bind-utils && \
dnf clean all
RUN rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
# Install kolab
RUN rpm --import https://mirror.apheleia-it.ch/repos/Kolab:/16/key.asc && \
rpm -Uvh https://mirror.apheleia-it.ch/repos/Kolab:/16/kolab-16-for-el8stream.rpm
RUN sed -i -e '/^ssl/d' /etc/yum.repos.d/kolab*.repo && \
dnf config-manager --enable kolab-16-testing &&\
dnf -y --setopt tsflags= install kolab patch &&\
dnf clean all
COPY kolab-init.service /etc/systemd/system/kolab-init.service
COPY kolab-setenv.service /etc/systemd/system/kolab-setenv.service
COPY utils /root/utils
RUN rm -rf /etc/systemd/system/multi-user.target.wants/{avahi-daemon,sshd}.* && \
ln -s /etc/systemd/system/kolab-init.service \
/etc/systemd/system/multi-user.target.wants/kolab-init.service && \
ln -s /etc/systemd/system/kolab-setenv.service \
/etc/systemd/system/multi-user.target.wants/kolab-setenv.service
RUN sed -i -r -e 's/^SELINUX=.*$/SELINUX=permissive/g' /etc/selinux/config 2>/dev/null || :
+COPY /rootfs /
+
COPY kolab-init.sh /usr/local/sbin/
RUN chmod 750 /usr/local/sbin/kolab-init.sh
COPY kolab.conf /etc/kolab/kolab.conf
COPY cyrus.conf /etc/cyrus.conf
COPY imapd.conf /etc/imapd.conf
COPY imapd.annotations.conf /etc/imapd.annotations.conf
COPY guam.conf /etc/guam/sys.config
ARG DB_KOLAB_DATABASE
ARG DB_KOLAB_USERNAME
ARG DB_KOLAB_PASSWORD
RUN sed -i -r \
-e "s|DB_KOLAB_DATABASE|$DB_KOLAB_DATABASE|g" \
-e "s|DB_KOLAB_USERNAME|$DB_KOLAB_USERNAME|g" \
-e "s|DB_KOLAB_PASSWORD|$DB_KOLAB_PASSWORD|g" \
/etc/kolab/kolab.conf
RUN mkdir -p /imapdata/{spool,lib} && \
rm -rf /var/spool/imap && ln -s /imapdata/spool /var/spool/imap && \
mv /var/lib/imap /var/lib/imap-bak && ln -s /imapdata/lib /var/lib/imap && \
chmod -R 777 /imapdata && \
chown cyrus:mail /var/spool/imap /var/lib/imap
RUN mkdir -p /ldapdata/{config,ssca,run} /var/run/dirsrv && \
ln -s /ldapdata/config /etc/dirsrv/slapd-kolab && \
ln -s /ldapdata/ssca /etc/dirsrv/ssca && \
ln -s /ldapdata/run /var/run/dirsrv && \
chmod -R 777 /ldapdata /etc/dirsrv
VOLUME [ "/sys/fs/cgroup" ]
VOLUME [ "/imapdata" ]
VOLUME [ "/ldapdata" ]
WORKDIR /root/
CMD ["/lib/systemd/systemd"]
EXPOSE 21/tcp 22/tcp 25/tcp 53/tcp 53/udp 110/tcp 389/tcp 443/tcp 995/tcp 10143/tcp 10465/tcp 10587/tcp 11143/tcp 11993/tcp
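Review bot: `COPY /rootfs /` overlays package-owned files (the hunks below show it replacing `/etc/postfix/main.cf` and adding `ldap/*.cf`), and those LDAP maps ship with `bind_pw =` empty, so the image either relies on a runtime step that is not in this Dockerfile to inject the service password or ends up binding `uid=kolab-service` with no password at all. That dependency should be stated at the COPY site, e.g. `# Overlay Postfix config; ldap/*.cf bind_pw is left blank and must be filled at container start (kolab-init.sh?)`. The leading slash in `/rootfs` is resolved against the build context, which works, but `COPY rootfs/ /` is the conventional spelling. Anything the Kolab package's own first-boot setup regenerates may silently overwrite this overlay; worth confirming against kolab-init.sh, which is not in this change.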
diff --git a/docker/kolab/rootfs/etc/postfix/header_checks.inbound b/docker/kolab/rootfs/etc/postfix/header_checks.inbound
new file mode 100644
index 00000000..a824f848
--- /dev/null
+++ b/docker/kolab/rootfs/etc/postfix/header_checks.inbound
@@ -0,0 +1,6 @@
+/^X-Spam-Flag:.*YES/ REJECT
+/^X-Virus-Scanned:/ IGNORE
+/^X-Spam-Flag:.*NO/ IGNORE
+/^X-Spam-Score:/ IGNORE
+/^X-Spam-Level:/ IGNORE
+/^X-Spam-Status:/ IGNORE
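Review bot: The `REJECT` on `/^X-Spam-Flag:.*YES/` acts on a header the connecting client wrote itself, so on an inbound listener it only rejects mail a remote system has already self-flagged, while the real protection in this file is the five `IGNORE` lines that strip sender-supplied spam/virus verdict headers before any local filter adds its own. That intent is not written down; a header comment such as `# Inbound from untrusted MTAs: drop sender-supplied spam/virus verdict headers so they cannot be spoofed; reject mail an upstream filter already flagged` would make it clear. Postfix regexp tables match case-insensitively by default, so `yes`/`Yes` variants are covered. Whether this table applies only to the inbound smtpd depends on a master.cf `-o header_checks=` override that is not part of this change.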
diff --git a/docker/kolab/rootfs/etc/postfix/header_checks.internal b/docker/kolab/rootfs/etc/postfix/header_checks.internal
new file mode 100644
index 00000000..29761418
--- /dev/null
+++ b/docker/kolab/rootfs/etc/postfix/header_checks.internal
@@ -0,0 +1 @@
+/^Received:.*127\.0\.0\.1/ IGNORE
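Review bot: `/^Received:.*127\.0\.0\.1/ IGNORE` deletes every Received: hop that mentions loopback, presumably to hide the internal content-filter re-injection, but Postfix's mail-loop protection (`hopcount_limit`) counts Received: headers, and as far as I can tell an IGNOREd header is dropped before it is counted, so a message looping between Postfix and a loopback filter would never trip the limit. The pattern is also unanchored after `Received:`, so an external hop whose comment happens to contain 127.0.0.1 is stripped too. Consider matching the local hop more tightly (e.g. on the local hostname) and adding `# Strip the internal re-injection hop; NOTE: this also hides it from hopcount_limit loop detection`.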
diff --git a/docker/kolab/rootfs/etc/postfix/header_checks.submission b/docker/kolab/rootfs/etc/postfix/header_checks.submission
new file mode 100644
index 00000000..c11dd8ab
--- /dev/null
+++ b/docker/kolab/rootfs/etc/postfix/header_checks.submission
@@ -0,0 +1,6 @@
+/^Received:.*with ESMTPSA/ IGNORE
+/^Received:.*127\.0\.0\.1/ IGNORE
+/^User-Agent:/ IGNORE
+/^X-Mailer:/ IGNORE
+/^Sender:/ IGNORE
+/^X-Sender:/ IGNORE
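Review bot: `/^Received:.*with ESMTPSA/ IGNORE` removes the authenticated-submission hop, which is the only in-message record tying the message to the SASL login (the `Authenticated sender:` comment, when `smtpd_sasl_authenticated_header` is enabled), so abuse tracing on a received copy must fall back to the maillog; that trade-off should be stated. `/^Sender:/ IGNORE` also discards a `Sender:` a client set legitimately for on-behalf-of mail, while the `User-Agent:`/`X-Mailer:` lines are plain privacy stripping. Suggest a header comment: `# Submission port only: strip client-identifying headers (client IP, MUA, login hop) for sender privacy; the SASL login remains in the maillog`.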
diff --git a/docker/kolab/rootfs/etc/postfix/ldap/local_recipient_maps.cf b/docker/kolab/rootfs/etc/postfix/ldap/local_recipient_maps.cf
new file mode 100644
index 00000000..1ddf6d1d
--- /dev/null
+++ b/docker/kolab/rootfs/etc/postfix/ldap/local_recipient_maps.cf
@@ -0,0 +1,14 @@
+
+server_host = 127.0.0.1
+server_port = 389
+version = 3
+search_base = dc=hosted,dc=com
+scope = sub
+
+domain = ldap:/etc/postfix/ldap/mydestination.cf
+
+bind_dn = uid=kolab-service,ou=Special Users,dc=mgmt,dc=com
+bind_pw =
+
+query_filter = (&(|(mail=%s)(alias=%s))(|(objectclass=kolabinetorgperson)(|(objectclass=kolabgroupofuniquenames)(objectclass=kolabgroupofurls))(|(|(objectclass=groupofuniquenames)(objectclass=groupofurls))(objectclass=kolabsharedfolder))(objectclass=kolabsharedfolder))(!(inetuserstatus:1.2.840.113556.1.4.803:=4)))
+result_attribute = mail
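Review bot: `bind_pw =` is empty while `bind_dn` names `uid=kolab-service,...`; a simple bind with a DN and an empty password is an unauthenticated bind (RFC 4513 §5.1.2), which 389-ds rejects by default, so this map only works if something fills the password at runtime — nothing in this change does — and the file then holds a plaintext service password readable by anything that can read /etc/postfix. Both points deserve a comment at the top, e.g. `# bind_pw is injected at container start; keep this file root:postfix 0640`. The connection is plain LDAP to 127.0.0.1:389, acceptable inside one container, but `start_tls = yes` becomes necessary if the directory ever moves out of it. `%s` is RFC 4515-escaped by Postfix, so the filter itself is not injectable; the same remarks apply to the sibling `ldap/*.cf` files in this commit.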
diff --git a/docker/kolab/rootfs/etc/postfix/ldap/mailenabled_distgroups.cf b/docker/kolab/rootfs/etc/postfix/ldap/mailenabled_distgroups.cf
new file mode 100644
index 00000000..0b67082a
--- /dev/null
+++ b/docker/kolab/rootfs/etc/postfix/ldap/mailenabled_distgroups.cf
@@ -0,0 +1,19 @@
+
+server_host = 127.0.0.1
+server_port = 389
+version = 3
+search_base = dc=hosted,dc=com
+scope = sub
+
+domain = ldap:/etc/postfix/ldap/mydestination.cf
+
+bind_dn = uid=kolab-service,ou=Special Users,dc=mgmt,dc=com
+bind_pw =
+
+# This finds the mail enabled distribution group LDAP entry
+query_filter = (&(|(mail=%s)(alias=%s))(objectClass=kolabgroupofuniquenames)(objectclass=groupofuniquenames)(!(objectclass=groupofurls)))
+# From this type of group, get all uniqueMember DNs
+special_result_attribute = uniqueMember
+# Only from those DNs, get the mail
+result_attribute =
+leaf_result_attribute = mail
diff --git a/docker/kolab/rootfs/etc/postfix/ldap/mailenabled_dynamic_distgroups.cf b/docker/kolab/rootfs/etc/postfix/ldap/mailenabled_dynamic_distgroups.cf
new file mode 100644
index 00000000..48233127
--- /dev/null
+++ b/docker/kolab/rootfs/etc/postfix/ldap/mailenabled_dynamic_distgroups.cf
@@ -0,0 +1,19 @@
+
+server_host = 127.0.0.1
+server_port = 389
+version = 3
+search_base = dc=hosted,dc=com
+scope = sub
+
+domain = ldap:/etc/postfix/ldap/mydestination.cf
+
+bind_dn = uid=kolab-service,ou=Special Users,dc=mgmt,dc=com
+bind_pw =
+
+# This finds the mail enabled dynamic distribution group LDAP entry
+query_filter = (&(|(mail=%s)(alias=%s))(objectClass=kolabgroupofuniquenames)(objectClass=groupOfURLs))
+# From this type of group, get all memberURL searches/references
+special_result_attribute = memberURL
+# Only from those DNs, get the mail
+result_attribute =
+leaf_result_attribute = mail
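Review bot: `special_result_attribute = memberURL` makes Postfix execute LDAP URLs stored in the directory under the `kolab-service` bind, so whoever can write `memberURL` on a group controls the search filter (and with `scope = sub`, the subtree) that feeds recipient expansion; as far as I recall ldap_table(5) reuses this connection and ignores the URL's host/port, so it cannot be pointed at another server, but a broad URL can still expand to every mail-enabled entry. There is no cap on that expansion here — ldap_table's `expansion_limit`/`size_limit` exist for exactly this, though exceeding them turns the lookup into an error, so size any limit against the largest real group. A comment recording the trust placed in the attribute would help: `# memberURL is executed as an LDAP search under the service bind; only admins may set it`.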
diff --git a/docker/kolab/rootfs/etc/postfix/ldap/mydestination.cf b/docker/kolab/rootfs/etc/postfix/ldap/mydestination.cf
new file mode 100644
index 00000000..3a0b6489
--- /dev/null
+++ b/docker/kolab/rootfs/etc/postfix/ldap/mydestination.cf
@@ -0,0 +1,12 @@
+
+server_host = 127.0.0.1
+server_port = 389
+version = 3
+search_base = ou=Domains,dc=mgmt,dc=com
+scope = sub
+
+bind_dn = uid=kolab-service,ou=Special Users,dc=mgmt,dc=com
+bind_pw =
+
+query_filter = (&(associatedDomain=%s)(inetdomainstatus:1.2.840.113556.1.4.803:=18)(!(inetdomainstatus:1.2.840.113556.1.4.803:=4)))
+result_attribute = associateddomain
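Review bot: the `:1.2.840.113556.1.4.803:=` extensible matches are the bitwise-AND rule, so `inetdomainstatus...=18` requires both the 2 and 16 bits to be set and `!(...=4)` excludes any domain with the 4 bit set; nothing here says what those bits mean, so a later editor cannot tell which bit is "disabled" and which is "mail-enabled". Please add a comment naming them, e.g. `# inetdomainstatus is a bitmask (bitwise-AND rule): require 18 = 2|16, exclude 4 — see the Kolab domain status definitions`. The OID is AD-origin; 389-ds should support it, but if the server does not, this map silently matches no domain and every hosted domain stops being a local destination.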
diff --git a/docker/kolab/rootfs/etc/postfix/ldap/transport_maps.cf b/docker/kolab/rootfs/etc/postfix/ldap/transport_maps.cf
new file mode 100644
index 00000000..848b9333
--- /dev/null
+++ b/docker/kolab/rootfs/etc/postfix/ldap/transport_maps.cf
@@ -0,0 +1,15 @@
+
+server_host = 127.0.0.1
+server_port = 389
+version = 3
+search_base = dc=hosted,dc=com
+scope = sub
+
+domain = ldap:/etc/postfix/ldap/mydestination.cf
+
+bind_dn = uid=kolab-service,ou=Special Users,dc=mgmt,dc=com
+bind_pw =
+
+query_filter = (&(|(mailAlternateAddress=%s)(alias=%s)(mail=%s))(objectclass=kolabinetorgperson))
+result_attribute = mail
+result_format = lmtp:unix:/var/lib/imap/socket/lmtp
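Review bot: `result_format` contains no `%s`, so the `result_attribute = mail` value is never used and the lookup appears to emit the constant `lmtp:unix:...` once per `mail` value; an entry with two `mail` attributes would then yield a comma-joined pair of transport strings that transport(5) cannot parse. If `mail` is single-valued in the Kolab schema that is fine and worth a comment (`# mail is single-valued here; the transport string is constant`), otherwise `expansion_limit = 1` turns the multi-value case into a lookup error instead of a malformed nexthop. Note also that `/var/lib/imap` is a symlink into `/imapdata`, which the Dockerfile in this commit makes world-writable, so every process in the container can reach the LMTP socket.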
diff --git a/docker/kolab/rootfs/etc/postfix/ldap/virtual_alias_maps.cf b/docker/kolab/rootfs/etc/postfix/ldap/virtual_alias_maps.cf
new file mode 100644
index 00000000..1553f8fb
--- /dev/null
+++ b/docker/kolab/rootfs/etc/postfix/ldap/virtual_alias_maps.cf
@@ -0,0 +1,14 @@
+
+server_host = 127.0.0.1
+server_port = 389
+version = 3
+search_base = dc=hosted,dc=com
+scope = sub
+
+domain = ldap:/etc/postfix/ldap/mydestination.cf
+
+bind_dn = uid=kolab-service,ou=Special Users,dc=mgmt,dc=com
+bind_pw =
+
+query_filter = (&(|(mail=%s)(alias=%s))(objectclass=kolabinetorgperson))
+result_attribute = mail
diff --git a/docker/kolab/rootfs/etc/postfix/ldap/virtual_alias_maps_mailforwarding.cf b/docker/kolab/rootfs/etc/postfix/ldap/virtual_alias_maps_mailforwarding.cf
new file mode 100644
index 00000000..52d9df53
--- /dev/null
+++ b/docker/kolab/rootfs/etc/postfix/ldap/virtual_alias_maps_mailforwarding.cf
@@ -0,0 +1,14 @@
+
+server_host = 127.0.0.1
+server_port = 389
+version = 3
+search_base = dc=hosted,dc=com
+scope = sub
+
+domain = ldap:/etc/postfix/ldap/mydestination.cf
+
+bind_dn = uid=kolab-service,ou=Special Users,dc=mgmt,dc=com
+bind_pw =
+
+query_filter = (&(|(mail=%s)(alias=%s))(objectclass=mailrecipient)(objectclass=inetorgperson)(mailforwardingaddress=*))
+result_attribute = mailForwardingAddress
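Review bot: this map turns a user entry's `mailForwardingAddress` into a virtual alias, so mail for the account is re-sent to wherever that attribute points; if the attribute is user-editable (cannot be told from here) every account becomes a forwarder for mail addressed to it, and forwards leaving the hosted domains go out with the original envelope sender, which fails SPF at the far end unless sender rewriting is in place. The filter accepts any `mailrecipient`+`inetorgperson` entry that carries the attribute, with no restriction on where the target may point. A comment stating the policy, e.g. `# external forwarding is allowed; SPF of forwarded mail depends on SRS being configured`, would record the decision.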
diff --git a/docker/kolab/rootfs/etc/postfix/ldap/virtual_alias_maps_sharedfolders.cf b/docker/kolab/rootfs/etc/postfix/ldap/virtual_alias_maps_sharedfolders.cf
new file mode 100644
index 00000000..85637e36
--- /dev/null
+++ b/docker/kolab/rootfs/etc/postfix/ldap/virtual_alias_maps_sharedfolders.cf
@@ -0,0 +1,15 @@
+
+server_host = 127.0.0.1
+server_port = 389
+version = 3
+search_base = dc=hosted,dc=com
+scope = sub
+
+domain = ldap:/etc/postfix/ldap/mydestination.cf
+
+bind_dn = uid=kolab-service,ou=Special Users,dc=mgmt,dc=com
+bind_pw =
+
+query_filter = (&(|(mail=%s)(alias=%s))(objectclass=kolabsharedfolder)(kolabFolderType=mail))
+result_attribute = kolabtargetfolder
+result_format = "shared+%s"
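Review bot: the double quotes in `result_format = "shared+%s"` are part of the value — Postfix does not strip quotes from .cf parameter values — so the alias target becomes a quoted local part `"shared+<kolabtargetfolder>"`, which is presumably deliberate so folder names containing spaces or other specials survive as a valid address, but a reader will take it for a typo. A one-line comment would settle it: `# quotes are intentional: kolabtargetfolder may contain spaces, so the local part is emitted quoted`. If that is not the reason, the quotes should go.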
diff --git a/docker/kolab/rootfs/etc/postfix/main.cf b/docker/kolab/rootfs/etc/postfix/main.cf
new file mode 100644
index 00000000..f0176e2f
--- /dev/null
+++ b/docker/kolab/rootfs/etc/postfix/main.cf
@@ -0,0 +1,752 @@
+# Global Postfix configuration file. This file lists only a subset
+# of all parameters. For the syntax, and for a complete parameter
+# list, see the postconf(5) manual page (command: "man 5 postconf").
+#
+# For common configuration examples, see BASIC_CONFIGURATION_README
+# and STANDARD_CONFIGURATION_README. To find these documents, use
+# the command "postconf html_directory readme_directory", or go to
+# http://www.postfix.org/BASIC_CONFIGURATION_README.html etc.
+#
+# For best results, change no more than 2-3 parameters at a time,
+# and test if Postfix still works after every change.
+
+# COMPATIBILITY
+#
+# The compatibility_level determines what default settings Postfix
+# will use for main.cf and master.cf settings. These defaults will
+# change over time.
+#
+# To avoid breaking things, Postfix will use backwards-compatible
+# default settings and log where it uses those old backwards-compatible
+# default settings, until the system administrator has determined
+# if any backwards-compatible default settings need to be made
+# permanent in main.cf or master.cf.
+#
+# When this review is complete, update the compatibility_level setting
+# below as recommended in the RELEASE_NOTES file.
+#
+# The level below is what should be used with new (not upgrade) installs.
+#
+compatibility_level = 2
+
+# SOFT BOUNCE
+#
+# The soft_bounce parameter provides a limited safety net for
+# testing. When soft_bounce is enabled, mail will remain queued that
+# would otherwise bounce. This parameter disables locally-generated
+# bounces, and prevents the SMTP server from rejecting mail permanently
+# (by changing 5xx replies into 4xx replies). However, soft_bounce
+# is no cure for address rewriting mistakes or mail routing mistakes.
+#
+#soft_bounce = no
+
+# LOCAL PATHNAME INFORMATION
+#
+# The queue_directory specifies the location of the Postfix queue.
+# This is also the root directory of Postfix daemons that run chrooted.
+# See the files in examples/chroot-setup for setting up Postfix chroot
+# environments on different UNIX systems.
+#
+queue_directory = /var/spool/postfix
+
+# The command_directory parameter specifies the location of all
+# postXXX commands.
+#
+command_directory = /usr/sbin
+
+# The daemon_directory parameter specifies the location of all Postfix
+# daemon programs (i.e. programs listed in the master.cf file). This
+# directory must be owned by root.
+#
+daemon_directory = /usr/libexec/postfix
+
+# The data_directory parameter specifies the location of Postfix-writable
+# data files (caches, random numbers). This directory must be owned
+# by the mail_owner account (see below).
+#
+data_directory = /var/lib/postfix
+
+# QUEUE AND PROCESS OWNERSHIP
+#
+# The mail_owner parameter specifies the owner of the Postfix queue
+# and of most Postfix daemon processes. Specify the name of a user
+# account THAT DOES NOT SHARE ITS USER OR GROUP ID WITH OTHER ACCOUNTS
+# AND THAT OWNS NO OTHER FILES OR PROCESSES ON THE SYSTEM. In
+# particular, don't specify nobody or daemon. PLEASE USE A DEDICATED
+# USER.
+#
+mail_owner = postfix
+
+# The default_privs parameter specifies the default rights used by
+# the local delivery agent for delivery to external file or command.
+# These rights are used in the absence of a recipient user context.
+# DO NOT SPECIFY A PRIVILEGED USER OR THE POSTFIX OWNER.
+#
+#default_privs = nobody
+
+# INTERNET HOST AND DOMAIN NAMES
+#
+# The myhostname parameter specifies the internet hostname of this
+# mail system. The default is to use the fully-qualified domain name
+# from gethostname(). $myhostname is used as a default value for many
+# other configuration parameters.
+#
+#myhostname = host.domain.tld
+#myhostname = virtual.domain.tld
+
+# The mydomain parameter specifies the local internet domain name.
+# The default is to use $myhostname minus the first component.
+# $mydomain is used as a default value for many other configuration
+# parameters.
+#
+#mydomain = domain.tld
+
+# SENDING MAIL
+#
+# The myorigin parameter specifies the domain that locally-posted
+# mail appears to come from. The default is to append $myhostname,
+# which is fine for small sites. If you run a domain with multiple
+# machines, you should (1) change this to $mydomain and (2) set up
+# a domain-wide alias database that aliases each user to
+# user@that.users.mailhost.
+#
+# For the sake of consistency between sender and recipient addresses,
+# myorigin also specifies the default domain name that is appended
+# to recipient addresses that have no @domain part.
+#
+#myorigin = $myhostname
+#myorigin = $mydomain
+
+# RECEIVING MAIL
+
+# The inet_interfaces parameter specifies the network interface
+# addresses that this mail system receives mail on. By default,
+# the software claims all active interfaces on the machine. The
+# parameter also controls delivery of mail to user@[ip.address].
+#
+# See also the proxy_interfaces parameter, for network addresses that
+# are forwarded to us via a proxy or network address translator.
+#
+# Note: you need to stop/start Postfix when this parameter changes.
+#
+#inet_interfaces = all
+#inet_interfaces = $myhostname
+#inet_interfaces = $myhostname, localhost
+inet_interfaces = all
+
+# Enable IPv4, and IPv6 if supported
+inet_protocols = all
+
+# The proxy_interfaces parameter specifies the network interface
+# addresses that this mail system receives mail on by way of a
+# proxy or network address translation unit. This setting extends
+# the address list specified with the inet_interfaces parameter.
+#
+# You must specify your proxy/NAT addresses when your system is a
+# backup MX host for other domains, otherwise mail delivery loops
+# will happen when the primary MX host is down.
+#
+#proxy_interfaces =
+#proxy_interfaces = 1.2.3.4
+
+# The mydestination parameter specifies the list of domains that this
+# machine considers itself the final destination for.
+#
+# These domains are routed to the delivery agent specified with the
+# local_transport parameter setting. By default, that is the UNIX
+# compatible delivery agent that lookups all recipients in /etc/passwd
+# and /etc/aliases or their equivalent.
+#
+# The default is $myhostname + localhost.$mydomain + localhost. On
+# a mail domain gateway, you should also include $mydomain.
+#
+# Do not specify the names of virtual domains - those domains are
+# specified elsewhere (see VIRTUAL_README).
+#
+# Do not specify the names of domains that this machine is backup MX
+# host for. Specify those names via the relay_domains settings for
+# the SMTP server, or use permit_mx_backup if you are lazy (see
+# STANDARD_CONFIGURATION_README).
+#
+# The local machine is always the final destination for mail addressed
+# to user@[the.net.work.address] of an interface that the mail system
+# receives mail on (see the inet_interfaces parameter).
+#
+# Specify a list of host or domain names, /file/name or type:table
+# patterns, separated by commas and/or whitespace. A /file/name
+# pattern is replaced by its contents; a type:table is matched when
+# a name matches a lookup key (the right-hand side is ignored).
+# Continue long lines by starting the next line with whitespace.
+#
+# See also below, section "REJECTING MAIL FOR UNKNOWN LOCAL USERS".
+#
+mydestination = ldap:/etc/postfix/ldap/mydestination.cf
+#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
+#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain,
+# mail.$mydomain, www.$mydomain, ftp.$mydomain
+
+# REJECTING MAIL FOR UNKNOWN LOCAL USERS
+#
+# The local_recipient_maps parameter specifies optional lookup tables
+# with all names or addresses of users that are local with respect
+# to $mydestination, $inet_interfaces or $proxy_interfaces.
+#
+# If this parameter is defined, then the SMTP server will reject
+# mail for unknown local users. This parameter is defined by default.
+#
+# To turn off local recipient checking in the SMTP server, specify
+# local_recipient_maps = (i.e. empty).
+#
+# The default setting assumes that you use the default Postfix local
+# delivery agent for local delivery. You need to update the
+# local_recipient_maps setting if:
+#
+# - You define $mydestination domain recipients in files other than
+# /etc/passwd, /etc/aliases, or the $virtual_alias_maps files.
+# For example, you define $mydestination domain recipients in
+# the $virtual_mailbox_maps files.
+#
+# - You redefine the local delivery agent in master.cf.
+#
+# - You redefine the "local_transport" setting in main.cf.
+#
+# - You use the "luser_relay", "mailbox_transport", or "fallback_transport"
+# feature of the Postfix local delivery agent (see local(8)).
+#
+# Details are described in the LOCAL_RECIPIENT_README file.
+#
+# Beware: if the Postfix SMTP server runs chrooted, you probably have
+# to access the passwd file via the proxymap service, in order to
+# overcome chroot restrictions. The alternative, having a copy of
+# the system passwd file in the chroot jail is just not practical.
+#
+# The right-hand side of the lookup tables is conveniently ignored.
+# In the left-hand side, specify a bare username, an @domain.tld
+# wild-card, or specify a user@domain.tld address.
+#
+#local_recipient_maps = unix:passwd.byname $alias_maps
+#local_recipient_maps = proxy:unix:passwd.byname $alias_maps
+#local_recipient_maps =
+
+# The unknown_local_recipient_reject_code specifies the SMTP server
+# response code when a recipient domain matches $mydestination or
+# ${proxy,inet}_interfaces, while $local_recipient_maps is non-empty
+# and the recipient address or address local-part is not found.
+#
+# The default setting is 550 (reject mail) but it is safer to start
+# with 450 (try again later) until you are certain that your
+# local_recipient_maps settings are OK.
+#
+unknown_local_recipient_reject_code = 550
+
+# TRUST AND RELAY CONTROL
+
+# The mynetworks parameter specifies the list of "trusted" SMTP
+# clients that have more privileges than "strangers".
+#
+# In particular, "trusted" SMTP clients are allowed to relay mail
+# through Postfix. See the smtpd_recipient_restrictions parameter
+# in postconf(5).
+#
+# You can specify the list of "trusted" network addresses by hand
+# or you can let Postfix do it for you (which is the default).
+#
+# By default (mynetworks_style = subnet), Postfix "trusts" SMTP
+# clients in the same IP subnetworks as the local machine.
+# On Linux, this works correctly only with interfaces specified
+# with the "ifconfig" command.
+#
+# Specify "mynetworks_style = class" when Postfix should "trust" SMTP
+# clients in the same IP class A/B/C networks as the local machine.
+# Don't do this with a dialup site - it would cause Postfix to "trust"
+# your entire provider's network. Instead, specify an explicit
+# mynetworks list by hand, as described below.
+#
+# Specify "mynetworks_style = host" when Postfix should "trust"
+# only the local machine.
+#
+#mynetworks_style = class
+#mynetworks_style = subnet
+#mynetworks_style = host
+
+# Alternatively, you can specify the mynetworks list by hand, in
+# which case Postfix ignores the mynetworks_style setting.
+#
+# Specify an explicit list of network/netmask patterns, where the
+# mask specifies the number of bits in the network part of a host
+# address.
+#
+# You can also specify the absolute pathname of a pattern file instead
+# of listing the patterns here. Specify type:table for table-based lookups
+# (the value on the table right-hand side is not used).
+#
+#mynetworks = 168.100.189.0/28, 127.0.0.0/8
+#mynetworks = $config_directory/mynetworks
+#mynetworks = hash:/etc/postfix/network_table
+
+# The relay_domains parameter restricts what destinations this system will
+# relay mail to. See the smtpd_recipient_restrictions description in
+# postconf(5) for detailed information.
+#
+# By default, Postfix relays mail
+# - from "trusted" clients (IP address matches $mynetworks) to any destination,
+# - from "untrusted" clients to destinations that match $relay_domains or
+# subdomains thereof, except addresses with sender-specified routing.
+# The default relay_domains value is $mydestination.
+#
+# In addition to the above, the Postfix SMTP server by default accepts mail
+# that Postfix is final destination for:
+# - destinations that match $inet_interfaces or $proxy_interfaces,
+# - destinations that match $mydestination
+# - destinations that match $virtual_alias_domains,
+# - destinations that match $virtual_mailbox_domains.
+# These destinations do not need to be listed in $relay_domains.
+#
+# Specify a list of hosts or domains, /file/name patterns or type:name
+# lookup tables, separated by commas and/or whitespace. Continue
+# long lines by starting the next line with whitespace. A file name
+# is replaced by its contents; a type:name table is matched when a
+# (parent) domain appears as lookup key.
+#
+# NOTE: Postfix will not automatically forward mail for domains that
+# list this system as their primary or backup MX host. See the
+# permit_mx_backup restriction description in postconf(5).
+#
+#relay_domains = $mydestination
+
+# INTERNET OR INTRANET
+
+# The relayhost parameter specifies the default host to send mail to
+# when no entry is matched in the optional transport(5) table. When
+# no relayhost is given, mail is routed directly to the destination.
+#
+# On an intranet, specify the organizational domain name. If your
+# internal DNS uses no MX records, specify the name of the intranet
+# gateway host instead.
+#
+# In the case of SMTP, specify a domain, host, host:port, [host]:port,
+# [address] or [address]:port; the form [host] turns off MX lookups.
+#
+# If you're connected via UUCP, see also the default_transport parameter.
+#
+#relayhost = $mydomain
+#relayhost = [gateway.my.domain]
+#relayhost = [mailserver.isp.tld]
+#relayhost = uucphost
+#relayhost = [an.ip.add.ress]
+
+# REJECTING UNKNOWN RELAY USERS
+#
+# The relay_recipient_maps parameter specifies optional lookup tables
+# with all addresses in the domains that match $relay_domains.
+#
+# If this parameter is defined, then the SMTP server will reject
+# mail for unknown relay users. This feature is off by default.
+#
+# The right-hand side of the lookup tables is conveniently ignored.
+# In the left-hand side, specify an @domain.tld wild-card, or specify
+# a user@domain.tld address.
+#
+#relay_recipient_maps = hash:/etc/postfix/relay_recipients
+
+# INPUT RATE CONTROL
+#
+# The in_flow_delay configuration parameter implements mail input
+# flow control. This feature is turned on by default, although it
+# still needs further development (it's disabled on SCO UNIX due
+# to an SCO bug).
+#
+# A Postfix process will pause for $in_flow_delay seconds before
+# accepting a new message, when the message arrival rate exceeds the
+# message delivery rate. With the default 100 SMTP server process
+# limit, this limits the mail inflow to 100 messages a second more
+# than the number of messages delivered per second.
+#
+# Specify 0 to disable the feature. Valid delays are 0..10.
+#
+#in_flow_delay = 1s
+
+# ADDRESS REWRITING
+#
+# The ADDRESS_REWRITING_README document gives information about
+# address masquerading or other forms of address rewriting including
+# username->Firstname.Lastname mapping.
+
+# ADDRESS REDIRECTION (VIRTUAL DOMAIN)
+#
+# The VIRTUAL_README document gives information about the many forms
+# of domain hosting that Postfix supports.
+
+# "USER HAS MOVED" BOUNCE MESSAGES
+#
+# See the discussion in the ADDRESS_REWRITING_README document.
+
+# TRANSPORT MAP
+#
+# See the discussion in the ADDRESS_REWRITING_README document.
+
+# ALIAS DATABASE
+#
+# The alias_maps parameter specifies the list of alias databases used
+# by the local delivery agent. The default list is system dependent.
+#
+# On systems with NIS, the default is to search the local alias
+# database, then the NIS alias database. See aliases(5) for syntax
+# details.
+#
+# If you change the alias database, run "postalias /etc/aliases" (or
+# wherever your system stores the mail alias file), or simply run
+# "newaliases" to build the necessary DBM or DB file.
+#
+# It will take a minute or so before changes become visible. Use
+# "postfix reload" to eliminate the delay.
+#
+#alias_maps = dbm:/etc/aliases
+alias_maps = hash:/etc/aliases
+#alias_maps = hash:/etc/aliases, nis:mail.aliases
+#alias_maps = netinfo:/aliases
+
+# The alias_database parameter specifies the alias database(s) that
+# are built with "newaliases" or "sendmail -bi". This is a separate
+# configuration parameter, because alias_maps (see above) may specify
+# tables that are not necessarily all under control by Postfix.
+#
+#alias_database = dbm:/etc/aliases
+#alias_database = dbm:/etc/mail/aliases
+alias_database = hash:/etc/aliases
+#alias_database = hash:/etc/aliases, hash:/opt/majordomo/aliases
+
+# ADDRESS EXTENSIONS (e.g., user+foo)
+#
+# The recipient_delimiter parameter specifies the separator between
+# user names and address extensions (user+foo). See canonical(5),
+# local(8), relocated(5) and virtual(5) for the effects this has on
+# aliases, canonical, virtual, relocated and .forward file lookups.
+# Basically, the software tries user+foo and .forward+foo before
+# trying user and .forward.
+#
+#recipient_delimiter = +
+
+# DELIVERY TO MAILBOX
+#
+# The home_mailbox parameter specifies the optional pathname of a
+# mailbox file relative to a user's home directory. The default
+# mailbox file is /var/spool/mail/user or /var/mail/user. Specify
+# "Maildir/" for qmail-style delivery (the / is required).
+#
+#home_mailbox = Mailbox
+#home_mailbox = Maildir/
+
+# The mail_spool_directory parameter specifies the directory where
+# UNIX-style mailboxes are kept. The default setting depends on the
+# system type.
+#
+#mail_spool_directory = /var/mail
+#mail_spool_directory = /var/spool/mail
+
+# The mailbox_command parameter specifies the optional external
+# command to use instead of mailbox delivery. The command is run as
+# the recipient with proper HOME, SHELL and LOGNAME environment settings.
+# Exception: delivery for root is done as $default_user.
+#
+# Other environment variables of interest: USER (recipient username),
+# EXTENSION (address extension), DOMAIN (domain part of address),
+# and LOCAL (the address localpart).
+#
+# Unlike other Postfix configuration parameters, the mailbox_command
+# parameter is not subjected to $parameter substitutions. This is to
+# make it easier to specify shell syntax (see example below).
+#
+# Avoid shell meta characters because they will force Postfix to run
+# an expensive shell process. Procmail alone is expensive enough.
+#
+# IF YOU USE THIS TO DELIVER MAIL SYSTEM-WIDE, YOU MUST SET UP AN
+# ALIAS THAT FORWARDS MAIL FOR ROOT TO A REAL USER.
+#
+#mailbox_command = /some/where/procmail
+#mailbox_command = /some/where/procmail -a "$EXTENSION"
+
+# The mailbox_transport specifies the optional transport in master.cf
+# to use after processing aliases and .forward files. This parameter
+# has precedence over the mailbox_command, fallback_transport and
+# luser_relay parameters.
+#
+# Specify a string of the form transport:nexthop, where transport is
+# the name of a mail delivery transport defined in master.cf. The
+# :nexthop part is optional. For more details see the sample transport
+# configuration file.
+#
+# NOTE: if you use this feature for accounts not in the UNIX password
+# file, then you must update the "local_recipient_maps" setting in
+# the main.cf file, otherwise the SMTP server will reject mail for
+# non-UNIX accounts with "User unknown in local recipient table".
+#
+# Cyrus IMAP over LMTP. Specify ``lmtpunix cmd="lmtpd"
+# listen="/var/imap/socket/lmtp" prefork=0'' in cyrus.conf.
+#mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
+
+# If using the cyrus-imapd IMAP server deliver local mail to the IMAP
+# server using LMTP (Local Mail Transport Protocol), this is prefered
+# over the older cyrus deliver program by setting the
+# mailbox_transport as below:
+#
+# mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
+#
+# The efficiency of LMTP delivery for cyrus-imapd can be enhanced via
+# these settings.
+#
+# local_destination_recipient_limit = 300
+# local_destination_concurrency_limit = 5
+#
+# Of course you should adjust these settings as appropriate for the
+# capacity of the hardware you are using. The recipient limit setting
+# can be used to take advantage of the single instance message store
+# capability of Cyrus. The concurrency limit can be used to control
+# how many simultaneous LMTP sessions will be permitted to the Cyrus
+# message store.
+#
+# Cyrus IMAP via command line. Uncomment the "cyrus...pipe" and
+# subsequent line in master.cf.
+#mailbox_transport = cyrus
+
+# The fallback_transport specifies the optional transport in master.cf
+# to use for recipients that are not found in the UNIX passwd database.
+# This parameter has precedence over the luser_relay parameter.
+#
+# Specify a string of the form transport:nexthop, where transport is
+# the name of a mail delivery transport defined in master.cf. The
+# :nexthop part is optional. For more details see the sample transport
+# configuration file.
+#
+# NOTE: if you use this feature for accounts not in the UNIX password
+# file, then you must update the "local_recipient_maps" setting in
+# the main.cf file, otherwise the SMTP server will reject mail for
+# non-UNIX accounts with "User unknown in local recipient table".
+#
+#fallback_transport = lmtp:unix:/var/lib/imap/socket/lmtp
+#fallback_transport =
+
+# The luser_relay parameter specifies an optional destination address
+# for unknown recipients. By default, mail for unknown@$mydestination,
+# unknown@[$inet_interfaces] or unknown@[$proxy_interfaces] is returned
+# as undeliverable.
+#
+# The following expansions are done on luser_relay: $user (recipient
+# username), $shell (recipient shell), $home (recipient home directory),
+# $recipient (full recipient address), $extension (recipient address
+# extension), $domain (recipient domain), $local (entire recipient
+# localpart), $recipient_delimiter. Specify ${name?value} or
+# ${name:value} to expand value only when $name does (does not) exist.
+#
+# luser_relay works only for the default Postfix local delivery agent.
+#
+# NOTE: if you use this feature for accounts not in the UNIX password
+# file, then you must specify "local_recipient_maps =" (i.e. empty) in
+# the main.cf file, otherwise the SMTP server will reject mail for
+# non-UNIX accounts with "User unknown in local recipient table".
+#
+#luser_relay = $user@other.host
+#luser_relay = $local@other.host
+#luser_relay = admin+$local
+
+# JUNK MAIL CONTROLS
+#
+# The controls listed here are only a very small subset. The file
+# SMTPD_ACCESS_README provides an overview.
+
+# The header_checks parameter specifies an optional table with patterns
+# that each logical message header is matched against, including
+# headers that span multiple physical lines.
+#
+# By default, these patterns also apply to MIME headers and to the
+# headers of attached messages. With older Postfix versions, MIME and
+# attached message headers were treated as body text.
+#
+# For details, see "man header_checks".
+#
+#header_checks = regexp:/etc/postfix/header_checks
+
+# FAST ETRN SERVICE
+#
+# Postfix maintains per-destination logfiles with information about
+# deferred mail, so that mail can be flushed quickly with the SMTP
+# "ETRN domain.tld" command, or by executing "sendmail -qRdomain.tld".
+# See the ETRN_README document for a detailed description.
+#
+# The fast_flush_domains parameter controls what destinations are
+# eligible for this service. By default, they are all domains that
+# this server is willing to relay mail to.
+#
+#fast_flush_domains = $relay_domains
+
+# SHOW SOFTWARE VERSION OR NOT
+#
+# The smtpd_banner parameter specifies the text that follows the 220
+# code in the SMTP server's greeting banner. Some people like to see
+# the mail version advertised. By default, Postfix shows no version.
+#
+# You MUST specify $myhostname at the start of the text. That is an
+# RFC requirement. Postfix itself does not care.
+#
+#smtpd_banner = $myhostname ESMTP $mail_name
+#smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
+
+# PARALLEL DELIVERY TO THE SAME DESTINATION
+#
+# How many parallel deliveries to the same user or domain? With local
+# delivery, it does not make sense to do massively parallel delivery
+# to the same user, because mailbox updates must happen sequentially,
+# and expensive pipelines in .forward files can cause disasters when
+# too many are run at the same time. With SMTP deliveries, 10
+# simultaneous connections to the same domain could be sufficient to
+# raise eyebrows.
+#
+# Each message delivery transport has its XXX_destination_concurrency_limit
+# parameter. The default is $default_destination_concurrency_limit for
+# most delivery transports. For the local delivery agent the default is 2.
+
+#local_destination_concurrency_limit = 2
+#default_destination_concurrency_limit = 20
+
+# DEBUGGING CONTROL
+#
+# The debug_peer_level parameter specifies the increment in verbose
+# logging level when an SMTP client or server host name or address
+# matches a pattern in the debug_peer_list parameter.
+#
+debug_peer_level = 2
+
+# The debug_peer_list parameter specifies an optional list of domain
+# or network patterns, /file/name patterns or type:name tables. When
+# an SMTP client or server host name or address matches a pattern,
+# increase the verbose logging level by the amount specified in the
+# debug_peer_level parameter.
+#
+#debug_peer_list = 127.0.0.1
+#debug_peer_list = some.domain
+
+# The debugger_command specifies the external command that is executed
+# when a Postfix daemon program is run with the -D option.
+#
+# Use "command .. & sleep 5" so that the debugger can attach before
+# the process marches on. If you use an X-based debugger, be sure to
+# set up your XAUTHORITY environment variable before starting Postfix.
+#
+debugger_command =
+ PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
+ ddd $daemon_directory/$process_name $process_id & sleep 5
+
+# If you can't use X, use this to capture the call stack when a
+# daemon crashes. The result is in a file in the configuration
+# directory, and is named after the process name and the process ID.
+#
+# debugger_command =
+# PATH=/bin:/usr/bin:/usr/local/bin; export PATH; (echo cont;
+# echo where) | gdb $daemon_directory/$process_name $process_id 2>&1
+# >$config_directory/$process_name.$process_id.log & sleep 5
+#
+# Another possibility is to run gdb under a detached screen session.
+# To attach to the screen session, su root and run "screen -r
+# <id_string>" where <id_string> uniquely matches one of the detached
+# sessions (from "screen -list").
+#
+# debugger_command =
+# PATH=/bin:/usr/bin:/sbin:/usr/sbin; export PATH; screen
+# -dmS $process_name gdb $daemon_directory/$process_name
+# $process_id & sleep 1
+
+# INSTALL-TIME CONFIGURATION INFORMATION
+#
+# The following parameters are used when installing a new Postfix version.
+#
+# sendmail_path: The full pathname of the Postfix sendmail command.
+# This is the Sendmail-compatible mail posting interface.
+#
+sendmail_path = /usr/sbin/sendmail.postfix
+
+# newaliases_path: The full pathname of the Postfix newaliases command.
+# This is the Sendmail-compatible command to build alias databases.
+#
+newaliases_path = /usr/bin/newaliases.postfix
+
+# mailq_path: The full pathname of the Postfix mailq command. This
+# is the Sendmail-compatible mail queue listing command.
+#
+mailq_path = /usr/bin/mailq.postfix
+
+# setgid_group: The group for mail submission and queue management
+# commands. This must be a group name with a numerical group ID that
+# is not shared with other accounts, not even with the Postfix account.
+#
+setgid_group = postdrop
+
+# html_directory: The location of the Postfix HTML documentation.
+#
+html_directory = no
+
+# manpage_directory: The location of the Postfix on-line manual pages.
+#
+manpage_directory = /usr/share/man
+
+# sample_directory: The location of the Postfix sample configuration files.
+# This parameter is obsolete as of Postfix 2.1.
+#
+sample_directory = /usr/share/doc/postfix/samples
+
+# readme_directory: The location of the Postfix README files.
+#
+readme_directory = /usr/share/doc/postfix/README_FILES
+
+# TLS CONFIGURATION
+#
+# Basic Postfix TLS configuration by default with self-signed certificate
+# for inbound SMTP and also opportunistic TLS for outbound SMTP.
+
+# The full pathname of a file with the Postfix SMTP server RSA certificate
+# in PEM format. Intermediate certificates should be included in general,
+# the server certificate first, then the issuing CA(s) (bottom-up order).
+#
+smtpd_tls_cert_file = /etc/pki/tls/private/postfix.pem
+
+# The full pathname of a file with the Postfix SMTP server RSA private key
+# in PEM format. The private key must be accessible without a pass-phrase,
+# i.e. it must not be encrypted.
+#
+smtpd_tls_key_file = /etc/pki/tls/private/postfix.pem
+
+# Announce STARTTLS support to remote SMTP clients, but do not require that
+# clients use TLS encryption (opportunistic TLS inbound).
+#
+smtpd_tls_security_level = may
+
+# Directory with PEM format Certification Authority certificates that the
+# Postfix SMTP client uses to verify a remote SMTP server certificate.
+#
+smtp_tls_CApath = /etc/pki/tls/certs
+
+# The full pathname of a file containing CA certificates of root CAs
+# trusted to sign either remote SMTP server certificates or intermediate CA
+# certificates.
+#
+smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
+
+# Use TLS if this is supported by the remote SMTP server, otherwise use
+# plaintext (opportunistic TLS outbound).
+#
+smtp_tls_security_level = may
+meta_directory = /etc/postfix
+shlib_directory = /usr/lib64/postfix
+recipient_delimiter = +
+local_recipient_maps = ldap:/etc/postfix/ldap/local_recipient_maps.cf
+transport_maps = ldap:/etc/postfix/ldap/transport_maps.cf, hash:/etc/postfix/transport
+virtual_alias_maps = $alias_maps, ldap:/etc/postfix/ldap/virtual_alias_maps.cf, ldap:/etc/postfix/ldap/virtual_alias_maps_mailforwarding.cf, ldap:/etc/postfix/ldap/virtual_alias_maps_sharedfolders.cf, ldap:/etc/postfix/ldap/mailenabled_distgroups.cf, ldap:/etc/postfix/ldap/mailenabled_dynamic_distgroups.cf
+smtpd_tls_auth_only = yes
+smtpd_sasl_auth_enable = yes
+smtpd_sender_login_maps = $local_recipient_maps
+smtpd_data_restrictions = permit_mynetworks, check_policy_service unix:private/recipient_policy_incoming
+smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_pipelining, reject_rbl_client zen.spamhaus.org, reject_non_fqdn_recipient, reject_invalid_helo_hostname, reject_unknown_recipient_domain, reject_unauth_destination, check_policy_service unix:private/recipient_policy_incoming, permit
+smtpd_sender_restrictions = permit_mynetworks, reject_sender_login_mismatch, check_policy_service unix:private/sender_policy_incoming
+submission_recipient_restrictions = check_policy_service unix:private/submission_policy, permit_sasl_authenticated, reject
+submission_sender_restrictions = reject_non_fqdn_sender, check_policy_service unix:private/submission_policy, permit_sasl_authenticated, reject
+submission_data_restrictions = check_policy_service unix:private/submission_policy
+content_filter = smtp-wallace:[127.0.0.1]:10026
diff --git a/docker/kolab/rootfs/etc/postfix/master.cf b/docker/kolab/rootfs/etc/postfix/master.cf
new file mode 100644
index 00000000..5944ff96
--- /dev/null
+++ b/docker/kolab/rootfs/etc/postfix/master.cf
@@ -0,0 +1,137 @@
+# Postfix master process configuration file. For details on the format
+# of the file, see the master(5) manual page (command: "man 5 master").
+# Do not forget to execute "postfix reload" after editing this file.
+# ==============================================================================
+# service type private unpriv chroot wakeup maxproc command
+# (yes) (yes) (yes) (never) (100) + args
+# ==============================================================================
+smtp inet n - n - - smtpd
+#smtp inet n - n - 1 postscreen
+#smtpd pass - - n - - smtpd
+#dnsblog unix - - n - 0 dnsblog
+#tlsproxy unix - - n - 0 tlsproxy
+#smtps inet n - n - - smtpd
+# -o syslog_name=postfix/smtps
+# -o smtpd_tls_wrappermode=yes
+# -o smtpd_sasl_auth_enable=yes
+# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+# -o milter_macro_daemon_name=ORIGINATING
+#628 inet n - n - - qmqpd
+pickup fifo n - n 60 1 pickup
+cleanup unix n - n - 0 cleanup
+ -o header_checks=regexp:/etc/postfix/header_checks.inbound
+ -o mime_header_checks=regexp:/etc/postfix/header_checks.inbound
+cleanup_internal unix n - n - 0 cleanup
+ -o header_checks=regexp:/etc/postfix/header_checks.internal
+ -o mime_header_checks=regexp:/etc/postfix/header_checks.internal
+cleanup_submission unix n - n - 0 cleanup
+ -o header_checks=regexp:/etc/postfix/header_checks.submission
+ -o mime_header_checks=regexp:/etc/postfix/header_checks.submission
+qmgr fifo n - n 300 1 qmgr
+#qmgr fifo n - n 300 1 oqmgr
+tlsmgr unix - - n 1000? 1 tlsmgr
+rewrite unix - - n - - trivial-rewrite
+bounce unix - - n - 0 bounce
+defer unix - - n - 0 bounce
+trace unix - - n - 0 bounce
+verify unix - - n - 1 verify
+flush unix n - n 1000? 0 flush
+proxymap unix - - n - - proxymap
+proxywrite unix - - n - 1 proxymap
+smtp unix - - n - - smtp
+relay unix - - n - - smtp
+showq unix n - n - - showq
+error unix - - n - - error
+retry unix - - n - - error
+discard unix - - n - - discard
+local unix - n n - - local
+virtual unix - n n - - virtual
+lmtp unix - - n - - lmtp
+anvil unix - - n - 1 anvil
+scache unix - - n - 1 scache
+
+# Filter email through Amavisd
+smtp-amavis unix - - n - 3 smtp
+ -o smtp_data_done_timeout=1800
+ -o disable_dns_lookups=yes
+ -o smtp_send_xforward_command=yes
+ -o max_use=20
+ -o smtp_bind_address=127.0.0.1
+
+# Listener to re-inject email from Amavisd into Postfix
+127.0.0.1:10025 inet n - n - 100 smtpd
+ -o cleanup_service_name=cleanup_internal
+ -o content_filter=smtp-wallace:[127.0.0.1]:10026
+ -o local_recipient_maps=
+ -o relay_recipient_maps=
+ -o smtpd_restriction_classes=
+ -o smtpd_client_restrictions=
+ -o smtpd_helo_restrictions=
+ -o smtpd_sender_restrictions=
+ -o smtpd_recipient_restrictions=permit_mynetworks,reject
+ -o mynetworks=127.0.0.0/8
+ -o smtpd_authorized_xforward_hosts=127.0.0.0/8
+
+# Filter email through Wallace
+smtp-wallace unix - - n - 3 smtp
+ -o default_destination_recipient_limit=1
+ -o smtp_data_done_timeout=1800
+ -o disable_dns_lookups=yes
+ -o smtp_send_xforward_command=yes
+ -o max_use=20
+
+# Listener to re-inject email from Wallace into Postfix
+127.0.0.1:10027 inet n - n - 100 smtpd
+ -o cleanup_service_name=cleanup_internal
+ -o content_filter=
+ -o local_recipient_maps=
+ -o relay_recipient_maps=
+ -o smtpd_restriction_classes=
+ -o smtpd_client_restrictions=
+ -o smtpd_helo_restrictions=
+ -o smtpd_sender_restrictions=
+ -o smtpd_recipient_restrictions=permit_mynetworks,reject
+ -o mynetworks=127.0.0.0/8
+ -o smtpd_authorized_xforward_hosts=127.0.0.0/8
+
+recipient_policy unix - n n - - spawn
+ user=kolab-n argv=/usr/libexec/postfix/kolab_smtp_access_policy --verify-recipient
+
+recipient_policy_incoming unix - n n - - spawn
+ user=kolab-n argv=/usr/libexec/postfix/kolab_smtp_access_policy --verify-recipient --allow-unauthenticated
+
+sender_policy unix - n n - - spawn
+ user=kolab-n argv=/usr/libexec/postfix/kolab_smtp_access_policy --verify-sender
+
+sender_policy_incoming unix - n n - - spawn
+ user=kolab-n argv=/usr/libexec/postfix/kolab_smtp_access_policy --verify-sender --allow-unauthenticated
+
+submission_policy unix - n n - - spawn
+ user=kolab-n argv=/usr/libexec/postfix/kolab_smtp_access_policy --verify-sender --verify-recipient
+
+127.0.0.1:10587 inet n - n - - smtpd
+ -o cleanup_service_name=cleanup_submission
+ -o syslog_name=postfix/submission
+ #-o smtpd_tls_security_level=encrypt
+ -o smtpd_sasl_auth_enable=yes
+ -o smtpd_sasl_authenticated_header=yes
+ -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+ -o smtpd_data_restrictions=$submission_data_restrictions
+ -o smtpd_recipient_restrictions=$submission_recipient_restrictions
+ -o smtpd_sender_restrictions=$submission_sender_restrictions
+
+127.0.0.1:10465 inet n - n - - smtpd
+ -o cleanup_service_name=cleanup_submission
+ -o rewrite_service_name=rewrite_submission
+ -o syslog_name=postfix/smtps
+ -o mydestination=
+ -o local_recipient_maps=
+ -o relay_domains=
+ -o relay_recipient_maps=
+ #-o smtpd_tls_wrappermode=yes
+ -o smtpd_sasl_auth_enable=yes
+ -o smtpd_sasl_authenticated_header=yes
+ -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+ -o smtpd_sender_restrictions=$submission_sender_restrictions
+ -o smtpd_recipient_restrictions=$submission_recipient_restrictions
+ -o smtpd_data_restrictions=$submission_data_restrictions
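Review bot: The `127.0.0.1:10465` service sets `-o rewrite_service_name=rewrite_submission`, but no `rewrite_submission` service is defined anywhere in this master.cf (the only rewrite service is `rewrite unix - - n - - trivial-rewrite`), so smtpd on that port cannot resolve addresses and will defer or reject every message until the service exists. Either drop that `-o` line (the `127.0.0.1:10587` service above works without it) or add a matching entry such as `rewrite_submission unix - - n - - trivial-rewrite`. Both submission listeners also leave `#-o smtpd_tls_security_level=encrypt` and `#-o smtpd_tls_wrappermode=yes` commented out; that is presumably deliberate because they are bound to loopback behind a TLS-terminating front end, but a one-line comment saying so would stop the next reader from "fixing" it, since with only main.cf's `smtpd_tls_security_level = may` the listener itself does not enforce encryption. The `smtp-amavis` transport and the 10025 re-injection listener are still defined although `content_filter` now points at `smtp-wallace`; if amavisd is really gone they are dead configuration worth removing.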
diff --git a/docker/kolab/rootfs/etc/postfix/transport b/docker/kolab/rootfs/etc/postfix/transport
new file mode 100644
index 00000000..fcd77768
--- /dev/null
+++ b/docker/kolab/rootfs/etc/postfix/transport
@@ -0,0 +1,320 @@
+# TRANSPORT(5) TRANSPORT(5)
+#
+# NAME
+# transport - Postfix transport table format
+#
+# SYNOPSIS
+# postmap /etc/postfix/transport
+#
+# postmap -q "string" /etc/postfix/transport
+#
+# postmap -q - /etc/postfix/transport <inputfile
+#
+# DESCRIPTION
+# The optional transport(5) table specifies a mapping from
+# email addresses to message delivery transports and
+# next-hop destinations. Message delivery transports such
+# as local or smtp are defined in the master.cf file, and
+# next-hop destinations are typically hosts or domain names.
+# The table is searched by the trivial-rewrite(8) daemon.
+#
+# This mapping overrides the default transport:nexthop
+# selection that is built into Postfix:
+#
+# local_transport (default: local:$myhostname)
+# This is the default for final delivery to domains
+# listed with mydestination, and for [ipaddress] des-
+# tinations that match $inet_interfaces or
+# $proxy_interfaces. The default nexthop destination
+# is the MTA hostname.
+#
+# virtual_transport (default: virtual:)
+# This is the default for final delivery to domains
+# listed with virtual_mailbox_domains. The default
+# nexthop destination is the recipient domain.
+#
+# relay_transport (default: relay:)
+# This is the default for remote delivery to domains
+# listed with relay_domains. In order of decreasing
+# precedence, the nexthop destination is taken from
+# relay_transport, sender_dependent_relayhost_maps,
+# relayhost, or from the recipient domain.
+#
+# default_transport (default: smtp:)
+# This is the default for remote delivery to other
+# destinations. In order of decreasing precedence,
+# the nexthop destination is taken from sender_depen-
+# dent_default_transport_maps, default_transport,
+# sender_dependent_relayhost_maps, relayhost, or from
+# the recipient domain.
+#
+# Normally, the transport(5) table is specified as a text
+# file that serves as input to the postmap(1) command. The
+# result, an indexed file in dbm or db format, is used for
+# fast searching by the mail system. Execute the command
+# "postmap /etc/postfix/transport" to rebuild an indexed
+# file after changing the corresponding transport table.
+#
+# When the table is provided via other means such as NIS,
+# LDAP or SQL, the same lookups are done as for ordinary
+# indexed files.
+#
+# Alternatively, the table can be provided as a regu-
+# lar-expression map where patterns are given as regular
+# expressions, or lookups can be directed to TCP-based
+# server. In those case, the lookups are done in a slightly
+# different way as described below under "REGULAR EXPRESSION
+# TABLES" or "TCP-BASED TABLES".
+#
+# CASE FOLDING
+# The search string is folded to lowercase before database
+# lookup. As of Postfix 2.3, the search string is not case
+# folded with database types such as regexp: or pcre: whose
+# lookup fields can match both upper and lower case.
+#
+# TABLE FORMAT
+# The input format for the postmap(1) command is as follows:
+#
+# pattern result
+# When pattern matches the recipient address or
+# domain, use the corresponding result.
+#
+# blank lines and comments
+# Empty lines and whitespace-only lines are ignored,
+# as are lines whose first non-whitespace character
+# is a `#'.
+#
+# multi-line text
+# A logical line starts with non-whitespace text. A
+# line that starts with whitespace continues a logi-
+# cal line.
+#
+# The pattern specifies an email address, a domain name, or
+# a domain name hierarchy, as described in section "TABLE
+# LOOKUP".
+#
+# The result is of the form transport:nexthop and specifies
+# how or where to deliver mail. This is described in section
+# "RESULT FORMAT".
+#
+# TABLE SEARCH ORDER
+# With lookups from indexed files such as DB or DBM, or from
+# networked tables such as NIS, LDAP or SQL, patterns are
+# tried in the order as listed below:
+#
+# user+extension@domain transport:nexthop
+# Deliver mail for user+extension@domain through
+# transport to nexthop.
+#
+# user@domain transport:nexthop
+# Deliver mail for user@domain through transport to
+# nexthop.
+#
+# domain transport:nexthop
+# Deliver mail for domain through transport to nex-
+# thop.
+#
+# .domain transport:nexthop
+# Deliver mail for any subdomain of domain through
+# transport to nexthop. This applies only when the
+# string transport_maps is not listed in the par-
+# ent_domain_matches_subdomains configuration set-
+# ting. Otherwise, a domain name matches itself and
+# its subdomains.
+#
+# * transport:nexthop
+# The special pattern * represents any address (i.e.
+# it functions as the wild-card pattern, and is
+# unique to Postfix transport tables).
+#
+# Note 1: the null recipient address is looked up as
+# $empty_address_recipient@$myhostname (default: mailer-dae-
+# mon@hostname).
+#
+# Note 2: user@domain or user+extension@domain lookup is
+# available in Postfix 2.0 and later.
+#
+# RESULT FORMAT
+# The lookup result is of the form transport:nexthop. The
+# transport field specifies a mail delivery transport such
+# as smtp or local. The nexthop field specifies where and
+# how to deliver mail.
+#
+# The transport field specifies the name of a mail delivery
+# transport (the first name of a mail delivery service entry
+# in the Postfix master.cf file).
+#
+# The nexthop field usually specifies one recipient domain
+# or hostname. In the case of the Postfix SMTP/LMTP client,
+# the nexthop field may contain a list of nexthop destina-
+# tions separated by comma or whitespace (Postfix 3.5 and
+# later).
+#
+# The syntax of a nexthop destination is transport depen-
+# dent. With SMTP, specify a service on a non-default port
+# as host:service, and disable MX (mail exchanger) DNS
+# lookups with [host] or [host]:port. The [] form is
+# required when you specify an IP address instead of a host-
+# name.
+#
+# A null transport and null nexthop field means "do not
+# change": use the delivery transport and nexthop informa-
+# tion that would be used when the entire transport table
+# did not exist.
+#
+# A non-null transport field with a null nexthop field
+# resets the nexthop information to the recipient domain.
+#
+# A null transport field with non-null nexthop field does
+# not modify the transport information.
+#
+# EXAMPLES
+# In order to deliver internal mail directly, while using a
+# mail relay for all other mail, specify a null entry for
+# internal destinations (do not change the delivery trans-
+# port or the nexthop information) and specify a wildcard
+# for all other destinations.
+#
+# my.domain :
+# .my.domain :
+# * smtp:outbound-relay.my.domain
+#
+# In order to send mail for example.com and its subdomains
+# via the uucp transport to the UUCP host named example:
+#
+# example.com uucp:example
+# .example.com uucp:example
+#
+# When no nexthop host name is specified, the destination
+# domain name is used instead. For example, the following
+# directs mail for user@example.com via the slow transport
+# to a mail exchanger for example.com. The slow transport
+# could be configured to run at most one delivery process at
+# a time:
+#
+# example.com slow:
+#
+# When no transport is specified, Postfix uses the transport
+# that matches the address domain class (see DESCRIPTION
+# above). The following sends all mail for example.com and
+# its subdomains to host gateway.example.com:
+#
+# example.com :[gateway.example.com]
+# .example.com :[gateway.example.com]
+#
+# In the above example, the [] suppress MX lookups. This
+# prevents mail routing loops when your machine is primary
+# MX host for example.com.
+#
+# In the case of delivery via SMTP or LMTP, one may specify
+# host:service instead of just a host:
+#
+# example.com smtp:bar.example:2025
+#
+# This directs mail for user@example.com to host bar.example
+# port 2025. Instead of a numerical port a symbolic name may
+# be used. Specify [] around the hostname if MX lookups must
+# be disabled.
+#
+# Deliveries via SMTP or LMTP support multiple destinations
+# (Postfix >= 3.5):
+#
+# example.com smtp:bar.example, foo.example
+#
+# This tries to deliver to bar.example before trying to
+# deliver to foo.example.
+#
+# The error mailer can be used to bounce mail:
+#
+# .example.com error:mail for *.example.com is not deliverable
+#
+# This causes all mail for user@anything.example.com to be
+# bounced.
+#
+# REGULAR EXPRESSION TABLES
+# This section describes how the table lookups change when
+# the table is given in the form of regular expressions. For
+# a description of regular expression lookup table syntax,
+# see regexp_table(5) or pcre_table(5).
+#
+# Each pattern is a regular expression that is applied to
+# the entire address being looked up. Thus,
+# some.domain.hierarchy is not looked up via its parent
+# domains, nor is user+foo@domain looked up as user@domain.
+#
+# Patterns are applied in the order as specified in the ta-
+# ble, until a pattern is found that matches the search
+# string.
+#
+# The trivial-rewrite(8) server disallows regular expression
+# substitution of $1 etc. in regular expression lookup
+# tables, because that could open a security hole (Postfix
+# version 2.3 and later).
+#
+# TCP-BASED TABLES
+# This section describes how the table lookups change when
+# lookups are directed to a TCP-based server. For a descrip-
+# tion of the TCP client/server lookup protocol, see tcp_ta-
+# ble(5). This feature is not available up to and including
+# Postfix version 2.4.
+#
+# Each lookup operation uses the entire recipient address
+# once. Thus, some.domain.hierarchy is not looked up via
+# its parent domains, nor is user+foo@domain looked up as
+# user@domain.
+#
+# Results are the same as with indexed file lookups.
+#
+# CONFIGURATION PARAMETERS
+# The following main.cf parameters are especially relevant.
+# The text below provides only a parameter summary. See
+# postconf(5) for more details including examples.
+#
+# empty_address_recipient (MAILER-DAEMON)
+# The recipient of mail addressed to the null
+# address.
+#
+# parent_domain_matches_subdomains (see 'postconf -d' out-
+# put)
+# A list of Postfix features where the pattern "exam-
+# ple.com" also matches subdomains of example.com,
+# instead of requiring an explicit ".example.com"
+# pattern.
+#
+# transport_maps (empty)
+# Optional lookup tables with mappings from recipient
+# address to (message delivery transport, next-hop
+# destination).
+#
+# SEE ALSO
+# trivial-rewrite(8), rewrite and resolve addresses
+# master(5), master.cf file format
+# postconf(5), configuration parameters
+# postmap(1), Postfix lookup table manager
+#
+# README FILES
+# Use "postconf readme_directory" or "postconf html_direc-
+# tory" to locate this information.
+# ADDRESS_REWRITING_README, address rewriting guide
+# DATABASE_README, Postfix lookup table overview
+# FILTER_README, external content filter
+#
+# LICENSE
+# The Secure Mailer license must be distributed with this
+# software.
+#
+# AUTHOR(S)
+# Wietse Venema
+# IBM T.J. Watson Research
+# P.O. Box 704
+# Yorktown Heights, NY 10598, USA
+#
+# Wietse Venema
+# Google, Inc.
+# 111 8th Avenue
+# New York, NY 10011, USA
+#
+# TRANSPORT(5)
+
+# Shared Folder Delivery for mgmt.com:
+shared@mgmt.com lmtp:unix:/var/lib/imap/socket/lmtp
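Review bot: The only live entry, `shared@mgmt.com lmtp:unix:/var/lib/imap/socket/lmtp`, hard-codes the `mgmt.com` domain in a file baked into the image, whereas the setup scripts derive the domain from `${DOMAIN:-mgmt.com}`; a deployment using any other domain silently loses this shared-folder routing. main.cf references this table as `hash:/etc/postfix/transport`, which requires a `transport.db` produced by `postmap /etc/postfix/transport`, and I see no postmap call in the setup scripts touched by this diff, so either run it during setup or use a table type that needs no compilation. The roughly 300 lines of pasted TRANSPORT(5) text could be replaced by a short header comment such as `# Transport table for Kolab; see "man 5 transport" and run "postmap /etc/postfix/transport" after editing.`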
diff --git a/docker/kolab/utils/03-setup-kolab.sh b/docker/kolab/utils/03-setup-kolab.sh
index 86deec4c..ba4a65d1 100755
--- a/docker/kolab/utils/03-setup-kolab.sh
+++ b/docker/kolab/utils/03-setup-kolab.sh
@@ -1,59 +1,53 @@
#!/bin/bash
. ./settings.sh
echo ${CMD} | tee -a /root/setup-kolab.log
echo -n "Wait for MariaDB container: " | tee -a /root/setup-kolab.log
while ! mysqladmin -u root ping > /dev/null 2>&1 ; do
echo -n '.'
sleep 3
done | tee -a /root/setup-kolab.log
echo "OK!" | tee -a /root/setup-kolab.log
echo -n "Wait for DS389 container: " | tee -a /root/setup-kolab.log
while ! ldapsearch -h ${LDAP_HOST} -D "${LDAP_ADMIN_BIND_DN}" -w "${LDAP_ADMIN_BIND_PW}" -b "" -s base > /dev/null 2>&1 ; do
echo -n '.'
sleep 3
done | tee -a /root/setup-kolab.log
echo "OK!" | tee -a /root/setup-kolab.log
-cat > /tmp/kolab-setup-my.cnf << EOF
-[client]
-host=${DB_HOST}
-user=root
-password=${DB_ROOT_PASSWORD}
-EOF
-
-
-CMD="$(which setup-kolab) mta \
- --default"
-${CMD} 2>&1 | tee -a /root/setup-kolab.log
+cat ${SSL_CERTIFICATE} ${SSL_CERTIFICATE_FULLCHAIN} ${SSL_CERTIFICATE_KEY} > /etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem
+chown cyrus:mail /etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem
+cp /etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem /etc/pki/tls/private/postfix.pem
+chown postfix:mail /etc/pki/tls/private/postfix.pem
+chmod 655 /etc/pki/tls/private/postfix.pem
+systemctl enable --now postfix
+systemctl enable --now wallace
# setup imap
if [ -f "/var/lib/imap/db" ]; then
echo "IMAP directory exists, nothing to do"
else
echo "Initializing IMAP volume"
cp -ar /var/lib/imap-bak/* /var/lib/imap/
systemctl start cyrus-imapd
fi
# Setup httpform auth against kolab
sed -i "s/MECH=.*/MECH=httpform/" /etc/sysconfig/saslauthd
cat > /etc/saslauthd.conf << EOF
httpform_host: services.${APP_DOMAIN}
httpform_port: 8000
httpform_uri: /api/webhooks/cyrus-sasl
httpform_data: %u %r %p
EOF
systemctl restart saslauthd
-#Setup guam
-systemctl start guam
-systemctl enable guam
+systemctl enable --now guam
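Review bot: `chmod 655 /etc/pki/tls/private/postfix.pem` leaves the file world-readable (and world-executable) even though the line above built it by concatenating `${SSL_CERTIFICATE_KEY}` into it, so the TLS private key is readable by any local user or process in the container; the cyrus bundle it was copied from gets no chmod at all and inherits the umask default, typically 644. Both should be tightened to `chmod 640 /etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem` and `chmod 640 /etc/pki/tls/private/postfix.pem`, since the `cyrus:mail` and `postfix:mail` ownership already gives the daemons read access. The same five cert-bundle lines are duplicated in 05-adjust-configs.sh in this diff and need the same fix, or better, should live in only one of the two scripts. Note also that `echo ${CMD}` at the top of the script now prints an empty line because the `CMD=` assignment was removed by this hunk.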
diff --git a/docker/kolab/utils/05-adjust-configs.sh b/docker/kolab/utils/05-adjust-configs.sh
index 929870c2..7267bafa 100755
--- a/docker/kolab/utils/05-adjust-configs.sh
+++ b/docker/kolab/utils/05-adjust-configs.sh
@@ -1,104 +1,10 @@
#!/bin/bash
-#sed -i -e "s/server_host.*/server_host = ${LDAP_HOST}/g" /etc/postfix/ldap/*
. ./settings.sh
-#Adjust basedn
-sed -i -r \
- -e "s/(\s+)base => '.*',$/\1base => '${hosted_domain_rootdn}',/g" \
- -e "/\\\$mydomain = / a\
-\$myhostname = '${HOSTNAME:-kolab}.${DOMAIN:-mgmt.com}';" \
- -e "s/^base_dn = .*$/base_dn = ${hosted_domain_rootdn}/g" \
- -e "s/^search_base = .*$/search_base = ${hosted_domain_rootdn}/g" \
- -e "s/(\s+)'base_dn'(\s+)=> '.*',/\1'base_dn'\2=> '${hosted_domain_rootdn}',/g" \
- -e "s/(\s+)'search_base_dn'(\s+)=> '.*',/\1'search_base_dn'\2=> '${hosted_domain_rootdn}',/g" \
- -e "s/(\s+)'user_specific'(\s+)=> false,/\1'user_specific'\2=> true,/g" \
- /etc/amavisd/amavisd.conf \
- /etc/postfix/ldap/*.cf
-
-sed -i -r \
- -e "s/^search_base = .*$/search_base = ${domain_base_dn}/g" \
- /etc/postfix/ldap/mydestination.cf
-
-
-#Disable amavisd
-postconf -e content_filter='smtp-wallace:[127.0.0.1]:10026'
-
-systemctl stop amavisd
-systemctl disable amavisd
-
-systemctl stop clamd@amavisd
-systemctl disable clamd@amavisd
-
-
-# Change port numbers
cat ${SSL_CERTIFICATE} ${SSL_CERTIFICATE_FULLCHAIN} ${SSL_CERTIFICATE_KEY} > /etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem
chown cyrus:mail /etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem
cp /etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem /etc/pki/tls/private/postfix.pem
chown postfix:mail /etc/pki/tls/private/postfix.pem
chmod 655 /etc/pki/tls/private/postfix.pem
-
-sed -i "s/smtpd_tls_key_file =.*/smtpd_tls_key_file = \/etc\/pki\/tls\/private\/postfix.pem/" /etc/postfix/main.cf
-sed -i "s/smtpd_tls_cert_file =.*/smtpd_tls_cert_file = \/etc\/pki\/tls\/private\/postfix.pem/" /etc/postfix/main.cf
-
-# Remove the submission block, by matching from submission until the next empty line
-sed -i -e '/submission inet/,/^$/d' /etc/postfix/master.cf
-
-# Insert a new submission block with a modified port
-cat >> /etc/postfix/master.cf << EOF
-127.0.0.1:10587 inet n - n - - smtpd
- -o cleanup_service_name=cleanup_submission
- -o syslog_name=postfix/submission
- #-o smtpd_tls_security_level=encrypt
- -o smtpd_sasl_auth_enable=yes
- -o smtpd_sasl_authenticated_header=yes
- -o smtpd_client_restrictions=permit_sasl_authenticated,reject
- -o smtpd_data_restrictions=\$submission_data_restrictions
- -o smtpd_recipient_restrictions=\$submission_recipient_restrictions
- -o smtpd_sender_restrictions=\$submission_sender_restrictions
-
-127.0.0.1:10465 inet n - n - - smtpd
- -o cleanup_service_name=cleanup_submission
- -o rewrite_service_name=rewrite_submission
- -o syslog_name=postfix/smtps
- -o mydestination=
- -o local_recipient_maps=
- -o relay_domains=
- -o relay_recipient_maps=
- #-o smtpd_tls_wrappermode=yes
- -o smtpd_sasl_auth_enable=yes
- -o smtpd_sasl_authenticated_header=yes
- -o smtpd_client_restrictions=permit_sasl_authenticated,reject
- -o smtpd_sender_restrictions=\$submission_sender_restrictions
- -o smtpd_recipient_restrictions=\$submission_recipient_restrictions
- -o smtpd_data_restrictions=\$submission_data_restrictions
-EOF
-
-
-# Adjust postfix
-
-# new: (inetdomainstatus:1.2.840.113556.1.4.803:=1)
-# active: (inetdomainstatus:1.2.840.113556.1.4.803:=2)
-# suspended: (inetdomainstatus:1.2.840.113556.1.4.803:=4)
-# deleted: (inetdomainstatus:1.2.840.113556.1.4.803:=8)
-# confirmed: (inetdomainstatus:1.2.840.113556.1.4.803:=16)
-# verified: (inetdomainstatus:1.2.840.113556.1.4.803:=32)
-# ready: (inetdomainstatus:1.2.840.113556.1.4.803:=64)
-
-sed -i -r \
- -e 's/^query_filter.*$/query_filter = (\&(associatedDomain=%s)(inetdomainstatus:1.2.840.113556.1.4.803:=18)(!(inetdomainstatus:1.2.840.113556.1.4.803:=4)))/g' \
- /etc/postfix/ldap/mydestination.cf
-
-# new: (inetuserstatus:1.2.840.113556.1.4.803:=1)
-# active: (inetuserstatus:1.2.840.113556.1.4.803:=2)
-# suspended: (inetuserstatus:1.2.840.113556.1.4.803:=4)
-# deleted: (inetuserstatus:1.2.840.113556.1.4.803:=8)
-# ldapready: (inetuserstatus:1.2.840.113556.1.4.803:=16)
-# imapready: (inetuserstatus:1.2.840.113556.1.4.803:=32)
-
-sed -i -r \
- -e 's/^query_filter.*$/query_filter = (\&(|(mail=%s)(alias=%s))(|(objectclass=kolabinetorgperson)(|(objectclass=kolabgroupofuniquenames)(objectclass=kolabgroupofurls))(|(|(objectclass=groupofuniquenames)(objectclass=groupofurls))(objectclass=kolabsharedfolder))(objectclass=kolabsharedfolder))(!(inetuserstatus:1.2.840.113556.1.4.803:=4)))/g' \
- /etc/postfix/ldap/local_recipient_maps.cf
-
-systemctl restart postfix
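Review bot: The bundle built at the top of the new-side script concatenates `${SSL_CERTIFICATE_KEY}` into cyrus-imapd.bundle.pem and its postfix.pem copy, yet the copy is then given `chmod 655`, which leaves the private key readable by every account in the container, and the cyrus copy gets no explicit mode at all. Since each file is chowned to the daemon user with group mail, `chmod 640 /etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem` after its chown and `chmod 640 /etc/pki/tls/private/postfix.pem` in place of the 655 line should be sufficient (presumably the daemons run as those owners; worth confirming). The same five lines are added verbatim to the preceding script in this diff, so the mode needs correcting there too, and with the LDAP and postfix rewrites deleted this script now consists solely of that duplicated block, which deserves a comment explaining why it is kept. The script also lacks `set -e`, so a failing `cat` (for example an unset or unreadable key path) still lets the chown/cp steps install an incomplete bundle.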
