Add TLS/SASL support (#2)

hrpatel · web-flow · commit 1f1945d4dbd6 · 2018-10-26T11:56:11.000-04:00
* Add support for TLS/SASL
* Add CA bundle for TLS
* Add a Git ignore configuration
* Update README
* Update CHANGELOG
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,2 @@
+### JetBrains template
+.idea/
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,7 +4,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
-## [v0.1.1] - 2018-08-13
+## [v0.1.2] - 2018-10-25
+### Added
+- TLS support
+- SASL Auth support
+
+## [v0.1.1] - 2018-09-24
 ### Added
 - Project `CHANGELOG.md`, `README.md`, and `LICENSE`
 - Initial commit of Docker, build, and configuration
diff --git a/Dockerfile b/Dockerfile
@@ -8,6 +8,7 @@ ENV DEBIAN_FRONTEND noninteractive
 
 RUN apt-get update \
     && apt-get install --yes \
+        ca-certificates \
         postfix \
         rsyslog \
         supervisor \
diff --git a/README.md b/README.md
@@ -10,3 +10,10 @@ See `./bin/postfix_init.sh` for configuration parameters that are available via
 
 * Supervisor to manaage `postfix`, `rsyslog`, and log output to `stdout`
 * Logging support is added with `rsyslog`
+* TLS Support
+  * Set `POSTFIX_TLS` to `true`
+  * Default: unset/disabled
+* SASL Support
+  * Set `POSTFIX_SASL_AUTH` to `<SMTP_USERNAME>:<SMTP_PASSWORD>`
+  * Requires `POSTFIX_RELAYHOST` and `POSTFIX_TLS`
+  * Default: unset/disabled
diff --git a/bin/postfix_init.sh b/bin/postfix_init.sh
@@ -18,6 +18,7 @@
 set -eo pipefail
 
 echo "Configuring postfix with any environment variables that are set"
+
 if [[ -n "${POSTFIX_MYNETWORKS}" ]]; then
     echo "Setting custom 'mynetworks' to '${POSTFIX_MYNETWORKS}'"
     postconf mynetworks="${POSTFIX_MYNETWORKS}"
@@ -28,7 +29,7 @@ fi
 
 if [[ -n "${POSTFIX_RELAYHOST}" ]]; then
     echo "Setting custom 'relayhost' to '${POSTFIX_RELAYHOST}'"
-    postconf relayhost="${POSTFIX_RELAYHOST}"
+    postconf relayhost="[${POSTFIX_RELAYHOST}]:${POSTFIX_RELAYHOST_PORT}"
 else
     echo "Revert 'relayhost' to default (unset)"
     postconf -# relayhost
@@ -38,5 +39,35 @@ echo "Disable chroot for the smtp service"
 postconf -F smtp/inet/chroot=n
 postconf -F smtp/unix/chroot=n
 
+if [[ "${POSTFIX_TLS}" = "true" ]]; then
+    echo "Configuring TLS"
+    postconf smtp_tls_CAfile="/etc/ssl/certs/ca-certificates.crt"
+    postconf smtp_tls_security_level="encrypt"
+    postconf smtp_use_tls="yes"
+fi
+
+echo "Configuring SASL Auth"
+if [[ -n "${POSTFIX_SASL_AUTH}" ]]; then
+    if [[ -z "${POSTFIX_RELAYHOST}" || -z "${POSTFIX_TLS}" ]]; then
+        echo "Please set 'POSTFIX_RELAYHOST' AND 'POSTFIX_TLS' before attempting to enable SSL auth."
+        exit 1
+    fi
+
+    postconf smtp_sasl_auth_enable="yes"
+    postconf smtp_sasl_password_maps="hash:/etc/postfix/sasl_passwd"
+    postconf smtp_sasl_security_options="noanonymous"
+    postconf smtp_tls_note_starttls_offer="yes"
+
+    # generate the SASL password map
+    echo "${POSTFIX_RELAYHOST} ${POSTFIX_SASL_AUTH}" > /etc/postfix/sasl_passwd
+
+    # generate a .db file and clean it up
+    postmap hash:/etc/postfix/sasl_passwd && rm /etc/postfix/sasl_passwd
+
+    # set permissions
+    chmod 600 /etc/postfix/sasl_passwd.db
+fi
+
+
 echo "Starting postfix in the foreground"
 postfix start-fg
diff --git a/bin/travis-ci/check_tag.sh b/bin/travis-ci/check_tag.sh
@@ -17,7 +17,7 @@
 
 set -eo pipefail
 
-# echo "Installing shtdlib"
+echo "Installing shtdlib"
 shtdlib_local_path="/usr/local/bin/shtdlib.sh"
 sudo curl -s -L -o "${shtdlib_local_path}" https://github.com/sdelements/shtdlib/raw/master/shtdlib.sh
 sudo chmod 775 "${shtdlib_local_path}"
@@ -30,11 +30,11 @@ latest_tag="$(git fetch -t && git tag -l | sort --version-sort | tail -n1)"
 color_echo green "Latest Git tag: '${latest_tag}'"
 
 # Get the latest tag from the CHANGELOG
-changelog_ver="$(grep -oP '\[v\d\.\d\.\d\]' CHANGELOG.md | tr -d '[]' | sort -nr | head -n1)"
+changelog_ver="$(grep -oP '\[v\d+\.\d+\.\d+\]' CHANGELOG.md | tr -d '[]' | sort --version-sort -r | head -n1)"
 color_echo green "CHANGELOG version: '${changelog_ver}'"
 
 # Validate version strings
-version_pattern='^v\d\.\d\.\d$'
+version_pattern='^v\d+\.\d+\.\d+$'
 echo "${latest_tag}" | grep -qP ${version_pattern} || ( color_echo red "Invalid tag from repo: '${latest_tag}'" && exit 1 )
 echo "${changelog_ver}" | grep -qP ${version_pattern} || ( color_echo red "Invalid tag from CHANGELOG: '${changelog_ver}'" && exit 1 )
 
