From 9b43974c96cbfae5c7ecba758f2e76fb5a959747 Mon Sep 17 00:00:00 2001
From: zekeriya <zkry.akgul@gmail.com>
Date: Fri, 1 Mar 2019 10:42:11 +0300
Subject: [PATCH] [Policyd] Added policyd Dockerfile [Compose] Added policyd
 Service [Postfix] Added policyd for check_policy_service to main.cf

---
 data/Dockerfiles/policyd/Dockerfile           |  19 ++
 .../etc/supervisor/conf.d/apache-2.4.conf     |  12 ++
 .../etc/supervisor/conf.d/cbpolicyd.conf      |  12 ++
 .../50_install_cluebringer_db                 |  48 +++++
 .../supervisord-pre.d/51_configure_policyd    |  14 ++
 .../tmpl/cluebringer/cluebringer-webui.conf   |  16 ++
 .../files/tmpl/cluebringer/cluebringer.conf   | 192 ++++++++++++++++++
 .../policyd/files/var/www/html/.htaccess      |   4 +
 data/conf/postfix/main.cf                     |   2 +-
 docker-compose.yml                            |  27 +++
 generate_config.sh                            |  12 ++
 11 files changed, 357 insertions(+), 1 deletion(-)
 create mode 100644 data/Dockerfiles/policyd/Dockerfile
 create mode 100644 data/Dockerfiles/policyd/files/etc/supervisor/conf.d/apache-2.4.conf
 create mode 100644 data/Dockerfiles/policyd/files/etc/supervisor/conf.d/cbpolicyd.conf
 create mode 100644 data/Dockerfiles/policyd/files/hooks/supervisord-pre.d/50_install_cluebringer_db
 create mode 100644 data/Dockerfiles/policyd/files/hooks/supervisord-pre.d/51_configure_policyd
 create mode 100644 data/Dockerfiles/policyd/files/tmpl/cluebringer/cluebringer-webui.conf
 create mode 100644 data/Dockerfiles/policyd/files/tmpl/cluebringer/cluebringer.conf
 create mode 100644 data/Dockerfiles/policyd/files/var/www/html/.htaccess

diff --git a/data/Dockerfiles/policyd/Dockerfile b/data/Dockerfiles/policyd/Dockerfile
new file mode 100644
index 00000000..3990f9f2
--- /dev/null
+++ b/data/Dockerfiles/policyd/Dockerfile
@@ -0,0 +1,19 @@
+FROM docker.io/1and1internet/ubuntu-16-apache-php-7.1:latest
+ARG DEBIAN_FRONTEND=noninteractive
+COPY files /
+RUN \
+  groupadd cbpolicyd && \
+  useradd -g cbpolicyd cbpolicyd && \
+  apt-get update && \
+  apt-get -o Dpkg::Options::=--force-confdef -y install gettext-base postfix-cluebringer postfix-cluebringer-mysql postfix-cluebringer-webui -y && \
+  apt-get -y clean && \
+  rm -rf /var/lib/apt/lists/* /etc/cluebringer && \
+  mkdir --mode=0775 /etc/cluebringer && \
+  cp /usr/share/doc/postfix-cluebringer/database/policyd-db.mysql.gz /tmp/ && \
+  cp -r /usr/share/postfix-cluebringer-webui/webui/* /var/www/html/ && \
+  gunzip /tmp/policyd-db.mysql.gz && \
+  sed -i -e 's/TYPE=InnoDB/ENGINE=InnoDB/g' /tmp/policyd-db.mysql && \
+  chmod -R 0755 /hooks && \
+  chmod -R 0777 /var/www/html && \
+  chmod 0666 /var/log/cbpolicyd.log
+EXPOSE 10031 8080 8443
diff --git a/data/Dockerfiles/policyd/files/etc/supervisor/conf.d/apache-2.4.conf b/data/Dockerfiles/policyd/files/etc/supervisor/conf.d/apache-2.4.conf
new file mode 100644
index 00000000..d5409158
--- /dev/null
+++ b/data/Dockerfiles/policyd/files/etc/supervisor/conf.d/apache-2.4.conf
@@ -0,0 +1,12 @@
+[program:apache-2.4]
+command=/bin/bash -c "source /etc/apache2/envvars && exec /usr/sbin/apache2 -DFOREGROUND"
+autostart=true
+autorestart=true
+startretries=3
+
+# Redirect output so we can see it using "docker logs"
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+
diff --git a/data/Dockerfiles/policyd/files/etc/supervisor/conf.d/cbpolicyd.conf b/data/Dockerfiles/policyd/files/etc/supervisor/conf.d/cbpolicyd.conf
new file mode 100644
index 00000000..53f78cf7
--- /dev/null
+++ b/data/Dockerfiles/policyd/files/etc/supervisor/conf.d/cbpolicyd.conf
@@ -0,0 +1,12 @@
+[program:cbpolicyd]
+command=/usr/sbin/cbpolicyd --fg --config=/etc/cluebringer/cluebringer.conf
+autostart=true
+autorestart=true
+startretries=3
+
+# Redirect output so we can see it using "docker logs"
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+
diff --git a/data/Dockerfiles/policyd/files/hooks/supervisord-pre.d/50_install_cluebringer_db b/data/Dockerfiles/policyd/files/hooks/supervisord-pre.d/50_install_cluebringer_db
new file mode 100644
index 00000000..4c53f15b
--- /dev/null
+++ b/data/Dockerfiles/policyd/files/hooks/supervisord-pre.d/50_install_cluebringer_db
@@ -0,0 +1,48 @@
+#!/bin/bash
+set -eo pipefail
+
+# Password protect webui
+echo Creating webui user
+echo $WEBUI_PASSWORD | htpasswd -ci /var/www/html/.htpasswd webui
+
+# Checking for DB liveness before continuing with DB set up.
+count=0
+while [ $count -lt 4 ]; do
+  if [[ $(mysql -h$CLUEBRINGER_DB_HOST -uroot -p$MYSQL_ROOT_PASSWORD -e "select 1" &>/dev/null ; echo $?) -ne 0 ]]; then
+    echo "Waiting for DB to be ready."
+    sleep 15
+    let count+=1
+  else
+    echo "DB appears to be ready."
+    break
+  fi
+done
+# Die if DB doesn't come up in time.
+if [ $count -eq 4 ]; then
+  echo "!!!WARNING!!! DB didn't come up in time."
+  exit 0
+fi
+
+# Set up DB if it's empty.
+if [[ $(mysql -N -h$CLUEBRINGER_DB_HOST -uroot -p$MYSQL_ROOT_PASSWORD -e "SELECT COUNT(*) FROM information_schema.tables WHERE table_schema = '$MYSQL_DATABASE';") == 0 ]]; then
+  echo "Setting up cluebringer DB."
+
+  # Set up DB and User
+  if [[ $(mysql -N -h$CLUEBRINGER_DB_HOST -uroot -p$MYSQL_ROOT_PASSWORD -e "create database $MYSQL_DATABASE;use $MYSQL_DATABASE;CREATE USER '$MYSQL_USER'@'%' IDENTIFIED BY '$MYSQL_PASSWORD';GRANT ALL PRIVILEGES ON $MYSQL_DATABASE.* TO '$MYSQL_USER'@'%';") -ne 0 ]]; then
+    echo "Can't create DB and Policyd DB user!"
+    exit 0
+  fi
+
+  # Add our policys from sql if they exist.
+  if [[ -e /tmpl/cluebringer/import/policy.sql ]]; then
+    echo "Importing our configuration."
+    mysql -h$CLUEBRINGER_DB_HOST -u$MYSQL_USER -p$MYSQL_PASSWORD $MYSQL_DATABASE < /tmpl/cluebringer/import/policy.sql
+    echo "Done."
+  else
+    echo "Additional sql configuration no found importing standart configuration."
+    mysql -h$CLUEBRINGER_DB_HOST -u$MYSQL_USER -p$MYSQL_PASSWORD $MYSQL_DATABASE < /tmp/policyd-db.mysql
+  fi
+else
+  echo "Cluebringer DB not empty, exiting."
+  exit 0
+fi
diff --git a/data/Dockerfiles/policyd/files/hooks/supervisord-pre.d/51_configure_policyd b/data/Dockerfiles/policyd/files/hooks/supervisord-pre.d/51_configure_policyd
new file mode 100644
index 00000000..1983b4a5
--- /dev/null
+++ b/data/Dockerfiles/policyd/files/hooks/supervisord-pre.d/51_configure_policyd
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -eu
+
+export DOLLAR=$
+export MYSQL_DATABASE=${MYSQL_DATABASE}
+export MYSQL_USER=${MYSQL_USER}
+export MYSQL_PASSWORD=${MYSQL_PASSWORD}
+export CLUEBRINGER_DB_BACKEND=${CLUEBRINGER_DB_BACKEND}
+export CLUEBRINGER_DB_PORT=${CLUEBRINGER_DB_PORT}
+export CLUEBRINGER_DB_HOST=${CLUEBRINGER_DB_HOST}
+
+envsubst < /tmpl/cluebringer/cluebringer.conf > /etc/cluebringer/cluebringer.conf
+envsubst < /tmpl/cluebringer/cluebringer-webui.conf > /etc/cluebringer/cluebringer-webui.conf
diff --git a/data/Dockerfiles/policyd/files/tmpl/cluebringer/cluebringer-webui.conf b/data/Dockerfiles/policyd/files/tmpl/cluebringer/cluebringer-webui.conf
new file mode 100644
index 00000000..a68f5a61
--- /dev/null
+++ b/data/Dockerfiles/policyd/files/tmpl/cluebringer/cluebringer-webui.conf
@@ -0,0 +1,16 @@
+<?php
+
+# mysql:host=xx;dbname=yyy
+# pgsql:host=xx;dbname=yyy
+# sqlite:////full/unix/path/to/file.db?mode=0666
+#
+#$DB_DSN="sqlite:////tmp/cluebringer.sqlite";
+#$DB_DSN="pgsql:host=xx;dbname=yyy";
+#$DB_DSN="mysql:host=xx;dbname=yyy";
+
+${DOLLAR}DB_DSN="${CLUEBRINGER_DB_BACKEND}:host=${CLUEBRINGER_DB_HOST};dbname=${MYSQL_DATABASE}";
+${DOLLAR}DB_USER="${MYSQL_USER}";
+${DOLLAR}DB_PASS="${MYSQL_PASSWORD}";
+
+
+?>
diff --git a/data/Dockerfiles/policyd/files/tmpl/cluebringer/cluebringer.conf b/data/Dockerfiles/policyd/files/tmpl/cluebringer/cluebringer.conf
new file mode 100644
index 00000000..4686f1e2
--- /dev/null
+++ b/data/Dockerfiles/policyd/files/tmpl/cluebringer/cluebringer.conf
@@ -0,0 +1,192 @@
+#
+# Server configuration
+#
+[server]
+
+# Protocols to load
+protocols=<<EOT
+Postfix
+Bizanga
+EOT
+
+# Modules to load
+modules=<<EOT
+Core
+AccessControl
+CheckHelo
+CheckSPF
+Greylisting
+Quotas
+EOT
+
+# User to run this daemon as
+user=root
+#group=
+
+# Filename to store pid of parent process
+pid_file=/var/run/cluebringer/cbpolicyd.pid
+
+# Uncommenting the below option will prevent cbpolicyd going into the background
+background=no
+
+# Preforking configuration
+#
+# min_server		- Minimum servers to keep around
+# min_spare_servers	- Minimum spare servers to keep around ready to
+# 			  handle requests
+# max_spare_servers	- Maximum spare servers to have around doing nothing
+# max_servers		- Maximum servers alltogether
+# max_requests		- Maximum number of requests each child will serve
+#
+# One may want to use the following as a rough guideline...
+# Small mailserver:  2, 2, 4, 10, 1000
+# Medium mailserver: 4, 4, 12, 25, 1000
+# Large mailserver: 8, 8, 16, 64, 1000
+#
+min_servers=4
+min_spare_servers=4
+max_spare_servers=12
+max_servers=25
+max_requests=1000
+
+
+
+# Log level:
+# 0 - Errors only
+# 1 - Warnings and errors
+# 2 - Notices, warnings, errors
+# 3 - Info, notices, warnings, errors
+# 4 - Debugging
+log_level=4
+
+# File to log to instead of stdout
+log_file=/var/log/cbpolicyd.log
+
+# Log destination for mail logs...
+# main		- Default. Log to policyd's main log mechanism, accepts NO args
+# syslog	- log mail via syslog
+#			format: log_mail=facility@method,args
+#
+# Valid methods for syslog:
+# native	- Let Sys::Syslog decide
+# unix		- Unix socket
+# udp		- UDP socket
+# stream	- Stream (for Solaris)
+#
+# Example: unix native
+#log_mail=mail@syslog:native
+#
+# Example: unix socket
+#log_mail=mail@syslog:unix
+#
+# Example: udp
+#log_mail=mail@syslog:udp,127.0.0.1
+#
+# Example: Solaris
+#log_mail=local0@syslog:stream,/dev/log
+#log_mail=maillog
+log_mail=main
+#mail@syslog:native
+
+# Things to log in extreme detail
+# modules 	- Log detailed module running information
+# tracking 	- Log detailed tracking information
+# policies 	- Log policy resolution
+# protocols 	- Log general protocol info, but detailed
+# bizanga 	- Log the bizanga protocol
+#
+# There is no default for this configuration option. Options can be
+# separated by commas. ie. protocols,modules
+#
+#log_detail=
+
+# IP to listen on, * for all
+host=*
+# host=0.0.0.0
+
+# Port to run on
+port=10031
+
+# Timeout in communication with clients
+#timeout=120
+
+# cidr_allow/cidr_deny
+# Comma, whitespace or semi-colon separated. Contains a CIDR block to
+# compare the clients IP to.  If cidr_allow or cidr_deny options are
+# given, the incoming client must match a cidr_allow and not match a
+# cidr_deny or the client connection will be closed.
+#cidr_allow=0.0.0.0/0
+#cidr_deny=
+
+
+
+[database]
+#DSN=DBI:SQLite:dbname=policyd.sqlite
+#DSN=DBI:mysql:database=policyd;host=localhost
+#DSN=DBI:Pg:database=policyd;host=localhost
+#DSN=DBI:_DBC_DBTYPE_:dbname=_DBC_DBNAME_;host=_DBC_DBSERVER_
+## Debian
+# DB_Type can be one of - pgsql, mysql or sqlite3
+# DB_Host is ignored for sqlite3. For pgsql and mysql it should be left
+#         unset or as 'localhost' if you wish to use unix sockets to communicate
+#         with the database. To use TCP/IP to connect to a local database set
+#         '127.0.0.1' as the value. Otherwise use the hostname or IP address of
+#         the database server.
+# DB_Port is ignored for sqlite3. For pgsql it will default to '5432' and
+#         for mysql the default is '3306'. If you are running your database server
+#         on a non-standard port you should set it's value here.
+# DB_Name defaults to '/var/lib/cluebringer/cluebringer.db' for sqlite3, if you
+#         wish to use another file for the database set it's full path here and
+#         ensure that the cluebringer user can read and write not only the file
+#         but the directory it lives in. For pgsql and mysql this will
+#         default to 'cluebringer', otherwise you should set the name of the
+#         database here.
+
+DSN=DBI:${CLUEBRINGER_DB_BACKEND}:database=${MYSQL_DATABASE};host=${CLUEBRINGER_DB_HOST}
+DB_Type=${CLUEBRINGER_DB_BACKEND}
+DB_Host=${CLUEBRINGER_DB_HOST}
+DB_Port=${CLUEBRINGER_DB_PORT}
+DB_Name=${MYSQL_DATABASE}
+Username=${MYSQL_USER}
+Password=${MYSQL_PASSWORD}
+
+
+# What do we do when we have a database connection problem
+# tempfail	- Return temporary failure
+# pass		- Return success
+bypass_mode=tempfail
+
+# How many seconds before we retry a DB connection
+bypass_timeout=30
+
+
+
+# Access Control module
+[AccessControl]
+enable=1
+
+# Accounting module
+[Accounting]
+enable=1
+
+# Greylisting module
+[Greylisting]
+enable=1
+
+
+# CheckHelo module
+[CheckHelo]
+enable=1
+
+
+# CheckSPF module
+[CheckSPF]
+enable=1
+
+
+# Quotas module
+[Quotas]
+enable=1
+
+
+
diff --git a/data/Dockerfiles/policyd/files/var/www/html/.htaccess b/data/Dockerfiles/policyd/files/var/www/html/.htaccess
new file mode 100644
index 00000000..988ee543
--- /dev/null
+++ b/data/Dockerfiles/policyd/files/var/www/html/.htaccess
@@ -0,0 +1,4 @@
+AuthType Basic
+AuthName "Password Protected Area"
+AuthUserFile /var/www/html/.htpasswd
+Require valid-user
\ No newline at end of file
diff --git a/data/conf/postfix/main.cf b/data/conf/postfix/main.cf
index 83a252d8..dac074a6 100644
--- a/data/conf/postfix/main.cf
+++ b/data/conf/postfix/main.cf
@@ -81,7 +81,7 @@ smtpd_error_sleep_time = 10s
 smtpd_hard_error_limit = ${stress?1}${stress:5}
 smtpd_helo_required = yes
 smtpd_proxy_timeout = 600s
-smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, check_recipient_access proxy:mysql:/opt/postfix/conf/sql/mysql_tls_enforce_in_policy.cf, reject_invalid_helo_hostname, reject_unknown_reverse_client_hostname, reject_unauth_destination
+smtpd_recipient_restrictions = check_policy_service inet:172.22.1.200:10031, permit_mynetworks, permit_sasl_authenticated, check_recipient_access proxy:mysql:/opt/postfix/conf/sql/mysql_tls_enforce_in_policy.cf, reject_invalid_helo_hostname, reject_unknown_reverse_client_hostname, reject_unauth_destination
 smtpd_sasl_auth_enable = yes
 smtpd_sasl_authenticated_header = yes
 smtpd_sasl_path = inet:dovecot:10001
diff --git a/docker-compose.yml b/docker-compose.yml
index f2776bd7..f5e8a551 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -210,6 +210,33 @@ services:
           aliases:
             - dovecot
 
+    policyd-mailcow:
+      hostname: policyd
+      container_name: policyd-mailcow
+      build: ./data/Dockerfiles/policyd
+      image: policyd-mailcow:1.00
+      ports:
+        # - "10031:10031"
+        - "9080:8080"
+        - "9443:8443"
+      user: "1000000"
+      environment:
+        - "SUPERVISORD_LOGLEVEL=${POLICYD_SUPERVISORD_LOGLEVEL:-debug}"
+        - "CLUEBRINGER_DB_HOST=mysql"
+        - "MYSQL_ROOT_PASSWORD=${DBROOT}" 
+        - "MYSQL_DATABASE=${POLICYD_MYSQL_DATABASE:-cluebringer}" 
+        - "MYSQL_USER=${POLICYD_MYSQL_USER:-cluebringer}" 
+        - "MYSQL_PASSWORD=${POLICYD_MYSQL_PASSWORD}" 
+        - "CLUEBRINGER_DB_BACKEND=${POLICYD_DB_BACKEND:-mysql}" 
+        - "CLUEBRINGER_DB_PORT=${INTERNAL_MYSQL_PORT:-3306}" 
+        - "WEBUI_PASSWORD=${POLICYD_WEBUI_PASSWORD}"
+      networks:
+          mailcow-network:
+            ipv4_address: ${IPV4_NETWORK:-172.22.1}.200
+            aliases:
+              - policyd
+
+
     postfix-mailcow:
       image: mailcow/postfix:1.29
       build: ./data/Dockerfiles/postfix
diff --git a/generate_config.sh b/generate_config.sh
index a882ec08..c44fdcb4 100755
--- a/generate_config.sh
+++ b/generate_config.sh
@@ -140,6 +140,18 @@ SIEVE_PORT=4190
 DOVEADM_PORT=127.0.0.1:19991
 SQL_PORT=127.0.0.1:13306
 
+# ------------------------------
+# POLCIYD (Cluebringer) CONFIGURATION
+# ------------------------------
+
+POLICYD_SUPERVISORD_LOGLEVEL=debug
+POLICYD_MYSQL_DATABASE=cluebringer
+POLICYD_MYSQL_USER=cluebringer
+POLICYD_MYSQL_PASSWORD=asnRTXvDtbI8h7naFtB97wNNcoXq
+POLICYD_DB_BACKEND=mysql
+POLICYD_WEBUI_PASSWORD=HPAA297BUcgSYf3AiftHQUjS3KVd
+INTERNAL_MYSQL_PORT=3306
+
 # Your timezone
 
 TZ=${MAILCOW_TZ}