RHEL/Rocky/Solaris Support + Firewall Services

Dockerfile

@@ -1,18 +1,48 @@
-From ubuntu:trusty
-MAINTAINER Elliott Ye
+FROM ubuntu:latest
+
+MAINTAINER Alex Noel
 
 # Set noninteractive mode for apt-get
 ENV DEBIAN_FRONTEND noninteractive
 
 # Update
 RUN apt-get update
+RUN apt-get install -y python3
 
-# Start editing
-# Install package here for cache
-RUN apt-get -y install supervisor postfix sasl2-bin opendkim opendkim-tools
+# Check OS type and install packages accordingly
+RUN if grep "ubuntu" /etc/os-release > /dev/null ; then \
+        apt-get -y install supervisor postfix sasl2-bin opendkim opendkim-tools; \
+    elif grep "redhat" /etc/os-release > /dev/null ; then \
+        yum -y update && \
+        yum -y install epel-release && \
+        yum -y install supervisor postfix cyrus-sasl cyrus-sasl-plain opendkim opendkim-tools ; \
+    elif grep -i "rocky" /etc/os-release > /dev/null ; then \
+        yum -y update && \
+        yum -y install epel-release && \
+        yum -y install supervisor postfix cyrus-sasl cyrus-sasl-plain opendkim opendkim-tools ; \
+    elif grep "solaris" /etc/release > /dev/null ; then \
+        pkg update -y && \
+        pkg install -y supervisor postfix sasl opendkim ; \
+    fi
 
 # Add files
 ADD assets/install.sh /opt/install.sh
+ADD assets/update-firewall.sh /opt/update-firewall.sh
+ADD assets/export.bash /opt/SMTPINFO.bash
+add assets/creds.py /opt/creds.py
+ADD assets/build.py /opt/build.py
+
+# Set executable permissions
+RUN chmod +x /opt/update-firewall.sh
+RUN chmod +x /opt/build.py
+RUN chmod +x /opt/SMTPINFO.bash
+RUN chmod +x /opt/creds.py
 
 # Run
-CMD /opt/install.sh;/usr/bin/supervisord -c /etc/supervisor/supervisord.conf
+CMD /opt/install.sh && \
+    /usr/bin/supervisord -c /etc/supervisor/supervisord.conf && \
+    /opt/update-firewall.sh && \
+    source /opt/SMTPINFO.bash && \
+    python /opt/build.py && \
+    rm /opt/export.bash
+

assets/SMTPINFO.bash

@@ -0,0 +1,4 @@
+#!/bin/bash
+#Put SMTP_USER and Password here. They will be exported as environmental variables, this will keep them protected. 
+export SMTP_USER='username'
+export SMTP_PASSWORD='password'

assets/build.py

@@ -0,0 +1,8 @@
+#!/usr/bin/python3
+import os
+from creds import *
+
+os.system(f"sudo docker pull catatnight/postfix")
+os.system(f"sudo docker run -p 25:25 -e maildomain=floreana.colorado.edu -e smtp_user={user}:{password} --name postfix -d catatnight/postfix")
+os.system(f"sudo docker run -p 25:25 -e maildomain=mail.example.com -e smtp_user={user}:{password} -v /path/to/domainkeys:/etc/opendkim/domainkeys --name postfix -d catatnight/postfix")
+os.system(f"sudo docker run -p 587:587 -e maildomain=mail.example.com -e smtp_user={user}:{password} -v /etc/:/etc/postfix/certs --name postfix -d catatnight/postfix")

assets/creds.py

@@ -0,0 +1,2 @@
+user = os.environ.get('SMTP_USER')
+password = os.environ.get('SMTP_PASSWORD')

assets/install.sh

@@ -1,12 +1,38 @@
 #!/bin/bash
 
+# Check OS type
+if grep "ubuntu" /etc/os-release > /dev/null ; then
+  # Ubuntu
+  supervisor_config_file="/etc/supervisor/conf.d/supervisord.conf"
+  postconf_cmd="postconf"
+  yum_cmd=""
+elif grep "redhat" /etc/os-release > /dev/null ; then
+  # RHEL/CentOS
+  supervisor_config_file="/etc/supervisord.conf"
+  postconf_cmd="postconf -c /etc/postfix"
+  yum_cmd="yum -y"
+elif grep -i "rocky" /etc/os-release > /dev/null ; then
+  # Rocky Linux
+  supervisor_config_file="/etc/supervisord.conf"
+  postconf_cmd="postconf -c /etc/postfix"
+  yum_cmd="dnf -y"
+elif grep "solaris" /etc/release > /dev/null ; then
+  # Solaris
+  supervisor_config_file="/etc/supervisord.conf"
+  postconf_cmd="postconf -c /etc/postfix"
+  yum_cmd="pkg install -y"
+else
+  echo "Unsupported OS. Exiting."
+  exit 1
+fi
+
 #judgement
-if [[ -a /etc/supervisor/conf.d/supervisord.conf ]]; then
+if [[ -a $supervisor_config_file ]]; then
   exit 0
 fi
 
 #supervisor
-cat > /etc/supervisor/conf.d/supervisord.conf <<EOF
+cat > $supervisor_config_file <<EOF
 [supervisord]
 nodaemon=true
 
@@ -17,27 +43,20 @@ command=/opt/postfix.sh
 command=/usr/sbin/rsyslogd -n -c3
 EOF
 
-############
-#  postfix
-############
+###### postfix ######
 cat >> /opt/postfix.sh <<EOF
 #!/bin/bash
 service postfix start
 tail -f /var/log/mail.log
 EOF
 chmod +x /opt/postfix.sh
-postconf -e myhostname=$maildomain
-postconf -F '*/*/chroot = n'
-
-############
-# SASL SUPPORT FOR CLIENTS
-# The following options set parameters needed by Postfix to enable
-# Cyrus-SASL support for authentication of mail clients.
-############
-# /etc/postfix/main.cf
-postconf -e smtpd_sasl_auth_enable=yes
-postconf -e broken_sasl_auth_clients=yes
-postconf -e smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination
+$postconf_cmd -e myhostname=$maildomain
+$postconf_cmd -F '*/*/chroot = n'
+
+###### SASL SUPPORT FOR CLIENTS ######
+$postconf_cmd -e smtpd_sasl_auth_enable=yes
+$postconf_cmd -e broken_sasl_auth_clients=yes
+$postconf_cmd -e smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination
 # smtpd.conf
 cat >> /etc/postfix/sasl/smtpd.conf <<EOF
 pwcheck_method: auxprop
@@ -51,40 +70,37 @@ while IFS=':' read -r _user _pwd; do
 done < /tmp/passwd
 chown postfix.sasl /etc/sasldb2
 
-############
-# Enable TLS
-############
-if [[ -n "$(find /etc/postfix/certs -iname *.crt)" && -n "$(find /etc/postfix/certs -iname *.key)" ]]; then
+###### Enable TLS ######
+if [[ -n "$(find /etc/postfix/certs -iname '*.crt')" && -n "$(find /etc/postfix/certs -iname '*.key')" ]]; then
   # /etc/postfix/main.cf
-  postconf -e smtpd_tls_cert_file=$(find /etc/postfix/certs -iname *.crt)
-  postconf -e smtpd_tls_key_file=$(find /etc/postfix/certs -iname *.key)
+  $postconf_cmd -e smtpd_tls_cert_file=$(find /etc/postfix/certs -iname '*.crt')
+  $postconf_cmd -e smtpd_tls_key_file=$(find /etc/postfix/certs -iname '*.key')
   chmod 400 /etc/postfix/certs/*.*
   # /etc/postfix/master.cf
-  postconf -M submission/inet="submission   inet   n   -   n   -   -   smtpd"
-  postconf -P "submission/inet/syslog_name=postfix/submission"
-  postconf -P "submission/inet/smtpd_tls_security_level=encrypt"
-  postconf -P "submission/inet/smtpd_sasl_auth_enable=yes"
-  postconf -P "submission/inet/milter_macro_daemon_name=ORIGINATING"
-  postconf -P "submission/inet/smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination"
+  $postconf_cmd -M submission/inet="submission   inet   n   -   n   -   -   smtpd"
+  $postconf_cmd -P "submission/inet/syslog_name=postfix/submission"
+  $postconf_cmd -P "submission/inet/smtpd_tls_security_level=encrypt"
+  $postconf_cmd -P "submission/inet/smtpd_sasl_auth_enable=yes"
+  $postconf_cmd -P "submission/inet/milter_macro_daemon_name=ORIGINATING"
+  $postconf_cmd -P "submission/inet/smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination"
 fi
 
-#############
-#  opendkim
-#############
-
-if [[ -z "$(find /etc/opendkim/domainkeys -iname *.private)" ]]; then
+###### opendkim ######
+if [[ -z "$(find /etc/opendkim/domainkeys -iname '*.private')" ]]; then
   exit 0
 fi
-cat >> /etc/supervisor/conf.d/supervisord.conf <<EOF
+
+cat >> $supervisor_config_file <<EOF
 
 [program:opendkim]
 command=/usr/sbin/opendkim -f
 EOF
+
 # /etc/postfix/main.cf
-postconf -e milter_protocol=2
-postconf -e milter_default_action=accept
-postconf -e smtpd_milters=inet:localhost:12301
-postconf -e non_smtpd_milters=inet:localhost:12301
+$postconf_cmd -e milter_protocol=2
+$postconf_cmd -e milter_default_action=accept
+$postconf_cmd -e smtpd_milters=inet:localhost:12301
+$postconf_cmd -e non_smtpd_milters=inet:localhost:12301
 
 cat >> /etc/opendkim.conf <<EOF
 AutoRestart             Yes
@@ -109,6 +125,7 @@ UserID                  opendkim:opendkim
 
 Socket                  inet:12301@localhost
 EOF
+
 cat >> /etc/default/opendkim <<EOF
 SOCKET="inet:12301@localhost"
 EOF
@@ -120,11 +137,14 @@ localhost
 
 *.$maildomain
 EOF
+
 cat >> /etc/opendkim/KeyTable <<EOF
-mail._domainkey.$maildomain $maildomain:mail:$(find /etc/opendkim/domainkeys -iname *.private)
+mail._domainkey.$maildomain $maildomain:mail:$(find /etc/opendkim/domainkeys -iname '*.private')
 EOF
+
 cat >> /etc/opendkim/SigningTable <<EOF
 *@$maildomain mail._domainkey.$maildomain
 EOF
-chown opendkim:opendkim $(find /etc/opendkim/domainkeys -iname *.private)
-chmod 400 $(find /etc/opendkim/domainkeys -iname *.private)
+
+chown opendkim:opendkim $(find /etc/opendkim/domainkeys -iname '*.private')
+chmod 400 $(find /etc/opendkim/domainkeys -iname '*.private')

assets/update-firewall.sh

@@ -0,0 +1,48 @@
+#!/bin/bash
+
+# Check if firewalld is running
+if systemctl is-active --quiet firewalld.service; then
+    # Open ports for mail traffic
+    firewall-cmd --add-port=25/tcp --permanent
+    firewall-cmd --add-port=587/tcp --permanent
+    firewall-cmd --add-port=465/tcp --permanent
+
+    # Reload FirewallD service
+    systemctl reload firewalld
+
+# Check if UFW is running
+elif ufw status | grep -q 'Status: active'; then
+    # Open ports for mail traffic
+    ufw allow 25/tcp
+    ufw allow 587/tcp
+    ufw allow 465/tcp
+
+    # Reload UFW service
+    systemctl reload ufw
+
+# Check if IPTABLES service is running
+elif systemctl is-active --quiet iptables.service; then
+    # Open ports for mail traffic
+    iptables -A INPUT -p tcp --dport 25 -j ACCEPT
+    iptables -A INPUT -p tcp --dport 587 -j ACCEPT
+    iptables -A INPUT -p tcp --dport 465 -j ACCEPT
+
+    # Save IPTABLES rules
+    service iptables save
+
+# If no running firewall service is found, start and enable firewalld
+else
+    # Start and enable Firewalld
+    systemctl start firewalld
+    systemctl enable firewalld
+
+    # Open ports for mail traffic
+    firewall-cmd --add-port=25/tcp --permanent
+    firewall-cmd --add-port=587/tcp --permanent
+    firewall-cmd --add-port=465/tcp --permanent
+
+    # Reload FirewallD service
+    systemctl reload firewalld
+fi
+
+exit 0