`HEALTHCHECK` instruction has been added to `Dockerfile`. This should
allow `docker-compose` installations to monitor and restart the
container if necessary.
Kubernetes deployment healthcheck has been tweaked a bit to better
validate that the server is actually running.
This is the initial commit of the helm chart.
TO-DO:
* write usage documentation
* add job which will automatically add the chart to `gh-pages` on
creating a new release
The postfix configuration was a bit too permissive with `mynetworks`.
This commit:
- adds `reject` at the end of `*restrictions` list
- adds tests for this feature
Private keys generated with `DKIM_AUTOGENERATE` were created with
the root account and as such were not readable by OpenDKIM.
This fix will reown the created files to the `opendkim` user.
While quite annoying behaviour, this is how `postconf` works.
If you tell it to comment out a command, it will add it to the config
even when the same command exists commented out in the config file.
This commit does a bit of sed and grep magic to find if the comment
already exists and if yes, then it does nothing.
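
The "check first, then do nothing" logic described in the commit message above, as an added example that is not the project's own script. The function names `param_state` and `comment_out_param` are hypothetical, the sample config in any run is constructed, and `awk` stands in for the `postconf` call so the block runs without Postfix installed.

```shell
#!/bin/sh
# Added example, not the project's script. Function names are hypothetical.
# awk stands in for the postconf call so the block runs without Postfix.

# Print "active", "commented" or "absent" for parameter $2 in main.cf-style file $1.
param_state() {
    if grep -Eq "^$2[[:space:]]*=" "$1"; then
        echo active
    elif grep -Eq "^#[[:space:]]*$2[[:space:]]*=" "$1"; then
        echo commented
    else
        echo absent
    fi
}

# Comment out parameter $2 in file $1.
# Does nothing when the parameter is already commented out or absent,
# so repeated container starts never pile up duplicate "#name = ..." lines.
comment_out_param() {
    file=$1 name=$2
    # The name ends up inside regular expressions, so accept only [A-Za-z0-9_].
    case $name in
        ''|*[!A-Za-z0-9_]*) echo "invalid parameter name: $name" >&2; return 2 ;;
    esac
    [ "$(param_state "$file" "$name")" = active ] || return 0
    tmp=$(mktemp) || return 1
    # Comment the parameter line and its continuation lines (lines that start
    # with whitespace); otherwise the leftover values would attach to the
    # previous parameter. Blank and comment lines inside the value pass through.
    awk -v name="$name" '
        $0 ~ "^" name "[ \t]*="      { in_param = 1; print "#" $0; next }
        in_param && /^[ \t]+[^ \t#]/ { print "#" $0; next }
        /^[^ \t#]/                   { in_param = 0 }
        { print }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```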
Apparently using sleep with very large numbers is not a good idea
when your image can be compiled down to 32-bit platforms.
This fix uses `sleep infinity` and -- failing that -- tries to
sleep for about 68 years (which is exactly 2^15 seconds).
- It's now possible to choose the logging type - either 'plain' or
'json'
- The code is ready to support multiple integration tests (with
different configurations)
- `OPENDKIM_` and `POSTFIX_` variables are handled properly and recorded
in the corresponding files. (This had a downfall that `bash` now needs
to be installed, so we can probably simplify some of the shell
scripts.)
Summary
^^^^^^^
This commit refactors the code base to be more manageable and
prepares the groundwork for tests.
Refactoring
^^^^^^^^^^^
Files are now moved to subdirectories, all for the sole purpose of
easier management. Tests live in their own folders, as well as configs
and other files.
Test framework
^^^^^^^^^^^^^^
Two new important scripts/directories are available:
- `unit-tests.sh` / `/unit-test` which executes unit tests across shell
scripts, and
- `integration-test.sh` / `integration-tests`, which spins up the
container and tries to send the email.
Both tests use the [BATS](https://github.com/sstephenson/bats) framework
for testing. To create a new test, simply drop a `.bats` file into a
corresponding directory.
Functions have been extracted into `common-run.sh`, to be able to test
them independently.
DKIM_SELECTOR
^^^^^^^^^^^^^
It is now possible to specify a DKIM selector to use (instead of
the default "mail"). See `README.md` for more details.
JSON logging
^^^^^^^^^^^^
WIP: rsyslog will now output JSON logs. This is especially important
if you plan on deploying the image into Kubernetes, as [Prometheus](https://prometheus.io/)
can handle logs in JSON much easier.
TODO: Make this an optional feature, to not confuse existing users.
Expand the `README.md` a bit to better explain what's needed to get the server up and running.
It seems that a lot of users are trying to use this image and running into issues. This should help out a bit to get them started.
* Support multiple alpine versions in Dockerfile
Add an ARG to the Dockerfile to support passing in build-args when
running docker build to support different alpine base image versions.
* Create push.sh script for managing image updates
The push.sh script supports passing multiple alpine tags which will then
be built, tagged, and pushed to docker hub
Use case is being able to reuse the common methods when extending the image so that the behavior is consistent (e.g: same formatting for log messages) without needing to repeat the code while extending.
This PR allows setting an empty `ALLOWED_SENDER_DOMAINS` variable. The default behaviour remains the same (empty `ALLOWED_SENDER_DOMAINS` will throw an error), but it is possible to override this behaviour via a new variable `ALLOW_EMPTY_SENDER_DOMAINS`.
By default OpenDKIM will sign just `From`, `To`, `Sender`,
`Subject` and `Date`.
It makes sense to also sign other headers (especially `Reply-To`)
to make sure nobody fiddles with the email.
Having very specific `TrustedHosts` has turned out to be more of a
hassle than a benefit in the end.
Since the service is running on `localhost` either way, there's no
theoretical way for anybody else to access the service. Hence we
just set all hosts (`0.0.0.0/0`) to trusted, reduce the LOC and
call it a day.
Important note: DKIM segment is hardcoded to "mail" in the
configuration.
You shouldn't be using any other segment name.
If you don't know what that means: DKIM checks your DNS server
for this segment name by querying `<segment>._domainkey.<domain>`.
So, when saying you need to use the `mail` segment this means that
the record *must* reside under `mail._domainkey.<domain>`.