Upgrade to debian 12, allow dkim prefix being variable

.github/workflows/docker-publish.yml

@@ -0,0 +1,63 @@
+name: Create and publish a Docker image
+
+on:
+  push:
+  workflow_dispatch:
+
+jobs:
+  build-and-push-image:
+    runs-on: ubuntu-latest
+    if: ${{ !contains(github.event.head_commit.message, '#skip-build') }}
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          registry: docker.io
+          username: ${{ secrets.DOCKER_REGISTRY_USER }}
+          password: ${{ secrets.DOCKER_REGISTRY_PASS }}
+
+      - name: Log in to NETivism Registry
+        uses: docker/login-action@v2
+        with:
+          registry: rg.netivism.com.tw
+          username: ${{ secrets.NETIVISM_REGISTRY_USER }}
+          password: ${{ secrets.NETIVISM_REGISTRY_PASS }}
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v4
+        with:
+          images: |
+            ${{ github.repository }}
+            ghcr.io/${{ github.repository }}
+            rg.netivism.com.tw/${{ github.repository }}
+          tags: |
+            type=schedule
+            type=ref,event=branch
+            type=ref,event=tag
+            type=ref,event=pr
+            type=raw,value=latest,enable={{is_default_branch}}
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v3
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+
+

Dockerfile

@@ -1,4 +1,4 @@
-FROM debian:jessie
+FROM debian:bookworm
 MAINTAINER Jimmy Huang <jimmy@netivism.com.tw>
 
 ENV DEBIAN_FRONTEND noninteractive
@@ -17,8 +17,13 @@ ADD container/supervisord.conf /etc/supervisor/conf.d/supervisord.conf
 ADD container/init.sh /init.sh
 ADD container/regenpasswd.sh /usr/local/bin/regenpasswd.sh
 ADD container/regenpasswd.sh /usr/local/bin/removemail.sh
+ADD container/pqueue /usr/local/bin/pqueue
+
 RUN chmod +x /init.sh
 RUN chmod +x /usr/local/bin/regenpasswd.sh
 RUN chmod +x /usr/local/bin/removemail.sh
+RUN chmod +x /usr/local/bin/pqueue
+
+RUN sed -i 's/^mydestination = \$myhostname,/mydestination =/g' /etc/postfix/main.cf
 
 CMD ["/usr/bin/supervisord"]

container/init.sh

@@ -7,6 +7,12 @@ elif [ "$FQDN" = "1" ]
 then
   mailname=$(hostname -f)
 fi
+if [ -n "$DKIM_PREFIX" ]
+then
+  dkimp=$DKIM_PREFIX
+else
+  dkimp="mail"
+fi
 
 if [ -f /etc/dovecot/passwd ]; then
   rm -f /etc/dovecot/passwd
@@ -30,55 +36,62 @@ test -f /etc/opendkim/TrustedHosts || touch /etc/opendkim/TrustedHosts
 test -f /etc/opendkim/KeyTable || touch /etc/opendkim/KeyTable
 test -f /etc/opendkim/SigningTable || touch /etc/opendkim/SigningTable
 
-postconf -e 'milter_protocol = 2'
-postconf -e 'milter_default_action = accept'
-postconf -e 'smtpd_milters = inet:127.0.0.1:12301'
-postconf -e 'inet_protocols = ipv4'
-postconf -e 'non_smtpd_milters = $smtpd_milters'
-postconf -e 'virtual_mailbox_domains = /etc/postfix/vhosts'
-postconf -e 'virtual_mailbox_base = /home/vmail'
-postconf -e 'virtual_mailbox_maps = hash:/etc/postfix/vmaps'
-postconf -e 'transport_maps = hash:/etc/postfix/transport'
-postconf -e 'smtpd_tls_key_file = /etc/ssl/private/postfix.pem'
-postconf -e 'smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem'
-postconf -e 'virtual_minimum_uid = 1000'
-postconf -e 'virtual_uid_maps = static:5000'
-postconf -e 'virtual_gid_maps = static:5000'
-postconf -e 'smtpd_helo_required = yes'
-postconf -e 'smtpd_sasl_auth_enable = yes'
-postconf -e 'smtpd_sasl_security_options = noanonymous'
-postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination'
-postconf -e 'smtpd_sasl_type = dovecot'
-postconf -e 'smtpd_sasl_path = private/auth'
-postconf -e 'smtpd_tls_auth_only = no'
-postconf -e 'smtpd_sasl_authenticated_header = yes'
-postconf -e 'smtp_tls_security_level = may'
-postconf -e 'smtpd_tls_security_level = may'
-postconf -e 'smtp_use_tls = yes'
-postconf -e 'local_recipient_maps ='
-postconf -e 'smtpd_use_tls = yes'
-postconf -e 'smtp_tls_note_starttls_offer = yes'
-postconf -e 'smtpd_tls_loglevel = 1'
-postconf -e 'smtpd_tls_received_header = yes'
-postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
-postconf -e 'tls_random_source = dev:/dev/urandom'
-postconf -e 'smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3'
-postconf -e 'maximal_queue_lifetime = 5d'
-postconf -e 'maximal_backoff_time = 12h'
-postconf -e 'minimal_backoff_time = 4h'
-postconf -e 'queue_run_delay = 4h'
-postconf -e 'fast_destination_concurrency_limit = 5'
-postconf -e 'fast_destination_rate_delay = 0'
-postconf -e 'fast_destination_recipient_limit = 1'
-postconf -e 'smtp_destination_concurrency_limit = 1'
-postconf -e 'smtp_destination_rate_delay = 3s'
-postconf -e 'smtp_destination_recipient_limit = 1'
-postconf -e 'turtle_destination_concurrency_limit = 1'
-postconf -e 'turtle_destination_rate_delay = 10s'
-postconf -e 'turtle_destination_recipient_limit = 1'
-
-
-echo -e 'SOCKET="inet:12301@localhost"\n' > /etc/default/opendkim
+if [ -f "/home/vmail/postfix-main.cf" ]; then
+  cp -f /etc/postfix/main.cf /etc/postfix/main.cf.origin
+  cp -f /home/vmail/postfix-main.cf /etc/postfix/main.cf
+else
+  postconf -e 'milter_protocol = 2'
+  postconf -e 'milter_default_action = accept'
+  postconf -e 'smtpd_milters = unix:/var/run/opendkim/opendkim.sock'
+  postconf -e 'inet_protocols = ipv4'
+  postconf -e 'non_smtpd_milters = $smtpd_milters'
+  postconf -e 'virtual_mailbox_domains = /etc/postfix/vhosts'
+  postconf -e 'virtual_mailbox_base = /home/vmail'
+  postconf -e 'virtual_mailbox_maps = hash:/etc/postfix/vmaps'
+  postconf -e 'transport_maps = hash:/etc/postfix/transport'
+  postconf -e 'smtpd_tls_key_file = /etc/ssl/private/postfix.pem'
+  postconf -e 'smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem'
+  postconf -e 'virtual_minimum_uid = 1000'
+  postconf -e 'virtual_uid_maps = static:5000'
+  postconf -e 'virtual_gid_maps = static:5000'
+  postconf -e 'smtpd_helo_required = yes'
+  postconf -e 'smtpd_sasl_auth_enable = yes'
+  postconf -e 'smtpd_sasl_security_options = noanonymous'
+  postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination'
+  postconf -e 'smtpd_sasl_type = dovecot'
+  postconf -e 'smtpd_sasl_path = private/auth'
+  postconf -e 'smtpd_tls_auth_only = no'
+  postconf -e 'smtpd_sasl_authenticated_header = yes'
+  postconf -e 'smtp_tls_security_level = may'
+  postconf -e 'smtpd_tls_security_level = may'
+  postconf -e 'smtp_use_tls = yes'
+  postconf -e 'local_recipient_maps ='
+  postconf -e 'smtpd_use_tls = yes'
+  postconf -e 'smtp_tls_note_starttls_offer = yes'
+  postconf -e 'smtpd_tls_loglevel = 1'
+  postconf -e 'smtpd_tls_received_header = yes'
+  postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
+  postconf -e 'tls_random_source = dev:/dev/urandom'
+  postconf -e 'smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3'
+  postconf -e 'maximal_queue_lifetime = 1d'
+  postconf -e 'bounce_queue_lifetime = 12h'
+  postconf -e 'maximal_backoff_time = 12h'
+  postconf -e 'minimal_backoff_time = 9h'
+  postconf -e 'queue_run_delay = 9h'
+  postconf -e 'qmgr_message_active_limit = 40000'
+  postconf -e 'qmgr_message_recipient_limit = 40000'
+  postconf -e 'fast_destination_concurrency_limit = 5'
+  postconf -e 'fast_destination_rate_delay = 0'
+  postconf -e 'fast_destination_recipient_limit = 2'
+  postconf -e 'smtp_destination_concurrency_limit = 1'
+  postconf -e 'smtp_destination_rate_delay = 3s'
+  postconf -e 'smtp_destination_recipient_limit = 2'
+  postconf -e 'turtle_destination_concurrency_limit = 1'
+  postconf -e 'turtle_destination_rate_delay = 60s'
+  postconf -e 'turtle_destination_recipient_limit = 2'
+  postconf -e 'compatibility_level = 3'
+fi
+
 echo -e '' > /home/vmail/tmp/vmail_dkim
 if [ -z "$MAILADDR" ]; then
   mailaddr=`cat /home/vmail/mailaddr`
@@ -107,16 +120,23 @@ if [ -n "$mailaddr" ]; then
 
     dkim="/etc/opendkim/keys/$domain"
 
-    if [[ ! -d $dkim ]]
+    if [[ -f "/etc/opendkim/globalkey.private" ]]
+    then
+      chown opendkim:opendkim /etc/opendkim/globalkey.private
+      chmod 600 /etc/opendkim/globalkey.private
+      grep -qF "$domain" /etc/opendkim/TrustedHosts || echo -e "127.0.0.1\nlocalhost\n192.168.0.1/24\n*.$domain" >> /etc/opendkim/TrustedHosts
+      grep -qF "*@$domain $dkimp._domainkey.$domain" /etc/opendkim/SigningTable || echo -e "*@$domain $dkimp._domainkey.$domain\n$(cat /etc/opendkim/SigningTable)" > /etc/opendkim/SigningTable
+      grep -qF "$dkimp._domainkey.$domain $domain:$dkimp:/etc/opendkim/globalkey.private" /etc/opendkim/KeyTable || echo "$dkimp._domainkey.$domain $domain:$dkimp:/etc/opendkim/globalkey.private" >> /etc/opendkim/KeyTable
+    elif [[ ! -d $dkim ]]
     then
       # echo "Creating OpenDKIM folder $dkim"
       mkdir -p $dkim
-      cd $dkim && opendkim-genkey -s mail -d $domain
+      cd $dkim && opendkim-genkey -s $dkimp -d $domain
       chown -R opendkim:opendkim /etc/opendkim/keys/
       echo -e "127.0.0.1\nlocalhost\n192.168.0.1/24\n*.$domain" >> /etc/opendkim/TrustedHosts
-      echo "*@$domain mail._domainkey.$domain" >> /etc/opendkim/SigningTable
-      echo "mail._domainkey.$domain $domain:mail:$dkim/mail.private" >> /etc/opendkim/KeyTable
-      cat "$dkim/mail.txt" > /home/vmail/tmp/vmail_dkim
+      echo "*@$domain $dkimp._domainkey.$domain" >> /etc/opendkim/SigningTable
+      echo "$dkimp._domainkey.$domain $domain:$dkimp:$dkim/$dkimp.private" >> /etc/opendkim/KeyTable
+      cat "$dkim/$dkimp.txt" > /home/vmail/tmp/vmail_dkim
     fi
 
     # maildirmake.dovecot does only chown on user directory, we'll create domain directory instead
@@ -197,14 +217,16 @@ then
 fi
 
 
-ps aux | grep "[u]sr/lib/postfix/master" | awk '{ print $2 }' | xargs kill
-ps aux | grep "[u]sr/sbin/opendkim" | awk '{ print $2 }' | xargs kill
-ps aux | grep "[u]sr/sbin/dovecot" | awk '{ print $2 }' | xargs kill
+/etc/init.d/postfix stop
+/etc/init.d/opendkim stop
+ps aux | grep "postfix\/sbin\/master" | awk '{ print $2 }' | xargs kill
+ps aux | grep "bin\/opendkim" | awk '{ print $2 }' | xargs kill
+ps aux | grep "bin\/dovecot" | awk '{ print $2 }' | xargs kill
 chown -R opendkim:opendkim /etc/opendkim/keys
 rm -f /var/run/dovecot/master.pid
 
 sleep 5
 
-service postfix restart
-service opendkim restart
+/etc/init.d/postfix start
+/etc/init.d/opendkim start 
 /usr/sbin/dovecot -c /etc/dovecot/dovecot.conf -F

container/pqueue

@@ -0,0 +1,33 @@
+#!/usr/bin/env perl
+
+# postfix queue/s size
+# author: 
+# source: http://tech.groups.yahoo.com/group/postfix-users/message/255133
+
+use strict;
+use warnings;
+use Symbol;
+sub count {
+        my ($dir) = @_;
+        my $dh = gensym();
+        my $c = 0;
+        opendir($dh, $dir) or die "$0: opendir: $dir: $!\n";
+        while (my $f = readdir($dh)) {
+                if ($f =~ m{^[A-F0-9]{5,}$}) {
+                        ++$c;
+                } elsif ($f =~ m{^[A-F0-9]$}) {
+                        $c += count("$dir/$f");
+                }
+        }
+        closedir($dh) or die "closedir: $dir: $!\n";
+        return $c;
+}
+my $qdir = `postconf -h queue_directory`;
+chomp($qdir);
+chdir($qdir) or die "$0: chdir: $qdir: $!\n";
+printf "Incoming: %d\n", count("incoming");
+printf "Active: %d\n", count("active");
+printf "Deferred: %d\n", count("deferred");
+printf "Bounced: %d\n", count("bounce");
+printf "Hold: %d\n", count("hold");
+printf "Corrupt: %d\n", count("corrupt");

docker-start.sh

@@ -1,22 +1,20 @@
 #!/bin/sh
-docker pull jimyhuang/docker-postfix-dovecot
+#docker pull rg.netivism.com.tw/netivism/docker-postfix-dovecot:develop
 docker stop dovecot
 docker rm dovecot
 docker run \
-    -dit --name dovecot \
-    -p 993:993 \
-    -p 587:587 \
-    -p 25:25 \
-    -p 2525:2525 \
-    -p 465:465 \
-    -e MAILNAME="static.jimmyhub.net" \
-    -e MAILADDR="testa@static.jimmyhub.net;testb@static.jimmyhub.net" \
-    -v /etc/postfix \
-    -v /etc/ssl \
-    -v /var/vmail/opendkim:/etc/opendkim \
-    -v /etc/dovecot \
+    -d --name dovecot \
+    -p 30993:993 \
+    -p 30587:587 \
+    -p 30025:25 \
+    -p 32525:2525 \
+    -p 30465:465 \
     -v /var/vmail:/home/vmail \
     -v /var/vmail/log:/var/log \
-    jimyhuang/docker-postfix-dovecot \
-    /init.sh
+    -v /var/vmail/opendkim:/etc/opendkim \
+    -v /var/vmail/opendkim.conf:/etc/opendkim.conf \
+    -e "MAILNAME=test.netivism.com.tw" \
+    -e "TZ=Asia/Taipei" \
+    -e "DKIM_PREFIX=netimx" \
+    rg.netivism.com.tw/netivism/docker-postfix-dovecot:develop
 docker logs -f dovecot

dovecot/dovecot.conf

@@ -1,7 +1,7 @@
 auth_mechanisms = plain login
 auth_verbose = yes
 ssl = required
-ssl_protocols = !SSLv2 !SSLv3
+ssl_min_protocol = TLSv1.2
 ssl_key = </etc/ssl/private/dovecot.pem
 ssl_cert = </etc/ssl/certs/dovecot.pem
 disable_plaintext_auth = yes

opendkim/opendkim.conf

@@ -1,6 +1,6 @@
 AutoRestart             Yes
 AutoRestartRate         10/1h
-UMask                   002
+UMask                   007
 Syslog                  yes
 SyslogSuccess           Yes
 LogWhy                  Yes
@@ -18,7 +18,6 @@ Mode                    sv
 PidFile                 /var/run/opendkim/opendkim.pid
 SignatureAlgorithm      rsa-sha256
 SenderHeaders           Sender,Reply-To,From
+UserID                  opendkim
 
-UserID                  opendkim:opendkim
-
-Socket                  inet:12301@localhost
+Socket			local:/var/run/opendkim/opendkim.sock

postfix/transport

@@ -58,4 +58,7 @@ msn.com         turtle:
 passport.com    turtle:
 passport.net    turtle:
 
+# icloud.com
+icloud.com      turtle:
+
 gmail.com       fast: