Fixes #1875 - Add Nginx SMTP dummy

bwbroersma · bwbroersma · commit 387d7acdf76b · 2025-10-03T22:56:17.000+02:00
diff --git a/docker/batch-test.env b/docker/batch-test.env
@@ -81,6 +81,8 @@ WEBSERVER_PORT=80
 WEBSERVER_PORT_TLS=443
 WEBSERVER_PORT_IPV6=8080
 WEBSERVER_PORT_IPV6_TLS=4443
+SMTPSERVER_PORT=25
+SMTPSERVER_PORT_IPV6=2525
 UNBOUND_PORT_TCP=53/tcp
 UNBOUND_PORT_UDP=53/udp
 # use fake port numbers here so we don't end up with duplicates in the compose file which causes an error
diff --git a/docker/build.env b/docker/build.env
@@ -8,6 +8,8 @@ COMPOSE_PROFILES=monitoring,routinator,run-tests
 # don't expose HTTP(S) and DNS ports to the outside, this also causes issues due to being privileged ports
 WEBSERVER_PORT=80
 WEBSERVER_PORT_TLS=443
+SMTPSERVER_PORT=25
+SMTPSERVER_PORT_IPV6=2525
 UNBOUND_PORT_TCP=53/tcp
 UNBOUND_PORT_UDP=53/udp
 # use fake port numbers here so we don't end up with duplicates in the compose file which causes an error
diff --git a/docker/compose.yaml b/docker/compose.yaml
@@ -27,6 +27,8 @@ services:
       - $WEBSERVER_PORT_IPV6/tcp
       - $WEBSERVER_PORT_IPV6_TLS/tcp
       - $WEBSERVER_PORT_IPV6_TLS/udp
+      - $SMTPSERVER_PORT
+      - $SMTPSERVER_PORT_IPV6
 
     environment:
       - INTERNETNL_DOMAINNAME
diff --git a/docker/defaults.env b/docker/defaults.env
@@ -172,6 +172,8 @@ WEBSERVER_PORT=0.0.0.0:80:80
 WEBSERVER_PORT_TLS=0.0.0.0:443:443
 WEBSERVER_PORT_IPV6=::0:80:80
 WEBSERVER_PORT_IPV6_TLS=::0:443:443
+SMTPSERVER_PORT=0.0.0.0:25:25
+SMTPSERVER_PORT_IPV6=::0:25:25
 UNBOUND_PORT_TCP=0.0.0.0:53:53/tcp
 UNBOUND_PORT_UDP=0.0.0.0:53:53/udp
 UNBOUND_PORT_IPV6_TCP=::0:53:53/tcp
diff --git a/docker/develop.env b/docker/develop.env
@@ -49,6 +49,8 @@ WEBSERVER_PORT=80
 WEBSERVER_PORT_TLS=443
 WEBSERVER_PORT_IPV6=8080
 WEBSERVER_PORT_IPV6_TLS=4443
+SMTPSERVER_PORT=25
+SMTPSERVER_PORT_IPV6=2525
 UNBOUND_PORT_TCP=53/tcp
 UNBOUND_PORT_UDP=53/udp
 # use fake port numbers here so we don't end up with duplicates in the compose file which causes an error
diff --git a/docker/host-multi-dist.env b/docker/host-multi-dist.env
@@ -35,6 +35,9 @@ WEBSERVER_PORT_TLS=$IPV4_IP_PUBLIC:443:443
 WEBSERVER_PORT_IPV6=$IPV6_IP_PUBLIC:80:80
 WEBSERVER_PORT_IPV6_TLS=[$IPV6_IP_PUBLIC]:443:443
 
+SMTPSERVER_PORT=$IPV4_IP_PUBLIC:25:25
+SMTPSERVER_PORT_IPV6=[$IPV6_IP_PUBLIC]:25:25
+
 IPV4_SUBNET_PUBLIC=$IPV4_SUBNET_PUBLIC
 IPV4_SUBNET_INTERNAL=$IPV4_SUBNET_INTERNAL
 
diff --git a/docker/test.env b/docker/test.env
@@ -80,6 +80,8 @@ WEBSERVER_PORT=80
 WEBSERVER_PORT_TLS=443
 WEBSERVER_PORT_IPV6=8080
 WEBSERVER_PORT_IPV6_TLS=4443
+SMTPSERVER_PORT=25
+SMTPSERVER_PORT_IPV6=2525
 UNBOUND_PORT_TCP=53/tcp
 UNBOUND_PORT_UDP=53/udp
 # use fake port numbers here so we don't end up with duplicates in the compose file which causes an error
diff --git a/docker/webserver.Dockerfile b/docker/webserver.Dockerfile
@@ -20,6 +20,7 @@ RUN mkdir -p /etc/nginx/htpasswd/
 RUN touch /etc/nginx/htpasswd/monitoring.htpasswd
 
 COPY docker/webserver/10-variables.envsh /docker-entrypoint.d/
+COPY docker/webserver/40-add-mail-include.sh /docker-entrypoint.d/
 COPY docker/webserver/tls_init.sh /docker-entrypoint.d/
 COPY docker/webserver/authentication.sh /docker-entrypoint.d/
 COPY docker/webserver/generate_quic_host_key.sh /docker-entrypoint.d/
diff --git a/docker/webserver/40-add-mail-include.sh b/docker/webserver/40-add-mail-include.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+set -eu
+
+LC_ALL=C
+ME=$(basename "$0")
+PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+touch /etc/nginx/nginx.conf 2>/dev/null || { echo >&2 "$ME: error: can not modify /etc/nginx/nginx.conf (read-only file system?)"; exit 0; }
+
+sed -i -r -z 's@(\}\n)$@\1# Added by '"$ME"' on '"$(date)"'\nmail {\n    include conf.d/*.mail-conf;\n}\n@' /etc/nginx/nginx.conf
diff --git a/docker/webserver/nginx_templates/smtp.mail-conf.template b/docker/webserver/nginx_templates/smtp.mail-conf.template
@@ -0,0 +1,16 @@
+server_name ${SMTP_EHLO_DOMAIN};
+auth_http http://127.0.0.1:9090/;
+
+starttls only;
+
+include conf.d/letsencrypt.conf;
+
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
+
+server {
+    listen        25;
+    listen   [::]:25;
+    protocol smtp;
+    smtp_capabilities "SIZE 1099511627776" ENHANCEDSTATUSCODES 8BITMIME DSN SMTPUTF8 REQUIRETLS;
+}
diff --git a/docker/webserver/nginx_templates/smtp_auth_http.conf.template b/docker/webserver/nginx_templates/smtp_auth_http.conf.template
@@ -0,0 +1,11 @@
+# for mail auth_http
+server {
+    listen 127.0.0.1:9090;
+    location / {
+        default_type text/plain;
+        add_header Auth-Status "Login not supported since this is a dummy nginx smtp handler";
+        add_header Auth-Error-Code "550 5.3.5";
+        add_header Auth-Wait 1;
+        return 200;
+    }
+}
diff --git a/documentation/Docker-multi-deployment.md b/documentation/Docker-multi-deployment.md
@@ -37,6 +37,8 @@ Add the following lines to `docker/host.env` and change the IP's to the public I
     WEBSERVER_PORT_TLS=192.0.2.2:443:443
     WEBSERVER_PORT_IPV6=[2001:db8:1::2]:80:80/tcp
     WEBSERVER_PORT_IPV6_TLS=[2001:db8:1::2]:443:443/tcp
+    SMTPSERVER_PORT=192.0.2.2:25:25
+    SMTPSERVER_PORT_IPV6=[2001:db8:1::2]:25:25
 
 ## Adding a new instance
 
@@ -52,7 +54,7 @@ Modify the `docker/host.env` file with the following steps:
 - Update `ALLOWED_HOSTS` and `CSP_DEFAULT_SRC` values to the new domain name (eg: `dev2.example.com`)
 - Change `IPV4_IP_PUBLIC`, `IPV6_IP_PUBLIC`, `IPV6_TEST_ADDR` to the public IPv4/IPv6 addresses specific for this instance
 - Update `UNBOUND_PORT_TCP`, `UNBOUND_PORT_UDP`, `UNBOUND_PORT_IPV6_TCP` and `UNBOUND_PORT_IPV6_UDP` to the public IPv4/IPv6 addresses for this instance
-- Add `WEBSERVER_PORT`, `WEBSERVER_PORT_TLS`, `WEBSERVER_PORT_IPV6`, `WEBSERVER_PORT_IPV6_TLS` with the public IPv4/IPv6 addresses for this instance and the respective ports
+- Add `WEBSERVER_PORT`, `WEBSERVER_PORT_TLS`, `WEBSERVER_PORT_IPV6`, `WEBSERVER_PORT_IPV6_TLS`, `SMTPSERVER_PORT`, `SMTPSERVER_PORT_IPV6` with the public IPv4/IPv6 addresses for this instance and the respective ports
 - Add `IPV4_SUBNET_PUBLIC`, `IPV4_SUBNET_INTERNAL`, `IPV6_SUBNET_PUBLIC` and `IPV6_GATEWAY_PUBLIC` with unique subnet/address from private address space, this should not conflict with the existing instances. Suggested is to iterate over subnets for the existing instance (`172.16.42.0/24`, `192.168.42.0/24`, `fd00:42:1::/48`, `fd00:42:1::1`) so the first ones would become: `172.16.43.0/24`, `192.168.43.0/24`, `fd00:43:1::/48` and `fd00:43:1::1`.
 - Add a `ROUTINATOR_URL` with a URL to the first instance routinator proxy endpoint, so the extra instances don't have to run a resource heavy extra routinator, eg: `https://example.com/routinator/api/v1/validity`. This also requires removing the `routinator` entry from `COMPOSE_PROFILES` on the extra instance.
 - Add `INTERNETNL_INSTALL_BASE` with the path to the new instance directory, eg: `/opt/Internet.nl-dev2`
