Merge pull request #169 from crazy-max/smtp-sidecar

drop ssmtp support and switch to sidecar container with msmtpd
crazy-max · Dec 24, 2024 · 95ec49c · 95ec49c
2 parents 27d1a9e + 8b38efa
commit 95ec49c
Show file tree

Hide file tree

Showing 8 changed files with 64 additions and 90 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -3,7 +3,7 @@
 ARG FAIL2BAN_VERSION=1.1.0
 ARG ALPINE_VERSION=3.21
 
-FROM scratch AS src
+FROM --platform=$BUILDPLATFORM scratch AS src
 ARG FAIL2BAN_VERSION
 ADD "https://github.com/fail2ban/fail2ban.git#${FAIL2BAN_VERSION}" .
 
@@ -22,7 +22,6 @@ RUN --mount=from=src,target=/tmp/fail2ban,rw \
     python3 \
     py3-dnspython \
     py3-inotify \
-    ssmtp \
     tzdata \
     wget \
     whois \

diff --git a/README.md b/README.md
@@ -35,6 +35,7 @@ ___
   * [Use fail2ban-client](#use-fail2ban-client)
   * [Global jail configuration](#global-jail-configuration)
   * [Custom jails, actions and filters](#custom-jails-actions-and-filters)
+  * [Sending email using a sidecar container](#sending-email-using-a-sidecar-container)
 * [Contributing](#contributing)
 * [License](#license)
 
@@ -81,17 +82,6 @@ linux/s390x
 * `F2B_LOG_LEVEL`: Log level output (default `INFO`)
 * `F2B_DB_PURGE_AGE`: Age at which bans should be purged from the database (default `1d`)
 * `IPTABLES_MODE`: Choose between iptables `nft` or `legacy` mode. (default `auto`)
-* `SSMTP_HOST`: SMTP server host
-* `SSMTP_PORT`: SMTP server port (default `25`)
-* `SSMTP_HOSTNAME`: Full hostname (default `$(hostname -f)`)
-* `SSMTP_USER`: SMTP username
-* `SSMTP_PASSWORD`: SMTP password
-* `SSMTP_TLS`: Use TLS to talk to the SMTP server (default `NO`)
-* `SSMTP_STARTTLS`: Specifies whether ssmtp does a EHLO/STARTTLS before starting SSL negotiation (default `NO`)
-
-> [!NOTE] 
-> `SSMTP_PASSWORD_FILE` can be used to fill in the value from a file, especially
-> for Docker's secrets feature.
 
 ## Volumes
 
@@ -180,34 +170,27 @@ through the container. Here is an example if you want to ban an IP manually:
 
 ```console
 $ docker exec -t <CONTAINER> fail2ban-client set <JAIL> banip <IP>
-``` 
+```
 
 ### Global jail configuration
 
 You can provide customizations in `/data/jail.d/*.local` files.
 
-For example to change the default bantime for all jails, send an e-mail with
-whois report and relevant log lines to the destemail:
+For example, to change the default bantime for all jails:
 
 ```text
 [DEFAULT]
 bantime = 1h
-destemail = root@localhost
-sender = root@$(hostname -f)
-action = %(action_mwl)s
 ```
 
-> [!WARNING]
-> If you want email to be sent after a ban, you have to configure SSMTP env vars
-
-FYI, here is the order *jail* configuration would be loaded:
-
-```text
-jail.conf
-jail.d/*.conf (in alphabetical order)
-jail.local
-jail.d/*.local (in alphabetical order)
-```
+> [!NOTE]
+> Loading order for jail configuration:
+> ```text
+> jail.conf
+> jail.d/*.conf (in alphabetical order)
+> jail.local
+> jail.d/*.local (in alphabetical order)
+> ```
 
 A sample configuration file is [available on the official repository](https://github.com/fail2ban/fail2ban/blob/master/config/jail.conf).
 
@@ -220,6 +203,12 @@ exists, it will be overriden.
 > [!WARNING]
 > Container has to be restarted to propagate changes
 
+### Sending email using a sidecar container
+
+If you want to send emails using a sidecar container, see the example in
+[examples/smtp](examples/smtp). It uses the [smtp.py action](https://github.com/fail2ban/fail2ban/blob/1.1.0/config/action.d/smtp.py)
+and [msmtpd SMTP relay](https://github.com/crazy-max/docker-msmtpd) image.
+
 ## Contributing
 
 Want to contribute? Awesome! The most basic way to show your support is to star

diff --git a/entrypoint.sh b/entrypoint.sh
@@ -7,64 +7,11 @@ F2B_LOG_LEVEL=${F2B_LOG_LEVEL:-INFO}
 F2B_DB_PURGE_AGE=${F2B_DB_PURGE_AGE:-1d}
 IPTABLES_MODE=${IPTABLES_MODE:-auto}
 
-SSMTP_PORT=${SSMTP_PORT:-25}
-SSMTP_HOSTNAME=${SSMTP_HOSTNAME:-$(hostname -f)}
-SSMTP_TLS=${SSMTP_TLS:-NO}
-SSMTP_STARTTLS=${SSMTP_STARTTLS:-NO}
-
-# From https://github.com/docker-library/mariadb/blob/master/docker-entrypoint.sh#L21-L41
-# usage: file_env VAR [DEFAULT]
-#    ie: file_env 'XYZ_DB_PASSWORD' 'example'
-# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
-#  "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
-file_env() {
-  local var="$1"
-  local fileVar="${var}_FILE"
-  local def="${2:-}"
-  if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
-    echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
-    exit 1
-  fi
-  local val="$def"
-  if [ "${!var:-}" ]; then
-    val="${!var}"
-  elif [ "${!fileVar:-}" ]; then
-    val="$(< "${!fileVar}")"
-  fi
-  export "$var"="$val"
-  unset "$fileVar"
-}
-
 # Timezone
 echo "Setting timezone to ${TZ}..."
 ln -snf /usr/share/zoneinfo/${TZ} /etc/localtime
 echo ${TZ} > /etc/timezone
 
-# SSMTP
-file_env 'SSMTP_PASSWORD'
-echo "Setting SSMTP configuration..."
-if [ -z "$SSMTP_HOST" ] ; then
-  echo "WARNING: SSMTP_HOST must be defined if you want fail2ban to send emails"
-else
-  cat > /etc/ssmtp/ssmtp.conf <<EOL
-mailhub=${SSMTP_HOST}:${SSMTP_PORT}
-hostname=${SSMTP_HOSTNAME}
-FromLineOverride=YES
-UseTLS=${SSMTP_TLS}
-UseSTARTTLS=${SSMTP_STARTTLS}
-EOL
-  # Authentication to SMTP server is optional.
-  if [ -n "$SSMTP_USER" ] ; then
-    cat >> /etc/ssmtp/ssmtp.conf <<EOL
-AuthUser=${SSMTP_USER}
-AuthPass=${SSMTP_PASSWORD}
-EOL
-  fi
-fi
-unset SSMTP_HOST
-unset SSMTP_USER
-unset SSMTP_PASSWORD
-
 # Init
 echo "Initializing files and folders..."
 mkdir -p /data/db /data/action.d /data/filter.d /data/jail.d

diff --git a/examples/compose/fail2ban.env b/examples/compose/fail2ban.env
@@ -3,10 +3,3 @@ TZ=Europe/Paris
 F2B_LOG_TARGET=STDOUT
 F2B_LOG_LEVEL=INFO
 F2B_DB_PURGE_AGE=1d
-
-SSMTP_HOST=smtp.example.com
-SSMTP_PORT=587
-SSMTP_HOSTNAME=example.com
-SSMTP_USER=[email protected]
-SSMTP_PASSWORD=
-SSMTP_TLS=YES
diff --git a/examples/smtp/compose.yml b/examples/smtp/compose.yml
@@ -0,0 +1,29 @@
+name: fail2ban
+
+services:
+  msmtpd:
+    image: crazymax/msmtpd:latest
+    container_name: fail2ban_msmtpd
+    env_file:
+      - "./msmtpd.env"
+    ports:
+      - "127.0.0.1:2500:2500"
+    environment:
+      - "TZ"
+    restart: always
+
+  fail2ban:
+    image: crazymax/fail2ban:latest
+    container_name: fail2ban
+    depends_on:
+      - msmtpd
+    network_mode: "host"
+    cap_add:
+      - NET_ADMIN
+      - NET_RAW
+    volumes:
+      - "./data:/data"
+      - "/var/log:/var/log:ro"
+    env_file:
+      - "./fail2ban.env"
+    restart: always
diff --git a/examples/smtp/data/jail.d/00-jail.local b/examples/smtp/data/jail.d/00-jail.local
@@ -0,0 +1,2 @@
+[DEFAULT]
+action = smtp.py[host=localhost:2500, sendername=Fail2Ban, [email protected], [email protected]]
diff --git a/examples/smtp/fail2ban.env b/examples/smtp/fail2ban.env
@@ -0,0 +1,5 @@
+TZ=Europe/Paris
+
+F2B_LOG_TARGET=STDOUT
+F2B_LOG_LEVEL=INFO
+F2B_DB_PURGE_AGE=1d
diff --git a/examples/smtp/msmtpd.env b/examples/smtp/msmtpd.env
@@ -0,0 +1,10 @@
+# https://github.com/crazy-max/docker-msmtpd
+SMTP_HOST=smtp.gmail.com
+SMTP_PORT=587
+SMTP_TLS=on
+SMTP_STARTTLS=on
+SMTP_TLS_CHECKCERT=on
+SMTP_AUTH=on
+SMTP_USER=foo
+SMTP_PASSWORD=bar
+SMTP_FROM=[email protected]
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		[DEFAULT]
		action = smtp.py[host=localhost:2500, sendername=Fail2Ban, [email protected], [email protected]]