Merge branch 'master' into master

fjalvarez09 · Jul 26, 2023 · 1d520c7 · 1d520c7
2 parents 5051991 + cf0e11a
commit 1d520c7
Show file tree

Hide file tree

Showing 17 changed files with 375 additions and 92 deletions.
diff --git a/.github/workflows/github-actions.yml b/.github/workflows/github-actions.yml
@@ -0,0 +1,46 @@
+name: policyd-rate-limit
+run-name: ${{ github.actor }} is running policyd-rate-limit CI tests
+on: [push]
+jobs:
+  flake8:
+    runs-on: ubuntu-latest
+    container:
+      image: python:bookworm
+    steps:
+      - uses: actions/checkout@v3
+      - run: pip install tox
+      - run: apt-get update && apt-get install -y --no-install-recommends sudo
+      - run: useradd --uid 1000 testuser && mkdir -p /home/testuser && chown testuser -R . /home/testuser
+      - run: sudo -u testuser tox -e flake8
+  check_rst:
+    runs-on: ubuntu-latest
+    container:
+      image: python:bookworm
+    steps:
+      - uses: actions/checkout@v3
+      - run: pip install tox
+      - run: apt-get update && apt-get install -y --no-install-recommends sudo
+      - run: useradd --uid 1000 testuser && mkdir -p /home/testuser && chown testuser -R . /home/testuser
+      - run: sudo -u testuser tox -e check_rst
+  tests:
+    runs-on: ubuntu-latest
+    container:
+      image: python:bookworm
+    steps:
+      - uses: actions/checkout@v3
+      - run: pip install tox
+      - run: apt-get update && apt-get install -y --no-install-recommends sudo
+      - run: useradd --uid 1000 testuser && mkdir -p /home/testuser && chown testuser -R . /home/testuser
+      - run: sudo -u testuser tox -e py3
+  coverage:
+    runs-on: ubuntu-latest
+    container:
+      image: python:bookworm
+    steps:
+      - uses: actions/checkout@v3
+      - run: pip install tox
+      - run: apt-get update && apt-get install -y --no-install-recommends sudo
+      - run: useradd --uid 1000 testuser && mkdir -p /home/testuser && chown testuser -R . /home/testuser
+      - run: sudo --preserve-env=COVERAGE_TOKEN -u testuser tox -e coverage
+        env:
+          COVERAGE_TOKEN: ${{ secrets.COVERAGE_TOKEN }}
diff --git a/.travis.yml b/.travis.yml
diff --git a/Makefile b/Makefile
@@ -1,6 +1,11 @@
 .PHONY: clean build install dist uninstall
 VERSION=`python3 setup.py -V`
 
+WHL_FILES := $(wildcard dist/*.whl)
+WHL_ASC := $(WHL_FILES:=.asc)
+DIST_FILE := $(wildcard dist/*.tar.gz)
+DIST_ASC := $(DIST_FILE:=.asc)
+
 build:
 	python3 setup.py build
 
@@ -9,14 +14,19 @@ install: dist
 	[ ! -f /etc/policyd-rate-limit.yaml ] && cp -n policyd_rate_limit/policyd-rate-limit.yaml /etc/ || true
 	cp -n init/policyd-rate-limit /etc/init.d
 	cp -n init/policyd-rate-limit.service /etc/systemd/system/ || true
+	cp -n init/policyd-rate-limit-clean.service /etc/systemd/system/policyd-rate-limit-clean.service
+	cp -n init/policyd-rate-limit-clean.timer /etc/systemd/system/policyd-rate-limit-clean.timer
 	pip3 install policyd-rate-limit --no-cache-dir -U --force-reinstall --no-deps --no-binary :all -f ./dist/policyd-rate-limit-${VERSION}.tar.gz
 	systemctl daemon-reload
+	systemctl enable policyd-rate-limit-clean.timer
+	systemctl start policyd-rate-limit-clean.timer
 uninstall:
 	pip3 uninstall policyd-rate-limit || true
 reinstall: uninstall install
 purge: uninstall
 	rm -f /etc/policyd-rate-limit.conf /etc/policyd-rate-limit.yaml
 	rm -f /etc/init.d/policyd-rate-limit /etc/systemd/system/policyd-rate-limit.service
+	rm -f /etc/systemd/system/policyd-rate-limit-clean.service /etc/systemd/system/policyd-rate-limit-clean.timer
 	rm -rf /var/lib/policyd-rate-limit/
 
 clean_pyc:
@@ -42,11 +52,8 @@ man_files:
 dist:
 	python3 setup.py sdist
 
-publish_pypi_release:
-	python setup.py sdist upload --sign
-
 test_venv/bin/python:
-	virtualenv -p python3 test_venv
+	python3 -m venv test_venv
 	test_venv/bin/pip3 install -U -r requirements-dev.txt
 
 test_venv: test_venv/bin/python
@@ -56,3 +63,14 @@ coverage: clean_coverage test_venv
 	export PATH=test_venv/bin/:$$PATH; echo $$PATH; pytest
 	test_venv/bin/coverage html
 	test_venv/bin/coverage report
+
+sign_release: $(WHL_ASC) $(DIST_ASC)
+
+dist/%.asc:
+	gpg --detach-sign -a $(@:.asc=)
+
+test_venv/bin/twine: test_venv
+	test_venv/bin/pip install twine
+
+publish_pypi_release: test_venv test_venv/bin/twine dist sign_release
+	test_venv/bin/twine upload --sign dist/*
diff --git a/README.rst b/README.rst
@@ -1,7 +1,7 @@
 Policyd rate limit
 ==================
 
-|travis| |coverage| |github_version| |pypi_version| |license|
+|coverage| |github_version| |pypi_version| |license|
 
 Postfix policyd server allowing to limit the number of mails accepted by
 postfix over several time periods, by sasl usernames and/or ip addresses.
@@ -137,6 +137,14 @@ The ``.yaml`` are the new configuration format using the YAML syntax.
 * ``smtp_credentials``: Should we use credentials to connect to smtp_server ?
   if yes set ``["user", "password"]``, else ``null``. The default is ``null``.
 
+* ``count_mode``: How sent mail are counted
+
+  * ``0``: each RCPT TO are counted individualy. This is the how it was done historically. If set to 0,
+    the postfix check_policy_service must be set in smtpd_recipient_restrictions.
+    This is deprecated and should not be used anymore
+  * ``1``: recipient are counted in the DATA stage. The postfix parameter check_policy_service must be
+    defined in smtpd_data_restrictions.
+    This is the new default.
 
 Postfix settings
 ----------------
@@ -148,7 +156,7 @@ service.
 
     /etc/postfix/main.cf::
 
-        smtpd_recipient_restrictions =
+        smtpd_data_restrictions =
             ...,
             check_policy_service { unix:ratelimit/policy, default_action=DUNNO },
             ...
@@ -158,15 +166,12 @@ On previous postfix versions, you must use:
 
     /etc/postfix/main.cf::
 
-        smtpd_recipient_restrictions =
+        smtpd_data_restrictions =
             ...,
             check_policy_service unix:ratelimit/policy,
             ...
 
 
-.. |travis| image:: https://badges.genua.fr/travis/nitmir/policyd-rate-limit/master.svg
-    :target: https://travis-ci.org/nitmir/policyd-rate-limit
-
 .. |coverage| image:: https://badges.genua.fr/coverage/badge/policyd-rate-limit/master.svg
     :target: https://badges.genua.fr/coverage/policyd-rate-limit/
 

diff --git a/docs/policyd-rate-limit.8.rst b/docs/policyd-rate-limit.8.rst
@@ -36,7 +36,7 @@ Setup
 For example, for postfix 3.0 and later, you can set in postfix **/etc/postfix/main.cf**
 configuration file::
 
-  smtpd_recipient_restrictions =
+  smtpd_data_restrictions =
     ...,
     check_policy_service { unix:ratelimit/policy, default_action=DUNNO },
     ...
@@ -47,7 +47,7 @@ and will accept mail if policyd-rate-limit become unavailable.
 
 On previous postfix versions, you must use::
 
-  smtpd_recipient_restrictions =
+  smtpd_data_restrictions =
     ...,
     check_policy_service unix:ratelimit/policy,
     ...

diff --git a/docs/policyd-rate-limit.yaml.5.rst b/docs/policyd-rate-limit.yaml.5.rst
@@ -124,6 +124,14 @@ Settings
   if yes set ["user", "password"], else null. The default is null.
 
 
+**count_mode**
+  How sent mail are counted. Set to **0**, each RCPT TO are counted individualy.
+  This is the how it was done historically. If set to 0, the postfix check_policy_service must be set in
+  smtpd_recipient_restrictions. This is deprecated and should not be used anymore.
+  Set to **1** recipient are counted in the DATA stage. The postfix parameter check_policy_service must be
+  defined in smtpd_data_restrictions. This is the new default.
+
+
 See also
 ========
 

diff --git a/init/policyd-rate-limit-clean.service b/init/policyd-rate-limit-clean.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Postfix policyd rate limiter - clean database
+After=syslog.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/bin/policyd-rate-limit --clean
+KillSignal=SIGINT
+StandardOutput=syslog
+StandardError=syslog
+
+[Install]
+WantedBy=multi-user.target
diff --git a/init/policyd-rate-limit-clean.timer b/init/policyd-rate-limit-clean.timer
@@ -0,0 +1,9 @@
+[Unit]
+Description=Clean policyd rate limit database daily
+
+[Timer]
+OnCalendar=daily
+Persistent=true
+
+[Install]
+WantedBy=timers.target
diff --git a/policyd_rate_limit/config.py b/policyd_rate_limit/config.py
@@ -89,3 +89,6 @@
 
 # The time in seconds before an unused socket gets closed
 delay_to_close = 300
+
+# count mode. 0 for RCPT, 1 for DATA
+count_mode = 0
diff --git a/policyd_rate_limit/policyd-rate-limit.yaml b/policyd_rate_limit/policyd-rate-limit.yaml
@@ -54,6 +54,13 @@ limits:
 #     2a01:240:fe3d:4:219:bbff:fe3c:4f76: []
 limits_by_id: {}
 
+# Use custom rate limit for every user, if you have sql backend for your mail server.
+# There is a `rate_limit` table which has id -> limits_by_id-like strings for custom limits.
+# You should set for your users a rate_limit id to map users <-> rate_limits tables. 
+# sql_limits_by_id: "SELECT `limits` FROM `rate_limits` WHERE `id` IN (SELECT `rate_limit`  FROM `virtual_users` WHERE `email`=%s)"
+#
+sql_limits_by_id: ""
+
 # Apply limits by sasl usernames.
 limit_by_sasl: True
 # If no sasl username is found, or limit by sasl usernames disabled,
@@ -110,3 +117,12 @@ smtp_credentials: null
 
 # The time in seconds before an unused socket gets closed
 delay_to_close: 300
+
+# How sent mail are counted:
+# * 0 each RCPT TO are counted individualy. This is the how it was done historically. If set to 0,
+#   the postfix check_policy_service must be set in smtpd_recipient_restrictions.
+#   This is deprecated and should not be used anymore
+# * 1 recipient are counted in the DATA stage. The postfix parameter check_policy_service must be
+#   defined in smtpd_data_restrictions.
+#   This is the new default.
+count_mode: 1