Publish postfix (Docker) ports to standard mail ports on host #39
Conversation
I was hoping to override the default published postfix ports for target (internal container) ports 25 and 587 by including our preferred published ports in docker-compose.production.yml. However, when Docker Compose merges the contents of the default docker-compose.yml with the contents of docker-compose.production.yml, it does not intelligently overwrite the published ports. For example, instead of having target port 25 published to only host port 25 (as specified in docker-compose.production.yml), we end up with target port 25 published to BOTH host port 25 (from docker-compose.production.yml) and host port 1025 (from docker-compose.yml). That is why we remove the default published ports from docker-compose.yml so that only the ports specified in docker-compose.production.yml will be published.
dav3r
added
the
improvement
dav3r
added
the
blocked
| - name: Remove default postfix published ports | ||
| ansible.builtin.replace: | ||
| path: "{{ pca_gophish_composition_path }}/docker-compose.yml" | ||
| regexp: "^\\s*ports:\\s*$\n\ | ||
| ^\\s*-\\s*target:\\s*['\"]25['\"]\\s*$\n\ | ||
| ^\\s*published:\\s*['\"]1025['\"]\\s*$\n\ | ||
| ^\\s*protocol:\\s*tcp\\s*$\n\ | ||
| ^\\s*mode:\\s*host\\s*$\n\ | ||
| ^\\s*-\\s* target:\\s*['\"]587['\"]\\s*$\n\ | ||
| ^\\s*published:\\s*['\"]1587['\"]\\s*$\n\ | ||
| ^\\s*protocol:\\s*tcp\\s*$\n\ | ||
| ^\\s*mode:\\s*host\\s*$\n" |
There was a problem hiding this comment.
This is pretty gnarly. What do you think about creating an issue for figuring out a better way to do this?
There was a problem hiding this comment.
I agree that it's a nasty regex. I looked at ansible.builtin.blockinfile, but that would require us to put some marker lines around the text block that we want to modify, so I didn't love that solution.
If you think it's cleaner, I can switch to overwriting the entire docker-compose.yml file with one customized for this AMI, which would also mean that we could get rid of docker-compose.production.yml. I didn't go that way originally because it means that whenever cisagov/pca-gophish-composition/docker-compose.yml changes, we would also need to make similar updates in this repo, but maybe that's not so terrible compared to this regex. What do you say @jsf9k?
There was a problem hiding this comment.
I thought about those options too, but I don't really like any of them. Ansible doesn't have a built-in module to manipulate YAML files (which is really what we need here), so I thought of these options:
- Convert the YAML to JSON, use
ansible.builtin.commandto runjq, then convert the JSON back to YAML. - Install and use
yqviaansible.builtin.command. - Figure out a way to use the
from_yaml,to_json,to_yaml, andjson_queryAnsible filters to achieve this. - Use jsonpatch.
I'm fine with punting for now, so long as there is an issue to remind us to revisit this.
There was a problem hiding this comment.
Sounds good to me- I made issue #42 for this.
BTW, this may also be something that a future version of docker-compose can help us overcome:
There was a problem hiding this comment.
This sort of thang might be an OK solution as well.
You'll want to add a (short) paragraph to the comment before this task, stating that the regex is ugly and mentioning the issue you just created. There is a line in the checklist in the PR template for this sort of thing that you will also need to re-add.
There was a problem hiding this comment.
You'll want to add a (short) paragraph to the comment before this task, stating that the regex is ugly and mentioning the issue you just created. There is a line in the checklist in the PR template for this sort of thing that you will also need to re-add.
Good call - see a305491.
…cisagov/pca-gophish-composition-packer into improvement/publish-standard-mail-ports
dav3r
removed
the
blocked
🗣 Description
This PR publishes the following ports from the postfix Docker container to the host:
💭 Motivation and context
From #37:
Note that this was not quite as simple as I hoped- please see 66d88b7 for details. If we end up having to make many more changes to the default
docker-compose.ymlfile from cisagov/pca-gophish-composition, I think it will make sense to simply overwrite it completely with a file stored in this repository (rather than simply layering in changes via thedocker-compose.production.ymlfile).Resolves #37 and is part of the work required for cisagov/cool-system#90.
🧪 Testing
I tested the Ansible change by temporarily adding it in to a
cisagov/ansible-role-pca-gophish-compositionplaybook and then runningmolecule convergeandmolecule login -h ...to ensure that it functioned as expected (it does).I also tested this by modifying the
docker-compose.ymlanddocker-compose.production.ymlfiles on an existing Gophish instance to verify that the expected ports were correctly published:sudo systemctl restart pca-gophish-composition)sudo netstat -ltnp)Before I merge this PR, I plan to create a fresh AMI in Staging and confirm that all is well (hence the
blockedlabel).✅ Checklist
in code comments.
sudo netstat -ltnpon the instance shows that ports 25, 587, and 993 are bound to adocker-proxyprocesslocalhost:993