
relay mails to $POSTFIX_RELAY_DOMAINS via $POSTFIX_RELAYHOST (postfix 3.3.0, alpine 3.8)

Fabian Peter Hammerle 5 years ago
commit
1b00ed90b3
5 changed files with 117 additions and 0 deletions
  1. 25 0
      Dockerfile
  2. 21 0
      README.md
  3. 26 0
      main.cf
  4. 6 0
      smtp-tls-policy-map
  5. 39 0
      smtp-tls-trusted-ca.pem

+ 25 - 0
Dockerfile

@@ -0,0 +1,25 @@
+FROM alpine:3.8
+
+RUN find / -xdev -type f -perm /u+s -exec chmod --changes u-s {} \; \
+    && find / -xdev -type f -perm /g+s -exec chmod --changes g-s {} \;
+
+RUN apk add tini
+ENTRYPOINT ["/sbin/tini", "-s", "--"]
+
+RUN apk add postfix
+
+COPY smtp-tls-trusted-ca.pem /etc/postfix/smtp-tls-trusted-ca.pem
+COPY smtp-tls-policy-map /etc/postfix/smtp-tls-policy-map
+RUN postmap /etc/postfix/smtp-tls-policy-map
+
+EXPOSE 25
+COPY main.cf /etc/postfix/main.cf
+RUN postfix check
+
+ENV POSTFIX_RELAYHOST ""
+ENV POSTFIX_RELAY_DOMAINS ""
+# TODO run as unprivileged user?
+CMD postconf -ev relayhost="$POSTFIX_RELAYHOST" \
+ && postconf -ev relay_domains="$POSTFIX_RELAY_DOMAINS" \
+ && postconf -ev syslog_name="$HOSTNAME/pstfx" \
+ && postfix start-fg
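Review bot: The CMD on the last four lines is shell form and `postfix start-fg` is not exec'd, so the postfix master is a child of `/bin/sh` rather than of tini; the SIGTERM that `docker stop` sends is forwarded by tini to the shell, and a non-interactive shell generally does not relay it to its foreground child, so postfix is left to be killed when the container is torn down instead of shutting down cleanly. Changing the final line to `&& exec postfix start-fg` makes the master tini's direct child and keeps the signal path intact. The two `apk add` lines (tini, postfix) also leave the package index in their layers and install whichever version the 3.8 repository serves at build time; `apk add --no-cache tini` and `apk add --no-cache postfix`, ideally with pinned `pkg=version` arguments, keep the image smaller and reproducible.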

+ 21 - 0
README.md

@@ -0,0 +1,21 @@
+# docker container: postfix
+
+docker hub: https://hub.docker.com/r/fphammerle/postfix/
+
+dockerfile repo: https://git.hammerle.me/fphammerle/docker-postfix
+
+config notes: https://git.hammerle.me/fphammerle/config-postfix/src/master/README.md
+
+```sh
+sudo docker run --detach --rm \
+    --security-opt=no-new-privileges \
+    --volume /dev/log:/dev/log \
+    --env POSTFIX_RELAYHOST=relayhost.example.com:submission \
+    --env POSTFIX_RELAY_DOMAINS=example.com \
+    --publish 127.0.0.1:25:25 \
+    --restart unless-stopped \
+    --name postfix \
+    fphammerle/postfix:3.3.0-amd64-relay
+```
+
+optional: enable usernamespace mode via daemon option `userns-remap`

+ 26 - 0
main.cf

@@ -0,0 +1,26 @@
+# SERVER
+inet_interfaces = all
+# $myhostname is as prefix is a RFC requirement
+smtpd_banner = $myhostname ESMTP $mail_name quid agis?
+# RCPT TO matches $relay_domains => !reject_unauth_destination
+smtpd_relay_restrictions = reject_non_fqdn_recipient, reject_unauth_destination
+# include TLS protocol & cipher in 'Received' header
+smtpd_tls_received_header = yes
+# + sasl username
+smtpd_sasl_authenticated_header = yes
+
+# CLIENT
+smtp_tls_security_level = dane
+# exceptions for smtp servers not providing DANE
+smtp_tls_policy_maps = hash:/etc/postfix/smtp-tls-policy-map
+# trusted CA for exceptions specified in policy map (lvl verify & secure)
+smtp_tls_CAfile = /etc/postfix/smtp-tls-trusted-ca.pem
+smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
+smtp_tls_session_cache_database = btree:${data_directory}/smtp-tls-session-cache
+# DANE TLSA records are validated with DNSSEC
+smtp_dns_support_level = dnssec
+# DANE validation requires DNS lookups
+smtp_host_lookup = dns
+
+# http://www.postfix.org/COMPATIBILITY_README.html
+compatibility_level = 2
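Review bot: `smtp_tls_mandatory_protocols = !SSLv2, !SSLv3` governs only sessions at a mandatory level — here DANE-verified destinations and the `secure` entries from the policy map; a destination without usable TLSA records falls back to opportunistic TLS, which is governed by `smtp_tls_protocols`, and that parameter is not set in this file. If the intent is to exclude SSLv2/SSLv3 on every outbound session, adding `smtp_tls_protocols = !SSLv2, !SSLv3` next to it states the policy explicitly rather than relying on the 3.3 default (which presumably excludes them already, but is not visible here). On the server side nothing sets `smtpd_tls_security_level` or a certificate, so as far as this file shows inbound SMTP does not offer STARTTLS and `smtpd_tls_received_header = yes` has nothing to record; a comment such as `# inbound STARTTLS not offered; header only applies once smtpd_tls_* is configured` would keep a later reader from assuming inbound TLS is on.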

+ 6 - 0
smtp-tls-policy-map

@@ -0,0 +1,6 @@
+# postmap /etc/postfix/smtp-tls-policy-map
+
+alpaga.hammerle.me	secure match=nexthop
+epignomus.hammerle.me	secure match=nexthop
+velo.hammerle.me	secure match=nexthop
+hammerle.me	secure match=epignomus.hammerle.me:velo.hammerle.me
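Review bot: The four entries pin specific hammerle.me hosts (and, together with `smtp_tls_CAfile` in main.cf, a private CA) into a published image, so anyone else pulling fphammerle/postfix silently inherits these operator-specific pins. A header comment making that explicit, for example `# site-specific pins for hammerle.me relays; replace this file (and smtp-tls-trusted-ca.pem) or bind-mount over it, then re-run postmap`, would document the contract without changing behaviour. Since the map is compiled by `postmap` during the build, it is also worth noting in the comment that editing the text file inside a running container has no effect until the `.db` is regenerated.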

+ 39 - 0
smtp-tls-trusted-ca.pem

@@ -0,0 +1,39 @@
+Subject: C=AT, CN=Fabian Peter Hammerle
+Validity
+    Not Before: May  8 18:31:41 2017 GMT
+    Not After : Jan  1 00:00:00 2027 GMT
+X509v3 Subject Key Identifier:
+    C2:E0:4B:00:B3:F0:87:DB:14:3B:4B:B6:41:18:13:BA:22:0E:D4:BA
+-----BEGIN CERTIFICATE-----
+MIIFnzCCA4egAwIBAgIKRWuaA5ml2i8RpjANBgkqhkiG9w0BAQsFADAtMQswCQYD
+VQQGEwJBVDEeMBwGA1UEAxMVRmFiaWFuIFBldGVyIEhhbW1lcmxlMB4XDTE3MDUw
+ODE4MzE0MVoXDTI3MDEwMTAwMDAwMFowLTELMAkGA1UEBhMCQVQxHjAcBgNVBAMT
+FUZhYmlhbiBQZXRlciBIYW1tZXJsZTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCC
+AgoCggIBALX8fhBdVeTNDVS48uBcHgeL3lxfnPBX7aK8i/9uPfp29zfhIidQxJAt
+PonOCrlmLwQMA+Cg2c0Yhf9+Lrg2Toior8c5JJbAsdqsrl/VY+xGOsz0AheHmSNp
+nHbJqMO0ZmAJuhJVzmsj1In37mLFinmK04ONjU0czQLuyABU35jy9jhDLFa4EZxn
+J7kfCtPlR1L+ZbqA0XakPyZdA/XPBW5QMWzyMKjx7F9LtuOknTcxG0HQ+KOwu5ul
+NmCbSZ1azRMzKZyjnbzwlBXbJe8gLN5aID7c1onEqik6i06hyju/au1uU7D5iG60
+hmQL+85LIRXiuM1+IIJyvLWp4rghMmnGE/pPdmF4bqJQfsswkFBmPZj4vgQpRPJn
+IUH3o9XhRd6RNjz10Sdm3tZZ31G1l+dzeqnHoXDZ5RmUNabByg0lWCppRLnMgEH4
+CjZ3QN2pkVwHW3z3k5trtCZoHne16MfRmX88uM0arapUFbfYNuKOV1/a/Hy2xze2
+ry1aKTUFET8iyFPepLps4Rz2AYi+bZ3F30em4ngzdYxcAj1V7qpQn/xRgUhxgosT
+0ABaaJWcLRd/QJH4wb+/S1gzIYbpAjjfrJoiBkZ5NPkvzphdhaomNeUT2mz4rSAS
+bPmSWYT+xM3vlmcOe4ZHamBz5kZpnf2scyIXSBcOC9m4OhjDQVqXAgMBAAGjgcAw
+gb0wWgYDVR0RBFMwUYESZmFiaWFuQGhhbW1lcmxlLm1lgRlmYWJpYW4uaGFtbWVy
+bGVAZ21haWwuY29tgSBmYWJpYW4uaGFtbWVybGVAbWVkdW5pd2llbi5hYy5hdDAP
+BgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTC4EsAs/CH2xQ7S7ZBGBO6Ig7UujAf
+BgNVHSMEGDAWgBTC4EsAs/CH2xQ7S7ZBGBO6Ig7UujAOBgNVHQ8BAf8EBAMCAcYw
+DQYJKoZIhvcNAQELBQADggIBAGMC4ya82j9IGePhl9l2hMgB0ZB48RSTZelNEm8M
+KFCGMRIGBuzAIdIY+0ugJuK6jHIfRtGHXFJlBkm+/vJwuwRqQib8+Nt1ZCSqv7/R
+k0jR4BUdAWSsnskZwYivYKQgANjtmDOpO19tpTcgeptw8AIAfuuglYP5wH5FA2RX
+cvkfHLtd9HJaj62CM5f+A2QTEHvat7KJSme7qZ6I47BiTA//+4SK8vjDoPir0Kx7
+NK7awpzjEzWbQrVwU3YhDuHbZlaHhPini6AlhEqvz/wpPYXUzgmJy0K1m4vWcxsT
+D/nf3LT1wJs5Ph1tO9gdF/yZC7o2QIKVjPF4mQiv/1EkYRY7zV52JcsWRrWlHN0x
+tqinxjY0aN4v6uoybJXHSiergibasDv4MicnW0c3ZE7dLs3iT6+5PAhjNoLdrG6v
+n9RZLZOrACYiPd+thoGQYVB496bobz2hHUUu7MoHxlZks6RVpxUm7jMGDoqZtvGp
+0VRCTglMyrpq26yYeUkE69sCm09EMHyZowOrnoTfqsk+sscuWqbmh2uPEIgqgKjz
+Ock5i72I47uTRUpG4WbYGXKfGaXUzd9A/6Rj6z2u+0z/dgNg/r3nrAAzIvV8Dh0q
+exCOYc3vQ+DdLKCMSMuCjXb6/Mpg5gR5za405RePcFaCoM74jxRScY+gOFguqdr4
+Qqjv
+-----END CERTIFICATE-----