
minimal postfix setup; default config; log to stdout

Fabian Peter Hammerle 3 years ago
parent
commit
8d664cb662
7 changed files with 19 additions and 124 deletions
  1. 7 19
      Dockerfile
  2. 12 13
      README.md
  3. 0 4
      docker-compose.yml
  4. 0 29
      main.cf
  5. 0 16
      serve.sh
  6. 0 4
      smtp-tls-policy-map
  7. 0 39
      smtp-tls-trusted-ca.pem

+ 7 - 19
Dockerfile

@@ -1,23 +1,11 @@
-FROM alpine:3.8
-
-RUN find / -xdev -type f -perm /u+s -exec chmod --changes u-s {} \; \
-    && find / -xdev -type f -perm /g+s -exec chmod --changes g-s {} \;
-
-RUN apk add tini
-ENTRYPOINT ["/sbin/tini", "-s", "--"]
+FROM alpine:3.10
 
 RUN apk add postfix
 
-COPY smtp-tls-trusted-ca.pem /etc/postfix/smtp-tls-trusted-ca.pem
-COPY smtp-tls-policy-map /etc/postfix/smtp-tls-policy-map
-RUN postmap /etc/postfix/smtp-tls-policy-map
-
-EXPOSE 25
-COPY main.cf /etc/postfix/main.cf
-RUN postfix check
+# http://www.postfix.org/MAILLOG_README.html
+RUN postconf -F | grep -E '^postlog/unix-dgram/service = postlog$' \
+    && postconf -evv maillog_file=/dev/stdout \
+    && postfix check
 
-ENV POSTFIX_RELAYHOST ""
-ENV POSTFIX_RELAY_DOMAINS ""
-COPY serve.sh /
-# TODO run as unprivileged user?
-CMD ["/serve.sh"]
+EXPOSE 25/tcp
+CMD ["postfix", "start-fg"]
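Review bot: The setuid/setgid stripping and the tini entrypoint removed at the top of the hunk are not replaced, so the image now keeps whatever set-id binaries Alpine ships and relies solely on the `--security-opt=no-new-privileges` flag that only the README recommends; if dropping that hardening is intentional, record it next to `FROM alpine:3.10`, e.g. `# set-id bits are left in place; run with --security-opt=no-new-privileges (see README)`. The `RUN apk add postfix` line should become `RUN apk add --no-cache postfix` so the package index does not persist in the layer, and pinning the package version would make the build reproducible. Because the image now ships the package's default main.cf instead of the deleted one that set `compatibility_level = 2`, it is worth verifying that the packaged file sets `compatibility_level`; without it Postfix uses the backwards-compatible `mynetworks_style = subnet`, which lets every host on the container's network relay through `permit_mynetworks`. With `ENTRYPOINT ["/sbin/tini", "-s", "--"]` gone, `postfix start-fg` runs master(8) as PID 1, so confirm that `docker stop` (SIGTERM) still shuts the daemon down cleanly rather than waiting for the kill timeout.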

+ 12 - 13
README.md

@@ -1,21 +1,20 @@
-# docker container: postfix
+# postfix ✉️ 🐳
 
-docker hub: https://hub.docker.com/r/fphammerle/postfix/
+Mail Server http://www.postfix.org/documentation.html
 
-dockerfile repo: https://git.hammerle.me/fphammerle/docker-postfix
+```sh
+docker run --rm -p 25:25 fphammerle/postfix
+```
 
-config notes: https://git.hammerle.me/fphammerle/config-postfix/src/master/README.md
+config docs: http://www.postfix.org/postconf.5.html
 
 ```sh
-sudo docker run --detach \
+docker run --name postfix \
+    --volume $PWD/main.cf:/etc/postfix/main.cf:ro \
+    --detach --restart unless-stopped \
     --security-opt=no-new-privileges \
-    --volume /dev/log:/dev/log \
-    --env POSTFIX_RELAYHOST=relayhost.example.com:submission \
-    --env POSTFIX_RELAY_DOMAINS=example.com \
-    --publish 127.0.0.1:25:25 \
-    --restart unless-stopped \
-    --name postfix \
-    fphammerle/postfix:3.3.0-amd64-relay-secure
+    --publish 25:25 \
+    fphammerle/postfix
 ```
 
-optional: enable usernamespace mode via daemon option `userns-remap`
+Optionally enable user namespace remapping via docker daemon option `userns-remap`.

+ 0 - 4
docker-compose.yml

@@ -4,11 +4,7 @@ services:
   postfix:
     build: .
     image: fphammerle/postfix
-    environment:
-      POSTFIX_RELAYHOST: relayhost.example.com:submission
-      POSTFIX_RELAY_DOMAINS: example.com
     ports: ['127.0.0.1:25:25']
-    volumes: [/dev/log]
     security_opt: [no-new-privileges]
     restart: unless-stopped
 

+ 0 - 29
main.cf

@@ -1,29 +0,0 @@
-# SERVER
-inet_interfaces = all
-# $myhostname is as prefix is a RFC requirement
-smtpd_banner = $myhostname ESMTP $mail_name quid agis?
-smtpd_sender_restrictions = reject_non_fqdn_sender
-# RCPT TO matches $relay_domains => !reject_unauth_destination
-smtpd_relay_restrictions = reject_non_fqdn_recipient, reject_unauth_destination
-# include TLS protocol & cipher in 'Received' header
-smtpd_tls_received_header = yes
-# + sasl username
-smtpd_sasl_authenticated_header = yes
-
-# CLIENT
-smtp_tls_security_level = secure
-smtp_tls_secure_cert_match = nexthop
-# exceptions where secure nexthop policy is too strict
-smtp_tls_policy_maps = hash:/etc/postfix/smtp-tls-policy-map
-# trusted CA for exceptions specified in policy map (lvl verify & secure)
-smtp_tls_CAfile = /etc/postfix/smtp-tls-trusted-ca.pem
-# docs recommend against whitelist
-smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
-smtp_tls_session_cache_database = btree:${data_directory}/smtp-tls-session-cache
-# DANE TLSA records are validated with DNSSEC
-smtp_dns_support_level = dnssec
-# DANE validation requires DNS lookups
-smtp_host_lookup = dns
-
-# http://www.postfix.org/COMPATIBILITY_README.html
-compatibility_level = 2

+ 0 - 16
serve.sh

@@ -1,16 +0,0 @@
-#!/bin/sh
-
-function set_option {
-    (set -x; postconf -evv "$1=$2")
-}
-
-# http://www.postfix.org/postconf.5.html
-[ -z "$POSTFIX_RELAYHOST" ] || set_option relayhost "$POSTFIX_RELAYHOST"
-[ -z "$POSTFIX_RELAY_DOMAINS" ] || set_option relay_domains "$POSTFIX_RELAY_DOMAINS"
-# TODO log to stdout (requires postfix >= 3.4)
-# http://www.postfix.org/announcements/postfix-3.4.0.html
-# http://www.postfix.org/MAILLOG_README.html
-set_option syslog_name "$(hostname)/pstfx"
-
-set -x
-exec postfix start-fg

+ 0 - 4
smtp-tls-policy-map

@@ -1,4 +0,0 @@
-# postmap /etc/postfix/smtp-tls-policy-map
-
-hammerle.me:smtp	secure match=epignomus.hammerle.me:velo.hammerle.me:alpaga.hammerle.me
-hammerle.me:submission	secure match=epignomus.hammerle.me:velo.hammerle.me:alpaga.hammerle.me

+ 0 - 39
smtp-tls-trusted-ca.pem

@@ -1,39 +0,0 @@
-Subject: C=AT, CN=Fabian Peter Hammerle
-Validity
-    Not Before: May  8 18:31:41 2017 GMT
-    Not After : Jan  1 00:00:00 2027 GMT
-X509v3 Subject Key Identifier:
-    C2:E0:4B:00:B3:F0:87:DB:14:3B:4B:B6:41:18:13:BA:22:0E:D4:BA
------BEGIN CERTIFICATE-----
-MIIFnzCCA4egAwIBAgIKRWuaA5ml2i8RpjANBgkqhkiG9w0BAQsFADAtMQswCQYD
-VQQGEwJBVDEeMBwGA1UEAxMVRmFiaWFuIFBldGVyIEhhbW1lcmxlMB4XDTE3MDUw
-ODE4MzE0MVoXDTI3MDEwMTAwMDAwMFowLTELMAkGA1UEBhMCQVQxHjAcBgNVBAMT
-FUZhYmlhbiBQZXRlciBIYW1tZXJsZTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCC
-AgoCggIBALX8fhBdVeTNDVS48uBcHgeL3lxfnPBX7aK8i/9uPfp29zfhIidQxJAt
-PonOCrlmLwQMA+Cg2c0Yhf9+Lrg2Toior8c5JJbAsdqsrl/VY+xGOsz0AheHmSNp
-nHbJqMO0ZmAJuhJVzmsj1In37mLFinmK04ONjU0czQLuyABU35jy9jhDLFa4EZxn
-J7kfCtPlR1L+ZbqA0XakPyZdA/XPBW5QMWzyMKjx7F9LtuOknTcxG0HQ+KOwu5ul
-NmCbSZ1azRMzKZyjnbzwlBXbJe8gLN5aID7c1onEqik6i06hyju/au1uU7D5iG60
-hmQL+85LIRXiuM1+IIJyvLWp4rghMmnGE/pPdmF4bqJQfsswkFBmPZj4vgQpRPJn
-IUH3o9XhRd6RNjz10Sdm3tZZ31G1l+dzeqnHoXDZ5RmUNabByg0lWCppRLnMgEH4
-CjZ3QN2pkVwHW3z3k5trtCZoHne16MfRmX88uM0arapUFbfYNuKOV1/a/Hy2xze2
-ry1aKTUFET8iyFPepLps4Rz2AYi+bZ3F30em4ngzdYxcAj1V7qpQn/xRgUhxgosT
-0ABaaJWcLRd/QJH4wb+/S1gzIYbpAjjfrJoiBkZ5NPkvzphdhaomNeUT2mz4rSAS
-bPmSWYT+xM3vlmcOe4ZHamBz5kZpnf2scyIXSBcOC9m4OhjDQVqXAgMBAAGjgcAw
-gb0wWgYDVR0RBFMwUYESZmFiaWFuQGhhbW1lcmxlLm1lgRlmYWJpYW4uaGFtbWVy
-bGVAZ21haWwuY29tgSBmYWJpYW4uaGFtbWVybGVAbWVkdW5pd2llbi5hYy5hdDAP
-BgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTC4EsAs/CH2xQ7S7ZBGBO6Ig7UujAf
-BgNVHSMEGDAWgBTC4EsAs/CH2xQ7S7ZBGBO6Ig7UujAOBgNVHQ8BAf8EBAMCAcYw
-DQYJKoZIhvcNAQELBQADggIBAGMC4ya82j9IGePhl9l2hMgB0ZB48RSTZelNEm8M
-KFCGMRIGBuzAIdIY+0ugJuK6jHIfRtGHXFJlBkm+/vJwuwRqQib8+Nt1ZCSqv7/R
-k0jR4BUdAWSsnskZwYivYKQgANjtmDOpO19tpTcgeptw8AIAfuuglYP5wH5FA2RX
-cvkfHLtd9HJaj62CM5f+A2QTEHvat7KJSme7qZ6I47BiTA//+4SK8vjDoPir0Kx7
-NK7awpzjEzWbQrVwU3YhDuHbZlaHhPini6AlhEqvz/wpPYXUzgmJy0K1m4vWcxsT
-D/nf3LT1wJs5Ph1tO9gdF/yZC7o2QIKVjPF4mQiv/1EkYRY7zV52JcsWRrWlHN0x
-tqinxjY0aN4v6uoybJXHSiergibasDv4MicnW0c3ZE7dLs3iT6+5PAhjNoLdrG6v
-n9RZLZOrACYiPd+thoGQYVB496bobz2hHUUu7MoHxlZks6RVpxUm7jMGDoqZtvGp
-0VRCTglMyrpq26yYeUkE69sCm09EMHyZowOrnoTfqsk+sscuWqbmh2uPEIgqgKjz
-Ock5i72I47uTRUpG4WbYGXKfGaXUzd9A/6Rj6z2u+0z/dgNg/r3nrAAzIvV8Dh0q
-exCOYc3vQ+DdLKCMSMuCjXb6/Mpg5gR5za405RePcFaCoM74jxRScY+gOFguqdr4
-Qqjv
------END CERTIFICATE-----