feat(postfix): Add container image for postfix

ab4d3c9c · Sheogorath · c62d7849 · ab4d3c9c · ab4d3c9c · ab4d3c9c
Verified Commit ab4d3c9c authored 2 years ago by Sheogorath
--- a/images/postfix/.release
+++ b/images/postfix/.release
+release=0.1.0
--- a/images/postfix/Containerfile
+++ b/images/postfix/Containerfile
+FROM docker.io/library/alpine:3.16.0
+# Install pre-requirements
+RUN apk update
+RUN apk add --no-cache ca-certificates rsyslog supervisor
+RUN update-ca-certificates
+RUN apk add --no-cache postfix
+RUN mkdir /var/spool/postfix/etc && echo "smtp		25/tcp		mail		# Simple Mail Transfer" > /var/spool/postfix/etc/services
+COPY config/main.cf /etc/postfix/
+COPY config/master.cf /etc/postfix/
+COPY docker/supervisord.conf /etc/
+COPY docker/rsyslog.conf /etc/
+COPY docker/start.sh /usr/local/libexec/start.sh
+RUN chmod +x /usr/local/libexec/start.sh
+#   25: SMTP (Server2Server)
+#  465: SUBMISSIONS (SSL)
+#  587: SMTP (StartTLS)
+EXPOSE 25 465 587
+ENTRYPOINT [ "sh" , "/usr/local/libexec/start.sh" ]
--- a/images/postfix/Makefile
+++ b/images/postfix/Makefile
+include ../.utils/container-build.mk
+include ../../utils/help.mk
--- a/images/postfix/README.md
+++ b/images/postfix/README.md
+Postfix
+===
+Postfix container image intended for use in Kubernetes with plain text user backend.
+The goal of this postfix image is to be preconfigured to utilse Kubernetes configmaps and secrets to become useful. It doesn't come with external database backend.
+Expectations
+---
+|Path | Usage |
+|-----|-------|
+|`/srv/virtual`|All files for virtual hosting (domains, aliases, mailboxes)|
+|`/srv/tls/`|TLS key and certificate used for TLS enabled services|
+References
+---
+This image is heavily inspired by https://github.com/mum-project/docker-images/tree/master/postfix
--- a/images/postfix/config/.gitignore
+++ b/images/postfix/config/.gitignore
+*.db
\ No newline at end of file
--- a/images/postfix/config/header_checks
+++ b/images/postfix/config/header_checks
+/^Message-ID:/i IGNORE
+/^Mime-Version: 1.0.*/ REPLACE Mime-Version: 1.0
+/^User-Agent:/ IGNORE
+/^X-Enigmail:/ IGNORE
+/^X-Mailer:/ IGNORE
+/^X-Originating-IP:/ IGNORE
+/^X-PHP-Originating-Script:/ IGNORE
--- a/images/postfix/config/main.cf
+++ b/images/postfix/config/main.cf
+############### Please enable soft_bounce during maintenance: #################
+# Fatal 5xx Errors will be downgraded to temporary 4xx Errors.
+#soft_bounce = yes
+###############################################################################
+smtpd_banner = $myhostname ESMTP $mail_name
+biff = no
+append_dot_mydomain = no
+readme_directory = no
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+mydestination =
+mailbox_size_limit = 51200000
+message_size_limit = 51200000
+recipient_delimiter = +
+inet_interfaces = all
+myorigin = /etc/mailname
+inet_protocols = all
+########
+##
+## TLS Configuration
+##
+smtpd_tls_cert_file=/srv/tls/tls.crt
+smtpd_tls_key_file=/srv/tls/tls.key
+smtpd_tls_loglevel = 1
+smtp_tls_cert_file=/srv/tls/tls.crt
+smtp_tls_key_file=/srv/tls/tls.key
+smtp_tls_loglevel = 1
+smtpd_tls_security_level = may
+smtp_tls_security_level = may
+smtpd_tls_auth_only = yes
+tls_ssl_options = NO_COMPRESSION
+smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
+smtp_tls_protocols = !SSLv2, !SSLv3
+lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3
+lmtp_tls_protocols = !SSLv2, !SSLv3
+smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
+smtpd_tls_protocols = !SSLv2, !SSLv3
+smtpd_tls_mandatory_ciphers=high
+tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
+tls_preempt_cipherlist = yes
+smtp_dns_support_level = dnssec
+smtpd_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL, SEED, IDEA, RC2
+smtpd_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL, SEED, IDEA, RC2
+smtp_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL, SEED, IDEA, RC2
+smtp_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL, SEED, IDEA, RC2
+smtpd_tls_eecdh_grade=ultra
+smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
+#smtpd_tls_dh1024_param_file = /srv/config/tls/dh4096.pem
+#smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+#smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+#smtp_tls_policy_maps = lmdb:/srv/tmp/tls-policies
+########
+##
+## SASL Configuration Configuration
+##
+smtpd_sasl_type = dovecot
+smtpd_sasl_path = inet:dovecot-internal:12345
+smtpd_sasl_auth_enable = yes
+broken_sasl_auth_clients = yes
+smtpd_sasl_security_options = noanonymous, noplaintext
+smtpd_sasl_tls_security_options = noanonymous
+smtpd_tls_auth_only = yes
+virtual_transport = lmtp:inet:dovecot-internal:24
+########
+##
+## Postscreen Configuration
+##
+postscreen_access_list = permit_mynetworks
+postscreen_blacklist_action = drop
+postscreen_greet_action = enforce
+postscreen_dnsbl_action = enforce
+postscreen_dnsbl_threshold = 3
+postscreen_dnsbl_whitelist_threshold = -1
+postscreen_dnsbl_sites =
+        zen.spamhaus.org*3,
+        ix.dnsbl.manitu.net*3,
+        multi.uribl.com,
+        bl.spamcop.net,
+        b.barracudacentral.org,
+        dnsbl-1.uceprotect.net,
+        safe.dnsbl.sorbs.net,
+        ubl.unsubscore.com,
+        psbl.surriel.com,
+        dnsbl.inps.de,
+        swl.spamhaus.org*-10,
+        list.dnswl.org=127.0.[0..255].1*-2,
+        list.dnswl.org=127.0.[0..255].2*-10,
+        list.dnswl.org=127.0.[0..255].3*-100
+########
+##
+## SMTPD Restrictions Configuration
+##
+smtpd_recipient_restrictions =
+#        check_recipient_access btree:/srv/config/access_recipient,
+#        check_recipient_access pgsql:/srv/tmp/recipient-access.cf
+#        check_client_access cidr:/srv/config/access_client,
+#        check_helo_access btree:/srv/config/access_helo,
+#        check_sender_access btree:/srv/config/access_sender,
+        reject_non_fqdn_sender,
+        reject_non_fqdn_recipient,
+        reject_unknown_sender_domain,
+        reject_unknown_recipient_domain,
+        reject_invalid_hostname,
+		warn_if_reject reject_unauth_pipelining,
+        permit_sasl_authenticated,
+        permit_mynetworks,
+		reject_unverified_recipient,
+        reject_unauth_destination,
+        permit
+smtpd_sender_restrictions =
+	permit_mynetworks,
+	reject_non_fqdn_sender,
+	reject_authenticated_sender_login_mismatch,
+	permit_sasl_authenticated
+#smtpd_restriction_classes = local_only
+#local_only =
+#        check_recipient_access btree:/srv/config/local_domains,
+#        check_sender_access regexp:/srv/config/local_only_reject.regexp
+########
+##
+## Virtual Maps Configuration
+##
+virtual_uid_maps = static:5000
+virtual_gid_maps = static:5000
+virtual_alias_maps = lmdb:/srv/tmp/aliases
+virtual_mailbox_maps = lmdb:/srv/tmp/mailboxes
+virtual_mailbox_domains = lmdb:/srv/tmp/domains
+local_recipient_maps = $virtual_mailbox_maps
+########
+##
+## Miscellaneous
+##
+default_database_type = btree
+#mime_header_checks = pcre:/srv/config/mime_header_checks.pcre
+maximal_queue_lifetime = 1d
+bounce_queue_lifetime = 1d
+unverified_recipient_reject_code = 577
+compatibility_level = 2
--- a/images/postfix/config/master.cf
+++ b/images/postfix/config/master.cf
+# ==========================================================================
+# service type  private unpriv  chroot  wakeup  maxproc command + args
+#               (yes)   (yes)   (yes)   (never) (100)
+# ==========================================================================
+#smtp      inet  n       -       -       -       1       postscreen
+#smtpd     pass  -       -       -       -       -       smtpd
+#dnsblog   unix  -       -       -       -       0       dnsblog
+#tlsproxy  unix  -       -       -       -       0       tlsproxy
+#smtps     inet  n       -       -       -       -       smtpd
+#  -o syslog_name=postfix/smtps
+#  -o smtpd_tls_wrappermode=yes
+#  -o smtpd_sasl_auth_enable=yes
+#  -o smtpd_reject_unlisted_recipient=no
+#  -o smtpd_client_restrictions=$mua_client_restrictions
+#  -o smtpd_helo_restrictions=$mua_helo_restrictions
+#  -o smtpd_sender_restrictions=$mua_sender_restrictions
+#  -o smtpd_recipient_restrictions=
+#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+#  -o milter_macro_daemon_name=ORIGINATING
+#628       inet  n       -       -       -       -       qmqpd
+smtp       inet  n       -       y       -       -       smtpd
+    -o smtpd_tls_received_header=yes
+    -o content_filter=
+pickup     unix  n       -       y       60      1       pickup
+    -o receive_override_options=no_header_body_checks
+cleanup    unix  n       -       y       -       0       cleanup
+qmgr      unix  n       -       n       300     1       qmgr
+#qmgr     unix  n       -       n       300     1       oqmgr
+tlsmgr     unix  -       -       y       1000?   1       tlsmgr
+rewrite    unix  -       -       y       -       -       trivial-rewrite
+bounce     unix  -       -       y       -       0       bounce
+defer      unix  -       -       y       -       0       bounce
+trace      unix  -       -       y       -       0       bounce
+verify     unix  -       -       y       -       1       verify
+flush      unix  n       -       y       1000?   0       flush
+proxymap  unix  -       -       n       -       -       proxymap
+proxywrite unix -       -       n       -       1       proxymap
+smtp       unix  -       -       y       -       -       smtp
+#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
+relay      unix  -       -       y       -       -       smtp
+showq      unix  n       -       y       -       -       showq
+error      unix  -       -       y       -       -       error
+retry      unix  -       -       y       -       -       error
+discard    unix  -       -       y       -       -       discard
+local     unix  -       n       n       -       -       local
+virtual   unix  -       n       n       -       -       virtual
+lmtp       unix  -       -       y       -       -       lmtp
+anvil      unix  -       -       y       -       1       anvil
+#
+# ====================================================================
+# Interfaces to non-Postfix software. Be sure to examine the manual
+# pages of the non-Postfix software to find out what options it wants.
+#
+# Many of the following services use the Postfix pipe(8) delivery
+# agent.  See the pipe(8) man page for information about ${recipient}
+# and other message envelope options.
+# ====================================================================
+#
+# maildrop. See the Postfix MAILDROP_README file for details.
+# Also specify in main.cf: maildrop_destination_recipient_limit=1
+#
+scache     unix  -       -       y       -       1       scache
+maildrop  unix  -       n       n       -       -       pipe
+  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
+#
+# ====================================================================
+#
+# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
+#
+# Specify in cyrus.conf:
+#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
+#
+# Specify in main.cf one or more of the following:
+#  mailbox_transport = lmtp:inet:localhost
+#  virtual_transport = lmtp:inet:localhost
+#
+# ====================================================================
+#
+# Cyrus 2.1.5 (Amos Gouaux)
+# Also specify in main.cf: cyrus_destination_recipient_limit=1
+#
+#cyrus     unix  -       n       n       -       -       pipe
+#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
+#
+# ====================================================================
+# Old example of delivery via Cyrus.
+#
+#old-cyrus unix  -       n       n       -       -       pipe
+#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
+#
+# ====================================================================
+#
+# See the Postfix UUCP_README file for configuration details.
+#
+uucp      unix  -       n       n       -       -       pipe
+  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
+#
+# Other external delivery methods.
+#
+ifmail    unix  -       n       n       -       -       pipe
+  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
+bsmtp     unix  -       n       n       -       -       pipe
+  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
+scalemail-backend unix	-	n	n	-	2	pipe
+  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
+mailman   unix  -       n       n       -       -       pipe
+  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
+  ${nexthop} ${user}
+submission inet  n       -       y       -       -       smtpd
+    -o syslog_name=postfix/submission
+    -o smtpd_tls_security_level=encrypt
+    -o tls_preempt_cipherlist=yes
+    -o smtpd_sasl_type=dovecot
+    -o smtpd_sasl_path=inet:dovecot-internal:12345
+    -o smtpd_sasl_security_options=noanonymous
+    -o smtpd_sasl_auth_enable=yes
+    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+    -o smtpd_sender_login_maps=lmdb:/srv/tmp/sender-login-maps
+    -o cleanup_service_name=headers-cleanup
+submissions inet  n       -       y       -       -       smtpd
+    -o syslog_name=postfix/submissions
+    -o smtpd_tls_wrappermode=yes
+    -o smtpd_tls_security_level=encrypt
+    -o tls_preempt_cipherlist=yes
+    -o smtpd_sasl_type=dovecot
+    -o smtpd_sasl_path=inet:dovecot-internal:12345
+    -o smtpd_sasl_security_options=noanonymous
+    -o smtpd_sasl_auth_enable=yes
+    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+    -o smtpd_sender_login_maps=lmdb:/srv/tmp/sender-login-maps
+    -o cleanup_service_name=headers-cleanup
+dovecot   unix  -       n       n       -       -       pipe flags=DRhu
+  user=vmail:vmail argv=/usr/lib/dovecot/deliver -d ${recipient}
+#smtp-amavis unix -       -       y       -       2       smtp
+#    -o smtp_data_done_timeout=1800
+#    -o smtp_send_xforward_command=yes
+#    -o disable_mime_output_conversion=yes
+#    -o smtp_generic_maps=
+#127.0.0.1:10025 inet n   -       y       -       -       smtpd
+#    -o content_filter=
+#    -o smtpd_proxy_filter=
+#    -o smtpd_authorized_xforward_hosts=127.0.0.0/8
+#    -o smtpd_client_restrictions=
+#    -o smtpd_helo_restrictions=
+#    -o smtpd_sender_restrictions=
+#    -o smtpd_recipient_restrictions=permit_mynetworks,reject
+#    -o smtpd_data_restrictions=
+#    -o mynetworks=127.0.0.0/8
+#    -o receive_override_options=no_unknown_recipient_checks
+##        -o header_checks=pcre:/etc/postfix/submission_header_checks.pcre
+#127.0.0.1:10027 inet n   -       y       -       -       smtpd
+#    -o content_filter=smtp-amavis:[127.0.0.1]:10028
+#    -o smtpd_proxy_filter=
+#    -o smtpd_authorized_xforward_hosts=127.0.0.0/8
+#    -o smtpd_client_restrictions=
+#    -o smtpd_helo_restrictions=
+#    -o smtpd_sender_restrictions=
+#    -o smtpd_recipient_restrictions=permit_mynetworks,reject
+#    -o smtpd_data_restrictions=
+#    -o mynetworks=127.0.0.0/8
+#    -o receive_override_options=no_unknown_recipient_checks
+#    -o cleanup_service_name=subcleanup
+subcleanup unix  n       -       y       -       0       cleanup
+#    -o header_checks=pcre:/srv/config/submission_header_checks.pcre
+headers-cleanup unix n - - - 0 cleanup
+ -o syslog_name=postfix/headers-cleanup
+ -o header_checks=regexp:/etc/postfix/header_checks
--- a/images/postfix/docker/rsyslog.conf
+++ b/images/postfix/docker/rsyslog.conf
+$ModLoad immark.so # provides --MARK-- message capability
+$ModLoad imuxsock.so # provides support for local system logging (e.g. via logger command)
+# default permissions for all log files.
+$FileOwner root
+$FileGroup adm
+$FileCreateMode 0640
+$DirCreateMode 0755
+$Umask 0022
+#*.info							/dev/stdout
+#mail.*							/dev/stdout
+mail.info /dev/stdout
\ No newline at end of file
--- a/images/postfix/docker/start.sh
+++ b/images/postfix/docker/start.sh
+#!/bin/bash
+SHOULD_EXIT_EARLY=false
+function var_not_set {
+    echo "Environment variable $1 is not set"
+    SHOULD_EXIT_EARLY=true
+}
+########
+##
+## Variables
+##
+if [ -z $HOSTNAME ]; then
+    HOSTNAME="$(hostname -f)"
+fi
+########
+##
+## Test if we should return early
+##
+if [ $SHOULD_EXIT_EARLY = true ]; then
+    exit 1
+fi
+########
+##
+## Preparation
+##
+########
+##
+## Postfix Configuration
+##
+postconf -e "myhostname = $HOSTNAME"
+cp /srv/virtual/* /srv/tmp
+find /srv/tmp -type f -exec postmap lmdb://{} \;
+########
+##
+## Kube DNS Support
+##
+cp /etc/resolv.conf /var/spool/postfix/etc/
+########
+##
+## Start
+##
+# exec postfix start
+exec supervisord -c /etc/supervisord.conf
--- a/images/postfix/docker/supervisord.conf
+++ b/images/postfix/docker/supervisord.conf
+[supervisord]
+user            = root
+nodaemon        = true
+logfile         = /dev/null
+logfile_maxbytes= 0
+[program:rsyslog]
+command         = rsyslogd -n
+autostart       = true
+autorestart     = true
+startsecs       = 2
+stopwaitsecs    = 2
+stdout_logfile  = /dev/stdout
+stderr_logfile  = /dev/stderr
+stdout_logfile_maxbytes = 0
+stderr_logfile_maxbytes = 0
+[program:postfix]
+process_name    = master
+autostart       = true
+autorestart     = false
+directory       = /etc/postfix
+command         = /usr/sbin/postfix -c /etc/postfix start
+startsecs       = 0
\ No newline at end of file