
a7203db0a58e4c44171294e94198b73681f6312d — Dominic Ricottone 1 year, 2 months ago bae25e4
Continuation of Postfix redesign

It took frustratingly long to realize that the widely publicized home
for SASL (database in `/etc/sasldb2`, configurations in
`/etc/postfix/sasl`) are at least completely wrong for Alpine Linux, and
probably completely wrong for most distributions. (Everything is in
`/etc/sasl2`, in case you're wondering.)

Logging to stderr is added. One guess as to why I needed to add this.

I've also learned that while bracketing a hostname (i.e.
`smtp:[mail.relay.com]:25`) halts MX record lookups, it does *not* halt
A record lookups. To ensure accurate delivery of mail, Postfix
would much prefer to use public DNS over local name resolution. Luckily
I agree with this design; the opposite behavior only makes sense if a
server isn't delivering to the open internet at all. Precisely the
intended use of the `:tls-in` image. So, that image will no longer do DNS.
M postfix/Dockerfile => postfix/Dockerfile +2 -1
@@ 8,7 8,8 @@ COPY entrypoint.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh

RUN mkdir /etc/postfix/sasl && chmod 700 /etc/postfix/sasl
COPY smtpd.conf /etc/postfix/sasl/smtpd.conf
RUN mkdir /etc/sasl2
COPY smtpd.conf /etc/sasl2/smtpd.conf

RUN addgroup -S mailer
RUN adduser -SD -s /bin/sh -G mailer -g mailer mailer
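Review bot: The new `RUN mkdir /etc/sasl2` creates the directory with the default mode, whereas the previous SASL location was explicitly restricted with `chmod 700`, so that restriction silently disappears at the new path; the README bind-mounts the runtime `sasldb2` (the credential store) into this directory. Decide the mode explicitly and record it in the Dockerfile: either `RUN mkdir -m 700 /etc/sasl2` if only root needs it, or a comment stating that the wider default is required because the `smtpd` process must traverse the directory to read `sasldb2` (I cannot confirm from here which user reads it at runtime). The same applies to postfix/Dockerfile.tls-in.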

M postfix/Dockerfile.tls-in => postfix/Dockerfile.tls-in +2 -1
@@ 8,7 8,8 @@ COPY entrypoint.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh

RUN mkdir /etc/postfix/sasl && chmod 700 /etc/postfix/sasl
COPY smtpd.conf /etc/postfix/sasl/smtpd.conf
RUN mkdir /etc/sasl2
COPY smtpd.conf /etc/sasl2/smtpd.conf

RUN addgroup -S mailer
RUN adduser -SD -s /bin/sh -G mailer -g mailer mailer

M postfix/README.md => postfix/README.md +2 -2
@@ 72,8 72,8 @@ $conman run --detach --name postfix --restart always \
  --mount type=bind,src=$genericfile,dst=/etc/postfix/generic,readonly \
  --mount type=bind,src=$transportfile,dst=/etc/postfix/transport,readonly \
  --mount type=bind,src=$saslfile,dst=/etc/postfix/sasl/sasl_passwd,readonly \
  --mount type=bind,src=$sasldb,dst=/etc/sasldb2,readonly \
  --env DOMAIN=example.com --env DESTINATION="mail.example.com" \
  --mount type=bind,src=$sasldb,dst=/etc/sasl2/sasldb2,readonly \
  --env DOMAIN=example.com --env HOSTNAME=mail-1 --env DESTINATION="mail-2.example.com, mail-3.example.com" \
  --publish 0.0.0.0:25:25 --publish 0.0.0.0:465:465 \
  registry.intra.dominic-ricottone.com/postfix:latest
```

M postfix/entrypoint.sh => postfix/entrypoint.sh +2 -1
@@ 5,7 5,8 @@ postmap /etc/postfix/generic
postmap /etc/postfix/sasl/sasl_passwd

sed -i /etc/postfix/main.cf -e "s/^mydomain.*/mydomain = ${DOMAIN}/"
sed -i /etc/postfix/main.cf -e "s/^mydestination.*/mydestination = \$myhostname, ${DESTINATION}, localhost, localhost.localdomain/"
sed -i /etc/postfix/main.cf -e "s/^myhostname.*/myhostname = ${HOSTNAME}.${DOMAIN}/"
sed -i /etc/postfix/main.cf -e "s/^mydestination.*/mydestination = \$mydomain, \$myhostname, ${DESTINATION}, localhost, localhost.localdomain/"

exec "$@"
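Review bot: The new `myhostname` substitution interpolates `${HOSTNAME}` straight into a sed `s///` expression, and `HOSTNAME` is a variable that shells and container runtimes commonly set on their own (typically to the container ID), so omitting `--env HOSTNAME` will not fail but will silently produce `myhostname = <container-id>.${DOMAIN}`. Any of the three variables containing `/`, `&` or `\` also alters or breaks the sed expression. `postconf -e` is the Postfix-native way to edit main.cf and has no delimiter problem: `postconf -e "myhostname = ${HOSTNAME}.${DOMAIN}"`; consider a distinctly named variable (e.g. `POSTFIX_HOSTNAME`) guarded by `: "${POSTFIX_HOSTNAME:?}"` so a missing value aborts startup instead of going unnoticed. The `mydomain` and `mydestination` lines are affected the same way.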


M postfix/main.cf => postfix/main.cf +12 -5
@@ 8,8 8,8 @@ inet_protocols = ipv4
inet_interfaces = all

# Values for default settings
mydomain = dominic-ricottone.com
myhostname = fedora3.$mydomain
mydomain = example.com
myhostname = mail.example.com
mydestination = $myhostname, todo.$mydomain, lists.$mydomain, localhost, localhost.localdomain
myorigin = $mydomain



@@ 22,13 22,20 @@ smtp_generic_maps = lmdb:/etc/postfix/generic
# Transport map
transport_maps = lmdb:/etc/postfix/transport

# Logging
maillog_file = /dev/stdout

# Authentication
cyrus_sasl_config_path = /etc/postfix/sasl/
cyrus_sasl_config_path = /etc/sasl2/
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = lmdb:/etc/postfix/sasl/sasl_passwd
smtp_sasl_security_options = noanonymous
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_path = smtpd
#smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_security_options = noanonymous
smtpd_sasl_service = smtpd
smtpd_sasl_tls_security_options = noanonymous
smtpd_tls_auth_only = yes



@@ 38,7 45,7 @@ smtp_tls_security_level = encrypt
smtpd_tls_chain_files = /var/letsencrypt/chain.pem
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = >=TLSv1.2
smtpd_tls_security_level = may
smtpd_tls_security_level = encrypt

# If set, mail destined for any member of `$mydestination` would be rejected if user lookup failed
local_recipient_maps =
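Review bot: `smtpd_tls_security_level = encrypt` (last hunk) makes STARTTLS mandatory for every inbound connection, and the README publishes this image on port 25; postconf(5) notes that mandatory TLS must not be applied to a publicly referenced MX (RFC 2487), because senders that do not offer TLS are rejected, so for an internet-facing MX `may` is the usual setting, with the already-present `smtpd_tls_auth_only = yes` keeping AUTH off cleartext sessions. If requiring TLS is deliberate for this image, say so next to the line, e.g. `# Mandatory TLS: senders without STARTTLS are rejected (intended)`. In the Authentication hunk, the original `smtpd_sasl_security_options = noanonymous, noplaintext` is left commented out with no explanation; since `smtpd_tls_auth_only = yes` means AUTH is never offered before TLS and `smtpd_sasl_tls_security_options` governs the TLS case, a one-line comment such as `# plaintext mechanisms allowed: AUTH is only offered inside TLS (smtpd_tls_auth_only)` would record why it was relaxed. The commented-out line recurs in postfix/main.cf.tls-in.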

M postfix/main.cf.tls-in => postfix/main.cf.tls-in +13 -5
@@ 8,8 8,8 @@ inet_protocols = ipv4
inet_interfaces = all

# Values for default settings
mydomain = dominic-ricottone.com
myhostname = fedora3.$mydomain
mydomain = example.com
myhostname = mail.example.com
mydestination = $myhostname, todo.$mydomain, lists.$mydomain, localhost, localhost.localdomain
myorigin = $mydomain



@@ 20,12 20,20 @@ smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
smtp_generic_maps = lmdb:/etc/postfix/generic

# Transport map
smtp_dns_support_level = disabled
transport_maps = lmdb:/etc/postfix/transport

# Logging
maillog_file = /dev/stdout

# Authentication
cyrus_sasl_config_path = /etc/postfix/sasl/
cyrus_sasl_config_path = /etc/sasl2/
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_path = smtpd
#smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_security_options = noanonymous
smtpd_sasl_service = smtpd
smtpd_sasl_tls_security_options = noanonymous
smtpd_tls_auth_only = yes



@@ 33,7 41,7 @@ smtpd_tls_auth_only = yes
smtpd_tls_chain_files = /var/letsencrypt/chain.pem
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = >=TLSv1.2
smtpd_tls_security_level = may
smtpd_tls_security_level = encrypt

# If set, mail destined for any member of `$mydestination` would be rejected if user lookup failed
local_recipient_maps =
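Review bot: `smtp_dns_support_level = disabled` (second hunk) is inserted under the `# Transport map` heading, where it reads as part of the transport configuration, and the reason it exists — this image is not meant to deliver to the open internet, so relay hosts should resolve through the local resolver rather than public DNS — lives only in the commit message. Give it its own heading and rationale above the line, e.g. `# Name resolution: inbound-only image that never delivers to the open internet; use the local resolver, no DNS/MX lookups`. As far as I recall, with this setting both bracketed and unbracketed destinations are resolved via the system resolver, so every host named in /etc/postfix/transport must be resolvable locally (e.g. via /etc/hosts) — worth stating in the README for this image as well.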

M postfix/main.cf.tls-out => postfix/main.cf.tls-out +5 -2
@@ 8,8 8,8 @@ inet_protocols = ipv4
mynetworks = 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16

# Values for default settings
mydomain = dominic-ricottone.com
myhostname = fedora3.$mydomain
mydomain = example.com
myhostname = mail.example.com
mydestination = $myhostname, todo.$mydomain, lists.$mydomain, localhost, localhost.localdomain
myorigin = $mydomain



@@ 22,6 22,9 @@ smtp_generic_maps = lmdb:/etc/postfix/generic
# Transport map
transport_maps = lmdb:/etc/postfix/transport

# Logging
maillog_file = /dev/stdout

# Authentication
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = lmdb:/etc/postfix/sasl/sasl_passwd