From a7203db0a58e4c44171294e94198b73681f6312d Mon Sep 17 00:00:00 2001
From: Dominic Ricottone
Date: Wed, 21 Jun 2023 22:30:42 -0500
Subject: [PATCH] Continuation of Postfix redesign

It took frustratingly long to realize that the widely publicized home for SASL (database in `/etc/sasldb2`, configurations in `/etc/postfix/sasl`) are at least completely wrong for Alpine Linux, and probably completely wrong for most distributions. (Everything is in `/etc/sasl2`, in case you're wondering.) Logging to stderr is added. One guess as to why I needed to add this. I've also learned that while bracketing a hostname (i.e. `smtp:[mail.realy.com]:25`) halts MX record lookups, it does *not* halt A record lookups. To ensure accurate delivery of mail, Postfix would much prefer to use public DNS over local name resolution. Luckily I agree with this design; the opposite behavior only makes sense if a server isn't delivering to the open internet at all. Precisely the intended use of the `:tls-in` image. So, that image will no longer do DNS.
---
postfix/Dockerfile | 3 ++-
postfix/Dockerfile.tls-in | 3 ++-
postfix/README.md | 4 ++--
postfix/entrypoint.sh | 3 ++-
postfix/main.cf | 17 ++++++++++++-----
postfix/main.cf.tls-in | 18 +++++++++++++-----
postfix/main.cf.tls-out | 7 +++++--
7 files changed, 38 insertions(+), 17 deletions(-)
diff --git a/postfix/Dockerfile b/postfix/Dockerfile
index 26ab8d8..07305e5 100644
--- a/postfix/Dockerfile
+++ b/postfix/Dockerfile
@@ -8,7 +8,8 @@ COPY entrypoint.sh /entrypoint.sh
 RUN chmod +x /entrypoint.sh
 RUN mkdir /etc/postfix/sasl && chmod 700 /etc/postfix/sasl
-COPY smtpd.conf /etc/postfix/sasl/smtpd.conf
+RUN mkdir /etc/sasl2
+COPY smtpd.conf /etc/sasl2/smtpd.conf
 RUN addgroup -S mailer
 RUN adduser -SD -s /bin/sh -G mailer -g mailer mailer
diff --git a/postfix/Dockerfile.tls-in b/postfix/Dockerfile.tls-in
index e6f1c47..1269f6b 100644
--- a/postfix/Dockerfile.tls-in
+++ b/postfix/Dockerfile.tls-in
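Review bot: The new `RUN mkdir /etc/sasl2` creates the directory with default permissions, while the line above still locks `/etc/postfix/sasl` to mode 700 even though only `sasl_passwd` remains there; the README hunk now bind-mounts `sasldb2`, the credential database, into `/etc/sasl2`, so the unprotected directory is the more sensitive of the two. A bind-mounted file keeps the host's ownership and mode, so the Dockerfile alone cannot protect it, but the directory should not be looser than the old one, and the README should state what the host copy of `sasldb2` needs (readable by the account smtpd runs as — `postfix` by default, confirm for this image — and not world-readable). Consider `RUN mkdir -m 750 /etc/sasl2` with group ownership granted to that account, plus a comment such as `# Cyrus SASL on Alpine reads smtpd.conf and sasldb2 from /etc/sasl2` so the reason for the new path survives in the file. The same change appears in the Dockerfile.tls-in hunk.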
@@ -8,7 +8,8 @@ COPY entrypoint.sh /entrypoint.sh
 RUN chmod +x /entrypoint.sh
 RUN mkdir /etc/postfix/sasl && chmod 700 /etc/postfix/sasl
-COPY smtpd.conf /etc/postfix/sasl/smtpd.conf
+RUN mkdir /etc/sasl2
+COPY smtpd.conf /etc/sasl2/smtpd.conf
 RUN addgroup -S mailer
 RUN adduser -SD -s /bin/sh -G mailer -g mailer mailer
diff --git a/postfix/README.md b/postfix/README.md
index 6bbca96..91c069d 100644
--- a/postfix/README.md
+++ b/postfix/README.md
@@ -72,8 +72,8 @@ $conman run --detach --name postfix --restart always \
 --mount type=bind,src=$genericfile,dst=/etc/postfix/generic,readonly \
 --mount type=bind,src=$transportfile,dst=/etc/postfix/transport,readonly \
 --mount type=bind,src=$saslfile,dst=/etc/postfix/sasl/sasl_passwd,readonly \
- --mount type=bind,src=$sasldb,dst=/etc/sasldb2,readonly \
- --env DOMAIN=example.com --env DESTINATION="mail.example.com" \
+ --mount type=bind,src=$sasldb,dst=/etc/sasl2/sasldb2,readonly \
+ --env DOMAIN=example.com --env HOSTNAME=mail-1 --env DESTINATION="mail-2.example.com, mail-3.example.com" \
 --publish 0.0.0.0:25:25 --publish 0.0.0.0:465:465 \
 registry.intra.dominic-ricottone.com/postfix:latest
 ```
diff --git a/postfix/entrypoint.sh b/postfix/entrypoint.sh
index 2e7b7b4..37dab2c 100644
--- a/postfix/entrypoint.sh
+++ b/postfix/entrypoint.sh
@@ -5,7 +5,8 @@ postmap /etc/postfix/generic
 postmap /etc/postfix/sasl/sasl_passwd
 sed -i /etc/postfix/main.cf -e "s/^mydomain.*/mydomain = ${DOMAIN}/"
-sed -i /etc/postfix/main.cf -e "s/^mydestination.*/mydestination = \$myhostname, ${DESTINATION}, localhost, localhost.localdomain/"
+sed -i /etc/postfix/main.cf -e "s/^myhostname.*/myhostname = ${HOSTNAME}.${DOMAIN}/"
+sed -i /etc/postfix/main.cf -e "s/^mydestination.*/mydestination = \$mydomain, \$myhostname, ${DESTINATION}, localhost, localhost.localdomain/"
 exec "$@"
diff --git a/postfix/main.cf b/postfix/main.cf
index f5f0c05..c74df29 100644
--- a/postfix/main.cf
+++ b/postfix/main.cf
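Review bot: The new `myhostname` substitution reads `${HOSTNAME}`, a name Docker already sets in the container environment (to the container's own hostname, normally the container ID) and that some shells populate too, so a deployment that forgets `--env HOSTNAME` gets a syntactically valid but wrong `myhostname = <containerid>.example.com` instead of an error; an empty `DOMAIN` or `DESTINATION` is likewise accepted silently and produces `myhostname = .`. Add guards ahead of the `sed` lines, e.g. `: "${DOMAIN:?DOMAIN must be set}"`, `: "${HOSTNAME:?HOSTNAME must be set}"`, `: "${DESTINATION:?DESTINATION must be set}"`, and consider a non-colliding name such as `MAIL_HOSTNAME` if changing the documented variable is acceptable. The values are also interpolated unescaped into a `sed` expression, so a value containing `/` or `&` corrupts main.cf; these come from the operator rather than the network, so rejecting those characters in the same guard is enough. The script's shebang and first lines are outside the hunk.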
@@ -8,8 +8,8 @@ inet_protocols = ipv4
 inet_interfaces = all
 # Values for default settings
-mydomain = dominic-ricottone.com
-myhostname = fedora3.$mydomain
+mydomain = example.com
+myhostname = mail.example.com
 mydestination = $myhostname, todo.$mydomain, lists.$mydomain, localhost, localhost.localdomain
 myorigin = $mydomain
@@ -22,13 +22,20 @@ smtp_generic_maps = lmdb:/etc/postfix/generic
 # Transport map
 transport_maps = lmdb:/etc/postfix/transport
+# Logging
+maillog_file = /dev/stdout
+
 # Authentication
-cyrus_sasl_config_path = /etc/postfix/sasl/
+cyrus_sasl_config_path = /etc/sasl2/
 smtp_sasl_auth_enable = yes
 smtp_sasl_password_maps = lmdb:/etc/postfix/sasl/sasl_passwd
 smtp_sasl_security_options = noanonymous
 smtpd_sasl_auth_enable = yes
-smtpd_sasl_security_options = noanonymous, noplaintext
+smtpd_sasl_local_domain = $mydomain
+smtpd_sasl_path = smtpd
+#smtpd_sasl_security_options = noanonymous, noplaintext
+smtpd_sasl_security_options = noanonymous
+smtpd_sasl_service = smtpd
 smtpd_sasl_tls_security_options = noanonymous
 smtpd_tls_auth_only = yes
@@ -38,7 +45,7 @@ smtp_tls_security_level = encrypt
 smtpd_tls_chain_files = /var/letsencrypt/chain.pem
 smtpd_tls_mandatory_ciphers = high
 smtpd_tls_mandatory_protocols = >=TLSv1.2
-smtpd_tls_security_level = may
+smtpd_tls_security_level = encrypt
 # If set, mail destined for any member of `$mydestination` would be rejected if user lookup failed
 local_recipient_maps =
diff --git a/postfix/main.cf.tls-in b/postfix/main.cf.tls-in
index 805bbcd..d770fef 100644
--- a/postfix/main.cf.tls-in
+++ b/postfix/main.cf.tls-in
@@ -8,8 +8,8 @@ inet_protocols = ipv4
 inet_interfaces = all
 # Values for default settings
-mydomain = dominic-ricottone.com
-myhostname = fedora3.$mydomain
+mydomain = example.com
+myhostname = mail.example.com
 mydestination = $myhostname, todo.$mydomain, lists.$mydomain, localhost, localhost.localdomain
 myorigin = $mydomain
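Review bot: Dropping `noplaintext` from `smtpd_sasl_security_options` and keeping the old value as a commented-out line records what changed but not why, and a later reader will be tempted to re-enable it. Since `smtpd_tls_auth_only = yes` is in the context and the following hunk makes TLS mandatory, PLAIN/LOGIN are only ever offered inside a TLS session, so the relaxation is defensible — that reasoning should replace the dead line, e.g. `# PLAIN/LOGIN are acceptable here because smtpd_tls_auth_only = yes keeps AUTH inside TLS`. `smtpd_sasl_path = smtpd` and `smtpd_sasl_service = smtpd` both restate Postfix's defaults, so they are harmless but should either be dropped or annotated as deliberate. The same commented-out line is added in the main.cf.tls-in hunk at `@@ -20,12 +20,20 @@`.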
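Review bot: `smtpd_tls_security_level = encrypt` in main.cf applies to every smtpd instance, including the port-25 listener the README publishes on 0.0.0.0; RFC 3207 says a publicly referenced SMTP server must not require STARTTLS for inbound delivery, and in practice this setting bounces mail from any sender that does not offer TLS. If the goal is to require TLS only for authenticated submission, `may` already achieves that here because `smtpd_tls_auth_only = yes` gates AUTH on TLS, and `-o smtpd_tls_security_level=encrypt` belongs on the smtps/submission services in master.cf, which this patch does not touch. If refusing cleartext on 25 is a deliberate choice for this deployment, a comment saying so — e.g. `# Mandatory TLS on all listeners, including 25: this host is not a public MX` — would stop a future reader from reverting it. The same change is made in the main.cf.tls-in hunk at `@@ -33,7 +41,7 @@`.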
@@ -20,12 +20,20 @@ smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
 smtp_generic_maps = lmdb:/etc/postfix/generic
 # Transport map
+smtp_dns_support_level = disabled
 transport_maps = lmdb:/etc/postfix/transport
+# Logging
+maillog_file = /dev/stdout
+
 # Authentication
-cyrus_sasl_config_path = /etc/postfix/sasl/
+cyrus_sasl_config_path = /etc/sasl2/
 smtpd_sasl_auth_enable = yes
-smtpd_sasl_security_options = noanonymous, noplaintext
+smtpd_sasl_local_domain = $mydomain
+smtpd_sasl_path = smtpd
+#smtpd_sasl_security_options = noanonymous, noplaintext
+smtpd_sasl_security_options = noanonymous
+smtpd_sasl_service = smtpd
 smtpd_sasl_tls_security_options = noanonymous
 smtpd_tls_auth_only = yes
@@ -33,7 +41,7 @@ smtpd_tls_auth_only = yes
 smtpd_tls_chain_files = /var/letsencrypt/chain.pem
 smtpd_tls_mandatory_ciphers = high
 smtpd_tls_mandatory_protocols = >=TLSv1.2
-smtpd_tls_security_level = may
+smtpd_tls_security_level = encrypt
 # If set, mail destined for any member of `$mydestination` would be rejected if user lookup failed
 local_recipient_maps =
diff --git a/postfix/main.cf.tls-out b/postfix/main.cf.tls-out
index 9c6a86b..7f1e6b0 100644
--- a/postfix/main.cf.tls-out
+++ b/postfix/main.cf.tls-out
@@ -8,8 +8,8 @@ inet_protocols = ipv4
 mynetworks = 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
 # Values for default settings
-mydomain = dominic-ricottone.com
-myhostname = fedora3.$mydomain
+mydomain = example.com
+myhostname = mail.example.com
 mydestination = $myhostname, todo.$mydomain, lists.$mydomain, localhost, localhost.localdomain
 myorigin = $mydomain
@@ -22,6 +22,9 @@ smtp_generic_maps = lmdb:/etc/postfix/generic
 # Transport map
 transport_maps = lmdb:/etc/postfix/transport
+# Logging
+maillog_file = /dev/stdout
+
 # Authentication
 smtp_sasl_auth_enable = yes
 smtp_sasl_password_maps = lmdb:/etc/postfix/sasl/sasl_passwd
--
2.45.2
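Review bot: `smtp_dns_support_level = disabled` is inserted directly under the `# Transport map` comment, which no longer describes what follows it, and the file itself gives no hint that this single line is what distinguishes the tls-in image from the others; the reasoning lives only in the commit message. Suggest a comment of its own above it, e.g. `# No DNS for outbound delivery: relay targets come from the transport map and local name resolution only`. It is also worth stating in that comment that with DNS disabled the smtp client cannot use DNSSEC/DANE-based TLS policies, so nobody configures `smtp_tls_security_level = dane` for this image later and wonders why delivery fails.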
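Review bot: `maillog_file = /dev/stdout` sends the Postfix log to stdout, but the commit message says "Logging to stderr is added"; one of the two should be corrected so operators collecting container output look at the right stream. `maillog_file` also requires Postfix 3.4 or later and, per the Postfix logging documentation, writing to stdout in a container is meant to be used with `postfix start-fg`; since the entrypoint ends in `exec "$@"` and the actual command is not visible in this patch, a comment such as `# Requires Postfix >= 3.4; the container is expected to run "postfix start-fg"` would make the dependency explicit. The same line is added in the main.cf and main.cf.tls-in hunks.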