Re-fixing encryption So while I will continue to prefer port 465, in order to support public-facing port 587, it really is best to enable wrapper mode only for the appropriate service. In which case, it should be enabled in `master.cf` NOT `main.cf`. Also, to better set relay restrictions, I'm fixing `mydestinations` and adding `relay_domains`.
Fix encryption setup Configuration was a bit confused on account of running both SMTPD and Submission ports. I am going to prefer port 465 with implicit TLS, and to correctly support that mode I am setting wrapper mode on.
Adding recipient_canonical maps to Postfix
Continuation of Postfix redesign It took frustratingly long to realize that the widely publicized home for SASL (database in `/etc/sasldb2`, configurations in `/etc/postfix/sasl`) are at least completely wrong for Alpine Linux, and probably completely wrong for most distributions. (Everything is in `/etc/sasl2`, in case you're wondering.) Logging to stderr is added. One guess as to why I needed to add this. I've also learned that while bracketing a hostname (i.e. `smtp:[mail.realy.com]:25`) halts MX record lookups, it does *not* halt A record lookups. To ensure accurate delivery of mail, Postfix would much prefer to use public DNS over local name resolution. Luckily I agree with this design; the opposite behavior only makes sense if a server isn't delivering to the open internet at all. Precisely the intended use of the `:tls-in` image. So, that image will no longer do DNS.
Postfix redesign Now there are three images tags for `postfix`. `:latest` uses encryption and authentication for inbound and outbound mail. It listens on posts 25 and 465. Because it authenticates, I dropped the requirement for senders to have a LAN IP. `:tls-in` drops outbound encryption and authentication. This is generally going to be useful for receiving mail and handing it to a local service. `:tls-out` drops inbound encryption and authentication and listining on port 465. This is useful for relaying mail off of a trusted host.