From 8182f5ad6e7755356f7f1eb412b2b3c47c5f791d Mon Sep 17 00:00:00 2001
From: f
Date: Tue, 10 Sep 2019 20:23:06 -0300
Subject: [PATCH 1/9] postfix
---
 Dockerfile | 83 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 monit.conf | 5 ++++
 postfix.sh | 23 +++++++++++++++
 3 files changed, 111 insertions(+)
 create mode 100644 monit.conf
 create mode 100644 postfix.sh
diff --git a/Dockerfile b/Dockerfile
index 59c5898..7559220 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,2 +1,85 @@
+# TODO: This configuration is only really useful for sending e-mail. It
+# receives and stores email for local users but we're not serving them
+# just yet.
 FROM sutty/monit:latest
 MAINTAINER "f "
+
+# Install postfix and certificates
+RUN apk add --no-cache postfix ca-certificates
+# Generate params and remove packages
+RUN install -dm 2750 -o root -g root /etc/ssl/private \
+ && apk add --no-cache gnutls-utils \
+ && certtool --generate-dh-params --outfile=/etc/ssl/private/2048.dh --bits=2048 \
+ && certtool --generate-dh-params --outfile=/etc/ssl/private/512.dh --bits=512 \
+ && apk del gnutls-utils
+# Configure postfix
+RUN postconf -e alias_maps='hash:/etc/postfix/aliases' \
+ && postconf -e transport_maps='hash:/etc/postfix/transport' \
+ && postconf -e recipient_delimiter='+' \
+ && postconf -e sendmail_path='/usr/sbin/sendmail' \
+ && postconf -e newaliases_path='/usr/bin/newaliases' \
+ && postconf -e mailq_path='/usr/bin/mailq' \
+ && postconf -e setgid_group='postdrop' \
+ && postconf -e manpage_directory='/usr/share/man' \
+ && postconf -e sample_directory='/etc/postfix/sample' \
+ && postconf -e readme_directory='/usr/share/doc/postfix' \
+ && postconf -e html_directory='no' \
+ && postconf -e soft_bounce='no' \
+ && postconf -e mydestination='$mydomain' \
+ && postconf -e inet_interfaces='all' \
+ && postconf -e local_recipient_maps='unix:passwd.byname $alias_maps' \
+ && postconf -e mynetworks_style='host' \
+ && postconf -e home_mailbox='Maildir/' \
+ && postconf -e message_size_limit=20480000 \
+ && postconf -e inet_protocols='all' \
+ && postconf -e disable_vrfy_command=yes \
+ && postconf -e smtpd_helo_required=yes \
+ && postconf -e smtpd_helo_restrictions='permit_mynetworks,permit_sasl_authenticated,reject_non_fqdn_helo_hostname,reject_invalid_helo_hostname,reject_unknown_helo_hostname,permit' \
+ && postconf -e 
smtpd_recipient_restrictions='reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,reject_non_fqdn_sender,reject_unlisted_recipient' \
+ && postconf -e smtpd_sender_restrictions='permit_mynetworks,permit_sasl_authenticated,reject_non_fqdn_sender,reject_unknown_sender_domain,permit' \
+ && postconf -e smtpd_data_restrictions='reject_unauth_pipelining' \
+ && postconf -e smtpd_client_restrictions='permit_mynetworks,permit_sasl_authenticated' \
+ && postconf -e smtpd_relay_restrictions='permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination' \
+ && postconf -e smtpd_use_tls='yes' \
+ && postconf -e smtpd_tls_auth_only='yes' \
+ && postconf -e smtp_use_tls='yes' \
+ && postconf -e smtp_tls_note_starttls_offer='yes' \
+ && postconf -e smtpd_tls_CApath='/etc/ssl/certs' \
+ && postconf -e tls_random_source='dev:/dev/urandom' \
+ && postconf -e smtpd_tls_dh1024_param_file='/etc/ssl/private/2048.dh' \
+ && postconf -e smtpd_tls_dh512_param_file='/etc/ssl/private/512.dh' \
+ && postconf -e tls_preempt_cipherlist='yes' \
+ && postconf -e smtpd_tls_security_level='may' \
+ && postconf -e smtpd_tls_eecdh_grade='strong' \
+ && postconf -e smtpd_tls_mandatory_ciphers='high' \
+ && postconf -e smtpd_tls_ciphers='medium' \
+ && postconf -e smtpd_tls_exclude_ciphers='aNULL,MD5,DES,3DES,DES-CBC3-SHA,RC4-SHA,AES256-SHA,AES128-SHA,eNULL,EXPORT,RC4,PSK,aECDH,EDH-DSS-DES-CBC3-SHA,EDH-RSA-DES-CDC3-SHA,KRB5-DE5,CBC3-SHA' \
+ && postconf -e smtpd_tls_mandatory_protocols='TLSv1' \
+ && postconf -e smtp_tls_ciphers='$smtpd_tls_ciphers' \
+ && postconf -e smtp_tls_mandatory_ciphers='$smtpd_tls_mandatory_ciphers' \
+ && postconf -e smtp_tls_protocols='!SSLv2,!SSLv3,TLSv1' \
+ && postconf -e smtpd_tls_loglevel='0' \
+ && postconf -e smtpd_tls_received_header='yes' \
+ && postconf -e smtpd_tls_session_cache_timeout='3600s' \
+ && postconf -e smtp_destination_concurrency_limit=2 \
+ && postconf -e 
smtp_destination_rate_delay=1s \
+ && postconf -e smtp_extra_recipient_limit=10 \
+ && postconf -e append_dot_mydomain=yes \
+ && postconf -e masquerade_domains='$mydomain'
+RUN newaliases
+RUN postmap /etc/postfix/transport
+
+# Enable service
+COPY ./monit.conf /etc/monit.d/postfix.conf
+COPY ./postfix.sh /usr/local/bin/postfix
+RUN chmod 755 /usr/local/bin/postfix
+
+# Check config
+RUN monit -t
+
+# Save email for later!
+VOLUME "/var/spool/postfix"
+VOLUME "/home"
+
+# Port
+EXPOSE 25
diff --git a/monit.conf b/monit.conf
new file mode 100644
index 0000000..a8dd38e
--- /dev/null
+++ b/monit.conf
@@ -0,0 +1,5 @@
+check process postfix with pidfile /var/spool/postfix/pid/master.pid
+ start program = "/usr/local/bin/postfix"
+ stop program = "/usr/sbin/postfix stop"
+ if 5 restarts within 8 cycles then alert
+ if failed port 25 protocol smtp for 3 times within 5 cycles then restart
diff --git a/postfix.sh b/postfix.sh
new file mode 100644
index 0000000..142b2c0
--- /dev/null
+++ b/postfix.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+# Reconfigure postfix according to environment
+postconf -e myhostname="${SUTTY}"
+postconf -e mydomain="${SUTTY}"
+postconf -e smtpd_tls_key_file="/etc/letsencrypt/live/${SUTTY}/privkey.pem"
+postconf -e smtpd_tls_cert_file="/etc/letsencrypt/live/${SUTTY}/fullchain.pem"
+postconf -e mynetworks="127.0.0.0/8 [::1]/128 `ip route | grep -v default | cut -d " " -f 1`"
+
+# Recreate users from ~
+for home in /home/*; do
+ user="${home##*/}"
+ test "${user}" = "*" && continue
+
+ uid="$(stat -c %u "${home}")"
+
+ # Skip if it already exists
+ getent passwd ${user} >/dev/null && continue
+
+ adduser -h ${home} -s /bin/false -G users -D -H -u ${uid} ${user}
+done
+
+exec /usr/sbin/postfix start
From 833502b6dce3f4c1bcc1eb2b4c6813bfaaf424aa Mon Sep 17 00:00:00 2001
From: f
Date: Fri, 27 Sep 2019 17:51:40 -0300
Subject: [PATCH 2/9] opendkim
---
 Dockerfile | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
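Review bot: `smtpd_tls_mandatory_protocols='TLSv1'` and `smtp_tls_protocols='!SSLv2,!SSLv3,TLSv1'` use Postfix's inclusion form, in which `TLSv1` names TLS 1.0 only (1.1 and 1.2 are separate names), so as far as I can tell this pins mandatory server TLS and every outbound client session to TLS 1.0 and disables the newer versions — the opposite of what the surrounding cipher hardening intends. The exclusion form is what this config wants: `&& postconf -e smtpd_tls_mandatory_protocols='!SSLv2,!SSLv3' \` and `&& postconf -e smtp_tls_protocols='!SSLv2,!SSLv3' \`. The 512-bit DH file is only consulted for EXPORT-grade ciphers, which `smtpd_tls_exclude_ciphers` already removes, so the `certtool ... --bits=512` step and `smtpd_tls_dh512_param_file` can be dropped; that exclude list also contains `EDH-RSA-DES-CDC3-SHA` and `KRB5-DE5`, which look like typos for `CBC3`/`DES` and are presumably ignored rather than excluded. `FROM sutty/monit:latest` is unpinned and `MAINTAINER` is deprecated in favour of `LABEL`.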
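Review bot: The `mynetworks=...` line trusts every directly connected prefix from `ip route | grep -v default`, and `permit_mynetworks` leads `smtpd_relay_restrictions`, `smtpd_sender_restrictions` and `smtpd_client_restrictions` in the Dockerfile, so any host on any network this container is attached to can relay through it without authentication; it also silently overrides the `mynetworks_style='host'` set at build time, which deserves a comment such as `# NOTE: every attached subnet may relay unauthenticated; keep this container on a private network`. `${SUTTY}` is interpolated unchecked into `myhostname` and the certificate paths, so an unset variable starts Postfix with `/etc/letsencrypt/live//privkey.pem`; a guard at the top of the script, `: "${SUTTY:?SUTTY must be set}"`, fails fast instead. In the user loop `${user}`, `${home}` and `${uid}` come from directory names on a mounted volume and should be quoted to avoid word splitting.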
diff --git a/Dockerfile b/Dockerfile
index 7559220..6df4fbb 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -65,7 +65,10 @@ RUN postconf -e alias_maps='hash:/etc/postfix/aliases' \
 && postconf -e smtp_destination_rate_delay=1s \
 && postconf -e smtp_extra_recipient_limit=10 \
 && postconf -e append_dot_mydomain=yes \
- && postconf -e masquerade_domains='$mydomain'
+ && postconf -e masquerade_domains='$mydomain' \
+ && postconf -e non_smtpd_milters=inet:opendkim:8891 \
+ && postconf -e smtpd_milters=inet:opendkim:8891
+
 RUN newaliases
 RUN postmap /etc/postfix/transport
From 6278ed6f95a4485f3de780adfc7a1d003fcb0596 Mon Sep 17 00:00:00 2001
From: f
Date: Thu, 3 Sep 2020 12:47:39 -0300
Subject: [PATCH 3/9] configurable domains and forwarding
---
 Dockerfile | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 6df4fbb..509bf26 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -25,7 +25,7 @@ RUN postconf -e alias_maps='hash:/etc/postfix/aliases' \
 && postconf -e readme_directory='/usr/share/doc/postfix' \
 && postconf -e html_directory='no' \
 && postconf -e soft_bounce='no' \
- && postconf -e mydestination='$mydomain' \
+ && postconf -e mydestination='/etc/postfix/maps/domains.cf' \
 && postconf -e inet_interfaces='all' \
 && postconf -e local_recipient_maps='unix:passwd.byname $alias_maps' \
 && postconf -e mynetworks_style='host' \
@@ -67,7 +67,8 @@ RUN postconf -e alias_maps='hash:/etc/postfix/aliases' \
 && postconf -e append_dot_mydomain=yes \
 && postconf -e masquerade_domains='$mydomain' \
 && postconf -e non_smtpd_milters=inet:opendkim:8891 \
- && postconf -e smtpd_milters=inet:opendkim:8891
+ && postconf -e smtpd_milters=inet:opendkim:8891 \
+ && postconf -e virtual_alias_maps=hash:/etc/postfix/maps/virtual
 RUN newaliases
 RUN postmap /etc/postfix/transport
@@ -82,6 +83,7 @@ RUN monit -t
 # Save email for later!
 VOLUME "/var/spool/postfix"
+VOLUME "/etc/postfix/maps"
 VOLUME "/home"
 # Port
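Review bot: `virtual_alias_maps=hash:/etc/postfix/maps/virtual` points into the `/etc/postfix/maps` volume declared in the next hunk, but neither the image nor `postfix.sh` ever runs `postmap` on it, so the compiled `.db` has to be supplied by whoever populates the volume, and a missing hash map makes Postfix log errors and defer or reject mail at lookup time. Either run `postmap /etc/postfix/maps/virtual` in `postfix.sh` before `exec /usr/sbin/postfix start`, or state the contract next to this line: `# /etc/postfix/maps must ship virtual.db (postmap) and domains.cf; nothing here builds them`. The same applies to `mydestination='/etc/postfix/maps/domains.cf'` in the first hunk, which Postfix reads as a plain file and which is presumably fatal at startup when absent. The RUN instruction starts and ends outside this hunk.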
From 882d89fb6613ba9050dc1d35d6bb2e7bebf5e13f Mon Sep 17 00:00:00 2001
From: f
Date: Tue, 8 Sep 2020 20:41:08 -0300
Subject: [PATCH 4/9] local sending and forwarding server
---
 Dockerfile | 15 +++++----------
 postfix.sh | 13 -------------
 2 files changed, 5 insertions(+), 23 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 509bf26..759f225 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,3 @@
-# TODO: This configuration is only really useful for sending e-mail. It
-# receives and stores email for local users but we're not serving them
-# just yet.
 FROM sutty/monit:latest
 MAINTAINER "f "
@@ -68,7 +65,11 @@ RUN postconf -e alias_maps='hash:/etc/postfix/aliases' \
 && postconf -e masquerade_domains='$mydomain' \
 && postconf -e non_smtpd_milters=inet:opendkim:8891 \
 && postconf -e smtpd_milters=inet:opendkim:8891 \
- && postconf -e virtual_alias_maps=hash:/etc/postfix/maps/virtual
+ && postconf -e virtual_alias_maps=hash:/etc/postfix/maps/virtual \
+ && postconf -e sender_canonical_maps=tcp:postsrsd:10001 \
+ && postconf -e sender_canonical_classes=envelope_sender \
+ && postconf -e recipient_canonical_maps=tcp:postsrsd:10002 \
+ && postconf -e recipient_canonical_classes=envelope_recipient,header_recipient
 RUN newaliases
 RUN postmap /etc/postfix/transport
@@ -78,13 +79,7 @@ COPY ./monit.conf /etc/monit.d/postfix.conf
 COPY ./postfix.sh /usr/local/bin/postfix
 RUN chmod 755 /usr/local/bin/postfix
-# Check config
-RUN monit -t
-
-# Save email for later!
-VOLUME "/var/spool/postfix"
 VOLUME "/etc/postfix/maps"
-VOLUME "/home"
 # Port
 EXPOSE 25
diff --git a/postfix.sh b/postfix.sh
index 142b2c0..6b6e6ec 100644
--- a/postfix.sh
+++ b/postfix.sh
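Review bot: `sender_canonical_maps=tcp:postsrsd:10001` and `recipient_canonical_maps=tcp:postsrsd:10002` are Postfix `tcp:` lookup tables, which send unauthenticated, unencrypted queries and apply whatever the peer answers, so any host that can answer to the `postsrsd` name on the container network — or sit between the two — can rewrite envelope senders and, with `recipient_canonical_classes=envelope_recipient,header_recipient`, recipient headers as well. That is tolerable only on a network private to these containers; the assumption belongs next to these lines: `# postsrsd is queried over plain TCP with no auth: must be reachable only on a trusted, isolated network`. The RUN instruction begins before this hunk.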
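Review bot: Dropping `VOLUME "/var/spool/postfix"` puts the mail queue in the container's writable layer, so any message deferred while postsrsd, opendkim or a remote MX is unreachable is lost when the container is recreated; if this instance is meant to be a stateless forwarder that is worth stating in a comment, otherwise the volume should stay. Removing `RUN monit -t` also removes the only build-time check that the copied monit config parses; keeping it, or adding `RUN postfix check` after the `postconf` block, catches a broken COPY before deployment.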
@@ -7,17 +7,4 @@ postconf -e smtpd_tls_key_file="/etc/letsencrypt/live/${SUTTY}/privkey.pem"
 postconf -e smtpd_tls_cert_file="/etc/letsencrypt/live/${SUTTY}/fullchain.pem"
 postconf -e mynetworks="127.0.0.0/8 [::1]/128 `ip route | grep -v default | cut -d " " -f 1`"
-# Recreate users from ~
-for home in /home/*; do
- user="${home##*/}"
- test "${user}" = "*" && continue
-
- uid="$(stat -c %u "${home}")"
-
- # Skip if it already exists
- getent passwd ${user} >/dev/null && continue
-
- adduser -h ${home} -s /bin/false -G users -D -H -u ${uid} ${user}
-done
-
 exec /usr/sbin/postfix start
From 88e3bedb1ed3f2ebe7d05e78bf1af2921eba6571 Mon Sep 17 00:00:00 2001
From: f
Date: Thu, 24 Sep 2020 09:25:56 -0300
Subject: [PATCH 5/9] ipv6 support
---
 postfix.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/postfix.sh b/postfix.sh
index 6b6e6ec..e77a79f 100644
--- a/postfix.sh
+++ b/postfix.sh
@@ -5,6 +5,6 @@ postconf -e myhostname="${SUTTY}"
 postconf -e mydomain="${SUTTY}"
 postconf -e smtpd_tls_key_file="/etc/letsencrypt/live/${SUTTY}/privkey.pem"
 postconf -e smtpd_tls_cert_file="/etc/letsencrypt/live/${SUTTY}/fullchain.pem"
-postconf -e mynetworks="127.0.0.0/8 [::1]/128 `ip route | grep -v default | cut -d " " -f 1`"
+postconf -e mynetworks="127.0.0.0/8 [::1]/128 `ip route | grep -v default | cut -d " " -f 1` `ip -6 route | grep -v default | cut -d " " -f 1`"
 exec /usr/sbin/postfix start
From 40a6e33126dbebe11c5690fc6550ec21b787c969 Mon Sep 17 00:00:00 2001
From: f
Date: Thu, 24 Sep 2020 09:44:56 -0300
Subject: [PATCH 6/9] mynetworks is not needed with mynetworks_style=subnet
---
 postfix.sh | 1 -
 1 file changed, 1 deletion(-)
diff --git a/postfix.sh b/postfix.sh
index e77a79f..fe8d2c9 100644
--- a/postfix.sh
+++ b/postfix.sh
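Review bot: The appended `ip -6 route | grep -v default | cut -d " " -f 1` yields prefixes such as `fe80::/64` without the square brackets Postfix requires for IPv6 entries in `mynetworks` (`[fe80::]/64`, as the existing `[::1]/128` shows), so as far as I can tell these entries are rejected as bad patterns rather than applied; if they were accepted, the link-local prefix would trust every neighbour on the segment as a relay client. `ip -6 route` may also print `unreachable` or metric-only lines whose first field is not a prefix. Wrapping each prefix, e.g. `| sed 's|^\(.*\)/\([0-9]*\)$|[\1]/\2|'`, and dropping `fe80::/64` would make the list valid; otherwise leave IPv6 trust to `mynetworks_style`, which is what the next commit ends up doing.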
@@ -5,6 +5,5 @@ postconf -e myhostname="${SUTTY}"
 postconf -e mydomain="${SUTTY}"
 postconf -e smtpd_tls_key_file="/etc/letsencrypt/live/${SUTTY}/privkey.pem"
 postconf -e smtpd_tls_cert_file="/etc/letsencrypt/live/${SUTTY}/fullchain.pem"
-postconf -e mynetworks="127.0.0.0/8 [::1]/128 `ip route | grep -v default | cut -d " " -f 1` `ip -6 route | grep -v default | cut -d " " -f 1`"
 exec /usr/sbin/postfix start
From cce9fe90623e09eb2a25ec85dd6128e54f3e9b27 Mon Sep 17 00:00:00 2001
From: f
Date: Tue, 17 Nov 2020 14:59:48 -0300
Subject: [PATCH 7/9] rspamd + trust local network
---
 Dockerfile | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 759f225..2a342d7 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -25,7 +25,7 @@ RUN postconf -e alias_maps='hash:/etc/postfix/aliases' \
 && postconf -e mydestination='/etc/postfix/maps/domains.cf' \
 && postconf -e inet_interfaces='all' \
 && postconf -e local_recipient_maps='unix:passwd.byname $alias_maps' \
- && postconf -e mynetworks_style='host' \
+ && postconf -e mynetworks_style='subnet' \
 && postconf -e home_mailbox='Maildir/' \
 && postconf -e message_size_limit=20480000 \
 && postconf -e inet_protocols='all' \
@@ -64,7 +64,9 @@ RUN postconf -e alias_maps='hash:/etc/postfix/aliases' \
 && postconf -e append_dot_mydomain=yes \
 && postconf -e masquerade_domains='$mydomain' \
 && postconf -e non_smtpd_milters=inet:opendkim:8891 \
- && postconf -e smtpd_milters=inet:opendkim:8891 \
+ && postconf -e smtpd_milters='inet:rspamd:11332,inet:opendkim:8891' \
+ && postconf -e milter_default_action=accept \
+ && postconf -e milter_protocol=6 \
 && postconf -e virtual_alias_maps=hash:/etc/postfix/maps/virtual \
 && postconf -e sender_canonical_maps=tcp:postsrsd:10001 \
 && postconf -e sender_canonical_classes=envelope_sender \
From d7bde32d6a101d6034ab8319e4d91594b839ba54 Mon Sep 17 00:00:00 2001
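Review bot: `mynetworks_style='subnet'` makes Postfix trust every address in the subnet of every interface the container has, and `permit_mynetworks` is the first rule in `smtpd_relay_restrictions`, `smtpd_sender_restrictions` and `smtpd_client_restrictions`, so any container or host on an attached Docker network — including the default bridge if the container is ever placed there — can relay through this server with no authentication and no sender checks. If the goal is to relay only for sibling containers, an explicit `mynetworks` list or a dedicated network is narrower; whichever is chosen, the trust decision belongs next to this line: `# subnet: every peer on attached networks may relay unauthenticated; attach only to a private network`. Note the previous commit removed the explicit `mynetworks` citing subnet style, which only takes effect with this hunk. The RUN instruction starts and ends outside the hunk.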
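Review bot: `milter_default_action=accept` is fail-open: when rspamd or opendkim is unreachable, inbound mail is accepted unscanned and outbound mail leaves unsigned with nothing but a warning in the log, and since it also governs `non_smtpd_milters` a quiet opendkim outage turns all locally submitted mail DKIM-less. The Postfix default `tempfail` keeps inbound mail in the sender's queue and surfaces outbound signing failures as deferrals; if `accept` is deliberate for availability, say so on the line: `# accept: deliver unscanned/unsigned rather than defer when a milter is down`. The RUN instruction continues on both sides of the hunk.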
From: f
Date: Thu, 1 Apr 2021 15:50:15 -0300
Subject: [PATCH 8/9] rspamd is only hosted on a single node
---
 Dockerfile | 1 -
 postfix.sh | 1 +
 2 files changed, 1 insertion(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index 2a342d7..4678c2b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -64,7 +64,6 @@ RUN postconf -e alias_maps='hash:/etc/postfix/aliases' \
 && postconf -e append_dot_mydomain=yes \
 && postconf -e masquerade_domains='$mydomain' \
 && postconf -e non_smtpd_milters=inet:opendkim:8891 \
- && postconf -e smtpd_milters='inet:rspamd:11332,inet:opendkim:8891' \
 && postconf -e milter_default_action=accept \
 && postconf -e milter_protocol=6 \
 && postconf -e virtual_alias_maps=hash:/etc/postfix/maps/virtual \
diff --git a/postfix.sh b/postfix.sh
index fe8d2c9..e3f20f5 100644
--- a/postfix.sh
+++ b/postfix.sh
@@ -5,5 +5,6 @@ postconf -e myhostname="${SUTTY}"
 postconf -e mydomain="${SUTTY}"
 postconf -e smtpd_tls_key_file="/etc/letsencrypt/live/${SUTTY}/privkey.pem"
 postconf -e smtpd_tls_cert_file="/etc/letsencrypt/live/${SUTTY}/fullchain.pem"
+postconf -e smtpd_milters="inet:rspamd.${DELEGATE}:11332,inet:opendkim:8891"
 exec /usr/sbin/postfix start
From 8b4cfcda37bb8c3ec0cb8fe2faddc777a644330d Mon Sep 17 00:00:00 2001
From: f
Date: Thu, 1 Apr 2021 17:51:39 -0300
Subject: [PATCH 9/9] lmdb
---
 Dockerfile | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 4678c2b..c1aa876 100644
--- a/Dockerfile
+++ b/Dockerfile
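Review bot: `inet:rspamd.${DELEGATE}:11332` interpolates `${DELEGATE}` with no check, so with the variable unset the milter address becomes `rspamd.:11332`, which cannot resolve; because the Dockerfile sets `milter_default_action=accept`, that failure does not stop Postfix — mail is accepted without spam scanning and only a warning is logged. Adding `: "${DELEGATE:?DELEGATE must be set}"` before this `postconf` line makes the container fail at startup instead. As the subject says rspamd now lives on another node, this milter connection crosses the host network as plain, unauthenticated TCP; either tunnel it or note the exposure in a comment.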
@@ -10,8 +10,8 @@ RUN install -dm 2750 -o root -g root /etc/ssl/private \
 && certtool --generate-dh-params --outfile=/etc/ssl/private/512.dh --bits=512 \
 && apk del gnutls-utils
 # Configure postfix
-RUN postconf -e alias_maps='hash:/etc/postfix/aliases' \
- && postconf -e transport_maps='hash:/etc/postfix/transport' \
+RUN postconf -e alias_maps='lmdb:/etc/postfix/aliases' \
+ && postconf -e transport_maps='lmdb:/etc/postfix/transport' \
 && postconf -e recipient_delimiter='+' \
 && postconf -e sendmail_path='/usr/sbin/sendmail' \
 && postconf -e newaliases_path='/usr/bin/newaliases' \
@@ -66,7 +66,7 @@ RUN postconf -e alias_maps='hash:/etc/postfix/aliases' \
 && postconf -e non_smtpd_milters=inet:opendkim:8891 \
 && postconf -e milter_default_action=accept \
 && postconf -e milter_protocol=6 \
- && postconf -e virtual_alias_maps=hash:/etc/postfix/maps/virtual \
+ && postconf -e virtual_alias_maps=lmdb:/etc/postfix/maps/virtual \
 && postconf -e sender_canonical_maps=tcp:postsrsd:10001 \
 && postconf -e sender_canonical_classes=envelope_sender \
 && postconf -e recipient_canonical_maps=tcp:postsrsd:10002 \
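Review bot: `alias_maps` is switched to `lmdb:` but `alias_database` — the table that the later `RUN newaliases` actually writes — is not set here, so unless this base image already defaults `alias_database` to lmdb, `newaliases` keeps producing `aliases.db` while Postfix looks for `aliases.lmdb` and alias lookups fail at runtime; `RUN postmap /etc/postfix/transport` likewise builds whatever `default_database_type` is. Setting both explicitly closes the gap: `&& postconf -e alias_database='lmdb:/etc/postfix/aliases' \` and `&& postconf -e default_database_type=lmdb \`. A `RUN postconf -m | grep -q lmdb` would also confirm the Alpine package carries lmdb support, which some releases ship in a separate subpackage. The RUN instruction continues past the hunk.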
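Review bot: `virtual_alias_maps=lmdb:/etc/postfix/maps/virtual` changes the file Postfix expects inside the `/etc/postfix/maps` volume from `virtual.db` to `virtual.lmdb`, and nothing in the image rebuilds it, so existing deployments keep a stale hash map that is no longer read and virtual aliases silently stop resolving. Running `postmap lmdb:/etc/postfix/maps/virtual` in `postfix.sh` before `exec /usr/sbin/postfix start`, or a comment here stating that the volume's map must be regenerated as lmdb, makes the migration explicit. The RUN instruction continues past the hunk.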