This commit is contained in:
f 2022-03-09 13:18:48 -03:00
parent 4c4546392b
commit 5c2779a736
5 changed files with 102 additions and 88 deletions


@ -2,7 +2,7 @@ pipeline:
publish: publish:
image: plugins/docker image: plugins/docker
registry: registry.nulo.in registry: registry.nulo.in
repo: registry.nulo.in/sutty/CHANGEME repo: registry.nulo.in/sutty/postfix
tags: tags:
- ${ALPINE_VERSION} - ${ALPINE_VERSION}
- latest - latest


@ -1,87 +1,95 @@
ARG ALPINE_VERSION=3.13.6 ARG ALPINE_VERSION=3.13.6
ARG BASE_IMAGE=sutty/monit ARG BASE_IMAGE=sutty/monit
FROM ${BASE_IMAGE}:${ALPINE_VERSION} FROM ${BASE_IMAGE}:${ALPINE_VERSION} AS build
MAINTAINER "f <f@sutty.nl>" MAINTAINER "f <f@sutty.nl>"
# Install postfix and certificates
RUN apk add --no-cache postfix ca-certificates RUN apk add --no-cache postfix ca-certificates
# Generate params and remove packages RUN install -dm 2750 -o root -g root /etc/ssl/private
RUN install -dm 2750 -o root -g root /etc/ssl/private \
&& apk add --no-cache gnutls-utils \ RUN apk add --no-cache gnutls-utils
&& certtool --generate-dh-params --outfile=/etc/ssl/private/2048.dh --bits=2048 \ RUN certtool --generate-dh-params --outfile=/etc/ssl/private/2048.dh --bits=2048
&& certtool --generate-dh-params --outfile=/etc/ssl/private/512.dh --bits=512 \ RUN certtool --generate-dh-params --outfile=/etc/ssl/private/512.dh --bits=512
&& apk del gnutls-utils
# Configure postfix RUN postconf -e alias_maps='lmdb:/etc/postfix/aliases'
RUN postconf -e alias_maps='lmdb:/etc/postfix/aliases' \ RUN postconf -e transport_maps='lmdb:/etc/postfix/transport'
&& postconf -e transport_maps='lmdb:/etc/postfix/transport' \ RUN postconf -e recipient_delimiter='+'
&& postconf -e recipient_delimiter='+' \ RUN postconf -e sendmail_path='/usr/sbin/sendmail'
&& postconf -e sendmail_path='/usr/sbin/sendmail' \ RUN postconf -e newaliases_path='/usr/bin/newaliases'
&& postconf -e newaliases_path='/usr/bin/newaliases' \ RUN postconf -e mailq_path='/usr/bin/mailq'
&& postconf -e mailq_path='/usr/bin/mailq' \ RUN postconf -e setgid_group='postdrop'
&& postconf -e setgid_group='postdrop' \ RUN postconf -e manpage_directory='/usr/share/man'
&& postconf -e manpage_directory='/usr/share/man' \ RUN postconf -e sample_directory='/etc/postfix/sample'
&& postconf -e sample_directory='/etc/postfix/sample' \ RUN postconf -e readme_directory='/usr/share/doc/postfix'
&& postconf -e readme_directory='/usr/share/doc/postfix' \ RUN postconf -e html_directory='no'
&& postconf -e html_directory='no' \ RUN postconf -e soft_bounce='no'
&& postconf -e soft_bounce='no' \ RUN postconf -e mydestination='/etc/postfix/maps/domains.cf'
&& postconf -e mydestination='/etc/postfix/maps/domains.cf' \ RUN postconf -e inet_interfaces='all'
&& postconf -e inet_interfaces='all' \ RUN postconf -e local_recipient_maps='unix:passwd.byname $alias_maps'
&& postconf -e local_recipient_maps='unix:passwd.byname $alias_maps' \ RUN postconf -e mynetworks_style='subnet'
&& postconf -e mynetworks_style='subnet' \ RUN postconf -e home_mailbox='Maildir/'
&& postconf -e home_mailbox='Maildir/' \ RUN postconf -e message_size_limit=20480000
&& postconf -e message_size_limit=20480000 \ RUN postconf -e inet_protocols='all'
&& postconf -e inet_protocols='all' \ RUN postconf -e disable_vrfy_command=yes
&& postconf -e disable_vrfy_command=yes \ RUN postconf -e smtpd_helo_required=yes
&& postconf -e smtpd_helo_required=yes \ RUN postconf -e smtpd_helo_restrictions='permit_mynetworks,permit_sasl_authenticated,reject_non_fqdn_helo_hostname,reject_invalid_helo_hostname,reject_unknown_helo_hostname,permit'
&& postconf -e smtpd_helo_restrictions='permit_mynetworks,permit_sasl_authenticated,reject_non_fqdn_helo_hostname,reject_invalid_helo_hostname,reject_unknown_helo_hostname,permit' \ RUN postconf -e smtpd_recipient_restrictions='reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,reject_non_fqdn_sender,reject_unlisted_recipient'
&& postconf -e smtpd_recipient_restrictions='reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,reject_non_fqdn_sender,reject_unlisted_recipient' \ RUN postconf -e smtpd_sender_restrictions='permit_mynetworks,permit_sasl_authenticated,reject_non_fqdn_sender,reject_unknown_sender_domain,permit'
&& postconf -e smtpd_sender_restrictions='permit_mynetworks,permit_sasl_authenticated,reject_non_fqdn_sender,reject_unknown_sender_domain,permit' \ RUN postconf -e smtpd_data_restrictions='reject_unauth_pipelining'
&& postconf -e smtpd_data_restrictions='reject_unauth_pipelining' \ RUN postconf -e smtpd_client_restrictions='permit_mynetworks,permit_sasl_authenticated'
&& postconf -e smtpd_client_restrictions='permit_mynetworks,permit_sasl_authenticated' \ RUN postconf -e smtpd_relay_restrictions='permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination'
&& postconf -e smtpd_relay_restrictions='permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination' \ RUN postconf -e smtpd_use_tls='yes'
&& postconf -e smtpd_use_tls='yes' \ RUN postconf -e smtpd_tls_auth_only='yes'
&& postconf -e smtpd_tls_auth_only='yes' \ RUN postconf -e smtp_use_tls='yes'
&& postconf -e smtp_use_tls='yes' \ RUN postconf -e smtp_tls_note_starttls_offer='yes'
&& postconf -e smtp_tls_note_starttls_offer='yes' \ RUN postconf -e smtpd_tls_CApath='/etc/ssl/certs'
&& postconf -e smtpd_tls_CApath='/etc/ssl/certs' \ RUN postconf -e tls_random_source='dev:/dev/urandom'
&& postconf -e tls_random_source='dev:/dev/urandom' \ RUN postconf -e smtpd_tls_dh1024_param_file='/etc/ssl/private/2048.dh'
&& postconf -e smtpd_tls_dh1024_param_file='/etc/ssl/private/2048.dh' \ RUN postconf -e smtpd_tls_dh512_param_file='/etc/ssl/private/512.dh'
&& postconf -e smtpd_tls_dh512_param_file='/etc/ssl/private/512.dh' \ RUN postconf -e tls_preempt_cipherlist='yes'
&& postconf -e tls_preempt_cipherlist='yes' \ RUN postconf -e smtpd_tls_security_level='may'
&& postconf -e smtpd_tls_security_level='may' \ RUN postconf -e smtpd_tls_eecdh_grade='strong'
&& postconf -e smtpd_tls_eecdh_grade='strong' \ RUN postconf -e smtpd_tls_mandatory_ciphers='high'
&& postconf -e smtpd_tls_mandatory_ciphers='high' \ RUN postconf -e smtpd_tls_ciphers='medium'
&& postconf -e smtpd_tls_ciphers='medium' \ RUN postconf -e smtpd_tls_exclude_ciphers='aNULL,MD5,DES,3DES,DES-CBC3-SHA,RC4-SHA,AES256-SHA,AES128-SHA,eNULL,EXPORT,RC4,PSK,aECDH,EDH-DSS-DES-CBC3-SHA,EDH-RSA-DES-CDC3-SHA,KRB5-DE5,CBC3-SHA'
&& postconf -e smtpd_tls_exclude_ciphers='aNULL,MD5,DES,3DES,DES-CBC3-SHA,RC4-SHA,AES256-SHA,AES128-SHA,eNULL,EXPORT,RC4,PSK,aECDH,EDH-DSS-DES-CBC3-SHA,EDH-RSA-DES-CDC3-SHA,KRB5-DE5,CBC3-SHA' \ RUN postconf -e smtpd_tls_mandatory_protocols='TLSv1'
&& postconf -e smtpd_tls_mandatory_protocols='TLSv1' \ RUN postconf -e smtp_tls_ciphers='$smtpd_tls_ciphers'
&& postconf -e smtp_tls_ciphers='$smtpd_tls_ciphers' \ RUN postconf -e smtp_tls_mandatory_ciphers='$smtpd_tls_mandatory_ciphers'
&& postconf -e smtp_tls_mandatory_ciphers='$smtpd_tls_mandatory_ciphers' \ RUN postconf -e smtp_tls_protocols='!SSLv2,!SSLv3,TLSv1'
&& postconf -e smtp_tls_protocols='!SSLv2,!SSLv3,TLSv1' \ RUN postconf -e smtpd_tls_loglevel='0'
&& postconf -e smtpd_tls_loglevel='0' \ RUN postconf -e smtpd_tls_received_header='yes'
&& postconf -e smtpd_tls_received_header='yes' \ RUN postconf -e smtpd_tls_session_cache_timeout='3600s'
&& postconf -e smtpd_tls_session_cache_timeout='3600s' \ RUN postconf -e smtp_destination_concurrency_limit=2
&& postconf -e smtp_destination_concurrency_limit=2 \ RUN postconf -e smtp_destination_rate_delay=1s
&& postconf -e smtp_destination_rate_delay=1s \ RUN postconf -e smtp_extra_recipient_limit=10
&& postconf -e smtp_extra_recipient_limit=10 \ RUN postconf -e append_dot_mydomain=yes
&& postconf -e append_dot_mydomain=yes \ RUN postconf -e masquerade_domains='$mydomain'
&& postconf -e masquerade_domains='$mydomain' \ RUN postconf -e non_smtpd_milters=inet:opendkim:8891
&& postconf -e non_smtpd_milters=inet:opendkim:8891 \ RUN postconf -e milter_default_action=accept
&& postconf -e milter_default_action=accept \ RUN postconf -e milter_protocol=6
&& postconf -e milter_protocol=6 \ RUN postconf -e virtual_alias_maps=lmdb:/etc/postfix/maps/virtual
&& postconf -e virtual_alias_maps=lmdb:/etc/postfix/maps/virtual \ RUN postconf -e sender_canonical_maps=tcp:postsrsd:10001
&& postconf -e sender_canonical_maps=tcp:postsrsd:10001 \ RUN postconf -e sender_canonical_classes=envelope_sender
&& postconf -e sender_canonical_classes=envelope_sender \ RUN postconf -e recipient_canonical_maps=tcp:postsrsd:10002
&& postconf -e recipient_canonical_maps=tcp:postsrsd:10002 \ RUN postconf -e recipient_canonical_classes=envelope_recipient,header_recipient
&& postconf -e recipient_canonical_classes=envelope_recipient,header_recipient
ARG ALPINE_VERSION=3.13.6
ARG BASE_IMAGE=sutty/monit
FROM ${BASE_IMAGE}:${ALPINE_VERSION} AS build
MAINTAINER "f <f@sutty.nl>"
RUN apk add --no-cache postfix ca-certificates
RUN install -dm 2750 -o root -g root /etc/ssl/private
COPY --from=build /etc/postfix/main.cf /etc/postfix/main.cf
COPY --from=build /etc/ssl/private/2048.dh /etc/ssl/private/2048.dh
COPY --from=build /etc/ssl/private/512.dh /etc/ssl/private/512.dh
COPY ./monit.conf /etc/monit.d/postfix.conf
COPY ./postfixd.sh /usr/local/bin/postfixd
RUN newaliases RUN newaliases
RUN postmap /etc/postfix/transport RUN postmap /etc/postfix/transport
# Enable service
COPY ./monit.conf /etc/monit.d/postfix.conf
COPY ./postfix.sh /usr/local/bin/postfix
RUN chmod 755 /usr/local/bin/postfix
VOLUME "/etc/postfix/maps" VOLUME "/etc/postfix/maps"
# Port # Port
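Review bot: Both `FROM` lines on the new side name their stage `build` (the first at the top of the file, the second directly above the `COPY --from=build` lines), so the final stage refers to itself; Docker rejects duplicate stage names as far as I can tell, and even where it did not, `--from=build` would be ambiguous — drop the suffix on the second one: `FROM ${BASE_IMAGE}:${ALPINE_VERSION}`. The old `RUN chmod 755 /usr/local/bin/postfix` was removed and nothing replaces it for the renamed script, so unless postfixd.sh is committed with its executable bit set, monit's `start program = "/usr/local/bin/postfixd start"` will fail; add `RUN chmod 755 /usr/local/bin/postfixd` after the COPY. Separately, `smtpd_tls_mandatory_protocols='TLSv1'` is the positive-list form, which with current OpenSSL restricts mandatory TLS to TLS 1.0 only rather than excluding the old versions, and `smtp_tls_protocols='!SSLv2,!SSLv3,TLSv1'` appears to mix both forms; `smtpd_tls_mandatory_protocols='!SSLv2,!SSLv3,!TLSv1,!TLSv1.1'` (and the same exclusion list for `smtp_tls_protocols`) keeps TLS 1.2+ available. The 512-bit DH parameter file is only consulted for export ciphers, which `smtpd_tls_exclude_ciphers` already removes, so generating it in the build stage buys nothing and could be dropped along with `smtpd_tls_dh512_param_file`.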


@ -1,5 +1,5 @@
check process postfix with pidfile /var/spool/postfix/pid/master.pid check process postfix with pidfile /var/spool/postfix/pid/master.pid
start program = "/usr/local/bin/postfix" start program = "/usr/local/bin/postfixd start"
stop program = "/usr/sbin/postfix stop" stop program = "/usr/local/bin/postfixd stop"
if 5 restarts within 8 cycles then alert if 5 restarts within 8 cycles then alert
if failed port 25 protocol smtp for 3 times within 5 cycles then restart if failed port 25 protocol smtp for 3 times within 5 cycles then restart


@ -1,10 +0,0 @@
#!/bin/sh
# Reconfigure postfix according to environment
postconf -e myhostname="${SUTTY}"
postconf -e mydomain="${SUTTY}"
postconf -e smtpd_tls_key_file="/etc/letsencrypt/live/${SUTTY}/privkey.pem"
postconf -e smtpd_tls_cert_file="/etc/letsencrypt/live/${SUTTY}/fullchain.pem"
postconf -e smtpd_milters="inet:rspamd.${DELEGATE}:11332,inet:opendkim:8891"
exec /usr/sbin/postfix start

16
postfixd.sh Normal file

@ -0,0 +1,16 @@
#!/bin/sh
case $1 in
start)
# Reconfigure postfix according to environment
postconf -e myhostname="${SUTTY}"
postconf -e mydomain="${SUTTY}"
postconf -e smtpd_tls_key_file="/etc/letsencrypt/live/${SUTTY}/privkey.pem"
postconf -e smtpd_tls_cert_file="/etc/letsencrypt/live/${SUTTY}/fullchain.pem"
postconf -e smtpd_milters="inet:${RSPAMD}:11332,inet:opendkim:8891"
;;
stop) ;;
esac
exec /usr/sbin/postfix $1
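Review bot: The `start)` branch writes whatever `${SUTTY}` and `${RSPAMD}` hold into main.cf without checking they are set, and the script has no `set -e`, so an empty `SUTTY` yields `myhostname=` and a key path of `/etc/letsencrypt/live//privkey.pem`, after which postfix is still exec'd. Add `set -e` at the top and `: "${SUTTY:?SUTTY must be set}"` and `: "${RSPAMD:?RSPAMD must be set}"` before the first `postconf -e`, so a misconfigured container fails at startup instead of running with a broken hostname and TLS setup. The `case` has no default, so an empty or unexpected argument still reaches `exec /usr/sbin/postfix $1`; a `*) echo "usage: $0 start|stop" >&2; exit 1 ;;` arm keeps the wrapper to the two actions monit invokes.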