upgrade
This commit is contained in:
parent
4c4546392b
commit
5c2779a736
5 changed files with 102 additions and 88 deletions
|
@ -2,7 +2,7 @@ pipeline:
|
||||||
publish:
|
publish:
|
||||||
image: plugins/docker
|
image: plugins/docker
|
||||||
registry: registry.nulo.in
|
registry: registry.nulo.in
|
||||||
repo: registry.nulo.in/sutty/CHANGEME
|
repo: registry.nulo.in/sutty/postfix
|
||||||
tags:
|
tags:
|
||||||
- ${ALPINE_VERSION}
|
- ${ALPINE_VERSION}
|
||||||
- latest
|
- latest
|
||||||
|
|
158
Dockerfile
158
Dockerfile
|
@ -1,87 +1,95 @@
|
||||||
ARG ALPINE_VERSION=3.13.6
|
ARG ALPINE_VERSION=3.13.6
|
||||||
ARG BASE_IMAGE=sutty/monit
|
ARG BASE_IMAGE=sutty/monit
|
||||||
FROM ${BASE_IMAGE}:${ALPINE_VERSION}
|
FROM ${BASE_IMAGE}:${ALPINE_VERSION} AS build
|
||||||
MAINTAINER "f <f@sutty.nl>"
|
MAINTAINER "f <f@sutty.nl>"
|
||||||
|
|
||||||
# Install postfix and certificates
|
|
||||||
RUN apk add --no-cache postfix ca-certificates
|
RUN apk add --no-cache postfix ca-certificates
|
||||||
# Generate params and remove packages
|
RUN install -dm 2750 -o root -g root /etc/ssl/private
|
||||||
RUN install -dm 2750 -o root -g root /etc/ssl/private \
|
|
||||||
&& apk add --no-cache gnutls-utils \
|
RUN apk add --no-cache gnutls-utils
|
||||||
&& certtool --generate-dh-params --outfile=/etc/ssl/private/2048.dh --bits=2048 \
|
RUN certtool --generate-dh-params --outfile=/etc/ssl/private/2048.dh --bits=2048
|
||||||
&& certtool --generate-dh-params --outfile=/etc/ssl/private/512.dh --bits=512 \
|
RUN certtool --generate-dh-params --outfile=/etc/ssl/private/512.dh --bits=512
|
||||||
&& apk del gnutls-utils
|
|
||||||
# Configure postfix
|
RUN postconf -e alias_maps='lmdb:/etc/postfix/aliases'
|
||||||
RUN postconf -e alias_maps='lmdb:/etc/postfix/aliases' \
|
RUN postconf -e transport_maps='lmdb:/etc/postfix/transport'
|
||||||
&& postconf -e transport_maps='lmdb:/etc/postfix/transport' \
|
RUN postconf -e recipient_delimiter='+'
|
||||||
&& postconf -e recipient_delimiter='+' \
|
RUN postconf -e sendmail_path='/usr/sbin/sendmail'
|
||||||
&& postconf -e sendmail_path='/usr/sbin/sendmail' \
|
RUN postconf -e newaliases_path='/usr/bin/newaliases'
|
||||||
&& postconf -e newaliases_path='/usr/bin/newaliases' \
|
RUN postconf -e mailq_path='/usr/bin/mailq'
|
||||||
&& postconf -e mailq_path='/usr/bin/mailq' \
|
RUN postconf -e setgid_group='postdrop'
|
||||||
&& postconf -e setgid_group='postdrop' \
|
RUN postconf -e manpage_directory='/usr/share/man'
|
||||||
&& postconf -e manpage_directory='/usr/share/man' \
|
RUN postconf -e sample_directory='/etc/postfix/sample'
|
||||||
&& postconf -e sample_directory='/etc/postfix/sample' \
|
RUN postconf -e readme_directory='/usr/share/doc/postfix'
|
||||||
&& postconf -e readme_directory='/usr/share/doc/postfix' \
|
RUN postconf -e html_directory='no'
|
||||||
&& postconf -e html_directory='no' \
|
RUN postconf -e soft_bounce='no'
|
||||||
&& postconf -e soft_bounce='no' \
|
RUN postconf -e mydestination='/etc/postfix/maps/domains.cf'
|
||||||
&& postconf -e mydestination='/etc/postfix/maps/domains.cf' \
|
RUN postconf -e inet_interfaces='all'
|
||||||
&& postconf -e inet_interfaces='all' \
|
RUN postconf -e local_recipient_maps='unix:passwd.byname $alias_maps'
|
||||||
&& postconf -e local_recipient_maps='unix:passwd.byname $alias_maps' \
|
RUN postconf -e mynetworks_style='subnet'
|
||||||
&& postconf -e mynetworks_style='subnet' \
|
RUN postconf -e home_mailbox='Maildir/'
|
||||||
&& postconf -e home_mailbox='Maildir/' \
|
RUN postconf -e message_size_limit=20480000
|
||||||
&& postconf -e message_size_limit=20480000 \
|
RUN postconf -e inet_protocols='all'
|
||||||
&& postconf -e inet_protocols='all' \
|
RUN postconf -e disable_vrfy_command=yes
|
||||||
&& postconf -e disable_vrfy_command=yes \
|
RUN postconf -e smtpd_helo_required=yes
|
||||||
&& postconf -e smtpd_helo_required=yes \
|
RUN postconf -e smtpd_helo_restrictions='permit_mynetworks,permit_sasl_authenticated,reject_non_fqdn_helo_hostname,reject_invalid_helo_hostname,reject_unknown_helo_hostname,permit'
|
||||||
&& postconf -e smtpd_helo_restrictions='permit_mynetworks,permit_sasl_authenticated,reject_non_fqdn_helo_hostname,reject_invalid_helo_hostname,reject_unknown_helo_hostname,permit' \
|
RUN postconf -e smtpd_recipient_restrictions='reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,reject_non_fqdn_sender,reject_unlisted_recipient'
|
||||||
&& postconf -e smtpd_recipient_restrictions='reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,reject_non_fqdn_sender,reject_unlisted_recipient' \
|
RUN postconf -e smtpd_sender_restrictions='permit_mynetworks,permit_sasl_authenticated,reject_non_fqdn_sender,reject_unknown_sender_domain,permit'
|
||||||
&& postconf -e smtpd_sender_restrictions='permit_mynetworks,permit_sasl_authenticated,reject_non_fqdn_sender,reject_unknown_sender_domain,permit' \
|
RUN postconf -e smtpd_data_restrictions='reject_unauth_pipelining'
|
||||||
&& postconf -e smtpd_data_restrictions='reject_unauth_pipelining' \
|
RUN postconf -e smtpd_client_restrictions='permit_mynetworks,permit_sasl_authenticated'
|
||||||
&& postconf -e smtpd_client_restrictions='permit_mynetworks,permit_sasl_authenticated' \
|
RUN postconf -e smtpd_relay_restrictions='permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination'
|
||||||
&& postconf -e smtpd_relay_restrictions='permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination' \
|
RUN postconf -e smtpd_use_tls='yes'
|
||||||
&& postconf -e smtpd_use_tls='yes' \
|
RUN postconf -e smtpd_tls_auth_only='yes'
|
||||||
&& postconf -e smtpd_tls_auth_only='yes' \
|
RUN postconf -e smtp_use_tls='yes'
|
||||||
&& postconf -e smtp_use_tls='yes' \
|
RUN postconf -e smtp_tls_note_starttls_offer='yes'
|
||||||
&& postconf -e smtp_tls_note_starttls_offer='yes' \
|
RUN postconf -e smtpd_tls_CApath='/etc/ssl/certs'
|
||||||
&& postconf -e smtpd_tls_CApath='/etc/ssl/certs' \
|
RUN postconf -e tls_random_source='dev:/dev/urandom'
|
||||||
&& postconf -e tls_random_source='dev:/dev/urandom' \
|
RUN postconf -e smtpd_tls_dh1024_param_file='/etc/ssl/private/2048.dh'
|
||||||
&& postconf -e smtpd_tls_dh1024_param_file='/etc/ssl/private/2048.dh' \
|
RUN postconf -e smtpd_tls_dh512_param_file='/etc/ssl/private/512.dh'
|
||||||
&& postconf -e smtpd_tls_dh512_param_file='/etc/ssl/private/512.dh' \
|
RUN postconf -e tls_preempt_cipherlist='yes'
|
||||||
&& postconf -e tls_preempt_cipherlist='yes' \
|
RUN postconf -e smtpd_tls_security_level='may'
|
||||||
&& postconf -e smtpd_tls_security_level='may' \
|
RUN postconf -e smtpd_tls_eecdh_grade='strong'
|
||||||
&& postconf -e smtpd_tls_eecdh_grade='strong' \
|
RUN postconf -e smtpd_tls_mandatory_ciphers='high'
|
||||||
&& postconf -e smtpd_tls_mandatory_ciphers='high' \
|
RUN postconf -e smtpd_tls_ciphers='medium'
|
||||||
&& postconf -e smtpd_tls_ciphers='medium' \
|
RUN postconf -e smtpd_tls_exclude_ciphers='aNULL,MD5,DES,3DES,DES-CBC3-SHA,RC4-SHA,AES256-SHA,AES128-SHA,eNULL,EXPORT,RC4,PSK,aECDH,EDH-DSS-DES-CBC3-SHA,EDH-RSA-DES-CDC3-SHA,KRB5-DE5,CBC3-SHA'
|
||||||
&& postconf -e smtpd_tls_exclude_ciphers='aNULL,MD5,DES,3DES,DES-CBC3-SHA,RC4-SHA,AES256-SHA,AES128-SHA,eNULL,EXPORT,RC4,PSK,aECDH,EDH-DSS-DES-CBC3-SHA,EDH-RSA-DES-CDC3-SHA,KRB5-DE5,CBC3-SHA' \
|
RUN postconf -e smtpd_tls_mandatory_protocols='TLSv1'
|
||||||
&& postconf -e smtpd_tls_mandatory_protocols='TLSv1' \
|
RUN postconf -e smtp_tls_ciphers='$smtpd_tls_ciphers'
|
||||||
&& postconf -e smtp_tls_ciphers='$smtpd_tls_ciphers' \
|
RUN postconf -e smtp_tls_mandatory_ciphers='$smtpd_tls_mandatory_ciphers'
|
||||||
&& postconf -e smtp_tls_mandatory_ciphers='$smtpd_tls_mandatory_ciphers' \
|
RUN postconf -e smtp_tls_protocols='!SSLv2,!SSLv3,TLSv1'
|
||||||
&& postconf -e smtp_tls_protocols='!SSLv2,!SSLv3,TLSv1' \
|
RUN postconf -e smtpd_tls_loglevel='0'
|
||||||
&& postconf -e smtpd_tls_loglevel='0' \
|
RUN postconf -e smtpd_tls_received_header='yes'
|
||||||
&& postconf -e smtpd_tls_received_header='yes' \
|
RUN postconf -e smtpd_tls_session_cache_timeout='3600s'
|
||||||
&& postconf -e smtpd_tls_session_cache_timeout='3600s' \
|
RUN postconf -e smtp_destination_concurrency_limit=2
|
||||||
&& postconf -e smtp_destination_concurrency_limit=2 \
|
RUN postconf -e smtp_destination_rate_delay=1s
|
||||||
&& postconf -e smtp_destination_rate_delay=1s \
|
RUN postconf -e smtp_extra_recipient_limit=10
|
||||||
&& postconf -e smtp_extra_recipient_limit=10 \
|
RUN postconf -e append_dot_mydomain=yes
|
||||||
&& postconf -e append_dot_mydomain=yes \
|
RUN postconf -e masquerade_domains='$mydomain'
|
||||||
&& postconf -e masquerade_domains='$mydomain' \
|
RUN postconf -e non_smtpd_milters=inet:opendkim:8891
|
||||||
&& postconf -e non_smtpd_milters=inet:opendkim:8891 \
|
RUN postconf -e milter_default_action=accept
|
||||||
&& postconf -e milter_default_action=accept \
|
RUN postconf -e milter_protocol=6
|
||||||
&& postconf -e milter_protocol=6 \
|
RUN postconf -e virtual_alias_maps=lmdb:/etc/postfix/maps/virtual
|
||||||
&& postconf -e virtual_alias_maps=lmdb:/etc/postfix/maps/virtual \
|
RUN postconf -e sender_canonical_maps=tcp:postsrsd:10001
|
||||||
&& postconf -e sender_canonical_maps=tcp:postsrsd:10001 \
|
RUN postconf -e sender_canonical_classes=envelope_sender
|
||||||
&& postconf -e sender_canonical_classes=envelope_sender \
|
RUN postconf -e recipient_canonical_maps=tcp:postsrsd:10002
|
||||||
&& postconf -e recipient_canonical_maps=tcp:postsrsd:10002 \
|
RUN postconf -e recipient_canonical_classes=envelope_recipient,header_recipient
|
||||||
&& postconf -e recipient_canonical_classes=envelope_recipient,header_recipient
|
|
||||||
|
ARG ALPINE_VERSION=3.13.6
|
||||||
|
ARG BASE_IMAGE=sutty/monit
|
||||||
|
FROM ${BASE_IMAGE}:${ALPINE_VERSION} AS build
|
||||||
|
MAINTAINER "f <f@sutty.nl>"
|
||||||
|
|
||||||
|
RUN apk add --no-cache postfix ca-certificates
|
||||||
|
RUN install -dm 2750 -o root -g root /etc/ssl/private
|
||||||
|
|
||||||
|
COPY --from=build /etc/postfix/main.cf /etc/postfix/main.cf
|
||||||
|
COPY --from=build /etc/ssl/private/2048.dh /etc/ssl/private/2048.dh
|
||||||
|
COPY --from=build /etc/ssl/private/512.dh /etc/ssl/private/512.dh
|
||||||
|
|
||||||
|
COPY ./monit.conf /etc/monit.d/postfix.conf
|
||||||
|
COPY ./postfixd.sh /usr/local/bin/postfixd
|
||||||
|
|
||||||
RUN newaliases
|
RUN newaliases
|
||||||
RUN postmap /etc/postfix/transport
|
RUN postmap /etc/postfix/transport
|
||||||
|
|
||||||
# Enable service
|
|
||||||
COPY ./monit.conf /etc/monit.d/postfix.conf
|
|
||||||
COPY ./postfix.sh /usr/local/bin/postfix
|
|
||||||
RUN chmod 755 /usr/local/bin/postfix
|
|
||||||
|
|
||||||
VOLUME "/etc/postfix/maps"
|
VOLUME "/etc/postfix/maps"
|
||||||
|
|
||||||
# Port
|
# Port
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
check process postfix with pidfile /var/spool/postfix/pid/master.pid
|
check process postfix with pidfile /var/spool/postfix/pid/master.pid
|
||||||
start program = "/usr/local/bin/postfix"
|
start program = "/usr/local/bin/postfixd start"
|
||||||
stop program = "/usr/sbin/postfix stop"
|
stop program = "/usr/local/bin/postfixd stop"
|
||||||
if 5 restarts within 8 cycles then alert
|
if 5 restarts within 8 cycles then alert
|
||||||
if failed port 25 protocol smtp for 3 times within 5 cycles then restart
|
if failed port 25 protocol smtp for 3 times within 5 cycles then restart
|
||||||
|
|
10
postfix.sh
10
postfix.sh
|
@ -1,10 +0,0 @@
|
||||||
#!/bin/sh
|
|
||||||
|
|
||||||
# Reconfigure postfix according to environment
|
|
||||||
postconf -e myhostname="${SUTTY}"
|
|
||||||
postconf -e mydomain="${SUTTY}"
|
|
||||||
postconf -e smtpd_tls_key_file="/etc/letsencrypt/live/${SUTTY}/privkey.pem"
|
|
||||||
postconf -e smtpd_tls_cert_file="/etc/letsencrypt/live/${SUTTY}/fullchain.pem"
|
|
||||||
postconf -e smtpd_milters="inet:rspamd.${DELEGATE}:11332,inet:opendkim:8891"
|
|
||||||
|
|
||||||
exec /usr/sbin/postfix start
|
|
16
postfixd.sh
Normal file
16
postfixd.sh
Normal file
|
@ -0,0 +1,16 @@
|
||||||
|
#!/bin/sh
|
||||||
|
|
||||||
|
case $1 in
|
||||||
|
start)
|
||||||
|
# Reconfigure postfix according to environment
|
||||||
|
postconf -e myhostname="${SUTTY}"
|
||||||
|
postconf -e mydomain="${SUTTY}"
|
||||||
|
postconf -e smtpd_tls_key_file="/etc/letsencrypt/live/${SUTTY}/privkey.pem"
|
||||||
|
postconf -e smtpd_tls_cert_file="/etc/letsencrypt/live/${SUTTY}/fullchain.pem"
|
||||||
|
postconf -e smtpd_milters="inet:${RSPAMD}:11332,inet:opendkim:8891"
|
||||||
|
|
||||||
|
;;
|
||||||
|
stop) ;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
exec /usr/sbin/postfix $1
|
Loading…
Reference in a new issue