postfix
This commit is contained in:
parent
a2e27c5316
commit
8182f5ad6e
3 changed files with 111 additions and 0 deletions
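--- a/Dockerfile
+++ b/Dockerfile
@@ -1,2 +1,85 @@
+# TODO: This configuration is only really useful for sending e-mail. It
+# receives and stores email for local users but we're not serving them
+# just yet.
 FROM sutty/monit:latest
 MAINTAINER "f <f@sutty.nl>"
+
+# Install postfix and certificates
+RUN apk add --no-cache postfix ca-certificates
+# Generate params and remove packages
+RUN install -dm 2750 -o root -g root /etc/ssl/private \
+&& apk add --no-cache gnutls-utils \
+&& certtool --generate-dh-params --outfile=/etc/ssl/private/2048.dh --bits=2048 \
+&& certtool --generate-dh-params --outfile=/etc/ssl/private/512.dh --bits=512 \
+&& apk del gnutls-utils
+# Configure postfix
+RUN postconf -e alias_maps='hash:/etc/postfix/aliases' \
+&& postconf -e transport_maps='hash:/etc/postfix/transport' \
+&& postconf -e recipient_delimiter='+' \
+&& postconf -e sendmail_path='/usr/sbin/sendmail' \
+&& postconf -e newaliases_path='/usr/bin/newaliases' \
+&& postconf -e mailq_path='/usr/bin/mailq' \
+&& postconf -e setgid_group='postdrop' \
+&& postconf -e manpage_directory='/usr/share/man' \
+&& postconf -e sample_directory='/etc/postfix/sample' \
+&& postconf -e readme_directory='/usr/share/doc/postfix' \
+&& postconf -e html_directory='no' \
+&& postconf -e soft_bounce='no' \
+&& postconf -e mydestination='$mydomain' \
+&& postconf -e inet_interfaces='all' \
+&& postconf -e local_recipient_maps='unix:passwd.byname $alias_maps' \
+&& postconf -e mynetworks_style='host' \
+&& postconf -e home_mailbox='Maildir/' \
+&& postconf -e message_size_limit=20480000 \
+&& postconf -e inet_protocols='all' \
+&& postconf -e disable_vrfy_command=yes \
+&& postconf -e smtpd_helo_required=yes \
+&& postconf -e smtpd_helo_restrictions='permit_mynetworks,permit_sasl_authenticated,reject_non_fqdn_helo_hostname,reject_invalid_helo_hostname,reject_unknown_helo_hostname,permit' \
+&& postconf -e smtpd_recipient_restrictions='reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,reject_non_fqdn_sender,reject_unlisted_recipient' \
+&& postconf -e smtpd_sender_restrictions='permit_mynetworks,permit_sasl_authenticated,reject_non_fqdn_sender,reject_unknown_sender_domain,permit' \
+&& postconf -e smtpd_data_restrictions='reject_unauth_pipelining' \
+&& postconf -e smtpd_client_restrictions='permit_mynetworks,permit_sasl_authenticated' \
+&& postconf -e smtpd_relay_restrictions='permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination' \
+&& postconf -e smtpd_use_tls='yes' \
+&& postconf -e smtpd_tls_auth_only='yes' \
+&& postconf -e smtp_use_tls='yes' \
+&& postconf -e smtp_tls_note_starttls_offer='yes' \
+&& postconf -e smtpd_tls_CApath='/etc/ssl/certs' \
+&& postconf -e tls_random_source='dev:/dev/urandom' \
+&& postconf -e smtpd_tls_dh1024_param_file='/etc/ssl/private/2048.dh' \
+&& postconf -e smtpd_tls_dh512_param_file='/etc/ssl/private/512.dh' \
+&& postconf -e tls_preempt_cipherlist='yes' \
+&& postconf -e smtpd_tls_security_level='may' \
+&& postconf -e smtpd_tls_eecdh_grade='strong' \
+&& postconf -e smtpd_tls_mandatory_ciphers='high' \
+&& postconf -e smtpd_tls_ciphers='medium' \
+&& postconf -e smtpd_tls_exclude_ciphers='aNULL,MD5,DES,3DES,DES-CBC3-SHA,RC4-SHA,AES256-SHA,AES128-SHA,eNULL,EXPORT,RC4,PSK,aECDH,EDH-DSS-DES-CBC3-SHA,EDH-RSA-DES-CDC3-SHA,KRB5-DE5,CBC3-SHA' \
+&& postconf -e smtpd_tls_mandatory_protocols='TLSv1' \
+&& postconf -e smtp_tls_ciphers='$smtpd_tls_ciphers' \
+&& postconf -e smtp_tls_mandatory_ciphers='$smtpd_tls_mandatory_ciphers' \
+&& postconf -e smtp_tls_protocols='!SSLv2,!SSLv3,TLSv1' \
+&& postconf -e smtpd_tls_loglevel='0' \
+&& postconf -e smtpd_tls_received_header='yes' \
+&& postconf -e smtpd_tls_session_cache_timeout='3600s' \
+&& postconf -e smtp_destination_concurrency_limit=2 \
+&& postconf -e smtp_destination_rate_delay=1s \
+&& postconf -e smtp_extra_recipient_limit=10 \
+&& postconf -e append_dot_mydomain=yes \
+&& postconf -e masquerade_domains='$mydomain'
+RUN newaliases
+RUN postmap /etc/postfix/transport
+
+# Enable service
+COPY ./monit.conf /etc/monit.d/postfix.conf
+COPY ./postfix.sh /usr/local/bin/postfix
+RUN chmod 755 /usr/local/bin/postfix
+
+# Check config
+RUN monit -t
+
+# Save email for later!
+VOLUME "/var/spool/postfix"
+VOLUME "/home"
+
+# Port
+EXPOSE 25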
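Review bot: `smtpd_tls_mandatory_protocols='TLSv1'` and `smtp_tls_protocols='!SSLv2,!SSLv3,TLSv1'` are protocol inclusion lists in Postfix's syntax, so they enable only TLS 1.0 and switch off TLS 1.1/1.2 — the opposite of what the surrounding cipher hardening is going for; the exclusion form `smtpd_tls_mandatory_protocols='!SSLv2,!SSLv3'` and `smtp_tls_protocols='!SSLv2,!SSLv3'` keeps every newer version (or `>=TLSv1.2` if the base image's Postfix is recent enough to accept it — its version isn't visible here), and the opportunistic server-side list `smtpd_tls_protocols` is not set at all, so it stays at whatever the build defaults to. Two smaller items in the same RUN: the 512-bit DH file is only consulted for EXPORT suites, which `smtpd_tls_exclude_ciphers` already drops, so generating it is dead weight at best; and that exclude list contains misspelled names (`EDH-RSA-DES-CDC3-SHA`, `KRB5-DE5`) that the TLS library will most likely ignore rather than reject, which is harmless only because `DES`/`3DES` are also listed. Consider `smtpd_tls_loglevel='1'` as well so handshakes and protocol negotiation are visible in the logs.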
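--- /dev/null
+++ b/monit.conf
@@ -0,0 +1,5 @@
+check process postfix with pidfile /var/spool/postfix/pid/master.pid
+start program = "/usr/local/bin/postfix"
+stop program = "/usr/sbin/postfix stop"
+if 5 restarts within 8 cycles then alert
+if failed port 25 protocol smtp for 3 times within 5 cycles then restart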
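--- /dev/null
+++ b/postfix.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+# Reconfigure postfix according to environment
+postconf -e myhostname="${SUTTY}"
+postconf -e mydomain="${SUTTY}"
+postconf -e smtpd_tls_key_file="/etc/letsencrypt/live/${SUTTY}/privkey.pem"
+postconf -e smtpd_tls_cert_file="/etc/letsencrypt/live/${SUTTY}/fullchain.pem"
+postconf -e mynetworks="127.0.0.0/8 [::1]/128 `ip route | grep -v default | cut -d " " -f 1`"
+
+# Recreate users from ~
+for home in /home/*; do
+user="${home##*/}"
+test "${user}" = "*" && continue
+
+uid="$(stat -c %u "${home}")"
+
+# Skip if it already exists
+getent passwd ${user} >/dev/null && continue
+
+adduser -h ${home} -s /bin/false -G users -D -H -u ${uid} ${user}
+done
+
+exec /usr/sbin/postfix start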
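Review bot: The `mynetworks=` line trusts the first field of every non-default route, which inside a container is typically the entire attached Docker subnet, so any other container on that network can relay through this host unauthenticated via `permit_mynetworks`; it also silently overrides the `mynetworks_style='host'` set in the Dockerfile, because an explicit `mynetworks` takes precedence over the style setting. If relaying for sibling containers is the intent, state it in a comment and consider listing the intended subnet explicitly rather than harvesting the routing table (the first word of an `ip route` line is not always a network for special route types). The script has no `set -eu` and never checks `SUTTY`, so an unset variable produces `myhostname=` and a key path of `/etc/letsencrypt/live//privkey.pem` before `postfix start` is reached; adding `set -eu` and `: "${SUTTY:?SUTTY must be set to the mail hostname}"` at the top fails fast instead. Finally `${home}`, `${uid}` and `${user}` are unquoted in the `getent`/`adduser` calls — harmless for names without whitespace, but quote them for consistency with the `stat` call.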