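# Build stage: install a pinned Postfix, generate DH parameters and render
# main.cf with postconf.  Only main.cf and the DH files are copied from this
# stage into the runtime image below; everything else here is discarded.
ARG ALPINE_VERSION=3.18.3
ARG BASE_IMAGE=gitea.nulo.in/sutty/monit
# The base image tag is presumably an Alpine release (apk is used below);
# verify against the monit image's tagging scheme.
FROM ${BASE_IMAGE}:${ALPINE_VERSION} AS build

# apk's "~" operator is a fuzzy prefix match on the version, so this pin only
# resolves if a postfix-3.6.6-r* package exists in the base image's repos.
# NOTE(review): smtpd_forbid_bare_newline (set below) was introduced in the
# Postfix 3.6.13 / 3.7.9 / 3.8.4 patch releases; on an older build postconf
# still writes it to main.cf, but Postfix reports it as an unused parameter
# and the SMTP-smuggling mitigation is not in effect.
ARG POSTFIX_VERSION=3.6.6

LABEL org.opencontainers.image.authors="f@sutty.nl"

# gnutls-utils only provides certtool for the DH generation and never
# reaches the runtime stage.
RUN apk add --no-cache \
      ca-certificates \
      gnutls-utils \
      postfix~${POSTFIX_VERSION}

# Root-only (setgid, 2750) directory for the DH parameter files, as in the
# original.  Postfix reads TLS files during privileged pre-jail
# initialisation, which is presumably why the restrictive mode works --
# confirm before tightening further.
RUN install -dm 2750 -o root -g root /etc/ssl/private

# 2048-bit group, referenced by smtpd_tls_dh1024_param_file below (the
# parameter name is historical; Postfix recommends >= 2048 bits there).
RUN certtool --generate-dh-params --outfile=/etc/ssl/private/2048.dh --bits=2048

# NOTE(review): 512-bit parameters are only consulted for export-grade
# ciphers, which are excluded by smtpd_tls_exclude_ciphers below and do not
# exist in modern OpenSSL, so this file is dead weight.  It is kept only
# because the runtime stage COPYs it; remove the generation, the COPY and
# smtpd_tls_dh512_param_file together.
RUN certtool --generate-dh-params --outfile=/etc/ssl/private/512.dh --bits=512

# Paths, local delivery and listener.  mynetworks_style=subnet together with
# inet_interfaces=all trusts every host on the container's subnet(s) as a
# relay client (see smtpd_relay_restrictions); on a shared or host network
# that is a much wider trust boundary than a single application container.
RUN postconf -e \
      alias_maps='lmdb:/etc/postfix/aliases' \
      transport_maps='lmdb:/etc/postfix/transport' \
      recipient_delimiter='+' \
      sendmail_path='/usr/sbin/sendmail' \
      newaliases_path='/usr/bin/newaliases' \
      mailq_path='/usr/bin/mailq' \
      setgid_group='postdrop' \
      manpage_directory='/usr/share/man' \
      sample_directory='/etc/postfix/sample' \
      readme_directory='/usr/share/doc/postfix' \
      html_directory='no' \
      soft_bounce='no' \
      mydestination='/etc/postfix/maps/domains.cf' \
      inet_interfaces='all' \
      local_recipient_maps='unix:passwd.byname $alias_maps' \
      mynetworks_style='subnet' \
      home_mailbox='Maildir/' \
      message_size_limit=20480000 \
      inet_protocols='all'

# SMTP access policy.  Relaying is limited to mynetworks and SASL-authenticated
# clients (reject_unauth_destination); VRFY is disabled and pipelining abuse
# rejected.  No smtpd_sasl_* parameters are set in this image, so
# permit_sasl_authenticated only does anything if SASL is enabled elsewhere
# (e.g. master.cf or runtime configuration) -- confirm.
RUN postconf -e \
      disable_vrfy_command=yes \
      smtpd_helo_required=yes \
      smtpd_helo_restrictions='permit_mynetworks,permit_sasl_authenticated,reject_non_fqdn_helo_hostname,reject_invalid_helo_hostname,reject_unknown_helo_hostname,permit' \
      smtpd_recipient_restrictions='reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,reject_non_fqdn_sender,reject_unlisted_recipient' \
      smtpd_sender_restrictions='permit_mynetworks,permit_sasl_authenticated,reject_non_fqdn_sender,reject_unknown_sender_domain,permit' \
      smtpd_data_restrictions='reject_unauth_pipelining' \
      smtpd_client_restrictions='permit_mynetworks,permit_sasl_authenticated' \
      smtpd_relay_restrictions='permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination'

# TLS.  Changes from the original:
#  * smtpd_tls_mandatory_protocols was 'TLSv1'.  Postfix treats a bare
#    protocol name as an inclusion list, so that enabled TLS 1.0 only (not
#    "TLS 1.0 and newer") wherever TLS is mandatory (e.g. a submission
#    service with security_level=encrypt).  Now SSLv2/3 and TLS 1.0/1.1 are
#    excluded, i.e. TLS >= 1.2, which is also the Postfix 3.6 default.  The
#    exclusion form is used instead of '>=TLSv1.2' so the file also works on
#    Postfix < 3.6 should the package pin ever change.
#  * smtp_tls_protocols was '!SSLv2,!SSLv3,TLSv1'; the bare 'TLSv1' again
#    turned it into "TLS 1.0 only" for opportunistic outbound TLS.  Now only
#    SSLv2/3 are excluded, which was the evident intent (opportunistic TLS
#    still beats falling back to cleartext for old peers).
#  * smtp_use_tls/smtpd_use_tls are obsolete and are overridden by the
#    *_tls_security_level parameters; smtp_tls_security_level=may is now set
#    explicitly (the value Postfix derived from smtp_use_tls=yes before).
#  * 'EDH-RSA-DES-CDC3-SHA' in the exclusion list was a typo for
#    EDH-RSA-DES-CBC3-SHA.  'KRB5-DE5' is not an OpenSSL cipher name either;
#    OpenSSL ignores unknown exclusions and the DES/3DES keywords already
#    cover those suites, so it is left as is.
# smtpd_tls_cert_file/key_file are not set here; without a certificate
# Postfix will not offer STARTTLS, so they are presumably supplied at
# runtime (e.g. by the postfixd wrapper) -- confirm.  smtpd_tls_loglevel=0
# logs nothing about TLS; 1 is the usual operational setting.
RUN postconf -e \
      smtpd_tls_security_level='may' \
      smtpd_tls_auth_only='yes' \
      smtp_tls_security_level='may' \
      smtp_tls_note_starttls_offer='yes' \
      smtpd_tls_CApath='/etc/ssl/certs' \
      tls_random_source='dev:/dev/urandom' \
      smtpd_tls_dh1024_param_file='/etc/ssl/private/2048.dh' \
      smtpd_tls_dh512_param_file='/etc/ssl/private/512.dh' \
      tls_preempt_cipherlist='yes' \
      smtpd_tls_eecdh_grade='strong' \
      smtpd_tls_mandatory_ciphers='high' \
      smtpd_tls_ciphers='medium' \
      smtpd_tls_exclude_ciphers='aNULL,MD5,DES,3DES,DES-CBC3-SHA,RC4-SHA,AES256-SHA,AES128-SHA,eNULL,EXPORT,RC4,PSK,aECDH,EDH-DSS-DES-CBC3-SHA,EDH-RSA-DES-CBC3-SHA,KRB5-DE5,CBC3-SHA' \
      smtpd_tls_mandatory_protocols='!SSLv2,!SSLv3,!TLSv1,!TLSv1.1' \
      smtp_tls_ciphers='$smtpd_tls_ciphers' \
      smtp_tls_mandatory_ciphers='$smtpd_tls_mandatory_ciphers' \
      smtp_tls_protocols='!SSLv2,!SSLv3' \
      smtpd_tls_loglevel='0' \
      smtpd_tls_received_header='yes' \
      smtpd_tls_session_cache_timeout='3600s'

# Outbound throttling, address rewriting, DKIM milter, lookup tables and
# inbound rate limiting.
# NOTE(review): only non_smtpd_milters is set, so only locally submitted mail
# (sendmail/pickup) goes through opendkim; mail that arrives via smtpd from
# mynetworks or SASL clients is not signed because smtpd_milters is unset --
# confirm that is intended.  milter_default_action=accept means mail is
# delivered unsigned, rather than deferred, when opendkim is unreachable.
# The bare-newline exclusion re-opens SMTP smuggling for hosts in mynetworks;
# keep that set small.
RUN postconf -e \
      smtp_destination_concurrency_limit=2 \
      smtp_destination_rate_delay=1s \
      smtp_extra_recipient_limit=10 \
      append_dot_mydomain=yes \
      masquerade_domains='$mydomain' \
      non_smtpd_milters=inet:opendkim:8891 \
      milter_default_action=accept \
      milter_protocol=6 \
      virtual_alias_maps=lmdb:/etc/postfix/maps/virtual \
      sender_canonical_classes=envelope_sender \
      recipient_canonical_classes=envelope_recipient,header_recipient \
      smtpd_client_connection_rate_limit=10 \
      smtpd_forbid_bare_newline=yes \
      smtpd_forbid_bare_newline_exclusions='$mynetworks'
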
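# Runtime stage: a fresh copy of the base image with the same Postfix
# package, plus the rendered main.cf and DH parameters from the build stage.
# These ARGs are re-declared as in the original; the copies before the first
# FROM already apply to every FROM line, so they are redundant but harmless.
ARG ALPINE_VERSION=3.18.3
ARG BASE_IMAGE=gitea.nulo.in/sutty/monit
FROM ${BASE_IMAGE}:${ALPINE_VERSION}

# Same pin as the build stage.  main.cf is rendered by the build stage's
# postconf; an unpinned "postfix" here could install a different version
# than the one the configuration was generated for.
ARG POSTFIX_VERSION=3.6.6

LABEL org.opencontainers.image.authors="f@sutty.nl"

RUN apk add --no-cache \
      ca-certificates \
      postfix~${POSTFIX_VERSION}

# Same root-only directory as in the build stage, so the copied DH files end
# up with the same ownership/mode constraints.
RUN install -dm 2750 -o root -g root /etc/ssl/private

COPY --from=build /etc/postfix/main.cf /etc/postfix/main.cf
COPY --from=build /etc/ssl/private/2048.dh /etc/ssl/private/2048.dh
# 512-bit group: unused once export ciphers are excluded; copied only
# because main.cf still references it via smtpd_tls_dh512_param_file.
COPY --from=build /etc/ssl/private/512.dh /etc/ssl/private/512.dh

# monit configuration and the wrapper it presumably launches.  COPY keeps the
# mode bits of the source file, so postfixd.sh must be executable in the
# build context (or add --chmod=0755 once the build is known to run under
# BuildKit).  Neither ENTRYPOINT nor CMD is set here, so process start-up
# is inherited from the base image.
COPY ./monit.conf /etc/monit.d/postfix.conf
COPY ./postfixd.sh /usr/local/bin/postfixd

# Build the lookup tables main.cf references (lmdb:/etc/postfix/aliases and
# lmdb:/etc/postfix/transport).  The tables under /etc/postfix/maps live on
# the volume declared below and must be built at runtime.
RUN newaliases
RUN postmap /etc/postfix/transport

# Declared after every write to the image; contents come from the host at
# run time.
VOLUME "/etc/postfix/maps"

# No USER here on purpose: Postfix's master daemon has to start as root and
# drops privileges for its child daemons itself.
# Port -- documentation only; EXPOSE does not publish anything.  Only 25 is
# declared; a submission service (587) would depend on master.cf, which is
# not part of this image.
EXPOSE 25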