From 87b0b35d80733dcfc7d72bf82f569759a5396e59 Mon Sep 17 00:00:00 2001
From: Fabio Rauber
Date: Thu, 16 Feb 2017 11:35:07 -0200
Subject: [PATCH] Initial commit
---
Dockerfile | 10 +++++++
conf/main.cf | 57 +++++++++++++++++++++++++++++++++++++
conf/master.cf | 42 +++++++++++++++++++++++++++
conf/outclean_header_filter | 17 +++++++++++
rsyslog.conf | 4 +++
start.sh | 33 +++++++++++++++++++++
6 files changed, 163 insertions(+)
create mode 100644 Dockerfile
create mode 100644 conf/main.cf
create mode 100644 conf/master.cf
create mode 100644 conf/outclean_header_filter
create mode 100644 rsyslog.conf
create mode 100644 start.sh
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..c7b8946
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,10 @@
+FROM alpine
+
+RUN apk add --no-cache bash postfix postfix-pcre rsyslog
+
+COPY conf /etc/postfix
+COPY rsyslog.conf /etc/rsyslog.conf
+
+COPY start.sh /start.sh
+
+CMD ["/start.sh"]
diff --git a/conf/main.cf b/conf/main.cf
new file mode 100644
index 0000000..dd2e0d9
--- /dev/null
+++ b/conf/main.cf
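Review bot: `CMD ["/start.sh"]` executes the script directly, but this patch creates start.sh with mode 100644 and COPY keeps the mode from the build context, so the container will probably fail at start with a permission error unless the executable bit is set somewhere else. Either run it through the interpreter, `CMD ["/bin/bash", "/start.sh"]`, or set the mode at copy time with `COPY --chmod=0755 start.sh /start.sh` (needs BuildKit). Separately, `FROM alpine` carries no tag and the apk packages are unpinned, so the Postfix build that ends up handling mail can change silently between image builds; pin the base, e.g. `FROM alpine:<VERSION>` (placeholder; a digest is better still).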
@@ -0,0 +1,57 @@
+###############
+# General
+###############
+
+# Main domain and hostname
+mydomain = {{ DOMAIN }}
+myhostname = {{ HOSTNAME }}
+myorigin = $mydomain
+
+# Message size limit
+message_size_limit = {{ MESSAGE_SIZE_LIMIT }}
+
+# Relayed networks
+mynetworks = 127.0.0.1/32 [::1]/128 {{ RELAYNETS }}
+
+# Empty alias list to override the configuration variable and disable NIS
+alias_maps =
+
+# Only accept virtual emails
+mydestination =
+
+# Relayhost if any is configured
+relayhost = {{ RELAYHOST }}
+
+###############
+# Restrictions
+###############
+
+# Delay all rejects until all information can be logged
+smtpd_delay_reject = yes
+
+# Allowed senders are: the user or one of the alias destinations
+smtpd_sender_login_maps = $virtual_alias_maps
+
+# Helo restrictions are specified for smtp only in master.cf
+smtpd_helo_required = yes
+
+# Sender restrictions
+smtpd_sender_restrictions =
+ permit_mynetworks,
+ reject_non_fqdn_sender,
+ reject_unknown_sender_domain,
+ reject_unlisted_sender,
+ reject_sender_login_mismatch,
+ permit
+
+# Recipient restrictions:
+smtpd_recipient_restrictions =
+ reject_unauth_pipelining,
+ reject_non_fqdn_recipient,
+ reject_unknown_recipient_domain,
+ permit_mynetworks,
+ permit
+
+###############
+# Extra Settings
+###############
diff --git a/conf/master.cf b/conf/master.cf
new file mode 100644
index 0000000..3d98491
--- /dev/null
+++ b/conf/master.cf
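Review bot: `smtpd_recipient_restrictions` ends in a bare `permit` and contains no `reject_unauth_destination`, so nothing written in this file stops clients outside `mynetworks` from relaying. Protection then rests on the built-in `smtpd_relay_restrictions` default, which only exists on Postfix 2.10 and later and can be lost through a line in `/overrides/postfix.cf`. Make the policy explicit under Restrictions with `smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination`. Also, `smtpd_sender_login_maps = $virtual_alias_maps` points at a map this file never sets, so `reject_sender_login_mismatch` presumably has nothing to check against; a comment saying what is expected to supply it would help.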
@@ -0,0 +1,42 @@
+# service type private unpriv chroot wakeup maxproc command + args
+# (yes) (yes) (yes) (never) (100)
+
+# Exposed SMTP services
+smtp inet n - n - - smtpd
+ -o smtpd_sender_restrictions=permit_mynetworks,permit
+submission inet n - n - - smtpd
+# -o smtpd_tls_security_level=encrypt
+# -o smtpd_sasl_auth_enable=yes
+# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+ -o cleanup_service_name=outclean
+#smtps inet n - n - - smtpd
+# -o smtpd_tls_security_level=encrypt
+# -o smtpd_sasl_auth_enable=yes
+# -o smtpd_tls_wrappermode=yes
+# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+ -o cleanup_service_name=outclean
+
+# Additional services
+outclean unix n - n - 0 cleanup
+ -o header_checks=pcre:/etc/postfix/outclean_header_filter
+
+# Internal postfix services
+pickup unix n - n 60 1 pickup
+cleanup unix n - n - 0 cleanup
+qmgr unix n - n 300 1 qmgr
+tlsmgr unix - - n 1000? 1 tlsmgr
+rewrite unix - - n - - trivial-rewrite
+bounce unix - - n - 0 bounce
+defer unix - - n - 0 bounce
+trace unix - - n - 0 bounce
+verify unix - - n - 1 verify
+flush unix n - n 1000? 0 flush
+proxymap unix - - n - - proxymap
+smtp unix - - n - - smtp
+relay unix - - n - - smtp
+error unix - - n - - error
+retry unix - - n - - error
+discard unix - - n - - discard
+lmtp unix - - n - - lmtp
+anvil unix - - n - 1 anvil
+scache unix - - n - 1 scache
diff --git a/conf/outclean_header_filter b/conf/outclean_header_filter
new file mode 100644
index 0000000..03e33ee
--- /dev/null
+++ b/conf/outclean_header_filter
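Review bot: The `submission` entry has its `smtpd_tls_security_level=encrypt`, `smtpd_sasl_auth_enable=yes` and `smtpd_client_restrictions=permit_sasl_authenticated,reject` overrides commented out, so the submission port accepts mail without TLS or authentication. main.cf in this patch sets up no TLS certificate or SASL backend, so either leave the listener commented out until those exist or add a comment stating that it is intentionally unauthenticated and relies on `mynetworks`. The indented `-o cleanup_service_name=outclean` line after the commented `#smtps` block is itself not commented; since Postfix skips comment lines when joining continuation lines, it appears to attach to `submission` as a duplicate option, and should be written `# -o cleanup_service_name=outclean` like the rest of that block.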
@@ -0,0 +1,17 @@
+# This configuration was copied from Mailinabox. The original version is available at:
+# https://raw.githubusercontent.com/mail-in-a-box/mailinabox/master/conf/postfix_outgoing_mail_header_filters
+
+# Remove the first line of the Received: header. Note that we cannot fully remove the Received: header
+# because OpenDKIM requires that a header be present when signing outbound mail. The first line is
+# where the user's home IP address would be.
+/^\s*Received:[^\n]*(.*)/ REPLACE Received: from authenticated-user (PRIMARY_HOSTNAME [PUBLIC_IP])$1
+
+# Remove other typically private information.
+/^\s*User-Agent:/ IGNORE
+/^\s*X-Enigmail:/ IGNORE
+/^\s*X-Mailer:/ IGNORE
+/^\s*X-Originating-IP:/ IGNORE
+/^\s*X-Pgp-Agent:/ IGNORE
+
+# The Mime-Version header can leak the user agent too, e.g. in Mime-Version: 1.0 (Mac OS X Mail 8.1 \(2010.6\)).
+/^\s*(Mime-Version:\s*[0-9\.]+)\s.+/ REPLACE $1
diff --git a/rsyslog.conf b/rsyslog.conf
new file mode 100644
index 0000000..13353b8
--- /dev/null
+++ b/rsyslog.conf
@@ -0,0 +1,4 @@
+$ModLoad imuxsock
+$template noTimestampFormat,"%syslogtag%%msg%\n"
+$ActionFileDefaultTemplate noTimestampFormat
+*.*;auth,authpriv.none /dev/stdout
diff --git a/start.sh b/start.sh
new file mode 100644
index 0000000..c093143
--- /dev/null
+++ b/start.sh
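Review bot: The `Received:` rule in conf/outclean_header_filter will write the literal tokens `PRIMARY_HOSTNAME` and `PUBLIC_IP` into outgoing mail. Upstream replaces them during its own setup, but start.sh in this patch only substitutes `{{ NAME }}` placeholders and only in `/etc/postfix/*.cf`, which does not match this file. Use the project's placeholder form instead, e.g. `REPLACE Received: from authenticated-user ({{ HOSTNAME }})$1`, and extend the sed glob in start.sh to cover `outclean_header_filter`. A one-line comment that the filter only runs for services started with `cleanup_service_name=outclean` would also help whoever audits which mail has its headers scrubbed.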
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Substitute configuration
+for VARIABLE in `env | cut -f1 -d=`; do
+ sed -i "s={{ $VARIABLE }}=${!VARIABLE}=g" /etc/postfix/*.cf
+done
+
+# Override Postfix configuration
+if [ -f /overrides/postfix.cf ]; then
+ while read line; do
+ postconf -e "$line"
+ done < /overrides/postfix.cf
+ echo "Loaded '/overrides/postfix.cf'"
+else
+ echo "No extra postfix settings loaded because optional '/overrides/postfix.cf' not provided."
+fi
+
+# Include table-map files
+if ls -A /overrides/*.map 1> /dev/null 2>&1; then
+ cp /overrides/*.map /etc/postfix/
+ postmap /etc/postfix/*.map
+ rm /etc/postfix/*.map
+ chown root:root /etc/postfix/*.db
+ chmod 0600 /etc/postfix/*.db
+ echo "Loaded 'map files'"
+else
+ echo "No extra map files loaded because optional '/overrides/*.map' not provided."
+fi
+
+# Actually run Postfix
+rm -f /var/run/rsyslogd.pid
+/usr/lib/postfix/master &
+rsyslogd -n
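Review bot: The substitution loop passes every environment variable's value into a sed replacement unescaped, so a value containing `=`, `&` or `\` breaks or alters the expression, and any placeholder whose variable is unset stays in main.cf as literal text (for example `relayhost = {{ RELAYHOST }}`). Limit the loop to the placeholders the templates actually use, escape the value, and stop if a placeholder survives; with the explicit list an unset variable becomes an empty value. Smaller points in the same file: `while read line` should be `while IFS= read -r line`, and because `/usr/lib/postfix/master &` is backgrounded the container keeps running on rsyslogd alone if Postfix exits.

```shell
# Substitute configuration: only the placeholders the templates define
for VARIABLE in DOMAIN HOSTNAME MESSAGE_SIZE_LIMIT RELAYNETS RELAYHOST; do
    # escape what sed treats specially in a replacement ('=' is the delimiter here)
    VALUE=$(printf '%s' "${!VARIABLE}" | sed -e 's/[\\&=]/\\&/g')
    sed -i "s={{ $VARIABLE }}=${VALUE}=g" /etc/postfix/*.cf
done
if grep -q '{{ [A-Za-z_]* }}' /etc/postfix/*.cf; then
    echo "Unsubstituted placeholder left in /etc/postfix/*.cf" >&2
    exit 1
fi
# … unchanged: postfix.cf overrides, map files, process start …
```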