mirror of
https://github.com/bokysan/docker-postfix.git
synced 2024-09-20 06:46:10 +08:00
Updated documentation
This commit is contained in:
parent
51173d36e0
commit
6b62ad360e
BIN
GApps-SMTP-config.png
Normal file
353
README.md
|
@ -2,19 +2,58 @@
|
||||||
|
|
||||||
Simple postfix relay host ("postfix null client") for your Docker containers. Based on Alpine Linux.
|
Simple postfix relay host ("postfix null client") for your Docker containers. Based on Alpine Linux.
|
||||||
|
|
||||||
|
## Table of contents
|
||||||
|
|
||||||
|
* [Table of contents](#table-of-contents)
|
||||||
|
* [Description](#description)
|
||||||
|
* [TL;DR](#tldr)
|
||||||
|
* [Configuration options](#configuration-options)
|
||||||
|
* [General options](#general-options)
|
||||||
|
* [Inbound debugging](#inbound-debugging)
|
||||||
|
* [ALLOWED_SENDER_DOMAINS and ALLOW_EMPTY_SENDER_DOMAINS](#allowed_sender_domains-and-allow_empty_sender_domains)
|
||||||
|
* [Log format](#log-format)
|
||||||
|
* [Postfix-specific options](#postfix-specific-options)
|
||||||
|
* [RELAYHOST, RELAYHOST_USERNAME and RELAYHOST_PASSWORD](#relayhost-relayhost_username-and-relayhost_password)
|
||||||
|
* [RELAYHOST_TLS_LEVEL](#relayhost_tls_level)
|
||||||
|
* [MASQUERADED_DOMAINS](#masqueraded_domains)
|
||||||
|
* [SMTP_HEADER_CHECKS](#smtp_header_checks)
|
||||||
|
* [POSTFIX_hostname](#postfix_hostname)
|
||||||
|
* [POSTFIX_mynetworks](#postfix_mynetworks)
|
||||||
|
* [POSTFIX_message_size_limit](#postfix_message_size_limit)
|
||||||
|
* [Overriding specific postfix settings](#overriding-specific-postfix-settings)
|
||||||
|
* [DKIM / DomainKeys](#dkim--domainkeys)
|
||||||
|
* [Supplying your own DKIM keys](#supplying-your-own-dkim-keys)
|
||||||
|
* [Auto-generating the DKIM selectors through the image](#auto-generating-the-dkim-selectors-through-the-image)
|
||||||
|
* [Changing the DKIM selector](#changing-the-dkim-selector)
|
||||||
|
* [Overriding specific OpenDKIM settings](#overriding-specific-opendkim-settings)
|
||||||
|
* [Verifying your DKIM setup](#verifying-your-dkim-setup)
|
||||||
|
* [Extending the image](#extending-the-image)
|
||||||
|
* [Using custom init scripts](#using-custom-init-scripts)
|
||||||
|
* [Security](#security)
|
||||||
|
* [Quick how-tos](#quick-how-tos)
|
||||||
|
* [Relaying messages through your Gmail account](#relaying-messages-through-your-gmail-account)
|
||||||
|
* [Relaying messages through Google Apps account](#relaying-messages-through-google-apps-account)
|
||||||
|
* [Sending messages directly](#sending-messages-directly)
|
||||||
|
* [Similar projects](#similar-projects)
|
||||||
|
* [License check](#license-check)
|
||||||
|
|
||||||
## Description
|
## Description
|
||||||
|
|
||||||
This image allows you to run POSTFIX internally inside your docker cloud/swarm installation to centralise outgoing email sending. The embedded postfix enables you to either _send messages directly_ or _relay them to your company's main server_.
|
This image allows you to run POSTFIX internally inside your docker cloud/swarm installation to centralise outgoing email
|
||||||
|
sending. The embedded postfix enables you to either _send messages directly_ or _relay them to your company's main
|
||||||
|
server_.
|
||||||
|
|
||||||
This is a _server side_ POSTFIX image, geared towards emails that need to be sent from your applications. That's why this postfix configuration does not support username / password login or similar client-side security features.
|
This is a _server side_ POSTFIX image, geared towards emails that need to be sent from your applications. That's why
|
||||||
|
this postfix configuration does not support username / password login or similar client-side security features.
|
||||||
|
|
||||||
**IF YOU WANT TO SET UP AND MANAGE A POSTFIX INSTALLATION FOR END USERS, THIS IMAGE IS NOT FOR YOU.** If you need it to manage your application's outgoing queue, read on.
|
**IF YOU WANT TO SET UP AND MANAGE A POSTFIX INSTALLATION FOR END USERS, THIS IMAGE IS NOT FOR YOU.** If you need it to
|
||||||
|
manage your application's outgoing queue, read on.
|
||||||
|
|
||||||
## TL;DR
|
## TL;DR
|
||||||
|
|
||||||
To run the container, do the following:
|
To run the container, do the following:
|
||||||
|
|
||||||
```sh
|
```shell script
|
||||||
docker run --rm --name postfix -e "ALLOWED_SENDER_DOMAINS=example.com" -p 1587:587 boky/postfix
|
docker run --rm --name postfix -e "ALLOWED_SENDER_DOMAINS=example.com" -p 1587:587 boky/postfix
|
||||||
```
|
```
|
||||||
|
|
||||||
|
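Review bot: the fence tag is changed from `sh` to `shell script` in this hunk (and in every other fence in the README); most Markdown renderers key highlighting on the first token of the info string, so `shell script` may fall back to plain text or not be recognised at all. Suggest `sh` or `bash`. Minor: the new table of contents lists itself as its first entry; dropping the `[Table of contents]` line reads cleaner.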
@ -49,6 +88,35 @@ The following configuration options are available
|
||||||
- `ALLOW_EMPTY_SENDER_DOMAINS` = if value is set (i.e: `true`), `ALLOWED_SENDER_DOMAINS` can be unset
|
- `ALLOW_EMPTY_SENDER_DOMAINS` = if value is set (i.e: `true`), `ALLOWED_SENDER_DOMAINS` can be unset
|
||||||
- `LOG_FORMAT` = Set your log format (JSON or plain)
|
- `LOG_FORMAT` = Set your log format (JSON or plain)
|
||||||
|
|
||||||
|
#### Inbound debugging
|
||||||
|
|
||||||
|
Enable additional debugging for any connection coming from `POSTFIX_mynetworks`. Set to a non-empty string (usually `1`
|
||||||
|
or `yes`) to enable debugging.
|
||||||
|
|
||||||
|
#### `ALLOWED_SENDER_DOMAINS` and `ALLOW_EMPTY_SENDER_DOMAINS`
|
||||||
|
|
||||||
|
Due to in-built spam protection in [Postfix](http://www.postfix.org/postconf.5.html#smtpd_relay_restrictions) you will
|
||||||
|
need to specify sender domains -- the domains you are using to send your emails from, otherwise Postfix will refuse to
|
||||||
|
start.
|
||||||
|
|
||||||
|
Example:
|
||||||
|
|
||||||
|
```shell script
|
||||||
|
docker run --rm --name postfix -e "ALLOWED_SENDER_DOMAINS=example.com example.org" -p 1587:587 boky/postfix
|
||||||
|
```
|
||||||
|
|
||||||
|
If you want to set the restrictions on the recipient and not on the sender (anyone can send mails but just to a single domain for instance),
|
||||||
|
set `ALLOW_EMPTY_SENDER_DOMAINS` to a non-empty value (e.g. `true`) and `ALLOWED_SENDER_DOMAINS` to an empty string. Then extend this image through custom scripts to configure Postfix further.
|
||||||
|
|
||||||
|
#### Log format
|
||||||
|
|
||||||
|
The image will by default output logs in human-readable (`plain`) format. If you are deploying the image to Kubernetes,
|
||||||
|
it might be worth chaging the output format to `json` as it's more easily parsable by tools such as
|
||||||
|
[Prometheus](https://prometheus.io/).
|
||||||
|
|
||||||
|
To change the log format, set the (unsurprisingly named) variable `LOG_FORMAT=json`.
|
||||||
|
|
||||||
|
|
||||||
### Postfix-specific options
|
### Postfix-specific options
|
||||||
|
|
||||||
- `RELAYHOST` = Host that relays your messages
|
- `RELAYHOST` = Host that relays your messages
|
||||||
|
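Review bot: the new `#### Inbound debugging` heading drops the variable name. The heading it replaces was `### \`INBOUND_DEBUGGING\`` and the new paragraph only says "set to a non-empty string", so a reader no longer learns which variable to set; suggest `#### \`INBOUND_DEBUGGING\``, matching the other option headings in this hunk. Also `chaging` in the Log format paragraph should be `changing`, and the `ALLOW_EMPTY_SENDER_DOMAINS` paragraph would benefit from a sentence saying that once the sender-domain check is off, the only thing limiting who may relay through the container is `POSTFIX_mynetworks`, which is why it tells the reader to configure Postfix further with custom scripts.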
@ -59,9 +127,12 @@ The following configuration options are available
|
||||||
- `POSTFIX_mynetworks` = Allow sending mails only from specific networks ( default `127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16` )
|
- `POSTFIX_mynetworks` = Allow sending mails only from specific networks ( default `127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16` )
|
||||||
- `POSTFIX_myhostname` = Set the name of this postfix server
|
- `POSTFIX_myhostname` = Set the name of this postfix server
|
||||||
- `MASQUERADED_DOMAINS` = domains where you want to masquerade internal hosts
|
- `MASQUERADED_DOMAINS` = domains where you want to masquerade internal hosts
|
||||||
- `POSTFIX_<any_postfix_setting>` = provide any additional postfix setting
|
|
||||||
- `SMTP_HEADER_CHECKS`= Set to `1` to enable header checks of to a location
|
- `SMTP_HEADER_CHECKS`= Set to `1` to enable header checks of to a location
|
||||||
of the file for header checks
|
of the file for header checks
|
||||||
|
- `POSTFIX_hostname` = Set tha name of this postfix server
|
||||||
|
- `POSTFIX_mynetworks` = Allow sending mails only from specific networks ( default `127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16` )
|
||||||
|
- `POSTFIX_message_size_limit` = The maximum size of the messsage, in bytes, by default it's unlimited
|
||||||
|
- `POSTFIX_<any_postfix_setting>` = provide any additional postfix setting
|
||||||
|
|
||||||
### DKIM-specific options
|
### DKIM-specific options
|
||||||
|
|
||||||
|
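Review bot: the added `POSTFIX_hostname` bullet conflicts with the existing `POSTFIX_myhostname` bullet two lines above it. Since `POSTFIX_<any_postfix_setting>` maps straight onto a Postfix parameter and the Postfix parameter is `myhostname`, one of the two should go, or the text should say which name the image actually honours; the same `POSTFIX_hostname` spelling is used for the new `#### \`POSTFIX_hostname\`` section and its example further down. The hunk also adds a second `POSTFIX_mynetworks` bullet that duplicates the one already in the list, and carries typos: `tha` for `the`, `messsage` for `message`, and `of to a location` in the `SMTP_HEADER_CHECKS` line should read `or to a location`.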
@ -89,112 +160,126 @@ you will most likely have a dedicated outgoing mail server. By setting this opti
|
||||||
|
|
||||||
Example:
|
Example:
|
||||||
|
|
||||||
```sh
|
```shell script
|
||||||
docker run --rm --name postfix -e RELAYHOST=192.168.115.215 -p 1587:587 boky/postfix
|
docker run --rm --name postfix -e RELAYHOST=192.168.115.215 -p 1587:587 boky/postfix
|
||||||
```
|
```
|
||||||
|
|
||||||
You may optionally specifiy a relay port, e.g.:
|
You may optionally specifiy a relay port, e.g.:
|
||||||
|
|
||||||
```sh
|
```shell script
|
||||||
docker run --rm --name postfix -e RELAYHOST=192.168.115.215:587 -p 1587:587 boky/postfix
|
docker run --rm --name postfix -e RELAYHOST=192.168.115.215:587 -p 1587:587 boky/postfix
|
||||||
```
|
```
|
||||||
|
|
||||||
Or an IPv6 address, e.g.:
|
Or an IPv6 address, e.g.:
|
||||||
|
|
||||||
```sh
|
```shell script
|
||||||
docker run --rm --name postfix -e 'RELAYHOST=[2001:db8::1]:587' -p 1587:587 boky/postfix
|
docker run --rm --name postfix -e 'RELAYHOST=[2001:db8::1]:587' -p 1587:587 boky/postfix
|
||||||
```
|
```
|
||||||
|
|
||||||
If your end server requires you to authenticate with username/password, add them also:
|
If your end server requires you to authenticate with username/password, add them also:
|
||||||
|
|
||||||
```sh
|
```shell script
|
||||||
docker run --rm --name postfix -e RELAYHOST=mail.google.com -e RELAYHOST_USERNAME=hello@gmail.com -e RELAYHOST_PASSWORD=world -p 1587:587 boky/postfix
|
docker run --rm --name postfix -e RELAYHOST=mail.google.com -e RELAYHOST_USERNAME=hello@gmail.com -e RELAYHOST_PASSWORD=world -p 1587:587 boky/postfix
|
||||||
```
|
```
|
||||||
|
|
||||||
### `RELAYHOST_TLS_LEVEL`
|
#### `RELAYHOST_TLS_LEVEL`
|
||||||
|
|
||||||
Define relay host TLS connection level. See [smtp_tls_security_level](http://www.postfix.org/postconf.5.html#smtp_tls_security_level) for details. By default, the permissive level ("may") is used, which basically means "use TLS if available" and should be a sane default in most cases.
|
Define relay host TLS connection level. See [smtp_tls_security_level](http://www.postfix.org/postconf.5.html#smtp_tls_security_level) for details. By default, the permissive level ("may") is used, which basically means "use TLS if available" and should be a sane default in most cases.
|
||||||
|
|
||||||
This level defines how the postfix will connect to your upstream server.
|
This level defines how the postfix will connect to your upstream server.
|
||||||
|
|
||||||
### `POSTFIX_message_size_limit`
|
#### `MASQUERADED_DOMAINS`
|
||||||
|
|
||||||
Define the maximum size of the message, in bytes.
|
If you don't want outbound mails to expose hostnames, you can use this variable to enable Postfix's
|
||||||
See more in [Postfix documentation](http://www.postfix.org/postconf.5.html#message_size_limit).
|
[address masquerading](http://www.postfix.org/ADDRESS_REWRITING_README.html#masquerade). This can be used to do things
|
||||||
|
like rewrite `lorem@ipsum.example.com` to `lorem@example.com`.
|
||||||
|
|
||||||
By default, this limit is set to 0 (zero), which means unlimited. Why would you want to set this? Well, this is especially useful in relation
|
Example:
|
||||||
with `RELAYHOST` setting. If your relay host has a message limit (and usually it does), set it also here. This will help you "fail fast" --
|
|
||||||
your message will be rejected at the time of sending instead having it stuck in the outbound queue indefenetly.
|
|
||||||
|
|
||||||
### `POSTFIX_mynetworks`
|
```shell script
|
||||||
|
docker run --rm --name postfix -e "ALLOWED_SENDER_DOMAINS=example.com example.org" -e "MASQUERADED_DOMAINS=example.com" -p 1587:587 boky/postfix
|
||||||
|
```
|
||||||
|
|
||||||
|
#### `SMTP_HEADER_CHECKS`
|
||||||
|
|
||||||
|
This image allows you to execute Postfix [header checks](http://www.postfix.org/header_checks.5.html). Header checks
|
||||||
|
allow you to execute a certain action when a certain MIME header is found. For example, header checks can be used
|
||||||
|
prevent attaching executable files to emails.
|
||||||
|
|
||||||
|
Header checks work by comparing each message header line to a pre-configured list of patterns. When a match is found the
|
||||||
|
corresponding action is executed. The default patterns that come with this image can be found in the `smtp_header_checks`
|
||||||
|
file. Feel free to override this file in any derived images or, alternately, provide your own in another directory.
|
||||||
|
|
||||||
|
Set `SMTP_HEADER_CHECKS` to type and location of the file to enable this feature. The sample file is uploaded into
|
||||||
|
`/etc/postfix/smtp_header_checks` in the image. As a convenience, setting `SMTP_HEADER_CHECKS=1` will set this to
|
||||||
|
`regexp:/etc/postfix/smtp_header_checks`.
|
||||||
|
|
||||||
|
Example:
|
||||||
|
|
||||||
|
```shell script
|
||||||
|
docker run --rm --name postfix -e "SMTP_HEADER_CHECKS="regexp:/etc/postfix/smtp_header_checks" -e "ALLOWED_SENDER_DOMAINS=example.com example.org" -p 1587:587 boky/postfix
|
||||||
|
```
|
||||||
|
|
||||||
|
#### `POSTFIX_hostname`
|
||||||
|
|
||||||
|
You may configure a specific hostname that the SMTP server will use to identify itself. If you don't do it,
|
||||||
|
the default Docker host name will be used. A lot of times, this will be just the container id (e.g. `f73792d540a5`)
|
||||||
|
which may make it difficult to track your emails in the log files. If you care about tracking at all,
|
||||||
|
I suggest you set this variable, e.g.:
|
||||||
|
|
||||||
|
```shell script
|
||||||
|
docker run --rm --name postfix -e "POSTFIX_hostname=postfix-docker" -p 1587:587 boky/postfix
|
||||||
|
```
|
||||||
|
|
||||||
|
#### `POSTFIX_mynetworks`
|
||||||
|
|
||||||
This implementation is meant for private installations -- so that when you configure your services using _docker compose_
|
This implementation is meant for private installations -- so that when you configure your services using _docker compose_
|
||||||
you can just plug it in. Precisely because of this reason and the prevent any issues with this postfix being inadvertently
|
you can just plug it in. Precisely because of this reason and the prevent any issues with this postfix being inadvertently
|
||||||
exposed on the internet and then used for sending spam, the *default networks are reserved for private IPv4 IPs only*.
|
exposed on the internet and then used for sending spam, the *default networks are reserved for private IPv4 IPs only*.
|
||||||
|
|
||||||
Most likely you won't need to change this. However, if you need to support IPv6 or strenghten the access further, you can
|
Most likely you won't need to change this. However, if you need to support IPv6 or strenghten the access further, you
|
||||||
override this setting.
|
can override this setting.
|
||||||
|
|
||||||
Example:
|
Example:
|
||||||
|
|
||||||
```sh
|
```shell script
|
||||||
docker run --rm --name postfix -e "MYNETWORKS=10.1.2.0/24" -p 1587:587 boky/postfix
|
docker run --rm --name postfix -e "POSTFIX_mynetworks=10.1.2.0/24" -p 1587:587 boky/postfix
|
||||||
```
|
```
|
||||||
|
|
||||||
### `ALLOWED_SENDER_DOMAINS`
|
#### `POSTFIX_message_size_limit`
|
||||||
|
|
||||||
Due to in-built spam protection in [Postfix](http://www.postfix.org/postconf.5.html#smtpd_relay_restrictions) you will need to specify
|
Define the maximum size of the message, in bytes.
|
||||||
sender domains -- the domains you are using to send your emails from, otherwise Postfix will refuse to start.
|
See more in [Postfix documentation](http://www.postfix.org/postconf.5.html#message_size_limit).
|
||||||
|
|
||||||
Example:
|
By default, this limit is set to 0 (zero), which means unlimited. Why would you want to set this? Well, this is
|
||||||
|
especially useful in relation with `RELAYHOST` setting. If your relay host has a message limit (and usually it does),
|
||||||
|
set it also here. This will help you "fail fast" -- your message will be rejected at the time of sending instead having
|
||||||
|
it stuck in the outbound queue indefinitely.
|
||||||
|
|
||||||
```sh
|
#### Overriding specific postfix settings
|
||||||
docker run --rm --name postfix -e "ALLOWED_SENDER_DOMAINS=example.com example.org" -p 1587:587 boky/postfix
|
|
||||||
```
|
|
||||||
|
|
||||||
If you want to set the restrictions on the recipient and not on the sender (anyone can send mails but just to a single domain for instance), set `ALLOW_EMPTY_SENDER_DOMAINS` to a non-empty value (e.g. `true`) and `ALLOWED_SENDER_DOMAINS` to an empty string. Then extend this image through custom scripts to configure Postfix further.
|
Any Postfix [configuration option](http://www.postfix.org/postconf.5.html) can be overriden using `POSTFIX_<name>`
|
||||||
|
environment variables, e.g. `POSTFIX_allow_mail_to_commands=alias,forward,include`. Specifying no content (empty
|
||||||
|
variable) will remove that variable from postfix config.
|
||||||
|
|
||||||
### `INBOUND_DEBUGGING`
|
### DKIM / DomainKeys
|
||||||
|
|
||||||
Enable additional debugging for any connection comming from `MYNETWORKS`. Set to a non-empty string (usually "1" or "yes") to
|
**This image is equipped with support for DKIM.** If you want to use DKIM you will need to generate DKIM keys. These can
|
||||||
enable debugging.
|
be either generated automatically, or you can supply them yourself.
|
||||||
|
|
||||||
### `MASQUERADED_DOMAINS`
|
The DKIM supports the following options:
|
||||||
|
|
||||||
If you don't want outbound mails to expose hostnames, you can use this variable to enable Postfix's [address masquerading](http://www.postfix.org/ADDRESS_REWRITING_README.html#masquerade). This can be used to do things like rewrite `lorem@ipsum.example.com` to `lorem@example.com`.
|
- `DKIM_SELECTOR` = Override the default DKIM selector (by default "mail").
|
||||||
|
- `DKIM_AUTOGENERATE` = Set to non-empty value (e.g. `true` or `1`) to have
|
||||||
|
the server auto-generate domain keys.
|
||||||
|
- `OPENDKIM_<any_dkim_setting>` = Provide any additional OpenDKIM setting.
|
||||||
|
|
||||||
Example:
|
#### Supplying your own DKIM keys
|
||||||
|
|
||||||
```sh
|
If you want to use your own DKIM keys, you'll need to create a folder for every domain you want to send through. You
|
||||||
docker run --rm --name postfix -e "ALLOWED_SENDER_DOMAINS=example.com example.org" -e "MASQUERADED_DOMAINS=example.com" -p 1587:587 boky/postfix
|
will need to generate they key(s) with the `opendkim-genkey` command, e.g.
|
||||||
```
|
|
||||||
|
|
||||||
### `SMTP_HEADER_CHECKS`
|
```shell script
|
||||||
|
|
||||||
This image allows you to execute Postfix [header checks](http://www.postfix.org/header_checks.5.html). Header checks allow you to execute a certain
|
|
||||||
action when a certain MIME header is found. For example, header checks can be used prevent attaching executable files to emails.
|
|
||||||
|
|
||||||
Header checks work by comparing each message header line to a pre-configured list of patterns. When a match is found the corresponding action is
|
|
||||||
executed. The default patterns that come with this image can be found in the `smtp_header_checks` file. Feel free to override this file in any derived
|
|
||||||
images or, alternately, provide your own in another directory.
|
|
||||||
|
|
||||||
Set `SMTP_HEADER_CHECKS` to type and location of the file to enable this feature. The sample file is uploaded into `/etc/postfix/smtp_header_checks`
|
|
||||||
in the image. As a convenience, setting `SMTP_HEADER_CHECKS=1` will set this to `regexp:/etc/postfix/smtp_header_checks`.
|
|
||||||
|
|
||||||
Example:
|
|
||||||
|
|
||||||
```sh
|
|
||||||
docker run --rm --name postfix -e "SMTP_HEADER_CHECKS="regexp:/etc/postfix/smtp_header_checks" -e "ALLOWED_SENDER_DOMAINS=example.com example.org" -p 1587:587 boky/postfix
|
|
||||||
```
|
|
||||||
|
|
||||||
## DKIM / DomainKeys
|
|
||||||
|
|
||||||
### Supplying your own DKIM keys
|
|
||||||
|
|
||||||
**This image is equiped with support for DKIM.** If you want to use DKIM you will need to generate DKIM keys yourself.
|
|
||||||
You'll need to create a folder for every domain you want to send through Postfix and generate they key(s) with the following command, e.g.
|
|
||||||
|
|
||||||
```sh
|
|
||||||
mkdir -p /host/keys; cd /host/keys
|
mkdir -p /host/keys; cd /host/keys
|
||||||
|
|
||||||
for DOMAIN in example.com example.org; do
|
for DOMAIN in example.com example.org; do
|
||||||
|
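Review bot: the `SMTP_HEADER_CHECKS` example is not valid shell: in `-e "SMTP_HEADER_CHECKS="regexp:/etc/postfix/smtp_header_checks"` the inner quotes close and reopen the string, leaving an unbalanced quote that swallows the following `-e`; it should be `-e "SMTP_HEADER_CHECKS=regexp:/etc/postfix/smtp_header_checks"`. The line is unchanged context, but it is copied into the new section verbatim, so this is the place to fix it. The `RELAYHOST_TLS_LEVEL` section describes the default `may` as "use TLS if available" right after an example that sets `RELAYHOST_USERNAME`/`RELAYHOST_PASSWORD`; it is worth stating that with `may` the session silently falls back to plaintext when the upstream does not offer STARTTLS, and that `encrypt` (or `secure`) is the safer value whenever credentials are configured. Correcting `MYNETWORKS` to `POSTFIX_mynetworks` in the example is right. Remaining typos in the moved text: `specifiy`, `strenghten`, `they key(s)`, and `and the prevent any issues` should be `and to prevent any issues`.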
@ -211,30 +296,30 @@ done
|
||||||
|
|
||||||
`opendkim-genkey` is usually in your favourite distribution provided by installing `opendkim-tools` or `opendkim-utils`.
|
`opendkim-genkey` is usually in your favourite distribution provided by installing `opendkim-tools` or `opendkim-utils`.
|
||||||
|
|
||||||
Add the created `<domain>.txt` files to your DNS records. Afterwards, just mount `/etc/opendkim/keys` into your image and DKIM
|
Add the created `<domain>.txt` files to your DNS records. Afterwards, just mount `/etc/opendkim/keys` into your image
|
||||||
will be used automatically, e.g.:
|
and DKIM will be used automatically, e.g.:
|
||||||
|
|
||||||
```sh
|
```shell script
|
||||||
docker run --rm --name postfix -e "ALLOWED_SENDER_DOMAINS=example.com example.org" -v /host/keys:/etc/opendkim/keys -p 1587:587 boky/postfix
|
docker run --rm --name postfix -e "ALLOWED_SENDER_DOMAINS=example.com example.org" -v /host/keys:/etc/opendkim/keys -p 1587:587 boky/postfix
|
||||||
```
|
```
|
||||||
|
|
||||||
### Auto-generating the DKIM selectors with
|
#### Auto-generating the DKIM selectors through the image
|
||||||
|
|
||||||
If you set the environment variable `DKIM_AUTOGENERATE` to a non-empty value
|
If you set the environment variable `DKIM_AUTOGENERATE` to a non-empty value (e.g. `true` or `1`) the image will
|
||||||
(e.g. `true` or `1`) the image will automatically generate the keys.
|
automatically generate the keys.
|
||||||
|
|
||||||
**Be careful when using this option**. If you don't bind `/etc/opendkim/keys`
|
**Be careful when using this option**. If you don't bind `/etc/opendkim/keys` to a persistent volume, you will get new
|
||||||
to a persistent volume, you will get new keys every single time. You will need
|
keys every single time. You will need to take the generated public part of the key (the one in the `.txt` file) and
|
||||||
to take the generated public part of the key (the one in the `.txt` file) and
|
|
||||||
copy it over to your DNS server manually.
|
copy it over to your DNS server manually.
|
||||||
|
|
||||||
### Changing the DKIM selector
|
#### Changing the DKIM selector
|
||||||
|
|
||||||
`mail` is the *default DKIM selector* and should be sufficient for most usages. If you wish to override the selector,
|
`mail` is the *default DKIM selector* and should be sufficient for most usages. If you wish to override the selector,
|
||||||
set the environment variable `DKIM_SELECTOR`, e.g. `... -e DKIM_SELECTOR=postfix`. Note that the same DKIM selector will be
|
set the environment variable `DKIM_SELECTOR`, e.g. `... -e DKIM_SELECTOR=postfix`. Note that the same DKIM selector will
|
||||||
applied to all found domains. To override a selector for a specific domain use the syntax `[<domain>=<selector>,...]`, e.g.:
|
be applied to all found domains. To override a selector for a specific domain use the syntax
|
||||||
|
`[<domain>=<selector>,...]`, e.g.:
|
||||||
|
|
||||||
```sh
|
```shell script
|
||||||
DKIM_SELECTOR=foo,example.org=postfix,example.com=blah
|
DKIM_SELECTOR=foo,example.org=postfix,example.com=blah
|
||||||
```
|
```
|
||||||
|
|
||||||
|
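Review bot: "mount `/etc/opendkim/keys` into your image" should read "into the container"; a bind mount is a `docker run` option, not part of the image. The `DKIM_AUTOGENERATE` warning that follows would be clearer if it pointed at that same `-v /host/keys:/etc/opendkim/keys` mount as the way to persist the generated keys, and said that the `.txt` public part has to be published in DNS before the first signed message goes out, since anything sent before the record exists will fail DKIM verification at the recipient.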
@ -244,60 +329,112 @@ This means:
|
||||||
- use `blah` for `example.com` domain
|
- use `blah` for `example.com` domain
|
||||||
- use `foo` if no domain matches
|
- use `foo` if no domain matches
|
||||||
|
|
||||||
### Verifying your setup
|
#### Overriding specific OpenDKIM settings
|
||||||
|
|
||||||
I strongly suggest using a service such as [dkimvalidator](https://dkimvalidator.com/) to make sure your keys are set up properly
|
Any OpenDKIM [configuration option](http://opendkim.org/opendkim.conf.5.html) can be overriden using `OPENDKIM_<name>`
|
||||||
and your DNS server is serving them with the correct records.
|
environment variables, e.g. `OPENDKIM_RequireSafeKeys=yes`. Specifying no content (empty variable) will remove that
|
||||||
|
variable from OpenDKIM config.
|
||||||
|
|
||||||
|
#### Verifying your DKIM setup
|
||||||
|
|
||||||
|
I strongly suggest using a service such as [dkimvalidator](https://dkimvalidator.com/) to make sure your keys are set up
|
||||||
|
properly and your DNS server is serving them with the correct records.
|
||||||
|
|
||||||
## Extending the image
|
## Extending the image
|
||||||
|
|
||||||
### Using custom init scripts
|
### Using custom init scripts
|
||||||
|
|
||||||
If you need to add custom configuration to postfix or have it do something outside of the scope of this configuration, simply
|
If you need to add custom configuration to postfix or have it do something outside of the scope of this configuration,
|
||||||
add your scripts to `/docker-init.db/`: All files with the `.sh` extension will be executed automatically at the end of the
|
simply add your scripts to `/docker-init.db/`: All files with the `.sh` extension will be executed automatically at the
|
||||||
startup script.
|
end of the startup script.
|
||||||
|
|
||||||
E.g.: create a custom `Dockerfile` like this:
|
E.g.: create a custom `Dockerfile` like this:
|
||||||
|
|
||||||
```sh
|
```shell script
|
||||||
FROM boky/postfix
|
FROM boky/postfix
|
||||||
LABEL maintainer="Jack Sparrow <jack.sparrow@theblackpearl.example.com>"
|
LABEL maintainer="Jack Sparrow <jack.sparrow@theblackpearl.example.com>"
|
||||||
ADD Dockerfiles/additional-config.sh /docker-init.db/
|
ADD Dockerfiles/additional-config.sh /docker-init.db/
|
||||||
```
|
```
|
||||||
|
|
||||||
Build it with docker and your script will be automatically executed before Postfix starts.
|
Build it with docker, and your script will be automatically executed before Postfix starts.
|
||||||
|
|
||||||
Or -- alternately -- bind this folder in your docker config and put your scripts there. Useful if you need to add additional config
|
Or -- alternately -- bind this folder in your docker config and put your scripts there. Useful if you need to add a
|
||||||
to your postfix server or override configs created by the script.
|
config to your postfix server or override configs created by the script.
|
||||||
|
|
||||||
For example, your script could contain something like this:
|
For example, your script could contain something like this:
|
||||||
|
|
||||||
```sh
|
```shell script
|
||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
postconf -e "address_verify_negative_cache=yes"
|
postconf -e "address_verify_negative_cache=yes"
|
||||||
```
|
```
|
||||||
|
|
||||||
### Overriding specific postfix settings
|
|
||||||
|
|
||||||
Any Postfix [configuration option](http://www.postfix.org/postconf.5.html) can be overriden using `POSTFIX_<name>` environment variables, e.g.
|
|
||||||
`POSTFIX_allow_mail_to_commands=alias,forward,include`. Specifying no content (empty variable) will remove that variable from postfix config.
|
|
||||||
|
|
||||||
### Overriding specific OpenDKIM settings
|
|
||||||
|
|
||||||
Any OpenDKIM [configuration option](http://opendkim.org/opendkim.conf.5.html) can be overriden using `OPENDKIM_<name>` environment variables, e.g.
|
|
||||||
`OPENDKIM_RequireSafeKeys=yes`. Specifying no content (empty variable) will remove that variable from OpenDKIM config.
|
|
||||||
|
|
||||||
## Log format
|
|
||||||
|
|
||||||
The image will by default output logs in human-readable (`plain`) format. If you are deploying the image to Kubernetes, it might be worth chaging
|
|
||||||
the output format to `json` as it's more easily parsable by tools such as [Prometheus](https://prometheus.io/).
|
|
||||||
|
|
||||||
To change the log format, set the (unsuprisingly named) variable `LOG_FORMAT=json`.
|
|
||||||
|
|
||||||
## Security
|
## Security
|
||||||
|
|
||||||
Postfix will run the master proces as `root`, because that's how it's designed. Subprocesses will run under the `postfix` account
|
Postfix will run the master proces as `root`, because that's how it's designed. Subprocesses will run under the `postfix`
|
||||||
which will use `UID:GID` of `100:101`. `opendkim` will run under account `102:103`.
|
account which will use `UID:GID` of `100:101`. `opendkim` will run under account `102:103`.
|
||||||
|
|
||||||
|
## Quick how-tos
|
||||||
|
|
||||||
|
### Relaying messages through your Gmail account
|
||||||
|
|
||||||
|
Please note that Gmail does not support using your password with non-OAuth2 clients, which -- technically -- postfix is.
|
||||||
|
You will need to enable [Less secure apps](https://support.google.com/accounts/answer/6010255?hl=en) in your account
|
||||||
|
and assign an "app password". You'll also need to use (only) your email as the sender address.
|
||||||
|
|
||||||
|
Your configuration would be as follows:
|
||||||
|
|
||||||
|
```shell script
|
||||||
|
RELAYHOST=smtp.gmail.com:587
|
||||||
|
RELAYHOST_USERNAME=you@gmail.com
|
||||||
|
RELAYHOST_PASSWORD=your-gmail-app-password
|
||||||
|
ALLOWED_SENDER_DOMAINS=gmail.com
|
||||||
|
```
|
||||||
|
|
||||||
|
There's no need to configure DKIM or SPF, as Gmail will add these headers automatically.
|
||||||
|
|
||||||
|
### Relaying messages through Google Apps account
|
||||||
|
|
||||||
|
Google Apps allows third-party services to use Google's SMTP servers without much hassle. If you have a static IP, you
|
||||||
|
can configure Gmail to accept your messages. You can then send email *from any address within your domain*.
|
||||||
|
|
||||||
|
You need to enable the [SMTP relay service](https://support.google.com/a/answer/2956491?hl=en):
|
||||||
|
- Go to Google [Admin /Apps / G Suite / Gmail /Advanced settings](https://admin.google.com/AdminHome?hl=en_GB#ServiceSettings/service=email&subtab=filters).
|
||||||
|
- Find the **Routing / SMTP relay service**
|
||||||
|
- Click **Add another** button that pops up when you hover over the line
|
||||||
|
- Enter the name and your server's external IP as shown in the picture below:
|
||||||
|
- **Allowed senders:** Only registered Apps users in my domains
|
||||||
|
- Select **Only accept mail from specified IP Addresses**
|
||||||
|
- Click **Add IP RANGE** and add your external IP
|
||||||
|
- Make sure **Require SMTP Authentication** is **NOT** selected
|
||||||
|
- You *may* select **Require TLS encryption**
|
||||||
|
|
||||||
|
![Add setting SMTP relay service](GApps-SMTP-config.png)
|
||||||
|
|
||||||
|
|
||||||
|
Your configuration would be as follows:
|
||||||
|
|
||||||
|
```shell script
|
||||||
|
RELAYHOST=smtp-relay.gmail.com:587
|
||||||
|
ALLOWED_SENDER_DOMAINS=<your-domain>
|
||||||
|
```
|
||||||
|
|
||||||
|
There's no need to configure DKIM or SPF, as Gmail will add these headers automatically.
|
||||||
|
|
||||||
|
### Sending messages directly
|
||||||
|
|
||||||
|
If you're sending messages directly, you'll need to:
|
||||||
|
|
||||||
|
- need to have a fixed IP address;
|
||||||
|
- configure a reverse PTR record;
|
||||||
|
- configure SPF and/or DKIM as explained in this document;
|
||||||
|
- it's also highly advisable to have your own IP block.
|
||||||
|
|
||||||
|
|
||||||
|
Your configuration would be as follows:
|
||||||
|
|
||||||
|
```shell script
|
||||||
|
ALLOWED_SENDER_DOMAINS=<your-domain>
|
||||||
|
```
|
||||||
|
|
||||||
## Similar projects
|
## Similar projects
|
||||||
|
|
||||||
|
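Review bot: the `Dockerfile` under "Using custom init scripts" is fenced as `shell script`; tag it `Dockerfile`. In the Gmail how-to, "enable Less secure apps ... and assign an app password" presents both as required, which is confusing for the reader; settle on which one the setup actually depends on. In the Google Apps how-to the relay decision is made purely on source IP ("Require SMTP Authentication" off, "Require TLS encryption" optional), and the text notes that this lets you send from any address in the domain; pair the steps with `RELAYHOST_TLS_LEVEL=encrypt` and a reminder to keep `POSTFIX_mynetworks` tight, because anyone who can reach the container from an allowed network inherits that ability. Small fixes: "- need to have a fixed IP address" repeats "need to" after "you'll need to:"; `master proces` should be `process`; `overriden` should be `overridden`.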
@ -314,6 +451,6 @@ The other projects are, in completely random order:
|
||||||
- [juanluisbaptiste/docker-postfix](https://github.com/juanluisbaptiste/docker-postfix)
|
- [juanluisbaptiste/docker-postfix](https://github.com/juanluisbaptiste/docker-postfix)
|
||||||
- [docker-mail-relay](https://github.com/alterrebe/docker-mail-relay)
|
- [docker-mail-relay](https://github.com/alterrebe/docker-mail-relay)
|
||||||
|
|
||||||
|
## License check
|
||||||
|
|
||||||
## License
|
|
||||||
[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fbokysan%2Fdocker-postfix.svg?type=large)](https://app.fossa.com/projects/git%2Bgithub.com%2Fbokysan%2Fdocker-postfix?ref=badge_large)
|
[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fbokysan%2Fdocker-postfix.svg?type=large)](https://app.fossa.com/projects/git%2Bgithub.com%2Fbokysan%2Fdocker-postfix?ref=badge_large)
|
||||||
|
|
|
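Review bot: the section is renamed from `License` to `License check` to match the new table of contents, but it still contains only the FOSSA badge; a one-line statement of the actual license would make the heading and the TOC entry less surprising.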
@ -2,6 +2,11 @@ TZ=Europe/Amsterdam
|
||||||
POSTFIX_myhostname=smtp-relay
|
POSTFIX_myhostname=smtp-relay
|
||||||
RELAYHOST=smtp.gmail.com:587
|
RELAYHOST=smtp.gmail.com:587
|
||||||
RELAYHOST_USERNAME=you@gmail.com
|
RELAYHOST_USERNAME=you@gmail.com
|
||||||
RELAYHOST_PASSWORD=yourgmailapppassword
|
# Attention Gmail users:
|
||||||
|
# Please note that Gmail does not support using your password with non-OAuth2 clients, which -- technically --
|
||||||
|
# postfix is. You will need to enable "Less secure apps" in your account and assign an "app password" if you
|
||||||
|
# want this to work.
|
||||||
|
# More info: https://support.google.com/accounts/answer/6010255?hl=en
|
||||||
|
RELAYHOST_PASSWORD=your-gmail-app-password
|
||||||
POSTFIX_message_size_limit=26214400
|
POSTFIX_message_size_limit=26214400
|
||||||
ALLOWED_SENDER_DOMAINS=example.org
|
ALLOWED_SENDER_DOMAINS=example.org
|
||||||
|
|
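Review bot: the new comment block repeats the "Less secure apps" plus "app password" wording from the README; whichever of the two the how-to settles on, keep this comment consistent with it. This file also carries `RELAYHOST_PASSWORD=your-gmail-app-password` next to realistic relay settings; add a comment that it is a template and that the real value must not be committed, since a file like this is exactly where a live password tends to end up in version control.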