#!/bin/sh . /commons.sh echo -e "******************************" echo -e "**** POSTFIX STARTING UP *****" echo -e "******************************" # Check if we need to configure the container timezone if [ ! -z "$TZ" ]; then TZ_FILE="/usr/share/zoneinfo/$TZ" if [ -f "$TZ_FILE" ]; then echo -e "‣ $notice Setting container timezone to: ${emphasis}$TZ${reset}" ln -snf "$TZ_FILE" /etc/localtime echo "$TZ" > /etc/timezone else echo -e "‣ $warn Cannot set timezone to: ${emphasis}$TZ${reset} -- this timezone does not exist." fi else echo -e "‣ $info Not setting any timezone for the container" fi # Make and reown postfix folders mkdir -p /var/spool/postfix/ && mkdir -p /var/spool/postfix/pid chown root: /var/spool/postfix/ chown root: /var/spool/postfix/pid # Disable SMTPUTF8, because libraries (ICU) are missing in alpine postconf -e smtputf8_enable=no # Update aliases database. It's not used, but postfix complains if the .db file is missing postalias /etc/postfix/aliases # Disable local mail delivery postconf -e mydestination= # Don't relay for any domains postconf -e relay_domains= # Increase the allowed header size, the default (102400) is quite smallish postconf -e "header_size_limit=4096000" if [ ! -z "$MESSAGE_SIZE_LIMIT" ]; then echo -e "‣ $notice Restricting message_size_limit to: ${emphasis}$MESSAGE_SIZE_LIMIT bytes${reset}" postconf -e "message_size_limit=$MESSAGE_SIZE_LIMIT" else # As this is a server-based service, allow any message size -- we hope the # sender knows what he is doing. echo -e "‣ $info Using ${emphasis}unlimited${reset} message size." postconf -e "message_size_limit=0" fi # Reject invalid HELOs postconf -e smtpd_delay_reject=yes postconf -e smtpd_helo_required=yes postconf -e "smtpd_helo_restrictions=permit_mynetworks,reject_invalid_helo_hostname,permit" postconf -e "smtpd_sender_restrictions=permit_mynetworks" # Set up host name if [ ! -z "$HOSTNAME" ]; then echo -e "‣ $notice Setting myhostname: ${emphasis}$HOSTNAME${reset}" postconf -e myhostname="$HOSTNAME" else postconf -# myhostname fi if [ -z "$RELAYHOST_TLS_LEVEL" ]; then echo -e "‣ $info Setting smtp_tls_security_level: ${emphasis}may${reset}" postconf -e "smtp_tls_security_level=may" else echo -e "‣ $notice Setting smtp_tls_security_level: ${emphasis}$RELAYHOST_TLS_LEVEL${reset}" postconf -e "smtp_tls_security_level=$RELAYHOST_TLS_LEVEL" fi # Set up a relay host, if needed if [ ! -z "$RELAYHOST" ]; then echo -en "‣ $notice Forwarding all emails to ${emphasis}$RELAYHOST${reset}" postconf -e "relayhost=$RELAYHOST" # Alternately, this could be a folder, like this: # smtp_tls_CApath postconf -e "smtp_tls_CAfile=/etc/ssl/certs/ca-certificates.crt" if [ -n "$RELAYHOST_USERNAME" ] && [ -n "$RELAYHOST_PASSWORD" ]; then echo -e " using username ${emphasis}$RELAYHOST_USERNAME${reset} and password ${emphasis}(redacted)${reset}." echo "$RELAYHOST $RELAYHOST_USERNAME:$RELAYHOST_PASSWORD" >> /etc/postfix/sasl_passwd postmap hash:/etc/postfix/sasl_passwd postconf -e "smtp_sasl_auth_enable=yes" postconf -e "smtp_sasl_password_maps=hash:/etc/postfix/sasl_passwd" postconf -e "smtp_sasl_security_options=noanonymous" postconf -e "smtp_sasl_tls_security_options=noanonymous" else echo -e " without any authentication. ${emphasis}Make sure your server is configured to accept emails coming from this IP.${reset}" fi else echo -e "‣ $notice Will try to deliver emails directly to the final server. ${emphasis}Make sure your DNS is setup properly!${reset}" postconf -# relayhost postconf -# smtp_sasl_auth_enable postconf -# smtp_sasl_password_maps postconf -# smtp_sasl_security_options fi if [ ! -z "$MYNETWORKS" ]; then echo -e "‣ $notice Using custom allowed networks: ${emphasis}$MYNETWORKS${reset}" else echo -e "‣ $info Using default private network list for trusted networks." MYNETWORKS="127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16" fi postconf -e "mynetworks=$MYNETWORKS" if [ ! -z "$INBOUND_DEBUGGING" ]; then echo -e "‣ $notice Enabling additional debbuging for: ${emphasis}$MYNETWORKS${reset}" postconf -e "debug_peer_list=$MYNETWORKS" sed -i -E 's/^[ \t]*#?[ \t]*LogWhy[ \t]*.+$/LogWhy yes/' /etc/opendkim/opendkim.conf if ! egrep -q '^LogWhy' /etc/opendkim/opendkim.conf; then echo >> /etc/opendkim/opendkim.conf echo "LogWhy yes" >> /etc/opendkim/opendkim.conf fi else sed -i -E 's/^[ \t]*#?[ \t]*LogWhy[ \t]*.+$/LogWhy no/' /etc/opendkim/opendkim.conf if ! egrep -q '^LogWhy' /etc/opendkim/opendkim.conf; then echo >> /etc/opendkim/opendkim.conf echo "LogWhy no" >> /etc/opendkim/opendkim.conf fi fi if [ ! -z "$ALLOWED_SENDER_DOMAINS" ]; then echo -en "‣ $info Setting up allowed SENDER domains:" allowed_senders=/etc/postfix/allowed_senders rm -f $allowed_senders $allowed_senders.db > /dev/null touch $allowed_senders for i in $ALLOWED_SENDER_DOMAINS; do echo -ne " ${emphasis}$i${reset}" echo -e "$i\tOK" >> $allowed_senders done echo postmap $allowed_senders postconf -e "smtpd_restriction_classes=allowed_domains_only" postconf -e "allowed_domains_only=permit_mynetworks, reject_non_fqdn_sender reject" postconf -e "smtpd_recipient_restrictions=reject_non_fqdn_recipient, reject_unknown_recipient_domain, check_sender_access hash:$allowed_senders, reject" # Since we are behind closed doors, let's just permit all relays. postconf -e "smtpd_relay_restrictions=permit" elif [ -z "$ALLOW_EMPTY_SENDER_DOMAINS" ]; then echo -e "ERROR: You need to specify ALLOWED_SENDER_DOMAINS otherwise Postfix will not run!" exit 1 fi if [ ! -z "$MASQUERADED_DOMAINS" ]; then echo -e "‣ $notice Setting up address masquerading: ${emphasis}$MASQUERADED_DOMAINS${reset}" postconf -e "masquerade_domains = $MASQUERADED_DOMAINS" postconf -e "local_header_rewrite_clients = static:all" fi if [ ! -z "$SMTP_HEADER_CHECKS" ]; then if [ "$SMTP_HEADER_CHECKS" == "1" ]; then echo -e "‣ $info Using default file for SMTP header checks" SMTP_HEADER_CHECKS="regexp:/etc/postfix/smtp_header_checks" fi FORMAT=$(echo "$SMTP_HEADER_CHECKS" | cut -d: -f1) FILE=$(echo "$SMTP_HEADER_CHECKS" | cut -d: -f2-) if [ "$FORMAT" == "$FILE" ]; then echo -e "‣ $warn No Postfix format defined for file ${emphasis}SMTP_HEADER_CHECKS${reset}. Using default ${emphasis}regexp${reset}. To avoid this message, set format explicitly, e.g. ${emphasis}SMTP_HEADER_CHECKS=regexp:$SMTP_HEADER_CHECKS${reset}." FORMAT="regexp" fi if [ -f "$FILE" ]; then echo -e "‣ $notice Setting up ${emphasis}smtp_header_checks${reset} to ${emphasis}$FORMAT:$FILE${reset}" postconf -e "smtp_header_checks=$FORMAT:$FILE" else echo -e "‣ $error File ${emphasis}$FILE${reset} cannot be found. Please make sure your SMTP_HEADER_CHECKS variable points to the right file. Startup aborted." exit 2 fi fi DKIM_ENABLED= if [ -d /etc/opendkim/keys ] && [ ! -z "$(find /etc/opendkim/keys -type f ! -name .)" ]; then DKIM_ENABLED=", ${emphasis}opendkim${reset}" echo -e "‣ $notice Configuring OpenDKIM." mkdir -p /var/run/opendkim chown -R opendkim:opendkim /var/run/opendkim dkim_socket=$(cat /etc/opendkim/opendkim.conf | egrep ^Socket | awk '{ print $2 }') if [ $(echo "$dkim_socket" | cut -d: -f1) == "inet" ]; then dkim_socket=$(echo "$dkim_socket" | cut -d: -f2) dkim_socket="inet:$(echo "$dkim_socket" | cut -d@ -f2):$(echo "$dkim_socket" | cut -d@ -f1)" fi echo -e " ...using socket $dkim_socket" postconf -e "milter_protocol=6" postconf -e "milter_default_action=accept" postconf -e "smtpd_milters=$dkim_socket" postconf -e "non_smtpd_milters=$dkim_socket" echo > /etc/opendkim/TrustedHosts echo > /etc/opendkim/KeyTable echo > /etc/opendkim/SigningTable # Since it's an internal service anyways, it's safe # to assume that *all* hosts are trusted. echo "0.0.0.0/0" > /etc/opendkim/TrustedHosts if [ ! -z "$ALLOWED_SENDER_DOMAINS" ]; then for i in $ALLOWED_SENDER_DOMAINS; do private_key=/etc/opendkim/keys/$i.private if [ -f $private_key ]; then echo -e " ...for domain ${emphasis}$i${reset}" echo "mail._domainkey.$i $i:mail:$private_key" >> /etc/opendkim/KeyTable echo "*@$i mail._domainkey.$i" >> /etc/opendkim/SigningTable else echo " ...$warn skipping for domain ${emphasis}$i${reset}. File $private_key not found!" fi done fi else echo -e "‣ $info No DKIM keys found, will not use DKIM." postconf -# smtpd_milters postconf -# non_smtpd_milters fi # Use 587 (submission) sed -i -r -e 's/^#submission/submission/' /etc/postfix/master.cf if [ -d /docker-init.db/ ]; then echo -e "‣ $notice Executing any found custom scripts..." for f in /docker-init.db/*; do case "$f" in *.sh) chmod +x "$f"; echo -e "\trunning ${emphasis}$f${reset}"; . "$f" ;; *) echo "$0: ignoring $f" ;; esac done fi echo -e "‣ $notice Starting: ${emphasis}rsyslog${reset}, ${emphasis}postfix${reset}$DKIM_ENABLED" exec supervisord -c /etc/supervisord.conf