{"id":13622725,"url":"https://github.com/bokysan/docker-postfix","last_synced_at":"2025-05-15T05:03:36.967Z","repository":{"id":37706266,"uuid":"54157282","full_name":"bokysan/docker-postfix","owner":"bokysan","description":"Multi architecture simple SMTP server (postfix null relay) host for your Docker and Kubernetes containers. Based on Debian/Ubuntu/Alpine.","archived":false,"fork":false,"pushed_at":"2025-03-01T18:25:10.000Z","size":1543,"stargazers_count":590,"open_issues_count":10,"forks_count":157,"subscribers_count":12,"default_branch":"master","last_synced_at":"2025-03-30T23:09:14.644Z","etag":null,"topics":["dkim","dkim-keys","docker","docker-compose","docker-container","docker-image","docker-postfix","helm-chart","kubernetes","mail","mailserver","postfix","postfix-configuration","postfix-docker","postfix-relay","postfix-server","relaying-messages","smtp","smtp-server"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/bokysan.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2016-03-17T23:05:18.000Z","updated_at":"2025-03-24T20:40:09.000Z","dependencies_parsed_at":"2023-10-29T08:25:37.441Z","dependency_job_id":"fccb59ee-c3a1-4181-8e49-5f6d2d791128","html_url":"https://github.com/bokysan/docker-postfix","commit_stats":{"total_commits":307,"total_committers":38,"mean_commits":8.078947368421053,"dds":"0.21824104234527686","last_synced_commit":"994d4ae646b434f666390e614fb530104874f5db"},"previous_names":[],"tags_count":59,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bokysan%2Fdocker-postfix","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bokysan%2Fdocker-postfix/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bokysan%2Fdocker-postfix/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bokysan%2Fdocker-postfix/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/bokysan","download_url":"https://codeload.github.com/bokysan/docker-postfix/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247569123,"owners_count":20959760,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dkim","dkim-keys","docker","docker-compose","docker-container","docker-image","docker-postfix","helm-chart","kubernetes","mail","mailserver","postfix","postfix-configuration","postfix-docker","postfix-relay","postfix-server","relaying-messages","smtp","smtp-server"],"created_at":"2024-08-01T21:01:23.366Z","updated_at":"2025-04-07T00:12:10.849Z","avatar_url":"https://github.com/bokysan.png","language":"Shell","readme":"# docker-postfix\n\n![Build status](https://github.com/bokysan/docker-postfix/workflows/Docker%20image/badge.svg) [![Latest commit](https://img.shields.io/github/last-commit/bokysan/docker-postfix)](https://github.com/bokysan/docker-postfix/commits/master) [![Latest release](https://img.shields.io/github/v/release/bokysan/docker-postfix?sort=semver\u0026Label=Latest%20release)](https://github.com/bokysan/docker-postfix/releases) [![Docker image size](https://img.shields.io/docker/image-size/boky/postfix?sort=semver)](https://hub.docker.com/r/boky/postfix/) ![GitHub Repo stars](https://img.shields.io/github/stars/bokysan/docker-postfix?label=GitHub%20Stars\u0026style=flat) [![Docker Stars](https://img.shields.io/docker/stars/boky/postfix.svg?label=Docker%20Stars)](https://hub.docker.com/r/boky/postfix/) [![Docker Pulls](https://img.shields.io/docker/pulls/boky/postfix.svg)](https://hub.docker.com/r/boky/postfix/) ![License](https://img.shields.io/github/license/bokysan/docker-postfix) [![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fbokysan%2Fdocker-postfix.svg?type=shield)](https://app.fossa.com/projects/git%2Bgithub.com%2Fbokysan%2Fdocker-postfix?ref=badge_shield)\n\nSimple postfix relay host (\"postfix null client\") for your Docker containers. Based on Debian (default), Ubuntu and Alpine Linux. \nFeel free to pick your favourite distro.\n\n## Table of contents\n\n- [docker-postfix](#docker-postfix)\n  - [Table of contents](#table-of-contents)\n  - [Description](#description)\n  - [TL;DR](#tldr)\n  - [Updates](#updates)\n    - [v4.0.0](#v400)\n    - [v3.0.0](#v300)\n  - [Architectures](#architectures)\n  - [Configuration options](#configuration-options)\n    - [General options](#general-options)\n      - [Inbound debugging](#inbound-debugging)\n      - [`ALLOWED_SENDER_DOMAINS` and `ALLOW_EMPTY_SENDER_DOMAINS`](#allowed_sender_domains-and-allow_empty_sender_domains)\n      - [`AUTOSET_HOSTNAME` and `AUTOSET_HOSTNAME_SERVICES`](#autoset_hostname-and-autoset_hostname_services)\n      - [Log format](#log-format)\n    - [Postfix-specific options](#postfix-specific-options)\n      - [`RELAYHOST`, `RELAYHOST_USERNAME` and `RELAYHOST_PASSWORD`](#relayhost-relayhost_username-and-relayhost_password)\n      - [`POSTFIX_smtp_tls_security_level`](#postfix_smtp_tls_security_level)\n      - [`XOAUTH2_CLIENT_ID`, `XOAUTH2_SECRET`, `XOAUTH2_INITIAL_ACCESS_TOKEN`, `XOAUTH2_INITIAL_REFRESH_TOKEN` and `XOAUTH2_TOKEN_ENDPOINT`](#xoauth2_client_id-xoauth2_secret-xoauth2_initial_access_token-xoauth2_initial_refresh_token-and-xoauth2_token_endpoint)\n        - [OAuth2 Client Credentials (GMail)](#oauth2-client-credentials-gmail)\n        - [Obtain Initial Access Token (GMail)](#obtain-initial-access-token-gmail)\n        - [Debug XOAuth2 issues](#debug-xoauth2-issues)\n      - [`MASQUERADED_DOMAINS`](#masqueraded_domains)\n      - [`SMTP_HEADER_CHECKS`](#smtp_header_checks)\n      - [`POSTFIX_myhostname`](#postfix_myhostname)\n      - [`POSTFIX_mynetworks`](#postfix_mynetworks)\n      - [`POSTFIX_message_size_limit`](#postfix_message_size_limit)\n      - [Overriding specific postfix settings](#overriding-specific-postfix-settings)\n      - [`SKIP_ROOT_SPOOL_CHOWN`](#skip_root_spool_chown)\n      - [`ANONYMIZE_EMAILS`](#anonymize_emails)\n        - [The `default` (`smart`) filter](#the-default-smart-filter)\n        - [The `paranoid` filter](#the-paranoid-filter)\n        - [The `hash` filter](#the-hash-filter)\n        - [The `noop` filter](#the-noop-filter)\n        - [Writing your own filters](#writing-your-own-filters)\n    - [DKIM / DomainKeys](#dkim--domainkeys)\n      - [Supplying your own DKIM keys](#supplying-your-own-dkim-keys)\n      - [Auto-generating the DKIM selectors through the image](#auto-generating-the-dkim-selectors-through-the-image)\n      - [Changing the DKIM selector](#changing-the-dkim-selector)\n      - [Overriding specific OpenDKIM settings](#overriding-specific-opendkim-settings)\n      - [Verifying your DKIM setup](#verifying-your-dkim-setup)\n    - [Docker Secrets / Kubernetes secrets](#docker-secrets--kubernetes-secrets)\n  - [Helm chart](#helm-chart)\n    - [Metrics](#metrics)\n  - [Extending the image](#extending-the-image)\n    - [Using custom init scripts](#using-custom-init-scripts)\n  - [Security](#security)\n    - [UIDs/GIDs numbers](#uidsgids-numbers)\n  - [Quick how-tos](#quick-how-tos)\n    - [Relaying messages through your Gmail account](#relaying-messages-through-your-gmail-account)\n    - [Relaying messages through Google Apps account](#relaying-messages-through-google-apps-account)\n    - [Relaying messages through Amazon's SES](#relaying-messages-through-amazons-ses)\n    - [Sending messages directly](#sending-messages-directly)\n      - [Careful](#careful)\n  - [Similar projects](#similar-projects)\n  - [License check](#license-check)\n\n## Description\n\nThis image allows you to run POSTFIX internally inside your docker cloud/swarm installation to centralise outgoing email\nsending. The embedded postfix enables you to either _send messages directly_ or _relay them to your company's main\nserver_.\n\nThis is a _server side_ POSTFIX image, geared towards emails that need to be sent from your applications. That's why\nthis postfix configuration does not support username / password login or similar client-side security features.\n\n**IF YOU WANT TO SET UP AND MANAGE A POSTFIX INSTALLATION FOR END USERS, THIS IMAGE IS NOT FOR YOU.** If you need it to\nmanage your application's outgoing queue, read on.\n\n## TL;DR\n\nTo run the container, do the following:\n\n```shell script\ndocker run --rm --name postfix -e \"ALLOWED_SENDER_DOMAINS=example.com\" -p 1587:587 boky/postfix\n```\n\nor\n\n```shell script\nhelm repo add bokysan https://bokysan.github.io/docker-postfix/\nhelm upgrade --install --set persistence.enabled=false --set config.general.ALLOW_EMPTY_SENDER_DOMAINS=yes mail bokysan/mail\n```\n\nYou can also find this image at [ArtifactHub](https://artifacthub.io/packages/helm/docker-postfix/mail).\n\n\nYou can now send emails by using `localhost:1587` (on Docker) as your SMTP server address. Note that if you haven't configured your domain\nto allow sending from this IP/server/nameblock, **your emails will most likely be regarded as spam.**\n\nAll standard caveats of configuring the SMTP server apply:\n\n- **MAKE SURE YOUR OUTGOING PORT 25 IS NOT BLOCKED.**\n  - Most ISPs block outgoing connections to port 25 and several companies (e.g.\n    [NoIP](https://www.noip.com/blog/2013/03/26/my-isp-blocks-smtp-port-25-can-i-still-host-a-mail-server/),\n    [Dynu](https://www.dynu.com/en-US/Blog/Article?Article=How-to-host-email-server-if-ISP-blocks-port-25)) offer\n    workarounds.\n  - Hosting centers also tend to block port 25, which can be unblocked per request, see below for AWS hosting.\n- You'll most likely need to at least [set up SPF records](https://en.wikipedia.org/wiki/Sender_Policy_Framework)\n  (see also [openspf](http://www.open-spf.org/)) and/or [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail).\n- If using DKIM ([below](#dkim--domainkeys)), make sure to add DKIM keys to your domain's DNS entries.\n- You'll most likely need to set up [PTR](https://en.wikipedia.org/wiki/Reverse_DNS_lookup) records as well to prevent your\n  mails going to spam.\n\nIf you don't know what any of the above means, get some help. Google is your friend. It's also worth noting that it's pretty difficult\nto host a SMTP server on a dynamic IP address.\n\n**Please note that the image uses the submission (587) port by default**. Port 25 is not exposed on purpose, as it's regularly blocked\nby ISPs, already occupied by other services, and in general should only be used for server-to-server communication.\n\n## Updates\n\n### v4.0.0\n\nSeveral potentially \"surprising\" changes went into this issue and hence warrant a version upgrade:\n\n- **Default image is now based on Debian.** A lot of packages needed for\n  latest builds are missing in certain Alpine architectures. Debian\n  allows us to have a greater cross-platform availability.\n- **Helm charts are now built with `v` and without `v` prefix.**\n  As seen in [PR #141](https://github.com/bokysan/docker-postfix/pull/141) some tools rely on version not\n  having the prefix. I've seen both in the wild, so the image\n  now includes both. This should work and should hopefully provide most compatibility.\n- **[`master`](https://github.com/bokysan/docker-postfix/tree/master/) branch now builds images called [`edge`](https://hub.docker.com/r/boky/postfix/tags?page=1\u0026name=edge)**. \n  `latest` images are built from the last tag. We've had several issues with people using the `latest` tag\n  and reporting problems. You can now rely on `latest` being the latest stable release.\n- Image now builds its own version of [postfix-exporter](https://github.com/kumina/postfix_exporter) and relies on this\n  third-party project. Checkout is from master branch, based\n  on specific SHA commit id. The same hash is used for master and tags.\n- **Architecture galore!** With the addition of debian images, we now support support more architectures than ever. The list includes: \n  `linux/386`, `linux/amd64`, `linux/arm/v5`, `linux/arm/v6`, `linux/arm/v7`, `linux/arm64`, `linux/arm64/v8`, `linux/mips64le`, \n  `linux/ppc64le` and `linux/s390x`.\n- **`smtpd_tls_security_level` is now set to `may`**. If you encounter\n  issues, try setting it to `none` explicitly (see [#160](https://github.com/bokysan/docker-postfix/issues/160)).\n\n### v3.0.0\n\nThere's a potentially breaking change introduced now in `v3.0.0`: Oracle has changed the license of BerkleyDB to AGPL-3.0, making it\nunsuitable to link to packages with GPL-incompatible licenses. As a result Alpine (on which this image is based)\n[has deprecated BerkleyDB throughout the image](https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.13.0#Deprecation_of_Berkeley_DB_.28BDB.29):\n\n\u003e Support for Postfix `hash` and `btree` databases has been removed. `lmdb` is the recommended replacement. Before upgrading, all tables in\n\u003e `/etc/postfix/main.cf` using `hash` and `btree` must be changed to a supported alternative. See the\n\u003e [Postfix lookup table documentation](http://www.postfix.org/DATABASE_README.html) for more information.\n\nWhile this should not affect most of the users (`/etc/postfix/main.cf` is managed by this image), there might be use cases where\npeople have their own configuration which relies on `hash` and `btree` databases. To avoid braking live systems, the version of this\nimage has been updated to `v3.0.0`.\n\n## Architectures\n\nAvailable for all your favourite architectures. Run in your server cluster. Run it on your Raspberry Pi 4. Run it on your ancient Pentium or an old Beaglebone. The following architectures are supported: `linux/386`, `linux/amd64`, `linux/arm/v6`, `linux/arm/v7`, `linux/arm64` and `linux/ppc64le`.\n\n## Configuration options\n\n### General options\n\n* `TZ` = The timezone for the image, e.g. `Europe/Amsterdam`\n* `FORCE_COLOR` = Set to `1` to force color output (otherwise auto-detected)\n* `INBOUND_DEBUGGING` = Set to `1` to enable detailed debugging in the logs\n* `ALLOWED_SENDER_DOMAINS` = domains which are allowed to send email via this server\n* `ALLOW_EMPTY_SENDER_DOMAINS` = if value is set (i.e: `true`), `ALLOWED_SENDER_DOMAINS` can be unset\n* `AUTOSET_HOSTNAME` and `AUTOSET_HOSTNAME_SERVICES` - use to automatically resolve hostname\n* `LOG_FORMAT` = Set your log format (JSON or plain)\n\n#### Inbound debugging\n\nEnable additional debugging for any connection coming from `POSTFIX_mynetworks`. Set to a non-empty string (usually `1`\nor  `yes`) to enable debugging.\n\n#### `ALLOWED_SENDER_DOMAINS` and `ALLOW_EMPTY_SENDER_DOMAINS`\n\nDue to in-built spam protection in [Postfix](http://www.postfix.org/postconf.5.html#smtpd_relay_restrictions) you will\nneed to specify sender domains -- the domains you are using to send your emails from, otherwise Postfix will refuse to\nstart.\n\nExample:\n\n```shell script\ndocker run --rm --name postfix -e \"ALLOWED_SENDER_DOMAINS=example.com example.org\" -p 1587:587 boky/postfix\n```\n\nIf you want to set the restrictions on the recipient and not on the sender (anyone can send mails but just to a single domain\nfor instance), set `ALLOW_EMPTY_SENDER_DOMAINS` to a non-empty value (e.g. `true`) and `ALLOWED_SENDER_DOMAINS` to an empty\nstring. Then extend this image through custom scripts to configure Postfix further.\n\n#### `AUTOSET_HOSTNAME` and `AUTOSET_HOSTNAME_SERVICES`\n\nThis image can automatically set  postfix variable `myhostname` based on reverse DNS resolution of your public IP. To use this\nfeature, set `AUTOSET_HOSTNAME` to `1`. The image will then:\n\n- use an external service to get the public IP address of the image\n- do a reverse DNS lookup to get the hostname associated with that IP\n\nThe image will, by default, try to get the public IP from any of these services, which will be queried in the order defined below:\n\n1. https://ipinfo.io/ip\n2. https://ifconfig.me/ip\n3. https://icanhazip.com\n4. https://ipecho.net/plain\n5. https://ifconfig.co\n6. https://myexternalip.com/raw\n\nThe first service to return a non-empty, non-error response will be deemed successful. If you have a preference of another order\nand/or wish to use a different service, you can do that by setting the bash array `AUTOSET_HOSTNAME_SERVICES`.\n\n#### Log format\n\nThe image will by default output logs in human-readable (`plain`) format. If you are deploying the image to Kubernetes, it might\nbe worth changing the output format to `json` as it's more easily parsable by tools such as [Prometheus](https://prometheus.io/).\n\nTo change the log format, set the (unsurprisingly named) variable `LOG_FORMAT=json`.\n\n### Postfix-specific options\n\n- `RELAYHOST` = Host that relays your messages\n- `SASL_RELAYHOST` = (optional) Relay Host referenced in the `sasl_passwd` file. Defaults to the value of `RELAYHOST`\n- `RELAYHOST_USERNAME` = An (optional) username for the relay server\n- `RELAYHOST_PASSWORD` = An (optional) login password for the relay server\n- `RELAYHOST_PASSWORD_FILE` = An (optional) file containing the login password for the relay server. Mutually exclusive with the previous option.\n- `POSTFIX_smtp_tls_security_level` = Relay host TLS connection level\n- `XOAUTH2_CLIENT_ID` = OAuth2 client id used when configured as a relayhost.\n- `XOAUTH2_SECRET` = OAuth2 secret used when configured as a relayhost.\n- `XOAUTH2_INITIAL_ACCESS_TOKEN` = Initial OAuth2 access token.\n- `XOAUTH2_INITIAL_REFRESH_TOKEN` = Initial OAuth2 refresh token.\n- `XOAUTH2_TOKEN_ENDPOINT` = Token endpoint provided four your XOAUTH App , GMail use : https://accounts.google.com/o/oauth2/token\n- `SMTPD_SASL_USERS` = Users allow to send mail (ex: user1:pass1,user2:pass2,...). *Warning:* Users need to be specified with a domain, as explained\n  on ticket [[#192](https://github.com/bokysan/docker-postfix/issues/192)]. This image will automatically add a domain if one is not provided and will\n  issue a notice when that happens.\n- `MASQUERADED_DOMAINS` = domains where you want to masquerade internal hosts\n- `SMTP_HEADER_CHECKS`= Set to `1` to enable header checks of to a location of the file for header checks\n- `POSTFIX_myhostname` = Set the name of this postfix server\n- `POSTFIX_mynetworks` = Allow sending mails only from specific networks ( default `127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16` )\n- `POSTFIX_message_size_limit` = The maximum size of the message, in bytes, by default it's unlimited\n- `POSTFIX_\u003cany_postfix_setting\u003e` = provide any additional postfix setting\n\n#### `RELAYHOST`, `RELAYHOST_USERNAME` and `RELAYHOST_PASSWORD`\n\nPostfix will try to deliver emails directly to the target server. If you are behind a firewall, or inside a corporation\nyou will most likely have a dedicated outgoing mail server. By setting this option, you will instruct postfix to relay\n(hence the name) all incoming emails to the target server for actual delivery.\n\nExample:\n\n```shell script\ndocker run --rm --name postfix -e RELAYHOST=192.168.115.215 -p 1587:587 boky/postfix\n```\n\nYou may optionally specifiy a relay port, e.g.:\n\n```shell script\ndocker run --rm --name postfix -e RELAYHOST=192.168.115.215:587 -p 1587:587 boky/postfix\n```\n\nOr an IPv6 address, e.g.:\n\n```shell script\ndocker run --rm --name postfix -e 'RELAYHOST=[2001:db8::1]:587' -p 1587:587 boky/postfix\n```\n\nIf your end server requires you to authenticate with username/password, add them also:\n\n```shell script\ndocker run --rm --name postfix -e RELAYHOST=mail.google.com -e RELAYHOST_USERNAME=hello@gmail.com -e RELAYHOST_PASSWORD=world -p 1587:587 boky/postfix\n```\n\n#### `POSTFIX_smtp_tls_security_level`\n\nDefine relay host TLS connection level. See [smtp_tls_security_level](http://www.postfix.org/postconf.5.html#smtp_tls_security_level) for details. By default, the permissive level (\"may\") is used, which basically means \"use TLS if available\" and should be a sane default in most cases.\n\nThis level defines how the postfix will connect to your upstream server.\n\n#### `XOAUTH2_CLIENT_ID`, `XOAUTH2_SECRET`, `XOAUTH2_INITIAL_ACCESS_TOKEN`, `XOAUTH2_INITIAL_REFRESH_TOKEN` and `XOAUTH2_TOKEN_ENDPOINT`\n\n\u003e Note: These parameters are used when `RELAYHOST` and `RELAYHOST_USERNAME` are provided.\n\nThese parameters allow you to configure a relayhost that requires (or recommends) the [XOAuth2 authentication method](https://github.com/tarickb/sasl-xoauth2) (e.g. GMail).\n\n- `XOAUTH2_CLIENT_ID` and  `XOAUTH2_SECRET` are the [OAuth2 client credentials](#oauth2-client-credentials-gmail).\n- `XOAUTH2_INITIAL_ACCESS_TOKEN` and `XOAUTH2_INITIAL_REFRESH_TOKEN` are the [initial access token and refresh tokens](#obtain-initial-access-token-gmail).\n- `XOAUTH2_TOKEN_ENDPOINT` is mandatory for Microsoft 365 use, sasl-xoauth2 will use Gmail URL if it is not provided.\n   These values are only  required to initialize the token file `/var/spool/postfix/xoauth2-tokens/$RELAYHOST_USERNAME`.\n\nExample:\n\n```shell script\ndocker run --rm --name pruebas-postfix \\\n    -e RELAYHOST=\"[smtp.gmail.com]:587\" \\\n    -e RELAYHOST_USERNAME=\"\u003cput.your.account\u003e@gmail.com\" \\\n    -e POSTFIX_smtp_tls_security_level=\"encrypt\" \\\n    -e XOAUTH2_CLIENT_ID=\"\u003cput_your_oauth2_client_id\u003e\" \\\n    -e XOAUTH2_SECRET=\"\u003cput_your_oauth2_secret\u003e\" \\\n    -e ALLOW_EMPTY_SENDER_DOMAINS=\"true\" \\\n    -e XOAUTH2_INITIAL_ACCESS_TOKEN=\"\u003cput_your_acess_token\u003e\" \\\n    -e XOAUTH2_INITIAL_REFRESH_TOKEN=\"\u003cput_your_refresh_token\u003e\" \\\n    boky/postfix\n```\n\nNext sections describe how to obtain these values.\n\n##### OAuth2 Client Credentials (GMail)\n\nVisit the [Google API Console](https://console.developers.google.com/) to obtain OAuth 2 credentials (a client ID and client secret) for an \"Installed application\" application type.\n\nSave the client ID and secret and use them to initialize `XOAUTH2_CLIENT_ID` and  `XOAUTH2_SECRET` respectively.\n\nWe'll also need these credentials in the next step.\n\n##### Obtain Initial Access Token (GMail)\n\nUse the [Gmail OAuth2 developer tools](https://github.com/google/gmail-oauth2-tools/) to obtain an OAuth token by following the [Creating and Authorizing an OAuth Token](https://github.com/google/gmail-oauth2-tools/wiki/OAuth2DotPyRunThrough#creating-and-authorizing-an-oauth-token) instructions.\n\nSave the resulting tokens and use them to initialize `XOAUTH2_INITIAL_ACCESS_TOKEN` and `XOAUTH2_INITIAL_REFRESH_TOKEN`.\n\n##### Debug XOAuth2 issues\n\nIf you have XOAuth2 authentication issues you can enable XOAuth2 debug message setting `XOAUTH2_SYSLOG_ON_FAILURE` to `\"yes\"` (default: `\"no\"`). If you need a more detailed\nlog trace about XOAuth2 you can set `XOAUTH2_FULL_TRACE` to `\"yes\"` (default: `\"no\"`).\n\n#### `MASQUERADED_DOMAINS`\n\nIf you don't want outbound mails to expose hostnames, you can use this variable to enable Postfix's\n[address masquerading](http://www.postfix.org/ADDRESS_REWRITING_README.html#masquerade). This can be used to do things\nlike rewrite `lorem@ipsum.example.com` to `lorem@example.com`.\n\nExample:\n\n```shell script\ndocker run --rm --name postfix -e \"ALLOWED_SENDER_DOMAINS=example.com example.org\" -e \"MASQUERADED_DOMAINS=example.com\" -p 1587:587 boky/postfix\n```\n\n#### `SMTP_HEADER_CHECKS`\n\nThis image allows you to execute Postfix [header checks](http://www.postfix.org/header_checks.5.html). Header checks\nallow you to execute a certain action when a certain MIME header is found. For example, header checks can be used\nprevent attaching executable files to emails.\n\nHeader checks work by comparing each message header line to a pre-configured list of patterns. When a match is found the\ncorresponding action is executed. The default patterns that come with this image can be found in the `smtp_header_checks`\nfile. Feel free to override this file in any derived images or, alternately, provide your own in another directory.\n\nSet `SMTP_HEADER_CHECKS` to type and location of the file to enable this feature. The sample file is uploaded into\n`/etc/postfix/smtp_header_checks` in the image. As a convenience, setting `SMTP_HEADER_CHECKS=1` will set this to\n`regexp:/etc/postfix/smtp_header_checks`.\n\nExample:\n\n```shell script\ndocker run --rm --name postfix -e \"SMTP_HEADER_CHECKS=\"regexp:/etc/postfix/smtp_header_checks\" -e \"ALLOWED_SENDER_DOMAINS=example.com example.org\" -p 1587:587 boky/postfix\n```\n\n#### `POSTFIX_myhostname`\n\nYou may configure a specific hostname that the SMTP server will use to identify itself. If you don't do it,\nthe default Docker host name will be used. A lot of times, this will be just the container id (e.g. `f73792d540a5`)\nwhich may make it difficult to track your emails in the log files. If you care about tracking at all,\nI suggest you set this variable, e.g.:\n\n```shell script\ndocker run --rm --name postfix -e \"POSTFIX_myhostname=postfix-docker\" -p 1587:587 boky/postfix\n```\n\n#### `POSTFIX_mynetworks`\n\nThis implementation is meant for private installations -- so that when you configure your services using _docker compose_\nyou can just plug it in. Precisely because of this reason and the prevent any issues with this postfix being inadvertently\nexposed on the internet and then used for sending spam, the *default networks are reserved for private IPv4 IPs only*.\n\nMost likely you won't need to change this. However, if you need to support IPv6 or strenghten the access further, you\ncan override this setting.\n\nExample:\n\n```shell script\ndocker run --rm --name postfix -e \"POSTFIX_mynetworks=10.1.2.0/24\" -p 1587:587 boky/postfix\n```\n\n#### `POSTFIX_message_size_limit`\n\nDefine the maximum size of the message, in bytes.\nSee more in [Postfix documentation](http://www.postfix.org/postconf.5.html#message_size_limit).\n\nBy default, this limit is set to 0 (zero), which means unlimited. Why would you want to set this? Well, this is\nespecially useful in relation with `RELAYHOST` setting. If your relay host has a message limit (and usually it does),\nset it also here. This will help you \"fail fast\" -- your message will be rejected at the time of sending instead having\nit stuck in the outbound queue indefinitely.\n\n#### Overriding specific postfix settings\n\nAny Postfix [configuration option](http://www.postfix.org/postconf.5.html) can be overriden using `POSTFIX_\u003cname\u003e`\nenvironment variables, e.g. `POSTFIX_allow_mail_to_commands=alias,forward,include`. Specifying no content (empty\nvariable) will remove that variable from postfix config.\n\n#### `SKIP_ROOT_SPOOL_CHOWN`\n\nSetting this to `1` will skip re-owning in `/var/spool/postfix/` and `/var/spool/postfix/pid`. You generally do not\nwant to set this option unless you're running into specific issues (e.g. [#97](https://github.com/bokysan/docker-postfix/issues/97)).\n\nIf unsure, leave it as is.\n\n#### `ANONYMIZE_EMAILS`\n\nAnonymize email in Postfix logs. It mask the email content by putting `*` in the middle of the name and the domain.\nFor example: `from=\u003ca*****************s@a***********.com\u003e`\n\nSyntax: `\u003cmasker-name\u003e[?option=value\u0026option=value\u0026....]`\n\n**NOTICE:** Options are URL-encoded.\n\nThe following filters are provided with this implementation:\n\n##### The `default` (`smart`) filter\n\nEnable the filter by setting `ANONYMIZE_EMAILS=smart`.\n\nThe is enabled by setting the value to `on`, `true`, `1`, `default` or `smart`. The filter will take an educated guess at how to best mask the emails, specifically:\n\n- It will leave the first and the last letter of the local part (if the local part is one letter long it gets repeated atht beggining and the end)\n- If the local part is in quotes, it will remove the quotes (Warning: if the email starts with a space, this might look weird in logs)\n- It will replace all the letters inbetween with **ONE** asterisk, even if there are none\n- It will replace everything but a TLD with a star\n- Address-style domains will see the number replaced with stars\n\nE.g.:\n\n- `demo@example.org` -\u003e `d*o@*******.org`\n- `john.doe@example.solutions` -\u003e `j*e@*******.solutions`\n- `sa@localhost` -\u003e `s*a@*********`\n- `s@[192.168.8.10]` -\u003e `s*s@[*.*.*.*]`\n- `\"multi....dot\"@[IPv6:2001:db8:85a3:8d3:1319:8a2e:370:7348]` -\u003e `\"m*t\"@[IPv6:***********]`\n\nConfiguration parameters:\n\n| Property         | Default value | Required | Description |\n|------------------|---------------|----------|-------------|\n| `mask_symbol`    | `*`           | no       | Mask symbol to use instead of replaced characters |\n\n##### The `paranoid` filter\n\nThe paranoid filter works similar to smart filter but will:\n\n- Replace the local part with **ONE** asterisk\n- Replace the domain part (sans TLD) with **ONE** asterisk\n\nE.g.:\n\n- `demo@example.org` -\u003e `*@*.org`\n- `john.doe@example.solutions` -\u003e `*@*.solutions`\n- `sa@localhost` -\u003e `*@*`\n- `s@[192.168.8.10]` -\u003e `*@[*]`\n- `\"multi....dot\"@[IPv6:2001:db8:85a3:8d3:1319:8a2e:370:7348]` -\u003e `*@[IPv6:*]`\n\nConfiguration parameters:\n\n| Property         | Default value | Required | Description |\n|------------------|---------------|----------|-------------|\n| `mask_symbol`    | `*`           | no       | Mask symbol to use instead of replaced characters |\n\n##### The `hash` filter\n\nThis filter will replace the email with the salted (HMAC - SHA256) hash. While it makes the logs much less readable, it has one specific benefit:\nit allows you to search through the logs if you know the email address you're looking for. You are able to calculate the hash yourself\nand then grep through the logs for this specific email address.\n\nE.g.:\n\n- `prettyandsimple@example.com` -\u003e `\u003c3052a860ddfde8b50e39843d8f1c9f591bec442823d97948b811d38779e2c757\u003e` for (`ANONYMIZE_EMAILS=hash?salt=hello%20world`)\n- `prettyandsimple@example.com` -\u003e `c58731d3@8bd7a35c` for (`ANONYMIZE_EMAILS=hash?salt=hello%20world\u0026split=true\u0026short_sha=t\u0026prefix=\u0026suffix=`)\n\nFilter will not work without configuration. You will need to provide (at least) the salt, e.g.: `ANONYMIZE_EMAILS=hash?salt=demo`\n\nConfiguration parameters:\n\n| Property         | Default value | Required | Description |\n|------------------|---------------|----------|-------------|\n| `salt`           | none          | **yes**  | HMAC key (salt) used for calculating the checksum |\n| `prefix`         | ``            | no       | Prefix of emails in the log (for easier grepping) |\n| `suffix`         | ``            | no       | Suffix of emails in the log (for easier grepping) |\n| `split`          | `false`       | no       | Set to `1`, `t` or `true` to hash separately the local and the domain part |\n| `short_sha`      | `false`       | no       | Set to `1`, `t` or `true` to return just the first 8 characters of the hash |\n| `case_sensitive` | `true`        | no       | Set to `0`, `f` or `false` to convert email to lowercase before hashing |\n\n##### The `noop` filter\n\nThis filter doesn't do anything. It's used for testing purposes only.\n\n##### Writing your own filters\n\nIt's easy enough to write your own filters. The simplest way would be to take the `email-anonymizer.py` file in this\nimage, write your own and then attach it to the container image under `/scripts`. If you're feeling adventureus, you can\nalso install your own Python package -- the script will automatically pick up the class name.\n\n### DKIM / DomainKeys\n\n**This image is equipped with support for DKIM.** If you want to use DKIM you will need to generate DKIM keys. These can\nbe either generated automatically, or you can supply them yourself.\n\nThe DKIM supports the following options:\n\n- `DKIM_SELECTOR` = Override the default DKIM selector (by default \"mail\").\n- `DKIM_AUTOGENERATE` = Set to non-empty value (e.g. `true` or `1`) to have the server auto-generate domain keys.\n- `OPENDKIM_\u003cany_dkim_setting\u003e` = Provide any additional OpenDKIM setting.\n\n#### Supplying your own DKIM keys\n\nIf you want to use your own DKIM keys, you'll need to create a folder for every domain you want to send through. You\nwill need to generate they key(s) with the `opendkim-genkey` command, e.g.\n\n```shell script\nmkdir -p /host/keys; cd /host/keys\n\nfor DOMAIN in example.com example.org; do\n    # Generate a key with selector \"mail\"\n    opendkim-genkey -b 2048 -h rsa-sha256 -r -v --subdomains -s mail -d $DOMAIN\n    # Fixes https://github.com/linode/docs/pull/620\n    sed -i 's/h=rsa-sha256/h=sha256/' mail.txt\n    # Move to proper file\n    mv mail.private $DOMAIN.private\n    mv mail.txt $DOMAIN.txt\ndone\n...\n```\n\n`opendkim-genkey` is usually in your favourite distribution provided by installing `opendkim-tools` or `opendkim-utils`.\n\nAdd the created `\u003cdomain\u003e.txt` files to your DNS records. Afterwards, just mount `/etc/opendkim/keys` into your image\nand DKIM will be used automatically, e.g.:\n\n```shell script\ndocker run --rm --name postfix -e \"ALLOWED_SENDER_DOMAINS=example.com example.org\" -v /host/keys:/etc/opendkim/keys -p 1587:587 boky/postfix\n```\n\n#### Auto-generating the DKIM selectors through the image\n\nIf you set the environment variable `DKIM_AUTOGENERATE` to a non-empty value (e.g. `true` or `1`) the image will\nautomatically generate the keys.\n\n**Be careful when using this option**. If you don't bind `/etc/opendkim/keys` to a persistent volume, you will get new\nkeys every single time. You will need to take the generated public part of the key (the one in the `.txt` file) and\ncopy it over to your DNS server manually.\n\n#### Changing the DKIM selector\n\n`mail` is the *default DKIM selector* and should be sufficient for most usages. If you wish to override the selector,\nset the environment variable `DKIM_SELECTOR`, e.g. `... -e DKIM_SELECTOR=postfix`. Note that the same DKIM selector will\nbe applied to all found domains. To override a selector for a specific domain use the syntax\n`[\u003cdomain\u003e=\u003cselector\u003e,...]`, e.g.:\n\n```shell script\nDKIM_SELECTOR=foo,example.org=postfix,example.com=blah\n```\n\nThis means:\n\n- use `postfix` for `example.org` domain\n- use `blah` for `example.com` domain\n- use `foo` if no domain matches\n\n#### Overriding specific OpenDKIM settings\n\nAny OpenDKIM [configuration option](http://opendkim.org/opendkim.conf.5.html) can be overriden using `OPENDKIM_\u003cname\u003e`\nenvironment variables, e.g. `OPENDKIM_RequireSafeKeys=yes`. Specifying no content (empty variable) will remove that\nvariable from OpenDKIM config.\n\n#### Verifying your DKIM setup\n\nI strongly suggest using a service such as [dkimvalidator](https://dkimvalidator.com/) to make sure your keys are set up\nproperly and your DNS server is serving them with the correct records.\n\n### Docker Secrets / Kubernetes secrets\n\nAs an alternative to passing sensitive information via environment variables, `_FILE` may be appended to some environment variables (see below), causing the initialization script to load the values for those variables from files present in the container. In particular, this can be used to load passwords from Docker secrets stored in `/run/secrets/\u003csecret_name\u003e` files. For example:\n\n```\ndocker run --rm --name pruebas-postfix \\\n    -e RELAYHOST=\"[smtp.gmail.com]:587\" \\\n    -e RELAYHOST_USERNAME=\"\u003cput.your.account\u003e@gmail.com\" \\\n    -e POSTFIX_smtp_tls_security_level=\"encrypt\" \\\n    -e XOAUTH2_CLIENT_ID_FILE=\"/run/secrets/xoauth2-client-id\" \\\n    -e XOAUTH2_SECRET_FILE=\"/run/secrets/xoauth2-secret\" \\\n    -e ALLOW_EMPTY_SENDER_DOMAINS=\"true\" \\\n    -e XOAUTH2_INITIAL_ACCESS_TOKEN_FILE=\"/run/secrets/xoauth2-access-token\" \\\n    -e XOAUTH2_INITIAL_REFRESH_TOKEN_FILE=\"/run/secrets/xoauth2-refresh-token\" \\\n    boky/postfix\n```\n\nCurrently, this is only supported for `RELAYHOST_PASSWORD`, `XOAUTH2_CLIENT_ID`, `XOAUTH2_SECRET`, `XOAUTH2_INITIAL_ACCESS_TOKEN`\nand `XOAUTH2_INITIAL_REFRESH_TOKEN`.\n\n## Helm chart\n\nThis image comes with its own helm chart. The chart versions are aligned with the releases of the image. Charts are hosted\nthrough this repository.\n\nTo install the image, simply do the following:\n\n```shell script\nhelm repo add bokysan https://bokysan.github.io/docker-postfix/\nhelm upgrade --install --set persistence.enabled=false --set config.general.ALLOWED_SENDER_DOMAINS=example.com mail bokysan/mail\n```\n\nChart configuration is as follows:\n\n| Property | Default value | Description |\n|----------|---------------|-------------|\n| `replicaCount` | `1` | How many replicas to start |\n| `image.repository` | `boky/postfix` | This docker image repository |\n| `image.tag` | *empty* | Docker image tag, by default uses Chart's `AppVersion` |\n| `image.pullPolicy` | `IfNotPresent` | [Pull policy](https://kubernetes.io/docs/concepts/containers/images/#updating-images) for the image |\n| `imagePullSecrets` | `[]` | Pull secrets, if neccessary |\n| `nameOverride` | `\"\"` | Override the helm chart name |\n| `fullnameOverride` | `\"\"` | Override the helm full deployment name |\n| `serviceAccount.create` | `true` | Specifies whether a service account should be created |\n| `serviceAccount.annotations` | `{}` | Annotations to add to the service account |\n| `serviceAccount.name` | `\"\"` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |\n| `service.type` | `ClusterIP` | How is the server exposed |\n| `service.port` | `587` | SMTP submission port |\n| `service.labels` | `{}` | Additional service labels |\n| `service.annotations` | `{}` | Additional service annotations |\n| `service.spec` | `{}` | Additional service specifications |\n| `service.nodePort` | *empty* | Use a specific `nodePort` |\n| `service.nodeIP` | *empty* | Use a specific `nodeIP` |\n| `resources` | `{}` | [Pod resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) |\n| `autoscaling.enabled` | `false` | Set to `true` to enable [Horisontal Pod Autoscaler](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) |\n| `autoscaling.minReplicas` | `1` | Minimum number of replicas |\n| `autoscaling.maxReplicas` | `100` | Maximum number of replicas |\n| `autoscaling.targetCPUUtilizationPercentage` | `80` | When to scale up |\n| `autoscaling.targetMemoryUtilizationPercentage` | `\"\"` | When to scale up |\n| `autoscaling.labels` | `{}` | Additional HPA labels |\n| `autoscaling.annotations` | `{}` | Additional HPA annotations |\n| `nodeSelector` | `{}` | Standard Kubernetes stuff |\n| `tolerations` | `[]` | Standard Kubernetes stuff |\n| `affinity` | `{}` | Standard Kubernetes stuff |\n| `certs.create` | `{}` | Auto generate TLS certificates for Postfix |\n| `extraVolumes` | `[]` | Append any extra volumes to the pod |\n| `extraVolumeMounts` | `[]` | Append any extra volume mounts to the postfix container |\n| `extraInitContainers` | `[]` | Execute any extra init containers on startup |\n| `extraEnv` | `[]` | Add any extra environment variables to the container |\n| `extraContainers` | `[]` | Add extra containers |\n| `deployment.labels` | `{}` | Additional labels for the statefulset |\n| `deployment.annotations` | `{}` | Additional annotations for the statefulset |\n| `pod.securityContext` | `{}` | Pods's [security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) |\n| `pod.labels` | `{}` | Additional labels for the pod |\n| `pod.annotations` | `{}` | Additional annotations for the pod |\n| `container.postfix.securityContext` | `{}` | Containers's [security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) |\n| `config.general` | `{}` | Key-value list of general configuration options, e.g. `TZ: \"Europe/London\"` |\n| `config.postfix` | `{}` | Key-value list of general postfix options, e.g. `myhostname: \"demo\"` |\n| `config.opendkim` | `{}` | Key-value list of general OpenDKIM options, e.g. `RequireSafeKeys: \"yes\"` |\n| `secret` | `{}` | Key-value list of environment variables to be shared with Postfix / OpenDKIM as secrets |\n| `existingSecret` | `\"\"` | A reference to an existing opaque secret. Secret is mounted and exposed as environment variables in the pod |\n| `mountSecret.enabled` | `false` | Create a folder with contents of the secret in the pod's container |\n| `mountSecret.path` | `/var/lib/secret` | Where to mount secret data |\n| `mountSecret.data` | `{}` | Key-value list of files to be mount into the container |\n| `persistence.enabled` | `true` | Persist Postfix's queue on disk |\n| `persistence.accessModes` | `[ 'ReadWriteOnce' ]` | Access mode |\n| `persistence.existingClaim` | `\"\"` | Provide an existing `PersistentVolumeClaim`, the value is evaluated as a template. |\n| `persistence.size` | `1Gi` | Storage size |\n| `persistence.storageClass` | `\"\"` | Storage class |\n| `recreateOnRedeploy` | `true` | Restart Pods on every helm deployment, to prevent issues with stale configuration(s). |\n\n### Metrics\n\nYou may enable metrics on the cart by simply setting `metrics.enabled=true`. Of course, this comes with some caveats, namely:\n\n- Postfix logs will (by default, if you don't override this) go to `/var/log/mail.log` _as well_ as to stdout.\n- `/var/log/mail.log` will be in plain-text format (always), no matter what you set `LOG_FORMAT` to\n\nPlease see helm chart's `values.yaml` for further configuration options and how to enable `ServiceMonitor`, if you need it for\nPrometheus.\n\n## Extending the image\n\n### Using custom init scripts\n\nIf you need to add custom configuration to postfix or have it do something outside of the scope of this configuration,\nsimply add your scripts to `/docker-init.db/`: All files with the `.sh` extension will be executed automatically at the\nend of the startup script.\n\nE.g.: create a custom `Dockerfile` like this:\n\n```shell script\nFROM boky/postfix\nLABEL maintainer=\"Jack Sparrow \u003cjack.sparrow@theblackpearl.example.com\u003e\"\nADD Dockerfiles/additional-config.sh /docker-init.db/\n```\n\nBuild it with docker, and your script will be automatically executed before Postfix starts.\n\nOr -- alternately -- bind this folder in your docker config and put your scripts there. Useful if you need to add a\nconfig to your postfix server or override configs created by the script.\n\nFor example, your script could contain something like this:\n\n```shell script\n#!/bin/sh\npostconf -e \"address_verify_negative_cache=yes\"\n```\n\n## Security\n\nPostfix will run the master proces as `root`, because that's how it's designed. Subprocesses will run under the `postfix`\nand `opendkim` accounts.\n\n### UIDs/GIDs numbers\n\nWhile I cannot guarantee IDs (they are auto-generated by package manages), they tend to be fairly consistent across \n**specific distribution**. Please be aware of this if you are switching images from Alpine to Debian to Ubuntu or\nback.\n\nAt the last check, images had the following UIDs/GIDs:\n\n| Service    | Debian (`UID/GID`) | Ubuntu (`UID/GID`) | Alpine (`UID/GID`) |\n|------------|--------------------|--------------------|--------------------|\n| `postfix`  | `100:102`          | `101:102`          | `100:101`          |\n| `opendkim` | `101:104`          | `102:104`          | `102:103`          |\n\nPlease check the notification information on startup.\n\n## Quick how-tos\n\n### Relaying messages through your Gmail account\n\nPlease note that Gmail does not support using your password with non-OAuth2 clients. You will need to either enable\n[Less secure apps](https://support.google.com/accounts/answer/6010255?hl=en) in your account and assign an \"app password\",\nor [configure postfix support for XOAuth2 authentication](#xoauth2_client_id-xoauth2_secret-xoauth2_initial_access_token-and-xoauth2_initial_refresh_token).\nYou'll also need to use (only) your email as the sender address.\n\nIf you follow the *less than secure* route, your configuration would be as follows:\n\n```shell script\nRELAYHOST=smtp.gmail.com:587\nRELAYHOST_USERNAME=you@gmail.com\nRELAYHOST_PASSWORD=your-gmail-app-password\nALLOWED_SENDER_DOMAINS=gmail.com\n```\n\nThere's no need to configure DKIM or SPF, as Gmail will add these headers automatically.\n\n### Relaying messages through Google Apps account\n\nGoogle Apps allows third-party services to use Google's SMTP servers without much hassle. If you have a static IP, you\ncan configure Gmail to accept your messages. You can then send email *from any address within your domain*.\n\nYou need to enable the [SMTP relay service](https://support.google.com/a/answer/2956491?hl=en):\n\n* Go to Google [Admin /Apps / G Suite / Gmail /Advanced settings](https://admin.google.com/AdminHome?hl=en_GB#ServiceSettings/service=email\u0026subtab=filters).\n* Find the **Routing / SMTP relay service**\n* Click **Add another** button that pops up when you hover over the line\n* Enter the name and your server's external IP as shown in the picture below:\n  * **Allowed senders:** Only registered Apps users in my domains\n  * Select **Only accept mail from specified IP Addresses**\n  * Click **Add IP RANGE** and add your external IP\n  * Make sure **Require SMTP Authentication** is **NOT** selected\n  * You *may* select **Require TLS encryption**\n\n![Add setting SMTP relay service](GApps-SMTP-config.png)\n\nYour configuration would be as follows:\n\n```shell script\nRELAYHOST=smtp-relay.gmail.com:587\nALLOWED_SENDER_DOMAINS=\u003cyour-domain\u003e\n```\n\nThere's no need to configure DKIM or SPF, as Gmail will add these headers automatically.\n\n### Relaying messages through Amazon's SES\n\nIf your application runs in Amazon Elastic Compute Cloud (Amazon EC2), you can use Amazon SES to send up to 62,000 emails\nevery month at no additional charge. You'll need an AWS account and SMTP credentials. The SMTP settings are available\non the SES page. \n\nFor example, for `eu-central-1`:\n\n- Please See the [SES Page for Details](https://eu-central-1.console.aws.amazon.com/ses/home?region=eu-central-1#smtp)\n\nYou need Amazon SES SMTP credentials to access the SES SMTP interface.\n**NOTE:** Your SMTP password is different from your AWS secret access key.  Additionally, the credentials that you use to send email through the SES SMTP interface are unique to each _AWS Region_. If you use the SES SMTP interface to send email in more than one Region, you must generate a set of SMTP credentials for each Region that you plan to use.\n\n- [Create or Obtain the User Credentials](https://docs.aws.amazon.com/ses/latest/dg/smtp-credentials.html)\n\n**Make sure you write the user credentials down, as you will only see them once.**\n\nBy default, messages that you send through Amazon SES use a subdomain of `amazonses.com` as the `MAIL FROM` domain. See\n[Amazon's documentation](https://docs.aws.amazon.com/ses/latest/DeveloperGuide/mail-from.html) on how the domain can\nbe configured.\n\nYour configuration would be as follows (example data, these key *will not work*):\n\n```shell script\nRELAYHOST=email-smtp.eu-central-1.amazonaws.com:587\nRELAYHOST_USERNAME=AKIAGHEVSQTOOSQBCSWQ\nRELAYHOST_PASSWORD=BK+kjsdfliWELIhEFnlkjf/jwlfkEFN/kDj89Ufj/AAc\nALLOWED_SENDER_DOMAINS=\u003cyour-domain\u003e\n```\n\nYou will need to configure DKIM and SPF for your domain as well.\n\n### Sending messages directly\n\nIf you're sending messages directly, you'll need to:\n\n- have a fixed IP address;\n- configure a reverse PTR record;\n- configure SPF and/or DKIM as explained in this document;\n- it's also highly advisable to have your own IP block.\n\nYour configuration would be as follows:\n\n```shell script\nALLOWED_SENDER_DOMAINS=\u003cyour-domain\u003e\n```\n\n#### Careful\n\nGetting all of this to work properly is not a small feat:\n\n- Hosting providers will regularly block outgoing connections to port 25. On AWS, for example you can\n  [fill out a form](https://aws.amazon.com/premiumsupport/knowledge-center/ec2-port-25-throttle/) and request for\n  port 25 to be unblocked.\n- You'll most likely need to at least [set up SPF records](https://en.wikipedia.org/wiki/Sender_Policy_Framework) or\n  [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail).\n- You'll need to set up [PTR](https://en.wikipedia.org/wiki/Reverse_DNS_lookup) records to prevent your emails going\n  to spam.\n- Microsoft is especially notorious for trashing emails from new IPs directly into spam. If you're having trouble\n  delivering emails to `outlook.com` domains, you will need to enroll in their\n  [Smart Network Data Service](https://sendersupport.olc.protection.outlook.com/snds/) programme. And to do this you\n  will need to *be the owner of the netblock you're sending the emails from*.\n\n## Similar projects\n\nThere are may other project offering similar functionality. The aim of this project, however, is:\n\n* to make it as simple as possible to run the relay, without going too much into postfix configuration details\n* to make the image as small as possible (hence basing on Alpine linux)\n* to make the image and the corresponding code testable\n\nThe other projects are, in completely random order:\n\n- [wader/postfix-relay](https://github.com/wader/postfix-relay)\n- [catatnight/postfix](https://github.com/catatnight/docker-postfix)\n- [juanluisbaptiste/docker-postfix](https://github.com/juanluisbaptiste/docker-postfix)\n- [docker-mail-relay](https://github.com/alterrebe/docker-mail-relay)\n- [applariat/kubernetes-postfix-relay-host](https://github.com/applariat/kubernetes-postfix-relay-host)\n- [eldada/postfix-relay-kubernetes](https://github.com/eldada/postfix-relay-kubernetes)\n\n## License check\n\n[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fbokysan%2Fdocker-postfix.svg?type=large)](https://app.fossa.com/projects/git%2Bgithub.com%2Fbokysan%2Fdocker-postfix?ref=badge_large)\n","funding_links":[],"categories":["Shell"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbokysan%2Fdocker-postfix","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbokysan%2Fdocker-postfix","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbokysan%2Fdocker-postfix/lists"}