{"id":25883102,"url":"https://github.com/o-x-l/postfix-relay-dockerized","last_synced_at":"2025-07-15T23:43:41.107Z","repository":{"id":255757022,"uuid":"853539924","full_name":"O-X-L/postfix-relay-dockerized","owner":"O-X-L","description":"Dockerized Postfix SMTP Relay","archived":false,"fork":false,"pushed_at":"2024-09-06T22:25:52.000Z","size":6,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-06-06T06:26:26.395Z","etag":null,"topics":["dkim","dmarc","docker","docker-container","mail","mail-relay","mailer","opendkim","postfix","proxy","relay","sendmail"],"latest_commit_sha":null,"homepage":"https://docs.o-x-l.com/mail/security.html","language":"Dockerfile","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/O-X-L.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-09-06T21:35:50.000Z","updated_at":"2024-09-07T10:32:00.000Z","dependencies_parsed_at":"2024-09-07T02:08:41.667Z","dependency_job_id":"568ddd9d-f4aa-47a0-b857-73ad5906cfd6","html_url":"https://github.com/O-X-L/postfix-relay-dockerized","commit_stats":null,"previous_names":["o-x-l/postfix-relay-dockerized"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/O-X-L/postfix-relay-dockerized","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/O-X-L%2Fpostfix-relay-dockerized","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/O-X-L%2Fpostfix-relay-dockerized/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repos
itories/O-X-L%2Fpostfix-relay-dockerized/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/O-X-L%2Fpostfix-relay-dockerized/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/O-X-L","download_url":"https://codeload.github.com/O-X-L/postfix-relay-dockerized/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/O-X-L%2Fpostfix-relay-dockerized/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":265467912,"owners_count":23770799,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dkim","dmarc","docker","docker-container","mail","mail-relay","mailer","opendkim","postfix","proxy","relay","sendmail"],"created_at":"2025-03-02T16:31:13.837Z","updated_at":"2025-07-15T23:43:41.076Z","avatar_url":"https://github.com/O-X-L.png","language":"Dockerfile","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Postfix Mail-Relay Dockerized\n\n**Disclaimer**: This container utilizes [debian12 with systemd](https://serverfault.com/questions/1053187/systemd-fails-to-run-in-a-docker-container-when-using-cgroupv2-cgroupns-priva) which will be seen as *unclean* setup by some!\n\n----\n\n## Contribute\n\nFeel free to open Issues/Discussions or provide PRs!\n\nA non-systemd (unprivileged) setup may be added later on. 
If you have input on such a setup =\u003e help is welcome.\n\n----\n\n## Features / Config\n\n* Using a DKIM Key for all sender addresses\n* Only allow specific receiver domains (see `/etc/postfix/transport`)\n* No authentication for now - only filtering by IP/Network\n* Listening on port 2525 (see `/etc/postfix/master.cf`)\n* StartTLS with Snakeoil Certificate that has FQDN and IP in SAN\n\n### Roadmap\n\n* [Inbound SASL authentication](https://serverfault.com/questions/547282/postfix-how-to-use-simple-file-for-sasl-authentication)\n* Option for Outbound Relay + SASL authentication\n* Forward mail-service logs to `docker logs`\n\n----\n\n## KnowHow \u0026 Security\n\nThis mail relay can be unsafe if you misconfigure it!\n\n**Make sure**:\n\n* You [understand the basics of E-Mail security](https://docs.o-x-l.com/mail/security.html)!\n* Only IPs that you have control over are allowed to access it\n* You utilize the send/receive filters\n* You add firewall-filters to limit the access to the relay\n\n----\n\n## Build\n\n### Variables\n\n* **MAIL_HOSTNAME** =\u003e Your fully-qualified mailserver-hostname\n* **MAIL_DKIM_SELECTOR** =\u003e The DKIM selector you want to use (*needs to be used in the DNS record*)\n* **MAIL_PUBLIC_IP** =\u003e Public IP the mail-server will use for outbound traffic\n\n  Note: You should also make sure that a PTR (*reverse DNS*) points to this IP and resolves to your FQDN hostname\n\n* **MAIL_CERT_SUBJECT** =\u003e TLS Certificate subject-name in openssl-format (*Default: /CN=Mail Service*)\n* **MAIL_ALLOWED_SRC** =\u003e Comma-separated list of domains or e-mail addresses that will be signed with your DKIM key\n* **MAIL_ALLOWED_DST** =\u003e Comma-separated list of receiver-domains that are allowed. 
Other E-mails will be dropped (*to limit impact if someone would be able to send spam over this relay*)\n\n* **MAIL_ALLOWED_NETS** =\u003e Space-separated Networks in CIDR-format that are allowed to send over this mail-relay.\n\n  **Warning**: If you are using docker in bridge-mode - this filter might not work as the source-IPs get NATed\n\n\n### Generate DKIM Key-Pair\n\n```bash\nopenssl genrsa -out mail.key 2048\nchmod 600 mail.key\nopenssl rsa -in mail.key -pubout \u003e mail.crt\ncat mail.crt | tr -d '\\n'\n```\n\nCopy the Public-Key (*without headers*) and create a DNS record for your chosen selector:\n\n`\u003cSELECTOR\u003e._domainkey.\u003cDOMAIN\u003e.\u003cTLD\u003e TXT \"v=DKIM1; k=rsa; p=\u003cPUBLIC-KEY\u003e\"`\n\nExample:\n\n`test._domainkey.oxl.at TXT \"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC0BtDBbXYRNcft4d6LeTGkybsxc1JVXxZ2hJHDteHhU7TUfQGq2MqcsegVU97l6THb8VZxv7hWKCFSXwLh1QHRAVB9bxVFbu08cI9OMPpfvjq2XyVdY6D1lRD36emn4Mk9F6kIb5apP6QQtFPvMsX/15NZLZ/pr+G2DHl3TfG7vQIDAQAB\"`\n\n## Example\n\nBefore building, add your `dkim.key` file to the same directory as the Dockerfile!\n\n`docker build -f Dockerfile_postfix --no-cache --build-arg MAIL_ALLOWED_SRC=service@oxl.at --build-arg MAIL_HOSTNAME=xyz.oxl.at --build-arg MAIL_PUBLIC_IP=1.1.1.1 --build-arg MAIL_CERT_SUBJECT=\"/CN=My Mail Service\" --build-arg MAIL_ALLOWED_DST=oxl.at --build-arg MAIL_ALLOWED_NETS=\"192.168.10.0/24 1.1.1.1/32\" --build-arg MAIL_DKIM_SELECTOR=test -t postfix .`\n\n----\n\n# Run\n\n## Host Mode\n\n`docker run -d --net host --restart always --privileged --tmpfs /tmp --tmpfs /run --tmpfs /run/lock --name postfix postfix:latest /sbin/init`\n\n## Bridged Mode\n\nNot recommended because of Source-NAT.\n\n`docker run -d -p 2525:25/tcp --restart always --privileged --tmpfs /tmp --tmpfs /run --tmpfs /run/lock --name postfix postfix:latest /sbin/init`\n\n----\n\n## Test\n\n* Enter the container: `docker exec -it postfix /bin/bash`\n* Send a test-mail: `echo 'Subject: Test-Mail' | 
sendmail -F 'TEST_FROM' -f 'TEST_FROM' -t 'TEST_TO'`\n* Check the logs: `journalctl -n 20`\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fo-x-l%2Fpostfix-relay-dockerized","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fo-x-l%2Fpostfix-relay-dockerized","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fo-x-l%2Fpostfix-relay-dockerized/lists"}