{"id":40968866,"url":"https://github.com/panubo/docker-postfix","last_synced_at":"2026-01-22T06:29:37.970Z","repository":{"id":37611982,"uuid":"43277993","full_name":"panubo/docker-postfix","owner":"panubo","description":"Postfix Docker Image with great flexibility","archived":false,"fork":false,"pushed_at":"2026-01-19T06:44:22.000Z","size":131,"stargazers_count":32,"open_issues_count":5,"forks_count":50,"subscribers_count":6,"default_branch":"main","last_synced_at":"2026-01-19T13:48:35.687Z","etag":null,"topics":["dkim","docker-image","postfix","smtp","smtp-relay"],"latest_commit_sha":null,"homepage":"https://hub.docker.com/r/panubo/postfix/","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/panubo.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2015-09-28T03:30:38.000Z","updated_at":"2026-01-19T06:44:26.000Z","dependencies_parsed_at":"2024-01-16T09:11:06.919Z","dependency_job_id":null,"html_url":"https://github.com/panubo/docker-postfix","commit_stats":null,"previous_names":[],"tags_count":13,"template":false,"template_full_name":null,"purl":"pkg:github/panubo/docker-postfix","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/panubo%2Fdocker-postfix","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/panubo%2Fdocker-postfix/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/panubo%2Fdocker-postfix/releases","manifests_url":"https://repos.ec
osyste.ms/api/v1/hosts/GitHub/repositories/panubo%2Fdocker-postfix/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/panubo","download_url":"https://codeload.github.com/panubo/docker-postfix/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/panubo%2Fdocker-postfix/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28656849,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-22T01:17:37.254Z","status":"online","status_checked_at":"2026-01-22T02:00:07.137Z","response_time":144,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dkim","docker-image","postfix","smtp","smtp-relay"],"created_at":"2026-01-22T06:29:37.267Z","updated_at":"2026-01-22T06:29:37.962Z","avatar_url":"https://github.com/panubo.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Postfix Docker Image\n\n![build-push](https://github.com/panubo/docker-postfix/actions/workflows/build-push.yml/badge.svg)\n[![release](https://img.shields.io/github/v/release/panubo/docker-postfix)](https://github.com/panubo/docker-postfix/releases/latest)\n[![license](https://img.shields.io/github/license/panubo/docker-postfix)](LICENSE)\n\nPostfix SMTP Relay based on Debian.\n\nHighly configurable Docker image for SMTP relaying. Use wherever a connected service\nrequires SMTP sending capabilities. 
Supports TLS out of the box and DKIM\n(if enabled and configured).\n\nNot intended to be used for receiving email for local delivery or end-user\nemail access.\n\nThis image is available on quay.io `quay.io/panubo/postfix` and AWS ECR Public `public.ecr.aws/panubo/postfix`.\n\n\u003c!-- BEGIN_TOP_PANUBO --\u003e\n\u003e [!IMPORTANT]\n\u003e **Maintained by Panubo** — Cloud Native \u0026 SRE Consultants in Sydney.\n\u003e [Work with us →](https://panubo.com.au)\n\u003c!-- END_TOP_PANUBO --\u003e\n\n## Table of Contents\n\n- [Environment Variables](#environment-variables)\n- [Postfix Prometheus Exporter](#postfix-prometheus-exporter)\n- [Logging](#logging)\n- [Custom Scripts](#custom-scripts)\n- [Usage Example](#usage-example)\n- [Volumes](#volumes)\n- [Ports](#ports)\n- [Test email](#test-email)\n- [Developing](#developing)\n- [Releases](#releases)\n- [Status](#status)\n\n## Environment Variables\n\n- `MAILNAME` - set this to a legitimate FQDN hostname for this service (required). (example, `mail.example.com`)\n- `MYNETWORKS` - comma separated list of IP subnets that are allowed to relay. Default `127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16`\n- `LOGOUTPUT` - Log file location. e.g. `/var/log/maillog`. Default `/dev/stdout`. See [Logging](#logging)\n- `TZ` - set timezone. This is used by Postfix to create `Received` headers. Default `UTC`.\n- `POSTFIX_EXPORTER_ENABLED` - enable the Prometheus postfix_exporter. Default `false`. See [Postfix Exporter](#postfix-prometheus-exporter)\n\n**General Postfix:**\n\n- `SIZELIMIT` - Postfix `message_size_limit`. Default `15728640`.\n- `POSTFIX_ADD_MISSING_HEADERS` - add missing headers. Default `no`. (options, `yes`, `no`)\n- `INET_PROTOCOLS` - IP protocols, e.g. `ipv4` or `ipv6`. Default `all`. (options, `ipv4`, `ipv6`, `all`)\n- `BOUNCE_ADDRESS` - Email address to receive delivery failure notifications. 
Default is to log the delivery failure.\n- `HEADER_CHECKS` - If `true` activates a set of pre-configured header_checks. (options, `true`, `false`)\n- `DISABLE_VRFY_COMMAND` - Prevents some email address harvesting techniques. Default `yes`. (options, `yes`, `no`)\n\n**Rate limiting parameters:**\n\nThese are common parameters to rate limit outbound mail:\n\n- `SMTP_DESTINATION_CONCURRENCY_LIMIT` - Number of concurrent connections per receiving domain.\n- `SMTP_DESTINATION_RATE_DELAY` - Additional delay (e.g. `5s`) between messages to the same receiving domain.\n- `SMTP_EXTRA_RECIPIENT_LIMIT` - Limit the number of recipients of each message sent to the receiving domain.\n\n**Relay host parameters:**\n\n- `RELAYHOST` - Postfix relay host. Default ''. (example `mail.example.com:25`, or `[email-smtp.us-west-2.amazonaws.com]:587`). N.B. Use square brackets to prevent MX lookup on relay hostname.\n- `RELAYHOST_AUTH` - Enable authentication for relay host. Generally used with `RELAYHOST_PASSWORDMAP`. Default `no`. (options, `yes`, `no`).\n- `RELAYHOST_PASSWORDMAP` - Relay host password map in format: `RELAYHOST_PASSWORDMAP=[mail1.example.com]:587:user1:pass1,mail2.example.com:user2:pass2,user3:pass3`.\n- `RELAYHOST_MAP` - Sender dependent relayhost map in format: `RELAYHOST_MAP=@domain1.com:smtp.example.com:587,@domain2.com:[smtp.example.com]:587`\n- `SENDER_DEPENDENT_RELAYHOST_AUTH` - Enable sender dependent authentication for relay host. Generally used with `RELAYHOST_MAP` and `RELAYHOST_PASSWORDMAP`. Default `no`. (options, `yes`, `no`).\n\n**Client authentication parameters:**\n\nClient authentication is used to authenticate relay clients. Client authentication can be used in conjunction with, or as an alternative to `MYNETWORKS`.\n\n- `SMTPD_USERS` - SMTPD Users `user1:password1,user2:password2`\n\n**TLS parameters:**\n\n- `USE_TLS` - Enable TLS. Default `yes` (options, `yes`, `no`)\n- `TLS_SECURITY_LEVEL` - Default `may` (opportunistic). 
(options, `may`, `encrypt`, others see: [www.postfix.org/postconf.5.html#smtp_tls_security_level](http://www.postfix.org/postconf.5.html#smtp_tls_security_level))\n- `TLS_KEY` - Default `/etc/ssl/private/ssl-cert-snakeoil.key`\n- `TLS_CRT` - Default `/etc/ssl/certs/ssl-cert-snakeoil.pem`\n- `TLS_CA` - Default ''\n\n- `CLIENT_TLS_SECURITY_LEVEL` - Default `may` same as TLS_SECURITY_LEVEL but for client TLS\n- `CLIENT_TLS_KEY` - Default `/etc/ssl/private/ssl-cert-snakeoil.key`\n- `CLIENT_TLS_CRT` - Default `/etc/ssl/certs/ssl-cert-snakeoil.pem`\n- `CLIENT_TLS_CA` - Default ''\n\nNB. A self-signed (\"snake-oil\") certificate will be generated on start if required.\n\n**DKIM parameters:**\n\n- `USE_DKIM` - Enable DKIM. Default `no` (options, `yes`, `no`)\n- `DKIM_KEYFILE` - DKIM Keyfile location. Default `/etc/opendkim/dkim.key`\n- `DKIM_DOMAINS` - Domains to sign. Defaults to `MAILNAME`. Multiple domains will use the same key and selector.\n- `DKIM_SELECTOR` - DKIM key selector. Default `mail`. `\u003cselector\u003e._domainkey.\u003cdomain\u003e` is used for resolving the public key in DNS.\n- `DKIM_INTERNALHOSTS` - Defaults to `MYNETWORKS`.\n- `DKIM_EXTERNALIGNORE` - Defaults to `MYNETWORKS`.\n- `DKIM_OVERSIGN_HEADERS` - Sets OversignHeaders. Default `From`.\n- `DKIM_SENDER_HEADERS` - Sets SenderHeaders. Default unset.\n- `DKIM_SIGN_HEADERS` - Sets SignHeaders. Default unset.\n- `DKIM_OMIT_HEADERS` - Sets OmitHeaders. Default unset.\n\n**Advanced Postfix parameters:**\n\nIn some cases it might be necessary to further customise Postfix parameters that are not explicitly exposed via environment variables. In this case the environment variable `POSTCONF` provides a hook that is directly passed to `postconf -e` after splitting it by `;`. N.B. 
This is different from the comma-separated format used for other multi-value options.\n\nExample usage:\n\n```shell\nPOSTCONF='masquerade_domains=foo.example.com example.com;masquerade_exceptions=root,mailer-daemon'\n```\n\nWould result in `masquerade_domains` and `masquerade_exceptions` being configured for Postfix.\n\n**Config Reloader**\n\nThe config reloader watches the known TLS certificates and keys (`TLS_CRT`, `TLS_KEY`, etc.) for changes (e.g. `mv` or an updated Kubernetes secret) and then reloads Postfix.\n\n- `CONFIG_RELOADER_ENABLED` - Enable the config reloader. Default `false`; must be set to `true` to enable.\n\n## Postfix Prometheus Exporter\n\nThis image comes with [kumina/postfix_exporter](https://github.com/kumina/postfix_exporter) pre-installed. To enable it, set the environment variable `POSTFIX_EXPORTER_ENABLED=true` (this must be exactly \"true\"). The exporter requires that the log output is set to `/dev/stdout`; it cannot be anything else.\n\nThe exporter listens on port `9154/tcp`.\n\nSee [Logging](#logging)\n\n## Logging\n\nThis container outputs the Postfix mail log to stdout by default. Additionally, logs are saved to `/var/log/s6-maillog/current`, which is rotated every 10MB with only 3 log files retained.\n\nIf you want to output somewhere else you can set the environment variable `LOGOUTPUT`. For example `LOGOUTPUT=/var/log/maillog`.\n\nWhen enabled, OpenDKIM only supports syslog output; the syslogd daemon is only used for OpenDKIM. Only /dev/stdout is supported for OpenDKIM syslog logs.\n\n_Note: the Postfix Prometheus exporter only works when logs are sent to /dev/stdout. This requirement is due to the container's logging structure. 
This may be improved, but was needed to maintain backwards compatibility without adding additional configuration variables._\n\n_Note: The log `/var/log/s6-maillog/current` is always created but won't actually contain any logs if `LOGOUTPUT` is not `/dev/stdout`._\n\n## Custom Scripts\n\nExecutable shell scripts and binaries can be mounted or copied into `/etc/entrypoint.d`. These will be run when the container is launched but before postfix is started. These can be used to customise the behaviour of the container.\n\n## Usage Example\n\nSimple example:\n\n`docker run -e MAILNAME=mail.example.com quay.io/panubo/postfix:latest`\n\nUsage with SendGrid:\n\n```shell\ndocker run --rm -t -i \\\n  --name smtp \\\n  -v $(pwd)/spool:/var/spool/postfix:rw \\\n  -e MAILNAME=mail1.example.com \\\n  -e RELAYHOST_AUTH='yes' \\\n  -e RELAYHOST='[smtp.sendgrid.net]:587' \\\n  -e RELAYHOST_PASSWORDMAP=\"[smtp.sendgrid.net]:587:apikey:\u003capikey goes here\u003e\" \\\n  quay.io/panubo/postfix:latest\n```\n\nUsage with `docker-compose.yml`:\n\n```yaml\nservices:\n  postfix:\n    image: quay.io/panubo/postfix:latest\n    environment:\n      MAILNAME: mail.example.com\n      RELAYHOST: '[smtp.sendgrid.net]:587'\n      RELAYHOST_AUTH: 'yes'\n      RELAYHOST_PASSWORDMAP: '[smtp.sendgrid.net]:587:apikey:YOUR_API_KEY'\n    ports:\n      - \"2525:25\"\n```\n\n## Volumes\n\nNo volumes are defined. If you want persistent spool storage then mount\n`/var/spool/postfix` outside of the container.\n\n## Ports\n\nPorts `25`, `587` and `2525` are enabled.\n\n## Test email\n\nTo send a test email via the command line, make sure heirloom-mailx (aka bsd-mailx) is installed.\n\n```shell\necho -e \"To: Bob \u003cbob@example.com\u003e\\nFrom: Bill \u003cbill@example.com\u003e\\nSubject: Test email\\n\\nThis is a test email message\" | mailx -v -S smtp=smtp://... 
-S from=bill@example.com -t\n\n# With TLS\necho -e \"To: Bob \u003cbob@example.com\u003e\\nFrom: Bill \u003cbill@example.com\u003e\\nSubject: Test email\\n\\nThis is a test email message\" | mailx -v -S smtp-use-starttls -S ssl-verify=ignore -S smtp=smtp://... -S from=bill@example.com -t\n\n# With TLS on CentOS/Fedora (extra nss-config-dir)\necho -e \"To: Bob \u003cbob@example.com\u003e\\nFrom: Bill \u003cbill@example.com\u003e\\nSubject: Test email\\n\\nThis is a test email message\" | mailx -v -S smtp-use-starttls -S ssl-verify=ignore -S nss-config-dir=/etc/pki/nssdb -S smtp=smtp://... -S from=bill@example.com -t\n```\n\n## Developing\n\nSee the `Makefile` for make targets.\n\nTo run the BATS tests, use the `make test` command. This will build a test Docker image and execute the tests within it.\n\n\n## Releases\n\nFor production usage, please use a versioned release rather than the floating 'latest' tag.\n\nSee the [releases](https://github.com/panubo/docker-postfix/releases) for tag usage\nand release notes.\n\nImages are available on:\n\n- [quay.io/panubo/postfix](https://quay.io/repository/panubo/postfix?tab=tags)\n- [public.ecr.aws/panubo/postfix](https://gallery.ecr.aws/panubo/postfix)\n\n## Status\n\nProduction ready and stable.\n\n\u003c!-- BEGIN_BOTTOM_PANUBO --\u003e\n\u003e [!IMPORTANT]\n\u003e ## About Panubo\n\u003e\n\u003e This project is maintained by Panubo, a technology consultancy based in Sydney, Australia. 
We build reliable, scalable systems and help teams master the cloud-native ecosystem.\n\u003e\n\u003e We are available for hire to help with:\n\u003e\n\u003e * SRE \u0026 Operations: Improving system reliability and incident response.\n\u003e * Platform Engineering: Building internal developer platforms that scale.\n\u003e * Kubernetes: Cluster design, security auditing, and migrations.\n\u003e * DevOps: Streamlining CI/CD pipelines and developer experience.\n\u003e * [See our other services](https://panubo.com.au/services)\n\u003e\n\u003e Need a hand with your infrastructure? [Let’s have a chat](https://panubo.com.au/contact) or email us at team@panubo.com.\n\u003c!-- END_BOTTOM_PANUBO --\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpanubo%2Fdocker-postfix","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpanubo%2Fdocker-postfix","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpanubo%2Fdocker-postfix/lists"}