https://github.com/wader/postfix-relay

Postfix SMTP relay docker image
https://github.com/wader/postfix-relay

dkim docker-image postfix relay smtp-server spf

Last synced: 4 months ago
JSON representation

Postfix SMTP relay docker image

• Host: GitHub
• URL: https://github.com/wader/postfix-relay
• Owner: wader
• License: mit
• Created: 2015-07-18T14:08:22.000Z (almost 9 years ago)
• Default Branch: master
• Last Pushed: 2024-03-12T18:05:42.000Z (4 months ago)
• Last Synced: 2024-03-12T19:29:32.284Z (4 months ago)
• Topics: dkim, docker-image, postfix, relay, smtp-server, spf
• Language: Shell
• Homepage: https://hub.docker.com/r/mwader/postfix-relay/
• Size: 84 KB
• Stars: 109
• Watchers: 10
• Forks: 39
• Open Issues: 5
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Lists

• awesome-starred - wader/postfix-relay - Postfix SMTP relay docker image (others)

README

        
# postfix-relay

Postfix SMTP relay docker image. Useful for sending email without using an

external SMTP server.

Default configuration is an open relay that relies on docker networking for

protection. So be careful to not expose it publicly.

## Usage

`docker pull mwader/postfix-relay` or clone/build it yourself. Docker hub image is built for `amd64`, `arm/v7` and `arm64`.

### Postfix variables

Postfix [configuration options](http://www.postfix.org/postconf.5.html) can be set

using `POSTFIX_` environment variables. See [Dockerfile](Dockerfile) for default

configuration. You probably want to set `POSTFIX_myhostname` (the FQDN used by 220/HELO).

Note that `POSTFIX_myhostname` will change the postfix option

[myhostname](http://www.postfix.org/postconf.5.html#myhostname).

You can modify master.cf using postconf with `POSTFIXMASTER_` variables. All double `__` symbols will be replaced with `/`. For example

### Postfix master.cf variables

```

- POSTFIXMASTER_submission__inet=submission inet n - y - - smtpd

```

will produce

```

postconf -Me submission/inet="submission inet n - y - - smtpd"

```

### Postfix lookup tables

You can also create multiline [tables](http://www.postfix.org/DATABASE_README.html#types) using `POSTMAP_` like this example:

```

environment:

  - POSTFIX_transport_maps=hash:/etc/postfix/transport

  - |

    POSTMAP_transport=gmail.com smtp

    mydomain.com relay:[relay1.mydomain.com]:587

    * relay:[relay2.mydomain.com]:587

```

which will generate file `/etc/postfix/transport`

```

gmail.com smtp

mydomain.com relay:[relay1.mydomain.com]:587

* relay:[relay2.mydomain.com]:587

```

and run `postmap /etc/postfix/transport`.

### Relay Client Authentication

The container includes [Postfix SASL](https://www.postfix.org/SASL_README.html) authentication options that are disabled by default.

#### Example Basic Client PAM Auth

First, create a passwd file.

```

echo "myuser:"`docker run --rm mwader/postfix-relay mkpasswd -m sha-512 "mypassword"` >> passwd_file

```

Then mount the passwd file and add the following postfix configs via enviromental variable.

```

volumes:

  - /path/to/passwd_file:/etc/postfix/sasl/sasl_passwds

environment:

  - SASL_Passwds=/etc/postfix/sasl/sasl_passwds

  - POSTFIX_smtpd_sasl_auth_enable=yes

  - POSTFIX_cyrus_sasl_config_path=/etc/postfix/sasl

  - POSTFIX_smtpd_sasl_security_options=noanonymous

  - POSTFIX_smtpd_relay_restrictions=permit_sasl_authenticated,reject

```

### OpenDKIM variables

OpenDKIM [configuration options](http://opendkim.org/opendkim.conf.5.html) can be set

using `OPENDKIM_` environment variables. See [Dockerfile](Dockerfile) for default

configuration. For example `OPENDKIM_Canonicalization=relaxed/simple`.

### Using docker run

```

docker run -e POSTFIX_myhostname=smtp.domain.tld mwader/postfix-relay

```

### Using docker-compose

```

app:

  # use hostname "smtp" as SMTP server

smtp:

  image: mwader/postfix-relay

  restart: always

  environment:

    - POSTFIX_myhostname=smtp.domain.tld

    - OPENDKIM_DOMAINS=smtp.domain.tld

```

### Logging

By default container only logs to stdout. If you also wish to log `mail.*` messages to file on persistent volume, you can do something like:

```

environment:

  ...

  - RSYSLOG_LOG_TO_FILE=yes

  - RSYSLOG_TIMESTAMP=yes

volumes:

  - /your_local_path:/var/log/

```

You can also forward log output to remote syslog server if you define `RSYSLOG_REMOTE_HOST` variable. It always uses UDP protocol and port `514` as default value,

port number can be changed to different one with `RSYSLOG_REMOTE_PORT`. Default format of forwarded messages is defined by Rsyslog template `RSYSLOG_ForwardFormat`,

you can change it to [another template](https://www.rsyslog.com/doc/v8-stable/configuration/templates.html) (section Reserved Template Names) if you wish with `RSYSLOG_REMOTE_TEMPLATE` variable.

```

environment:

  ...

  - RSYSLOG_REMOTE_HOST=my.remote-syslog-server.com

  - RSYSLOG_REMOTE_PORT=514

  - RSYSLOG_REMOTE_TEMPLATE=RSYSLOG_ForwardFormat

```

#### Advanced logging configuration

If configuration via environment variables is not flexible enough it's possible to configure rsyslog directly: `.conf` files in the `/etc/rsyslog.d` directory will be [sorted alphabetically](https://www.rsyslog.com/doc/v8-stable/rainerscript/include.html#file) and included into the primary configuration.

### Timezone

Wrong timestamps in log can be fixed by setting proper timezone.

This parameter is handled by Debian base image.

```

environment:

  ...

  - TZ=Europe/Prague

```

### Known issues

#### I see `key data is not secure: /etc/opendkim/keys can be read or written by other users` error messages.

Some Docker distributions like Docker for Windows and RancherOS seems to handle

volume permission in way that does not work with OpenDKIM default behavior of

ensuring safe permissions on private keys.

A workaround is to disable the check using a `OPENDKIM_RequireSafeKeys=no` environment variable.

## SPF

When sending email using your own SMTP server it is probably a good idea

to setup [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) for the

domain you're sending from.

## DKIM

To enable [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail),

specify a whitespace-separated list of domains in the environment variable

`OPENDKIM_DOMAINS`. The default DKIM selector is "mail", but can be changed to

"``" using the syntax `OPENDKIM_DOMAINS==`.

At container start, RSA key pairs will be generated for each domain unless the

file `/etc/opendkim/keys//.private` exists. If you want the

keys to persist indefinitely, make sure to mount a volume for

`/etc/opendkim/keys`, otherwise they will be destroyed when the container is

removed.

DNS records to configure can be found in the container log or by running `docker exec  sh -c 'cat /etc/opendkim/keys/*/*.txt` you should see something like this:

```bash

$ docker exec 7996454b5fca sh -c 'cat /etc/opendkim/keys/*/*.txt'

mail._domainkey.smtp.domain.tld. IN	TXT	( "v=DKIM1; h=sha256; k=rsa; "

	  "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0Dx7wLGPFVaxVQ4TGym/eF89aQ8oMxS9v5BCc26Hij91t2Ci8Fl12DHNVqZoIPGm+9tTIoDVDFEFrlPhMOZl8i4jU9pcFjjaIISaV2+qTa8uV1j3MyByogG8pu4o5Ill7zaySYFsYB++cHJ9pjbFSC42dddCYMfuVgrBsLNrvEi3dLDMjJF5l92Uu8YeswFe26PuHX3Avr261n"

	  "j5joTnYwat4387VEUyGUnZ0aZxCERi+ndXv2/wMJ0tizq+a9+EgqIb+7lkUc2XciQPNuTujM25GhrQBEKznvHyPA6fHsFheymOuB763QpkmnQQLCxyLygAY9mE/5RY+5Q6J9oDOQIDAQAB" )  ; ----- DKIM key mail for smtp.domain.tld

```

## License

postfix-relay is licensed under the MIT license. See [LICENSE](LICENSE) for the

full license text.