From 730522c43bfa69e5aee5e29b2b18e5b15a080f13 Mon Sep 17 00:00:00 2001 From: Kelvin Smith Date: Sun, 26 Jan 2020 08:28:03 +1300 Subject: [PATCH 1/5] Added allow specifc client relay hosts --- .gitignore | 4 ++++ Dockerfile | 1 + README.md | 31 +++++++++++++++++++++++++++++-- docker-compose.yml | 12 ++++++++++++ s6/postfix/run | 16 +++++++++++++++- update_relayhosts.sh | 4 ++++ 6 files changed, 65 insertions(+), 3 deletions(-) create mode 100644 docker-compose.yml create mode 100755 update_relayhosts.sh diff --git a/.gitignore b/.gitignore index 3835bc0..c71ec57 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,5 @@ dkim.key +.settings +.project +.buildpath +.gitignore.swp diff --git a/Dockerfile b/Dockerfile index 725c2dc..5c5816b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -51,6 +51,7 @@ COPY opendkim.conf.sh /etc/ COPY s6 /etc/s6/ COPY entry.sh / +COPY update_relayhosts.sh /usr/sbin/ ENTRYPOINT ["/entry.sh"] CMD ["/usr/bin/s6-svscan", "/etc/s6"] diff --git a/README.md b/README.md index e1d0511..f24ed33 100644 --- a/README.md +++ b/README.md @@ -4,7 +4,9 @@ Postfix SMTP Relay. Drop-in Docker image for SMTP relaying. Use wherever a connected service requires SMTP sending capabilities. Supports TLS out of the box and DKIM -(if enabled and configured). +(if enabled and configured). Allows specifying which hosts are allowed to relay through mail server. + +NOTE: This is a fork of https://hub.docker.com/r/freinet/postfix-relay respository and added a client relay hosts option. [![Docker Automated build](https://img.shields.io/docker/cloud/automated/freinet/postfix-relay.svg)](https://hub.docker.com/r/freinet/postfix-relay/) [![Docker Build Status](https://img.shields.io/docker/cloud/build/freinet/postfix-relay.svg)](https://hub.docker.com/r/freinet/postfix-relay/builds/) 
@@ -31,6 +33,8 @@ Relay host parameters: - `RELAYHOST` - Postfix `relayhost`. Default ''. (example `mail.example.com:25`) - `RELAYHOST_AUTH` - Enable authentication for relayhost. Generally used with `RELAYHOST_PASSWORDMAP`. Default `no`. - `RELAYHOST_PASSWORDMAP` - relayhost password map in format: `RELAYHOST_PASSWORDMAP=mail1.example.com:user1:pass2,mail2.example.com:user2:pass2` +- `USE_CLIENT_RELAYHOSTS` - Enable client relay restriction. Default `no`. + TLS parameters: @@ -59,11 +63,34 @@ DKIM parameters: `docker run -e MAILNAME=mail.example.com panubo/postfix` -## Volumes +## Volumes andFiles No volumes are defined. If you want persistent spool storage then mount `/var/spool/postfix` outside of the container. +If using `USE_CLIENT_RELAYHOSTS` mount a `relayhosts` file to `/etc/postfix/relayhosts` if you want to maintain a peristent list over restarts. + +## Client Relay Hosts + +If you want to be able to change the hosts that can be allowed through the server during runtime, enable this option. + +During startup, a `/etc/postfix/relayhosts` file is created is not already available and hashed for postfix. + +The relays hosts file is created in this format + +``` +#IP OK +192.168.1.12 OK +``` + +Once the file has been edited, run the `/usr/sbin/update_relayhosts.sh` from the command line with + +``` +docker exec -it container_name /usr/sbin/update_relayhosts.sh +``` + +Change `container_name` to be the name of the container. The `update_relayshosts.sh` is just a shortcut to postmap and then reloads the configuration into postfix. + ## Test email To send a test email via the command line, make sure heirloom-mailx is installed. diff --git a/docker-compose.yml b/docker-compose.yml new file mode 100644 index 0000000..f41fbed --- /dev/null +++ b/docker-compose.yml 
@@ -0,0 +1,12 @@ +version: '3' +services: + postfix: + image: postfix-relay:1 + container_name: postfix + restart: always + environment: + MAILNAME: test.thesmithcave.nz + MYNETWORKS: "127.0.0.1" + TZ: "Pacific/Auckland" + USE_CLIENT_RELAYHOSTS: "yes" + \ No newline at end of file diff --git a/s6/postfix/run b/s6/postfix/run index 1592c80..5621be5 100755 --- a/s6/postfix/run +++ b/s6/postfix/run @@ -1,5 +1,4 @@ #!/usr/bin/env bash - set -e [ "$DEBUG" == 'true' ] && set -x @@ -33,6 +32,21 @@ if [ "${USE_DKIM}" == "yes" ]; then postconf -e non_smtpd_milters="inet:localhost:8891" fi +# Relay Restrictions +: "${USE_RELAY:=no}" + +if [ "${USE_CLIENT_RELAYHOSTS}" == "yes" ]; then + # TODO s6-svwait for dkim + echo "postfix >> Enabling relay hosts file" + sed -i 's/permit_mynetworks permit_sasl_authenticated/permit_mynetworks check_client_access hash:\/etc\/postfix\/relayhosts permit_sasl_authenticated/g' /etc/postfix/main.cf + + #if no relay hosts file, then create it + if [ ! -f /etc/postfix/relayhosts ]; then + touch /etc/postfix/relayhosts + fi + postmap /etc/postfix/relayhosts +fi + # TLS : "${USE_TLS:=yes}" : "${TLS_SECURITY_LEVEL:=may}" diff --git a/update_relayhosts.sh b/update_relayhosts.sh new file mode 100755 index 0000000..0efef0a --- /dev/null +++ b/update_relayhosts.sh @@ -0,0 +1,4 @@ +#!/usr/bin/env bash + +postmap /etc/postfix/relayhosts +postfix reload \ No newline at end of file From b530249738256c3c18347f8e5f16b5efea2ff597 Mon Sep 17 00:00:00 2001 From: Kelvin Smith Date: Sun, 26 Jan 2020 08:30:39 +1300 Subject: [PATCH 2/5] Updated gitignore --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index c71ec57..5cbd105 100644 --- a/.gitignore +++ b/.gitignore @@ -3,3 +3,4 @@ dkim.key .project .buildpath .gitignore.swp +docker-compose.yml From af299123b517465d35dc6eb786aecec1325b749b Mon Sep 17 00:00:00 2001 
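Review bot: The `sed -i` in the new `USE_CLIENT_RELAYHOSTS` block of `s6/postfix/run` only takes effect when `/etc/postfix/main.cf` contains the exact text `permit_mynetworks permit_sasl_authenticated`. When it does not, sed still exits 0, the script logs "Enabling relay hosts file", and the `check_client_access` lookup is never added. A check after the edit would make that visible, for example `grep -q 'check_client_access hash:/etc/postfix/relayhosts' /etc/postfix/main.cf || { echo "postfix >> relayhosts rule not applied" >&2; exit 1; }`. Separately, `: "${USE_RELAY:=no}"` defaults a variable this block never reads; it presumably should be `: "${USE_CLIENT_RELAYHOSTS:=no}"`, in the same form as the `USE_TLS` default just below. Because every `OK` entry in the file is an address-based permit with no authentication, I would also add a comment such as `# relayhosts grants relay by client IP only; keep the file root-owned and not writable by others`.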
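Review bot: `update_relayhosts.sh` runs `postfix reload` even when `postmap` fails, and the script's exit status is then that of the reload. A malformed `/etc/postfix/relayhosts` is therefore reported as success to whoever ran `docker exec`. Either add `set -e` under the shebang or chain the two commands: `postmap /etc/postfix/relayhosts && postfix reload`. The same applies to `update_transport.sh` added in PATCH 5/5, and to this script under its new name after PATCH 4/5.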
From: Kelvin Smith Date: Sun, 26 Jan 2020 08:31:48 +1300 Subject: [PATCH 3/5] Remove docker-compose --- docker-compose.yml | 12 ------------ 1 file changed, 12 deletions(-) delete mode 100644 docker-compose.yml diff --git a/docker-compose.yml b/docker-compose.yml deleted file mode 100644 index f41fbed..0000000 --- a/docker-compose.yml +++ /dev/null @@ -1,12 +0,0 @@ -version: '3' -services: - postfix: - image: postfix-relay:1 - container_name: postfix - restart: always - environment: - MAILNAME: test.thesmithcave.nz - MYNETWORKS: "127.0.0.1" - TZ: "Pacific/Auckland" - USE_CLIENT_RELAYHOSTS: "yes" - \ No newline at end of file From 8d1ebf1d9daa697155ba27508b26c4c2e5422df3 Mon Sep 17 00:00:00 2001 From: Kelvin Smith Date: Sun, 26 Jan 2020 08:41:01 +1300 Subject: [PATCH 4/5] Change client hosts update script --- Dockerfile | 2 +- README.md | 11 +++-------- s6/postfix/run | 3 +-- update_relayhosts.sh => update_clientrelayhosts.sh | 0 4 files changed, 5 insertions(+), 11 deletions(-) rename update_relayhosts.sh => update_clientrelayhosts.sh (100%) diff --git a/Dockerfile b/Dockerfile index 5c5816b..bec7a09 100644 --- a/Dockerfile +++ b/Dockerfile @@ -51,7 +51,7 @@ COPY opendkim.conf.sh /etc/ COPY s6 /etc/s6/ COPY entry.sh / -COPY update_relayhosts.sh /usr/sbin/ +COPY update_clientrelayhosts.sh /usr/sbin/ ENTRYPOINT ["/entry.sh"] CMD ["/usr/bin/s6-svscan", "/etc/s6"] diff --git a/README.md b/README.md index f24ed33..7ba53f0 100644 --- a/README.md +++ b/README.md 
@@ -8,11 +8,6 @@ requires SMTP sending capabilities. Supports TLS out of the box and DKIM NOTE: This is a fork of https://hub.docker.com/r/freinet/postfix-relay respository and added a client relay hosts option. -[![Docker Automated build](https://img.shields.io/docker/cloud/automated/freinet/postfix-relay.svg)](https://hub.docker.com/r/freinet/postfix-relay/) -[![Docker Build Status](https://img.shields.io/docker/cloud/build/freinet/postfix-relay.svg)](https://hub.docker.com/r/freinet/postfix-relay/builds/) -[![Docker image size](https://images.microbadger.com/badges/image/freinet/postfix-relay.svg)](https://microbadger.com/images/freinet/postfix-relay) -[![Docker image version](https://images.microbadger.com/badges/version/freinet/postfix-relay.svg)](https://microbadger.com/images/freinet/postfix-relay) - ## Environment Variables - `MAILNAME` - set this to a legitimate FQDN hostname for this service (required). @@ -83,13 +78,13 @@ The relays hosts file is created in this format 192.168.1.12 OK ``` -Once the file has been edited, run the `/usr/sbin/update_relayhosts.sh` from the command line with +Once the file has been edited, run the `/usr/sbin/update_clientrelayhosts.sh` from the command line with ``` -docker exec -it container_name /usr/sbin/update_relayhosts.sh +docker exec -it container_name /usr/sbin/update_clientrelayhosts.sh ``` -Change `container_name` to be the name of the container. The `update_relayshosts.sh` is just a shortcut to postmap and then reloads the configuration into postfix. +Change `container_name` to be the name of the container. The `update_clientrelayhosts.sh` is just a shortcut to postmap and then reloads the configuration into postfix. ## Test email diff --git a/s6/postfix/run b/s6/postfix/run index 5621be5..6eb63b6 100755 --- a/s6/postfix/run +++ b/s6/postfix/run 
@@ -36,8 +36,7 @@ fi : "${USE_RELAY:=no}" if [ "${USE_CLIENT_RELAYHOSTS}" == "yes" ]; then - # TODO s6-svwait for dkim - echo "postfix >> Enabling relay hosts file" + echo "postfix >> Enabling client relay hosts file" sed -i 's/permit_mynetworks permit_sasl_authenticated/permit_mynetworks check_client_access hash:\/etc\/postfix\/relayhosts permit_sasl_authenticated/g' /etc/postfix/main.cf #if no relay hosts file, then create it diff --git a/update_relayhosts.sh b/update_clientrelayhosts.sh similarity index 100% rename from update_relayhosts.sh rename to update_clientrelayhosts.sh From 5835dd549bf0d1d03abcbeaf33586b267d023832 Mon Sep 17 00:00:00 2001 From: Kelvin Smith Date: Fri, 7 Aug 2020 20:40:10 +1200 Subject: [PATCH 5/5] Added Transport and client relay option. Updated to Buster --- Dockerfile | 3 ++- README.md | 8 ++++++++ s6/postfix/run | 18 ++++++++++++++++++ update_transport.sh | 4 ++++ 4 files changed, 32 insertions(+), 1 deletion(-) create mode 100755 update_transport.sh diff --git a/Dockerfile b/Dockerfile index bec7a09..3606df4 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,6 @@ # Postfix SMTP Relay -FROM debian:stretch +FROM debian:buster EXPOSE 25 587 @@ -52,6 +52,7 @@ COPY opendkim.conf.sh /etc/ COPY s6 /etc/s6/ COPY entry.sh / COPY update_clientrelayhosts.sh /usr/sbin/ +COPY update_transport.sh /usr/sbin/ ENTRYPOINT ["/entry.sh"] CMD ["/usr/bin/s6-svscan", "/etc/s6"] diff --git a/README.md b/README.md index 7ba53f0..7a0bfeb 100644 --- a/README.md +++ b/README.md @@ -65,6 +65,8 @@ No volumes are defined. If you want persistent spool storage then mount If using `USE_CLIENT_RELAYHOSTS` mount a `relayhosts` file to `/etc/postfix/relayhosts` if you want to maintain a peristent list over restarts. +If using `USE_TRANSPORT_MAPS` mount a `transport` file to `/etc/postfix/transport`. + ## Client Relay Hosts If you want to be able to change the hosts that can be allowed through the server during runtime, enable this option. 
@@ -86,6 +88,12 @@ docker exec -it container_name /usr/sbin/update_clientrelayhosts.sh Change `container_name` to be the name of the container. The `update_clientrelayhosts.sh` is just a shortcut to postmap and then reloads the configuration into postfix. +## Transport Maps +Sometimes you want to direct where email is being sent to. This is achieved by using transport maps. Create a file and map it through to `/etc/postfix/transport` in the image. Use the `USE_TRANSPORT_MAPS="yes"` environment option to enable. + +Once the file has been modified in a running system, run the `update_transport.sh` command to create a hashfile and reload postfix. + + ## Test email To send a test email via the command line, make sure heirloom-mailx is installed. diff --git a/s6/postfix/run b/s6/postfix/run index 6eb63b6..c86f1bb 100755 --- a/s6/postfix/run +++ b/s6/postfix/run @@ -43,9 +43,27 @@ if [ "${USE_CLIENT_RELAYHOSTS}" == "yes" ]; then if [ ! -f /etc/postfix/relayhosts ]; then touch /etc/postfix/relayhosts fi + # Set ownership in case passed in + chown root /etc/postfix/relayhosts postmap /etc/postfix/relayhosts fi +# Transport Maps +: "${USE_TRANSPORT_MAPS:=no}" + +if [ "${USE_TRANSPORT_MAPS}" == "yes" ]; then + echo "postfix >> Enabling transport maps file" + postconf -e transport_maps="hash:/etc/postfix/transport" + + #if no transport maps file, then create it + if [ ! -f /etc/postfix/transport ]; then + touch /etc/postfix/transport + fi + # Set ownership in case passed in + chown root /etc/postfix/transport + postmap /etc/postfix/transport +fi + # TLS : "${USE_TLS:=yes}" : "${TLS_SECURITY_LEVEL:=may}" diff --git a/update_transport.sh b/update_transport.sh new file mode 100755 index 0000000..631c2e9 --- /dev/null +++ b/update_transport.sh @@ -0,0 +1,4 @@ +#!/usr/bin/env bash + +postmap /etc/postfix/transport +postfix reload
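Review bot: The `chown root /etc/postfix/relayhosts` and `chown root /etc/postfix/transport` lines added in `s6/postfix/run` change only the owner, so a mounted file that is group- or world-writable stays writable by non-root users. These two files decide which clients may relay and where mail is routed, so set group and mode as well, e.g. `chown root:root /etc/postfix/transport` followed by `chmod 0644 /etc/postfix/transport`, and likewise for `relayhosts`. The comment above each chown should also say that on a bind mount the change is applied to the file on the host. Note too that under the script's `set -e` a read-only mount makes `chown` fail and aborts the run script. The enclosing `USE_CLIENT_RELAYHOSTS` block starts above this hunk.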