postfix

postfix/Dockerfile

@@ -0,0 +1,28 @@
+FROM alpine:3
+
+RUN apk add --update --no-cache \
+        bash \
+        nano \
+        curl \ 
+        postfix \
+        postfix-ldap \
+        postfix-pcre \
+        postfix-policyd-spf-perl \
+        ca-certificates
+
+RUN update-ca-certificates && \
+    mkdir /cert && \
+    chown 100:101 /cert
+
+COPY --chown=root:root start.sh config /
+
+VOLUME /config
+VOLUME /cert
+VOLUME /var/spool/postfix
+
+EXPOSE 10025/tcp
+EXPOSE 10465/tcp
+
+USER root
+
+CMD ["/start.sh"]

postfix/config/ldap_aliases.cf

@@ -0,0 +1,9 @@
+server_host = ldaps://ldap.balsillie.net:636
+version = 3
+bind = yes
+bind_dn = cn=bind,dc=balsillie,dc=net
+bind_pw = $ldap_bind_pw
+search_base = ou=users,dc=balsillie,dc=net
+scope = sub
+query_filter = (&(objectClass=mailAccount)(mailEnabled=TRUE)(|(mailAlias=%s)(mail=%s)))
+result_attribute = mail

postfix/config/ldap_senders.cf

@@ -0,0 +1,9 @@
+server_host = ldaps://ldap.balsillie.net:636
+version = 3
+bind = yes
+bind_dn = cn=bind,dc=balsillie,dc=net
+bind_pw = $ldap_bind_pw
+search_base = ou=users,dc=balsillie,dc=net
+scope = sub
+query_filter = (&(objectClass=mailAccount)(mailEnabled=TRUE)(|(mailAlias=%s)(mail=%s)))
+result_attribute = mail,uid

postfix/config/main.cf

@@ -0,0 +1,111 @@
+myhostname = smtp.balsillie.net
+mydomain = balsillie.net
+myorigin = $mydomain
+mynetworks = 127.0.0.0/8 10.64.0.0/12 10.96.10.0/24
+mydestination = $myhostname localhost
+
+biff = no
+bounce_queue_lifetime = 1d
+broken_sasl_auth_clients = no
+compatibility_level = 3.6
+
+header_checks = pcre:/config/header_checks.pcre
+
+inet_interfaces = all
+inet_protocols = ipv4
+
+lmtp_tls_loglevel = 1
+lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+lmtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+lmtp_tls_security_level = none
+lmtp_tls_wrappermode = no
+lmtp_use_tls = no
+
+local_recipient_maps =
+local_transport = local:$myhostname
+
+mailbox_size_limit = 51200000
+maillog_file = /dev/stdout
+maximal_queue_lifetime = 1d
+message_size_limit = 51200000
+mime_header_checks = $header_checks
+
+# Milters
+milter_protocol = 6
+milter_default_action = accept
+dkim_milter = inet:127.0.0.1:8891
+# dmarc_milter = inet:localhost:8893
+# smtpd_milters = $dkim_milter,$dmarc_milter
+smtpd_milters = $dkim_milter
+non_smtpd_milters = $dkim_milter
+
+postscreen_access_list =
+postscreen_denylist_action = drop
+postscreen_dnsbl_action = enforce
+postscreen_dnsbl_allowlist_threshold = -1
+postscreen_dnsbl_sites =
+    zen.spamhaus.org=127.0.1.[2..254]*3,
+    ix.dnsbl.manitu.net*3,
+    bl.spamcop.net,
+    b.barracudacentral.org,
+    safe.dnsbl.sorbs.net,
+    swl.spamhaus.org*-10,
+postscreen_dnsbl_threshold = 3
+postscreen_greet_action = ignore
+postscreen_greet_banner =
+postscreen_upstream_proxy_protocol =
+
+# proxy_interfaces = x.x.x.x # Set with postconf during startup
+recipient_delimiter = +
+relay_domains =
+relayhost =
+sender_dependent_relayhost_maps =
+
+smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
+smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
+smtp_tls_note_starttls_offer = yes
+smtp_tls_policy_maps =
+smtp_tls_protocols = !SSLv2, !SSLv3
+smtp_tls_security_level = dane
+
+smtpd_banner = $myhostname ESMTP
+
+# SASL - SMTPS sasl settings specified in master.cf
+
+smtpd_sasl_auth_enable = no
+
+# SMTPD restrictions
+
+smtpd_helo_required = yes
+smtpd_delay_reject = yes
+smtpd_client_restrictions = reject_unknown_client_hostname
+smtpd_helo_restrictions = reject_unknown_helo_hostname, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname
+smtpd_sender_restrictions = reject_non_fqdn_sender, reject_unknown_sender_domain
+smtpd_relay_restrictions = permit_auth_destination, reject_unauth_destination
+smtpd_recipient_restrictions = reject_non_fqdn_recipient, reject_unlisted_recipient
+smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce
+
+# client , reject_rbl_client zen.spamhaus.org, reject_rhsbl_reverse_client dbl.spamhaus.org
+# helo , reject_rhsbl_helo dbl.spamhaus.org
+# sender , reject_rhsbl_sender dbl.spamhaus.org
+
+smtpd_tls_cert_file=/cert/tls.crt
+smtpd_tls_key_file=/cert/tls.key
+smtpd_tls_dh1024_param_file = /cert/dhparams.pem
+smtpd_tls_loglevel = 1
+smtpd_tls_mandatory_ciphers = medium
+smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+smtpd_tls_security_level = encrypt
+
+tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+tls_preempt_cipherlist = no
+tls_ssl_options = NO_COMPRESSION
+
+unverified_recipient_reject_code = 577
+
+virtual_alias_maps = ldap:/config/ldap_users.cf
+virtual_mailbox_base =
+virtual_mailbox_domains = $mydomain
+virtual_mailbox_maps = $virtual_alias_maps
+virtual_transport = lmtp:unix:private/dovecot-lmtp

postfix/config/master.cf

@@ -0,0 +1,63 @@
+# ======================================================================================
+# service   type        private   unpriv    chroot    wakeup    maxproc   command + args
+# ======================================================================================
+
+# Inputs
+10025       inet        n         -         n         -         1         postscreen
+10465       inet        n         -         n         -         1         smtpd
+    -o smtpd_tls_wrappermode=yes
+    -o smtpd_sasl_auth_enable=yes
+    -o smtpd_sasl_authenticated_header=yes
+    -o smtpd_sasl_local_domain=$mydomain
+    -o smtpd_sasl_type=dovecot
+    -o smtpd_sasl_path=inet:127.0.0.1:12345
+    -o smtpd_sasl_security_options=noanonymous,noplaintext
+    -o smtpd_sasl_tls_security_options=noanonymous
+    -o smtpd_sender_login_maps=ldap:/config/ldap_senders.cf
+    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+    -o smtpd_helo_restrictions=
+    -o smtpd_sender_restrictions=reject_non_fqdn_sender,reject_sender_login_mismatch
+    -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+    -o smtpd_recipient_restrictions=reject_non_fqdn_recipient
+    -o smtpd_data_restrictions=
+    -o smtpd_tls_auth_only=yes
+    -o cleanup_service_name=scleanup
+smtpd       pass        -         -         n         -         -         smtpd
+
+# Processing
+qmgr        unix        n         -         n         300       1         qmgr
+bounce      unix        -         -         n         -         0         bounce
+defer       unix        -         -         n         -         0         bounce
+verify      unix        -         -         n         -         1         verify
+pickup      unix        n         -         n         60        1         pickup
+    -o receive_override_options=no_header_body_checks
+
+# Outputs
+error       unix        -         -         n         -         -         error
+retry       unix        -         -         n         -         -         error
+discard     unix        -         -         n         -         -         discard
+relay       unix        -         -         n         -         -         smtp
+rewrite     unix        -         -         n         -         -         trivial-rewrite
+local       unix        -         n         n         -         -         local
+lmtp        unix        -         -         n         -         -         lmtp
+smtp        unix        -         -         n         -         -         smtp
+scache      unix        -         -         n         -         1         scache
+
+# Logging
+postlog     unix-dgram  n         -         n         -         1         postlogd
+anvil       unix        -         -         n         -         1         anvil
+
+# Helpers
+dnsblog     unix        -         -         n         -         0         dnsblog
+tlsproxy    unix        -         -         n         -         0         tlsproxy
+trace       unix        -         -         n         -         0         bounce
+tlsmgr      unix        -         -         n         1000?     1         tlsmgr
+showq       unix        n         -         n         -         -         showq
+cleanup     unix        n         -         n         -         0         cleanup
+scleanup    unix        n         -         -         -         0         cleanup
+    -o header_checks=pcre:/config/sender_header_checks.pcre
+
+# Other
+flush       unix        n         -         n         1000?     0         flush
+proxymap    unix        -         -         n         -         -         proxymap
+proxywrite  unix        -         -         n         -         1         proxymap

postfix/config/sender_header_checks.pcre

@@ -0,0 +1,10 @@
+/^\s*Received:.*with ESMTPSA/       IGNORE
+/^\s*Received:.*amavisd-new/        IGNORE
+/^\s*X-Originating-IP:/             IGNORE
+/^\s*X-Mailer:/                     IGNORE
+/^\s*Mime-Version: 1.0.*/           REPLACE Mime-Version: 1.0
+/^\s*User-Agent/                    IGNORE
+/^\s*X-Enigmail/                    IGNORE
+/^\s*X-Mailer/                      IGNORE
+/^\s*X-Originating-IP/              IGNORE
+/^\s*Received: from.*127.0.0.1/     IGNORE

postfix/start.sh

@@ -0,0 +1,26 @@
+#!/bin/sh
+
+# --- 2023 Old ---
+
+# # Add ENV vars to postfix config
+# # postconf -e -c /config myhostname=$HOSTNAME 
+
+# /usr/sbin/postconf compatibility_level=3.6
+
+# # Upgrade postfix config
+# postfix -c /config upgrade-configuration
+
+# # Config check
+# postfix -c /config check
+
+# # Start postfix
+# /usr/sbin/postfix -vvvv -c /config start-fg
+
+# --- 2024-12-18 ---
+
+IP=$(curl https://ipv4.icanhazip.com)
+/usr/sbin/postconf proxy_interfaces="$IP"
+/usr/sbin/postconf ldap_bind_pw="$LDAP_BIND_PW"
+
+# Start postfix
+/usr/sbin/postfix -v -c /config start-fg