Mail

dovecot/Dockerfile

@@ -0,0 +1,17 @@
+FROM dovecot/dovecot:latest
+
+COPY --chown=mail:mail start.sh /
+COPY --chown=mail:mail templates/ /templates/
+COPY config/ /config/
+
+RUN mkdir /run/dovecot /cert /dh && \
+    chown mail:mail /config /cert /dh /run/dovecot
+
+VOLUME /cert
+VOLUME /dh
+
+EXPOSE 10993/tcp
+
+USER mail
+
+CMD ["/start.sh"]

dovecot/config/dovecot.conf

@@ -0,0 +1,127 @@
+auth_mechanisms = plain login
+disable_plaintext_auth = no
+info_log_path = /dev/stdout
+log_path = /dev/stderr
+
+## Mailbox location
+
+## UID/GID 1000 = 'vmail' in dovecot container image
+## UID/GID 8 = 'mail' in dovecot container image
+
+default_internal_user = mail
+default_login_user = mail
+default_internal_group = mail
+
+mail_uid = 8
+mail_gid = 8
+first_valid_uid = 8
+last_valid_uid = 8
+first_valid_gid = 8
+last_valid_gid = 8
+mail_privileged_group = mail
+
+## Inbox
+
+namespace inbox {
+    inbox = yes
+    location =
+    mailbox Drafts {
+    auto = subscribe
+    special_use = \Drafts
+    }
+    mailbox Sent {
+    auto = subscribe
+    special_use = \Sent
+    }
+    mailbox Spam {
+    auto = subscribe
+    special_use = \Junk
+    }
+    mailbox Trash {
+    auto = subscribe
+    special_use = \Trash
+    }
+    prefix =
+}
+
+## Services
+
+## UID/GID 100 (postfix) = '_apt' in dovecot container image
+## UID/GID 101 (postfix) = 'ssl-cert' in dovecot container image
+## For service unix sockets, Dovecot is too retarded to interpret raw UID/GID integers
+## So we must reference these users by their local names.
+
+protocols = imap lmtp
+service auth {
+    chroot = 
+    unix_listener /socket/sasl {
+    mode = 0666
+    }
+    vsz_limit = 2 G
+}
+service imap-login {
+    chroot = 
+    inet_listener imap {
+    port = 0
+    }
+    inet_listener imaps {
+    address = *
+    port = 10993
+    ssl = yes
+    }
+}
+service lmtp {
+    chroot = 
+    unix_listener /socket/lmtp {
+    mode = 0666
+    }
+}
+service stats {
+    chroot = 
+    inet_listener http {
+    address = *
+    port = 9090
+    }
+}
+service anvil {
+    chroot = 
+}
+
+## TLS
+
+ssl = required
+verbose_ssl = no
+ssl_cipher_list = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
+ssl_prefer_server_ciphers = yes
+
+## Authentication
+
+passdb {
+    driver = ldap
+    args = /config/dovecot-ldap-pass.conf.ext
+}
+
+## Users
+
+userdb {
+    driver = ldap
+    args = /config/dovecot-ldap-users.conf.ext
+}
+
+mail_home = /mail/%n/home
+mail_location = sdbox:/mail/%n/mailbox:LAYOUT=fs
+
+verbose_proctitle = yes
+
+## Protocols
+
+protocol imap {
+    imap_idle_notify_interval = 5 mins
+    mail_max_userip_connections = 20
+    ssl_cert = </cert/tls.crt
+    ssl_key = </cert/tls.key
+    ssl_dh = </dh/dhparams.pem
+}
+protocol lmtp {
+    postmaster_address = postmaster@balsillie.net
+}

dovecot/start.sh

@@ -0,0 +1,11 @@
+#!/bin/sh
+
+# Template out LDAP config
+eval "echo \"$(cat /templates/dovecot-ldap.conf.ext.tmpl)\"" > /config/dovecot-ldap.conf.ext
+
+# Symlink the config
+ln -s /config/dovecot-ldap.conf.ext /config/dovecot-ldap-users.conf.ext
+ln -s /config/dovecot-ldap.conf.ext /config/dovecot-ldap-pass.conf.ext
+
+# Start Dovecot
+/usr/sbin/dovecot -c /config/dovecot.conf -F

dovecot/templates/dovecot-ldap.conf.ext.tmpl

@@ -0,0 +1,12 @@
+uris = ldaps://ldap.balsillie.net:636
+ldap_version = 3
+base = ou=users,dc=balsillie,dc=net
+scope = subtree
+dn = cn=bind,dc=balsillie,dc=net
+dnpass = ${LDAP_BIND_PW}
+auth_bind = yes
+debug_level = 0
+pass_filter = (&(objectClass=mailAccount)(mailEnabled=TRUE)(uid=%n))
+user_filter = (&(objectClass=mailAccount)(mailEnabled=TRUE)(uid=%n))
+pass_attrs = uid=user
+user_attrs = uid=user

nginx/content/.well-known/matrix/client

@@ -5,9 +5,6 @@
   "m.identity_server": {
     "base_url": "https://vector.im"
   },
-  "org.matrix.msc3575.proxy": {
-    "url": "https://matrix-sync.balsillie.net"
-  },
   "org.matrix.msc2965.authentication": {
     "issuer": "https://matrix-auth.balsillie.net/",
     "account": "https://matrix-auth.balsillie.net/account"

nginx/content/mail/config-v1.1.xml

@@ -8,14 +8,14 @@
       <hostname>imap.balsillie.net</hostname>
       <port>993</port>
       <socketType>SSL</socketType>
-      <authentication>password-encrypted</authentication>
+      <authentication>password-cleartext</authentication>
       <username>%EMAILLOCALPART%</username>
     </incomingServer>
     <outgoingServer type="smtp">
       <hostname>smtp.balsillie.net</hostname>
       <port>465</port>
       <socketType>SSL</socketType>
-      <authentication>password-encrypted</authentication>
+      <authentication>password-cleartext</authentication>
       <username>%EMAILLOCALPART%</username>
       <addThisServer>true</addThisServer>
       <useGlobalPreferredServer>true</useGlobalPreferredServer>

postfix/Dockerfile

@@ -4,6 +4,7 @@ RUN apk add --update --no-cache \
         bash \
         nano \
         curl \ 
+        bind-tools \
         postfix \
         postfix-ldap \
         postfix-pcre \
@@ -12,12 +13,19 @@ RUN apk add --update --no-cache \
 
 RUN update-ca-certificates && \
     mkdir /cert && \
-    chown 100:101 /cert
+    mkdir /dh && \
+    chown 100:101 /cert && \
+    chown 100:101 /dh
 
-COPY --chown=root:root start.sh config /
+COPY --chown=root:root start.sh /
+COPY --chown=root:root config/ /config/
+COPY --chown=root:root templates/ /templates/
+
+RUN chown -R 100:101 /var/lib/postfix && \
+    chmod 750 /var/lib/postfix
 
-VOLUME /config
 VOLUME /cert
+VOLUME /dh
 VOLUME /var/spool/postfix
 
 EXPOSE 10025/tcp

postfix/config/master.cf

@@ -10,14 +10,14 @@
     -o smtpd_sasl_authenticated_header=yes
     -o smtpd_sasl_local_domain=$mydomain
     -o smtpd_sasl_type=dovecot
-    -o smtpd_sasl_path=inet:127.0.0.1:12345
+    -o smtpd_sasl_path=unix:/socket/sasl
     -o smtpd_sasl_security_options=noanonymous,noplaintext
     -o smtpd_sasl_tls_security_options=noanonymous
     -o smtpd_sender_login_maps=ldap:/config/ldap_senders.cf
-    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+    -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
     -o smtpd_helo_restrictions=
-    -o smtpd_sender_restrictions=reject_non_fqdn_sender,reject_sender_login_mismatch
-    -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+    -o smtpd_sender_restrictions=reject_non_fqdn_sender,reject_authenticated_sender_login_mismatch,reject_unauthenticated_sender_login_mismatch
+    -o smtpd_relay_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
     -o smtpd_recipient_restrictions=reject_non_fqdn_recipient
     -o smtpd_data_restrictions=
     -o smtpd_tls_auth_only=yes
@@ -31,6 +31,9 @@ defer       unix        -         -         n         -         0         bounce
 verify      unix        -         -         n         -         1         verify
 pickup      unix        n         -         n         60        1         pickup
     -o receive_override_options=no_header_body_checks
+# Inbound SPF checks
+spf         unix        -         n         n         -         0         spawn
+    user=policyd-spf argv=/usr/bin/policyd-spf
 
 # Outputs
 error       unix        -         -         n         -         -         error

postfix/start.sh

@@ -18,9 +18,17 @@
 
 # --- 2024-12-18 ---
 
-IP=$(curl https://ipv4.icanhazip.com)
-/usr/sbin/postconf proxy_interfaces="$IP"
-/usr/sbin/postconf ldap_bind_pw="$LDAP_BIND_PW"
-
-# Start postfix
+PUBLIC_IP=$(curl https://ipv4.icanhazip.com)
+echo "Public IP: $PUBLIC_IP"
+echo "Hostname: $POSTFIX_HOST"
+echo "Domain: $POSTFIX_DOMAIN"
+echo "Templating files..."
+eval "echo \"$(cat /templates/ldap_aliases.cf.tmpl)\"" > /config/ldap_aliases.cf
+eval "echo \"$(cat /templates/ldap_senders.cf.tmpl)\"" > /config/ldap_senders.cf
+eval "echo \"$(cat /templates/main.cf.tmpl)\"" > /config/main.cf
+echo "Copying resolv.conf into /var/spool/postfix"
+mkdir -p /var/spool/postfix/etc
+chmod o+rx /var/spool/postfix/etc
+cp /etc/resolv.conf /var/spool/postfix/etc/resolv.conf
+echo "Starting Postfix..."
 /usr/sbin/postfix -v -c /config start-fg

postfix/templates/ldap_aliases.cf.tmpl

@@ -1,8 +1,9 @@
-server_host = ldaps://ldap.balsillie.net:636
+start_tls = no
+server_host = ${LDAP_SCHEME}://${LDAP_HOST}:${LDAP_PORT}
 version = 3
 bind = yes
 bind_dn = cn=bind,dc=balsillie,dc=net
-bind_pw = $ldap_bind_pw
+bind_pw = ${LDAP_BIND_PW}
 search_base = ou=users,dc=balsillie,dc=net
 scope = sub
 query_filter = (&(objectClass=mailAccount)(mailEnabled=TRUE)(|(mailAlias=%s)(mail=%s)))

postfix/templates/ldap_senders.cf.tmpl

@@ -1,8 +1,9 @@
-server_host = ldaps://ldap.balsillie.net:636
+start_tls = no
+server_host = ${LDAP_SCHEME}://${LDAP_HOST}:${LDAP_PORT}
 version = 3
 bind = yes
 bind_dn = cn=bind,dc=balsillie,dc=net
-bind_pw = $ldap_bind_pw
+bind_pw = ${LDAP_BIND_PW}
 search_base = ou=users,dc=balsillie,dc=net
 scope = sub
 query_filter = (&(objectClass=mailAccount)(mailEnabled=TRUE)(|(mailAlias=%s)(mail=%s)))

postfix/templates/main.cf.tmpl

@@ -1,8 +1,8 @@
-myhostname = smtp.balsillie.net
-mydomain = balsillie.net
-myorigin = $mydomain
-mynetworks = 127.0.0.0/8 10.64.0.0/12 10.96.10.0/24
-mydestination = $myhostname localhost
+myhostname = ${POSTFIX_HOST}
+mydomain = ${POSTFIX_DOMAIN}
+myorigin = ${POSTFIX_DOMAIN}
+mynetworks = 127.0.0.0/8 10.64.0.0/12 10.96.10.10/32 10.96.10.254/32
+mydestination = ${POSTFIX_HOST} localhost
 
 biff = no
 bounce_queue_lifetime = 1d
@@ -14,30 +14,28 @@ header_checks = pcre:/config/header_checks.pcre
 inet_interfaces = all
 inet_protocols = ipv4
 
-lmtp_tls_loglevel = 1
-lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
-lmtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
-lmtp_tls_security_level = none
-lmtp_tls_wrappermode = no
-lmtp_use_tls = no
+# Not needed, lmtp uses unix socket
+# lmtp_tls_loglevel = 1
+# lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+# lmtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+# lmtp_tls_security_level = none
+# lmtp_tls_wrappermode = no
+# lmtp_use_tls = no
 
 local_recipient_maps =
-local_transport = local:$myhostname
+local_transport = local:${POSTFIX_HOST}
 
 mailbox_size_limit = 51200000
 maillog_file = /dev/stdout
 maximal_queue_lifetime = 1d
 message_size_limit = 51200000
-mime_header_checks = $header_checks
+mime_header_checks = pcre:/config/header_checks.pcre
 
 # Milters
 milter_protocol = 6
 milter_default_action = accept
-dkim_milter = inet:127.0.0.1:8891
-# dmarc_milter = inet:localhost:8893
-# smtpd_milters = $dkim_milter,$dmarc_milter
-smtpd_milters = $dkim_milter
-non_smtpd_milters = $dkim_milter
+smtpd_milters = unix:/socket/dkim
+non_smtpd_milters = unix:/socket/dkim
 
 postscreen_access_list =
 postscreen_denylist_action = drop
@@ -68,22 +66,40 @@ smtp_tls_policy_maps =
 smtp_tls_protocols = !SSLv2, !SSLv3
 smtp_tls_security_level = dane
 
-smtpd_banner = $myhostname ESMTP
+smtpd_banner = ${POSTFIX_HOST} ESMTP
 
 # SASL - SMTPS sasl settings specified in master.cf
 
 smtpd_sasl_auth_enable = no
 
+# SPF
+
+policyd-spf_time_limit = 3600
+
 # SMTPD restrictions
 
 smtpd_helo_required = yes
 smtpd_delay_reject = yes
-smtpd_client_restrictions = reject_unknown_client_hostname
-smtpd_helo_restrictions = reject_unknown_helo_hostname, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname
-smtpd_sender_restrictions = reject_non_fqdn_sender, reject_unknown_sender_domain
-smtpd_relay_restrictions = permit_auth_destination, reject_unauth_destination
-smtpd_recipient_restrictions = reject_non_fqdn_recipient, reject_unlisted_recipient
-smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce
+smtpd_client_restrictions = 
+    reject_unknown_reverse_client_hostname
+smtpd_helo_restrictions = 
+    reject_unknown_helo_hostname, 
+    reject_non_fqdn_helo_hostname, 
+    reject_invalid_helo_hostname
+smtpd_sender_restrictions = 
+    reject_non_fqdn_sender, 
+    reject_unknown_sender_domain
+smtpd_relay_before_recipient_restrictions = yes
+smtpd_relay_restrictions = 
+    permit_auth_destination,
+    reject_unauth_destination,
+    check_policy_service unix:private/spf
+smtpd_recipient_restrictions = 
+    reject_non_fqdn_recipient, 
+    reject_unlisted_recipient
+smtpd_data_restrictions = 
+    reject_unauth_pipelining, 
+    reject_multi_recipient_bounce
 
 # client , reject_rbl_client zen.spamhaus.org, reject_rhsbl_reverse_client dbl.spamhaus.org
 # helo , reject_rhsbl_helo dbl.spamhaus.org
@@ -91,7 +107,7 @@ smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounc
 
 smtpd_tls_cert_file=/cert/tls.crt
 smtpd_tls_key_file=/cert/tls.key
-smtpd_tls_dh1024_param_file = /cert/dhparams.pem
+smtpd_tls_dh1024_param_file = /dh/dhparams.pem
 smtpd_tls_loglevel = 1
 smtpd_tls_mandatory_ciphers = medium
 smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
@@ -104,8 +120,16 @@ tls_ssl_options = NO_COMPRESSION
 
 unverified_recipient_reject_code = 577
 
-virtual_alias_maps = ldap:/config/ldap_users.cf
+virtual_alias_maps = ldap:/config/ldap_aliases.cf
 virtual_mailbox_base =
-virtual_mailbox_domains = $mydomain
-virtual_mailbox_maps = $virtual_alias_maps
-virtual_transport = lmtp:unix:private/dovecot-lmtp
+virtual_mailbox_domains = ${POSTFIX_DOMAIN}
+virtual_mailbox_maps = ldap:/config/ldap_aliases.cf
+virtual_transport = lmtp:unix:/socket/lmtp
+
+# External IP templated at container start
+proxy_interfaces=${PUBLIC_IP}
+
+disable_dns_lookups = no
+smtp_dns_support_level = enabled
+smtp_host_lookup = dns
+smtpd_peername_lookup = yes

publish.sh

@@ -1,15 +1,19 @@
 #!/bin/sh
 
-REGISTRY=code.balsillie.net
-NAMESPACE=michael/containers
+REGISTRY1=code.balsillie.net
+REGISTRY2=quay.io
+NAMESPACE1=michael/containers
+NAMESPACE2=balsillie
 IMAGE=$1
 
 TAG1=$(date +%Y-%m-%d_%H-%M-%S)
 TAG2=latest
 
 docker buildx build \
-    --tag $REGISTRY/$NAMESPACE/$IMAGE:$TAG1 \
-    --tag $REGISTRY/$NAMESPACE/$IMAGE:$TAG2 \
+    --tag $REGISTRY1/$NAMESPACE1/$IMAGE:$TAG1 \
+    --tag $REGISTRY1/$NAMESPACE1/$IMAGE:$TAG2 \
+    --tag $REGISTRY2/$NAMESPACE2/$IMAGE:$TAG1 \
+    --tag $REGISTRY2/$NAMESPACE2/$IMAGE:$TAG2 \
     --file ./$IMAGE/Dockerfile \
     --push \
     ./$IMAGE