Mail

2024-12-19 22:32:42 -05:00
parent 12e996003e
commit 9803b2f155
27 changed files with 268 additions and 55 deletions
--- a/postfix/Dockerfile
+++ b/postfix/Dockerfile
@ -4,6 +4,7 @@ RUN apk add --update --no-cache \
        bash \
        nano \
        curl \ 
+        bind-tools \
        postfix \
        postfix-ldap \
        postfix-pcre \
@ -12,12 +13,19 @@ RUN apk add --update --no-cache \

 RUN update-ca-certificates && \
    mkdir /cert && \
-    chown 100:101 /cert
+    mkdir /dh && \
+    chown 100:101 /cert && \
+    chown 100:101 /dh

-COPY --chown=root:root start.sh config /
+COPY --chown=root:root start.sh /
+COPY --chown=root:root config/ /config/
+COPY --chown=root:root templates/ /templates/
+
+RUN chown -R 100:101 /var/lib/postfix && \
+    chmod 750 /var/lib/postfix

-VOLUME /config
 VOLUME /cert
+VOLUME /dh
 VOLUME /var/spool/postfix

 EXPOSE 10025/tcp
--- a/postfix/config/master.cf
+++ b/postfix/config/master.cf
@ -10,14 +10,14 @@
    -o smtpd_sasl_authenticated_header=yes
    -o smtpd_sasl_local_domain=$mydomain
    -o smtpd_sasl_type=dovecot
-    -o smtpd_sasl_path=inet:127.0.0.1:12345
+    -o smtpd_sasl_path=unix:/socket/sasl
    -o smtpd_sasl_security_options=noanonymous,noplaintext
    -o smtpd_sasl_tls_security_options=noanonymous
    -o smtpd_sender_login_maps=ldap:/config/ldap_senders.cf
-    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+    -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
    -o smtpd_helo_restrictions=
-    -o smtpd_sender_restrictions=reject_non_fqdn_sender,reject_sender_login_mismatch
-    -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+    -o smtpd_sender_restrictions=reject_non_fqdn_sender,reject_authenticated_sender_login_mismatch,reject_unauthenticated_sender_login_mismatch
+    -o smtpd_relay_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
    -o smtpd_recipient_restrictions=reject_non_fqdn_recipient
    -o smtpd_data_restrictions=
    -o smtpd_tls_auth_only=yes
@ -31,6 +31,9 @@ defer       unix        -         -         n         -         0         bounce
 verify      unix        -         -         n         -         1         verify
 pickup      unix        n         -         n         60        1         pickup
    -o receive_override_options=no_header_body_checks
+# Inbound SPF checks
+spf         unix        -         n         n         -         0         spawn
+    user=policyd-spf argv=/usr/bin/policyd-spf

 # Outputs
 error       unix        -         -         n         -         -         error
--- a/postfix/start.sh
+++ b/postfix/start.sh
@ -18,9 +18,17 @@

 # --- 2024-12-18 ---

-IP=$(curl https://ipv4.icanhazip.com)
-/usr/sbin/postconf proxy_interfaces="$IP"
-/usr/sbin/postconf ldap_bind_pw="$LDAP_BIND_PW"
-
-# Start postfix
+PUBLIC_IP=$(curl https://ipv4.icanhazip.com)
+echo "Public IP: $PUBLIC_IP"
+echo "Hostname: $POSTFIX_HOST"
+echo "Domain: $POSTFIX_DOMAIN"
+echo "Templating files..."
+eval "echo \"$(cat /templates/ldap_aliases.cf.tmpl)\"" > /config/ldap_aliases.cf
+eval "echo \"$(cat /templates/ldap_senders.cf.tmpl)\"" > /config/ldap_senders.cf
+eval "echo \"$(cat /templates/main.cf.tmpl)\"" > /config/main.cf
+echo "Copying resolv.conf into /var/spool/postfix"
+mkdir -p /var/spool/postfix/etc
+chmod o+rx /var/spool/postfix/etc
+cp /etc/resolv.conf /var/spool/postfix/etc/resolv.conf
+echo "Starting Postfix..."
 /usr/sbin/postfix -v -c /config start-fg
--- a/postfix/templates/ldap_aliases.cf.tmpl
+++ b/postfix/templates/ldap_aliases.cf.tmpl
@ -1,8 +1,9 @@
-server_host = ldaps://ldap.balsillie.net:636
+start_tls = no
+server_host = ${LDAP_SCHEME}://${LDAP_HOST}:${LDAP_PORT}
 version = 3
 bind = yes
 bind_dn = cn=bind,dc=balsillie,dc=net
-bind_pw = $ldap_bind_pw
+bind_pw = ${LDAP_BIND_PW}
 search_base = ou=users,dc=balsillie,dc=net
 scope = sub
 query_filter = (&(objectClass=mailAccount)(mailEnabled=TRUE)(|(mailAlias=%s)(mail=%s)))
--- a/postfix/templates/ldap_senders.cf.tmpl
+++ b/postfix/templates/ldap_senders.cf.tmpl
@ -1,8 +1,9 @@
-server_host = ldaps://ldap.balsillie.net:636
+start_tls = no
+server_host = ${LDAP_SCHEME}://${LDAP_HOST}:${LDAP_PORT}
 version = 3
 bind = yes
 bind_dn = cn=bind,dc=balsillie,dc=net
-bind_pw = $ldap_bind_pw
+bind_pw = ${LDAP_BIND_PW}
 search_base = ou=users,dc=balsillie,dc=net
 scope = sub
 query_filter = (&(objectClass=mailAccount)(mailEnabled=TRUE)(|(mailAlias=%s)(mail=%s)))
--- a/postfix/templates/main.cf.tmpl
+++ b/postfix/templates/main.cf.tmpl
@ -1,8 +1,8 @@
-myhostname = smtp.balsillie.net
-mydomain = balsillie.net
-myorigin = $mydomain
-mynetworks = 127.0.0.0/8 10.64.0.0/12 10.96.10.0/24
-mydestination = $myhostname localhost
+myhostname = ${POSTFIX_HOST}
+mydomain = ${POSTFIX_DOMAIN}
+myorigin = ${POSTFIX_DOMAIN}
+mynetworks = 127.0.0.0/8 10.64.0.0/12 10.96.10.10/32 10.96.10.254/32
+mydestination = ${POSTFIX_HOST} localhost

 biff = no
 bounce_queue_lifetime = 1d
@ -14,30 +14,28 @@ header_checks = pcre:/config/header_checks.pcre
 inet_interfaces = all
 inet_protocols = ipv4

-lmtp_tls_loglevel = 1
-lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
-lmtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
-lmtp_tls_security_level = none
-lmtp_tls_wrappermode = no
-lmtp_use_tls = no
+# Not needed, lmtp uses unix socket
+# lmtp_tls_loglevel = 1
+# lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+# lmtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+# lmtp_tls_security_level = none
+# lmtp_tls_wrappermode = no
+# lmtp_use_tls = no

 local_recipient_maps =
-local_transport = local:$myhostname
+local_transport = local:${POSTFIX_HOST}

 mailbox_size_limit = 51200000
 maillog_file = /dev/stdout
 maximal_queue_lifetime = 1d
 message_size_limit = 51200000
-mime_header_checks = $header_checks
+mime_header_checks = pcre:/config/header_checks.pcre

 # Milters
 milter_protocol = 6
 milter_default_action = accept
-dkim_milter = inet:127.0.0.1:8891
-# dmarc_milter = inet:localhost:8893
-# smtpd_milters = $dkim_milter,$dmarc_milter
-smtpd_milters = $dkim_milter
-non_smtpd_milters = $dkim_milter
+smtpd_milters = unix:/socket/dkim
+non_smtpd_milters = unix:/socket/dkim

 postscreen_access_list =
 postscreen_denylist_action = drop
@ -68,22 +66,40 @@ smtp_tls_policy_maps =
 smtp_tls_protocols = !SSLv2, !SSLv3
 smtp_tls_security_level = dane

-smtpd_banner = $myhostname ESMTP
+smtpd_banner = ${POSTFIX_HOST} ESMTP

 # SASL - SMTPS sasl settings specified in master.cf

 smtpd_sasl_auth_enable = no

+# SPF
+
+policyd-spf_time_limit = 3600
+
 # SMTPD restrictions

 smtpd_helo_required = yes
 smtpd_delay_reject = yes
-smtpd_client_restrictions = reject_unknown_client_hostname
-smtpd_helo_restrictions = reject_unknown_helo_hostname, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname
-smtpd_sender_restrictions = reject_non_fqdn_sender, reject_unknown_sender_domain
-smtpd_relay_restrictions = permit_auth_destination, reject_unauth_destination
-smtpd_recipient_restrictions = reject_non_fqdn_recipient, reject_unlisted_recipient
-smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce
+smtpd_client_restrictions = 
+    reject_unknown_reverse_client_hostname
+smtpd_helo_restrictions = 
+    reject_unknown_helo_hostname, 
+    reject_non_fqdn_helo_hostname, 
+    reject_invalid_helo_hostname
+smtpd_sender_restrictions = 
+    reject_non_fqdn_sender, 
+    reject_unknown_sender_domain
+smtpd_relay_before_recipient_restrictions = yes
+smtpd_relay_restrictions = 
+    permit_auth_destination,
+    reject_unauth_destination,
+    check_policy_service unix:private/spf
+smtpd_recipient_restrictions = 
+    reject_non_fqdn_recipient, 
+    reject_unlisted_recipient
+smtpd_data_restrictions = 
+    reject_unauth_pipelining, 
+    reject_multi_recipient_bounce

 # client , reject_rbl_client zen.spamhaus.org, reject_rhsbl_reverse_client dbl.spamhaus.org
 # helo , reject_rhsbl_helo dbl.spamhaus.org
@ -91,7 +107,7 @@ smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounc

 smtpd_tls_cert_file=/cert/tls.crt
 smtpd_tls_key_file=/cert/tls.key
-smtpd_tls_dh1024_param_file = /cert/dhparams.pem
+smtpd_tls_dh1024_param_file = /dh/dhparams.pem
 smtpd_tls_loglevel = 1
 smtpd_tls_mandatory_ciphers = medium
 smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
@ -104,8 +120,16 @@ tls_ssl_options = NO_COMPRESSION

 unverified_recipient_reject_code = 577

-virtual_alias_maps = ldap:/config/ldap_users.cf
+virtual_alias_maps = ldap:/config/ldap_aliases.cf
 virtual_mailbox_base =
-virtual_mailbox_domains = $mydomain
-virtual_mailbox_maps = $virtual_alias_maps
-virtual_transport = lmtp:unix:private/dovecot-lmtp
+virtual_mailbox_domains = ${POSTFIX_DOMAIN}
+virtual_mailbox_maps = ldap:/config/ldap_aliases.cf
+virtual_transport = lmtp:unix:/socket/lmtp
+
+# External IP templated at container start
+proxy_interfaces=${PUBLIC_IP}
+
+disable_dns_lookups = no
+smtp_dns_support_level = enabled
+smtp_host_lookup = dns
+smtpd_peername_lookup = yes