first commit

Dockerfile

@@ -0,0 +1,42 @@
+FROM ubuntu:14.04
+MAINTAINER Alex Sanz <[email protected]>
+ENV DEBIAN_FRONTEND noninteractive
+ENV POSTMASTER_USER postmaster
+ENV POSTMASTER_PASS password
+
+ENTRYPOINT ["/start"]
+EXPOSE 25
+
+RUN echo "force-unsafe-io" > /etc/dpkg/dpkg.cfg.d/02apt-speedup && \
+    apt-get update && \
+    apt-get --no-install-recommends -y install postfix sipcalc sasl2-bin libsasl2-modules && \
+    postconf -e 'smtpd_sasl_auth_enable = yes' && \
+    postconf -e 'smtpd_sasl_path = smtpd' && \
+    postconf -e 'smtpd_sasl_local_domain =' && \
+    postconf -e 'smtpd_sasl_authenticated_header = yes' && \
+    rm /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/private/ssl-cert-snakeoil.key && \
+    find /etc/ssl/certs -type l -xtype l -delete && \
+    apt-get clean && \
+    rm -f /etc/dpkg/dpkg.cfg.d/02apt-speedup && \
+    find /var/lib/apt/lists -mindepth 1 -delete -print && \
+    find /tmp /var/tmp -mindepth 2 -delete -print && \
+    rm -f /etc/rsyslog.d/50-default.conf  && \
+    adduser postfix sasl && \
+    adduser --quiet --disabled-password -shell /bin/bash --home /home/$POSTMASTER_USER --gecos "Postmaster" $POSTMASTER_USER && \
+    echo "$POSTMASTER_USER:$POSTMASTER_PASS" | chpasswd
+
+# Inspired by: 
+#    http://uname.pingveno.net/blog/index.php/post/2014/02/01/Configure-Postfix-as-STMP-standalone-single-domain-server-using-Unix-users-and-PAM-on-Debian
+
+ADD start /start 
+ADD rsyslogd.conf /etc/rsyslog.d/stdout.conf
+ADD master.cf /etc/postfix/
+ADD pam.d/ /etc/pam.d/
+ADD saslauthd /etc/default/saslauthd
+ADD smtpd.conf /etc/postfix/sasl/smtpd.conf 
+
+# Test with:  testsaslauthd -u postmaster -p password -f /var/spool/postfix/var/run/saslauthd/mux
+# perl -MMIME::Base64 -e 'print encode_base64("\000postmaster\000password")'  
+# openssl s_client -starttls smtp -crlf -connect localhost:587
+# AUTH PLAIN AHBvc3RtYXN0ZXIAcGFzc3dvcmQ=
+

LICENSE

@@ -0,0 +1,28 @@
+Copyright (c) 2014, Alex Sanz
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+* Redistributions of source code must retain the above copyright notice, this
+  list of conditions and the following disclaimer.
+
+* Redistributions in binary form must reproduce the above copyright notice,
+  this list of conditions and the following disclaimer in the documentation
+  and/or other materials provided with the distribution.
+
+* Neither the name of the {organization} nor the names of its
+  contributors may be used to endorse or promote products derived from
+  this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+

README.md

@@ -0,0 +1,91 @@
+
+postfix mail server with configurable hostname and trusted hosts and proper
+shutdown handling
+
+Notes
+===
+
+By default, connected rfc1918 networks are detected and allowed. Local networks 
+(127.0.0.1, ::1) are also allowed.
+
+Syslog
+===
+
+Rsyslog is started automatically and sends logs to stdout
+
+Suggested Volumes
+===
+
+  * `/var/spool/postfix` is the spool directory. Its also where postfix chroots to by default.
+  * `/etc/postfix` is the configuation directory
+
+Options
+===
+
+You can customize the image behavior using environmental variables or entrypoint
+arguments.
+
+<table>
+    <thead>
+        <th>Enviromental Variable(s)</th>
+        <th>Entrypoint Option</th>
+        <th>Description</th>
+    </thead>
+    <tbody>
+        <tr>
+        	<td>(use <code>--hostname</code>)</td>
+	        <td><code>--mail-name</code></td>
+	        <td>Mail name to use (appears in mail headers). Defaults to hostname</td>
+	    </tr>
+        <tr>
+        	<td>RELAYHOST="[relay hostname]</td>
+	        <td><code>--relayhost []</code></td>
+	        <td>The host to relay mail to.</td>
+	    </tr>
+        <tr>
+        	<td><code>TRUST="local"</code> or <code>TRUST_LOCAL="0"</code></td>
+	        <td><code>--trust-local</code></td>
+	        <td>Trust addresses on the lo interface. Enabled by default</td>
+	    </tr>
+        <tr>
+        	<td><code>TRUST="connected-rfc1918"</code> or <code>TRUST_CONNECTED_RFC="1"</code></td>
+	        <td><code>--trust-connected-rfc1918</code></td>
+	        <td>Trust all locally connected rfc1918 subnets. Enabled by default</td>
+	    </tr>
+        <tr>
+        	<td><code>TRUST="connected"</code> or <code>TRUST_CONNECTED="1"</td>
+	        <td><code>--trust-connected</code></td>
+	        <td>Trust all addresses connected (excluding IPv6 local-link addresses). Disabled by default</td>
+	    </tr>
+        <tr>
+        	<td><code>TRUST="rfc1918"</code> or <code>TRUST_RFC1918="1"</td>
+	        <td><code>--trust-rfc1918</code></td>
+	        <td>Trust all rfc1918 address. Disabled by default</td>
+	    </tr>
+        <tr>
+        	<td><code>TRUST_LLA="1"</code></td>
+	        <td><code>--trust-lla</code></td>
+	        <td>Trust the fe80::/64 IPv6 subnet. Disabled by default</td>
+	    </tr>
+        <tr>
+        	<td><code>TRUST_SUBNETS="[space separated list of subnets]"</code></td>
+	        <td><code>--trust-subnet []</code></td>
+	        <td>Trust the specified subnet (IPv4 and IPv6 supported). Disabled by default</td>
+	    </tr>
+        <tr>
+        	<td><code>TRUST_INTERFACES="[space separated list of interfaces]"</code></td>
+	        <td><code>--trust-interface []</code></td>
+	        <td>Trust all network address on the interface (excluding IPv6 LLA). Disabled by default</td>
+	    </tr>
+        <tr>
+        	<td></td>
+	        <td><code>--skip-trust-</code>*</td>
+	        <td>Use with local, connected-rfc1918, connected, rfc1918, or lla to skip trusting it. Disabled by default</td>
+	    </tr>
+        <tr>
+        	<td></td>
+	        <td><code>--skip-all</code></td>
+	        <td>Disable/reset all trusts. Disabled by default</td>
+	    </tr>
+	</tbody>
+</table>

master.cf

@@ -0,0 +1,128 @@
+#
+# Postfix master process configuration file.  For details on the format
+# of the file, see the master(5) manual page (command: "man 5 master" or
+# on-line: http://www.postfix.org/master.5.html).
+#
+# Do not forget to execute "postfix reload" after editing this file.
+#
+# ==========================================================================
+# service type  private unpriv  chroot  wakeup  maxproc command + args
+#               (yes)   (yes)   (yes)   (never) (100)
+# ==========================================================================
+smtp      inet  n       -       -       -       -       smtpd
+#smtp      inet  n       -       -       -       1       postscreen
+#smtpd     pass  -       -       -       -       -       smtpd
+#dnsblog   unix  -       -       -       -       0       dnsblog
+#tlsproxy  unix  -       -       -       -       0       tlsproxy
+submission inet n       -       -       -       -       smtpd
+  -o syslog_name=postfix/submission
+  -o smtpd_tls_security_level=encrypt
+  -o smtpd_sasl_auth_enable=yes
+  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+  -o milter_macro_daemon_name=ORIGINATING
+#  -o smtpd_reject_unlisted_recipient=no
+#  -o smtpd_client_restrictions=$mua_client_restrictions
+#  -o smtpd_helo_restrictions=$mua_helo_restrictions
+#  -o smtpd_sender_restrictions=$mua_sender_restrictions
+#  -o smtpd_recipient_restrictions=
+
+smtps     inet  n       -       -       -       -       smtpd
+  -o syslog_name=postfix/smtps
+  -o smtpd_tls_wrappermode=yes
+  -o smtpd_sasl_auth_enable=yes
+  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+  -o milter_macro_daemon_name=ORIGINATING
+#  -o smtpd_reject_unlisted_recipient=no
+#  -o smtpd_client_restrictions=$mua_client_restrictions
+#  -o smtpd_helo_restrictions=$mua_helo_restrictions
+#  -o smtpd_sender_restrictions=$mua_sender_restrictions
+#  -o smtpd_recipient_restrictions=
+
+#628       inet  n       -       -       -       -       qmqpd
+pickup    unix  n       -       -       60      1       pickup
+cleanup   unix  n       -       -       -       0       cleanup
+qmgr      unix  n       -       n       300     1       qmgr
+#qmgr     unix  n       -       n       300     1       oqmgr
+tlsmgr    unix  -       -       -       1000?   1       tlsmgr
+rewrite   unix  -       -       -       -       -       trivial-rewrite
+bounce    unix  -       -       -       -       0       bounce
+defer     unix  -       -       -       -       0       bounce
+trace     unix  -       -       -       -       0       bounce
+verify    unix  -       -       -       -       1       verify
+flush     unix  n       -       -       1000?   0       flush
+proxymap  unix  -       -       n       -       -       proxymap
+proxywrite unix -       -       n       -       1       proxymap
+smtp      unix  -       -       -       -       -       smtp
+relay     unix  -       -       -       -       -       smtp
+#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
+showq     unix  n       -       -       -       -       showq
+error     unix  -       -       -       -       -       error
+retry     unix  -       -       -       -       -       error
+discard   unix  -       -       -       -       -       discard
+local     unix  -       n       n       -       -       local
+virtual   unix  -       n       n       -       -       virtual
+lmtp      unix  -       -       -       -       -       lmtp
+anvil     unix  -       -       -       -       1       anvil
+scache    unix  -       -       -       -       1       scache
+#
+# ====================================================================
+# Interfaces to non-Postfix software. Be sure to examine the manual
+# pages of the non-Postfix software to find out what options it wants.
+#
+# Many of the following services use the Postfix pipe(8) delivery
+# agent.  See the pipe(8) man page for information about ${recipient}
+# and other message envelope options.
+# ====================================================================
+#
+# maildrop. See the Postfix MAILDROP_README file for details.
+# Also specify in main.cf: maildrop_destination_recipient_limit=1
+#
+maildrop  unix  -       n       n       -       -       pipe
+  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
+#
+# ====================================================================
+#
+# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
+#
+# Specify in cyrus.conf:
+#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
+#
+# Specify in main.cf one or more of the following:
+#  mailbox_transport = lmtp:inet:localhost
+#  virtual_transport = lmtp:inet:localhost
+#
+# ====================================================================
+#
+# Cyrus 2.1.5 (Amos Gouaux)
+# Also specify in main.cf: cyrus_destination_recipient_limit=1
+#
+#cyrus     unix  -       n       n       -       -       pipe
+#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
+#
+# ====================================================================
+# Old example of delivery via Cyrus.
+#
+#old-cyrus unix  -       n       n       -       -       pipe
+#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
+#
+# ====================================================================
+#
+# See the Postfix UUCP_README file for configuration details.
+#
+uucp      unix  -       n       n       -       -       pipe
+  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
+#
+# Other external delivery methods.
+#
+ifmail    unix  -       n       n       -       -       pipe
+  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
+bsmtp     unix  -       n       n       -       -       pipe
+  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
+scalemail-backend unix  - n n - 2 pipe
+  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
+mailman   unix  -       n       n       -       -       pipe
+  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
+  ${nexthop} ${user}
+
+
+

pam.d/smtp

@@ -0,0 +1,8 @@
+#
+# /etc/pam.d/smtp - specify PAM SMTP behavior
+#
+
+@include common-auth
+@include common-account
+@include common-password
+@include common-session

rsyslogd.conf

@@ -0,0 +1,8 @@
+$PrivDropToUser root 
+$PrivDropToGroup root 
+
+mail.*  {
+    /proc/1/fd/1
+    stop
+}
+

saslauthd

@@ -0,0 +1,62 @@
+#
+# Settings for saslauthd daemon
+# Please read /usr/share/doc/sasl2-bin/README.Debian for details.
+#
+
+# Should saslauthd run automatically on startup? (default: no)
+START=yes
+
+# Description of this saslauthd instance. Recommended.
+# (suggestion: SASL Authentication Daemon)
+DESC="SASL Authentication Daemon"
+
+# Short name of this saslauthd instance. Strongly recommended.
+# (suggestion: saslauthd)
+NAME="saslauthd"
+
+# Which authentication mechanisms should saslauthd use? (default: pam)
+#
+# Available options in this Debian package:
+# getpwent  -- use the getpwent() library function
+# kerberos5 -- use Kerberos 5
+# pam       -- use PAM
+# rimap     -- use a remote IMAP server
+# shadow    -- use the local shadow password file
+# sasldb    -- use the local sasldb database file
+# ldap      -- use LDAP (configuration is in /etc/saslauthd.conf)
+#
+# Only one option may be used at a time. See the saslauthd man page
+# for more information.
+#
+# Example: MECHANISMS="pam"
+MECHANISMS="pam"
+
+# Additional options for this mechanism. (default: none)
+# See the saslauthd man page for information about mech-specific options.
+MECH_OPTIONS=""
+
+# How many saslauthd processes should we run? (default: 5)
+# A value of 0 will fork a new process for each connection.
+THREADS=1
+
+# Other options (default: -c -m /var/run/saslauthd)
+# Note: You MUST specify the -m option or saslauthd won't run!
+#
+# WARNING: DO NOT SPECIFY THE -d OPTION.
+# The -d option will cause saslauthd to run in the foreground instead of as
+# a daemon. This will PREVENT YOUR SYSTEM FROM BOOTING PROPERLY. If you wish
+# to run saslauthd in debug mode, please run it by hand to be safe.
+#
+# See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
+# See the saslauthd man page and the output of 'saslauthd -h' for general
+# information about these options.
+#
+# Example for chroot Postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
+# Example for non-chroot Postfix users: "-c -m /var/run/saslauthd"
+#
+# To know if your Postfix is running chroot, check /etc/postfix/master.cf.
+# If it has the line "smtp inet n - y - - smtpd" or "smtp inet n - - - - smtpd"
+# then your Postfix is running in a chroot.
+# If it has the line "smtp inet n - n - - smtpd" then your Postfix is NOT
+# running in a chroot.
+OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

smtpd.conf

@@ -0,0 +1,2 @@
+pwcheck_method: saslauthd
+mech_list: PLAIN LOGIN