Dockerfile to run postfix as a docker container; redis is used for table lookups to reduce the footprint.
This repository has moved to: https://gitlab.com/container-email/postfix-redis
Compiles postfix-redis (and postfix) during container creation for easy development and testing.
It uses inet LMTP with SSL and auth to communicate with dovecot, rather than unix sockets, since both run inside the docker network; this means fewer dependencies.
Postscreen is configured to reduce the load from spammers and bots on the mailserver. IP addresses can bypass postscreen by adding the relevant redis key to the redis container (a separate redis container for rspamd is needed), e.g. to allow local LAN traffic to bypass postscreen:

```sh
redis-cli set PSA:192.168.0.0/24 permit
```

To block an unwanted IP:

```sh
redis-cli set PSA:8.8.8.8 reject
```

To unblock an IP:

```sh
redis-cli del PSA:8.8.8.8
```

To list all redis keys:

```sh
redis-cli keys '*'
```
If postfix receives an email from a mailserver that does not have a reverse DNS entry it is rejected (even LAN traffic); you can allow it with the key:

```sh
redis-cli set REV:192.168.0.8 permit
```
Postfix checks for a valid HELO and rejects an invalid one. To bypass this check, or to block a specific HELO name, use the prefix HLO:

```sh
redis-cli set HLO:REJECTEDMESSAGE permit
redis-cli set HLO:mail.spammer.bulk reject
```
The virtual domain, mailbox and alias tables are configured in main.cf with the following lookup files, each using the redis key prefix shown in the comment:

```
virtual_mailbox_domains = redis:${config_directory}/redis-vdomains.cf       #VDOM
virtual_mailbox_maps    = redis:${config_directory}/redis-vmailbox-maps.cf  #VBOX
virtual_alias_maps      = redis:${config_directory}/redis-valias-maps.cf    #VALI
```
The VDOM prefix is used for the virtual domains to accept email for:

```sh
redis-cli set VDOM:example.com example.com
```
The VBOX prefix/key is optional, see here.
The VALI prefix is used to check that a user exists and to set up aliases. A real mailbox maps to itself; an alias maps to one or more target addresses separated by spaces:

```sh
redis-cli set VALI:user1@example.com user1@example.com
redis-cli set VALI:user2@example.com user2@example.com
redis-cli set VALI:postmaster@example.com user1@example.com
redis-cli set VALI:sales@example.com "user1@example.com user2@example.com"
```
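A misconfigured VALI entry (an alias pointing at an address with no VALI key, an alias loop, or an address whose domain has no VDOM key) only shows up as bounces once mail arrives. The following checker is an added example, not part of the postfix-redis project: it validates a set of VDOM/VALI entries offline, following alias targets recursively the way postfix expands virtual_alias_maps, and renders the redis-cli commands to load them. The sample entries are constructed and include two deliberate mistakes.

```python
"""Validate VDOM:/VALI: entries for postfix-redis before loading them into redis."""
from typing import Dict, List, Set

# Constructed sample mirroring the README, plus an alias chain and two mistakes.
SAMPLE_KEYS: Dict[str, str] = {
    "VDOM:example.com": "example.com",
    "VALI:user1@example.com": "user1@example.com",
    "VALI:user2@example.com": "user2@example.com",
    "VALI:postmaster@example.com": "user1@example.com",
    "VALI:sales@example.com": "user1@example.com user2@example.com",
    "VALI:abuse@example.com": "postmaster@example.com",  # alias -> alias -> mailbox
    "VALI:typo@example.com": "user3@example.com",        # mistake: no VALI:user3
    "VALI:bob@other.org": "bob@other.org",               # mistake: no VDOM:other.org
}


def resolve(addr: str, keys: Dict[str, str], seen: Set[str] = frozenset()) -> Set[str]:
    """Expand an address through VALI: entries until only self-mapped
    (real) mailboxes remain. Raises ValueError on a loop or a dangling target."""
    if addr in seen:
        raise ValueError(f"alias loop via {addr}")
    value = keys.get(f"VALI:{addr}")
    if value is None:
        raise ValueError(f"target {addr} has no VALI: key, mail to it would bounce")
    final: Set[str] = set()
    for target in value.split():
        if target == addr:
            final.add(addr)  # maps to itself: a real mailbox
        else:
            final |= resolve(target, keys, set(seen) | {addr})
    return final


def check_keys(keys: Dict[str, str]) -> List[str]:
    """Return a sorted list of problems; an empty list means the set is consistent."""
    problems = []
    for key in keys:
        if not key.startswith("VALI:"):
            continue
        addr = key[len("VALI:"):]
        domain = addr.rsplit("@", 1)[-1]
        if f"VDOM:{domain}" not in keys:
            problems.append(f"{addr}: missing VDOM:{domain}, postfix would reject the domain")
        try:
            resolve(addr, keys)
        except ValueError as exc:
            problems.append(f"{addr}: {exc}")
    return sorted(problems)


def redis_commands(keys: Dict[str, str]) -> List[str]:
    """Render redis-cli commands, quoting multi-target alias values as the README does."""
    return [f'redis-cli set {k} "{v}"' if " " in v else f"redis-cli set {k} {v}"
            for k, v in keys.items()]
```

Run `check_keys` against your own entries and load with `redis_commands` only when it returns an empty list.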
Using the prefix RECIP, recipient access restrictions can be set up as described here.
The following redis keys are used:

KEY | Description | Example |
---|---|---|
PSA:8.8.8.8 | Bypass postscreen with 'permit' or reject at postscreen with 'reject' | `redis-cli set PSA:192.168.0.0/24 permit` or, to reject, `redis-cli set PSA:8.8.8.8 reject` |
REV:192.168.0.8 | Allow an IP without a reverse DNS entry | `redis-cli set REV:192.168.0.8 permit` |
HLO:REJECTEDMESSAGE | Allow an invalid HELO name, e.g. from software sending email directly, or reject an unwanted one | `redis-cli set HLO:REJECTEDMESSAGE permit` |
VDOM:example.com | Virtual domain to accept email for | `redis-cli set VDOM:example.com example.com` |
VALI:user@example.com | Virtual mailbox alias key, used to check existence and create aliases | `redis-cli set VALI:user@example.com user@example.com` |
VBOX: | Optional key for virtual mailbox maps | See here |
RECIP: | Optional recipient access restriction | See here |
If the STUNNEL environment variable is set, stunnel will be started to pass redis commands over an SSL/TLS tunnel. There needs to be a stunnel server at the other end to receive the connection; this is different from redis's native TLS support. There should also be a file /etc/stunnel/psk.txt containing the pre-shared key, see here.
The path for certificates to be mounted in is /etc/letsencrypt; the actual certificates should then be in the directory live/$LETSENCRYPT. This is usually mounted from a letsencrypt/dnsrobocert container.
Postfix has its own rate limiting for failed emails. For extra security with firewalling, use syslog-ng on the docker host and set the docker logging driver to journald so the logs can be parsed by a service like fail2ban.
Github Repository: https://github.com/a16bitsysop/docker-postfix-redis
NAME | Description | Default |
---|---|---|
REDIS | Name/container name or IP of the redis server | none |
HOSTNAME | FQDN Hostname for postfix to use (myhostname) | none |
LETSENCRYPT | Folder name for ssl certs (/etc/letsencrypt/live/$LETSENCRYPT/cert.pem) | none |
DOMAIN | FQDN domain for myorigin | $myhostname |
RSPAMD | Name/container name or IP of rspamd, for spam detection, dkim signing, etc | none |
DOVECOT | Name/container name or IP of dovecot, for email storage and auth | none |
STUNNEL | Use stunnel to encrypt redis traffic on port 6379 if set | unset |
TIMEZONE | Timezone to use inside the container, eg Europe/London | unset |
To run connected to the container network, exposing ports (accessible from the host network) and using docker-managed volumes, with SSL certificates mounted into /etc/letsencrypt:

```sh
docker container run -p 25:25 -p 587:587 --name postfix --restart=unless-stopped --mount source=postfix-var,target=/var/lib/postfix --mount source=ssl-certs,target=/etc/letsencrypt -d a16bitsysop/postfix-redis
```
Based on the configuration here.