Docker image for postfix with redis support

Primary language: C. License: GNU General Public License v3.0 (GPL-3.0).

docker-postfix-redis

Dockerfile to run postfix as a docker container; redis is used for table lookups to reduce the footprint.

This repository has moved to: https://gitlab.com/container-email/postfix-redis

Compiles postfix-redis (and postfix) during container creation for easy development and testing.

It uses LMTP over inet (with SSL and auth) to communicate with dovecot instead of unix sockets, since both run inside the docker network, so there are fewer dependencies.

Postscreen

Postscreen is configured to reduce the load of spammers and bots on the mailserver. IP addresses can bypass postscreen by adding the relevant redis key to the redis container (a separate redis container for rspamd is needed), e.g. to allow local LAN traffic to bypass postscreen: redis-cli set PSA:192.168.0.0/24 permit

To block an unwanted IP: redis-cli set PSA:8.8.8.8 reject

To unblock an IP: redis-cli del PSA:8.8.8.8

To list all redis keys: redis-cli keys \*

Mailserver Reverse DNS

If postfix receives an email from a mailserver that does not have a reverse DNS entry, it is rejected (even LAN traffic). You can allow it with the key: redis-cli set REV:192.168.0.8 permit

Helo hostname

Postfix checks for a valid Helo; an invalid one is rejected. To bypass this check, or to block a particular "Helo", use the prefix HLO:

redis-cli set HLO:REJECTEDMESSAGE permit
redis-cli set HLO:mail.spammer.bulk reject

Virtual Mailboxes

These are configured with the following prefixes/keys:

virtual_mailbox_domains = redis:${config_directory}/redis-vdomains.cf   #VDOM
virtual_mailbox_maps = redis:${config_directory}/redis-vmailbox-maps.cf #VBOX
virtual_alias_maps = redis:${config_directory}/redis-valias-maps.cf     #VALI

The VDOM prefix is used for virtual domains to accept email for: redis-cli set VDOM:example.com example.com

The VBOX prefix/key is optional; see here.

The VALI prefix is used to check that a user exists, and to set up aliases (a value with several space-separated addresses delivers to all of them):

redis-cli set VALI:user1@example.com user1@example.com
redis-cli set VALI:user2@example.com user2@example.com
redis-cli set VALI:postmaster@example.com user1@example.com
redis-cli set VALI:sales@example.com "user1@example.com user2@example.com"

Recipient access

Using the prefix RECIP, recipient restrictions can be set up as described here.

Redis Keys

The following redis keys are used:

| Key | Description | Example |
|---|---|---|
| PSA:8.8.8.8 | Bypass postscreen with 'permit' or reject at postscreen with 'reject' | redis-cli set PSA:192.168.0.0/24 permit, or to reject: redis-cli set PSA:8.8.8.8 reject |
| REV:192.168.0.8 | Allow an IP without a reverse DNS entry | redis-cli set REV:192.168.0.8 permit |
| HLO:REJECTEDMESSAGE | Allow an invalid "Helo" message, e.g. from software sending email directly, or reject an unwanted one | redis-cli set HLO:REJECTEDMESSAGE permit |
| VDOM:example.com | Virtual domain to accept email for | redis-cli set VDOM:example.com example.com |
| VALI:user@example.com | Virtual mailbox alias key, used to check existence and create aliases | redis-cli set VALI:user@example.com user@example.com |
| VBOX: | Optional key for virtual mailbox maps | See here |
| RECIP: | Optional recipient access restriction | See here |
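As an added example (not code from this repository), the following Python script lints a table of prefixed keys against the scheme above before they are loaded with redis-cli, and expands a recipient through VALI aliases the way virtual_alias_maps would. The key/value data is constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of this README's key scheme (PSA, REV, HLO, VDOM, VALI); not project data.
SAMPLE_KEYS = {
    "PSA:192.168.0.0/24": "permit",
    "PSA:8.8.8.8": "reject",
    "REV:192.168.0.8": "permit",
    "HLO:mail.spammer.bulk": "reject",
    "VDOM:example.com": "example.com",
    "VALI:user1@example.com": "user1@example.com",
    "VALI:user2@example.com": "user2@example.com",
    "VALI:postmaster@example.com": "user1@example.com",
    "VALI:sales@example.com": "user1@example.com user2@example.com",
}
ADDR_RE = re.compile(r"^[^@\s]+@[^@\s]+$")


def validate(keys):
    """Lint a key/value table against the README's scheme; return a list of problems."""
    problems = []
    local_domains = {k.split(":", 1)[1] for k in keys if k.startswith("VDOM:")}
    for key, value in keys.items():
        prefix, _, name = key.partition(":")
        if prefix in ("PSA", "REV", "HLO") and value not in ("permit", "reject"):
            problems.append(f"{key}: value must be permit or reject")
        if prefix in ("PSA", "REV"):  # access keys are an IP or a CIDR range
            try:
                ipaddress.ip_network(name, strict=False)
            except ValueError:
                problems.append(f"{key}: not an IP address or CIDR range")
        elif prefix == "VDOM":
            if value != name:
                problems.append(f"{key}: value should repeat the domain name")
        elif prefix == "VALI":
            if not ADDR_RE.match(name):
                problems.append(f"{key}: alias key is not an address")
            for target in value.split():  # multi-target aliases are space separated
                if target.rpartition("@")[2] in local_domains and f"VALI:{target}" not in keys:
                    problems.append(f"{key}: local target {target} has no VALI entry")
        elif prefix != "HLO":
            problems.append(f"{key}: unknown prefix {prefix!r}")
    return problems


def expand_alias(keys, address, depth=10):
    """Expand a recipient through VALI keys the way virtual_alias_maps would."""
    targets = keys.get(f"VALI:{address}", address).split()
    if depth == 0 or targets == [address]:
        return targets  # final mailbox, or the loop guard tripped
    return [m for t in targets for m in expand_alias(keys, t, depth - 1)]
```

An address with no VALI key expands to itself, so callers can treat "VALI:<address>" being absent as the user not existing, as the README describes.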

Stunnel

If the STUNNEL environment variable is set, stunnel is started to pass redis commands over an SSL/TLS tunnel. There needs to be a stunnel server at the other end to receive the connection; this is different from redis's native SSL support. There should also be a file /etc/stunnel/psk.txt containing the pre-shared key, see here.

SSL Certificates

The path for certificates to be mounted in is /etc/letsencrypt; the actual certificates should then be in the directory live/$LETSENCRYPT. This is usually mounted from a letsencrypt/dnsrobocert container.

Security

Postfix has its own rate limiting for failed emails. For extra protection with firewalling, run syslog-ng on the docker host and set the docker logging driver to journald so the logs can be parsed by a service like fail2ban.

Github

Github Repository: https://github.com/a16bitsysop/docker-postfix-redis

Environment Variables

| Name | Description | Default |
|---|---|---|
| REDIS | Name/container name or IP of the redis server | none |
| HOSTNAME | FQDN hostname for postfix to use (myhostname) | none |
| LETSENCRYPT | Folder name for SSL certs (/etc/letsencrypt/live/$LETSENCRYPT/cert.pem) | none |
| DOMAIN | FQDN domain for myorigin | $myhostname |
| RSPAMD | Name/container name or IP of rspamd, for spam detection, DKIM signing, etc. | none |
| DOVECOT | Name/container name or IP of dovecot, for email storage and auth | none |
| STUNNEL | Use stunnel to encrypt redis traffic on port 6379 if set | unset |
| TIMEZONE | Timezone to use inside the container, e.g. Europe/London | unset |

Examples

To run connected to the container network, exposing ports (accessible from the host network) and using docker-managed volumes, with SSL certificates mounted into /etc/letsencrypt:

#docker container run -p 25:25 -p 587:587 --name postfix --restart=unless-stopped --mount source=postfix-var,target=/var/lib/postfix --mount source=ssl-certs,target=/etc/letsencrypt -d a16bitsysop/postfix-redis

Sources

Based on configuration here