postfix-relay

Postfix SMTP relay docker image. Useful for sending email without using an external SMTP server, or for forward emails for virtual domains.

Default configuration is an open relay that relies on docker networking for protection. So be careful to not expose it publicly.

Usage

docker pull rylorin/postfix-relay or clone and build it yourself. Default postfix is configured not to be an open relay as it has to be exposed publicly on Internet to receive your virtual domains emails.

Postfix variables

Postfix configuration options can be set using POSTFIX_<name> environment variables. See Dockerfile for default configuration. You probably want to set POSTFIX_myhostname (the FQDN used by 220/HELO).

Note that POSTFIX_myhostname will change the postfix option myhostname.

You can modify master.cf using postconf with POSTFIXMASTER_ variables. All double __ symbols will be replaced with /. For example

Postfix master.cf variables

docker run \
	-e POSTFIX_myhostname=smtp.domain.tld \
	--name smtp \
	rylorin/postfix-relay

will produce

postconf -Me submission/inet="submission inet n - y - - smtpd"

Postfix lookup tables

You can also create multiline tables using POSTMAP_<filename> like this example:

environment:
  - POSTFIX_transport_maps=hash:/etc/postfix/transport
  - |
    POSTMAP_transport=gmail.com smtp
    mydomain.com relay:[relay1.mydomain.com]:587
    * relay:[relay2.mydomain.com]:587

which will generate file /etc/postfix/transport

gmail.com smtp
mydomain.com relay:[relay1.mydomain.com]:587
* relay:[relay2.mydomain.com]:587

and run postmap /etc/postfix/transport.

Relay Client Authentication

The container includes Postfix SASL authentication options that are disabled by default.

Example Basic Client PAM Auth

First, create a passwd file.

echo "myuser:"`docker run --rm mwader/postfix-relay mkpasswd -m sha-512 "mypassword"` >> passwd_file

Then mount the passwd file and add the following postfix configs via enviromental variable.

volumes:
  - /path/to/passwd_file:/etc/postfix/sasl/sasl_passwds
environment:
  - SASL_Passwds=/etc/postfix/sasl/sasl_passwds
  - POSTFIX_smtpd_sasl_auth_enable=yes
  - POSTFIX_cyrus_sasl_config_path=/etc/postfix/sasl
  - POSTFIX_smtpd_sasl_security_options=noanonymous
  - POSTFIX_smtpd_relay_restrictions=permit_sasl_authenticated,reject

OpenDKIM variables

OpenDKIM configuration options can be set using OPENDKIM_<name> environment variables. See Dockerfile for default configuration. For example OPENDKIM_Canonicalization=relaxed/simple.

Using docker run

docker run -e POSTFIX_myhostname=smtp.domain.tld rylorin/postfix-relay

Using docker-compose

app:
  # use hostname "smtp" as SMTP server

smtp:
  image: rylorin/postfix-relay
  restart: always
  environment:
    - POSTFIX_myhostname=smtp.domain.tld
    - OPENDKIM_DOMAINS=smtp.domain.tld

Logging

By default container only logs to stdout. If you also wish to log mail.* messages to file on persistent volume, you can do something like:

environment:
  ...
  - RSYSLOG_LOG_TO_FILE=yes
  - RSYSLOG_TIMESTAMP=yes
volumes:
  - /your_local_path:/var/log/

You can also forward log output to remote syslog server if you define RSYSLOG_REMOTE_HOST variable. It always uses UDP protocol and port 514 as default value, port number can be changed to different one with RSYSLOG_REMOTE_PORT. Default format of forwarded messages is defined by Rsyslog template RSYSLOG_ForwardFormat, you can change it to another template (section Reserved Template Names) if you wish with RSYSLOG_REMOTE_TEMPLATE variable.

environment:
  ...
  - RSYSLOG_REMOTE_HOST=my.remote-syslog-server.com
  - RSYSLOG_REMOTE_PORT=514
  - RSYSLOG_REMOTE_TEMPLATE=RSYSLOG_ForwardFormat

Advanced logging configuration

If configuration via environment variables is not flexible enough it's possible to configure rsyslog directly: .conf files in the /etc/rsyslog.d directory will be sorted alphabetically and included into the primary configuration.

Timezone

Wrong timestamps in log can be fixed by setting proper timezone. This parameter is handled by Debian base image.

environment:
  ...
  - TZ=Europe/Prague

Known issues

I see key data is not secure: /etc/opendkim/keys can be read or written by other users error messages.

Some Docker distributions like Docker for Windows and RancherOS seems to handle volume permission in way that does not work with OpenDKIM default behavior of ensuring safe permissions on private keys.

A workaround is to disable the check using a OPENDKIM_RequireSafeKeys=no environment variable.

SPF

When sending email using your own SMTP server it is probably a good idea to setup SPF for the domain you're sending from.

DKIM

To enable DKIM, specify a whitespace-separated list of domains in the environment variable OPENDKIM_DOMAINS. The default DKIM selector is "mail", but can be changed to "<selector>" using the syntax OPENDKIM_DOMAINS=<domain>=<selector>.

At container start, RSA key pairs will be generated for each domain unless the file /etc/opendkim/keys/<domain>/<selector>.private exists. If you want the keys to persist indefinitely, make sure to mount a volume for /etc/opendkim/keys, otherwise they will be destroyed when the container is removed.

DNS records to configure can be found in the container log or by running docker exec <container> sh -c 'cat /etc/opendkim/keys/*/*.txt you should see something like this:

$ docker exec 7996454b5fca sh -c 'cat /etc/opendkim/keys/*/*.txt'

mail._domainkey.smtp.domain.tld. IN	TXT	( "v=DKIM1; h=sha256; k=rsa; "
	  "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0Dx7wLGPFVaxVQ4TGym/eF89aQ8oMxS9v5BCc26Hij91t2Ci8Fl12DHNVqZoIPGm+9tTIoDVDFEFrlPhMOZl8i4jU9pcFjjaIISaV2+qTa8uV1j3MyByogG8pu4o5Ill7zaySYFsYB++cHJ9pjbFSC42dddCYMfuVgrBsLNrvEi3dLDMjJF5l92Uu8YeswFe26PuHX3Avr261n"
	  "j5joTnYwat4387VEUyGUnZ0aZxCERi+ndXv2/wMJ0tizq+a9+EgqIb+7lkUc2XciQPNuTujM25GhrQBEKznvHyPA6fHsFheymOuB763QpkmnQQLCxyLygAY9mE/5RY+5Q6J9oDOQIDAQAB" )  ; ----- DKIM key mail for smtp.domain.tld

Virtual domains forwarding

You can set up Postfix to forward all mails coming on your domain email to your other address like gmail.

mail for [email protected] ==> [ site.com Postfix server ] ==> forwarded to [email protected]

DNS settings of domain

First it's necessary to ensure that all mail for your domain will be delivered to your Postfix server. You do that by adding a MX record to your DNS, like:

site.com. 85100 IN MX 10 mail.site.com.

where mail.site.com. is your Postfix server address.

Docker host setting

On your docker host you need to setup a directory which will contains your virtual address mapping file. This directory will be mounted to the docker image and shared with Postfix. Your virtual file should look like:

@site.com		[email protected] [email protected]
[email protected]	[email protected]
@site3.com		[email protected]

Read Postfix documentation for more information.

Docker image setup

Assemble everything using docker-compose:

version: '2'
services:
  app:
    # use hostname "smtp" as SMTP server
  smtp:
    image: rylorin/postfix-relay
    environment:
      POSTFIX_virtual_alias_domains: site.com site2.com site3.com
      POSTFIX_myhostname: mail.site.com
    volumes:
    - /path/to/your/host/conf.d:/etc/postfix/conf.d:rw
    ports:
    - 25:25/tcp

License

postfix-relay is licensed under the MIT license. See LICENSE for the full license text.