
Comments (7)

bokysan commented on August 28, 2024

Postfix drops privileges right after startup. OpenDKIM runs under its own account. Going completely rootless would be great, as you could run the image with higher security and with a specific user. However, it does bring its own set of problems. OpenDKIM and Postfix would both need to run under the same account, for one.

Not really sure how I feel about it, but as you mentioned, let's keep the ticket open and see if anybody comes up with any bright ideas.

from docker-postfix.

bokysan commented on August 28, 2024

@thielj Appreciate the update. In this case I will close the ticket, as we need to wait for upstream and I want to ensure no unnecessary comments pop up here.


maxclax commented on August 28, 2024

I have the same problem with permissions. After restarting the pod, it's not readable.

‣ INFO  DKIM_AUTOGENERATE set -- will try to auto-generate keys for ***.com.
‣ INFO  Key for domain ***.com already exists in /etc/opendkim/keys/***.com.private. Will not overwrite.
‣ NOTE  Configuring OpenDKIM.
        ...using socket inet:localhost:8891
        ...for domain ***.com (selector: mail)
        ...trying to reown /etc/opendkim/keys/***.com.private as it's not readable by OpenDKIM...
chown: changing ownership of '/etc/opendkim/keys/***.com.private': Permission denied


bokysan commented on August 28, 2024

@maxclax unless you're trying to run this with a specific securityContext (like in #199), this is most likely not the same issue. And since you have not given me any context (e.g. version of the image, is it Docker or Kubernetes, docker-compose.yaml file or helm values.yaml...) I cannot either comment on or help with your problem.


maxclax commented on August 28, 2024

> @maxclax unless you're trying to run this with a specific securityContext (like in #199), this is most likely not the same issue. And since you have not given me any context (e.g. version of the image, is it Docker or Kubernetes, docker-compose.yaml file or helm values.yaml...) I cannot either comment on or help with your problem.

mail:
  enabled: true
  replicaCount: 1
  service:
    type: ClusterIP
    port: 587
    labels: { }
    annotations: { }
  extraVolumeMounts:
    - name: mail
      mountPath: /etc/opendkim/keys
      subPath: dkim
  config:
    general:
      ALLOWED_SENDER_DOMAINS: "app.com"
      ALLOW_EMPTY_SENDER_DOMAINS: 'true'
      ANONYMIZE_EMAILS: 'smart'
      DKIM_AUTOGENERATE: 'true'
    postfix: { }
    opendkim: { }
  persistence:
    enabled: true
    size: 1Gi
    storageClass: local-path
  nodeSelector: { }
  tolerations: [ ]
  affinity: { }

repository: https://bokysan.github.io/docker-postfix/
version: v4.2.1

Everything is at the defaults; only the dkim folder is in persistence. Starting from zero, everything works well, but after restarting the pod it cannot read the dkim data because of "Permission denied".


bokysan commented on August 28, 2024

This has nothing to do with this ticket. Please raise another ticket and delete the comment from here. Thank you.


thielj commented on August 28, 2024

@bokysan I did some research on running postfix without root privileges: it wouldn't be impossible, but it isn't really a scenario the maintainers would want to support. I think this thread sums it up:

https://www.mail-archive.com/[email protected]/msg90253.html

I don't think that pre-loading is a desirable solution to achieve rootless postfix, so I would suggest closing this issue, at least for the foreseeable future 🤷


(sorry for the late reply, I had misplaced the above link and only just came across it again)

