
simplelogin-postfix-docker's Introduction

Docker Image for SimpleLogin Postfix

No official Postfix image tailor-made for SimpleLogin currently exists.

Let's fix that by providing the community with something lightweight, secure* (with Let's Encrypt support) and simple to use 💖

Compatibility: this image has been tested in a production environment with SimpleLogin 4.6.5beta

* If no TLS certificate can be obtained automatically when the container starts, Postfix runs without TLS (SMTP in cleartext) until the next attempt, which happens every hour.

Can be configured with the following environment variables:

Setting
    Description

ALIASES_DEFAULT_DOMAIN
    Default domain to use for your aliases.
DB_HOST
    Host of your SimpleLogin PostgreSQL database.
DB_USER
    User to connect to the database.
DB_PASSWORD
    Password of that user. You can also use DB_PASSWORD_FILE (a path to a file containing the password) if you use Docker secrets.
DB_NAME
    Name of the database.
EMAIL_HANDLER_HOST
    Host of your SimpleLogin email handler instance.
LETSENCRYPT_EMAIL
    Email address used by Let's Encrypt to send you expiry notices*.
POSTFIX_FQDN
    Fully Qualified Domain Name of your Postfix instance (i.e., the MX server address you configured in your DNS zone for ALIASES_DEFAULT_DOMAIN).
RELAY_HOST
    If your Postfix instance's IP address is blacklisted (e.g., because it is not a static address), you must relay through your Internet Service Provider's mail server to be able to send email to the outside world. If RELAY_HOST_USERNAME and RELAY_HOST_PASSWORD are also set (in Docker Run / Compose), authentication (SMTP AUTH) to the relay host is enabled.
RELAY_PORT
    SMTP relay host port. Some relays require a specific port (such as 587).
RELAY_HOST_USERNAME
    SMTP relay host username.
RELAY_HOST_PASSWORD
    SMTP relay host password. You can also use RELAY_HOST_PASSWORD_FILE if you use Docker secrets.
POSTFIX_DQN_KEY
    Spamhaus Data Query Service key. If you resolve through a shared or public recursive DNS resolver (which is the case on cloud providers such as Oracle or Amazon), the public zen.spamhaus.org RBL cannot be used from that resolver. Sign up for a free key with Spamhaus and set it here.
TLS_KEY_FILE
    Custom private key file for your own TLS certificate. Setting it disables Let's Encrypt. Useful if a reverse proxy or another tool manages your certificates. In a Let's Encrypt (Certbot) directory layout, this file is privkey.pem.
TLS_CERT_FILE
    Custom certificate (chain) file for your own TLS certificate. Setting it disables Let's Encrypt. Useful if a reverse proxy or another tool manages your certificates. In a Let's Encrypt (Certbot) directory layout, this file is fullchain.pem.
SIMPLELOGIN_COMPATIBILITY_MODE
    Compatibility with the SimpleLogin major application version. Supported values are v3 and v4. Defaults to v3 if not defined.
ENABLE_PROXY_PROTOCOL
    Enables PROXY protocol support when Postfix sits behind a reverse proxy that speaks it, such as Traefik or HAProxy. Default: false. Note: you must also enable the PROXY protocol on the reverse proxy; once this is on, Postfix expects every inbound connection to start with a PROXY header.

* Automatic renewal is handled by Certbot and shouldn't fail unless you have hit Let's Encrypt rate limits.
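To make the mapping from these variables to Postfix concrete, here is an added Python example (written for this page, not the image's own entrypoint script) that renders the relevant main.cf directives from an environment mapping. It covers the relay, TLS, PROXY protocol and network-trust settings; the database-backed alias lookups are left out. The MYNETWORKS variable (an explicit list of CIDRs allowed to relay, used instead of Postfix's mynetworks_style = subnet), the texthash: table path for the relay credentials and all sample values are assumptions for illustration.

```python
"""Render Postfix main.cf directives from the image's environment variables.

Added example (not the image's own entrypoint). Assumptions for illustration:
a MYNETWORKS variable listing the CIDRs allowed to relay, a texthash: table
for the relay credentials, and the constructed sample values in main().
"""
import ipaddress


def resolve_secret(env, name, files=None):
    """Docker-secrets convention: NAME_FILE (a path) takes precedence over NAME.

    `files` is an optional in-memory path->content mapping so the example runs
    without touching disk; with files=None the real filesystem is read.
    """
    path = env.get(f"{name}_FILE")
    if not path:
        return env.get(name)
    if files is not None:
        content = files[path]
    else:
        with open(path, encoding="utf-8") as fh:
            content = fh.read()
    return content.rstrip("\r\n")  # secret files usually end with a newline


def render_main_cf(env, files=None):
    """Return (main.cf directives as a dict, sasl_passwd line or None)."""
    # Explicit trusted networks instead of mynetworks_style = subnet: with a
    # published port, connections can arrive NATed from the Docker bridge
    # gateway, which the subnet style would trust and thereby open the relay.
    trusted = ["127.0.0.0/8", "[::1]/128"]
    for cidr in env.get("MYNETWORKS", "").split():
        # Postfix writes IPv6 networks as [addr]/len; ipaddress wants addr/len.
        ipaddress.ip_network(cidr.replace("[", "").replace("]", ""), strict=False)
        trusted.append(cidr)

    cf = {
        "myhostname": env["POSTFIX_FQDN"],
        "mynetworks": " ".join(trusted),
        "smtpd_relay_restrictions": "permit_mynetworks, reject_unauth_destination",
        "smtpd_tls_security_level": "may",
    }

    if env.get("TLS_CERT_FILE") and env.get("TLS_KEY_FILE"):  # own cert: no Let's Encrypt
        cf["smtpd_tls_cert_file"] = env["TLS_CERT_FILE"]
        cf["smtpd_tls_key_file"] = env["TLS_KEY_FILE"]

    if env.get("ENABLE_PROXY_PROTOCOL", "false").lower() in ("true", "haproxy"):
        cf["smtpd_upstream_proxy_protocol"] = "haproxy"

    sasl_passwd = None
    if env.get("RELAY_HOST"):
        # Brackets suppress the MX lookup; the identical [host]:port string must
        # be the lookup key in the password table or SASL auth silently fails.
        relay = f"[{env['RELAY_HOST']}]:{env.get('RELAY_PORT', '25')}"
        cf["relayhost"] = relay
        user = env.get("RELAY_HOST_USERNAME")
        password = resolve_secret(env, "RELAY_HOST_PASSWORD", files)
        if user and password:
            cf["smtp_sasl_auth_enable"] = "yes"
            cf["smtp_sasl_password_maps"] = "texthash:/etc/postfix/sasl_passwd"
            cf["smtp_sasl_security_options"] = "noanonymous"
            cf["smtp_tls_security_level"] = "encrypt"  # never send credentials in clear
            sasl_passwd = f"{relay} {user}:{password}"
    return cf, sasl_passwd


def format_main_cf(cf):
    """Serialize the directives in main.cf syntax."""
    return "".join(f"{key} = {value}\n" for key, value in cf.items())


if __name__ == "__main__":
    sample_env = {  # constructed values, not from any real deployment
        "POSTFIX_FQDN": "mail.example.com",
        "MYNETWORKS": "10.0.3.7/32",
        "RELAY_HOST": "smtp.relay.example",
        "RELAY_PORT": "587",
        "RELAY_HOST_USERNAME": "relayuser",
        "RELAY_HOST_PASSWORD_FILE": "/run/secrets/relay_pw",
        "ENABLE_PROXY_PROTOCOL": "haproxy",
    }
    directives, passwd_line = render_main_cf(
        sample_env, files={"/run/secrets/relay_pw": "s3cret\n"})
    print(format_main_cf(directives))
    print("sasl_passwd:", passwd_line)
```

The two points worth carrying over to any real deployment: the password table key has to be byte-identical to relayhost, and smtp_tls_security_level = encrypt should accompany SASL so the relay credentials never cross the wire in cleartext.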

NOTE: This project is a fork of Kloügle.

Examples

The examples directory contains compose files showing how to use this container in different scenarios.

Troubleshooting

If you don't receive emails from SimpleLogin, have a look at the Postfix logs:

docker logs -f <POSTFIX_CONTAINER>

If Postfix doesn't seem to use TLS, have a look at the Certbot logs:

docker exec -ti <POSTFIX_CONTAINER> cat /var/log/letsencrypt/letsencrypt.log

simplelogin-postfix-docker's People

Contributors

arugifa, bjreplay, doanguyen, imro2, lordchunk, martadams89, metabaron1, nguyenkims, rehanone, smargold476, tarkilhk


simplelogin-postfix-docker's Issues

Undelivered Mail Returned to Sender

Hi there,

I tried this image and it worked. The only thing to mention is that if you send to an unknown email address, the server accepts the mail. After this it sends a completely new mail back to the sender with an "Undelivered Mail Returned to Sender". As far as I know this is called a "bounce".

Is there a way to fix that? After googling, it seems to be fixed by changing the bounce in master.cf, but I cannot change it because it needs to be generated during start.

dkim support

Sending mails via this Postfix gives me a bad DKIM score.
Keys are set up in the app-ci, but there is no DKIM in this Postfix setup.

Or is the mistake in my configuration?

Add support for Docker compose secrets

The environment variable DB_PASSWORD forces you to put the password in the compose file. Please add support for DB_PASSWORD_FILE as an environment variable to allow loading the password from a secrets file, like this:

DB_PASSWORD_FILE: "/run/secrets/postgres"

Relay access denied when using HAProxy

Hi, I'm having trouble getting my e-mails to go through my HAProxy.

My postfix container is not exposed on the Internet. My HAProxy machine is in a separate network.

When setting the ENABLE_PROXY_PROTOCOL=haproxy parameter, all e-mails incoming to the postfix container need to go through the HAProxy.
For example, if I set POSTFIX_SERVER=postfix in simplelogin.env, I get the following error in the SimpleLogin email container:

2024-05-13 17:58:37,012 - SL - ERROR - 1 - "/code/app/mail_sender.py:196" - _send_to_smtp() - 85a0de33-f7aa-413c-bff8-a8bac3b85906 - Could not send message to smtp server postfix:25
Traceback (most recent call last):
  File "/usr/local/lib/python3.10/smtplib.py", line 398, in getreply
    line = self.file.readline(_MAXLINE + 1)
  File "/usr/local/lib/python3.10/socket.py", line 705, in readinto
    return self._sock.recv_into(b)
TimeoutError: timed out

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/code/app/mail_sender.py", line 148, in _send_to_smtp
    with SMTP(
  File "/usr/local/lib/python3.10/smtplib.py", line 255, in __init__
    (code, msg) = self.connect(host, port)
  File "/usr/local/lib/python3.10/smtplib.py", line 343, in connect
    (code, msg) = self.getreply()
  File "/usr/local/lib/python3.10/smtplib.py", line 401, in getreply
    raise SMTPServerDisconnected("Connection unexpectedly closed: "
smtplib.SMTPServerDisconnected: Connection unexpectedly closed: timed out

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.10/smtplib.py", line 398, in getreply
    line = self.file.readline(_MAXLINE + 1)
  File "/usr/local/lib/python3.10/socket.py", line 705, in readinto
    return self._sock.recv_into(b)
TimeoutError: timed out

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/code/app/mail_sender.py", line 148, in _send_to_smtp
    with SMTP(
  File "/usr/local/lib/python3.10/smtplib.py", line 255, in __init__
    (code, msg) = self.connect(host, port)
  File "/usr/local/lib/python3.10/smtplib.py", line 343, in connect
    (code, msg) = self.getreply()
  File "/usr/local/lib/python3.10/smtplib.py", line 401, in getreply
    raise SMTPServerDisconnected("Connection unexpectedly closed: "
smtplib.SMTPServerDisconnected: Connection unexpectedly closed: timed out

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.10/smtplib.py", line 398, in getreply
    line = self.file.readline(_MAXLINE + 1)
  File "/usr/local/lib/python3.10/socket.py", line 705, in readinto
    return self._sock.recv_into(b)
TimeoutError: timed out

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/code/app/mail_sender.py", line 148, in _send_to_smtp
    with SMTP(
  File "/usr/local/lib/python3.10/smtplib.py", line 255, in __init__
    (code, msg) = self.connect(host, port)
  File "/usr/local/lib/python3.10/smtplib.py", line 343, in connect
    (code, msg) = self.getreply()
  File "/usr/local/lib/python3.10/smtplib.py", line 401, in getreply
    raise SMTPServerDisconnected("Connection unexpectedly closed: "
smtplib.SMTPServerDisconnected: Connection unexpectedly closed: timed out

And in the postfix container logs:

May 13 17:58:37 silo postfix/smtpd[628]: warning: haproxy read: EOF
May 13 17:58:37 silo postfix/smtp[633]: 9F75A1532C: to=<***@***.fr>, relay=email[192.168.0.4]:20381, delay=11, delays=0.39/0.01/0/10, dsn=2.0.0, status=sent (250 Message accepted for delivery)
May 13 17:58:37 silo postfix/qmgr[86]: 9F75A1532C: removed
May 13 17:58:37 silo postfix/smtpd[628]: connect from sl-email-1.sl_default[192.168.0.4]
May 13 17:58:37 silo postfix/smtpd[628]: disconnect from sl-email-1.sl_default[192.168.0.4] commands=0/0

Therefore, I have to set POSTFIX_SERVER with the hostname of my HAProxy machine in order for my e-mails to go through it, then to the postfix container.
But when I do this, I have another error:

2024-05-13 18:21:03,895 - SL - ERROR - 1 - "/code/app/mail_sender.py:196" - _send_to_smtp() - b7b44223-7c3a-4f66-8cfd-e9440a90b340 - Could not send message to smtp server ct-proxy.home:25
Traceback (most recent call last):
  File "/code/app/mail_sender.py", line 172, in _send_to_smtp
    smtp.sendmail(
  File "/usr/local/lib/python3.10/smtplib.py", line 901, in sendmail
    raise SMTPRecipientsRefused(senderrs)
smtplib.SMTPRecipientsRefused: {'***@***.fr': (454, b'4.7.1 <***@***.fr>: Relay access denied')}

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/code/app/mail_sender.py", line 172, in _send_to_smtp
    smtp.sendmail(
  File "/usr/local/lib/python3.10/smtplib.py", line 901, in sendmail
    raise SMTPRecipientsRefused(senderrs)
smtplib.SMTPRecipientsRefused: {'***@***.fr': (454, b'4.7.1 <***@***.fr>: Relay access denied')}

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/code/app/mail_sender.py", line 172, in _send_to_smtp
    smtp.sendmail(
  File "/usr/local/lib/python3.10/smtplib.py", line 901, in sendmail
    raise SMTPRecipientsRefused(senderrs)
smtplib.SMTPRecipientsRefused: {'***@***.fr': (454, b'4.7.1 <***@***.fr>: Relay access denied')}

And in the postfix container logs:

May 13 17:41:18 silo postfix/smtpd[160]: connect from 20.mo581.mail-out.ovh.net[46.105.49.208]
May 13 17:41:18 silo postfix/smtpd[160]: 6A15214F9E: client=20.mo581.mail-out.ovh.net[46.105.49.208]
May 13 17:41:18 silo postfix/cleanup[163]: 6A15214F9E: message-id=<wsjrcwgkKVaOrhYykSwTTAdpSDbnhnxRdQWabJu0o@***.fr>
May 13 17:41:18 silo postfix/qmgr[86]: 6A15214F9E: from=<***@***.fr>, size=15943, nrcpt=1 (queue active)
May 13 17:41:18 silo postfix/smtpd[160]: disconnect from 20.mo581.mail-out.ovh.net[46.105.49.208] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
May 13 17:41:18 silo postfix/smtpd[160]: connect from ct-docker.home[10.0.3.7]
May 13 17:41:18 silo postfix/smtpd[160]: NOQUEUE: reject: RCPT from ct-docker.home[10.0.3.7]: 454 4.7.1 <***@***.fr>: Relay access denied; from=<sl.lmycyibvgaycyibrgi2dgnzygfoq.oweiy5yulwupg@***.fr> to=<***@***.fr> proto=ESMTP helo=<[192.168.0.4]>
May 13 17:41:18 silo postfix/smtpd[160]: disconnect from ct-docker.home[10.0.3.7] ehlo=1 mail=1 rcpt=0/1 rset=1 quit=1 commands=4/5
May 13 17:41:19 silo postfix/smtpd[160]: connect from ct-docker.home[10.0.3.7]
May 13 17:41:19 silo postfix/smtpd[160]: NOQUEUE: reject: RCPT from ct-docker.home[10.0.3.7]: 454 4.7.1 <***@***.fr>: Relay access denied; from=<sl.lmycyibvgaycyibrgi2dgnzygfoq.oweiy5yulwupg@***.fr> to=<***@***.fr> proto=ESMTP helo=<[192.168.0.4]>
May 13 17:41:19 silo postfix/smtpd[160]: disconnect from ct-docker.home[10.0.3.7] ehlo=1 mail=1 rcpt=0/1 rset=1 quit=1 commands=4/5
May 13 17:41:19 silo postfix/smtpd[160]: connect from ct-docker.home[10.0.3.7]
May 13 17:41:19 silo postfix/smtpd[160]: NOQUEUE: reject: RCPT from ct-docker.home[10.0.3.7]: 454 4.7.1 <***@***.fr>: Relay access denied; from=<sl.lmycyibvgaycyibrgi2dgnzygfoq.oweiy5yulwupg@***.fr> to=<***@***.fr> proto=ESMTP helo=<[192.168.0.4]>
May 13 17:41:19 silo postfix/smtpd[160]: disconnect from ct-docker.home[10.0.3.7] ehlo=1 mail=1 rcpt=0/1 rset=1 quit=1 commands=4/5
May 13 17:41:19 silo postfix/smtp[164]: 6A15214F9E: to=<***@***.fr>, relay=email[192.168.0.4]:20381, delay=1.5, delays=0.41/0.02/0/1.1, dsn=2.0.0, status=sent (250 Message accepted for delivery)
May 13 17:41:19 silo postfix/qmgr[86]: 6A15214F9E: removed

If I remove the mynetworks_style = subnet and set mynetworks with the IP/32 of my HAProxy machine, the e-mails are forwarded correctly.
Am I missing something in the container configuration, or do I really need to set the mynetworks setting for this to work properly?
I already made a patch to replace mynetworks_style with mynetworks with an env variable, so I can make a PR.
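Two mechanics explain both errors in the report above. First, with ENABLE_PROXY_PROTOCOL set, Postfix expects every inbound connection to begin with a PROXY protocol header before it sends its 220 banner; a client that connects directly (as the email handler does when POSTFIX_SERVER points at the container) waits for the banner while Postfix waits for the header, which produces the handler's timeout and the "haproxy read: EOF" line on the Postfix side. Second, once the header is present, Postfix logs and applies its access controls, including permit_mynetworks, to the client address carried in that header, not to the proxy's own address; the address the container trusts has to be the forwarded one. The following added Python example (written for this page, not part of simplelogin-postfix-docker) builds and validates PROXY protocol v1 headers as defined by HAProxy's specification and reproduces the permit_mynetworks decision against Postfix-style CIDR lists. The addresses are constructed from documentation ranges.

```python
"""PROXY protocol v1 header builder/parser plus a mynetworks-style check.

Added example (not part of simplelogin-postfix-docker). The header format
follows HAProxy's PROXY protocol v1 specification; the sample addresses
are constructed (RFC 5737 / RFC 3849 documentation ranges).
"""
import ipaddress

MAX_V1_LEN = 107  # longest legal v1 line, CRLF included (TCP6 with full addresses)


def proxy_v1_header(src, dst, sport, dport):
    """Return the line a PROXY-protocol-speaking proxy sends before any SMTP byte."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip.version != dst_ip.version:
        raise ValueError("source and destination address families differ")
    for port in (sport, dport):
        if not 0 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
    family = "TCP4" if src_ip.version == 4 else "TCP6"
    return f"PROXY {family} {src_ip} {dst_ip} {sport} {dport}\r\n".encode("ascii")


def parse_proxy_v1(line):
    """Parse and validate a v1 header; raise ValueError for anything else.

    A server configured for the PROXY protocol blocks waiting for this line,
    so a plain 'EHLO' from a direct client is a protocol error, not SMTP.
    """
    if len(line) > MAX_V1_LEN or not line.endswith(b"\r\n"):
        raise ValueError("not a PROXY v1 line")
    fields = line[:-2].decode("ascii").split(" ")  # UnicodeDecodeError is a ValueError
    if fields[0] != "PROXY" or len(fields) < 2:
        raise ValueError("missing PROXY signature")
    if fields[1] == "UNKNOWN":
        return {"family": "UNKNOWN"}  # proxy could not determine the client; no address
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 line")
    family, src, dst, sport, dport = fields[1:]
    version = 4 if family == "TCP4" else 6
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip.version != version or dst_ip.version != version:
        raise ValueError("address does not match declared family")
    ports = [int(p) for p in (sport, dport)]  # int() raises ValueError on junk
    if any(not 0 <= p <= 65535 for p in ports):
        raise ValueError("port out of range")
    return {"family": family, "src_addr": str(src_ip), "dst_addr": str(dst_ip),
            "src_port": ports[0], "dst_port": ports[1]}


def client_is_trusted(client_addr, mynetworks):
    """permit_mynetworks decision: is the (forwarded) client inside a listed network?

    `mynetworks` uses Postfix syntax, where IPv6 networks are written [addr]/len.
    """
    addr = ipaddress.ip_address(client_addr)
    for cidr in mynetworks:
        net = ipaddress.ip_network(cidr.replace("[", "").replace("]", ""), strict=False)
        if addr.version == net.version and addr in net:
            return True
    return False


if __name__ == "__main__":
    # The proxy forwards a connection from 203.0.113.10 (constructed) to Postfix.
    header = proxy_v1_header("203.0.113.10", "192.168.0.10", 51234, 25)
    client = parse_proxy_v1(header)["src_addr"]
    trusted = ["127.0.0.0/8", "[::1]/128", "10.0.3.7/32"]
    print(header, client, "relay allowed:", client_is_trusted(client, trusted))
```

Reading the report's log through this lens: the rejected sessions are logged as coming from 10.0.3.7, the forwarded address, so that is the address that has to appear in mynetworks; the proxy's own address never reaches the access checks.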

allow external certificates and SMTP for other services

Hi,

I would like to use this image, but two things are stopping me:

  • allow SMTP usage for other services
    Since if you use this image you can't have any other mail service running at the same time, this image needs the ability for other apps to use it as a mail server through SMTP, for example.

  • external certificate support
    I have another app managing my certificates, so there is no need for them to be regenerated again; however, I can make it work.

hash & btree unsupported!

Hi,
I am trying to run this after building the Docker image on my system. It looks like hash & btree are no longer supported. After some searching, I found the replacement is lmdb. After replacing hash & btree with lmdb, I now get this error: open database /etc/aliases.lmdb: No such file or directory.

With hash & btree:

Jun 09 17:23:21 mail postfix/postfix-script[79]: starting the Postfix mail system
Jun 09 17:23:21 mail postfix/master[80]: daemon started -- version 3.5.10, configuration /etc/postfix
Jun 09 17:23:27 mail postfix/smtpd[84]: error: unsupported dictionary type: hash
Jun 09 17:23:27 mail postfix/tlsmgr[86]: error: unsupported dictionary type: btree
Jun 09 17:23:27 mail postfix/tlsmgr[86]: error: unsupported dictionary type: btree
Jun 09 17:23:27 mail postfix/tlsmgr[86]: warning: btree:/var/lib/postfix/smtpd_scache is unavailable. unsupported dictionary type: btree
Jun 09 17:23:27 mail postfix/tlsmgr[86]: warning: btree:/var/lib/postfix/smtp_scache is unavailable. unsupported dictionary type: btree
Jun 09 17:23:27 mail postfix/smtpd[84]: connect from sl-postfix_sut_1.sl-network[240.0.0.6]
Jun 09 17:23:27 mail postfix/smtpd[84]: disconnect from sl-postfix_sut_1.sl-network[240.0.0.6] quit=1 commands=1
Jun 09 17:25:22 mail postfix/smtpd[87]: error: unsupported dictionary type: hash
Jun 09 17:25:22 mail postfix/smtpd[87]: connect from sl-postfix_sut_1.sl-network[240.0.0.6]
Jun 09 17:25:22 mail postfix/smtpd[87]: disconnect from sl-postfix_sut_1.sl-network[240.0.0.6] quit=1 commands=1

After replacing with lmdb:

sl-postfix    | Jun 09 17:34:16 mail postfix/postfix-script[78]: starting the Postfix mail system
sl-postfix    | Jun 09 17:34:16 mail postfix/master[79]: daemon started -- version 3.5.10, configuration /etc/postfix
sl-postfix    | Jun 09 17:34:22 mail postfix/smtpd[83]: error: open database /etc/aliases.lmdb: No such file or directory
sl-postfix    | Jun 09 17:34:22 mail postfix/smtpd[83]: connect from sl-postfix_sut_1.sl-network[240.0.0.6]
sl-postfix    | Jun 09 17:34:22 mail postfix/smtpd[83]: disconnect from sl-postfix_sut_1.sl-network[240.0.0.6] quit=1 commands=1
sut_1         | 220 app.example.com ESMTP Postfix

I don't know how to fix the new error. Can someone please update the code base to make the image compatible with lmdb?

Thanks

disable cron when TLS_KEY_FILE is set

I have set a custom TLS_KEY_FILE and TLS_CERT_FILE; this should disable Let's Encrypt.

however, every hour I get an email:

Missing command line flags. For non-interactive execution, you will need to specify a plugin on the command line. Run with '--help plugins' to see a list of options, and see https://eff.org/letsencrypt-plugins for more detail on what the plugins do and how to use them.
run-parts: /etc/periodic/hourly/renew-postfix-tls: exit status 1

This renew-postfix-tls should be removed / not run if one of the .env variables (TLS_KEY_FILE / TLS_CERT_FILE) is set.

For the moment, as a workaround, I have manually deleted the renew-postfix-tls file in my container.

My sl-postfix instance is being used to send spam

I'm having some spam issues with my servers, and I'm investigating the cause.
The problem I have is that anyone can send emails through my server. This is my configuration:

    sl-postfix:
        image: simplelogin/postfix:4
        restart: unless-stopped
        ports:
            - "25:25"
            - "465:465"
        environment:
            ALIASES_DEFAULT_DOMAIN: mydomain.com
            DB_HOST: postgres
            DB_USER: user
            DB_PASSWORD: pw
            DB_NAME: simplelogin
            EMAIL_HANDLER_HOST: sl-email
            POSTFIX_FQDN: mail.mydomain.com
            SSL_CERT_FOLDER: /mnt/certs
            SIMPLELOGIN_COMPATIBILITY_MODE: v4
#            RELAY_HOST: test-relay-server:587
#            RELAY_HOST_USERNAME: myusername
#            RELAY_HOST_PASSWORD: mypassword
        volumes:
            - certs:/mnt/certs
        networks:
            - sl-network
        depends_on:
            - postgres
            - certgen

# Edit: I add relevant info about the network conf, because the email comes from 10.0.0.1
networks:
    sl-network:
        ipam:
            config:
                - subnet: 10.0.0.0/24
                  gateway: 10.0.0.1

When I connect to the port 25 to send an email from my computer with the command:

swaks --to [email protected] --from [email protected] --server mail.mydomain.com:25
=== Trying mail.mydomain.com:25...
=== Connected to mail.mydomain.com.
<-  220 mail.mydomain.com ESMTP Postfix
 -> EHLO desktop
<-  250-mail.mydomain.com
<-  250-PIPELINING
<-  250-SIZE 10240000
<-  250-VRFY
<-  250-ETRN
<-  250-ENHANCEDSTATUSCODES
<-  250-8BITMIME
<-  250-DSN
<-  250-SMTPUTF8
<-  250 CHUNKING
 -> MAIL FROM:<[email protected]>
<-  250 2.1.0 Ok
 -> RCPT TO:<[email protected]>
<-  250 2.1.5 Ok
 -> DATA
<-  354 End data with <CR><LF>.<CR><LF>
 -> Date: Sun, 22 Oct 2023 15:46:07 +0200
 -> To: [email protected]
 -> From: [email protected]
 -> Subject: test Sun, 22 Oct 2023 15:46:07 +0200
 -> Message-Id: <20231022154607.1128647@desktop>
 -> X-Mailer: swaks vDEVRELEASE jetmore.org/john/code/swaks/
 -> 
 -> This is a test mailing
 -> 
 -> 
 -> .
<-  250 2.0.0 Ok: queued as 86DFA2A5643
 -> QUIT
<-  221 2.0.0 Bye
=== Connection closed with remote host.

The email is sent without problems, so everyone can do it too.
This is the sl-postfix log:

simple-login-sl-postfix-1  | Oct 22 13:46:07 mail postfix/smtpd[85]: connect from unknown[10.0.0.1]
simple-login-sl-postfix-1  | Oct 22 13:46:07 mail postfix/smtpd[85]: 86DFA2A5643: client=unknown[10.0.0.1]
simple-login-sl-postfix-1  | Oct 22 13:46:07 mail postfix/cleanup[88]: 86DFA2A5643: message-id=<20231022154607.1128647@desktop>
simple-login-sl-postfix-1  | Oct 22 13:46:07 mail postfix/qmgr[83]: 86DFA2A5643: from=<[email protected]>, size=447, nrcpt=1 (queue active)
simple-login-sl-postfix-1  | Oct 22 13:46:07 mail postfix/smtpd[85]: disconnect from unknown[10.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
simple-login-sl-postfix-1  | Oct 22 13:46:16 mail postfix/smtp[89]: 86DFA2A5643: to=<[email protected]>, relay=mail.protonmail.ch[185.70.42.128]:25, delay=8.8, delays=0.26/0/6.1/2.4, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 4SD0396T4Pz7QQ5S)
simple-login-sl-postfix-1  | Oct 22 13:46:16 mail postfix/qmgr[83]: 86DFA2A5643: removed
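Two details in the report above matter for anyone running this image with published ports. The external connection is logged as unknown[10.0.0.1], the gateway of the bridge network: the container saw a NATed source address inside its own subnet (typical when Docker's userland proxy or Docker Desktop handles the published port), and mynetworks_style = subnet trusts every address in that subnet, so permit_mynetworks lets anyone relay. Whether a deployment is an open relay can be checked without sending any mail: from a host outside mynetworks, issue MAIL FROM and RCPT TO for a recipient that is not one of your alias domains and look at the RCPT reply. A correctly restricted Postfix answers with a 454 or 554 "Relay access denied" (the HAProxy issue above shows the 454 form); a 250 means it will relay, and the session can be abandoned with RSET and QUIT before DATA so nothing is queued. Below is an added Python example (written for this page, not project code) that performs this probe, together with a constructed minimal fake SMTP responder so the open and closed cases can be demonstrated offline; the e-mail addresses use the reserved .invalid TLD.

```python
"""Open-relay probe: does the server accept RCPT TO for a foreign recipient from
an unauthenticated client? Added example, not project code. The fake SMTP
server below is constructed so the probe can be demonstrated offline; point
relay_probe() at a real host:port to test a deployment you own.
"""
import smtplib
import socket
import threading


def relay_probe(host, port, sender="probe@external.invalid",
                recipient="victim@external.invalid", timeout=10):
    """Return (verdict, rcpt_code, rcpt_message) without ever issuing DATA."""
    with smtplib.SMTP(host, port, local_hostname="probe.invalid", timeout=timeout) as smtp:
        smtp.ehlo_or_helo_if_needed()
        code, msg = smtp.mail(sender)
        if code != 250:
            return ("sender_rejected", code, msg.decode(errors="replace"))
        code, msg = smtp.rcpt(recipient)
        smtp.rset()  # abandon the envelope; nothing is queued
        verdict = "OPEN_RELAY" if code == 250 else "closed"
        return (verdict, code, msg.decode(errors="replace"))


def _serve_one(listener, relay_open):
    """Minimal SMTP responder for the offline demo (not a real MTA)."""
    conn, _ = listener.accept()
    with listener, conn:
        conn.sendall(b"220 fake.invalid ESMTP\r\n")
        buf = b""
        while True:
            data = conn.recv(1024)
            if not data:
                return
            buf += data
            while b"\r\n" in buf:
                line, buf = buf.split(b"\r\n", 1)
                verb = line.split(b" ", 1)[0].upper()
                if verb in (b"EHLO", b"HELO"):
                    conn.sendall(b"250 fake.invalid\r\n")
                elif verb in (b"MAIL", b"RSET"):
                    conn.sendall(b"250 2.0.0 Ok\r\n")
                elif verb == b"RCPT":
                    # An open relay says 250 here; a restricted one refuses.
                    conn.sendall(b"250 2.1.5 Ok\r\n" if relay_open
                                 else b"454 4.7.1 Relay access denied\r\n")
                elif verb == b"QUIT":
                    conn.sendall(b"221 2.0.0 Bye\r\n")
                    return
                else:
                    conn.sendall(b"502 5.5.2 Error: command not recognized\r\n")


def start_fake_smtpd(relay_open):
    """Start a one-connection fake SMTP server on 127.0.0.1; return (host, port)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    threading.Thread(target=_serve_one, args=(listener, relay_open), daemon=True).start()
    return listener.getsockname()


if __name__ == "__main__":
    for relay_open in (True, False):
        host, port = start_fake_smtpd(relay_open)
        print("fake server relay_open=%s ->" % relay_open, relay_probe(host, port))
```

Run the probe from a machine that is not in the container's mynetworks (and not on the Docker host itself, whose connections may be NATed into the trusted range); a verdict of OPEN_RELAY means the fix described in the HAProxy issue, an explicit mynetworks instead of mynetworks_style = subnet, is needed.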

Support relayhost authentication

Setting a relayhost (RELAY_HOST variable) is helpful in case of blacklisted IP address or blocked outbound port 25, which are common scenarios when using cloud instances/VPSs. You can use your ISP's mail server or an email service such as AWS SES, SendGrid, Mailjet, Mailgun (as recommended by AWS, Azure, GCP, e.g. https://cloud.google.com/compute/docs/tutorials/sending-mail).
However in most cases these services require authentication, i.e. a username and password.

Please support relay host authentication using appropriate variables/secrets to specify the relay host username and password.
