Vulnerability scanners flag this as a vulnerability because it allows an attacker to find if a mailbox exists on the postfix server or not. This doesn't apply specifically to this container as it's just an SMTP relay and has no mailboxes hosted on it, but it would be an easy addition to the configuration file.

Got this issues:

postfix/error[3180]: DF27F16456B: to=<[email protected]>, relay=none, delay=369825, delays=369825/0.15/0/0, dsn=4.4.3, status=deferred (delivery temporarily suspended: Host or domain name not found. Name service error for name=yahoo.co.id type=MX: Host not found, try again)

Here is my docker compose:

image: panubo/postfix
    environment:
      MAILNAME: domain_name.id 
      MYNETWORKS: "127.0.0.1/32, 10.21.0.0/24"
      USE_TLS: 'no'
    volumes:
      - /etc/resolv.conf:/etc/resolv.conf
      - ./mail/spool/postfix:/var/spool/postfix
    restart: always
    ports:
      - "587:25"

Anyone can help, what i miss in config ?

if the Host server has authentication but is not in TLS. than both smtp_use_tls and smtpd_use_tls should be set to no.
However As seen in the code below the smtp_use_tls is set to true if there is RELAYHOST_AUTH is set.

if [ "${RELAYHOST_AUTH}" == "yes" ]; then
    echo "postfix >> Enabling relayhost authentication"
    touch /etc/postfix/sasl-passwords
    postconf -e smtp_sasl_auth_enable=yes
    postconf -e smtp_sasl_security_options=noanonymous
    postconf -e smtp_sasl_password_maps=hash:/etc/postfix/sasl-passwords
    # require encryption with relayhost auth
    postconf -e smtp_use_tls=yes
    postconf -e smtp_tls_security_level=encrypt
    postconf -e smtp_sasl_mechanism_filter="PLAIN LOGIN"
fi

in such case both

    postconf -e smtp_use_tls=yes
    postconf -e smtp_tls_security_level=encrypt

Needs to be removed.

Hi, docker-postfix is mostly working great but I'm having some issues with DKIM. I have a valid dkim key that I was using on my system's postfix before migrating to this docker image, and I'm mounting it at /etc/opendkim/dkim.key in the container and setting USE_DKIM to yes. The server signs outgoing emails but mail-tester is saying the DKIM signature is invalid. I've verified that the TXT record is correct.

Do you have any ideas on how to troubleshoot? Do I need to mount any other files for DKIM?

Need to add a function to normalise boolean tokens, yes, no, true, false, True, False to make configuration less error prone.

Hi,

If my receiver server is different than my sending server, we should be able to configure mydestination to localhost.

Thanks in advance,
Best regards.
Sylvain PIRON

AWS SES supports SMTP but a special password needs to be generate from existing AWS IAM keys.

Add a helper script to generate the special password from standard AWS IAM keys. See https://docs.aws.amazon.com/ses/latest/DeveloperGuide/smtp-credentials.html

Currently passwords are stored in env variable RELAYHOST_PASSWORDMAP.

So I think it would be nice if the container either asks for RELAYHOST_PASSWORDMAP or RELAYHOST_PASSWORDMAP_FILE. Then I could set RELAYHOST_PASSWORDMAP_FILE=/run/secrets/relay-password and the container could make sure that postmap is called on that file.

I started using the buster image, because of the non default ports I use.
But I had problem, that postfix was not able to resolve the relay hostname.
I think the problem comes from the change to start postfix directly instead of the service script.
The service script does a lot for postfix, because it's instances runs in chroot environment.

quick and dirty, going into the running container and executing the following worked:
cp /etc/resolv.conf /var/spool/postfix/etc/resolv.conf

I forked your version to just copy this file in the run script, which works for me.
But I think it would be cleaner to somehow reuse the init script again. Otherwise you have to re-implement all that again.
i.e. init script calls /usr/lib/postfix/configure-instance.sh for EACH instance of postfix which does a lot more than just copy the resolve.conf file.

When sending or relaying mail on behalf of a customer it would be useful to be able to rewrite the envelope sender to a subdomain that has been delegated to the email service provider (this container) so that DMARC compliance can be achieved.

This doc https://dmarcian.com/how-to-send-dmarc-compliant-email-on-behalf-of-others/ describes getting a subdomain delegated so the mail provider can configured DKIM and SPF independently of the root organisation domain.

It would be good if this container should rewrite the envelope sender to use a subdomain even if the From header is the root organisation domain.

eg. From: [email protected] rewrite to [email protected]

When I want to connect to the postfix from another process on the same machine, I don't want to use TLS.
Can we let the user choose whether to require STARTTLS on port 25 or just disable it by default?

The initialisation and configuration of postfix etc, should be moved out of the s6 scripts and into separate init scripts that are run from entry.sh before the entrypoint.d scripts. This will allow for entrypoint.d scripts to override any config done.

When sending an email to my domain specified in the MAILNAME, getting an error:

smtp-server: 550 5.1.1 <[email protected]>: Recipient address rejected: User unknown in local recipient table

SMTP relay is not my mail server. Variable mydestination is responsible for this

postconf -e mydestination="${MAILNAME}"

Just change to

postconf -e mydestination="${MYDESTINATION}"

By default it is better to make a value localhost

Thanks for your image.

Postfix initialization (/etc/s6/postfix/run) includes a call to postfix set-permissions.

This will check the /etc/mailname file and will cause an error (and ultimately a failure to start this Docker image) if the file has hard links.

One can figure out if the problem will manifest itself by running this command:

/usr/bin/docker run -it --rm \
--entrypoint=/bin/bash \
panubo/postfix:latest \
-c '/usr/bin/stat /etc/mailname'

Why would the file have a different number of hard links? So far, my guess is that it's due to the way the overlay Storage Driver for Docker is implemented.

I appears that I can reproduce this problem (the file has 7 hard links for me) when running Docker with the overlay Storage Driver.

I cannot reproduce it on machines that use the the overlay2 or devicemapper drivers.

Looking at the Overlay documentation confirms it:

While the overlay driver only works with a single lower OverlayFS layer and hence requires hard links for implementation of multi-layered images, the overlay2 driver natively supports up to 128 lower OverlayFS layers.

And here's another comment that confirms the Postfix problem.

While this is more of a problem caused by:

• a limitation of the overlay Docker storage driver
• postfix being overly-precautions about hard links

.. it still makes this image fail on Docker systems using the overlay driver.

If you'd like to support those, this image may employ some workaround.

It seems like the following code (to be executed before postfix set-permissions) should be able to work-around the problem, by making sure that a new file is created:

echo 'mail.example.com' > /etc/mailname

Either I am confused about how this is supposed to work, or it is not working. When I enter a value for
SMTPD_USERS (e.g. notblank:notblank ), I can still submit emails to postfix without any credentials and they are accepted and relayed. Is that expected behavior? Here are the relevant log entries:

postfix >> Setting smtpd sasl auth postfix >> Adding user SASL user: notblank Jul 19 06:06:22 saslpasswd2: error deleting entry from sasldb: BDB0073 DB_NOTFOUND: No matching key/data pair found Jul 19 06:06:22 saslpasswd2: error deleting entry from sasldb: BDB0073 DB_NOTFOUND: No matching key/data pair found Jul 19 06:06:22 saslpasswd2: error deleting entry from sasldb: BDB0073 DB_NOTFOUND: No matching key/data pair found Jul 19 06:06:22 saslpasswd2: DIGEST-MD5 common mech free smtp >> Info: "saslpasswd2: error deleting entry from sasldb: BDB0073 DB_NOTFOUND: No matching key/data pair found" can be ignored see https://github.com/cyrusimap/cyrus-sasl/issues/264

Adding support for sender_dependent_relayhost_maps will allow this container to send to different relay hosts based on the sender.

For example we want to send *@example.com via relay 1 and *@example.net via relay 2.

Unable to set the /etc/postfix/sasl-passwords file when a non-default port is used.
when a non default port is set .. the format become like
the format of the file is
[<domain_name>]:<Port> <user>:<Password>
However the code is incorrectly mentioned.

    IFS=',' read -r -a PASSWORDMAP <<< "${RELAYHOST_PASSWORDMAP}"
    for P in "${PASSWORDMAP[@]}"; do
        IFS=':' read -ra MAP <<< "$P"
        HOST=${MAP[0]}
        USER=${MAP[1]}
        PASS=${MAP[2]}

Here the USER becomes <Port> <user> which is incorrect.