fix: Dockerfile to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-ALPINE313-OPENSSL-2941811
- https://snyk.io/vuln/SNYK-ALPINE313-OPENSSL-2941811

.env.example

@@ -5,10 +5,10 @@
 # Optional: (Default value: 587) Port address of the SMTP server to use.
 #SMTP_PORT=
 
-# Mandatory: Username to authenticate with.
+# Optional: Username to authenticate with.
 #SMTP_USERNAME=
 
-# Mandatory: Password of the SMTP user. (Not needed if SMTP_PASSWORD_FILE is used)
+# Optional (Mandatory if SMTP_USERNAME is set): Password of the SMTP user. (Not needed if SMTP_PASSWORD_FILE is used)
 #SMTP_PASSWORD=
 
 # Mandatory: Server hostname for the Postfix container. Emails will appear to come from the hostname's domain.
@@ -17,7 +17,7 @@
 # Optional: This will add a header for tracking messages upstream. Helpful for spam filters. Will appear as "RelayTag: ${SMTP_HEADER_TAG}" in the email headers.
 #SMTP_HEADER_TAG=
 
-# Optional: This will add a header for tracking messages upstream. Helpful for spam filters. Will appear as "RelayTag: ${SMTP_HEADER_TAG}" in the email headers.
+# Optional: Setting this will allow you to add additional, comma seperated, subnets to use the relay. Used like SMTP_NETWORKS='xxx.xxx.xxx.xxx/xx,xxx.xxx.xxx.xxx/xx'.
 #SMTP_NETWORKS=
 
 # Optional: Set this to a mounted file containing the password, to avoid passwords in env variables.
@@ -27,4 +27,16 @@
 #ALWAYS_ADD_MISSING_HEADERS=yes
 
 # Optional: This will rewrite the from address overwriting it with the specified address for all email being relayed.
-#OVERWRITE_FROM="Your Name" <email@company.com>
+#OVERWRITE_FROM="Your Name" <email@company.com>
+
+# Optional: This will use allow you to set a custom $mydestination value. Default is localhost.
+#DESTINATION=
+
+# Optional: This will output the subject line of messages in the log.
+#LOG_SUBJECT=yes
+
+# Optional: This will disable (no) or enable (yes) the use of SMTPUTF8
+#SMTPUTF8_ENABLE=no
+
+# Optional: This will use allow you to set a custom $message_size_limit value. Default is 10240000.
+#MESSAGE_SIZE_LIMIT=

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,27 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: ''
+labels: ''
+assignees: ''
+
+---
+<!-- BEFORE SUBMITTING YOUR PR, PLEASE REMOVE THIS TEXT -->
+<!-- REMOVE START -->
+**Reporting a bug**
+
+First of all, this is **not** a problem reporting forum, only report if you are pretty sure what you are experiencing is a bug with this image, not a configuration issue, for that you can use the [Github discussions section](https://github.com/juanluisbaptiste/docker-postfix/discussions) and we will do our best to help you to figure out what's going on with your setup.
+
+Also be sure you are using the latest image by doing _docker pull juanluisbaptiste/postfix:latest_.
+<!-- REMOVE END -->
+
+**Please include the contents of:**
+
+  * Your docker-compose.yml file
+  * Your .env file file
+
+**Describe the issue**
+Please include a description of what you are trying to accomplish and what you are facing when running this container.
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.

.github/pull_request_template.md

@@ -0,0 +1,39 @@
+<!-- BEFORE SUBMITTING YOUR PR, PLEASE REMOVE THIS TEXT -->
+<!-- REMOVE START -->
+# Creating a Pull Request
+
+We use github actions to do automatic [semantic versioning](https://github.com/semantic-release/semantic-release), so please use the following nomenclature for the commit message according to the type of change:
+
+* Prefix with `feat:`, and it will trigger a minor version bump. 
+* Prefix with `fix:`, and it will trigger a patch version bump.
+* Prefix with `BREAKING CHANGE:`, and it will trigger a major version bump.
+<!-- REMOVE END -->
+
+## Description of the change
+<!--Please be very clear on the intention of the modifications included in the pull request.-->
+<!--If it is a bug, explain what is the issue at hand and how you are fixing it. -->
+<!--If it is an improvement, explain why do you think it is needed and the benefits it brings to the project. -->
+<!--Ideally I would recommend to create an issue first to discuss the new feature with the developers.-->
+
+## Motivation and Context
+<!--- Why is this change required? What problem does it solve? -->
+<!--- If it fixes an open issue, please link to the issue here. -->
+
+## How Has This Been Tested?
+<!--- Please describe in detail how you tested your changes. -->
+<!--- Include details of your testing environment, tests ran to see how -->
+
+## Types of Changes
+<!--- What types of changes does your code introduce? Put an `x` in all the boxes that apply: -->
+- [ ] Bug fix (non-breaking change which fixes an issue)
+- [ ] New feature (non-breaking change which adds functionality)
+- [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
+- [ ] Documentation (adding or updating documentation)
+
+## Checklist:
+<!--- Go over all the following points, and put an `x` in all the boxes that apply. -->
+<!--- If you're unsure about any of these, don't hesitate to ask. We're here to help! -->
+- [ ] My change requires a change to the documentation and I have updated the documentation accordingly.
+- [ ] My change adds a new configuration variable and I have updated the `.env.example` file accordingly.
+
+And lastly, many thanks for taking your time to help us improve this project !

.github/workflows/release.yml

@@ -0,0 +1,48 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - "*"
+
+jobs:
+  docker:
+    runs-on: ubuntu-20.04
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          token: ${{ secrets.API_GITHUB_TOKEN }}
+
+      - name: Docker meta
+        id: docker_meta
+        uses: crazy-max/ghaction-docker-meta@v2
+        with:
+          images: juanluisbaptiste/postfix
+          tags: |
+            type=semver,pattern={{major}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}.{{minor}}.{{patch}}
+            type=semver,pattern={{version}}
+            alpine
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Login to DockerHub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Build and push
+        uses: docker/build-push-action@v3.3.1
+        with:
+          push: true
+          platforms: linux/386,linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64
+          tags: ${{ steps.docker_meta.outputs.tags }}
+          labels: ${{ steps.docker_meta.outputs.labels }}

.github/workflows/test.yml

@@ -0,0 +1,36 @@
+name: Test
+
+on:
+  push:
+    branches: [master, develop]
+  pull_request:
+    branches: [master, develop]
+
+jobs:
+  build:
+    runs-on: ubuntu-20.04
+
+    steps:
+      - name: Checkout with token
+        if: github.event_name != 'pull_request'
+        uses: actions/checkout@v3
+        with:
+          token: ${{ secrets.API_GITHUB_TOKEN }}
+
+      - name: Checkout without token
+        if: github.event_name == 'pull_request'
+        uses: actions/checkout@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Docker Build Test
+        run: docker buildx build --load --tag test:test --file ./Dockerfile ./
+
+      - name: Version
+        if: github.event_name != 'pull_request'
+        uses: cycjimmy/semantic-release-action@v3
+        with:
+          semantic_version: 17.4
+        env:
+          GITHUB_TOKEN: ${{ secrets.API_GITHUB_TOKEN }}

.gitignore

@@ -0,0 +1 @@
+.env

.releaserc.yml

@@ -0,0 +1,11 @@
+---
+branches:
+  - name: master
+  - name: develop
+    prerelease: true
+plugins:
+  - "@semantic-release/commit-analyzer"
+  - "@semantic-release/release-notes-generator"
+  - - "@semantic-release/github"
+    - successComment: false
+      failComment: false

Dockerfile

@@ -1,15 +1,14 @@
 #Dockerfile for a Postfix email relay service
-FROM alpine:3.13
+FROM alpine:3.16
 MAINTAINER Juan Luis Baptiste juan.baptiste@gmail.com
 
 RUN apk update && \
     apk add bash gawk cyrus-sasl cyrus-sasl-login cyrus-sasl-crammd5 mailx \
-    perl supervisor postfix rsyslog && \
+    postfix && \
     rm -rf /var/cache/apk/* && \
     mkdir -p /var/log/supervisor/ /var/run/supervisor/ && \
     sed -i -e 's/inet_interfaces = localhost/inet_interfaces = all/g' /etc/postfix/main.cf
 
-COPY etc/ /etc/
 COPY run.sh /
 RUN chmod +x /run.sh
 RUN newaliases

README.md

@@ -3,21 +3,34 @@
 [![Docker Stars](https://img.shields.io/docker/stars/juanluisbaptiste/postfix.svg?style=flat-square)](https://hub.docker.com/r/juanluisbaptiste/postfix/)
 [![Docker Pulls](https://img.shields.io/docker/pulls/juanluisbaptiste/postfix.svg?style=flat-square)](https://hub.docker.com/r/juanluisbaptiste/postfix/)
 
-Simple Postfix SMTP TLS relay [docker](http://www.docker.com) image with no local authentication enabled (to be run in a secure LAN).
+Simple Postfix SMTP TLS relay [docker](http://www.docker.com) alpine based image with no local authentication enabled (to be run in a secure LAN).
 
-It also includes rsyslog to enable logging to stdout.
+This image is available for the following architectures:
 
+* 386
+* amd64 (_latest_ and _alpine_ tags)
+* armv6
+* armv7
+* arm64
 
 _If you want to follow the development of this project check out [my blog](https://www.juanbaptiste.tech/category/postfx)._
 
 ### Available image tags
 
-This image has been built on CentOS 7 since its inception, but the new CentOS 8 does [not include supervisor](https://github.com/juanluisbaptiste/docker-postfix/issues/16) anymore, so I have started migrating this image to Alpine linux. So currently there are two image tags available:
+We use semantic versioning for this image. For all supported architectures there are the following versioned tags:
 
-  * juanluisbaptiste/postfix:latest, current CentOS 7 based image
+* Major (1)
-  * juanluisbaptiste/postfix:alpine, new Alpine based image
+* Minor (1.0)
+* Patch (1.0.0)
 
-If testing goes well for some time, then the current CentOS image will be replaced by the new Alpine one, and _latest_ tag will point to it.
+Additionally the amd64 architecture has the following tags:
+
+* _latest_
+* _alpine_
+
+*_NOTES_*:
+  * The _alpine_ tag has been switched to use the master branch, but it's irrelevant as it is the same as _latest_.
+  * Old CentOS 7 based image is avaiable on the _centos_base_image branch_, but it is not being developed any more.
 
 ### Build instructions
 
@@ -26,7 +39,7 @@ Clone this repo and then:
     cd docker-Postfix
     sudo docker build -t juanluisbaptiste/postfix .
 
-Or you can use the provided [docker-compose](https://github.com/juanluisbaptiste/docker-postfix/blob/master/docker-compose.overrides.yml) files:
+Or you can use the provided [docker-compose](https://github.com/juanluisbaptiste/docker-postfix/blob/master/docker-compose.override.yml) files:
 
     sudo docker-compose build
 
@@ -40,8 +53,8 @@ The following env variables need to be passed to the container:
 
 * `SMTP_SERVER` Server address of the SMTP server to use.
 * `SMTP_PORT` (Optional, Default value: 587) Port address of the SMTP server to use.
-* `SMTP_USERNAME` Username to authenticate with.
+* `SMTP_USERNAME` (Optional) Username to authenticate with.
-* `SMTP_PASSWORD` Password of the SMTP user. If `SMTP_PASSWORD_FILE` is set, not needed.
+* `SMTP_PASSWORD` (Mandatory if `SMTP_USERNAME` is set) Password of the SMTP user. If `SMTP_PASSWORD_FILE` is set, not needed.
 * `SERVER_HOSTNAME` Server hostname for the Postfix container. Emails will appear to come from the hostname's domain.
 
 The following env variable(s) are optional.
@@ -53,12 +66,25 @@ The following env variable(s) are optional.
 * `SMTP_PASSWORD_FILE` Setting this to a mounted file containing the password, to avoid passwords in env variables. Used like
     -e SMTP_PASSWORD_FILE=/secrets/smtp_password
     -v $(pwd)/secrets/:/secrets/
+
+* `SMTP_USERNAME_FILE` Setting this to a mounted file containing the username, to avoid usernames in env variables. Used like
+    -e SMTP_USERNAME_FILE=/secrets/smtp_username
+    -v $(pwd)/secrets/:/secrets/
+
 * `ALWAYS_ADD_MISSING_HEADERS` This is related to the [always\_add\_missing\_headers](http://www.postfix.org/postconf.5.html#always_add_missing_headers) Postfix option (default: `no`). If set to `yes`, Postfix will always add missing headers among `From:`, `To:`, `Date:` or `Message-ID:`.
 
 * `OVERWRITE_FROM` This will rewrite the from address overwriting it with the specified address for all email being relayed. Example settings:
     OVERWRITE_FROM=email@company.com
     OVERWRITE_FROM="Your Name" <email@company.com>
 
+* `DESTINATION` This will define a list of domains from which incoming messages will be accepted.
+
+* `LOG_SUBJECT` This will output the subject line of messages in the log.
+
+* `SMTPUTF8_ENABLE` This will enable (default) or disable support for SMTPUTF8. Valid values are `no` to disable and `yes` to enable. Not setting this variable will use the postfix default, which is `yes`.
+
+* `MESSAGE_SIZE_LIMIT` This will change the default limit of 10240000 bytes (10MB).
+
 To use this container from anywhere, the 25 port or the one specified by `SMTP_PORT` needs to be exposed to the docker host server:
 
     docker run -d --name postfix -p "25:25"  \

etc/rsyslog.conf

@@ -1,90 +0,0 @@
-# rsyslog configuration file
-
-# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
-# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
-
-#### MODULES ####
-
-# The imjournal module bellow is now used as a message source instead of imuxsock.
-$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
-#$ModLoad imklog # reads kernel messages (the same are read from journald)
-#$ModLoad immark  # provides --MARK-- message capability
-
-# Provides UDP syslog reception
-#$ModLoad imudp
-#$UDPServerRun 514
-
-# Provides TCP syslog reception
-#$ModLoad imtcp
-#$InputTCPServerRun 514
-
-
-#### GLOBAL DIRECTIVES ####
-
-# Where to place auxiliary files
-$WorkDirectory /var/lib/rsyslog
-
-# Use default timestamp format
-$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
-
-# File syncing capability is disabled by default. This feature is usually not required,
-# not useful and an extreme performance hit
-#$ActionFileEnableSync on
-
-# Include all config files in /etc/rsyslog.d/
-$IncludeConfig /etc/rsyslog.d/*.conf
-
-# Turn off message reception via local log socket;
-# local messages are retrieved through imjournal now.
-$OmitLocalLogging off
-
-# File to store the position in the journal
-#$IMJournalStateFile imjournal.state
-
-
-#### RULES ####
-
-# Log all kernel messages to the console.
-# Logging much else clutters up the screen.
-#kern.*                                                 /dev/console
-
-# Log anything (except mail) of level info or higher.
-# Don't log private authentication messages!
-*.info;mail.none;authpriv.none;cron.none                /var/log/messages
-
-# The authpriv file has restricted access.
-authpriv.*                                              /var/log/secure
-
-# Log all the mail messages in one place.
-mail.*                                                  -/var/log/maillog
-
-
-# Log cron stuff
-cron.*                                                  /var/log/cron
-
-# Everybody gets emergency messages
-*.emerg                                                 :omusrmsg:*
-
-# Save news errors of level crit and higher in a special file.
-uucp,news.crit                                          /var/log/spooler
-
-# Save boot messages also to boot.log
-local7.*                                                /var/log/boot.log
-
-
-# ### begin forwarding rule ###
-# The statement between the begin ... end define a SINGLE forwarding
-# rule. They belong together, do NOT split them. If you create multiple
-# forwarding rules, duplicate the whole block!
-# Remote Logging (we use TCP for reliable delivery)
-#
-# An on-disk queue is created for this action. If the remote host is
-# down, messages are spooled to disk and sent when it is up again.
-#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
-#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
-#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
-#$ActionQueueType LinkedList   # run asynchronously
-#$ActionResumeRetryCount -1    # infinite retries if host is down
-# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
-#*.* @@remote-host:514
-# ### end of the forwarding rule ###

etc/rsyslog.d/listen.conf

@@ -1 +0,0 @@
-$SystemLogSocketName /dev/log

etc/supervisord.conf

@@ -1,129 +0,0 @@
-; Sample supervisor config file.
-
-[unix_http_server]
-file=/var/run/supervisor/supervisor.sock   ; (the path to the socket file)
-;chmod=0700                 ; sockef file mode (default 0700)
-;chown=nobody:nogroup       ; socket file uid:gid owner
-;username=user              ; (default is no username (open server))
-;password=123               ; (default is no password (open server))
-
-;[inet_http_server]         ; inet (TCP) server disabled by default
-;port=127.0.0.1:9001        ; (ip_address:port specifier, *:port for all iface)
-;username=user              ; (default is no username (open server))
-;password=123               ; (default is no password (open server))
-
-[supervisord]
-logfile=/var/log/supervisor/supervisord.log  ; (main log file;default $CWD/supervisord.log)
-logfile_maxbytes=50MB       ; (max main logfile bytes b4 rotation;default 50MB)
-logfile_backups=10          ; (num of main logfile rotation backups;default 10)
-loglevel=info               ; (log level;default info; others: debug,warn,trace)
-pidfile=/var/run/supervisord.pid ; (supervisord pidfile;default supervisord.pid)
-nodaemon=true              ; (start in foreground if true;default false)
-minfds=1024                 ; (min. avail startup file descriptors;default 1024)
-minprocs=200                ; (min. avail process descriptors;default 200)
-;umask=022                  ; (process file creation umask;default 022)
-user=root                 ; (default is current user, required if root)
-;identifier=supervisor       ; (supervisord identifier, default is 'supervisor')
-;directory=/tmp              ; (default is not to cd during start)
-;nocleanup=true              ; (don't clean up tempfiles at start;default false)
-;childlogdir=/tmp            ; ('AUTO' child log dir, default $TEMP)
-;environment=KEY=value       ; (key value pairs to add to environment)
-;strip_ansi=false            ; (strip ansi escape codes in logs; def. false)
-
-; the below section must remain in the config file for RPC
-; (supervisorctl/web interface) to work, additional interfaces may be
-; added by defining them in separate rpcinterface: sections
-[rpcinterface:supervisor]
-supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface
-
-[supervisorctl]
-serverurl=unix:///var/run/supervisor/supervisor.sock ; use a unix:// URL  for a unix socket
-;serverurl=http://127.0.0.1:9001 ; use an http:// url to specify an inet socket
-;username=chris              ; should be same as http_username if set
-;password=123                ; should be same as http_password if set
-;prompt=mysupervisor         ; cmd line prompt (default "supervisor")
-;history_file=~/.sc_history  ; use readline history if available
-
-; The below sample program section shows all possible program subsection values,
-; create one or more 'real' program: sections to be able to control them under
-; supervisor.
-
-;[program:theprogramname]
-;command=/bin/cat              ; the program (relative uses PATH, can take args)
-;process_name=%(program_name)s ; process_name expr (default %(program_name)s)
-;numprocs=1                    ; number of processes copies to start (def 1)
-;directory=/tmp                ; directory to cwd to before exec (def no cwd)
-;umask=022                     ; umask for process (default None)
-;priority=999                  ; the relative start priority (default 999)
-;autostart=true                ; start at supervisord start (default: true)
-;autorestart=true              ; retstart at unexpected quit (default: true)
-;startsecs=10                  ; number of secs prog must stay running (def. 1)
-;startretries=3                ; max # of serial start failures (default 3)
-;exitcodes=0,2                 ; 'expected' exit codes for process (default 0,2)
-;stopsignal=QUIT               ; signal used to kill process (default TERM)
-;stopwaitsecs=10               ; max num secs to wait b4 SIGKILL (default 10)
-;user=chrism                   ; setuid to this UNIX account to run the program
-;redirect_stderr=true          ; redirect proc stderr to stdout (default false)
-;stdout_logfile=/a/path        ; stdout log path, NONE for none; default AUTO
-;stdout_logfile_maxbytes=1MB   ; max # logfile bytes b4 rotation (default 50MB)
-;stdout_logfile_backups=10     ; # of stdout logfile backups (default 10)
-;stdout_capture_maxbytes=1MB   ; number of bytes in 'capturemode' (default 0)
-;stdout_events_enabled=false   ; emit events on stdout writes (default false)
-;stderr_logfile=/a/path        ; stderr log path, NONE for none; default AUTO
-;stderr_logfile_maxbytes=1MB   ; max # logfile bytes b4 rotation (default 50MB)
-;stderr_logfile_backups=10     ; # of stderr logfile backups (default 10)
-;stderr_capture_maxbytes=1MB   ; number of bytes in 'capturemode' (default 0)
-;stderr_events_enabled=false   ; emit events on stderr writes (default false)
-;environment=A=1,B=2           ; process environment additions (def no adds)
-;serverurl=AUTO                ; override serverurl computation (childutils)
-
-; The below sample eventlistener section shows all possible
-; eventlistener subsection values, create one or more 'real'
-; eventlistener: sections to be able to handle event notifications
-; sent by supervisor.
-
-;[eventlistener:theeventlistenername]
-;command=/bin/eventlistener    ; the program (relative uses PATH, can take args)
-;process_name=%(program_name)s ; process_name expr (default %(program_name)s)
-;numprocs=1                    ; number of processes copies to start (def 1)
-;events=EVENT                  ; event notif. types to subscribe to (req'd)
-;buffer_size=10                ; event buffer queue size (default 10)
-;directory=/tmp                ; directory to cwd to before exec (def no cwd)
-;umask=022                     ; umask for process (default None)
-;priority=-1                   ; the relative start priority (default -1)
-;autostart=true                ; start at supervisord start (default: true)
-;autorestart=unexpected        ; restart at unexpected quit (default: unexpected)
-;startsecs=10                  ; number of secs prog must stay running (def. 1)
-;startretries=3                ; max # of serial start failures (default 3)
-;exitcodes=0,2                 ; 'expected' exit codes for process (default 0,2)
-;stopsignal=QUIT               ; signal used to kill process (default TERM)
-;stopwaitsecs=10               ; max num secs to wait b4 SIGKILL (default 10)
-;user=chrism                   ; setuid to this UNIX account to run the program
-;redirect_stderr=true          ; redirect proc stderr to stdout (default false)
-;stdout_logfile=/a/path        ; stdout log path, NONE for none; default AUTO
-;stdout_logfile_maxbytes=1MB   ; max # logfile bytes b4 rotation (default 50MB)
-;stdout_logfile_backups=10     ; # of stdout logfile backups (default 10)
-;stdout_events_enabled=false   ; emit events on stdout writes (default false)
-;stderr_logfile=/a/path        ; stderr log path, NONE for none; default AUTO
-;stderr_logfile_maxbytes=1MB   ; max # logfile bytes b4 rotation (default 50MB)
-;stderr_logfile_backups        ; # of stderr logfile backups (default 10)
-;stderr_events_enabled=false   ; emit events on stderr writes (default false)
-;environment=A=1,B=2           ; process environment additions
-;serverurl=AUTO                ; override serverurl computation (childutils)
-
-; The below sample group section shows all possible group values,
-; create one or more 'real' group: sections to create "heterogeneous"
-; process groups.
-
-;[group:thegroupname]
-;programs=progname1,progname2  ; each refers to 'x' in [program:x] definitions
-;priority=999                  ; the relative start priority (default 999)
-
-; The [include] section can just contain the "files" setting.  This
-; setting can list multiple files (separated by whitespace or
-; newlines).  It can also contain wildcards.  The filenames are
-; interpreted as relative to this file.  Included files *cannot*
-; include files themselves.
-
-[include]
-files = supervisord.d/*.ini

etc/supervisord.d/postfix.ini

@@ -1,5 +0,0 @@
-[program:postfix]
-process_name = master
-command=/usr/sbin/postfix -c /etc/postfix start
-startsecs=0
-autorestart=false

etc/supervisord.d/readlog.ini

@@ -1,4 +0,0 @@
-[program:readlog]
-command=/usr/bin/tail -f /var/log/maillog
-stdout_logfile=/dev/fd/1
-stdout_logfile_maxbytes=0

etc/supervisord.d/rsyslog.ini

@@ -1,2 +0,0 @@
-[program:rsyslog]
-command=/usr/sbin/rsyslogd -n

run.sh

@@ -13,13 +13,13 @@ function add_config_value() {
  postconf -e "${key} = ${value}"
 }
 
-# Read password from file to avoid unsecure env variables
+# Read password and username from file to avoid unsecure env variables
-if [ -n "${SMTP_PASSWORD_FILE}" ]; then [ -f "${SMTP_PASSWORD_FILE}" ] && read SMTP_PASSWORD < ${SMTP_PASSWORD_FILE} || echo "SMTP_PASSWORD_FILE defined, but file not existing, skipping."; fi
+if [ -n "${SMTP_PASSWORD_FILE}" ]; then [ -e "${SMTP_PASSWORD_FILE}" ] && SMTP_PASSWORD=$(cat "${SMTP_PASSWORD_FILE}") || echo "SMTP_PASSWORD_FILE defined, but file not existing, skipping."; fi
+if [ -n "${SMTP_USERNAME_FILE}" ]; then [ -e "${SMTP_USERNAME_FILE}" ] && SMTP_USERNAME=$(cat "${SMTP_USERNAME_FILE}") || echo "SMTP_USERNAME_FILE defined, but file not existing, skipping."; fi
 
 [ -z "${SMTP_SERVER}" ] && echo "SMTP_SERVER is not set" && exit 1
-[ -z "${SMTP_USERNAME}" ] && echo "SMTP_USERNAME is not set" && exit 1
-[ -z "${SMTP_PASSWORD}" ] && echo "SMTP_PASSWORD is not set" && exit 1
 [ -z "${SERVER_HOSTNAME}" ] && echo "SERVER_HOSTNAME is not set" && exit 1
+[ ! -z "${SMTP_USERNAME}" -a -z "${SMTP_PASSWORD}" ] && echo "SMTP_USERNAME is set but SMTP_PASSWORD is not set" && exit 1
 
 SMTP_PORT="${SMTP_PORT:-587}"
 
@@ -27,24 +27,33 @@ SMTP_PORT="${SMTP_PORT:-587}"
 DOMAIN=`echo ${SERVER_HOSTNAME} | awk 'BEGIN{FS=OFS="."}{print $(NF-1),$NF}'`
 
 # Set needed config options
+add_config_value "maillog_file" "/dev/stdout"
 add_config_value "myhostname" ${SERVER_HOSTNAME}
 add_config_value "mydomain" ${DOMAIN}
-add_config_value "mydestination" 'localhost'
+add_config_value "mydestination" "${DESTINATION:-localhost}"
 add_config_value "myorigin" '$mydomain'
 add_config_value "relayhost" "[${SMTP_SERVER}]:${SMTP_PORT}"
 add_config_value "smtp_use_tls" "yes"
-add_config_value "smtp_sasl_auth_enable" "yes"
+if [ ! -z "${SMTP_USERNAME}" ]; then
-add_config_value "smtp_sasl_password_maps" "lmdb:/etc/postfix/sasl_passwd"
+  add_config_value "smtp_sasl_auth_enable" "yes"
-add_config_value "smtp_sasl_security_options" "noanonymous"
+  add_config_value "smtp_sasl_password_maps" "lmdb:/etc/postfix/sasl_passwd"
+  add_config_value "smtp_sasl_security_options" "noanonymous"
+fi
 add_config_value "always_add_missing_headers" "${ALWAYS_ADD_MISSING_HEADERS:-no}"
+#Also use "native" option to allow looking up hosts added to /etc/hosts via
+# docker options (issue #51)
+add_config_value "smtp_host_lookup" "native,dns"
 
 if [ "${SMTP_PORT}" = "465" ]; then
   add_config_value "smtp_tls_wrappermode" "yes"
   add_config_value "smtp_tls_security_level" "encrypt"
 fi
 
+# Bind to both IPv4 and IPv4
+add_config_value "inet_protocols" "all"
+
 # Create sasl_passwd file with auth credentials
-if [ ! -f /etc/postfix/sasl_passwd ]; then
+if [ ! -f /etc/postfix/sasl_passwd -a ! -z "${SMTP_USERNAME}" ]; then
   grep -q "${SMTP_SERVER}" /etc/postfix/sasl_passwd  > /dev/null 2>&1
   if [ $? -gt 0 ]; then
     echo "Adding SASL authentication configuration"
@@ -55,24 +64,49 @@ fi
 
 #Set header tag
 if [ ! -z "${SMTP_HEADER_TAG}" ]; then
-  postconf -e "header_checks = regexp:/etc/postfix/header_tag"
+  postconf -e "header_checks = regexp:/etc/postfix/header_checks"
-  echo -e "/^MIME-Version:/i PREPEND RelayTag: $SMTP_HEADER_TAG\n/^Content-Transfer-Encoding:/i PREPEND RelayTag: $SMTP_HEADER_TAG" > /etc/postfix/header_tag
+  echo -e "/^MIME-Version:/i PREPEND RelayTag: $SMTP_HEADER_TAG\n/^Content-Transfer-Encoding:/i PREPEND RelayTag: $SMTP_HEADER_TAG" >> /etc/postfix/header_checks
   echo "Setting configuration option SMTP_HEADER_TAG with value: ${SMTP_HEADER_TAG}"
 fi
 
+#Enable logging of subject line
+if [ "${LOG_SUBJECT}" == "yes" ]; then
+  postconf -e "header_checks = regexp:/etc/postfix/header_checks"
+  echo -e "/^Subject:/ WARN" >> /etc/postfix/header_checks
+  echo "Enabling logging of subject line"
+fi
+
 #Check for subnet restrictions
 nets='10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16'
 if [ ! -z "${SMTP_NETWORKS}" ]; then
-        for i in $(sed 's/,/\ /g' <<<$SMTP_NETWORKS); do
+  declare ipv6re="^((([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|\
-                if grep -Eq "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/[0-9]{1,2}" <<<$i ; then
+    ([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|\
-                        nets+=", $i"
+    ([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|\
-                else
+    ([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|\
-                        echo "$i is not in proper IPv4 subnet format. Ignoring."
+    :((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}|\
-                fi
+    ::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|\
-        done
+    (2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|\
+    (2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))/[0-9]{1,3})$"
+
+  for i in $(sed 's/,/\ /g' <<<$SMTP_NETWORKS); do
+    if grep -Eq "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/[0-9]{1,2}" <<<$i ; then
+      nets+=", $i"
+    elif grep -Eq "$ipv6re" <<<$i ; then
+      readarray -d \/ -t arr < <(printf '%s' "$i")
+      nets+=", [${arr[0]}]/${arr[1]}"
+    else
+      echo "$i is not in proper IPv4 or IPv6 subnet format. Ignoring."
+    fi
+  done
 fi
 add_config_value "mynetworks" "${nets}"
 
+# Set SMTPUTF8
+if [ ! -z "${SMTPUTF8_ENABLE}" ]; then
+  postconf -e "smtputf8_enable = ${SMTPUTF8_ENABLE}"
+  echo "Setting configuration option smtputf8_enable with value: ${SMTPUTF8_ENABLE}"
+fi
+
 if [ ! -z "${OVERWRITE_FROM}" ]; then
   echo -e "/^From:.*$/ REPLACE From: $OVERWRITE_FROM" > /etc/postfix/smtp_header_checks
   postmap /etc/postfix/smtp_header_checks
@@ -80,10 +114,16 @@ if [ ! -z "${OVERWRITE_FROM}" ]; then
   echo "Setting configuration option OVERWRITE_FROM with value: ${OVERWRITE_FROM}"
 fi
 
+# Set message_size_limit
+if [ ! -z "${MESSAGE_SIZE_LIMIT}" ]; then
+  postconf -e "message_size_limit = ${MESSAGE_SIZE_LIMIT}"
+  echo "Setting configuration option message_size_limit with value: ${MESSAGE_SIZE_LIMIT}"
+fi
+
 #Start services
 
 # If host mounting /var/spool/postfix, we need to delete old pid file before
 # starting services
 rm -f /var/spool/postfix/pid/master.pid
 
-exec supervisord -c /etc/supervisord.conf
+exec /usr/sbin/postfix -c /etc/postfix start-fg