fix: Dockerfile to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-ALPINE315-OPENSSL-5661569
- https://snyk.io/vuln/SNYK-ALPINE315-OPENSSL-5661569

.env.example

@@ -28,3 +28,15 @@
 
 # Optional: This will rewrite the from address overwriting it with the specified address for all email being relayed.
 #OVERWRITE_FROM="Your Name" <email@company.com>
+
+# Optional: This will use allow you to set a custom $mydestination value. Default is localhost.
+#DESTINATION=
+
+# Optional: This will output the subject line of messages in the log.
+#LOG_SUBJECT=yes
+
+# Optional: This will disable (no) or enable (yes) the use of SMTPUTF8
+#SMTPUTF8_ENABLE=no
+
+# Optional: This will use allow you to set a custom $message_size_limit value. Default is 10240000.
+#MESSAGE_SIZE_LIMIT=

.github/ISSUE_TEMPLATE/bug_report.md

@@ -6,12 +6,14 @@ labels: ''
 assignees: ''
 
 ---
-
+<!-- BEFORE SUBMITTING YOUR PR, PLEASE REMOVE THIS TEXT -->
+<!-- REMOVE START -->
 **Reporting a bug**
 
 First of all, this is **not** a problem reporting forum, only report if you are pretty sure what you are experiencing is a bug with this image, not a configuration issue, for that you can use the [Github discussions section](https://github.com/juanluisbaptiste/docker-postfix/discussions) and we will do our best to help you to figure out what's going on with your setup.
 
 Also be sure you are using the latest image by doing _docker pull juanluisbaptiste/postfix:latest_.
+<!-- REMOVE END -->
 
 **Please include the contents of:**
 

.github/pull_request_template.md

@@ -0,0 +1,39 @@
+<!-- BEFORE SUBMITTING YOUR PR, PLEASE REMOVE THIS TEXT -->
+<!-- REMOVE START -->
+# Creating a Pull Request
+
+We use github actions to do automatic [semantic versioning](https://github.com/semantic-release/semantic-release), so please use the following nomenclature for the commit message according to the type of change:
+
+* Prefix with `feat:`, and it will trigger a minor version bump. 
+* Prefix with `fix:`, and it will trigger a patch version bump.
+* Prefix with `BREAKING CHANGE:`, and it will trigger a major version bump.
+<!-- REMOVE END -->
+
+## Description of the change
+<!--Please be very clear on the intention of the modifications included in the pull request.-->
+<!--If it is a bug, explain what is the issue at hand and how you are fixing it. -->
+<!--If it is an improvement, explain why do you think it is needed and the benefits it brings to the project. -->
+<!--Ideally I would recommend to create an issue first to discuss the new feature with the developers.-->
+
+## Motivation and Context
+<!--- Why is this change required? What problem does it solve? -->
+<!--- If it fixes an open issue, please link to the issue here. -->
+
+## How Has This Been Tested?
+<!--- Please describe in detail how you tested your changes. -->
+<!--- Include details of your testing environment, tests ran to see how -->
+
+## Types of Changes
+<!--- What types of changes does your code introduce? Put an `x` in all the boxes that apply: -->
+- [ ] Bug fix (non-breaking change which fixes an issue)
+- [ ] New feature (non-breaking change which adds functionality)
+- [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
+- [ ] Documentation (adding or updating documentation)
+
+## Checklist:
+<!--- Go over all the following points, and put an `x` in all the boxes that apply. -->
+<!--- If you're unsure about any of these, don't hesitate to ask. We're here to help! -->
+- [ ] My change requires a change to the documentation and I have updated the documentation accordingly.
+- [ ] My change adds a new configuration variable and I have updated the `.env.example` file accordingly.
+
+And lastly, many thanks for taking your time to help us improve this project !

.github/workflows/release.yml

@@ -11,7 +11,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
           token: ${{ secrets.API_GITHUB_TOKEN }}
 
@@ -28,19 +28,19 @@ jobs:
             alpine
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
+        uses: docker/setup-qemu-action@v2
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
 
       - name: Login to DockerHub
-        uses: docker/login-action@v1
+        uses: docker/login-action@v2
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
 
       - name: Build and push
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v3.3.1
         with:
           push: true
           platforms: linux/386,linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64

.github/workflows/test.yml

@@ -13,23 +13,23 @@ jobs:
     steps:
       - name: Checkout with token
         if: github.event_name != 'pull_request'
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
           token: ${{ secrets.API_GITHUB_TOKEN }}
 
       - name: Checkout without token
         if: github.event_name == 'pull_request'
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
 
       - name: Docker Build Test
         run: docker buildx build --load --tag test:test --file ./Dockerfile ./
 
       - name: Version
         if: github.event_name != 'pull_request'
-        uses: cycjimmy/semantic-release-action@v2.5.3
+        uses: cycjimmy/semantic-release-action@v3
         with:
           semantic_version: 17.4
         env:

Dockerfile

@@ -1,15 +1,14 @@
 #Dockerfile for a Postfix email relay service
-FROM alpine:3.13
+FROM alpine:3
 MAINTAINER Juan Luis Baptiste juan.baptiste@gmail.com
 
 RUN apk update && \
     apk add bash gawk cyrus-sasl cyrus-sasl-login cyrus-sasl-crammd5 mailx \
-    perl supervisor postfix rsyslog && \
+    postfix && \
     rm -rf /var/cache/apk/* && \
     mkdir -p /var/log/supervisor/ /var/run/supervisor/ && \
     sed -i -e 's/inet_interfaces = localhost/inet_interfaces = all/g' /etc/postfix/main.cf
 
-COPY etc/ /etc/
 COPY run.sh /
 RUN chmod +x /run.sh
 RUN newaliases

README.md

@@ -13,9 +13,6 @@ This image is available for the following architectures:
 * armv7
 * arm64
 
-It also includes rsyslog to enable logging to stdout.
-
-
 _If you want to follow the development of this project check out [my blog](https://www.juanbaptiste.tech/category/postfx)._
 
 ### Available image tags
@@ -69,12 +66,25 @@ The following env variable(s) are optional.
 * `SMTP_PASSWORD_FILE` Setting this to a mounted file containing the password, to avoid passwords in env variables. Used like
     -e SMTP_PASSWORD_FILE=/secrets/smtp_password
     -v $(pwd)/secrets/:/secrets/
+
+* `SMTP_USERNAME_FILE` Setting this to a mounted file containing the username, to avoid usernames in env variables. Used like
+    -e SMTP_USERNAME_FILE=/secrets/smtp_username
+    -v $(pwd)/secrets/:/secrets/
+
 * `ALWAYS_ADD_MISSING_HEADERS` This is related to the [always\_add\_missing\_headers](http://www.postfix.org/postconf.5.html#always_add_missing_headers) Postfix option (default: `no`). If set to `yes`, Postfix will always add missing headers among `From:`, `To:`, `Date:` or `Message-ID:`.
 
 * `OVERWRITE_FROM` This will rewrite the from address overwriting it with the specified address for all email being relayed. Example settings:
     OVERWRITE_FROM=email@company.com
     OVERWRITE_FROM="Your Name" <email@company.com>
 
+* `DESTINATION` This will define a list of domains from which incoming messages will be accepted.
+
+* `LOG_SUBJECT` This will output the subject line of messages in the log.
+
+* `SMTPUTF8_ENABLE` This will enable (default) or disable support for SMTPUTF8. Valid values are `no` to disable and `yes` to enable. Not setting this variable will use the postfix default, which is `yes`.
+
+* `MESSAGE_SIZE_LIMIT` This will change the default limit of 10240000 bytes (10MB).
+
 To use this container from anywhere, the 25 port or the one specified by `SMTP_PORT` needs to be exposed to the docker host server:
 
     docker run -d --name postfix -p "25:25"  \

etc/rsyslog.conf

@@ -1,90 +0,0 @@
-# rsyslog configuration file
-
-# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
-# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
-
-#### MODULES ####
-
-# The imjournal module bellow is now used as a message source instead of imuxsock.
-$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
-#$ModLoad imklog # reads kernel messages (the same are read from journald)
-#$ModLoad immark  # provides --MARK-- message capability
-
-# Provides UDP syslog reception
-#$ModLoad imudp
-#$UDPServerRun 514
-
-# Provides TCP syslog reception
-#$ModLoad imtcp
-#$InputTCPServerRun 514
-
-
-#### GLOBAL DIRECTIVES ####
-
-# Where to place auxiliary files
-$WorkDirectory /var/lib/rsyslog
-
-# Use default timestamp format
-$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
-
-# File syncing capability is disabled by default. This feature is usually not required,
-# not useful and an extreme performance hit
-#$ActionFileEnableSync on
-
-# Include all config files in /etc/rsyslog.d/
-$IncludeConfig /etc/rsyslog.d/*.conf
-
-# Turn off message reception via local log socket;
-# local messages are retrieved through imjournal now.
-$OmitLocalLogging off
-
-# File to store the position in the journal
-#$IMJournalStateFile imjournal.state
-
-
-#### RULES ####
-
-# Log all kernel messages to the console.
-# Logging much else clutters up the screen.
-#kern.*                                                 /dev/console
-
-# Log anything (except mail) of level info or higher.
-# Don't log private authentication messages!
-*.info;mail.none;authpriv.none;cron.none                /var/log/messages
-
-# The authpriv file has restricted access.
-authpriv.*                                              /var/log/secure
-
-# Log all the mail messages in one place.
-mail.*                                                  -/var/log/maillog
-
-
-# Log cron stuff
-cron.*                                                  /var/log/cron
-
-# Everybody gets emergency messages
-*.emerg                                                 :omusrmsg:*
-
-# Save news errors of level crit and higher in a special file.
-uucp,news.crit                                          /var/log/spooler
-
-# Save boot messages also to boot.log
-local7.*                                                /var/log/boot.log
-
-
-# ### begin forwarding rule ###
-# The statement between the begin ... end define a SINGLE forwarding
-# rule. They belong together, do NOT split them. If you create multiple
-# forwarding rules, duplicate the whole block!
-# Remote Logging (we use TCP for reliable delivery)
-#
-# An on-disk queue is created for this action. If the remote host is
-# down, messages are spooled to disk and sent when it is up again.
-#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
-#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
-#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
-#$ActionQueueType LinkedList   # run asynchronously
-#$ActionResumeRetryCount -1    # infinite retries if host is down
-# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
-#*.* @@remote-host:514
-# ### end of the forwarding rule ###

etc/rsyslog.d/listen.conf

@@ -1 +0,0 @@
-$SystemLogSocketName /dev/log

etc/supervisord.conf

@@ -1,129 +0,0 @@
-; Sample supervisor config file.
-
-[unix_http_server]
-file=/var/run/supervisor/supervisor.sock   ; (the path to the socket file)
-;chmod=0700                 ; sockef file mode (default 0700)
-;chown=nobody:nogroup       ; socket file uid:gid owner
-;username=user              ; (default is no username (open server))
-;password=123               ; (default is no password (open server))
-
-;[inet_http_server]         ; inet (TCP) server disabled by default
-;port=127.0.0.1:9001        ; (ip_address:port specifier, *:port for all iface)
-;username=user              ; (default is no username (open server))
-;password=123               ; (default is no password (open server))
-
-[supervisord]
-logfile=/var/log/supervisor/supervisord.log  ; (main log file;default $CWD/supervisord.log)
-logfile_maxbytes=50MB       ; (max main logfile bytes b4 rotation;default 50MB)
-logfile_backups=10          ; (num of main logfile rotation backups;default 10)
-loglevel=info               ; (log level;default info; others: debug,warn,trace)
-pidfile=/var/run/supervisord.pid ; (supervisord pidfile;default supervisord.pid)
-nodaemon=true              ; (start in foreground if true;default false)
-minfds=1024                 ; (min. avail startup file descriptors;default 1024)
-minprocs=200                ; (min. avail process descriptors;default 200)
-;umask=022                  ; (process file creation umask;default 022)
-user=root                 ; (default is current user, required if root)
-;identifier=supervisor       ; (supervisord identifier, default is 'supervisor')
-;directory=/tmp              ; (default is not to cd during start)
-;nocleanup=true              ; (don't clean up tempfiles at start;default false)
-;childlogdir=/tmp            ; ('AUTO' child log dir, default $TEMP)
-;environment=KEY=value       ; (key value pairs to add to environment)
-;strip_ansi=false            ; (strip ansi escape codes in logs; def. false)
-
-; the below section must remain in the config file for RPC
-; (supervisorctl/web interface) to work, additional interfaces may be
-; added by defining them in separate rpcinterface: sections
-[rpcinterface:supervisor]
-supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface
-
-[supervisorctl]
-serverurl=unix:///var/run/supervisor/supervisor.sock ; use a unix:// URL  for a unix socket
-;serverurl=http://127.0.0.1:9001 ; use an http:// url to specify an inet socket
-;username=chris              ; should be same as http_username if set
-;password=123                ; should be same as http_password if set
-;prompt=mysupervisor         ; cmd line prompt (default "supervisor")
-;history_file=~/.sc_history  ; use readline history if available
-
-; The below sample program section shows all possible program subsection values,
-; create one or more 'real' program: sections to be able to control them under
-; supervisor.
-
-;[program:theprogramname]
-;command=/bin/cat              ; the program (relative uses PATH, can take args)
-;process_name=%(program_name)s ; process_name expr (default %(program_name)s)
-;numprocs=1                    ; number of processes copies to start (def 1)
-;directory=/tmp                ; directory to cwd to before exec (def no cwd)
-;umask=022                     ; umask for process (default None)
-;priority=999                  ; the relative start priority (default 999)
-;autostart=true                ; start at supervisord start (default: true)
-;autorestart=true              ; retstart at unexpected quit (default: true)
-;startsecs=10                  ; number of secs prog must stay running (def. 1)
-;startretries=3                ; max # of serial start failures (default 3)
-;exitcodes=0,2                 ; 'expected' exit codes for process (default 0,2)
-;stopsignal=QUIT               ; signal used to kill process (default TERM)
-;stopwaitsecs=10               ; max num secs to wait b4 SIGKILL (default 10)
-;user=chrism                   ; setuid to this UNIX account to run the program
-;redirect_stderr=true          ; redirect proc stderr to stdout (default false)
-;stdout_logfile=/a/path        ; stdout log path, NONE for none; default AUTO
-;stdout_logfile_maxbytes=1MB   ; max # logfile bytes b4 rotation (default 50MB)
-;stdout_logfile_backups=10     ; # of stdout logfile backups (default 10)
-;stdout_capture_maxbytes=1MB   ; number of bytes in 'capturemode' (default 0)
-;stdout_events_enabled=false   ; emit events on stdout writes (default false)
-;stderr_logfile=/a/path        ; stderr log path, NONE for none; default AUTO
-;stderr_logfile_maxbytes=1MB   ; max # logfile bytes b4 rotation (default 50MB)
-;stderr_logfile_backups=10     ; # of stderr logfile backups (default 10)
-;stderr_capture_maxbytes=1MB   ; number of bytes in 'capturemode' (default 0)
-;stderr_events_enabled=false   ; emit events on stderr writes (default false)
-;environment=A=1,B=2           ; process environment additions (def no adds)
-;serverurl=AUTO                ; override serverurl computation (childutils)
-
-; The below sample eventlistener section shows all possible
-; eventlistener subsection values, create one or more 'real'
-; eventlistener: sections to be able to handle event notifications
-; sent by supervisor.
-
-;[eventlistener:theeventlistenername]
-;command=/bin/eventlistener    ; the program (relative uses PATH, can take args)
-;process_name=%(program_name)s ; process_name expr (default %(program_name)s)
-;numprocs=1                    ; number of processes copies to start (def 1)
-;events=EVENT                  ; event notif. types to subscribe to (req'd)
-;buffer_size=10                ; event buffer queue size (default 10)
-;directory=/tmp                ; directory to cwd to before exec (def no cwd)
-;umask=022                     ; umask for process (default None)
-;priority=-1                   ; the relative start priority (default -1)
-;autostart=true                ; start at supervisord start (default: true)
-;autorestart=unexpected        ; restart at unexpected quit (default: unexpected)
-;startsecs=10                  ; number of secs prog must stay running (def. 1)
-;startretries=3                ; max # of serial start failures (default 3)
-;exitcodes=0,2                 ; 'expected' exit codes for process (default 0,2)
-;stopsignal=QUIT               ; signal used to kill process (default TERM)
-;stopwaitsecs=10               ; max num secs to wait b4 SIGKILL (default 10)
-;user=chrism                   ; setuid to this UNIX account to run the program
-;redirect_stderr=true          ; redirect proc stderr to stdout (default false)
-;stdout_logfile=/a/path        ; stdout log path, NONE for none; default AUTO
-;stdout_logfile_maxbytes=1MB   ; max # logfile bytes b4 rotation (default 50MB)
-;stdout_logfile_backups=10     ; # of stdout logfile backups (default 10)
-;stdout_events_enabled=false   ; emit events on stdout writes (default false)
-;stderr_logfile=/a/path        ; stderr log path, NONE for none; default AUTO
-;stderr_logfile_maxbytes=1MB   ; max # logfile bytes b4 rotation (default 50MB)
-;stderr_logfile_backups        ; # of stderr logfile backups (default 10)
-;stderr_events_enabled=false   ; emit events on stderr writes (default false)
-;environment=A=1,B=2           ; process environment additions
-;serverurl=AUTO                ; override serverurl computation (childutils)
-
-; The below sample group section shows all possible group values,
-; create one or more 'real' group: sections to create "heterogeneous"
-; process groups.
-
-;[group:thegroupname]
-;programs=progname1,progname2  ; each refers to 'x' in [program:x] definitions
-;priority=999                  ; the relative start priority (default 999)
-
-; The [include] section can just contain the "files" setting.  This
-; setting can list multiple files (separated by whitespace or
-; newlines).  It can also contain wildcards.  The filenames are
-; interpreted as relative to this file.  Included files *cannot*
-; include files themselves.
-
-[include]
-files = supervisord.d/*.ini

etc/supervisord.d/postfix.ini

@@ -1,5 +0,0 @@
-[program:postfix]
-process_name = master
-command=/usr/sbin/postfix -c /etc/postfix start
-startsecs=0
-autorestart=false

etc/supervisord.d/readlog.ini

@@ -1,4 +0,0 @@
-[program:readlog]
-command=/usr/bin/tail -f /var/log/maillog
-stdout_logfile=/dev/fd/1
-stdout_logfile_maxbytes=0

etc/supervisord.d/rsyslog.ini

@@ -1,2 +0,0 @@
-[program:rsyslog]
-command=/usr/sbin/rsyslogd -n

run.sh

@@ -13,8 +13,9 @@ function add_config_value() {
  postconf -e "${key} = ${value}"
 }
 
-# Read password from file to avoid unsecure env variables
+# Read password and username from file to avoid unsecure env variables
-if [ -n "${SMTP_PASSWORD_FILE}" ]; then [ -f "${SMTP_PASSWORD_FILE}" ] && read SMTP_PASSWORD < ${SMTP_PASSWORD_FILE} || echo "SMTP_PASSWORD_FILE defined, but file not existing, skipping."; fi
+if [ -n "${SMTP_PASSWORD_FILE}" ]; then [ -e "${SMTP_PASSWORD_FILE}" ] && SMTP_PASSWORD=$(cat "${SMTP_PASSWORD_FILE}") || echo "SMTP_PASSWORD_FILE defined, but file not existing, skipping."; fi
+if [ -n "${SMTP_USERNAME_FILE}" ]; then [ -e "${SMTP_USERNAME_FILE}" ] && SMTP_USERNAME=$(cat "${SMTP_USERNAME_FILE}") || echo "SMTP_USERNAME_FILE defined, but file not existing, skipping."; fi
 
 [ -z "${SMTP_SERVER}" ] && echo "SMTP_SERVER is not set" && exit 1
 [ -z "${SERVER_HOSTNAME}" ] && echo "SERVER_HOSTNAME is not set" && exit 1
@@ -26,9 +27,10 @@ SMTP_PORT="${SMTP_PORT:-587}"
 DOMAIN=`echo ${SERVER_HOSTNAME} | awk 'BEGIN{FS=OFS="."}{print $(NF-1),$NF}'`
 
 # Set needed config options
+add_config_value "maillog_file" "/dev/stdout"
 add_config_value "myhostname" ${SERVER_HOSTNAME}
 add_config_value "mydomain" ${DOMAIN}
-add_config_value "mydestination" 'localhost'
+add_config_value "mydestination" "${DESTINATION:-localhost}"
 add_config_value "myorigin" '$mydomain'
 add_config_value "relayhost" "[${SMTP_SERVER}]:${SMTP_PORT}"
 add_config_value "smtp_use_tls" "yes"
@@ -47,6 +49,9 @@ if [ "${SMTP_PORT}" = "465" ]; then
   add_config_value "smtp_tls_security_level" "encrypt"
 fi
 
+# Bind to both IPv4 and IPv4
+add_config_value "inet_protocols" "all"
+
 # Create sasl_passwd file with auth credentials
 if [ ! -f /etc/postfix/sasl_passwd -a ! -z "${SMTP_USERNAME}" ]; then
   grep -q "${SMTP_SERVER}" /etc/postfix/sasl_passwd  > /dev/null 2>&1
@@ -59,24 +64,49 @@ fi
 
 #Set header tag
 if [ ! -z "${SMTP_HEADER_TAG}" ]; then
-  postconf -e "header_checks = regexp:/etc/postfix/header_tag"
+  postconf -e "header_checks = regexp:/etc/postfix/header_checks"
-  echo -e "/^MIME-Version:/i PREPEND RelayTag: $SMTP_HEADER_TAG\n/^Content-Transfer-Encoding:/i PREPEND RelayTag: $SMTP_HEADER_TAG" > /etc/postfix/header_tag
+  echo -e "/^MIME-Version:/i PREPEND RelayTag: $SMTP_HEADER_TAG\n/^Content-Transfer-Encoding:/i PREPEND RelayTag: $SMTP_HEADER_TAG" >> /etc/postfix/header_checks
   echo "Setting configuration option SMTP_HEADER_TAG with value: ${SMTP_HEADER_TAG}"
 fi
 
+#Enable logging of subject line
+if [ "${LOG_SUBJECT}" == "yes" ]; then
+  postconf -e "header_checks = regexp:/etc/postfix/header_checks"
+  echo -e "/^Subject:/ WARN" >> /etc/postfix/header_checks
+  echo "Enabling logging of subject line"
+fi
+
 #Check for subnet restrictions
 nets='10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16'
 if [ ! -z "${SMTP_NETWORKS}" ]; then
+  declare ipv6re="^((([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|\
+    ([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|\
+    ([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|\
+    ([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|\
+    :((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}|\
+    ::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|\
+    (2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|\
+    (2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))/[0-9]{1,3})$"
+
   for i in $(sed 's/,/\ /g' <<<$SMTP_NETWORKS); do
     if grep -Eq "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/[0-9]{1,2}" <<<$i ; then
       nets+=", $i"
+    elif grep -Eq "$ipv6re" <<<$i ; then
+      readarray -d \/ -t arr < <(printf '%s' "$i")
+      nets+=", [${arr[0]}]/${arr[1]}"
     else
-                        echo "$i is not in proper IPv4 subnet format. Ignoring."
+      echo "$i is not in proper IPv4 or IPv6 subnet format. Ignoring."
     fi
   done
 fi
 add_config_value "mynetworks" "${nets}"
 
+# Set SMTPUTF8
+if [ ! -z "${SMTPUTF8_ENABLE}" ]; then
+  postconf -e "smtputf8_enable = ${SMTPUTF8_ENABLE}"
+  echo "Setting configuration option smtputf8_enable with value: ${SMTPUTF8_ENABLE}"
+fi
+
 if [ ! -z "${OVERWRITE_FROM}" ]; then
   echo -e "/^From:.*$/ REPLACE From: $OVERWRITE_FROM" > /etc/postfix/smtp_header_checks
   postmap /etc/postfix/smtp_header_checks
@@ -84,10 +114,16 @@ if [ ! -z "${OVERWRITE_FROM}" ]; then
   echo "Setting configuration option OVERWRITE_FROM with value: ${OVERWRITE_FROM}"
 fi
 
+# Set message_size_limit
+if [ ! -z "${MESSAGE_SIZE_LIMIT}" ]; then
+  postconf -e "message_size_limit = ${MESSAGE_SIZE_LIMIT}"
+  echo "Setting configuration option message_size_limit with value: ${MESSAGE_SIZE_LIMIT}"
+fi
+
 #Start services
 
 # If host mounting /var/spool/postfix, we need to delete old pid file before
 # starting services
 rm -f /var/spool/postfix/pid/master.pid
 
-exec supervisord -c /etc/supervisord.conf
+exec /usr/sbin/postfix -c /etc/postfix start-fg