# AUTOMATICALLY GENERATED
# DO NOT EDIT THIS FILE DIRECTLY, USE /Dockerfile.tmpl.php
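# https://hub.docker.com/_/debian
# NOTE(review): Debian 10 (buster) is past the end of its LTS window (June 2024),
# so `apt-get upgrade` below no longer brings in Debian security fixes.
# The tag is also mutable; pin a digest once the base is bumped.
# Some package names further down (e.g. libicu63) are release-specific, so a
# base bump has to be made in /Dockerfile.tmpl.php together with those names.
FROM debian:buster
# MAINTAINER is deprecated; the same information is carried as a label.
LABEL maintainer="Instrumentisto Team <developer@instrumentisto.com>"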
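# Build and install Postfix
# https://git.launchpad.net/postfix/tree/debian/rules?id=94dfb9850484db5f47958eaa86f958857ab9834c
#
# Everything runs in a single RUN so that the compilers and -dev packages are
# purged in the same layer that installed them.
#
# POSTFIX_SHA256: expected SHA-256 digest of the Postfix source tarball.
# The tarball is fetched over plain HTTP from a mirror and is then compiled and
# installed as root, so nothing authenticates it unless this argument is set
# (--build-arg POSTFIX_SHA256=<digest taken from a trusted, verified copy>).
# Left empty, the build behaves as before and only prints a warning.
ARG POSTFIX_SHA256=""
RUN apt-get update \
 && apt-get upgrade -y \
 && apt-get install -y --no-install-recommends --no-install-suggests \
            inetutils-syslogd \
            ca-certificates \
 && update-ca-certificates \
    \
 # Install Postfix dependencies
 && apt-get install -y --no-install-recommends --no-install-suggests \
            libpcre3 libicu63 \
            libdb5.3 libpq5 libmariadb3 m4 default-libmysqld-dev default-libmysqlclient-dev libsqlite3-0 \
            libsasl2-2 \
            libldap-2.4 \
    \
 # Install tools for building
 && toolDeps=" \
        curl make gcc g++ libc-dev \
    " \
 && apt-get install -y --no-install-recommends --no-install-suggests \
            $toolDeps \
    \
 # Install Postfix build dependencies
 && buildDeps=" \
        libssl-dev \
        libpcre3-dev libicu-dev \
        libdb-dev libpq-dev libmariadbclient-dev libsqlite3-dev \
        libsasl2-dev \
        libldap2-dev \
    " \
 && apt-get install -y --no-install-recommends --no-install-suggests \
            $buildDeps \
    \
 # Download and prepare Postfix sources
 && curl -fL -o /tmp/postfix.tar.gz \
         http://ftp.uma.es/mirror/postfix/src/official/postfix-3.6.4.tar.gz \
 # Integrity check of the downloaded sources: a mismatch fails the build
 # before anything is unpacked or compiled.
 && if [ -n "$POSTFIX_SHA256" ]; then \
        echo "$POSTFIX_SHA256  /tmp/postfix.tar.gz" | sha256sum -c -; \
    else \
        echo "WARNING: POSTFIX_SHA256 is not set; Postfix sources are NOT verified" >&2; \
    fi \
 && tar -xzf /tmp/postfix.tar.gz -C /tmp/ \
 && cd /tmp/postfix-* \
 && sed -i -e "s:/usr/local/:/usr/:g" conf/master.cf \
    \
 # Build Postfix from sources
 && make makefiles \
        CCARGS="-DHAS_SHL_LOAD -DUSE_TLS \
                -DHAS_PCRE $(pcre-config --cflags) \
                -DHAS_PGSQL -I/usr/include/postgresql \
                -DHAS_MYSQL $(mysql_config --include) \
                -DHAS_SQLITE -I/usr/include \
                -DHAS_LDAP -I/usr/include \
                -DUSE_CYRUS_SASL -I/usr/include/sasl \
                -DUSE_SASL_AUTH -DDEF_SASL_SERVER=\\\"dovecot\\\" \
                -DUSE_LDAP_SASL" \
        AUXLIBS="-lssl -lcrypto -lsasl2" \
        AUXLIBS_PCRE="$(pcre-config --libs)" \
        AUXLIBS_PGSQL="-lpq" \
        AUXLIBS_MYSQL="$(mysql_config --libs)" \
        AUXLIBS_SQLITE="-lsqlite3 -lpthread" \
        AUXLIBS_LDAP="-lldap -llber" \
        shared=yes \
        dynamicmaps=yes \
        pie=yes \
        daemon_directory=/usr/lib/postfix \
        shlibs_directory=/usr/lib/postfix \
        # No documentation included to keep image size smaller
        manpage_directory=/tmp/man \
        readme_directory=/tmp/readme \
        html_directory=/tmp/html \
 && make \
    \
 # Create Postfix user and groups
 # (explicit numeric IDs: postfix 90:91, vmail 92:93)
 && addgroup --system --gid 91 postfix \
 && adduser --system --uid 90 --disabled-password \
            --no-create-home --home /var/spool/postfix \
            --ingroup postfix --gecos postfix \
            postfix \
 && adduser postfix mail \
 && addgroup --system --gid 93 postdrop \
 && adduser --system --uid 92 --disabled-password --shell /sbin/nologin \
            --no-create-home --home /var/mail/domains \
            --ingroup postdrop --gecos vmail \
            vmail \
    \
 # Install Postfix
 && make upgrade \
 # Always execute these binaries under postdrop group
 && chmod g+s /usr/sbin/postdrop \
              /usr/sbin/postqueue \
 # Ensure spool dir has correct rights
 && install -d -o postfix -g postfix /var/spool/postfix \
 # Fix removed directories in default configuration
 && sed -i -e 's,^manpage_directory =.*,manpage_directory = /dev/null,' \
           -e 's,^readme_directory =.*,readme_directory = /dev/null,' \
           -e 's,^html_directory =.*,html_directory = /dev/null,' \
        /etc/postfix/main.cf \
 # Prepare directories for drop-in configuration files
 && install -d /etc/postfix/main.cf.d \
 && install -d /etc/postfix/master.cf.d \
 # Generate default TLS credentials
 # NOTE(review): this self-signed key pair is created at build time, so the
 # private key is stored in an image layer: every container started from the
 # same image shares it, anyone who can pull the image can read it, and the
 # certificate expires 365 days after the build. Treat it as a placeholder and
 # supply real credentials at deploy time (e.g. mounted over /etc/ssl/postfix).
 && install -d /etc/ssl/postfix \
 && openssl req -new -x509 -nodes -days 365 \
            -subj "/CN=smtp.example.com" \
            -out /etc/ssl/postfix/server.crt \
            -keyout /etc/ssl/postfix/server.key \
 && chmod 0600 /etc/ssl/postfix/server.key \
 # Pregenerate Diffie-Hellman parameters (heavy operation)
 && openssl dhparam -out /etc/postfix/dh2048.pem 2048 \
 # Tweak TLS/SSL settings to achieve A grade
 # The quoted text below is appended verbatim to main.cf; its lines stay at
 # column 0 so that no stray whitespace ends up inside the configuration.
 # security_level "may" is opportunistic TLS in both directions: peers that
 # do not offer STARTTLS still exchange mail in cleartext.
 # NOTE(review): the tls_high_cipherlist value ends in "ECDHE-RSA-AES256",
 # which does not look like a complete cipher suite name - possibly a
 # truncated line; verify against /Dockerfile.tmpl.php.
 && echo "\n\
\n# TLS PARAMETERS\
\n#\
\ntls_ssl_options = NO_COMPRESSION\
\ntls_high_cipherlist = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256\
\n\
\n# SMTP TLS PARAMETERS (outgoing connections)\
\n#\
\nsmtp_tls_security_level = may\
\nsmtp_tls_CApath = /etc/ssl/certs\
\n\
\n# SMTPD TLS PARAMETERS (incoming connections)\
\n#\
\nsmtpd_tls_security_level = may\
\nsmtpd_tls_ciphers = high\
\nsmtpd_tls_mandatory_ciphers = high\
\nsmtpd_tls_exclude_ciphers = aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5, DSS, ECDSA, CAMELLIA128, 3DES, CAMELLIA256, RSA+AES, eNULL\
\nsmtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem\
\nsmtpd_tls_CApath = /etc/ssl/certs\
\nsmtpd_tls_cert_file = /etc/ssl/postfix/server.crt\
\nsmtpd_tls_key_file = /etc/ssl/postfix/server.key\
" >> /etc/postfix/main.cf \
    \
 # Cleanup unnecessary stuff
 && apt-get purge -y --auto-remove \
                  -o APT::AutoRemove::RecommendsImportant=false \
            $toolDeps $buildDeps \
 && rm -rf /var/lib/apt/lists/* \
           /etc/*/inetutils-syslogd \
           /tmp/*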
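# Install s6-overlay
#
# S6_OVERLAY_SHA256: expected SHA-256 digest of the release tarball.
# The archive is copied over / as root and provides the container's init, so
# it should be checked before it is unpacked
# (--build-arg S6_OVERLAY_SHA256=<digest taken from a trusted, verified copy>).
# Left empty, the build behaves as before and only prints a warning.
# The asset name is hard-coded to amd64, so this image builds for that
# architecture only.
ARG S6_OVERLAY_SHA256=""
RUN apt-get update \
 && apt-get install -y --no-install-recommends --no-install-suggests \
            curl \
 && curl -fL -o /tmp/s6-overlay.tar.gz \
         https://github.com/just-containers/s6-overlay/releases/download/v1.21.2.2/s6-overlay-amd64.tar.gz \
 # Integrity check of the downloaded archive: a mismatch fails the build
 # before anything is written to the root filesystem.
 && if [ -n "$S6_OVERLAY_SHA256" ]; then \
        echo "$S6_OVERLAY_SHA256  /tmp/s6-overlay.tar.gz" | sha256sum -c -; \
    else \
        echo "WARNING: S6_OVERLAY_SHA256 is not set; s6-overlay archive is NOT verified" >&2; \
    fi \
 # In Debian: /bin -> /usr/bin
 # So unpacking s6-overlay.tar.gz to the / will replace /bin symlink with
 # /bin directory from archive.
 # To avoid this we need to copy content of /bin manually.
 && mkdir -p /tmp/s6-overlay \
 && tar -xzf /tmp/s6-overlay.tar.gz -C /tmp/s6-overlay/ \
 && cp -rf /tmp/s6-overlay/bin/* /bin/ \
 && rm -rf /tmp/s6-overlay/bin \
           /tmp/s6-overlay/usr/bin/execlineb \
 && cp -rf /tmp/s6-overlay/* / \
    \
 # Cleanup unnecessary stuff
 && apt-get purge -y --auto-remove \
                  -o APT::AutoRemove::RecommendsImportant=false \
            curl \
 && rm -rf /var/lib/apt/lists/* \
           /tmp/*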
# s6-overlay runtime settings, baked into the container environment.
# NOTE(review): per the s6-overlay documentation, S6_BEHAVIOUR_IF_STAGE2_FAILS=2
# stops the container when an init script fails, and S6_CMD_WAIT_FOR_SERVICES=1
# delays CMD until the services are up - confirm against the v1.21.2.2 docs.
ENV S6_BEHAVIOUR_IF_STAGE2_FAILS=2 \
S6_CMD_WAIT_FOR_SERVICES=1
# Overlay the project's rootfs/ tree onto the image root. Judging by the chmod
# below it carries the /etc/services.d and /etc/cont-init.d scripts.
# Everything under rootfs/ ends up in the image, so it must not contain
# credentials, private keys or other per-deployment secrets.
COPY rootfs /
# Make every service run script and every container-init script executable.
RUN chmod +x /etc/services.d/*/run \
/etc/cont-init.d/*
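## Added by JPR:
## user/password auth
## DKIM
## SRS
#
# Runtime packages (SASL, OpenDKIM) and the PostSRSd build share one RUN so
# that the build-only tools are purged in the layer that installed them.
# Previously curl, unzip and cmake stayed in the final image, and the cleanup
# ran in a later layer where it could not shrink the earlier ones.
# NOTE(review): if a script under rootfs/ calls curl or unzip at run time,
# move that package from srsBuildDeps to the runtime list.
#
# POSTSRSD_REF: branch, tag or commit of roehling/postsrsd to build.
# The default keeps the previous behaviour (tip of master), which makes the
# build non-reproducible and compiles whatever the branch holds that day;
# pin a release tag or a full commit ID with --build-arg POSTSRSD_REF=<ref>.
ARG POSTSRSD_REF=master
RUN apt-get update \
 && apt-get install -y --no-install-recommends --no-install-suggests \
            libsasl2-modules \
            opendkim \
            opendkim-tools \
            sasl2-bin \
    \
 # Build-only tools, listed explicitly instead of relying on recommended
 # packages to bring in a compiler and make.
 && srsBuildDeps=" \
        cmake curl gcc libc-dev make unzip \
    " \
 && apt-get install -y --no-install-recommends --no-install-suggests \
            $srsBuildDeps \
    \
 # Download and build PostSRSd
 # -f makes curl fail on an HTTP error instead of saving the error page.
 && mkdir /tmp/srs \
 && cd /tmp/srs \
 && curl -fL -o postsrsd.zip \
         "https://github.com/roehling/postsrsd/archive/${POSTSRSD_REF}.zip" \
 && unzip postsrsd.zip \
 # The top-level directory is named after the ref, hence the glob.
 && cd postsrsd-* \
 && mkdir build \
 && cd build \
 && cmake -DCMAKE_INSTALL_PREFIX=/usr ../ \
 && make \
 && make install \
 && cd / \
    \
 # Cleanup unnecessary stuff
 && apt-get purge -y --auto-remove \
                  -o APT::AutoRemove::RecommendsImportant=false \
            $srsBuildDeps \
 && rm -rf /var/lib/apt/lists/* \
           /tmp/*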
# SMTP (25), SMTPS (465) and submission (587).
# EXPOSE only documents the ports; they are published at run time.
EXPOSE 25 465 587
# /init is expected to come from the s6-overlay archive unpacked into / earlier
# in this file; CMD is the process it supervises once init has finished.
# NOTE(review): no USER is set, so /init and the Postfix master start as root.
# Postfix's master normally needs root to bind ports below 1024 and to switch
# its daemons to the postfix user - confirm this is intended, and keep the
# container's capabilities and mounts minimal at deploy time.
ENTRYPOINT ["/init"]
CMD ["/usr/lib/postfix/master", "-d"]