Postfix SMTP relay docker image. Useful for sending email without using an external SMTP server.
Default configuration is an open relay that relies on docker networking for protection. So be careful to not expose it publicly.
docker pull mwader/postfix-relay
or clone/build it yourself. Docker hub image is built for amd64
, arm/v7
and arm64
.
Postfix configuration options can be set
using POSTFIX_<name>
environment variables. See Dockerfile for default
configuration. You probably want to set POSTFIX_myhostname
(the FQDN used by 220/HELO).
Note that POSTFIX_myhostname
will change the postfix option
myhostname.
You can modify master.cf using postconf with POSTFIXMASTER_
variables. All double __
symbols will be replaced with /
. For example
- POSTFIXMASTER_submission__inet=submission inet n - y - - smtpd
will produce
postconf -Me submission/inet="submission inet n - y - - smtpd"
You can also create multiline tables using POSTMAP_<filename>
like this example:
environment:
- POSTFIX_transport_maps=hash:/etc/postfix/transport
- |
POSTMAP_transport=gmail.com smtp
mydomain.com relay:[relay1.mydomain.com]:587
* relay:[relay2.mydomain.com]:587
which will generate file /etc/postfix/transport
gmail.com smtp
mydomain.com relay:[relay1.mydomain.com]:587
* relay:[relay2.mydomain.com]:587
and run postmap /etc/postfix/transport
.
The container includes Postfix SASL authentication options that are disabled by default.
First, create a passwd file.
echo "myuser:"`docker run --rm mwader/postfix-relay mkpasswd -m sha-512 "mypassword"` >> passwd_file
Then mount the passwd file and add the following postfix configs via enviromental variable.
volumes:
- /path/to/passwd_file:/etc/postfix/sasl/sasl_passwds
environment:
- SASL_Passwds=/etc/postfix/sasl/sasl_passwds
- POSTFIX_smtpd_sasl_auth_enable=yes
- POSTFIX_cyrus_sasl_config_path=/etc/postfix/sasl
- POSTFIX_smtpd_sasl_security_options=noanonymous
- POSTFIX_smtpd_relay_restrictions=permit_sasl_authenticated,reject
OpenDKIM configuration options can be set
using OPENDKIM_<name>
environment variables. See Dockerfile for default
configuration. For example OPENDKIM_Canonicalization=relaxed/simple
.
docker run -e POSTFIX_myhostname=smtp.domain.tld mwader/postfix-relay
app:
# use hostname "smtp" as SMTP server
smtp:
image: mwader/postfix-relay
restart: always
environment:
- POSTFIX_myhostname=smtp.domain.tld
- OPENDKIM_DOMAINS=smtp.domain.tld
By default container only logs to stdout. If you also wish to log mail.*
messages to file on persistent volume, you can do something like:
environment:
...
- RSYSLOG_LOG_TO_FILE=yes
- RSYSLOG_TIMESTAMP=yes
volumes:
- /your_local_path:/var/log/
You can also forward log output to remote syslog server if you define RSYSLOG_REMOTE_HOST
variable. It always uses UDP protocol and port 514
as default value,
port number can be changed to different one with RSYSLOG_REMOTE_PORT
. Default format of forwarded messages is defined by Rsyslog template RSYSLOG_ForwardFormat
,
you can change it to another template (section Reserved Template Names) if you wish with RSYSLOG_REMOTE_TEMPLATE
variable.
environment:
...
- RSYSLOG_REMOTE_HOST=my.remote-syslog-server.com
- RSYSLOG_REMOTE_PORT=514
- RSYSLOG_REMOTE_TEMPLATE=RSYSLOG_ForwardFormat
If configuration via environment variables is not flexible enough it's possible to configure rsyslog directly: .conf
files in the /etc/rsyslog.d
directory will be sorted alphabetically and included into the primary configuration.
Wrong timestamps in log can be fixed by setting proper timezone. This parameter is handled by Debian base image.
environment:
...
- TZ=Europe/Prague
I see key data is not secure: /etc/opendkim/keys can be read or written by other users
error messages.
Some Docker distributions like Docker for Windows and RancherOS seems to handle volume permission in way that does not work with OpenDKIM default behavior of ensuring safe permissions on private keys.
A workaround is to disable the check using a OPENDKIM_RequireSafeKeys=no
environment variable.
When sending email using your own SMTP server it is probably a good idea to setup SPF for the domain you're sending from.
To enable DKIM,
specify a whitespace-separated list of domains in the environment variable
OPENDKIM_DOMAINS
. The default DKIM selector is "mail", but can be changed to
"<selector>
" using the syntax OPENDKIM_DOMAINS=<domain>=<selector>
.
At container start, RSA key pairs will be generated for each domain unless the
file /etc/opendkim/keys/<domain>/<selector>.private
exists. If you want the
keys to persist indefinitely, make sure to mount a volume for
/etc/opendkim/keys
, otherwise they will be destroyed when the container is
removed.
DNS records to configure can be found in the container log or by running docker exec <container> sh -c 'cat /etc/opendkim/keys/*/*.txt
you should see something like this:
$ docker exec 7996454b5fca sh -c 'cat /etc/opendkim/keys/*/*.txt'
mail._domainkey.smtp.domain.tld. IN TXT ( "v=DKIM1; h=sha256; k=rsa; "
"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0Dx7wLGPFVaxVQ4TGym/eF89aQ8oMxS9v5BCc26Hij91t2Ci8Fl12DHNVqZoIPGm+9tTIoDVDFEFrlPhMOZl8i4jU9pcFjjaIISaV2+qTa8uV1j3MyByogG8pu4o5Ill7zaySYFsYB++cHJ9pjbFSC42dddCYMfuVgrBsLNrvEi3dLDMjJF5l92Uu8YeswFe26PuHX3Avr261n"
"j5joTnYwat4387VEUyGUnZ0aZxCERi+ndXv2/wMJ0tizq+a9+EgqIb+7lkUc2XciQPNuTujM25GhrQBEKznvHyPA6fHsFheymOuB763QpkmnQQLCxyLygAY9mE/5RY+5Q6J9oDOQIDAQAB" ) ; ----- DKIM key mail for smtp.domain.tld
postfix-relay is licensed under the MIT license. See LICENSE for the full license text.