diff --git a/postfix/Dockerfile b/postfix/Dockerfile new file mode 100644 index 0000000..d97f45b --- /dev/null +++ b/postfix/Dockerfile @@ -0,0 +1,16 @@ +FROM alpine:edge + +RUN apk add --no-cache \ + bash \ + libsasl \ + postfix \ + rsyslog \ + runit + +COPY service /etc/service +COPY runit_bootstrap /usr/sbin/runit_bootstrap +COPY rsyslog.conf /etc/rsyslog.conf + +STOPSIGNAL SIGKILL + +ENTRYPOINT ["/usr/sbin/runit_bootstrap"] diff --git a/postfix/rsyslog.conf b/postfix/rsyslog.conf new file mode 100644 index 0000000..e3e1d57 --- /dev/null +++ b/postfix/rsyslog.conf @@ -0,0 +1,94 @@ +# rsyslog v5: load input modules +# If you do not load inputs, nothing happens! +# You may need to set the module load path if modules are not found. + +$ModLoad immark.so # provides --MARK-- message capability +#$ModLoad imuxsock.so # provides support for local system logging (e.g. via logger command) +#$ModLoad imklog.so # kernel logging (formerly provided by rklogd) + +# default permissions for all log files. +$FileOwner root +$FileGroup adm +$FileCreateMode 0640 +$DirCreateMode 0755 +$Umask 0022 + +# Include configuration files from directory +$IncludeConfig /etc/rsyslog.d/* + +# Check config syntax on startup and abort if unclean (default off) +#$AbortOnUncleanConfig on + +# Reduce repeating messages (default off) +#$RepeatedMsgReduction on + +# Log all kernel messages to the console. +# Logging much else clutters up the screen. +#kern.* /dev/console + +# Log anything (except mail) of level info or higher. +# Don't log private authentication messages! +#*.info;mail.none;authpriv.none;cron.none -/var/log/messages + +# The authpriv file has restricted access. +#authpriv.* /var/log/secure + +# Log all the mail messages in one place. +mail.* -/var/log/mail.log + +# Log cron stuff +###cron.* -/var/log/cron + +# Everybody gets emergency messages +###*.emerg * + +# Save news errors of level crit and higher in a special file. +###uucp,news.crit -/var/log/spooler + +# Save boot messages also to boot.log +###local7.* /var/log/boot.log + +# More configuration examples: +# +# Remote Logging (we use TCP for reliable delivery) +# An on-disk queue is created for this action. If the remote host is +# down, messages are spooled to disk and sent when it is up again. +#$WorkDirectory /var/spool/rsyslog # where to place spool files +#$ActionQueueFileName uniqName # unique name prefix for spool files +#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible) +#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown +#$ActionQueueType LinkedList # run asynchronously +#$ActionResumeRetryCount -1 # infinety retries if host is down +#$ActionResumeInterval 30 # retry interval +# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional +#*.* @@remote-host + +# Remote Logging with TCP + SSL/TLS +#$DefaultNetstreamDriver gtls +#$DefaultNetstreamDriverCAFile /etc/ssl/rsyslog/rsyslog_ca.cert.pem +#$DefaultNetstreamDriverCertFile /etc/ssl/rsyslog/rsyslog_CLIENT.cert.pem +#$DefaultNetstreamDriverKeyFile /etc/ssl/rsyslog/rsyslog_CLIENT.key.pem +#$ActionSendStreamDriverAuthMode x509/name # enable peer authentication +#$ActionSendStreamDriverPermittedPeer foo # authorize to send encrypted data to server foo +#$ActionSendStreamDriverMode 1 # run driver in TLS-only mode + +# ######### Receiving Messages from Remote Hosts ########## +# TCP Syslog Server: +#$ModLoad imtcp # provides TCP syslog reception +#$TCPServerRun 10514 # start a TCP syslog server at port 10514 + +# TCP + SSL/TLS Syslog Server: +#$ModLoad imtcp # provides TCP syslog reception +#$DefaultNetstreamDriver gtls # use gnuTLS for data encryption +#$DefaultNetstreamDriverCAFile /etc/ssl/rsyslog/rsyslog_ca.cert.pem +#$DefaultNetstreamDriverCertFile /etc/ssl/rsyslog/rsyslog_SERVER.cert.pem +#$DefaultNetstreamDriverKeyFile /etc/ssl/rsyslog/rsyslog_SERVER.key.pem +#$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode +#$InputTCPServerStreamDriverAuthMode x509/name # enable peer authentication +#$InputTCPServerStreamDriverPermittedPeer bar # authorize client named bar (one line per client) +#$TCPServerRun 10514 # start a TCP syslog server at port 10514 + +# UDP Syslog Server: +$ModLoad imudp.so # provides UDP syslog reception +$UDPServerRun 514 # start a UDP syslog server at standard port 514 + diff --git a/postfix/runit_bootstrap b/postfix/runit_bootstrap new file mode 100755 index 0000000..543e33d --- /dev/null +++ b/postfix/runit_bootstrap @@ -0,0 +1,3 @@ +#!/bin/sh + +exec /sbin/runsvdir /etc/service diff --git a/postfix/service/postfix/run b/postfix/service/postfix/run new file mode 100755 index 0000000..15bde07 --- /dev/null +++ b/postfix/service/postfix/run @@ -0,0 +1,50 @@ +#!/bin/bash +set -e + +# Do we want to modify the config first with the script? +[ -f /etc/service/postfix/run.config ] && source /etc/service/postfix/run.config + +if [ "$MAILNAME" ]; then + echo "$MAILNAME" > /etc/mailname + postconf -e myhostname="$MAILNAME" +fi + +if [ "$MY_NETWORKS" ]; then + postconf -e mynetworks="$MY_NETWORKS" +fi + +if [ "$MY_DESTINATION" ]; then + postconf -e mydestination="$MY_DESTINATION" +fi + +if [ "$ROOT_ALIAS" ]; then + sed -i '/^root:/d' /etc/aliases + echo "root: $ROOT_ALIAS" >> /etc/aliases + newaliases +fi + +if [ "$RELAY" ]; then + # setup the relay + echo "relay_host = $RELAY" >> /etc/postfix/main.cf +fi + +if [ "$SASL_AUTH" ]; then + # setup tls + echo -e "smtp_tls_security_level = encrypt\nsmtp_sasl_auth_enable = yes\nsmtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd\nsmtp_sasl_security_options = noanonymous" >> /etc/postfix/main.cf + # generate the SASL password map + cat > /etc/postfix/sasl_passwd <<- EOF + $RELAY $SASL_AUTH + EOF + + # generate a .db file + postmap /etc/postfix/sasl_passwd + + # cleanup + rm /etc/postfix/sasl_passwd + + # set permissions + chmod 600 /etc/postfix/sasl_passwd.db +fi + +exec /usr/lib/postfix/master -c /etc/postfix -d 2>&1 +tail -F /var/log/mail.log diff --git a/postfix/service/rsyslog/run b/postfix/service/rsyslog/run new file mode 100755 index 0000000..616d8d7 --- /dev/null +++ b/postfix/service/rsyslog/run @@ -0,0 +1,4 @@ +#!/bin/bash +set -e + +exec rsyslogd -n