Add new configuration files and scripts for Postfix

.github/workflows/postfix.yaml

@@ -0,0 +1,83 @@
+name: Build & Push Postfix
+
+on:
+  push:
+    branches:
+      - 'main'
+
+env:
+  ORG_NAME: lostlink
+  APP_NAME: postfix
+
+jobs:
+  should_deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v3
+        with:
+          lfs: true
+
+      - name: Detect File Changes
+        uses: trilom/[email protected]
+
+      - name: Changed Files List
+        run: |
+          jq -r '.[]' $HOME/files.json
+
+      - name: Filter and set Build Status
+        id: build
+        run: |
+          unique_entries=$(jq -r '.[] | select(test("caddy"))' $HOME/files.json | awk -v RS=' ' '!a[$1]++')
+          if [[ ! -z "$unique_entries" ]]
+          then
+            status="deploy"
+          else
+            status="skip"
+          fi
+          echo "status=$status" >> $GITHUB_OUTPUT
+    outputs:
+      status: ${{ steps.build.outputs.status }}
+
+  deploy:
+    runs-on: ubuntu-latest
+    needs: should_deploy
+    if: needs.should_deploy.outputs.status == 'deploy'
+
+    strategy:
+      fail-fast: false
+      matrix:
+        build:
+          - {tag: "latest", platforms: "linux/arm64,linux/amd64"}
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v3
+        with:
+          lfs: true
+
+      - name: Import environment variables from a file
+        uses: cardinalby/export-env-action@v2
+        with:
+          envFile: "docker.env"
+          expand: "true"
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_PASSWORD }}
+
+      - name: Build and push
+        uses: docker/build-push-action@v5
+        with:
+          context: "{{defaultContext}}:${{ env.APP_NAME }}"
+          platforms: ${{ matrix.build.platforms }}
+          push: true
+          tags: ${{ env.ORG_NAME }}/${{ env.APP_NAME }}:${{ matrix.build.tag }}

postfix/Dockerfile

@@ -0,0 +1,86 @@
+ARG POSTFIX_TAG=latest
+ARG DEBIAN_TAG=bookworm-slim
+ARG PHP_VERSION=8.3
+
+FROM debian:${DEBIAN_TAG}
+
+LABEL maintainer="Nuno Souto <[email protected]>"
+
+ENV DEBIAN_FRONTEND=noninteractive \
+    PDNS_REC_daemon=no \
+    PDNS_REC_setuid=pdns \
+    PDNS_REC_setgid=pdns \
+    PDNS_REC_local_port=53 \
+    PDNS_REC_local_address=0.0.0.0 \
+    PDNS_REC_config_dir=/etc/pdns \
+    PDNS_REC_include_dir=/etc/pdns/recursor.d
+
+RUN apt-get update; \
+    apt-get install -yqq --no-install-recommends --no-install-suggests  \
+            wget \
+            gnupg \
+            lsb-release \
+            ca-certificates \
+            apt-transport-https \
+            software-properties-common; \
+    wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg; \
+    sh -c 'echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list'; \
+    apt-get update; \
+    apt-get upgrade -yqq; \
+    apt-get install -yqq --no-install-recommends --no-install-suggests \
+            apt-utils \
+            dnsutils \
+            php${PHP_VERSION} \
+            php${PHP_VERSION}-cli \
+            php${PHP_VERSION}-mailparse \
+#            php${PHP_VERSION}-phar \
+            php${PHP_VERSION}-intl \
+#            php${PHP_VERSION}-json \
+            php${PHP_VERSION}-curl \
+#            php${PHP_VERSION}-fileinfo \
+            php${PHP_VERSION}-mbstring \
+            php${PHP_VERSION}-tokenizer \
+            diceware \
+            dovecot-imapd \
+            dovecot-lmtpd \
+            gettext-base \
+            mailutils \
+            opendkim \
+            opendkim-tools \
+            postfix \
+            postfix-pcre \
+            procmail \
+            sasl2-bin \
+            python3 \
+            python3-pip \
+            python3-venv \
+            supervisor \
+            pdns-recursor
+
+RUN apt-get install -yqq --no-install-recommends --no-install-suggests \
+            opendmarc
+
+RUN python3 -m venv /root/venv; \
+    . /root/venv/bin/activate; \
+    pip3 install --no-cache-dir envtpl
+
+RUN apt-get --quiet --quiet clean all \
+    && rm --recursive --force /var/lib/apt/lists/* /tmp/* /var/tmp/*
+
+COPY ./etc/postfix/main.cf /etc/postfix/main.cf
+COPY ./etc/postfix/master.cf /etc/postfix/master.cf
+COPY ./etc/postfix/virtual /etc/postfix/virtual
+COPY ./etc/aliases /etc/aliases
+COPY ./etc/pdns/recursor.conf.tpl /etc/pdns/recursor.conf.tpl
+COPY ./etc/pdns/recursor.d /etc/pdns/recursor.d
+COPY ./etc/pdns/zones /etc/pdns/zones
+COPY ./etc/supervisor/ /etc/supervisor/
+
+COPY --chmod=0755 ./usr/local/bin/entrypoint.sh /usr/local/bin/entrypoint.sh
+COPY --chmod=0755 ./usr/local/bin/mailparse.sh /usr/local/bin/mailparse.sh
+
+HEALTHCHECK --interval=10s --timeout=10s --retries=3 --start-period=2s CMD ["postfix", "status"]
+
+ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
+
+EXPOSE 25/TCP 587/TCP 993/TCP

postfix/etc/aliases

@@ -0,0 +1,3 @@
+# See man 5 aliases for format
+postmaster:    root
+catchall:    |/usr/local/bin/mailparse.sh

postfix/etc/opendkim.conf

@@ -0,0 +1,69 @@
+#domain                  *
+#AutoRestart             Yes
+#AutoRestartRate         10/1h
+#Umask                   0002
+#Syslog                  Yes
+#SyslogSuccess           Yes
+#LogWhy                  Yes
+#Canonicalization        relaxed/simple
+#ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
+#InternalHosts           refile:/etc/opendkim/TrustedHosts
+#KeyFile                 /etc/opendkim/keys/${PRIMARY_DOMAIN}/mail.private
+#Selector                mail
+#Mode                    sv
+#PidFile                 /var/run/opendkim/opendkim.pid
+#SignatureAlgorithm      rsa-sha256
+#UserID                  opendkim:opendkim
+#Socket                  inet:12301@localhost
+
+# This is a basic configuration for signing and verifying. It can easily be
+# adapted to suit a basic installation. See opendkim.conf(5) and
+# /usr/share/doc/opendkim/examples/opendkim.conf.sample for complete
+# documentation of available configuration parameters.
+
+Syslog                  yes
+SyslogSuccess           yes
+#LogWhy                 no
+
+# Common signing and verification parameters. In Debian, the "From" header is
+# oversigned, because it is often the identity key used by reputation systems
+# and thus somewhat security sensitive.
+Canonicalization        relaxed/simple
+#Mode                   sv
+#SubDomains             no
+OversignHeaders         From
+
+# Signing domain, selector, and key (required). For example, perform signing
+# for domain "example.com" with selector "2020" (2020._domainkey.example.com),
+# using the private key stored in /etc/dkimkeys/example.private. More granular
+# setup options can be found in /usr/share/doc/opendkim/README.opendkim.
+#Domain                 example.com
+#Selector               2020
+#KeyFile                /etc/dkimkeys/example.private
+
+# In Debian, opendkim runs as user "opendkim". A umask of 007 is required when
+# using a local socket with MTAs that access the socket as a non-privileged
+# user (for example, Postfix). You may need to add user "postfix" to group
+# "opendkim" in that case.
+UserID                  opendkim
+UMask                   007
+
+# Socket for the MTA connection (required). If the MTA is inside a chroot jail,
+# it must be ensured that the socket is accessible. In Debian, Postfix runs in
+# a chroot in /var/spool/postfix, therefore a Unix socket would have to be
+# configured as shown on the last line below.
+Socket                  local:/run/opendkim/opendkim.sock
+#Socket                 inet:8891@localhost
+#Socket                 inet:8891
+#Socket                 local:/var/spool/postfix/opendkim/opendkim.sock
+
+PidFile                 /run/opendkim/opendkim.pid
+
+# Hosts for which to sign rather than verify, default is 127.0.0.1. See the
+# OPERATION section of opendkim(8) for more information.
+#InternalHosts          192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12
+
+# The trust anchor enables DNSSEC. In Debian, the trust anchor file is provided
+# by the package dns-root-data.
+TrustAnchorFile         /usr/share/dns/root.key
+#Nameservers            127.0.0.1

postfix/etc/opendmarc.conf

@@ -0,0 +1,10 @@
+AuthservID ${PRIMARY_DOMAIN}
+PidFile /var/run/opendmarc/opendmarc.pid
+RejectFailures false
+Syslog true
+TrustedAuthservIDs ${PRIMARY_DOMAIN}
+Socket  inet:54321@localhost
+UMask 0002
+UserID opendmarc:opendmarc
+IgnoreHosts /etc/opendmarc/ignore.hosts
+HistoryFile /var/run/opendmarc/opendmarc.dat

postfix/etc/pdns/recursor.conf.tpl

@@ -0,0 +1,2 @@
+{% for key, value in environment('PDNS_REC_') %}{{ key|replace('_', '-') }}={{ value }}
+{% endfor %}

postfix/etc/pdns/recursor.d/auth-zones.conf

@@ -0,0 +1,2 @@
+# Zones for which we have authoritative data, comma separated domain=file pairs
+auth-zones=localhost=/etc/pdns/zones/localhost

postfix/etc/pdns/zones/localhost

@@ -0,0 +1,6 @@
+$ORIGIN localhost.
+@       1D  IN  SOA   @  root 1999010100 3h 15m 1w 1d
+@       1D  IN  NS    @
+@       1D  IN  A     127.0.0.1
+@       1D  IN  AAAA  ::1
+test    1D  IN  TXT   "Result"

postfix/etc/postfix/main.cf

@@ -0,0 +1,47 @@
+# See /usr/share/postfix/main.cf.dist for a commented, more complete version
+
+# Debian specific:  Specifying a file name will cause the first
+# line of that file to be used as the name.  The Debian default
+# is /etc/mailname.
+#myorigin = /etc/mailname
+
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+biff = no
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+
+readme_directory = no
+
+# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 3.6 on
+# fresh installs.
+compatibility_level = 3.6
+
+# TLS parameters
+smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
+smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+smtpd_tls_security_level=may
+
+smtp_tls_CApath=/etc/ssl/certs
+smtp_tls_security_level=may
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+
+smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
+myhostname = localhost
+luser_relay = catchall
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+virtual_alias_maps = pcre:/etc/postfix/virtual
+mydestination = $myhostname, localhost, localhost.localdomain, localhost
+relayhost =
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_interfaces = all
+inet_protocols = all
+
+
+maillog_file = /dev/stdout