From 82236155ac2cc6d7235d8d0a40b04c2f34996e32 Mon Sep 17 00:00:00 2001
From: Felddy
Date: Tue, 28 May 2019 18:04:22 -0400
Subject: [PATCH] Add initial postfix templates and configurations
---
.pre-commit-config.yaml | 1 +
Dockerfile | 26 ++++++++++++++++++++
docker-compose.yml | 35 +++++++++++++++++++++++++++
secrets/fullchain.pem | 31 ++++++++++++++++++++++++
secrets/privkey.pem | 52 ++++++++++++++++++++++++++++++++++++++++
src/docker-entrypoint.sh | 16 +++++++++++++
templates/main.cf | 32 +++++++++++++++++++++++++
templates/master.cf | 9 +++++++
8 files changed, 202 insertions(+)
create mode 100644 Dockerfile
create mode 100644 docker-compose.yml
create mode 100644 secrets/fullchain.pem
create mode 100644 secrets/privkey.pem
create mode 100755 src/docker-entrypoint.sh
create mode 100644 templates/main.cf
create mode 100644 templates/master.cf
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 69ebc03..2ac7afe 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -12,6 +12,7 @@ repos: args: - --allow-missing-credentials - id: detect-private-key + exclude: secrets/privkey.pem - id: end-of-file-fixer exclude: files/(issue|motd) - id: mixed-line-ending
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..7064af7
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,26 @@
+FROM debian:buster-slim
+MAINTAINER Mark Feldhousen
+
+RUN apt-get update && \
+apt-get install --no-install-recommends -y \
+ca-certificates \
+gettext-base \
+opendkim \
+opendkim-tools \
+postfix \
+sasl2-bin \
+&& apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+
+USER root
+WORKDIR /root
+
+RUN mv /etc/postfix/master.cf /etc/postfix/master.cf.orig
+
+COPY ./templates ./templates/
+COPY ./src/docker-entrypoint.sh .
+
+VOLUME ["/var/log", "/var/spool/postfix"]
+EXPOSE 25/TCP 587/TCP
+
+ENTRYPOINT ["./docker-entrypoint.sh"]
+CMD ["postfix", "-v", "start-fg"]
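Review bot: Excluding `secrets/privkey.pem` from `detect-private-key` silences the hook for exactly the file it exists to catch, and the key itself is added in the `secrets/privkey.pem` hunk below together with `secrets/fullchain.pem`. The certificate's subject fields appear to be OpenSSL's interactive defaults (`Internet Widgits Pty Ltd`, `Some-State`), which suggests a self-signed test pair, but nothing on the page says so. Preferable is to keep the hook as it was, generate the pair in a setup step and git-ignore `secrets/`, so no key material is committed; if the exclusion stays, record the intent next to it, `# placeholder self-signed test key; never deploy`. If this key was ever used on a live host it should be treated as compromised and rotated.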
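Review bot: `MAINTAINER` is deprecated; `LABEL org.opencontainers.image.authors="Mark Feldhousen"` carries the same information. The `apt-get install` list is unpinned, so rebuilds on top of `debian:buster-slim` are not reproducible and hadolint will flag it (DL3008); pinning at least `postfix` and `opendkim` is cheap. The final image stays `USER root` with the entrypoint and templates copied into `/root` by relative path, which is the normal arrangement for Postfix's master process but deserves a comment, e.g. `# postfix master must start as root; it drops privileges per service itself`. `CMD` also bakes `-v` into `postfix -v start-fg`, so verbose debug logging appears to be the production default; consider leaving it to a runtime override.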
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..525e957
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,35 @@
+---
+version: "3.7"
+
+secrets:
+ fullchain_pem:
+ file: ./secrets/fullchain.pem
+ privkey_pem:
+ file: ./secrets/privkey.pem
+
+
+services:
+ postfix:
+ build:
+ context: .
+ dockerfile: Dockerfile
+ image: postfix
+ init: true
+ restart: always
+ environment:
+ - PRIMARY_DOMAIN=example.com
+ - RELAY_IP=
+ ports:
+ - target: "25"
+ published: "1025"
+ protocol: tcp
+ mode: host
+ - target: "587"
+ published: "1587"
+ protocol: tcp
+ mode: host
+ secrets:
+ - source: fullchain_pem
+ target: fullchain.pem
+ - source: privkey_pem
+ target: privkey.pem
diff --git a/secrets/fullchain.pem b/secrets/fullchain.pem
new file mode 100644
index 0000000..ddc24ba
--- /dev/null
+++ b/secrets/fullchain.pem
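Review bot: `target` and `published` under `ports` are quoted strings (`"25"`, `"1025"`), but the compose long syntax declares them as integers, and the Python `docker-compose` schema validator may reject the file; bare `target: 25` / `published: 1025` avoids the question. `RELAY_IP=` defaults to empty and `templates/main.cf` interpolates it straight into `mynetworks`; a comment such as `# RELAY_IP: optional extra network allowed to relay; empty means none` would spare the next reader a trip to the template. The `secrets:` block is the right mechanism for the TLS material, but the files it points at are committed in this same patch, so the mechanism does not yet buy any secrecy.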
@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFXTCCA0WgAwIBAgIJAPWv/2ssPwHVMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV
+BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
+aWRnaXRzIFB0eSBMdGQwHhcNMTkwNTI4MjAxNDM0WhcNMjAwNTI3MjAxNDM0WjBF
+MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50
+ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC
+CgKCAgEAvclFvQ6WAkQXpwNksjjojlvAKkqTnHJ8vHaM0C3yrSm+aMPH0/lzLTuT
+pv5eaSBUUzi5f/VjBFslH7kAGct4m1MJUfxRYdP4uZXqnfkiMyT8x7z+k6SbD22U
+6Xxa7yV+hwkbhNDFOmcCWawgrERvfkSdyp/l94u+TWg5v/LvmkmsFRixT+U5dl/g
+vSdXbAvjdrn+x/IRVMFrEDTm5QNCHrx1lTQf4giFl7VU820HQiNT3Y3JD7v+JHLO
+DUyYZAA6bpg5vYYMbhxfegZu/C7DkT3/ZtpRXEPv1mR+koS7nPAtZmJ8t76GR/eU
+A5rYLv1P6a4KvUf0/uRPGHQZsj57lVRqyR3TDi37aDywvcdTBQZHe9fNyYYe7g6s
+ToKzY/Z+KwVuI+KcamVH6QLLhHOZ7IFIdB5PrSCMLHlDRP22GWV5lbFjxP+9H/2P
+B5QkoBuPS4vV/GNxMlGlnbCoVDdUluypnsl0pdpae36PiFPlkA3dzJ1OcOt803jR
+E3HHBg4Mq9rO51NQfxx3LsnKPVvajVChcEie1UEH+DQLEVciRBIp9Jho4SMh9xS9
+VXFRXXrnEKkfLOXwkd3Vy4upvyQrxpEMmj1SHSsFqJ4xz1uo5akpgwzB5I14oe+k
+OK/sLP+B4GryWp78cASQQ/0ldbvOWxBxm7OVSPQB6F6vHVKNExsCAwEAAaNQME4w
+HQYDVR0OBBYEFOAh81Tup7BSdYBjAPGyd1GW5GJhMB8GA1UdIwQYMBaAFOAh81Tu
+p7BSdYBjAPGyd1GW5GJhMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIB
+ALBpfqJWpTf58mv1n6HuSLI7n/FGA0wxoVPmvG9qBV0uBx0kbsuJVBUXfO+FE/3x
+aiTiCwKweqdRhA2H7TnGs12D1Dweh3jd1gs+inClN7w4Ge9hIMiDcc9K45wgP/Sk
+IIJYgLfctGfzc5EetqWQFq1GEPpNPNpfBMC7Z/KcgiZ8+RmoIACDlJ+EwSkDuXgf
+045n45cF2xqfpeq/qKZDfWwg5+js/LN7abDRxX+JjH1i678Wx+SOlxsRK2plmmIL
+c46vSErWoRddwxyZyP4TqBCTgV6ZcoZSWKFvHrn4c2YZHMuagsBaDIBg05jfxv72
+ewuKeWIC0/2PkbJ+W15X+/Ltgru7gIcidt8Xm+JnBjvz0bCiS2qVGxu0DxBmbmjv
+CW3pvaNhc7NWxnTbJdpC/G2wH1RV06CS2WIWuBXu/AlkVlI/HHqYD4fWdETx9VjM
+821dJY0oGBVqK+2/2d9Q1J1bfzs/J2kLaNocERog2RMapygHoNI0qtfsQIyEecGw
+LoDcYltzKM+tPbWsYc1lI1rNo0v0/Y2TjQ6Jq+P4eZQ9gf6XgmdLg5nIDPkO4til
+epYT2sgG6TAMyzf475BX92ect9KWD1efAavL+aSxwpngWBc7uqYvvbX8w1EePX7G
+EoxN6uctuyBtDpzhdKxEEVBZ7NfU6X/91ZgVdlOR/rN4
+-----END CERTIFICATE-----
diff --git a/secrets/privkey.pem b/secrets/privkey.pem
new file mode 100644
index 0000000..52e5024
--- /dev/null
+++ b/secrets/privkey.pem
@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQC9yUW9DpYCRBen
+A2SyOOiOW8AqSpOccny8dozQLfKtKb5ow8fT+XMtO5Om/l5pIFRTOLl/9WMEWyUf
+uQAZy3ibUwlR/FFh0/i5leqd+SIzJPzHvP6TpJsPbZTpfFrvJX6HCRuE0MU6ZwJZ
+rCCsRG9+RJ3Kn+X3i75NaDm/8u+aSawVGLFP5Tl2X+C9J1dsC+N2uf7H8hFUwWsQ
+NOblA0IevHWVNB/iCIWXtVTzbQdCI1PdjckPu/4kcs4NTJhkADpumDm9hgxuHF96
+Bm78LsORPf9m2lFcQ+/WZH6ShLuc8C1mYny3voZH95QDmtgu/U/prgq9R/T+5E8Y
+dBmyPnuVVGrJHdMOLftoPLC9x1MFBkd7183Jhh7uDqxOgrNj9n4rBW4j4pxqZUfp
+AsuEc5nsgUh0Hk+tIIwseUNE/bYZZXmVsWPE/70f/Y8HlCSgG49Li9X8Y3EyUaWd
+sKhUN1SW7KmeyXSl2lp7fo+IU+WQDd3MnU5w63zTeNETcccGDgyr2s7nU1B/HHcu
+yco9W9qNUKFwSJ7VQQf4NAsRVyJEEin0mGjhIyH3FL1VcVFdeucQqR8s5fCR3dXL
+i6m/JCvGkQyaPVIdKwWonjHPW6jlqSmDDMHkjXih76Q4r+ws/4HgavJanvxwBJBD
+/SV1u85bEHGbs5VI9AHoXq8dUo0TGwIDAQABAoICAQCRaDhKVXaRXeJRT8RC2F81
+Uw60WFcoMn9nVd0lU07vZWBBnF7qBeE88rx54cIsAV0aNgfKBhRLLhoPaAqvuLk7
+KC+n5Q3lSiby6e3MAyk0zk3uKttR+3fiJi9FhMWXHL8Ibu3qoJm72Vhvo/WUhwp1
+T9UlfcUQGL1BSW2Vp2f0aiWyNC0F7bZM/8CMrCvK2ID6Yh7WypyEt3xz+lQ9enWa
+XwInwrv6zlSsm33u08YP4klLImq952ccPempPtozJAmg2njCwIWdh5ePQoaeKKYm
+Db4062gSrOqA9JYVZCTqZQoju6majhsL4KBC8sxXlDU58OLBivQmpn4DWlClxEGi
+IbY/FIE6WEhOrdoGPzIjAcC3OYYTasIMBDLdA0tODmtv9Nvst30IGZc4Pm/QIJOk
+EGJo4hqWbxiy4gisWxHwYeQ9/EEwrrc3FP94VscVkT8x0i22w5WMLtcrnCGpwzMg
+E10+9v4ZUZ7cu9V+IeWQUkeuP3xhumI7RIDVRHpGC6TfEk/Q2gNdsPL2E8ng2Ytx
+KMI3Pj5FuYi7enIR9AWdBVmVc2u7nzJMF/ODAwY6GmqHxni7PD97cnYwCy7Gxp/S
+DZqiiD32RHwUwBm0AgdLhftkgqyTN/qo/Bhmj9ieO2CkuAvTYoXG0VMzxCb9wBG/
+7BJSGcbwtTJOJGK7LvrDAQKCAQEA6Q45teOKcmOSw5ne2cXzXuaXZ0OOCkjJ2ens
+M89YmKXDVEZRbGoHVtftInUpr0H2UJ/N268Ogfzw62enZ40WIGwNALvp9PkLvdT0
+6LD/4MhcgZGQ5WDwqfqwkOanHdw9HJb752yEJ+3OG+fojmKkOs6OoQk1Ypxv5+5K
+OuG/qtiKKpSLbG/nKAbPsPObArBxyfH9pV5F2E6vy38lYoDTURlA2BXHPoXu9M4c
+/K2BMmO5zvGu5VOpAtnag5CWUwVvnX9DKDYs+k+exErluEj+U8GbKNQUTE+1p6fT
+j4KKNVZBgnavOST3Xm/i4qVbccF/CwUc387HPdK5FU6kn3evewKCAQEA0HiEAytq
+jzlBBHm892tojRzvpQa65fT7khsxETLhABvqeWZ2h9lE8TJTLC46N4cG1MC/hnWB
+Q7XzKd7jAeht41Lp0mlDWv6eqKN4VyXSpAYzATcEO739eja7WNTgkYB91eDSyT+K
+DVaElaXMjw/uX9tBnqaVyEe8JDqHw9E3Gl0MLWi89ztYptaWvKjt0+QqENBc6o+G
+K/qzO+B4o9AyjyYkUYVA87tRrDk746LA5DbkpLQKPmQ3lb1hvVysJOnEdRabu5ly
+mC0HR9n2UwcU98Op/EX3D4MuCUoFB/HQNMXq7oRMg+AcfsG0/ENcbiY6o0yRhxHu
+ACgcjTi/QKAI4QKCAQBbgzB6EZ0diafpkpQFI0uLKjStYcN2mlpYbRhIx9RcLErk
+3q++SGwVV7hP3X2+ycH0qqtk5fpmZHIdnZgIe0gC9yqr7R3TCa/onKSGcmonU8Wv
+Qv+IcmZN+Jg4bbmVahO9FDRaDSxfmWtjXc7dijI+vTkYVstVq2PtyI3xTQ+8AEdQ
+rP+KVu6HsxT+wMlPZwVnbNRSiRAX/d3dpFGDul4/7BCgSPzxuhm4mu6a8W5X4Pzn
+G9O3TQCClBTPsIi2lN3dFEnEknFa4MTRAy/tCwyCyvUoNQ67YFlOOgJCydmHVBVp
+Kz1mzPMta/XFVXTw2DAQnbNW1pU523K9wSG3VIHdAoIBACJTZbE76dzRWZJKFUJM
+DjgGBrOOiyGoF/Azx/2D+iZRcmcw5t1xefeZCLbimbVg51AKuL6EBJfIktRXHdvH
+kKh4k4WQzYVjHW65E+yNjsRxPN67V1ga7Wy9LFXxH1T16kJYNXzrmGif0U7usOLx
+hZeE+6YK2ejTXvg8JvSoM0GFBqdHcq3muK8n8EP6MMbN79s648G/hiEhs3dte4/F
+jT2i0yIVJd+7/TO1bNYLi2VIYJd6CaHCUKC4QSqz4qhlUXLSGSxnlMXXzDYZfoSn
+St2M+yVNw+Nq/x6KcI+hUl4OJKPHZu3j7e01Kf7LfKGqa8dNqTyrSBwAfssGB/+1
+GiECggEAJD0KWTfJrSbgCkMfp1fNkwNExW2+neB+MI1eIR1sWsu8rz1a5d/NIdQq
+pkoJp4FQUgRFEK+CzPWbKBDOxDVwpZ5o84JzxAEc78tL8/QIYwbtw5ZOiHNZ+wS6
+OYk6weY7rro7PwzqsTXcGdg/yxtphwguveSQM8y6McqBNZKqlN2fvXY8a4KZtt8O
+RXBwpsqYulHpMGPh2MsMJBGEEII7Y2WKZG41oU1SGb5J2tBdGixW0buQnr6qwBgL
+Ie8VV5kgbei97WK1lwvosn3HetBYSEE0GWMvjx93yoeozV8L/IF1rf7xss2BSqzF
+UjgsHxWMDJWcER8NHXkE5DQORLtKCA==
+-----END PRIVATE KEY-----
diff --git a/src/docker-entrypoint.sh b/src/docker-entrypoint.sh
new file mode 100755
index 0000000..6436d6f
--- /dev/null
+++ b/src/docker-entrypoint.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+# shellcheck disable=SC2016
+
+set -e
+
+if [ "$1" = 'postfix' ]; then
+
+ # generate confgurations using environment variables
+ envsubst '\$PRIMARY_DOMAIN \$RELAY_IP' < templates/main.cf > /etc/postfix/main.cf
+ cp /etc/postfix/master.cf.orig /etc/postfix/master.cf
+ envsubst '\$PRIMARY_DOMAIN \$RELAY_IP' < templates/master.cf >> /etc/postfix/master.cf
+
+ exec "$@"
+fi
+
+exec "$@"
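Review bot: Nothing checks that `PRIMARY_DOMAIN` is set before `envsubst` runs, so an unset variable produces `myhostname =` and `myorigin =` with empty values in the generated `main.cf` and Postfix starts misconfigured; a guard before the first `envsubst`, `: "${PRIMARY_DOMAIN:?PRIMARY_DOMAIN must be set}"`, fails fast with a clear message. The variable list is passed as `'\$PRIMARY_DOMAIN \$RELAY_IP'`, so the backslashes reach `envsubst` literally; it appears to still find the `$NAME` references, but the documented SHELL-FORMAT is `'$PRIMARY_DOMAIN $RELAY_IP'` (the existing `SC2016` disable already covers the single-quoted `$`). The `exec "$@"` inside the `if` makes the one after `fi` unreachable on that path; a single `exec "$@"` after the block does the same job. The comment also misspells "configurations".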
diff --git a/templates/main.cf b/templates/main.cf
new file mode 100644
index 0000000..d69a9f1
--- /dev/null
+++ b/templates/main.cf
@@ -0,0 +1,32 @@
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+biff = no
+append_dot_mydomain = no
+readme_directory = no
+smtpd_tls_cert_file=/run/secrets/fullchain.pem
+smtpd_tls_key_file=/run/secrets/privkey.pem
+smtpd_tls_security_level = may
+smtp_tls_security_level = may
+smtpd_tls_session_cache_database = btree:$data_directory/smtpd_scache
+smtp_tls_session_cache_database = btree:$data_directory/smtp_scache
+smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
+myhostname = ${PRIMARY_DOMAIN}
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+myorigin = ${PRIMARY_DOMAIN}
+mydestination = ${PRIMARY_DOMAIN}, localhost.com, , localhost
+relayhost =
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 ${RELAY_IP}
+mailbox_command = procmail -a "\$EXTENSION"
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_interfaces = all
+inet_protocols = ipv4
+milter_default_action = accept
+milter_protocol = 6
+smtpd_milters = inet:12301,inet:localhost:54321
+non_smtpd_milters = inet:12301,inet:localhost:54321
+disable_vrfy_command = yes
+smtp_tls_note_starttls_offer = yes
+always_bcc = mailarchive@${PRIMARY_DOMAIN}
+maillog_file = /dev/stdout
+compatibility_level = 2
diff --git a/templates/master.cf b/templates/master.cf
new file mode 100644
index 0000000..92ed8a7
--- /dev/null
+++ b/templates/master.cf
@@ -0,0 +1,9 @@
+submission inet n - - - - smtpd
+ -o syslog_name=postfix/submission
+ -o smtpd_tls_wrappermode=no
+ -o smtpd_tls_security_level=may
+ -o smtpd_sasl_auth_enable=yes
+ -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
+ -o milter_macro_daemon_name=ORIGINATING
+ -o smtpd_sasl_type=dovecot
+ -o smtpd_sasl_path=private/auth
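Review bot: `mydestination = ${PRIMARY_DOMAIN}, localhost.com, , localhost` contains an empty list element and `localhost.com`, which is a real public domain rather than the conventional `localhost.localdomain`, so the server would treat mail for that domain as local. `always_bcc = mailarchive@${PRIMARY_DOMAIN}` silently copies every message through the instance to that address, which is a material privacy and retention decision and needs a comment, `# every message is also delivered to mailarchive@; remove if not required`. `mailbox_command = procmail` depends on a binary the `Dockerfile` hunk does not install (it uses `--no-install-recommends`), so local mailbox delivery would fail unless procmail arrives some other way, and `smtpd_milters = inet:12301,...` names a port with no host, which may not parse as a Postfix milter endpoint (the documented form is `inet:host:port`). A header comment saying what listens on 12301 and 54321 (presumably OpenDKIM for one of them) would make the milter lines reviewable.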
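Review bot: The submission service enables SASL (`smtpd_sasl_auth_enable=yes`) while keeping `smtpd_tls_security_level=may`, and `main.cf` does not set `smtpd_tls_auth_only` (whose default is `no`), so a client can send credentials in plaintext on port 587; `-o smtpd_tls_security_level=encrypt` (or `-o smtpd_tls_auth_only=yes`) is the usual setting for a submission listener. `smtpd_sasl_type=dovecot` with `smtpd_sasl_path=private/auth` expects a Dovecot auth socket, but the `Dockerfile` hunk installs `sasl2-bin` and nothing in this patch provides Dovecot, so authentication on this port cannot succeed as shipped; either wire up the intended authenticator or add a comment stating that SASL is intentionally non-functional until one is configured.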