[DOCKER][MAIL] Switched named volume to shared volume and changed env vars to env file

bin/setup_mail

@@ -0,0 +1,21 @@
+#!/bin/sh
+
+printf "Domain root: "
+read -r domain_root
+printf "Subdomain (can be empty): "
+read -r sub_domain
+
+if [ -z "$sub_domain" ]
+then
+  domain="${domain_root}"
+else
+  domain="${sub_domain}.${domain_root}"
+fi
+
+cat > ./docker/mail/mail.env <<EOF
+#!/bin/sh
+DOMAINNAME=${domain_root}
+MAILNAME=${domain}
+SSL_CERT=/etc/letsencrypt/live/${domain_root}/fullchain.pem
+SSL_KEY=/etc/letsencrypt/live/${domain_root}/privkey.pem
+EOF

docker-compose.yaml

@@ -86,25 +86,19 @@ services:
   
   mail:
     build: docker/mail
-    environment:
-      DOMAINNAME: mail.test
-      MAILNAME: mail.mail.test            
-      POSTMASTER: postmaster@mail.test
     env_file:
-      - ./docker/bootstrap/bootstrap.env
+      - ./docker/mail/mail.env
     ports:
       - 25:25
       - 143:143
       - 587:587
       - 993:993
     volumes:
-      - maildata:/var/mail
-      - mailconf:/etc/mail
+      - ./docker/mail/mail:/var/mail
+      - ./docker/mail/config:/etc/mail
       # Certbot
       - ./docker/certbot/www:/var/www/certbot
       - ./docker/certbot/.files:/etc/letsencrypt
 
 volumes:
   database:
-  maildata:
-  mailconf:

docker/mail/Dockerfile

@@ -1,46 +1,36 @@
 FROM debian:buster-slim
 
-ENV \
-	DEBIAN_FRONTEND=noninteractive \
-	DOMAINNAME=example.com \
-	MAILNAME=mail \
-	POSTMASTER=postmaster@example.com \
-	SSL_CERT=/etc/ssl/cert.pem \
-	SSL_KEY=/etc/ssl/key.pem
+ENV DEBIAN_FRONTEND=noninteractive 
 
 # Install packages
 RUN \
 	apt-get update \
 	&& apt-get upgrade -y \
 	&& apt-get install -y --no-install-recommends \
-		postfix \
-		telnet \
 		dovecot-core \
-		dovecot-pop3d \
 		dovecot-imapd \
 		dovecot-lmtpd \
-		supervisor \
-		rsyslog \
+		dovecot-pop3d \
 		opendkim \
 		opendkim-tools \
 		openssl \
+		postfix \
+		rsyslog \
+		supervisor \
+		telnet \
 	&& apt-get autoclean \
 	&& apt-get autoremove
 
 # Setup folders and users
 RUN \
-	rm /etc/postfix/main.cf /etc/postfix/master.cf /etc/dovecot/dovecot.conf /etc/dovecot/conf.d/* /etc/rsyslog.conf /etc/rsyslog.d/* \
-	&& groupadd -g 2222 vmail \
+	groupadd -g 2222 vmail \
 	&& useradd -d /var/mail -M -s /usr/sbin/nologin -u 2222 -g 2222 vmail \
 	&& usermod -aG vmail postfix \
 	&& usermod -aG vmail dovecot \
 	&& usermod -aG vmail opendkim\
 	&& mkdir -p -m 751 /var/mail/ \
 	&& mkdir -p -m 755 /etc/mail/ \
-	&& mkdir -p -m 755 /etc/ssl/ \
-	&& mkdir -p -m 700 /etc/opendkim/keys \
-	&& chown vmail:vmail /var/mail \
-	&& chown opendkim:opendkim /etc/opendkim/keys
+	&& chown vmail:vmail /var/mail
 	
 # Copy config files
 COPY rootfs/ /

docker/mail/config/dovecot/dovecot.conf

@@ -0,0 +1,73 @@
+protocols = imap pop3 lmtp
+
+ssl = yes
+ssl_cert = </etc/letsencrypt/live/social.org/fullchain.pem
+ssl_key = </etc/letsencrypt/live/social.org/privkey.pem
+ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
+
+listen = *, ::
+dict {
+  #quota = mysql:/etc/mail/dovecot/dovecot-dict-sql.conf.ext
+  #expire = sqlite:/etc/mail/dovecot/dovecot-dict-sql.conf.ext
+}
+
+disable_plaintext_auth = no
+auth_mechanisms = plain login
+mail_access_groups = vmail
+default_login_user = vmail
+first_valid_uid = 2222
+first_valid_gid = 2222
+mail_location = maildir:/var/mail/%d/%n
+auth_verbose_passwords = sha1
+auth_debug = yes
+
+
+passdb { 
+	driver = passwd-file
+	args = scheme=SHA512-CRYPT /etc/mail/passwd
+}
+userdb {
+	driver = static
+	args = uid=2222 gid=2222 home=/var/mail/%d/%n allow_all_users=yes
+	auth_verbose = yes
+}
+
+service auth {
+	unix_listener auth-client {
+		user = postfix
+		group = postfix
+		mode = 0660
+	}
+	user = root
+}
+
+service imap-login {
+	process_min_avail = 1
+	user = vmail
+}
+
+protocol lmtp {
+postmaster_address = 
+	mail_plugins = $mail_plugins sieve
+}
+
+protocol imap {
+	mail_max_userip_connections = 30
+}
+
+service stats {
+    unix_listener stats-reader {
+        user = vmail
+        group = vmail
+        mode = 0660
+    }
+
+    unix_listener stats-writer {
+        user = vmail
+        group = vmail
+        mode = 0660
+    }
+}
+
+!include_try conf.d/*.conf
+!include_try local.conf

docker/mail/config/opendkim/TrustedHosts

@@ -1,13 +1,13 @@
 # OPENDKIM TRUSTED HOSTS
 # To use this file, uncomment the #ExternalIgnoreList and/or the #InternalHosts
-# option in /etc/opendkim.conf then restart OpenDKIM. Additional hosts
+# option in /etc/mail/opendkim.conf then restart OpenDKIM. Additional hosts
 # may be added on separate lines (IP addresses, hostnames, or CIDR ranges).
 # The localhost IP (127.0.0.1) should always be the first entry in this file.
 127.0.0.1
 ::1
 172.17.0.0/16
 fe80::/64
-%MAIL_HOSTNAME_FQDN%
+social.org
 
 #host.example.com
 #192.168.1.0/24

docker/mail/config/opendkim/opendkim.conf

@@ -101,19 +101,19 @@ KeyFile	/var/opendkim/keys/default.private
 ##  Gives the location of a file mapping key names to signing keys. In simple terms,
 ##  this tells OpenDKIM where to find your keys. If present, overrides any KeyFile
 ##  directive in the configuration file. Requires SigningTable be enabled.
-# KeyTable	/etc/opendkim/KeyTable
+# KeyTable	/etc/mail/opendkim/KeyTable
 
 ##  Defines a table used to select one or more signatures to apply to a message based
 ##  on the address found in the From: header field. In simple terms, this tells
 ##  OpenDKIM how to use your keys. Requires KeyTable be enabled.
-# SigningTable	refile:/etc/opendkim/SigningTable
+# SigningTable	refile:/etc/mail/opendkim/SigningTable
 
 ##  Identifies a set of "external" hosts that may send mail through the server as one
 ##  of the signing domains without credentials as such.
-# ExternalIgnoreList	refile:/etc/opendkim/TrustedHosts
+# ExternalIgnoreList	refile:/etc/mail/opendkim/TrustedHosts
 
 ##  Identifies a set "internal" hosts whose mail should be signed rather than verified.
-InternalHosts	refile:/etc/opendkim/TrustedHosts
+InternalHosts	refile:/etc/mail/opendkim/TrustedHosts
 
 ##  Contains a list of IP addresses, CIDR blocks, hostnames or domain names
 ##  whose mail should be neither signed nor verified by this filter.  See man

docker/mail/config/postfix/main.cf

@@ -13,8 +13,7 @@ inet_protocols = all
 mydestination = $myhostname, localhost.$mydomain, localhost
 unknown_local_recipient_reject_code = 550
 mynetworks = 127.0.0.0/8, [::1]/128
-alias_maps = hash:/etc/postfix/aliases
-alias_database = $alias_maps
+alias_maps = hash:/etc/mail/postfix/aliases
 
 mailbox_command = /usr/lib/dovecot/deliver
   

docker/mail/config/rsyslogd/rsyslog.conf

@@ -32,8 +32,8 @@ $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
 # not useful and an extreme performance hit
 #$ActionFileEnableSync on
 
-# Include all config files in /etc/rsyslog.d/
-$IncludeConfig /etc/rsyslog.d/*.conf
+# Include all config files in /etc/mail/rsyslog.d/
+$IncludeConfig /etc/mail/rsyslog.d/*.conf
 
 # Turn off message reception via local log socket;
 # local messages are retrieved through imjournal now.

docker/mail/config/supervisord/supervisord.conf

@@ -19,7 +19,7 @@ autorestart=true
 stdout_logfile=/dev/fd/1
 stdout_logfile_maxbytes=0
 redirect_stderr=true
-command=opendkim -x /etc/opendkim/opendkim.conf
+command=/usr/sbin/opendkim -x /etc/mail/opendkim/opendkim.conf
 
 [program:postfix]
 autostart=false
@@ -27,7 +27,7 @@ autorestart=true
 stdout_logfile=/dev/fd/1
 stdout_logfile_maxbytes=0
 redirect_stderr=true
-command=postfix -c /etc/postfix/postfix.conf
+command=postfix -c /etc/mail/postfix/postfix.conf
 
 [program:dovecot]
 autostart=false
@@ -35,7 +35,7 @@ autorestart=true
 stdout_logfile=/dev/fd/1
 stdout_logfile_maxbytes=0
 redirect_stderr=true
-command=dovecot -c /etc/dovecot/dovecot.conf
+command=dovecot -c /etc/mail/dovecot/dovecot.conf
 
 [program:rsyslog]
 autostart=false
@@ -43,4 +43,4 @@ autorestart=true
 stdout_logfile=/dev/fd/1
 stdout_logfile_maxbytes=0
 redirect_stderr=true
-command=rsyslog -f /etc/rsyslog/rsyslog.conf
+command=rsyslog -f /etc/mail/rsyslogd/rsyslog.conf

docker/mail/exec.sh

@@ -16,6 +16,7 @@ then
 	then
 		docker exec mail new-user "${*,3}"
 	elif [ "$2" == "alias" ]
+	then
 		docker exec mail new-alias "${*,3}"	
 	fi	
 fi

docker/mail/rootfs/etc/mail/dovecot/15-lda.conf

@@ -0,0 +1,48 @@
+##
+## LDA specific settings (also used by LMTP)
+##
+
+# Address to use when sending rejection mails.
+# Default is postmaster@<your domain>. %d expands to recipient domain.
+#postmaster_address =
+
+# Hostname to use in various parts of sent mails (e.g. in Message-Id) and
+# in LMTP replies. Default is the system's real hostname@domain.
+#hostname = 
+
+# If user is over quota, return with temporary failure instead of
+# bouncing the mail.
+#quota_full_tempfail = no
+
+# Binary to use for sending mails.
+#sendmail_path = /usr/sbin/sendmail
+
+# If non-empty, send mails via this SMTP host[:port] instead of sendmail.
+#submission_host =
+
+# Subject: header to use for rejection mails. You can use the same variables
+# as for rejection_reason below.
+#rejection_subject = Rejected: %s
+
+# Human readable error message for rejection mails. You can use variables:
+#  %n = CRLF, %r = reason, %s = original subject, %t = recipient
+#rejection_reason = Your message to <%t> was automatically rejected:%n%r
+
+# Delimiter character between local-part and detail in email address.
+#recipient_delimiter = +
+
+# Header where the original recipient address (SMTP's RCPT TO: address) is taken
+# from if not available elsewhere. With dovecot-lda -a parameter overrides this. 
+# A commonly used header for this is X-Original-To.
+#lda_original_recipient_header =
+
+# Should saving a mail to a nonexistent mailbox automatically create it?
+lda_mailbox_autocreate = yes
+
+# Should automatically created mailboxes be also automatically subscribed?
+#lda_mailbox_autosubscribe = no
+
+protocol lda {
+  # Space separated list of plugins to load (default is global mail_plugins).
+  mail_plugins = $mail_plugins sieve
+}

docker/mail/rootfs/etc/mail/dovecot/20-managesieve.conf

@@ -0,0 +1,76 @@
+##
+## ManageSieve specific settings
+##
+
+# Uncomment to enable managesieve protocol:
+protocols = $protocols sieve
+
+# Service definitions
+
+service managesieve-login {
+  inet_listener sieve {
+    port = 4190
+  }
+
+  #inet_listener sieve_deprecated {
+  #  port = 2000
+  #}
+
+  # Number of connections to handle before starting a new process. Typically
+  # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
+  # is faster. <doc/wiki/LoginProcess.txt>
+  service_count = 1
+
+  # Number of processes to always keep waiting for more connections.
+  #process_min_avail = 0
+
+  # If you set service_count=0, you probably need to grow this.
+  #vsz_limit = 64M
+}
+
+service managesieve {
+  # Max. number of ManageSieve processes (connections)
+  process_limit = 1024
+}
+
+# Service configuration
+
+protocol sieve {
+  # Maximum ManageSieve command line length in bytes. ManageSieve usually does
+  # not involve overly long command lines, so this setting will not normally
+  # need adjustment
+  #managesieve_max_line_length = 65536
+
+  # Maximum number of ManageSieve connections allowed for a user from each IP
+  # address.
+  # NOTE: The username is compared case-sensitively.
+  #mail_max_userip_connections = 10
+
+  # Space separated list of plugins to load (none known to be useful so far).
+  # Do NOT try to load IMAP plugins here.
+  #mail_plugins =
+
+  # MANAGESIEVE logout format string:
+  #  %i - total number of bytes read from client
+  #  %o - total number of bytes sent to client
+  #managesieve_logout_format = bytes=%i/%o
+
+  # To fool ManageSieve clients that are focused on CMU's timesieved you can
+  # specify the IMPLEMENTATION capability that Dovecot reports to clients.
+  # For example: 'Cyrus timsieved v2.2.13'
+  #managesieve_implementation_string = Dovecot Pigeonhole
+
+  # Explicitly specify the SIEVE and NOTIFY capability reported by the server
+  # before login. If left unassigned these will be reported dynamically
+  # according to what the Sieve interpreter supports by default (after login
+  # this may differ depending on the user).
+  #managesieve_sieve_capability =
+  #managesieve_notify_capability =
+
+  # The maximum number of compile errors that are returned to the client upon
+  # script upload or script verification.
+  #managesieve_max_compile_errors = 5
+
+  # Refer to 90-sieve.conf for script quota configuration and configuration of
+  # Sieve execution limits.
+}

docker/mail/rootfs/etc/mail/dovecot/90-sieve-extprograms.conf

@@ -0,0 +1,44 @@
+# Sieve Extprograms plugin configuration
+
+# Don't forget to add the sieve_extprograms plugin to the sieve_plugins setting.
+# Also enable the extensions you need (one or more of vnd.dovecot.pipe,
+# vnd.dovecot.filter and vnd.dovecot.execute) by adding these	to the
+# sieve_extensions or sieve_global_extensions settings. Restricting these
+# extensions to a global context using sieve_global_extensions is recommended.
+
+plugin {
+
+  # The directory where the program sockets are located for the
+  # vnd.dovecot.pipe, vnd.dovecot.filter and vnd.dovecot.execute extension
+  # respectively. The name of each unix socket contained in that directory
+  # directly maps to a program-name referenced from the Sieve script.
+  #sieve_pipe_socket_dir = sieve-pipe
+  #sieve_filter_socket_dir = sieve-filter
+  #sieve_execute_socket_dir = sieve-execute
+
+  # The directory where the scripts are located for direct execution by the
+  # vnd.dovecot.pipe, vnd.dovecot.filter and vnd.dovecot.execute extension
+  # respectively. The name of each script contained in that directory
+  # directly maps to a program-name referenced from the Sieve script.
+  #sieve_pipe_bin_dir = /usr/lib/dovecot/sieve-pipe
+  #sieve_filter_bin_dir = /usr/lib/dovecot/sieve-filter
+  #sieve_execute_bin_dir = /usr/lib/dovecot/sieve-execute
+}
+
+# An example program service called 'do-something' to pipe messages to
+#service do-something {
+  # Define the executed script as parameter to the sieve service
+  #executable = script /usr/lib/dovecot/sieve-pipe/do-something.sh
+
+  # Use some unprivileged user for executing the program
+  #user = dovenull
+
+  # The unix socket located in the sieve_pipe_socket_dir (as defined in the 
+  # plugin {} section above)
+  #unix_listener sieve-pipe/do-something {
+    # LDA/LMTP must have access
+  #  user = vmail  
+  #  mode = 0600
+  #}
+#}
+

docker/mail/rootfs/etc/mail/dovecot/90-sieve.conf

@@ -0,0 +1,105 @@
+##
+## Settings for the Sieve interpreter
+##
+
+# Do not forget to enable the Sieve plugin in 15-lda.conf and 20-lmtp.conf
+# by adding it to the respective mail_plugins= settings.
+
+plugin {
+  # The path to the user's main active script. If ManageSieve is used, this the
+  # location of the symbolic link controlled by ManageSieve.
+  sieve = ~/.dovecot.sieve
+
+  # The default Sieve script when the user has none. This is a path to a global
+  # sieve script file, which gets executed ONLY if user's private Sieve script
+  # doesn't exist. Be sure to pre-compile this script manually using the sievec
+  # command line tool.
+  # --> See sieve_before fore executing scripts before the user's personal
+  #     script.
+  #sieve_default = /var/lib/dovecot/sieve/default.sieve
+
+  # Directory for :personal include scripts for the include extension. This
+  # is also where the ManageSieve service stores the user's scripts.
+  sieve_dir = ~/sieve
+
+  # Directory for :global include scripts for the include extension.
+  #sieve_global_dir =
+
+  # Path to a script file or a directory containing script files that need to be
+  # executed before the user's script. If the path points to a directory, all
+  # the Sieve scripts contained therein (with the proper .sieve extension) are
+  # executed. The order of execution within a directory is determined by the
+  # file names, using a normal 8bit per-character comparison. Multiple script
+  # file or directory paths can be specified by appending an increasing number.
+  #sieve_before =
+  #sieve_before2 =
+  #sieve_before3 = (etc...)
+
+  # Identical to sieve_before, only the specified scripts are executed after the
+  # user's script (only when keep is still in effect!). Multiple script file or
+  # directory paths can be specified by appending an increasing number.
+  #sieve_after =
+  #sieve_after2 =
+  #sieve_after2 = (etc...)
+
+  # Which Sieve language extensions are available to users. By default, all
+  # supported extensions are available, except for deprecated extensions or
+  # those that are still under development. Some system administrators may want
+  # to disable certain Sieve extensions or enable those that are not available
+  # by default. This setting can use '+' and '-' to specify differences relative
+  # to the default. For example `sieve_extensions = +imapflags' will enable the
+	# deprecated imapflags extension in addition to all extensions were already
+  # enabled by default.
+  #sieve_extensions = +notify +imapflags
+
+  # Which Sieve language extensions are ONLY available in global scripts. This
+  # can be used to restrict the use of certain Sieve extensions to administrator
+  # control, for instance when these extensions can cause security concerns.
+  # This setting has higher precedence than the `sieve_extensions' setting
+  # (above), meaning that the extensions enabled with this setting are never
+  # available to the user's personal script no matter what is specified for the
+  # `sieve_extensions' setting. The syntax of this setting is similar to the
+  # `sieve_extensions' setting, with the difference that extensions are
+  # enabled or disabled for exclusive use in global scripts. Currently, no
+  # extensions are marked as such by default.
+  #sieve_global_extensions =
+
+  # The Pigeonhole Sieve interpreter can have plugins of its own. Using this
+  # setting, the used plugins can be specified. Check the Dovecot wiki
+  # (wiki2.dovecot.org) or the pigeonhole website
+  # (http://pigeonhole.dovecot.org) for available plugins.
+	# The sieve_extprograms plugin is included in this release.
+  #sieve_plugins =
+
+  # The separator that is expected between the :user and :detail
+  # address parts introduced by the subaddress extension. This may
+  # also be a sequence of characters (e.g. '--'). The current
+  # implementation looks for the separator from the left of the
+  # localpart and uses the first one encountered. The :user part is
+  # left of the separator and the :detail part is right. This setting
+  # is also used by Dovecot's LMTP service.
+  #recipient_delimiter = +
+
+  # The maximum size of a Sieve script. The compiler will refuse to compile any
+  # script larger than this limit. If set to 0, no limit on the script size is
+  # enforced.
+  #sieve_max_script_size = 1M
+
+  # The maximum number of actions that can be performed during a single script
+  # execution. If set to 0, no limit on the total number of actions is enforced.
+  #sieve_max_actions = 32
+
+  # The maximum number of redirect actions that can be performed during a single
+  # script execution. If set to 0, no redirect actions are allowed.
+  #sieve_max_redirects = 4
+
+  # The maximum number of personal Sieve scripts a single user can have. If set
+  # to 0, no limit on the number of scripts is enforced.
+  # (Currently only relevant for ManageSieve)
+  #sieve_quota_max_scripts = 0
+
+  # The maximum amount of disk storage a single user's scripts may occupy. If
+  # set to 0, no limit on the used amount of disk storage is enforced.
+  # (Currently only relevant for ManageSieve)
+  #sieve_quota_max_storage = 0
+}

docker/mail/rootfs/etc/mail/dovecot/dovecot.conf

@@ -7,8 +7,8 @@ ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
 
 listen = *, ::
 dict {
-  #quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
-  #expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
+  #quota = mysql:/etc/mail/dovecot/dovecot-dict-sql.conf.ext
+  #expire = sqlite:/etc/mail/dovecot/dovecot-dict-sql.conf.ext
 }
 
 disable_plaintext_auth = no

docker/mail/rootfs/etc/mail/opendkim/TrustedHosts

@@ -0,0 +1,13 @@
+# OPENDKIM TRUSTED HOSTS
+# To use this file, uncomment the #ExternalIgnoreList and/or the #InternalHosts
+# option in /etc/mail/opendkim.conf then restart OpenDKIM. Additional hosts
+# may be added on separate lines (IP addresses, hostnames, or CIDR ranges).
+# The localhost IP (127.0.0.1) should always be the first entry in this file.
+127.0.0.1
+::1
+172.17.0.0/16
+fe80::/64
+#HOSTNAME
+
+#host.example.com
+#192.168.1.0/24

docker/mail/rootfs/etc/mail/opendkim/opendkim.conf

@@ -0,0 +1,128 @@
+## BASIC OPENDKIM CONFIGURATION FILE
+## See opendkim.conf(5) or /usr/share/doc/opendkim/opendkim.conf.sample for more
+
+## BEFORE running OpenDKIM you must:
+
+## - make your MTA (Postfix, Sendmail, etc.) aware of OpenDKIM
+## - generate keys for your domain (if signing)
+## - edit your DNS records to publish your public keys (if signing)
+
+## See /usr/share/doc/opendkim/INSTALL for detailed instructions.
+
+## DEPRECATED CONFIGURATION OPTIONS
+## 
+## The following configuration options are no longer valid.  They should be
+## removed from your existing configuration file to prevent potential issues.
+## Failure to do so may result in opendkim being unable to start.
+## 
+## Removed in 2.10.0:
+##   AddAllSignatureResults
+##   ADSPAction
+##   ADSPNoSuchDomain
+##   BogusPolicy
+##   DisableADSP
+##   LDAPSoftStart
+##   LocalADSP
+##   NoDiscardableMailTo
+##   On-PolicyError
+##   SendADSPReports
+##   UnprotectedPolicy
+
+## CONFIGURATION OPTIONS
+
+##  Specifies the path to the process ID file.
+PidFile	/var/run/opendkim/opendkim.pid
+
+##  Selects operating modes. Valid modes are s (sign) and v (verify). Default is v.
+##  Must be changed to s (sign only) or sv (sign and verify) in order to sign outgoing
+##  messages.
+Mode	s
+
+##  Log activity to the system log.
+Syslog	yes
+
+##  Log additional entries indicating successful signing or verification of messages.
+SyslogSuccess	yes
+
+##  If logging is enabled, include detailed logging about why or why not a message was
+##  signed or verified. This causes an increase in the amount of log data generated
+##  for each message, so set this to No (or comment it out) if it gets too noisy.
+LogWhy	yes
+
+##  Attempt to become the specified user before starting operations.
+UserID	opendkim:opendkim
+
+##  Create a socket through which your MTA can communicate.
+Socket	inet:8891@localhost
+
+##  Required to use local socket with MTAs that access the socket as a non-
+##  privileged user (e.g. Postfix)
+Umask	002
+
+##  This specifies a text file in which to store DKIM transaction statistics.
+##  OpenDKIM must be manually compiled with --enable-stats to enable this feature.
+# Statistics	/var/spool/opendkim/stats.dat
+
+##  Specifies whether or not the filter should generate report mail back
+##  to senders when verification fails and an address for such a purpose
+##  is provided. See opendkim.conf(5) for details.
+# SendReports	yes
+
+##  Specifies the sending address to be used on From: headers of outgoing
+##  failure reports.  By default, the e-mail address of the user executing
+##  the filter is used (executing_user@hostname).
+# ReportAddress	"Example.com Postmaster" <postmaster@example.com>
+
+##  Add a DKIM-Filter header field to messages passing through this filter
+##  to identify messages it has processed.
+SoftwareHeader	yes
+
+## SIGNING OPTIONS
+
+##  Selects the canonicalization method(s) to be used when signing messages.
+Canonicalization	relaxed/simple
+
+##  Domain(s) whose mail should be signed by this filter. Mail from other domains will
+##  be verified rather than being signed. Uncomment and use your domain name.
+##  This parameter is not required if a SigningTable is in use.
+Domain	file:/etc/mail/domains
+
+
+##  Defines the name of the selector to be used when signing messages.
+Selector	default
+
+##  Specifies the minimum number of key bits for acceptable keys and signatures.
+MinimumKeyBits	1024
+
+##  Gives the location of a private key to be used for signing ALL messages. This
+##  directive is ignored if KeyTable is enabled.
+KeyFile	/var/opendkim/keys/default.private
+
+##  Gives the location of a file mapping key names to signing keys. In simple terms,
+##  this tells OpenDKIM where to find your keys. If present, overrides any KeyFile
+##  directive in the configuration file. Requires SigningTable be enabled.
+# KeyTable	/etc/mail/opendkim/KeyTable
+
+##  Defines a table used to select one or more signatures to apply to a message based
+##  on the address found in the From: header field. In simple terms, this tells
+##  OpenDKIM how to use your keys. Requires KeyTable be enabled.
+# SigningTable	refile:/etc/mail/opendkim/SigningTable
+
+##  Identifies a set of "external" hosts that may send mail through the server as one
+##  of the signing domains without credentials as such.
+# ExternalIgnoreList	refile:/etc/mail/opendkim/TrustedHosts
+
+##  Identifies a set "internal" hosts whose mail should be signed rather than verified.
+InternalHosts	refile:/etc/mail/opendkim/TrustedHosts
+
+##  Contains a list of IP addresses, CIDR blocks, hostnames or domain names
+##  whose mail should be neither signed nor verified by this filter.  See man
+##  page for file format.
+# PeerList	X.X.X.X
+
+##  Always oversign From (sign using actual From and a null From to prevent
+##  malicious signatures header fields (From and/or others) between the signer
+##  and the verifier.  From is oversigned by default in the Fedora package
+##  because it is often the identity key used by reputation systems and thus
+##  somewhat security sensitive.
+OversignHeaders	From

docker/mail/rootfs/etc/mail/postfix/main.cf

@@ -0,0 +1,77 @@
+## STANDARD POSTFIX CONFIG PARAMS ###
+
+queue_directory = /var/spool/postfix
+command_directory = /usr/sbin
+daemon_directory = /usr/lib/postfix/sbin
+data_directory = /var/lib/postfix
+mail_owner = postfix
+myhostname = %MAIL_HOSTNAME%
+mydomain = %MAIL_HOSTNAME_FQDN%
+myorigin = $myhostname
+inet_interfaces = all
+inet_protocols = all
+mydestination = $myhostname, localhost.$mydomain, localhost
+unknown_local_recipient_reject_code = 550
+mynetworks = 127.0.0.0/8, [::1]/128
+alias_maps = hash:/etc/mail/postfix/aliases
+
+mailbox_command = /usr/lib/dovecot/deliver
+  
+debug_peer_level = 2
+debugger_command =
+	 PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
+	 ddd $daemon_directory/$process_name $process_id & sleep 5
+sendmail_path = /usr/sbin/sendmail.postfix
+newaliases_path = /usr/bin/newaliases.postfix
+mailq_path = /usr/bin/mailq.postfix
+setgid_group = postdrop
+html_directory = no
+manpage_directory = /usr/share/man
+sample_directory = /usr/share/doc/postfix-2.10.1/samples
+readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
+
+smtp_tls_security_level = may
+smtp_tls_loglevel = 1
+smtp_tls_protocols = !SSLv2
+smtp_tls_exclude_ciphers = EXPORT, LOW
+
+### VIRTUAL MAIL CONFIG PARAMS ###
+relay_domains = *
+virtual_alias_maps = hash:/etc/mail/aliases
+virtual_mailbox_domains = hash:/etc/mail/domains
+virtual_mailbox_maps = hash:/etc/mail/mailboxes
+
+virtual_mailbox_base = /var/mail
+virtual_minimum_uid = 2222
+virtual_transport = dovecot
+virtual_uid_maps = static:2222
+virtual_gid_maps = static:2222
+
+dovecot_destination_recipient_limit = 1
+
+milter_protocol = 2
+milter_default_action = accept
+smtpd_milters = inet:localhost:8891
+non_smtpd_milters = inet:localhost:8891
+
+smtpd_sasl_auth_enable = yes
+smtpd_sasl_type = dovecot
+smtpd_sasl_path = /var/run/dovecot/auth-client
+smtpd_sasl_security_options = noanonymous
+smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
+smtpd_sasl_local_domain = $mydomain
+broken_sasl_auth_clients = yes
+
+smtpd_tls_security_level = may
+smtpd_tls_key_file = /etc/ssl/mail.key
+smtpd_tls_cert_file = /etc/ssl/mail.crt
+smtpd_tls_loglevel = 1
+smtpd_tls_session_cache_timeout = 3600s
+smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_cache
+smtpd_tls_protocols = $smtp_tls_protocols
+tls_random_source = dev:/dev/urandom
+tls_random_exchange_name = /var/lib/postfix/prng_exch
+smtpd_tls_auth_only = yes
+
+smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
+smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

docker/mail/rootfs/etc/mail/postfix/master.cf

@@ -0,0 +1,126 @@
+#
+# Postfix master process configuration file.  For details on the format
+# of the file, see the master(5) manual page (command: "man 5 master").
+#
+# Do not forget to execute "postfix reload" after editing this file.
+#
+# ==========================================================================
+# service type  private unpriv  chroot  wakeup  maxproc command + args
+#               (yes)   (yes)   (yes)   (never) (100)
+# ==========================================================================
+smtp      inet  n       -       n       -       -       smtpd
+#smtp      inet  n       -       n       -       1       postscreen
+#smtpd     pass  -       -       n       -       -       smtpd
+#dnsblog   unix  -       -       n       -       0       dnsblog
+#tlsproxy  unix  -       -       n       -       0       tlsproxy
+submission inet n       -       n       -       -       smtpd
+#  -o syslog_name=postfix/submission
+#  -o smtpd_tls_security_level=encrypt
+#  -o smtpd_sasl_auth_enable=yes
+#  -o smtpd_reject_unlisted_recipient=no
+#  -o smtpd_client_restrictions=$mua_client_restrictions
+#  -o smtpd_helo_restrictions=$mua_helo_restrictions
+#  -o smtpd_sender_restrictions=$mua_sender_restrictions
+#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
+#  -o milter_macro_daemon_name=ORIGINATING
+smtps     inet  n       -       n       -       -       smtpd
+  -o syslog_name=postfix/smtps
+  -o smtpd_tls_wrappermode=yes
+  -o smtpd_sasl_auth_enable=yes
+  -o smtpd_reject_unlisted_recipient=no
+  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
+  -o milter_macro_daemon_name=ORIGINATING
+#628       inet  n       -       n       -       -       qmqpd
+pickup    unix  n       -       n       60      1       pickup
+cleanup   unix  n       -       n       -       0       cleanup
+qmgr      unix  n       -       n       300     1       qmgr
+#qmgr     unix  n       -       n       300     1       oqmgr
+tlsmgr    unix  -       -       n       1000?   1       tlsmgr
+rewrite   unix  -       -       n       -       -       trivial-rewrite
+bounce    unix  -       -       n       -       0       bounce
+defer     unix  -       -       n       -       0       bounce
+trace     unix  -       -       n       -       0       bounce
+verify    unix  -       -       n       -       1       verify
+flush     unix  n       -       n       1000?   0       flush
+proxymap  unix  -       -       n       -       -       proxymap
+proxywrite unix -       -       n       -       1       proxymap
+smtp      unix  -       -       n       -       -       smtp
+relay     unix  -       -       n       -       -       smtp
+#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
+showq     unix  n       -       n       -       -       showq
+error     unix  -       -       n       -       -       error
+retry     unix  -       -       n       -       -       error
+discard   unix  -       -       n       -       -       discard
+local     unix  -       n       n       -       -       local
+virtual   unix  -       n       n       -       -       virtual
+lmtp      unix  -       -       n       -       -       lmtp
+anvil     unix  -       -       n       -       1       anvil
+scache    unix  -       -       n       -       1       scache
+#
+# ====================================================================
+# Interfaces to non-Postfix software. Be sure to examine the manual
+# pages of the non-Postfix software to find out what options it wants.
+#
+# Many of the following services use the Postfix pipe(8) delivery
+# agent.  See the pipe(8) man page for information about ${recipient}
+# and other message envelope options.
+# ====================================================================
+#
+# maildrop. See the Postfix MAILDROP_README file for details.
+# Also specify in main.cf: maildrop_destination_recipient_limit=1
+#
+#maildrop  unix  -       n       n       -       -       pipe
+#  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
+#
+# ====================================================================
+#
+# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
+#
+# Specify in cyrus.conf:
+#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
+#
+# Specify in main.cf one or more of the following:
+#  mailbox_transport = lmtp:inet:localhost
+#  virtual_transport = lmtp:inet:localhost
+#
+# ====================================================================
+#
+# Cyrus 2.1.5 (Amos Gouaux)
+# Also specify in main.cf: cyrus_destination_recipient_limit=1
+#
+#cyrus     unix  -       n       n       -       -       pipe
+#  user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
+#
+# ====================================================================
+#
+# Old example of delivery via Cyrus.
+#
+#old-cyrus unix  -       n       n       -       -       pipe
+#  flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
+#
+# ====================================================================
+#
+# See the Postfix UUCP_README file for configuration details.
+#
+#uucp      unix  -       n       n       -       -       pipe
+#  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
+#
+# ====================================================================
+#
+# Other external delivery methods.
+#
+#ifmail    unix  -       n       n       -       -       pipe
+#  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
+#
+#bsmtp     unix  -       n       n       -       -       pipe
+#  flags=Fq. user=bsmtp argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
+#
+#scalemail-backend unix -       n       n       -       2       pipe
+#  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
+#  ${nexthop} ${user} ${extension}
+#
+#mailman   unix  -       n       n       -       -       pipe
+#  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
+#  ${nexthop} ${user}
+dovecot   unix  -       n       n       -       -       pipe
+  flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${recipient}

docker/mail/rootfs/etc/mail/rsyslogd/rsyslog.conf

@@ -0,0 +1,91 @@
+# rsyslog configuration file
+
+# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
+# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
+
+#### MODULES ####
+
+# The imjournal module bellow is now used as a message source instead of imuxsock.
+$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
+#$ModLoad imjournal # provides access to the systemd journal
+#$ModLoad imklog # reads kernel messages (the same are read from journald)
+#$ModLoad immark  # provides --MARK-- message capability
+
+# Provides UDP syslog reception
+#$ModLoad imudp
+#$UDPServerRun 514
+
+# Provides TCP syslog reception
+#$ModLoad imtcp
+#$InputTCPServerRun 514
+
+
+#### GLOBAL DIRECTIVES ####
+
+# Where to place auxiliary files
+#$WorkDirectory /var/lib/rsyslog
+
+# Use default timestamp format
+$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
+
+# File syncing capability is disabled by default. This feature is usually not required,
+# not useful and an extreme performance hit
+#$ActionFileEnableSync on
+
+# Include all config files in /etc/mail/rsyslog.d/
+$IncludeConfig /etc/mail/rsyslog.d/*.conf
+
+# Turn off message reception via local log socket;
+# local messages are retrieved through imjournal now.
+$OmitLocalLogging off
+
+# File to store the position in the journal
+# $IMJournalStateFile imjournal.state
+
+
+#### RULES ####
+
+# Log all kernel messages to the console.
+# Logging much else clutters up the screen.
+#kern.*                                                 /dev/console
+
+# Log anything (except mail) of level info or higher.
+# Don't log private authentication messages!
+*.info;mail.none;authpriv.none;cron.none                /var/log/messages
+
+# The authpriv file has restricted access.
+authpriv.*                                              /var/log/secure
+
+# Log all the mail messages in one place.
+mail.*                                                  -/var/log/maillog
+
+
+# Log cron stuff
+cron.*                                                  /var/log/cron
+
+# Everybody gets emergency messages
+*.emerg                                                 :omusrmsg:*
+
+# Save news errors of level crit and higher in a special file.
+uucp,news.crit                                          /var/log/spooler
+
+# Save boot messages also to boot.log
+local7.*                                                /var/log/boot.log
+
+
+# ### begin forwarding rule ###
+# The statement between the begin ... end define a SINGLE forwarding
+# rule. They belong together, do NOT split them. If you create multiple
+# forwarding rules, duplicate the whole block!
+# Remote Logging (we use TCP for reliable delivery)
+#
+# An on-disk queue is created for this action. If the remote host is
+# down, messages are spooled to disk and sent when it is up again.
+#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
+#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
+#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
+#$ActionQueueType LinkedList   # run asynchronously
+#$ActionResumeRetryCount -1    # infinite retries if host is down
+# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
+#*.* @@remote-host:514
+# ### end of the forwarding rule ###

docker/mail/rootfs/etc/mail/supervisord/supervisord.conf

@@ -0,0 +1,46 @@
+[unix_http_server]
+file=/tmp/supervisor.sock
+
+[supervisord]
+nodaemon=true
+user=root
+loglevel=warn
+
+[supervisorctl]
+serverurl=unix:///tmp/supervisor.sock
+user=root
+
+[rpcinterface:supervisor]
+supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface
+
+[program:opendkim]
+autostart=false
+autorestart=true
+stdout_logfile=/dev/fd/1
+stdout_logfile_maxbytes=0
+redirect_stderr=true
+command=/usr/sbin/opendkim -x /etc/mail/opendkim/opendkim.conf
+
+[program:postfix]
+autostart=false
+autorestart=true
+stdout_logfile=/dev/fd/1
+stdout_logfile_maxbytes=0
+redirect_stderr=true
+command=postfix -c /etc/mail/postfix/postfix.conf
+
+[program:dovecot]
+autostart=false
+autorestart=true
+stdout_logfile=/dev/fd/1
+stdout_logfile_maxbytes=0
+redirect_stderr=true
+command=dovecot -c /etc/mail/dovecot/dovecot.conf
+
+[program:rsyslog]
+autostart=false
+autorestart=true
+stdout_logfile=/dev/fd/1
+stdout_logfile_maxbytes=0
+redirect_stderr=true
+command=rsyslog -f /etc/mail/rsyslogd/rsyslog.conf

docker/mail/rootfs/usr/bin/start.sh

@@ -1,32 +1,24 @@
 #!/bin/sh
-
-CERTBOT="/etc/letsencrypt/live/$domain/fullchain.pem"
-KEYBOT="/etc/letsencrypt/live/$domain/privkey.pem"
-
 # Config postfix
 postconf -e myhostname="$MAILNAME"
 postconf -e mydomain="$DOMAINNAME"
-postconf -e smtpd_tls_cert_file="$CERTBOT"
-postconf -e smtpd_tls_key_file="$KEYBOT"
+postconf -e smtpd_tls_cert_file="$SSL_CERT"
+postconf -e smtpd_tls_key_file="$SSL_KEY"
 
 # Config dovecot
-sed -i -e "s#^\s*ssl_cert\s*=.*#ssl_cert = <$CERTBOT#" /etc/dovecot/dovecot.conf
-sed -i -e "s#^\s*ssl_key\s*=.*#ssl_key = <$KEYBOT#" /etc/dovecot/dovecot.conf
-sed -i -e "s#^\s*hostname\s*=.*#hostname = $MAILNAME#" /etc/dovecot/dovecot.conf
-sed -i -e "s#^\s*postmaster_address\s*=.*#postmaster_address = $POSTMASTER#" /etc/dovecot/dovecot.conf
+sed -i -e "s#^\s*ssl_cert\s*=.*#ssl_cert = <$SSL_CERT#" /etc/mail/dovecot/dovecot.conf
+sed -i -e "s#^\s*ssl_key\s*=.*#ssl_key = <$SSL_KEY#" /etc/mail/dovecot/dovecot.conf
+sed -i -e "s#^\s*hostname\s*=.*#hostname = $MAILNAME#" /etc/mail/dovecot/dovecot.conf
+sed -i -e "s#^\s*postmaster_address\s*=.*#postmaster_address = $POSTMASTER#" /etc/mail/dovecot/dovecot.conf
 
 # Config dkim
-sed -i -e "s/#HOSTNAME/$MAILNAME/" /etc/opendkim/TrustedHosts
+sed -i -e "s/#HOSTNAME/$MAILNAME/" /etc/mail/opendkim/TrustedHosts
 
 # Run openssl
-if [ $signed -eq 0 ]
+if [ ! -e "$SSL_CERT" ]
 then
-	openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout "$SSL_KEY" -out "$SSL_CERT" \
-		-subj "/C=UK/ST=England/L=London/O=OrgName/OU=IT Department/CN=$MAILNAME"
-	postconf -e smtpd_tls_cert_file="$SSL_CERT"
-	postconf -e smtpd_tls_key_file="$SSL_KEY"
-	sed -i -e "s#^\s*ssl_cert\s*=.*#ssl_cert = <$SSL_CERT#" /etc/dovecot/dovecot.conf
-	sed -i -e "s#^\s*ssl_key\s*=.*#ssl_key = <$SSL_KEY#" /etc/dovecot/dovecot.conf
+	mkdir -p "$(dirname $SSL_CERT)" "$(dirname $SSL_KEY)"
+	openssl req -x509 -nodes -newkey rsa:2018 -days 365 -keyout "$SSL_CERT" -out "$SSL_KEY"
 fi
 
 # Run opendkim
@@ -45,8 +37,8 @@ fi
 
 
 # Start services
-rsyslogd 				-f /etc/rsyslogd/rsyslog.conf
-/usr/sbin/opendkim 		-x /etc/opendkim/opendkim.conf
-/usr/sbin/dovecot 		-c /etc/dovecot/dovecot.conf
-/usr/sbin/postfix start	-c /etc/postfix
-supervisord 			-c /etc/supervisord/supervisord.conf
+rsyslogd 				-f /etc/mail/rsyslogd/rsyslog.conf
+/usr/sbin/opendkim 		-x /etc/mail/opendkim/opendkim.conf
+/usr/sbin/dovecot 		-c /etc/mail/dovecot/dovecot.conf
+/usr/sbin/postfix start	-c /etc/mail/postfix
+supervisord 			-c /etc/mail/supervisord/supervisord.conf