init

.gitignore

@@ -0,0 +1,2 @@
+environment
+aliases

docker-compose.yml

@@ -0,0 +1,49 @@
+version: '3.5'
+services:
+  postfix:
+    build: postfix
+    restart: unless-stopped
+    env_file:
+      - environment
+    volumes:
+      - ./aliases:/etc/postfix/virtual
+      - /var/lib/acme/:/var/lib/acme/:ro
+    networks:
+      mail:
+    depends_on:
+      - postgrey
+      - dovecot
+
+  postgrey:
+    build: postgrey
+    restart: unless-stopped
+    networks:
+      mail:
+
+  dovecot:
+    build: dovecot
+    restart: unless-stopped
+    env_file:
+      - environment
+    volumes:
+      - /var/lib/docker-volumes/mail/vmail/:/srv/vmail/
+      - /var/lib/acme/:/var/lib/acme/:ro
+    networks:
+      mail:
+      auth:
+
+  rainloop:
+    image: runningman84/rainloop
+    restart: unless-stopped
+    env_file:
+      - environment
+    volumes:
+      - /var/lib/docker-volumes/mail/rainloop/:/var/www/html/data
+    networks:
+      mail:
+
+networks:
+  mail:
+  auth:
+    external: true
+    name: auth_auth

dovecot/10-logging.conf

@@ -0,0 +1,11 @@
+log_path = /dev/stdout
+
+auth_verbose = yes
+
+plugin {
+  # Events to log. Also available: flag_change append
+  #mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename
+  # Available fields: uid, box, msgid, from, subject, size, vsize, flags
+  # size and vsize are available only for expunge and copy events.
+  #mail_log_fields = uid box msgid size
+}

dovecot/10-master.conf

@@ -0,0 +1,118 @@
+#default_process_limit = 100
+#default_client_limit = 1000
+
+# Default VSZ (virtual memory size) limit for service processes. This is mainly
+# intended to catch and kill processes that leak memory before they eat up
+# everything.
+#default_vsz_limit = 256M
+
+# Login user is internally used by login processes. This is the most untrusted
+# user in Dovecot system. It shouldn't have access to anything at all.
+#default_login_user = dovenull
+
+# Internal user is used by unprivileged processes. It should be separate from
+# login user, so that login processes can't disturb other processes.
+#default_internal_user = dovecot
+
+service imap-login {
+  inet_listener imap {
+    #port = 143
+  }
+  inet_listener imaps {
+    #port = 993
+    #ssl = yes
+  }
+
+  # Number of connections to handle before starting a new process. Typically
+  # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
+  # is faster. <doc/wiki/LoginProcess.txt>
+  #service_count = 1
+
+  # Number of processes to always keep waiting for more connections.
+  #process_min_avail = 0
+
+  # If you set service_count=0, you probably need to grow this.
+  #vsz_limit = $default_vsz_limit
+}
+
+service pop3-login {
+  inet_listener pop3 {
+    #port = 110
+  }
+  inet_listener pop3s {
+    #port = 995
+    #ssl = yes
+  }
+}
+
+service lmtp {
+  unix_listener lmtp {
+    #mode = 0666
+  }
+
+  # Create inet listener only if you can't use the above UNIX socket
+  inet_listener lmtp {
+    port = 24
+  }
+}
+
+service imap {
+  # Most of the memory goes to mmap()ing files. You may need to increase this
+  # limit if you have huge mailboxes.
+  #vsz_limit = $default_vsz_limit
+
+  # Max. number of IMAP processes (connections)
+  #process_limit = 1024
+}
+
+service pop3 {
+  # Max. number of POP3 processes (connections)
+  #process_limit = 1024
+}
+
+service auth {
+  # auth_socket_path points to this userdb socket by default. It's typically
+  # used by dovecot-lda, doveadm, possibly imap process, etc. Users that have
+  # full permissions to this socket are able to get a list of all usernames and
+  # get the results of everyone's userdb lookups.
+  #
+  # The default 0666 mode allows anyone to connect to the socket, but the
+  # userdb lookups will succeed only if the userdb returns an "uid" field that
+  # matches the caller process's UID. Also if caller's uid or gid matches the
+  # socket's uid or gid the lookup succeeds. Anything else causes a failure.
+  #
+  # To give the caller full permissions to lookup all users, set the mode to
+  # something else than 0666 and Dovecot lets the kernel enforce the
+  # permissions (e.g. 0777 allows everyone full permissions).
+  unix_listener auth-userdb {
+    #mode = 0666
+    #user = 
+    #group = 
+  }
+
+  # Postfix smtp-auth
+  inet_listener {
+    port = 100
+  }
+
+  # Auth process is run as this user.
+  #user = $default_internal_user
+}
+
+service auth-worker {
+  # Auth worker process is run as root by default, so that it can access
+  # /etc/shadow. If this isn't necessary, the user should be changed to
+  # $default_internal_user.
+  #user = root
+}
+
+service dict {
+  # If dict proxy is used, mail processes should have access to its socket.
+  # For example: mode=0660, group=vmail and global mail_access_groups=vmail
+  unix_listener dict {
+    #mode = 0600
+    #user = 
+    #group = 
+  }
+}
+

dovecot/Dockerfile

@@ -0,0 +1,22 @@
+FROM alpine:latest
+
+RUN apk add --no-cache \
+        dovecot \
+        dovecot-ldap
+
+RUN sed -i 's/#!include auth-ldap.conf.ext/!include auth-ldap.conf.ext/' /etc/dovecot/conf.d/10-auth.conf \
+    && sed -i 's/!include auth-passwdfile.conf.ext/#!include auth-passwdfile.conf.ext/' /etc/dovecot/conf.d/10-auth.conf
+
+RUN mkdir /ssl-params-cache/ \
+    && ln -s /ssl-params-cache/ssl-parameters.dat /var/lib/dovecot/ssl-parameters.dat
+
+COPY 10-master.conf /etc/dovecot/conf.d/10-master.conf
+COPY 10-logging.conf /etc/dovecot/conf.d/10-logging.conf
+COPY auth-ldap.conf.ext /etc/dovecot/conf.d/auth-ldap.conf.ext
+COPY entrypoint.sh /entrypoint.sh
+
+ENTRYPOINT ["/entrypoint.sh"]
+
+VOLUME "/ssl-params-cache/"
+
+EXPOSE 24 100 143

dovecot/auth-ldap.conf.ext

@@ -0,0 +1,8 @@
+passdb {
+  driver = ldap
+  args = /etc/dovecot/dovecot-ldap.conf.ext
+}
+userdb {
+  driver = ldap
+  args = /etc/dovecot/dovecot-ldap-userdb.conf.ext
+}

dovecot/entrypoint.sh

@@ -0,0 +1,24 @@
+#!/bin/ash
+
+cat > /etc/dovecot/dovecot-ldap.conf.ext << LDAP
+hosts = $LDAP_SERVER
+auth_bind = yes
+base = $LDAP_BASE
+user_filter = (&(objectClass=posixAccount)(mail=%u))
+pass_filter = (&(objectClass=posixAccount)(mail=%u))
+user_attrs = \
+           =home=/var/vmail/%d/%u, \
+           =mail=maildir:/var/vmail/%d/%u/Maildir
+LDAP
+
+cat > /etc/dovecot/conf.d/10-ssl.conf << SSL
+ssl = required
+ssl_cert = <$TLS_FULLCHAIN
+ssl_key = <$TLS_KEY
+
+ssl_dh_parameters_length = 2048
+SSL
+
+ln -s /etc/dovecot/dovecot-ldap.conf.ext /etc/dovecot/dovecot-ldap-userdb.conf.ext
+
+dovecot -F

environment.dist

@@ -0,0 +1,11 @@
+HOSTNAME=mail.example.com
+VIRTUAL_HOSTS=example.com example.net
+RELAYS=
+TLS_CERT=/path/to/cert
+TLS_CHAIN=/path/to/chain
+TLS_FULLCHAIN=/path/to/certandchain
+TLS_KEY=/path/to/key
+LDAP_SERVER=ldap
+LDAP_BASE=dc=ldap,dc=example,dc=com
+RAINLOOP_ADMIN_LOGIN=admin
+RAINLOOP_ADMIN_PASSWORD=password

postfix/Dockerfile

@@ -0,0 +1,19 @@
+FROM alpine:latest
+
+RUN apk add --no-cache \
+        supervisor \
+        rsyslog \
+        ca-certificates \
+        postfix \
+        openssl
+
+COPY postfix.sh /postfix.sh
+COPY supervisord.conf /etc/supervisord.conf
+
+ENTRYPOINT ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf"]
+
+VOLUME "/etc/postfix/dh-params/"
+
+EXPOSE 25 587
+
+# Noch submission machen

postfix/postfix.sh

@@ -0,0 +1,73 @@
+#!/bin/sh
+cat > /etc/postfix/main.cf << MAINCF
+# FQDN of system !reverse DNS!
+myhostname = $HOSTNAME
+
+# aliases
+virtual_alias_maps = hash:/etc/postfix/virtual
+
+recipient_delimiter = +
+
+smtpd_relay_restictions =
+
+smtpd_recipient_restrictions =
+# white/blacklists
+        check_recipient_access hash:/etc/postfix/access_recipient
+        check_sender_access hash:/etc/postfix/access_sender,
+        check_helo_access hash:/etc/postfix/access_helo,  
+        check_client_access cidr:/etc/postfix/access_client, 
+# deny mails for nonexistend recipients
+        reject_non_fqdn_sender,   
+        reject_non_fqdn_recipient,   
+        reject_unknown_sender_domain,   
+        reject_unknown_recipient_domain,
+# allow mails of our users
+        permit_sasl_authenticated,
+        permit_mynetworks,
+# deny mails to external destinations
+        reject_unauth_destination,
+# check against RBL
+        reject_rbl_client zen.spamhaus.org,
+        reject_rbl_client ix.dnsbl.manitu.net,
+# check greylisting
+        check_policy_service inet:postgrey:25
+# check if the user exists in dovecot
+        reject_unverified_recipient,
+# let it out
+        permit
+
+smtpd_sasl_auth_enable = yes
+smtpd_sasl_path= inet:dovecot:100
+smtpd_sasl_type = dovecot
+
+# out
+smtp_tls_security_level = may
+
+# in
+smtpd_tls_security_level = may
+smtpd_tls_cert_file = $TLS_CERT
+smtpd_tls_CAfile = $TLS_CHAIN
+smtpd_tls_key_file = $TLS_KEY
+
+smtpd_tls_dh1024_param_file = /etc/postfix/dh-params/2048.pem
+smtpd_tls_dh512_param_file = /etc/postfix/dh-params/512.pem
+smtpd_tls_eecdh_grade = strong
+tls_preempt_cipherlist = yes
+
+smtpd_tls_auth_only = yes
+
+# for lmtp relaying to dovecot
+relay_domains = hash:/etc/postfix/relay_domains
+MAINCF
+
+[ -e /etc/postfix/relay_domains ] && rm /etc/postfix/relay_domains
+for virtual_host in $VIRTUAL_HOSTS;do
+	echo "$virtual_host lmtp:[dovecot]" >> /etc/postfix/relay_domains
+done
+postmap /etc/postfix/relay_domains
+
+[ -e /etc/postfix/dh_512.pem ] || openssl gendh -out /etc/postfix/dh-params/512.pem -2 512
+[ -e /etc/postfix/dh_2048.pem ] || openssl gendh -out /etc/postfix/dh-params/2048.pem -2 2048
+
+postmap /etc/postfix/virtual
+/usr/lib/postfix/master -c /etc/postfix -d

postfix/supervisord.conf

@@ -0,0 +1,23 @@
+[supervisord]
+nodaemon=true
+loglevel=critical
+logfile=/dev/stdout
+logfile_maxbytes=0
+
+[program:rsyslog]
+command=/usr/sbin/rsyslogd -n
+stdout_logfile=/dev/null
+stdout_logfile_maxbytes=0
+redirect_stderr=true
+
+[program:postfix]
+command=/postfix.sh
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+redirect_stderr=true
+
+[program:logs]
+command=/usr/bin/tail -F /var/log/maillog
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+redirect_stderr=true

postgrey/Dockerfile

@@ -0,0 +1,9 @@
+FROM alpine:latest
+
+RUN apk add --no-cache \
+        perl-netaddr-ip \
+        postgrey
+
+ENTRYPOINT ["postgrey", "--inet=0.0.0.0:25", "--auto-whitelist-clients"]
+
+EXPOSE 25