first

data/Dockerfiles/postfix/Dockerfile

@@ -0,0 +1,63 @@
+FROM debian:bookworm-slim
+
+LABEL maintainer = "The Infrastructure Company GmbH <info@servercow.de>"
+
+ARG DEBIAN_FRONTEND=noninteractive
+ENV LC_ALL C
+
+RUN dpkg-divert --local --rename --add /sbin/initctl \
+	&& ln -sf /bin/true /sbin/initctl \
+	&& dpkg-divert --local --rename --add /usr/bin/ischroot \
+	&& ln -sf /bin/true /usr/bin/ischroot
+
+# Add groups and users before installing Postfix to not break compatibility
+RUN groupadd -g 102 postfix \
+  && groupadd -g 103 postdrop \
+  && useradd -g postfix -u 101 -d /var/spool/postfix -s /usr/sbin/nologin postfix \
+  && apt-get update && apt-get install -y --no-install-recommends \
+	ca-certificates \
+	curl \
+	dirmngr \
+  	dnsutils \
+	gnupg \
+	libsasl2-modules \
+  	mariadb-client \
+	perl \
+	postfix \
+	postfix-mysql \
+	postfix-pcre \
+	redis-tools \
+	sasl2-bin \
+	sudo \
+	supervisor \
+	syslog-ng \
+	syslog-ng-core \
+	syslog-ng-mod-redis \
+  	tzdata \
+	&& rm -rf /var/lib/apt/lists/* \
+	&& touch /etc/default/locale \
+  && printf '#!/bin/bash\n/usr/sbin/postconf -c /opt/postfix/conf "$@"' > /usr/local/sbin/postconf \
+  && chmod +x /usr/local/sbin/postconf
+
+COPY supervisord.conf /etc/supervisor/supervisord.conf
+COPY syslog-ng.conf /etc/syslog-ng/syslog-ng.conf
+COPY syslog-ng-redis_slave.conf /etc/syslog-ng/syslog-ng-redis_slave.conf
+COPY postfix.sh /opt/postfix.sh
+COPY rspamd-pipe-ham /usr/local/bin/rspamd-pipe-ham
+COPY rspamd-pipe-spam /usr/local/bin/rspamd-pipe-spam
+COPY whitelist_forwardinghosts.sh /usr/local/bin/whitelist_forwardinghosts.sh
+COPY stop-supervisor.sh /usr/local/sbin/stop-supervisor.sh
+COPY docker-entrypoint.sh /docker-entrypoint.sh
+
+RUN chmod +x /opt/postfix.sh \
+  /usr/local/bin/rspamd-pipe-ham \
+  /usr/local/bin/rspamd-pipe-spam \
+  /usr/local/bin/whitelist_forwardinghosts.sh \
+  /usr/local/sbin/stop-supervisor.sh
+RUN rm -rf /tmp/* /var/tmp/*
+
+EXPOSE 588
+
+ENTRYPOINT ["/docker-entrypoint.sh"]
+
+CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/supervisord.conf"]

data/Dockerfiles/postfix/docker-entrypoint.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+
+# Run hooks
+for file in /hooks/*; do
+  if [ -x "${file}" ]; then
+    echo "Running hook ${file}"
+    "${file}"
+  fi
+done
+
+if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
+  cp /etc/syslog-ng/syslog-ng-redis_slave.conf /etc/syslog-ng/syslog-ng.conf
+fi
+
+exec "$@"

data/Dockerfiles/postfix/postfix.sh

@@ -0,0 +1,519 @@
+#!/bin/bash
+
+trap "postfix stop" EXIT
+
+[[ ! -d /opt/postfix/conf/sql/ ]] && mkdir -p /opt/postfix/conf/sql/
+
+# Wait for MySQL to warm-up
+while ! mariadb-admin status --ssl=false --socket=/var/run/mysqld/mysqld.sock -u${DBUSER} -p${DBPASS} --silent; do
+  echo "Waiting for database to come up..."
+  sleep 2
+done
+
+until dig +short mailcow.email > /dev/null; do
+  echo "Waiting for DNS..."
+  sleep 1
+done
+
+cat <<EOF > /etc/aliases
+# Autogenerated by mailcow
+null: /dev/null
+watchdog: /dev/null
+ham: "|/usr/local/bin/rspamd-pipe-ham"
+spam: "|/usr/local/bin/rspamd-pipe-spam"
+EOF
+newaliases;
+
+# create sni configuration
+if [[ "${SKIP_LETS_ENCRYPT}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
+  echo -n "" > /opt/postfix/conf/sni.map
+else
+  echo -n "" > /opt/postfix/conf/sni.map;
+  for cert_dir in /etc/ssl/mail/*/ ; do
+    if [[ ! -f ${cert_dir}domains ]] || [[ ! -f ${cert_dir}cert.pem ]] || [[ ! -f ${cert_dir}key.pem ]]; then
+      continue;
+    fi
+    IFS=" " read -r -a domains <<< "$(cat "${cert_dir}domains")"
+    for domain in "${domains[@]}"; do
+      echo -n "${domain} ${cert_dir}key.pem ${cert_dir}cert.pem" >> /opt/postfix/conf/sni.map;
+      echo "" >> /opt/postfix/conf/sni.map;
+    done
+  done
+fi
+postmap -F hash:/opt/postfix/conf/sni.map;
+
+cat <<EOF > /opt/postfix/conf/sql/mysql_relay_ne.cf
+# Autogenerated by mailcow
+user = ${DBUSER}
+password = ${DBPASS}
+hosts = unix:/var/run/mysqld/mysqld.sock
+dbname = ${DBNAME}
+query = SELECT IF(EXISTS(SELECT address, domain FROM alias
+      WHERE address = '%s'
+        AND domain IN (
+          SELECT domain FROM domain
+            WHERE backupmx = '1'
+              AND relay_all_recipients = '1'
+              AND relay_unknown_only = '1')
+
+      ), 'lmtp:inet:dovecot:24', NULL) AS 'transport'
+EOF
+
+cat <<EOF > /opt/postfix/conf/sql/mysql_relay_recipient_maps.cf
+# Autogenerated by mailcow
+user = ${DBUSER}
+password = ${DBPASS}
+hosts = unix:/var/run/mysqld/mysqld.sock
+dbname = ${DBNAME}
+query = SELECT DISTINCT
+  CASE WHEN '%d' IN (
+    SELECT domain FROM domain
+      WHERE relay_all_recipients=1
+        AND domain='%d'
+        AND backupmx=1
+  )
+  THEN '%s' ELSE (
+    SELECT goto FROM alias WHERE address='%s' AND active='1'
+  )
+  END AS result;
+EOF
+
+cat <<EOF > /opt/postfix/conf/sql/mysql_tls_policy_override_maps.cf
+# Autogenerated by mailcow
+user = ${DBUSER}
+password = ${DBPASS}
+hosts = unix:/var/run/mysqld/mysqld.sock
+dbname = ${DBNAME}
+query = SELECT CONCAT(policy, ' ', parameters) AS tls_policy FROM tls_policy_override WHERE active = '1' AND dest = '%s'
+EOF
+
+cat <<EOF > /opt/postfix/conf/sql/mysql_tls_enforce_in_policy.cf
+# Autogenerated by mailcow
+user = ${DBUSER}
+password = ${DBPASS}
+hosts = unix:/var/run/mysqld/mysqld.sock
+dbname = ${DBNAME}
+query = SELECT IF(EXISTS(
+  SELECT 'TLS_ACTIVE' FROM alias
+    LEFT OUTER JOIN mailbox ON mailbox.username = alias.goto
+      WHERE (address='%s'
+        OR address IN (
+          SELECT CONCAT('%u', '@', target_domain) FROM alias_domain
+            WHERE alias_domain='%d'
+        )
+      ) AND JSON_UNQUOTE(JSON_VALUE(attributes, '$.tls_enforce_in')) = '1' AND mailbox.active = '1'
+  ), 'reject_plaintext_session', NULL) AS 'tls_enforce_in';
+EOF
+
+cat <<EOF > /opt/postfix/conf/sql/mysql_sender_dependent_default_transport_maps.cf
+# Autogenerated by mailcow
+user = ${DBUSER}
+password = ${DBPASS}
+hosts = unix:/var/run/mysqld/mysqld.sock
+dbname = ${DBNAME}
+query = SELECT GROUP_CONCAT(transport SEPARATOR '') AS transport_maps
+  FROM (
+    SELECT IF(EXISTS(SELECT 'smtp_type' FROM alias
+      LEFT OUTER JOIN mailbox ON mailbox.username = alias.goto
+        WHERE (address = '%s'
+          OR address IN (
+            SELECT CONCAT('%u', '@', target_domain) FROM alias_domain
+              WHERE alias_domain = '%d'
+          )
+        )
+        AND JSON_UNQUOTE(JSON_VALUE(attributes, '$.tls_enforce_out')) = '1'
+        AND mailbox.active = '1'
+    ), 'smtp_enforced_tls:', 'smtp:') AS 'transport'
+    UNION ALL
+    SELECT COALESCE(
+      (SELECT hostname FROM relayhosts
+      LEFT OUTER JOIN mailbox ON JSON_UNQUOTE(JSON_VALUE(mailbox.attributes, '$.relayhost')) = relayhosts.id
+        WHERE relayhosts.active = '1'
+          AND (
+            mailbox.username IN (SELECT alias.goto from alias
+              JOIN mailbox ON mailbox.username = alias.goto
+                WHERE alias.active = '1'
+                  AND alias.address = '%s'
+                  AND alias.address NOT LIKE '@%%'
+            )
+          )
+      ),
+      (SELECT hostname FROM relayhosts
+      LEFT OUTER JOIN domain ON domain.relayhost = relayhosts.id
+        WHERE relayhosts.active = '1'
+          AND (domain.domain = '%d'
+            OR domain.domain IN (
+              SELECT target_domain FROM alias_domain
+                WHERE alias_domain = '%d'
+            )
+          )
+      )
+    )
+  ) AS transport_view;
+EOF
+
+cat <<EOF > /opt/postfix/conf/sql/mysql_transport_maps.cf
+# Autogenerated by mailcow
+user = ${DBUSER}
+password = ${DBPASS}
+hosts = unix:/var/run/mysqld/mysqld.sock
+dbname = ${DBNAME}
+query = SELECT CONCAT('smtp_via_transport_maps:', nexthop) AS transport FROM transports
+  WHERE active = '1'
+  AND destination = '%s';
+EOF
+
+cat <<EOF > /opt/postfix/conf/sql/mysql_virtual_resource_maps.cf
+# Autogenerated by mailcow
+user = ${DBUSER}
+password = ${DBPASS}
+hosts = unix:/var/run/mysqld/mysqld.sock
+dbname = ${DBNAME}
+query = SELECT 'null@localhost' FROM mailbox
+  WHERE kind REGEXP 'location|thing|group' AND username = '%s';
+EOF
+
+cat <<EOF > /opt/postfix/conf/sql/mysql_sasl_passwd_maps_sender_dependent.cf
+# Autogenerated by mailcow
+user = ${DBUSER}
+password = ${DBPASS}
+hosts = unix:/var/run/mysqld/mysqld.sock
+dbname = ${DBNAME}
+query = SELECT CONCAT_WS(':', username, password) AS auth_data FROM relayhosts
+  WHERE id IN (
+    SELECT COALESCE(
+      (SELECT id FROM relayhosts
+      LEFT OUTER JOIN domain ON domain.relayhost = relayhosts.id
+      WHERE relayhosts.active = '1'
+        AND (domain.domain = '%d'
+          OR domain.domain IN (
+            SELECT target_domain FROM alias_domain
+            WHERE alias_domain = '%d'
+          )
+        )
+      ),
+      (SELECT id FROM relayhosts
+      LEFT OUTER JOIN mailbox ON JSON_UNQUOTE(JSON_VALUE(mailbox.attributes, '$.relayhost')) = relayhosts.id
+      WHERE relayhosts.active = '1'
+        AND (
+          mailbox.username IN (
+            SELECT alias.goto from alias
+              JOIN mailbox ON mailbox.username = alias.goto
+                WHERE alias.active = '1'
+                  AND alias.address = '%s'
+                  AND alias.address NOT LIKE '@%%'
+          )
+        )
+      )
+    )
+  )
+  AND active = '1'
+  AND username != '';
+EOF
+
+cat <<EOF > /opt/postfix/conf/sql/mysql_sasl_passwd_maps_transport_maps.cf
+# Autogenerated by mailcow
+user = ${DBUSER}
+password = ${DBPASS}
+hosts = unix:/var/run/mysqld/mysqld.sock
+dbname = ${DBNAME}
+query = SELECT CONCAT_WS(':', username, password) AS auth_data FROM transports
+  WHERE nexthop = '%s'
+  AND active = '1'
+  AND username != ''
+  LIMIT 1;
+EOF
+
+cat <<EOF > /opt/postfix/conf/sql/mysql_virtual_alias_domain_maps.cf
+# Autogenerated by mailcow
+user = ${DBUSER}
+password = ${DBPASS}
+hosts = unix:/var/run/mysqld/mysqld.sock
+dbname = ${DBNAME}
+query = SELECT username FROM mailbox, alias_domain
+  WHERE alias_domain.alias_domain = '%d'
+    AND mailbox.username = CONCAT('%u', '@', alias_domain.target_domain)
+    AND (mailbox.active = '1' OR mailbox.active = '2')
+    AND alias_domain.active='1'
+EOF
+
+cat <<EOF > /opt/postfix/conf/sql/mysql_virtual_alias_maps.cf
+# Autogenerated by mailcow
+user = ${DBUSER}
+password = ${DBPASS}
+hosts = unix:/var/run/mysqld/mysqld.sock
+dbname = ${DBNAME}
+query = SELECT goto FROM alias
+  WHERE address='%s'
+    AND (active='1' OR active='2');
+EOF
+
+cat <<EOF > /opt/postfix/conf/sql/mysql_recipient_bcc_maps.cf
+# Autogenerated by mailcow
+user = ${DBUSER}
+password = ${DBPASS}
+hosts = unix:/var/run/mysqld/mysqld.sock
+dbname = ${DBNAME}
+query = SELECT bcc_dest FROM bcc_maps
+  WHERE local_dest='%s'
+    AND type='rcpt'
+    AND active='1';
+EOF
+
+cat <<EOF > /opt/postfix/conf/sql/mysql_sender_bcc_maps.cf
+# Autogenerated by mailcow
+user = ${DBUSER}
+password = ${DBPASS}
+hosts = unix:/var/run/mysqld/mysqld.sock
+dbname = ${DBNAME}
+query = SELECT bcc_dest FROM bcc_maps
+  WHERE local_dest='%s'
+    AND type='sender'
+    AND active='1';
+EOF
+
+cat <<EOF > /opt/postfix/conf/sql/mysql_recipient_canonical_maps.cf
+# Autogenerated by mailcow
+user = ${DBUSER}
+password = ${DBPASS}
+hosts = unix:/var/run/mysqld/mysqld.sock
+dbname = ${DBNAME}
+query = SELECT new_dest FROM recipient_maps
+  WHERE old_dest='%s'
+    AND active='1';
+EOF
+
+cat <<EOF > /opt/postfix/conf/sql/mysql_virtual_domains_maps.cf
+# Autogenerated by mailcow
+user = ${DBUSER}
+password = ${DBPASS}
+hosts = unix:/var/run/mysqld/mysqld.sock
+dbname = ${DBNAME}
+query = SELECT alias_domain from alias_domain WHERE alias_domain='%s' AND active='1'
+  UNION
+  SELECT domain FROM domain
+    WHERE domain='%s'
+      AND active = '1'
+      AND backupmx = '0'
+EOF
+
+cat <<EOF > /opt/postfix/conf/sql/mysql_virtual_mailbox_maps.cf
+# Autogenerated by mailcow
+user = ${DBUSER}
+password = ${DBPASS}
+hosts = unix:/var/run/mysqld/mysqld.sock
+dbname = ${DBNAME}
+query = SELECT CONCAT(JSON_UNQUOTE(JSON_VALUE(attributes, '$.mailbox_format')), mailbox_path_prefix, '%d/%u/') FROM mailbox WHERE username='%s' AND (active = '1' OR active = '2')
+EOF
+
+cat <<EOF > /opt/postfix/conf/sql/mysql_virtual_relay_domain_maps.cf
+# Autogenerated by mailcow
+user = ${DBUSER}
+password = ${DBPASS}
+hosts = unix:/var/run/mysqld/mysqld.sock
+dbname = ${DBNAME}
+query = SELECT domain FROM domain WHERE domain='%s' AND backupmx = '1' AND active = '1'
+EOF
+
+cat <<EOF > /opt/postfix/conf/sql/mysql_virtual_sender_acl.cf
+# Autogenerated by mailcow
+user = ${DBUSER}
+password = ${DBPASS}
+hosts = unix:/var/run/mysqld/mysqld.sock
+dbname = ${DBNAME}
+# First select queries domain and alias_domain to determine if domains are active.
+query = SELECT goto FROM alias
+  WHERE id IN (
+      SELECT COALESCE (
+        (
+          SELECT id FROM alias
+            WHERE address='%s'
+            AND (active='1' OR active='2')
+        ), (
+          SELECT id FROM alias
+            WHERE address='@%d'
+            AND (active='1' OR active='2')
+        )
+      )
+    )
+    AND active='1'
+    AND (domain IN
+      (SELECT domain FROM domain
+        WHERE domain='%d'
+          AND active='1')
+      OR domain in (
+        SELECT alias_domain FROM alias_domain
+          WHERE alias_domain='%d'
+            AND active='1'
+      )
+    )
+  UNION
+  SELECT logged_in_as FROM sender_acl
+    WHERE send_as='@%d'
+      OR send_as='%s'
+      OR send_as='*'
+      OR send_as IN (
+        SELECT CONCAT('@',target_domain) FROM alias_domain
+          WHERE alias_domain = '%d')
+      OR send_as IN (
+        SELECT CONCAT('%u','@',target_domain) FROM alias_domain
+          WHERE alias_domain = '%d')
+      AND logged_in_as NOT IN (
+        SELECT goto FROM alias
+          WHERE address='%s')
+  UNION
+  SELECT username FROM mailbox, alias_domain
+    WHERE alias_domain.alias_domain = '%d'
+      AND mailbox.username = CONCAT('%u','@',alias_domain.target_domain)
+      AND (mailbox.active = '1' OR mailbox.active ='2')
+      AND alias_domain.active='1';
+EOF
+
+# MX based routing
+cat <<EOF > /opt/postfix/conf/sql/mysql_mbr_access_maps.cf
+# Autogenerated by mailcow
+user = ${DBUSER}
+password = ${DBPASS}
+hosts = unix:/var/run/mysqld/mysqld.sock
+dbname = ${DBNAME}
+query = SELECT CONCAT('FILTER smtp_via_transport_maps:', nexthop) as transport FROM transports
+  WHERE '%s' REGEXP destination
+    AND active='1'
+    AND is_mx_based='1';
+EOF
+
+cat <<EOF > /opt/postfix/conf/sql/mysql_virtual_spamalias_maps.cf
+# Autogenerated by mailcow
+user = ${DBUSER}
+password = ${DBPASS}
+hosts = unix:/var/run/mysqld/mysqld.sock
+dbname = ${DBNAME}
+query = SELECT goto FROM spamalias
+  WHERE address='%s'
+    AND validity >= UNIX_TIMESTAMP()
+EOF
+
+if [ ! -f /opt/postfix/conf/dns_blocklists.cf ]; then
+  cat <<EOF > /opt/postfix/conf/dns_blocklists.cf
+# This file can be edited. 
+# Delete this file and restart postfix container to revert any changes.
+postscreen_dnsbl_sites = wl.mailspike.net=127.0.0.[18;19;20]*-2
+  hostkarma.junkemailfilter.com=127.0.0.1*-2
+  list.dnswl.org=127.0.[0..255].0*-2
+  list.dnswl.org=127.0.[0..255].1*-4
+  list.dnswl.org=127.0.[0..255].2*-6
+  list.dnswl.org=127.0.[0..255].3*-8
+  ix.dnsbl.manitu.net*2
+  bl.spamcop.net*2
+  bl.suomispam.net*2
+  hostkarma.junkemailfilter.com=127.0.0.2*3
+  hostkarma.junkemailfilter.com=127.0.0.4*2
+  hostkarma.junkemailfilter.com=127.0.1.2*1
+  backscatter.spameatingmonkey.net*2
+  bl.ipv6.spameatingmonkey.net*2
+  bl.spameatingmonkey.net*2
+  b.barracudacentral.org=127.0.0.2*7
+  bl.mailspike.net=127.0.0.2*5
+  bl.mailspike.net=127.0.0.[10;11;12]*4
+EOF
+fi
+DNSBL_CONFIG=$(grep -v '^#' /opt/postfix/conf/dns_blocklists.cf | grep '\S')
+
+if [ ! -z "$DNSBL_CONFIG" ]; then
+  echo -e "\e[33mChecking if ASN for your IP is listed for Spamhaus Bad ASN List...\e[0m"
+  if [ -n "$SPAMHAUS_DQS_KEY" ]; then
+    echo -e "\e[32mDetected SPAMHAUS_DQS_KEY variable from mailcow.conf...\e[0m"
+    echo -e "\e[33mUsing DQS Blocklists from Spamhaus!\e[0m"
+    SPAMHAUS_DNSBL_CONFIG=$(cat <<EOF
+  ${SPAMHAUS_DQS_KEY}.zen.dq.spamhaus.net=127.0.0.[4..7]*6
+  ${SPAMHAUS_DQS_KEY}.zen.dq.spamhaus.net=127.0.0.[10;11]*8
+  ${SPAMHAUS_DQS_KEY}.zen.dq.spamhaus.net=127.0.0.3*4
+  ${SPAMHAUS_DQS_KEY}.zen.dq.spamhaus.net=127.0.0.2*3
+postscreen_dnsbl_reply_map = texthash:/opt/postfix/conf/dnsbl_reply.map
+EOF
+
+  cat <<EOF > /opt/postfix/conf/dnsbl_reply.map
+# Autogenerated by mailcow, using Spamhaus DQS reply domains
+${SPAMHAUS_DQS_KEY}.sbl.dq.spamhaus.net     sbl.spamhaus.org
+${SPAMHAUS_DQS_KEY}.xbl.dq.spamhaus.net     xbl.spamhaus.org
+${SPAMHAUS_DQS_KEY}.pbl.dq.spamhaus.net     pbl.spamhaus.org
+${SPAMHAUS_DQS_KEY}.zen.dq.spamhaus.net     zen.spamhaus.org
+${SPAMHAUS_DQS_KEY}.dbl.dq.spamhaus.net     dbl.spamhaus.org
+${SPAMHAUS_DQS_KEY}.zrd.dq.spamhaus.net     zrd.spamhaus.org
+EOF
+    )
+  else
+    if [ -f "/opt/postfix/conf/dnsbl_reply.map" ]; then
+      rm /opt/postfix/conf/dnsbl_reply.map
+    fi
+    response=$(curl --connect-timeout 15 --max-time 30 -s -o /dev/null -w "%{http_code}" "https://asn-check.mailcow.email")
+    if [ "$response" -eq 503 ]; then
+      echo -e "\e[31mThe AS of your IP is listed as a banned AS from Spamhaus!\e[0m"
+      echo -e "\e[33mNo SPAMHAUS_DQS_KEY found... Skipping Spamhaus blocklists entirely!\e[0m"
+      SPAMHAUS_DNSBL_CONFIG=""
+    elif [ "$response" -eq 200 ]; then
+      echo -e "\e[32mThe AS of your IP is NOT listed as a banned AS from Spamhaus!\e[0m"
+      echo -e "\e[33mUsing the open Spamhaus blocklists.\e[0m"
+      SPAMHAUS_DNSBL_CONFIG=$(cat <<EOF
+  zen.spamhaus.org=127.0.0.[10;11]*8
+  zen.spamhaus.org=127.0.0.[4..7]*6
+  zen.spamhaus.org=127.0.0.3*4
+  zen.spamhaus.org=127.0.0.2*3
+EOF
+      )
+
+    else
+      echo -e "\e[31mWe couldn't determine your AS... (maybe DNS/Network issue?) Response Code: $response\e[0m"
+      echo -e "\e[33mDeactivating Spamhaus DNS Blocklists to be on the safe site!\e[0m"
+      SPAMHAUS_DNSBL_CONFIG=""
+    fi
+  fi
+fi
+
+# Reset main.cf
+sed -i '/Overrides/q' /opt/postfix/conf/main.cf
+echo >> /opt/postfix/conf/main.cf
+# Append postscreen dnsbl sites to main.cf
+if [ ! -z "$DNSBL_CONFIG" ]; then
+  echo -e "${DNSBL_CONFIG}\n${SPAMHAUS_DNSBL_CONFIG}" >> /opt/postfix/conf/main.cf
+fi
+# Append user overrides
+echo -e "\n# User Overrides" >> /opt/postfix/conf/main.cf
+touch /opt/postfix/conf/extra.cf
+sed -i '/\$myhostname/! { /myhostname/d }' /opt/postfix/conf/extra.cf
+echo -e "myhostname = ${MAILCOW_HOSTNAME}\n$(cat /opt/postfix/conf/extra.cf)" > /opt/postfix/conf/extra.cf
+cat /opt/postfix/conf/extra.cf >> /opt/postfix/conf/main.cf
+
+if [ ! -f /opt/postfix/conf/custom_transport.pcre ]; then
+  echo "Creating dummy custom_transport.pcre"
+  touch /opt/postfix/conf/custom_transport.pcre
+fi
+
+if [[ ! -f /opt/postfix/conf/custom_postscreen_whitelist.cidr ]]; then
+  echo "Creating dummy custom_postscreen_whitelist.cidr"
+  cat <<EOF > /opt/postfix/conf/custom_postscreen_whitelist.cidr
+# Autogenerated by mailcow
+# Rules are evaluated in the order as specified.
+# Blacklist 192.168.* except 192.168.0.1.
+# 192.168.0.1          permit
+# 192.168.0.0/16       reject
+EOF
+fi
+
+# Fix Postfix permissions
+chown -R root:postfix /opt/postfix/conf/sql/ /opt/postfix/conf/custom_transport.pcre
+chmod 640 /opt/postfix/conf/sql/*.cf /opt/postfix/conf/custom_transport.pcre
+chgrp -R postdrop /var/spool/postfix/public
+chgrp -R postdrop /var/spool/postfix/maildrop
+postfix set-permissions
+
+# Check Postfix configuration
+postconf -c /opt/postfix/conf > /dev/null
+
+if [[ $? != 0 ]]; then
+  echo "Postfix configuration error, refusing to start."
+  exit 1
+else
+  postfix -c /opt/postfix/conf start
+  sleep 126144000
+fi

data/Dockerfiles/postfix/rspamd-pipe-ham

@@ -0,0 +1,9 @@
+#!/bin/bash
+FILE=/tmp/mail$$
+cat > $FILE
+trap "/bin/rm -f $FILE" 0 1 2 3 13 15
+
+cat ${FILE} | /usr/bin/curl -s --data-binary @- --unix-socket /var/lib/rspamd/rspamd.sock http://rspamd/learnham
+cat ${FILE} | /usr/bin/curl -H "Flag: 13" -s --data-binary @- --unix-socket /var/lib/rspamd/rspamd.sock http://rspamd/fuzzyadd
+
+exit 0

data/Dockerfiles/postfix/rspamd-pipe-spam

@@ -0,0 +1,9 @@
+#!/bin/bash
+FILE=/tmp/mail$$
+cat > $FILE
+trap "/bin/rm -f $FILE" 0 1 2 3 13 15
+
+cat ${FILE} | /usr/bin/curl -s --data-binary @- --unix-socket /var/lib/rspamd/rspamd.sock http://rspamd/learnspam
+cat ${FILE} | /usr/bin/curl -H "Flag: 11" -s --data-binary @- --unix-socket /var/lib/rspamd/rspamd.sock http://rspamd/fuzzyadd
+
+exit 0

data/Dockerfiles/postfix/stop-supervisor.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+printf "READY\n";
+
+while read line; do
+  echo "Processing Event: $line" >&2;
+  kill -3 $(cat "/var/run/supervisord.pid")
+done < /dev/stdin

data/Dockerfiles/postfix/supervisord.conf

@@ -0,0 +1,24 @@
+[supervisord]
+pidfile=/var/run/supervisord.pid
+nodaemon=true
+user=root
+
+[program:syslog-ng]
+command=/usr/sbin/syslog-ng --foreground  --no-caps
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+autostart=true
+
+[program:postfix]
+command=/opt/postfix.sh
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+autorestart=true
+
+[eventlistener:processes]
+command=/usr/local/sbin/stop-supervisor.sh
+events=PROCESS_STATE_STOPPED, PROCESS_STATE_EXITED, PROCESS_STATE_FATAL

data/Dockerfiles/postfix/syslog-ng-redis_slave.conf

@@ -0,0 +1,53 @@
+@version: 3.38
+@include "scl.conf"
+options {
+  chain_hostnames(off);
+  flush_lines(0);
+  use_dns(no);
+  dns_cache(no);
+  use_fqdn(no);
+  owner("root"); group("adm"); perm(0640);
+  stats_freq(0);
+  bad_hostname("^gconfd$");
+};
+source s_src {
+  unix-stream("/dev/log");
+  internal();
+};
+destination d_stdout { pipe("/dev/stdout"); };
+destination d_redis_ui_log {
+  redis(
+    host("`REDIS_SLAVEOF_IP`")
+    persist-name("redis1")
+    port(`REDIS_SLAVEOF_PORT`)
+    command("LPUSH" "POSTFIX_MAILLOG" "$(format-json time=\"$S_UNIXTIME\" priority=\"$PRIORITY\" program=\"$PROGRAM\" message=\"$MESSAGE\")\n")
+  );
+};
+destination d_redis_f2b_channel {
+  redis(
+    host("`REDIS_SLAVEOF_IP`")
+    persist-name("redis2")
+    port(`REDIS_SLAVEOF_PORT`)
+    command("PUBLISH" "F2B_CHANNEL" "$(sanitize $MESSAGE)")
+  );
+};
+filter f_mail { facility(mail); };
+# start
+# overriding warnings are still displayed when the entrypoint runs its initial check
+# warnings logged by postfix-mailcow to syslog are hidden to reduce repeating msgs
+# Some other warnings are ignored
+filter f_ignore {
+  not match("overriding earlier entry" value("MESSAGE"));
+  not match("TLS SNI from checks.mailcow.email" value("MESSAGE"));
+  not match("no SASL support" value("MESSAGE"));
+  not facility (local0, local1, local2, local3, local4, local5, local6, local7);
+};
+# end
+log {
+  source(s_src);
+  filter(f_ignore);
+  destination(d_stdout);
+  filter(f_mail);
+  destination(d_redis_ui_log);
+  destination(d_redis_f2b_channel);
+};

data/Dockerfiles/postfix/syslog-ng.conf

@@ -0,0 +1,53 @@
+@version: 3.38
+@include "scl.conf"
+options {
+  chain_hostnames(off);
+  flush_lines(0);
+  use_dns(no);
+  dns_cache(no);
+  use_fqdn(no);
+  owner("root"); group("adm"); perm(0640);
+  stats_freq(0);
+  bad_hostname("^gconfd$");
+};
+source s_src {
+  unix-stream("/dev/log");
+  internal();
+};
+destination d_stdout { pipe("/dev/stdout"); };
+destination d_redis_ui_log {
+  redis(
+    host("redis-mailcow")
+    persist-name("redis1")
+    port(6379)
+    command("LPUSH" "POSTFIX_MAILLOG" "$(format-json time=\"$S_UNIXTIME\" priority=\"$PRIORITY\" program=\"$PROGRAM\" message=\"$MESSAGE\")\n")
+  );
+};
+destination d_redis_f2b_channel {
+  redis(
+    host("redis-mailcow")
+    persist-name("redis2")
+    port(6379)
+    command("PUBLISH" "F2B_CHANNEL" "$(sanitize $MESSAGE)")
+  );
+};
+filter f_mail { facility(mail); };
+# start
+# overriding warnings are still displayed when the entrypoint runs its initial check
+# warnings logged by postfix-mailcow to syslog are hidden to reduce repeating msgs
+# Some other warnings are ignored
+filter f_ignore {
+  not match("overriding earlier entry" value("MESSAGE"));
+  not match("TLS SNI from checks.mailcow.email" value("MESSAGE"));
+  not match("no SASL support" value("MESSAGE"));
+  not facility (local0, local1, local2, local3, local4, local5, local6, local7);
+};
+# end
+log {
+  source(s_src);
+  filter(f_ignore);
+  destination(d_stdout);
+  filter(f_mail);
+  destination(d_redis_ui_log);
+  destination(d_redis_f2b_channel);
+};

data/Dockerfiles/postfix/whitelist_forwardinghosts.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+while read QUERY; do
+	QUERY=($QUERY)
+	if [ "${QUERY[0]}" != "get" ]; then
+		echo "500 dunno"
+		continue
+	fi
+	result=$(curl -s http://nginx:8081/forwardinghosts.php?host=${QUERY[1]})
+	logger -t whitelist_forwardinghosts -p mail.info "Look up ${QUERY[1]} on whitelist, result $result"
+	echo ${result}
+done