Merge pull request #316 from dgc1980/master

added option for SSL encryption for postfix relay
anonaddy · Feb 15, 2025 · 3e8757e · 3e8757e
2 parents d98e785 + cbfc1e0
commit 3e8757e
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 1 deletion.
diff --git a/Dockerfile b/Dockerfile
@@ -55,6 +55,8 @@ RUN apk --no-cache add \
     shadow \
     tar \
     tzdata \
+    cyrus-sasl \
+    cyrus-sasl-login \
   && cp /etc/postfix/master.cf /etc/postfix/master.cf.orig \
   && cp /etc/postfix/main.cf /etc/postfix/main.cf.orig \
   && apk --no-cache add -t build-dependencies \

diff --git a/README.md b/README.md
@@ -165,7 +165,8 @@ linux/arm64
 * `POSTFIX_RELAYHOST_AUTH_ENABLE`: Enable client-side authentication for relayhost (default `false`)
 * `POSTFIX_RELAYHOST_USERNAME`: Postfix SMTP Client username for relayhost authentication
 * `POSTFIX_RELAYHOST_PASSWORD`: Postfix SMTP Client password for relayhost authentication
-* `POSTFIX_SPAMHAUS_DQS_KEY`: Personal key for [Spamhaus DQS](#spamhaus-dqs-configuration)
+* `POSTFIX_RELAYHOST_SSL_ENCRYPTION`: enable SSL encrpytion over SMTP where TLS is not available. (default `false`)
+* `POSTFIX_SPAMAUS_DQS_KEY`: Personal key for [Spamhaus DQS](#spamhaus-dqs-configuration)
 
 > [!NOTE]
 > `POSTFIX_RELAYHOST_USERNAME_FILE` and `POSTFIX_RELAYHOST_PASSWORD_FILE` can be

diff --git a/rootfs/etc/cont-init.d/00-env b/rootfs/etc/cont-init.d/00-env
@@ -85,6 +85,7 @@ POSTFIX_MESSAGE_SIZE_LIMIT=${POSTFIX_MESSAGE_SIZE_LIMIT:-26214400}
 POSTFIX_SMTPD_TLS=${POSTFIX_SMTPD_TLS:-false}
 POSTFIX_SMTP_TLS=${POSTFIX_SMTP_TLS:-false}
 POSTFIX_RELAYHOST_AUTH_ENABLE=${POSTFIX_RELAYHOST_AUTH_ENABLE:-false}
+POSTFIX_RELAYHOST_SSL_ENCRYPTION=${POSTFIX_RELAYHOST_SSL_ENCRYPTION:-false}
 #POSTFIX_SPAMHAUS_DQS_KEY=${POSTFIX_SPAMHAUS_DQS_KEY:-null}
 #POSTFIX_RELAYHOST_USERNAME=${POSTFIX_RELAYHOST_USERNAME:-null}
 #POSTFIX_RELAYHOST_PASSWORD=${POSTFIX_RELAYHOST_PASSWORD:-null}

diff --git a/rootfs/etc/cont-init.d/15-config-postfix.sh b/rootfs/etc/cont-init.d/15-config-postfix.sh
@@ -165,8 +165,18 @@ smtp_tls_mandatory_ciphers = high
 smtp_tls_ciphers = high
 smtp_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
 smtp_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
+EOL
+
+  if [ "$POSTFIX_RELAYHOST_SSL_ENCRYPTION" = "true" ]; then
+    cat >>/etc/postfix/main.cf <<EOL
+smtp_tls_wrappermode = yes
+smtp_tls_security_level = encrypt
+EOL
+  else
+  cat >>/etc/postfix/main.cf <<EOL
 smtp_tls_security_level = may
 EOL
+  fi
 fi
 
 if [ "$POSTFIX_RELAYHOST_AUTH_ENABLE" = "true" ]; then