Postfix in Docker

Danil Smirnov
Jul 4, 2020

To be a maintainer of an email server is hard. One can’t simply apt install default-mta to get a healthy and robust email system. Even now it still requires extra work.

It takes only a short time after the server has been misconfigured as an open relay to have it compromised by spammers and get its IP caught by multiple anti-spam lists!

A modern email server must support SASL, DKIM and TLS to be treated nicely by huge email providers like Gmail.

As a DevOps Engineer, I tend to use Docker as much as I can to support uniform and well-maintainable infrastructure.

So there were multiple occasions in the last few years when I was looking for a nice Docker image of a good email server, preferably Postfix.

Postfix is the second most popular mail server on the Internet and the default MTA (mail transfer agent) for Ubuntu. (Another one is Exim, and together they account for more than 90% of the Internet servers.)

If you check Docker Hub, there is a noticeable catatnight/postfix image by Elliott Ye. 10 million pulls suggest it’s good enough for modern requirements.

Indeed — it supports SASL authentication as well as DKIM and TLS. If properly configured, they make email service quite well-shaped.

However, the image is quite outdated, as it was last updated five years ago. Hence I’ve decided to fork the project and upgrade it to the current best practices.

Below I will list and comment on all the changes I’ve made in the image.

Ubuntu:Trusty -> Ubuntu:Focal

Ubuntu 14.04 LTS distribution was used as the base of the image. 16, 18, 20… Yes! It’s Ubuntu 20.04 LTS now. :)

Logs to stdout

In Docker/K8s deployments we are used to collecting logs from the containers’ stdout. And we don’t want to experience uncontrolled log file growth inside the container.

While all the relevant logs of the new image are redirected to stdout, one extra mail.log file is kept for the Fail2ban service, but it’s cleaned up nightly.

Mail domain and mail host

They are not necessarily the same. We should be able to maintain a mail.domain.com host serving email for the domain.com mail domain.

This is particularly useful for a reverse DNS configuration, which is just another option, treated as mandatory these days.

While supporting the old approach with MAIL_DOMAIN parameter only, an extra variable MAIL_HOST has been added to distinguish the two.

Play nicely with the wild Internet

If you check logs of a SASL-enabled mail server, you will discover a lot of brute-force attempts to guess a password. The attacks are inevitable and persistent.

The Fail2ban intrusion detector has been added to the image with the postfix-sasl jail pre-installed. It bans repeated break-in attempts automatically.

You can check how many bad IPs have been banned using the command

docker exec -it postfix fail2ban-client status postfix-sasl

Add your own configuration easily

There might be a need for additional configuration, e.g. custom mail aliases to forward particular emails (like those sent to abuse@domain.com) to an external email address.

You don’t need to build a new image for that purpose. Just put your configuration in a file and mount it as /configure.sh into the container.

For example:

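# Tell Postfix to look up virtual aliases in /etc/postfix/virtual
postconf -e "virtual_alias_maps = hash:/etc/postfix/virtual"
# Forward mail for abuse@<mail domain> to the external address
echo "abuse@${MAIL_DOMAIN} address@externaldomain.com" >> /etc/postfix/virtual
# Build the hash lookup table (virtual.db) from the text file
postmap /etc/postfix/virtual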

The image is available for pulling from Docker Hub:
https://hub.docker.com/r/danilsmirnov/postfix
