first commit

LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2014 Benno Evers
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

Makefile

@@ -0,0 +1,11 @@
+all: dovecot
+
+.PHONY: dovecot
+
+dovecot:
+	cd dovecot; docker build -t dovecot_made_special:2.1.7 .
+
+run-dovecot:
+	docker run -d -p 25:25 -p 587:587 -p 143:143 -v /opt/dockermail/settings:/mail_settings -v /opt/dockermail/vmail:/vmail dovecot_made_special:2.1.7
+
+run-all: run-dovecot

README.md

@@ -0,0 +1,66 @@
+docker-made-special-mail
+==========
+
+Based on https://github.com/lava/dockermail
+
+A secure, minimal-configuration mail server in a docker container.
+
+This repository is tailored to small private servers, where you own some domain(s) and
+want to receive the mail for and send mail from this domain:
+
+The SMTP and IMAP server. This container uses postfix as MTA and dovecot as IMAP server.
+All incoming mail to your own domains is accepted. For outgoing mail, only authenticated
+(logged in with username and password) clients can send messages via STARTTLS on port 587.
+In theory it works with all mail clients, but it was only tested with Thunderbird.
+
+
+Setup
+=====
+Create 2 folders: one for mail configuration (`/opt/dockermail/settings`), another for mail storage (`/opt/dockermail/vmail`).
+
+
+1) Add all domains you want to receive mail for to the file `/opt/dockermail/settings/domains`, like this:
+
+    example.org
+    example.net
+
+2) Add user aliases to the file `/opt/dockermail/settings/aliases`, like
+
+    johndoe@example.org	        john.doe@example.org
+    john.doe@example.org        john.doe@example.org
+    admin@forum.example.org     forum-admin@example.org
+    @example.net	        catch-all@example.net
+
+An IMAP mail account is created for each entry on the right hand side.
+Every mail sent to one of the addresses in the left column will
+be delivered to the corresponding account in the right column.
+
+3) Add user passwords to the file `/opt/dockermail/settings/passwords` like this
+
+    john.doe@example.org:{PLAIN}password123
+    admin@example.org:{SHA256-CRYPT}$5$ojXGqoxOAygN91er$VQD/8dDyCYOaLl2yLJlRFXgl.NSrB3seZGXBRMdZAr6
+
+To get the hash values, you can either install dovecot locally or use lxc-attach to attach to the running
+container and run `doveadm pw -s <scheme-name>` inside.
+
+4) Build container
+
+    make
+
+5) Run container and map ports 25 and 143 from the host to the container.
+   To store your mail outside the container, map `/opt/dockermail/vmail/` to
+   a directory on your host. (This is recommended, otherwise
+   you have to remember to backup your mail when you want to restart the container)
+
+   `docker run -d -p 25:25 -p 587:587 -p 143:143 -v /opt/dockermail/settings:/mail_settings -v /opt/dockermail/vmail:/vmail dovecot_made_special/2.1.7`
+
+6) Enjoy.
+
+
+Known issues / Todo / Wishlist
+==============================
+- HELO isn't set correctly, which can lead to problems with outgoing mail on some servers
+
+- It would be nice to have a way of catching mail to all subdomains.
+
+Patches welcome!

dovecot/Dockerfile

@@ -0,0 +1,84 @@
+FROM ubuntu:14.04
+
+ENV DEBIAN_FRONTEND noninteractive
+
+RUN echo 'deb http://archive.ubuntu.com/ubuntu/ trusty main' | tee /etc/apt/sources.list
+RUN echo 'deb-src http://archive.ubuntu.com/ubuntu/ trusty main' | tee -a /etc/apt/sources.list
+RUN echo 'deb http://archive.ubuntu.com/ubuntu/ trusty-updates main' | tee -a /etc/apt/sources.list
+RUN echo 'deb-src http://archive.ubuntu.com/ubuntu/ trusty-updates main' | tee -a /etc/apt/sources.list
+RUN echo 'deb http://archive.ubuntu.com/ubuntu/ trusty universe' | tee -a /etc/apt/sources.list
+RUN echo 'deb-src http://archive.ubuntu.com/ubuntu/ trusty universe' | tee -a /etc/apt/sources.list
+RUN echo 'deb http://archive.ubuntu.com/ubuntu/ trusty-updates universe' | tee -a /etc/apt/sources.list
+RUN echo 'deb-src http://archive.ubuntu.com/ubuntu/ trusty-updates universe' | tee -a /etc/apt/sources.list
+RUN echo 'deb http://archive.ubuntu.com/ubuntu/ trusty multiverse' | tee -a /etc/apt/sources.list
+RUN echo 'deb-src http://archive.ubuntu.com/ubuntu/ trusty multiverse' | tee -a /etc/apt/sources.list
+RUN echo 'deb http://archive.ubuntu.com/ubuntu/ trusty-updates multiverse' | tee -a /etc/apt/sources.list
+RUN echo 'deb-src http://archive.ubuntu.com/ubuntu/ trusty-updates multiverse' | tee -a /etc/apt/sources.list
+RUN echo 'deb http://archive.ubuntu.com/ubuntu/ trusty-backports main restricted universe multiverse' | tee -a /etc/apt/sources.list
+RUN echo 'deb-src http://archive.ubuntu.com/ubuntu/ trusty-backports main restricted universe multiverse' | tee -a /etc/apt/sources.list
+RUN echo 'deb http://security.ubuntu.com/ubuntu trusty-security main' | tee -a /etc/apt/sources.list
+RUN echo 'deb-src http://security.ubuntu.com/ubuntu trusty-security main' | tee -a /etc/apt/sources.list
+RUN echo 'deb http://security.ubuntu.com/ubuntu trusty-security universe' | tee -a /etc/apt/sources.list
+RUN echo 'deb-src http://security.ubuntu.com/ubuntu trusty-security universe' | tee -a /etc/apt/sources.list
+RUN echo 'deb http://security.ubuntu.com/ubuntu trusty-security multiverse' | tee -a /etc/apt/sources.list
+RUN echo 'deb-src http://security.ubuntu.com/ubuntu trusty-security multiverse' | tee -a /etc/apt/sources.list
+
+RUN locale-gen en_GB en_GB.UTF-8 && dpkg-reconfigure locales
+
+RUN apt-get update
+
+RUN apt-get -y -q autoclean
+RUN apt-get -y -q autoremove
+RUN apt-get clean
+
+# prerequisites
+RUN apt-get update
+
+# install self-signed ssl certs
+RUN apt-get install -y --force-yes ssl-cert
+
+# Install postfix as MTA
+RUN apt-get install -y --force-yes postfix
+
+# Install dovecot as IMAP server
+RUN apt-get install -y --force-yes dovecot-imapd
+
+# postfix configuration
+RUN echo "mail.docker.container" > /etc/mailname
+ADD ./postfix.main.cf /etc/postfix/main.cf
+ADD ./postfix.master.cf.append /etc/postfix/master-additional.cf
+RUN cat /etc/postfix/master-additional.cf >> /etc/postfix/master.cf
+
+# configure settings script
+VOLUME ["/mail_config"]
+COPY process_settings /process_settings
+RUN chmod 755 /process_settings
+
+# add user vmail who own all mail folders
+VOLUME ["/vmail"]
+RUN groupadd -g 5000 vmail
+RUN useradd -g vmail -u 5000 vmail -d /vmail -m
+
+# dovecot configuration
+ADD ./dovecot.mail /etc/dovecot/conf.d/10-mail.conf
+ADD ./dovecot.ssl /etc/dovecot/conf.d/10-ssl.conf
+ADD ./dovecot.auth /etc/dovecot/conf.d/10-auth.conf
+ADD ./dovecot.master /etc/dovecot/conf.d/10-master.conf
+ADD ./dovecot.lda /etc/dovecot/conf.d/15-lda.conf
+ADD ./dovecot.imap /etc/dovecot/conf.d/20-imap.conf
+# add verbose logging
+#ADD ./internal/dovecot.logging /etc/dovecot/conf.d/10-logging.conf
+
+# smtp port for incoming mail
+EXPOSE 25 
+# imap port
+EXPOSE 143
+# smtp port for outgoing
+EXPOSE 587
+
+# todo: enable port 587 for outgoing mail, separate ports 25 and 587
+# http://www.synology-wiki.de/index.php/Zusaetzliche_Ports_fuer_Postfix
+
+# start necessary services for operation (dovecot -F starts dovecot in the foreground to prevent container exit)
+ENTRYPOINT /process_settings; service rsyslog start; service postfix start; dovecot -F
+

dovecot/dovecot.auth

@@ -0,0 +1,14 @@
+auth_mechanisms = plain login
+
+passdb {
+   driver = passwd-file
+   args = /etc/dovecot/passwd
+}
+
+
+userdb {
+    driver = static
+    args = uid=vmail gid=vmail home=/vmail/%d/%n allow_all_users=yes
+}
+
+

dovecot/dovecot.imap

@@ -0,0 +1,3 @@
+protocol imap {
+	imap_client_workarounds = tb-extra-mailbox-sep
+}

dovecot/dovecot.lda

@@ -0,0 +1,5 @@
+protocol lda {
+  hostname = mail.docker.container
+  postmaster_address = postmaster@mail.docker.container
+  mail_plugin_dir = /usr/lib/dovecot/modules/lda
+}

dovecot/dovecot.logging

@@ -0,0 +1,2 @@
+auth_verbose = yes
+auth_debug = yes

dovecot/dovecot.mail

@@ -0,0 +1,19 @@
+mail_location = maildir:/vmail/%d/%n:LAYOUT=fs
+
+namespace inbox {
+  inbox = yes
+
+  # set these to autocreate or else thunderbird will complain
+  mailbox Trash {
+    auto = create
+    special_use = \Trash
+  }
+  mailbox Drafts {
+    auto = subscribe
+    special_use = \Drafts
+  }
+  mailbox Sent {
+    auto = subscribe # autocreate and autosubscribe the Sent mailbox
+    special_use = \Sent
+  }
+  }

dovecot/dovecot.master

@@ -0,0 +1,34 @@
+service imap-login {
+	inet_listener imap {
+
+	}
+
+	#disable imaps since we use TLS connections through the standard imap
+	inet_listener imaps {
+		port = 0
+	}
+}
+
+service imap {
+
+}
+
+# not sure if this is needed
+service lmtp {
+ unix_listener /var/spool/postfix/private/dovecot-lmtp {
+   group = vmail
+   mode = 0660
+   user = postfix
+  }
+}
+
+service auth {
+	unix_listener /var/spool/postfix/private/auth {
+      		mode = 0660
+		user = postfix
+		group = vmail
+	}
+}
+
+service auth-worker {
+}

dovecot/dovecot.ssl

@@ -0,0 +1,5 @@
+ssl = required
+disable_plaintext_auth = yes
+ssl_cert = </etc/dovecot/dovecot.pem
+ssl_key = </etc/dovecot/private/dovecot.pem
+

dovecot/example/aliases

@@ -0,0 +1,2 @@
+admin@example.org	admin@example.org
+@example.org 	catch-all@example.org

dovecot/example/domains

@@ -0,0 +1 @@
+example.org

dovecot/example/passwords

@@ -0,0 +1,2 @@
+catch-all@example.org:{PLAIN}password123
+admin@example.org:{SHA256-CRYPT}$5$3qaCC/fV65Adtfoy$O20EXoSOcgWKf5NyAZnXAtGPQoSgeYRjLm56M25.H12

dovecot/postfix.main.cf

@@ -0,0 +1,74 @@
+# See /usr/share/postfix/main.cf.dist for a commented, more complete version
+
+
+# Debian specific:  Specifying a file name will cause the first
+# line of that file to be used as the name.  The Debian default
+# is /etc/mailname.
+#myorigin = /etc/mailname
+
+smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
+biff = no
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+
+readme_directory = no
+
+# TLS parameters
+smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
+smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+smtpd_use_tls=yes
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+
+# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
+# information on enabling SSL in the smtp client.
+
+
+myhostname = localhost
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+mydestination = /etc/mailname, 67b0a2fd2749, localhost.localdomain, localhost
+relayhost = 
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+mailbox_size_limit = 0
+recipient_delimiter = +
+
+# SMTP configuration for incoming mail (port 25)
+# Outgoing mail (port 587) configuration  is specified in master.cf
+
+# allow all connections (since we want to receive mail from outside)
+smtpd_client_restrictions = permit
+
+# Don't talk to mail systems that don't know their own hostname.
+# With Postfix < 2.3, specify reject_unknown_hostname.
+smtpd_helo_restrictions = permit
+
+# Don't accept mail from domains that don't exist.
+smtpd_sender_restrictions = permit
+
+# Only accept mail where this server is the final destination
+smtpd_relay_restrictions = permit_auth_destination, reject
+
+# Mail thats not for us gets filtered out by smtpd_relay_restrictions
+# When the mail is for us, we just accept everything. (could add spam blocklists/user checking etc. here)
+smtpd_recipient_restrictions = permit
+
+# Delivery to dovecot
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+virtual_alias_maps = hash:/etc/postfix/virtual
+virtual_mailbox_domains = /etc/postfix/virtual-mailbox-domains
+virtual_mailbox_maps = hash:/etc/postfix/virtual-mailbox-maps
+virtual_transport = dovecot
+dovecot_destination_recipient_limit = 1
+
+# additional authentication settings
+smtpd_tls_auth_only = yes
+smtpd_sasl_auth_enable = yes
+smtpd_sasl_type = dovecot
+smtpd_sasl_path = private/auth
+

dovecot/postfix.master.cf.append

@@ -0,0 +1,15 @@
+dovecot   unix  -       n       n       -       -       pipe
+  flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${recipient}
+
+# we need to be permissive with the helo restrictions since the client can only
+# authenticate after HELO has been sent
+submission      inet    n       -       n       -       -       smtpd
+ -o smtpd_etrn_restrictions=reject
+ -o smtpd_sasl_type=dovecot
+ -o smtpd_sasl_path=private/auth
+ -o smtpd_sasl_auth_enable=yes
+ -o smtpd_helo_restrictions=permit
+ -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+ -o smtpd_sender_restrictions=permit_sasl_authenticated,reject
+ -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+ -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

dovecot/process_settings

@@ -0,0 +1,24 @@
+# configure mail delivery to dovecot
+cp /mail_settings/aliases /etc/postfix/virtual
+cp /mail_settings/domains /etc/postfix/virtual-mailbox-domains
+
+# todo: this could probably be done in one line
+mkdir /etc/postfix/tmp
+awk < /etc/postfix/virtual '{ print $2 }' > /etc/postfix/tmp/virtual-receivers
+sed -r 's,(.+)@(.+),\2/\1/,' /etc/postfix/tmp/virtual-receivers > /etc/postfix/tmp/virtual-receiver-folders
+paste /etc/postfix/tmp/virtual-receivers /etc/postfix/tmp/virtual-receiver-folders > /etc/postfix/virtual-mailbox-maps
+
+# give postfix the ownership of his files
+chown -R postfix:postfix /etc/postfix
+
+# map virtual aliases and user/filesystem mappings
+postmap /etc/postfix/virtual
+postmap /etc/postfix/virtual-mailbox-maps
+chown -R postfix:postfix /etc/postfix
+
+# make user vmail own all mail folders
+chown -R vmail:vmail /vmail
+chmod u+w /vmail
+
+# Add password file
+cp /mail_settings/passwords /etc/dovecot/passwd