Custom Postfix SMTP relay image — builds via Kaniko, deploys on hermes
xavor 63dbc331a1
Some checks failed
Build smtp-relay / build (push) Failing after 53s
fix Postfix spool permissions using set-permissions
Manual chmod 1730 on maildrop caused postsuper scan_dir_push failures
because the group (postdrop) lacked read permission. Let Postfix set
the exact permissions it expects via set-permissions.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-20 21:32:35 +00:00
.gitea/workflows feat(ci): add Gitea Actions workflow for auto-build on push 2026-05-20 20:57:14 +00:00
scripts feat(ci): add Gitea Actions workflow for auto-build on push 2026-05-20 20:57:14 +00:00
Dockerfile feat(smtp-relay): initial custom postfix+sasl relay image 2026-05-20 20:25:04 +00:00
entrypoint.sh fix Postfix spool permissions using set-permissions 2026-05-20 21:32:35 +00:00
main.cf feat(smtp-relay): initial custom postfix+sasl relay image 2026-05-20 20:25:04 +00:00
master.cf feat(smtp-relay): initial custom postfix+sasl relay image 2026-05-20 20:25:04 +00:00
README.md feat(smtp-relay): initial custom postfix+sasl relay image 2026-05-20 20:25:04 +00:00
smtpd.conf feat(smtp-relay): initial custom postfix+sasl relay image 2026-05-20 20:25:04 +00:00

smtp-relay

Postfix SMTP relay with Cyrus SASL authentication and TLS.

Used by Mailu (personal + Solidaria NGO) on valhalla to route outbound mail through hermes, which has a trusted residential IP accepted by Gmail and Hotmail.

Image: harbor.manabo.org/library/smtp-relay
Deployed on: hermes (clusters/hermes/smtp-relay/ in asgard)


Build

./build.sh 1.0.0

Packages the Dockerfile context, uploads to MinIO, runs Kaniko in-cluster on valhalla, and pushes the resulting image to Harbor.


Configuration

Required Vault secrets (app/smtp-relay/smtp-relay-sasl)

Key            Description
relay_user     SASL username (e.g. relayuser)
relay_pass     SASL password (plaintext — stored in Vault)
relay_domain   SASL domain (e.g. manabo.org)

TLS (certs/smtp-relay-tls)

Wildcard cert for relay.manabo.org — pushed to Vault via PushSecret on valhalla.

Env vars (from ExternalSecret)

Var                 Source
RELAY_AUTH_USER     relay_user
RELAY_AUTH_PASS     relay_pass
RELAY_AUTH_DOMAIN   relay_domain

How it works

  • Listens on ports 25 (SMTP, TLS optional) and 587 (submission, TLS required)
  • Uses hostNetwork: true — ports exposed directly on the hermes host IP
  • Entrypoint creates a sasldb2 user from the env vars on every start
  • Only clients authenticated via SASL can relay mail
  • TLS cert mounted from Vault ExternalSecret

Gotchas

  • sasldb2 recreated on every restart: credentials are read from env vars and saslpasswd2 re-creates the sasldb. This is intentional (stateless SASL).
  • No DKIM: DKIM signing is not implemented in this image. Relay delivers mail as-is; DKIM signatures must be added by the sending MTA (Mailu).
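The start-up sequence described under "How it works" and the first gotcha, written out as an added example (this is not the repository's entrypoint.sh): check the three env vars, rebuild sasldb2 from them on every start, and let postfix set-permissions fix the spool as the latest commit does. The sasldb path /etc/sasldb2, the root:postfix ownership and the SASLDB_PATH override are assumptions.

```shell
#!/bin/sh
# Illustrative entrypoint for a stateless-SASL Postfix relay (added example,
# not the repository's entrypoint.sh). Env vars as in the README; the sasldb
# path and ownership below are assumptions for a typical Debian/Alpine image.
set -eu

# Fail fast if any credential is missing: an empty user or password would
# otherwise silently produce a relay that nobody can authenticate to.
check_relay_env() {
    for v in RELAY_AUTH_USER RELAY_AUTH_PASS RELAY_AUTH_DOMAIN; do
        eval "val=\${$v:-}"
        if [ -z "$val" ]; then
            echo "entrypoint: $v is not set" >&2
            return 1
        fi
    done
    return 0
}

# Rebuild sasldb2 from scratch on every start (stateless SASL). The password
# is handed to saslpasswd2 on stdin (-p), not on argv, so it does not appear
# in `ps` or container inspect output.
create_sasl_user() {
    db="${SASLDB_PATH:-/etc/sasldb2}"   # assumed path
    rm -f "$db"
    printf '%s\n' "$RELAY_AUTH_PASS" | saslpasswd2 -p -c -f "$db" \
        -u "$RELAY_AUTH_DOMAIN" "$RELAY_AUTH_USER"
    # Readable by the account smtpd runs as, not by everyone (adjust group).
    chown root:postfix "$db"
    chmod 640 "$db"
}

# Let Postfix set the spool modes it expects instead of a manual chmod
# (a hand-set 1730 on maildrop broke postsuper, per the commit history).
fix_spool_permissions() {
    postfix set-permissions
    postfix check
}

relay_entrypoint() {
    check_relay_env
    create_sasl_user
    fix_spool_permissions
    exec postfix start-fg
}
```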