Postfix relay image with Cyrus SASL (sasldb2) authentication. Replaces mwader/postfix-relay with a controlled image built via Kaniko and stored in Harbor. Credentials injected from Vault ExternalSecret at startup.
# smtp-relay

Postfix SMTP relay with Cyrus SASL authentication and TLS.

Used by Mailu (personal + Solidaria NGO) on valhalla to route outbound mail through hermes, which has a trusted residential IP accepted by Gmail and Hotmail.

Image: `harbor.manabo.org/library/smtp-relay`

Deployed on: hermes (`clusters/hermes/smtp-relay/` in asgard)
## Build

```sh
./build.sh 1.0.0
```

Packages the Dockerfile context, uploads it to MinIO, runs Kaniko in-cluster on valhalla, and pushes the resulting image to Harbor.
## Configuration

### Required Vault secrets (`app/smtp-relay/smtp-relay-sasl`)

| Key | Description |
|---|---|
| `relay_user` | SASL username (e.g. `relayuser`) |
| `relay_pass` | SASL password (plaintext, stored in Vault) |
| `relay_domain` | SASL domain/realm (e.g. `manabo.org`) |

### TLS (`certs/smtp-relay-tls`)

Wildcard cert for `relay.manabo.org`, pushed to Vault via PushSecret on valhalla.
### Env vars (from ExternalSecret)

| Var | Source |
|---|---|
| `RELAY_AUTH_USER` | `relay_user` |
| `RELAY_AUTH_PASS` | `relay_pass` |
| `RELAY_AUTH_DOMAIN` | `relay_domain` |
## How it works

- Listens on ports 25 (SMTP, TLS optional) and 587 (submission, TLS required)
- Uses `hostNetwork: true`: ports are exposed directly on the hermes host IP
- The entrypoint creates the `sasldb2` user from the env vars on every start
- Only clients authenticated via SASL can relay mail
- TLS cert mounted from the Vault ExternalSecret
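An illustrative entrypoint for the behaviour listed above and for the "sasldb2 recreated on every restart" gotcha below. This is an added example, not the project's own `entrypoint.sh`. It assumes (none of this is stated in the README) that the sasldb lives at `/etc/sasldb2`, that Postfix reads its Cyrus SASL config from `/etc/postfix/sasl/smtpd.conf`, that the ExternalSecret mounts the certificate at `/etc/smtp-relay/tls/tls.crt` and `tls.key`, and that `saslpasswd2`, `sasldblistusers2` and `postconf` are on `PATH`. The Postfix settings are this example's own choices: AUTH is only offered after STARTTLS on port 25, and port 587 requires TLS.

```sh
#!/bin/sh
# Example entrypoint: build sasldb2 from the injected env vars on every
# start, then hand off to Postfix. Added example; paths below are assumed.
set -eu

SASLDB="${SASLDB:-/etc/sasldb2}"
SASL_CONF="${SASL_CONF:-/etc/postfix/sasl/smtpd.conf}"
TLS_CRT="${TLS_CRT:-/etc/smtp-relay/tls/tls.crt}"
TLS_KEY="${TLS_KEY:-/etc/smtp-relay/tls/tls.key}"

# saslpasswd2 -u DOMAIN USER stores the principal "user@domain"; Postfix
# looks it up with the same realm (smtpd_sasl_local_domain), so both must
# agree or AUTH fails with "no such user".
sasl_principal() {
    printf '%s@%s\n' "$1" "$2"
}

# Fail closed: a relay started with a missing or empty credential is
# either open or broken, so refuse to start instead.
check_env() {
    for v in RELAY_AUTH_USER RELAY_AUTH_PASS RELAY_AUTH_DOMAIN; do
        eval "val=\${$v:-}"
        if [ -z "$val" ]; then
            echo "entrypoint: $v is unset or empty, refusing to start" >&2
            return 1
        fi
    done
    # The realm is supplied separately; an '@' in the user would produce
    # a principal like a@b@domain that never matches Postfix's lookup.
    case "$RELAY_AUTH_USER" in
        *@*|*' '*)
            echo "entrypoint: RELAY_AUTH_USER must not contain '@' or spaces" >&2
            return 1 ;;
    esac
    return 0
}

# Cyrus SASL side: authenticate against the sasldb file with PLAIN/LOGIN,
# which is acceptable only because AUTH is offered after STARTTLS.
write_sasl_conf() {
    mkdir -p "$(dirname "$SASL_CONF")"
    cat > "$SASL_CONF" <<EOF
pwcheck_method: auxprop
auxprop_plugin: sasldb
sasldb_path: $SASLDB
mech_list: PLAIN LOGIN
EOF
}

# Stateless SASL: drop whatever a previous run left and recreate the
# single relay user from the env vars injected for this run.
create_sasl_user() {
    rm -f "$SASLDB"
    # -p reads the password from stdin (keeps it out of argv and ps),
    # -c creates the entry, -u sets the realm, -f selects the db file.
    printf '%s' "$RELAY_AUTH_PASS" \
        | saslpasswd2 -p -c -u "$RELAY_AUTH_DOMAIN" -f "$SASLDB" "$RELAY_AUTH_USER"
    chown root:postfix "$SASLDB"
    chmod 640 "$SASLDB"
    # Verify the entry exists before Postfix starts listening.
    sasldblistusers2 -f "$SASLDB" \
        | grep -qF "$(sasl_principal "$RELAY_AUTH_USER" "$RELAY_AUTH_DOMAIN"):"
}

# Postfix side: relay only for SASL-authenticated clients; TLS optional on
# 25 but AUTH only inside TLS; TLS mandatory on 587.
configure_postfix() {
    postconf -e \
        "smtpd_sasl_auth_enable=yes" \
        "smtpd_sasl_type=cyrus" \
        "smtpd_sasl_path=smtpd" \
        "smtpd_sasl_local_domain=$RELAY_AUTH_DOMAIN" \
        "smtpd_sasl_security_options=noanonymous" \
        "smtpd_tls_cert_file=$TLS_CRT" \
        "smtpd_tls_key_file=$TLS_KEY" \
        "smtpd_tls_security_level=may" \
        "smtpd_tls_auth_only=yes" \
        "smtpd_relay_restrictions=permit_sasl_authenticated,reject"
    # No chroot, so smtpd can read $SASLDB and $SASL_CONF where written.
    postconf -F "smtp/inet/chroot=n"
    postconf -M "submission/inet=submission inet n - n - - smtpd"
    postconf -P "submission/inet/smtpd_tls_security_level=encrypt" \
        "submission/inet/smtpd_sasl_auth_enable=yes"
}

main() {
    check_env
    write_sasl_conf
    create_sasl_user
    configure_postfix
    # Hand off to the container command (e.g. "postfix start-fg") so
    # Postfix runs as PID 1 and receives signals directly.
    exec "$@"
}

# Run only when given a command to exec (Docker CMD); with no arguments
# the script just defines its functions, so it can be sourced and tested.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Because the password is piped to `saslpasswd2 -p` rather than passed as an argument, it never shows up in `ps` or in the container's process listing; the `sasldblistusers2` check makes the container fail to start (rather than run without a usable SASL user) if the realm and user did not land in the db as expected.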
## Gotchas

- sasldb2 is recreated on every restart: credentials are read from the env vars and `saslpasswd2` re-creates the sasldb. This is intentional (stateless SASL).
- No DKIM: DKIM signing is not implemented in this image. The relay delivers mail as-is; DKIM signatures must be added by the sending MTA (Mailu).