smtp-relay/README.md
xavor 9e21e1e669 feat(smtp-relay): initial custom postfix+sasl relay image
Postfix relay image with Cyrus SASL (sasldb2) authentication.
Replaces mwader/postfix-relay with a controlled image built via Kaniko and
stored in Harbor. Credentials injected from Vault ExternalSecret at startup.
2026-05-20 20:25:04 +00:00


# smtp-relay

Postfix SMTP relay with Cyrus SASL authentication and TLS.

Used by Mailu (personal + Solidaria NGO) on valhalla to route outbound mail through
hermes, which has a residential IP with a reputation that Gmail and Hotmail accept mail from.

- Image: `harbor.manabo.org/library/smtp-relay`
- Deployed on: hermes (`clusters/hermes/smtp-relay/` in asgard)

---
## Build

```bash
./build.sh 1.0.0
```

Packages the Dockerfile context, uploads it to MinIO, runs Kaniko in-cluster on valhalla,
and pushes the resulting image to Harbor. The argument is the version the image is tagged with.
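The build flow described above, as an added example script of the same shape; it is not the repository's own `build.sh`. The MinIO bucket, the `mc` alias, the in-cluster MinIO URL, the namespace on valhalla and the secret names (`minio-credentials`, `harbor-push`) are assumptions. The `mc`/`kubectl` steps only run when a version argument is given, so the functions can be sourced and checked on their own.

```shell
#!/bin/sh
# Added example of the README's build flow (not the repo's build.sh):
# pack the Dockerfile context, upload it to MinIO, run Kaniko in-cluster,
# push the image to Harbor. Names marked "assumed" are not from the README.
set -eu

IMAGE=harbor.manabo.org/library/smtp-relay
BUCKET=kaniko-contexts                            # assumed MinIO bucket
NAMESPACE=kaniko                                  # assumed namespace on valhalla
MC_ALIAS=minio                                    # assumed `mc alias` for MinIO
S3_ENDPOINT_URL=https://minio.valhalla.svc:9000   # assumed in-cluster MinIO URL
# Pin the executor; in real use pin by digest (executor:v1.23.2@sha256:...).
KANIKO_IMAGE=gcr.io/kaniko-project/executor:v1.23.2

pack_context() {
  # $1 = directory holding the Dockerfile, $2 = output tarball (absolute path).
  # Only the files the Dockerfile needs are packed: no .git, no stray
  # secrets or local config ending up in the build context.
  tar -czf "$2" -C "$1" Dockerfile entrypoint.sh
}

kaniko_pod_manifest() {
  # $1 = version tag, $2 = s3:// URL of the uploaded context tarball.
  # Kaniko fetches the context from MinIO (S3_ENDPOINT + path-style URLs)
  # and pushes with Harbor robot credentials from a dockerconfigjson secret.
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: kaniko-smtp-relay-$1
  namespace: $NAMESPACE
spec:
  restartPolicy: Never
  containers:
  - name: kaniko
    image: $KANIKO_IMAGE
    args:
    - --context=$2
    - --dockerfile=Dockerfile
    - --destination=$IMAGE:$1
    - --reproducible
    env:
    - name: S3_ENDPOINT
      value: $S3_ENDPOINT_URL
    - name: S3_FORCE_PATH_STYLE
      value: "true"
    - name: AWS_REGION
      value: us-east-1
    envFrom:
    - secretRef:
        name: minio-credentials        # AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY
    volumeMounts:
    - name: harbor-auth
      mountPath: /kaniko/.docker
  volumes:
  - name: harbor-auth
    secret:
      secretName: harbor-push          # type kubernetes.io/dockerconfigjson
      items:
      - key: .dockerconfigjson
        path: config.json
EOF
}

main() {
  version=$1
  key="smtp-relay-$version.tar.gz"
  work=$(mktemp -d)
  pack_context "$(dirname "$0")" "$work/context.tar.gz"
  mc cp "$work/context.tar.gz" "$MC_ALIAS/$BUCKET/$key"
  kaniko_pod_manifest "$version" "s3://$BUCKET/$key" | kubectl apply -f -
  kubectl -n "$NAMESPACE" wait "pod/kaniko-smtp-relay-$version" \
    --for=jsonpath='{.status.phase}'=Succeeded --timeout=15m
  kubectl -n "$NAMESPACE" logs "pod/kaniko-smtp-relay-$version" | tail -n 3
  rm -rf "$work"
}

# Only run the pipeline when called as `./build.sh <version>`.
if [ $# -ge 1 ]; then
  main "$1"
fi
```

Packing an explicit file list rather than `.` is the supply-chain point: nothing outside the two files the image needs can end up in the context that Kaniko, and therefore the image, sees.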

---

## Configuration

### Required Vault secrets (`app/smtp-relay/smtp-relay-sasl`)

| Key | Description |
|-----|-------------|
| `relay_user` | SASL username (e.g. `relayuser`) |
| `relay_pass` | SASL password (stored in Vault in plaintext; the entrypoint feeds it to `saslpasswd2` at start) |
| `relay_domain` | SASL domain (e.g. `manabo.org`); becomes the realm of the `sasldb2` user |

### TLS (`certs/smtp-relay-tls`)

Wildcard certificate covering `relay.manabo.org`, pushed to Vault via PushSecret on valhalla
and pulled into the hermes cluster by ExternalSecret.

### Env vars (from ExternalSecret)

| Var | Source |
|-----|--------|
| `RELAY_AUTH_USER` | `relay_user` |
| `RELAY_AUTH_PASS` | `relay_pass` |
| `RELAY_AUTH_DOMAIN` | `relay_domain` |

---
## How it works

- Listens on ports **25** (SMTP, TLS optional) and **587** (submission, TLS required)
- Uses `hostNetwork: true`, so both ports are bound directly on the hermes host IP (no Service in between; the host firewall is what limits who can reach them)
- Entrypoint creates the `sasldb2` user from the env vars on every start
- Only clients authenticated via SASL can relay mail
- TLS cert mounted from the Vault ExternalSecret (`certs/smtp-relay-tls`)

---
## Gotchas

- **sasldb2 recreated on every restart**: credentials are read from env vars and
  `saslpasswd2` re-creates the sasldb. This is intentional (stateless SASL): rotating
  the password means updating Vault and restarting the pod, since env vars are only
  read at start, and nothing on disk outlives the container. `sasldblistusers2` should
  list exactly one entry, `<relay_user>@<relay_domain>`.
- **AUTH on port 25**: TLS is optional there, so if the server advertises AUTH before
  STARTTLS a client can send the relay password in clear. Make sure Postfix has
  `smtpd_tls_auth_only = yes` (check with `postconf smtpd_tls_auth_only`) so AUTH is
  only offered inside a TLS session; port 587 enforces TLS anyway.
- **No DKIM**: DKIM signing is not implemented in this image. The relay delivers mail
  as-is; DKIM signatures must be added by the sending MTA (Mailu) before the message
  reaches the relay.
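How the "How it works" bullets and the stateless-sasldb gotcha fit together, as an added example entrypoint; this is not the image's own `entrypoint.sh`. It renders the Postfix and Cyrus SASL configuration for the two listeners, the SASL-only relay policy and TLS-gated AUTH, then rebuilds `sasldb2` from the `RELAY_AUTH_*` variables on every start. The file paths (`/etc/postfix/sasl/smtpd.conf`, `/etc/postfix/tls/`), the `postfix` group and the choice of `saslpasswd2 -u` for the domain are assumptions. Postfix is only started when the script is invoked with `run`, so the functions can be sourced and inspected on their own.

```shell
#!/bin/sh
# Added example entrypoint for a stateless Postfix + Cyrus SASL relay.
# Not the image's own entrypoint.sh; paths and Postfix settings are assumed.
set -eu

SASLDB=/etc/sasldb2
SASL_CONF=/etc/postfix/sasl/smtpd.conf   # assumed Cyrus config path (Debian layout)
TLS_DIR=/etc/postfix/tls                 # assumed mount point of the Vault TLS secret

require_env() {
  # Refuse to start without all three values: an empty password would create
  # a sasldb entry nobody can use, and an empty domain a realm nobody matches.
  missing=0
  for v in RELAY_AUTH_USER RELAY_AUTH_PASS RELAY_AUTH_DOMAIN; do
    eval "val=\${$v:-}"
    if [ -z "$val" ]; then
      echo "entrypoint: $v is not set" >&2
      missing=1
    fi
  done
  return $missing
}

render_main_cf() {
  # SASL-authenticated clients may relay anywhere, nobody else may relay.
  # AUTH is only advertised after STARTTLS and plaintext mechanisms are only
  # allowed inside TLS, so a port-25 client cannot leak the password in clear.
  # smtpd_sasl_local_domain must equal the sasldb realm: otherwise the login
  # "relayuser" is looked up as relayuser@<hostname> and fails.
  cat <<EOF
myhostname = relay.manabo.org
smtpd_banner = \$myhostname ESMTP
smtpd_tls_cert_file = $TLS_DIR/tls.crt
smtpd_tls_key_file = $TLS_DIR/tls.key
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = cyrus
smtpd_sasl_path = smtpd
smtpd_sasl_local_domain = $RELAY_AUTH_DOMAIN
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_relay_restrictions = permit_sasl_authenticated, reject_unauth_destination
smtp_tls_security_level = may
EOF
}

configure_submission() {
  # Port 587 in master.cf: no chroot (column 4 = n, so sasldb2 and smtpd.conf
  # stay where they are), TLS mandatory, SASL on, nothing relays unauthenticated.
  postconf -M "submission/inet=submission inet n - n - - smtpd"
  postconf -P "submission/inet/syslog_name=postfix/submission" \
              "submission/inet/smtpd_tls_security_level=encrypt" \
              "submission/inet/smtpd_sasl_auth_enable=yes" \
              "submission/inet/smtpd_relay_restrictions=permit_sasl_authenticated,reject"
}

render_sasl_conf() {
  # Cyrus SASL: look users up in sasldb2; PLAIN/LOGIN only, which main.cf
  # restricts to TLS sessions.
  cat <<EOF
pwcheck_method: auxprop
auxprop_plugin: sasldb
sasldb_path: $SASLDB
mech_list: PLAIN LOGIN
EOF
}

create_sasldb() {
  # Rebuild sasldb2 from scratch on every start. Deleting the old file first
  # means a renamed user or domain leaves no stale entry behind; -p reads the
  # password from stdin so it never shows up in the process list.
  rm -f "$SASLDB"
  printf '%s\n' "$RELAY_AUTH_PASS" \
    | saslpasswd2 -p -c -f "$SASLDB" -u "$RELAY_AUTH_DOMAIN" "$RELAY_AUTH_USER"
  chown root:postfix "$SASLDB"   # assumed group: postfix can read, nobody else
  chmod 0640 "$SASLDB"
  sasldblistusers2 -f "$SASLDB"  # expect one line: <user>@<domain>: userPassword
}

main() {
  require_env
  render_main_cf > /etc/postfix/main.cf
  render_sasl_conf > "$SASL_CONF"
  configure_submission
  create_sasldb
  unset RELAY_AUTH_PASS          # Postfix itself has no use for the password
  exec postfix start-fg
}

# Dockerfile: ENTRYPOINT ["/entrypoint.sh", "run"]. Without "run" only the
# functions are defined, which is what sourcing for checks wants.
if [ "${1:-}" = run ]; then
  main
fi
```

`smtpd_tls_auth_only` together with `noplaintext` outside TLS is the pair that makes the "TLS optional" port 25 safe to expose with SASL enabled: an unencrypted session never sees an AUTH offer it could answer with the relay password.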