feat: Enable Postfix Postscreen and configure Unbound DNS

cursoragent · jeboehm · cursoragent · commit 98d31346eaf5 · 2025-10-17T16:42:38.000Z
Co-authored-by: j.boehm &lt;j.boehm@ressourcenkonflikt.de&gt;
diff --git a/target/mta/Dockerfile b/target/mta/Dockerfile
@@ -65,7 +65,27 @@ RUN apk --no-cache add \
     postconf smtpd_error_sleep_time=10s && \
     postconf smtpd_soft_error_limit=3 && \
     postconf smtpd_hard_error_limit=5 && \
-    newaliases
+    newaliases && \
+    # enable postscreen on port 25 and supporting services
+    sed -i 's/^smtp\s\+inet\s\+n\s\+-\s\+y\s\+-\s\+-\s\+smtpd/smtp      inet  n       -       y       -       1       postscreen/' /etc/postfix/master.cf && \
+    printf '%s\n' \
+      'smtpd     pass  -       -       y       -       -       smtpd' \
+      'dnsblog   unix  -       -       y       -       0       dnsblog' \
+      'tlsproxy  unix  -       -       y       -       0       tlsproxy' \
+      >> /etc/postfix/master.cf && \
+    postconf postscreen_dnsbl_sites='bl.spamcop.net*2' && \
+    postconf postscreen_dnsbl_threshold=2 && \
+    postconf postscreen_dnsbl_action=enforce && \
+    echo "submission inet n - n - - smtpd" >> /etc/postfix/master.cf && \
+    echo " -o syslog_name=postfix/submission" >> /etc/postfix/master.cf && \
+    echo " -o smtpd_tls_security_level=encrypt" >> /etc/postfix/master.cf && \
+    echo " -o smtpd_sasl_auth_enable=yes" >> /etc/postfix/master.cf && \
+    echo " -o smtpd_tls_auth_only=yes" >> /etc/postfix/master.cf && \
+    echo " -o smtpd_reject_unlisted_recipient=no" >> /etc/postfix/master.cf && \
+    echo " -o smtpd_sender_restrictions=reject_sender_login_mismatch,permit_sasl_authenticated,reject" >> /etc/postfix/master.cf && \
+    echo " -o smtpd_relay_restrictions=" >> /etc/postfix/master.cf && \
+    echo " -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject" >> /etc/postfix/master.cf && \
+    echo " -o milter_macro_daemon_name=ORIGINATING" >> /etc/postfix/master.cf
 COPY --from=dockerize /bin/dockerize /usr/local/bin/dockerize
 COPY rootfs/ /
 
diff --git a/target/mta/rootfs/usr/local/bin/init.sh b/target/mta/rootfs/usr/local/bin/init.sh
@@ -55,3 +55,23 @@ dockerize \
 	-template /etc/postfix/mysql-recipient-access.cf.templ:/etc/postfix/mysql-recipient-access.cf \
 	-template /etc/postfix/mysql-email-submission.cf.templ:/etc/postfix/mysql-email-submission.cf \
 	/bin/true
+
+# Configure resolver for Postfix to use $UNBOUND_DNS_ADDRESS
+# Accept formats like "host:port" or "ip:port"; default port 53 if omitted
+if [ -n "${UNBOUND_DNS_ADDRESS}" ]; then
+	UNBOUND_DNS_HOST=$(echo "${UNBOUND_DNS_ADDRESS}" | cut -d: -f1)
+	UNBOUND_DNS_PORT=$(echo "${UNBOUND_DNS_ADDRESS}" | cut -s -d: -f2)
+	if [ -z "${UNBOUND_DNS_PORT}" ]; then
+		UNBOUND_DNS_PORT=53
+	fi
+
+	# Resolve hostname to IP if necessary
+	UNBOUND_DNS_IP=$(getent hosts "${UNBOUND_DNS_HOST}" | awk '{print $1}' | head -n1)
+	if [ -z "${UNBOUND_DNS_IP}" ]; then
+		UNBOUND_DNS_IP=${UNBOUND_DNS_HOST}
+	fi
+
+	mkdir -p /var/spool/postfix/etc
+	echo "nameserver ${UNBOUND_DNS_IP}" > /var/spool/postfix/etc/resolv.conf
+	# glibc resolv.conf does not support custom port; rely on Unbound standard port 53
+fi
