Add more features

Add relay mode to set predefined restrictions on relay emails

Dockerfile

@@ -5,7 +5,10 @@ ENV RELAY_MYDOMAIN=domain.com \
     RELAY_MYNETWORKS=127.0.0.0/8 \
     RELAY_HOST=[127.0.0.1]:25 \
     RELAY_USE_TLS=yes \
-    RELAY_TLS_VERIFY=may
+    RELAY_TLS_VERIFY=may \
+    RELAY_DOMAINS=\$mydomain \
+    RELAY_STRICT_SENDER_MYDOMAIN=true \
+    RELAY_MODE=STRICT
     #RELAY_MYHOSTNAME=relay.domain.com
     #RELAY_POSTMASTER=postmaster@domain.com
     #RELAY_LOGIN=loginname
@@ -28,14 +31,11 @@ RUN apk --no-cache add \
     postconf -e 'inet_interfaces = all' && \
     postconf -e 'inet_protocols = all' && \
     postconf -e 'myorigin = $mydomain' && \
-    postconf -e 'relay_domains = $mydomain' && \
 # SMTPD auth
     postconf -e 'smtpd_sasl_auth_enable = yes' && \
     postconf -e 'smtpd_sasl_type = cyrus' && \
     postconf -e 'smtpd_sasl_local_domain = $mydomain' && \
     postconf -e 'smtpd_sasl_security_options = noanonymous' && \
-# Static restrictions for smtp clients
-    postconf -e 'smtpd_relay_restrictions = reject_unauth_destination, permit_mynetworks, permit_sasl_authenticated, reject' && \
 # Other configurations
     postconf -e 'smtpd_banner = $myhostname ESMTP $mail_name RELAY' && \
     postconf -e 'smtputf8_enable = no' && \

README.md

@@ -10,7 +10,7 @@ This relay is restricted to only one domain name. so it means that only mail tha
 
 This relay can take place into a information system if you want to give access to some web or other applications a way to send notification by mail.
 
-The advantage of this configuration is that only the host in theses case are allowed to send mails through this relay :
+The advantage of this configuration is that only the host in theses case are allowed to send emails through this relay :
 
    * The host IP's address is in the range of RELAY_MYNETWORKS
    * The host is authenticated with a valid SASL login/password
@@ -35,20 +35,31 @@ The advantage of this configuration is that only the host in theses case are all
   * This image takes theses environnements variables as parameters
 
 
-| Environment                | Usage                                                                                                                   |
-| ---------------------------- | --------------------------------------------------------                                                                |
-| RELAY_MYHOSTNAME             | The hostname of the SMTP relay (because docker assign a random hostname, you can specify here a human-readable hostname)|
-| RELAY_MYDOMAIN   (mandatory) | The domain name that this relay will forward the mail                                                                   |
-| RELAY_MYNETWORKS             | The list of network(s) which are allowed by default to relay mails                                                      |
-| RELAY_HOST       (mandatory) | The remote host to which send the relayed mails (the relayhost)                                                         |
-| RELAY_LOGIN                  | The login name to present to the relayhost during authentication (optionnal)                                            |
-| RELAY_PASSWORD               | The password to present to the relayhost during authentication (optionnal)                                              |
-| RELAY_USE_TLS                | Specify if you want to require a TLS connection to relayhost                                                            |
-| RELAY_TLS_VERIFY             | How to verify the TLS  : (none, may, encrypt, dane, dane-only, fingerprint, verify, secure)                             |
-| RELAY_TLS_CA                 | The path to the CA file use to check relayhost certificate (path in the container)                                      |
-| RELAY_POSTMASTER             | The email address of the postmaster, in order to send error, and misconfiguration notification                          |
-
-For example of values, you can refer to the Dockerfile
+| Environment                 | Usage                                                                                                                                     |
+| --------------------------- | --------------------------------------------------------                                                               ------------------ |
+| RELAY_MYHOSTNAME            | The hostname of the SMTP relay (because docker assign a random hostname, you can specify here a human-readable hostname)                  |
+| RELAY_MYDOMAIN   (mandatory)| The domain name that this relay will forward the mail                                                                                     |
+| RELAY_MYNETWORKS            | The list of network(s) which are allowed by default to relay emails                                                                       |
+| RELAY_HOST       (mandatory)| The remote host to which send the relayed emails (the relayhost)                                                                          |
+| RELAY_LOGIN                 | The login name to present to the relayhost during authentication (optionnal)                                                              |
+| RELAY_PASSWORD              | The password to present to the relayhost during authentication (optionnal)                                                                |
+| RELAY_USE_TLS               | Specify if you want to require a TLS connection to relayhost                                                                              |
+| RELAY_TLS_VERIFY            | How to verify the TLS  : (none, may, encrypt, dane, dane-only, fingerprint, verify, secure)                                               |
+| RELAY_TLS_CA                | The path to the CA file use to check relayhost certificate (path in the container)                                                        |
+| RELAY_POSTMASTER            | The email address of the postmaster, in order to send error, and misconfiguration notification                                            |
+| RELAY_STRICT_SENDER_MYDOMAIN| If set to 'true' all sender adresses must belong to the relay domains                                                                     |
+| RELAY_MODE                  | The predefined mode of relay behaviour, theses modes has been designed by me. The availables values for this parameter are described below|
+
+#### Relay Mode
+
+Description of parameter
+
+| Relay mode value     | Description                                                                                                                                        | Usage                                                                                                                                                                                                                                                                                             |
+| -------------------- |--------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| STRICT               | Only network and sasl authenticated users can send emails through relay. All emails must have a recipient adress which belong to the relay domains |  Typically you can use this mode to allow one of your application to send email to internals domain emails adresses                                                                                                                                                                               |
+| ALLOW_AUTH_NODOMAIN  | Only network and sasl authenticated users can send emails through relay. All emails send by network authenticated users must have a recipient adress which belong to the relay domains. All emails send by sasl authenticated users can have any recipient adress | You can use this mode to allow one of your (internal) application to send email to external users. In case when some part of your application will be reachable by externals users |
+
+For other examples of values, you can refer to the Dockerfile
 
 ## Installation
 

start.sh

@@ -6,6 +6,23 @@ set -e
 postconf -e "mydomain = $RELAY_MYDOMAIN"
 postconf -e "mynetworks = $RELAY_MYNETWORKS"
 postconf -e "relayhost = $RELAY_HOST"
+postconf -e "relay_domains = $RELAY_DOMAINS"
+
+# Static restrictions for smtp clients
+if [ "$RELAY_MODE" = 'ALLOW_AUTH_NODOMAIN' ]; then
+# set ALLOW_AUTH_NODOMAIN mode
+# only authenticated smtp users can send email to another domain than the relay domains list
+  postconf -e 'smtpd_relay_restrictions = permit_sasl_authenticated, reject_unauth_destination, permit_mynetworks, reject'
+elif [ "$RELAY_MODE" = 'STRICT' ]; then
+# set STRICT mode
+# no one can send mail to another domain than the relay domains list
+# only network/sasl authenticated user can send mail through relay
+  postconf -e 'smtpd_relay_restrictions = reject_unauth_destination, permit_sasl_authenticated, permit_mynetworks, reject'
+else
+# set the content of the mode into the restrictions
+  postconf -e "smtpd_relay_restrictions = $RELAY_MODE"
+fi
+
 
 # Set hostname
 if [ -n "$RELAY_MYHOSTNAME" ]; then
@@ -42,18 +59,21 @@ if [ -n "$RELAY_LOGIN" -a -n "$RELAY_PASSWORD" ]; then
     postconf -e "smtp_sasl_password_maps = static:{$RELAY_LOGIN:$RELAY_PASSWORD}"
   fi
   postconf -e 'smtp_sasl_security_options = noanonymous'
-  
+
   if [ -n "$RELAY_USE_TLS" -a "$RELAY_USE_TLS" = 'yes' -a -z "$RELAY_TLS_CA" ]; then
     echo "you must fill RELAY_TLS_CA with the path to the CA file in the container" >&2
-	exit 1
+    exit 1
   fi
   postconf -e "smtp_tls_CAfile = $RELAY_TLS_CA"
   postconf -e "smtp_tls_security_level = $RELAY_TLS_VERIFY"
   postconf -e 'smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache'
   postconf -e "smtp_use_tls = $RELAY_USE_TLS"
 fi
 
-postconf -e "smtpd_sender_restrictions = check_sender_access inline:{$RELAY_MYDOMAIN=OK}, reject"
+# Restrict sender adresses to only theses of the relay domain
+if [ "$RELAY_STRICT_SENDER_MYDOMAIN" = 'true' ]; then
+  postconf -e "smtpd_sender_restrictions = check_sender_access inline:{$RELAY_MYDOMAIN=OK}, reject"
+fi
 
 # Fill the sasl user database with seed
 if [ -f /etc/postfix/client_sasl_passwd ]; then