through docker, restrictive smarthosts or restrictive facing MXes

introduction

making outgoing email work can be tricky in a docker container, so here's the full checklist; it also works for a normal system (as the French saying goes, "qui peut le plus peut le moins": whoever can do the greater can do the lesser)

in brief

  • make sure the required packages are installed
  • make sure either the smarthost or some distant MX you are willing to reach does resolve
  • make sure you can also access its tcp port with netcat, telnet or nmap
  • make sure system's hostname is an FQDN so you don't have to tweak postfix myhostname
  • make sure it is able to resolve itself! if needed, fix docker run -h or use --add-host for a container
  • now either make sure the system's hostname is a public FQDN, or set myorigin = $mydomain
  • if needed, also map MAIL FROM and the From: header from root to some real email address (sender_canonical_maps in Postfix) so you receive the delivery returns (it helps even when it is the same address as the root alias, as bounces get through more easily); if so, then also fix the name field in /etc/passwd so you can tell where those mails come from
  • if needed, set up postfix relayhost when using a smarthost
  • set up mail aliases and apply them
  • on Ubuntu systems, copy /etc/hosts, resolv.conf and services to Postfix's chroot (/var/spool/postfix/etc/)
  • check that outgoing email is working from the system
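The checks in this list, as a script. This is an added example, not code from the original page: the relay name smtp.example.net, the function names and the PREFLIGHT_RELAY variable are assumptions, and host(1), getent(1), nc(1) and cmp(1) must be installed (the bind-utils/dnsutils and netcat packages from the next section).

```shell
#!/bin/sh
# Added example (not from the original page): preflight checks for the
# checklist above. Relay name, function names and PREFLIGHT_RELAY are
# assumptions.

# is_fqdn NAME: true when NAME looks like a fully qualified host name
# (at least one dot, no empty label, only letters, digits and hyphens).
is_fqdn() {
    case "$1" in
        ''|.*|*.|*..*) return 1 ;;        # empty, leading/trailing dot, empty label
        *[!A-Za-z0-9.-]*) return 1 ;;     # illegal character such as "_"
        *.*) return 0 ;;                  # has a dot: qualified
        *) return 1 ;;                    # bare short name such as "wordpress"
    esac
}

# relay_target SPEC: split a Postfix relayhost value into "host port mx|nomx".
# [host] means "do not look up MX records"; a trailing :port overrides 25.
relay_target() {
    spec=$1 port=25 lookup=mx
    case "$spec" in
        \[*\]*)
            host=${spec#\[}; host=${host%%\]*}; lookup=nomx
            rest=${spec#*\]}; [ -n "$rest" ] && port=${rest#:} ;;
        *:*)
            host=${spec%%:*}; port=${spec##*:} ;;
        *)
            host=$spec ;;
    esac
    printf '%s %s %s\n' "$host" "$port" "$lookup"
}

# chroot_stale ETC CHROOT_ETC: list the files the chrooted Postfix daemons need
# that are missing from the chroot copy or differ from the system copy.
chroot_stale() {
    for f in hosts resolv.conf services; do
        if [ ! -f "$2/$f" ] || ! cmp -s "$1/$f" "$2/$f"; then printf '%s\n' "$f"; fi
    done
}

# preflight RELAYHOST: the checks that need the network; returns 1 when any
# of them fails, so it can gate a deployment script.
preflight() {
    me=$(hostname) rc=0
    set -- $(relay_target "$1")
    rhost=$1 rport=$2 lookup=$3

    if is_fqdn "$me"; then echo "ok   hostname $me is an FQDN"
    else echo "FAIL hostname '$me' is not an FQDN: fix it, or set myhostname in main.cf"; rc=1; fi

    # host(1) asks DNS only; getent goes through NSS (/etc/hosts included), which
    # a docker -h / --add-host entry satisfies but a remote MX never sees.
    if host "$me" >/dev/null 2>&1; then echo "ok   $me resolves in DNS"
    elif getent hosts "$me" >/dev/null 2>&1; then echo "warn $me resolves via /etc/hosts only: set myorigin = \$mydomain"
    else echo "FAIL $me does not resolve at all: docker run -h / --add-host"; rc=1; fi

    if host "$rhost" >/dev/null 2>&1 || getent hosts "$rhost" >/dev/null 2>&1; then
        echo "ok   relay $rhost resolves ($lookup lookup)"
    else echo "FAIL relay $rhost does not resolve"; rc=1; fi

    if nc -z -w 5 "$rhost" "$rport" >/dev/null 2>&1; then echo "ok   $rhost:$rport reachable"
    else echo "FAIL $rhost:$rport unreachable (firewall, or wrong port?)"; rc=1; fi

    for f in $(chroot_stale /etc /var/spool/postfix/etc); do
        echo "warn /var/spool/postfix/etc/$f missing or stale (Ubuntu chroot)"
    done
    return $rc
}

# Network checks run only when asked:
#   PREFLIGHT_RELAY='[smtp.example.net]:587' sh preflight.sh
if [ -n "${PREFLIGHT_RELAY:-}" ]; then preflight "$PREFLIGHT_RELAY"; fi
```

The pure helpers (is_fqdn, relay_target, chroot_stale) take their input as arguments and can be tried against any value; preflight is the only part that touches the network and the live chroot.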

requirements

on a RHEL/CentOS system, make sure those are installed,

    yum -y install postfix mailx rsyslog bind-utils nmap netcat telnet
    cp -pi /etc/postfix/main.cf /etc/postfix/main.cf.dist

on an Ubuntu system, make sure those are installed,

    apt -y install postfix bsd-mailx rsyslog dnsutils nmap netcat telnet alpine
#pmailq

then,

    systemctl restart rsyslog
    systemctl enable rsyslog
    #in a container, if you really want syslog inside it, start the daemon by hand:
    #rsyslogd

    mv /etc/postfix/main.cf /etc/postfix/main.cf.dist
    sed '/^[[:space:]]*$/d; /^[[:space:]]*#/d' /etc/postfix/main.cf.dist > /etc/postfix/main.cf
    #the package's own reference copy is /usr/share/postfix/main.cf.dist

    postconf compatibility_level=2
    systemctl restart postfix
    systemctl enable postfix
    #container: postfix start / postfix reload

For the record, the default main.cf on Ubuntu artful (17.10) with comments and blank lines stripped looks like this (wordpress in mydestination was the container's short hostname at the time; FQDN-HERE is a placeholder),

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
append_dot_mydomain = no
readme_directory = no
compatibility_level = 2
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = FQDN-HERE
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = $myhostname, wordpress, localhost.localdomain, , localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all

optionally change,

smtpd_banner = $myhostname ESMTP
myhostname = FQDN-HERE

Also, if this is just a smarthost setup where mail is only submitted locally (sendmail(1), mailx, cron), there is no need to listen on port 25: comment out the smtp entry in /etc/postfix/master.cf and reload. Local submissions still go through the pickup service, so nothing breaks; the difference is that nothing on the network can talk to smtpd, which matters in a container where the default above (inet_interfaces = all) listens on every interface,

    #smtp      inet  n       -       y       -       -       smtpd

If you would rather keep the listener for local clients only, inet_interfaces = loopback-only in main.cf does that. The submission service (port 587) is commented out in master.cf by default.

public FQDN

check that your hostname is already an FQDN (either fix it on the system, or set postfix myhostname instead),

    hostname

or, in main.cf (mydomain defaults to myhostname minus its first label, so it only needs setting when that guess is wrong),

    myhostname = host.example.net
    mydomain = example.net
    # myorigin is $myhostname by default; switch it to $mydomain, see below
    myorigin = $myhostname

does it resolve itself through DNS?

    host `hostname`

    #/etc/hosts will not help here: host(1) queries DNS only, and more to the point
    #the remote MX or smarthost may check your HELO name and sender domain against
    #public DNS, which never sees your hosts file
    #cat /etc/hosts

note. don't edit the hosts file in a docker container, as Docker generates it; use docker run -h or --add-host instead

does that FQDN exist in public DNS? If not, you need to fix myorigin so that the envelope sender domain is one that does exist (assuming the domain itself does),

vi /etc/postfix/main.cf

myorigin = $mydomain

postfix reload
#systemctl restart postfix

postfix chroot

if running Ubuntu, you might want to allow Postfix to resolve hosts and services from its chroot land,

cp -pf /etc/hosts /etc/services /etc/resolv.conf /var/spool/postfix/etc/
cat /var/spool/postfix/etc/{hosts,resolv.conf}

(optional) in case you get warnings about name resolution from the chrooted smtp client, the NSS modules also need to be inside the chroot (the path below is for amd64; adjust it for your architecture),

    mkdir -p /var/spool/postfix/lib/x86_64-linux-gnu/
    cd /var/spool/postfix/lib/x86_64-linux-gnu/
    cp -vl /lib/x86_64-linux-gnu/libnss_* ./
    ls -alhF

-l makes hard links, which fails with "Invalid cross-device link" when /var/spool lives on a different filesystem than /lib; drop the -l and copy in that case. Either way these are copies, not links to the live files, so redo them after a libc upgrade.

using a relay

make sure it resolves,

    host SMARTHOST

or hardcode the name resolution into /etc/hosts (note that Postfix's SMTP client only consults /etc/hosts when smtp_host_lookup includes native; the default is dns only).

check that you can reach the smtp relay,

    nmap -p 25,465,587 SMARTHOST
    nc -v -z SMARTHOST 25 465 587

finally tweak Postfix,

vi /etc/postfix/main.cf

relayhost = SMARTHOST

postfix reload
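A main.cf fragment for this relay step, added here as an example and not part of the original page. A bare relayhost = SMARTHOST as above makes Postfix look up MX records for the name, connect to port 25, and, unless smtp_tls_security_level is set (it is not in the listing above), hand the mail over in cleartext. The relay name, port and CA bundle path below are assumptions (the path is Ubuntu's; RHEL/CentOS ships /etc/pki/tls/certs/ca-bundle.crt).

```ini
# /etc/postfix/main.cf fragment (added example; smtp.example.net, 587 and
# the CA bundle path are assumptions)

# Brackets tell the SMTP client not to look up MX records for the name and
# to connect to its A/AAAA address directly; ":587" overrides the default
# port 25 (a service name from /etc/services such as "submission" also works).
relayhost = [smtp.example.net]:587

# The SMTP client resolves the relay with DNS only by default, so an entry in
# /etc/hosts is ignored unless "native" (the NSS resolver) is added here.
smtp_host_lookup = dns, native

# "verify" demands TLS and checks the server certificate against the
# relayhost name above; without a security level the session is cleartext.
smtp_tls_security_level = verify
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_loglevel = 1

# A relay that wants a login additionally needs smtp_sasl_auth_enable and
# smtp_sasl_password_maps, which this page does not cover.
```

After a postfix reload, the smtp_tls_loglevel line makes each delivery log which TLS version and cipher were negotiated, which is the quickest way to confirm the relay is not being reached in the clear.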

aliases

configure the root mail alias so that crontab and upgrade notifications reach you,

    cd /etc/
    cp -pi aliases aliases.dist
    vi aliases

    postmaster:     root
    root:           user@example.com
    wheeleduser:    root
    appuser:        root
    cronuser:       root

    newaliases
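A way to check what those aliases expand to before waiting for mail to come through them. This is an added example, not from the original page; the alias file written by sample_aliases is constructed for it and mirrors the entries above plus a multi-recipient alias and a deliberate loop.

```shell
#!/bin/sh
# Added example (not from the original page): follow /etc/aliases chains
# so you know where cron and upgrade mail really lands.

# lookup_alias FILE NAME: the right-hand side of "NAME: ..." or nothing.
# Exact match on "NAME:" at line start, so "root" never matches "rootbeer:".
lookup_alias() {
    awk -v n="$2" 'index($0, n ":") == 1 {
        s = substr($0, length(n) + 2); sub(/^[ \t]*/, "", s); print s; exit }' "$1"
}

# expand_alias FILE NAME [DEPTH]: print one final destination per line.
# Names with no alias entry are local mailboxes, full addresses, or
# /path, |command and :include: targets, and are printed as they are;
# more than 20 hops is reported as LOOP:<name> instead of recursing forever.
expand_alias() {
    if [ "${3:-0}" -gt 20 ]; then printf 'LOOP:%s\n' "$2"; return 0; fi
    targets=$(lookup_alias "$1" "$2")
    if [ -z "$targets" ]; then printf '%s\n' "$2"; return 0; fi
    # comma-separated right-hand sides expand each recipient in turn
    printf '%s\n' "$targets" | tr ',' '\n' | while read -r t; do
        t=$(printf '%s' "$t" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -n "$t" ] && expand_alias "$1" "$t" $((${3:-0} + 1))
    done
}

# sample_aliases: write a constructed /etc/aliases to a temp file, print its path.
sample_aliases() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed aliases file for this example
postmaster:     root
root:           user@example.com
wheeleduser:    root
appuser:        root
cronuser:       root
admins:         root, ops@example.com
ping:           pong
pong:           ping
EOF
    printf '%s\n' "$f"
}

# Usage on a real system: expand_alias /etc/aliases cronuser
```

On the real system, postalias -q root hash:/etc/aliases queries the compiled database for a single hop, which also proves that newaliases actually ran after the edit.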

ready to go

watch the logs while you proceed,

    #centos,
    tail -20 /var/log/maillog &
    #ubuntu,
    tail -20 /var/log/mail.log &

now check that you receive mail from that host,

date | mailx -s test_from_`hostname` root
mailq
#postfix flush
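The same final check as a script that reads the verdict back from the Postfix log rather than leaving you to eyeball tail(1). This is an added example, not from the original page: the queue ids, hosts and addresses in sample_log are constructed (the bounced one shows what a "Sender address rejected: Domain not found" reply from a remote MX looks like, i.e. the myorigin problem from above), and send_test assumes the Ubuntu log path unless given another.

```shell
#!/bin/sh
# Added example (not from the original page): send the test mail and read
# the outcome from the Postfix log. sample_log content is constructed.

# queue_ids LOG: every queue id that reached a delivery agent (has a status=).
queue_ids() {
    sed -n 's/.*postfix\/[a-z]*\[[0-9]*\]: \([0-9A-Za-z]\{10,\}\): .*status=.*/\1/p' "$1" | sort -u
}

# delivery_status LOG QID: last recorded status (sent, deferred, bounced, ...).
delivery_status() {
    sed -n "s/.*postfix\/[a-z]*\[[0-9]*\]: $2: .*status=\([a-z]*\).*/\1/p" "$1" | tail -n 1
}

# delivery_reason LOG QID: the text in parentheses after the status, i.e.
# the remote server's reply or the local error.
delivery_reason() {
    sed -n "s/.*postfix\/[a-z]*\[[0-9]*\]: $2: .*status=[a-z]* (\(.*\))$/\1/p" "$1" | tail -n 1
}

# report LOG: one line per queue id: id, status, reason.
report() {
    for id in $(queue_ids "$1"); do
        printf '%s %s: %s\n' "$id" "$(delivery_status "$1" "$id")" "$(delivery_reason "$1" "$id")"
    done
}

# send_test [RECIPIENT] [LOG]: send the page's test message, wait for the queue
# to drain (deferred mail never drains, so give up after ~30 s) and report what
# the log says about everything submitted since.
send_test() {
    rcpt=${1:-root} log=${2:-/var/log/mail.log}
    before=$(wc -l < "$log" | tr -d ' ')
    date | mailx -s "test_from_$(hostname)" "$rcpt"
    for _ in 1 2 3 4 5 6 7 8 9 10; do
        mailq | grep -q '^Mail queue is empty' && break
        sleep 3
    done
    tmp=$(mktemp); tail -n +"$((before + 1))" "$log" > "$tmp"
    report "$tmp"; rm -f "$tmp"
}

# sample_log: constructed log lines (one sent, one deferred, one bounced
# message) written to a temp file; prints its path.
sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Jan  5 10:00:01 host postfix/pickup[123]: 4A1B2C3D4E: uid=0 from=<root>
Jan  5 10:00:01 host postfix/qmgr[125]: 4A1B2C3D4E: from=<root@host.example.net>, size=312, nrcpt=1 (queue active)
Jan  5 10:00:02 host postfix/smtp[126]: 4A1B2C3D4E: to=<user@example.com>, relay=smtp.example.net[192.0.2.10]:587, delay=0.5, delays=0.1/0/0.2/0.2, dsn=2.0.0, status=sent (250 2.0.0 OK: queued as 1234)
Jan  5 10:00:02 host postfix/qmgr[125]: 4A1B2C3D4E: removed
Jan  5 10:01:00 host postfix/smtp[127]: 5B2C3D4E5F: to=<user@example.com>, relay=none, delay=30, delays=30/0/0/0, dsn=4.4.1, status=deferred (connect to smtp.example.net[192.0.2.10]:587: Connection timed out)
Jan  5 10:02:00 host postfix/smtp[128]: 6C3D4E5F6A: to=<user@example.com>, relay=mx.example.com[198.51.100.7]:25, delay=1.2, delays=0.1/0/0.5/0.6, dsn=5.7.1, status=bounced (host mx.example.com[198.51.100.7] said: 550 5.7.1 <root@wordpress>: Sender address rejected: Domain not found (in reply to RCPT TO command))
EOF
    printf '%s\n' "$f"
}

# Usage on a real system: send_test root /var/log/mail.log   (or /var/log/maillog on CentOS)
```

A deferred status with "relay=none" means the relay or MX could not even be reached (resolution or firewall, see the preflight checks), whereas a bounced 550 on RCPT TO is the remote side talking and tells you exactly which part of the envelope it disliked.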