mailrelay
Minimal Postfix-based SMTP relay with TLS/SASL and docker-friendly logging.
10K+
This project provides a minimal, modern, and debuggable Postfix-based SMTP relay packaged as a Docker container. It is designed to act as a reliable infrastructure component, relaying mail from internal systems to an upstream SMTP server with TLS and SASL authentication.
The image focuses on:
docker logsIn addition, it includes built-in alerting for delivery and identity failures, with optional integration into Zammad as tickets instead of sending alert emails.
docker logsversion: "3.9"
services:
mailrelay:
build: .
container_name: mailrelay
restart: unless-stopped
ports:
- "25:25" # expose only on trusted/internal networks
environment:
HOSTNAME_FQDN: "mailrelay.example.local"
# Fixed sender handling
DEFAULT_FROM: "[email protected]"
FORCE_DEFAULT_FROM: "1"
# Relay target
RELAY_HOST: "smtp.example.local"
RELAY_PORT: "587"
RELAY_TLS: "required"
# Allowed client networks
MYNETWORKS: "127.0.0.0/8,10.0.0.0/8,192.168.0.0/16"
# SASL authentication
RELAY_SASL_USER: "[email protected]"
RELAY_SASL_PASS_FILE: "/run/secrets/relay_sasl_pass"
# Alerting
ALERT_ENABLED: "1"
ALERT_MATCH: "invalid_user,sendas_denied,postfix_bounced,postfix_deferred"
# Zammad integration
ALERT_ZAMMAD_ENABLED: "1"
ZAMMAD_BASE_URL: "https://zammad.example.com"
ZAMMAD_TOKEN_FILE: "/run/secrets/zammad_token"
ZAMMAD_GROUP: "Support"
ZAMMAD_STATE: "new"
ZAMMAD_PRIORITY_ID: "2" # 1=low, 2=normal, 3=high
ZAMMAD_CUSTOMER_EMAIL: "[email protected]"
ZAMMAD_TAGS: "mailrelay,postfix,alert"
# Debugging
DEBUG: "1"
secrets:
- relay_sasl_pass
- zammad_token
volumes:
- postfix_spool:/var/spool/postfix
- postfix_state:/var/lib/postfix
- /etc/ssl/certs:/etc/ssl/certs:ro
secrets:
relay_sasl_pass:
file: ./secrets/relay_sasl_pass.txt
zammad_token:
file: ./secrets/zammad_token.txt
volumes:
postfix_spool:
postfix_state:
relay_sasl_pass.txtThe secret file must contain only the password (no username):
super-secret-password
The username is configured via RELAY_SASL_USER.
zammad_token.txtContains a Zammad API token with permission to create tickets:
zammad-api-token-here
Many SMTP relays reject mails if the sender does not match the authenticated user.
This image enforces a safe default:
DEFAULT_FROM is set โ local senders are rewritten to this addressRELAY_SASL_USERThis avoids errors like:
553 5.7.1 Sender address rejected: not owned by user
Sender rewriting is applied only to local / infrastructure senders (e.g. root, daemon, host-based senders).
The container continuously monitors Postfix logs and triggers alerts on actionable failures, including:
invalid_user โ upstream mailbox or identity does not existsendas_denied โ sender not permitted to send as this addresspostfix_bounced โ delivery permanently failedpostfix_deferred โ delivery temporarily failedAlert detection is regex-based and operates directly on the Postfix log stream.
Alerts are throttled to avoid flooding during repeated failures.
Each alert creates an internal Zammad ticket containing:
postfix_bounced, ErrorInvalidUser)This makes the relay suitable for production use without silent mail loss.
swaksdocker exec -it mailrelay swaks \
--to [email protected] \
--from [email protected] \
--server 127.0.0.1 \
--port 25 \
--header "Subject: Relay test" \
--data "Hello from mailrelay"
sendmaildocker exec -i mailrelay sendmail [email protected] <<EOF
From: [email protected]
To: [email protected]
Subject: Relay test
Hello from mailrelay
EOF
โ ๏ธ Do not use sendmail -v unless you want delivery status notifications sent back to you.
All Postfix logs are written to a file and streamed to stdout:
docker logs -f mailrelay
This makes it possible to audit delivery and alerting via Docker logs alone.
MYNETWORKSMichael Kleger OneSystems GmbH https://www.onesystems.chโ [email protected]โ
MIT License โ free for commercial and private use.
Content type
Image
Digest
sha256:5a6858bfaโฆ
Size
51.7 MB
Last updated
6 months ago
docker pull onesystems/mailrelay