Getting a Docker installation to use host Postfix server


(Paul Apostolos) #1

We are using the Docker image deployment in a Ubuntu VM.

The Ubuntu host has Postfix installed and configured. Is it possible to point Discourse settings in app.yml to the host Postfix?

I tried using localhost as the SMTP host, but I am guessing that is wrong.

Also, do I need to ./launcher rebuild app each time I change a setting in app.yml? It kinda takes a long time.

(P.S. We would use SendGrid or Mandrill but we are using Mail List Mode and we will quickly run up a large bill)


(Lee_Ars) #2

I run my domain’s postfix instance on the same physical server as Discourse. I just use the mail server’s fqdn in app.yml, like this:

env:
...
  # don't forget to set mail
  DISCOURSE_SMTP_ADDRESS: mail.bigdinosaur.org
  DISCOURSE_SMTP_PORT: 587
  DISCOURSE_SMTP_USER_NAME: postasaurus@bigdinosaur.org
  DISCOURSE_SMTP_PASSWORD: <redacted>

If you don’t have internal DNS working correctly, you could also try just the server’s hostname (without domain), or even just the server’s IP address.

Note that because e-mails from Discourse appear to originate from the docker container’s virtual IP address, I had to add that address to the mynetworks line in /etc/postfix/main.cf in order for postfix to accept authentication attempts from it. Depending on your postfix configuration, this may or may not be necessary (but it wouldn’t hurt to do it just in case).


(Paul Apostolos) #3

I tried via IP address and got this error

OpenSSL::SSL::SSLError (hostname "172.17.42.1" does not match the server certificate):

I used the docker host address in ifconfig as the DISCOURSE_SMTP_ADDRESS

DISCOURSE_SMTP_PORT: 25


(Lee_Ars) #4

The error is telling you exactly what’s wrong—the Docker container is identifying itself as “172.17.42.1” and also presenting an SSL cert that doesn’t match that name, which makes sense because that’s not a name—but it’s not telling you why it’s wrong.

If you didn’t already, add “172.17.42.1/32” to the mynetworks= line in /etc/postfix/main.cf. This ought to cause Postfix to be a lot less strict about what it’ll accept from the Docker instance.


(Paul Apostolos) #5

I’m totally getting nowhere with this.

I’m pasting my postfix config…Now I am just getting ECONNREFUSED

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = THE.FULLY.QUALIFIED.HOSTNAME (I removed) for this purpose
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination =THE.FULLY.QUALIFIED.HOSTNAME (I removed) for this purpose, localhost
relayhost =
mynetworks = 172.17.42.1/32 172.17.0.2/8 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all

(Jens Maier) #6

First of all, do not run your own MTA until you have a firm understanding of SMTP and the software you’ve chosen.

Unfortunately, I have no experience with Postfix to tell at a glance if there’s anything wrong with your configuration that breaks Discourse, but something is definitely wrong about the mynetworks setting. In particular, 172.17.0.2/8 specifies that any IP address starting with 172. is treated as a trusted IP that is allowed to relay mails through your server, but only 172.16. through 172.31. (or 172.16.0.0/12 in CIDR notation) are reserved for internal use. In other words, a spammer who controls an IP in 172.100. may abuse your server as they see fit.

Apart from that, one possible solution would be to deliver emails via localhost without SSL: smtp_address = localhost, smtp_port = 25, smtp_enable_start_tls = false.
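
Added example (not part of the original thread or any participant's post): a Python check of the mynetworks value pasted in post #5, showing which entries cover more than private address space and whether a public 172.100.x.x client would match. The function names, the tighter 172.17.0.0/16 variant and the sample client 172.100.0.1 are assumptions for illustration; only CIDR entries are handled.

```python
import ipaddress

# Private and loopback space; anything outside it is publicly routable.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "::1/128", "fc00::/7", "::ffff:127.0.0.0/104")]

def parse_entries(value):
    """Yield (entry, interface) for each CIDR entry of a mynetworks value."""
    for entry in value.replace(",", " ").split():
        text = entry.replace("[", "").replace("]", "")  # Postfix brackets IPv6
        yield entry, ipaddress.ip_interface(text)

def audit_mynetworks(value):
    """Map each problematic entry to a list of findings."""
    findings = {}
    for entry, iface in parse_entries(value):
        net, problems = iface.network, []
        if iface.ip != net.network_address:
            problems.append(f"host bits set; the mask covers {net}")
        if not any(net.version == i.version and net.subnet_of(i) for i in INTERNAL):
            problems.append("covers publicly routable addresses")
        if problems:
            findings[entry] = problems
    return findings

def trusted_by(value, client_ip):
    """Return the first entry that contains client_ip, or None."""
    ip = ipaddress.ip_address(client_ip)
    for entry, iface in parse_entries(value):
        if ip.version == iface.version and ip in iface.network:
            return entry
    return None

# The mynetworks line from post #5, and a constructed tighter variant
POSTED = "172.17.42.1/32 172.17.0.2/8 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128"
TIGHTER = "172.17.0.0/16 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128"  # assumed bridge subnet

if __name__ == "__main__":
    for entry, problems in audit_mynetworks(POSTED).items():
        print(entry, "->", "; ".join(problems))
    # 172.100.0.1 stands in for the public "172.100." client from post #6
    print("POSTED matches 172.100.0.1 via:", trusted_by(POSTED, "172.100.0.1"))
    print("TIGHTER matches 172.100.0.1 via:", trusted_by(TIGHTER, "172.100.0.1"))
```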


(Paul Apostolos) #7

I actually got it working with Sendmail and I restricted the IP address range allowed appropriately.

The server is behind a firewall and no ports are open for outside hosts to connect to it.

Thanks for making me double check (it never hurts to give security another look)


(Paul Apostolos) #8

As I said I did get this working, but it’s just not worth it. A quick check of the math…

We have ~700 users. So, if there are 10 messages per day to the group (a bit high, but better to overestimate), that’s 7,000 messages per day or 210,000 per month. That is less than $40 per month with Mandrill.

It’s just not worth the time when Mandrill is so cheap and easy. Hopefully, the next person to think Postfix/Sendmail administration is a good idea will read this and come to a saner conclusion.


(Lee_Ars) #9

Well, it doesn’t have to be that difficult, but it’s certainly not as easy as leaning on Mandrill or another alternative :)

If you ever want to go back in and double-check your local setup, I just wrapped up writing a four-part series on self-hosting e-mail with Postfix & Dovecot on Ubuntu. It’s pretty exhaustive—there might be something in there that you missed.

On the other hand, if what you’ve got works, then maybe best to leave it alone!


(Jens Maier) #10

Nice writeup so far… are you going to do local delivery to system user Maildirs or will it use virtual users?


(Lee_Ars) #11

Oh, the whole thing is complete—here’s part 2, part 3, and part 4.

Went with virtual users and delivery via Dovecot.


(Fábio Machado De Oliveira) #12

Could you support using dockermail?


(Sam Saffron) #13

Already works, just fire off dovecot and plug in the values…

WARNING: Sending email without stuff bouncing is very hard. See: So You'd Like to Send Some Email (Through Code)


(Satish Gandham) #14

You have to point inet_interfaces to the docker bridge (docker0) in the Postfix config located at /etc/postfix/main.cf

inet_interfaces = <docker0_ip>

More internal working detail at