From 582f537c9a2703df7946920de4ac42bba8ccc904 Mon Sep 17 00:00:00 2001
From: matfechner
Date: Fri, 20 Feb 2026 20:18:17 +0100
Subject: [PATCH] Add compliance-mailout container file
Signed-off-by: matfechner
---
compliance-mailout/Dockerfile | 32 ++++++++++++++++++++++++++++++++
compliance-mailout/entrypoint.sh | 2 ++
compliance-mailout/main.cf | 32 ++++++++++++++++++++++++++++++++
compliance-mailout/postfix.env | 2 ++
compliance-mailout/relay_map | 1 +
compliance-mailout/security | 1 +
6 files changed, 70 insertions(+)
create mode 100644 compliance-mailout/Dockerfile
create mode 100755 compliance-mailout/entrypoint.sh
create mode 100644 compliance-mailout/main.cf
create mode 100644 compliance-mailout/postfix.env
create mode 100644 compliance-mailout/relay_map
create mode 100644 compliance-mailout/security
diff --git a/compliance-mailout/Dockerfile b/compliance-mailout/Dockerfile
new file mode 100644
index 000000000..0836b3139
--- /dev/null
+++ b/compliance-mailout/Dockerfile
@@ -0,0 +1,32 @@
+FROM alpine:edge
+# install packages
+RUN apk update --no-cache \
+ && apk add --no-cache --update postfix bash openssl tini \
+ && apk add --no-cache --upgrade musl musl-utils \
+ && apk add dockerize --repository=http://dl-cdn.alpinelinux.org/alpine/edge/testing/ \
+ && (rm "/tmp/"* 2>/dev/null || true) && (rm -rf /var/cache/apk/* 2>/dev/null || true)
+
+RUN openssl genrsa -des3 -passout pass:x -out /etc/ssl/private/mailout.pass.key 4096 \
+ && openssl rsa -passin pass:x -in etc/ssl/private/mailout.pass.key \
+ -out /etc/ssl/private/mailout.key \
+ && openssl req -new -key /etc/ssl/private/mailout.key -out /etc/ssl/private/mailout.csr \
+ -subj "/C=DE/ST=Berlin/L=Berlin/O=OrgName/OU=Standards/CN=sovereigncloudstack.org" \
+ && openssl x509 -req -days 3650 -in /etc/ssl/private/mailout.csr -signkey /etc/ssl/private/mailout.key \
+ -out /etc/ssl/certs/mailout.crt \
+ && rm /etc/ssl/private/mailout.pass.key
+
+COPY main.cf /etc/postfix/main.cf.tmpl
+COPY relay_map /etc/postfix/relay_map
+COPY security /etc/postfix/security
+RUN postmap /etc/postfix/security
+RUN postmap /etc/postfix/relay_map
+COPY entrypoint.sh /
+RUN chmod +x /entrypoint.sh
+RUN rm /etc/postfix/security
+RUN rm /etc/postfix/relay_map
+
+EXPOSE 25
+STOPSIGNAL SIGKILL
+
+ENTRYPOINT ["/sbin/tini", "--"]
+CMD ["/entrypoint.sh"]
\ No newline at end of file
diff --git a/compliance-mailout/entrypoint.sh b/compliance-mailout/entrypoint.sh
new file mode 100755
index 000000000..e82e31ca7
--- /dev/null
+++ b/compliance-mailout/entrypoint.sh
@@ -0,0 +1,2 @@
+#!/usr/bin/env bash
+exec dockerize -template /etc/postfix/main.cf.tmpl:/etc/postfix/main.cf postfix start-fg
diff --git a/compliance-mailout/main.cf b/compliance-mailout/main.cf
new file mode 100644
index 000000000..19653089b
--- /dev/null
+++ b/compliance-mailout/main.cf
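Review bot: In compliance-mailout/Dockerfile the SASL credentials and the TLS private key end up stored in image layers. `COPY security /etc/postfix/security` is only undone by a later `RUN rm /etc/postfix/security`, so the plaintext file (compliance-mailout/security in this patch) stays readable in the earlier layer, and the table written by `postmap` from it remains in the final image. The `openssl genrsa` chain runs at build time, so every container started from this image uses the same key and anyone who can pull the image can read it; the `.csr` is left behind as well. I would take both steps out of the build and let `entrypoint.sh` run `postmap` on files mounted at start-up and use a key that is mounted or generated per deployment. Separately, `-in etc/ssl/private/mailout.pass.key` lacks its leading slash and only resolves while the working directory is `/`, and `FROM alpine:edge` together with the `http://` edge/testing repository leaves the build unpinned.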
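Review bot: In compliance-mailout/entrypoint.sh the template is rendered without checking that the variables it reads are set. main.cf uses `POSTFIX_MYHOSTNAME`, `POSTFIX_MYORIGIN` and `POSTFIX_SMTP_HELO_NAME`, while postfix.env in this patch defines only the first two, so `smtp_helo_name` would presumably be rendered empty or with a placeholder value. A guard before the `exec` makes the container fail early with a clear message, for example `: "${POSTFIX_SMTP_HELO_NAME:?must be set}"`, repeated for each of the three variables. A comment above the `exec` stating that dockerize writes /etc/postfix/main.cf from the template and then runs `postfix start-fg` in the foreground would also help the next reader.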
@@ -0,0 +1,32 @@
+alias_database = hash:/etc/aliases
+alias_maps = hash:/etc/aliases
+append_dot_mydomain = no
+biff = no
+compatibility_level = 2
+cyrus_sasl_config_path = /etc/postfix/sasl
+inet_interfaces = all
+inet_protocols = ipv4
+mailbox_size_limit = 0
+maillog_file = /dev/stdout
+mydestination = localhost.localdomain, localhost
+myhostname = {{ .Env.POSTFIX_MYHOSTNAME }}
+mynetworks = 127.0.0.0/8
+myorigin = {{ .Env.POSTFIX_MYORIGIN }}
+readme_directory = no
+recipient_delimiter = +
+relayhost =
+sender_dependent_relayhost_maps = hash:/etc/postfix/relayhost_map
+smtpd_banner = $myhostname ESMTP
+smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
+smtpd_sasl_authenticated_header = yes
+smtpd_tls_cert_file=/etc/ssl/certs/mailout.crt
+smtpd_tls_key_file=/etc/ssl/private/mailoout.key
+smtpd_tls_security_level=encrypt
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+smtp_helo_name = {{ .Env.POSTFIX_SMTP_HELO_NAME }}
+smtp_sasl_password_maps=hash:/etc/postfix/security
+smtp_sasl_security_options = noanonymous
+smtp_tls_note_starttls_offer = yes
+smtp_tls_security_level = encrypt
+smtp_tls_security_level=encrypt
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
\ No newline at end of file
diff --git a/compliance-mailout/postfix.env b/compliance-mailout/postfix.env
new file mode 100644
index 000000000..8adfdd673
--- /dev/null
+++ b/compliance-mailout/postfix.env
@@ -0,0 +1,2 @@
+POSTFIX_MYHOSTNAME=foo
+POSTFIX_MYORIGIN=foo.bar
diff --git a/compliance-mailout/relay_map b/compliance-mailout/relay_map
new file mode 100644
index 000000000..434a396eb
--- /dev/null
+++ b/compliance-mailout/relay_map
@@ -0,0 +1 @@
+@foo.bar [smtp.bar.foo]:587
diff --git a/compliance-mailout/security b/compliance-mailout/security
new file mode 100644
index 000000000..d1151928e
--- /dev/null
+++ b/compliance-mailout/security
@@ -0,0 +1 @@
+foo@bar.foo foo@bar.foo:mytotalsecuresecret
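Review bot: In compliance-mailout/main.cf two paths do not match what the Dockerfile creates, so the server-side TLS key and the relay map would not be found: `smtpd_tls_key_file` points at `mailoout.key` and `sender_dependent_relayhost_maps` at `relayhost_map`, while the build produces `/etc/ssl/private/mailout.key` and a table from `/etc/postfix/relay_map`. I would change them to `smtpd_tls_key_file=/etc/ssl/private/mailout.key` and `sender_dependent_relayhost_maps = hash:/etc/postfix/relay_map`. `smtp_sasl_password_maps` is set but `smtp_sasl_auth_enable = yes` is not, so the relay credentials would not be used; because the password map is keyed by sender address, `smtp_sender_dependent_authentication = yes` is probably needed as well. `smtp_tls_security_level` is set twice, and one of the two lines can go.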