finn/pmb-pf
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add function to load secret/password from file for security (#25)

Browse Source 
New feature: Load SMTP password from file to avoid using env variables.
This commit is contained in:
dabde
2020-06-19 23:52:21 +02:00
committed by Juan Luis Baptiste
parent 1e0e3be0b6
commit 39ac3ab672
3 changed files with 12 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
.env.example
View File

@@ -8,7 +8,7 @@
# Mandatory: Username to authenticate with. # Mandatory: Username to authenticate with.
#SMTP_USERNAME= #SMTP_USERNAME=
# Mandatory: Password of the SMTP user. # Mandatory: Password of the SMTP user. (Not needed if SMTP_PASSWORD_FILE is used)
#SMTP_PASSWORD= #SMTP_PASSWORD=
# Mandatory: Server hostname for the Postfix container. Emails will appear to come from the hostname's domain. # Mandatory: Server hostname for the Postfix container. Emails will appear to come from the hostname's domain.
@@ -19,3 +19,6 @@
# Optional: This will add a header for tracking messages upstream. Helpful for spam filters. Will appear as "RelayTag: ${SMTP_HEADER_TAG}" in the email headers. # Optional: This will add a header for tracking messages upstream. Helpful for spam filters. Will appear as "RelayTag: ${SMTP_HEADER_TAG}" in the email headers.
#SMTP_NETWORKS= #SMTP_NETWORKS=
# Optional: Set this to a mounted file containing the password, to avoid passwords in env variables.
#SMTP_PASSWORD_FILE=

6
README.md
View File

@@ -41,7 +41,7 @@ The following env variables need to be passed to the container:
* `SMTP_SERVER` Server address of the SMTP server to use. * `SMTP_SERVER` Server address of the SMTP server to use.
* `SMTP_PORT` (Optional, Default value: 587) Port address of the SMTP server to use. * `SMTP_PORT` (Optional, Default value: 587) Port address of the SMTP server to use.
* `SMTP_USERNAME` Username to authenticate with. * `SMTP_USERNAME` Username to authenticate with.
* `SMTP_PASSWORD` Password of the SMTP user. * `SMTP_PASSWORD` Password of the SMTP user. If `SMTP_PASSWORD_FILE` is set, not needed.
* `SERVER_HOSTNAME` Server hostname for the Postfix container. Emails will appear to come from the hostname's domain. * `SERVER_HOSTNAME` Server hostname for the Postfix container. Emails will appear to come from the hostname's domain.
The following env variable(s) are optional. The following env variable(s) are optional.
@@ -50,6 +50,10 @@ The following env variable(s) are optional.
* `SMTP_NETWORKS` Setting this will allow you to add additional, comma seperated, subnets to use the relay. Used like * `SMTP_NETWORKS` Setting this will allow you to add additional, comma seperated, subnets to use the relay. Used like
-e SMTP_NETWORKS='xxx.xxx.xxx.xxx/xx,xxx.xxx.xxx.xxx/xx' -e SMTP_NETWORKS='xxx.xxx.xxx.xxx/xx,xxx.xxx.xxx.xxx/xx'
* `SMTP_PASSWORD_FILE` Setting this to a mounted file containing the password, to avoid passwords in env variables. Used like
-e SMTP_PASSWORD_FILE=/secrets/smtp_password
-v $(pwd)/secrets/:/secrets/
To use this container from anywhere, the 25 port or the one specified by `SMTP_PORT` needs to be exposed to the docker host server: To use this container from anywhere, the 25 port or the one specified by `SMTP_PORT` needs to be exposed to the docker host server:
docker run -d --name postfix -p "25:25" \ docker run -d --name postfix -p "25:25" \

3
run.sh
View File

@@ -13,6 +13,9 @@ function add_config_value() {
postconf -e "${key} = ${value}" postconf -e "${key} = ${value}"
} }
# Read password from file to avoid unsecure env variables
if [ -n "${SMTP_PASSWORD_FILE}" ]; then [ -f "${SMTP_PASSWORD_FILE}" ] && read SMTP_PASSWORD < ${SMTP_PASSWORD_FILE} || echo "SMTP_PASSWORD_FILE defined, but file not existing, skipping."; fi
[ -z "${SMTP_SERVER}" ] && echo "SMTP_SERVER is not set" && exit 1 [ -z "${SMTP_SERVER}" ] && echo "SMTP_SERVER is not set" && exit 1
[ -z "${SMTP_USERNAME}" ] && echo "SMTP_USERNAME is not set" && exit 1 [ -z "${SMTP_USERNAME}" ] && echo "SMTP_USERNAME is not set" && exit 1
[ -z "${SMTP_PASSWORD}" ] && echo "SMTP_PASSWORD is not set" && exit 1 [ -z "${SMTP_PASSWORD}" ] && echo "SMTP_PASSWORD is not set" && exit 1