From af1f46641b4e981eaa8d428535ab3491d0ad34c9 Mon Sep 17 00:00:00 2001 From: dabde <34655672+dabde@users.noreply.github.com> Date: Fri, 19 Jun 2020 23:52:21 +0200 Subject: [PATCH] Add function to load secret/password from file for security (#25) New feature: Load SMTP password from file to avoid using env variables. --- .env.example | 5 ++++- README.md | 6 +++++- run.sh | 3 +++ 3 files changed, 12 insertions(+), 2 deletions(-) diff --git a/.env.example b/.env.example index 29e0e8a..a711c0a 100644 --- a/.env.example +++ b/.env.example @@ -8,7 +8,7 @@ # Mandatory: Username to authenticate with. #SMTP_USERNAME= -# Mandatory: Password of the SMTP user. +# Mandatory: Password of the SMTP user. (Not needed if SMTP_PASSWORD_FILE is used) #SMTP_PASSWORD= # Mandatory: Server hostname for the Postfix container. Emails will appear to come from the hostname's domain. @@ -19,3 +19,6 @@ # Optional: This will add a header for tracking messages upstream. Helpful for spam filters. Will appear as "RelayTag: ${SMTP_HEADER_TAG}" in the email headers. #SMTP_NETWORKS= + +# Optional: Set this to a mounted file containing the password, to avoid passwords in env variables. +#SMTP_PASSWORD_FILE= \ No newline at end of file diff --git a/README.md b/README.md index f7f5e0a..a659683 100644 --- a/README.md +++ b/README.md @@ -41,7 +41,7 @@ The following env variables need to be passed to the container: * `SMTP_SERVER` Server address of the SMTP server to use. * `SMTP_PORT` (Optional, Default value: 587) Port address of the SMTP server to use. * `SMTP_USERNAME` Username to authenticate with. -* `SMTP_PASSWORD` Password of the SMTP user. +* `SMTP_PASSWORD` Password of the SMTP user. If `SMTP_PASSWORD_FILE` is set, not needed. * `SERVER_HOSTNAME` Server hostname for the Postfix container. Emails will appear to come from the hostname's domain. The following env variable(s) are optional. 
@@ -50,6 +50,10 @@ The following env variable(s) are optional. * `SMTP_NETWORKS` Setting this will allow you to add additional, comma seperated, subnets to use the relay. Used like -e SMTP_NETWORKS='xxx.xxx.xxx.xxx/xx,xxx.xxx.xxx.xxx/xx' +* `SMTP_PASSWORD_FILE` Setting this to a mounted file containing the password, to avoid passwords in env variables. Used like + -e SMTP_PASSWORD_FILE=/secrets/smtp_password + -v $(pwd)/secrets/:/secrets/ + To use this container from anywhere, the 25 port or the one specified by `SMTP_PORT` needs to be exposed to the docker host server: docker run -d --name postfix -p "25:25" \ diff --git a/run.sh b/run.sh index 7d0c544..d12a16e 100644 --- a/run.sh +++ b/run.sh @@ -13,6 +13,9 @@ function add_config_value() { postconf -e "${key} = ${value}" } +# Read password from file to avoid unsecure env variables +if [ -n "${SMTP_PASSWORD_FILE}" ]; then [ -f "${SMTP_PASSWORD_FILE}" ] && read SMTP_PASSWORD < ${SMTP_PASSWORD_FILE} || echo "SMTP_PASSWORD_FILE defined, but file not existing, skipping."; fi + [ -z "${SMTP_SERVER}" ] && echo "SMTP_SERVER is not set" && exit 1 [ -z "${SMTP_USERNAME}" ] && echo "SMTP_USERNAME is not set" && exit 1 [ -z "${SMTP_PASSWORD}" ] && echo "SMTP_PASSWORD is not set" && exit 1
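Review bot: The new `read SMTP_PASSWORD < ${SMTP_PASSWORD_FILE}` line in run.sh mangles or misreports real secret files: without `-r` a backslash in the password is interpreted, the default IFS strips leading and trailing whitespace, the unquoted redirect target fails on paths with spaces, and because `read` returns 1 when the file has no trailing newline (common for mounted secrets) the `[ -f … ] && read … || echo …` chain prints "file not existing, skipping." even though the password was assigned. Splitting the one-liner into an explicit if/else and tolerating the missing-newline status fixes all four while keeping the existing message byte-identical and leaving the later `SMTP_PASSWORD is not set` check as the guard for an empty file. I would also spell the comment `# Read password from file to avoid insecure env variables`.
```shell
# Read password from file to avoid insecure env variables
if [ -n "${SMTP_PASSWORD_FILE}" ]; then
  if [ -f "${SMTP_PASSWORD_FILE}" ]; then
    # read exits 1 on a file without a trailing newline but still assigns the value
    IFS= read -r SMTP_PASSWORD < "${SMTP_PASSWORD_FILE}" || true
  else
    echo "SMTP_PASSWORD_FILE defined, but file not existing, skipping."
  fi
fi
# … unchanged: SMTP_SERVER / SMTP_USERNAME / SMTP_PASSWORD checks …
```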