feat: Enable Postfix Postscreen and configure Unbound DNS

cursoragent · jeboehm · cursoragent · commit c8758da83c5a · 2025-09-30T15:57:09.000Z
Co-authored-by: j.boehm &lt;j.boehm@ressourcenkonflikt.de&gt;
diff --git a/target/mta/Dockerfile b/target/mta/Dockerfile
@@ -67,6 +67,16 @@ RUN apk --no-cache add \
     postconf smtpd_soft_error_limit=3 && \
     postconf smtpd_hard_error_limit=5 && \
     newaliases && \
+    # enable postscreen on port 25 and supporting services
+    sed -i 's/^smtp\s\+inet\s\+n\s\+-\s\+y\s\+-\s\+-\s\+smtpd/smtp      inet  n       -       y       -       1       postscreen/' /etc/postfix/master.cf && \
+    printf '%s\n' \
+      'smtpd     pass  -       -       y       -       -       smtpd' \
+      'dnsblog   unix  -       -       y       -       0       dnsblog' \
+      'tlsproxy  unix  -       -       y       -       0       tlsproxy' \
+      >> /etc/postfix/master.cf && \
+    postconf postscreen_dnsbl_sites='bl.spamcop.net*2' && \
+    postconf postscreen_dnsbl_threshold=2 && \
+    postconf postscreen_dnsbl_action=enforce && \
     echo "submission inet n - n - - smtpd" >> /etc/postfix/master.cf && \
     echo " -o syslog_name=postfix/submission" >> /etc/postfix/master.cf && \
     echo " -o smtpd_tls_security_level=encrypt" >> /etc/postfix/master.cf && \
diff --git a/target/mta/rootfs/usr/local/bin/init.sh b/target/mta/rootfs/usr/local/bin/init.sh
@@ -39,3 +39,23 @@ dockerize \
 	-template /etc/postfix/mysql-recipient-access.cf.templ:/etc/postfix/mysql-recipient-access.cf \
 	-template /etc/postfix/mysql-email-submission.cf.templ:/etc/postfix/mysql-email-submission.cf \
 	/bin/true
+
+# Configure resolver for Postfix to use $UNBOUND_DNS_ADDRESS
+# Accept formats like "host:port" or "ip:port"; default port 53 if omitted
+if [ -n "${UNBOUND_DNS_ADDRESS}" ]; then
+	UNBOUND_DNS_HOST=$(echo "${UNBOUND_DNS_ADDRESS}" | cut -d: -f1)
+	UNBOUND_DNS_PORT=$(echo "${UNBOUND_DNS_ADDRESS}" | cut -s -d: -f2)
+	if [ -z "${UNBOUND_DNS_PORT}" ]; then
+		UNBOUND_DNS_PORT=53
+	fi
+
+	# Resolve hostname to IP if necessary
+	UNBOUND_DNS_IP=$(getent hosts "${UNBOUND_DNS_HOST}" | awk '{print $1}' | head -n1)
+	if [ -z "${UNBOUND_DNS_IP}" ]; then
+		UNBOUND_DNS_IP=${UNBOUND_DNS_HOST}
+	fi
+
+	mkdir -p /var/spool/postfix/etc
+	echo "nameserver ${UNBOUND_DNS_IP}" > /var/spool/postfix/etc/resolv.conf
+	# glibc resolv.conf does not support custom port; rely on Unbound standard port 53
+fi
