Supports SMTP DANE for outgoing emails #46
Conversation
Happy new year 🎉 - this PR looks great at my first sight 🤩 Here some thoughts (not yet tested) to keep it a little bit more simple:
Hey @chrisblech my best wishes to you too!
Those are great ideas!
I'm trying to have unbound log to stdout but fail to do so. However, it only supports logging to a file. If I configure unbound to log to Based on your comments, I'll revisit and see if I made some mistakes on my first try.
After digging into this topic a little deeper, I realized that "mvance/unbound" seems to be abandoned for two years now. Some research later, I got this setup working (without need to build a custom image, and logging to stdout):
@chrisblech thanks for investigating. This PR now replaces the private For some reason, the So I just referred to the one hosted in the Alpine image:
+ # root.hints enable unbound to perform recursive resolution
+ root-hints: "/usr/share/dns-root-hints/named.root"
Also, I had a warning upon startup that could not honor the requested socket buffer and instructed me to set
# Larger socket buffer. OS may need config.
# Ensure kernel buffer is large enough to not lose messages in traffic spikes
- #so-sndbuf: 4m
+ so-sndbuf: 0
Overall, this works quite nicely.
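Review bot: `so-sndbuf: 0` tells unbound to use the OS default send buffer, so it silences the startup warning rather than delivering the larger buffer the two comment lines above it still promise; either reword those comments to say the default is used on purpose, or keep `4m` and raise the kernel limit (`net.core.wmem_max`) on the host so the request can be honored.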
@springcomp great 🤩 this looks much more streamlined than before. I also saw the warning regarding socket buffer size, but decided to leave it unchanged. So it will warn on startup, and the decision stays in the responsibility of the upstream developer (unbound - to set good defaults) and the machine operator who knows their needs and resources, and can change this setting in unbound, or system-wide. As "crazymax" already loads the complete config file (with all its documentation, and quite useful defaults imho), I would suggest dropping the whole
Hint: after dropping
This PR adds support for Postfix to check SMTP DNS-based Authentication of Named Entities (DANE) when sending outgoing emails.
postfix/templates/30-icf-dane.tpl
For reliability, support for DANE in Postfix MUST take advantage of a DNSSEC validating name server under our control. This PR therefore also includes the mvance/unbound:1.22.0 running inside the docker-compose stack. For some reason, docker-compose does not support specifying the DNS server of a service by name.
services: dns: image: mvance/unbound:1.22.0 container_name: dns + networks: + internal: + ipv4_address: '10.0.0.99' volumes: - ./unbound/conf.d/:/opt/unbound/etc/unbound/:rw restart: unless-stopped postfix: image: private/postfix:latest … dns: - - 'dns' + - '10.0.0.99'
Unfortunately, there seems to be no way to set a static ip for a service using the default bridge network.
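Review bot: the static `ipv4_address: '10.0.0.99'` on the `dns` service is only accepted if the `internal` network is declared with an `ipam` subnet that contains that address, and that declaration is not part of this hunk; please show it (or add it) so reviewers can confirm the subnet. Also, since `postfix` now resolves only through `10.0.0.99`, it should carry `depends_on: - dns` so the resolver is up before Postfix starts issuing MX and TLSA lookups.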
Therefore, this PR changes the default network to a custom network named internal instead. This PR also assigns a specific network to all services where the default network was implicitly selected:
… migration: <<: *sl-defaults command: [ "alembic", "upgrade", "head" ] container_name: sl-migration + networks: + - internal depends_on: postgres: condition: service_healthy init: <<: *sl-defaults command: [ "python", "init_app.py" ] container_name: sl-init + networks: + - internal … app: <<: *sl-defaults container_name: sl-app networks: - traefik - - default + - internal … email: <<: *sl-defaults command: ["python", "email_handler.py"] container_name: sl-email + networks: + - internal … job-runner: <<: *sl-defaults command: ["python", "job_runner.py"] container_name: sl-job-runner + networks: + - internal …
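Review bot: `migration` and `init` move onto `internal` only, yet `migration` has `depends_on: postgres`, and the `postgres` service is not in this hunk; unless it is also attached to `internal` (or was never on `default`), the migration container will no longer be able to reach it once it leaves the default network. Worth confirming the same for every service `app`, `email` and `job-runner` talk to.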
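As an added example (not code from this PR or the project), a small POSIX shell check for the two resolver prerequisites the description relies on: that the resolver at 10.0.0.99 validates DNSSEC (sets the AD flag on the MX answer) and that the MX host publishes a TLSA record, without which Postfix cannot apply DANE. The dig outputs embedded below are constructed samples, and `example.org`, the resolver address and the presence of `dig` are assumptions.

```shell
#!/bin/sh
# Added example: verify that a resolver is usable for Postfix DANE.
# Assumes the resolver address 10.0.0.99 from the compose snippet and that dig is installed.
RESOLVER="${RESOLVER:-10.0.0.99}"

# ad_flag_set <dig output>: succeed only if the header flags line carries "ad",
# i.e. the resolver itself validated the answer (Postfix requires this for DANE).
ad_flag_set() {
    printf '%s\n' "$1" | grep -q '^;; flags:.* ad[ ;]'
}

# tlsa_count <dig output>: number of TLSA records in the answer (RRSIGs excluded).
tlsa_count() {
    printf '%s\n' "$1" | grep -c '[[:space:]]IN[[:space:]][[:space:]]*TLSA[[:space:]]' || true
}

# dane_ready <MX dig output> <TLSA dig output>: 0 when both answers are
# validated and at least one TLSA record exists, 1 otherwise.
dane_ready() {
    ad_flag_set "$1" && ad_flag_set "$2" && [ "$(tlsa_count "$2")" -gt 0 ]
}

# Live check for a recipient domain: look up its first MX, then _25._tcp.<mx>.
check_domain() {
    mx=$(dig @"$RESOLVER" +dnssec +short MX "$1" | awk 'NR==1{print $2}')
    mx_out=$(dig @"$RESOLVER" +dnssec MX "$1")
    tlsa_out=$(dig @"$RESOLVER" +dnssec TLSA "_25._tcp.$mx")
    if dane_ready "$mx_out" "$tlsa_out"; then
        echo "DANE usable for $1 via $mx"
    else
        echo "DANE NOT usable for $1: resolver not validating or no TLSA for $mx"
    fi
}

# Constructed sample dig output (not real captures); the TLSA hash is a placeholder.
MX_VALIDATED=';; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
example.org.            3600 IN MX    10 mail.example.org.
example.org.            3600 IN RRSIG MX 13 2 3600 ...'
TLSA_VALIDATED=';; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
_25._tcp.mail.example.org. 3600 IN TLSA  3 1 1 PLACEHOLDER_SPKI_SHA256
_25._tcp.mail.example.org. 3600 IN RRSIG TLSA 13 4 3600 ...'
TLSA_UNVALIDATED=';; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
_25._tcp.mail.example.org. 3600 IN TLSA  3 1 1 PLACEHOLDER_SPKI_SHA256'

if [ "$#" -gt 0 ]; then check_domain "$1"; fi
```

Run it as `sh dane_check.sh recipient-domain.example` from a container on the `internal` network; a missing AD flag means Postfix will silently fall back to opportunistic TLS instead of DANE.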