2026-01-18 03:51:53 +00:00
22 changed files with 267 additions and 342 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 *~
 \#*
 .#*
 .DS_Store
--- a/13
+++ b/13
@@ -1,6 +1,8 @@
-FROM eumau/debian:bookworm-slim
+FROM debian:trixie-slim
 LABEL maintainer "Mauro Torrez <mauro@mau.ro>"
 ARG DEBIAN_FRONTEND=noninteractive
 ARG TARGETARCH
 ARG GOMPLATE_VERSION=4.3.0
 ENV LC_ALL C
 ENV BIFF=no
@@ -73,6 +75,9 @@ RUN echo "_dev_null: /dev/null" > /etc/aliases \
 	ssl-cert \
 	ca-certificates \
 	bogofilter-sqlite \
 	curl \
  && curl -o /usr/local/bin/gomplate -sSL "https://github.com/hairyhenderson/gomplate/releases/download/v${GOMPLATE_VERSION}/gomplate_linux-${TARGETARCH}" \
  && chmod 755 /usr/local/bin/gomplate \
  && rm -rf /var/lib/apt/lists/* \
  && cp /usr/share/postfix/main.cf.debian /etc/postfix/main.cf \
  && mkdir -p /etc/postfix/rules \
@@ -110,10 +115,12 @@ RUN echo "_dev_null: /dev/null" > /etc/aliases \
     anvil/unix/chroot=n \
     scache/unix/chroot=n
-ADD confd /etc/confd/
+COPY --chmod=0755 entrypoint.sh /usr/local/bin/
-ADD postmap_all /usr/local/bin/
+COPY templates /etc/templates
 COPY postmap_all /usr/local/bin/
 VOLUME ["/ssl","/var/spool/postfix"]
 EXPOSE 25/tcp 587/tcp
 ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
 CMD ["postfix","start-fg"]
--- a/confd/conf.d/noreply.toml.disabled
+++ b/confd/conf.d/noreply.toml.disabled
@@ -1,7 +0,0 @@
 [template]
 src = "noreply.tmpl"
 dest = "/etc/postfix/noreply"
 keys = [
 "/noreply/aliases",
 "/virtual/mailbox/domains",
 ]
--- a/confd/conf.d/setup_main.toml
+++ b/confd/conf.d/setup_main.toml
@@ -1,35 +0,0 @@
 [template]
 src = "setup_main.tmpl"
 dest = "/start.d/99_main"
 mode = "0755"
 keys = [
 "/biff",
 "/message/size/limit",
 "/mydestination",
 "/mydomain",
 "/myhostname",
 "/mynetworks",
 "/mynetworks/style",
 "/propagate/unmatched/extensions",
 "/recipient/delimiter",
 "/smtp/tls/security/level",
 "/smtpd/client/restrictions",
 "/smtpd/data/restrictions",
 "/smtpd/helo/required",
 "/smtpd/helo/restrictions",
 "/smtpd/recipient/restrictions",
 "/smtpd/relay/restrictions",
 "/smtpd/sasl/auth/enable",
 "/smtpd/sasl/path",
 "/smtpd/sasl/type",
 "/smtpd/tls/auth/only",
 "/smtpd/tls/cert/file",
 "/smtpd/tls/key/file",
 "/smtpd/tls/security/level",
 "/smtpd/tls/session/cache/database",
 "/smtputf8/enable",
 "/virtual/alias/maps",
 "/virtual/mailbox/domains",
 "/virtual/mailbox/maps",
 "/virtual/transport",
 ]
--- a/confd/conf.d/setup_milter.toml
+++ b/confd/conf.d/setup_milter.toml
@@ -1,10 +0,0 @@
 [template]
 src = "setup_milter.tmpl"
 dest = "/start.d/10_milter"
 mode = "0755"
 keys = [
 "/internal/mail/filter/classes",
 "/milter/default/action",
 "/non/smtpd/milters",
 "/smtpd/milters",
 ]
--- a/confd/conf.d/setup_postscreen.toml
+++ b/confd/conf.d/setup_postscreen.toml
@@ -1,16 +0,0 @@
 [template]
 src = "setup_postscreen.tmpl"
 dest = "/start.d/89_postscreen"
 mode = "0755"
 keys = [
 "/bogofilter/enable",
 "/postscreen/access/list",
 "/postscreen/blacklist/action",
 "/postscreen/dnsbl/action",
 "/postscreen/dnsbl/reply/map",
 "/postscreen/dnsbl/sites",
 "/postscreen/dnsbl/threshold",
 "/postscreen/dnsbl/whitelist/threshold",
 "/postscreen/enable",
 "/postscreen/greet/action",
 ]
--- a/confd/conf.d/setup_relayhost.toml
+++ b/confd/conf.d/setup_relayhost.toml
@@ -1,16 +0,0 @@
 [template]
 src = "setup_relayhost.tmpl"
 dest = "/start.d/88_relayhost"
 mode = "0755"
 keys = [
 "/relayhost",
 "/smtp/fallback/relay",
 "/smtp/sasl/auth/enable",
 "/smtp/sasl/password/maps",
 "/smtp/sasl/security/options",
 "/smtp/tls/cafile",
 "/smtp/tls/mandatory/protocols",
 "/smtp/tls/note/starttls/offer",
 "/smtp/tls/security/level",
 "/smtp/tls/session/cache/database"
 ]
--- a/confd/conf.d/setup_submission.toml
+++ b/confd/conf.d/setup_submission.toml
@@ -1,7 +0,0 @@
 [template]
 src = "setup_submission.tmpl"
 dest = "/start.d/11_submission"
 mode = "0755"
 keys = [
 "/submission/enable",
 ]
--- a/confd/conf.d/spamfilter.toml
+++ b/confd/conf.d/spamfilter.toml
@@ -1,8 +0,0 @@
 [template]
 src = "spamfilter.tmpl"
 dest = "/usr/local/bin/spamfilter"
 mode = "0755"
 keys = [
 "/bogofilter/ham/cutoff",
 "/bogofilter/spam/cutoff",
 ]
--- a/confd/templates/noreply.tmpl
+++ b/confd/templates/noreply.tmpl
@@ -1,10 +0,0 @@
 # "no-reply" mail aliases.
 # DO NOT edit this file, it will be overwritten.
 # Instead, set the variable NOREPLY_ALIASES
 {{ range split (getv "/noreply/aliases") " " }}
 {{ if (strings.Contains . "@") }}
 {{.}} _dev_null
 {{ else }}
 {{.}}@{{ index (split (getv "/virtual/mailbox/domains") " ") 0 }} _dev_null
 {{ end }}
 {{ end }}
--- a/confd/templates/setup_main.tmpl
+++ b/confd/templates/setup_main.tmpl
@@ -1,77 +0,0 @@
 #!/bin/bash
 # Managing main.cf:
 #     postconf [-dfhHnopvx] [-c config_dir] [-C class,...] [parameter ...]
 #     postconf [-epv] [-c config_dir] parameter=value ...
 #     postconf -# [-pv] [-c config_dir] parameter ...
 #     postconf -X [-pv] [-c config_dir] parameter ...
 # Managing master.cf service entries:
 #     postconf -M [-fovx] [-c config_dir] [service[/type] ...]
 #     postconf -M [-ev] [-c config_dir] service/type=value ...
 #     postconf -M# [-v] [-c config_dir] service/type ...
 #     postconf -MX [-v] [-c config_dir] service/type ...
 # Managing master.cf service fields:
 #     postconf -F [-fhHovx] [-c config_dir] [service[/type[/field]] ...]
 #     postconf -F [-ev] [-c config_dir] service/type/field=value ...
 # Managing master.cf service parameters:
 #     postconf -P [-fhHovx] [-c config_dir] [service[/type[/parameter]] ...]
 #     postconf -P [-ev] [-c config_dir] service/type/parameter=value ...
 #     postconf -PX [-v] [-c config_dir] service/type/parameter ...
 # Managing bounce message templates:
 #     postconf -b [-v] [-c config_dir] [template_file]
 #     postconf -t [-v] [-c config_dir] [template_file]
 # Managing TLS features:
 #     postconf -T mode [-v] [-c config_dir]
 # Managing other configuration:
 #     postconf -a|-A|-l|-m [-v] [-c config_dir]
 postconf maillog_file=/dev/stdout
 postconf alias_maps=hash:/etc/aliases
 {{ with getv "/biff" }}postconf biff='{{.}}'{{ end }}
 {{ with getv "/message/size/limit" }}postconf message_size_limit='{{.}}'{{ end }}
 {{ with getv "/mydestination" }}postconf mydestination='{{.}}'{{ end }}
 {{ with getv "/mydomain" }}postconf mydomain='{{.}}'{{ end }}
 {{ with getv "/myhostname" }}postconf myhostname='{{.}}'{{ end }}
 {{ with getv "/mynetworks" }}postconf mynetworks='{{.}}'{{ end }}
 {{ with getv "/mynetworks/style" }}postconf mynetworks_style='{{.}}'{{ end }}
 {{ with getv "/propagate/unmatched/extensions" }}postconf propagate_unmatched_extensions='{{.}}'{{ end }}
 {{ with getv "/recipient/delimiter" }}postconf recipient_delimiter='{{.}}'{{ end }}
 {{ with getv "/smtp/tls/security/level" }}postconf smtp_tls_security_level='{{.}}'{{ end }}
 {{ with getv "/smtpd/client/restrictions" }}postconf smtpd_client_restrictions='{{.}}'{{ end }}
 {{ with getv "/smtpd/data/restrictions" }}postconf smtpd_data_restrictions='{{.}}'{{ end }}
 {{ with getv "/smtpd/helo/required" }}postconf smtpd_helo_required='{{.}}'{{ end }}
 {{ with getv "/smtpd/helo/restrictions" }}postconf smtpd_helo_restrictions='{{.}}'{{ end }}
 {{ with getv "/smtpd/recipient/restrictions" }}postconf smtpd_recipient_restrictions='{{.}}'{{ end }}
 {{ with getv "/smtpd/relay/restrictions" }}postconf smtpd_relay_restrictions='{{.}}'{{ end }}
 {{ with getv "/smtpd/sasl/auth/enable" }}postconf smtpd_sasl_auth_enable='{{.}}'{{ end }}
 {{ with getv "/smtpd/sasl/path" }}postconf smtpd_sasl_path='{{.}}'{{ end }}
 {{ with getv "/smtpd/sasl/type" }}postconf smtpd_sasl_type='{{.}}'{{ end }}
 {{ with getv "/smtpd/tls/auth/only" }}postconf smtpd_tls_auth_only='{{.}}'{{ end }}
 {{ with getv "/smtpd/tls/cert/file" }}postconf smtpd_tls_cert_file='{{.}}'{{ end }}
 {{ with getv "/smtpd/tls/key/file" }}postconf smtpd_tls_key_file='{{.}}'{{ end }}
 {{ with getv "/smtpd/tls/security/level" }}postconf smtpd_tls_security_level='{{.}}'{{ end }}
 {{ with getv "/smtpd/tls/session/cache/database" }}postconf smtpd_tls_session_cache_database='{{.}}'{{ end }}
 {{ with getv "/smtputf8/enable" }}postconf smtputf8_enable='{{.}}'{{ end }}
 {{ with getv "/virtual/alias/maps" }}postconf virtual_alias_maps='{{.}}'{{ end }}
 {{ with getv "/virtual/mailbox/domains" }}postconf virtual_mailbox_domains='{{.}}'{{ end }}
 {{ with getv "/virtual/mailbox/maps" }}postconf virtual_mailbox_maps='{{.}}'{{ end }}
 {{ with getv "/virtual/transport" }}postconf virtual_transport='{{.}}'{{ end }}
 postconf -M spamfilter/unix | grep -q spamfilter || {
    postconf -M spamfilter/unix="spamfilter unix - n n - - pipe"
 }
 postconf -F spamfilter/unix/private=- \
         spamfilter/unix/unprivileged=n \
         spamfilter/unix/chroot=n \
         spamfilter/unix/wakeup=- \
         spamfilter/unix/process_limit=- \
         spamfilter/unix/command='pipe flags=Rq user=vmail argv=/usr/local/bin/spamfilter -oi -f ${sender} ${recipient}'
 # run postmap for all lookup tables
 postmap_all
--- a/confd/templates/setup_milter.tmpl
+++ b/confd/templates/setup_milter.tmpl
@@ -1,6 +0,0 @@
 #!/bin/bash
 {{ with getv "/internal/mail/filter/classes" }}postconf internal_mail_filter_classes='{{.}}'{{ end }}
 {{ with getv "/milter/default/action" }}postconf milter_default_action='{{.}}'{{ end }}
 {{ with getv "/non/smtpd/milters" }}postconf non_smtpd_milters='{{.}}'{{ end }}
 {{ with getv "/smtpd/milters" }}postconf smtpd_milters='{{.}}'{{ end }}
--- a/confd/templates/setup_postscreen.tmpl
+++ b/confd/templates/setup_postscreen.tmpl
@@ -1,117 +0,0 @@
 #!/bin/bash
 #postconf -M smtpd/pass
 #postconf -Fh smtp/inet/private smtp/inet/unprivileged smtp/inet/chroot smtp/inet/wakeup smtp/inet/process_limit smtp/inet/command
 #postconf -M smtp/inet
 #postconf -M tlsproxy/unix
 #postconf -M dnsblog/unix
 #postconf -h postscreen_access_list
 #postconf -h postscreen_dnsbl_sites
 #postconf -h postscreen_dnsbl_reply_map
 #postconf -h postscreen_dnsbl_action
 #postconf -h postscreen_blacklist_action
 #postconf -h postscreen_dnsbl_whitelist_threshold
 #postconf -h postscreen_greet_action
 #postconf -h postscreen_greet_wait
 # NOT SUPPORTED:
 #postconf -h postscreen_bare_newline_enable
 #postconf -h postscreen_non_smtp_command_enable
 #postconf -h postscreen_pipelining_enable
 #postconf -h postscreen_bare_newline_action
 #postconf -h postscreen_dnsbl_threshold
 #postconf -h postscreen_non_smtp_command_action
 #postconf -h postscreen_pipelining_action
 {{ if eq (getv "/postscreen/enable") "yes"}}
 postconf -M smtpd/pass="smtpd pass - - n - - smtpd"
 postconf -F smtpd/pass/private=- \
 	 smtpd/pass/unprivileged=- \
 	 smtpd/pass/chroot=n \
         smtpd/pass/wakeup=- \
 	 smtpd/pass/process_limit=- \
 	 smtpd/pass/command="smtpd"
 postconf -F smtp/inet/private=n \
 	 smtp/inet/unprivileged=- \
 	 smtp/inet/chroot=n \
         smtp/inet/wakeup=- \
 	 smtp/inet/process_limit=1 \
 	 smtp/inet/command="postscreen"
 postconf -M tlsproxy/unix="tlsproxy unix - - n - 0 tlsproxy"
 postconf -F tlsproxy/unix/private=- \
 	 tlsproxy/unix/unprivileged=- \
 	 tlsproxy/unix/chroot=n \
         tlsproxy/unix/wakeup=- \
 	 tlsproxy/unix/process_limit=0 \
 	 tlsproxy/unix/command="tlsproxy"
 postconf -M dnsblog/unix="dnsblog unix - - n - 0 dnsblog"
 postconf -F dnsblog/unix/private=- \
 	 dnsblog/unix/unprivileged=- \
 	 dnsblog/unix/chroot=n \
         dnsblog/unix/wakeup=- \
 	 dnsblog/unix/process_limit=0 \
 	 dnsblog/unix/command="dnsblog"
 {{ if eq (getv "/bogofilter/enable") "yes" }}
 postconf -P smtpd/pass/content_filter=spamfilter
 {{ else }}
 postconf -X -P smtpd/pass/content_filter
 {{ end }}
 # FIXME: template tables instead of creating empty files
 touch /etc/postfix/rules/postscreen_access_list.cidr
 touch /etc/postfix/rules/postscreen_dnsbl_mask.pcre
 # main.cf options
 # FIXME: allow un-setting options by blanking variable values
 {{ with getv "/postscreen/access/list" }}postconf -e postscreen_access_list='{{.}}'{{ end }}
 {{ with getv "/postscreen/blacklist/action" }}postconf -e postscreen_blacklist_action='{{.}}'{{ end }}
 {{ with getv "/postscreen/dnsbl/action" }}postconf -e postscreen_dnsbl_action='{{.}}'{{ end }}
 {{ with getv "/postscreen/dnsbl/reply/map" }}postconf -e postscreen_dnsbl_reply_map='{{.}}'{{ end }}
 {{ with getv "/postscreen/dnsbl/sites" }}postconf -e postscreen_dnsbl_sites='{{.}}'{{ end }}
 {{ with getv "/postscreen/dnsbl/threshold" }}postconf -e postscreen_dnsbl_threshold='{{.}}'{{ end }}
 {{ with getv "/postscreen/dnsbl/whitelist/threshold" }}postconf -e postscreen_dnsbl_whitelist_threshold='{{.}}'{{ end }}
 {{ with getv "/postscreen/greet/action" }}postconf -e postscreen_greet_action='{{.}}'{{ end }}
 {{ else }}
 # disable postscreen
 postconf -M# smtpd/pass
 postconf -F smtp/inet/private=n \
 	 smtp/inet/unprivileged=- \
 	 smtp/inet/chroot=n \
         smtp/inet/wakeup=- \
 	 smtp/inet/process_limit=- \
 	 smtp/inet/command="smtpd"
 {{ if eq (getv "/bogofilter/enable") "yes" }}
 postconf -P smtp/inet/content_filter=spamfilter
 {{ else }}
 postconf -X -P smtp/inet/content_filter
 {{ end }}
 postconf -M# dnsblog/unix
 {{ end }}
 # TODO: access list:
 # # Ansible-generated postscreen CIDR access table. You can change this
 # # file by setting the host variable `postfix_postscreen_access_list`
 # {% for entry in postfix_postscreen_access_list -%}
 # { { entry.address } } { { entry.action } }
 # {% endfor %}
 # TODO: reply map:
 # # postscreen reply map, matching entries will be replaced
 # # with the resulting text when telling the source of DNS
 # # blacklisting to the remote client.
 # # used to mask passwords contained in dnsbl names
 # # edit this file by setting the "mask" option for items
 # # in the host variable postfix_postscreen_dnsbl_sites
 # {% for entry in postfix_postscreen_dnsbl_sites -%}
 # {% if entry is mapping -%}{% if entry.mask is defined -%}
 # {% if entry.mask is string and entry.mask != "" -%}
 # /^{ { entry.site } }$/ { { entry.mask } }
 # {% else %}
 # /^{ { entry.site } }$/ dnsbl blacklist
 # {% endif %}{% endif %}{% endif %}{% endfor %}
--- a/confd/templates/setup_relayhost.tmpl
+++ b/confd/templates/setup_relayhost.tmpl
@@ -1,14 +0,0 @@
 #!/bin/bash
 # These postfix settings allow for sending all mail through a relay host.
 {{ with getv "/relayhost" }}postconf relayhost='{{.}}'{{ end }}
 {{ with getv "/smtp/fallback/relay" }}postconf smtp_fallback_relay='{{.}}'{{ end }}
 {{ with getv "/smtp/sasl/auth/enable" }}postconf smtp_sasl_auth_enable='{{.}}'{{ end }}
 {{ with getv "/smtp/sasl/password/maps" }}postconf smtp_sasl_password_maps='{{.}}'{{ end }}
 {{ with getv "/smtp/sasl/security/options" }}postconf smtp_sasl_security_options='{{.}}'{{ end }}
 {{ with getv "/smtp/tls/cafile" }}postconf smtp_tls_CAfile='{{.}}'{{ end }}
 {{ with getv "/smtp/tls/mandatory/protocols" }}postconf smtp_tls_mandatory_protocols='{{.}}'{{ end }}
 {{ with getv "/smtp/tls/note/starttls/offer" }}postconf smtp_tls_note_starttls_offer='{{.}}'{{ end }}
 {{ with getv "/smtp/tls/security/level" }}postconf smtp_tls_security_level='{{.}}'{{ end }}
 {{ with getv "/smtp/tls/session/cache/database" }}postconf smtp_tls_session_cache_database='{{.}}'{{ end }}
--- a/confd/templates/spamfilter.tmpl
+++ b/confd/templates/spamfilter.tmpl
@@ -1,6 +0,0 @@
 #!/bin/bash
 # pass mail through spam filter Bogofilter
 # arguments are passed on to sendmail
 /usr/bin/bogofilter -d /vmail/bogofilter -p {{ with getv "/bogofilter/ham/cutoff" }}--ham-cutoff '{{.}}'{{ end }} {{ with getv "/bogofilter/spam/cutoff" }}--spam-cutoff '{{.}}'{{ end }} | /usr/sbin/sendmail "$@"
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -0,0 +1,5 @@
 #!/bin/bash
 set -e
 gomplate --input-dir=/etc/templates --output-dir=/
 run-parts -v --exit-on-error /start.d
 exec "$@"
--- a/templates/start.d/setup_main
+++ b/templates/start.d/setup_main
@@ -0,0 +1,105 @@
 #!/bin/bash
 set -e
 postconf maillog_file=/dev/stdout
 postconf alias_maps=hash:/etc/aliases
 {{- if getenv "BIFF" }}
 postconf biff='{{ getenv "BIFF" }}'
 {{- end }}
 {{- if getenv "MESSAGE_SIZE_LIMIT" }}
 postconf message_size_limit='{{ getenv "MESSAGE_SIZE_LIMIT" }}'
 {{- end }}
 {{- if getenv "MYDESTINATION" }}
 postconf mydestination='{{ getenv "MYDESTINATION" }}'
 {{- end }}
 {{- if getenv "MYDOMAIN" }}
 postconf mydomain='{{ getenv "MYDOMAIN" }}'
 {{- end }}
 {{- if getenv "MYHOSTNAME" }}
 postconf myhostname='{{ getenv "MYHOSTNAME" }}'
 {{- end }}
 {{- if getenv "MYNETWORKS" }}
 postconf mynetworks='{{ getenv "MYNETWORKS" }}'
 {{- end }}
 {{- if getenv "MYNETWORKS_STYLE" }}
 postconf mynetworks_style='{{ getenv "MYNETWORKS_STYLE" }}'
 {{- end }}
 {{- if getenv "PROPAGATE_UNMATCHED_EXTENSIONS" }}
 postconf propagate_unmatched_extensions='{{ getenv "PROPAGATE_UNMATCHED_EXTENSIONS" }}'
 {{- end }}
 {{- if getenv "RECIPIENT_DELIMITER" }}
 postconf recipient_delimiter='{{ getenv "RECIPIENT_DELIMITER" }}'
 {{- end }}
 {{- if getenv "SMTP_TLS_SECURITY_LEVEL" }}
 postconf smtp_tls_security_level='{{ getenv "SMTP_TLS_SECURITY_LEVEL" }}'
 {{- end }}
 {{- if getenv "SMTPD_CLIENT_RESTRICTIONS" }}
 postconf smtpd_client_restrictions='{{ getenv "SMTPD_CLIENT_RESTRICTIONS" }}'
 {{- end }}
 {{- if getenv "SMTPD_DATA_RESTRICTIONS" }}
 postconf smtpd_data_restrictions='{{ getenv "SMTPD_DATA_RESTRICTIONS" }}'
 {{- end }}
 {{- if getenv "SMTPD_HELO_REQUIRED" }}
 postconf smtpd_helo_required='{{ getenv "SMTPD_HELO_REQUIRED" }}'
 {{- end }}
 {{- if getenv "SMTPD_HELO_RESTRICTIONS" }}
 postconf smtpd_helo_restrictions='{{ getenv "SMTPD_HELO_RESTRICTIONS" }}'
 {{- end }}
 {{- if getenv "SMTPD_RECIPIENT_RESTRICTIONS" }}
 postconf smtpd_recipient_restrictions='{{ getenv "SMTPD_RECIPIENT_RESTRICTIONS" }}'
 {{- end }}
 {{- if getenv "SMTPD_RELAY_RESTRICTIONS" }}
 postconf smtpd_relay_restrictions='{{ getenv "SMTPD_RELAY_RESTRICTIONS" }}'
 {{- end }}
 {{- if getenv "SMTPD_SASL_AUTH_ENABLE" }}
 postconf smtpd_sasl_auth_enable='{{ getenv "SMTPD_SASL_AUTH_ENABLE" }}'
 {{- end }}
 {{- if getenv "SMTPD_SASL_PATH" }}
 postconf smtpd_sasl_path='{{ getenv "SMTPD_SASL_PATH" }}'
 {{- end }}
 {{- if getenv "SMTPD_SASL_TYPE" }}
 postconf smtpd_sasl_type='{{ getenv "SMTPD_SASL_TYPE" }}'
 {{- end }}
 {{- if getenv "SMTPD_TLS_AUTH_ONLY" }}
 postconf smtpd_tls_auth_only='{{ getenv "SMTPD_TLS_AUTH_ONLY" }}'
 {{- end }}
 {{- if getenv "SMTPD_TLS_CERT_FILE" }}
 postconf smtpd_tls_cert_file='{{ getenv "SMTPD_TLS_CERT_FILE" }}'
 {{- end }}
 {{- if getenv "SMTPD_TLS_KEY_FILE" }}
 postconf smtpd_tls_key_file='{{ getenv "SMTPD_TLS_KEY_FILE" }}'
 {{- end }}
 {{- if getenv "SMTPD_TLS_SECURITY_LEVEL" }}
 postconf smtpd_tls_security_level='{{ getenv "SMTPD_TLS_SECURITY_LEVEL" }}'
 {{- end }}
 {{- if getenv "SMTPD_TLS_SESSION_CACHE_DATABASE" }}
 postconf smtpd_tls_session_cache_database='{{ getenv "SMTPD_TLS_SESSION_CACHE_DATABASE" }}'
 {{- end }}
 {{- if getenv "SMTPUTF8_ENABLE" }}
 postconf smtputf8_enable='{{ getenv "SMTPUTF8_ENABLE" }}'
 {{- end }}
 {{- if getenv "VIRTUAL_ALIAS_MAPS" }}
 postconf virtual_alias_maps='{{ getenv "VIRTUAL_ALIAS_MAPS" }}'
 {{- end }}
 {{- if getenv "VIRTUAL_MAILBOX_DOMAINS" }}
 postconf virtual_mailbox_domains='{{ getenv "VIRTUAL_MAILBOX_DOMAINS" }}'
 {{- end }}
 {{- if getenv "VIRTUAL_MAILBOX_MAPS" }}
 postconf virtual_mailbox_maps='{{ getenv "VIRTUAL_MAILBOX_MAPS" }}'
 {{- end }}
 {{- if getenv "VIRTUAL_TRANSPORT" }}
 postconf virtual_transport='{{ getenv "VIRTUAL_TRANSPORT" }}'
 {{- end }}
 postconf -M spamfilter/unix | grep -q spamfilter || {
    postconf -M spamfilter/unix="spamfilter unix - n n - - pipe"
 }
 postconf -F spamfilter/unix/private=- \
         spamfilter/unix/unprivileged=n \
         spamfilter/unix/chroot=n \
         spamfilter/unix/wakeup=- \
         spamfilter/unix/process_limit=- \
         spamfilter/unix/command='pipe flags=Rq user=vmail argv=/usr/local/bin/spamfilter -oi -f ${sender} ${recipient}'
 # run postmap for all lookup tables
 postmap_all
--- a/templates/start.d/setup_milter
+++ b/templates/start.d/setup_milter
@@ -0,0 +1,15 @@
 #!/bin/bash
 set -e
 {{- if getenv "INTERNAL_MAIL_FILTER_CLASSES" }}
 postconf internal_mail_filter_classes='{{ getenv "INTERNAL_MAIL_FILTER_CLASSES" }}'
 {{- end }}
 {{- if getenv "MILTER_DEFAULT_ACTION" }}
 postconf milter_default_action='{{ getenv "MILTER_DEFAULT_ACTION" }}'
 {{- end }}
 {{- if getenv "NON_SMTPD_MILTERS" }}
 postconf non_smtpd_milters='{{ getenv "NON_SMTPD_MILTERS" }}'
 {{- end }}
 {{- if getenv "SMTPD_MILTERS" }}
 postconf smtpd_milters='{{ getenv "SMTPD_MILTERS" }}'
 {{- end }}
--- a/templates/start.d/setup_postscreen
+++ b/templates/start.d/setup_postscreen
@@ -0,0 +1,88 @@
 #!/bin/bash
 set -e
 {{ if eq (getenv "POSTSCREEN_ENABLE") "yes" -}}
 postconf -M smtpd/pass="smtpd pass - - n - - smtpd"
 postconf -F smtpd/pass/private=- \
 	 smtpd/pass/unprivileged=- \
 	 smtpd/pass/chroot=n \
         smtpd/pass/wakeup=- \
 	 smtpd/pass/process_limit=- \
 	 smtpd/pass/command="smtpd"
 postconf -F smtp/inet/private=n \
 	 smtp/inet/unprivileged=- \
 	 smtp/inet/chroot=n \
         smtp/inet/wakeup=- \
 	 smtp/inet/process_limit=1 \
 	 smtp/inet/command="postscreen"
 postconf -M tlsproxy/unix="tlsproxy unix - - n - 0 tlsproxy"
 postconf -F tlsproxy/unix/private=- \
 	 tlsproxy/unix/unprivileged=- \
 	 tlsproxy/unix/chroot=n \
         tlsproxy/unix/wakeup=- \
 	 tlsproxy/unix/process_limit=0 \
 	 tlsproxy/unix/command="tlsproxy"
 postconf -M dnsblog/unix="dnsblog unix - - n - 0 dnsblog"
 postconf -F dnsblog/unix/private=- \
 	 dnsblog/unix/unprivileged=- \
 	 dnsblog/unix/chroot=n \
         dnsblog/unix/wakeup=- \
 	 dnsblog/unix/process_limit=0 \
 	 dnsblog/unix/command="dnsblog"
 {{ if eq (getenv "BOGOFILTER_ENABLE") "yes" -}}
 postconf -P smtpd/pass/content_filter=spamfilter
 {{ else -}}
 postconf -X -P smtpd/pass/content_filter
 {{ end -}}
 # FIXME: template tables instead of creating empty files
 touch /etc/postfix/rules/postscreen_access_list.cidr
 touch /etc/postfix/rules/postscreen_dnsbl_mask.pcre
 # main.cf options
 {{- if getenv "POSTSCREEN_ACCESS_LIST" }}
 postconf -e postscreen_access_list='{{ getenv "POSTSCREEN_ACCESS_LIST" }}'
 {{- end }}
 {{- if getenv "POSTSCREEN_BLACKLIST_ACTION" }}
 postconf -e postscreen_blacklist_action='{{ getenv "POSTSCREEN_BLACKLIST_ACTION" }}'
 {{- end }}
 {{- if getenv "POSTSCREEN_DNSBL_ACTION" }}
 postconf -e postscreen_dnsbl_action='{{ getenv "POSTSCREEN_DNSBL_ACTION" }}'
 {{- end }}
 {{- if getenv "POSTSCREEN_DNSBL_REPLY_MAP" }}
 postconf -e postscreen_dnsbl_reply_map='{{ getenv "POSTSCREEN_DNSBL_REPLY_MAP" }}'
 {{- end }}
 {{- if getenv "POSTSCREEN_DNSBL_SITES" }}
 postconf -e postscreen_dnsbl_sites='{{ getenv "POSTSCREEN_DNSBL_SITES" }}'
 {{- end }}
 {{- if getenv "POSTSCREEN_DNSBL_THRESHOLD" }}
 postconf -e postscreen_dnsbl_threshold='{{ getenv "POSTSCREEN_DNSBL_THRESHOLD" }}'
 {{- end }}
 {{- if getenv "POSTSCREEN_DNSBL_WHITELIST_THRESHOLD" }}
 postconf -e postscreen_dnsbl_whitelist_threshold='{{ getenv "POSTSCREEN_DNSBL_WHITELIST_THRESHOLD" }}'
 {{- end }}
 {{- if getenv "POSTSCREEN_GREET_ACTION" }}
 postconf -e postscreen_greet_action='{{ getenv "POSTSCREEN_GREET_ACTION" }}'
 {{- end }}
 {{ else -}}
 # disable postscreen
 postconf -M# smtpd/pass
 postconf -F smtp/inet/private=n \
 	 smtp/inet/unprivileged=- \
 	 smtp/inet/chroot=n \
         smtp/inet/wakeup=- \
 	 smtp/inet/process_limit=- \
 	 smtp/inet/command="smtpd"
 {{ if eq (getenv "BOGOFILTER_ENABLE") "yes" -}}
 postconf -P smtp/inet/content_filter=spamfilter
 {{ else -}}
 postconf -X -P smtp/inet/content_filter
 {{ end -}}
 postconf -M# dnsblog/unix
 {{ end -}}
--- a/templates/start.d/setup_relayhost
+++ b/templates/start.d/setup_relayhost
@@ -0,0 +1,33 @@
 #!/bin/bash
 set -e
 {{- if getenv "RELAYHOST" }}
 postconf relayhost='{{ getenv "RELAYHOST" }}'
 {{- end }}
 {{- if getenv "SMTP_FALLBACK_RELAY" }}
 postconf smtp_fallback_relay='{{ getenv "SMTP_FALLBACK_RELAY" }}'
 {{- end }}
 {{- if getenv "SMTP_SASL_AUTH_ENABLE" }}
 postconf smtp_sasl_auth_enable='{{ getenv "SMTP_SASL_AUTH_ENABLE" }}'
 {{- end }}
 {{- if getenv "SMTP_SASL_PASSWORD_MAPS" }}
 postconf smtp_sasl_password_maps='{{ getenv "SMTP_SASL_PASSWORD_MAPS" }}'
 {{- end }}
 {{- if getenv "SMTP_SASL_SECURITY_OPTIONS" }}
 postconf smtp_sasl_security_options='{{ getenv "SMTP_SASL_SECURITY_OPTIONS" }}'
 {{- end }}
 {{- if getenv "SMTP_TLS_CAFILE" }}
 postconf smtp_tls_CAfile='{{ getenv "SMTP_TLS_CAFILE" }}'
 {{- end }}
 {{- if getenv "SMTP_TLS_MANDATORY_PROTOCOLS" }}
 postconf smtp_tls_mandatory_protocols='{{ getenv "SMTP_TLS_MANDATORY_PROTOCOLS" }}'
 {{- end }}
 {{- if getenv "SMTP_TLS_NOTE_STARTTLS_OFFER" }}
 postconf smtp_tls_note_starttls_offer='{{ getenv "SMTP_TLS_NOTE_STARTTLS_OFFER" }}'
 {{- end }}
 {{- if getenv "SMTP_TLS_SECURITY_LEVEL" }}
 postconf smtp_tls_security_level='{{ getenv "SMTP_TLS_SECURITY_LEVEL" }}'
 {{- end }}
 {{- if getenv "SMTP_TLS_SESSION_CACHE_DATABASE" }}
 postconf smtp_tls_session_cache_database='{{ getenv "SMTP_TLS_SESSION_CACHE_DATABASE" }}'
 {{- end }}
--- a/confd/templates/setup_submission.tmpl
+++ b/confd/templates/setup_submission.tmpl
@@ -1,13 +1,7 @@
 #!/bin/bash
 set -e
-#postconf -M submission/inet
+{{ if eq (getenv "SUBMISSION_ENABLE") "yes" -}}
 #postconf -P -h submission/inet/milter_macro_daemon_name
 #postconf -P -h submission/inet/smtpd_client_restrictions
 #postconf -P -h submission/inet/smtpd_sasl_auth_enable
 #postconf -P -h submission/inet/smtpd_tls_security_level
 #postconf -P -h submission/inet/syslog_name
 {{ if eq (getv "/submission/enable") "yes"}}
 postconf -M submission/inet="submission inet n - n - - smtpd"
 postconf -F submission/inet/private=n \
 	 submission/inet/unprivileged=- \
@@ -20,6 +14,6 @@ postconf -P -e submission/inet/smtpd_helo_restrictions="permit"
 postconf -P -e submission/inet/smtpd_sasl_auth_enable="yes"
 postconf -P -e submission/inet/smtpd_tls_security_level="encrypt"
 postconf -P -e submission/inet/syslog_name="postfix/submission"
-{{ else }}
+{{ else -}}
 postconf -M# submission/inet
-{{ end }}
+{{ end -}}
--- a/templates/start.d/spamfilter
+++ b/templates/start.d/spamfilter
@@ -0,0 +1,6 @@
 #!/bin/bash
 # pass mail through spam filter Bogofilter
 # arguments are passed on to sendmail
 /usr/bin/bogofilter -d /vmail/bogofilter -p {{ if getenv "BOGOFILTER_HAM_CUTOFF" }}--ham-cutoff '{{ getenv "BOGOFILTER_HAM_CUTOFF" }}'{{ end }} {{ if getenv "BOGOFILTER_SPAM_CUTOFF" }}--spam-cutoff '{{ getenv "BOGOFILTER_SPAM_CUTOFF" }}'{{ end }} | /usr/sbin/sendmail "$@"