Postfix support

[hazcod]

Hello,

did anyone try postfix under gvisor?
Since postfix requires root access, this would make a fine candidate to shield off the kernel from.

Also, am I correc to state that the purpose of gvisor is to shield off the kernel implementation using the golang vm?

[prattmic]

You mean Postfix the mail server? I don't think anyone has tried it, but I'd imagine it works.

Why does Postfix require root? Just to listen on a low port number? I believe that would be workable with Docker remapping the port.

[hazcod]

See https://security.stackexchange.com/questions/71922/postfix-master-running-as-root

[ianlewis]

You might be able to mount the right directories to get local mail delivery to work from a sandbox. Could you give it a try and let us know what you find?

[hazcod]

I was unable to get postfix to work under root, this is as far as I got.
A logger.go Go file was used to print out logs sent to the /var/log/ socket:

FROM alpine:latest as gobuilder
COPY logger.go /logger.go
RUN apk add --no-cache musl-dev go \
	&& CGO_ENABLED=0 GOOS=linux go build -ldflags '-w -s -extldflags "-static"' -o /logger /logger.go


FROM alpine

ENV POSTFIX_VERSION="3.3.0-r4"

RUN apk add --no-cache "postfix=${POSTFIX_VERSION}" "postfix-pcre=${POSTFIX_VERSION}" \
	&& echo "mailgroup:x:1999:" >> /etc/group \
	&& rm -r /etc/postfix

COPY --from=gobuilder /logger $APP_DIR/logger
COPY conf/ $CONF_DIR
COPY run.sh $APP_DIR
RUN postmap -v -c $CONF_DIR $CONF_DIR/sender-canonical

RUN $APP_DIR/post-install.sh \
	&& chmod 500 $APP_DIR/logger \
	&& mkdir -p $CONF_DIR/dynamicmaps.cf.d \
	&& mkdir -p $CONF_DIR/postfix-files.d \
	&& chown -R root "$CONF_DIR" \
	&& chown :mailgroup /usr/sbin/postqueue  /usr/sbin/postdrop \
	&& chmod g+s /usr/sbin/postqueue  /usr/sbin/postdrop

EXPOSE 25000
VOLUME "$DATA_DIR"
HEALTHCHECK --interval=5s --timeout=3s --retries=3 CMD nc -zv 127.0.0.1 25000 || exit 1
USER root
CMD $APP_DIR/run.sh