infra/roles/postfix/templates/docker-compose.yml.j2

services:
  postfix:
    image: boky/postfix:latest
    environment:
{% if postfix_relayhost | length > 0 %}
      RELAYHOST: "[{{ postfix_relayhost }}]:{{ postfix_relayhost_port | default('587') }}"
{% if postfix_relayhost_username | length > 0 %}
      RELAYHOST_USERNAME: "{{ postfix_relayhost_username }}"
      RELAYHOST_PASSWORD: "{{ postfix_relayhost_password }}"
{% endif %}
{% endif %}
      POSTFIX_smtp_tls_security_level: "{{ postfix_smtp_tls_security_level }}"
      POSTFIX_smtpd_tls_security_level: may
      POSTFIX_smtpd_tls_cert_file: /etc/ssl/tls.crt
      POSTFIX_smtpd_tls_key_file: /etc/ssl/tls.key
      POSTFIX_smtpd_tls_loglevel: 1
      POSTFIX_relay_domains: "*"
      POSTFIX_smtpd_relay_restrictions: "permit_mynetworks,reject"
      POSTFIX_smtpd_recipient_restrictions: "permit_mynetworks,reject_unauth_destination"
      ALLOWED_SENDER_DOMAINS: "{{ postfix_allowed_sender_domains }},services"
      ALLOW_EMPTY_SENDER_DOMAINS: "{{ postfix_allow_empty_sender_domains | ternary('true', 'false') }}"
      POSTFIX_mynetworks: "127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
    volumes:
      - /opt/postfix/ssl:/etc/ssl:ro
    ports:
      - "25:25"
    networks:
      - proxy
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true

networks:
  proxy:
    external: true