use multistage docker build

Dockerfile

@@ -1,17 +1,31 @@
-FROM thallian/confd-env:latest
+FROM alpine:3.9 as builder
 
-RUN apk add --no-cache postfix postfix-ldap libressl spamassassin-client libstdc++ g++ make tar libmilter-dev
-
-RUN addgroup -g 2222 access
-RUN addgroup postfix access
+RUN apk add --no-cache \
+    g++ \
+    make \
+    libmilter-dev \
+    spamassassin-client
 
 RUN mkdir /tmp/spamass-milter
 RUN wget -qO- https://download.savannah.gnu.org/releases/spamass-milt/spamass-milter-0.4.0.tar.gz | tar -xz -C /tmp/spamass-milter --strip 1
 WORKDIR /tmp/spamass-milter
 
-RUN ./configure && make && make install
-RUN rm -rf /tmp/spamass-milter
-WORKDIR /
+RUN ./configure && make
+
+FROM thallian/confd-env:latest
+
+COPY --from=builder /tmp/spamass-milter/spamass-milter /bin/spamass-milter
+
+RUN apk add --no-cache \
+    postfix \
+    postfix-ldap \
+    openssl \
+    spamassassin-client \
+    libstdc++ \
+    libmilter
+
+RUN addgroup -g 2222 access
+RUN addgroup postfix access
 
 RUN mkdir /var/run/spamass-milter
 RUN chown postfix:postfix /var/run/spamass-milter

README.md

@@ -89,7 +89,7 @@ Message size limit in bytes.
 Mailbox size limit in bytes. `0` disables the limit.
 
 ## TLS_SECURITY_LEVEL
-- default: may
+- default: encrypt
 
 One of:
 - none: TLS will not be used.
@@ -98,7 +98,7 @@ One of:
   According to [RFC 2487](http://tools.ietf.org/html/rfc2487) this MUST NOT be applied in case of a publicly-referenced SMTP server.
 
 ## TLS_PROTOCOLS
-- default: !SSLv2, !SSLv3
+- default: !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
 
 Comma seperated list of accepted TLS protocols.
 

rootfs/etc/confd/templates/main.cf.tmpl

@@ -23,11 +23,22 @@ virtual_transport = lmtp:inet:{{getenv "LMTP_HOST"}}:{{getenv "LMTP_PORT"}}
 smtpd_tls_key_file=/etc/ssl/mail/{{getenv "CERT_DOMAIN"}}.key
 smtpd_tls_cert_file=/etc/ssl/mail/{{getenv "CERT_DOMAIN"}}.crt
 
+smtp_tls_security_level = {{getenv "TLS_SECURITY_LEVEL" "may"}}
+smtp_tls_auth_only = yes
+
 smtpd_tls_security_level = {{getenv "TLS_SECURITY_LEVEL" "may"}}
 smtpd_tls_auth_only = yes
 
-smtpd_tls_mandatory_protocols = {{getenv "TLS_PROTOCOLS" "!SSLv2, !SSLv3"}}
-smtpd_tls_protocols = {{getenv "TLS_PROTOCOLS" "!SSLv2, !SSLv3"}}
+smtp_tls_mandatory_protocols = {{getenv "TLS_PROTOCOLS" "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1"}}
+smtp_tls_protocols = {{getenv "TLS_PROTOCOLS" "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1"}}
+smtp_tls_mandatory_ciphers = {{getenv "TLS_CIPHERS" "high"}}
+smtp_tls_ciphers = {{getenv "TLS_CIPHERS" "high"}}
+smtp_tls_mandatory_exclude_ciphers = {{getenv "TLS_EXCLUDE_CIPHERS" "aNULL, MD5, 3DES"}}
+smtp_tls_exclude_ciphers = {{getenv "TLS_EXCLUDE_CIPHERS" "aNULL, MD5, 3DES"}}
+smtp_tls_wrappermode = no
+
+smtpd_tls_mandatory_protocols = {{getenv "TLS_PROTOCOLS" "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1"}}
+smtpd_tls_protocols = {{getenv "TLS_PROTOCOLS" "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1"}}
 smtpd_tls_mandatory_ciphers = {{getenv "TLS_CIPHERS" "high"}}
 smtpd_tls_ciphers = {{getenv "TLS_CIPHERS" "high"}}
 smtpd_tls_mandatory_exclude_ciphers = {{getenv "TLS_EXCLUDE_CIPHERS" "aNULL, MD5, 3DES"}}
@@ -48,6 +59,7 @@ smtpd_sasl_path = inet:{{getenv "DOVECOT_HOST"}}:{{getenv "DOVECOT_AUTH_PORT"}}
 smtpd_sasl_auth_enable = yes
 
 smtpd_relay_restrictions = permit_mynetworks,permit_sasl_authenticated,defer_unauth_destination
+smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
 
 smtpd_milters =
     unix:/var/run/spamass-milter/spamass.sock