From d907720cd039c1fc640821823b6e5e89152ceed0 Mon Sep 17 00:00:00 2001 From: PJ Eby Date: Thu, 5 Mar 2020 14:23:37 -0500 Subject: [PATCH] Support multiple IP addresses --- README.md | 11 ++++++--- files/etc/cont-init.d/25-bind-hostname.sh | 27 +++++++++++++++++------ 2 files changed, 28 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index 313e0d4..a2c721f 100644 --- a/README.md +++ b/README.md 
@@ -6,10 +6,15 @@ Specifically, in host mode networking, poste.io binds its outward-facing service As a result, poste.io not only doesn't play well with other mail servers, it doesn't play well with being used on a server that *does anything else*. (It almost might as well not be a docker container at all!) -So this image fixes these issues, by tweaking service configurations to only bind services on the IP that corresponds to the container's hostname, and replace localhost TCP sockets with unix domain sockets, kept privately within the container. (Thereby preventing conflicts or confusion with other bindings of those ports on the localhost interface.) +So this image fixes these issues, by tweaking service configurations to only bind services on the IPs that correspond to the container's hostname, and replace localhost TCP sockets with unix domain sockets, kept privately within the container. (Thereby preventing conflicts or confusion with other bindings of those ports on the localhost interface.) Unfortunately, poste's admin tool isn't written with unix sockets in mind, and neither are significant parts of haraka and its plugins. Thus, in addition to adding the configuration files found under [files/](files/), this image also has to [patch a lot of files](files/patches). (Most of the patching is done at image build time, but a few are tweaked at container start by an [init script](files/etc/cont-init.d/25-bind-hostname.sh), because nginx and haraka don't allow variable substitution in the part of their config files that set listening ports.) -(Note: this image relies even more on a correct docker hostname than poste.io does. Make sure that the hostname you assign to the container is public, fully-qualified, and maps to exactly one IPv4 address (and no IPv6 addresses). You also need to be using host-mode networking, since in any other mode this image isn't needed.) 
+### Usage -To use this image, just replace `analogic/poste.io` in your config with `dirtsimple/poste.io`. \ No newline at end of file +To use this image, just replace `analogic/poste.io` in your config with `dirtsimple/poste.io`. But take careful note of the following: + +* You **must** configure the container with a fully-qualified hostname, whose IP address(es) **must** be listed in the public DNS system +* The IP address(es) must be public IPs, and *should* have reverse DNS pointing to the container's hostname +* You should be using **host-mode networking**, since in any other networking mode, the original `analogic/poste.io` image is sufficiently isolated without these patches! +* By default, outgoing email to other mail servers will be sent via the first IP address returned by running `hostname -i` in the container. If you need to override this, configure the container with an `OUTBOUND_MAIL_IP` environment variable specifying the IP address to be used. \ No newline at end of file diff --git a/files/etc/cont-init.d/25-bind-hostname.sh b/files/etc/cont-init.d/25-bind-hostname.sh index e4cf9c8..87f6e5d 100755 --- a/files/etc/cont-init.d/25-bind-hostname.sh +++ b/files/etc/cont-init.d/25-bind-hostname.sh 
@@ -1,15 +1,28 @@ #!/usr/bin/with-contenv bash -# === Configure Haraka and nginx to use only the container's hostname == +# === Configure dovecot and nginx to bind or connect via the container's hostname === bindhost=$(hostname) - sed -i 's/__HOST__/'"$bindhost"/ /etc/nginx/sites-enabled/administration -sed -i 's/^listen=.*:25$/listen='"$bindhost/" /opt/haraka-smtp/config/smtp.ini -sed -i 's/^listen=.*:587,.*:465$/listen='"$bindhost:587,$bindhost:465/" /opt/haraka-submission/config/smtp.ini sed -i 's/submission_host = .*:587$/submission_host = '"$bindhost:587/" /etc/dovecot/conf.d/15-lda.conf -# Haraka should only do outbound connects on our IP -hostname -i >/opt/haraka-submission/config/my-ip -hostname -i >/opt/haraka-smtp/config/my-ip + +# === Haraka needs each IP address to be listed explicitly === + +ipaddrs=$(hostname -i) +listen025=${ipaddrs// /:25,}:25 +listen465=${ipaddrs// /:465,}:465 +listen587=${ipaddrs// /:587,}:587 + +sed -i 's/^listen=.*:25$/listen='"$listen025/" /opt/haraka-smtp/config/smtp.ini +sed -i 's/^listen=.*:587,.*:465$/listen='"$listen587,$listen465/" /opt/haraka-submission/config/smtp.ini + + +# === Haraka should only do outbound connects on one IP === + +# If OUTBOUND_MAIL_IP is set, use that, otherwise use the host's first IP +outbound=${OUTBOUND_MAIL_IP:-${ipaddrs%% *}} + +echo "$outbound" >/opt/haraka-submission/config/my-ip +echo "$outbound" >/opt/haraka-smtp/config/my-ip
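Review bot: in the README hunk, the deleted note's constraint that the hostname "maps to exactly one IPv4 address (and no IPv6 addresses)" is dropped, and the new bullet "The IP address(es) must be public IPs" no longer tells the reader whether IPv6 is allowed; since the init script in this same patch builds `listen=` entries by appending `:25` to whatever `hostname -i` returns, an IPv6 address would end up unbracketed, so the README should keep an explicit "IPv4 addresses only" statement (or describe the bracketing once the script handles it). Both the old and the new last line carry `\ No newline at end of file`; add the trailing newline while touching the file.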
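Review bot: in the script hunk, `ipaddrs=$(hostname -i)` has no empty-result check, so if the container's hostname does not resolve, `listen025=${ipaddrs// /:25,}:25` expands to `:25` and the sed writes `listen=:25` into smtp.ini, leaving the host part empty and losing the single-host binding this image exists to enforce; add something like `[ -n "$ipaddrs" ] || { echo "hostname -i returned no address" >&2; exit 1; }` before the substitutions. The same expansion yields `addr:25` with no brackets for an IPv6 address (the old README explicitly required no IPv6 addresses, and this patch removes that note), so the script should either restrict itself to IPv4 or bracket IPv6 entries. Finally, `outbound=${OUTBOUND_MAIL_IP:-${ipaddrs%% *}}` accepts any override value without checking that it is one of the container's own addresses; a membership check against `$ipaddrs` would catch a mistyped value before it is written to both `my-ip` files.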