docker-mailserver/docs/content/a-mail-server's-101.md
2020-06-10 02:57:53 +02:00

12 KiB

What is a mail server and how does it perform its duty?
Here's an introduction to the field that covers everything you need to know to get started with docker-mailserver.

Anatomy of a mail server

A mail server is only a part of a client-server relationship aimed at exchanging information in the form of emails. Exchanging emails requires using specific means (programs and protocols).

This project provides with the server portion, whereas "the" client can be anything from a console, text-only software (eg. Mutt) to a fully-fledged desktop application (eg. Mozilla Thunderbird, Microsoft Outlook…), to a webmail, etc.

Unlike the client side where usually a single program is used, there are many components making up the server. Specialized piece of software handle atomic tasks, such as receiving emails, dropping emails into mailboxes, sending emails to other mail servers, filtering emails, exposing emails to authorized clients, etc.

The docker-mailserver project has made some informed choices about those components and offers a comprehensive platform to run a feature-full mail server.

Components

The following components are required to create a complete delivery chain:

  • MUA: a Mail User Agent is basically any client/program capable of sending emails to arbitrary mail servers; and most of the times, capable of fetching emails from such mail servers.
  • MTA: a Mail Transfer Agent is the so-called "mail server" as seen from the MUA's perspective. It's a piece of software dedicated to accepting emails: either from MUAs or from other MTA (the latter task being symmetrical, meaning a MTA is also is capable of sending/transferring emails to other MTA, hence the name).
  • MDA: a Mail Delivery Agent is responsible for accepting emails from an MTA, but instead of forwarding it, it is capable of dropping those emails into their recipients' mailboxes, whichever the form.

There may be other moving parts or sub-divisions. For instance, at several point specialized programs may be filtering, bouncing, editing… exchanged emails.

In a nutshell, docker-mailserver provides you with the following agents:

  • MTA: Postfix
  • MDA: Dovecot

and with some specialized, companion programs to form a complete delivery chain (minus the MUA of course).

One important thing to know is that both the MTA and MDA programs actually handle multiple tasks. For instance, Postfix is both an SMTP server (accepting email) and an MTA (transfering email); Dovecot is both an MDA (delivering emails in mailboxes) and an IMAP server (allowing MUAs to fetch emails from the so-called mail server). On top of that, Postfix may rely on Dovecot's authentication capabilities. The exact relationship between all the components and their respective or, sometimes, shared responsibilities is beyond the scope of this document. Explore the wiki to get more insights about the toolchain.

About security, ports…

For both Postfix and Dovecot need to be accessible from the outside to act as servers, they expose themselves through TCP ports, which may be secured using different schemes.

SMTP

A MUA sending an email to a SMTP server communicates using data packets exchanged over a network that both the client and the server are part of. In the case of docker-mailserver, the server is Postfix. The MUA may be anything, and its submission/request is (most frequently!) performed as TCP packets sent over the public internet. This exchange of information may, or may not, be secured in order to counter eavesdropping.

The best practice as of 2020 would be SMTPS over port 465. It has the server enforce the client into using an encrypted TCP connection, using TLS (see RFC 8314). With this setup, the mail server should deny any client attempting at submitting emails in plain text; it should require a TLS-encrypted exchange to exist from the get go (no connection upgrade using an opt-in STARTTLS mechanism, see next paragraph). That SMTPS setup is said to Implicit (aka. enforced) TLS encryption.

Another well-documented, extensively used mail submission setup is SMTP+STARTTLS. It uses Explicit (aka. opportunistic) TLS over port 587, with an opt-in TLS upgrade of the client-to-server connection using using STARTTLS. With this setup, the mail server should accept unencrypted requests but should automatically respond to the client with an "offer" to upgrade the connection to a TLS-encrypted one; but it also should allow the client to deny that proposal and eventually still accept unencrypted mail exchange (although some servers may eventually deny unencrypted trafic). Overall, this setup requires more configuration and is less secure by design (hence the name "opportunistic"). As of 2020, it is recommended by RFC 8314 for mail servers to support it, but as a to-be-deprecated protocol and to encourage clients to switch to SMTPS.

A final setup exists and is akin SMTP+STARTTLS, but over port 25. That port has historically been reserved specifically for plain text mail exchange. One may upgrade the connection on port 25 to a TLS-encrypted one, but that should be considered a non-normative usage. It's better reserving port 25 for plain text trafic in order to support older clients, and inter-MTA exchange (although obviously non-secure).

IMAP

A MUA reading emails from an IMAP server communicates using data packets exchanged over a network that both the client and the server are part of. In the case of docker-mailserver, the server is Dovecot. The MUA may be anything, and its retrieval request is (most frequently!) performed as TCP packets sent over the public internet. This exchange of information may, or may not, be secured in order to counter eavesdropping.

As with SMTP (described above), the IMAP protocol may be secured with either: Implicit (enforced) TLS (aka. IMAPS, sometimes written IMAP4S); or Explicit (opportunistic) TLS using STARTTLS.

The best practice as of 2020 would be IMAPS over port 993, rather than IMAP+STARTTLS over port 143 (see RFC 8314).

POP3

Similarly to IMAP, POP3 may be secured with either: Implicit (enforced) TLS (aka. POP3S); or Explicit (opportunistic) TLS using STARTTLS.

The best practice as of 2020 would be POP3S over port 995, rather than POP3+STARTTLS over port 110 (see RFC 8314).

Summary of ports/security setups

When talking about emails, the following applies:

Protocol Purpose Default port w/ opt-in Encryption1 Enforced Encryption
SMTP Transfer2 25 N/A
ESMTP Submission 587 (deprecated4) SMTPS 4653
POP3 Retrieval 110 (deprecated4) POP3S 995
IMAP4 Retrieval 143 (deprecated4) IMAPS 993
  1. An insecure, unencrypted connection may be upgraded to a secured one (over TLS) when both ends support the STARTTLS mechanism. On ports 110, 143 and 587, docker-mailserver will reject a connection that cannot be secured with STARTTLS (preventing MITM attacks trough a downgrading). Note that port 25 is required to support insecure connections; whereas other ports are not and may be limited to STARTTLS (which docker-mailserver enforces).
  2. Port 25 is for incoming mail transfer_, ie. it receives email and may filter for spam and viruses upon reception. For transferring outgoing mail (eg. sending emails from within docker-mailserver to another mail server), you should prefer the submission ports (465, 587), which require authentication in docker-mailserver. Unless a relay host is configured, outgoing email will leave the server via port 25 (thus outbound traffic must not be blocked by your provider or firewall).
  3. Port 465 is a submission port again since 2018, see RFC 8314. Originally a secure variant of port 25, it is now dedicated to SMTPS.
  4. RFC 8314 is recommending that clear text exchanges to be abandoned and that all three common IETF mail protocols to be used only in implicit mode (no STARTTLS).

How does docker-mailserver help with setting everything up?

As a batteries included Docker image, docker-mailserver provides you with all the required components and a default configuration to run a mail server. On top of that, the env-mailserver configuration file (and some other optional, advanced files!) allow you to tweak your setup extensively. You may even derive your own image from docker-mailserver for a complete control!

When it comes to security, one may consider docker-mailserver's default configuration to not be 100% secure, as it uses opportunistic connections using STARTTLS instead of enforcing TLS-encrypted connection (SMTPS, IMAPS). That choice has been consciously made for the project aims at supporting, by default and without custom configuration required, all kinds of clients, including ones not able (== not configured) to use enforced/implicit TLS-encrypted connections, but still capable of handling opportunistic TLS. Please note though that no plain text exchange will occur in case a client denies a STARTTLS offer, for docker-mailserver is using a strict offer (encrypt) by default and will drop the client unencrypted request 😌

We believe docker-mailserver's default configuration (enforcing TLS, either opportunistic or implicit) to be a good middle ground: it goes beyond RFC 2487 "old" (1999) recommandation and abides by the "newest" (2018) RFC 8314, under the assumption that most MUA (clients) nowadays support TLS. It does mean clients without support for TLS are not supported by default though. Eventually, it is up to you deciding which kind of transportation encryption to use / enforce, and customize your instance accordingly (looser or stricter security), with the help of the project's documentation.

The README is the best starting point in configuring and running your mail server. You may then explore this wiki to cover additional topics, including but not limited to, security.