* Add #394: Postfix Virtual Transport This makes it possible to specify a lmtp config file, by providing POSTFIX_DAGENT. Update - Readme with informations about #394 * Add Variable ENABLE_POSTFIX_VIRTUAL_TRANSPORT (task) * Add Variable POSTFIX_DAGENT (section) Added Unit tests for virtual transport * Fix syntax error in test/tests.bats * Fix Unit Test
9.4 KiB
docker-mailserver
A fullstack but simple mail server (smtp, imap, antispam, antivirus...). Only configuration files, no SQL database. Keep it simple and versioned. Easy to deploy and upgrade.
Includes:
- postfix with smtp or ldap auth
- dovecot for sasl, imap (and optional pop3) with ssl support, with ldap auth
- saslauthd with ldap auth
- amavis
- spamassasin supporting custom rules
- clamav with automatic updates
- opendkim
- opendmarc
- fail2ban
- fetchmail
- basic sieve support using dovecot
- LetsEncrypt and self-signed certificates
- persistent data and state (but think about backups!)
- integration tests
- automated builds on docker hub
Why I created this image: Simple mail server with Docker
Before you open an issue, please have a look this README
, the Wiki and Postfix/Dovecot documentation.
Usage
Get latest image
docker pull tvial/docker-mailserver:latest
Create a docker-compose.yml
Adapt this file with your FQDN. Install docker-compose in the version 1.6
or higher.
Your configs must be mounted in /tmp/docker-mailserver/
. To understand how things work on boot, please have a look to start-mailserver.sh
version: '2'
services:
mail:
image: tvial/docker-mailserver:2.1
hostname: mail
domainname: domain.com
container_name: mail
ports:
- "25:25"
- "143:143"
- "587:587"
- "993:993"
volumes:
- maildata:/var/mail
- mailstate:/var/mail-state
- ./config/:/tmp/docker-mailserver/
environment:
- ENABLE_SPAMASSASSIN=1
- ENABLE_CLAMAV=1
- ENABLE_FAIL2BAN=1
- ONE_DIR=1
- DMS_DEBUG=0
cap_add:
- NET_ADMIN
volumes:
maildata:
driver: local
mailstate:
driver: local
Create your mail accounts
Don't forget to adapt MAIL_USER and MAIL_PASS to your needs
mkdir -p config
touch config/postfix-accounts.cf
docker run --rm \
-e MAIL_USER=user1@domain.tld \
-e MAIL_PASS=mypassword \
-ti tvial/docker-mailserver:latest \
/bin/sh -c 'echo "$MAIL_USER|$(doveadm pw -s SHA512-CRYPT -u $MAIL_USER -p $MAIL_PASS)"' >> config/postfix-accounts.cf
Generate DKIM keys
docker run --rm \
-v "$(pwd)/config":/tmp/docker-mailserver \
-ti tvial/docker-mailserver:latest generate-dkim-config
Now the keys are generated, you can configure your DNS server by just pasting the content of config/opendkim/keys/domain.tld/mail.txt
in your domain.tld.hosts
zone.
Note: you can also manage email accounts, DKIM keys and more with the setup.sh convenience script.
Start the container
docker-compose up -d mail
You're done!
Environment variables
Please check how the container starts to understand what's expected.
Value in bold is the default value.
DMS_DEBUG
- 0 => Debug disabled
- 1 => Enables debug on startup
ENABLE_CLAMAV
- 0 => Clamav is disabled
- 1 => Clamav is enabled
ENABLE_SPAMASSASSIN
- 0 => Spamassassin is disabled
- 1 => Spamassassin is enabled
SA_TAG
- 2.0 => add spam info headers if at, or above that level
Note: this spamassassin setting needs ENABLE_SPAMASSASSIN=1
SA_TAG2
- 6.31 => add 'spam detected' headers at that level
Note: this spamassassin setting needs ENABLE_SPAMASSASSIN=1
SA_KILL
- 6.31 => triggers spam evasive actions
Note: this spamassassin setting needs ENABLE_SPAMASSASSIN=1
ONE_DIR
- 0 => state in default directories
- 1 => consolidate all states into a single directory (
/var/mail-state
) to allow persistence using docker volumes
ENABLE_POP3
- empty => POP3 service disabled
- 1 => Enables POP3 service
ENABLE_FAIL2BAN
- 0 => fail2ban service disabled
- 1 => Enables fail2ban service
If you enable Fail2Ban, don't forget to add the following lines to your docker-compose.yml
:
cap_add:
- NET_ADMIN
Otherwise, iptables
won't be able to ban IPs.
ENABLE_MANAGESIEVE
- empty => Managesieve service disabled
- 1 => Enables Managesieve on port 4190
ENABLE_FETCHMAIL
- 0 =>
fetchmail
disabled - 1 =>
fetchmail
enabled
ENABLE_LDAP
- empty => LDAP authentification is disabled
- 1 => LDAP authentification is enabled
- NOTE:
- A second container for the ldap service is necessary (e.g. docker-openldap)
- For preparing the ldap server to use in combination with this continer this article may be helpful
LDAP_SERVER_HOST
- empty => mail.domain.com
- => Specify the dns-name/ip-address where the ldap-server
- NOTE: If you going to use the mailserver in combination with docker-compose you can set the service name here
LDAP_SEARCH_BASE
- empty => ou=people,dc=domain,dc=com
- => e.g. LDAP_SEARCH_BASE=dc=mydomain,dc=local
LDAP_BIND_DN
- empty => cn=admin,dc=domain,dc=com
- => take a look at examples of SASL_LDAP_BIND_DN
LDAP_BIND_PW
- empty => admin
- => Specify the password to bind against ldap
POSTMASTER_ADDRESS
- empty => postmaster@domain.com
- => Specify the postmaster address
ENABLE_SASLAUTHD
- 0 =>
saslauthd
is disabled - 1 =>
saslauthd
is enabled
SASLAUTHD_MECHANISMS
- empty => pam
- ldap => authenticate against ldap server
- shadow => authenticate against local user db
- mysql => authenticate against mysql db
- rimap => authenticate against imap server
- NOTE: can be a list of mechanisms like pam ldap shadow
SASLAUTHD_MECH_OPTIONS
- empty => None
- e.g. with SASLAUTHD_MECHANISMS rimap you need to specify the ip-address/servername of the imap server ==> xxx.xxx.xxx.xxx
SASLAUTHD_LDAP_SERVER
- empty => localhost
SASLAUTHD_LDAP_SSL
- empty or 0 => ldap:// will be used
- 1 => ldaps:// will be used
SASLAUTHD_LDAP_BIND_DN
- empty => anonymous bind
- specify an object with priviliges to search the directory tree
- e.g. active directory: SASLAUTHD_LDAP_BIND_DN=cn=Administrator,cn=Users,dc=mydomain,dc=net
- e.g. openldap: SASLAUTHD_LDAP_BIND_DN=cn=admin,dc=mydomain,dc=net
SASLAUTHD_LDAP_PASSWORD
- empty => anonymous bind
SASLAUTHD_LDAP_SEARCH_BASE
- empty => Reverting to SASLAUTHD_MECHANISMS pam
- specify the search base
SASLAUTHD_LDAP_FILTER
- empty => default filter (&(uniqueIdentifier=%u)(mailEnabled=TRUE))
- e.g. for active directory: (&(sAMAccountName=%U)(objectClass=person))
- e.g. for openldap: (&(uid=%U)(objectClass=person))
SASL_PASSWD
- empty => No sasl_passwd will be created
- string =>
/etc/postfix/sasl_passwd
will be created with the string as password
SMTP_ONLY
- empty => all daemons start
- 1 => only launch postfix smtp
SSL_TYPE
- empty => SSL disabled
- letsencrypt => Enables Let's Encrypt certificates
- custom => Enables custom certificates
- manual => Let's you manually specify locations of your SSL certificates for non-standard cases
- self-signed => Enables self-signed certificates
Please read the SSL page in the wiki for more information.
PERMIT_DOCKER
Set different options for mynetworks option (can be overwrite in postfix-main.cf)
- empty => localhost only
- host => Add docker host (ipv4 only)
- network => Add all docker containers (ipv4 only)
VIRUSMAILS_DELETE_DELAY
Set how many days a virusmail will stay on the server before being deleted
- empty => 7 days
ENABLE_POSTFIX_VIRTUAL_TRANSPORT
This Option is activating the Usage of POSTFIX_DAGENT to specify a ltmp client different from default dovecot socket. - empty => disabled - 1 => enabled
POSTFIX_DAGENT
Enabled by ENABLE_POSTFIX_VIRTUAL_TRANSPORT. Specify the final delivery of postfix - empty: fail - lmtp:unix:private/dovecot-lmtp (use socket) - lmtps:inet:: (secure lmtp with starttls, take a look at https://sys4.de/en/blog/2014/11/17/sicheres-lmtp-mit-starttls-in-dovecot/) - lmtp::2003 (use kopano as mailstore) - etc.