Mailserver

:warning: UNMAINTAINED - Simple and full-featured mail server using Docker


:warning:

This docker image is no longer maintained.

:warning:

hardware/mailserver


hardware/mailserver is a simple and full-featured mail server built as a set of multiple docker images, including:

  • Postfix : a full-set smtp email server
  • Dovecot : secure IMAP and POP3 email server
  • Rspamd : anti-spam filter with SPF, DKIM, DMARC, ARC, ratelimit and greylisting capabilities
  • Clamav : antivirus with automatic updates and third-party signature databases
  • Zeyple : automatic GPG encryption of all your emails
  • Sieve : email filtering (vacation auto-responder, auto-forward, etc...)
  • Fetchmail : fetch emails from external IMAP/POP3 server into local mailbox
  • Rainloop : web based email client
  • Postfixadmin : web-based administration interface
  • Unbound: recursive caching DNS resolver with DNSSEC support
  • NSD : authoritative DNS server with DNSSEC support
  • Træfik : modern HTTP reverse proxy
  • SSL : let's encrypt with auto-renewal (SAN and wildcard certificates), custom and self-signed certificates support
  • OpenLDAP : [BETA] ldap support available (only in 1.1-latest for now)
  • Supporting multiple virtual domains over MySQL/PostgreSQL backend
  • Integration tests with Travis CI
  • Automated builds on DockerHub

System Requirements

Please check that your system meets the following minimum requirements:

With MariaDB/PostgreSQL and Redis on the same host

| Type | Without ClamAV | With ClamAV |
| ---- | -------------- | ----------- |
| CPU | 1 GHz | 1 GHz |
| RAM | 1.5 GiB | 2 GiB |

With MariaDB/PostgreSQL and Redis hosted on another server

| Type | Without ClamAV | With ClamAV |
| ---- | -------------- | ----------- |
| CPU | 1 GHz | 1 GHz |
| RAM | 512 MiB | 1 GiB |

Prerequisites

Cleaning

Please remove any web server and mail services running on your server. I recommend using a clean installation of your preferred distro. If you are using Debian, remember to remove the default MTA, Exim4:

# apt-get purge exim4*

Also make sure that no other application is listening on the ports the mail server needs:

# netstat -tulpn | grep -E -w '25|80|110|143|443|465|587|993|995|4190'

If this command returns any results, please remove or stop the application running on that port.
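The `grep -w` filter above matches the port numbers anywhere on the line, including the PID column. The following added example (not part of the original README) parses the output and matches only on the local address of TCP listeners; the function name and the sample output are constructed for illustration.

```python
# Ports from the README's check (SMTP, HTTP, POP3, IMAP, HTTPS, SMTPS,
# submission, IMAPS, POP3S, ManageSieve).
MAIL_PORTS = {25, 80, 110, 143, 443, 465, 587, 993, 995, 4190}

# Constructed sample of `netstat -tulpn` output, not captured from a real host.
# The sshd PID (443) and the dhclient PID (587) would both match `grep -w`.
SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      443/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      812/exim4
tcp6       0      0 :::80                   :::*                    LISTEN      990/apache2
udp        0      0 0.0.0.0:68              0.0.0.0:*                           587/dhclient
"""

def conflicting_listeners(netstat_output, ports=MAIL_PORTS):
    """Return sorted (port, proto, program) tuples for TCP listeners on `ports`."""
    hits = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        # Keep only TCP sockets in LISTEN state; skips headers and UDP rows.
        if len(fields) < 6 or not fields[0].startswith("tcp") or "LISTEN" not in fields:
            continue
        # Local address is the 4th column; the port follows the last colon
        # for both IPv4 (0.0.0.0:25) and IPv6 (:::80) notation.
        port = int(fields[3].rsplit(":", 1)[1])
        if port in ports:
            # Program names may contain spaces, so join everything after LISTEN.
            program = " ".join(fields[fields.index("LISTEN") + 1:])
            hits.add((port, fields[0], program))
    return sorted(hits)

if __name__ == "__main__":
    for port, proto, program in conflicting_listeners(SAMPLE):
        print(f"port {port}/{proto} is held by {program}")
```
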

Ports

If you have a firewall, unblock the following ports, according to your needs :

| Service | Software | Protocol | Port |
| ------- | -------- | -------- | ---- |
| SMTP | Postfix | TCP | 25 |
| HTTP | Nginx | TCP | 80 |
| POP3 | Dovecot | TCP | 110 |
| IMAP | Dovecot | TCP | 143 |
| HTTPS | Nginx | TCP | 443 |
| SMTPS | Postfix | TCP | 465 |
| Submission | Postfix | TCP | 587 |
| IMAPS | Dovecot | TCP | 993 |
| POP3S | Dovecot | TCP | 995 |
| ManageSieve | Dovecot | TCP | 4190 |

DNS setup

I recommend using hardware/nsd-dnssec as an authoritative name server with DNSSEC capabilities. NSD is an authoritative-only, high-performance, simple and open source name server.

DNS records and reverse PTR

A correct DNS setup is required; this step is very important.

| HOSTNAME | CLASS | TYPE | PRIORITY | VALUE |
| -------- | ----- | ---- | -------- | ----- |
| mail | IN | A/AAAA | any | 1.2.3.4 |
| spam | IN | CNAME | any | mail.domain.tld. |
| webmail | IN | CNAME | any | mail.domain.tld. |
| postfixadmin | IN | CNAME | any | mail.domain.tld. |
| @ | IN | MX | 10 | mail.domain.tld. |
| @ | IN | TXT | any | "v=spf1 a mx ip4:SERVER_IPV4 ~all" |
| mail._domainkey | IN | TXT | any | "v=DKIM1; k=rsa; p=YOUR DKIM Public Key" |
| _dmarc | IN | TXT | any | "v=DMARC1; p=reject; rua=mailto:postmaster@domain.tld; ruf=mailto:admin@domain.tld; fo=0; adkim=s; aspf=s; pct=100; rf=afrf; sp=reject" |

Notes:

  • Make sure that the PTR record of your IP matches the FQDN (default : mail.domain.tld) of your mailserver host. This record is usually set in your web hosting interface.
  • DKIM, SPF and DMARC records are recommended to build a good reputation score.
  • The DKIM public key will be available on host after the container startup :
/mnt/docker/mail/dkim/domain.tld/public.key

To regenerate your public and private keys, remove the /mnt/docker/mail/dkim/domain.tld folder. By default a 1024-bit key is generated; you can increase this size by setting the OPENDKIM_KEY_LENGTH environment variable to a higher value. Check with your domain registrar that it supports a TXT record long enough for a key larger than 1024 bits.
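The sketch below is an added example, not code from the project: it lints the SPF and DMARC values from the table above and shows why a larger DKIM key needs a longer TXT record (a DNS character-string holds at most 255 bytes, so a 2048-bit key must be published as several strings). The function names are hypothetical, `192.0.2.10` is a documentation address standing in for SERVER_IPV4, and the `p=` value is a constructed placeholder of the right length, not a real key.

```python
def parse_tags(record):
    """Parse a 'tag=value; tag=value' TXT value (DKIM, DMARC) into a dict."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def lint_spf(record):
    """Return findings about the record's final 'all' mechanism."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record: must start with v=spf1"]
    alls = [t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"]
    if not alls:
        return ["no 'all' mechanism: unlisted senders get a neutral result"]
    # A bare 'all' has the default '+' (pass) qualifier.
    qualifier = alls[-1][0] if alls[-1][0] in "+-~?" else "+"
    return {"+": ["+all authorises every sender"],
            "?": ["?all is neutral: unlisted senders are not flagged"],
            "~": ["~all is softfail: unlisted senders are marked, not failed"],
            "-": []}[qualifier]

def lint_dmarc(record):
    """Return findings about policy strength and reporting."""
    tags = parse_tags(record)
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("missing v=DMARC1")
    policy = tags.get("p", "")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("p= missing or invalid")
    elif policy == "none":
        findings.append("p=none requests no action on failing mail")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append("pct below 100: policy applies to only part of the mail")
    if "rua" not in tags:
        findings.append("no rua=: no aggregate reports will be received")
    return findings

def txt_strings(value, limit=255):
    """Split a TXT value into character-strings of at most `limit` bytes."""
    raw = value.encode("ascii")
    return [raw[i:i + limit].decode("ascii") for i in range(0, len(raw), limit)]

# Constructed sample values based on the README's table.
SPF = "v=spf1 a mx ip4:192.0.2.10 ~all"
DMARC = ("v=DMARC1; p=reject; rua=mailto:postmaster@domain.tld; "
         "ruf=mailto:admin@domain.tld; fo=0; adkim=s; aspf=s; pct=100; rf=afrf; sp=reject")
# A 2048-bit RSA public key is 392 base64 characters (216 for 1024-bit).
DKIM_2048 = "v=DKIM1; k=rsa; p=" + "A" * 392
```

With a 1024-bit key the whole value fits in one string; with the 2048-bit placeholder, `txt_strings(DKIM_2048)` returns two strings that the zone file or registrar interface must accept together.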

These DNS records will raise your trust reputation score and reduce abuse of your domain name. You can find more information here:

  • http://www.openspf.org/
  • http://www.opendkim.org/
  • https://dmarc.org/
  • http://arc-spec.org/

Testing

You can audit your mailserver with the following assessment services :

  • https://www.mail-tester.com/
  • https://www.hardenize.com/
  • https://observatory.mozilla.org/
  • https://www.emailprivacytester.com/ (MUA side)

Installation

1 - Prepare your environment

:bulb: The reverse proxy used in this setup is Traefik, but you can use the solution of your choice (Nginx, Apache, Haproxy, Caddy, H2O...etc).

:warning: This docker image may not work with some hardened Linux distributions using security-enhancing kernel patches like GrSecurity; please use a supported platform.

# Create a new docker network for Traefik (IPv4 only)
docker network create http_network
# If you want to support IPv6, please refer to [IPv6 support]

# Create the required folders and files
mkdir -p /mnt/docker/traefik/acme && cd /mnt/docker \
&& curl https://raw.githubusercontent.com/hardware/mailserver/master/docker-compose.sample.yml -o docker-compose
