A fullstack but simple mailserver (smtp, imap, antispam, antivirus, ssl...) using Docker.
Shell Makefile SourcePawn
Latest commit 3d55396 Feb 23, 2017 @tomav committed on GitHub Added Gitter badge

README.md

docker-mailserver

Build Status Docker Pulls Github Stars Github Stars Github Forks Gitter

A fullstack but simple mail server (smtp, imap, antispam, antivirus...). Only configuration files, no SQL database. Keep it simple and versioned. Easy to deploy and upgrade.

Includes:

  • postfix with smtp or ldap auth
  • dovecot for sasl, imap (and optional pop3) with ssl support, with ldap auth
  • saslauthd with ldap auth
  • amavis
  • spamassasin supporting custom rules
  • clamav with automatic updates
  • opendkim
  • opendmarc
  • fail2ban
  • fetchmail
  • postgrey
  • basic sieve support using dovecot
  • LetsEncrypt and self-signed certificates
  • persistent data and state (but think about backups!)
  • integration tests
  • automated builds on docker hub

Why I created this image: Simple mail server with Docker

Before you open an issue, please have a look this README, the Wiki and Postfix/Dovecot documentation.

Usage

Get latest image

docker pull tvial/docker-mailserver:latest

Create a docker-compose.yml

Adapt this file with your FQDN. Install docker-compose in the version 1.6 or higher.

Your configs must be mounted in /tmp/docker-mailserver/. To understand how things work on boot, please have a look to start-mailserver.sh

version: '2'

services:
  mail:
    image: tvial/docker-mailserver:2.1
    hostname: mail
    domainname: domain.com
    container_name: mail
    ports:
    - "25:25"
    - "143:143"
    - "587:587"
    - "993:993"
    volumes:
    - maildata:/var/mail
    - mailstate:/var/mail-state
    - ./config/:/tmp/docker-mailserver/
    environment:
    - ENABLE_SPAMASSASSIN=1
    - ENABLE_CLAMAV=1
    - ENABLE_FAIL2BAN=1
    - ENABLE_POSTGREY=1
    - ONE_DIR=1
    - DMS_DEBUG=0
    cap_add:
    - NET_ADMIN

volumes:
  maildata:
    driver: local
  mailstate:
    driver: local

Create your mail accounts

Don't forget to adapt MAIL_USER and MAIL_PASS to your needs

mkdir -p config
touch config/postfix-accounts.cf
docker run --rm \
  -e MAIL_USER=user1@domain.tld \
  -e MAIL_PASS=mypassword \
  -ti tvial/docker-mailserver:latest \
  /bin/sh -c 'echo "$MAIL_USER|$(doveadm pw -s SHA512-CRYPT -u $MAIL_USER -p $MAIL_PASS)"' >> config/postfix-accounts.cf

Generate DKIM keys

docker run --rm \
  -v "$(pwd)/config":/tmp/docker-mailserver \
  -ti tvial/docker-mailserver:latest generate-dkim-config

Now the keys are generated, you can configure your DNS server by just pasting the content of config/opendkim/keys/domain.tld/mail.txt in your domain.tld.hosts zone.

Note: you can also manage email accounts, DKIM keys and more with the setup.sh convenience script.

Start the container

docker-compose up -d mail

You're done!

Environment variables

Please check how the container starts to understand what's expected.

Value in bold is the default value.

DMS_DEBUG
  • 0 => Debug disabled
  • 1 => Enables debug on startup

ENABLE_CLAMAV

  • 0 => Clamav is disabled
  • 1 => Clamav is enabled

ENABLE_SPAMASSASSIN

  • 0 => Spamassassin is disabled
  • 1 => Spamassassin is enabled
SA_TAG
  • 2.0 => add spam info headers if at, or above that level

Note: this spamassassin setting needs ENABLE_SPAMASSASSIN=1

SA_TAG2
  • 6.31 => add 'spam detected' headers at that level

Note: this spamassassin setting needs ENABLE_SPAMASSASSIN=1

SA_KILL
  • 6.31 => triggers spam evasive actions

Note: this spamassassin setting needs ENABLE_SPAMASSASSIN=1

ONE_DIR
  • 0 => state in default directories
  • 1 => consolidate all states into a single directory (/var/mail-state) to allow persistence using docker volumes
ENABLE_POP3
  • empty => POP3 service disabled
  • 1 => Enables POP3 service
ENABLE_FAIL2BAN
  • 0 => fail2ban service disabled
  • 1 => Enables fail2ban service

If you enable Fail2Ban, don't forget to add the following lines to your docker-compose.yml:

cap_add:
  - NET_ADMIN

Otherwise, iptables won't be able to ban IPs.

ENABLE_MANAGESIEVE
  • empty => Managesieve service disabled
  • 1 => Enables Managesieve on port 4190
ENABLE_FETCHMAIL
  • 0 => fetchmail disabled
  • 1 => fetchmail enabled
ENABLE_LDAP
  • empty => LDAP authentification is disabled
  • 1 => LDAP authentification is enabled
  • NOTE:
    • A second container for the ldap service is necessary (e.g. docker-openldap)
    • For preparing the ldap server to use in combination with this continer this article may be helpful
LDAP_SERVER_HOST
  • empty => mail.domain.com
  • => Specify the dns-name/ip-address where the ldap-server
  • NOTE: If you going to use the mailserver in combination with docker-compose you can set the service name here
LDAP_SEARCH_BASE
  • empty => ou=people,dc=domain,dc=com
  • => e.g. LDAP_SEARCH_BASE=dc=mydomain,dc=local
LDAP_BIND_DN
  • empty => cn=admin,dc=domain,dc=com
  • => take a look at examples of SASL_LDAP_BIND_DN
LDAP_BIND_PW
  • empty => admin
  • => Specify the password to bind against ldap
OVERRIDE_HOSTNAME
  • empty => uses the hostname command to get the mail server's canonical hostname
  • => Specify a fully-qualified domainname to serve mail for. This is used for many of the config features so if you can't set your hostname (e.g. you're in a container platform that doesn't let you) specify it in this environment variable.
POSTMASTER_ADDRESS

ENABLE_POSTGREY

  • 0 => postgrey is disabled
  • 1 => postgrey is enabled
POSTGREY_DELAY
  • 300 => greylist for N seconds

Note: This postgrey setting needs ENABLE_POSTGREY=1

POSTGREY_MAX_AGE
  • 35 => delete entries older than N days since the last time that they have been seen

Note: This postgrey setting needs ENABLE_POSTGREY=1

POSTGREY_TEXT
  • Delayed by postgrey => response when a mail is greylisted

Note: This postgrey setting needs ENABLE_POSTGREY=1

ENABLE_SASLAUTHD
  • 0 => saslauthd is disabled
  • 1 => saslauthd is enabled
SASLAUTHD_MECHANISMS
  • empty => pam
  • ldap => authenticate against ldap server
  • shadow => authenticate against local user db
  • mysql => authenticate against mysql db
  • rimap => authenticate against imap server
  • NOTE: can be a list of mechanisms like pam ldap shadow
SASLAUTHD_MECH_OPTIONS
  • empty => None
  • e.g. with SASLAUTHD_MECHANISMS rimap you need to specify the ip-address/servername of the imap server ==> xxx.xxx.xxx.xxx
SASLAUTHD_LDAP_SERVER
  • empty => localhost
SASLAUTHD_LDAP_SSL
  • empty or 0 => ldap:// will be used
  • 1 => ldaps:// will be used
SASLAUTHD_LDAP_BIND_DN
  • empty => anonymous bind
  • specify an object with priviliges to search the directory tree
  • e.g. active directory: SASLAUTHD_LDAP_BIND_DN=cn=Administrator,cn=Users,dc=mydomain,dc=net
  • e.g. openldap: SASLAUTHD_LDAP_BIND_DN=cn=admin,dc=mydomain,dc=net
SASLAUTHD_LDAP_PASSWORD
  • empty => anonymous bind
SASLAUTHD_LDAP_SEARCH_BASE
  • empty => Reverting to SASLAUTHD_MECHANISMS pam
  • specify the search base
SASLAUTHD_LDAP_FILTER
  • empty => default filter (&(uniqueIdentifier=%u)(mailEnabled=TRUE))
  • e.g. for active directory: (&(sAMAccountName=%U)(objectClass=person))
  • e.g. for openldap: (&(uid=%U)(objectClass=person))
SASL_PASSWD
  • empty => No sasl_passwd will be created
  • string => /etc/postfix/sasl_passwd will be created with the string as password
SMTP_ONLY
  • empty => all daemons start
  • 1 => only launch postfix smtp
SSL_TYPE
  • empty => SSL disabled
  • letsencrypt => Enables Let's Encrypt certificates
  • custom => Enables custom certificates
  • manual => Let's you manually specify locations of your SSL certificates for non-standard cases
  • self-signed => Enables self-signed certificates

Please read the SSL page in the wiki for more information.

PERMIT_DOCKER

Set different options for mynetworks option (can be overwrite in postfix-main.cf)

  • empty => localhost only
  • host => Add docker host (ipv4 only)
  • network => Add all docker containers (ipv4 only)
VIRUSMAILS_DELETE_DELAY

Set how many days a virusmail will stay on the server before being deleted

  • empty => 7 days
ENABLE_POSTFIX_VIRTUAL_TRANSPORT

This Option is activating the Usage of POSTFIX_DAGENT to specify a ltmp client different from default dovecot socket. - empty => disabled - 1 => enabled

POSTFIX_DAGENT

Enabled by ENABLE_POSTFIX_VIRTUAL_TRANSPORT. Specify the final delivery of postfix - empty: fail - lmtp:unix:private/dovecot-lmtp (use socket) - lmtps:inet:: (secure lmtp with starttls, take a look at https://sys4.de/en/blog/2014/11/17/sicheres-lmtp-mit-starttls-in-dovecot/) - lmtp::2003 (use kopano as mailstore) - etc.