- Explore
- mailserver2
mailserver
mailserver2/mailserver
Simple and full-featured mail server using Docker
500K+
mailserver2/mailserver repository overview
mailserver2/mailserver
Fork
This is a fork that provides the bare minimum of maintenance for the excellent hardware/mailserver. Thank you very much.
Chat & questions
Build
Docker image
mailserver2/mailserver is a simple and full-featured mail server build as a set of multiple docker images, including:
- Postfix: a full-set SMTP email server
- Dovecot: secure IMAP and POP3 email server
- Rspamd: anti-spam filter with SPF, DKIM, DMARC, ARC, rate limiting and greylisting capabilities
- Clamav: antivirus with automatic updates and third-party signature databases
- Zeyple: automatic GPG encryption of all your emails
- Sieve: email filtering (vacation auto-responder, auto-forward, etc...)
- Fetchmail: fetch emails from external IMAP/POP3 server into local mailbox
- Rainloop: web based email client
- Postfixadmin: web-based administration interface
- Unbound: recursive caching DNS resolver with DNSSEC support
- NSD: authoritative DNS server with DNSSEC support
- Træfik: modern HTTP reverse proxy
- SSL: Let's Encrypt with auto-renewal (SAN and wildcard certificates), custom and self-signed certificates support
- *OpenLDAP: [BETA] LDAP support available (only in
1.1-latestfor now) - Supporting multiple virtual domains over MySQL/PostgreSQL backend
- Integration tests with Travis CI
- Automated builds on DockerHub
Summary
- mailserver2/mailserver
- Fork
- Chat & questions
- Build
- Docker image
- Summary
- System Requirements
- Prerequisites
- Installation
- Rancher Catalog
- Ansible Playbooks
- Environment variables
- Automatic GPG encryption of all your emails
- Relaying from other networks
- SSL certificates
- MTA-STS
- Third-party Clamav signature databases
- Unbound DNS resolver
- PostgreSQL support
- LDAP support
- IPv6 support
- Persistent files and folders in /mnt/docker/mail Docker volume
- Override postfix configuration
- Custom configuration for Dovecot
- Postfix blacklist
- Email client settings
- Components
- Migration from 1.0 to 1.1
- Migration from hardware/mailserver to mailserver2/mailserver
- Community projects
- Some useful Thunderbird extensions
System Requirements
Please check, if your system meets the following minimum requirements:
With MariaDB/PostgreSQL and Redis on the same host
With MariaDB/PostgreSQL and Redis hosted on another server
| Type | Without ClamAV | With ClamAV |
|---|---|---|
| CPU | 1 GHz | 1 GHz |
| RAM | 512 MiB | 1 GiB |
Back to table of contents :arrow_up_small:
Prerequisites
Cleaning
Please remove any web server and mail services running on your server. I recommend using a clean installation of your preferred distribution. If you are using Debian, remember to remove the default MTA Exim4:
# apt-get purge exim4*
Also make sure that no other application is interfering with mail server configuration:
# netstat -tulpn | grep -E -w '25|80|110|143|443|465|587|993|995|4190'
If this command returns any results please remove or stop the application running on that port.
Ports
If you have a firewall, unblock the following ports, according to your needs:
| Service | Software | Protocol | Port |
|---|---|---|---|
| SMTP | Postfix | TCP | 25 |
| HTTP | Nginx | TCP | 80 |
| POP3 | Dovecot | TCP | 110 |
| IMAP | Dovecot | TCP | 143 |
| HTTPS | Nginx | TCP | 443 |
| SMTPS | Postfix | TCP | 465 |
| Submission | Postfix | TCP | 587 |
| IMAPS | Dovecot | TCP | 993 |
| POP3S | Dovecot | TCP | 995 |
| ManageSieve | Dovecot | TCP | 4190 |
DNS setup
I recommend you to use hardware/nsd-dnssec as an authoritative name server with DNSSEC capabilities. NSD is an authoritative only, high performance, simple and open source name server.
DNS records and reverse PTR
A correct DNS setup is required, this step is very important.
| HOSTNAME | CLASS | TYPE | PRIORITY | VALUE |
|---|---|---|---|---|
| IN | A/AAAA | any | 1.2.3.4 | |
| spam | IN | CNAME | any | mail.domain.tld. |
| webmail | IN | CNAME | any | mail.domain.tld. |
| postfixadmin | IN | CNAME | any | mail.domain.tld. |
| @ | IN | MX | 10 | mail.domain.tld. |
| @ | IN | TXT | any | "v=spf1 a mx ip4:SERVER_IPV4 ~all" |
| {{selector}}._domainkey | IN | TXT | any | "v=DKIM1; k=rsa; p=YOUR DKIM Public Key" |
| _dmarc | IN | TXT | any | "v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=0; adkim=s; aspf=s; pct=100; rf=afrf; sp=reject" |
Notes:
- Make sure that the PTR record of your IP matches the FQDN (default: mail.domain.tld) of your mailserver host. This record is usually set in your web hosting interface.
- {{selector}} defaults to
mailunless changed viaDKIM_SELECTOR - DKIM, SPF and DMARC records are recommended to build a good reputation score.
- The DKIM public key will be available on host after the container startup:
/mnt/docker/mail/dkim/domain.tld/{{selector}}.public.key
To regenerate your public and private keys, remove the /mnt/docker/mail/dkim/domain.tld folder. By default a 1024-bit key is generated, you can increase this size by setting the DKIM_KEY_LENGTH environment variable with a higher value. Check your domain registrar support to verify that it supports a TXT record long enough for a key larger than 1024 bits.
These DNS record will raise your trust reputation score and reduce abuse of your domain name. You can find more information here:
Testing
You can audit your mailserver with the following assessment services:
- https://www.mail-tester.com/
- https://www.hardenize.com/
- https://observatory.mozilla.org/
- https://www.emailprivacytester.com/ (MUA side)
Back to table of contents :arrow_up_small:
Installation
1 - Prepare your environment
:bulb: The reverse proxy used in this setup is Traefik, but you can use the solution of your choice (Nginx, Apache, Haproxy, Caddy, H2O, etc pp).
:warning: This docker image may not work with some hardened Linux distribution using security-enhancing kernel patches like GrSecurity, please use a supported platform.
# Create a new docker network for Traefik (IPv4 only)
docker network create http_network
# If you want to support IPv6, please refer to [IPv6 support]
# Create the required folders and files
mkdir -p /mnt/docker/traefik/acme && cd /mnt/docker \
&& curl https://raw.githubusercontent.com/mailserver2/mailserver/master/docker-compose.sample.yml -o docker-compose.yml \
&& curl https://raw.githubusercontent.com/mailserver2/mailserver/master/sample.env -o .env \
&& curl https://raw.githubusercontent.com/mailserver2/mailserver/master/traefik.sample.toml -o traefik/traefik.toml \
&& touch traefik/acme/acme.json \
&& chmod 600 docker-compose.yml .env traefik/traefik.toml traefik/acme/acme.json
Edit the .env and traefik.toml, adapt to your needs, then start all services:
docker-compose up -d
2 - Postfixadmin installation
PostfixAdmin is a web based interface used to manage mailboxes, virtual domains and aliases.
- Docker image: https://github.com/hardware/postfixadmin
- How to setup: Postfixadmin initial configuration
3 - Rainloop installation (optional)
Rainloop is a simple, modern and fast web mail front end with Sieve scripts support (filters and vacation message), GPG and a modern user interface.
- Docker image: https://github.com/hardware/rainloop
- How to setup: Rainloop initial configuration
4 - Done, congratulation ! :tada:
At first launch, the container takes few minutes to generate SSL certificates (if needed), DKIM keypair generation and update Clamav database, all of this takes some time (1/2 minutes). This image comes with a snake-oil self-signed certificate, please use your own trusted certificates. See below for configuration.
List of webservices available:
| Service | URI |
|---|---|
| Traefik dashboard | https://mail.domain.tld/ |
| Rspamd dashboard | https://spam.domain.tld/ |
| Administration | https://postfixadmin.domain.tld/ |
| Webmail | https://webmail.domain.tld/ |
Traefik dashboard use a basic authentication (user:admin, password:12345), the password can be encoded in MD5, SHA1 and BCrypt. You can use htpasswd to generate those ones. Users can be specified directly in the traefik.toml file. Rspamd dashboard use the password defined in your docker-compose.yml.
You can check the startup logs with this command:
# docker logs -f mailserver
[INFO] Let's encrypt live directory found
[INFO] Using /etc/letsencrypt/live/mail.domain.tld folder
[INFO] Creating DKIM keys for domain domain.tld
[INFO] Database hostname found in /etc/hosts
[INFO] Fetchmail forwarding is enabled.
[INFO] Automatic GPG encryption is enabled.
[INFO] ManageSieve protocol is enabled.
[INFO] POP3 protocol is enabled.
-------------------------------------------------------------------------------------
2017-08-26T11:06:58.885562+00:00 mail root: s6-supervise : spawning clamd process
2017-08-26T11:06:59.059077+00:00 mail root: s6-supervise : spawning freshclam process
2017-08-26T11:06:59.395214+00:00 mail root: s6-supervise : spawning rspamd process
2017-08-26T11:07:01.615597+00:00 mail root: s6-supervise : spawning unbound process
2017-08-26T11:07:01.870856+00:00 mail root: s6-supervise : spawning postfix process
2017-08-26T11:07:03.303536+00:00 mail root: s6-supervise : spawning dovecot process
...
Back to table of contents :arrow_up_small:
Rancher Catalog

https://github.com/hardware/mailserver-rancher
This catalog provides a basic template to easily deploy an email server based on hardware/mailserver very quickly. To use it, just add this repository to your Rancher system as a catalog in Admin > Settings page and follow the readme. This catalog has been initiated by @MichelDiz.

Back to table of contents :arrow_up_small:
Ansible Playbooks

If you use Ansible, I recommend you to go to see @ksylvan playbooks here: https://github.com/ksylvan/docker-mail-server
Back to table of contents :arrow_up_small:
Environment variables
| Variable | Description | Type | Default value |
|---|---|---|---|
| VMAILUID | vmail user id | optional | 1024 |
| VMAILGID | vmail group id | optional | 1024 |
| VMAIL_SUBDIR | Individual mailbox' subdirectory | optional | |
| DKIM_KEY_LENGTH | Size of your DKIM RSA key pair | optional | 1024 |
| DKIM_SELECTOR | Your DKIM selector | optional | mail |
| DEBUG_MODE | Enable Postfix, Dovecot, Rspamd and Unbound verbose logging | optional | false |
| PASSWORD_SCHEME | Passwords encryption scheme | optional | SHA512-CRYPT |
| DBDRIVER | Database type: mysql, pgsql, ldap | optional | mysql |
| DBHOST | Database instance ip/hostname | optional | mariadb |
| DBPORT | Database instance port | optional | 3306 / 389 (sql/ldap) |
| DBUSER | Database username | optional | postfix |
| DBNAME | Database name | optional | postfix |
| DBPASS | Database password or location of a file containing it | required *1) | null |
| REDIS_HOST | Redis instance ip/hostname | optional | redis |
| REDIS_PORT | Redis instance port | optional | 6379 |
| REDIS_PASS | Redis database password or location of a file containing it | optional | null |
| REDIS_NUMB | Redis database number | optional | 0 |
| RSPAMD_PASSWORD | Rspamd WebUI and controller password or location of a file containing it | required | null |
| ADD_DOMAINS | Add additional domains to the mailserver separated by commas (needed for dkim keys etc.) | optional | null |
| RELAY_NETWORKS | Additional IPs or networks the mailserver relays without authentication | optional | null |
| WHITELIST_SPAM_ADDRESSES | List of whitelisted email addresses separated by commas | optional | null |
| DISABLE_RSPAMD_MODULE | List of disabled modules separated by commas | optional | null |
| DISABLE_CLAMAV | Disable virus scanning | optional | false |
| DISABLE_SIEVE | Disable ManageSieve protocol | optional | false |
| DISABLE_SIGNING | Disable DKIM/ARC signing | optional | false |
| DISABLE_GREYLISTING | Disable greylisting policy | optional | false |
| DISABLE_RATELIMITING | Disable rate limiting policy | optional | true |
| DISABLE_DNS_RESOLVER | Disable the local DNS resolver | optional | false |
| DISABLE_SSL_WATCH | Disable watching of acme.json and the Let's Encrypt directory | optional | false |
| ENABLE_POP3 | Enable POP3 protocol | optional | false |
| ENABLE_FETCHMAIL | Enable fetchmail forwarding | optional | false |
| ENABLE_ENCRYPTION | Enable automatic GPG encryption | optional | false |
| FETCHMAIL_INTERVAL | Fetchmail polling interval | optional | 10 |
| RECIPIENT_DELIMITER | RFC 5233 subaddress extension separator (single character only) | optional | + |
*1) DBPASS is NOT required when using LDAP authentication
- Use DEBUG_MODE to enable the debug mode. Switch to
trueto enable verbose logging forpostfix,dovecot,rspamdandUnbound. To debug components separately, use this syntax:DEBUG_MODE=postfix,rspamd. - VMAIL_SUBDIR is the mail location subdirectory name
/var/mail/vhosts/%domain/%user/$subdir. For more information, read this: https://wiki.dovecot.org/VirtualUsers/Home - PASSWORD_SCHEME for compatible schemes, read this: https://wiki.dovecot.org/Authentication/PasswordSchemes
- Currently, only a single RECIPIENT_DELIMITER is supported. Support for multiple delimiters will arrive with Dovecot v2.3.
- FETCHMAIL_INTERVAL must be a number between 1 and 59 minutes.
- Use DISABLE_DNS_RESOLVER if you have some DNS troubles and DNSSEC lookup issues with the local DNS resolver.
- Use DISABLE_RSPAMD_MODULE to disable any module listed here: https://rspamd.com/doc/modules/
- OPENDKIM_KEY_LENGTH has been renamed to DKIM_KEY_LENGTH, but falls back to OPENDKIM_KEY_LENGTH for backwards compatability
When using LDAP authentication the following additional variables become available. All DBUSER, DBNAME and DBPASS variables will not be used in this case:
Back to table of contents :arrow_up_small:
Automatic GPG encryption of all your emails
How does it work ?
Zeyple catches email from the postfix queue, then encrypts it if a corresponding recipient's GPG public key is found. Finally, it puts it back into the queue.

Enable automatic GPG encryption
:heavy_exclamation_mark: Please enable this option carefully and only if you know what you are doing.
Switch ENABLE_ENCRYPTION environment variable to true. The public keyring will be saved in /var/mail/zeyple/keys.
Please don't change the default value of RECIPIENT_DELIMITER (default = "+"). If encryption is enabled with another delimiter, Zeyple could have an unpredictable behavior.
Import your public key
:warning: Make sure to send your public key on a GPG keyserver before to run the following command.
docker exec -ti mailserver encryption.sh import-key YOUR_KEY_ID
Import all recipients public keys
This command browses all /var/mail/vhosts/* domains directories and users subdirectories to find all the recipients addresses in the mailserver.
docker exec -ti mailserver encryption.sh import-all-keys
Specify another GPG keyserver
docker exec -ti mailserver encryption.sh import-key YOUR_KEY
Tag summary
Content type
Image
Digest
sha256:4b72e9abe…
Size
153.9 MB
Last updated
22 days ago
docker pull mailserver2/mailserver