tvial/docker-mailserver docker image 镜像

 docker pull tvial/docker-mailserver 

# docker-mailserver

A fullstack but simple mail server (SMTP, IMAP, Antispam, Antivirus...). Only configuration files, no SQL database. Keep it simple and versioned. Easy to deploy and upgrade.

Why this image was created.

1. Announcements
2. Includes
3. Issues & Contributing
4. Requirements
5. Usage
6. Examples
7. Environment Variables

Announcements

1. Since version v7.1.0, the use of default variables has changed slightly. Please consult the environment Variables sections
2. New contributing guidelines were added
3. Added coherent coding style and linting
4. Added option to use non-default network interface

Includes

• Postfix with SMTP or LDAP auth
• Dovecot for SASL, IMAP (and optional POP3) with SSL support, with LDAP auth, Sieve and quotas
• Amavis
• Spamassasin supporting custom rules
• ClamAV with automatic updates
• OpenDKIM
• OpenDMARC
• Fail2ban
• Fetchmail
• Postscreen
• Postgrey
• LetsEncrypt and self-signed certificates
• Setup script to easily configure and maintain your mailserver
• basic Sieve support using dovecot
• SASLauthd with LDAP auth
• persistent data and state (but think about backups!)
• Integration tests
• Automated builds on docker hub
• Plus addressing (a.k.a. extension delimiters) works out of the box: email for [email protected] go to [email protected]

Issues & Contributing

Before opening an issue, please have a look this README, the Wiki and the Postfix/Dovecot documentation.

If you'd like to contribute, read CONTRIBUTING.md thoroughly.

Requirements

Recommended:

• 1 Core
• 1-2GB RAM
• Swap enabled for the container

Minimum:

• 1 vCore
• 512MB RAM

Note: You'll need to deactivate some services like ClamAV to be able to run on a host with 512MB of RAM. Even with 1G RAM you may run into problems without swap, see FAQ.

Usage

Get the tools

Download the docker-compose.yml, compose.env, mailserver.env and the setup.sh files:

wget https://raw.githubusercontent.com/tomav/docker-mailserver/master/setup.sh
wget https://raw.githubusercontent.com/tomav/docker-mailserver/master/docker-compose.yml
wget https://raw.githubusercontent.com/tomav/docker-mailserver/master/mailserver.env
curl -o .env https://raw.githubusercontent.com/tomav/docker-mailserver/master/compose.env

chmod a+x ./setup.sh

Create a docker-compose environment

• Install the latest docker-compose
• Edit the files .env and mailserver.env to your liking:
  • .env contains the configuration for docker-compose
  • mailserver.env contains the configuration for the mailserver container
  • These files supports only simple VAR=VAL lines (see Documentation).
  • Don't quote your values.
  • Variable substitution is not supported (e.g. OVERRIDE_HOSTNAME=$HOSTNAME.$DOMAINNAME).

Note: Variables in .env are expanded in the docker-compose.yml file only and not in the container. The file mailserver.env serves this case where environment variables are used in the container.

Note: If you want to use a bare domain (host name equals domain name) see FAQ.

Get up and running

Default - Without SELinux

docker-compose up -d mail

./setup.sh email add <user@domain> [<password>]
./setup.sh config dkim

With SELinux

Edit the files .env and docker-compose.yml. In .env uncomment the variable SELINUX_LABEL. If you want the volume bind mount to be shared among other containers switch -Z to -z. In docker-compose.yml, uncomment the line that contains ${SELINUX_LABEL} and comment out or remove the line above.

Note: When using setup.sh use the option -z or -Z. This should match the value of SELINUX_LABEL in the .env file. See the wiki for more information regarding setup.sh.

docker-compose up -d mail

./setup.sh -Z email add <user@domain> [<password>]
./setup.sh -Z config dkim

DNS - DKIM

Now that the keys are generated, you can configure your DNS server by just pasting the content of config/opendkim/keys/domain.tld/mail.txt in your domain.tld.hosts zone.

Miscellaneous

Restart and update the container

docker-compose down
docker pull tvial/docker-mailserver:<VERSION TAG>
docker-compose up -d mail

You're done! And don't forget to have a look at the remaining functions of the setup.sh script with ./setup.sh -h.

SPF/Forwarding Problems

If you got any problems with SPF and/or forwarding mails, give SRS a try. You enable SRS by setting ENABLE_SRS=1. See the variable description for further information.

Exposed ports

Protocol	Opt-in Encryption ¹	Enforced Encryption	Purpose
SMTP	25	N/A	Transfer²
ESMTP	587	465³	Submission
POP3	110	995	Retrieval
IMAP4	143	993	Retrieval

1. A connection may be secured over TLS when both ends support STARTTLS. On ports 110, 143 and 587, docker-mailserver will reject a connection that cannot be secured. Port 25 is required to support insecure connections.
2. Receives email and filters for spam and viruses. For submitting outgoing mail you should prefer the submission ports(465, 587), which require authentication. Unless a relay host is configured, outgoing email will leave the server via port 25(thus outbound traffic must not be blocked by your provider or firewall).
3. A submission port since 2018, RFC 8314. Originally a secure variant of port 25.

See the wiki for further details and best practice advice, especially regarding security concerns.

Examples

With Relevant Environmental Variables

version: '3.8'

services:
  mail:
    image: tvial/docker-mailserver:latest
    hostname: mail          # ${HOSTNAME}
    domainname: domain.com  # ${DOMAINNAME}
    container_name: mail    # ${CONTAINER_NAME}
    ports:
      - "25:25"
      - "143:143"
      - "587:587"
      - "993:993"
    volumes:
      - maildata:/var/mail
      - mailstate:/var/mail-state
      - maillogs:/var/log/mail
      - ./config/:/tmp/docker-mailserver/
    environment:
      - ENABLE_SPAMASSASSIN=1
      - SPAMASSASSIN_SPAM_TO_INBOX=1
      - ENABLE_CLAMAV=1
      - ENABLE_FAIL2BAN=1
      - ENABLE_POSTGREY=1
      - ONE_DIR=1
      - DMS_DEBUG=0
    cap_add:
      - NET_ADMIN
      - SYS_PTRACE
    restart: always

volumes:
  maildata:
  mailstate:
  maillogs:

LDAP setup

version: '3.8'

services:
  mail:
    image: tvial/docker-mailserver:latest
    hostname: mail          # ${HOSTNAME}
    domainname: domain.com  # ${DOMAINNAME}
    container_name: mail    # ${CONTAINER_NAME}
    ports:
      - "25:25"
      - "143:143"
      - "587:587"
      - "993:993"
    volumes:
      - maildata:/var/mail
      - mailstate:/var/mail-state
      - maillogs:/var/log/mail
      - ./config/:/tmp/docker-mailserver/
    environment:
      - ENABLE_SPAMASSASSIN=1
      - SPAMASSASSIN_SPAM_TO_INBOX=1
      - ENABLE_CLAMAV=1
      - ENABLE_FAIL2BAN=1
      - ENABLE_POSTGREY=1
      - ONE_DIR=1
      - DMS_DEBUG=0
      - ENABLE_LDAP=1
      - LDAP_SERVER_HOST=ldap # your ldap container/IP/ServerName
      - LDAP_SEARCH_BASE=ou=people,dc=localhost,dc=localdomain
      - LDAP_BIND_DN=cn=admin,dc=localhost,dc=localdomain
      - LDAP_BIND_PW=admin
      - LDAP_QUERY_FILTER_USER=(&(mail=%s)(mailEnabled=TRUE))
      - LDAP_QUERY_FILTER_GROUP=(&(mailGroupMember=%s)(mailEnabled=TRUE))
      - LDAP_QUERY_FILTER_ALIAS=(|(&(mailAlias=%s)(objectClass=PostfixBookMailForward))(&(mailAlias=%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE)))
      - LDAP_QUERY_FILTER_DOMAIN=(|(&(mail=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailGroupMember=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailalias=*@%s)(objectClass=PostfixBookMailForward)))
      - DOVECOT_PASS_FILTER=(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))
      - DOVECOT_USER_FILTER=(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))
      - ENABLE_SASLAUTHD=1
      - SASLAUTHD_MECHANISMS=ldap
      - SASLAUTHD_LDAP_SERVER=ldap
      - SASLAUTHD_LDAP_BIND_DN=cn=admin,dc=localhost,dc=localdomain
      - SASLAUTHD_LDAP_PASSWORD=admin
      - SASLAUTHD_LDAP_SEARCH_BASE=ou=people,dc=localhost,dc=localdomain
      - SASLAUTHD_LDAP_FILTER=(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%U))
      - [email protected]
      - POSTFIX_MESSAGE_SIZE_LIMIT=100000000
    cap_add:
      - NET_ADMIN
      - SYS_PTRACE
    restart: always

volumes:
  maildata:
  mailstate:
  maillogs:

Environment variables

If an option doesn't work as documented here, check if you are running the latest image! Values in bold are the default values.

Note: Since docker-mailserver v7.1.0, comparisons for environment variables are executed differently. If you previously used VARIABLE='' as the empty value, please update to now use VARIABLE=.

Assignments

General

DMS_DEBUG

• 0 => Debug disabled
• 1 => Enables debug on startup

ENABLE_CLAMAV

• 0 => Clamav is disabled
• 1 => Clamav is enabled

ONE_DIR

• 0 => state in default directories
• 1 => consolidate all states into a single directory (/var/mail-state) to allow persistence using docker volumes

ENABLE_POP3

• empty => POP3 service disabled
• 1 => Enables POP3 service

ENABLE_FAIL2BAN

• 0 => fail2ban service disabled
• 1 => Enables fail2ban service

If you enable Fail2Ban, don't forget to add the following lines to your docker-compose.yml:

cap_add:
  - NET_ADMIN

Otherwise, iptables won't be able to ban IPs.

SMTP_ONLY

• empty => all daemons start
• 1 => only launch postfix smtp

SSL_TYPE

• empty => SSL disabled
• letsencrypt => Enables Let's Encrypt certificates
• custom => Enables custom certificates
• manual => Let you manually specify locations of your SSL certificates for non-standard cases
  • self-signed => Enables self-signed certificates
  • any other value => SSL required, settings by default

Please read the SSL page in the wiki for more information.

TLS_LEVEL

• empty => modern
• modern => Enables TLSv1.2 and modern ciphers only. (default)
• intermediate => Enables TLSv1, TLSv1.1 and TLSv1.2 and broad compatibility ciphers.
• old => NOT implemented. If you really need it, then customize the TLS ciphers overriding postfix and dovecot settings wiki

SPOOF_PROTECTION

Configures the handling of creating mails with forged sender addresses.

• empty => Mail address spoofing allowed. Any logged in user may create email messages with a forged sender address. See also Wikipedia(not recommended, but default for backwards compatibility reasons)
• 1 => (recommended) Mail spoofing denied. Each user may only send with his own or his alias addresses. Addresses with extension delimiters are not able to send messages.

ENABLE_SRS

Enables the Sender Rewriting Scheme. SRS is needed if your mail server acts as forwarder. See postsrsd for further explanation.

• 0 => Disabled
• 1 => Enabled

PERMIT_DOCKER

Set different options for mynetworks option (can be overwrite in postfix-main.cf) WARNING: Adding the docker network's gateway to the list of trusted hosts, e.g. using the network or connected-networks option, can create an open relay, for instance if IPv6 is enabled on the host machine but not in Docker.

• empty => localhost only
• host => Add docker host (ipv4 only)
• network => Add the docker default bridge network (172.16.0.0/12); WARNING: docker-compose might use others (e.g. 192.168.0.0/16) use PERMIT_DOCKER=connected-networks in this case
• connected-networks => Add all connected docker networks (ipv4 only)

Note: you probably want to set POSTFIX_INET_PROTOCOLS=ipv4 to make it work fine with Docker.

NETWORK_INTERFACE

In case your network interface differs from eth0, e.g. when you are using HostNetworking in Kubernetes, you can set this to whatever interface you want. This interface will then be used.

• empty => eth0

VIRUSMAILS_DELETE_DELAY

Set how many days a virusmail will stay on the server before being deleted

• empty => 7 days

ENABLE_POSTFIX_VIRTUAL_TRANSPORT

This Option is activating the Usage of POSTFIX_DAGENT to specify a ltmp client different from default dovecot socket.

• empty => disabled
• 1 => enabled

POSTFIX_DAGENT

Enabled by ENABLE_POSTFIX_VIRTUAL_TRANSPORT. Specify the final delivery of postfix

• empty: fail
• lmtp:unix:private/dovecot-lmtp (use socket)
• lmtps:inet:<host>:<port> (secure lmtp with starttls, take a look at https://sys4.de/en/blog/2014/11/17/sicheres-lmtp-mit-starttls-in-dovecot/)
• lmtp:<kopano-host>:2003 (use kopano as mailstore)
• etc.

POSTFIX_MAILBOX_SIZE_LIMIT

Set the mailbox size limit for all users. If set to zero, the size will be unlimited (default).

• empty => 0 (no limit)

ENABLE_QUOTAS

• 1 => Dovecot quota is enabled
• 0 => Dovecot quota is disabled

See mailbox quota.

POSTFIX_MESSAGE_SIZE_LIMIT

Set the message size limit for all users. If set to zero, the size will be unlimited (not recommended!)

• empty => 10240000 (~10 MB)

ENABLE_MANAGESIEVE

• empty => Managesieve service disabled
• 1 => Enables Managesieve on port 4190

OVERRIDE_HOSTNAME

• empty => uses the hostname command to get the mail server's canonical hostname
• => Specify a fully-qualified domainname to serve mail for. This is used for many of the config features so if you can't set your hostname (e.g. you're in a container platform that doesn't let you) specify it in this environment variable.

POSTMASTER_ADDRESS

• empty => [email protected]
• => Specify the postmaster address

POSTSCREEN_ACTION

• enforce => Allow other tests to complete. Reject attempts to deliver mail with a 550 SMTP reply, and log the helo/sender/recipient information. Repeat this test the next time the client connects.
• drop => Drop the connection immediately with a 521 SMTP reply. Repeat this test the next time the client connects.
• ignore => Ignore the failure of this test. Allow other tests to complete. Repeat this test the next time the client connects. This option is useful for testing and collecting statistics without blocking mail.

DOVECOT_MAILBOX_FORMAT

• maildir => uses very common Maildir format, one file contains one message
• sdbox => (experimental) uses Dovecot high-performance mailbox format, one file contains one message
• mdbox ==> (experimental) uses Dovecot high-performance mailbox format, multiple messages per file and multiple files per box

This option has been added in November 2019. Using other format than Maildir is considered as experimental in docker-mailserver and should only be used for testing purpose. For more details, please refer to Dovecot Documentation.

POSTFIX_INET_PROTOCOLS

• all => All possible protocols.
• ipv4 => Use only IPv4 traffic. Most likely you want this behind Docker.
• ipv6 => Use only IPv6 traffic.

Note: More details in http://www.postfix.org/postconf.5.html#inet_protocols

Reports

PFLOGSUMM_TRIGGER

Enables regular pflogsumm mail reports.

• not set => No report
• daily_cron => Daily report for the previous day
• logrotate => Full report based on the mail log when it is rotated

This is a new option. The old REPORT options are still supported for backwards compatibility. If this is not set and reports are enabled with the old options, logrotate will be used.

PFLOGSUMM_RECIPIENT

Recipient address for pflogsumm reports.

• not set => Use REPORT_RECIPIENT or POSTMASTER_ADDRESS
• => Specify the recipient address(es)

PFLOGSUMM_SENDER

From address for pflogsumm reports.

• not set => Use REPORT_SENDER or POSTMASTER_ADDRESS
• => Specify the sender address

LOGWATCH_INTERVAL

Interval for logwatch report.

• none => No report is generated
• daily => Send a daily report
• weekly => Send a report every week

LOGWATCH_RECIPIENT

Recipient address for logwatch reports if they are enabled.

• not set => Use REPORT_RECIPIENT or POSTMASTER_ADDRESS
• => Specify the recipient address(es)

REPORT_RECIPIENT (deprecated)

Enables a report being sent (created by pflogsumm) on a regular basis.

• 0 => Report emails are disabled unless enabled by other options
• 1 => Using POSTMASTER_ADDRESS as the recipient
• => Specify the recipient address

REPORT_SENDER (deprecated)

Change the sending address for mail report

• empty => mailserver-report@hostname
• => Specify the report sender (From) address

REPORT_INTERVAL (deprecated)

Changes the interval in which logs are rotated and a report is being sent (deprecated).

• daily => Send a daily report
• weekly => Send a report every week
• monthly => Send a report every month

Note: This variable used to control logrotate inside the container and sent the pflogsumm report when the logs were rotated. It is still supported for backwards compatibility, but the new option LOGROTATE_INTERVAL has been added that only rotates the logs.

LOGROTATE_INTERVAL

Defines the interval in which the mail log is being rotated.

• daily => Rotate daily.
• weekly => Rotate weekly.
• monthly => Rotate monthly.

Note that only the log inside the container is affected. The full log output is still available via docker logs mail (or your respective container name). If you want to control logrotation for the docker generated logfile see: Docker Logging Drivers.

Also note that by default the logs are lost when the container is recycled. To keep the logs, mount a volume.

Finally the logrotate interval may affect the period for generated reports. That is the case when the reports are triggered by log rotation.

Spamassassin

ENABLE_SPAMASSASSIN

• 0 => Spamassassin is disabled
• 1 => Spamassassin is enabled

/!\ Spam delivery: when Spamassassin is enabled, messages marked as spam WILL NOT BE DELIVERED. Use SPAMASSASSIN_SPAM_TO_INBOX=1 for receiving spam messages.

SPAMASSASSIN_SPAM_TO_INBOX

• 0 => Spam messages will be bounced (rejected) without any notification (dangerous).
• 1 => Spam messages will be delivered to the inbox and tagged as spam using SA_SPAM_SUBJECT.

MOVE_SPAM_TO_JUNK

• 1 => Spam messages will be delivered in the Junk folder.
• 0 => Spam messages will be delivered in the mailbox.

Note: this setting needs SPAMASSASSIN_SPAM_TO_INBOX=1

SA_TAG

• 2.0 => add spam info headers if at, or above that level

Note: this spamassassin setting needs ENABLE_SPAMASSASSIN=1

SA_TAG2

• 6.31 => add 'spam detected' headers at that level

Note: this spamassassin setting needs ENABLE_SPAMASSASSIN=1

SA_KILL

• 6.31 => triggers spam evasive actions

Note: this spamassassin setting needs ENABLE_SPAMASSASSIN=1. By default, the mailserver is configured to quarantine spam emails. If emails are quarantined, they are compressed and stored in a location dependent on the ONE_DIR setting above. If ONE_DIR=1 the location is /var/mail-state/lib-amavis/virusmails/. If ONE_DIR=0 it is /var/lib/amavis/virusmails/. These paths are inside the docker container. To inhibit this behaviour and deliver spam emails, set this to a very high value e.g. 100.0.

SA_SPAM_SUBJECT

• ***SPAM*** => add tag to subject if spam detected

Note: this spamassassin setting needs ENABLE_SPAMASSASSIN=1. Add the spamassassin score to the subject line by inserting the keyword SCORE: ***SPAM(SCORE)***.

SA_SHORTCIRCUIT_BAYES_SPAM

• 1 => will activate spamassassin short circuiting for bayes spam detection.

This will uncomment the respective line in /etc/spamassasin/local.cf

Note: activate this only if you are confident in your bayes database for identifying spam.

SA_SHORTCIRCUIT_BAYES_HAM

• 1 => will activate spamassassin short circuiting for bayes ham detection

This will uncomment the respective line in /etc/spamassasin/local.cf

Note: activate this only if you are confident in your bayes database for identifying ham.

Fetchmail

ENABLE_FETCHMAIL

• 0 => fetchmail disabled
• 1 => fetchmail enabled

FETCHMAIL_POLL

• 300 => fetchmail The number of seconds for the interval

LDAP

ENABLE_LDAP

• empty => LDAP authentification is disabled
• 1 => LDAP authentification is enabled
• NOTE:
  • A second container for the ldap service is necessary (e.g. docker-openldap)
  • For preparing the ldap server to use in combination with this container this article may be helpful

LDAP_START_TLS

• empty => no
• yes => LDAP over TLS enabled for Postfix

LDAP_SERVER_HOST

• empty => mail.domain.com
• => Specify