complete mail server with docker

Retour

the host hosting the mail server is mail.raphaelpiccolo.com

the domain is the part after the @. it means that emails will be sendable to *@raphaelpiccolo.com

compose

create this docker-compose.yml file :

mail:
    image: tvial/docker-mailserver:stable
    restart: always
    container_name: mail
    ports:
        # smtp (accept starttls) for transfer
        - "25:25"
        # esmtp (accept starttls) for submission
        - "587:587"
        # esmtp (forced encryption) for submission
        # - "465:465"
        # imap4 (accept starttls) for retrieval
        - "143:143"
        # imap4 (forced encryption) for retrieval
        - "993:993"
        # pop3 (accept starttls) for retrieval
        # - "110:110"
        # pop3 (forced encryption) for retrieval
        # - "995:995"
    cap_add:
        - NET_ADMIN
        - SYS_PTRACE
    hostname: mail.raphaelpiccolo.com
    domainname: raphaelpiccolo.com
    volumes:
        - ./mail/maildata:/var/mail
        - ./mail/mailstate:/var/mail-state
        - ./mail/maillogs:/var/log/mail
        - ./mail/config/:/tmp/docker-mailserver/
        - ./traefik/acme.json:/etc/letsencrypt/acme.json:ro
    environment:
        - "SSL_TYPE=letsencrypt"
        - "SPOOF_PROTECTION=1"

# only useful to generate the https certificate used in mailserver
mailssl:
    image: containous/whoami
    container_name: mailssl
    labels:
        - traefik.enable=true
        - traefik.http.routers.mail.rule=Host(`mail.raphaelpiccolo.com`)
        - traefik.http.services.mail.loadbalancer.server.port=143
        - traefik.http.routers.mail.tls.certresolver=le
        - traefik.http.routers.mail.entrypoints=websecure
        - traefik.http.routers.mail.middlewares=securityheaders

webmail:
    image: hardware/rainloop
    restart: always
    container_name: webmail
    depends_on:
        - mail
    volumes:
        - ./webmail:/rainloop/data
    environment:
        - LOG_TO_STDOUT=true
    labels:
        - traefik.enable=true
        - traefik.http.routers.webmail.rule=Host(`webmail.raphaelpiccolo.com`)
        - traefik.http.routers.webmail.tls.certresolver=le
        - traefik.http.routers.webmail.entrypoints=websecure
        - traefik.http.routers.webmail.middlewares=securityheaders

get the setup script

curl -o setup.sh https://raw.githubusercontent.com/tomav/docker-mailserver/master/setup.sh; chmod a+x ./setup.sh

check the dns of your domain :

# the A record tells what is the ip of the server
IN A      X.X.X.X
mail IN A      X.X.X.X

# the mx record tells which server to call when you need to send emails ending like this @raphaelpiccolo.com
# they will call port 25 on this server
IN MX     10 mail.raphaelpiccolo.com.

create an email account

execute this command

bash setup.sh email add contact@raphaelpiccolo.com xxx

it will create a line in the file

emacs config/postfix-accounts.cf
contact@raphaelpiccolo.com|xxxxxxxxxx

catchall address:

now every mails sent to *@raphaelpiccolo.com will be redirected to contact@raphaelpiccolo.com

emacs config/postfix-virtual.cf

@raphaelpiccolo.com contact@raphaelpiccolo.com

test working

to test that local smtp is working and that the mailserver delivers the mails to the mailbox :

docker-compose up -d --force-recreate mail

swaks -t contact@raphaelpiccolo.com -f contact@raphaelpiccolo.com --header "Subject: foo"

will show this for success

<-  250 2.0.0 Ok: queued as EEF106F804EE

you can see the delivered mail in maildata/raphaelpiccolo.com/contact/new

you can download this mail from your phone or from a webmail.

do not send directly our mails to spam :)

DKIM to sign the message

run this to create keys

bash setup.sh config dkim

it will create this file containing what you should add in your dns

emacs ./config/opendkim/keys/raphaelpiccolo.com/mail.txt

then add this in dns

mail._domainkey        IN TXT    ( "v=DKIM1; h=sha256; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8XOWBJea+/0q8FOnbdWx7micDDhXv5r4dYlF6fLnA8nOzm6OAUZpppD8nXZN5SbBU9UxVRJcmBe/cVUaXbgL9vo5TxcjYpEOpx5/1nd3GsgNsPm9Ur8DhOTBN0yKSRfbRNWJXSL273jP7j/9heQI3ah4KUOh3LIjT5xCGyd3vlZTZ2/Qio" "V0xC5zckkS7HNaH3Bi655fMvlXhULM79mvw2aJAG83JfPc4ybwAPthFTIMsxyQ9sAIiEpBP2+OHscL4H42ul0MoAxrNTUW468QD5RuruKA3z5IBBngwKu7EELJQduSoQV1XfZB7rQCOMjtFCs6jpHu9Izr2CyUgBBeewIDAQAB" )

the spf record tells which server are authorized to send emails

authorise all the servers listed in mx. "~" means no problem if its another server
consider switching to "-" when everything works

IN TXT    "v=spf1 mx ~all"

dmarc record uses dkim and spf for more quality

_dmarc                 IN TXT    "v=DMARC1; p=none; rua=mailto:dmarc.report@raphaelpiccolo.com; ruf=mailto:dmarc.report@raphaelpiccolo.com; sp=none; ri=86400"

now you can restart and test

docker-compose up -d --force-recreate mail

rainloop

its a webmail, it connects to the server to retrieve emails.
(you can also configure email reception directly on your phone)

use default password to first log

https://webmail.raphaelpiccolo.com/?admin
admin
12345

then change password

then add a domain : raphaelpiccolo.com

imap:
    server : mail.raphaelpiccolo.com
    port: 143
    security : starttls

smtp
    server : mail.raphaelpiccolo.com
    port: 587
    security : starttls
    use authentification

the whitelist can stay empty

multiple domains

if you want to add a new domain to the existing server

configure mx on new.com to point to raphaelpiccolo.com

add a new account for the new domain :

bash setup.sh email add contact@new.com xxx

generate dkim agaim

add dkim + spf + dmarc in your dns

generate the ssl certificate :
replace this line

traefik.http.routers.mail.rule=Host(`mail.raphaelpiccolo.com`)

with

traefik.http.routers.mail.rule=Host(`mail.raphaelpiccolo.com`, `mail.new.com`, )