A fullstack but simple mail server (smtp, imap, antispam, antivirus...). Only configuration files, no SQL database. Keep it simple and versioned. Easy to deploy and upgrade.

Includes:

• postfix with smtp or ldap auth
• dovecot for sasl, imap (and optional pop3) with ssl support, with ldap auth
• saslauthd with ldap auth
• amavis
• spamassasin supporting custom rules
• clamav with automatic updates
• opendkim
• opendmarc
• fail2ban
• fetchmail
• basic sieve support using dovecot
• LetsEncrypt and self-signed certificates
• integration tests
• automated builds on docker hub

Why I created this image: Simple mail server with Docker

Before you open an issue, please have a look this README, the Wiki and Postfix/Dovecot documentation.

docker pull tvial/docker-mailserver:latest

Adapt this file with your FQDN. Install docker-compose in the version 1.6 or higher.

version: '2'

services:
  mail:
    image: tvial/docker-mailserver:latest
    # build: .
    hostname: mail
    domainname: domain.com
    container_name: mail
    ports:
      - "25:25"
      - "143:143"
      - "587:587"
      - "993:993"
    volumes:
      - maildata:/var/mail
      - ./config/:/tmp/docker-mailserver/

volumes:
  maildata:
    driver: local

Don't forget to adapt MAIL_USER and MAIL_PASS to your needs

mkdir -p config
touch config/postfix-accounts.cf
docker run --rm \
  -e [email protected] \
  -e MAIL_PASS=mypassword \
  -ti tvial/docker-mailserver:latest \
  /bin/sh -c 'echo "$MAIL_USER|$(doveadm pw -s SHA512-CRYPT -u $MAIL_USER -p $MAIL_PASS)"' >> config/postfix-accounts.cf

docker run --rm \
  -v "$(pwd)/config":/tmp/docker-mailserver \
  -ti tvial/docker-mailserver:latest generate-dkim-config

Now the keys are generated, you can configure your DNS server by just pasting the content of config/opendkim/keys/domain.tld/mail.txt in your domain.tld.hosts zone.

docker-compose up -d mail

You're done!

Please check how the container starts to understand what's expected.

Value in bold is the default value.

• empty => POP3 service disabled
• 1 => Enables POP3 service

• empty => fail2ban service disabled
• 1 => Enables fail2ban service

If you enable Fail2Ban, don't forget to add the following lines to your docker-compose.yml:

cap_add:
  - NET_ADMIN

Otherwise, iptables won't be able to ban IPs.

• empty => Managesieve service disabled
• 1 => Enables Managesieve on port 4190

• empty => fetchmail disabled
• 1 => fetchmail enabled

• empty => LDAP authentification is disabled
• 1 => LDAP authentification is enabled
• NOTE:
  • A second container for the ldap service is necessary (e.g. docker-openldap)
  • For preparing the ldap server to use in combination with this continer this article may be helpful

• empty => mail.domain.com
• => Specify the dns-name/ip-address where the ldap-server
• NOTE: If you going to use the mailserver in combination with docker-compose you can set the service name here

• empty => ou=people,dc=domain,dc=com
• => e.g. LDAP_SEARCH_BASE=dc=mydomain,dc=local

• empty => cn=admin,dc=domain,dc=com
• => take a look at examples of SASL_LDAP_BIND_DN

• empty => admin
• => Specify the password to bind against ldap

• empty => [email protected]
• => Specify the postmaster address

• 2.0 => add spam info headers if at, or above that level

• 6.31 => add 'spam detected' headers at that level

• 6.31 => triggers spam evasive actions

• empty => saslauthd is disabled
• 1 => saslauthd is enabled

• empty => pam
• ldap => authenticate against ldap server
• shadow => authenticate against local user db
• mysql => authenticate against mysql db
• rimap => authenticate against imap server
• NOTE: can be a list of mechanisms like pam ldap shadow

• empty => None
• e.g. with SASLAUTHD_MECHANISMS rimap you need to specify the ip-address/servername of the imap server ==> xxx.xxx.xxx.xxx

• empty => localhost

• empty or 0 => ldap:// will be used
• 1 => ldaps:// will be used

• empty => anonymous bind
• specify an object with priviliges to search the directory tree
• e.g. active directory: SASLAUTHD_LDAP_BIND_DN=cn=Administrator,cn=Users,dc=mydomain,dc=net
• e.g. openldap: SASLAUTHD_LDAP_BIND_DN=cn=admin,dc=mydomain,dc=net

• empty => anonymous bind

• empty => Reverting to SASLAUTHD_MECHANISMS pam
• specify the search base

• empty => default filter (&(uniqueIdentifier=%u)(mailEnabled=TRUE))
• e.g. for active directory: (&(sAMAccountName=%U)(objectClass=person))
• e.g. for openldap: (&(uid=%U)(objectClass=person))

• empty => No sasl_passwd will be created
• string => /etc/postfix/sasl_passwd will be created with the string as password

• empty => all daemons start
• 1 => only launch postfix smtp

• empty => SSL disabled
• letsencrypt => Enables Let's Encrypt certificates
• custom => Enables custom certificates
• manual => Let's you manually specify locations of your SSL certificates for non-standard cases
• self-signed => Enables self-signed certificates

Please read the SSL page in the wiki for more information.

Set different options for mynetworks option (can be overwrite in postfix-main.cf)

• empty => localhost only
• host => Add docker host (ipv4 only)
• network => Add all docker containers (ipv4 only)

Set how many days a virusmail will stay on the server before being deleted

• empty => 7 days