The Definitive Guide to Running a Full-Stack Email Server with docker-mailserver on a Rocky Linux VPS

Setting up a full-stack mail server using docker-mailserver on a Rocky Linux 9 VPS involves several steps. This guide will walk you through the process, starting from a fresh VPS setup to running your mail server. We’ll cover setting up Docker, configuring docker-mailserver, securing your server with SSL/TLS, and testing the mail server. This setup is suitable for small to medium-sized organizations or personal use.

Prerequisites

Step 1: Initial Server Setup

Before installing any software, it’s a good practice to update your system packages.

sudo dnf update -y
sudo dnf install -y curl vim

Step 2: Install Docker and Docker Compose

Docker is a containerization platform, and Docker Compose is a tool for defining and running multi-container Docker applications. docker-mailserver runs as a set of Docker containers.

  1. Install Docker:
sudo dnf config-manager --add-repo=https://download.docker.com/linux/centos/docker-ce.repo
sudo dnf install docker-ce docker-ce-cli containerd.io -y
sudo systemctl start docker
sudo systemctl enable docker
  2. Install Docker Compose:
sudo curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose

Step 3: Setup docker-mailserver

Now, set up the docker-mailserver on your Rocky Linux server.

  1. Create a directory for docker-mailserver and navigate into it:
mkdir -p docker-mailserver && cd docker-mailserver
  2. Create a docker-compose.yml file:

Here is a basic configuration. You’ll need to replace yourdomain.com with your actual domain name.

version: '3.8'

services:
  mailserver:
    image: mailserver/docker-mailserver:latest
    hostname: mail
    domainname: yourdomain.com
    container_name: mailserver
    ports:
      - "25:25"
      - "143:143"
      - "587:587"
      - "993:993"
    volumes:
      - maildata:/var/mail
      - mailstate:/var/mail-state
      - maillogs:/var/log/mail
      - ./config/:/tmp/docker-mailserver/
    environment:
      - ENABLE_SPAMASSASSIN=1
      - ENABLE_CLAMAV=1
      - ENABLE_FAIL2BAN=1
      - ENABLE_POSTGREY=1
      - ONE_DIR=1
      - DMS_DEBUG=0
    cap_add:
      - NET_ADMIN
      - SYS_PTRACE
    restart: always

volumes:
  maildata:
  mailstate:
  maillogs:
  3. Start your mail server:
docker-compose up -d

Step 4: Configure DNS Records

For your mail server to function correctly, you must configure your DNS settings properly.

  • MX Record: Points to your mail server. E.g., @ IN MX 10 mail.yourdomain.com.
  • A Record: For mail.yourdomain.com pointing to your VPS IP.
  • TXT Records: For SPF, DKIM, and DMARC to improve email deliverability and security.

Step 5: Securing the Mail Server

  1. Obtain SSL/TLS Certificates:

You can use Let’s Encrypt to get free SSL/TLS certificates.

sudo dnf install certbot -y
sudo certbot certonly --standalone -d mail.yourdomain.com
  2. Configure docker-mailserver to use the certificates:

Copy the certificates to the docker-mailserver configuration directory and adjust the permissions.

  3. Update your docker-compose.yml to use the certificates.

Step 6: Testing Your Mail Server

  • Use tools like Mail Tester to test the spamminess of your emails.
  • Test sending and receiving emails using a client like Thunderbird or your smartphone.

Maintenance and Monitoring

  • Regularly update your Docker images and monitor your server’s logs.
  • Implement backups for your email data.

This guide provides a starting point for setting up a full-stack mail server using docker-mailserver. Depending on your specific needs, you may need to customize your setup further, including advanced security measures, configuring additional mail protocols, or integrating with external services.

Continuing from where we left off, let’s delve into some of the additional configurations, advanced security measures, and best practices to ensure your docker-mailserver is robust, secure, and efficient.

Step 7: Advanced Configuration

Implementing DKIM

DomainKeys Identified Mail (DKIM) helps prevent email spoofing. docker-mailserver supports DKIM out of the box.

  1. Generate DKIM keys:
docker-compose exec mailserver setup.sh config dkim
  2. Configure your DNS:

After generating the DKIM keys, add them to your DNS settings as specified by the docker-mailserver setup output.

Configuring Sieve for Filtering

Sieve is a powerful scripting language for filtering incoming email. To use Sieve scripts:

  1. Enable the ManageSieve service by adding ENABLE_MANAGESIEVE=1 to the environment section of your docker-compose.yml.
  2. Create and upload Sieve scripts using a ManageSieve client.

Step 8: Advanced Security Measures

Rate Limiting

To prevent abuse, consider implementing rate limiting on port 25 (SMTP). This can be achieved through your VPS provider’s firewall settings or using custom iptables rules.

Using Fail2Ban for Additional Security

Although docker-mailserver enables Fail2Ban by default, you can customize its configuration to better suit your needs:

  1. Access Fail2Ban settings:
docker-compose exec mailserver bash
cd /etc/fail2ban
  2. Edit or create custom filter rules in /etc/fail2ban/jail.local.

Step 9: Email Client Configuration

To access your email, configure your email client with the following settings:

  • IMAP (for incoming emails):
    • Server: mail.yourdomain.com
    • Port: 993
    • Security: SSL/TLS
    • Username: Your full email address
    • Password: Your email account password
  • SMTP (for outgoing emails):
    • Server: mail.yourdomain.com
    • Port: 587
    • Security: STARTTLS
    • Username: Your full email address
    • Password: Your email account password

Step 10: Backup and Restore

Regular backups are crucial. To back up your docker-mailserver, consider the following strategy:

  1. Back up the Docker volumes: Use docker-compose to stop your services and copy the volumes to a backup location.
  2. Automate backups: Schedule regular backups using cron or a similar scheduler.
  3. Offsite backups: Store backups in an offsite location or cloud storage for added redundancy.

Step 11: Monitoring and Logs

Monitoring your mail server is key to maintaining its health and performance.

  • Use Docker commands to monitor logs: docker-compose logs -f mailserver
  • Implement a monitoring solution like Prometheus and Grafana for in-depth analysis and alerting.
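
Before changing jail.local or alerting on the mail log, it helps to know how many SASL failures each client actually produced. The script below is an added example, not part of the original guide or of docker-mailserver: it runs over a constructed sample of mail.log lines (documentation-range addresses) and lists the clients at or above a failure threshold, which is the same kind of line the postfix-sasl Fail2Ban jail reacts to, so the counts show what a given maxretry would have caught.

```shell
#!/bin/sh
# Added example (not part of the original guide or of docker-mailserver).
# Constructed Postfix smtpd lines in the format docker-mailserver writes to
# /var/log/mail/mail.log; the addresses are documentation ranges, not real hosts.
SAMPLE_LOG='Mar  1 10:00:01 mail postfix/smtpd[3121]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  1 10:00:02 mail postfix/smtpd[3121]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  1 10:00:03 mail postfix/smtpd[3121]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure
Mar  1 10:00:04 mail postfix/smtpd[3125]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  1 10:00:09 mail postfix/smtpd[3130]: warning: host.example.net[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  1 10:00:10 mail postfix/smtpd[3131]: connect from client.example.org[192.0.2.44]
Mar  1 10:00:11 mail postfix/submission/smtpd[3132]: 4A1B2C3D4E: client=client.example.org[192.0.2.44], sasl_method=PLAIN, sasl_username=alice@yourdomain.com'

# Read mail.log lines on stdin; print "<failures> <client-ip>" for every client
# with at least $1 SASL authentication failures, most failures first. These are
# the lines the postfix-sasl Fail2Ban jail counts, so the output tells you what
# a given maxretry would have banned.
sasl_failures_over() {
    awk -v min="$1" '
        /warning: / && /SASL [A-Z-]+ authentication failed/ {
            # the client appears as "warning: host[ip]: SASL ..."
            rest = substr($0, index($0, "warning: ") + 9)
            s = index(rest, "["); e = index(rest, "]")
            if (s > 0 && e > s) fails[substr(rest, s + 1, e - s - 1)]++
        }
        END { for (ip in fails) if (fails[ip] >= min) print fails[ip], ip }
    ' | sort -rn
}

# Against the running container (the maillogs volume is mounted at /var/log/mail):
#   docker-compose exec mailserver cat /var/log/mail/mail.log | sasl_failures_over 3
printf '%s\n' "$SAMPLE_LOG" | sasl_failures_over 3
```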

Final Thoughts

Setting up and maintaining a full-stack mail server using docker-mailserver on Rocky Linux 9 requires careful planning, ongoing maintenance, and regular security assessments. By following this guide, you’ve taken a significant step toward having a private, secure, and fully-functional mail server. Remember, the email landscape constantly evolves, so stay informed about best practices and security updates to ensure your server remains robust and secure.

docker-mailserver itself does not provide a web-based login interface for checking email directly. It is a backend service that manages email delivery, receiving, and other server-side functionalities. For accessing emails, you typically need an email client that supports IMAP/SMTP protocols, such as Thunderbird, Microsoft Outlook, or mobile email apps.

However, if you’re looking for a webmail interface to use with docker-mailserver, you can integrate it with third-party webmail applications. Popular choices include:

  • Roundcube: A browser-based, multilingual IMAP client with an app-like user interface.
  • RainLoop: A simple, modern, and fast web-based email client.
  • SquirrelMail: An older, but still functional web-based email client, known for its simplicity and compatibility.

Integrating a Webmail Client

Integrating a webmail client with docker-mailserver involves setting up the webmail application in a separate Docker container or on a separate server, and then configuring it to connect to your mail server using the appropriate IMAP and SMTP settings. Here’s a general approach using Roundcube as an example:

  1. Deploy Roundcube: You can either use a Docker image for Roundcube or install it manually on a web server. If you’re going with Docker, you can find a suitable image on Docker Hub.
  2. Configure Roundcube: After deployment, access the Roundcube installer via your web browser (typically found at http://your-roundcube-instance/installer). Follow the setup instructions, ensuring you input the correct IMAP and SMTP settings to connect to your docker-mailserver instance.
  3. Secure Your Webmail: Ensure that your Roundcube instance is secured with SSL/TLS if it’s publicly accessible. You can use Let’s Encrypt for a free SSL certificate.
  4. DNS Configuration: If you’re hosting Roundcube on the same domain as your mail server but on a subdomain (e.g., webmail.yourdomain.com), ensure you have an A record pointing to the correct IP address.

Security Considerations

When integrating a webmail client with docker-mailserver, keep the following security considerations in mind:

  • Keep software up to date: Regularly update both docker-mailserver and your webmail application to protect against vulnerabilities.
  • Use strong passwords: Enforce strong passwords for email accounts to prevent unauthorized access.
  • Implement HTTPS: Always use HTTPS to encrypt the connection between the webmail client and the users to ensure that login credentials and emails are transmitted securely.

By following these guidelines, you can successfully integrate a webmail client with docker-mailserver, providing a convenient interface for users to access their email from a web browser.

Integrating Let’s Encrypt with docker-mailserver to secure your email communication with SSL/TLS certificates involves several steps. This guide will show you how to obtain and renew Let’s Encrypt certificates and configure docker-mailserver to use them.

We’ll use Certbot, the recommended Let’s Encrypt client, for obtaining certificates. Since docker-mailserver does not natively handle SSL certificates, we will manually set up the certificates and ensure they’re correctly mounted and recognized by the mail server.

Prerequisites

  • A domain name properly set up and pointing to your server
  • Docker and Docker Compose installed on your server
  • docker-mailserver setup and running

Step 1: Obtain SSL/TLS Certificates from Let’s Encrypt

  1. Install Certbot:
    First, install Certbot on your host system (not inside Docker).
    sudo dnf install epel-release -y
    sudo dnf install certbot -y

  2. Generate Certificates:
    Use Certbot to generate your SSL/TLS certificates. Replace mail.yourdomain.com with your actual domain.
    sudo certbot certonly --standalone -d mail.yourdomain.com

    The --standalone option runs a temporary web server on your host to complete the domain validation process. Make sure that no other service (like Nginx or Apache) is using port 80 or 443.

  3. Certificate Location:
    Certbot stores the generated certificates in /etc/letsencrypt/live/mail.yourdomain.com/. Note this location as you’ll need it for the next steps.

Step 2: Configure docker-mailserver to Use SSL/TLS Certificates

To use the SSL/TLS certificates with docker-mailserver, you need to make them accessible inside the container.

  1. Update docker-compose.yml:
    Modify your docker-compose.yml to mount the Let’s Encrypt certificate files into the container. Add the following under the volumes section of the mailserver service:
    - /etc/letsencrypt/live/mail.yourdomain.com/fullchain.pem:/tmp/ssl/cert/fullchain.pem:ro
    - /etc/letsencrypt/live/mail.yourdomain.com/privkey.pem:/tmp/ssl/private/privkey.pem:ro

    Your docker-compose.yml file should now include these lines under the mailserver service.

  2. Configure the Mail Server to Use the Certificates:
    Set the environment variables in your docker-compose.yml to specify the SSL certificate paths inside the container. Add these lines to the environment section of the mailserver service:
    - SSL_TYPE=manual
    - SSL_CERT_PATH=/tmp/ssl/cert/fullchain.pem
    - SSL_KEY_PATH=/tmp/ssl/private/privkey.pem
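
Before restarting the container it is worth confirming that the three environment values and the two bind mounts line up, because a mistyped container-side path leaves Postfix and Dovecot without a certificate or key and the failure only shows up in the container log. The check below is an added example, not part of the original guide or of docker-mailserver; it parses a constructed compose fragment containing the lines above (check_ssl_wiring and env_value are hypothetical helper names) and also feeds it the same fragment with a misspelt key mount target, which it rejects.

```shell
#!/bin/sh
# Added example (not part of the original guide or of docker-mailserver).
# Constructed docker-compose.yml fragment with the manual-SSL lines from the
# guide; in practice pass the contents of your real file instead.
COMPOSE_OK='services:
  mailserver:
    volumes:
      - ./config/:/tmp/docker-mailserver/
      - /etc/letsencrypt/live/mail.yourdomain.com/fullchain.pem:/tmp/ssl/cert/fullchain.pem:ro
      - /etc/letsencrypt/live/mail.yourdomain.com/privkey.pem:/tmp/ssl/private/privkey.pem:ro
    environment:
      - SSL_TYPE=manual
      - SSL_CERT_PATH=/tmp/ssl/cert/fullchain.pem
      - SSL_KEY_PATH=/tmp/ssl/private/privkey.pem'

# Same fragment with a typo in the key mount target: the container starts, but
# nothing exists at SSL_KEY_PATH inside it.
COMPOSE_BAD=$(printf '%s\n' "$COMPOSE_OK" | sed 's#:/tmp/ssl/private/privkey.pem:ro#:/tmp/ssl/privkey.pem:ro#')

# Value of an "- NAME=value" environment entry in compose text ($1), for NAME ($2).
env_value() {
    printf '%s\n' "$1" | sed -n "s/^ *- *$2=//p" | head -n 1
}

# Return 0 when SSL_TYPE is manual and each SSL_*_PATH is the container-side
# target of a read-only bind mount; return 1 and say what is wrong otherwise.
check_ssl_wiring() {
    compose="$1"
    [ "$(env_value "$compose" SSL_TYPE)" = "manual" ] || { echo "SSL_TYPE is not manual"; return 1; }
    for var in SSL_CERT_PATH SSL_KEY_PATH; do
        target=$(env_value "$compose" "$var")
        [ -n "$target" ] || { echo "$var is not set"; return 1; }
        # host path of the mount line "- <host>:<target>:ro", if there is one
        host=$(printf '%s\n' "$compose" | sed -n "s#^ *- *\([^:]*\):$target:ro\$#\1#p" | head -n 1)
        [ -n "$host" ] || { echo "no read-only mount ends in $target for $var"; return 1; }
        # /etc/letsencrypt/live is root-only, so run this as root for a real file
        [ -r "$host" ] || echo "note: $host is not readable by this user"
    done
    echo "SSL wiring looks consistent"
    return 0
}

# Typical use: check_ssl_wiring "$(cat /path/to/your/docker-compose.yml)"
check_ssl_wiring "$COMPOSE_OK"
check_ssl_wiring "$COMPOSE_BAD" || echo "fix docker-compose.yml before restarting"
```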
    

Step 3: Apply Changes

After configuring the SSL/TLS certificates, apply the changes by restarting the docker-mailserver container.

docker-compose down
docker-compose up -d

Step 4: Automate Certificate Renewal

Let’s Encrypt certificates are valid for 90 days. Use a cron job to automate the renewal process.

  1. Edit the crontab:
    sudo crontab -e

  2. Add a cron job to renew the certificates and restart docker-mailserver. The following line renews the certificates every two months and restarts docker-mailserver so that the renewed certificates are picked up:
    0 0 1 */2 * certbot renew --quiet && docker-compose -f /path/to/your/docker-compose.yml down && docker-compose -f /path/to/your/docker-compose.yml up -d

    Replace /path/to/your/docker-compose.yml with the actual path to your docker-compose.yml file.

Conclusion

You have now configured Let’s Encrypt SSL/TLS certificates with your docker-mailserver, enhancing the security of your email communications. Remember to check the logs after the first automated renewal to ensure everything is working as expected.


Editorial Staff

Rad Web Hosting is a leading provider of web hosting, Cloud VPS, and Dedicated Servers in Dallas, TX and Phoenix, AZ.