Mail Server Deployment Using Docker

The document provides steps to deploy a mail server using Docker. These include registering a domain, securing a fixed IP, configuring DNS records, generating SSL certificates using Let's Encrypt, setting up DKIM authentication, and deploying the mail server containers using Docker Compose.

Uploaded by nonio

Mail Server Deployment

For this example we will assume the domain mydomain.online; change it accordingly. We also
assume that the docker compose file and the certificate renewal script are located
in /home/ubuntu/docker-mailserver/.

Documentation
https://docker-mailserver.github.io/docker-mailserver/latest/

Steps
1. Register a domain
2. Secure a fixed IP address
3. Create an 'A' DNS record in your domain for your server
4. Configure Reverse DNS for this IP address
5. Generate mail certificates
6. Register SPF record for the server on DNS
7. Publish DMARC Policy
8. Deploy the server
9. Open inbound and outbound ports

1. Register a domain

There are many registrars. Check out https://www.cloudflare.com/products/registrar/

2. Secure a fixed IP address

In AWS you need an "Elastic IP address". Other providers also have this product.

3. Create an 'A' DNS record in your domain for your server

You must create a type 'A' record for your email server, for instance:

Type  Name  Content         TTL   Proxy
A     mail  108.128.117.83  Auto  DNS only

4. Configure Reverse DNS for this IP address

The reverse DNS of the IP must match the DNS name of the server. For instance, executing nslookup
108.128.117.83 should return the FQDN of the mail server: 83.117.128.108.in-addr.arpa name = mail.mydomain.online.
For AWS, check "Use reverse DNS for email applications" in
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html
5. Generate mail certificates

https://eff-certbot.readthedocs.io/en/latest/install.html#running-with-docker
https://docker-mailserver.github.io/docker-mailserver/latest/config/security/ssl/#lets-encrypt-recommended

Before even starting the mail server you must get certificates. You can do that by
running the Let's Encrypt certbot and answering some questions, like the full DNS name of the mail
server. In our case: mail.mydomain.online

docker run -it --rm --name certbot \
-v "/etc/letsencrypt:/etc/letsencrypt" \
-v "/var/lib/letsencrypt:/var/lib/letsencrypt" \
-p 80:80 \
-p 443:443 \
certbot/certbot certonly

Create a cron job to run every week to renew certificates:

sudo crontab -e
# add the following line:
10 3 * * 0 /home/ubuntu/docker-mailserver/renewcerts.sh >> /home/ubuntu/docker-mailserver/renewcerts.log 2>&1
The renewcerts.sh file:

#!/bin/bash

# Navigate to the directory containing the docker-compose.yml file
# (abort if it is missing so that docker compose is not run from another directory)
cd /home/ubuntu/docker-mailserver || exit 1

docker compose down
echo "Docker Compose has stopped and removed the containers."

echo "Renew certificates if needed"
docker run -i --rm --name certbot \
-v "/etc/letsencrypt:/etc/letsencrypt" \
-v "/var/lib/letsencrypt:/var/lib/letsencrypt" \
-p 80:80 \
-p 443:443 \
certbot/certbot renew

echo "Starting mail server"
docker compose up -d
If running interactively the command should use "-it":

#!/bin/bash

# Navigate to the directory containing the docker-compose.yml file
# (abort if it is missing so that docker compose is not run from another directory)
cd /home/ubuntu/docker-mailserver || exit 1

docker compose down
echo "Docker Compose has stopped and removed the containers."

echo "Renew certificates if needed"
docker run -it --rm --name certbot \
-v "/etc/letsencrypt:/etc/letsencrypt" \
-v "/var/lib/letsencrypt:/var/lib/letsencrypt" \
-p 80:80 \
-p 443:443 \
certbot/certbot renew

echo "Starting mail server"
docker compose up -d
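As an added example, not the page's renewcerts.sh and not code from the docker-mailserver project: a variant of the weekly job that runs certbot renew while the stack is still up (the compose file in step 8 publishes only ports 25, 465, 587 and 993, so 80 and 443 are free for certbot's standalone authenticator), restarts the containers only when the live certificate actually changed, and afterwards compares the certificate served on port 465 with the one on disk. It assumes certbot's default live path /etc/letsencrypt/live/<fqdn>/fullchain.pem, sha256sum and the openssl CLI on the host, and the paths stated at the top of this document; the "run" argument gate is this example's own convention.

```shell
#!/bin/sh
# Added example (not the page's renewcerts.sh): renew first, then restart
# the mail stack only when the live certificate changed, and confirm the
# listener presents the new certificate afterwards.
# Paths and names are the ones the page assumes; adjust for your host.
set -eu

COMPOSE_DIR="${COMPOSE_DIR:-/home/ubuntu/docker-mailserver}"
MAIL_FQDN="${MAIL_FQDN:-mail.mydomain.online}"
# certbot's default layout for the current leaf + chain (assumption of this example)
LIVE_CERT="${LIVE_CERT:-/etc/letsencrypt/live/$MAIL_FQDN/fullchain.pem}"

# SHA-256 of a file, or "missing" if it does not exist yet (first run).
file_digest() {
    if [ -f "$1" ]; then
        sha256sum "$1" | cut -d' ' -f1
    else
        echo missing
    fi
}

# True when the digests taken before and after "certbot renew" differ.
cert_changed() {
    [ "$1" != "$2" ]
}

# Renewal runs with the stack up: the standalone authenticator only needs
# ports 80 and 443, which the compose file on this page never publishes.
renew_certificates() {
    docker run -i --rm --name certbot \
        -v /etc/letsencrypt:/etc/letsencrypt \
        -v /var/lib/letsencrypt:/var/lib/letsencrypt \
        -p 80:80 -p 443:443 \
        certbot/certbot renew
}

# Compare the fingerprint served on the SMTPS port with the local leaf cert
# (needs the openssl CLI on the host).
served_matches_local() {
    served=$(openssl s_client -connect "$MAIL_FQDN:465" -servername "$MAIL_FQDN" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256)
    local_fp=$(openssl x509 -in "$LIVE_CERT" -noout -fingerprint -sha256)
    [ -n "$served" ] && [ "$served" = "$local_fp" ]
}

main() {
    cd "$COMPOSE_DIR"
    before=$(file_digest "$LIVE_CERT")
    renew_certificates
    after=$(file_digest "$LIVE_CERT")
    stamp=$(date '+%Y-%m-%d %H:%M:%S')
    if cert_changed "$before" "$after"; then
        echo "$stamp certificate renewed ($after), restarting mail server"
        docker compose down && docker compose up -d
        sleep 30   # give postfix/dovecot time to come up before checking
        if served_matches_local; then
            echo "$stamp listener presents the renewed certificate"
        else
            echo "$stamp WARNING: served certificate does not match $LIVE_CERT" >&2
        fi
    else
        echo "$stamp certificate unchanged, nothing to do"
    fi
}

# Run the real job only when invoked with "run" (see the cron line in the
# usage note), so the helpers can be sourced and tested without docker.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Schedule it with the same cron line as above, adding the argument: 10 3 * * 0 /home/ubuntu/docker-mailserver/renewcerts.sh run >> /home/ubuntu/docker-mailserver/renewcerts.log 2>&1. Because the renewal happens before any container is stopped, a failed certbot run leaves the mail server untouched instead of leaving it down.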

What are DMARC, DKIM, and SPF?

https://www.cloudflare.com/learning/email-security/dmarc-dkim-spf/

6. Register SPF record for the server on DNS

Create a TXT record in DNS:

Type  Name  Content                              TTL   Proxy
TXT   @     v=spf1 a:mail.mydomain.online -all   Auto  DNS only

This indicates that the only server trusted to send mail from mydomain.online is the
server mail.mydomain.online and no other.

7. Publish DMARC Policy

Create a TXT record in DNS:

Type  Name    Content                                                                                                   TTL   Proxy
TXT   _dmarc  v=DMARC1; p=reject; rua=mailto:dmarc-[email protected]; ruf=mailto:dmarc-[email protected]; fo=1; adkim=r; aspf=r   Auto  DNS only
8. Deploy the server

Docker compose file:

version: "3.8"

services:
  mailserver:
    image: ghcr.io/docker-mailserver/docker-mailserver:13.3.1
    container_name: mailserver
    restart: always
    # Provide the FQDN of your mail server here (Your DNS MX record should point to this value)
    hostname: mail.mydomain.online
    ports:
      - "25:25"
      - "465:465"
      - "587:587"
      - "993:993"
    volumes:
      - ./docker-data/dms/mail-data/:/var/mail/
      - ./docker-data/dms/mail-state/:/var/mail-state/
      - ./docker-data/dms/mail-logs/:/var/log/mail/
      - ./docker-data/dms/config/:/tmp/docker-mailserver/
      # https://docker-mailserver.github.io/docker-mailserver/latest/config/security/ssl/#lets-encrypt-recommended
      - /etc/letsencrypt:/etc/letsencrypt
      - /etc/localtime:/etc/localtime:ro
    environment:
      # https://docker-mailserver.github.io/docker-mailserver/latest/config/environment/
      - LOG_LEVEL=info
      - ENABLE_RSPAMD=0
      - ENABLE_FAIL2BAN=0
      - ENABLE_POSTGREY=0
      - ENABLE_CLAMAV=0
      - ENABLE_SPAMASSASSIN=0
      - ENABLE_IMAP=1
      - POSTFIX_MAILBOX_SIZE_LIMIT=1
      - TZ=Europe/Lisbon
      # Using letsencrypt for SSL/TLS certificates. Enable only after creating first request. Fails if there are no certificates
      - SSL_TYPE=letsencrypt
      - TLS_LEVEL=modern
      # Allow sending emails from other docker containers:
      # Beware creating an Open Relay: https://docker-mailserver.github.io/docker-mailserver/latest/config/environment/#permit_docker
      # - PERMIT_DOCKER=network
      # You may want to enable this: https://docker-mailserver.github.io/docker-mailserver/latest/config/environment/#spoof_protection
      # See step 6 below, which demonstrates setup with enabled/disabled SPOOF_PROTECTION:
      - SPOOF_PROTECTION=1
    # cap_add:
    #   - NET_ADMIN # For Fail2Ban to work
Before the mail server fully starts you must create at least one mailbox:

docker compose up -d
docker exec -it mailserver /bin/bash
setup email add [email protected] mySuperSecretPass-01!
exit
docker compose down
docker compose up -d

https://docker-mailserver.github.io/docker-mailserver/latest/config/user-management/

Before trying to send emails you need to configure DKIM.

Server and DKIM Setup

https://docker-mailserver.github.io/docker-mailserver/edge/config/best-practices/dkim_dmarc_spf/

Setting up DKIM (DomainKeys Identified Mail) for your Docker Mailserver is an essential step to
improve email deliverability and help prevent email spoofing. DKIM adds a digital signature to
the emails sent from your domain, which receiving mail servers can use to verify that the email
was indeed sent from an authorized mail server for your domain.

Here's a general outline on how to generate DKIM keys for your Docker Mailserver:

Generate DKIM Keys:

First you must have the container up and running. Using the previous docker-compose.yaml file
you must execute (and wait for it to be ready):

docker compose up -d

Then go inside the container to generate the DKIM keys by running the setup.sh script with
the config dkim option. You also need to specify the domain for which you are generating the
DKIM keys. Here is how you can do it:

docker exec -ti mailserver setup config dkim help
docker exec -ti mailserver setup config dkim keysize 4096 domain mydomain.online

Locating the DKIM Keys:


After running the command, the DKIM keys will be generated and stored in a specific directory
within your container, usually under /tmp/docker-mailserver/opendkim/keys/mydomain.online/.
You can find the public key in a file named mail.txt within this directory. From outside the
container, in our case: ~/docker-mailserver/docker-data/dms/config/opendkim/keys/mydomain.online

Add DKIM Record to Your DNS:


You'll need to add the DKIM public key to your domain's DNS records. Open the mail.txt file,
and you'll see a TXT record that you need to add to your DNS settings. This record will usually
have a format like:

mail._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC..." ) ; ----- DKIM key mail for your_domain.com
You need to add this as a TXT record in your DNS:

Type  Name             Content  TTL   Proxy
TXT   mail._domainkey  (X)      Auto  DNS only

(X) is the key (example for mydomain.online):


Take the value immediately after "p=" and encode it to base64 (for example with
https://www.base64encode.org/); the value (in this example)

"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAp4BrmmqBmibHi2FGEXe2Eixgw9GX2leTyLcAIN9Z3z83+kPj+E6gRBUaMDew24qpBGXUdb4nKCV1iO6zXHMomDQkAbbcXT5o3jRGMlc6syXCae86Arz82prfC63uIJVn6N/6MbOn3ytP/QkhzAXRUA4J8hpin269EuzhUuFMaIRxrde1xssepT3yEuT/cV8bHQUzrnF7182jz+"

Becomes:

"TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUFwNEJybW1xQm1pYkhpMkZHRVhlMkVpeGd3OUdYMmxlVHlMY0FJTjlaM3o4MytrUGorRTZnUkJVYU1EZXcyNHFwQkdYVWRiNG5LQ1YxaU82elhITW9tRFFrQWJiY1hUNW8zalJHTWxjNnN5WENhZTg2QXJ6ODJwcmZDNjN1SUpWbjZOLzZNYk9uM3l0UC9Ra2h6QVhSVUE0SjhocGluMjY5RXV6aFV1Rk1hSVJ4cmRlMXhzc2VwVDN5RXVUL2NWOGJIUVV6cm5GNzE4Mmp6Kw=="

Now you just create a TXT record named "mail._domainkey" with the following content (don't
break lines, it should be a single line):

v=DKIM1; h=sha256; k=rsa; p=TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUFwNEJybW1xQm1pYkhpMkZHRVhlMkVpeGd3OUdYMmxlVHlMY0FJTjlaM3o4MytrUGorRTZnUkJVYU1EZXcyNHFwQkdYVWRiNG5LQ1YxaU82elhITW9tRFFrQWJiY1hUNW8zalJHTWxjNnN5WENhZTg2QXJ6ODJwcmZDNjN1SUpWbjZOLzZNYk9uM3l0UC9Ra2h6QVhSVUE0SjhocGluMjY5RXV6aFV1Rk1hSVJ4cmRlMXhzc2VwVDN5RXVUL2NWOGJIUVV6cm5GNzE4Mmp6Kw==

Verify the DKIM Record

After updating your DNS, it may take some time for the changes to propagate. You can verify the
DKIM record using https://mxtoolbox.com/SuperTool.aspx?action=dkim where you should input
"mydomain.online:mail" and then press "DKIM Lookup". Check the output.
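The lookups above are manual. As an added example, not part of the original document or of docker-mailserver, the script below validates the records from steps 3, 4, 6 and 7 and the DKIM section offline and, when invoked with the argument "live", queries the published values with dig. Domain, host name and selector default to the page's mydomain.online, mail.mydomain.online and "mail"; the argument handling and the live section are this example's own conventions. For the DKIM check it relies on one fact from the DKIM specification (RFC 6376): the p= tag carries the base64 encoding of the DER-encoded public key, and DER always starts with the byte 0x30, so the check decodes the published p= and confirms that first byte; a p= that decodes to text beginning with "MII" was base64-encoded twice and receivers cannot verify signatures with it.

```shell
#!/bin/sh
# Added example, not part of the original document: offline validators for the
# DNS records this guide publishes (forward/reverse pair, SPF, DMARC, DKIM) and
# an optional live check with dig. Defaults are the page's mydomain.online and
# selector "mail"; override DOMAIN / MAIL_FQDN / SELECTOR for your deployment.
DOMAIN="${DOMAIN:-mydomain.online}"
MAIL_FQDN="${MAIL_FQDN:-mail.$DOMAIN}"
SELECTOR="${SELECTOR:-mail}"

# Forward-confirmed reverse DNS (step 4): the PTR answer for the server IP must
# name the mail host itself. dig prints PTR targets with a trailing dot.
rdns_matches() {   # $1 = expected FQDN, $2 = PTR answer
    [ "${2%.}" = "${1%.}" ]
}

# Extract one tag from a "tag=value; tag=value" record (DMARC and DKIM syntax).
tag_value() {      # $1 = record, $2 = tag name
    printf '%s\n' "$1" | tr ';' '\n' \
        | sed -n "s/^[[:space:]]*$2=[[:space:]]*//p" | sed 's/[[:space:]]*$//' | head -n 1
}

# SPF (step 6): starts with v=spf1, authorises the mail host, and ends with a
# hard (-all) or soft (~all) fail so every other sender is rejected or flagged.
validate_spf() {
    case "$1" in "v=spf1 "*) ;; *) echo "SPF: missing v=spf1 prefix"; return 1 ;; esac
    case " $1 " in *" a:$MAIL_FQDN "*) ;; *) echo "SPF: $MAIL_FQDN not authorised"; return 1 ;; esac
    case "$1" in *" -all"|*" ~all") return 0 ;; *) echo "SPF: must end with -all or ~all"; return 1 ;; esac
}

# DMARC (step 7): v=DMARC1 plus an enforcing policy. The page publishes
# p=reject; p=none is syntactically valid but lets spoofed mail through, so
# this check treats it as a failure.
validate_dmarc() {
    [ "$(tag_value "$1" v)" = "DMARC1" ] || { echo "DMARC: missing v=DMARC1"; return 1; }
    case "$(tag_value "$1" p)" in
        reject|quarantine) return 0 ;;
        none) echo "DMARC: p=none only monitors, spoofed mail is still delivered"; return 1 ;;
        *) echo "DMARC: missing or invalid p= tag"; return 1 ;;
    esac
}

# DKIM: v=DKIM1, k=rsa (or absent, rsa is the default) and a p= that is the
# base64 of a DER SubjectPublicKeyInfo, which begins with an ASN.1 SEQUENCE
# tag (0x30). A p= decoding to anything else, e.g. a value that was
# base64-encoded a second time and so decodes to "MII...", cannot verify.
validate_dkim() {
    [ "$(tag_value "$1" v)" = "DKIM1" ] || { echo "DKIM: missing v=DKIM1"; return 1; }
    k=$(tag_value "$1" k)
    [ -z "$k" ] || [ "$k" = "rsa" ] || { echo "DKIM: unexpected k=$k"; return 1; }
    p=$(tag_value "$1" p | tr -d ' "')
    [ -n "$p" ] || { echo "DKIM: empty p= tag"; return 1; }
    while [ $(( ${#p} % 4 )) -ne 0 ]; do p="$p="; done   # pad so a truncated value still decodes
    first=$(printf '%s' "$p" | base64 -d 2>/dev/null | od -An -tx1 -N1 | tr -d ' ')
    [ "$first" = "30" ] || { echo "DKIM: p= is not a DER public key (first byte ${first:-none})"; return 1; }
}

# Live check against public DNS; needs dig and network access.
# Usage: sh check_mail_dns.sh live
live_check() {
    ip=$(dig +short A "$MAIL_FQDN" | head -n 1)
    ptr=$(dig +short -x "$ip" | head -n 1)
    if rdns_matches "$MAIL_FQDN" "$ptr"; then echo "PTR ok: $ip -> $ptr"; else echo "PTR mismatch: $ip -> $ptr"; fi
    spf=$(dig +short TXT "$DOMAIN" | tr -d '"' | grep '^v=spf1' || true)
    [ "$(printf '%s\n' "$spf" | grep -c '^v=spf1')" -eq 1 ] || echo "SPF: expected exactly one v=spf1 record"
    validate_spf "$spf" && echo "SPF ok: $spf"
    dmarc=$(dig +short TXT "_dmarc.$DOMAIN" | tr -d '"')
    validate_dmarc "$dmarc" && echo "DMARC ok: $dmarc"
    dkim=$(dig +short TXT "$SELECTOR._domainkey.$DOMAIN" | tr -d '"')   # joins split strings
    validate_dkim "$dkim" && echo "DKIM ok: $SELECTOR._domainkey.$DOMAIN"
}

if [ "${1:-}" = "live" ]; then
    live_check
fi
```

Removing the quotes from the dig output joins a TXT record that DNS split into several strings, which is how long DKIM keys are normally published, and the pad loop lets the decoder examine the first byte even when only the beginning of a key is pasted into the check.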

Restart the Mailserver:

docker compose down && docker compose up -d


Remember, DNS propagation can take some time, from a few minutes up to 48 hours in some
cases. Ensure you give it enough time before testing the DKIM setup. Also, be aware that the
specific paths and commands may vary depending on the Docker Mailserver setup you are using,
so refer to the official documentation for your mail server solution for the most accurate
instructions.

Other Setup Configurations:

https://docker-mailserver.github.io/docker-mailserver/latest/config/setup.sh/

docker exec -ti mailserver setup help

9. Open inbound ports

22, 25, 80, 443, 465, 587, 993

Important note:
If running on AWS you must open a support ticket to open ports 25 and 587 outbound. Even if
you specify these in the outbound rules, AWS will block them:
https://repost.aws/knowledge-center/ec2-port-25-throttle

User management

Creating a new Account
https://docker-mailserver.github.io/docker-mailserver/latest/config/user-management/

docker exec -it mailserver /bin/bash
setup email add [email protected] mySuperSecretPass-01!
exit
