Free Mail Server on OCI

Free Mail Server on OCI – Docker-Mailserver


This is part of a series of articles about how to set up your own free mail server on OCI.

Docker-Mailserver

As I mentioned earlier, our mail server is based on the Docker-Mailserver container image; the documentation is here.

Edit your compose.yaml file and add the mailserver service so that it looks like this:

services:
  # mailserver container
  mailserver:
    image: mailserver/docker-mailserver:latest
    container_name: mailserver
    # Provide the FQDN of your mail server here (Your DNS MX record should point to this value)
    hostname: mail.mymail.com
    env_file: ./mailserver.env
    ports:
      - "25:25" # SMTP (explicit TLS => STARTTLS)
      - "143:143" # IMAP4 (explicit TLS => STARTTLS)
      - "465:465" # ESMTP (implicit TLS)
      - "587:587" # ESMTP (explicit TLS => STARTTLS)
      - "993:993" # IMAP4 (implicit TLS)
    volumes:
      - /data/dms/mail-data/:/var/mail/
      - /data/dms/mail-state/:/var/mail-state/
      - /data/dms/mail-logs/:/var/log/mail/
      - /data/dms/config/:/tmp/docker-mailserver/
      - /data/certbot/certs/:/etc/letsencrypt/:ro
      - /etc/localtime:/etc/localtime:ro
    restart: always
    stop_grace_period: 1m
    # Required when using `ENABLE_FAIL2BAN=1` (fail2ban manipulates the container's firewall rules):
    cap_add:
      - NET_ADMIN
    healthcheck:
      test: "ss --listening --tcp | grep -P 'LISTEN.+:smtp' || exit 1"
      timeout: 3s
      retries: 0

  # certbot: obtain the TLS certificate for mail.mymail.com using the Cloudflare DNS-01 challenge
  certbot-cloudflare:
    image: certbot/dns-cloudflare:latest
    command: certonly --dns-cloudflare --dns-cloudflare-credentials /run/secrets/cloudflare.ini -d mail.mymail.com
    volumes:
      - /data/certbot/certs/:/etc/letsencrypt/
      - /data/certbot/logs/:/var/log/letsencrypt/
    secrets:
      - source: cloudflare
        target: cloudflare.ini

  # certbot: renew the TLS certificate (run this one periodically, e.g. from cron)
  certbot-cloudflare-renew:
    image: certbot/dns-cloudflare:latest
    command: renew --reuse-key --dns-cloudflare --dns-cloudflare-credentials /run/secrets/cloudflare.ini
    volumes:
      - /data/certbot/certs/:/etc/letsencrypt/
      - /data/certbot/logs/:/var/log/letsencrypt/
    secrets:
      - source: cloudflare
        target: cloudflare.ini

secrets:
  cloudflare:
    file: /data/secrets/cloudflare.ini

Also, follow the instructions in this document and download the mailserver.env file, then edit it as you need. For reference, I changed the following ENV parameters for my mail server (read the comments in the mailserver.env file for the meaning of each parameter):

  • TLS_LEVEL=intermediate
  • SPOOF_PROTECTION=1
  • ENABLE_OPENDKIM=0 (I’m using rspamd)
  • ENABLE_OPENDMARC=0 (I’m using rspamd)
  • ENABLE_POLICYD_SPF=0 (I’m using rspamd)
  • ENABLE_POP3= (disabled)
  • ENABLE_IMAP=1 (enabled)
  • ENABLE_RSPAMD=1
  • RSPAMD_LEARN=1
  • RSPAMD_GREYLISTING=1
  • RSPAMD_HFILTER=1
  • ENABLE_FAIL2BAN=1
  • FAIL2BAN_BLOCKTYPE=reject
  • SSL_TYPE=letsencrypt
  • POSTFIX_MAILBOX_SIZE_LIMIT=104857600 (100MB)
  • ENABLE_QUOTAS=1
  • PFLOGSUMM_TRIGGER=daily_cron
  • ENABLE_SPAMASSASSIN=0

Upload the compose.yaml and mailserver.env files to the /data/docker folder on your OCI virtual machine (mailserver.env must be in the same folder as compose.yaml) and run the following command:

sudo docker compose -f /data/docker/compose.yaml up mailserver

You should see an error message saying that at least one email account must be created before the mail server can run properly.

Press CTRL+C and stop your mailserver for now.

Follow the instructions on configuring your mail server from Docker-Mailserver documentation.

When you have finished all your settings, run the container again, this time detached:

sudo docker compose -f /data/docker/compose.yaml up -d mailserver

Then check the logs of your mail server:

sudo docker logs mailserver --tail 100

You should see output like this:

ubuntu@mailserver:/$ sudo docker logs mailserver --tail 20
[   INF   ]  Welcome to docker-mailserver v13.3.1
[   INF   ]  Checking configuration
[   INF   ]  Configuring mail server
[   INF   ]  Starting daemons
[   INF   ]  mail.mymail.com is up and running
Mar 27 17:49:17 mail postfix/postfix-script[1057]: starting the Postfix mail system
Mar 27 17:49:17 mail postfix/master[1058]: daemon started -- version 3.5.23, configuration /etc/postfix

This means that the mail server started successfully, at least one email account exists, and all services are running.

Open ports in OCI

To let your mail server receive mail, and to connect your mail app to it over IMAP, SMTP or ESMTP, you need to open those ports in the OCI network security list.

Go to Networking -> Virtual cloud networks -> [click on your network (mailserver)] -> Security Lists (2) -> [click on your preferred/public security list] -> [Add Ingress Rules]. Add ingress rules as shown in the following screenshot (example for port 25):

Repeat this process for the other ports used by your mail server: 143, 465, 587 and 993.

Don’t forget about your IPv6 ports if enabled.

You can also open the rspamd web UI port (11334), but make sure you have applied all the necessary security precautions first. If you don't want to expose the rspamd port to the public internet, you can install cloudflared on your VM, create a service token in Cloudflare Zero Trust and attach it to your Cloudflare Tunnel, so that only you can open the rspamd UI from your browser (add the service token to your browser's request headers).

DNS Records

Have a look at the Docker-Mailserver documentation for best practices and the DNS records you need to publish to secure your mail server: SPF, DKIM, DMARC, DANE, MTA-STS and TLS-RPT.
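Once those records are published it is worth sanity-checking them before relying on them. The following is an added example, not code from the original post or from Docker-Mailserver: a small Python linter for the SPF, DMARC, MTA-STS and TLSRPT TXT values (DKIM and DANE need key and certificate material, so they are not covered). The record values, the mymail.com names and all function names are constructed assumptions.

```python
import re

def _tags(record):  # 'k=v; k2=v2' records (DMARC, MTA-STS, TLSRPT) -> lower-cased dict
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def lint_spf(record):
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record must start with v=spf1"]
    issues, last = [], terms[-1].lower()
    if last in ("+all", "all"):
        issues.append("SPF: '+all' lets any host send as this domain; end with -all or ~all")
    elif last not in ("-all", "~all") and not last.startswith("redirect="):
        issues.append("SPF: no terminal 'all' mechanism; append -all")
    # Mechanisms that cost a DNS lookup; more than 10 makes receivers return permerror
    lookups = sum(bool(re.match(r"^[+\-~?]?(include:|a\b|mx\b|ptr|exists:|redirect=)", t.lower())) for t in terms)
    if lookups > 10:
        issues.append(f"SPF: {lookups} lookup terms exceed the limit of 10")
    return issues

def lint_tagged(kind, record, version, required):
    # Shared checks for DMARC/MTA-STS/TLSRPT: correct version tag, required tags present
    t = _tags(record)
    if t.get("v") != version:
        return [f"{kind}: record must contain v={version}"], t
    return [f"{kind}: missing {tag}= tag" for tag in required if not t.get(tag)], t

def lint_dmarc(record):
    issues, t = lint_tagged("DMARC", record, "DMARC1", ("p", "rua"))
    if t.get("p") == "none":
        issues.append("DMARC: p=none only monitors; move to quarantine/reject once SPF and DKIM align")
    return issues

LINTERS = {
    "spf": lint_spf,
    "dmarc": lint_dmarc,
    "mta-sts": lambda r: lint_tagged("MTA-STS", r, "STSv1", ("id",))[0],
    "tlsrpt": lambda r: lint_tagged("TLSRPT", r, "TLSRPTv1", ("rua",))[0],
}

def lint_domain(records):  # records: {'spf': txt, 'dmarc': txt, ...}; absent kinds are reported too
    return [issue for name, fn in LINTERS.items()
            for issue in (fn(records[name]) if name in records else [f"{name.upper()}: no record published"])]

# Constructed sample for mymail.com (not real DNS data): permissive SPF, monitor-only DMARC, no TLSRPT
SAMPLE = {"spf": "v=spf1 mx a:mail.mymail.com +all", "mta-sts": "v=STSv1; id=20240327",
          "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@mymail.com"}
```

Feed it the TXT values you actually published (for example from `dig +short TXT _dmarc.mymail.com`) and fix every issue it reports before you announce the domain.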

Congratulations, that's it! You have configured your own mail server on Oracle Cloud Infrastructure completely free of charge, provided of course that you stay within the Always Free (Free Tier) resource limits.