Free Mail Server on OCI

Free Mail Server on OCI – Docker-Mailserver

This is part of a series of articles on how to set up your own free mail server on OCI.

You can find out how to create an Oracle Cloud account and do the basic setup in this article.
You can find out how to link your domain name to OCI in this article.
You can find out how to reserve a public IPv4 address and set up PTR in OCI in this article.
You can find out how to create a Data Block Volume and link it to OCI in this article.
You can find out how to create a Virtual Cloud Network in OCI in this article.
You can find out how to create a Compute instance (virtual machine) in OCI in this article.
You can read about the swapfile and why it needs to be created in this article.
You can find out what OCFS2 is and why we need to configure it in this article.
You can find out how to install Docker, Compose and Certbot to generate certificates in this article.

Docker-Mailserver

As I mentioned earlier, our mail server is based on the Docker-Mailserver container image; its documentation is here.

Edit your compose.yaml file and add the mailserver service so that it looks like this:

services:
  # mailserver container
  mailserver:
    image: mailserver/docker-mailserver:latest
    container_name: mailserver
    # Provide the FQDN of your mail server here (Your DNS MX record should point to this value)
    hostname: mail.mymail.com
    env_file: ./mailserver.env
    ports:
      - "25:25" # SMTP (explicit TLS => STARTTLS)
      - "143:143" # IMAP4 (explicit TLS => STARTTLS)
      - "465:465" # ESMTP (implicit TLS)
      - "587:587" # ESMTP (explicit TLS => STARTTLS)
      - "993:993" # IMAP4 (implicit TLS)
    volumes:
      - /data/dms/mail-data/:/var/mail/
      - /data/dms/mail-state/:/var/mail-state/
      - /data/dms/mail-logs/:/var/log/mail/
      - /data/dms/config/:/tmp/docker-mailserver/
      - /data/certbot/certs/:/etc/letsencrypt/:ro
      - /etc/localtime:/etc/localtime:ro
    restart: always
    stop_grace_period: 1m
    # Required when `ENABLE_FAIL2BAN=1` is set:
    cap_add:
      - NET_ADMIN
    healthcheck:
      test: "ss --listening --tcp | grep -P 'LISTEN.+:smtp' || exit 1"
      timeout: 3s
      retries: 0

  # certbot generate SSL certs
  certbot-cloudflare:
    image: certbot/dns-cloudflare:latest
    command: certonly --dns-cloudflare --dns-cloudflare-credentials /run/secrets/cloudflare.ini -d mail.mymail.com
    volumes:
      - /data/certbot/certs/:/etc/letsencrypt/
      - /data/certbot/logs/:/var/log/letsencrypt/
    secrets:
      - source: cloudflare
        target: cloudflare.ini

  # certbot renew SSL certs
  certbot-cloudflare-renew:
    image: certbot/dns-cloudflare:latest
    command: renew --reuse-key --dns-cloudflare --dns-cloudflare-credentials /run/secrets/cloudflare.ini
    volumes:
      - /data/certbot/certs/:/etc/letsencrypt/
      - /data/certbot/logs/:/var/log/letsencrypt/
    secrets:
      - source: cloudflare
        target: cloudflare.ini

secrets:
  cloudflare:
    file: /data/secrets/cloudflare.ini

Also follow the instructions in this document to download the mailserver.env file, and edit it as you need. I changed the following ENV parameters for my mail server (read the comments in the mailserver.env file for more details and the meaning of each parameter):

  • TLS_LEVEL=intermediate
  • SPOOF_PROTECTION=1
  • ENABLE_OPENDKIM=0 (I’m using rspamd)
  • ENABLE_OPENDMARC=0 (I’m using rspamd)
  • ENABLE_POLICYD_SPF=0 (I’m using rspamd)
  • ENABLE_POP3= (disabled)
  • ENABLE_IMAP=1 (enabled)
  • ENABLE_RSPAMD=1
  • RSPAMD_LEARN=1
  • RSPAMD_GREYLISTING=1
  • RSPAMD_HFILTER=1
  • ENABLE_FAIL2BAN=1
  • FAIL2BAN_BLOCKTYPE=reject
  • SSL_TYPE=letsencrypt
  • POSTFIX_MAILBOX_SIZE_LIMIT=104857600 (100MB)
  • ENABLE_QUOTAS=1
  • PFLOGSUMM_TRIGGER=daily_cron
  • ENABLE_SPAMASSASSIN=0
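
A pre-flight check for the settings above, as an added example that is not part of the original article or the Docker-Mailserver project: it warns when a service the author disabled in favour of rspamd is still on, when fail2ban is enabled without an active NET_ADMIN entry in compose.yaml, or when SSL_TYPE is empty. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. Sample file contents are constructed.

# Print the value of KEY in an env file: last assignment wins, comment lines are
# skipped, values are assumed unquoted (as in the upstream mailserver.env).
env_get() {  # usage: env_get FILE KEY
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); gsub(/[ \t]/, "", k)
            if (k == key) { val = substr($0, eq + 1); sub(/[ \t]+$/, "", val) }
        }
        END { printf "%s", val }' "$1"
}

# Print one WARN line per finding; return 1 if there was any, 0 otherwise.
lint_dms_env() {  # usage: lint_dms_env ENV_FILE COMPOSE_FILE
    rc=0
    if [ "$(env_get "$1" ENABLE_RSPAMD)" = "1" ]; then
        # The article switches these off because rspamd is used instead.
        for key in ENABLE_OPENDKIM ENABLE_OPENDMARC ENABLE_POLICYD_SPF ENABLE_SPAMASSASSIN; do
            if [ "$(env_get "$1" "$key")" = "1" ]; then
                echo "WARN: $key=1 overlaps with ENABLE_RSPAMD=1"; rc=1
            fi
        done
    fi
    # Fail2ban needs an active (uncommented) NET_ADMIN entry under cap_add.
    if [ "$(env_get "$1" ENABLE_FAIL2BAN)" = "1" ] &&
       ! grep -Eq '^[[:space:]]*-[[:space:]]*NET_ADMIN' "$2"; then
        echo "WARN: ENABLE_FAIL2BAN=1 but no active NET_ADMIN in $2"; rc=1
    fi
    # The article relies on SSL_TYPE=letsencrypt for the TLS ports it publishes.
    if [ -z "$(env_get "$1" SSL_TYPE)" ]; then
        echo "WARN: SSL_TYPE is empty"; rc=1
    fi
    return "$rc"
}

# Constructed sample: OpenDKIM left on, NET_ADMIN still commented out.
tmp=$(mktemp -d)
printf '%s\n' '# constructed sample' 'ENABLE_RSPAMD=1' 'ENABLE_OPENDKIM=1' \
    'ENABLE_POP3=' 'ENABLE_FAIL2BAN=1' 'SSL_TYPE=letsencrypt' > "$tmp/mailserver.env"
printf '%s\n' 'services:' '  mailserver:' '    # cap_add:' \
    '    #   - NET_ADMIN' > "$tmp/compose.yaml"
lint_dms_env "$tmp/mailserver.env" "$tmp/compose.yaml" || echo "review the warnings above"
```

Run it against /data/docker/mailserver.env and /data/docker/compose.yaml before the first `docker compose up`.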

Upload the compose.yaml and mailserver.env files to the /data/docker folder on your OCI virtual machine (mailserver.env must be in the same folder as compose.yaml) and run the following command:

sudo docker compose -f /data/docker/compose.yaml up mailserver

You should see an error message saying that at least one email address must be created for the mail server to run properly.

Press CTRL+C and stop your mailserver for now.

Follow the instructions for configuring your mail server in the Docker-Mailserver documentation.

When you have finished all your settings, run the docker container again:

sudo docker compose -f /data/docker/compose.yaml up -d mailserver

And then check the logs of your Mail Server:

sudo docker logs mailserver --tail 100

You should see messages like these:

ubuntu@mailserver:/$ sudo docker logs mailserver --tail 20
[   INF   ]  Welcome to docker-mailserver v13.3.1
[   INF   ]  Checking configuration
[   INF   ]  Configuring mail server
[   INF   ]  Starting daemons
[   INF   ]  mail.mymail.com is up and running
Mar 27 17:49:17 mail postfix/postfix-script[1057]: starting the Postfix mail system
Mar 27 17:49:17 mail postfix/master[1058]: daemon started -- version 3.5.23, configuration /etc/postfix

This means that the mail server started successfully, at least one email address has been added/created, and all systems work fine.

Open ports in OCI

To let your mail server receive mail, or to connect your mail app to it via the IMAP, SMTP or ESMTP protocols, you need to open those ports in the OCI network security list.

Go to Networking -> Virtual cloud networks -> [click on your network (mailserver)] -> Security Lists (2) -> [click on your preferred security list] -> [Add Ingress rules]. Add ingress rules as in the following screenshot (sample for port 25):

Repeat this process for the other ports used by your mail server: 143, 465, 587, 993.

You can also add the RSPAMD port (11334), but make sure that you’ve applied all security precautions. If you don’t want to open the RSPAMD port to the public, you can install cloudflared on your VM, create a security token on Cloudflare and link it to your Cloudflare tunnel (Zero Trust), so that only you will be able to open RSPAMD from your browser (add the security token to your browser’s headers).
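
To keep the security list and compose.yaml in step, this added example (not from the original article) lists the host ports that compose.yaml publishes on public interfaces and reports whether the Rspamd port is among them. The function names and the sample compose text are constructed, and publishing 11334 on 127.0.0.1 for a cloudflared running on the same VM is an assumption about how the tunnel would reach it.

```shell
#!/bin/sh
# Added example, not from the original article. Sample compose text is constructed.

# Print "BIND HOSTPORT" for each short-syntax entry under a ports: key, e.g.
# "25:25" or "127.0.0.1:11334:11334", with an optional /tcp or /udp suffix.
published_ports() {  # usage: published_ports COMPOSE_FILE
    tr -d "\"'" < "$1" | awk '
        /^[ \t]*#/             { next }
        /^[ \t]*ports:[ \t]*$/ { inports = 1; next }
        inports && /^[ \t]*-/  {
            sub(/#.*/, ""); sub(/^[ \t]*-[ \t]*/, "")
            sub(/\/(tcp|udp)/, ""); sub(/[ \t]+$/, "")
            n = split($0, f, ":")
            if (n == 2) print "0.0.0.0", f[1]   # host:container, all interfaces
            if (n == 3) print f[1], f[2]        # ip:host:container
            next
        }
        { inports = 0 }'
}

# Comma-separated host ports that need an OCI ingress rule (loopback binds excluded).
ingress_ports() {  # usage: ingress_ports COMPOSE_FILE
    published_ports "$1" | awk '$1 != "127.0.0.1" { print $2 }' | sort -n | paste -sd, -
}

# Exit 0 when PORT (default 11334, the Rspamd port) is published beyond loopback.
rspamd_ui_public() {  # usage: rspamd_ui_public COMPOSE_FILE [PORT]
    published_ports "$1" | awk -v p="${2:-11334}" '
        $2 == p && $1 != "127.0.0.1" { found = 1 }
        END { exit !found }'
}

# Constructed sample: the same service with 11334 published publicly, then on loopback.
tmp=$(mktemp -d)
cat > "$tmp/open.yaml" <<'EOF'
services:
  mailserver:
    ports:
      - "25:25"       # SMTP
      - "993:993"     # IMAP4 (implicit TLS)
      - "11334:11334" # Rspamd
    volumes:
      - /data/dms/config/:/tmp/docker-mailserver/
EOF
sed 's/"11334:11334"/"127.0.0.1:11334:11334"/' "$tmp/open.yaml" > "$tmp/local.yaml"
for f in "$tmp/open.yaml" "$tmp/local.yaml"; do
    if rspamd_ui_public "$f"; then state="public"; else state="not public"; fi
    echo "${f##*/}: ingress for $(ingress_ports "$f"); port 11334 is $state"
done
```

Only the short `host:container` port syntax with IPv4 bind addresses is parsed; long-form port mappings and IPv6 binds are not handled.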

Congratulations! That’s it. You’ve configured your own Mail Server on Oracle Cloud Infrastructure completely Free of charge, if you use the resources within the Always Free (or Free Tier) plan of course.