[Postfix](http://www.postfix.org/) with dovecot authentication and [spamassassin](http://spamassassin.apache.org/) + [OpenDKIM](http://www.opendkim.org/) in postgres.

# Volumes

- `/etc/ssl/mail:ro`: certificates have to be here.

# Environment Variables

## MYHOSTNAME

Fully qualified hostname.

## MYDOMAIN

The internet domain name of the mail system.

## SMTP_BANNER

Text prepended to `$myhostname ESMTP $mail_name` for the SMTP banner.

## SPAMASSASSIN_HOST

Hostname for the spamassassin host.

## DOVECOT_HOST

Hostname for the dovecot host.

## DOVECOT_AUTH_PORT

Port for the dovecot host.

## DKIM_HOST

Hostname for the OpenDKIM host.

## DKIM_PORT

Port for the OpenDKIM host.

## LMTP_HOST

Hostname for the LMTP host (probably dovecot).

## LMTP_PORT

Port for the LMTP host.

## CERT_DOMAIN

Name of the certificate domain. Name of the key file.

## DB_HOST

PostgreSQL database host.

## DB_USER

- default: email

User to connect to the database.

## DB_PASSWORD

Password to use for the database user.

## DB_NAME

- default: email

Name of the PostgreSQL database to connect to.

## MESSAGE_SIZELIMIT

- default: 20000000

Message size limit in bytes.

## MAILBOX_SIZELIMIT

- default: 0

Mailbox size limit in bytes. `0` disables the limit.

## TLS_SECURITY_LEVEL

- default: may

One of:

- none: TLS will not be used.
- may: Opportunistic TLS: announce STARTTLS support to remote SMTP clients, but do not require that clients use TLS encryption.
- encrypt: Mandatory TLS encryption: announce STARTTLS support to remote SMTP clients, and require that clients use TLS encryption. According to [RFC 2487](http://tools.ietf.org/html/rfc2487) this MUST NOT be applied in case of a publicly-referenced SMTP server.

## TLS_PROTOCOLS

- default: !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

Comma-separated list of accepted TLS protocols.

## TLS_CIPHERS

- default: high

The minimum TLS cipher grade that the Postfix SMTP server will use with opportunistic TLS encryption.

## TLS_EXCLUDE_CIPHERS

- default: aNULL, MD5, 3DES

Comma-separated list of ciphers or cipher types to exclude from the SMTP server cipher list at all TLS security levels.

# Ports

- 25
- 587

# Capabilities

- DAC_OVERRIDE
- NET_BIND_SERVICE
- SETGID
- SETUID
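
A Compose service definition that wires together the volume, variables, ports and capabilities documented above, as an added example that is not part of the image's own documentation. The image name, all hostnames and helper-service ports, the host certificate path, the empty banner value, and the assumption that the image runs with every other capability dropped are placeholders or assumptions.

```yaml
# Added example: all names and values below are constructed placeholders.
services:
  postfix:
    image: example/postfix:latest       # placeholder, substitute the real image
    ports:
      - "25:25"
      - "587:587"
    volumes:
      - ./certs:/etc/ssl/mail:ro        # host path is a placeholder; read-only mount
    cap_drop:
      - ALL                             # assumption: nothing beyond the list below is needed
    cap_add:                            # the four entries under "Capabilities"
      - DAC_OVERRIDE
      - NET_BIND_SERVICE
      - SETGID
      - SETUID
    environment:
      MYHOSTNAME: mail.example.org
      MYDOMAIN: example.org
      SMTP_BANNER: ""                   # constructed value: prepend nothing to the banner
      SPAMASSASSIN_HOST: spamassassin   # hypothetical service names on the same network
      DOVECOT_HOST: dovecot
      DOVECOT_AUTH_PORT: "12345"        # constructed port
      DKIM_HOST: opendkim
      DKIM_PORT: "8891"                 # constructed port
      LMTP_HOST: dovecot
      LMTP_PORT: "24"                   # constructed port
      CERT_DOMAIN: mail.example.org
      DB_HOST: postgres
      DB_USER: email                    # documented default, shown explicitly
      DB_NAME: email                    # documented default, shown explicitly
      # Keep the secret out of this file: Compose aborts if the variable is unset.
      DB_PASSWORD: ${DB_PASSWORD:?set DB_PASSWORD in the shell or an .env file}
      # Port 25 receives mail from arbitrary remote servers, so stay on
      # opportunistic TLS; "encrypt" is ruled out for public servers above.
      TLS_SECURITY_LEVEL: may
      # TLS_PROTOCOLS, TLS_CIPHERS and TLS_EXCLUDE_CIPHERS are left unset so the
      # documented defaults apply. If TLS_PROTOCOLS is overridden, quote the value:
      # a leading "!" is YAML tag syntax.
```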