# Poste.io behind Traefik (Coolify)

Self-hosted poste.io with HTTP(S) served by Traefik (managed by Coolify) and mail protocols exposed directly to the host.

## Network scheme (per poste.io docs)
- Mail ports (SMTP/IMAP/POP3/Sieve) are published directly on the host so clients and remote MTAs reach the real server IP.
- HTTP(S) for the admin UI and webmail is terminated by Traefik and forwarded internally to poste.io on port 8080 (poste runs with `HTTPS=OFF`).
- Set Docker `userland-proxy` to `false` to avoid losing real client IPs when publishing mail ports (poste.io warns about open relay risk when proxying mail ports).

## Prerequisites
- Domain with A/AAAA record for `POSTE_HOSTNAME` (e.g., `mail.example.com`) pointing to the server public IP.
- MX record pointing to `POSTE_HOSTNAME`.
- Optional but recommended: PTR (rDNS) matching `POSTE_HOSTNAME`.
- DNS access to add SPF/TXT, DKIM (after initial setup), and DMARC records.
- Coolify with its Traefik stack running and an external Docker network available (default name `coolify-overlay`).

## Configure Docker for real client IPs
Create or update `/etc/docker/daemon.json`:

```json
{
	"userland-proxy": false
}
```

Restart Docker (`sudo systemctl restart docker`). This keeps source IPs visible to poste.io while using published ports.

## Environment variables
Create `.env` next to `docker-compose.yml` (adjust values):

```
POSTE_HOSTNAME=mail.example.com
TZ=UTC
TRAEFIK_NETWORK=coolify-overlay
TRAEFIK_CERTRESOLVER=coolify
DISABLE_CLAMAV=false
DISABLE_RSPAMD=false
```

## Deploy with Coolify
1) Ensure the Traefik network exists (default `coolify-overlay`). If not, create it: `docker network create coolify-overlay`.
2) Import this `docker-compose.yml` into a Coolify “Docker Compose” app. Set the environment variables above in Coolify.
3) Attach the app to Coolify’s Traefik network (`TRAEFIK_NETWORK`). Coolify will inject the network automatically when selected.
4) Deploy. Traefik will request a certificate via `TRAEFIK_CERTRESOLVER` and route `https://POSTE_HOSTNAME` to poste.io on port 8080.

If running outside Coolify, you can still deploy with `docker compose up -d` after creating the network.

## Exposed ports (host)
- 25 SMTP, 465 SMTPS, 587 Submission
- 110 POP3, 995 POP3S
- 143 IMAP, 993 IMAPS
- 4190 ManageSieve

## First-time setup
1) Wait for containers to start: `docker compose ps`.
2) Open `https://POSTE_HOSTNAME` to reach the admin UI (proxied by Traefik). Complete the poste.io onboarding (admin mailbox + password, DKIM key generation, etc.).
3) Add generated DKIM TXT record and ensure SPF and DMARC records are present.
4) Test SMTP/IMAP with your client against the host IP/hostname.

## Notes
- Poste.io still handles STARTTLS on mail ports directly; Traefik is only for HTTP(S).
- If you need Let’s Encrypt inside poste.io instead of Traefik, remove `HTTPS=OFF` and forward `/.well-known` from Traefik, but avoid port conflicts with Traefik’s 80/443.
- Keep an eye on spam/relay checks in the poste.io admin UI to confirm real client IPs are detected.