knet-mailserver/readme.md
2025-12-27 03:14:53 +01:00


Poste.io behind Traefik (Coolify)

Self-hosted poste.io with HTTP(S) served by Traefik (managed by Coolify) and mail protocols exposed directly to the host.

Network scheme (per poste.io docs)

  • Mail ports (SMTP/IMAP/POP3/Sieve) are published directly on the host so clients and remote MTAs reach the real server IP.
  • HTTP(S) for the admin UI and webmail is terminated by Traefik and forwarded internally to poste.io on port 8080 (poste runs with HTTPS=OFF).
  • Set Docker userland-proxy to false to avoid losing real client IPs when publishing mail ports (poste.io warns about open relay risk when proxying mail ports).

Prerequisites

  • Domain with A/AAAA record for POSTE_HOSTNAME (e.g., mail.example.com) pointing to the server's public IP.
  • MX record pointing to POSTE_HOSTNAME.
  • Optional but recommended: PTR (rDNS) matching POSTE_HOSTNAME.
  • DNS access to add SPF/TXT, DKIM (after initial setup), and DMARC records.
  • Coolify with its Traefik stack running and an external Docker network available (default name coolify-overlay).

Configure Docker for real client IPs

Create or update /etc/docker/daemon.json:

{
	"userland-proxy": false
}

Restart Docker (sudo systemctl restart docker). This keeps source IPs visible to poste.io while using published ports.

Environment variables

Create .env next to docker-compose.yml (adjust values):

POSTE_HOSTNAME=mail.example.com
TZ=UTC
TRAEFIK_NETWORK=coolify-overlay
TRAEFIK_CERTRESOLVER=coolify
DISABLE_CLAMAV=false
DISABLE_RSPAMD=false

Deploy with Coolify

  1. Ensure the Traefik network exists (default coolify-overlay). If not, create it: docker network create coolify-overlay.
  2. Import this docker-compose.yml into a Coolify “Docker Compose” app. Set the environment variables above in Coolify.
  3. Attach the app to Coolify's Traefik network (TRAEFIK_NETWORK). Coolify will inject the network automatically when selected.
  4. Deploy. Traefik will request a certificate via TRAEFIK_CERTRESOLVER and route https://POSTE_HOSTNAME to poste.io on port 8080.

If running outside Coolify, you can still deploy with docker compose up -d after creating the network.

Exposed ports (host)

  • 25 SMTP, 465 SMTPS, 587 Submission
  • 110 POP3, 995 POP3S
  • 143 IMAP, 993 IMAPS
  • 4190 ManageSieve

First-time setup

  1. Wait for containers to start: docker compose ps.
  2. Open https://POSTE_HOSTNAME to reach the admin UI (proxied by Traefik). Complete the poste.io onboarding (admin mailbox + password, DKIM key generation, etc.).
  3. Add the generated DKIM TXT record and ensure SPF and DMARC records are present.
  4. Test SMTP/IMAP with your client against the host IP/hostname.
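
A check for step 3, as an added example that is not part of this repository: it lints the SPF, DMARC and DKIM TXT values you published and reports the mistakes that weaken them (duplicate SPF records, +all, DMARC p=none, a revoked DKIM key). The function names and the sample records are assumptions made for illustration; paste in the values your own DNS returns.

```python
# Added example: offline lint of SPF, DMARC and DKIM TXT values (strings as
# returned by e.g. `dig +short TXT`, quotes removed). Not part of the project.

def _tags(record):
    """Parse a 'k=v; k=v' tag list (DKIM, DMARC) into a dict."""
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def lint_spf(apex_txt):
    """apex_txt: every TXT string published at the mail domain itself."""
    spf = [r.lower().split() for r in apex_txt if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["SPF: no v=spf1 record"]
    if len(spf) > 1:
        return ["SPF: multiple v=spf1 records, receivers return permerror"]
    terms = spf[0][1:]
    if "+all" in terms or "all" in terms:  # a bare 'all' defaults to '+all'
        return ["SPF: +all authorizes every sender"]
    if not any(t in ("-all", "~all", "?all") or t.startswith("redirect=") for t in terms):
        return ["SPF: no all mechanism or redirect, unmatched senders get neutral"]
    return []

def lint_dmarc(dmarc_txt):
    """dmarc_txt: TXT strings published at _dmarc.<domain>."""
    recs = [r for r in dmarc_txt if r.replace(" ", "").lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        return ["DMARC: expected one v=DMARC1 record, found %d" % len(recs)]
    policy = _tags(recs[0]).get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return ["DMARC: missing or invalid p= tag"]
    if policy == "none":
        return ["DMARC: p=none is monitor-only, failing mail is still delivered"]
    return []

def lint_dkim(selector_txt):
    """selector_txt: TXT strings published at <selector>._domainkey.<domain>."""
    keys = [_tags(r) for r in selector_txt if "p=" in r]
    if not keys:
        return ["DKIM: no key record at this selector"]
    if any(not t.get("p") for t in keys):
        return ["DKIM: empty p= marks the key as revoked"]
    return []

if __name__ == "__main__":
    # Constructed sample values for a placeholder domain; the DKIM key is a stub.
    findings = (lint_spf(["v=spf1 mx -all"])
                + lint_dmarc(["v=DMARC1; p=none; rua=mailto:postmaster@example.com"])
                + lint_dkim(["v=DKIM1; k=rsa; p=CONSTRUCTEDBASE64KEY"]))
    print("\n".join(findings) or "no findings")
```

An empty list from all three functions means none of these specific mistakes was found; it does not confirm that the DKIM key matches the one poste.io generated.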

Notes

  • Poste.io still handles STARTTLS on mail ports directly; Traefik is only for HTTP(S).
  • If you need Let's Encrypt inside poste.io instead of Traefik, remove HTTPS=OFF and forward /.well-known from Traefik, but avoid port conflicts with Traefik's 80/443.
  • Keep an eye on spam/relay checks in the poste.io admin UI to confirm real client IPs are detected.