Client-Ansible-Setup/services/service_mail/docker-compose.yml

# {{ ansible_managed }}

services:
  # Gluetun is used to connect container to VPN
  mailserver-gluetun:
    image: qmcgaw/gluetun
    cap_add:
      - NET_ADMIN
    environment:
      - VPN_SERVICE_PROVIDER=custom
      - VPN_TYPE=wireguard
      - VPN_ENDPOINT_IP={{ proxy_server_ip }}
      - VPN_ENDPOINT_PORT={{ proxy_server_vpn_port }}
      - WIREGUARD_PUBLIC_KEY={{ vpn_server_pubkey }}
      - WIREGUARD_PRIVATE_KEY={{ mail_service_privkey }}
      - WIREGUARD_ADDRESSES=10.0.0.2/32
      - FIREWALL_VPN_INPUT_PORTS=25,465,587,993,143
    ports:
      - "25:25" # Cleartext
      - "465:465" # ESMTP Implicit TLS / Appears to be used
      - "587:587" # SMTP+STARTTLS Explicit TLS / Appears to be used
      - "993:993" # IMAPS Implicit TLS / Appears to not be used
      - "143:143" # IMAPS IMAP+STARTTLS Explicit TLS / Appears to be used
  mailserver:
    network_mode: "service:mailserver-gluetun"
    image: ghcr.io/docker-mailserver/docker-mailserver:latest
    container_name: mailserver
    # Provide the FQDN of your mail server here (Your DNS MX record should point to this value)
    # hostname: mail.{{ domain_name }}
    volumes:
      - ./data/mail-data/:/var/mail/
      - ./data/mail-state/:/var/mail-state/
      - ./data/mail-logs/:/var/log/mail/
      - ./data/config/:/tmp/docker-mailserver/
      - ./data/certbot/certs/:/etc/letsencrypt
      - /etc/localtime:/etc/localtime:ro
    environment:
      - OVERRIDE_HOSTNAME=mail.{{ domain_name }}

      # SSL Configuration
      # Having issues with letsencrypt SSL_TYPE not being able to find the paths so just adding the keys manually
        #      - SSL_TYPE=letsencrypt
      - SSL_TYPE=manual
      # Values should match the file paths inside the container:
      - SSL_CERT_PATH=/etc/letsencrypt/live/mail.{{ domain_name }}/fullchain.pem
      - SSL_KEY_PATH=/etc/letsencrypt/live/mail.{{ domain_name }}/privkey.pem

      - ENABLE_SASLAUTHD=1
      - ENABLE_FAIL2BAN=1
      - ENABLE_RSPAMD=1
      - ENABLE_OPENDKIM=0
      - ENABLE_OPENDMARC=0
      - ENABLE_POLICYD_SPF=0
      - ENABLE_AMAVIS=0
      - ENABLE_SPAMASSASSIN=0
      - ENABLE_CLAMAV=0
    cap_add:
      - NET_ADMIN # For Fail2Ban to work
    restart: always