This commit is contained in:
github-actions[bot] 2021-09-22 23:30:04 +00:00
parent 07afd2c901
commit 4d20a99272
46 changed files with 847 additions and 862 deletions


@ -6,7 +6,7 @@
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<meta name="description" content="A fullstack but simple mail server (SMTP, IMAP, LDAP, Antispam, Antivirus, etc.) using Docker.">
<meta name="description" content="A fullstack but simple mail-server (SMTP, IMAP, LDAP, Antispam, Antivirus, etc.) using Docker.">
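Review bot: "mail-server" as a stand-alone noun (this line, and the same `mail server` to `mail-server` rename repeated throughout the 46 files) is non-standard English; the compound is hyphenated only when it modifies another noun ("mail-server infrastructure"), so the meta description should keep "A fullstack but simple mail server (SMTP, IMAP, LDAP, ...)". If the hyphenated spelling is a deliberate project-wide term, record it once in a style note so later contributors do not revert it piecemeal. Note that the site search config on this page splits tokens on `[\s\-]+`, so the hyphen changes nothing for search results either way.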
@ -16,15 +16,15 @@
<link rel="canonical" href="https://docker-mailserver.github.io/docker-mailserver/edge/introduction/">
<link rel="icon" href="../assets/logo/favicon-32x32.png">
<meta name="generator" content="mkdocs-1.2.2, mkdocs-material-7.2.6">
<meta name="generator" content="mkdocs-1.2.2, mkdocs-material-7.2.8">
<title>An Introduction to Mail Servers - Docker Mailserver</title>
<title>An overview of Mail-Server infrastructure - Docker Mailserver</title>
<link rel="stylesheet" href="../assets/stylesheets/main.802231af.min.css">
<link rel="stylesheet" href="../assets/stylesheets/main.92558b1b.min.css">
<link rel="stylesheet" href="../assets/stylesheets/palette.3f5d1f46.min.css">
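Review bot: The new `<title>` "An overview of Mail-Server infrastructure" mixes sentence case with one title-cased compound, and it no longer matches the heading the page renders: the same commit changes the body `<h1>` to a bare "Introduction" while the header topic becomes "An overview of Mail-Server infrastructure", so the page now has three labels. Pick one and use it for `<title>`, the header topic and the `<h1>`; if the long form is kept, write it consistently as "An Overview of Mail-Server Infrastructure" or "An overview of mail-server infrastructure". The mkdocs-material 7.2.6 to 7.2.8 generator bump and the stylesheet hash change are expected output of regenerating the site and need no review.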
@ -73,7 +73,7 @@
<div data-md-component="skip">
<a href="#an-introduction-to-mail-servers" class="md-skip">
<a href="#anatomy-of-a-mail-server" class="md-skip">
Skip to content
</a>
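Review bot: The skip-to-content link now targets `#anatomy-of-a-mail-server`, the first `<h2>`, so keyboard and screen-reader users who activate "Skip to content" land past the page's `<h1>` and its two opening paragraphs instead of at the start of the content. The retargeting was forced because the new `<h1>Introduction</h1>` carries no `id`; give the h1 an id (for example `id="introduction"`) and point the skip link at it rather than at the first subsection.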
@ -102,7 +102,7 @@
<div class="md-header__topic" data-md-component="header-topic">
<span class="md-ellipsis">
An Introduction to Mail Servers
An overview of Mail-Server infrastructure
</span>
</div>
@ -382,8 +382,6 @@
<input class="md-nav__toggle md-toggle" data-md-toggle="toc" type="checkbox" id="__toc">
<label class="md-nav__link md-nav__link--active" for="__toc">
Introduction
@ -399,8 +397,6 @@
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
@ -410,7 +406,7 @@
<li class="md-nav__item">
<a href="#anatomy-of-a-mail-server" class="md-nav__link">
Anatomy of a Mail Server
Anatomy of a Mail-Server
</a>
</li>
@ -1149,7 +1145,7 @@
<li class="md-nav__item">
<a href="../examples/tutorials/mailserver-behind-proxy/" class="md-nav__link">
Mailserver behind Proxy
Mail-Server behind a Proxy
</a>
</li>
@ -1200,7 +1196,7 @@
<li class="md-nav__item">
<a href="../examples/uses-cases/forward-only-mailserver-with-ldap-authentication/" class="md-nav__link">
Forward-Only Mailserver with LDAP
Forward-Only Mail-Server with LDAP
</a>
</li>
@ -1369,8 +1365,6 @@
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
@ -1380,7 +1374,7 @@
<li class="md-nav__item">
<a href="#anatomy-of-a-mail-server" class="md-nav__link">
Anatomy of a Mail Server
Anatomy of a Mail-Server
</a>
</li>
@ -1483,19 +1477,20 @@
</a>
<h1 id="an-introduction-to-mail-servers"><a class="toclink" href="#an-introduction-to-mail-servers">An Introduction to Mail Servers</a></h1>
<p>What is a mail server and how does it perform its duty?</p>
<h1>Introduction</h1>
<p>What is a mail-server, and how does it perform its duty?</p>
<p>Here's an introduction to the field that covers everything you need to know to get started with <code>docker-mailserver</code>.</p>
<h2 id="anatomy-of-a-mail-server"><a class="toclink" href="#anatomy-of-a-mail-server">Anatomy of a Mail Server</a></h2>
<p>A mail server is only a part of a <a href="https://en.wikipedia.org/wiki/Client%E2%80%93server_model">client-server relationship</a> aimed at exchanging information in the form of <a href="https://en.wikipedia.org/wiki/Email">emails</a>. Exchanging emails requires using specific means (programs and protocols).</p>
<h2 id="anatomy-of-a-mail-server"><a class="toclink" href="#anatomy-of-a-mail-server">Anatomy of a Mail-Server</a></h2>
<p>A mail-server is only a part of a <a href="https://en.wikipedia.org/wiki/Client%E2%80%93server_model">client-server relationship</a> aimed at exchanging information in the form of <a href="https://en.wikipedia.org/wiki/Email">emails</a>. Exchanging emails requires using specific means (programs and protocols).</p>
<p><code>docker-mailserver</code> provides you with the server portion, whereas the client can be anything from a terminal via text-based software (eg. <a href="https://en.wikipedia.org/wiki/Mutt_(email_client)">Mutt</a>) to a fully-fledged desktop application (eg. <a href="https://en.wikipedia.org/wiki/Mozilla_Thunderbird">Mozilla Thunderbird</a>, <a href="https://en.wikipedia.org/wiki/Microsoft_Outlook">Microsoft Outlook</a>…), to a web interface, etc.</p>
<p>Unlike the client-side where usually a single program is used to perform retrieval and viewing of emails, the server-side is composed of many specialized components. The mail server is capable of accepting, forwarding, delivering, storing and overall exchanging messages, but each one of those tasks is actually handled by a specific piece of software. All of these "agents" must be integrated with one another for the exchange to take place.</p>
<p><code>docker-mailserver</code> has made informed choices about those components and their (default) configuration. It offers a comprehensive platform to run a fully featured mail server in no time!</p>
<p>Unlike the client-side where usually a single program is used to perform retrieval and viewing of emails, the server-side is composed of many specialized components. The mail-server is capable of accepting, forwarding, delivering, storing and overall exchanging messages, but each one of those tasks is actually handled by a specific piece of software. All of these "agents" must be integrated with one another for the exchange to take place.</p>
<p><code>docker-mailserver</code> has made informed choices about those components and their (default) configuration. It offers a comprehensive platform to run a fully featured mail-server in no time!</p>
<h2 id="components"><a class="toclink" href="#components">Components</a></h2>
<p>The following components are required to create a <a href="https://en.wikipedia.org/wiki/Email_agent_(infrastructure)">complete delivery chain</a>:</p>
<ul>
<li>MUA: a <a href="https://en.wikipedia.org/wiki/Email_client">Mail User Agent</a> is basically any client/program capable of sending emails to arbitrary mail servers; while also capable of fetching emails from mail servers for presenting them to the end users.</li>
<li>MTA: a <a href="https://en.wikipedia.org/wiki/Message_transfer_agent">Mail Transfer Agent</a> is the so-called "mail server" as seen from the MUA's perspective. It's a piece of software dedicated to accepting submitted emails, then forwarding them-where exactly will depend on an email's final destination. If the receiving MTA is responsible for the hostname the email is sent to, then an MTA is to forward that email to an MDA (see below). Otherwise, it is to transfer (ie. forward, relay) to another MTA, "closer" to the email's final destination.</li>
<li>MUA: a <a href="https://en.wikipedia.org/wiki/Email_client">Mail User Agent</a> is basically any client/program capable of sending emails to a mail-server; while also capable of fetching emails from a mail-server for presenting them to the end users.</li>
<li>MTA: a <a href="https://en.wikipedia.org/wiki/Message_transfer_agent">Mail Transfer Agent</a> is the so-called "mail-server" as seen from the MUA's perspective. It's a piece of software dedicated to accepting submitted emails, then forwarding them-where exactly will depend on an email's final destination. If the receiving MTA is responsible for the FQDN the email is sent to, then an MTA is to forward that email to an MDA (see below). Otherwise, it is to transfer (ie. forward, relay) to another MTA, "closer" to the email's final destination.</li>
<li>MDA: a <a href="https://en.wikipedia.org/wiki/Mail_delivery_agent">Mail Delivery Agent</a> is responsible for accepting emails from an MTA and dropping them into their recipients' mailboxes, whichever the form.</li>
</ul>
<p>Here's a schematic view of mail delivery:</p>
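Review bot: The replacement `<h1>Introduction</h1>` drops both the `id` and the `toclink` anchor that every other heading on this page carries, so the page title is no longer deep-linkable and existing inbound links to `#an-introduction-to-mail-servers` now silently land at the top of the page; restore the anchor, for example `<h1 id="introduction"><a class="toclink" href="#introduction">Introduction</a></h1>`. On wording: "hostname" to "FQDN" in the MTA bullet is a step towards precision, but an MTA decides whether a message is for its own MDA by the domain part of the recipient address (the `gmail.com` in the page's own `alice@gmail.com` example), which need not be the fully qualified name of any host, so "responsible for the domain the email is addressed to" is the accurate statement. Also, "forwarding them-where exactly will depend" (old and new text alike) has lost its dash and should read "forwarding them, where exactly will depend ...".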
@ -1526,7 +1521,7 @@ B) Bob sends an email to <code>alice@gmail.com</code> =&gt; the email is first s
<p>The main takeaway is that when a third-party sends an email to a <code>docker-mailserver</code> instance(MTA) (or any MTA for that matter), it does <em>not</em> establish a direct connection with that MTA. Email submission first goes through the sender's MTA, then some relaying between at least two MTAs is required to deliver the email. That will prove very important when it comes to security management.</p>
</div>
<p>One important thing to note is that MTA and MDA programs may actually handle <em>multiple</em> tasks (which is the case with <code>docker-mailserver</code>'s Postfix and Dovecot).</p>
<p>For instance, Postfix is both an SMTP server (accepting emails) and a relaying MTA (transferring, ie. sending emails to other MTA/MDA); Dovecot is both an MDA (delivering emails in mailboxes) and an IMAP server (allowing MUAs to fetch emails from the <em>mail server</em>). On top of that, Postfix may rely on Dovecot's authentication capabilities.</p>
<p>For instance, Postfix is both an SMTP server (accepting emails) and a relaying MTA (transferring, ie. sending emails to other MTA/MDA); Dovecot is both an MDA (delivering emails in mailboxes) and an IMAP server (allowing MUAs to fetch emails from the <em>mail-server</em>). On top of that, Postfix may rely on Dovecot's authentication capabilities.</p>
<p>The exact relationship between all the components and their respective (sometimes shared) responsibilities is beyond the scope of this document. Please explore this wiki &amp; the web to get more insights about <code>docker-mailserver</code>'s toolchain.</p>
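Review bot: Context line in this hunk: "a `docker-mailserver` instance(MTA)" is missing the space before the parenthesis and should read "instance (MTA)". The changed Postfix/Dovecot line is fine apart from the hyphenation question raised on the first hunk.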
<h2 id="about-security-ports"><a class="toclink" href="#about-security-ports">About Security &amp; Ports</a></h2>
<p>In the previous section, different components were outlined. Each one of those is responsible for a specific task, it has a specific purpose.</p>
@ -1610,7 +1605,7 @@ Me ---------------&gt; ┤ ├ -----------------&gt; ┊
<p>The best practice as of 2020 when it comes to securing Outward Submission is to use <em>Implicit TLS connection via ESMTP on port 465</em> (see <a href="https://tools.ietf.org/html/rfc8314">RFC 8314</a>). Let's break it down.</p>
<ul>
<li>Implicit TLS means the server <em>enforces</em> the client into using an encrypted TCP connection, using <a href="https://en.wikipedia.org/wiki/Transport_Layer_Security">TLS</a>. With this kind of connection, the MUA <em>has</em> to establish a TLS-encrypted connection from the get go (TLS is implied, hence the name "Implicit"). Any client attempting to either submit email in cleartext (unencrypted, not secure), or requesting a cleartext connection to be upgraded to a TLS-encrypted one using <code>STARTTLS</code>, is to be denied. Implicit TLS is sometimes called Enforced TLS for that reason.</li>
<li><a href="https://en.wikipedia.org/wiki/ESMTP">ESMTP</a> is <a href="https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol">SMTP</a> + extensions. It's the version of the SMTP protocol that most mail servers speak nowadays. For the purpose of this documentation, ESMTP and SMTP are synonymous.</li>
<li><a href="https://en.wikipedia.org/wiki/ESMTP">ESMTP</a> is <a href="https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol">SMTP</a> + extensions. It's the version of the SMTP protocol that a mail-server commonly communicates with today. For the purpose of this documentation, ESMTP and SMTP are synonymous.</li>
<li>Port 465 is the reserved TCP port for Implicit TLS Submission (since 2018). There is actually a boisterous history to that ports usage, but let's keep it simple.</li>
</ul>
<div class="admonition warning">
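Review bot: The rewritten ESMTP bullet, "the version of the SMTP protocol that a mail-server commonly communicates with today", is awkward and slightly wrong: a server does not communicate "with" a protocol version, it speaks it. The original "that most mail servers speak nowadays" was clearer; if the singular is wanted, "the version of SMTP that a mail server commonly speaks today" keeps the meaning. Two context lines in this hunk deserve a touch while here: "that ports usage" should be "that port's usage", and the "as of 2020" qualifier dates advice that the same sentence already pins to RFC 8314; "current best practice (RFC 8314)" would not need updating every year.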
@ -1618,7 +1613,7 @@ Me ---------------&gt; ┤ ├ -----------------&gt; ┊
<p>This Submission setup is sometimes refered to as <a href="https://en.wikipedia.org/wiki/SMTPS">SMTPS</a>. Long story short: this is incorrect and should be avoided.</p>
</div>
<p>Although a very satisfactory setup, Implicit TLS on port 465 is somewhat "cutting edge". There exists another well established mail Submission setup that must be supported as well, SMTP+STARTTLS on port 587. It uses Explicit TLS: the client starts with a cleartext connection, then the server informs a TLS-encrypted "upgraded" connection may be established, and the client <em>may</em> eventually decide to establish it prior to the Submission. Basically it's an opportunistic, opt-in TLS upgrade of the connection between the client and the server, at the client's discretion, using a mechanism known as <a href="https://en.wikipedia.org/wiki/Opportunistic_TLS">STARTTLS</a> that both ends need to implement.</p>
<p>In many implementations, the mail server doesn't enforce TLS encryption, for backwards compatibility. Clients are thus free to deny the TLS-upgrade proposal (or <a href="https://security.stackexchange.com/questions/168998/what-happens-if-starttls-dropped-in-smtp">misled by a hacker</a> about STARTTLS not being available), and the server accepts unencrypted (cleartext) mail exchange, which poses a confidentiality threat and, to some extent, spam issues. <a href="https://tools.ietf.org/html/rfc8314#section-3.3">RFC 8314 (section 3.3)</a> recommends for mail servers to support both Implicit and Explicit TLS for Submission, <em>and</em> to enforce TLS-encryption on ports 587 (Explicit TLS) and 465 (Implicit TLS). That's exactly <code>docker-mailserver</code>'s default configuration: abiding by RFC 8314, it <a href="http://www.postfix.org/postconf.5.html#smtpd_tls_security_level">enforces a strict (<code>encrypt</code>) STARTTLS policy</a>, where a denied TLS upgrade terminates the connection thus (hopefully but at the client's discretion) preventing unencrypted (cleartext) Submission.</p>
<p>In many implementations, the mail-server doesn't enforce TLS encryption, for backwards compatibility. Clients are thus free to deny the TLS-upgrade proposal (or <a href="https://security.stackexchange.com/questions/168998/what-happens-if-starttls-dropped-in-smtp">misled by a hacker</a> about STARTTLS not being available), and the server accepts unencrypted (cleartext) mail exchange, which poses a confidentiality threat and, to some extent, spam issues. <a href="https://tools.ietf.org/html/rfc8314#section-3.3">RFC 8314 (section 3.3)</a> recommends for a mail-server to support both Implicit and Explicit TLS for Submission, <em>and</em> to enforce TLS-encryption on ports 587 (Explicit TLS) and 465 (Implicit TLS). That's exactly <code>docker-mailserver</code>'s default configuration: abiding by RFC 8314, it <a href="http://www.postfix.org/postconf.5.html#smtpd_tls_security_level">enforces a strict (<code>encrypt</code>) STARTTLS policy</a>, where a denied TLS upgrade terminates the connection thus (hopefully but at the client's discretion) preventing unencrypted (cleartext) Submission.</p>
<ul>
<li><strong><code>docker-mailserver</code>'s default configuration enables and <em>requires</em> Explicit TLS (STARTTLS) on port 587 for Outward Submission.</strong></li>
<li>It does not enable Implicit TLS Outward Submission on port 465 by default. One may enable it through simple custom configuration, either as a replacement or (better!) supplementary mean of secure Submission.</li>
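Review bot: The changed paragraph contradicts itself at the end: it first states that the strict (`encrypt`) STARTTLS policy means "a denied TLS upgrade terminates the connection", then adds "(hopefully but at the client's discretion)", which implies the client can still choose cleartext submission. With the policy as described, the only thing left to the client's discretion is whether its own TLS settings let an on-path attacker who strips the STARTTLS offer (the linked "misled by a hacker" case, better named as STARTTLS stripping, a downgrade attack) talk it into cleartext, at which point this server terminates the session rather than accept the message. Rephrase to separate the two: the server refuses cleartext submission; clients should additionally be configured to require TLS so that a stripping attack fails closed instead of exposing the session in cleartext to the attacker. Minor, in context: "refered" should be "referred".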
@ -1647,7 +1642,7 @@ Me -- STARTTLS ---&gt; ┤(587) My MTA │ ┊ Third-p
┗━━━━━━━━━━ Inward Submission ━━━━━━━━━━┛
</code></pre></div>
<h3 id="retrieval-imap"><a class="toclink" href="#retrieval-imap">Retrieval - IMAP</a></h3>
<p>A MUA willing to fetch an email from a mail server will most likely communicate with its <a href="https://en.wikipedia.org/wiki/IMAP">IMAP</a> server. As with SMTP described earlier, communication will take place in the form of data packets exchanged over a network that both the client and the server are connected to. The IMAP protocol makes the server capable of handling <em>Retrieval</em>.</p>
<p>A MUA willing to fetch an email from a mail-server will most likely communicate with its <a href="https://en.wikipedia.org/wiki/IMAP">IMAP</a> server. As with SMTP described earlier, communication will take place in the form of data packets exchanged over a network that both the client and the server are connected to. The IMAP protocol makes the server capable of handling <em>Retrieval</em>.</p>
<p>In the case of <code>docker-mailserver</code>, the IMAP server is Dovecot. The MUA (client) may vary, yet its Retrieval request is performed as <a href="https://en.wikipedia.org/wiki/Transmission_Control_Protocol">TCP</a> packets sent over the <em>public</em> internet. This exchange of information may be secured in order to counter eavesdropping.</p>
<p>Again, as with SMTP described earlier, the IMAP protocol may be secured with either Implicit TLS (aka. <a href="https://en.wikipedia.org/wiki/IMAPS">IMAPS</a> / IMAP4S) or Explicit TLS (using STARTTLS).</p>
<p>The best practice as of 2020 is to enforce IMAPS on port 993, rather than IMAP+STARTTLS on port 143 (see <a href="https://tools.ietf.org/html/rfc8314">RFC 8314</a>); yet the latter is usually provided for backwards compatibility.</p>
@ -1657,7 +1652,7 @@ Me -- STARTTLS ---&gt; ┤(587) My MTA │ ┊ Third-p
<p>The best practice as of 2020 would be <a href="https://en.wikipedia.org/wiki/POP3S">POP3S</a> on port 995, rather than <a href="https://en.wikipedia.org/wiki/POP3">POP3</a>+STARTTLS on port 110 (see <a href="https://tools.ietf.org/html/rfc8314">RFC 8314</a>).</p>
<p><strong><code>docker-mailserver</code>'s default configuration disables POP3 altogether.</strong> One should expect MUAs to use TLS-encrypted IMAP for Retrieval.</p>
<h2 id="how-does-docker-mailserver-help-with-setting-everything-up"><a class="toclink" href="#how-does-docker-mailserver-help-with-setting-everything-up">How does <code>docker-mailserver</code> help with setting everything up?</a></h2>
<p>As a <em>batteries included</em> Docker image, <code>docker-mailserver</code> provides you with all the required components and a default configuration, to run a decent and secure mail server.</p>
<p>As a <em>batteries included</em> Docker image, <code>docker-mailserver</code> provides you with all the required components and a default configuration, to run a decent and secure mail-server.</p>
<p>One may then customize all aspects of its internal components.</p>
<ul>
<li>Simple customization is supported through <a href="https://github.com/docker-mailserver/docker-mailserver/blob/master/docker-compose.yml">docker-compose configuration</a> and the <a href="https://github.com/docker-mailserver/docker-mailserver/blob/master/mailserver.env">env-mailserver</a> configuration file.</li>
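Review bot: The context line in this hunk links "env-mailserver configuration file" to `mailserver.env`; the link text and the file name disagree, and since this commit is already a terminology sweep it should correct the text to `mailserver.env` to match the linked file. The changed line itself is consistent with the rest of the sweep, subject to the hyphenation question on the first hunk.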
@ -1670,7 +1665,7 @@ Me -- STARTTLS ---&gt; ┤(587) My MTA │ ┊ Third-p
</ul>
<p>We believe <code>docker-mailserver</code>'s default configuration to be a good middle ground: it goes slightly beyond "old" (1999) <a href="https://tools.ietf.org/html/rfc2487">RFC 2487</a>; and with developer friendly configuration settings, it makes it pretty easy to abide by the "newest" (2018) <a href="https://tools.ietf.org/html/rfc8314">RFC 8314</a>.</p>
<p>Eventually, it is up to <em>you</em> deciding exactly what kind of transportation/encryption to use and/or enforce, and to customize your instance accordingly (with looser or stricter security). Be also aware that protocols and ports on your server can only go so far with security; third-party MTAs might relay your emails on insecure connections, man-in-the-middle attacks might still prove effective, etc. Advanced counter-measure such as DANE, MTA-STS and/or full body encryption (eg. PGP) should be considered as well for increased confidentiality, but ideally without compromising backwards compatibility so as to not block emails.</p>
<p>The <a href="https://github.com/docker-mailserver/docker-mailserver/blob/master/README.md">README</a> is the best starting point in configuring and running your mail server. You may then explore this wiki to cover additional topics, including but not limited to, security.</p>
<p>The <a href="https://github.com/docker-mailserver/docker-mailserver/blob/master/README.md">README</a> is the best starting point in configuring and running your mail-server. You may then explore this wiki to cover additional topics, including but not limited to, security.</p>
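Review bot: Two grammar slips in the context lines of this hunk are worth folding into the rewrite: "Be also aware" should be "Also be aware", and "Advanced counter-measure such as DANE, MTA-STS and/or full body encryption" should be "Advanced counter-measures such as ...". The changed README line is fine.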
@ -1752,10 +1747,10 @@ Me -- STARTTLS ---&gt; ┤(587) My MTA │ ┊ Third-p
<div class="md-dialog" data-md-component="dialog">
<div class="md-dialog__inner md-typeset"></div>
</div>
<script id="__config" type="application/json">{"base": "..", "features": ["navigation.tabs", "navigation.top", "navigation.expand", "navigation.instant"], "translations": {"clipboard.copy": "Copy to clipboard", "clipboard.copied": "Copied to clipboard", "search.config.lang": "en", "search.config.pipeline": "trimmer, stopWordFilter", "search.config.separator": "[\\s\\-]+", "search.placeholder": "Search", "search.result.placeholder": "Type to start searching", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.term.missing": "Missing", "select.version.title": "Select version"}, "search": "../assets/javascripts/workers/search.409db549.min.js", "version": {"provider": "mike"}}</script>
<script id="__config" type="application/json">{"base": "..", "features": ["navigation.tabs", "navigation.top", "navigation.expand", "navigation.instant"], "translations": {"clipboard.copy": "Copy to clipboard", "clipboard.copied": "Copied to clipboard", "search.config.lang": "en", "search.config.pipeline": "trimmer, stopWordFilter", "search.config.separator": "[\\s\\-]+", "search.placeholder": "Search", "search.result.placeholder": "Type to start searching", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.term.missing": "Missing", "select.version.title": "Select version"}, "search": "../assets/javascripts/workers/search.94ec81fe.min.js", "version": {"provider": "mike"}}</script>
<script src="../assets/javascripts/bundle.756773cc.min.js"></script>
<script src="../assets/javascripts/bundle.48dfec6c.min.js"></script>
</body>