Docker network schemes
- Spam filters, the karma system and relaying itself need to see the real source IP. Many containerized network schemes lose the real source IP because of packet manipulation. Services on the HTTP(S) ports are built to tolerate not knowing the real IP and can be reverse-proxied, but hiding the source IP from the core mail server ports can turn your mail server into an open relay.
- If you use a reverse proxy and want free certificates from Let's Encrypt, you need to properly redirect the .well-known folder. If your proxy issues certificates itself for other containers, it might be sufficient to share the folder between containers via a volume.
- The inbound IP should be the same as the outbound IP, or you need to adjust your SPF records.
- If you don't understand how IPv6 works, it is better not to use it at all, especially when using a mode other than network=host.
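
A quick check for the first point, as an added example (not poste.io code): it counts how many SMTP clients in a log appear to come from the container network instead of the internet, which is the symptom of a lost source IP. The 172.17.0.0/16 default bridge subnet, the generic log format and the function names are assumptions; the sample lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Assumption: Docker's default bridge subnet; replace with your own networks.
DOCKER_NETS = [ipaddress.ip_network("172.17.0.0/16")]
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample lines in a generic format (not real poste.io output).
SAMPLE_LOG = """\
2024-05-01T10:00:01 smtp connect from 172.17.0.1 port 25
2024-05-01T10:00:07 smtp connect from 172.17.0.1 port 25
2024-05-01T10:00:09 smtp connect from 172.17.0.1 port 587
2024-05-01T10:00:15 smtp connect from 203.0.113.40 port 25
"""


def client_ips(log_text):
    """Yield the first IPv4 address found on each log line."""
    for line in log_text.splitlines():
        match = IP_RE.search(line)
        if not match:
            continue
        try:
            yield ipaddress.ip_address(match.group(0))
        except ValueError:
            continue  # matched the pattern but is not a valid address


def masked_source_report(log_text, nets=DOCKER_NETS, threshold=0.5):
    """Summarise how many SMTP clients appear to come from a container network.

    If most connections show the bridge gateway as their source, the mail
    server is not seeing real client IPs, so per-IP spam scoring and any
    relay rule that trusts local networks will misfire.
    """
    counts = Counter()
    for ip in client_ips(log_text):
        internal = any(ip in net for net in nets)
        counts["internal" if internal else "external"] += 1
    total = counts["internal"] + counts["external"]
    ratio = counts["internal"] / total if total else 0.0
    return {"total": total, "internal": counts["internal"],
            "ratio": ratio, "masked": total > 0 and ratio >= threshold}


if __name__ == "__main__":
    print(masked_source_report(SAMPLE_LOG))
```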
Recommended: dedicated server for poste.io only (network=host)
Reverse proxy, poste.io, other web containers and network=host
network=bridge (dockerd userland-proxy=false)
network=bridge (dockerd userland-proxy=true)