Docker network schemes
- Spam filters, the karma system, and relaying itself need to see the real source IP. Many containerised network schemes lose the real source IP because of packet manipulation. Processing on HTTP(S) ports is designed to tolerate not knowing the real IP and can be reverse-proxied, but hiding the source IP on core mail server ports can put your mail server in an open relay state.
- If you're using a reverse proxy and want to use free certificates from Let's Encrypt, you'll need to redirect the .well-known folder properly. If your proxy itself issues certificates for other containers, it may be sufficient to share the folder between containers via a volume.
- The inbound IP should be the same as the outbound IP, or you need to adjust your SPF records.
- If you don't understand how IPv6 works, it's better not to use it at all, especially if you're using anything other than network=host mode.
Recommended: dedicated server for poste.io only (network=host)
Reverse proxy, poste.io, other web containers and network=host (when you run other HTTP services on the same server)
network=bridge (dockerd userland-proxy=false)
network=bridge (dockerd userland-proxy=true)
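
The source IP note above, turned into a check (an added example, not part of the poste.io documentation): it scans SMTP connection log lines and flags the case where nearly every client appears to come from a private Docker bridge or NAT address instead of its real address. The Postfix-style `connect from host[ip]` line format, the sample lines and the thresholds are assumptions; adapt the regex to the log format your mail server writes.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines; the line format is an assumption.
SAMPLE_MASKED = """\
Jan 10 10:00:01 mail smtpd[101]: connect from unknown[172.17.0.1]
Jan 10 10:00:05 mail smtpd[102]: connect from unknown[172.17.0.1]
Jan 10 10:00:09 mail smtpd[103]: connect from unknown[172.17.0.1]
Jan 10 10:00:12 mail smtpd[104]: connect from unknown[172.17.0.1]
"""
SAMPLE_REAL = """\
Jan 10 10:00:01 mail smtpd[101]: connect from mx.example.org[198.51.100.7]
Jan 10 10:00:05 mail smtpd[102]: connect from unknown[203.0.113.25]
Jan 10 10:00:09 mail smtpd[103]: connect from unknown[2001:db8::25]
Jan 10 10:00:12 mail smtpd[104]: connect from localhost[127.0.0.1]
"""

# RFC 1918 and IPv6 ULA ranges: where Docker bridge gateways and NAT hops live.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
CONNECT_RE = re.compile(r"connect from \S*\[([0-9A-Fa-f:.]+)\]")

def client_ips(log_text):
    """Yield client addresses from the log, skipping loopback (local checks)."""
    for match in CONNECT_RE.finditer(log_text):
        try:
            ip = ipaddress.ip_address(match.group(1))
        except ValueError:
            continue  # malformed address in the log line
        if not ip.is_loopback:
            yield ip

def is_internal(ip):
    return any(ip.version == net.version and ip in net for net in INTERNAL_NETS)

def source_ip_report(log_text, threshold=0.9, min_samples=3):
    """Summarise how many SMTP clients appear to come from internal ranges."""
    ips = list(client_ips(log_text))
    internal = Counter(str(ip) for ip in ips if is_internal(ip))
    ratio = sum(internal.values()) / len(ips) if ips else 0.0
    return {"connections": len(ips), "internal_ratio": ratio,
            "top_internal": internal.most_common(1)[0][0] if internal else None,
            "source_ip_masked": len(ips) >= min_samples and ratio >= threshold}

if __name__ == "__main__":
    for name, text in (("masked", SAMPLE_MASKED), ("real", SAMPLE_REAL)):
        print(name, source_ip_report(text))
```

A `source_ip_masked` result of `True` means the mail server is seeing the container gateway rather than the remote peers, so IP-based spam filtering and relay restrictions are working from the wrong address.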