poste.io

Docker network schemes

Requirements notes:

  • SPAM filters, the karma system and relaying itself need to see the real source IP of every connection. Many containerized network schemes lose the real source IP through packet manipulation (for example, dockerd's userland proxy accepts the connection on the host and re-originates it from the bridge gateway address, so every client appears to come from a trusted local address). The HTTP(S) ports are built to tolerate not knowing the real IP and can be reverse-proxied, but hiding the source IP from the core mail server ports can turn your mail server into an open relay.
  • If you use a reverse proxy and want free certificates from Let's Encrypt, you need to forward the /.well-known folder properly to the poste.io container. If your proxy issues certificates itself for other containers, it may be sufficient to share that folder between the containers via a volume.
  • The inbound IP should be the same as the outbound IP; otherwise you need to adjust your SPF records so they list the address mail actually leaves from.
  • If you don't understand how IPv6 works, it is better not to use it at all, especially in any mode other than network=host.
  1. Recommended: dedicated server for poste.io only (network=host)

    IPv4 and IPv6 fully compatible

    compatible with host's iptables firewall

    Let's Encrypt certificates work by default

    network=host

  2. Reverse proxy, poste.io, other web containers and network=host

    client IPs of administration (web) access may be hidden when dockerd runs in userland-proxy mode

    host's iptables firewall for ports 80 and 443 may require adjustment if Docker is bridging in iptables mode

    Let's Encrypt certificates require the "/.well-known" folder to be properly redirected to the poste container

    network=host

  3. network=bridge (dockerd userland-proxy=false)

    IPv6 will not work at all by default

    host's firewall will require adjustment if you want to use iptables

    Let's Encrypt certificates require the "/.well-known" folder to be properly redirected to the poste container

    network=bridge

  4. network=bridge (dockerd userland-proxy=true)

    Impossible to set up properly

    Prone to becoming an open relay

    Multiple SPAM measures will not work
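The following shell functions are an added example, not part of poste.io or its documentation: they classify a container's network mode and dockerd's userland-proxy setting against the four schemes above and flag the combinations that lose the real source IP. They assume dockerd's userland-proxy setting is configured in /etc/docker/daemon.json (a missing file or key means Docker's default, which is userland-proxy=true); a daemon started with a --userland-proxy command-line flag instead is not detected.

```shell
#!/bin/sh
# Added example (not poste.io's own tooling): audit which Docker network
# scheme a poste.io container ends up in and whether SMTP ports still see
# the real client IP.

# classify_scheme MODE USERLAND_PROXY -> prints "<scheme> <verdict>"
# MODE is the value of HostConfig.NetworkMode, USERLAND_PROXY is true|false.
classify_scheme() {
    mode=$1; ulp=$2
    case "$mode" in
        host)
            # Schemes 1 and 2: the container shares the host stack, so every
            # port sees the real source IP; scheme 2 only adds a reverse proxy
            # in front of 80/443.
            echo "1-2 ok: host networking, real source IP visible on all ports"
            ;;
        container:*|none)
            echo "? unknown: network mode '$mode' is not covered by this page"
            ;;
        *)
            # bridge, the legacy "default" label, or a user-defined network:
            # published ports reach the container via docker-proxy (userland
            # proxy) or via iptables DNAT, and only DNAT keeps the source IP.
            if [ "$ulp" = "false" ]; then
                echo "3 warn: bridge with userland-proxy=false, source IP kept by DNAT but IPv6 is off by default and the host firewall needs rules"
            else
                echo "4 danger: bridge with userland-proxy=true, docker-proxy rewrites the source IP to the bridge gateway, SMTP is prone to open relay"
            fi
            ;;
    esac
}

# userland_proxy_setting [DAEMON_JSON] -> prints true|false
# Reads the "userland-proxy" key from dockerd's daemon.json; an absent file
# or key means Docker's default, which is true.
userland_proxy_setting() {
    f=${1:-/etc/docker/daemon.json}
    if [ -r "$f" ] && grep -Eq '"userland-proxy"[[:space:]]*:[[:space:]]*false' "$f"; then
        echo false
    else
        echo true
    fi
}

# audit_container NAME -> classifies a running container (needs docker access)
audit_container() {
    mode=$(docker inspect -f '{{.HostConfig.NetworkMode}}' "$1") || return 1
    classify_scheme "$mode" "$(userland_proxy_setting)"
}

# Usage on a live host (not executed here):
#   audit_container mailserver
```

Anything reported as scheme 4 should be recreated with --net=host (scheme 1 or 2) or, if bridging is unavoidable, with userland-proxy=false in daemon.json and matching iptables rules on the host. The check only looks at how packets reach the container; it cannot tell scheme 1 from scheme 2, because that difference is whether something else on the host owns ports 80 and 443.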