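---
# Compose v2 warns that the top-level `version` attribute is obsolete; it is
# kept here because it is harmless and some older tooling still reads it.
version: "3.8"

services:
  mailserver:
    image: ghcr.io/docker-mailserver/docker-mailserver:14
    hostname: mail.scanner.meghsakha.com
    domainname: scanner.meghsakha.com
    container_name: mailserver
    ports:
      - "25:25"    # SMTP (inbound mail)
      - "993:993"  # IMAPS (TLS-only)
      - "587:587"  # Submission (STARTTLS)
    volumes:
      - maildata:/var/mail
      - mailstate:/var/mail-state
      - maillogs:/var/log/mail
      - /etc/localtime:/etc/localtime:ro
      # NOTE(review): this exposes every certificate and private key under
      # /etc/letsencrypt to the container. If only this host's certificate is
      # needed, consider mounting just its live/<host> and archive/<host>
      # directories (live/ holds symlinks into archive/, so both are required).
      - /etc/letsencrypt:/etc/letsencrypt:ro
      # NOTE(review): nothing is mounted at /tmp/docker-mailserver (the DMS
      # config directory holding accounts and aliases), so accounts created
      # inside the container are lost when it is recreated — confirm intended.
    environment:
      # NOTE(review): the container silently ignores environment variables the
      # image does not know; check each name below against the v14 env
      # reference of the image rather than assuming it took effect.

      # Hostname
      - OVERRIDE_HOSTNAME=mail.scanner.meghsakha.com

      # Disable features we don't need.
      # NOTE(review): with 25/587/993 published and Fail2ban off, failed
      # authentication attempts are not throttled; re-enabling it requires
      # `cap_add: [NET_ADMIN]` on this service.
      - ENABLE_SPAMASSASSIN=0
      - ENABLE_CLAMAV=0
      - ENABLE_FAIL2BAN=0
      - ENABLE_POSTGREY=0
      - ENABLE_AMAVIS=0

      # IMAP only; POP3 stays off
      - ENABLE_IMAP=1
      - ENABLE_POP3=0

      # Plus-addressing (critical for pentest)
      - POSTFIX_RECIPIENT_DELIMITER=+

      # TLS — use Let's Encrypt certs mounted from Coolify/Caddy
      - SSL_TYPE=manual
      - SSL_CERT_PATH=/etc/letsencrypt/live/mail.scanner.meghsakha.com/fullchain.pem
      - SSL_KEY_PATH=/etc/letsencrypt/live/mail.scanner.meghsakha.com/privkey.pem

      # Require TLS before accepting PLAIN/LOGIN auth (CERT-Bund compliance).
      # NOTE(review): as far as I can tell this name is not in the DMS env
      # reference; verify the image honours it (Dovecot's own default for
      # disable_plaintext_auth is already yes), otherwise this line is a no-op.
      - DOVECOT_DISABLE_PLAINTEXT_AUTH=yes

      # Trust no Docker network as a relay (Postfix mynetworks). `none` is the
      # most restrictive value; it does not decide which domains we accept mail
      # for — that is POSTFIX_MYDESTINATION below.
      - PERMIT_DOCKER=none

      # Disable inbound SPF/DKIM/DMARC checks — we need to accept verification
      # emails from Keycloak and other external senders
      - ENABLE_OPENDKIM=0
      - ENABLE_OPENDMARC=0
      - ENABLE_POLICYD_SPF=0
      # NOTE(review): SPOOF_PROTECTION governs whether *authenticated* users may
      # send with a MAIL FROM they do not own; it is unrelated to inbound
      # SPF/DKIM/DMARC and does not need to be off to receive external mail.
      - SPOOF_PROTECTION=0

      # One domain
      - POSTFIX_MYDESTINATION=scanner.meghsakha.com, localhost
    restart: unless-stopped
    healthcheck:
      # The exec form (CMD) hands "|" to ss as a literal argument, so the
      # original pipeline never ran; CMD-SHELL is required for a pipe. Match
      # the smtp listener explicitly instead of any port containing "25".
      test: ["CMD-SHELL", "ss --listening --tcp | grep -P 'LISTEN.+:smtp' || exit 1"]
      interval: 30s
      timeout: 10s
      retries: 3

volumes:
  maildata:
  mailstate:
  maillogs: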