compliance-scanner-agent/deploy/docker-compose.mailserver.yml

version: "3.8"

services:
  mailserver:
    image: ghcr.io/docker-mailserver/docker-mailserver:14
    hostname: mail.scanner.meghsakha.com
    domainname: scanner.meghsakha.com
    container_name: mailserver
    ports:
      - "25:25"      # SMTP (inbound mail)
      - "143:143"    # IMAP (orchestrator reads mail)
      - "993:993"    # IMAPS (TLS)
      - "587:587"    # Submission (outbound, if needed)
    volumes:
      - maildata:/var/mail
      - mailstate:/var/mail-state
      - maillogs:/var/log/mail
      - /etc/localtime:/etc/localtime:ro
    environment:
      # Hostname
      - OVERRIDE_HOSTNAME=mail.scanner.meghsakha.com

      # Disable features we don't need
      - ENABLE_SPAMASSASSIN=0
      - ENABLE_CLAMAV=0
      - ENABLE_FAIL2BAN=0
      - ENABLE_POSTGREY=0
      - ENABLE_AMAVIS=0

      # Enable what we need
      - ENABLE_IMAP=1
      - ENABLE_POP3=0

      # Plus-addressing (critical for pentest)
      - POSTFIX_RECIPIENT_DELIMITER=+

      # SSL (start with no TLS, add Let's Encrypt later)
      - SSL_TYPE=

      # Accept mail for our domain
      - PERMIT_DOCKER=none

      # Disable inbound SPF checking — we need to accept verification
      # emails from Keycloak and other external senders
      - ENABLE_OPENDKIM=0
      - ENABLE_OPENDMARC=0
      - ENABLE_POLICYD_SPF=0
      - SPOOF_PROTECTION=0

      # One domain
      - POSTFIX_MYDESTINATION=scanner.meghsakha.com, localhost

    restart: unless-stopped
    healthcheck:
      test: ["CMD", "ss", "-tlnp", "|", "grep", "25"]
      interval: 30s
      timeout: 10s
      retries: 3

volumes:
  maildata:
  mailstate:
  maillogs: