compliance-scanner-agent/deploy/docker-compose.mailserver.yml
Sharang Parnerkar a509bdcb2e
fix: require TLS for IMAP auth, close port 143 (CERT-Bund compliance)
- Remove port 143 from mailserver (only expose 993/IMAPS)
- Enable SSL_TYPE=manual with Let's Encrypt certs
- Set DOVECOT_DISABLE_PLAINTEXT_AUTH=yes
- Add pentest_imap_tls config field (defaults to true)

Fixes CERT-Bund report: IMAP PLAIN/LOGIN without TLS on 46.225.100.82:143

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-18 09:29:34 +01:00


version: "3.8"
services:
  mailserver:
    image: ghcr.io/docker-mailserver/docker-mailserver:14
    hostname: mail.scanner.meghsakha.com
    domainname: scanner.meghsakha.com
    container_name: mailserver
    ports:
      - "25:25"   # SMTP (inbound mail)
      - "993:993" # IMAPS (TLS-only); port 143 is deliberately not published
      - "587:587" # Submission (STARTTLS)
    volumes:
      - maildata:/var/mail
      - mailstate:/var/mail-state
      - maillogs:/var/log/mail
      - /etc/localtime:/etc/localtime:ro
      - /etc/letsencrypt:/etc/letsencrypt:ro
    environment:
      # Hostname
      - OVERRIDE_HOSTNAME=mail.scanner.meghsakha.com
      # Disable features we don't need
      - ENABLE_SPAMASSASSIN=0
      - ENABLE_CLAMAV=0
      - ENABLE_FAIL2BAN=0
      - ENABLE_POSTGREY=0
      - ENABLE_AMAVIS=0
      # Enable what we need
      - ENABLE_IMAP=1
      - ENABLE_POP3=0
      # Plus-addressing (critical for pentest)
      - POSTFIX_RECIPIENT_DELIMITER=+
      # TLS — use Let's Encrypt certs mounted from Coolify/Caddy
      - SSL_TYPE=manual
      - SSL_CERT_PATH=/etc/letsencrypt/live/mail.scanner.meghsakha.com/fullchain.pem
      - SSL_KEY_PATH=/etc/letsencrypt/live/mail.scanner.meghsakha.com/privkey.pem
      # Require TLS before accepting PLAIN/LOGIN auth (CERT-Bund compliance):
      # disable plaintext auth on unencrypted connections
      - DOVECOT_DISABLE_PLAINTEXT_AUTH=yes
      # Do not treat any Docker network as a trusted relay
      - PERMIT_DOCKER=none
      # Disable DKIM/DMARC/SPF checks and sender spoof protection — we need
      # to accept verification emails from Keycloak and other external senders
      - ENABLE_OPENDKIM=0
      - ENABLE_OPENDMARC=0
      - ENABLE_POLICYD_SPF=0
      - SPOOF_PROTECTION=0
      # One domain
      - POSTFIX_MYDESTINATION=scanner.meghsakha.com, localhost
    restart: unless-stopped
    healthcheck:
      # CMD-SHELL is required for the pipe: with the plain CMD form the "|",
      # "grep" and "25" would be passed to ss as literal arguments.
      # Match ":25 " so that only a listener on port 25 satisfies the check.
      test: ["CMD-SHELL", "ss -tlnp | grep -q ':25 '"]
      interval: 30s
      timeout: 10s
      retries: 3
volumes:
  maildata:
  mailstate:
  maillogs:
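The commit's goal is that no IMAP credential can be sent in the clear: port 143 is no longer published and Dovecot refuses plaintext auth on unencrypted sessions. The following script is an added verification example, not code from the repository or from docker-mailserver. It parses the capability list an IMAP server advertises on a plaintext session and reports whether PLAIN/LOGIN authentication is still accepted before TLS (the CERT-Bund finding), and it can optionally probe a host to confirm that port 143 is closed. The two sample greetings are constructed, modelled on a typical Dovecot banner before and after `disable_plaintext_auth`; the host name and port in `probe_plaintext_port` are parameters you supply.

```python
import re
import socket

# Constructed sample greetings, modelled on what Dovecot sends on a plaintext
# port 143 connection. Not captured from the server in the commit.
GREETING_PLAINTEXT_AUTH_ALLOWED = (
    "* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ "
    "STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready."
)
GREETING_PLAINTEXT_AUTH_DISABLED = (
    "* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ "
    "STARTTLS LOGINDISABLED] Dovecot ready."
)


def parse_capabilities(line: str) -> set[str]:
    """Return the capability tokens from an IMAP greeting or CAPABILITY response.

    Handles both forms: '* OK [CAPABILITY ...] text' and '* CAPABILITY ...'.
    """
    m = re.search(r"\[CAPABILITY ([^\]]*)\]", line)
    if m is None:
        m = re.match(r"\* CAPABILITY (.*)", line.strip())
    if m is None:
        return set()
    return set(m.group(1).split())


def assess(line: str, transport_encrypted: bool = False) -> dict:
    """Decide whether credentials could be sent in the clear on this session.

    Per RFC 3501 the LOGIN command is available unless the server advertises
    LOGINDISABLED, and every AUTH=<mech> token is usable before STARTTLS.
    An unencrypted session is therefore only safe when LOGINDISABLED is
    present and no AUTH= mechanism is listed. An unparseable greeting is
    treated as exposed (conservative).
    """
    caps = parse_capabilities(line)
    auth_offered = "LOGINDISABLED" not in caps or any(c.startswith("AUTH=") for c in caps)
    return {
        "capabilities": sorted(caps),
        "starttls_offered": "STARTTLS" in caps,
        "plaintext_auth_exposed": auth_offered and not transport_encrypted,
    }


def probe_plaintext_port(host: str, port: int = 143, timeout: float = 5.0) -> dict:
    """Connect without TLS, read the greeting, log out, and assess it.

    Returns {'listening': False} when the port is closed, which is the
    expected result for a server that only publishes 993.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            greeting = s.recv(4096).decode("utf-8", "replace")
            s.sendall(b"a1 LOGOUT\r\n")
    except OSError:  # ConnectionRefusedError and timeouts are subclasses
        return {"listening": False}
    return {"listening": True, **assess(greeting)}


if __name__ == "__main__":
    # Offline demonstration on the constructed banners.
    for label, greeting in [
        ("before fix", GREETING_PLAINTEXT_AUTH_ALLOWED),
        ("after fix", GREETING_PLAINTEXT_AUTH_DISABLED),
    ]:
        print(label, assess(greeting))
```

Run it against your own mail host after deploying the compose file: `probe_plaintext_port("mail.example.invalid")` should return `{'listening': False}` once port 143 is unpublished, and if 143 is ever reopened the greeting must show `LOGINDISABLED` with no `AUTH=` tokens to pass. On the 993 listener the same `AUTH=PLAIN AUTH=LOGIN` tokens are expected and harmless, which is why `assess` takes `transport_encrypted`.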