Docker

An experimental Docker image is available; this article documents how to use it with Docker Compose.

Forwards, replies, notifies and vacations have not been tested and are unlikely to work.

All the files in this article can be found on GitHub.

The aim is to become an official dbmail image.

DBMail Docker

Using the Docker philosophy, there is a single dbmail image that is used for imap, lmtp and sieve. This image is intended to be configured and run using compose.yaml.

DBMail applications

DBMail is a collection of apps that work together to deliver an IMAP service: dbmail-deliver and dbmail-lmtp for delivery, dbmail-sieve for managing SIEVE automation and dbmail-imapd for the IMAP service.

The Dockerfile is used for creating the dbmail image.

Since good Docker practice is to build a container per service, there is a Docker Compose compose.yaml for managing the three services.

These services are generated from the dbmail:latest image using compose.yaml.

Configuration

Including any sensitive information in a Docker image is inadvisable. Docker Compose provides a way to use secrets without having to store the information in environment variables; the secret files appear inside the container under /var/run/secrets/.

DBMail requires access to database credentials stored in dbmail.conf, and Transport Layer Security requires X.509 certificates and private keys. These are protected using Docker Compose secrets.

The complete dbmail configuration file should be included in the secrets:dbmail.conf:file entry in compose.yaml. The following [DBMAIL] entries are of particular note:

  • dburi
  • authdriver
  • errorlog = /var/log/dbmail/dbmail.err
  • syslog_logging_levels
  • file_logging_levels = 31
  • syslog_logging_levels = 0
  • library_directory = /usr/local/lib/dbmail
  • tls_cafile = /var/run/secrets/ca.crt
  • tls_cert = /var/run/secrets/cert.pem
  • tls_key = /var/run/secrets/key.pem

If you use Lightweight Directory Access Protocol for authentication (authdriver=ldap) you also need to configure the [LDAP] section.

Logging

DBMail doesn't output logs via docker logs.

The following can be used to view the log and manage its size. DBMail is a non-interactive process, so the workarounds used for Apache and Nginx are unsuitable.

View the log file:

docker exec -it [container] tail -f /var/log/dbmail/dbmail.err

To avoid disk exhaustion, run the following to truncate the error log to about 1k:

docker exec -it [container] truncate -s '<1k' /var/log/dbmail/dbmail.err

Security

DBMail requires various pieces of sensitive information that must be protected. The mechanism used is Docker Compose secrets.

DBMail uses Transport Layer Security (TLS) with X.509 public-key certificates to securely communicate with clients such as Microsoft Outlook, Mozilla Thunderbird, K-9 Mail, RoundCube and SquirrelMail.

In order to establish secure communications dbmail needs access to the certificate authority's public certificate (tls_cafile), your public certificate (tls_cert) and your private key (tls_key). It's your private key that needs protecting and your public certificate that needs to be updated every time it's renewed. The authority's public certificate is rarely changed but should be included in any updates.

Include passwords for database access and LDAP if you use it for authentication.

The four sensitive files configured using Docker Compose secrets are:

  • dbmail.conf - the dbmail configuration file;
  • ca.crt - the certificate authority's public certificate;
  • cert.pem - your public certificate;
  • key.pem - your private key.
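
A pre-flight check for these four files, as an added example that is not part of the DBMail project: it confirms each file exists, that key.pem and dbmail.conf are not open to other host users, and that the tls_* entries in dbmail.conf point at /var/run/secrets/. The function names, the single-directory layout and the permission rule are assumptions made for this example.

```sh
#!/bin/sh
# Added example: pre-flight check of the four secret files before "docker compose up".
# Assumptions: all four files sit in one host directory (as in compose.yaml), and
# key.pem and dbmail.conf must not be readable or writable by "other" on the host.

SECRET_MOUNT=/var/run/secrets   # where the tls_* entries listed above point

# Print the last value assigned to KEY in FILE ("key = value"; "#" lines never match).
conf_value() {   # usage: conf_value FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# Print one line per problem; return 0 only when nothing was reported.
check_secrets() {   # usage: check_secrets DIR
    dir=$1
    bad=0
    for f in dbmail.conf ca.crt cert.pem key.pem; do
        if [ ! -f "$dir/$f" ] || [ ! -s "$dir/$f" ]; then
            echo "MISSING $f: absent or empty"
            bad=1
        fi
    done
    # The private key and the file holding database/LDAP passwords are confidential.
    for f in key.pem dbmail.conf; do
        [ -f "$dir/$f" ] || continue
        if [ -n "$(find "$dir/$f" \( -perm -004 -o -perm -002 \) -print)" ]; then
            echo "PERMS $f: accessible to other users on the host"
            bad=1
        fi
    done
    # dbmail.conf must reference the files at the path the secrets are mounted on.
    if [ -f "$dir/dbmail.conf" ]; then
        for pair in tls_cafile:ca.crt tls_cert:cert.pem tls_key:key.pem; do
            key=${pair%%:*}
            want=$SECRET_MOUNT/${pair#*:}
            got=$(conf_value "$dir/dbmail.conf" "$key")
            if [ "$got" != "$want" ]; then
                echo "PATH $key: is '$got', expected '$want'"
                bad=1
            fi
        done
    fi
    return "$bad"
}

# Typical use from the directory holding compose.yaml:
#   check_secrets . && docker compose up -d
```

Compose passes file-based secrets through with their host ownership and mode, so when tightening permissions make sure the user that dbmail runs as inside the container can still read the files.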

Why you shouldn't use ENV variables for secret data

compose.yaml

The following compose.yaml generates the three service images:

services:
  dbmail-imap:
    image: alanhicks/dbmail:latest
    command: [ "/usr/local/sbin/dbmail-imapd", "-p", "/var/run/dbmail/dbmail-imapd.pid", "-f", "/var/run/secrets/dbmail.conf", "-D" ]
    expose:
      - "143"
      - "993"
    ports:
      - "143:143"
      - "993:993"
    secrets:
      - dbmail.conf
      - ca.crt
      - cert.pem
      - key.pem
    working_dir: /
  dbmail-lmtp:
    image: alanhicks/dbmail:latest
    command: [ "/usr/local/sbin/dbmail-lmtpd", "-p", "/var/run/dbmail/dbmail-lmtpd.pid", "-f", "/var/run/secrets/dbmail.conf", "-D" ]
    expose:
      - "24"
    ports:
      - "24:24"
    secrets:
      - dbmail.conf
      - ca.crt
      - cert.pem
      - key.pem
    working_dir: /
  dbmail-sieve:
    image: alanhicks/dbmail:latest
    command: [ "/usr/local/sbin/dbmail-sieved", "-p", "/var/run/dbmail/dbmail-sieved.pid", "-f", "/var/run/secrets/dbmail.conf", "-D" ]
    expose:
      - "4190"
    ports:
      - "4190:4190"
    secrets:
      - dbmail.conf
      - ca.crt
      - cert.pem
      - key.pem
    working_dir: /
secrets:
  dbmail.conf:
    file: ./dbmail.conf
  ca.crt:
    file: ./ca.crt
  cert.pem:
    file: ./cert.pem
  key.pem:
    file: ./key.pem
