Docker-mailserver: Unable to receive mails

Created on 30 Sep 2019 · 16 Comments · Source: tomav/docker-mailserver

Hello, I have configured and installed docker-mailserver over the last few days. I am now able to send valid e-mails to Gmail and other mail services.
My problem now is that I cannot receive any.
Neither local mails from [email protected] to [email protected] nor from my gmail account to [email protected].
I have disabled spamassassin, fail2ban, postgrey and clamav to ensure that no security mechanism is catching my mails.

I have not registered any aliases, because I don't need them at the moment.

Here is my docker-compose.yml:

version: '2'

services:
  mail:
    image: tvial/docker-mailserver:latest
    hostname: subdomain
    domainname: domain.com
    container_name: mailserver
    ports:
      - "25:25"
      - "143:143"
      - "587:587"
      - "993:993"
      - "465:465"
    volumes:
      - ./data:/var/mail
      - ./state:/var/mail-state
      - /var/log/mail:/var/log/mail
      - ./config/:/tmp/docker-mailserver/
      - /etc/letsencrypt:/etc/letsencrypt
    environment:
      - ENABLE_SPAMASSASSIN=0
      - ENABLE_CLAMAV=0
      - ENABLE_FAIL2BAN=0
      - ENABLE_POSTGREY=0
      - ONE_DIR=1
      - DMS_DEBUG=1
      - PERMIT_DOCKER=connected-networks
      - SPOOF_PROTECTION=1
      - SSL_TYPE=letsencrypt
    cap_add:
      - NET_ADMIN
      - SYS_PTRACE
volumes:
  maildata:
    driver: local
  mailstate:
    driver: local
  maillogs:
    driver: local

What could be the problem here?

Thx for the help :-)

All 16 comments

Please check your logs (docker logs mail or in /var/log/mail in the container) and post relevant parts.

I would also advise you to re-enable the security checks and run as close to the default settings as possible, possibly except fail2ban (I personally don't want my containers to mess with the host firewall). If you do keep fail2ban disabled then remove NET_ADMIN as it is a security risk and is only needed by fail2ban. It should be possible to make things work with the standard security measures in place.

Finally, connected-networks is very liberal, so make sure to test your server so that it is not an open relay. If it is, you will soon find yourself blocked. I haven't tested the service so I can't vouch for it, but https://mxtoolbox.com/diagnostic.aspx seems to do the job.

Yes, I will re-enable these security checks, but I want to make it work first :-)

Here is the mail.log from sending an email from [email protected] and [email protected]

Sep 30 09:30:51 mail postfix/smtps/smtpd[20188]: connect from .....
Sep 30 09:30:51 mail postfix/smtps/smtpd[20188]: Anonymous TLS connection established from .....: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Sep 30 09:30:51 mail postfix/trivial-rewrite[20192]: warning: do not list domain subdomain.domain.com in BOTH mydestination and virtual_mailbox_domains
Sep 30 09:30:51 mail postfix/trivial-rewrite[20192]: warning: do not list domain subdomain.domain.com in BOTH mydestination and virtual_mailbox_domains
Sep 30 09:30:51 mail postfix/trivial-rewrite[20192]: warning: do not list domain subdomain.domain.com in BOTH mydestination and virtual_mailbox_domains
Sep 30 09:30:51 mail postfix/smtps/smtpd[20188]: E41251E071C: client=....., sasl_method=PLAIN, [email protected]
Sep 30 09:30:52 mail postfix/sender-cleanup/cleanup[20193]: E41251E071C: message-id=<[email protected]>
Sep 30 09:30:52 mail postfix/sender-cleanup/cleanup[20193]: E41251E071C: replace: header MIME-Version: 1.0 from .....; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<[192.168.1.138]>: Mime-Version: 1.0
Sep 30 09:30:52 mail opendkim[195]: E41251E071C: DKIM-Signature field added (s=mail, d=subdomain.domain.com)
Sep 30 09:30:52 mail postfix/qmgr[960]: E41251E071C: from=<[email protected]>, size=361, nrcpt=1 (queue active)
Sep 30 09:30:52 mail postfix/smtps/smtpd[20188]: disconnect from ..... ehlo=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=6
Sep 30 09:30:52 mail postfix/smtpd[20196]: connect from localhost[127.0.0.1]
Sep 30 09:30:52 mail postfix/trivial-rewrite[20192]: warning: do not list domain subdomain.domain.com in BOTH mydestination and virtual_mailbox_domains
Sep 30 09:30:52 mail postfix/trivial-rewrite[20192]: warning: do not list domain subdomain.domain.com in BOTH mydestination and virtual_mailbox_domains
Sep 30 09:30:52 mail postfix/smtpd[20196]: 349401E071E: client=localhost[127.0.0.1]
Sep 30 09:30:52 mail postfix/cleanup[20197]: 349401E071E: message-id=<[email protected]>
Sep 30 09:30:52 mail postfix/qmgr[960]: 349401E071E: from=<[email protected]>, size=1081, nrcpt=1 (queue active)
Sep 30 09:30:52 mail postfix/smtpd[20196]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Sep 30 09:30:52 mail postfix/trivial-rewrite[20192]: warning: do not list domain subdomain.domain.com in BOTH mydestination and virtual_mailbox_domains
Sep 30 09:30:52 mail amavis[315]: (00315-13) Passed CLEAN {RelayedInbound}, [XXX.XXX.XXX.XXX]:7040 [XXX.XXX.XXX.XXX] <[email protected]> -> <[email protected]>, Queue-ID: E41251E071C, Message-ID: <[email protected]>, mail_id: F9vhhI5mM80u, Hits: -, size: 866, queued_as: 349401E071E, 131 ms
Sep 30 09:30:52 mail postfix/smtp[20194]: E41251E071C: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.32, delays=0.17/0.01/0.01/0.13, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 349401E071E)
Sep 30 09:30:52 mail postfix/qmgr[960]: E41251E071C: removed
Sep 30 09:30:52 mail postfix/local[20198]: 349401E071E: to=<[email protected]>, relay=local, delay=0.03, delays=0.01/0.01/0/0.01, dsn=5.1.1, status=bounced (unknown user: "info")
Sep 30 09:30:52 mail postfix/cleanup[20197]: 3A6FA1E071F: message-id=<[email protected]>
Sep 30 09:30:52 mail postfix/bounce[20199]: 349401E071E: sender non-delivery notification: 3A6FA1E071F
Sep 30 09:30:52 mail postfix/qmgr[960]: 3A6FA1E071F: from=<>, size=2952, nrcpt=1 (queue active)
Sep 30 09:30:52 mail postfix/trivial-rewrite[20192]: warning: do not list domain subdomain.domain.com in BOTH mydestination and virtual_mailbox_domains
Sep 30 09:30:52 mail postfix/qmgr[960]: 349401E071E: removed
Sep 30 09:30:52 mail postfix/local[20198]: warning: required alias not found: postmaster
Sep 30 09:30:52 mail postfix/local[20198]: 3A6FA1E071F: to=<[email protected]>, relay=local, delay=0, delays=0/0/0/0, dsn=2.0.0, status=sent (discarded)
Sep 30 09:30:52 mail postfix/qmgr[960]: 3A6FA1E071F: removed
Sep 30 09:30:52 mail dovecot: imap([email protected])<26255><fsbPFMCTlRdbEKP3>: Connection closed (IDLE running for 0.001 + waiting input for 0.001 secs, 2 B in + 10+10 B out, state=wait-input) in=690 out=1651 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
Sep 30 09:30:58 mail dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=XXX.XXX.XXX.XXX, lip=YYY.YYY.YYY.YYY, mpid=20221, TLS, session=<I+Ku5MGTgRtbEKP3>

This error message is reasonably clear:
Sep 30 09:30:52 mail postfix/local[20198]: 349401E071E: to=<[email protected]>, relay=local, delay=0.03, delays=0.01/0.01/0/0.01, dsn=5.1.1, status=bounced (unknown user: "info")
And:
Sep 30 09:30:52 mail postfix/local[20198]: warning: required alias not found: postmaster
Have you created a user or alias for [email protected] and [email protected]?

Plus you get:
Sep 30 09:30:51 mail postfix/trivial-rewrite[20192]: warning: do not list domain subdomain.domain.com in BOTH mydestination and virtual_mailbox_domains
If you think you have created the info and postmaster accounts that could be the problem.

Have you created a user or alias for [email protected] and [email protected]?

-> A user -> my postfix-accounts.cf is filled with these two accounts and postfix-aliases.cf is empty

Sep 30 09:30:51 mail postfix/trivial-rewrite[20192]: warning: do not list domain subdomain.domain.com in BOTH mydestination and virtual_mailbox_domains
If you think you have created the info and postmaster accounts that could be the problem.

What do you mean here?

?

I meant that if you had defined the users, then that warning would be next in line.

My theory is that the problem is caused by confusing subdomain and host. The way you have configured your yaml file the server should have a domain named domain.com and the server itself should have the host name subdomain. If that is what you want then you should define the two accounts as [email protected] and [email protected].

If on the other hand you are really managing mail for subdomain.domain.com then you should probably define the domain to be subdomain.domain.com, the host to be something else (mail?) and then the users are fine as they are. The environment variables in the .env file must be updated as well as the yaml file.

I don't have a .env file. Is one needed, then?

To make it more understandable what I want:
the email address of postmaster should be [email protected]
So I thought that hostname is mail and domainname is mydomain.com.
Is that right? But why can I send emails as them to Google without any problems?

Excuse me for standing on the hose

Well... sometimes I don't see the wood for the trees...
So my main problem was solved. My hostname was okay with mail, but the domainname should include the subdomain... (if I'd looked at the manual in a little more detail, I would have seen that the mail described in the hostname was not used for the mail.example.com...)

So, the last problem before I start the security mechanisms again:
Thunderbird throws a security exception, in which I have to download the certificate. I don't think that it should be done.

Okay, weird situation now...

I've figured out that if I define hostname as empty, then I can receive mails, but I get the security exception, because the hostname of the container does not match the one in the letsencrypt cert. And if I define an override_hostname, then I cannot receive, but I can send mails.

I've also figured out what you mean by .env files. I don't use them. I am using only the docker-compose.yaml and writing the environment args down there.

Is there someone who could help me out of that little trap?

Here is my current docker-compose.yml:

version: '2'

services:
  mail:
    image: tvial/docker-mailserver:latest
    hostname: ""
    domainname: mail.domain.tld
    container_name: mailserver
    ports:
      - "25:25"
      - "993:993"
      - "465:465"
    volumes:
      - ./data:/var/mail
      - ./state:/var/mail-state
      - /var/log/mail:/var/log/mail
      - ./config/:/tmp/docker-mailserver/
      - /etc/letsencrypt:/etc/letsencrypt
    environment:
      - ENABLE_SPAMASSASSIN=1
      - ENABLE_CLAMAV=1
      - ENABLE_FAIL2BAN=1
      - ENABLE_POSTGREY=1
      - ONE_DIR=1
      - DMS_DEBUG=1
      - PERMIT_DOCKER=connected-networks
      - SPOOF_PROTECTION=1
      - SSL_TYPE=letsencrypt
      - OVERRIDE_HOSTNAME=mail.domain.tld
    cap_add:
      - NET_ADMIN
      - SYS_PTRACE
volumes:
  maildata:
    driver: local
  mailstate:
    driver: local
  maillogs:
    driver: local

I have now run through start_mailserver.sh. It uses only the hostname for the SSL. So it does not matter what is defined inside the domainname.
So now the question: why can't I receive emails when domainname and hostname are defined as mail.domain.tld, and the registered email addresses are also [email protected] and [email protected]?

Somewhat simplified there are two types of mail accounts. One is for real users, i.e. users that can login and that have a home directory. The other is for virtual users that can read and send mail, but that should not have accounts on the host. If the host is mail.domain.tld and you define a user as [email protected] then that is a local user on that host and the user is assumed to exist and permissions must be in place to allow the mail server to deliver mail to the user's home directory. If on the other hand you define the user as [email protected] then it is a virtual user.

That is one part of the story. The other is that the start_mailserver.sh script makes some assumptions and uses the docker-mailserver specific accounts file for populating several Postfix configuration files. That breaks down and you get warnings when you don't follow the conventions.

I think you should either follow the conventions, stay close to the defaults and read up on the letsencrypt configuration, or make a deep-dive into Postfix and Dovecot to tweak the configuration the way you want it. Many are using letsencrypt so I very much doubt that your issue is unique. Check the wiki and see if you can adapt one of the working examples. Good luck!

Yes, and I am trying to do it like in the example, but I have trouble here because of the errors above. The mails now have a correct SSL cert, but they are bounced, because the email user is not found.
So is this docker-mailserver using local users? If yes, what rights should they have?
If no: why does my system say that it does not find any user although they are defined inside postfix-accounts.cf via setup.sh?

Current status is that I've found the users' "home" directory under /var/mail/mail.domain.tld/. The emails sent to them were bounced, because the users were not found. Dovecot itself has listed the users in its userdb file with the correct path. I am pretty frustrated now...

So the last problem was solved... The problem was the mydestination definition from Postfix.
Fixed by adding a postfix-main.cf inside the config folder, with mydestination = localhost.$mydomain, localhost instead of mydestination = $myhostname, localhost.$mydomain, localhost

Now I can send emails to external addresses and receive from external ones, as well as sending emails completely internally.
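
The overlap behind the "do not list domain ... in BOTH mydestination and virtual_mailbox_domains" warning and the `unknown user` bounce in this thread, as an added example (not code from the thread or from docker-mailserver): it expands `$myhostname` and `$mydomain` in main.cf-style text and reports domains that end up in both lists. The two sample configurations are constructed from the thread's placeholder names, and inline domain lists are assumed; file-path and `type:table` entries are skipped rather than resolved.

```python
import re

def parse_main_cf(text):
    """Parse 'name = value' lines; the last definition of a name wins."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last:      # indented line continues the previous value
            params[last] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        last = name.strip()
        params[last] = value.strip()
    return params

def expand(value, params, depth=0):
    """Recursively expand $name and ${name} references."""
    if depth > 10:
        raise ValueError("parameter reference loop")
    def sub(m):
        return expand(params.get(m.group(1) or m.group(2), ""), params, depth + 1)
    return re.sub(r"\$(?:\{(\w+)\}|(\w+))", sub, value)

def domain_list(name, params):
    """Lower-cased inline domains of a list parameter (file/table entries skipped)."""
    items = re.split(r"[,\s]+", expand(params.get(name, ""), params))
    return {d.lower() for d in items if d and not d.startswith("/") and ":" not in d}

def overlapping_domains(text):
    """Domains listed in BOTH mydestination and virtual_mailbox_domains."""
    params = parse_main_cf(text)
    return sorted(domain_list("mydestination", params)
                  & domain_list("virtual_mailbox_domains", params))

# Constructed sample: values assumed for illustration, using the thread's placeholder names.
BEFORE = """\
myhostname = mail.domain.tld
mydomain = domain.tld
mydestination = $myhostname, localhost.$mydomain, localhost
virtual_mailbox_domains = mail.domain.tld
"""
# The override from the final comment, appended the way a later definition would be.
AFTER = BEFORE + "mydestination = localhost.$mydomain, localhost\n"

if __name__ == "__main__":
    print("before:", overlapping_domains(BEFORE))
    print("after: ", overlapping_domains(AFTER))
```

A non-empty result means Postfix treats that domain as local and hands its mail to the `local` delivery agent, which is the `relay=local ... unknown user` path seen in the log above.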
