docker-mailserver LXC für Proxmox: Stack + Admin-UI + Webmail + Hardening

- dms-lxc.sh: Proxmox-Host-Installer (unprivilegierter LXC, Debian 13, Docker), curl-Self-Download, Multi-Domain-DKIM, SnappyMail-Provisionierung, PVE-Firewall - Stack: docker-mailserver, Node-Admin-API (Supabase-Auth), React-Admin-UI (OPENBUREAU-Look), SnappyMail (Shibui-Theme), Rspamd-Web-UI, docker-socket-proxy - Admin: Postfächer/Aliase/Catch-all/Quota, editierbare Domains+Settings, Server (Quota/Queue über abgesicherte Bridge), Status & DNS - Hardening: no-new-privileges, Whitelisted exec-Bridge, Rspamd-Passwort, .env chmod 600, PVE-CT-Firewall, generisch/teilbar (keine festen Domains) Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-02 02:26:28 +02:00
commit 1d3818e725
36 changed files with 5523 additions and 0 deletions
@@ -0,0 +1,89 @@
+# ============================================================================
+#  LOKALES TEST-COMPOSE  (OrbStack/Colima/Docker Desktop auf dem Mac)
+#  NICHT für Produktion — getrennt vom Deploy-Artefakt unter stack/.
+#
+#    docker compose -f docker-compose.local.yml up -d --build         # Admin-Stack
+#    docker compose -f docker-compose.local.yml --profile mail up -d  # + Mailserver
+#    docker compose -f docker-compose.local.yml down -v
+#
+#  Besonderheiten:
+#   - admin-api mit AUTH_DISABLED=true (kein Supabase nötig)
+#   - Mail-Ports auf hohe Ports gemappt (kein Konflikt/keine Root-Rechte)
+# ============================================================================
+name: dms-local
+
+services:
+  # docker-socket-proxy: gibt der API NUR exec frei (kein create/delete/volumes ...)
+  socket-proxy:
+    image: tecnativa/docker-socket-proxy:latest
+    restart: always
+    environment:
+      - CONTAINERS=1
+      - EXEC=1
+      - POST=1
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+
+  admin-api:
+    build: ./stack/api
+    environment:
+      - AUTH_DISABLED=true
+      - CONFIG_DIR=/config
+      - MAIL_DOMAIN=example.com
+      - MAIL_DOMAINS=example.com gabrielevarano.ch karimgabrielevarano.xyz openbureau.ch
+      - MAIL_FQDN=mail.example.com
+      - BRAND=Example
+      - WEBMAIL_FQDN=mail.example.com
+      - ADMIN_FQDN=admin.example.com
+      - DOCKER_PROXY=socket-proxy:2375
+      - MAILSERVER_CONTAINER=dms-local-mailserver-1
+    depends_on:
+      - socket-proxy
+    volumes:
+      - ./stack/docker-data/dms/config/:/config/
+    ports:
+      - "3000:3000"
+
+  admin-ui:
+    build: ./stack/admin
+    environment:
+      - AUTH_DISABLED=true       # nur lokal: UI ohne Supabase-Login ansehen
+      - SUPABASE_URL=
+      - SUPABASE_ANON_KEY=
+    depends_on:
+      - admin-api
+    ports:
+      - "8090:80"
+
+  snappymail:
+    image: djmaze/snappymail:latest
+    ports:
+      - "8888:8888"
+    volumes:
+      - ./stack/docker-data/snappymail/:/var/lib/snappymail/   # echter Datenpfad der djmaze-Image
+      - ./stack/snappymail-theme/:/snappymail/themes/:ro       # KGVA "Shibui"-Theme
+
+  # Nur mit  --profile mail  starten (großer Image-Pull, bindet Mail-Ports)
+  mailserver:
+    image: ghcr.io/docker-mailserver/docker-mailserver:latest
+    hostname: mail.example.com
+    env_file: ./stack/mailserver.env
+    environment:
+      - OVERRIDE_HOSTNAME=mail.example.com
+      - POSTMASTER_ADDRESS=postmaster@example.com
+    profiles: ["mail"]
+    ports:
+      - "2525:25"
+      - "1143:143"
+      - "4465:465"
+      - "5587:587"
+      - "9993:993"
+      - "11334:11334"   # Rspamd Web-UI (lokaler Test)
+    volumes:
+      - ./stack/docker-data/dms/mail-data/:/var/mail/
+      - ./stack/docker-data/dms/mail-state/:/var/mail-state/
+      - ./stack/docker-data/dms/mail-logs/:/var/log/mail/
+      - ./stack/docker-data/dms/config/:/tmp/docker-mailserver/
+      - ./stack/docker-data/certs/:/etc/letsencrypt/:ro
+    cap_add:
+      - NET_ADMIN