docker-mailserver LXC für Proxmox: Stack + Admin-UI + Webmail + Hardening

- dms-lxc.sh: Proxmox-Host-Installer (unprivilegierter LXC, Debian 13, Docker),
  curl-Self-Download, Multi-Domain-DKIM, SnappyMail-Provisionierung, PVE-Firewall
- Stack: docker-mailserver, Node-Admin-API (Supabase-Auth), React-Admin-UI
  (OPENBUREAU-Look), SnappyMail (Shibui-Theme), Rspamd-Web-UI, docker-socket-proxy
- Admin: Postfächer/Aliase/Catch-all/Quota, editierbare Domains+Settings,
  Server (Quota/Queue über abgesicherte Bridge), Status & DNS
- Hardening: no-new-privileges, Whitelisted exec-Bridge, Rspamd-Passwort,
  .env chmod 600, PVE-CT-Firewall, generisch/teilbar (keine festen Domains)

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

stack/docker-compose.yml

@@ -0,0 +1,114 @@
+# ============================================================================
+#  docker-mailserver Stack
+#    mailserver   – Postfix/Dovecot/Rspamd (docker-mailserver)
+#    admin-api    – Node.js API (Supabase-Auth) verwaltet DMS-Config-Dateien
+#    admin-ui     – React-Admin Oberfläche (nginx, proxyt /api -> admin-api)
+#    snappymail   – schlankes Webmail für die Mitarbeiter
+#
+#  TLS/HTTPS für admin-ui & snappymail macht der Nginx Proxy Manager
+#  (separater Stack), der auf ADMIN_PORT / WEBMAIL_PORT dieses Hosts zeigt.
+# ============================================================================
+services:
+  mailserver:
+    image: ghcr.io/docker-mailserver/docker-mailserver:${DMS_TAG:-latest}
+    container_name: mailserver
+    hostname: ${MAIL_FQDN}
+    env_file: mailserver.env
+    environment:
+      - OVERRIDE_HOSTNAME=${MAIL_FQDN}
+      - POSTMASTER_ADDRESS=postmaster@${MAIL_DOMAIN}
+    ports:
+      - "25:25"      # SMTP (eingehender MX-Verkehr)
+      - "143:143"    # IMAP (STARTTLS)
+      - "465:465"    # SMTP Submission (implicit TLS)
+      - "587:587"    # SMTP Submission (STARTTLS)
+      - "993:993"    # IMAP (implicit TLS)
+      - "${RSPAMD_PORT:-11334}:11334"  # Rspamd Web-UI — NUR über NPM/Firewall öffnen!
+    volumes:
+      - ./docker-data/dms/mail-data/:/var/mail/
+      - ./docker-data/dms/mail-state/:/var/mail-state/
+      - ./docker-data/dms/mail-logs/:/var/log/mail/
+      - ./docker-data/dms/config/:/tmp/docker-mailserver/
+      - ./docker-data/certs/:/etc/letsencrypt/:ro   # Zertifikate (NPM DNS-Challenge)
+      - /etc/localtime:/etc/localtime:ro
+    restart: always
+    stop_grace_period: 1m
+    cap_add:
+      - NET_ADMIN    # für Fail2ban
+    healthcheck:
+      test: "ss --listening --tcp | grep -P 'LISTEN.+:smtp' || exit 1"
+      timeout: 3s
+      retries: 0
+
+  # docker-socket-proxy: gibt der Admin-API NUR exec frei (kein create/delete/...)
+  socket-proxy:
+    image: tecnativa/docker-socket-proxy:latest
+    container_name: dms-socket-proxy
+    restart: always
+    security_opt:
+      - no-new-privileges:true
+    environment:
+      - CONTAINERS=1
+      - EXEC=1
+      - POST=1
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+
+  admin-api:
+    build: ./api
+    container_name: dms-admin-api
+    restart: always
+    security_opt:
+      - no-new-privileges:true
+    environment:
+      - CONFIG_DIR=/config
+      - MAIL_DOMAIN=${MAIL_DOMAIN}
+      - MAIL_DOMAINS=${MAIL_DOMAINS}
+      - MAIL_FQDN=${MAIL_FQDN}
+      - BRAND=${BRAND}
+      - WEBMAIL_FQDN=${WEBMAIL_FQDN}
+      - ADMIN_FQDN=${ADMIN_FQDN}
+      - SUPABASE_URL=${SUPABASE_URL}
+      - SUPABASE_ANON_KEY=${SUPABASE_ANON_KEY}
+      - ADMIN_ALLOWED_EMAILS=${ADMIN_ALLOWED_EMAILS}
+      # Bridge zum Mailserver: nur exec über den socket-proxy, Whitelist in der API
+      - DOCKER_PROXY=socket-proxy:2375
+      - MAILSERVER_CONTAINER=mailserver
+    depends_on:
+      - socket-proxy
+    volumes:
+      # Schreibzugriff auf die DMS-Config-Dateien (kein direkter Docker-Socket!)
+      - ./docker-data/dms/config/:/config/
+    expose:
+      - "3000"
+
+  admin-ui:
+    build:
+      context: ./admin
+      args:
+        # Werden zur Laufzeit via /config.js injiziert (siehe entrypoint)
+        - VITE_SUPABASE_URL=${SUPABASE_URL}
+        - VITE_SUPABASE_ANON_KEY=${SUPABASE_ANON_KEY}
+    container_name: dms-admin-ui
+    restart: always
+    security_opt:
+      - no-new-privileges:true
+    depends_on:
+      - admin-api
+    environment:
+      - SUPABASE_URL=${SUPABASE_URL}
+      - SUPABASE_ANON_KEY=${SUPABASE_ANON_KEY}
+    ports:
+      - "${ADMIN_PORT:-8080}:80"
+
+  snappymail:
+    image: djmaze/snappymail:latest
+    container_name: snappymail
+    restart: always
+    security_opt:
+      - no-new-privileges:true
+    ports:
+      - "${WEBMAIL_PORT:-8888}:8888"
+    volumes:
+      - ./docker-data/snappymail/:/var/lib/snappymail/   # echter Datenpfad der djmaze-Image
+      - ./snappymail-theme/:/snappymail/themes/:ro       # KGVA "Shibui"-Theme