Moved to: #4617


Hello everyone, I am trying to use Docker Mailserver, but I encountered an issue. The IP address I obtained in the log is the address of the Docker network card, regardless of where I logged in from. I also used caddy-l4 (https://github.com/mholt/caddy-l4) at the same time to perform TCP forwarding. Here are the log, docker-compose.yaml and Caddy JSON.
At the same time, I used the official documentation to add support for reverse proxy, but none of them were effective. I think even if the reverse proxy configuration is invalid, the IP should still be the IP where the proxy is located, not the internal IP of Docker. Did I miss anything?

```
2025-11-27T14:15:14.054831+08:00 mail dovecot: imap-login: Login: user=<test@mydomain.com>, method=PLAIN, rip=172.24.0.1, lip=172.24.0.2, mpid=612, TLS, session=</iSfb41E2tWsGAAB>
2025-11-27T14:15:14.219948+08:00 mail dovecot: imap(test@mydomain.com)<612></iSfb41E2tWsGAAB>: Disconnected: Logged out in=82 out=819 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
```

```yaml
services:
  mailserver:
    image: mailserver/docker-mailserver
    container_name: Mailserver
    hostname: mail.mydomain.com
    networks:
      - mail-network
    environment:
      - ENABLE_RSPAMD=1
      - ENABLE_OPENDKIM=0
      - ENABLE_OPENDMARC=0
      - ENABLE_AMAVIS=0
      - ENABLE_POLICYD_SPF=0
      - ENABLE_SPAMASSASSIN=0
      - ENABLE_POSTGREY=0
      - RSPAMD_GREYLISTING=1
      - ENABLE_CLAMAV=1
      - SSL_TYPE=manual
      - SSL_CERT_PATH=/tmp/dms/custom-certs/fullchain.pem
      - SSL_KEY_PATH=/tmp/dms/custom-certs/privkey.pem
      - ENABLE_OAUTH2=1
      - OAUTH2_INTROSPECTION_URL=https://id.mydomain.com/api/oidc/userinfo
      - ENABLE_FAIL2BAN=1
    cap_add:
      - NET_ADMIN
    ports:
      - "25:25"    # SMTP  (explicit TLS => STARTTLS, Authentication is DISABLED => use port 465/587 instead)
      - "143:143"  # IMAP4 (explicit TLS => STARTTLS)
      - "465:465"  # ESMTP (implicit TLS)
      - "587:587"  # ESMTP (explicit TLS => STARTTLS)
      - "993:993"  # IMAP4 (implicit TLS)
    volumes:
      - ./dms/mail-data/:/var/mail/
      - ./dms/mail-state/:/var/mail-state/
      - ./dms/mail-logs/:/var/log/mail/
      - ./dms/config/:/tmp/docker-mailserver/
      - /etc/localtime:/etc/localtime:ro
      - ./custom-certs/_archive/7ed5th/:/tmp/dms/custom-certs/
    restart: always
    stop_grace_period: 1m
    healthcheck:
      test: "ss --listening --ipv4 --tcp | grep --silent ':smtp' || exit 1"
      timeout: 3s
      retries: 0

networks:
  mail-network:
    driver: bridge
```

```json
{
    "apps": {
        "layer4": {
            "@id": "layer4",
            "servers": {
                "test": {
                    "@id": "test-id-1246",
                    "listen": [
                        "0.0.0.0:993"
                    ],
                    "routes": [
                        {
                            "handle": [
                                {
                                    "handler": "proxy",
                                    "upstreams": [
                                        {
                                            "dial": [
                                                "mailserver_ip:993"
                                            ]
                                        }
                                    ]
                                }
                            ]
                        }
                    ]
                }
            }
        }
    }
}
```

Replies: 2 comments · 4 replies

My login method is roundcube, which interacts with SSL 993 and SSL 587

@xkl

Thanks for sharing your issue. I am seeing the same issue, at least sometimes. I don't have any kind of proxy configured.

```console
$ awk '$4~/^imap-login:$/ && $5~/^Login:$/ {count[$8]++}END{for (k in count){printf "%s: %d\n", k, count[k]}}' ~/dms/docker/docker-data/dms/mail-logs/mail.log | sort -nk2 |column -t
rip=<ext>,:            1
rip=<ext>,:            1
rip=<ext>,:            1
rip=<ext>,:            2
rip=<ext>,:            3
rip=<ext>,:            6
rip=<ext>,:            9
rip=<ext>,:            20
rip=172.20.0.1,:       29
rip=172.19.0.1,:       32
rip=172.23.0.1,:       34
rip=172.24.0.1,:       37
rip=172.18.0.1,:       102
rip=172.21.0.1,:       266
rip=<ext>,:            388
rip=192.168.240.1,:    1535
```

This is the result of a family setup with eight users. Logs for the last ~24 hours with a few restarts of the container while configuring SPF, where I see the same issue:

```console
$ awk '$3~/^policyd-spf\[[0-9]*\]:$/{print}' ~/dms/docker/docker-data/dms/mail-logs/mail.log | grep 'client-ip='|wc
    906   12158  195329
$ awk '$3~/^policyd-spf\[[0-9]*\]:$/{print}' ~/dms/docker/docker-data/dms/mail-logs/mail.log | grep 'client-ip=172'|wc
    587    7867  119571
```

It shows that about half of the connections come from 172.0.0.0/8. For the SPF configuration I need to exclude this IP range.

Maybe someone can disclose the reason for sometimes having internal connections. I don't even know if this is a bug or an intended behaviour.

@xkl

Update: although I do not understand the behaviour, I solved the issue after reading the fine manual at Bind outbound SMTP to a specific network.....

@xkl

And read and disable: IPv6. This explains the "sometimes". IPv6 connections lead to the internal bridged IP, IPv4 connections go to the public IP.

@jASSSSSSON

Hello, could you please share how to set it specifically? I changed the settings but the problem was not resolved. Thank you.


Sure, I removed the AAAA entry from the DNS record, so that no one gets the IPv6 address of the mailserver, and secondly I added the following driver_opts to my compose.yaml (this might not be needed anymore, but I did not test).

```console
$ cat compose.yaml
networks:
  default:
    driver_opts:
      # Inbound IP (sets the host IP that published ports receive traffic from):
      com.docker.network.bridge.host_binding_ipv4: <hard-coded ip4 address>
      # Outbound IP (sets the host IP that external hosts will receive connections from):
      com.docker.network.host_ipv4: <hard-coded ip4 address>
services:
  mailserver:
    image: ghcr.io/docker-mailserver/docker-mailserver:latest
    container_name: mailserver
    # Provide the FQDN of your mail server here (Your DNS MX record should point to this value)
    hostname: <FQDN>
    env_file: mailserver.env
    # More information about the mail-server ports:
    # https://docker-mailserver.github.io/docker-mailserver/latest/config/security/understanding-the-ports/
    ports:
      - "25:25"    # SMTP  (explicit TLS => STARTTLS, Authentication is DISABLED => use port 465 instead)
      - "465:465"  # ESMTP (implicit TLS)
      - "993:993"  # IMAP4 (implicit TLS)
      - "4190:4190" # SIEVE (explicit TLS => STARTTLS)
      - "127.0.0.1:8003:11334" # RSPAMD WEB UI (use ssh port forwarding to connect)
    volumes:
      - ./docker-data/dms/mail-data/:/var/mail/
      - ./docker-data/dms/mail-state/:/var/mail-state/
      - ./docker-data/dms/mail-logs/:/var/log/mail/
      - ./docker-data/dms/config/:/tmp/docker-mailserver/
      - ./docker-data/certbot/certs/:/etc/letsencrypt
      - /etc/localtime:/etc/localtime:ro
    restart: always
    stop_grace_period: 1m
    # Uncomment if using `ENABLE_FAIL2BAN=1`:
    cap_add:
      - NET_ADMIN
    healthcheck:
      test: "ss --listening --tcp | grep -P 'LISTEN.+:smtp' || exit 1"
      timeout: 3s
      retries: 0
```
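
A check to run over mail.log before and after a network change like the one above: it counts Dovecot `imap-login` entries whose `rip` lies in a private or bridge range, meaning the real client address was replaced by a Docker gateway. This is an added example, not part of the original discussion or of docker-mailserver; the sample log lines and function names are constructed for illustration.

```python
import ipaddress
import re

# RFC 1918, loopback, IPv6 ULA and link-local: never a real Internet client (Docker bridge gateways fall in here).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "::1/128", "fc00::/7", "fe80::/10")]
LOGIN_RE = re.compile(
    r"dovecot: imap-login: Login: user=<([^>]*)>.*?\brip=([0-9A-Fa-f:.]+)")

# Constructed sample in the log format quoted in this thread; 203.0.113.7 is a documentation address.
SAMPLE_LOG = """\
2025-11-27T14:15:14+08:00 mail dovecot: imap-login: Login: user=<test@mydomain.com>, method=PLAIN, rip=172.24.0.1, lip=172.24.0.2, mpid=612, TLS, session=<s1>
2025-11-27T14:15:14+08:00 mail dovecot: imap(test@mydomain.com)<612><s1>: Disconnected: Logged out in=82 out=819
2025-11-27T14:16:02+08:00 mail dovecot: imap-login: Login: user=<alice@mydomain.com>, method=PLAIN, rip=172.24.0.1, lip=172.24.0.2, mpid=613, TLS, session=<s2>
2025-11-27T14:17:40+08:00 mail dovecot: imap-login: Login: user=<bob@mydomain.com>, method=PLAIN, rip=203.0.113.7, lip=172.24.0.2, mpid=614, TLS, session=<s3>
2025-11-27T14:18:11+08:00 mail dovecot: imap-login: Login: user=<alice@mydomain.com>, method=PLAIN, rip=192.168.240.1, lip=172.24.0.2, mpid=615, TLS, session=<s4>
"""

def is_internal(rip):
    """True if rip is a private/bridge address, i.e. the client IP was lost."""
    addr = ipaddress.ip_address(rip)
    return any(addr.version == n.version and addr in n for n in INTERNAL_NETS)

def summarize(log_text):
    """Map each rip to its login count, distinct users and internal flag."""
    stats = {}
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue  # not a successful IMAP login line
        user, rip = m.groups()
        try:
            internal = is_internal(rip)
        except ValueError:
            continue  # rip field is not a valid IP address
        e = stats.setdefault(rip, {"logins": 0, "users": set(), "internal": internal})
        e["logins"] += 1
        e["users"].add(user)
    return stats

def masked_logins(log_text):
    """Return (logins whose rip is internal, total logins)."""
    stats = list(summarize(log_text).values())
    return sum(e["logins"] for e in stats if e["internal"]), sum(e["logins"] for e in stats)

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG), masked_logins(SAMPLE_LOG))
```

Several distinct users behind one internal `rip` is the signature of a gateway address rather than a client, so any per-IP control that reads this log is acting on the gateway.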