Full System Architecture, Mail Flow Diagrams, Monitoring, Backups, Hardening & Performance Tuning

Posted on 2025-11-20 (updated 2025-11-21) by Rico

Mail Server Series — Part 10

At this stage of the series, we have successfully built an enterprise-grade, fully-containerized email system that includes:

  • MariaDB + PostfixAdmin (virtual domains & mailboxes)
  • Postfix (SMTP server)
  • Dovecot (IMAP/POP3 + LMTP + Sieve)
  • Amavis + SpamAssassin + ClamAV (content filtering)
  • Piler (email archiving)
  • Manticore (index/search engine with full Chinese support)
  • Roundcube (webmail)
  • Pilermilter (header extraction for Piler)
  • Let’s Encrypt, Apache reverse proxy, and Docker networking

In Part 10, we will summarize the entire system, provide complete diagrams, monitoring guidelines, backup strategies, hardening recommendations, and performance tuning tips.


🔶 1. Final System Architecture Diagram

                 ┌────────────┐
                 │   Internet │
                 └─────┬──────┘
                       │ 25/465/587/993
                ┌──────▼──────┐
                │ Nginx/Apache │  ← HTTPS Reverse Proxy
                └──────┬──────┘
                       │ (Docker Network)
 ┌──────────────────────────────────────────────────────────┐
 │                   Docker intranet-net                     │
 │                                                          │
 │   ┌──────────┐     ┌──────────────┐     ┌──────────┐    │
 │   │ Postfix  │◄───►│   Amavis      │◄───►│ ClamAV   │    │
 │   │  SMTP    │     │ SA + ClamAV   │     │ Antivirus│    │
 │   └─────┬────┘     └──────▲───────┘     └─────┬────┘    │
 │         │25           Spam/Ham  |            3310│        │
 │         │                          ┌───────────▼─────────┐
 │   ┌─────▼────────┐                 │ SpamAssassin Server │
 │   │   Dovecot    │                 │  remote spamc:783   │
 │   │IMAP/LMTP/Sieve│◄───────────────└─────────────────────┘
 │   └─────┬────────┘
 │         │ LMTP
 │   ┌─────▼────────┐
 │   │   Piler      │ ← always_bcc from Postfix
 │   │ Email Archive│
 │   └─────┬────────┘
 │         │ SQL + Index
 │   ┌─────▼────────┐
 │   │ Manticore     │ ← Chinese search support
 │   └───────────────┘
 │
 │   ┌─────────────┐
 │   │ Roundcube    │ → IMAP/SMTP + ManageSieve
 │   └─────────────┘
 └──────────────────────────────────────────────────────────┘

This architecture provides:

  • Full modularization
  • Independent containers for each service
  • Full antivirus and spam filtering
  • DKIM, SPF, DMARC
  • Real-time archiving
  • Chinese search support
  • Multi-domain capability
  • SNI TLS support
  • Webmail integration

🔶 2. Complete Mail Flow (Inbound / Outbound)


📥 Inbound Flow (External → Your Server)

Internet → Postfix(25) → Amavis → SA → ClamAV → Dovecot(LMTP) → Mailbox
                                     │
                                     └→ Piler (via always_bcc)

Steps:

  1. External server connects to Postfix via port 25
  2. Postfix hands message to Amavis
  3. SA + ClamAV classify spam/virus
  4. Amavis sends cleaned mail back to Postfix (10025)
  5. Postfix delivers via LMTP to Dovecot
  6. A copy is archived by Piler

📤 Outbound Flow (Users → Outside)

Roundcube / User → Postfix(587) → SASL Auth → Amavis → ClamAV → Internet

Steps:

  1. User authenticates through TLS/587
  2. Postfix forwards to Amavis
  3. Amavis signs the message using DKIM
  4. Message is delivered to external servers

🔶 3. Monitoring and Log Analysis

Monitoring is essential for reliability and incident response.


📌 3.1 SMTP / IMAP & Service Health Monitoring

Service        Port          What to monitor
Postfix        25, 587       TLS, queue size, rejects
Dovecot        143, 993      Login success rate, TLS cipher, concurrent users
Amavis         10024/10026   Processing time, backlog
SpamAssassin   783           Rule updates, Bayes DB
ClamAV         3310          Version, update health
Piler          80            Archive success rate
Manticore      9306          Index status, slow queries

Recommended tools:

  • Postfix exporter
  • Dovecot exporter
  • Node exporter
  • Grafana dashboards

📌 3.2 Critical Logs to Watch

Component   Log path                        What to check
Postfix     /var/log/postfix/postfix.log    reject reasons, queue issues
Dovecot     /var/log/dovecot/dovecot.log    authentication failures
Amavis      /var/log/amavis/amavis.log      scan issues, timeouts
ClamAV      /var/log/clamav/clamd.log       signature problems
Piler       /var/log/piler                  archive failures
Roundcube   /var/log/webmail                SMTP errors

🔶 4. Backup Strategy (Critical!)

A mail system must have reliable backups.
There are three critical components to back up.


📌 4.1 User Mailboxes (Dovecot Maildir)

/opt/docker/mail/dovecot/usermail

Recommended:

  • Daily incremental backups
  • Weekly full snapshot

📌 4.2 MariaDB (PostfixAdmin / Piler / SA / Dovecot Quota Info)

Use:

mysqldump --single-transaction --default-character-set=utf8mb4 --all-databases > mail-db.sql

📌 4.3 Piler Archive Storage

/opt/docker/mail/piler/piler_store

Recommendation:

  • Local snapshot
  • NAS replication
  • Cloud (S3 Glacier) for long-term retention

🔶 5. Security Hardening


📌 5.1 TLS & Certificate Management

  • Use Let’s Encrypt + automated renewal
  • Use SNI for multi-domain SMTP
  • Enforce TLS on port 587
  • Ensure strong cipher suites

📌 5.2 Anti-Brute-Force

  • Deploy fail2ban on Host OS
  • Monitor IMAP/SMTP failed logins
  • Add IP blocking rules
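The authentication-failure lines from the Dovecot and Postfix logs in section 3.2 are what a brute-force monitor consumes. The following is an added example, not code from the series: it parses constructed sample log lines and applies a fail2ban-style "N failures within M minutes" rule per client IP. The log format, year and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the Dovecot and Postfix log formats from section 3.2
# (not real traffic); only the timestamp, the auth-failure marker and the client IP matter.
SAMPLE_LOGS = """\
Nov 20 01:12:01 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.7, lip=172.18.0.3, TLS
Nov 20 01:12:05 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=203.0.113.7, lip=172.18.0.3, TLS
Nov 20 01:12:09 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<carol>, method=PLAIN, rip=203.0.113.7, lip=172.18.0.3, TLS
Nov 20 01:13:00 mail postfix/submission/smtpd[412]: warning: unknown[198.51.100.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 20 01:15:30 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.20, lip=172.18.0.3, TLS
Nov 20 02:40:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.7, lip=172.18.0.3, TLS
"""

SYSLOG_TS = r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
DOVECOT_FAIL = re.compile(SYSLOG_TS + r"dovecot: (?P<svc>\w+)-login: .*auth failed.*\brip=(?P<ip>[\d.]+)")
POSTFIX_FAIL = re.compile(SYSLOG_TS + r"postfix/(?P<svc>[\w/]+)\[\d+\]: warning: \S+\[(?P<ip>[\d.]+)\]: "
                          r"SASL \w+ authentication failed")

def failed_logins(log_text, year=2025):
    """Return (time, client_ip, service) for every failed IMAP/POP3/SMTP login.
    Syslog lines carry no year, so the caller supplies it (assumed 2025 here)."""
    events = []
    for line in log_text.splitlines():
        m = DOVECOT_FAIL.match(line) or POSTFIX_FAIL.match(line)
        if m:
            ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["svc"]))
    return events

def offenders(events, threshold=5, window_minutes=10):
    """IPs with at least `threshold` failures inside any span of `window_minutes`
    (the maxretry/findtime rule a fail2ban jail applies). Sliding window per IP."""
    window = timedelta(minutes=window_minutes)
    per_ip = defaultdict(list)
    for ts, ip, _svc in events:
        per_ip[ip].append(ts)
    hits = set()
    for ip, times in per_ip.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                hits.add(ip)
                break
    return hits

if __name__ == "__main__":
    evs = failed_logins(SAMPLE_LOGS)
    print(f"{len(evs)} failed logins; block candidates: {sorted(offenders(evs, threshold=3))}")
```

Successful logins are ignored, so a legitimate user who mistypes a password once never reaches the threshold on their own.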

📌 5.3 Network Restriction

mynetworks = 127.0.0.0/8 172.18.0.0/16

Only authorized networks should bypass authentication.


📌 5.4 Reverse Proxy Security

Use:

  • HSTS (the Strict-Transport-Security header)
  • CSP
  • Disable SSLv3/TLS1.0

📌 5.5 SPF + DKIM + DMARC

Essential for email deliverability:

  • SPF via DNS TXT
  • DKIM handled by Amavis
  • DMARC policy with aggregate reports

🔶 6. Performance Tuning


📌 6.1 Postfix Tuning

  • Store queue on SSD
  • Avoid excessive DNS lookups
  • Match worker count to CPU cores

📌 6.2 Dovecot Tuning

  • Store Maildir on SSD
  • Tune LMTP concurrency

📌 6.3 Amavis + SA Tuning

  • Enable sa-compile
  • Increase server workers
  • Allocate large temp storage

📌 6.4 ClamAV Tuning

  • Allocate 512M–1G RAM
  • Increase max threads

📌 6.5 Manticore Tuning

  • Put index files on SSD
  • The Chinese tokenizer (ngram + ICU) is already optimized

🔶 7. Automation


📌 7.1 Automatic SSL Renewal

Cron job running renewssl.sh:

0 1 * * * /opt/docker/wwwapp/renewssl.sh

📌 7.2 SpamAssassin Rule Updating

Cron job:

sa-update && sa-compile && pkill -HUP amavisd

sa-update exits non-zero when no new rules are available, so the compile and the SIGHUP reload of amavisd only run after an actual rule update.

📌 7.3 Automatic Queue Cleanup

postsuper -d ALL deferred

This discards every message in the deferred queue, including mail that would still have been retried, so review the queue with postqueue -p before running it.
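A more selective cleanup keeps recently deferred mail and removes only messages that have sat in the deferred queue longer than a cutoff. The following is an added example, not part of the series: it reads the JSON that `postqueue -j` emits (Postfix 3.1 and later), selects deferred messages older than N days and produces the input for `postsuper -d -`, which reads queue IDs from standard input. The sample queue entries, the script name and the 3-day default are assumptions.

```python
import json
import sys
import time

# Constructed sample of `postqueue -j` output (Postfix 3.1+ prints one JSON object per
# queued message); the IDs, addresses and timestamps are invented, not from a real queue.
SAMPLE_QUEUE = """\
{"queue_name": "deferred", "queue_id": "4A1B2C3D4E", "arrival_time": 1763600000, "message_size": 2048, "forced_expire": false, "sender": "alice@example.com", "recipients": [{"address": "bob@example.net", "delay_reason": "connect to mx.example.net[192.0.2.10]:25: Connection timed out"}]}
{"queue_name": "deferred", "queue_id": "5F6A7B8C9D", "arrival_time": 1763200000, "message_size": 4096, "forced_expire": false, "sender": "carol@example.com", "recipients": [{"address": "dave@example.org", "delay_reason": "host mx.example.org[198.51.100.5] said: 451 4.7.1 Try again later"}]}
{"queue_name": "active", "queue_id": "0E1F2A3B4C", "arrival_time": 1763620000, "message_size": 512, "forced_expire": false, "sender": "erin@example.com", "recipients": [{"address": "frank@example.com"}]}
"""

DAY = 86400

def stale_deferred(queue_json, older_than_days, now_ts=None):
    """Queue IDs of deferred messages that arrived more than `older_than_days` ago.
    Messages in the active, incoming or hold queues are never selected."""
    now_ts = time.time() if now_ts is None else now_ts
    cutoff = now_ts - older_than_days * DAY
    stale = []
    for line in queue_json.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        if entry["queue_name"] == "deferred" and entry["arrival_time"] < cutoff:
            stale.append(entry["queue_id"])
    return stale

def postsuper_stdin(queue_ids):
    """Text to pipe into `postsuper -d -`, which reads one queue ID per line."""
    return "".join(f"{qid}\n" for qid in queue_ids)

if __name__ == "__main__":
    # Assumed usage: postqueue -j | python3 stale_queue.py 3 | postsuper -d -
    # The script only prints IDs; deletion happens in postsuper. Without piped
    # input it runs against the constructed sample above.
    days = int(sys.argv[1]) if len(sys.argv) > 1 else 3
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_QUEUE
    sys.stdout.write(postsuper_stdin(stale_deferred(source, days)))
```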

🔶 8. Final Recommendations


✔ Keep Host OS Minimal

Only run:

  • Docker
  • iptables
  • SSL renewal tasks

✔ Periodically Validate DKIM/SPF/DMARC

Tools:

  • MXToolbox
  • mail-tester.com

✔ Perform Load Testing

swaks --to user@example.com --server mail.example.com

✔ Regularly Back Up Mailboxes, DB, and Archives

Email loss can be critical for business operations.


✔ Keep Monitoring the Spam/Ham Learning Logs

Ensure:

  • Dovecot moves spam correctly
  • SA learning works via milter

🎉 Conclusion: Your Mail System Reaches Enterprise-Grade Quality

Your system now offers:

  • Full multi-domain capability
  • DKIM/SPF/DMARC security
  • Antivirus + spam detection with continuous learning
  • Real-time archiving with Chinese full-text search
  • Docker modular architecture
  • Stable, secure, scalable operation
  • Professional webmail and mobile access
