Nuface Blog
Final Architecture, Operations Checklist, and Future Expansion

Posted on 2025-11-21 by Rico

Mail Server Series — Part 14

After going through the previous 13 parts, we now have a fully working, containerized mail system built on Docker. In this final article, we’ll step back and look at the whole picture:

  • Review the overall architecture
  • Summarize the mail flow (inbound / outbound / archive)
  • Organize an operations checklist (what you should watch daily / weekly / monthly)
  • List security hardening points
  • Talk about future expansion and optimization ideas

This part is less about commands, and more about helping you “own” the system as a long-term platform.


1. Final Architecture Overview

Let’s quickly recap the main components and their roles. All of them are running in Docker, connected via the intranet-net network, and protected by iptables on the host.

1.1 Core Services

  • Postfix (postfix container)
    • Handles SMTP (port 25, 587)
    • Uses MySQL (MariaDB) for virtual domains and users
    • Integrates with Amavis + SpamAssassin + ClamAV as a content filter
    • Uses PostfixAdmin’s database as the source of virtual users/domains
    • Sends a copy of all mail to Piler via transport (archive.local -> smtp:[172.18.0.1]:2525)
  • Dovecot (dovecot container)
    • Provides POP3/POP3S (110/995), IMAP/IMAPS (143/993), LMTP (24), ManageSieve (4190)
    • Uses MySQL (same Postfix DB) for user authentication
    • Stores user mail under /var/vmail (mounted from host)
    • Implements quota, per-user spam learning via remote spamc to SpamAssassin
    • Supports SNI certificates via shared Let’s Encrypt paths
  • MariaDB (maildb container)
    • Stores Postfix/PostfixAdmin DB (postfix DB)
    • Stores SpamAssassin Bayes / TxRep / user prefs (sa40 DB)
    • Stores Piler metadata (piler DB)

1.2 Security and Content Filtering

  • SpamAssassin (spamassassin container)
    • Runs spamd on port 783
    • Uses MySQL Bayes + TxRep (per-user learning)
    • Dovecot’s Sieve scripts send learned HAM/SPAM to spamc -L ham/spam
    • Combines global rules + per-user scoring
  • ClamAV (clamav container)
    • Runs clamd listening on port 3310
    • Maintains virusDB under /var/lib/clamav
    • Freshclam runs in the same container to update signatures
  • Amavis (amavis container)
    • Listens on 10024/10026 for content filtering
    • Integrates with ClamAV (clamdscan) and SpamAssassin (spamd)
    • Verifies DKIM, and signs outbound mail for it.demo.tw
    • Provides policy banks for inbound/outbound, with different threshold and behavior

1.3 Management, Archive, and Web Access

  • PostfixAdmin (mailsetup container)
    • Web management interface for domains, mailboxes, aliases
    • Uses MariaDB (postfix DB) and is reverse proxied via mailsetup.it.demo.tw
    • Only exposed through Apache reverse proxy with HTTPS
  • Piler + Manticore + Memcached (piler, manticore, memcached containers)
    • Piler archives all messages (inbound/outbound), storing bodies in /var/piler/store
    • Manticore provides full-text search with Chinese support (ICU + CJK n-gram)
    • Piler-Web integrates with Dovecot IMAP for user authentication; permission model is based on X-Envelope-To headers
    • Access via https://archive.it.demo.tw/
  • Roundcube Webmail (webmail container)
    • Webmail with IMAP over TLS (tls://it.demo.tw:143), SMTP submission (tls://it.demo.tw:587)
    • Uses managesieve plugin to manage Sieve rules on Dovecot (4190)
    • Reverse proxied via https://webmail.it.demo.tw/
  • piler-milter (pilermilter container)
    • A Sendmail::PMilter Perl milter
    • Adds X-Envelope-From / X-Envelope-To headers for each envelope recipient
    • Helps Piler identify per-user authorization for archive browsing
  • Apache Reverse Proxy (wwwapp container)
    • Public entry point for:
      • it.demo.tw (dummy landing)
      • mail.it.demo.tw (optional)
      • mailsetup.it.demo.tw (PostfixAdmin)
      • webmail.it.demo.tw (Roundcube)
      • archive.it.demo.tw (Piler)
    • Manages all Let’s Encrypt certificates through certbot
    • Hosts ACME HTTP-01 challenge directories

2. Mail Flow Summary (End-to-End)

2.1 Inbound Flow (Internet → User Mailbox + Archive)

  1. Remote mail server connects to postfix :25.
  2. Postfix checks:
    • HELO, sender, recipient restrictions
    • Virtual domain / mailbox via MySQL
    • Milter (piler-milter) to inject X-Envelope-To
  3. Postfix passes mail to Amavis via content_filter = smtp-amavis:[amavis]:10024.
  4. Amavis:
    • Scans with ClamAV
    • Runs SpamAssassin (Bayes + TxRep)
    • Applies policies, modifies headers (e.g., spam score)
  5. Cleaned mail returns from Amavis to Postfix via port 10025.
  6. Postfix delivers:
    • Main copy: lmtp:inet:dovecot:24 → Dovecot → /var/vmail/...
    • Archive copy: via transport to archive.local -> smtp:[172.18.0.1]:2525 → Piler
  7. Piler stores and indexes message into Manticore; user can later search via archive.it.demo.tw.

2.2 Outbound Flow (User → Internet + Archive)

  1. User sends via:
    • Outlook / Thunderbird → postfix :587 (submission, TLS required)
    • Roundcube → postfix :587 from webmail
  2. Submission in Postfix:
    • Requires SASL auth (dovecot as SASL backend)
    • Validates sender matches login (reject_authenticated_sender_login_mismatch)
  3. Postfix sends to Amavis via smtp-amavis:[amavis]:10026 (policy bank ORIGINATING)
  4. Amavis:
    • Applies spam check (for outgoing spam)
    • Adds DKIM signature for it.demo.tw
  5. Amavis returns via 10027 to Postfix, then Postfix relays to the Internet.
  6. As with inbound mail, always_bcc = piler@archive.local ensures every outbound mail is also archived.

3. Operations Checklist (Daily / Weekly / Monthly)

3.1 Daily Checks

  • Mail flow health
    • Log in to Roundcube, send/receive a test mail (internal + external address)
    • Check in Piler whether the message appears in the archive
  • Container health
    • docker ps to ensure all containers (postfix, dovecot, amavis, spamassassin, clamav, piler, manticore, webmail, mailsetup, wwwapp, maildb, memcached, pilermilter) are up
    • Check critical logs:
      • /opt/docker/mail/postfix/log/postfix.log
      • /opt/docker/mail/dovecot/log/dovecot.log
      • /opt/docker/mail/amavis/log/amavis.log
      • /opt/docker/mail/spamassassin/log/spamd.log / sa-learn.log
      • /opt/docker/mail/clamav/log/clamd.log
      • /opt/docker/mail/piler/piler_etc/piler.log (or wherever Piler logs)
  • Disk space
    • Check space on:
      • /opt/docker/mail/dovecot/usermail (user mailboxes)
      • /opt/docker/mail/piler/piler_store (archive store)
      • /opt/docker/mail/piler/piler_manticore (Manticore data)
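The container and disk checks above can be scripted so the daily routine is one command. The following is an added example (not from the original post); it uses constructed sample data in place of the live `docker ps` and `df -P` output named in the comments, so it can be run anywhere:

```shell
#!/bin/sh
# Daily health check for the mail stack (added example, not part of the original post).
# In production replace the constructed samples with live data:
#   running="$(docker ps --format '{{.Names}}')"
#   df_out="$(df -P /opt/docker/mail/dovecot/usermail /opt/docker/mail/piler/piler_store)"

EXPECTED="postfix dovecot amavis spamassassin clamav piler manticore webmail mailsetup wwwapp maildb memcached pilermilter"

# Print the names from EXPECTED that are absent from the running list in $1 (newline- or space-separated).
missing_containers() {
    running=" $(printf '%s' "$1" | tr '\n' ' ') "
    missing=""
    for name in $EXPECTED; do
        case "$running" in
            *" $name "*) ;;
            *) missing="$missing $name" ;;
        esac
    done
    printf '%s' "${missing# }"
}

# Given `df -P` output in $1, print every mount point whose usage is at or above $2 percent.
full_filesystems() {
    printf '%s\n' "$1" | awk -v limit="$2" 'NR > 1 { sub("%", "", $5); if ($5 + 0 >= limit + 0) print $6 }'
}

# Constructed sample data: pilermilter is not running and the Piler store is almost full.
SAMPLE_RUNNING="postfix
dovecot
amavis
spamassassin
clamav
piler
manticore
webmail
mailsetup
wwwapp
maildb
memcached"

SAMPLE_DF="Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/sdb1 104857600 62914560 41943040 60% /opt/docker/mail/dovecot/usermail
/dev/sdc1 209715200 199229440 10485760 95% /opt/docker/mail/piler/piler_store
/dev/sdc2 52428800 10485760 41943040 20% /opt/docker/mail/piler/piler_manticore"

echo "Missing containers: $(missing_containers "$SAMPLE_RUNNING")"
echo "Filesystems at or above 90%:"
full_filesystems "$SAMPLE_DF" 90
```

Running it from cron and mailing the output to an admin address (or a non-empty result to an alerting hook) turns the daily checklist into a record you can audit.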

3.2 Weekly Checks

  • SpamAssassin rules & Bayes DB
    • Confirm sa-update / sa-compile are running via cron (in Amavis container)
    • Check Bayes DB growth and whether auto-learning is working
  • ClamAV
    • Check freshclam logs, ensure virus DB updates regularly
  • Piler & Manticore
    • Run several search tests, including Chinese keywords
    • Confirm tag / note / audit features are working as expected
  • Let’s Encrypt Renewal Dry Run
    • Check renewssl.sh logs
    • Optionally run a manual dry run:
      • certbot renew --dry-run

3.3 Monthly / Quarterly Tasks

  • Full backup
    • MariaDB backups:
      • postfix, sa40, piler
    • File backups:
      • /var/vmail (Dovecot mailstore)
      • /var/piler/store (archive)
      • /etc-equivalent config directories under /opt/docker (postfix, dovecot, amavis, spamassassin, piler, manticore, webmail, apache, etc.)
  • Security review
    • Confirm firewall rules (iptables / DOCKER-USER) are still correct
    • Review admin accounts in PostfixAdmin and Piler
    • Check that there are no unknown user accounts or suspicious login attempts
  • Capacity planning
    • How fast is /var/vmail and /var/piler/store growing?
    • Do you need larger disks, or retention policy adjustment in Piler?
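The "suspicious login attempts" review above (and the daily dovecot.log check in 3.1) can be reduced to a per-IP count of failed logins. This is an added example, not code from the original post; it assumes Dovecot's standard `imap-login: Disconnected (auth failed ...)` log lines and the log path from section 3.1, and runs here on a constructed sample log:

```shell
#!/bin/sh
# Summarize failed IMAP/POP3 logins per source IP from a Dovecot log (added example, not from the post).
# In production: auth_failures_by_ip "$(cat /opt/docker/mail/dovecot/log/dovecot.log)" 10

# Print "count ip" for every remote IP with at least $2 "auth failed" disconnects in the log text $1,
# highest count first. Matches Dovecot's standard "imap-login: Disconnected (auth failed ..." lines.
auth_failures_by_ip() {
    printf '%s\n' "$1" \
      | grep -E '(imap|pop3)-login: Disconnected \(auth failed' \
      | sed -n 's/.*rip=\([0-9a-fA-F.:]*\).*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk -v min="$2" '$1 + 0 >= min + 0 { print $1, $2 }'
}

# Constructed sample log: one source probing several accounts, one user who mistyped once, then a successful login.
SAMPLE_LOG='Nov 21 08:00:01 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<rico>, method=PLAIN, rip=203.0.113.5, lip=172.18.0.3, TLS
Nov 21 08:00:03 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin>, method=PLAIN, rip=203.0.113.5, lip=172.18.0.3, TLS
Nov 21 08:00:05 dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<test>, method=PLAIN, rip=203.0.113.5, lip=172.18.0.3, TLS
Nov 21 08:01:10 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<rico>, method=PLAIN, rip=198.51.100.9, lip=172.18.0.3, TLS
Nov 21 08:01:20 dovecot: imap-login: Login: user=<rico>, method=PLAIN, rip=198.51.100.9, lip=172.18.0.3, mpid=412, TLS'

auth_failures_by_ip "$SAMPLE_LOG" 2
```

An IP that fails against several different usernames in a short window is the pattern worth feeding to Fail2Ban or your firewall rather than reviewing by hand.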

4. Security Hardening Checklist

You already implemented many secure practices. Here is a concise checklist for future review:

  1. TLS Everywhere
    • Let’s Encrypt certificates for:
      • it.demo.tw, mail.it.demo.tw
      • webmail.it.demo.tw, mailsetup.it.demo.tw, archive.it.demo.tw
    • Postfix: enforce TLS on submission (587) and SMTPS (465)
    • Dovecot: IMAPS (993) and POP3S (995) enabled; disable plaintext auth without TLS
  2. Authentication and Authorization
    • Postfix uses Dovecot as SASL provider; invalid logins are rejected
    • smtpd_sender_login_maps ensures that an authenticated user cannot spoof another user's “From” address
    • Piler and Roundcube both rely on IMAP auth to keep account control centralized
  3. Network Isolation
    • Use intranet-net for internal container traffic
    • Limit host firewall to:
      • Allow necessary ports from Internet (25, 443, 587/465 if needed)
      • Allow internal traffic from 172.18.0.0/16 to host where needed (e.g., Roundcube → Dovecot, Apache → containers)
      • Drop everything else by default
  4. DKIM + SPF + DMARC
    • Amavis signs outbound mail with DKIM for it.demo.tw
    • Configure SPF record for it.demo.tw in DNS
    • Configure DMARC policy and monitor reports for your domain reputation
  5. Log Retention and Auditing
    • Syslog + file logs with logrotate (especially for Dovecot, Postfix, Amavis, Piler, Manticore)
    • Piler’s audit log allows you to trace who opened which message and when, which is important for compliance

5. Future Expansion Ideas

Once this platform is stable, there are many directions for further improvement.

5.1 High Availability

  • Multi-node deployment
    • Run Postfix + Dovecot on two hosts with a shared storage backend (or object storage)
    • Use a load balancer / keepalived / HAProxy in front of SMTP/IMAP/Web
  • DB and search HA
    • Migrate MariaDB to a replicated setup (Galera/primary-standby)
    • Use Manticore clustering for index redundancy

5.2 Multi-Domain and Multi-Company

  • You already use Postfix virtual domains; it’s easy to:
    • Add more domains in PostfixAdmin
    • Use Dovecot’s SQL auth to serve different domains from the same infrastructure
  • For each new domain:
    • Add DNS: MX/SPF/DKIM/DMARC
    • Add virtual domain in PostfixAdmin
    • Generate new DKIM key in Amavis (if required)

5.3 Deeper Integration

  • Integration with company SSO / LDAP
    • Use OpenLDAP / AD as the user source
    • Map LDAP attributes to mailboxes and aliases
    • Dovecot and Postfix both have LDAP auth support configs
  • Monitoring & Alerting
    • Integrate with Prometheus + Grafana / Zabbix to monitor:
      • MX latency, queue length, rejection rate, spam ratio, ClamAV stats, SA stats
    • Add alert rules for:
      • Queue backlog too high
      • Disk usage over threshold
      • Containers down or restarts too often

5.4 User Self-Service Improvements

  • Roundcube plugins:
    • Password change integration (if you store passwords in SQL/LDAP)
    • Two-factor authentication plugin
  • Piler:
    • Better role-based access for managers / auditors
    • Department-based access control through Piler’s user/group features

6. Closing Thoughts

In this 14-part series, we went from raw Docker images to a production-grade mail system with:

  • Full SMTP/IMAP stack (Postfix + Dovecot)
  • Centralized virtual user/domain management (PostfixAdmin + MariaDB)
  • Spam filtering + virus scanning (SpamAssassin + ClamAV + Amavis)
  • Full mail archiving and search with Chinese support (Piler + Manticore + piler-milter)
  • Modern web frontends (Roundcube, Piler Web UI)
  • Proper TLS certificates and reverse proxy (Apache + Certbot)

The goal of this series isn’t just to “spin up a mail server,” but to build a platform you can understand, maintain, and extend over years.
