Skip to content

feat: add Mailu mail server template#1033

Open
Siumauricio wants to merge 1 commit into
canaryfrom
feat/mailu
Open

feat: add Mailu mail server template#1033
Siumauricio wants to merge 1 commit into
canaryfrom
feat/mailu

Conversation

@Siumauricio

Copy link
Copy Markdown
Contributor

Adds a Mailu 2024.06 mail server template (ghcr.io/mailu/*:2024.06, currently 2024.06.54).

Stack

Minimal Mailu deployment: front (nginx + mail proxy), admin, imap (Dovecot), smtp (Postfix), antispam (Rspamd), webmail (Roundcube) and redis. ClamAV/webdav/fetchmail are left out to keep the footprint reasonable (ClamAV alone needs >1 GB RAM); they can be added following the Mailu docs.

Design decisions

  • Service discovery by name (Mailu's default *_ADDRESS=front/admin/imap/...), no fixed subnets and no pinned IPs, so it works with the dynamic networks of both normal and isolated deployments. The upstream resolver (unbound, needs a static IP) is replaced by public DNSSEC-validating upstreams (dns: 1.1.1.1, 8.8.8.8) — required because the admin container refuses to boot without DNSSEC validation and Postfix uses DANE.
  • SUBNET=172.16.0.0/12 (user-editable env): the CIDR Mailu trusts for internal relay/XCLIENT/proxying. It covers Docker's default address pools; documented in instructions.md for hosts with custom pools.
  • Front healthcheck override (the interesting bug): the image's built-in healthcheck requires Dovecot inside front, but Dovecot only starts once TLS certs exist. Behind Traefik this deadlocks — unhealthy → Traefik drops the router → the ACME challenge can never be answered → certs never arrive. The template checks only nginx (127.0.0.1:10204/health), which breaks the cycle: web UI is routable immediately and Mailu's internal certbot can complete the HTTP-01 challenge through Traefik.
  • TLS_FLAVOR=mail-letsencrypt: Traefik terminates HTTPS for the web UI; Mailu obtains its own Let's Encrypt certificate for the mail protocols via HTTP-01 through Traefik.
  • Host ports 25/465/587/993 published directly (same approach as the existing poste.io template), with a conflict warning + DNS/rDNS/SPF/DKIM guidance in instructions.md.
  • Initial admin account admin@<domain> auto-created (INITIAL_ADMIN_MODE=ifmissing) with a generated password.

Evidence (deployed on the demo instance)

  • All 7 containers running, front healthy; deploy done.
  • / → 302 /sso/login?url=/webmail/ (200 «Mailu-Admin | Mailu»), /admin → SSO login 200.
  • Admin login E2E over HTTPS with the generated credentials: POST /sso/login → 302 → /admin/user/settings 200 showing the logged-in admin@<domain> and the Mail domains UI.
  • SMTP reachable on host port 25: 220 <domain> ESMTP ready.
  • Pre-certificate state behaves as documented (mail TLS listeners and webmail IMAP login activate once the ACME challenge can complete — not reachable for a sslip.io demo domain, works on a real domain with HTTPS enabled).

Closes #19

🤖 Generated with Claude Code

Mailu 2024.06 mail server: front (nginx), admin, imap (dovecot),
smtp (postfix), antispam (rspamd), Roundcube webmail and redis.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@dosubot dosubot Bot added size:M This PR changes 30-99 lines, ignoring generated files. new-template labels Jul 16, 2026
@github-actions

github-actions Bot commented Jul 16, 2026

Copy link
Copy Markdown
built with Refined Cloudflare Pages Action

⚡ Cloudflare Pages Deployment

Name Status Preview Last Commit
templates ✅ Ready (View Log) Visit Preview f6245f8

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

new-template size:M This PR changes 30-99 lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Mailu

1 participant