fix: update mailserver configuration to sync Traefik certificates and adjust SSL settings

swarm/mailserver/README.md

@@ -1,19 +1,30 @@
 # Self-hosted Mail Server (Docker Swarm)
 
-This stack uses Docker Mailserver and is deployed with:
-
-make deploy-mailserver
+This stack uses Docker Mailserver and can reuse the certificate issued by Traefik.
 
 ## 1) Configure mail domain
 
-Edit swarm/mailserver/docker-mailserver.env:
+Edit [swarm/mailserver/docker-mailserver.env](swarm/mailserver/docker-mailserver.env):
 
 - OVERRIDE_HOSTNAME: mail host FQDN (example: mail.example.com)
 - OVERRIDE_DOMAINNAME: root mail domain (example: example.com)
 - POSTMASTER_ADDRESS: postmaster mailbox
-- SSL_DOMAIN: certificate domain for mail TLS
 
-## 2) DNS records (required)
+## 2) Sync Traefik cert for mailserver
+
+Traefik stores certificates in `/var/data/config/traefik/acme.json`.
+Mailserver needs cert files (`fullchain.pem` and `privkey.pem`).
+
+Run:
+
+`./scripts/mailserver-sync-traefik-cert.sh /var/data/config/traefik/acme.json mail.example.com`
+
+This writes:
+
+- `/var/data/docker-mailserver/ssl/fullchain.pem`
+- `/var/data/docker-mailserver/ssl/privkey.pem`
+
+## 3) DNS records (required)
 
 Create these DNS records for your mail domain:
 
@@ -23,7 +34,7 @@ Create these DNS records for your mail domain:
 - DKIM TXT: mail._domainkey.example.com -> generated DKIM key
 - DMARC TXT: _dmarc.example.com -> v=DMARC1; p=quarantine; rua=mailto:postmaster@example.com
 
-## 3) Open ports
+## 4) Open ports
 
 Ensure inbound TCP is open to your Traefik manager node for:
 
@@ -32,27 +43,20 @@ Ensure inbound TCP is open to your Traefik manager node for:
 - 993 (IMAPS)
 - 995 (POP3S)
 
-Mail ports are exposed by the Traefik service in [swarm/core.yml](swarm/core.yml), then routed to the mail service using TCP labels in [swarm/mailserver.yml](swarm/mailserver.yml).
+Mail ports are exposed by [swarm/core.yml](swarm/core.yml) and routed to [swarm/mailserver.yml](swarm/mailserver.yml) via TCP labels.
 
-## 4) Deploy
+## 5) Deploy
 
-make deploy-mailserver
+`make deploy-mailserver`
 
-## 5) Create mailbox accounts
+## 6) Create mailbox accounts
 
-Use the Docker Mailserver setup helper from a manager node:
+`docker exec -it $(docker ps --filter name=mailserver_mail --format '{{.ID}}' | head -n 1) setup email add user@example.com 'StrongPasswordHere'`
 
-docker exec -it $(docker ps --filter name=mailserver_mail --format '{{.ID}}' | head -n 1) setup email add user@example.com 'StrongPasswordHere'
+`docker exec -it $(docker ps --filter name=mailserver_mail --format '{{.ID}}' | head -n 1) setup alias add postmaster@example.com user@example.com`
 
-docker exec -it $(docker ps --filter name=mailserver_mail --format '{{.ID}}' | head -n 1) setup alias add postmaster@example.com user@example.com
+## 7) Verify
 
-## 6) Verify
+- Check service status: `docker service ls | grep mailserver`
+- Check logs: `docker service logs -f mailserver_mail`
 
-- Check service status: docker service ls | grep mailserver
-- Check logs: docker service logs -f mailserver_mail
-- Send a test from an external mailbox and confirm delivery.
-
-## Notes
-
-- Mail data is persisted in named volumes: mail_data, mail_state, mail_logs, mail_config.
-- For high deliverability, add PTR/rDNS with your server provider and keep SPF/DKIM/DMARC aligned.

swarm/mailserver/docker-mailserver.env

@@ -6,5 +6,6 @@ OVERRIDE_HOSTNAME=mail.furyhawk.lol
 OVERRIDE_DOMAINNAME=furyhawk.lol
 POSTMASTER_ADDRESS=postmaster@furyhawk.lol
 PERMIT_DOCKER=network
-SSL_TYPE=letsencrypt
-SSL_DOMAIN=mail.furyhawk.lol
+SSL_TYPE=manual
+SSL_CERT_PATH=/tmp/docker-mailserver/ssl/fullchain.pem
+SSL_KEY_PATH=/tmp/docker-mailserver/ssl/privkey.pem