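---
# docker-mailserver (DMS) node with Roundcube webmail and its Postgres database.
# Secrets (SES/AWS credentials, DB password) are injected via ${VAR} substitution
# from the environment / .env file and must not be committed to this file.
services:
  mailserver:
    build:
      context: .
      dockerfile: Dockerfile
    image: dms-custom:latest
    container_name: mailserver
    # Node-specific hostname: the A record points at THIS server.
    # email-srvr.com itself points at a different server and is NOT used here.
    hostname: node1.email-srvr.com
    ports:
      - "25:25"
      - "587:587"
      - "465:465"
      - "143:143"
      - "993:993"
      - "110:110"
      - "995:995"
      # Rspamd web UI: loopback only, never exposed on the public interface.
      - "127.0.0.1:11334:11334"
    volumes:
      - ./docker-data/dms/mail-data/:/var/mail/
      - ./docker-data/dms/mail-state/:/var/mail-state/
      - ./docker-data/dms/mail-logs/:/var/log/mail/
      - ./docker-data/dms/config/:/tmp/docker-mailserver/
      - ./docker-data/dms/config/dovecot/conf.d/95-sieve-redirect.conf:/etc/dovecot/conf.d/95-sieve-redirect.conf:ro
      - /etc/localtime:/etc/localtime:ro
      - ./sync_dynamodb_to_sieve.py:/scripts/sync.py:ro
      - ./sieve-cron:/etc/cron.d/sieve-sync:ro
      # -------------------------------------------------------
      # Caddy certificates: mount the whole cert directory (read-only).
      #
      # Caddy stores wildcard certs as:
      #   *.andreasknuth.de/
      #     *.andreasknuth.de.crt
      #     *.andreasknuth.de.key
      #   node1.email-srvr.com/
      #     node1.email-srvr.com.crt
      #     node1.email-srvr.com.key
      #
      # setup-dms-tls.sh references them as:
      #   /etc/mail/certs/*.domain/*.domain.crt|.key
      #
      # NOTE(review): this reaches into another container's volume by host path;
      # the private keys become readable inside this container, so keep the
      # mount :ro and the container's user set accordingly. Host-path layout of
      # docker volumes is an implementation detail and may change on upgrade.
      # -------------------------------------------------------
      - /var/lib/docker/volumes/caddy_data/_data/caddy/certificates/acme-v02.api.letsencrypt.org-directory:/etc/mail/certs:ro
      # -------------------------------------------------------
      # Dovecot SNI configuration (generated by setup-dms-tls.sh).
      # DMS loads /tmp/docker-mailserver/dovecot-sni.cf automatically.
      # -------------------------------------------------------
      - ./docker-data/dms/config/dovecot-sni.cf:/etc/dovecot/conf.d/99-sni.conf:ro
    environment:
      # -------------------------------------------------------
      # TLS default cert: node1.email-srvr.com
      # This is the fallback cert used when no SNI match is found
      # (e.g. a direct connect by IP without a hostname).
      # Customer-domain SNI is driven by postfix-main.cf + dovecot-sni.cf.
      # -------------------------------------------------------
      - SSL_TYPE=manual
      - SSL_CERT_PATH=/etc/mail/certs/node1.email-srvr.com/node1.email-srvr.com.crt
      - SSL_KEY_PATH=/etc/mail/certs/node1.email-srvr.com/node1.email-srvr.com.key
      # Spam / Rspamd
      - ENABLE_OPENDKIM=1
      - ENABLE_OPENDMARC=0
      - ENABLE_POLICYD_SPF=0
      - ENABLE_RSPAMD=1
      - RSPAMD_GREYLISTING=0
      - RSPAMD_CHECK_AUTHENTICATED=0
      - RSPAMD_HFILTER=1
      - MOVE_SPAM_TO_JUNK=1
      - ENABLE_AMAVIS=0
      - ENABLE_SPAMASSASSIN=0
      - ENABLE_POSTGREY=0
      - ENABLE_CLAMAV=0
      # Security
      - ENABLE_FAIL2BAN=1
      - ENABLE_UNBOUND=1
      # Misc
      - ENABLE_MANAGESIEVE=0
      - ENABLE_POP3=1
      - RSPAMD_LEARN=1
      - ONE_DIR=1
      - ENABLE_UPDATE_CHECK=0
      - PERMIT_DOCKER=network
      # NOTE(review): SPOOF_PROTECTION=0 lets any authenticated account send
      # with any envelope sender; set to 1 to bind logins to their own
      # addresses unless the redirect/relay setup really needs this.
      - SPOOF_PROTECTION=0
      - ENABLE_SRS=0
      - LOG_LEVEL=info
      # Amazon SES relay (outbound submission via SES SMTP endpoint)
      - RELAY_HOST=email-smtp.us-east-2.amazonaws.com
      - RELAY_PORT=587
      - RELAY_USER=${SES_SMTP_USER}
      - RELAY_PASSWORD=${SES_SMTP_PASSWORD}
      # AWS credentials (used by the sieve sync script)
      - AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}
      - AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}
      - AWS_REGION=us-east-2
      # Postfix
      # POSTFIX_OVERRIDE_HOSTNAME: what Postfix announces in the EHLO/HELO banner.
      # node1.email-srvr.com matches the TLS cert and is the real hostname.
      - POSTFIX_OVERRIDE_HOSTNAME=node1.email-srvr.com
      # 172.16.0.0/12 already spans 172.16.0.0-172.31.255.255; the previous extra
      # entries 172.17.0.0/12 and 172.18.0.0/12 were misaligned (host bits set)
      # and entirely contained in it, so they are dropped.
      - POSTFIX_MYNETWORKS=172.16.0.0/12 [::1]/128 [fe80::]/64
      - POSTFIX_MAILBOX_SIZE_LIMIT=0
      # 0 means "no limit" for Postfix; consider a finite cap to bound
      # resource use per message.
      - POSTFIX_MESSAGE_SIZE_LIMIT=0
    cap_add:
      - NET_ADMIN
      - SYS_PTRACE
    restart: unless-stopped
    networks:
      mail_network:
        aliases:
          - mailserver
          - node1.email-srvr.com

  roundcube:
    # NOTE(review): ':latest' is unpinned; pin a version (or digest) for
    # reproducible deployments.
    image: roundcube/roundcubemail:latest
    container_name: roundcube
    depends_on:
      - roundcube-db
      - mailserver
    environment:
      - ROUNDCUBEMAIL_DEFAULT_LANGUAGE=en_US
      - ROUNDCUBEMAIL_DB_TYPE=pgsql
      - ROUNDCUBEMAIL_DB_HOST=roundcube-db
      - ROUNDCUBEMAIL_DB_NAME=roundcube
      - ROUNDCUBEMAIL_DB_USER=roundcube
      - ROUNDCUBEMAIL_DB_PASSWORD=${ROUNDCUBE_DB_PASSWORD}
      # Roundcube connects internally via the Docker network alias.
      - ROUNDCUBEMAIL_DEFAULT_HOST=ssl://node1.email-srvr.com
      - ROUNDCUBEMAIL_DEFAULT_PORT=993
      # Internal, avoids external DNS/SNI trouble.
      - ROUNDCUBEMAIL_SMTP_SERVER=ssl://node1.email-srvr.com
      - ROUNDCUBEMAIL_SMTP_PORT=465
      - ROUNDCUBEMAIL_PLUGINS=password,email_config
      # Disables strict PHP certificate verification for the internal connections.
      # NOTE(review): the link is still encrypted but the peer is not
      # authenticated. The alias node1.email-srvr.com matches the default
      # cert above, so verification can presumably be re-enabled — TODO confirm.
      # Quoted because the value contains YAML flow indicators ({, ", ,).
      - 'ROUNDCUBEMAIL_IMAP_CONN_OPTIONS={"ssl":{"verify_peer":false,"verify_peer_name":false}}'
      - 'ROUNDCUBEMAIL_SMTP_CONN_OPTIONS={"ssl":{"verify_peer":false,"verify_peer_name":false}}'
    ports:
      # Plain HTTP; assumed to sit behind a TLS-terminating reverse proxy
      # (Caddy, per the cert mount above) — TODO confirm, otherwise bind to
      # 127.0.0.1 as done for the other admin ports.
      - "8888:80"
    volumes:
      # - ./docker-data/roundcube/config:/var/www/html/config
      - ./docker-data/roundcube/plugins/email_config:/var/www/html/plugins/email_config:ro
    networks:
      - mail_network
    restart: unless-stopped

  roundcube-db:
    image: postgres:15
    container_name: roundcube-db
    environment:
      - POSTGRES_DB=roundcube
      - POSTGRES_USER=roundcube
      - POSTGRES_PASSWORD=${ROUNDCUBE_DB_PASSWORD}
    ports:
      # Roundcube reaches the DB over mail_network; the host mapping is only
      # for local administration, so bind it to loopback like the Rspamd UI
      # instead of every interface.
      - "127.0.0.1:5555:5432"
    volumes:
      - ./docker-data/roundcube/db:/var/lib/postgresql/data
    networks:
      - mail_network
    restart: unless-stopped

networks:
  mail_network:
    external: true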