Simplelogin

Caution

Little disclaimer. Some information was copied from virtualize.link, because I find information provided by its author useful. Make sure to check the source or star the repo.

Strategy

Notes

• Check the reputation of your VPS IP before proceeding.
• Follow the official documentation to set up the domain.
• Read about each environment variable of simplelogin and postfix.
• Using SWAG to generate certs and then mounting the certs to postfix.
• SWAG has the following post-renewal hook under ./swag/etc/letsencrypt/renewal-hooks/post/postfix.sh:

#!/usr/bin/with-contenv bash

touch /config/etc/letsencrypt/postfix_renew

• Postfix has the following script mounted to /etc/periodic/hourly/renew-postfix-tls for reloading on cert updates:

#!/usr/bin/env bash

set -e

if [ -f ${RENEW_PATH} ]; then
    /src/generate_config.py --postfix
    postfix reload
    rm -f ${RENEW_PATH}
fi

• Setting up Crowdsec, Geoblock, and Firehol is highly recommended.
• Check the dmarc once you finish setting everything up.
• Check the spammyness once you finish setting everything up.

Example compose

simplelogin:
  image: lscr.io/linuxserver-labs/simplelogin:latest
  container_name: simplelogin
  volumes:
    - ./mail/sl:/config
  environment:
    - PUID=1000
    - PGID=1000
    - TZ=Europe/London
    - DB_URI=postgresql://dbuser:dbpassword@sldb:5432/simplelogin
  ports:
    - 7777:7777
  restart: unless-stopped
sldb:
  image: postgres:12.1-alpine
  container_name: sldb
  volumes:
    - ./mail/db:/var/lib/postgresql/data
  environment:
    - POSTGRES_USER=dbuser
    - POSTGRES_PASSWORD=dbpassword
    - POSTGRES_DB=simplelogin
  restart: unless-stopped
postfix:
  container_name: postfix
  image: simplelogin/postfix:4.2.0
  ports:
    - "0.0.0.0:25:25"
    - "0.0.0.0:465:465"
  volumes:
    - ./mail/db:/var/lib/postgresql/data
    - ./swag/etc/letsencrypt:/etc/letsencrypt
    - ./mail/check-cert.sh:/etc/periodic/hourly/renew-postfix-tls:ro
  environment:
    - DB_HOST=sldb
    - DB_USER=dbuser
    - DB_PASSWORD=dbpassword
    - DB_NAME=simplelogin
    - EMAIL_HANDLER_HOST=simplelogin
    - POSTFIX_FQDN=mail.domain.com
    - ALIASES_DEFAULT_DOMAIN=domain.com
    - LETSENCRYPT_EMAIL=support@domain.com
    - TLS_KEY_FILE=/etc/letsencrypt/live/domain.com/privkey.pem
    - TLS_CERT_FILE=/etc/letsencrypt/live/domain.com/fullchain.pem
    - RENEW_PATH=/etc/letsencrypt/postfix_renew
    - POSTFIX_DQN_KEY=dqnkey
    - SIMPLELOGIN_COMPATIBILITY_MODE=v4
  restart: unless-stopped

Example ENV file

URL=https://simplelogin.domain.com
EMAIL_DOMAIN=domain.com
SUPPORT_EMAIL=support@domain.com
ADMIN_EMAIL=support@domain.com
EMAIL_SERVERS_WITH_PRIORITY=[(10, "mail.domain.com.")]
DKIM_PRIVATE_KEY_PATH=/config/dkim.key
DB_URI=postgresql://dbuser:dbpassword@sldb:5432/simplelogin
FLASK_SECRET=secret123
GNUPGHOME=/config/gnupg
LOCAL_FILE_UPLOAD=1
POSTFIX_SERVER=postfix
DISABLE_ONBOARDING=true
NAMESERVERS="1.1.1.1"
DISABLE_REGISTRATION=0

Self test

Create test aliases for each domain and disable them so you won’t get emails. Add the following to your host’s cron, edit the TARGETS and curl command accordingly.

#!/bin/bash

TARGETS=("test@domain1.com" "test@domain2.com" "test@domain3.com")

for TARGET in "${TARGETS[@]}"; do
    docker exec postfix sendmail $TARGET
    sleep 10
    result=$(docker exec sldb psql -U dbuser simplelogin -AXqtc "SELECT COUNT(*) FROM email_log JOIN alias ON email_log.alias_id = alias.id WHERE alias.email = '$TARGET' AND email_log.created_at BETWEEN NOW() - INTERVAL '5 MINUTES' AND NOW();")
    if [[ "$result" -lt 1 ]]; then
        curl -d "Email test failed for $TARGET" "https://ntfy.domain1.com/topic"
    fi
done