Wiki LogoWiki - The Power of Many
Projects

E-mail

E-mail

  • 不要忽视E-mail服务对性能的需求
  • 不要忽视E-mail服务对存储的需求
  • E-mail服务远比我们认为的复杂

IMAP + SMTP + CalDAV + CardDAV Cyrus IMAP + JMAP + EAS Gateway(z-push.org or SOGo), we choose SOGo.

You'll be setting up a groupware mail stack with:

Cyrus IMAP — handles IMAP, LMTP, sieve filters, and JMAP.

Postfix — SMTP in/out.

nginx — TLS reverse proxy for HTTPS and JMAP.

Let's Encrypt / Certbot — SSL certificates.

DNS — MX, SPF, DKIM, DMARC records.

  • MX, Mail Exchange
  • SPF, Sender Policy Framework
  • DKIM, DomainKeys Identified Mail
  • DMARC, Domain-based Message Authentication, Reporting, and Conformance

Optional — Sieve for filtering, SpamAssassin + ClamAV for anti-spam/virus, and PostgreSQL for auth/meta.

Feature list:

  1. Intergated with AD

  2. IMAP + SMTP + CalDAV + CardDAV + JMAP + Sieve + EAS

  3. Multi-domain, Domain aliases support

  4. Plus Addressing/Sub-addressing support

  5. automatically backup all send/receive mail to a shadow mailbox, called shadow@mydomain.com

  6. Monitoring and statistically mail traffic, for analyze data

  7. Welcom letter for new user(from template html + systemd-timer).

  8. Disclaimer and Signature (with AD Lookup). (部分实现, 覆盖100%场景全强制不现实)

  9. 区分实习生和正式员工, 实习生只能发内部邮件

  10. Intergated with PMG(Gatekeeper), 病毒查杀, 垃圾拦截, 流量统计, 审计.

Let's go step by step for Cyrus + Postfix + SOGo (EAS + CalDAV + CardDAV + Webmail) — with a visual architecture summary at the end.

🧱 Architecture Overview

📱 Mobile/Outlook Clients

    │ HTTPS (ActiveSync, JMAP, Web)

   ┌───────────────┐
   │   Nginx   │ ← TLS termination + proxy
   └───────────────┘


   ┌───────────────┐
   │   SOGo   │ ← Webmail, CalDAV, CardDAV, EAS gateway
   └───────────────┘

  ┌────────────────────┐
  │ Cyrus IMAP (Mail, JMAP, Cal/CardDAV) │
  └────────────────────┘


   ┌───────────────┐
   │  Postfix   │ ← SMTP in/out, DKIM, spam filters
   └───────────────┘

更新后的架构

再次更新架构

要求通信加密

更新

  1. MTA 流量 (Port 25): 强制经过 PMG 清洗.

  2. 客户端流量 (Port 465/587/993): 绕过 PMG, 直达 Postfix/Cyrus 进行 SASL 认证 (因为 PMG 通常不处理终端用户认证) , 但发出的邮件会回流给 PMG 签名.

  3. 全链路加密: 明确标注了 STARTTLS, SMTPS, IMAPS, LDAPS.

最新架构

风险 本地部署E-mail服务的最大风险并非服务本身出问题导致不可用, 而是被全球各大mail provider拦截甚至加入黑名单. MXTOolbox Blacklist Check

截止2025.11.24的精确统计 邮件数据大于2G的用户有108个, 占总人数44.1%. 这些用户合计共4330888封邮件, 存储量 1044.2G. 依据此精确数据预估 预估总邮件数量 600万封, 存储量 1.5T.

需考虑的问题: 当前哪些服务集成了邮件服务? 该如何处理

架构图亮点:

  • 🟣 紫色虚线区域 (Feature Zone): 专门展示了你要求的"静默归档 (Shadow Copy)"和"自动化欢迎脚本".
  • 🔴 红色流 (Inbound): 外部邮件如何经过 PMG 清洗后进入内部.
  • 🔵 蓝色流 (Outbound): 内部发信如何经过 Postfix 认证, 再转给 PMG 签名出网.
  • 🟢 绿色流 (Access): 用户如何安全读取邮件.

⚙️ Step 2 — Connect SOGo to Cyrus IMAP + Postfix sogo.conf

{
 "WOWorkersCount": 10,
 "SOGoIMAPServer": "imaps://127.0.0.1:993",
 "SOGoSMTPServer": "127.0.0.1",
 "SOGoMailDomain": "yourdomain.com",
 "SOGoSieveServer": "sieve://127.0.0.1:4190",
 "SOGoMailingMechanism": "smtp",
 "SOGoUserSources": [
  {
   "type": "sql",
   "id": "directory",
   "viewURL": "postgresql://sogo:sogo@127.0.0.1/sogo/sogo_users",
   "canAuthenticate": true,
   "isAddressBook": true
  }
 ],
 "SOGoCalendarDefaultRoles": ["PublicViewer"],
 "SOGoAppointmentSendEMailNotifications": true,
 "SOGoDraftsFolderName": "Drafts",
 "SOGoSentFolderName": "Sent",
 "SOGoTrashFolderName": "Trash",
 "SOGoMailShowSubscribedFoldersOnly": true,
 "SOGoEnableEMailAlarms": true
}

Create the SOGo PostgreSQL database:

sudo -u postgres psql
CREATE DATABASE sogo;
CREATE USER sogo WITH PASSWORD 'StrongPassword';
GRANT ALL PRIVILEGES ON DATABASE sogo TO sogo;
\q

⚙️ Step 3 — Integrate with nginx

server {
  listen 443 ssl;
  server_name mail.yourdomain.com;

  ssl_certificate /etc/letsencrypt/live/mail.yourdomain.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/mail.yourdomain.com/privkey.pem;

  # Webmail
  location /SOGo {
    proxy_pass http://127.0.0.1:20000/SOGo;
    proxy_set_header Host $host;
    proxy_set_header x-webobjects-server-protocol https;
    proxy_set_header x-webobjects-remote-host $remote_addr;
    proxy_set_header x-webobjects-server-name $server_name;
  }

  # EAS endpoint
  location /Microsoft-Server-ActiveSync {
    proxy_pass http://127.0.0.1:20000/Microsoft-Server-ActiveSync;
    proxy_set_header Host $host;
    proxy_set_header x-webobjects-server-protocol https;
    proxy_set_header x-webobjects-remote-host $remote_addr;
    proxy_set_header x-webobjects-server-name $server_name;
  }

  # JMAP proxy (from previous setup)
  location /jmap {
    proxy_pass http://127.0.0.1:8080/jmap;
  }
}

✅ Step 6 — Verify Everything

Feature URL Notes Webmail https://mail.yourdomain.com/SOGo Fully featured interface EAS https://mail.yourdomain.com/Microsoft-Server-ActiveSync iOS/Android/Outlook CalDAV https://mail.yourdomain.com/SOGo/dav/username/Calendar/personal/ Any CalDAV client CardDAV https://mail.yourdomain.com/SOGo/dav/username/Contacts/personal/ Contacts sync JMAP https://mail.yourdomain.com/jmap/ Modern mail API



🧠 Summary

✅ What you get now:

IMAP + JMAP via Cyrus

SMTP (Postfix)

CalDAV + CardDAV + Webmail + EAS (SOGo)

Single domain or multi-domain capable

TLS secured reverse proxy (nginx)

Sieve filtering, public calendars, and address book sharing

postfix

myhostname = mail.yourdomain.com
mydomain = yourdomain.com
myorigin = $mydomain
mydestination = localhost
relay_domains =
home_mailbox = Maildir/
smtpd_tls_cert_file=/etc/letsencrypt/live/mail.yourdomain.com/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/mail.yourdomain.com/privkey.pem
smtpd_use_tls=yes
smtpd_sasl_auth_enable=yes
smtpd_sasl_type = cyrus
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions =
  permit_sasl_authenticated,
  permit_mynetworks,
  reject_unauth_destination

imapd.conf

configdirectory: /var/lib/cyrus
defaultpartition: default
partition-default: /var/spool/cyrus/mail
admins: cyrus
sievedir: /var/lib/cyrus/sieve
lmtpsocket: /var/run/cyrus/socket/lmtp
idlesocket: /var/run/cyrus/socket/idle
notifysocket: /var/run/cyrus/socket/notify
allowplaintext: yes
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN LOGIN
tls_cert_file: /etc/letsencrypt/live/mail.yourdomain.com/fullchain.pem
tls_key_file: /etc/letsencrypt/live/mail.yourdomain.com/privkey.pem
httpmodules: jmap caldav carddav
httpallowcompress: 1
httpallowplaintext: no

cyrus.conf

SERVICES {
 imap   cmd="imapd" listen="imap" prefork=0
 imaps   cmd="imapd -s" listen="imaps" prefork=0
 lmtp   cmd="lmtpd" listen="lmtp" prefork=0
 sieve   cmd="timsieved" listen="sieve" prefork=0
 http   cmd="httpd" listen="localhost:8080" prefork=0
}

Requirements

  • multi domains, alias
  • Address book, CardDAV
  • Calendar, iCal, calDAV (personal, internal, public holidays)
  • Contacts, vCard, vCardDAV

Architecture

  • DNS (MX, SPF, DKIM, DMARC)
  • MTA
  • IMAP, SMTP
  • Webmail (Mailcow, Modoboa)
  • Amavis, ClamAV, SpamAssassin
  • Mail message queue
  • Storage
  • audit, log, alert
  • Mailbox management
  • User authentication and authorization
  • Email delivery and routing
  • Email filtering and processing
  • Email archiving and retention policies
  • Email spam filtering and protection
  • Email encryption and security features
  • Email integration with other applications and services

Features

  • Multi-domain email hosting
  • Email forwarding and aliasing
  • Address book and contact management
  • Calendar and event scheduling
  • Email notifications and alerts
  • Email archiving and retention policies
  • Email spam filtering and protection
  • Email encryption and security features
  • Email integration with other applications and services

Implementation

  • Backend: Django, PostgreSQL
  • Frontend: React, Redux
  • Email server: Postfix, Dovecot
  • Webmail: Roundcube, Rainloop

Security

  • SSL/TLS encryption for all communication channels
  • Two-factor authentication for user accounts
  • Rate limiting and IP blocking for suspicious activity
  • Regular security audits and penetration testing
  • Compliance with industry standards and regulations (e.g., GDPR, HIPAA)

Compliance

  • GDPR compliance for data protection and privacy
  • HIPAA compliance for healthcare data security and privacy
  • SOC 2 compliance for service organization control
  • PCI DSS compliance for payment card industry data security
  • SOC 3 compliance for service organization control
  • ISO 27001 compliance for information security management system
  • ISO 27017 compliance for cloud security
  • ISO 27018 compliance for cloud privacy
  • ISO 27701 compliance for privacy management system
  • ISO 27021 compliance for cloud security
  • ISO 27022 compliance for cloud security

Management

  • User and Quota
  • Domains and aliases
  • Monitoring and logging
  • Security and compliance

CubeFS

Previous Page

Debian 13 Email Server Implementation Guide

Next Page

On this page

E-mailRequirementsArchitectureFeaturesImplementationSecurityComplianceManagement