Operational

Mail Server Architecture

Self-hosted email infrastructure for viktorbarzin.me on Kubernetes with CrowdSec protection

docker-mailserver 15.0.0 | Updated 2026-04-12

DNS Records

10m

Probe Interval

30m

Alert Threshold

Security Layers

Local

Traffic Policy

Inbound Mail Flow

📧

Sender MTA

MX lookup

:25

🌐

mail.viktorbarzin.me

176.12.22.76

NAT

🛡

pfSense

port 25 fwd

10.0.20.202

⚖

MetalLB

ETP: Local

📬

Postfix

+ CrowdSec

🔍

Rspamd

spam/DKIM/DMARC

📥

Dovecot

IMAP :993

Outbound Mail Flow

📬

Postfix

relayhost

SASL+TLS :587

🚀

Mailgun EU

smtp.eu.mailgun.org

📧

Recipient

IP reputation handled

DNS Records

Type	Name	Value	Status
MX	viktorbarzin.me	mail.viktorbarzin.me (pri 1)	OK
A	mail.viktorbarzin.me	176.12.22.76 (DNS-only)	OK
AAAA	mail.viktorbarzin.me	2001:470:6e:43d::2	OK
SPF	viktorbarzin.me	v=spf1 include:mailgun.org -all	Hard Fail
DKIM	s1._domainkey	RSA 1024-bit (Mailgun outbound)	OK
DKIM	mail._domainkey	RSA 2048-bit (Rspamd signing)	OK
DMARC	_dmarc	p=quarantine; pct=100	OK
MTA-STS	_mta-sts	v=STSv1; id=20260412	OK
TLSRPT	_smtp._tls	rua=mailto:postmaster@viktorbarzin.me	OK

⚠

PTR Mismatch: Reverse DNS returns 176-12-22-76.pon.spectrumnet.bg (ISP-assigned) instead of mail.viktorbarzin.me. ISP-controlled, cannot fix. Minimal impact — Gmail/Outlook rely on SPF/DKIM/DMARC.

Security Layers

🛡 CrowdSec

crowdsecurity/postfix + dovecot collections
Real client IPs via ETP: Local on 10.0.20.202
Automatic brute-force detection & ban

🔍 Rspamd

Spam filtering + phishing detection
DKIM signing (selector: mail, 2048-bit)
DMARC verification on inbound
Auto-learns from Junk folder

🚦 Postfix Rate Limiting

10 connections/min per client
30 messages/min per client
Now effective with real IPs (ETP: Local)

🔒 TLS Enforcement

Let's Encrypt wildcard cert
MTA-STS enforces TLS for inbound
TLSRPT for failure reporting
STARTTLS on SMTP, SSL on IMAP

Monitoring & Alerts

📊

MailServerDown

No replicas for 5m

📧

EmailRoundtripFailing

Probe failing for 30m

⏱

EmailRoundtripStale

No success in >40m

❓

EmailRoundtripNeverRun

Metric absent for 40m

Monitor	Type	Target	Interval
E2E Roundtrip Probe	CronJob	Mailgun API → MX → IMAP	/10 * * *
SMTP External	Uptime Kuma	176.12.22.76:25	60s
Dovecot Exporter	Prometheus	:9166/metrics	scrape

Terraform Stacks

Stack	Path	Resources
Mailserver	stacks/mailserver/	Namespace, Deployment, Service, CronJob, PVCs
DNS	stacks/cloudflared/	MX, SPF, DKIM x2, DMARC, MTA-STS, TLSRPT
Monitoring	stacks/monitoring/	Prometheus alert rules
CrowdSec	stacks/crowdsec/	postfix + dovecot collections, log acquisition