# The Complete Mail-in-a-Box Guide for Enterprises: Docker Containerization and Running on Kubernetes

⏱️ Estimated reading time: 18 minutes

Thinking about running your own mail server in an enterprise environment? Mail-in-a-Box is an open-source mail server solution with 14.6k GitHub stars that reduces the notoriously complex mail server setup to a one-click process. This guide covers practical approaches to adapting Mail-in-a-Box for enterprise environments: containerizing it with Docker and running it on Kubernetes.
## Mail-in-a-Box Overview

### Key features

- Fully integrated solution: covers every function (SMTP, IMAP, webmail, DNS, certificate management and more)
- One-click installation: fully automated install on Ubuntu 22.04 LTS
- Built-in security: automatic configuration of SPF, DKIM, DMARC, DNSSEC and Let's Encrypt
- Admin panel: web control panel and REST API
- Privacy protection: full control of your data through self-hosting
### Components

| Service | Software | Role |
|---|---|---|
| SMTP | Postfix | Sending and receiving mail |
| IMAP | Dovecot | Mailbox management |
| Webmail | Roundcube | Browser-based mail client |
| Calendar/Contacts | Nextcloud | CardDAV/CalDAV |
| Mobile sync | Z-Push | Exchange ActiveSync |
| DNS | NSD4 | Domain name server |
| Web server | Nginx | Web front end |
| Database | SQLite | User and settings management |
## Enterprise Environment Considerations

### 1. Limitations of Mail-in-a-Box as it ships

#### Single-server architecture

- No high availability
- Limited scalability
- Complete service outage on a single failure

#### Limited customization

- Hard to apply enterprise policies
- No support for complex routing rules
- Limited integration with external systems

### 2. Enterprise requirements

#### High availability (HA)

- Target 99.9% availability or higher
- Automatic recovery from failures
- Zero-downtime updates

#### Security hardening

- Multi-factor authentication (MFA)
- Email encryption
- Audit logs
- Regulatory compliance (GDPR, SOX and others)

#### Scalability

- Support for thousands of users
- High-volume mail processing
- Performance monitoring
## Containerization Strategy

### 1. Microservice decomposition

```yaml
# docker-compose.yml
version: '3.8'

services:
  postfix:
    build: ./containers/postfix
    # publish the SMTP ports on the host; without this the MTA is unreachable from outside
    ports:
      - "25:25"
      - "587:587"
      - "465:465"
    volumes:
      - postfix-data:/var/lib/postfix
      - mail-data:/var/mail
    environment:
      - DOMAIN=${MAIL_DOMAIN}
      - HOSTNAME=${MAIL_HOSTNAME}
    networks:
      - mail-network

  dovecot:
    build: ./containers/dovecot
    ports:
      - "143:143"
      - "993:993"
    volumes:
      - dovecot-data:/var/lib/dovecot
      - mail-data:/var/mail
    networks:
      - mail-network

  roundcube:
    build: ./containers/roundcube
    environment:
      - DB_HOST=mysql
      - DB_USER=${DB_USER}
      - DB_PASS=${DB_PASS}
    networks:
      - mail-network
      - web-network

  nginx:
    image: nginx:alpine
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf:ro
      - ssl-certs:/etc/ssl/certs
    ports:
      - "80:80"
      - "443:443"
    networks:
      - web-network

  mysql:
    image: mysql:8.0
    environment:
      - MYSQL_ROOT_PASSWORD=${DB_ROOT_PASS}
      - MYSQL_DATABASE=roundcube
      # create the application account roundcube connects with;
      # without these the DB_USER/DB_PASS credentials above do not exist in MySQL
      - MYSQL_USER=${DB_USER}
      - MYSQL_PASSWORD=${DB_PASS}
    volumes:
      - mysql-data:/var/lib/mysql
    networks:
      - mail-network

networks:
  mail-network:
    driver: bridge
  web-network:
    driver: bridge

volumes:
  postfix-data:
  dovecot-data:
  mail-data:
  mysql-data:
  ssl-certs:
```
### 2. Building the container images

#### Postfix container

```dockerfile
# containers/postfix/Dockerfile
FROM ubuntu:22.04

# keep the postfix debconf prompt from blocking a non-interactive build
ARG DEBIAN_FRONTEND=noninteractive
RUN apt-get update && apt-get install -y \
    postfix \
    postfix-mysql \
    opendkim \
    opendkim-tools \
    && rm -rf /var/lib/apt/lists/*

COPY configs/postfix/ /etc/postfix/
COPY configs/opendkim/ /etc/opendkim/
COPY scripts/postfix-start.sh /usr/local/bin/
RUN chmod +x /usr/local/bin/postfix-start.sh

EXPOSE 25 587 465
CMD ["/usr/local/bin/postfix-start.sh"]
```

#### Dovecot container

```dockerfile
# containers/dovecot/Dockerfile
FROM ubuntu:22.04

ARG DEBIAN_FRONTEND=noninteractive
RUN apt-get update && apt-get install -y \
    dovecot-core \
    dovecot-imapd \
    dovecot-pop3d \
    dovecot-lmtpd \
    dovecot-mysql \
    && rm -rf /var/lib/apt/lists/*

COPY configs/dovecot/ /etc/dovecot/
COPY scripts/dovecot-start.sh /usr/local/bin/
RUN chmod +x /usr/local/bin/dovecot-start.sh

# 24 is LMTP for delivery from Postfix; 12345 is the auth listener Postfix
# uses for SASL when the two run in separate containers (assumed port, it has
# to be enabled as a "service auth" inet_listener in the Dovecot config)
EXPOSE 143 993 110 995 24 12345
CMD ["/usr/local/bin/dovecot-start.sh"]
```
### 3. Configuration management

#### ConfigMap-based configuration

```yaml
# k8s/configmaps/postfix-config.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: postfix-config
  # the Deployment looks this ConfigMap up in mail-system; without an explicit
  # namespace it would be created in "default" and the pods would never start
  namespace: mail-system
data:
  main.cf: |
    smtpd_banner = $myhostname ESMTP $mail_name
    biff = no
    append_dot_mydomain = no
    readme_directory = no
    compatibility_level = 2

    # TLS parameters
    smtpd_tls_cert_file = /etc/ssl/certs/mail.crt
    smtpd_tls_key_file = /etc/ssl/private/mail.key
    # smtpd_use_tls is the obsolete spelling; "may" offers STARTTLS on port 25,
    # while the submission/smtps services in master.cf enforce encryption
    smtpd_tls_security_level = may
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

    # Authentication. Dovecot runs in a separate pod, so its auth service is
    # reached over TCP instead of a unix socket (12345 is an assumed port that
    # must be configured as a "service auth" inet_listener in Dovecot)
    smtpd_sasl_type = dovecot
    smtpd_sasl_path = inet:dovecot:12345
    smtpd_sasl_auth_enable = yes
    # never advertise AUTH before STARTTLS has been negotiated
    smtpd_tls_auth_only = yes

    # Restrictions: reject_unauth_destination is what stops the server being an open relay
    smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        reject_unauth_destination

    # Virtual domains: delivery goes to Dovecot's LMTP listener over the cluster network
    virtual_transport = lmtp:inet:dovecot:24
    virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
    virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
    virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf
  master.cf: |
    # only the listeners are shown; the remaining standard services (pickup,
    # cleanup, qmgr, smtp, lmtp, ...) from the distribution master.cf must stay
    smtp       inet  n  -  y  -  -  smtpd
    submission inet  n  -  y  -  -  smtpd
      -o syslog_name=postfix/submission
      -o smtpd_tls_security_level=encrypt
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_reject_unlisted_recipient=no
    smtps      inet  n  -  y  -  -  smtpd
      -o syslog_name=postfix/smtps
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes
```
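Before a main.cf like the one above reaches the cluster it is worth checking mechanically for the two mistakes that matter most: a restriction list that relays for strangers, and AUTH being offered over plaintext. The following checker is an added example written for this guide, not Mail-in-a-Box code. Its parser handles the `name = value` syntax with indented continuation lines; `SAFE_CF` is a constructed copy of the ConfigMap's main.cf without `smtpd_tls_auth_only`, and `OPEN_RELAY_CF` is a constructed misconfiguration.

```python
"""Audit a Postfix main.cf for the settings that decide whether the MTA relays
for strangers or offers AUTH over plaintext.

Added example written for this guide; not Mail-in-a-Box code.
"""
import re

_PARAM_RE = re.compile(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$")

# Default Postfix (>= 2.10) applies when smtpd_relay_restrictions is unset.
DEFAULT_RELAY_RESTRICTIONS = (
    "permit_mynetworks permit_sasl_authenticated defer_unauth_destination"
)
RELAY_STOPPERS = ("reject_unauth_destination", "defer_unauth_destination", "reject")


def parse_main_cf(text):
    """Return {parameter: value}; comments are dropped and continuation lines joined."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:  # continuation of the previous value
            params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        m = _PARAM_RE.match(raw)
        if m:
            current = m.group(1)
            params[current] = m.group(2).strip()
    return params


def _items(value):
    return [t for t in value.replace(",", " ").split() if t]


def _relay_unprotected(items):
    """True when no relay-stopping restriction exists or a bare 'permit' precedes it."""
    stoppers = [i for i, t in enumerate(items) if t in RELAY_STOPPERS]
    if not stoppers:
        return True
    return "permit" in items and items.index("permit") < stoppers[0]


def check_relay_safety(params):
    """Return a list of findings; an empty list means the checked settings look sane."""
    findings = []
    recipient = _items(params.get("smtpd_recipient_restrictions", ""))
    relay = _items(params.get("smtpd_relay_restrictions", DEFAULT_RELAY_RESTRICTIONS))
    # Both lists are evaluated by Postfix; relaying is stopped if either rejects it.
    if _relay_unprotected(recipient) and _relay_unprotected(relay):
        findings.append("open relay: neither recipient nor relay restrictions reject unauthorised destinations")
    for net in _items(params.get("mynetworks", "")):
        if net in ("0.0.0.0/0", "::/0"):
            findings.append(f"mynetworks contains {net}: permit_mynetworks relays for the whole internet")
    level = params.get("smtpd_tls_security_level")
    if level is None:  # fall back to the obsolete smtpd_use_tls spelling
        level = "may" if params.get("smtpd_use_tls", "no").lower() == "yes" else "none"
    if level == "none":
        findings.append("STARTTLS is not offered (smtpd_tls_security_level = none)")
    sasl = params.get("smtpd_sasl_auth_enable", "no").lower() == "yes"
    if sasl and params.get("smtpd_tls_auth_only", "no").lower() != "yes":
        findings.append("AUTH is advertised on unencrypted connections: set smtpd_tls_auth_only = yes")
    return findings


# Constructed copy of the ConfigMap's main.cf, without smtpd_tls_auth_only.
SAFE_CF = """\
smtpd_banner = $myhostname ESMTP $mail_name
compatibility_level = 2
smtpd_tls_cert_file = /etc/ssl/certs/mail.crt
smtpd_tls_key_file = /etc/ssl/private/mail.key
smtpd_tls_security_level = may
smtpd_sasl_type = dovecot
smtpd_sasl_auth_enable = yes
# Restrictions
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination
"""

# Constructed misconfiguration: "permit" short-circuits the relay check and
# mynetworks trusts every address.
OPEN_RELAY_CF = """\
mynetworks = 127.0.0.0/8 0.0.0.0/0
smtpd_recipient_restrictions = permit_mynetworks, permit
smtpd_relay_restrictions = permit_mynetworks, permit
smtpd_tls_security_level = none
"""

if __name__ == "__main__":
    for label, text in (("ConfigMap main.cf", SAFE_CF), ("open relay", OPEN_RELAY_CF)):
        print(label, check_relay_safety(parse_main_cf(text)) or ["no findings"])
```

Run it in the CI job that lints the Helm chart, feeding it the rendered ConfigMap: a finding should fail the pipeline, since a relay mistake is found by spammers within hours of the server going live.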
## Kubernetes Deployment Configuration

### 1. Namespace and security

```yaml
# k8s/namespace.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: mail-system
  labels:
    name: mail-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: mail-service-account
  namespace: mail-system
# the mail pods receive their Secrets through env vars and volumes, which the
# kubelet delivers; they never call the API themselves, so keeping the token
# off the pods limits what a compromised container can reach
automountServiceAccountToken: false
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: mail-system
  name: mail-role
rules:
  - apiGroups: [""]
    resources: ["secrets", "configmaps"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: mail-role-binding
  namespace: mail-system
subjects:
  - kind: ServiceAccount
    name: mail-service-account
    namespace: mail-system
roleRef:
  kind: Role
  name: mail-role
  apiGroup: rbac.authorization.k8s.io
```
### 2. Storage configuration

```yaml
# k8s/storage.yaml
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: mail-storage
# the in-tree kubernetes.io/aws-ebs provisioner was removed in Kubernetes 1.27;
# the EBS CSI driver is its replacement
provisioner: ebs.csi.aws.com
parameters:
  type: gp3
  encrypted: "true"
volumeBindingMode: WaitForFirstConsumer
allowVolumeExpansion: true
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: mail-data-pvc
  namespace: mail-system
spec:
  # EBS volumes attach to a single node (ReadWriteOnce). Postfix and Dovecot
  # run with two replicas each and all of them mount this claim, so in
  # production it has to come from a ReadWriteMany class (EFS, NFS, CephFS)
  # or the mail store has to be pinned to one node.
  accessModes:
    - ReadWriteOnce
  storageClassName: mail-storage
  resources:
    requests:
      storage: 100Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: mysql-data-pvc
  namespace: mail-system
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: mail-storage
  resources:
    requests:
      storage: 50Gi
```
### 3. MySQL database

```yaml
# k8s/mysql.yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: mysql
  namespace: mail-system
spec:
  serviceName: mysql
  replicas: 1
  selector:
    matchLabels:
      app: mysql
  template:
    metadata:
      labels:
        app: mysql
    spec:
      serviceAccountName: mail-service-account
      containers:
        - name: mysql
          image: mysql:8.0
          env:
            - name: MYSQL_ROOT_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: mysql-secret
                  key: root-password
            - name: MYSQL_DATABASE
              value: "mailserver"
          ports:
            - containerPort: 3306
          volumeMounts:
            - name: mysql-data
              mountPath: /var/lib/mysql
          resources:
            requests:
              memory: "1Gi"
              cpu: "500m"
            limits:
              memory: "2Gi"
              cpu: "1000m"
          livenessProbe:
            # mysqladmin ping exits 0 as soon as the server answers, even with
            # "access denied", so no credentials are needed here
            exec:
              command:
                - mysqladmin
                - ping
                - -h
                - localhost
            initialDelaySeconds: 30
            periodSeconds: 10
          readinessProbe:
            # a real query needs the root password; passing it through MYSQL_PWD
            # keeps it out of the process list
            exec:
              command:
                - sh
                - -c
                - MYSQL_PWD="$MYSQL_ROOT_PASSWORD" mysql -h localhost -u root -e "SELECT 1"
            initialDelaySeconds: 5
            periodSeconds: 5
  # the claim template provisions storage per replica; the separate
  # mysql-data-pvc from storage.yaml is therefore not used by this StatefulSet
  volumeClaimTemplates:
    - metadata:
        name: mysql-data
      spec:
        accessModes: ["ReadWriteOnce"]
        storageClassName: mail-storage
        resources:
          requests:
            storage: 50Gi
---
apiVersion: v1
kind: Service
metadata:
  name: mysql
  namespace: mail-system
spec:
  selector:
    app: mysql
  ports:
    - port: 3306
      targetPort: 3306
  clusterIP: None
```
### 4. Postfix deployment

```yaml
# k8s/postfix.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: postfix
  namespace: mail-system
spec:
  replicas: 2
  selector:
    matchLabels:
      app: postfix
  template:
    metadata:
      labels:
        app: postfix
    spec:
      serviceAccountName: mail-service-account
      containers:
        - name: postfix
          image: your-registry/mail-postfix:latest
          env:
            - name: MAIL_DOMAIN
              value: "your-company.com"
            - name: DB_HOST
              value: "mysql"
            - name: DB_USER
              valueFrom:
                secretKeyRef:
                  name: mysql-secret
                  key: mail-user
            - name: DB_PASS
              valueFrom:
                secretKeyRef:
                  name: mysql-secret
                  key: mail-password
          ports:
            - containerPort: 25
            - containerPort: 587
            - containerPort: 465
          volumeMounts:
            # mount the two files individually: a ConfigMap mounted over
            # /etc/postfix would hide the mysql-virtual-*.cf maps and everything
            # else the image copied into that directory
            - name: postfix-config
              mountPath: /etc/postfix/main.cf
              subPath: main.cf
            - name: postfix-config
              mountPath: /etc/postfix/master.cf
              subPath: master.cf
            - name: mail-data
              mountPath: /var/mail
            # place certificate and key where main.cf expects them instead of
            # replacing /etc/ssl/certs, which holds the system CA bundle used to
            # verify outbound TLS. Assumes mail-tls-secret is a kubernetes.io/tls
            # Secret (tls.crt / tls.key) as cert-manager issues. subPath mounts
            # are not refreshed on Secret rotation, so renewals need a rollout.
            - name: ssl-certs
              mountPath: /etc/ssl/certs/mail.crt
              subPath: tls.crt
            - name: ssl-certs
              mountPath: /etc/ssl/private/mail.key
              subPath: tls.key
          resources:
            requests:
              memory: "512Mi"
              cpu: "250m"
            limits:
              memory: "1Gi"
              cpu: "500m"
          livenessProbe:
            tcpSocket:
              port: 25
            initialDelaySeconds: 30
            periodSeconds: 10
          readinessProbe:
            tcpSocket:
              port: 25
            initialDelaySeconds: 5
            periodSeconds: 5
      volumes:
        - name: postfix-config
          configMap:
            name: postfix-config
        - name: mail-data
          persistentVolumeClaim:
            claimName: mail-data-pvc
        - name: ssl-certs
          secret:
            secretName: mail-tls-secret
            # the private key must not be readable by other users in the container
            defaultMode: 0400
---
apiVersion: v1
kind: Service
metadata:
  name: postfix
  namespace: mail-system
spec:
  selector:
    app: postfix
  ports:
    - name: smtp
      port: 25
      targetPort: 25
    - name: submission
      port: 587
      targetPort: 587
    - name: smtps
      port: 465
      targetPort: 465
  type: LoadBalancer
```
### 5. Dovecot deployment

```yaml
# k8s/dovecot.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: dovecot
  namespace: mail-system
spec:
  replicas: 2
  selector:
    matchLabels:
      app: dovecot
  template:
    metadata:
      labels:
        app: dovecot
    spec:
      serviceAccountName: mail-service-account
      containers:
        - name: dovecot
          image: your-registry/mail-dovecot:latest
          env:
            - name: DB_HOST
              value: "mysql"
            - name: DB_USER
              valueFrom:
                secretKeyRef:
                  name: mysql-secret
                  key: mail-user
            - name: DB_PASS
              valueFrom:
                secretKeyRef:
                  name: mysql-secret
                  key: mail-password
          ports:
            - containerPort: 143
            - containerPort: 993
            - containerPort: 110
            - containerPort: 995
            - containerPort: 24      # LMTP, used by Postfix for delivery
            - containerPort: 12345   # assumed auth listener for Postfix SASL (service auth inet_listener)
          volumeMounts:
            # assumes the dovecot-config ConfigMap carries a dovecot.conf key;
            # mounting it as a single file keeps the image's conf.d/ directory visible
            - name: dovecot-config
              mountPath: /etc/dovecot/dovecot.conf
              subPath: dovecot.conf
            - name: mail-data
              mountPath: /var/mail
            # same layout as the Postfix pod; ssl_cert / ssl_key in the Dovecot
            # config point at these two paths
            - name: ssl-certs
              mountPath: /etc/ssl/certs/mail.crt
              subPath: tls.crt
            - name: ssl-certs
              mountPath: /etc/ssl/private/mail.key
              subPath: tls.key
          resources:
            requests:
              memory: "512Mi"
              cpu: "250m"
            limits:
              memory: "1Gi"
              cpu: "500m"
          livenessProbe:
            tcpSocket:
              port: 143
            initialDelaySeconds: 30
            periodSeconds: 10
          readinessProbe:
            tcpSocket:
              port: 143
            initialDelaySeconds: 5
            periodSeconds: 5
      volumes:
        - name: dovecot-config
          configMap:
            name: dovecot-config
        - name: mail-data
          persistentVolumeClaim:
            claimName: mail-data-pvc
        - name: ssl-certs
          secret:
            secretName: mail-tls-secret
            defaultMode: 0400
---
apiVersion: v1
kind: Service
metadata:
  name: dovecot
  namespace: mail-system
spec:
  selector:
    app: dovecot
  ports:
    - name: imap
      port: 143
      targetPort: 143
    - name: imaps
      port: 993
      targetPort: 993
    - name: pop3
      port: 110
      targetPort: 110
    - name: pop3s
      port: 995
      targetPort: 995
    # LMTP is only consumed by Postfix inside the cluster; publishing it on the
    # internet-facing load balancer is unnecessary. A separate ClusterIP Service
    # for port 24 (and the auth listener) is the safer layout.
    - name: lmtp
      port: 24
      targetPort: 24
  type: LoadBalancer
```
## High Availability Configuration

### 1. Database cluster

```yaml
# k8s/mysql-cluster.yaml
apiVersion: mysql.oracle.com/v2
kind: InnoDBCluster
metadata:
  name: mysql-cluster
  namespace: mail-system
spec:
  # the MySQL Operator reads the rootUser / rootPassword keys (optionally
  # rootHost) from this Secret, so those keys are needed in addition to the
  # ones the single-instance StatefulSet uses
  secretName: mysql-secret
  # self-signed is fine for a lab; production clusters should use
  # certificates issued through cert-manager
  tlsUseSelfSigned: true
  instances: 3
  router:
    instances: 2
  datadirVolumeClaimTemplate:
    accessModes:
      - ReadWriteOnce
    resources:
      requests:
        storage: 100Gi
    storageClassName: mail-storage
  mycnf: |
    [mysqld]
    max_connections = 200
    innodb_buffer_pool_size = 1G
    innodb_log_file_size = 256M
```
### 2. Load balancer configuration

```yaml
# k8s/load-balancer.yaml
apiVersion: v1
kind: Service
metadata:
  name: mail-lb
  namespace: mail-system
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
    service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
spec:
  type: LoadBalancer
  # preserve the client source address: Postfix logs, the anvil rate limits
  # and permit_mynetworks all depend on seeing the real peer IP rather than
  # a node IP after SNAT
  externalTrafficPolicy: Local
  selector:
    app: postfix
  ports:
    - name: smtp
      port: 25
      targetPort: 25
      protocol: TCP
    - name: submission
      port: 587
      targetPort: 587
      protocol: TCP
    - name: smtps
      port: 465
      targetPort: 465
      protocol: TCP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: mail-web-ingress
  namespace: mail-system
  annotations:
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  # replaces the deprecated kubernetes.io/ingress.class annotation
  ingressClassName: nginx
  tls:
    - hosts:
        - mail.your-company.com
      secretName: mail-web-tls
  rules:
    - host: mail.your-company.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: roundcube
                port:
                  number: 80
```
### 3. Autoscaling

```yaml
# k8s/hpa.yaml
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: postfix-hpa
  namespace: mail-system
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: postfix
  minReplicas: 2
  maxReplicas: 10
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 70
    - type: Resource
      resource:
        name: memory
        target:
          type: Utilization
          averageUtilization: 80
---
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: dovecot-hpa
  namespace: mail-system
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: dovecot
  minReplicas: 2
  maxReplicas: 8
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 70
```
## Security Hardening

### 1. Network policy

```yaml
# k8s/network-policy.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: mail-network-policy
  namespace: mail-system
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # pods inside the namespace may talk to each other on any port
    # (Postfix -> Dovecot LMTP and auth, Postfix/Dovecot -> MySQL, Roundcube -> IMAP)
    - from:
        - namespaceSelector:
            matchLabels:
              name: mail-system
    # ports that must be reachable from outside the cluster: inbound SMTP from
    # other MTAs on 25, client submission and mailbox access on the TLS ports,
    # and the webmail front end. Limiting 25/587/993 to the namespace, as a
    # first draft of this policy did, silently blocks all incoming mail.
    # A rule without "from" matches every source.
    - ports:
        - protocol: TCP
          port: 25
        - protocol: TCP
          port: 587
        - protocol: TCP
          port: 465
        - protocol: TCP
          port: 143
        - protocol: TCP
          port: 993
        - protocol: TCP
          port: 995
        - protocol: TCP
          port: 80
        - protocol: TCP
          port: 443
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              name: mail-system
    - ports:
        - protocol: TCP
          port: 53
        - protocol: UDP
          port: 53
        # outbound delivery to remote MTAs; without this rule mail never leaves the cluster
        - protocol: TCP
          port: 25
        - protocol: TCP
          port: 80
        - protocol: TCP
          port: 443
        - protocol: TCP
          port: 3306
```
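A NetworkPolicy that is one `from` clause too strict does not fail loudly; the mail just stops arriving. As an added example written for this guide (not Kubernetes or Mail-in-a-Box code), the evaluator below models the policy semantics that matter here (a flow is allowed if any rule admits it; an empty or missing `from`/`to` matches every peer; only `namespaceSelector`/`matchLabels`, `ipBlock` and TCP/UDP ports are handled) and checks the flows a mail server cannot live without. Both embedded policies are constructed dicts in the shape a YAML loader would produce: `NAMESPACE_ONLY_POLICY` limits SMTP ingress to the namespace, `OPEN_SMTP_POLICY` admits it from outside.

```python
"""Evaluate which mail flows a NetworkPolicy admits before it is applied.

Added example written for this guide; not Kubernetes or Mail-in-a-Box code.
"""

EXTERNAL = None  # traffic from outside the cluster (remote MTAs, mail clients)
IN_NS = {"namespace": "mail-system", "labels": {"name": "mail-system"}}


def _peer_matches(peer, source, policy_ns):
    """source is None for external traffic, or a dict with namespace/labels for a pod."""
    if source is None:
        return "ipBlock" in peer  # only an ipBlock peer can admit external traffic
    if "ipBlock" in peer:
        return False  # simplification: ipBlock peers are used for external ranges only
    ns_sel = peer.get("namespaceSelector")
    if ns_sel is not None:
        wanted = ns_sel.get("matchLabels", {})
        return all(source["labels"].get(k) == v for k, v in wanted.items())
    return source["namespace"] == policy_ns  # podSelector alone: same namespace only


def _port_matches(rule_ports, protocol, port):
    if not rule_ports:
        return True  # no ports listed: every port
    return any(p.get("protocol", "TCP") == protocol and p.get("port") == port for p in rule_ports)


def allows(policy, direction, protocol, port, source):
    """A flow is allowed if any rule admits it; an empty from/to list matches every peer."""
    spec = policy["spec"]
    if direction.capitalize() not in spec.get("policyTypes", ["Ingress"]):
        return True  # direction not governed by this policy
    policy_ns = policy["metadata"]["namespace"]
    peer_key = "from" if direction == "ingress" else "to"
    for rule in spec.get(direction, []):
        peers = rule.get(peer_key) or []
        peer_ok = not peers or any(_peer_matches(p, source, policy_ns) for p in peers)
        if peer_ok and _port_matches(rule.get("ports"), protocol, port):
            return True
    return False


REQUIRED_FLOWS = [
    ("inbound SMTP from remote MTAs", "ingress", "TCP", 25, EXTERNAL),
    ("client submission", "ingress", "TCP", 587, EXTERNAL),
    ("IMAPS", "ingress", "TCP", 993, EXTERNAL),
    ("Postfix -> Dovecot LMTP", "ingress", "TCP", 24, IN_NS),
    ("outbound SMTP to remote MTAs", "egress", "TCP", 25, EXTERNAL),
    ("DNS", "egress", "UDP", 53, EXTERNAL),
]


def blocked_flows(policy):
    """Names of the required mail flows the policy would deny."""
    return [name for name, d, proto, port, src in REQUIRED_FLOWS
            if not allows(policy, d, proto, port, src)]


def _tcp(*ports):
    return [{"protocol": "TCP", "port": p} for p in ports]


NS_PEER = [{"namespaceSelector": {"matchLabels": {"name": "mail-system"}}}]

# Constructed: mail ports only reachable from inside the namespace.
NAMESPACE_ONLY_POLICY = {
    "metadata": {"name": "mail-network-policy", "namespace": "mail-system"},
    "spec": {
        "podSelector": {},
        "policyTypes": ["Ingress", "Egress"],
        "ingress": [
            {"from": NS_PEER, "ports": _tcp(25, 587, 465, 143, 993)},
            {"from": [], "ports": _tcp(80, 443)},
        ],
        "egress": [
            {"to": [], "ports": _tcp(53, 80, 443, 3306) + [{"protocol": "UDP", "port": 53}]},
        ],
    },
}

# Constructed: intra-namespace traffic unrestricted, public mail ports open, outbound SMTP allowed.
OPEN_SMTP_POLICY = {
    "metadata": {"name": "mail-network-policy", "namespace": "mail-system"},
    "spec": {
        "podSelector": {},
        "policyTypes": ["Ingress", "Egress"],
        "ingress": [
            {"from": NS_PEER},
            {"ports": _tcp(25, 587, 465, 993, 995, 80, 443)},
        ],
        "egress": [
            {"to": NS_PEER},
            {"ports": _tcp(25, 53, 80, 443) + [{"protocol": "UDP", "port": 53}]},
        ],
    },
}

if __name__ == "__main__":
    print("namespace-only policy blocks:", blocked_flows(NAMESPACE_ONLY_POLICY))
    print("open-smtp policy blocks:", blocked_flows(OPEN_SMTP_POLICY))
```

The check is intentionally narrow: it verifies the flows that must work, not that nothing else is open. Pair it with the CNI's own policy tooling for the complete picture.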
### 2. Pod Security Standards

```yaml
# k8s/pod-security.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: mail-system
  labels:
    # keep the "name" label: applying this manifest replaces the label set from
    # namespace.yaml, and the NetworkPolicy's namespaceSelector depends on it
    name: mail-system
    # "restricted" rejects pods that run as root, escalate privileges or keep
    # capabilities. The Postfix and Dovecot images must therefore run as a
    # non-root user with a securityContext that drops all capabilities (only
    # NET_BIND_SERVICE may be added back for the ports below 1024).
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
---
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: postfix-pdb
  namespace: mail-system
spec:
  minAvailable: 1
  selector:
    matchLabels:
      app: postfix
---
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: dovecot-pdb
  namespace: mail-system
spec:
  minAvailable: 1
  selector:
    matchLabels:
      app: dovecot
```
### 3. Secrets management

```yaml
# k8s/secrets.yaml
# Static Secret manifests like these must not be committed alongside the rest of
# the chart; they are shown for the key layout the Deployments reference. The
# SecretStore at the end hands that job to External Secrets Operator backed by Vault.
apiVersion: v1
kind: Secret
metadata:
  name: mysql-secret
  namespace: mail-system
type: Opaque
data:
  root-password: <base64-encoded-password>
  mail-user: <base64-encoded-username>
  mail-password: <base64-encoded-password>
---
apiVersion: v1
kind: Secret
metadata:
  name: mail-admin-secret
  namespace: mail-system
type: Opaque
data:
  admin-user: <base64-encoded-admin-user>
  admin-password: <base64-encoded-admin-password>
---
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: vault-secret-store
  namespace: mail-system
spec:
  provider:
    vault:
      server: "https://vault.your-company.com"
      path: "secret"
      version: "v2"
      auth:
        kubernetes:
          mountPath: "kubernetes"
          role: "mail-role"
```
## Monitoring and Logging

### 1. Prometheus monitoring

```yaml
# k8s/monitoring.yaml
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: mail-services
  namespace: mail-system
spec:
  selector:
    matchLabels:
      monitoring: "true"
  endpoints:
    - port: metrics
      interval: 30s
      path: /metrics
---
apiVersion: v1
kind: Service
metadata:
  name: postfix-metrics
  namespace: mail-system
  labels:
    monitoring: "true"
spec:
  selector:
    app: postfix
  ports:
    # 9154 is the default port of postfix_exporter; the Postfix pods need that
    # exporter as a sidecar (not shown above) for this Service to return metrics
    - name: metrics
      port: 9154
      targetPort: 9154
---
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: mail-alerts
  namespace: mail-system
spec:
  groups:
    - name: mail.rules
      rules:
        # with the Prometheus Operator the "job" label defaults to the Service
        # name (postfix-metrics here) unless the ServiceMonitor sets jobLabel;
        # the selectors below assume it has been aligned to "postfix"/"dovecot"
        - alert: PostfixDown
          expr: up{job="postfix"} == 0
          for: 5m
          labels:
            severity: critical
          annotations:
            summary: "Postfix service is down"
            description: "Postfix has been down for more than 5 minutes"
        - alert: HighMailQueueSize
          expr: postfix_showq_messages_total > 1000
          for: 10m
          labels:
            severity: warning
          annotations:
            summary: "High mail queue size"
            description: "Mail queue size is {{ $value }} messages"
        - alert: DovecotDown
          expr: up{job="dovecot"} == 0
          for: 5m
          labels:
            severity: critical
          annotations:
            summary: "Dovecot service is down"
            description: "Dovecot has been down for more than 5 minutes"
```
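The `HighMailQueueSize` rule only fires if something turns the Postfix queue into a number. The exporter does that by parsing `postqueue -p` output, and it is useful to understand what that parse yields, because a queue of 900 held messages is a different incident from 900 deferred ones. The following parser and threshold logic are an added example written for this guide, not postfix_exporter or Mail-in-a-Box code; `SAMPLE_MAILQ` is constructed output in the `postqueue -p` layout (a `*` after the queue ID marks the active queue, `!` the hold queue, no marker means deferred).

```python
"""Turn `postqueue -p` output into the queue metrics the alert rules reason about.

Added example written for this guide; not postfix_exporter or Mail-in-a-Box code.
"""
import re

_ENTRY_RE = re.compile(
    r"^(?P<id>[A-Za-z0-9]+)(?P<flag>[*!#]?)\s+(?P<size>\d+)\s+"
    r"(?P<arrival>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2})\s+(?P<sender>\S+)$"
)
_STATES = {"*": "active", "!": "hold", "#": "expiring", "": "deferred"}


def parse_mailq(text):
    """Return one dict per queued message: id, state, size, sender, recipients, reason."""
    entries, current = [], None
    for line in text.splitlines():
        if not line.strip():
            current = None          # blank line terminates an entry
            continue
        if line.startswith("-Queue ID-") or line.startswith("--"):
            continue                # column header / "-- N Kbytes in M Requests." trailer
        m = _ENTRY_RE.match(line)
        if m:
            current = {"id": m["id"], "state": _STATES[m["flag"]], "size": int(m["size"]),
                       "sender": m["sender"], "recipients": [], "reason": None}
            entries.append(current)
        elif current is not None and line.lstrip().startswith("("):
            current["reason"] = line.strip().strip("()")   # last delivery error
        elif current is not None:
            current["recipients"].append(line.strip())
    return entries                  # "Mail queue is empty" yields []


def queue_metrics(entries):
    metrics = {"total": len(entries), "active": 0, "hold": 0, "deferred": 0,
               "expiring": 0, "bytes": sum(e["size"] for e in entries)}
    for e in entries:
        metrics[e["state"]] += 1
    return metrics


def queue_alerts(metrics, backlog_threshold=1000, hold_threshold=0):
    """Mirror HighMailQueueSize, plus a separate signal for held mail: messages in
    the hold queue were put there deliberately (content filter, operator) and
    never drain on their own, so they must not hide inside the backlog number."""
    alerts = []
    if metrics["total"] > backlog_threshold:
        alerts.append(f"queue backlog: {metrics['total']} messages")
    if metrics["hold"] > hold_threshold:
        alerts.append(f"held messages: {metrics['hold']}")
    return alerts


# Constructed sample in the postqueue -p layout.
SAMPLE_MAILQ = """\
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
A1B2C3D4E5*     2345 Mon Jan  1 10:00:00  ops@example.test
                                          alice@remote.test

F6E7D8C9B0!     1024 Mon Jan  1 09:55:00  ops@example.test
(connect to mx.remote.test[192.0.2.10]:25: Connection timed out)
                                          bob@remote.test

0A9B8C7D6E       512 Mon Jan  1 09:50:00  MAILER-DAEMON
(host mx.remote.test[192.0.2.10] said: 450 4.7.1 Greylisted, try again later)
                                          carol@remote.test

-- 4 Kbytes in 3 Requests.
"""

if __name__ == "__main__":
    metrics = queue_metrics(parse_mailq(SAMPLE_MAILQ))
    print(metrics)
    print(queue_alerts(metrics) or ["no alerts"])
```

The `reason` field is what you want in the alert annotation when the backlog rule fires: a queue full of "Connection timed out" entries points at egress (the network policy above is the first suspect), while "450 Greylisted" is normal and drains by itself.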
### 2. Log aggregation

```yaml
# k8s/logging.yaml
apiVersion: logging.coreos.com/v1
kind: ClusterLogForwarder
metadata:
  name: mail-log-forwarder
  namespace: openshift-logging
spec:
  outputs:
    - name: mail-elasticsearch
      type: elasticsearch
      url: "https://elasticsearch.your-company.com:9200"
      secret:
        name: elasticsearch-secret
  pipelines:
    - name: mail-logs
      inputRefs:
        - application
      filterRefs:
        - mail-filter
      outputRefs:
        - mail-elasticsearch
---
apiVersion: logging.coreos.com/v1
kind: ClusterLogFilter
metadata:
  name: mail-filter
spec:
  type: json
  json:
    javascript: |
      // keep only records that originate from the mail-system namespace
      const log = record.log;
      if (log.kubernetes && log.kubernetes.namespace_name === 'mail-system') {
        return record;
      }
      return null;
```
## Backup and Disaster Recovery

### 1. Backup strategy

```yaml
# k8s/backup.yaml
apiVersion: batch/v1
kind: CronJob
metadata:
  name: mail-backup
  namespace: mail-system
spec:
  schedule: "0 2 * * *"        # daily at 02:00
  concurrencyPolicy: Forbid    # never run two backups against the same volume at once
  jobTemplate:
    spec:
      template:
        spec:
          containers:
            - name: backup
              image: your-registry/mail-backup:latest
              env:
                - name: AWS_ACCESS_KEY_ID
                  valueFrom:
                    secretKeyRef:
                      name: backup-secret
                      key: access-key
                - name: AWS_SECRET_ACCESS_KEY
                  valueFrom:
                    secretKeyRef:
                      name: backup-secret
                      key: secret-key
                - name: S3_BUCKET
                  value: "your-company-mail-backup"
                # the script below uses this variable; it must be defined here
                - name: MYSQL_ROOT_PASSWORD
                  valueFrom:
                    secretKeyRef:
                      name: mysql-secret
                      key: root-password
              command:
                - /bin/bash
                - -c
                - |
                  # abort on the first failure so a broken dump is never uploaded
                  set -euo pipefail
                  DAY=$(date +%Y%m%d)
                  # MySQL backup (MYSQL_PWD keeps the password out of the process list)
                  MYSQL_PWD="$MYSQL_ROOT_PASSWORD" mysqldump -h mysql -u root --all-databases > /tmp/mysql-backup.sql
                  # Mail data backup
                  tar -czf /tmp/mail-data-backup.tar.gz -C / var/mail
                  # Upload to S3 with server-side encryption
                  aws s3 cp --sse AES256 /tmp/mysql-backup.sql "s3://${S3_BUCKET}/${DAY}/"
                  aws s3 cp --sse AES256 /tmp/mail-data-backup.tar.gz "s3://${S3_BUCKET}/${DAY}/"
              volumeMounts:
                - name: mail-data
                  mountPath: /var/mail
                  readOnly: true
          volumes:
            - name: mail-data
              persistentVolumeClaim:
                claimName: mail-data-pvc
          restartPolicy: OnFailure
```
### 2. Disaster recovery procedure

```bash
#!/bin/bash
# disaster-recovery.sh
set -euo pipefail

BUCKET="your-company-mail-backup"
NS="mail-system-dr"

# 1. Create the namespace and deploy the stack into it. The raw manifests above
#    hard-code "mail-system", so the Helm chart (which takes the namespace from
#    the release) is used here; otherwise mysql-0 does not exist when step 3 runs.
kubectl create namespace "$NS"
helm upgrade --install mail-in-a-box helm/mail-in-a-box --namespace "$NS" --wait --timeout=10m

# 2. Fetch the data from the backup. The CronJob uploads into a dated prefix;
#    "latest" assumes that prefix is copied or aliased after each run.
aws s3 cp "s3://${BUCKET}/latest/mysql-backup.sql" /tmp/
aws s3 cp "s3://${BUCKET}/latest/mail-data-backup.tar.gz" /tmp/

# 3. Restore MySQL (-i forwards stdin into the pod; without it the dump is never read)
kubectl wait -n "$NS" --for=condition=ready pod/mysql-0 --timeout=300s
kubectl exec -i -n "$NS" mysql-0 -- sh -c 'MYSQL_PWD="$MYSQL_ROOT_PASSWORD" mysql -u root' < /tmp/mysql-backup.sql

# 4. Restore the mail data. Postfix is a Deployment, so its pods are not named
#    postfix-0; pick one by label.
POSTFIX_POD=$(kubectl get pod -n "$NS" -l app=postfix -o jsonpath='{.items[0].metadata.name}')
kubectl cp /tmp/mail-data-backup.tar.gz "${NS}/${POSTFIX_POD}:/tmp/"
kubectl exec -n "$NS" "$POSTFIX_POD" -- tar -xzf /tmp/mail-data-backup.tar.gz -C /

# 5. Verify the services
kubectl get pods -n "$NS"
kubectl get svc -n "$NS"
```
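Neither the CronJob nor the recovery script above checks that the archive it produced can actually be restored, and a restore is the wrong moment to discover a truncated tarball. The following routine is an added example written for this guide (not Mail-in-a-Box code and not the `mail-backup` image): it records a SHA-256 manifest of the mail store at backup time, restores the archive into a scratch directory and diffs the two, and refuses archives whose members would escape the restore directory. Paths are local temp directories and the Maildir content is constructed; the S3 upload is out of scope.

```python
"""Create a mail-store backup with a content manifest, then prove the archive
restores cleanly before anyone has to rely on it.

Added example written for this guide; not Mail-in-a-Box code.
"""
import hashlib
import io
import os
import tarfile
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """{relative path: sha256} for every regular file below root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def create_backup(src_root, tar_path):
    """Write src_root to a gzip tarball and return the manifest taken at backup time."""
    manifest = build_manifest(src_root)
    with tarfile.open(tar_path, "w:gz") as tar:
        tar.add(src_root, arcname=".")
    return manifest


def _safe_members(tar):
    """Yield members, refusing anything that would escape the restore directory."""
    for m in tar.getmembers():
        normalised = os.path.normpath(m.name)
        if os.path.isabs(m.name) or normalised.startswith("..") or not (m.isfile() or m.isdir()):
            raise ValueError(f"refusing unsafe archive member: {m.name}")
        yield m


def verify_backup(tar_path, manifest):
    """Restore into a scratch directory and diff it against the manifest."""
    with tempfile.TemporaryDirectory() as restore_dir:
        with tarfile.open(tar_path, "r:gz") as tar:
            tar.extractall(restore_dir, members=_safe_members(tar))
        restored = build_manifest(restore_dir)
    return {
        "missing": sorted(set(manifest) - set(restored)),
        "changed": sorted(p for p in manifest if p in restored and restored[p] != manifest[p]),
        "extra": sorted(set(restored) - set(manifest)),
    }


def run_demo():
    """Returns (clean_diff, tampered_diff, traversal_rejected) for a constructed Maildir."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "mail")
        cur = os.path.join(src, "alice", "Maildir", "cur")
        os.makedirs(cur)
        msg = os.path.join(cur, "1700000000.M1.mail")
        with open(msg, "w") as f:  # constructed sample message
            f.write("From: ops@example.test\nSubject: constructed sample\n\nhello\n")
        tar_path = os.path.join(work, "mail-data-backup.tar.gz")
        manifest = create_backup(src, tar_path)
        clean = verify_backup(tar_path, manifest)

        # An archive taken after the store was altered no longer matches the manifest.
        with open(msg, "a") as f:
            f.write("tampered\n")
        create_backup(src, tar_path)
        tampered = verify_backup(tar_path, manifest)

        # An archive carrying a path-traversal member is refused before extraction.
        bad_tar = os.path.join(work, "bad.tar.gz")
        with tarfile.open(bad_tar, "w:gz") as tar:
            tar.addfile(tarfile.TarInfo("../etc/passwd"), io.BytesIO(b""))
        try:
            verify_backup(bad_tar, {})
            traversal_rejected = False
        except ValueError:
            traversal_rejected = True
    return clean, tampered, traversal_rejected


if __name__ == "__main__":
    print(run_demo())
```

Store the manifest next to the archive in S3 and run `verify_backup` from a separate job against a downloaded copy; that also exercises the credentials and the object's encryption settings before a real outage does.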
## Performance Optimization

### 1. Resource tuning

```yaml
# k8s/performance-tuning.yaml
# Postfix reads exactly one main.cf, so these parameters have to be merged into
# the main.cf of postfix-config rather than shipped as a second ConfigMap with
# the same key; the split is kept here only to show the tuning separately.
apiVersion: v1
kind: ConfigMap
metadata:
  name: postfix-performance
  namespace: mail-system
data:
  main.cf: |
    # Performance tuning
    default_process_limit = 100
    smtpd_client_connection_count_limit = 50
    smtpd_client_connection_rate_limit = 30
    anvil_rate_time_unit = 60s
    anvil_status_update_time = 600s

    # Queue management
    maximal_queue_lifetime = 5d
    bounce_queue_lifetime = 5d
    maximal_backoff_time = 4000s
    minimal_backoff_time = 300s
    queue_run_delay = 300s
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: dovecot-performance
  namespace: mail-system
data:
  dovecot.conf: |
    # Performance tuning. login_max_processes_count / login_max_connections are
    # Dovecot 1.x settings; in Dovecot 2.x the login limits live on the service.
    service imap-login {
      process_limit = 128
      client_limit = 256
    }
    default_process_limit = 100
    default_client_limit = 1000

    # Mailbox index and cache settings
    mailbox_list_index = yes
    maildir_very_dirty_syncs = yes

    # IMAP tuning
    imap_capability = +IDLE +COMPRESS=DEFLATE
    imap_client_workarounds = delay-newmail tb-extra-mailbox-sep
```
### 2. Caching strategy

```yaml
# k8s/redis-cache.yaml
# No component above is wired to Redis yet; it is provisioned for session and
# rate-limit caching. It runs without authentication, so it must stay reachable
# only from inside the namespace (the intra-namespace rule of the network policy).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: redis
  namespace: mail-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app: redis
  template:
    metadata:
      labels:
        app: redis
    spec:
      containers:
        - name: redis
          image: redis:7-alpine
          command:
            - redis-server
            - --maxmemory
            - 512mb
            - --maxmemory-policy
            - allkeys-lru
          ports:
            - containerPort: 6379
          resources:
            requests:
              memory: "256Mi"
              cpu: "100m"
            limits:
              memory: "512Mi"
              cpu: "200m"
---
apiVersion: v1
kind: Service
metadata:
  name: redis
  namespace: mail-system
spec:
  selector:
    app: redis
  ports:
    - port: 6379
      targetPort: 6379
```
## Operations Automation

### 1. Helm chart

```yaml
# helm/mail-in-a-box/Chart.yaml
apiVersion: v2
name: mail-in-a-box
description: Enterprise Mail-in-a-Box Helm Chart
type: application
version: 1.0.0
appVersion: "v72"
dependencies:
  - name: mysql
    version: 9.4.0
    repository: https://charts.bitnami.com/bitnami
  - name: redis
    version: 17.3.0
    repository: https://charts.bitnami.com/bitnami
```

```yaml
# helm/mail-in-a-box/values.yaml
global:
  storageClass: "mail-storage"

mail:
  domain: "your-company.com"
  hostname: "mail.your-company.com"

postfix:
  replicaCount: 2
  image:
    repository: your-registry/mail-postfix
    tag: "latest"
  resources:
    requests:
      memory: "512Mi"
      cpu: "250m"
    limits:
      memory: "1Gi"
      cpu: "500m"

dovecot:
  replicaCount: 2
  image:
    repository: your-registry/mail-dovecot
    tag: "latest"
  resources:
    requests:
      memory: "512Mi"
      cpu: "250m"
    limits:
      memory: "1Gi"
      cpu: "500m"

mysql:
  enabled: true
  auth:
    # never put the root password into a values.yaml that is committed to git;
    # the Bitnami chart reads it from an existing Secret instead (with the key
    # names that chart expects, mysql-root-password and mysql-password)
    existingSecret: mysql-secret
    database: "mailserver"
  primary:
    persistence:
      size: 50Gi

redis:
  enabled: true
  auth:
    enabled: false
  master:
    persistence:
      size: 8Gi
```
### 2. GitOps workflow

```yaml
# .github/workflows/deploy.yml
name: Deploy Mail-in-a-Box

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

# the workflow only reads the repository; cluster access comes from the kubeconfig secret
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Setup Helm
        uses: azure/setup-helm@v3
        with:
          version: '3.10.0'
      - name: Lint Helm Chart
        run: helm lint helm/mail-in-a-box
      - name: Template Helm Chart
        run: helm template mail-in-a-box helm/mail-in-a-box --values helm/mail-in-a-box/values-test.yaml

  deploy:
    if: github.ref == 'refs/heads/main'
    needs: test
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Setup Helm
        uses: azure/setup-helm@v3
        with:
          version: '3.10.0'
      - name: Configure kubectl
        uses: azure/k8s-set-context@v3
        with:
          method: kubeconfig
          # the secret name is an assumption; the original template lost this value
          kubeconfig: ${{ secrets.KUBECONFIG }}
      - name: Deploy to Production
        run: |
          helm upgrade --install mail-in-a-box helm/mail-in-a-box \
            --namespace mail-system \
            --create-namespace \
            --values helm/mail-in-a-box/values-prod.yaml \
            --wait --timeout=10m
```
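The `test` job above lints the chart's syntax, which is not the same as catching a root password typed into `values.yaml` or an image pinned to `latest` that quietly changes under the cluster. The scanner below is an added example written for this guide, not a Helm or Mail-in-a-Box tool: it walks rendered YAML text line by line, flags keys that look like credentials but carry a literal value (template expressions, `<placeholders>` and empty values are ignored, as are reference keys such as `existingSecret` or `secretName`), and flags mutable image tags. `SAMPLE_VALUES` is a constructed cut-down copy of the values.yaml above; `SAFE_VALUES` shows the corrected shape.

```python
"""Pre-deploy scan of rendered manifests / values for inline secrets and floating image tags.

Added example written for this guide; not a Helm or Mail-in-a-Box tool.
"""
import re

_KV_RE = re.compile(r"^\s*-?\s*(?P<key>[A-Za-z0-9_.\-]+)\s*:\s*(?P<value>.*)$")
_SECRET_WORD_RE = re.compile(r"(password|passwd|secret|token|apikey|api_key)", re.IGNORECASE)
# keys that refer to a secret rather than contain one
_REFERENCE_KEY_RE = re.compile(r"(name|ref|store|existing|enabled|mount|path|file|class|type)", re.IGNORECASE)


def _is_placeholder(value):
    v = value.strip().strip("\"'").strip()
    return (not v or v.startswith("<") or "{{" in v or "${" in v or v.lower() in ("null", "~"))


def scan_manifest_text(text):
    """Return [(line_no, kind, detail)] with kind in {"inline-secret", "mutable-tag"}."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.split("#", 1)[0].rstrip()      # drop trailing comments
        m = _KV_RE.match(stripped)
        if not m:
            continue
        key, value = m["key"], m["value"]
        if (_SECRET_WORD_RE.search(key) and not _REFERENCE_KEY_RE.search(key)
                and not _is_placeholder(value)):
            findings.append((n, "inline-secret", key))
        vnorm = value.strip().strip("\"'")
        if (key == "tag" and vnorm == "latest") or (key == "image" and vnorm.endswith(":latest")):
            findings.append((n, "mutable-tag", vnorm))
    return findings


# Constructed cut-down copy of the values.yaml above.
SAMPLE_VALUES = """\
postfix:
  replicaCount: 2
  image:
    repository: your-registry/mail-postfix
    tag: "latest"
dovecot:
  image:
    repository: your-registry/mail-dovecot
    tag: "latest"
mysql:
  enabled: true
  auth:
    rootPassword: "secure-root-password"
    database: "mailserver"
"""

# Constructed corrected shape: secret by reference, immutable tag, placeholder data.
SAFE_VALUES = """\
mysql:
  auth:
    existingSecret: mysql-secret
postfix:
  image:
    repository: your-registry/mail-postfix
    tag: "v72-2024.01"
data:
  root-password: <base64-encoded-password>
"""

if __name__ == "__main__":
    for n, kind, detail in scan_manifest_text(SAMPLE_VALUES):
        print(f"line {n}: {kind}: {detail}")
```

Wire it in as a step between `helm lint` and `helm template` and fail the job on any finding; running it on the output of `helm template` rather than on `values.yaml` alone also catches secrets that a template bakes into a ConfigMap.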
## Operations Dashboard

### 1. Grafana dashboard

```json
{
  "dashboard": {
    "title": "Mail-in-a-Box Enterprise Dashboard",
    "panels": [
      {
        "title": "Mail Queue Size",
        "type": "graph",
        "targets": [
          {
            "expr": "postfix_showq_messages_total",
            "legendFormat": " - Queue Size"
          }
        ]
      },
      {
        "title": "SMTP Connections",
        "type": "graph",
        "targets": [
          {
            "expr": "rate(postfix_smtpd_connects_total[5m])",
            "legendFormat": " - Connections/sec"
          }
        ]
      },
      {
        "title": "IMAP Sessions",
        "type": "stat",
        "targets": [
          {
            "expr": "dovecot_imap_logged_in_users"
          }
        ]
      },
      {
        "title": "Disk Usage",
        "type": "graph",
        "targets": [
          {
            "expr": "100 - (node_filesystem_avail_bytes{mountpoint=\"/var/mail\"} / node_filesystem_size_bytes{mountpoint=\"/var/mail\"} * 100)",
            "legendFormat": "Mail Storage Usage %"
          }
        ]
      }
    ]
  }
}
```
### 2. Alerting rules

```yaml
# k8s/alerting-rules.yaml
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: mail-critical-alerts
  namespace: mail-system
spec:
  groups:
    - name: mail.critical
      rules:
        - alert: MailServiceDown
          expr: up{job=~"postfix|dovecot"} == 0
          for: 2m
          labels:
            severity: critical
            team: infrastructure
          annotations:
            summary: "Critical mail service {{ $labels.job }} is down"
            description: "{{ $labels.job }} service has been down for more than 2 minutes"
            runbook_url: "https://wiki.company.com/mail-service-down"
        - alert: MailQueueBacklog
          expr: postfix_showq_messages_total > 10000
          for: 5m
          labels:
            severity: warning
            team: infrastructure
          annotations:
            summary: "Mail queue backlog detected"
            description: "Mail queue has {{ $value }} messages pending"
            runbook_url: "https://wiki.company.com/mail-queue-backlog"
        - alert: DiskSpaceMailStorage
          expr: 100 - (node_filesystem_avail_bytes{mountpoint="/var/mail"} / node_filesystem_size_bytes{mountpoint="/var/mail"} * 100) > 85
          for: 10m
          labels:
            severity: warning
            team: infrastructure
          annotations:
            summary: "Mail storage disk space running low"
            description: "Mail storage is {{ $value }}% full"
            runbook_url: "https://wiki.company.com/disk-cleanup"
```
## Conclusion

Running Mail-in-a-Box successfully in an enterprise environment takes a comprehensive enterprise-architecture approach that goes well beyond containerization alone.

### Key success factors

- Microservice decomposition: scale each component independently
- High-availability design: redundancy and automatic failover
- Security hardening: network policies, secrets management and regular security audits
- Operational automation: GitOps-based deployment and monitoring

### Expected outcomes

- Cost reduction: 70% savings compared with external mail services
- Data sovereignty: full control over email data
- Custom configuration: flexible setup that matches enterprise policies
- Scalability: support for thousands of users

The proven stability of Mail-in-a-Box, backed by 14.6k GitHub stars, together with the enterprise enhancements in this guide, provides a solid foundation for an enterprise mail server that meets modern operational requirements.

### Additional resources: