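# docker-mailserver (DMS) with Active Directory as the account backend:
# Postfix, Dovecot and saslauthd all resolve and authenticate users over LDAP.
services:
  mailserver:
    # NOTE(review): `latest` is a moving tag. Pin a release tag or image digest
    # so upgrades of the mail stack are deliberate and reproducible.
    image: ghcr.io/docker-mailserver/docker-mailserver:latest
    container_name: mailserver
    # Set the hostname to your actual mail server (not the DC)
    hostname: mail.bytetrail.at
    extra_hosts:
      # Static name -> IP entry for the domain controller used as LDAP server.
      - "WIN-GKCQRMNC3AU.bytetrail.local:192.168.56.10"
    ports:
      - "25:25"
      - "143:143"
      - "587:587"
      - "993:993"
    volumes:
      - ./dms/mail-data/:/var/mail/
      - ./dms/mail-state/:/var/mail-state/
      - ./dms/mail-logs/:/var/log/mail/
      - ./dms/config/:/tmp/docker-mailserver/
      # Certificate and private key are mounted read-only.
      - ./mailserver-certs/:/tmp/dms/custom-certs/:ro
      - /etc/localtime:/etc/localtime:ro
    environment:
      - ENABLE_SPAMASSASSIN=1
      - ENABLE_CLAMAV=1
      - ENABLE_FAIL2BAN=1
      - ENABLE_POSTGREY=1

      # >>> LDAP / Active Directory basic connection
      - ACCOUNT_PROVISIONER=LDAP
      # Plain ldap:// upgraded with StartTLS by the three settings below.
      # NOTE(review): confirm the DC certificate is actually validated by the
      # LDAP clients in the container; StartTLS without verification does not
      # protect the bind password against an active man-in-the-middle.
      - LDAP_SERVER_HOST=ldap://WIN-GKCQRMNC3AU.bytetrail.local
      - LDAP_START_TLS=yes
      - DOVECOT_TLS=yes
      - SASLAUTHD_LDAP_START_TLS=yes

      # Bind user: a dedicated service account, not the built-in Administrator.
      # It should need read access only to the attributes queried below
      # (verify its permissions in AD).
      - LDAP_BIND_DN=CN=Mailserver Service Account,OU=Server,DC=bytetrail,DC=local
      # The bind password is no longer stored in this file. Supply it through
      # the environment or an untracked .env file next to this compose file
      # (single-quote the value there so any `$` in it stays literal); compose
      # aborts with the message below when it is missing. A password that was
      # ever committed in this file should be rotated.
      - "LDAP_BIND_PW=${LDAP_BIND_PW:?LDAP_BIND_PW is not set}"
      - LDAP_SEARCH_BASE=DC=bytetrail,DC=local

      # >>> Postfix LDAP integration
      - LDAP_QUERY_FILTER_DOMAIN=(mail=*@%s)
      - LDAP_QUERY_FILTER_USER=(&(objectclass=person)(mail=%s))
      - LDAP_QUERY_FILTER_ALIAS=(&(objectclass=person)(proxyAddresses=smtp:%s))
      - LDAP_QUERY_FILTER_GROUP=(&(objectClass=group)(mail=%s))

      # SPOOF_PROTECTION: note the "CN=Domänen-Admins" group from your
      # screenshot in the senders filter.
      # NOTE(review): the memberOf clause is OR-ed with the address checks, so
      # it matches every member of Domänen-Admins regardless of the sender
      # address. That appears to let those accounts send as any address even
      # with SPOOF_PROTECTION=1. Confirm this is intended; a stolen mail
      # password of such an account could then be used to impersonate any
      # sender, and privileged AD accounts are better kept out of mail logins.
      - SPOOF_PROTECTION=1
      - LDAP_QUERY_FILTER_SENDERS=(|(mail=%s)(proxyAddresses=smtp:%s)(memberOf=CN=Domänen-Admins,CN=Users,DC=bytetrail,DC=local))

      # >>> Dovecot LDAP integration
      # Dovecot authenticates by binding to LDAP as the user.
      - DOVECOT_AUTH_BIND=yes
      - DOVECOT_USER_FILTER=(&(objectclass=person)(sAMAccountName=%n))
      - DOVECOT_PASS_ATTRS=sAMAccountName=user,userPassword=password
      # AD workaround per the docs: hard-coded UID/GID 5000 to avoid
      # permission problems
      - DOVECOT_USER_ATTRS==uid=5000,=gid=5000,=home=/var/mail/%Ln,=mail=maildir:~/Maildir

      # >>> SASL LDAP authentication
      - ENABLE_SASLAUTHD=1
      - SASLAUTHD_MECHANISMS=ldap
      - SASLAUTHD_LDAP_FILTER=(&(sAMAccountName=%U)(objectClass=person))

      # TLS for the mail services: certificate and key come from the
      # read-only custom-certs mount above.
      - SSL_TYPE=manual
      - SSL_CERT_PATH=/tmp/dms/custom-certs/cert.pem
      - SSL_KEY_PATH=/tmp/dms/custom-certs/key.pem

      # NOTE(review): PERMIT_DOCKER=host adds the Docker host to Postfix's
      # trusted networks, so mail arriving from that address is relayed
      # without authentication. Check that externally originated connections
      # cannot reach the container with the host/gateway address as their
      # source (this depends on Docker's proxy/NAT and IPv6 setup); if nothing
      # on the host needs unauthenticated relay, `none` is the safer value.
      - PERMIT_DOCKER=host
    cap_add:
      # Needed by Fail2Ban to manage firewall rules inside the container.
      - NET_ADMIN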