Mailserver behind HAProxy #1523

Closed
2 of 6 tasks
dfoxg opened this issue May 23, 2020 · 3 comments

@dfoxg

dfoxg commented May 23, 2020

Subject

  • I would like to contribute to the project (code, documentation, advocacy, integration, ...)
  • I would like some help for integrating this container with another service (rainloop, PostFWD, ...)
  • I would like to configure a not documented mail server use case
  • I would like some feedback concerning a use case
  • I have questions about TLS/SSL/STARTTLS/OpenSSL
  • Other

Description

In my setup there is a HAProxy in front of my Docker Swarm cluster. I want to integrate the mailserver, but don't want to expose the ports directly from the Swarm nodes. Also, my HAProxy takes care of the SSL certificates. So my idea is the following:

HAProxy (TCP-Ports 993 and 465, with SSL-Offloading) -> Swarm-Node (TCP-Ports 143 and 587).

Is this possible?

My configs are the following:

HAProxy

# Floating IP. SMTP
listen lb_smtp_465
        bind xxx:465 ssl crt /media/shared/ssl/
        mode tcp

        timeout client 30000

        # use unencrypted port 587; haproxy does the ssl
        server email_l0004 10.0.0.4:587 check


# Floating IP. IMAP
listen lb_imap_993
        bind xxx:993 ssl crt /media/shared/ssl/
        mode tcp

        timeout client 30000

        # use unencrypted port 143; haproxy does the ssl
        server email_l0004 10.0.0.4:143 check

Docker:
Env-File:

ENABLE_SPAMASSASSIN=1
ENABLE_CLAMAV=1
ENABLE_POSTGREY=1
ONE_DIR=1
OVERRIDE_HOSTNAME=mail.xxx
OVERRIDE_DOMAINNAME=mail.xxx
POSTMASTER_ADDRESS=admin@xxx
SSL_TYPE=empty

Compose:

  mail:
    image: tvial/docker-mailserver:latest
    logging:
      driver: loki
      options:
        loki-url: "https://xxxx/loki/api/v1/push"
    ports:
      # unencrypted esmtp
      - target: 587
        published: 587
        protocol: tcp
        mode: host
      # unencrypted imap
      - target: 143
        published: 143
        protocol: tcp
        mode: host
    volumes:
      - /media/shared/docker/mailserver/maildata:/var/mail
      - /media/shared/docker/mailserver/mailstate:/var/mail-state
      - /media/shared/docker/mailserver/config:/tmp/docker-mailserver
    env_file: /media/shared/configs/swarm/mailserver/docker-mailserver.env
    networks:
      - default
    deploy:
      replicas: 1
      placement:
        constraints:
          - node.labels.mail == 1

Thanks for helping!

@erik-wramner
Contributor

It will be odd as I think 587 will insist on STARTTLS and the client has already connected with TLS on port 465. I think it makes more sense to let haproxy connect to the encrypted ports. It will be a little bit slower but if you don't want to configure proper TLS in the mail server you can make haproxy trust the self-signed certs.

@dfoxg
Author

dfoxg commented May 25, 2020

Thanks for the tip, I will try it.

@dfoxg
Author

dfoxg commented May 25, 2020

It works now. Here are my configs:

HAProxy

# Floating IP. EMAIL
listen lb_smtp_465
        bind xxx:465
        mode tcp
        option tcplog

        server email_l0004 10.0.0.4:465 send-proxy


# Floating IP. SMTP 25
listen lb_smtp_25
        bind xxx:25
        mode tcp
        option tcplog

        server email_l0004 10.0.0.4:25 send-proxy


# Floating IP Email IMAP
listen lb_imap_993
        bind xxx:993
        mode tcp
        option tcplog

        server email_l0004 10.0.0.4:10993 send-proxy-v2

Docker-Compose:

services:
  mail:
    image: tvial/docker-mailserver:latest
    logging:
      driver: loki
    ports:
      - target: 25
        published: 25
        protocol: tcp
        mode: host
      - target: 465
        published: 465
        protocol: tcp
        mode: host
      - target: 10993
        published: 10993
        protocol: tcp
        mode: host
    volumes:
      - /media/shared/docker/mailserver/maildata:/var/mail
      - /media/shared/docker/mailserver/mailstate:/var/mail-state
      - /media/shared/docker/mailserver/config:/tmp/docker-mailserver
      - /media/shared/configs/swarm/mailserver/config/dovecot-haproxy.conf:/etc/dovecot/conf.d/haproxy.conf
      - /media/shared/configs/swarm/mailserver/certs/fullchain.pem:/etc/letsencrypt/live/mail.fuchs-informatik.de/fullchain.pem
      - /media/shared/configs/swarm/mailserver/certs/privkey.pem:/etc/letsencrypt/live/mail.fuchs-informatik.de/privkey.pem
    env_file: /media/shared/configs/swarm/mailserver/docker-mailserver.env
    networks:
      - default
    deploy:
      replicas: 1
      placement:
        constraints:
          - node.labels.mail == 1

Env-File:

ENABLE_SPAMASSASSIN=1
SPAMASSASSIN_SPAM_TO_INBOX=1
ENABLE_CLAMAV=1
ENABLE_POSTGREY=1
ONE_DIR=1
OVERRIDE_HOSTNAME=mail.fuchs-informatik.de
POSTMASTER_ADDRESS=admin@fuchs-informatik.de
SSL_TYPE=letsencrypt

Custom Dovecot:

haproxy_timeout = 5 secs
haproxy_trusted_networks = 10.0.0.1 10.0.0.2
service imap-login {
  inet_listener imaps {
    haproxy = yes
    ssl = yes
    port = 10993
  }
}

Postfix main.cf:

postscreen_upstream_proxy_protocol = haproxy

Postfix master.cf:

#https://github.com/tomav/docker-mailserver/wiki/Using-in-Kubernetes
submission/inet/smtpd_upstream_proxy_protocol=haproxy
smtps/inet/smtpd_upstream_proxy_protocol=haproxy
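The working configuration above relies on HAProxy's `send-proxy` / `send-proxy-v2` and on Dovecot and Postfix reading the PROXY protocol header so that they still see the real client address, with `haproxy_trusted_networks` limiting who may supply that header. The following is an added example, not code from this issue or from docker-mailserver: a small Python model of both header formats (v1 text, v2 binary) and of the trusted-peer check a `haproxy = yes` listener applies. All function names are the example's own, and the client addresses and payloads are constructed samples; the trusted-network value is the one from the Dovecot config above.

```python
"""PROXY protocol v1/v2 header parsing with a trusted-proxy check.

Added example (not code from this issue or from docker-mailserver). It models
what a Dovecot listener with `haproxy = yes` (and Postfix with
`smtpd_upstream_proxy_protocol = haproxy`) does with the header that HAProxy
prepends for `send-proxy` (v1, text) and `send-proxy-v2` (v2, binary), and why
`haproxy_trusted_networks` must list only the proxies themselves.
"""
import ipaddress
import struct
from dataclasses import dataclass

PROXY_V2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"


class ProxyProtocolError(ValueError):
    pass


@dataclass
class ProxyInfo:
    version: int
    src_ip: str    # the real client, as seen by HAProxy
    dst_ip: str
    src_port: int
    dst_port: int


def parse_proxy_v1(data: bytes):
    """Parse 'PROXY TCP4 <src> <dst> <sport> <dport>\\r\\n'; returns (info, rest)."""
    end = data.find(b"\r\n", 0, 108)          # spec: whole line is at most 108 bytes
    if end < 0:
        raise ProxyProtocolError("v1 header not CRLF-terminated within 108 bytes")
    try:
        text = data[:end].decode("ascii")
    except UnicodeDecodeError as exc:
        raise ProxyProtocolError("v1 header is not ASCII") from exc
    fields = text.split(" ")
    if len(fields) != 6 or fields[0] != "PROXY" or fields[1] not in ("TCP4", "TCP6"):
        raise ProxyProtocolError("malformed v1 header (UNKNOWN carries no client address)")
    try:
        src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
        sport, dport = int(fields[4]), int(fields[5])
    except ValueError as exc:
        raise ProxyProtocolError(f"bad address or port: {exc}") from exc
    want = 4 if fields[1] == "TCP4" else 6
    if src.version != want or dst.version != want or not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ProxyProtocolError("address family or port inconsistent with header")
    return ProxyInfo(1, str(src), str(dst), sport, dport), data[end + 2:]


def parse_proxy_v2(data: bytes):
    """Parse the binary v2 header; returns (info, rest), with info=None for LOCAL."""
    if len(data) < 16 or not data.startswith(PROXY_V2_SIGNATURE):
        raise ProxyProtocolError("missing v2 signature")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    body, rest = data[16:16 + length], data[16 + length:]
    if ver_cmd >> 4 != 2 or len(body) != length:
        raise ProxyProtocolError("bad v2 version or truncated header")
    if ver_cmd & 0x0F == 0x0:                 # LOCAL: the proxy's own health check
        return None, rest
    if ver_cmd & 0x0F != 0x1:
        raise ProxyProtocolError("unknown v2 command")
    layout = {0x11: "!4s4sHH", 0x21: "!16s16sHH"}.get(fam_proto)   # TCP/IPv4, TCP/IPv6
    if layout is None or length < struct.calcsize(layout):
        raise ProxyProtocolError(f"unsupported or short address block 0x{fam_proto:02x}")
    src, dst, sport, dport = struct.unpack_from(layout, body)
    return ProxyInfo(2, str(ipaddress.ip_address(src)), str(ipaddress.ip_address(dst)), sport, dport), rest


def build_proxy_v2(src_ip: str, dst_ip: str, sport: int, dport: int) -> bytes:
    """Build the v2 header that `send-proxy-v2` emits for a TCP connection (for tests)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    fam, layout = (0x11, "!4s4sHH") if src.version == 4 else (0x21, "!16s16sHH")
    body = struct.pack(layout, src.packed, dst.packed, sport, dport)
    return PROXY_V2_SIGNATURE + struct.pack("!BBH", 0x21, fam, len(body)) + body


def parse_trusted_networks(value: str):
    """Parse a `haproxy_trusted_networks` value ("10.0.0.1 10.0.0.2") into networks."""
    return [ipaddress.ip_network(tok, strict=False) for tok in value.split()]


def accept_connection(peer_ip: str, data: bytes, trusted_networks):
    """Model of a listener with haproxy=yes: the header is honoured only when the
    TCP peer is a trusted proxy; other peers are rejected, because whoever can
    send this header chooses the client IP that logging, postscreen and auth
    policy will see."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in trusted_networks):
        raise ProxyProtocolError(f"PROXY header from untrusted peer {peer_ip}")
    if data.startswith(PROXY_V2_SIGNATURE):
        return parse_proxy_v2(data)
    if data.startswith(b"PROXY "):
        return parse_proxy_v1(data)
    raise ProxyProtocolError("expected PROXY header, got application data")


if __name__ == "__main__":
    trusted = parse_trusted_networks("10.0.0.1 10.0.0.2")          # value from the Dovecot config
    hdr = b"PROXY TCP4 203.0.113.5 10.0.0.4 51234 465\r\n"         # constructed sample
    print(accept_connection("10.0.0.1", hdr + b"EHLO client\r\n", trusted))
```

The point of the trusted-peer check: in the compose file above, ports 25, 465 and 10993 are published in `mode: host`, so they are reachable by anything that can reach the Swarm node, not only by HAProxy. Without `haproxy_trusted_networks` (and the equivalent restriction on the Postfix side), any such peer could prepend its own header and appear with an arbitrary client address in logs, postscreen decisions and per-client policy. Keeping the list to the proxy addresses (`10.0.0.1 10.0.0.2` here) is what makes the header trustworthy.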
