question: How to configure Traefik to proxy inbound mail connections via Port 25 (StartTLS) #3563
Comments
You haven't filled in the bug template properly. It's usually helpful, not just for maintainers but for others who arrive here with the same issue, to have more information about your configuration. Just to confirm, have you verified you can connect to port 465 via Traefik? Two users are currently struggling with this, with Thunderbird unable to connect via Traefik to submit mail, but successful when connecting to the DMS port 465 directly:
ESMTP is an improvement on SMTP, but it's not a specific port. You refer to sending mail, and to having to enable TLS passthrough for it to work. Are you referring to port 465 or 587 here? Or also to outbound port 25?
Can you clarify the difference between:
Internal mail sent from outside? Is this referring to a mail client like Thunderbird successfully connecting to DMS to send mail to a DMS mail account?
Send mail to outside. How are you testing this one? Is your mail client from the outside not able to accomplish this as well? It should, if it connects to DMS on port 587 / 465, as that authenticates with a DMS account to establish trust. Port 25 is not given this trust, as there is no authentication (since the port is only intended for receiving inbound mail, and sending authorized outbound mail).
By "another", do you mean you can receive mail for an account that DMS will accept? How does it differ from one that fails? Or are you referring to only mail with a sender address of a DMS account being accepted? Sharing your configuration here would be helpful. I'd like to know:
See the last section of my response here. It should be helpful to debug against the internal DMS container, and also against the Traefik port from the host/container that should route to DMS.
Yes, ports 465 and 993 work correctly; I just need to add "tls.passthrough=true" for each in the Traefik config.
ESMTP is port 465 in my configuration.
The mail account I use on DMS is test@domain.eu; I can send a mail to test2@domain.eu with success.
I can send a mail from test@domain.eu to test@gmail.com.
If I send a mail from test@gmail.com to test@domain.eu, I don't receive the mail.
Yes, I use a subdomain like mail.domain.eu.
Can you drop the Traefik reverse proxy for port 25, and verify that DMS will work correctly then?
Yes, DMS works correctly on port 25 without Traefik.
You should share more information, such as your config, then. The two other Traefik issues AFAIK have port 25 working with Traefik to receive mail, but unlike you they have trouble with port 465 🤷‍♂️ Something must be different between your configs or environments. Both seem to have configured port 25 like this (which seems to match an example from our docs):

```yaml
labels:
  - "traefik.enable=true"
  - "traefik.tcp.routers.smtp.rule=HostSNI(`*`)"
  - "traefik.tcp.routers.smtp.entrypoints=smtp"
  - "traefik.tcp.routers.smtp.service=smtp"
  - "traefik.tcp.services.smtp.loadbalancer.server.port=25"
  - "traefik.tcp.services.smtp.loadbalancer.proxyProtocol.version=1"
```

If I understand the Traefik docs right, this leaves TLS enabled to be terminated by Traefik (no passthrough), but this port, like 587, should not be using implicit TLS. See the following references:
It seems you need to use a plain TCP router, and have the connection negotiate STARTTLS from the client to DMS. Traefik can't leverage SNI in a router without TLS, so the rule must be the wildcard.
I have pretty much the same for port 25, but I don't use "traefik.tcp.services.smtp.loadbalancer.server.port=25" because on the server side the port is not 25. I use Consul/Nomad as service discovery/orchestrator, so the port diagram is like this:

```mermaid
flowchart LR
    A[outside] -->|port 25| B[traefik]
    B -->|random port| C[docker]
    C -->|port 25| D[postfix]
```

Traefik config file:
Did you follow the advice in my last message to ensure the Traefik port 25 router is not using TLS? As mentioned here, Traefik doesn't yet support STARTTLS, so the advice is to:
The same should work for port 587 or any other DMS port with STARTTLS. You only need to be concerned with port 25, and can use implicit TLS everywhere else though.
Yes, I have tried turning TLS off on the Traefik router, and I get the same issue.
I am out of ideas then 😅 Perhaps your addition of consul / nomad is affecting this in some way since the other Traefik users don't seem to have this problem 🤷♂️ It would be great to know what is different between your environments that causes the inconsistency.
It might turn out that you're affected by this: traefik/traefik#9929. Although that seems to be about Traefik v3, and possibly specific to their Postgres STARTTLS support feature, the discussion at the end seems to suggest it might be a bug with any STARTTLS connection?
Thanks for your help. By the way, do we need to add tls.passthrough=true for the other ports in the DMS docs?
Probably yes, for any port that is for implicit TLS:
Just found the root cause of my proxy issue, according to the Traefik documentation https://doc.traefik.io/traefik/routing/routers/#entrypoints_1, "How to handle Server First protocols?"
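To tie the thread's two findings together (STARTTLS ports need a plain TCP router with the wildcard rule, and SMTP is a server-first protocol), here is a Traefik v2-style configuration for DMS, written as an added example; it is not from the docker-mailserver docs, from Traefik, or from anyone in this thread. The entrypoint names, the `edge` image tag and `mail.domain.eu` are assumptions, `server.port` assumes the container's own port (a Nomad-allocated port would replace it), and the PROXY protocol label assumes Postfix has been configured to expect it.

```yaml
# traefik.yml (static configuration): one entrypoint per mail port.
# Port 25 gets an entrypoint of its own so that nothing TLS-related ever
# shares it (see the comment on the smtp router below).
entryPoints:
  smtp:
    address: ":25"      # inbound MX traffic, STARTTLS, server-first
  submission:
    address: ":587"     # client submission, STARTTLS
  smtps:
    address: ":465"     # client submission, implicit TLS
  imaps:
    address: ":993"     # IMAP, implicit TLS
---
# docker-compose.yml (dynamic configuration, Docker labels on the DMS container).
services:
  mailserver:
    image: ghcr.io/docker-mailserver/docker-mailserver:edge   # tag assumed from the post
    labels:
      - "traefik.enable=true"
      # Port 25: STARTTLS, so NO tls section on this router, and HostSNI(`*`) is
      # mandatory because a non-TLS connection carries no SNI to match on.
      # Traefik only peeks at the client's first bytes (to tell a TLS ClientHello
      # from plain TCP) when a TLS or HTTPS router exists on the same entrypoint.
      # An inbound MTA sends nothing until it has Postfix's 220 banner, so if
      # anything TLS shares the `smtp` entrypoint the session stalls with both
      # sides waiting and DMS never logs a connection.
      - "traefik.tcp.routers.smtp.rule=HostSNI(`*`)"
      - "traefik.tcp.routers.smtp.entrypoints=smtp"
      - "traefik.tcp.routers.smtp.service=smtp"
      - "traefik.tcp.services.smtp.loadbalancer.server.port=25"
      # Optional: hand the real client IP to postscreen. Only keep this if
      # Postfix expects it (DMS: postscreen_upstream_proxy_protocol = haproxy in
      # postfix-main.cf); otherwise Postfix reads the PROXY header as bad SMTP.
      - "traefik.tcp.services.smtp.loadbalancer.proxyProtocol.version=1"
      # Port 587: same shape, STARTTLS negotiated end to end by client and Postfix.
      - "traefik.tcp.routers.submission.rule=HostSNI(`*`)"
      - "traefik.tcp.routers.submission.entrypoints=submission"
      - "traefik.tcp.routers.submission.service=submission"
      - "traefik.tcp.services.submission.loadbalancer.server.port=587"
      # Ports 465 and 993: implicit TLS, passed through so that Postfix/Dovecot
      # terminate TLS with the certificate DMS manages. The ClientHello is
      # readable here, so the rule may name the host instead of using `*`.
      - "traefik.tcp.routers.smtps.rule=HostSNI(`mail.domain.eu`)"
      - "traefik.tcp.routers.smtps.entrypoints=smtps"
      - "traefik.tcp.routers.smtps.service=smtps"
      - "traefik.tcp.routers.smtps.tls.passthrough=true"
      - "traefik.tcp.services.smtps.loadbalancer.server.port=465"
      - "traefik.tcp.routers.imaps.rule=HostSNI(`mail.domain.eu`)"
      - "traefik.tcp.routers.imaps.entrypoints=imaps"
      - "traefik.tcp.routers.imaps.service=imaps"
      - "traefik.tcp.routers.imaps.tls.passthrough=true"
      - "traefik.tcp.services.imaps.loadbalancer.server.port=993"
```

Turning `tls` off on the port 25 router alone, as was tried above, is not sufficient if any TLS or HTTPS router still shares that entrypoint; the dedicated entrypoint is what removes the peek. To check the result from outside, `openssl s_client -starttls smtp -connect mail.domain.eu:25` should print the 220 banner immediately and then upgrade to TLS showing DMS's own certificate, not one issued to Traefik.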
Subject
I would like some feedback concerning a use case.
Description
Hi, I am trying to configure docker-mailserver behind Traefik. The following things work:
- send internal mail from outside
- send mail to outside
Note: for that, I must add "traefik.tcp.routers.esmtp.tls.passthrough=true" to esmtp and imap on Traefik.
But I can't receive mail from another domain behind Traefik, although telnet on port 25 works.
I have tried putting the docker-mailserver port 25 in front, and in that case everything works.
I have correctly set the following parameters (using edge)
and
I also tried changing the Traefik service termination time, but that doesn't work either.
I don't see any log for this request in DMS, so I suppose that Traefik drops the request, but I don't know why, or whether something is missing in the postscreen config for a reverse proxy?
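The symptom in this post (telnet reaches port 25, DMS logs nothing) is exactly what a server-first stall looks like from the outside: the TCP connection opens, but no 220 banner ever arrives. The probe below is an added example, not code from docker-mailserver, Traefik or anyone in this thread; it connects the way an inbound MTA does (send nothing, wait for the banner) and tells apart "no banner at all" (a proxy holding the connection while it waits for client-first bytes), "banner but no STARTTLS", and a healthy endpoint. The two in-process fake servers are constructed test doubles, and all host names are placeholders.

```python
"""Probe an SMTP endpoint the way an inbound MTA does: connect, say nothing,
and wait for the server-first 220 banner."""
import re
import socket
import threading

# "250 xyz" (space) is the last line of a reply; "250-xyz" (dash) continues it.
FINAL_LINE = re.compile(r"^\d{3} ")


def _read_reply(f):
    """Read one possibly multi-line SMTP reply; return its lines without CRLF."""
    lines = []
    while True:
        raw = f.readline()
        if not raw:
            raise ConnectionError("connection closed mid-reply")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if FINAL_LINE.match(line):
            return lines


def probe_smtp(host, port, timeout=2.0):
    """Return {'banner', 'starttls', 'diagnosis'} describing what a client sees."""
    result = {"banner": None, "starttls": False, "diagnosis": None}
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        try:
            banner = _read_reply(f)  # send nothing: a real MTA waits for the server
        except socket.timeout:
            result["diagnosis"] = (
                "no banner within %.1fs: the proxy is holding the connection "
                "waiting for client-first bytes instead of forwarding it" % timeout)
            return result
        result["banner"] = banner[0]
        if not banner[0].startswith("220"):
            result["diagnosis"] = "unexpected greeting: " + banner[0]
            return result
        s.sendall(b"EHLO probe.invalid\r\n")
        ehlo = _read_reply(f)
        result["starttls"] = any(ln[4:].upper().startswith("STARTTLS") for ln in ehlo)
        s.sendall(b"QUIT\r\n")
        result["diagnosis"] = ("ok: server-first banner received and STARTTLS offered"
                               if result["starttls"]
                               else "banner received but STARTTLS not advertised")
    return result


def start_fake_server(handler):
    """Constructed test double: one-shot listener on 127.0.0.1; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with srv, conn:
            try:
                handler(conn)
            except OSError:
                pass  # client already gone; fine for a test double

    threading.Thread(target=run, daemon=True).start()
    return port


def fake_postfix(conn):
    """Stand-in for DMS Postfix reached directly: banner first, STARTTLS on EHLO."""
    conn.sendall(b"220 mail.example.test ESMTP Postfix\r\n")
    for raw in conn.makefile("rb"):
        cmd = raw.strip().upper()
        if cmd.startswith(b"EHLO"):
            conn.sendall(b"250-mail.example.test\r\n250-STARTTLS\r\n250 8BITMIME\r\n")
        elif cmd.startswith(b"QUIT"):
            conn.sendall(b"221 Bye\r\n")
            return


def fake_sniffing_proxy(conn):
    """Stand-in for a TCP proxy that peeks at the client's first bytes (TLS
    ClientHello detection) before picking a backend: it sends nothing, the
    MTA sends nothing, and nobody ever sees a banner."""
    conn.settimeout(10)
    try:
        conn.recv(1024)  # blocks until the client gives up and closes
    except OSError:
        pass


if __name__ == "__main__":
    for name, handler in (("direct Postfix", fake_postfix),
                          ("proxy that waits for the client", fake_sniffing_proxy)):
        print(name, "->", probe_smtp("127.0.0.1", start_fake_server(handler)))
```

Against a real deployment, `probe_smtp("mail.domain.eu", 25)` run from outside the host, and again against the container's own port 25 from inside the Docker network, separates a Traefik routing problem from a Postfix or postscreen one: the container answers with a banner in both the working and the failing setup described above, so a missing banner through Traefik points at the proxy, not at DMS.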