
docs: Kubernetes - Add proxy example with Traefik #3865

Closed
cfis opened this issue Feb 2, 2024 · 10 comments · Fixed by #3928
Labels: area/documentation, kind/improvement, orchestrator/kubernetes, service/dovecot, service/postfix

Comments

@cfis

cfis commented Feb 2, 2024

Subject

I would like to configure a not documented mail server use case

Description

This could be nice to add to the Kubernetes documentation page.

This is an example of configuring Traefik as a reverse proxy that was taken from a PR request (docker-mailserver/docker-mailserver-helm#62).

Running behind Traefik as reverse proxy

Setup according to the official DMS guide with traefik.

`values.yaml`:

```yaml
service:
  type: ClusterIP
  behind_proxy: true
  proxy_trusted_networks: "10.42.0.0/16"
```

Using the following TCP Routes:

```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: smtp
  namespace: mail
spec:
  entryPoints:
    - smtp
  routes:
    - match: HostSNI(`*`)
      services:
        - name: mail-docker-mailserver
          namespace: mail
          port: 25
          proxyProtocol:
            version: 1
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: smtps
  namespace: mail
spec:
  entryPoints:
    - smtps
  tls:
    passthrough: true
  routes:
    - match: HostSNI(`*`)
      services:
        - name: mail-docker-mailserver
          namespace: mail
          port: 465
          proxyProtocol:
            version: 1
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: imaps
  namespace: mail
spec:
  entryPoints:
    - imaps
  tls:
    passthrough: true
  routes:
    - match: HostSNI(`*`)
      services:
        - name: mail-docker-mailserver
          namespace: mail
          port: 10993
          proxyProtocol:
            version: 2
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: submission
  namespace: mail
spec:
  entryPoints:
    - submission
  routes:
    - match: HostSNI(`*`)
      services:
        - name: mail-docker-mailserver
          namespace: mail
          port: 587
          proxyProtocol:
            version: 1
```
@cfis cfis added the meta/help wanted The OP requests help from others - chime in! :D label Feb 2, 2024
@polarathene
Member

Feel free to contribute it to the docs, it's just markdown 👍

https://github.com/docker-mailserver/docker-mailserver/blob/v13.3.1/docs/content/config/advanced/kubernetes.md

We do have some extra syntax you can use, such as the purple collapsed admonition feature:

````markdown
??? example "HAProxy Example"
    ```yaml
    kind: ConfigMap
    apiVersion: v1
    ```
````

This is just `??? example` (`???` for collapsed, `example` is the admonition type), followed by content indented 4 spaces to place it inside. Really easy! :)


If you want to work on it locally to see a live preview before your PR, just clone the repo and run this:

```bash
docker run --rm -it -p 80:8000 -v "./docs:/docs" squidfunk/mkdocs-material
```

You can then view the docs at http://localhost:80, they'll live update in the browser each time you save the file.

Then later, once you submit a PR; the CI will also build a preview we can all check before merging it.

@georglauterbach
Member

georglauterbach commented Feb 2, 2024

I am using Traefik as well, but not for DMS yet; hence, these changes are very intriguing to me!

Just a quick question here that immediately struck me:

  1. Does Postfix/Dovecot only support ProxyProtocol v1?
  2. And why do we not forward the traffic in the IngressRouteTCP to the proxied ports of Postfix (i.e., 10465 and 10587)?
```yaml
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: smtps
  namespace: mail
spec:
  entryPoints:
    - smtps
  tls:
    passthrough: true
  routes:
    - match: HostSNI(`*`)
      services:
        - name: mail-docker-mailserver
          namespace: mail
          port: subs-proxy # <-- !!! i.e. 10465 ? !!!
          proxyProtocol:
            version: 1
```

  3. Finally, what is the actual benefit? TLS passthrough on Traefik's side will require TLS termination on the mail server's side, correct? If so, could we also let Traefik handle TLS completely?

@polarathene
Member

> 3. If so, could we also let Traefik handle TLS completely?

  • There are issues with Traefik and StartTLS support IIRC. I chimed in on one of those so you'd find details there.
  • TLS passthrough delegates to the service, so I don't think Traefik has anything to do with TLS / certs in that case if this was for port 465?
  • Likewise for port 587 (or any other STARTTLS port) with passthrough Traefik shouldn't be an issue and AFAIK that is the way to go from our Traefik users configs / troubleshooting in our issues history.

I don't use Traefik myself, or have much familiarity with the Proxy Protocol, I know we have a couple docs pages with several examples covering both of those, so it'd be good if they get a review to ensure they're not stale 👍

When the test suite migrates to compose.yaml, it may also be good to have a reverse proxy integration test 🤔

@cfis
Author

cfis commented Feb 2, 2024

Well, speaking of the PROXY protocol - see #3866.

@cfis
Author

cfis commented Feb 2, 2024

@georglauterbach - Sure, I'm not using Traefik so I don't know the best setup. Remember though the ingress spec does not support TCP routes (the new Gateway API does though)!

I'm using ingress-nginx, which has a different way of proxying traffic:

Version 3.5+ and higher of postfix support Proxy protocol 2. Not sure about dovecot, but it's working fine with whatever version ingress-nginx is using.

@polarathene polarathene changed the title Kubernetes Traefix Proxy Example docs: Kubernetes - Add proxy example with Traefik Feb 3, 2024
@polarathene
Member

Here's my comment citing issues with Traefik and STARTTLS.


> 1. Does Postfix/Dovecot only support ProxyProtocol v1?
  • Postfix supports HAProxy v2 (Presumably ProxyProtocol v2) since Postfix 3.5 (Released March 2020, available since Debian Bullseye in Aug 2021)
  • Finding equivalent information from Dovecot wasn't as easy. Probably could verify by looking through source but we have this issue with a config that implies version 2 is supported as well.

> Finally, what is the actual benefit?

I forgot to mention the benefit of the proxy is to preserve the real client IP (if that wasn't already clear), avoiding problems from all external traffic appearing to come from a single IP / container.
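
What the mail-server end of these routes has to do with the header Traefik prepends, as an added example for this thread (not code from DMS, Postfix, Dovecot or Traefik): it parses PROXY protocol v1 (the text form used on the 25/465/587 routes in the first post) and v2 (the binary form used on the 10993 route), recovers the real client address that is the point of the proxy, and only honours a header from a peer inside a trusted range, which is the job the chart's `proxy_trusted_networks: "10.42.0.0/16"` value stands for. The gate matters because a header accepted from an untrusted peer would let a direct connection claim any source IP and so sidestep per-IP controls. The addresses, ports and payloads are constructed sample data; refusing untrusted peers outright on the proxied port is this example's own choice, not a description of how Postfix or Dovecot apply the setting.

```python
"""PROXY protocol v1/v2 receiver with a trusted-proxy gate (added example,
not DMS, Postfix, Dovecot or Traefik code; all sample data is constructed)."""
from __future__ import annotations

import ipaddress
import struct
from dataclasses import dataclass

# Fixed 12-byte signature that opens every v2 header.
V2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"


@dataclass
class ProxyInfo:
    version: int
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_v1(data: bytes) -> tuple[ProxyInfo, bytes]:
    """v1 is one ASCII line 'PROXY TCP4 <src> <dst> <sport> <dport>\\r\\n', at most 107 bytes."""
    end = data.find(b"\r\n")
    if end < 0 or end > 105:
        raise ValueError("v1 header not terminated within 107 bytes")
    fields = data[:end].decode("ascii").split(" ")
    if len(fields) != 6 or fields[0] != "PROXY" or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed v1 header")
    src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    want = 4 if fields[1] == "TCP4" else 6
    if src.version != want or dst.version != want:
        raise ValueError("address family does not match declared protocol")
    sport, dport = int(fields[4]), int(fields[5])
    if not (0 < sport < 65536 and 0 < dport < 65536):
        raise ValueError("port out of range")
    return ProxyInfo(1, str(src), sport, str(dst), dport), data[end + 2:]


def parse_v2(data: bytes) -> tuple[ProxyInfo | None, bytes]:
    """v2 is binary: signature, version/command, family/protocol, length, addresses.
    Returns None for the LOCAL command (the proxy's own traffic, e.g. health checks)."""
    if len(data) < 16 or data[:12] != V2_SIGNATURE:
        raise ValueError("missing v2 signature")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("not a v2 header")
    body, rest = data[16:16 + length], data[16 + length:]
    if len(body) != length:
        raise ValueError("truncated v2 header")
    if ver_cmd & 0x0F == 0:  # LOCAL command: keep the real peer address
        return None, rest
    if fam_proto == 0x11:    # AF_INET + STREAM: 4+4 byte addresses, two ports
        need, fmt = 12, "!4s4sHH"
    elif fam_proto == 0x21:  # AF_INET6 + STREAM: 16+16 byte addresses, two ports
        need, fmt = 36, "!16s16sHH"
    else:
        raise ValueError("unsupported family/protocol")
    if len(body) < need:
        raise ValueError("v2 address block too short")
    s, d, sp, dp = struct.unpack(fmt, body[:need])
    return ProxyInfo(2, str(ipaddress.ip_address(s)), sp, str(ipaddress.ip_address(d)), dp), rest


def build_v2_header(src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> bytes:
    """Build a v2 PROXY header the way a proxy would; used here only to construct sample input."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src.version != dst.version:
        raise ValueError("mixed address families")
    fam_proto = 0x11 if src.version == 4 else 0x21
    body = src.packed + dst.packed + struct.pack("!HH", src_port, dst_port)
    return V2_SIGNATURE + struct.pack("!BBH", 0x21, fam_proto, len(body)) + body


def accept_connection(peer_ip: str, data: bytes, trusted_networks: list[str]) -> tuple[str, bytes]:
    """Return (effective client IP, application bytes following the header).

    Fails closed: a peer outside trusted_networks is refused on this port, so a
    direct connection cannot forge a header and claim another source address."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in ipaddress.ip_network(n) for n in trusted_networks):
        raise ValueError(f"peer {peer_ip} is not a trusted proxy")
    if data.startswith(V2_SIGNATURE):
        info, rest = parse_v2(data)
    elif data.startswith(b"PROXY "):
        info, rest = parse_v1(data)
    else:
        raise ValueError("trusted proxy sent no PROXY header")
    return (peer_ip if info is None else info.src_ip), rest


def is_accepted(peer_ip: str, data: bytes, trusted_networks: list[str]) -> bool:
    try:
        accept_connection(peer_ip, data, trusted_networks)
        return True
    except ValueError:
        return False


# Constructed samples: v1 in front of an SMTP greeting (the port 25 route),
# v2 in front of an IMAP command (the port 10993 route).
TRUSTED = ["10.42.0.0/16"]
SAMPLE_V1 = b"PROXY TCP4 203.0.113.7 10.42.3.9 51234 25\r\nEHLO client.example\r\n"
SAMPLE_V2 = build_v2_header("203.0.113.7", 51234, "10.42.3.9", 10993) + b"a1 CAPABILITY\r\n"

if __name__ == "__main__":
    for label, data in (("v1/25", SAMPLE_V1), ("v2/10993", SAMPLE_V2)):
        client, rest = accept_connection("10.42.0.5", data, TRUSTED)
        print(f"{label}: real client {client}, payload starts {rest[:16]!r}")
    print("direct connection accepted:", is_accepted("198.51.100.2", SAMPLE_V1, TRUSTED))
```

Running it shows both routes yielding the same real client address (203.0.113.7) in front of untouched SMTP and IMAP payloads, while the same bytes arriving from a peer outside 10.42.0.0/16 are refused. The `proxyProtocol.version` in each IngressRouteTCP only changes which of the two parsers runs; the trust check is what keeps the recovered address meaningful.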

@georglauterbach
Member

Thanks for the update! Preserving the client IP makes sense; but this can also be achieved in other ways; hence I was not sure whether there are more benefits to using a proxy.

@polarathene
Member

Just chiming in to say that I noticed v3 of Traefik got merged into their master branch recently, so that may get released in the near future. It has changes notably in deprecating some existing k8s config/support in favor of non-alpha/beta status.

If anyone contributes docs for this issue, they should wait until v3 👍

@github-actions
Contributor

This issue has become stale because it has been open for 20 days without activity.
This issue will be closed in 10 days automatically unless:

  • a maintainer removes the meta/stale label or adds the stale-bot/ignore label
  • new activity occurs, such as a new comment

@github-actions github-actions bot added the meta/stale This issue / PR has become stale and will be closed if there is no further activity label Feb 26, 2024
@georglauterbach georglauterbach removed meta/help wanted The OP requests help from others - chime in! :D meta/stale This issue / PR has become stale and will be closed if there is no further activity service/security/fail2ban area/configuration (file) area/networking labels Feb 26, 2024
@georglauterbach georglauterbach self-assigned this Feb 26, 2024
@georglauterbach georglauterbach added this to the v14.0.0 milestone Feb 26, 2024
@georglauterbach
Member

I will take this and update the docs.
