DMS/Roundcube/Caddy - fail2ban blocks docker gateway #3273

peracchi · 2023-04-18T23:11:42Z

peracchi
Apr 18, 2023

DMS/Roundcube/Caddy - fail2ban blocks docker gateway

Complex "puzzle", I suspect that needs configuration at DMS and Roundcube containers.

Caddy container appears to be doing his part: delivering X-Real-IP and X-Forwarded-For to Roundcube.

Problem occurs when someone tries to login on Roundcube... Three failed attempts and fail2ban on Docker Mailserver blocks docker gateway, 172.18.0.1; then, nobody can login on Roundcube until ban expires. Would like to pin/understand right configuration and not circunvent/disable fail2ban.

After two days of intense research, I suspect that solution may envolve:

"$config['use_https'] = true;" and "$config['proxy_whitelist'] = ['172.18.0.0/16'];" on Roundcube
"login_trusted_networks = 172.18.0.0/16" on Dovecot

Tried so many things that I got lost at the problem...

 external IP  | Linux Server with Containers
----------------------------------------------------------------
                          (172.18.0.2)
                |-  80 -|
              |-|       |--- Caddy ---|
              | |- 443 -|             |          (172.18.0.3)
              |                       |      |                 |
              |                       |- 80 -|--- Roundcube ---|
20.112.52.29 -|                              |        |        |
              |                                       |
              |           (172.18.0.4)                |
              | |-  25 -|             |               |
              | |- 143 -|             |               |
              |-|- 465 -|---  DMS  ---|---------------|
                |- 587 -|             |
                |- 993 -|             |
----------------------------------------------------------------
 external IP  | Linux Server with Containers

Caddyfile block relative to Roundcube:

webmail.mydomain.net {
	reverse_proxy http://roundcube:80 {
		header_up X-Real-IP {remote_host}
	}
}

Any ideas/suggestions are welcome.

One year ago I tried to solve this problem but despite some help/ideas I could not discover how to do it.
https://github.com/orgs/docker-mailserver/discussions/2603

Instead of "ressurrect" that old discussion I thought it would be better start a new topic.

# Caddy / docker-compose.yml
version: "3.9"
services:
  caddy:
    image: caddy-with-cloudflare:2.6.4
    hostname: caddy
    container_name: caddy
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
      - "443:443/udp"
    volumes:
      - $PWD/Caddyfile:/etc/caddy/Caddyfile
      - $PWD/srv:/srv
      - data:/data
      - config:/config
volumes:
  data:
  config:
networks:
  default:
    name: caddy_net
    external: true

# OpenLDAP & phpLDAPadmin / docker-compose.yml
version: "3.9"
services:
  openldap:
    image: osixia/openldap:latest
    container_name: openldap
    hostname: ldap
    restart: unless-stopped
    ports:
      #- "389:389"
      - "636:636"
    volumes:
      - config:/etc/ldap/slapd.d
      - data:/var/lib/ldap
      - /var/lib/docker/volumes/caddy_data/_data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/ldap.mydomain.net:/container/service/slapd/assets/certs
    environment:
      LDAP_LOG_LEVEL: 256
      LDAP_ORGANISATION: MYDOMAIN Net
      LDAP_DOMAIN: mydomain.net
      LDAP_BASE_DN: 
      LDAP_ADMIN_PASSWORD: admin-password-123
      LDAP_CONFIG_PASSWORD: config-password-123
      LDAP_READONLY_USER: false
      #LDAP_READONLY_USER_USERNAME: readonly
      #LDAP_READONLY_USER_PASSWORD: readonly
      LDAP_RFC2307BIS_SCHEMA: true
      LDAP_BACKEND: mdb
      LDAP_TLS: true
      LDAP_TLS_CRT_FILENAME: ldap.mydomain.net.crt
      LDAP_TLS_KEY_FILENAME: ldap.mydomain.net.key
      LDAP_TLS_CA_CRT_FILENAME: ldap.mydomain.net.crt
      #LDAP_TLS_DH_PARAM_FILENAME: dhparam.pem
      LDAP_TLS_ENFORCE: false
      LDAP_TLS_CIPHER_SUITE: NORMAL:SECURE256:-VERS-SSL3.0
      LDAP_TLS_VERIFY_CLIENT: try
      LDAP_REPLICATION: false
      KEEP_EXISTING_CONFIG: false
      LDAP_REMOVE_CONFIG_AFTER_SETUP: true
      LDAP_SSL_HELPER_PREFIX: ldap
      LDAP_OPENLDAP_UID: 0
      LDAP_OPENLDAP_GID: 0
    tty: true
    stdin_open: true
    domainname: mydomain.net
  phpldapadmin:
    image: osixia/phpldapadmin:latest
    container_name: phpldapadmin
    hostname: phpldapadmin
    restart: unless-stopped
    #ports:
    # - "8080:80"
    volumes:
      - phpldapadmin:/var/www/phpldapadmin
    environment:
      PHPLDAPADMIN_LDAP_HOSTS: ldap
      PHPLDAPADMIN_HTTPS: false
    depends_on:
      - openldap
volumes:
  config:
  data:
  phpldapadmin:
networks:
  default:
    name: caddy_net
    external: true

# Docker Mailserver / docker-compose.yml
version: "3.9"
services:
  mailserver:
    image: ghcr.io/docker-mailserver/docker-mailserver:12.0.0
    container_name: dms
    hostname: mail
    domainname: mydomain.net
    ports:
      - "25:25"     # SMTP  (explicit TLS => STARTTLS)
      - "143:143"   # IMAP4 (explicit TLS => STARTTLS)
      - "465:465"   # ESMTP (implicit TLS)
      - "587:587"   # ESMTP (explicit TLS => STARTTLS)
      - "993:993"   # IMAP4 (implicit TLS)
      - "4190:4190" # Managesieve
    volumes:
      - $PWD/config/:/tmp/docker-mailserver/
      - $PWD/mail-data/:/var/mail/
      - $PWD/mail-logs/:/var/log/mail/
      - $PWD/mail-state/:/var/mail-state/
      - /etc/localtime:/etc/localtime:ro
      - /var/lib/docker/volumes/caddy_data/_data/caddy/certificates/acme-v02.api.letsencrypt.org-directory:/tmp/dms/custom-certs/:ro
    environment:
      - OVERRIDE_HOSTNAME=mail.mydomain.net
      - LOG_LEVEL=info
      - ACCOUNT_PROVISIONER=LDAP
      - TZ=America/Sao_Paulo
      - SPOOF_PROTECTION=1
      - ENABLE_POLICYD_SPF=0
      - ENABLE_CLAMAV=1
      - ENABLE_RSPAMD=1
      - RSPAMD_LEARN=1
      - RSPAMD_GREYLISTING=1
      - ENABLE_DNSBL=1
      - ENABLE_FAIL2BAN=1
      - FAIL2BAN_BLOCKTYPE=reject
      - ENABLE_MANAGESIEVE=1
      - SSL_TYPE=manual
      - SSL_CERT_PATH=/tmp/dms/custom-certs/mail.mydomain.net/mail.mydomain.net.crt
      - SSL_KEY_PATH=/tmp/dms/custom-certs/mail.mydomain.net/mail.mydomain.net.key
      - POSTFIX_MAILBOX_SIZE_LIMIT=1073741824
      - POSTFIX_MESSAGE_SIZE_LIMIT=52428800
      - PFLOGSUMM_TRIGGER=logrotate
      - LOGWATCH_INTERVAL=weekly
      - REPORT_SENDER=no-reply@mydomain.net
      - LOGROTATE_INTERVAL=monthly
      - POSTFIX_INET_PROTOCOLS=ipv4
      - DOVECOT_INET_PROTOCOLS=ipv4
      - ENABLE_SPAMASSASSIN=1
      - SPAMASSASSIN_SPAM_TO_INBOX=1
      - ENABLE_SPAMASSASSIN_KAM=1
      - MOVE_SPAM_TO_JUNK=1
      - ENABLE_POSTGREY=1
      - LDAP_START_TLS=yes
      - LDAP_SERVER_HOST=ldap
      - LDAP_SEARCH_BASE=dc=mydomain,dc=net
      - LDAP_BIND_DN=cn=admin,dc=mydomain,dc=net
      - LDAP_BIND_PW=admin-password-123
      - LDAP_QUERY_FILTER_DOMAIN=(mail=*@%s)
      - LDAP_QUERY_FILTER_USER=(&(mail=%s)(mailEnabled=TRUE))
      - LDAP_QUERY_FILTER_ALIAS=(&(mailAlias=%s)(mailEnabled=TRUE))
      - LDAP_QUERY_FILTER_GROUP=(&(objectclass=groupOfUniqueNames)(cn=%s))
      - LDAP_QUERY_FILTER_SENDERS=(|(mail=%s)(mailAlias=%s)(mail=admin@*))
      - DOVECOT_USER_FILTER=(&(objectClass=PostfixBookMailAccount)(mail=%u)(mailEnabled=TRUE))
      - DOVECOT_PASS_FILTER=(&(objectClass=PostfixBookMailAccount)(mail=%u)(mailEnabled=TRUE))
      - DOVECOT_AUTH_BIND=yes
      - ENABLE_SASLAUTHD=1
      - SASLAUTHD_MECHANISMS=ldap
      - SASLAUTHD_LDAP_SERVER=ldap
      - SASLAUTHD_LDAP_BIND_DN=cn=admin,dc=mydomain,dc=net
      - SASLAUTHD_LDAP_PASSWORD=admin-password-123
      - SASLAUTHD_LDAP_SEARCH_BASE=dc=mydomain,dc=net
      - SASLAUTHD_LDAP_FILTER=(&(objectClass=PostfixBookMailAccount)(mail=%u@%r)(mailEnabled=TRUE))
    cap_add:
      - NET_ADMIN # For Fail2Ban to work
    restart: always
networks:
  default:
    name: caddy_net
    external: true

# Roundcube / docker-compose.yml
version: "3.9"
services:
  roundcube:
    image: roundcube/roundcubemail:1.6.1-apache
    container_name: roundcube
    hostname: roundcube
    restart: unless-stopped
    volumes:
      - $PWD/config:/var/roundcube/config
      - app:/var/www/html
      - data:/var/roundcube/db
    environment:
      - ROUNDCUBEMAIL_DEFAULT_HOST=tls://mail.mydomain.net
      - ROUNDCUBEMAIL_SMTP_SERVER=tls://mail.mydomain.net
      - ROUNDCUBEMAIL_DB_TYPE=sqlite
      - ROUNDCUBEMAIL_SKIN=elastic
      - ROUNDCUBEMAIL_UPLOAD_MAX_FILESIZE=25M
volumes:
  app:
  data:
networks:
  default:
    name: caddy_net
    external: true

Answered by peracchi

Apr 21, 2023

Finally I made it work only to discover a logical flaw in my idea...

 external IP  | Linux Server with Containers
----------------------------------------------------------------
                          (172.18.0.2)
                |-  80 -|
              |-|       |--- Caddy ---|
              | |- 443 -|             |          (172.18.0.3)
              |                       |      |                 |
              |                       |- 80 -|--- Roundcube ---|
20.112.52.29 -|                              |        |        |
              |                                       |
              |           (172.18.0.4)                |
              | |-  25 -|             |     …

View full answer

polarathene · 2023-04-18T23:42:04Z

polarathene
Apr 18, 2023
Maintainer

- ROUNDCUBEMAIL_DEFAULT_HOST=tls://mail.mydomain.net
- ROUNDCUBEMAIL_SMTP_SERVER=tls://mail.mydomain.net

Your RoundCube is connecting to DMS via the server ingress, so not going through Caddy for the mail login connection (and I don't think Caddy can proxy that, unless using a proxy plugin that I don't recall the status of).

This results in the Gateway IP if IPv6 is used to connect to the server and your container is IPv4 only. Even for IPv4 however, the connection is coming from RoundCube at this point, so I doubt it'd make a difference?

You can connect to the DMS container directly from the RoundCube one, but I don't think that helps with the IP concern? You probably need Fail2Ban to ignore login failures from the RoundCube IP and if you want to still ban on RoundCube failures, then have Fail2Ban configured to monitor RoundCube logs for that and get the correct IP to ban?

4 replies

polarathene Apr 18, 2023
Maintainer

This works?:

- ROUNDCUBEMAIL_DEFAULT_HOST=tls://dms
- ROUNDCUBEMAIL_SMTP_SERVER=tls://dms

TLS may fail to verify certs for dms though. You could probably add to the service config the additional host for mail.mydomain.net to the local container IP (or add it as an alias in the service network maybe), which might work around that without maintaining an extra self-signed cert.

polarathene Apr 18, 2023
Maintainer

For IMAP login, you can apparently have RoundCube connect to Dovecot with the remote IP preserved via a plugin. Although it seems outdated, perhaps there is something newer?

polarathene Apr 18, 2023
Maintainer

On the Dovecot side of things, there is these docs for capturing that information apparently. See related RoundCube issue discussion.

peracchi Apr 19, 2023
Author

Tried with "corbosman/dovecot_ident" but can't make it work. Too old, Roundcube codebase must be changed...

Also trying this other one (newer) but still got no sucess: https://packagist.org/packages/takerukoushirou/roundcube-dovecot_client_ip

peracchi · 2023-04-19T15:45:34Z

peracchi
Apr 19, 2023
Author

Use case: Firefox on Android phone tries to login on Roundcube using existing user with wrong password.

Pay attention that Roundcube received (and knows) X-Real-IP and X-Forwarded-For.

So, some configuration must be done at Roundcube and DMS to use that information, X-Real-IP and/or X-Forwarded-For.

At Roundcube config level, maybe one or more of this parameters must be adjusted:

// tell PHP that it should work as under secure connection
// even if it doesn't recognize it as secure ($_SERVER['HTTPS'] is not set)
// e.g. when you're running Roundcube behind a https proxy
// this option is mutually exclusive to 'force_https' and only either one of them should be set to true.
$config['use_https'] = false;

// List of trusted proxies
// X_FORWARDED_* and X_REAL_IP headers are only accepted from these IPs
$config['proxy_whitelist'] = [];

Complete config file at https://github.com/roundcube/roundcubemail/blob/master/config/defaults.inc.php

At DMS config level, for sure something on Dovecot, like:

https://doc.dovecot.org/configuration_manual/forwarding_parameters/

and

https://doc.dovecot.org/settings/core/#core_setting-login_trusted_networks

Below, pertinent parts of Caddy, DMS and Roundcube logs.

Caddy

{"level":"debug","ts":1681916661.9339685,"logger":"events","msg":"event","name":"tls_get_certificate","id":"b8601155-3447-473f-bb9b-522bbd7da25f","origin":"tls","data":{"client_hello":{"CipherSuites":[4865,4867,4866,49195,49199,52393,52392,49196,49200,49162,49161,49171,49172,156,157,47,53],"ServerName":"webmail.mydomain.net","SupportedCurves":[29,23,24,25,256,257],"SupportedPoints":"AA==","SignatureSchemes":[1027,1283,1539,2052,2053,2054,1025,1281,1537,515,513],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[772,771],"Conn":{}}}}
{"level":"debug","ts":1681916661.934012,"logger":"events","msg":"event","name":"tls_get_certificate","id":"1b68c16c-098b-4cd2-ab51-b32485f52f76","origin":"tls","data":{"client_hello":{"CipherSuites":[4865,4867,4866,49195,49199,52393,52392,49196,49200,49162,49161,49171,49172,156,157,47,53],"ServerName":"webmail.mydomain.net","SupportedCurves":[29,23,24,25,256,257],"SupportedPoints":"AA==","SignatureSchemes":[1027,1283,1539,2052,2053,2054,1025,1281,1537,515,513],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[772,771],"Conn":{}}}}
{"level":"debug","ts":1681916661.9340677,"logger":"tls.handshake","msg":"choosing certificate","identifier":"webmail.mydomain.net","num_choices":1}
{"level":"debug","ts":1681916661.9340942,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"webmail.mydomain.net","subjects":["webmail.mydomain.net"],"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"a84086c43057cf2b1f145e9a5517a43ec6a1d1f16960a61b3532ed5be71c408d"}
{"level":"debug","ts":1681916661.9341176,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"177.57.148.177","remote_port":"47936","subjects":["webmail.mydomain.net"],"managed":true,"expiration":1689620154,"hash":"a84086c43057cf2b1f145e9a5517a43ec6a1d1f16960a61b3532ed5be71c408d"}
{"level":"debug","ts":1681916661.9340973,"logger":"tls.handshake","msg":"choosing certificate","identifier":"webmail.mydomain.net","num_choices":1}
{"level":"debug","ts":1681916661.934206,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"webmail.mydomain.net","subjects":["webmail.mydomain.net"],"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"a84086c43057cf2b1f145e9a5517a43ec6a1d1f16960a61b3532ed5be71c408d"}
{"level":"debug","ts":1681916661.9342194,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"177.57.148.177","remote_port":"47948","subjects":["webmail.mydomain.net"],"managed":true,"expiration":1689620154,"hash":"a84086c43057cf2b1f145e9a5517a43ec6a1d1f16960a61b3532ed5be71c408d"}
{"level":"debug","ts":1681916662.0356827,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"roundcube:80","total_upstreams":1}
{"level":"debug","ts":1681916662.081922,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"roundcube:80","duration":0.046146776,"request":{"remote_ip":"177.57.148.177","remote_port":"47948","proto":"HTTP/2.0","method":"GET","host":"webmail.mydomain.net","uri":"/","headers":{"Accept-Language":["pt-BR"],"Upgrade-Insecure-Requests":["1"],"Sec-Fetch-Mode":["navigate"],"X-Forwarded-Host":["webmail.mydomain.net"],"User-Agent":["Mozilla/5.0 (Android 10; Mobile; rv:109.0) Gecko/111.0 Firefox/111.0"],"X-Forwarded-For":["177.57.148.177"],"Sec-Fetch-Site":["cross-site"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8"],"Sec-Fetch-Dest":["document"],"Te":["trailers"],"Accept-Encoding":["gzip, deflate, br"],"X-Forwarded-Proto":["https"],"X-Real-Ip":["177.57.148.177"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"webmail.mydomain.net"}},"headers":{"Date":["Wed, 19 Apr 2023 15:04:22 GMT"],"Expires":["Wed, 19 Apr 2023 15:04:22 GMT"],"Cache-Control":["private, no-cache, no-store, must-revalidate, post-check=0, pre-check=0"],"Server":["Apache/2.4.56 (Debian)"],"Set-Cookie":[],"Last-Modified":["Wed, 19 Apr 2023 15:04:22 GMT"],"X-Frame-Options":["sameorigin"],"Content-Type":["text/html; charset=UTF-8"],"X-Powered-By":["PHP/8.1.17"],"Pragma":["no-cache"],"Content-Language":["pt"],"Vary":["Accept-Encoding"],"Content-Encoding":["gzip"]},"status":200}
{"level":"debug","ts":1681916662.2242327,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"roundcube:80","total_upstreams":1}
{"level":"debug","ts":1681916662.2243013,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"roundcube:80","total_upstreams":1}
{"level":"debug","ts":1681916662.2243478,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"roundcube:80","total_upstreams":1}
{"level":"debug","ts":1681916662.2242417,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"roundcube:80","total_upstreams":1}
{"level":"debug","ts":1681916662.2244506,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"roundcube:80","total_upstreams":1}
{"level":"debug","ts":1681916662.2245445,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"roundcube:80","total_upstreams":1}
{"level":"debug","ts":1681916662.224565,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"roundcube:80","total_upstreams":1}
{"level":"debug","ts":1681916662.2246442,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"roundcube:80","total_upstreams":1}
{"level":"debug","ts":1681916662.2247772,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"roundcube:80","total_upstreams":1}
{"level":"debug","ts":1681916662.2277172,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"roundcube:80","duration":0.002817661,"request":{"remote_ip":"177.57.148.177","remote_port":"47948","proto":"HTTP/2.0","method":"GET","host":"webmail.mydomain.net","uri":"/plugins/jqueryui/js/i18n/datepicker-pt-BR.js?s=1674504193","headers":{"Te":["trailers"],"Accept-Encoding":["gzip, deflate, br"],"Accept-Language":["pt-BR"],"Referer":["https://webmail.mydomain.net/"],"Sec-Fetch-Dest":["script"],"X-Real-Ip":["177.57.148.177"],"Sec-Fetch-Mode":["no-cors"],"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["webmail.mydomain.net"],"X-Forwarded-For":["177.57.148.177"],"User-Agent":["Mozilla/5.0 (Android 10; Mobile; rv:109.0) Gecko/111.0 Firefox/111.0"],"Accept":["*/*"],"Cookie":[],"Sec-Fetch-Site":["same-origin"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"webmail.mydomain.net"}},"headers":{"Last-Modified":["Mon, 23 Jan 2023 20:03:13 GMT"],"Etag":["\"51f-5f2f3e3994240-gzip\""],"Content-Encoding":["gzip"],"Date":["Wed, 19 Apr 2023 15:04:22 GMT"],"Server":["Apache/2.4.56 (Debian)"],"Content-Length":["673"],"Content-Type":["application/javascript"],"Accept-Ranges":["bytes"],"Vary":["Accept-Encoding"]},"status":200}
{"level":"debug","ts":1681916662.228843,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"roundcube:80","duration":0.004052655,"request":{"remote_ip":"177.57.148.177","remote_port":"47948","proto":"HTTP/2.0","method":"GET","host":"webmail.mydomain.net","uri":"/program/js/common.min.js?s=1674504194","headers":{"X-Forwarded-For":["177.57.148.177"],"X-Forwarded-Proto":["https"],"Referer":["https://webmail.mydomain.net/"],"X-Forwarded-Host":["webmail.mydomain.net"],"Sec-Fetch-Site":["same-origin"],"Te":["trailers"],"Accept":["*/*"],"Cookie":[],"Sec-Fetch-Dest":["script"],"User-Agent":["Mozilla/5.0 (Android 10; Mobile; rv:109.0) Gecko/111.0 Firefox/111.0"],"X-Real-Ip":["177.57.148.177"],"Accept-Encoding":["gzip, deflate, br"],"Sec-Fetch-Mode":["no-cors"],"Accept-Language":["pt-BR"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"webmail.mydomain.net"}},"headers":{"Date":["Wed, 19 Apr 2023 15:04:22 GMT"],"Server":["Apache/2.4.56 (Debian)"],"Accept-Ranges":["bytes"],"Vary":["Accept-Encoding"],"Content-Type":["application/javascript"],"Last-Modified":["Mon, 23 Jan 2023 20:03:14 GMT"],"Etag":["\"31fd-5f2f3e3a88480-gzip\""],"Content-Encoding":["gzip"],"Content-Length":["4860"]},"status":200}
{"level":"debug","ts":1681916662.2317295,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"roundcube:80","total_upstreams":1}
{"level":"debug","ts":1681916662.2329412,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"roundcube:80","duration":0.001070873,"request":{"remote_ip":"177.57.148.177","remote_port":"47948","proto":"HTTP/2.0","method":"GET","host":"webmail.mydomain.net","uri":"/skins/elastic/images/logo.svg?s=1674504194","headers":{"User-Agent":["Mozilla/5.0 (Android 10; Mobile; rv:109.0) Gecko/111.0 Firefox/111.0"],"Sec-Fetch-Mode":["no-cors"],"Accept-Language":["pt-BR"],"Te":["trailers"],"Sec-Fetch-Dest":["image"],"Accept":["image/avif,image/webp,*/*"],"X-Forwarded-Proto":["https"],"Referer":["https://webmail.mydomain.net/"],"X-Forwarded-Host":["webmail.mydomain.net"],"X-Forwarded-For":["177.57.148.177"],"Accept-Encoding":["gzip, deflate, br"],"Cookie":[],"X-Real-Ip":["177.57.148.177"],"Sec-Fetch-Site":["same-origin"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"webmail.mydomain.net"}},"headers":{"Vary":["Accept-Encoding"],"Content-Length":["395"],"Date":["Wed, 19 Apr 2023 15:04:22 GMT"],"Last-Modified":["Mon, 23 Jan 2023 20:03:14 GMT"],"Etag":["\"378-5f2f3e3a88480-gzip\""],"Accept-Ranges":["bytes"],"Server":["Apache/2.4.56 (Debian)"],"Content-Encoding":["gzip"],"Content-Type":["image/svg+xml"]},"status":200}
{"level":"debug","ts":1681916662.235411,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"roundcube:80","duration":0.010888161,"request":{"remote_ip":"177.57.148.177","remote_port":"47948","proto":"HTTP/2.0","method":"GET","host":"webmail.mydomain.net","uri":"/skins/elastic/styles/styles.min.css?s=1674504194","headers":{"X-Forwarded-Host":["webmail.mydomain.net"],"Accept-Language":["pt-BR"],"Accept":["text/css,*/*;q=0.1"],"User-Agent":["Mozilla/5.0 (Android 10; Mobile; rv:109.0) Gecko/111.0 Firefox/111.0"],"X-Forwarded-For":["177.57.148.177"],"Sec-Fetch-Dest":["style"],"X-Forwarded-Proto":["https"],"X-Real-Ip":["177.57.148.177"],"Sec-Fetch-Site":["same-origin"],"Cookie":[],"Te":["trailers"],"Sec-Fetch-Mode":["no-cors"],"Accept-Encoding":["gzip, deflate, br"],"Referer":["https://webmail.mydomain.net/"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"webmail.mydomain.net"}},"headers":{"Vary":["Accept-Encoding"],"Content-Encoding":["gzip"],"Content-Type":["text/css"],"Date":["Wed, 19 Apr 2023 15:04:22 GMT"],"Server":["Apache/2.4.56 (Debian)"],"Last-Modified":["Mon, 23 Jan 2023 20:03:14 GMT"],"Etag":["\"1d5ee-5f2f3e3a88480-gzip\""],"Accept-Ranges":["bytes"],"Content-Length":["22353"]},"status":200}
{"level":"debug","ts":1681916662.2358449,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"roundcube:80","duration":0.011193576,"request":{"remote_ip":"177.57.148.177","remote_port":"47948","proto":"HTTP/2.0","method":"GET","host":"webmail.mydomain.net","uri":"/skins/elastic/deps/bootstrap.min.css?s=1674504210","headers":{"Te":["trailers"],"Sec-Fetch-Site":["same-origin"],"Referer":["https://webmail.mydomain.net/"],"Sec-Fetch-Mode":["no-cors"],"X-Forwarded-For":["177.57.148.177"],"X-Real-Ip":["177.57.148.177"],"X-Forwarded-Proto":["https"],"Accept-Encoding":["gzip, deflate, br"],"Sec-Fetch-Dest":["style"],"User-Agent":["Mozilla/5.0 (Android 10; Mobile; rv:109.0) Gecko/111.0 Firefox/111.0"],"Cookie":[],"X-Forwarded-Host":["webmail.mydomain.net"],"Accept":["text/css,*/*;q=0.1"],"Accept-Language":["pt-BR"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"webmail.mydomain.net"}},"headers":{"Etag":["\"2725b-5f2f3e49ca880-gzip\""],"Accept-Ranges":["bytes"],"Content-Encoding":["gzip"],"Server":["Apache/2.4.56 (Debian)"],"Last-Modified":["Mon, 23 Jan 2023 20:03:30 GMT"],"Content-Length":["23877"],"Content-Type":["text/css"],"Date":["Wed, 19 Apr 2023 15:04:22 GMT"],"Vary":["Accept-Encoding"]},"status":200}
{"level":"debug","ts":1681916662.2384002,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"roundcube:80","duration":0.013762068,"request":{"remote_ip":"177.57.148.177","remote_port":"47948","proto":"HTTP/2.0","method":"GET","host":"webmail.mydomain.net","uri":"/plugins/jqueryui/js/jquery-ui.min.js?s=1674504193","headers":{"Accept-Encoding":["gzip, deflate, br"],"X-Forwarded-For":["177.57.148.177"],"Sec-Fetch-Site":["same-origin"],"User-Agent":["Mozilla/5.0 (Android 10; Mobile; rv:109.0) Gecko/111.0 Firefox/111.0"],"Cookie":[],"X-Forwarded-Proto":["https"],"X-Real-Ip":["177.57.148.177"],"Sec-Fetch-Dest":["script"],"Sec-Fetch-Mode":["no-cors"],"X-Forwarded-Host":["webmail.mydomain.net"],"Referer":["https://webmail.mydomain.net/"],"Accept-Language":["pt-BR"],"Te":["trailers"],"Accept":["*/*"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"webmail.mydomain.net"}},"headers":{"Accept-Ranges":["bytes"],"Vary":["Accept-Encoding"],"Date":["Wed, 19 Apr 2023 15:04:22 GMT"],"Server":["Apache/2.4.56 (Debian)"],"Last-Modified":["Mon, 23 Jan 2023 20:03:13 GMT"],"Etag":["\"40164-5f2f3e3994240-gzip\""],"Content-Encoding":["gzip"],"Content-Type":["application/javascript"]},"status":200}
{"level":"debug","ts":1681916662.271781,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"roundcube:80","total_upstreams":1}
{"level":"debug","ts":1681916662.2718287,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"roundcube:80","total_upstreams":1}
{"level":"debug","ts":1681916662.2785757,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"roundcube:80","duration":0.00663477,"request":{"remote_ip":"177.57.148.177","remote_port":"47948","proto":"HTTP/2.0","method":"GET","host":"webmail.mydomain.net","uri":"/skins/elastic/ui.min.js?s=1674504194","headers":{"X-Real-Ip":["177.57.148.177"],"User-Agent":["Mozilla/5.0 (Android 10; Mobile; rv:109.0) Gecko/111.0 Firefox/111.0"],"Sec-Fetch-Site":["same-origin"],"Accept-Language":["pt-BR"],"Te":["trailers"],"X-Forwarded-Host":["webmail.mydomain.net"],"Sec-Fetch-Mode":["no-cors"],"Cookie":[],"Sec-Fetch-Dest":["script"],"X-Forwarded-Proto":["https"],"Referer":["https://webmail.mydomain.net/"],"Accept-Encoding":["gzip, deflate, br"],"Accept":["*/*"],"X-Forwarded-For":["177.57.148.177"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"webmail.mydomain.net"}},"headers":{"Date":["Wed, 19 Apr 2023 15:04:22 GMT"],"Server":["Apache/2.4.56 (Debian)"],"Accept-Ranges":["bytes"],"Content-Length":["19673"],"Content-Type":["application/javascript"],"Last-Modified":["Mon, 23 Jan 2023 20:03:14 GMT"],"Etag":["\"efc2-5f2f3e3a88480-gzip\""],"Vary":["Accept-Encoding"],"Content-Encoding":["gzip"]},"status":200}
{"level":"debug","ts":1681916662.279461,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"roundcube:80","duration":0.007586008,"request":{"remote_ip":"177.57.148.177","remote_port":"47948","proto":"HTTP/2.0","method":"GET","host":"webmail.mydomain.net","uri":"/skins/elastic/deps/bootstrap.bundle.min.js?s=1674504210","headers":{"Accept":["*/*"],"Sec-Fetch-Site":["same-origin"],"X-Real-Ip":["177.57.148.177"],"Sec-Fetch-Dest":["script"],"Accept-Language":["pt-BR"],"X-Forwarded-Host":["webmail.mydomain.net"],"Cookie":[],"X-Forwarded-For":["177.57.148.177"],"X-Forwarded-Proto":["https"],"Sec-Fetch-Mode":["no-cors"],"Referer":["https://webmail.mydomain.net/"],"User-Agent":["Mozilla/5.0 (Android 10; Mobile; rv:109.0) Gecko/111.0 Firefox/111.0"],"Te":["trailers"],"Accept-Encoding":["gzip, deflate, br"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"webmail.mydomain.net"}},"headers":{"Etag":["\"14888-5f2f3e49ca880-gzip\""],"Vary":["Accept-Encoding"],"Content-Length":["21767"],"Content-Type":["application/javascript"],"Date":["Wed, 19 Apr 2023 15:04:22 GMT"],"Server":["Apache/2.4.56 (Debian)"],"Last-Modified":["Mon, 23 Jan 2023 20:03:30 GMT"],"Accept-Ranges":["bytes"],"Content-Encoding":["gzip"]},"status":200}
{"level":"debug","ts":1681916662.8606536,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"roundcube:80","duration":0.63609011,"request":{"remote_ip":"177.57.148.177","remote_port":"47948","proto":"HTTP/2.0","method":"GET","host":"webmail.mydomain.net","uri":"/program/js/jquery.min.js?s=1674504197","headers":{"Te":["trailers"],"Cookie":[],"Accept":["*/*"],"X-Forwarded-For":["177.57.148.177"],"User-Agent":["Mozilla/5.0 (Android 10; Mobile; rv:109.0) Gecko/111.0 Firefox/111.0"],"Accept-Encoding":["gzip, deflate, br"],"X-Forwarded-Host":["webmail.mydomain.net"],"X-Real-Ip":["177.57.148.177"],"Referer":["https://webmail.mydomain.net/"],"Sec-Fetch-Site":["same-origin"],"Sec-Fetch-Mode":["no-cors"],"X-Forwarded-Proto":["https"],"Sec-Fetch-Dest":["script"],"Accept-Language":["pt-BR"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"webmail.mydomain.net"}},"headers":{"Etag":["\"1632e-5f2f3e3d64b40-gzip\""],"Content-Encoding":["gzip"],"Last-Modified":["Mon, 23 Jan 2023 20:03:17 GMT"],"Accept-Ranges":["bytes"],"Vary":["Accept-Encoding"],"Content-Length":["31705"],"Content-Type":["application/javascript"],"Date":["Wed, 19 Apr 2023 15:04:22 GMT"],"Server":["Apache/2.4.56 (Debian)"]},"status":200}
{"level":"debug","ts":1681916663.8583593,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"roundcube:80","duration":1.633902582,"request":{"remote_ip":"177.57.148.177","remote_port":"47948","proto":"HTTP/2.0","method":"GET","host":"webmail.mydomain.net","uri":"/program/js/jstz.min.js?s=1674504197","headers":{"Cookie":[],"Accept-Language":["pt-BR"],"User-Agent":["Mozilla/5.0 (Android 10; Mobile; rv:109.0) Gecko/111.0 Firefox/111.0"],"X-Real-Ip":["177.57.148.177"],"Accept":["*/*"],"Sec-Fetch-Site":["same-origin"],"Accept-Encoding":["gzip, deflate, br"],"X-Forwarded-Proto":["https"],"Referer":["https://webmail.mydomain.net/"],"Sec-Fetch-Mode":["no-cors"],"Te":["trailers"],"X-Forwarded-For":["177.57.148.177"],"X-Forwarded-Host":["webmail.mydomain.net"],"Sec-Fetch-Dest":["script"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"webmail.mydomain.net"}},"headers":{"Vary":["Accept-Encoding"],"Server":["Apache/2.4.56 (Debian)"],"Etag":["\"360b-5f2f3e3d64b40-gzip\""],"Accept-Ranges":["bytes"],"Content-Encoding":["gzip"],"Content-Length":["5013"],"Content-Type":["application/javascript"],"Date":["Wed, 19 Apr 2023 15:04:23 GMT"],"Last-Modified":["Mon, 23 Jan 2023 20:03:17 GMT"]},"status":200}
{"level":"debug","ts":1681916663.85913,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"roundcube:80","duration":1.634721745,"request":{"remote_ip":"177.57.148.177","remote_port":"47948","proto":"HTTP/2.0","method":"GET","host":"webmail.mydomain.net","uri":"/plugins/jqueryui/themes/elastic/jquery-ui.min.css?s=1674504193","headers":{"Referer":["https://webmail.mydomain.net/"],"Sec-Fetch-Dest":["style"],"X-Forwarded-For":["177.57.148.177"],"X-Forwarded-Proto":["https"],"X-Real-Ip":["177.57.148.177"],"X-Forwarded-Host":["webmail.mydomain.net"],"Accept-Language":["pt-BR"],"Sec-Fetch-Site":["same-origin"],"Te":["trailers"],"Accept-Encoding":["gzip, deflate, br"],"Sec-Fetch-Mode":["no-cors"],"Accept":["text/css,*/*;q=0.1"],"Cookie":[],"User-Agent":["Mozilla/5.0 (Android 10; Mobile; rv:109.0) Gecko/111.0 Firefox/111.0"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"webmail.mydomain.net"}},"headers":{"Content-Type":["text/css"],"Date":["Wed, 19 Apr 2023 15:04:23 GMT"],"Last-Modified":["Mon, 23 Jan 2023 20:03:13 GMT"],"Etag":["\"727d-5f2f3e3994240-gzip\""],"Vary":["Accept-Encoding"],"Content-Encoding":["gzip"],"Server":["Apache/2.4.56 (Debian)"],"Accept-Ranges":["bytes"],"Content-Length":["7377"]},"status":200}
{"level":"debug","ts":1681916664.8699195,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"roundcube:80","duration":2.645267415,"request":{"remote_ip":"177.57.148.177","remote_port":"47948","proto":"HTTP/2.0","method":"GET","host":"webmail.mydomain.net","uri":"/program/js/app.min.js?s=1674504194","headers":{"Sec-Fetch-Site":["same-origin"],"X-Forwarded-Host":["webmail.mydomain.net"],"Accept":["*/*"],"X-Forwarded-Proto":["https"],"Sec-Fetch-Mode":["no-cors"],"Accept-Encoding":["gzip, deflate, br"],"Referer":["https://webmail.mydomain.net/"],"Te":["trailers"],"Sec-Fetch-Dest":["script"],"X-Real-Ip":["177.57.148.177"],"Cookie":[],"X-Forwarded-For":["177.57.148.177"],"Accept-Language":["pt-BR"],"User-Agent":["Mozilla/5.0 (Android 10; Mobile; rv:109.0) Gecko/111.0 Firefox/111.0"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"webmail.mydomain.net"}},"headers":{"Last-Modified":["Mon, 23 Jan 2023 20:03:14 GMT"],"Content-Encoding":["gzip"],"Content-Type":["application/javascript"],"Date":["Wed, 19 Apr 2023 15:04:24 GMT"],"Server":["Apache/2.4.56 (Debian)"],"Etag":["\"29f1c-5f2f3e3a88480-gzip\""],"Accept-Ranges":["bytes"],"Vary":["Accept-Encoding"],"Content-Length":["48058"]},"status":200}
{"level":"debug","ts":1681916665.144567,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"roundcube:80","total_upstreams":1}
{"level":"debug","ts":1681916665.1473453,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"roundcube:80","duration":0.002651986,"request":{"remote_ip":"177.57.148.177","remote_port":"47948","proto":"HTTP/2.0","method":"GET","host":"webmail.mydomain.net","uri":"/skins/elastic/fonts/fa-solid-900.woff2","headers":{"Accept-Encoding":["identity"],"Sec-Fetch-Site":["same-origin"],"X-Forwarded-For":["177.57.148.177"],"X-Forwarded-Host":["webmail.mydomain.net"],"Sec-Fetch-Dest":["font"],"Accept":["application/font-woff2;q=1.0,application/font-woff;q=0.9,*/*;q=0.8"],"User-Agent":["Mozilla/5.0 (Android 10; Mobile; rv:109.0) Gecko/111.0 Firefox/111.0"],"Cookie":[],"Te":["trailers"],"Accept-Language":["pt-BR"],"Referer":["https://webmail.mydomain.net/skins/elastic/styles/styles.min.css?s=1674504194"],"Sec-Fetch-Mode":["cors"],"X-Forwarded-Proto":["https"],"X-Real-Ip":["177.57.148.177"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"webmail.mydomain.net"}},"headers":{"Server":["Apache/2.4.56 (Debian)"],"Last-Modified":["Mon, 23 Jan 2023 20:03:14 GMT"],"Etag":["\"126b0-5f2f3e3a88480\""],"Accept-Ranges":["bytes"],"Content-Length":["75440"],"Vary":["Accept-Encoding"],"Content-Type":["font/woff2"],"Date":["Wed, 19 Apr 2023 15:04:25 GMT"]},"status":200}
{"level":"debug","ts":1681916665.2738264,"logger":"events","msg":"event","name":"tls_get_certificate","id":"2dbcab70-722b-4f81-8169-6aa9ba418011","origin":"tls","data":{"client_hello":{"CipherSuites":[49195,49199,52393,52392,49196,49200,49162,49161,49171,49172,156,157,47,53],"ServerName":"webmail.mydomain.net","SupportedCurves":[29,23,24,25],"SupportedPoints":"AA==","SignatureSchemes":[1027,1283,1539,2052,2053,2054,1025,1281,1537,515,513],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[771,770,769],"Conn":{}}}}
{"level":"debug","ts":1681916665.2739298,"logger":"tls.handshake","msg":"choosing certificate","identifier":"webmail.mydomain.net","num_choices":1}
{"level":"debug","ts":1681916665.2739568,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"webmail.mydomain.net","subjects":["webmail.mydomain.net"],"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"a84086c43057cf2b1f145e9a5517a43ec6a1d1f16960a61b3532ed5be71c408d"}
{"level":"debug","ts":1681916665.27397,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"177.57.148.177","remote_port":"47968","subjects":["webmail.mydomain.net"],"managed":true,"expiration":1689620154,"hash":"a84086c43057cf2b1f145e9a5517a43ec6a1d1f16960a61b3532ed5be71c408d"}
{"level":"debug","ts":1681916665.3943474,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"roundcube:80","total_upstreams":1}
{"level":"debug","ts":1681916665.3975608,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"roundcube:80","duration":0.003095402,"request":{"remote_ip":"177.57.148.177","remote_port":"47968","proto":"HTTP/2.0","method":"GET","host":"webmail.mydomain.net","uri":"/skins/elastic/images/favicon.ico?s=1674504194","headers":{"X-Forwarded-For":["177.57.148.177"],"Te":["trailers"],"Accept-Encoding":["gzip, deflate, br"],"X-Forwarded-Host":["webmail.mydomain.net"],"Cookie":[],"X-Real-Ip":["177.57.148.177"],"Accept-Language":["pt-BR"],"Sec-Fetch-Mode":["no-cors"],"Sec-Fetch-Dest":["empty"],"User-Agent":["Mozilla/5.0 (Android 10; Mobile; rv:109.0) Gecko/111.0 Firefox/111.0"],"Accept":["*/*"],"X-Forwarded-Proto":["https"],"Sec-Fetch-Site":["none"]},"tls":{"resumed":false,"version":771,"cipher_suite":49195,"proto":"h2","server_name":"webmail.mydomain.net"}},"headers":{"Content-Encoding":["gzip"],"Content-Type":["image/vnd.microsoft.icon"],"Server":["Apache/2.4.56 (Debian)"],"Accept-Ranges":["bytes"],"Vary":["Accept-Encoding"],"Content-Length":["1693"],"Date":["Wed, 19 Apr 2023 15:04:25 GMT"],"Last-Modified":["Mon, 23 Jan 2023 20:03:14 GMT"],"Etag":["\"423e-5f2f3e3a88480-gzip\""]},"status":200}
{"level":"debug","ts":1681916677.1044688,"logger":"events","msg":"event","name":"tls_get_certificate","id":"00c88450-f793-44df-b9d0-bac2d8377870","origin":"tls","data":{"client_hello":{"CipherSuites":[49199,49195,49169,49159,49171,49161,49172,49162,5,47,53,49170,10],"ServerName":"","SupportedCurves":[23,24,25],"SupportedPoints":"AA==","SignatureSchemes":[1025,1027,513,515,1025,1281,1537],"SupportedProtos":null,"SupportedVersions":[771,770,769],"Conn":{}}}}
{"level":"debug","ts":1681916677.1045449,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"172.18.0.2"}
{"level":"debug","ts":1681916677.1045544,"logger":"tls.handshake","msg":"all external certificate managers yielded no certificates and no errors","remote_ip":"142.93.65.94","remote_port":"46166","sni":""}
{"level":"debug","ts":1681916677.1045647,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"142.93.65.94","remote_port":"46166","server_name":"","remote":"142.93.65.94:46166","identifier":"172.18.0.2","cipher_suites":[49199,49195,49169,49159,49171,49161,49172,49162,5,47,53,49170,10],"cert_cache_fill":0.0005,"load_if_necessary":true,"obtain_if_necessary":true,"on_demand":false}
{"level":"debug","ts":1681916677.104681,"logger":"http.stdlib","msg":"http: TLS handshake error from 142.93.65.94:46166: no certificate available for '172.18.0.2'"}

...

{"level":"debug","ts":1681916848.0987942,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"roundcube:80","total_upstreams":1}
{"level":"debug","ts":1681916851.1674604,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"roundcube:80","duration":3.06851015,"request":{"remote_ip":"177.57.148.177","remote_port":"47974","proto":"HTTP/2.0","method":"POST","host":"webmail.mydomain.net","uri":"/?_task=login","headers":{"Sec-Fetch-Mode":["navigate"],"User-Agent":["Mozilla/5.0 (Android 10; Mobile; rv:109.0) Gecko/111.0 Firefox/111.0"],"Referer":["https://webmail.mydomain.net/"],"X-Forwarded-Host":["webmail.mydomain.net"],"Te":["trailers"],"Upgrade-Insecure-Requests":["1"],"Sec-Fetch-Dest":["document"],"X-Real-Ip":["177.57.148.177"],"Origin":["https://webmail.mydomain.net"],"Content-Type":["application/x-www-form-urlencoded"],"Sec-Fetch-User":["?1"],"Sec-Fetch-Site":["same-origin"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8"],"Cookie":[],"X-Forwarded-Proto":["https"],"Accept-Encoding":["gzip, deflate, br"],"Accept-Language":["pt-BR"],"X-Forwarded-For":["177.57.148.177"],"Content-Length":["154"]},"tls":{"resumed":true,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"webmail.mydomain.net"}},"headers":{"Connection":["close"],"Content-Type":["text/html; charset=UTF-8"],"Cache-Control":["private, no-cache, no-store, must-revalidate, post-check=0, pre-check=0"],"Last-Modified":["Wed, 19 Apr 2023 15:07:28 GMT"],"Set-Cookie":[],"Vary":["Accept-Encoding"],"Date":["Wed, 19 Apr 2023 15:07:28 GMT"],"Server":["Apache/2.4.56 (Debian)"],"Pragma":["no-cache"],"X-Frame-Options":["sameorigin"],"Content-Language":["pt"],"Content-Encoding":["gzip"],"X-Powered-By":["PHP/8.1.17"],"Expires":["Wed, 19 Apr 2023 15:07:28 GMT"]},"status":401}

DMS

[   INF   ]  Welcome to docker-mailserver 12.0.0
[   INF   ]  Checking configuration
[   INF   ]  Configuring mail server
[ WARNING ]  Rspamd integration is work in progress - expect (breaking) changes at any time
[ WARNING ]  (Rspamd setup) Running Amavis/SA & Rspamd at the same time is discouraged
[   INF   ]  Starting daemons
[   INF   ]  mail.mydomain.net is up and running
Apr 19 11:58:21 mail amavis[1204]: starting. /usr/sbin/amavisd-new at mail.mydomain.net amavisd-new-2.11.1 (20181009), Unicode aware, LC_CTYPE="C.UTF-8"
Apr 19 11:58:21 mail amavis[1204]: perl=5.032001, user=, EUID: 109 (109);  group=, EGID: 111 111 (111 111)
Apr 19 11:58:21 mail amavis[1204]: Net::Server: Group Not Defined.  Defaulting to EGID '111 111'
Apr 19 11:58:21 mail amavis[1204]: Net::Server: User Not Defined.  Defaulting to EUID '109'
Apr 19 11:58:21 mail amavis[1204]: No ext program for   .zoo, tried: zoo
Apr 19 11:58:21 mail amavis[1204]: No ext program for   .doc, tried: ripole
Apr 19 11:58:21 mail amavis[1204]: No decoder for       .F
Apr 19 11:58:21 mail amavis[1204]: No decoder for       .doc
Apr 19 11:58:21 mail amavis[1204]: No decoder for       .zoo
Apr 19 11:58:21 mail amavis[1204]: Using primary internal av scanner code for ClamAV-clamd
Apr 19 11:58:21 mail amavis[1204]: Found secondary av scanner ClamAV-clamscan at /usr/bin/clamscan

...

Apr 19 12:07:28 mail dovecot: auth: ldap(myusername@mydomain.net,172.18.0.1,<H5pGyLH5YpusEgAB>): Password mismatch (for LDAP bind) (SHA1 of given password: 2e6f9b)
Apr 19 12:07:30 mail dovecot: imap-login: Disconnected: Connection closed (auth failed, 1 attempts in 2 secs): user=<myusername@mydomain.net>, method=PLAIN, rip=172.18.0.1, lip=172.18.0.7, TLS, session=<H5pGyLH5YpusEgAB>

Roundcube

roundcubemail found in /var/www/html - installing update...
Target installation already in version 1.6.1. Do you want to update again? (y/N)
Copying files to target location...done.

Running update script at target...
Executing database schema update.
/usr/bin/composer
Executing /usr/bin/composer to update dependencies...
Loading composer repositories with package information
Info from https://repo.packagist.org: #StandWithUkraine
Updating dependencies
Nothing to modify in lock file
Installing dependencies from lock file
Nothing to install, update or remove
Generating autoload files
4 packages you are using are looking for funding.
Use the `composer fund` command to find out more!
No security vulnerability advisories found
This instance of Roundcube is up-to-date.
Have fun!
All done.
Loading composer repositories with package information
Updating dependencies
Nothing to modify in lock file
Installing dependencies from lock file
Nothing to install, update or remove
Generating autoload files
4 packages you are using are looking for funding.
Use the `composer fund` command to find out more!
No security vulnerability advisories found
Write Docker config to /var/www/html/config/config.docker.inc.php
Checking for database schema updates...
Generating locales (this might take a while)...
  en_US.UTF-8... done
Generation complete.
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.18.0.6. Set the 'ServerName' directive globally to suppress this message
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.18.0.6. Set the 'ServerName' directive globally to suppress this message
[Wed Apr 19 15:00:54.610207 2023] [mpm_prefork:notice] [pid 1] AH00163: Apache/2.4.56 (Debian) PHP/8.1.17 configured -- resuming normal operations
[Wed Apr 19 15:00:54.610224 2023] [core:notice] [pid 1] AH00094: Command line: 'apache2 -D FOREGROUND'

...

172.18.0.2 - - [19/Apr/2023:15:04:22 +0000] "GET / HTTP/1.1" 200 2956 "-" "Mozilla/5.0 (Android 10; Mobile; rv:109.0) Gecko/111.0 Firefox/111.0"
172.18.0.2 - - [19/Apr/2023:15:04:22 +0000] "GET /plugins/jqueryui/js/i18n/datepicker-pt-BR.js?s=1674504193 HTTP/1.1" 200 967 "https://webmail.mydomain.net/" "Mozilla/5.0 (Android 10; Mobile; rv:109.0) Gecko/111.0 Firefox/111.0"
172.18.0.2 - - [19/Apr/2023:15:04:22 +0000] "GET /program/js/common.min.js?s=1674504194 HTTP/1.1" 200 5156 "https://webmail.mydomain.net/" "Mozilla/5.0 (Android 10; Mobile; rv:109.0) Gecko/111.0 Firefox/111.0"
172.18.0.2 - - [19/Apr/2023:15:04:22 +0000] "GET /skins/elastic/images/logo.svg?s=1674504194 HTTP/1.1" 200 680 "https://webmail.mydomain.net/" "Mozilla/5.0 (Android 10; Mobile; rv:109.0) Gecko/111.0 Firefox/111.0"
172.18.0.2 - - [19/Apr/2023:15:04:22 +0000] "GET /skins/elastic/styles/styles.min.css?s=1674504194 HTTP/1.1" 200 22637 "https://webmail.mydomain.net/" "Mozilla/5.0 (Android 10; Mobile; rv:109.0) Gecko/111.0 Firefox/111.0"
172.18.0.2 - - [19/Apr/2023:15:04:22 +0000] "GET /skins/elastic/deps/bootstrap.min.css?s=1674504210 HTTP/1.1" 200 24161 "https://webmail.mydomain.net/" "Mozilla/5.0 (Android 10; Mobile; rv:109.0) Gecko/111.0 Firefox/111.0"
172.18.0.2 - - [19/Apr/2023:15:04:22 +0000] "GET /plugins/jqueryui/js/jquery-ui.min.js?s=1674504193 HTTP/1.1" 200 70755 "https://webmail.mydomain.net/" "Mozilla/5.0 (Android 10; Mobile; rv:109.0) Gecko/111.0 Firefox/111.0"
172.18.0.2 - - [19/Apr/2023:15:04:22 +0000] "GET /skins/elastic/ui.min.js?s=1674504194 HTTP/1.1" 200 19970 "https://webmail.mydomain.net/" "Mozilla/5.0 (Android 10; Mobile; rv:109.0) Gecko/111.0 Firefox/111.0"
172.18.0.2 - - [19/Apr/2023:15:04:22 +0000] "GET /skins/elastic/deps/bootstrap.bundle.min.js?s=1674504210 HTTP/1.1" 200 22065 "https://webmail.mydomain.net/" "Mozilla/5.0 (Android 10; Mobile; rv:109.0) Gecko/111.0 Firefox/111.0"
172.18.0.2 - - [19/Apr/2023:15:04:22 +0000] "GET /program/js/jquery.min.js?s=1674504197 HTTP/1.1" 200 32003 "https://webmail.mydomain.net/" "Mozilla/5.0 (Android 10; Mobile; rv:109.0) Gecko/111.0 Firefox/111.0"
172.18.0.2 - - [19/Apr/2023:15:04:23 +0000] "GET /program/js/jstz.min.js?s=1674504197 HTTP/1.1" 200 5309 "https://webmail.mydomain.net/" "Mozilla/5.0 (Android 10; Mobile; rv:109.0) Gecko/111.0 Firefox/111.0"
172.18.0.2 - - [19/Apr/2023:15:04:23 +0000] "GET /plugins/jqueryui/themes/elastic/jquery-ui.min.css?s=1674504193 HTTP/1.1" 200 7659 "https://webmail.mydomain.net/" "Mozilla/5.0 (Android 10; Mobile; rv:109.0) Gecko/111.0 Firefox/111.0"
172.18.0.2 - - [19/Apr/2023:15:04:24 +0000] "GET /program/js/app.min.js?s=1674504194 HTTP/1.1" 200 48356 "https://webmail.mydomain.net/" "Mozilla/5.0 (Android 10; Mobile; rv:109.0) Gecko/111.0 Firefox/111.0"
172.18.0.2 - - [19/Apr/2023:15:04:25 +0000] "GET /skins/elastic/fonts/fa-solid-900.woff2 HTTP/1.1" 200 75697 "https://webmail.mydomain.net/skins/elastic/styles/styles.min.css?s=1674504194" "Mozilla/5.0 (Android 10; Mobile; rv:109.0) Gecko/111.0 Firefox/111.0"
172.18.0.2 - - [19/Apr/2023:15:04:25 +0000] "GET /skins/elastic/images/favicon.ico?s=1674504194 HTTP/1.1" 200 1991 "-" "Mozilla/5.0 (Android 10; Mobile; rv:109.0) Gecko/111.0 Firefox/111.0"
127.0.0.1 - - [19/Apr/2023:15:04:26 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.56 (Debian) PHP/8.1.17 (internal dummy connection)"
127.0.0.1 - - [19/Apr/2023:15:04:27 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.56 (Debian) PHP/8.1.17 (internal dummy connection)"
127.0.0.1 - - [19/Apr/2023:15:04:28 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.56 (Debian) PHP/8.1.17 (internal dummy connection)"
127.0.0.1 - - [19/Apr/2023:15:04:29 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.56 (Debian) PHP/8.1.17 (internal dummy connection)"
127.0.0.1 - - [19/Apr/2023:15:04:30 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.56 (Debian) PHP/8.1.17 (internal dummy connection)"
127.0.0.1 - - [19/Apr/2023:15:04:31 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.56 (Debian) PHP/8.1.17 (internal dummy connection)"
127.0.0.1 - - [19/Apr/2023:15:04:32 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.56 (Debian) PHP/8.1.17 (internal dummy connection)"
127.0.0.1 - - [19/Apr/2023:15:04:33 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.56 (Debian) PHP/8.1.17 (internal dummy connection)"
127.0.0.1 - - [19/Apr/2023:15:04:34 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.56 (Debian) PHP/8.1.17 (internal dummy connection)"
127.0.0.1 - - [19/Apr/2023:15:04:35 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.56 (Debian) PHP/8.1.17 (internal dummy connection)"

...

errors: <bb16ea71> IMAP Error: Login failed for myusername@mydomain.net against mail.mydomain.net from 172.18.0.2 (X-Real-IP: 177.57.148.177,X-Forwarded-For: 177.57.148.177). AUTHENTICATE PLAIN: Authentication failed. in /var/www/html/program/lib/Roundcube/rcube_imap.php on line 211 (POST /?_task=login&_action=login)
172.18.0.2 - - [19/Apr/2023:15:07:28 +0000] "POST /?_task=login HTTP/1.1" 401 3120 "https://webmail.mydomain.net/" "Mozilla/5.0 (Android 10; Mobile; rv:109.0) Gecko/111.0 Firefox/111.0"

0 replies

peracchi · 2023-04-19T23:20:42Z

peracchi
Apr 19, 2023
Author

Making progress with https://packagist.org/packages/takerukoushirou/roundcube-dovecot_client_ip and some other adjustments!

😄

Still needs to pinpoint exact needed changes but it can be done. 🤓

6 replies

polarathene Apr 19, 2023
Maintainer

Great to hear :)

If you're successful it would be good for us to document the integration for other users that want to use RoundCube with DMS, I know this has been an issue for a few users in the past.

peracchi Apr 20, 2023
Author

Sure, documentation of Docker Mailserver is excellent but always can be improved and extended.

If you look at the docker-compose.yml I showed previously you can see that I managed to use Docker Mailserver with LDAP. Works great!

polarathene Apr 20, 2023
Maintainer

I managed to use Docker Mailserver with LDAP.

Yes I noticed you were using LDAP. If I find time to get familiar with it I think I will reference the config you've shared here, that may help improve our tests and docs in future 😅

peracchi Apr 21, 2023
Author

Finally I made it work only to discover a logical flaw in my idea...

 external IP  | Linux Server with Containers
----------------------------------------------------------------
                          (172.18.0.2)
                |-  80 -|
              |-|       |--- Caddy ---|
              | |- 443 -|             |          (172.18.0.3)
              |                       |      |                 |
              |                       |- 80 -|--- Roundcube ---|
20.112.52.29 -|                              |        |        |
              |                                       |
              |           (172.18.0.4)                |
              | |-  25 -|             |               |
              | |- 143 -|             |               |
              |-|- 465 -|---  DMS  ---|---------------|
                |- 587 -|             |
                |- 993 -|             |
----------------------------------------------------------------
 external IP  | Linux Server with Containers

a) external client using a browser reaches Roundcube through Caddy
b) Caddy gives external client IP to Roundcube
c) Roundcube gives external client IP to Docker Mailserver
d) if external user gives wrong password to Roundcube, Docker Mailserver blocks (fail2ban) external client IP

The flaw is that external client isn't going directly to Docker Mailserver (using Thunderbird, for example); it goes to Caddy then Roundcube and then Docker Mailserver.

So, for authentication failures at Roundcube "level" fail2ban needs to be implemented at Roundcube "level".

Answering my own question, to prevent Docker Mailserver from block docker gateway and thus preventing even right Roundcube user/password from login, you must add to Dovecot config:

login_trusted_networks = 172.18.0.0/16

Answer selected by peracchi

polarathene Apr 21, 2023
Maintainer

Answering my own question, to prevent Docker Mailserver from block docker gateway and thus preventing even right Roundcube user/password from login, you must add to Dovecot config:

As I mentioned earlier, you shouldn't need to trust the docker gateway / subnet like that if you have RoundCube connect to DMS directly (not through external connection that loops back into the same server). That should avoid having an IP from the gateway instead of the RoundCube container.

It doesn't look like there is anything specifically tying to that subnet either besides your external network being created and assigned that subnet, so if not obvious to others that would need to be adjusted accordingly.

So, for authentication failures at Roundcube "level" fail2ban needs to be implemented at Roundcube "level".

Are you referring to Fail2Ban log monitoring? The failures occur in the SASL provider (Dovecot), so monitoring logs there should be correct. If the client IP is the docker gateway at this point that Fail2Ban bans on, the logs should contain the additional headers with real client IP. Fail2Ban needs config adjusted to ban the IP from those forwarded headers instead when they're present.

s1lvester Dec 11, 2023

@peracchi Are you sure you don't have a AAAA Record for your MX Domain? Because doing so would force all ipv6 Connections to be mapped through the Docker Network Gateway. Every ipv6 client then gets forwarded with the gateway address.

polarathene · 2024-02-08T10:28:29Z

polarathene
Feb 8, 2024
Maintainer

FWIW, this discussion might be a helpful reference. It's focused on PROXY protocol support and with Traefik, but I did add a Caddy example in there.

I haven't given Roundcube a look, but I have read it supports PROXY protocol at least for STARTTLS, while you'd otherwise need the plugin approach for implicit TLS I think.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Docker Mailserver

DMS/Roundcube/Caddy - fail2ban blocks docker gateway #3273

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 4 comments 10 replies

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{title}}

Select a reply

Docker Mailserver

DMS/Roundcube/Caddy - fail2ban blocks docker gateway #3273

peracchi Apr 18, 2023