Closed
Labels
area/provider/docker, area/tcp, kind/bug/confirmed (a confirmed bug, reproducible), priority/P1 (need to be fixed in next release), status/5-frozen-due-to-age
Description
Do you want to request a feature or report a bug?
Possible Bug
Did you try using a 1.7.x configuration for the version 2.0?
- Yes
- No
What did you do?
I'd like to use traefik's 2.x new TCP routing feature in front of my MTA (postfix).
I've created two separate docker-compose stacks: one for traefik and the other one is a mailu (https://mailu.io) stack. traefik service and mailu's frontend service are connected via an external network named mailu.
I've also replaced mailu stack with a plain postfix docker instance, but the result is the same as for mailu stack.
What did you expect to see?
- MTA's banner should be presented on a raw telnet connection to the MTA behind traefik
- successful openssl handshake (openssl s_client -connect mail.domain.tld:25 -starttls smtp)
- mxtoolbox.com smtp tests pass successfully
What did you see instead?
- testing TCP route with raw telnet connection shows that MTA's banner is not presented. ehlo request responds with
250 domain.tld
250 STARTTLS
- testing TCP route with openssl client starttls connection (openssl s_client -connect mail.domain.tld:25 -starttls smtp) responds with:
CONNECTED(00000003)
no further output - connection is stuck
Output of traefik version: (What version of Traefik are you using?)
```yaml
version: '3.7'
services:
  reverse-proxy:
    image: traefik:2.0.0-alpha4-alpine
    restart: always
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
      # SMTP, SMTPS and submission, matching the smtp* entrypoints in traefik.toml
      - "25:25"
      - "465:465"
      - "587:587"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik_http.rule=Host(`traefik.${DOMAIN}`)"
      - "traefik.http.routers.traefik_https.rule=Host(`traefik.${DOMAIN}`)"
      - "traefik.http.routers.traefik_https.tls=true"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - $PWD/traefik.toml:/traefik.toml
      - $PWD/acme.json:/acme.json
      - /var/log/:/var/log/
    networks:
      - default
      - mailu
networks:
  # external network shared with the mailu stack
  mailu:
    external: true
```
What is your environment & configuration (arguments, toml, provider, platform, ...)?
- docker 18.09.5 / docker-compose 1.24.0
- host CentOS Linux release 7.6.1810
```toml
[global]
  debug = true
  checkNewVersion = false
  sendAnonymousUsage = false

[entrypoints]
  [entrypoints.http]
    address = ":80"
  [entrypoints.https]
    address = ":443"
  [entrypoints.smtp]
    address = ":25"
  [entrypoints.smtp-ssl]
    address = ":465"
  [entrypoints.smtp-client]
    address = ":587"

#[log]
#  filePath = "/var/log/traefik.log"
#  level = "DEBUG"

#[accessLog]
#  filePath = "/var/log/traefik.access.log"
#  format = "common"
  [accessLog.filters]
    statusCodes = ["200", "300-302"]
    retryAttempts = true
    minDuration = "10ms"
  [accessLog.fields]
    defaultmode = "keep"
    [accessLog.fields.names]
      "clientUsername" = "drop"
    [accessLog.fields.headers]
      defaultMode = "keep"
      [accessLog.fields.headers.names]
        "User-Agent" = "redact"
        "Authorization" = "drop"
        "Content-Type" = "keep"

[api]

[ping]

[providers.file]

[http.middlewares.http-chain.chain]
  middlewares = ["redirect-https"]
[http.middlewares.https-chain.chain]
  middlewares = ["headers-sts", "compress"]
[http.middlewares.redirect-https.redirectScheme]
  scheme = "https"
  permanent = true
[http.middlewares.headers-sts.headers]
  STSSeconds = 315360000
  STSIncludeSubdomains = true
  STSPreload = true
  forceSTSHeader = true
[http.middlewares.compress.compress]

[providers.docker]
  defaultRule = "Host(`{{ normalize .Name }}.domain.tld`)"
  exposedByDefault = false

[TLSOptions]
  [TLSOptions.Default]
    minVersion = "VersionTLS12"
    cipherSuites = [
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
      "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
    ]

[ACME]
  email = "admin@domain.tld"
  storage = "acme.json"
  entryPoint = "https"
  acmeLogging = true
  [ACME.DNSChallenge]
    provider = "route53"
    delayBeforeCheck = 5
  [[ACME.Domains]]
    main = "*.domain.tld"
    sans = ["domain.tld"]
```
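The raw-connection check described under "What did you expect to see?" and "What did you see instead?", scripted as an added example (not part of the original report, and not Traefik or Mailu code): it reports whether the 220 greeting arrives before the client sends anything and whether EHLO advertises STARTTLS. The names `read_reply`, `probe_smtp` and `fake_mta`, the helo name and the loopback replies are constructed for illustration.

```python
import socket
import threading

def read_reply(sock, buf):
    """Read one SMTP reply (multi-line aware); socket.timeout means silence."""
    lines = []
    while True:
        while b"\n" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("peer closed the connection")
            buf.extend(chunk)
        line, _, rest = bytes(buf).partition(b"\n")
        buf[:] = rest
        lines.append(line.decode("ascii", "replace").rstrip("\r"))
        if lines[-1][3:4] != "-":  # "250-..." continues, "250 ..." ends the reply
            return lines

def probe_smtp(host, port, helo="probe.example", timeout=2.0):
    """Report whether the server greets before the client speaks and offers STARTTLS."""
    out = {"greets_first": False, "banner": None, "starttls": False}
    buf = bytearray()
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            out["banner"] = read_reply(s, buf)[-1]
            out["greets_first"] = out["banner"].startswith("220")
        except socket.timeout:
            pass  # no unprompted 220: the symptom seen with raw telnet
        s.sendall(f"EHLO {helo}\r\n".encode("ascii"))
        try:
            reply = read_reply(s, buf)
            if reply[-1].startswith("220"):  # tolerate a greeting that only arrives now
                reply = read_reply(s, buf)
        except (socket.timeout, ConnectionError):
            reply = []
        out["starttls"] = any(ln[4:].strip().upper() == "STARTTLS" for ln in reply)
    return out

def fake_mta(greet_first):
    """Constructed loopback stand-in for one SMTP session; returns its port."""
    srv = socket.create_server(("127.0.0.1", 0))
    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            if greet_first:
                conn.sendall(b"220 mail.domain.tld ESMTP\r\n")
            conn.recv(1024)  # wait for the client's EHLO
            conn.sendall(b"250-domain.tld\r\n250 STARTTLS\r\n")
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Against a real listener, `probe_smtp("mail.domain.tld", 25)` returning `greets_first: False` corresponds to the missing banner reported above.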