docker-mailserver: question: How to configure Traefik for port 465? (Postfix smtpd throws TLS library error)

šŸ“ Preliminary Checks

  • I tried searching for an existing issue and followed the debugging docs advice, but still need assistance.

👀 What Happened?

Hello, after having carefully followed every step reported in #3063 I still do not manage in any way to run implicit TLS SMTP, while implicit IMAP works; I am wondering how to interpret these logs I get.

👟 Reproduction Steps

Use DMS behind Traefik reverse proxy

šŸ‹ DMS Version

v12.1.0

💻 Operating System and Architecture

Linux server 5.15.0-83-generic #92-Ubuntu SMP Mon Aug 14 09:30:42 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

āš™ļø Container configuration files

Dovecot config override:

haproxy_trusted_networks = 172.25.0.2/32
haproxy_timeout = 3 secs
service imap-login {
  inet_listener imaps {
    haproxy = yes
    ssl = yes
    port = 10993
  }
}

postfix-master.cf:

submission/inet/smtpd_upstream_proxy_protocol=haproxy
submissions/inet/smtpd_upstream_proxy_protocol=haproxy

postfix-main.cf:

postscreen_upstream_proxy_protocol = haproxy

compose.yaml:

services:
  mailserver:
    image: ghcr.io/docker-mailserver/docker-mailserver:latest
    restart: always
    container_name: mailserver
    hostname: mail.domain.com
    env_file: mailserver.env
    volumes:
      - ${DOCKER_VOLUMES_FOLDER}/dms/mail-data/:/var/mail/
      - ${DOCKER_VOLUMES_FOLDER}/dms/mail-state/:/var/mail-state/
      - ${DOCKER_VOLUMES_FOLDER}/dms/mail-logs/:/var/log/mail/
      - ${DOCKER_VOLUMES_FOLDER}/dms/config/:/tmp/docker-mailserver/
      - /etc/localtime:/etc/localtime:ro
      - ${DOCKER_VOLUMES_FOLDER}/traefik/acme.json:/etc/letsencrypt/acme.json:ro
    cap_add:
      - NET_ADMIN
    stop_grace_period: 1m
    environment:
      - SSL_TYPE=letsencrypt
      - SSL_DOMAIN=domain.com # using wildcard cert

    healthcheck:
      test: "ss --listening --tcp | grep -P 'LISTEN.+:smtp' || exit 1"
      timeout: 3s
      retries: 0

    labels:
      - "traefik.enable=true"
      - "traefik.tcp.routers.smtp.rule=HostSNI(`*`)"
      - "traefik.tcp.routers.smtp.entrypoints=smtp"
      - "traefik.tcp.routers.smtp.service=smtp"
      - "traefik.tcp.services.smtp.loadbalancer.server.port=25"
      - "traefik.tcp.services.smtp.loadbalancer.proxyProtocol.version=1"
      - "traefik.tcp.routers.smtp-ssl.rule=HostSNI(`*`)"
      - "traefik.tcp.routers.smtp-ssl.tls=false"
      - "traefik.tcp.routers.smtp-ssl.entrypoints=smtp-ssl"
      - "traefik.tcp.routers.smtp-ssl.service=smtp-ssl"
      - "traefik.tcp.services.smtp-ssl.loadbalancer.server.port=465"
      - "traefik.tcp.services.smtp-ssl.loadbalancer.proxyProtocol.version=1"
      - "traefik.tcp.routers.imap-ssl.rule=HostSNI(`*`)"
      - "traefik.tcp.routers.imap-ssl.entrypoints=imap-ssl"
      - "traefik.tcp.routers.imap-ssl.service=imap-ssl"
      - "traefik.tcp.services.imap-ssl.loadbalancer.server.port=10993"
      - "traefik.tcp.services.imap-ssl.loadbalancer.proxyProtocol.version=2"
      - "traefik.tcp.routers.sieve.rule=HostSNI(`*`)"
      - "traefik.tcp.routers.sieve.entrypoints=sieve"
      - "traefik.tcp.routers.sieve.service=sieve"
      - "traefik.tcp.services.sieve.loadbalancer.server.port=4190"
    
    networks:
      proxy:
        ipv4_address: 172.25.0.12

📜 Relevant log output

Sep 23 12:27:27 mail postfix/smtps/smtpd[415654]: connect from traefik.proxy[172.25.0.2]
Sep 23 12:27:27 mail postfix/smtps/smtpd[415654]: SSL_accept error from traefik.proxy[172.25.0.2]: -1
Sep 23 12:27:27 mail postfix/smtps/smtpd[415654]: warning: TLS library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:331:
Sep 23 12:27:27 mail postfix/smtps/smtpd[415654]: lost connection after CONNECT from traefik.proxy[172.25.0.2]
Sep 23 12:27:27 mail postfix/smtps/smtpd[415654]: disconnect from traefik.proxy[172.25.0.2] commands=0/0
Sep 23 12:27:27 mail postfix/smtps/smtpd[415654]: connect from traefik.proxy[172.25.0.2]
Sep 23 12:27:27 mail postfix/smtps/smtpd[415654]: SSL_accept error from traefik.proxy[172.25.0.2]: -1
Sep 23 12:27:27 mail postfix/smtps/smtpd[415654]: warning: TLS library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:331:
Sep 23 12:27:27 mail postfix/smtps/smtpd[415654]: lost connection after CONNECT from traefik.proxy[172.25.0.2]
Sep 23 12:27:27 mail postfix/smtps/smtpd[415654]: disconnect from traefik.proxy[172.25.0.2] commands=0/0
Sep 23 12:27:28 mail postfix/smtps/smtpd[415654]: connect from traefik.proxy[172.25.0.2]
Sep 23 12:27:28 mail postfix/smtps/smtpd[415654]: SSL_accept error from traefik.proxy[172.25.0.2]: -1
Sep 23 12:27:28 mail postfix/smtps/smtpd[415654]: warning: TLS library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:331:
Sep 23 12:27:28 mail postfix/smtps/smtpd[415654]: lost connection after CONNECT from traefik.proxy[172.25.0.2]
Sep 23 12:27:28 mail postfix/smtps/smtpd[415654]: disconnect from traefik.proxy[172.25.0.2] commands=0/0
Sep 23 12:27:28 mail postfix/smtps/smtpd[415654]: connect from traefik.proxy[172.25.0.2]
Sep 23 12:27:28 mail postfix/smtps/smtpd[415654]: SSL_accept error from traefik.proxy[172.25.0.2]: -1
Sep 23 12:27:28 mail postfix/smtps/smtpd[415654]: warning: TLS library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:331:
Sep 23 12:27:28 mail postfix/smtps/smtpd[415654]: lost connection after CONNECT from traefik.proxy[172.25.0.2]
Sep 23 12:27:28 mail postfix/smtps/smtpd[415654]: disconnect from traefik.proxy[172.25.0.2] commands=0/0
Sep 23 12:27:28 mail postfix/smtps/smtpd[415654]: connect from traefik.proxy[172.25.0.2]
Sep 23 12:27:28 mail postfix/smtps/smtpd[415654]: SSL_accept error from traefik.proxy[172.25.0.2]: -1
Sep 23 12:27:28 mail postfix/smtps/smtpd[415654]: warning: TLS library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:331:
Sep 23 12:27:28 mail postfix/smtps/smtpd[415654]: lost connection after CONNECT from traefik.proxy[172.25.0.2]
Sep 23 12:27:28 mail postfix/smtps/smtpd[415654]: disconnect from traefik.proxy[172.25.0.2] commands=0/0
Sep 23 12:42:20 mail postfix/smtps/smtpd[417225]: connect from traefik.proxy[172.25.0.2]
Sep 23 12:42:20 mail postfix/smtps/smtpd[417225]: SSL_accept error from traefik.proxy[172.25.0.2]: -1
Sep 23 12:42:20 mail postfix/smtps/smtpd[417225]: warning: TLS library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:331:
Sep 23 12:42:20 mail postfix/smtps/smtpd[417225]: lost connection after CONNECT from traefik.proxy[172.25.0.2]
Sep 23 12:42:20 mail postfix/smtps/smtpd[417225]: disconnect from traefik.proxy[172.25.0.2] commands=0/0

About this issue

  • State: closed
  • Created 9 months ago
  • Comments: 24 (14 by maintainers)

Most upvoted comments

Hello, thank you for the help…

compose.yml:
version: '3.5'
services:
  mailserver:
    image: ghcr.io/docker-mailserver/docker-mailserver:latest
    restart: always
    container_name: mailserver
    # Provide the FQDN of your mail server here (Your DNS MX record should point to this value)
    hostname: mail.domain.com
#    env_file: mailserver.env
    volumes:
      - ${DOCKER_VOLUMES_FOLDER}/dms/mail-data/:/var/mail/
      - ${DOCKER_VOLUMES_FOLDER}/dms/mail-state/:/var/mail-state/
      - ${DOCKER_VOLUMES_FOLDER}/dms/mail-logs/:/var/log/mail/
      - ${DOCKER_VOLUMES_FOLDER}/dms/config/:/tmp/docker-mailserver/
      - /etc/localtime:/etc/localtime:ro
      - ${DOCKER_VOLUMES_FOLDER}/traefik/acme.json:/etc/letsencrypt/acme.json:ro # /live:ro

    cap_add:
      - NET_ADMIN # For Fail2Ban to work
    stop_grace_period: 1m
    environment:
      - SSL_TYPE=letsencrypt
#      - SSL_DOMAIN=domain.com

    # healthcheck:
    #   test: "ss --listening --tcp | grep -P 'LISTEN.+:smtp' || exit 1"
    #   timeout: 3s
    #   retries: 0

    labels:
      - "traefik.enable=true"
      - "traefik.tcp.routers.smtp.rule=HostSNI(`*`)"
      - "traefik.tcp.routers.smtp.entrypoints=smtp"
      - "traefik.tcp.routers.smtp.service=smtp"
      - "traefik.tcp.services.smtp.loadbalancer.server.port=25"
      - "traefik.tcp.services.smtp.loadbalancer.proxyProtocol.version=1"
      - "traefik.tcp.routers.smtp-ssl.rule=HostSNI(`*`)"
      - "traefik.tcp.routers.smtp-ssl.tls=false"
      - "traefik.tcp.routers.smtp-ssl.entrypoints=smtp-ssl"
      - "traefik.tcp.routers.smtp-ssl.service=smtp-ssl"
      - "traefik.tcp.services.smtp-ssl.loadbalancer.server.port=465"
      - "traefik.tcp.services.smtp-ssl.loadbalancer.proxyProtocol.version=1"
      - "traefik.tcp.routers.imap-ssl.rule=HostSNI(`*`)"
      - "traefik.tcp.routers.imap-ssl.entrypoints=imap-ssl"
      - "traefik.tcp.routers.imap-ssl.service=imap-ssl"
      - "traefik.tcp.services.imap-ssl.loadbalancer.server.port=10993"
      - "traefik.tcp.services.imap-ssl.loadbalancer.proxyProtocol.version=2"
      - "traefik.tcp.routers.sieve.rule=HostSNI(`*`)"
      - "traefik.tcp.routers.sieve.entrypoints=sieve"
      - "traefik.tcp.routers.sieve.service=sieve"
      - "traefik.tcp.services.sieve.loadbalancer.server.port=4190"
    
    networks:
      proxy:
        ipv4_address: 172.25.0.14


  traefik:
    image: traefik:2.10
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    ports:
      - "80:80"
      - "443:443"
      - "853:853"
      - "25:25"
      - "465:465"
      - "993:993"
      - "4190:4190"
    environment:
      - CF_API_EMAIL=${CF_API_EMAIL}
      - CF_DNS_API_TOKEN=${CF_API_TOKEN}
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ${DOCKER_VOLUMES_FOLDER}/traefik/traefik.yml:/traefik.yml:ro
      - ${DOCKER_VOLUMES_FOLDER}/traefik/acme.json:/acme.json
      - ${DOCKER_VOLUMES_FOLDER}/traefik/config.yml:/config.yml:ro
      - ${DOCKER_VOLUMES_FOLDER}/traefik/logs:/var/log/traefik
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.domain.com`)"
      - "traefik.http.routers.traefik-secure.service=api@internal"
    networks:
       proxy:
          ipv4_address: 172.25.0.2


networks:
  proxy:
    driver: bridge
    name: proxy
    ipam:
      config:
        - subnet: 172.25.0.0/16
          gateway: 172.25.0.1

traefik.yml:
api:
  dashboard: true
  debug: true

accessLog:
  filePath: "/var/log/access.log"

log:
  level: INFO
  format: json
  filePath: /var/log/traefik/traefik.log

accesslog:
   format: json
   filePath: /var/log/traefik/access.log

entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https

  # HTTPS endpoint, with domain wildcard
  https:
    address: :443
    http:
      tls:
        # Generate a wildcard domain certificate
        certResolver: cloudflare
        domains:
          - main: domain.com
            sans:
              - '*.domain.com'

  dot:
    address: ":853"
    
  smtp:
    address: ":25"

  smtp-ssl:
    address: ":465"

  imap-ssl:
    address: ":993"

  sieve:
    address: ":4190"


serversTransport:
  insecureSkipVerify: true

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: /config.yml

certificatesResolvers:
  cloudflare:
    acme:
      email: mail@domain.com
      storage: acme.json
      dnsChallenge:
        provider: cloudflare
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"

I commented out the mailserver.env and deleted the imap config file


$ docker exec -it mailserver sh -c 'timeout 1 openssl s_client -connect localhost:465'

 Server Temp Key: X25519, 253 bits
---
SSL handshake has read 5036 bytes and written 363 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384

When including the -servername flag I also get “Verification: OK” (same output)

Looking at the docker logs of the container:

Sep 24 19:32:01 mail postfix/smtps/smtpd[9526]: connect from localhost[127.0.0.1]
Sep 24 19:32:01 mail postfix/smtps/smtpd[9526]: Anonymous TLS connection established from localhost[127.0.0.1]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
Sep 24 19:32:01 mail opendmarc[464]: ignoring connection from localhost
Sep 24 19:32:02 mail postfix/smtps/smtpd[9526]: lost connection after CONNECT from localhost[127.0.0.1]
Sep 24 19:32:02 mail postfix/smtps/smtpd[9526]: disconnect from localhost[127.0.0.1] commands=0/0

However when connecting from an external client (no vpn), or a client from the server itself (with wireguard vpn & split dns) the same error logs happen:

Sep 24 19:30:13 mail postfix/smtps/smtpd[9352]: warning: TLS library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:331:

Trying with Thunderbird returns: “Thunderbird failed to find the settings for your account”

I thank you again for the very detailed answer; if you have no time, I will just keep trying by myself.

@polarathene I have used VSCode; it seems to be the default behavior https://stackoverflow.com/questions/50162952/vs-code-end-of-file-new-line-not-persisting. Thanks for the fix, it will probably prevent some headaches 😉

this smtps to submission change isn’t an easy one to spot in the examples section of the documentation (https://docker-mailserver.github.io/docker-mailserver/latest/examples/tutorials/mailserver-behind-proxy/). Maybe it is worth highlighting this part in the documentation?

What did you want to highlight?? It’s right there on the page you linked:

[image]

If you switch to a version prior to v13, such as v12.1 you have the old config:

[image]

While on the v13 release page I linked, under the “Breaking Changes” section (which you should always check when upgrading major versions of DMS) we also highlight this change:

[image]

If you know that you have a custom postfix-master.cf config related to smtps, then you’d know to adjust for that too (or at least check the docs page related to that change you added).

@polarathene I’m using the latest tag for docker images; maybe I made some tries to make it work back in the past with an older version, and this smtps to submission change isn’t an easy one to spot in the examples section of the documentation (https://docker-mailserver.github.io/docker-mailserver/latest/examples/tutorials/mailserver-behind-proxy/). Maybe it is worth highlighting this part in the documentation?

Can confirm that after @cypx’s change in config, 465 started to work for me with Traefik and the config from the examples.

I just ran into the same issue with version 13.1.0 & 13.2.0.

To fix the problem I needed to add the smtps/inet/smtpd_upstream_proxy_protocol=haproxy line to the postfix-main.cf file:

submission/inet/smtpd_upstream_proxy_protocol=haproxy
submissions/inet/smtpd_upstream_proxy_protocol=haproxy
smtps/inet/smtpd_upstream_proxy_protocol=haproxy

Also, it seems the container must be deleted to update the configuration when the line is added or removed (so it is easy to be misled).
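An added illustration, not code from this thread, docker-mailserver, Traefik or Postfix, of why the smtps log shows "wrong version number" when Traefik sends a PROXY protocol v1 header but the service answering on port 465 is not configured with smtpd_upstream_proxy_protocol=haproxy. An implicit-TLS listener expects a TLS record as the very first bytes; what arrives instead is the ASCII text PROXY, which a record layer reads as content type 0x50 and version 0x52 0x4F, matching no TLS version. With the haproxy option the header is consumed first and the handshake behind it is found. The model also covers the opposite mismatch (a direct connection, as with openssl s_client from inside the container, to a listener that does expect the header), which is why a test that bypasses the proxy and a test through it can give different results. The addresses and the ClientHello bytes are constructed samples; Postfix's real haproxy handling is not reproduced, only what the first bytes look like from each side.

```python
# Added illustration (not code from docker-mailserver, Traefik or Postfix):
# what an implicit-TLS listener sees when the proxy prepends a PROXY protocol
# header and the listener was, or was not, told to expect one.
import struct
from typing import Dict, Tuple

PROXY_V1_PREFIX = b"PROXY "
PROXY_V2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
TLS_HANDSHAKE = 0x16          # TLS record content type for handshake messages
PROXY_V1_MAX_LEN = 107        # PROXY v1 header maximum, CRLF included


def classify_first_bytes(data: bytes) -> str:
    """Say what starts the stream: a PROXY v1/v2 header, a TLS record, or something else."""
    if data.startswith(PROXY_V2_SIGNATURE):
        return "proxy-v2"
    if data.startswith(PROXY_V1_PREFIX):
        return "proxy-v1"
    if len(data) >= 3 and data[0] == TLS_HANDSHAKE and data[1] == 0x03 and data[2] <= 0x04:
        return "tls-record"
    return "other"


def tls_record_view(data: bytes) -> Dict[str, object]:
    """Interpret the first five bytes the way a TLS record layer would."""
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return {
        "content_type": ctype,
        "version": (major, minor),
        "length": length,
        "looks_like_tls": ctype == TLS_HANDSHAKE and major == 0x03,
    }


def strip_proxy_v1(data: bytes) -> Tuple[Dict[str, object], bytes]:
    """Parse and remove a PROXY v1 header; return the client info and the remaining bytes."""
    if not data.startswith(PROXY_V1_PREFIX):
        raise ValueError("no PROXY v1 header")
    end = data.find(b"\r\n")
    if end < 0 or end + 2 > PROXY_V1_MAX_LEN:
        raise ValueError("malformed PROXY v1 header")
    fields = data[:end].decode("ascii").split(" ")
    # Expected layout: PROXY <TCP4|TCP6> <src> <dst> <sport> <dport>
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("unsupported PROXY v1 header")
    info = {"family": fields[1], "src": fields[2], "dst": fields[3],
            "sport": int(fields[4]), "dport": int(fields[5])}
    return info, data[end + 2:]


def constructed_client_hello() -> bytes:
    """A minimal, constructed TLS handshake record (record version 3.1, as real ClientHellos use)."""
    body = b"\x01\x00\x00\x04\x03\x03\x00\x00"   # handshake type 1 = ClientHello, then filler
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(body)) + body


def simulate_implicit_tls_listener(data: bytes, expects_proxy_header: bool) -> str:
    """Model the listener's reaction to the first bytes arriving on port 465."""
    if expects_proxy_header:
        if classify_first_bytes(data) != "proxy-v1":
            return "proxy header expected but absent"
        _, data = strip_proxy_v1(data)
    return "handshake" if tls_record_view(data)["looks_like_tls"] else "wrong version number"


# Constructed sample: what Traefik with proxyProtocol.version=1 puts on the wire.
SAMPLE_PROXIED = b"PROXY TCP4 203.0.113.5 172.25.0.12 51234 465\r\n" + constructed_client_hello()

if __name__ == "__main__":
    print("first bytes read as a TLS record:", tls_record_view(SAMPLE_PROXIED))
    print("smtps without haproxy option:", simulate_implicit_tls_listener(SAMPLE_PROXIED, False))
    print("smtps with haproxy option:   ", simulate_implicit_tls_listener(SAMPLE_PROXIED, True))
    print("direct localhost test against a haproxy-enabled listener:",
          simulate_implicit_tls_listener(constructed_client_hello(), True))
```

The practical check this models: the service that Traefik forwards port 465 to must be the one carrying the haproxy option. In the v12 master.cf that service is named smtps, so a submissions line alone leaves the smtps service reading the PROXY header as a TLS record, which is exactly the "wrong version number" line in the log above.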

Alright, well I’m out of ideas for now sorry 😭

At the same time another user reported roughly the same problem with configuring Traefik to work with DMS. I’d love to help but I don’t have the time right now to invest into figuring it out 😦

Hello, as I said since the first comment, your help and time were very appreciated. I always managed to have DMS working with nginx-proxy, had to switch to Traefik and now I’m in the same situation as the author of the issue you linked: Thunderbird not working (autodiscover failing), and I have been trying to make this work for three weeks now. I think many misunderstandings could have been avoided with better documentation; if I ever manage, I can cover this by providing a working Traefik config, especially because I’m in an ideal environment, I guess: a VPS, ports opened with ufw, only 3 containers running and nothing fancy. Plus Traefik has gained popularity, so other duplicate (useless) issues like mine may become even more common in the near future (quite curious that the issue you linked was opened a few days after mine). I even checked with a ticket whether my hosting was blocking some ports, since I read somewhere that it may happen (mostly with 25, but I asked anyway).

Traefik never terminated TLS on the DMS endpoints; indeed we already have, for each endpoint, - "traefik.tcp.routers.smtp-ssl.tls=false"

Are you sure that should be false when using passthrough?: https://doc.traefik.io/traefik/routing/routers/#passthrough

The docs for Traefik seem to mention passthrough as an option for when TLS is enabled by Traefik, but it instructs Traefik to not terminate and to pass the encrypted connection to the proxied service.

At the time of my last comment I knew that passthrough makes sense only when TLS is enabled too, but, just for safety, I did try all the permutations with no success before commenting.

With Traefik, is it terminating TLS on its end, instead of passing through the TLS connection to DMS on port 465?

When you use a reverse proxy it is common to have it handle TLS termination at the reverse proxy when using it for web services with HTTPS; then the internal web service does not need to bother with HTTPS / TLS, and just exposes an HTTP port for the reverse proxy to connect to.

With DMS, port 465 is expected to be a secure connection, and that is why it gets configured with TLS certs. You would need the reverse proxy to not terminate TLS, but pass that through to the DMS port 465 service.

With port 25 you would be fine as it would always be plain text (if it can’t properly communicate the StartTLS protocol due to the reverse proxy?). Port 587 will confirm that, as it should not allow an insecure connection since a working StartTLS protocol is mandatory. Traefik would not use TLS on port 587 AFAIK, since StartTLS must negotiate establishing the secure connection (unlike port 465 where TLS is implicit and expects the connection to begin secured).

Traefik never terminated TLS on the DMS endpoints; indeed we already have, for each endpoint, - "traefik.tcp.routers.smtp-ssl.tls=false" and, just for safety, I also enabled - "traefik.tcp.routers.smtp-ssl.tls.passthrough=true"

but still the same error.