Traefik proxy and IMAP certificate mismatch

Issue #731 resolved
Varad Kumar created an issue

I used the following docker-compose configuration to set up a Traefik proxy to route traffic for mail.domain.io to the poste container. This works: I can access the poste container from outside and set it up. The only issue that pops up is when I try to access IMAP from another device: the TLS certificate does not match my hostname, i.e. mail.domain.io. It still uses the following credentials when establishing an IMAP connection.

Sample IMAP connection certificate header

CONNECTED(00000005)
depth=1 C = XY, ST = unknown, L = unknown, O = QSMTPD, OU = CA, CN = poste, emailAddress = postmaster@poste
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=XY/ST=unknown/L=unknown/O=QSMTPD/OU=Server/CN=poste/emailAddress=postmaster@poste
   i:/C=XY/ST=unknown/L=unknown/O=QSMTPD/OU=CA/CN=poste/emailAddress=postmaster@poste

Credentials poste uses:

mail: postmaster@poste

CN: poste

Docker-compose:

version: '3'
services:
##################################################
#---Traefik
##################################################

    traefik:
        container_name: traefik
        # The official v2.0 Traefik docker image
        image: traefik
        # Enables the web UI and tells Traefik to listen to docker
        environment:
            - PUID=1000
            - PGID=1000
            - TZ=America/Los_Angeles
        command:
            - "--api=true"
            - "--api.dashboard=true"
            - "--providers.docker"
            - "--providers.docker.exposedbydefault=false"
            - "--entrypoints.web.address=:80"
            - "--entrypoints.websecure.address=:443"
            # Use HTTP challenge to get certificate.
            - "--certificatesresolvers.letsencryptresolver.acme.httpchallenge=true"
            - "--certificatesresolvers.letsencryptresolver.acme.httpchallenge.entrypoint=web"
            - "--certificatesresolvers.letsencryptresolver.acme.email=mail@domain.io"
            - "--certificatesresolvers.letsencryptresolver.acme.storage=/letsencrypt/acme.json"
        ports:
            # The HTTP port
            - "80:80"
            # The HTTPS port
            - "443:443"
            # Port 8080 only serves the dashboard when --api.insecure=true is set,
            # which it is not here; the dashboard is reached through the `traefik`
            # router on 443 instead, so 8080 is not published.
        labels:
            - "traefik.enable=true"
            - "traefik.http.routers.traefik.rule=Host(`traefik.domain.io`)"
            - "traefik.http.routers.traefik.entrypoints=websecure"
            - "traefik.http.routers.traefik.tls.certresolver=letsencryptresolver"
            - "traefik.http.routers.traefik.service=api@internal"
            # Attach the basicauth middleware defined below so the dashboard is not open to anyone
            - "traefik.http.routers.traefik.middlewares=traefik-auth@docker"
            # Router to redirect all traffic from http to https
            - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
            - "traefik.http.routers.http-catchall.entrypoints=web"
            - "traefik.http.routers.http-catchall.middlewares=redirect-to-https@docker"
            # Middlewares #
            - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
            # htpasswd-style user:hash; `$` is doubled so docker-compose does not expand it
            - "traefik.http.middlewares.traefik-auth.basicauth.users=var:$$apr1$$Uaw1MeVe$$vav3THCcxzTR2Y/eI2eV7/"
        volumes:
            # So that Traefik can listen to the Docker events
            - /var/run/docker.sock:/var/run/docker.sock
            # To persist certificates
            - ./letsencrypt:/letsencrypt


##################################################
#---Poste
##################################################

    poste:
        hostname: mail.domain.io
        image: analogic/poste.io
        container_name: poste
        restart: always
        ports:
            - '25:25'       #  SMTP - mostly processing incoming mails
            - '110:110'     #  POP3 - standard protocol for accessing mailbox, STARTTLS is required before client auth
            - '143:143'     #  IMAP - standard protocol for accessing mailbox, STARTTLS is required before client auth
            - '587:587'     #  MSA - SMTP port used primarily for email clients after STARTTLS and auth
            - '993:993'     #  IMAPS - alternative port for IMAP, encrypted from the start of the connection
            - '995:995'     #  POP3S - POP3 encrypted from the start of the connection
            - '4190:4190'   #  Sieve - Filters
        environment:
            - PUID=1000
            - PGID=1000
            - TZ=America/Los_Angeles
            - HTTPS=OFF
            #- DISABLE_CLAMAV=TRUE 

        labels:
            - "traefik.enable=true"
            - "traefik.http.routers.poste.rule=Host(`mail.domain.io`)"
            - "traefik.http.routers.poste.tls.certresolver=letsencryptresolver"
            # Terminate HTTPS at Traefik (HTTPS=OFF above) and forward plain HTTP to port 80 inside the container.
            - "traefik.http.routers.poste.entrypoints=websecure"
            - "traefik.http.services.poste.loadbalancer.server.port=80"

        volumes:
            - /etc/localtime:/etc/localtime:ro
            - ./poste/data:/data

I tried to look for a way to pass the /.well-known request to the container, but I think that already happens with Traefik. Is there a way to change the credentials on the IMAP certificate using docker-compose environment variables? If not, is there a way to add custom TLS for IMAPS and POP3S so that the certificates match the ones issued by LE (Traefik)?

Comments (5)

  1. Pavel S

    You could extract the Traefik certs from the acme.json file and mount them into the poste data folder.

    version: "3.3"
    services:
      traefik:
        # Traefik config
        volumes:
          - traefik_acme:/letsencrypt
    
      traefik-certs:
        image: sebt3/traefik-certs
        environment:
          - ACME_PATH=/acme
          - CERT_PATH=/certs
        volumes:
          - traefik_acme:/acme
          - /opt/traefik/certs:/certs
    
      poste:
        # Poste config
        volumes:
          # Mount traefik certs to poste ssl folder
          - /opt/traefik/certs/mail.domain.io.key:/data/ssl/server.key:ro
          - /opt/traefik/certs/mail.domain.io.crt:/data/ssl/server.crt:ro
          - /opt/traefik/certs/mail.domain.io.chain.crt:/data/ssl/ca.crt:ro
    
    # Named volume shared by traefik and traefik-certs so the sidecar can read acme.json
    volumes:
      traefik_acme:
    

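The extraction step Pavel describes, written out as an added example (not the original poster's code and not the sebt3/traefik-certs image's own code): it reads a Traefik v2 acme.json, finds the entry whose main domain or SANs cover the mail hostname, base64-decodes the PEM key and full chain, splits the chain into the leaf and the issuer certificates, and writes the three files under the names poste.io reads from /data/ssl (server.key, server.crt, ca.crt). The Traefik v2 acme.json layout it assumes is `{"<resolver>": {"Certificates": [{"domain": {"main": ..., "sans": [...]}, "certificate": <base64 PEM chain>, "key": <base64 PEM key>}]}}`; the resolver name, hostnames and output directory are taken from the compose files above, and the embedded acme.json is constructed with placeholder PEM bodies rather than real key material.

```python
"""Pull the Let's Encrypt certificate and key for one hostname out of a
Traefik v2 acme.json and write the three PEM files poste.io reads from
/data/ssl (server.key, server.crt, ca.crt)."""
import base64
import json
import os
import re
from pathlib import Path
from typing import Optional

# One PEM certificate block, including its trailing newline.
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----\n?", re.S)


def domain_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or a single-label wildcard such as *.domain.io."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        # A wildcard covers exactly one label: *.domain.io matches mail.domain.io
        # but not a.b.domain.io.
        return hostname.endswith(pattern[1:]) and hostname.count(".") == pattern.count(".")
    return False


def find_certificate(acme: dict, hostname: str, resolver: Optional[str] = None) -> dict:
    """Return the acme.json entry whose main domain or SANs cover hostname.
    Searches every resolver unless one is named (assumed Traefik v2 layout)."""
    for name in ([resolver] if resolver else list(acme)):
        for entry in (acme.get(name) or {}).get("Certificates") or []:
            names = [entry["domain"]["main"]] + list(entry["domain"].get("sans") or [])
            if any(domain_matches(n, hostname) for n in names):
                return entry
    raise LookupError(f"no certificate covering {hostname} in acme.json")


def split_chain(pem_chain: str) -> tuple:
    """Split a full-chain PEM into (leaf, intermediates); Traefik stores the
    leaf first, followed by the issuer chain."""
    blocks = PEM_CERT.findall(pem_chain)
    if not blocks:
        raise ValueError("no CERTIFICATE blocks in chain")
    return blocks[0], "".join(blocks[1:])


def extract(acme_text: str, hostname: str, resolver: Optional[str] = None) -> dict:
    """Map one acme.json entry onto the file names poste.io expects."""
    entry = find_certificate(json.loads(acme_text), hostname, resolver)
    key_pem = base64.b64decode(entry["key"]).decode()
    leaf, intermediates = split_chain(base64.b64decode(entry["certificate"]).decode())
    return {"server.key": key_pem, "server.crt": leaf, "ca.crt": intermediates}


def write_for_poste(files: dict, out_dir: str) -> list:
    """Write the three files into out_dir. The private key is created 0600 from
    the start (not chmod'ed afterwards) so it is never briefly world-readable."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    written = []
    for name, pem in files.items():
        path = out / name
        mode = 0o600 if name.endswith(".key") else 0o644
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
        with os.fdopen(fd, "w") as fh:
            fh.write(pem)
        os.chmod(path, mode)  # O_CREAT's mode only applies to newly created files
        written.append(str(path))
    return written


def _pem(label: str, body: str) -> str:
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


# Constructed acme.json for a stand-alone run: the PEM bodies are placeholders,
# not real key material, but the structure is the Traefik v2 one.
SAMPLE_ACME = json.dumps({
    "letsencryptresolver": {
        "Account": {"Email": "mail@domain.io"},
        "Certificates": [
            {"domain": {"main": "traefik.domain.io"},
             "certificate": _b64(_pem("CERTIFICATE", "TRAEFIK-LEAF")),
             "key": _b64(_pem("PRIVATE KEY", "TRAEFIK-KEY")), "Store": "default"},
            {"domain": {"main": "mail.domain.io", "sans": ["imap.domain.io"]},
             "certificate": _b64(_pem("CERTIFICATE", "MAIL-LEAF") + _pem("CERTIFICATE", "ISSUER")),
             "key": _b64(_pem("PRIVATE KEY", "MAIL-KEY")), "Store": "default"},
        ],
    }
})

if __name__ == "__main__":
    import sys
    # Usage: extract_certs.py ./letsencrypt/acme.json mail.domain.io /opt/traefik/certs
    if len(sys.argv) == 4:
        print(write_for_poste(extract(Path(sys.argv[1]).read_text(), sys.argv[2]), sys.argv[3]))
    else:
        print(extract(SAMPLE_ACME, "mail.domain.io")["server.crt"])
```

Traefik keeps acme.json at mode 0600 and refuses to start with it more open, so the script has to run as the user that owns the file, and the output directory should be just as tightly held since it carries the private key. The three files are static copies, so re-run the script whenever Traefik renews (a cron job or a watch on acme.json's mtime is enough), then confirm with `openssl s_client -connect mail.domain.io:993 -servername mail.domain.io` (add `-starttls imap` for port 143) that the subject line now reads CN=mail.domain.io instead of CN=poste and that the self-signed QSMTPD issuer no longer appears in the chain.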