Do you have an example for reverse proxying all mailserver traffic through Nginx ?

[LeVraiRoiDHyrule]

Hi,

I am using Nginx as my reverse proxy, with multiple plugins such as geoip restrictions, crowdsec bouncer... so I would like all my mailserver traffic (including mail traffic on ports 25, 587, imap...) to go through Nginx.

I have read https://docker-mailserver.github.io/docker-mailserver/latest/examples/tutorials/mailserver-behind-proxy/#reverse-proxy . That is what I want to achieve, but with Nginx instead of Traefik.

Nginx does provide a starting point, but I believe there is much more to set up to tailor it to DMS https://docs.nginx.com/nginx/admin-guide/mail-proxy/mail-proxy/. So far I have tried the following:

        mail {
          server_name mail.example.com;
          auth_http localhost:9000/cgi-bin/nginxauth.cgi;
          proxy_pass_error_message on;
          ssl on;
          ssl_certificate /etc/letsencrypt/live/mail.${DOMAIN}/fullchain.pem;
          ssl_certificate_key /etc/letsencrypt/live/mail.${DOMAIN}/privkey.pem;
          ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
          ssl_ciphers HIGH:!aNULL:!MD5;
          ssl_session_cache shared:SSL:10m;
          ssl_session_timeout 10m;

          server {
              listen 25;
              protocol smtp;
              smtp_auth login plain cram-md5;
          }

          server {
              listen 110;
              protocol pop3;
              pop3_auth plain apop cram-md5;
          }

          server {
              listen 143;
              protocol imap;
          }

          server {
              listen 465;
              protocol smtps;
          }

          server {
              listen 587;
              protocol smtp;
              smtp_auth login plain cram-md5;
          }

          server {
              listen 993;
              protocol imaps;
          }
        }

but with no success.

Do you have an example, somewhere, of the equivalent configuration for Nginx ?
I would like to ask for help to set that up.

Thanks in advance for any answer, have a nice day.

[polarathene]

Generally there is little value in putting DMS behind a reverse proxy. You rarely have more than one service that needs to route from those ports that DMS is using for mail, so what other benefits are you seeking beyond TLS being terminated at the reverse proxy instead of DMS?

There is often a misunderstanding with that guide, it is meant to demonstrate how to support deployments where such a setup is necessary (it was documented for kubernetes ingress). It's otherwise extra complexity to manage with no real benefit?

Publish the DMS ports and give DMS access to the certificate it needs to manage TLS on it's end. Unless you know a specific reason to require this setup, you shouldn't need it.

---

Nginx feedback

If you still choose to pursue this, I cannot assist you that much. I will provide you with some context and corrections to get you started.

smtp_auth / pop3_auth I think are probably only ever plain with DMS, so you might want to align with that. By default STARTTLS ports that require credentials for auth will reject the connection if it fails to upgrade from uncrypted cleartext to TLS, but keep in mind some clients may still attempt to send the credentials through despite TLS upgrade failing and being rejected, in which case if someone was monitoring the traffic, the plain auth would have the credentials leaked.

Nginx is a little different there in having protocol support for mail servers. This is not something Traefik or Caddy L4 support AFAIK. Logically for STARTLS ports, Nginx could handle these and send the traffic back to DMS after (optionally?) terminating TLS. I'm not quite sure how that interacts with DMS though, but DMS is configured to enforce TLS on it's end (except for port 25).

For port 465, protocol smtps may be invalid. Notice that unlike pot 587 you have omitted auth (something your IMAP ports probably should have too?):

• SMTPS is legacy (port 25 with implicit TLS for third-party delivery) which never officially became a standard so no mail client should be trying to deliver mail like that, it'd always be over port 25 without authentication.
• Since 2018 port 465 is like port 587, except it's implicit TLS instead of explicit (STARTTLS). That said DMS is configured to expect that as a direct connection where it ensures and terminates TLS, not a reverse proxy. You would have to change that in /etc/postfix/master.cf and only trust traffic from the reverse proxy IP.

If instead you want to configure Nginx more like the existing Traefik guide does, you pass the connection through to DMS. There were two configurations covered in that guide:

• Public ports (standard mail server ports) through Traefik to the same private container ports.
• Optionally duplicating those private ports to non-standard ports (1xxxx), and having the reverse proxy route traffic to the non-standard ones instead. This allows traffic connecting to DMS within the Docker host to connect directly instead of indirectly through the reverse proxy, but it complicates the setup more.

In both cases the DMS ports that the reverse proxy routes traffic to are modified via config to use PROXY Protocol. You have no configured Nginx to use that. You must do this to correctly preserve the client IP, otherwise all traffic to DMS would be appearing to come from the reverse proxy IP (which is likely in the same private subnet of the DMS container, and thus some config may trust this IP to bypass some security IIRC), you do not want this mistake.