How do I debug "SSL routines::wrong version number "

[DougReeder]

I have just set up the current version of docker-mailserver, using the Helm chart docker-mailserver-4.2.1.

Kubernetes versions are:

• Client Version: v1.32.2
• Kustomize Version: v5.5.0
• Server Version: v1.31.6

My cluster is managed by DigitalOcean and has one node at present.

The logs appeared normal until I used setup email add to create the first account. Then I get an endless cycle of these log messages:

2025-06-06T17:15:36.301891-04:00 docker-mailserver-85489f7d67-pb9t8 dovecot: imap-login: Disconnected: Connection closed: SSL_accept() failed: error:0A00010B:SSL routines::wrong version number (no auth attempts in 0 secs): user=<>, rip=10.244.0.53, lip=10.244.0.83, TLS handshaking: SSL_accept() failed: error:0A00010B:SSL routines::wrong version number, session=<6Sg2u+02TpsK9AA1>
2025-06-06T17:15:36.425376-04:00 docker-mailserver-85489f7d67-pb9t8 dovecot: imap-login: Disconnected: Connection closed: read(size=1026) failed: Connection reset by peer (no auth attempts in 0 secs): user=<>, rip=10.244.0.53, lip=10.244.0.83, TLS handshaking: read(size=1026) failed: Connection reset by peer, session=<NAs4u+023swK9AA1>
2025-06-06T17:15:36.506849-04:00 docker-mailserver-85489f7d67-pb9t8 postfix/postscreen[1071]: warning: getpeername: Transport endpoint is not connected -- dropping this connection
2025-06-06T17:15:36.635336-04:00 docker-mailserver-85489f7d67-pb9t8 postfix/smtp-proxy/postscreen[1061]: warning: getpeername: Transport endpoint is not connected -- dropping this connection
2025-06-06T17:15:36.836187-04:00 docker-mailserver-85489f7d67-pb9t8 postfix/submission/smtpd[1065]: connect from unknown[unknown]
2025-06-06T17:15:36.836234-04:00 docker-mailserver-85489f7d67-pb9t8 postfix/submission/smtpd[1065]: improper command pipelining after CONNECT from unknown[unknown]: \r\n\r\n\000\r\nQUIT\n \000\000\000
2025-06-06T17:15:36.837158-04:00 docker-mailserver-85489f7d67-pb9t8 postfix/submission/smtpd[1065]: lost connection after QUIT from unknown[unknown]
2025-06-06T17:15:36.838001-04:00 docker-mailserver-85489f7d67-pb9t8 postfix/submission/smtpd[1065]: disconnect from unknown[unknown] quit=0/1 commands=0/1
2025-06-06T17:15:36.956504-04:00 docker-mailserver-85489f7d67-pb9t8 postfix/submissions/smtpd[1067]: connect from unknown[unknown]
2025-06-06T17:15:36.958919-04:00 docker-mailserver-85489f7d67-pb9t8 postfix/submissions/smtpd[1067]: SSL_accept error from unknown[unknown]: -1
2025-06-06T17:15:36.958953-04:00 docker-mailserver-85489f7d67-pb9t8 postfix/submissions/smtpd[1067]: warning: TLS library problem: error:0A00010B:SSL routines::wrong version number:../ssl/record/ssl3_record.c:354:
2025-06-06T17:15:36.959096-04:00 docker-mailserver-85489f7d67-pb9t8 postfix/submissions/smtpd[1067]: lost connection after CONNECT from unknown[unknown]
2025-06-06T17:15:36.959111-04:00 docker-mailserver-85489f7d67-pb9t8 postfix/submissions/smtpd[1067]: disconnect from unknown[unknown] commands=0/0

---

setup email list gives me a list of accounts without any errors.

When I use swaks to a just-created user from a shell in the docker-mailserver pod:

swaks --server docker-mailserver --port 25 -tls \
  --from probe@new.hominidsoftware.com \
  --to skapi@new.hominidsoftware.com \
  --helo dms.hominidsoftware.com

I get the error Recipient address rejected: User unknown in virtual mailbox table and the log contains dovecot: auth: passwd-file(skapi@new.hominidsoftware.com): unknown user amid all the stuff above.

A second email using swaks is rejected with 554 5.7.1 Spam message rejected and that also appears in the log amid all the stuff above.

I didn't see anything that appears relevant in https://docker-mailserver.github.io/docker-mailserver/latest/faq/

How do i go about debugging this?

[polarathene]

How do i go about debugging this?

Start with a minimal reproduction example. I would suggest just a plain Docker container or with Docker Compose first to get that working well, then you can troubleshoot to the equivalent config in the helm chart.

Generally you start with the bare minimum and slowly introduce any additional config until the problem appears, then you can better identify the cause. It can sometimes be a slow process, and while additional effort if you share your solution (especially if you contribute to docs), it can help others avoid that mistake (or resolve it faster).

---

Basic DMS config

compose.yaml:

name: basic-dms

services:
  dms:
    image: ghcr.io/docker-mailserver/docker-mailserver:latest # :15.0
    hostname: mail.example.test
    environment:
      # Minimize container startup time and reduce complexity:
      ENABLE_AMAVIS: 0
      ENABLE_OPENDKIM: 0
      ENABLE_OPENDMARC: 0
      ENABLE_POLICYD_SPF: 0
    configs:
      - source: dms-accounts
        target: /tmp/docker-mailserver/postfix-accounts.cf

# NOTE:
# - `$$` is required to escape `$` from ENV interpolation (Docker Compose feature)
# - Both accounts have the same password: `secret`
configs:
  dms-accounts:
    content: |
      jane.doe@example.test|{SHA512-CRYPT}$$6$$sbgFRCmQ.KWS5ryb$$EsWrlYosiadgdUOxCBHY0DQ3qFbeudDhNMqHs6jZt.8gmxUwiLVy738knqkHD4zj4amkb296HFqQ3yDq4UXt8.
      john.doe@example.test|{SHA512-CRYPT}$$6$$sbgFRCmQ.KWS5ryb$$EsWrlYosiadgdUOxCBHY0DQ3qFbeudDhNMqHs6jZt.8gmxUwiLVy738knqkHD4zj4amkb296HFqQ3yDq4UXt8.

with-tls.yaml:

services:
  dms:
    environment:
      SSL_TYPE: manual
      SSL_KEY_PATH: /srv/tls/key.pem
      SSL_CERT_PATH: /srv/tls/cert.pem
    configs:
      - source: tls-cert
        target: /srv/tls/cert.pem
      - source: tls-key
        target: /srv/tls/key.pem
      # Optional - Allows clients in the container to verify cert trust with the CA that signed it:
      #- source: tls-ca-cert
      #  target: /usr/local/share/ca-certificates/ca-smallstep.crt
      #- source: script-trust-private-ca
      #  target: /tmp/docker-mailserver/user-patches.sh

configs:
  script-trust-private-ca:
    content: |
      #!/bin/bash

      update-ca-certificates

  # Example ECDSA cert files for testing locally:
  tls-ca-cert:
    content: |
      -----BEGIN CERTIFICATE-----
      MIIBfTCCASKgAwIBAgIRAMAZttlRlkcuSun0yV0z4RwwCgYIKoZIzj0EAwIwHDEa
      MBgGA1UEAxMRU21hbGxzdGVwIFJvb3QgQ0EwHhcNMjEwMTAxMDAwMDAwWhcNMzEw
      MTAxMDAwMDAwWjAcMRowGAYDVQQDExFTbWFsbHN0ZXAgUm9vdCBDQTBZMBMGByqG
      SM49AgEGCCqGSM49AwEHA0IABJX2hCtoK3+bM5I3rmyApXLJ1gOcVhtoSSwM8XXR
      SEl25Kkc0n6mINuMK8UrBkiBUgexf6CYayx3xVr9TmMkg4KjRTBDMA4GA1UdDwEB
      /wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQWBBQD8sBrApbyYyqU
      y+/TlwGynx2V5jAKBggqhkjOPQQDAgNJADBGAiEAi8N2eOETI+6hY3+G+kzNMd3K
      Sd3Ke8b++/nlwr5Fb/sCIQDYAjpKp/MpTDWICeHC2tcB5ptxoTdWkTBuG4rKcktA
      0w==
      -----END CERTIFICATE-----

  tls-key:
    content: |
      -----BEGIN EC PRIVATE KEY-----
      MHcCAQEEIOc6wqZmSDmT336K4O26dMk1RCVc0+cmnsO2eK4P5K5yoAoGCCqGSM49
      AwEHoUQDQgAEFOWNgekKKvUZE89vJ7henUYxODYIvCiHitRc2ylwttjqt1KUY1cp
      q3jof2fhURHfBUH3dHPXLHig5V9Jw5gqeg==
      -----END EC PRIVATE KEY-----

  tls-cert:
    content: |
      -----BEGIN CERTIFICATE-----
      MIIB9DCCAZqgAwIBAgIQE53a/y2c//YXRsz2kLm6gDAKBggqhkjOPQQDAjAcMRow
      GAYDVQQDExFTbWFsbHN0ZXAgUm9vdCBDQTAeFw0yMTAxMDEwMDAwMDBaFw0zMTAx
      MDEwMDAwMDBaMBkxFzAVBgNVBAMTDlNtYWxsc3RlcCBMZWFmMFkwEwYHKoZIzj0C
      AQYIKoZIzj0DAQcDQgAEFOWNgekKKvUZE89vJ7henUYxODYIvCiHitRc2ylwttjq
      t1KUY1cpq3jof2fhURHfBUH3dHPXLHig5V9Jw5gqeqOBwDCBvTAOBgNVHQ8BAf8E
      BAMCB4AwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBSz
      w74g+O6dcBbwienD70D8A9ESmDAfBgNVHSMEGDAWgBQD8sBrApbyYyqUy+/TlwGy
      nx2V5jBMBgNVHREERTBDghFtYWlsLmV4YW1wbGUudGVzdIIVbWFpbC5kZXN0aW5h
      dGlvbi50ZXN0ghdzbXRwLnJlbGF5LXNlcnZpY2UudGVzdDAKBggqhkjOPQQDAgNI
      ADBFAiEAoety5oClZtuBMkvlUIWRmWlyg1VIOZ544LSEbplsIhcCIHb6awMwNdXP
      m/xHjFkuwH1+UjDDRW53Ih7KZoLrQ6Cp
      -----END CERTIFICATE-----

Test commands

Example swaks commands. You can remove the --silent option if you like, but otherwise you'll only get output when sending was unsuccessful.

# Start DMS:
docker compose up -d --force-recreate

# Shell into the container to use swaks CLI:
docker compose exec -it dms bash

# Send test mail to port 25 via plain text (unencrypted):
swaks --server mail.example.test --port 25 --from jane.doe@example.test --to john.doe@example.test --silent

This time with TLS, we'll specify both YAML configs this time to merge the TLS config into the main compose.yaml:

# Start DMS again, now with TLS enabled:
docker compose --file compose.yaml --file with-tls.yaml up -d --force-recreate
docker compose exec -it dms bash

# Sending test mail to port 25 via STARTTLS (encrypted):
swaks --server mail.example.test --port 25 -tls --from jane.doe@example.test --to john.doe@example.test --silent

This example was a little simplified because we skipped DNS records and we also did it all within the same container and system. However that seems to be sufficient for the failure you were running into, so it might not need to be complicated beyond that.

[DougReeder]

Thanks!

I've uninstalled docker-mailserver and re-installed it, and now some emails are accepted.

I've checked that there is a PEM certificate and PEM RSA private key at the locations specified by SSL_CERT_PATH and SSL_KEY_PATH.

Using the directions at the DMS TLS docs I have verified the certificate is ok.

Now emails sent to port 25 on the pod are accepted:

swaks -tls --server docker-mailserver-6f79f49b8-9p9rt --port 25 --from second@hominidsoftware.com --to first@hominidsoftware.com --helo dms.hominidsoftware.com --auth-optional --auth-user second

but TLS appears to fail because the pod DNS name doesn't match my certificate:

TLS peer certificate passed CA verification, failed host verification

*** Host did not advertise authentication

Sending the same command to port 587 on the pod gets a similar message re: TLS, but authentication fails:

535 5.7.8 Error: authentication failed: (reason unavailable)

Sending the same command to port 465 on the pod outright fails with timeout:

 Timeout (30 secs) waiting for server response

The Helm chart creates this user-patches script to create proxy ports, so ports 25, 587 and 465 shouldn't have the PROXY Protocol enabled, as the docs say.

  user-patches.sh: |
      #!/bin/bash
      # Make sure to keep this file in sync with https://github.com/docker-mailserver/docker-mailserver/blob/master/target/postfix/master.cf!
      cat <<EOS >> /etc/postfix/master.cf
      
      # Submission with proxy
      10587     inet  n       -       n       -       -       smtpd
        -o syslog_name=postfix/submission
        -o smtpd_tls_security_level=encrypt
        -o smtpd_sasl_auth_enable=yes
        -o smtpd_sasl_type=dovecot
        -o smtpd_reject_unlisted_recipient=no
        -o smtpd_sasl_authenticated_header=yes
        -o smtpd_client_restrictions=permit_sasl_authenticated,reject
        -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
        -o smtpd_sender_restrictions=\$mua_sender_restrictions
        -o smtpd_discard_ehlo_keywords=
        -o milter_macro_daemon_name=ORIGINATING
        -o cleanup_service_name=sender-cleanup
        -o smtpd_upstream_proxy_protocol=haproxy  
      
      # Submissions with proxy
      10465     inet  n       -       n       -       -       smtpd
        -o syslog_name=postfix/submissions
        -o smtpd_tls_wrappermode=yes
        -o smtpd_sasl_auth_enable=yes
        -o smtpd_sasl_type=dovecot
        -o smtpd_reject_unlisted_recipient=no
        -o smtpd_sasl_authenticated_header=yes
        -o smtpd_client_restrictions=permit_sasl_authenticated,reject
        -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
        -o smtpd_sender_restrictions=\$mua_sender_restrictions
        -o smtpd_discard_ehlo_keywords=
        -o milter_macro_daemon_name=ORIGINATING
        -o cleanup_service_name=sender-cleanup
        -o smtpd_upstream_proxy_protocol=haproxy
      
      # Smtp with proxy
      12525     inet  n       -       n       -       1       postscreen
        -o syslog_name=postfix/smtp-proxy
        -o postscreen_upstream_proxy_protocol=haproxy
        -o postscreen_cache_map=btree:$data_directory/postscreen_10025_cache
      EOS

I have documentation for how to configure HAProxy ingress controller to use or not use the PROXY Protocol to upstream servers, and I think I've followed it, but I'm still trying to track down what's happening there.

[polarathene]

but TLS appears to fail because the pod DNS name doesn't match my certificate:
TLS peer certificate passed CA verification, failed host verification

Ok, but this is because the hostname you are connecting to with swaks is set via --server docker-mailserver-6f79f49b8-9p9r. Nothing related to the DMS container, just that this hostname from the client side does not match the one in the certificate, that's why that fails.

I guess that is a tricky one in k8s if you cannot adjust the DNS name that your internal containers would connect to DMS container through to match the certificate.

If you're able to add an entry to /etc/hosts of the client with the expected hostname and IP of the DMS container, you could probably workaround that way. Or try with the public DNS name (which might be a bit awkward as I think that will hop through ingress instead of direct container connection?), I assume other k8s users may be trusting the connection internally and opt to skip verification 🤔 (@cfis @georglauterbach probably have better insights with their experience)

If you're able to provision a certificate with the hostname that would work too, but a single DNS label isn't an FQDN I believe, so no public CA should support that. Technically you could provide a 2nd certificate, but I'm not sure how well that works when Postfix / Dovecot are configured for the public FQDN.

Generally it should be fine to skip verification internally, even publicly MTAs won't enforce it between each other on port 25. Only really matters there for ports behind authentication. If the MTA is using MTA-STS then TLS can be enforced, but I'm not sure if that also enforces verification on port 25 🤔

---

syslog_name=postfix/smtp-proxy

That should probably be smtpd-proxy rather than smtp-proxy, since it'd be for port 25 inbound and Postfix uses smtpd prefix for that to better differentiate in logs I think.

This doesn't matter much beyond that, just making a mention of it.

---

I've checked that there is a PEM certificate and PEM RSA private key at the locations specified by SSL_CERT_PATH and SSL_KEY_PATH

Are you also using OVERRIDE_HOSTNAME btw? It should match a SAN in your certificate.

If you were provisioning with a public CA and connecting from public into ingress that should be working correctly?

[DougReeder]

Thanks, again!

Sorry, should have earlier included my values.yaml file for the Helm chart:

certificate: dms-hominidsoftware-com

deployment:
  env:
    OVERRIDE_HOSTNAME: dms.hominidsoftware.com
    TZ: America/Toronto

  resources:
    requests:
      cpu: "750m"

service:
  annotations:
    haproxy.org/send-proxy-protocol: proxy-v2

The certificate is created as here: https://github.com/docker-mailserver/docker-mailserver-helm/blob/master/charts/docker-mailserver/README.md#getting-started

The resource request is just to prevent cluster autoscaling, which would be a distraction.

The annotation is the same as used in my Ingresses for my non-mail services, and the HAProxy ingress controller docs say it works the same on a Service upstream from the controller: https://www.haproxy.com/documentation/kubernetes-ingress/enterprise/configuration-reference/service/#send-proxy-protocol

With the above configuration of the proxy ports, PROXY Protocol 2 [binary] is required, yes?

The certificate CN is hominidsoftware.com and and the Dns names are dms.hominidsoftware.com and hominidsoftware.com

In /etc/hosts I set dms.hominidsoftware.com to 127.0.0.1 and then the certificate was validated using port 587:
TLS peer certificate passed CA verification, passed host verification (using host dms.hominidsoftware.com to verify)
It also passed setting those to the IP address of the service.
Port 465 works with the -tlsc flag.

Unfortunately, authentication still fails with:

535 5.7.8 Error: authentication failed: (reason unavailable)

The value for --auth-password is the same as the password used in the command, yes?

setup email add <EMAIL ADDRESS> [<PASSWORD>] 

For the different auth-types, I get

LOGIN   535 5.7.8 Error: authentication failed: (reason unavailable)
PLAIN   535 5.7.8 Error: authentication failed: (reason unavailable)
CRAM-MD5   Auth not attempted, requested type not available
DIGEST-MD5   AUTH DIGEST-MD5 not available: requires Authen::SASL
CRAM-SHA1   Auth not attempted, requested type not available
NTLM   AUTH NTLM not available: requires Authen::NTLM
SPA   AUTH NTLM not available: requires Authen::NTLM
MSN   AUTH NTLM not available: requires Authen::NTLM

[polarathene]

In /etc/hosts I set dms.hominidsoftware.com to 127.0.0.1 and then the certificate was validated using port 587:
TLS peer certificate passed CA verification, passed host verification (using host dms.hominidsoftware.com to verify)

Just to share one observation I've noticed, while the /etc/hosts entry can be helpful (when it contains the original container hostname for the same entry as well, allowing some services to infer OVERRIDE_HOSTNAME as the container FQDN), there was one negative impact where an rDNS lookup from a client of the IP for that FQDN would then be checked to have the same IP as the client, but /etc/hosts would then match it to your internal IP which fails that check.

The check in our default config for Postfix only raises a warning in logs, but a report from some time ago said it also resulted in mail from such a client as being considered spam.

---

I am curious how you went about modifying /etc/hosts in kubernetes setup? In Docker this file is an implicit bind mount from the host which required editing the file without changing the inode.

Port 465 works with the -tlsc flag.
Unfortunately, authentication still fails with

535 5.7.8 Error: authentication failed: (reason unavailable)

The value for --auth-password is the same as the password used in the command, yes?

It should be no different apart from the change in port and using -tlsc instead of -tls as you mentioned. I don't have experience with k8s / helm so I cannot verify there, but it works fine on our officially supported Docker Compose.

[DougReeder]

I am curious how you went about modifying /etc/hosts in kubernetes setup?

For testing, I just exec-ed into the container and edited /etc/hosts directly. For production, normally you'd create ConfigMap and volumeMount, but that's a whole directory, and there's a lot in /etc you wouldn't want to change, so I'm not sure what contortions you'd have to go to.

[cfis]

You setup looks similar to mine. I would say make it work first without the proxy protocol. Once that works, then you know the host name and certificate line up.

It has been quite a while since I looked at this, but port 465 needed special handling:

smtpd_tls_wrappermode=yes

See:

https://www.postfix.org/postconf.5.html

And:

https://github.com/docker-mailserver/docker-mailserver-helm/blob/master/charts/docker-mailserver/values.yaml#L611C12-L611C33

Maybe HaProxy is doing something different than nginx (https://kubernetes.github.io/ingress-nginx/user-guide/exposing-tcp-udp-services/) which is what I am using to forward ports to the k8 cluster?

[DougReeder]

smtpd_tls_wrappermode=yes

This is set for port 10465, the port for submissions w/ mandatory TLS and the PROXY Protocol

smtpd_discard_ehlo_keywords=

If I understand correctly, this is for outbound connections to other SMTP servers.

Maybe HaProxy is doing something different than nginx

The data in the ConfigMap for TCP connections is identical:

apiVersion: v1
kind: ConfigMap
metadata:
  name: haproxy-controller-tcp
  namespace: haproxy-controller
  labels:
    app.kubernetes.io/name: kubernetes-ingress
    app.kubernetes.io/instance: haproxy-controller
data:
  12525: "mail/docker-mailserver:12525"
  10465: "mail/docker-mailserver:10465"
  10587: "mail/docker-mailserver:10587"
  10993: "mail/docker-mailserver:10993"

[DougReeder]

The Helm chart currently appends this to /etc/postfix/master.cf

      # Smtp with proxy
      12525     inet  n       -       n       -       1       postscreen
        -o syslog_name=postfix/smtp-proxy
        -o postscreen_upstream_proxy_protocol=haproxy
        -o postscreen_cache_map=btree:$data_directory/postscreen_10025_cache

Do I understand correctly that https://docker-mailserver.github.io/docker-mailserver/latest/examples/tutorials/mailserver-behind-proxy/ says the last line should be

-o postscreen_cache_map = proxy:btree:$data_directory/postscreen_cache

or should it be

-o postscreen_cache_map = proxy:btree:$data_directory/postscreen_10025_cache

[polarathene]

I don't think the name difference there should matter much.

I recall our docs guide shares the postscreen cache with both variants (ports 25 and 12525), but the helm chart only set it for the added port because of the way they approached configuration differently. I explain this at the end of this comment on the helm repo back in April, but I don't think that feedback was applied.

I just looked at our docs advice, and we are using postfix-main.cf to supply an override for port 25, which our documented user-patches.sh will duplicate that port and make some modifications with sed, so it inherits that same postscreen_cache_map. The reason we do this config change can be found via git blame on the docs to this PR, which describes how it fixed a bug by having the two share this cache map vs the default config which conflicted IIRC.

---

UPDATE: Created an issue for this at the helm repo: docker-mailserver/docker-mailserver-helm#173