I have created a TCP router with one endpoint (port 587) and mapped it to an SMTP service. When I open a connection to the endpoint, I get an HTTP error 400 (bad request). In other words, a HTTP router is listening on that endpoint, instead of the TCP router that I want to listen.
I have several HTTP/HTTPS routers on other endpoints, but all of them use explicit endpoints, so nothing except the TCP router should listen "by default". This is also what the Traefik user interface shows.
Here are the HTTP(s) routes, note that none of them is connected to "smtptls":
$ telnet mail.mydomain.com 587
Trying 1.2.3.4...
Connected to mail.mydomain.com.
Escape character is '^]'.
HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=utf-8
Connection: close
If both HTTP routers and TCP routers listen to the same entry points, the TCP routers will apply before the HTTP routers. If no matching route is found for the TCP routers, then the HTTP routers will take over.
Thank you for the the tips! I tried to comment out the line as suggested and since it doesn't seem to change the behavior it seems indeed not needed; however, it also doesn't fix the problem.
I checked the logs (using docker service logs -n10000 -f myswarm_traefik).
Since both, the debug log and the access log are by default written to stdout according to the docs, everything ends up visible there.
However, I found no errors, and the access log entry looks like this:
Using GET / HTTP/1.0 is how I got that log message I posted .
Good idea about shutting down all services. I tried that (and shut down all other stacks, too), but even with only Traefik and mail_relay running, the issue remains the same. The info in the access log also didn't improve.
I also replaced HTTPChallenge with TLSChallenge, again with no effect on the problem.
On plain TCP connections you don't have the domain information. This is only included in a http request - or - within a TLS/SSL request.
Hypothesis: When you do a telnet to the IP, you don't use TLS (which is set as required for mail-forward), so Traefik will not have any matching service and fall back to http.
To test a TLS-encrypted TCP connection to your mail-forward just use
openssl s_client -connect mail.example.com:587
This worked for me to connect to a standard istio/tcp-echo-server.