Routing SMTP and IMAP with letsencrypt

Hi,
I am trying to set-up a mail server with dovecot/postfix behind traefik reverse proxy.

What I'm trying to do is basically this (just focusing on dovecot):

|client| ----imap-ssl/tls----> |(993) traefik| ----imap-plaintext---->|(143) dovecot|

I know that I have to enable some sort of passthrough, to let the mail services "know" the client's IP (There is some sort of haproxy protocol that both postfix and dovecot implement).

On top of that I want to use traefik's letsencrypt certs for this tcp connection (to let traefik "enrich" the connection only between it and the client).

Pretty much all sollutions that i found using traefik and tcp is to have a dummy service for letsencrypt's http challenge, dump the certificates somehow, use the certificates directly in dovecot/postfix, and just use tls passthrough in traefik (seems a bit "hacky" to me).

So my question is: Is the setup for imap and smtp I mentioned above even possible with traefik's letsencrypt management? I know that this kind of setup is possible with haproxy, but I preffer traefik much more.

Attachment:

  • here what I'm trying to achieve in a "pseudo"-docker-compose.yml:
---
version: '3.3'

services:

  traefik:
    image: "traefik:v2.8"
    container_name: "traefik"
    command:
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.imaps.address=:993"
      - "--certificatesresolvers.mailresolver.acme.tlschallenge=true"
      - "--certificatesresolvers.mailresolver.acme.email=postmaster@example.com"
      - "--certificatesresolvers.mailresolver.acme.storage=/letsencrypt/acme.json"
    ports:
      - "993:993"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./letsencrypt:/letsencrypt"

  mailserver:
    image: some-mail-image:latest
    container_name: mail
    volumes:
      - "./mail/:/var/mail"
    environment:
      - SUBDOMAIN=mail
      - DOMAIN=example.com
    labels:
      - "traefik.enable=true"
      - "traefik.tcp.routers.imaps.entrypoints=imaps"
      - "traefik.tcp.routers.imaps.rule=HostSNI(`mail.example.com`)"
      - "traefik.tcp.services.imaps.loadbalancer.server.port=143"
      - "traefik.tcp.routers.imaps.tls.certresolver=mailresolver" 
  • the error I get regarding letsencrypt:
level=error msg="Unable to obtain ACME certificate for domains \"mail.example.com\": unable to generate a certificate for the domains [mail.example.com]: error: one or more domains had a problem:\n[mail.example.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: 123.123.123.123: Connection refused\n" ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory" routerName=imaps@docker rule="HostSNI(`mail.example.com`)" providerName=mailresolver.acme

Any help would be appreciated! Thanks.