Setting up email behind traefik. Email client seeing the wrong certificate

Hello. I've been racking my brain on this one. I have an existing traefik setup for a few other applications and all works well. I'm trying to put my mail server behind traefik so traefik can handle the certificates with letsencrypt. At least one problem I'm having is that my mail client is seeing the traefik default cert, BUT when I connect using curl to ports 993 and 465, the proper certs are given.

Less important... My clients are using 465 for sending mail. I've always had 587 as well, but not sure how that will work through traefik if the mail server is no longer maintaining a certificate. I don't have many options on the mail server for changing how 587 is handled. Any thoughts here?

Here's my current config if anyone is able to help or point me in a direction. As you can see, I'm not on the latest. (Not sure if this is the right way to post a config file.)

Any help is appreciated.

configs:
  plex.yml:
    file: ./config/plex.yml

services:
  traefik:
    image: "traefik:v3.0"
    container_name: traefik
    hostname: traefik
    command:
      - --log.level=DEBUG
      - --api.dashboard=true
      - --api.insecure=true
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --entryPoints.imaps.address=:993
      - --entryPoints.pop3s.address=:995
      - --entryPoints.smtps.address=:465
      - --entryPoints.smtp.address=:587
      - --providers.docker
      - --providers.docker.exposedByDefault=false
      - --api
      - --certificatesresolvers.le.acme.email=user@mydomain.com
      - --certificatesresolvers.le.acme.storage=./acme.json
      - --certificatesresolvers.le.acme.tlschallenge=true
    ports:
      - "80:80"
      - "443:443"
      - "8880:8080"
      - "993:993"
      - "995:995"
      - "465:465"
      - "587:587"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./acme.json:/acme.json"
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=proxy"

      # Disable Compression Middleware
      - "traefik.http.middlewares.disable-compression.compress=false"

      # Dashboard
      - "traefik.http.routers.traefik.rule=Host(`traefik-dashboard.mydomain.com`)"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.routers.traefik.tls=true"
      - "traefik.http.routers.traefik.tls.certresolver=le"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.entrypoints=web"
      - "traefik.http.routers.traefik.middlewares=authtraefik"
      - "traefik.http.middlewares.authtraefik.basicauth.users=user:password/"

      # Plex
      - "traefik.http.routers.plex.rule=Host(`plex.mydomain.com`)"
      - "traefik.http.routers.plex.entrypoints=websecure"
      - "traefik.http.routers.plex.tls=true"
      - "traefik.http.routers.plex.tls.certresolver=le"
      - "traefik.http.services.plex.loadbalancer.server.port=38400"
      # global redirect to https
      - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.entrypoints=web"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
      # middleware redirect
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"

      #mail server
      # Mail services should only be TCP routers
      - "traefik.tcp.services.mail.loadbalancer.server.address=192.168.1.16"

      # IMAPS (993)
      - "traefik.tcp.routers.mail-imaps.rule=HostSNI(`mail.mydomain.com`)"
      - "traefik.tcp.routers.mail-imaps.entrypoints=imaps"
      - "traefik.tcp.routers.mail-imaps.tls=true"
      - "traefik.tcp.routers.mail-imaps.tls.certresolver=le"
      - "traefik.tcp.routers.mail-imaps.tls.options=default"
      - "traefik.tcp.routers.mail-imaps.service=mail-imaps"
      - "traefik.tcp.services.mail-imaps.loadbalancer.server.address=192.168.1.16:143"  # Plain IMAP

      # POP3S (995)
      - "traefik.tcp.routers.mail-pop3s.rule=HostSNI(`mail.mydomain.com`)"
      - "traefik.tcp.routers.mail-pop3s.entrypoints=pop3s"
      - "traefik.tcp.routers.mail-pop3s.tls=true"
      - "traefik.tcp.routers.mail-pop3s.tls.certresolver=le"
      - "traefik.tcp.routers.mail-pop3s.tls.options=default"
      - "traefik.tcp.routers.mail-pop3s.service=mail-pop3s"
      - "traefik.tcp.services.mail-pop3s.loadbalancer.server.address=192.168.1.16:110"  # Plain POP3

      # SMTPS (465)
      - "traefik.tcp.routers.mail-smtps.rule=HostSNI(`mail.mydomain.com`)"
      - "traefik.tcp.routers.mail-smtps.entrypoints=smtps"
      - "traefik.tcp.routers.mail-smtps.tls=true"
      - "traefik.tcp.routers.mail-smtps.tls.certresolver=le"
      - "traefik.tcp.routers.mail-smtps.tls.options=default"
      - "traefik.tcp.routers.mail-smtps.service=mail-smtps"
      - "traefik.tcp.services.mail-smtps.loadbalancer.server.address=192.168.1.16:25"  # Plain SMTP

      # SMTP Submission (587)
      - "traefik.tcp.routers.mail-smtp.rule=HostSNI(`mail.mydomain.com`)"
      - "traefik.tcp.routers.mail-smtp.entrypoints=smtp"
      - "traefik.tcp.routers.mail-smtp.tls=true"
      - "traefik.tcp.routers.mail-smtp.tls.certresolver=le"
      - "traefik.tcp.routers.mail-smtp.tls.options=default"
      - "traefik.tcp.routers.mail-smtp.service=mail-smtp"
      - "traefik.tcp.services.mail-smtp.loadbalancer.server.address=192.168.1.16:587"  # STARTTLS SMTP

    restart: unless-stopped
    networks:
      - proxy


  whoami:
    # A container that exposes an API to show its IP address
    image: traefik/whoami
    labels:
      - "traefik.http.routers.whoami.rule=Host(`whoami.docker.localhost`)"
    ports:
      - 8088:80
    networks:
      - proxy

networks:
  proxy:
    external: true
    name: proxy

Port 587 is used for SMTP protocol with STARTTLS, so you cannot use HostSNI(`mail.mydomain.com`); try HostSNI(`*`) instead.

And set default LetsEncrypt certificates (doc).
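
To illustrate the reply above, this added example (not from the thread or from Traefik) shows what a HostSNI rule can see in a client's first bytes: a TLS ClientHello with SNI, one without SNI, and plaintext SMTP as sent on port 587 before STARTTLS. The `matches` function is a simplified model of the rule, and the sample inputs are constructed in memory.

```python
import ssl
import struct

def client_hello(server_hostname=None):
    """First bytes a TLS client sends, generated in memory (no network)."""
    ctx = ssl.create_default_context()
    if server_hostname is None:
        ctx.check_hostname = False  # needed to omit the name; no SNI is sent
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello is written, client now waits for the server
    return outgoing.read()

def sni_of(data):
    """SNI host name, '' for a ClientHello without SNI, None if not a ClientHello."""
    if len(data) < 6 or data[0] != 0x16 or data[5] != 0x01:
        return None  # not a TLS handshake record carrying a ClientHello
    try:
        p = 5 + 4 + 2 + 32                               # headers, version, random
        p += 1 + data[p]                                 # session id
        p += 2 + struct.unpack_from(">H", data, p)[0]    # cipher suites
        p += 1 + data[p]                                 # compression methods
        end = p + 2 + struct.unpack_from(">H", data, p)[0]
        p += 2
        while p + 4 <= end:
            ext_type, ext_len = struct.unpack_from(">HH", data, p)
            if ext_type == 0:  # server_name: list len(2), name type(1), name len(2)
                n = struct.unpack_from(">H", data, p + 7)[0]
                return data[p + 9:p + 9 + n].decode("ascii")
            p += 4 + ext_len
    except (IndexError, struct.error):
        return None  # truncated input
    return ""

def matches(rule_host, data):
    """Simplified model (assumption) of a TCP router rule HostSNI(`rule_host`)."""
    return rule_host == "*" or sni_of(data) == rule_host

# Constructed samples: TLS with SNI, TLS without SNI, plaintext SMTP submission.
SAMPLES = {
    "tls+sni": client_hello("mail.mydomain.com"),
    "tls-no-sni": client_hello(),
    "smtp-plain": b"EHLO client.example\r\n",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, repr(sni_of(data)), matches("mail.mydomain.com", data), matches("*", data))
```

Only the first sample matches the host-specific rule. The ClientHello without SNI and the plaintext SMTP bytes are matched by HostSNI(`*`) alone.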