TCP Route IMAPS / SMTPS traffic - HELP!

Hi there,

I have the following setup: three physical servers, 10.10.10.1 (Traefik, Dockerized), 10.10.10.2 (mail server, Dockerized) and 10.10.10.3 (WordPress farm, Dockerized).

I have set up Traefik doing the DNS-ACME job and routing HTTPS following entrypoints and HostSNI rules. The certificates are generated and the HTTPS routing works like a charm.

Now I want to set up a TCP route for the SMTPS and IMAPS services on 465 / 587 and 993 respectively.

When I run openssl against the FQDN, Traefik issues the correct certificates but the connection then times out.

When I run openssl on my local network I get the IMAP and SMTP server prompts on 465 / 587 and 993 without problems, but of course with self-signed certificates.

When I route 993 to 143 and 465 to 25 I do receive the correct certificates, but then of course the mail clients get confused because the IMAP and SMTP prompts don't match the SSL specs.

Does anyone have an idea what I am doing wrong?

Anybody? I really need your help, guys!

Please guys, any idea what I am doing wrong?

Previously answered.

Hi, unfortunately, it's not a real answer to my problem.
The only answer is "it is possible to use HostSNI('FQDN') for every service but SMTP".

My problem is that when using a TCP route for IMAPS (local IP and port 993) the pass-through simply dies after handing out the correct SSL certificate to the client. I don't get the IMAP server prompt (something like this: "* OK imapserver.example.com Cyrus IMAP4 v47.11 server ready"), which I should, because I can connect to the local IMAPS service without any problems. So my question is, why doesn't Traefik pass through the IMAP server prompt?

How are you testing?

Can you post your config?

I tested with a Mailu setup with no issues (certificate errors ignored):

openssl s_client -connect 127.0.0.1:993 -crlf -servername example.com -quiet
depth=0 CN = TRAEFIK DEFAULT CERT
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = TRAEFIK DEFAULT CERT
verify error:num=21:unable to verify the first certificate
verify return:1
* OK IMAP4 ready
a login user@example.com 0o9i8u7y6t
a OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE SNIPPET=FUZZY PREVIEW=FUZZY STATUS=SIZE LITERAL+ NOTIFY SPECIAL-USE QUOTA] Logged in
  traefik:
    image: traefik:2.3
    command:
      - --providers.docker=true
      - --entrypoints.imaps.address=:993
    ports:
      - "993:993"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
...
  front:
    image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}nginx:${MAILU_VERSION:-1.7}
    restart: always
    env_file: mailu.env
    labels:
      traefik.tcp.routers.imaps.rule: HostSNI(`example.com`)
      traefik.tcp.routers.imaps.tls:
      traefik.tcp.services.imaps.loadbalancer.server.port: 143
...

Again, I am not connecting to a Docker socket but to a real machine.

Testing against the real machine on port 993 returns:

openssl s_client -connect 192.168.1.35:993 -quiet

depth=0 O = mailcow, CN = mail.example.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 O = mailcow, CN = mail.example.org
verify error:num=21:unable to verify the first certificate
verify return:1
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN AUTH=LOGIN] Dovecot ready.

Testing against Traefik on port 993 returns:

openssl s_client -connect mx.xxx.yyy:993 -servername mx.xxx.yyy -quiet

depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = mx.xxx.yyy
verify return:1

My config:

insecureSkipVerify is 'true' in my static configuration.


tcp:
  routers:
...
    to-mailcow-imaps:
      entryPoints:
        - "imaps"
      rule: "HostSNI(`mx.xxx.yyy`)"
      service: mailcow-imap-ssl
      tls:
        certResolver: myresolver
  services:
...
    mailcow-imap-ssl:
      loadBalancer:
        servers:
          - address: "192.168.1.35:993"

Sorry I missed the physical servers part.

Your service is on 993, so it is encrypted. I believe you need to use passthrough if you are doing that, but I have no personal experience with that.

These should work. I'm not sure what you mean here when you say 'prompts don't match to SSL specs'.

Exactly, that is the problem. It wouldn't be much of a problem to forward to Docker; the big deal is to forward to physical servers!

See the different prompts depending on the port.

IMAP prompt on 143:

* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS LOGINDISABLED] Dovecot ready.

IMAP prompt on 993:

* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN AUTH=LOGIN] Dovecot ready.

When I use the passthrough option, Traefik doesn't handle SSL certificates anymore.
But that is my main argument for using Traefik, besides load balancing or routing traffic through single IP connections. If you activate passthrough for a connection, Traefik will proxy all encrypted communication AS IS, and as you saw above my mail server only has a self-signed certificate, and I cannot let it handle ACME procedures because of the specific setup.

Okay, you would have to reconfigure Dovecot to allow login on port 143. It's giving a secure default (or you configured it this way) and not allowing plaintext login.

Or set up a dedicated port for Traefik.

Okay, just a quick update on how I solved this issue, even though I am not really satisfied with that "tweak".

I managed to get it up and running by tweaking my mail server's configuration for Dovecot (port 143) and Postfix (ports 25 / 587) to accept insecure connections on ports 143 and 587 and to allow authentication methods without enforcing STARTTLS.

This way I could avoid weakening the security settings on port 25.

As both SSL ports 993 and 587 are routed from the internet directly to Traefik internally, the mail server stays safe and the 'original' ports accept local traffic only. Only port 25 is routed directly for inter-MX connections.
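A small diagnostic for the prompt difference discussed above (143 advertising STARTTLS and LOGINDISABLED versus 993 advertising AUTH=PLAIN/AUTH=LOGIN) and for verifying the final Dovecot tweak: it parses the CAPABILITY list of an IMAP greeting and reports whether a client that reaches the listener through a TLS-terminating proxy such as Traefik can still log in. This is an added example, not code from the thread; the embedded greetings are the Dovecot lines quoted above, and the host/port in the live probe are placeholders.

```python
"""Classify IMAP greetings for use behind a TLS-terminating proxy (added example)."""
import re
import socket
import ssl
from typing import Optional, Set

# Greeting format per RFC 3501 section 7.1: "* OK [CAPABILITY cap1 cap2 ...] text"
_CAP_RE = re.compile(r"^\* (OK|PREAUTH) \[CAPABILITY ([^\]]*)\]", re.IGNORECASE)

# Sample input: the two Dovecot greetings quoted in the thread (plain 143 vs implicit-TLS 993)
GREETING_143 = ("* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE "
                "LITERAL+ STARTTLS LOGINDISABLED] Dovecot ready.")
GREETING_993 = ("* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE "
                "LITERAL+ AUTH=PLAIN AUTH=LOGIN] Dovecot ready.")


def parse_imap_greeting(line: str) -> Set[str]:
    """Return the capability tokens advertised in an IMAP greeting line."""
    m = _CAP_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an IMAP greeting with CAPABILITY: {line!r}")
    return {tok.upper() for tok in m.group(2).split()}


def login_verdict(caps: Set[str]) -> str:
    """Say whether a client speaking plain IMAP (what the backend sees after the
    proxy stripped TLS) can authenticate, based on the advertised capabilities."""
    auth_mechs = sorted(c for c in caps if c.startswith("AUTH="))
    if "LOGINDISABLED" in caps and not auth_mechs:
        hint = " (server wants STARTTLS first)" if "STARTTLS" in caps else ""
        return "refuses plaintext login; proxied clients will fail" + hint
    return "accepts login: " + ", ".join(auth_mechs or ["LOGIN"])


def fetch_greeting(host: str, port: int, use_tls: bool,
                   sni: Optional[str] = None, timeout: float = 5.0) -> str:
    """Read the first greeting line from host:port, with or without implicit TLS,
    so the backend listener and the Traefik entrypoint can be compared directly."""
    raw = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False      # the backend only has a self-signed cert
        ctx.verify_mode = ssl.CERT_NONE
        raw = ctx.wrap_socket(raw, server_hostname=sni or host)
    with raw:
        return raw.recv(4096).decode("utf-8", "replace").splitlines()[0]


if __name__ == "__main__":
    for label, greeting in (("143", GREETING_143), ("993", GREETING_993)):
        print(f"port {label}: {login_verdict(parse_imap_greeting(greeting))}")
    # Live check of a backend (placeholder address), e.g. after the Dovecot change:
    # print(login_verdict(parse_imap_greeting(fetch_greeting("192.168.1.35", 143, False))))
```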