I have the following setup: three physical servers, 10.10.10.1 (Traefik, Dockerized), 10.10.10.2 (mail server, Dockerized) and 10.10.10.3 (WordPress farm, Dockerized).
I have set up Traefik doing the DNS-ACME job and routing HTTPS following entrypoints and HostSNI rules. The certificates are generated and the HTTPS routing works like a charm.
Now I want to set up TCP routes for the SMTPS and IMAPS services on 465 / 587 and 993 respectively.
When I run openssl against the FQDN, Traefik issues the correct certificates but then times out.
When I run openssl on my local network I get the IMAP and SMTP server prompts on 465 / 587 and 993 without problems, but of course with self-signed certificates.
When I route 993 to 143 and 465 to 25 I do receive the correct certificates, but then of course the mail clients get confused because the IMAP and SMTP prompts don't match the SSL specs.
Hi, unfortunately, it's not a real answer to my problem.
The only answer is "it is possible to use HostSNI('FQDN') for every service but SMTP".
My problem is that when using a TCP route for IMAPS (local IP and port 993), the passthrough simply dies after handing out the correct SSL certificate to the client. I don't get the IMAP server prompt (something like: "* OK imapserver.example.com Cyrus IMAP4 v47.11 server ready"), which I should get because I can connect to the local IMAPS service without any problems. So my question is, why doesn't Traefik pass through the IMAP server prompt?
Exactly, that is the problem, it wouldn't be much of a problem to forward to docker. The big deal is to forward to physical servers!
See the different prompts depending on the port:
IMAP prompt on 143
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS LOGINDISABLED] Dovecot ready.
IMAP prompt on 993
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
When I use the passthrough option, traefik doesn't handle SSL certificates anymore.
But that is my main argument to use traefik - besides loadbalancing or routing traffic through single IP connections. If you activate passthrough for a connection, traefik will proxy all encrypted communication AS IS, and as you saw above my mail server only has a self-signed certificate and I cannot let it handle ACME procedures because of the specific setup.
Okay, you would have to reconfigure Dovecot to allow login on port 143. It's giving a secure default (or you configured it this way) and not allowing plain-text login.
Okay, just a quick update on how I solved this issue, even though I am not really satisfied with that "tweak".
I managed to get it up and running by tweaking my mail server's configuration for Dovecot (port 143) and Postfix (ports 25 / 587) to accept insecure connections on ports 143 and 587 and allow authentication methods without enforcing STARTTLS.
This way I could avoid weakening the security settings on port 25.
As both SSL ports 993 and 587 are routed from the internet directly to Traefik, the mail server will stay safe and the 'original' ports accept local traffic only. Only port 25 is routed directly for inter-MX connections.
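The arrangement from the last post, written out as a Traefik 2 file-provider configuration. This is an added example, not configuration from the thread or from the Traefik project; the hostname mail.example.com, the resolver name, the ACME storage path and DNS provider, and the 993 -> 143 / 587 -> 587 port mapping are assumptions read from the thread.

```yaml
# traefik.yml (static configuration): one TCP entrypoint per implicit-TLS mail port.
# Hostname, resolver name, storage path, DNS provider and port mapping are assumptions.
entryPoints:
  imaps:
    address: ":993"
  mailsubmission:
    address: ":587"
certificatesResolvers:
  myresolver:
    acme:
      email: postmaster@example.com     # assumed contact address
      storage: /acme.json               # assumed storage path
      dnsChallenge:
        provider: cloudflare            # assumed DNS provider, replace with yours
---
# dynamic.yml (file provider): TCP routers terminate TLS (passthrough left at its
# default, false) and forward plaintext to the mail server on the internal network.
tcp:
  routers:
    imaps:
      entryPoints:
        - imaps
      rule: "HostSNI(`mail.example.com`)"
      tls:
        certResolver: myresolver   # Traefik presents the ACME cert, not Dovecot's self-signed one
      service: dovecot-plain
    submission:
      entryPoints:
        - mailsubmission
      rule: "HostSNI(`mail.example.com`)"
      tls:
        certResolver: myresolver
      service: postfix-plain
  services:
    dovecot-plain:
      loadBalancer:
        servers:
          - address: "10.10.10.2:143"   # Dovecot with disable_plaintext_auth = no
    postfix-plain:
      loadBalancer:
        servers:
          - address: "10.10.10.2:587"   # Postfix submission with smtpd_tls_auth_only = no
```

Because TLS is terminated at Traefik, the hop to 10.10.10.2 is plaintext, so ports 143 and 587 on the mail server must stay reachable only from the internal network, as the post describes; a quick check is that `openssl s_client -connect mail.example.com:993 -servername mail.example.com` now shows the ACME certificate followed by the Dovecot greeting.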