TCP route to mail server

Hello everyone.
On Docker I run Traefik with the following configuration:

version: "3.8"

services:

  traefik:
    container_name: Traefik
    image: traefik:latest
    environment:
#      TRAEFIK_LOG_LEVEL: 'DEBUG'
      TRAEFIK_GLOBAL_CHECKNEWVERSION: 'true'
      TRAEFIK_PROVIDERS_DOCKER: 'true'
      TRAEFIK_PROVIDERS_DOCKER_EXPOSEDBYDEFAULT: 'false'
      TRAEFIK_PROVIDERS_FILE_FILENAME: '/configurations/dynamic.yml'
      TRAEFIK_API: 'true'
      TRAEFIK_API_DASHBOARD: 'true'
      TRAEFIK_API_INSECURE: 'true'
      OVH_ENDPOINT: 'ovh-eu'
      OVH_APPLICATION_KEY: 'xxx'
      OVH_APPLICATION_SECRET: 'xxx'
      OVH_CONSUMER_KEY: 'xxx'
      TRAEFIK_CERTIFICATESRESOLVERS_certbot: 'true'
      TRAEFIK_CERTIFICATESRESOLVERS_certbot_ACME_DNSCHALLENGE: 'true'
      TRAEFIK_CERTIFICATESRESOLVERS_certbot_ACME_DNSCHALLENGE_PROVIDER: 'ovh'
      TRAEFIK_CERTIFICATESRESOLVERS_certbot_ACME_EMAIL: 'info@mydomain.com'
      TRAEFIK_CERTIFICATESRESOLVERS_certbot_ACME_STORAGE: '/letsencrypt/acme.json'
      TRAEFIK_ENTRYPOINTS_web: 'true'
      TRAEFIK_ENTRYPOINTS_websec: 'true'
      TRAEFIK_ENTRYPOINTS_web_ADDRESS: ':80'
      TRAEFIK_ENTRYPOINTS_websec_ADDRESS: ':443'
      TRAEFIK_ENTRYPOINTS_smtp: 'true'
      TRAEFIK_ENTRYPOINTS_imap: 'true'
      TRAEFIK_ENTRYPOINTS_smtp_ADDRESS: ':465'
      TRAEFIK_ENTRYPOINTS_imap_ADDRESS: ':993'
      TRAEFIK_ENTRYPOINTS_web_HTTP_REDIRECTIONS_ENTRYPOINT_TO: 'websec'
      TRAEFIK_ENTRYPOINTS_web_HTTP_REDIRECTIONS_ENTRYPOINT_PERMANENT: 'true'
      TRAEFIK_ENTRYPOINTS_web_HTTP_REDIRECTIONS_ENTRYPOINT_SCHEME: 'https'

    ports:
      - 8051:80/tcp # Traefik HTTP
      - 8052:8080/tcp # Traefik WebUI
      - 4351:443/tcp # Traefik HTTPs
      - 465:465/tcp # Traefik SMTPs
      - 993:993/tcp # Traefik IMAPs
    restart: unless-stopped

It also contains a dynamic configuration file:

http:
  middlewares:
    WebHeaderMain:
      headers:
        frameDeny: true
        browserXssFilter: true
        stsincludesubdomains: false
        stspreload: true
        stsseconds: 31536000
        isdevelopment: false
        contentTypeNosniff: true
        customFrameOptionsValue: SAMEORIGIN
        referrerPolicy: no-referrer
        contentSecurityPolicy: default-src 'self'

tcp:
  middlewares:
    MailLimitsSMTP:
      inFlightConn:
        amount: 25
    MailLimitsIMAP:
      inFlightConn:
        amount: 25

I have two HTTP web servers: one for the main domain "mydomain.com", the second for "subdomain.mydomain.com".

    labels:
       - "traefik.enable=true"
       - "traefik.http.routers.httpd_main.entrypoints=web, websec"
       - "traefik.http.routers.httpd_main.rule=Host(`mydomain.com`)"
       - "traefik.http.routers.httpd_main.service=WebHTTPmain"
       - 'traefik.http.services.WebHTTPmain.loadbalancer.server.port=80'
       - "traefik.http.routers.httpd_main.tls=true"
       - "traefik.http.routers.httpd_main.tls.certresolver=certbot"
       - "traefik.http.routers.httpd_main.middlewares=WebHeaderMain@file"
    labels:
       - "traefik.enable=true"
       - "traefik.http.routers.httpd_info.entrypoints=web, websec"
       - "traefik.http.routers.httpd_info.rule=Host(`subdomain.mydomain.com`)"
       - "traefik.http.routers.httpd_info.service=WebHTTPinfo"
       - 'traefik.http.services.WebHTTPinfo.loadbalancer.server.port=80'
       - "traefik.http.routers.httpd_info.tls=true"
       - "traefik.http.routers.httpd_info.tls.certresolver=certbot"
       - "traefik.http.routers.httpd_info.middlewares=WebHeaderMain@file"

The third configuration is my mail server, with two services on ports 465 and 993, which are available on mail.mydomain.com.

  mailserver:
    container_name: MailServer
    image: docker.io/mailserver/docker-mailserver:latest

    labels:
       - "traefik.enable=true"
       ### SMTPs
       - "traefik.tcp.routers.poczta_smtp.entrypoints=smtp"
#       - "traefik.tcp.routers.poczta_smtp.middlewares=MailLimitsSMTP@file"
       - "traefik.tcp.routers.poczta_smtp.rule=HostSNI(`mail.mydomain.com`)"
       - "traefik.tcp.routers.poczta_smtp.service=MailSMTPservice"
       - "traefik.tcp.routers.poczta_smtp.tls=true"
       - "traefik.tcp.routers.poczta_smtp.tls.certresolver=certbot"
       - 'traefik.tcp.services.MailSMTPservice.loadbalancer.server.port=465'
       ### IMAPs
       - "traefik.tcp.routers.poczta_imap.entrypoints=imap"
#       - "traefik.tcp.routers.poczta_imap.middlewares=MailLimitsIMAP@file"
       - "traefik.tcp.routers.poczta_imap.rule=HostSNI(`mail.mydomain.com`)"
       - "traefik.tcp.routers.poczta_imap.service=MailIMAPservice"
       - "traefik.tcp.routers.poczta_imap.tls=true"
       - "traefik.tcp.routers.poczta_imap.tls.certresolver=certbot"
       - 'traefik.tcp.services.MailIMAPservice.loadbalancer.server.port=993'

On the Traefik GUI everything looks OK. Both web servers work correctly.

I only have a problem with the TCP routes.

When I telnet to port 465, I don't receive the standard mail server greeting but an HTTP 400 error.
Even if I disable the mailserver container I receive the same error.
On Docker I have several other containers but they are connected to different networks and they don't use traefik.

HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=utf-8
Connection: close

400 Bad Request

If you connect with telnet to a Traefik TLS port without sending TLS/SSL, it will fall back to an HTTP error message, because it can't find TLS and HostSNI, and therefore cannot find your matching router for plain TCP.

Try using openssl s_client instead.

Thank you for the information.
On port 465 the certificate looks OK.

I only have a problem on port 993.
I have a question: when the destination service on the container is not working, is the certificate also not available?

C:\OpenSSL-1.1.1h_win32>openssl.exe s_client -connect mail.mydomain.com:993
CONNECTED(00000200)
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 318 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

C:\OpenSSL-1.1.1h_win32>