I tried to solve this problem, but not being a specialist, I couldn't do it...
Everything seems to work except the connection on port 587.
Just to let you know that I have a Nginx service that redirects mail.mydomain.fr on port 8082 and mydomain.fr on port 443 then 8082 (that's my API)
Here is my docker-compose.yml file:
version: '2'
services:
  front:
    image: mailu/nginx:$VERSION
    restart: always
    env_file: .env
    ports:
      - "$BIND_ADDRESS4:8082:80"
      - "$BIND_ADDRESS4:4430:443"
      - "$BIND_ADDRESS4:110:110"
      - "$BIND_ADDRESS4:143:143"
      - "$BIND_ADDRESS4:993:993"
      - "$BIND_ADDRESS4:995:995"
      - "$BIND_ADDRESS4:25:25"
      - "$BIND_ADDRESS4:465:465"
      - "$BIND_ADDRESS4:587:587"
      - "$BIND_ADDRESS6:8082:80"
      - "$BIND_ADDRESS6:4430:443"
      - "$BIND_ADDRESS6:110:110"
      - "$BIND_ADDRESS6:143:143"
      - "$BIND_ADDRESS6:993:993"
      - "$BIND_ADDRESS6:995:995"
      - "$BIND_ADDRESS6:25:25"
      - "$BIND_ADDRESS6:465:465"
      - "$BIND_ADDRESS6:587:587"
    volumes:
      - "/etc/letsencrypt/live/mail.mydomain.fr:/certs"
When I do a netstat:
tcp 0 0 127.0.0.1:5432 0.0.0.0:* LISTEN 925/postgres
tcp 0 0 XXX.XXX.XXX.XXX:25 0.0.0.0:* LISTEN 25507/docker-proxy
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 4016/nginx: master
tcp 0 0 XXX.XXX.XXX.XXX:993 0.0.0.0:* LISTEN 25132/docker-proxy
tcp 0 0 XXX.XXX.XXX.XXX:995 0.0.0.0:* LISTEN 25051/docker-proxy
tcp 0 0 XXX.XXX.XXX.XXX:587 0.0.0.0:* LISTEN 25166/docker-proxy
tcp 0 0 XXX.XXX.XXX.XXX:110 0.0.0.0:* LISTEN 25484/docker-proxy
tcp 0 0 XXX.XXX.XXX.XXX:4430 0.0.0.0:* LISTEN 25446/docker-proxy
tcp 0 0 XXX.XXX.XXX.XXX:143 0.0.0.0:* LISTEN 25472/docker-proxy
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 4016/nginx: master
tcp 0 0 XXX.XXX.XXX.XXX:465 0.0.0.0:* LISTEN 25202/docker-proxy
tcp 0 0 XXX.XXX.XXX.XXX:8082 0.0.0.0:* LISTEN 25108/docker-proxy
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 758/sshd
tcp6 0 0 ::1:25 :::* LISTEN 25494/docker-proxy
tcp6 0 0 ::1:993 :::* LISTEN 25137/docker-proxy
tcp6 0 0 ::1:995 :::* LISTEN 25064/docker-proxy
tcp6 0 0 ::1:587 :::* LISTEN 25145/docker-proxy
tcp6 0 0 ::1:110 :::* LISTEN 25488/docker-proxy
tcp6 0 0 ::1:4430 :::* LISTEN 25450/docker-proxy
tcp6 0 0 ::1:143 :::* LISTEN 25458/docker-proxy
tcp6 0 0 :::80 :::* LISTEN 4016/nginx: master
tcp6 0 0 :::8080 :::* LISTEN 10862/out/backend
tcp6 0 0 ::1:465 :::* LISTEN 25170/docker-proxy
tcp6 0 0 :::35729 :::* LISTEN 27079/gulp
tcp6 0 0 ::1:8082 :::* LISTEN 25079/docker-proxy
tcp6 0 0 :::22 :::* LISTEN 758/sshd
I can connect to the webmail, send or receive new messages, but with the same credentials I can't do it through my API:
dial tcp XXX.XXX.XXX.XXX:587: connect: connection refused
nc -zv XXX.XXX.XXX.XXX 587
nc: connect to XXX.XXX.XXX.XXX port 587 (tcp) failed: Connection refused
Here is my .env:
ROOT=/mailu
VERSION=master
SECRET_KEY=XXXXXXXXXXXXXXXXX
BIND_ADDRESS4=XXX.XXX.XXX.XXX
BIND_ADDRESS6=::1
DOMAIN=xxxxxx.fr
HOSTNAMES=mail.xxxxxx.fr
POSTMASTER=admin
TLS_FLAVOR=mail
TLS_CERT_FILENAME=fullchain.pem
TLS_KEYPAIR_FILENAME=privkey.pem
AUTH_RATELIMIT=10/minute;1000/hour
DISABLE_STATISTICS=False
ADMIN=true
WEBMAIL=rainloop
WEBDAV=none
ANTIVIRUS=clamav
MESSAGE_SIZE_LIMIT=50000000
RELAYNETS=172.19.0.0/16
RELAYHOST=
FETCHMAIL_DELAY=600
RECIPIENT_DELIMITER=+
DMARC_RUA=admin
DMARC_RUF=admin
WELCOME=false
WELCOME_SUBJECT=Welcome to your new email account
WELCOME_BODY=Welcome to your new email account, if you can read this, then it is configured properly!
WEB_ADMIN=/admin
WEB_WEBMAIL=/webmail
SITENAME=xxxx
WEBSITE=https://mail.xxxxx.fr
COMPOSE_PROJECT_NAME=mailu
PASSWORD_SCHEME=SHA512-CRYPT
Here are my nginx configurations:
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

server {
    listen 80;
    listen [::]:80;
    server_name xxxxxx.fr;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 default_server ssl;
    server_name xxxxx.fr;
    ssl_certificate /etc/letsencrypt/live/xxxxx.fr/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/xxxx.fr/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    location / {
        proxy_pass https://127.0.0.1:8080;
    }
}

server {
    listen 80;
    listen [::]:80;
    server_name mail.xxxxxx.fr;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name mail.xxxxxx.fr;
    ssl_certificate /etc/letsencrypt/live/mail.xxxxxx.fr/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mail.xxxxxx.fr/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    location / {
        proxy_pass http://XXX.XXX.XXX.XXX:8082;
    }
}
I don't understand why the connection is denied on port 587 while docker is listening to it.
Even if it's in my .env file, just to make it clear, I'm working with the master version, to be able to use TLS_CERT_FILENAME and TLS_KEYPAIR_FILENAME.
How do you try and connect to that port? Does connecting to 465 with TLS work instead?
When I change in my code 487 to 465, it doesn't work either, same error.
I'm using Go and this library https://gopkg.in/gomail.v2
It worked a month ago with mailu and this library.
Could you check if the port is open first (using netcat or hping, for example) and then if starttls and TLS are working properly (using openssl s_client, for instance)?
netstat still doesn't work
netcat -v XXX.XXX.XXX.XXX 587
netcat: connect to XXX.XXX.XXX.XXX port 587 (tcp) failed: Connection refused
To be honest, I don't really know how to check if starttls and TLS are working. If they are supposed to be daemons, then they are not working.
nmap XXX.XXX.XXX.XXX
Starting Nmap 7.01 ( https://nmap.org ) at 2018-09-20 01:22 PDT
Nmap scan report for 145.ip-XXX.XXX.XXX.XXX.eu (XXX.XXX.XXX.XXX)
Host is up (0.069s latency).
Not shown: 992 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp filtered smtp
80/tcp open http
139/tcp filtered netbios-ssn
443/tcp open https
445/tcp filtered microsoft-ds
8080/tcp open http-proxy
8082/tcp open blackice-alerts
This looks like the front container is failing to serve TLS/starttls, probably due to a wrong cert.
I fear the /live folder you are mounting only contains symlinks, which fail to resolve inside the container. Maybe you should mount one of the parent directories instead so the symlinks resolve properly.
Just to test it, I copied the files and it works! Thanks.
I'll check how to mount them on docker.