Mailu: Incoming mail does not use TLS

Created on 27 Jan 2020  ·  18 Comments  ·  Source: Mailu/Mailu

How the headers look:

Received: from redacted.com (redacted.com [5.6.7.8])
    by my.redacted.server (Postfix) with ESMTP id randomid
    for <[email protected]>; Wed, 11 Dec 2019 11:03:20 +0000 (UTC)

How the headers should look:

Received: redacted.com (redacted.com [9.10.11.12]) (using TLSv1.2 with
 cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by
redacted (Postfix) with ESMTPS id randomid for <redacted>;

Default settings except TLS_FLAVOR=cert. TLS works fine in the web interface. Outgoing emails do show that TLS has been used on the other side as well.

Only incoming emails do not.

Please help! Not having proper TLS support makes Mailu's entire efforts futile.
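The two header shapes quoted above differ in the protocol token (ESMTP versus ESMTPS) and in the TLS clause Postfix appends when it negotiated STARTTLS itself. The following Python, an added example that is not part of this issue or of Mailu, parses one Received hop into that information and records the caveat the thread turns on: when a proxy terminates TLS in front of Postfix, a missing clause is not evidence of a plaintext delivery. The hosts, addresses and ids in the samples are constructed placeholders.

```python
import re

# Constructed samples modelled on the two headers quoted in the issue
# (hosts, addresses and ids are placeholders, not real infrastructure).
RECEIVED_PROXIED = (
    "Received: from redacted.com (redacted.com [5.6.7.8])\n"
    "    by my.redacted.server (Postfix) with ESMTP id randomid\n"
    "    for <user@example.invalid>; Wed, 11 Dec 2019 11:03:20 +0000 (UTC)"
)
RECEIVED_DIRECT_TLS = (
    "Received: from redacted.com (redacted.com [9.10.11.12]) (using TLSv1.2 with\n"
    " cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate\n"
    " requested) by redacted (Postfix) with ESMTPS id randomid for <user@example.invalid>;"
)

# Postfix protocol token: SMTP/ESMTP plus "S" when TLS was used, "A" when authenticated.
WITH_RE = re.compile(r"\bwith\s+((?:UTF8)?[EL]?SMTP[SA]*)\b")
# Clause Postfix adds when smtpd_tls_received_header = yes and it negotiated TLS itself.
TLS_RE = re.compile(r"\(using (TLSv[\d.]+|SSLv\d) with cipher (\S+)")


def unfold(header: str) -> str:
    """Join RFC 5322 folded continuation lines into one logical line."""
    return re.sub(r"\r?\n[ \t]+", " ", header).strip()


def classify_received(header: str) -> dict:
    """Extract what one Received hop records about its own transport security."""
    text = unfold(header)
    proto = WITH_RE.search(text)
    tls = TLS_RE.search(text)
    protocol = proto.group(1) if proto else None
    # The "S" suffix and the TLS clause both refer to the connection this hop
    # accepted; for Mailu that is the proxied nginx-to-Postfix leg, not the Internet.
    s_flag = bool(protocol) and "S" in protocol.split("SMTP", 1)[1]
    return {
        "protocol": protocol,
        "tls_version": tls.group(1) if tls else None,
        "cipher": tls.group(2) if tls else None,
        "tls_seen_by_this_hop": s_flag or tls is not None,
    }


def transport_verdict(header: str, tls_terminated_upstream: bool = False) -> str:
    """'tls' when the hop recorded TLS; otherwise 'plaintext', unless a proxy
    terminated TLS in front of this hop, in which case the header cannot tell."""
    if classify_received(header)["tls_seen_by_this_hop"]:
        return "tls"
    return "unknown-proxied" if tls_terminated_upstream else "plaintext"
```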



All 18 comments

@elandorr TLS termination is done at NGINX (which acts as mail proxy and does authentication). Nginx is properly configured for TLS. Unfortunately, the downstream protocol allows setting the remote IP but not the SSL information (http://www.postfix.org/XCLIENT_README.html). So postfix has no information that it could add to the header because it sees only an unencrypted connection.
Seems that there's no easy way to prove that TLS actually works - if in doubt, try to sniff between the external smtp server and nginx with tcpdump or wireshark.
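A lighter check than a packet capture, added here as an example and not code from the Mailu project: a Python probe that connects to your own host's port 25, confirms STARTTLS is advertised, negotiates it and reports the TLS version and cipher that were agreed. The hostname and HELO name are placeholders, and the verify=False switch is an assumption for test boxes with self-signed certificates.

```python
import smtplib
import ssl


def parse_ehlo_reply(raw: str) -> set:
    """Turn a multi-line EHLO reply into lower-case extension keywords. Accepts
    the wire form ('250-STARTTLS') or smtplib's stripped form ('STARTTLS');
    the first line is the server greeting, not an extension."""
    extensions = set()
    for line in raw.splitlines()[1:]:
        body = line[4:] if line[:3] == "250" else line   # drop "250-" / "250 "
        words = body.split()
        if words:
            extensions.add(words[0].lower())
    return extensions


def tls_is_acceptable(version: str) -> bool:
    """Minimum policy for the negotiated protocol: TLS 1.2 or newer."""
    return version in ("TLSv1.2", "TLSv1.3")


def probe_starttls(host: str, port: int = 25, helo: str = "probe.example.invalid",
                   verify: bool = True) -> dict:
    """Connect to port 25, check that STARTTLS is offered, negotiate it and report
    what was agreed. Assumed: 'host' is your own Mailu front (placeholder name)."""
    ctx = ssl.create_default_context()
    if not verify:                       # self-signed certificate on a test box
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo(helo)
        offered = parse_ehlo_reply(smtp.ehlo_resp.decode("ascii", "replace"))
        if "starttls" not in offered:
            return {"host": host, "starttls_offered": False, "extensions": sorted(offered)}
        smtp.starttls(context=ctx)       # raises on a failed handshake
        smtp.ehlo(helo)                  # re-EHLO after STARTTLS as RFC 3207 requires
        version = smtp.sock.version()
        cipher = smtp.sock.cipher()[0]
        return {"host": host, "starttls_offered": True, "tls_version": version,
                "cipher": cipher, "acceptable": tls_is_acceptable(version)}


if __name__ == "__main__":
    print(probe_starttls("mail.example.invalid"))   # placeholder hostname
```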

@micw Thank you for the explanation! That is very unfortunate. I've been using this for years: https://addons.thunderbird.net/en-US/thunderbird/addon/paranoia/
Why is NGINX used for that? I see no benefits. Is there any chance this may be changed in the future?

Mailu has been a pleasure to use so that's a bummer.

Main benefit is that nginx can delegate authentication to a http backend in a standardized way.

This has nothing to do with nginx afaik, nginx exposes starttls over port 25, and senders should use opportunistic starttls when connecting.

I will have to check that starttls is not broken on port 25, because that would indeed be a serious regression.

Oh. I am now understanding that you are facing this error when sending mail. Are you using SMTPS?

@kaiyou Only incoming mails are affected. I checked the headers on the other end and they're fine. Check the header of a github e-mail for instance - they definitely do use TLS. Mailu does not show it.

@micw's explanation seems reasonable albeit I find it rather comical that such a basic matter cannot be handled by the protocol.

Oh, are you referring to the headers of the email as received by Postfix? That would mostly be because TLS is terminated before the email is received by Postfix.

And no, this is not a trivial issue. TLS is actually one of the most difficult issues when building anything over the internet today, email being the worst of all. So by all means, if you have an easy solution, please suggest it :)

@kaiyou Yes, micw already said exactly that in the first reply.

It _is_ a trivial issue indeed: Don't do what micw just explained :) Any plain old standard mail setup does not run into this issue. Depends on your values of course - personally I don't like compromising header integrity.

If you have any idea how to properly set this up so the headers reflect the originating connection security, any PR on the matter is welcome. We will keep ending TLS in front of Postfix however.

This annoyed the heck out of me as well and I ended up forwarding port 25 directly to the postfix container. I haven't found any issues with this approach as apparently Nginx does nothing but terminate TLS and offer authentication to users, which is usually not needed on port 25 anyway (clients should use 587).
Of course getting Let's Encrypt auto renewal support would require some extra work but I'm not using that anyway.

Please point out any issues I might have missed.

I mounted the certificates to postfix in addition to front and added override configuration for postfix:

smtpd_tls_cert_file = /certs/{{ mailu.certfile }}
smtpd_tls_key_file = /certs/{{ mailu.keyfile }}

# Offer STARTTLS
smtpd_use_tls = yes

# Add TLS info to Received-header
smtpd_tls_received_header = yes

Hi There,

The Mailu-Project is currently in a bit of a bind! We are short on man-power, and we need to judge if it is possible for us to put in some work on this issue.

To help with that, we are currently trying to find out which issues are actively keeping users from using Mailu, which issues have someone who wants to work on them — and which issues may be less important. These less important ones could be discarded for the time being, until the project is in a more stable and regular state once again.

In order for us to better assess this, it would be helpful if you could put a reaction on this post (use the :smiley: icon to the top-right).

  • 👍️ if you need this to be able to use Mailu. Ideally, you’d also be able to test this on your installation, and provide feedback …
  • 🎉 if you find it a nice bonus, but no deal-breaker
  • 🚀 if you want to work on it yourself!

We want to keep this voting open for 2 weeks from now, so please help out!

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

This hasn't been properly solved and I think it's still relevant

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

This issue is still relevant

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

This issue has not seen activity since it became stale. It will now be automatically closed. Please note that this is an automatic action, and not meant in any offensive way.

This issue is still relevant

I concur. I do not know how to solve it, but I'd like to see a fix. Is there a design document for Mailu? I found myself lost in the code without a little guidance.
