Mailu behind Traefik 2.2

Created on 27 Mar 2020 · 14 Comments · Source: Mailu/Mailu

Hello,

I am loving the Mailu system, but I struggle with implementing it in my environment.
I am running a Traefik 2.2 instance as reverse proxy and to handle all SSL stuff in one place.
Starting with the webmailer everything went well, sending and receiving mails worked out of the box.
Extending the usage to an IMAP client (Thunderbird) also worked: it connects via 993 to Traefik, and Traefik sends all requests unencrypted to the nginx container.
I am struggling to get SMTP to work.
Traefik is in a different subnet than Mailu, to encapsulate different types of services.
When I add the Traefik net to the RELAYNETS in mailu.env, I get an open relay, due to the fact that Traefik tunnels all traffic to the respective nginx container. Doing so is a bad idea, because everyone could use the server for spam.

I tried to find out why Mailu does not authenticate my mail address and my user, though I am using port 465, but I simply failed.
Could you provide any hints on how to configure Mailu to either authenticate everything coming from a specific host (Traefik) via SASL, or any idea how I could change my setup to get things rolling?

Is there any way to let Traefik handle all the ports and simply redirect them?

Kind regards,
LarsTi

backlog

Most helpful comment

Hi There,

The Mailu-Project is currently in a bit of a bind! We are short on man-power, and we need to judge if it is possible for us to put in some work on this issue.

To help with that, we are currently trying to find out which issues are actively keeping users from using Mailu, which issues have someone who wants to work on them, and which issues may be less important. These less important ones could be discarded for the time being, until the project is in a more stable and regular state once again.

In order for us to better assess this, it would be helpful if you could put a reaction on this post (use the :smiley: icon to the top-right).

  • 👍 if you need this to be able to use Mailu. Ideally, you'd also be able to test this on your installation, and provide feedback …
  • 🎉 if you find it a nice bonus, but no deal-breaker
  • 🚀 if you want to work on it yourself!

We want to keep this voting open for 2 weeks from now, so please help out!

All 14 comments

Add the front-container to the traefik-subnet (here: traefik_frontend) and set the appropriate traefik-labels:

```yaml
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik_frontend"
      - "traefik.http.routers.front.rule=Host(`mail.foo.bar`)"
      - "traefik.http.services.front.loadbalancer.server.port=80"
      # TLS support
      - "traefik.http.routers.front.tls.domains[0].main=mail.foo.bar"
      - "traefik.http.routers.front.tls.domains[0].sans=imap.foo.bar, smtp.foo.bar"
      - "traefik.http.routers.front.entrypoints=websecure"
      - "traefik.http.routers.front.tls=true"
      - "traefik.http.routers.front.tls.certresolver=myhttpchallenge_live"
      # Admin interface
      - "traefik.http.routers.front_admin.rule=Host(`mail.foo.bar`) && PathPrefix(`/admin`)"
      - "traefik.http.routers.front_admin.entrypoints=websecure"
      - "traefik.http.routers.front_admin.tls=true"
      - "traefik.http.routers.front_admin.tls.certresolver=myhttpchallenge_live"
```

I only let traefik handle the ports 80 and 443, the other stuff is done by the front-nginx from mailu though.

Thanks for your hint.
I figured out how to route the frontend, HTTP and HTTPS; even IMAP works via Traefik.
Just SMTP does not work, due to the open relay net.

How do you provide the certs for the mailu ssl ports?

@LarsTi , I use the certdumper-container:

```yaml
  certdumper:
    restart: always
    env_file: mailu.env
    image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}traefik-certdumper:master
    environment:
      - DOMAIN=mail.foo.bar
      # Set TRAEFIK_VERSION to v2 in your .env if you're using Traefik v2
      - TRAEFIK_VERSION=${TRAEFIK_VERSION:-v2}
    volumes:
      - "/docker/traefik/letsencrypt/acme.json:/traefik/acme.json"
      - "/docker/traefik/letsencrypt/certs:/tmp/work"
      - "/docker/mailu/certs:/output"
    labels:
      # Set watchtower label
      - "com.centurylinklabs.watchtower.enable=true"
```

@LarsTi
Hello,
could you do me a favor and post the docker-compose file and the .env?

@johabk
Hi, I am sorry I could not answer earlier.
Traefik compose (the indents are correct in my file; sorry, the pasting did not work properly):

```yaml
version: '3'

services:
  traefik:
    restart: unless-stopped
    image: "traefik:latest"
    command:
      - "--log.level=INFO"
      #- "--accesslog=true"
      - "--global.sendAnonymousUsage=false"
      # Allow self-signed backends
      - "--serversTransport.insecureSkipVerify=true"
      # Enable Prometheus
      - "--metrics.prometheus=true"
      - "--entrypoints.metrics.address=:8082"
      - "--metrics.prometheus.entrypoint=metrics"
      #- "--api.insecure=true"
      - "--api.dashboard=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      # HTTPS/HTTP entrypoints
      - "--entrypoints.web.address=:80"
      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
      - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
      - "--entrypoints.websecure.address=:443"
      # Mail entrypoints
      - "--entrypoints.smtp.address=:25"
      - "--entrypoints.smtp_ssl.address=:465"
      - "--entrypoints.smtp_start.address=:587"
      - "--entrypoints.pop3.address=:110"
      - "--entrypoints.pop3_ssl.address=:995"
      - "--entrypoints.imap.address=:143"
      - "--entrypoints.imap_ssl.address=:993"
      # Letsencrypt
      - "--certificatesresolvers.le_challenge.acme.httpchallenge=true"
      - "--certificatesresolvers.le_challenge.acme.httpchallenge.entrypoint=web"
      #- "--certificatesresolvers.le_challenge.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.le_challenge.acme.email=[email protected]"
      - "--certificatesresolvers.le_challenge.acme.storage=/letsencrypt/acme.json"
    labels:
      - "traefik.enable=true"
      - "traefik.port=8080"
      - "traefik.docker.network=traefik"
      # HTTPS service
      - "traefik.http.routers.api.rule=Host(\"traefik.XXX.TLD\")"
      - "traefik.http.routers.api.entrypoints=websecure"
      - "traefik.http.routers.api.tls.certresolver=le_challenge"
      - "traefik.http.routers.api.service=api@internal"
    ports:
      # HTTP
      - "80:80"
      - "443:443"
      # Mail
      - "25:25"   # SMTP
      - "465:465" # SMTP SSL
      - "587:587" # SMTP STARTTLS
      - "110:110" # POP3
      - "995:995" # POP3 SSL
      - "143:143" # IMAP
      - "993:993" # IMAP SSL
    volumes:
      - "./volumes/letsencrypt:/letsencrypt"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    networks:
      - traefik

networks:
  traefik:
    external: true
```

Mailu.env (truncated to variables only):

SECRET_KEY=XXXX
SUBNET=192.168.203.0/24
DOMAIN=XXX.TLD
HOSTNAMES=XXX.TLD,smtp.XXX.TLD,mail.XXX.TLD,imap.XXX.TLD
POSTMASTER=admin
TLS_FLAVOR=notls
AUTH_RATELIMIT=100/minute;1000/hour
DISABLE_STATISTICS=True
ADMIN=true
WEBMAIL=rainloop
WEBDAV=radicale

ANTIVIRUS=clamav

MESSAGE_SIZE_LIMIT=500000000
RELAYNETS=
RELAYHOST=
FETCHMAIL_DELAY=600
RECIPIENT_DELIMITER=+
DMARC_RUA=admin
DMARC_RUF=admin
WELCOME=false
WELCOME_SUBJECT=Welcome to your new email account
WELCOME_BODY=Welcome to your new email account, if you can read this, then it is configured properly!
COMPRESSION=
COMPRESSION_LEVEL=
WEBROOT_REDIRECT=/
WEB_ADMIN=/admin
WEB_WEBMAIL=/
SITENAME=Webmailer
WEBSITE=https://mail.XXX.TLD

LOG_DRIVER=json-file

COMPOSE_PROJECT_NAME=mail
PASSWORD_SCHEME=BLF-CRYPT
REAL_IP_HEADER=X-Forwarded-For
REAL_IP_FROM=
REJECT_UNLISTED_RECIPIENT=no
LOG_LEVEL=WARNING
DB_FLAVOR=postgresql
DB_PW=XXXXX

The Mailu compose file, shortened to the nginx reverse proxy only:

```yaml
version: '3'

services:
  # mailu
  front:
    image: mailu/nginx:1.7
    restart: unless-stopped
    env_file: mailu.env
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik"
      # Web interface
      - "traefik.http.routers.mailu_websecure.rule=Host(\"mail.XXX.TLD\")"
      - "traefik.http.routers.mailu_websecure.entrypoints=websecure"
      # Since no TLS is configured in Mailu, only port 80 is open
      - "traefik.http.services.mailu_websecure.loadBalancer.server.port=80"
      - "traefik.http.routers.mailu_websecure.tls.certresolver=le_challenge"
      # SMTP: no SSL
      - "traefik.tcp.routers.mailu_smtp.rule=HostSNI(\"*\")"
      - "traefik.tcp.routers.mailu_smtp.entrypoints=smtp"
      - "traefik.tcp.routers.mailu_smtp.service=mailu_smtp"
      # SMTP: SSL
      - "traefik.tcp.routers.mailu_smtp_ssl1.rule=HostSNI(\"smtp.XXX.TLD\", \"XXX.TLD\", \"mail.XXX.TLD\")"
      - "traefik.tcp.routers.mailu_smtp_ssl1.entrypoints=smtp_ssl"
      - "traefik.tcp.routers.mailu_smtp_ssl1.tls=true"
      - "traefik.tcp.routers.mailu_smtp_ssl1.tls.certresolver=le_challenge"
      - "traefik.tcp.routers.mailu_smtp_ssl1.service=mailu_smtp"
      # STARTTLS
      - "traefik.tcp.routers.mailu_smtp_start1.rule=HostSNI(\"smtp.XXX.TLD\", \"XXX.TLD\", \"mail.XXX.TLD\")"
      - "traefik.tcp.routers.mailu_smtp_start1.entrypoints=smtp_start"
      - "traefik.tcp.routers.mailu_smtp_start1.tls=true"
      - "traefik.tcp.routers.mailu_smtp_start1.tls.certresolver=le_challenge"
      - "traefik.tcp.routers.mailu_smtp_start1.service=mailu_smtp"
      # SMTP target port
      - "traefik.tcp.services.mailu_smtp.loadBalancer.server.port=25"
      # POP3: no SSL
      - "traefik.tcp.routers.mailu_pop3.rule=HostSNI(\"*\")"
      - "traefik.tcp.routers.mailu_pop3.entrypoints=pop3"
      - "traefik.tcp.routers.mailu_pop3.service=mailu_pop3"
      # POP3: SSL
      - "traefik.tcp.routers.mailu_pop3_ssl1.rule=HostSNI(\"pop3.XXX.TLD\", \"XXX.TLD\", \"mail.XXX.TLD\")"
      #- "traefik.tcp.routers.mailu_pop3_ssl1.rule=HostSNI(\"pop3.XXX.TLD\")"
      - "traefik.tcp.routers.mailu_pop3_ssl1.entrypoints=pop3_ssl"
      - "traefik.tcp.routers.mailu_pop3_ssl1.tls=true"
      - "traefik.tcp.routers.mailu_pop3_ssl1.tls.certresolver=le_challenge"
      - "traefik.tcp.routers.mailu_pop3_ssl1.service=mailu_pop3"
      # POP3 target port
      - "traefik.tcp.services.mailu_pop3.loadBalancer.server.port=110"
      # IMAP: no SSL
      - "traefik.tcp.routers.mailu_imap.rule=HostSNI(\"*\")"
      - "traefik.tcp.routers.mailu_imap.entrypoints=imap"
      - "traefik.tcp.routers.mailu_imap.service=mailu_imap"
      # IMAP: SSL
      - "traefik.tcp.routers.mailu_imap_ssl1.rule=HostSNI(\"imap.XXX.TLD\", \"XXX.TLD\", \"mail.XXX.TLD\")"
      #- "traefik.tcp.routers.mailu_imap_ssl1.rule=HostSNI(\"imap.XXX.TLD\")"
      - "traefik.tcp.routers.mailu_imap_ssl1.entrypoints=imap_ssl"
      - "traefik.tcp.routers.mailu_imap_ssl1.tls=true"
      - "traefik.tcp.routers.mailu_imap_ssl1.tls.certresolver=le_challenge"
      - "traefik.tcp.routers.mailu_imap_ssl1.service=mailu_imap"
      # IMAP target port
      - "traefik.tcp.services.mailu_imap.loadBalancer.server.port=143"
    networks:
      - mail
      - traefik

networks:
  traefik:
    external: true
  mail:
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: 192.168.203.0/24
```

I hope you understand what's happening.
To clarify:

  • the traefik network was created by: docker network create traefik
  • nginx and traefik are in the same network, routing is working, all packets arrive at their destinations
  • nginx is also in the default network for mailu (as are all other containers related to mailu)
  • there is no other container than the ones generated by the tool (https://setup.mailu.io/1.7/) in the mailu network
  • I want a single point of entry to my server, that is traefik. I could hand over the certs to mailu and let mailu do the encryption, but this is not my favorite solution

@sholl : I will try and test it with certdumper, but it might take me a few days.

Thank you for your help :)
LarsTi

Hey @LarsTi
Any update on this?
I am struggling to make SSL work...
I tried with certdumper, which generates cert and key from my acme.json and passes it to mailu, but with no luck.
Thanks for your help.

Seems like the night was good.
I managed to make SSL work by letting the front container (Nginx) expose all the mail ports.

docker-compose.yml

    ports:
      - 'SERVER_IP:110:110'
      - 'SERVER_IP:143:143'
      - 'SERVER_IP:993:993'
      - 'SERVER_IP:995:995'
      - 'SERVER_IP:25:25'
      - 'SERVER_IP:465:465'
      - 'SERVER_IP:587:587'

Therefore, Traefik is not catching any of the TCP connections anymore (a pity), but only generating the SSL cert for my "mail.XXX.YYY" domain, and certdumper passes it to Nginx.
That's the only way I made it to work...
I would love Traefik to be able to do all the TCP SSL TLS part... instead of forwarding this to the Nginx container directly. It would be a better security and manageable layer IMO.
For those struggling, below are my configuration files:

docker-compose.yml

version: '3.7'

services:
  certdumper:
    restart: always
    image: mailu/traefik-certdumper:${MAILU_VERSION:-master}
    environment:
      - DOMAIN=mail.YOUR_DOMAIN
      - TRAEFIK_VERSION=v2
    volumes:
      - '/home/antoine/git/traefik/letsencrypt/acme.json:/traefik/acme.json'
      - '/data/docker/volumes/mailu/certs:/output'

  # External dependencies
  redis:
    image: redis:alpine
    restart: always
    volumes:
      - '/data/docker/volumes/mailu/redis:/data'

  # Core services
  front:
    image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}nginx:${MAILU_VERSION:-1.7}
    restart: always
    env_file: mailu.env
    logging:
      driver: json-file
    volumes:
      - '/data/docker/volumes/mailu/certs:/certs'
      - '/data/docker/volumes/mailu/overrides/nginx:/overrides'
    ports:
      - 'YOUR_IP:110:110'
      - 'YOUR_IP:143:143'
      - 'YOUR_IP:993:993'
      - 'YOUR_IP:995:995'
      - 'YOUR_IP:25:25'
      - 'YOUR_IP:465:465'
      - 'YOUR_IP:587:587'
    networks:
      - default
      - traefik-public
    labels:
      - 'traefik.enable=true'
      # Web UI
      - 'traefik.http.routers.mailu-websecure.rule=Host(`mail.YOUR_DOMAIN`)'
      - 'traefik.http.routers.mailu-websecure.entrypoints=websecure'
      - 'traefik.http.routers.mailu-websecure.tls.certresolver=letsencrypt'
      - 'traefik.http.routers.mailu-websecure.service=mailu-websecure-svc'
      - 'traefik.http.services.mailu-websecure-svc.loadbalancer.server.port=80'
      # # SMTP: No SSL
      # # - 'traefik.tcp.routers.mailu-smtp.rule=HostSNI(`*`)'
      # # - 'traefik.tcp.routers.mailu-smtp.entrypoints=smtp'
      # # - 'traefik.tcp.routers.mailu-smtp.service=mailu-smtp-svc'
      # # - 'traefik.tcp.services.mailu-smtp-svc.loadbalancer.server.port=25'
      # # SMTP: SSL
      # # - 'traefik.tcp.routers.mailu-smtp_ssl.rule=HostSNI(`smtp.YOUR_DOMAIN`, `YOUR_DOMAIN`, `mail.YOUR_DOMAIN`)'
      # - 'traefik.tcp.routers.mailu-smtp_ssl.rule=HostSNI(`mail.YOUR_DOMAIN`)'
      # - 'traefik.tcp.routers.mailu-smtp_ssl.entrypoints=smtp_ssl'
      # # - 'traefik.tcp.routers.mailu-smtp_ssl.tls.passthrough=true'
      # - 'traefik.tcp.routers.mailu-smtp_ssl.tls=true'
      # - 'traefik.tcp.routers.mailu-smtp_ssl.tls.certresolver=letsencrypt'
      # - 'traefik.tcp.routers.mailu-smtp_ssl.service=mailu-smtp_ssl-svc'
      # - 'traefik.tcp.services.mailu-smtp_ssl-svc.loadbalancer.server.port=465'
      # # # STARTTLS
      # # - 'traefik.tcp.routers.mailu-smtp_start.rule=HostSNI(`smtp.YOUR_DOMAIN`, `YOUR_DOMAIN`, `mail.YOUR_DOMAIN`)'
      # - 'traefik.tcp.routers.mailu-smtp_start.rule=HostSNI(`mail.YOUR_DOMAIN`)'
      # - 'traefik.tcp.routers.mailu-smtp_start.entrypoints=smtp_start'
      # # - 'traefik.tcp.routers.mailu-smtp_start.tls.passthrough=true'
      # - 'traefik.tcp.routers.mailu-smtp_start.tls=true'
      # - 'traefik.tcp.routers.mailu-smtp_start.tls.certresolver=letsencrypt'
      # - 'traefik.tcp.routers.mailu-smtp_start.service=mailu-smtp_start-svc'
      # - 'traefik.tcp.services.mailu-smtp_start-svc.loadbalancer.server.port=587'
      # # POP3: No SSL
      # - 'traefik.tcp.routers.mailu-pop3.rule=HostSNI(`*`)'
      # - 'traefik.tcp.routers.mailu-pop3.entrypoints=pop3'
      # - 'traefik.tcp.routers.mailu-pop3.service=mailu-pop3-svc'
      # - 'traefik.tcp.services.mailu-pop3-svc.loadbalancer.server.port=110'
      # # POP3: SSL
      # # - 'traefik.tcp.routers.mailu-pop3_ssl.rule=HostSNI(`pop3.YOUR_DOMAIN`, `YOUR_DOMAIN`, `mail.YOUR_DOMAIN`)'
      # - 'traefik.tcp.routers.mailu-pop3_ssl.rule=HostSNI(`mail.YOUR_DOMAIN`)'
      # - 'traefik.tcp.routers.mailu-pop3_ssl.entrypoints=pop3_ssl'
      # - 'traefik.tcp.routers.mailu-pop3_ssl.tls.passthrough=true'
      # # - 'traefik.tcp.routers.mailu-pop3_ssl.tls=true'
      # # - 'traefik.tcp.routers.mailu-pop3_ssl.tls.certresolver=letsencrypt'
      # - 'traefik.tcp.routers.mailu-pop3_ssl.service=mailu-pop3_ssl-svc'
      # - 'traefik.tcp.services.mailu-pop3_ssl-svc.loadbalancer.server.port=995'
      # # IMAP: No SSL
      # - 'traefik.tcp.routers.mailu-imap.rule=HostSNI(`*`)'
      # - 'traefik.tcp.routers.mailu-imap.entrypoints=imap'
      # - 'traefik.tcp.routers.mailu-imap.service=mailu-imap-svc'
      # - 'traefik.tcp.services.mailu-imap-svc.loadbalancer.server.port=143'
      # # IMAP: SSL
      # # - 'traefik.tcp.routers.mailu-imap_ssl.rule=HostSNI(`imap.YOUR_DOMAIN`, `YOUR_DOMAIN`, `mail.YOUR_DOMAIN`)'
      # - 'traefik.tcp.routers.mailu-imap_ssl.rule=HostSNI(`mail.YOUR_DOMAIN`)'
      # - 'traefik.tcp.routers.mailu-imap_ssl.entrypoints=imap_ssl'
      # - 'traefik.tcp.routers.mailu-imap_ssl.tls.passthrough=true'
      # # - 'traefik.tcp.routers.mailu-imap_ssl.tls=true'
      # # - 'traefik.tcp.routers.mailu-imap_ssl.tls.certresolver=letsencrypt'
      # - 'traefik.tcp.routers.mailu-imap_ssl.service=mailu-imap_ssl-svc'
      # - 'traefik.tcp.services.mailu-imap_ssl-svc.loadbalancer.server.port=993'

  # resolver:
  #   image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}unbound:${MAILU_VERSION:-1.7}
  #   env_file: mailu.env
  #   restart: always
  #   networks:
  #     default:
  #       ipv4_address: 192.168.203.254

  admin:
    image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}admin:${MAILU_VERSION:-1.7}
    restart: always
    env_file: mailu.env
    volumes:
      - '/data/docker/volumes/mailu/data:/data'
      - '/data/docker/volumes/mailu/dkim:/dkim'
    depends_on:
      - redis

  imap:
    image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}dovecot:${MAILU_VERSION:-1.7}
    restart: always
    env_file: mailu.env
    volumes:
      - '/data/docker/volumes/mailu/mail:/mail'
      - '/data/docker/volumes/mailu/overrides:/overrides'
    depends_on:
      - front

  smtp:
    image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}postfix:${MAILU_VERSION:-1.7}
    restart: always
    env_file: mailu.env
    volumes:
      - '/data/docker/volumes/mailu/overrides:/overrides'
    depends_on:
      - front
      # - resolver
    # dns:
    #   - 192.168.203.254

  antispam:
    image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}rspamd:${MAILU_VERSION:-1.7}
    restart: always
    env_file: mailu.env
    volumes:
      - '/data/docker/volumes/mailu/filter:/var/lib/rspamd'
      - '/data/docker/volumes/mailu/dkim:/dkim'
      - '/data/docker/volumes/mailu/overrides/rspamd:/etc/rspamd/override.d'
    depends_on:
      - front
      # - resolver
    # dns:
    #   - 192.168.203.254

  # Optional services
  antivirus:
    image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}clamav:${MAILU_VERSION:-1.7}
    restart: always
    env_file: mailu.env
    volumes:
      - '/data/docker/volumes/mailu/filter:/data'
    # depends_on:
    #   - resolver
    # dns:
    #   - 192.168.203.254

  # webdav:
  #   image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}radicale:${MAILU_VERSION:-1.7}
  #   restart: always
  #   env_file: mailu.env
  #   volumes:
  #     - '/data/docker/volumes/mailu/dav:/data'

  # fetchmail:
  #   image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}fetchmail:${MAILU_VERSION:-1.7}
  #   restart: always
  #   env_file: mailu.env
  #   depends_on:
  #     - resolver
  #   dns:
  #     - 192.168.203.254

  webmail:
    image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}rainloop:${MAILU_VERSION:-1.7}
    restart: always
    env_file: mailu.env
    volumes:
      - '/data/docker/volumes/mailu/webmail:/data'
    depends_on:
      - imap

  database:
    image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}postgresql:${MAILU_VERSION:-1.7}
    restart: always
    env_file: mailu.env
    volumes:
      - '/data/docker/volumes/mailu/data/psql_db:/data'
      - '/data/docker/volumes/mailu/data/psql_backup:/backup'

networks:
  traefik-public:
    name: traefik-public
  default:
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: 192.168.203.0/24
  # default:
  #   driver: bridge
  #   ipam:
  #     driver: default
  #     config:
  #       - subnet: 192.168.203.0/24

mailu.env

# Mailu main configuration file
#
# This file is autogenerated by the configuration management wizard for compose flavor.
# For a detailed list of configuration variables, see the documentation at
# https://mailu.io

###################################
# Common configuration variables
###################################

# Set to a randomly generated 16 bytes string
SECRET_KEY=SECRET_HERE

# Subnet of the docker network. This should not conflict with any networks to which your system is connected. (Internal and external!)
SUBNET=192.168.203.0/24

# Main mail domain
DOMAIN=YOUR_DOMAIN

# Hostnames for this server, separated with comas
HOSTNAMES=mail.YOUR_DOMAIN

# Postmaster local part (will append the main mail domain)
POSTMASTER=admin

# Choose how secure connections will behave (value: letsencrypt, cert, notls, mail, mail-letsencrypt)
TLS_FLAVOR=mail

# Authentication rate limit (per source IP address)
AUTH_RATELIMIT=10/minute;1000/hour 

# Opt-out of statistics, replace with "True" to opt out
DISABLE_STATISTICS=True

###################################
# Optional features
###################################

# Expose the admin interface (value: true, false)
ADMIN=true

# Choose which webmail to run if any (values: roundcube, rainloop, none)
WEBMAIL=rainloop

# Dav server implementation (value: radicale, none)
WEBDAV=none

# Antivirus solution (value: clamav, none)
#ANTIVIRUS=clamav

###################################
# Mail settings
###################################

# Message size limit in bytes
# Default: accept messages up to 50MB
# Max attachment size will be 33% smaller
MESSAGE_SIZE_LIMIT=50000000

# Networks granted relay permissions
# Use this with care, all hosts in this networks will be able to send mail without authentication!
RELAYNETS=

# Will relay all outgoing mails if configured
RELAYHOST=

# Fetchmail delay
FETCHMAIL_DELAY=600

# Recipient delimiter, character used to delimiter localpart from custom address part
RECIPIENT_DELIMITER=+

# DMARC rua and ruf email
DMARC_RUA=admin
DMARC_RUF=admin

# Welcome email, enable and set a topic and body if you wish to send welcome
# emails to all users.
WELCOME=false
WELCOME_SUBJECT=Welcome to your new email account
WELCOME_BODY=Welcome to your new email account, if you can read this, then it is configured properly!

# Maildir Compression
# choose compression-method, default: none (value: bz2, gz)
COMPRESSION=
# change compression-level, default: 6 (value: 1-9)
COMPRESSION_LEVEL=

###################################
# Web settings
###################################

# Path to redirect / to
WEBROOT_REDIRECT=/webmail

# Path to the admin interface if enabled
WEB_ADMIN=/admin

# Path to the webmail if enabled
WEB_WEBMAIL=/webmail

# Website name
SITENAME=Mail

# Linked Website URL
WEBSITE=https://mail.YOUR_DOMAIN



###################################
# Advanced settings
###################################

# Log driver for front service. Possible values:
# json-file (default)
# journald (On systemd platforms, useful for Fail2Ban integration)
# syslog (Non systemd platforms, Fail2Ban integration. Disables `docker-compose log` for front!)
# LOG_DRIVER=json-file

# Docker-compose project name, this will prepended to containers names.
COMPOSE_PROJECT_NAME=mailu

# Default password scheme used for newly created accounts and changed passwords
# (value: BLF-CRYPT, SHA512-CRYPT, SHA256-CRYPT, MD5-CRYPT, CRYPT)
PASSWORD_SCHEME=BLF-CRYPT

# Header to take the real ip from
REAL_IP_HEADER=

# IPs for nginx set_real_ip_from (CIDR list separated by commas)
REAL_IP_FROM=

# choose wether mailu bounces (no) or rejects (yes) mail when recipient is unknown (value: yes, no)
REJECT_UNLISTED_RECIPIENT=

# Log level threshold in start.py (value: CRITICAL, ERROR, WARNING, INFO, DEBUG, NOTSET)
LOG_LEVEL=WARNING

###################################
# Database settings
###################################
DB_FLAVOR=postgresql
DB_PW=PASSWORD

Cheers.
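The TCP router labels posted in this thread fail in a few recurring ways: Traefik terminates TLS in front of a backend port that itself expects a TLS handshake (465/993/995, the commented-out `tls=true` attempts above), a router with TLS enabled sits on a STARTTLS entrypoint such as 587 or 143 where clients start in plaintext, or a submission entrypoint (465/587) is forwarded to backend port 25, which is the MTA relay port and offers no client AUTH (which is why adding the proxy subnet to RELAYNETS looked like the only "fix" and produced an open relay). The following linter is an added example, not code from Mailu or Traefik; it parses `traefik.tcp.*` labels as they appear in the compose files above, takes the entrypoint-to-port map from the Traefik compose file earlier in the thread, and reports those mismatches. The finding codes are my own, and the port roles are an assumption based on the standard assignments; the `tls.passthrough` handling reflects Traefik v2 behaviour, where any `tls.*` option makes a TCP router TLS-only.

```python
"""Lint Traefik v2 TCP labels placed in front of a Mailu front (nginx) container.

Added example, not code from Mailu or Traefik. Port roles are an assumption
taken from the standard assignments: 465/993/995 implicit TLS, 25/110/143/587
plaintext or STARTTLS, and 25 the MTA relay port without client AUTH.
"""
from collections import defaultdict

# Constructed from the Traefik compose file posted in this thread.
ENTRYPOINTS = {"smtp": 25, "smtp_ssl": 465, "smtp_start": 587,
               "pop3": 110, "pop3_ssl": 995, "imap": 143, "imap_ssl": 993}

IMPLICIT_TLS = {465, 993, 995}           # the backend expects a TLS handshake first
STARTTLS_OR_PLAIN = {25, 110, 143, 587}  # clients begin in plaintext
SUBMISSION = {465, 587}                  # clients must authenticate here
MTA_PORT = 25                            # server-to-server relay, no client AUTH


def parse_labels(labels):
    """Split 'traefik.tcp.{routers,services}.<name>.<key>=<value>' labels.
    Service ports are kept in a list so a repeated definition stays visible."""
    routers, services = defaultdict(dict), defaultdict(list)
    for label in labels:
        key, _, value = label.partition("=")
        parts = key.split(".")
        if len(parts) < 5 or parts[:2] != ["traefik", "tcp"]:
            continue
        kind, name, rest = parts[2], parts[3], ".".join(parts[4:])
        if kind == "routers":
            routers[name][rest] = value
        elif kind == "services" and rest == "loadbalancer.server.port":
            services[name].append(int(value))
    return routers, services


def lint(labels, entrypoints=ENTRYPOINTS):
    """Return [(router_or_service, CODE), ...]; an empty list means nothing was flagged."""
    routers, services = parse_labels(labels)
    findings = []
    for svc, ports in services.items():
        if len(ports) > 1:            # only the last server.port takes effect
            findings.append((svc, "DUP_PORT"))
    for name, r in routers.items():
        ports = services.get(r.get("service"), [])
        if not ports:
            findings.append((name, "NO_SERVICE"))
            continue
        backend = ports[-1]
        # Any tls option (tls=true, tls.certresolver, tls.passthrough) makes the
        # router TLS-only: Traefik waits for a ClientHello on that entrypoint.
        tls = r.get("tls") == "true" or any(k.startswith("tls.") for k in r)
        terminates = tls and r.get("tls.passthrough") != "true"
        for ep in (e.strip() for e in r.get("entrypoints", "").split(",")):
            front = entrypoints.get(ep)
            if front is None:
                continue
            if tls and front in STARTTLS_OR_PLAIN:
                findings.append((name, "TLS_ON_STARTTLS_PORT"))   # plaintext clients never send a ClientHello
            if terminates and backend in IMPLICIT_TLS:
                findings.append((name, "PLAINTEXT_TO_TLS_PORT"))  # nginx on 465/993/995 receives plaintext
            if front in SUBMISSION and backend == MTA_PORT:
                # Clients land on the relay port: no AUTH is offered, and widening
                # RELAYNETS to the proxy subnet would turn the server into an open relay.
                findings.append((name, "SUBMISSION_TO_MTA_PORT"))
    return findings


# Constructed sample: the SMTP part of the first compose file in this thread.
SAMPLE = [
    "traefik.tcp.routers.mailu_smtp_ssl1.rule=HostSNI(`smtp.XXX.TLD`)",
    "traefik.tcp.routers.mailu_smtp_ssl1.entrypoints=smtp_ssl",
    "traefik.tcp.routers.mailu_smtp_ssl1.tls=true",
    "traefik.tcp.routers.mailu_smtp_ssl1.service=mailu_smtp",
    "traefik.tcp.routers.mailu_smtp_start1.entrypoints=smtp_start",
    "traefik.tcp.routers.mailu_smtp_start1.tls=true",
    "traefik.tcp.routers.mailu_smtp_start1.service=mailu_smtp",
    "traefik.tcp.services.mailu_smtp.loadbalancer.server.port=25",
]

if __name__ == "__main__":
    for obj, code in lint(SAMPLE):
        print(f"{obj}: {code}")
```

Run against the labels of the front container, `lint` prints one line per mismatch; an empty result for a router that uses `tls.passthrough=true` toward 465 or 993 is expected, because then the TLS session runs end to end and the backend sees what it is configured for.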

Dear @AntoinedeChassey and @sholl,
I finally got it working with a traefik frontend and mailu backend.
I don't like my solution, because I did not forward the ports via traefik, but only used Traefik for the certs and exported them. I used cert-dumper as the solution for this.
The mailu-nginx container is set to "certs" and got the ports for all mail traffic (SMTP and IMAP) on the host system.

Is there any way to proxy the SASL authentication? Or let Traefik do the authentication? In this case Traefik would need access to the endpoints of Mailu, because it is itself just a reverse proxy.

Kind regards,
LarsTi

hello @LarsTi ,

I would like to setup mailu with traefik.
I would like to know if you have found an improvement to your configuration?

Best regards
jericho

Dear @jericho63,

I use certdumper to get the SSL cert and only use Traefik to handle the HTTP traffic. I am currently not able to find the time to investigate this deeper.
Sorry.

Best regards,
LarsTi

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

Since people have voted for it, I have added a label to prevent the issue going stale. I cannot help you unfortunately, since I do not have experience with traefik.

Hi!

I hope to add something to this discussion and also am seeking help in understanding what exactly is not working atm.

I managed to get mailu working completely with regard to webmail. So admin, webmail, sending and receiving of emails works via traefik (no exposed ports "around" traefik). But sending mails via a local mail client (not webmail) via SMTP is not working.

Via https://www.gmass.co/smtp-test I get the most promising error message:

```text
Connected to smtps://smtp.mydomain.tld:587/
<< 220 mydomain.tld ESMTP ready
>> EHLO [172.31.xx.xx]
<< 250 mydomain.tld
ERROR: The SMTP server does not support authentication.
```

But I do not understand what this error indicates. Can you point me in any direction? I think I am getting around with traefik, but I struggle with inner workings of mailu / smtp.

For documentation and hopefully starting point for somebody else:

My configuration follows here. I enabled certdumper, but do not use certificates in mailu at all. Further, I changed the front service from ports to expose. Expose is more or less only informational. By defining specific entryPoints in traefik and mapping those to tcp.services I was able to avoid exposing the front container directly.

version: '3.7'

services:

  # External dependencies
  redis:
    image: redis:alpine
    restart: always
    volumes:
      - "/srv/mailu/redis:/data"
    labels:
      - "traefik.enable=false"

  # Core services
  front:
    image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}nginx:${MAILU_VERSION:-1.7}
    restart: always
    env_file: mailu.env
    logging:
      driver: json-file
    expose:
      - "80"
      - "993"
      - "143"
      - "465"
      - "587"
      - "25"
    volumes:
      - "/srv/mailu/certs:/certs"
      - "/srv/mailu/overrides/nginx:/overrides"
    networks:
      - intranet
      - default
    labels:
      - "traefik.enable=true"
      - "traefik.http.services.front-mailu.loadbalancer.server.port=80"
      - "traefik.http.services.front-mailu.loadbalancer.server.scheme=http"
      - "traefik.http.routers.mailu.tls=true"
      - "traefik.http.routers.mailu.tls.certresolver=myresolver"
      - "traefik.http.routers.mailu.rule=Host(`mailu.mydomain.tld`)"
      - "traefik.http.routers.mailu.entrypoints=web,websecure"
      - "traefik.tcp.services.front-imap-mailu-service.loadbalancer.server.port=993"
      - "traefik.tcp.services.front-imap-mailu-service.loadbalancer.server.port=143"
      - "traefik.tcp.routers.front-imap-mailu-router.service=front-imap-mailu-service"
      - "traefik.tcp.routers.front-imap-mailu-router.rule=HostSNI(`imap.mydomain.tld`)"
      - "traefik.tcp.routers.front-imap-mailu-router.entrypoints=imap,imaps"
      - "traefik.tcp.routers.front-imap-mailu-router.tls=true"
      - "traefik.tcp.routers.front-imap-mailu-router.tls.certresolver=myresolver"
      - "traefik.tcp.services.front-smtp-mailu-service.loadbalancer.server.port=25"
      - "traefik.tcp.routers.front-smtp-mailu-router.service=front-smtp-mailu-service"
      - "traefik.tcp.routers.front-smtp-mailu-router.entrypoints=smtp"
      - "traefik.tcp.routers.front-smtp-mailu-router.tls=false"
      - "traefik.tcp.routers.front-smtp-mailu-router.rule=HostSNI(`*`)"
      - "traefik.tcp.services.front-smtps-mailu-service.loadbalancer.server.port=465"
      - "traefik.tcp.routers.front-smtps-mailu-router.service=front-smtps-mailu-service"
      - "traefik.tcp.routers.front-smtps-mailu-router.entrypoints=smtps"
      - "traefik.tcp.routers.front-smtps-mailu-router.tls=true"
      - "traefik.tcp.routers.front-smtps-mailu-router.tls.certresolver=myresolver"
      - "traefik.tcp.routers.front-smtps-mailu-router.rule=HostSNI(`smtp.mydomain.tld`,`mydomain.tld`)"
      - "traefik.tcp.services.front-submission-mailu-service.loadbalancer.server.port=587"
      - "traefik.tcp.routers.front-submission-mailu-router.service=front-submission-mailu-service"
      - "traefik.tcp.routers.front-submission-mailu-router.entrypoints=submission"
      - "traefik.tcp.routers.front-submission-mailu-router.tls=true"
      - "traefik.tcp.routers.front-submission-mailu-router.tls.certresolver=myresolver"
      - "traefik.tcp.routers.front-submission-mailu-router.rule=HostSNI(`smtp.mydomain.tld`,`mydomain.tld`)"
  resolver:
    image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}unbound:${MAILU_VERSION:-1.7}
    env_file: mailu.env
    restart: always
    labels:
      - "traefik.enable=false"
    networks:
      default:
        ipv4_address: 192.168.203.254

  admin:
    image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}admin:${MAILU_VERSION:-1.7}
    restart: always
    env_file: mailu.env
    labels:
      - "traefik.enable=false"
    volumes:
      - "/srv/mailu/data:/data"
      - "/srv/mailu/dkim:/dkim"
    depends_on:
      - redis
    networks:
      - default
      - intranet

  imap:
    image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}dovecot:${MAILU_VERSION:-1.7}
    restart: always
    env_file: mailu.env
    labels:
      - "traefik.enable=false"
    volumes:
      - "/srv/mailu/mail:/mail"
      - "/srv/mailu/overrides:/overrides"
    depends_on:
      - front

  smtp:
    image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}postfix:${MAILU_VERSION:-1.7}
    restart: always
    env_file: mailu.env
    labels:
      - "traefik.enable=false"
    volumes:
      - "/srv/mailu/overrides:/overrides"
    depends_on:
      - front
      - resolver
    dns:
      - 192.168.203.254

  antispam:
    image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}rspamd:${MAILU_VERSION:-1.7}
    restart: always
    env_file: mailu.env
    labels:
      - "traefik.enable=false"
    volumes:
      - "/srv/mailu/filter:/var/lib/rspamd"
      - "/srv/mailu/dkim:/dkim"
      - "/srv/mailu/overrides/rspamd:/etc/rspamd/override.d"
    depends_on:
      - front
      - resolver
    dns:
      - 192.168.203.254

  # Optional services
  antivirus:
    image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}clamav:${MAILU_VERSION:-1.7}
    restart: always
    env_file: mailu.env
    labels:
      - "traefik.enable=false"
    volumes:
      - "/srv/mailu/filter:/data"
    depends_on:
      - resolver
    dns:
      - 192.168.203.254
  # Webmail
  webmail:
    image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}rainloop:${MAILU_VERSION:-1.7}
    restart: always
    env_file: mailu.env
    labels:
      - "traefik.enable=false"
    volumes:
      - "/srv/mailu/webmail:/data"
    depends_on:
      - imap

networks:
  default:
    #enable_ipv6: true
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: 192.168.203.0/24
        - subnet: 2a03:4000:4d:fb7::/64
  intranet:
    name: intranet
    external: true

```

```
# Mailu main configuration file
#
# This file is autogenerated by the configuration management wizard for compose flavor.
# For a detailed list of configuration variables, see the documentation at
# https://mailu.io

#
# Common configuration variables
#

# Set to a randomly generated 16 bytes string
SECRET_KEY=XXXXXXX

# Subnet of the docker network. This should not conflict with any networks to which your system is connected. (Internal and external!)
SUBNET=192.168.203.0/24
SUBNET6=2a03::/64

# Main mail domain
DOMAIN=mydomain.tld

# Hostnames for this server, separated with commas
HOSTNAMES=mydomain.tld

# Postmaster local part (will append the main mail domain)
POSTMASTER=admin

# Choose how secure connections will behave (value: letsencrypt, cert, notls, mail, mail-letsencrypt)
TLS_FLAVOR=notls

# Authentication rate limit (per source IP address)
AUTH_RATELIMIT=10/minute;1000/hour

# Opt-out of statistics, replace with "True" to opt out
DISABLE_STATISTICS=False

#
# Optional features
#

# Expose the admin interface (value: true, false)
ADMIN=true

# Choose which webmail to run if any (values: roundcube, rainloop, none)
WEBMAIL=rainloop

# Dav server implementation (value: radicale, none)
WEBDAV=none

# Antivirus solution (value: clamav, none)
ANTIVIRUS=clamav

#
# Mail settings
#

# Message size limit in bytes
# Default: accept messages up to 50MB
# Max attachment size will be 33% smaller
MESSAGE_SIZE_LIMIT=50000000

# Networks granted relay permissions
# Use this with care, all hosts in these networks will be able to send mail without authentication!
RELAYNETS=

# Will relay all outgoing mails if configured
RELAYHOST=

# Fetchmail delay
FETCHMAIL_DELAY=600

# Recipient delimiter, character used to delimit localpart from custom address part
RECIPIENT_DELIMITER=+

# DMARC rua and ruf email
DMARC_RUA=admin
DMARC_RUF=admin

# Welcome email, enable and set a topic and body if you wish to send welcome
# emails to all users.
WELCOME=false
WELCOME_SUBJECT=Welcome to your new email account
WELCOME_BODY=Welcome to your new email account, if you can read this, then it is configured properly!

# Maildir Compression
# choose compression-method, default: none (value: bz2, gz)
COMPRESSION=
# change compression-level, default: 6 (value: 1-9)
COMPRESSION_LEVEL=

#
# Web settings
#

# Path to redirect / to
WEBROOT_REDIRECT=/

# Path to the admin interface if enabled
WEB_ADMIN=/admin

# Path to the webmail if enabled
WEB_WEBMAIL=/

# Website name
SITENAME=Mailu

# Linked Website URL
WEBSITE=https://mailu.io

#
# Advanced settings
#

# Log driver for front service. Possible values:
# json-file (default)
# journald (On systemd platforms, useful for Fail2Ban integration)
# syslog (Non systemd platforms, Fail2Ban integration. Disables docker-compose log for front!)
LOG_DRIVER=json-file

# Docker-compose project name, this will be prepended to container names.
COMPOSE_PROJECT_NAME=mailu

# Default password scheme used for newly created accounts and changed passwords
# (value: BLF-CRYPT, SHA512-CRYPT, SHA256-CRYPT, MD5-CRYPT, CRYPT)
PASSWORD_SCHEME=BLF-CRYPT

# Header to take the real ip from
REAL_IP_HEADER=

# IPs for nginx set_real_ip_from (CIDR list separated by commas)
REAL_IP_FROM=

# choose whether mailu bounces (no) or rejects (yes) mail when recipient is unknown (value: yes, no)
REJECT_UNLISTED_RECIPIENT=

# Log level threshold in start.py (value: CRITICAL, ERROR, WARNING, INFO, DEBUG, NOTSET)
LOG_LEVEL=WARNING

#
# Database settings
#

DB_FLAVOR=postgresql
DB_USER=mailu
DB_PW=xxxx
DB_HOST=pgsql
DB_NAME=mailu
```

traefik.toml:

```
[entryPoints]
[entryPoints.web]
address = ":80"
[entryPoints.web.http.redirections]
[entryPoints.web.http.redirections.entryPoint]
to = "websecure"
scheme = "https"

[entryPoints.websecure]
address = ":443"
[entryPoints.imap]
address = ":143"
[entryPoints.imaps]
address = ":993"
[entryPoints.smtps]
address = ":465"
[entryPoints.submission]
address = ":587"
[entryPoints.smtp]
address = ":25"
```

Edit: Found an error exposing the SMTP ports. Changed the Traefik labels accordingly.
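The two things that bite in this setup are the ones the thread circles around: a Traefik TCP router whose entrypoint or backing service is missing (the "error exposing smtp ports" above), and a RELAYNETS entry that covers the proxy's own network, which turns every connection Traefik forwards into an unauthenticated relay because Postfix only ever sees the proxy's address. The script below is an added static check, not code from the issue, Mailu or Traefik; the label list, the TOML snippet and the 172.18.0.0/16 proxy subnet are constructed placeholders standing in for the posted files.

```python
import ipaddress
import re

# Constructed sample inputs modelled on the posted setup (not the issue's exact files).
# The submission service deliberately lacks its port label and RELAYNETS deliberately
# covers the hypothetical Traefik network, so both findings show up when run as-is.
LABELS = [
    "traefik.tcp.services.front-smtps-mailu-service.loadbalancer.server.port=465",
    "traefik.tcp.routers.front-smtps-mailu-router.service=front-smtps-mailu-service",
    "traefik.tcp.routers.front-smtps-mailu-router.entrypoints=smtps",
    "traefik.tcp.routers.front-submission-mailu-router.service=front-submission-mailu-service",
    "traefik.tcp.routers.front-submission-mailu-router.entrypoints=submission",
]
TRAEFIK_TOML = "[entryPoints.smtps]\naddress = \":465\"\n[entryPoints.submission]\naddress = \":587\"\n"
MAILU_ENV = "SUBNET=192.168.203.0/24\nRELAYNETS=172.18.0.0/16\n"
PROXY_NET = "172.18.0.0/16"  # hypothetical subnet of the Traefik docker network

def parse_entrypoints(toml_text):
    # Only top-level [entryPoints.<name>] tables count; nested tables such as
    # [entryPoints.web.http.redirections] are settings of an entry point, not entry points.
    return set(re.findall(r"^\[entryPoints\.([\w-]+)\]\s*$", toml_text, re.M))

def parse_env(env_text):
    # Minimal KEY=VALUE reader for mailu.env; skips blank and comment lines.
    pairs = (l.split("=", 1) for l in env_text.splitlines()
             if l.strip() and not l.lstrip().startswith("#") and "=" in l)
    return {k.strip(): v.strip() for k, v in pairs}

def check_config(labels, toml_text, env_text, proxy_net):
    problems = []
    entrypoints = parse_entrypoints(toml_text)
    services, routers = set(), {}
    for label in labels:
        key, _, value = label.partition("=")
        parts = key.split(".")
        if parts[:3] == ["traefik", "tcp", "services"] and parts[-1] == "port":
            services.add(parts[3])
        elif parts[:3] == ["traefik", "tcp", "routers"]:
            routers.setdefault(parts[3], {})[".".join(parts[4:])] = value
    for name, opts in routers.items():
        if opts.get("entrypoints") not in entrypoints:
            problems.append(f"{name}: entrypoint {opts.get('entrypoints')!r} is not defined in traefik.toml")
        if opts.get("service") not in services:
            problems.append(f"{name}: service {opts.get('service')!r} has no loadbalancer.server.port")
    proxy = ipaddress.ip_network(proxy_net)
    for net in filter(None, parse_env(env_text).get("RELAYNETS", "").split(",")):
        if ipaddress.ip_network(net.strip()).overlaps(proxy):
            problems.append(f"RELAYNETS {net.strip()} covers the proxy network: every SMTP client "
                            "arriving through Traefik would be relayed without authentication")
    return problems
```

The RELAYNETS check is the one that matters for security: the only safe way to keep authentication is to leave the proxy network out of RELAYNETS and let clients authenticate on 465/587 instead.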
