Docker Mailcow: Nginx as Mail reverse proxy to docker container images using SMTP, POP3 and IMAP

dockerimappop3reverse-proxysmtp

On my server I am running a mailcow:dockerized solution on a debian server and I want to use the nginx not only as an http reverse proxy but also as an SMTP imap and pop3 too as seen in https://www.nginx.com/resources/admin-guide/mail-proxy/

But the further I read in the link the difficult it becomes to figure out how this will be done. In http it is obvious how this will be done:

 server {
   listen 80;
   server_name mail.example.tk;

   location /.well-known {
        proxy_pass http://127.0.0.1:8080/.well-known ;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        client_max_body_size 100m;

   }

   location / {
        rewrite ^(.*) https://$server_name$1 permanent;
   }

}

server {
 listen 443 ssl;
 server_name mail.example.tk;

 ssl_certificate     /opt/docker-mailcow/data/assets/ssl/cert.pem;
 ssl_certificate_key /opt/docker-mailcow/data/assets/ssl/key.pem;
 ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
 ssl_ciphers         HIGH:!aNULL:!MD5;


 location / {
        proxy_pass http://127.0.0.1:8080/;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        client_max_body_size 100m;
 }

}

But using smtp, pop3 and imap how will this be done? Please keep in ming that the docker images run on the same server with nginx and these are:

827c20cee898        mailcow/dovecot:1.0     "/docker-entrypoin..."   50 minutes ago      Up 50 minutes             24/tcp, 10001/tcp, 0.0.0.0:2110->110/tcp, 0.
76a977a8064e        mailcow/postfix:1.0     "/bin/sh -c 'exec ..."   50 minutes ago      Up 50 minutes             588/tcp, 0.0.0.0:2525->25/tcp, 0.0.0.0:2465-

Any ideas?

Best Answer

Based on comments, it sounds like the question is around the HTTP authentication server for the mail proxy. The bit of of the guide talks about this:

Each POP3/IMAP/SMTP request from the client will be first authenticated on an external HTTP authentication server or by an authentication script. Having an authentication server is obligatory for NGINX mail server proxy. The server can be created by yourself in accordance with the NGINX authentication protocol which is based on the HTTP protocol.

It links to http://nginx.org/en/docs/mail/ngx_mail_auth_http_module.html#protocol which goes further into what the request and response should look like. It gives this as a request example:

GET /auth HTTP/1.0
Host: localhost
Auth-Method: plain # plain/apop/cram-md5/external
Auth-User: user
Auth-Pass: password
Auth-Protocol: imap # imap/pop3/smtp
Auth-Login-Attempt: 1
Client-IP: 192.0.2.42
Client-Host: client.example.org

This is what your auth_http server will receive. Then, your auth_http server will need to respond with something like:

HTTP/1.0 200 OK
Auth-Status: OK
Auth-Server: 198.51.100.1
Auth-Port: 143

The response from your server contains the server IP and port that the request will be proxied to.

Unfortunately, they don't give any example HTTP server or code to run. However, I found another article that gives a PHP server script as an example at https://www.nginx.com/resources/wiki/start/topics/examples/imapauthenticatewithapachephpscript/.

Related Solutions

NGINX Reverse Proxy – URL Rewrite

Any redirect to localhost doesn't make sense from a remote system (e.g. client's Web browser). So the rewrite flags permanent (301) or redirect (302) are not usable in your case.

Please try following setup using a transparent rewrite rule:

location  /foo {
  rewrite /foo/(.*) /$1  break;
  proxy_pass         http://localhost:3200;
  proxy_redirect     off;
  proxy_set_header   Host $host;
}

Use curl -i to test your rewrites. A very subtle change to the rule can cause nginx to perform a redirect.

Reverse proxy for multiple SMTP / IMAP servers

There is no need to put nginx or any other form of load balancer in front of your border SMTP servers. If you don't get the configuration right, it is likely to hurt your ability to successfully deliver mail. Just put your servers in your DMZ.

Incoming traffic will be part way through a conversation before you can route it appropriately. IMAP users will be attempting to login. SMTP servers will be at the RCPT TO command, and may be attempting to deliver the same message to different domains for which you are listed as the MX.

It is common to use names like smtp01.example.com for farms of servers. For each of these servers. The domain you use for your mail server(s) rarely matches the server name. For common services like SMTP, Web, IMAP, POP and other it is common to publish and use service names in addition (or instead of) host names. Load balance your MX servers by publishing them at the same priority.

Publish an A record in DNS for your mail server's IP address. Also add an AAAA record for the mail server's IPv6 IP. if you want to support IPv6. (You will need two PTR records if you are configuring both IPv4 and IPv6 support.)
Have you IP provider configure the PTR record to return the service (SMTP) name of the server. This will enable reverse DNS (rDNS) validation to work.
Configure your mail server to bind to the above address(es) when sending email.
Configure the mail server to use the service name as its identity. This will allow rDNS validation to work on the HELO or EHLO command.

Consider adding an SPF record like v=spf1 a -all to the DNS entries for each SMTP server. This will allow recipients to verify that this server is intended to send mail. (SPF can be used to verify the server as well as the sender.)

While it is common for the MX servers to also be the outbound mail servers, it is not necessary. List the outbound SMTP servers in the SPF record for the domains used in email addresses (usually example.com rather than george.example.com).

Your SMTP servers should belong to one domain. The MX servers for a domain do not have to be in the same domain. If you are configuring multiple domains, pick one for the mail servers and use that for all the domains.

In larger installations, it is common for the border (externally facing) SMTP servers to forward to internal mail servers for final delivery of incoming mail. All outgoing mail should be sent to the border servers for delivery. If you have split your incoming MX (mail exchange) servers from outgoing MTA (Mail Transfer Agent) servers outgoing messages should be sent via the outgoing MTAs rather than the MX servers. It is a good idea to include MX in the SPF records anyway. This will allow your MX servers to send delayed delivery notifications without the message being considered spam.

For roaming users you may need authenticated SMTP access to allow the users to send email. This is best done on the Submission port (587) rather than the SMTP port (25). This should be secured with TLS (SSL) using the startTLS command after connecting. Authentication should only be allows on encrypted connections. This can be offered on the servers configured above, or on the servers providing IMAP access.

Depending on your needs you can use an IMAP server that supports proxying connections, or just allow the users to connect to the server for their domain. It is common to use a service domain for this purpose, usually imap.example.com or mail.example.com. These can be configured in DNS as A records or CNAMES. Many mail clients will auto-configure correctly to the common service accounts for the domain. If joe@example.com is entered as the user during configuration, the software is likely to find service domains like mail.example.com, imap.example.com, pop.example.com and smtp.example.com. It is relatively common to use different service names for IMAP and STMP traffic.

Best Answer

Related Solutions

NGINX Reverse Proxy – URL Rewrite

Reverse proxy for multiple SMTP / IMAP servers

Related Topic