Hey all,
I’ll first describe my whole setup so everything is clear.
I have a dedicated server with one IPv4 and a /64 IPv6 subnet. The server is running Proxmox with a routed NAT setup for IPv4 and dedicated IPv6 (aaaa:dead:beef::a) for VMs and containers. Mailcow is running on a qemu KVM; port 25 is forwarded to that KVM, everything else uses a dedicated IPv6 address. I have set the DNS to use the subdomain a.domain.tld for the MX record and also set the a.domain.tld A and AAAA records. This is working without any problem: e-mails get sent through either IPv4 or IPv6 depending on what the receiver or sender uses. WebUI is reachable over a.domain.tld, but as ports 80 and 443 are not forwarded to the VM it uses the assigned IPv6 to resolve to the WebUI.
I wanted to access my WebUI while being behind an IPv4-only connection (at work) and wanted to do this by using Cloudflare's DNS proxy. Obviously that does not work out of the box, as the MX record needs to resolve to the real IPv6 (aaaa:dead:beef::a) and it does not when behind the Cloudflare proxy. So I assigned another IPv6 to the VM like this:
iface eno1 inet6 static
    address aaaa:dead:beef::a
    gateway aaaa:dead:beef::1

iface eno1 inet6 static
    address aaaa:dead:beef::b
    gateway aaaa:dead:beef::1
Both IPs are pingable and seem to work.
OK, so the next thing I did was look at the documentation on how to bind to certain IP addresses. The page itself has the information I needed, although I was not sure if I need to set both IPv4 and IPv6 to make it work. But I found this comment on GitHub saying so. As I only need port 25 to be IPv4, I made this mailcow.conf:
HTTP_PORT=80
HTTP_BIND=127.0.0.1
HTTPS_PORT=443
HTTPS_BIND=127.0.0.1

# ------------------------------
# Other bindings
# ------------------------------
# You should leave that alone
# Format: 11.22.33.44:25 or 12.34.56.78:465 etc.
SMTP_PORT=my_ipv4_ip:25
SMTPS_PORT=127.0.0.1:465
SUBMISSION_PORT=127.0.0.1:587
IMAP_PORT=127.0.0.1:143
IMAPS_PORT=127.0.0.1:993
POP_PORT=127.0.0.1:110
POPS_PORT=127.0.0.1:995
SIEVE_PORT=127.0.0.1:4190
DOVEADM_PORT=127.0.0.1:19991
SQL_PORT=127.0.0.1:13306
SOLR_PORT=127.0.0.1:18983
REDIS_PORT=127.0.0.1:7654
I also created the following docker-compose.override.yml:
version: '2.1'
services:
  dovecot-mailcow:
    ports:
      - '[aaaa:dead:beef::a]:143:143'
      - '[aaaa:dead:beef::a]:993:993'
      - '[aaaa:dead:beef::a]:110:110'
      - '[aaaa:dead:beef::a]:995:995'
      - '[aaaa:dead:beef::a]:4190:4190'
  postfix-mailcow:
    ports:
      - '[aaaa:dead:beef::a]:465:465'
      - '[aaaa:dead:beef::a]:587:587'
  nginx-mailcow:
    ports:
      - '[aaaa:dead:beef::b]:8080:80'
      - '[aaaa:dead:beef::b]:8443:443'
The hostname is set to b.domain.tld, which resolves to aaaa:dead:beef::b behind Cloudflare DNS proxy. additional_san includes a.domain.tld, which should be used for everything other than the WebUI. Another AAAA record was added pointing to aaaa:dead:beef::b. So two AAAA records (a. and b. subdomain) and one A record (a. subdomain).
At first this seemed to work just fine as the WebUI was reachable over b.domain.tld. But the WebUI was also still reachable over a.domain.tld. Removing the a.domain.tld from mailcow.conf makes the WebUI reachable only over b.domain.tld but it causes a lot of problems with acme and autodiscover.
Sorry that this is getting so long. It boils down to this one question.
How can I make the WebUI reachable only over b.domain.tld with the IPv6 (aaaa:dead:beef::b) without breaking any functionality?
Edit: totally forgot to add that I did try to just forward connections from a.domain to b.domain using nginx, but this also made autodiscover break (probably because requests also get redirected to the wrong IP?)
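Added example, not part of the original post: a small Python audit that parses the bindings quoted above and lists which services end up listening on which non-loopback address. The `CONF`/`OVERRIDE` dictionaries and function names are hypothetical, and `203.0.113.10` is a documentation address standing in for `my_ipv4_ip`.

```python
import ipaddress
from collections import defaultdict

# Constructed input: bindings copied from the post. 203.0.113.10 is an assumed
# stand-in for "my_ipv4_ip"; loopback-only internal ports (SQL, Solr, Redis,
# doveadm) are left out.
CONF = {  # mailcow.conf values as "host_ip:host_port"
    "nginx-mailcow": ["127.0.0.1:80", "127.0.0.1:443"],
    "postfix-mailcow": ["203.0.113.10:25", "127.0.0.1:465", "127.0.0.1:587"],
    "dovecot-mailcow": ["127.0.0.1:%d" % p for p in (143, 993, 110, 995, 4190)],
}
# Compose appends an override's `ports` list to the base list, so both apply.
OVERRIDE = {  # "[host_ip]:host_port:container_port"
    "dovecot-mailcow": ["[aaaa:dead:beef::a]:%d:%d" % (p, p)
                        for p in (143, 993, 110, 995, 4190)],
    "postfix-mailcow": ["[aaaa:dead:beef::a]:465:465",
                        "[aaaa:dead:beef::a]:587:587"],
    "nginx-mailcow": ["[aaaa:dead:beef::b]:8080:80",
                      "[aaaa:dead:beef::b]:8443:443"],
}

def parse_binding(spec):
    """Return (ip_address, host_port) for a bracketed-IPv6 or IPv4 spec."""
    if spec.startswith("["):
        host, _, rest = spec[1:].partition("]:")
    else:
        host, _, rest = spec.partition(":")
    return ipaddress.ip_address(host), int(rest.split(":")[0])

def exposure(*sources):
    """Map each non-loopback address to the sorted (port, service) pairs on it."""
    exposed = defaultdict(list)
    for source in sources:
        for service, specs in source.items():
            for spec in specs:
                addr, port = parse_binding(spec)
                if not addr.is_loopback:
                    exposed[str(addr)].append((port, service))
    return {addr: sorted(pairs) for addr, pairs in exposed.items()}

def addresses_serving(service, exposed):
    """Addresses on which `service` has at least one non-loopback listener."""
    return sorted(a for a, pairs in exposed.items()
                  if any(s == service for _, s in pairs))

if __name__ == "__main__":
    result = exposure(CONF, OVERRIDE)
    for addr, pairs in sorted(result.items()):
        print(addr, pairs)
    print("web UI on:", addresses_serving("nginx-mailcow", result))
```

This shows address-level separation only; which hostnames a listener answers for is decided inside nginx, not by these bindings.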