Hi All,
I have more problems but for now I’ll try to solve the innermost one.
My full network is composed of 3 layers.
1) Firewall (OPNSense)
2) Reverse Proxy (Traefik)
3) MailCow
The 2nd and 3rd layers are on Docker.
The problem arises from the fact that I cannot send emails.

I tried to use:

openssl s_client -starttls imap -connect docker:143 | openssl x509 -noout -text

but I receive the error:
Warning: Reading certificate from stdin since no -in or -new option is given
00D044DC01000000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:646:
Could not find certificate from <stdin>
00D044DC01000000:error:1608010C:STORE routines:ossl_store_handle_load_result:unsupported:crypto/store/store_result.c:151:

instead of the starttls certificate, so I tried:

telnet docker 143

and I received:
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS LOGINDISABLED] Dovecot ready.

In the log I find:
dovecot-mailcow-1 | Dec 27 01:26:54 7037e05affb9 dovecot: auth: Debug: auth client connected (pid=179)
dovecot-mailcow-1 | Dec 27 01:26:54 7037e05affb9 dovecot: imap-login: Disconnected: Connection closed: SSL_accept() syscall failed: Invalid argument (no auth attempts in 0 secs): user=<>, rip=192.168.1.1, lip=172.22.1.250, TLS handshaking: SSL_accept() syscall failed: Invalid argument

I’ve been trying to figure out what’s happening for a week without success. At first I thought it was the firewall, then I thought about the reverse proxy, but I started contacting docker directly and it still doesn’t work for me.
The problem is on port 143 and 993, but I received the certificate correctly on 465 and 587.

I used to use the Firewall directly with docker and it seemed to work, but I never checked properly. Now I changed the docker server by backing up the previous one and restoring it on the new one, and added Traefik.
Another piece of information, perhaps useful, is that I changed the directory where I put the restore from /opt to /home/<user>

Thank You

You have tried to run a TLS connection over a non-TLS port (143)… There is no certificate bound. And you probably missed the “-servername” option.
Try this openssl command with port 993 which is IMAP over TLS:
openssl s_client -showcerts -connect mail.example.com:993 -servername mail.example.com
What is the outcome?
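A probe that applies the distinction made in this reply, added here as an example (not code from the thread, from mailcow or from Traefik): on 143 and 587 it performs the plaintext STARTTLS exchange before the TLS handshake, on 993 and 465 it starts TLS immediately, and in both cases it sends `servername` as SNI and verifies the certificate against it, so the target can be an internal name like `docker` while the check is for the public MX name. It then lists the DNS names in the certificate, which is also how to confirm that the `MAILCOW_HOSTNAME` / `ADDITIONAL_SAN` choice covers every name clients use; `tls-probe` (the EHLO name) and `SAMPLE_CERT` are assumed and constructed values.

```python
import socket
import ssl

STARTTLS_PORTS = {143: "imap", 587: "smtp"}  # plaintext greeting, then upgrade
IMPLICIT_TLS_PORTS = {993, 465}              # TLS from the very first byte

# Constructed sample shaped like ssl.SSLSocket.getpeercert() (names from the thread).
SAMPLE_CERT = {"subjectAltName": (("DNS", "docker.domain.tld"),
                                  ("DNS", "mail.domain.tld"), ("DNS", "mail.domain2.tld"))}

def negotiate_starttls(sock: socket.socket, proto: str) -> None:
    """Drive the plaintext half of STARTTLS on an open socket; raise if refused."""
    lines = sock.makefile("rb")
    lines.readline()  # greeting: "* OK [CAPABILITY ... STARTTLS ...]" or "220 ..."
    if proto == "imap":
        sock.sendall(b"a1 STARTTLS\r\n")
        reply, ok = lines.readline(), b"a1 OK"
    else:
        sock.sendall(b"EHLO tls-probe\r\n")  # SMTP: EHLO first, then STARTTLS
        while True:  # EHLO reply is multi-line; "250 " (space) marks the last line
            line = lines.readline()
            if not line.startswith(b"250"):
                raise ConnectionError(f"EHLO failed: {line!r}")
            if line.startswith(b"250 "):
                break
        sock.sendall(b"STARTTLS\r\n")
        reply, ok = lines.readline(), b"220"
    if not reply.startswith(ok):
        raise ConnectionError(f"{proto} server refused STARTTLS: {reply!r}")

def fetch_cert(host: str, port: int, servername: str) -> dict:
    """Connect the way `port` expects and return the verified peer certificate."""
    if port not in STARTTLS_PORTS and port not in IMPLICIT_TLS_PORTS:
        raise ValueError(f"port {port} is not a mail TLS port")
    raw = socket.create_connection((host, port), timeout=10)
    if port in STARTTLS_PORTS:
        negotiate_starttls(raw, STARTTLS_PORTS[port])
    ctx = ssl.create_default_context()  # system CA store, hostname check on
    # servername is sent as SNI and checked against the cert; host may be "docker".
    with ctx.wrap_socket(raw, server_hostname=servername) as tls:
        return tls.getpeercert()

def cert_names(cert: dict) -> list[str]:
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]

def name_covered(name: str, sans: list[str]) -> bool:
    """True if `name` matches a SAN exactly or via a single-label '*.' wildcard."""
    name = name.lower()
    parent = name.split(".", 1)[1] if "." in name else ""
    return any(s.lower() in (name, "*." + parent) for s in sans)
```

Run it as `cert_names(fetch_cert("docker", 143, "mail.domain.tld"))` and compare with port 993; a stack that fails on 143 but answers on 993 (or the reverse) points at the STARTTLS/implicit-TLS mismatch rather than at the certificate itself.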


I tried your command:

openssl s_client -showcerts -connect docker:993 -servername mail.domain.tld

where mail.domain.tld is my mail server and MX record and the result is:

CONNECTED(00000006)
00D044DC01000000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:646:
no peer certificate available
No client certificate CA names sent
SSL handshake has read 0 bytes and written 342 bytes
Verification: OK
New, (NONE), Cipher is (NONE)
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

Any suggestion?

I solved my first problem.
I reinstalled everything under /opt.
I restored the backup and now it works.

Now I have only one doubt:
1)
MAILCOW_HOSTNAME=docker.domain.tld
ADDITIONAL_SAN=mail.domain.tld,mail.domain2.tld
ADDITIONAL_SERVER_NAMES=<ip traefik>
2)
MAILCOW_HOSTNAME=mail.domain.tld
ADDITIONAL_SAN=
ADDITIONAL_SERVER_NAMES=

the problem with the 1st is that when you connect to smtp it writes:

220 docker.domain.tld ESMTP Postcow

instead of

220 mail.domain.tld ESMTP Postcow

For my second problem I go to the traefik forum because the TCP router is not working properly.

traefik.tcp.routers.imaps.rule: "HostSNI(`*`)"
traefik.tcp.routers.imaps.entrypoints: "imap-ssl"
traefik.tcp.routers.imaps.service: "imaps"
traefik.tcp.services.imaps.loadbalancer.server.port: "993"
traefik.tcp.services.imaps.loadbalancer.proxyProtocol.version: "2"
traefik.tcp.routers.imaps.tls.passthrough: true

thank you

    What do you suggest setting in MAILCOW_HOSTNAME?

    The basics of using Traefik are explained in the documentation, but there are many examples on the internet for setting up SMTP and IMAP. My problem is that I’m not sure how reliable it is to point the service directly to docker without reverse proxy.

    Please follow the documentation for DNS and hostnames, so that would be “mail.domain.xyz”:
    https://docs.mailcow.email/prerequisite/prerequisite-dns/

    It is reliable; it was designed in such a way that you do not need reverse proxies.
    If you use Traefik for SMTP and IMAP, fail2ban/netfilter and spam filters are not working properly, so you actually end up with higher risk. That is also the reason why it is not included in the mailcow example config for Traefik…
