I have probably a bit of a unique setup. I’ll outline that first.
VPS hosted
pfSense and a Linux server in the VPS
I have the public IP of the VPS set up for the pfSense server and mailcow on the Linux server in the VPS. Ports are all forwarded over for regular mail function. This all works as expected. I have multiple domains sending and receiving mail through SMTP/POP/IMAP. All works. I do NOT have 80 and 443 forwarded to the mailcow server.
For SOGo access, I have a separate process. I have my one domain set up in Cloudflare, and I have a tunnel going to my proxy server where I have nginx (SWAG, LSIO). For that domain I have a subdomain address, and this routes through that tunnel and points to my SWAG nginx for the webmail access in SOGo and now the latest changes to the access page; from there I have definitions that send over to the server on the VPS. This works.
Below is my nginx directive for routing the request from my proxy to mailcow; this is essentially from the mailcow help docs:
location / {
    # Backend: mailcow's nginx on the VPS
    proxy_pass https://10.0.0.2/;
    # Pass the original Host so mailcow/SOGo build correct URLs
    proxy_set_header Host $http_host;
    # Client address headers for the backend
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    # Long timeouts for webmail sessions
    proxy_connect_timeout 75;
    proxy_send_timeout 3650;
    proxy_read_timeout 3650;
    # Buffering and unlimited upload size for attachments
    proxy_buffers 64 512k;
    client_body_buffer_size 512k;
    client_max_body_size 0;
}
The problem I’m seeing is that if I fail authentication, the nginx container, or maybe the php-fpm container for mailcow, seems to be using my proxy’s IP and not the one I’d expect to be sent over from my proxy with the X-Real-IP directives in my proxy. Here is the log for a failed login attempt:
php-fpm-mailcow-1 | [30-Mar-2025 15:13:36] WARNING: [pool web-worker] child 45 said into stderr: "NOTICE: PHP message: mailcow UI: Invalid password for my@email.address by MY.PROXY.IP.#"
netfilter-mailcow-1 | MY.PROXY.IP.# matched rule id 1 (mailcow UI: Invalid password for my@email.address by MY.PROXY.IP.#)
netfilter-mailcow-1 | Address MY.PROXY.IP.#/32 is whitelisted by rule MY.PROXY.IP.CIDR
The problem, as you can see, is that I have my internal IP range allow-listed, so with my setup configured this way the netfilter/fail2ban will not work properly. Is there something I need to adjust in my nginx config, or perhaps something in one of the mailcow containers?
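As an added example (not the poster's config and not mailcow's own), the backend-side counterpart to the proxy block above: nginx's realip module, configured so the nginx that receives the proxied requests replaces the connecting address with the client address carried in X-Forwarded-For, and does so only for connections arriving from the proxy. The proxy range is the post's MY.PROXY.IP.CIDR placeholder, and the file location is an assumption to check against your deployment.

```nginx
# Added example, not the poster's config or mailcow's own. Realip settings for
# the backend nginx on the VPS; assumed to live in a file that the backend
# nginx includes (check your deployment's include path).

# Only connections from the reverse proxy may rewrite the client address.
# Keep this range narrow: any host matched here can spoof the client IP
# simply by sending its own X-Forwarded-For header.
# MY.PROXY.IP.CIDR is the placeholder from the post; use the proxy's real range.
set_real_ip_from MY.PROXY.IP.CIDR;

# Take the client address from the header the proxy sets. Each hop appends
# its own address to X-Forwarded-For, so with real_ip_recursive on nginx walks
# the list from the right, skips trusted proxy addresses, and uses the first
# untrusted one as the client. X-Real-IP (single value) works too if the proxy
# is the only hop.
real_ip_header X-Forwarded-For;
real_ip_recursive on;
```

After this change a failed login should be logged by the client's address rather than MY.PROXY.IP.#, so the allow-listed proxy range no longer shields the client from netfilter. Confirm with a deliberately wrong password from a non-allow-listed address and compare the php-fpm log line.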