Mailcow + Traefik v2 = 404

vonAlenberg

Description:

Pretty simple, nothing works as it should and I have no idea why.
Containers are spawned, ports are in use, mail.DOMAIN_JS returns a 404.

Setup:

Ubuntu 20.04 on VPS with KVM
docker-compose version 1.25.0, build unknown
static IPv4 address, no IPv6 possible

Other services currently running:

Bitwarden
Wordpress
Gitea

Config:

traefik docker-compose.yml

   version: "3"

networks:
  external:
    external : true

services:
  traefik:
    container_name: traefik
    restart: always
    image: traefik:latest
    ports:
      # Web
      - 80:80
      - 443:443
      - 8080:8080
    environment:
      - CLOUDFLARE_EMAIL=${CF_API_EMAIL}
      - CLOUDFLARE_API_KEY=${CF_API_KEY}
      - CF_DNS_API_TOKEN=${CF_DNS_API_TOKEN}
      - CF_ZONE_API_TOKEN=${CF_ZONE_API_TOKEN}
    volumes:
      - ./traefik/letsencrypt/:/letsencrypt:rw
      - /run/docker.sock:/var/run/docker.sock:ro
    command:
      # All entrypoints
      - --entrypoints.http.address=:80
      - --entrypoints.https.address=:443
      # Docker provider
      - --providers.docker.exposedByDefault=true
      - --providers.docker.endpoint=unix:///run/docker.sock
      - --providers.docker.network=external
      # Use of API
      - --api
      # Better logging
      - --log.level=DEBUG
      # Creating LE certs
#      - --certificatesResolvers.le.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory
      - --certificatesResolvers.le.acme.email=${LE_MAIL}
      - --certificatesResolvers.le.acme.storage=letsencrypt/acme.json
      - --certificatesResolvers.le.acme.dnschallenge=true
      - --certificatesResolvers.le.acme.dnsChallenge.provider=cloudflare
      - --certificatesResolvers.le.acme.dnsChallenge.delayBeforeCheck=0
      # No SSL communication between traefik <-> apps
#      - --serverstransport.insecureskipverify=true
    labels:
      # Middleware for http redirect
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      - "traefik.http.routers.redirs.rule=hostregexp(`{host:.+}`)"
      - "traefik.http.routers.redirs.entrypoints=http"
      - "traefik.http.routers.redirs.middlewares=redirect-to-https"
      # Traefik dashboard available
      - "traefik.http.routers.traefik.rule=Host(`traefik.${DOMAIN_JS}`)"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.routers.traefik.tls.certresolver=le"
      - "traefik.http.routers.traefik.entrypoints=https"
      - "traefik.http.routers.traefik.middlewares=sts_headers"
      # Set STS-header for security
      - "traefik.http.middlewares.sts_headers.headers.stsSeconds=15552000"
      - "traefik.http.middlewares.sts_headers.headers.stsIncludeSubdomains=True"
      - "traefik.http.middlewares.sts_headers.headers.stsPreload=true"
      # CalDAV / CardDAV discovery
      - "traefik.http.middlewares.dav_discovery.replacepathregex.regex=^/.well-known/(card|cal)dav"
      - "traefik.http.middlewares.dav_discovery.replacepathregex.replacement=/remote.php/dav/"
      # Webfinger discovery
      - "traefik.http.middlewares.webfinger.replacepathregex.regex=^/.well-known/webfinger"
      - "traefik.http.middlewares.webfinger.replacepathregex.replacement=/public.php?service=webfinger"
    networks:
      - external
  
  my-app:
    image: containous/whoami:v1.3.0
    labels:
      - traefik.http.routers.my-app.rule=Host(`whoami.${DOMAIN_JS}`)
      - traefik.http.routers.my-app.tls=true
      - traefik.http.routers.my-app.tls.certresolver=le
      - traefik.http.routers.my-app.entrypoints=https
    networks:
      - external

Mailcow docker-compose.yml

   #      ports:
   #        - "${HTTPS_BIND:-0.0.0.0}:${HTTPS_PORT:-443}:${HTTPS_PORT:-443}"
   #        - "${HTTP_BIND:-0.0.0.0}:${HTTP_PORT:-80}:${HTTP_PORT:-80}"

docker-compose.override.yml

   version: '2.1'

services:
    nginx-mailcow:
      expose:
        - "8080"
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.nginx-mailcow.entrypoints=http"
        - "traefik.http.routers.nginx-mailcow.rule=HostRegexp(`{host:(autodiscover|autoconfig|webmail|mail|email).+}`)"
        - "traefik.http.middlewares.nginx-mailcow-https-redirect.redirectscheme.scheme=https"
        - "traefik.http.routers.nginx-mailcow.middlewares=nginx-mailcow-https-redirect"
        - "traefik.http.routers.nginx-mailcow-secure.entrypoints=https"
        - "traefik.http.routers.nginx-mailcow-secure.rule=Host(`mail.${DOMAIN-JS}`)" 
        - "traefik.http.routers.nginx-mailcow-secure.tls=true"
        - "traefik.http.routers.nginx-mailcow-secure.tls.certresolver=le"
        - "traefik.http.routers.nginx-mailcow-secure.service=nginx-mailcow"
        - "traefik.http.services.nginx-mailcow.loadbalancer.server.port=8080"
        - "traefik.docker.network=external"
      networks:
        external:


    certdumper:
        image: humenius/traefik-certs-dumper
        container_name: traefik_certdumper
        restart: unless-stopped
        network_mode: none
        command: --restart-containers mailcowdockerized_postfix-mailcow_1,mailcowdockerized_dovecot-mailcow_1
        volumes:
          # mount the folder which contains Traefik's `acme.json' file
          #   in this case Traefik is started from its own docker-compose in ../traefik
          - ./..//traefik/letsencrypt:/traefik:ro
          # mount mailcow's SSL folder
          - /var/run/docker.sock:/var/run/docker.sock:ro
          - ./data/assets/ssl:/output:rw
        environment:
          # only change this, if you're using another domain for mailcow's web frontend compared to the standard config
          #- DOMAIN=${MAILCOW_HOSTNAME}
          - DOMAIN=${DOMAIN-JS}   
networks:
  external:
    external: true

mailcow.conf

   # ------------------------------
# mailcow web ui configuration
# ------------------------------
# example.org is _not_ a valid hostname, use a fqdn here.
# Default admin user is "admin"
# Default password is "moohoo"

MAILCOW_HOSTNAME=mail.DOMAIN_JS

# Password hash algorithm
# Only certain password hash algorithm are supported. For a fully list of supported schemes,
# see https://mailcow.github.io/mailcow-dockerized-docs/model-passwd/
MAILCOW_PASS_SCHEME=BLF-CRYPT

# ------------------------------
# SQL database configuration
# ------------------------------

DBNAME=mailcow
DBUSER=mailcow

# Please use long, random alphanumeric strings (A-Za-z0-9)

DBPASS=***
DBROOT=***

# ------------------------------
# HTTP/S Bindings
# ------------------------------

# You should use HTTPS, but in case of SSL offloaded reverse proxies:
# Might be important: This will also change the binding within the container.
# If you use a proxy within Docker, point it to the ports you set below.
# Do _not_ use IP:PORT in HTTP(S)_BIND or HTTP(S)_PORT
# IMPORTANT: Do not use port 8081, 9081 or 65510!

HTTP_PORT=8080
HTTP_BIND=127.0.0.1

HTTPS_PORT=8443
HTTPS_BIND=127.0.0.1

# ------------------------------
# Other bindings
# ------------------------------
# You should leave that alone
# Format: 11.22.33.44:25 or 0.0.0.0:465 etc.

SMTP_PORT=25
SMTPS_PORT=465
SUBMISSION_PORT=587
IMAP_PORT=143
IMAPS_PORT=993
POP_PORT=110
POPS_PORT=995
SIEVE_PORT=4190
DOVEADM_PORT=127.0.0.1:19991
SQL_PORT=127.0.0.1:13306
SOLR_PORT=127.0.0.1:18983
REDIS_PORT=127.0.0.1:7654

# Your timezone

TZ=Europe/Berlin

# Fixed project name
# Please use lowercase letters only

COMPOSE_PROJECT_NAME=mailcowdockerized

# Set this to "allow" to enable the anyone pseudo user. Disabled by default.
# When enabled, ACL can be created, that apply to "All authenticated users"
# This should probably only be activated on mail hosts, that are used exclusivly by one organisation.
# Otherwise a user might share data with too many other users.
ACL_ANYONE=disallow

# Garbage collector cleanup
# Deleted domains and mailboxes are moved to /var/vmail/_garbage/timestamp_sanitizedstring
# How long should objects remain in the garbage until they are being deleted? (value in minutes)
# Check interval is hourly

MAILDIR_GC_TIME=7200

# Additional SAN for the certificate
#
# You can use wildcard records to create specific names for every domain you add to mailcow.
# Example: Add domains "example.com" and "example.net" to mailcow, change ADDITIONAL_SAN to a value like:
#ADDITIONAL_SAN=imap.*,smtp.*
# This will expand the certificate to "imap.example.com", "smtp.example.com", "imap.example.net", "imap.example.net"
# plus every domain you add in the future.
#
# You can also just add static names...
#ADDITIONAL_SAN=srv1.example.net
# ...or combine wildcard and static names:
#ADDITIONAL_SAN=imap.*,srv1.example.com
#

ADDITIONAL_SAN=

# Skip running ACME (acme-mailcow, Let's Encrypt certs) - y/n

SKIP_LETS_ENCRYPT=y

# Create seperate certificates for all domains - y/n
# this will allow adding more than 100 domains, but some email clients will not be able to connect with alternative hostnames
# see https://wiki.dovecot.org/SSL/SNIClientSupport
ENABLE_SSL_SNI=n

# Skip IPv4 check in ACME container - y/n

SKIP_IP_CHECK=n

# Skip HTTP verification in ACME container - y/n

SKIP_HTTP_VERIFICATION=n

# Skip ClamAV (clamd-mailcow) anti-virus (Rspamd will auto-detect a missing ClamAV container) - y/n

SKIP_CLAMD=y

# Skip SOGo: Will disable SOGo integration and therefore webmail, DAV protocols and ActiveSync support (experimental, unsupported, not fully implemented) - y/n

SKIP_SOGO=n

# Skip Solr on low-memory systems or if you do not want to store a readable index of your mails in solr-vol-1.

SKIP_SOLR=n

# Solr heap size in MB, there is no recommendation, please see Solr docs.
# Solr is a prone to run OOM and should be monitored. Unmonitored Solr setups are not recommended.

SOLR_HEAP=1024

# Allow admins to log into SOGo as email user (without any password)

ALLOW_ADMIN_EMAIL_LOGIN=n

# Enable watchdog (watchdog-mailcow) to restart unhealthy containers

USE_WATCHDOG=y

# Send watchdog notifications by mail (sent from watchdog@MAILCOW_HOSTNAME)
# CAUTION:
# 1. You should use external recipients
# 2. Mails are sent unsigned (no DKIM)
# 3. If you use DMARC, create a separate DMARC policy ("v=DMARC1; p=none;" in _dmarc.MAILCOW_HOSTNAME)
# Multiple rcpts allowed, NO quotation marks, NO spaces

#WATCHDOG_NOTIFY_EMAIL=a@example.com,b@example.com,c@example.com
#WATCHDOG_NOTIFY_EMAIL=

# Notify about banned IP (includes whois lookup)
WATCHDOG_NOTIFY_BAN=n

# Checks if mailcow is an open relay. Requires a SAL. More checks will follow.
# https://www.servercow.de/mailcow?lang=en
# https://www.servercow.de/mailcow?lang=de
# No data is collected. Opt-in and anonymous.
# Will only work with unmodified mailcow setups.
WATCHDOG_EXTERNAL_CHECKS=n

# Max log lines per service to keep in Redis logs

LOG_LINES=9999

# Internal IPv4 /24 subnet, format n.n.n (expands to n.n.n.0/24)
# Use private IPv4 addresses only, see https://en.wikipedia.org/wiki/Private_network#Private_IPv4_addresses

IPV4_NETWORK=172.22.1

# Internal IPv6 subnet in fc00::/7
# Use private IPv6 addresses only, see https://en.wikipedia.org/wiki/Private_network#Private_IPv6_addresses

IPV6_NETWORK=fd4d:6169:6c63:6f77::/64

# Use this IPv4 for outgoing connections (SNAT)

#SNAT_TO_SOURCE=

# Use this IPv6 for outgoing connections (SNAT)

#SNAT6_TO_SOURCE=

# Create or override an API key for the web UI
# You _must_ define API_ALLOW_FROM, which is a comma separated list of IPs
# An API key defined as API_KEY has read-write access
# An API key defined as API_KEY_READ_ONLY has read-only access
# Allowed chars for API_KEY and API_KEY_READ_ONLY: a-z, A-Z, 0-9, -
# You can define API_KEY and/or API_KEY_READ_ONLY

#API_KEY=
#API_KEY_READ_ONLY=
#API_ALLOW_FROM=172.22.1.1,127.0.0.1

# mail_home is ~/Maildir
MAILDIR_SUB=Maildir

# SOGo session timeout in minutes
SOGO_EXPIRE_SESSION=480

# DOVECOT_MASTER_USER and DOVECOT_MASTER_PASS must both be provided. No special chars.
# Empty by default to auto-generate master user and password on start.
# User expands to DOVECOT_MASTER_USER@mailcow.local
# LEAVE EMPTY IF UNSURE
DOVECOT_MASTER_USER=
# LEAVE EMPTY IF UNSURE
DOVECOT_MASTER_PASS=

DNS at Cloudflare

   ;; A Records
DOMAIN_JS.			1	IN	A	IPv4
mail.DOMAIN_JS.		1	IN	A	IPv4

;; CNAME Records
autoconfig.DOMAIN_JS.	1	IN	CNAME	mail.DOMAIN_JS m.
autodiscover.DOMAIN_JS.	1	IN	CNAME	mail.DOMAIN_JS.
git.DOMAIN_JS.		1	IN	CNAME	DOMAIN_JS.
passwords.DOMAIN_JS.	1	IN	CNAME	DOMAIN_JS.
whoami.DOMAIN_JS.		1	IN	CNAME	DOMAIN_JS.
www.DOMAIN_JS.		1	IN	CNAME	DOMAIN_JS.

;; MX Records
DOMAIN_JS.			1	IN	MX	10 mail.DOMAIN_JS.

;; TXT Records
_acme-challenge.DOMAIN_JS.	1	IN	TXT	***
_dmarc.DOMAIN_JS.			1	IN	TXT	"\"v=DMARC1; p=reject; rua=mailto:mailauth-reports@DOMAIN_JS\""
DOMAIN_JS.				1	IN	TXT	"\"v=spf1 mx -all\""

Support in English or German highly appreciated 😉

vonAlenberg

So far this support forum is as useful as the software it’s about - not at all…
Is more information needed on my part?

Psi

tldr;

# cat docker-compose.override.yml 
version: '3'

services:
  # set fixed container names that certdumper can trigger restart on cert-updates
  dovecot-mailcow:
    container_name: mailcow_dovecot

  postfix-mailcow:
    container_name: mailcow_postfix

  nginx-mailcow:
    container_name: mailcow_nginx
    networks:
      # add Traefik's network
      - public
    labels:
      - traefik.enable=true
      - traefik.http.routers.moo.rule=Host(`${MAILCOW_HOSTNAME}`)
      - traefik.http.services.moo.loadbalancer.server.port=2580 // see HTTP_PORT=2580 in mailcow.conf

  certdumper:
      image: humenius/traefik-certs-dumper
      restart: unless-stopped
      command: --restart-containers mailcow_postfix,mailcow_dovecot,mailcow_nginx
      network_mode: none
      volumes:
        - /var/run/docker.sock:/var/run/docker.sock:ro
        # mount the folder which contains Traefik's `acme.json' file
        #   in this case Traefik is started from its own docker-compose in ../traefik
        - /opt/traefik/acme.json:/traefik/acme.json:ro
        # mount mailcow's SSL folder
        - ./data/assets/ssl/:/output:rw
      environment:
        # only change this, if you're using another domain for mailcow's web frontend compared to the standard config
        - DOMAIN=${MAILCOW_HOSTNAME}


networks:
  public:
    external: true

and my traefik setup

# cat docker-compose.yml
version: "3.3"

services:
  traefik:
    image: "traefik:2.3"
    security_opt:
      - no-new-privileges:true
    restart: unless-stopped
    networks:
      - public
    command:
      - "--log.level=INFO"
      - "--entrypoints.web.address=:80" # HTTP listener
      - "--entrypoints.websecure.address=:443" # HTTPS listener
      - "--entrypoints.web.http.redirections.entryPoint.to=websecure" # global http to https redirect to entrypoint websecure
      - "--entrypoints.web.http.redirections.entryPoint.scheme=https" # global http to https redirect schema rewrite
      - "--providers.docker"
      - "--providers.docker.exposedbydefault=false" # every exposed service needs a treafik.enable=true label
      - "--providers.docker.network=public" # the docker network to use to connect to the service containers
      - "--api" # enable the traefik api
      - "--certificatesresolvers.le.acme.email=admin@example.com"
      - "--certificatesresolvers.le.acme.storage=/acme.json" // create file before first start and chmod 600
      - "--certificatesresolvers.le.acme.tlschallenge=true"
      - "--entrypoints.websecure.http.tls.certresolver=le" # websecure entrypoint (https) should use lets enctypt resolver by default
      - "--entrypoints.websecure.http.tls=true" # websecure entrypoint is always tls
    ports:
      - "80:80"
      - "443:443"
    networks:
      - public
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./acme.json:/acme.json"
    labels:
      # Dashboard
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.rule=Host(`traefik.example.com`)"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.routers.traefik.middlewares=admin"
      - "traefik.http.routers.traefik.tls.certresolver=le"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.middlewares.admin.basicauth.users=admin:...."

networks:
  public:
    external: true