New Traefik Reverse Proxy Configuration ?

castro

Good morning, everyone! I’m setting up Traefik as a reverse proxy for Mailcow, following the official Mailcow documentation: https://docs.mailcow.email/post_installation/reverse-proxy/r_p-traefik2/. However, I have a few questions.

Should I create a dedicated network for Traefik and add it to Mailcow’s override file, or use the same network as Mailcow and include it in Traefik’s compose file? For context, my VPS hosts only the Mailcow service, and I’m using a separate Traefik compose file, independent of Mailcow.
The local IP and port for Mailcow mentioned in the tutorial—do they refer to the IP of the Nginx container or to the address modified in mailcow.conf (HTTP_BIND) from the previous step?

HTTP_PORT=8080
HTTP_BIND=127.0.0.1
HTTPS_PORT=8444
HTTPS_BIND=127.0.0.1
Additionally, my Traefik docker-compose.yml is currently set up as follows:
services:
traefik:
image: traefik:v2.11
container_name: traefik
restart: always
ports:
- “80:80”
- “443:443”
volumes:
- /etc/localtime:/etc/localtime:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./traefik.yml:/etc/traefik/traefik.yml:ro
- ./acme.json:/etc/traefik/acme.json
- ./dynamic_mail.yml:/etc/traefik/dynamic_mail.yml:ro
- ./usersfile:/etc/traefik/usersfile:ro
- ./logs:/var/log/traefik
labels:
- “traefik.enable=true”

dashboard

- “traefik.http.routers.dashboard.rule=Host(traefik.domain...)”
- “traefik.http.routers.dashboard.entrypoints=websecure”
- “traefik.http.routers.dashboard.service=api@internal”
- “traefik.http.routers.dashboard.tls.certresolver=letsencrypt”
- “traefik.http.routers.dashboard.middlewares=auth”

Middleware auth

- “traefik.http.middlewares.auth.basicauth.usersfile=/etc/traefik/usersfile”
networks:
- traefik_web
networks:
traefik_web:
name: traefik_web
external: true

And my dynamic_mail.yml for Traefik is configured as follows:
… default configurations..
services:
mailcow-acme:
loadBalancer:
servers:
- url: “http://127.0.0.1:8080”
mailcow-frontend:
loadBalancer:
servers:
- url: “http://127.0.0.1:8080”

traefik.yml
entryPoints:
web:
address: “:80”
websecure:
address: “:443”

api:
dashboard: true
insecure: false

accessLog:
filePath: “/var/log/traefik/access.log”
bufferingSize: 100
filters:
statusCodes: [“400-499”, “500-599”]

certificatesResolvers:
letsencrypt:
acme:
email: example..@mail.com
storage: /etc/traefik/acme.json
httpChallenge:
entryPoint: web

providers:
docker:
endpoint: “unix:///var/run/docker.sock”
exposedByDefault: false
file:
filename: /etc/traefik/dynamic_mail.yml
watch: true

log:
level: INFO

When I try to access the service (e.g., mail.domain..), I get a 404 Page Not Found error. Could this be related to the network configuration, the IP/port settings, or something else in my Traefik setup?
Thank you in advance for your help and the amazing work everyone does!

esackbauer

castro nd I’m using a separate Traefik compose file, independent of Mailcow.

Does that mean Traefik runs on another VM/VPS? Regarding network it sounds that you run Traefik and Mailcow on the same host.
I would not mess around with the network configuration - mailcow is changing them during installations and updates (iptables etc).
Assuming you have a firewall in front of your VPS, its better to use the IP address of the VPS host where all services from mailcow are exposed.
So in that case you would only change the HTTP(S)_PORT parameter to not conflict with Traefic, but not the BIND parameter.

castro

Yes, I’m running both Traefik and Mailcow on the same VM, and I have an iptables firewall in front of them. I created the traefik_web network to share with Mailcow. Would it be more stable to do the opposite, i.e., use the Mailcow network in the Traefik configuration instead?

I removed the HTTP_BIND setting from mailcow.conf and updated the dynamic_mail.yml to use the real VM IP with port 8080, but I’m still getting the 404 Page Not Found error. When I use the container name nginx-mailcow:8080 directly in the dynamic_mail.yml, it works, but I’m not sure if this is the correct approach.

esackbauer

CodeShellDev

Hi I am also running Mailcow with traefik, my docker-compose.yml file looks like this:

services:
    nginx-mailcow:
      depends_on:
        - redis-mailcow
        - php-fpm-mailcow
        - sogo-mailcow
        - rspamd-mailcow
      image: ghcr.io/mailcow/nginx:1.03
      dns:
        - ${IPV4_NETWORK:-172.22.1}.254
      environment:
        - HTTPS_PORT=${HTTPS_PORT:-443}
        - HTTP_PORT=${HTTP_PORT:-80}
        - MAILCOW_HOSTNAME=${MAILCOW_HOSTNAME}
        - ADDITIONAL_SERVER_NAMES=${ADDITIONAL_SERVER_NAMES:-}
        - TZ=${TZ}
        - SKIP_SOGO=${SKIP_SOGO:-n}
        - SKIP_RSPAMD=${SKIP_RSPAMD:-n}
        - DISABLE_IPv6=${DISABLE_IPv6:-n}
        - HTTP_REDIRECT=${HTTP_REDIRECT:-n}
        - PHPFPMHOST=${PHPFPMHOST:-}
        - SOGOHOST=${SOGOHOST:-}
        - RSPAMDHOST=${RSPAMDHOST:-}
        - REDISHOST=${REDISHOST:-}
        - IPV4_NETWORK=${IPV4_NETWORK:-172.22.1}
        - NGINX_USE_PROXY_PROTOCOL=${NGINX_USE_PROXY_PROTOCOL:-n}
        - TRUSTED_PROXIES=${TRUSTED_PROXIES:-}
      volumes:
        - ./data/web:/web:ro,z
        - ./data/conf/rspamd/dynmaps:/dynmaps:ro,z
        - ./data/assets/ssl/:/etc/ssl/mail/:ro,z
        - ./data/conf/nginx/:/etc/nginx/conf.d/:z
        - ./data/conf/rspamd/meta_exporter:/meta_exporter:ro,z
        - ./data/conf/dovecot/auth/mailcowauth.php:/mailcowauth/mailcowauth.php:z
        - ./data/web/inc/functions.inc.php:/mailcowauth/functions.inc.php:z
        - ./data/web/inc/functions.auth.inc.php:/mailcowauth/functions.auth.inc.php:z
        - ./data/web/inc/sessions.inc.php:/mailcowauth/sessions.inc.php:z
        - sogo-web-vol-1:/usr/lib/GNUstep/SOGo/
      expose:
        - 8080
      labels:
        - traefik.enable=true
        - traefik.http.routers.nginx-mail-auto.entrypoints=web
        - traefik.http.routers.nginx-mail-auto.rule=(Host(`autodiscover.yourdomain.com`) || Host(`autoconfig.yourdomain.com`)) && (Path(`/mail/config-v1.1.xml`) || Path(`/autodiscover/autodiscover.xml`))
        - traefik.http.routers.nginx-mail-auto.middlewares=https-redirect@file

        - traefik.http.routers.nginx-mail-auto-secure.entrypoints=websecure
        - traefik.http.routers.nginx-mail-auto-secure.tls.certresolver=cloudflare

        - traefik.http.routers.nginx-mailcow-root-secure.entrypoints=websecure
        - traefik.http.routers.nginx-mailcow-root-secure.rule=Host(`mailcow.home.yourdomain.com`) && Path(`/`)
        - traefik.http.routers.nginx-mailcow-root-secure.tls=true
        - traefik.http.routers.nginx-mailcow-root-secure.tls.certresolver=cloudflare
        - traefik.http.routers.nginx-mailcow-root-secure.middlewares=redirect-to-mailcow-admin

        - traefik.http.routers.nginx-mailcow-secure.entrypoints=websecure
        - traefik.http.routers.nginx-mailcow-secure.rule=Host(`mailcow.home.yourdomain.com`) && (PathPrefix(`/admin`) || PathPrefix(`/domainadmin`) || PathPrefix(`/`))
        - traefik.http.routers.nginx-mailcow-secure.tls=true
        - traefik.http.routers.nginx-mailcow-secure.tls.certresolver=cloudflare
        - traefik.http.routers.nginx-mailcow-secure.service=nginx-mailcow

        - traefik.http.routers.nginx-mail-secure-redirect.entrypoints=websecure
        - traefik.http.routers.nginx-mail-secure-redirect.rule=Host(`mail.yourdomain.com`) && (!PathPrefix(`/admin`) && !PathPrefix(`/domainadmin`))
        - traefik.http.routers.nginx-mail-secure-redirect.tls=true
        - traefik.http.routers.nginx-mail-secure-redirect.tls.certresolver=cloudflare
        - traefik.http.routers.nginx-mail-secure.service=nginx-mailcow

        - traefik.http.middlewares.redirect-to-mailcow-admin.redirectregex.regex=^(.*)
        - traefik.http.middlewares.redirect-to-mailcow-admin.redirectregex.replacement=/admin
        - traefik.http.middlewares.redirect-to-mailcow-admin.redirectregex.permanent=true

        - traefik.http.services.nginx-mailcow.loadbalancer.server.port=8080
        - traefik.docker.network=proxy
      restart: always
      networks:
        mailcow-network:
          aliases:
            - nginx
        proxy:

networks:
  proxy:
    external: true

My setup is a bit more complicated, I want admins to use mailcow.home.yourdomain.com, so that everyone outside of LAN can’t access the admin interface.
But essentially you need:

        - traefik.http.routers.nginx-mail-secure-redirect.entrypoints=websecure
        - traefik.http.routers.nginx-mail-secure-redirect.rule=Host(`mail.yourdomain.com`) 
        - traefik.http.routers.nginx-mail-secure-redirect.tls=true
        - traefik.http.routers.nginx-mail-secure-redirect.tls.certresolver=cloudflare
        - traefik.http.routers.nginx-mail-secure.service=nginx-mailcow

        - traefik.http.services.nginx-mailcow.loadbalancer.server.port=8080
        - traefik.docker.network=proxy

And don’t forget to add traefik to your TRUSTED_PROXIES.
Hope this helps a bit

404 Not found, without any styling etc. is most likely traefik, you should maybe if not already done check the traefik logs.

And you will probably need to add:

    certdumper:
      image: ghcr.io/kereis/traefik-certs-dumper:latest
      container_name: traefik_certdumper
      restart: unless-stopped
      network_mode: none
      command: --restart-containers mailcow_postfix-mailcow_1,mailcow_dovecot-mailcow_1
      volumes:
        - /home/xa4/traefik/data/certs:/traefik:ro
        - /var/run/docker.sock:/var/run/docker.sock:ro
        - ./data/assets/ssl:/output:rw
      environment:
        - DOMAIN=yourdomain.com
        - ACME_FILE_PATH=/traefik/cloudflare-acme.json

That mailcow doesn’t use the acme container instead just grab them from traefik.
To disable ssl on mailcow you need to set

# Skip running ACME (acme-mailcow, Let's Encrypt certs) - y/n

SKIP_LETS_ENCRYPT=y

afterglow4

To help make the Traefik documentation clearer, following are my Obsidian documentation ramblings:

The acme-mailcow container retrieves a .well-known text file necessary for the HTTP-01 challenge. This is used to verify the domains you’ve configured in Mailcow.

The nginx-mailcow container serves this .well-known file so Let’s Encrypt can confirm domain ownership during the verification process.

You can continue using the DNS-01 challenge (such as Cloudflare) configured in your Traefik compose.yml for the mailcow-frontend service. This covers your frontend, autoconfig, and autodiscover URLs.

If you use the HTTP-01 challenge (acme-mailcow), ensure you disable Cloudflare’s orange proxy for your root domain. HTTP-01 validation only works on port 80, and Cloudflare’s orange proxy redirects all traffic permanently to port 443, causing Let’s Encrypt validation to fail. Though the orange proxy offers significant benefits like WAF and DDoS protection, it isn’t compatible with HTTP-01 challenges.

You’ll need a simple compose override to enable communication between Traefik and nginx-mailcow:

nginx-mailcow:
  labels:
    - 'traefik.docker.network=traefik_proxy' # 2 networks on container, Traefik needs to know the network to use
  networks:
    traefik_proxy:

networks:
  traefik_proxy:
    external: true

Since I prefer having a WAF protecting my main website, I can’t use the acme-mailcow container, as certificate generation always fails due to its current limitation to HTTP-01 challenges only (see Issue #5435). To overcome this, I will need to use a cert-dumper container, like what @CodeShellDev mentioned above. This will essentially dump the certificates obtained by Traefik (remember it used superior DNS-01 method) inside the ./data/assets/ssl common mount for all mailcow services (especially Postfix and Dovecot). We use a cert-dumper because traefik stores certificates in json and we need real cert.pem/key.pem files.

afterglow4

I’ve had some more time to fiddle around and migrate from traefik dynamic.yml configuration to CLI/labels. The following override essentially does the same thing as mentioned in the document using only the CLI labels:

  nginx-mailcow:
    labels:
      - "traefik.enable=true"
      - 'traefik.docker.network=traefik_proxy'

      # --- ACME HTTP Challenge Router (HTTP only) ---
      - "traefik.http.routers.mailcow-acme.rule=(Host(`mail.example.com`) && PathPrefix(`/.well-known/acme-challenge/`))"
      - "traefik.http.routers.mailcow-acme.entrypoints=web"

      # HTTPS for frontend services
      - "traefik.http.routers.mailcow-frontend.entrypoints=websecure"
      - 'traefik.http.routers.mailcow-frontend.rule=Host(`mail.example.com`) || Host(`autodiscover.example.com`) || Host(`autoconfig.example.com`)'
      - "traefik.http.routers.mailcow-frontend.service=nginx-mailcow"
      - "traefik.http.services.nginx-mailcow.loadbalancer.server.port=8080"
    networks:
        traefik_proxy:
networks:
  traefik_proxy:
    external: true

The entrypoint websecure already has a certificate resolver attached in the traefik container itself.

CodeShellDev

Hi, there I added Labels Config. to the official Traefik Documentation

I‘m not sure the

[unknown] # — ACME HTTP Challenge Router (HTTP only) —
- “traefik.http.routers.mailcow-acme.rule=(Host(mail.example.com) && PathPrefix(/.well-known/acme-challenge/))”
- “traefik.http.routers.mailcow-acme.entrypoints=web”

I‘m not sure this is needed, but I could be wrong…

Sorry linked to the wrong doc… https://docs.mailcow.email/post_installation/reverse-proxy/r_p-traefik3/

afterglow4

Hello, that is only needed if you are not using cert-dumper container rather want to use mailcow ACME container to get certificates for the added domain. Also, it was an apple to apple conversion from the already given dynamic.yml example, especially this block of rule:

    mailcow-autoconfig:
      entryPoints: "websecure"
      rule: "(Host(`autoconfig.domain.com`) && Path(`/autodiscover/autodiscover.xml`))"
      service: mailcow-svc
      tls:
        certResolver: cloudflare