"No mailbox selected" in SOGo after enabling PROXY_PROTOCOL=y

logxen

I have an nginx reverse proxy set up in front of my mailcow server. In order to get mailcow working and be able to see the real sending server IPs (and not have everything appear to be sent from the proxy server) I had to enable PROXY_PROTOCOL in my mailcow.conf. Now external clients can connect and operate just fine but the SOGo server is no longer able to connect to dovecot.

Here is the SOGo log when I attempt to log in (I have masked my public IP as 66.66.66.66 and email as email@domain.com):

sogo-mailcow-1  | Jan 27 11:10:54 436facba235b sogod [89]: 66.66.66.66 "GET /SOGo/so/email@domain.com/Mail/view HTTP/1.0" 200 109686/0 0.187 - - 3M - 11
sogo-mailcow-1  | Jan 27 11:10:54 436facba235b sogod [88]: <0x0x5bb3b67b8cf0[SOGoWebDAVAclManager]> entry '{DAV:}write' already exists in DAV permissions table
sogo-mailcow-1  | Jan 27 11:10:54 436facba235b sogod [88]: <0x0x5bb3b67b8cf0[SOGoWebDAVAclManager]> entry '{DAV:}write-properties' already exists in DAV permissions table
sogo-mailcow-1  | Jan 27 11:10:54 436facba235b sogod [88]: <0x0x5bb3b67b8cf0[SOGoWebDAVAclManager]> entry '{DAV:}write-content' already exists in DAV permissions table
sogo-mailcow-1  | Jan 27 11:10:54 436facba235b sogod [88]: 66.66.66.66 "GET /SOGo/so/email@domain.com/Calendar/alarmslist?browserTime=1769541052 HTTP/1.0" 200 60/0 0.025 - - 512K - 13
sogo-mailcow-1  | Jan 27 11:10:57 436facba235b sogod[86:86] ERROR(-[NSException(NGMiscellaneous) initWithFormat:]): missing format!
sogo-mailcow-1  | Jan 27 11:10:57 436facba235b sogod [86]: <0x0x5bb3b67efa50[NGImap4Client]> ERROR(-[NGImap4Client _processUnknownCommandParserException:]): catched non-IMAP4 parsing exception NGSocketException: NGActiveSocket is not open
sogo-mailcow-1  | Jan 27 11:10:57 436facba235b sogod [86]: [ERROR] <0x0x5bb3b6b32520[NGImap4ConnectionManager]> IMAP4 login failed:
sogo-mailcow-1  | Jan 27 19:10:57 436facba235b host=172.22.1.250, user=email@domain.com, pwd=yes
sogo-mailcow-1  | Jan 27 19:10:57 436facba235b url=imap://email%40domain.com@172.22.1.250/?tls=NO&tlsVerifyMode=none
sogo-mailcow-1  | Jan 27 19:10:57 436facba235b base=(null)
sogo-mailcow-1  | Jan 27 19:10:57 436facba235b base-class=(null))
sogo-mailcow-1  | Jan 27 19:10:57 436facba235b = <0x0x5bb3b67efa50[NGImap4Client]: login=email@domain.com(pwd) socket=<NGActiveSocket[0x0x5bb3b6b23720]: mode=<closed> address=<0x0x5bb3b6b23790[NGInternetSocketAddress]: host=436facba235b port=39968>>>
sogo-mailcow-1  | Jan 27 11:10:57 436facba235b sogod [86]: <0x5bb3b690d570[SOGoMailAccount]:0> renewing imap4 password
sogo-mailcow-1  | Jan 27 11:10:57 436facba235b sogod [86]: [ERROR] <0x5bb3b690d570[SOGoMailAccount]:0> no IMAP4 password available
sogo-mailcow-1  | Jan 27 11:10:57 436facba235b sogod [86]: [ERROR] <0x5bb3b690d570[SOGoMailAccount]:0> Could not connect IMAP4
sogo-mailcow-1  | Jan 27 11:10:57 436facba235b sogod[81:81] ERROR(-[NSException(NGMiscellaneous) initWithFormat:]): missing format!
sogo-mailcow-1  | Jan 27 11:10:57 436facba235b sogod [81]: <0x0x5bb3b6851b90[NGImap4Client]> ERROR(-[NGImap4Client _processUnknownCommandParserException:]): catched non-IMAP4 parsing exception NGSocketException: NGActiveSocket is not open
sogo-mailcow-1  | Jan 27 11:10:57 436facba235b sogod [81]: [ERROR] <0x0x5bb3b6b6f070[NGImap4ConnectionManager]> IMAP4 login failed:
sogo-mailcow-1  | Jan 27 19:10:57 436facba235b host=172.22.1.250, user=email@domain.com, pwd=yes
sogo-mailcow-1  | Jan 27 19:10:57 436facba235b url=imap://email%40domain.com@172.22.1.250/?tls=NO&tlsVerifyMode=none
sogo-mailcow-1  | Jan 27 19:10:57 436facba235b base=(null)
sogo-mailcow-1  | Jan 27 19:10:57 436facba235b base-class=(null))
sogo-mailcow-1  | Jan 27 19:10:57 436facba235b = <0x0x5bb3b6851b90[NGImap4Client]: login=email@domain.com(pwd) socket=<NGActiveSocket[0x0x5bb3b6b797b0]: mode=<closed> address=<0x0x5bb3b6b79820[NGInternetSocketAddress]: host=436facba235b port=39980>>>
sogo-mailcow-1  | Jan 27 11:10:57 436facba235b sogod [81]: <0x5bb3b6b3a6e0[SOGoMailAccount]:0> renewing imap4 password
sogo-mailcow-1  | Jan 27 11:10:57 436facba235b sogod [81]: [ERROR] <0x5bb3b6b3a6e0[SOGoMailAccount]:0> no IMAP4 password available
sogo-mailcow-1  | Jan 27 11:10:57 436facba235b sogod [81]: [ERROR] <0x5bb3b6b3a6e0[SOGoMailAccount]:0> Could not connect IMAP4
sogo-mailcow-1  | Jan 27 11:10:57 436facba235b sogod [86]: 66.66.66.66 "GET /SOGo/so/email@domain.com/Mail/0/view HTTP/1.0" 200 16/0 3.056 - - 0 - 11
sogo-mailcow-1  | Jan 27 11:10:57 436facba235b sogod [81]: 66.66.66.66 "POST /SOGo/so/email@domain.com/Mail/0/folderINBOX/changes HTTP/1.0" 200 18/126 3.059 - - 1M - 12
sogo-mailcow-1  | Jan 27 11:11:00 436facba235b sogod[81:81] ERROR(-[NSException(NGMiscellaneous) initWithFormat:]): missing format!
sogo-mailcow-1  | Jan 27 11:11:00 436facba235b sogod [81]: <0x0x5bb3b682e570[NGImap4Client]> ERROR(-[NGImap4Client _processUnknownCommandParserException:]): catched non-IMAP4 parsing exception NGSocketException: NGActiveSocket is not open
sogo-mailcow-1  | Jan 27 11:11:00 436facba235b sogod [81]: [ERROR] <0x0x5bb3b6b6f070[NGImap4ConnectionManager]> IMAP4 login failed:
sogo-mailcow-1  | Jan 27 19:11:00 436facba235b host=172.22.1.250, user=email@domain.com, pwd=yes
sogo-mailcow-1  | Jan 27 19:11:00 436facba235b url=imap://email%40domain.com@172.22.1.250/?tls=NO&tlsVerifyMode=none
sogo-mailcow-1  | Jan 27 19:11:00 436facba235b base=(null)
sogo-mailcow-1  | Jan 27 19:11:00 436facba235b base-class=(null))
sogo-mailcow-1  | Jan 27 19:11:00 436facba235b = <0x0x5bb3b682e570[NGImap4Client]: login=email@domain.com(pwd) socket=<NGActiveSocket[0x0x5bb3b6b49cc0]: mode=<closed> address=<0x0x5bb3b6b49d30[NGInternetSocketAddress]: host=436facba235b port=38946>>>
sogo-mailcow-1  | Jan 27 11:11:00 436facba235b sogod [81]: <0x5bb3b63ed170[SOGoMailAccount]:0> renewing imap4 password
sogo-mailcow-1  | Jan 27 11:11:00 436facba235b sogod [81]: [ERROR] <0x5bb3b63ed170[SOGoMailAccount]:0> no IMAP4 password available
sogo-mailcow-1  | Jan 27 11:11:00 436facba235b sogod [81]: [ERROR] <0x5bb3b63ed170[SOGoMailAccount]:0> Could not connect IMAP4

When I try to log in to SOGo the dovecot log shows:

dovecot-mailcow-1  | Jan 27 19:17:19 33cf799c9a13 dovecot: imap-login: Error: haproxy: Client timed out (rip=172.22.1.248)
dovecot-mailcow-1  | Jan 27 19:17:19 33cf799c9a13 dovecot: imap-login: Error: haproxy: Client timed out (rip=172.22.1.248)
dovecot-mailcow-1  | Jan 27 19:17:22 33cf799c9a13 dovecot: imap-login: Error: haproxy: Client timed out (rip=172.22.1.248)

Here is the output of iptables -L -vn -t nat (which helped identify the problem in other cases I have seen online but I don’t seem to have the conflicting POSTROUTING line from those cases):

Chain PREROUTING (policy ACCEPT 934K packets, 72M bytes)
 pkts bytes target     prot opt in     out     source               destination
32015 1921K DOCKER     0    --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 21693 packets, 2465K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER     0    --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 507K packets, 33M bytes)
 pkts bytes target     prot opt in     out     source               destination
 4596  358K MASQUERADE  0    --  *      !br-mailcow  172.22.1.0/24        0.0.0.0/0
    0     0 MASQUERADE  0    --  *      !docker0  172.17.0.0/16        0.0.0.0/0

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:7654 to:172.22.1.249:6379
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:13306 to:172.22.1.5:3306
    9   540 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25 to:172.22.1.253:10025
    3   180 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:465 to:172.22.1.253:10465
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:587 to:172.22.1.253:10587
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:172.22.1.11:80
  229 13740 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:172.22.1.11:443
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:110 to:172.22.1.250:110
    4   240 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:143 to:172.22.1.250:143
    4   240 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:993 to:172.22.1.250:993
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:995 to:172.22.1.250:995
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:4190 to:172.22.1.250:4190
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:19991 to:172.22.1.250:12345

I think what is going on is that dovecot now expects proxy headers but SOGo is connecting directly to dovecot’s container IP and so there are no proxy headers. I have tried making a side port at 11143 that has haproxy set to off but I have not figured out how to get SOGo to connect to the alternate port. The google ai suggested adding a SOGoIMAPServer value to sogo.conf but that didn’t seem to do anything.

Let me know if there’s any more information I can provide. Thanks in advance! 🙂

ETNyx

Well this I never done whit MC, but my guess is to make new dovecot listener something like this in extra.conf

service imap-login {
  inet_listener imap-internal {
    port = 10143
    haproxy = no
  }
}

and force Sogo to use it change bootstrap-sogo.sh

<string>imap://${IPV4_NETWORK}.250:10143/?TLS=YES&amp;tlsVerifyMode=none</string>

So since this is not part of config you I would suggest to make yourself a fork,…

PS: Or mayby other way around so you do not need to change bootstrap-sogo.sh may work,… internet -> 143 Proxy 10143 -> new Dovecot listener

logxen

yeah that’s basically what I tried but I couldn’t figure out how to redirect SOGo to the new port.

I think doing it the other way around might work though… I’ll give that a go.