Mailcow behind Traefik (No cert https cert)

amit

Hi,

I am trying to setup the mailcow behind Traefik proxy. But Traefik is unable to recognize the nginx-mailcow container and does not create a certificate. Does someone know how to fix the problem? I also created an issue on github but it was closed there github is used for only bug tracking. So I am attaching the link to the issue for more information on the certificate issue I am facing.

Link to Issue on Github

diekuh

Thanks for moving it here. 🙂

konradw

I got mailcow running for over a year behind traefik without any problems. But I’m still on the 1.7.x version of traefik as I had not found the time to migrate my configuration to v2.x, so configuration for v2.x might differ slightly!
These are my configurations:
The traefik_proxy network has to be added prior starting the containers, of course:
docker network create traefik_proxy
Traefiks docker-compose.yml:

version: '3'

services:
  traefik:
    hostname: traefik
    image: traefik:1.7.24  # The official Traefik docker image
    container_name: traefik
    restart: always
    domainname: mydomain.com
    networks:
      - default
      - traefik_proxy
    ports:
      - "80:80"      # The HTTP port
      - "443:443"      # The HTTPS port
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock  # So that Traefik can listen to the Docker events
      - /opt/traefik/traefik.toml:/traefik.toml
      - /opt/traefik/acme.json:/acme.json
    environment:
      - OVH_ENDPOINT=ovh-eu
      - OVH_APPLICATION_KEY=MY_APPLICATION_KEY
      - OVH_APPLICATION_SECRET=MY_APPLICATION_SECRET
      - OVH_CONSUMER_KEY=MY_CONSUMER_KEY
    labels:
      - "traefik.enable=true"
      - "traefik.backend=traefik:1.7.24"
      - "traefik.frontend.rule=mydomain.com"
      - "traefik.frontend.rule=Host:traefik.mydomain.com"
      - "traefik.port=8081"
      - "traefik.docker.network=traefik_proxy"
      - "traefik.frontend.headers.SSLRedirect=true"
      - "traefik.frontend.headers.STSSeconds=315360000"
      - "traefik.frontend.headers.browserXSSFilter=true"
      - "traefik.frontend.headers.contentTypeNosniff=true"
      - "traefik.frontend.headers.forceSTSHeader=true"
      - "traefik.frontend.headers.SSLHost=mydomain.com"
      - "traefik.frontend.headers.STSIncludeSubdomains=true"
      - "traefik.frontend.headers.STSPreload=true"
      - "traefik.frontend.headers.frameDeny=true"
      - "traefik.frontend.auth.basic.users=admin:PASSWORDHASH"
      - 
networks:
  traefik_proxy:
    external:
      name: traefik_proxy
  default:
    driver: bridge

Traefiks rules.toml:

[frontends]
    [frontends.frontend1.redirect]
      entryPoint = "https"
      regex=^https?://webmail.mydomain.com/(.*)
      replacement=https:/mail.mydomain.com/SOGo/$${1}
      permanent = true
      
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
      regex=^https?://webmail.mydomain.com/(.*)
      replacement=https:/mail.mydomain.com/SOGo/$${1}

Mailcows docker-compose.override.yml:

version: '2.1'

services:
    nginx-mailcow:
      expose:
         - "8080"
      labels:
        - "traefik.enable=true"
        - "traefik.backend=nginx-mailcow"
        - "traefik.frontend.rule=Host:${MAILCOW_HOSTNAME}"
        - "traefik.port=8080"
        - "traefik.docker.network=traefik_proxy"
        - "traefik.frontend.headers.SSLRedirect=true"
        - "traefik.frontend.headers.STSSeconds=315360000"
        - "traefik.frontend.headers.browserXSSFilter=true"
        - "traefik.frontend.headers.contentTypeNosniff=true"
        - "traefik.frontend.headers.forceSTSHeader=true"
        - "traefik.frontend.headers.SSLHost=mydomain.com"
        - "traefik.frontend.headers.STSIncludeSubdomains=true"
        - "traefik.frontend.headers.STSPreload=true"
        - "traefik.frontend.headers.frameDeny=true"
      networks:
        - traefik_proxy

networks:
  traefik_proxy:
    external:
      name: traefik_proxy
  default:
    driver: bridge

Mailcows mailcow.conf:

# ------------------------------
# mailcow web ui configuration
# ------------------------------
# example.org is _not_ a valid hostname, use a fqdn here.
# Default admin user is "admin"
# Default password is "moohoo"
MAILCOW_HOSTNAME=mail.mydomain.com

# ------------------------------
# SQL database configuration
# ------------------------------
DBNAME=mailcow
DBUSER=mailcow

# Please use long, random alphanumeric strings (A-Za-z0-9)
DBPASS=xxx
DBROOT=yyy

# ------------------------------
# HTTP/S Bindings
# ------------------------------

# You should use HTTPS, but in case of SSL offloaded reverse proxies:
HTTP_PORT=8080
HTTP_BIND=127.0.0.1

HTTPS_PORT=8443
HTTPS_BIND=127.0.0.1
#HTTP_PORT=80
#HTTP_BIND=0.0.0.0

#HTTPS_PORT=443
#HTTPS_BIND=0.0.0.0

# ------------------------------
# Other bindings
# ------------------------------
# You should leave that alone
# Format: 11.22.33.44:25 or 0.0.0.0:465 etc.
# Do _not_ use IP:PORT in HTTP(S)_BIND or HTTP(S)_PORT

SMTP_PORT=25
SMTPS_PORT=465
SUBMISSION_PORT=587
IMAP_PORT=143
IMAPS_PORT=993
POP_PORT=110
POPS_PORT=995
SIEVE_PORT=4190
DOVEADM_PORT=127.0.0.1:19991
SQL_PORT=127.0.0.1:13306

# Your timezone
TZ=Europe/Berlin

# Fixed project name
COMPOSE_PROJECT_NAME=mailcowdockerized

# Additional SAN for the certificate
ADDITIONAL_SAN=

# Skip running ACME (acme-mailcow, Let's Encrypt certs) - y/n
SKIP_LETS_ENCRYPT=n

# Skip IPv4 check in ACME container - y/n
SKIP_IP_CHECK=n

# Skip ClamAV (clamd-mailcow) anti-virus (Rspamd will auto-detect a missing ClamAV container) - y/n
SKIP_CLAMD=n

# Enable watchdog (watchdog-mailcow) to restart unhealthy containers (experimental)
USE_WATCHDOG=n
# Send notifications by mail (no DKIM signature, sent from watchdog@MAILCOW_HOSTNAME)
#WATCHDOG_NOTIFY_EMAIL=

# Max log lines per service to keep in Redis logs
LOG_LINES=9999

# Internal IPv4 /24 subnet, format n.n.n. (expands to n.n.n.0/24)
IPV4_NETWORK=172.22.1

# Internal IPv6 subnet in fc00::/7
IPV6_NETWORK=fd4d:6169:6c63:6f77::/64

# Use this IPv4 for outgoing connections (SNAT)
#SNAT_TO_SOURCE=

# Use this IPv6 for outgoing connections (SNAT)
#SNAT6_TO_SOURCE=

# Disable IPv6
# mailcow-network will still be created as IPv6 enabled, all containers will be created
# without IPv6 support.
# Use 1 for disabled, 0 for enabled
SYSCTL_IPV6_DISABLED=0

# Create or override API key for web uI
# You _must_ define API_ALLOW_FROM, which is a comma separated list of IPs
#API_KEY=
#API_ALLOW_FROM=127.0.0.1,1.2.3.4

# Garbage collector cleanup
# Deleted domains and mailboxes are moved to /var/vmail/_garbage/timestamp_sanitizedstring
# How long should objects remain in the garbage until they are being deleted? (value in minutes)
# Check interval is hourly
MAILDIR_GC_TIME=1440
# Set this to "allow" to enable the anyone pseudo user. Disabled by default.
# When enabled, ACL can be created, that apply to "All authenticated users"
# This should probably only be activated on mail hosts, that are used exclusivly by one organisation.
# Otherwise a user might share data with too many other users.
ACL_ANYONE=disallow
# Solr heap size, there is no recommendation, please see Solr docs.
# Solr is a prone to run OOM on large systems and should be monitored. Unmonitored Solr setups are not recommended.
# Solr will refuse to start with total system memory below or equal to 2 GB.
SOLR_HEAP=1024
# Solr is disabled by default after upgrading from non-Solr to Solr-enabled mailcows.
# Disable Solr or if you do not want to store a readable index of your mails in solr-vol-1.
SKIP_SOLR=n
# MAILDIR_SUB defines a path in a users virtual home to keep the maildir in. Leave empty for updated setups.
#MAILDIR_SUB=Maildir
MAILDIR_SUB=
ALLOW_ADMIN_EMAIL_LOGIN=n
SKIP_HTTP_VERIFICATION=n
# Notify about banned IP. Includes whois lookup.
WATCHDOG_NOTIFY_BAN=y
# SOGo session timeout in minutes
SOGO_EXPIRE_SESSION=480
# Create seperate certificates for all domains - y/n
# this will allow adding more than 100 domains, but some email clients will not be able to connect with alternative hostnames
# see https://wiki.dovecot.org/SSL/SNIClientSupport
ENABLE_SSL_SNI=n
# Checks if mailcow is an open relay. Requires a SAL. More checks will follow.
# No data is collected. Opt-in and anonymous.
# Will only work with unmodified mailcow setups.
WATCHDOG_EXTERNAL_CHECKS=n
REDIS_PORT=127.0.0.1:7654

in Mailcows docker-compose.yml I disabled the ports section used by nginx-mailcow:, because I did not knew a way of commenting something out via the override file:

#      ports:
#        - "${HTTPS_BIND:-0.0.0.0}:${HTTPS_PORT:-443}:${HTTPS_PORT:-443}"
#        - "${HTTP_BIND:-0.0.0.0}:${HTTP_PORT:-80}:${HTTP_PORT:-80}"

amit

konradw Thanks very much for posting your working configuration. Actually the labels in Traefik Version 2 are quite different. But I read the documentation extensively and finally able to spot the problem. I made a mistake in assigning the labels.

konradw

amit hey, good to hear it is working on your side. I would really appreciate if you could post your working config for traefik v2.x!

amit

Hi, Happy to share my configurations.

First I commented out ports in mailcow docker-compose.yml (nginx-mailcow service)
I also created the external network called ‘proxy’ (docker network create proxy) beforehand.

      # ports:
      #   - "${HTTPS_BIND:-0.0.0.0}:${HTTPS_PORT:-443}:${HTTPS_PORT:-443}"
      #   - "${HTTP_BIND:-0.0.0.0}:${HTTP_PORT:-80}:${HTTP_PORT:-80}"

Second I created docker-compose.override.yml for mailcow with the following contents:

version: '2.1'

services:
  nginx-mailcow:
    expose:
      - "8080"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.nginx-mailcow.rule=HostRegexp(`{host:(autodiscover|autoconfig|webmail|mail|email).+}`)"
      - "traefik.http.middlewares.nginx-mailcow-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.nginx-mailcow.middlewares=nginx-mailcow-https-redirect"
      - "traefik.http.routers.nginx-mailcow.entrypoints=https"
      - "traefik.http.routers.nginx-mailcow.rule=Host(`mail.example.com`)"
      - "traefik.http.routers.nginx-mailcow.tls=true"
      - "traefik.http.routers.nginx-mailcow.tls.certresolver=http"
      - "traefik.http.routers.nginx-mailcow.service=nginx-mailcow"
      - "traefik.http.services.nginx-mailcow.loadbalancer.server.port=8080"
      - "traefik.docker.network=proxy"
    networks:
      proxy:


  certdumper:
      image: humenius/traefik-certs-dumper
      container_name: traefik_certdumper
      network_mode: none
      command: --restart-containers mailcowdockerized_postfix-mailcow_1,mailcowdockerized_dovecot-mailcow_1
      volumes:
        # mount the folder which contains Traefik's `acme.json' file
        #   in this case Traefik is started from its own docker-compose in ../traefik
        - /opt/containers/traefik/data:/traefik:ro
        # mount mailcow's SSL folder
        - /var/run/docker.sock:/var/run/docker.sock:ro
        - ./data/assets/ssl:/output:rw
      environment:
        # only change this, if you're using another domain for mailcow's web frontend compared to the standard config
        #- DOMAIN=${MAILCOW_HOSTNAME}
        - DOMAIN=example.com

networks:
  proxy:
    external: true

The contents of my Traefik docker-compose.yml:

version: '3'

services:
  traefik:
    image: traefik:v2.1
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    ports:
      - 80:80
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./data/traefik.yml:/traefik.yml:ro
      - ./data/acme.json:/acme.json
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik.example.com`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=user:pass"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.example.com`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=http"
      - "traefik.http.routers.traefik-secure.service=api@internal"

networks:
  proxy:
    external: true

Contents of my traefik.yml (I used yml instead of toml format)

api:
    dashboard: true
  
entryPoints:
    http:
        address: ":80"
    https:
        address: ":443"

providers:
    docker:
        endpoint: "unix:///var/run/docker.sock"
        exposedByDefault: false

certificatesResolvers:
    http:
        acme:
            email: me@email.com
            storage: acme.json
            httpChallenge:
                entryPoint: http

I hope this helps. Please let me know if you have questions.

vonAlenberg

Even after reading your post / config I’m not able to get it running, so maybe someone can help me here?
The biggest diffeerence I feel is that I use a global HTTPS redirect.

docker-compose.override.yml
version: '2.1'

services:
    nginx-mailcow:
      expose:
         - "80"
      labels:
         - "traefik.http.routers.nginx-mailcow.rule=HostRegexp(`{host:(autodiscover|autoconfig|webmail|mail|email).+}`)"
         - "traefik.hhtp.routers.nginx-mailcow.rule=Host(`${MAILCOW_HOSTNAME}`)"
         - "traefik.http.routers.nginx-mailcow.tls=true"
         - "traefik.http.routers.nginx-mailcow.tls.certresolver=le"
         - "traefik.http.routers.nginx-mailcow.entrypoints=https"
         - "traefik.http.routers.nginx-mailcow.service=nginx-mailcow"         
         - "traefik.http.services.nginx-mailcow.loadbalancer.server.port=80"
         - "traefik.docker.network=external"
      networks:
        external:

    certdumper:
        image: humenius/traefik-certs-dumper
        container_name: traefik_certdumper
        network_mode: none
        command: --restart-containers mailcowdockerized_postfix-mailcow_1,mailcowdockerized_dovecot-mailcow_1
        volumes:
          # mount the folder which contains Traefik's `acme.json' file
          #   in this case Traefik is started from its own docker-compose in ../traefik
          - ${DOCKERDIR}/traefik/letsencrypt:/traefik:ro
          # mount mailcow's SSL folder
          - /var/run/docker.sock:/var/run/docker.sock:ro
          - ./data/assets/ssl:/output:rw
        environment:
          # only change this, if you're using another domain for mailcow's web frontend compared to the standard config
          - DOMAIN=${DOMAIN_JS}

networks:
  external:
    external: true

traefik.yml
version: "3"

networks:
  external:
    external : true

services:
  traefik:
    container_name: traefik
    restart: always
    image: traefik:latest
    ports:
      # Web
      - 80:80
      - 443:443
      - 8080:8080
    environment:
      - CLOUDFLARE_EMAIL=${CF_API_EMAIL}
      - CLOUDFLARE_API_KEY=${CF_API_KEY}
      - CF_DNS_API_TOKEN=${CF_DNS_API_TOKEN}
      - CF_ZONE_API_TOKEN=${CF_ZONE_API_TOKEN}
    volumes:
      - ${DOCKERDIR}/traefik/letsencrypt/:/letsencrypt:rw
      - /var/run/docker.sock:/var/run/docker.sock:ro
    command:
      # All entrypoints
      - --entrypoints.http.address=:80
      - --entrypoints.https.address=:443
      - --entrypoints.vnc-code.address=:9001
      # Docker provider
      - --providers.docker.exposedByDefault=true
      - --providers.docker.endpoint=unix:///var/run/docker.sock
      - --providers.docker.network=external
      # Use of API
      - --api
      # Better logging
      - --log.level=DEBUG
      # Creating LE certs
#      - --certificatesResolvers.le.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory
      - --certificatesResolvers.le.acme.email=${LE_MAIL}
      - --certificatesResolvers.le.acme.storage=letsencrypt/acme.json
      - --certificatesResolvers.le.acme.dnschallenge=true
      - --certificatesResolvers.le.acme.dnsChallenge.provider=cloudflare
      - --certificatesResolvers.le.acme.dnsChallenge.delayBeforeCheck=0
      # No SSL communication between traefik <-> apps
#      - --serverstransport.insecureskipverify=true
    labels:
      # Middleware for http redirect
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      - "traefik.http.routers.redirs.rule=hostregexp(`{host:.+}`)"
      - "traefik.http.routers.redirs.entrypoints=http"
      - "traefik.http.routers.redirs.middlewares=redirect-to-https"
      # Traefik dashboard available
      - "traefik.http.routers.traefik.rule=Host(`traefik.${DOMAIN_JS}`)"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.routers.traefik.tls.certresolver=le"
      - "traefik.http.routers.traefik.entrypoints=https"
      - "traefik.http.routers.traefik.middlewares=sts_headers"
      # Set STS-header for security
      - "traefik.http.middlewares.sts_headers.headers.stsSeconds=15552000"
      - "traefik.http.middlewares.sts_headers.headers.stsIncludeSubdomains=True"
      - "traefik.http.middlewares.sts_headers.headers.stsPreload=true"
      # CalDAV / CardDAV discovery
      - "traefik.http.middlewares.dav_discovery.replacepathregex.regex=^/.well-known/(card|cal)dav"
      - "traefik.http.middlewares.dav_discovery.replacepathregex.replacement=/remote.php/dav/"
      # Webfinger discovery
      - "traefik.http.middlewares.webfinger.replacepathregex.regex=^/.well-known/webfinger"
      - "traefik.http.middlewares.webfinger.replacepathregex.replacement=/public.php?service=webfinger"
    networks:
      - external

Thanks in advance guys!

hlippke

Just a side note: when I migrated to Traefik v2 is fell into the pitfall which is the difference between static and dynamic configurations. Depending on what you observe make sure you configure in the right places, as dynamic configuration options in the static configuration sections are parsed but not applied - so they throw lots of errors when wrong and just nothing happens when they are right but in the wrong place.
So I split the configuration in a static traefik.yml and multiple dynamic conf yml’s in a seperate folder for frontends, services and middlewares.
Maybe this helps.

amit

I added the solution on Stackoverflow here: Link

diekuh

Guys, whatever you work out in this thread, please post it to the docs, once it is working. 😃 🙂 Thank you!!!

amit

@diekuh I helped another person in resolving the similiar issue per email. So if it works for @hlippke and @vonAlenberg then I would agree to adapt the documentation. I certainly see the need to update the Traefik part of the documentation.

hlippke

My comment was just a general note. My Traefik setup was for a different service, and I just wanted to share that Traefik2 now distinguishes static and dynamic configuration.