From b5dc7ed8c1e1a3909d64e102501d81fda2cf2861 Mon Sep 17 00:00:00 2001
From: Frederic Werner <20406381+wernerfred@users.noreply.github.com>
Date: Sun, 24 Jan 2021 17:09:12 +0100
Subject: [PATCH] Add section to use mailserver with proxy protocol

---
 .../tutorials/installation-examples.md        | 114 +++++++++++++++++-
 1 file changed, 113 insertions(+), 1 deletion(-)

diff --git a/docs/content/tutorials/installation-examples.md b/docs/content/tutorials/installation-examples.md
index b84447fa..2c8310bb 100644
--- a/docs/content/tutorials/installation-examples.md
+++ b/docs/content/tutorials/installation-examples.md
@@ -154,4 +154,116 @@ We are going to use this docker based mailserver:
   - **SMTP hosts**: `mail.example.org:465`
   - **SMTP security**: `SSL`
   - **SMTP username**: `info@example.org`
-  - **SMTP password**: `passwd123`
\ No newline at end of file
+  - **SMTP password**: `passwd123`
+
+## Using docker-mailserver behind proxy
+### Information
+If you are hiding your container behind a proxy service you might have discovered that the proxied requests from now on contain the proxy IP as the request origin. Whilst this behavior is technical correct it produces certain problems on the containers behind the proxy as they cannot distinguish the real origin of the requests anymore.
+
+To solve this problem on TCP connections we can make use of the [proxy protocol](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt). Compared to other workarounds that exist (`X-Forwarded-For` which only works for HTTP requests or `Tproxy` that requires you to recompile your kernel the proxy protocol:
+- it is protocol agnostic (can work with any layer 7 protocols, even when encrypted).
+- it does not require any infrastructure changes
+- nat-ing firewalls have no impact it
+- it is scalable
+The is only one condition: **both endpoints** of the connection MUST be compatible with proxy protocol.
+
+Luckily `dovecot` and `postfix` are both Proxy-Protocol ready softwares so it depends only on your used reverse-proxy/loadbalancer.
+
+### Configuration of the used proxy software
+
+The configuration depends on the used proxy system. I will provide the configuration examples of [traefik v2](https://traefik.io/) using IMAP and SMTP with implicit TLS. Feel free to add your configuration if you achived the same goal using different proxy software below:
+
+<details>
+  <summary>traefik v2</summary>
+
+  Truncated configuration of traefik itself:
+```
+version: '3.7'
+services:
+  reverse-proxy:
+    image: traefik:v2.4
+    container_name: docker-traefik
+    restart: always
+    command:
+      - "--providers.docker"
+      - "--providers.docker.exposedbydefault=false"
+      - "--providers.docker.network=proxy"
+      - "--entrypoints.web.address=:80"
+      - "--entryPoints.websecure.address=:443"
+      - "--entryPoints.smtp.address=:25"
+      - "--entryPoints.smtp-ssl.address=:465"
+      - "--entryPoints.imap-ssl.address=:993"
+      - "--entryPoints.sieve.address=:4190"
+    ports:
+      - "25:25"
+      - "465:465"
+      - "993:993"
+      - "4190:4190"
+[...]
+```
+
+Truncated list of neccessary labels on the mailserver container:
+
+```
+version: '2'
+services:
+  mail:
+    image: tvial/docker-mailserver:release-v7.2.0
+    restart: always
+    networks:
+      - proxy
+    labels:
+      - "traefik.enable=true"
+      - "traefik.tcp.routers.smtp.rule=HostSNI(`*`)"
+      - "traefik.tcp.routers.smtp.entrypoints=smtp"
+      - "traefik.tcp.routers.smtp.service=smtp"
+      - "traefik.tcp.services.smtp.loadbalancer.server.port=25"
+      - "traefik.tcp.services.smtp.loadbalancer.proxyProtocol.version=1"
+      - "traefik.tcp.routers.smtp-ssl.rule=HostSNI(`*`)"
+      - "traefik.tcp.routers.smtp-ssl.entrypoints=smtp-ssl"
+      - "traefik.tcp.routers.smtp-ssl.service=smtp-ssl"
+      - "traefik.tcp.services.smtp-ssl.loadbalancer.server.port=465"
+      - "traefik.tcp.services.smtp-ssl.loadbalancer.proxyProtocol.version=1"
+      - "traefik.tcp.routers.imap-ssl.rule=HostSNI(`*`)"
+      - "traefik.tcp.routers.imap-ssl.entrypoints=imap-ssl"
+      - "traefik.tcp.routers.imap-ssl.service=imap-ssl"
+      - "traefik.tcp.services.imap-ssl.loadbalancer.server.port=10993"
+      - "traefik.tcp.services.imap-ssl.loadbalancer.proxyProtocol.version=2"
+      - "traefik.tcp.routers.sieve.rule=HostSNI(`*`)"
+      - "traefik.tcp.routers.sieve.entrypoints=sieve"
+      - "traefik.tcp.routers.sieve.service=sieve"
+      - "traefik.tcp.services.sieve.loadbalancer.server.port=4190"
+[...]
+```
+Keep in mind that it is neccessary to use port `10993` here. More information below at `dovecot` configuration.
+
+</details>
+
+### Configuration of the backend (`dovecot` and `postfix`)
+
+The following changes can be achived completely by adding the content to the appropriate files by using the projects [function to overwrite config files](https://github.com/docker-mailserver/docker-mailserver/wiki/List-of-optional-config-files-&-directories).
+
+Changes for `postfix` can be applied by adding the following content to `config/postfix-main.cf`:
+```
+postscreen_upstream_proxy_protocol = haproxy
+```
+
+and to `config/postfix-master.cd`:
+```
+submission/inet/smtpd_upstream_proxy_protocol=haproxy
+smtps/inet/smtpd_upstream_proxy_protocol=haproxy
+```
+
+Changes for `dovecot` can be applied by adding the following content to `config/dovecot.cf`:
+```
+haproxy_trusted_networks = <your-proxy-ip>, <optional-cidr-notation>
+haproxy_timeout = 3 secs
+service imap-login {
+  inet_listener imaps {
+    haproxy = yes
+    ssl = yes
+    port = 10993
+  }
+}
+```
+Note that port `10993` is used here to avoid conflicts with internal systems like `postscreen` and `amavis` as they will exchange messages on the default port and obviously have a different origin then compared to the proxy.
\ No newline at end of file