Complex "puzzle"; I suspect it needs configuration in both the DMS and Roundcube containers. The Caddy container appears to be doing its part: delivering
X-Real-IP and
X-Forwarded-For to Roundcube.
The problem occurs when someone tries to log in to Roundcube... After three failed attempts, fail2ban on Docker Mailserver blocks the Docker gateway, 172.18.0.1; from then on nobody can log in to Roundcube until the ban expires (every webmail login reaches DMS from that one gateway address). I would like to pin down/understand the right configuration rather than circumvent/disable fail2ban.
After two days of intense research, I suspect that the solution may involve:
- "$config['use_https'] = true;" and "$config['proxy_whitelist'] = ['172.18.0.0/16'];" on Roundcube
- "login_trusted_networks = 172.18.0.0/16" on Dovecot
I have tried so many things that I got lost in the problem...
external IP | Linux Server with Containers
----------------------------------------------------------------
(172.18.0.2)
|- 80 -|
|-| |--- Caddy ---|
| |- 443 -| | (172.18.0.6)
| | | |
| |- 80 -|--- Roundcube ---|
20.112.52.29 -| | | |
| |
| (172.18.0.6) |
| |- 25 -| | |
| |- 143 -| | |
|-|- 465 -|--- DMS ---|---------------|
|- 587 -| |
|- 993 -| |
----------------------------------------------------------------
external IP | Linux Server with Containers
Caddyfile block for Roundcube:
webmail.mydomain.net {
	# Roundcube is reached by container name over the shared Docker network; TLS terminates here.
	reverse_proxy http://roundcube:80 {
		# reverse_proxy adds X-Forwarded-For on its own; X-Real-IP has to be set explicitly.
		# NOTE(review): {remote_host} is the TCP peer of this Caddy instance. If anything
		# (e.g. a CDN) proxies in front of this host, this is the proxy's IP unless
		# trusted_proxies is configured — confirm before relying on it for banning.
		header_up X-Real-IP {remote_host}
	}
}
Any ideas/suggestions are welcome.
One year ago I tried to solve this problem, but despite some help/ideas I could not figure out how to do it.
https://github.com/orgs/docker-mailserver/discussions/2603 Instead of resurrecting that old discussion, I thought it would be better to start a new topic.
---
# Caddy / docker-compose.yml
version: "3.9"
services:
  caddy:
    # Custom build carrying the Cloudflare DNS module, pinned to an explicit Caddy version.
    image: caddy-with-cloudflare:2.6.4
    hostname: caddy
    container_name: caddy
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
      - "443:443/udp"  # UDP 443 is used for HTTP/3 (QUIC)
    volumes:
      - $PWD/Caddyfile:/etc/caddy/Caddyfile
      - $PWD/srv:/srv
      # NOTE(review): /data holds Caddy's ACME state, including the private keys.
      # The OpenLDAP and DMS compose files bind-mount this volume's host path
      # (/var/lib/docker/volumes/caddy_data/_data/...) to reuse the certificates,
      # so those containers read the same key material and depend on Docker's
      # internal volume layout.
      - data:/data
      - config:/config
volumes:
  data:
  config:
networks:
  # Pre-existing shared network; every service attached to it is reachable by name.
  default:
    name: caddy_net
    external: true
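# OpenLDAP & phpLDAPadmin / docker-compose.yml
version: "3.9"
services:
  openldap:
    # NOTE(review): "latest" is a mutable tag; pin a version (or a digest) so the
    # directory server does not change underneath you on the next pull.
    image: osixia/openldap:latest
    container_name: openldap
    hostname: ldap
    domainname: mydomain.net
    restart: unless-stopped
    ports:
      #- "389:389"
      # NOTE(review): this publishes LDAPS on every host interface, i.e. to the
      # internet, and 636 does not appear in the network diagram. DMS and
      # phpLDAPadmin reach this container over caddy_net by the name "ldap", so
      # the mapping is only needed for external clients; drop it, or bind it to
      # one interface ("127.0.0.1:636:636"), if there are none.
      - "636:636"
    volumes:
      - config:/etc/ldap/slapd.d
      - data:/var/lib/ldap
      # Certificate and key issued by Caddy, read straight out of Caddy's volume on the host.
      - /var/lib/docker/volumes/caddy_data/_data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/ldap.mydomain.net:/container/service/slapd/assets/certs
    environment:
      # Numeric and boolean-looking values are quoted so YAML hands them to the image as strings.
      LDAP_LOG_LEVEL: "256"
      LDAP_ORGANISATION: MYDOMAIN Net
      LDAP_DOMAIN: mydomain.net
      # Empty on purpose so the image derives the base DN from LDAP_DOMAIN.
      # A bare `LDAP_BASE_DN:` is YAML null, which Compose treats as "inherit the
      # variable from the host environment", not as an empty value.
      LDAP_BASE_DN: ""
      # Secrets are read from the environment / a .env file instead of being
      # committed here; `:?` makes Compose fail loudly when they are unset.
      LDAP_ADMIN_PASSWORD: "${LDAP_ADMIN_PASSWORD:?set LDAP_ADMIN_PASSWORD in .env}"
      LDAP_CONFIG_PASSWORD: "${LDAP_CONFIG_PASSWORD:?set LDAP_CONFIG_PASSWORD in .env}"
      # NOTE(review): the mail stack binds as cn=admin (full write access) for
      # lookups and authentication. Enabling this read-only account and pointing
      # DMS's LDAP_BIND_DN / SASLAUTHD_LDAP_BIND_DN at it is the least-privilege setup.
      LDAP_READONLY_USER: "false"
      #LDAP_READONLY_USER_USERNAME: readonly
      #LDAP_READONLY_USER_PASSWORD: readonly
      LDAP_RFC2307BIS_SCHEMA: "true"
      LDAP_BACKEND: mdb
      LDAP_TLS: "true"
      LDAP_TLS_CRT_FILENAME: ldap.mydomain.net.crt
      LDAP_TLS_KEY_FILENAME: ldap.mydomain.net.key
      # Same file as the server certificate; assumes Caddy wrote the full chain
      # into the .crt so it can double as the CA bundle — TODO confirm.
      LDAP_TLS_CA_CRT_FILENAME: ldap.mydomain.net.crt
      #LDAP_TLS_DH_PARAM_FILENAME: dhparam.pem
      # NOTE(review): plaintext LDAP is still accepted. DMS sets LDAP_START_TLS=yes
      # for Postfix/Dovecot, but nothing in the DMS file enables TLS for saslauthd,
      # so that bind presumably crosses the bridge network unencrypted. Turn on
      # STARTTLS for saslauthd first, then flip this to "true".
      LDAP_TLS_ENFORCE: "false"
      LDAP_TLS_CIPHER_SUITE: NORMAL:SECURE256:-VERS-SSL3.0
      LDAP_TLS_VERIFY_CLIENT: try
      LDAP_REPLICATION: "false"
      KEEP_EXISTING_CONFIG: "false"
      LDAP_REMOVE_CONFIG_AFTER_SETUP: "true"
      LDAP_SSL_HELPER_PREFIX: ldap
      # NOTE(review): runs slapd as root inside the container. If this is only
      # here because the bind-mounted key is root-owned, fixing ownership on the
      # host and using the image's default user is the safer option.
      LDAP_OPENLDAP_UID: "0"
      LDAP_OPENLDAP_GID: "0"
    tty: true
    stdin_open: true
  phpldapadmin:
    # NOTE(review): unpinned tag; pin it like the other images.
    image: osixia/phpldapadmin:latest
    container_name: phpldapadmin
    hostname: phpldapadmin
    restart: unless-stopped
    # No published port: the UI is only reachable from caddy_net (presumably via
    # a Caddy reverse_proxy block not shown here), which is why plain HTTP inside
    # the bridge network is acceptable.
    #ports:
    # - "8080:80"
    volumes:
      - phpldapadmin:/var/www/phpldapadmin
    environment:
      PHPLDAPADMIN_LDAP_HOSTS: ldap
      PHPLDAPADMIN_HTTPS: "false"
    depends_on:
      - openldap
volumes:
  config:
  data:
  phpldapadmin:
networks:
  default:
    name: caddy_net
    external: true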
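# Docker Mailserver / docker-compose.yml
version: "3.9"
services:
  mailserver:
    image: ghcr.io/docker-mailserver/docker-mailserver:12.0.0
    container_name: dms
    hostname: mail
    domainname: mydomain.net
    ports:
      - "25:25"     # SMTP (explicit TLS => STARTTLS)
      - "143:143"   # IMAP4 (explicit TLS => STARTTLS)
      - "465:465"   # ESMTP (implicit TLS)
      - "587:587"   # ESMTP (explicit TLS => STARTTLS)
      - "993:993"   # IMAP4 (implicit TLS)
      # NOTE(review): ManageSieve is published on every host interface but is not
      # in the network diagram. If only Roundcube (on caddy_net) needs it, drop the
      # mapping or bind it to one interface.
      - "4190:4190" # Managesieve
    volumes:
      - $PWD/config/:/tmp/docker-mailserver/
      - $PWD/mail-data/:/var/mail/
      - $PWD/mail-logs/:/var/log/mail/
      - $PWD/mail-state/:/var/mail-state/
      - /etc/localtime:/etc/localtime:ro
      # Certificates issued by Caddy, read (read-only) from Caddy's volume on the host.
      - /var/lib/docker/volumes/caddy_data/_data/caddy/certificates/acme-v02.api.letsencrypt.org-directory:/tmp/dms/custom-certs/:ro
    environment:
      - OVERRIDE_HOSTNAME=mail.mydomain.net
      - LOG_LEVEL=info
      - ACCOUNT_PROVISIONER=LDAP
      - TZ=America/Sao_Paulo
      - SPOOF_PROTECTION=1
      - ENABLE_POLICYD_SPF=0
      - ENABLE_CLAMAV=1
      # NOTE(review): rspamd, SpamAssassin, Postgrey and rspamd greylisting are all
      # on, so mail is scored and greylisted twice. DMS documents rspamd as a
      # replacement for the SpamAssassin/Postgrey pipeline — confirm against the
      # v12 docs and keep one stack.
      - ENABLE_RSPAMD=1
      - RSPAMD_LEARN=1
      - RSPAMD_GREYLISTING=1
      - ENABLE_DNSBL=1
      # Fail2Ban bans whatever source IP Postfix/Dovecot log. Roundcube dials
      # tls://mail.mydomain.net, which resolves to the public IP, so its IMAP
      # logins come back in through the published port and are logged with the
      # Docker gateway (172.18.0.1) as source; three bad logins from any webmail
      # user then ban every webmail user. The network alias below keeps
      # Roundcube's traffic inside caddy_net instead.
      - ENABLE_FAIL2BAN=1
      - FAIL2BAN_BLOCKTYPE=reject
      - ENABLE_MANAGESIEVE=1
      - SSL_TYPE=manual
      - SSL_CERT_PATH=/tmp/dms/custom-certs/mail.mydomain.net/mail.mydomain.net.crt
      - SSL_KEY_PATH=/tmp/dms/custom-certs/mail.mydomain.net/mail.mydomain.net.key
      - POSTFIX_MAILBOX_SIZE_LIMIT=1073741824
      - POSTFIX_MESSAGE_SIZE_LIMIT=52428800
      - PFLOGSUMM_TRIGGER=logrotate
      - LOGWATCH_INTERVAL=weekly
      - REPORT_SENDER=no-reply@mydomain.net
      - LOGROTATE_INTERVAL=monthly
      - POSTFIX_INET_PROTOCOLS=ipv4
      - DOVECOT_INET_PROTOCOLS=ipv4
      - ENABLE_SPAMASSASSIN=1
      - SPAMASSASSIN_SPAM_TO_INBOX=1
      - ENABLE_SPAMASSASSIN_KAM=1
      - MOVE_SPAM_TO_JUNK=1
      - ENABLE_POSTGREY=1
      # LDAP lookups use STARTTLS to the "ldap" container (presumably Postfix and Dovecot — confirm).
      - LDAP_START_TLS=yes
      - LDAP_SERVER_HOST=ldap
      - LDAP_SEARCH_BASE=dc=mydomain,dc=net
      # NOTE(review): cn=admin is the directory's full-write account; a dedicated
      # read-only bind user is sufficient for lookups, here and for saslauthd.
      - LDAP_BIND_DN=cn=admin,dc=mydomain,dc=net
      # Secret is taken from the environment / .env; Compose fails if it is unset.
      - LDAP_BIND_PW=${LDAP_ADMIN_PASSWORD:?set LDAP_ADMIN_PASSWORD in .env}
      - LDAP_QUERY_FILTER_DOMAIN=(mail=*@%s)
      - LDAP_QUERY_FILTER_USER=(&(mail=%s)(mailEnabled=TRUE))
      - LDAP_QUERY_FILTER_ALIAS=(&(mailAlias=%s)(mailEnabled=TRUE))
      - LDAP_QUERY_FILTER_GROUP=(&(objectclass=groupOfUniqueNames)(cn=%s))
      - LDAP_QUERY_FILTER_SENDERS=(|(mail=%s)(mailAlias=%s)(mail=admin@*))
      - DOVECOT_USER_FILTER=(&(objectClass=PostfixBookMailAccount)(mail=%u)(mailEnabled=TRUE))
      - DOVECOT_PASS_FILTER=(&(objectClass=PostfixBookMailAccount)(mail=%u)(mailEnabled=TRUE))
      - DOVECOT_AUTH_BIND=yes
      - ENABLE_SASLAUTHD=1
      - SASLAUTHD_MECHANISMS=ldap
      - SASLAUTHD_LDAP_SERVER=ldap
      # saslauthd has its own TLS switch; without it the admin bind below crosses
      # the bridge network in plaintext (the LDAP server has TLS_ENFORCE off).
      # Variable name taken from the DMS v12 environment docs — confirm.
      - SASLAUTHD_LDAP_START_TLS=yes
      - SASLAUTHD_LDAP_BIND_DN=cn=admin,dc=mydomain,dc=net
      - SASLAUTHD_LDAP_PASSWORD=${LDAP_ADMIN_PASSWORD:?set LDAP_ADMIN_PASSWORD in .env}
      - SASLAUTHD_LDAP_SEARCH_BASE=dc=mydomain,dc=net
      - SASLAUTHD_LDAP_FILTER=(&(objectClass=PostfixBookMailAccount)(mail=%u@%r)(mailEnabled=TRUE))
    cap_add:
      - NET_ADMIN # For Fail2Ban to work (manipulates the container's netfilter rules)
    restart: always
    networks:
      default:
        aliases:
          # Lets containers on caddy_net (Roundcube) resolve mail.mydomain.net to
          # this container directly: the certificate name still matches and DMS
          # sees the Roundcube container's own IP instead of the gateway. The
          # webmail host is still one shared source IP for Fail2Ban; attributing
          # bans to the real browser IP additionally needs Dovecot's
          # login_trusted_networks plus a client that forwards it (confirm
          # Roundcube 1.6 does before relying on it).
          - mail.mydomain.net
networks:
  default:
    name: caddy_net
    external: true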
# Roundcube / docker-compose.yml
version: "3.9"
services:
  roundcube:
    image: roundcube/roundcubemail:1.6.1-apache
    container_name: roundcube
    hostname: roundcube
    restart: unless-stopped
    # No published ports: only Caddy (reverse_proxy http://roundcube:80 on caddy_net) reaches it.
    volumes:
      - $PWD/config:/var/roundcube/config
      - app:/var/www/html
      - data:/var/roundcube/db
    environment:
      # NOTE(review): mail.mydomain.net resolves to the public IP, so IMAP/SMTP
      # traffic leaves caddy_net and re-enters through DMS's published ports; DMS
      # then logs the Docker gateway (172.18.0.1) as the source of every webmail
      # login, which is exactly the address Fail2Ban ends up banning. Pointing
      # these at the DMS container itself (a network alias for mail.mydomain.net
      # on caddy_net keeps the certificate name matching) keeps the connection
      # inside the bridge network.
      - ROUNDCUBEMAIL_DEFAULT_HOST=tls://mail.mydomain.net
      - ROUNDCUBEMAIL_SMTP_SERVER=tls://mail.mydomain.net
      # SQLite on a named volume; fine for a single instance.
      - ROUNDCUBEMAIL_DB_TYPE=sqlite
      - ROUNDCUBEMAIL_SKIN=elastic
      - ROUNDCUBEMAIL_UPLOAD_MAX_FILESIZE=25M
volumes:
  app:
  data:
networks:
  default:
    name: caddy_net
    external: true