Description
Hi there,
I have had a great experience with mailrise so far! However, I am struggling to use Auth behind a Traefik proxy (TLS). I tried e.g. with Bitwarden but could not get it to work...
Also tested, e.g., with swaks:
swaks --to test@mailrise.example.com --server mailrise.example.com --protocol SMTPS --auth LOGIN --auth-user username
Password: password
=== Trying mailrise.example.com:465...
=== Connected to mailrise.example.com.
=== TLS started with cipher TLSv1.3:AEAD-CHACHA20-POLY1305-SHA256:256
=== TLS no local certificate set
=== TLS peer DN="/CN=TRAEFIK DEFAULT CERT"
<~ 220 eb1dfe93fb00 Mailrise 0.0.post1.dev1+g79b73fd
~> HELO fancyhostname
<~ 250 eb1dfe93fb00
*** Host did not advertise authentication
~> QUIT
<~ 221 Bye
=== Connection closed with remote host.
Mailrise config:
configs:
  test@mailrise.example.com:
    urls:
      - signals://xxxxx
# Finally, you can enable TLS encryption and/or SMTP authentication if you
# want them.
# tls:
#   mode: starttls
#   certfile: /path/to/certificate.pem
#   keyfile: /path/to/privatekey.pem
#!env_var MAILRISE_PASSWORD
smtp:
  auth:
    basic:
      username: password
Mailrise logs:
[2023-04-09 17:39:33] WARNING:mail.log:auth_required == True but auth_require_tls == False
/home/mailrise/.local/lib/python3.11/site-packages/aiosmtpd/smtp.py:372: UserWarning: Requiring AUTH while not requiring TLS can lead to security vulnerabilities!
warn("Requiring AUTH while not requiring TLS "
[2023-04-09 17:39:33] INFO:mail.log:Available AUTH mechanisms: LOGIN(builtin) PLAIN(builtin)
[2023-04-09 17:39:33] INFO:mail.log:Peer: ('192.168.XXX.XXX', 59120)
[2023-04-09 17:39:33] INFO:mail.log:('192.168.XXX.XXX', 59120) handling connection
[2023-04-09 17:39:33] DEBUG:mail.log:('192.168.XXX.XXX', 59120) << b'220 eb1dfe93fb00 Mailrise 0.0.post1.dev1+g79b73fd'
[2023-04-09 17:39:33] DEBUG:mail.log:_handle_client readline: b'HELO fancyhostname\r\n'
[2023-04-09 17:39:33] INFO:mail.log:('192.168.XXX.XXX', 59120) >> b'HELO fancyhostname
[2023-04-09 17:39:33] DEBUG:mail.log:('192.168.XXX.XXX', 59120) << b'250 eb1dfe93fb00'
[2023-04-09 17:39:33] DEBUG:mail.log:_handle_client readline: b'QUIT\r\n'
[2023-04-09 17:39:33] INFO:mail.log:('192.168.XXX.XXX', 59120) >> b'QUIT'
[2023-04-09 17:39:33] DEBUG:mail.log:('192.168.XXX.XXX', 59120) << b'221 Bye'
[2023-04-09 17:39:33] INFO:mail.log:('192.168.XXX.XXX', 59120) connection lost
[2023-04-09 17:39:33] INFO:mail.log:('192.168.XXX.XXX', 59120) Connection lost during _handle_client()
Is there something I am missing here? Mailrise is configured in plaintext (without TLS), but the connection from the client to the Traefik reverse proxy is done via TLS... So only traffic from Traefik to mailrise should be plaintext, am I right? Is there a config flag to suppress the warning, or does the fact that mailrise itself is in "plaintext mode" cause problems with auth?
EDIT:
This seems to work:
curl -vvv smtps://mailrise.example.com -u username:password --ssl-reqd \
--mail-from 'username@gmail.com' --mail-rcpt 'test@mailrise.example.com' --upload-file mail.txt;
* Connected to mailrise.example.com (192.168.xxx.xxx) port 465 (#0)
* CAfile: /etc/ssl/cert.pem
* CApath: none
* (304) (OUT), TLS handshake, Client hello (1):
} [310 bytes data]
* (304) (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* (304) (IN), TLS handshake, Unknown (8):
{ [6 bytes data]
* (304) (IN), TLS handshake, Certificate (11):
{ [4301 bytes data]
* (304) (IN), TLS handshake, CERT verify (15):
{ [520 bytes data]
* (304) (IN), TLS handshake, Finished (20):
{ [36 bytes data]
* (304) (OUT), TLS handshake, Finished (20):
} [36 bytes data]
* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256
* Server certificate:
* subject: CN=example.com
* start date: Feb 23 13:27:42 2023 GMT
* expire date: May 24 13:27:41 2023 GMT
* subjectAltName: host "mailrise.example.com" matched cert's "*.example.com"
* issuer: C=US; O=Let's Encrypt; CN=R3
* SSL certificate verify ok.
< 220 eb1dfe93fb00 Mailrise 0.0.post1.dev1+g79b73fd
> EHLO mail.txt
< 250-eb1dfe93fb00
< 250-SIZE 33554432
< 250-8BITMIME
< 250-SMTPUTF8
< 250-AUTH LOGIN PLAIN
< 250 HELP
> AUTH PLAIN
< 334
> AHVzZXJuYW1lAHBhc3N3b3Jk
< 235 2.7.0 Authentication successful
> MAIL FROM:<username@gmail.com> SIZE=14
< 250 OK
> RCPT TO:<signal@mailrise.example.com>
< 250 OK
> DATA
< 354 End data with <CR><LF>.<CR><LF>
} [14 bytes data]
Am I doing something wrong in terms of configuration (Bitwarden) or CLI parameters (swaks)?
Would be nice if you could point me in the right direction :).
Thank you!
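As an added example (not part of this issue or of mailrise itself), the following Python script illustrates what the two traces above show: SMTP extensions, AUTH included, are only listed in the reply to EHLO and never to HELO, and the AUTH PLAIN token from the curl trace is plain base64, which is why aiosmtpd warns when AUTH is required without TLS in front of the server. The `probe_auth` helper and its host/port arguments are assumptions for a live check against your own relay; the two reply strings are constructed from the issue's output.

```python
import base64
import smtplib
import ssl

# Constructed from the two server replies quoted in the issue above.
HELO_REPLY = "250 eb1dfe93fb00\r\n"
EHLO_REPLY = ("250-eb1dfe93fb00\r\n" "250-SIZE 33554432\r\n" "250-8BITMIME\r\n"
              "250-SMTPUTF8\r\n" "250-AUTH LOGIN PLAIN\r\n" "250 HELP\r\n")


def parse_extensions(reply: str) -> dict:
    """Parse a 250 reply into {EXTENSION: [params]}. The first line is the
    server name, not an extension; a HELO reply has only that line, so a
    client that sends HELO can never learn that AUTH is supported."""
    lines = [ln for ln in reply.split("\r\n") if ln]
    exts = {}
    for line in lines[1:]:
        if not line.startswith("250"):
            raise ValueError(f"unexpected reply line: {line!r}")
        fields = line[4:].split()
        if fields:
            exts[fields[0].upper()] = fields[1:]
    return exts


def auth_mechanisms(reply: str) -> list:
    """SASL mechanisms advertised in the reply (empty for a HELO reply)."""
    return parse_extensions(reply).get("AUTH", [])


def encode_plain(username: str, password: str) -> str:
    """SASL PLAIN initial response (RFC 4616): base64(authzid NUL authcid NUL passwd)."""
    return base64.b64encode(b"\0" + username.encode() + b"\0" + password.encode()).decode()


def decode_plain(token: str) -> tuple:
    """Recover (username, password) from an AUTH PLAIN token: base64 is encoding,
    not encryption, so without TLS in front of the server the credentials are in the clear."""
    _authzid, authcid, passwd = base64.b64decode(token).split(b"\0")
    return authcid.decode(), passwd.decode()


def probe_auth(host: str, port: int = 465) -> list:
    """Live check (host/port are assumptions): implicit TLS, EHLO, list AUTH mechanisms."""
    with smtplib.SMTP_SSL(host, port, context=ssl.create_default_context()) as smtp:
        smtp.ehlo()
        return smtp.esmtp_features.get("auth", "").split()
```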

