Mailproxy : nginx or postscript ?!?

hi,
I need some help …
context :
-> latest ipfire (with nginx as reverse proxy for let’s encrypt)
-> some servers on the LAN (later on DMZ maybe) : NAS (syno), home assistant (raspberry), WEB server (raspberry)
-> I’ve a permanent IP (with three domain names) that permits access from the Internet to all these servers with https (let’s encrypt).
Now, I’ve built a mail server (iredmail) …

I can send and receive some mails (with NAT) … but not all: because (?) of authentication (?) smtp, pop3 and imap?

I’ve read some articles … two solutions (for now ?!?):
1- mailproxy with nginx (on ipfire) :
/// https://docs.nginx.com/nginx/admin-guide/mail-proxy/mail-proxy/
/// https://www.nginx.com/resources/wiki/start/topics/examples/imapproxyexample/
(for example)

2- mail proxy with postfix (on ipfire)
/// https://wiki.ipfire.org/optimization/mailproxy

Two questions:
1/ what solution should I choose: nginx or postfix? did you find a tutorial?
2/ did you hear about a better solution than iredmail (with SOGo) as mail server?

Why put a proxy on mail traffic? Which ports are you forwarding?
Does the reverse pointer for the mailserver hostname point to your public ip address?

When I use port forwarding (imap, pop and smtp), some providers (like google) accept to send or receive mail from my mail server but others (gandi, outlook, …) refuse because of the MTA’s poor reputation or lack of authentication, … So I need authentication with let’s encrypt for example; self signed certificates are not enough!

Authentication and certificates are two very different things.

For authentication you can achieve it via the common email ports, plain and encrypted.
If you buy a certificate you can install it to your email and webserver.

Let’s Encrypt is another way to make certificates work. The client has to talk with the webserver to provide challenge and response, and then install the certificates to the services that need them.
There’s quite no proxy involved (to add) on the setup.

More explanations :
On ipfire, I’ve nginx as reverse proxy with let’s encrypt to access my NAS and my webserver via https://my.domain.com (it’s a private use). This config is ok.
But now, I want a personal mailserver (with Iredmail ?) - Iredmail works ok but the matter is “certificates” … “sending MTA’s reputation” … “smtp auth” “imap auth”.
I’m not clear because I probably don’t use the right words.

I found a very interesting tutorial from nginx (https://www.nginx.com/resources/wiki/start/topics/examples/imapauthenticatewithapachephpscript/) … Maybe use ipfire as imap auth backend?
What about https://wiki.ipfire.org/optimization/mailproxy ?
What about smtp auth ? Is it MTA’s reputation ?

I too am trying to set this up… Same setup (Outside world --> IPFire w/nginx and Let’s Encrypt for web servers/sites --> web servers), and I want to add iredmail as a separate server with all of its basic features (SMNP, IMAP, webmail).

I can port forward the needed ports in the firewall rules, but how (without manually copying the LE certs every time they update) can I either forward the certs to the iRedmail server via proxy or use some form of UUCP-type thing for dovecot/postfix? I can proxy the webmail portion like I do the other webservers, but so far not the dovecot/postfix portion.
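
One way to automate the certificate hand-off asked about in the last post, as an added example that is not from any poster in this thread: a script for the mail server that installs a renewed pair only when it changed and looks intact, so Postfix and Dovecot are reloaded only when needed. The file names `fullchain.pem` and `privkey.pem`, the directory paths in the usage comment, and the separate scp/rsync job that fills the staging directory from the firewall are assumptions.

```shell
#!/bin/sh
# Added example: install a renewed certificate pair for Postfix/Dovecot.
# Assumed: a separate scp/rsync job from the firewall drops fullchain.pem
# and privkey.pem into a staging directory on the mail server.

# pem_ok FILE LABEL_REGEX: file is non-empty and has BEGIN and END lines,
# which rejects an empty or truncated transfer.
pem_ok() {
    [ -s "$1" ] &&
    grep -Eq -e "-----BEGIN $2-----" "$1" &&
    grep -Eq -e "-----END $2-----" "$1"
}

# install_atomic SRC DST MODE: copy beside DST with a tight umask, then
# rename over it, so no reader sees a partial file or a loosely
# permissioned private key.
install_atomic() {
    tmp="$2.new.$$"
    ( umask 077; cp "$1" "$tmp" ) && chmod "$3" "$tmp" && mv -f "$tmp" "$2"
}

# deploy_mail_cert SRC_DIR DST_DIR
# returns 0 = new pair installed (reload needed), 1 = unchanged, 2 = rejected
deploy_mail_cert() {
    src=$1 dst=$2
    pem_ok "$src/fullchain.pem" 'CERTIFICATE' || return 2
    pem_ok "$src/privkey.pem" '(RSA |EC )?PRIVATE KEY' || return 2
    if cmp -s "$src/fullchain.pem" "$dst/fullchain.pem" 2>/dev/null &&
       cmp -s "$src/privkey.pem" "$dst/privkey.pem" 2>/dev/null; then
        return 1
    fi
    # The services keep the pair they already loaded until reloaded.
    install_atomic "$src/privkey.pem" "$dst/privkey.pem" 600 &&
    install_atomic "$src/fullchain.pem" "$dst/fullchain.pem" 644
}

# Usage from cron on the mail server (both paths are hypothetical):
#   deploy_mail_cert /var/spool/le-staging /etc/ssl/mail \
#       && { postfix reload; doveadm reload; }
```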