Mail server behind reverse proxy can't connect to Outlook

Hi everyone,

 

I apologise if this is posted in the wrong subforum, it was a toss up between this and Networking.


Background Information

A few months ago I posted this thread asking for any suggestions on how to install a mail server behind a reverse proxy.  Now, I've done it - mostly.

For the initial installation of postfix and s-nail, I used this guide from digitalocean which allowed me to get the server up and running to send and receive mail to and from my three different domains, although without SSL.

To secure the server with SSL and authenticate users, I followed this guide from UpCloud.  The server is still capable of sending and receiving emails, through the command line.

 

I've port forwarded all the mail ports (see below) and sent all mail port traffic to the mail server (.6).

 

(screenshot: port-forward rules on the router)
(For those wondering, my router is OPNsense, which is a fork of pfSense.  My friend set it up for me and I'm still not entirely familiar with it, but I do like to think I know what I'm doing regarding networking/server admin.  Or maybe not, if this post is believed ¯\_(ツ)_/¯)

All other traffic goes to the reverse proxy (.7), which is then distributed to all the different services I have on my network (GitLab, Mattermost, Web, etc).

There is a wildcard subdomain rule in the nginx config that takes all non existent subdomains and throws you onto the domain landing page.  Therefore I added a mail.domain.com redirect and pointed it to the mail server (below):

server {
        server_name mail.domain.com;
        location / {
          proxy_set_header Host $host;
          proxy_pass "http://192.168.1.6";
          proxy_redirect off;
        }
}

For the other services, I append the proxy_pass with a port, usually 80 for http.

 

EDIT: I forgot to mention that on the reverse proxy and mail server I allowed ports 80, 443, 143, 995, 25, 110, 993 and 465 through Ubuntu's UFW in case that was causing any issues.  It wasn't.


Problem #1
When I go to add my email account to outlook, it says it can't connect to the incoming mail server (this is using my linux account credentials - there's a linux user for every mail recipient) and returns a 504 Gateway Timeout.

 

Problem #2

In the advanced options of the outlook account configuration, should I use the same mail address (mail.domain.com) and the same port for incoming and outgoing mail?  Outlook autofills this with different ports, so maybe I'm thinking I need to have two mail servers, one for incoming and one for outgoing mail?  It's entirely possible that every combination of these settings I've tried so far has been wrong.

(screenshot: Outlook advanced account settings, incoming/outgoing server and ports)

(also should I tick the 'Require logon using SPA' box?  I don't know...)

 

Problem #3
In the event I have got the proxy redirection policies wrong, should I route all traffic through the reverse proxy and have specific rules for each port?  Kind of like this:

server {
        server_name mail.domain.com:995;
        location / {
          proxy_set_header Host $host;
          proxy_pass "http://192.168.1.6:995";
          proxy_redirect off;
        }
}

server {
        server_name mail.domain.com:465;
        location / {
          proxy_set_header Host $host;
          proxy_pass "http://192.168.1.6:465";
          proxy_redirect off;
        }
}

server {
        server_name mail.domain.com:993;
        location / {
          proxy_set_header Host $host;
          proxy_pass "http://192.168.1.6:993";
          proxy_redirect off;
        }
}

... or can you not do this?

Do I also need to/should I allow http traffic into the mail server with a redirection policy like the above for user authentication?

 

I have tried to include as much information as possible, hopefully it makes sense.  Also thanks for reading, any help/advice is really, really appreciated :D

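An added example, not from the thread or either poster. The `server` blocks above live in nginx's `http { }` context, which only speaks HTTP: `server_name mail.domain.com:995` does not make nginx listen on 995 (listening ports come from `listen`), and even if it did, an IMAP or SMTP client would be answered by an HTTP parser, which is where 502/504 style failures come from. Mail ports need TCP-level passthrough, which in nginx is the `stream` module. The example assumes the port forwards now land on the proxy at 192.168.1.7 (as suggested later in the thread), that the mail server at 192.168.1.6 terminates TLS itself on 465/993/995, and that the proxy's nginx was built with stream support (`nginx -V 2>&1 | grep -o with-stream`; Ubuntu's `nginx-full`/`nginx-core` packages have it). Port 587 (submission) is an addition of mine; drop that block if Postfix is not listening there.

```nginx
# On the proxy (192.168.1.7), in /etc/nginx/nginx.conf at TOP level, next to
# http { } and not inside it. Files under sites-enabled/ are included from
# inside http { }, so a stream { } block placed there is a syntax error.
stream {
    # Shared settings: fail fast on a dead backend, but let idle IMAP IDLE
    # sessions sit for a while (default proxy_timeout is 10 minutes).
    proxy_connect_timeout 5s;
    proxy_timeout         10m;

    # Each block copies raw TCP bytes between the client and 192.168.1.6.
    # No Host header, no HTTP, no TLS termination here: the client does its
    # TLS handshake with the mail server's own certificate.
    server { listen 25;  proxy_pass 192.168.1.6:25;  }   # SMTP, inbound delivery
    server { listen 465; proxy_pass 192.168.1.6:465; }   # SMTPS, implicit TLS submission
    server { listen 587; proxy_pass 192.168.1.6:587; }   # submission + STARTTLS (assumed)
    server { listen 143; proxy_pass 192.168.1.6:143; }   # IMAP  (STARTTLS on the backend)
    server { listen 993; proxy_pass 192.168.1.6:993; }   # IMAPS
    server { listen 110; proxy_pass 192.168.1.6:110; }   # POP3  (STARTTLS on the backend)
    server { listen 995; proxy_pass 192.168.1.6:995; }   # POP3S
}
```

Run `nginx -t` after adding it, then `systemctl reload nginx`. The existing `http { }` vhost for mail.domain.com can stay; it is only relevant for web traffic such as Outlook's autodiscover lookups or a webmail UI, it never carries mail. Two caveats a practitioner would want: with plain passthrough every connection reaches Postfix/Dovecot from 192.168.1.7, so their logs, rate limits and any fail2ban rules see the proxy's address rather than the real client; if that matters, add `proxy_protocol on;` to the stream servers and enable the PROXY protocol on the backend (Postfix `smtpd_upstream_proxy_protocol = haproxy`, Dovecot `haproxy_ports`), and keep the mail ports firewalled so only the proxy can reach them, since a backend that trusts PROXY headers must not be reachable directly. Outbound mail from 192.168.1.6 still leaves through the router's NAT, unaffected by this block.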

I'm very confused about what you have done and why you've done it.

 

I'm guessing 192.168.1.7 is your proxy?

Why is 192.168.1.6 forwarded, and what is it? If this is your main server, these should be on the proxy IP. This does not send your mail server requests through the proxy.

 

Also, why do you have a proxy for the mail server if you only need one server for the mail hosting you need? This is pointless, unless you have plans to "need" a lot more in the future.

 

Some questions for you..

 

Do you have, or have plans on having, several web hosting servers (bare metal servers) in the future, or just this one?

Do you have, or have plans on having, several mail servers (bare metal servers) in the future, or just this one?

 

I understand that you are trying to learn as you go. But it seems to me that you have your head a little deep under water at the moment.

And I mean that in the nicest way :)

 


15 minutes ago, AbsoluteFool said: [quotes the reply above in full]


.6 is the mail server, and .7 is the proxy.

.6 is forwarded because I'm not sure what redirection policies to add to the reverse proxy to handle the different mail port traffic, i.e. do I need to prepend http to the address of the mail server?  Do I need to add the port to the server name?  These are things I don't know, nor, apparently, does Google.

 

I'm using a reverse proxy because I have multiple fully qualified domain names with multiple subdomains with web services (http & https) hosted on different servers on my local network, and I need to direct http & https traffic to different machines depending on what the request is.  For example gitlab.domain3.com is hosted on the gitlab server, while mattermost.domain1.com is hosted on a completely different machine, and drive.domain2.com is hosted on another completely different server.

Also I probably forgot to mention the proxy handles SSL (not on the mail server though).

Here's a map of my network.  It's not completely accurate, but you should get the idea.

(image: network map)

I would like the mail server to be behind the proxy, but I'm not completely sure how to do that with the redirection rules.

 

The mail server works (i.e. it can send and receive mail) in the current configuration (see above), but I can't connect it to Outlook because mail.domain1.com, mail.domain2.com and mail.domain3.com go to the proxy, resulting in a 502 Bad Gateway/504 Gateway Timeout.

 

I don't have any plans for any more web hosting servers, however in my current configuration, gitlab, mattermost, office and drive are all on separate machines but have web interfaces.  This is a form of redundancy as if a single service breaks, the issue is isolated to a single machine and all the others are unaffected.

 

I'm probably only ever going to have a single mail server, because with postfix I know it's possible to host multiple domains, e.g. emails addressed to user@domain1.com and user2@domain2.com are both delivered to the same mail server.

 

I hope this is helpful, and believe me - absolutely no offence taken :D


Well, as far as I can understand without looking at your proxy config.

 

You need to add the mail.domain1.com (2,3 etc w/e you have) to proxy.

 

server {
        listen 80;                        # for mail.domain1.com
        server_name mail.domain1.com;
        location / {
          proxy_pass http://192.168.1.6;  # goes to mail server
        }
}

Also, all the port forwards should be on the proxy server. So .7

 


Ok, this makes sense.

I changed the port forwards to now be directed to the proxy server.

Just one question though - for all the mail ports (143, 995, 25, 110, 993 and 465) should I have a separate server block in the proxy config for each port or will a catch-all block like the one below take all traffic regardless of port and throw it onto the mail server?

 

Catch-all server block

(Update: This doesn't work because it breaks the server's ability to receive mail)

server {
        server_name mail.domain.com;
        location / {
          proxy_set_header Host $host;
          proxy_pass "http://192.168.1.6";
          proxy_redirect off;
        }
}

 

Separate server block for each port

(Update: This doesn't work because nginx says there's a conflicting server name and ignores the rule.)

server {
        server_name mail.domain.com;
        location / {
          proxy_set_header Host $host;
          proxy_pass "http://192.168.1.6:995";
          proxy_redirect off;
        }
}

server {
        server_name mail.domain.com;
        location / {
          proxy_set_header Host $host;
          proxy_pass "http://192.168.1.6:465";
          proxy_redirect off;
        }
}

server {
        server_name mail.domain.com;
        location / {
          proxy_set_header Host $host;
          proxy_pass "http://192.168.1.6:993";
          proxy_redirect off;
        }
}

and so on for all the other ports

 

Update:

I tried this (below) and ran into the same issue as the catch-all server block:

server {
        server_name mail.domain.com;
        location / {
          proxy_set_header Host $host;
          proxy_pass "http://192.168.1.6:80";
          proxy_redirect off;
        }
}

server {
        server_name mail.domain.com:143;
        location / {
          proxy_set_header Host $host;
          proxy_pass "http://192.168.1.6:143";
          proxy_redirect off;
        }
}

server {
        server_name mail.domain.com:995;
        location / {
          proxy_set_header Host $host;
          proxy_pass "http://192.168.1.6:995";
          proxy_redirect off;
        }
}

server {
        server_name mail.domain.com:25;
        location / {
          proxy_set_header Host $host;
          proxy_pass "http://192.168.1.6:25";
          proxy_redirect off;
        }
}

server {
        server_name mail.domain.com:110;
        location / {
          proxy_set_header Host $host;
          proxy_pass "http://192.168.1.6:110";
          proxy_redirect off;
        }
}

server {
        server_name mail.domain.com:993;
        location / {
          proxy_set_header Host $host;
          proxy_pass "http://192.168.1.6:993";
          proxy_redirect off;
        }
}

server {
        server_name mail.domain.com:465;
        location / {
          proxy_set_header Host $host;
          proxy_pass "http://192.168.1.6:465";
          proxy_redirect off;
        }
}

I also tried removing the http:// from the start of the proxy_pass lines, but nginx didn't like that.

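A quick way to see who is actually answering each mail port, as an added example that is not part of the thread. Outlook's "can't connect" hides the real symptom; the first line a server sends identifies it, because SMTP, IMAP and POP3 all greet the client before the client says anything. A Postfix or Dovecot greeting means passthrough works; an `HTTP/1.1 400 Bad Request` means the port landed in an nginx `http { }` server block instead of being passed through; nothing at all means the forward or firewall never delivered the connection. It assumes `openssl` and `nc` are installed on the machine you run it from, and that you run it from outside the LAN (or against the proxy's own address) so the router's port forwards are exercised.

```sh
#!/bin/sh
# mailprobe.sh: connect to each mail port and classify the greeting.
# Added example, not from the thread. Assumes openssl(1) and nc(1) exist.
# Usage: ./mailprobe.sh mail.domain.com      (or the proxy's public IP)

# classify_banner LINE -> smtp | imap | pop3 | http | none | unknown
# Mail daemons speak first, so the first line names the speaker. An HTTP
# status line means an HTTP server (e.g. an nginx http { } block) owns
# the port, not a mail daemon.
classify_banner() {
    case "$1" in
        "")       echo none ;;      # nothing arrived: refused, filtered, or silent
        220*)     echo smtp ;;      # "220 host ESMTP Postfix"              (RFC 5321)
        "* OK"*)  echo imap ;;      # "* OK [CAPABILITY ...] Dovecot ready." (RFC 3501)
        +OK*)     echo pop3 ;;      # "+OK Dovecot ready."                  (RFC 1939)
        HTTP/*)   echo http ;;      # "HTTP/1.1 400 Bad Request"
        *)        echo unknown ;;
    esac
}

# first_line HOST PORT MODE -> prints the server's first line (CR stripped)
# MODE=tls for implicit-TLS ports (465, 993, 995): openssl does the handshake
# and -quiet prints only application data. MODE=plain reads the cleartext
# greeting. "sleep 3 |" keeps stdin open so the client tool does not hang
# up on EOF before the greeting has arrived.
first_line() {
    host=$1 port=$2 mode=$3
    if [ "$mode" = tls ]; then
        sleep 3 | openssl s_client -connect "$host:$port" -servername "$host" \
            -quiet 2>/dev/null | head -n 1 | tr -d '\r'
    else
        sleep 3 | nc -w 5 "$host" "$port" 2>/dev/null | head -n 1 | tr -d '\r'
    fi
}

# probe_all HOST -> one line per port: port, classification, raw greeting
probe_all() {
    host=$1
    for spec in 25:plain 587:plain 465:tls 143:plain 993:tls 110:plain 995:tls; do
        port=${spec%%:*}
        mode=${spec##*:}
        banner=$(first_line "$host" "$port" "$mode")
        printf '%-5s %-8s %s\n' "$port" "$(classify_banner "$banner")" "$banner"
    done
}

if [ "$#" -ge 1 ]; then
    probe_all "$1"
fi
```

A healthy result shows `smtp` on 25/587, `imap` on 143/993 and `pop3` on 110/995 with Postfix/Dovecot greetings. `http` on any of them is the signature of the `server_name mail.domain.com:993` approach above; `none` on all of them while the backend works locally points at the router forward or UFW rather than nginx. The plaintext probes on 143 and 110 only read the greeting and never send credentials, so they are safe to run against a live server.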
