Use SWAG TLS for Mailrise

[karlis-vagalis]

Example:
Domain: example.com
Mailrise open port: 25
IP addr where Mailrise is running: 192.168.1.100
NGINX Mailrise port: 465

A short description to get SSL/TLS termination done by NGINX for Mailrise. As I could only find tutorial for Mailrise to use Traefik, I tried many ways to get it working with reverse proxy I use: NGINX (SWAG, linuxserver.io) flavour.

NGINX settings

As we are going to use NGINX stream to route requests to our domain on specific port to the machine running Mailrise, we should mount /etc/nginx/stream.d folder of SWAG container (the conf files in this directory are loaded as streams for NGINX):

In SWAG docker compose that would be additional entry for volumes and port:

volumes:
	- <folder_of_your_choice>:/etc/nginx/stream.d
ports:
	- 465:465

Secondly, in the <folder_of_your_choice> we create a new file with .conf ending, for example, mailrise.conf

In this file we enter:

server {
	listen 465 ssl;

	ssl_certificate /config/keys/cert.crt;
	ssl_certificate_key /config/keys/cert.key;
	ssl_trusted_certificate /config/keys/cert.crt;

	proxy_pass 192.168.1.100:25;
}

Explained:
This server block will listen to port 465 running on NGINX machine and force SSL usage and will use already downloaded certificates for your domain name and pass them to the IP 192.168.1.100 and port 25 where the Mailrise is running.

Make sure to open that port for Mailrise container like:

ports:
	- 25:8025

Restart SWAG.

Try to send email to your domain name (examples.org) on port 465.

Also, do not forget to open router port 465 if you want to access Mailrise from outside the local network. Would not recommend. This tutorial is more for use in LAN where example.org is resolved by DNS to local address.

[YoRyan]

I personally would connect to the Mailrise container by hostname/container name rather than IP address, but this is a fantastic guide regardless. Thanks for your contribution!

[karlis-vagalis]

That is a good point, I played out a bit and think have a more elegant solution for proposed mailrise.conf file:

map $ssl_server_name $stream_backend {
    smtp.example.com	mailrise_backend;
}

upstream mailrise_backend {
    server	mailrise:8025;
}

server {
    listen  465 ssl;
    listen	[::]:465 ssl;

    ssl_certificate /config/keys/cert.crt;
    ssl_certificate_key /config/keys/cert.key;

    ssl_protocols TLSv1.2 TLSv1.3;

    include /config/nginx/resolver.conf;
    proxy_pass $stream_backend;
}

This assumes the docker container running mailrise is named mailrise and uses default 8025 port. Instead of using original example.com:465 ir now limits the access to 'smtp.ecample.com:465' which is cleaner solution.

[pd-448482]

@karlis-vagalis Is this setup still valid? I have tried it per the instructions with your new file and I'm not able to connect via my domain on port 465. So inside the SWAG container, at /etc/nginx/stream.d/mailrise.conf is the configuration you have above but I have replaced example.com with the domain already used by SWAG. It seems that the file is not being used as the output of netstat -lntu does not include anything running on port 465.

[karlis-vagalis]

@pd-448482 yes, I think so. It is obviously somewhat hard to debug, without knowing your exact setup, but my suggestion would be to investigate this https://github.com/linuxserver/docker-swag?tab=readme-ov-file#versions. The Versions section indicates, that on 04.03.24 changes to stream.conf were made to allow custom user config. As I am not using SWAG anymore, I unfortunately do not know how current config differs.