Using the docker container with existing Nginx server #75

Closed
ShanahJr opened this issue Jul 29, 2020 · 23 comments

@ShanahJr

I have installed the container but I am only able to access iredmail through https:myip:444/mail or iredadmin. I have an mx record and A record for mail.mydomain.com.
What am I missing? Below are the settings I used

docker run -p 81:80 -p 444:443 \
           -h mail.mydomain.com \
           -e "MYSQL_ROOT_PASSWORD=MySuperPassword" \
           -e "SOGO_WORKERS=1" \
           -e "TZ=Europe/Prague" \
           -e "POSTMASTER_PASSWORD={PLAIN}MySuperPassword?" \
           -e "IREDAPD_PLUGINS=['reject_null_sender', 'reject_sender_login_mismatch', 'greylisting', 'throttle', 'amavisd_wblist', 'sql_alias_access_policy']" \
           -v /srv/iredmail/mysql:/var/lib/mysql \
           -v /srv/iredmail/vmail:/var/vmail \
           -v /srv/iredmail/clamav:/var/lib/clamav \
           --name=iredmail lejmr/iredmail:mysql-latest

Do I need to create an nginx server block and redirect the request to the port I specified :444? Because I tried that. Below is what I tried.

server {
        #listen  127.0.0.1:444 ssl;
        server_name mail.mydomain.com;

        location / {
        proxy_pass https://127.0.0.1:444;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_set_header        X-Real-IP       $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto https;
        proxy_set_header        X-Forwarded-Port 443;
    }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/mail.mydomain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mail.mydomain.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {
    if ($host = mail.mydomain.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen       80;
    listen       [::]:80;
        server_name mail.mydomain.com;
    return 404; # managed by Certbot
        location / {
        proxy_pass https://127.0.0.1:81;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_set_header        X-Real-IP       $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto https;
        proxy_set_header        X-Forwarded-Port 443;
    }

}

When I try accessing mail.mydomain.com/mail in my browser I get the following error -> Nginx 404 NotFound. And when I access mail.mydomain.com I see the "welcome to Nginx" html page.

Otherwise everything is working as expected except receiving emails when I use https:myip:444/mail or iredadmin to access the mail server

@TitanFighter
Contributor

Read this thread, maybe it can help.

@ShanahJr
Author

ShanahJr commented Jul 29, 2020

@TitanFighter I went through that thread a couple of times. It should have helped but I didn't understand some things. It is because of your answer there that I tried creating a server block for mail.mydomain.com with the proxy_pass to the port I specified for the container. That is not working for me as expected.

@digitalap3

FWIW I combined the two answers from the previous thread and have success:

    location / {
        proxy_pass https://iredmail;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_set_header        X-Real-IP       $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto https;
        proxy_set_header        X-Forwarded-Port 443;
    }

This is the full conf:

server {

    listen  80;
    server_name mailserver.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name mailserver.example.com;

    include /ssl_files/nginx/proxy-confs/*.subfolder.conf;
    include /ssl_files/nginx/ssl.conf;

    access_log /var/log/nginx/nginx-access.log;
    error_log /var/log/nginx/nginx-error.log;

    location / {
        proxy_pass https://iredmail; #this is the container name set in compose file
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_set_header        X-Real-IP       $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto https;
        proxy_set_header        X-Forwarded-Port 443;
    }

    # Error pages
    error_page 500 502 503 504 /500.html;
    location = /500.html {
        root ./static/;
    }
}

Hope this helps.

@ShanahJr
Author

ShanahJr commented Aug 5, 2020

@digitalap3 This is most definitely worth a lot. There are just a few things I need to confirm. Where do I place this server block you have defined above? I have placed it in /etc/nginx/sites-available/mailserver.example.com. Upon running sudo nginx -t I was shown the following issue:
nginx: [emerg] host not found in upstream "iredmail" in /etc/nginx/sites-enabled/mailserver.example.com:12
nginx: configuration file /etc/nginx/nginx.conf test failed

I believe I am getting this error because the host name iredmail has not been defined in /etc/hosts. Am I correct about that? And If so, would I use 127.0.0.1 or 127.0.1.1 or something else entirely?

p.s I have replaced my actual domain with mailserver.example.com in the information above, I am making use of my actual domain in the implementation.

@digitalap3

My configuration is a little different from yours. The full configuration file is named mail.conf and is placed in /etc/nginx/conf.d/mail.conf. I am not using the upstream block to define the server name.

The name 'iredmail' is the container's name defined in either the run command with --name iredmail or docker-compose with container_name: iredmail. So when you docker ps you should see a running container named 'iredmail'.

Also - and this may be your problem - the nginx container and the iredmail container have to be on the same network. Here is my docker-compose file:

version: '3.5'
services:
  iredmail:
    image: lejmr/iredmail:mysql-latest
    container_name: iredmail 
    restart: unless-stopped
    hostname: mailserver.example.com
    privileged: yes
    ports:
      - "25:25"
      - "587:587"

    volumes:
      - iredmail:/var

    environment:
      - MYSQL_ROOT_PASSWORD=mysecretpassword
      - POSTMASTER_PASSWORD={PLAIN}mysecretpassword
      - IREDAPD_PLUGINS= ['reject_null_sender', 'reject_sender_login_mismatch', 'greylisting', 'throttle', 'amavisd_wblist', 'sql_alias_access_policy']
      - TZ=America/New_York
    networks:
      - nginxmain

networks:
  nginxmain:
    external: true

volumes:
  iredmail:
    external: true

Notice the last block of the iredmail service 'networks: - nginxmain'. This is also available with the run command. That network was created with the docker network create command and is included in the service block of my nginx reverse proxy container as well.

When two containers are on the same network they are 'aware' of each other by the container name and all exposed ports are available to them. So it is not necessary to use localhost or any variation of that or to define any names in /etc/hosts. AFAIK.

Apologies if all the network talk is familiar. Hopefully something in there will help.

@ShanahJr
Author

ShanahJr commented Aug 5, 2020

@digitalap3 I would just like to say thank you for taking the time to deal with me. It is highly appreciated. I am very new to handling all this Linux VPS stuff and it is very nice to know that people like you exist.

I noticed that you mentioned "nginx container". I am not using an Nginx container, only iredmail container. Is it possible to get the iredmail container to "communicate" with the Nginx server I already have installed on my system?

@digitalap3

Yes I thought that was what this was about lol. I am sorry. Too much screen time and initially reading through my own filter of the questions I have. I have several servers behind a main nginx container and was having trouble getting it to reverse proxy. I hope I have not confused you.

@digitalap3

If I am reading you right I think the problem you are having is that you are trying to point your domain to your server. So you are on say google domains putting the ip address of your server in?

@ShanahJr
Author

ShanahJr commented Aug 5, 2020

I believe I have successfully pointed my domain to my server. I think the issue is pointing my Nginx server to the iredmail container, so that when I access mail.example.com/iredadmin, the iredmail container will be "accessed"/"pointed to".

@digitalap3

The only way to access your container is over port 80 or 443 unless you specify a port number. When you try to go to mailserver.example.com the port 80 or 443 is understood. It is pointing to the nginx container that is on port 80. That is why you get the default page - it is from that container. When you put in the specific port number you get access since the container is mapped to that port.

The only way to be able to access your iredmail container without putting in a port number is either to map it to 80 and 443 on your server or reverse proxy through the nginx container that is mapped to those ports. That is what I described.

@ShanahJr
Author

ShanahJr commented Aug 5, 2020

docker run -p 81:80 -p 444:443 \
           -h mail.mydomain.com \
           -e "MYSQL_ROOT_PASSWORD=MySuperPassword" \
           -e "SOGO_WORKERS=1" \
           -e "TZ=Europe/Prague" \
           -e "POSTMASTER_PASSWORD={PLAIN}MySuperPassword?" \
           -e "IREDAPD_PLUGINS=['reject_null_sender', 'reject_sender_login_mismatch', 'greylisting', 'throttle', 'amavisd_wblist', 'sql_alias_access_policy']" \
           -v /srv/iredmail/mysql:/var/lib/mysql \
           -v /srv/iredmail/vmail:/var/vmail \
           -v /srv/iredmail/clamav:/var/lib/clamav \
           --name=iredmail lejmr/iredmail:mysql-latest

According to the docker-compose file above, I specified port 444 and 81 because 443 and 80 are already taken by the Nginx server I have running on my host (Not Container, I have not installed a Nginx container).

So how would I forward requests to 81 or 444 when I access mailserver.example.com?

@digitalap3

The only way to access mailserver.example.com is by using the server that is mapped already to 443 and 80. Let's call that Main Server. You would put the mail.conf file in the directory of the Main Server and it would then reverse-proxy all traffic between outside the VPS and into your iredmail container.

Everything I initially described beginning with the FWIW post is how to do that. So with that in mind - I am describing how to set up Main Server to reverse proxy to the iredmail server - go back to where we started at 'FWIW'.

Especially the part about the Main Server and the iredmail server being on the same named network created with the docker network create command.

This is assuming that the Main Server is a docker container as well.

@ShanahJr
Author

ShanahJr commented Aug 8, 2020

@digitalap3 I have spent a lot of time trying to get this to work. But still no luck. Let me just make sure I understand the situation correctly.

The setup I have is Nginx installed directly on my Ubuntu Server. I then have an iredmail container. I want to forward requests made using mailserver.example.com to the iredmail docker container. From what I understand, this is what a reverse proxy does. But I want to use the Nginx server installed directly on my Ubuntu Server. Is this not possible?

Is the only way to use the iredmail container to use an Nginx container to reverse proxy to it? And if that is the case, would I need to uninstall the Nginx server I have installed on my Ubuntu Server?

@TitanFighter
Contributor

@ShanahJr it is possible. I have done it a few times. Tomorrow I will explain how to do it (need PC).

@ShanahJr
Author

ShanahJr commented Aug 9, 2020

@TitanFighter Thank you very much.

@TitanFighter
Contributor

TitanFighter commented Aug 9, 2020

@ShanahJr
I no longer use the approach that you have because of this headache, but I checked all the configs of the different projects I have and I see that digitalap3's setting regarding proxy_pass https://iredmail; is correct (and you probably need to remove -p 81:80 -p 444:443 - I do not remember exactly - the last time I had this issue was ~2 years ago).

Regarding this nginx: [emerg] host not found in upstream "iredmail" in /etc/nginx/sites-enabled/mailserver.example.com:12. As far as I remember, you need to run docker first and only after that start nginx.

@ShanahJr
Author

ShanahJr commented Aug 9, 2020

@TitanFighter I will try starting docker first then nginx.
So to avoid the headache, do you suggest that I use an nginx container to host all of my websites and handle the iredmail as well?

Instead of using nginx directly on my Linux server?

@TitanFighter
Contributor

TitanFighter commented Aug 9, 2020

@ShanahJr Also you can try the nginx config file from here, especially the part proxy_pass https://127.0.0.1:8443;. Just try to run the iredmail container first, then nginx (as I remember this is important).

> do you suggest that I use an nginx container to host all of my websites and handle the iredmail as well?

Yes, as shown here. It is a reverse proxy nginx which automatically proxies requests to the containers which are behind nginx. Your method of installing nginx directly on the server is an old approach.

@ShanahJr
Author

ShanahJr commented Aug 18, 2020

I have found a solution to my problem. One that is not stressful at all. Instead of using proxy_pass https://127.0.0.1:8443;, I have used proxy_pass https://0.0.0.0:8443; and I am able to connect to my docker container with no stress at all.

@TitanFighter
Contributor

How about proxy_pass https://iredmail:8443; ?

@ShanahJr
Author

Using proxy_pass https://iredmail:8443 gave me this error since I am not using an nginx container, only an iredmail container:
nginx: [emerg] host not found in upstream "iredmail" in /etc/nginx/sites-enabled/mailserver.example.com:12
nginx: configuration file /etc/nginx/nginx.conf test failed

But all is okay with 0.0.0.0

@peterpekny

peterpekny commented Nov 30, 2024

I started solving the same issue now, but it seems to me the only way will be to mount an external volume to the container at /iredmail/data/custom/nginx/ and do the setup of the nginx (inside container) port here.

The proxy_pass https://0.0.0.0:8443; looks amazing (I found nearly no issue), but loading contacts from the list when writing a message does not work in this setup, so it seems something is still not working properly.

@peterpekny

peterpekny commented Nov 30, 2024

OK, I was playing a bit, and it worked with this nginx vhost for me. I did not want to customize the iredmail container, and it looks to be without any issue.

server {
    listen 443 ssl;
    server_name mail.mymail.com;

    # Logging properties
    error_log /var/log/nginx/mail-error.log debug;
    access_log /var/log/nginx/mail-access.log;

    # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/mail.mymail.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mail.mymail.com/privkey.pem; # managed by Certbot

    # HSTS - HSTS (custom)
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # reverse proxy setup
    location / {
        proxy_pass https://127.0.0.1:444; # Forward to docker container
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        #proxy_set_header X-Forwarded-Proto $scheme; # I am not sure which one is better
        proxy_set_header X-Forwarded-Proto https;  # I am not sure which one is better
        proxy_set_header X-Forwarded-Port 443;

        # Do not check certificate
        proxy_ssl_verify off; 

        # Required for new HTTP-based CLI
        proxy_http_version 1.1; # important for contact form
        proxy_request_buffering off;
        proxy_buffering off;

    }
}
# Always redirect to https
server {
    listen 80;
    server_name mail.mymail.com;

    return 301 https://$host$request_uri;
}

Command running the iredmail container:

docker run -d --restart unless-stopped --name iredmail --env-file /iredmail/iredmail-docker.conf --hostname mail.mymail.com -p 81:80 -p 444:443 -p 110:110 -p 995:995 -p 143:143 -p 993:993 -p 25:25 -p 465:465 -p 587:587 -v /iredmail/data/backup-mysql:/var/vmail/backup/mysql -v /iredmail/data/mailboxes:/var/vmail/vmail1 -v /iredmail/data/mlmmj:/var/vmail/mlmmj -v /iredmail/data/mlmmj-archive:/var/vmail/mlmmj-archive -v /iredmail/data/imapsieve_copy:/var/vmail/imapsieve_copy -v /iredmail/data/custom:/opt/iredmail/custom -v /iredmail/data/ssl:/opt/iredmail/ssl -v /iredmail/data/mysql:/var/lib/mysql -v /iredmail/data/clamav:/var/lib/clamav -v /iredmail/data/sa_rules:/var/lib/spamassassin -v /iredmail/data/postfix_queue:/var/spool/postfix iredmail/mariadb:stable
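
The run commands in this thread publish the container's web ports with -p 81:80 -p 444:443, which binds them on every host interface, so https://myip:444/mail stays reachable alongside the nginx vhost; publishing them as -p 127.0.0.1:81:80 -p 127.0.0.1:444:443 leaves the host's nginx as the only way in. The check below is an added example, not code from the thread or from the iRedMail project; the function name wildcard_bindings and the sample Ports strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: list container ports that are published on every host
# interface although they should be reachable only through the host's nginx.

# wildcard_bindings PORTS CONTAINER_PORT...
#   PORTS is one container's value from: docker ps --format '{{.Ports}}'
#   Prints "hostaddr:hostport->containerport" for each named container port
#   that is bound to 0.0.0.0, :: or [::]. Prints nothing when all are private.
wildcard_bindings() {
    ports=$1; shift
    old_ifs=$IFS
    set -f                      # "[::]" must not be treated as a glob
    IFS=,                       # docker separates mappings with ", "
    for m in $ports; do
        IFS=$old_ifs
        m=$(printf '%s' "$m" | tr -d ' ')
        case $m in *'->'*) ;; *) continue ;; esac   # exposed, not published
        host=${m%%->*}          # 0.0.0.0:444, [::]:444 or :::444
        cport=${m##*->}         # 443/tcp
        cport=${cport%%/*}      # 443
        addr=${host%:*}         # drop the trailing :hostport
        for want in "$@"; do
            [ "$cport" = "$want" ] || continue
            case $addr in
                0.0.0.0|::|'[::]') printf '%s->%s\n' "$host" "$cport" ;;
            esac
        done
    done
    IFS=$old_ifs
    set +f
}

# Constructed samples of the Ports column (not captured from the thread):
# "-p 81:80 -p 444:443 -p 25:25" as posted, then the web ports on loopback.
AS_POSTED='0.0.0.0:81->80/tcp, [::]:81->80/tcp, 0.0.0.0:444->443/tcp, [::]:444->443/tcp, 0.0.0.0:25->25/tcp'
LOOPBACK='127.0.0.1:81->80/tcp, 127.0.0.1:444->443/tcp, 0.0.0.0:25->25/tcp'

echo "as posted:";     wildcard_bindings "$AS_POSTED" 80 443
echo "loopback only:"; wildcard_bindings "$LOOPBACK" 80 443
```

On a live host the first argument would come from docker ps --filter name=iredmail --format '{{.Ports}}'; port 25 is left out of the check because SMTP has to stay publicly reachable.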
