starcraft66/infrastructure

Question about Kerio & Traefik

Closed this issue · 3 comments

Hey, you're the only one I've seen that uses Kerio in combination with Traefik.
At least it looks that way to me.

You are even running Kerio in a docker container xD

However, you can expose all ports through the firewall, but you have to expose 443 through Traefik.
And I don't see how you're doing that; can you post your labels or Traefik snippets?

What I mean, for example, is: I have a pretty nice nginx reverse proxy for it and I'm exposing:

mail.mydomain.com ->
location        /               { return 301 /webmail/; }
location        /integration    { proxy_pass https://127.0.0.1:8843/integration; }
location        /ews            { proxy_pass https://127.0.0.1:8843/ews; }
location        /Microsoft-Server-ActiveSync    { proxy_pass https://127.0.0.1:8843/Microsoft-Server-ActiveSync; }
location        /setup          { proxy_pass https://127.0.0.1:8843/setup; }
location        /custom         { proxy_pass https://127.0.0.1:8843/custom; }
location        /webmail        { proxy_pass https://127.0.0.1:8843/webmail; }
location        /weblib         { proxy_pass https://127.0.0.1:8843/weblib; }
location        = /favicon.ico  { empty_gif; }

and additionally:

autodiscover.mydomain.com ->
location /autodiscover { proxy_pass https://127.0.0.1:8843/autodiscover; }
location /Autodiscover { proxy_pass https://127.0.0.1:8843/Autodiscover; }
if ($host ~* ^autodiscover\.(.*)) {
        set $discover_mail mail.$1;
}
proxy_set_header        Host            $discover_mail;

The last snippet rewrites autodiscover.mydomain.tld to mail.mydomain.tld in the Host header, because Kerio is stupid...

And additionally, as you can see above, I don't expose the Kerio admin interface on mail.mydomain.tld for security reasons;
I'm exposing it on a separate domain -> mailadmin.domain.tld (this one I don't expose to the public web, only to a VPN network).
But that's the snippet:

location        /admin          { proxy_pass https://127.0.0.1:4040/admin; }
location        /custom         { proxy_pass https://127.0.0.1:4040/custom; }
location        /webmail        { proxy_pass https://127.0.0.1:4040/webmail; }
location        /weblib         { proxy_pass https://127.0.0.1:4040/weblib; }
location = /favicon.ico { empty_gif; }

Additionally, Traefik would need some headers like nginx does, but that's easy; at least I know how to do that.

However, my problem is that I really have trouble with Traefik.
Nginx is so easy for me, because I know everything there, but Traefik....

I'm not asking you to rewrite my configs or anything.

Just if you have Traefik-related snippets for Kerio that could help me, so I could take them as examples.

Thank you :-)

I could certainly proxy kerio's webmail/admin interfaces through traefik as a reverse proxy the way you are describing. In fact, all of the IMAP/POP/XMPP/whatever ports could also be passed through traefik via TCP/UDP entrypoints.

The reason I am completely bypassing traefik and exposing kerio directly to the internet is that I am co-locating kerio on a server with a completely different host of software for separate projects; I just have dedicated IP addresses for kerio and haven't mixed it with any other services. This is just an implementation detail on my end. My kerio installation isn't even actively used anymore and just exists to fetch historical email, so I haven't bothered to make it any cleaner.

However, you can expose all ports through the firewall, but you have to expose 443 through Traefik.
And I don't see how you're doing that; can you post your labels or Traefik snippets?

If I understand correctly, you are asking me how I am exposing both traefik and kerio on port 443. This is simply because I bind traefik and kerio to separate IP addresses, both on port 443.

Just if you have Traefik-related snippets for Kerio that could help me, so I could take them as examples.

I don't have any on hand for Kerio specifically, but there are tons of examples on the web on how traefik's config works. You'll need an EntryPoint and a Service for every service port you want to proxy to kerio, and a bunch of Routers which will direct traffic from your entrypoints to the backend services. The routers will contain the rules equivalent to your nginx location and proxy_pass directives.

I'll close this issue but leave it open for comments since it isn't really an issue with regards to the contents of the repo.
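As an added example (not the repository's own config and not something the maintainer posted), here is a traefik v2 file-provider dynamic configuration that translates the nginx snippets from the question above into the EntryPoint/Router/Middleware/Service model: the hostnames, the `websecure` entrypoint, the VPN range 10.8.0.0/24, the `kerio` backend address and the CA file path are assumptions.

```yaml
http:   # added example, not the repo's config; hostnames, VPN range, entrypoint and backend address are assumptions
  routers:
    kerio-root:
      rule: "Host(`mail.mydomain.com`)"   # shortest rule = lowest priority, plays the role of nginx "location /"
      entryPoints: [websecure]
      middlewares: [webmail-redirect]
      service: kerio-web
      tls: {}
    kerio-web:
      rule: "Host(`mail.mydomain.com`) && PathPrefix(`/integration`, `/ews`, `/Microsoft-Server-ActiveSync`, `/setup`, `/custom`, `/webmail`, `/weblib`)"
      entryPoints: [websecure]
      service: kerio-web
      tls: {}
    kerio-autodiscover:
      rule: "Host(`autodiscover.mydomain.com`) && PathPrefix(`/autodiscover`, `/Autodiscover`)"
      entryPoints: [websecure]
      middlewares: [autodiscover-host]
      service: kerio-web
      tls: {}
    kerio-admin:   # admin UI on its own hostname, only reachable from the VPN range
      rule: "Host(`mailadmin.mydomain.com`) && PathPrefix(`/admin`, `/custom`, `/webmail`, `/weblib`)"
      entryPoints: [websecure]
      middlewares: [vpn-only]
      service: kerio-admin
      tls: {}
  middlewares:
    webmail-redirect:
      redirectRegex:
        regex: "^https://mail\\.mydomain\\.com/.*"
        replacement: "https://mail.mydomain.com/webmail/"
        permanent: true
    autodiscover-host:   # same Host rewrite as the nginx proxy_set_header above
      headers:
        customRequestHeaders:
          Host: "mail.mydomain.com"
    vpn-only:
      ipWhiteList:
        sourceRange: ["10.8.0.0/24"]
  services:
    kerio-web:
      loadBalancer:
        serversTransport: kerio-tls
        servers: [{url: "https://kerio:8843"}]
    kerio-admin:
      loadBalancer:
        serversTransport: kerio-tls
        servers: [{url: "https://kerio:4040"}]
  serversTransports:
    kerio-tls:   # Kerio serves its own cert: pin its CA instead of insecureSkipVerify
      rootCAs: ["/etc/traefik/kerio-ca.pem"]
```

The nginx `empty_gif` favicon handler has no direct traefik equivalent and is omitted. In traefik v3 the allow-list middleware is named `ipAllowList` and a multi-argument `PathPrefix` has to be written as several terms joined with `||`.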

Nah, if you have a separate IP for Kerio, that makes everything a lot easier :-)
I have a Proxmox server with one IP xD
passing the whole network card to the OPNsense VM, and I have an internal virtual bridged network xD

However, I could simply get a second IP, but that's like an extra 5€/month, so not worth it.

About the basics of how Traefik works, I know that; I just probably need an example about /locations, but I think I'll find that somewhere either way.

What did you switch to, if you don't use Kerio anymore?
There isn't much that supports ActiveSync, and yes I know, there is a PHP ActiveSync project that adds ActiveSync functionality to every IMAP server...
But PHP is too slow for that in my opinion, so I tried it and abandoned it xD

Thanks for the fast reply btw!

About the basics of how Traefik works, I know that; I just probably need an example about /locations, but I think I'll find that somewhere either way.

Take a look at the traefik routing Rules. This should cover your use case.

What did you switch to?

Nothing, I still use kerio for old mail and I simply don't run email anymore for this particular setup. Sorry but I can't help on that front 😂