To run docker-mailserver behind a reverse proxy (e.g. Traefik) and preserve client IPs, enable PROXY protocol and point internal addresses at the proxy.
In .env:
MDA_UPSTREAM_PROXY=true
MTA_UPSTREAM_PROXY=trueMDA_UPSTREAM_PROXY applies to IMAP, IMAPS, POP3, POP3S. MTA_UPSTREAM_PROXY applies to SMTP and submission (587).
If the web interface is behind a proxy, set trusted proxy IPs:
TRUSTED_PROXIES=10.0.0.0/8Use your proxy’s CIDR range(s).
When traffic goes through the proxy, configure internal service addresses to point at the proxy’s internal host/ports, not directly at MTA/MDA. Example for a Traefik internal service:
MDA_IMAP_ADDRESS=traefik-internal:33143
MDA_IMAPS_ADDRESS=traefik-internal:33993
MDA_POP3_ADDRESS=traefik-internal:33110
MDA_POP3S_ADDRESS=traefik-internal:33995
MTA_SMTP_ADDRESS=traefik-internal:3325
MTA_SMTP_SUBMISSION_ADDRESS=traefik-internal:33587Adjust host and port names to match your Traefik configuration.
To use the provided Traefik ingress with Kustomize, add:
resources:
- deploy/kustomize/ingress/traefikThis adds IngressRoutes for SMTP (25), submission (587), IMAP (143), IMAPS (993), POP3 (110), POP3S (995). Configure entry points and PROXY protocol (v2) on the Traefik side to match.
- Check Traefik logs and IngressRoutes.
- Test connectivity to SMTP, submission, IMAP, and POP3 on the proxy’s public ports.
For variable details, see Environment variables reference (Proxy Protocol and Service Addresses). For a Docker Compose example, see Traefik reverse proxy example.