nginx proxy manager and certificate

[ljubomirb]

Hi, I've installed mail server in docker behind nginx proxy manager, passing mail.domain.com to domain.com:somedockerport_8080.
I've also opened 25, 465, 993 ports in digital ocean firewall (and pass this ports in docker).

Nginx proxy manger received lets encrypt certificate, I can open mail.domain.com in browser, it is as expected. However, when i do:
openssl s_client -connect domain.com:465

I can see in first lines that certificate is self signed.

I also cannot make it "autoconfigure" or "autoconnect" in K-9 mail, or thunderbird (don't know it is same self signed cert problem).

Is this expected? Should i not do let's encrypt on npm, but pass it as https simply to mail server, and there see if i can generate lets encrypt certificate?
I'm sorry, I can't find nothing in instructions about this, other then if I use proxy, i skip generate certificate part.

[afontenot]

I bumped into this while I was setting up Stalwart behind Nginx.

passing mail.domain.com to domain.com:somedockerport_8080

Which ports exactly are you listening for in your Nginx configuration, and are they all forwarded to 8080? Is Stalwart listening for HTTP or HTTPS on that port?

Nginx proxy manger received lets encrypt certificate, I can open mail.domain.com in browser, it is as expected. However, when i do: openssl s_client -connect domain.com:465

I can see in first lines that certificate is self signed.

Unless you've set up a stream configuration as described in the documentation, then the issue is that you're terminating TLS for the HTTPS protocol with Nginx, but port 465 (smtp) is also TLS encrypted and is handled in your configuration by Stalwart. You need to provide Stalwart with a valid certificate for your mail domain, as otherwise it will fall back to a self-signed cert.

See the notes in the documentation for how to do that. If you're using certbot and automated renewals, you might check out this user's solution to provide Stalwart with access to an updated certificate in a secure and automatic way. I imagine using Docker will introduce some additional complications.

If you switch to using the stream module as recommended, you can either have Stalwart procure it's own TLS certificate, or you can terminate TLS for all protocols via Nginx with ngx_stream_ssl_module if you'd prefer. Note that the latter approach is incompatible with STARTTLS.

[ljubomirb]

So, the main issue here is probably that I did not understand that ssl certificate is needed twice. Once for web admin part, and other time for mail itself. I'm probably wrong. In any case, after a lot of experimenting, i've come to conclusion that for me, the least pain solution is to simply open certificate from disk, where nginx proxy manager gets it, copy paste its content to stalwart certificate spaces, and do this every 2-3 months.
This means a lot of work that will be forgotten sometimes, but if developers recognize this issue as something more in common, they will make some solution. Otherwise, my experience tells me that anything I do as "hackish" solution will fall apart in 1 year at most, with either newer version of software, OS change or my error. But thanks for your effort!