Try #2300:

core/nginx/conf/nginx.conf

@@ -286,6 +286,12 @@ mail {
     ssl_session_cache shared:SSLMAIL:50m;
     {% endif %}
 
+    {% if PROXY_PROTOCOL == 'true' %}
+    {% if REAL_IP_FROM %}{% for from_ip in REAL_IP_FROM.split(',') %}
+    set_real_ip_from {{ from_ip }};
+    {% endfor %}{% endif %}
+    {% endif %}
+
     # Advertise real capabilites of backends (postfix/dovecot)
     smtp_capabilities PIPELINING SIZE {{ MESSAGE_SIZE_LIMIT }} ETRN ENHANCEDSTATUSCODES 8BITMIME DSN;
     pop3_capabilities TOP UIDL RESP-CODES PIPELINING AUTH-RESP-CODE USER;
@@ -309,8 +315,8 @@ mail {
 
     # SMTP is always enabled, to avoid losing emails when TLS is failing
     server {
-      listen 25;
-      listen [::]:25;
+      listen 25 {% if PROXY_PROTOCOL == 'true' %}proxy_protocol{% endif %};
+      listen [::]:25 {% if PROXY_PROTOCOL == 'true' %}proxy_protocol{% endif %};
       {% if TLS and not TLS_ERROR %}
       {% if TLS_FLAVOR in ['letsencrypt','mail-letsencrypt'] %}
       ssl_certificate /certs/letsencrypt/live/mailu/fullchain.pem;
@@ -329,8 +335,8 @@ mail {
     # All other protocols are disabled if TLS is failing
     {% if not TLS_ERROR %}
     server {
-      listen 143;
-      listen [::]:143;
+      listen 143 {% if PROXY_PROTOCOL == 'true' %}proxy_protocol{% endif %};
+      listen [::]:143 {% if PROXY_PROTOCOL == 'true' %}proxy_protocol{% endif %};
       {% if TLS %}
       starttls only;
       {% endif %}
@@ -340,8 +346,8 @@ mail {
     }
 
     server {
-      listen 110;
-      listen [::]:110;
+      listen 110 {% if PROXY_PROTOCOL == 'true' %}proxy_protocol{% endif %};
+      listen [::]:110 {% if PROXY_PROTOCOL == 'true' %}proxy_protocol{% endif %};
       {% if TLS %}
       starttls only;
       {% endif %}
@@ -351,8 +357,8 @@ mail {
     }
 
     server {
-      listen 587;
-      listen [::]:587;
+      listen 587 {% if PROXY_PROTOCOL == 'true' %}proxy_protocol{% endif %};
+      listen [::]:587 {% if PROXY_PROTOCOL == 'true' %}proxy_protocol{% endif %};
       {% if TLS %}
       starttls only;
       {% endif %}
@@ -361,26 +367,53 @@ mail {
       auth_http_header Auth-Port 587;
     }
 
+    {% if EMAIL_PROXYED == 'true' %}
+    # Proxied endpoints (no encryption, but authentication)
+    server {
+      listen 11587 {% if PROXY_PROTOCOL == 'true' %}proxy_protocol{% endif %};
+      listen [::]:11587 {% if PROXY_PROTOCOL == 'true' %}proxy_protocol{% endif %};
+      protocol smtp;
+      smtp_auth plain login;
+      auth_http_header Auth-Port 587;
+    }
+
+    server {
+      listen 11143 {% if PROXY_PROTOCOL == 'true' %}proxy_protocol{% endif %};
+      listen [::]:11143 {% if PROXY_PROTOCOL == 'true' %}proxy_protocol{% endif %};
+      protocol imap;
+      imap_auth plain;
+      auth_http_header Auth-Port 143;
+    }
+
+    server {
+      listen 11110 {% if PROXY_PROTOCOL == 'true' %}proxy_protocol{% endif %};
+      listen [::]:11110 {% if PROXY_PROTOCOL == 'true' %}proxy_protocol{% endif %};
+      protocol pop3;
+      pop3_auth plain;
+      auth_http_header Auth-Port 110;
+    }
+    {% endif %}
+
     {% if TLS %}
     server {
-      listen 465 ssl;
-      listen [::]:465 ssl;
+      listen 465 ssl {% if PROXY_PROTOCOL == 'true' %}proxy_protocol{% endif %};
+      listen [::]:465 ssl {% if PROXY_PROTOCOL == 'true' %}proxy_protocol{% endif %};
       protocol smtp;
       smtp_auth plain login;
       auth_http_header Auth-Port 465;
     }
 
     server {
-      listen 993 ssl;
-      listen [::]:993 ssl;
+      listen 993 ssl {% if PROXY_PROTOCOL == 'true' %}proxy_protocol{% endif %};
+      listen [::]:993 ssl {% if PROXY_PROTOCOL == 'true' %}proxy_protocol{% endif %};
       protocol imap;
       imap_auth plain;
       auth_http_header Auth-Port 993;
     }
 
     server {
-      listen 995 ssl;
-      listen [::]:995 ssl;
+      listen 995 ssl {% if PROXY_PROTOCOL == 'true' %}proxy_protocol{% endif %};
+      listen [::]:995 ssl {% if PROXY_PROTOCOL == 'true' %}proxy_protocol{% endif %};
       protocol pop3;
       pop3_auth plain;
       auth_http_header Auth-Port 995;

docs/configuration.rst

@@ -205,6 +205,14 @@ The ``LETSENCRYPT_SHORTCHAIN`` (default: False) setting controls whether we send
 
 The ``REAL_IP_HEADER`` (default: unset) and ``REAL_IP_FROM`` (default: unset) settings controls whether HTTP headers such as ``X-Forwarded-For`` or ``X-Real-IP`` should be trusted. The former should be the name of the HTTP header to extract the client IP address from and the later a comma separated list of IP addresses designating which proxies to trust. If you are using Mailu behind a reverse proxy, you should set both. Setting the former without the later introduces a security vulnerability allowing a potential attacker to spoof his source address.
 
+The ``EMAIL_PROXYED`` enables an additional sets of ports that can be used as entrypoint
+to Mailu for a mail proxy. Enabling this does not impact the other port sets.
+Thi sets of ports (``11587``, ``11143``, ``11110``) have authentication enabled and login throttleing.
+
+The ``PROXY_PROTOCOL`` enables the front container to receive TCP connections with the
+`HA PROXY <https://www.haproxy.org/download/2.0/doc/proxy-protocol.txt>`_  protocol, enabling this require all ports sets 
+with the exception of 80 and 443, to use the ``PROXY`` protocol. Ths requires to have a valid ``REAL_IP_FROM``. See more :ref:`reverse_proxy`.
+
 The ``TZ`` sets the timezone Mailu will use. The timezone naming convention usually uses a ``Region/City`` format. See `TZ database name`_  for a list of valid timezones This defaults to ``Etc/UTC``. Warning: if you are observing different timestamps in your log files you should change your hosts timezone to UTC instead of changing TZ to your local timezone. Using UTC allows easy log correlation with remote MTAs.
 
 .. _`TZ database name`: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones

docs/reverse.rst

@@ -1,3 +1,4 @@
+.. _reverse_proxy:
 Using an external reverse proxy
 ===============================
 

towncrier/newsfragments/1472.feature

@@ -0,0 +1 @@
+Provide HA Proxy protocol support for email endpoints