Port configuration when Chatmail and Nginx are on different machines

Hello,

I have installed a Chatmail server, it works but it is very slow. I wonder if it might have something to do with my port configuration.

I have a VPS where I run Wireguard, it acts as a VPN server.

Then, at home, I have two different servers: the Chatmail relay and an Nginx Proxy Manager. They both run wireguard to make their services available through the VPS public IP address, so each of these two servers has its own tunnel ending in my VPN server.

I am not sure which ports I should funnel through each of the two tunnels. I would say ports 8443, 443 and 80 should be configured in the Nginx Proxy Manager (NPM) tunnel, and ports 25, 587, 465, 143, 993 and all UDP ports should be configured in the Chatmail tunnel; however, there is this line in the documentation which makes me hesitate:

“443 (HTTPS) which multiplexes HTTPS, IMAP and SMTP using ALPN to redirect connections to ports 8443, 465 or 993”

I do not fully understand it, but it makes me doubt my configuration with different machines and different tunnels.

Is my suggested configuration ok? Should I change anything?

In case it is needed, Nginx Proxy Manager also has this “Streams” feature which allows you to forward ports.

Thank you.


Sorry, I meant it is sometimes very slow, sometimes it works ok, so maybe that’s another story. But anyway I still have the same questions.

If you used the standard deployment script, then according to Setting up a reverse proxy, it should be sufficient to forward the necessary ports to the Chatmail relay, without an additional Proxy Manager.

Did you run scripts/cmdeploy test, and what did it say?

My understanding of the ALPN configuration is that it allows connections to SMTPS and IMAPS over port 443, for situations where mail ports are blocked.

In your Nginx proxy manager you should still be able to use this configuration:

load_module modules/ngx_stream_module.so;

stream {
    # Pick the upstream from the ALPN list the client sends in its ClientHello
    # (read by ssl_preread; the TLS session itself is not terminated here).
    map $ssl_preread_alpn_protocols $proxy {
        # keep this, make all your other vhosts listen on 127.0.0.1:8443 so they
        # keep working, and add a new vhost for chatmail which will proxy HTTPS
        # to the chatmail server ip
        default 127.0.0.1:8443;
        ~\bsmtp\b 127.0.0.1:465;  # change this to chatmail server ip
        ~\bimap\b 127.0.0.1:993;  # change this to chatmail server ip
    }

    server {
        listen 443;
        listen [::]:443;

        proxy_pass $proxy;
        ssl_preread on;
    }
}

Just change the 127.0.0.1 to the IP address of the other server where the rest of the Chatmail services are running. Though if you have other 443 related services on this Nginx Proxy manager, you’ll need to make those all listen on 127.0.0.1:8443 now. Then set up a vhost on 127.0.0.1:8443 to match your chatmail domain which will then reverse proxy over to the same server you’re forwarding the smtp and imap to. Everything should work correctly then.
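To make concrete what the `ssl_preread` map above keys on, here is an added example (not code from the forum post or from the Chatmail project) that parses the ALPN extension out of a raw TLS ClientHello and picks the same upstream the map would: `smtp` to 465, `imap` to 993, anything else (or no ALPN at all) to 8443. The Chatmail relay address 10.0.0.2 and the minimal ClientHello builder used as sample input are constructed for this example.

```python
"""Route a TLS ClientHello by its ALPN list, mirroring the nginx stream map."""
import struct

# Constructed addresses: 10.0.0.2 stands in for the Chatmail relay's IP.
BACKENDS = {"smtp": ("10.0.0.2", 465), "imap": ("10.0.0.2", 993)}
DEFAULT = ("127.0.0.1", 8443)  # HTTPS vhosts on the proxy host itself


def alpn_protocols(record):
    """Return the ALPN names advertised in a TLS record holding a ClientHello."""
    # Record header: type(1) version(2) length(2); handshake header: type(1) length(3)
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return []
    p = 9 + 2 + 32                                   # skip client_version and random
    p += 1 + record[p]                               # session_id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]  # cipher_suites
    p += 1 + record[p]                               # compression_methods
    if p + 2 > len(record):
        return []                                    # no extensions block at all
    ext_len = struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    end = p + ext_len
    while p + 4 <= end:
        ext_type, elen = struct.unpack("!HH", record[p:p + 4])
        p += 4
        if ext_type == 16:                           # application_layer_protocol_negotiation
            q, names = p + 2, []                     # skip protocol_name_list length
            while q < p + elen:
                n = record[q]
                names.append(record[q + 1:q + 1 + n].decode("ascii"))
                q += 1 + n
            return names
        p += elen
    return []


def choose_backend(record):
    """Same decision as the map: regexes are tried in the order written, else default."""
    names = alpn_protocols(record)
    for proto, backend in BACKENDS.items():
        if proto in names:                           # exact name, like \bsmtp\b
            return backend
    return DEFAULT


def build_client_hello(alpns):
    """Constructed minimal TLS 1.2-style ClientHello carrying the given ALPN names."""
    names = b"".join(bytes([len(a)]) + a.encode("ascii") for a in alpns)
    ext = b"" if not alpns else struct.pack("!HHH", 16, len(names) + 2, len(names)) + names
    body = (b"\x03\x03" + bytes(32) + b"\x00"        # version, random, empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"     # one cipher suite
            + b"\x01\x00"                            # one compression method (null)
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Running `choose_backend(build_client_hello(["h2", "http/1.1"]))` shows that a browser-style hello falls through to the 8443 default while `["imap"]` or `["smtp"]` is routed to the relay.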