👍

Reference:

• https://doc.traefik.io/traefik/routing/routers/#passthrough
• https://traefik.io/blog/traefik-2-tls-101-23b4fbee81f1/#what-about-passthrough

Doesn't require tls=false, but should hand the traffic over to DMS on port 465 encrypted, and DMS will handle the connection (and presumably certs).

Related:

• HostSNI must either be an explicit value with no wildcard, or only *.
• Ports that use StartTLS instead should not proxy through Traefik for TLS/certs, they need to establish a plain-text connection to DMS ports to upgrade to TLS explicitly, so .tls=false is appropriate for those TCP router port configs AFAIK as Traefik does not support StartTLS:
  • question: How to configure Traefik to proxy inbound mail connections via Port 25 (StartTLS) #3563 (comment)
  • question: How to configure Traefik to proxy inbound mail connections via Port 25 (StartTLS) #3563 (comment)

I think you meant to reference the imap-ssl router not esmtp?:

I'm not familiar with why the proxyProtocol.version is sometimes 1 or 2, perhaps due to Postfix / Dovecot support? I understand it's to ensure that the original client IP is handed over correctly so it doesn't get misunderstood as directly from Traefik. But I'm not sure if that's required for each different supported way that Traefik routes to different DMS ports 🤷‍♂️