Issues getting non-encrypted smtp relay to work with plausible

[tvaril]

Hi, I have been searching some help but could not find any working solution yet here. I have docker stack with 19 other containers one of them is postfix as smtp-relay host for all containers on port 25. It is simple, it listens within docker network called caddynet and it accepts request without SSL/TLS or STARTTLS. It is working with matomo, nextcloud, grafana and wordpress. But cannot get plausible to work. Any idea, what might help? Seems like plausible is always forcing some sort of encryption even when I disabled it in compose.override.yml. Plausible is running in its own stack.

Here is my compose.override.yml:

services:
  plausible_db:
    networks:
      default:
      caddynet: {}

  plausible_events_db:
    networks:
      default:
      caddynet: {}

  plausible:
    image: ghcr.io/plausible/community-edition:v3.1.0
    environment:
      - TOTP_VAULT_KEY=XXXXXXX
      - DISABLE_REGISTRATION=invite_only
      - GOOGLE_CLIENT_ID=xxxxxxxxxxxxxxx.apps.googleusercontent.com
      - GOOGLE_CLIENT_SECRET=XXXXXXX
      - MAXMIND_LICENSE_KEY=XXXXXXX
      - MAXMIND_EDITION=GeoLite2-City
      - MAILER_ADAPTER=Bamboo.Mua
      - [email protected]
      - MAILER_NAME="Plausible Analytics"
      - SMTP_HOST_ADDR=smtp-relay
      - SMTP_HOST_PORT=25
      - SMTP_USER_NAME=
      - SMTP_USER_PWD=
      - SMTP_HOST_SSL_ENABLED=false
      - SMTP_HOST_TLS_ENABLED=false
    networks:
      default:
      caddynet: {}

networks:
  caddynet:
    external: true

Here is plausible container error log:

plausible-1  | 19:13:04.583 [notice] TLS :client: In state :wait_cert_cr at ssl_handshake.erl:2181 generated CLIENT ALERT: Fatal - Bad Certificate
plausible-1  |  - :selfsigned_peer
plausible-1  | 19:13:04.588 [error] Task #PID<0.5981.0> started from #PID<0.5980.0> terminating
plausible-1  | ** (Mua.TransportError) TLS client: In state wait_cert_cr at ssl_handshake.erl:2181 generated CLIENT ALERT: Fatal - Bad Certificate
plausible-1  |  selfsigned_peer
plausible-1  |     (bamboo 2.5.0) lib/bamboo/strategies/task_supervisor_strategy.ex:24: anonymous fn/3 in Bamboo.TaskSupervisorStrategy.deliver_later/3
plausible-1  |     (elixir 1.18.3) lib/task/supervised.ex:101: Task.Supervised.invoke_mfa/2
plausible-1  | Function: #Function<0.95237244/0 in Bamboo.TaskSupervisorStrategy.deliver_later/3>
plausible-1  |     Args: []

Here is postfix container log:

smtp-relay  | 2025-11-19T19:13:04.574744+00:00 INFO    postfix/smtpd[10056]: connect from plausible-ce-plausible-1.caddynet[172.19.0.11]
smtp-relay  | 2025-11-19T19:13:04.583985+00:00 INFO    postfix/smtpd[10056]: SSL_accept error from plausible-ce-plausible-1.caddynet[172.19.0.11]: -1
smtp-relay  | 2025-11-19T19:13:04.584010+00:00 WARNING postfix/smtpd[10056]: warning: TLS library problem: error:0A000412:SSL routines::sslv3 alert bad certificate:../ssl/record/rec_layer_s3.c:1605:SSL alert number 42:
smtp-relay  | 2025-11-19T19:13:04.584063+00:00 INFO    postfix/smtpd[10056]: lost connection after STARTTLS from plausible-ce-plausible-1.caddynet[172.19.0.11]
smtp-relay  | 2025-11-19T19:13:04.584211+00:00 INFO    postfix/smtpd[10056]: disconnect from plausible-ce-plausible-1.caddynet[172.19.0.11] ehlo=1 starttls=0/1 commands=1/2

I also tried to remove following lines from compose.override.yml but did not help

- SMTP_USER_NAME=
- SMTP_USER_PWD=
- SMTP_HOST_TLS_ENABLED=false

[tvaril]

Finally found the root cause, so if anyone will encounter the same issue with postfix in docker, it is by default set to use TLS, so if you do not specify it in your docker compose file, it will be on. If you are using postfix within docker network a you want to use NO encryption at all, you need to add these lines in postfix docker compose file:

POSTFIX_smtpd_tls_security_level: "none"