diff --git a/docker/kolab/utils/24-roundcubeconfig.sh b/docker/kolab/utils/24-roundcubeconfig.sh
--- a/docker/kolab/utils/24-roundcubeconfig.sh
+++ b/docker/kolab/utils/24-roundcubeconfig.sh
@@ -11,3 +11,24 @@
 
 echo "\$config['enigma_woat'] = true;" >> /etc/roundcubemail/enigma.inc.php
 
+# Run it over nginx for 2fa. We need to use startls because otherwise the proxy protocol doesn't work.
+sed -i -r -e "s|$config\['default_host'\] = .*$|$config['default_host'] = 'tls://127.0.0.1';|g" /etc/roundcubemail/config.inc.php
+sed -i -r -e "s|$config\['default_port'\] = .*$|$config['default_port'] = 144;|g" /etc/roundcubemail/config.inc.php
+
+# So we can just append
+sed -i "s/?>//g" /etc/roundcubemail/config.inc.php
+
+# Enable the PROXY protocol
+cat << EOF >> /etc/roundcubemail/config.inc.php
+    \$config['imap_conn_options'] = Array(
+            'ssl' => Array(
+                    'verify_peer_name' => false,
+                    'verify_peer' => false,
+                    'allow_self_signed' => true
+                ),
+            'proxy_protocol' => 2
+        );
+    \$config['proxy_whitelist'] = array('127.0.0.1');
+EOF
+
+echo "?>" >> /etc/roundcubemail/config.inc.php
diff --git a/docker/nginx/nginx.conf b/docker/nginx/nginx.conf
--- a/docker/nginx/nginx.conf
+++ b/docker/nginx/nginx.conf
@@ -32,6 +32,20 @@
     }
 
     server {
+        listen 144 proxy_protocol;
+        protocol imap;
+
+        proxy on;
+        starttls on;
+
+        ssl_certificate SSL_CERTIFICATE_CERT;
+        ssl_certificate_key SSL_CERTIFICATE_KEY;
+
+        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+        ssl_ciphers HIGH:!aNULL:!MD5;
+    }
+
+    server {
         listen 465 ssl;
         protocol smtp;
 
diff --git a/src/app/Http/Controllers/API/V4/NGINXController.php b/src/app/Http/Controllers/API/V4/NGINXController.php
--- a/src/app/Http/Controllers/API/V4/NGINXController.php
+++ b/src/app/Http/Controllers/API/V4/NGINXController.php
@@ -177,12 +177,18 @@
          */
 
         $password = $request->headers->get('Auth-Pass', null);
+        $username = $request->headers->get('Auth-User', null);
+        $ip = $request->headers->get('Client-Ip', null);
+        $proxy_ip = $request->headers->get('Proxy-Protocol-Addr', null);
+        if ($proxy_ip) {
+            $ip = $proxy_ip;
+        }
 
         try {
             $user = $this->authorizeRequest(
-                $request->headers->get('Auth-User', null),
+                $username,
                 $password,
-                $request->headers->get('Client-Ip', null),
+                $ip,
             );
         } catch (\Exception $e) {
             return $this->byebye($request, $e->getMessage());