diff --git a/core/base/libs/socrate/socrate/system.py b/core/base/libs/socrate/socrate/system.py
index fe233a5b..ec726433 100644
--- a/core/base/libs/socrate/socrate/system.py
+++ b/core/base/libs/socrate/socrate/system.py
@@ -108,8 +108,39 @@ def set_env(required_secrets=[], log_filters=[]):
 }
 def clean_env():
- """ remove all secret keys """
+ """ remove all secret keys, normalize PROXY_PROTOCOL """
 [os.environ.pop(key, None) for key in os.environ.keys() if key.endswith("_KEY")]
+ # Configure PROXY_PROTOCOL
+ PROTO_MAIL=['25', '110', '995', '143', '993', '587', '465', '4190']
+ PROTO_ALL_BUT_HTTP=PROTO_MAIL.copy()
+ PROTO_ALL_BUT_HTTP.extend(['443'])
+ PROTO_ALL=PROTO_ALL_BUT_HTTP.copy()
+ PROTO_ALL.extend(['80'])
+ for item in os.environ.get('PROXY_PROTOCOL', '').split(','):
+ if item.isdigit():
+ os.environ[f'PROXY_PROTOCOL_{item}']=True
+ elif item == 'mail':
+ for p in PROTO_MAIL: os.environ[f'PROXY_PROTOCOL_{p}']=True
+ elif item == 'all-but-http':
+ for p in PROTO_ALL_BUT_HTTP: os.environ[f'PROXY_PROTOCOL_{p}']=True
+ elif item == 'all':
+ for p in PROTO_ALL: os.environ[f'PROXY_PROTOCOL_{p}']=True
+ elif item == '':
+ pass
+ else:
+ log.error(f'Not sure what to do with {item} in PROXY_PROTOCOL ({args.get("PROXY_PROTOCOL")})')
+
+ PORTS_REQUIRING_TLS=['443', '465', '993', '995']
+ ALL_PORTS='25,80,443,465,993,995,4190'
+ for item in os.environ.get('PORTS', ALL_PORTS).split(','):
+ if item in PORTS_REQUIRING_TLS and os.environ['TLS_FLAVOR'] == 'notls':
+ continue
+ os.environ[f'PORT_{item}']=True
+
+ if os.environ['TLS_FLAVOR'] != 'notls':
+ for item in os.environ.get('TLS', ALL_PORTS).split(','):
+ if item in PORTS_REQUIRING_TLS:
+ os.environ[f'TLS_{item}']=True
 def drop_privs_to(username='mailu'):
 pwnam = getpwnam(username)
diff --git a/core/nginx/config.py b/core/nginx/config.py
index 4a381c2c..96812dba 100755
--- a/core/nginx/config.py
+++ b/core/nginx/config.py
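Review bot: Every `os.environ[...]=True` in this hunk (the PROXY_PROTOCOL_, PORT_ and TLS_ assignments, six places) will raise `TypeError: str expected, not bool` at runtime, because `os.environ` only accepts string values — this block came from config.py where it wrote into a plain `args` dict; store a string such as `'True'` instead. The `else` branch still reads `args.get("PROXY_PROTOCOL")`, and `args` is not defined in this module, so an unrecognised PROXY_PROTOCOL token turns into a `NameError` rather than the intended log line; use `os.environ.get("PROXY_PROTOCOL")` there. `os.environ['TLS_FLAVOR']` is indexed directly in two places and will raise `KeyError` if clean_env() can run before that variable is defaulted — the caller is outside this hunk, so confirm or switch to `.get()`. Because each `PROXY_PROTOCOL_<port>` flag tells that listener to take the client address from the PROXY header, a comment above the loop such as `# PROXY_PROTOCOL_<port> makes that listener trust the client address in the PROXY header; only ports reached exclusively through the proxy belong here` would record the trust decision. clean_env() is complete within the hunk; the enclosing set_env() shown in the hunk header is not.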
@@ -70,38 +70,6 @@ with open("/etc/resolv.conf") as handle:
 resolver = content[content.index("nameserver") + 1]
 args["RESOLVER"] = f"[{resolver}]" if ":" in resolver else resolver
-# Configure PROXY_PROTOCOL
-PROTO_MAIL=['25', '110', '995', '143', '993', '587', '465', '4190']
-PROTO_ALL_BUT_HTTP=PROTO_MAIL.copy()
-PROTO_ALL_BUT_HTTP.extend(['443'])
-PROTO_ALL=PROTO_ALL_BUT_HTTP.copy()
-PROTO_ALL.extend(['80'])
-for item in args.get('PROXY_PROTOCOL', '').split(','):
- if item.isdigit():
- args[f'PROXY_PROTOCOL_{item}']=True
- elif item == 'mail':
- for p in PROTO_MAIL: args[f'PROXY_PROTOCOL_{p}']=True
- elif item == 'all-but-http':
- for p in PROTO_ALL_BUT_HTTP: args[f'PROXY_PROTOCOL_{p}']=True
- elif item == 'all':
- for p in PROTO_ALL: args[f'PROXY_PROTOCOL_{p}']=True
- elif item == '':
- pass
- else:
- log.error(f'Not sure what to do with {item} in PROXY_PROTOCOL ({args.get("PROXY_PROTOCOL")})')
-
-PORTS_REQUIRING_TLS=['443', '465', '993', '995']
-ALL_PORTS='25,80,443,465,993,995,4190'
-for item in args.get('PORTS', ALL_PORTS).split(','):
- if item in PORTS_REQUIRING_TLS and args['TLS_FLAVOR'] == 'notls':
- continue
- args[f'PORT_{item}']=True
-
-if args['TLS_FLAVOR'] != 'notls':
- for item in args.get('TLS', ALL_PORTS).split(','):
- if item in PORTS_REQUIRING_TLS:
- args[f'TLS_{item}']=True
-
 # TLS configuration
 cert_name = args.get("TLS_CERT_FILENAME", "cert.pem")
 keypair_name = args.get("TLS_KEYPAIR_FILENAME", "key.pem")
diff --git a/docs/mailu-network-diagram.ipynb b/docs/mailu-network-diagram.ipynb
index 6d2a87d8..2ef1457d 100644
--- a/docs/mailu-network-diagram.ipynb
+++ b/docs/mailu-network-diagram.ipynb
@@ -561,7 +561,7 @@
 " antispam -> antivirus [label = \"3310/tcp\";];\n",
 " \n",
 " fetchmail -> admin [label = \"8080/tcp\"]\n",
- " fetchmail -> front [label = \"25/tcp\"]\n",
+ " fetchmail -> proxy [label = \"25/tcp\"]\n",
 " fetchmail -> front [label = \"2525/tcp\"]\n",
 " #\n",
 " # those don't need internet:\n",
diff --git a/optional/fetchmail/fetchmail.py b/optional/fetchmail/fetchmail.py
index a298cf53..410ce4fb 100755
--- a/optional/fetchmail/fetchmail.py
+++ b/optional/fetchmail/fetchmail.py
@@ -60,7 +60,7 @@ def run(debug):
 protocol=fetch["protocol"],
 host=escape_rc_string(fetch["host"]),
 port=fetch["port"],
- smtphost=f'{os.environ["FRONT_ADDRESS"]}' if fetch['scan'] else f'{os.environ["FRONT_ADDRESS"]}/2525',
+ smtphost=f'{os.environ["HOSTNAMES"].split(",")[0]}' if fetch['scan'] and os.environ.get('PROXY_PROTOCOL_25', False) else f'{os.environ["FRONT_ADDRESS"]}' if fetch['scan'] else f'{os.environ["FRONT_ADDRESS"]}/2525',
 username=escape_rc_string(fetch["username"]),
 password=escape_rc_string(fetch["password"]),
 options=options,
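Review bot: The new `smtphost=` argument is a doubly nested conditional expression on a single line, which makes the three possible delivery targets hard to check at a glance; a small helper with one `return` per case (below) keeps the template call readable and gives the PROXY_PROTOCOL_25 branch a place for a docstring. With PROXY_PROTOCOL_25 set, scanned mail is now submitted to `HOSTNAMES[0]` instead of the internal FRONT_ADDRESS — I cannot see from here what that name resolves to, so confirm it reaches the proxy that adds the PROXY header and that front still classifies the submission as it did before. `os.environ.get('PROXY_PROTOCOL_25', False)` tests the truthiness of whatever string clean_env() stored, so any non-empty value enables the branch. `run()` begins outside this hunk.
```python
def smtp_host_for(fetch):
    """Return the fetchmail smtphost for one fetch entry.

    Unscanned mail is injected directly on front's port 2525; scanned mail goes
    to front's port 25, or — when PROXY_PROTOCOL_25 is set — to the first
    configured hostname (presumably so the connection arrives through the proxy
    that adds the PROXY header; confirm).
    """
    if not fetch['scan']:
        return f'{os.environ["FRONT_ADDRESS"]}/2525'
    if os.environ.get('PROXY_PROTOCOL_25', False):
        return os.environ["HOSTNAMES"].split(",")[0]
    return os.environ["FRONT_ADDRESS"]

# … unchanged: run(debug) up to the fetchmailrc template call …
            smtphost=smtp_host_for(fetch),
```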