• Resources
  • USEnglish
  • [HOWTO] Install mailcow in a LXC container on Proxmox 6.4-13 for home usage

I guess its MUCH easier to run Mailcow in a Proxmox VM with debian and docker. There is almost no overhead, as Debians footprint is quite small if you install it without GUI.

    aukfood just for limit usage of RAM, CPU etc…
    I use it on a Celeron / 8GB / SSD computer with 3 LXC containers on it.

    Not possible with 3 regular KVM machine, but ok with LXC CT.

    3 months later

    Hi all,
    Just migrate my old Proxmox 6.x to the new version 8.0.3.
    Backup the Proxmox VM (CT) and restore on the new Proxmox.

    It works like a charmn, without any preparation on the new Proxmox (Overlay and Naufs) just restore and run.
    So now, you can at least skip the first step “I - Prepare your proxmox hypervisor”

      2 months later

      esackbauer I guess its MUCH easier to run Mailcow in a Proxmox VM with debian and docker. There is almost no overhead, as Debians footprint is quite small if you install it without GUI.

      Good day, I’m new to mailcow, so this is my first post/question.

      Here’s my setup:
      one static IP –> opnsense –> proxmox –> debian 12 as VM –> mailcow-dockerized. The opnsense, proxmox and debian VM are in the same subnet. On the proxmox is running a not containerized server, also in the same subnet. No firewall(s) on the proxmox.

      Install of debian 12 went smooth, the VM is up and running. Same with mailcow-dockerized, no problems so far. mailcow is connected to a domain, DNS records are set as described. mailcow is able to send and receive email.

      During acme-challenge the static IP is detected, but it stalls with the hostname. No cert is created, BTW the server in the other machine has no problem with let’s encrypt certs. Difference for sure is docker.

      I’m not firm with docker. But if I’m guided I’m able to provide any information to work this through. I’ve access to the opnsense and to the network over VPN.

      So while reading the intro of mailcow that installations in a VM are supported or possible, where did I miss the point? I tried to get information in opnsense- and proxmox-forum but I must admit, the more I read the more I’m confused. I also read the mailcow docs, but I simply don’t understand where do I have to investigate. Is it the opnsense part or is it the mailcow part, or both?

      Any help would be greatly appreciated.
      regards, stefan

        stefan21 BTW the server in the other machine has no problem with let’s encrypt certs.

        That seems the problem. You need to NAT all ports in this list to the mailcow VM:
        https://docs.mailcow.email/prerequisite/prerequisite-system/#default-ports


        The Acme challence for mailcow certs cannot work if port 80 goes to another server.
        So you are better off to disable Acme in mailcow and use a proper nginxproxymanager.com Icon reverse proxy
        nginxproxymanager.com Icon nginxproxymanager.com
        Nginx Proxy Manager
        Docker container and built in Web Application for managing Nginx proxy hosts with a simple, powerful interface, providing free SSL support via Let's Encrypt
        nginxproxymanager.com
        which handles all certificates for all your VMs.
        Configure mailcow for reverse proxy:
        docs.mailcow.email Icon Overview - mailcow: dockerized documentation
        docs.mailcow.email Icon docs.mailcow.email
        Overview - mailcow: dockerized documentation
        None
        docs.mailcow.email

        Then you need to copy the certificates from that reverse proxy to the mailcow VM:
        docs.mailcow.email Icon Advanced SSL - mailcow: dockerized documentation
        docs.mailcow.email Icon docs.mailcow.email
        Advanced SSL - mailcow: dockerized documentation
        None
        docs.mailcow.email

        Yes, esackbauer is right !

        My certificate was renewed with the ACME challenge by my NAS (Port 80/433 routed on it).
        I made a script to copy the generated certificate each night to my mailcow server (reboot it also to take the new certificate).

        Works well since months !

        First I’d like to thank for taking the time to reply to my questions.

        I understand the easy advice as follows:

        1. in opnsense I install the acme plugin and let the opnsense take care for the let’s encrypt certs. I already tested this way, this plugin works.
        2. I daily copy, preferably with a cron job, the certs to mailcow - what path/location exactly?
        3. the mailcow VM has to be daily rebooted, to recognize the new certs?

        @esackbauer

        Thank you for describing the way with a reverse proxy. I tried this but honestly, as a part time admin, this is way too complicated for me.

        Everything works really pretty well out of the box, if mailcow does not sit in a VM (and probably in lxc container) and behind a firewall like opnsense or pfsense. I tested mailcow at home on a laptop running with arch linux. There’s an asus router in front of the home network. No problem to configure a port forward to the laptop, so everything works as intended.

        Anyway, if I take the road kicou suggests, where in mailcow can acme be safely disabled? Is it in the GUI or better with the command line?

          stefan21 what path/location exactly?
          mailcow VM has to be daily rebooted, to recognize the new certs?

          All your questions are already answered in the last link of my previous posting…

          My script on the NAS (Auth by key) :
          #!/bin/bash
          scp -i /root/.ssh/id_rsa /usr/syno/etc/certificate/archive/hkbWEi/fullchain.pem root@192.168.0.3:/root
          scp -i /root/.ssh/id_rsa /usr/syno/etc/certificate/
          archive/hkbWEi/privkey.pem root@192.168.0.3:/root

          My daily cron script on mailcow server :
          #!/bin/sh

          copy cert to data folder

          cp -f /root/fullchain.pem /opt/mailcow-dockerized/data/assets/ssl/cert.pem
          cp -f /root/privkey.pem /opt/mailcow-dockerized/data/assets/ssl/key.pem
          rm -f /root/fullchain.pem
          rm -f /root/privkey.pem

          restart needed docker

          docker restart $(docker ps -qaf name=postfix-mailcow)
          docker restart $(docker ps -qaf name=nginx-mailcow)
          docker restart $(docker ps -qaf name=dovecot-mailcow)

            Doing this daily seems unnecessary. Certs are good for 90 days with renewal possible after 60.

            I run a script on mailcow instance itself to check renewal weekly using dns challenge (cloudflare) as I don’t want any more open ports than absolutely necessary. Dns challenge requires the use of an api key to update the require txt record.

            kicou

            I managed to fetch certs with opnsense acme-plugin. Already tested, works fine. I also managed to automate the deploy of the cert to mailcow. In the mailcow-docs is said:
            "How to use your own certificate¶

            Make sure you disable mailcows internal LE client (see above).

            To use your own certificates, just save the combined certificate (containing the certificate and intermediate CA/CA if any) to data/assets/ssl/cert.pem and the corresponding key to data/assets/ssl/key.pem"

            The copy of the certs from the opnsense is in:

            /opt/mailcow-dockerized/data/assets/ssl/FQHN/

            • ca.pem
            • cert.pem
            • fullchain.pem
            • key.pem

            Will that work?

            It won’t. No problem to write a cron job.

            Some other questions are popping up:

            In the doc I read: "Die mailcow Daten (wie bspw. E-Mails, Userdaten etc.) werden in Docker-Volumes aufbewahrt - geben Sie gut auf diese Volumes acht:

            clamd-db-vol-1
            crypt-vol-1
            mysql-socket-vol-1
            mysql-vol-1
            postfix-vol-1
            redis-vol-1
            rspamd-vol-1
            sogo-userdata-backup-vol-1
            sogo-web-vol-1
            solr-vol-1
            vmail-index-vol-1
            vmail-vol-1

            "
            O.k. Got it. Are those volumes covered within the backup-script?

            While I’m migrating from another email-server, is it possible to upload bulk white/black lists?

            10 months later

            Friends, I have to ask you for help. mailcow is behind nginx proxy manager on 192.168.12.15, mailcow address is 192.168.12.41. It runs on mail.example.com the interface works, but when you start docker compose upd, an error pops up: Your hands are already dropping

            [unknown] Any help is greatly appreciated

            4 months later

            kicou

            Hi
            Really its not needed to prepare Proxmox host form MailCow LXC?