How to use mailcow behind nginx proxy manager via external domain?

apoorv569

I recently purchased a domain and VPS on which I am hosting Wireguard VPN and NginxProxyManager. The NginxProxyManager redirects all domain and sub-domains to another instance of NginxProxyManager running in a VM on my Proxmox server at home which is connected to the Wireguard VPN, which then redirects the same domain/sub-domain to their respective IP on my LAN.

So I recently decided to self host a mail server just for using as a email service for my other services running at home, for example Nextcloud needs a Email server to send recovery codes, forgotten password and all.

And I chose MailCow for that, as it seemed easy to get up and running using the Docker compose file.

Now I have a A record say mydomain.com and I created bunch of CNAME records for all my services using this A record. One of them is mail.mydomain.com which I wanted to use as my Email server’s domain so to say.

I installed it and set the hostname that the generate_config.sh script asks as mail.mydomain.com. It installed correctly I can access the web admin page using LAN IP and external domain as well. I created a domain and alias and a mailbox and I can login to the mailbox on LAN but using external domain I cannot login in the newly created mailbox.

I did create all the TXT, MX, SPF, DMARC records and all necessary but it doesn’t help.

What am i doing wrong here? Is it not possible to access it behind proxy?

mhadjih

So Mailcow will work well behind NPM, that’s no problem. You need to make Let’s Encrypt certificate in NPM, by name mail.domain.com and download that cert from the SSL menu in NPM. Once downloaded you need to copy the file cert1.pem to cert.pem and privkey1.pem to key.pem in the /opt/mailcow-dockerized/data/assets/ssl folder, in place of the ones that probably are already there. Before copying these files do a ‘docker-compose down’, and after having copied the beforementioned certs in the ssl-directory, do a ‘docker-compose up -d’. Now the certs should be good.

In the mailcow.conf file, inde the /opt/mailcow-dockerized directory, set HTTP-PORT to 8090, or any port you don’t already use, HTTP_BIND to 127.0.0.1, HTTPS-PORT to 8443, or another portnumber if already in use, and the HTTPS_BIND to 127.0.0.1.

In NPM set the ‘Destination’ as the Dockercontainer-name or the IP-address of the container, and the portnumber to 8090 (HTTP-PORT in mailcow.conf), block common exploits, set Websockets-support as on, set the SSL certificate and force SSL on the SSL page.

In the router or modem, make sure that all required ports are open and forwarded to the container with NPM (80/443). All other ports for the mailcow-server can be pointed to the ip of the Mailcow Docker container.

Hope this will help! Good luck!

apoorv569

mhadjih Hello, Thank you for the response.

I did everything as you mentioned, but I still having the same issue. I noticed you said I need to open ports on my modem/router, but I don’t have a public IP and in my case I am using a VPS with Wireguard VPN installed on it and a instance of NPM forwarding to another instance of NPM running at my home which is connected to the Wireguard VPN.

The SSL certificates are on the NPM installed on VPS and the forward to mailcow docker running at home is done via NPM running at home.

I can’t login to Webmail when using external domain, but if I try Webmail from local IP I can login.

I also noticed setting HTTP_BIND and HTTPS_BIND to 127.0.0.1 I am not able to access the website I have to set it to the local IP of the machine which is 10.10.10.192 in my case.

abongile

Hallie Hallo,

esackbauer If you have configured mailcow to get the certificates

I don’t know if I have or not. Per my previous; I got the certificates for the hosts via NPM which I copied to the …ssl directory pre mailcow.conf edits and installation (docker pull/up).

So: (1) How do I check if I have configured mailcow to get the certificates?

I am reading; https://docs.mailcow.email/post_installation/firststeps-ssl/#the-lets-encrypt-subjectaltname-limit-of-100-domains, thinking that’s where the answer is but I am unfortunately nowhere near clear as to how best to proceed or be confident in answering the question of whether or not I have configured mailcow to get the certificates.

(2) Do I or is it an option to get the certificates manually via NPM?

For this one I am still lookiing at:

esackbauer This is when you use mailcows example reverse proxy config docs.mailcow.emailNginx - mailcow: dockerized documentationNone .

https://docs.mailcow.email/post_installation/reverse-proxy/r_p-nginx/ and still nonplussed. Admittedly I am averse to dropping into either container via terminal (docker exec -it). It just doesn’t feel like it’s something the devs would be expecting noobs to do.

esackbauer It depends… check if there are subdirectories. There should be none.

Right on! But it’s not exactly none. There is a directory …/acme with files account.pem and key.pem in it. The other directory is where I moved the example certificates before copying the NPM generated ones to the location (…ssl/).

Also not sure if it is of interest or relevance but I originally copied a certificate.zip archive which had four files (cert1, chain1, fullchain1 and pivkey1) but the directory also contains cert.pem, dhparams.pem, and key.pem.

Just noticed:

mhadjih You need to make Let’s Encrypt certificate in NPM, by name mail.domain.com and download that cert

Per my previous,

(3) Do I need to request certs via NPM per mail domain and copy these to the …ssl/ directory. As it is I only requested certs for the hosts and not mail domains per (2).

abongile

Hi MCC,

Thank you MC Devs and Community. This is an awesome service/solution.

To solve the 502 Bad Gateway issue I added the mailcowdockerized-nginx-mailcow-1 container to the Nginx Network (nginx-net) using Portainer. I also tried to add it in the Network section of the docker-compose.yml file. That didn’t work. Perhaps it needs to be added to the mailcowdockerized-nginx-mailcow-1 container’s network section.

All seems to be working. Annoyingly Thunderbird complains about certs and requires adding security exception.

Keep Rising!!

esackbauer

abongile Annoyingly Thunderbird complains about certs and requires adding security exception.

Reverse proxies based on nginx do not proxy other protocols like IMAP or SMTP.
So those ports (25, 143, 587, 993 etc) will be served with the certificates which are present on mailcow itself.
So if you get the Lets Encrypt certificates at the reverse proxy, copy them to mailcow as well:
https://docs.mailcow.email/post_installation/firststeps-ssl/#how-to-use-your-own-certificate

abongile

esackbauer

Thank you Esack. I did request the certificates for the hosts via NPM and copied them to /opt/mailcowdockerised/data/assets/ssl before installation. Do I need to request certificates for the mail domains separately and also copy these to the same location? Does the mailcowdockerized-acme-mailcow-1 container not do this automatically for added domains?

From running; helper-scripts/expiry-dates.sh, I get:

Could not read certificate from <stdin>
Unable to load certificate
TLS expiry dates:
Postfix: Jan 22 15:52:08 2026 GMT
Dovecot: Jan 22 15:52:08 2026 GMT
Nginx:

So I gather Postfix and Dovecot are picking up the certificates but Nginx is not. Other than /opt/…/ssl is there another location that the certificates also need to be copied to?

Thanks again.

esackbauer

If you have configured mailcow to get the certificates, your reverse proxy should forward those requests to mailcows nginx. This is when you use mailcows example reverse proxy config.

abongile Other than /opt/…/ssl is there another location that the certificates also need to be copied to?

It depends… check if there are subdirectories. There should be none.

mhadjih

Well, I figured it out:

I copy the downloaded certificates from NPM (look in the ‘SSL Certificates’-tab for this one) and use the ‘fullchain.pem’ from these and ‘privkey.pem’. Bot of them need to be copied to, in my case:

/opt/mailcow-dockerized/data/assets/ssl

Then I rename the fullchain.pem to cert.pem and privkey.pem to key.pem (I leave the originals, because you’ll need them later on.)

Now in mailcow.conf set SKIP_LETS_ENCRYPT=y (so set it to ‘y’ instead of ‘n’)

Then you first need to bring down all containers from the directory where docker-compose.yml is:

docker compose down

Then bring up the containers again:

docker compose up -d

If all went well then you have https enabled on the domain where the nginx module of mailcow has been made reachable through the NPM dashboard.

If you update Mailcow, then don’t forget to copy/rename the certificates again to cert.pem and key.pem, because they still will be overwritten on first start of the containers.

My flow is:

./update.sh

wait for containers to be up,

docker compose down

rename certificates in data/assets/ssl

go back to install directory with docker-compose.yml

docker-compose up -d

Hope everything will work out for you. There might be a more elegant way to do this, but I don’t know and this one works.

abongile

mhadjih

Hi Mhadjih,

Thank you for the guidance, very much appreciated.

mhadjih use the ‘fullchain.pem’ from these and ‘privkey.pem’. Bot of them need to be copied

After requesting the certificates via NPM by hostname (FQDN), I downloaded a Certificate.zip archive which I SCPd to server. On unzipping I had four files not only two. I also had Cert1.pem and Chain1.pem. I moved all four into the …/ssl directory. No changes or renaming.

mhadjih leave the originals, because you’ll need them later on.

Which would be the originals? Those that were in the …/examples folder?

mhadjih If you update Mailcow, then don’t forget to copy/rename the certificates again to cert.pem and key.pem, because they still will be overwritten on first start of the containers.

I am looking forward to doing so (updating MC). Before I can, I need to first ensure that I have a properly configured and functioning Mail Server. I like the flow, will adopt into my own - thank you :-).

Now I am thinking…:

(1) Get separate SSL for each mail domain? I think not. Then;
(2) Have I caused a misconfiguration by moving the examples folder and not renaming the certificates? Possibly.
(3) If I have caused a misconfiguration, what’s the cause? How do I fix it? How will I know it’s fixed?

Ps. Mail Server is working. Hosting two domains. Both able to send and recieve. Both with decent scores on mail-tester. MC and Sogo groupware are moognificent. But it’s not perfect: Thunderbird required a security exception. Mobile clients sometimes are not picking up autodiscover and autoconfig. Nextcloud server can’t connect to SMTP 587 or 465 (suspecting a TLS version conflict).

Thanks again,

esackbauer

abongile I also had Cert1.pem and Chain1.pem. I moved all four into the …/ssl directory. No changes or renaming.

You need to copy only fullchain.pem and the private key file. And rename them accordingly!
https://docs.mailcow.email/post_installation/firststeps-ssl/#how-to-use-your-own-certificate

abongile Get separate SSL for each mail domain? I think not. Then;

No, you need all names in one certificate.

abongile Have I caused a misconfiguration by moving the examples folder and not renaming the certificates? Possibly.

Check your configuration:
https://docs.mailcow.email/post_installation/firststeps-ssl/#check-your-configuration

abongile

esackbauer

Thank you :-).

I have gone through the guide (still learning) docs.mailcow.email Icon Advanced SSL - mailcow: dockerized documentation and mhadjih’s flow. I think I am making progress. Because:

(1) Nextcloud can now send via MC’s SMTP :-) :-). It works only with server hostname (FQDN) though and not mail domain name (e.g. smtp.example.tld. Would love to know why). I have added the domains in mailcow.conf’s Additional_SANS sections, Set Skip_SSL=y and Enable_SAN_SSL=y.

(2) Thunderbird still wants a security exception to be added. It is complaining that the cert is not valid. Which I assume means that the additional SANS are not on the certificate. Do I perhaps need to add the additional domains to the Hostname section of mailcow.conf and re-run acme-mailcow (change Skip_SSL back to =n)? As I have already added them to Additional SANs section, I hope not.

esackbauer No, you need all names in one certificate.

I suppose if I did this step (all names in one certificate) correctly then the Thunderbird security issue would be resolved. I have the followed SSL guide (per the link) but seems I am still missing something. What am I missing (doing wrong)?

mhadjih The reason I said to keep them in data/assets/ssl as orginals is that you need them when having updated the Mailcow

Done. even the update went s-mooh-thly :-).

On another leaf: Where does one find this file; https://docs.mailcow.email/post_installation/reverse-proxy/r_p-nginx/ ?

A moovelous day to you :-).

mhadjih

@esackbauer is absolutely right. You need only the fullchain and the private key. The reason I said to keep them in data/assets/ssl as orginals is that you need them when having updated the Mailcow, because this will also disturb the certificates, at least in my case.

That’s why I keep the files there and then use these originals (created with NPM dashboard and then downloaded) to use to copy to cert.pem and key.pem again, as I explained in my previous post.

Hope everything will work out fine! Mailcow is awesome!