Deny access to mailcow ui and sogo from WAN

stefan21

I’d like to restrict access to mailcow. Only access I want to give is from LAN and VPN. NO access to mailcow ui, rspamd and sogo from WAN. PWD and 2auth is not my choice.

I assume it could be somewhere set in the nginx conf section. I tried a few settings in a few conf-files, but I’m stuck. Basically I’d like to

allow 192.168.x.x./24;
allow VPN/24;
…?
deny all;

Anybody out there who could give me a hint or guide me?

Any help is appreciated

regards,
stefan

D4niel

Imho you should use a reverse proxy for that. It’s easier to manage something independently, so stuff won’t brake on the next update. Another nginx is barely noticeable in terms of load.

esackbauer

And if you do not allow port 443 to mailcow, CalDAV and CardDAV and ActiveSync is not available on the WAN.
If that is not what you intend, you need a reverse proxy or WAF that allows whitelisting specific URLs.

stefan21

Thank’s for giving a direction.

Syncing with mobile devices is intended but only via VPN wireguard.

I’ll try this out and let you know.

stefan21

Mailcow behind OPNsense with HAProxy is working the way I want. Access only through VPN or LAN. Thank’s to @D4niel and @esackbauer