Reverse Proxy - cert renewal & TLSA validation on 443 vs mail service ports?

thumpco

I’ve moved my mailcow web interface behind a reverse proxy (Nginx Proxy Manager/NPM) and setup a script to copy the *.myhostdomain.com wildcard certificate and key from NPM to mailcow’s nginx. The mail services (smtp, imap. pop, etc) are not proxied.

When using mailcow behind a reverse proxy, how do others deal with managing these 2 different sets of certs and associated TLSA dns hashes?

In my setup:
1) The HTTPS cert is generated via NPM and copied to mailcow-nginx (opt/mailcow-dockerized/data/assets/ssl). This cert only covers the primary “*.myhostdomain.com” domain of the Mailcow UI and not any of the other mail domains my host supports. My “443.tcp.mail” TLSA DNS record for myhostdomain.com presents the hash of the NPM generated certificate.

2) The other mail service ports (23. 465, 587, etc) ports are not proxied by NPM so mailcow presents the certificate that was originally created by mailcow and my “25.tcp.mail” and other mail ports present the hash of the mailcow generated cert. This cert includes my myhostdomain.com subdomains as well as all the other domains I host mail for as SAN dNSName domains.

So, my myhostdomain.com DNS zone TLSA records for port 443 present the hash of the NPM generated cert, and the TLSA records for all my other mail service ports present the hash of the Mailcow generated cert.

With this setup I am able to get successful DANE verification for every individual https and mail port using https://www.huque.com/bin/danecheck

So, my questions:
1) Do I continue using both sets of certs? If so, I’m assuming I’d have to shutdown NPM and “un-proxy” mailcow at least once every 90 days to restart acme-mailcow and allow it to generate new sets of SAN certs from LetsEncrypt for the mail services? Or:

2) Is it possible/reasonable to try to use NPM to reverse proxy all the mail service ports, and if so, where to I copy the NPM renewed LetsEncrypt cert so that all mailcow services use it?

How do any of you pros that care about your DNSSEC & DANE handle this when using reverse proxy for mailcow? (Open to switching from NPM if there’s a better answer, but it would appear to my simple mind that this same problem would apply to Caddy, Traefik, etc?)

Footnote - all the hosted mail domains directly CNAME to my primary mail.myhostdomain.com as the MX (and autodiscover/autoconfig) dns record. None are trying to alias/cname any of the mail service dns records (mail/smtp/imap/auto*) under their own domain name.

Thank you!

Clarification:

“Footnote - all the hosted mail domains directly point (MX, SPF, DMARC, autoconfig./autodiscover.) to my primary mail.myhostdomain.com as dns record….”

Clarification:

“Footnote - all the hosted mail domains directly point (MX, SPF, DMARC, autoconfig./autodiscover.) to my primary mail.myhostdomain.com as dns record….”

Clarification:

“Footnote - all the hosted mail domains directly point (MX, SPF, DMARC, autoconfig./autodiscover.) to my primary mail.myhostdomain.com as dns record….”

Clarification:

“Footnote - all the hosted mail domains directly point (MX, SPF, DMARC, autoconfig./autodiscover.) to my primary mail.myhostdomain.com as dns record….”

Clarification:

“Footnote - all the hosted mail domains on this mailhost directly point (MX, SPF, DMARC, autoconfig./autodiscover.) to my primary mail.myhostdomain.com domain in their dns records….”

Clarification:

“Footnote - all the hosted mail domains on this mailhost directly point (MX, SPF, DMARC, autoconfig./autodiscover.) to my primary mail.myhostdomain.com domain in their dns records….”
.

Sorry for the multiple ^^^. The site kept saying “oops - something went wrong” when trying to reply.

esackbauer

Please use only one instance to get the certs.
Once you have renewed the certs at the reverse proxy manager, copy them to your mailcow:
https://docs.mailcow.email/post_installation/firststeps-ssl/#how-to-use-your-own-certificate
The “own certificate” in this case is the LE certificates created at your reverse proxy (use fullchain.pem and privkey.pem).

I have the same setup (but with Sophos Firewall instead of NPM), and automated the copy and restart with ansible.
And I do not use DANE. Its optional (as some TLDs do not support DNSSEC at all)

thumpco

Ahhh.. @esackbauer I think it starting to click for me. Thank you! To confirm, using he above method mailcow will then utilize my NPM certs for not just https, but all the mail service ports? If so, does it matter that I would only have *.myprimary.domain as the cert without all the additional hosted mail domains as SANs? (again, these all refer MX DNS directly to my mailhost domain without any aliasing)

esackbauer

thumpco utilize my NPM certs for not just https, but all the mail service ports?

Yes.

thumpco If so, does it matter that I would only have *.myprimary.domain as the cert

Depending on your client configuration. If you want to use the SANs for IMAP or SMTP port 587, then the certificate should have all SAN inside.

Are there subfolders with domain names under/opt/mailcow-dockerized/data/assets/ssl/ ?

thumpco

@esackbauer I feel slow..

I tried as you recommended and followed the “How to use your own certificate” instructions from the link, but it seems to have the same issue as my original post. NPM responds with it’s key on the proxied 443 https port using it’s NPM created LE cert, but mailcow continues to respond for STARTTLS on mail ports the one it originally created itself that also includes all the additional hosted domains as SANs. (After cert copy I restarted the mailcow services both individually and via docker compose down/up).

The script I’m using for cert copying is:
cp /opt/nginx-proxy-manager/letsencrypt/live/npm-1/fullchain.pem /opt/mailcow-dockerized/data/assets/ssl/cert.pem cp /opt/nginx-proxy-manager/letsencrypt/live/npm-1/privkey.pem /opt/mailcow-dockerized/data/assets/ssl/key.pem postfix_c=$(docker ps -qaf name=postfix-mailcow) dovecot_c=$(docker ps -qaf name=dovecot-mailcow) nginx_c=$(docker ps -qaf name=nginx-mailcow) docker restart ${postfix_c} ${dovecot_c} ${nginx_c}

But when testing port 25 smtps using https://www.huque.com/bin/danecheck it still shows mailcow presenting it’s own cert, not the one copied from the script above.

Right now I’m able to get everything to DANE validate by presenting a separate hash for each cert on duplicate TLSA entries per port (allowed under RFC), but would again have the issue managing 2 sets of certs and the mailcow not being able to renew with LE without being occasionally un-proxied.

thumpco

I’m at a loss.

I’ve ensured that /opt/mailcow-dockerized/data/assets/ssl/cert.pem contains only the correct NPM generated cert using “openssl x509 -in cert.pem -text”.

I’ve disabled mailcow’s LE (SKIP_LETS_ENCRYPT=y) in mailcow.conf

I’ve restarted mailcow individually by component and altogether using “docker compose up -d –force-recreate”

But when I query my mailcow server mail ports it still persists on presenting only the original mailcow cert that includes all the SAN domains. I’ve queried this from half a dozen other hosted servers I have, plus my local machine and various testing sites:
openssl s_client -starttls smtp -connect mail.mydomain.com:587 | openssl x509 -noout -text

Checking acme-mailcow logs shows it’s skipping checks:
:/opt/mailcow-dockerized# docker compose logs --tail=200 acme-mailcow mailcowdockerized-acme-mailcow-1 | Mon Dec 11 02:25:55 MST 2023 - SKIP_LETS_ENCRYPT=y, skipping Let's Encrypt... mailcowdockerized-acme-mailcow-1 | Mon Dec 11 02:28:57 MST 2023 - SKIP_LETS_ENCRYPT=y, skipping Let's Encrypt...

I’m not sure how, but it appears mailcow has somehow cached it’s original cert and refuses to use the cert from /opt/mailcow-dockerized/data/assets/ssl/cert.pem for anything. This is on a fully updated 2023-11a instance.

Happy to buy a beer for anyone that can help.. spent half a Sunday just spinning on this : /

thumpco

esackbauer Thank you again. Not sure if you saw my most recent replies, but no matter what I do, I can’t seem to get mailcow to utilize my new NPM cert in /opt/mailcow-dockerized/data/assets/ssl/cert.pem

It seems to have cached the original and won’t let go. I’ve disabled mailcow-acme and even recreated all containers with “docker compose up -d –force-recreate”

@“esackbauer” Just saw your edit.. Aaahhhh! Yes there are subdirectories:

/opt/mailcow-dockerized/data/assets/ssl# ls -al total 44 drwxr-xr-x 5 root root 4096 Dec 11 02:06 . drwxr-xr-x 8 root root 4096 Dec 3 01:16 .. drwxr-xr-x 2 root root 4096 Dec 3 01:33 acme drwxr-xr-x 3 root root 4096 Dec 3 03:16 backups -rw-r--r-- 1 root root 3351 Dec 11 01:26 cert.pem -rw-r--r-- 1 root root 6661 Dec 9 03:23 .cert.pem-orig -rw-r--r-- 1 root root 424 Dec 3 01:16 dhparams.pem -rw------- 1 root root 306 Dec 11 01:26 key.pem -rw------- 1 root root 3272 Dec 9 03:23 .key.pem-orig drwxr-xr-x 2 root root 4096 Dec 11 00:30 mail.mydomain.com
It looks like the mail.mydomain.com directory includes the original mailcow cert and key as well.

1) Do I need to continually replace the cert copies in both /ssl/* and /ssl/mail.mydomain.com/*, or does one take precedence over the other?

2) does having this subdomain structure allow me to include separate individual certs for my other (non-primary) hosted domains?

@“esackbauer” Just saw your edit.. Aaahhhh! Yes there are subdirectories:

1) Do I need to continually replace the cert copies in both /ssl/* and /ssl/mail.mydomain.com/*, or does one take precedence over the other?

2) does having this subdomain structure allow me to include separate individual certs for my other (non-primary) hosted domains?

@“esackbauer” Just saw your edit.. Aaahhhh! Yes there are subdirectories:

1) Do I need to continually replace the cert copies in both /ssl/* and /ssl/mail.mydomain.com/*, or does one take precedence over the other?

2) does having this subdomain structure allow me to include separate individual certs for my other (non-primary) hosted domains?

My lord.. (the browser errors causing multi-posts) sorry

esackbauer

I really don’t know how about to handle this with subdirectories, for me the one in the ssl folder is working.
Please search here in the forums or in github issues, I have seen some postings regarding this.

thumpco

esackbauer Understood. I’ll look around to see what I can find on this behavior as it doesn’t quite follow the posted documentation. Changing out the cert/key in the subdirectory at least solved my original issue. Now getting the NPM cert on all ports. THANK YOU!!!

esackbauer

I think it has to do with the ACME Lets Encrypt running on mailcow with SAN’s. I guess then it does a subfolder for each SAN domain.
It seems impossible to revert this, and documentation is assuming you are using a fresh installation where LE ACME never has run with SAN’s.