I want to start this by saying, I feel really dumb that I cannot understand how custom Nginx configurations work. I feel like I have searched the whole internet to try and understand them, but I am just not able to comprehend what I am doing wrong.

I am aware there is a page dedicated to the configuration of Mailcow behind an Nginx reverse proxy (docs.mailcow.email: Nginx - mailcow: dockerized documentation), but my issue is where do I actually put this configuration?

When I customise this configuration to what I believe are my correct details and add it to the Advanced section on the Nginx proxy host for my mail server, it goes instantly offline when I push save. I have added it to a .conf file and added it as an additional volume on my Nginx docker container, then specified it as a custom location for Mailcow on Nginx, but I get the same issue. Restarting both Mailcow and Nginx or removing and recomposing the containers still yields the exact same issue of being offline.

I am using Mailcow in docker using this guide christianlempa/videostree/main/mailcow-tutorial for installing Mailcow.

I changed Mailcow HTTP to 85 and HTTPS to 445 and have 80 and 443 port forwarded to my Nginx reverse proxy. I have swapped the listening ports of the config below between 80 and 85 and 443 and 445 for testing but still cannot get it to work.

    server {
      listen 80 default_server;
      listen [::]:80 default_server;
      server_name mail.mydomain.com autodiscover.mydomain.com autoconfig.mydomain.com;
      return 301 https://$host$request_uri;
    }
    server {
      listen 443 ssl http2;
      listen [::]:443 ssl http2;
      server_name mail.mydomain.com autodiscover.mydomain.com autoconfig.mydomain.com;

      ssl_certificate docker_volumes/mailcow-dockerized/data/assets/ssl/cert.pem;
      ssl_certificate_key docker_volumes/mailcow-dockerized/data/assets/ssl/key.pem;
      ssl_session_timeout 1d;
      ssl_session_cache shared:SSL:50m;
      ssl_session_tickets off;

      # See https://ssl-config.mozilla.org/ (Mozilla SSL Configuration Generator) for the latest ssl settings recommendations
      # An example config is given below
      ssl_protocols TLSv1.2;
      ssl_ciphers HIGH:!aNULL:!MD5:!SHA1:!kRSA;
      ssl_prefer_server_ciphers off;

      location /Microsoft-Server-ActiveSync {
        proxy_pass http://192.168.50.250:85/Microsoft-Server-ActiveSync;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_connect_timeout 75;
        proxy_send_timeout 3650;
        proxy_read_timeout 3650;
        proxy_buffers 64 512k; # Needed since the 2022-04 Update for SOGo
        client_body_buffer_size 512k;
        client_max_body_size 0;
      }

      location / {
        proxy_pass http://192.168.50.250:85/;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        client_max_body_size 0;
        # The following Proxy Buffers has to be set if you want to use SOGo after the 2022-04 (April 2022) Update
        # Otherwise a Login will fail like this: https://github.com/mailcow/mailcow-dockerized/issues/4537
        proxy_buffer_size 128k;
        proxy_buffers 64 512k;
        proxy_busy_buffers_size 512k;
      }
    }

Thank you in advance and any help in understanding how custom configurations work would be greatly appreciated!

  • Rightio, so here is everything I have learned!

    This is everything you need to configure in the Advanced tab (adjust the IP and port according to your setup for both locations). Everything else above this from the Mailcow website is already configured elsewhere in Nginx Reverse Proxy, so you are doubling up and causing issues if you try to use it. Well done to @DocFraggle for giving me the complete answer without me realising.

        location /Microsoft-Server-ActiveSync {
          proxy_pass http://127.0.0.1:8080/Microsoft-Server-ActiveSync;
          proxy_set_header Host $http_host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Proto $scheme;
          proxy_connect_timeout 75;
          proxy_send_timeout 3650;
          proxy_read_timeout 3650;
          proxy_buffers 64 512k; # Needed since the 2022-04 Update for SOGo
          client_body_buffer_size 512k;
          client_max_body_size 0;
        }

        location / {
          proxy_pass http://127.0.0.1:8080/;
          proxy_set_header Host $http_host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Proto $scheme;
          client_max_body_size 0;
          # The following Proxy Buffers has to be set if you want to use SOGo after the 2022-04 (April 2022) Update
          # Otherwise a Login will fail like this: https://github.com/mailcow/mailcow-dockerized/issues/4537
          proxy_buffer_size 128k;
          proxy_buffers 64 512k;
          proxy_busy_buffers_size 512k;
        }

    Port forward any other ports you need for the mail server (25, 465, 587, 993, 4190, etc.) to the IP of the Docker host.

    Make sure you add all 3 hostnames (mail.domain.com, autodiscover.domain.com and autoconfig.domain.com) to the domain names section on your Nginx reverse proxy host as well as on the SSL certificate tab.

    You will need to download the SSL certificate, copy it to YOUR_MAILCOW_PATH/data/assets/ssl/ and rename the cert and key file to cert.pem and key.pem, then restart your container. You will need to copy the new certificate to this location manually every 3 months; I have not figured out a way to get the ACME request to work through the proxy.

    I hope this helps someone! Huge shoutout to @DocFraggle especially for his persistence and patience!

    If anyone has any ideas how to maybe get the certificate request to work, let me know and we might be able to work it out together.

Please, PLEASE use the “Insert code” button to wrap your config, nobody can read this…

What exactly did you configure in your mailcow.conf, especially this part as stated in the overview page (example below):

HTTP_BIND=127.0.0.1
HTTP_PORT=8080
HTTPS_BIND=127.0.0.1
HTTPS_PORT=8443

You set the proxy_pass part to an upstream IP address (192.168.50.250), that's why I'm asking. If you used 127.0.0.1 in your mailcow.conf this can't work.
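The two points that resolve this thread (from the summary post: the NPM Advanced tab takes only the location blocks, because Nginx Proxy Manager generates the server, listen and ssl_certificate directives itself and a duplicate takes the host offline; from the reply above: the proxy_pass target must match HTTP_BIND and HTTP_PORT in mailcow.conf, and 127.0.0.1 only works when the proxy runs on the mailcow host) are easy to check before pasting anything. The script below is an added example, not code from this thread, from mailcow or from Nginx Proxy Manager. The mailcow.conf fragment and the two Advanced snippets in it are constructed samples, the `proxy_on_same_host` flag is an assumption supplied by the caller rather than something the script detects, and treating an empty HTTP_BIND as all interfaces is an assumption about how Docker reads an empty host address in a port mapping.

```python
import re

# Constructed sample inputs for this example; they are not copied from any host in the thread.
MAILCOW_CONF = """\
HTTP_PORT=8080
HTTP_BIND=127.0.0.1
HTTPS_PORT=8443
HTTPS_BIND=127.0.0.1
SKIP_LETS_ENCRYPT=y
"""

# What belongs in the NPM "Advanced" tab: location blocks only.
ADVANCED_OK = """\
location /Microsoft-Server-ActiveSync {
  proxy_pass http://127.0.0.1:8080/Microsoft-Server-ActiveSync;
  proxy_set_header Host $http_host;
  proxy_set_header X-Forwarded-Proto $scheme;
}
location / {
  proxy_pass http://127.0.0.1:8080/;
  proxy_set_header Host $http_host;
  proxy_set_header X-Forwarded-Proto $scheme;
}
"""

# The failure mode from the thread: the docs' full server block pasted into the tab,
# plus a proxy_pass aimed at a LAN address while mailcow is bound to loopback.
ADVANCED_BAD = """\
server {
  listen 80 default_server;
  server_name mail.example.test autodiscover.* autoconfig.*;
  return 301 https://$host$request_uri;
}
location / {
  proxy_pass http://192.168.50.250:85/;
}
"""

CONF_RE = re.compile(r"^\s*([A-Z_]+)=(.*?)\s*$", re.M)
PROXY_RE = re.compile(r"proxy_pass\s+(https?)://([\w.\-]+)(?::(\d+))?(/[^\s;]*)?\s*;")
# Directives NPM emits itself for every proxy host; a second copy conflicts with the generated vhost.
NPM_OWNED = {"server", "listen", "server_name", "ssl_certificate", "ssl_certificate_key"}


def parse_mailcow_conf(text):
    """Return KEY=value pairs from a mailcow.conf fragment (comment and blank lines are skipped)."""
    return dict(CONF_RE.findall(text))


def proxy_targets(snippet):
    """Return (scheme, host, port, path) for every proxy_pass in an Advanced snippet."""
    out = []
    for m in PROXY_RE.finditer(snippet):
        scheme, host, port, path = m.groups()
        port = int(port) if port else (443 if scheme == "https" else 80)
        out.append((scheme, host, port, path or "/"))
    return out


def npm_owned_directives(snippet):
    """Lines whose first word is a directive NPM already generates for the proxy host."""
    hits = []
    for line in snippet.splitlines():
        words = line.split()
        if words and words[0].rstrip("{") in NPM_OWNED:
            hits.append(line.strip())
    return hits


def check(conf_text, snippet, proxy_on_same_host=True):
    """Return (severity, message) findings; "error" is one of the thread's offline/502/unreachable outcomes."""
    conf = parse_mailcow_conf(conf_text)
    http_port = int(conf.get("HTTP_PORT", "80"))
    # Assumption: an empty HTTP_BIND means all interfaces, as Docker treats an empty host address.
    bind = conf.get("HTTP_BIND", "") or "0.0.0.0"
    findings = [("error", f"remove '{d}': NPM generates this for the proxy host; a duplicate takes it offline")
                for d in npm_owned_directives(snippet)]
    targets = proxy_targets(snippet)
    if not targets:
        findings.append(("error", "no proxy_pass in the Advanced snippet"))
    remote_loopback = "proxy_pass 127.0.0.1 from another VM or container netns is not the mailcow host (502)"
    for scheme, host, port, _path in targets:
        if scheme != "http":
            findings.append(("error", f"proxy_pass to {scheme}://{host}: NPM terminates TLS; pass plain HTTP to HTTP_PORT"))
        if port != http_port:
            findings.append(("error", f"proxy_pass port {port} does not match HTTP_PORT={http_port}"))
        if bind == "127.0.0.1":
            if host != "127.0.0.1":
                findings.append(("error", f"HTTP_BIND=127.0.0.1 but proxy_pass targets {host}: mailcow is not reachable there"))
            elif not proxy_on_same_host:
                findings.append(("error", remote_loopback))
        elif bind != "0.0.0.0" and host != bind:
            findings.append(("error", f"HTTP_BIND={bind} but proxy_pass targets {host}"))
        elif bind == "0.0.0.0" and host == "127.0.0.1" and not proxy_on_same_host:
            findings.append(("error", remote_loopback))
    if bind == "0.0.0.0":
        findings.append(("note", f"HTTP_BIND is empty: mailcow's plain-HTTP port {http_port} is reachable on every interface, not only through the proxy"))
    return findings


def errors(findings):
    return [msg for sev, msg in findings if sev == "error"]


if __name__ == "__main__":
    for name, snippet, same in (("ok", ADVANCED_OK, True), ("ok-remote-proxy", ADVANCED_OK, False), ("bad", ADVANCED_BAD, True)):
        print(f"== {name}")
        for sev, msg in check(MAILCOW_CONF, snippet, same):
            print(f"  [{sev}] {msg}")
```

Run it against your own mailcow.conf and the text you intend to paste into the Advanced tab. The note on an empty HTTP_BIND is the trade-off behind the fix in this thread: binding to the LAN address makes a proxy on another host work, but it also makes the plain-HTTP port reachable from the whole network rather than only through the TLS-terminating proxy.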


Thank you for replying, I really appreciate it!

This is what I currently have configured in that section. I have tried with the loopback address and the actual IP in the BIND section but still no good.

HTTP_PORT=85
HTTP_BIND=

HTTPS_PORT=445
HTTPS_BIND=

    EverythingBySam Set this in mailcow.conf:

    HTTP_BIND=127.0.0.1
    HTTP_PORT=8080
    HTTPS_BIND=127.0.0.1
    HTTPS_PORT=8443

    RESTART mailcow afterwards!!!

    docker compose down
    docker compose up -d

    And this in your proxy_pass lines:

      location /Microsoft-Server-ActiveSync {
        proxy_pass http://127.0.0.1:8080/Microsoft-Server-ActiveSync;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_connect_timeout 75;
        proxy_send_timeout 3650;
        proxy_read_timeout 3650;
        proxy_buffers 64 512k; # Needed since the 2022-04 Update for SOGo
        client_body_buffer_size 512k;
        client_max_body_size 0;
      }
    
      location / {
        proxy_pass http://127.0.0.1:8080/;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        client_max_body_size 0;
      # The following Proxy Buffers has to be set if you want to use SOGo after the 2022-04 (April 2022) Update
      # Otherwise a Login will fail like this: https://github.com/mailcow/mailcow-dockerized/issues/4537
        proxy_buffer_size 128k;
        proxy_buffers 64 512k;
        proxy_busy_buffers_size 512k;
      }

    Just like in the docs.

    That seems to have worked and did not knock it offline, so thank you, but I would like Autodiscover to work as well if possible.

    Autodiscover should work as well then, as long as you set your DNS config according to the docs and the certificate was enrolled correctly.

      DocFraggle I have a CNAME autodiscover record for autodiscover.domain.com to go to mail.autodiscover.com. I do not have anything configured on my Nginx itself to recognise autodiscover.domain.com

      When I add those extra lines from the recommended config it goes offline again.

        EverythingBySam When I add those extra lines from the recommend config

        What do you mean? These lines?

        server_name CHANGE_TO_MAILCOW_HOSTNAME autodiscover.* autoconfig.*;

          DocFraggle nah this whole section:

            server {
              listen 80 default_server;
              listen [::]:80 default_server;
              server_name CHANGE_TO_MAILCOW_HOSTNAME autodiscover.* autoconfig.*;
              return 301 https://$host$request_uri;
            }
            server {
              listen 443 ssl http2;
              listen [::]:443 ssl http2;
              server_name CHANGE_TO_MAILCOW_HOSTNAME autodiscover.* autoconfig.*;

              ssl_certificate MAILCOW_PATH/data/assets/ssl/cert.pem;
              ssl_certificate_key MAILCOW_PATH/data/assets/ssl/key.pem;
              ssl_session_timeout 1d;
              ssl_session_cache shared:SSL:50m;
              ssl_session_tickets off;

              # See https://ssl-config.mozilla.org/ (Mozilla SSL Configuration Generator) for the latest ssl settings recommendations
              # An example config is given below
              ssl_protocols TLSv1.2;
              ssl_ciphers HIGH:!aNULL:!MD5:!SHA1:!kRSA;
              ssl_prefer_server_ciphers off;

          DocFraggle I did use that but if I add the top section I put in my previous comment it takes the proxy offline and no longer works.

          Well, I don’t know about your current Nginx config. Why do you use the reverse proxy config in the first place? Do you have other vhosts running on the server?

            DocFraggle Yup, got multiple virtual and non virtual hosts that I provide SSL certificates for instead of having to add all the certificates manually for each host and changing them every 3 months.

            Not a fan of having unencrypted services accessed externally from my network.

            OK, then you have to debug your Nginx config. Maybe leave out the “default_server” directive, I guess that may be the problem. So try this:

            server {
              listen 80;
              listen [::]:80;
              server_name CHANGE_TO_MAILCOW_HOSTNAME autodiscover.* autoconfig.*;
              return 301 https://$host$request_uri;
            }
            server {
              listen 443 ssl http2;
              listen [::]:443 ssl http2;
              server_name CHANGE_TO_MAILCOW_HOSTNAME autodiscover.* autoconfig.*;
            ...
            ...

            And have a look at the Nginx logs, you’ll find the problem in there

              I have pretty much the same issue and somehow cannot get it to run properly. Mailcow is behind an NGINX Proxy Manager, and they are hosted on different VMs. I'm having trouble connecting Mac OS clients with autodiscover. Would anybody offer a paid screen sharing session to fix this installation? Thanks in advance, Frank

              So if I just have this configuration in the advanced tab I get a 502 bad gateway but my host at least shows online in Nginx.

                location /Microsoft-Server-ActiveSync {
                  proxy_pass http://127.0.0.1:8080/Microsoft-Server-ActiveSync;
                  proxy_set_header Host $http_host;
                  proxy_set_header X-Real-IP $remote_addr;
                  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                  proxy_set_header X-Forwarded-Proto $scheme;
                  proxy_connect_timeout 75;
                  proxy_send_timeout 3650;
                  proxy_read_timeout 3650;
                  proxy_buffers 64 512k; # Needed since the 2022-04 Update for SOGo
                  client_body_buffer_size 512k;
                  client_max_body_size 0;
                }

                location / {
                  proxy_pass http://127.0.0.1:8080/;
                  proxy_set_header Host $http_host;
                  proxy_set_header X-Real-IP $remote_addr;
                  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                  proxy_set_header X-Forwarded-Proto $scheme;
                  client_max_body_size 0;
                  # The following Proxy Buffers has to be set if you want to use SOGo after the 2022-04 (April 2022) Update
                  # Otherwise a Login will fail like this: https://github.com/mailcow/mailcow-dockerized/issues/4537
                  proxy_buffer_size 128k;
                  proxy_buffers 64 512k;
                  proxy_busy_buffers_size 512k;
                }

              But if I added the full recommended Advanced config the host shows offline and I get a SSL_ERROR_UNRECOGNIZED_NAME_ALERT on the web page.

              If I go to the IP and port of the mail server, both HTTP (8080) and HTTPS (8443) work and the SSL certificate shows correctly as valid and issued to the mail server domain name. I copied the SSL cert and key from Nginx Proxy into the Mailcow SSL folder, so it is reading the SSL certificate correctly.

              There is a Logs folder in the nginx/data folder but all the files in there are blank. The audit logs page on the Nginx dashboard is just showing when I have made a change to a host.

              Even adding just this section in causes the host to go offline.

                server {
                  listen 80 default_server;
                  listen [::]:80 default_server;
                  server_name CHANGE_TO_MAILCOW_HOSTNAME autodiscover.* autoconfig.*;
                  return 301 https://$host$request_uri;
                }

              DocFraggle Rightio, lots of progress but still not quite right.

              To solve the 502 gateway error (because I had not put my proxy network in the Mailcow docker-compose file, as some people recommended/suggested), I changed the HTTP and HTTPS port binds in the mailcow.conf file to the local IP address of my docker server (192.168.50.250).

              I also configured on the Nginx reverse proxy Forward Hostname/IP to also be the local IP address of the Docker server and lastly on the advanced configuration to also use the local IP instead of the loopback address.

              This bit here is where it all goes downhill and goes offline.

                server {
                  listen 80 default_server;
                  listen [::]:80 default_server;
                  server_name CHANGE_TO_MAILCOW_HOSTNAME autodiscover.* autoconfig.*;
                  return 301 https://$host$request_uri;
                }
                server {
                  listen 443 ssl http2;
                  listen [::]:443 ssl http2;
                  server_name CHANGE_TO_MAILCOW_HOSTNAME autodiscover.* autoconfig.*;

                  ssl_certificate MAILCOW_PATH/data/assets/ssl/cert.pem;
                  ssl_certificate_key MAILCOW_PATH/data/assets/ssl/key.pem;
                  ssl_session_timeout 1d;
                  ssl_session_cache shared:SSL:50m;
                  ssl_session_tickets off;

                  # See https://ssl-config.mozilla.org/ (Mozilla SSL Configuration Generator) for the latest ssl settings recommendations
                  # An example config is given below
                  ssl_protocols TLSv1.2;
                  ssl_ciphers HIGH:!aNULL:!MD5:!SHA1:!kRSA;
                  ssl_prefer_server_ciphers off;

              I even tried to modify the one from here (ssl-config.mozilla.org, Mozilla SSL Configuration Generator) but it still failed:

              server {
              listen 80 default_server;
              listen [::]:80 default_server;

              location / {
                  return 301 https://$host$request_uri;
              }

              }

              server {
              listen 443 ssl http2;
              listen [::]:443 ssl http2;

              ssl_certificate /path/to/signed_cert_plus_intermediates;
              ssl_certificate_key /path/to/private_key;
              ssl_session_timeout 1d;
              ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
              ssl_session_tickets off;
              
              # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
              ssl_dhparam /path/to/dhparam;
              
              # intermediate configuration
              ssl_protocols TLSv1.2 TLSv1.3;
              ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
              ssl_prefer_server_ciphers off;
              
              # HSTS (ngx_http_headers_module is required) (63072000 seconds)
              add_header Strict-Transport-Security "max-age=63072000" always;
              
              # OCSP stapling
              ssl_stapling on;
              ssl_stapling_verify on;
              
              # verify chain of trust of OCSP response using Root CA and Intermediate certs
              ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
              
              # replace with the IP address of your resolver
              resolver 127.0.0.1;

              }

              Dumb question, but you did change stuff like

              MAILCOW_PATH/data/assets/ssl/cert.pem
              or
              CHANGE_TO_MAILCOW_HOSTNAME

              to the correct path and hostname, right?

                DocFraggle I work in IT mate, stuff like that is never a dumb question to ask lol

                so the full location from my home directory is docker_volumes/mailcow-dockerized/data/assets/ssl/cert.pem and I have manually copied the cert.pem and key.pem from Nginx to this location. I have disabled Mailcow from being able to get its own SSL certificate in the mailcow.conf file by changing this line SKIP_LETS_ENCRYPT=y

                I have got autodiscovery working (mostly); Exchange ActiveSync works but IMAPS does not work (I have ports 25, 587, 465, 993 and 4190 port forwarded to my docker server for Mailcow, plus 80 and 443 for Nginx itself).

                The bit I am unsure of for that section is the Mailcow path itself, do I start its location from the home directory or from the Nginx folder or the Mailcow folder.

                I added mail.domain.com autodiscover.domain.com and autoconfig.domain.com to the advanced configuration, the let’s encrypt SSL certificate, and to the proxy host domains section (I am a HUGE dumbarse and should have realised adding all 3 subdomains was necessary…)

                Rightio, I am making good progress I believe.

                I solved the IMAPS issue, I had the port forward wrong, this is all I will say on this matter…..

                When I put in the full, filled-out version of the Nginx advanced configuration for Mailcow it knocks it offline, as we all know, but what I didn't know is you can hover your mouse over the offline area and it will give you a snippet of what is causing the error.

                Doing a bit more searching I am still stumped on how to fix it though.