esackbauer Ah is that how you do it, thank you. Sorry I am not really a forum type person most of the time I just search the entire internet in silence.

So Ansible does it automatically or does it require manual intervention?

I will look into it as I would like to do a complete guide to help others who don’t quite understand just like I was.

    esackbauer I am always up for learning something useful, which is why I didn’t give up on this and ended up learning how the whole Nginx proxy worked.

    Looks like I have a busy weekend ahead

    Thanks for the suggestion and link.

    Hello everyone,
    What a great project mailcow, thank you very much for it. But I’m still failing with the setup.

    I have also successfully installed mailcow in a VM. All containers are running without errors. But I also have an NPM Nginx Proxy Manager running in another VM like here.
    I have now proceeded as described here in the article. Then I get a “502 Bad Gateway” when I want to access the mailcow login. The access is then not visible in the mailcow log.
    If I leave the ports in mailcow.conf at default and do not bind them to 127.0.0.1, and delete the entries on the advanced tab in NPM, I at least get a “403 Forbidden”, and the access can be seen in mailcow.conf with the IP of the NPM and “permission denied”.
    Does anyone have an idea what I am doing wrong?
    What should the forwarding in the NPM look like? I currently have https set to IP:8443.
    Oh and I have deactivated certificates in mailcow, I would like to do this via the NPM.

    Thanks for any help.

      mailer If I leave the ports in mailcow.conf at default and do not bind it to 127.0.0.1,

      mailer I currently have https set to IP:8443

      These two are contradictory. If you leave the mailcow ports at default (which is OK if you run NPM and mailcow on different VMs), then you need to forward from NPM to the mailcow VM’s IP address on port 443, of course.

      Regarding certificates, you need to copy the fullchain.pem and privkey.key to mailcow VM as described here:
      docs.mailcow.email Advanced SSL - mailcow: dockerized documentation

      Thank you for your fast answer.
      OK, I have now done the following:

      1. mailcow.conf standard, Port 80/443 and no IP bind
      2. NPM: delete the entries on the advanced tab as the thread above describes and forward to VM-IP:443

      I now receive “403 Forbidden” and “Permission denied” in the log of mailcow. The permission denied is about the IP of the NPM.

      Something doesn’t fit and I don’t know what or where. Mailcow does not allow my NPM to access it.

      I understood about the certificate, thank you. But I can do that in the end, right? Not until the 403 problem is solved?

      I don’t understand this correctly. Do I have to log in for Fail2Ban? I can’t log in because the page says 403 Forbidden. Can I just stop the Netfilter container? I also have Fail2Ban in the operating system, but that is stopped.

        mailer I also have Fail2Ban in the operating system

        Please don’t do this in the mailcow VM; you are adding error sources. Mailcow already has a Netfilter/fail2ban function built in. Remove fail2ban altogether and leave that job to mailcow itself or your NPM.
        On the Netfilter page in your mailcow UI you should see who is blocked. I have a similar setup to yours; I have whitelisted the IP address of my reverse proxy in Netfilter.
        Try first to publish mailcow without the NPM, directly with an SNAT rule, and then check the Netfilter settings.

        I removed fail2ban completely with apt purge. But it was also stopped beforehand. It didn’t change anything. Still 403 Forbidden.
        I don’t know how to configure access without NPM, can you describe it in more detail? Do you mean access directly with https://IP in the browser? Sorry, I am not really an expert at the moment.

          OK, then I understood it correctly, and I also tested access via the IP beforehand. There is always the 403 Forbidden error and a “Permission denied” entry in the mailcow nginx container. If I want direct access, do I have to change anything in mailcow.conf?

            mailer do I have to change anything in mailcow.conf?

            No, it should work out of the box unless you fiddled with some settings.
            Also important to know: any changes to config files in the mailcow directory need docker compose up -d to make them active. Rebooting alone does not apply changes!

            OK, then it’s weird. Yes, I run docker compose down and docker compose up -d every time.
            The mailcow.conf is standard except for Let’s Encrypt skip set to yes, and an address for watchtower notifications is entered.

            If you are logged in to your mailcow VM, what output does curl http://local-IP give? Local-IP being the IP address of your mailcow VM.
            Is it just a short error message or does it show the html code of the login page?

            This here:
            [root@mail /opt/mailcow-dockerized]# curl http://192.168.1.13
            <html>
            <head><title>403 Forbidden</title></head>
            <body>
            <center><h1>403 Forbidden</h1></center>
            <hr><center>nginx</center>
            </body>
            </html>

            And in mailcow nginx container:
            ```
            2024/05/13 11:11:15 [error] 20#20: *20 "/web/index.php" is forbidden (13: Permission denied), client: 192.168.1.13, server: urlname, request: "GET / HTTP/1.1", host: "192.168.1.13"

            192.168.1.13 - - [13/May/2024:11:11:15 +0200] "GET / HTTP/1.1" 403 146 "-" "curl/8.5.0"
            ```
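The nginx error line quoted above is the key diagnostic in this thread: a 403 with `(13: Permission denied)` is nginx's worker failing to open the file on the filesystem, which is a different cause from a 403 produced by an allow/deny rule (nginx logs that as `access forbidden by rule`). The following Python script is an added example, not part of the thread or of the mailcow project; it parses nginx error-log lines of the format shown and classifies each 403 by cause, so that a defender reviewing the container log can tell a volume-permission problem from an access-control block. The sample lines are constructed for the example, modelled on the one in the thread (the `server:` name `urlname` and the second and third lines are assumptions).

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample log, modelled on the line shown in the thread.
# Line 1 is a filesystem permission failure, line 2 a deny rule, line 3 a missing file.
SAMPLE_ERROR_LOG = """\
2024/05/13 11:11:15 [error] 20#20: *20 "/web/index.php" is forbidden (13: Permission denied), client: 192.168.1.13, server: urlname, request: "GET / HTTP/1.1", host: "192.168.1.13"
2024/05/13 11:12:02 [error] 20#20: *21 access forbidden by rule, client: 192.168.1.50, server: urlname, request: "GET /admin HTTP/1.1", host: "mail.example.test"
2024/05/13 11:12:30 [error] 20#20: *22 open() "/web/missing.php" failed (2: No such file or directory), client: 192.168.1.50, server: urlname, request: "GET /missing.php HTTP/1.1", host: "mail.example.test"
"""

# nginx error-log layout: "<date> <time> [<level>] <pid>#<tid>: *<conn> <message>, client: ..., server: ..., request: "..."
ERROR_RE = re.compile(
    r'^(?P<ts>\S+ \S+) \[(?P<level>\w+)\] \d+#\d+: \*\d+ (?P<msg>.*?), client: (?P<client>[^,]+), '
    r'server: (?P<server>[^,]*), request: "(?P<request>[^"]*)"'
)
# The "(errno: strerror)" suffix nginx appends to OS-level failures.
ERRNO_RE = re.compile(r'\((?P<errno>\d+): (?P<strerror>[^)]*)\)')


@dataclass
class NginxErrorEvent:
    ts: str
    level: str
    client: str
    server: str
    request: str
    msg: str
    errno: Optional[int]
    cause: str


def classify(msg: str, errno: Optional[int]) -> str:
    """Map an nginx error message to the most likely root cause."""
    if "access forbidden by rule" in msg:
        return "deny-rule"        # an allow/deny directive matched: fix the config, not the files
    if errno == 13:
        return "fs-permission"    # worker cannot read the file: check ownership/mode on the volume
    if errno == 2:
        return "missing-file"     # path does not exist in the container
    return "other"


def parse_error_line(line: str) -> Optional[NginxErrorEvent]:
    m = ERROR_RE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    e = ERRNO_RE.search(msg)
    errno = int(e.group("errno")) if e else None
    return NginxErrorEvent(
        ts=m.group("ts"),
        level=m.group("level"),
        client=m.group("client").strip(),
        server=m.group("server"),
        request=m.group("request"),
        msg=msg,
        errno=errno,
        cause=classify(msg, errno),
    )


def parse_error_log(text: str) -> list:
    """Parse every recognised error line; lines that do not match the layout are skipped."""
    return [ev for ev in (parse_error_line(l) for l in text.splitlines()) if ev]


def summarize(events) -> dict:
    """Count events per cause, e.g. {'fs-permission': 1, 'deny-rule': 1}."""
    counts = {}
    for ev in events:
        counts[ev.cause] = counts.get(ev.cause, 0) + 1
    return counts


if __name__ == "__main__":
    evs = parse_error_log(SAMPLE_ERROR_LOG)
    for ev in evs:
        print(f"{ev.ts} client={ev.client} cause={ev.cause} request={ev.request!r}")
    print(summarize(evs))
```

Run it against `docker compose logs nginx-mailcow` output (or any nginx error log) to see whether 403s are coming from the filesystem (the case in this thread, pointing at the data volume's ownership or mode) or from an access rule such as a Netfilter or allow/deny block, which is where the reverse-proxy IP whitelisting discussed earlier would matter.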

            Is there another nginx installation running in that mailcow VM itself or in another container?

            No I think not:

            [root@mail /opt/mailcow-dockerized]# ps -efwww | grep nginx
            root 4518 4498 0 10:29 ? 00:00:00 nginx: master process nginx -g daemon off;
            systemd+ 4633 4518 0 10:29 ? 00:00:00 nginx: worker process
            systemd+ 4634 4518 0 10:29 ? 00:00:00 nginx: worker process
            systemd+ 4635 4518 0 10:29 ? 00:00:00 nginx: worker process
            systemd+ 4636 4518 0 10:29 ? 00:00:00 nginx: worker process
            systemd+ 4637 4518 0 10:29 ? 00:00:00 nginx: cache manager process

            If this were the case, no log entries should arrive in the mailcow nginx, should they?
            The only docker containers in the root context are portainer, watchtower and mailcow.

              mailer If this were the case, no log entries should arrive in mailcow nginx or?

              Correct.
              Then I can only assume that your mailcow installation is somehow broken, and I do not know where to search further. Maybe somebody else has an idea, let’s wait.

              Thank you for your effort, I had actually already deleted everything and reinstalled it, but maybe I’ll try this again, maybe on a different VM.