I removed fail2ban completely with apt purge. But it was also stopped beforehand. It didn’t change anything. Still 403 forbidden.
I don’t know how to configure access without NPM, can you describe it in more detail? Do you mean access directly with https://IP in the browser? Sorry I am not really an expert at the moment.

    Ok then I understood it correctly and I also tested access via the IP beforehand. There is always the 403 forbidden error and a “Permission denied” entry in the mailcow nginx container. If I want direct access, do I have to change anything in mailcow.conf?

      mailer do I have to change anything in mailcow.conf?

      No, it should work out of the box unless you fiddled with some settings.
      Also important to know is any changes to config files in mailcow directory need docker compose up -d to make them active. Rebooting alone does not apply changes!

      Ok then it’s weird. Yes, I run docker compose down and docker compose up -d every time.
      The mailcow.conf is standard except for Let’s Encrypt skip yes and an address for watchtower notification is entered.

      If you are logged in in your mailcow VM, what output does curl http://local-IP give? Local-IP being the IP address of your mailcow VM.
      Is it just a short error message or does it show the html code of the login page?

      This here:
      [root@mail /opt/mailcow-dockerized]# curl http://192.168.1.13
      <html>
      <head><title>403 Forbidden</title></head>
      <body>
      <center><h1>403 Forbidden</h1></center>
      <hr><center>nginx</center>
      </body>
      </html>

      And in mailcow nginx container:
      `2024/05/13 11:11:15 [error] 20#20: *20 “/web/index.php” is forbidden (13: Permission denied), client: 192.168.1.13, server: urlname, request: “GET / HTTP/1.1”, host: “192.168.1.13”

      192.168.1.13 - - [13/May/2024:11:11:15 +0200] “GET / HTTP/1.1” 403 146 “-” “curl/8.5.0”`

      Is there another nginx installation running in that mailcow VM itself or in another container?

      No I think not:

      [root@mail /opt/mailcow-dockerized]# ps -efwww | grep nginx
      root 4518 4498 0 10:29 ? 00:00:00 nginx: master process nginx -g daemon off;
      systemd+ 4633 4518 0 10:29 ? 00:00:00 nginx: worker process
      systemd+ 4634 4518 0 10:29 ? 00:00:00 nginx: worker process
      systemd+ 4635 4518 0 10:29 ? 00:00:00 nginx: worker process
      systemd+ 4636 4518 0 10:29 ? 00:00:00 nginx: worker process
      systemd+ 4637 4518 0 10:29 ? 00:00:00 nginx: cache manager process

      If this were the case, no log entries should arrive in mailcow nginx or?
      The only docker containers in the root context are portainer, watchtower and mailcow.

        mailer If this were the case, no log entries should arrive in mailcow nginx or?

        correct.
        Then I can only assume that your mailcow installation is somehow broken, and I do not know where to search further. Maybe somebody else has an idea, let’s wait.

        Thank you for your effort, I had actually already deleted everything and reinstalled it, but maybe I’ll try this again, maybe on a different VM.

          mailer I have had this error when I was messing around with everything. Make sure your HTTP and HTTPS bind are set to the IP of your docker container or VM with Mailcow not the loopback address (127.0.0.1) and the correct HTTP and HTTPS port that you have exposed for Mailcow access.

          Make sure NPM is also set to use the IP of the Docker machine or VM you have Mailcow installed on, not the loop address as well as the correct HTTP or HTTPS port you set it to.

          Finally, make sure the advanced configure is set to use the actual IP address of the VM or Docker machine not the loop back address.

          Like previously stated, don’t forget to download and copy the SSL certificate into correct location in your Mailcow folder.

          All this has to match!

          Ok, I’m a little confused now. In the history of this article the address 127.0.0.1 is used everywhere for example as bind address or in the advanced tab from NPM, but I shouldn’t use this now but the IP of the VM, right?
          And the certificate that the NPM generated has to be imported now and cannot only be done at the end when access is working, right?

            mailer In the history of this article the address 127.0.0.1 is used everywhere for example as bind address

            No, the default in mailcow.conf is NOT 127.0.0.1. That can only be used if NPM runs on the same VM, for obvious reasons as 127.0.0.1 is called LOCALHOST.
            Seems you have a lot to learn on networking…

            So in your case, if you have mailcow running in a separate VM than your NPM/reverse proxy, leave mailcow bindings as they are, and simply point the NPM to the default ports on the IP of the mailcow VM.
            Certificate in mailcow is a self signed when it starts up the first time. So you are able to access mailcow.

            Ok, I have now entered the IP address in “bind” and inserted the advanced tab in NPM and also adjusted the IP address and port there. It remains 403 forbidden. Even if I want to call mailcow locally with the IP address.
            I haven’t transferred the certificate yet, I’ll do that now but I don’t think that will change anything.

              mailer I have now entered the IP address in “bind”

              leave them empty, that is the default.
              Don’t forget to do docker compose up -d afterwards.

              The nginx 403 error could also be wrong rights on the docker volumes or installation directory, maybe there something was messed up? Are you trying to start mailcow as non-root?

              mailer but I don’t think that will change anything.

              correct. Won’t change the error message.

              Ok, I’m one step further now. I looked at everything again and realized that I had hardened my VM a long time ago. I changed the umask. I have now set this back to 0022 as described in the documentation. I’m sorry I didn’t notice it sooner.
              I downloaded mailcow again from Github and recreated the containers.
              I haven’t entered a bind in mailcow.conf and nothing in the NPM under advanced tab at the moment.
              If I now want to call mailcow via NPM or https://IP, I see a “Preparing” page with the following text:

              `What is happening?
              Please do not stop the stack while we are initializing the database or do other preparations.
              What is happening? - Nginx cannot connect to an upstream server or other services are not ready yet.
              This is fine if mailcow was just installed or updated and can take a few minutes to complete.
              Please check the logs or contact support if the error persists.
              Quick debugging
              Check Nginx and PHP logs:
              
              docker compose logs --tail=200 php-fpm-mailcow nginx-mailcow
              
              Make sure your SQL credentials in mailcow.conf (a link to .env) do fit your initialized SQL volume. If you see an access denied, you might have the wrong mailcow.conf:
              source mailcow.conf ; docker compose exec mysql-mailcow mysql -u${DBUSER} -p${DBPASS} ${DBNAME}
              
              In case of a previous failed installation, create a backup of your existing data, followed by removing all volumes and starting over (NEVER do this with a production system, it will remove ALL data):
              
              BACKUP_LOCATION=/tmp/ ./helper-scripts/backup_and_restore.sh backup all
              docker compose down --volumes ; docker compose up -d
              
              Make sure your timezone is correct. Use "America/New_York" for example, do not use spaces. Check here for a list.
              Click to learn more about getting support.`

              With this command:
              docker compose logs --tail=200 php-fpm-mailcow nginx-mailcow
              I see the following log:

              `[root@mail /opt/mailcow-dockerized]# docker compose logs --tail=200 php-fpm-mailcow nginx-mailcow
              WARN[0000] /opt/mailcow-dockerized/docker-compose.yml: `version` is obsolete 
              nginx-mailcow-1  | 2024/05/13 22:01:36 [notice] 1#1: using the "epoll" event method
              nginx-mailcow-1  | 2024/05/13 22:01:36 [notice] 1#1: nginx/1.25.5
              nginx-mailcow-1  | 2024/05/13 22:01:36 [notice] 1#1: built by gcc 13.2.1 20231014 (Alpine 13.2.1_git20231014) 
              nginx-mailcow-1  | 2024/05/13 22:01:36 [notice] 1#1: OS: Linux 6.8.0-31-generic
              nginx-mailcow-1  | 2024/05/13 22:01:36 [notice] 1#1: getrlimit(RLIMIT_NOFILE): 1048576:1048576
              nginx-mailcow-1  | 2024/05/13 22:01:36 [notice] 1#1: start worker processes
              nginx-mailcow-1  | 2024/05/13 22:01:36 [notice] 1#1: start worker process 20
              nginx-mailcow-1  | 2024/05/13 22:01:36 [notice] 1#1: start worker process 21
              nginx-mailcow-1  | 2024/05/13 22:01:36 [notice] 1#1: start worker process 22
              nginx-mailcow-1  | 2024/05/13 22:01:36 [notice] 1#1: start worker process 23
              nginx-mailcow-1  | 2024/05/13 22:01:36 [notice] 1#1: start cache manager process 24
              nginx-mailcow-1  | 2024/05/13 22:01:36 [notice] 1#1: start cache loader process 25
              nginx-mailcow-1  | 2024/05/13 22:02:29 [error] 20#20: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 172.19.0.1, server: MYURL, request: "GET / HTTP/1.1", upstream: "fastcgi://172.22.1.7:9002", host: "MYURL"
              nginx-mailcow-1  | 2024/05/13 22:02:29 [error] 20#20: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 172.19.0.1, server: MYURL, request: "GET / HTTP/1.1", upstream: "fastcgi://[fd4d:6169:6c63:6f77::a]:9002", host: "MYURL"
              nginx-mailcow-1  | 172.19.0.1 - - [13/May/2024:22:02:29 +0200] "GET / HTTP/1.1" 502 2015 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/125.0"
              nginx-mailcow-1  | 2024/05/13 22:02:36 [notice] 25#25: http file cache: /tmp 0.000M, bsize: 4096
              nginx-mailcow-1  | 2024/05/13 22:02:36 [notice] 1#1: signal 17 (SIGCHLD) received from 25
              nginx-mailcow-1  | 2024/05/13 22:02:36 [notice] 1#1: cache loader process 25 exited with code 0
              nginx-mailcow-1  | 2024/05/13 22:02:36 [notice] 1#1: signal 29 (SIGIO) received
              nginx-mailcow-1  | 2024/05/13 22:05:30 [error] 22#22: *4 connect() failed (111: Connection refused) while connecting to upstream, client: 172.19.0.1, server: MYURL, request: "GET / HTTP/1.1", upstream: "fastcgi://172.22.1.7:9002", host: "MYURL"
              nginx-mailcow-1  | 2024/05/13 22:05:30 [error] 22#22: *4 connect() failed (111: Connection refused) while connecting to upstream, client: 172.19.0.1, server: MYURL, request: "GET / HTTP/1.1", upstream: "fastcgi://[fd4d:6169:6c63:6f77::a]:9002", host: "MYURL"
              nginx-mailcow-1  | 172.19.0.1 - - [13/May/2024:22:05:30 +0200] "GET / HTTP/1.1" 502 2015 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/125.0"
              nginx-mailcow-1  | 2024/05/13 22:05:42 [error] 21#21: *7 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.1.73, server: MYURL, request: "GET / HTTP/2.0", upstream: "fastcgi://172.22.1.7:9002", host: "192.168.1.13"
              nginx-mailcow-1  | 2024/05/13 22:05:42 [error] 21#21: *7 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.1.73, server: MYURL, request: "GET / HTTP/2.0", upstream: "fastcgi://[fd4d:6169:6c63:6f77::a]:9002", host: "192.168.1.13"
              nginx-mailcow-1  | 192.168.1.73 - - [13/May/2024:22:05:42 +0200] "GET / HTTP/2.0" 502 2015 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/125.0"
              php-fpm-mailcow-1  | Waiting for SQL...
              php-fpm-mailcow-1  | Waiting for SQL...
              php-fpm-mailcow-1  | Waiting for SQL...
              `

              Now what could this be?
              I left the mailcow.conf completely standard except for my URL

                mailer Not sure if this will help you but I had the same issue but clearing out the entire folder helps

                docker compose down -v

                docker compose up -d

                  GREAT! That’s it. I do docker compose down but without the -v parameter. After using this parameter I see the login mask and can login. Thank you very much @EverythingBySam and @esackbauer for your time and patience.

                  EverythingBySam but clearing out the entire folder

                  FYI, that’s not clearing a folder, that’s just restarting the whole mailcow installation 😉
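
The first cause found in this thread, a hardened umask that left `/web/index.php` unreadable to the non-root nginx workers (13: Permission denied), can be checked before the stack is started. The script below is an added example, not part of the original posts or of mailcow; the function names are hypothetical, and the directory to audit (for instance the host path that is bind-mounted at `/web`) is an assumption passed as an argument.

```shell
#!/bin/sh
# Added example: audit a checkout for permissions that a hardened umask
# (e.g. 0027 or 0077) leaves behind. Assumes the files are owned by root and
# the container worker matches neither owner nor group, so only the "other"
# permission bits apply to it.

# Exit 0 when the umask (argument, or the shell's current one) strips read
# or search permission from "other" on newly created files and directories.
umask_blocks_other() {
    mask=${1:-$(umask)}
    [ $(( 0$mask & 0005 )) -ne 0 ]
}

# Print every path under DIR that "other" cannot use:
# regular files without o+r, directories without o+rx.
list_blocked_paths() {
    find "$1" \( \( -type f ! -perm -004 \) -o \( -type d ! -perm -005 \) \) -print
}

# Print a verdict for DIR; return 1 if any path would fail with EACCES.
audit_tree() {
    dir=$1
    blocked=$(list_blocked_paths "$dir" | wc -l | tr -d ' ')
    if umask_blocks_other; then
        echo "umask $(umask) is restrictive: new checkouts will repeat the problem"
    fi
    if [ "$blocked" -gt 0 ]; then
        echo "$blocked path(s) under $dir are not accessible to other, first 20:"
        list_blocked_paths "$dir" | head -n 20
        return 1
    fi
    echo "OK: every file under $dir is o+r and every directory is o+rx"
}

# Usage: sh audit.sh /path/to/web-root
if [ $# -gt 0 ]; then
    audit_tree "$1"
fi
```

Do not widen permissions on files that are meant to be private (such as a configuration file holding credentials); audit only the directories the web container has to read.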
