I need help to start Mailcow in Docker environment

AKarakutsa

I’ve started the actual version on Mailcow using docker-compose.

I removed NGINX and added HAProxy.

    haproxy:
      image: haproxy:latest
      container_name: haproxy
      restart: always
      ports:
        - "80:80"
        - "443:443"
      volumes:
        - ./haproxy/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro
        - ./haproxy/letsencrypt:/etc/letsencrypt:ro
        - ./haproxy/errors:/etc/haproxy/errors:ro
      networks:
        - mailcow-network
#    nginx-mailcow:
#      depends_on:
#        - sogo-mailcow
#        - php-fpm-mailcow
#        - redis-mailcow
#      image: nginx:mainline-alpine
#      dns:
#        - ${IPV4_NETWORK:-172.22.1}.254
#      command: /bin/sh -c "envsubst < /etc/nginx/conf.d/templates/listen_plain.template > /etc/nginx/conf.d/listen_plain.active &&
#        envsubst < /etc/nginx/conf.d/templates/listen_ssl.template > /etc/nginx/conf.d/listen_ssl.active &&
#        envsubst < /etc/nginx/conf.d/templates/sogo.template > /etc/nginx/conf.d/sogo.active &&
#        . /etc/nginx/conf.d/templates/server_name.template.sh > /etc/nginx/conf.d/server_name.active &&
#        . /etc/nginx/conf.d/templates/sites.template.sh > /etc/nginx/conf.d/sites.active &&
#        . /etc/nginx/conf.d/templates/sogo_eas.template.sh > /etc/nginx/conf.d/sogo_eas.active &&
#        nginx -qt &&
#        until ping phpfpm -c1 > /dev/null; do sleep 1; done &&
#        until ping sogo -c1 > /dev/null; do sleep 1; done &&
#        until ping redis -c1 > /dev/null; do sleep 1; done &&
#        until ping rspamd -c1 > /dev/null; do sleep 1; done &&
#        exec nginx -g 'daemon off;'"
#      environment:
#        - HTTPS_PORT=${HTTPS_PORT:-443}
#        - HTTP_PORT=${HTTP_PORT:-80}
#        - MAILCOW_HOSTNAME=${MAILCOW_HOSTNAME}
#        - IPV4_NETWORK=${IPV4_NETWORK:-172.22.1}
#        - TZ=${TZ}
#        - SKIP_SOGO=${SKIP_SOGO:-n}
#        - ALLOW_ADMIN_EMAIL_LOGIN=${ALLOW_ADMIN_EMAIL_LOGIN:-n}
#        - ADDITIONAL_SERVER_NAMES=${ADDITIONAL_SERVER_NAMES:-}
#      volumes:
#        - ./data/web:/web:ro,z
#        - ./data/conf/rspamd/dynmaps:/dynmaps:ro,z
#        - ./data/assets/ssl/:/etc/ssl/mail/:ro,z
#        - ./data/conf/nginx/:/etc/nginx/conf.d/:z
#        - ./data/conf/rspamd/meta_exporter:/meta_exporter:ro,z
#        - sogo-web-vol-1:/usr/lib/GNUstep/SOGo/
#      ports:
#        - "${HTTPS_BIND:-}:${HTTPS_PORT:-443}:${HTTPS_PORT:-443}"
#        - "${HTTP_BIND:-}:${HTTP_PORT:-80}:${HTTP_PORT:-80}"
#      restart: always
#      networks:
#        mailcow-network:
#          aliases:
#            - nginx

I also disabled IPv6

networks:
  mailcow-network:
    driver: bridge
    driver_opts:
      com.docker.network.bridge.name: br-mailcow
      com.docker.network.driver.mtu: 1450
    enable_ipv6: false
    ipam:
      driver: default
      config:
        - subnet: ${IPV4_NETWORK:-172.22.1}.0/24
        - subnet: ${IPV6_NETWORK:-fd4d:6169:6c63:6f77::/64}

here is haproxy.cnf:

global
    daemon
    maxconn 256000
    log /dev/log local0
    log /dev/log local1 notice
    user haproxy
    group haproxy
    daemon
    tune.ssl.default-dh-param 2048

defaults
    mode http
    log global
    option httplog
    option dontlognull
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

frontend https-in
  bind :::80 v4v6
  bind :::443 v4v6 ssl crt /etc/letsencrypt/haproxy.pem

  acl mailcow_acme path -i -m beg /.well-known/

  redirect scheme https unless { ssl_fc || mailcow_acme }

  default_backend mailcow

backend mailcow
  option forwardfor
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
  http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
  server mailcow phpfpm:8080 check

Here is haproxy logs:

2024-08-20 23:22:47 [NOTICE]   (1) : haproxy version is 3.0.3-95a607c
2024-08-20 23:22:47 [NOTICE]   (1) : path to executable is /usr/local/sbin/haproxy
2024-08-20 23:22:47 [ALERT]    (1) : config : [/usr/local/etc/haproxy/haproxy.cfg:41] : 'server mailcow/mailcow' : could not resolve address 'phpfpm'.
2024-08-20 23:22:47 [ALERT]    (1) : config : Failed to initialize server(s) addr.
2024-08-20 23:22:52 [NOTICE]   (1) : New worker (8) forked
2024-08-20 23:22:52 [NOTICE]   (1) : Loading success.
2024-08-20 23:22:52 [NOTICE]   (8) : haproxy version is 3.0.3-95a607c
2024-08-20 23:22:52 [NOTICE]   (8) : path to executable is /usr/local/sbin/haproxy
2024-08-20 23:22:52 [WARNING]  (8) : [haproxy.main()] Failed to drop supplementary groups. Using 'gid'/'group' without 'uid'/'user' is generally useless.
2024-08-20 23:22:53 [WARNING]  (8) : Server mailcow/mailcow is DOWN, reason: Layer4 connection problem, info: "Connection refused", check duration: 869ms. 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
2024-08-20 23:22:53 [ALERT]    (8) : sendmsg()/writev() failed in logger #1: No such file or directory (errno=2)
2024-08-20 23:22:53 [ALERT]    (8) : backend 'mailcow' has no server available!

mailcow-network settings:

andrii@andrii-MS-7B33:~/IdeaProjects/Infrastructure/mailcow/mailcow-dockerized$ docker network inspect mailcow-network
[
    {
        "Name": "mailcow-network",
        "Id": "d47a599e70311a42adc06eae5e4cbd190f342d3231698ff5aa3b4690e434e94d",
        "Created": "2024-08-19T19:25:31.808137982Z",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": {},
            "Config": [
                {
                    "Subnet": "172.20.0.0/16",
                    "Gateway": "172.20.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {},
        "Options": {},
        "Labels": {}
    }
]

esackbauer

you cannot remove containers from mailcow.
Do not change the docker compose file.
Either use it as its coming out of the box, or use the official documentation to modify its settings.
Anything else will break it.
If you want haproxy then use it with an additional docker compose file.

AKarakutsa

I am using official documentation to setup HAProxy instead of NGINX:
https://docs.mailcow.email/post_installation/reverse-proxy/r_p-haproxy/

I checked docker ps and saw that phpfpm is on port 9000.
mailcow/phpfpm:1.88 9000/tcp

It seems to be a docker network setup problem, but I do not know how to fix it.

esackbauer

And where is written to replace nginx with HAproxy? A reverse proxy like HAProxy sits in front of a web server like nginx.
You seem to lack understanding what is nginx is used for, and what HAproxy is. HAProxy is not a web server like nginx!

AKarakutsa

Yeah, I am not a DevOps.
Okay, nginx-mailcow must be used as a web server and I should use nginx-mailcow as a web server.
After that, I can use NGINX or HAProxy setup over the nginx-mailcow web server to implement HTTPS protection and probably load balancing.
Do you think the setup should work like this?

esackbauer

AKarakutsa Do you think the setup should work like this?

Mailcow itself handles already https protection, you do not need an additional HA Proxy or nginx for that.
And what do you want to load balance? There is only one instance of mailcow, you cannot run it active-active.
Seems you are very new to all of this…

DocFraggle

I guess you didn’t have a look at the official docs…

https://docs.mailcow.email/post_installation/reverse-proxy/r_p/

AKarakutsa

I started Mailcow at https://127.0.0.1/ and now I have a problem with HTTPS proper setup.
I checked the documentation, and it said I should add a script to use generated certificates and make an access by domain available.

Here is this script:

server {
  listen 80 default_server;
  listen [::]:80 default_server;
  server_name mail.somesite.com autodiscover.* autoconfig.*;
  return 301 https://$host$request_uri;
}
server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  server_name mail.somesite.com autodiscover.* autoconfig.*;

  ssl_certificate /etc/ssl/mail/cert.pem;
  ssl_certificate_key /etc/ssl/mail/key.pem;
  ssl_session_timeout 1d;
  ssl_session_cache shared:SSL:50m;
  ssl_session_tickets off;

  # See https://ssl-config.mozilla.org/#server=nginx for the latest ssl settings recommendations
  # An example config is given below
  ssl_protocols TLSv1.2;
  ssl_ciphers HIGH:!aNULL:!MD5:!SHA1:!kRSA;
  ssl_prefer_server_ciphers off;

  location /Microsoft-Server-ActiveSync {
    proxy_pass http://127.0.0.1:8080/Microsoft-Server-ActiveSync;
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_connect_timeout 75;
    proxy_send_timeout 3650;
    proxy_read_timeout 3650;
    proxy_buffers 64 512k; # Needed since the 2022-04 Update for SOGo
    client_body_buffer_size 512k;
    client_max_body_size 0;
  }

  location / {
    proxy_pass http://127.0.0.1:8080/;
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    client_max_body_size 0;
  # The following Proxy Buffers has to be set if you want to use SOGo after the 2022-04 (April 2022) Update
  # Otherwise a Login will fail like this: https://github.com/mailcow/mailcow-dockerized/issues/4537
    proxy_buffer_size 128k;
    proxy_buffers 64 512k;
    proxy_busy_buffers_size 512k;
  }
}

Here are the actual part of docker-compose:

    nginx-mailcow:
      depends_on:
        - sogo-mailcow
        - php-fpm-mailcow
        - redis-mailcow
      image: nginx:mainline-alpine
      dns:
        - ${IPV4_NETWORK:-172.22.1}.254
      command: /bin/sh -c "envsubst < /etc/nginx/conf.d/templates/listen_plain.template > /etc/nginx/conf.d/listen_plain.active &&
        envsubst < /etc/nginx/conf.d/templates/listen_ssl.template > /etc/nginx/conf.d/listen_ssl.active &&
        envsubst < /etc/nginx/conf.d/templates/sogo.template > /etc/nginx/conf.d/sogo.active &&
        . /etc/nginx/conf.d/templates/server_name.template.sh > /etc/nginx/conf.d/server_name.active &&
        . /etc/nginx/conf.d/templates/sites.template.sh > /etc/nginx/conf.d/sites.active &&
        . /etc/nginx/conf.d/templates/sogo_eas.template.sh > /etc/nginx/conf.d/sogo_eas.active &&
        nginx -qt &&
        until ping phpfpm -c1 > /dev/null; do sleep 1; done &&
        until ping sogo -c1 > /dev/null; do sleep 1; done &&
        until ping redis -c1 > /dev/null; do sleep 1; done &&
        until ping rspamd -c1 > /dev/null; do sleep 1; done &&
        exec nginx -g 'daemon off;'"
      environment:
        - HTTPS_PORT=${HTTPS_PORT:-443}
        - HTTP_PORT=${HTTP_PORT:-80}
        - MAILCOW_HOSTNAME=${MAILCOW_HOSTNAME}
        - IPV4_NETWORK=${IPV4_NETWORK:-172.22.1}
        - TZ=${TZ}
        - SKIP_SOGO=${SKIP_SOGO:-n}
        - ALLOW_ADMIN_EMAIL_LOGIN=${ALLOW_ADMIN_EMAIL_LOGIN:-n}
        - ADDITIONAL_SERVER_NAMES=${ADDITIONAL_SERVER_NAMES:-}
      volumes:
        - ./data/web:/web:ro,z
        - ./data/conf/rspamd/dynmaps:/dynmaps:ro,z
        - ./data/assets/ssl/:/etc/ssl/mail/:ro,z
        - ./data/conf/nginx/:/etc/nginx/conf.d/:z
        - ./data/conf/rspamd/meta_exporter:/meta_exporter:ro,z
        - sogo-web-vol-1:/usr/lib/GNUstep/SOGo/
      ports:
        - "${HTTPS_BIND:-}:${HTTPS_PORT:-443}:${HTTPS_PORT:-443}"
        - "${HTTP_BIND:-}:${HTTP_PORT:-80}:${HTTP_PORT:-80}"
      restart: always
      networks:
        mailcow-network:
          aliases:
            - nginx

    acme-mailcow:
      depends_on:
        nginx-mailcow:
          condition: service_started
        unbound-mailcow:
          condition: service_healthy
      image: mailcow/acme:1.89
      dns:
        - ${IPV4_NETWORK:-172.22.1}.254
      environment:
        - LOG_LINES=${LOG_LINES:-9999}
        - ACME_CONTACT=${ACME_CONTACT:-}
        - ADDITIONAL_SAN=${ADDITIONAL_SAN}
        - AUTODISCOVER_SAN=${AUTODISCOVER_SAN:-y}
        - MAILCOW_HOSTNAME=${MAILCOW_HOSTNAME}
        - DBNAME=${DBNAME}
        - DBUSER=${DBUSER}
        - DBPASS=${DBPASS}
        - SKIP_LETS_ENCRYPT=${SKIP_LETS_ENCRYPT:-n}
        - COMPOSE_PROJECT_NAME=${COMPOSE_PROJECT_NAME:-mailcow-dockerized}
        - DIRECTORY_URL=${DIRECTORY_URL:-}
        - ENABLE_SSL_SNI=${ENABLE_SSL_SNI:-n}
        - SKIP_IP_CHECK=${SKIP_IP_CHECK:-n}
        - SKIP_HTTP_VERIFICATION=${SKIP_HTTP_VERIFICATION:-n}
        - ONLY_MAILCOW_HOSTNAME=${ONLY_MAILCOW_HOSTNAME:-n}
        - LE_STAGING=${LE_STAGING:-n}
        - TZ=${TZ}
        - REDIS_SLAVEOF_IP=${REDIS_SLAVEOF_IP:-}
        - REDIS_SLAVEOF_PORT=${REDIS_SLAVEOF_PORT:-}
        - SNAT_TO_SOURCE=${SNAT_TO_SOURCE:-n}
        - SNAT6_TO_SOURCE=${SNAT6_TO_SOURCE:-n}
      volumes:
        - ./data/web/.well-known/acme-challenge:/var/www/acme:z
        - ./data/assets/ssl:/var/lib/acme/:z
        - ./data/assets/ssl-example:/var/lib/ssl-example/:ro,Z
        - mysql-socket-vol-1:/var/run/mysqld/
      restart: always
      networks:
        mailcow-network:
          aliases:
            - acme

Here are logs from the NGINX container:

2024-08-21 23:28:49 2024/08/21 23:28:49 [warn] 15#15: the "listen ... http2" directive is deprecated, use the "http2" directive instead in /etc/nginx/conf.d/redirect.conf:8
2024-08-21 23:28:49 nginx: [warn] the "listen ... http2" directive is deprecated, use the "http2" directive instead in /etc/nginx/conf.d/redirect.conf:8
2024-08-21 23:28:49 2024/08/21 23:28:49 [warn] 15#15: the "listen ... http2" directive is deprecated, use the "http2" directive instead in /etc/nginx/conf.d/redirect.conf:9
2024-08-21 23:28:49 nginx: [warn] the "listen ... http2" directive is deprecated, use the "http2" directive instead in /etc/nginx/conf.d/redirect.conf:9
2024-08-21 23:28:49 2024/08/21 23:28:49 [warn] 15#15: conflicting server name "mail.somesite.com" on 0.0.0.0:443, ignored
2024-08-21 23:28:49 nginx: [warn] conflicting server name "mail.somesite.com" on 0.0.0.0:443, ignored
2024-08-21 23:28:49 2024/08/21 23:28:49 [warn] 15#15: conflicting server name "autodiscover.*" on 0.0.0.0:443, ignored
2024-08-21 23:28:49 nginx: [warn] conflicting server name "autodiscover.*" on 0.0.0.0:443, ignored
2024-08-21 23:28:49 2024/08/21 23:28:49 [warn] 15#15: conflicting server name "autoconfig.*" on 0.0.0.0:443, ignored
2024-08-21 23:28:49 nginx: [warn] conflicting server name "autoconfig.*" on 0.0.0.0:443, ignored
2024-08-21 23:28:49 2024/08/21 23:28:49 [warn] 15#15: conflicting server name "mail.somesite.com" on [::]:443, ignored
2024-08-21 23:28:49 nginx: [warn] conflicting server name "mail.somesite.com" on [::]:443, ignored
2024-08-21 23:28:49 2024/08/21 23:28:49 [warn] 15#15: conflicting server name "autodiscover.*" on [::]:443, ignored
2024-08-21 23:28:49 nginx: [warn] conflicting server name "autodiscover.*" on [::]:443, ignored
2024-08-21 23:28:49 2024/08/21 23:28:49 [warn] 15#15: conflicting server name "autoconfig.*" on [::]:443, ignored
2024-08-21 23:28:49 nginx: [warn] conflicting server name "autoconfig.*" on [::]:443, ignored
2024-08-21 23:28:50 2024/08/21 23:28:50 [warn] 1#1: the "listen ... http2" directive is deprecated, use the "http2" directive instead in /etc/nginx/conf.d/redirect.conf:8
2024-08-21 23:28:50 nginx: [warn] the "listen ... http2" directive is deprecated, use the "http2" directive instead in /etc/nginx/conf.d/redirect.conf:8
2024-08-21 23:28:50 2024/08/21 23:28:50 [warn] 1#1: the "listen ... http2" directive is deprecated, use the "http2" directive instead in /etc/nginx/conf.d/redirect.conf:9
2024-08-21 23:28:50 nginx: [warn] the "listen ... http2" directive is deprecated, use the "http2" directive instead in /etc/nginx/conf.d/redirect.conf:9
2024-08-21 23:28:50 2024/08/21 23:28:50 [warn] 1#1: conflicting server name "mail.somesite.com" on 0.0.0.0:443, ignored
2024-08-21 23:28:50 nginx: [warn] conflicting server name "mail.somesite.com" on 0.0.0.0:443, ignored
2024-08-21 23:28:50 2024/08/21 23:28:50 [warn] 1#1: conflicting server name "autodiscover.*" on 0.0.0.0:443, ignored
2024-08-21 23:28:50 nginx: [warn] conflicting server name "autodiscover.*" on 0.0.0.0:443, ignored
2024-08-21 23:28:50 2024/08/21 23:28:50 [warn] 1#1: conflicting server name "autoconfig.*" on 0.0.0.0:443, ignored
2024-08-21 23:28:50 nginx: [warn] conflicting server name "autoconfig.*" on 0.0.0.0:443, ignored
2024-08-21 23:28:50 2024/08/21 23:28:50 [warn] 1#1: conflicting server name "mail.somesite.com" on [::]:443, ignored
2024-08-21 23:28:50 nginx: [warn] conflicting server name "mail.somesite.com" on [::]:443, ignored
2024-08-21 23:28:50 2024/08/21 23:28:50 [warn] 1#1: conflicting server name "autodiscover.*" on [::]:443, ignored
2024-08-21 23:28:50 nginx: [warn] conflicting server name "autodiscover.*" on [::]:443, ignored
2024-08-21 23:28:50 2024/08/21 23:28:50 [warn] 1#1: conflicting server name "autoconfig.*" on [::]:443, ignored
2024-08-21 23:28:50 nginx: [warn] conflicting server name "autoconfig.*" on [::]:443, ignored
2024-08-21 23:28:50 2024/08/21 23:28:50 [notice] 1#1: using the "epoll" event method
2024-08-21 23:28:50 2024/08/21 23:28:50 [notice] 1#1: nginx/1.27.1
2024-08-21 23:28:50 2024/08/21 23:28:50 [notice] 1#1: built by gcc 13.2.1 20240309 (Alpine 13.2.1_git20240309) 
2024-08-21 23:28:50 2024/08/21 23:28:50 [notice] 1#1: OS: Linux 6.6.32-linuxkit
2024-08-21 23:28:50 2024/08/21 23:28:50 [notice] 1#1: getrlimit(RLIMIT_NOFILE): 1048576:1048576
2024-08-21 23:28:50 2024/08/21 23:28:50 [notice] 1#1: start worker processes
2024-08-21 23:28:50 2024/08/21 23:28:50 [notice] 1#1: start worker process 20
2024-08-21 23:28:50 2024/08/21 23:28:50 [notice] 1#1: start worker process 21
2024-08-21 23:28:50 2024/08/21 23:28:50 [notice] 1#1: start worker process 22
2024-08-21 23:28:50 2024/08/21 23:28:50 [notice] 1#1: start worker process 23
2024-08-21 23:28:50 2024/08/21 23:28:50 [notice] 1#1: start worker process 24
2024-08-21 23:28:50 2024/08/21 23:28:50 [notice] 1#1: start worker process 25
2024-08-21 23:28:50 2024/08/21 23:28:50 [notice] 1#1: start cache manager process 26
2024-08-21 23:28:50 2024/08/21 23:28:50 [notice] 1#1: start cache loader process 27
2024-08-21 23:29:50 2024/08/21 23:29:50 [notice] 27#27: http file cache: /tmp 0.000M, bsize: 4096
2024-08-21 23:29:50 2024/08/21 23:29:50 [notice] 1#1: signal 17 (SIGCHLD) received from 27
2024-08-21 23:29:50 2024/08/21 23:29:50 [notice] 1#1: cache loader process 27 exited with code 0
2024-08-21 23:29:50 2024/08/21 23:29:50 [notice] 1#1: signal 29 (SIGIO) received
2024-08-21 23:28:59 172.22.1.10 - - [21/Aug/2024:23:28:59 +0300] "HEAD /forwardinghosts.php HTTP/1.1" 200 0 "-" "rspamd-3.9.1"
2024-08-21 23:28:59 172.22.1.10 - - [21/Aug/2024:23:28:59 +0300] "HEAD /settings.php HTTP/1.1" 304 0 "-" "rspamd-3.9.1"
2024-08-21 23:29:04 172.22.1.10 - - [21/Aug/2024:23:29:04 +0300] "GET /forwardinghosts.php HTTP/1.1" 200 27 "-" "rspamd-3.9.1"
2024-08-21 23:29:12 172.22.1.12 - - [21/Aug/2024:23:29:12 +0300] "HEAD / HTTP/1.1" 200 0 "-" "curl/8.9.0"
2024-08-21 23:29:13 172.22.1.12 - - [21/Aug/2024:23:29:13 +0300] "GET / HTTP/1.1" 301 169 "-" "curl/8.9.0" "-"
2024-08-21 23:29:42 172.22.1.10 - - [21/Aug/2024:23:29:42 +0300] "HEAD /settings.php HTTP/1.1" 304 0 "-" "rspamd-3.9.1"
2024-08-21 23:29:43 172.22.1.13 - - [21/Aug/2024:23:29:43 +0300] "GET / HTTP/1.1" 200 15 "-" "check_http/v (nagios-plugins 2.4.5)"
2024-08-21 23:29:52 172.22.1.10 - - [21/Aug/2024:23:29:52 +0300] "HEAD /forwardinghosts.php HTTP/1.1" 200 0 "-" "rspamd-3.9.1"
2024-08-21 23:29:57 172.22.1.10 - - [21/Aug/2024:23:29:57 +0300] "GET /forwardinghosts.php HTTP/1.1" 200 27 "-" "rspamd-3.9.1"
2024-08-21 23:30:19 127.0.0.1 - - [21/Aug/2024:23:30:19 +0300] "GET / HTTP/1.0" 200 26586 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"

.env:

MAILCOW_HOSTNAME=mail.somesite.com

HTTP_PORT=8080
HTTP_BIND=127.0.0.1

HTTPS_PORT=443
HTTPS_BIND=127.0.0.1

DocFraggle

AKarakutsa I should add a script

It’s a config file, not a script. And the config you are referring to is for the Nginx instance acting as reverse proxy which is installed separately. Did you add the config to your mailcow Nginx directory? That’s the wrong place… it has to be added to your Nginx package config directory

esackbauer

AKarakutsa now I have a problem with HTTPS proper setup.

I guess you have no problem with mailcow if you set it up according to the documentation.
Lets Encrypt ACME client will get the certificates automatically, as written here:
https://docs.mailcow.email/post_installation/firststeps-ssl/#lets-encrypt-out-of-the-box

BUT the prerequisite is that your DNS setup is correct and that all needed firewall ports are open.
There is no need to mess around with mailcows nginx config files or docker compose files for a plain installation.
Any changes to the docker compose file will be overwritten by next update.

AKarakutsa

It looks like the config file was placed correctly, here is the path:

/mailcow/mailcow-dockerized/data/conf/nginx/redirect.conf

Here is docker-compose.yml path:

/mailcow/mailcow-dockerized/docker-compose.yml

nginx volumes:

      volumes:
        - ./data/web:/web:ro,z
        - ./data/conf/rspamd/dynmaps:/dynmaps:ro,z
        - ./data/assets/ssl/:/etc/ssl/mail/:ro,z
        **- ./data/conf/nginx/:/etc/nginx/conf.d/:z**
        - ./data/conf/rspamd/meta_exporter:/meta_exporter:ro,z
        - sogo-web-vol-1:/usr/lib/GNUstep/SOGo/

acme volumes

      volumes:
        - ./data/web/.well-known/acme-challenge:/var/www/acme:z
        - ./data/assets/ssl:/var/lib/acme/:z
        **- ./data/assets/ssl-example:/var/lib/ssl-example/:ro,Z**
        - mysql-socket-vol-1:/var/run/mysqld/

Will Let’s Encrypt keys will be generated authomatically or should I generate them separately and put them to

/mailcow/mailcow-dockerized/data/assets/ssl

/mailcow/mailcow-dockerized/data/assets/ssl/acme

/mailcow/mailcow-dockerized/data/assets/ssl-example

DocFraggle

AKarakutsa It looks like the config file was placed correctly

No. As I said before, this config is for your reverse proxy Nginx. You have to install Nginx on your server and use it’s own config directory, normally /etc/nginx

I suggest you try to understand what you want to achieve first…

AKarakutsa

I have proper setup for MAILCOW_HOSTNAME and DNS Rules were set correctly as for Jira Infrastructure on the same machine with HAProxy I have HTTPS on subdomains fully working. HAProxy is turned off now.

I can open Mailcow at URL https://127.0.0.1/ and see that the certificate verified by Mailcow and the browser set the connection as not secure. I cannot open the page using the domain name.

In mailcowdockerized_acme-mailcow_1 I see log:

2024-08-22 22:37:33 Thu Aug 22 22:37:33 EEST 2024 - Initializing, please wait...
2024-08-22 22:37:34 Thu Aug 22 22:37:34 EEST 2024 - Using existing domain rsa key /var/lib/acme/acme/key.pem
2024-08-22 22:37:34 Thu Aug 22 22:37:34 EEST 2024 - Using existing Lets Encrypt account key /var/lib/acme/acme/account.pem
2024-08-22 22:37:34 Thu Aug 22 22:37:34 EEST 2024 - Detecting IP addresses...
2024-08-22 22:37:43 Thu Aug 22 22:37:43 EEST 2024 - OK: 188.239.100.183, 0000:0000:0000:0000:0000:0000:0000:0000
2024-08-22 22:37:58 Thu Aug 22 22:37:58 EEST 2024 - No A or AAAA record found for hostname mail.somedomain.com
2024-08-22 22:37:58 Thu Aug 22 22:37:58 EEST 2024 - Cannot validate any hostnames, skipping Let's Encrypt for 1 hour.
2024-08-22 22:37:58 Thu Aug 22 22:37:58 EEST 2024 - Use SKIP_LETS_ENCRYPT=y in mailcow.conf to skip it permanently.
2024-08-22 22:37:58 OK
2024-08-22 22:37:33 Could not find certificate from <stdin>

and in NGINX I see this logs:

2024-08-22 22:36:56 2024/08/22 22:36:56 [warn] 1#1: conflicting server name "autoconfig.*" on 0.0.0.0:443, ignored
2024-08-22 22:36:56 nginx: [warn] conflicting server name "autoconfig.*" on 0.0.0.0:443, ignored
2024-08-22 22:36:56 2024/08/22 22:36:56 [warn] 1#1: conflicting server name "mail.somedomain.com" on [::]:443, ignored
2024-08-22 22:36:56 nginx: [warn] conflicting server name "mail.somedomain.com" on [::]:443, ignored

If I change

a configuration like this:

HTTP_PORT=80
HTTP_BIND=0.0.0.0

HTTPS_PORT=443
HTTPS_BIND=0.0.0.0

Access to Mailcow using https://127.0.0.1/ and https://mail.somedomain.com blocked by NGINX with error 502 Bad Gateway and errors in logs:

2024-08-22 23:19:22 2024/08/22 23:19:22 [error] 20#20: *6 connect() failed (111: Connection refused) while connecting to upstream, client: 172.22.1.1, server: mail.somedomain.ua, request: "GET / HTTP/2.0", upstream: "http://127.0.0.1:9000/", host: "mail.somedomain.ua"
2024-08-22 23:19:24 2024/08/22 23:19:24 [error] 22#22: *9 connect() failed (111: Connection refused) while connecting to upstream, client: 172.22.1.1, server: mail.somedomain.ua, request: "GET / HTTP/2.0", upstream: "http://127.0.0.1:9000/", host: "127.0.0.1"

I checked network using command docker network inspect mailcow-network and defined that containers network is empty:

andrii@andrii-MS-7B33:~/IdeaProjects/Infrastructure/mailcow/mailcow-dockerized$ docker network inspect mailcow-network
[
    {
        "Name": "mailcow-network",
        "Id": "d47a599e70311a42adc06eae5e4cbd190f342d3231698ff5aa3b4690e434e94d",
        "Created": "2024-08-19T19:25:31.808137982Z",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": {},
            "Config": [
                {
                    "Subnet": "172.20.0.0/16",
                    "Gateway": "172.20.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {},
        "Options": {},
        "Labels": {}
    }
]

I’ve added php-fpm container to network manually using command “docker network connect mailcow-network mailcowdockerized_php-fpm-mailcow_1”

andrii@andrii-MS-7B33:~/IdeaProjects/Infrastructure/mailcow/mailcow-dockerized$ docker network inspect mailcow-network
[
    {
        "Name": "mailcow-network",
        "Id": "d47a599e70311a42adc06eae5e4cbd190f342d3231698ff5aa3b4690e434e94d",
        "Created": "2024-08-19T19:25:31.808137982Z",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": {},
            "Config": [
                {
                    "Subnet": "172.20.0.0/16",
                    "Gateway": "172.20.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "7e1779ded75cc04ec3a9eeac4c0028de133373612df0fb7f830cbfa5c5e4f7de": {
                "Name": "mailcowdockerized_php-fpm-mailcow_1",
                "EndpointID": "abb8ace28d3fe4aecb1997cb434fc375eae7f9f29231d946c71f4be477fbc4f6",
                "MacAddress": "02:42:ac:14:00:02",
                "IPv4Address": "172.20.0.2/16",
                "IPv6Address": ""
            },
            "c5fef02228420a5547f0443ede4d106f7aac97bd4a1ac5a7de41f7a80646abd8": {
                "Name": "mailcowdockerized_nginx-mailcow_1",
                "EndpointID": "d9e271a1d1898a4da190c22ca9b1e737d5848a7668c8c7456923f435deb4c200",
                "MacAddress": "02:42:ac:14:00:03",
                "IPv4Address": "172.20.0.3/16",
                "IPv6Address": ""
            }
        },
        "Options": {},
        "Labels": {}
    }
]

but still got the same error in logs.

I’ve also tried to update NGINX settings to add line:

proxy_pass http://php-fpm-mailcow:9000/;

server {
  listen 80 default_server;
  listen [::]:80 default_server;
  server_name mail.somedomain.ua autodiscover.* autoconfig.*;
  return 301 https://$host$request_uri;
}
server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  server_name mail.somedomain.ua autodiscover.* autoconfig.*;

  ssl_certificate /etc/ssl/mail/cert.pem;
  ssl_certificate_key /etc/ssl/mail/key.pem;
  ssl_session_timeout 1d;
  ssl_session_cache shared:SSL:50m;
  ssl_session_tickets off;

  # See https://ssl-config.mozilla.org/#server=nginx for the latest ssl settings recommendations
  # An example config is given below
  ssl_protocols TLSv1.2;
  ssl_ciphers HIGH:!aNULL:!MD5:!SHA1:!kRSA;
  ssl_prefer_server_ciphers off;

  location /Microsoft-Server-ActiveSync {
    proxy_pass http://127.0.0.1:8080/Microsoft-Server-ActiveSync;
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_connect_timeout 75;
    proxy_send_timeout 3650;
    proxy_read_timeout 3650;
    proxy_buffers 64 512k; # Needed since the 2022-04 Update for SOGo
    client_body_buffer_size 512k;
    client_max_body_size 0;
  }

  location / {
    proxy_pass http://php-fpm-mailcow:9000/;
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    client_max_body_size 0;
  # The following Proxy Buffers has to be set if you want to use SOGo after the 2022-04 (April 2022) Update
  # Otherwise a Login will fail like this: https://github.com/mailcow/mailcow-dockerized/issues/4537
    proxy_buffer_size 128k;
    proxy_buffers 64 512k;
    proxy_busy_buffers_size 512k;
  }
}

but still got errors

for NGINX:

2024-08-22 23:31:05 2024/08/22 23:31:05 [error] 20#20: *8 recv() failed (104: Connection reset by peer) while reading response header from upstream, client: 172.20.0.1, server: mail.somedomain.ua, request: "GET / HTTP/2.0", upstream: "http://172.22.1.7:9000/", host: "mail.somedomain.ua"

for acme:

2024-08-22 23:10:10 Thu Aug 22 23:10:10 EEST 2024 - Initializing, please wait...
2024-08-22 23:10:11 Thu Aug 22 23:10:11 EEST 2024 - Using existing domain rsa key /var/lib/acme/acme/key.pem
2024-08-22 23:10:11 Thu Aug 22 23:10:11 EEST 2024 - Using existing Lets Encrypt account key /var/lib/acme/acme/account.pem
2024-08-22 23:10:11 Thu Aug 22 23:10:11 EEST 2024 - Detecting IP addresses...
2024-08-22 23:10:20 Thu Aug 22 23:10:20 EEST 2024 - OK: 188.239.100.183, 0000:0000:0000:0000:0000:0000:0000:0000
2024-08-22 23:10:32 Thu Aug 22 23:10:32 EEST 2024 - No A or AAAA record found for hostname mail.somedomain.ua
2024-08-22 23:10:32 Thu Aug 22 23:10:32 EEST 2024 - Cannot validate any hostnames, skipping Let's Encrypt for 1 hour.
2024-08-22 23:10:32 Thu Aug 22 23:10:32 EEST 2024 - Use SKIP_LETS_ENCRYPT=y in mailcow.conf to skip it permanently.

And there are several questions:

Why containers are not available in mailcow docker network?
Why access through localhost and through domain name is blocked by NGINX?

AKarakutsa

I’ve removed the old variant and reinstalled Mailcow.

.env settings:

HTTP_PORT=80
HTTP_BIND=0.0.0.0

HTTPS_PORT=443
HTTPS_BIND=0.0.0.0

I can open Mailcow at https://127.0.0.1/ and the domain https://mail.somedomain.com, but the connection is not secure as the certificate is self-signed.

In acme logs:

2024-08-23 23:13:22 Fri Aug 23 23:13:22 EEST 2024 - Initializing, please wait...
2024-08-23 23:13:23 Fri Aug 23 23:13:23 EEST 2024 - Using existing domain rsa key /var/lib/acme/acme/key.pem
2024-08-23 23:13:23 Fri Aug 23 23:13:23 EEST 2024 - Using existing Lets Encrypt account key /var/lib/acme/acme/account.pem
2024-08-23 23:13:23 Fri Aug 23 23:13:23 EEST 2024 - Detecting IP addresses...
2024-08-23 23:13:59 Fri Aug 23 23:13:59 EEST 2024 - OK: 188.239.100.183, 0000:0000:0000:0000:0000:0000:0000:0000
2024-08-23 23:14:11 Fri Aug 23 23:14:11 EEST 2024 - No A or AAAA record found for hostname mail.somedomain.com
2024-08-23 23:14:11 Fri Aug 23 23:14:11 EEST 2024 - Cannot validate any hostnames, skipping Let's Encrypt for 1 hour.
2024-08-23 23:14:11 Fri Aug 23 23:14:11 EEST 2024 - Use SKIP_LETS_ENCRYPT=y in mailcow.conf to skip it permanently.
2024-08-23 23:14:11 OK

It is a clear setup and this should work from the box as I understood. How to generate Let’s Encrypt certificates?

DocFraggle

AKarakutsa No A or AAAA record found for hostname

Your still didn’t answer the question if you setup your DNS correctly… and as you didn’t disclose your fqdn we can’t help you checking

AKarakutsa

DNS looks correct and I see Mailcow at https://mail.akon.ua/, but connection is not secure

DocFraggle

Are you blocking outgoing DNS traffic?

AKarakutsa

Can you tell me how DNS blocking can be checked? It should work fine from what I see.
I have Jira Infrastructure (multiple subdomains) + HAProxy + Let’s Encrypt on the same machine and encryption works well.
I fully turned off Jira Infrastructure + HAProxy and turned on Mailcow using the manual.
Is this okay that in the log after IP Address a lot of zero? Is it IPv6?

2024-08-23 23:13:59 Fri Aug 23 23:13:59 EEST 2024 - OK: 188.239.100.183, 0000:0000:0000:0000:0000:0000:0000:0000

Server ports status:

andrii@andrii-MS-7B33:~/IdeaProjects/Infrastructure/mailcow/mailcow-dockerized$ sudo netstat -tuln
[sudo] password for andrii: 
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 127.0.0.1:19991         0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:18983         0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:34453         0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:5938            0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:7654          0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:5939          0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:13306         0.0.0.0:*               LISTEN     
tcp6       0      0 :::4190                 :::*                    LISTEN     
tcp6       0      0 :::5938                 :::*                    LISTEN     
tcp6       0      0 ::1:631                 :::*                    LISTEN     
tcp6       0      0 :::80                   :::*                    LISTEN     
tcp6       0      0 :::110                  :::*                    LISTEN     
tcp6       0      0 :::22                   :::*                    LISTEN     
tcp6       0      0 :::25                   :::*                    LISTEN     
tcp6       0      0 :::143                  :::*                    LISTEN     
tcp6       0      0 :::465                  :::*                    LISTEN     
tcp6       0      0 :::443                  :::*                    LISTEN     
tcp6       0      0 :::587                  :::*                    LISTEN     
tcp6       0      0 :::995                  :::*                    LISTEN     
tcp6       0      0 :::993                  :::*                    LISTEN     
tcp6       0      0 127.0.0.1:63342         :::*                    LISTEN     
udp        0      0 0.0.0.0:52719           0.0.0.0:*                          
udp        0      0 0.0.0.0:5353            0.0.0.0:*                          
udp        0      0 0.0.0.0:58375           0.0.0.0:*                          
udp        0      0 0.0.0.0:46357           0.0.0.0:*                          
udp        0      0 0.0.0.0:46558           0.0.0.0:*                          
udp        0      0 0.0.0.0:47924           0.0.0.0:*                          
udp        0      0 127.0.0.53:53           0.0.0.0:*                          
udp        0      0 0.0.0.0:631             0.0.0.0:*                          
udp        0      0 0.0.0.0:50303           0.0.0.0:*                          
udp6       0      0 :::5353                 :::*                               
udp6       0      0 :::60006                :::*

andrii@andrii-MS-7B33:~/IdeaProjects/Infrastructure/mailcow/mailcow-dockerized$ docker ps
CONTAINER ID   IMAGE                    COMMAND                  CREATED          STATUS                    PORTS                                                                                                                                                                                                                               NAMES
70c6c6bdb8d2   robbertkl/ipv6nat        "/docker-ipv6nat-com…"   14 minutes ago   Up 14 minutes                                                                                                                                                                                                                                                 mailcowdockerized_ipv6nat-mailcow_1
032760d24d3a   mailcow/watchdog:2.05    "/watchdog.sh"           14 minutes ago   Up 14 minutes                                                                                                                                                                                                                                                 mailcowdockerized_watchdog-mailcow_1
647a9b4da561   mailcow/acme:1.90        "/sbin/tini -g -- /s…"   14 minutes ago   Up 14 minutes                                                                                                                                                                                                                                                 mailcowdockerized_acme-mailcow_1
1f197e688876   mailcow/postfix:1.76     "/docker-entrypoint.…"   14 minutes ago   Up 14 minutes             0.0.0.0:25->25/tcp, :::25->25/tcp, 0.0.0.0:465->465/tcp, :::465->465/tcp, 0.0.0.0:587->587/tcp, :::587->587/tcp, 588/tcp                                                                                                            mailcowdockerized_postfix-mailcow_1
83ceafcd111e   mailcow/clamd:1.66       "/sbin/tini -g -- /c…"   14 minutes ago   Up 14 minutes (healthy)                                                                                                                                                                                                                                       mailcowdockerized_clamd-mailcow_1
053ca04cfb55   mcuadros/ofelia:latest   "/usr/bin/ofelia dae…"   14 minutes ago   Up 14 minutes                                                                                                                                                                                                                                                 mailcowdockerized_ofelia-mailcow_1
82788365c0a0   mailcow/rspamd:1.97      "/docker-entrypoint.…"   14 minutes ago   Up 14 minutes                                                                                                                                                                                                                                                 mailcowdockerized_rspamd-mailcow_1
6cd647ab876e   nginx:mainline-alpine    "/docker-entrypoint.…"   14 minutes ago   Up 14 minutes             0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp                                                                                                                                                                                            mailcowdockerized_nginx-mailcow_1
7c15526a0e10   mailcow/dovecot:2.1      "/docker-entrypoint.…"   14 minutes ago   Up 14 minutes             0.0.0.0:110->110/tcp, :::110->110/tcp, 0.0.0.0:143->143/tcp, :::143->143/tcp, 0.0.0.0:993->993/tcp, :::993->993/tcp, 0.0.0.0:995->995/tcp, :::995->995/tcp, 0.0.0.0:4190->4190/tcp, :::4190->4190/tcp, 127.0.0.1:19991->12345/tcp   mailcowdockerized_dovecot-mailcow_1
91cf26586ed0   mailcow/phpfpm:1.89      "/docker-entrypoint.…"   14 minutes ago   Up 14 minutes             9000/tcp                                                                                                                                                                                                                            mailcowdockerized_php-fpm-mailcow_1
e09f18435dae   mariadb:10.5             "docker-entrypoint.s…"   14 minutes ago   Up 14 minutes             127.0.0.1:13306->3306/tcp                                                                                                                                                                                                           mailcowdockerized_mysql-mailcow_1
9fd3867727e5   redis:7-alpine           "docker-entrypoint.s…"   14 minutes ago   Up 14 minutes             127.0.0.1:7654->6379/tcp                                                                                                                                                                                                            mailcowdockerized_redis-mailcow_1
ddab3e3e2cab   mailcow/solr:1.8.3       "docker-entrypoint.s…"   14 minutes ago   Up 14 minutes             127.0.0.1:18983->8983/tcp                                                                                                                                                                                                           mailcowdockerized_solr-mailcow_1
58d37706ba48   memcached:alpine         "docker-entrypoint.s…"   14 minutes ago   Up 14 minutes             11211/tcp                                                                                                                                                                                                                           mailcowdockerized_memcached-mailcow_1
300795849d1b   mailcow/unbound:1.23     "/docker-entrypoint.…"   14 minutes ago   Up 14 minutes (healthy)   53/tcp, 53/udp                                                                                                                                                                                                                      mailcowdockerized_unbound-mailcow_1
071a2ee24b7a   mailcow/sogo:1.125       "/docker-entrypoint.…"   14 minutes ago   Up 14 minutes                                                                                                                                                                                                                                                 mailcowdockerized_sogo-mailcow_1
f29a203e8716   mailcow/dockerapi:2.08   "/bin/sh /app/docker…"   14 minutes ago   Up 14 minutes                                                                                                                                                                                                                                                 mailcowdockerized_dockerapi-mailcow_1
59def9766f0a   mailcow/netfilter:1.59   "/bin/sh -c /app/doc…"   14 minutes ago   Up 14 minutes                                                                                                                                                                                                                                                 mailcowdockerized_netfilter-mailcow_1
fc881d5d00af   mailcow/olefy:1.13       "python3 -u /app/ole…"   14 minutes ago   Up 14 minutes                                                                                                                                                                                                                                                 mailcowdockerized_olefy-mailcow_1

AKarakutsa

I missed this part:

Open mailcow.conf and set HTTP_BIND= - if not already set.

Create a new file data/conf/nginx/redirect.conf and add the following server config to the file:


server {
  root /web;
  listen 80 default_server;
  listen [::]:80 default_server;
  include /etc/nginx/conf.d/server_name.active;
  if ( $request_uri ~* "%0A|%0D" ) { return 403; }
  location ^~ /.well-known/acme-challenge/ {
    allow all;
    default_type "text/plain";
  }
  location / {
    return 301 https://$host$uri$is_args$args;
  }
}

I added redirect.conf and restarted containers, and still, acme failed the encryption process.

DocFraggle

AKarakutsa Create a new file data/conf/nginx/redirect.conf

Where exactly did you find these instructions??