As I had many problems with my certificates and I did a lot of unneeded configurations, I will be re-installing mailcow on a new virtual machine.
My setup is the following:
A firewall sends all web traffic to my main virtual web server (80/443); on this web server I have a reverse proxy forwarding web traffic per name to my mail server. On my web server I use Let’s Encrypt and it has worked nicely for years. Automatic renewal is working.
All other ports are pointing directly to my mail server.
So my thoughts are now these:
I keep running Let’s Encrypt on my web server, and then a script sends each renewed SSL cert to my mail server, putting them via rsync into
/opt/mailcow-dockerized/data/assets/ssl
Which of these 4 do I need? cert.pem is an obvious one. privkey.pem? Change that name to key.pem?
SSLCertificateFile /etc/letsencrypt/live/mail.server.net/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mail.server.net/privkey.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mail.server.net/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mail.server.net/privkey.pem
then restarting the containers:
docker-compose restart postfix-mailcow dovecot-mailcow

Anything I should know for mail clients? Outlook? Mail(MacOS)? iPhone? Android?

Did I miss something? Am I wrong with this plan? Please let me know. Thanks in advance.


esackbauer (Community Hero)

You need fullchain and privkey. And NOT cert.pem! And the documentation link above says which containers to restart.
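As an added example (not code from this thread or from the mailcow project), here is a certbot deploy hook that implements the plan from the question with the correction above: it takes fullchain.pem and privkey.pem (never the leaf-only cert.pem), installs them under the names mailcow reads from data/assets/ssl (cert.pem and key.pem), refuses to deploy if the key does not match the certificate, and then rsyncs the pair over and restarts the containers named in the question. The host name mail.server.net, the paths, the ssh/rsync target and the DRY_RUN switch are assumptions.

```shell
#!/bin/sh
# Added example (not code from the thread or from mailcow): certbot deploy hook
# that pushes a renewed fullchain/privkey pair from the web server into
# mailcow's ssl directory as cert.pem / key.pem and restarts the containers.
# Host name, paths and the ssh target below are assumptions.
set -eu

# certbot exports RENEWED_LINEAGE to deploy hooks; fall back to the live dir.
LE_LIVE="${RENEWED_LINEAGE:-/etc/letsencrypt/live/mail.server.net}"
MAILCOW_HOST="${MAILCOW_HOST:-mail.server.net}"          # ssh/rsync target (assumed)
MAILCOW_DIR="${MAILCOW_DIR:-/opt/mailcow-dockerized}"
MAILCOW_SSL="$MAILCOW_DIR/data/assets/ssl"
DRY_RUN="${DRY_RUN:-0}"                                  # 1 = print commands only

# Print the command instead of running it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Check that certificate and key belong together by comparing the public key
# each carries; a mismatched pair would leave postfix/dovecot unable to start
# TLS. Returns 0 on match, 1 otherwise.
keypair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Stage exactly the two files mailcow needs into a local directory:
#   fullchain.pem -> cert.pem   (leaf + intermediate; clients need the chain)
#   privkey.pem   -> key.pem    (readable by root only; the daemons load it as root)
# Let's Encrypt's leaf-only cert.pem is deliberately not used. Returns 1 if
# either source file is missing.
stage_certs() {
    src="$1"; dst="$2"
    [ -f "$src/fullchain.pem" ] && [ -f "$src/privkey.pem" ] || return 1
    mkdir -p "$dst"
    install -m 0644 "$src/fullchain.pem" "$dst/cert.pem"
    install -m 0600 "$src/privkey.pem"  "$dst/key.pem"
}

# Copy the staged pair to the mail server and restart the containers that
# read it (the two from the question; the mailcow docs list the full set).
push_and_restart() {
    staged="$1"
    run rsync -a "$staged/cert.pem" "$staged/key.pem" "$MAILCOW_HOST:$MAILCOW_SSL/"
    run ssh "$MAILCOW_HOST" "cd $MAILCOW_DIR && docker-compose restart postfix-mailcow dovecot-mailcow"
}

main() {
    staged=$(mktemp -d)
    stage_certs "$LE_LIVE" "$staged" \
        || { echo "fullchain.pem/privkey.pem missing in $LE_LIVE" >&2; exit 1; }
    keypair_matches "$staged/cert.pem" "$staged/key.pem" \
        || { echo "certificate and key do not match, not deploying" >&2; exit 1; }
    push_and_restart "$staged"
    rm -rf "$staged"
}

# Only deploy when invoked as a hook, e.g. certbot renew --deploy-hook "$0 deploy"
if [ "${1:-}" = "deploy" ]; then main; fi
```

Register it once with `certbot renew --deploy-hook "/path/to/mailcow-deploy.sh deploy"` (or drop it into /etc/letsencrypt/renewal-hooks/deploy/) and it runs only after a successful renewal; the key-match check is the step that catches a half-synced directory before the mail daemons see it.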

10 days later

I am doing mine slightly differently. I have an nginx reverse proxy on the front end using docker with a Let’s Encrypt container and a config generator for when the container starts. This reverse proxies web for mailcow. I leave mailcow to tend to its own certificates, which, while not a single process, is clean. I have mapped the web directory of the mailcow acme container to my reverse proxy web directory for Let’s Encrypt. On the reverse proxy any Let’s Encrypt request will look at the shared directory. This way mailcow writes to a directory that the front end proxy can deliver from. You end up with two certificates for the solution, but it is clean. No copying of certs and each responsible for their area. Can draw a picture if requested or provide more information.
