My configuration relies on an Apache frontend to handle incoming traffic. I'd like to extend this to SMTP also, instead of offloading the SSL processing to Mailcow as defined in . Apache can handle incoming on other ports, so is there any issue with adjusting the ports defined in mailcow.conf to listen on, for example, 10143 and 10587? Or does this change the internal port?
Using frontend to handle TLS
Apache can only handle HTTP and HTTPS traffic. For all other protocols, like SMTP and IMAP, this will not work. You have to NAT the traffic to mailcow.
And you must use the certificates which are handled by your reverse proxy, as mailcow then would not renew the certificates.
You have to copy them from the reverse proxy (your Apache) to mailcow like this:
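The copy step described in the answer above, written out as an added example that is not from the original post or from the mailcow project. It assumes the reverse proxy uses Let's Encrypt paths under `/etc/letsencrypt/live/<host>/` and that mailcow lives in `/opt/mailcow-dockerized`; `data/assets/ssl/cert.pem` is the target named in the thread, `key.pem` beside it and the `*-mailcow` container names are assumptions. The script refuses to install a file that contains only one certificate, which is exactly the `cert.pem` versus `fullchain.pem` mistake that produces the "unable to get local issuer certificate" error later in this thread.

```shell
#!/bin/sh
# Added example: push the reverse proxy's Let's Encrypt chain into mailcow.
# Paths, container names and the key.pem filename are assumptions, not from the thread.
set -eu

LE_DIR="${LE_DIR:-/etc/letsencrypt/live/mail.example.org}"   # assumed: proxy's LE dir
MAILCOW_DIR="${MAILCOW_DIR:-/opt/mailcow-dockerized}"        # assumed: mailcow checkout

# Count PEM certificate blocks in a file (0 if the file is missing).
# A usable chain has the leaf plus at least one intermediate, i.e. 2 or more.
count_certs() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c -F -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Copy cert + key into mailcow's ssl directory, but only if the cert file
# actually carries the intermediate chain. Returns 1 (and copies nothing)
# when given a leaf-only cert.pem instead of fullchain.pem.
install_chain() {
    src_cert="$1"; src_key="$2"; dst_dir="$3"
    n=$(count_certs "$src_cert")
    if [ "$n" -lt 2 ]; then
        echo "refusing: $src_cert has $n certificate(s); copy fullchain.pem, not cert.pem" >&2
        return 1
    fi
    mkdir -p "$dst_dir"
    cp "$src_cert" "$dst_dir/cert.pem"
    cp "$src_key" "$dst_dir/key.pem"
    chmod 600 "$dst_dir/key.pem"
    return 0
}

# Postfix, Dovecot and nginx read the files at startup, so restart them
# after a copy. Skipped silently where docker is not installed.
restart_mailcow_tls() {
    command -v docker >/dev/null 2>&1 || { echo "docker not found; skipping restart" >&2; return 0; }
    docker restart $(docker ps -qaf name=postfix-mailcow) \
                   $(docker ps -qaf name=dovecot-mailcow) \
                   $(docker ps -qaf name=nginx-mailcow)
}

# What a mail client sees on submission: a verify code other than 0 means the
# chain is still wrong. Needs network, so it is not run automatically.
check_smtp_tls() {
    openssl s_client -connect "$1:587" -starttls smtp -servername "$1" </dev/null 2>/dev/null \
        | grep 'Verify return code'
}

# Only act when invoked explicitly, so the file can also be sourced for its functions.
if [ "${1:-}" = "--install" ]; then
    install_chain "$LE_DIR/fullchain.pem" "$LE_DIR/privkey.pem" "$MAILCOW_DIR/data/assets/ssl" \
        && restart_mailcow_tls
fi
```

Run it as `sh install-chain.sh --install` from a certbot deploy hook (or a cron job) on the proxy host; after the copy, `check_smtp_tls mail.example.org` should print `Verify return code: 0 (ok)`.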
You could switch to haproxy, it can handle SMTP, IMAP and POP3 as well
Apache is the frontend because it also hosts websites, so haproxy isn’t a viable option at present.
I've run into some issues with the certificate copying process, though. Whilst it all looks fine in a browser, the mail client isn't happy with it at all. Openssl reports it is unable to see the local issuer cert, and when using LetsDebug, the mailcow nginx instance redirects <domain>/.well-known/acme-challenge/letsdebug-test to <domain>.wellknown/acme-challenge/letsdebug-test. I am unsure if the two are related.
DocFraggle haproxy, it can handle SMTP, IMAP and POP3 as well
Does the netfilter/fail2ban still work with that solution?
[unknown] l. Openssl reports it is unable to see the local issuer cert,
Please post the error message.
It sounds like you have not copied the fullchain.pem as per my doc link above:
"just save the combined certificate (containing the certificate and intermediate CA/CA if any) to data/assets/ssl/cert.pem"
northernscrub Apache is the frontend because it also hosts websites, so haproxy isn’t a viable option at present.
So use haproxy only for the SMTP services
Oh, I'm an idiot. Came back after a few hours and realised I was copying cert.pem and not fullchain.pem. Thanks @esackbauer
@DocFraggle I’m intrigued by haproxy. It might actually be a viable solution, at some point I’m going to have to substantially change this network architecture and put the mailcow machine on another domain, potentially over the WWW. haproxy sounds like a much easier solution than trying to tunnel or rsync certs when this happens, thanks!
northernscrub It might actually be a viable solution
Sure, I used it for years before switching to mailcow.