My configuration relies on an apache frontend to handle incoming traffic. I’d like to extend this to SMTP also, instead of offloading the SSL processing to Mailcow as defined in the "Apache 2.4 - mailcow: dockerized documentation" page (docs.mailcow.email). Apache can handle incoming on other ports, so is there any issue with adjusting the ports defined in mailcow.conf to listen on, for example, 10143 and 10587? Or does this change the internal port?

  • esackbauer (Community Hero, Moolevel 362), edited:

Apache can only handle http and https traffic. For all other protocols like SMTP and IMAP this will not work. You have to NAT the traffic to mailcow.
And you must use the certificates which are handled by your reverse proxy, as mailcow then would not renew the certificates.
You have to copy them from reverse proxy (your apache) to mailcow like this:
Advanced SSL - mailcow: dockerized documentation (docs.mailcow.email)


  • DocFraggle (Community Hero, Moolevel 263):

You could switch to haproxy, it can handle SMTP, IMAP and POP3 as well

    Apache is the frontend because it also hosts websites, so haproxy isn’t a viable option at present.

    I’ve run into some issues with the certificate copying process, though. Whilst it all looks fine in a browser, the mail client isn’t happy with it at all. Openssl reports it is unable to see the local issuer cert, and when using LetsDebug, the mailcow nginx instance redirects <domain>/.well-known/acme-challenge/letsdebug-test to <domain>.wellknown/acme-challenge/letsdebug-test. I am unsure if the two are related.

      • esackbauer (Community Hero, Moolevel 362), edited:

      DocFraggle: haproxy, it can handle SMTP, IMAP and POP3 as well

      Does the netfilter/fail2ban still work with that solution?

      northernscrub: Openssl reports it is unable to see the local issuer cert,

      Please post the error message.
      It sounds like you have not copied the fullchain.pem as per my doc link above:

      “just save the combined certificate (containing the certificate and intermediate CA/CA if any) to data/assets/ssl/cert.pem”


      • DocFraggle (Community Hero, Moolevel 263):

      northernscrub: Apache is the frontend because it also hosts websites, so haproxy isn’t a viable option at present.

      So use haproxy only for the SMTP services

      Oh I’m an idiot. Came back after a few hours and realised I was copying cert.pem and not fullchain.pem. Thanks @esackbauer

      @DocFraggle I’m intrigued by haproxy. It might actually be a viable solution, at some point I’m going to have to substantially change this network architecture and put the mailcow machine on another domain, potentially over the WWW. haproxy sounds like a much easier solution than trying to tunnel or rsync certs when this happens, thanks!
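The mistake resolved above (copying cert.pem instead of fullchain.pem into data/assets/ssl/cert.pem) is easy to catch before restarting mailcow. The following pre-flight check is an added example written for this thread, not mailcow's own tooling: it counts the PEM blocks in the bundle, verifies that each certificate's issuer is the subject of the next block, and shows the live STARTTLS check with openssl s_client. It assumes a POSIX shell with awk and the openssl CLI; the hostname and path are placeholders.

```shell
#!/bin/sh
# Added example (not mailcow's own code): sanity-check the bundle copied
# from the reverse proxy into data/assets/ssl/cert.pem.

# Count PEM certificate blocks in a file. Pure text, no openssl needed.
# grep -c still prints 0 when nothing matches, so ignore its exit status.
pem_cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# One block is a bare leaf (what cert.pem usually is); two or more means the
# intermediates are included (what fullchain.pem provides).
classify_bundle() {
    n=$(pem_cert_count "$1")
    if [ "$n" -eq 0 ]; then echo "empty"
    elif [ "$n" -eq 1 ]; then echo "leaf-only"
    else echo "chain"; fi
}

# Check ordering: leaf first, then each issuer must be the subject of the
# following block. Requires openssl. Returns 1 on the first broken link.
chain_order_check() {
    f=$1; n=$(pem_cert_count "$f"); i=1
    while [ "$i" -lt "$n" ]; do
        iss=$(awk -v k="$i" '/BEGIN CERT/{c++} c==k' "$f" | openssl x509 -noout -issuer)
        sub=$(awk -v k=$((i+1)) '/BEGIN CERT/{c++} c==k' "$f" | openssl x509 -noout -subject)
        if [ "${iss#issuer=}" != "${sub#subject=}" ]; then
            echo "broken link between certificate $i and $((i+1))"; return 1
        fi
        i=$((i+1))
    done
    echo "chain order ok"
}

# Live check on the submission port (placeholder host). Anything other than
# "Verify return code: 0 (ok)" means the client could not build the chain,
# which is the symptom mail clients showed with a leaf-only cert.pem.
live_smtp_check() {
    openssl s_client -connect "$1:${2:-587}" -starttls smtp -servername "$1" </dev/null 2>/dev/null \
        | grep 'Verify return code'
}

# Example usage (placeholders):
#   classify_bundle data/assets/ssl/cert.pem
#   chain_order_check data/assets/ssl/cert.pem
#   live_smtp_check mail.example.test 587
```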

        • DocFraggle (Community Hero, Moolevel 263):

        northernscrub: It might actually be a viable solution

        Sure, I used it for years before switching to mailcow.
