Using frontend to handle TLS

northernscrub

My configuration relies on an apache frontend to handle incoming traffic. I’d like to extend this to SMTP also, instead of offloading the SSl processing to Mailcow as defined in https://docs.mailcow.email/post_installation/reverse-proxy/r_p-apache24/. Apache can handle incoming on other ports, so is there any issue with adjusting the ports defined in mailcow.conf to listen on, for example, 10143 and 10587? Or does this change the internal port?

esackbauer

Apache can only handle http and https traffic. For all other protocols like SMTP and IMAP this will not work. You have to NAT the traffic to mailcow.
And you must use the certificates which are handled by your reverse proxy, as mailcow then would not renew the certificates.
You have to copy them from reverse proxy (your apache) to mailcow like this:
https://docs.mailcow.email/post_installation/firststeps-ssl/#how-to-use-your-own-certificate

DocFraggle

You could switch to haproxy, it can handle SMTP, IMAP and POP3 as well

esackbauer

DocFraggle haproxy, it can handle SMTP, IMAP and POP3 as well

Does the netfilter/fail2ban still work with that solution?

[unknown] l. Openssl reports it is unable to see the local issuer cert,

Please post the error message.
It sounds like you have not copied the fullchain.pem as per my doc link above:

"just save the combined certificate (containing the certificate and intermediate CA/CA if any) to data/assets/ssl/cert.pem

[unknown] l. Openssl reports it is unable to see the local issuer cert,

Please post the error message.
It sounds like you have not copied the fullchain.pem as per my doc link above:

“just save the combined certificate (containing the certificate and intermediate CA/CA if any) to data/assets/ssl/cert.pem”

northernscrub

Apache is the frontend because it also hosts websites, so haproxy isn’t a viable option at present.

I’ve run into some issues with the certificate copying process, though. Whilst it all looks fine in a browser, the mail client isn’t happy with it at all. Openssl reports it is unable to see the local issuer cert, and when using LetsDebug, the mailcow nginx instance redirects <domain>/.well-known/acme-challenge/letsdebug-test to <domain>.wellknown/acme-challenge/letsdebug-test. I am unsure if the two are related.

DocFraggle

northernscrub Apache is the frontend because it also hosts websites, so haproxy isn’t a viable option at present.

So use haproxy only for the SMTP services

northernscrub

Oh I’m an idiot. Came back after a few hours and realised I was copying cert.pem and not fullchain.pem. Thanks @esackbauer

@DocFraggle I’m intrigued by haproxy. It might actually be a viable solution, at some point I’m going to have to substantially change this network architecture and put the mailcow machine on another domain, potentially over the WWW. haproxy sounds like a much easier solution than trying to tunnel or rsync certs when this happens, thanks!

DocFraggle

northernscrub It might actually be a viable solution

Sure, I used it for years before switching to mailcow.