Hello,

I’m new to Mailcow and not very good with coding.
I’m using an Opnsense as firewall with HA proxy and Mailcow in a Ubuntu server 24.04 only for Mailcow.
I noted that Mailcow has fail2ban enabled by default; because it is behind a proxy, I had to adjust the settings so that it reads the proxy headers and then obtains the real IP of incoming connections.
I think the domain check stopped working after that. I had enabled a DNS override in Opnsense for the domains in Mailcow; I changed the DNS for the server to 1.1.1.1 and disabled the DNS override in Opnsense.
The DNS is working fine, but the DNS record check for the domains is still failing.
I rebooted the server, cleared the cache, and restarted Docker, and I am still having the issue.
After reading in the community, I realized it could be the setting I made for HAProxy.
Can you help me to understand what setting must be adjusted to make it work?

My nginx config; I think this is it:
root@mailcow:/home/uroot# cat /opt/mailcow-dockerized/data/conf/nginx/templates/nginx.conf.j2
# Worker processes drop to the unprivileged nginx user; one worker per CPU core.
user nginx;
worker_processes auto;

error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;

events {
# Per-worker cap on simultaneous connections (client and upstream connections both count).
worker_connections 1024;
}

http {
include /etc/nginx/mime.types;
default_type application/octet-stream;

# Access log keeps both $remote_addr (the address nginx actually uses, after any
# real-IP rewriting) and the raw X-Forwarded-For header, so the two can be compared
# when debugging proxy / fail2ban address problems.
log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$http_x_forwarded_for"';

access_log  /var/log/nginx/access.log  main;

sendfile        on;
#tcp_nopush     on;

keepalive_timeout  65;

#gzip  on;

# map-size.conf:
# Hash sizing for the map blocks declared further down.
map_hash_max_size 256;
map_hash_bucket_size 256;

# site.conf:
# Cache zone used by the SOGo proxy; entries idle for 24h are evicted, 1g on-disk cap.
proxy_cache_path /tmp levels=1:2 keys_zone=sogo:10m inactive=24h  max_size=1g;
# Raised so the per-domain server_name lists below fit in the name hash.
server_names_hash_max_size 512;
server_names_hash_bucket_size 128;

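# Scheme as seen by the client. Behind a TLS-terminating proxy nginx's own $scheme is
# "http", so honour X-Forwarded-Proto when the proxy reports "https".
map $http_x_forwarded_proto $client_req_scheme {
    default $scheme;
    https https;
}

# Real client address recovery (ngx_http_realip_module).
# These three directives were previously placed INSIDE the map block above. A map block
# only holds "key value;" pairs, so nginx parsed them as plain map entries and they never
# took effect: $remote_addr stayed at the proxy's address, which is then what the logs and
# fail2ban/netfilter saw. They belong at http (or server) level, as here.
# Trust only the listed proxy to supply the forwarded address. Do not widen this to a
# subnet unless every host in it is a proxy you control, otherwise a client could spoof
# its source address through the header.
set_real_ip_from 10.17.17.254;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
# NOTE(review): the listen directives in this file use proxy_protocol. If HAProxy forwards
# in TCP mode it does not add X-Forwarded-For and the client address arrives in the PROXY
# header instead; in that case `real_ip_header proxy_protocol;` is the directive to use.
# Confirm against the HAProxy frontend mode (http vs tcp).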

{% if HTTP_REDIRECT %}
# HTTP to HTTPS redirect
# Serves only the ACME challenge path over plain HTTP; everything else is answered with a
# 301 to https:// keeping host, path and query string.
server {
    root /web;
    # NOTE(review): proxy_protocol is hard-coded on these two listens, whereas every other
    # listen in this file gates it on NGINX_USE_PROXY_PROTOCOL and gates the [::] listen on
    # DISABLE_IPv6. A connection that does not begin with a PROXY header (a direct LAN test,
    # a monitoring probe) is rejected on this port — confirm this is intended.
    listen {{ HTTP_PORT }} proxy_protocol;
    listen [::]:{{ HTTP_PORT }} proxy_protocol;

    server_name {{ mailcow }} autodiscover.* autoconfig.* {{ ADDITIONAL_SERVER_NAMES | join(' ') }};

    # Reject request lines carrying URL-encoded CR/LF (header-injection attempts).
    if ( $request_uri ~* "%0A|%0D" ) { return 403; }
    location ^~ /.well-known/acme-challenge/ {
        allow all;
        default_type "text/plain";
    }
    location / {
        return 301 https://$host$uri$is_args$args;
    }
}
{%endif%}

# Default Server Name
# Main vhost for the mailcow hostname plus autodiscover/autoconfig. The loopback listener
# on 65510 exists for the sogo-auth verify subrequest only; the public listeners take a
# PROXY header only when NGINX_USE_PROXY_PROTOCOL is set, so they must match what the
# upstream proxy actually sends.
server {
    listen 127.0.0.1:65510; # sogo-auth verify internal

    {% if not HTTP_REDIRECT %}
    listen {{ HTTP_PORT }}{% if NGINX_USE_PROXY_PROTOCOL %} proxy_protocol{%endif%};
    {%endif%}
    listen {{ HTTPS_PORT }}{% if NGINX_USE_PROXY_PROTOCOL %} proxy_protocol{%endif%} ssl;

    {% if not DISABLE_IPv6 %}
    {% if not HTTP_REDIRECT %}
    listen [::]:{{ HTTP_PORT }}{% if NGINX_USE_PROXY_PROTOCOL %} proxy_protocol{%endif%};
    {%endif%}
    listen [::]:{{ HTTPS_PORT }}{% if NGINX_USE_PROXY_PROTOCOL %} proxy_protocol{%endif%} ssl;
    {%endif%}

    http2 on;

    # Default certificate pair; per-domain certificates are served by the vhosts generated
    # from valid_cert_dirs below.
    ssl_certificate /etc/ssl/mail/cert.pem;
    ssl_certificate_key /etc/ssl/mail/key.pem;

    server_name {{ mailcow }} autodiscover.* autoconfig.*;

    # All location handling is shared through this include.
    include /etc/nginx/includes/sites-default.conf;
}

# Additional Server Names
# One vhost per entry in ADDITIONAL_SERVER_NAMES, identical to the default server except
# for server_name; all of them use the default certificate pair.
{% for SERVER_NAME in ADDITIONAL_SERVER_NAMES %}
server {
    listen 127.0.0.1:65510; # sogo-auth verify internal

    {% if not HTTP_REDIRECT %}
    listen {{ HTTP_PORT }}{% if NGINX_USE_PROXY_PROTOCOL %} proxy_protocol{%endif%};
    {%endif%}
    listen {{ HTTPS_PORT }}{% if NGINX_USE_PROXY_PROTOCOL %} proxy_protocol{%endif%} ssl;

    {% if not DISABLE_IPv6 %}
    {% if not HTTP_REDIRECT %}
    listen [::]:{{ HTTP_PORT }}{% if NGINX_USE_PROXY_PROTOCOL %} proxy_protocol{%endif%};
    {%endif%}
    listen [::]:{{ HTTPS_PORT }}{% if NGINX_USE_PROXY_PROTOCOL %} proxy_protocol{%endif%} ssl;
    {%endif%}

    http2 on;

    ssl_certificate /etc/ssl/mail/cert.pem;
    ssl_certificate_key /etc/ssl/mail/key.pem;

    server_name {{ SERVER_NAME }};

    include /etc/nginx/includes/sites-default.conf;
}
{% endfor %}

# rspamd dynmaps:
# PHP endpoint that rspamd pulls its dynamic maps from. It listens on 8081 on every
# interface of the container; presumably it is only reachable on the Docker network and
# never published to the outside — confirm against the compose port mappings.
server {
    listen 8081;
    {% if not DISABLE_IPv6 %}
    listen [::]:8081;
    {%endif%}
    index index.php index.html;
    server_name _;
    error_log  /var/log/nginx/error.log;
    access_log /var/log/nginx/access.log;
    root /dynmaps;

    location ~ \.php$ {
        # Refuse requests whose .php target does not exist on disk before handing the
        # request to PHP-FPM.
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass {{ PHPFPMHOST }}:9001;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
    }
}

# rspamd meta_exporter:
# PHP endpoint rspamd posts message metadata to (pipe.php). Bodies are capped at 10M at
# both server and location level. Unlike the dynmaps server above it has no [::] listen;
# presumably intentional — confirm if IPv6-only clients need it.
server {
    listen 9081;
    index index.php index.html;
    server_name _;
    error_log  /var/log/nginx/error.log;
    access_log /var/log/nginx/access.log;
    root /meta_exporter;
    client_max_body_size 10M;
    location ~ \.php$ {
        client_max_body_size 10M;
        # Refuse requests whose .php target does not exist on disk before handing the
        # request to PHP-FPM.
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass {{ PHPFPMHOST }}:9001;
        fastcgi_index pipe.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
    }
}

# Per-certificate vhosts: one server per directory in valid_cert_dirs, using that
# directory's cert/key pair for the domains it covers. Listen directives mirror the
# default server so the proxy-protocol and IPv6 switches apply uniformly.
{% for cert in valid_cert_dirs %}
server {
    {% if not HTTP_REDIRECT %}
    listen {{ HTTP_PORT }}{% if NGINX_USE_PROXY_PROTOCOL %} proxy_protocol{%endif%};
    {%endif%}
    listen {{ HTTPS_PORT }}{% if NGINX_USE_PROXY_PROTOCOL %} proxy_protocol{%endif%} ssl;

    {% if not DISABLE_IPv6 %}
    {% if not HTTP_REDIRECT %}
    listen [::]:{{ HTTP_PORT }}{% if NGINX_USE_PROXY_PROTOCOL %} proxy_protocol{%endif%};
    {%endif%}
    listen [::]:{{ HTTPS_PORT }}{% if NGINX_USE_PROXY_PROTOCOL %} proxy_protocol{%endif%} ssl;
    {%endif%}

    http2 on;

    ssl_certificate {{ cert.cert_path }}cert.pem;
    ssl_certificate_key {{ cert.cert_path }}key.pem;

    server_name {{ cert.domains }};

    include /etc/nginx/includes/sites-default.conf;
}
{% endfor %}

# Drop-in configuration is picked up last, so it can override the directives above.
include /etc/nginx/conf.d/*.conf;

}
root@mailcow:/home/uroot#

Thanks in advance for your help and patience.

Regards!

Update:
Using the private IP it works; the problem only appears when testing from outside.
