I like everything about Mailcow except the Let’s Encrypt process. It is so cumbersome and it is hit or miss when it comes to renewal. My Mailcow Docker instance’s Let’s Encrypt cert was up for renewal last night and it never renewed. It gave me some errors about my browser’s time being ahead, and then the logs had some messages about not connecting to my IP. I wish Mailcow’s team would improve the way they implement the Let’s Encrypt process. I spent three hours trying to figure it out (i.e., modifying the TZ, docker down and up). Then I reinstalled Mailcow on a clean Debian 12, thinking that would solve the issue. Ran docker compose up -d (down), edited the config file with my mail server domain, and the silly thing could never assign a cert. DNS was right, reverse IP was right. I even disabled fail2ban and ufw and no luck. Finally I gave up and installed a different mail server (I will not post here which one because it is not fair to the Mailcow team to promote some other open source mail server). This is a temporary solution until Mailcow can update or modify the process of issuing and renewing the Let’s Encrypt cert. I will go back to Mailcow because it is a great Docker mail server.
Sorry to have to put this here. Like I said, I like Mailcow and will go back to it as soon as they change the way the Let’s Encrypt certs are issued and renewed.
Cannot validate any hostnames, skipping Let’s Encrypt for 1 hour
It’s working perfectly for 99.99% of the mailcow users. If it’s not working it’s mostly due to DNS config errors or firewall issues.
Good luck with your new mail server. If I may ask, how did you generate the working (?) certificate there?
Edit:
emailcowboy I even disabled fail2ban and ufw
ufw should be disabled completely as the docs state:
Danger
There are several problems with running mailcow on a firewalld/ufw enabled system.
You should disable it (if possible) and move your ruleset to the DOCKER-USER chain, which is not cleared by a Docker service restart, instead.
@DocFraggle I think you are right. I should have posted the logs here. The group here is always supportive and provides solutions. I was too quick to find a solution (and perhaps unfairly judged Mailcow too quickly). I will install it again soon and get it up and running again. I like Mailcow. Only a few hours and I already miss seeing the fat yellow cow. I think I didn’t disable ufw completely. I will be back to Mailcow in two days.
The other software has a section on the main admin portal where you issue the cert and reload it and restart it and it is up and running. It even has a section that you can select when to autorenew (30 days or 10 days).
I usually install fail2ban and ufw per the instructions I followed from Opentaq (). Maybe I need to follow a different tutorial. Please post any suggestions.
I will be back to Mailcow soon and if I run into any issues I will post here. I am even thinking of deleting this post because Mailcow is great and I don’t want to discourage others from using it.
Thanks!
emailcowboy I usually install fail2ban and ufw per the instructions I followed from Opentaq ().
You don’t need to do this at all, Mailcow has its own Fail2Ban integration and uses netfilter as its firewall solution
DocFraggle You don’t need to do this at all, Mailcow has its own Fail2Ban integration and uses netfilter as its firewall solution
Yes, but MC netfilter does not cover all services on your server for 99% of users, so additional protection is a good idea. I ended up removing ufw and started using the iptables binary to set up the firewall. In general and specifically for ufw look
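The docs note quoted above (move the ruleset to the DOCKER-USER chain, which a Docker restart does not clear) and the last comment (manage the host firewall with the iptables binary instead of ufw) describe the same setup. The script below is an added example, not code from the mailcow project or from anyone in this thread; the function name apply_docker_user_rules, the IPT variable, the port list and the interface name are assumptions, and it assumes Docker has already created the DOCKER-USER chain.

```shell
#!/bin/sh
# Added example: populate Docker's DOCKER-USER chain for a mailcow host.
# DOCKER-USER is evaluated before Docker's own FORWARD rules and is not
# flushed when the Docker service restarts, unlike rules ufw puts in FORWARD.
# IPT can be overridden (e.g. IPT=echo) to dry-run and inspect the rules.
IPT="${IPT:-iptables}"

# Ports mailcow publishes (assumption; trim to what you actually expose).
# 80 must stay reachable from the internet or HTTP-01 validation for
# Let's Encrypt fails with "Cannot validate any hostnames".
MAILCOW_TCP_PORTS="25 80 443 465 587 993 995 4190"

apply_docker_user_rules() {
    wan_if="$1"   # interface facing the internet, e.g. eth0

    # Rebuild the chain from scratch so re-running the function is idempotent.
    "$IPT" -F DOCKER-USER
    # Replies to connections the containers opened themselves.
    "$IPT" -A DOCKER-USER -i "$wan_if" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # One ACCEPT per published mailcow port.
    for p in $MAILCOW_TCP_PORTS; do
        "$IPT" -A DOCKER-USER -i "$wan_if" -p tcp --dport "$p" -j ACCEPT
    done
    # Anything else arriving from the WAN toward a container is dropped.
    "$IPT" -A DOCKER-USER -i "$wan_if" -j DROP
    # Traffic from other interfaces (docker bridges, loopback) continues to
    # Docker's chains; this RETURN is what Docker installs by default.
    "$IPT" -A DOCKER-USER -j RETURN
}

# Usage: sh this_script.sh eth0
if [ "$#" -ge 1 ]; then
    apply_docker_user_rules "$1"
fi
```

DOCKER-USER only sees forwarded traffic, so services running on the host itself (SSH, for instance) still need their own INPUT rules; that is the gap the last comment refers to when it says mailcow's netfilter does not cover every service.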