Hey there,

so currently, my web UI is running under “mail.mydomainname.com”. I am getting close to finishing the whole configuration stuff, and now I was wondering - what’s the best practice to hide the Web UI? Is there a way to disable / enable it, only for when you need to make some changes?

I definitely do NOT want it to be publicly accessible, and I do not have any other people that need to log in. Me myself? I will probably just use Outlook or something for my inboxes to receive / send mails. I basically just need mailcow to run in the background and handle everything, but I do not want the Webmail and Web UI to be publicly accessible.

What do you guys usually do?

    shadesofcyber
    Hi
    You can disable SOGo by editing the mailcow.conf file (/opt/mailcow-dockerized/mailcow.conf): locate the following line and modify it accordingly, n to use SOGo and y to not use SOGo.

    # Skip SOGo: Will disable SOGo integration and therefore webmail, DAV protocols and ActiveSync support (experimental, unsupported, not fully implemented) - y/n
    SKIP_SOGO=n

    and then apply the new configuration:

    docker compose down
    docker compose up -d

      And for the rest of the UI, you can hide it behind a firewall or reverse proxy, but I believe it’s unnecessary: make your accounts use 2FA, generate a strong “App password” for Outlook, and you are good.

        Cisco30 Thank you!

        ETNyx Hey, what exactly do you mean by “the rest of the UI”? If I disable Sogo like the user before mentioned, what else will there still be left?

          shadesofcyber Hey, what exactly do you mean by “the rest of the UI”? If I disable Sogo like the user before mentioned, what else will there still be left?

          Now (2025-03) you have at least 4 UI routes: /, /admin, /domainadmin and /SOGo; one can argue there is also +1 on /api. Just disabling SOGo does not hide the rest. Also, /SOGo is now kind of hidden, since unauthenticated users get redirected to /.

            ETNyx So since my whole mail server runs on mail.domainname.com, what if I just shut down the nginx container (http and https) for mailcow? That way the mail server would run in the background and only the web UI wouldn't be there. I would like potential attackers to not know that mail.domainname.com offers anything. Idk if I am making sense here…

              Nope, bad idea: if you stop nginx you will not be able to renew the SSL cert needed by dovecot, postfix and so on…

                ETNyx Now (2025-03) you have at least 4 UI routes: /, /admin, /domainadmin and /SOGo; one can argue there is also +1 on /api. Just disabling SOGo does not hide the rest. Also, /SOGo is now kind of hidden, since unauthenticated users get redirected to /.

                The standard answer of the gurus would be “no problem at all. Use 2 auth and strong passwds, and you are safe.” As I stated already many times - I don’t like especially a mailserver exposed in this way to the public. Port 25 is enough for public. And safe.

                shadesofcyber So since my whole mail server runs on mail.domainname.com, what if I just shut down the nginx container (http and https) for mailcow? That way the mail server would run in the background and only the web UI wouldn't be there. I would like potential attackers to not know that mail.domainname.com offers anything. Idk if I am making sense here…

                Best way to hide is behind a VPN. Allow your users only access via vpn or LAN. Put caddy or any other reverse proxy in front. No public access to anything. The price you pay is a VPN connection.

                ETNyx Oh, my mailcow server actually gets its SSL from a different nginx that runs inside of a docker container (which also manages my web app).

                But nonetheless, what would you suggest then? Just return a 403 code for all the UI routes?

                  shadesofcyber Guess that depends on your personal preference. Since you want some kind of stealth instance, I would just do a drop (no response).
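
The "drop unless on VPN/LAN" approach from the last few replies, written out for a front nginx like the one described above. This is an added example, not part of the original thread and not mailcow's shipped configuration; the subnets, the upstream address 127.0.0.1:8443, the ACME webroot and the certificate paths are all assumed placeholders.

```nginx
# Added example; belongs in the http context (e.g. a conf.d file) of the
# front nginx. All addresses and paths below are assumptions.

# 1 for clients on trusted networks, 0 for everyone else.
geo $ui_trusted {
    default         0;
    10.8.0.0/24     1;   # assumed VPN subnet
    192.168.1.0/24  1;   # assumed LAN subnet
}

server {
    listen 80;
    server_name mail.mydomainname.com;

    # HTTP-01 certificate renewal must stay reachable from the internet,
    # which is why simply stopping the web server breaks renewals.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme;          # assumed webroot of the ACME client
    }

    location / {
        # 444 is nginx-specific: close the connection, send no response.
        if ($ui_trusted = 0) { return 444; }
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name mail.mydomainname.com;
    ssl_certificate     /etc/ssl/mail/fullchain.pem;   # placeholder path
    ssl_certificate_key /etc/ssl/mail/privkey.pem;     # placeholder path

    # One catch-all covers /, /admin, /domainadmin, /SOGo and /api.
    location / {
        if ($ui_trusted = 0) { return 444; }
        proxy_pass https://127.0.0.1:8443;   # assumed mailcow web binding
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

With `return 444` the TCP connection and TLS handshake still complete, so a scanner sees ports 80/443 open and can read the certificate. Only a firewall rule that drops packets from untrusted sources makes the ports themselves unresponsive.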
