• gorby

      Moolevel 6

    Hello 🙂

What is the best practice to secure mailcow UI's admin access?
Correct me if I'm wrong, but I think admin access shouldn't be exposed publicly on the web like users' access.

Is there a way to add a layer of security on top of that admin login page?
    Thanks 🙂

    –
    Léo.

Install a firewall before the mailcow and hide the admin URL. I have created a new account for the admin with a special name, deleted the original admin and set up 2FA. That's enough for me.


    • gorby

        Moolevel 6

      Thanks @Ganzjahresgriller for your feedback.
      I didn’t think about the 2FA, that’s a great (and simple) start.

Unfortunately, I don't have the knowledge to install a firewall and hide the admin URL.
If you could share a tutorial with me to make this happen, I'd be grateful 🙂

      • esackbauer

        • Community Hero
        Moolevel 432

      For me, 2FA and a secure complex random password is enough.

        • gorby

            Moolevel 6

esackbauer Okay, the main goal was to prevent potential exploitation of a security flaw in the submission form under /admin/. An exploit that could lead to avoiding 2FA, for example? But if that's not possible, maybe I'm just being paranoid…

            • esackbauer

              • Community Hero
              Moolevel 432

            gorby
            Any brute force will be handled by NetFilter and the IP will be blocked.
            An exploit for e.g. Nginx would affect the whole stack, not only the admin portal.
            If you are really paranoid, put a Web Application Firewall with Intrusion Prevention in front of mailcow.

I mean, it's not impossible, and there are several ways to limit access to the admin login or increase security, which also depend on the environment you're running mailcow on.

            One way would be to put a reverse proxy in front of it and then limit access to /admin to certain IP addresses or IP ranges.

            Or maybe you could change the nginx config on Mailcow itself, but I’m not sure to what extent this can be done without breaking things, and whether the changes will be overwritten during upgrades.

Another approach to secure things would be to use an identity provider/SSO solution like Authentik or Keycloak, but I have no experience with them.

            • DocFraggle

              • Community Hero
              Moolevel 304

The fastest (but manual and non-persistent) way is to put this on top of your PHP files in data/web/admin:

// Only serve the admin pages to requests arriving from the local host
// (i.e. through an SSH tunnel); everything else gets a 403.
if ($_SERVER['REMOTE_ADDR'] !== '127.0.0.1') {
    http_response_code(403);
    exit('Forbidden');
}

This way you can access it only by using SSH port forwarding. No idea if it breaks something else.

            • gorby

                Moolevel 6

And what do experts think about adding an extra.conf file in the data/conf/nginx/ folder and putting something like this inside:

server {
    location /admin {
        allow 192.168.1.100;  # Allow this specific IP
        allow 203.0.113.0/24; # Allow this IP range
        deny all;             # Deny all other IPs
    }
}

Is it a good practice?
Will it be persistent?

              Thanks 🙂

              –
              Léo.
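As an added illustration (not code from this thread or from mailcow), here is a small Python model of the allow/deny decision the nginx and PHP snippets above make for /admin, including the case where a reverse proxy sits in front and REMOTE_ADDR is the proxy's own address rather than the client's. The allowlist entries, proxy addresses and the X-Forwarded-For handling are constructed assumptions for the example.

```python
"""Model of an /admin IP allowlist: nginx-style allow/deny, plus the
reverse-proxy caveat (REMOTE_ADDR is the proxy, not the real client)."""
import ipaddress

# Constructed allowlist, mirroring the entries in the nginx snippet above.
ADMIN_ALLOWLIST = ["192.168.1.100", "203.0.113.0/24"]


def is_admin_allowed(client_ip, allowlist=ADMIN_ALLOWLIST):
    """True if client_ip matches any allow entry; otherwise deny (like 'deny all')."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # unparsable address is never allowed
    return any(addr in ipaddress.ip_network(e, strict=False) for e in allowlist)


def effective_client_ip(remote_addr, x_forwarded_for=None, trusted_proxies=()):
    """Address the allowlist must be checked against.

    X-Forwarded-For is only consulted when the TCP peer is a trusted proxy,
    and hops are walked from the right (appended by the proxies) so that a
    client-supplied leading value cannot spoof an allowed address."""
    if remote_addr not in trusted_proxies or not x_forwarded_for:
        return remote_addr
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        if hop not in trusted_proxies:
            return hop
    return remote_addr


def admin_decision(remote_addr, x_forwarded_for=None, trusted_proxies=(),
                   allowlist=ADMIN_ALLOWLIST):
    """HTTP status the /admin restriction would produce: 200 or 403."""
    ip = effective_client_ip(remote_addr, x_forwarded_for, trusted_proxies)
    return 200 if is_admin_allowed(ip, allowlist) else 403


if __name__ == "__main__":
    # Direct hit from an allowed range, and the proxy case without trust config.
    print(admin_decision("203.0.113.77"))                       # 200
    print(admin_decision("10.0.0.2", "203.0.113.77"))           # 403: proxy IP checked
    print(admin_decision("10.0.0.2", "203.0.113.77", ("10.0.0.2",)))  # 200
```

The second call shows why the PHP REMOTE_ADDR check and a plain nginx allow list both fail behind a reverse proxy unless the proxy is explicitly trusted and the forwarded address is used instead.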
