What config to secure mailcow UI admin access ?

gorby · 2025-04-07T13:25:41+00:00

Hello

What is the best practice to secure mailcow UI’s admin access ?
Correct me if I’m wrong, but I think admin access shouldn’t be exposed publicly on the web like users’s access.

Is there a way to add a layer of security upon that admin log in page ?
Thanks

–
Léo.

Ganzjahresgriller · 2025-04-07T13:41:38+00:00

Install a Firewall before the Mailcow and hide the admin URL. I have created a new Account for the Admin with a special name, deleted the original admin and setup 2FA. Thats enough for me.

gorby · 2025-04-07T13:49:45+00:00

Thanks @Ganzjahresgriller for your feedback.
I didn’t think about the 2FA, that’s a great (and simple) start.

Unfortunately, I don’t have the knowledge to install a firewall and hide the admin URL.
If you could share me a tutorial to make this happen, I’d be grateful

esackbauer · 2025-04-07T15:02:53+00:00

For me, 2FA and a secure complex random password is enough.

gorby · 2025-04-07T19:05:27+00:00

esackbauer Okay, the main goal was to prevent potential exploitation of a security flaw in the submission form under /admin/. A exploit that could lead to avoid 2FA for example ? But if that’s not possible, maybe I’m just being paranoid…

esackbauer · 2025-04-08T07:41:11+00:00

gorby
Any brute force will be handled by NetFilter and the IP will be blocked.
An exploit for e.g. Nginx would affect the whole stack, not only the admin portal.
If you are really paranoid, put a Web Application Firewall with Intrusion Prevention in front of mailcow.

Mmlcwuser · 2025-04-08T07:42:31+00:00

I mean It’s not impossible, and there are several ways to limit access to the admin login or increase security, which also depend on the environment you’re running Mailcow on.

One way would be to put a reverse proxy in front of it and then limit access to /admin to certain IP addresses or IP ranges.

Or maybe you could change the nginx config on Mailcow itself, but I’m not sure to what extent this can be done without breaking things, and whether the changes will be overwritten during upgrades.

Another approach to secure things would be to use an identity provider/SSO solution like Authentik or Keykloak, but I have no experience with them.

DocFraggle · 2025-04-08T08:21:24+00:00

The fastest (but manual and non-persistent) way is to put this on top of your PHP files in data/web/admin

if ($_SERVER['REMOTE_ADDR'] !== '127.0.0.1') {
    http_response_code(403);
    exit('Forbidden');
}

This way you can access it only by using SSH port forwarding. No idea if it breaks something else

gorby · 2025-04-08T08:29:47+00:00

And what experts think about adding an extra.conf file in the data/conf/nginx/ folder and put something like that inside :

server { location /admin {
        allow 192.168.1.100;  # Allow this specific IP
        allow 203.0.113.0/24; # Allow this IP range
        deny all;             # Deny all other IPs
    }
}

Is it a good practice ?
Will it be persistent ?

Thanks

–
Léo.