I am planning on backing up everything every 1-2 days via cronjob using the "backup_and_restore.sh" script. Where do you guys usually store your backup? Considering the possibility of a malicious attack, it is probably not the smartest idea to just dump it somewhere on the VPS / dedicated server again. But what other good and suitable options are there? Amazon S3 buckets?

I put the backups on my NAS at home

@"DocFraggle"#p24362 I read about that too, however, a NAS costs between 150-300 bucks, therefore, I am looking for a cheaper alternative...

@"esackbauer"#p24380 Isn't that problematic considering the fact that I'd need to use rclone to upload my backups to Google Drive, which would let a potential attacker (in case he gains access to my VPS) see and download everything from my Google Drive?

Hetzner Storagebox, 1TB / € 3,81 Month

@"shadesofcyber"#p24381 Simply use a google account only for this mailcow backup. rclone can encrypt the backup data, too.

From your reply in this thread I'd guess that my method is a bit over-the-top fpr you: I clone the entire docker container & data to a fallback VM in a different data center every night, so that even in the very unlikely case that the main server somehow ends up "broken beyond repair" some DNS changes will get the fallback up and running. Apart from that, backups created with the on-board script go to rented storage space in two different data centers twice a day (via sshfs). I wouldn't do the clone-to-different-VM-part if it was only for private use, but even my private backups involve multiple offsite-backups.

I too use a local NAS that I already had. Since cost is a concern, you could use any available local device instead of a NAS, even a Raspberry PI. In the long run, using a local device might prove more cost effective ;-)

I use the MC cold backup script to push to a local VM which only sits there as a disaster recovery. this vm is then backed up to my nas, which the nas then pushes an encrypted backup up to either google drive or backblaze. I use truenas for the nas storage which has backup jobs (which is actually rclone) where you can set the encryption of the backup at the destination you choose(like google drive or backblaze).

Backblaze is definitely the best. Very easy to configure with rclone. Only $6 per TB, or $0.006 per GB. Much cheaper than S3, which costs $23 per TB. S3 also charges for backup extraction, but Backblaze doesn't.

The most cost effective backup storage I have found is [Hetzner Storagebox](https://www.hetzner.com/storage/storage-box/), for around 2EUR/TB (the largest box) or a straight 3,20EUR for the 1TB box.

Where do you store your backups?

stefan21

shadesofcyber on the VPS / dedicated server again.

I assume you’re running a dedicated mailserver?

get a cert (if you already don’t have one)
get yourself an image from your server. Can be done from time to time. I.e. netcup charges an extra fee (don’t remember the exact price, could be 1,50 Eur) for exporting. Store it somewhere safe local.
install and configure properly fail2ban for the vps. Mailcow has its own netfilter system.
use the mailcow backup script. The path to the backups can be on your vps.
create a wireguard vpn between your vps server and a local machine, which is always online. Can be i.e. a raspberry PI. Cheap while running 24/24. USB thumb is better as a sdcard out of several reasons.
plug a USB thumbdrive in this RPI
create a ssh key on the PI
on your vps server install open-ssh. Chnage the port. Configure the sshd_conf in a way, that access is allowed only via wireguard VPN and the client key. +++ NO OTHER ACCESS METHODS +++. You have to transfer in some way the key to your vps.
take special care to the iptables on the vps. Make sure you have the mailcow ports in the chain. Then you want to allow ONLY the IP from the PI via wireguard VPN. Take care of the ssh port. Everything else should be DROPPED. This ensures that mailcow will work properly and access is only allowed via your WG-VPN and ssh-key.
create a script that uses rsync to mirror the mailcow backup to your local (RPI USB thumb) drive.
create a cron job that fires your VPN up
create a cron job that runs your rsync script
create a cron job, that shuts your VPN down
create a cron job, that purges the number of backups, you don’t want to keep any longer

Works rock stable. Unattended. Does not interfere with blacklist tables (abuse IPDB) here in the forum. If you like add (a second) more blacklists like firehol and spamhouse. And your VPS is very safe. Mailcow takes care of the rest (if properly configured).

Did this in parts with help of claude.ai

So - back to the question: I store them local.

zx1100e1

Good points above. My vps instance is used as a relay. Periodically I’ll login and mount a clonezilla iso, then generate a local backup image over ssh. Not much changes on the vps other than logs. Email is retained very rarely (only when the target mailcow is under maintenance).

If I did use it to actually store emails, I think using the inbuilt backup daily to a local nas target would be a good method.

stefan21

esackbauer Google Drive is about 20$ per year for 100GB.

Well - I don’t like the idea of sharing my emails/any data with the U.S. gov. –> US cloud act 2018. M$ and bitlocker is another violation against EU law. And so on…

If you want to keep your email (or any other data) private, stay away from any US cloud service including any M$ windows, outlook, office 365, bla, bla product. They’re all violating the DSGVO.

Sorry for beeing inconvinient. It’s my personal opinion.

esackbauer

stefan21 I don’t like the idea of sharing my emails/any data with the U.S. gov.

I don’t share emails, backup data is encrypted.

stefan21 They’re all violating the DSGVO.

I dont actually care. I care about encryption.

I hope you never send to peopke with MS365 account or gmail account, your mails will be stored and read there 😉

stefan21

esackbauer I don’t share emails
Therefore we do use our own email server, right?

esackbauer backup data is encrypted.
Yeah, the funny thing is, that people thought data is really encrypted wile using bitlocker…

“Careful with that axe, Eugene”. Pink Floyd 1968.

esackbauer

stefan21 Therefore we do use our own email server, right

We are talking about backup location here (which is not hopefully not the same as the email server 😉). Pls dont shift goal posts.

stefan21 that people thought data is really encrypted wile using bitlocker…

It is, if done right (e.g. not using your MS account to have the key stored). This is why I wrote “I care about encryption”.

stefan21

esackbauer Pls dont shift goal posts.

Alright.

mlcwuser

In the end, it’s actually quite simple (politics aside). If Mailcow is hosted in the cloud, i.e., on a VPS, there should be at least one backup stored somewhere else, either in another cloud storage location or on-premises.

If Mailcow is hosted on-premises, then at least one backup should be off-site. In most cases, that will be the cloud, unless you’re a company that has multiple physical locations or you’re doing some kind of “buddy backup” arrangement.

The cloud provider doesn’t have to be a US company. In practice, though, it doesn’t matter that much, because backups stored in the cloud should be encrypted anyway, as @esackbauer already said.

Personally, I run Mailcow (persona/homel use only) on a VPS. I create backups using the integrated Mailcow backup script to /opt/backups/, and then store them encrypted on Backblaze via Rclone. In addition, I run a local MailPiler instance at home where all emails are archived.

The “Mailcow backup script to Backblaze backup” is primarily intended to beable to restore the entire instance, not to restore individual emails. For that purpose, I use my MailPiler instance, where you can actually search and retrieve old emails if needed. In my case (as I sad, home user), I can count on one hand how often I’ve actually needed to do that.

Alternatively, if your Mailcow instance is on a VPS, for example, and you would prefer to keep your backups on-premises, you could use rsync to pull them from the VPS to your NAS/on-prem server instead of sending them to cloud storage. However, if your NAS or on-premises server fails, you might then be without a backup for days or weeks, especially given the current HW supply chain situation. 😉

Also, in the event of a catastrophic event such as a fire or burglary, having another backup in the cloud may be beneficial. 😉

CK_beats

mlcwuser
However, a cloud backup is only accessible as long as the hoster exists.
If the cloud service provider becomes corrupt, the backup can no longer be accessed.

But as the saying goes: No system is safe!

It’s just a matter of doing everything possible to avoid a total failure.
There is always a residual risk. No matter what the solution.

mlcwuser

Yes, you’re right, of course. And that’s why it’s best to do both if your mail server is mission critical i.e. if you are using it for your business. 3-2-1, you know? ;-)

But the Mailcow backup script is more of an availability thing anyway, because you don’t want to have to restore a single mailbox or even induvidual emails from an encrypted backup. Those backups are mainly about being able to migrate a Mailcow instance or restore it if you’ve screwed up or, as with OVH, the place your Mailcow is hosted is on fire ;-)

zx1100e1

@maybl8 Given your issues in the other thread. I think it’s time to rethink your backup strategy. I don’t recall if you mentioned how you’re actually running it, if there’s a relay involved or not. If virtualized, i’d make use of the hypervisor backup function.

Around post 16 I described my backup strategy. If I should royally screw something up, I have access to past 90 days of incremental backups to recover a config file from. Failing that, I restore to yesterday snapshot. At worst I lose a day’s of emails. Though if that were to happen, I’d save volume contents elsewhere first and try to migrate with the restored data.

I know there’s a backup function provided, but the above seems more foolproof, especially if the issue is not with mailcow but the underlying OS.

maybl8

zx1100e1
Thanks for the advice.
My mailcow is running on a dedicated server and only mailcow is running on it. It is mostly being used for my personal email and a learning experience for me about running a mail server. Granted I have been using it for over a year now I obviously have alot to learn.
For backing up I haven’t been to systematic in my approach. Just doing a manual backup and restore with the backup and restore script provided with mailcow.
I have been managing the server through the gui since I run the server out of my house. It started out as more of a hobby for me but now the email has alot of information in there I don’t want to lose and I use that email address for everything. So if it goes down I lose communication with alot of services and people.
I do have a backup email address I use in case of emergency.
So back to backing up. I run the script and it backs up to a share on my nas i have here at home. I am keeping 3 backups at a time. I would like to do a incremental backup at some point but my nas only has smb shares and that is not recommended for rsync backing up so everyone of my backups are full backups. That is ok it doesn’t take that long. The next task in my backup adventure is using a cron job to do the backups.
I just started learning how to use ssh and will start to manage my server remotely from my laptop that I use for almost everything.

I have the backup script with the parameter –delete-days 3
I did a backup today and see this . I thought I would only see 3 backups:

[root@mail demo]# ls /mnt/mailbackup/
mailcow-2026-02-25-18-03-20  mailcow-2026-02-26-09-29-18  mailcow-2026-02-27-07-40-34  mailcow-2026-02-28-08-09-30

zx1100e1

I’d say learn to get intimate with console. Mailcow gui exposes a number of settings, but many more are possible. Always save the original file you’re editing BEFORE making any changes.

As for backup mx, I still have the original webhosting provider active. Thats where emails went BEFORE mailcow. It’s still listed in my dns records too, but with a much lower (higher numerically) priority than the others. If both the relay and target are down, mails end up there.

A whole box for the mail server…. I couldn’t justify (or afford) that. My server (also home use), does a number of things including;

firewall
dns
nas
voip + fax
mail
some other things
It’s based on a 5800x/x570/64gb platform. Still _20gb of ram remaining for future expansion. Mailcow gets 8gb and 2vcores.

maybl8

zx1100e1 A whole box for the mail server…. I couldn’t justify (or afford) that. My server (also home use), does a number of things including;

firewall
dns
nas
voip + fax
mail
some other things
It’s based on a 5800x/x570/64gb platform. Still 20gb of ram remaining for future expansion. Mailcow gets 8gb and 2vcores.

My firewall if you could call it that is just my deco router .
And then the blocking I’m doing at the mail server for it.
DNS is Cloudflare
Nas is a separate box (Synology)
No landline phones
Mailserver (Mailcow) This is only Intel Pentium G4400 (2) 8 GB ram 1TB drive
I have a rustdesk box (Old dell machine)
A desktop
My laptop
I have a pi400 i don’t do much with.
I have a website but it is on AWS just a hobby. www.dccwebsite.com

Just a not to my previous post .
I backed up today and there are only 3 backups as expected.

Pooja23

Hi,
I definitely don’t want the backups sitting on the same server, so my current setup dedicated server. I rsync the backup folder to a secondary storage VPS server from DedicatedCore.
It gives me high-bandwidth servers that I only use for storage/backups. I connect them via WireGuard, so the main Mailcow box only ever talks to them over the VPN tunnel. Even if an attacker gets root, they can’t reach the backup locations without the WireGuard keys.

« Previous Page