Well, after some playing and testing I figured out:
I love Mailcow!
So the next step is to host it on my VPS and get my own domain and mails on it.
This will only be for me, so I'm the only user and want it to be bulletproof. All my devices are up-to-date and very new, so I want to use the latest cryptography regarding TLS/SSL/HTTPS. This means ECC/ECDSA certificates and TLS 1.3 only, with the newest ciphers like the Mozilla SSL generator under "modern": Mozilla SSL Modern Config TLS 1.3
The certificates will be from Let's Encrypt, and since they will use their own root certificate on January 11, 2021 with ECC/ECDSA (check their news blog: Let's Encrypt), I will only use ECC certificates. I already found the issues and pull requests on GitHub regarding ECC certificates in Mailcow, but right now it's not implemented. As far as I understood, because it's hard to accomplish compatibility with own certificates if someone doesn't use Let's Encrypt, ECC or RSA generally.
So my first idea was to change the Nginx config in the Mailcow container to use only TLS 1.3 and change the acme container to obtain an ECC certificate. But I guess this is a risky operation due to Mailcow updates and maybe breakdowns then. Therefore I decided to use a reverse proxy like Nginx in front of Mailcow.
I already found this helpful documentation: Mailcow Reverse Proxy, and the post-hook when I use my own ACME client.
I guess the connection to Mailcow (80 and 443) will be served via the Nginx reverse proxy and the certificates I obtained.
- What do I have to do with Dovecot and Postfix?
- Where do these get their certificates?
Until now I only have knowledge about websites (happy Nextcloud user) but don't know so much about Dovecot and Postfix. I guess they must communicate with certificates too, especially to the client and when sending mails, from server to server for sure. I already found some config files about the SSL versions and the ciphers for that. But I won't change this because I think it's well configured to send and receive mail from all other mail servers.
So would that certificate with the Nginx reverse proxy only be used for the Mailcow website (80/443)?
Do I have to turn on Let's Encrypt in Mailcow too, to get certificates for Dovecot and Postfix?
Maybe the answer is pretty simple and I just can't figure it out myself.
Anyway: I would be very happy to hear from you guys.
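As an added example (not from the original post or the mailcow project) of the post-hook mentioned above: a script an external ACME client runs after issuing the ECDSA certificate, which deploys the key pair and restarts the containers that terminate TLS. It assumes mailcow is installed under /opt/mailcow-dockerized, that nginx, Postfix and Dovecot all read data/assets/ssl/cert.pem and key.pem, and that the containers follow mailcow's `<service>-mailcow` naming.

```shell
#!/bin/sh
# Post-hook for an external ACME client: install a freshly issued ECDSA
# certificate where mailcow expects it and restart the containers that
# terminate TLS. Assumed layout (install path and file names are assumptions):
#   $MAILCOW_DIR/data/assets/ssl/cert.pem  (full chain, read by nginx,
#   Postfix and Dovecot) and key.pem alongside it.
set -eu

MAILCOW_DIR="${MAILCOW_DIR:-/opt/mailcow-dockerized}"   # assumption: install path

# key_matches_cert CERT KEY: refuse to deploy a key pair that does not belong
# together, so a bad hook run cannot take the mail server down.
key_matches_cert() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" | openssl pkey -pubin -outform DER | sha256sum)
    key_pub=$(openssl pkey -in "$2" -pubout -outform DER | sha256sum)
    [ "$cert_pub" = "$key_pub" ]
}

# install_cert FULLCHAIN KEY DEST_DIR: copy the pair into DEST_DIR and swap it
# in atomically, keeping the private key readable only by its owner.
install_cert() {
    dest="$3"
    mkdir -p "$dest"
    cp "$1" "$dest/cert.pem.new"
    cp "$2" "$dest/key.pem.new"
    chmod 0644 "$dest/cert.pem.new"
    chmod 0600 "$dest/key.pem.new"
    mv "$dest/cert.pem.new" "$dest/cert.pem"
    mv "$dest/key.pem.new" "$dest/key.pem"
}

# restart_tls_containers: nginx, Postfix and Dovecot all load the same files,
# so each must be restarted to pick up the new certificate.
restart_tls_containers() {
    for svc in postfix-mailcow dovecot-mailcow nginx-mailcow; do
        docker restart "$(docker ps -qaf name="$svc")"
    done
}

# Usage: ./post-hook.sh /path/to/fullchain.pem /path/to/privkey.pem
if [ "$#" -eq 2 ]; then
    key_matches_cert "$1" "$2" || { echo "key does not match certificate" >&2; exit 1; }
    install_cert "$1" "$2" "$MAILCOW_DIR/data/assets/ssl"
    restart_tls_containers
fi
```

Because the same two files feed all three containers, the ECDSA certificate obtained for the reverse proxy also serves IMAP and SMTP once this hook has run.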