Zertifikate werden nicht erstellt

EyyupA

Hi Community,

ich habe mir neulich mailcow als Mailserver aufgesetzt. Ich habe es hinter dem reverse Proxy Traefik am laufen dafür habe ich die Anleitung hier verwendet: Traefik v2.

Ich bekomme aber trotzdem im mailcow logs unter ACME diese Meldungen.

Dort steht Use SKIP_LETS_ENCRYPT=y in mailcow.conf to skip it permanently., das sollte doch nicht der Fall sein oder? Denn das ganze soll ja mit einem Zertifikat laufen.

Meine Frage ist jetzt, was muss ich machen damit ich das zum laufen bekomme?

Weitere Infos:
Meine aktuelle compose-compose.yml: (Diese Poste ich mit denn dafür musste ich die Netzwerk IPs ändern, da es sich mit einem anderen überlappt hatte.)


  unbound-mailcow:
    image: ghcr.io/mailcow/unbound:1.24
    environment:
      - TZ=${TZ}
      - SKIP_UNBOUND_HEALTHCHECK=${SKIP_UNBOUND_HEALTHCHECK:-n}
    volumes:
      - ./data/hooks/unbound:/hooks:Z
      - ./data/conf/unbound/unbound.conf:/etc/unbound/unbound.conf:ro,Z
    restart: always
    tty: true
    networks:
      mailcow-network:
        ipv4_address: ${IPV4_NETWORK:-10.52.1}.254
        aliases:
          - unbound

  mysql-mailcow:
    image: mariadb:10.11
    depends_on:
      - unbound-mailcow
      - netfilter-mailcow
    stop_grace_period: 45s
    volumes:
      - mysql-vol-1:/var/lib/mysql/
      - mysql-socket-vol-1:/var/run/mysqld/
      - ./data/conf/mysql/:/etc/mysql/conf.d/:ro,Z
    environment:
      - TZ=${TZ}
      - MYSQL_ROOT_PASSWORD=${DBROOT}
      - MYSQL_DATABASE=${DBNAME}
      - MYSQL_USER=${DBUSER}
      - MYSQL_PASSWORD=${DBPASS}
      - MYSQL_INITDB_SKIP_TZINFO=1
    restart: always
    ports:
      - "${SQL_PORT:-127.0.0.1:13306}:3306"
    networks:
      mailcow-network:
        aliases:
          - mysql

  redis-mailcow:
    image: redis:7.4.2-alpine
    entrypoint: [ "/bin/sh", "/redis-conf.sh" ]
    volumes:
      - redis-vol-1:/data/
      - ./data/conf/redis/redis-conf.sh:/redis-conf.sh:z
    restart: always
    depends_on:
      - netfilter-mailcow
    ports:
      - "${REDIS_PORT:-127.0.0.1:7654}:6379"
    environment:
      - TZ=${TZ}
      - REDISPASS=${REDISPASS}
      - REDISMASTERPASS=${REDISMASTERPASS:-}
    sysctls:
      - net.core.somaxconn=4096
    networks:
      mailcow-network:
        ipv4_address: ${IPV4_NETWORK:-10.52.1}.249
        aliases:
          - redis

  clamd-mailcow:
    image: ghcr.io/mailcow/clamd:1.70
    restart: always
    depends_on:
      unbound-mailcow:
        condition: service_healthy
    dns:
      - ${IPV4_NETWORK:-10.52.1}.254
    environment:
      - TZ=${TZ}
      - SKIP_CLAMD=${SKIP_CLAMD:-n}
    volumes:
      - ./data/conf/clamav/:/etc/clamav/:Z
      - clamd-db-vol-1:/var/lib/clamav
    networks:
      mailcow-network:
        aliases:
          - clamd

  rspamd-mailcow:
    image: ghcr.io/mailcow/rspamd:2.2
    stop_grace_period: 30s
    depends_on:
      - dovecot-mailcow
      - clamd-mailcow
    environment:
      - TZ=${TZ}
      - IPV4_NETWORK=${IPV4_NETWORK:-10.52.1}
      # - IPV6_NETWORK=${IPV6_NETWORK:-fd4d:6169:6c63:ff77::/64}
      - REDIS_SLAVEOF_IP=${REDIS_SLAVEOF_IP:-}
      - REDIS_SLAVEOF_PORT=${REDIS_SLAVEOF_PORT:-}
      - REDISPASS=${REDISPASS}
      - SPAMHAUS_DQS_KEY=${SPAMHAUS_DQS_KEY:-}
    volumes:
      - ./data/hooks/rspamd:/hooks:Z
      - ./data/conf/rspamd/custom/:/etc/rspamd/custom:z
      - ./data/conf/rspamd/override.d/:/etc/rspamd/override.d:Z
      - ./data/conf/rspamd/local.d/:/etc/rspamd/local.d:Z
      - ./data/conf/rspamd/plugins.d/:/etc/rspamd/plugins.d:Z
      - ./data/conf/rspamd/lua/:/etc/rspamd/lua/:ro,Z
      - ./data/conf/rspamd/rspamd.conf.local:/etc/rspamd/rspamd.conf.local:Z
      - ./data/conf/rspamd/rspamd.conf.override:/etc/rspamd/rspamd.conf.override:Z
      - rspamd-vol-1:/var/lib/rspamd
    restart: always
    hostname: rspamd
    dns:
      - ${IPV4_NETWORK:-10.52.1}.254
    networks:
      mailcow-network:
        aliases:
          - rspamd

  php-fpm-mailcow:
    image: ghcr.io/mailcow/phpfpm:1.93
    command: "php-fpm -d date.timezone=${TZ} -d expose_php=0"
    depends_on:
      - redis-mailcow
    volumes:
      - ./data/hooks/phpfpm:/hooks:Z
      - ./data/web:/web:z
      - ./data/conf/rspamd/dynmaps:/dynmaps:ro,z
      - ./data/conf/rspamd/custom/:/rspamd_custom_maps:z
      - ./data/conf/dovecot/auth/mailcowauth.php:/mailcowauth/mailcowauth.php:z
      - ./data/web/inc/functions.inc.php:/mailcowauth/functions.inc.php:z
      - ./data/web/inc/functions.auth.inc.php:/mailcowauth/functions.auth.inc.php:z
      - ./data/web/inc/sessions.inc.php:/mailcowauth/sessions.inc.php:z
      - ./data/web/inc/functions.mailbox.inc.php:/mailcowauth/functions.mailbox.inc.php:z
      - ./data/web/inc/functions.ratelimit.inc.php:/mailcowauth/functions.ratelimit.inc.php:z
      - ./data/web/inc/functions.acl.inc.php:/mailcowauth/functions.acl.inc.php:z
      - rspamd-vol-1:/var/lib/rspamd
      - mysql-socket-vol-1:/var/run/mysqld/
      - ./data/conf/sogo/:/etc/sogo/:z
      - ./data/conf/rspamd/meta_exporter:/meta_exporter:ro,z
      - ./data/conf/phpfpm/crons:/crons:z
      - ./data/conf/phpfpm/sogo-sso/:/etc/sogo-sso/:z
      - ./data/conf/phpfpm/php-fpm.d/pools.conf:/usr/local/etc/php-fpm.d/z-pools.conf:Z
      - ./data/conf/phpfpm/php-conf.d/opcache-recommended.ini:/usr/local/etc/php/conf.d/opcache-recommended.ini:Z
      - ./data/conf/phpfpm/php-conf.d/upload.ini:/usr/local/etc/php/conf.d/upload.ini:Z
      - ./data/conf/phpfpm/php-conf.d/other.ini:/usr/local/etc/php/conf.d/zzz-other.ini:Z
      - ./data/conf/dovecot/global_sieve_before:/global_sieve/before:z
      - ./data/conf/dovecot/global_sieve_after:/global_sieve/after:z
      - ./data/assets/templates:/tpls:z
      - ./data/conf/nginx/:/etc/nginx/conf.d/:z
    dns:
      - ${IPV4_NETWORK:-10.52.1}.254
    environment:
      - REDIS_SLAVEOF_IP=${REDIS_SLAVEOF_IP:-}
      - REDIS_SLAVEOF_PORT=${REDIS_SLAVEOF_PORT:-}
      - REDISPASS=${REDISPASS}
      - LOG_LINES=${LOG_LINES:-9999}
      - TZ=${TZ}
      - DBNAME=${DBNAME}
      - DBUSER=${DBUSER}
      - DBPASS=${DBPASS}
      - MAILCOW_HOSTNAME=${MAILCOW_HOSTNAME}
      - MAILCOW_PASS_SCHEME=${MAILCOW_PASS_SCHEME:-BLF-CRYPT}
      - IMAP_PORT=${IMAP_PORT:-143}
      - IMAPS_PORT=${IMAPS_PORT:-993}
      - POP_PORT=${POP_PORT:-110}
      - POPS_PORT=${POPS_PORT:-995}
      - SIEVE_PORT=${SIEVE_PORT:-4190}
      - IPV4_NETWORK=${IPV4_NETWORK:-10.52.1}
      # - IPV6_NETWORK=${IPV6_NETWORK:-fd4d:6169:6c63:ff77::/64}
      - SUBMISSION_PORT=${SUBMISSION_PORT:-587}
      - SMTPS_PORT=${SMTPS_PORT:-465}
      - SMTP_PORT=${SMTP_PORT:-25}
      - API_KEY=${API_KEY:-invalid}
      - API_KEY_READ_ONLY=${API_KEY_READ_ONLY:-invalid}
      - API_ALLOW_FROM=${API_ALLOW_FROM:-invalid}
      - COMPOSE_PROJECT_NAME=${COMPOSE_PROJECT_NAME:-mailcow-dockerized}
      - SKIP_FTS=${SKIP_FTS:-y}
      - SKIP_CLAMD=${SKIP_CLAMD:-n}
      - SKIP_OLEFY=${SKIP_OLEFY:-n}
      - SKIP_SOGO=${SKIP_SOGO:-n}
      - ALLOW_ADMIN_EMAIL_LOGIN=${ALLOW_ADMIN_EMAIL_LOGIN:-n}
      - MASTER=${MASTER:-y}
      - DEV_MODE=${DEV_MODE:-n}
      - DEMO_MODE=${DEMO_MODE:-n}
      - WEBAUTHN_ONLY_TRUSTED_VENDORS=${WEBAUTHN_ONLY_TRUSTED_VENDORS:-n}
      - CLUSTERMODE=${CLUSTERMODE:-}
      - ADDITIONAL_SERVER_NAMES=${ADDITIONAL_SERVER_NAMES:-}
    restart: always
    labels:
      ofelia.enabled: "true"
      ofelia.job-exec.phpfpm_keycloak_sync.schedule: "@every 1m"
      ofelia.job-exec.phpfpm_keycloak_sync.no-overlap: "true"
      ofelia.job-exec.phpfpm_keycloak_sync.command: "/bin/bash -c \"php /crons/keycloak-sync.php || exit 0\""
      ofelia.job-exec.phpfpm_ldap_sync.schedule: "@every 1m"
      ofelia.job-exec.phpfpm_ldap_sync.no-overlap: "true"
      ofelia.job-exec.phpfpm_ldap_sync.command: "/bin/bash -c \"php /crons/ldap-sync.php || exit 0\""
    networks:
      mailcow-network:
        aliases:
          - phpfpm

  sogo-mailcow:
    image: ghcr.io/mailcow/sogo:1.133
    environment:
      - DBNAME=${DBNAME}
      - DBUSER=${DBUSER}
      - DBPASS=${DBPASS}
      - TZ=${TZ}
      - LOG_LINES=${LOG_LINES:-9999}
      - MAILCOW_HOSTNAME=${MAILCOW_HOSTNAME}
      - MAILCOW_PASS_SCHEME=${MAILCOW_PASS_SCHEME:-BLF-CRYPT}
      - ACL_ANYONE=${ACL_ANYONE:-disallow}
      - ALLOW_ADMIN_EMAIL_LOGIN=${ALLOW_ADMIN_EMAIL_LOGIN:-n}
      - IPV4_NETWORK=${IPV4_NETWORK:-10.52.1}
      - SOGO_EXPIRE_SESSION=${SOGO_EXPIRE_SESSION:-480}
      - SKIP_SOGO=${SKIP_SOGO:-n}
      - MASTER=${MASTER:-y}
      - REDIS_SLAVEOF_IP=${REDIS_SLAVEOF_IP:-}
      - REDIS_SLAVEOF_PORT=${REDIS_SLAVEOF_PORT:-}
      - REDISPASS=${REDISPASS}
    dns:
      - ${IPV4_NETWORK:-10.52.1}.254
    volumes:
      - ./data/hooks/sogo:/hooks:Z
      - ./data/conf/sogo/:/etc/sogo/:z
      - ./data/web/inc/init_db.inc.php:/init_db.inc.php:z
      - ./data/conf/sogo/custom-favicon.ico:/usr/lib/GNUstep/SOGo/WebServerResources/img/sogo.ico:z
      - ./data/conf/sogo/custom-shortlogo.svg:/usr/lib/GNUstep/SOGo/WebServerResources/img/sogo-compact.svg:z
      - ./data/conf/sogo/custom-fulllogo.svg:/usr/lib/GNUstep/SOGo/WebServerResources/img/sogo-full.svg:z
      - ./data/conf/sogo/custom-fulllogo.png:/usr/lib/GNUstep/SOGo/WebServerResources/img/sogo-logo.png:z
      - ./data/conf/sogo/custom-theme.js:/usr/lib/GNUstep/SOGo/WebServerResources/js/theme.js:z
      - ./data/conf/sogo/custom-sogo.js:/usr/lib/GNUstep/SOGo/WebServerResources/js/custom-sogo.js:z
      - mysql-socket-vol-1:/var/run/mysqld/
      - sogo-web-vol-1:/sogo_web
      - sogo-userdata-backup-vol-1:/sogo_backup
    labels:
      ofelia.enabled: "true"
      ofelia.job-exec.sogo_sessions.schedule: "@every 1m"
      ofelia.job-exec.sogo_sessions.command: "/bin/bash -c \"[[ $${MASTER} == y ]] && /usr/local/bin/gosu sogo /usr/sbin/sogo-tool -v expire-sessions $${SOGO_EXPIRE_SESSION} || exit 0\""
      ofelia.job-exec.sogo_ealarms.schedule: "@every 1m"
      ofelia.job-exec.sogo_ealarms.command: "/bin/bash -c \"[[ $${MASTER} == y ]] && /usr/local/bin/gosu sogo /usr/sbin/sogo-ealarms-notify -p /etc/sogo/cron.creds || exit 0\""
      ofelia.job-exec.sogo_eautoreply.schedule: "@every 5m"
      ofelia.job-exec.sogo_eautoreply.command: "/bin/bash -c \"[[ $${MASTER} == y ]] && /usr/local/bin/gosu sogo /usr/sbin/sogo-tool update-autoreply -p /etc/sogo/cron.creds || exit 0\""
      ofelia.job-exec.sogo_backup.schedule: "@every 24h"
      ofelia.job-exec.sogo_backup.command: "/bin/bash -c \"[[ $${MASTER} == y ]] && /usr/local/bin/gosu sogo /usr/sbin/sogo-tool backup /sogo_backup ALL || exit 0\""
    restart: always
    networks:
      mailcow-network:
        ipv4_address: ${IPV4_NETWORK:-10.52.1}.248
        aliases:
          - sogo

  dovecot-mailcow:
    image: ghcr.io/mailcow/dovecot:2.33
    depends_on:
      - mysql-mailcow
      - netfilter-mailcow
      - redis-mailcow
    dns:
      - ${IPV4_NETWORK:-10.52.1}.254
    cap_add:
      - NET_BIND_SERVICE
    volumes:
      - ./data/hooks/dovecot:/hooks:Z
      - ./data/conf/dovecot:/etc/dovecot:z
      - ./data/assets/ssl:/etc/ssl/mail/:ro,z
      - ./data/conf/sogo/:/etc/sogo/:z
      - ./data/conf/phpfpm/sogo-sso/:/etc/phpfpm/:z
      - vmail-vol-1:/var/vmail
      - vmail-index-vol-1:/var/vmail_index
      - crypt-vol-1:/mail_crypt/
      - ./data/conf/rspamd/custom/:/etc/rspamd/custom:z
      - ./data/assets/templates:/templates:z
      - rspamd-vol-1:/var/lib/rspamd
      - mysql-socket-vol-1:/var/run/mysqld/
    environment:
      - DOVECOT_MASTER_USER=${DOVECOT_MASTER_USER:-}
      - DOVECOT_MASTER_PASS=${DOVECOT_MASTER_PASS:-}
      - MAILCOW_REPLICA_IP=${MAILCOW_REPLICA_IP:-}
      - DOVEADM_REPLICA_PORT=${DOVEADM_REPLICA_PORT:-}
      - LOG_LINES=${LOG_LINES:-9999}
      - DBNAME=${DBNAME}
      - DBUSER=${DBUSER}
      - DBPASS=${DBPASS}
      - TZ=${TZ}
      - MAILCOW_HOSTNAME=${MAILCOW_HOSTNAME}
      - MAILCOW_PASS_SCHEME=${MAILCOW_PASS_SCHEME:-BLF-CRYPT}
      - IPV4_NETWORK=${IPV4_NETWORK:-10.52.1}
      - ALLOW_ADMIN_EMAIL_LOGIN=${ALLOW_ADMIN_EMAIL_LOGIN:-n}
      - MAILDIR_GC_TIME=${MAILDIR_GC_TIME:-7200}
      - ACL_ANYONE=${ACL_ANYONE:-disallow}
      - SKIP_FTS=${SKIP_FTS:-y}
      - FTS_HEAP=${FTS_HEAP:-512}
      - FTS_PROCS=${FTS_PROCS:-3}
      - MAILDIR_SUB=${MAILDIR_SUB:-}
      - MASTER=${MASTER:-y}
      - REDIS_SLAVEOF_IP=${REDIS_SLAVEOF_IP:-}
      - REDIS_SLAVEOF_PORT=${REDIS_SLAVEOF_PORT:-}
      - REDISPASS=${REDISPASS}
      - COMPOSE_PROJECT_NAME=${COMPOSE_PROJECT_NAME:-mailcow-dockerized}
    ports:
      - "${DOVEADM_PORT:-127.0.0.1:19991}:12345"
      - "${IMAP_PORT:-143}:143"
      - "${IMAPS_PORT:-993}:993"
      - "${POP_PORT:-110}:110"
      - "${POPS_PORT:-995}:995"
      - "${SIEVE_PORT:-4190}:4190"
    restart: always
    tty: true
    labels:
      ofelia.enabled: "true"
      ofelia.job-exec.dovecot_imapsync_runner.schedule: "@every 1m"
      ofelia.job-exec.dovecot_imapsync_runner.no-overlap: "true"
      ofelia.job-exec.dovecot_imapsync_runner.command: "/bin/bash -c \"[[ $${MASTER} == y ]] && /usr/local/bin/gosu nobody /usr/local/bin/imapsync_runner.pl || exit 0\""
      ofelia.job-exec.dovecot_trim_logs.schedule: "@every 1m"
      ofelia.job-exec.dovecot_trim_logs.command: "/bin/bash -c \"[[ $${MASTER} == y ]] && /usr/local/bin/gosu vmail /usr/local/bin/trim_logs.sh || exit 0\""
      ofelia.job-exec.dovecot_quarantine.schedule: "@every 20m"
      ofelia.job-exec.dovecot_quarantine.command: "/bin/bash -c \"[[ $${MASTER} == y ]] && /usr/local/bin/gosu vmail /usr/local/bin/quarantine_notify.py || exit 0\""
      ofelia.job-exec.dovecot_clean_q_aged.schedule: "@every 24h"
      ofelia.job-exec.dovecot_clean_q_aged.command: "/bin/bash -c \"[[ $${MASTER} == y ]] && /usr/local/bin/gosu vmail /usr/local/bin/clean_q_aged.sh || exit 0\""
      ofelia.job-exec.dovecot_maildir_gc.schedule: "@every 30m"
      ofelia.job-exec.dovecot_maildir_gc.command: "/bin/bash -c \"source /source_env.sh ; /usr/local/bin/gosu vmail /usr/local/bin/maildir_gc.sh\""
      ofelia.job-exec.dovecot_sarules.schedule: "@every 24h"
      ofelia.job-exec.dovecot_sarules.command: "/bin/bash -c \"/usr/local/bin/sa-rules.sh\""
      ofelia.job-exec.dovecot_fts.schedule: "@every 24h"
      ofelia.job-exec.dovecot_fts.command: "/bin/bash -c \"/usr/local/bin/gosu vmail /usr/local/bin/optimize-fts.sh\""
      ofelia.job-exec.dovecot_repl_health.schedule: "@every 5m"
      ofelia.job-exec.dovecot_repl_health.command: "/bin/bash -c \"/usr/local/bin/gosu vmail /usr/local/bin/repl_health.sh\""
    ulimits:
      nproc: 65535
      nofile:
        soft: 20000
        hard: 40000
    networks:
      mailcow-network:
        ipv4_address: ${IPV4_NETWORK:-10.52.1}.250
        aliases:
          - dovecot

  postfix-mailcow:
    image: ghcr.io/mailcow/postfix:1.80
    depends_on:
      mysql-mailcow:
        condition: service_started
      unbound-mailcow:
        condition: service_healthy
    volumes:
      - ./data/hooks/postfix:/hooks:Z
      - ./data/conf/postfix:/opt/postfix/conf:z
      - ./data/assets/ssl:/etc/ssl/mail/:ro,z
      - postfix-vol-1:/var/spool/postfix
      - crypt-vol-1:/var/lib/zeyple
      - rspamd-vol-1:/var/lib/rspamd
      - mysql-socket-vol-1:/var/run/mysqld/
    environment:
      - LOG_LINES=${LOG_LINES:-9999}
      - TZ=${TZ}
      - DBNAME=${DBNAME}
      - DBUSER=${DBUSER}
      - DBPASS=${DBPASS}
      - REDIS_SLAVEOF_IP=${REDIS_SLAVEOF_IP:-}
      - REDIS_SLAVEOF_PORT=${REDIS_SLAVEOF_PORT:-}
      - REDISPASS=${REDISPASS}
      - MAILCOW_HOSTNAME=${MAILCOW_HOSTNAME}
      - SPAMHAUS_DQS_KEY=${SPAMHAUS_DQS_KEY:-}
    cap_add:
      - NET_BIND_SERVICE
    ports:
      - "${SMTP_PORT:-25}:25"
      - "${SMTPS_PORT:-465}:465"
      - "${SUBMISSION_PORT:-587}:587"
    restart: always
    dns:
      - ${IPV4_NETWORK:-10.52.1}.254
    networks:
      mailcow-network:
        ipv4_address: ${IPV4_NETWORK:-10.52.1}.253
        aliases:
          - postfix

  memcached-mailcow:
    image: memcached:alpine
    restart: always
    environment:
      - TZ=${TZ}
    networks:
      mailcow-network:
        aliases:
          - memcached

  nginx-mailcow:
    depends_on:
      - redis-mailcow
      - php-fpm-mailcow
      - sogo-mailcow
      - rspamd-mailcow
    image: ghcr.io/mailcow/nginx:1.03
    dns:
      - ${IPV4_NETWORK:-10.52.1}.254
    environment:
      - HTTPS_PORT=${HTTPS_PORT:-443}
      - HTTP_PORT=${HTTP_PORT:-80}
      - MAILCOW_HOSTNAME=${MAILCOW_HOSTNAME}
      - ADDITIONAL_SERVER_NAMES=${ADDITIONAL_SERVER_NAMES:-}
      - TZ=${TZ}
      - SKIP_SOGO=${SKIP_SOGO:-n}
      - SKIP_RSPAMD=${SKIP_RSPAMD:-n}
      - DISABLE_IPv6=${DISABLE_IPv6:-n}
      - HTTP_REDIRECT=${HTTP_REDIRECT:-n}
      - PHPFPMHOST=${PHPFPMHOST:-}
      - SOGOHOST=${SOGOHOST:-}
      - RSPAMDHOST=${RSPAMDHOST:-}
      - REDISHOST=${REDISHOST:-}
      - IPV4_NETWORK=${IPV4_NETWORK:-10.52.1}
      - NGINX_USE_PROXY_PROTOCOL=${NGINX_USE_PROXY_PROTOCOL:-n}
      - TRUSTED_PROXIES=${TRUSTED_PROXIES:-}
    volumes:
      - ./data/web:/web:ro,z
      - ./data/conf/rspamd/dynmaps:/dynmaps:ro,z
      - ./data/assets/ssl/:/etc/ssl/mail/:ro,z
      - ./data/conf/nginx/:/etc/nginx/conf.d/:z
      - ./data/conf/rspamd/meta_exporter:/meta_exporter:ro,z
      - ./data/conf/dovecot/auth/mailcowauth.php:/mailcowauth/mailcowauth.php:z
      - ./data/web/inc/functions.inc.php:/mailcowauth/functions.inc.php:z
      - ./data/web/inc/functions.auth.inc.php:/mailcowauth/functions.auth.inc.php:z
      - ./data/web/inc/sessions.inc.php:/mailcowauth/sessions.inc.php:z
      - sogo-web-vol-1:/usr/lib/GNUstep/SOGo/
    # ports:
    #   - "${HTTPS_BIND:-}:${HTTPS_PORT:-8443}:${HTTPS_PORT:-8443}"
    #   - "${HTTP_BIND:-}:${HTTP_PORT:-8000}:${HTTP_PORT:-8080}"
    restart: always
    networks:
      mailcow-network:
        aliases:
          - nginx
      traefik_web:


  acme-mailcow:
    depends_on:
      nginx-mailcow:
        condition: service_started
      unbound-mailcow:
        condition: service_healthy
    image: ghcr.io/mailcow/acme:1.92
    dns:
      - ${IPV4_NETWORK:-10.52.1}.254
    environment:
      - LOG_LINES=${LOG_LINES:-9999}
      - ACME_CONTACT=${ACME_CONTACT:-}
      - ADDITIONAL_SAN=${ADDITIONAL_SAN}
      - AUTODISCOVER_SAN=${AUTODISCOVER_SAN:-y}
      - MAILCOW_HOSTNAME=${MAILCOW_HOSTNAME}
      - DBNAME=${DBNAME}
      - DBUSER=${DBUSER}
      - DBPASS=${DBPASS}
      - SKIP_LETS_ENCRYPT=${SKIP_LETS_ENCRYPT:-n}
      - COMPOSE_PROJECT_NAME=${COMPOSE_PROJECT_NAME:-mailcow-dockerized}
      - DIRECTORY_URL=${DIRECTORY_URL:-}
      - ENABLE_SSL_SNI=${ENABLE_SSL_SNI:-n}
      - SKIP_IP_CHECK=${SKIP_IP_CHECK:-n}
      - SKIP_HTTP_VERIFICATION=${SKIP_HTTP_VERIFICATION:-n}
      - ONLY_MAILCOW_HOSTNAME=${ONLY_MAILCOW_HOSTNAME:-n}
      - LE_STAGING=${LE_STAGING:-n}
      - TZ=${TZ}
      - REDIS_SLAVEOF_IP=${REDIS_SLAVEOF_IP:-}
      - REDIS_SLAVEOF_PORT=${REDIS_SLAVEOF_PORT:-}
      - REDISPASS=${REDISPASS}
      - SNAT_TO_SOURCE=${SNAT_TO_SOURCE:-n}
      - SNAT6_TO_SOURCE=${SNAT6_TO_SOURCE:-n}
    volumes:
      - ./data/web/.well-known/acme-challenge:/var/www/acme:z
      - ./data/assets/ssl:/var/lib/acme/:z
      - ./data/assets/ssl-example:/var/lib/ssl-example/:ro,Z
      - mysql-socket-vol-1:/var/run/mysqld/
    restart: always
    networks:
      mailcow-network:
        aliases:
          - acme

  netfilter-mailcow:
    image: ghcr.io/mailcow/netfilter:1.61
    stop_grace_period: 30s
    restart: always
    privileged: true
    environment:
      - TZ=${TZ}
      - IPV4_NETWORK=${IPV4_NETWORK:-10.52.1}
      # - IPV6_NETWORK=${IPV6_NETWORK:-fd4d:6169:6c63:ff77::/64}
      - SNAT_TO_SOURCE=${SNAT_TO_SOURCE:-n}
      - SNAT6_TO_SOURCE=${SNAT6_TO_SOURCE:-n}
      - REDIS_SLAVEOF_IP=${REDIS_SLAVEOF_IP:-}
      - REDIS_SLAVEOF_PORT=${REDIS_SLAVEOF_PORT:-}
      - REDISPASS=${REDISPASS}
      - MAILCOW_REPLICA_IP=${MAILCOW_REPLICA_IP:-}
      - DISABLE_NETFILTER_ISOLATION_RULE=${DISABLE_NETFILTER_ISOLATION_RULE:-n}
    network_mode: "host"
    volumes:
      - /lib/modules:/lib/modules:ro

  watchdog-mailcow:
    image: ghcr.io/mailcow/watchdog:2.08
    dns:
      - ${IPV4_NETWORK:-10.52.1}.254
    tmpfs:
      - /tmp
    volumes:
      - rspamd-vol-1:/var/lib/rspamd
      - mysql-socket-vol-1:/var/run/mysqld/
      - postfix-vol-1:/var/spool/postfix
      - ./data/assets/ssl:/etc/ssl/mail/:ro,z
    restart: always
    depends_on:
      - postfix-mailcow
      - dovecot-mailcow
      - mysql-mailcow
      - acme-mailcow
      - redis-mailcow
    environment:
      # - IPV6_NETWORK=${IPV6_NETWORK:-fd4d:6169:6c63:ff77::/64}
      - LOG_LINES=${LOG_LINES:-9999}
      - TZ=${TZ}
      - DBNAME=${DBNAME}
      - DBUSER=${DBUSER}
      - DBPASS=${DBPASS}
      - DBROOT=${DBROOT}
      - USE_WATCHDOG=${USE_WATCHDOG:-n}
      - WATCHDOG_NOTIFY_EMAIL=${WATCHDOG_NOTIFY_EMAIL:-}
      - WATCHDOG_NOTIFY_BAN=${WATCHDOG_NOTIFY_BAN:-y}
      - WATCHDOG_NOTIFY_START=${WATCHDOG_NOTIFY_START:-y}
      - WATCHDOG_SUBJECT=${WATCHDOG_SUBJECT:-Watchdog ALERT}
      - WATCHDOG_NOTIFY_WEBHOOK=${WATCHDOG_NOTIFY_WEBHOOK:-}
      - WATCHDOG_NOTIFY_WEBHOOK_BODY=${WATCHDOG_NOTIFY_WEBHOOK_BODY:-}
      - WATCHDOG_EXTERNAL_CHECKS=${WATCHDOG_EXTERNAL_CHECKS:-n}
      - WATCHDOG_MYSQL_REPLICATION_CHECKS=${WATCHDOG_MYSQL_REPLICATION_CHECKS:-n}
      - WATCHDOG_VERBOSE=${WATCHDOG_VERBOSE:-n}
      - MAILCOW_HOSTNAME=${MAILCOW_HOSTNAME}
      - COMPOSE_PROJECT_NAME=${COMPOSE_PROJECT_NAME:-mailcow-dockerized}
      - IPV4_NETWORK=${IPV4_NETWORK:-10.52.1}
      - IP_BY_DOCKER_API=${IP_BY_DOCKER_API:-0}
      - CHECK_UNBOUND=${CHECK_UNBOUND:-1}
      - SKIP_CLAMD=${SKIP_CLAMD:-n}
      - SKIP_OLEFY=${SKIP_OLEFY:-n}
      - SKIP_LETS_ENCRYPT=${SKIP_LETS_ENCRYPT:-n}
      - SKIP_SOGO=${SKIP_SOGO:-n}
      - HTTPS_PORT=${HTTPS_PORT:-443}
      - REDIS_SLAVEOF_IP=${REDIS_SLAVEOF_IP:-}
      - REDIS_SLAVEOF_PORT=${REDIS_SLAVEOF_PORT:-}
      - REDISPASS=${REDISPASS}
      - EXTERNAL_CHECKS_THRESHOLD=${EXTERNAL_CHECKS_THRESHOLD:-1}
      - NGINX_THRESHOLD=${NGINX_THRESHOLD:-5}
      - UNBOUND_THRESHOLD=${UNBOUND_THRESHOLD:-5}
      - REDIS_THRESHOLD=${REDIS_THRESHOLD:-5}
      - MYSQL_THRESHOLD=${MYSQL_THRESHOLD:-5}
      - MYSQL_REPLICATION_THRESHOLD=${MYSQL_REPLICATION_THRESHOLD:-1}
      - SOGO_THRESHOLD=${SOGO_THRESHOLD:-3}
      - POSTFIX_THRESHOLD=${POSTFIX_THRESHOLD:-8}
      - CLAMD_THRESHOLD=${CLAMD_THRESHOLD:-15}
      - DOVECOT_THRESHOLD=${DOVECOT_THRESHOLD:-12}
      - DOVECOT_REPL_THRESHOLD=${DOVECOT_REPL_THRESHOLD:-20}
      - PHPFPM_THRESHOLD=${PHPFPM_THRESHOLD:-5}
      - RATELIMIT_THRESHOLD=${RATELIMIT_THRESHOLD:-1}
      - FAIL2BAN_THRESHOLD=${FAIL2BAN_THRESHOLD:-1}
      - ACME_THRESHOLD=${ACME_THRESHOLD:-1}
      - RSPAMD_THRESHOLD=${RSPAMD_THRESHOLD:-5}
      - OLEFY_THRESHOLD=${OLEFY_THRESHOLD:-5}
      - MAILQ_THRESHOLD=${MAILQ_THRESHOLD:-20}
      - MAILQ_CRIT=${MAILQ_CRIT:-30}
    networks:
      mailcow-network:
        aliases:
          - watchdog

  dockerapi-mailcow:
    image: ghcr.io/mailcow/dockerapi:2.11
    security_opt:
      - label=disable
    restart: always
    dns:
      - ${IPV4_NETWORK:-10.52.1}.254
    environment:
      - DBROOT=${DBROOT}
      - TZ=${TZ}
      - REDIS_SLAVEOF_IP=${REDIS_SLAVEOF_IP:-}
      - REDIS_SLAVEOF_PORT=${REDIS_SLAVEOF_PORT:-}
      - REDISPASS=${REDISPASS}
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      mailcow-network:
        aliases:
          - dockerapi

  olefy-mailcow:
    image: ghcr.io/mailcow/olefy:1.15
    restart: always
    environment:
      - TZ=${TZ}
      - OLEFY_BINDADDRESS=0.0.0.0
      - OLEFY_BINDPORT=10055
      - OLEFY_TMPDIR=/tmp
      - OLEFY_PYTHON_PATH=/usr/bin/python3
      - OLEFY_OLEVBA_PATH=/usr/bin/olevba
      - OLEFY_LOGLVL=20
      - OLEFY_MINLENGTH=500
      - OLEFY_DEL_TMP=1
      - SKIP_OLEFY=${SKIP_OLEFY:-n}
    networks:
      mailcow-network:
        aliases:
          - olefy

  ofelia-mailcow:
    image: mcuadros/ofelia:latest
    restart: always
    command: daemon --docker -f label=com.docker.compose.project=${COMPOSE_PROJECT_NAME}
    environment:
      - TZ=${TZ}
      - COMPOSE_PROJECT_NAME=${COMPOSE_PROJECT_NAME}
    depends_on:
      - sogo-mailcow
      - dovecot-mailcow
    labels:
      ofelia.enabled: "true"
    security_opt:
      - label=disable
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      mailcow-network:
        aliases:
          - ofelia

  ipv6nat-mailcow:
    depends_on:
      - unbound-mailcow
      - mysql-mailcow
      - redis-mailcow
      - clamd-mailcow
      - rspamd-mailcow
      - php-fpm-mailcow
      - sogo-mailcow
      - dovecot-mailcow
      - postfix-mailcow
      - memcached-mailcow
      - nginx-mailcow
      - acme-mailcow
      - netfilter-mailcow
      - watchdog-mailcow
      - dockerapi-mailcow
    environment:
      - TZ=${TZ}
    image: robbertkl/ipv6nat
    security_opt:
      - label=disable
    restart: always
    privileged: true
    network_mode: "host"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /lib/modules:/lib/modules:ro

networks:
  mailcow-network:
    driver: bridge
    driver_opts:
      com.docker.network.bridge.name: br-mailcow
    enable_ipv6: true
    ipam:
      driver: default
      config:
        - subnet: ${IPV4_NETWORK:-10.52.1}.0/24
        - subnet: ${IPV6_NETWORK:-fd4d:6169:6c63:ff77::/64}
  traefik_web:
    external: true

volumes:
  vmail-vol-1:
  vmail-index-vol-1:
  mysql-vol-1:
  mysql-socket-vol-1:
  redis-vol-1:
  rspamd-vol-1:
  postfix-vol-1:
  crypt-vol-1:
  sogo-web-vol-1:
  sogo-userdata-backup-vol-1:
  clamd-db-vol-1:

Meine Mailcow config:

# ------------------------------
# mailcow web ui configuration
# ------------------------------
# example.org is _not_ a valid hostname, use a fqdn here.
# Default admin user is "admin"
# Default password is "moohoo"

MAILCOW_HOSTNAME=mail.domain.tld

# Password hash algorithm
# Only certain password hash algorithm are supported. For a fully list of supported schemes,
# see https://docs.mailcow.email/models/model-passwd/
MAILCOW_PASS_SCHEME=BLF-CRYPT

# ------------------------------
# SQL database configuration
# ------------------------------

DBNAME=mailcow
DBUSER=mailcow

# Please use long, random alphanumeric strings (A-Za-z0-9)

DBPASS=ABC
DBROOT=DEF

# ------------------------------
# REDIS configuration
# ------------------------------

REDISPASS=EFG

# ------------------------------
# HTTP/S Bindings
# ------------------------------

# You should use HTTPS, but in case of SSL offloaded reverse proxies:
# Might be important: This will also change the binding within the container.
# If you use a proxy within Docker, point it to the ports you set below.
# Do _not_ use IP:PORT in HTTP(S)_BIND or HTTP(S)_PORT
# IMPORTANT: Do not use port 8081, 9081, 9082 or 65510!
# Example: HTTP_BIND=1.2.3.4
# For IPv4 leave it as it is: HTTP_BIND= & HTTPS_PORT=
# For IPv6 see https://docs.mailcow.email/post_installation/firststeps-ip_bindings/

HTTP_PORT=8080
HTTP_BIND=127.0.0.1

HTTPS_PORT=8443
HTTPS_BIND=127.0.0.1

# Redirect HTTP connections to HTTPS - y/n
HTTP_REDIRECT=n

# ------------------------------
# Other bindings
# ------------------------------
# You should leave that alone
# Format: 11.22.33.44:25 or 12.34.56.78:465 etc.

SMTP_PORT=25
SMTPS_PORT=465
SUBMISSION_PORT=587
IMAP_PORT=143
IMAPS_PORT=993
POP_PORT=110
POPS_PORT=995
SIEVE_PORT=4190
DOVEADM_PORT=127.0.0.1:19991
SQL_PORT=127.0.0.1:13306
REDIS_PORT=127.0.0.1:7654

# Your timezone
# See https://en.wikipedia.org/wiki/List_of_tz_database_time_zones for a list of timezones
# Use the column named 'TZ identifier' + pay attention for the column named 'Notes'

TZ=Europe/Berlin

# Fixed project name
# Please use lowercase letters only

COMPOSE_PROJECT_NAME=mailcowdockerized

# Used Docker Compose version
# Switch here between native (compose plugin) and standalone
# For more informations take a look at the mailcow docs regarding the configuration options.
# Normally this should be untouched but if you decided to use either of those you can switch it manually here.
# Please be aware that at least one of those variants should be installed on your machine or mailcow will fail.

DOCKER_COMPOSE_VERSION=native

# Set this to "allow" to enable the anyone pseudo user. Disabled by default.
# When enabled, ACL can be created, that apply to "All authenticated users"
# This should probably only be activated on mail hosts, that are used exclusivly by one organisation.
# Otherwise a user might share data with too many other users.
ACL_ANYONE=disallow

# Garbage collector cleanup
# Deleted domains and mailboxes are moved to /var/vmail/_garbage/timestamp_sanitizedstring
# How long should objects remain in the garbage until they are being deleted? (value in minutes)
# Check interval is hourly

MAILDIR_GC_TIME=7200

# Additional SAN for the certificate
#
# You can use wildcard records to create specific names for every domain you add to mailcow.
# Example: Add domains "example.com" and "example.net" to mailcow, change ADDITIONAL_SAN to a value like:
#ADDITIONAL_SAN=imap.*,smtp.*
# This will expand the certificate to "imap.example.com", "smtp.example.com", "imap.example.net", "smtp.example.net"
# plus every domain you add in the future.
#
# You can also just add static names...
#ADDITIONAL_SAN=srv1.example.net
# ...or combine wildcard and static names:
#ADDITIONAL_SAN=imap.*,srv1.example.com
#

ADDITIONAL_SAN=

# Obtain certificates for autodiscover.* and autoconfig.* domains.
# This can be useful to switch off in case you are in a scenario where a reverse proxy already handles those.
# There are mixed scenarios where ports 80,443 are occupied and you do not want to share certs
# between services. So acme-mailcow obtains for maildomains and all web-things get handled
# in the reverse proxy.
AUTODISCOVER_SAN=n

# Additional server names for mailcow UI
#
# Specify alternative addresses for the mailcow UI to respond to
# This is useful when you set mail.* as ADDITIONAL_SAN and want to make sure mail.maildomain.com will always point to the mailcow UI.
# If the server name does not match a known site, Nginx decides by best-guess and may redirect users to the wrong web root.
# You can understand this as server_name directive in Nginx.
# Comma separated list without spaces! Example: ADDITIONAL_SERVER_NAMES=a.b.c,d.e.f

ADDITIONAL_SERVER_NAMES=

# Skip running ACME (acme-mailcow, Let's Encrypt certs) - y/n

SKIP_LETS_ENCRYPT=n

# Create seperate certificates for all domains - y/n
# this will allow adding more than 100 domains, but some email clients will not be able to connect with alternative hostnames
# see https://doc.dovecot.org/admin_manual/ssl/sni_support
ENABLE_SSL_SNI=n

# Skip IPv4 check in ACME container - y/n

SKIP_IP_CHECK=n

# Skip HTTP verification in ACME container - y/n

SKIP_HTTP_VERIFICATION=n

# Skip Unbound (DNS Resolver) Healthchecks (NOT Recommended!) - y/n

SKIP_UNBOUND_HEALTHCHECK=n

# Skip ClamAV (clamd-mailcow) anti-virus (Rspamd will auto-detect a missing ClamAV container) - y/n

SKIP_CLAMD=n

# Skip Olefy (olefy-mailcow) anti-virus for Office documents (Rspamd will auto-detect a missing Olefy container) - y/n

SKIP_OLEFY=n

# Skip SOGo: Will disable SOGo integration and therefore webmail, DAV protocols and ActiveSync support (experimental, unsupported, not fully implemented) - y/n

SKIP_SOGO=n

# Skip FTS (Fulltext Search) for Dovecot on low-memory, low-threaded systems or if you simply want to disable it.
# Dovecot inside mailcow use Flatcurve as FTS Backend.

SKIP_FTS=n

# Dovecot Indexing (FTS) Process maximum heap size in MB, there is no recommendation, please see Dovecot docs.
# Flatcurve (Xapian backend) is used as the FTS Indexer. It is supposed to be efficient in CPU and RAM consumption.
# However: Please always monitor your Resource consumption!

FTS_HEAP=128

# Controls how many processes the Dovecot indexing process can spawn at max.
# Too many indexing processes can use a lot of CPU and Disk I/O.
# Please visit: https://doc.dovecot.org/configuration_manual/service_configuration/#indexer-worker for more informations

FTS_PROCS=1

# Allow admins to log into SOGo as email user (without any password)

ALLOW_ADMIN_EMAIL_LOGIN=n

# Enable watchdog (watchdog-mailcow) to restart unhealthy containers

USE_WATCHDOG=y

# Send watchdog notifications by mail (sent from watchdog@MAILCOW_HOSTNAME)
# CAUTION:
# 1. You should use external recipients
# 2. Mails are sent unsigned (no DKIM)
# 3. If you use DMARC, create a separate DMARC policy ("v=DMARC1; p=none;" in _dmarc.MAILCOW_HOSTNAME)
# Multiple rcpts allowed, NO quotation marks, NO spaces

#WATCHDOG_NOTIFY_EMAIL=a@example.com,b@example.com,c@example.com
#WATCHDOG_NOTIFY_EMAIL=

# Send notifications to a webhook URL that receives a POST request with the content type "application/json".
# You can use this to send notifications to services like Discord, Slack and others.
#WATCHDOG_NOTIFY_WEBHOOK=https://discord.com/api/webhooks/XXXXXXXXXXXXXXXXXXX/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# JSON body included in the webhook POST request. Needs to be in single quotes.
# Following variables are available: SUBJECT, BODY
#WATCHDOG_NOTIFY_WEBHOOK_BODY='{"username": "mailcow Watchdog", "content": "****\n"}'

# Notify about banned IP (includes whois lookup)
WATCHDOG_NOTIFY_BAN=n

# Send a notification when the watchdog is started.
WATCHDOG_NOTIFY_START=y

# Subject for watchdog mails. Defaults to "Watchdog ALERT" followed by the error message.
#WATCHDOG_SUBJECT=

# Checks if mailcow is an open relay. Requires a SAL. More checks will follow.
# https://www.servercow.de/mailcow?lang=en
# https://www.servercow.de/mailcow?lang=de
# No data is collected. Opt-in and anonymous.
# Will only work with unmodified mailcow setups.
WATCHDOG_EXTERNAL_CHECKS=n

# Enable watchdog verbose logging
WATCHDOG_VERBOSE=n

# Max log lines per service to keep in Redis logs

LOG_LINES=9999

# Internal IPv4 /24 subnet, format n.n.n (expands to n.n.n.0/24)
# Use private IPv4 addresses only, see https://en.wikipedia.org/wiki/Private_network#Private_IPv4_addresses

IPV4_NETWORK=10.52.1

# Internal IPv6 subnet in fc00::/7
# Use private IPv6 addresses only, see https://en.wikipedia.org/wiki/Private_network#Private_IPv6_addresses

IPV6_NETWORK=fd4d:6169:6c63:ff77::/64

# Use this IPv4 for outgoing connections (SNAT)

#SNAT_TO_SOURCE=

# Use this IPv6 for outgoing connections (SNAT)

#SNAT6_TO_SOURCE=

# Create or override an API key for the web UI
# You _must_ define API_ALLOW_FROM, which is a comma separated list of IPs
# An API key defined as API_KEY has read-write access
# An API key defined as API_KEY_READ_ONLY has read-only access
# Allowed chars for API_KEY and API_KEY_READ_ONLY: a-z, A-Z, 0-9, -
# You can define API_KEY and/or API_KEY_READ_ONLY

#API_KEY=
#API_KEY_READ_ONLY=
#API_ALLOW_FROM=172.22.1.1,127.0.0.1

# mail_home is ~/Maildir
MAILDIR_SUB=Maildir

# SOGo session timeout in minutes
SOGO_EXPIRE_SESSION=480

# DOVECOT_MASTER_USER and DOVECOT_MASTER_PASS must both be provided. No special chars.
# Empty by default to auto-generate master user and password on start.
# User expands to DOVECOT_MASTER_USER@mailcow.local
# LEAVE EMPTY IF UNSURE
DOVECOT_MASTER_USER=
# LEAVE EMPTY IF UNSURE
DOVECOT_MASTER_PASS=

# Let's Encrypt registration contact information
# Optional: Leave empty for none
# This value is only used on first order!
# Setting it at a later point will require the following steps:
# https://docs.mailcow.email/troubleshooting/debug-reset_tls/
ACME_CONTACT=

# WebAuthn device manufacturer verification
# After setting WEBAUTHN_ONLY_TRUSTED_VENDORS=y only devices from trusted manufacturers are allowed
# root certificates can be placed for validation under mailcow-dockerized/data/web/inc/lib/WebAuthn/rootCertificates
WEBAUTHN_ONLY_TRUSTED_VENDORS=n

# Spamhaus Data Query Service Key
# Optional: Leave empty for none
# Enter your key here if you are using a blocked ASN (OVH, AWS, Cloudflare e.g) for the unregistered Spamhaus Blocklist.
# If empty, it will completely disable Spamhaus blocklists if it detects that you are running on a server using a blocked AS.
# Otherwise it will work normally.
SPAMHAUS_DQS_KEY=

# Prevent netfilter from setting an iptables/nftables rule to isolate the mailcow docker network - y/n
# CAUTION: Disabling this may expose container ports to other neighbors on the same subnet, even if the ports are bound to localhost
DISABLE_NETFILTER_ISOLATION_RULE=n

Meine traefik config:

http:
  routers:
    mailcow-acme:
      entryPoints: "web"
      rule: "(Host(`mx.domain.tld`) && PathPrefix(`/.well-known/acme-challenge/`))" # "Host" should be equal to your `MAILCOW_HOSTNAME` 
      service: mailcow-acme
      tls: false

    mailcow-mta-sts:
      entryPoints: "web"
      rule: "(Host(`mta-sts.domain.tld`) && PathPrefix(`/.well-known/mta-sts.txt`))" # "Host" should be equal to your `MAILCOW_HOSTNAME` 
      service: mailcow-acme
      tls: false

    mailcow-frontend:
      entryPoints: "https"
      rule: "Host(`mail.domain.tld`)"
      service: mailcow-frontend
      tls:
        certResolver: le

    mailcow-autoconfig:
      entryPoints: "https"
      rule: "Host(`autoconfig.domain.tld`)" 
      service: mailcow-frontend
      tls:
        certResolver: le

    mailcow-autodiscover:
      entryPoints: "https"
      rule: "Host(`autodiscover.domain.tld`)"
      service: mailcow-frontend
      tls:
        certResolver: le

  services:
    mailcow-acme:
      loadBalancer:
        servers:
          - url: "http://mailcowdockerized-nginx-mailcow-1:8080" # mailcow local IP and web port
    mailcow-frontend:
      loadBalancer:
        servers:
          - url: "http://mailcowdockerized-nginx-mailcow-1:8080" # mailcow local IP and web port

Meine Traefik.yml

global:
  checkNewVersion: false
  sendAnonymousUsage: false
log:
 level: DEBUG
api:
   dashboard: true
   insecure: true

providers:
  docker:
    watch: true
    # -- (Optional) Enable this, if you want to expose all containers automatically
    exposedByDefault: false
    # for mailu
    allowEmptyServices: true
    network: traefik_web
    endpoint: "unix:///var/run/docker.sock"
  file:
    directory: "/etc/traefik/conf/"
    watch: true

# -- Change EntryPoints here...
entryPoints:
  web:
    address: ":80"
    reusePort: true
    forwardedHeaders:
      trustedIPs:
        - "172.22.0.0/16"
  http:
    address: :80
    reusePort: true
    forwardedHeaders:
      trustedIPs:
        - "172.22.0.0/16" # Docker Gateway
    http:
      middlewares:
        - cloudflarewarp@file
      redirections:
        entryPoint:
          to: https
          scheme: https
  https:
    address: :443
    forwardedHeaders:
      trustedIPs:
        - "172.22.0.0/16" # Docker Gateway
    http:
      middlewares:
        - cloudflarewarp@file
      tls:
        certResolver: le

certificatesResolvers:
  le:
    acme:
      email: info@domain.tld # change to you mail
      storage: /etc/traefik/certs/acme.json
      dnsChallenge:
        provider: cloudflare
        delayBeforeCheck: 10 #Optional to wait x second before checking with the DNS Server
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"
      caServer: "https://acme-v02.api.letsencrypt.org/directory"

experimental:
  plugins:
    cloudflarewarp:
      modulename: github.com/BetterCorp/cloudflarewarp
      version: v1.3.3

DocFraggle

Kenne mich mit Treafik nicht aus, aber Du musst auch Port 80 zur Mailcow umleiten. Das nutzt Letsencrypt für die Validierung.

EyyupA

DocFraggle

Laut der Anleitung zu Traefik soll in der mailcow config

HTTP_PORT=8080
HTTP_BIND=127.0.0.1

HTTPS_PORT=8443
HTTPS_BIND=127.0.0.1

geändert werden dachte.

Deswegen muss es auf 8080 sein. Denn so ist ja auch das Frontend, also die Admin Seite erreichbar.

DocFraggle

EyyupA Solange Port 80 von Treafik zu Port 8080 von Mailcow weitergeleitet wird. Ist das so bei Dir?

EyyupA

DocFraggle
Ja das ist der Fall

esackbauer

EyyupA Ja das ist der Fall

Ich kann das in deiner traefik config nicht erkennen.
Kenne traefik allerdings auch nicht, aber deine Config unterscheidet sich erheblich von der Beispiel config in der Doku:
https://docs.mailcow.email/post_installation/reverse-proxy/r_p-traefik2/#step-2-configure-traefik-dynamic-configuration

EyyupA

esackbauer

Meine Config ist die selbe, bis auf das ich für MTA-STS einen weiteren router hinzugefügt habe.

  services:
    mailcow-acme:
      loadBalancer:
        servers:
          - url: "http://mailcowdockerized-nginx-mailcow-1:8080" # mailcow local IP and web port
    mailcow-frontend:
      loadBalancer:
        servers:
          - url: "http://mailcowdockerized-nginx-mailcow-1:8080" # mailcow local IP and web port

Hier unten bei den services ist der Port 8080 angegeben

[unknown]

Ich werde, dass versuchen und mich melden

[unknown]

Ich werde, dass versuchen und mich melden

[unknown]

Ich werde, dass versuchen und mich melden

[unknown]

Ich werde, dass versuchen und mich melden

[unknown]

Ich werde es versuchen und mich melden

[unknown]

Ich werde es versuchen und mein Ergebnis mitteilen

So oft wollte ich es nicht posten 😆

Habe jedes mal eine Fehlermeldung bekommen, dachte er hat es nicht gepostet. Nachdem Neuladen der Seite habe ich gesehen, dass es mehrfach gepostet wurde aber nicht richtig, aber Antwort ging an @[deleted]

DocFraggle

Du kannst das recht simpel testen: erstelle ein File im ACME Validation Folder:

echo test > /opt/mailcow-dockerized/data/web/.well-known/acme-challenge/test.txt

Dieses solltest Du dann von einem externen Client aus aufrufen können und “test” angezeigt bekommen via

curl http://dein.mail.server/.well-known/acme-challenge/test.txt

test

Wenn das klappt sollte alles passen

EyyupA

DocFraggle

Das funktioniert:

username@user-MacBook-Air ~ % curl -v https://mail.domain.tld/.well-known/acme-challenge/test.txt
* Host mail.domain.tld:443 was resolved.
* IPv6: <IPV6>
* IPv4: <IPV4>
*   Trying <IPV4>:443...
* Connected to mail.domain.tld (<IPV4>) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256 / [blank] / UNDEF
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=mail.domain.tld
*  start date: May 18 18:51:15 2025 GMT
*  expire date: Aug 16 18:51:14 2025 GMT
*  subjectAltName: host "mail.domain.tld" matched cert's "mail.domain.tld"
*  issuer: C=US; O=Let's Encrypt; CN=R11
*  SSL certificate verify ok.
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://mail.domain.tld/.well-known/acme-challenge/test.txt
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: mail.domain.tld]
* [HTTP/2] [1] [:path: /.well-known/acme-challenge/test.txt]
* [HTTP/2] [1] [user-agent: curl/8.7.1]
* [HTTP/2] [1] [accept: */*]
> GET /.well-known/acme-challenge/test.txt HTTP/2
> Host: mail.domain.tld
> User-Agent: curl/8.7.1
> Accept: */*
> 
* Request completely sent off
< HTTP/2 200 
< accept-ranges: bytes
< content-type: text/plain; charset=utf-8
< date: Fri, 23 May 2025 18:17:40 GMT
< etag: "683088ae-5"
< last-modified: Fri, 23 May 2025 14:39:42 GMT
< referrer-policy: strict-origin
< server: nginx
< strict-transport-security: max-age=15768000;
< x-content-type-options: nosniff
< x-download-options: noopen
< x-frame-options: SAMEORIGIN
< x-permitted-cross-domain-policies: none
< x-robots-tag: none
< x-xss-protection: 1; mode=block
< content-length: 5
< 
test
* Connection #0 to host mail.domain.tld left intact
username@user-MacBook-Air ~ %

Aber trotzdem funktioniert das leider nicht.
Die Logs sagen das:

//MOD edit by @pkernstock: Removed IPs as per request.

Ganzjahresgriller

Du kannst doch ganz einfach via telnet prüfen ob Dein Server auf dem Port 80 antwortet

DocFraggle

Ganzjahresgriller Du kannst doch ganz einfach via telnet prüfen ob Dein Server auf dem Port 80 antwortet

Dann weisst Du aber immer noch nicht wo Du raus kommst 🙂 Könnte dann ja durch die Traefik Config auf einem anderen Webserver dahinter landen

Ganzjahresgriller

Ok, da hast Du natürlich recht

DocFraggle

Nicht via HTTPS sondern via HTTP!

Also

curl -v http://mail.domain.tld/.well-known/acme-challenge/test.txt

EyyupA

DocFraggle

Geändert,

username@user-MacBook-Air ~ % curl -v http://mail.domain.tld/.well-known/acme-challenge/test.txt
* Host mail.domain.tld:80 was resolved.
* IPv6: x
* IPv4: x
*   Trying x:80...
* Connected to mail.domain.tld (x) port 80
> GET /.well-known/acme-challenge/test.txt HTTP/1.1
> Host: mail.domain.tld
> User-Agent: curl/8.7.1
> Accept: */*
> 
* Request completely sent off
< HTTP/1.1 200 OK
< Accept-Ranges: bytes
< Content-Length: 5
< Content-Type: text/plain; charset=utf-8
< Date: Fri, 23 May 2025 18:57:04 GMT
< Etag: "683088ae-5"
< Last-Modified: Fri, 23 May 2025 14:39:42 GMT
< Referrer-Policy: strict-origin
< Server: nginx
< Strict-Transport-Security: max-age=15768000;
< X-Content-Type-Options: nosniff
< X-Download-Options: noopen
< X-Frame-Options: SAMEORIGIN
< X-Permitted-Cross-Domain-Policies: none
< X-Robots-Tag: none
< X-Xss-Protection: 1; mode=block
< 
test
* Connection #0 to host mail.domain.tld left intact
username@user-MacBook-Air ~ %

Aber leider immer noch selbes Problem.

Habe danach mal in der config SKIP_HTTP_VERIFICATIONauf y geändert, wenn ich das so restarte bekomme ich folgende Meldung:

DocFraggle

Hmm, da wird es jetzt schwierig weiter zu helfen ohne den FQDN Deines Mailservers zu kennen und mal alles quer zu checken… kann ich aber verstehen wenn Du den nicht rausgeben willst.

EyyupA

DocFraggle

Soooo habs geschafft:

Geändert habe ich:

# Skip IPv4 check in ACME container - y/n

SKIP_IP_CHECK=y

# Skip HTTP verification in ACME container - y/n

SKIP_HTTP_VERIFICATION=y

Danach lief es

Nur bekomme jetzt immer noch keine Mails von außen und auch mit Outlook kann ich mich nicht mit IMAP und SMTP anmelden, wohl auch die Ports offen sind.

Gelöst war mein Problem mit der Firewall

DocFraggle

EyyupA Gelöst war mein Problem mit der Firewall

Evtl war das ja auch das Problem mit der Verification… denn so wirklich sauber ist das nicht mit SKIP_IP_CHECK=y und SKIP_HTTP_VERIFICATION=y

EyyupA

DocFraggle
Ja ganz gut möglich