Let's Encrypt renewal with restrictive firewall

iggydob

Hi everyone! 👋
I encountered an interesting issue today. After adding a new domain to my mail server, I configured autodiscover/autoconfig DNS records and updated mailcow.conf for multiple domains according to the documentation.
However, when accessing the server via browser, I noticed the SSL certificate was untrusted. It turns out the problem is my previously configured inbound firewall rules were blocking HTTP traffic to the ACME container, preventing Let’s Encrypt validation. After allowing inbound HTTP traffic and restarting the acme-mailcow container everything works perfectly.
What’s the best approach for handling automatic certificate renewals in my case? I initially implemented the restrictive firewall because my Postfix logs were getting spammed with bot attacks, making them difficult to read.

pkernstock

TCP/80 is only used for HTTP and for certificate renewals. It’s required. Postfix doesn’t have anything to do with it?

And IMHO a ‘restrictive’ firewall in front of a PUBLIC mailserver makes only limited sense… You never know which emails you don’t get, when they get blocked. If you use strict fail2ban settings and high-quality App Passwords, I highly doubt anyone getting access within our both’s lifespan.