Using NGINX in Front of mailcow: dockerzied on Dedicated Server

saurabh-mish

Hello,

I’ve installed mailcow: dockerized on a dedicated server and can access the UI using its IPv4 address with HTTP.

However, I’m trying to setup NGINX in front of mailcow but facing difficulties.
I plan on using MAILCOW_HOSTNAME with HTTPS to access the mailcow UI - ADDITIONAL_SAN and ADDITIONAL_SERVER_NAMES are not applicable.

I have done:

generate_config.sh
docker compose pull && docker compose up -d

(at this point, I can access the mailcow UI by http://server_public_ip4)

after which I manually updated the below lines in mailcow.conf (based on the reverse proxy overview):

HTTP_BIND=127.0.0.1
HTTP_PORT=8080
HTTPS_BIND=127.0.0.1
HTTPS_PORT=8443

but the next section on NGINX reverse proxy is not clear:-

What is the name of the file an where is it located ?
What needs to be taken care of in the last highlighted line proxy_pass http://127.0.0.1:8080/; ?

Is there some other changes that I should be making ?

ETNyx

Hello,

saurabh-mish What is the name of the file an where is it located ?

This Ngnix config is for your proxy. Where this file is located depend on your setup, it’s relation to MC is purely by its content.

saurabh-mish What needs to be taken care of in the last highlighted line proxy_pass http://127.0.0.1:8080/; ?

Also depended on your setup, is your ngnix on your host, or another server? Update link as needed (point to MC).

saurabh-mish

This Ngnix config is for your proxy. Where this file is located depend on your setup, it’s relation to MC is purely by its content.

Also depended on your setup, is your ngnix on your host, or another server? Update link as needed (point to MC).

Ive installed NGINX on the same server as mailcow. I plan on doing:

Create a MAILCOW_HOSTNAME.conf file in /etc/nginx/conf.d
Paste the contents of from this link in it, and update MAILCOW_HOSTNAME and MAILCOW_PATH, and leave the last highlighted line as it is

Validate the file and reload nginx:

  nginx -t
  sysyemctl reload nginx

Restart docker compose:

  docker compose down
  docker compose up -d

Is this right ?

Sorry for being pedantic, Im getting started with self hosting email and its a lot of effort 🙂

ETNyx

No problem, on the first look it seem to be right.

While your reverse proxy is on the same host, I have one more suggestion to you. Keep MC on own server (VPS, machine,…) and do not mix other services there. If you keep it separated you do not need proxy server in front.

saurabh-mish

While your reverse proxy is on the same host, I have one more suggestion to you. Keep MC on own server (VPS, machine,…) and do not mix other services there. If you keep it separated you do not need proxy server in front.

An email server is the only thing I’m trying to self host. I would imagine this to be more valuable when there are other services (like mailcow) in the mix. At the moment I dont feel confident enough - my plan to start with something minimal so that I can understand things better., which is why I’d like to have mailcow and NGINX on the same server.

on the first look it seem to be right.

I’d like to share some more information - I’ve installed mailcow and NGINX on a Hetzner Cloud instance, other than these packages and their dependencies the server is clean.

The changes made to files are also minimal - I’ve only edited mailcow.conf (based on this), deleted /etc/nginx/sites-enabled/default and /etc/nginx/sites-available/default, and finally created /etc/nginx/conf.d/mail.mshr.ac.conf, which has:

server {
  listen 80 default_server;
  listen [::]:80 default_server;
  server_name mail.mshr.ac autodiscover.* autoconfig.*;
  return 301 https://$host$request_uri;
}

server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  server_name mail.mshr.ac autodiscover.* autoconfig.*;
  
  ssl_certificate /opt/mailcow/data/assets/ssl/cert.pem;
  ssl_certificate_key /opt/mailcow/data/assets/ssl/key.pem;
  ssl_session_timeout 1d;
  ssl_session_cache shared:SSL:50m;
  ssl_session_tickets off;
  
  # See https://ssl-config.mozilla.org/#server=nginx for the latest ssl settings recommendations
  # An example config is given below
  ssl_protocols TLSv1.2;
  ssl_ciphers HIGH:!aNULL:!MD5:!SHA1:!kRSA;
  ssl_prefer_server_ciphers off;
  
  location /Microsoft-Server-ActiveSync {
  proxy_pass http://127.0.0.1:8080/Microsoft-Server-ActiveSync;
  proxy_set_header Host $http_host;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header X-Forwarded-Proto $scheme;
  proxy_connect_timeout 75;
  proxy_send_timeout 3650;
  proxy_read_timeout 3650;
  proxy_buffers 64 512k; # Needed since the 2022-04 Update for SOGo
  client_body_buffer_size 512k;
  client_max_body_size 0;
  }
  
  location / {
  proxy_pass http://127.0.0.1:8080/;
  proxy_set_header Host $http_host;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header X-Forwarded-Proto $scheme;
  client_max_body_size 0;
  # The following Proxy Buffers has to be set if you want to use SOGo after the 2022-04 (April 2022) Update
  # Otherwise a Login will fail like this: https://github.com/mailcow/mailcow-dockerized/issues/4537
  proxy_buffer_size 128k;
  proxy_buffers 64 512k;
  proxy_busy_buffers_size 512k;
  }
}

I’ve also opened ports 8080 and 8443 on the Hetzner firewall.

On visiting https://mail.mshr.ac from my laptop’s browser I see:

Ganzjahresgriller

As @ETNyx said: Use a dedicated VPS or Hardware for Mailcow and use another VPS for any other services

saurabh-mish

Ganzjahresgriller Is there a link you can share which has documentation for this ?

mlcwuser

saurabh-mish Is there a link you can share which has documentation for this ?

For other services no. For Mailcow yes: https://docs.mailcow.email/

saurabh-mish Its still a complicated setup, which I’m not confident with doing

It’s your manually installed Nginx that makes it complicated. 😉

Seriously, hosting an email server is not the easiest thing to do, but Mailcow makes it as easy as it gets. Just set up Mailcow on a VPS according to the documentation. There’s no need to install another Nginx instance on the host for TLS. Mailcow comes with its own Nginx and an ACME client that will automatically install TLS certificates. Just follow the docs and set up your DNS correctly.

…and, as @Ganzjahresgriller said, if you want to host more services, e.g. a website, rent another VPS or sign up for a web hosting plan and set up those things there.

Btw. Most web hosting providers also offer email services. Just saying. 😉

Ganzjahresgriller

That’s experience; you can often find that here in this forum with a little searching.

saurabh-mish

Its still a complicated setup, which I’m not confident with doing