Hi. I have been running mailcow-dockerized on Debian for just over a year without issue. (Mailcow up to date and debian updated to 13 and up to date). I would appreciate advice (or links to resources) on how to better harden my system against potential threats. Below is a list of what i have done: - UFW implemented with "deny-incomming" with the exception of specific ports for mailcow and ssh. -SSH implemented on a non standard port, with non root user access and ssh key on my laptop, password auth and empty passwords switched off, fail2ban implemented for SSH. Users not allowed IMAP without TLS (configured in mailcow GUI), should i block the corresponding ports in UFW if i do not need my server to allow un-encrypted submission and IMAP. -SPF, DKIM, DMARC, DANE, DNSSEC, MTA-STS have been all implemented, they appear to be working fine?. Things i have not yep implemented (unsure if i need to): Port scan detection, intrusion detection.

@"Ganzjahresgriller"#p31193 Thanks do you have any suggestions?

Yes i was expected this, just want to be clear for @"Basil"#17893 what you mean.

Hardening mailcow-dockerized on Debian

Basil

Hi.

I have been running mailcow-dockerized on Debian for just over a year without issue. (Mailcow up to date and debian updated to 13 and up to date).

I would appreciate advice (or links to resources) on how to better harden my system against potential threats. Below is a list of what i have done:

UFW implemented with “deny-incomming” with the exception of specific ports for mailcow and ssh.
-SSH implemented on a non standard port, with non root user access and ssh key on my laptop, password auth and empty passwords switched off, fail2ban implemented for SSH.

Users not allowed IMAP without TLS (configured in mailcow GUI), should i block the corresponding ports in UFW if i do not need my server to allow un-encrypted submission and IMAP.

-SPF, DKIM, DMARC, DANE, DNSSEC, MTA-STS have been all implemented, they appear to be working fine?.

Things i have not yep implemented (unsure if i need to): Port scan detection, intrusion detection.

ETNyx

I must ask: UFW is not usually the best choice as a firewall when using Mailcow. Due to Docker’s ‘firewall’ implementation, Mailcow bypasses UFW settings by default. So did you manage this, or did you unknowingly give yourself a false sense of security?

Basil

I learned something new. docker will open the ports specified in the docker-compose file. This takes effect before UFW. This means UFW is still blocking all other ports, but has no controll over the ports specified in the compose file.

Am i understanding this correctly?
Is this solution still acceptable, it blocks all non specified ports except my SSH port?

Ganzjahresgriller

If you want to do it properly, you should put a separate firewall in front of Mailcow.

Basil

Ganzjahresgriller Thanks

do you have any suggestions?

Ganzjahresgriller

pfSense, OPNsense for example

ETNyx

Ganzjahresgriller I believe this solution expect separate HW in front of your machine?

Anyway, you can modify /etc/ufw/after.rules and fix this use there,…

Or you can disable ufw and use iptables.service and ip6tables.service to manage your firewall.

Ganzjahresgriller

ETNyx Yes, of course, on a separate VPS or hardware; otherwise, it wouldn’t make sense. It also offers other advantages, but that’s beyond the scope of this discussion.

ETNyx

Yes i was expected this, just want to be clear for @Basil what you mean.

Basil

Okay.

I can use my VPS providers firewall to lock down the ports not used by MailCow, i guess that is better than nothing.

Are their any other precautions i should be taking that I am not?