Splitting setup to different servers

fixundfertig123

Hello everyone.
I am new to mailcow so please excuse my incompetence. I would consider myself as familiar to the mail server world, having started with cyrus mail and sendmail 25 years ago. Currently - for private use - I am still hosting use a kopano server system, but I urgently need to move. Evaluating alternatives mailcow looks very attractive to me.

For some - maybe nowadays non-sense reason - I am a fan of splitting services to individual server in particular to be able to monitor traffic, performance and security. I know its total overkill but it gives me a better felling. Therefore - as of today - I split my mails services to 4 server (VMs). MDA, MTA, Web-Applications (Logic) each on a separate VMs. And a 4th server as a reverse proxy to allow access “Webmail access” from the internet. I - yet - use an external email provider and I am internally pulling the emails via fetchmail

So now my questions, can you do a “split-server setup” with mailcow- and if so is there a best practice somewhere? I am aware of the container overview at https://docs.mailcow.email/. I assume I would need to adapt the yaml config, but I am quite sure I would miss some dependencies in my setup.

Therefore I would be very thankful for some help or reference to starting points.

esackbauer

Short answer: No you cannot. Mailcow is very integrated, in monitoring itself, security and deployment and update process. Tearing that all apart will leave nothing from mailcows core strengths.

Longer answer: you could fork mailcow and get inspired how they do the deployment and upgrade, you could tweak it to your liking, like separating the containers on different VMs. Or as a last resort do a manual or ansible deployment on bare VM without docker.
However you are then already so far away from mailcow (and probably have to “reinvent” much of its features), that it makes more sense to work with postfix, SOGo etc on themselves directly. But that is so much work to do…

You are talking about “security” and in the next sentence “it gives me a better feeling”. That does not fit together, you should be experienced enough to estimate your risk exposition and know postfix’s etc. security. Security has no place for feelings, but for best practices. And putting services in VMs because it “feels better” is not one.
Mailcow was designed in a secure way, shielding containers with own iptable rules.

if you are into monitoring there is a great solution of one of our forum members:
https://community.mailcow.email/d/5704-mailcow-logs-viewer-a-faster-cool-way-to-monitor-your-emails

Or you could use a hardened solution like Sophos Firewall which can act as both WAF (and reverse proxy) and MTA in front of mailcow. Its free for home use and I find it a great product.

fixundfertig123

Hi, thank you for your time and detailed insights. I really appreciate this.

In terms of feelings I meant more, that everyone has strength and weaknesses. And I am quite good a setting up highly scalable and secure distributed systems, since I worked a bit in IDS/IPS and low level network and OS level forensics. Thereby isolation beyond iptables worked quite well for me in the past.

Anyway thanks again, as said I really appreciate your help! I will dive into it a little bit more.

Ganzjahresgriller

If you’re looking for features like HA, scalability, or similar, you could take a look at Stalwart.

fixundfertig123

@Ganzjahresgriller Thank you for your hint. I will have a look as well!