OCSP Stapling for mailcow-dockerized?

maathimself

[TLDR: I need help to add the intermediate cert as well as enabling OCSP Stapling. (Mailcow-Dockerized - Ubuntu 20.04 VM - No reverse-proxy - No LetsEncrypt, bought my own cert)]

Hi everyone, I have been using mailcow for a few months now and love it. Recently, however, I looked through my logs and noticed that there have been a significant amount of scans and attempts to compromise my server. I ran a couple standard online security tests against my server and one(immuniweb) came back as A+(with some notes) and the other(ssllabs) gave me a B. After reviewing these scans I would like to make some changes to my server to make sure I am doing everything I can to keep it secure. 
The first thing I would like to accomplish is I would like to find some way to upload my intermediate certificate to complete the chain. I have looked through the official documentation, reddit and google and cannot find how this is done. I tried to modify the config file in the nginx container, but obviously all changes made are reverted back to default.

The second thing I would like to resolve is to enable OCSP Stapling on my server, I have done the same research and testing as above but with no luck.

If anyone has any idea of how to accomplish this, or could point me in the right direction, I would greatly appreciate it.

odobrev

Hello there.

Not sure about your Nginx problem since I’m using an Apache Reverse Proxy for My Mailcow WebUI including Admin and SoGO interfaces but I can anwser right now your question about OCSP Stapling.

Thing is, Mailcow uses Postfix as MTA and Postfix developper categorically refuses to port this into Postfix.
You can read his anwser there : https://marc.info/?l=postfix-users&m=151119229905817.

The justification there is that it’s too complicated and brings more pain to deal with when it does not work than benefits, especially when using short lived certificates such as Let’s Encrypt ACME ones.

As of today I’ve been using mailcow for some months as a personnal mail solution and have yet to see my domain beeing reported or blacklisted so I guess the man know what he says.

I still hardened my setup quite a bit.
You may want to check some of my discussions about it there : https://community.mailcow.email/d/2796-pci-dss-hipaa-nist-compliance-adjustments/6 and there https://community.mailcow.email/d/2797-watchdog-container-feaks-out-if-smtpd-tls-is-enforced-on-encrypt/3

I also hardened my pfsense firewall a little :
I only opened ports 587,4190,143 and 25 since I don’t use the others and I don’t use autodiscovery and Outlook (I’m using Thunderbird as mail client and a dedicated Nextcloud Server as CalvDav / CardDav server for contacts and shared calendars).

I ususally don’t even use SoGo since Nextcloud Mail handles my minimal needs of Sieve and I find it more reliable than SoGO rules anyway.