gorby

Hello community,

I’m trying to use nginx to restrict the access of mailcow UI for /admin/ location.
I followed the docs ( Custom sites - mailcow: dockerized documentation

docs.mailcow.email

Custom sites - mailcow: dockerized documentation

None

server {
   location /admin/ {
        allow 192.168.1.100;  # Allow this specific IP
        deny all;             # Deny all other IPs
   }
}

But /admin/ is still open to every IP after a compose down & up.
Someone has an idea ?

–
Léo.

Thank you everyone for the feedback.
I’m still testing the solution, and I’m still hesitating between SoGo and Roundcube.
In one hand I only use email (not caldav etc..) and I’m used to Roundcube look & feel and its plugins, and on the other hand SoGo seems to have some nice features for email.

I know some of you would answer me that if I only need email, maybe mailcow is not the good project for that, but I disagree : Just because I only need a fraction of the software doesn’t mean I should turn to solutions that seem better suited to my needs, but rather less aligned with the community spirit and the connection I feel to the project.

esackbauer Okay, the main goal was to prevent potential exploitation of a security flaw in the submission form under /admin/. A exploit that could lead to avoid 2FA for example ? But if that’s not possible, maybe I’m just being paranoid…

Hello (again..),

Something unclear : I followed the tutorial to generate a configuration profile for my iOS smartphone, and I installed it. I followed this guide ( Apple macOS / iOS - mailcow: dockerized documentation

docs.mailcow.email

Apple macOS / iOS - mailcow: dockerized documentation

None

But after installing it, I go to the mailcow UI for users, click on “App Password” tab, and there are no App Password generated in the form.

Shouldn’t there be one ?
Thanks in advance for any clarification.

–
Léo.

Thanks @Ganzjahresgriller for your feedback.
I didn’t think about the 2FA, that’s a great (and simple) start.

Unfortunately, I don’t have the knowledge to install a firewall and hide the admin URL.
If you could share me a tutorial to make this happen, I’d be grateful

Hello

What is the best practice to secure mailcow UI’s admin access ?
Correct me if I’m wrong, but I think admin access shouldn’t be exposed publicly on the web like users’s access.

Is there a way to add a layer of security upon that admin log in page ?
Thanks

–
Léo.

Thanks @torbho, but that’s exactly what I’m trying to do here : access mailcow UI through mail.domain.com and not through mail.domain.com.
Yes, I used docker compose down && docker compose up -d ️

As described in the docs :

# Additional server names for mailcow UI
#
# Specify alternative addresses for the mailcow UI to respond to
# This is useful when you set mail.* as ADDITIONAL_SAN and want to make sure mail.maildomain.com will always point to the mailcow UI.
# If the server name does not match a known site, Nginx decides by best-guess and may redirect users to the wrong web root.
# You can understand this as server_name directive in Nginx.
# Comma separated list without spaces! Example: ADDITIONAL_SERVER_NAMES=a.b.c,d.e.f

I’m wondering if I have to declare “mailcow.*” in the ADDITIONAL_SAN section also to make it work… ?

Ah!
So what’s ADDITIONAL_SERVER_NAMES is for exactly ?