post-kuh

  • Jan 5, 2024
  • Joined Feb 22, 2023
  • 2 discussions
  • 9 posts
  • 2 best answers
  • I solved the problem on my own and thought it would be useful to share here with you.

    So first of all, I forgot about the fact that I am running an nginx reverse proxy outside mailcow-dockerized natively on my host system. This is because I have other services on my system that should also be accessible over HTTPS. In order to serve multiple websites listening on different domains/servernames, a centralized nginx reverse proxy is necessary.

    Now to the point with the autoconfiguration of Thunderbird. When you add a new mailbox to Thunderbird, it tries to get the server configuration via HTTPS from a webserver listening on the domain of the mailbox you want to add to Thunderbird. If you want to add mail@second.org, Thunderbird tries to get https://second.org/.well-known/autoconfig/mail/config-v1.1.xml. This file contains the parameters for protocols, ports and the mailserver Thunderbird should use. You can see all web requests from Thunderbird in its error console.

    However, if you only have an nginx reverse proxy configuration exactly like this: https://docs.mailcow.email/post_installation/firststeps-rp/#nginx with just one SSL certificate for the mailserver domain, this would require the SSL certificate to contain all hosted mail domains as SANs, because it would only be valid for the mailserver domain (in this case example.org). The autoconfiguration would only work for the mailserver domain with no exception in Thunderbird, because the SSL certificate would only be valid for it. For the mailbox mail@example.org the resource https://example.org/.well-known/autoconfig/mail/config-v1.1.xml would be requested for autoconfiguration and the certificate would be valid, because it is issued for (*.)example.org.

    Solution 1: don’t use a reverse proxy but the nginx that comes shipped with mailcow-dockerized instead. Together with the acme-container, it will request separate certificates for each domain for access to Mailcow-UI, SOGo, autoconfiguration files, calendar paths, etc. [Haven’t tried this myself yet]

    Solution 2: set up Traefik as stated here https://docs.mailcow.email/post_installation/firststeps-rp/#traefik-v2-community-supported. [Haven’t tried this myself yet]

    Solution 3: serve the xml-file separately and statically with the nginx reverse proxy for each domain you added to your mailserver, with corresponding servernames and different certificates. This means one nginx site for example.org with an SSL certificate issued for example.org, one nginx site for second.org with an SSL certificate issued for second.org, etc.

    The third solution is what I came up with, because it limits HTTPS access to only the xml-file needed for Thunderbird autoconfiguration, which I find convenient. I added access for SOGo with another nginx site listening under a specific servername and Mailcow-UI access with yet another nginx site, which is only accessible over a secured VPN tunnel.

    If you have questions, remarks or you found this helpful, feel free to leave a reply here.
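Solution 3 from the post above in concrete form, as an added example that is not part of the original post or of mailcow's shipped configuration: one nginx server block per mail domain, each with its own certificate, exposing nothing but the autoconfig file. The certificate paths, the /var/www/autoconfig document root and the use of autoconfig.example.org / autoconfig.second.org as additional server names are assumptions; the second URL form (https://autoconfig.<domain>/mail/config-v1.1.xml) is the other location Thunderbird checks, which is what the autoconfig.* CNAMEs in the DNS setup further down are for.

```nginx
# Added example (not mailcow's shipped config). One site per mail domain, each
# with its own certificate; cert paths and the document root are assumptions.

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.org autoconfig.example.org;

    ssl_certificate     /etc/letsencrypt/live/example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;

    # Thunderbird fetches one of these two URLs for mail@example.org.
    location = /.well-known/autoconfig/mail/config-v1.1.xml {
        alias /var/www/autoconfig/example.org/config-v1.1.xml;
        types { } default_type application/xml;
    }
    location = /mail/config-v1.1.xml {
        alias /var/www/autoconfig/example.org/config-v1.1.xml;
        types { } default_type application/xml;
    }

    # Nothing else (Mailcow-UI, SOGo, ...) is reachable under the bare mail domain.
    location / {
        return 404;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name second.org autoconfig.second.org;

    ssl_certificate     /etc/letsencrypt/live/second.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/second.org/privkey.pem;

    location = /.well-known/autoconfig/mail/config-v1.1.xml {
        alias /var/www/autoconfig/second.org/config-v1.1.xml;
        types { } default_type application/xml;
    }
    location = /mail/config-v1.1.xml {
        alias /var/www/autoconfig/second.org/config-v1.1.xml;
        types { } default_type application/xml;
    }
    location / {
        return 404;
    }
}
```

The XML placed under each domain's directory must name srv.example.org as the IMAP/SMTP hostname, not the mail domain itself; otherwise Thunderbird ends up with exactly the second.org certificate warning this thread started with. The `return 404` catch-all keeps the proxied mailcow services off these public hostnames. One caveat on the "don't expose all my domains" motivation: separate per-domain certificates avoid listing every domain in one SAN list, but each issued certificate is still published in Certificate Transparency logs, so the domains are not hidden, only not linked together in a single certificate.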

  • I need advice configuring my mailcow instance with another mail domain, which is not the mailserver domain.

    I currently have a setup that is working fine, sending and receiving mails on all domains with no problems so far. The problem comes when trying to add a mailbox in Mozilla Thunderbird. The mailserver settings only get configured correctly and automatically for the mailserver’s domain (example.org). For other mail domains (like second.org), wrong server settings are configured automatically (Thunderbird thinks second.org is the mailserver). However, if I manually type in the correct server settings and hit apply, I get a warning, because the TLS certificate issued for srv.example.org does not match second.org, although I typed srv.example.org as the servername. I read that you need to have one single TLS certificate with the other domains as SANs to solve this.

    My question: how do I configure the system properly without needing such a TLS certificate with all other registered domains as SANs? I don’t want to “expose” all my registered domains in that certificate. How are the big mail hosting providers doing this? If you buy a domain with mail hosting included, the mail hoster also does not have a single TLS certificate for his or her mailserver including every single domain on it.

    I am hosting a mailcow instance on a server with FQDN srv.example.org. My DNS setup is the following (IPs and domains are exemplary):

    For domain example.org
    example.org A 1.2.3.4
    example.org AAAA 2a00::1234
    example.org MX 10 srv.example.org
    example.org TXT v=spf1 mx a -all
    _dmarc.example.org TXT v=DMARC1;p=reject;rua=mailto:reports@example.org
    dkim.example.org TXT v=DKIM1;k=rsa;t=s;s=email;p=MIIBIjANBgkq[...]
    autoconfig.example.org CNAME srv.example.org
    autodiscover.example.org CNAME srv.example.org
    srv.example.org A 1.2.3.4 [1.2.3.4 PTR srv.example.org]
    srv.example.org AAAA 2a00::1234 [2a00::1234 PTR srv.example.org]

    For second mail domain second.org
    second.org A 1.2.3.4
    second.org AAAA 2a00::1234
    second.org MX 10 srv.example.org
    second.org TXT v=spf1 mx a -all
    _dmarc.second.org TXT v=DMARC1;p=reject;rua=mailto:reports@second.org
    dkim.second.org TXT v=DKIM1;k=rsa;t=s;s=email;p=MIIBIjANBgkq[...]
    autoconfig.second.org CNAME srv.example.org
    autodiscover.second.org CNAME srv.example.org
    _autodiscover._tcp.second.org SRV 0 1 443 srv.example.org

    I am thankful in advance for any ideas or approaches to solve this!


  • As you can see in the image below, Thunderbird automatically tries to use the first part of my mail address as my username.
    That is wrong, it needs to be the complete e-mail address.
    How can I configure mailcow to send the correct information?
    Also is it possible to configure what mailcow sends as a hostname?
    I would like to use “mail.example.com” instead of “smtp/imap/*.example.com”

    Thank you in advance

    • I stumbled on the same problem. For me, the autoconfiguration did not work in Thunderbird, but only for email domains other than the mailserver domain. So if my mailserver domain is example.org and I have another domain second.org registered to send emails over that server, the autoconfiguration would work for mail@example.org, but not for mail@second.org.

      In order to solve your problem, you need to know how Thunderbird does the autoconfiguration. When you add a new mailbox to Thunderbird, it tries to get the server configuration via HTTPS from a webserver listening on the domain of the mailbox you want to add to Thunderbird. If you want to add mail@second.org, Thunderbird tries to get https://second.org/.well-known/autoconfig/mail/config-v1.1.xml. This file contains the parameters for protocols, ports and the mailserver Thunderbird should use. You can see all web requests from Thunderbird in the error console of it.

      If you are running the nginx-container shipped with mailcow-dockerized as webserver accessible from the internet, it should do that automatically for all registered email domains. If you are not running it or the port 443 is not allowed in your firewall, the autoconfiguration won’t work.

      If you are running an additional reverse proxy, you have to set it up according to https://docs.mailcow.email/post_installation/firststeps-rp/#nginx (this is for nginx). However, if you have multiple domains registered on your mailserver, your nginx reverse proxy e.g. needs to serve a single SSL certificate for all domains in order to prevent Thunderbird from giving you an error message regarding an SSL certificate domain mismatch when trying to get the autoconfiguration. You could also serve the configuration file manually and statically. Please see my own thread https://community.mailcow.email/d/2246-multiple-domains-without-one-tls-certificate-containing-all-domain-names-as-san as this could help you or others having similar problems.

      I haven’t looked up yet where you can directly edit the autoconfiguration settings in mailcow, but I hope my answer points you in the right direction.
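The two autoconfig mistakes discussed in this thread and in the solution post above (servers named after the mail domain instead of the mailserver FQDN, and a username that is only the local part) can be caught before the file is published. The following is an added example, not mailcow's code and not something the posters shared: it builds a config-v1.1.xml of the form Thunderbird fetches from https://<maildomain>/.well-known/autoconfig/mail/config-v1.1.xml and checks an existing file against the mailbox domain and mailserver host. The BROKEN_XML sample is constructed for the example; srv.example.org and second.org are the names used in the thread.

```python
"""Added example: build and sanity-check a Thunderbird config-v1.1.xml.

Not mailcow's code. Every server hostname must be the mailserver FQDN
(srv.example.org), never the mail domain (second.org), and the login name
must be the full address (%EMAILADDRESS%), not the local part.
"""
import xml.etree.ElementTree as ET

# Placeholder Thunderbird substitutes with the full e-mail address.
FULL_ADDRESS = "%EMAILADDRESS%"


def _add_server_fields(srv, mail_host, port, socket_type):
    ET.SubElement(srv, "hostname").text = mail_host
    ET.SubElement(srv, "port").text = port
    ET.SubElement(srv, "socketType").text = socket_type
    ET.SubElement(srv, "username").text = FULL_ADDRESS
    ET.SubElement(srv, "authentication").text = "password-cleartext"


def build_autoconfig(mail_domain, mail_host, display_name="Mail"):
    """Return config-v1.1.xml for mail_domain with every server pointing at mail_host."""
    root = ET.Element("clientConfig", version="1.1")
    prov = ET.SubElement(root, "emailProvider", id=mail_domain)
    ET.SubElement(prov, "domain").text = mail_domain
    ET.SubElement(prov, "displayName").text = display_name
    ET.SubElement(prov, "displayShortName").text = display_name
    # Implicit TLS first, STARTTLS as fallback; no plaintext entry at all.
    for port, socket_type in (("993", "SSL"), ("143", "STARTTLS")):
        _add_server_fields(ET.SubElement(prov, "incomingServer", type="imap"),
                           mail_host, port, socket_type)
    for port, socket_type in (("465", "SSL"), ("587", "STARTTLS")):
        _add_server_fields(ET.SubElement(prov, "outgoingServer", type="smtp"),
                           mail_host, port, socket_type)
    return ET.tostring(root, encoding="unicode")


def check_autoconfig(xml_text, mail_domain, mail_host):
    """Return a list of problems; empty means the file is sane for mailboxes at mail_domain.

    Sane: the domain is listed, every server is mail_host (so the certificate issued
    for mail_host will match), no plaintext socket, and the username is the full address.
    """
    problems = []
    prov = ET.fromstring(xml_text).find("emailProvider")
    if prov is None:
        return ["no <emailProvider> element"]
    if mail_domain not in [d.text for d in prov.findall("domain")]:
        problems.append(f"<domain> does not list {mail_domain}")
    servers = prov.findall("incomingServer") + prov.findall("outgoingServer")
    if not servers:
        problems.append("no incoming/outgoing servers")
    for srv in servers:
        tag = f"{srv.tag}[{srv.get('type')}:{srv.findtext('port')}]"
        host = srv.findtext("hostname")
        if host != mail_host:
            # The symptom from the thread: Thunderbird treats second.org itself as
            # the mailserver and the certificate for srv.example.org mismatches.
            problems.append(f"{tag}: hostname {host!r} is not the mailserver {mail_host!r}")
        if srv.findtext("socketType") not in ("SSL", "STARTTLS"):
            problems.append(f"{tag}: socketType must be SSL or STARTTLS")
        if srv.findtext("username") != FULL_ADDRESS:
            problems.append(f"{tag}: username must be {FULL_ADDRESS}, "
                            f"got {srv.findtext('username')!r}")
    return problems


# Constructed broken file (not from any real server): hostnames point at the
# mail domain and the username is only the local part.
BROKEN_XML = """<clientConfig version="1.1">
  <emailProvider id="second.org">
    <domain>second.org</domain>
    <incomingServer type="imap">
      <hostname>second.org</hostname><port>993</port>
      <socketType>SSL</socketType><username>%EMAILLOCALPART%</username>
      <authentication>password-cleartext</authentication>
    </incomingServer>
    <outgoingServer type="smtp">
      <hostname>second.org</hostname><port>587</port>
      <socketType>STARTTLS</socketType><username>%EMAILLOCALPART%</username>
      <authentication>password-cleartext</authentication>
    </outgoingServer>
  </emailProvider>
</clientConfig>"""

if __name__ == "__main__":
    good = build_autoconfig("second.org", "srv.example.org")
    print(good)
    print("good file:", check_autoconfig(good, "second.org", "srv.example.org"))
    print("broken file:", *check_autoconfig(BROKEN_XML, "second.org", "srv.example.org"),
          sep="\n  ")
```

Run it against the file your reverse proxy actually serves (`curl https://second.org/.well-known/autoconfig/mail/config-v1.1.xml`) with the mail domain and the mailserver FQDN; the same check applies to every domain hosted on the server.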

  • I know this answer comes a bit late, but since I searched for this problem myself, here is my solution.

    To “disable” POP3/POP3S I set the following in mailcow.conf:

    POP_PORT=127.0.0.1:110
    POPS_PORT=127.0.0.1:995

    That at least prevents reachability from outside, assuming there is no further proxy in front of it.

    In addition I set the following DNS records, which also propagates the change into the autoconfig service:

    _pop3._tcp      IN     SRV     0 1 110 .
    _pop3s._tcp     IN     SRV     0 1 995 .

    Note: these records must be set for every domain that has mail accounts which can be configured via autoconfig.

    (DNS records, see: mailcow/mailcow-dockerized1382)
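The two conditions behind the post above, written out as an added example that is not mailcow's code: POP_PORT/POPS_PORT must be bound to a loopback address (mailcow hands these values to Docker's port publishing, so a bare port means all interfaces), and the _pop3._tcp/_pop3s._tcp SRV records must carry the target ".", which RFC 2782 defines as "service decidedly not available". The mailcow.conf excerpt and the zone fragment are constructed for this example; the parser follows the RFC 2782 rule rather than anything mailcow documents here.

```python
"""Added example (not mailcow's code): verify that POP3 is really withdrawn,
both on the socket side (mailcow.conf bindings) and on the DNS side (SRV '.')."""
import ipaddress
import re

# Constructed sample of mailcow.conf lines: POP_PORT is on loopback,
# POPS_PORT was left as a bare port and is therefore published on 0.0.0.0.
MAILCOW_CONF = """\
HTTP_PORT=80
HTTPS_PORT=443
POP_PORT=127.0.0.1:110
POPS_PORT=995
IMAP_PORT=143
IMAPS_PORT=993
"""

# Constructed zone fragment; '.' as target = service decidedly not available (RFC 2782).
ZONE = """\
_pop3._tcp        IN SRV 0 1 110 .
_pop3s._tcp       IN SRV 0 1 995 .
_imaps._tcp       IN SRV 0 1 993 srv.example.org.
_submission._tcp  IN SRV 0 1 587 srv.example.org.
"""

_PORT_RE = re.compile(r"^([A-Z_]+_PORT)=(?:(\S+):)?(\d+)$")


def parse_port_bindings(conf_text):
    """Map each *_PORT key to (bind_address, port); a bare port means 0.0.0.0.

    IPv6 bindings may be written as [::1]:110; the brackets are stripped.
    """
    bindings = {}
    for line in conf_text.splitlines():
        m = _PORT_RE.match(line.strip())
        if m:
            key, addr, port = m.groups()
            bindings[key] = ((addr or "0.0.0.0").strip("[]"), int(port))
    return bindings


def exposed_ports(conf_text, keys=("POP_PORT", "POPS_PORT")):
    """Return the keys among `keys` that are NOT bound to a loopback address."""
    bindings = parse_port_bindings(conf_text)
    return [k for k in keys
            if k in bindings and not ipaddress.ip_address(bindings[k][0]).is_loopback]


def parse_srv(zone_text):
    """Return {service: (target, port)}; a '.' target is stored as None (withdrawn)."""
    services = {}
    for line in zone_text.splitlines():
        parts = line.split()
        # name class type priority weight port target
        if len(parts) == 7 and parts[1] == "IN" and parts[2] == "SRV":
            name, port, target = parts[0], int(parts[5]), parts[6]
            service = name.split(".")[0].lstrip("_")   # "_pop3._tcp" -> "pop3"
            services[service] = None if target == "." else (target.rstrip("."), port)
    return services


def advertised_protocols(zone_text):
    """Services a client honouring RFC 2782 may offer; '.' entries are left out."""
    return [svc for svc, entry in parse_srv(zone_text).items() if entry is not None]


if __name__ == "__main__":
    print("still exposed:", exposed_ports(MAILCOW_CONF))   # POPS_PORT in the sample
    print("advertised:", advertised_protocols(ZONE))        # imaps, submission
```

The port check only covers mailcow's own published ports; as the post says, a proxy in front of the host (or a firewall rule forwarding 110/995) would still have to be checked separately, and the SRV records have to exist in every mail domain's zone, not only the mailserver's.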

    • pkernstock

      You can disable POP per mailbox:

      Or is your question specifically whether that is also reflected in autoconfig/autodiscover?