3,7 KiB
You don't need to change the Nginx site that comes with mailcow: dockerized. mailcow: dockerized trusts the default gateway IP 172.22.1.1 as proxy.
1. Make sure you change HTTP_BIND and HTTPS_BIND in mailcow.conf to a local address and set the ports accordingly, for example:
HTTP_BIND=127.0.0.1
HTTP_PORT=8080
HTTPS_BIND=127.0.0.1
HTTPS_PORT=8443
This will also change the bindings inside the Nginx container! This is important, if you decide to use a proxy within Docker.
IMPORTANT: Do not use port 8081, 9081 or 65510!
Recreate affected containers by running the command:
=== "docker compose (Plugin)"
``` bash
docker compose up -d
```
=== "docker-compose (Standalone)"
``` bash
docker-compose up -d
```
Important information, please read them carefully!
!!! info If you plan to use a reverse proxy and want to use another server name that is not MAILCOW_HOSTNAME, you need to read Adding additional server names for mailcow UI at the bottom of this page.
!!! warning
Make sure you run generate_config.sh before you enable any site configuration examples below.
The script generate_config.sh copies snake-oil certificates to the correct location, so the services will not fail to start due to missing files.
!!! warning
If you enable TLS SNI (ENABLE_TLS_SNI in mailcow.conf), the certificate paths in your reverse proxy must match the correct paths in data/assets/ssl/{hostname}. The certificates will be split into data/assets/ssl/{hostname1,hostname2,etc} and therefore will not work when you copy the examples from below pointing to data/assets/ssl/cert.pem etc.
!!! info Using the site configs below will forward ACME requests to mailcow and let it handle certificates itself. The downside of using mailcow as ACME client behind a reverse proxy is, that you will need to reload your webserver after acme-mailcow changed/renewed/created the certificate. You can either reload your webserver daily or write a script to watch the file for changes. On many servers logrotate will reload the webserver daily anyway.
If you want to use a local certbot installation, you will need to change the SSL certificate parameters accordingly.
**Make sure you run a post-hook script** when you decide to use external ACME clients. You will find an example at the bottom of this page.
2. Configure your local webserver as reverse proxy:
Optional: Post-hook script for non-mailcow ACME clients
Using a local certbot (or any other ACME client) requires to restart some containers, you can do this with a post-hook script. Make sure you change the paths accordingly:
#!/bin/bash
cp /etc/letsencrypt/live/my.domain.tld/fullchain.pem /opt/mailcow-dockerized/data/assets/ssl/cert.pem
cp /etc/letsencrypt/live/my.domain.tld/privkey.pem /opt/mailcow-dockerized/data/assets/ssl/key.pem
postfix_c=$(docker ps -qaf name=postfix-mailcow)
dovecot_c=$(docker ps -qaf name=dovecot-mailcow)
nginx_c=$(docker ps -qaf name=nginx-mailcow)
docker restart ${postfix_c} ${dovecot_c} ${nginx_c}
Adding additional server names for mailcow UI
If you plan to use a server name that is not MAILCOW_HOSTNAME in your reverse proxy, make sure to populate that name in mailcow.conf via ADDITIONAL_SERVER_NAMES first. Names must be separated by commas and must not contain spaces. If you skip this step, mailcow may respond to your reverse proxy with an incorrect site.
ADDITIONAL_SERVER_NAMES=webmail.domain.tld,other.example.tld
Run the following command to apply:
=== "docker compose (Plugin)"
``` bash
docker compose up -d
```
=== "docker-compose (Standalone)"
``` bash
docker-compose up -d
```