1,8 KiB
mailcow dockerized comes with a snakeoil CA "mailcow" and a server certificate in data/assets/ssl
. Please use your own trusted certificates.
mailcow uses 3 domain names that should be covered by your new certificate:
- ${MAILCOW_HOSTNAME}
- autodiscover.example.org
- autoconfig.example.org
Let's Encrypt
This is just an example of how to obtain certificates with certbot. There are several methods!
1. Get the certbot client:
wget https://dl.eff.org/certbot-auto -O /usr/local/sbin/certbot && chmod +x /usr/local/sbin/certbot
2. Make sure you set HTTP_BIND=0.0.0.0
and HTTP_PORT=80
in mailcow.conf
or setup a reverse proxy to enable connections to port 80. If you changed HTTP_BIND, then rebuild Nginx:
docker-compose up -d
3. Request the certificate with the webroot method:
cd /path/to/git/clone/mailcow-dockerized
source mailcow.conf
certbot certonly \
--webroot \
-w ${PWD}/data/web \
-d ${MAILCOW_HOSTNAME} \
-d autodiscover.example.org \
-d autoconfig.example.org \
--email you@example.org \
--agree-tos
Remember to replace the example.org domain with your own domain, this command will not work if you dont.
4. Create hard links to the full path of the new certificates. Assuming you are still in the mailcow root folder:
mv data/assets/ssl/cert.{pem,pem.backup}
mv data/assets/ssl/key.{pem,pem.backup}
ln $(readlink -f /etc/letsencrypt/live/${MAILCOW_HOSTNAME}/fullchain.pem) data/assets/ssl/cert.pem
ln $(readlink -f /etc/letsencrypt/live/${MAILCOW_HOSTNAME}/privkey.pem) data/assets/ssl/key.pem
5. Restart affected containers:
docker-compose restart postfix-mailcow dovecot-mailcow nginx-mailcow
When renewing certificates, run the last two steps (link + restart) as post-hook in a script.