mailcow-dockerized-docs/post_installation/firststeps-ssl/index.html

2838 Zeilen
Kein EOL
73 KiB
HTML

<!doctype html>
<html lang="en" class="no-js">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<link rel="canonical" href="https://mailcow.github.io/mailcow-dockerized-docs/post_installation/firststeps-ssl/">
<link rel="icon" href="../../assets/images/favicon.png">
<meta name="generator" content="mkdocs-1.3.0, mkdocs-material-8.2.15">
<title>Advanced SSL - mailcow: dockerized documentation</title>
<link rel="stylesheet" href="../../assets/stylesheets/main.c382b1dc.min.css">
<link rel="stylesheet" href="../../assets/stylesheets/palette.cc9b2e1e.min.css">
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,300i,400,400i,700,700i%7CRoboto+Mono:400,400i,700,700i&display=fallback">
<style>:root{--md-text-font:"Roboto";--md-code-font:"Roboto Mono"}</style>
<link rel="stylesheet" href="../../assets/stylesheets/extra.css">
<script>__md_scope=new URL("../..",location),__md_get=(e,_=localStorage,t=__md_scope)=>JSON.parse(_.getItem(t.pathname+"."+e)),__md_set=(e,_,t=localStorage,a=__md_scope)=>{try{t.setItem(a.pathname+"."+e,JSON.stringify(_))}catch(e){}}</script>
</head>
<body dir="ltr" data-md-color-scheme="default" data-md-color-primary="" data-md-color-accent="">
<script>var palette=__md_get("__palette");if(palette&&"object"==typeof palette.color)for(var key of Object.keys(palette.color))document.body.setAttribute("data-md-color-"+key,palette.color[key])</script>
<input class="md-toggle" data-md-toggle="drawer" type="checkbox" id="__drawer" autocomplete="off">
<input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
<label class="md-overlay" for="__drawer"></label>
<div data-md-component="skip">
<a href="#lets-encrypt-out-of-the-box" class="md-skip">
Skip to content
</a>
</div>
<div data-md-component="announce">
</div>
<header class="md-header" data-md-component="header">
<nav class="md-header__inner md-grid" aria-label="Header">
<a href="../.." title="mailcow: dockerized documentation" class="md-header__button md-logo" aria-label="mailcow: dockerized documentation" data-md-component="logo">
<img src="../../assets/images/logo.svg" alt="logo">
</a>
<label class="md-header__button md-icon" for="__drawer">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M3 6h18v2H3V6m0 5h18v2H3v-2m0 5h18v2H3v-2Z"/></svg>
</label>
<div class="md-header__title" data-md-component="header-title">
<div class="md-header__ellipsis">
<div class="md-header__topic">
<span class="md-ellipsis">
mailcow: dockerized documentation
</span>
</div>
<div class="md-header__topic" data-md-component="header-topic">
<span class="md-ellipsis">
Advanced SSL
</span>
</div>
</div>
</div>
<form class="md-header__option" data-md-component="palette">
<input class="md-option" data-md-color-media="" data-md-color-scheme="default" data-md-color-primary="" data-md-color-accent="" aria-label="Dark Mode" type="radio" name="__palette" id="__palette_1">
<label class="md-header__button md-icon" title="Dark Mode" for="__palette_2" hidden>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M17 6H7c-3.31 0-6 2.69-6 6s2.69 6 6 6h10c3.31 0 6-2.69 6-6s-2.69-6-6-6zm0 10H7c-2.21 0-4-1.79-4-4s1.79-4 4-4h10c2.21 0 4 1.79 4 4s-1.79 4-4 4zM7 9c-1.66 0-3 1.34-3 3s1.34 3 3 3 3-1.34 3-3-1.34-3-3-3z"/></svg>
</label>
<input class="md-option" data-md-color-media="" data-md-color-scheme="slate" data-md-color-primary="" data-md-color-accent="" aria-label="Light Mode" type="radio" name="__palette" id="__palette_2">
<label class="md-header__button md-icon" title="Light Mode" for="__palette_1" hidden>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M17 7H7a5 5 0 0 0-5 5 5 5 0 0 0 5 5h10a5 5 0 0 0 5-5 5 5 0 0 0-5-5m0 8a3 3 0 0 1-3-3 3 3 0 0 1 3-3 3 3 0 0 1 3 3 3 3 0 0 1-3 3Z"/></svg>
</label>
</form>
<div class="md-header__option">
<div class="md-select">
<button class="md-header__button md-icon" aria-label="Select language">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="m12.87 15.07-2.54-2.51.03-.03A17.52 17.52 0 0 0 14.07 6H17V4h-7V2H8v2H1v2h11.17C11.5 7.92 10.44 9.75 9 11.35 8.07 10.32 7.3 9.19 6.69 8h-2c.73 1.63 1.73 3.17 2.98 4.56l-5.09 5.02L4 19l5-5 3.11 3.11.76-2.04M18.5 10h-2L12 22h2l1.12-3h4.75L21 22h2l-4.5-12m-2.62 7 1.62-4.33L19.12 17h-3.24Z"/></svg>
</button>
<div class="md-select__inner">
<ul class="md-select__list">
<li class="md-select__item">
<a href="./" hreflang="en" class="md-select__link">
English
</a>
</li>
<li class="md-select__item">
<a href="../../de/post_installation/firststeps-ssl/" hreflang="de" class="md-select__link">
Deutsch
</a>
</li>
</ul>
</div>
</div>
</div>
<label class="md-header__button md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5Z"/></svg>
</label>
<div class="md-search" data-md-component="search" role="dialog">
<label class="md-search__overlay" for="__search"></label>
<div class="md-search__inner" role="search">
<form class="md-search__form" name="search">
<input type="text" class="md-search__input" name="query" aria-label="Search" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="search-query" required>
<label class="md-search__icon md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5Z"/></svg>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12Z"/></svg>
</label>
<nav class="md-search__options" aria-label="Search">
<button type="reset" class="md-search__icon md-icon" aria-label="Clear" tabindex="-1">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12 19 6.41Z"/></svg>
</button>
</nav>
</form>
<div class="md-search__output">
<div class="md-search__scrollwrap" data-md-scrollfix>
<div class="md-search-result" data-md-component="search-result">
<div class="md-search-result__meta">
Initializing search
</div>
<ol class="md-search-result__list"></ol>
</div>
</div>
</div>
</div>
</div>
<div class="md-header__source">
<a href="https://github.com/mailcow/mailcow-dockerized" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><!--! Font Awesome Free 6.1.1 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2022 Fonticons, Inc.--><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg>
</div>
<div class="md-source__repository">
mailcow/mailcow-dockerized
</div>
</a>
</div>
</nav>
</header>
<div class="md-container" data-md-component="container">
<main class="md-main" data-md-component="main">
<div class="md-main__inner md-grid">
<div class="md-sidebar md-sidebar--primary" data-md-component="sidebar" data-md-type="navigation" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--primary" aria-label="Navigation" data-md-level="0">
<label class="md-nav__title" for="__drawer">
<a href="../.." title="mailcow: dockerized documentation" class="md-nav__button md-logo" aria-label="mailcow: dockerized documentation" data-md-component="logo">
<img src="../../assets/images/logo.svg" alt="logo">
</a>
mailcow: dockerized documentation
</label>
<div class="md-nav__source">
<a href="https://github.com/mailcow/mailcow-dockerized" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><!--! Font Awesome Free 6.1.1 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2022 Fonticons, Inc.--><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg>
</div>
<div class="md-source__repository">
mailcow/mailcow-dockerized
</div>
</a>
</div>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../.." class="md-nav__link">
Information & Support
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_2" type="checkbox" id="__nav_2" >
<label class="md-nav__link" for="__nav_2">
Prerequisites
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Prerequisites" data-md-level="1">
<label class="md-nav__title" for="__nav_2">
<span class="md-nav__icon md-icon"></span>
Prerequisites
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../prerequisite/prerequisite-system/" class="md-nav__link">
Prepare your system
</a>
</li>
<li class="md-nav__item">
<a href="../../prerequisite/prerequisite-dns/" class="md-nav__link">
DNS setup
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3" type="checkbox" id="__nav_3" >
<label class="md-nav__link" for="__nav_3">
Installation, Update & Migration
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Installation, Update & Migration" data-md-level="1">
<label class="md-nav__title" for="__nav_3">
<span class="md-nav__icon md-icon"></span>
Installation, Update & Migration
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../i_u_m/i_u_m_install/" class="md-nav__link">
Installation
</a>
</li>
<li class="md-nav__item">
<a href="../../i_u_m/i_u_m_update/" class="md-nav__link">
Update
</a>
</li>
<li class="md-nav__item">
<a href="../../i_u_m/i_u_m_migration/" class="md-nav__link">
Migration
</a>
</li>
<li class="md-nav__item">
<a href="../../i_u_m/i_u_m_deinstall/" class="md-nav__link">
Deinstallation
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--active md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_4" type="checkbox" id="__nav_4" checked>
<label class="md-nav__link" for="__nav_4">
Post Installation Tasks
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Post Installation Tasks" data-md-level="1">
<label class="md-nav__title" for="__nav_4">
<span class="md-nav__icon md-icon"></span>
Post Installation Tasks
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item md-nav__item--active">
<input class="md-nav__toggle md-toggle" data-md-toggle="toc" type="checkbox" id="__toc">
<label class="md-nav__link md-nav__link--active" for="__toc">
Advanced SSL
<span class="md-nav__icon md-icon"></span>
</label>
<a href="./" class="md-nav__link md-nav__link--active">
Advanced SSL
</a>
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
</label>
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#lets-encrypt-out-of-the-box" class="md-nav__link">
Let's Encrypt (out-of-the-box)
</a>
<nav class="md-nav" aria-label="Let's Encrypt (out-of-the-box)">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#additional-domain-names" class="md-nav__link">
Additional domain names
</a>
</li>
<li class="md-nav__item">
<a href="#force-renewal" class="md-nav__link">
Force renewal
</a>
</li>
<li class="md-nav__item">
<a href="#validation-errors-and-how-to-skip-validation" class="md-nav__link">
Validation errors and how to skip validation
</a>
</li>
<li class="md-nav__item">
<a href="#disable-lets-encrypt" class="md-nav__link">
Disable Let's Encrypt
</a>
<nav class="md-nav" aria-label="Disable Let's Encrypt">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#disable-lets-encrypt-completely" class="md-nav__link">
Disable Let's Encrypt completely
</a>
</li>
<li class="md-nav__item">
<a href="#skip-all-names-but-mailcow_hostname" class="md-nav__link">
Skip all names but ${MAILCOW_HOSTNAME}
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#the-lets-encrypt-subjectaltname-limit-of-100-domains" class="md-nav__link">
The Let's Encrypt subjectAltName limit of 100 domains
</a>
</li>
<li class="md-nav__item">
<a href="#how-to-use-your-own-certificate" class="md-nav__link">
How to use your own certificate
</a>
</li>
<li class="md-nav__item">
<a href="#test-against-staging-acme-directory" class="md-nav__link">
Test against staging ACME directory
</a>
</li>
<li class="md-nav__item">
<a href="#custom-directory-url" class="md-nav__link">
Custom directory URL
</a>
</li>
<li class="md-nav__item">
<a href="#check-your-configuration" class="md-nav__link">
Check your configuration
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../firststeps-disable_ipv6/" class="md-nav__link">
Disable IPv6
</a>
</li>
<li class="md-nav__item">
<a href="../firststeps-dmarc_reporting/" class="md-nav__link">
DMARC Reporting
</a>
</li>
<li class="md-nav__item">
<a href="../firststeps-ip_bindings/" class="md-nav__link">
IP bindings
</a>
</li>
<li class="md-nav__item">
<a href="../firststeps-local_mta/" class="md-nav__link">
Local MTA on Docker host
</a>
</li>
<li class="md-nav__item">
<a href="../firststeps-logging/" class="md-nav__link">
Logging
</a>
</li>
<li class="md-nav__item">
<a href="../firststeps-rp/" class="md-nav__link">
Reverse Proxy
</a>
</li>
<li class="md-nav__item">
<a href="../firststeps-rspamd_ui/" class="md-nav__link">
Rspamd UI
</a>
</li>
<li class="md-nav__item">
<a href="../firststeps-snat/" class="md-nav__link">
SNAT
</a>
</li>
<li class="md-nav__item">
<a href="../firststeps-sync_jobs_migration/" class="md-nav__link">
Sync job migration
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_5" type="checkbox" id="__nav_5" >
<label class="md-nav__link" for="__nav_5">
Models
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Models" data-md-level="1">
<label class="md-nav__title" for="__nav_5">
<span class="md-nav__icon md-icon"></span>
Models
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../models/model-acl/" class="md-nav__link">
ACL
</a>
</li>
<li class="md-nav__item">
<a href="../../models/model-passwd/" class="md-nav__link">
Password hashing
</a>
</li>
<li class="md-nav__item">
<a href="../../models/model-sender_rcv/" class="md-nav__link">
Sender and receiver model
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_6" type="checkbox" id="__nav_6" >
<label class="md-nav__link" for="__nav_6">
General Troubleshooting
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="General Troubleshooting" data-md-level="1">
<label class="md-nav__title" for="__nav_6">
<span class="md-nav__icon md-icon"></span>
General Troubleshooting
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../troubleshooting/debug/" class="md-nav__link">
Introduction
</a>
</li>
<li class="md-nav__item">
<a href="../../troubleshooting/debug-admin_login_sogo/" class="md-nav__link">
Admin login to SOGo
</a>
</li>
<li class="md-nav__item">
<a href="../../troubleshooting/debug-rspamd_memory_leaks/" class="md-nav__link">
Advanced: Find memory leaks in Rspamd
</a>
</li>
<li class="md-nav__item">
<a href="../../troubleshooting/debug-attach_service/" class="md-nav__link">
Attach to a Container
</a>
</li>
<li class="md-nav__item">
<a href="../../troubleshooting/debug-common_problems/" class="md-nav__link">
Common Problems
</a>
</li>
<li class="md-nav__item">
<a href="../../troubleshooting/debug-logs/" class="md-nav__link">
Logs
</a>
</li>
<li class="md-nav__item">
<a href="../../troubleshooting/debug-mysql_upgrade/" class="md-nav__link">
Manual MySQL upgrade
</a>
</li>
<li class="md-nav__item">
<a href="../../troubleshooting/debug-mysql_aria/" class="md-nav__link">
Recover crashed Aria storage engine
</a>
</li>
<li class="md-nav__item">
<a href="../../troubleshooting/debug-rm_volumes/" class="md-nav__link">
Remove Persistent Data
</a>
</li>
<li class="md-nav__item">
<a href="../../troubleshooting/debug-reset_pw/" class="md-nav__link">
Reset Passwords (incl. SQL)
</a>
</li>
<li class="md-nav__item">
<a href="../../troubleshooting/debug-reset_tls/" class="md-nav__link">
Reset TLS certificates
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_7" type="checkbox" id="__nav_7" >
<label class="md-nav__link" for="__nav_7">
Backup & Restore
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Backup & Restore" data-md-level="1">
<label class="md-nav__title" for="__nav_7">
<span class="md-nav__icon md-icon"></span>
Backup & Restore
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_7_1" type="checkbox" id="__nav_7_1" >
<label class="md-nav__link" for="__nav_7_1">
Component backup & restore
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Component backup & restore" data-md-level="2">
<label class="md-nav__title" for="__nav_7_1">
<span class="md-nav__icon md-icon"></span>
Component backup & restore
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../backup_restore/b_n_r-backup/" class="md-nav__link">
Backup
</a>
</li>
<li class="md-nav__item">
<a href="../../backup_restore/b_n_r-restore/" class="md-nav__link">
Restore
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../../backup_restore/b_n_r-coldstandby/" class="md-nav__link">
Cold-standby (rolling backup)
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_7_3" type="checkbox" id="__nav_7_3" >
<label class="md-nav__link" for="__nav_7_3">
Manual backups
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Manual backups" data-md-level="2">
<label class="md-nav__title" for="__nav_7_3">
<span class="md-nav__icon md-icon"></span>
Manual backups
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../backup_restore/b_n_r-backup_restore-maildir/" class="md-nav__link">
Maildir
</a>
</li>
<li class="md-nav__item">
<a href="../../backup_restore/b_n_r-backup_restore-mysql/" class="md-nav__link">
MySQL (mysqldump)
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_7_4" type="checkbox" id="__nav_7_4" >
<label class="md-nav__link" for="__nav_7_4">
mailcow-internal backups
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="mailcow-internal backups" data-md-level="2">
<label class="md-nav__title" for="__nav_7_4">
<span class="md-nav__icon md-icon"></span>
mailcow-internal backups
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../backup_restore/b_n_r-accidental_deletion/" class="md-nav__link">
Recover accidentally deleted data
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_8" type="checkbox" id="__nav_8" >
<label class="md-nav__link" for="__nav_8">
Manual/Guides/Examples
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Manual/Guides/Examples" data-md-level="1">
<label class="md-nav__title" for="__nav_8">
<span class="md-nav__icon md-icon"></span>
Manual/Guides/Examples
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_8_1" type="checkbox" id="__nav_8_1" >
<label class="md-nav__link" for="__nav_8_1">
mailcow UI
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="mailcow UI" data-md-level="2">
<label class="md-nav__title" for="__nav_8_1">
<span class="md-nav__icon md-icon"></span>
mailcow UI
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../manual-guides/mailcow-UI/u_e-mailcow_ui-bl_wl/" class="md-nav__link">
Blacklist / Whitelist
</a>
</li>
<li class="md-nav__item">
<a href="../../manual-guides/mailcow-UI/u_e-mailcow_ui-config/" class="md-nav__link">
Configuration
</a>
</li>
<li class="md-nav__item">
<a href="../../manual-guides/mailcow-UI/u_e-mailcow_ui-css/" class="md-nav__link">
CSS overrides
</a>
</li>
<li class="md-nav__item">
<a href="../../manual-guides/mailcow-UI/u_e-mailcow_ui-netfilter/" class="md-nav__link">
Netfilter
</a>
</li>
<li class="md-nav__item">
<a href="../../manual-guides/mailcow-UI/u_e-mailcow_ui-pushover/" class="md-nav__link">
Pushover
</a>
</li>
<li class="md-nav__item">
<a href="../../manual-guides/mailcow-UI/u_e-mailcow_ui-spamfilter/" class="md-nav__link">
Spamfilter
</a>
</li>
<li class="md-nav__item">
<a href="../../manual-guides/mailcow-UI/u_e-mailcow_ui-sub_addressing/" class="md-nav__link">
Sub-addressing
</a>
</li>
<li class="md-nav__item">
<a href="../../manual-guides/mailcow-UI/u_e-mailcow_ui-tags/" class="md-nav__link">
Tags (for Domains and Mailboxes)
</a>
</li>
<li class="md-nav__item">
<a href="../../manual-guides/mailcow-UI/u_e-mailcow_ui-spamalias/" class="md-nav__link">
Temporary email aliases
</a>
</li>
<li class="md-nav__item">
<a href="../../manual-guides/mailcow-UI/u_e-mailcow_ui-tfa/" class="md-nav__link">
Two-Factor Authentication
</a>
</li>
<li class="md-nav__item">
<a href="../../manual-guides/mailcow-UI/u_e-mailcow_ui-fido/" class="md-nav__link">
WebAuthn / FIDO2
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_8_2" type="checkbox" id="__nav_8_2" >
<label class="md-nav__link" for="__nav_8_2">
Postfix
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Postfix" data-md-level="2">
<label class="md-nav__title" for="__nav_8_2">
<span class="md-nav__icon md-icon"></span>
Postfix
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../manual-guides/Postfix/u_e-postfix-trust_networks/" class="md-nav__link">
Add trusted networks
</a>
</li>
<li class="md-nav__item">
<a href="../../manual-guides/Postfix/u_e-postfix-custom_transport/" class="md-nav__link">
Custom transport maps
</a>
</li>
<li class="md-nav__item">
<a href="../../manual-guides/Postfix/u_e-postfix-extra_cf/" class="md-nav__link">
Customize/Expand main.cf
</a>
</li>
<li class="md-nav__item">
<a href="../../manual-guides/Postfix/u_e-postfix-disable_sender_verification/" class="md-nav__link">
Disable Sender Addresses Verification
</a>
</li>
<li class="md-nav__item">
<a href="../../manual-guides/Postfix/u_e-postfix-attachment_size/" class="md-nav__link">
Max. message size (attachment size)
</a>
</li>
<li class="md-nav__item">
<a href="../../manual-guides/Postfix/u_e-postfix-relayhost/" class="md-nav__link">
Relayhosts
</a>
</li>
<li class="md-nav__item">
<a href="../../manual-guides/Postfix/u_e-postfix-pflogsumm/" class="md-nav__link">
Statistics with pflogsumm
</a>
</li>
<li class="md-nav__item">
<a href="../../manual-guides/Postfix/u_e-postfix-postscreen_whitelist/" class="md-nav__link">
Whitelist IP in Postscreen
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_8_3" type="checkbox" id="__nav_8_3" >
<label class="md-nav__link" for="__nav_8_3">
Unbound
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Unbound" data-md-level="2">
<label class="md-nav__title" for="__nav_8_3">
<span class="md-nav__icon md-icon"></span>
Unbound
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../manual-guides/Unbound/u_e-unbound-fwd/" class="md-nav__link">
Using an external DNS service
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_8_4" type="checkbox" id="__nav_8_4" >
<label class="md-nav__link" for="__nav_8_4">
Dovecot
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Dovecot" data-md-level="2">
<label class="md-nav__title" for="__nav_8_4">
<span class="md-nav__icon md-icon"></span>
Dovecot
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../manual-guides/Dovecot/u_e-dovecot-extra_conf/" class="md-nav__link">
Customize/Expand dovecot.conf
</a>
</li>
<li class="md-nav__item">
<a href="../../manual-guides/Dovecot/u_e-dovecot-any_acl/" class="md-nav__link">
Enable "any" ACL settings
</a>
</li>
<li class="md-nav__item">
<a href="../../manual-guides/Dovecot/u_e-dovecot-expunge/" class="md-nav__link">
Expunge a Users mails
</a>
</li>
<li class="md-nav__item">
<a href="../../manual-guides/Dovecot/u_e-dovecot-fts/" class="md-nav__link">
FTS (Solr)
</a>
</li>
<li class="md-nav__item">
<a href="../../manual-guides/Dovecot/u_e-dovecot-idle_interval/" class="md-nav__link">
IMAP IDLE interval
</a>
</li>
<li class="md-nav__item">
<a href="../../manual-guides/Dovecot/u_e-dovecot-mail-crypt/" class="md-nav__link">
Mail crypt
</a>
</li>
<li class="md-nav__item">
<a href="../../manual-guides/Dovecot/u_e-dovecot-more/" class="md-nav__link">
More Examples with DOVEADM
</a>
</li>
<li class="md-nav__item">
<a href="../../manual-guides/Dovecot/u_e-dovecot-vmail-volume/" class="md-nav__link">
Move Maildir (vmail)
</a>
</li>
<li class="md-nav__item">
<a href="../../manual-guides/Dovecot/u_e-dovecot-public_folder/" class="md-nav__link">
Public folders
</a>
</li>
<li class="md-nav__item">
<a href="../../manual-guides/Dovecot/u_e-dovecot-static_master/" class="md-nav__link">
Static master user
</a>
</li>
<li class="md-nav__item">
<a href="../../manual-guides/Dovecot/u_e-dovecot-catchall_vacation/" class="md-nav__link">
Vacation replies for catchall addresses
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_8_5" type="checkbox" id="__nav_8_5" >
<label class="md-nav__link" for="__nav_8_5">
Nginx
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Nginx" data-md-level="2">
<label class="md-nav__title" for="__nav_8_5">
<span class="md-nav__icon md-icon"></span>
Nginx
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../manual-guides/Nginx/u_e-nginx_webmail-site/" class="md-nav__link">
Create subdomain webmail.example.org
</a>
</li>
<li class="md-nav__item">
<a href="../../manual-guides/Nginx/u_e-nginx_custom/" class="md-nav__link">
Custom sites
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_8_6" type="checkbox" id="__nav_8_6" >
<label class="md-nav__link" for="__nav_8_6">
Watchdog
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Watchdog" data-md-level="2">
<label class="md-nav__title" for="__nav_8_6">
<span class="md-nav__icon md-icon"></span>
Watchdog
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../manual-guides/Watchdog/u_e-watchdog-thresholds/" class="md-nav__link">
Thresholds
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../../manual-guides/Redis/u_e-redis/" class="md-nav__link">
Redis
</a>
</li>
<li class="md-nav__item">
<a href="../../manual-guides/Rspamd/u_e-rspamd/" class="md-nav__link">
Rspamd
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_8_9" type="checkbox" id="__nav_8_9" >
<label class="md-nav__link" for="__nav_8_9">
ClamAV
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="ClamAV" data-md-level="2">
<label class="md-nav__title" for="__nav_8_9">
<span class="md-nav__icon md-icon"></span>
ClamAV
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../manual-guides/ClamAV/u_e-clamav-whitelist/" class="md-nav__link">
Whitelist
</a>
</li>
<li class="md-nav__item">
<a href="../../manual-guides/ClamAV/u_e-clamav-additional_dbs/" class="md-nav__link">
Additional Databases
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../../manual-guides/SOGo/u_e-sogo/" class="md-nav__link">
SOGo
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_8_11" type="checkbox" id="__nav_8_11" >
<label class="md-nav__link" for="__nav_8_11">
Docker
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Docker" data-md-level="2">
<label class="md-nav__title" for="__nav_8_11">
<span class="md-nav__icon md-icon"></span>
Docker
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../manual-guides/Docker/u_e-docker-cust_dockerfiles/" class="md-nav__link">
Customize Dockerfiles
</a>
</li>
<li class="md-nav__item">
<a href="../../manual-guides/Docker/u_e-docker-dc_bash_compl/" class="md-nav__link">
Docker Compose Bash Completion
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../../manual-guides/u_e-why_unbound/" class="md-nav__link">
Why unbound?
</a>
</li>
<li class="md-nav__item">
<a href="../../manual-guides/u_e-autodiscover_config/" class="md-nav__link">
Autodiscover / Autoconfig
</a>
</li>
<li class="md-nav__item">
<a href="../../manual-guides/u_e-80_to_443/" class="md-nav__link">
Redirect HTTP to HTTPS
</a>
</li>
<li class="md-nav__item">
<a href="../../manual-guides/u_e-reeanble-weak-protocols/" class="md-nav__link">
Re-enable TLS 1.0 and TLS 1.1
</a>
</li>
<li class="md-nav__item">
<a href="../../manual-guides/u_e-update-hooks/" class="md-nav__link">
Run scripts before and after updates
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_9" type="checkbox" id="__nav_9" >
<label class="md-nav__link" for="__nav_9">
Client Configuration
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Client Configuration" data-md-level="1">
<label class="md-nav__title" for="__nav_9">
<span class="md-nav__icon md-icon"></span>
Client Configuration
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../client/client/" class="md-nav__link">
Overview
</a>
</li>
<li class="md-nav__item">
<a href="../../client/client-android/" class="md-nav__link">
Android
</a>
</li>
<li class="md-nav__item">
<a href="../../client/client-apple/" class="md-nav__link">
Apple macOS / iOS
</a>
</li>
<li class="md-nav__item">
<a href="../../client/client-emclient/" class="md-nav__link">
eM Client
</a>
</li>
<li class="md-nav__item">
<a href="../../client/client-kontact/" class="md-nav__link">
KDE Kontact
</a>
</li>
<li class="md-nav__item">
<a href="../../client/client-outlook/" class="md-nav__link">
Microsoft Outlook
</a>
</li>
<li class="md-nav__item">
<a href="../../client/client-thunderbird/" class="md-nav__link">
Mozilla Thunderbird
</a>
</li>
<li class="md-nav__item">
<a href="../../client/client-windows/" class="md-nav__link">
Windows Mail
</a>
</li>
<li class="md-nav__item">
<a href="../../client/client-manual/" class="md-nav__link">
Manual configuration
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_10" type="checkbox" id="__nav_10" >
<label class="md-nav__link" for="__nav_10">
Third party apps
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Third party apps" data-md-level="1">
<label class="md-nav__title" for="__nav_10">
<span class="md-nav__icon md-icon"></span>
Third party apps
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../third_party/third_party-borgmatic/" class="md-nav__link">
Borgmatic Backup
</a>
</li>
<li class="md-nav__item">
<a href="../../third_party/third_party-exchange_onprem/" class="md-nav__link">
Exchange Hybrid Setup
</a>
</li>
<li class="md-nav__item">
<a href="../../third_party/third_party-gitea/" class="md-nav__link">
Gitea
</a>
</li>
<li class="md-nav__item">
<a href="../../third_party/third_party-gogs/" class="md-nav__link">
Gogs
</a>
</li>
<li class="md-nav__item">
<a href="../../third_party/third_party-mailman3/" class="md-nav__link">
Mailman 3
</a>
</li>
<li class="md-nav__item">
<a href="../../third_party/third_party-mailpiler_integration/" class="md-nav__link">
Mailpiler Integration
</a>
</li>
<li class="md-nav__item">
<a href="../../third_party/third_party-nextcloud/" class="md-nav__link">
Nextcloud
</a>
</li>
<li class="md-nav__item">
<a href="../../third_party/third_party-portainer/" class="md-nav__link">
Portainer
</a>
</li>
<li class="md-nav__item">
<a href="../../third_party/third_party-roundcube/" class="md-nav__link">
Roundcube
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-sidebar md-sidebar--secondary" data-md-component="sidebar" data-md-type="toc" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
</label>
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#lets-encrypt-out-of-the-box" class="md-nav__link">
Let's Encrypt (out-of-the-box)
</a>
<nav class="md-nav" aria-label="Let's Encrypt (out-of-the-box)">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#additional-domain-names" class="md-nav__link">
Additional domain names
</a>
</li>
<li class="md-nav__item">
<a href="#force-renewal" class="md-nav__link">
Force renewal
</a>
</li>
<li class="md-nav__item">
<a href="#validation-errors-and-how-to-skip-validation" class="md-nav__link">
Validation errors and how to skip validation
</a>
</li>
<li class="md-nav__item">
<a href="#disable-lets-encrypt" class="md-nav__link">
Disable Let's Encrypt
</a>
<nav class="md-nav" aria-label="Disable Let's Encrypt">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#disable-lets-encrypt-completely" class="md-nav__link">
Disable Let's Encrypt completely
</a>
</li>
<li class="md-nav__item">
<a href="#skip-all-names-but-mailcow_hostname" class="md-nav__link">
Skip all names but ${MAILCOW_HOSTNAME}
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#the-lets-encrypt-subjectaltname-limit-of-100-domains" class="md-nav__link">
The Let's Encrypt subjectAltName limit of 100 domains
</a>
</li>
<li class="md-nav__item">
<a href="#how-to-use-your-own-certificate" class="md-nav__link">
How to use your own certificate
</a>
</li>
<li class="md-nav__item">
<a href="#test-against-staging-acme-directory" class="md-nav__link">
Test against staging ACME directory
</a>
</li>
<li class="md-nav__item">
<a href="#custom-directory-url" class="md-nav__link">
Custom directory URL
</a>
</li>
<li class="md-nav__item">
<a href="#check-your-configuration" class="md-nav__link">
Check your configuration
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-content" data-md-component="content">
<article class="md-content__inner md-typeset">
<a href="https://github.com/mailcow/mailcow-dockerized-docs/edit/master/docs/post_installation/firststeps-ssl.en.md" title="Edit this page" class="md-content__button md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20.71 7.04c.39-.39.39-1.04 0-1.41l-2.34-2.34c-.37-.39-1.02-.39-1.41 0l-1.84 1.83 3.75 3.75M3 17.25V21h3.75L17.81 9.93l-3.75-3.75L3 17.25Z"/></svg>
</a>
<h1>Advanced SSL</h1>
<h2 id="lets-encrypt-out-of-the-box">Let's Encrypt (out-of-the-box)<a class="headerlink" href="#lets-encrypt-out-of-the-box" title="Permanent link">&para;</a></h2>
<p>The "acme-mailcow" container will try to obtain a LE certificate for <code>${MAILCOW_HOSTNAME}</code>, <code>autodiscover.ADDED_MAIL_DOMAIN</code> and <code>autoconfig.ADDED_MAIL_DOMAIN</code>.</p>
<div class="admonition warning">
<p class="admonition-title">Warning</p>
<p>mailcow <strong>must</strong> be available on port 80 for the acme-client to work. Our reverse proxy example configurations do cover that. You can also use any external ACME client (certbot for example) to obtain certificates, but you will need to make sure, that they are copied to the correct location and a post-hook reloads affected containers. See more in the Reverse Proxy documentation.</p>
</div>
<p>By default, which means <strong>0 domains</strong> are added to mailcow, it will try to obtain a certificate for <code>${MAILCOW_HOSTNAME}</code>.</p>
<p>For each domain you add, it will try to resolve <code>autodiscover.ADDED_MAIL_DOMAIN</code> and <code>autoconfig.ADDED_MAIL_DOMAIN</code> to its IPv6 address or - if IPv6 is not configured in your domain - IPv4 address. If it succeeds, a name will be added as SAN to the certificate request.</p>
<p>Only names that can be validated, will be added as SAN.</p>
<p>For every domain you remove, the certificate will be moved and a new certificate will be requested. It is not possible to keep domains in a certificate, when we are not able validate the challenge for those.</p>
<p>If you want to re-run the ACME client, use <code>docker-compose restart acme-mailcow</code> and monitor its logs with <code>docker-compose logs --tail=200 -f acme-mailcow</code>.</p>
<h3 id="additional-domain-names">Additional domain names<a class="headerlink" href="#additional-domain-names" title="Permanent link">&para;</a></h3>
<p>Edit "mailcow.conf" and add a parameter <code>ADDITIONAL_SAN</code> like this:</p>
<p>Do not use quotes (<code>"</code>) and do not use spaces between the names!</p>
<div class="highlight"><pre><span></span><code>ADDITIONAL_SAN=smtp.*,cert1.example.com,cert2.example.org,whatever.*
</code></pre></div>
<p>Each name will be validated against its IPv6 address or - if IPv6 is not configured in your domain - IPv4 address.</p>
<p>A wildcard name like <code>smtp.*</code> will try to obtain a smtp.DOMAIN_NAME SAN for each domain added to mailcow.</p>
<p>Run <code>docker-compose up -d</code> to recreate affected containers automatically.</p>
<div class="admonition info">
<p class="admonition-title">Info</p>
<p>Using names other name <code>MAILCOW_HOSTNAME</code> to access the mailcow UI may need further configuration.</p>
</div>
<p>If you plan to use a server name that is not <code>MAILCOW_HOSTNAME</code> to access the mailcow UI (for example by adding <code>mail.*</code> to <code>ADDITIONAL_SAN</code> make sure to populate that name in mailcow.conf via <code>ADDITIONAL_SERVER_NAMES</code>. Names must be separated by commas and <strong>must not</strong> contain spaces. If you skip this step, mailcow may respond with an incorrect site.</p>
<div class="highlight"><pre><span></span><code>ADDITIONAL_SERVER_NAMES=webmail.domain.tld,other.example.tld
</code></pre></div>
<p>Run <code>docker-compose up -d</code> to apply.</p>
<h3 id="force-renewal">Force renewal<a class="headerlink" href="#force-renewal" title="Permanent link">&para;</a></h3>
<p>To force a renewal, you need to create a file named <code>force_renew</code> and restart the <code>acme-mailcow</code> container:</p>
<div class="highlight"><pre><span></span><code>cd /opt/mailcow-dockerized
touch data/assets/ssl/force_renew
docker-compose restart acme-mailcow
# Now check the logs for a renewal
docker-compose logs --tail=200 -f acme-mailcow
</code></pre></div>
<p>The file will be deleted automatically.</p>
<h3 id="validation-errors-and-how-to-skip-validation">Validation errors and how to skip validation<a class="headerlink" href="#validation-errors-and-how-to-skip-validation" title="Permanent link">&para;</a></h3>
<p>You can skip the <strong>IP verification</strong> by setting <code>SKIP_IP_CHECK=y</code> in mailcow.conf (no quotes). Be warned that a misconfiguration will get you ratelimited by Let's Encrypt! This is primarily useful for multi-IP setups where the IP check would return the incorrect source IP address. Due to using dynamic IPs for acme-mailcow, source NAT is not consistent over restarts.</p>
<p>If you encounter problems with "HTTP validation", but your IP address confirmation succeeds, you are most likely using firewalld, ufw or any other firewall, that disallows connections from <code>br-mailcow</code> to your external interface. Both firewalld and ufw disallow this by default. It is often not enough to just stop these firewall services. You'd need to stop mailcow (<code>docker-compose down</code>), stop the firewall service, flush the chains and restart Docker.</p>
<p>You can also skip this validation method by setting <code>SKIP_HTTP_VERIFICATION=y</code> in "mailcow.conf". Be warned that this is discouraged. In most cases, the HTTP verification is skipped to workaround unknown NAT reflection issues, which are not resolved by ignoring this specific network misconfiguration. If you encounter problems generating TLSA records in the DNS overview within mailcow, you are most likely having issues with NAT reflection you should fix.</p>
<p>If you changed a SKIP_* parameter, run <code>docker-compose up -d</code> to apply your changes.</p>
<h3 id="disable-lets-encrypt">Disable Let's Encrypt<a class="headerlink" href="#disable-lets-encrypt" title="Permanent link">&para;</a></h3>
<h4 id="disable-lets-encrypt-completely">Disable Let's Encrypt completely<a class="headerlink" href="#disable-lets-encrypt-completely" title="Permanent link">&para;</a></h4>
<p>Set <code>SKIP_LETS_ENCRYPT=y</code> in "mailcow.conf" and recreate "acme-mailcow" by running <code>docker-compose up -d</code>.</p>
<h4 id="skip-all-names-but-mailcow_hostname">Skip all names but ${MAILCOW_HOSTNAME}<a class="headerlink" href="#skip-all-names-but-mailcow_hostname" title="Permanent link">&para;</a></h4>
<p>Add <code>ONLY_MAILCOW_HOSTNAME=y</code> to "mailcow.conf" and recreate "acme-mailcow" by running <code>docker-compose up -d</code>.</p>
<h3 id="the-lets-encrypt-subjectaltname-limit-of-100-domains">The Let's Encrypt subjectAltName limit of 100 domains<a class="headerlink" href="#the-lets-encrypt-subjectaltname-limit-of-100-domains" title="Permanent link">&para;</a></h3>
<p>Let's Encrypt currently has <a href="https://letsencrypt.org/docs/rate-limits/">a limit of 100 Domain Names per Certificate</a>.</p>
<p>By default, "acme-mailcow" will create a single SAN certificate for all validated domains
(see the <a href="#lets-encrypt-out-of-the-box">first section</a> and <a href="#additional-domain-names">Additional domain names</a>).
This provides best compatibility but means the Let's Encrypt limit exceeds if you add too many domains to a single mailcow installation.</p>
<p>To solve this, you can configure <code>ENABLE_SSL_SNI</code> to generate:</p>
<ul>
<li>A main server certificate with <code>MAILCOW_HOSTNAME</code> and all fully qualified domain names in the <code>ADDITIONAL_SAN</code> config</li>
<li>One additional certificate for each domain found in the database with autodiscover.<em>, autoconfig.</em> and any other <code>ADDITIONAL_SAN</code> configured in this format (subdomain.*).</li>
<li>Limitations: A certificate name <code>ADDITIONAL_SAN=test.example.com</code> will be added as SAN to the main certificate. A separate certificate/key pair will <strong>not</strong> be generated for this format.</li>
</ul>
<p>Postfix, Dovecot and Nginx will then serve these certificates with SNI.</p>
<p>Set <code>ENABLE_SSL_SNI=y</code> in "mailcow.conf" and recreate "acme-mailcow" by running <code>docker-compose up -d</code>.</p>
<div class="admonition warning">
<p class="admonition-title">Warning</p>
<p>Not all clients support SNI, <a href="https://wiki.dovecot.org/SSL/SNIClientSupport">see Dovecot documentation</a> or <a href="https://en.wikipedia.org/wiki/Server_Name_Indication#Support">Wikipedia</a>.
You should make sure these clients use the <code>MAILCOW_HOSTNAME</code> for secure connections if you enable this feature.</p>
</div>
<p>Here is an example:</p>
<ul>
<li><code>MAILCOW_HOSTNAME=server.email.tld</code></li>
<li><code>ADDITIONAL_SAN=webmail.email.tld,mail.*</code></li>
<li>Mailcow email domains: "domain1.tld" and "domain2.tld"</li>
</ul>
<p>The following certificates will be generated:</p>
<ul>
<li><code>server.email.tld, webmail.email.tld</code> -&gt; this is the default certificate, all clients can connect with these domains</li>
<li><code>mail.domain1.tld, autoconfig.domain1.tld, autodiscover.domain1.tld</code> -&gt; individual certificate for domain1.tld, cannot be used by clients without SNI support</li>
<li><code>mail.domain2.tld, autoconfig.domain2.tld, autodiscover.domain2.tld</code> -&gt; individual certificate for domain2.tld, cannot be used by clients without SNI support</li>
</ul>
<h3 id="how-to-use-your-own-certificate">How to use your own certificate<a class="headerlink" href="#how-to-use-your-own-certificate" title="Permanent link">&para;</a></h3>
<p>Make sure you disable mailcows internal LE client (see above).</p>
<p>To use your own certificates, just save the combined certificate (containing the certificate and intermediate CA/CA if any) to <code>data/assets/ssl/cert.pem</code> and the corresponding key to <code>data/assets/ssl/key.pem</code>.</p>
<p><strong>IMPORTANT:</strong> Do not use symbolic links! Make sure you copy the certificates and do not link them to <code>data/assets/ssl</code>.</p>
<p>Restart affected services afterwards:</p>
<div class="highlight"><pre><span></span><code>docker restart $(docker ps -qaf name=postfix-mailcow)
docker restart $(docker ps -qaf name=nginx-mailcow)
docker restart $(docker ps -qaf name=dovecot-mailcow)
</code></pre></div>
<p>See <a href="../firststeps-rp/#optional-post-hook-script-for-non-mailcow-acme-clients">Post-hook script for non-mailcow ACME clients</a> for a full example script.</p>
<h3 id="test-against-staging-acme-directory">Test against staging ACME directory<a class="headerlink" href="#test-against-staging-acme-directory" title="Permanent link">&para;</a></h3>
<p>Edit <code>mailcow.conf</code> and add <code>LE_STAGING=y</code>.</p>
<p>Run <code>docker-compose up -d</code> to activate your changes.</p>
<h3 id="custom-directory-url">Custom directory URL<a class="headerlink" href="#custom-directory-url" title="Permanent link">&para;</a></h3>
<p>Edit <code>mailcow.conf</code> and add the corresponding directory URL to the new variable <code>DIRECTORY_URL</code>:</p>
<div class="highlight"><pre><span></span><code>DIRECTORY_URL=https://acme-custom-v9000.api.letsencrypt.org/directory
</code></pre></div>
<p>You cannot use <code>LE_STAGING</code> with <code>DIRECTORY_URL</code>. If both are set, only <code>LE_STAGING</code> is used.</p>
<p>Run <code>docker-compose up -d</code> to activate your changes.</p>
<h3 id="check-your-configuration">Check your configuration<a class="headerlink" href="#check-your-configuration" title="Permanent link">&para;</a></h3>
<p>Run <code>docker-compose logs acme-mailcow</code> to find out why a validation fails.</p>
<p>To check if nginx serves the correct certificate, simply use a browser of your choice and check the displayed certificate.</p>
<p>To check the certificate served by Postfix, Dovecot and Nginx we will use <code>openssl</code>:</p>
<div class="highlight"><pre><span></span><code># Connect via SMTP (587)
echo &quot;Q&quot; | openssl s_client -starttls smtp -crlf -connect mx.mailcow.email:587
# Connect via IMAP (143)
echo &quot;Q&quot; | openssl s_client -starttls imap -showcerts -connect mx.mailcow.email:143
# Connect via HTTPS (443)
echo &quot;Q&quot; | openssl s_client -connect mx.mailcow.email:443
</code></pre></div>
<p>To validate the expiry dates as returned by openssl against MAILCOW_HOSTNAME, you are able to use our helper script:</p>
<div class="highlight"><pre><span></span><code>cd /opt/mailcow-dockerized
bash helper-scripts/expiry-dates.sh
</code></pre></div>
<hr>
<div class="md-source-file">
<small>
Last update:
<span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-iso_datetime">2022-02-16 12:41:22</span>
</small>
</div>
</article>
</div>
</div>
<a href="#" class="md-top md-icon" data-md-component="top" data-md-state="hidden">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M13 20h-2V8l-5.5 5.5-1.42-1.42L12 4.16l7.92 7.92-1.42 1.42L13 8v12Z"/></svg>
Back to top
</a>
</main>
<footer class="md-footer">
<nav class="md-footer__inner md-grid" aria-label="Footer">
<a href="../../i_u_m/i_u_m_deinstall/" class="md-footer__link md-footer__link--prev" aria-label="Previous: Deinstallation" rel="prev">
<div class="md-footer__button md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12Z"/></svg>
</div>
<div class="md-footer__title">
<div class="md-ellipsis">
<span class="md-footer__direction">
Previous
</span>
Deinstallation
</div>
</div>
</a>
<a href="../firststeps-disable_ipv6/" class="md-footer__link md-footer__link--next" aria-label="Next: Disable IPv6" rel="next">
<div class="md-footer__title">
<div class="md-ellipsis">
<span class="md-footer__direction">
Next
</span>
Disable IPv6
</div>
</div>
<div class="md-footer__button md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M4 11v2h12l-5.5 5.5 1.42 1.42L19.84 12l-7.92-7.92L10.5 5.5 16 11H4Z"/></svg>
</div>
</a>
</nav>
<div class="md-footer-meta md-typeset">
<div class="md-footer-meta__inner md-grid">
<div class="md-copyright">
<div class="md-copyright__highlight">
Copyright &copy; 2022 Servercow Team & Community
</div>
Made with
<a href="https://squidfunk.github.io/mkdocs-material/" target="_blank" rel="noopener">
Material for MkDocs
</a>
</div>
<div class="md-social">
<a href="https://mailcow.email" target="_blank" rel="noopener" title="mailcow.email" class="md-social__link">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"><!--! Font Awesome Free 6.1.1 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2022 Fonticons, Inc.--><path d="M512 256c0 141.4-114.6 256-256 256S0 397.4 0 256 114.6 0 256 0s256 114.6 256 256zM57.71 192.1l9.36 17.3a64.042 64.042 0 0 0 38.03 29.8l57 16.5c18.1 4.9 29.9 20.6 29.9 38.5v39.9c0 11 6.2 21 16 25 9.8 5.8 16 15.8 16 26.8v39c0 15.6 14.9 26.8 29.9 22.5 16.2-4.6 28.6-18.3 32.7-33.7l2.8-11.2c4.2-16.9 15.2-31.4 30.3-40.1l8.1-4.6c15-8.5 24.2-24.4 24.2-41.7v-8.2c0-12.8-5.1-25-14.1-34l-3.8-3.8c-9-9-21.3-15-34-15h-44c-10.2 0-21.2-2-30.9-7.5l-34.5-19.8c-4.3-2.4-7.6-6.4-9.1-11.1-3.2-9.6 1.1-20 10.1-24.6l6-2.9c6.6-3.3 14.2-3.9 20.4-1.5l24.1 7.7c8.1 2.7 17.1-.4 21.9-7.5 4.7-7.1 4.2-16.4-1.2-22.9l-13.6-16.2c-10-12-9.9-29.5.3-41.3l15.7-18.38c8.8-10.27 10.2-24.96 3.5-36.7l-2.4-4.16c-4.3-.17-6.9-.26-10.4-.26-92.9 0-171.6 60.9-198.29 144.1zm379.89-37.6L412 164.8c-15.7 6.3-23.8 23.7-18.5 39.8l16.9 50.7c3.5 10.4 12 18.3 22.6 21l29.2 7.2c1.2-9 1.8-18.2 1.8-27.5 0-36.8-9.6-71.4-26.4-101.5z"/></svg>
</a>
<a href="https://github.com/mailcow" target="_blank" rel="noopener" title="github.com" class="md-social__link">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 480 512"><!--! Font Awesome Free 6.1.1 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2022 Fonticons, Inc.--><path d="M186.1 328.7c0 20.9-10.9 55.1-36.7 55.1s-36.7-34.2-36.7-55.1 10.9-55.1 36.7-55.1 36.7 34.2 36.7 55.1zM480 278.2c0 31.9-3.2 65.7-17.5 95-37.9 76.6-142.1 74.8-216.7 74.8-75.8 0-186.2 2.7-225.6-74.8-14.6-29-20.2-63.1-20.2-95 0-41.9 13.9-81.5 41.5-113.6-5.2-15.8-7.7-32.4-7.7-48.8 0-21.5 4.9-32.3 14.6-51.8 45.3 0 74.3 9 108.8 36 29-6.9 58.8-10 88.7-10 27 0 54.2 2.9 80.4 9.2 34-26.7 63-35.2 107.8-35.2 9.8 19.5 14.6 30.3 14.6 51.8 0 16.4-2.6 32.7-7.7 48.2 27.5 32.4 39 72.3 39 114.2zm-64.3 50.5c0-43.9-26.7-82.6-73.5-82.6-18.9 0-37 3.4-56 6-14.9 2.3-29.8 3.2-45.1 3.2-15.2 0-30.1-.9-45.1-3.2-18.7-2.6-37-6-56-6-46.8 0-73.5 38.7-73.5 82.6 0 87.8 80.4 101.3 150.4 101.3h48.2c70.3 0 150.6-13.4 150.6-101.3zm-82.6-55.1c-25.8 0-36.7 34.2-36.7 55.1s10.9 55.1 36.7 55.1 36.7-34.2 36.7-55.1-10.9-55.1-36.7-55.1z"/></svg>
</a>
<a href="https://twitter.com/mailcow_email" target="_blank" rel="noopener" title="twitter.com" class="md-social__link">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"><!--! Font Awesome Free 6.1.1 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2022 Fonticons, Inc.--><path d="M459.37 151.716c.325 4.548.325 9.097.325 13.645 0 138.72-105.583 298.558-298.558 298.558-59.452 0-114.68-17.219-161.137-47.106 8.447.974 16.568 1.299 25.34 1.299 49.055 0 94.213-16.568 130.274-44.832-46.132-.975-84.792-31.188-98.112-72.772 6.498.974 12.995 1.624 19.818 1.624 9.421 0 18.843-1.3 27.614-3.573-48.081-9.747-84.143-51.98-84.143-102.985v-1.299c13.969 7.797 30.214 12.67 47.431 13.319-28.264-18.843-46.781-51.005-46.781-87.391 0-19.492 5.197-37.36 14.294-52.954 51.655 63.675 129.3 105.258 216.365 109.807-1.624-7.797-2.599-15.918-2.599-24.04 0-57.828 46.782-104.934 104.934-104.934 30.213 0 57.502 12.67 76.67 33.137 23.715-4.548 46.456-13.32 66.599-25.34-7.798 24.366-24.366 44.833-46.132 57.827 21.117-2.273 41.584-8.122 60.426-16.243-14.292 20.791-32.161 39.308-52.628 54.253z"/></svg>
</a>
</div>
</div>
</div>
</footer>
</div>
<div class="md-dialog" data-md-component="dialog">
<div class="md-dialog__inner md-typeset"></div>
</div>
<script id="__config" type="application/json">{"base": "../..", "features": ["navigation.top", "navigation.tracking"], "search": "../../assets/javascripts/workers/search.2a1c317c.min.js", "translations": {"clipboard.copied": "Copied to clipboard", "clipboard.copy": "Copy to clipboard", "search.config.lang": "en", "search.config.pipeline": "trimmer, stopWordFilter", "search.config.separator": "[\\s\\-]+", "search.placeholder": "Search", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.placeholder": "Type to start searching", "search.result.term.missing": "Missing", "select.version.title": "Select version"}}</script>
<script src="../../assets/javascripts/bundle.a6c66575.min.js"></script>
<script src="../../assets/javascripts/client.js"></script>
</body>
</html>