This is roughly what I did to run an Nginx web server on the same machine as a dockerized Mailcow. The host Nginx terminates TLS for mail.xxxxx.com and proxies to the Mailcow web front end, which is bound to 127.0.0.1:8080:
```nginx
# Port 80: hand the ACME webroot to certbot, redirect everything else to HTTPS.
# One server block per name and port: nginx ignores a second block that
# listens on the same port for the same server_name.
server {
    listen 80;
    listen [::]:80;
    server_name mail.xxxxx.com;
    root /var/www/mail.xxxxx.com;

    # Let's Encrypt HTTP-01 challenge files are served from the webroot
    location /.well-known/acme-challenge/ {
        try_files $uri =404;
    }

    location / {
        return 301 https://mail.xxxxx.com$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name mail.xxxxx.com;
    charset UTF-8;
    access_log /var/log/nginx/access.mail.xxxxx.com;
    error_log /var/log/nginx/error.mail.xxxxx.com;
    include snippets/error_pages.conf;

    # certificates renewed by certbot on the host
    ssl_certificate /etc/letsencrypt/live/mail.xxxxx.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mail.xxxxx.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams-2048.pem;

    # Mailcow's own nginx container listens on 127.0.0.1:8080
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_buffering off;
        include /etc/nginx/proxy_params;
    }
}
```
The problem is that Mailcow can no longer use port 80 to renew the TLS certificates used by Postfix and Dovecot, because the host Nginx now owns that port. Instead, certbot on the host renews them into /etc/letsencrypt/live. To close the gap, the following script runs daily from crontab: it copies the renewed certificate and key into Mailcow's ssl asset folder and reloads Postfix and Dovecot.
```bash
#!/usr/bin/env bash
# We are running behind an nginx proxy, where certbot is run by systemd,
# so the mail.xxxxx.com certificates are renewed in /etc/letsencrypt/live
# but not copied to the mailcow folder.
# In case the certificate isn't renewed automatically, run this by hand:
#   sudo certbot -n certonly --webroot -w /var/www/html/letsencrypt -d mail.xxxxx.com
set -euo pipefail

le_dir="/etc/letsencrypt/live/mail.xxxxx.com"
mc_ssl="/opt/mailcow-dockerized/data/assets/ssl"

# Nothing to do if mailcow already has the current certificate
# (cmp also returns non-zero when the mailcow copy does not exist yet).
if cmp -s "$le_dir/fullchain.pem" "$mc_ssl/mail.xxxxx.com/cert.pem"; then
    exit 0
fi

# These files are required in data/assets/ssl/mail.xxxxx.com/ ...
mkdir -p "$mc_ssl/mail.xxxxx.com"
cp "$le_dir/fullchain.pem" "$mc_ssl/mail.xxxxx.com/cert.pem"
cp "$le_dir/privkey.pem"   "$mc_ssl/mail.xxxxx.com/key.pem"
# ... and in data/assets/ssl/ as well (turns out sending failed otherwise).
cp "$le_dir/fullchain.pem" "$mc_ssl/cert.pem"
cp "$le_dir/privkey.pem"   "$mc_ssl/key.pem"

# Tell postfix and dovecot inside their containers to pick up the new files.
docker exec "$(docker ps -qaf name=postfix-mailcow)" postfix reload
docker exec "$(docker ps -qaf name=dovecot-mailcow)" dovecot reload
```
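Once the script has copied the files, the check a practitioner wants is whether Postfix, Dovecot and the host Nginx now all present the certificate certbot wrote. The following Python script is an added example, not part of this page or of Mailcow: it fingerprints the leaf certificate in fullchain.pem and compares it with what each service presents over TLS (STARTTLS for SMTP, implicit TLS for HTTPS and IMAPS), so a stale copy or a missed reload shows up as a mismatch. The host name, PEM path and port list are assumptions taken from the configuration above; SAMPLE_DER and SAMPLE_PEM are constructed placeholders used only for self-testing, not a real certificate.

```python
#!/usr/bin/env python3
"""Post-renewal check: confirm the mail services present the certificate
certbot renewed. Added example; not part of mailcow or of the page above."""
import argparse
import base64
import hashlib
import re
import smtplib
import socket
import ssl

# First certificate block of a PEM bundle; in fullchain.pem that is the leaf.
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed sample for self-tests only: these bytes are NOT a real DER certificate.
SAMPLE_DER = b"constructed-sample-not-a-real-certificate"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def leaf_fingerprint_from_pem(pem_text: str) -> str:
    """SHA-256 fingerprint of the first certificate in a PEM file (the leaf)."""
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no certificate block found in PEM text")
    der = base64.b64decode("".join(match.group(1).split()))
    return sha256_hex(der)


def served_fingerprint(host: str, port: int, starttls: bool = False, timeout: float = 10.0) -> str:
    """SHA-256 fingerprint of the leaf certificate a live service presents.

    starttls=True speaks SMTP and upgrades with STARTTLS (ports 25/587);
    otherwise the connection is implicit TLS (443, 465, 993).
    Chain validation is switched off on purpose: the goal is to see and
    report a stale or wrong certificate, not to abort on it.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    if starttls:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.starttls(context=ctx)
            der = smtp.sock.getpeercert(binary_form=True)
    else:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
    return sha256_hex(der)


# (name, port, uses STARTTLS): the services the sync script updates, plus nginx as reference.
DEFAULT_SERVICES = (
    ("nginx https", 443, False),
    ("postfix submission", 587, True),
    ("postfix smtp", 25, True),
    ("dovecot imaps", 993, False),
)


def check_services(expected: str, host: str, services=DEFAULT_SERVICES, timeout: float = 10.0) -> dict:
    """Return {service name: (fingerprint or error text, matches expected)}."""
    results = {}
    for name, port, use_starttls in services:
        try:
            fp = served_fingerprint(host, port, use_starttls, timeout)
        except (OSError, smtplib.SMTPException) as exc:
            results[name] = (f"error: {exc}", False)
            continue
        results[name] = (fp, fp == expected)
    return results


def all_match(results: dict) -> bool:
    """True only if every service presented the expected certificate."""
    return all(ok for _, ok in results.values())


if __name__ == "__main__":
    # Defaults are assumptions matching the host name and paths used above.
    ap = argparse.ArgumentParser(description="Compare served certificates with certbot's fullchain.pem")
    ap.add_argument("--host", default="mail.xxxxx.com")
    ap.add_argument("--pem", default="/etc/letsencrypt/live/mail.xxxxx.com/fullchain.pem")
    args = ap.parse_args()
    with open(args.pem) as fh:
        expected = leaf_fingerprint_from_pem(fh.read())
    print(f"expected  {expected}")
    results = check_services(expected, args.host)
    for name, (fp, ok) in results.items():
        print(f"{'OK ' if ok else 'BAD'} {name:20s} {fp}")
    raise SystemExit(0 if all_match(results) else 1)
```

Run it as root on the mail host right after the cron script; a non-zero exit means at least one service still serves the old certificate or could not be reached, which is the failure this whole setup is otherwise silent about.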
Inspiration: Felix Moesbauer