From 94050b639e00aef09a55e958394b52316a4d8fe3 Mon Sep 17 00:00:00 2001
From: Nicole Rappe
Date: Thu, 17 Jul 2025 17:01:26 -0600
Subject: [PATCH] Update Servers/Email/Mailcow.md
---
 Servers/Email/Mailcow.md | 55 ++++++++++++++++++++++++++++++++--------
 1 file changed, 45 insertions(+), 10 deletions(-)
diff --git a/Servers/Email/Mailcow.md b/Servers/Email/Mailcow.md
index 4d76791..d3ce76f 100644
--- a/Servers/Email/Mailcow.md
+++ b/Servers/Email/Mailcow.md
@@ -44,6 +44,13 @@ docker-compose up -d
 ### Reverse-Proxy Configuration
 For the purposes of this document, it will be assumed that you are deploying Mailcow behind Traefik. You can use the following dynamic configuration file to achieve this:
 ```yaml title="/srv/containers/traefik/config/dynamic/mail.bunny-lab.io.yml"
+# ========================
+# Mailcow / Traefik Config
+# ========================
+
+# ----------------------------------------------------
+# HTTP Section - Handles Mailcow web UI via Traefik
+# ----------------------------------------------------
 http:
 routers:
 mailcow-server:
@@ -60,96 +67,124 @@ http:
 - url: http://192.168.3.61:80
 passHostHeader: true
+# ----------------------------------------------------
+# TCP Section - Handles all mail protocols
+# ----------------------------------------------------
 tcp:
 routers:
+ # -----------
+ # SMTP Router (Port 25, non-TLS, all mail deliveries)
+ # -----------
 mailcow-smtp:
 entryPoints:
 - smtp
- rule: "HostSNI(`mail.bunny-lab.io`)"
+ rule: "" # Empty rule = accept ALL connections on port 25 (plain SMTP)
 service: mailcow-smtp
- tls:
- passthrough: true
+ # -----------
+ # SMTPS Router (Port 465, implicit TLS)
+ # -----------
 mailcow-smtps:
 entryPoints:
 - smtps
- rule: "HostSNI(`mail.bunny-lab.io`)"
+ rule: "HostSNI(`*`)" # Match any SNI (required for TLS)
 service: mailcow-smtps
 tls:
 passthrough: true
+ # -----------
+ # Submission Router (Port 587, implicit TLS or STARTTLS)
+ # -----------
 mailcow-submission:
 entryPoints:
 - submission
- rule: "HostSNI(`mail.bunny-lab.io`)"
+ rule: "HostSNI(`*`)" # Match any SNI (required for TLS)
 service: mailcow-submission
 tls:
 passthrough: true
+ # -----------
+ # IMAPS Router (Port 993, implicit TLS)
+ # -----------
 mailcow-imaps:
 entryPoints:
 - imaps
- rule: "HostSNI(`mail.bunny-lab.io`)"
+ rule: "HostSNI(`*`)" # Match any SNI (required for TLS)
 service: mailcow-imaps
 tls:
 passthrough: true
+ # -----------
+ # IMAP Router (Port 143, can be STARTTLS)
+ # -----------
 mailcow-imap:
 entryPoints:
 - imap
- rule: "HostSNI(`mail.bunny-lab.io`)"
+ rule: "HostSNI(`*`)" # Match any SNI (for TLS connections)
 service: mailcow-imap
 tls:
 passthrough: true
- # Optional: POP3(s)
+ # -----------
+ # POP3S Router (Port 995, implicit TLS)
+ # -----------
 mailcow-pop3s:
 entryPoints:
 - pop3s
- rule: "HostSNI(`mail.bunny-lab.io`)"
+ rule: "HostSNI(`*`)" # Match any SNI (required for TLS)
 service: mailcow-pop3s
 tls:
 passthrough: true
+ # -----------
+ # Dovecot Managesieve (Port 4190, implicit TLS)
+ # -----------
 mailcow-dovecot-managesieve:
 entryPoints:
 - pop3s
- rule: "HostSNI(`mail.bunny-lab.io`)"
+ rule: "HostSNI(`*`)" # Match any SNI (required for TLS)
 service: dovecot-managesieve
 tls:
 passthrough: true
 services:
+ # SMTP (Port 25, plain)
 mailcow-smtp:
 loadBalancer:
 servers:
 - address: "192.168.3.61:25"
+ # SMTPS (Port 465, implicit TLS)
 mailcow-smtps:
 loadBalancer:
 servers:
 - address: "192.168.3.61:465"
+ # Submission (Port 587, implicit TLS or STARTTLS)
 mailcow-submission:
 loadBalancer:
 servers:
 - address: "192.168.3.61:587"
+ # IMAPS (Port 993, implicit TLS)
 mailcow-imaps:
 loadBalancer:
 servers:
 - address: "192.168.3.61:993"
+ # IMAP (Port 143, plain/STARTTLS)
 mailcow-imap:
 loadBalancer:
 servers:
 - address: "192.168.3.61:143"
+ # POP3S (Port 995, implicit TLS)
 mailcow-pop3s:
 loadBalancer:
 servers:
 - address: "192.168.3.61:995"
+ # Dovecot Managesieve (Port 4190, implicit TLS)
 dovecot-managesieve:
 loadBalancer:
 servers: