--- tags: * Mailcow * Email * Docker --- !!! warning "Under Construction" The deployment of Mailcow is mostly correct here. Mail protocol ports should be forwarded directly to the Mailcow server from the firewall. Traefik should only sit in front of Mailcow for web traffic, and it should pass HTTPS through transparently so Mailcow can manage and serve its own certificates. ## Purpose The purpose of this document is to illustrate how to deploy Mailcow in a dockerized format. !!! note "Assumptions" It is assumed that you are deploying Mailcow into an existing Ubuntu Server environment. If you are using a different operating system, refer to the [official documentation](https://docs.mailcow.email/getstarted/install/). ### Setting Up Docker Go ahead and set up docker and docker-compose with the following commands: ```bash sudo su # (1) curl -sSL https://get.docker.com/ | CHANNEL=stable sh # (2) apt install docker-compose-plugin # (3) systemctl enable --now docker # (4) ``` 1. Make yourself root. 2. Install `Docker` 3. Install `Docker-Compose` 4. Make docker run automatically when the server is booted. ### Download and Deploy Mailcow Run the following commands to pull down the mailcow deployment files and install them with docker. Go get a cup of coffee as the `docker compose pull` command may take a while to run. !!! note "Potential `Docker Compose` Issues" If you run the `docker-compose pull` command and it fails for some reason, change the command to `docker compose pull` instead. This is just the difference between the plugin version of compose versus the standalone version. Both will have the same result. ```bash cd /opt git clone https://github.com/mailcow/mailcow-dockerized cd mailcow-dockerized ./generate_config.sh # (1) docker-compose pull # (2) docker-compose up -d ``` 1. Generate a configuration file. Use a FQDN (`host.domain.tld`) as hostname when asked. 2. If you get an error about the ports of the `nginx-mailcow` service in the `docker-compose.yml` stack, change the ports for that service as follows: ```yaml ports: - "${HTTPS_BIND:-0.0.0.0}:${HTTPS_PORT:-443}:${HTTPS_PORT:-443}" - "${HTTP_BIND:-0.0.0.0}:${HTTP_PORT:-80}:${HTTP_PORT:-80}" ``` ### Firewall / NAT Configuration Forward Mailcow service ports as follows: ```text WAN :80 -> Traefik :80 WAN :443 -> Traefik :443 WAN :25 -> Mailcow :25 WAN :465 -> Mailcow :465 WAN :587 -> Mailcow :587 WAN :993 -> Mailcow :993 WAN :995 -> Mailcow :995 WAN :110 -> Mailcow :110 WAN :143 -> Mailcow :143 WAN :4190 -> Mailcow :4190 ``` Mail protocol ports should be sent directly to the Mailcow server. Traefik should not terminate or proxy the SMTP, SMTPS, Submission, IMAP, IMAPS, POP3, POP3S, or ManageSieve ports. ### Reverse-Proxy Configuration For the purposes of this document, it will be assumed that you are deploying Mailcow behind Traefik for web traffic only. Traefik should pass HTTPS through transparently, allowing Mailcow to manage and serve its own certificates. You can use the following dynamic configuration file to achieve this: ```yaml title="/srv/containers/traefik/config/dynamic/mail.bunny-lab.io.yml" # ===================================================================== # Mailcow / Traefik Dynamic Configuration # Hostname: mail.bunny-lab.io # # Mailcow owns certificates. # Traefik forwards HTTP and passes HTTPS through. # Mail protocol ports are handled directly by pfSense -> Mailcow. # ===================================================================== http: routers: mailcow-http: entryPoints: - web rule: Host(`mail.bunny-lab.io`) service: mailcow-http priority: 100 services: mailcow-http: loadBalancer: passHostHeader: true servers: - url: "http://192.168.3.61:80" tcp: routers: mailcow-https-passthrough: entryPoints: - websecure rule: HostSNI(`mail.bunny-lab.io`) service: mailcow-https tls: passthrough: true services: mailcow-https: loadBalancer: servers: - address: "192.168.3.61:443" ``` ### Traefik-Specific Configuration Traefik only needs the standard HTTP and HTTPS entrypoints for Mailcow web traffic. Mail protocol ports should not be exposed through Traefik if the firewall is forwarding those ports directly to Mailcow. ```yaml #Entrypoints - "--entrypoints.web.address=:80" - "--entrypoints.websecure.address=:443" #Ports - "80:80" - "443:443" ``` Do not add Mailcow mail protocol entrypoints or port bindings to Traefik unless you intentionally want Traefik to proxy those ports. ### Certificate Validation Mailcow should manage and serve the certificate for `mail.bunny-lab.io`. To verify the active Mailcow certificate on disk, run the following on the Mailcow server: ```bash cd /opt/mailcow-dockerized openssl x509 \ -in /opt/mailcow-dockerized/data/assets/ssl/cert.pem \ -noout -subject -issuer -dates -serial -fingerprint -sha256 ``` If the certificate has renewed but services are still presenting an old certificate, restart the Mailcow services that serve TLS: ```bash cd /opt/mailcow-dockerized docker compose restart postfix-mailcow dovecot-mailcow nginx-mailcow ``` ### Login to Mailcow At this point, the Mailcow server has been deployed so you can log into it. * **Administrators**: `https://${MAILCOW_HOSTNAME}/admin` (Username: `admin` | Password: `moohoo`) * **Regular Mailbox Users**: `https://${MAILCOW_HOSTNAME}` (*FQDN only*) ### Mail-Client Considerations You need to ensure that you generate an app password if you have MFA enabled within Mailcow. (MFA is non-functional in Roundcube/SoGo, you set it up via Mailcow itself). You can access it via the Mailcow configuration page: https://mail.bunny-lab.io/user, then look for the "**App Passwords**" tab. ### Running Updates If you want to run updates, just SSH into the server, and navigate to `/opt/mailcow-dockerized` and run `./update.sh`. I recommend avoiding the IPv6 implementation section. Be patient, and the upgrade will be fully-automated.