Host Mailcow with Traefik reverse Proxy

How do I host securely my Mailcow Server in Docker?

Traefik

Traefik is a reverse proxy for docker container that organises the network trafic und updates the https certificates.

Scope of this Tutorial

• Install Docker
• Download Mailcow
• Setup docker-compose.override
• Launch Mailcow
• Add DNS Entrys

Install Docker & Git

Arch

yay -S docker docker-compose git

Ubuntu

curl -fsSL https://get.docker.com -o get-docker.sh
sh get-docker.sh
sudo apt-get install git

Start & Enable Docker service

sudo systemctl start docker
sudo sysyemctl enable docker

Download Mailcow

In the next step we'll clone the Mailcow git Repoisitory.

Clone Git Repoisitory

git clone https://github.com/mailcow/mailcow-dockerized /opt

Change directory to /opt/mailcow-dockerized

cd /opt/mailcow-dockerized

Generate config

./generate_config.sh

Remove exposed ports from Mailcow Docker-Compose File

nginx-mailcow:
...
      #ports:
        #- "${HTTPS_BIND:-0.0.0.0}:${HTTPS_PORT:-443}:${HTTPS_PORT:-443}"
        #- "${HTTP_BIND:-0.0.0.0}:${HTTP_PORT:-80}:${HTTP_PORT:-80}"

Create Docker-Compose Override

	version: '2.1'
	services:
	nginx-mailcow:
	labels:
	- "traefik.enable=true"
	- "traefik.http.routers.nginx-mailcow.entrypoints=web"
	- "traefik.http.routers.nginx-mailcow.rule=HostRegexp(`{host:(autodiscover|autoconfig|webmail|mail|email).+}`)"
	- "traefik.http.middlewares.nginx-mailcow-https-redirect.redirectscheme.scheme=https"
	- "traefik.http.routers.nginx-mailcow.middlewares=nginx-mailcow-https-redirect"
	- "traefik.http.routers.nginx-mailcow-secure.entrypoints=web-secure"
	- "traefik.http.routers.nginx-mailcow-secure.rule=Host(`mail.example.de`)" # YOUR EMAIL SUBDMAIN
	- "traefik.http.routers.nginx-mailcow-secure.tls=true"
	- "traefik.http.routers.registry-secured.tls.certresolver=myCertResolver" # ADD your Certresolver here
	- "traefik.http.routers.nginx-mailcow-secure.service=nginx-mailcow"
	- "traefik.http.services.nginx-mailcow.loadbalancer.server.port=80"
	- "traefik.docker.network=main"
	networks:
	main:
	certdumper:
	image: humenius/traefik-certs-dumper
	container_name: traefik_certdumper
	restart: unless-stopped
	network_mode: none
	command: --restart-containers mailcowdockerized_postfix-mailcow_1,mailcowdockerized_dovecot-mailcow_1
	volumes:
	# mount the folder which contains Traefik's `acme.json' file
	# in this case Traefik is started from its own docker-compose in ../traefik
	- /home/niklas/letsencrypt:/traefik:ro
	# mount mailcow's SSL folder
	- /var/run/docker.sock:/var/run/docker.sock:ro
	- ./data/assets/ssl:/output:rw
	environment:
	- DOMAIN=mail.example.de # YOUR EMAIL SUBDOMAIN HERE
	networks:
	main: # YOUR TRAEFIK NETWORK HERE
	external: true

view raw docker-compose.override.yml hosted with ❤ by GitHub

Download Docker-Compose.Override

wget https://gist.githubusercontent.com/corusm/063de56d133aa688f9d36a82bd78e607/raw/cdb03c2c5ef8b2ee62808a04b3aff935ab1e02e7/docker-compose.override.yml

Edit File

Now edit the File in line 12, 33, 35 as in the comments explained.

Edit Mailcow.conf

1. Change SKIP_LETS_ENCRYPT=n to SKIP_LETS_ENCRYPT=y
2. Change SKIP_CLAMD=n to SKIP_CLAMD=y

Add your subdomain mail.example.com to the certs file

Therefore we must run a test docker-compose.yml file, because I haven't got a different solution yet to create the certs for the new domain.

	version: '3.7'
	networks:
	main:
	external: true
	services:
	whoami:
	image: "containous/whoami"
	container_name: Traefik-whoami-main
	restart: always
	networks:
	- "main"
	labels:
	- traefik.enable=true
	- traefik.http.routers.whoami.rule=Host(`mail.example.com`) # Change to your email subdomain
	- traefik.http.routers.whoami.entrypoints=web
	- traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https
	- traefik.http.routers.whoami.middlewares=redirect-to-https@docker
	- traefik.http.routers.whoami-secured.rule=Host(`mail.example.com`) # Change to your email subdomain
	- traefik.http.routers.whoami-secured.tls=true
	- traefik.http.routers.whoami-secured.tls.certresolver=myhttpchallenge
	- traefik.http.routers.whoami-secured.entrypoints=web-secure

view raw docker-compose.yml hosted with ❤ by GitHub

1. Make directory newcerts
2. Download this git in the directory wget https://gist.githubusercontent.com/corusm/f36fc12022668ee1972f004fd46385f6/raw/9da0364cd40deb4ebac50a173cedae0c636f218c/docker-compose.yml
3. Change Commented Values to your mail.example.com
4. Run Docker-Compose sudo docker-compose up --force-recreate
5. Wait until container is running
6. Stop Docker-Compose ctrl + c

Now run the Mailcow Server

• Go back to the Mailcow Directory /opt/mailcow-dockerized

Run Docker-Compose

sudo docker-compose up

If you are done with this tutorial you can add the -d flag to run docker compose in the background.

Open mail.example.com

Start configuring your Mailcow Server!

Configure Mailcow

Goto Configuration > Mail Setup

Add Domain

Goto Configuration > Mail Setup > Domains

Add Mailbox (E-Mail Adress)

Goto Configuration > Mail Setup > Mailbox

Open Webmail

https://mail.example.com/SOGo

Login

User: user@domain.com

Add DNS Config

Add DMARC Entry

_dmarc.domain.com. TXT 3600 "v=DMARC1;p=none;rua=mailto:postmaster@domain.com;ruf=mailto:postmaster@domain.com"

Add MX Entry

domain.de MX 3600 10 mail.example.com

Add DKIM Entry

• Goto Configuration > ARC/DKIM-Keys
• Add ARC/DKIM key
• Copy Private Key to DNS Server

dkim._domainkey.corusm.de. TXT 3600 YOUR_DKIM_KEY

INFO

It takes some time for the DNS Servers to spread the information. Give this process some time!

Check the Spammyness of your email

https://www.mail-tester.com/

1. Open the Website
2. Send E-Mail to this address
3. Get the review!

YOU'RE DONE!

Comments

[Maty]

Hello. My container gets stuck on: Waiting for database to come up... Any fix?