Mailcow-dockerized: Reverse Proxy in different network

Im also interested in how to use the jwilder image with mailcow. The docs are not sufficient on how to reverse proxy mailcow. There are many issues here regarding proxying mailcow. Why not inculde proxy already with mailcow so users dont stumble here?

There are a lot of issues which happen due to misconfiguration.

We actually use Nginx as reverse proxy for all mailcow services. It is up to each user to reverse-proxy to his mailcow instance from whereever. So there is no reason to include another reverse proxy in mailcow.

I don't see our docs to be not sufficient. :/ Using a reverse proxy inside Docker to proxy to mailcows reverse proxy could be a guide in the docs. :P

I didnt want to imply that the docs are lacking information. Just wanted a hint, how to configure the whole thing in a clean way, so that I dont run into problems with the next update.

to set it up with the jwilder image, I set it up using the following docker-compose,yml:

version: '2'
services:
  frontproxy:
    image: jwilder/nginx-proxy:alpine
    container_name: frontproxy
    restart: always
    environment:
      DEFAULT_HOST: default.vhost
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./vhosts.d/mydomain.domain.conf:/etc/nginx/conf.d/my_proxy.conf:ro
      - /usr/share/nginx/html
      - ./certs:/etc/nginx/certs
      - /var/run/docker.sock:/tmp/docker.sock:ro

  letsencrypt-nginx-proxy:
    image: 'jrcs/letsencrypt-nginx-proxy-companion'
    container_name: letsencrypt-nginx-proxy
    volumes:
      - ./certs:/etc/nginx/certs
      - '/var/run/docker.sock:/var/run/docker.sock:ro'
    volumes_from:
      - frontproxy

then, in the .. dir, I put mailcow-dockerized into a folder called mail.mydomain.domain, and modified the configuration a little bit (added just the differences):

nginx-mailcow:
      environment:
        - LETSENCRYPT_HOST=mail.mydomain.domain
        - [email protected]
        - VIRTUAL_HOST=mail.mydomain.domain
        - VIRTUAL_PORT=80
        - HTTPS_PORT=${HTTPS_PORT:-443}
        - HTTP_PORT=${HTTP_PORT:-80}
        - MAILCOW_HOSTNAME=${MAILCOW_HOSTNAME}
      #ports:
      #  - "${HTTPS_BIND:-0.0.0.0}:${HTTPS_PORT:-443}:${HTTPS_PORT:-443}"
      #  - "${HTTP_BIND:-0.0.0.0}:${HTTP_PORT:-80}:${HTTP_PORT:-80}"
      expose:
         - "80"
      networks:
        mailcow-network:
          ipv4_address: 172.22.1.251
          aliases:
            - nginx
        frontproxy_default:
          aliases:
            - mail.mydomain.domain

networks:
  frontproxy_default:
    external: true

hope this is sufficient to set it up. It actually works quite well, although im afraid, that it breaks with the next mailcow update, since im messing around with the compose configuration...

@Reitz86 I'm trying almost the same setup, but I'm going with the docs and added custom server in the nginx.tmpl. My Problem is Letsencrypt not creating the certificate, how is yours working?

I'm just in another issue:
https://github.com/mailcow/mailcow-dockerized/issues/341#issuecomment-331707354

@Reitz86 How does your vhosts.d/mydomain.domain.conf file looks like? For me it doesn't work yet,i'm still getting connection refused messages like you in your first message.

@rotlaus @Reitz86 Did you get it to work?

Here are my settings. Mine is finally working!

Environment:
jwilder proxy (https://github.com/evertramos/docker-compose-letsencrypt-nginx-proxy-companion)

./vhost.d/domain_location (plus subdomains used by mailcow)

proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
client_max_body_size 100m;

Mailcow docker-compose.yml (only changes)

nginx-mailcow:
  environment:
    - VIRTUAL_HOST=${MAILCOW_HOSTNAME},${ADDITIONAL_SAN}
    - VIRTUAL_PORT=8080
    - LETSENCRYPT_HOST=${MAILCOW_HOSTNAME},${ADDITIONAL_SAN}
    - LETSENCRYPT_EMAIL={LETSENCRYPT_EMAIL}
    - HTTPS_PORT=${HTTPS_PORT:-443}
    - HTTP_PORT=${HTTP_PORT:-80}
    - MAILCOW_HOSTNAME=${MAILCOW_HOSTNAME}
  networks:
    mailcow-network:
      ipv4_address: 172.22.1.251
      aliases:
        - nginx
    webproxy:

 networks:
   mailcow-network:
     driver: bridge
     enable_ipv6: true
     ipam:
       driver: default
       config:
         - subnet: 172.22.1.0/24
         - subnet: fd4d:6169:6c63:6f77::/64
   webproxy:
     external:
       name: webproxy

The one problem I still had, is that mailcow didn't forward my real IP, but I found out why.
Nginx is only accepting the IP from a certain IP-Address. So I had to add my own proxy subnet.
After starting the nginx docker execute: docker network inspect {your proxy networkname}

[
    {
        "Name": "webproxy",
        "Id": "15a8c8f",
        "Created": "2018-01-10T18:26:23.951855433+01:00",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": {},
            "Config": [
                {
                    "Subnet": "172.18.0.0/16",
                    "Gateway": "172.18.0.1"
                }
            ]
        },

Then you can add your Subnet to the Mailcow nginx.conf (data/conf/nginx/site.conf)

# If behind reverse proxy, forwards the correct IP
set_real_ip_from 172.22.1.1;
set_real_ip_from 172.18.0.0/16; (added at two points in this config)
real_ip_header X-Forwarded-For;
real_ip_recursive on;

You can test this setup easily, when visiting https://{mailcow-domain}/rspamd/ .
At first you can type any password and after adding the set_real_ip_from it's protected, like it should be.

Hope this helps anyone trying to use Mailcow behind another Proxy.

Edited:
Well I disabled LetEncrypt in my Mailcow.conf, had to copy the generated certificates from my letsencrypt proxy over to mailcow tho. Isn't perfect yet.

@andryyy would it be worthwhile modifying the guide at https://mailcow.github.io/mailcow-dockerized-docs/firststeps-rp/ for an explicit set of rules for ActiveSync?

I've noticed regular 504's on the frontend reverse proxy which result in 499's in mailcow's instance of nginx, on ActiveSync Ping's.
Perhaps configuring some of the timeout settings on the /Microsoft-Server-ActiveSync location in the frontend reverse proxy to ensure values are consistent?

Just to add a little more information and value here, I've included some snippets to explain what I mean.
nginx reverse proxy config:

server {
    server_name mail.example.com autodiscover.example.com;
    listen 443 ssl http2;
    include /config/nginx/options-ssl.conf;

    location ~ /\. {
        access_log off;
        log_not_found off;
        deny all;
    }

    location / {
        proxy_pass http://host:9000/;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        client_max_body_size 100m;
    }
}

nginx reverse proxy log:

xxx.xxx.xxx.xxx - [email protected] [06/Feb/2018:13:47:39 +1100] "POST /[email protected]&DeviceId=SKMHDAGKID1I72NVQEK44VMPMO&DeviceType=iPhone&Cmd=Ping HTTP/2.0" 504 183 "-" "Apple-iPhone10C3/1503.202"

nginx-mailcow log:

nginx-mailcow_1      | xxx.xxx.xxx.xxx - [email protected] [06/Feb/2018:02:27:40 +0000] "POST /[email protected]&DeviceId=SKMHDAGKID1I72NVQEK44VMPMO&DeviceType=iPhone&Cmd=Ping HTTP/1.0" 499 0 "-" "Apple-iPhone10C3/1503.202"

Would adding in an extra location block similarly or perhaps identical to the ActiveSync config in mailcow-nginx here:

location ^~ /Microsoft-Server-ActiveSync {
proxy_pass http://host:9000/SOGo/Microsoft-Server-ActiveSync;
proxy_connect_timeout 1000;
proxy_send_timeout 1000;
proxy_read_timeout 1000;

Atleast have consistent configuration for ActiveSync which seems to have different options associated with the location to pass-through?
I'm not sure if the above settings are the respective ones that would have a significant bearing, perhaps you might have some feedback and we can update the guides?

@denis-ev

I had to change the following in the current Mailcow version

Environment:
jwilder proxy (https://github.com/evertramos/docker-compose-letsencrypt-nginx-proxy-companion)

..(proxydir).../vhost.d/# (# = "default_location" or "yourdomain.de_location" (for each domain))
https://github.com/jwilder/nginx-proxy
https://mailcow.github.io/mailcow-dockerized-docs/firststeps-rp/#nginx

proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
client_max_body_size 100m;

../mailcow-dockerized/docker-compose.override.yml
"webproxy" is the network from docker-compose-letsencrypt-nginx-proxy-companion.

version: '2.1'
services:

    nginx-mailcow:
      environment:
        - LETSENCRYPT_HOST=${MAILCOW_HOSTNAME},${ADDITIONAL_SAN}
        - LETSENCRYPT_EMAIL=${LETSENCRYPT_EMAIL}
        - VIRTUAL_HOST=${MAILCOW_HOSTNAME},${ADDITIONAL_SAN}
        - VIRTUAL_PROTO=http 
        - VIRTUAL_PORT=80
      networks:
        webproxy:


networks:
  webproxy:
    external:
      name: webproxy

../mailcow-dockerized/docker-compose.yml
disable HTTPS and HTTP port, i have no idea how to overwrite this

    nginx-mailcow:
   .....
#      ports:
#        - "${HTTPS_BIND:-0.0.0.0}:${HTTPS_PORT:-443}:${HTTPS_PORT:-443}"
#        - "${HTTP_BIND:-0.0.0.0}:${HTTP_PORT:-80}:${HTTP_PORT:-80}"

../mailcow-dockerized/mailcow.conf
"LETSENCRYPT_EMAIL" is a new variable

[email protected]

../mailcow-dockerized/data/conf/nginx/site.conf
http to https redirect must be disabled.
Please also deactivate the Strict-Transport-Security header in the http section, otherwise there will be an duplicate HSTS header error on https://www.ssllabs.com/ssltest

#server {
#  listen 80 default_server;
#  listen [::]:80 default_server;
#  include /etc/nginx/conf.d/server_name.active;
#  return 301 https://$host$request_uri;
#}


server {
  include /etc/nginx/mime.types;
  charset utf-8;
  override_charset on;

# add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
  add_header X-Content-Type-Options nosniff;

This is really cumbersome. I set up a somewhat working setup with heavily modifying nearly all of the config files and I doubt it will survive a few updates of mailcow.

I'd really like the option to run this behind JrCs/docker-letsencrypt-nginx-proxy-companion without changing half of the service definitions.

Hey Crack Duck,
I got it working behind the proxy without changing too much. It already survived a couple of updates.
I can’t access it right now, but I can let you know what I’ve changed if you want. But it’ll be Saturday or Sunday.
Let me know.

Best,
Denis

Am 23.05.2018 um 21:08 schrieb Crack Duck notifications@github.com:

This is really cumbersome. I set up a somewhat working setup with heavily modifying nearly all of the config files and I doubt it will survive a few updates of mailcow.

I'd really like the option to run this behind JrCs/docker-letsencrypt-nginx-proxy-companion without changing half of the service definitions.

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub, or mute the thread.

@denis-ev that would be absolutely lovely. Do you still need to copy the LE certs around to use them for the mail server? I solved that with mounting the certificates into a shared volume, but unfortunately that made some changes necessary…

@denis-ev hate to annoy you, but can you access your changes and post them ITT? They might help some people. I tried to set this up myself and it works but I had to completely rewrite my docker-compose.yml – I'll do some clean-up and post it here, too.

Maybe if we find out how to make mailcow-dockerized more modular we can even create a PR and make the mailcow devs consider supporting it officially.

@n1trux sorry man, totally forgot to post it. Thanks for reminding me!

So this is a little cheaterfile to keep the certificate renewed.

update_ssl.sh (just run as cron, didn't find a cleaner way yet)

rm /root/docker/mailcow-dockerized/data/assets/ssl/key.pem
cp  /root/docker/proxy/data/certs/{domain}/key.pem /root/docker/mailcow-dockerized/data/assets/ssl/key.pem -f
rm /root/docker/mailcow-dockerized/data/assets/ssl/cert.pem
cp  /root/docker/proxy/data/certs/{domain}/fullchain.pem /root/docker/mailcow-dockerized/data/assets/ssl/cert.pem -f

jwilder-proxy (https://github.com/evertramos/docker-compose-letsencrypt-nginx-proxy-companion.git)

/data/vhost/{domain}_location (repeat for every SAN or use ln -s)

proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
client_max_body_size 100m;

mailcow-dockerized
docker-compose.override.yml

version: '2.1'
services:

    nginx-mailcow:
      environment:
        - VIRTUAL_HOST=${MAILCOW_HOSTNAME},${ADDITIONAL_SAN}
        - VIRTUAL_PORT=8080
        - LETSENCRYPT_HOST=${MAILCOW_HOSTNAME},${ADDITIONAL_SAN}
        - LETSENCRYPT_EMAIL={email-address}
      networks:
        webproxy:
          ipv4_address: 172.18.0.6

    postfix-mailcow:
      networks:
         webproxy:
          ipv4_address: 172.18.0.7

networks:
  webproxy:
    external:
      name: webproxy

mailcow.conf (only changes shown)

# You should use HTTPS, but in case of SSL offloaded reverse proxies:
HTTP_PORT=8080
HTTP_BIND=127.0.0.1

HTTPS_PORT=9443
HTTPS_BIND=127.0.0.1

# Skip running ACME (acme-mailcow, Let's Encrypt certs) - y/n
SKIP_LETS_ENCRYPT=y

uncomment in /data/nginx/site.conf (my HSTS is forced by jwilder-proxy, otherwise it would be double)

#  add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";

I'm not quite sure if I forgot something, just let me know.

Best of luck
Denis

I'm also trying to add mailcow dockerized in my nginx-proxy environment where I already have apps and a blog running.

I'm using docker-machine and cloned this repo on my Mac. After having generated the config file, where I changed the SKIP_LETS_ENCRYPT to y, and the HTTP_PORT and HTTP_PORT, I'm now building a docker-compose.override.yml file in order to avoid conflicts on updates.

Here is my docker-compose.override.yml :

version: '2.1'
services:
  unbound-mailcow:
    build: ''
    volumes:
      - /opt/mailcow-dockerized/data/conf/unbound/unbound.conf:/etc/unbound/unbound.conf:ro
    networks:
      default:

  mysql-mailcow:
    volumes:
      - /opt/mailcow-dockerized/data/conf/mysql/:/etc/mysql/conf.d/:ro
    networks:
      default:

  redis-mailcow:
    networks:
      default:

  clamd-mailcow:
    build: ''
    volumes:
      - /opt/mailcow-dockerized/data/conf/clamav/:/etc/clamav/
    networks:
      default:

  rspamd-mailcow:
    build: ''
    volumes:
      - /opt/mailcow-dockerized/data/conf/rspamd/custom/:/etc/rspamd/custom:ro
      - /opt/mailcow-dockerized/data/conf/rspamd/override.d/:/etc/rspamd/override.d:rw
      - /opt/mailcow-dockerized/data/conf/rspamd/local.d/:/etc/rspamd/local.d:ro
      - /opt/mailcow-dockerized/data/conf/rspamd/lua/:/etc/rspamd/lua/:ro
    networks:
      default:

  php-fpm-mailcow:
    build: ''
    volumes:
      - /opt/mailcow-dockerized/data/web:/web:rw
      - /opt/mailcow-dockerized/data/conf/rspamd/dynmaps:/dynmaps:ro
      - /opt/mailcow-dockerized/data/conf/rspamd/meta_exporter:/meta_exporter:ro
      - /opt/mailcow-dockerized/data/conf/phpfpm/php-fpm.d/pools.conf:/usr/local/etc/php-fpm.d/z-pools.conf
      - /opt/mailcow-dockerized/data/conf/phpfpm/php-conf.d/opcache-recommended.ini:/usr/local/etc/php/conf.d/opcache-recommended.ini
      - /opt/mailcow-dockerized/data/conf/phpfpm/php-conf.d/upload.ini:/usr/local/etc/php/conf.d/upload.ini
      - /opt/mailcow-dockerized/data/conf/phpfpm/php-conf.d/other.ini:/usr/local/etc/php/conf.d/zzz-other.ini
    networks:
      default:

  sogo-mailcow:
    build: ''
    volumes:
      - /opt/mailcow-dockerized/data/conf/sogo/:/etc/sogo/
    networks:
      default:

  dovecot-mailcow:
    build: ''
    volumes:
      - /opt/mailcow-dockerized/data/conf/dovecot:/usr/local/etc/dovecot
      - /opt/mailcow-dockerized/data/assets/ssl:/etc/ssl/mail/:ro
      - /opt/mailcow-dockerized/data/conf/sogo/:/etc/sogo/
    networks:
      default:

  postfix-mailcow:
    build: ''
    volumes:
      - /opt/mailcow-dockerized/data/conf/postfix:/opt/postfix/conf
      - /opt/mailcow-dockerized/data/assets/ssl:/etc/ssl/mail/:ro
    networks:
      default:

  memcached-mailcow:
    networks:
      default:

  nginx-mailcow:
    build: ''
    volumes:
      - /opt/mailcow-dockerized/data/web:/web:ro
      - /opt/mailcow-dockerized/data/conf/rspamd/dynmaps:/dynmaps:ro
      - /opt/mailcow-dockerized/data/assets/ssl/:/etc/ssl/mail/:ro
      - /opt/mailcow-dockerized/data/conf/nginx/:/etc/nginx/conf.d/:rw
      - /opt/mailcow-dockerized/data/conf/rspamd/meta_exporter:/meta_exporter:ro
    environment:
      - [email protected]
      - LETSENCRYPT_HOST=${MAILCOW_HOSTNAME}
      - VIRTUAL_HOST=${MAILCOW_HOSTNAME}
    networks:
      default:

  acme-mailcow:
    build: ''
    volumes:
      - /opt/mailcow-dockerized/data/web/.well-known/acme-challenge:/var/www/acme:rw
      - /opt/mailcow-dockerized/data/assets/ssl:/var/lib/acme/:rw
      - /opt/mailcow-dockerized/data/assets/ssl-example:/var/lib/ssl-example/:ro
    networks:
      default:

  netfilter-mailcow:
    build: ''

  watchdog-mailcow:
    build: ''
    networks:
      default:

  dockerapi-mailcow:
    build: ''
    volumes:
      - /opt/mailcow-dockerized/data/conf/rspamd/override.d/worker-controller-password.inc:/access.inc:rw
    networks:
      default:

networks:
  default:
    external:
      name: webproxy

It is currently doing the following :

• Removing all the build instructions
• Replacing all the ./data by /opt/mailcow-dockerized/data
• Forces all the services to use the default network defined at the bottom of the file (following what has been said on this issue)
• Adds to the nginx-mailcow service the LETSENCRYPT_EMAIL, LETSENCRYPT_HOST and VIRTUAL_HOST environment variable so that my nginx-proxy will map the domain to the container, and the letsencrypt-nginx-proxy-companion will create and maintain a free LetsEncrypt SSL certificate
• Connects to the default webproxy network of my nginx-proxy instance.

So I'd like to know how to update my config so that I can reach the Mailcow UI?

Closed? 🤔 What is the solution @andryyy that I should use ?

I closed some old issues to clean up.

Search for @bplein - he did some research and posted his results. Many thanks again, Bill.

Hi,
has anyone an actually working solution?

I try to build a machine with mailcow-dockerized and 3 Wordpress instances all connected through nginx reverse proxy.

• the mailcow is then mail.domain.com (imap, sogo...)
• Wordpress1 is www.domain1.com (just WP)
• Wordpress2 is www.domain2.com (just WP)
• Wordpress3 is www.domain3.com (just WP)

kind regards Stefan

Mine is working EXCEPT that I do not know what will happen when the certificate is renewed... will find out sooner or later.

see https://github.com/mailcow/mailcow-dockerized/issues/1657

Can this be added to the documentation?

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

I can’t get it to work anyone?

here's my setup: I have nginx-proxy with the Letsencrypt Companion installed in a different directory, and refer to it in the override file. I point at its certificate directory.

docker-compose.override.yml

version: '2.1'
services:
    clamd-mailcow:
      mem_limit: 1G
    redis-mailcow:
      mem_limit: 1G
    solr-mailcow:
      mem_limit: 1G
    portainer-mailcow:
      image: portainer/portainer
      volumes:
        - /var/run/docker.sock:/var/run/docker.sock
        - ./data/conf/portainer:/data
      restart: always
      dns:
        - 172.22.1.254
      dns_search: mailcow-network
      networks:
        mailcow-network:
          aliases:
            - portainer
    nginx-mailcow:
      networks:
        proxy-tier:
      environment:
        - VIRTUAL_HOST=${MAILCOW_HOSTNAME},${ADDITIONAL_SAN}
        - VIRTUAL_PORT=9080
        - LETSENCRYPT_HOST=${MAILCOW_HOSTNAME},${ADDITIONAL_SAN}
        - [email protected]
    dovecot-mailcow:
      volumes:
        - ../nginx-proxy/certs/${MAILCOW_HOSTNAME}:/etc/ssl/mail/
        - ../nginx-proxy/certs/dhparam.pem:/etc/ssl/mail/dhparams.pem:ro
    postfix-mailcow:
      volumes:
        - ../nginx-proxy/certs/${MAILCOW_HOSTNAME}/fullchain.pem:/etc/ssl/mail/cert.pem:ro
        - ../nginx-proxy/certs/${MAILCOW_HOSTNAME}/key.pem:/etc/ssl/mail/key.pem:ro

volumes:
  vmail-vol-1:
    driver_opts:
      type: none
      device: /data/mailcow/vmail
      o: bind
  mysql-vol-1:
    driver_opts:
      type: none
      device: /data/mailcow/mysql
      o: bind
  redis-vol-1:
    driver_opts:
      type: none
      device: /data/mailcow/redis
      o: bind
  rspamd-vol-1:
    driver_opts:
      type: none
      device: /data/mailcow/rspamd
      o: bind
  postfix-vol-1:
    driver_opts:
      type: none
      device: /data/mailcow/postfix
      o: bind
  crypt-vol-1:
    driver_opts:
      type: none
      device: /data/mailcow/crypt
      o: bind
  rspamd-sock:
    driver_opts:
      type: none
      device: /data/mailcow/rspamd-sock
      o: bind
networks:
  proxy-tier:
    external:
      name: nginx-proxy