They are used for all secured transfers in Dovecot, Postfix and Nginx.

Set SKIP_LETS_ENCRYPT=y in mailcow.conf and run docker-compose up -d.
Hard links seem not to work for some setups (depends on your storage driver in Docker, I think). Just copy the files to data/assets/ssl as described in the docs. Symlinks will never work, don't try that. :-)

Restart nginx-mailcow, postfix-mailcow and dovecot-mailcow after copying the files. It is pretty much that. Just copy the files and restart the services.

Ok, I will try an actual copy. 👍Do you have any advice on how I could handle automatic certificate updates with certbot when using a copy?
Oh and yes, I forgot to mention that I already configured SKIP_LETS_ENCRYPT=y...

I still get the warning by my email client after using a copy of the certificate. Which domains should be included in the certificate for it to work? Maybe I missed some?

I have in my

docker-compose.override.yml

version: '2.1'
services:
    dovecot-mailcow:
      volumes:
        - ./data/assets/ssl:/etc/ssl/mail/:rw
        - /opt/data/nginx/certs/fullchain.pem:/etc/ssl/mail/cert.pem:ro
        - /opt/data/nginx/certs/key.pem:/etc/ssl/mail/key.pem:ro
        - /opt/data/nginx/certs/dhparam.pem:/etc/ssl/mail/dhparams.pem:ro
    postfix-mailcow:
      volumes:
        - ./data/assets/ssl:/etc/ssl/mail/:rw
        - /opt/data/nginx/certs/fullchain.pem:/etc/ssl/mail/cert.pem:ro
        - /opt/data/nginx/certs/key.pem:/etc/ssl/mail/key.pem:ro
        - /opt/data/nginx/certs/dhparam.pem:/etc/ssl/mail/dhparams.pem:ro
    nginx-mailcow:
      volumes:
        - ./data/assets/ssl:/etc/ssl/mail/:rw
        - /opt/data/nginx/certs/fullchain.pem:/etc/ssl/mail/cert.pem:ro
        - /opt/data/nginx/certs/key.pem:/etc/ssl/mail/key.pem:ro
        - /opt/data/nginx/certs/dhparam.pem:/etc/ssl/mail/dhparams.pem:ro

so you can use certbot or any other renewer.

@daschxx could you please explain this? I am new to docker and not really understand it.

What is stored in etc/ssl/mail?

My letsencrypt certs are stored in /etc/letsencrypt/live/domain/*

Are your stuff is based in /opt/data/nginx/?

Sorry I just got confused.

Is there any issue of certbot updates the certificates?

Looking forward to your answer! Thx

Yes my letsencrypt certs are stored in /opt/data/nginx/certs
I think you have to use:
```
...
dovecot-mailcow:
volumes:
- ./data/assets/ssl:/etc/ssl/mail/:rw
- /etc/letsencrypt/live/domain/domain.org/fullchain.pem:/etc/ssl/mail/cert.pem:ro
- /etc/letsencrypt/live/domain/domain.org/key.pem:/etc/ssl/mail/key.pem:ro
- /etc/letsencrypt/live/domain/domain.org/dhparam.pem:/etc/ssl/mail/dhparams.pem:ro
...

And turn off mailcows lets encrypt container in mailcow.conf:

Skip running ACME (acme-mailcow, Let's Encrypt certs) - y/n

SKIP_LETS_ENCRYPT=y
```

Hey thx for your answer!

If I understand it right, you replace the original path for ssl certificates (data/assets/ssl) with /etc/ssl/mail
and than you copy the letsencrypt files into it?

But what to do, if the certificates will get renewed?

I now just use the --post-hook to cp the files into /data/assets/ssl and than restart die postfix and devecote container.

I also changed from the standard certbot to the backport version 0.25, so I can use --reuse-key and don't have to re-edit the TLSA DNS records

But if your way works, without restarting the containers, I would like to give it a try!
Can I use --reuse-key within the acme container?

You need to restart the containers either way. Mounting the certificate path into the container just gets rid of having to copy the certificate.

The ACME container does not use certbot, but it does reuse the key.

Hab dies auch probiert. Bekomme aber diesen Fehler.

ERROR: for b5dd35b8e5fb_mailcowdockerized_postfix-mailcow_1 Cannot start service postfix-mailcow: OCI runtime create failed: container_linux.go:348: starting container process caused "process_linux.go:402: container init caused \"rootfs_linux.go:58: mounting \\\"/opt/data/nginx/certs/dhparam.pem\\\" to rootfs \\\"/var/lib/docker/overlay2/c464c1924ff2b79d4f1b862d502da49fc624b394a17f4a32bd5d4cb728874333/merged\\\" at \\\"/var/lib/docker/overlay2/c464c1924ff2b79d4f1b862d502da49fc624b394a17f4a32bd5d4cb728874333/merged/etc/ssl/mail/dhparams.pem\\\" caused \\\"not a directory\\\"\"": unknown: Are you trying to mount a directory onto a file (or vice-versa)? Check if the specified hosRecreating 7aa484d101d7_mailcowdockerized_nginx-mailcow_1 ... error

@daschxx What is dhparam.pem and is that necessary ? But I could not find that in /etc/letsencrypt . Thanks !

@Happyfeet01 dhparm.pem fehlt in /opt/data/nginx/certs/dhparam.pem
wenn sie nicht da ist mit: openssl dhparam -out /opt/data/nginx/certs/dhparam.pem 4096 generieren.

@twikor look at wikipedia: https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange

The advantage in changing the links to the certificates in a docker-compose override file is you do not have to copy the certificate and key file to /opt/mailcow-dockerized/assets/ssl/ BUT you have to restart mailcow, if a certificate changes, gets renewed, etc from certbot to make it work in mailcow (like @mkuron said).

If the certbot is running on the same server like mailcow maybe a post-hook in certbot to restart mailcow can be a solution. In my scenario the nginx proxy with certbot runs on another server and I simply mount the directory containing the certificate and key file into the mailcow server and use a shell script that regularly copys the certificate and key to the mailcow directory and restarts mailcow. Works without problems.

If you want to try the shell script:

#!/bin/bash
cd /opt/mailcow-dockerized
cp /etc/letsencrypt/live/<subdomain.domain.com>/fullchain.pem data/assets/ssl/cert.pem
cp /etc/letsencrypt/live/<subdomain.domain.com>/privkey.pem data/assets/ssl/key.pem
docker-compose down && docker-compose up -d

I regularly start this script via cron:

0 4 * * 2 /root/scripts/restart_mailcow_acme.sh >/dev/null 2>&1

This starts the script every Tuesday at 4:00 am - copys the (new) files into mailcow and restarts it.

@Skydiver84de - yea also would be an solution, but as I just run certbot on the same machine, I will stay with post-hook, as I dont have to restart my mailcow every tuesday at 4:00 am.

But your bash script also seems to run on the same machine like mailcow, as you just copy the files from /etc/lets...

The certificate files (/etc/letsencrypt) are just mounted into the vm from another machine ;-)

Hi guys

I'm using Traefik and I'm also doing something like that to deal with the certificates. It works pretty well even I can't wait mailcow find a better way to deal with reverse proxy.

Now I would like to use multiple SSL certificates because I'm using multiple domains. data/assets/ssl/cert.pem and data/assets/ssl/key.pemworks great but only with the main domain. How to add certificates for each other domains? Is it something like data/assets/ssl/domain2.com/cert.pem or maybe something else? I can't find it.

Of course, I could have only one certificate for the main domain, but in this case my clients have to indicate a different domain name to configure their IMAP and SMTP access than the one from their email address and I don't think it's very elegant.

If someone know how to achieve this it would be awesome.

Thank you,

@homlett, the Postfix and Dovecot (the IMAP and SMTP servers) can only use one certificate. So your only option is to use a certificate with multiple domain names. While you could put some kind of proxy in front of these services, we don’t recommend it as it would break fail2ban and some other stuff.

@mkuron Hum, I see. It's a bit more tricky than I expected. I'm going to keep it simple for now and I'll look for what you mentioned later. Thank you for your very quick and accurate answer!