Hi,
I'd like to configure SOGo as a subdomain, so that users can navigate directly to a host like webmail.example.com, instead of mail.example.com/SOGo.
This has been requested and addressed before, and there appears to be a solution for nginx as posted by @asifbacchus in issue #1404. He posted a nice & shiny example in his gist.
Unfortunately, I'm looking for a solution for my Apache reverse DNS configuration. And of course it should work with SSL. A "nice to have" would be if it works on all my domains. So that I could have webmail.mydomain1.com and webmail.example2.com. This just makes it easier for users, as they can rarely be bothered to remember any domain other than their own.
I should mention that @kukukk posted something in issue 393 but I couldn't get it to work :(
So. Any help would be much appreciated. Please post an example of the virtualhost config if possible.
Thanks!
You can maybe set a redirect from webmail.* to mail.example.com/SOGo; that's what I'm doing on my instance.
REF: https://github.com/mailcow/mailcow-dockerized/issues/2121
Thanks,
But your reference points to an nginx solution. I'm looking for something for Apache.
I'm gonna disclaim this right off the bat by saying that I don't work with Apache often so this may not be a 'best practice' type solution. Also, I'm going with a pretty plain-jane default setup like in the Mailcow documentation -- i.e. no advanced SSL security configs, etc.
I spun up a VM and installed a fresh Mailcow setup with Apache to test this out and it seems to work. But, I only did some pretty quick testing, so I'd suggest you test it more exhaustively before putting it into production.
```apache
### Mailcow reverse proxy
### root redirected to SOGo and admin panel redirected to /config

<VirtualHost *:80>
    ServerName myserver.net
    ServerAlias autodiscover.*
    ServerAlias autoconfig.*

    RewriteEngine On
    # rewrite all URLs to HTTPS
    # if URL starts with 'autoconfig' (NC means case-insensitive) then skip the
    # HTTPS rewrite rule (S=n means skip next n rules) and re-submit URL as
    # URL/autoconfig.php (PT=pass-through, ie. re-process as URL not path)
    # L=last command, no further processing
    # NE=no escaping (converting space to %20, etc.)
    # R=redirect type
    RewriteCond %{HTTP_HOST} ^autoconfig\. [NC]
    RewriteRule ^ - [S=1]
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI}# [L,NE,R=permanent]
    RewriteRule ^ /autoconfig.php [PT]

    # only autoconfig stuff should be processed here due to rewrite above
    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
    ProxyAddHeaders On
    RequestHeader set X-Forwarded-Proto "http"
</VirtualHost>

<VirtualHost *:443>
    ServerName myserver.net
    ServerAlias autodiscover.*

    RewriteEngine On
    # rewrite all root URI requests to /SOGo and pass-through as new request
    RewriteCond %{REQUEST_URI} ^/$
    RewriteRule ^(.*)$ /SOGo [L,PT]
    # rewrite all /config URI requests to root and pass-through as new request
    RewriteCond %{REQUEST_URI} ^/config$
    RewriteRule ^(.*)$ / [L,PT]

    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
    ProxyAddHeaders On
    RequestHeader set X-Forwarded-Proto "https"

    # enable TLS for this vhost (SSLEngine defaults to off)
    SSLEngine On
    SSLCertificateFile /etc/ssl/certs/dummy.cer
    SSLCertificateKeyFile /etc/ssl/private/dummy.key
</VirtualHost>
```
This should redirect all requests except autoconfig.* to SSL and then process them from there. Any requests to myserver.net should be rewritten as myserver.net/SOGo and any requests to myserver.net/config would be rewritten to myserver.net (i.e. the admin panel).
Like I said, I only briefly tested it (created a user, logged into SOGo, checked rspamd). But, seemed to work pretty well. Also, forgive my ignorance of Apache, but I'm not totally sure the [L,PT] flags are necessary on the rewrites in the SSL section, but, as I understand things that's what allows the request to be resubmitted so the proxypass directive works instead of Apache looking for a folder in its document root.
Obviously, if you want to use something other than /config, you can change that as desired. Quick note: I used to use /admin but I found it caused loops with recent Mailcow builds since that seems to be used internally somewhere. So, I decided to go with /config or /setup, or really anything except /admin. Don't know if this still applies in the most recent build, but I thought I'd mention it.
Hope that helps/points you in the right direction/works :-) Let me know how it goes or if you need any more help.
I just re-read your question... I noticed you want to run this as a subdomain. That's not a problem, same setup. Just change 'myserver.net' to 'subdomain.myserver.net' and also update your DNS as necessary. Sorry if that wasn't clear. I'm assuming this is what you meant, right?
That's right, I wanted it as a subdomain for my added domains that I configured in Mailcow. I set it up as a separate virtualhost conf, I don't want to mess with the mailcow.conf.
Good thing you mentioned setting up the DNS for the subdomains, I'd have forgotten about that :/
DNS is propagating now, I'll report back on how it goes.
Right,
So the re-direct works. Except that the SSL certs are not registered:
This server could not prove that it is webmail.domain2.co.za; its security certificate is from mail.domain1.co.za. This may be caused by a misconfiguration or an attacker intercepting your connection.
Looks like I may have to create an Apache conf for each of the subdomains, and then use letsencrypt certbot for certificates.
Not sure if one would be able to use the mailcow acme client for this. I haven't had much luck with installing certificates for domains listed in the ADDITIONAL_SAN setting.
But yes, step 1 is working! Thanks very much for the assist!
Cool... glad I got you started. Yes, you need a different VHost for each subdomain if you're using different certificates or you need a cert with all relevant subdomains defined as SANs (easier). If you need help setting up the certificate part, check out my blog post here which might help you get it all set up automatically. My instructions there let you manually set things up, so it doesn't generate the .conf files for you (which is good in this case). The instructions are geared toward nginx, but the process is the same, you just have to change paths where relevant. I use that exact setup on my reverse proxy host and disable the acme client in mailcow. That way, I get the certs I need. Then I modify the docker-compose yml file to symlink the certs over to mailcow so the renewal is automatic. If you're interested in that, I can post my yml config here too.
Let us know how it goes and if you need any more help! Hopefully my butchering of Apache has given you a place to start at least :-)
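The certificate mismatch reported in this thread can be caught before users see a browser warning by comparing the hostnames the vhosts serve against the certificate's SAN entries. The following is an added example, not code from anyone in the thread: it parses the text printed by `openssl x509 -noout -ext subjectAltName` and applies the usual single-label wildcard rule. The sample output and `webmail.domain1.co.za` are constructed for illustration, and the function names are hypothetical.

```python
# Constructed sample of `openssl x509 -noout -ext subjectAltName -in cert.pem`
SAMPLE_SAN_TEXT = """X509v3 Subject Alternative Name:
    DNS:mail.domain1.co.za, DNS:autodiscover.domain1.co.za
"""

# Hostnames the Apache vhosts are expected to serve (constructed list)
VHOST_NAMES = ["mail.domain1.co.za", "webmail.domain1.co.za", "webmail.domain2.co.za"]


def parse_san_dns(openssl_text):
    """Return the dNSName entries found in openssl's SAN text output."""
    names = []
    for line in openssl_text.splitlines():
        for item in line.split(","):
            item = item.strip()
            if item.startswith("DNS:"):
                names.append(item[4:].lower().rstrip("."))
    return names


def san_matches(pattern, host):
    """Match one SAN entry against a hostname.

    A '*' is honoured only as the entire left-most label and covers exactly
    one label, so '*.domain2.co.za' does not cover 'domain2.co.za' itself.
    """
    p_labels = pattern.lower().split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def uncovered(hosts, san_names):
    """Hostnames that no SAN entry covers; these trigger the browser error."""
    return [h for h in hosts if not any(san_matches(s, h) for s in san_names)]


if __name__ == "__main__":
    sans = parse_san_dns(SAMPLE_SAN_TEXT)
    for host in uncovered(VHOST_NAMES, sans):
        print(f"not covered by certificate: {host}")
```

Every name this reports needs either its own vhost with a matching certificate or an added SAN on the shared certificate.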