Mailcow-dockerized: Tutorial for configuring best practice firewall

Created on 17 Jul 2019 · 9 Comments · Source: mailcow/mailcow-dockerized

Hello,

It's a very well-known issue, and I see about 10 posts here about ACME HTTP verification problems that are caused by ufw/firewalld etc. problems with Docker internal networks.

Please can somebody make a simple tutorial for a best-practice firewall setup using iptables and ufw? :)

Presuming it's an out-of-the-box Ubuntu server.

All 9 comments

Best practice: don't use a firewall. If the only thing you're running is Mailcow, an SSH server and maybe a web server, you don't need a firewall.

If you're running anything more advanced (like a VPN server), there is no "standard" configuration that we could recommend for everyone.

Docker and custom firewall rules simply don't go together very well. The Docker daemon just blindly inserts its own rules. That's why the documentation and the issue template say that we don't support customized firewalls. Troubleshooting firewall-related issues usually is troubleshooting Docker, not troubleshooting Mailcow, so our issue tracker and documentation are not the right place for it. This is not a Mailcow-specific problem, it just surfaces very commonly in Mailcow due to its complex use of inter-container networking.

It's really sad that you closed the issue; if you don't want to help, that doesn't mean that maybe someone else could :(
I understand that everything outside Docker is none of your business, and I respect your opinion on not using a firewall at all, but I would still like to add this protection layer, because of future possible vulnerabilities.

that doesnt mean that maybe someone else could

We had so many firewall-related issues in the past. In most cases, people didn't even tell us about the firewall in the beginning, making troubleshooting difficult. We wouldn't want to encourage people to cause more of these issues by documenting best practices, especially if firewalls are not needed by anyone but the most advanced users (and these generally know what they are doing)... If Docker ever becomes more respectful of people's iptables configurations, we could start supporting it, but right now it's just an endless headache.

because of future possible vulnerabilities

That's not how firewalls work. They just restrict access to network services. If you don't have services listening on network ports that shouldn't be listening, then firewalls don't add security.

All mailcow services are open to the world anyway. :) IMAP, SMTP etc.

Even if there are 200 issues, we can only point you to the desired rules. Make sure acme-mailcow can connect to the bridge. ufw and firewalld block this traffic. Trace it, create a rule and post it to the docs. :)

Or give me a test machine. I will gladly create rules and post them to the docs when I find time.

Test machine it is, I will PM connection specs tomorrow. Also I found this, looks useful: https://github.com/chaifeng/ufw-docker

You can probably use it.

I don't know when I will find time to check it anyway. So you should go ahead and try whatever it suggests there yourself.

I didn't read the code or check whether it helps with the hairpin problem in ufw. Just try and report.

Hi,
so we don't need to run a firewall on a server with mailcow and daily OS updates only,
but maybe we can try to get it to work together with ufw and Docker.
I just found some hints to maybe get it right.
This may work, but I / you have to test it:
--- removed not working well this way ....
*be aware I'm not a professional*

It's pretty simple to make mailcow-dockerized work with firewalld actually, just take four steps:

  1. Enable masquerade on the default zone: firewall-cmd --permanent --add-masquerade

  2. Enable the ports and services you need: firewall-cmd --permanent --add-service=<http|https|smtp|smtps|smtp-submission|imap|imaps|pop3|pop3s|managesieve>

  3. Add the interface br-mailcow to the trusted zone: firewall-cmd --permanent --zone=trusted --add-interface=br-mailcow

  4. Reload firewalld: firewall-cmd --reload

That's it, it works with my instance. Maybe we could add it to the documentation as an example?

firewall-cmd --permanent --add-masquerade

That can be dangerous... why?

Furthermore, allowing INPUT rules like you do with --add-service probably does not affect FORWARD rules at all. The ports are available anyway because of the order in which Docker added/injected its own rules on top of that chain.

Stopping firewalld, recreating the stack, starting firewalld can be dangerous, too.
Firewalld may add now deprecated rules it saved when you stopped it.
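An added example (not code from the thread, from mailcow, or from firewalld) that audits a host's firewalld zone configuration against the four steps listed above, taking the text of `firewall-cmd --permanent --zone=<default> --list-all` and `firewall-cmd --permanent --zone=trusted --list-all` as input. It assumes the service list from step 2 is the full set mailcow publishes, and, as the reply above points out, it only inspects the INPUT-side zone configuration, not the FORWARD rules Docker injects; the sample dumps are constructed, not captured from a real host.

```shell
#!/bin/sh
# Audit a firewalld configuration against the four-step recipe from the thread.
# Added example: checks the permanent zone config only; Docker's FORWARD rules
# are out of scope, and step 4 (firewall-cmd --reload) is still required.

# Services assumed to be the ones mailcow publishes (the list from step 2).
MAILCOW_SERVICES="http https smtp smtps smtp-submission imap imaps pop3 pop3s managesieve"

# has_token LINE TOKEN: true if TOKEN is a whole word on LINE after the
# "key:" prefix, so "smtp" does not match inside "smtp-submission".
has_token() {
  printf '%s\n' "$1" | grep -qE "[[:space:]]$2([[:space:]]|\$)"
}

# check_mailcow_firewalld DEFAULT_DUMP TRUSTED_DUMP
# Prints one "missing: ..." line per unmet step; exit status 0 only when all are met.
check_mailcow_firewalld() {
  default_dump="$1"; trusted_dump="$2"; missing=0
  # Step 1: masquerade must be enabled in the default zone
  if ! printf '%s\n' "$default_dump" | grep -q '^[[:space:]]*masquerade: yes'; then
    echo "missing: masquerade in default zone"; missing=$((missing + 1))
  fi
  # Step 2: every mail service must be listed in the default zone
  services_line=$(printf '%s\n' "$default_dump" | grep '^[[:space:]]*services:' || true)
  for svc in $MAILCOW_SERVICES; do
    if ! has_token "$services_line" "$svc"; then
      echo "missing: service $svc in default zone"; missing=$((missing + 1))
    fi
  done
  # Step 3: the br-mailcow bridge must be bound to the trusted zone
  interfaces_line=$(printf '%s\n' "$trusted_dump" | grep '^[[:space:]]*interfaces:' || true)
  if ! has_token "$interfaces_line" "br-mailcow"; then
    echo "missing: br-mailcow in trusted zone"; missing=$((missing + 1))
  fi
  [ "$missing" -eq 0 ]
}

# Constructed sample dumps that satisfy all steps (not real firewall-cmd output).
SAMPLE_DEFAULT='public
  target: default
  interfaces: eth0
  services: http https smtp smtps smtp-submission imap imaps pop3 pop3s managesieve
  masquerade: yes'
SAMPLE_TRUSTED='trusted
  target: ACCEPT
  interfaces: br-mailcow
  masquerade: no'

check_mailcow_firewalld "$SAMPLE_DEFAULT" "$SAMPLE_TRUSTED" && echo "all four steps present"
```

On a real host, feed it `"$(firewall-cmd --permanent --zone="$(firewall-cmd --get-default-zone)" --list-all)"` and `"$(firewall-cmd --permanent --zone=trusted --list-all)"`.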
