Score:0

Mailcow SSL not working

cn flag

Using Apache/mailcow I’m setting up a home email server. I followed the mailcow dockerized tutorial. And was able to connect to my mailcow site at:

http://mail.example.com:8080

I had to use 8080, because I have my website also setup on this server.

I ran into a problem trying to connect my nextcloud client up to my mail server, thought it was an issue with SSL. So I finally installed ssl using certbot.

I had tutorials tell me to make both the redirect.conf and site.conf files.

I now can’t access my mail site from any of the below urls.

Mail.example.com
Mail.example.com:8080 or 8443
http://mail.example.com
https://mail.example.com
http(s)://mail.example.com:8080 or 8443

I know this has something to do with rewrites or “proxy” or “reverse proxy” but, I don’t really know what any of that means, so I don’t know what to check for.

I don’t know how Apache knows where to send anything since the documentroot value isn’t in the config. I don’t know what the redirect or site config files are for.

What am I missing? Why can’t I get on my site through the simple mail.example.com. In the end, I’d like all the above urls to go to/be rewritten to the ssl secure mail.example.com site. No, :8080 or :8443

Virtualhost file

<VirtualHost *:80>
  ServerName mail.example.com
  ServerAlias autodiscover.*
  ServerAlias autoconfig.*
  RewriteEngine on

  ProxyPass / http://mail.example.com:8080/
  ProxyPassReverse / http://mail.example.com:8080/

  RewriteCond %{HTTPS} off
  RewriteRule ^/?(.*) https://%{HTTP_HOST}/$1 [R=301,L]

</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
  ServerName mail.example.com
  ServerAlias autodiscover.*
  ServerAlias autoconfig.*

  # You should proxy to a plain HTTP session to offload SSL processing
  #ProxyPass /Microsoft-Server-ActiveSync http://127.0.0.1:8080/Microsoft-Server-ActiveSync connectiontim>
  #ProxyPassReverse /Microsoft-Server-ActiveSync http://127.0.0.1:8080/Microsoft-Server-ActiveSync
  ProxyPass / http://mail.example.com:8080/
  ProxyPassReverse / http://mail.example.com:8080/
  ProxyPreserveHost On
  ProxyAddHeaders On
  RequestHeader set X-Forwarded-Proto “https”

  Include /etc/letsencrypt/options-ssl-apache.conf

  SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem

  SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

  # If you plan to proxy to a HTTPS host:
  #SSLProxyEngine On

  # If you plan to proxy to an untrusted HTTPS host:
  #SSLProxyVerify none
  #SSLProxyCheckPeerCN off
  #SSLProxyCheckPeerName off
  #SSLProxyCheckPeerExpire off
</VirtualHost>
</IfModule>

Mailcow.conf

# ------------------------------
# mailcow web ui configuration
# ------------------------------
# example.org is _not_ a valid hostname, use a fqdn here.
# Default admin user is “admin”
# Default password is “moohoo”

MAILCOW_HOSTNAME=mail.example.com

# Password hash algorithm
# Only certain password hash algorithm are supported. For a fully list of supported schemes,
# see https://mailcow.github.io/mailcow-dockerized-docs/model-passwd/
MAILCOW_PASS_SCHEME=BLF-CRYPT

# ------------------------------
# SQL database configuration
# ------------------------------

DBNAME=example
DBUSER=example

# Please use long, random alphanumeric strings (A-Za-z0-9)

DBPASS=**************
DBROOT=*************

# ------------------------------
# HTTP/S Bindings
# ------------------------------

# You should use HTTPS, but in case of SSL offloaded reverse proxies:
# Might be important: This will also change the binding within the container.
# If you use a proxy within Docker, point it to the ports you set below.
# Do _not_ use IP:PORT in HTTP(S)_BIND or HTTP(S)_PORT
# IMPORTANT: Do not use port 8081, 9081 or 65510!
# Example: HTTP_BIND=1.2.3.4
# For IPv4 and IPv6 leave it empty: HTTP_BIND= & HTTPS_PORT=
# For IPv6 see https://mailcow.github.io/mailcow-dockerized-docs/firststeps-ip_bindings/

HTTP_PORT=8080
HTTP_BIND=

HTTPS_PORT=8443
HTTPS_BIND=

# ------------------------------
# Other bindings
# ------------------------------
# You should leave that alone
# Format: 11.22.33.44:25 or 12.34.56.78:465 etc.

SMTP_PORT=25
SMTPS_PORT=465
SUBMISSION_PORT=587
IMAP_PORT=143
IMAPS_PORT=993
POP_PORT=110
POPS_PORT=995
SIEVE_PORT=4190
DOVEADM_PORT=127.0.0.1:19991
SQL_PORT=127.0.0.1:13306
SOLR_PORT=127.0.0.1:18983
REDIS_PORT=127.0.0.1:7654

# Your timezone
# See https://en.wikipedia.org/wiki/List_of_tz_database_time_zones for a list of timezones
# Use the row named ‘TZ database name’ + pay attention for ‘Notes’ row

TZ=****

# Fixed project name
# Please use lowercase letters only

COMPOSE_PROJECT_NAME=mailcowdockerized

# Set this to “allow” to enable the anyone pseudo user. Disabled by default.
# When enabled, ACL can be created, that apply to “All authenticated users”
# This should probably only be activated on mail hosts, that are used exclusivly by one organisation.
# Otherwise a user might share data with too many other users.
ACL_ANYONE=disallow

# Garbage collector cleanup
# Deleted domains and mailboxes are moved to /var/vmail/_garbage/timestamp_sanitizedstring
# How long should objects remain in the garbage until they are being deleted? (value in minutes)
# Check interval is hourly

MAILDIR_GC_TIME=7200

# Additional SAN for the certificate
#
# You can use wildcard records to create specific names for every domain you add to mailcow.
# Example: Add domains “example.com” and “example.net” to mailcow, change ADDITIONAL_SAN to a value like:
#ADDITIONAL_SAN=imap.*,smtp.*
# This will expand the certificate to “imap.example.com”, “smtp.example.com”, “imap.example.net”, “imap.example.net”
# plus every domain you add in the future.
#
# You can also just add static names…
#ADDITIONAL_SAN=srv1.example.net
# …or combine wildcard and static names:
#ADDITIONAL_SAN=imap.*,srv1.example.com
#

ADDITIONAL_SAN=

# Additional server names for mailcow UI
#
# Specify alternative addresses for the mailcow UI to respond to
# This is useful when you set mail.* as ADDITIONAL_SAN and want to make sure mail.maildomain.com will always point to the mailcow UI.
# If the server name does not match a known site, Nginx decides by best-guess and may redirect users to the wrong web root.
# You can understand this as server_name directive in Nginx.
# Comma separated list without spaces! Example: ADDITIONAL_SERVER_NAMES=a.b.c,d.e.f

ADDITIONAL_SERVER_NAMES=

# Skip running ACME (acme-mailcow, Let’s Encrypt certs) – y/n

SKIP_LETS_ENCRYPT=y

# Create separate certificates for all domains – y/n
# this will allow adding more than 100 domains, but some email clients will not be able to connect with alternative hostnames
# see https://wiki.dovecot.org/SSL/SNIClientSupport
ENABLE_SSL_SNI=y

# Skip IPv4 check in ACME container – y/n

SKIP_IP_CHECK=n

# Skip HTTP verification in ACME container – y/n

SKIP_HTTP_VERIFICATION=n

# Skip ClamAV (clamd-mailcow) anti-virus (Rspamd will auto-detect a missing ClamAV container) – y/n

SKIP_CLAMD=n

# Skip SOGo: Will disable SOGo integration and therefore webmail, DAV protocols and ActiveSync support (experimental, unsupported, not fully implemented) – y/n

SKIP_SOGO=n

# Skip Solr on low-memory systems or if you do not want to store a readable index of your mails in solr-vol-1.

SKIP_SOLR=n

# Solr heap size in MB, there is no recommendation, please see Solr docs.
# Solr is a prone to run OOM and should be monitored. Unmonitored Solr setups are not recommended.

SOLR_HEAP=1024

# Allow admins to log into SOGo as email user (without any password)

ALLOW_ADMIN_EMAIL_LOGIN=n

# Enable watchdog (watchdog-mailcow) to restart unhealthy containers

USE_WATCHDOG=y

# Send watchdog notifications by mail (sent from watchdog@MAILCOW_HOSTNAME)
# CAUTION:
# 1. You should use external recipients
# 2. Mails are sent unsigned (no DKIM)
# 3. If you use DMARC, create a separate DMARC policy (“v=DMARC1; p=none;” in _dmarc.MAILCOW_HOSTNAME)
# Multiple rcpts allowed, NO quotation marks, NO spaces

#[email protected],[email protected],[email protected]
#WATCHDOG_NOTIFY_EMAIL=

# Notify about banned IP (includes whois lookup)
WATCHDOG_NOTIFY_BAN=n

# Subject for watchdog mails. Defaults to “Watchdog ALERT” followed by the error message.
#WATCHDOG_SUBJECT=

# Checks if mailcow is an open relay. Requires a SAL. More checks will follow.
# https://www.servercow.de/mailcow?lang=en
# https://www.servercow.de/mailcow?lang=de
# No data is collected. Opt-in and anonymous.
# Will only work with unmodified mailcow setups.
WATCHDOG_EXTERNAL_CHECKS=n

# Enable watchdog verbose logging
WATCHDOG_VERBOSE=n

# Max log lines per service to keep in Redis logs

LOG_LINES=9999

# Internal IPv4 /24 subnet, format n.n.n (expands to n.n.n.0/24)
# Use private IPv4 addresses only, see https://en.wikipedia.org/wiki/Private_network#Private_IPv4_addresses

IPV4_NETWORK=172.22.1

# Internal IPv6 subnet in fc00::/7
# Use private IPv6 addresses only, see https://en.wikipedia.org/wiki/Private_network#Private_IPv6_addresses

IPV6_NETWORK=fd4d:6169:6c63:6f77::/64

# Use this IPv4 for outgoing connections (SNAT)

#SNAT_TO_SOURCE=

# Use this IPv6 for outgoing connections (SNAT)

#SNAT6_TO_SOURCE=

# Create or override an API key for the web UI
# You _must_ define API_ALLOW_FROM, which is a comma separated list of IPs
# An API key defined as API_KEY has read-write access
# An API key defined as API_KEY_READ_ONLY has read-only access
# Allowed chars for API_KEY and API_KEY_READ_ONLY: a-z, A-Z, 0-9, -
# You can define API_KEY and/or API_KEY_READ_ONLY

#API_KEY=
#API_KEY_READ_ONLY=
#API_ALLOW_FROM=172.22.1.1,127.0.0.1

# mail_home is ~/Maildir
MAILDIR_SUB=Maildir

# SOGo session timeout in minutes
SOGO_EXPIRE_SESSION=480

# DOVECOT_MASTER_USER and DOVECOT_MASTER_PASS must both be provided. No special chars.
# Empty by default to auto-generate master user and password on start.
# User expands to [email protected]
# LEAVE EMPTY IF UNSURE
DOVECOT_MASTER_USER=
# LEAVE EMPTY IF UNSURE
DOVECOT_MASTER_PASS=

# Let’s Encrypt registration contact information
# Optional: Leave empty for none
# This value is only used on first order!
# Setting it at a later point will require the following steps:
# https://mailcow.github.io/mailcow-dockerized-docs/debug-reset_tls/
ACME_CONTACT=

# WebAuthn device manufacturer verification
# After setting WEBAUTHN_ONLY_TRUSTED_VENDORS=y only devices from trusted manufacturers are allowed
# root certificates can be placed for validation under mailcow-dockerized/data/web/inc/lib/WebAuthn/rootCertificates
WEBAUTHN_ONLY_TRUSTED_VENDORS=n

Site.conf

Server {
Listen 80 default_server;
Listen [::]:80 default_server;
Include /etc/nginx/conf.d/server_name.active;
If ( $request_uri ~* “%0A|%0D” ) { return 403; }
Return 301 https://$host$uri$is_args$args;
}

Redirect.conf

    Server {
  Root /web;
  Listen 80 default_server;
  Listen [::]:80 default_server;
  Include /etc/nginx/conf.d/server_name.active;
  If ( $request_uri ~* “%0A|%0D” ) { return 403; }
  Location ^~ /.well-known/acme-challenge/ {
    Allow all;
    Default_type “text/plain”;
  }
  Location / {
    Return 301 https://$host$uri$is_args$args;
  }
}
user3779539 avatar
cn flag
Reposted from Stack Overflow.
in flag
And off topic here as well. Sorry.
user3779539 avatar
cn flag
Can you help me figure out how this is off topic? I can't ask questions about my code on stack Overflow because it's server related, even though that's where other questions about this similar topic were asked. Can't ask the question here because it's off topic? What's off topic about it? It's a server? I don't even know what I don't know, and instead of getting help I'm told I can't ask for help?
in flag
You can ask question about your home setup on [su] or [unix.se]
djdomi avatar
za flag
i suggests that you join https://t.me/mailcow on telegram sunce tgis is the official support channel for the mailcow
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.