# Mailcow Dockerized on Debian 12 VPS

This covers:

1. **Opening the correct ports** in `iptables`
2. **Cloning & running Mailcow** with Docker Compose
3. **Setting DNS / reverse DNS** for `mail.handboy.net`
4. First-time hardening and a deliverability test

---

## 1 · Firewall – open the mail + web ports

```bash
# as root or with sudo
for p in 80 443 4190 995 110 993 143 587 465 25; do
  sudo iptables -I DOCKER-USER -p tcp --dport "$p" -j ACCEPT
done

# persist across reboots (netfilter-persistent needs the iptables-persistent package)
sudo netfilter-persistent save
```

---

## 2 · Set the server’s FQDN

```bash
sudo hostnamectl set-hostname mail.handboy.net
```

---

## 3 · Grab and configure Mailcow

```bash
sudo apt update && sudo apt install git docker.io docker-compose-plugin -y

# REQUIRED: correct default permissions for the cloned repo
umask 0022
cd /opt
sudo git clone https://github.com/mailcow/mailcow-dockerized
cd mailcow-dockerized
sudo ./generate_config.sh
# → answer every prompt for your domain: mail.handboy.net
```

### Bind the UI to localhost for a reverse-proxy setup

Because Caddy will terminate TLS, **change these four lines** in `mailcow.conf` before first start:

```bash
vim mailcow.conf
```

```bash
HTTP_PORT=8081
HTTP_BIND=127.0.0.1
HTTPS_PORT=8443
HTTPS_BIND=127.0.0.1
```

## Caddyfile

```bash
https://mail.handboy.net:443 {
    reverse_proxy 127.0.0.1:8081
}
```

```bash
sudo systemctl restart caddy
```

---

## 4 · Start the stack

```bash
sudo docker compose pull
sudo docker compose up -d
```

![[Pasted image 20250427032624.png]]

![[Pasted image 20250427032915.png]]

---

## 5 · First login

Browse to `https://mail.handboy.net/admin/` (or `https://<VPS-IP>:8443` if the proxy isn’t in front yet).

| User  | Pass   |
|-------|--------|
| admin | moohoo |

Change that password immediately and create your own admin account. Then add the domain.

![[Pasted image 20250427033437.png]]

---

## 6 · DNS & reverse DNS

| Record       | Example                                                                              |
|--------------|--------------------------------------------------------------------------------------|
| **A / AAAA** | `mail.handboy.net → your VPS IP`                                                     |
| **MX**       | `handboy.net → mail.handboy.net.` (prio 10)                                          |
| **SPF**      | `v=spf1 mx -all`                                                                     |
| **DKIM**     | TXT from **Configuration ▸ DKIM Keys**                                               |
| **DMARC**    | `_dmarc.handboy.net v=DMARC1; p=quarantine; rua=mailto:[email protected]`            |
| **PTR**      | `<your-IP> → mail.handboy.net` (set in provider panel)                               |

![[Pasted image 20250427033714.png]]

More details: <https://docs.mailcow.email/getstarted/prerequisite-dns/>

---

## 7 · Hardening & housekeeping

* Change **admin** password ASAP.
* Enable **2FA** (TOTP or U2F) for UI logins.
* Backups:

  ```bash
  cd /opt/mailcow-dockerized
  sudo ./mailcow-backup.sh -c all -t /srv/backup/mailcow
  ```

* Monthly updates:

  ```bash
  sudo docker compose pull && sudo docker compose up -d
  ```

---

## 8 · Deliverability test

1. Log into SOGo at `https://mail.handboy.net/SOGo/`.
2. Send a mail to `[email protected]`.

   ![[Pasted image 20250427042123.png]]

3. Aim for **9 / 10** or better; fix SPF/DKIM/DMARC or rDNS if needed.

---

🎉 **All done!** You now have Mailcow running behind your reverse proxy with the correct firewall, DNS, and security basics in place.
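A sanity check for the records in the section 6 table, which are also what the deliverability test in section 8 scores. This is an added example, not code from the original note or from the mailcow project. It parses answers in the shape `dig +short <name> <type>` prints them and flags the mistakes that usually cost points: more than one SPF record, a permissive `+all`, a DMARC record without a valid policy or report address, and a PTR that does not point back at the mail host. The sample answers, the `203.0.113.10` address and the `rua` mailbox are constructed placeholders, not values from the note; the hostnames are the note's own.

```python
"""Offline sanity check for the DNS records a Mailcow host needs.

Added example, not part of the original note or of mailcow-dockerized.
Answers are constructed inline in the shape `dig +short <name> <type>`
prints them; swap in real dig output to check a live zone.
"""
import re

DOMAIN = "handboy.net"
MAIL_HOST = "mail.handboy.net"
SERVER_IP = "203.0.113.10"  # placeholder (TEST-NET-3), not the note's real VPS IP

# Constructed answers. The rua mailbox is a placeholder, not the note's address.
SAMPLE_ANSWERS = {
    (DOMAIN, "MX"): ["10 mail.handboy.net."],
    (DOMAIN, "TXT"): ['"v=spf1 mx -all"'],
    (f"_dmarc.{DOMAIN}", "TXT"): ['"v=DMARC1; p=quarantine; rua=mailto:dmarc@handboy.net"'],
    (SERVER_IP, "PTR"): ["mail.handboy.net."],
}


def _unquote(txt: str) -> str:
    # dig prints TXT data as one or more quoted strings; join them and drop the quotes.
    return "".join(re.findall(r'"((?:[^"\\]|\\.)*)"', txt)) or txt


def check_mx(answers: list[str], mail_host: str) -> list[str]:
    problems, hosts = [], []
    for line in answers:
        parts = line.split()  # "<priority> <host>."
        if len(parts) != 2 or not parts[0].isdigit():
            problems.append(f"malformed MX answer: {line!r}")
            continue
        hosts.append(parts[1].rstrip(".").lower())
    if mail_host.lower() not in hosts:
        problems.append(f"no MX points at {mail_host}")
    return problems


def check_spf(answers: list[str]) -> list[str]:
    # Other TXT records (site verifications etc.) may share the name; keep only SPF.
    spf = [_unquote(a) for a in answers if _unquote(a).lower().startswith("v=spf1")]
    if len(spf) != 1:  # RFC 7208: more than one SPF record is a permanent error
        return [f"expected exactly one v=spf1 TXT record, found {len(spf)}"]
    problems = []
    terms = spf[0].split()[1:]
    senders = ("mx", "a", "ip4", "ip6", "include")
    if not any(t.lstrip("+-~?").lower().split(":")[0] in senders for t in terms):
        problems.append("SPF authorises no sender (no mx/a/ip4/ip6/include term)")
    last = terms[-1].lower() if terms else ""
    if last.lstrip("+-~?") != "all":
        problems.append("SPF does not end with an 'all' term")
    elif last[0] not in "-~":  # bare or +all means anyone may send for the domain
        problems.append(f"SPF ends with {last!r}; use -all (or ~all) so unknown senders are rejected")
    return problems


def check_dmarc(answers: list[str]) -> list[str]:
    records = [_unquote(a) for a in answers if _unquote(a).upper().startswith("V=DMARC1")]
    if len(records) != 1:
        return [f"expected exactly one v=DMARC1 TXT record, found {len(records)}"]
    tags = {}
    for field in records[0].split(";"):  # "tag=value" pairs separated by ';'
        if "=" in field:
            key, value = field.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    problems = []
    if tags.get("p") not in ("none", "quarantine", "reject"):
        problems.append(f"DMARC policy p={tags.get('p')!r} is not none/quarantine/reject")
    if not tags.get("rua", "").startswith("mailto:"):
        problems.append("DMARC has no rua=mailto: address, so you get no aggregate reports")
    return problems


def check_ptr(answers: list[str], mail_host: str) -> list[str]:
    hosts = [h.rstrip(".").lower() for h in answers]
    if mail_host.lower() not in hosts:
        return [f"PTR does not resolve to {mail_host} (got {hosts or 'nothing'})"]
    return []


def check_domain(domain: str, mail_host: str, server_ip: str, answers: dict) -> dict:
    """Run every check; an empty dict means the records match the table above."""
    results = {
        "MX": check_mx(answers.get((domain, "MX"), []), mail_host),
        "SPF": check_spf(answers.get((domain, "TXT"), [])),
        "DMARC": check_dmarc(answers.get((f"_dmarc.{domain}", "TXT"), [])),
        "PTR": check_ptr(answers.get((server_ip, "PTR"), []), mail_host),
    }
    return {name: found for name, found in results.items() if found}


if __name__ == "__main__":
    issues = check_domain(DOMAIN, MAIL_HOST, SERVER_IP, SAMPLE_ANSWERS)
    print(issues or "all records are consistent with the DNS table")
```

The DKIM TXT record is deliberately left out: its selector and key are generated by Mailcow and shown under **Configuration ▸ DKIM Keys**, so the only useful check is that the published value matches what the UI displays. To run this against a real zone, replace `SAMPLE_ANSWERS` with the lines `dig +short` returns for each name and type (and `dig +short -x <IP>` for the PTR).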