---
title: MailCow Overview
description: Self-hosted mail stack — architecture, domains, and key decisions
published: true
date: 2026-04-12T00:00:00.000Z
tags: keystone, mail, mailcow
editor: markdown
dateCreated: 2026-04-12T00:00:00.000Z
---

# MailCow Overview

MailCow runs on `docker4` (hermes, 192.168.5.16) via Docker Compose — not Swarm. It manages mail for all 8 domains.

---

## Architecture

| Component | Role |
|-----------|------|
| MailCow stack | Postfix, Dovecot, Rspamd, ClamAV, SOGo, Roundcube, nginx-mailcow |
| MXRoute | Inbound filtering + outbound relay for all domains |
| nginx-mailcow | Only MailCow container connected to `netgrimoire` overlay |

**Critical:** Only `nginx-mailcow` is attached to the `netgrimoire` overlay network. All other MailCow containers stay on the internal `mailcow-network` bridge. Connecting other containers to the overlay causes Redis and PHP-FPM to resolve to wrong IPs, breaking the entire stack.

---

## Domains

`netgrimoire.com` · `pncharris.com` · `wasted-bandwidth.net` · `nucking-futz.com` · `florosafd.org` · `gnarlypandaproductions.com` · `pncfishandmore.com` · `pncharrisenterprises.com`

---

## Mail Flow

**Inbound:** MXRoute filters → forwards to MailCow → Dovecot delivers

**Outbound:** Postfix → MXRoute relay → recipient

**SRS rewriting:** MXRoute rewrites the envelope sender on forwarded mail. All domains using MXRoute inbound forwarding **must** have catch-all aliases configured in MailCow, or `reject_unlisted_sender` will reject the rewritten addresses.

---

## DKIM

Two selectors required:

| Selector | Purpose |
|----------|---------|
| `mailcow` | Direct sends from MailCow |
| `mxroute` | MXRoute relay path |

---

## Key Limits (must match across all three)

Attachment size limits must be set identically in Postfix, Rspamd, and ClamAV. Changing only Postfix is insufficient — Rspamd and ClamAV reject large messages before Postfix processes them.

---

## Roundcube SSL

Internal connections to Dovecot use self-signed certs. In `config.inc.php`:

```php
$config['imap_conn_options'] = ['ssl' => ['verify_peer' => false, 'verify_peer_name' => false]];
```

---

## Related Docs

- [MXRoute Integration](/Keystone-Grimoire/Mail/MXRoute-Integration)
- [Domain Setup](/Keystone-Grimoire/Mail/Domain-Setup)
- [MailCow Hardening](/Keystone-Grimoire/Mail/Hardening)
- [MailCow Backup](/Vault-Grimoire/Backups/MailCow-Backup)

---

## Pending

- [ ] Dedicated ATT_Mail static IP for outbound mail (OPNsense outbound NAT rule)
- [ ] Second DKIM selector (`mxroute`) validation
- [ ] MTA-STS validation (supported since Sep 2025 update)
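
The overlay rule in the Architecture section can be checked mechanically. The script below is an added example, not part of the original page or the MailCow project: it reads `docker network inspect netgrimoire` output and reports any MailCow container other than `nginx-mailcow` attached to the overlay. The container names in the sample, and the assumption that every MailCow container name contains `-mailcow`, are constructed for illustration.

```python
"""Audit which MailCow containers are attached to the netgrimoire overlay."""
import json
import sys

OVERLAY = "netgrimoire"      # overlay network name from this page
ALLOWED = "nginx-mailcow"    # the only MailCow service allowed on the overlay
MAILCOW_MARKER = "-mailcow"  # assumption: MailCow container names contain this

# Constructed sample of `docker network inspect netgrimoire` output (trimmed).
SAMPLE = """
[{"Name": "netgrimoire", "Driver": "overlay", "Containers": {
  "a1": {"Name": "mailcowdockerized-nginx-mailcow-1", "IPv4Address": "10.0.1.12/24"},
  "b2": {"Name": "mailcowdockerized-redis-mailcow-1", "IPv4Address": "10.0.1.13/24"},
  "c3": {"Name": "wikijs", "IPv4Address": "10.0.1.20/24"}
}}]
"""


def overlay_violations(inspect_json, overlay=OVERLAY):
    """Return sorted names of MailCow containers on the overlay, nginx-mailcow excluded."""
    networks = json.loads(inspect_json)
    matches = [n for n in networks if n.get("Name") == overlay]
    if not matches:
        raise ValueError(f"network {overlay!r} not found in inspect output")
    # Treat a missing or null Containers field as "nothing attached".
    containers = matches[0].get("Containers") or {}
    names = [c.get("Name", "") for c in containers.values()]
    # Non-MailCow containers (e.g. other services behind the proxy) are ignored.
    return sorted(n for n in names if MAILCOW_MARKER in n and ALLOWED not in n)


if __name__ == "__main__":
    # Usage: docker network inspect netgrimoire | python3 check_overlay.py
    # With no piped input, the constructed SAMPLE is checked instead.
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    bad = overlay_violations(data)
    for name in bad:
        print(f"VIOLATION: {name} is attached to {OVERLAY}")
    sys.exit(1 if bad else 0)
```

Run it on `docker4` itself: for an overlay network, `docker network inspect` lists only the containers attached on the local node.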