---
title: MailCow Overview
description: Self-hosted mail stack — architecture, domains, and key decisions
published: true
date: 2026-04-12T00:00:00.000Z
tags: keystone, mail, mailcow
editor: markdown
dateCreated: 2026-04-12T00:00:00.000Z
---

# MailCow Overview

MailCow runs on `docker4` (hermes, 192.168.5.16) via Docker Compose — not Swarm. It manages mail for all 8 domains.

---

## Architecture

| Component | Role |
|-----------|------|
| MailCow stack | Postfix, Dovecot, Rspamd, ClamAV, SOGo, Roundcube, nginx-mailcow |
| MXRoute | Inbound filtering + outbound relay for all domains |
| nginx-mailcow | Only MailCow container connected to `netgrimoire` overlay |

**Critical:** Only `nginx-mailcow` is attached to the `netgrimoire` overlay network. All other MailCow containers stay on the internal `mailcow-network` bridge. Connecting other containers to the overlay causes Redis and PHP-FPM to resolve to wrong IPs, breaking the entire stack.

---

## Domains

`netgrimoire.com` · `pncharris.com` · `wasted-bandwidth.net` · `nucking-futz.com` · `florosafd.org` · `gnarlypandaproductions.com` · `pncfishandmore.com` · `pncharrisenterprises.com`

---

## Mail Flow

**Inbound:** MXRoute filters → forwards to MailCow → Dovecot delivers

**Outbound:** Postfix → MXRoute relay → recipient

**SRS rewriting:** MXRoute rewrites the envelope sender on forwarded mail. All domains using MXRoute inbound forwarding **must** have catch-all aliases configured in MailCow, or `reject_unlisted_sender` will reject the rewritten addresses.

---

## DKIM

Two selectors required:

| Selector | Purpose |
|----------|---------|
| `mailcow` | Direct sends from MailCow |
| `mxroute` | MXRoute relay path |

---

## Key Limits (must match across all three)

Attachment size limits must be set identically in Postfix, Rspamd, and ClamAV. Changing only Postfix is insufficient — Rspamd and ClamAV reject large messages before Postfix processes them.
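
As an added example (not part of this page or of mailcow itself), a small Python check that reads the size setting from each of the three configs, normalises the different unit notations to bytes, and flags any that disagree with Postfix. The constructed snippets reproduce the failure mode above (Postfix raised, ClamAV left at its old value); the file paths in the comments are assumptions about the mailcow layout.

```python
import re

# Constructed snippets standing in for the three mailcow config files (the
# paths in the comments are assumptions about the mailcow layout, the values
# are made up): Postfix and Rspamd were raised to 100 MiB, ClamAV was not.
POSTFIX_EXTRA_CF = "message_size_limit = 104857600\n"      # data/conf/postfix/extra.cf
RSPAMD_OPTIONS_INC = "max_message = 100Mb;\n"              # data/conf/rspamd/local.d/options.inc
CLAMD_CONF = "MaxFileSize 25M\nMaxScanSize 25M\nStreamMaxLength 25M\n"  # data/conf/clamav/clamd.conf

_UNITS = {"": 1, "k": 1024, "kb": 1024, "m": 1024 ** 2, "mb": 1024 ** 2,
          "g": 1024 ** 3, "gb": 1024 ** 3}

def parse_size(text: str) -> int:
    """Normalise '104857600' (Postfix), '100Mb' (Rspamd) or '25M' (ClamAV) to bytes."""
    m = re.fullmatch(r"\s*(\d+)\s*([kKmMgG][bB]?)?\s*", text)
    if not m:
        raise ValueError(f"unparseable size: {text!r}")
    return int(m.group(1)) * _UNITS[(m.group(2) or "").lower()]

def _lookup(config: str, key: str) -> int:
    """Read `key = value;` (Postfix/Rspamd) or `Key value` (ClamAV) from a config blob."""
    m = re.search(rf"^\s*{re.escape(key)}\s*=?\s*([^;#\n]+)", config, re.MULTILINE | re.IGNORECASE)
    if not m:
        raise KeyError(f"{key} is not set")
    return parse_size(m.group(1))

def collect_limits(postfix: str, rspamd: str, clamd: str) -> dict:
    """Gather every setting that caps message/attachment size, in bytes."""
    return {
        "postfix:message_size_limit": _lookup(postfix, "message_size_limit"),
        "rspamd:max_message": _lookup(rspamd, "max_message"),
        "clamav:MaxFileSize": _lookup(clamd, "MaxFileSize"),
        "clamav:MaxScanSize": _lookup(clamd, "MaxScanSize"),
        "clamav:StreamMaxLength": _lookup(clamd, "StreamMaxLength"),
    }

def find_mismatches(limits: dict) -> list:
    """Return the settings that disagree with Postfix's message_size_limit."""
    ref = limits["postfix:message_size_limit"]
    return sorted(k for k, v in limits.items() if v != ref)

if __name__ == "__main__":
    limits = collect_limits(POSTFIX_EXTRA_CF, RSPAMD_OPTIONS_INC, CLAMD_CONF)
    for k, v in limits.items():
        print(f"{k:28} {v:>12} bytes")
    bad = find_mismatches(limits)
    print("MISMATCH:" if bad else "OK:", ", ".join(bad) or "all three agree")
```

Point the three constants at the real files (or read them in) and run it after any limit change; an empty mismatch list means the three stacks agree.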

---

## Roundcube SSL

Internal connections to Dovecot use self-signed certs. In `config.inc.php`:

```php
// Dovecot presents a self-signed cert on the internal mailcow-network,
// so Roundcube's IMAP connection must not verify the peer or its name.
$config['imap_conn_options'] = [
    'ssl' => [
        'verify_peer'      => false,
        'verify_peer_name' => false,
    ],
];
```

---

## Related Docs

- [MXRoute Integration](/Keystone-Grimoire/Mail/MXRoute-Integration)
- [Domain Setup](/Keystone-Grimoire/Mail/Domain-Setup)
- [MailCow Hardening](/Keystone-Grimoire/Mail/Hardening)
- [MailCow Backup](/Vault-Grimoire/Backups/MailCow-Backup)

---

## Pending

- [ ] Dedicated ATT_Mail static IP for outbound mail (OPNsense outbound NAT rule)
- [ ] Second DKIM selector (`mxroute`) validation
- [ ] MTA-STS validation (supported since Sep 2025 update)