Netgrimoire/Keystone-Grimoire/Mail/MailCow-Overview.md
2026-04-12 09:53:51 -05:00


---
title: MailCow Overview
description: Self-hosted mail stack — architecture, domains, and key decisions
published: true
date: 2026-04-12T00:00:00.000Z
tags: keystone, mail, mailcow
editor: markdown
dateCreated: 2026-04-12T00:00:00.000Z
---

MailCow Overview

MailCow runs on docker4 (hermes, 192.168.5.16) via Docker Compose — not Swarm. It manages mail for all 8 domains.


Architecture

| Component | Role |
|---|---|
| MailCow stack | Postfix, Dovecot, Rspamd, ClamAV, SOGo, Roundcube, nginx-mailcow |
| MXRoute | Inbound filtering + outbound relay for all domains |
| nginx-mailcow | Only MailCow container connected to the netgrimoire overlay |

Critical: Only nginx-mailcow is attached to the netgrimoire overlay network. All other MailCow containers stay on the internal mailcow-network bridge. Connecting other containers to the overlay causes Redis and PHP-FPM to resolve to wrong IPs, breaking the entire stack.


Domains

netgrimoire.com · pncharris.com · wasted-bandwidth.net · nucking-futz.com · florosafd.org · gnarlypandaproductions.com · pncfishandmore.com · pncharrisenterprises.com


Mail Flow

Inbound: MXRoute filters → forwards to MailCow → Dovecot delivers

Outbound: Postfix → MXRoute relay → recipient

SRS rewriting: MXRoute rewrites the envelope sender on forwarded mail. All domains using MXRoute inbound forwarding must have catch-all aliases configured in MailCow, or reject_unlisted_sender will reject the rewritten addresses.
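To make the SRS/catch-all interaction concrete, here is an added example (not part of this wiki page or of MailCow) that parses an SRS0-rewritten envelope sender and simulates Postfix's reject_unlisted_sender check against a domain's mailbox and alias tables. The mailbox names and the SRS address are constructed; the only real facts used are the SRS0 address layout and the rule that a catch-all alias (`@domain`) makes every local part a listed recipient.

```python
"""Added example: simulate Postfix reject_unlisted_sender against MailCow's
mailbox/alias tables for an SRS-rewritten envelope sender.
All domain data below is constructed for illustration."""
import re
from dataclasses import dataclass, field

# SRS0=<hash>=<timestamp>=<original-domain>=<original-local-part>@<forwarding-domain>
SRS0_RE = re.compile(
    r"^SRS0=(?P<hash>[^=]+)=(?P<ts>[^=]+)=(?P<orig_domain>[^=]+)=(?P<orig_local>.+)$",
    re.IGNORECASE,
)


@dataclass
class MailcowDomain:
    """Recipient tables for one virtual mailbox domain (constructed data)."""
    name: str
    mailboxes: set = field(default_factory=set)  # local parts that have a mailbox
    aliases: set = field(default_factory=set)    # full alias addresses; "@dom" = catch-all


def parse_srs0(local_part):
    """Return the original sender encoded in an SRS0 local part, or None."""
    m = SRS0_RE.match(local_part)
    if not m:
        return None
    return {"orig_domain": m["orig_domain"], "orig_local": m["orig_local"]}


def sender_is_listed(sender, domains):
    """Mimic reject_unlisted_sender: a MAIL FROM inside one of our virtual
    domains must be a mailbox, an explicit alias, or covered by a catch-all."""
    local, _, domain = sender.lower().rpartition("@")
    d = domains.get(domain)
    if d is None:
        return True  # foreign domain: this restriction does not apply
    aliases = {a.lower() for a in d.aliases}
    return (
        local in {m.lower() for m in d.mailboxes}
        or sender.lower() in aliases
        or f"@{domain}" in aliases
    )


def check_forwarded_mail(envelope_sender, domains):
    """Classify an MXRoute-forwarded message by its (rewritten) envelope sender."""
    local, _, domain = envelope_sender.rpartition("@")
    srs = parse_srs0(local)
    if sender_is_listed(envelope_sender, domains):
        return "accept", "sender listed" + (" (SRS-rewritten)" if srs else "")
    if srs:
        return "reject", (
            f"SRS-rewritten sender for {srs['orig_local']}@{srs['orig_domain']} "
            f"is unlisted in {domain}; add a catch-all alias @{domain}"
        )
    return "reject", f"unlisted sender in local domain {domain}"


def demo():
    """Same SRS sender, once without and once with a catch-all alias."""
    sender = "SRS0=x3kq=TW=example.org=someone@netgrimoire.com"  # constructed
    without = {"netgrimoire.com": MailcowDomain("netgrimoire.com", {"postmaster", "alice"})}
    with_catchall = {"netgrimoire.com": MailcowDomain(
        "netgrimoire.com", {"postmaster", "alice"}, {"@netgrimoire.com"})}
    return check_forwarded_mail(sender, without)[0], check_forwarded_mail(sender, with_catchall)[0]


if __name__ == "__main__":
    print(demo())
```

Run it and the same forwarded message is rejected until the catch-all alias exists, which is exactly the failure the note above describes; the check only fires for domains MailCow hosts, so mail from foreign domains is untouched.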


DKIM

Two selectors required:

| Selector | Purpose |
|---|---|
| mailcow | Direct sends from MailCow |
| mxroute | MXRoute relay path |
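Because every one of the eight domains needs both selectors published, it is easy to miss one. The following is an added example (not from this page or from MailCow) that builds the full checklist of DNS names to verify and parses a DKIM TXT record into its tags, handling the split quoted strings a long key is returned as. The record contents are constructed placeholders, not the real keys.

```python
"""Added example: DKIM selector checklist and TXT record validation for the
MailCow domains. Record contents below are constructed placeholders."""
import re

# Domains and selectors as listed on the page
DOMAINS = [
    "netgrimoire.com", "pncharris.com", "wasted-bandwidth.net", "nucking-futz.com",
    "florosafd.org", "gnarlypandaproductions.com", "pncfishandmore.com",
    "pncharrisenterprises.com",
]
SELECTORS = ("mailcow", "mxroute")


def dkim_record_name(selector, domain):
    """DNS owner name of a DKIM public key record."""
    return f"{selector}._domainkey.{domain}"


def required_records(domains=DOMAINS, selectors=SELECTORS):
    """Every selector/domain pair that must resolve (16 names here)."""
    return [dkim_record_name(s, d) for d in domains for s in selectors]


def join_txt_strings(txt):
    """TXT records longer than 255 bytes are split into several quoted
    strings; dig prints them as "..." "..." and they must be concatenated."""
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', txt)
    return "".join(parts) if parts else txt


def parse_dkim_txt(txt):
    """Parse the tag=value list (RFC 6376) and report obvious problems."""
    tags = {}
    for item in join_txt_strings(txt).split(";"):
        item = item.strip()
        if not item:
            continue
        k, _, v = item.partition("=")
        tags[k.strip()] = "".join(v.split())  # whitespace inside p= is ignored
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v must be DKIM1")
    if not tags.get("p"):
        problems.append("public key tag p= is empty (an empty p= means the key is revoked)")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append(f"unknown key type {tags.get('k')!r}")
    return tags, problems


if __name__ == "__main__":
    for name in required_records():
        print("dig +short TXT", name)
    # constructed record as dig would print it, split into two strings
    sample = '"v=DKIM1; k=rsa; " "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...PLACEHOLDER"'
    print(parse_dkim_txt(sample))
```

Feed each `dig +short TXT` result into `parse_dkim_txt`; an empty problem list and a non-empty `p=` for all sixteen names is the state the pending "second DKIM selector validation" item is waiting for.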

Key Limits (must match across all three)

Attachment size limits must be set identically in Postfix, Rspamd, and ClamAV. Changing only Postfix is insufficient — Rspamd and ClamAV reject large messages before Postfix processes them.
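An added example (not from this page or from MailCow) of a consistency check for the three limits: it pulls the size setting out of each tool's config text, normalizes unit suffixes to bytes, and reports any disagreement. The config fragments are constructed, and the key names (`message_size_limit` for Postfix, `max_message` for Rspamd, `MaxFileSize`/`StreamMaxLength` for ClamAV) are assumed from each tool's own configuration format rather than taken from the page; adjust the patterns if your installation uses other keys.

```python
"""Added example: check that Postfix, Rspamd and ClamAV agree on the message
size limit. Config fragments are constructed; key names are assumptions based
on each tool's config format, not taken from the page."""
import re

MULT = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}


def parse_size(text):
    """'26214400', '25M', '25m', '25MB' -> bytes."""
    m = re.fullmatch(r"\s*(\d+)\s*([kKmMgG]?)[bB]?\s*", text)
    if not m:
        raise ValueError(f"unparseable size: {text!r}")
    return int(m.group(1)) * MULT[m.group(2).lower()]


def _grab(pattern, text):
    m = re.search(pattern, text, re.MULTILINE)
    return m.group(1) if m else None


def extract_limits(postfix_cf, rspamd_options, clamd_conf):
    """Pull the size-related setting from each tool's config text (None if unset)."""
    return {
        "postfix:message_size_limit": _grab(r"^\s*message_size_limit\s*=\s*(\S+)", postfix_cf),
        "rspamd:max_message": _grab(r"^\s*max_message\s*=\s*([^;\s]+)", rspamd_options),
        "clamav:MaxFileSize": _grab(r"^\s*MaxFileSize\s+(\S+)", clamd_conf),
        "clamav:StreamMaxLength": _grab(r"^\s*StreamMaxLength\s+(\S+)", clamd_conf),
    }


def find_mismatches(limits):
    """Human-readable findings; an empty list means every limit is set and equal."""
    findings = [f"{k}: not set (tool default applies)" for k, v in limits.items() if v is None]
    values = {k: parse_size(v) for k, v in limits.items() if v is not None}
    if len(set(values.values())) > 1:
        findings.extend(f"{k} = {b} bytes" for k, b in sorted(values.items()))
        findings.append("size limits differ: set all of them to the same value")
    return findings


# Constructed config fragments (25 MiB everywhere vs. Postfix alone raised to 50 MiB)
POSTFIX_OK = "message_size_limit = 26214400\n"
POSTFIX_RAISED = "message_size_limit = 52428800\n"
RSPAMD_OK = "max_message = 25M;\n"
CLAMD_OK = "MaxFileSize 25M\nStreamMaxLength 25M\n"


def demo():
    """Findings for the consistent set and for the Postfix-only change."""
    consistent = find_mismatches(extract_limits(POSTFIX_OK, RSPAMD_OK, CLAMD_OK))
    postfix_only = find_mismatches(extract_limits(POSTFIX_RAISED, RSPAMD_OK, CLAMD_OK))
    return consistent, postfix_only


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

Run with the real file contents instead of the constructed strings; the "Postfix only" case reproduces the mistake the paragraph warns about and the check flags it before the next large attachment does.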


Roundcube SSL

Internal connections to Dovecot use self-signed certs. In config.inc.php:

```php
$config['imap_conn_options'] = ['ssl' => ['verify_peer' => false, 'verify_peer_name' => false]];
```


Pending

  • Dedicated ATT_Mail static IP for outbound mail (OPNsense outbound NAT rule)
  • Second DKIM selector (mxroute) validation
  • MTA-STS validation (supported since Sep 2025 update)