Initial infrastructure: NPM + Mailcow on Proxmox

- VM 200: Nginx Proxy Manager (10.48.200.80)
- VM 201: Mailcow email server (10.48.200.82)
- Cloud-init automation for both VMs
- FortiGate VIP/policy documentation
- DNS records for web.orbishosting.com
- NPM proxy host setup guide
- Mailcow post-install checklist
- Cert sync script (NPM → Mailcow)

External IP: 97.176.15.26
This commit is contained in:
2026-04-23 04:37:56 +00:00
parent ca6fd7688e
commit b60db8a0d0
10 changed files with 917 additions and 2 deletions
+68
View File
@@ -0,0 +1,68 @@
# DNS Records — web.orbishosting.com
Configure these at your DNS registrar/provider. External IP: **97.176.15.26**
## Required Records
### A Records
| Name | Type | Value | TTL |
|------|------|-------|-----|
| `web.orbishosting.com` | A | `97.176.15.26` | 3600 |
| `mail.web.orbishosting.com` | A | `97.176.15.26` | 3600 |
| `npm.web.orbishosting.com` | A | `97.176.15.26` | 3600 |
### MX Record
| Name | Type | Priority | Value | TTL |
|------|------|----------|-------|-----|
| `web.orbishosting.com` | MX | `10` | `mail.web.orbishosting.com` | 3600 |
### SPF (TXT)
| Name | Type | Value |
|------|------|-------|
| `web.orbishosting.com` | TXT | `v=spf1 mx a ip4:97.176.15.26 ~all` |
### DMARC (TXT)
| Name | Type | Value |
|------|------|-------|
| `_dmarc.web.orbishosting.com` | TXT | `v=DMARC1; p=quarantine; rua=mailto:postmaster@web.orbishosting.com; ruf=mailto:postmaster@web.orbishosting.com; fo=1` |
### Autodiscover / Autoconfig (for mail clients)
| Name | Type | Value |
|------|------|-------|
| `autodiscover.web.orbishosting.com` | CNAME | `mail.web.orbishosting.com` |
| `autoconfig.web.orbishosting.com` | CNAME | `mail.web.orbishosting.com` |
### DKIM (add AFTER Mailcow is running)
1. Log into Mailcow admin: https://mail.web.orbishosting.com
2. Go to **Configuration → Domains → web.orbishosting.com → DKIM**
3. Copy the TXT record value shown
4. Add to DNS:
| Name | Type | Value |
|------|------|-------|
| `dkim._domainkey.web.orbishosting.com` | TXT | *(copy from Mailcow admin)* |
### PTR Record (Reverse DNS)
Contact your ISP and request a PTR record:
- IP: `97.176.15.26`
- Points to: `mail.web.orbishosting.com`
This is critical for email deliverability. Without it, many servers will reject your mail.
---
## Verification Commands (run after DNS propagates)
```bash
# Check A record
dig mail.web.orbishosting.com A
# Check MX record
dig web.orbishosting.com MX
# Check SPF
dig web.orbishosting.com TXT
# Test mail score
# Visit: https://www.mail-tester.com and send a test email
```
+194
View File
@@ -0,0 +1,194 @@
# FortiGate Configuration Changes
FortiGate URL: https://10.48.200.1:9443
Login: admin / (your password)
**REVIEW BEFORE APPLYING. FusionPBX rules are NOT touched.**
---
## Step 1 — Create Virtual IPs (VIPs)
Go to: **Policy & Objects → Virtual IPs → Create New → Virtual IP**
### VIP 1: NPM (Web Traffic)
| Field | Value |
|-------|-------|
| Name | `VIP-NPM-HTTP` |
| Interface | WAN interface (the one with 97.176.15.26) |
| External IP | `97.176.15.26` |
| Mapped IP | `10.48.200.80` |
| Port Forwarding | Enabled |
| Protocol | TCP |
| External Port | `80` |
| Mapped Port | `80` |
### VIP 2: NPM (HTTPS)
| Field | Value |
|-------|-------|
| Name | `VIP-NPM-HTTPS` |
| Interface | WAN interface |
| External IP | `97.176.15.26` |
| Mapped IP | `10.48.200.80` |
| Port Forwarding | Enabled |
| Protocol | TCP |
| External Port | `443` |
| Mapped Port | `443` |
### VIP 3: Mailcow SMTP (Port 25)
| Field | Value |
|-------|-------|
| Name | `VIP-MAIL-SMTP` |
| Interface | WAN interface |
| External IP | `97.176.15.26` |
| Mapped IP | `10.48.200.82` |
| Port Forwarding | Enabled |
| Protocol | TCP |
| External Port | `25` |
| Mapped Port | `25` |
### VIP 4: Mailcow SMTPS (Port 465)
| Field | Value |
|-------|-------|
| Name | `VIP-MAIL-SMTPS` |
| Interface | WAN interface |
| External IP | `97.176.15.26` |
| Mapped IP | `10.48.200.82` |
| Port Forwarding | Enabled |
| Protocol | TCP |
| External Port | `465` |
| Mapped Port | `465` |
### VIP 5: Mailcow Submission (Port 587)
| Field | Value |
|-------|-------|
| Name | `VIP-MAIL-SUBMISSION` |
| Interface | WAN interface |
| External IP | `97.176.15.26` |
| Mapped IP | `10.48.200.82` |
| Port Forwarding | Enabled |
| Protocol | TCP |
| External Port | `587` |
| Mapped Port | `587` |
### VIP 6: Mailcow IMAP (Port 143)
| Field | Value |
|-------|-------|
| Name | `VIP-MAIL-IMAP` |
| Interface | WAN interface |
| External IP | `97.176.15.26` |
| Mapped IP | `10.48.200.82` |
| Port Forwarding | Enabled |
| Protocol | TCP |
| External Port | `143` |
| Mapped Port | `143` |
### VIP 7: Mailcow IMAPS (Port 993)
| Field | Value |
|-------|-------|
| Name | `VIP-MAIL-IMAPS` |
| Interface | WAN interface |
| External IP | `97.176.15.26` |
| Mapped IP | `10.48.200.82` |
| Port Forwarding | Enabled |
| Protocol | TCP |
| External Port | `993` |
| Mapped Port | `993` |
### VIP 8: Mailcow POP3 (Port 110) — Optional
| Field | Value |
|-------|-------|
| Name | `VIP-MAIL-POP3` |
| Interface | WAN interface |
| External IP | `97.176.15.26` |
| Mapped IP | `10.48.200.82` |
| Port Forwarding | Enabled |
| Protocol | TCP |
| External Port | `110` |
| Mapped Port | `110` |
### VIP 9: Mailcow POP3S (Port 995) — Optional
| Field | Value |
|-------|-------|
| Name | `VIP-MAIL-POP3S` |
| Interface | WAN interface |
| External IP | `97.176.15.26` |
| Mapped IP | `10.48.200.82` |
| Port Forwarding | Enabled |
| Protocol | TCP |
| External Port | `995` |
| Mapped Port | `995` |
---
## Step 2 — Create Firewall Policies
Go to: **Policy & Objects → Firewall Policy → Create New**
### Policy 1: Allow Web Traffic to NPM
| Field | Value |
|-------|-------|
| Name | `WAN-to-NPM-Web` |
| Incoming Interface | WAN |
| Outgoing Interface | LAN (internal) |
| Source | `all` |
| Destination | `VIP-NPM-HTTP`, `VIP-NPM-HTTPS` |
| Schedule | `always` |
| Service | `HTTP`, `HTTPS` |
| Action | `ACCEPT` |
| NAT | Enabled |
| Log | Enabled (recommended) |
### Policy 2: Allow Mail Traffic to Mailcow
| Field | Value |
|-------|-------|
| Name | `WAN-to-Mailcow-Mail` |
| Incoming Interface | WAN |
| Outgoing Interface | LAN (internal) |
| Source | `all` |
| Destination | `VIP-MAIL-SMTP`, `VIP-MAIL-SMTPS`, `VIP-MAIL-SUBMISSION`, `VIP-MAIL-IMAP`, `VIP-MAIL-IMAPS` |
| Schedule | `always` |
| Service | Custom (ports 25, 465, 587, 143, 993) |
| Action | `ACCEPT` |
| NAT | Enabled |
| Log | Enabled |
> **NOTE:** If you also want POP3, add `VIP-MAIL-POP3` and `VIP-MAIL-POP3S` to Policy 2.
---
## Step 3 — Verify FusionPBX Rules Are Intact
After applying the above, confirm your existing SIP/RTP rules still exist:
- Port `5060` UDP/TCP → FusionPBX host
- Port `5061` UDP/TCP → FusionPBX host
- Ports `10000-20000` UDP → FusionPBX host (RTP)
Do NOT remove or modify these.
---
## Step 4 — (Optional) Block SMTP relay abuse
Add a firewall policy to prevent internal hosts from sending SMTP directly (forces use of Mailcow):
- Outgoing port 25 from LAN → blocked (except from 10.48.200.82)
---
## Verification
After applying:
```bash
# Test from external network or use mxtoolbox.com:
# https://mxtoolbox.com/SuperTool.aspx
# Test SMTP
telnet 97.176.15.26 25
# Test IMAP
telnet 97.176.15.26 143
# Test web
curl -I http://97.176.15.26
curl -Ik https://97.176.15.26
```