mirror of
https://github.com/myronblair/ProxMailcow
synced 2026-06-30 17:50:40 -05:00
Initial infrastructure: NPM + Mailcow on Proxmox
- VM 200: Nginx Proxy Manager (10.48.200.80)
- VM 201: Mailcow email server (10.48.200.82)
- Cloud-init automation for both VMs
- FortiGate VIP/policy documentation
- DNS records for web.orbishosting.com
- NPM proxy host setup guide
- Mailcow post-install checklist
- Cert sync script (NPM → Mailcow)

External IP: 97.176.15.26
@@ -0,0 +1,68 @@
# DNS Records — web.orbishosting.com

Configure these at your DNS registrar/provider. External IP: **97.176.15.26**

## Required Records

### A Records
| Name | Type | Value | TTL |
|------|------|-------|-----|
| `web.orbishosting.com` | A | `97.176.15.26` | 3600 |
| `mail.web.orbishosting.com` | A | `97.176.15.26` | 3600 |
| `npm.web.orbishosting.com` | A | `97.176.15.26` | 3600 |

### MX Record
| Name | Type | Priority | Value | TTL |
|------|------|----------|-------|-----|
| `web.orbishosting.com` | MX | `10` | `mail.web.orbishosting.com` | 3600 |

### SPF (TXT)
| Name | Type | Value |
|------|------|-------|
| `web.orbishosting.com` | TXT | `v=spf1 mx a ip4:97.176.15.26 ~all` |

### DMARC (TXT)
| Name | Type | Value |
|------|------|-------|
| `_dmarc.web.orbishosting.com` | TXT | `v=DMARC1; p=quarantine; rua=mailto:postmaster@web.orbishosting.com; ruf=mailto:postmaster@web.orbishosting.com; fo=1` |

### Autodiscover / Autoconfig (for mail clients)
| Name | Type | Value |
|------|------|-------|
| `autodiscover.web.orbishosting.com` | CNAME | `mail.web.orbishosting.com` |
| `autoconfig.web.orbishosting.com` | CNAME | `mail.web.orbishosting.com` |

### DKIM (add AFTER Mailcow is running)
1. Log into Mailcow admin: https://mail.web.orbishosting.com
2. Go to **Configuration → Domains → web.orbishosting.com → DKIM**
3. Copy the TXT record value shown
4. Add to DNS:

| Name | Type | Value |
|------|------|-------|
| `dkim._domainkey.web.orbishosting.com` | TXT | *(copy from Mailcow admin)* |

### PTR Record (Reverse DNS)
Contact your ISP and request a PTR record:
- IP: `97.176.15.26`
- Points to: `mail.web.orbishosting.com`

This is critical for email deliverability. Without it, many servers will reject your mail.

---

## Verification Commands (run after DNS propagates)

```bash
# Check A record
dig mail.web.orbishosting.com A

# Check MX record
dig web.orbishosting.com MX

# Check SPF
dig web.orbishosting.com TXT

# Test mail score
# Visit: https://www.mail-tester.com and send a test email
```
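Review bot: the SPF record `v=spf1 mx a ip4:97.176.15.26 ~all` names the same address three times, since both `mx` (`mail.web.orbishosting.com`) and `a` (`web.orbishosting.com`) resolve to `97.176.15.26` per the A and MX tables above; `v=spf1 mx -all` says the same thing with one place to update if the address changes, and if Mailcow is the only legitimate sender, `-all` expresses that policy more precisely than the `~all` softfail. The DMARC record publishes `p=quarantine` immediately, while the DKIM section is explicitly "add AFTER Mailcow is running"; the usual rollout is `p=none` first, then tightening to `quarantine` once the `rua=` aggregate reports show SPF and DKIM aligning for all outbound mail, so that legitimate mail is not quarantined during setup. Also, the verification block checks A, MX and SPF only; adding `dig _dmarc.web.orbishosting.com TXT` and `dig dkim._domainkey.web.orbishosting.com TXT` covers the two records this document asks the operator to paste by hand.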
@@ -0,0 +1,194 @@
# FortiGate Configuration Changes

FortiGate URL: https://10.48.200.1:9443
Login: admin / (your password)

**REVIEW BEFORE APPLYING. FusionPBX rules are NOT touched.**

---

## Step 1 — Create Virtual IPs (VIPs)

Go to: **Policy & Objects → Virtual IPs → Create New → Virtual IP**

### VIP 1: NPM (Web Traffic)
| Field | Value |
|-------|-------|
| Name | `VIP-NPM-HTTP` |
| Interface | WAN interface (the one with 97.176.15.26) |
| External IP | `97.176.15.26` |
| Mapped IP | `10.48.200.80` |
| Port Forwarding | Enabled |
| Protocol | TCP |
| External Port | `80` |
| Mapped Port | `80` |

### VIP 2: NPM (HTTPS)
| Field | Value |
|-------|-------|
| Name | `VIP-NPM-HTTPS` |
| Interface | WAN interface |
| External IP | `97.176.15.26` |
| Mapped IP | `10.48.200.80` |
| Port Forwarding | Enabled |
| Protocol | TCP |
| External Port | `443` |
| Mapped Port | `443` |

### VIP 3: Mailcow SMTP (Port 25)
| Field | Value |
|-------|-------|
| Name | `VIP-MAIL-SMTP` |
| Interface | WAN interface |
| External IP | `97.176.15.26` |
| Mapped IP | `10.48.200.82` |
| Port Forwarding | Enabled |
| Protocol | TCP |
| External Port | `25` |
| Mapped Port | `25` |

### VIP 4: Mailcow SMTPS (Port 465)
| Field | Value |
|-------|-------|
| Name | `VIP-MAIL-SMTPS` |
| Interface | WAN interface |
| External IP | `97.176.15.26` |
| Mapped IP | `10.48.200.82` |
| Port Forwarding | Enabled |
| Protocol | TCP |
| External Port | `465` |
| Mapped Port | `465` |

### VIP 5: Mailcow Submission (Port 587)
| Field | Value |
|-------|-------|
| Name | `VIP-MAIL-SUBMISSION` |
| Interface | WAN interface |
| External IP | `97.176.15.26` |
| Mapped IP | `10.48.200.82` |
| Port Forwarding | Enabled |
| Protocol | TCP |
| External Port | `587` |
| Mapped Port | `587` |

### VIP 6: Mailcow IMAP (Port 143)
| Field | Value |
|-------|-------|
| Name | `VIP-MAIL-IMAP` |
| Interface | WAN interface |
| External IP | `97.176.15.26` |
| Mapped IP | `10.48.200.82` |
| Port Forwarding | Enabled |
| Protocol | TCP |
| External Port | `143` |
| Mapped Port | `143` |

### VIP 7: Mailcow IMAPS (Port 993)
| Field | Value |
|-------|-------|
| Name | `VIP-MAIL-IMAPS` |
| Interface | WAN interface |
| External IP | `97.176.15.26` |
| Mapped IP | `10.48.200.82` |
| Port Forwarding | Enabled |
| Protocol | TCP |
| External Port | `993` |
| Mapped Port | `993` |

### VIP 8: Mailcow POP3 (Port 110) — Optional
| Field | Value |
|-------|-------|
| Name | `VIP-MAIL-POP3` |
| Interface | WAN interface |
| External IP | `97.176.15.26` |
| Mapped IP | `10.48.200.82` |
| Port Forwarding | Enabled |
| Protocol | TCP |
| External Port | `110` |
| Mapped Port | `110` |

### VIP 9: Mailcow POP3S (Port 995) — Optional
| Field | Value |
|-------|-------|
| Name | `VIP-MAIL-POP3S` |
| Interface | WAN interface |
| External IP | `97.176.15.26` |
| Mapped IP | `10.48.200.82` |
| Port Forwarding | Enabled |
| Protocol | TCP |
| External Port | `995` |
| Mapped Port | `995` |

---

## Step 2 — Create Firewall Policies

Go to: **Policy & Objects → Firewall Policy → Create New**

### Policy 1: Allow Web Traffic to NPM
| Field | Value |
|-------|-------|
| Name | `WAN-to-NPM-Web` |
| Incoming Interface | WAN |
| Outgoing Interface | LAN (internal) |
| Source | `all` |
| Destination | `VIP-NPM-HTTP`, `VIP-NPM-HTTPS` |
| Schedule | `always` |
| Service | `HTTP`, `HTTPS` |
| Action | `ACCEPT` |
| NAT | Enabled |
| Log | Enabled (recommended) |

### Policy 2: Allow Mail Traffic to Mailcow
| Field | Value |
|-------|-------|
| Name | `WAN-to-Mailcow-Mail` |
| Incoming Interface | WAN |
| Outgoing Interface | LAN (internal) |
| Source | `all` |
| Destination | `VIP-MAIL-SMTP`, `VIP-MAIL-SMTPS`, `VIP-MAIL-SUBMISSION`, `VIP-MAIL-IMAP`, `VIP-MAIL-IMAPS` |
| Schedule | `always` |
| Service | Custom (ports 25, 465, 587, 143, 993) |
| Action | `ACCEPT` |
| NAT | Enabled |
| Log | Enabled |

> **NOTE:** If you also want POP3, add `VIP-MAIL-POP3` and `VIP-MAIL-POP3S` to Policy 2.

---

## Step 3 — Verify FusionPBX Rules Are Intact

After applying the above, confirm your existing SIP/RTP rules still exist:
- Port `5060` UDP/TCP → FusionPBX host
- Port `5061` UDP/TCP → FusionPBX host
- Ports `10000-20000` UDP → FusionPBX host (RTP)

Do NOT remove or modify these.

---

## Step 4 — (Optional) Block SMTP relay abuse

Add a firewall policy to prevent internal hosts from sending SMTP directly (forces use of Mailcow):
- Outgoing port 25 from LAN → blocked (except from 10.48.200.82)

---

## Verification

After applying:
```bash
# Test from external network or use mxtoolbox.com:
# https://mxtoolbox.com/SuperTool.aspx

# Test SMTP
telnet 97.176.15.26 25

# Test IMAP
telnet 97.176.15.26 143

# Test web
curl -I http://97.176.15.26
curl -Ik https://97.176.15.26
```
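Review bot: `| NAT | Enabled |` in Policy 1 and Policy 2 should be Disabled: the VIP objects from Step 1 already perform the destination NAT, and the NAT toggle on a FortiGate policy adds source NAT to the outgoing interface address, so NPM and Mailcow would see the firewall's LAN address as the client for every inbound connection instead of the real Internet address. That defeats Mailcow's netfilter/fail2ban bans and per-IP rate limits, its SPF and DNSBL checks on inbound SMTP (both evaluate the connecting IP), and NPM's access logs and any IP allow/deny lists. Two smaller points: `Service | Custom (ports 25, 465, 587, 143, 993)` should reference a named service object so the policy is reproducible and reviewable rather than an inline custom entry, and the Step 4 egress rule ("Outgoing port 25 from LAN → blocked (except from 10.48.200.82)") only takes effect if it is ordered above the existing LAN-to-WAN allow policy, since FortiGate evaluates policies top-down; the step should say so.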