Initial infrastructure: NPM + Mailcow on Proxmox

- VM 200: Nginx Proxy Manager (10.48.200.80)
- VM 201: Mailcow email server (10.48.200.82)
- Cloud-init automation for both VMs
- FortiGate VIP/policy documentation
- DNS records for web.orbishosting.com
- NPM proxy host setup guide
- Mailcow post-install checklist
- Cert sync script (NPM → Mailcow)

External IP: 97.176.15.26
2026-04-23 04:37:56 +00:00
parent ca6fd7688e
commit b60db8a0d0
10 changed files with 917 additions and 2 deletions
@@ -0,0 +1,194 @@
# FortiGate Configuration Changes
FortiGate URL: https://10.48.200.1:9443
Login: admin / (your password)
**REVIEW BEFORE APPLYING. FusionPBX rules are NOT touched.**
---
## Step 1 — Create Virtual IPs (VIPs)
Go to: **Policy & Objects → Virtual IPs → Create New → Virtual IP**
### VIP 1: NPM (Web Traffic)
| Field | Value |
|-------|-------|
| Name | `VIP-NPM-HTTP` |
| Interface | WAN interface (the one with 97.176.15.26) |
| External IP | `97.176.15.26` |
| Mapped IP | `10.48.200.80` |
| Port Forwarding | Enabled |
| Protocol | TCP |
| External Port | `80` |
| Mapped Port | `80` |
### VIP 2: NPM (HTTPS)
| Field | Value |
|-------|-------|
| Name | `VIP-NPM-HTTPS` |
| Interface | WAN interface |
| External IP | `97.176.15.26` |
| Mapped IP | `10.48.200.80` |
| Port Forwarding | Enabled |
| Protocol | TCP |
| External Port | `443` |
| Mapped Port | `443` |
### VIP 3: Mailcow SMTP (Port 25)
| Field | Value |
|-------|-------|
| Name | `VIP-MAIL-SMTP` |
| Interface | WAN interface |
| External IP | `97.176.15.26` |
| Mapped IP | `10.48.200.82` |
| Port Forwarding | Enabled |
| Protocol | TCP |
| External Port | `25` |
| Mapped Port | `25` |
### VIP 4: Mailcow SMTPS (Port 465)
| Field | Value |
|-------|-------|
| Name | `VIP-MAIL-SMTPS` |
| Interface | WAN interface |
| External IP | `97.176.15.26` |
| Mapped IP | `10.48.200.82` |
| Port Forwarding | Enabled |
| Protocol | TCP |
| External Port | `465` |
| Mapped Port | `465` |
### VIP 5: Mailcow Submission (Port 587)
| Field | Value |
|-------|-------|
| Name | `VIP-MAIL-SUBMISSION` |
| Interface | WAN interface |
| External IP | `97.176.15.26` |
| Mapped IP | `10.48.200.82` |
| Port Forwarding | Enabled |
| Protocol | TCP |
| External Port | `587` |
| Mapped Port | `587` |
### VIP 6: Mailcow IMAP (Port 143)
| Field | Value |
|-------|-------|
| Name | `VIP-MAIL-IMAP` |
| Interface | WAN interface |
| External IP | `97.176.15.26` |
| Mapped IP | `10.48.200.82` |
| Port Forwarding | Enabled |
| Protocol | TCP |
| External Port | `143` |
| Mapped Port | `143` |
### VIP 7: Mailcow IMAPS (Port 993)
| Field | Value |
|-------|-------|
| Name | `VIP-MAIL-IMAPS` |
| Interface | WAN interface |
| External IP | `97.176.15.26` |
| Mapped IP | `10.48.200.82` |
| Port Forwarding | Enabled |
| Protocol | TCP |
| External Port | `993` |
| Mapped Port | `993` |
### VIP 8: Mailcow POP3 (Port 110) — Optional
| Field | Value |
|-------|-------|
| Name | `VIP-MAIL-POP3` |
| Interface | WAN interface |
| External IP | `97.176.15.26` |
| Mapped IP | `10.48.200.82` |
| Port Forwarding | Enabled |
| Protocol | TCP |
| External Port | `110` |
| Mapped Port | `110` |
### VIP 9: Mailcow POP3S (Port 995) — Optional
| Field | Value |
|-------|-------|
| Name | `VIP-MAIL-POP3S` |
| Interface | WAN interface |
| External IP | `97.176.15.26` |
| Mapped IP | `10.48.200.82` |
| Port Forwarding | Enabled |
| Protocol | TCP |
| External Port | `995` |
| Mapped Port | `995` |
---
## Step 2 — Create Firewall Policies
Go to: **Policy & Objects → Firewall Policy → Create New**
### Policy 1: Allow Web Traffic to NPM
| Field | Value |
|-------|-------|
| Name | `WAN-to-NPM-Web` |
| Incoming Interface | WAN |
| Outgoing Interface | LAN (internal) |
| Source | `all` |
| Destination | `VIP-NPM-HTTP`, `VIP-NPM-HTTPS` |
| Schedule | `always` |
| Service | `HTTP`, `HTTPS` |
| Action | `ACCEPT` |
| NAT | Enabled |
| Log | Enabled (recommended) |
### Policy 2: Allow Mail Traffic to Mailcow
| Field | Value |
|-------|-------|
| Name | `WAN-to-Mailcow-Mail` |
| Incoming Interface | WAN |
| Outgoing Interface | LAN (internal) |
| Source | `all` |
| Destination | `VIP-MAIL-SMTP`, `VIP-MAIL-SMTPS`, `VIP-MAIL-SUBMISSION`, `VIP-MAIL-IMAP`, `VIP-MAIL-IMAPS` |
| Schedule | `always` |
| Service | Custom (ports 25, 465, 587, 143, 993) |
| Action | `ACCEPT` |
| NAT | Enabled |
| Log | Enabled |
> **NOTE:** If you also want POP3, add `VIP-MAIL-POP3` and `VIP-MAIL-POP3S` to Policy 2.
---
## Step 3 — Verify FusionPBX Rules Are Intact
After applying the above, confirm your existing SIP/RTP rules still exist:
- Port `5060` UDP/TCP → FusionPBX host
- Port `5061` UDP/TCP → FusionPBX host
- Ports `10000-20000` UDP → FusionPBX host (RTP)
Do NOT remove or modify these.
---
## Step 4 — (Optional) Block SMTP relay abuse
Add a firewall policy to prevent internal hosts from sending SMTP directly (forces use of Mailcow):
- Outgoing port 25 from LAN → blocked (except from 10.48.200.82)
---
## Verification
After applying:
```bash
# Test from external network or use mxtoolbox.com:
# https://mxtoolbox.com/SuperTool.aspx
# Test SMTP
telnet 97.176.15.26 25
# Test IMAP
telnet 97.176.15.26 143
# Test web
curl -I http://97.176.15.26
curl -Ik https://97.176.15.26
```
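Review bot: Step 4 (the outbound port 25 block) is the one policy in this file without a `| Field | Value |` table, and it leaves out the ordering that makes it work: FortiGate evaluates firewall policies top-down, first match, so the ACCEPT policy for source `10.48.200.82` → WAN on TCP 25 must sit above the DENY for LAN → WAN on TCP 25, otherwise Mailcow's own outbound mail is blocked along with everything else. Suggest documenting both policies in the same table format as Policies 1 and 2 with an explicit "place above" note, and enabling Log on the deny so hosts that try to send direct SMTP show up in the FortiGate logs. Also, in the Verification block `curl -Ik https://97.176.15.26` disables certificate validation, so it only proves port 443 is forwarded and says nothing about whether NPM is serving a valid certificate for `web.orbishosting.com`; `curl -I --resolve web.orbishosting.com:443:97.176.15.26 https://web.orbishosting.com` checks the forward and the certificate chain in one step.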