ProxMailcow/docs/fortigate-changes.md
myron b60db8a0d0 Initial infrastructure: NPM + Mailcow on Proxmox
- VM 200: Nginx Proxy Manager (10.48.200.80)
- VM 201: Mailcow email server (10.48.200.82)
- Cloud-init automation for both VMs
- FortiGate VIP/policy documentation
- DNS records for web.orbishosting.com
- NPM proxy host setup guide
- Mailcow post-install checklist
- Cert sync script (NPM → Mailcow)

External IP: 97.176.15.26
2026-04-23 04:37:56 +00:00


FortiGate Configuration Changes

FortiGate URL: https://10.48.200.1:9443
Login: admin / (your password)

REVIEW BEFORE APPLYING. FusionPBX rules are NOT touched.


Step 1 — Create Virtual IPs (VIPs)

Go to: Policy & Objects → Virtual IPs → Create New → Virtual IP

VIP 1: NPM (Web Traffic)

| Field | Value |
|---|---|
| Name | VIP-NPM-HTTP |
| Interface | WAN interface (the one with 97.176.15.26) |
| External IP | 97.176.15.26 |
| Mapped IP | 10.48.200.80 |
| Port Forwarding | Enabled |
| Protocol | TCP |
| External Port | 80 |
| Mapped Port | 80 |

VIP 2: NPM (HTTPS)

| Field | Value |
|---|---|
| Name | VIP-NPM-HTTPS |
| Interface | WAN interface |
| External IP | 97.176.15.26 |
| Mapped IP | 10.48.200.80 |
| Port Forwarding | Enabled |
| Protocol | TCP |
| External Port | 443 |
| Mapped Port | 443 |

VIP 3: Mailcow SMTP (Port 25)

| Field | Value |
|---|---|
| Name | VIP-MAIL-SMTP |
| Interface | WAN interface |
| External IP | 97.176.15.26 |
| Mapped IP | 10.48.200.82 |
| Port Forwarding | Enabled |
| Protocol | TCP |
| External Port | 25 |
| Mapped Port | 25 |

VIP 4: Mailcow SMTPS (Port 465)

| Field | Value |
|---|---|
| Name | VIP-MAIL-SMTPS |
| Interface | WAN interface |
| External IP | 97.176.15.26 |
| Mapped IP | 10.48.200.82 |
| Port Forwarding | Enabled |
| Protocol | TCP |
| External Port | 465 |
| Mapped Port | 465 |

VIP 5: Mailcow Submission (Port 587)

| Field | Value |
|---|---|
| Name | VIP-MAIL-SUBMISSION |
| Interface | WAN interface |
| External IP | 97.176.15.26 |
| Mapped IP | 10.48.200.82 |
| Port Forwarding | Enabled |
| Protocol | TCP |
| External Port | 587 |
| Mapped Port | 587 |

VIP 6: Mailcow IMAP (Port 143)

| Field | Value |
|---|---|
| Name | VIP-MAIL-IMAP |
| Interface | WAN interface |
| External IP | 97.176.15.26 |
| Mapped IP | 10.48.200.82 |
| Port Forwarding | Enabled |
| Protocol | TCP |
| External Port | 143 |
| Mapped Port | 143 |

VIP 7: Mailcow IMAPS (Port 993)

| Field | Value |
|---|---|
| Name | VIP-MAIL-IMAPS |
| Interface | WAN interface |
| External IP | 97.176.15.26 |
| Mapped IP | 10.48.200.82 |
| Port Forwarding | Enabled |
| Protocol | TCP |
| External Port | 993 |
| Mapped Port | 993 |

VIP 8: Mailcow POP3 (Port 110) — Optional

| Field | Value |
|---|---|
| Name | VIP-MAIL-POP3 |
| Interface | WAN interface |
| External IP | 97.176.15.26 |
| Mapped IP | 10.48.200.82 |
| Port Forwarding | Enabled |
| Protocol | TCP |
| External Port | 110 |
| Mapped Port | 110 |

VIP 9: Mailcow POP3S (Port 995) — Optional

| Field | Value |
|---|---|
| Name | VIP-MAIL-POP3S |
| Interface | WAN interface |
| External IP | 97.176.15.26 |
| Mapped IP | 10.48.200.82 |
| Port Forwarding | Enabled |
| Protocol | TCP |
| External Port | 995 |
| Mapped Port | 995 |

Step 2 — Create Firewall Policies

Go to: Policy & Objects → Firewall Policy → Create New

Policy 1: Allow Web Traffic to NPM

| Field | Value |
|---|---|
| Name | WAN-to-NPM-Web |
| Incoming Interface | WAN |
| Outgoing Interface | LAN (internal) |
| Source | all |
| Destination | VIP-NPM-HTTP, VIP-NPM-HTTPS |
| Schedule | always |
| Service | HTTP, HTTPS |
| Action | ACCEPT |
| NAT | Enabled |
| Log | Enabled (recommended) |

Policy 2: Allow Mail Traffic to Mailcow

| Field | Value |
|---|---|
| Name | WAN-to-Mailcow-Mail |
| Incoming Interface | WAN |
| Outgoing Interface | LAN (internal) |
| Source | all |
| Destination | VIP-MAIL-SMTP, VIP-MAIL-SMTPS, VIP-MAIL-SUBMISSION, VIP-MAIL-IMAP, VIP-MAIL-IMAPS |
| Schedule | always |
| Service | Custom (ports 25, 465, 587, 143, 993) |
| Action | ACCEPT |
| NAT | Enabled |
| Log | Enabled |

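NOTE: If you also want POP3, add VIP-MAIL-POP3 and VIP-MAIL-POP3S to the Destination of Policy 2, and add ports 110 and 995 to its custom Service so the policy actually matches that traffic.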


Step 3 — Verify FusionPBX Rules Are Intact

After applying the above, confirm your existing SIP/RTP rules still exist:

  • Port 5060 UDP/TCP → FusionPBX host
  • Port 5061 UDP/TCP → FusionPBX host
  • Ports 10000-20000 UDP → FusionPBX host (RTP)

Do NOT remove or modify these.


Step 4 — (Optional) Block SMTP relay abuse

Add a firewall policy to prevent internal hosts from sending SMTP directly (forces use of Mailcow):

  • Outgoing port 25 from LAN → blocked (except from 10.48.200.82)

Verification

After applying:

```bash
# Test from external network or use mxtoolbox.com:
# https://mxtoolbox.com/SuperTool.aspx

# Test SMTP
telnet 97.176.15.26 25

# Test IMAP
telnet 97.176.15.26 143

# Test web
curl -I http://97.176.15.26
curl -Ik https://97.176.15.26
```
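
The manual checks above touch only ports 25, 143, 80 and 443. The script below is an added example, not part of the original repository: it compares observed port states against the exposure defined in Steps 1 and 2 and flags anything missing or unexpectedly open. The function names, the `--live` flag, the `nc -z -w` probe and the rule that the FortiGate admin port 9443 must not answer on the WAN address are assumptions.

```shell
#!/bin/sh
# Added example, not from the original repo. Policy mirrors Steps 1-2 above.
EXT_IP="97.176.15.26"
REQUIRED="25 80 143 443 465 587 993"  # VIP 1-7: must answer
OPTIONAL="110 995"                     # VIP 8-9: open only if POP3 was added
FORBIDDEN="9443"                       # assumption: admin GUI port must stay closed on WAN

# expected PORT -> open | either | closed (anything unlisted must be closed)
expected() {
  case " $REQUIRED " in *" $1 "*) echo open; return 0 ;; esac
  case " $OPTIONAL " in *" $1 "*) echo either; return 0 ;; esac
  echo closed
}

# judge PORT STATE -> one result line; status 1 when the state violates the policy
judge() {
  want=$(expected "$1")
  if [ "$want" = either ] || [ "$want" = "$2" ]; then
    echo "OK   $1/tcp $2"
  else
    echo "FAIL $1/tcp is $2, expected $want"
    return 1
  fi
}

# audit: reads "PORT STATE" lines on stdin; status 0 only if nothing mismatched
audit() {
  fails=0
  while read -r port state; do
    judge "$port" "$state" || fails=$((fails + 1))
  done
  echo "$fails mismatch(es)"
  [ "$fails" -eq 0 ]
}

# probe: live observations, to be run from outside the LAN.
# Assumes an nc that supports -z (connect only) and -w (timeout in seconds).
probe() {
  for p in $REQUIRED $OPTIONAL $FORBIDDEN; do
    if nc -z -w 5 "$EXT_IP" "$p" 2>/dev/null; then echo "$p open"; else echo "$p closed"; fi
  done
}

case "${1:-}" in
  --live) probe | audit ;;
  # Default: constructed observations, so the script runs offline.
  *) printf '25 open\n143 closed\n9443 open\n110 closed\n' | audit || true ;;
esac
```

Run it with `--live` from a host outside the LAN after applying the policies; a non-zero exit status means the published ports differ from what this document defines.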