ProxMailcow/nginx-proxy-manager/npm-proxy-setup.md
myron b60db8a0d0 Initial infrastructure: NPM + Mailcow on Proxmox
- VM 200: Nginx Proxy Manager (10.48.200.80)
- VM 201: Mailcow email server (10.48.200.82)
- Cloud-init automation for both VMs
- FortiGate VIP/policy documentation
- DNS records for web.orbishosting.com
- NPM proxy host setup guide
- Mailcow post-install checklist
- Cert sync script (NPM → Mailcow)

External IP: 97.176.15.26
2026-04-23 04:37:56 +00:00


Nginx Proxy Manager — Proxy Host Configuration

After NPM is running, configure it via the web UI at http://10.48.200.80:81

Default login: admin@example.com / changeme. Change it immediately.


Proxy Host 1: Mailcow Web UI (HTTPS)

Go to: Hosts → Proxy Hosts → Add Proxy Host

Details Tab

| Field | Value |
|---|---|
| Domain Names | mail.web.orbishosting.com |
| Scheme | http |
| Forward Hostname / IP | 10.48.200.82 |
| Forward Port | 8080 |
| Cache Assets | Off |
| Block Common Exploits | On |
| Websockets Support | On (required for Mailcow) |

SSL Tab

| Field | Value |
|---|---|
| SSL Certificate | Request a new SSL Certificate |
| Force SSL | On |
| HTTP/2 Support | On |
| HSTS Enabled | On |
| Let's Encrypt Email | postmaster@web.orbishosting.com |
| I Agree to ToS | Checked |

Click Save — NPM will automatically get a Let's Encrypt certificate.


Proxy Host 2: NPM Admin UI (Optional — for remote management)

If you want to access the NPM admin panel via your domain:

Details Tab

| Field | Value |
|---|---|
| Domain Names | npm.web.orbishosting.com |
| Scheme | http |
| Forward Hostname / IP | 127.0.0.1 |
| Forward Port | 81 |
| Block Common Exploits | On |

SSL Tab

| Field | Value |
|---|---|
| SSL Certificate | Request a new SSL Certificate |
| Force SSL | On |
| Let's Encrypt Email | postmaster@web.orbishosting.com |

Proxy Host 3: Redirect www → root domain (Optional)

Details Tab

| Field | Value |
|---|---|
| Domain Names | www.web.orbishosting.com |
| Scheme | https |
| Forward Hostname / IP | web.orbishosting.com |
| Forward Port | 443 |

Enable Mailcow's Own ACME (for mail protocol SSL)

After NPM proxy is working for mail.web.orbishosting.com, SSH into the Mailcow VM and enable its own Let's Encrypt:

```bash
ssh ubuntu@10.48.200.82

# Edit mailcow.conf
sudo nano /opt/mailcow-dockerized/mailcow.conf

# Ensure these settings:
# SKIP_LETS_ENCRYPT=n        ← Mailcow will get its own cert via HTTP challenge
# HTTP_PORT=8080             ← NPM forwards port 80 → this port
# HTTPS_PORT=8443
# HTTPS_BIND=127.0.0.1

# Restart acme container
cd /opt/mailcow-dockerized
sudo docker compose restart acme-mailcow

# Watch the ACME container get the cert
sudo docker compose logs -f acme-mailcow
```

The ACME challenge goes: Let's Encrypt → port 80 → FortiGate → NPM → port 8080 on Mailcow → acme responds

Once Mailcow's ACME succeeds, it will automatically use that cert for Postfix/Dovecot.
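
An added example, not part of the original guide or of the mailcow project: a shell check that the four `mailcow.conf` values listed above are really in effect (not commented out, not overridden) before `acme-mailcow` is restarted. The function names and the sample file are constructed for illustration, and the "last assignment wins" rule is an assumption.

```shell
# Added example: lint mailcow.conf against the four values this guide expects.

# conf_get FILE KEY: print KEY's effective value. Commented-out lines are
# ignored; if KEY is assigned twice the last one is reported (assumption:
# same as when the file is sourced by a shell). Status 1 if KEY is never set.
conf_get() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        index($0, "=") == 0 { next }
        {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            if (k == key) { v = substr($0, index($0, "=") + 1); found = 1 }
        }
        END {
            if (!found) exit 1
            gsub(/^[ \t"]+|[ \t"]+$/, "", v); print v
        }
    ' "$1"
}

# check_mailcow_conf FILE: one line per setting; returns 0 only if all match.
# On the Mailcow VM: check_mailcow_conf /opt/mailcow-dockerized/mailcow.conf
check_mailcow_conf() {
    cmc_rc=0
    for cmc_pair in SKIP_LETS_ENCRYPT=n HTTP_PORT=8080 HTTPS_PORT=8443 HTTPS_BIND=127.0.0.1; do
        cmc_key=${cmc_pair%%=*}
        cmc_want=${cmc_pair#*=}
        if ! cmc_got=$(conf_get "$1" "$cmc_key"); then
            echo "MISSING  $cmc_key (expected $cmc_want)"; cmc_rc=1
        elif [ "$cmc_got" != "$cmc_want" ]; then
            echo "MISMATCH $cmc_key=$cmc_got (expected $cmc_want)"; cmc_rc=1
        else
            echo "OK       $cmc_key=$cmc_got"
        fi
    done
    return "$cmc_rc"
}

# Constructed sample excerpt (not a real mailcow.conf) for a dry run.
write_sample_conf() {
    cat > "$1" <<'EOF'
# HTTP_PORT=80
HTTP_PORT=8080
HTTPS_PORT=8443
#HTTPS_BIND=127.0.0.1
SKIP_LETS_ENCRYPT=y
EOF
}
```

Run against the constructed sample, the check reports `SKIP_LETS_ENCRYPT` as a mismatch and `HTTPS_BIND` as missing, because the only `HTTPS_BIND` line is commented out.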


Verify Everything Works

```bash
# From outside your network or use mxtoolbox.com:

# Test HTTPS web UI
curl -I https://mail.web.orbishosting.com

# Test SMTP banner
telnet 97.176.15.26 25

# Test IMAP
openssl s_client -connect 97.176.15.26:993

# Test SMTP with TLS
openssl s_client -starttls smtp -connect 97.176.15.26:587
```