Mirror of https://github.com/myronblair/ProxMailcow (synced 2026-06-30 17:50:40 -05:00, commit b60db8a0d0)
- VM 200: Nginx Proxy Manager (10.48.200.80)
- VM 201: Mailcow email server (10.48.200.82)
- Cloud-init automation for both VMs
- FortiGate VIP/policy documentation
- DNS records for web.orbishosting.com
- NPM proxy host setup guide
- Mailcow post-install checklist
- Cert sync script (NPM → Mailcow)
External IP: 97.176.15.26
FortiGate Configuration Changes
FortiGate URL: https://10.48.200.1:9443
Login: admin / (your password)
REVIEW BEFORE APPLYING. FusionPBX rules are NOT touched.
Step 1 — Create Virtual IPs (VIPs)
Go to: Policy & Objects → Virtual IPs → Create New → Virtual IP
VIP 1: NPM (Web Traffic)
| Field | Value |
|---|---|
| Name | VIP-NPM-HTTP |
| Interface | WAN interface (the one with 97.176.15.26) |
| External IP | 97.176.15.26 |
| Mapped IP | 10.48.200.80 |
| Port Forwarding | Enabled |
| Protocol | TCP |
| External Port | 80 |
| Mapped Port | 80 |
VIP 2: NPM (HTTPS)
| Field | Value |
|---|---|
| Name | VIP-NPM-HTTPS |
| Interface | WAN interface |
| External IP | 97.176.15.26 |
| Mapped IP | 10.48.200.80 |
| Port Forwarding | Enabled |
| Protocol | TCP |
| External Port | 443 |
| Mapped Port | 443 |
VIP 3: Mailcow SMTP (Port 25)
| Field | Value |
|---|---|
| Name | VIP-MAIL-SMTP |
| Interface | WAN interface |
| External IP | 97.176.15.26 |
| Mapped IP | 10.48.200.82 |
| Port Forwarding | Enabled |
| Protocol | TCP |
| External Port | 25 |
| Mapped Port | 25 |
VIP 4: Mailcow SMTPS (Port 465)
| Field | Value |
|---|---|
| Name | VIP-MAIL-SMTPS |
| Interface | WAN interface |
| External IP | 97.176.15.26 |
| Mapped IP | 10.48.200.82 |
| Port Forwarding | Enabled |
| Protocol | TCP |
| External Port | 465 |
| Mapped Port | 465 |
VIP 5: Mailcow Submission (Port 587)
| Field | Value |
|---|---|
| Name | VIP-MAIL-SUBMISSION |
| Interface | WAN interface |
| External IP | 97.176.15.26 |
| Mapped IP | 10.48.200.82 |
| Port Forwarding | Enabled |
| Protocol | TCP |
| External Port | 587 |
| Mapped Port | 587 |
VIP 6: Mailcow IMAP (Port 143)
| Field | Value |
|---|---|
| Name | VIP-MAIL-IMAP |
| Interface | WAN interface |
| External IP | 97.176.15.26 |
| Mapped IP | 10.48.200.82 |
| Port Forwarding | Enabled |
| Protocol | TCP |
| External Port | 143 |
| Mapped Port | 143 |
VIP 7: Mailcow IMAPS (Port 993)
| Field | Value |
|---|---|
| Name | VIP-MAIL-IMAPS |
| Interface | WAN interface |
| External IP | 97.176.15.26 |
| Mapped IP | 10.48.200.82 |
| Port Forwarding | Enabled |
| Protocol | TCP |
| External Port | 993 |
| Mapped Port | 993 |
VIP 8: Mailcow POP3 (Port 110) — Optional
| Field | Value |
|---|---|
| Name | VIP-MAIL-POP3 |
| Interface | WAN interface |
| External IP | 97.176.15.26 |
| Mapped IP | 10.48.200.82 |
| Port Forwarding | Enabled |
| Protocol | TCP |
| External Port | 110 |
| Mapped Port | 110 |
VIP 9: Mailcow POP3S (Port 995) — Optional
| Field | Value |
|---|---|
| Name | VIP-MAIL-POP3S |
| Interface | WAN interface |
| External IP | 97.176.15.26 |
| Mapped IP | 10.48.200.82 |
| Port Forwarding | Enabled |
| Protocol | TCP |
| External Port | 995 |
| Mapped Port | 995 |
Step 2 — Create Firewall Policies
Go to: Policy & Objects → Firewall Policy → Create New
Policy 1: Allow Web Traffic to NPM
| Field | Value |
|---|---|
| Name | WAN-to-NPM-Web |
| Incoming Interface | WAN |
| Outgoing Interface | LAN (internal) |
| Source | all |
| Destination | VIP-NPM-HTTP, VIP-NPM-HTTPS |
| Schedule | always |
| Service | HTTP, HTTPS |
| Action | ACCEPT |
| NAT | Disabled. The VIP already rewrites the destination; the policy NAT option is *source* NAT and would make every inbound connection appear to come from the FortiGate's LAN address, so NPM (and everything it proxies) would never see the real client IP. Enable it only if you knowingly want that. |
| Log | Enabled (recommended) |
Policy 2: Allow Mail Traffic to Mailcow
| Field | Value |
|---|---|
| Name | WAN-to-Mailcow-Mail |
| Incoming Interface | WAN |
| Outgoing Interface | LAN (internal) |
| Source | all |
| Destination | VIP-MAIL-SMTP, VIP-MAIL-SMTPS, VIP-MAIL-SUBMISSION, VIP-MAIL-IMAP, VIP-MAIL-IMAPS |
| Schedule | always |
| Service | Predefined SMTP (25), SMTPS (465), IMAP (143), IMAPS (993) plus a custom TCP service for submission (587) |
| Action | ACCEPT |
| NAT | Disabled. With source NAT on, Mailcow (Postfix, Dovecot, rspamd, netfilter) would log, rate-limit and reputation-check 10.48.200.1 instead of the real sender, so RBL lookups and IP bans become meaningless and one abusive client can get the whole gateway address banned. |
| Log | Enabled |
NOTE: If you also want POP3, add `VIP-MAIL-POP3` and `VIP-MAIL-POP3S` to the Destination of Policy 2 and the predefined POP3 (110) and POP3S (995) services to its Service list.
Step 3 — Verify FusionPBX Rules Are Intact
After applying the above, confirm your existing SIP/RTP rules still exist:
- Port `5060` UDP/TCP → FusionPBX host (SIP)
- Port `5061` UDP/TCP → FusionPBX host (SIP over TLS)
- Ports `10000-20000` UDP → FusionPBX host (RTP)
Do NOT remove or modify these. Check that the new WAN-to-NPM-Web and WAN-to-Mailcow-Mail policies were appended below them rather than inserted above, so the SIP/RTP matches are unchanged.
Step 4 — (Optional) Block SMTP relay abuse
Add a LAN → WAN firewall policy that denies TCP port 25 from every internal host except Mailcow (10.48.200.82). A compromised workstation or VM then cannot spam the Internet directly, and all outbound mail has to pass through Mailcow's queue and logs. Place the deny above any broad LAN → WAN allow policy; FortiGate evaluates policies top-down and the first match wins. This does not stop relaying *through* Mailcow; that is governed by Mailcow's own authentication and relay settings.
- Outgoing port 25 from LAN → blocked (except from 10.48.200.82)
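The same changes as a FortiOS CLI script (Steps 1, 2 and 4), which is easier to review in a pull request and to apply identically to a second FortiGate than clicking through the GUI. This is an added example, not a file from the ProxMailcow repo; it assumes the WAN interface is named `wan1` and the LAN interface `internal`, and the address object `MAILCOW-HOST`, the custom service `SMTP-SUBMISSION` and the policy names for Step 4 are names chosen here. Only two VIPs are written out; the remaining seven follow the same pattern with the names, mapped IPs and ports from the tables above.

```fortios
# --- Step 1: VIPs (one per port). VIP-NPM-HTTP, VIP-MAIL-SMTPS, VIP-MAIL-SUBMISSION,
# VIP-MAIL-IMAP, VIP-MAIL-IMAPS (and the optional POP3/POP3S ones) use the same block.
config firewall vip
    edit "VIP-NPM-HTTPS"
        set extintf "wan1"                  # assumed WAN interface name
        set extip 97.176.15.26
        set mappedip "10.48.200.80"
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedport 443
    next
    edit "VIP-MAIL-SMTP"
        set extintf "wan1"
        set extip 97.176.15.26
        set mappedip "10.48.200.82"
        set portforward enable
        set protocol tcp
        set extport 25
        set mappedport 25
    next
end

# --- Step 2: submission (587) has no predefined service object, so create one.
config firewall service custom
    edit "SMTP-SUBMISSION"
        set tcp-portrange 587
    next
end

# Address object for the Mailcow host, used by the Step 4 policies.
config firewall address
    edit "MAILCOW-HOST"
        set subnet 10.48.200.82 255.255.255.255
    next
end

config firewall policy
    # Policy 1: WAN -> NPM. "edit 0" allocates the next free policy ID.
    edit 0
        set name "WAN-to-NPM-Web"
        set srcintf "wan1"
        set dstintf "internal"              # assumed LAN interface name
        set srcaddr "all"
        set dstaddr "VIP-NPM-HTTP" "VIP-NPM-HTTPS"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set nat disable                     # VIP does DNAT; keep real client IPs
        set logtraffic all
    next
    # Policy 2: WAN -> Mailcow.
    edit 0
        set name "WAN-to-Mailcow-Mail"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "VIP-MAIL-SMTP" "VIP-MAIL-SMTPS" "VIP-MAIL-SUBMISSION" "VIP-MAIL-IMAP" "VIP-MAIL-IMAPS"
        set action accept
        set schedule "always"
        set service "SMTP" "SMTPS" "SMTP-SUBMISSION" "IMAP" "IMAPS"
        set nat disable
        set logtraffic all
    next
    # --- Step 4: only Mailcow may speak SMTP to the Internet directly.
    edit 0
        set name "LAN-Allow-Mailcow-SMTP-Out"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "MAILCOW-HOST"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "SMTP"
        set nat enable                      # outbound needs SNAT to 97.176.15.26
        set logtraffic all
    next
    edit 0
        set name "LAN-Deny-Direct-SMTP"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "SMTP"
        set logtraffic all
    next
end
```

After loading it, run `show firewall policy` and make sure the two Step 4 policies sit above any general `internal` → `wan1` allow rule and below the FusionPBX rules; if not, reorder with `config firewall policy` / `move <id> before <id>` / `end`. `set nat disable` is the default on a new policy and is written out only so the intent survives review.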
Verification
After applying:
```bash
# Run these from OUTSIDE the FortiGate WAN (a VPS, a phone hotspot) or use
# https://mxtoolbox.com/SuperTool.aspx - from the LAN the VIPs are not
# reachable without a separate hairpin-NAT policy.

# SMTP: expect a "220 ... ESMTP" greeting from Mailcow
telnet 97.176.15.26 25
# IMAP: expect "* OK ..." from Mailcow's Dovecot
telnet 97.176.15.26 143
# Web: NPM answers on the raw IP; send the real Host header to reach the proxy host
curl -I http://97.176.15.26
curl -Ik https://97.176.15.26
curl -I -H 'Host: web.orbishosting.com' http://97.176.15.26
# Negative check: the FortiGate GUI port must NOT answer from the Internet
nc -vz -w 3 97.176.15.26 9443
```
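A scripted version of the same verification, as an added example that is not part of the ProxMailcow repo. It probes every port the VIPs should expose on 97.176.15.26, checks that the clear-text protocols greet correctly (SMTP `220`, IMAP `* OK`, POP3 `+OK`; HTTP and the implicit-TLS ports are only checked for reachability), and flags any port from a "must stay closed" list that answers. 9443 in that list is the FortiGate GUI port from this guide; 22, 81 and 8006 are assumptions about what else might be reachable (SSH, NPM admin, Proxmox) and should be edited to match the real environment. The two local helpers at the end exist only so the audit can be exercised offline against a fake listener.

```python
"""Exposure audit for the FortiGate VIPs in this guide (added example)."""
import socket
import threading

EXTERNAL_IP = "97.176.15.26"

# Port -> text the first server line must start with (None = server waits for
# the client, e.g. HTTP and the implicit-TLS ports, so only reachability counts).
EXPECTED_BANNERS = {
    80: None, 443: None,            # NPM
    25: "220", 465: None, 587: "220",   # Postfix: SMTP, SMTPS, submission
    143: "* OK", 993: None,         # Dovecot: IMAP, IMAPS
}
OPTIONAL_BANNERS = {110: "+OK", 995: None}   # POP3/POP3S, optional in the guide
# Assumed management ports that must never be reachable from the WAN.
MUST_BE_CLOSED = {22, 81, 8006, 9443}


def probe(host, port, timeout=3.0):
    """Connect to host:port. Return ("open", banner) or ("closed", error name).

    banner is the first line the server volunteers within `timeout`, or ""
    for services that wait for the client to speak first."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(512)
            except socket.timeout:
                data = b""
            first = data.decode("latin-1", "replace").splitlines()[0].strip() if data else ""
            return "open", first
    except OSError as e:          # refused, timed out, unreachable, ...
        return "closed", type(e).__name__


def banner_ok(port, banner, table=EXPECTED_BANNERS):
    """True if `banner` is what the protocol on `port` must send (or none is required)."""
    want = table.get(port)
    return True if want is None else banner.startswith(want)


def audit(host, expected=EXPECTED_BANNERS, must_be_closed=MUST_BE_CLOSED, timeout=3.0):
    """Probe every port in `expected` and `must_be_closed`.

    Returns {"missing":    expected ports that did not answer,
             "bad_banner": expected ports that answered with the wrong greeting,
             "exposed":    must-be-closed ports that answered,
             "results":    {port: (state, banner_or_error)}}"""
    results, missing, bad_banner, exposed = {}, set(), set(), set()
    for port, want in expected.items():
        state, info = probe(host, port, timeout)
        results[port] = (state, info)
        if state != "open":
            missing.add(port)
        elif want is not None and not info.startswith(want):
            bad_banner.add(port)
    for port in must_be_closed:
        state, info = probe(host, port, timeout)
        results[port] = (state, info)
        if state == "open":
            exposed.add(port)
    return {"missing": missing, "bad_banner": bad_banner, "exposed": exposed, "results": results}


def local_fake_service(banner: bytes):
    """Offline test helper: listen once on 127.0.0.1, send `banner` to the first
    client, then close. Returns the port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def unused_local_port():
    """Offline test helper: a loopback port with nothing listening on it."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    report = audit(EXTERNAL_IP, {**EXPECTED_BANNERS, **OPTIONAL_BANNERS})
    for port, (state, info) in sorted(report["results"].items()):
        print(f"{port:>5}  {state:<6} {info}")
    print("missing:", sorted(report["missing"]), " bad banner:", sorted(report["bad_banner"]),
          " exposed:", sorted(report["exposed"]))
```

Run it from a host outside the WAN; an empty `exposed` set and an empty `missing` set (POP3 ports aside, if you skipped VIPs 8 and 9) is the pass condition. Certificate names on 443, 465 and 993 are not inspected here; use `openssl s_client -connect 97.176.15.26:993` for that once the cert sync to Mailcow is in place.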