Mailcow

Lock down your Mailcow server against spam, brute-force, and unauthorized access.

Contents

  1. Change Default Admin Password
  2. Enforce TLS on All Connections
  3. Configure UFW Firewall
  4. Enable fail2ban
  5. Rotate API Keys and DKIM Keys

Lock down your Mailcow server with TLS hardening, fail2ban, and firewall rules.

Change Default Admin Password

Log in to the Mailcow UI and immediately change the default admin / moohoo credentials.

Enforce TLS on All Connections

# Edit mailcow.conf
sudo nano /opt/mailcow-dockerized/mailcow.conf

# Keep ACME (Let's Encrypt) enabled so a trusted certificate is issued and renewed
# automatically; SKIP_LETS_ENCRYPT=y would leave the self-signed certificate in place
SKIP_LETS_ENCRYPT=n
# Extra hostnames to include in the certificate (comma-separated); leave empty if none
ADDITIONAL_SAN=

Configure UFW Firewall

sudo ufw allow 22/tcp    # SSH
sudo ufw allow 25/tcp    # SMTP (server-to-server)
sudo ufw allow 80/tcp    # HTTP (redirect to HTTPS, ACME challenges)
sudo ufw allow 443/tcp   # HTTPS
sudo ufw allow 465/tcp   # SMTPS (implicit TLS)
sudo ufw allow 587/tcp   # SMTP submission (STARTTLS)
sudo ufw allow 993/tcp   # IMAPS
sudo ufw allow 995/tcp   # POP3S
sudo ufw allow 4190/tcp  # ManageSieve
sudo ufw enable
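One check worth running after the rules above: confirm that ufw allows exactly the ports the guide lists, and that Docker is not publishing anything else. Docker writes its own iptables rules for published ports ahead of ufw's INPUT chain, so a container port published on 0.0.0.0 is reachable whether or not ufw allows it. The script below is an added example, not part of Mailcow or this guide; the function names (ufw_allowed_ports, audit_ufw, docker_public_ports, audit_docker_vs_ufw) are hypothetical, and the ufw and docker output it parses is constructed sample text so that it runs offline.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not Mailcow's own tooling).
# EXPECTED_PORTS mirrors the ufw allow list from the guide above.
EXPECTED_PORTS="22/tcp 25/tcp 80/tcp 443/tcp 465/tcp 587/tcp 993/tcp 995/tcp 4190/tcp"

# Constructed sample of `sudo ufw status`: ManageSieve (4190/tcp) is missing and an
# unexpected plaintext IMAP rule (143/tcp) is present.
SAMPLE_UFW_STATUS='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
25/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
465/tcp                    ALLOW       Anywhere
587/tcp                    ALLOW       Anywhere
993/tcp                    ALLOW       Anywhere
995/tcp                    ALLOW       Anywhere
143/tcp                    ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
'

# Constructed sample of `docker ps --format "{{.Ports}}"`, one line per container.
# 110/tcp is published on all interfaces although ufw never allowed it.
SAMPLE_DOCKER_PORTS='0.0.0.0:25->25/tcp, :::25->25/tcp, 0.0.0.0:587->587/tcp
0.0.0.0:143->143/tcp, 0.0.0.0:993->993/tcp, 0.0.0.0:110->110/tcp
127.0.0.1:3306->3306/tcp
6379/tcp'

# Distinct port/proto values that ufw ALLOWs (IPv4 and "(v6)" rows merged).
ufw_allowed_ports() {
    printf '%s\n' "$1" |
        awk '($2 == "ALLOW" || $3 == "ALLOW") && $1 ~ /^[0-9]+\/(tcp|udp)$/ { print $1 }' |
        sort -u
}

# One finding per line:
#   MISSING <port>     listed in the guide but not allowed by ufw
#   UNEXPECTED <port>  allowed by ufw but not in the guide's list (review it)
audit_ufw() {
    allowed=$(ufw_allowed_ports "$1")
    for p in $EXPECTED_PORTS; do
        printf '%s\n' "$allowed" | grep -qx "$p" || echo "MISSING $p"
    done
    for p in $allowed; do
        case " $EXPECTED_PORTS " in
            *" $p "*) ;;
            *) echo "UNEXPECTED $p" ;;
        esac
    done
}

# Ports Docker publishes on every interface (0.0.0.0 or ::). Loopback-only and
# unpublished container ports are ignored because they are not externally reachable.
docker_public_ports() {
    printf '%s\n' "$1" | tr ',' '\n' | sed 's/^ *//' |
        grep -E '^(0\.0\.0\.0:|:::)[0-9]+->' |
        sed -E 's/^.*:([0-9]+)->[0-9]+\/(tcp|udp)$/\1\/\2/' |
        sort -u
}

# Docker-published ports that ufw does not allow: reachable anyway, because Docker's
# iptables rules bypass ufw, so each one needs either a ufw rule or a 127.0.0.1 bind.
audit_docker_vs_ufw() {
    allowed=$(ufw_allowed_ports "$1")
    for p in $(docker_public_ports "$2"); do
        printf '%s\n' "$allowed" | grep -qx "$p" || echo "PUBLISHED_NOT_ALLOWED $p"
    done
}

# Demo on the constructed samples. On a real host run (as root):
#   audit_ufw "$(ufw status)"
#   audit_docker_vs_ufw "$(ufw status)" "$(docker ps --format '{{.Ports}}')"
audit_ufw "$SAMPLE_UFW_STATUS"
audit_docker_vs_ufw "$SAMPLE_UFW_STATUS" "$SAMPLE_DOCKER_PORTS"
```

On the samples this reports `MISSING 4190/tcp`, `UNEXPECTED 143/tcp` and `PUBLISHED_NOT_ALLOWED 110/tcp`. A port in the last category is the important one: it is open to the internet regardless of what ufw shows, so either add a matching allow rule deliberately or bind the container port to 127.0.0.1 in the compose configuration.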

Enable fail2ban

Mailcow ships with built-in fail2ban-style banning via its netfilter-mailcow container, which automatically bans IPs after repeated authentication failures. Verify it’s running:

cd /opt/mailcow-dockerized
sudo docker compose ps netfilter-mailcow   # the service should be listed as running

Rotate API Keys and DKIM Keys

In the Mailcow UI, regularly rotate DKIM keys under Email → Configuration → ARC/DKIM Keys and regenerate the Rspamd password.