Hardening Mailcow Security

Lock down your Mailcow server with TLS hardening, fail2ban, and firewall rules.

Category: Mailcow

Change Default Admin Password

Log in to the Mailcow UI and immediately change the default admin / moohoo credentials.

Enforce TLS on All Connections

# Edit mailcow.conf
sudo nano /opt/mailcow-dockerized/mailcow.conf

# Keep Let's Encrypt enabled so every service presents a trusted certificate;
# list any extra hostnames the certificate must cover in ADDITIONAL_SAN (comma-separated)
SKIP_LETS_ENCRYPT=n
ADDITIONAL_SAN=

Configure UFW Firewall

Allow only the ports Mailcow needs. SSH is allowed first so that enabling the firewall does not lock you out. Note that Docker inserts its own iptables rules for ports its containers publish, so UFW alone does not block traffic to a published container port; keep the published ports in docker-compose limited to the list below.

sudo ufw allow 22/tcp    # SSH
sudo ufw allow 25/tcp    # SMTP
sudo ufw allow 80/tcp    # HTTP (redirect)
sudo ufw allow 443/tcp   # HTTPS
sudo ufw allow 465/tcp   # SMTP TLS
sudo ufw allow 587/tcp   # SMTP submission
sudo ufw allow 993/tcp   # IMAP TLS
sudo ufw allow 995/tcp   # POP3 TLS
sudo ufw allow 4190/tcp  # Sieve
sudo ufw enable
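The rule set above is the whole allowlist for a Mailcow host, so anything else showing as ALLOW in `ufw status` is a drift worth catching. The script below is an added example, not part of this guide or of Mailcow: it parses the output format of `sudo ufw status` (a constructed sample is embedded) and reports allowed TCP ports that are not in the list above.

```shell
#!/bin/sh
# Added example: audit UFW rules against the port allowlist this guide opens.
# Assumes the table format printed by `sudo ufw status` / `ufw status verbose`.

# TCP ports this guide expects to be open.
EXPECTED_PORTS="22 25 80 443 465 587 993 995 4190"

# Print each TCP port that is ALLOWed in a `ufw status` listing but is not in
# EXPECTED_PORTS, one per line. Argument: the status text.
unexpected_ufw_ports() {
    printf '%s\n' "$1" | awk -v expected="$EXPECTED_PORTS" '
        BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
        # Rule lines look like "443/tcp  ALLOW  Anywhere" or "443/tcp (v6)  ALLOW  Anywhere (v6)"
        $1 ~ /^[0-9]+\/tcp$/ && ($2 == "ALLOW" || $3 == "ALLOW") {
            split($1, p, "/")
            if (!(p[1] in ok) && !seen[p[1]]++) print p[1]
        }'
}

# Return non-zero when any unexpected port is allowed, so this can gate a deploy.
audit_ufw() {
    extra=$(unexpected_ufw_ports "$1")
    if [ -n "$extra" ]; then
        echo "Unexpected open ports: $extra" >&2
        return 1
    fi
    return 0
}

# Constructed sample output: the guide's rules plus one rule (3306/tcp) that
# has no business being exposed on a mail host.
SAMPLE_STATUS='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
25/tcp                     ALLOW       Anywhere
3306/tcp                   ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)'

# Usage on a live host: audit_ufw "$(sudo ufw status)"
audit_ufw "$SAMPLE_STATUS" || echo "audit failed on sample (expected)"
```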

Enable fail2ban

Mailcow ships with built-in fail2ban via its netfilter-mailcow container, which automatically bans IPs with repeated authentication failures. Verify it’s running:

cd /opt/mailcow-dockerized
sudo docker compose ps netfilter-mailcow

Rotate API Keys and DKIM Keys

In the Mailcow UI, regularly rotate DKIM keys under Email → Configuration → ARC/DKIM Keys and regenerate the Rspamd password.