mailcow / mailcow-dockerized

mailcow: dockerized - 🐮 + 🐋 = 💕
https://mailcow.email
GNU General Public License v3.0

Definable port for the Admin UI #4596

Open B-Interactive opened 2 years ago

B-Interactive commented 2 years ago

Summary

The Admin UI and SoGo currently share the same port of 443.

My users need access to SoGo, but it's not always necessary that they should have access to the Admin UI.

I'd like to be able to define a separate port to access the Admin UI on (e.g. 8443). This allows the port to be explicitly firewalled (external cloud firewall) to permit access only from my IP, when necessary.

Motivation

For those who desire it, this permits another layer of security, protecting knowledge of, and access to the Admin UI.

The Admin UI has the "MailCow" branding, which announces to all what system this is, as well as where to start when looking for exploits.

Currently, the Admin UI occupies the web root: mail.mydomain.com/

Most users visiting this page would need to click on the Webmail link to take them to SOGo, which sits at: mail.mydomain.com/SOGo

With separate ports, they can both occupy the web root, which is more streamlined for all involved.

mail.mydomain.com:8443 = Admin UI
mail.mydomain.com:443 = SOGo

Additional context

The recent security advisory may be relevant to this request: CVE-2022-31245: IMAPSYNC (Syncjobs) Debug Extended Rights (pipemess)

* Edited to remove reference to "obscurity".

ghost commented 2 years ago

Obscurity has really nothing to do with security, it seems really silly to me that in 2022 people still believe that. 😓

B-Interactive commented 2 years ago

> Obscurity has really nothing to do with security, it seems really silly to me that in 2022 people still believe that. 😓

Reference to "obscurity" removed, so as not to distract from the greater request. Obscurity was a side-effect, security is possible by means of firewalling the Admin UI.

MAGICCC commented 2 years ago

It's not an admin UI per se because normal users can and should log in to the interface using their mail and mail password. They can change their settings there, e.g. add app passwords, add alias mails, download profiles for their mobile devices and much more.

Indeed it's not possible to change the port for the web interface, and it would also be somewhat difficult to do since you would need to alter the nginx conf for this. The best option for now is to do it via a reverse proxy.

B-Interactive commented 2 years ago

Thanks @MAGICCC. The reverse proxy wasn't something I'd considered, I'll explore that.

zaee-k commented 2 years ago

> Thanks @MAGICCC. The reverse proxy wasn't something I'd considered, I'll explore that.

I'll add my $0.02 here. You can use nginx as a reverse proxy and specify a custom link only for Admin UI access, while normal SOGo access can remain at the domain root. Most likely what you want to achieve is:

https://webmail.domain.com <-- access to webmail
https://webmail.domain.com/AccountAdministration <-- access to Admin UI

The upside to a reverse proxy is the possibility to add any middleware you want (SSO, even basic authentication) and some flexibility in routing the requests. The downside comes at the comfort of use, as you cannot use the bundled letsencrypt container for automatic SSL renewal. Either you create a set of rules to route letsencrypt http requests directly into the acme container, OR you most likely install certbot at the reverse proxy, get certificates and copy pubkey+privkey into the mailcow assets folder (docker compose) and restart mailcow.
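The reverse-proxy split that MAGICCC suggests and zaee-k sketches above, written out as an added example (this is not mailcow's own configuration and not a script from anyone in this thread). Instead of rewriting the admin panel to a custom path, which tends to break an application's redirects and asset URLs, it keeps mailcow's paths intact and uses two nginx listeners: 443 serves webmail, /user and everything else but refuses /admin, and 8443 serves the full interface only to allow-listed source addresses, which matches the original port-split request and can additionally be firewalled upstream. Everything below is a placeholder to adjust: the hostname mail.mydomain.com, certificates under /etc/letsencrypt, 203.0.113.10 as the admin address, and mailcow's own nginx assumed to be rebound to 127.0.0.1:9443 via HTTPS_BIND and HTTPS_PORT in mailcow.conf so that only the proxy is reachable from outside.

```shell
#!/bin/sh
# Added example, not mailcow's own configuration. Writes an nginx config that
# fronts mailcow with two listeners:
#   443  - webmail (/SOGo), /user and everything else, but /admin is refused
#   8443 - the full interface including /admin, only from ADMIN_ALLOW
set -eu

# Hypothetical values; override via environment to match your install.
SERVER_NAME="${SERVER_NAME:-mail.mydomain.com}"
# mailcow's own nginx, rebound to localhost (assumed HTTPS_BIND=127.0.0.1 and
# HTTPS_PORT=9443 in mailcow.conf) so only the proxy is reachable from outside.
BACKEND="${BACKEND:-https://127.0.0.1:9443}"
ADMIN_PORT="${ADMIN_PORT:-8443}"
ADMIN_ALLOW="${ADMIN_ALLOW:-203.0.113.10/32}"   # documentation address, replace with yours
CERT="${CERT:-/etc/letsencrypt/live/$SERVER_NAME/fullchain.pem}"
KEY="${KEY:-/etc/letsencrypt/live/$SERVER_NAME/privkey.pem}"

# Write the proxy config to the path given as $1.
write_proxy_conf() {
  cat > "$1" <<EOF
# Generated by the added example script; nginx variables are escaped below.
server {
    listen 443 ssl;
    server_name $SERVER_NAME;
    ssl_certificate     $CERT;
    ssl_certificate_key $KEY;
    client_max_body_size 0;          # webmail attachment uploads

    # Public listener: users reach SOGo and /user, never the admin panel.
    location /admin { return 403; }
    location / {
        proxy_pass $BACKEND;
        proxy_http_version 1.1;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
    }
}

server {
    listen $ADMIN_PORT ssl;
    server_name $SERVER_NAME;
    ssl_certificate     $CERT;
    ssl_certificate_key $KEY;
    client_max_body_size 0;

    # Admin listener: firewall this port upstream as well; nginx additionally
    # drops every source not in the allow list before proxying anything.
    allow $ADMIN_ALLOW;
    deny all;
    location / {
        proxy_pass $BACKEND;
        proxy_http_version 1.1;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
    }
}
EOF
}

# Sanity check of the generated file: both listeners and both guards present.
check_proxy_conf() {
  grep -q 'listen 443 ssl;' "$1" &&
  grep -q 'location /admin { return 403; }' "$1" &&
  grep -q "listen $ADMIN_PORT ssl;" "$1" &&
  grep -q "allow $ADMIN_ALLOW;" "$1" &&
  grep -q 'deny all;' "$1"
}

# Usage: ./mailcow-proxy.sh install   (then reload nginx)
if [ "${1:-}" = "install" ]; then
  OUT=/etc/nginx/conf.d/mailcow-proxy.conf
  write_proxy_conf "$OUT"
  check_proxy_conf "$OUT"
  nginx -t
fi
```

Run it with `install` on the proxy host, then reload nginx. The `allow`/`deny` pair on the 8443 server block is the in-nginx equivalent of the cloud firewall rule from the original request; keeping both means a mistake in one layer does not expose the admin panel on its own. The `location /admin` match is a prefix match, so it also refuses anything under that path.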

B-Interactive commented 2 years ago

That's much appreciated @zaee-k, in particular the heads up and considerations around handling SSL renewal.

zaee-k commented 2 years ago

Just make sure you somehow automate the copying procedure of fullchain.pem and priv.key (letsencrypt assets from the reverse proxy) into the mail server assets (mailcow ssl assets folder). Remember that from a security perspective, you should be really careful in what you are doing, as priv.key is a secret used to encrypt data between users and your mail server. Set up some cronjob on a dedicated user with SSH key authentication or automate this with Ansible. If you don't automate, you will have to manually copy those ssl keys every 2.5 months, and restart some containers to apply new certs for IMAP/SMTP/POP3 connections.
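A cert-sync script of the kind this comment describes, added here as an example; it is not mailcow's tooling and not zaee-k's script. It assumes certbot's fullchain.pem and privkey.pem under /etc/letsencrypt/live/mail.mydomain.com, that mailcow reads data/assets/ssl/cert.pem and key.pem under /opt/mailcow-dockerized, and that postfix-mailcow, dovecot-mailcow and nginx-mailcow are the containers to restart; check all of these against your own install. Beyond a plain copy, it refuses a private key that does not match the certificate, only touches the assets directory when the files actually changed (so a daily cron run does not restart containers needlessly), and installs the key with mode 0600.

```shell
#!/bin/sh
# Added example, not mailcow's own tooling: copy a renewed Let's Encrypt pair
# from the reverse proxy into mailcow's SSL assets, safely and idempotently.
set -eu

# Hypothetical defaults; override via environment to match your install.
SRC_CERT="${SRC_CERT:-/etc/letsencrypt/live/mail.mydomain.com/fullchain.pem}"
SRC_KEY="${SRC_KEY:-/etc/letsencrypt/live/mail.mydomain.com/privkey.pem}"
# Assumed mailcow layout: data/assets/ssl/cert.pem and key.pem.
DST_DIR="${DST_DIR:-/opt/mailcow-dockerized/data/assets/ssl}"
# Containers that serve TLS and must pick up the new files (assumed names).
RESTART_DEFAULT="docker compose -f /opt/mailcow-dockerized/docker-compose.yml restart postfix-mailcow dovecot-mailcow nginx-mailcow"

# Succeeds only if the certificate's public key matches the private key
# (works for RSA and EC keys alike).
verify_pair() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# sync_certs CERT KEY DST_DIR: prints "updated" or "unchanged"; returns 1 and
# installs nothing when the pair does not match.
sync_certs() {
  src_cert=$1; src_key=$2; dst=$3
  if ! verify_pair "$src_cert" "$src_key"; then
    echo "private key does not match certificate, refusing to install" >&2
    return 1
  fi
  if cmp -s "$src_cert" "$dst/cert.pem" && cmp -s "$src_key" "$dst/key.pem"; then
    echo unchanged
    return 0
  fi
  mkdir -p "$dst"
  # Copy to temporary names with explicit modes (key never group/world readable),
  # then rename so a reader never sees a half-written file.
  install -m 0600 "$src_key" "$dst/key.pem.new"
  install -m 0644 "$src_cert" "$dst/cert.pem.new"
  mv -f "$dst/key.pem.new" "$dst/key.pem"
  mv -f "$dst/cert.pem.new" "$dst/cert.pem"
  # Only now restart the containers; RESTART_CMD=: gives a dry run.
  sh -c "${RESTART_CMD:-$RESTART_DEFAULT}"
  echo updated
}

# Usage (e.g. from a daily cron entry): ./sync-mailcow-certs.sh run
if [ "${1:-}" = "run" ]; then
  sync_certs "$SRC_CERT" "$SRC_KEY" "$DST_DIR"
fi
```

A cron entry such as `17 3 * * * /usr/local/bin/sync-mailcow-certs.sh run` keeps the copy current without manual work; the pair check is what protects you from shipping a stale or wrong key when certbot's directory layout changes under you. If the proxy and the mail host are separate machines, have the dedicated user pull the files over SSH first and point SRC_CERT and SRC_KEY at the local copies rather than giving the proxy write access to the mailcow tree.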