Skip to content

Pangolin (community supported)

Important

First read the overview.

Danger

This is an community supported contribution. Feel free to provide fixes.

Pangolin's declarative configuration is very simple using so-called Blueprints.

In this example, certificate creation is handled by Pangolin. Pangolin's SSO is active and provides additional protection. Autodiscover, Autoconfig, and MTA-STS, as well as the API for status, are publicly accessible.

Blueprint for Pangolin

It is assumed that mailcow is accessible on port 4443 via TLS. The domain example.com should be replaced accordingly. Relevant lines are marked below.

public-resources:
  mailcow:
    auth:
      sso-enabled: true
    full-domain: autoconfig.example.com
    name: Mail - mailcow - Autoconfig
    protocol: http
    ssl: true
    targets:
      - hostname: localhost
        method: https
        port: 4443
    rules:
      - action: allow
        match: path
        value: /api/v1/get/status/*

  mailcow-autoconfig:
    auth:
      sso-enabled: true
    full-domain: autoconfig.example.com
    name: Mail - mailcow - Autoconfig
    protocol: http
    ssl: true
    targets:
      - hostname: localhost
        method: https
        port: 4443
    rules:
      - action: allow
        match: path
        value: /mail/config-v1.1.xml

  mailcow-autodiscover:
    auth:
      sso-enabled: true
    full-domain: autodiscover.example.com
    name: Mail - mailcow - Autodiscover
    protocol: http
    ssl: true
    targets:
      - hostname: localhost
        method: https
        port: 4443
    rules:
      - action: allow
        match: path
        value: /autodiscover/autodiscover.xml

  mailcow-mta-sts:
    auth:
      sso-enabled: true
    full-domain: mta-sts.example.com
    name: Mail - mailcow - MTA-STS
    protocol: http
    ssl: true
    targets:
      - hostname: localhost
        method: https
        port: 4443
    rules:
      - action: allow
        match: path
        value: /.well-known/mta-sts.txt

  mailcow-openpgpkey:
    auth:
      sso-enabled: true
    full-domain: openpgpkey.example.com
    name: Mail - mailcow - OpenPGP-Key
    protocol: http
    ssl: true
    targets:
      - hostname: localhost
        method: https
        port: 4443
    rules:
      - action: allow
        match: path
        value: /.well-known/openpgpkey/*

Integrate into local Pangolin instance

If Pangolin and mailcow are running on the same server, you can just add the blueprint via the web interface.

Organization > Blueprints > Add Blueprint

Integrate into remote Pangolin instance

Integration into an existing remote Pangolin instance is quick and easy with newt:

Sites > Create Sites > Newt Site > Docker

The environment variable BLUEPRINT_FILE is added. As an example, the configuration file above is located at /opt/blueprint_mailcow.yml.

services:
  newt:
    image: fosrl/newt
    container_name: newt
    restart: unless-stopped
    environment:
      - PANGOLIN_ENDPOINT=https://pangolin.example.com
      - NEWT_ID=<YOUR_ID>
      - NEWT_SECRET=<YOUR_SECRET>
      - BLUEPRINT_FILE=/opt/blueprint_mailcow.yml

Export certificates

As Pangolin will now renew the certificates, you need to update them for mailcow.

Add this to Pangolin's compose configuration, modify the marked lines:

services:

  [...]

  traefik_certdumper:
    command:
      - --restart-containers=mailcowdockerized-postfix-mailcow-1,mailcowdockerized-dovecot-mailcow-1,mailcowdockerized-nginx-mailcow-1
    container_name: traefik_certdumper
    depends_on:
      traefik:
        condition: service_started
    environment:
      - DOMAIN=*.example.com
    image: ghcr.io/kereis/traefik-certs-dumper:latest
    network_mode: none
    restart: unless-stopped
    volumes:
      - /run/docker.sock:/var/run/docker.sock:ro
      - ./config/letsencrypt:/traefik:ro
      - /opt/mailcow-dockerized/data/assets/ssl:/output:rw