| Hostname | — |
|---|---|
| Architecture | — |
| IPs | |
| Version | — |
| System Time | — |
| Timezone | — |
| Uptime | — |
| Disk usage | — |
Container Information
Container logs
All domains
| Domain | Status | Mailboxes | Aliases | Statistics | Quota | Actions |
|---|---|---|---|---|---|---|
Mailboxes
Manage email accounts and access settings
| Username | Last mail login | Message # | Active | Action |
|---|---|---|---|---|
Aliases
Forward mail to one or more destinations
| ID | Alias | Goto address | Domain | SOGo | Public comment | Private comment | Internal | Active | Action |
|---|---|---|---|---|---|---|---|---|---|
Resources
Bookable rooms, equipment and shared assets
| Description | Alias | Kind | Domain | Multiple bookings | Active | Action |
|---|---|---|---|---|---|---|
Sync jobs
IMAP mailbox synchronization via imapsync
| ID | Owner | Server | Last run | Last run result | Log | Active | Status | Action |
|---|---|---|---|---|---|---|---|---|
Filters
Sieve mail filtering rules
keep; will stop processing of further scripts.
Changes to global sieve scripts will trigger a restart of Dovecot.
| ID | Active | Type | Owner | Description | Action |
|---|---|---|---|---|---|
BCC maps
Silently forward copies of messages to another address
| ID | BCC type | Local destination | BCC destination | Domain | Active | Action |
|---|---|---|---|---|---|---|
Recipient maps
Replace destination addresses before delivery
| ID | Original recipient | New recipient | Active | Action |
|---|---|---|---|---|
Outgoing TLS policy map overrides
Override outgoing TLS transport rules per destination
| ID | Destination | Policy | Parameters | Active | Action |
|---|---|---|---|---|---|
Administrators
Manage global administrator accounts
| Username | TFA | Active | Action |
|---|---|---|---|
Interactive docs: /api/swagger — authenticate with header X-API-Key (keys below).
Read-Only Access
API key:
Read-Write Access
API key:
Domain administrators
| Username | Domain assignments | TFA | Active | Action |
|---|---|---|---|---|
Configure an external Provider for Authentication. User's mailboxes will be automatically created upon their first login, provided that an attribute mapping has been set.
Identity Provider
Attribute Mapping
Advanced settings
For the following settings to work, the mail client in Keycloak needs a Service account and the permission to view-users.
In addition to the Authorization Code Flow (Standard Flow in Keycloak), which is used for Single-Sign On login, mailcow also supports Authentication Flow with direct Credentials. The Mailpassword Flow attempts to validate the user's credentials by using the Keycloak Admin REST API. mailcow retrieves the hashed password from the mailcow_password attribute, which is mapped in Keycloak.
OAuth2 Apps
This implementation supports the Authorization Code grant type and the issuance of refresh tokens. Refresh tokens are automatically re-issued after use.
- Default scope is profile. Only mailbox users can authenticate.
- The state parameter is required for authorize requests.
Authorization endpoint: /oauth/authorize
Token endpoint: /oauth/token
Resource page: /oauth/profile
Regenerating a client secret does not expire existing authorization codes, but prevents renewal of access tokens. Revoking tokens terminates all active sessions and requires re-authentication.
Registered clients
Manage OAuth2 client applications
| ID | Client ID | Client secret | Redirect URI | Action |
|---|---|---|---|---|
Quarantine
The quarantine module saves rejected mail to the database without giving the sender the impression of a delivered message. Messages can be released to the recipient inbox or learned as spam.
Learn as spam and delete uses Bayesian learning and fuzzy hashes. Learning multiple messages can be time-consuming. Denylisted elements are excluded from learning.
Quarantined messages
Rspamd rejected and held messages
| ID | Rspamd QID | Sender (SMTP) | Subject | Rspamd result | Recipient | Danger | Score | Notified | Received | Action |
|---|---|---|---|---|---|---|---|---|---|---|
Queue Manager
The mail queue contains all e-mails that are waiting for delivery. If an email is stuck in the mail queue for a long time, it is automatically deleted by the system. The error message of the respective mail gives information about why the mail could not be delivered.
- Deliver: Attempts to redeliver selected mails.
- Unhold: Releases selected mails for delivery (Requires prior hold).
- Hold: Holds the selected mails (Prevents further delivery attempts).
Mail queue
Live Postfix queue entries
| QID | Queue | Arrival time (server time) | Message size | Sender | Recipients | Action |
|---|---|---|---|---|---|---|
ARC/DKIM keys
Add ARC/DKIM key
Forwarding Hosts
Incoming messages are unconditionally accepted from any hosts listed here. These hosts are then not checked against DNSBLs or subjected to greylisting. Spam received from them is never rejected, but optionally it can be filed into the Junk folder. The most common use for this is to specify mail servers on which you have set up a rule that forwards incoming emails to your mail server.
Forwarding hosts
Trusted sources bypassing DNSBL and greylisting
| Host | Source | Spam filter | Action |
|---|---|---|---|
Add Forwarding Host
You can either enter IP addresses, networks in CIDR notation, host names (which will be resolved to IP addresses), or domain names (which will be resolved to IP addresses using SPF records or, in their absence, MX records).
Fail2ban parameters
Fail2ban will still maintain the banlist, but it will not actively set rules to block traffic. Use the generated banlist below to externally block the traffic.
A denylisted host or network will always outweigh an allowlist entity. List updates will take a few seconds to be applied.
See a list of banned IPs below: network (remaining ban time) — [actions]. IPs queued to be unbanned will be removed from the active ban list within a few seconds. Red labels indicate active permanent bans by denylisting.
Quarantine
Password Settings
Password policy
Password Recovery Settings
- {{link}} — The generated password reset link.
- {{username}} — The mailbox name of the user who requested the reset.
- {{username2}} — The recovery mailbox name.
- {{date}} — The date the request was made.
- {{token_lifetime}} — The token lifetime in minutes.
- {{hostname}} — The mail server hostname.
Routing
Sender-dependent transports
Define sender-dependent transports to be able to select them in a domain's configuration dialog. The transport service is always smtp: and will therefore try TLS when offered. Wrapped TLS (SMTPS) is not supported. A user's individual outbound TLS policy setting is taken into account. Affects selected domains including alias domains.
Sender-dependent transports
| ID | Host | Username | In use by | Active | Action |
|---|---|---|---|---|---|
Add sender-dependent transport
Please be aware that authentication data, if any, will be stored as plain text.
Transport Maps
- A transport map entry overrules a sender-dependent transport map.
- MX-based transports are preferably used.
- Outbound TLS policy settings per-user are ignored and can only be enforced by TLS policy map entries.
- The transport service for defined transports is always smtp: and will therefore try TLS when offered. Wrapped TLS (SMTPS) is not supported.
- Addresses matching /localhost$/ will always be transported via local:, therefore a * destination will not apply to those addresses.
- To determine credentials for an exemplary next hop [host]:25, Postfix always queries for host before searching for [host]:25. This behavior makes it impossible to use host and [host]:25 at the same time.
Transport Maps
| ID | Destination | Next hop | Username | Active | Action |
|---|---|---|---|---|---|
Add transport
Please be aware that authentication data, if any, will be stored as plain text.
.*\.google\.com to route all mail targeted to a MX ending in google.com over this hop)
Warning: Adding a new transport map entry will update the credentials for all entries with a matching next hop column.
System mails
By default — with no selection — all mailboxes are addressed.