mailcow is secure by default, but additional hardening measures help in production. This page is the index for a split security guide with more detailed sub-pages.
- Enforce TLS inbound and outbound; verify certificate renewal.
- Enable 2FA for admin accounts; enforce strong passwords and login lockouts after repeated failures.
- Restrict exposed ports via host or cloud firewall; review netfilter rules.
- Tune Rspamd and outbound rate limits to prevent abuse.
- Harden containers carefully (no-new-privileges, dropped capabilities, resource limits); test each change before applying it in production.
- Publish SPF, DKIM, DMARC, and MTA-STS records for all hosted domains.
- Review logs and blocked IPs routinely; set a log retention period.
- Encrypt backups and test restores.
- Track upstream advisories and update mailcow regularly.