mailcow includes netfilter-mailcow for basic firewalling.
```bash
# View current rules
docker compose exec netfilter-mailcow iptables -L -n

# Custom rules (create override file)
nano /opt/mailcow-dockerized/data/conf/netfilter/override.conf
```
Use an external firewall (UFW, firewalld, or cloud firewall) so only required ports are reachable.
```bash
# UFW example (Ubuntu)
sudo ufw allow 25/tcp    # SMTP
sudo ufw allow 465/tcp   # SMTPS
sudo ufw allow 587/tcp   # Submission
sudo ufw allow 110/tcp   # POP3
sudo ufw allow 143/tcp   # IMAP
sudo ufw allow 993/tcp   # IMAPS
sudo ufw allow 995/tcp   # POP3S
sudo ufw allow 443/tcp   # HTTPS
sudo ufw allow 80/tcp    # HTTP (optional; ACME/redirect)
sudo ufw enable
```
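
To check the result, the following added example (not part of mailcow or its documentation) lists TCP ports that listen on non-loopback addresses and are not in the port list above. The function names, the constructed `ss` sample, and treating extra arguments as additional allowed ports (for example 22 for SSH, which the list above does not include) are assumptions of this example.

```bash
#!/bin/sh
# Ports opened by the UFW example on this page.
ALLOWED_PORTS="25 465 587 110 143 993 995 443 80"

# Reads `ss -tln` output on stdin and prints, one per line, every port that
# listens on a non-loopback address and is not allowed.
# Arguments: extra allowed ports (a convention of this example, e.g. 22).
unexpected_ports() {
    awk -v allowed="$ALLOWED_PORTS $*" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" {
            laddr = $4                        # e.g. 0.0.0.0:25 or [::]:443
            port = laddr; sub(/.*:/, "", port)  # text after the last colon
            addr = substr(laddr, 1, length(laddr) - length(port) - 1)
            if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only
            if (!(port in ok) && !(port in seen)) { seen[port] = 1; print port }
        }
    ' | sort -n
}

# Constructed sample of `ss -H -tln` output, not taken from a real host.
sample_ss_output() {
    cat <<'EOF'
LISTEN 0 4096 0.0.0.0:25     0.0.0.0:*
LISTEN 0 4096 0.0.0.0:443    0.0.0.0:*
LISTEN 0 4096 [::]:443       [::]:*
LISTEN 0 4096 0.0.0.0:993    0.0.0.0:*
LISTEN 0 128  0.0.0.0:22     0.0.0.0:*
LISTEN 0 128  [::]:22        [::]:*
LISTEN 0 4096 127.0.0.1:8983 0.0.0.0:*
LISTEN 0 4096 [::1]:6379     [::]:*
LISTEN 0 151  *:3306         *:*
EOF
}

echo "Unexpected ports in sample: $(sample_ss_output | unexpected_ports | tr '\n' ' ')"
# On a live host: ss -H -tln | unexpected_ports 22
```

Docker publishes container ports through its own iptables chains, so a published port can be reachable without a matching UFW allow rule; auditing listening sockets catches that where `ufw status` alone does not.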
If you do not use IPv6, mailcow can be configured to skip it:
```bash
# Edit mailcow.conf
nano /opt/mailcow-dockerized/mailcow.conf

# Set
SKIP_IPV6=true

# Restart mailcow
docker compose down
docker compose up -d
```