Chatmail certificates under a reverse proxy

Hi.

I would like to install a Chatmail server under a reverse proxy, but I am having problems with the certificate.

My reverse proxy is already forwarding traffic to my other backend servers, so I cannot directly stream port 80 and 443 towards the chatmail server in order to let Chatmail handle its own certificates.

I guess one solution would be to make the reverse proxy manage Chatmail’s certificates.

Would that be a problem?

Is there anything in cmdeploy I could easily modify, without breaking anything, so that Chatmail forgets about certificates and everything works OK?

If so, please let me know.

Thank you!

I guess another solution to my problem would be to make Chatmail negotiate its own certificates through DNS challenge.

Is that possible?

How should I proceed?

I solved it.

I am using Nginx Proxy Manager. I created a Proxy Host (http/80) with the three hostnames mychatmail.mydomain.tld, mta-sts.mychatmail.mydomain.tld and www.mychatmail.mydomain.tld and then, on the Advanced tab, I added:

location / {
  return 404;
}
location ^~ /.well-known/acme-challenge/ {
  proxy_set_header Host $host;
  proxy_pass http://<my_chatmail_local_IP>:80;
}

My previous post only solved passing scripts/cmdeploy run, but when I ran scripts/cmdeploy test I got errors.

So, the final solution was a proxy host (https/443) for the domain names mychatmail.mydomain.tld, mta-sts.mychatmail.mydomain.tld and www.mychatmail.mydomain.tld, letting NPM request a Let's Encrypt certificate and adding the following custom configuration on the Advanced tab:

proxy_ssl_server_name on;
proxy_ssl_name mychatmail.mydomain.tld;

I enabled the options:

  • Block Common Exploits
  • Websocket Support

And on the SSL tab:

  • Force SSL
  • HTTP/2 Support
  • HSTS Enabled
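For readers who do not use Nginx Proxy Manager, the following is an added example, not from the thread and not NPM-generated output: a hand-written nginx equivalent of the two proxy hosts described above, so that the effect of each NPM option (Force SSL, HTTP/2, HSTS, Websocket Support) and of the two proxy_ssl_* lines is visible as a directive. Everything beyond what the posts state is an assumption: the certificate paths under /etc/letsencrypt/live/, the HSTS max-age, the commented-out backend verification, and the use of the thread's own <my_chatmail_local_IP> placeholder for the chatmail host.

```nginx
# Added example (not from the thread, not NPM output). Assumed paths and values
# are marked; <my_chatmail_local_IP> is the placeholder used in the thread.

# Port 80: keep ACME HTTP-01 challenges reachable for the chatmail host (the
# first post's location block) and send everything else to HTTPS ("Force SSL").
server {
    listen 80;
    server_name mychatmail.mydomain.tld mta-sts.mychatmail.mydomain.tld www.mychatmail.mydomain.tld;

    location ^~ /.well-known/acme-challenge/ {
        proxy_set_header Host $host;
        proxy_pass http://<my_chatmail_local_IP>:80;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: terminate TLS with the proxy's own Let's Encrypt certificate, then
# re-encrypt to the chatmail host (the second post's proxy host).
server {
    listen 443 ssl;
    http2 on;                     # "HTTP/2 Support" (older nginx: "listen 443 ssl http2;")
    server_name mychatmail.mydomain.tld mta-sts.mychatmail.mydomain.tld www.mychatmail.mydomain.tld;

    # Assumed certificate location; NPM stores its certificates elsewhere.
    ssl_certificate     /etc/letsencrypt/live/mychatmail.mydomain.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mychatmail.mydomain.tld/privkey.pem;

    # "HSTS Enabled": browsers remember to use HTTPS for this host (max-age assumed).
    add_header Strict-Transport-Security "max-age=63072000" always;

    location / {
        proxy_pass https://<my_chatmail_local_IP>:443;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # The two lines from the thread. proxy_ssl_server_name defaults to off, so
        # without them nginx opens the upstream TLS connection with no SNI and a
        # name-based backend cannot select the certificate for
        # mychatmail.mydomain.tld; it presents its default one instead.
        proxy_ssl_server_name on;
        proxy_ssl_name mychatmail.mydomain.tld;

        # Hardening not mentioned in the thread: verify the backend's certificate
        # rather than accepting any. Needs a CA bundle covering the backend's
        # issuer (path assumed). Leave off until the backend presents a valid chain.
        # proxy_ssl_verify on;
        # proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

        # "Websocket Support"
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

The port 80 block only matters if the chatmail host still renews its own certificate over HTTP-01; the challenge has to reach whichever machine runs the ACME client, which is why the first post forwards that path while refusing everything else. Check the result with `nginx -t` before reloading, and confirm that the proxy's certificate, not the backend's default one, is what clients see for each of the three names.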