Mailcow on a LYLIX VPS — sizing, install, the post-install hardening pass

Mailcow is the easiest way to run a complete production mail stack on a single VPS — Postfix + Dovecot + Rspamd + SOGo webmail + a friendly admin UI, wrapped in Docker Compose. This article covers the sizing, install, and the things you should do right after the install completes.

Sizing

Mailcow needs:

  • RAM: 4 GB minimum, 8 GB comfortable. Rspamd and the JVM-based components are not light.
  • CPU: 2 cores minimum, 4+ for active deployments.
  • Disk: 20 GB for the install, plus your mailbox storage growth. Plan generously.
  • IP: dedicated IPv4 with PTR set to your mail hostname.
  • Outbound port 25 reachable from your VPS.

Mailcow on a 2 GB VPS will work for testing but feel cramped in production. Save yourself the headache and start at 4 GB.

Install

Mailcow ships as Docker Compose. Install Docker first on Debian 12:

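# Prerequisites (git is needed below to clone mailcow)
apt update
apt install ca-certificates curl git
# Add Docker's repository signing key
install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/debian/gpg \
    -o /etc/apt/keyrings/docker.asc
chmod a+r /etc/apt/keyrings/docker.asc
# Add the Docker repository; the codename is read from /etc/os-release
# because lsb_release is not installed on minimal Debian images
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] \
    https://download.docker.com/linux/debian \
    $(. /etc/os-release && echo "$VERSION_CODENAME") stable" \
    > /etc/apt/sources.list.d/docker.list
# Install Docker Engine and the Compose plugin
apt update
apt install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin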

Then mailcow:

cd /opt
git clone https://github.com/mailcow/mailcow-dockerized
cd mailcow-dockerized
./generate_config.sh

Answer the prompts. The hostname is the most important question: set it to mail.example.com (or whatever your mail server's PTR will resolve to). Changing it later takes effort.

Then start everything:

docker compose pull
docker compose up -d

First-time pull is a few GB. Subsequent updates are incremental.

First login

Open https://mail.example.com/ in a browser. Log in with username admin, password moohoo. Change this password immediately under System → Configuration → Access.

DNS records

Mailcow's admin UI generates the DNS records you need. Look under Configuration → Domains → DNS for your domain. You'll get:

  • MX → mail.example.com
  • SPF TXT
  • DKIM TXT — Mailcow generates the key automatically; you publish the record it shows.
  • DMARC TXT (start with p=none to monitor before enforcing).
  • Autodiscover / Autoconfig records for mail clients.

Publish all of them on your DNS host. Wait for propagation (a few minutes typically).

TLS

Mailcow uses Let's Encrypt by default. The acme-mailcow container fetches and renews certs for the mailcow hostname and all configured domains via HTTP-01.

If port 80 is blocked or you need wildcards, configure DNS-01 in mailcow.conf:

SKIP_LETS_ENCRYPT=n
LE_STAGING=n
ADDITIONAL_SAN=autodiscover.example.com,autoconfig.example.com

Post-install hardening

  1. Change all default credentials. Admin password, any mailbox passwords from the demo.
  2. Restrict admin UI access. If only you and your team manage Mailcow, restrict /admin by source IP in nginx config (see Mailcow docs for the customize path).
  3. Enable 2FA for the admin account. System → Configuration → Access.
  4. Tighten DMARC. Move to quarantine, then reject, after a week or two of monitoring with p=none and clean SPF/DKIM passing.
  5. Set up backups. Mailcow ships with a backup script. Run it nightly to off-host storage:
    cd /opt/mailcow-dockerized
    ./helper-scripts/backup_and_restore.sh backup all
    Then sync the output dir off-host (see Restic with B2).
  6. Enable Rspamd reject thresholds. The default Rspamd config is permissive; tune the reject score down (e.g., from 15 to 12) once you're sure your legitimate traffic isn't producing false positives.
  7. Set up monitoring. The mailcow dashboard shows the basics. Add Netdata on the host (see Netdata quickstart) for resource alerts.
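
To track the DMARC rollout from the DNS records section and hardening step 4, these shell functions classify a DMARC TXT record by stage and flag a p=none record that has no rua address to receive reports. This is an added example, not part of the original article or of mailcow; the function names and example.com are placeholders, and dig is assumed to be installed for the live lookup.

```shell
#!/bin/sh
# Added example: classify a DMARC TXT record by rollout stage.
# example.com is a placeholder domain.

# Print the value of one tag (v, p, rua, pct, ...) from a DMARC record.
dmarc_tag() {   # $1 = record text, $2 = lowercase tag name
    printf '%s' "$1" | awk -v want="$2" 'BEGIN { RS = ";" }
    {
        eq = index($0, "=")
        if (!eq) next
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(/[ \t\r\n]/, "", key)
        gsub(/^[ \t\r\n]+|[ \t\r\n]+$/, "", val)
        if (tolower(key) == want) { print val; exit }
    }'
}

# Echo one of: invalid, monitor-blind, monitor, quarantine, reject,
# with "-partial" appended when pct is set below 100.
dmarc_stage() {   # $1 = record text
    if [ "$(dmarc_tag "$1" v)" != DMARC1 ]; then echo invalid; return 1; fi
    p=$(dmarc_tag "$1" p | tr 'A-Z' 'a-z')
    rua=$(dmarc_tag "$1" rua)
    pct=$(dmarc_tag "$1" pct)
    case $p in
        none)
            # p=none only counts as monitoring if aggregate reports go somewhere
            if [ -n "$rua" ]; then echo monitor; else echo monitor-blind; fi ;;
        quarantine|reject)
            case $pct in
                ''|100) echo "$p" ;;
                *) echo "$p-partial" ;;     # policy applied to a sample only
            esac ;;
        *) echo invalid; return 1 ;;
    esac
}

# Fetch the live record (needs dig; not used when testing offline).
dmarc_lookup() {   # $1 = domain, e.g. example.com
    dig +short TXT "_dmarc.$1" | sed 's/" "//g; s/"//g' |
        grep '^v=DMARC1' | head -n 1
}

# Usage on the mail host:
#   dmarc_stage "$(dmarc_lookup example.com)"
```

A result of monitor-blind means the week or two at p=none is producing no reports, so add a rua address before moving on to quarantine.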

Common operational tasks

Add a new mailbox

  • Admin UI → Email → Mailboxes → Add mailbox.
  • Set username, password, quota.
  • User can log in via SOGo webmail at https://mail.example.com/SOGo/, or set up any IMAP/SMTP client with the autodiscover info.

Add an alias

  • Admin UI → Email → Configuration → Aliases.
  • From: address → To: mailbox.

View Rspamd insights

  • Admin UI → Status → Containers → click rspamd's web link.
  • The Rspamd UI shows reject/spam/junk decisions, per-rule breakdowns, and lets you reclassify mistakes (which improves the per-mailbox spam classifier).

Update mailcow

cd /opt/mailcow-dockerized
./update.sh

The update script pulls new images and re-deploys. Run nightly or weekly. Read release notes for breaking changes periodically.

When Mailcow isn't the right fit

  • You want a single mailbox for one user — Mailcow is overkill. Roll Postfix + Dovecot manually (see Postfix + Dovecot from scratch) or use a hosted service.
  • You want to script-manage mailboxes via API at scale. Mailcow has an API but the data model is opinionated. Plain Postfix + scripting may be more flexible.
  • You don't want Docker. Mailcow doesn't exist outside of Docker Compose.

Restoring from backup

cd /opt/mailcow-dockerized
./helper-scripts/backup_and_restore.sh restore

The script walks you through picking a backup to restore. Test this once on a scratch VPS so you know it works before you need it.
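
A restore is only as good as the last backup, so the nightly job from hardening step 5 should fail loudly when it produces nothing. The wrapper below is an added example, not part of the original article or of mailcow: the /var/backups/mailcow path, the script location in the cron line and the mailcow-* directory prefix for each run are assumptions, while MAILCOW_BACKUP_LOCATION is the variable the backup script reads for its output directory.

```shell
#!/bin/sh
# Added example: nightly mailcow backup with a freshness check.
# /var/backups/mailcow is an assumed path; mailcow-* is the directory
# prefix the backup script is assumed to use for each run.

BACKUP_DIR=${BACKUP_DIR:-/var/backups/mailcow}

# Run the backup script from the article, writing to BACKUP_DIR.
run_backup() {
    cd /opt/mailcow-dockerized &&
        MAILCOW_BACKUP_LOCATION="$BACKUP_DIR" \
            ./helper-scripts/backup_and_restore.sh backup all
}

# Echo fresh | stale | empty | missing for the newest backup under $1.
# $2 = maximum acceptable age in hours. Non-zero exit unless fresh.
backup_status() {
    newest=$(ls -1dt "$1"/mailcow-*/ 2>/dev/null | head -n 1)
    if [ -z "$newest" ]; then echo missing; return 1; fi
    # A run that died early leaves an empty directory behind
    if [ -z "$(ls -A "$newest")" ]; then echo empty; return 1; fi
    age_h=$(( ( $(date +%s) - $(stat -c %Y "$newest") ) / 3600 ))
    if [ "$age_h" -le "$2" ]; then echo fresh; else echo stale; return 1; fi
}

# Cron usage (nightly at 03:15), assuming this file is saved as
# /usr/local/sbin/mailcow-backup.sh with the last line uncommented:
#   15 3 * * * /usr/local/sbin/mailcow-backup.sh
# run_backup && backup_status "$BACKUP_DIR" 26
```

Cron mails any output and the non-zero exit can feed an alert, so a stale or empty result surfaces the morning after instead of on the day you need the restore.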
