diff --git a/03frontends.cfg b/03frontends.cfg
index 1a819c7..33d856d 100644
--- a/03frontends.cfg
+++ b/03frontends.cfg
@@ -309,6 +309,7 @@ frontend frontend_default
 acl kanboard hdr(host) -i kanboard.benoit.jp.net
 acl laminar hdr(host) -i laminar.benoit.jp.net
 acl linkding hdr(host) -i linkding.benoit.jp.net
+ acl mailcow hdr(host) -i mail.benoit.jp.net
 acl mastodon hdr(host) -i mastodon.benoit.jp.net
 acl miniflux hdr(host) -i miniflux.benoit.jp.net
 acl navidrome hdr(host) -i navidrome.benoit.jp.net
@@ -319,6 +320,7 @@ frontend frontend_default
 http-request deny if adguard !JP !SG !letsencrypt
 http-request deny if kanboard !JP !SG !letsencrypt
+ http-request deny if mailcow !JP !SG !letsencrypt
 http-request deny if miniflux !JP !SG !letsencrypt
 http-request deny if navidrome !JP !SG !letsencrypt
 http-request deny if photoprism !JP !SG !letsencrypt
@@ -331,6 +333,7 @@ frontend frontend_default
 use_backend laminar if laminar
 use_backend letsencrypt if letsencrypt
 use_backend linkding if linkding
+ use_backend mailcow if mailcow
 use_backend mastodon if mastodon
 use_backend miniflux if miniflux
 use_backend navidrome if navidrome
diff --git a/04listen.cfg b/04listen.cfg
index 5d3ee73..39a7dfa 100644
--- a/04listen.cfg
+++ b/04listen.cfg
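Review bot: The added `http-request deny if mailcow !JP !SG !letsencrypt` rule (second hunk of 03frontends.cfg) restricts only the HTTP side of Mailcow, while the `listen smtps`, `listen imaps` and `listen sieve` sections this commit enables in 04listen.cfg accept connections from any source. If the JP/SG fence is meant to shrink the login surface, those TCP listeners need their own source filter, for example `tcp-request connection reject if !JP !SG` in each section, assuming the JP and SG ACLs are source-based and are declared there as well (their definitions are outside this hunk). If restricting only the web UI is intentional, a comment beside the rule such as `# web UI/API only; IMAPS/SMTPS/sieve stay reachable worldwide via 04listen.cfg` would record that. The `frontend_default` section starts and ends outside the hunk.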
@@ -8,30 +8,30 @@ listen ssh
 server git-ssh forgejo.incus:10022 send-proxy check
 # Mailcow
-# listen smtp
-# bind :25
-# bind :::25 v6only
-# mode tcp
-# option tcplog
-# server mail 10.78.127.231:10025 send-proxy
-# listen smtps
-# bind :465
-# bind :::465 v6only
-# mode tcp
-# option tcplog
-# server mail 10.78.127.231:10465 send-proxy
-# listen imaps
-# bind :993
-# bind :::993 v6only
-# mode tcp
-# option tcplog
-# server mail 10.78.127.231:10993 send-proxy
-# listen sieve
-# bind :4190
-# bind :::4190 v6only
-# mode tcp
-# option tcplog
-# server mail 10.78.127.231:14190 send-proxy
+ listen smtp
+ bind :25
+ bind :::25 v6only
+ mode tcp
+ option tcplog
+ server mailcow mailcow.incus:10025 send-proxy
+ listen smtps
+ bind :465
+ bind :::465 v6only
+ mode tcp
+ option tcplog
+ server mailcow mailcow.incus:10465 send-proxy
+ listen imaps
+ bind :993
+ bind :::993 v6only
+ mode tcp
+ option tcplog
+ server mailcow mailcow.incus:10993 send-proxy
+ listen sieve
+ bind :4190
+ bind :::4190 v6only
+ mode tcp
+ option tcplog
+ server mailcow mailcow.incus:14190 send-proxy
 # Adguard
 listen adguard-dot
diff --git a/05backends.cfg b/05backends.cfg
index 50e5e9d..63cec5b 100644
--- a/05backends.cfg
+++ b/05backends.cfg
@@ -127,3 +127,13 @@ backend navidrome
 http-response set-header Referrer-Policy "strict-origin-when-cross-origin"
 http-response set-header Cross-Origin-Resource-Policy "same-origin"
 server navidrome navidrome.incus:4533 check
+
+backend mailcow
+ # set HSTS for one year after all responses
+ http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+ # add some Security headers
+ http-response set-header X-Frame-Options "SAMEORIGIN"
+ http-response set-header X-Content-Type-Options "nosniff"
+ http-response set-header Referrer-Policy "strict-origin-when-cross-origin"
+ http-response set-header Cross-Origin-Resource-Policy "same-origin"
+ server navidrome mailcow.incus:80 check
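Review bot: Each re-enabled `server mailcow mailcow.incus:… send-proxy` line in the 04listen.cfg hunk makes the Mailcow side take the client address from a PROXY header, and nothing visible here shows that ports 10025, 10465, 10993 and 14190 accept connections only from this HAProxy host. If anything else can reach those ports, the address recorded in mail logs and used for address-based decisions (presumably ban lists and SMTP reputation checks) is no longer trustworthy. Confirm the container limits those ports to the proxy and record it above the block, e.g. `# PROXY-protocol ports: mailcow must accept these from haproxy only`. The four servers also lack the `check` that `server git-ssh forgejo.incus:10022 send-proxy check` carries, so HAProxy will not notice a dead Mailcow container; `server mailcow mailcow.incus:10993 send-proxy check` would be consistent if the backend tolerates the probe connections.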
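Review bot: The last added line of the 05backends.cfg hunk, `server navidrome mailcow.incus:80 check`, keeps the server name of the navidrome backend it appears to have been copied from, so logs and the stats page will label Mailcow traffic as server `navidrome`; it should read `server mailcow mailcow.incus:80 check`. The backend also speaks plain HTTP to port 80 on the container, so webmail credentials and session cookies cross the Incus network unencrypted. That is acceptable only if the bridge is treated as trusted, which is worth stating in a comment such as `# plain HTTP to the container: Incus bridge is trusted, TLS terminates at haproxy`.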