My configuration is probably not very elegant but it is working.
I have configured mailcow to issue its own certificate and I use Caddy as a reverse proxy in front of the mailcow docker compose stack (the site address block in the Caddyfile essentially issues a second set of certificates).
The reason why I let mailcow issue its own certificate is to use the automatic renewal of the certificate. Since Caddy has no possibility for a post-hook (https://mailcow.github.io/mailcow-dockerized-docs/post_installation/firststeps-ssl/#how-to-use-your-own-certificate), at least to my knowledge, and I didn’t want to copy the Caddy certificate(s) manually over to mailcow after every certificate renewal, this seemed the best solution.
Caddy’s task is to be the reverse proxy in front of the docker compose stack. The site address block looks like this
Here only the mail.domain.tld is used to reach the HTTPS mailcow admin panel. I couldn’t find a way to exclude the other site addresses from issuing certificates.
Perhaps it would be possible to point Caddy to the mailcow certificates, but I didn’t try that yet.