Mailu/core/nginx/proxy.conf

###############
# General
###############
log_path = /dev/stderr
auth_verbose=yes
mail_debug=yes
login_log_format_elements = user=<%u> method=%m rip=%r rport=%b lip=%l lport=%a mpid=%e %c
protocols = sieve
postmaster_address = {{ POSTMASTER }}@{{ DOMAIN }}
hostname = {{ HOSTNAMES.split(",")[0] }}
submission_host = {{ FRONT_ADDRESS }}

default_internal_user = dovecot
default_login_user = mail
default_internal_group = dovecot

haproxy_trusted_networks = {% if REAL_IP_FROM %}{% for from_ip in REAL_IP_FROM.split(',') %}{{ from_ip }} {% endfor %}{% endif %}

###############
# Authentication
###############
auth_username_chars =
auth_mechanisms = plain login

{%- if TLS %}
ssl = required
ssl_cert = <{{ TLS[0] }}
ssl_key = <{{ TLS[1] }}
{%- if TLS_FLAVOR in ['letsencrypt','mail-letsencrypt'] %}
ssl_alt_cert = <{{ TLS[2] }}
ssl_alt_key = <{{ TLS[3] }}
{% endif %}
# intermediate configuration
ssl_min_protocol = TLSv1.2
ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl_prefer_server_ciphers = no
ssl_dh = </conf/dhparam.pem
{% else %}
disable_plaintext_auth = no
protocol sieve {
  ssl = no
}
{% endif %}

passdb {
  driver = lua
  args = file=/etc/dovecot/login.lua blocking=yes
}

service auth-worker {
  user = dovenull
  group = dovenull
}

service managesieve-login {
  executable = managesieve-login
  inet_listener sieve {
    port = 4190
{%- if PROXY_PROTOCOL in ['all', 'mail'] %}
    haproxy = yes
{% endif %}
  }
}