# Basic configuration
#
# Worker processes drop to the unprivileged "nginx" account; the master
# process keeps the privileges it was started with so it can bind the
# low ports (25, 80, 110, 143, 443, ...) declared further down.
user nginx;
worker_processes auto;
# Logs go to stderr rather than a file so the container runtime collects them.
error_log /dev/stderr notice;
pid /var/run/nginx.pid;
# The mail proxy (the `mail {}` section at the end of this file) is not
# compiled into the core binary and must be loaded explicitly.
load_module "modules/ngx_mail_module.so";
events {
    # Per-worker connection cap; both HTTP and proxied IMAP/POP/SMTP
    # sessions count against it, and each proxied mail session holds
    # a client connection plus a backend connection.
    worker_connections 1024;
}
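http {
    # Standard HTTP configuration with slight hardening
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    # Do not leak the nginx version in Server: headers and error pages.
    server_tokens off;
    # Emit relative Location: headers so redirects work behind a reverse
    # proxy that rewrites the public scheme/host.
    absolute_redirect off;
    # Needed because every proxy_pass below uses a variable ($admin, $webmail,
    # ...), which makes nginx resolve the upstream name at request time.
    resolver {{ RESOLVER }} valid=30s;

    # Client-IP recovery behind a trusted reverse proxy. Only addresses in
    # REAL_IP_FROM are allowed to supply REAL_IP_HEADER; anything outside that
    # list keeps its TCP source address. Listing an overly broad range here
    # (e.g. 0.0.0.0/0) lets any client spoof its IP towards the admin auth
    # endpoints, which receive it as X-Real-IP in `location /internal` below.
    {% if REAL_IP_HEADER %}
    real_ip_header {{ REAL_IP_HEADER }};
    {% endif %}

    {% if REAL_IP_FROM %}{% for from_ip in REAL_IP_FROM.split(',') %}
    set_real_ip_from {{ from_ip }};
    {% endfor %}{% endif %}

    # Header maps
    # Scheme as seen by the client: the X-Forwarded-Proto header when a
    # reverse proxy sets one, otherwise the scheme of the local listener.
    # The header value is client-supplied; it is only used below to decide
    # whether to redirect to https, so a forged value cannot gain access.
    map $http_x_forwarded_proto $proxy_x_forwarded_proto {
        default $http_x_forwarded_proto;
        '' $scheme;
    }
    # Long cache lifetime for static asset extensions, off for everything else.
    map $uri $expires {
        default off;
        ~*\.(ico|css|js|gif|jpeg|jpg|png|woff2?|ttf|otf|svg|tiff|eot|webp)$ 97d;
    }

    # Keep the health probe and the mail-auth callback (hit once per
    # IMAP/POP/SMTP login via the loopback server at the bottom) out of the
    # access log; everything else is logged. Note the match is on the exact
    # $request_uri, so a query string would make the request loggable again.
    map $request_uri $loggable {
        /health 0;
        /auth/email 0;
        default 1;
    }
    access_log /dev/stdout combined if=$loggable;

    # compression
    # NOTE(review): gzip on TLS responses that mix a secret (CSRF token,
    # session id) with attacker-controlled input is the BREACH pre-condition;
    # text/html is always compressed by nginx regardless of gzip_types.
    # Confirm the admin/webmail pages are not affected before relying on this.
    gzip on;
    gzip_static on;
    # The terminating ';' was missing here, which made nginx parse
    # "gzip_min_length 1024" as two extra MIME types and left gzip_min_length
    # at its default.
    gzip_types text/plain text/css application/xml application/javascript;
    gzip_min_length 1024;
    # TODO: figure out how to server pre-compressed assets from admin container

    {% if KUBERNETES_INGRESS != 'true' and TLS_FLAVOR in [ 'letsencrypt', 'cert' ] %}
    # Enable the proxy for certbot if the flavor is letsencrypt and not on kubernetes
    #
    # Plain-HTTP server used only to answer ACME challenges and to bounce
    # everything else to HTTPS.
    server {
        # Listen over HTTP
        listen 80;
        listen [::]:80;
        {% if TLS_FLAVOR == 'letsencrypt' %}
        # ^~ takes precedence over the regex locations so challenge
        # responses are never swallowed by another rule.
        location ^~ /.well-known/acme-challenge/ {
            proxy_pass http://127.0.0.1:8008;
        }
        {% endif %}
        # redirect to https
        # $host comes from the client's Host header; this server has no
        # server_name, so the redirect target is whatever host the client
        # asked for. Harmless on its own but worth knowing if a
        # cache or proxy is ever placed in front of it.
        location / {
            return 301 https://$host$request_uri;
        }
    }
    {% endif %}

    # Main HTTP server
    server {
        # Favicon stuff
        root /static;
        # Variables for proxifying
        set $admin {{ ADMIN_ADDRESS }};
        set $antispam {{ ANTISPAM_ADDRESS }}:11334;
        {% if WEBMAIL_ADDRESS %}
        set $webmail {{ WEBMAIL_ADDRESS }};
        {% endif %}
        {% if WEBDAV_ADDRESS %}
        set $webdav {{ WEBDAV_ADDRESS }}:5232;
        {% endif %}
        # Message size limit plus 8 MiB of headroom for upload overhead
        # (presumably multipart/base64 framing by the webmail).
        client_max_body_size {{ MESSAGE_SIZE_LIMIT|int + 8388608 }};

        # Listen on HTTP only in kubernetes or behind reverse proxy
        {% if KUBERNETES_INGRESS == 'true' or TLS_FLAVOR in [ 'mail-letsencrypt', 'notls', 'mail' ] %}
        listen 80;
        listen [::]:80;
        {% endif %}

        # Only enable HTTPS if TLS is enabled with no error and not on kubernetes
        {% if KUBERNETES_INGRESS != 'true' and TLS and not TLS_ERROR %}
        listen 443 ssl http2;
        listen [::]:443 ssl http2;

        include /etc/nginx/tls.conf;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_session_cache shared:SSLHTTP:3m;
        # `always` so the policy is also delivered on 4xx/5xx responses
        # (e.g. the 403 from auth_request or a 404 on a first visit); the
        # browser honours HSTS from any response over TLS.
        add_header Strict-Transport-Security 'max-age=31536000' always;

        # Behind a TLS-terminating reverse proxy, bounce requests that
        # reached the proxy over plain http.
        {% if not TLS_FLAVOR in [ 'mail', 'mail-letsencrypt' ] %}
        if ($proxy_x_forwarded_proto = http) {
            return 301 https://$host$request_uri;
        }
        {% endif %}
        {% endif %}

        # Remove headers to prevent duplication and information disclosure
        proxy_hide_header X-XSS-Protection;
        proxy_hide_header X-Powered-By;

        # Baseline browser hardening for every proxied app. `always` keeps the
        # headers on error responses too. These are inherited only by
        # locations that do not declare add_header themselves, so an
        # /overrides/*.conf snippet that adds its own header must repeat them.
        add_header X-Frame-Options 'SAMEORIGIN' always;
        add_header X-Content-Type-Options 'nosniff' always;
        add_header X-Permitted-Cross-Domain-Policies 'none' always;
        add_header Referrer-Policy 'same-origin' always;

        # Client autoconfiguration endpoints: unauthenticated by design (mail
        # clients fetch them before they have credentials). They are regex
        # locations, so they keep matching even in the TLS_ERROR branch below.
        # mozilla autoconfiguration
        location ~ ^/(\.well\-known/autoconfig/)?mail/config\-v1\.1\.xml {
            rewrite ^ /internal/autoconfig/mozilla break;
            include /etc/nginx/proxy.conf;
            proxy_pass http://$admin;
        }
        # microsoft autoconfiguration
        location ~* ^/Autodiscover/Autodiscover.json {
            rewrite ^ /internal/autoconfig/microsoft.json break;
            include /etc/nginx/proxy.conf;
            proxy_pass http://$admin;
        }
        location ~* ^/Autodiscover/Autodiscover.xml {
            rewrite ^ /internal/autoconfig/microsoft break;
            include /etc/nginx/proxy.conf;
            proxy_pass http://$admin;
        }
        # apple mobileconfig
        location ~ ^/(apple\.)?mobileconfig {
            rewrite ^ /internal/autoconfig/apple break;
            include /etc/nginx/proxy.conf;
            proxy_pass http://$admin;
        }

        {% if TLS_FLAVOR == 'mail-letsencrypt' %}
        location ^~ /.well-known/acme-challenge/ {
            proxy_pass http://127.0.0.1:8008;
        }
        {% endif %}

        # If TLS is failing, prevent access to anything except certbot
        {% if KUBERNETES_INGRESS != 'true' and TLS_ERROR and not (TLS_FLAVOR in [ 'mail-letsencrypt', 'mail' ]) %}
        location / {
            return 403;
        }
        {% else %}
        include /overrides/*.conf;

        # Actual logic
        # Login page and its assets: reachable without a session so the SSO
        # form itself can be served.
        {% if ADMIN == 'true' or WEBMAIL != 'none' %}
        location ~ ^/(sso|static)/ {
            include /etc/nginx/proxy.conf;
            proxy_pass http://$admin;
        }
        {% endif %}

        {% if WEB_WEBMAIL != '/' and WEBROOT_REDIRECT != 'none' %}
        location / {
            expires $expires;
            {% if WEBROOT_REDIRECT %}
            try_files $uri {{ WEBROOT_REDIRECT }};
            {% else %}
            try_files $uri =404;
            {% endif %}
        }
        {% endif %}

        {% if WEBMAIL != 'none' %}
        # Webmail: gated by a subrequest to the admin auth endpoint; a 403
        # from it becomes a redirect to the SSO login page.
        # NOTE(review): unlike the sso.php location below, this one does not
        # override X-Remote-User / X-Remote-User-Token, so whatever the client
        # sent is forwarded unless proxy.conf strips it. Confirm the webmail
        # ignores those headers outside sso.php.
        location {{ WEB_WEBMAIL }} {
            {% if WEB_WEBMAIL != '/' %}
            rewrite ^({{ WEB_WEBMAIL }})$ $1/ permanent;
            rewrite ^{{ WEB_WEBMAIL }}/(.*) /$1 break;
            {% endif %}
            include /etc/nginx/proxy.conf;
            auth_request /internal/auth/user;
            error_page 403 @webmail_login;
            proxy_pass http://$webmail;
        }

        # SSO hand-off into the webmail: the identity and token come from
        # the auth subrequest's response headers, never from the client.
        {% if WEB_WEBMAIL == '/' %}
        location /sso.php {
        {% else %}
        location {{ WEB_WEBMAIL }}/sso.php {
        {% endif %}
            {% if WEB_WEBMAIL != '/' %}
            rewrite ^({{ WEB_WEBMAIL }})$ $1/ permanent;
            rewrite ^{{ WEB_WEBMAIL }}/(.*) /$1 break;
            {% endif %}
            include /etc/nginx/proxy.conf;
            auth_request /internal/auth/user;
            auth_request_set $user $upstream_http_x_user;
            auth_request_set $token $upstream_http_x_user_token;
            proxy_set_header X-Remote-User $user;
            proxy_set_header X-Remote-User-Token $token;
            error_page 403 @webmail_login;
            proxy_pass http://$webmail;
        }

        location @webmail_login {
            return 302 /sso/login;
        }
        {% endif %}
        {% if ADMIN == 'true' %}
        # Admin UI does its own session handling; no auth_request here.
        location {{ WEB_ADMIN }} {
            include /etc/nginx/proxy.conf;
            proxy_pass http://$admin;
            expires $expires;
        }

        # rspamd web UI, restricted to admins. The client-IP headers are
        # blanked on purpose so rspamd sees the request as coming from
        # this proxy rather than from the end user; presumably rspamd's
        # trusted-network handling depends on that.
        location {{ WEB_ADMIN }}/antispam {
            rewrite ^{{ WEB_ADMIN }}/antispam/(.*) /$1 break;
            auth_request /internal/auth/admin;
            proxy_set_header X-Real-IP "";
            proxy_set_header X-Forwarded-For "";
            proxy_pass http://$antispam;
        }
        {% endif %}

        {% if WEBDAV != 'none' %}
        # CalDAV/CardDAV: HTTP Basic credentials are checked by the admin
        # service (the Authorization header is forwarded by /internal), and
        # only the resolved user name is passed to the DAV backend.
        location /webdav {
            rewrite ^/webdav/(.*) /$1 break;
            auth_request /internal/auth/basic;
            auth_request_set $user $upstream_http_x_user;
            include /etc/nginx/proxy.conf;
            proxy_set_header X-Remote-User $user;
            proxy_set_header X-Script-Name /webdav;
            proxy_pass http://$webdav;
        }

        # Dot escaped so the regex matches the literal ".well-known" path only
        # (consistent with the autoconfig regex above).
        location ~ ^/\.well-known/(carddav|caldav) {
            return 301 /webdav/;
        }
        {% endif %}
        {% endif %}

        # Auth subrequest target. `internal` means it can only be reached
        # via auth_request/rewrite, never by an external request. The body
        # is dropped and only the Authorization header plus the (real_ip-
        # adjusted) client address are forwarded to the admin service.
        location /internal {
            internal;

            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Authorization $http_authorization;
            proxy_pass_header Authorization;
            proxy_pass http://$admin;
            proxy_pass_request_body off;
            proxy_set_header Content-Length "";
        }

        location /health {
            return 204;
        }
    }

    # Forwarding authentication server
    # Loopback-only bridge used by the mail proxy's auth_http (see the mail
    # section): it maps /auth/email onto the admin service's /internal/ tree.
    # Anything able to reach 127.0.0.1:8000 in this network namespace can
    # call those /internal endpoints directly, bypassing the `internal;`
    # guard of the public server above, so keep this port unexposed.
    server {
        # Variables for proxifying
        set $admin {{ ADMIN_ADDRESS }};

        listen 127.0.0.1:8000;

        location / {
            proxy_pass http://$admin/internal$request_uri;
        }
    }

    include /etc/nginx/conf.d/*.conf;
}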
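mail {
    server_name {{ HOSTNAMES.split(",")[0] }};
    # Credentials for every proxied IMAP/POP/SMTP login are checked through
    # the loopback HTTP server on 127.0.0.1:8000 defined in the http section,
    # which forwards to the admin service. The Auth-Port header set per
    # server below tells it which listener the login came from.
    auth_http http://127.0.0.1:8000/auth/email;
    proxy_pass_error_message on;
    resolver {{ RESOLVER }} valid=30s;
    # info level so failed logins (with client address) are visible for
    # detection tooling.
    error_log /dev/stderr info;

    {% if TLS and not TLS_ERROR %}
    include /etc/nginx/tls.conf;
    ssl_session_cache shared:SSLMAIL:3m;
    {% endif %}

    # Advertise real capabilities of backends (postfix/dovecot)
    smtp_capabilities PIPELINING "SIZE {{ MESSAGE_SIZE_LIMIT }}" ETRN ENHANCEDSTATUSCODES 8BITMIME DSN;
    pop3_capabilities TOP UIDL RESP-CODES PIPELINING AUTH-RESP-CODE USER;
    imap_capabilities IMAP4 IMAP4rev1 UIDPLUS SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+;

    # Default SMTP server for the webmail (no encryption, but authentication)
    # These two listeners bind all interfaces, not loopback, and accept
    # plain-text AUTH; isolation relies on the container network.
    server {
        listen 10025;
        protocol smtp;
        smtp_auth plain;
        auth_http_header Auth-Port 10025;
    }

    # Default IMAP server for the webmail (no encryption, but authentication)
    server {
        listen 10143;
        protocol imap;
        # Was `smtp_auth plain`, which is inert in an imap server (the
        # effective setting was the imap_auth default). Made explicit and
        # consistent with the other IMAP listeners.
        imap_auth plain;
        auth_http_header Auth-Port 10143;
        # ensure we talk HAPROXY protocol to the backends
        proxy_protocol on;
    }

    # SMTP is always enabled, to avoid losing emails when TLS is failing
    # MX listener: STARTTLS is offered but optional (`starttls on`), and no
    # AUTH is ever advertised here (`smtp_auth none`), so credentials can
    # never be submitted over a plain-text session on port 25.
    server {
        listen 25;
        listen [::]:25;
        {% if TLS and not TLS_ERROR %}
        {% if TLS_FLAVOR in ['letsencrypt','mail-letsencrypt'] %}
        # Certificate overridden for port 25 only (RSA + ECDSA pair); the key
        # paths are inherited from tls.conf above — presumably they point at
        # the matching privkey.pem files, verify if tls.conf changes.
        ssl_certificate /certs/letsencrypt/live/mailu/fullchain.pem;
        ssl_certificate /certs/letsencrypt/live/mailu-ecdsa/fullchain.pem;
        {% endif %}
        {% if TLS_PERMISSIVE %}
        # Deliberately weak: opportunistic TLS on the MX port, where a
        # handshake failure with a legacy sender means the fallback is
        # plain text, not "no delivery". This permissiveness applies to
        # port 25 only; the submission and mailbox ports keep tls.conf.
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA;
        ssl_prefer_server_ciphers on;
        {% endif %}
        starttls on;
        {% endif %}
        protocol smtp;
        smtp_auth none;
        auth_http_header Auth-Port 25;
    }

    # All other protocols are disabled if TLS is failing
    # On the STARTTLS ports, `starttls only` makes the client negotiate TLS
    # before AUTH is accepted. When TLS is disabled altogether (notls), these
    # listeners accept plain-text logins.
    {% if not TLS_ERROR %}
    server {
        listen 143;
        listen [::]:143;
        {% if TLS %}
        starttls only;
        {% endif %}
        protocol imap;
        imap_auth plain;
        auth_http_header Auth-Port 143;
        # ensure we talk HAPROXY protocol to the backends
        proxy_protocol on;
    }

    server {
        listen 110;
        listen [::]:110;
        {% if TLS %}
        starttls only;
        {% endif %}
        protocol pop3;
        pop3_auth plain;
        auth_http_header Auth-Port 110;
        # ensure we talk HAPROXY protocol to the backends
        proxy_protocol on;
    }

    # Submission port: AUTH only after STARTTLS when TLS is on.
    server {
        listen 587;
        listen [::]:587;
        {% if TLS %}
        starttls only;
        {% endif %}
        protocol smtp;
        smtp_auth plain login;
        auth_http_header Auth-Port 587;
    }

    # Implicit-TLS listeners, only when TLS is configured.
    {% if TLS %}
    server {
        listen 465 ssl;
        listen [::]:465 ssl;
        protocol smtp;
        smtp_auth plain login;
        auth_http_header Auth-Port 465;
    }

    server {
        listen 993 ssl;
        listen [::]:993 ssl;
        protocol imap;
        imap_auth plain;
        auth_http_header Auth-Port 993;
        # ensure we talk HAPROXY protocol to the backends
        proxy_protocol on;
    }

    server {
        listen 995 ssl;
        listen [::]:995 ssl;
        protocol pop3;
        pop3_auth plain;
        auth_http_header Auth-Port 995;
        # ensure we talk HAPROXY protocol to the backends
        proxy_protocol on;
    }
    {% endif %}
    {% endif %}
}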