Add specific unencrypted servers for internal connexions (webmails)

2025-05-31 23:10:01 +02:00 · 2017-10-22 11:31:32 +02:00 · 2017-10-22 11:31:32 +02:00 · 04a25fc4e3
commit 04a25fc4e3
parent ec6d5acc18
3 changed files with 27 additions and 6 deletions
--- a/nginx/conf/nginx.conf
+++ b/nginx/conf/nginx.conf
@ -20,13 +20,15 @@ http {
    absolute_redirect off;

    server {
+      # Always listen over HTTP
      listen 80;
      listen [::]:80;

-      # TLS configuration
+      # Only enable HTTPS if TLS is enabled with no error
      {% if TLS and not TLS_ERROR %}
      listen 443 ssl;
      listen [::]:443 ssl;
+
      include /etc/nginx/tls.conf;
      ssl_session_cache shared:SSLHTTP:50m;
      add_header Strict-Transport-Security max-age=15768000;
@ -36,18 +38,21 @@ http {
      }
      {% endif %}

+      # In any case, enable the proxy for certbot if the flavor is letsencrypt
      {% if TLS_FLAVOR == 'letsencrypt' %}
      location ^~ /.well-known/acme-challenge/ {
          proxy_pass http://localhost:8000;
      }
      {% endif %}

-      # Actual logic
+      # If TLS is failing, prevent access to anything except certbot
      {% if TLS_ERROR %}
      location / {
        return 403;
      }
      {% else %}
+
+      # Actual logic
      {% if WEBMAIL != 'none' %}
      location / {
        return 301 $scheme://$host/webmail/;
@ -90,6 +95,21 @@ mail {
    ssl_session_cache shared:SSLMAIL:50m;
    {% endif %}

+    # Default SMTP server for the webmail (no encryption, but authentication)
+    server {
+      listen 10025;
+      protocol smtp;
+      smtp_auth plain;
+    }
+
+    # Default IMAP server for the webmail (no encryption, but authentication)
+    server {
+      listen 10143;
+      protocol imap;
+      smtp_auth plain;
+    }
+
+    # SMTP is always enabled, to avoid losing emails when TLS is failing
    server {
      listen 25;
      listen [::]:25;
@ -100,6 +120,7 @@ mail {
      smtp_auth none;
    }

+    # All other protocols are disabled if TLS is failing
    {% if not TLS_ERROR %}
    server {
      listen 143;
--- a/rainloop/default.ini
+++ b/rainloop/default.ini
@ -1,5 +1,5 @@
 imap_host = "front"
-imap_port = 143
+imap_port = 10143
 imap_secure = "None"
 imap_short_login = Off
 sieve_use = On
@ -8,7 +8,7 @@ sieve_host = "imap"
 sieve_port = 4190
 sieve_secure = "TLS"
 smtp_host = "front"
-smtp_port = 25
+smtp_port = 10025
 smtp_secure = "None"
 smtp_short_login = Off
 smtp_auth = On
--- a/roundcube/config.inc.php
+++ b/roundcube/config.inc.php
@ -18,9 +18,9 @@ $config['plugins'] = array(

 // Mail servers
 $config['default_host'] = 'front';
-$config['default_port'] = 143;
+$config['default_port'] = 10143;
 $config['smtp_server'] = 'front';
-$config['smtp_port'] = 25;
+$config['smtp_port'] = 10025;
 $config['smtp_user'] = '%u';
 $config['smtp_pass'] = '%p';