mirror of
https://github.com/Mailu/Mailu.git
synced 2024-12-16 10:59:53 +02:00
585549ce92
2924: Remove the usage of capabilities, use port 8080 for admin r=nextgens a=nextgens ## What type of PR? bug-fix ## What does this PR do? In the real world users can't get them to work... I wonder if they use patched-up kernels or if xattrs are lost somehow... in any case, we can do without capabilities so let's do that. Ensure that dovecot doesn't attempt to bind a v6 socket if SUBNET6 is not configured Also, document that systemd-resolve may cause trouble with DNSSEC. ### Related issue(s) - closes #2906 - closes #2913 ## Prerequisites Before we can consider review and merge, please make sure the following list is done and checked. If an entry in not applicable, you can check it or remove it from the list. - [x] In case of feature or enhancement: documentation updated accordingly - [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file. Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
163 lines
3.5 KiB
Plaintext
163 lines
3.5 KiB
Plaintext
###############
|
|
# General
|
|
###############
|
|
log_path = /dev/stderr
|
|
auth_verbose=yes
|
|
mail_debug=yes
|
|
login_log_format_elements = user=<%u> method=%m rip=%r rport=%b lip=%l lport=%a mpid=%e %c
|
|
protocols = sieve imap pop3 lmtp submission
|
|
postmaster_address = {{ POSTMASTER }}@{{ DOMAIN }}
|
|
hostname = {{ HOSTNAMES.split(",")[0] }}
|
|
submission_host = {{ SMTP_ADDRESS }}
|
|
submission_relay_host = {{ SMTP_ADDRESS }}
|
|
submission_relay_port = 10025
|
|
submission_relay_trusted = yes
|
|
submission_relay_ssl = no
|
|
submission_max_mail_size = {{ MESSAGE_SIZE_LIMIT }}
|
|
submission_backend_capabilities = 8BITMIME DSN VRFY
|
|
submission_client_workarounds = mailbox-for-path whitespace-before-path
|
|
# disable BURL
|
|
imap_urlauth_host=
|
|
lmtp_proxy = yes
|
|
lmtp_client_workarounds = whitespace-before-path mailbox-for-path
|
|
|
|
{%- if SUBNET6 %}
|
|
listen = *,::
|
|
{% else %}
|
|
listen = *
|
|
{% endif %}
|
|
|
|
default_internal_user = dovecot
|
|
default_login_user = mail
|
|
default_internal_group = dovecot
|
|
|
|
haproxy_trusted_networks = {% if REAL_IP_FROM %}{% for from_ip in REAL_IP_FROM.split(',') %}{{ from_ip }} {% endfor %}{% endif %}
|
|
|
|
###############
|
|
# Authentication
|
|
###############
|
|
auth_username_chars =
|
|
auth_mechanisms = plain login
|
|
|
|
{%- if TLS %}
|
|
ssl = required
|
|
ssl_cert = <{{ TLS[0] }}
|
|
ssl_key = <{{ TLS[1] }}
|
|
{%- if TLS_FLAVOR in ['letsencrypt','mail-letsencrypt'] %}
|
|
ssl_alt_cert = <{{ TLS[2] }}
|
|
ssl_alt_key = <{{ TLS[3] }}
|
|
{% endif %}
|
|
# intermediate configuration
|
|
ssl_min_protocol = TLSv1.2
|
|
ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
|
|
ssl_prefer_server_ciphers = no
|
|
ssl_options = no_compression no_ticket
|
|
{% else %}
|
|
disable_plaintext_auth = no
|
|
ssl = no
|
|
{% endif %}
|
|
|
|
passdb {
|
|
driver = lua
|
|
args = file=/etc/dovecot/login.lua blocking=yes
|
|
}
|
|
|
|
service auth-worker {
|
|
user = dovenull
|
|
group = dovenull
|
|
unix_listener auth-worker {
|
|
}
|
|
}
|
|
|
|
service anvil {
|
|
unix_listener anvil-auth-penalty {
|
|
mode = 0
|
|
}
|
|
}
|
|
|
|
service managesieve-login {
|
|
executable = managesieve-login
|
|
inet_listener sieve {
|
|
port = 4190
|
|
{%- if PROXY_PROTOCOL in ['all', 'all-but-http', 'mail'] %}
|
|
haproxy = yes
|
|
{% endif %}
|
|
}
|
|
inet_listener sieve-webmail {
|
|
port = 14190
|
|
}
|
|
}
|
|
|
|
protocol imap {
|
|
mail_max_userip_connections = 20
|
|
imap_idle_notify_interval = 29mins
|
|
}
|
|
|
|
service imap-login {
|
|
inet_listener imap {
|
|
port = 143
|
|
{%- if PROXY_PROTOCOL in ['all', 'all-but-http', 'mail'] %}
|
|
haproxy = yes
|
|
{% endif %}
|
|
}
|
|
inet_listener imaps {
|
|
port = 993
|
|
{%- if TLS %}
|
|
ssl = yes
|
|
{% endif %}
|
|
{%- if PROXY_PROTOCOL in ['all', 'all-but-http', 'mail'] %}
|
|
haproxy = yes
|
|
{% endif %}
|
|
}
|
|
inet_listener imap-webmail {
|
|
port = 10143
|
|
}
|
|
}
|
|
|
|
service pop3-login {
|
|
inet_listener pop3 {
|
|
port = 110
|
|
{%- if PROXY_PROTOCOL in ['all', 'all-but-http', 'mail'] %}
|
|
haproxy = yes
|
|
{% endif %}
|
|
}
|
|
inet_listener pop3s {
|
|
port = 995
|
|
{%- if TLS %}
|
|
ssl = yes
|
|
{% endif %}
|
|
{%- if PROXY_PROTOCOL in ['all', 'all-but-http', 'mail'] %}
|
|
haproxy = yes
|
|
{% endif %}
|
|
}
|
|
}
|
|
|
|
recipient_delimiter = {{ RECIPIENT_DELIMITER }}
|
|
service lmtp {
|
|
user = $default_internal_user
|
|
inet_listener lmtp {
|
|
port = 2525
|
|
}
|
|
}
|
|
|
|
service submission-login {
|
|
inet_listener submission {
|
|
port = 587
|
|
{%- if PROXY_PROTOCOL in ['all', 'all-but-http', 'mail'] %}
|
|
haproxy = yes
|
|
{% endif %}
|
|
}
|
|
inet_listener submissions {
|
|
port = 465
|
|
{%- if TLS %}
|
|
ssl = yes
|
|
{% endif %}
|
|
{%- if PROXY_PROTOCOL in ['all', 'all-but-http', 'mail'] %}
|
|
haproxy = yes
|
|
{% endif %}
|
|
}
|
|
inet_listener submission-webmail {
|
|
port = 10025
|
|
}
|
|
}
|