feat: add SMTP submission listener and enhance stalwart configuration
Build / precommit (pull_request) Successful in 5m1s

- add SMTP submission listener on port 587 with TLS requirement
- configure HAProxy frontend/backend for submission with send-proxy-v2 support
- add send-proxy-v2 support to all listeners
- add dynamic HAProxy node discovery for proxy trusted networks
- use service hostname instead of node FQDN for autoconfig/autodiscover
- remove redundant IMAP/IMAPS/SMTP alt-names from TLS certificates
- update VRRP CNAME configuration to use mail.main.unkin.net
This commit is contained in:
2025-11-09 14:07:49 +11:00
parent 35614060bd
commit 368a8a5e89
7 changed files with 112 additions and 9 deletions
+42 -1
View File
@@ -2,7 +2,7 @@
# Generated by Puppet - DO NOT EDIT MANUALLY
[server]
hostname = "<%= $node_facts['networking']['fqdn'] %>"
hostname = "<%= $service_hostname %>"
greeting = "Stalwart ESMTP"
[server.listener."smtp-relay"]
@@ -10,10 +10,33 @@ bind = ["<%= $bind_address %>:25"]
protocol = "smtp"
greeting = "Stalwart SMTP Relay"
<% if !$haproxy_ips.empty { -%>
[server.listener."smtp-relay".proxy]
trusted-networks = ["127.0.0.0/8", "::1"<% $haproxy_ips.each |$ip| { %>, "<%= $ip %>"<% } %>]
<% } -%>
<% if $enable_smtp_submission { -%>
[server.listener."submission"]
bind = ["<%= $bind_address %>:587"]
protocol = "smtp"
greeting = "Stalwart SMTP Submission"
tls.require = true
<% if !$haproxy_ips.empty { -%>
[server.listener."submission".proxy]
trusted-networks = ["127.0.0.0/8", "::1"<% $haproxy_ips.each |$ip| { %>, "<%= $ip %>"<% } %>]
<% } -%>
<% } -%>
<% if $enable_imap { -%>
[server.listener."imap"]
bind = ["<%= $bind_address %>:143"]
protocol = "imap"
<% if !$haproxy_ips.empty { -%>
[server.listener."imap".proxy]
trusted-networks = ["127.0.0.0/8", "::1"<% $haproxy_ips.each |$ip| { %>, "<%= $ip %>"<% } %>]
<% } -%>
<% } -%>
<% if $enable_imap_tls { -%>
@@ -21,6 +44,11 @@ protocol = "imap"
bind = ["<%= $bind_address %>:993"]
protocol = "imap"
tls.implicit = true
<% if !$haproxy_ips.empty { -%>
[server.listener."imaps".proxy]
trusted-networks = ["127.0.0.0/8", "::1"<% $haproxy_ips.each |$ip| { %>, "<%= $ip %>"<% } %>]
<% } -%>
<% } -%>
<% if $enable_http { -%>
@@ -28,6 +56,11 @@ tls.implicit = true
bind = ["<%= $bind_address %>:443"]
protocol = "http"
tls.implicit = true
<% if !$haproxy_ips.empty { -%>
[server.listener."https".proxy]
trusted-networks = ["127.0.0.0/8", "::1"<% $haproxy_ips.each |$ip| { %>, "<%= $ip %>"<% } %>]
<% } -%>
<% } -%>
[server.tls]
@@ -35,6 +68,7 @@ enable = true
implicit = false
certificate = "default"
[webadmin]
path = "<%= $webadmin_unpack_path %>"
auto-update = <%= $webadmin_auto_update %>
@@ -167,6 +201,12 @@ directory = "internal"
[imap.protocol]
max-requests = 64
# Inbound rate limiting
[[queue.limiter.inbound]]
key = ["remote_ip"]
rate = "500/1s"
enable = true
# SMTP configuration for postfix relay
[session.data]
pipe.command = "sendmail"
@@ -212,6 +252,7 @@ max-message-size = 52428800
[certificate."default"]
cert = "%{file:<%= $tls_cert %>}%"
private-key = "%{file:<%= $tls_key %>}%"
default = true
# Logging configuration
[tracer]