feat: add SMTP submission listener and enhance stalwart configuration (#425)

- add SMTP submission listener on port 587 with TLS requirement
- configure HAProxy frontend/backend for submission with send-proxy-v2 support
- add send-proxy-v2 support to all listeners
- add dynamic HAProxy node discovery for proxy trusted networks
- use service hostname instead of node FQDN for autoconfig/autodiscover
- remove redundant IMAP/IMAPS/SMTP alt-names from TLS certificates
- update VRRP CNAME configuration to use mail.main.unkin.net

Reviewed-on: #425
2025-11-09 18:48:06 +11:00
parent 35614060bd
commit 9eff241003
7 changed files with 112 additions and 9 deletions
@@ -13,8 +13,7 @@ profiles::haproxy::dns::vrrp_cnames:
- dashboard.ceph.unkin.net
- mail-webadmin.main.unkin.net
- mail-in.main.unkin.net
- imap.main.unkin.net
- imaps.main.unkin.net
- mail.main.unkin.net
- autoconfig.main.unkin.net
- autodiscover.main.unkin.net
@@ -333,7 +332,7 @@ profiles::haproxy::backends:
stick-table: 'type ip size 200k expire 30m'
stick: 'on src'
tcp-check:
- connect port 143
- connect port 143 send-proxy
- expect string "* OK"
- send "A001 STARTTLS\r\n"
- expect rstring "A001 (OK|2.0.0)"
@@ -349,7 +348,7 @@ profiles::haproxy::backends:
stick-table: 'type ip size 200k expire 30m'
stick: 'on src'
tcp-check:
- connect ssl
- connect ssl send-proxy
- expect string "* OK"
be_stalwart_smtp:
description: Backend for Stalwart SMTP
@@ -363,7 +362,21 @@ profiles::haproxy::backends:
stick-table: 'type ip size 200k expire 30m'
stick: 'on src'
tcp-check:
- connect port 25
- connect port 25 send-proxy
- expect string "220 "
be_stalwart_submission:
description: Backend for Stalwart SMTP Submission
collect_exported: false
options:
mode: tcp
balance: roundrobin
option:
- tcp-check
- prefer-last-server
stick-table: 'type ip size 200k expire 30m'
stick: 'on src'
tcp-check:
- connect port 587 send-proxy
- expect string "220 "
profiles::haproxy::certlist::enabled: true
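Review bot: The new be_stalwart_submission health check stops at the `220 ` banner, while the IMAP backend earlier in this section goes on to send STARTTLS and checks the reply; since the submission listener is meant to require TLS, a node whose TLS side is broken would still pass this probe and stay in rotation. Consider extending the tcp-check the way the IMAP one does, e.g. `- send "EHLO haproxy-check\r\n"` followed by `- expect rstring "250[ -]STARTTLS"`. The same banner-only check applies to be_stalwart_smtp above, though for port 25 STARTTLS is optional so it matters less there. This rendering has lost the +/- markers, so which of the `connect port 25` lines is the old one is inferred from the commit description rather than marked.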
+11
@@ -196,6 +196,17 @@ profiles::haproxy::frontends:
tcp-request:
- inspect-delay 5s
- content accept if { req_len 0 }
fe_submission:
description: 'Frontend for Stalwart SMTP Submission'
bind:
0.0.0.0:587: []
mode: 'tcp'
options:
log: global
default_backend: be_stalwart_submission
tcp-request:
- inspect-delay 5s
- content accept if { req_len 0 }
profiles::haproxy::backends:
be_letsencrypt:
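Review bot: fe_submission binds only `0.0.0.0:587`, i.e. IPv4; whether the other frontends in this file also bind a v6 address is not visible here, so if they do the submission port would be silently unreachable over IPv6, and either way a one-line comment on the bind stating the intent would help. The stanza also mixes quoting styles (`description` and `mode: 'tcp'` quoted, `log: global` and `default_backend` plain); none of these values is ambiguous to YAML, so quote consistently or drop the quotes. The `content accept if { req_len 0 }` rule after `inspect-delay 5s` accepts the connection without having read any client bytes, which is what a server-speaks-first protocol like SMTP needs, but that reasoning is not obvious from the rule itself; suggest `# SMTP is server-speaks-first: accept without waiting for client data` above the tcp-request list.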
+1 -3
@@ -8,9 +8,6 @@ hiera_include:
profiles::pki::vault::alt_names:
- mail.main.unkin.net
- mail-webadmin.main.unkin.net
- imap.main.unkin.net
- imaps.main.unkin.net
- smtp.main.unkin.net
- main-in.main.unkin.net
- autoconfig.main.unkin.net
- autodiscovery.main.unkin.net
@@ -41,6 +38,7 @@ stalwart::s3_region: "%{facts.region}"
stalwart::domains:
- 'mail.unkin.net'
stalwart::postfix_relay_host: 'out-mta.main.unkin.net'
stalwart::service_hostname: 'mail.main.unkin.net'
stalwart::manage_dns_records: false
## With load balancer: