feat: add SMTP submission listener and enhance stalwart configuration (#425)

- add SMTP submission listener on port 587 with TLS requirement
- configure HAProxy frontend/backend for submission with send-proxy-v2 support
- add send-proxy-v2 support to all listeners
- add dynamic HAProxy node discovery for proxy trusted networks
- use service hostname instead of node FQDN for autoconfig/autodiscover
- remove redundant IMAP/IMAPS/SMTP alt-names from TLS certificates
- update VRRP CNAME configuration to use mail.main.unkin.net

Reviewed-on: #425
This commit was merged in pull request #425.
This commit is contained in:
2025-11-09 18:48:06 +11:00
parent 35614060bd
commit 9eff241003
7 changed files with 112 additions and 9 deletions
+3
View File
@@ -29,6 +29,7 @@ class stalwart::config {
content => epp('stalwart/config.toml.epp', {
'cluster_size' => $stalwart::cluster_size,
'other_cluster_members' => $stalwart::other_cluster_members,
'haproxy_ips' => $stalwart::haproxy_ips,
'effective_node_id' => $stalwart::effective_node_id,
'bind_address' => $stalwart::bind_address,
'advertise_address' => $stalwart::advertise_address,
@@ -49,10 +50,12 @@ class stalwart::config {
'enable_imap' => $stalwart::enable_imap,
'enable_imap_tls' => $stalwart::enable_imap_tls,
'enable_http' => $stalwart::enable_http,
'enable_smtp_submission' => $stalwart::enable_smtp_submission,
'data_dir' => $stalwart::data_dir,
'tls_cert' => $stalwart::tls_cert,
'tls_key' => $stalwart::tls_key,
'log_level' => $stalwart::log_level,
'service_hostname' => $stalwart::service_hostname,
'fallback_admin_user' => $stalwart::fallback_admin_user,
'fallback_admin_password' => $stalwart::fallback_admin_password,
'webadmin_unpack_path' => $stalwart::webadmin_unpack_path,
+20
View File
@@ -86,6 +86,15 @@
# @param enable_smtp_relay
# Enable SMTP for postfix relay communication
#
# @param enable_smtp_submission
# Enable SMTP submission listener on port 587
#
# @param haproxy_role
# Role name for HAProxy nodes to include in proxy trusted networks
#
# @param service_hostname
# Service hostname used for autoconfig/autodiscover and SMTP greeting
#
# @param package_ensure
# Package version to install
#
@@ -133,6 +142,9 @@ class stalwart (
Boolean $enable_imap_tls = true,
Boolean $enable_http = true,
Boolean $enable_smtp_relay = true,
Boolean $enable_smtp_submission = true,
String $haproxy_role = 'roles::infra::halb::haproxy2',
Stdlib::Fqdn $service_hostname = $facts['networking']['fqdn'],
String $package_ensure = 'present',
Stdlib::Absolutepath $config_dir = '/opt/stalwart/etc',
Stdlib::Absolutepath $data_dir = '/var/lib/stalwart',
@@ -166,6 +178,14 @@ class stalwart (
$other_cluster_members = $sorted_cluster_members.filter |$member| { $member != $my_fqdn }
$cluster_size = length($sorted_cluster_members)
# Query HAProxy nodes for proxy trusted networks
$haproxy_query = "enc_role='${haproxy_role}' and country='${facts['country']}' and region='${facts['region']}'"
$haproxy_members_raw = query_nodes($haproxy_query, 'networking.ip')
$haproxy_ips = $haproxy_members_raw ? {
undef => [],
default => sort($haproxy_members_raw),
}
# Extract last 4 digits from hostname (e.g., ausyd1nxvm1234 -> 1234)
if $hostname =~ /^.*(\d{4})$/ {
$hostname_digits = $1