feat: add SMTP submission listener and enhance stalwart configuration (#425)
- add SMTP submission listener on port 587 with TLS requirement - configure HAProxy frontend/backend for submission with send-proxy-v2 support - add send-proxy-v2 support to all listeners - add dynamic HAProxy node discovery for proxy trusted networks - use service hostname instead of node FQDN for autoconfig/autodiscover - remove redundant IMAP/IMAPS/SMTP alt-names from TLS certificates - update VRRP CNAME configuration to use mail.main.unkin.net Reviewed-on: #425
This commit was merged in pull request #425.
@@ -2,7 +2,7 @@
|
||||
# Generated by Puppet - DO NOT EDIT MANUALLY
|
||||
|
||||
[server]
|
||||
hostname = "<%= $node_facts['networking']['fqdn'] %>"
|
||||
hostname = "<%= $service_hostname %>"
|
||||
greeting = "Stalwart ESMTP"
|
||||
|
||||
[server.listener."smtp-relay"]
|
||||
@@ -10,10 +10,33 @@ bind = ["<%= $bind_address %>:25"]
|
||||
protocol = "smtp"
|
||||
greeting = "Stalwart SMTP Relay"
|
||||
|
||||
<% if !$haproxy_ips.empty { -%>
|
||||
[server.listener."smtp-relay".proxy]
|
||||
trusted-networks = ["127.0.0.0/8", "::1"<% $haproxy_ips.each |$ip| { %>, "<%= $ip %>"<% } %>]
|
||||
<% } -%>
|
||||
|
||||
<% if $enable_smtp_submission { -%>
|
||||
[server.listener."submission"]
|
||||
bind = ["<%= $bind_address %>:587"]
|
||||
protocol = "smtp"
|
||||
greeting = "Stalwart SMTP Submission"
|
||||
tls.require = true
|
||||
|
||||
<% if !$haproxy_ips.empty { -%>
|
||||
[server.listener."submission".proxy]
|
||||
trusted-networks = ["127.0.0.0/8", "::1"<% $haproxy_ips.each |$ip| { %>, "<%= $ip %>"<% } %>]
|
||||
<% } -%>
|
||||
<% } -%>
|
||||
|
||||
<% if $enable_imap { -%>
|
||||
[server.listener."imap"]
|
||||
bind = ["<%= $bind_address %>:143"]
|
||||
protocol = "imap"
|
||||
|
||||
<% if !$haproxy_ips.empty { -%>
|
||||
[server.listener."imap".proxy]
|
||||
trusted-networks = ["127.0.0.0/8", "::1"<% $haproxy_ips.each |$ip| { %>, "<%= $ip %>"<% } %>]
|
||||
<% } -%>
|
||||
<% } -%>
|
||||
|
||||
<% if $enable_imap_tls { -%>
|
||||
@@ -21,6 +44,11 @@ protocol = "imap"
|
||||
bind = ["<%= $bind_address %>:993"]
|
||||
protocol = "imap"
|
||||
tls.implicit = true
|
||||
|
||||
<% if !$haproxy_ips.empty { -%>
|
||||
[server.listener."imaps".proxy]
|
||||
trusted-networks = ["127.0.0.0/8", "::1"<% $haproxy_ips.each |$ip| { %>, "<%= $ip %>"<% } %>]
|
||||
<% } -%>
|
||||
<% } -%>
|
||||
|
||||
<% if $enable_http { -%>
|
||||
@@ -28,6 +56,11 @@ tls.implicit = true
|
||||
bind = ["<%= $bind_address %>:443"]
|
||||
protocol = "http"
|
||||
tls.implicit = true
|
||||
|
||||
<% if !$haproxy_ips.empty { -%>
|
||||
[server.listener."https".proxy]
|
||||
trusted-networks = ["127.0.0.0/8", "::1"<% $haproxy_ips.each |$ip| { %>, "<%= $ip %>"<% } %>]
|
||||
<% } -%>
|
||||
<% } -%>
|
||||
|
||||
[server.tls]
|
||||
@@ -35,6 +68,7 @@ enable = true
|
||||
implicit = false
|
||||
certificate = "default"
|
||||
|
||||
|
||||
[webadmin]
|
||||
path = "<%= $webadmin_unpack_path %>"
|
||||
auto-update = <%= $webadmin_auto_update %>
|
||||
@@ -167,6 +201,12 @@ directory = "internal"
|
||||
[imap.protocol]
|
||||
max-requests = 64
|
||||
|
||||
# Inbound rate limiting
|
||||
[[queue.limiter.inbound]]
|
||||
key = ["remote_ip"]
|
||||
rate = "500/1s"
|
||||
enable = true
|
||||
|
||||
# SMTP configuration for postfix relay
|
||||
[session.data]
|
||||
pipe.command = "sendmail"
|
||||
@@ -212,6 +252,7 @@ max-message-size = 52428800
|
||||
[certificate."default"]
|
||||
cert = "%{file:<%= $tls_cert %>}%"
|
||||
private-key = "%{file:<%= $tls_key %>}%"
|
||||
default = true
|
||||
|
||||
# Logging configuration
|
||||
[tracer]
|
||||
|
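Review bot: The new `submission` listener in the hunk at `@@ -10,10 +10,33 @@` enforces TLS with `tls.require = true`, but nothing visible ties port 587 to mandatory authentication; whether `[session.auth]` requires auth for the `submission` listener lies outside these hunks, so it should be confirmed and recorded with a comment above the header, e.g. `# MSA port: TLS enforced here, authentication enforced in [session.auth]`. I also could not confirm from this page that `tls.require` is a recognised listener key in the deployed Stalwart release, so it is worth checking against the configuration validator rather than risking a silently ignored key. The `[server.listener."<name>".proxy]` block with its `trusted-networks` array is now copied for five listeners (smtp-relay, submission, imap, imaps, https); building the list once in a template variable near the top of the EPP file and emitting it from a single place would keep the copies from drifting. Since every address in `$haproxy_ips` is trusted to supply PROXY-protocol headers, the node discovery that fills it must only return the load-balancer hosts, and the `remote_ip`-keyed `[[queue.limiter.inbound]]` presumably rates on the proxied client address — a comment on the `trusted-networks` line stating that dependency would help the next maintainer.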
||||