Ben Vincent
9eff241003
- add SMTP submission listener on port 587 with TLS requirement - configure HAProxy frontend/backend for submission with send-proxy-v2 support - add send-proxy-v2 support to all listeners - add dynamic HAProxy node discovery for proxy trusted networks - use service hostname instead of node FQDN for autoconfig/autodiscover - remove redundant IMAP/IMAPS/SMTP alt-names from TLS certificates - update VRRP CNAME configuration to use mail.main.unkin.net Reviewed-on: #425
297 lines
6.1 KiB
Plaintext
297 lines
6.1 KiB
Plaintext
# Stalwart Mail Server Configuration
|
|
# Generated by Puppet - DO NOT EDIT MANUALLY
|
|
|
|
[server]
|
|
hostname = "<%= $service_hostname %>"
|
|
greeting = "Stalwart ESMTP"
|
|
|
|
[server.listener."smtp-relay"]
|
|
bind = ["<%= $bind_address %>:25"]
|
|
protocol = "smtp"
|
|
greeting = "Stalwart SMTP Relay"
|
|
|
|
<% if !$haproxy_ips.empty { -%>
|
|
[server.listener."smtp-relay".proxy]
|
|
trusted-networks = ["127.0.0.0/8", "::1"<% $haproxy_ips.each |$ip| { %>, "<%= $ip %>"<% } %>]
|
|
<% } -%>
|
|
|
|
<% if $enable_smtp_submission { -%>
|
|
[server.listener."submission"]
|
|
bind = ["<%= $bind_address %>:587"]
|
|
protocol = "smtp"
|
|
greeting = "Stalwart SMTP Submission"
|
|
tls.require = true
|
|
|
|
<% if !$haproxy_ips.empty { -%>
|
|
[server.listener."submission".proxy]
|
|
trusted-networks = ["127.0.0.0/8", "::1"<% $haproxy_ips.each |$ip| { %>, "<%= $ip %>"<% } %>]
|
|
<% } -%>
|
|
<% } -%>
|
|
|
|
<% if $enable_imap { -%>
|
|
[server.listener."imap"]
|
|
bind = ["<%= $bind_address %>:143"]
|
|
protocol = "imap"
|
|
|
|
<% if !$haproxy_ips.empty { -%>
|
|
[server.listener."imap".proxy]
|
|
trusted-networks = ["127.0.0.0/8", "::1"<% $haproxy_ips.each |$ip| { %>, "<%= $ip %>"<% } %>]
|
|
<% } -%>
|
|
<% } -%>
|
|
|
|
<% if $enable_imap_tls { -%>
|
|
[server.listener."imaps"]
|
|
bind = ["<%= $bind_address %>:993"]
|
|
protocol = "imap"
|
|
tls.implicit = true
|
|
|
|
<% if !$haproxy_ips.empty { -%>
|
|
[server.listener."imaps".proxy]
|
|
trusted-networks = ["127.0.0.0/8", "::1"<% $haproxy_ips.each |$ip| { %>, "<%= $ip %>"<% } %>]
|
|
<% } -%>
|
|
<% } -%>
|
|
|
|
<% if $enable_http { -%>
|
|
[server.listener."https"]
|
|
bind = ["<%= $bind_address %>:443"]
|
|
protocol = "http"
|
|
tls.implicit = true
|
|
|
|
<% if !$haproxy_ips.empty { -%>
|
|
[server.listener."https".proxy]
|
|
trusted-networks = ["127.0.0.0/8", "::1"<% $haproxy_ips.each |$ip| { %>, "<%= $ip %>"<% } %>]
|
|
<% } -%>
|
|
<% } -%>
|
|
|
|
[server.tls]
|
|
enable = true
|
|
implicit = false
|
|
certificate = "default"
|
|
|
|
|
|
[webadmin]
|
|
path = "<%= $webadmin_unpack_path %>"
|
|
auto-update = <%= $webadmin_auto_update %>
|
|
resource = "<%= $webadmin_resource_url %>"
|
|
|
|
# Cluster Configuration
|
|
[cluster]
|
|
node-id = <%= $effective_node_id %>
|
|
|
|
<% if $cluster_size > 1 { -%>
|
|
# Peer-to-peer coordination
|
|
[cluster.coordinator]
|
|
type = "peer-to-peer"
|
|
addr = "<%= $bind_address %>:11200"
|
|
advertise-addr = "<%= $advertise_address %>:11200"
|
|
|
|
<% $other_cluster_members.each |$node| { -%>
|
|
[[cluster.coordinator.peers]]
|
|
addr = "<%= $node %>:11200"
|
|
<% } -%>
|
|
|
|
# Cluster roles for 3-node setup
|
|
[cluster.roles.purge]
|
|
stores = ["1", "2", "3"]
|
|
accounts = ["1", "2"]
|
|
|
|
[cluster.roles.acme]
|
|
renew = ["1"]
|
|
|
|
[cluster.roles.metrics]
|
|
calculate = ["1", "2"]
|
|
push = ["1"]
|
|
|
|
[cluster.roles.push-notifications]
|
|
push-notifications = ["1", "3"]
|
|
|
|
[cluster.roles.fts-indexing]
|
|
fts-indexing = ["2", "3"]
|
|
|
|
[cluster.roles.bayes-training]
|
|
bayes-training = ["1"]
|
|
|
|
[cluster.roles.imip-processing]
|
|
imip-processing = ["2"]
|
|
|
|
[cluster.roles.calendar-alerts]
|
|
calendar-alerts = ["3"]
|
|
<% } -%>
|
|
|
|
# Storage Configuration
|
|
|
|
# PostgreSQL store for data, FTS, and in-memory
|
|
[store."postgresql"]
|
|
type = "postgresql"
|
|
host = "<%= $postgresql_host %>"
|
|
port = <%= $postgresql_port %>
|
|
database = "<%= $postgresql_database %>"
|
|
user = "<%= $postgresql_user %>"
|
|
password = "<%= $postgresql_password %>"
|
|
timeout = "15s"
|
|
|
|
[store."postgresql".tls]
|
|
enable = <%= $postgresql_ssl %>
|
|
allow-invalid-certs = false
|
|
|
|
[store."postgresql".pool]
|
|
max-connections = 10
|
|
|
|
[store."postgresql".purge]
|
|
frequency = "0 3 *"
|
|
|
|
# S3/Ceph-RGW store for blobs
|
|
[store."s3"]
|
|
type = "s3"
|
|
bucket = "<%= $s3_bucket %>"
|
|
region = "<%= $s3_region %>"
|
|
access-key = "<%= $s3_access_key %>"
|
|
secret-key = "<%= $s3_secret_key %>"
|
|
endpoint = "<%= $s3_endpoint %>"
|
|
timeout = "30s"
|
|
key-prefix = "<%= $s3_key_prefix %>"
|
|
compression = "lz4"
|
|
|
|
[store."s3".purge]
|
|
frequency = "30 5 *"
|
|
|
|
# Storage assignment
|
|
[storage]
|
|
data = "postgresql"
|
|
fts = "postgresql"
|
|
blob = "s3"
|
|
lookup = "postgresql"
|
|
directory = "internal"
|
|
in-memory = "postgresql"
|
|
|
|
# Directory configuration
|
|
[directory.internal]
|
|
type = "internal"
|
|
store = "postgresql"
|
|
|
|
# Authentication configuration
|
|
[authentication.fallback-admin]
|
|
user = "<%= $fallback_admin_user %>"
|
|
secret = "<%= pw_hash($fallback_admin_password.unwrap, 'SHA-512', 'stalwart') %>"
|
|
|
|
[authentication]
|
|
[authentication.directory]
|
|
directories = ["internal"]
|
|
|
|
# Authorization configuration
|
|
[authorization]
|
|
directory = "internal"
|
|
|
|
# JMAP configuration
|
|
[jmap]
|
|
directory = "internal"
|
|
|
|
[jmap.protocol]
|
|
request-max-size = 10485760
|
|
get.max-objects = 500
|
|
query.max-results = 5000
|
|
changes.max-results = 5000
|
|
upload.max-size = 50000000
|
|
upload.ttl = "1h"
|
|
|
|
# IMAP configuration
|
|
[imap]
|
|
directory = "internal"
|
|
|
|
[imap.protocol]
|
|
max-requests = 64
|
|
|
|
# Inbound rate limiting
|
|
[[queue.limiter.inbound]]
|
|
key = ["remote_ip"]
|
|
rate = "500/1s"
|
|
enable = true
|
|
|
|
# SMTP configuration for postfix relay
|
|
[session.data]
|
|
pipe.command = "sendmail"
|
|
pipe.arguments = ["-i", "-f", "{sender}", "{recipient}"]
|
|
|
|
# Outbound SMTP configuration
|
|
[queue]
|
|
path = "<%= $data_dir %>/queue"
|
|
|
|
[queue.schedule]
|
|
retry = ["2s", "5s", "1m", "5m", "15m", "30m", "1h", "2h"]
|
|
notify = ["1d", "3d"]
|
|
expire = "5d"
|
|
|
|
[session.extensions]
|
|
future-release = "7d"
|
|
|
|
# Relay configuration for postfix
|
|
[remote."postfix"]
|
|
address = "<%= $postfix_relay_host %>"
|
|
port = 25
|
|
protocol = "smtp"
|
|
|
|
# HTTP configuration
|
|
[server.http]
|
|
use-x-forwarded = false
|
|
permissive-cors = false
|
|
|
|
# Disable spam filtering (handled by postfix)
|
|
[session.ehlo]
|
|
reject-non-fqdn = false
|
|
|
|
[session.rcpt]
|
|
type = "internal"
|
|
store = "postgresql"
|
|
max-recipients = 25
|
|
|
|
[session.data]
|
|
max-messages = 10
|
|
max-message-size = 52428800
|
|
|
|
# TLS configuration
|
|
[certificate."default"]
|
|
cert = "%{file:<%= $tls_cert %>}%"
|
|
private-key = "%{file:<%= $tls_key %>}%"
|
|
default = true
|
|
|
|
# Logging configuration
|
|
[tracer]
|
|
type = "log"
|
|
level = "<%= $log_level %>"
|
|
ansi = false
|
|
multiline = true
|
|
|
|
[tracer.file]
|
|
path = "/var/log/stalwart/stalwart.log"
|
|
rotate = "daily"
|
|
keep = 30
|
|
|
|
# Report storage
|
|
[report]
|
|
path = "<%= $data_dir %>/reports"
|
|
hash = "sha256"
|
|
encrypt = false
|
|
|
|
# Metrics configuration
|
|
[metrics]
|
|
prometheus.enable = true
|
|
prometheus.port = 9090
|
|
|
|
# Queue routing configuration
|
|
[queue.strategy]
|
|
route = [ { if = "is_local_domain('', rcpt_domain)", then = "'local'" },
|
|
{ else = "'relay'" } ]
|
|
|
|
[queue.route."local"]
|
|
type = "local"
|
|
|
|
[queue.route."relay"]
|
|
type = "relay"
|
|
address = "<%= $postfix_relay_host %>"
|
|
port = 25
|
|
protocol = "smtp"
|
|
|
|
[queue.route."relay".tls]
|
|
implicit = false
|
|
allow-invalid-certs = false
|