Stalwart: Difference between revisions

(6 intermediate revisions by one other user not shown)

Line 29:

bind = "[::]:465";

protocol = "smtp";

tls.implicit = true

tls.implicit = true;

};

imaps = {

bind = "[::]:993";

protocol = "imap";

tls.implicit = true

tls.implicit = true;

};

jmap = {

Line 222:

_25._tcp.mx1.example.org. 10800 IN RRSIG TLSA 13 5 10800 20230601000000 20230511000000 39688 example.org. He9VYZ35xTC3fNo8GJa6swPrZodSnjjIWPG6Th2YbsOEKTV1E8eGtJ2A +eyBd9jgG+B3cA/jw8EJHmpvy/buCw==

=== Running behind reverse proxy ===

When running behind a load balancer or reverse proxy, Stalwart will not be able to see the "real" sender IP-addresses of incoming mails in case of simple port forwarding. [[HAProxy]] or Proxy Protocol solves this problem and should be used on the reverse proxy server to forward SMTP traffic. Stalwart will start parsing the Proxy Protocol packages if correctly configured on the listener.{{file|||3=services.stalwart-mail = {

settings = {

server = {

listener = {

smtp = {

protocol = "smtp";

bind = "[::]:25";

proxy.trusted-networks = [

"10.250.0.1/32"

"fdc9:281f:4d7:9ee9::1/128"

];

};

[...]

};

};|name=/etc/nixos/configuration.nix|lang=nix}}In this example we set <code>proxy.trusted-networks</code> with an array of the gateway IP-addresses in the <code>smtp</code> listener section.

== Configuration ==

Line 254:

Line 272:

Following script is a possible workaounrd. It extracts the ACME cert every five minute, calculates the TLSA hash and compares it with the upstream record. If it doesn't match, it uses [https://github.com/Stenstromen/gotlsaflare gotlsaflare] to update the TLSA record on Cloudflare.

~~{{file|/etc/~~nixos~~/configuration.nix|nix|3=~~

systemd.services.tlsa-cloudflare-update = {

description = "Check and update TLSA/DANE record for mx1 from Stalwart ACME Cert";

Line 271:

Line 289:

User = "stalwart-mail";

Group = "stalwart-mail";

EnvironmentFile = config.age.secrets.~~stalwart-mail~~-cloudflare-~~secret~~.path;

EnvironmentFile = config.age.secrets.gotlsaflare-cloudflare-token.path;

RuntimeDirectory = "stalwart-tlsa";

};

environment = {

DOMAIN = "example.org";

SUBDOMAIN = "mail";

PORT = "25";

ACME_PROVIDER_ID = "cloudflare";

};

path = with pkgs; [

bash

Line 288:

Line 311:

set -eu

~~DOMAIN="example.org"~~

~~SUBDOMAIN="mail"~~

~~PORT="25"~~

~~ACME_PROVIDER_ID="cloudflare"~~

TLSA_RECORD="_$PORT._tcp.$SUBDOMAIN.$DOMAIN"

DB_PATH="/var/lib/stalwart-mail/db"

Line 339:

Line 358:

};

}}

</syntaxhighlight>

Adapt the variables <code>DOMAIN</code>, <code>SUBDOMAIN</code>, and <code>PORT</code> according to your needs. The variable <code>ACME_PROVIDER_ID</code> corresponds to the ACME profile name you've setup in the Stalwart webadmin interface. <code>EnvironmentFile</code> points to a file containing the secret Cloudflare api token in the format: TOKEN=12345678[...].

=== Sending from subaddresses ===

Receiving mails to subaddresses like <code>john+secondary@example.org</code> is enabled by default. Sending from subaddresses will fail with "You are not allowed to send from this address" as long as they are not an configured alias address. You can disable this check but it will allow any authenticated user to send from any other address.

{{file|/etc/nixos/configuration.nix|nix|3=services.stalwart-mail = {

settings = {

[...]

session.auth.must-match-sender = false;

};

};}}

A configuration option to customize the pattern of authorized sender addresses is a [https://github.com/stalwartlabs/stalwart/issues/394#issuecomment-3705990056 planned feature].

=== Test mail server ===

You can use several online tools to test your mail server configuration:

@@ Line 29: / Line 29: @@
            bind = "[::]:465";
            protocol = "smtp";
-           tls.implicit = true
+           tls.implicit = true;
          };
          imaps = {
            bind = "[::]:993";
            protocol = "imap";
-           tls.implicit = true
+           tls.implicit = true;
          };
          jmap = {
@@ Line 222: / Line 222: @@
   _25._tcp.mx1.example.org. 10800 IN RRSIG	TLSA 13 5 10800 20230601000000 20230511000000 39688 example.org. He9VYZ35xTC3fNo8GJa6swPrZodSnjjIWPG6Th2YbsOEKTV1E8eGtJ2A +eyBd9jgG+B3cA/jw8EJHmpvy/buCw==
+=== Running behind reverse proxy ===
+When running behind a load balancer or reverse proxy, Stalwart will not be able to see the "real" sender IP-addresses of incoming mails in case of simple port forwarding. [[HAProxy]] or Proxy Protocol solves this problem and should be used on the reverse proxy server to forward SMTP traffic. Stalwart will start parsing the Proxy Protocol packages if correctly configured on the listener.{{file|||3=services.stalwart-mail = {
+  settings = {
+    server = {
+      listener = {
+        smtp = {
+          protocol = "smtp";
+          bind = "[::]:25";
+          proxy.trusted-networks = [
+            "10.250.0.1/32"
+            "fdc9:281f:4d7:9ee9::1/128"
+          ];
+        };
+        [...]
+      };
+    };
+  };
+};|name=/etc/nixos/configuration.nix|lang=nix}}In this example we set <code>proxy.trusted-networks</code> with an array of the gateway IP-addresses in the <code>smtp</code> listener section.
 == Configuration ==
@@ Line 254: / Line 272: @@
 Following script is a possible workaounrd. It extracts the ACME cert every five minute, calculates the TLSA hash and compares it with the upstream record. If it doesn't match, it uses [https://github.com/Stenstromen/gotlsaflare gotlsaflare] to update the TLSA record on Cloudflare.
-{{file|/etc/nixos/configuration.nix|nix|3=
+<syntaxhighlight lang="nixos">
 systemd.services.tlsa-cloudflare-update = {
    description = "Check and update TLSA/DANE record for mx1 from Stalwart ACME Cert";
@@ Line 271: / Line 289: @@
      User = "stalwart-mail";
      Group = "stalwart-mail";
-     EnvironmentFile = config.age.secrets.stalwart-mail-cloudflare-secret.path;
+     EnvironmentFile = config.age.secrets.gotlsaflare-cloudflare-token.path;
      RuntimeDirectory = "stalwart-tlsa";
    };
+  environment = {
+    DOMAIN = "example.org";
+    SUBDOMAIN = "mail";
+    PORT = "25";
+    ACME_PROVIDER_ID = "cloudflare";
+  };
    path = with pkgs; [
      bash
@@ Line 288: / Line 311: @@
      set -eu
-    DOMAIN="example.org"
-    SUBDOMAIN="mail"
-    PORT="25"
-    ACME_PROVIDER_ID="cloudflare"
      TLSA_RECORD="_$PORT._tcp.$SUBDOMAIN.$DOMAIN"
      DB_PATH="/var/lib/stalwart-mail/db"
@@ Line 339: / Line 358: @@
    };
 };
-}}
+</syntaxhighlight>
+Adapt the variables <code>DOMAIN</code>, <code>SUBDOMAIN</code>, and <code>PORT</code> according to your needs. The variable <code>ACME_PROVIDER_ID</code> corresponds to the ACME profile name you've setup in the Stalwart webadmin interface. <code>EnvironmentFile</code> points to a file containing the secret Cloudflare api token in the format: TOKEN=12345678[...].
+=== Sending from subaddresses ===
+Receiving mails to subaddresses like <code>john+secondary@example.org</code> is enabled by default. Sending from subaddresses will fail with "You are not allowed to send from this address" as long as they are not an configured alias address. You can disable this check but it will allow any authenticated user to send from any other address.
+{{file|/etc/nixos/configuration.nix|nix|3=services.stalwart-mail = {
+  settings = {
+    [...]
+    session.auth.must-match-sender = false;
+  };
+};}}
+A configuration option to customize the pattern of authorized sender addresses is a [https://github.com/stalwartlabs/stalwart/issues/394#issuecomment-3705990056 planned feature].
 === Test mail server ===
 You can use several online tools to test your mail server configuration: