Stalwart: Difference between revisions

(4 intermediate revisions by 2 users not shown)

Line 29:

bind = "[::]:465";

protocol = "smtp";

tls.implicit = true

tls.implicit = true;

};

imaps = {

bind = "[::]:993";

protocol = "imap";

tls.implicit = true

tls.implicit = true;

};

jmap = {

Line 222:

_25._tcp.mx1.example.org. 10800 IN RRSIG TLSA 13 5 10800 20230601000000 20230511000000 39688 example.org. He9VYZ35xTC3fNo8GJa6swPrZodSnjjIWPG6Th2YbsOEKTV1E8eGtJ2A +eyBd9jgG+B3cA/jw8EJHmpvy/buCw==

=== Running behind reverse proxy ===

When running behind a load balancer or reverse proxy, Stalwart will not be able to see the "real" sender IP-addresses of incoming mails in case of simple port forwarding. [[HAProxy]] or Proxy Protocol solves this problem and should be used on the reverse proxy server to forward SMTP traffic. Stalwart will start parsing the Proxy Protocol packages if correctly configured on the listener.{{file|||3=services.stalwart-mail = {

settings = {

server = {

listener = {

smtp = {

protocol = "smtp";

bind = "[::]:25";

proxy.trusted-networks = [

"10.250.0.1/32"

"fdc9:281f:4d7:9ee9::1/128"

];

};

[...]

};

};|name=/etc/nixos/configuration.nix|lang=nix}}In this example we set <code>proxy.trusted-networks</code> with an array of the gateway IP-addresses in the <code>smtp</code> listener section.

== Configuration ==

Line 344:

Line 362:

Adapt the variables <code>DOMAIN</code>, <code>SUBDOMAIN</code>, and <code>PORT</code> according to your needs. The variable <code>ACME_PROVIDER_ID</code> corresponds to the ACME profile name you've setup in the Stalwart webadmin interface. <code>EnvironmentFile</code> points to a file containing the secret Cloudflare api token in the format: TOKEN=12345678[...].

=== Sending from subaddresses ===

Receiving mails to subaddresses like <code>john+secondary@example.org</code> is enabled by default. Sending from subaddresses will fail with "You are not allowed to send from this address" as long as they are not an configured alias address. You can disable this check but it will allow any authenticated user to send from any other address.

{{file|/etc/nixos/configuration.nix|nix|3=services.stalwart-mail = {

settings = {

[...]

session.auth.must-match-sender = false;

};

};}}

A configuration option to customize the pattern of authorized sender addresses is a [https://github.com/stalwartlabs/stalwart/issues/394#issuecomment-3705990056 planned feature].

=== Test mail server ===

You can use several online tools to test your mail server configuration:

* [https://en.internet.nl/test-mail en.internet.nl/test-mail]: Test your mail server configuration for validity and security.

* [https://www.hardenize.com/ hardenize.com]: Test your mail server configuration for validity and security. Checks DANE validity even when not all MX servers support DANE.

* [https://www.mail-tester.com mail-tester.com]: Send a mail to this service and get a rating about the "spaminess" of your mail server.

* Send a mail to the echo server <code>echo@univie.ac.at</code>. You should receive a response containing your message in several seconds.

@@ Line 29: / Line 29: @@
            bind = "[::]:465";
            protocol = "smtp";
-           tls.implicit = true
+           tls.implicit = true;
          };
          imaps = {
            bind = "[::]:993";
            protocol = "imap";
-           tls.implicit = true
+           tls.implicit = true;
          };
          jmap = {
@@ Line 222: / Line 222: @@
   _25._tcp.mx1.example.org. 10800 IN RRSIG	TLSA 13 5 10800 20230601000000 20230511000000 39688 example.org. He9VYZ35xTC3fNo8GJa6swPrZodSnjjIWPG6Th2YbsOEKTV1E8eGtJ2A +eyBd9jgG+B3cA/jw8EJHmpvy/buCw==
+=== Running behind reverse proxy ===
+When running behind a load balancer or reverse proxy, Stalwart will not be able to see the "real" sender IP-addresses of incoming mails in case of simple port forwarding. [[HAProxy]] or Proxy Protocol solves this problem and should be used on the reverse proxy server to forward SMTP traffic. Stalwart will start parsing the Proxy Protocol packages if correctly configured on the listener.{{file|||3=services.stalwart-mail = {
+  settings = {
+    server = {
+      listener = {
+        smtp = {
+          protocol = "smtp";
+          bind = "[::]:25";
+          proxy.trusted-networks = [
+            "10.250.0.1/32"
+            "fdc9:281f:4d7:9ee9::1/128"
+          ];
+        };
+        [...]
+      };
+    };
+  };
+};|name=/etc/nixos/configuration.nix|lang=nix}}In this example we set <code>proxy.trusted-networks</code> with an array of the gateway IP-addresses in the <code>smtp</code> listener section.
 == Configuration ==
@@ Line 344: / Line 362: @@
 Adapt the variables <code>DOMAIN</code>, <code>SUBDOMAIN</code>, and <code>PORT</code> according to your needs. The variable <code>ACME_PROVIDER_ID</code> corresponds to the ACME profile name you've setup in the Stalwart webadmin interface. <code>EnvironmentFile</code> points to a file containing the secret Cloudflare api token in the format: TOKEN=12345678[...].
+=== Sending from subaddresses ===
+Receiving mails to subaddresses like <code>john+secondary@example.org</code> is enabled by default. Sending from subaddresses will fail with "You are not allowed to send from this address" as long as they are not an configured alias address. You can disable this check but it will allow any authenticated user to send from any other address.
+{{file|/etc/nixos/configuration.nix|nix|3=services.stalwart-mail = {
+  settings = {
+    [...]
+    session.auth.must-match-sender = false;
+  };
+};}}
+A configuration option to customize the pattern of authorized sender addresses is a [https://github.com/stalwartlabs/stalwart/issues/394#issuecomment-3705990056 planned feature].
 === Test mail server ===
 You can use several online tools to test your mail server configuration:
 * [https://en.internet.nl/test-mail en.internet.nl/test-mail]: Test your mail server configuration for validity and security.
+* [https://www.hardenize.com/ hardenize.com]: Test your mail server configuration for validity and security. Checks DANE validity even when not all MX servers support DANE.
 * [https://www.mail-tester.com mail-tester.com]: Send a mail to this service and get a rating about the "spaminess" of your mail server.
 * Send a mail to the echo server <code>echo@univie.ac.at</code>. You should receive a response containing your message in several seconds.