Stalwart: Difference between revisions
→Tips and tricks: Sending from subaddresses |
Add hardenize.com online tool |
||
| (3 intermediate revisions by 2 users not shown) | |||
| Line 29: | Line 29: | ||
bind = "[::]:465"; | bind = "[::]:465"; | ||
protocol = "smtp"; | protocol = "smtp"; | ||
tls.implicit = true | tls.implicit = true; | ||
}; | }; | ||
imaps = { | imaps = { | ||
bind = "[::]:993"; | bind = "[::]:993"; | ||
protocol = "imap"; | protocol = "imap"; | ||
tls.implicit = true | tls.implicit = true; | ||
}; | }; | ||
jmap = { | jmap = { | ||
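Review bot: the two added semicolons after `tls.implicit = true` (the port 465 listener and `imaps`) are required, because Nix does not parse an attribute set whose last binding is unterminated, so the earlier revision of this example could not be evaluated as written. The `jmap` listener that starts on the last context line is cut off here; check that its bindings are terminated the same way so the whole example can be copied into `configuration.nix` unchanged.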
| Line 222: | Line 222: | ||
_25._tcp.mx1.example.org. 10800 IN RRSIG TLSA 13 5 10800 20230601000000 20230511000000 39688 example.org. He9VYZ35xTC3fNo8GJa6swPrZodSnjjIWPG6Th2YbsOEKTV1E8eGtJ2A +eyBd9jgG+B3cA/jw8EJHmpvy/buCw== | _25._tcp.mx1.example.org. 10800 IN RRSIG TLSA 13 5 10800 20230601000000 20230511000000 39688 example.org. He9VYZ35xTC3fNo8GJa6swPrZodSnjjIWPG6Th2YbsOEKTV1E8eGtJ2A +eyBd9jgG+B3cA/jw8EJHmpvy/buCw== | ||
=== Running behind reverse proxy === | |||
When running behind a load balancer or reverse proxy, Stalwart will not be able to see the "real" sender IP-addresses of incoming mails in case of simple port forwarding. [[HAProxy]] or Proxy Protocol solves this problem and should be used on the reverse proxy server to forward SMTP traffic. Stalwart will start parsing the Proxy Protocol packages if correctly configured on the listener.{{file|||3=services.stalwart-mail = { | |||
settings = { | |||
server = { | |||
listener = { | |||
smtp = { | |||
protocol = "smtp"; | |||
bind = "[::]:25"; | |||
proxy.trusted-networks = [ | |||
"10.250.0.1/32" | |||
"fdc9:281f:4d7:9ee9::1/128" | |||
]; | |||
}; | |||
[...] | |||
}; | |||
}; | |||
}; | |||
};|name=/etc/nixos/configuration.nix|lang=nix}}In this example we set <code>proxy.trusted-networks</code> with an array of the gateway IP-addresses in the <code>smtp</code> listener section. | |||
== Configuration == | == Configuration == | ||
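Review bot: the new paragraph does not say that `proxy.trusted-networks` is a trust boundary, and the closing sentence about "gateway IP-addresses" should spell that out. Every address in that list is allowed to declare the client IP through the Proxy Protocol header, so the list should contain only the proxy's own addresses (the /32 and /128 entries in the example do this) and port 25 should not be reachable from other hosts inside those networks. Two wording points in the first sentence: "[[HAProxy]] or Proxy Protocol solves this problem" mixes the product with the protocol, and "Proxy Protocol packages" reads better as "Proxy Protocol headers". The example sets the option on the `smtp` listener only; a sentence noting that any other listener forwarded through the same proxy needs the same setting would help.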
| Line 355: | Line 373: | ||
};}} | };}} | ||
A configuration option to customize the pattern of authorized sender addresses is a [https://github.com/stalwartlabs/stalwart/issues/394#issuecomment-3705990056 planned feature]. | |||
=== Test mail server === | === Test mail server === | ||
You can use several online tools to test your mail server configuration: | You can use several online tools to test your mail server configuration: | ||
* [https://en.internet.nl/test-mail en.internet.nl/test-mail]: Test your mail server configuration for validity and security. | * [https://en.internet.nl/test-mail en.internet.nl/test-mail]: Test your mail server configuration for validity and security. | ||
* [https://www.hardenize.com/ hardenize.com]: Test your mail server configuration for validity and security. Checks DANE validity even when not all MX servers support DANE. | |||
* [https://www.mail-tester.com mail-tester.com]: Send a mail to this service and get a rating about the "spaminess" of your mail server. | * [https://www.mail-tester.com mail-tester.com]: Send a mail to this service and get a rating about the "spaminess" of your mail server. | ||
* Send a mail to the echo server <code>echo@univie.ac.at</code>. You should receive a response containing your message in several seconds. | * Send a mail to the echo server <code>echo@univie.ac.at</code>. You should receive a response containing your message in several seconds. | ||
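Review bot: the added sentence calling the sender-address pattern option a "planned feature" rests on a single issue comment and carries no date, so it will go stale without anyone noticing; add an "as of" date or phrase it as "requested upstream, see issue" so readers can judge how current it is. In the tools list, the new hardenize.com entry repeats the internet.nl description word for word ("Test your mail server configuration for validity and security"); keeping only the distinguishing part about DANE checks when not all MX servers support DANE would make the difference between the two tools clear.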