Stalwart: Difference between revisions
→Sending from subaddresses: Add note on planned feature |
change references in nix configuration examples from `stalwart-mail` to `stalwart` |
||
| (6 intermediate revisions by 3 users not shown) | |||
| Line 4: | Line 4: | ||
The following example enables the Stalwart mail server for the domain ''example.org'', listening on mail delivery SMTP/Submission (<code>25, 465</code>), IMAPS (<code>993</code>) and JMAP ports (8080/443) for mail clients to connect to. Mailboxes for the accounts <code>postmaster@example.org</code> and <code>user1@example.org</code> get created if they don't exist yet. | The following example enables the Stalwart mail server for the domain ''example.org'', listening on mail delivery SMTP/Submission (<code>25, 465</code>), IMAPS (<code>993</code>) and JMAP ports (8080/443) for mail clients to connect to. Mailboxes for the accounts <code>postmaster@example.org</code> and <code>user1@example.org</code> get created if they don't exist yet. | ||
{{file| | {{file|||3=environment.etc = { | ||
"stalwart/mail-pw1".text = "foobar"; | "stalwart/mail-pw1".text = "foobar"; | ||
"stalwart/mail-pw2".text = "foobar"; | "stalwart/mail-pw2".text = "foobar"; | ||
| Line 11: | Line 11: | ||
}; | }; | ||
services.stalwart | services.stalwart = { | ||
enable = true; | enable = true; | ||
openFirewall = true; | openFirewall = true; | ||
credentials = { | |||
mail-pw1 = /etc/stalwart/mail-pw1; | |||
mail-pw2 = /etc/stalwart/mail-pw2; | |||
acme-secret = /etc/stalwart/acme-secret; | |||
}; | |||
settings = { | settings = { | ||
server = { | server = { | ||
| Line 29: | Line 34: | ||
bind = "[::]:465"; | bind = "[::]:465"; | ||
protocol = "smtp"; | protocol = "smtp"; | ||
tls.implicit = true | tls.implicit = true; | ||
}; | }; | ||
imaps = { | imaps = { | ||
bind = "[::]:993"; | bind = "[::]:993"; | ||
protocol = "imap"; | protocol = "imap"; | ||
tls.implicit = true | tls.implicit = true; | ||
}; | }; | ||
jmap = { | jmap = { | ||
| Line 57: | Line 62: | ||
domains = [ "example.org" "mx1.example.org" ]; | domains = [ "example.org" "mx1.example.org" ]; | ||
provider = "cloudflare"; | provider = "cloudflare"; | ||
secret = "%{file:/ | secret = "%{file:/run/credentials/stalwart.service/acme-secret}%"; | ||
}; | }; | ||
session.auth = { | session.auth = { | ||
| Line 72: | Line 77: | ||
class = "individual"; | class = "individual"; | ||
name = "User 1"; | name = "User 1"; | ||
secret = "%{file:/ | secret = "%{file:/run/credentials/stalwart.service/mail-pw1}%"; | ||
email = [ "user1@example.org" ]; | email = [ "user1@example.org" ]; | ||
} | } | ||
| Line 78: | Line 83: | ||
class = "individual"; | class = "individual"; | ||
name = "postmaster"; | name = "postmaster"; | ||
secret = "%{file:/ | secret = "%{file:/run/credentials/stalwart.service/mail-pw1}%"; | ||
email = [ "postmaster@example.org" ]; | email = [ "postmaster@example.org" ]; | ||
} | } | ||
| Line 85: | Line 90: | ||
authentication.fallback-admin = { | authentication.fallback-admin = { | ||
user = "admin"; | user = "admin"; | ||
secret = "%{file:/ | secret = "%{file:/run/credentials/stalwart.service/admin-pw}%"; | ||
}; | }; | ||
}; | }; | ||
| Line 105: | Line 110: | ||
}; | }; | ||
}; | }; | ||
};}} | };|name=/etc/nixos/configuration.nix|lang=nix}} | ||
TLS key generation is done using DNS-01 challenge through Cloudflare domain provider, see dns-update library for [https://github.com/stalwartlabs/dns-update further providers] or configure [https://stalw.art/docs/server/tls/certificates manual certificates]. | TLS key generation is done using DNS-01 challenge through Cloudflare domain provider, see dns-update library for [https://github.com/stalwartlabs/dns-update further providers] or configure [https://stalw.art/docs/server/tls/certificates manual certificates]. | ||
| Line 222: | Line 227: | ||
_25._tcp.mx1.example.org. 10800 IN RRSIG TLSA 13 5 10800 20230601000000 20230511000000 39688 example.org. He9VYZ35xTC3fNo8GJa6swPrZodSnjjIWPG6Th2YbsOEKTV1E8eGtJ2A +eyBd9jgG+B3cA/jw8EJHmpvy/buCw== | _25._tcp.mx1.example.org. 10800 IN RRSIG TLSA 13 5 10800 20230601000000 20230511000000 39688 example.org. He9VYZ35xTC3fNo8GJa6swPrZodSnjjIWPG6Th2YbsOEKTV1E8eGtJ2A +eyBd9jgG+B3cA/jw8EJHmpvy/buCw== | ||
=== Running behind reverse proxy === | |||
When running behind a load balancer or reverse proxy, Stalwart will not be able to see the "real" sender IP-addresses of incoming mails in case of simple port forwarding. [[HAProxy]] or Proxy Protocol solves this problem and should be used on the reverse proxy server to forward SMTP traffic. Stalwart will start parsing the Proxy Protocol packages if correctly configured on the listener.{{file|||3=services.stalwart = { | |||
settings = { | |||
server = { | |||
listener = { | |||
smtp = { | |||
protocol = "smtp"; | |||
bind = "[::]:25"; | |||
proxy.trusted-networks = [ | |||
"10.250.0.1/32" | |||
"fdc9:281f:4d7:9ee9::1/128" | |||
]; | |||
}; | |||
[...] | |||
}; | |||
}; | |||
}; | |||
};|name=/etc/nixos/configuration.nix|lang=nix}}In this example we set <code>proxy.trusted-networks</code> with an array of the gateway IP-addresses in the <code>smtp</code> listener section. | |||
== Configuration == | == Configuration == | ||
| Line 229: | Line 252: | ||
Considering the configuration above, we could add a mail alias for <code>user1@example.org</code> by simply adding further addresses to the <code>email</code>-array such as <code>user1real@example.org</code> | Considering the configuration above, we could add a mail alias for <code>user1@example.org</code> by simply adding further addresses to the <code>email</code>-array such as <code>user1real@example.org</code> | ||
{{file| | {{file|||3=services.stalwart = { | ||
settings = { | settings = { | ||
[...] | [...] | ||
| Line 238: | Line 261: | ||
class = "individual"; | class = "individual"; | ||
name = "User 1"; | name = "User 1"; | ||
secret = "%{file:/ | secret = "%{file:/run/credentials/stalwart.service/mail-pw1}%"; | ||
email = [ "user1@example.org" "user1real@example.org ]; | email = [ "user1@example.org" "user1real@example.org ]; | ||
} | } | ||
| Line 244: | Line 267: | ||
}; | }; | ||
}; | }; | ||
};}} | };|name=/etc/nixos/configuration.nix|lang=nix}} | ||
=== Blocking mail sender address === | |||
If you don't want to receive any mails from a specific address, even not into your spam folder, you can add it to the spam-trap array.{{file|||3=services.stalwart = { | |||
settings = { | |||
lookup = { | |||
spam-trap = { | |||
"malicious_sender1@spamhost.com" = ""; | |||
"malicious_sender2@spamhost.com" = ""; | |||
}; | |||
}; | |||
};|name=/etc/nixos/configuration.nix|lang=nix}} | |||
== Tips and tricks == | == Tips and tricks == | ||
| Line 254: | Line 287: | ||
Following script is a possible workaounrd. It extracts the ACME cert every five minute, calculates the TLSA hash and compares it with the upstream record. If it doesn't match, it uses [https://github.com/Stenstromen/gotlsaflare gotlsaflare] to update the TLSA record on Cloudflare. | Following script is a possible workaounrd. It extracts the ACME cert every five minute, calculates the TLSA hash and compares it with the upstream record. If it doesn't match, it uses [https://github.com/Stenstromen/gotlsaflare gotlsaflare] to update the TLSA record on Cloudflare. | ||
<syntaxhighlight lang="nixos"> | <syntaxhighlight lang="nixos">systemd.services.tlsa-cloudflare-update = { | ||
systemd.services.tlsa-cloudflare-update = { | |||
description = "Check and update TLSA/DANE record for mx1 from Stalwart ACME Cert"; | description = "Check and update TLSA/DANE record for mx1 from Stalwart ACME Cert"; | ||
after = [ | after = [ | ||
"network-online.target" | "network-online.target" | ||
"stalwart | "stalwart.service" | ||
]; | ]; | ||
wants = [ | wants = [ | ||
"network-online.target" | "network-online.target" | ||
"stalwart | "stalwart.service" | ||
]; | ]; | ||
serviceConfig = { | serviceConfig = { | ||
Type = "oneshot"; | Type = "oneshot"; | ||
User = "stalwart | User = "stalwart"; | ||
Group = "stalwart | Group = "stalwart"; | ||
EnvironmentFile = config.age.secrets.gotlsaflare-cloudflare-token.path; | EnvironmentFile = config.age.secrets.gotlsaflare-cloudflare-token.path; | ||
RuntimeDirectory = "stalwart-tlsa"; | RuntimeDirectory = "stalwart-tlsa"; | ||
| Line 294: | Line 326: | ||
TLSA_RECORD="_$PORT._tcp.$SUBDOMAIN.$DOMAIN" | TLSA_RECORD="_$PORT._tcp.$SUBDOMAIN.$DOMAIN" | ||
DB_PATH="/var/lib/stalwart | DB_PATH="/var/lib/stalwart/db" | ||
TEMP_RAW="/run/stalwart-tlsa/cert.bundle" | TEMP_RAW="/run/stalwart-tlsa/cert.bundle" | ||
TEMP_CRT="/run/stalwart-tlsa/cert.crt" | TEMP_CRT="/run/stalwart-tlsa/cert.crt" | ||
| Line 338: | Line 370: | ||
OnUnitActiveSec = "5m"; | OnUnitActiveSec = "5m"; | ||
Unit = "tlsa-cloudflare-update.service"; | Unit = "tlsa-cloudflare-update.service"; | ||
}; | |||
};</syntaxhighlight> | |||
Adapt the variables <code>DOMAIN</code>, <code>SUBDOMAIN</code>, and <code>PORT</code> according to your needs. The variable <code>ACME_PROVIDER_ID</code> corresponds to the ACME profile name you've setup in the Stalwart webadmin interface. <code>EnvironmentFile</code> points to a file containing the secret Cloudflare api token in the format: TOKEN=12345678[...]. | |||
==== deSEC.io ==== | |||
In case you want to update your TLSA records at deSEC you can use [https://codeberg.org/Cameo007/dyndns-tlsa-desec dyndns-tlsa-desec] ('''install via flake''') which checks your existing records and updates them if necessary. The certificate and key are taken from the specified directory (like your [[ACME]] directory) | |||
It defaults to <code>3 1 1</code> but you can choose other values as described [[wikipedia:DNS-based_Authentication_of_Named_Entities#RR_data_fields|here]].<syntaxhighlight lang="nixos"> | |||
services.dyndns-tlsa-desec = { | |||
enable = true; | |||
api_token_file = config.age.secrets.dyndns-tlsa-desec-api-key.path; | |||
tlsa_zones."example.com" = { | |||
cert_path = "/var/lib/acme/example.com/"; | |||
records."_25._tcp.mail" = { }; | |||
}; | }; | ||
}; | }; | ||
</syntaxhighlight>The program is executed hourly per default but you can set the <code>interval</code> option to any [https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events systemd calendar event].<syntaxhighlight lang="nixos"> | |||
services.dyndns-tlsa-desec.interval = "5m"; # Every 5 minutes | |||
</syntaxhighlight> | </syntaxhighlight> | ||
=== Sending from subaddresses === | === Sending from subaddresses === | ||
| Line 348: | Line 398: | ||
Receiving mails to subaddresses like <code>john+secondary@example.org</code> is enabled by default. Sending from subaddresses will fail with "You are not allowed to send from this address" as long as they are not an configured alias address. You can disable this check but it will allow any authenticated user to send from any other address. | Receiving mails to subaddresses like <code>john+secondary@example.org</code> is enabled by default. Sending from subaddresses will fail with "You are not allowed to send from this address" as long as they are not an configured alias address. You can disable this check but it will allow any authenticated user to send from any other address. | ||
{{file| | {{file|||3=services.stalwart = { | ||
settings = { | settings = { | ||
[...] | [...] | ||
session.auth.must-match-sender = false; | session.auth.must-match-sender = false; | ||
}; | }; | ||
};}} | };|name=/etc/nixos/configuration.nix|lang=nix}} | ||
A configuration option to customize the pattern of authorized sender addresses is a [https://github.com/stalwartlabs/stalwart/issues/394#issuecomment-3705990056 planned feature]. | A configuration option to customize the pattern of authorized sender addresses is a [https://github.com/stalwartlabs/stalwart/issues/394#issuecomment-3705990056 planned feature]. | ||
| Line 360: | Line 410: | ||
* [https://en.internet.nl/test-mail en.internet.nl/test-mail]: Test your mail server configuration for validity and security. | * [https://en.internet.nl/test-mail en.internet.nl/test-mail]: Test your mail server configuration for validity and security. | ||
* [https://www.hardenize.com/ hardenize.com]: Test your mail server configuration for validity and security. Checks DANE validity even when not all MX servers support DANE. | |||
* [https://www.mail-tester.com mail-tester.com]: Send a mail to this service and get a rating about the "spaminess" of your mail server. | * [https://www.mail-tester.com mail-tester.com]: Send a mail to this service and get a rating about the "spaminess" of your mail server. | ||
* Send a mail to the echo server <code>echo@univie.ac.at</code>. You should receive a response containing your message in several seconds. | * Send a mail to the echo server <code>echo@univie.ac.at</code>. You should receive a response containing your message in several seconds. | ||
=== Unsecure setup for testing environments === | === Unsecure setup for testing environments === | ||
The following minimal configuration example is unsecure and for testing purpose only. It will run the Stalwart mail server on <code>localhost</code>, listening on port <code>143</code> (IMAP) and <code>587</code> (Submission). Users <code>alice</code> and <code>bob</code> are configured with the password <code>foobar</code>.{{file| | The following minimal configuration example is unsecure and for testing purpose only. It will run the Stalwart mail server on <code>localhost</code>, listening on port <code>143</code> (IMAP) and <code>587</code> (Submission). Users <code>alice</code> and <code>bob</code> are configured with the password <code>foobar</code>.{{file|||3=services.stalwart = { | ||
enable = true; | enable = true; | ||
settings = { | settings = { | ||
| Line 407: | Line 458: | ||
}; | }; | ||
}; | }; | ||
};}} | };|name=/etc/nixos/configuration.nix|lang=nix}} | ||
== See also == | == See also == | ||