diff --git a/nginx/conf/nginx.conf b/nginx/conf/nginx.conf index 61011dc6..d82d4e16 100644 --- a/nginx/conf/nginx.conf +++ b/nginx/conf/nginx.conf @@ -20,13 +20,15 @@ http { absolute_redirect off; server { + # Always listen over HTTP listen 80; listen [::]:80; - # TLS configuration + # Only enable HTTPS if TLS is enabled with no error {% if TLS and not TLS_ERROR %} listen 443 ssl; listen [::]:443 ssl; + include /etc/nginx/tls.conf; ssl_session_cache shared:SSLHTTP:50m; add_header Strict-Transport-Security max-age=15768000; @@ -36,18 +38,21 @@ http { } {% endif %} + # In any case, enable the proxy for certbot if the flavor is letsencrypt {% if TLS_FLAVOR == 'letsencrypt' %} location ^~ /.well-known/acme-challenge/ { proxy_pass http://localhost:8000; } {% endif %} - # Actual logic + # If TLS is failing, prevent access to anything except certbot {% if TLS_ERROR %} location / { return 403; } {% else %} + + # Actual logic {% if WEBMAIL != 'none' %} location / { return 301 $scheme://$host/webmail/; @@ -90,6 +95,21 @@ mail { ssl_session_cache shared:SSLMAIL:50m; {% endif %} + # Default SMTP server for the webmail (no encryption, but authentication) + server { + listen 10025; + protocol smtp; + smtp_auth plain; + } + + # Default IMAP server for the webmail (no encryption, but authentication) + server { + listen 10143; + protocol imap; + smtp_auth plain; + } + + # SMTP is always enabled, to avoid losing emails when TLS is failing server { listen 25; listen [::]:25; @@ -100,6 +120,7 @@ mail { smtp_auth none; } + # All other protocols are disabled if TLS is failing {% if not TLS_ERROR %} server { listen 143; diff --git a/rainloop/default.ini b/rainloop/default.ini index 53545bef..0cb96d69 100644 --- a/rainloop/default.ini +++ b/rainloop/default.ini @@ -1,5 +1,5 @@ imap_host = "front" -imap_port = 143 +imap_port = 10143 imap_secure = "None" imap_short_login = Off sieve_use = On @@ -8,7 +8,7 @@ sieve_host = "imap" sieve_port = 4190 sieve_secure = "TLS" smtp_host = "front" -smtp_port = 25 +smtp_port = 10025 smtp_secure = "None" smtp_short_login = Off smtp_auth = On diff --git a/roundcube/config.inc.php b/roundcube/config.inc.php index a867a169..60deb614 100644 --- a/roundcube/config.inc.php +++ b/roundcube/config.inc.php @@ -18,9 +18,9 @@ $config['plugins'] = array( // Mail servers $config['default_host'] = 'front'; -$config['default_port'] = 143; +$config['default_port'] = 10143; $config['smtp_server'] = 'front'; -$config['smtp_port'] = 25; +$config['smtp_port'] = 10025; $config['smtp_user'] = '%u'; $config['smtp_pass'] = '%p';