From 04a25fc4e33da6e2181b4af80012660f25fe67d0 Mon Sep 17 00:00:00 2001
From: kaiyou
Date: Sun, 22 Oct 2017 11:31:32 +0200
Subject: [PATCH] Add specific unencrypted servers for internal connexions (webmails)

---
 nginx/conf/nginx.conf    | 25 +++++++++++++++++++++++--
 rainloop/default.ini     |  4 ++--
 roundcube/config.inc.php |  4 ++--
 3 files changed, 27 insertions(+), 6 deletions(-)

diff --git a/nginx/conf/nginx.conf b/nginx/conf/nginx.conf
index 61011dc6..d82d4e16 100644
--- a/nginx/conf/nginx.conf
+++ b/nginx/conf/nginx.conf
@@ -20,13 +20,15 @@ http {
     absolute_redirect off;
 
     server {
+        # Always listen over HTTP
         listen 80;
         listen [::]:80;
 
-        # TLS configuration
+        # Only enable HTTPS if TLS is enabled with no error
         {% if TLS and not TLS_ERROR %}
         listen 443 ssl;
         listen [::]:443 ssl;
+        include /etc/nginx/tls.conf;
         ssl_session_cache shared:SSLHTTP:50m;
         add_header Strict-Transport-Security max-age=15768000;
 
@@ -36,18 +38,21 @@ http {
         }
         {% endif %}
 
+        # In any case, enable the proxy for certbot if the flavor is letsencrypt
         {% if TLS_FLAVOR == 'letsencrypt' %}
         location ^~ /.well-known/acme-challenge/ {
             proxy_pass http://localhost:8000;
         }
         {% endif %}
 
-        # Actual logic
+        # If TLS is failing, prevent access to anything except certbot
         {% if TLS_ERROR %}
         location / {
             return 403;
         }
         {% else %}
+
+        # Actual logic
         {% if WEBMAIL != 'none' %}
         location / {
             return 301 $scheme://$host/webmail/;
@@ -90,6 +95,21 @@ mail {
     ssl_session_cache shared:SSLMAIL:50m;
     {% endif %}
 
+    # Default SMTP server for the webmail (no encryption, but authentication)
+    server {
+        listen 10025;
+        protocol smtp;
+        smtp_auth plain;
+    }
+
+    # Default IMAP server for the webmail (no encryption, but authentication)
+    server {
+        listen 10143;
+        protocol imap;
+        smtp_auth plain;
+    }
+
+    # SMTP is always enabled, to avoid losing emails when TLS is failing
     server {
         listen 25;
         listen [::]:25;
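Review bot: The IMAP server added on port 10143 carries `smtp_auth plain;`, which is the SMTP directive; the IMAP counterpart is `imap_auth plain;`. nginx's mail module accepts `smtp_auth` in any server block and `imap_auth` already defaults to plain, so this apparently works only by coincidence, and anyone later restricting SMTP methods will not realise the IMAP listener was meant to be covered; change that one line to `imap_auth plain;`. Both new listeners bind every address of the front container with no TLS and no STARTTLS, so each webmail user's login and password crosses whatever network can reach 10025/10143 in clear, and the only guard is that those ports are not published, presumably by Docker network isolation that this diff does not show. A comment above the first new server making that boundary explicit would help, e.g. `# Plaintext auth: never publish these ports; only the webmail container is expected to reach them`.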
@@ -100,6 +120,7 @@ mail {
         smtp_auth none;
     }
 
+    # All other protocols are disabled if TLS is failing
     {% if not TLS_ERROR %}
     server {
         listen 143;
diff --git a/rainloop/default.ini b/rainloop/default.ini
index 53545bef..0cb96d69 100644
--- a/rainloop/default.ini
+++ b/rainloop/default.ini
@@ -1,5 +1,5 @@
 imap_host = "front"
-imap_port = 143
+imap_port = 10143
 imap_secure = "None"
 imap_short_login = Off
 sieve_use = On
@@ -8,7 +8,7 @@ sieve_host = "imap"
 sieve_port = 4190
 sieve_secure = "TLS"
 smtp_host = "front"
-smtp_port = 25
+smtp_port = 10025
 smtp_secure = "None"
 smtp_short_login = Off
 smtp_auth = On
diff --git a/roundcube/config.inc.php b/roundcube/config.inc.php
index a867a169..60deb614 100644
--- a/roundcube/config.inc.php
+++ b/roundcube/config.inc.php
@@ -18,9 +18,9 @@ $config['plugins'] = array(
 
 // Mail servers
 $config['default_host'] = 'front';
-$config['default_port'] = 143;
+$config['default_port'] = 10143;
 $config['smtp_server'] = 'front';
-$config['smtp_port'] = 25;
+$config['smtp_port'] = 10025;
 $config['smtp_user'] = '%u';
 $config['smtp_pass'] = '%p';
 
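Review bot: Nothing in config.inc.php explains why `default_port` and `smtp_port` now carry the non-standard values 10143 and 10025, so a later maintainer is likely to "correct" them back to 143/25; judging by the nginx hunks that would silently route webmail submissions to a listener with `smtp_auth none` and break authenticated sending. Add a comment above `$config['default_host']` such as `// 10143/10025 are front's internal IMAP/SMTP listeners: authenticated but plaintext, assumed reachable only on the private container network`. With no `imap_conn_options` or `smtp_conn_options` visible in the hunk, `%u`/`%p` travel in clear on this path; that is presumably acceptable on an isolated network, but the comment should say so rather than leave it implied.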