Add specific unencrypted servers for internal connexions (webmails)

master
kaiyou 7 years ago
parent ec6d5acc18
commit 04a25fc4e3

@ -20,13 +20,15 @@ http {
absolute_redirect off; absolute_redirect off;
server { server {
# Always listen over HTTP
listen 80; listen 80;
listen [::]:80; listen [::]:80;
# TLS configuration # Only enable HTTPS if TLS is enabled with no error
{% if TLS and not TLS_ERROR %} {% if TLS and not TLS_ERROR %}
listen 443 ssl; listen 443 ssl;
listen [::]:443 ssl; listen [::]:443 ssl;
include /etc/nginx/tls.conf; include /etc/nginx/tls.conf;
ssl_session_cache shared:SSLHTTP:50m; ssl_session_cache shared:SSLHTTP:50m;
add_header Strict-Transport-Security max-age=15768000; add_header Strict-Transport-Security max-age=15768000;
@ -36,18 +38,21 @@ http {
} }
{% endif %} {% endif %}
# In any case, enable the proxy for certbot if the flavor is letsencrypt
{% if TLS_FLAVOR == 'letsencrypt' %} {% if TLS_FLAVOR == 'letsencrypt' %}
location ^~ /.well-known/acme-challenge/ { location ^~ /.well-known/acme-challenge/ {
proxy_pass http://localhost:8000; proxy_pass http://localhost:8000;
} }
{% endif %} {% endif %}
# Actual logic # If TLS is failing, prevent access to anything except certbot
{% if TLS_ERROR %} {% if TLS_ERROR %}
location / { location / {
return 403; return 403;
} }
{% else %} {% else %}
# Actual logic
{% if WEBMAIL != 'none' %} {% if WEBMAIL != 'none' %}
location / { location / {
return 301 $scheme://$host/webmail/; return 301 $scheme://$host/webmail/;
@ -90,6 +95,21 @@ mail {
ssl_session_cache shared:SSLMAIL:50m; ssl_session_cache shared:SSLMAIL:50m;
{% endif %} {% endif %}
# Default SMTP server for the webmail (no encryption, but authentication)
server {
listen 10025;
protocol smtp;
smtp_auth plain;
}
# Default IMAP server for the webmail (no encryption, but authentication)
server {
listen 10143;
protocol imap;
smtp_auth plain;
}
# SMTP is always enabled, to avoid losing emails when TLS is failing
server { server {
listen 25; listen 25;
listen [::]:25; listen [::]:25;
@ -100,6 +120,7 @@ mail {
smtp_auth none; smtp_auth none;
} }
# All other protocols are disabled if TLS is failing
{% if not TLS_ERROR %} {% if not TLS_ERROR %}
server { server {
listen 143; listen 143;

@ -1,5 +1,5 @@
imap_host = "front" imap_host = "front"
imap_port = 143 imap_port = 10143
imap_secure = "None" imap_secure = "None"
imap_short_login = Off imap_short_login = Off
sieve_use = On sieve_use = On
@ -8,7 +8,7 @@ sieve_host = "imap"
sieve_port = 4190 sieve_port = 4190
sieve_secure = "TLS" sieve_secure = "TLS"
smtp_host = "front" smtp_host = "front"
smtp_port = 25 smtp_port = 10025
smtp_secure = "None" smtp_secure = "None"
smtp_short_login = Off smtp_short_login = Off
smtp_auth = On smtp_auth = On

@ -18,9 +18,9 @@ $config['plugins'] = array(
// Mail servers // Mail servers
$config['default_host'] = 'front'; $config['default_host'] = 'front';
$config['default_port'] = 143; $config['default_port'] = 10143;
$config['smtp_server'] = 'front'; $config['smtp_server'] = 'front';
$config['smtp_port'] = 25; $config['smtp_port'] = 10025;
$config['smtp_user'] = '%u'; $config['smtp_user'] = '%u';
$config['smtp_pass'] = '%p'; $config['smtp_pass'] = '%p';

Loading…
Cancel
Save