From 842be9b7c35dc55e5c21bedeec8ad4134198d70b Mon Sep 17 00:00:00 2001 From: Alexander Graf Date: Wed, 25 Jan 2023 15:55:35 +0100 Subject: [PATCH] Skip listen to v6 when SUBNET6 is not set --- core/nginx/conf/nginx.conf | 20 ++++++++++++++++++++ core/postfix/conf/main.cf | 4 ++-- webmails/nginx-webmail.conf | 2 ++ 3 files changed, 24 insertions(+), 2 deletions(-) diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf index db161862..38cf7871 100644 --- a/core/nginx/conf/nginx.conf +++ b/core/nginx/conf/nginx.conf @@ -59,7 +59,9 @@ http { server { # Listen over HTTP listen 80; +{% if SUBNET6 %} listen [::]:80; +{% endif %} {% if TLS_FLAVOR == 'letsencrypt' %} location ^~ /.well-known/acme-challenge/ { proxy_pass http://127.0.0.1:8008; @@ -91,13 +93,17 @@ http { # Listen on HTTP only in kubernetes or behind reverse proxy {% if KUBERNETES_INGRESS == 'true' or TLS_FLAVOR in [ 'mail-letsencrypt', 'notls', 'mail' ] %} listen 80; +{% if SUBNET6 %} listen [::]:80; +{% endif %} {% endif %} # Only enable HTTPS if TLS is enabled with no error and not on kubernetes {% if KUBERNETES_INGRESS != 'true' and TLS and not TLS_ERROR %} listen 443 ssl http2; +{% if SUBNET6 %} listen [::]:443 ssl http2; +{% endif %} include /etc/nginx/tls.conf; ssl_stapling on; @@ -341,7 +347,9 @@ mail { # SMTP is always enabled, to avoid losing emails when TLS is failing server { listen 25; +{% if SUBNET6 %} listen [::]:25; +{% endif %} {% if TLS and not TLS_ERROR %} {% if TLS_FLAVOR in ['letsencrypt','mail-letsencrypt'] %} ssl_certificate /certs/letsencrypt/live/mailu/fullchain.pem; @@ -363,7 +371,9 @@ mail { {% if not TLS_ERROR %} server { listen 143; +{% if SUBNET6 %} listen [::]:143; +{% endif %} {% if TLS %} starttls only; {% endif %} @@ -376,7 +386,9 @@ mail { server { listen 110; +{% if SUBNET6 %} listen [::]:110; +{% endif %} {% if TLS %} starttls only; {% endif %} 
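Review bot: The `{% if SUBNET6 %}` guard added around `listen [::]:80;` in `@@ -59,7 +59,9 @@` carries no comment saying that SUBNET6 now doubles as the IPv6 on/off switch for every listener. The same three lines are repeated on the other listeners in nginx.conf (80, 443, 25, 143, 110, 587, 465, 993, 995) and in webmails/nginx-webmail.conf. A comment at the first guard, e.g. `# IPv6 listeners are emitted only when SUBNET6 is set`, would tell an operator why a port stopped answering on v6, and would remind whoever adds the next `listen [::]:…` to wrap it too. The test is plain Jinja truthiness, so any non-empty string enables all v6 listeners; if SUBNET6 reaches the template as a raw environment string (not visible in these hunks), `{% if SUBNET6 | trim %}` would keep a whitespace-only value from binding `[::]`.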
@@ -389,7 +401,9 @@ mail { server { listen 587; +{% if SUBNET6 %} listen [::]:587; +{% endif %} {% if TLS %} starttls only; {% endif %} @@ -401,7 +415,9 @@ mail { {% if TLS %} server { listen 465 ssl; +{% if SUBNET6 %} listen [::]:465 ssl; +{% endif %} protocol smtp; smtp_auth plain login; auth_http_header Auth-Port 465; @@ -409,7 +425,9 @@ mail { server { listen 993 ssl; +{% if SUBNET6 %} listen [::]:993 ssl; +{% endif %} protocol imap; imap_auth plain; auth_http_header Auth-Port 993; @@ -419,7 +437,9 @@ mail { server { listen 995 ssl; +{% if SUBNET6 %} listen [::]:995 ssl; +{% endif %} protocol pop3; pop3_auth plain; auth_http_header Auth-Port 995; diff --git a/core/postfix/conf/main.cf b/core/postfix/conf/main.cf index 0f6fd392..2e038f61 100644 --- a/core/postfix/conf/main.cf +++ b/core/postfix/conf/main.cf @@ -14,7 +14,7 @@ queue_directory = /queue message_size_limit = {{ MESSAGE_SIZE_LIMIT }} # Relayed networks -mynetworks = 127.0.0.1/32 [::1]/128 {{ SUBNET }} {% if SUBNET6 %}{{ "[{}]/{}".format(*SUBNET6.split("/")) }}{% endif %} {% if RELAYNETS %}{{ RELAYNETS.split(",") | join(" ") }}{% endif %} +mynetworks = 127.0.0.1/32 {{ SUBNET }} {% if SUBNET6 %}[::1]/128 {{ "[{}]/{}".format(*SUBNET6.translate({91: None, 93: None}).split("/")) }}{% endif %} {% if RELAYNETS %}{{ RELAYNETS.split(",") | join(" ") }}{% endif %} # Empty alias list to override the configuration variable and disable NIS alias_maps = @@ -121,7 +121,7 @@ smtpd_relay_restrictions = unverified_recipient_reject_reason = Address lookup failure -smtpd_authorized_xclient_hosts={{ SUBNET }}{% if SUBNET6 %},[{{ SUBNET6 }}]{% endif %} +smtpd_authorized_xclient_hosts={{ SUBNET }}{% if SUBNET6 %},{{ "[{}]/{}".format(*SUBNET6.translate({91: None, 93: None}).split("/")) }}{% endif %} ############### # Milter diff --git a/webmails/nginx-webmail.conf b/webmails/nginx-webmail.conf index fde7adfd..8772c8c8 100644 --- a/webmails/nginx-webmail.conf +++ b/webmails/nginx-webmail.conf 
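Review bot: The bracket-stripping expression added to `mynetworks` in `@@ -14,7 +14,7 @@` of core/postfix/conf/main.cf is repeated verbatim on `smtpd_authorized_xclient_hosts` in `@@ -121,7 +121,7 @@`, and both lines are trust lists (relay permission and XCLIENT), so the two copies should not be able to drift apart. `SUBNET6.translate({91: None, 93: None})` hides that 91 and 93 are the code points of `[` and `]`, and `"[{}]/{}".format(*….split("/"))` aborts the render with an IndexError when SUBNET6 has no prefix length while silently ignoring anything after a second `/`. Computing the value once, e.g. `{% set subnet6 = SUBNET6 | replace("[", "") | replace("]", "") %}`, and referencing it on both lines would remove the duplication and the magic numbers. Neither hunk shows where SUBNET6 is validated; if nothing upstream enforces CIDR form, a check that the split yields exactly two parts belongs next to that `set`.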
@@ -1,6 +1,8 @@ server { listen 80 default_server; +{% if SUBNET6 %} listen [::]:80 default_server; +{% endif %} resolver {{ RESOLVER }} valid=30s; {% if WEBMAIL == 'roundcube' %}