|
|
@ -59,7 +59,9 @@ http {
|
|
|
|
server {
|
|
|
|
server {
|
|
|
|
# Listen over HTTP
|
|
|
|
# Listen over HTTP
|
|
|
|
listen 80;
|
|
|
|
listen 80;
|
|
|
|
|
|
|
|
{% if SUBNET6 %}
|
|
|
|
listen [::]:80;
|
|
|
|
listen [::]:80;
|
|
|
|
|
|
|
|
{% endif %}
|
|
|
|
{% if TLS_FLAVOR == 'letsencrypt' %}
|
|
|
|
{% if TLS_FLAVOR == 'letsencrypt' %}
|
|
|
|
location ^~ /.well-known/acme-challenge/ {
|
|
|
|
location ^~ /.well-known/acme-challenge/ {
|
|
|
|
proxy_pass http://127.0.0.1:8008;
|
|
|
|
proxy_pass http://127.0.0.1:8008;
|
|
|
@ -91,13 +93,17 @@ http {
|
|
|
|
# Listen on HTTP only in kubernetes or behind reverse proxy
|
|
|
|
# Listen on HTTP only in kubernetes or behind reverse proxy
|
|
|
|
{% if KUBERNETES_INGRESS == 'true' or TLS_FLAVOR in [ 'mail-letsencrypt', 'notls', 'mail' ] %}
|
|
|
|
{% if KUBERNETES_INGRESS == 'true' or TLS_FLAVOR in [ 'mail-letsencrypt', 'notls', 'mail' ] %}
|
|
|
|
listen 80;
|
|
|
|
listen 80;
|
|
|
|
|
|
|
|
{% if SUBNET6 %}
|
|
|
|
listen [::]:80;
|
|
|
|
listen [::]:80;
|
|
|
|
|
|
|
|
{% endif %}
|
|
|
|
{% endif %}
|
|
|
|
{% endif %}
|
|
|
|
|
|
|
|
|
|
|
|
# Only enable HTTPS if TLS is enabled with no error and not on kubernetes
|
|
|
|
# Only enable HTTPS if TLS is enabled with no error and not on kubernetes
|
|
|
|
{% if KUBERNETES_INGRESS != 'true' and TLS and not TLS_ERROR %}
|
|
|
|
{% if KUBERNETES_INGRESS != 'true' and TLS and not TLS_ERROR %}
|
|
|
|
listen 443 ssl http2;
|
|
|
|
listen 443 ssl http2;
|
|
|
|
|
|
|
|
{% if SUBNET6 %}
|
|
|
|
listen [::]:443 ssl http2;
|
|
|
|
listen [::]:443 ssl http2;
|
|
|
|
|
|
|
|
{% endif %}
|
|
|
|
|
|
|
|
|
|
|
|
include /etc/nginx/tls.conf;
|
|
|
|
include /etc/nginx/tls.conf;
|
|
|
|
ssl_stapling on;
|
|
|
|
ssl_stapling on;
|
|
|
@ -341,7 +347,9 @@ mail {
|
|
|
|
# SMTP is always enabled, to avoid losing emails when TLS is failing
|
|
|
|
# SMTP is always enabled, to avoid losing emails when TLS is failing
|
|
|
|
server {
|
|
|
|
server {
|
|
|
|
listen 25;
|
|
|
|
listen 25;
|
|
|
|
|
|
|
|
{% if SUBNET6 %}
|
|
|
|
listen [::]:25;
|
|
|
|
listen [::]:25;
|
|
|
|
|
|
|
|
{% endif %}
|
|
|
|
{% if TLS and not TLS_ERROR %}
|
|
|
|
{% if TLS and not TLS_ERROR %}
|
|
|
|
{% if TLS_FLAVOR in ['letsencrypt','mail-letsencrypt'] %}
|
|
|
|
{% if TLS_FLAVOR in ['letsencrypt','mail-letsencrypt'] %}
|
|
|
|
ssl_certificate /certs/letsencrypt/live/mailu/fullchain.pem;
|
|
|
|
ssl_certificate /certs/letsencrypt/live/mailu/fullchain.pem;
|
|
|
@ -363,7 +371,9 @@ mail {
|
|
|
|
{% if not TLS_ERROR %}
|
|
|
|
{% if not TLS_ERROR %}
|
|
|
|
server {
|
|
|
|
server {
|
|
|
|
listen 143;
|
|
|
|
listen 143;
|
|
|
|
|
|
|
|
{% if SUBNET6 %}
|
|
|
|
listen [::]:143;
|
|
|
|
listen [::]:143;
|
|
|
|
|
|
|
|
{% endif %}
|
|
|
|
{% if TLS %}
|
|
|
|
{% if TLS %}
|
|
|
|
starttls only;
|
|
|
|
starttls only;
|
|
|
|
{% endif %}
|
|
|
|
{% endif %}
|
|
|
@ -376,7 +386,9 @@ mail {
|
|
|
|
|
|
|
|
|
|
|
|
server {
|
|
|
|
server {
|
|
|
|
listen 110;
|
|
|
|
listen 110;
|
|
|
|
|
|
|
|
{% if SUBNET6 %}
|
|
|
|
listen [::]:110;
|
|
|
|
listen [::]:110;
|
|
|
|
|
|
|
|
{% endif %}
|
|
|
|
{% if TLS %}
|
|
|
|
{% if TLS %}
|
|
|
|
starttls only;
|
|
|
|
starttls only;
|
|
|
|
{% endif %}
|
|
|
|
{% endif %}
|
|
|
@ -389,7 +401,9 @@ mail {
|
|
|
|
|
|
|
|
|
|
|
|
server {
|
|
|
|
server {
|
|
|
|
listen 587;
|
|
|
|
listen 587;
|
|
|
|
|
|
|
|
{% if SUBNET6 %}
|
|
|
|
listen [::]:587;
|
|
|
|
listen [::]:587;
|
|
|
|
|
|
|
|
{% endif %}
|
|
|
|
{% if TLS %}
|
|
|
|
{% if TLS %}
|
|
|
|
starttls only;
|
|
|
|
starttls only;
|
|
|
|
{% endif %}
|
|
|
|
{% endif %}
|
|
|
@ -401,7 +415,9 @@ mail {
|
|
|
|
{% if TLS %}
|
|
|
|
{% if TLS %}
|
|
|
|
server {
|
|
|
|
server {
|
|
|
|
listen 465 ssl;
|
|
|
|
listen 465 ssl;
|
|
|
|
|
|
|
|
{% if SUBNET6 %}
|
|
|
|
listen [::]:465 ssl;
|
|
|
|
listen [::]:465 ssl;
|
|
|
|
|
|
|
|
{% endif %}
|
|
|
|
protocol smtp;
|
|
|
|
protocol smtp;
|
|
|
|
smtp_auth plain login;
|
|
|
|
smtp_auth plain login;
|
|
|
|
auth_http_header Auth-Port 465;
|
|
|
|
auth_http_header Auth-Port 465;
|
|
|
@ -409,7 +425,9 @@ mail {
|
|
|
|
|
|
|
|
|
|
|
|
server {
|
|
|
|
server {
|
|
|
|
listen 993 ssl;
|
|
|
|
listen 993 ssl;
|
|
|
|
|
|
|
|
{% if SUBNET6 %}
|
|
|
|
listen [::]:993 ssl;
|
|
|
|
listen [::]:993 ssl;
|
|
|
|
|
|
|
|
{% endif %}
|
|
|
|
protocol imap;
|
|
|
|
protocol imap;
|
|
|
|
imap_auth plain;
|
|
|
|
imap_auth plain;
|
|
|
|
auth_http_header Auth-Port 993;
|
|
|
|
auth_http_header Auth-Port 993;
|
|
|
@ -419,7 +437,9 @@ mail {
|
|
|
|
|
|
|
|
|
|
|
|
server {
|
|
|
|
server {
|
|
|
|
listen 995 ssl;
|
|
|
|
listen 995 ssl;
|
|
|
|
|
|
|
|
{% if SUBNET6 %}
|
|
|
|
listen [::]:995 ssl;
|
|
|
|
listen [::]:995 ssl;
|
|
|
|
|
|
|
|
{% endif %}
|
|
|
|
protocol pop3;
|
|
|
|
protocol pop3;
|
|
|
|
pop3_auth plain;
|
|
|
|
pop3_auth plain;
|
|
|
|
auth_http_header Auth-Port 995;
|
|
|
|
auth_http_header Auth-Port 995;
|
|
|
|
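Review bot: The added `{% if SUBNET6 %}` guards test only that the variable is non-empty, so any non-empty string enables the IPv6 listeners and an unset value drops them from every server block at once (ports 80, 443, 25, 143, 110, 587, 465, 993 and 995); how SUBNET6 is validated before rendering is not visible on this page. Nothing in the template says this, so an operator upgrading without SUBNET6 loses IPv6 reachability with no hint in the rendered config. I would add a comment at the first guard in the `http` block, e.g. `# IPv6 listeners are rendered only when SUBNET6 is set; otherwise nginx binds IPv4 only`, and mention the same in the `mail` block. The identical three-line guard is repeated ten times; a small Jinja macro taking the port and listen options would keep the IPv4 and IPv6 listeners from drifting apart in later edits.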