From ba4ed579df94743460706f99017716a81ce23fe9 Mon Sep 17 00:00:00 2001
From: kaiyou
Date: Sun, 24 Sep 2017 18:43:14 +0200
Subject: [PATCH] Support TLS and STARTTLS for mail
---
 nginx/conf/nginx.conf | 47 ++++++++++++++++++++++++++++++++++---------
 nginx/conf/tls.conf | 7 +++++++
 nginx/config.py | 1 +
 3 files changed, 45 insertions(+), 10 deletions(-)
 create mode 100644 nginx/conf/tls.conf
diff --git a/nginx/conf/nginx.conf b/nginx/conf/nginx.conf
index a7e07a13..23f81563 100644
--- a/nginx/conf/nginx.conf
+++ b/nginx/conf/nginx.conf
@@ -24,15 +24,8 @@ http {
 # TLS configuration
 {% if TLS and not TLS_ERROR %}
 listen 443 ssl;
-
- ssl_protocols TLSv1.1 TLSv1.2;
- ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA';
- ssl_prefer_server_ciphers on;
- ssl_session_timeout 5m;
- ssl_session_cache shared:SSL:50m;
- ssl_certificate {{ TLS[0] }};
- ssl_certificate_key {{ TLS[1] }};
-
+ include /etc/nginx/tls.conf;
+ ssl_session_cache shared:SSLHTTP:50m;
 add_header Strict-Transport-Security max-age=15768000;
 
 if ($scheme = http) {
@@ -89,15 +82,49 @@ mail {
 auth_http http://{{ ADMIN_ADDRESS }}/internal/nginx;
 proxy_pass_error_message on;
 
+ {% if TLS and not TLS_ERROR %}
+ include /etc/nginx/tls.conf;
+ ssl_session_cache shared:SSLMAIL:50m;
+ {% endif %}
+
 server {
 listen 25;
+ {% if TLS_FLAVOR != 'notls' %}
+ starttls on;
+ {% endif %}
+ protocol smtp;
+ smtp_auth none;
+ }
+
+ {% if not TLS_ERROR %}
+ server {
+ listen 143;
+ {% if TLS %}
+ starttls only;
+ {% endif %}
+ protocol imap;
+ imap_auth plain;
+ }
+
+ {% if TLS %}
+ server {
+ listen 465 ssl;
 protocol smtp;
 smtp_auth plain;
 }
 
 server {
- listen 143;
+ listen 597;
+ starttls only;
+ protocol smtp;
+ smtp_auth plain;
+ }
+
+ server {
+ listen 993 ssl;
 protocol imap;
 imap_auth plain;
 }
+ {% endif %}
+ {% endif %}
 }
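Review bot: The STARTTLS submission listener in the mail hunk is bound to `listen 597;`, but the port registered for mail submission is 587 (RFC 6409), so clients configured for the standard submission port will never reach this server; the line should read `listen 587;`. In the same hunk, `starttls on;` on port 25 is guarded by `{% if TLS_FLAVOR != 'notls' %}` while the `include /etc/nginx/tls.conf;` that supplies `ssl_certificate` is guarded by `{% if TLS and not TLS_ERROR %}`; if those two conditions can disagree (for example TLS_ERROR set because a certificate file is missing), nginx is handed `starttls on` with no certificate and will most likely refuse to load the configuration, so using the same `{% if TLS and not TLS_ERROR %}` guard on port 25 would be safer. The `mail {` block these servers belong to opens before the hunk; only its closing brace is visible.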
diff --git a/nginx/conf/tls.conf b/nginx/conf/tls.conf
new file mode 100644
index 00000000..e362bab4
--- /dev/null
+++ b/nginx/conf/tls.conf
@@ -0,0 +1,7 @@
+ssl_protocols TLSv1.1 TLSv1.2;
+ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA';
+ssl_prefer_server_ciphers on;
+ssl_session_timeout 5m;
+ssl_certificate {{ TLS[0] }};
+ssl_certificate_key {{ TLS[1] }};
+
diff --git a/nginx/config.py b/nginx/config.py
index 7408a5c6..5f1e0355 100755
--- a/nginx/config.py
+++ b/nginx/config.py
@@ -23,5 +23,6 @@ if args["TLS"] and not all(os.path.exists(file_path) for file_path in args["TLS"
 args["TLS_ERROR"] = "yes"
+convert("/conf/tls.conf", "/etc/nginx/tls.conf", args)
 convert("/conf/nginx.conf", "/etc/nginx/nginx.conf", args)
 os.system("nginx -s reload")
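Review bot: `ssl_protocols TLSv1.1 TLSv1.2;` keeps TLS 1.1 enabled, and since this file is now included by both the HTTPS listener and every mail listener the setting becomes the shared floor for all TLS endpoints; TLS 1.1 has since been deprecated (RFC 8996), so `ssl_protocols TLSv1.2;` would be the safer shared default. The cipher string also still carries `+SSLv3` and `!ECDSA`, and the `EDH`/`kEDH` suites are listed without an `ssl_dhparam` directive, so which DH parameters (if any) are used depends on the nginx version's built-in default. These directives are moved verbatim from nginx.conf rather than written new, but this is the point where they turn into configuration shared by all protocols, which is worth a short header comment in the file saying so.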
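Review bot: `convert("/conf/tls.conf", "/etc/nginx/tls.conf", args)` runs unconditionally, so when `args["TLS"]` is unset or `TLS_ERROR` was just set on the preceding line, /etc/nginx/tls.conf is still rendered with `{{ TLS[0] }}` and `{{ TLS[1] }}` pointing at nothing usable (assuming convert renders the template the same way it does for nginx.conf, which is not shown here). nginx.conf only includes that file under `TLS and not TLS_ERROR`, so nginx still starts, but a stale or empty tls.conf is misleading when debugging certificate problems; gating the call the same way, e.g. `if args["TLS"] and not args.get("TLS_ERROR"): convert("/conf/tls.conf", "/etc/nginx/tls.conf", args)` if args is a plain dict, keeps the rendered files consistent with what nginx actually loads. The `if` that sets TLS_ERROR begins before the hunk.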