Add a new TLS flavor named 'mail'

master
kaiyou 7 years ago
parent 5fd29a6593
commit bfa50c5aa7

@ -34,10 +34,12 @@ http {
ssl_session_cache shared:SSLHTTP:50m;
add_header Strict-Transport-Security max-age=15768000;
{% if not TLS_FLAVOR == "mail" %}
if ($scheme = http) {
return 301 https://$host$request_uri;
}
{% endif %}
{% endif %}
# In any case, enable the proxy for certbot if the flavor is letsencrypt
{% if TLS_FLAVOR == 'letsencrypt' %}
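Review bot: The new `{% if not TLS_FLAVOR == "mail" %}` guard covers only the http-to-https redirect, while `add_header Strict-Transport-Security max-age=15768000;` two lines above it stays outside the guard. Whenever the enclosing block is rendered, the mail flavor will therefore still send HSTS from an HTTP side that, per this commit's documentation, is no longer served over TLS. Either move the header inside the same guard or state explicitly that the front reverse proxy is expected to pass it through. The test would also read more clearly as `TLS_FLAVOR != "mail"`, and its double quotes differ from the `'letsencrypt'` comparison just below.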

@ -2,13 +2,14 @@
import jinja2
import os
convert = lambda src, dst, args: open(dst, "w").write(jinja2.Template(open(src).read()).render(**args))
args = os.environ.copy()
args["TLS"] = {
"cert": ("/certs/cert.pem", "/certs/key.pem"),
"mail": ("/certs/cert.pem", "/certs/key.pem"),
"letsencrypt": ("/certs/letsencrypt/live/mailu/fullchain.pem",
"/certs/letsencrypt/live/mailu/privkey.pem"),
"notls": None
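Review bot: The added `"mail"` entry repeats the `("/certs/cert.pem", "/certs/key.pem")` tuple of the `"cert"` entry verbatim, so a later change to the manual certificate paths has to be made in two places or the mail flavor ends up pointing at stale files. Bind the tuple to one name and reference it from both keys. A short comment that `mail` relies on the same manually provisioned files as `cert` would also make the intent clear to the next reader.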

@ -47,8 +47,11 @@ The behavior is identical to ``BIND_ADDRESS4``.
Set the ``TLS_FLAVOR`` to one of the following
values:
- ``cert`` is the default and requires certificates to be setup manually;
- ``letsencrypt`` will use the Letsencrypt! CA to generate automatic ceriticates;
- ``mail`` is similar to ``cert`` except that TLS will only be served for
emails (IMAP and SMTP), not HTTP (use it behind reverse proxies);
- ``notls`` will disable TLS, this is not recommended except for testing.
Enable optional features
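Review bot: The `mail` entry says to use it behind reverse proxies but does not say what the proxy must then provide. With this flavor the HTTP side is served without TLS and without the redirect to HTTPS, so the text should state that the reverse proxy has to terminate TLS for the web interface and that the link between the proxy and this container must be trusted. It should also say outright that certificates still have to be set up manually, which "similar to ``cert``" only implies. While here, the neighbouring `letsencrypt` line has the typo "ceriticates".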
