NGINX: Add MTA-STS

env.yml

@@ -138,6 +138,7 @@ volumes:
   etebase_datadir: /mnt/etebasedata
   hedgedoc_uploadsdir: /mnt/hedgedocuploads
   lldap_datadir: /mnt/lldapdata
+  mailserver_datadir: /mnt/mailserver
   mailserver_tls_certificate_file: "/etc/letsencrypt/live/mail.{{ domain }}/fullchain.pem"
   mailserver_tls_certificate_key_file: "/etc/letsencrypt/live/mail.{{ domain }}/privkey.pem"
   postgres_datadir: /mnt/postgresdata

roles/lldap/templates/docker-compose.yaml

@@ -7,7 +7,6 @@ services:
     env_file: .env
     networks:
       - authelia
-      - mailserver
     ports:
       - {{ ports['lldap'] }}:17170
     volumes:
@@ -16,5 +15,3 @@ services:
 networks:
   authelia:
     name: authelia
-  mailserver:
-    name: mailserver

roles/mailserver/tasks/backup.yml

@@ -1,10 +1,11 @@
-- name: "Backup PostgreSQL stalwart database"
+- name: "Backup PostgreSQL stalwart database & {{ volumes['mailserver_datadir'] }}/etc/config.toml"
   shell: >
     docker exec postgres
     pg_dump -c {{ role_name }} |
     borg create
     --compression lzma
     "{{ borg_repodir }}::{{ role_name }}-{now:%Y-%m-%d_%H-%M-%S}"
+    "{{ volumes['mailserver_datadir'] }}/etc/config.toml"
     -
     --stdin-name dump_{{ role_name }}.sql
   environment:

roles/mailserver/tasks/setup.yml

@@ -6,16 +6,24 @@
     - absent
     - directory
 
-- name: Template docker-compose.yaml & config.toml to project directory
+- name: Template docker-compose.yaml to project directory
   template:
     src: "{{ item }}"
     dest: "{{ project_dir }}/{{ item }}"
     owner: "{{ host_uid }}"
-    group: "{{ users['mailserver'] + uid_shift }}"
+    group: "{{ host_uid }}"
     mode: '660'
   loop:
     - docker-compose.yaml
-    - config.toml
+  become: true
+
+- name: "Create (if not exists) directory {{ volumes['mailserver_datadir'] }} & set permissions"
+  file:
+    path: "{{ volumes['mailserver_datadir'] }}"
+    state: directory
+    owner: "{{ users['mailserver'] + uid_shift }}"
+    group: "{{ users['mailserver'] + uid_shift }}"
+    mode: '700'
   become: true
 
 - name: Set limited permissions on certificate directories

roles/mailserver/templates/config.toml

@@ -1,92 +0,0 @@
-authentication.fallback-admin.secret = "{{ mailserver_secrets['admin_secret'] }}"
-authentication.fallback-admin.user = "{{ mailserver_secrets['admin_user'] }}"
-cluster.node-id = 1
-lookup.default.hostname = "mail.{{ domain }}"
-lookup.default.domain = "{{ domain }}"
-
-
-# Server settings
-server.http.permissive-cors = false
-server.http.url = "protocol + '://' + key_get('default', 'hostname') + ':' + local_port"
-server.http.use-x-forwarded = true
-server.max-connections = 8192
-server.socket.backlog = 1024
-server.socket.nodelay = true
-server.socket.reuse-addr = true
-server.socket.reuse-port = true
-
-
-# Listeners
-server.listener.https.bind = "[::]:443"
-server.listener.https.protocol = "http"
-server.listener.https.tls.implicit = true
-server.listener.imaptls.bind = "[::]:993"
-server.listener.imaptls.protocol = "imap"
-server.listener.imaptls.tls.implicit = true
-server.listener.smtp.bind = "[::]:25"
-server.listener.smtp.protocol = "smtp"
-server.listener.smtp.tls.implicit = false
-server.listener.submissions.bind = "[::]:465"
-server.listener.submissions.protocol = "smtp"
-server.listener.submissions.tls.implicit = true
-
-
-# Certificate settings
-certificate."default".cert = "%{file:///etc/fullchain.pem}%"
-certificate."default".default = true
-certificate."default".private-key = "%{file:///etc/privkey.pem}%"
-
-
-# Storage settings
-storage.blob = "postgresql"
-storage.data = "postgresql"
-storage.directory = "ldap"
-storage.fts = "postgresql"
-storage.lookup = "postgresql"
-
-
-# Directory settings
-# Note: 'directory.ldap.attributes.secret' must not be defined 
-# to correctly disable OAuth, if the LDAP server doesn't expose passwords hashes.
-directory.ldap.attributes.class = "objectClass"
-directory.ldap.attributes.description = "distinguishedName"
-directory.ldap.attributes.email = "mail"
-directory.ldap.attributes.email-alias = "mailAlias"
-directory.ldap.attributes.groups = "memberOf"
-directory.ldap.attributes.name = "uid"
-directory.ldap.attributes.quota = "diskQuota"
-directory.ldap.base-dn = "{{ ldap_base_dn }}"
-directory.ldap.bind.auth.dn = "uid=?,ou=people,{{ ldap_base_dn }}"
-directory.ldap.bind.auth.enable = true
-directory.ldap.bind.dn = "{{ mailserver_secrets['ldap_user'] }}"
-directory.ldap.bind.secret = "{{ mailserver_secrets['ldap_password'] }}"
-directory.ldap.cache.entries = 500
-directory.ldap.filter.domains = "(&(|(objectClass=posixAccount)(objectClass=posixGroup))(|(mail=*@?)(mailAlias=*@?)))"
-directory.ldap.filter.email = "(&(|(objectClass=posixAccount)(objectClass=posixGroup))(|(mail=?)(mailAlias=?)(mailList=?))(mail=*@{{ domain }}))"
-directory.ldap.filter.expand = "(&(|(objectClass=posixAccount)(objectClass=posixGroup))(mailList=?))"
-directory.ldap.filter.name = "(&(|(objectClass=posixAccount)(objectClass=posixGroup))(uid=?))"
-directory.ldap.filter.verify = "(&(|(objectClass=posixAccount)(objectClass=posixGroup))(|(mail=*?*)(mailAlias=*?*)))"
-directory.ldap.tls.allow-invalid-certs = false
-directory.ldap.tls.enable = false
-directory.ldap.type = "ldap"
-directory.ldap.url = "ldap://lldap:3890"
-
-
-# Store settings
-store.postgresql.compression = "lz4"
-store.postgresql.database = "stalwart"
-store.postgresql.host = "postgres.{{ domain }}"
-store.postgresql.password = "{{ mailserver_secrets['postgres_password'] }}"
-store.postgresql.port = "5432"
-store.postgresql.purge.frequency = "0 3 *"
-store.postgresql.tls.allow-invalid-certs = true
-store.postgresql.tls.enable = true
-store.postgresql.type = "postgresql"
-store.postgresql.user = "{{ mailserver_secrets['postgres_user'] }}"
-
-
-# Logs settings
-tracer.stdout.ansi = true
-tracer.stdout.enable = true
-tracer.stdout.level = "info"
-tracer.stdout.type = "stdout"

roles/mailserver/templates/docker-compose.yaml

@@ -1,21 +1,15 @@
 services:  
   mailserver:
-    image: docker.io/stalwartlabs/mail-server:v0.8.3
     container_name: mailserver
+    image: docker.io/stalwartlabs/mail-server:v0.8.3
     restart: always
     user: "{{ users['mailserver'] }}:{{ users['mailserver'] }}"
-    networks:
-      - mailserver
     ports:
       - "{{ ports['mailserver_smtp'] }}:25"
       - {{ ports['mailserver_smtps'] }}:465
       - {{ ports['mailserver_imaps'] }}:993
       - {{ ports['mailserver_https'] }}:443
     volumes:
-      - {{ volumes['mailserver_tls_certificate_file'] }}:/etc/fullchain.pem
+      - {{ volumes['mailserver_tls_certificate_file'] }}:/etc/fullchain.pem:ro
-      - {{ volumes['mailserver_tls_certificate_key_file'] }}:/etc/privkey.pem
+      - {{ volumes['mailserver_tls_certificate_key_file'] }}:/etc/privkey.pem:ro
-      - ./config.toml:/opt/stalwart-mail/etc/config.toml
+      - {{ volumes['mailserver_datadir'] }}:/opt/stalwart-mail
-
-networks:
-  mailserver:
-    name: mailserver

roles/nginx/templates/sites-enabled/mail.conf

@@ -11,3 +11,18 @@ server {
         include /etc/nginx/snippets/proxy.conf;
     }
 }
+
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+
+    server_name mta-sts.{{ domain }};
+
+    location / {
+        return 404;
+    }
+
+    location = /.well-known/mta-sts.txt {
+        proxy_pass https://127.0.0.1:{{ ports['mailserver_https'] }};
+    }
+}

secrets.yml.example

@@ -52,11 +52,6 @@ lldap_secrets:
   postgres_password:
 
 mailserver_secrets:
-  admin_user:
-  # Hash obtained with openssl passwd -6
-  admin_secret:
-  ldap_user:
-  ldap_password:
   postgres_user:
   postgres_password: