simplify

core/dovecot/conf/dovecot.conf

@@ -5,7 +5,7 @@ log_path = /dev/stderr
 protocols = imap pop3 lmtp sieve
 postmaster_address = {{ POSTMASTER }}@{{ DOMAIN }}
 hostname = {{ HOSTNAMES.split(",")[0] }}
-{%- if PROXY_PROTOCOL_SMTP %}
+{%- if PROXY_PROTOCOL_25 %}
 submission_host = {{ HOSTNAMES.split(",")[0] }}
 {% else %}
 submission_host = {{ FRONT_ADDRESS }}

core/nginx/conf/nginx.conf

@@ -22,7 +22,7 @@ http {
 
     {% if REAL_IP_HEADER %}
     real_ip_header {{ REAL_IP_HEADER }};
-    {% elif (PROXY_PROTOCOL_HTTPS or PROXY_PROTOCOL_HTTP) and REAL_IP_FROM %}
+    {% elif (PROXY_PROTOCOL_80 or PROXY_PROTOCOL_443) and REAL_IP_FROM %}
     real_ip_header proxy_protocol;
     {% endif %}
 
@@ -59,9 +59,9 @@ http {
     #
     server {
       # Listen over HTTP
-      listen 80{% if PROXY_PROTOCOL_HTTP %} proxy_protocol{% endif %};
+      listen 80{% if PROXY_PROTOCOL_80 %} proxy_protocol{% endif %};
 {% if SUBNET6 %}
-      listen [::]:80{% if PROXY_PROTOCOL_HTTP %} proxy_protocol{% endif %};
+      listen [::]:80{% if PROXY_PROTOCOL_80 %} proxy_protocol{% endif %};
 {% endif %}
       {% if TLS_FLAVOR in ['letsencrypt', 'mail-letsencrypt'] %}
       location ^~ /.well-known/acme-challenge/ {
@@ -96,17 +96,17 @@ http {
 
       # Listen on HTTP only in kubernetes or behind reverse proxy
       {% if TLS_FLAVOR in [ 'mail-letsencrypt', 'notls', 'mail' ] %}
-      listen 80{% if PROXY_PROTOCOL_HTTP %} proxy_protocol{% endif %};
+      listen 80{% if PROXY_HTTPPROTOCOL_80 %} proxy_protocol{% endif %};
 {% if SUBNET6 %}
-      listen [::]:80{% if PROXY_PROTOCOL_HTTP %} proxy_protocol{% endif %};
+      listen [::]:80{% if PROXY_PROTOCOL_80 %} proxy_protocol{% endif %};
 {% endif %}
       {% endif %}
 
       # Only enable HTTPS if TLS is enabled with no error
       {% if TLS_443 and not TLS_ERROR %}
-      listen 443 ssl http2{% if PROXY_PROTOCOL_HTTPS %} proxy_protocol{% endif %};
+      listen 443 ssl http2{% if PROXY_PROTOCOL_443 %} proxy_protocol{% endif %};
 {% if SUBNET6 %}
-      listen [::]:443 ssl http2{% if PROXY_PROTOCOL_HTTPS %} proxy_protocol{% endif %};
+      listen [::]:443 ssl http2{% if PROXY_PROTOCOL_443 %} proxy_protocol{% endif %};
 {% endif %}
 
       include /etc/nginx/tls.conf;
@@ -315,7 +315,7 @@ mail {
     ssl_session_cache shared:SSLMAIL:3m;
     {% endif %}
 
-    {% if PROXY_PROTOCOL_SMTP and REAL_IP_FROM %}{% for from_ip in REAL_IP_FROM.split(',') %}
+    {% if PROXY_PROTOCOL_25 and REAL_IP_FROM %}{% for from_ip in REAL_IP_FROM.split(',') %}
     set_real_ip_from {{ from_ip }};
     {% endfor %}{% endif %}
 
@@ -324,9 +324,9 @@ mail {
 
     # SMTP is always enabled, to avoid losing emails when TLS is failing
     server {
-      listen 25{% if PROXY_PROTOCOL_SMTP %} proxy_protocol{% endif %};
+      listen 25{% if PROXY_PROTOCOL_25 %} proxy_protocol{% endif %};
 {% if SUBNET6 %}
-      listen [::]:25{% if PROXY_PROTOCOL_SMTP %} proxy_protocol{% endif %};
+      listen [::]:25{% if PROXY_PROTOCOL_25 %} proxy_protocol{% endif %};
 {% endif %}
       {% if TLS_25 and not TLS_ERROR %}
       {% if TLS_FLAVOR in ['letsencrypt','mail-letsencrypt'] %}

core/nginx/conf/proxy.conf

@@ -6,7 +6,7 @@ proxy_hide_header True-Client-IP;
 proxy_hide_header CF-Connecting-IP;
 
 proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
-{% if (REAL_IP_HEADER or (PROXY_PROTOCOL_HTTP or PROXY_PROTOCOL_HTTPS)) and REAL_IP_FROM %}
+{% if (REAL_IP_HEADER or (PROXY_PROTOCOL_80 or PROXY_PROTOCOL_443)) and REAL_IP_FROM %}
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-By $realip_remote_addr;
 {% else %}

core/nginx/config.py

@@ -71,29 +71,22 @@ with open("/etc/resolv.conf") as handle:
     args["RESOLVER"] = f"[{resolver}]" if ":" in resolver else resolver
 
 # Configure PROXY_PROTOCOL
-PROTO_MAIL=['SMTP', 'POP3', 'POP3S', 'IMAP', 'IMAPS', 'SUBMISSION', 'SUBMISSIONS', 'MANAGESIEVE']
+PROTO_MAIL=['25', '110', '995', '143', '993', '587', '465', '4190']
 PROTO_ALL_BUT_HTTP=PROTO_MAIL.copy()
-PROTO_ALL_BUT_HTTP.extend(['HTTPS'])
+PROTO_ALL_BUT_HTTP.extend(['443'])
 PROTO_ALL=PROTO_ALL_BUT_HTTP.copy()
-PROTO_ALL.extend(['HTTP'])
+PROTO_ALL.extend(['80'])
 for item in args.get('PROXY_PROTOCOL', '').split(','):
-    match item:
-        case '25': args['PROXY_PROTOCOL_SMTP']=True; continue
-        case '80': args['PROXY_PROTOCOL_HTTP']=True; continue
-        case '110': args['PROXY_PROTOCOL_POP3']=True; continue
-        case '143': args['PROXY_PROTOCOL_IMAP']=True; continue
-        case '443': args['PROXY_PROTOCOL_HTTPS']=True; continue
-        case '465': args['PROXY_PROTOCOL_SUBMISSIONS']=True; continue
-        case '587': args['PROXY_PROTOCOL_SUBMISSION']=True; continue
-        case '993': args['PROXY_PROTOCOL_IMAPS']=True; continue
-        case '995': args['PROXY_PROTOCOL_POP3S']=True; continue
-        case '4190': args['PROXY_PROTOCOL_MANAGESIEVE']=True; continue
-        case 'mail':
-            for p in PROTO_MAIL: args[f'PROXY_PROTOCOL_{p}']=True; continue
-        case 'all-but-http':
-            for p in PROTO_ALL_BUT_HTTP: args[f'PROXY_PROTOCOL_{p}']=True; continue
-        case 'all':
-            for p in PROTO_ALL: args[f'PROXY_PROTOCOL_{p}']=True; continue
+    if item.isdigit():
+        args[f'PROXY_PROTOCOL_{item}']=True
+    elif item == 'mail':
+        for p in PROTO_MAIL: args[f'PROXY_PROTOCOL_{p}']=True
+    elif item == 'all-but-http':
+        for p in PROTO_ALL_BUT_HTTP: args[f'PROXY_PROTOCOL_{p}']=True
+    elif item == 'all':
+        for p in PROTO_ALL: args[f'PROXY_PROTOCOL_{p}']=True
+    else:
+        log.error(f'Not sure what to do with {item} in PROXY_PROTOCOL ({args.get("PROXY_PROTOCOL")})')
 
 PORTS_REQUIRING_TLS=['443', '465', '993', '995']
 ALL_PORTS='25,80,443,465,587,993,995,4190'
@@ -102,11 +95,10 @@ for item in args.get('PORTS', ALL_PORTS).split(','):
         continue
     args[f'PORT_{item}']=True
 
-for item in args.get('TLS', ALL_PORTS).split(','):
-    if item in PORTS_REQUIRING_TLS:
-        if args['TLS_FLAVOR'] == 'notls':
-            continue
-        args[f'TLS_{item}']=True
+if args['TLS_FLAVOR'] != 'notls':
+    for item in args.get('TLS', ALL_PORTS).split(','):
+        if item in PORTS_REQUIRING_TLS:
+            args[f'TLS_{item}']=True
 
 # TLS configuration
 cert_name = args.get("TLS_CERT_FILENAME", "cert.pem")

core/nginx/dovecot/proxy.conf

@@ -80,7 +80,7 @@ service managesieve-login {
   executable = managesieve-login
   inet_listener sieve {
     port = 4190
-{%- if PROXY_PROTOCOL_MANAGESIEVE %}
+{%- if PROXY_PROTOCOL_4190 %}
     haproxy = yes
 {% endif %}
   }
@@ -99,7 +99,7 @@ service imap-login {
 {%- if PORT_143 %}
   inet_listener imap {
     port = 143
-{%- if PROXY_PROTOCOL_IMAP %}
+{%- if PROXY_PROTOCOL_143 %}
     haproxy = yes
 {% endif %}
   }
@@ -108,7 +108,7 @@ service imap-login {
   inet_listener imaps {
     port = 993
     ssl = yes
-{%- if PROXY_PROTOCOL_IMAPS %}
+{%- if PROXY_PROTOCOL_993 %}
     haproxy = yes
 {% endif %}
   }
@@ -122,7 +122,7 @@ service pop3-login {
 {%- if PORT_110 %}
   inet_listener pop3 {
     port = 110
-{%- if PROXY_PROTOCOL_POP3 %}
+{%- if PROXY_PROTOCOL_110 %}
     haproxy = yes
 {% endif %}
   }
@@ -131,7 +131,7 @@ service pop3-login {
   inet_listener pop3s {
     port = 995
     ssl = yes
-{%- if PROXY_PROTOCOL_POP3S %}
+{%- if PROXY_PROTOCOL_995 %}
     haproxy = yes
 {% endif %}
   }
@@ -147,19 +147,22 @@ service lmtp {
 }
 
 service submission-login {
-{%- if PORT_587 %}
    inet_listener submission {
+{%- if PORT_587 %}
     port = 587
-{%- if PROXY_PROTOCOL_SUBMISSION %}
+{%- if PROXY_PROTOCOL_587 %}
     haproxy = yes
 {% endif %}
-   }
+{%- else %}
+# if the section is unset the port is bound anyways
+   port = 0
 {% endif %}
+   }
 {%- if TLS_465 and PORT_465 %}
    inet_listener submissions {
     port = 465
     ssl = yes
-{%- if PROXY_PROTOCOL_SUBMISSIONS %}
+{%- if PROXY_PROTOCOL_645 %}
     haproxy = yes
 {% endif %}
    }