diff --git a/core/dovecot/conf/dovecot.conf b/core/dovecot/conf/dovecot.conf
index 75bd3a66..ef28efb1 100644
--- a/core/dovecot/conf/dovecot.conf
+++ b/core/dovecot/conf/dovecot.conf
@@ -5,7 +5,7 @@ log_path = /dev/stderr
 protocols = imap pop3 lmtp sieve
 postmaster_address = {{ POSTMASTER }}@{{ DOMAIN }}
 hostname = {{ HOSTNAMES.split(",")[0] }}
-{%- if PROXY_PROTOCOL_SMTP %}
+{%- if PROXY_PROTOCOL_25 %}
 submission_host = {{ HOSTNAMES.split(",")[0] }}
 {% else %}
 submission_host = {{ FRONT_ADDRESS }}
diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf
index a29c570b..d67ce65a 100644
--- a/core/nginx/conf/nginx.conf
+++ b/core/nginx/conf/nginx.conf
@@ -22,7 +22,7 @@ http {
 {% if REAL_IP_HEADER %}
 real_ip_header {{ REAL_IP_HEADER }};
-{% elif (PROXY_PROTOCOL_HTTPS or PROXY_PROTOCOL_HTTP) and REAL_IP_FROM %}
+{% elif (PROXY_PROTOCOL_80 or PROXY_PROTOCOL_443) and REAL_IP_FROM %}
 real_ip_header proxy_protocol;
 {% endif %}
@@ -59,9 +59,9 @@ http {
 #
 server {
 # Listen over HTTP
-listen 80{% if PROXY_PROTOCOL_HTTP %} proxy_protocol{% endif %};
+listen 80{% if PROXY_PROTOCOL_80 %} proxy_protocol{% endif %};
 {% if SUBNET6 %}
-listen [::]:80{% if PROXY_PROTOCOL_HTTP %} proxy_protocol{% endif %};
+listen [::]:80{% if PROXY_PROTOCOL_80 %} proxy_protocol{% endif %};
 {% endif %}
 {% if TLS_FLAVOR in ['letsencrypt', 'mail-letsencrypt'] %}
 location ^~ /.well-known/acme-challenge/ {
@@ -96,17 +96,17 @@ http {
 # Listen on HTTP only in kubernetes or behind reverse proxy
 {% if TLS_FLAVOR in [ 'mail-letsencrypt', 'notls', 'mail' ] %}
-listen 80{% if PROXY_PROTOCOL_HTTP %} proxy_protocol{% endif %};
+listen 80{% if PROXY_HTTPPROTOCOL_80 %} proxy_protocol{% endif %};
 {% if SUBNET6 %}
-listen [::]:80{% if PROXY_PROTOCOL_HTTP %} proxy_protocol{% endif %};
+listen [::]:80{% if PROXY_PROTOCOL_80 %} proxy_protocol{% endif %};
 {% endif %}
 {% endif %}
 # Only enable HTTPS if TLS is enabled with no error
 {% if TLS_443 and not TLS_ERROR %}
-listen 443 ssl http2{% if PROXY_PROTOCOL_HTTPS %} proxy_protocol{% endif %};
+listen 443 ssl http2{% if PROXY_PROTOCOL_443 %} proxy_protocol{% endif %};
 {% if SUBNET6 %}
-listen [::]:443 ssl http2{% if PROXY_PROTOCOL_HTTPS %} proxy_protocol{% endif %};
+listen [::]:443 ssl http2{% if PROXY_PROTOCOL_443 %} proxy_protocol{% endif %};
 {% endif %}
 include /etc/nginx/tls.conf;
@@ -315,7 +315,7 @@ mail {
 ssl_session_cache shared:SSLMAIL:3m;
 {% endif %}
-{% if PROXY_PROTOCOL_SMTP and REAL_IP_FROM %}{% for from_ip in REAL_IP_FROM.split(',') %}
+{% if PROXY_PROTOCOL_25 and REAL_IP_FROM %}{% for from_ip in REAL_IP_FROM.split(',') %}
 set_real_ip_from {{ from_ip }};
 {% endfor %}{% endif %}
@@ -324,9 +324,9 @@ mail {
 # SMTP is always enabled, to avoid losing emails when TLS is failing
 server {
-listen 25{% if PROXY_PROTOCOL_SMTP %} proxy_protocol{% endif %};
+listen 25{% if PROXY_PROTOCOL_25 %} proxy_protocol{% endif %};
 {% if SUBNET6 %}
-listen [::]:25{% if PROXY_PROTOCOL_SMTP %} proxy_protocol{% endif %};
+listen [::]:25{% if PROXY_PROTOCOL_25 %} proxy_protocol{% endif %};
 {% endif %}
 {% if TLS_25 and not TLS_ERROR %}
 {% if TLS_FLAVOR in ['letsencrypt','mail-letsencrypt'] %}
diff --git a/core/nginx/conf/proxy.conf b/core/nginx/conf/proxy.conf
index 9f6402cd..7a3d8721 100644
--- a/core/nginx/conf/proxy.conf
+++ b/core/nginx/conf/proxy.conf
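Review bot: The IPv4 port-80 listener in the TLS_FLAVOR mail-letsencrypt/notls/mail branch tests `PROXY_HTTPPROTOCOL_80`, a flag config.py never sets (it builds the names as `PROXY_PROTOCOL_<port>`), so `proxy_protocol` is never emitted there while the `[::]:80` listener two lines below correctly tests `PROXY_PROTOCOL_80`. With PROXY_PROTOCOL including 80, the front proxy will prepend a PROXY header on IPv4 connections that this listener does not expect, and those plain-HTTP requests will presumably be rejected as malformed. Change it to `listen 80{% if PROXY_PROTOCOL_80 %} proxy_protocol{% endif %};`. The enclosing server block starts and ends outside the hunk.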
@@ -6,7 +6,7 @@ proxy_hide_header True-Client-IP; proxy_hide_header CF-Connecting-IP; proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto; -{% if (REAL_IP_HEADER or (PROXY_PROTOCOL_HTTP or PROXY_PROTOCOL_HTTPS)) and REAL_IP_FROM %} +{% if (REAL_IP_HEADER or (PROXY_PROTOCOL_80 or PROXY_PROTOCOL_443)) and REAL_IP_FROM %} proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-By $realip_remote_addr; {% else %} diff --git a/core/nginx/config.py b/core/nginx/config.py index 966a402c..3d92d1b9 100755 --- a/core/nginx/config.py +++ b/core/nginx/config.py 
@@ -71,29 +71,22 @@ with open("/etc/resolv.conf") as handle:
     args["RESOLVER"] = f"[{resolver}]" if ":" in resolver else resolver
 # Configure PROXY_PROTOCOL
-PROTO_MAIL=['SMTP', 'POP3', 'POP3S', 'IMAP', 'IMAPS', 'SUBMISSION', 'SUBMISSIONS', 'MANAGESIEVE']
+PROTO_MAIL=['25', '110', '995', '143', '993', '587', '465', '4190']
 PROTO_ALL_BUT_HTTP=PROTO_MAIL.copy()
-PROTO_ALL_BUT_HTTP.extend(['HTTPS'])
+PROTO_ALL_BUT_HTTP.extend(['443'])
 PROTO_ALL=PROTO_ALL_BUT_HTTP.copy()
-PROTO_ALL.extend(['HTTP'])
+PROTO_ALL.extend(['80'])
 for item in args.get('PROXY_PROTOCOL', '').split(','):
-    match item:
-        case '25': args['PROXY_PROTOCOL_SMTP']=True; continue
-        case '80': args['PROXY_PROTOCOL_HTTP']=True; continue
-        case '110': args['PROXY_PROTOCOL_POP3']=True; continue
-        case '143': args['PROXY_PROTOCOL_IMAP']=True; continue
-        case '443': args['PROXY_PROTOCOL_HTTPS']=True; continue
-        case '465': args['PROXY_PROTOCOL_SUBMISSIONS']=True; continue
-        case '587': args['PROXY_PROTOCOL_SUBMISSION']=True; continue
-        case '993': args['PROXY_PROTOCOL_IMAPS']=True; continue
-        case '995': args['PROXY_PROTOCOL_POP3S']=True; continue
-        case '4190': args['PROXY_PROTOCOL_MANAGESIEVE']=True; continue
-        case 'mail':
-            for p in PROTO_MAIL: args[f'PROXY_PROTOCOL_{p}']=True; continue
-        case 'all-but-http':
-            for p in PROTO_ALL_BUT_HTTP: args[f'PROXY_PROTOCOL_{p}']=True; continue
-        case 'all':
-            for p in PROTO_ALL: args[f'PROXY_PROTOCOL_{p}']=True; continue
+    if item.isdigit():
+        args[f'PROXY_PROTOCOL_{item}']=True
+    elif item == 'mail':
+        for p in PROTO_MAIL: args[f'PROXY_PROTOCOL_{p}']=True
+    elif item == 'all-but-http':
+        for p in PROTO_ALL_BUT_HTTP: args[f'PROXY_PROTOCOL_{p}']=True
+    elif item == 'all':
+        for p in PROTO_ALL: args[f'PROXY_PROTOCOL_{p}']=True
+    else:
+        log.error(f'Not sure what to do with {item} in PROXY_PROTOCOL ({args.get("PROXY_PROTOCOL")})')
 PORTS_REQUIRING_TLS=['443', '465', '993', '995']
 ALL_PORTS='25,80,443,465,587,993,995,4190'
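Review bot: The new `item.isdigit()` branch accepts any numeric token, so a typo such as `PROXY_PROTOCOL=2525` or an unsupported port like `22` silently creates a `PROXY_PROTOCOL_2525` flag no template reads instead of reaching the `log.error` branch, whereas the old `match` only recognised the listed ports; testing membership, `if item in PROTO_ALL:`, keeps the error path for anything the templates do not know. When PROXY_PROTOCOL is unset, `''.split(',')` yields `['']`, so the loop logs "Not sure what to do with  in PROXY_PROTOCOL" on every start; iterating `for item in filter(None, map(str.strip, args.get('PROXY_PROTOCOL', '').split(','))):` skips blank tokens and tolerates spaces after commas. Because the nginx.conf hunks in this diff only emit `set_real_ip_from`/`real_ip_header proxy_protocol` when REAL_IP_FROM is also set, a `log.warning` here when any port is enabled without REAL_IP_FROM would surface a configuration where the PROXY header is accepted but its carried address is presumably not applied, leaving IP-based logging and controls with the proxy's address rather than the client's.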
@@ -102,11 +95,10 @@ for item in args.get('PORTS', ALL_PORTS).split(','):
         continue
     args[f'PORT_{item}']=True
-for item in args.get('TLS', ALL_PORTS).split(','):
-    if item in PORTS_REQUIRING_TLS:
-        if args['TLS_FLAVOR'] == 'notls':
-            continue
-        args[f'TLS_{item}']=True
+if args['TLS_FLAVOR'] != 'notls':
+    for item in args.get('TLS', ALL_PORTS).split(','):
+        if item in PORTS_REQUIRING_TLS:
+            args[f'TLS_{item}']=True
 # TLS configuration
 cert_name = args.get("TLS_CERT_FILENAME", "cert.pem")
diff --git a/core/nginx/dovecot/proxy.conf b/core/nginx/dovecot/proxy.conf
index 40ed607a..95972547 100644
--- a/core/nginx/dovecot/proxy.conf
+++ b/core/nginx/dovecot/proxy.conf
@@ -80,7 +80,7 @@ service managesieve-login {
 executable = managesieve-login
 inet_listener sieve {
 port = 4190
-{%- if PROXY_PROTOCOL_MANAGESIEVE %}
+{%- if PROXY_PROTOCOL_4190 %}
 haproxy = yes
 {% endif %}
 }
@@ -99,7 +99,7 @@ service imap-login {
 {%- if PORT_143 %}
 inet_listener imap {
 port = 143
-{%- if PROXY_PROTOCOL_IMAP %}
+{%- if PROXY_PROTOCOL_143 %}
 haproxy = yes
 {% endif %}
 }
@@ -108,7 +108,7 @@ service imap-login {
 inet_listener imaps {
 port = 993
 ssl = yes
-{%- if PROXY_PROTOCOL_IMAPS %}
+{%- if PROXY_PROTOCOL_993 %}
 haproxy = yes
 {% endif %}
 }
@@ -122,7 +122,7 @@ service pop3-login {
 {%- if PORT_110 %}
 inet_listener pop3 {
 port = 110
-{%- if PROXY_PROTOCOL_POP3 %}
+{%- if PROXY_PROTOCOL_110 %}
 haproxy = yes
 {% endif %}
 }
@@ -131,7 +131,7 @@ service pop3-login {
 inet_listener pop3s {
 port = 995
 ssl = yes
-{%- if PROXY_PROTOCOL_POP3S %}
+{%- if PROXY_PROTOCOL_995 %}
 haproxy = yes
 {% endif %}
 }
@@ -147,19 +147,22 @@ service lmtp {
 }
 service submission-login {
-{%- if PORT_587 %}
 inet_listener submission {
+{%- if PORT_587 %}
 port = 587
-{%- if PROXY_PROTOCOL_SUBMISSION %}
+{%- if PROXY_PROTOCOL_587 %}
 haproxy = yes
 {% endif %}
- }
+{%- else %}
+# if the section is unset the port is bound anyways
+ port = 0
 {% endif %}
+ }
 {%- if TLS_465 and PORT_465 %}
 inet_listener submissions {
 port = 465
 ssl = yes
-{%- if PROXY_PROTOCOL_SUBMISSIONS %}
+{%- if PROXY_PROTOCOL_645 %}
 haproxy = yes
 {% endif %}
 }
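Review bot: The submissions listener tests `PROXY_PROTOCOL_645`, a flag config.py never sets (it builds `PROXY_PROTOCOL_<port>` from the literal port string), so `haproxy = yes` is never emitted for port 465 even when PROXY_PROTOCOL contains 465, mail or all, and the front proxy would then send a PROXY header that Dovecot's TLS listener does not expect, presumably breaking every handshake on that port. Change it to `{%- if PROXY_PROTOCOL_465 %}`, matching the `PROXY_PROTOCOL_587` test a few lines above. The `service submission-login` block closes outside the hunk.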