mxvin · January 9, 2023 07:13
diff --git a/0_mailu-lite2.txt b/0_mailu-lite2.txt
 RESERVED
diff --git a/conf.d~~mail.conf b/conf.d~~mail.conf
 mail {
    server_name [DOMAIN, IMPORTANT];
    auth_http http://192.168.203.10/internal/auth/email;
    proxy_pass_error_message on;
    resolver 1.1.1.1 valid=30s;
 #    error_log /dev/stderr info;

 include nginxconfig.io/ssl.conf;
    ssl_session_cache shared:SSLMAIL:50m;

    # Advertise real capabilites of backends (postfix/dovecot)
    smtp_capabilities PIPELINING SIZE 50000000 ETRN ENHANCEDSTATUSCODES 8BITMIME DSN;
    pop3_capabilities TOP UIDL RESP-CODES PIPELINING AUTH-RESP-CODE USER;
    imap_capabilities IMAP4 IMAP4rev1 UIDPLUS SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+;

    # Default SMTP server for the webmail (no encryption, but authentication)
    server {
      listen 10025;
      protocol smtp;
      smtp_auth plain;
      auth_http_header Auth-Port 10025;
    }

    # Default IMAP server for the webmail (no encryption, but authentication)
    server {
      listen 10143;
      protocol imap;
      smtp_auth plain;
      auth_http_header Auth-Port 10143;
    }

    # SMTP is always enabled, to avoid losing emails when TLS is failing
    server {
      listen 25;
      listen [::]:25;
 include nginxconfig.io/ssl.conf;
      ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
      ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA;
      ssl_prefer_server_ciphers on;
      starttls on;
      protocol smtp;
      smtp_auth none;
      auth_http_header Auth-Port 25;
    }

    # All other protocols are disabled if TLS is failing
    server {
      listen 143;
      listen [::]:143;
      starttls only;
      protocol imap;
      imap_auth plain;
      auth_http_header Auth-Port 143;
    }

    server {
      listen 110;
      listen [::]:110;
      starttls only;
      protocol pop3;
      pop3_auth plain;
      auth_http_header Auth-Port 110;
    }

    server {
      listen 587;
      listen [::]:587;
      starttls only;
      protocol smtp;
      smtp_auth plain login;
      auth_http_header Auth-Port 587;
    }

    server {
      listen 465 ssl;
      listen [::]:465 ssl;
      protocol smtp;
      smtp_auth plain login;
      auth_http_header Auth-Port 465;
    }

    server {
      listen 993 ssl;
      listen [::]:993 ssl;
      protocol imap;
      imap_auth plain;
      auth_http_header Auth-Port 993;
    }

    server {
      listen 995 ssl;
      listen [::]:995 ssl;
      protocol pop3;
      pop3_auth plain;
      auth_http_header Auth-Port 995;
    }
 }
diff --git a/docker-compose.yml b/docker-compose.yml
 # This file is auto-generated by the Mailu configuration wizard.
 # Please read the documentation before attempting any change.
 # Generated for compose flavor

 version: '2.2'

 services:

  # External dependencies
  redis:
    image: redis:alpine
    restart: always
    volumes:
      - "/mailu/redis:/data"
    depends_on:
      - resolver
    dns:
      - 192.168.203.254

  resolver:
    image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}unbound:${MAILU_VERSION:-1.9}
    env_file: mailu.env
    restart: always
    networks:
      default:
        ipv4_address: 192.168.203.254

  admin:
    image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}admin:${MAILU_VERSION:-1.9}
    restart: always
    env_file: mailu.env
    volumes:
      - "/mailu/data:/data"
      - "/mailu/dkim:/dkim"
    depends_on:
      - redis
      - resolver
    dns:
      - 192.168.203.254
    networks:
      default:
        ipv4_address: 192.168.203.10

  imap:
    image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}dovecot:${MAILU_VERSION:-1.9}
    restart: always
    env_file: mailu.env
    volumes:
      - "/mailu/mail:/mail"
      - "/mailu/overrides/dovecot:/overrides:ro"
    depends_on:
      - resolver
    dns:
      - 192.168.203.254
    networks:
      default:
        ipv4_address: 192.168.203.11


  smtp:
    image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}postfix:${MAILU_VERSION:-1.9}
    restart: always
    env_file: mailu.env
    volumes:
      - "/mailu/mailqueue:/queue"
      - "/mailu/overrides/postfix:/overrides:ro"
    depends_on:
      - resolver
    dns:
      - 192.168.203.254
    networks:
      default:
        ipv4_address: 192.168.203.12

  antispam:
    image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}rspamd:${MAILU_VERSION:-1.9}
    hostname: antispam
    restart: always
    env_file: mailu.env
    volumes:
      - "/mailu/filter:/var/lib/rspamd"
      - "/mailu/overrides/rspamd:/etc/rspamd/override.d:ro"
    depends_on:
      - resolver
    dns:
      - 192.168.203.254
    networks:
      default:
        ipv4_address: 192.168.203.13

 networks:
  default:
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: 192.168.203.0/24
diff --git a/nginx.conf b/nginx.conf
 user                 nginx;
 pid                  /var/run/nginx.pid;
 worker_processes     auto;
 worker_rlimit_nofile 65535;

 # Load modules
 include              /etc/nginx/modules-enabled/*.conf;

 events {
    multi_accept       on;
    worker_connections 65535;
 }

 http {
    charset                utf-8;
    sendfile               on;
    tcp_nopush             on;
    tcp_nodelay            on;
    server_tokens          off;
    log_not_found          off;
    types_hash_max_size    2048;
    types_hash_bucket_size 64;
    client_max_body_size   16M;

    # MIME
    include                mime.types;
    default_type           application/octet-stream;

    log_format main '$proxy_protocol_addr - $remote_user [$time_local]'
                        '"$request" $status $body_bytes_sent '
                        '"$http_referer" "$http_user_agent"';


    # Logging
    access_log             /var/log/nginx/access.log main;
    error_log              /var/log/nginx/error.log warn;

    # SSL
    ssl_session_timeout    1d;
    ssl_session_cache      shared:SSL:10m;
    ssl_session_tickets    off;

    # Mozilla Modern configuration
    ssl_protocols          TLSv1.3;

    # OCSP Stapling
    ssl_stapling           on;
    ssl_stapling_verify    on;
    resolver               1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;
    resolver_timeout       2s;

    # Connection header for WebSocket reverse proxy
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ""      close;
    }

    map $remote_addr $proxy_forwarded_elem {

        # IPv4 addresses can be sent as-is
        ~^[0-9.]+$        "for=$remote_addr";

        # IPv6 addresses need to be bracketed and quoted
        ~^[0-9A-Fa-f:.]+$ "for=\"[$remote_addr]\"";

        # Unix domain socket names cannot be represented in RFC 7239 syntax
        default           "for=unknown";
    }

    map $http_forwarded $proxy_add_forwarded {

        # If the incoming Forwarded header is syntactically valid, append to it
        "~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem";

        # Otherwise, replace it
        default "$proxy_forwarded_elem";
    }

    # Load configs
    include /etc/nginx/sites-enabled/*;
 }
 include conf.d/*.conf;
diff --git a/sites_enabled~~mailu-admin.conf b/sites_enabled~~mailu-admin.conf
 # Main HTTP server
    server {
      # Variables for proxifying
      set $admin 192.168.203.10;
      set $antispam 192.168.203.13:11334;
      listen 10.10.0.1:4431 ssl; # guard admin access by listening on specific IP
      include nginxconfig.io/ssl.conf;
      
      client_max_body_size 58388608;

      # Listen on HTTP only in kubernetes or behind reverse proxy
      

      # Only enable HTTPS if TLS is enabled with no error and not on kubernetes
      

      # Remove headers to prevent duplication and information disclosure
      proxy_hide_header X-XSS-Protection;
      proxy_hide_header X-Powered-By;

      add_header X-Frame-Options 'SAMEORIGIN';
      add_header X-Content-Type-Options 'nosniff';
      add_header X-Permitted-Cross-Domain-Policies 'none';
      add_header X-XSS-Protection '1; mode=block';
      add_header Referrer-Policy 'same-origin';

      
      # If TLS is failing, prevent access to anything except certbot
       location /admin {
 include nginxconfig.io/proxy.conf;
         proxy_pass http://$admin;
         #proxy_set_header Host $http_host:8888;
       }
      
 location ~ ^/(sso|static)/ {
 include nginxconfig.io/proxy.conf;
        proxy_pass http://$admin;
      }

 location /admin/antispam {
        rewrite ^/admin/antispam/(.*) /$1 break;
        auth_request /internal/auth/admin;
        proxy_set_header X-Real-IP "";
        proxy_set_header X-Forwarded-For "";
        proxy_pass http://$antispam;
      }
 }
	mail {
	server_name [DOMAIN, IMPORTANT];
	auth_http http://192.168.203.10/internal/auth/email;
	proxy_pass_error_message on;
	resolver 1.1.1.1 valid=30s;
	# error_log /dev/stderr info;

	include nginxconfig.io/ssl.conf;
	ssl_session_cache shared:SSLMAIL:50m;

	# Advertise real capabilites of backends (postfix/dovecot)
	smtp_capabilities PIPELINING SIZE 50000000 ETRN ENHANCEDSTATUSCODES 8BITMIME DSN;
	pop3_capabilities TOP UIDL RESP-CODES PIPELINING AUTH-RESP-CODE USER;
	imap_capabilities IMAP4 IMAP4rev1 UIDPLUS SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+;

	# Default SMTP server for the webmail (no encryption, but authentication)
	server {
	listen 10025;
	protocol smtp;
	smtp_auth plain;
	auth_http_header Auth-Port 10025;
	}

	# Default IMAP server for the webmail (no encryption, but authentication)
	server {
	listen 10143;
	protocol imap;
	smtp_auth plain;
	auth_http_header Auth-Port 10143;
	}

	# SMTP is always enabled, to avoid losing emails when TLS is failing
	server {
	listen 25;
	listen [::]:25;
	include nginxconfig.io/ssl.conf;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
	ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA;
	ssl_prefer_server_ciphers on;
	starttls on;
	protocol smtp;
	smtp_auth none;
	auth_http_header Auth-Port 25;
	}

	# All other protocols are disabled if TLS is failing
	server {
	listen 143;
	listen [::]:143;
	starttls only;
	protocol imap;
	imap_auth plain;
	auth_http_header Auth-Port 143;
	}

	server {
	listen 110;
	listen [::]:110;
	starttls only;
	protocol pop3;
	pop3_auth plain;
	auth_http_header Auth-Port 110;
	}

	server {
	listen 587;
	listen [::]:587;
	starttls only;
	protocol smtp;
	smtp_auth plain login;
	auth_http_header Auth-Port 587;
	}

	server {
	listen 465 ssl;
	listen [::]:465 ssl;
	protocol smtp;
	smtp_auth plain login;
	auth_http_header Auth-Port 465;
	}

	server {
	listen 993 ssl;
	listen [::]:993 ssl;
	protocol imap;
	imap_auth plain;
	auth_http_header Auth-Port 993;
	}

	server {
	listen 995 ssl;
	listen [::]:995 ssl;
	protocol pop3;
	pop3_auth plain;
	auth_http_header Auth-Port 995;
	}
	}
	# This file is auto-generated by the Mailu configuration wizard.
	# Please read the documentation before attempting any change.
	# Generated for compose flavor

	version: '2.2'

	services:

	# External dependencies
	redis:
	image: redis:alpine
	restart: always
	volumes:
	- "/mailu/redis:/data"
	depends_on:
	- resolver
	dns:
	- 192.168.203.254

	resolver:
	image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}unbound:${MAILU_VERSION:-1.9}
	env_file: mailu.env
	restart: always
	networks:
	default:
	ipv4_address: 192.168.203.254

	admin:
	image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}admin:${MAILU_VERSION:-1.9}
	restart: always
	env_file: mailu.env
	volumes:
	- "/mailu/data:/data"
	- "/mailu/dkim:/dkim"
	depends_on:
	- redis
	- resolver
	dns:
	- 192.168.203.254
	networks:
	default:
	ipv4_address: 192.168.203.10

	imap:
	image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}dovecot:${MAILU_VERSION:-1.9}
	restart: always
	env_file: mailu.env
	volumes:
	- "/mailu/mail:/mail"
	- "/mailu/overrides/dovecot:/overrides:ro"
	depends_on:
	- resolver
	dns:
	- 192.168.203.254
	networks:
	default:
	ipv4_address: 192.168.203.11


	smtp:
	image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}postfix:${MAILU_VERSION:-1.9}
	restart: always
	env_file: mailu.env
	volumes:
	- "/mailu/mailqueue:/queue"
	- "/mailu/overrides/postfix:/overrides:ro"
	depends_on:
	- resolver
	dns:
	- 192.168.203.254
	networks:
	default:
	ipv4_address: 192.168.203.12

	antispam:
	image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}rspamd:${MAILU_VERSION:-1.9}
	hostname: antispam
	restart: always
	env_file: mailu.env
	volumes:
	- "/mailu/filter:/var/lib/rspamd"
	- "/mailu/overrides/rspamd:/etc/rspamd/override.d:ro"
	depends_on:
	- resolver
	dns:
	- 192.168.203.254
	networks:
	default:
	ipv4_address: 192.168.203.13

	networks:
	default:
	driver: bridge
	ipam:
	driver: default
	config:
	- subnet: 192.168.203.0/24
	user nginx;
	pid /var/run/nginx.pid;
	worker_processes auto;
	worker_rlimit_nofile 65535;

	# Load modules
	include /etc/nginx/modules-enabled/*.conf;

	events {
	multi_accept on;
	worker_connections 65535;
	}

	http {
	charset utf-8;
	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	server_tokens off;
	log_not_found off;
	types_hash_max_size 2048;
	types_hash_bucket_size 64;
	client_max_body_size 16M;

	# MIME
	include mime.types;
	default_type application/octet-stream;

	log_format main '$proxy_protocol_addr - $remote_user [$time_local]'
	'"$request" $status $body_bytes_sent '
	'"$http_referer" "$http_user_agent"';


	# Logging
	access_log /var/log/nginx/access.log main;
	error_log /var/log/nginx/error.log warn;

	# SSL
	ssl_session_timeout 1d;
	ssl_session_cache shared:SSL:10m;
	ssl_session_tickets off;

	# Mozilla Modern configuration
	ssl_protocols TLSv1.3;

	# OCSP Stapling
	ssl_stapling on;
	ssl_stapling_verify on;
	resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;
	resolver_timeout 2s;

	# Connection header for WebSocket reverse proxy
	map $http_upgrade $connection_upgrade {
	default upgrade;
	"" close;
	}

	map $remote_addr $proxy_forwarded_elem {

	# IPv4 addresses can be sent as-is
	~^[0-9.]+$ "for=$remote_addr";

	# IPv6 addresses need to be bracketed and quoted
	~^[0-9A-Fa-f:.]+$ "for=\"[$remote_addr]\"";

	# Unix domain socket names cannot be represented in RFC 7239 syntax
	default "for=unknown";
	}

	map $http_forwarded $proxy_add_forwarded {

	# If the incoming Forwarded header is syntactically valid, append to it
	"~^(,[ \\t])([!#$%&'+.^_`\|~0-9A-Za-z-]+=([!#$%&'+.^_`\|~0-9A-Za-z-]+\|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]\|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])\"))?(;([!#$%&'+.^_`\|~0-9A-Za-z-]+=([!#$%&'+.^_`\|~0-9A-Za-z-]+\|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]\|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])\"))?)([ \\t],([ \\t]([!#$%&'+.^_`\|~0-9A-Za-z-]+=([!#$%&'+.^_`\|~0-9A-Za-z-]+\|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]\|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])\"))?(;([!#$%&'+.^_`\|~0-9A-Za-z-]+=([!#$%&'+.^_`\|~0-9A-Za-z-]+\|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]\|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])\"))?))?)*$" "$http_forwarded, $proxy_forwarded_elem";

	# Otherwise, replace it
	default "$proxy_forwarded_elem";
	}

	# Load configs
	include /etc/nginx/sites-enabled/*;
	}
	include conf.d/*.conf;
	# Main HTTP server
	server {
	# Variables for proxifying
	set $admin 192.168.203.10;
	set $antispam 192.168.203.13:11334;
	listen 10.10.0.1:4431 ssl; # guard admin access by listening on specific IP
	include nginxconfig.io/ssl.conf;

	client_max_body_size 58388608;

	# Listen on HTTP only in kubernetes or behind reverse proxy


	# Only enable HTTPS if TLS is enabled with no error and not on kubernetes


	# Remove headers to prevent duplication and information disclosure
	proxy_hide_header X-XSS-Protection;
	proxy_hide_header X-Powered-By;

	add_header X-Frame-Options 'SAMEORIGIN';
	add_header X-Content-Type-Options 'nosniff';
	add_header X-Permitted-Cross-Domain-Policies 'none';
	add_header X-XSS-Protection '1; mode=block';
	add_header Referrer-Policy 'same-origin';


	# If TLS is failing, prevent access to anything except certbot
	location /admin {
	include nginxconfig.io/proxy.conf;
	proxy_pass http://$admin;
	#proxy_set_header Host $http_host:8888;
	}

	location ~ ^/(sso\|static)/ {
	include nginxconfig.io/proxy.conf;
	proxy_pass http://$admin;
	}

	location /admin/antispam {
	rewrite ^/admin/antispam/(.*) /$1 break;
	auth_request /internal/auth/admin;
	proxy_set_header X-Real-IP "";
	proxy_set_header X-Forwarded-For "";
	proxy_pass http://$antispam;
	}
	}