diff --git a/stalwart-mail/Chart.yaml b/stalwart-mail/Chart.yaml index 79820e4..bc012c9 100644 --- a/stalwart-mail/Chart.yaml +++ b/stalwart-mail/Chart.yaml @@ -3,9 +3,9 @@ name: stalwart-mail description: Helm Chart for Stalwart Mail Server - Secure & Modern All-in-One Mail Server (IMAP, JMAP, SMTP) icon: https://stalw.art/home/apple-touch-icon.png type: application -version: 0.0.4 +version: 0.0.5 # renovate: image=docker.io/stalwartlabs/mail-server -appVersion: "0.6.0" +appVersion: "0.8.1" maintainers: - name: WrenIX url: https://wrenix.eu diff --git a/stalwart-mail/README.adoc b/stalwart-mail/README.adoc index 876b2bf..446c7f7 100644 --- a/stalwart-mail/README.adoc +++ b/stalwart-mail/README.adoc @@ -2,9 +2,9 @@ = stalwart-mail -image::https://img.shields.io/badge/Version-0.0.4-informational?style=flat-square[Version: 0.0.4] +image::https://img.shields.io/badge/Version-0.0.5-informational?style=flat-square[Version: 0.0.5] image::https://img.shields.io/badge/Version-application-informational?style=flat-square[Type: application] -image::https://img.shields.io/badge/AppVersion-0.6.0-informational?style=flat-square[AppVersion: 0.6.0] +image::https://img.shields.io/badge/AppVersion-0.8.1-informational?style=flat-square[AppVersion: 0.8.1] == Maintainers .Maintainers 
@@ -56,7 +56,41 @@ helm uninstall stalwart-mail-release == Values -.Values +.Values DKIM +|=== +| Key | Type | Default | Description + +| config.auth.dkim.sign +| list +| `[{"if":"listener != 'smtp'","then":"['rsa', 'ed25519']"},{"else":false}]` +| auth rule for signing with dkim + +| config.auth.dkim.verify +| string +| `"relaxed"` +| verify of dkim signature (relaxed, strict, disable) +|=== + +.Values Authentification +|=== +| Key | Type | Default | Description + +| config.authentication.fallback-admin.secret +| string +| `"%{env:FALLBACK_ADMIN_SECRET}%"` +| password for fallback authentfication (use env for store in secrets of kubernetes) + +| config.authentication.fallback-admin.user +| string +| `"admin"` +| username for fallback authentfication + +| secrets.env.FALLBACK_ADMIN_SECRET +| string +| `"supersecret"` +| password for fallback authentfication (env) +|=== +.Values Other Values |=== | Key | Type | Default | Description 
@@ -115,765 +149,205 @@ helm uninstall stalwart-mail-release | `nil` | not needed if certmanager is used -| config.acme.letsencrypt -| object -| `{"cache":"/opt/stalwart-mail/etc/acme","contact":["postmaster@%{DEFAULT_DOMAIN}%"],"directory":"https://acme-v02.api.letsencrypt.org/directory","port":443,"renew-before":"30d"}` -| acme with name letsencrypt (from: common/tls.toml) - -| config.acme.letsencrypt.cache +| config.directory.internal.store | string -| `"/opt/stalwart-mail/etc/acme"` -| acme cache (from: common/tls.toml) - -| config.acme.letsencrypt.contact -| list -| `["postmaster@%{DEFAULT_DOMAIN}%"]` -| acme contact (from: common/tls.toml) - -| config.acme.letsencrypt.directory -| string -| `"https://acme-v02.api.letsencrypt.org/directory"` -| acme directory (from: common/tls.toml) - -| config.acme.letsencrypt.port -| int -| `443` -| acme port (from: common/tls.toml) - -| config.acme.letsencrypt.renew-before -| string -| `"30d"` -| acme renew-before (from: common/tls.toml) - -| config.certificate.default -| object -| `{"cert":"file:///opt/stalwart-mail/etc/certs/tls.crt","private-key":"file:///opt/stalwart-mail/etc/certs/tls.key"}` -| certificate with name default (from: common/tls.toml) - -| config.certificate.default.cert -| string -| `"file:///opt/stalwart-mail/etc/certs/tls.crt"` -| certificate cert (from: common/tls.toml) - -| config.certificate.default.private-key -| string -| `"file:///opt/stalwart-mail/etc/certs/tls.key"` -| certificate private-key (from: common/tls.toml) - -| config.directory.memory -| object -| `{"disable":false,"options":{"catch-all":true,"subaddressing":true},"principals":[{"description":"Superuser","mail":["postmaster@%{DEFAULT_DOMAIN}%"],"name":"admin","secret":"changeme","type":"admin"}],"type":"memory"}` -| directory - with name memory (from: directory/internal.yaml) - -| config.directory.memory.disable -| bool -| `false` -| overwrite me, if not wanted - -| config.global.shared-map.capacity -| int -| `10` -| global shared-map 
capacity (from: common/server.toml) - -| config.global.shared-map.shard -| int -| `32` -| global shared-map shard (from: common/server.toml) - -| config.global.thread-pool -| string -| `nil` -| global thead-pool (from: common/server.toml) - -| config.global.tracing -| object -| `{"level":"info","method":"stdout"}` -| global tracing (from: common/tracing.toml) - -| config.imap.auth.allow-plain-text -| bool -| `false` -| imap auth allow-plain-text (from: imap/settings.toml) - -| config.imap.auth.max-failures -| int -| `3` -| imap auth max-failures(from: imap/settings.toml) - -| config.imap.folders.name.shared -| string -| `"Shared Folders"` -| imap folders name shared (from: imap/settings.toml) - -| config.imap.protocol.uidplus -| bool -| `false` -| imap protocol uidplus (from: imap/settings.toml) - -| config.imap.rate-limit.concurrent -| int -| `6` -| imap rate-limit concurrent (from: imap/settings.toml) - -| config.imap.rate-limit.requests -| string -| `"2000/1m"` -| imap rate-limit requests (from: imap/settings.toml) - -| config.imap.request.max-size -| int -| `52428800` -| imap request max-size (from: imap/settings.toml) - -| config.imap.timeout.anonymous -| string -| `"1m"` -| imap timeout anonymous (from: imap/settings.toml) - -| config.imap.timeout.authenticated -| string -| `"30m"` -| imap timeout authenticated (from: imap/settings.toml) - -| config.imap.timeout.idle -| string -| `"30m"` -| imap timeout idle (from: imap/settings.toml) - -| config.jmap.directory -| string -| `"%{DEFAULT_DIRECTORY}%"` -| jmap-directory (from: jmap/auth.yaml) - -| config.jmap.email -| object -| `{"max-attachment-size":50000000,"max-size":75000000,"parse":{"max-items":10}}` -| jmap-email - -| config.jmap.event-source -| object -| `{"throttle":"1s"}` -| jmap-event-source - -| config.jmap.mailbox -| object -| `{"max-depth":10,"max-name-length":255}` -| jmap-mailbox - -| config.jmap.principal -| object -| `{"allow-lookups":true}` -| jmap-principal - -| config.jmap.protocol -| object 
-| `{"changes":{"max-results":5000},"get":{"max-objects":500},"query":{"max-results":5000},"request":{"max-calls":16,"max-concurrent":4,"max-size":10000000},"set":{"max-objects":500},"upload":{"max-concurrent":4,"max-size":50000000,"quota":{"files":1000,"size":50000000},"ttl":"1h"}}` -| jmap-protocol (from: jmap/protocol.yaml) - -| config.jmap.push -| object -| `{"attempts":{"interval":"1m","max":3},"max-total":100,"retry":{"interval":"1s"},"throttle":"1ms","timeout":{"request":"10s","verify":"1s"}}` -| jmap-push (from: jmap/push.yaml) - -| config.jmap.rate-limit -| object -| `{"account":"1000/1m","anonymous":"100/1m","authentication":"10/1m","cache":{"size":1024},"use-forwarded":true}` -| jmap-rate-limit (from: jmap/ratelimit.yaml) - -| config.jmap.session -| object -| `{"cache":{"size":100,"ttl":"1h"},"purge":{"frequency":"0 3 *"}}` -| jmap-session (from: jmap/auth.yaml) - -| config.jmap.web-sockets -| object -| `{"heartbeat":"1m","throttle":"1s","timeout":"10m"}` -| jmap-web-sockets (from: jmap/websocket.yaml) - -| config.macros -| object -| `{"default_directory":"memory","default_domain":"__DOMAIN__","default_store":"sqlite","host":"__HOST__"}` -| macros (from: config.toml) - -| config.oauth.auth -| object -| `{"max-attempts":3}` -| oauth - auth - -| config.oauth.cache -| object -| `{"size":128}` -| oauth - cache - -| config.oauth.expiry -| object -| `{"auth-code":"10m","refresh-token":"30d","refresh-token-renew":"4d","token":"1h","user-code":"30m"}` -| oauth - expiry - -| config.oauth.key -| string -| `"__OAUTH_KEY__"` -| oauth - key - -| config.queue.hash -| int -| `64` -| queue-hash - -| config.queue.outbound -| object -| `{"ip-strategy":"ipv4_then_ipv6","limits":{"multihomed":2,"mx":7},"next-hop":[{"if":"is_local_domain('%{DEFAULT_DIRECTORY}%', 
rcpt_domain)","then":"'local'"},{"else":false}],"timeouts":{"connect":"3m","data":"10m","ehlo":"3m","greeting":"3m","mail-from":"3m","mta-sts":"2m","rcpt-to":"3m","tls":"2m"},"tls":{"allow-invalid-certs":false,"dane":"optional","mta-sts":"optional","starttls":"require"}}` -| queue-outbound - -| config.queue.path -| string -| `"/data/queue"` -| queue-path - -| config.queue.quota[0].key -| string -| `nil` +| `"rocksdb"` | -| config.queue.quota[0].match +| config.directory.internal.type | string -| `nil` +| `"internal"` | -| config.queue.quota[0].messages -| int -| `100000` -| - -| config.queue.quota[0].size -| int -| `10737418240` -| - -| config.queue.schedule -| object -| `{"expire":"5d","notify":"[1d, 3d]","retry":"[2m, 5m, 10m, 15m, 30m, 1h, 2h]"}` -| queue-schedule - -| config.queue.throttle[0].concurrency -| int -| `5` -| - -| config.queue.throttle[0].key[0] +| config.server.listener.https.bind[0] | string -| `"rcpt_domain"` +| `"[::]:80"` | -| config.queue.throttle[0].rate +| config.server.listener.https.protocol | string -| `nil` +| `"http"` | -| config.report.analysis -| object -| `{"addresses":["dmarc@*","abuse@*","postmaster@*"],"forward":true}` -| report-analysis - -| config.report.dkim -| object -| `{"from-address":"'noreply-dkim@%{DEFAULT_DOMAIN}%'","from-name":"'Report Subsystem'","send":"[1, 1d]","sign":"['rsa']","subject":"'DKIM Authentication Failure Report'"}` -| report-dkim - -| config.report.dmarc -| object -| `{"aggregate":{"from-address":"'noreply-dmarc@%{DEFAULT_DOMAIN}%'","from-name":"'DMARC Report'","max-size":26214400,"org-name":"'%{DEFAULT_DOMAIN}%'","send":"daily","sign":"['rsa']"},"from-address":"'noreply-dmarc@%{DEFAULT_DOMAIN}%'","from-name":"'Report Subsystem'","send":"[1, 1d]","sign":"['rsa']","subject":"'DMARC Authentication Failure Report'"}` -| report-dmarc - -| config.report.dmarc.aggregate.max-size -| int -| `26214400` -| default: 25 mb - -| config.report.dsn -| object -| 
`{"from-address":"'MAILER-DAEMON@%{DEFAULT_DOMAIN}%'","from-name":"'Mail Delivery Subsystem'","sign":"['rsa']"}` -| report-dsn - -| config.report.hash -| int -| `64` -| report-hash - -| config.report.path -| string -| `"/data/reports"` -| report-path - -| config.report.spf -| object -| `{"from-address":"'noreply-spf@%{DEFAULT_DOMAIN}%'","from-name":"'Report Subsystem'","send":"[1, 1d]","sign":"['rsa']","subject":"'SPF Authentication Failure Report'"}` -| report-spf - -| config.report.tls -| object -| `{"aggregate":{"from-address":"'noreply-tls@%{DEFAULT_DOMAIN}%'","from-name":"'TLS Report'","max-size":26214400,"org-name":"'%{DEFAULT_DOMAIN}%'","send":"daily","sign":"['rsa']"}}` -| report-tls - -| config.report.tls.aggregate.max-size -| int -| `26214400` -| default: 25 mb - -| config.resolver.attempts -| int -| `2` -| resolver-attempts - -| config.resolver.cache -| object -| `{"ipv4":1024,"ipv6":1024,"mta-sts":1024,"mx":1024,"ptr":1024,"tlsa":1024,"txt":2048}` -| resolver-cache - -| config.resolver.concurrency -| int -| `2` -| resolver-concurrency - -| config.resolver.preserve-intermediates +| config.server.listener.https.tls.implicit | bool | `true` -| resolver-preserve-intermediates +| -| config.resolver.public-suffix -| list -| `["https://publicsuffix.org/list/public_suffix_list.dat","file:///opt/stalwart-mail/etc/spamfilter/maps/suffix_list.dat.gz"]` -| resolver-public-suffix - -| config.resolver.timeout +| config.server.listener.imap.bind[0] | string -| `"5s"` -| resolver-timeout +| `"[::]:143"` +| -| config.resolver.try-tcp-on-error +| config.server.listener.imap.protocol +| string +| `"imap"` +| + +| config.server.listener.imaptls.bind[0] +| string +| `"[::]:993"` +| + +| config.server.listener.imaptls.protocol +| string +| `"imap"` +| + +| config.server.listener.imaptls.tls.implicit | bool | `true` -| resolver-try-tcp-on-error +| -| config.resolver.type +| config.server.listener.sieve.bind[0] | string -| `"system"` -| resolver-type +| `"[::]:4190"` +| -| 
config.server.hostname +| config.server.listener.sieve.protocol | string -| `"%{HOST}%"` -| server hostname (from: common/server.toml) +| `"managesieve"` +| -| config.server.listener -| object -| `{"http":{"bind":["[::]:80"],"protocol":"jmap","url":"https://%{HOST}%"},"imap":{"bind":["[::]:143"],"protocol":"imap"},"imaps":{"bind":["[::]:993"],"protocol":"imap","tls":{"implicit":true}},"sieve":{"bind":["[::]:4190"],"protocol":"managesieve","tls":{"implicit":true}},"smtp":{"bind":["[::]:25"],"protocol":"smtp"},"smtp-submission":{"bind":["[::]:587"],"protocol":"smtp"},"smtps":{"bind":["[::]:465"],"protocol":"smtp","tls":{"implicit":true}}}` -| server listener +| config.server.listener.smtp.bind[0] +| string +| `"[::]:25"` +| -| config.server.listener.http -| object -| `{"bind":["[::]:80"],"protocol":"jmap","url":"https://%{HOST}%"}` -| jmap/listener.yaml +| config.server.listener.smtp.protocol +| string +| `"smtp"` +| -| config.server.listener.imap -| object -| `{"bind":["[::]:143"],"protocol":"imap"}` -| server listener with name imap (from: imap/listener.toml) +| config.server.listener.submission.bind[0] +| string +| `"[::]:587"` +| -| config.server.listener.imaps -| object -| `{"bind":["[::]:993"],"protocol":"imap","tls":{"implicit":true}}` -| server listener with name imaps (from: imap/listener.toml) +| config.server.listener.submission.protocol +| string +| `"smtp"` +| -| config.server.listener.sieve -| object -| `{"bind":["[::]:4190"],"protocol":"managesieve","tls":{"implicit":true}}` -| server listener with name sieve (from: imap/listener.toml) +| config.server.listener.submissions.bind[0] +| string +| `"[::]:465"` +| + +| config.server.listener.submissions.protocol +| string +| `"smtp"` +| + +| config.server.listener.submissions.tls.implicit +| bool +| `true` +| | config.server.run-as.group | string | `"stalwart-mail"` -| server run-as group (from: common/server.toml) +| server run-as group | config.server.run-as.user | string | `"stalwart-mail"` -| server 
run-as user (from: common/server.toml) - -| config.server.security.blocked-networks -| object -| `{}` -| server security blocked-networks (from: common/server.toml) - -| config.server.security.fail2ban -| string -| `"100/1d"` -| server security fail2ban (from: common/server.toml) - -| config.server.socket.backlog -| int -| `1024` -| server socket backlog (from: common/server.toml) - -| config.server.socket.linger -| int -| `1` -| server socket linger (from: common/server.toml) - -| config.server.socket.nodelay -| bool -| `true` -| server socket nodelay (from: common/server.toml) - -| config.server.socket.recv-buffer-size -| int -| `65535` -| server socket recv-buffer-size (from: common/server.toml) - -| config.server.socket.reuse-addr -| bool -| `true` -| server socket reuse-addr (from: common/server.toml) - -| config.server.socket.reuse-port -| bool -| `false` -| server socket reuse-port (from: common/server.toml) - -| config.server.socket.send-buffer-size -| int -| `65535` -| server socket send-buffer-size (from: common/server.toml) - -| config.server.socket.tos -| int -| `1` -| server socket tos (from: common/server.toml) - -| config.server.socket.ttl -| int -| `3600` -| server socket ttl (from: common/server.toml) - -| config.server.tls.acme -| string -| `nil` -| server tls acme (from: common/tls.toml) example: "letsencrypt" - -| config.server.tls.certificate -| string -| `"default"` -| server tls certificate (from: common/tls.toml) - -| config.server.tls.ciphers -| string -| `nil` -| server tls #ciphers (from: common/tls.toml) example: [ "TLS13_AES_256_GCM_SHA384", "TLS13_AES_128_GCM_SHA256", "TLS13_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"] - -| config.server.tls.enable -| bool -| `true` -| server tls enable (from: 
common/tls.toml) - -| config.server.tls.ignore-client-order -| bool -| `true` -| server tls ignore-client-order (from: common/tls.toml) - -| config.server.tls.implicit -| bool -| `false` -| server tls implicit (from: common/tls.toml) - -| config.server.tls.protocols -| string -| `nil` -| server tls protocols (from: common/tls.toml) example: ["TLSv1.2", "TLSv1.3"] - -| config.server.tls.sni -| string -| `nil` -| server tls sni (from: common/tls.toml) example: [{subject: "", certificate: ""}] - -| config.server.tls.timeout -| string -| `"1m"` -| server tls timeout (from: common/tls.toml) - -| config.sieve.trusted.from-addr -| string -| `"no-reply@%{DEFAULT_DOMAIN}%"` -| sieve trusted from-addr (from: common/sieve.toml) - -| config.sieve.trusted.from-name -| string -| `"Automated Message"` -| sieve trusted from-name (from: common/sieve.toml) - -| config.sieve.trusted.hostname -| string -| `"%{HOST}%"` -| sieve trusted hostname (from: common/sieve.toml) - -| config.sieve.trusted.limits.cpu -| int -| `1048576` -| sieve trusted limits cpu (from: common/sieve.toml) - -| config.sieve.trusted.limits.duplicate-expiry -| string -| `"7d"` -| sieve trusted limits duplicate-expiry (from: common/sieve.toml) - -| config.sieve.trusted.limits.nested-includes -| int -| `5` -| sieve trusted limits nested-includes (from: common/sieve.toml) - -| config.sieve.trusted.limits.out-messages -| int -| `5` -| sieve trusted limits out-messages (from: common/sieve.toml) - -| config.sieve.trusted.limits.received-headers -| int -| `50` -| sieve trusted limits received-headers (from: common/sieve.toml) - -| config.sieve.trusted.limits.redirects -| int -| `3` -| sieve trusted limits redirects (from: common/sieve.toml) - -| config.sieve.trusted.no-capability-check -| bool -| `true` -| sieve trusted no-capability-check (from: common/sieve.toml) - -| config.sieve.trusted.return-path -| string -| `""` -| sieve trusted return-path (from: common/sieve.toml) - -| config.sieve.trusted.scripts.connect -| 
string -| `nil` -| sieve trusted scripts connect (from: common/sieve.toml) - -| config.sieve.trusted.scripts.ehlo -| string -| `nil` -| sieve trusted scripts ehlo (from: common/sieve.toml) - -| config.sieve.trusted.scripts.mail -| string -| `nil` -| sieve trusted scripts mail (from: common/sieve.toml) - -| config.sieve.trusted.sign -| list -| `["rsa"]` -| sieve trusted sign (from: common/sieve.toml) - -| config.sieve.untrusted.default-expiry.duplicate -| string -| `"7d"` -| sieve untrusted default-expiry duplicate (from: common/sieve.toml) - -| config.sieve.untrusted.default-expiry.vacation -| string -| `"30d"` -| sieve untrusted default-expiry vacation (from: common/sieve.toml) - -| config.sieve.untrusted.disable-capabilities -| list -| `[]` -| sieve untrusted disable-capabilities (from: common/sieve.toml) - -| config.sieve.untrusted.limits.cpu -| int -| `5000` -| sieve untrusted limit cpu (from: common/sieve.toml) - -| config.sieve.untrusted.limits.header-size -| int -| `1024` -| sieve untrusted limit header-size (from: common/sieve.toml) - -| config.sieve.untrusted.limits.includes -| int -| `3` -| sieve untrusted limit includes (from: common/sieve.toml) - -| config.sieve.untrusted.limits.local-variables -| int -| `128` -| sieve untrusted limit local-variables (from: common/sieve.toml) - -| config.sieve.untrusted.limits.match-variables -| int -| `30` -| sieve untrusted limit match-variables (from: common/sieve.toml) - -| config.sieve.untrusted.limits.max-scripts -| int -| `256` -| sieve untrusted limit max-scripts (from: common/sieve.toml) - -| config.sieve.untrusted.limits.name-length -| int -| `512` -| sieve untrusted limit name-length (from: common/sieve.toml) - -| config.sieve.untrusted.limits.nested-blocks -| int -| `15` -| sieve untrusted limit nested-blocks (from: common/sieve.toml) - -| config.sieve.untrusted.limits.nested-foreverypart -| int -| `3` -| sieve untrusted limit nested-foreverypart (from: common/sieve.toml) - -| 
config.sieve.untrusted.limits.nested-includes -| int -| `3` -| sieve untrusted limit nested-includes (from: common/sieve.toml) - -| config.sieve.untrusted.limits.nested-tests -| int -| `15` -| sieve untrusted limit nested-tests (from: common/sieve.toml) - -| config.sieve.untrusted.limits.outgoing-messages -| int -| `3` -| sieve untrusted limit outgoing-messages (from: common/sieve.toml) - -| config.sieve.untrusted.limits.received-headers -| int -| `10` -| sieve untrusted limit received-headers (from: common/sieve.toml) - -| config.sieve.untrusted.limits.redirects -| int -| `1` -| sieve untrusted limit redirects (from: common/sieve.toml) - -| config.sieve.untrusted.limits.script-size -| int -| `102400` -| sieve untrusted limit script-size (from: common/sieve.toml) - -| config.sieve.untrusted.limits.string-length -| int -| `4096` -| sieve untrusted limit string-length (from: common/sieve.toml) - -| config.sieve.untrusted.limits.variable-name-length -| int -| `32` -| sieve untrusted limit variable-name-length (from: common/sieve.toml) - -| config.sieve.untrusted.limits.variable-size -| int -| `4096` -| sieve untrusted limit variable-size (from: common/sieve.toml) - -| config.sieve.untrusted.notification-uris -| list -| `["mailto"]` -| sieve untrusted notification-uris (from: common/sieve.toml) - -| config.sieve.untrusted.protected-headers -| list -| `["Original-Subject","Original-From","Received","Auto-Submitted"]` -| sieve untrusted protected-headers (from: common/sieve.toml) - -| config.sieve.untrusted.vacation.default-subject -| string -| `"Automated reply"` -| sieve untrusted vacation default-subject (from: common/sieve.toml) - -| config.sieve.untrusted.vacation.subject-prefix -| string -| `"Auto: "` -| sieve untrusted vacation subject-prefix (from: common/sieve.toml) - -| config.signature.rsa -| object -| 
`{"algorithm":"rsa-sha256","canonicalization":"relaxed/relaxed","domain":"%{DEFAULT_DOMAIN}%","headers":["From","To","Date","Subject","Message-ID"],"private-key":"file://opt/stalwart-mail/etc/dkim/private.key","report":true,"selector":"stalwart","set-body-length":false}` -| signature-rsa +| server run-as user | config.storage.blob | string -| `"%{DEFAULT_STORE}%"` -| storage blob (from: common/store.toml) - -| config.storage.cluster.node-id -| string -| `nil` -| storage - cluster - node-id (from: common/store.toml) +| `"rocksdb"` +| | config.storage.data | string -| `"%{DEFAULT_STORE}%"` -| storage data (from: common/store.toml) +| `"rocksdb"` +| | config.storage.directory | string -| `"%{DEFAULT_DIRECTORY}%"` -| storage directory (from: common/store.toml) - -| config.storage.encryption.append -| bool -| `false` -| storage encryption append (from: common/store.toml) - -| config.storage.encryption.enable -| bool -| `true` -| storage encryption enable (from: common/store.toml) +| `"internal"` +| | config.storage.fts | string -| `"%{DEFAULT_STORE}%"` -| storage fts (from: common/store.toml) BROKEN / TODO see: https://github.com/stalwartlabs/mail-server/issues/211 - -| config.storage.fts-table-duplicated-workaround.default-language -| string -| `"en"` -| storage - fts - default-language (from: common/store.toml) +| `"rocksdb"` +| | config.storage.lookup | string -| `"%{DEFAULT_STORE}%"` -| storage lookup (from: common/store.toml) +| `"rocksdb"` +| -| config.storage.spam.header +| config.store.rocksdb.compression | string -| `"X-Spam-Status: Yes"` -| storage spam header (from: common/store.toml) +| `"lz4"` +| -| config.store.fs -| object -| `{"depth":2,"disable":false,"path":"/data/blobs","purge":{"frequency":"0 3 *"},"type":"fs"}` -| store - with name fs +| config.store.rocksdb.path +| string +| `"/data"` +| -| config.store.fs.disable +| config.store.rocksdb.type +| string +| `"rocksdb"` +| + +| config.tracer.otel.enable | bool | `false` -| overwrite me, if not wanted 
+| -| config.store.sqlite -| object -| `{"disable":false,"path":"/data/index.sqlite3","purge":{"frequency":"0 3 *"},"query":{"domains":"SELECT 1 FROM emails WHERE address LIKE '%@' || ? LIMIT 1","emails":"SELECT address FROM emails WHERE name = ? AND type != 'list' ORDER BY type DESC, address ASC","expand":"SELECT p.address FROM emails AS p JOIN emails AS l ON p.name = l.name WHERE p.type = 'primary' AND l.address = ? AND l.type = 'list' ORDER BY p.address LIMIT 50","members":"SELECT member_of FROM group_members WHERE name = ?","name":"SELECT name, type, secret, description, quota FROM accounts WHERE name = ? AND active = true","recipients":"SELECT name FROM emails WHERE address = ?","verify":"SELECT address FROM emails WHERE address LIKE '%' || ? || '%' AND type = 'primary' ORDER BY address LIMIT 5"},"type":"sqlite"}` -| store - with name sqlite +| config.tracer.otel.endpoint +| string +| `"https://127.0.0.1/otel"` +| -| config.store.sqlite.disable +| config.tracer.otel.headers +| list +| `[]` +| headers for usage with http (e.g. 'Authorization: ') + +| config.tracer.otel.level +| string +| `"info"` +| + +| config.tracer.otel.transport +| string +| `"grpc"` +| grpc or http + +| config.tracer.otel.type +| string +| `"open-telemetry"` +| + +| config.tracer.stdout.ansi | bool | `false` -| overwrite me, if not wanted +| + +| config.tracer.stdout.enable +| bool +| `true` +| + +| config.tracer.stdout.level +| string +| `"info"` +| + +| config.tracer.stdout.type +| string +| `"stdout"` +| + +| env +| list +| `[]` +| | fullnameOverride | string diff --git a/stalwart-mail/templates/configmap.yaml b/stalwart-mail/templates/configmap.yaml new file mode 100644 index 0000000..ae34beb --- /dev/null +++ b/stalwart-mail/templates/configmap.yaml 
@@ -0,0 +1,10 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "stalwart-mail.fullname" . }} + labels: + {{- include "stalwart-mail.labels" . | nindent 4 }} +data: + "config.toml": | + {{- toToml .Values.config | replace ".0\n" "\n" | nindent 4 }} diff --git a/stalwart-mail/templates/deployment.yaml b/stalwart-mail/templates/deployment.yaml index c7f63df..9aee1cd 100644 --- a/stalwart-mail/templates/deployment.yaml +++ b/stalwart-mail/templates/deployment.yaml @@ -14,7 +14,8 @@ spec: template: metadata: annotations: - confighash: {{ toYaml .Values.config | sha256sum | trunc 32 }} + config-hash: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + secret-env-hash: {{ include (print $.Template.BasePath "/secrets-env.yaml") . | sha256sum }} {{- with .Values.podAnnotations }} {{- toYaml . | nindent 8 }} {{- end }} @@ -39,6 +40,13 @@ spec: image: "{{ coalesce $.Values.global.image.registry .registry }}/{{ .repository }}:{{ .tag | default (printf "v%s" $.Chart.AppVersion) }}" imagePullPolicy: {{ coalesce $.Values.global.image.pullPolicy .pullPolicy }} {{- end }} + {{- with .Values.env }} + env: + {{- toYaml . | nindent 12 }} + {{- end }} + envFrom: + - secretRef: + name: {{ include "stalwart-mail.fullname" . }}-env ports: {{- range $name, $port := .Values.service.ports }} - name: {{ $name }} @@ -62,9 +70,7 @@ spec: - name: config mountPath: "/opt/stalwart-mail/etc/config.toml" subPath: "config.toml" - - name: config - mountPath: "/opt/stalwart-mail/etc/dkim/private.key" - subPath: "dkim.key" + readOnly: true {{- if or .Values.certificate.secretName .Values.certificate.certmanager.enabled }} - name: certificate mountPath: "/opt/stalwart-mail/etc/certs" 
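Review bot: The rendered `config.toml` now lands in a ConfigMap instead of the Secret this commit deletes, so anything secret that ends up inside `.Values.config` (an OAuth key, a DKIM private key, a store password) is stored in plain text and readable by every principal with ConfigMap read access, which is normally broader than Secret access. The commit moves the fallback-admin password out via `%{env:FALLBACK_ADMIN_SECRET}%`, but nothing in the template says that this is the expected pattern for all secret values. Add a comment above `data:` such as `# config.toml is a plain ConfigMap: keep secrets out of .Values.config and reference them as %{env:NAME}% from secrets.env`. The same trade-off applies to the deployment.yaml hunk that switches the `config` volume from `secret:` to `configMap:`.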
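Review bot: `secret-env-hash` writes the `sha256sum` of the fully rendered Secret manifest, base64-encoded values included, into a pod annotation, and pod specs are usually readable by far more principals than Secrets are. Because the rest of the rendered template (name, labels) is public, a low-entropy value such as the `supersecret` default documented in the README hunk can be confirmed offline from that digest. If the restart-on-change behaviour is wanted, at least mark the trade-off, e.g. `# NOTE: publishes a digest of secrets-env.yaml (secret values included) in pod metadata`, and consider hashing only once operators are required to replace the default; if value changes need not trigger a rollout, hashing the key names alone avoids the exposure. The `config-hash` rename is fine and now covers the rendered ConfigMap rather than `trunc 32` of `.Values.config`.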
@@ -74,8 +80,8 @@ spec: {{- end }} volumes: - name: "config" - secret: - secretName: {{ include "stalwart-mail.fullname" . }} + configMap: + name: {{ include "stalwart-mail.fullname" . }} {{- if or .Values.certificate.secretName .Values.certificate.certmanager.enabled }} - name: certificate secret: diff --git a/stalwart-mail/templates/secrets-env.yaml b/stalwart-mail/templates/secrets-env.yaml new file mode 100644 index 0000000..14a9584 --- /dev/null +++ b/stalwart-mail/templates/secrets-env.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "stalwart-mail.fullname" . }}-env + labels: + {{- include "stalwart-mail.labels" . | nindent 4 }} +data: + {{- range $key, $value := .Values.secrets.env }} + {{ $key }}: {{ $value | b64enc }} + {{- end }} diff --git a/stalwart-mail/templates/secrets.yaml b/stalwart-mail/templates/secrets.yaml deleted file mode 100644 index 74efdf2..0000000 --- a/stalwart-mail/templates/secrets.yaml +++ /dev/null @@ -1,20 +0,0 @@ ---- -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "stalwart-mail.fullname" . }} - labels: - {{- include "stalwart-mail.labels" . | nindent 4 }} - annotations: - confighash: {{ toYaml .Values.config | sha256sum | trunc 32 }} -data: - "config.toml": {{ regexReplaceAll - "trusted-networks = \\[(.*)\\]" - ( - toToml .Values.config - | replace ".0\n" "\n" - | replace "fts-table-duplicated-workaround" "fts" - ) - "trusted-networks = {${1}}" - | b64enc }} - "dkim.key": {{ genPrivateKey "rsa" | b64enc }} diff --git a/stalwart-mail/templates/traefik.yaml b/stalwart-mail/templates/traefik.yaml index c6be692..1be77ef 100644 --- a/stalwart-mail/templates/traefik.yaml +++ b/stalwart-mail/templates/traefik.yaml 
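Review bot: Removing the `/opt/stalwart-mail/etc/dkim/private.key` mount leaves the chart with no DKIM key source, while the README hunk in this same commit documents `config.auth.dkim.sign` defaulting to `['rsa', 'ed25519']` for non-smtp listeners and drops the `config.signature.rsa` rows; if Stalwart expects `signature.rsa` and `signature.ed25519` entries for those names (not verifiable from the diff), outbound signing will fail or silently not happen. Either provide the keys through `secrets.env` and document it, or add a comment next to the `dkim.sign` default in values.yaml stating that operators must supply their own `signature.*` entries. The added `readOnly: true` on the config mount is a good change. The `volumeMounts` list continues outside the hunk.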
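Review bot: `{{ $value | b64enc }}` fails to render when a value in `secrets.env` is not a string (a numeric port, `true`), because `b64enc` expects a string; use `{{ $key }}: {{ $value | toString | b64enc }}`, or emit the map under `stringData:` and drop the encoding. Separately, the README hunk documents `FALLBACK_ADMIN_SECRET` as defaulting to `"supersecret"`, so a default install yields an admin account with a published password; stop rendering in that case with a guard before the range, e.g. `{{- if eq (index .Values.secrets.env "FALLBACK_ADMIN_SECRET" | default "") "supersecret" }}{{ fail "secrets.env.FALLBACK_ADMIN_SECRET still has the placeholder value" }}{{- end }}`, or ship an empty default and wrap the value in `required`.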
@@ -9,10 +9,10 @@ spec: entryPoints: - {{ $entryport }} routes: - - match: HostSNI(`{{ $.Values.config.macros.host }}`) + - match: HostSNI(`{{ $.Values.traefik.host }}`) services: - name: {{ include "stalwart-mail.fullname" $ }} - port: {{ $port}} + port: {{ $port }} proxyProtocol: version: 2 tls: diff --git a/stalwart-mail/values.yaml b/stalwart-mail/values.yaml index bf9a103..142ecdf 100644 --- a/stalwart-mail/values.yaml +++ b/stalwart-mail/values.yaml 
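Review bot: `HostSNI(`{{ $.Values.traefik.host }}`)` renders with an empty host when `traefik.host` is unset, producing a route that will not match as intended; the values.yaml hunk in this diff is cut off, so I cannot confirm that a default exists. Make the value mandatory at render time by replacing the expression with `required "traefik.host must be set when traefik routes are enabled" $.Values.traefik.host`. Since the host previously came from `config.macros.host`, which this commit removes, existing value files that only set the old key will now render an empty SNI match, which deserves a line in the README or changelog.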
@@ -21,713 +21,105 @@ imagePullSecrets: [] nameOverride: "" fullnameOverride: "" - -## -# Configuration of stalwart mail-server -# defaults taken from: https://github.com/stalwartlabs/mail-server/tree/6aeadb9cda301ec5f210d8e8390515e6292592fa/resources/config -# -# files import completed: -# - config.toml -# - common/*.toml -# - imap/*.toml -# -## config: - - - ## - # macros - ## - - # -- macros (from: config.toml) - macros: - host: "__HOST__" - default_domain: "__DOMAIN__" - default_directory: "memory" - default_store: "sqlite" - - - ## - # global - ## - - global: - shared-map: - # -- global shared-map capacity (from: common/server.toml) - capacity: 10 - # -- global shared-map shard (from: common/server.toml) - shard: 32 - - # -- global thead-pool (from: common/server.toml) - thread-pool: - - # -- global tracing (from: common/tracing.toml) - tracing: - method: "stdout" - level: "info" - - - ## - # server - ## - server: - # -- server hostname (from: common/server.toml) - hostname: "%{HOST}%" - - security: - # -- server security blocked-networks (from: common/server.toml) - blocked-networks: {} - # -- server security fail2ban (from: common/server.toml) - fail2ban: "100/1d" - - run-as: - # -- server run-as user (from: common/server.toml) - user: "stalwart-mail" - # -- server run-as group (from: common/server.toml) - group: "stalwart-mail" - - socket: - # -- server socket nodelay (from: common/server.toml) - nodelay: true - # -- server socket reuse-addr (from: common/server.toml) - reuse-addr: true - # -- server socket reuse-port (from: common/server.toml) - reuse-port: false - # -- server socket backlog (from: common/server.toml) - backlog: 1024 - # -- server socket ttl (from: common/server.toml) - ttl: 3600 - # -- server socket send-buffer-size (from: common/server.toml) - send-buffer-size: 65535 - # -- server socket recv-buffer-size (from: common/server.toml) - recv-buffer-size: 65535 - # -- server socket linger (from: common/server.toml) - linger: 1 - # -- server 
socket tos (from: common/server.toml) - tos: 1 - - tls: - # -- server tls enable (from: common/tls.toml) - enable: true - # -- server tls implicit (from: common/tls.toml) - implicit: false - # -- server tls timeout (from: common/tls.toml) - timeout: "1m" - # -- server tls certificate (from: common/tls.toml) - certificate: "default" - # -- server tls acme (from: common/tls.toml) - # example: "letsencrypt" - acme: - # -- server tls sni (from: common/tls.toml) - # example: [{subject: "", certificate: ""}] - sni: - # -- server tls protocols (from: common/tls.toml) - # example: ["TLSv1.2", "TLSv1.3"] - protocols: - # -- server tls #ciphers (from: common/tls.toml) - # example: [ "TLS13_AES_256_GCM_SHA384", "TLS13_AES_128_GCM_SHA256", - # "TLS13_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", - # "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", - # "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - # "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"] - ciphers: - # -- server tls ignore-client-order (from: common/tls.toml) - ignore-client-order: true - - # -- server listener listener: smtp: - protocol: "smtp" bind: ["[::]:25"] - smtp-submission: protocol: "smtp" + submission: bind: ["[::]:587"] - smtps: protocol: "smtp" + submissions: bind: ["[::]:465"] + protocol: "smtp" tls: implicit: true - - # -- server listener with name imap (from: imap/listener.toml) imap: bind: ["[::]:143"] protocol: "imap" - - # -- server listener with name imaps (from: imap/listener.toml) - imaps: + imaptls: bind: ["[::]:993"] protocol: "imap" tls: implicit: true - # -- server listener with name sieve (from: imap/listener.toml) sieve: bind: ["[::]:4190"] protocol: "managesieve" + + https: + protocol: "http" + bind: ["[::]:80"] tls: implicit: true - # -- jmap/listener.yaml - http: - protocol: "jmap" - bind: ["[::]:80"] - url: "https://%{HOST}%" - - - ## - # sieve - ## - - sieve: - untrusted: - # -- sieve 
untrusted disable-capabilities (from: common/sieve.toml) - disable-capabilities: [] - # -- sieve untrusted notification-uris (from: common/sieve.toml) - notification-uris: ["mailto"] - # -- sieve untrusted protected-headers (from: common/sieve.toml) - protected-headers: ["Original-Subject", "Original-From", "Received", "Auto-Submitted"] - - limits: - # -- sieve untrusted limit name-length (from: common/sieve.toml) - name-length: 512 - # -- sieve untrusted limit max-scripts (from: common/sieve.toml) - max-scripts: 256 - # -- sieve untrusted limit script-size (from: common/sieve.toml) - script-size: 102400 - # -- sieve untrusted limit string-length (from: common/sieve.toml) - string-length: 4096 - # -- sieve untrusted limit variable-name-length (from: common/sieve.toml) - variable-name-length: 32 - # -- sieve untrusted limit variable-size (from: common/sieve.toml) - variable-size: 4096 - # -- sieve untrusted limit nested-blocks (from: common/sieve.toml) - nested-blocks: 15 - # -- sieve untrusted limit nested-tests (from: common/sieve.toml) - nested-tests: 15 - # -- sieve untrusted limit nested-foreverypart (from: common/sieve.toml) - nested-foreverypart: 3 - # -- sieve untrusted limit match-variables (from: common/sieve.toml) - match-variables: 30 - # -- sieve untrusted limit local-variables (from: common/sieve.toml) - local-variables: 128 - # -- sieve untrusted limit header-size (from: common/sieve.toml) - header-size: 1024 - # -- sieve untrusted limit includes (from: common/sieve.toml) - includes: 3 - # -- sieve untrusted limit nested-includes (from: common/sieve.toml) - nested-includes: 3 - # -- sieve untrusted limit cpu (from: common/sieve.toml) - cpu: 5000 - # -- sieve untrusted limit redirects (from: common/sieve.toml) - redirects: 1 - # -- sieve untrusted limit received-headers (from: common/sieve.toml) - received-headers: 10 - # -- sieve untrusted limit outgoing-messages (from: common/sieve.toml) - outgoing-messages: 3 - - vacation: - # -- sieve untrusted 
vacation default-subject (from: common/sieve.toml) - default-subject: "Automated reply" - # -- sieve untrusted vacation subject-prefix (from: common/sieve.toml) - subject-prefix: "Auto: " - - default-expiry: - # -- sieve untrusted default-expiry vacation (from: common/sieve.toml) - vacation: "30d" - # -- sieve untrusted default-expiry duplicate (from: common/sieve.toml) - duplicate: "7d" - - trusted: - # -- sieve trusted from-name (from: common/sieve.toml) - from-name: "Automated Message" - # -- sieve trusted from-addr (from: common/sieve.toml) - from-addr: "no-reply@%{DEFAULT_DOMAIN}%" - # -- sieve trusted return-path (from: common/sieve.toml) - return-path: "" - # -- sieve trusted hostname (from: common/sieve.toml) - hostname: "%{HOST}%" - # -- sieve trusted no-capability-check (from: common/sieve.toml) - no-capability-check: true - # -- sieve trusted sign (from: common/sieve.toml) - sign: ["rsa"] - - limits: - # -- sieve trusted limits redirects (from: common/sieve.toml) - redirects: 3 - # -- sieve trusted limits out-messages (from: common/sieve.toml) - out-messages: 5 - # -- sieve trusted limits received-headers (from: common/sieve.toml) - received-headers: 50 - # -- sieve trusted limits cpu (from: common/sieve.toml) - cpu: 1048576 - # -- sieve trusted limits nested-includes (from: common/sieve.toml) - nested-includes: 5 - # -- sieve trusted limits duplicate-expiry (from: common/sieve.toml) - duplicate-expiry: "7d" - - scripts: - # -- sieve trusted scripts connect (from: common/sieve.toml) - connect: - # -- sieve trusted scripts ehlo (from: common/sieve.toml) - ehlo: - # -- sieve trusted scripts mail (from: common/sieve.toml) - mail: - - ## - # storage - ## + run-as: + # -- server run-as user + user: "stalwart-mail" + # -- server run-as group + group: "stalwart-mail" storage: - # -- storage data (from: common/store.toml) - data: "%{DEFAULT_STORE}%" - # -- storage fts (from: common/store.toml) - # BROKEN / TODO - # see: 
https://github.com/stalwartlabs/mail-server/issues/211 - fts: "%{DEFAULT_STORE}%" - # -- storage blob (from: common/store.toml) - blob: "%{DEFAULT_STORE}%" - # -- storage lookup (from: common/store.toml) - lookup: "%{DEFAULT_STORE}%" - # -- storage directory (from: common/store.toml) - directory: "%{DEFAULT_DIRECTORY}%" - encryption: - # -- storage encryption enable (from: common/store.toml) - enable: true - # -- storage encryption append (from: common/store.toml) - append: false - spam: - # -- storage spam header (from: common/store.toml) - header: "X-Spam-Status: Yes" - # BROKEN / TODO - # should be fts: - # see: https://github.com/stalwartlabs/mail-server/issues/211 - fts-table-duplicated-workaround: - # -- storage - fts - default-language (from: common/store.toml) - default-language: "en" - cluster: - # -- storage - cluster - node-id (from: common/store.toml) - node-id: - - - ## - # ACME - ## - - acme: - # -- acme with name letsencrypt (from: common/tls.toml) - letsencrypt: - # -- acme directory (from: common/tls.toml) - directory: "https://acme-v02.api.letsencrypt.org/directory" - # -- acme contact (from: common/tls.toml) - contact: ["postmaster@%{DEFAULT_DOMAIN}%"] - # -- acme cache (from: common/tls.toml) - cache: "/opt/stalwart-mail/etc/acme" - # -- acme port (from: common/tls.toml) - port: 443 - # -- acme renew-before (from: common/tls.toml) - renew-before: "30d" - - ## - # certificate - ## - - certificate: - # -- certificate with name default (from: common/tls.toml) - default: - # -- certificate cert (from: common/tls.toml) - cert: "file:///opt/stalwart-mail/etc/certs/tls.crt" - # -- certificate private-key (from: common/tls.toml) - private-key: "file:///opt/stalwart-mail/etc/certs/tls.key" - - - ## - # directory - ## - - directory: - - # -- directory - with name memory (from: directory/internal.yaml) - memory: - type: memory - # -- overwrite me, if not wanted - disable: false - options: - catch-all: true - subaddressing: true - principals: - - type: 
"admin" - description: "Superuser" - name: "admin" - secret: "changeme" - mail: - - "postmaster@%{DEFAULT_DOMAIN}%" - - - ## - # store - ## + data: "rocksdb" + fts: "rocksdb" + blob: "rocksdb" + lookup: "rocksdb" + directory: "internal" store: + rocksdb: + type: rocksdb + path: "/data" + compression: "lz4" - # -- store - with name sqlite - sqlite: - type: "sqlite" - # -- overwrite me, if not wanted - disable: false - path: "/data/index.sqlite3" - purge: - frequency: "0 3 *" - query: - name: "SELECT name, type, secret, description, quota FROM accounts WHERE name = ? AND active = true" - members: "SELECT member_of FROM group_members WHERE name = ?" - recipients: "SELECT name FROM emails WHERE address = ?" - emails: "SELECT address FROM emails WHERE name = ? AND type != 'list' ORDER BY type DESC, address ASC" - verify: "SELECT address FROM emails WHERE address LIKE '%' || ? || '%' AND type = 'primary' ORDER BY address LIMIT 5" - expand: "SELECT p.address FROM emails AS p JOIN emails AS l ON p.name = l.name WHERE p.type = 'primary' AND l.address = ? AND l.type = 'list' ORDER BY p.address LIMIT 50" - domains: "SELECT 1 FROM emails WHERE address LIKE '%@' || ? LIMIT 1" + directory: + internal: + type: "internal" + store: "rocksdb" - # -- store - with name fs - fs: - type: "fs" - # -- overwrite me, if not wanted - disable: false - path: "/data/blobs" - depth: 2 - purge: - frequency: "0 3 *" + tracer: + otel: + enable: false + type: "open-telemetry" + level: "info" + # -- grpc or http + transport: "grpc" + endpoint: "https://127.0.0.1/otel" + # -- headers for usage with http (e.g. 
'Authorization: ') + headers: [] + stdout: + enable: true + type: "stdout" + level: "info" + ansi: false - - ## - # OAuth - ## - - oauth: - - # -- oauth - key - key: "__OAUTH_KEY__" - - # -- oauth - auth - auth: - max-attempts: 3 - - # -- oauth - expiry - expiry: - user-code: "30m" - auth-code: "10m" - token: "1h" - refresh-token: "30d" - refresh-token-renew: "4d" - - # -- oauth - cache - cache: - size: 128 - - - ## - # SMTP configuration (smtp/*.yaml) - ## - - - ## - # query (from: smtp/queue.yaml) - ## - - queue: - # -- queue-path - path: "/data/queue" - # -- queue-hash - hash: 64 - - # -- queue-schedule - schedule: - retry: "[2m, 5m, 10m, 15m, 30m, 1h, 2h]" - notify: "[1d, 3d]" - expire: "5d" - - # -- queue-outbound - outbound: - # hostname: "%{HOST}%" - next-hop: - - if: "is_local_domain('%{DEFAULT_DIRECTORY}%', rcpt_domain)" - then: "'local'" - - else: false - ip-strategy: "ipv4_then_ipv6" - tls: - dane: "optional" - mta-sts: "optional" - starttls: "require" - allow-invalid-certs: false - limits: - mx: 7 - multihomed: 2 - timeouts: - connect: "3m" - greeting: "3m" - tls: "2m" - ehlo: "3m" - mail-from: "3m" - rcpt-to: "3m" - data: "10m" - mta-sts: "2m" - quota: - - match: - # match: "sender_domain = 'foobar.org'" - # key: ["rcpt"] - key: - messages: 100000 - # 10gb - size: 10737418240 - throttle: - - key: ["rcpt_domain"] - # rate: "100/1h" - rate: - concurrency: 5 - - - ## - # Report (from: smtp/report.yaml) - ## - - report: - # -- report-path - path: "/data/reports" - # -- report-hash - hash: 64 - # submitter: "%{HOST}%" - - # -- report-analysis - analysis: - addresses: ["dmarc@*", "abuse@*", "postmaster@*"] - forward: true - # store: "/data/incoming" - - # -- report-dsn - dsn: - from-name: "'Mail Delivery Subsystem'" - from-address: "'MAILER-DAEMON@%{DEFAULT_DOMAIN}%'" - sign: "['rsa']" - - # -- report-dkim + auth: dkim: - from-name: "'Report Subsystem'" - from-address: "'noreply-dkim@%{DEFAULT_DOMAIN}%'" - subject: "'DKIM Authentication Failure Report'" - 
sign: "['rsa']" - send: "[1, 1d]" + # -- auth rule for signing with dkim + # @section -- DKIM + sign: + - if: "listener != 'smtp'" + then: "['rsa', 'ed25519']" + - else: false + # -- verify of dkim signature (relaxed, strict, disable) + # @section -- DKIM + verify: "relaxed" - # -- report-spf - spf: - from-name: "'Report Subsystem'" - from-address: "'noreply-spf@%{DEFAULT_DOMAIN}%'" - subject: "'SPF Authentication Failure Report'" - sign: "['rsa']" - send: "[1, 1d]" + authentication: + fallback-admin: + # -- username for fallback authentfication + # @section -- Authentification + user: "admin" + # -- password for fallback authentfication (use env for store in secrets of kubernetes) + # @section -- Authentification + secret: "%{env:FALLBACK_ADMIN_SECRET}%" - # -- report-dmarc - dmarc: - from-name: "'Report Subsystem'" - from-address: "'noreply-dmarc@%{DEFAULT_DOMAIN}%'" - subject: "'DMARC Authentication Failure Report'" - sign: "['rsa']" - send: "[1, 1d]" - aggregate: - from-name: "'DMARC Report'" - from-address: "'noreply-dmarc@%{DEFAULT_DOMAIN}%'" - org-name: "'%{DEFAULT_DOMAIN}%'" - # contact-info: "" - send: "daily" - # -- default: 25 mb - max-size: 26214400 - sign: "['rsa']" - - # -- report-tls - tls: - aggregate: - from-name: "'TLS Report'" - from-address: "'noreply-tls@%{DEFAULT_DOMAIN}%'" - org-name: "'%{DEFAULT_DOMAIN}%'" - # contact-info: "" - send: "daily" - # -- default: 25 mb - max-size: 26214400 - sign: "['rsa']" - - - ## - # resolver (from: smtp/resolver.yaml) - ## - - resolver: - # -- resolver-type - type: "system" - # -- resolver-preserve-intermediates - preserve-intermediates: true - # -- resolver-concurrency - concurrency: 2 - # -- resolver-timeout - timeout: "5s" - # -- resolver-attempts - attempts: 2 - # -- resolver-try-tcp-on-error - try-tcp-on-error: true - # -- resolver-public-suffix - public-suffix: - - "https://publicsuffix.org/list/public_suffix_list.dat" - - "file:///opt/stalwart-mail/etc/spamfilter/maps/suffix_list.dat.gz" - - # -- 
resolver-cache - cache: - txt: 2048 - mx: 1024 - ipv4: 1024 - ipv6: 1024 - ptr: 1024 - tlsa: 1024 - mta-sts: 1024 - - - ## - # signature (from: smtp/signature.yaml) - ## - - signature: - # -- signature-rsa - rsa: - # public-key: "file://opt/stalwart-mail/etc/dkim/%{DEFAULT_DOMAIN}%.cert" - private-key: "file://opt/stalwart-mail/etc/dkim/private.key" - domain: "%{DEFAULT_DOMAIN}%" - selector: "stalwart" - headers: ["From", "To", "Date", "Subject", "Message-ID"] - algorithm: "rsa-sha256" - canonicalization: "relaxed/relaxed" - # expire: "10d" - # third-party: "" - # third-party-algo: "" - # auid: "" - set-body-length: false - report: true - - - ## - # IMAP - ## - - imap: - request: - # -- imap request max-size (from: imap/settings.toml) - max-size: 52428800 - auth: - # -- imap auth max-failures(from: imap/settings.toml) - max-failures: 3 - # -- imap auth allow-plain-text (from: imap/settings.toml) - allow-plain-text: false - folders: - name: - # -- imap folders name shared (from: imap/settings.toml) - shared: "Shared Folders" - timeout: - # -- imap timeout authenticated (from: imap/settings.toml) - authenticated: "30m" - # -- imap timeout anonymous (from: imap/settings.toml) - anonymous: "1m" - # -- imap timeout idle (from: imap/settings.toml) - idle: "30m" - rate-limit: - # -- imap rate-limit requests (from: imap/settings.toml) - requests: "2000/1m" - # -- imap rate-limit concurrent (from: imap/settings.toml) - concurrent: 6 - protocol: - # -- imap protocol uidplus (from: imap/settings.toml) - uidplus: false - - - ## - # JMAP - ## - - jmap: - # -- jmap-directory (from: jmap/auth.yaml) - directory: "%{DEFAULT_DIRECTORY}%" - # -- jmap-session (from: jmap/auth.yaml) - session: - cache: - ttl: "1h" - size: 100 - purge: - frequency: "0 3 *" - - # -- jmap-protocol (from: jmap/protocol.yaml) - protocol: - get: - max-objects: 500 - set: - max-objects: 500 - request: - max-concurrent: 4 - max-size: 10000000 - max-calls: 16 - query: - max-results: 5000 - upload: - max-size: 
50000000 - max-concurrent: 4 - ttl: "1h" - quota: - files: 1000 - size: 50000000 - changes: - max-results: 5000 - - # -- jmap-mailbox - mailbox: - max-depth: 10 - max-name-length: 255 - - # -- jmap-email - email: - max-attachment-size: 50000000 - max-size: 75000000 - - parse: - max-items: 10 - - # -- jmap-principal - principal: - allow-lookups: true - - # -- jmap-push (from: jmap/push.yaml) - push: - max-total: 100 - throttle: "1ms" - attempts: - interval: "1m" - max: 3 - retry: - interval: "1s" - timeout: - request: "10s" - verify: "1s" - - # -- jmap-event-source - event-source: - throttle: "1s" - - # -- jmap-rate-limit (from: jmap/ratelimit.yaml) - rate-limit: - account: "1000/1m" - authentication: "10/1m" - anonymous: "100/1m" - use-forwarded: true - cache: - size: 1024 - - # -- jmap-web-sockets (from: jmap/websocket.yaml) - web-sockets: - throttle: "1s" - timeout: "10m" - heartbeat: "1m" +secrets: + env: + # -- password for fallback authentfication (env) + # @section -- Authentification + FALLBACK_ADMIN_SECRET: supersecret serviceAccount: # Specifies whether a service account should be created @@ -743,6 +135,8 @@ serviceAccount: podAnnotations: {} podLabels: {} +env: [] + podSecurityContext: {} # fsGroup: 2000
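Review bot: `FALLBACK_ADMIN_SECRET: supersecret` ships a working default for the fallback admin credential, and since `authentication.fallback-admin.secret` reads it via `%{env:FALLBACK_ADMIN_SECRET}%`, an install that keeps the defaults exposes the admin account with a password printed in the README; prefer an empty default here (`FALLBACK_ADMIN_SECRET: ""`) combined with `required` in the secrets-env template, or a `randAlphaNum` value plus a documented way to retrieve it. The DKIM rule `then: "['rsa', 'ed25519']"` names two signers, but the old `signature.rsa` block and the `dkim.key` generation are removed in this commit with no replacement visible; if the 0.8 server does not manage these keys itself, outbound mail will be unsigned, so a comment stating where the keys come from would help. The listener named `https` binds `[::]:80` with `implicit: true` TLS, which is an unusual pairing that deserves a one-line comment if it is intentional for TLS passthrough or a change to 443 otherwise.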