fix(stalwart-mail): update AppVersion to v0.8.1

2024-03-09 10:09:48 +00:00 · 2024-03-09 10:09:48 +00:00 · 3d1999fd7a
commit 3d1999fd7a
parent 9b48a048d4
8 changed files with 278 additions and 1403 deletions
--- a/stalwart-mail/Chart.yaml
+++ b/stalwart-mail/Chart.yaml
@ -3,9 +3,9 @@ name: stalwart-mail
 description: Helm Chart for Stalwart Mail Server - Secure & Modern All-in-One Mail Server (IMAP, JMAP, SMTP)
 icon: https://stalw.art/home/apple-touch-icon.png
 type: application
-version: 0.0.4
+version: 0.0.5
 # renovate: image=docker.io/stalwartlabs/mail-server
-appVersion: "0.6.0"
+appVersion: "0.8.1"
 maintainers:
  - name: WrenIX
    url: https://wrenix.eu
--- a/stalwart-mail/README.adoc
+++ b/stalwart-mail/README.adoc
@ -2,9 +2,9 @@
 = stalwart-mail
-image::https://img.shields.io/badge/Version-0.0.4-informational?style=flat-square[Version: 0.0.4]
+image::https://img.shields.io/badge/Version-0.0.5-informational?style=flat-square[Version: 0.0.5]
 image::https://img.shields.io/badge/Version-application-informational?style=flat-square[Type: application]
-image::https://img.shields.io/badge/AppVersion-0.6.0-informational?style=flat-square[AppVersion: 0.6.0]
+image::https://img.shields.io/badge/AppVersion-0.8.1-informational?style=flat-square[AppVersion: 0.8.1]
 == Maintainers
 .Maintainers
@ -56,7 +56,41 @@ helm uninstall stalwart-mail-release
 == Values
-.Values
+.Values DKIM
 |===
 | Key | Type | Default | Description
 | config.auth.dkim.sign
 | list
 | `[{"if":"listener != 'smtp'","then":"['rsa', 'ed25519']"},{"else":false}]`
 | auth rule for signing with dkim
 | config.auth.dkim.verify
 | string
 | `"relaxed"`
 | verify of dkim signature (relaxed, strict, disable)
 |===
 .Values Authentification
 |===
 | Key | Type | Default | Description
 | config.authentication.fallback-admin.secret
 | string
 | `"%{env:FALLBACK_ADMIN_SECRET}%"`
 | password for fallback authentfication (use env for store in secrets of kubernetes)
 | config.authentication.fallback-admin.user
 | string
 | `"admin"`
 | username for fallback authentfication
 | secrets.env.FALLBACK_ADMIN_SECRET
 | string
 | `"supersecret"`
 | password for fallback authentfication (env)
 |===
 .Values Other Values
 |===
 | Key | Type | Default | Description
@ -115,765 +149,205 @@ helm uninstall stalwart-mail-release
 | `nil`
 | not needed if certmanager is used
-| config.acme.letsencrypt
+| config.directory.internal.store
 | object
 | `{"cache":"/opt/stalwart-mail/etc/acme","contact":["postmaster@%{DEFAULT_DOMAIN}%"],"directory":"https://acme-v02.api.letsencrypt.org/directory","port":443,"renew-before":"30d"}`
 | acme with name letsencrypt (from: common/tls.toml)
 | config.acme.letsencrypt.cache
 | string
-| `"/opt/stalwart-mail/etc/acme"`
+| `"rocksdb"`
 | acme cache (from: common/tls.toml)
 | config.acme.letsencrypt.contact
 | list
 | `["postmaster@%{DEFAULT_DOMAIN}%"]`
 | acme contact (from: common/tls.toml)
 | config.acme.letsencrypt.directory
 | string
 | `"https://acme-v02.api.letsencrypt.org/directory"`
 | acme directory (from: common/tls.toml)
 | config.acme.letsencrypt.port
 | int
 | `443`
 | acme port (from: common/tls.toml)
 | config.acme.letsencrypt.renew-before
 | string
 | `"30d"`
 | acme renew-before (from: common/tls.toml)
 | config.certificate.default
 | object
 | `{"cert":"file:///opt/stalwart-mail/etc/certs/tls.crt","private-key":"file:///opt/stalwart-mail/etc/certs/tls.key"}`
 | certificate with name default (from: common/tls.toml)
 | config.certificate.default.cert
 | string
 | `"file:///opt/stalwart-mail/etc/certs/tls.crt"`
 | certificate cert (from: common/tls.toml)
 | config.certificate.default.private-key
 | string
 | `"file:///opt/stalwart-mail/etc/certs/tls.key"`
 | certificate private-key (from: common/tls.toml)
 | config.directory.memory
 | object
 | `{"disable":false,"options":{"catch-all":true,"subaddressing":true},"principals":[{"description":"Superuser","mail":["postmaster@%{DEFAULT_DOMAIN}%"],"name":"admin","secret":"changeme","type":"admin"}],"type":"memory"}`
 | directory - with name memory (from: directory/internal.yaml)
 | config.directory.memory.disable
 | bool
 | `false`
 | overwrite me, if not wanted
 | config.global.shared-map.capacity
 | int
 | `10`
 | global shared-map capacity (from: common/server.toml)
 | config.global.shared-map.shard
 | int
 | `32`
 | global shared-map shard (from: common/server.toml)
 | config.global.thread-pool
 | string
 | `nil`
 | global thead-pool (from: common/server.toml)
 | config.global.tracing
 | object
 | `{"level":"info","method":"stdout"}`
 | global tracing (from: common/tracing.toml)
 | config.imap.auth.allow-plain-text
 | bool
 | `false`
 | imap auth allow-plain-text (from: imap/settings.toml)
 | config.imap.auth.max-failures
 | int
 | `3`
 | imap auth max-failures(from: imap/settings.toml)
 | config.imap.folders.name.shared
 | string
 | `"Shared Folders"`
 | imap folders name shared (from: imap/settings.toml)
 | config.imap.protocol.uidplus
 | bool
 | `false`
 | imap protocol uidplus (from: imap/settings.toml)
 | config.imap.rate-limit.concurrent
 | int
 | `6`
 | imap rate-limit concurrent (from: imap/settings.toml)
 | config.imap.rate-limit.requests
 | string
 | `"2000/1m"`
 | imap rate-limit requests (from: imap/settings.toml)
 | config.imap.request.max-size
 | int
 | `52428800`
 | imap request max-size (from: imap/settings.toml)
 | config.imap.timeout.anonymous
 | string
 | `"1m"`
 | imap timeout anonymous (from: imap/settings.toml)
 | config.imap.timeout.authenticated
 | string
 | `"30m"`
 | imap timeout authenticated (from: imap/settings.toml)
 | config.imap.timeout.idle
 | string
 | `"30m"`
 | imap timeout idle (from: imap/settings.toml)
 | config.jmap.directory
 | string
 | `"%{DEFAULT_DIRECTORY}%"`
 | jmap-directory (from: jmap/auth.yaml)
 | config.jmap.email
 | object
 | `{"max-attachment-size":50000000,"max-size":75000000,"parse":{"max-items":10}}`
 | jmap-email
 | config.jmap.event-source
 | object
 | `{"throttle":"1s"}`
 | jmap-event-source
 | config.jmap.mailbox
 | object
 | `{"max-depth":10,"max-name-length":255}`
 | jmap-mailbox
 | config.jmap.principal
 | object
 | `{"allow-lookups":true}`
 | jmap-principal
 | config.jmap.protocol
 | object
 | `{"changes":{"max-results":5000},"get":{"max-objects":500},"query":{"max-results":5000},"request":{"max-calls":16,"max-concurrent":4,"max-size":10000000},"set":{"max-objects":500},"upload":{"max-concurrent":4,"max-size":50000000,"quota":{"files":1000,"size":50000000},"ttl":"1h"}}`
 | jmap-protocol (from: jmap/protocol.yaml)
 | config.jmap.push
 | object
 | `{"attempts":{"interval":"1m","max":3},"max-total":100,"retry":{"interval":"1s"},"throttle":"1ms","timeout":{"request":"10s","verify":"1s"}}`
 | jmap-push (from: jmap/push.yaml)
 | config.jmap.rate-limit
 | object
 | `{"account":"1000/1m","anonymous":"100/1m","authentication":"10/1m","cache":{"size":1024},"use-forwarded":true}`
 | jmap-rate-limit (from: jmap/ratelimit.yaml)
 | config.jmap.session
 | object
 | `{"cache":{"size":100,"ttl":"1h"},"purge":{"frequency":"0 3 *"}}`
 | jmap-session (from: jmap/auth.yaml)
 | config.jmap.web-sockets
 | object
 | `{"heartbeat":"1m","throttle":"1s","timeout":"10m"}`
 | jmap-web-sockets (from: jmap/websocket.yaml)
 | config.macros
 | object
 | `{"default_directory":"memory","default_domain":"__DOMAIN__","default_store":"sqlite","host":"__HOST__"}`
 | macros (from: config.toml)
 | config.oauth.auth
 | object
 | `{"max-attempts":3}`
 | oauth - auth
 | config.oauth.cache
 | object
 | `{"size":128}`
 | oauth - cache
 | config.oauth.expiry
 | object
 | `{"auth-code":"10m","refresh-token":"30d","refresh-token-renew":"4d","token":"1h","user-code":"30m"}`
 | oauth - expiry
 | config.oauth.key
 | string
 | `"__OAUTH_KEY__"`
 | oauth - key
 | config.queue.hash
 | int
 | `64`
 | queue-hash
 | config.queue.outbound
 | object
 | `{"ip-strategy":"ipv4_then_ipv6","limits":{"multihomed":2,"mx":7},"next-hop":[{"if":"is_local_domain('%{DEFAULT_DIRECTORY}%', rcpt_domain)","then":"'local'"},{"else":false}],"timeouts":{"connect":"3m","data":"10m","ehlo":"3m","greeting":"3m","mail-from":"3m","mta-sts":"2m","rcpt-to":"3m","tls":"2m"},"tls":{"allow-invalid-certs":false,"dane":"optional","mta-sts":"optional","starttls":"require"}}`
 | queue-outbound
 | config.queue.path
 | string
 | `"/data/queue"`
 | queue-path
 | config.queue.quota[0].key
 | string
 | `nil`
 |
-| config.queue.quota[0].match
+| config.directory.internal.type
 | string
-| `nil`
+| `"internal"`
 |
-| config.queue.quota[0].messages
+| config.server.listener.https.bind[0]
 | int
 | `100000`
 |
 | config.queue.quota[0].size
 | int
 | `10737418240`
 |
 | config.queue.schedule
 | object
 | `{"expire":"5d","notify":"[1d, 3d]","retry":"[2m, 5m, 10m, 15m, 30m, 1h, 2h]"}`
 | queue-schedule
 | config.queue.throttle[0].concurrency
 | int
 | `5`
 |
 | config.queue.throttle[0].key[0]
 | string
-| `"rcpt_domain"`
+| `"[::]:80"`
 |
-| config.queue.throttle[0].rate
+| config.server.listener.https.protocol
 | string
-| `nil`
+| `"http"`
 |
-| config.report.analysis
+| config.server.listener.https.tls.implicit
 | object
 | `{"addresses":["dmarc@*","abuse@*","postmaster@*"],"forward":true}`
 | report-analysis
 | config.report.dkim
 | object
 | `{"from-address":"'noreply-dkim@%{DEFAULT_DOMAIN}%'","from-name":"'Report Subsystem'","send":"[1, 1d]","sign":"['rsa']","subject":"'DKIM Authentication Failure Report'"}`
 | report-dkim
 | config.report.dmarc
 | object
 | `{"aggregate":{"from-address":"'noreply-dmarc@%{DEFAULT_DOMAIN}%'","from-name":"'DMARC Report'","max-size":26214400,"org-name":"'%{DEFAULT_DOMAIN}%'","send":"daily","sign":"['rsa']"},"from-address":"'noreply-dmarc@%{DEFAULT_DOMAIN}%'","from-name":"'Report Subsystem'","send":"[1, 1d]","sign":"['rsa']","subject":"'DMARC Authentication Failure Report'"}`
 | report-dmarc
 | config.report.dmarc.aggregate.max-size
 | int
 | `26214400`
 | default: 25 mb
 | config.report.dsn
 | object
 | `{"from-address":"'MAILER-DAEMON@%{DEFAULT_DOMAIN}%'","from-name":"'Mail Delivery Subsystem'","sign":"['rsa']"}`
 | report-dsn
 | config.report.hash
 | int
 | `64`
 | report-hash
 | config.report.path
 | string
 | `"/data/reports"`
 | report-path
 | config.report.spf
 | object
 | `{"from-address":"'noreply-spf@%{DEFAULT_DOMAIN}%'","from-name":"'Report Subsystem'","send":"[1, 1d]","sign":"['rsa']","subject":"'SPF Authentication Failure Report'"}`
 | report-spf
 | config.report.tls
 | object
 | `{"aggregate":{"from-address":"'noreply-tls@%{DEFAULT_DOMAIN}%'","from-name":"'TLS Report'","max-size":26214400,"org-name":"'%{DEFAULT_DOMAIN}%'","send":"daily","sign":"['rsa']"}}`
 | report-tls
 | config.report.tls.aggregate.max-size
 | int
 | `26214400`
 | default: 25 mb
 | config.resolver.attempts
 | int
 | `2`
 | resolver-attempts
 | config.resolver.cache
 | object
 | `{"ipv4":1024,"ipv6":1024,"mta-sts":1024,"mx":1024,"ptr":1024,"tlsa":1024,"txt":2048}`
 | resolver-cache
 | config.resolver.concurrency
 | int
 | `2`
 | resolver-concurrency
 | config.resolver.preserve-intermediates
 | bool
 | `true`
-| resolver-preserve-intermediates
+|
-| config.resolver.public-suffix
+| config.server.listener.imap.bind[0]
 | list
 | `["https://publicsuffix.org/list/public_suffix_list.dat","file:///opt/stalwart-mail/etc/spamfilter/maps/suffix_list.dat.gz"]`
 | resolver-public-suffix
 | config.resolver.timeout
 | string
-| `"5s"`
+| `"[::]:143"`
-| resolver-timeout
+|
-| config.resolver.try-tcp-on-error
+| config.server.listener.imap.protocol
 | string
 | `"imap"`
 |
 | config.server.listener.imaptls.bind[0]
 | string
 | `"[::]:993"`
 |
 | config.server.listener.imaptls.protocol
 | string
 | `"imap"`
 |
 | config.server.listener.imaptls.tls.implicit
 | bool
 | `true`
-| resolver-try-tcp-on-error
+|
-| config.resolver.type
+| config.server.listener.sieve.bind[0]
 | string
-| `"system"`
+| `"[::]:4190"`
-| resolver-type
+|
-| config.server.hostname
+| config.server.listener.sieve.protocol
 | string
-| `"%{HOST}%"`
+| `"managesieve"`
-| server hostname (from: common/server.toml)
+|
-| config.server.listener
+| config.server.listener.smtp.bind[0]
-| object
+| string
-| `{"http":{"bind":["[::]:80"],"protocol":"jmap","url":"https://%{HOST}%"},"imap":{"bind":["[::]:143"],"protocol":"imap"},"imaps":{"bind":["[::]:993"],"protocol":"imap","tls":{"implicit":true}},"sieve":{"bind":["[::]:4190"],"protocol":"managesieve","tls":{"implicit":true}},"smtp":{"bind":["[::]:25"],"protocol":"smtp"},"smtp-submission":{"bind":["[::]:587"],"protocol":"smtp"},"smtps":{"bind":["[::]:465"],"protocol":"smtp","tls":{"implicit":true}}}`
+| `"[::]:25"`
-| server listener
+|
-| config.server.listener.http
+| config.server.listener.smtp.protocol
-| object
+| string
-| `{"bind":["[::]:80"],"protocol":"jmap","url":"https://%{HOST}%"}`
+| `"smtp"`
-| jmap/listener.yaml
+|
-| config.server.listener.imap
+| config.server.listener.submission.bind[0]
-| object
+| string
-| `{"bind":["[::]:143"],"protocol":"imap"}`
+| `"[::]:587"`
-| server listener with name imap (from: imap/listener.toml)
+|
-| config.server.listener.imaps
+| config.server.listener.submission.protocol
-| object
+| string
-| `{"bind":["[::]:993"],"protocol":"imap","tls":{"implicit":true}}`
+| `"smtp"`
-| server listener with name imaps (from: imap/listener.toml)
+|
-| config.server.listener.sieve
+| config.server.listener.submissions.bind[0]
-| object
+| string
-| `{"bind":["[::]:4190"],"protocol":"managesieve","tls":{"implicit":true}}`
+| `"[::]:465"`
-| server listener with name sieve (from: imap/listener.toml)
+|
 | config.server.listener.submissions.protocol
 | string
 | `"smtp"`
 |
 | config.server.listener.submissions.tls.implicit
 | bool
 | `true`
 |
 | config.server.run-as.group
 | string
 | `"stalwart-mail"`
-| server run-as group (from: common/server.toml)
+| server run-as group
 | config.server.run-as.user
 | string
 | `"stalwart-mail"`
-| server run-as user (from: common/server.toml)
+| server run-as user
 | config.server.security.blocked-networks
 | object
 | `{}`
 | server security blocked-networks (from: common/server.toml)
 | config.server.security.fail2ban
 | string
 | `"100/1d"`
 | server security fail2ban (from: common/server.toml)
 | config.server.socket.backlog
 | int
 | `1024`
 | server socket backlog (from: common/server.toml)
 | config.server.socket.linger
 | int
 | `1`
 | server socket linger (from: common/server.toml)
 | config.server.socket.nodelay
 | bool
 | `true`
 | server socket nodelay (from: common/server.toml)
 | config.server.socket.recv-buffer-size
 | int
 | `65535`
 | server socket recv-buffer-size (from: common/server.toml)
 | config.server.socket.reuse-addr
 | bool
 | `true`
 | server socket reuse-addr (from: common/server.toml)
 | config.server.socket.reuse-port
 | bool
 | `false`
 | server socket reuse-port (from: common/server.toml)
 | config.server.socket.send-buffer-size
 | int
 | `65535`
 | server socket send-buffer-size (from: common/server.toml)
 | config.server.socket.tos
 | int
 | `1`
 | server socket tos (from: common/server.toml)
 | config.server.socket.ttl
 | int
 | `3600`
 | server socket ttl (from: common/server.toml)
 | config.server.tls.acme
 | string
 | `nil`
 | server tls acme (from: common/tls.toml) example: "letsencrypt"
 | config.server.tls.certificate
 | string
 | `"default"`
 | server tls certificate (from: common/tls.toml)
 | config.server.tls.ciphers
 | string
 | `nil`
 | server tls #ciphers (from: common/tls.toml) example: [ "TLS13_AES_256_GCM_SHA384", "TLS13_AES_128_GCM_SHA256",            "TLS13_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",            "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"]
 | config.server.tls.enable
 | bool
 | `true`
 | server tls enable (from: common/tls.toml)
 | config.server.tls.ignore-client-order
 | bool
 | `true`
 | server tls ignore-client-order (from: common/tls.toml)
 | config.server.tls.implicit
 | bool
 | `false`
 | server tls implicit (from: common/tls.toml)
 | config.server.tls.protocols
 | string
 | `nil`
 | server tls protocols (from: common/tls.toml) example: ["TLSv1.2", "TLSv1.3"]
 | config.server.tls.sni
 | string
 | `nil`
 | server tls sni (from: common/tls.toml) example: [{subject: "", certificate: ""}]
 | config.server.tls.timeout
 | string
 | `"1m"`
 | server tls timeout (from: common/tls.toml)
 | config.sieve.trusted.from-addr
 | string
 | `"no-reply@%{DEFAULT_DOMAIN}%"`
 | sieve trusted from-addr (from: common/sieve.toml)
 | config.sieve.trusted.from-name
 | string
 | `"Automated Message"`
 | sieve trusted from-name (from: common/sieve.toml)
 | config.sieve.trusted.hostname
 | string
 | `"%{HOST}%"`
 | sieve trusted hostname (from: common/sieve.toml)
 | config.sieve.trusted.limits.cpu
 | int
 | `1048576`
 | sieve trusted limits cpu (from: common/sieve.toml)
 | config.sieve.trusted.limits.duplicate-expiry
 | string
 | `"7d"`
 | sieve trusted limits duplicate-expiry (from: common/sieve.toml)
 | config.sieve.trusted.limits.nested-includes
 | int
 | `5`
 | sieve trusted limits nested-includes (from: common/sieve.toml)
 | config.sieve.trusted.limits.out-messages
 | int
 | `5`
 | sieve trusted limits out-messages (from: common/sieve.toml)
 | config.sieve.trusted.limits.received-headers
 | int
 | `50`
 | sieve trusted limits received-headers (from: common/sieve.toml)
 | config.sieve.trusted.limits.redirects
 | int
 | `3`
 | sieve trusted limits redirects (from: common/sieve.toml)
 | config.sieve.trusted.no-capability-check
 | bool
 | `true`
 | sieve trusted no-capability-check (from: common/sieve.toml)
 | config.sieve.trusted.return-path
 | string
 | `""`
 | sieve trusted return-path (from: common/sieve.toml)
 | config.sieve.trusted.scripts.connect
 | string
 | `nil`
 | sieve trusted scripts connect (from: common/sieve.toml)
 | config.sieve.trusted.scripts.ehlo
 | string
 | `nil`
 | sieve trusted scripts ehlo (from: common/sieve.toml)
 | config.sieve.trusted.scripts.mail
 | string
 | `nil`
 | sieve trusted scripts mail (from: common/sieve.toml)
 | config.sieve.trusted.sign
 | list
 | `["rsa"]`
 | sieve trusted sign (from: common/sieve.toml)
 | config.sieve.untrusted.default-expiry.duplicate
 | string
 | `"7d"`
 | sieve untrusted default-expiry duplicate (from: common/sieve.toml)
 | config.sieve.untrusted.default-expiry.vacation
 | string
 | `"30d"`
 | sieve untrusted default-expiry vacation (from: common/sieve.toml)
 | config.sieve.untrusted.disable-capabilities
 | list
 | `[]`
 | sieve untrusted disable-capabilities (from: common/sieve.toml)
 | config.sieve.untrusted.limits.cpu
 | int
 | `5000`
 | sieve untrusted limit cpu (from: common/sieve.toml)
 | config.sieve.untrusted.limits.header-size
 | int
 | `1024`
 | sieve untrusted limit header-size (from: common/sieve.toml)
 | config.sieve.untrusted.limits.includes
 | int
 | `3`
 | sieve untrusted limit includes (from: common/sieve.toml)
 | config.sieve.untrusted.limits.local-variables
 | int
 | `128`
 | sieve untrusted limit local-variables (from: common/sieve.toml)
 | config.sieve.untrusted.limits.match-variables
 | int
 | `30`
 | sieve untrusted limit match-variables (from: common/sieve.toml)
 | config.sieve.untrusted.limits.max-scripts
 | int
 | `256`
 | sieve untrusted limit max-scripts (from: common/sieve.toml)
 | config.sieve.untrusted.limits.name-length
 | int
 | `512`
 | sieve untrusted limit name-length (from: common/sieve.toml)
 | config.sieve.untrusted.limits.nested-blocks
 | int
 | `15`
 | sieve untrusted limit nested-blocks (from: common/sieve.toml)
 | config.sieve.untrusted.limits.nested-foreverypart
 | int
 | `3`
 | sieve untrusted limit nested-foreverypart (from: common/sieve.toml)
 | config.sieve.untrusted.limits.nested-includes
 | int
 | `3`
 | sieve untrusted limit nested-includes (from: common/sieve.toml)
 | config.sieve.untrusted.limits.nested-tests
 | int
 | `15`
 | sieve untrusted limit nested-tests (from: common/sieve.toml)
 | config.sieve.untrusted.limits.outgoing-messages
 | int
 | `3`
 | sieve untrusted limit outgoing-messages (from: common/sieve.toml)
 | config.sieve.untrusted.limits.received-headers
 | int
 | `10`
 | sieve untrusted limit received-headers (from: common/sieve.toml)
 | config.sieve.untrusted.limits.redirects
 | int
 | `1`
 | sieve untrusted limit redirects (from: common/sieve.toml)
 | config.sieve.untrusted.limits.script-size
 | int
 | `102400`
 | sieve untrusted limit script-size (from: common/sieve.toml)
 | config.sieve.untrusted.limits.string-length
 | int
 | `4096`
 | sieve untrusted limit string-length (from: common/sieve.toml)
 | config.sieve.untrusted.limits.variable-name-length
 | int
 | `32`
 | sieve untrusted limit variable-name-length (from: common/sieve.toml)
 | config.sieve.untrusted.limits.variable-size
 | int
 | `4096`
 | sieve untrusted limit variable-size (from: common/sieve.toml)
 | config.sieve.untrusted.notification-uris
 | list
 | `["mailto"]`
 | sieve untrusted notification-uris (from: common/sieve.toml)
 | config.sieve.untrusted.protected-headers
 | list
 | `["Original-Subject","Original-From","Received","Auto-Submitted"]`
 | sieve untrusted protected-headers (from: common/sieve.toml)
 | config.sieve.untrusted.vacation.default-subject
 | string
 | `"Automated reply"`
 | sieve untrusted vacation default-subject (from: common/sieve.toml)
 | config.sieve.untrusted.vacation.subject-prefix
 | string
 | `"Auto: "`
 | sieve untrusted vacation subject-prefix (from: common/sieve.toml)
 | config.signature.rsa
 | object
 | `{"algorithm":"rsa-sha256","canonicalization":"relaxed/relaxed","domain":"%{DEFAULT_DOMAIN}%","headers":["From","To","Date","Subject","Message-ID"],"private-key":"file://opt/stalwart-mail/etc/dkim/private.key","report":true,"selector":"stalwart","set-body-length":false}`
 | signature-rsa
 | config.storage.blob
 | string
-| `"%{DEFAULT_STORE}%"`
+| `"rocksdb"`
-| storage blob (from: common/store.toml)
+|
 | config.storage.cluster.node-id
 | string
 | `nil`
 | storage - cluster - node-id (from: common/store.toml)
 | config.storage.data
 | string
-| `"%{DEFAULT_STORE}%"`
+| `"rocksdb"`
-| storage data (from: common/store.toml)
+|
 | config.storage.directory
 | string
-| `"%{DEFAULT_DIRECTORY}%"`
+| `"internal"`
-| storage directory (from: common/store.toml)
+|
 | config.storage.encryption.append
 | bool
 | `false`
 | storage encryption append (from: common/store.toml)
 | config.storage.encryption.enable
 | bool
 | `true`
 | storage encryption enable (from: common/store.toml)
 | config.storage.fts
 | string
-| `"%{DEFAULT_STORE}%"`
+| `"rocksdb"`
-| storage fts (from: common/store.toml) BROKEN / TODO see: https://github.com/stalwartlabs/mail-server/issues/211
+|
 | config.storage.fts-table-duplicated-workaround.default-language
 | string
 | `"en"`
 | storage - fts - default-language (from: common/store.toml)
 | config.storage.lookup
 | string
-| `"%{DEFAULT_STORE}%"`
+| `"rocksdb"`
-| storage lookup (from: common/store.toml)
+|
-| config.storage.spam.header
+| config.store.rocksdb.compression
 | string
-| `"X-Spam-Status: Yes"`
+| `"lz4"`
-| storage spam header (from: common/store.toml)
+|
-| config.store.fs
+| config.store.rocksdb.path
-| object
+| string
-| `{"depth":2,"disable":false,"path":"/data/blobs","purge":{"frequency":"0 3 *"},"type":"fs"}`
+| `"/data"`
-| store - with name fs
+|
-| config.store.fs.disable
+| config.store.rocksdb.type
 | string
 | `"rocksdb"`
 |
 | config.tracer.otel.enable
 | bool
 | `false`
-| overwrite me, if not wanted
+|
-| config.store.sqlite
+| config.tracer.otel.endpoint
-| object
+| string
-| `{"disable":false,"path":"/data/index.sqlite3","purge":{"frequency":"0 3 *"},"query":{"domains":"SELECT 1 FROM emails WHERE address LIKE '%@' || ? LIMIT 1","emails":"SELECT address FROM emails WHERE name = ? AND type != 'list' ORDER BY type DESC, address ASC","expand":"SELECT p.address FROM emails AS p JOIN emails AS l ON p.name = l.name WHERE p.type = 'primary' AND l.address = ? AND l.type = 'list' ORDER BY p.address LIMIT 50","members":"SELECT member_of FROM group_members WHERE name = ?","name":"SELECT name, type, secret, description, quota FROM accounts WHERE name = ? AND active = true","recipients":"SELECT name FROM emails WHERE address = ?","verify":"SELECT address FROM emails WHERE address LIKE '%' || ? || '%' AND type = 'primary' ORDER BY address LIMIT 5"},"type":"sqlite"}`
+| `"https://127.0.0.1/otel"`
-| store - with name sqlite
+|
-| config.store.sqlite.disable
+| config.tracer.otel.headers
 | list
 | `[]`
 | headers for usage with http (e.g. 'Authorization: <place_auth_here>')
 | config.tracer.otel.level
 | string
 | `"info"`
 |
 | config.tracer.otel.transport
 | string
 | `"grpc"`
 | grpc or http
 | config.tracer.otel.type
 | string
 | `"open-telemetry"`
 |
 | config.tracer.stdout.ansi
 | bool
 | `false`
-| overwrite me, if not wanted
+|
 | config.tracer.stdout.enable
 | bool
 | `true`
 |
 | config.tracer.stdout.level
 | string
 | `"info"`
 |
 | config.tracer.stdout.type
 | string
 | `"stdout"`
 |
 | env
 | list
 | `[]`
 |
 | fullnameOverride
 | string
--- a/stalwart-mail/templates/configmap.yaml
+++ b/stalwart-mail/templates/configmap.yaml
@ -0,0 +1,10 @@
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: {{ include "stalwart-mail.fullname" . }}
  labels:
    {{- include "stalwart-mail.labels" . | nindent 4 }}
 data:
  "config.toml": |
    {{- toToml .Values.config | replace ".0\n" "\n" | nindent 4 }}
--- a/stalwart-mail/templates/deployment.yaml
+++ b/stalwart-mail/templates/deployment.yaml
@ -14,7 +14,8 @@ spec:
  template:
    metadata:
      annotations:
-        confighash: {{ toYaml .Values.config | sha256sum | trunc 32 }}
+        config-hash: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
        secret-env-hash: {{ include (print $.Template.BasePath "/secrets-env.yaml") . | sha256sum }}
        {{- with .Values.podAnnotations }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
@ -39,6 +40,13 @@ spec:
          image: "{{ coalesce $.Values.global.image.registry .registry }}/{{ .repository }}:{{ .tag | default (printf "v%s" $.Chart.AppVersion) }}"
          imagePullPolicy: {{ coalesce $.Values.global.image.pullPolicy .pullPolicy }}
          {{- end }}
          {{- with .Values.env }}
          env:
            {{- toYaml . | nindent 12 }}
          {{- end }}
          envFrom:
            - secretRef:
                name: {{ include "stalwart-mail.fullname" . }}-env
          ports:
            {{- range $name, $port := .Values.service.ports }}
            - name: {{ $name }}
@ -62,9 +70,7 @@ spec:
            - name: config
              mountPath: "/opt/stalwart-mail/etc/config.toml"
              subPath: "config.toml"
-            - name: config
+              readOnly: true
              mountPath: "/opt/stalwart-mail/etc/dkim/private.key"
              subPath: "dkim.key"
            {{- if or .Values.certificate.secretName .Values.certificate.certmanager.enabled }}
            - name: certificate
              mountPath: "/opt/stalwart-mail/etc/certs"
@ -74,8 +80,8 @@ spec:
            {{- end }}
      volumes:
        - name: "config"
-          secret:
+          configMap:
-            secretName: {{ include "stalwart-mail.fullname" . }}
+            name: {{ include "stalwart-mail.fullname" . }}
        {{- if or .Values.certificate.secretName .Values.certificate.certmanager.enabled }}
        - name: certificate
          secret:
--- a/stalwart-mail/templates/secrets-env.yaml
+++ b/stalwart-mail/templates/secrets-env.yaml
@ -0,0 +1,11 @@
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  name: {{ include "stalwart-mail.fullname" . }}-env
  labels:
    {{- include "stalwart-mail.labels" . | nindent 4 }}
 data:
  {{- range $key, $value := .Values.secrets.env }}
  {{ $key }}: {{ $value | b64enc }}
  {{- end }}
--- a/stalwart-mail/templates/secrets.yaml
+++ b/stalwart-mail/templates/secrets.yaml
@ -1,20 +0,0 @@
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  name: {{ include "stalwart-mail.fullname" . }}
  labels:
    {{- include "stalwart-mail.labels" . | nindent 4 }}
  annotations:
    confighash: {{ toYaml .Values.config | sha256sum | trunc 32 }}
 data:
  "config.toml": {{ regexReplaceAll
    "trusted-networks = \\[(.*)\\]"
    (
      toToml .Values.config
      | replace ".0\n" "\n"
      | replace "fts-table-duplicated-workaround" "fts"
    )
    "trusted-networks = {${1}}"
    | b64enc }}
  "dkim.key": {{ genPrivateKey "rsa" | b64enc }}
--- a/stalwart-mail/templates/traefik.yaml
+++ b/stalwart-mail/templates/traefik.yaml
@ -9,10 +9,10 @@ spec:
  entryPoints:
    - {{ $entryport }}
  routes:
-    - match: HostSNI(`{{ $.Values.config.macros.host }}`)
+    - match: HostSNI(`{{ $.Values.traefik.host }}`)
      services:
        - name: {{ include "stalwart-mail.fullname" $ }}
-          port: {{ $port}}
+          port: {{ $port }}
          proxyProtocol:
            version: 2
  tls:
--- a/stalwart-mail/values.yaml
+++ b/stalwart-mail/values.yaml
@ -21,713 +21,105 @@ imagePullSecrets: []
 nameOverride: ""
 fullnameOverride: ""
 ##
 # Configuration of stalwart mail-server
 # defaults taken from: https://github.com/stalwartlabs/mail-server/tree/6aeadb9cda301ec5f210d8e8390515e6292592fa/resources/config
 #
 # files import completed:
 #   - config.toml
 #   - common/*.toml
 #   - imap/*.toml
 #
 ##
 config:
  ##
  # macros
  ##
  # -- macros (from: config.toml)
  macros:
    host: "__HOST__"
    default_domain: "__DOMAIN__"
    default_directory: "memory"
    default_store: "sqlite"
  ##
  # global
  ##
  global:
    shared-map:
      # -- global shared-map capacity (from: common/server.toml)
      capacity: 10
      # -- global shared-map shard (from: common/server.toml)
      shard: 32
    # -- global thead-pool (from: common/server.toml)
    thread-pool:
    # -- global tracing (from: common/tracing.toml)
    tracing:
      method: "stdout"
      level: "info"
  ##
  # server
  ##
  server:
    # -- server hostname (from: common/server.toml)
    hostname: "%{HOST}%"
    security:
      # -- server security blocked-networks (from: common/server.toml)
      blocked-networks: {}
      # -- server security fail2ban (from: common/server.toml)
      fail2ban: "100/1d"
    run-as:
      # -- server run-as user (from: common/server.toml)
      user: "stalwart-mail"
      # -- server run-as group (from: common/server.toml)
      group: "stalwart-mail"
    socket:
      # -- server socket nodelay (from: common/server.toml)
      nodelay: true
      # -- server socket reuse-addr (from: common/server.toml)
      reuse-addr: true
      # -- server socket reuse-port (from: common/server.toml)
      reuse-port: false
      # -- server socket backlog (from: common/server.toml)
      backlog: 1024
      # -- server socket ttl (from: common/server.toml)
      ttl: 3600
      # -- server socket send-buffer-size (from: common/server.toml)
      send-buffer-size: 65535
      # -- server socket recv-buffer-size (from: common/server.toml)
      recv-buffer-size: 65535
      # -- server socket linger (from: common/server.toml)
      linger: 1
      # -- server socket tos (from: common/server.toml)
      tos: 1
    tls:
      # -- server tls enable (from: common/tls.toml)
      enable: true
      # -- server tls implicit (from: common/tls.toml)
      implicit: false
      # -- server tls timeout (from: common/tls.toml)
      timeout: "1m"
      # -- server tls certificate (from: common/tls.toml)
      certificate: "default"
      # -- server tls acme (from: common/tls.toml)
      # example: "letsencrypt"
      acme:
      # -- server tls sni (from: common/tls.toml)
      # example: [{subject: "", certificate: ""}]
      sni:
      # -- server tls protocols (from: common/tls.toml)
      # example: ["TLSv1.2", "TLSv1.3"]
      protocols:
      # -- server tls #ciphers (from: common/tls.toml)
      # example: [ "TLS13_AES_256_GCM_SHA384", "TLS13_AES_128_GCM_SHA256",
      #            "TLS13_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
      #            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
      #            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      #            "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"]
      ciphers:
      # -- server tls ignore-client-order (from: common/tls.toml)
      ignore-client-order: true
    # -- server listener
    listener:
      smtp:
        protocol: "smtp"
        bind: ["[::]:25"]
      smtp-submission:
        protocol: "smtp"
      submission:
        bind: ["[::]:587"]
      smtps:
        protocol: "smtp"
      submissions:
        bind: ["[::]:465"]
        protocol: "smtp"
        tls:
          implicit: true
      # -- server listener with name imap (from: imap/listener.toml)
      imap:
        bind: ["[::]:143"]
        protocol: "imap"
-
+      imaptls:
      # -- server listener with name imaps (from: imap/listener.toml)
      imaps:
        bind: ["[::]:993"]
        protocol: "imap"
        tls:
          implicit: true
      # -- server listener with name sieve (from: imap/listener.toml)
      sieve:
        bind: ["[::]:4190"]
        protocol: "managesieve"
      https:
        protocol: "http"
        bind: ["[::]:80"]
        tls:
          implicit: true
-      # -- jmap/listener.yaml
+    run-as:
-      http:
+      # -- server run-as user
-        protocol: "jmap"
+      user: "stalwart-mail"
-        bind: ["[::]:80"]
+      # -- server run-as group
-        url: "https://%{HOST}%"
+      group: "stalwart-mail"
  ##
  # sieve
  ##
  sieve:
    untrusted:
      # -- sieve untrusted disable-capabilities (from: common/sieve.toml)
      disable-capabilities: []
      # -- sieve untrusted notification-uris (from: common/sieve.toml)
      notification-uris: ["mailto"]
      # -- sieve untrusted protected-headers (from: common/sieve.toml)
      protected-headers: ["Original-Subject", "Original-From", "Received", "Auto-Submitted"]
      limits:
        # -- sieve untrusted limit name-length (from: common/sieve.toml)
        name-length: 512
        # -- sieve untrusted limit max-scripts (from: common/sieve.toml)
        max-scripts: 256
        # -- sieve untrusted limit script-size (from: common/sieve.toml)
        script-size: 102400
        # -- sieve untrusted limit string-length (from: common/sieve.toml)
        string-length: 4096
        # -- sieve untrusted limit variable-name-length (from: common/sieve.toml)
        variable-name-length: 32
        # -- sieve untrusted limit variable-size (from: common/sieve.toml)
        variable-size: 4096
        # -- sieve untrusted limit nested-blocks (from: common/sieve.toml)
        nested-blocks: 15
        # -- sieve untrusted limit nested-tests (from: common/sieve.toml)
        nested-tests: 15
        # -- sieve untrusted limit nested-foreverypart (from: common/sieve.toml)
        nested-foreverypart: 3
        # -- sieve untrusted limit match-variables (from: common/sieve.toml)
        match-variables: 30
        # -- sieve untrusted limit local-variables (from: common/sieve.toml)
        local-variables: 128
        # -- sieve untrusted limit header-size (from: common/sieve.toml)
        header-size: 1024
        # -- sieve untrusted limit includes (from: common/sieve.toml)
        includes: 3
        # -- sieve untrusted limit nested-includes (from: common/sieve.toml)
        nested-includes: 3
        # -- sieve untrusted limit cpu (from: common/sieve.toml)
        cpu: 5000
        # -- sieve untrusted limit redirects (from: common/sieve.toml)
        redirects: 1
        # -- sieve untrusted limit received-headers (from: common/sieve.toml)
        received-headers: 10
        # -- sieve untrusted limit outgoing-messages (from: common/sieve.toml)
        outgoing-messages: 3
      vacation:
        # -- sieve untrusted vacation default-subject (from: common/sieve.toml)
        default-subject: "Automated reply"
        # -- sieve untrusted vacation subject-prefix (from: common/sieve.toml)
        subject-prefix: "Auto: "
      default-expiry:
        # -- sieve untrusted default-expiry vacation (from: common/sieve.toml)
        vacation: "30d"
        # -- sieve untrusted default-expiry duplicate (from: common/sieve.toml)
        duplicate: "7d"
    trusted:
      # -- sieve trusted from-name (from: common/sieve.toml)
      from-name: "Automated Message"
      # -- sieve trusted from-addr (from: common/sieve.toml)
      from-addr: "no-reply@%{DEFAULT_DOMAIN}%"
      # -- sieve trusted return-path (from: common/sieve.toml)
      return-path: ""
      # -- sieve trusted hostname (from: common/sieve.toml)
      hostname: "%{HOST}%"
      # -- sieve trusted no-capability-check (from: common/sieve.toml)
      no-capability-check: true
      # -- sieve trusted sign (from: common/sieve.toml)
      sign: ["rsa"]
      limits:
        # -- sieve trusted limits redirects (from: common/sieve.toml)
        redirects: 3
        # -- sieve trusted limits out-messages (from: common/sieve.toml)
        out-messages: 5
        # -- sieve trusted limits received-headers (from: common/sieve.toml)
        received-headers: 50
        # -- sieve trusted limits cpu (from: common/sieve.toml)
        cpu: 1048576
        # -- sieve trusted limits nested-includes (from: common/sieve.toml)
        nested-includes: 5
        # -- sieve trusted limits duplicate-expiry (from: common/sieve.toml)
        duplicate-expiry: "7d"
      scripts:
        # -- sieve trusted scripts connect (from: common/sieve.toml)
        connect:
        # -- sieve trusted scripts ehlo (from: common/sieve.toml)
        ehlo:
        # -- sieve trusted scripts mail (from: common/sieve.toml)
        mail:
  ##
  # storage
  ##
  storage:
-    # -- storage data (from: common/store.toml)
+    data: "rocksdb"
-    data: "%{DEFAULT_STORE}%"
+    fts: "rocksdb"
-    # -- storage fts (from: common/store.toml)
+    blob: "rocksdb"
-    # BROKEN / TODO
+    lookup: "rocksdb"
-    # see: https://github.com/stalwartlabs/mail-server/issues/211
+    directory: "internal"
    fts: "%{DEFAULT_STORE}%"
    # -- storage blob (from: common/store.toml)
    blob: "%{DEFAULT_STORE}%"
    # -- storage lookup (from: common/store.toml)
    lookup: "%{DEFAULT_STORE}%"
    # -- storage directory (from: common/store.toml)
    directory: "%{DEFAULT_DIRECTORY}%"
    encryption:
      # -- storage encryption enable (from: common/store.toml)
      enable: true
      # -- storage encryption append (from: common/store.toml)
      append: false
    spam:
      # -- storage spam header (from: common/store.toml)
      header: "X-Spam-Status: Yes"
    # BROKEN / TODO
    # should be fts:
    # see: https://github.com/stalwartlabs/mail-server/issues/211
    fts-table-duplicated-workaround:
      # -- storage - fts - default-language (from: common/store.toml)
      default-language: "en"
    cluster:
      # -- storage - cluster - node-id (from: common/store.toml)
      node-id:
  ##
  # ACME
  ##
  acme:
    # -- acme with name letsencrypt (from: common/tls.toml)
    letsencrypt:
      # -- acme directory (from: common/tls.toml)
      directory: "https://acme-v02.api.letsencrypt.org/directory"
      # -- acme contact (from: common/tls.toml)
      contact: ["postmaster@%{DEFAULT_DOMAIN}%"]
      # -- acme cache (from: common/tls.toml)
      cache: "/opt/stalwart-mail/etc/acme"
      # -- acme port (from: common/tls.toml)
      port: 443
      # -- acme renew-before (from: common/tls.toml)
      renew-before: "30d"
  ##
  # certificate
  ##
  certificate:
    # -- certificate with name default (from: common/tls.toml)
    default:
      # -- certificate cert (from: common/tls.toml)
      cert: "file:///opt/stalwart-mail/etc/certs/tls.crt"
      # -- certificate private-key (from: common/tls.toml)
      private-key: "file:///opt/stalwart-mail/etc/certs/tls.key"
  ##
  # directory
  ##
  directory:
    # -- directory - with name memory (from: directory/internal.yaml)
    memory:
      type: memory
      # -- overwrite me, if not wanted
      disable: false
      options:
        catch-all: true
        subaddressing: true
      principals:
        - type: "admin"
          description: "Superuser"
          name: "admin"
          secret: "changeme"
          mail:
            - "postmaster@%{DEFAULT_DOMAIN}%"
  ##
  # store
  ##
  store:
    rocksdb:
      type: rocksdb
      path: "/data"
      compression: "lz4"
-    # -- store - with name sqlite
+  directory:
-    sqlite:
+    internal:
-      type: "sqlite"
+      type: "internal"
-      # -- overwrite me, if not wanted
+      store: "rocksdb"
      disable: false
      path: "/data/index.sqlite3"
      purge:
        frequency: "0 3 *"
      query:
        name: "SELECT name, type, secret, description, quota FROM accounts WHERE name = ? AND active = true"
        members: "SELECT member_of FROM group_members WHERE name = ?"
        recipients: "SELECT name FROM emails WHERE address = ?"
        emails: "SELECT address FROM emails WHERE name = ? AND type != 'list' ORDER BY type DESC, address ASC"
        verify: "SELECT address FROM emails WHERE address LIKE '%' || ? || '%' AND type = 'primary' ORDER BY address LIMIT 5"
        expand: "SELECT p.address FROM emails AS p JOIN emails AS l ON p.name = l.name WHERE p.type = 'primary' AND l.address = ? AND l.type = 'list' ORDER BY p.address LIMIT 50"
        domains: "SELECT 1 FROM emails WHERE address LIKE '%@' || ? LIMIT 1"
-    # -- store - with name fs
+  tracer:
-    fs:
+    otel:
-      type: "fs"
+      enable: false
-      # -- overwrite me, if not wanted
+      type: "open-telemetry"
-      disable: false
+      level: "info"
-      path: "/data/blobs"
+      # -- grpc or http
-      depth: 2
+      transport: "grpc"
-      purge:
+      endpoint: "https://127.0.0.1/otel"
-        frequency: "0 3 *"
+      # -- headers for usage with http (e.g. 'Authorization: <place_auth_here>')
      headers: []
    stdout:
      enable: true
      type: "stdout"
      level: "info"
      ansi: false
  ##
  # OAuth
  ##
  oauth:
    # -- oauth - key
    key: "__OAUTH_KEY__"
    # -- oauth - auth
  auth:
      max-attempts: 3
    # -- oauth - expiry
    expiry:
      user-code: "30m"
      auth-code: "10m"
      token: "1h"
      refresh-token: "30d"
      refresh-token-renew: "4d"
    # -- oauth - cache
    cache:
      size: 128
  ##
  # SMTP configuration (smtp/*.yaml)
  ##
  ##
  # query (from: smtp/queue.yaml)
  ##
  queue:
    # -- queue-path
    path: "/data/queue"
    # -- queue-hash
    hash: 64
    # -- queue-schedule
    schedule:
      retry: "[2m, 5m, 10m, 15m, 30m, 1h, 2h]"
      notify: "[1d, 3d]"
      expire: "5d"
    # -- queue-outbound
    outbound:
      # hostname: "%{HOST}%"
      next-hop:
        - if: "is_local_domain('%{DEFAULT_DIRECTORY}%', rcpt_domain)"
          then: "'local'"
        - else: false
      ip-strategy: "ipv4_then_ipv6"
      tls:
        dane: "optional"
        mta-sts: "optional"
        starttls: "require"
        allow-invalid-certs: false
      limits:
        mx: 7
        multihomed: 2
      timeouts:
        connect: "3m"
        greeting: "3m"
        tls: "2m"
        ehlo: "3m"
        mail-from: "3m"
        rcpt-to: "3m"
        data: "10m"
        mta-sts: "2m"
    quota:
      - match:
        # match: "sender_domain = 'foobar.org'"
        # key: ["rcpt"]
        key:
        messages: 100000
        # 10gb
        size: 10737418240
    throttle:
      - key: ["rcpt_domain"]
        # rate: "100/1h"
        rate:
        concurrency: 5
  ##
  # Report (from: smtp/report.yaml)
  ##
  report:
    # -- report-path
    path: "/data/reports"
    # -- report-hash
    hash: 64
    # submitter: "%{HOST}%"
    # -- report-analysis
    analysis:
      addresses: ["dmarc@*", "abuse@*", "postmaster@*"]
      forward: true
      # store: "/data/incoming"
    # -- report-dsn
    dsn:
      from-name: "'Mail Delivery Subsystem'"
      from-address: "'MAILER-DAEMON@%{DEFAULT_DOMAIN}%'"
      sign: "['rsa']"
    # -- report-dkim
    dkim:
-      from-name: "'Report Subsystem'"
+      # -- auth rule for signing with dkim
-      from-address: "'noreply-dkim@%{DEFAULT_DOMAIN}%'"
+      # @section -- DKIM
-      subject: "'DKIM Authentication Failure Report'"
+      sign:
-      sign: "['rsa']"
+        - if: "listener != 'smtp'"
-      send: "[1, 1d]"
+          then: "['rsa', 'ed25519']"
        - else: false
      # -- verify of dkim signature (relaxed, strict, disable)
      # @section -- DKIM
      verify: "relaxed"
-    # -- report-spf
+  authentication:
-    spf:
+    fallback-admin:
-      from-name: "'Report Subsystem'"
+      # -- username for fallback authentfication
-      from-address: "'noreply-spf@%{DEFAULT_DOMAIN}%'"
+      # @section -- Authentification
-      subject: "'SPF Authentication Failure Report'"
+      user: "admin"
-      sign: "['rsa']"
+      # -- password for fallback authentfication (use env for store in secrets of kubernetes)
-      send: "[1, 1d]"
+      # @section -- Authentification
      secret: "%{env:FALLBACK_ADMIN_SECRET}%"
-    # -- report-dmarc
+secrets:
-    dmarc:
+  env:
-      from-name: "'Report Subsystem'"
+    # -- password for fallback authentfication (env)
-      from-address: "'noreply-dmarc@%{DEFAULT_DOMAIN}%'"
+    # @section -- Authentification
-      subject: "'DMARC Authentication Failure Report'"
+    FALLBACK_ADMIN_SECRET: supersecret
      sign: "['rsa']"
      send: "[1, 1d]"
      aggregate:
        from-name: "'DMARC Report'"
        from-address: "'noreply-dmarc@%{DEFAULT_DOMAIN}%'"
        org-name: "'%{DEFAULT_DOMAIN}%'"
        # contact-info: ""
        send: "daily"
        # -- default: 25 mb
        max-size: 26214400
        sign: "['rsa']"
    # -- report-tls
    tls:
      aggregate:
        from-name: "'TLS Report'"
        from-address: "'noreply-tls@%{DEFAULT_DOMAIN}%'"
        org-name: "'%{DEFAULT_DOMAIN}%'"
        # contact-info: ""
        send: "daily"
        # -- default: 25 mb
        max-size: 26214400
        sign: "['rsa']"
  ##
  # resolver (from: smtp/resolver.yaml)
  ##
  resolver:
    # -- resolver-type
    type: "system"
    # -- resolver-preserve-intermediates
    preserve-intermediates: true
    # -- resolver-concurrency
    concurrency: 2
    # -- resolver-timeout
    timeout: "5s"
    # -- resolver-attempts
    attempts: 2
    # -- resolver-try-tcp-on-error
    try-tcp-on-error: true
    # -- resolver-public-suffix
    public-suffix:
      - "https://publicsuffix.org/list/public_suffix_list.dat"
      - "file:///opt/stalwart-mail/etc/spamfilter/maps/suffix_list.dat.gz"
    # -- resolver-cache
    cache:
      txt: 2048
      mx: 1024
      ipv4: 1024
      ipv6: 1024
      ptr: 1024
      tlsa: 1024
      mta-sts: 1024
  ##
  # signature (from: smtp/signature.yaml)
  ##
  signature:
    # -- signature-rsa
    rsa:
      # public-key: "file://opt/stalwart-mail/etc/dkim/%{DEFAULT_DOMAIN}%.cert"
      private-key: "file://opt/stalwart-mail/etc/dkim/private.key"
      domain: "%{DEFAULT_DOMAIN}%"
      selector: "stalwart"
      headers: ["From", "To", "Date", "Subject", "Message-ID"]
      algorithm: "rsa-sha256"
      canonicalization: "relaxed/relaxed"
      # expire: "10d"
      # third-party: ""
      # third-party-algo: ""
      # auid: ""
      set-body-length: false
      report: true
  ##
  # IMAP
  ##
  imap:
    request:
      # -- imap request max-size (from: imap/settings.toml)
      max-size: 52428800
    auth:
      # -- imap auth max-failures(from: imap/settings.toml)
      max-failures: 3
      # -- imap auth allow-plain-text (from: imap/settings.toml)
      allow-plain-text: false
    folders:
      name:
        # -- imap folders name shared (from: imap/settings.toml)
        shared: "Shared Folders"
    timeout:
      # -- imap timeout authenticated (from: imap/settings.toml)
      authenticated: "30m"
      # -- imap timeout anonymous (from: imap/settings.toml)
      anonymous: "1m"
      # -- imap timeout idle (from: imap/settings.toml)
      idle: "30m"
    rate-limit:
      # -- imap rate-limit requests (from: imap/settings.toml)
      requests: "2000/1m"
      # -- imap rate-limit concurrent (from: imap/settings.toml)
      concurrent: 6
    protocol:
      # -- imap protocol uidplus (from: imap/settings.toml)
      uidplus: false
  ##
  # JMAP
  ##
  jmap:
    # -- jmap-directory (from: jmap/auth.yaml)
    directory: "%{DEFAULT_DIRECTORY}%"
    # -- jmap-session (from: jmap/auth.yaml)
    session:
      cache:
        ttl: "1h"
        size: 100
      purge:
        frequency: "0 3 *"
    # -- jmap-protocol (from: jmap/protocol.yaml)
    protocol:
      get:
        max-objects: 500
      set:
        max-objects: 500
      request:
        max-concurrent: 4
        max-size: 10000000
        max-calls: 16
      query:
        max-results: 5000
      upload:
        max-size: 50000000
        max-concurrent: 4
        ttl: "1h"
        quota:
          files: 1000
          size: 50000000
      changes:
        max-results: 5000
    # -- jmap-mailbox
    mailbox:
      max-depth: 10
      max-name-length: 255
    # -- jmap-email
    email:
      max-attachment-size: 50000000
      max-size: 75000000
      parse:
        max-items: 10
    # -- jmap-principal
    principal:
      allow-lookups: true
    # -- jmap-push (from: jmap/push.yaml)
    push:
      max-total: 100
      throttle: "1ms"
      attempts:
        interval: "1m"
        max: 3
      retry:
        interval: "1s"
      timeout:
        request: "10s"
        verify: "1s"
    # -- jmap-event-source
    event-source:
      throttle: "1s"
    # -- jmap-rate-limit (from: jmap/ratelimit.yaml)
    rate-limit:
      account: "1000/1m"
      authentication: "10/1m"
      anonymous: "100/1m"
      use-forwarded: true
      cache:
        size: 1024
    # -- jmap-web-sockets (from: jmap/websocket.yaml)
    web-sockets:
      throttle: "1s"
      timeout: "10m"
      heartbeat: "1m"
 serviceAccount:
  # Specifies whether a service account should be created
@ -743,6 +135,8 @@ serviceAccount:
 podAnnotations: {}
 podLabels: {}
 env: []
 podSecurityContext: {}
  # fsGroup: 2000