maddy config for lekva.me
diff --git a/scripts/homelab/maddy-config.yaml b/scripts/homelab/maddy-config.yaml
new file mode 100644
index 0000000..c92da8c
--- /dev/null
+++ b/scripts/homelab/maddy-config.yaml
@@ -0,0 +1,178 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: config
+ namespace: app-maddy
+data:
+ maddy.conf:
+ ----
+ ## Maddy Mail Server - default configuration file (2021-03-07)
+ # Suitable for small-scale deployments. Uses its own format for local users DB,
+ # should be managed via maddyctl utility.
+ #
+ # See tutorials at https://maddy.email for guidance on typical
+ # configuration changes.
+ #
+ # See manual pages (also available at https://maddy.email) for reference
+ # documentation.
+
+ # ----------------------------------------------------------------------------
+ # Base variables
+
+ $(hostname) = mx1.lekva.me
+ $(primary_domain) = lekva.me
+ $(local_domains) = $(primary_domain)
+
+ tls file /etc/maddy/certs/tls.crt /etc/maddy/certs/tls.key
+
+ # ----------------------------------------------------------------------------
+ # Local storage & authentication
+
+ # pass_table provides local hashed passwords storage for authentication of
+ # users. It can be configured to use any "table" module, in default
+ # configuration a table in SQLite DB is used.
+ # Table can be replaced to use e.g. a file for passwords. Or pass_table module
+ # can be replaced altogether to use some external source of credentials (e.g.
+ # PAM, /etc/shadow file).
+ #
+ # If table module supports it (sql_table does) - credentials can be managed
+ # using 'maddyctl creds' command.
+
+ auth.pass_table local_authdb {
+ table sql_table {
+ driver sqlite3
+ dsn credentials.db
+ table_name passwords
+ }
+ }
+
+ # imapsql module stores all indexes and metadata necessary for IMAP using a
+ # relational database. It is used by IMAP endpoint for mailbox access and
+ # also by SMTP & Submission endpoints for delivery of local messages.
+ #
+ # IMAP accounts, mailboxes and all message metadata can be inspected using
+ # imap-* subcommands of maddyctl utility.
+
+ storage.imapsql local_mailboxes {
+ driver sqlite3
+ dsn imapsql.db
+ }
+
+ # ----------------------------------------------------------------------------
+ # SMTP endpoints + message routing
+
+ hostname $(hostname)
+
+ msgpipeline local_routing {
+ # Insert handling for special-purpose local domains here.
+ # e.g.
+ # destination lists.example.org {
+ # deliver_to lmtp tcp://127.0.0.1:8024
+ # }
+
+ destination postmaster $(local_domains) {
+ modify {
+ replace_rcpt regexp "(.+)\+(.+)@(.+)" "$1@$3"
+ replace_rcpt file /etc/maddy/aliases
+ }
+
+ deliver_to &local_mailboxes
+ }
+
+ default_destination {
+ reject 550 5.1.1 "User doesn't exist"
+ }
+ }
+
+ smtp tcp://0.0.0.0:25 {
+ limits {
+ # Up to 20 msgs/sec across max. 10 SMTP connections.
+ all rate 20 1s
+ all concurrency 10
+ }
+
+ dmarc yes
+ check {
+ require_mx_record
+ dkim
+ spf
+ }
+
+ source $(local_domains) {
+ reject 501 5.1.8 "Use Submission for outgoing SMTP"
+ }
+ default_source {
+ destination postmaster $(local_domains) {
+ deliver_to &local_routing
+ }
+ default_destination {
+ reject 550 5.1.1 "User doesn't exist"
+ }
+ }
+ }
+
+ submission tls://0.0.0.0:465 tcp://0.0.0.0:587 {
+ limits {
+ # Up to 50 msgs/sec across any amount of SMTP connections.
+ all rate 50 1s
+ }
+
+ auth &local_authdb
+
+ source $(local_domains) {
+ destination postmaster $(local_domains) {
+ deliver_to &local_routing
+ }
+ default_destination {
+ modify {
+ dkim $(primary_domain) $(local_domains) default
+ }
+ deliver_to &remote_queue
+ }
+ }
+ default_source {
+ reject 501 5.1.8 "Non-local sender domain"
+ }
+ }
+
+ target.remote outbound_delivery {
+ limits {
+ # Up to 20 msgs/sec across max. 10 SMTP connections
+ # for each recipient domain.
+ destination rate 20 1s
+ destination concurrency 10
+ }
+ mx_auth {
+ dane
+ mtasts {
+ cache fs
+ fs_dir mtasts_cache/
+ }
+ local_policy {
+ min_tls_level encrypted
+ min_mx_level none
+ }
+ }
+ }
+
+ target.queue remote_queue {
+ target &outbound_delivery
+
+ autogenerated_msg_domain $(primary_domain)
+ bounce {
+ destination postmaster $(local_domains) {
+ deliver_to &local_routing
+ }
+ default_destination {
+ reject 550 5.0.0 "Refusing to send DSNs to non-local addresses"
+ }
+ }
+ }
+
+ # ----------------------------------------------------------------------------
+ # IMAP endpoints
+
+ imap tls://0.0.0.0:993 tcp://0.0.0.0:143 {
+ auth &local_authdb
+ storage &local_mailboxes
+ }