config

package
v0.0.13 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Nov 6, 2024 License: MIT Imports: 14 Imported by: 10

Documentation

Overview

Package config holds the configuration file definitions.

Mox uses two config files:

1. mox.conf, also called the static configuration file. 2. domains.conf, also called the dynamic configuration file.

The static configuration file is never reloaded during the lifetime of a running mox instance. After changes to mox.conf, mox must be restarted for the changes to take effect.

The dynamic configuration file is reloaded automatically when it changes. If the file contains an error after the change, the reload is aborted and the previous version remains active.

Below are "empty" config files, generated from the config file definitions in the source code, along with comments explaining the fields. Fields named "x" are placeholders for user-chosen map keys.

sconf

The config files are in "sconf" format. Properties of sconf files:

  • Indentation with tabs only.
  • "#" as first non-whitespace character makes the line a comment. Lines with a value cannot also have a comment.
  • Values don't have syntax indicating their type. For example, strings are not quoted/escaped and can never span multiple lines.
  • Fields that are optional can be left out completely. But the value of an optional field may itself have required fields.

See https://pkg.go.dev/github.com/mjl-/sconf for details.

mox.conf

# NOTE: This config file is in 'sconf' format. Indent with tabs. Comments must be
# on their own line, they don't end a line. Do not escape or quote strings.
# Details: https://pkg.go.dev/github.com/mjl-/sconf.

# Directory where all data is stored, e.g. queue, accounts and messages, ACME TLS
# certs/keys. If this is a relative path, it is relative to the directory of
# mox.conf.
DataDir:

# Default log level, one of: error, info, debug, trace, traceauth, tracedata.
# Trace logs SMTP and IMAP protocol transcripts, with traceauth also messages with
# passwords, and tracedata on top of that also the full data exchanges (full
# messages), which can be a large amount of data.
LogLevel:

# Overrides of log level per package (e.g. queue, smtpclient, smtpserver,
# imapserver, spf, dkim, dmarc, dmarcdb, autotls, junk, mtasts, tlsrpt).
# (optional)
PackageLogLevels:
	x:

# User to switch to after binding to all sockets as root. Default: mox. If the
# value is not a known user, it is parsed as integer and used as uid and gid.
# (optional)
User:

# If true, do not automatically fix file permissions when starting up. By default,
# mox will ensure reasonable owner/permissions on the working, data and config
# directories (and files), and mox binary (if present). (optional)
NoFixPermissions: false

# Full hostname of system, e.g. mail.<domain>
Hostname:

# If enabled, a single DNS TXT lookup of _updates.xmox.nl is done every 24h to
# check for a new release. Each time a new release is found, a changelog is
# fetched from https://updates.xmox.nl/changelog and delivered to the postmaster
# mailbox. (optional)
CheckUpdates: false

# In pedantic mode protocol violations (that happen in the wild) for SMTP/IMAP/etc
# result in errors instead of accepting such behaviour. (optional)
Pedantic: false

# Global TLS configuration, e.g. for additional Certificate Authorities. Used for
# outgoing SMTP connections, HTTPS requests. (optional)
TLS:

	# (optional)
	CA:

		# (optional)
		AdditionalToSystem: false

		# (optional)
		CertFiles:
			-

# Automatic TLS configuration with ACME, e.g. through Let's Encrypt. The key is a
# name referenced in TLS configs, e.g. letsencrypt. (optional)
ACME:
	x:

		# For letsencrypt, use https://acme-v02.api.letsencrypt.org/directory.
		DirectoryURL:

		# How long before expiration to renew the certificate. Default is 30 days.
		# (optional)
		RenewBefore: 0s

		# Email address to register at ACME provider. The provider can email you when
		# certificates are about to expire. If you configure an address for which email is
		# delivered by this server, keep in mind that TLS misconfigurations could result
		# in such notification emails not arriving.
		ContactEmail:

		# TLS port for ACME validation, 443 by default. You should only override this if
		# you cannot listen on port 443 directly. ACME will make requests to port 443, so
		# you'll have to add an external mechanism to get the tls connection here, e.g. by
		# configuring firewall-level port forwarding. Validation over the https port uses
		# tls-alpn-01 with application-layer protocol negotiation, which essentially means
		# the original tls connection must make it here unmodified, an https reverse proxy
		# will not work. (optional)
		Port: 0

		# If set, used for suggested CAA DNS records, for restricting TLS certificate
		# issuance to a Certificate Authority. If empty and DirectyURL is for Let's
		# Encrypt, this value is set automatically to letsencrypt.org. (optional)
		IssuerDomainName:

		# ACME providers can require that a request for a new ACME account reference an
		# existing non-ACME account known to the provider. External account binding
		# references that account by a key id, and authorizes new ACME account requests by
		# signing it with a key known both by the ACME client and ACME provider.
		# (optional)
		ExternalAccountBinding:

			# Key identifier, from ACME provider.
			KeyID:

			# File containing the base64url-encoded key used to sign account requests with
			# external account binding. The ACME provider will verify the account request is
			# correctly signed by the key. File is evaluated relative to the directory of
			# mox.conf.
			KeyFile:

# File containing hash of admin password, for authentication in the web admin
# pages (if enabled). (optional)
AdminPasswordFile:

# Listeners are groups of IP addresses and services enabled on those IP addresses,
# such as SMTP/IMAP or internal endpoints for administration or Prometheus
# metrics. All listeners with SMTP/IMAP services enabled will serve all configured
# domains. If the listener is named 'public', it will get a few helpful additional
# configuration checks, for acme automatic tls certificates and monitoring of ips
# in dnsbls if those are configured.
Listeners:
	x:

		# Use 0.0.0.0 to listen on all IPv4 and/or :: to listen on all IPv6 addresses, but
		# it is better to explicitly specify the IPs you want to use for email, as mox
		# will make sure outgoing connections will only be made from one of those IPs. If
		# both outgoing IPv4 and IPv6 connectivity is possible, and only one family has
		# explicitly configured addresses, both address families are still used for
		# outgoing connections. Use the "direct" transport to limit address families for
		# outgoing connections.
		IPs:
			-

		# If set, the mail server is configured behind a NAT and field IPs are internal
		# instead of the public IPs, while NATIPs lists the public IPs. Used during
		# IP-related DNS self-checks, such as for iprev, mx, spf, autoconfig,
		# autodiscover, and for autotls. (optional)
		NATIPs:
			-

		# Deprecated, use NATIPs instead. If set, IPs are not the public IPs, but are
		# NATed. Skips IP-related DNS self-checks. (optional)
		IPsNATed: false

		# If empty, the config global Hostname is used. The internal services webadmin,
		# webaccount, webmail and webapi only match requests to IPs, this hostname,
		# "localhost". All except webadmin also match for any client settings domain.
		# (optional)
		Hostname:

		# For SMTP/IMAP STARTTLS, direct TLS and HTTPS connections. (optional)
		TLS:

			# Name of provider from top-level configuration to use for ACME, e.g. letsencrypt.
			# (optional)
			ACME:

			# Keys and certificates to use for this listener. The files are opened by the
			# privileged root process and passed to the unprivileged mox process, so no
			# special permissions are required on the files. If the private key will not be
			# replaced when refreshing certificates, also consider adding the private key to
			# HostPrivateKeyFiles and configuring DANE TLSA DNS records. (optional)
			KeyCerts:
				-

					# Certificate including intermediate CA certificates, in PEM format.
					CertFile:

					# Private key for certificate, in PEM format. PKCS8 is recommended, but PKCS1 and
					# EC private keys are recognized as well.
					KeyFile:

			# Minimum TLS version. Default: TLSv1.2. (optional)
			MinVersion:

			# Private keys used for ACME certificates. Specified explicitly so DANE TLSA DNS
			# records can be generated, even before the certificates are requested. DANE is a
			# mechanism to authenticate remote TLS certificates based on a public key or
			# certificate specified in DNS, protected with DNSSEC. DANE is opportunistic and
			# attempted when delivering SMTP with STARTTLS. The private key files must be in
			# PEM format. PKCS8 is recommended, but PKCS1 and EC private keys are recognized
			# as well. Only RSA 2048 bit and ECDSA P-256 keys are currently used. The first of
			# each is used when requesting new certificates through ACME. (optional)
			HostPrivateKeyFiles:
				-

		# Maximum size in bytes for incoming and outgoing messages. Default is 100MB.
		# (optional)
		SMTPMaxMessageSize: 0

		# (optional)
		SMTP:
			Enabled: false

			# Default 25. (optional)
			Port: 0

			# Do not offer STARTTLS to secure the connection. Not recommended. (optional)
			NoSTARTTLS: false

			# Do not accept incoming messages if STARTTLS is not active. Consider using in
			# combination with an MTA-STS policy and/or DANE. A remote SMTP server may not
			# support TLS and may not be able to deliver messages. Incoming messages for TLS
			# reporting addresses ignore this setting and do not require TLS. (optional)
			RequireSTARTTLS: false

			# Do not announce the REQUIRETLS SMTP extension. Messages delivered using the
			# REQUIRETLS extension should only be distributed onwards to servers also
			# implementing the REQUIRETLS extension. In some situations, such as hosting
			# mailing lists, this may not be feasible due to lack of support for the extension
			# by mailing list subscribers. (optional)
			NoRequireTLS: false

			# Addresses of DNS block lists for incoming messages. Block lists are only
			# consulted for connections/messages without enough reputation to make an
			# accept/reject decision. This prevents sending IPs of all communications to the
			# block list provider. If any of the listed DNSBLs contains a requested IP
			# address, the message is rejected as spam. The DNSBLs are checked for healthiness
			# before use, at most once per 4 hours. IPs we can send from are periodically
			# checked for being in the configured DNSBLs. See MonitorDNSBLs in domains.conf to
			# only monitor IPs we send from, without using those DNSBLs for incoming messages.
			# Example DNSBLs: sbl.spamhaus.org, bl.spamcop.net. See
			# https://www.spamhaus.org/sbl/ and https://www.spamcop.net/ for more information
			# and terms of use. (optional)
			DNSBLs:
				-

			# Delay before accepting a message from a first-time sender for the destination
			# account. Default: 15s. (optional)
			FirstTimeSenderDelay: 0s

		# SMTP for submitting email, e.g. by email applications. Starts out in plain text,
		# can be upgraded to TLS with the STARTTLS command. Prefer using Submissions which
		# is always a TLS connection. (optional)
		Submission:
			Enabled: false

			# Default 587. (optional)
			Port: 0

			# Do not require STARTTLS. Since users must login, this means password may be sent
			# without encryption. Not recommended. (optional)
			NoRequireSTARTTLS: false

		# SMTP over TLS for submitting email, by email applications. Requires a TLS
		# config. (optional)
		Submissions:
			Enabled: false

			# Default 465. (optional)
			Port: 0

		# IMAP for reading email, by email applications. Starts out in plain text, can be
		# upgraded to TLS with the STARTTLS command. Prefer using IMAPS instead which is
		# always a TLS connection. (optional)
		IMAP:
			Enabled: false

			# Default 143. (optional)
			Port: 0

			# Enable this only when the connection is otherwise encrypted (e.g. through a
			# VPN). (optional)
			NoRequireSTARTTLS: false

		# IMAP over TLS for reading email, by email applications. Requires a TLS config.
		# (optional)
		IMAPS:
			Enabled: false

			# Default 993. (optional)
			Port: 0

		# Account web interface, for email users wanting to change their accounts, e.g.
		# set new password, set new delivery rulesets. Default path is /. (optional)
		AccountHTTP:
			Enabled: false

			# Default 80 for HTTP and 443 for HTTPS. See Hostname at Listener for hostname
			# matching behaviour. (optional)
			Port: 0

			# Path to serve requests on. (optional)
			Path:

			# If set, X-Forwarded-* headers are used for the remote IP address for rate
			# limiting and for the "secure" status of cookies. (optional)
			Forwarded: false

		# Account web interface listener like AccountHTTP, but for HTTPS. Requires a TLS
		# config. (optional)
		AccountHTTPS:
			Enabled: false

			# Default 80 for HTTP and 443 for HTTPS. See Hostname at Listener for hostname
			# matching behaviour. (optional)
			Port: 0

			# Path to serve requests on. (optional)
			Path:

			# If set, X-Forwarded-* headers are used for the remote IP address for rate
			# limiting and for the "secure" status of cookies. (optional)
			Forwarded: false

		# Admin web interface, for managing domains, accounts, etc. Default path is
		# /admin/. Preferably only enable on non-public IPs. Hint: use 'ssh -L
		# 8080:localhost:80 you@yourmachine' and open http://localhost:8080/admin/, or set
		# up a tunnel (e.g. WireGuard) and add its IP to the mox 'internal' listener.
		# (optional)
		AdminHTTP:
			Enabled: false

			# Default 80 for HTTP and 443 for HTTPS. See Hostname at Listener for hostname
			# matching behaviour. (optional)
			Port: 0

			# Path to serve requests on. (optional)
			Path:

			# If set, X-Forwarded-* headers are used for the remote IP address for rate
			# limiting and for the "secure" status of cookies. (optional)
			Forwarded: false

		# Admin web interface listener like AdminHTTP, but for HTTPS. Requires a TLS
		# config. (optional)
		AdminHTTPS:
			Enabled: false

			# Default 80 for HTTP and 443 for HTTPS. See Hostname at Listener for hostname
			# matching behaviour. (optional)
			Port: 0

			# Path to serve requests on. (optional)
			Path:

			# If set, X-Forwarded-* headers are used for the remote IP address for rate
			# limiting and for the "secure" status of cookies. (optional)
			Forwarded: false

		# Webmail client, for reading email. Default path is /webmail/. (optional)
		WebmailHTTP:
			Enabled: false

			# Default 80 for HTTP and 443 for HTTPS. See Hostname at Listener for hostname
			# matching behaviour. (optional)
			Port: 0

			# Path to serve requests on. (optional)
			Path:

			# If set, X-Forwarded-* headers are used for the remote IP address for rate
			# limiting and for the "secure" status of cookies. (optional)
			Forwarded: false

		# Webmail client, like WebmailHTTP, but for HTTPS. Requires a TLS config.
		# (optional)
		WebmailHTTPS:
			Enabled: false

			# Default 80 for HTTP and 443 for HTTPS. See Hostname at Listener for hostname
			# matching behaviour. (optional)
			Port: 0

			# Path to serve requests on. (optional)
			Path:

			# If set, X-Forwarded-* headers are used for the remote IP address for rate
			# limiting and for the "secure" status of cookies. (optional)
			Forwarded: false

		# Like WebAPIHTTP, but with plain HTTP, without TLS. (optional)
		WebAPIHTTP:
			Enabled: false

			# Default 80 for HTTP and 443 for HTTPS. See Hostname at Listener for hostname
			# matching behaviour. (optional)
			Port: 0

			# Path to serve requests on. (optional)
			Path:

			# If set, X-Forwarded-* headers are used for the remote IP address for rate
			# limiting and for the "secure" status of cookies. (optional)
			Forwarded: false

		# WebAPI, a simple HTTP/JSON-based API for email, with HTTPS (requires a TLS
		# config). Default path is /webapi/. (optional)
		WebAPIHTTPS:
			Enabled: false

			# Default 80 for HTTP and 443 for HTTPS. See Hostname at Listener for hostname
			# matching behaviour. (optional)
			Port: 0

			# Path to serve requests on. (optional)
			Path:

			# If set, X-Forwarded-* headers are used for the remote IP address for rate
			# limiting and for the "secure" status of cookies. (optional)
			Forwarded: false

		# Serve prometheus metrics, for monitoring. You should not enable this on a public
		# IP. (optional)
		MetricsHTTP:
			Enabled: false

			# Default 8010. (optional)
			Port: 0

		# Serve /debug/pprof/ for profiling a running mox instance. Do not enable this on
		# a public IP! (optional)
		PprofHTTP:
			Enabled: false

			# Default 8011. (optional)
			Port: 0

		# Serve autoconfiguration/autodiscovery to simplify configuring email
		# applications, will use port 443. Requires a TLS config. (optional)
		AutoconfigHTTPS:
			Enabled: false

			# TLS port, 443 by default. You should only override this if you cannot listen on
			# port 443 directly. Autoconfig requests will be made to port 443, so you'll have
			# to add an external mechanism to get the connection here, e.g. by configuring
			# port forwarding. (optional)
			Port: 0

			# If set, plain HTTP instead of HTTPS is spoken on the configured port. Can be
			# useful when the autoconfig domain is reverse proxied. (optional)
			NonTLS: false

		# Serve MTA-STS policies describing SMTP TLS requirements. Requires a TLS config.
		# (optional)
		MTASTSHTTPS:
			Enabled: false

			# TLS port, 443 by default. You should only override this if you cannot listen on
			# port 443 directly. MTA-STS requests will be made to port 443, so you'll have to
			# add an external mechanism to get the connection here, e.g. by configuring port
			# forwarding. (optional)
			Port: 0

			# If set, plain HTTP instead of HTTPS is spoken on the configured port. Can be
			# useful when the mta-sts domain is reverse proxied. (optional)
			NonTLS: false

		# All configured WebHandlers will serve on an enabled listener. (optional)
		WebserverHTTP:
			Enabled: false

			# Port for plain HTTP (non-TLS) webserver. (optional)
			Port: 0

		# All configured WebHandlers will serve on an enabled listener. Either ACME must
		# be configured, or for each WebHandler domain a TLS certificate must be
		# configured. (optional)
		WebserverHTTPS:
			Enabled: false

			# Port for HTTPS webserver. (optional)
			Port: 0

# Destination for emails delivered to postmaster addresses: a plain 'postmaster'
# without domain, 'postmaster@<hostname>' (also for each listener with SMTP
# enabled), and as fallback for each domain without explicitly configured
# postmaster destination.
Postmaster:
	Account:

	# E.g. Postmaster or Inbox.
	Mailbox:

# Destination for per-host TLS reports (TLSRPT). TLS reports can be per recipient
# domain (for MTA-STS), or per MX host (for DANE). The per-domain TLS reporting
# configuration is in domains.conf. This is the TLS reporting configuration for
# this host. If absent, no host-based TLSRPT address is configured, and no host
# TLSRPT DNS record is suggested. (optional)
HostTLSRPT:

	# Account to deliver TLS reports to. Typically same account as for postmaster.
	Account:

	# Mailbox to deliver TLS reports to. Recommended value: TLSRPT.
	Mailbox:

	# Localpart at hostname to accept TLS reports at. Recommended value: tls-reports.
	Localpart:

# Mailboxes to create for new accounts. Inbox is always created. Mailboxes can be
# given a 'special-use' role, which are understood by most mail clients. If
# absent/empty, the following mailboxes are created: Sent, Archive, Trash, Drafts
# and Junk. (optional)
InitialMailboxes:

	# Special-use roles to mailbox to create. (optional)
	SpecialUse:

		# (optional)
		Sent:

		# (optional)
		Archive:

		# (optional)
		Trash:

		# (optional)
		Draft:

		# (optional)
		Junk:

	# Regular, non-special-use mailboxes to create. (optional)
	Regular:
		-

# Deprecated in favor of InitialMailboxes. Mailboxes to create when adding an
# account. Inbox is always created. If no mailboxes are specified, the following
# are automatically created: Sent, Archive, Trash, Drafts and Junk. (optional)
DefaultMailboxes:
	-

# Transport are mechanisms for delivering messages. Transports can be referenced
# from Routes in accounts, domains and the global configuration. There is always
# an implicit/fallback delivery transport doing direct delivery with SMTP from the
# outgoing message queue. Transports are typically only configured when using
# smarthosts, i.e. when delivering through another SMTP server. Zero or one
# transport methods must be set in a transport, never multiple. When using an
# external party to send email for a domain, keep in mind you may have to add
# their IP address to your domain's SPF record, and possibly additional DKIM
# records. (optional)
Transports:
	x:

		# Submission SMTP over a TLS connection to submit email to a remote queue.
		# (optional)
		Submissions:

			# Host name to connect to and for verifying its TLS certificate.
			Host:

			# If unset or 0, the default port for submission(s)/smtp is used: 25 for SMTP, 465
			# for submissions (with TLS), 587 for submission (possibly with STARTTLS).
			# (optional)
			Port: 0

			# If set an unverifiable remote TLS certificate during STARTTLS is accepted.
			# (optional)
			STARTTLSInsecureSkipVerify: false

			# If set for submission or smtp transport, do not attempt STARTTLS on the
			# connection. Authentication credentials and messages will be transferred in clear
			# text. (optional)
			NoSTARTTLS: false

			# If set, authentication credentials for the remote server. (optional)
			Auth:
				Username:
				Password:

				# Allowed authentication mechanisms. Defaults to SCRAM-SHA-256-PLUS,
				# SCRAM-SHA-256, SCRAM-SHA-1-PLUS, SCRAM-SHA-1, CRAM-MD5. Not included by default:
				# PLAIN. Specify the strongest mechanism known to be implemented by the server to
				# prevent mechanism downgrade attacks. (optional)
				Mechanisms:
					-

		# Submission SMTP over a plain TCP connection (possibly with STARTTLS) to submit
		# email to a remote queue. (optional)
		Submission:

			# Host name to connect to and for verifying its TLS certificate.
			Host:

			# If unset or 0, the default port for submission(s)/smtp is used: 25 for SMTP, 465
			# for submissions (with TLS), 587 for submission (possibly with STARTTLS).
			# (optional)
			Port: 0

			# If set an unverifiable remote TLS certificate during STARTTLS is accepted.
			# (optional)
			STARTTLSInsecureSkipVerify: false

			# If set for submission or smtp transport, do not attempt STARTTLS on the
			# connection. Authentication credentials and messages will be transferred in clear
			# text. (optional)
			NoSTARTTLS: false

			# If set, authentication credentials for the remote server. (optional)
			Auth:
				Username:
				Password:

				# Allowed authentication mechanisms. Defaults to SCRAM-SHA-256-PLUS,
				# SCRAM-SHA-256, SCRAM-SHA-1-PLUS, SCRAM-SHA-1, CRAM-MD5. Not included by default:
				# PLAIN. Specify the strongest mechanism known to be implemented by the server to
				# prevent mechanism downgrade attacks. (optional)
				Mechanisms:
					-

		# SMTP over a plain connection (possibly with STARTTLS), typically for
		# old-fashioned unauthenticated relaying to a remote queue. (optional)
		SMTP:

			# Host name to connect to and for verifying its TLS certificate.
			Host:

			# If unset or 0, the default port for submission(s)/smtp is used: 25 for SMTP, 465
			# for submissions (with TLS), 587 for submission (possibly with STARTTLS).
			# (optional)
			Port: 0

			# If set an unverifiable remote TLS certificate during STARTTLS is accepted.
			# (optional)
			STARTTLSInsecureSkipVerify: false

			# If set for submission or smtp transport, do not attempt STARTTLS on the
			# connection. Authentication credentials and messages will be transferred in clear
			# text. (optional)
			NoSTARTTLS: false

			# If set, authentication credentials for the remote server. (optional)
			Auth:
				Username:
				Password:

				# Allowed authentication mechanisms. Defaults to SCRAM-SHA-256-PLUS,
				# SCRAM-SHA-256, SCRAM-SHA-1-PLUS, SCRAM-SHA-1, CRAM-MD5. Not included by default:
				# PLAIN. Specify the strongest mechanism known to be implemented by the server to
				# prevent mechanism downgrade attacks. (optional)
				Mechanisms:
					-

		# Like regular direct delivery, but makes outgoing connections through a SOCKS
		# proxy. (optional)
		Socks:

			# Address of SOCKS proxy, of the form host:port or ip:port.
			Address:

			# IP addresses connections from the SOCKS server will originate from. This IP
			# addresses should be configured in the SPF record (keep in mind DNS record time
			# to live (TTL) when adding a SOCKS proxy). Reverse DNS should be set up for these
			# address, resolving to RemoteHostname. These are typically the IPv4 and IPv6
			# address for the host in the Address field.
			RemoteIPs:
				-

			# Hostname belonging to RemoteIPs. This name is used during in SMTP EHLO. This is
			# typically the hostname of the host in the Address field.
			RemoteHostname:

		# Like regular direct delivery, but allows to tweak outgoing connections.
		# (optional)
		Direct:

			# If set, outgoing SMTP connections will *NOT* use IPv4 addresses to connect to
			# remote SMTP servers. (optional)
			DisableIPv4: false

			# If set, outgoing SMTP connections will *NOT* use IPv6 addresses to connect to
			# remote SMTP servers. (optional)
			DisableIPv6: false

# Do not send DMARC reports (aggregate only). By default, aggregate reports on
# DMARC evaluations are sent to domains if their DMARC policy requests them.
# Reports are sent at whole hours, with a minimum of 1 hour and maximum of 24
# hours, rounded up so a whole number of intervals cover 24 hours, aligned at
# whole days in UTC. Reports are sent from the postmaster@<mailhostname> address.
# (optional)
NoOutgoingDMARCReports: false

# Do not send TLS reports. By default, reports about failed SMTP STARTTLS
# connections and related MTA-STS/DANE policies are sent to domains if their
# TLSRPT DNS record requests them. Reports covering a 24 hour UTC interval are
# sent daily. Reports are sent from the postmaster address of the configured
# domain the mailhostname is in. If there is no such domain, or it does not have
# DKIM configured, no reports are sent. (optional)
NoOutgoingTLSReports: false

# Also send TLS reports if there were no SMTP STARTTLS connection failures. By
# default, reports are only sent when at least one failure occurred. If a report
# is sent, it does always include the successful connection counts as well.
# (optional)
OutgoingTLSReportsForAllSuccess: false

# Default maximum total message size in bytes for each individual account, only
# applicable if greater than zero. Can be overridden per account. Attempting to
# add new messages to an account beyond its maximum total size will result in an
# error. Useful to prevent a single account from filling storage. The quota only
# applies to the email message files, not to any file system overhead and also not
# the message index database file (account for approximately 15% overhead).
# (optional)
QuotaMessageSize: 0

domains.conf

# NOTE: This config file is in 'sconf' format. Indent with tabs. Comments must be
# on their own line, they don't end a line. Do not escape or quote strings.
# Details: https://pkg.go.dev/github.com/mjl-/sconf.

# Domains for which email is accepted. For internationalized domains, use their
# IDNA names in UTF-8.
Domains:
	x:

		# Free-form description of domain. (optional)
		Description:

		# Hostname for client settings instead of the mail server hostname. E.g.
		# mail.<domain>. For future migration to another mail operator without requiring
		# all clients to update their settings, it is convenient to have client settings
		# that reference a subdomain of the hosted domain instead of the hostname of the
		# server where the mail is currently hosted. If empty, the hostname of the mail
		# server is used for client configurations. Unicode name. (optional)
		ClientSettingsDomain:

		# If not empty, only the string before the separator is used to for email delivery
		# decisions. For example, if set to "+", you+anything@example.com will be
		# delivered to you@example.com. (optional)
		LocalpartCatchallSeparator:

		# If set, upper/lower case is relevant for email delivery. (optional)
		LocalpartCaseSensitive: false

		# With DKIM signing, a domain is taking responsibility for (content of) emails it
		# sends, letting receiving mail servers build up a (hopefully positive) reputation
		# of the domain, which can help with mail delivery. (optional)
		DKIM:

			# Emails can be DKIM signed. Config parameters are per selector. A DNS record must
			# be created for each selector. Add the name to Sign to use the selector for
			# signing messages.
			Selectors:
				x:

					# sha256 (default) or (older, not recommended) sha1. (optional)
					Hash:

					# (optional)
					Canonicalization:

						# If set, some modifications to the headers (mostly whitespace) are allowed.
						HeaderRelaxed: false

						# If set, some whitespace modifications to the message body are allowed.
						BodyRelaxed: false

					# Headers to sign with DKIM. If empty, a reasonable default set of headers is
					# selected. (optional)
					Headers:
						-

					# If set, don't prevent duplicate headers from being added. Not recommended.
					# (optional)
					DontSealHeaders: false

					# Period a signature is valid after signing, as duration, e.g. 72h. The period
					# should be enough for delivery at the final destination, potentially with several
					# hops/relays. In the order of days at least. (optional)
					Expiration:

					# Either an RSA or ed25519 private key file in PKCS8 PEM form.
					PrivateKeyFile:

			# List of selectors that emails will be signed with. (optional)
			Sign:
				-

		# With DMARC, a domain publishes, in DNS, a policy on how other mail servers
		# should handle incoming messages with the From-header matching this domain and/or
		# subdomain (depending on the configured alignment). Receiving mail servers use
		# this to build up a reputation of this domain, which can help with mail delivery.
		# A domain can also publish an email address to which reports about DMARC
		# verification results can be sent by verifying mail servers, useful for
		# monitoring. Incoming DMARC reports are automatically parsed, validated, added to
		# metrics and stored in the reporting database for later display in the admin web
		# pages. (optional)
		DMARC:

			# Address-part before the @ that accepts DMARC reports. Must be
			# non-internationalized. Recommended value: dmarc-reports.
			Localpart:

			# Alternative domain for reporting address, for incoming reports. Typically empty,
			# causing the domain wherein this config exists to be used. Can be used to receive
			# reports for domains that aren't fully hosted on this server. Configure such a
			# domain as a hosted domain without making all the DNS changes, and configure this
			# field with a domain that is fully hosted on this server, so the localpart and
			# the domain of this field form a reporting address. Then only update the DMARC
			# DNS record for the not fully hosted domain, ensuring the reporting address is
			# specified in its "rua" field as shown in the suggested DNS settings. Unicode
			# name. (optional)
			Domain:

			# Account to deliver to.
			Account:

			# Mailbox to deliver to, e.g. DMARC.
			Mailbox:

		# MTA-STS is a mechanism that allows publishing a policy with requirements for
		# WebPKI-verified SMTP STARTTLS connections for email delivered to a domain.
		# Existence of a policy is announced in a DNS TXT record (often
		# unprotected/unverified, MTA-STS's weak spot). If a policy exists, it is fetched
		# with a WebPKI-verified HTTPS request. The policy can indicate that
		# WebPKI-verified SMTP STARTTLS is required, and which MX hosts (optionally with a
		# wildcard pattern) are allowd. MX hosts to deliver to are still taken from DNS
		# (again, not necessarily protected/verified), but messages will only be delivered
		# to domains matching the MX hosts from the published policy. Mail servers look up
		# the MTA-STS policy when first delivering to a domain, then keep a cached copy,
		# periodically checking the DNS record if a new policy is available, and fetching
		# and caching it if so. To update a policy, first serve a new policy with an
		# updated policy ID, then update the DNS record (not the other way around). To
		# remove an enforced policy, publish an updated policy with mode "none" for a long
		# enough period so all cached policies have been refreshed (taking DNS TTL and
		# policy max age into account), then remove the policy from DNS, wait for TTL to
		# expire, and stop serving the policy. (optional)
		MTASTS:

			# Policies are versioned. The version must be specified in the DNS record. If you
			# change a policy, first change it here to update the served policy, then update
			# the DNS record with the updated policy ID.
			PolicyID:

			# If set to "enforce", a remote SMTP server will not deliver email to us if it
			# cannot make a WebPKI-verified SMTP STARTTLS connection. In mode "testing",
			# deliveries can be done without verified TLS, but errors will be reported through
			# TLS reporting. In mode "none", verified TLS is not required, used for phasing
			# out an MTA-STS policy.
			Mode:

			# How long a remote mail server is allowed to cache a policy. Typically 1 or
			# several weeks.
			MaxAge: 0s

			# List of server names allowed for SMTP. If empty, the configured hostname is set.
			# Host names can contain a wildcard (*) as a leading label (matching a single
			# label, e.g. *.example matches host.example, not sub.host.example). (optional)
			MX:
				-

		# With TLSRPT a domain specifies in DNS where reports about encountered SMTP TLS
		# behaviour should be sent. Useful for monitoring. Incoming TLS reports are
		# automatically parsed, validated, added to metrics and stored in the reporting
		# database for later display in the admin web pages. (optional)
		TLSRPT:

			# Address-part before the @ that accepts TLSRPT reports. Recommended value:
			# tls-reports.
			Localpart:

			# Alternative domain for reporting address, for incoming reports. Typically empty,
			# causing the domain wherein this config exists to be used. Can be used to receive
			# reports for domains that aren't fully hosted on this server. Configure such a
			# domain as a hosted domain without making all the DNS changes, and configure this
			# field with a domain that is fully hosted on this server, so the localpart and
			# the domain of this field form a reporting address. Then only update the TLSRPT
			# DNS record for the not fully hosted domain, ensuring the reporting address is
			# specified in its "rua" field as shown in the suggested DNS settings. Unicode
			# name. (optional)
			Domain:

			# Account to deliver to.
			Account:

			# Mailbox to deliver to, e.g. TLSRPT.
			Mailbox:

		# Routes for delivering outgoing messages through the queue. Each delivery attempt
		# evaluates account routes, these domain routes and finally global routes. The
		# transport of the first matching route is used in the delivery attempt. If no
		# routes match, which is the default with no configured routes, messages are
		# delivered directly from the queue. (optional)
		Routes:
			-

				# Matches if the envelope from domain matches one of the configured domains, or if
				# the list is empty. If a domain starts with a dot, prefixes of the domain also
				# match. (optional)
				FromDomain:
					-

				# Like FromDomain, but matching against the envelope to domain. (optional)
				ToDomain:
					-

				# Matches if at least this many deliveries have already been attempted. This can
				# be used to attempt sending through a smarthost when direct delivery has failed
				# for several times. (optional)
				MinimumAttempts: 0
				Transport:

		# Aliases that cause messages to be delivered to one or more locally configured
		# addresses. Keys are localparts (encoded, as they appear in email addresses).
		# (optional)
		Aliases:
			x:

				# Expanded addresses to deliver to. These must currently be of addresses of local
				# accounts. To prevent duplicate messages, a member address that is also an
				# explicit recipient in the SMTP transaction will only have the message delivered
				# once. If the address in the message From header is a member, that member also
				# won't receive the message.
				Addresses:
					-

				# If true, anyone can send messages to the list. Otherwise only members, based on
				# message From address, which is assumed to be DMARC-like-verified. (optional)
				PostPublic: false

				# If true, members can see addresses of members. (optional)
				ListMembers: false

				# If true, members are allowed to send messages with this alias address in the
				# message From header. (optional)
				AllowMsgFrom: false

# Accounts represent mox users, each with a password and email address(es) to
# which email can be delivered (possibly at different domains). Each account has
# its own on-disk directory holding its messages and index database. An account
# name is not an email address.
Accounts:
	x:

		# Webhooks for events about outgoing deliveries. (optional)
		OutgoingWebhook:

			# URL to POST webhooks.
			URL:

			# If not empty, value of Authorization header to add to HTTP requests. (optional)
			Authorization:

			# Events to send outgoing delivery notifications for. If absent, all events are
			# sent. Valid values: delivered, suppressed, delayed, failed, relayed, expanded,
			# canceled, unrecognized. (optional)
			Events:
				-

		# Webhooks for events about incoming deliveries over SMTP. (optional)
		IncomingWebhook:

			# URL to POST webhooks to for incoming deliveries over SMTP.
			URL:

			# If not empty, value of Authorization header to add to HTTP requests. (optional)
			Authorization:

		# Login addresses that cause outgoing email to be sent with SMTP MAIL FROM
		# addresses with a unique id after the localpart catchall separator (which must be
		# enabled when addresses are specified here). Any delivery status notifications
		# (DSN, e.g. for bounces), can be related to the original message and recipient
		# with unique id's. You can login to an account with any valid email address,
		# including variants with the localpart catchall separator. You can use this
		# mechanism to both send outgoing messages with and without unique fromid for a
		# given email address. With the webapi and webmail, a unique id will be generated.
		# For submission, the id from the SMTP MAIL FROM command is used if present, and a
		# unique id is generated otherwise. (optional)
		FromIDLoginAddresses:
			-

		# Period to keep messages retired from the queue (delivered or failed) around.
		# Keeping retired messages is useful for maintaining the suppression list for
		# transactional email, for matching incoming DSNs to sent messages, and for
		# debugging. The time at which to clean up (remove) is calculated at retire time.
		# E.g. 168h (1 week). (optional)
		KeepRetiredMessagePeriod: 0s

		# Period to keep webhooks retired from the queue (delivered or failed) around.
		# Useful for debugging. The time at which to clean up (remove) is calculated at
		# retire time. E.g. 168h (1 week). (optional)
		KeepRetiredWebhookPeriod: 0s

		# Default domain for account. Deprecated behaviour: If a destination is not a full
		# address but only a localpart, this domain is added to form a full address.
		Domain:

		# Free form description, e.g. full name or alternative contact info. (optional)
		Description:

		# Full name, to use in message From header when composing messages in webmail. Can
		# be overridden per destination. (optional)
		FullName:

		# Destinations, keys are email addresses (with IDNA domains). All destinations are
		# allowed for logging in with IMAP/SMTP/webmail. If no destinations are
		# configured, the account can not login. If the address is of the form '@domain',
		# i.e. with localpart missing, it serves as a catchall for the domain, matching
		# all messages that are not explicitly configured. Deprecated behaviour: If the
		# address is not a full address but a localpart, it is combined with Domain to
		# form a full address. (optional)
		Destinations:
			x:

				# Mailbox to deliver to if none of Rulesets match. Default: Inbox. (optional)
				Mailbox:

				# Delivery rules based on message and SMTP transaction. You may want to match each
				# mailing list by SMTP MailFrom address, VerifiedDomain and/or List-ID header
				# (typically <listname.example.org> if the list address is listname@example.org),
				# delivering them to their own mailbox. (optional)
				Rulesets:
					-

						# Matches if this regular expression matches (a substring of) the SMTP MAIL FROM
						# address (not the message From-header). E.g. '^user@example\.org$'. (optional)
						SMTPMailFromRegexp:

						# Matches if this regular expression matches (a substring of) the single address
						# in the message From header. (optional)
						MsgFromRegexp:

						# Matches if this domain matches an SPF- and/or DKIM-verified (sub)domain.
						# (optional)
						VerifiedDomain:

						# Matches if these header field/value regular expressions all match (substrings
						# of) the message headers. Header fields and valuees are converted to lower case
						# before matching. Whitespace is trimmed from the value before matching. A header
						# field can occur multiple times in a message, only one instance has to match. For
						# mailing lists, you could match on ^list-id$ with the value typically the mailing
						# list address in angled brackets with @ replaced with a dot, e.g.
						# <name\.lists\.example\.org>. (optional)
						HeadersRegexp:
							x:

						# Influences spam filtering only, this option does not change whether a message
						# matches this ruleset. Can only be used together with SMTPMailFromRegexp and
						# VerifiedDomain. SMTPMailFromRegexp must be set to the address used to deliver
						# the forwarded message, e.g. '^user(|\+.*)@forward\.example$'. Changes to junk
						# analysis: 1. Messages are not rejected for failing a DMARC policy, because a
						# legitimate forwarded message without valid/intact/aligned DKIM signature would
						# be rejected because any verified SPF domain will be 'unaligned', of the
						# forwarding mail server. 2. The sending mail server IP address, and sending EHLO
						# and MAIL FROM domains and matching DKIM domain aren't used in future
						# reputation-based spam classifications (but other verified DKIM domains are)
						# because the forwarding server is not a useful spam signal for future messages.
						# (optional)
						IsForward: false

						# Influences spam filtering only, this option does not change whether a message
						# matches this ruleset. If this domain matches an SPF- and/or DKIM-verified
						# (sub)domain, the message is accepted without further spam checks, such as a junk
						# filter or DMARC reject evaluation. DMARC rejects should not apply for mailing
						# lists that are not configured to rewrite the From-header of messages that don't
						# have a passing DKIM signature of the From-domain. Otherwise, by rejecting
						# messages, you may be automatically unsubscribed from the mailing list. The
						# assumption is that mailing lists do their own spam filtering/moderation.
						# (optional)
						ListAllowDomain:

						# Influences spam filtering only, this option does not change whether a message
						# matches this ruleset. If a message is classified as spam, it isn't rejected
						# during the SMTP transaction (the normal behaviour), but accepted during the SMTP
						# transaction and delivered to the specified mailbox. The specified mailbox is not
						# automatically cleaned up like the account global Rejects mailbox, unless set to
						# that Rejects mailbox. (optional)
						AcceptRejectsToMailbox:

						# Mailbox to deliver to if this ruleset matches.
						Mailbox:

						# Free-form comments. (optional)
						Comment:

				# Full name to use in message From header when composing messages coming from this
				# address with webmail. (optional)
				FullName:

		# If configured, messages classified as weakly spam are rejected with instructions
		# to retry delivery, but this time with a signed token added to the subject.
		# During the next delivery attempt, the signed token will bypass the spam filter.
		# Messages with a clear spam signal, such as a known bad reputation, are
		# rejected/delayed without a signed token. (optional)
		SubjectPass:

			# How long unique values are accepted after generating, e.g. 12h.
			Period: 0s

		# Default maximum total message size in bytes for the account, overriding any
		# globally configured default maximum size if non-zero. A negative value can be
		# used to have no limit in case there is a limit by default. Attempting to add new
		# messages to an account beyond its maximum total size will result in an error.
		# Useful to prevent a single account from filling storage. (optional)
		QuotaMessageSize: 0

		# Mail that looks like spam will be rejected, but a copy can be stored temporarily
		# in a mailbox, e.g. Rejects. If mail isn't coming in when you expect, you can
		# look there. The mail still isn't accepted, so the remote mail server may retry
		# (hopefully, if legitimate), or give up (hopefully, if indeed a spammer).
		# Messages are automatically removed from this mailbox, so do not set it to a
		# mailbox that has messages you want to keep. (optional)
		RejectsMailbox:

		# Don't automatically delete mail in the RejectsMailbox listed above. This can be
		# useful, e.g. for future spam training. It can also cause storage to fill up.
		# (optional)
		KeepRejects: false

		# Automatically set $Junk and $NotJunk flags based on mailbox messages are
		# delivered/moved/copied to. Email clients typically have too limited
		# functionality to conveniently set these flags, especially $NonJunk, but they can
		# all move messages to a different mailbox, so this helps them. (optional)
		AutomaticJunkFlags:

			# If enabled, junk/nonjunk flags will be set automatically if they match some of
			# the regular expressions. When two of the three mailbox regular expressions are
			# set, the remaining one will match all unmatched messages. Messages are matched
			# in the order 'junk', 'neutral', 'not junk', and the search stops on the first
			# match. Mailboxes are lowercased before matching.
			Enabled: false

			# Example: ^(junk|spam). (optional)
			JunkMailboxRegexp:

			# Example: ^(inbox|neutral|postmaster|dmarc|tlsrpt|rejects), and you may wish to
			# add trash depending on how you use it, or leave this empty. (optional)
			NeutralMailboxRegexp:

			# Example: .* or an empty string. (optional)
			NotJunkMailboxRegexp:

		# Content-based filtering, using the junk-status of individual messages to rank
		# words in such messages as spam or ham. It is recommended you always set the
		# applicable (non)-junk status on messages, and that you do not empty your Trash
		# because those messages contain valuable ham/spam training information.
		# (optional)
		JunkFilter:

			# Approximate spaminess score between 0 and 1 above which emails are rejected as
			# spam. Each delivery attempt adds a little noise to make it slightly harder for
			# spammers to identify words that strongly indicate non-spaminess and use it to
			# bypass the filter. E.g. 0.95.
			Threshold: 0.000000
			Params:

				# Track ham/spam ranking for single words. (optional)
				Onegrams: false

				# Track ham/spam ranking for each two consecutive words. (optional)
				Twograms: false

				# Track ham/spam ranking for each three consecutive words. (optional)
				Threegrams: false

				# Maximum power a word (combination) can have. If spaminess is 0.99, and max power
				# is 0.1, spaminess of the word will be set to 0.9. Similar for ham words.
				MaxPower: 0.000000

				# Number of most spammy/hammy words to use for calculating probability. E.g. 10.
				TopWords: 0

				# Ignore words that are this much away from 0.5 haminess/spaminess. E.g. 0.1,
				# causing word (combinations) of 0.4 to 0.6 to be ignored. (optional)
				IgnoreWords: 0.000000

				# Occurrences in word database until a word is considered rare and its influence
				# in calculating probability reduced. E.g. 1 or 2. (optional)
				RareWords: 0

		# Maximum number of outgoing messages for this account in a 24 hour window. This
		# limits the damage to recipients and the reputation of this mail server in case
		# of account compromise. Default 1000. (optional)
		MaxOutgoingMessagesPerDay: 0

		# Maximum number of first-time recipients in outgoing messages for this account in
		# a 24 hour window. This limits the damage to recipients and the reputation of
		# this mail server in case of account compromise. Default 200. (optional)
		MaxFirstTimeRecipientsPerDay: 0

		# Do not apply a delay to SMTP connections before accepting an incoming message
		# from a first-time sender. Can be useful for accounts that sends automated
		# responses and want instant replies. (optional)
		NoFirstTimeSenderDelay: false

		# Routes for delivering outgoing messages through the queue. Each delivery attempt
		# evaluates these account routes, domain routes and finally global routes. The
		# transport of the first matching route is used in the delivery attempt. If no
		# routes match, which is the default with no configured routes, messages are
		# delivered directly from the queue. (optional)
		Routes:
			-

				# Matches if the envelope from domain matches one of the configured domains, or if
				# the list is empty. If a domain starts with a dot, prefixes of the domain also
				# match. (optional)
				FromDomain:
					-

				# Like FromDomain, but matching against the envelope to domain. (optional)
				ToDomain:
					-

				# Matches if at least this many deliveries have already been attempted. This can
				# be used to attempt sending through a smarthost when direct delivery has failed
				# for several times. (optional)
				MinimumAttempts: 0
				Transport:

# Redirect all requests from domain (key) to domain (value). Always redirects to
# HTTPS. For plain HTTP redirects, use a WebHandler with a WebRedirect. (optional)
WebDomainRedirects:
	x:

# Handle webserver requests by serving static files, redirecting, reverse-proxying
# HTTP(s) or passing the request to an internal service. The first matching
# WebHandler will handle the request. Built-in system handlers, e.g. for ACME
# validation, autoconfig and mta-sts always run first. Built-in handlers for
# admin, account, webmail and webapi are evaluated after all handlers, including
# webhandlers (allowing for overrides of internal services for some domains). If
# no handler matches, the response status code is file not found (404). If
# webserver features are missing, forward the requests to an application that
# provides the needed functionality itself. (optional)
WebHandlers:
	-

		# Name to use in logging and metrics. (optional)
		LogName:

		# Both Domain and PathRegexp must match for this WebHandler to match a request.
		# Exactly one of WebStatic, WebRedirect, WebForward, WebInternal must be set.
		Domain:

		# Regular expression matched against request path, must always start with ^ to
		# ensure matching from the start of the path. The matching prefix can optionally
		# be stripped by WebForward. The regular expression does not have to end with $.
		PathRegexp:

		# If set, plain HTTP requests are not automatically permanently redirected (308)
		# to HTTPS. If you don't have a HTTPS webserver configured, set this to true.
		# (optional)
		DontRedirectPlainHTTP: false

		# Transparently compress responses (currently with gzip) if the client supports
		# it, the status is 200 OK, no Content-Encoding is set on the response yet and the
		# Content-Type of the response hints that the data is compressible (text/...,
		# specific application/... and .../...+json and .../...+xml). For static files
		# only, a cache with compressed files is kept. (optional)
		Compress: false

		# Serve static files. (optional)
		WebStatic:

			# Path to strip from the request URL before evaluating to a local path. If the
			# requested URL path does not start with this prefix and ContinueNotFound it is
			# considered non-matching and next WebHandlers are tried. If ContinueNotFound is
			# not set, a file not found (404) is returned in that case. (optional)
			StripPrefix:

			# Directory to serve files from for this handler. Keep in mind that relative paths
			# are relative to the working directory of mox.
			Root:

			# If set, and a directory is requested, and no index.html is present that can be
			# served, a file listing is returned. Results in 403 if ListFiles is not set. If a
			# directory is requested and the URL does not end with a slash, the response is a
			# redirect to the path with trailing slash. (optional)
			ListFiles: false

			# If a requested URL does not exist, don't return a file not found (404) response,
			# but consider this handler non-matching and continue attempts to serve with later
			# WebHandlers, which may be a reverse proxy generating dynamic content, possibly
			# even writing a static file for a next request to serve statically. If
			# ContinueNotFound is set, HTTP requests other than GET and HEAD do not match.
			# This mechanism can be used to implement the equivalent of 'try_files' in other
			# webservers. (optional)
			ContinueNotFound: false

			# Headers to add to the response. Useful for cache-control, content-type, etc. By
			# default, Content-Type headers are automatically added for recognized file types,
			# unless added explicitly through this setting. For directory listings, a
			# content-type header is skipped. (optional)
			ResponseHeaders:
				x:

		# Redirect requests to configured URL. (optional)
		WebRedirect:

			# Base URL to redirect to. The path must be empty and will be replaced, either by
			# the request URL path, or by OrigPathRegexp/ReplacePath. Scheme, host, port and
			# fragment stay intact, and query strings are combined. If empty, the response
			# redirects to a different path through OrigPathRegexp and ReplacePath, which must
			# then be set. Use a URL without scheme to redirect without changing the protocol,
			# e.g. //newdomain/. If a redirect would send a request to a URL with the same
			# scheme, host and path, the WebRedirect does not match so a next WebHandler can
			# be tried. This can be used to redirect all plain http traffic to https.
			# (optional)
			BaseURL:

			# Regular expression for matching path. If set and path does not match, a 404 is
			# returned. The HTTP path used for matching always starts with a slash. (optional)
			OrigPathRegexp:

			# Replacement path for destination URL based on OrigPathRegexp. Implemented with
			# Go's Regexp.ReplaceAllString: $1 is replaced with the text of the first
			# submatch, etc. If both OrigPathRegexp and ReplacePath are empty, BaseURL must be
			# set and all paths are redirected unaltered. (optional)
			ReplacePath:

			# Status code to use in redirect, e.g. 307. By default, a permanent redirect (308)
			# is returned. (optional)
			StatusCode: 0

		# Forward requests to another webserver, i.e. reverse proxy. (optional)
		WebForward:

			# Strip the matching WebHandler path from the WebHandler before forwarding the
			# request. (optional)
			StripPath: false

			# URL to forward HTTP requests to, e.g. http://127.0.0.1:8123/base. If StripPath
			# is false the full request path is added to the URL. Host headers are sent
			# unmodified. New X-Forwarded-{For,Host,Proto} headers are set. Any query string
			# in the URL is ignored. Requests are made using Go's net/http.DefaultTransport
			# that takes environment variables HTTP_PROXY and HTTPS_PROXY into account.
			# Websocket connections are forwarded and data is copied between client and
			# backend without looking at the framing. The websocket 'version' and
			# 'key'/'accept' headers are verified during the handshake, but other websocket
			# headers, including 'origin', 'protocol' and 'extensions' headers, are not
			# inspected and the backend is responsible for verifying/interpreting them.
			URL:

			# Headers to add to the response. Useful for adding security- and cache-related
			# headers. (optional)
			ResponseHeaders:
				x:

		# Pass request to internal service, like webmail, webapi, etc. (optional)
		WebInternal:

			# Path to use as root of internal service, e.g. /webmail/.
			BasePath:

			# Name of the service, values: admin, account, webmail, webapi.
			Service:

# Routes for delivering outgoing messages through the queue. Each delivery attempt
# evaluates account routes, domain routes and finally these global routes. The
# transport of the first matching route is used in the delivery attempt. If no
# routes match, which is the default with no configured routes, messages are
# delivered directly from the queue. (optional)
Routes:
	-

		# Matches if the envelope from domain matches one of the configured domains, or if
		# the list is empty. If a domain starts with a dot, prefixes of the domain also
		# match. (optional)
		FromDomain:
			-

		# Like FromDomain, but matching against the envelope to domain. (optional)
		ToDomain:
			-

		# Matches if at least this many deliveries have already been attempted. This can
		# be used to attempt sending through a smarthost when direct delivery has failed
		# for several times. (optional)
		MinimumAttempts: 0
		Transport:

# DNS blocklists to periodically check with if IPs we send from are present,
# without using them for checking incoming deliveries.. Also see DNSBLs in SMTP
# listeners in mox.conf, which specifies DNSBLs to use both for incoming
# deliveries and for checking our IPs against. Example DNSBLs: sbl.spamhaus.org,
# bl.spamcop.net. (optional)
MonitorDNSBLs:
	-

Examples

Mox includes configuration files to illustrate common setups. You can see these examples with "mox config example", and print a specific example with "mox config example <name>". Below are all examples included in mox.

Example webhandlers

# Snippet of domains.conf to configure WebDomainRedirects and WebHandlers.

# Redirect all requests for mox.example to https://www.mox.example.
WebDomainRedirects:
	mox.example: www.mox.example

# Each request is matched against these handlers until one matches and serves it.
WebHandlers:
	-
		# Redirect all plain http requests to https, leaving path, query strings, etc
		# intact. When the request is already to https, the destination URL would have the
		# same scheme, host and path, causing this redirect handler to not match the
		# request (and not cause a redirect loop) and the webserver to serve the request
		# with a later handler.
		LogName: redirhttps
		Domain: www.mox.example
		PathRegexp: ^/
		# Could leave DontRedirectPlainHTTP at false if it wasn't for this being an
		# example for doing this redirect.
		DontRedirectPlainHTTP: true
		WebRedirect:
			BaseURL: https://www.mox.example
	-
		# The name of the handler, used in logging and metrics.
		LogName: staticmjl
		# With ACME configured, each configured domain will automatically get a TLS
		# certificate on first request.
		Domain: www.mox.example
		PathRegexp: ^/who/mjl/
		WebStatic:
			StripPrefix: /who/mjl
			# Requested path /who/mjl/inferno/ resolves to local web/mjl/inferno.
			# If a directory contains an index.html, it is served when a directory is requested.
			Root: web/mjl
			# With ListFiles true, if a directory does not contain an index.html, the contents are listed.
			ListFiles: true
			ResponseHeaders:
				X-Mox: hi
	-
		LogName: redir
		Domain: www.mox.example
		PathRegexp: ^/redir/a/b/c
		# Don't redirect from plain HTTP to HTTPS.
		DontRedirectPlainHTTP: true
		WebRedirect:
			# Just change the domain and add query string set fragment. No change to scheme.
			# Path will start with /redir/a/b/c (and whathever came after) because no
			# OrigPathRegexp+ReplacePath is set.
			BaseURL: //moxest.example?q=1#frag
			# Default redirection is 308 - Permanent Redirect.
			StatusCode: 307
	-
		LogName: oldnew
		Domain: www.mox.example
		PathRegexp: ^/old/
		WebRedirect:
			# Replace path, leaving rest of URL intact.
			OrigPathRegexp: ^/old/(.*)
			ReplacePath: /new/$1
	-
		LogName: app
		Domain: www.mox.example
		PathRegexp: ^/app/
		WebForward:
			# Strip the path matched by PathRegexp before forwarding the request. So original
			# request /app/api become just /api.
			StripPath: true
			# URL of backend, where requests are forwarded to. The path in the URL is kept,
			# so for incoming request URL /app/api, the outgoing request URL has path /app-v2/api.
			# Requests are made with Go's net/http DefaultTransporter, including using
			# HTTP_PROXY and HTTPS_PROXY environment variables.
			URL: http://127.0.0.1:8900/app-v2/
			# Add headers to response.
			ResponseHeaders:
				X-Frame-Options: deny
				X-Content-Type-Options: nosniff

Example transport

# Snippet for mox.conf, defining a transport called Example that connects on the
# SMTP submission with TLS port 465 ("submissions"), authenticating with
# SCRAM-SHA-256-PLUS (other providers may not support SCRAM-SHA-256-PLUS, but they
# typically do support the older CRAM-MD5).:

# Transport are mechanisms for delivering messages. Transports can be referenced
# from Routes in accounts, domains and the global configuration. There is always
# an implicit/fallback delivery transport doing direct delivery with SMTP from the
# outgoing message queue. Transports are typically only configured when using
# smarthosts, i.e. when delivering through another SMTP server. Zero or one
# transport methods must be set in a transport, never multiple. When using an
# external party to send email for a domain, keep in mind you may have to add
# their IP address to your domain's SPF record, and possibly additional DKIM
# records. (optional)
Transports:
	Example:
		# Submission SMTP over a TLS connection to submit email to a remote queue.
		# (optional)
		Submissions:
			# Host name to connect to and for verifying its TLS certificate.
			Host: smtp.example.com

			# If set, authentication credentials for the remote server. (optional)
			Auth:
				Username: user@example.com
				Password: test1234
				Mechanisms:
					# Allowed authentication mechanisms. Defaults to SCRAM-SHA-256-PLUS,
					# SCRAM-SHA-256, SCRAM-SHA-1-PLUS, SCRAM-SHA-1, CRAM-MD5. Not included by default:
					# PLAIN. Specify the strongest mechanism known to be implemented by the server to
					# prevent mechanism downgrade attacks. (optional)

					- SCRAM-SHA-256-PLUS

# Snippet for domains.conf, specifying a route that sends through the transport:

# Routes for delivering outgoing messages through the queue. Each delivery attempt
# evaluates account routes, domain routes and finally these global routes. The
# transport of the first matching route is used in the delivery attempt. If no
# routes match, which is the default with no configured routes, messages are
# delivered directly from the queue. (optional)
Routes:
	-
		Transport: Example

Index

Constants

View Source
const DefaultMaxMsgSize = 100 * 1024 * 1024

DefaultMaxMsgSize is the maximum message size for incoming and outgoing messages, in bytes. Can be overridden per listener.

Variables

This section is empty.

Functions

func Port

func Port(port, fallback int) int

Port returns port if non-zero, and fallback otherwise.

Types

type ACME

type ACME struct {
	DirectoryURL           string                  `sconf-doc:"For letsencrypt, use https://acme-v02.api.letsencrypt.org/directory."`
	RenewBefore            time.Duration           `sconf:"optional" sconf-doc:"How long before expiration to renew the certificate. Default is 30 days."`
	ContactEmail           string                  `` /* 289-byte string literal not displayed */
	Port                   int                     `` /* 525-byte string literal not displayed */
	IssuerDomainName       string                  `` /* 239-byte string literal not displayed */
	ExternalAccountBinding *ExternalAccountBinding `` /* 332-byte string literal not displayed */

	Manager *autotls.Manager `sconf:"-" json:"-"`
}

type Account

type Account struct {
	OutgoingWebhook          *OutgoingWebhook `sconf:"optional" sconf-doc:"Webhooks for events about outgoing deliveries."`
	IncomingWebhook          *IncomingWebhook `sconf:"optional" sconf-doc:"Webhooks for events about incoming deliveries over SMTP."`
	FromIDLoginAddresses     []string         `` /* 763-byte string literal not displayed */
	KeepRetiredMessagePeriod time.Duration    `` /* 355-byte string literal not displayed */
	KeepRetiredWebhookPeriod time.Duration    `` /* 216-byte string literal not displayed */

	Domain             string                 `` /* 167-byte string literal not displayed */
	Description        string                 `sconf:"optional" sconf-doc:"Free form description, e.g. full name or alternative contact info."`
	FullName           string                 `` /* 140-byte string literal not displayed */
	Destinations       map[string]Destination `` /* 513-byte string literal not displayed */
	SubjectPass        SubjectPass            `` /* 376-byte string literal not displayed */
	QuotaMessageSize   int64                  `` /* 398-byte string literal not displayed */
	RejectsMailbox     string                 `` /* 458-byte string literal not displayed */
	KeepRejects        bool                   `` /* 185-byte string literal not displayed */
	AutomaticJunkFlags AutomaticJunkFlags     `` /* 312-byte string literal not displayed */
	JunkFilter         *JunkFilter            `` // todo: sane defaults for junkfilter
	/* 332-byte string literal not displayed */
	MaxOutgoingMessagesPerDay    int     `` /* 223-byte string literal not displayed */
	MaxFirstTimeRecipientsPerDay int     `` /* 247-byte string literal not displayed */
	NoFirstTimeSenderDelay       bool    `` /* 216-byte string literal not displayed */
	Routes                       []Route `` /* 373-byte string literal not displayed */

	DNSDomain                  dns.Domain     `sconf:"-"` // Parsed form of Domain.
	JunkMailbox                *regexp.Regexp `sconf:"-" json:"-"`
	NeutralMailbox             *regexp.Regexp `sconf:"-" json:"-"`
	NotJunkMailbox             *regexp.Regexp `sconf:"-" json:"-"`
	ParsedFromIDLoginAddresses []smtp.Address `sconf:"-" json:"-"`
	Aliases                    []AddressAlias `sconf:"-"`
}

type AddressAlias added in v0.0.11

type AddressAlias struct {
	SubscriptionAddress string
	Alias               Alias    // Without members.
	MemberAddresses     []string // Only if allowed to see.
}

type Alias added in v0.0.11

type Alias struct {
	Addresses    []string `` /* 350-byte string literal not displayed */
	PostPublic   bool     `` /* 174-byte string literal not displayed */
	ListMembers  bool     `sconf:"optional" sconf-doc:"If true, members can see addresses of members."`
	AllowMsgFrom bool     `` /* 126-byte string literal not displayed */

	LocalpartStr    string         `sconf:"-"` // In encoded form.
	Domain          dns.Domain     `sconf:"-"`
	ParsedAddresses []AliasAddress `sconf:"-"` // Matches addresses.
}

type AliasAddress added in v0.0.11

type AliasAddress struct {
	Address     smtp.Address // Parsed address.
	AccountName string       // Looked up.
	Destination Destination  // Belonging to address.
}

type AutomaticJunkFlags added in v0.0.11

type AutomaticJunkFlags struct {
	Enabled              bool   `` /* 375-byte string literal not displayed */
	JunkMailboxRegexp    string `sconf:"optional" sconf-doc:"Example: ^(junk|spam)."`
	NeutralMailboxRegexp string `` /* 167-byte string literal not displayed */
	NotJunkMailboxRegexp string `sconf:"optional" sconf-doc:"Example: .* or an empty string."`
}

type Canonicalization added in v0.0.11

type Canonicalization struct {
	HeaderRelaxed bool `sconf-doc:"If set, some modifications to the headers (mostly whitespace) are allowed."`
	BodyRelaxed   bool `sconf-doc:"If set, some whitespace modifications to the message body are allowed."`
}

type DKIM

type DKIM struct {
	Selectors map[string]Selector `` /* 185-byte string literal not displayed */
	Sign      []string            `sconf:"optional" sconf-doc:"List of selectors that emails will be signed with."`
}

type DMARC

type DMARC struct {
	Localpart string `` /* 130-byte string literal not displayed */
	Domain    string `` /* 668-byte string literal not displayed */
	Account   string `sconf-doc:"Account to deliver to."`
	Mailbox   string `sconf-doc:"Mailbox to deliver to, e.g. DMARC."`

	ParsedLocalpart smtp.Localpart `sconf:"-"`
	DNSDomain       dns.Domain     `sconf:"-"` // Effective domain, always set based on Domain field or Domain where this is configured.
}

type Destination

type Destination struct {
	Mailbox  string    `sconf:"optional" sconf-doc:"Mailbox to deliver to if none of Rulesets match. Default: Inbox."`
	Rulesets []Ruleset `` /* 303-byte string literal not displayed */
	FullName string    `` /* 131-byte string literal not displayed */

	DMARCReports     bool `sconf:"-" json:"-"`
	HostTLSReports   bool `sconf:"-" json:"-"`
	DomainTLSReports bool `sconf:"-" json:"-"`
}

func (Destination) Equal

func (d Destination) Equal(o Destination) bool

Equal returns whether d and o are equal, only looking at their user-changeable fields.

type Domain

type Domain struct {
	Description                string           `sconf:"optional" sconf-doc:"Free-form description of domain."`
	ClientSettingsDomain       string           `` /* 470-byte string literal not displayed */
	LocalpartCatchallSeparator string           `` /* 213-byte string literal not displayed */
	LocalpartCaseSensitive     bool             `sconf:"optional" sconf-doc:"If set, upper/lower case is relevant for email delivery."`
	DKIM                       DKIM             `` /* 239-byte string literal not displayed */
	DMARC                      *DMARC           `` /* 654-byte string literal not displayed */
	MTASTS                     *MTASTS          `` /* 1297-byte string literal not displayed */
	TLSRPT                     *TLSRPT          `` /* 310-byte string literal not displayed */
	Routes                     []Route          `` /* 373-byte string literal not displayed */
	Aliases                    map[string]Alias `` /* 183-byte string literal not displayed */

	Domain                  dns.Domain `sconf:"-"`
	ClientSettingsDNSDomain dns.Domain `sconf:"-" json:"-"`

	// Set when DMARC and TLSRPT (when set) has an address with different domain (we're
	// hosting the reporting), and there are no destination addresses configured for
	// the domain. Disables some functionality related to hosting a domain.
	ReportsOnly bool `sconf:"-" json:"-"`
}

type Dynamic

type Dynamic struct {
	Domains            map[string]Domain  `` /* 320-byte string literal not displayed */
	Accounts           map[string]Account `` /* 274-byte string literal not displayed */
	WebDomainRedirects map[string]string  `` /* 177-byte string literal not displayed */
	WebHandlers        []WebHandler       `` /* 683-byte string literal not displayed */
	Routes             []Route            `` /* 373-byte string literal not displayed */
	MonitorDNSBLs      []string           `` /* 347-byte string literal not displayed */

	WebDNSDomainRedirects map[dns.Domain]dns.Domain `sconf:"-" json:"-"`
	MonitorDNSBLZones     []dns.Domain              `sconf:"-"`
	ClientSettingDomains  map[dns.Domain]struct{}   `sconf:"-" json:"-"`
}

Dynamic is the parsed form of domains.conf, and is automatically reloaded when changed.

type ExternalAccountBinding added in v0.0.9

type ExternalAccountBinding struct {
	KeyID   string `sconf-doc:"Key identifier, from ACME provider."`
	KeyFile string `` /* 253-byte string literal not displayed */
}

type IncomingWebhook added in v0.0.11

type IncomingWebhook struct {
	URL           string `sconf-doc:"URL to POST webhooks to for incoming deliveries over SMTP."`
	Authorization string `sconf:"optional" sconf-doc:"If not empty, value of Authorization header to add to HTTP requests."`
}

type InitialMailboxes added in v0.0.6

type InitialMailboxes struct {
	SpecialUse SpecialUseMailboxes `sconf:"optional" sconf-doc:"Special-use roles to mailbox to create."`
	Regular    []string            `sconf:"optional" sconf-doc:"Regular, non-special-use mailboxes to create."`
}

InitialMailboxes are mailboxes created for a new account.

type JunkFilter

type JunkFilter struct {
	Threshold float64 `` /* 277-byte string literal not displayed */
	junk.Params
}

type KeyCert added in v0.0.2

type KeyCert struct {
	CertFile string `sconf-doc:"Certificate including intermediate CA certificates, in PEM format."`
	KeyFile  string `` /* 131-byte string literal not displayed */
}

type Listener

type Listener struct {
	IPs            []string   ``                   /* 504-byte string literal not displayed */
	NATIPs         []string   ``                   /* 279-byte string literal not displayed */
	IPsNATed       bool       ``                   /* 145-byte string literal not displayed */
	Hostname       string     ``                   /* 258-byte string literal not displayed */
	HostnameDomain dns.Domain `sconf:"-" json:"-"` // Set when parsing config.

	TLS                *TLS  `sconf:"optional" sconf-doc:"For SMTP/IMAP STARTTLS, direct TLS and HTTPS connections."`
	SMTPMaxMessageSize int64 `sconf:"optional" sconf-doc:"Maximum size in bytes for incoming and outgoing messages. Default is 100MB."`
	SMTP               struct {
		Enabled         bool
		Port            int  `sconf:"optional" sconf-doc:"Default 25."`
		NoSTARTTLS      bool `sconf:"optional" sconf-doc:"Do not offer STARTTLS to secure the connection. Not recommended."`
		RequireSTARTTLS bool `` /* 325-byte string literal not displayed */
		NoRequireTLS    bool `` /* 361-byte string literal not displayed */

		DNSBLs []string `` /* 796-byte string literal not displayed */

		FirstTimeSenderDelay *time.Duration `` /* 129-byte string literal not displayed */

		DNSBLZones []dns.Domain `sconf:"-"`
	} `sconf:"optional"`
	Submission struct {
		Enabled           bool
		Port              int  `sconf:"optional" sconf-doc:"Default 587."`
		NoRequireSTARTTLS bool `` /* 146-byte string literal not displayed */
	} `` /* 218-byte string literal not displayed */
	Submissions struct {
		Enabled bool
		Port    int `sconf:"optional" sconf-doc:"Default 465."`
	} `sconf:"optional" sconf-doc:"SMTP over TLS for submitting email, by email applications. Requires a TLS config."`
	IMAP struct {
		Enabled           bool
		Port              int  `sconf:"optional" sconf-doc:"Default 143."`
		NoRequireSTARTTLS bool `sconf:"optional" sconf-doc:"Enable this only when the connection is otherwise encrypted (e.g. through a VPN)."`
	} `` /* 212-byte string literal not displayed */
	IMAPS struct {
		Enabled bool
		Port    int `sconf:"optional" sconf-doc:"Default 993."`
	} `sconf:"optional" sconf-doc:"IMAP over TLS for reading email, by email applications. Requires a TLS config."`
	AccountHTTP  WebService `` /* 170-byte string literal not displayed */
	AccountHTTPS WebService `sconf:"optional" sconf-doc:"Account web interface listener like AccountHTTP, but for HTTPS. Requires a TLS config."`
	AdminHTTP    WebService `` /* 328-byte string literal not displayed */
	AdminHTTPS   WebService `sconf:"optional" sconf-doc:"Admin web interface listener like AdminHTTP, but for HTTPS. Requires a TLS config."`
	WebmailHTTP  WebService `sconf:"optional" sconf-doc:"Webmail client, for reading email. Default path is /webmail/."`
	WebmailHTTPS WebService `sconf:"optional" sconf-doc:"Webmail client, like WebmailHTTP, but for HTTPS. Requires a TLS config."`
	WebAPIHTTP   WebService `sconf:"optional" sconf-doc:"Like WebAPIHTTP, but with plain HTTP, without TLS."`
	WebAPIHTTPS  WebService `` /* 138-byte string literal not displayed */
	MetricsHTTP  struct {
		Enabled bool
		Port    int `sconf:"optional" sconf-doc:"Default 8010."`
	} `sconf:"optional" sconf-doc:"Serve prometheus metrics, for monitoring. You should not enable this on a public IP."`
	PprofHTTP struct {
		Enabled bool
		Port    int `sconf:"optional" sconf-doc:"Default 8011."`
	} `sconf:"optional" sconf-doc:"Serve /debug/pprof/ for profiling a running mox instance. Do not enable this on a public IP!"`
	AutoconfigHTTPS struct {
		Enabled bool
		Port    int  `` /* 282-byte string literal not displayed */
		NonTLS  bool `` /* 159-byte string literal not displayed */
	} `` /* 152-byte string literal not displayed */
	MTASTSHTTPS struct {
		Enabled bool
		Port    int  `` /* 279-byte string literal not displayed */
		NonTLS  bool `` /* 156-byte string literal not displayed */
	} `sconf:"optional" sconf-doc:"Serve MTA-STS policies describing SMTP TLS requirements. Requires a TLS config."`
	WebserverHTTP struct {
		Enabled bool
		Port    int `sconf:"optional" sconf-doc:"Port for plain HTTP (non-TLS) webserver."`
	} `sconf:"optional" sconf-doc:"All configured WebHandlers will serve on an enabled listener."`
	WebserverHTTPS struct {
		Enabled bool
		Port    int `sconf:"optional" sconf-doc:"Port for HTTPS webserver."`
	} `` /* 190-byte string literal not displayed */
}

type MTASTS

type MTASTS struct {
	PolicyID string        `` /* 213-byte string literal not displayed */
	Mode     mtasts.Mode   `` /* 351-byte string literal not displayed */
	MaxAge   time.Duration `sconf-doc:"How long a remote mail server is allowed to cache a policy. Typically 1 or several weeks."`
	MX       []string      `` /* 252-byte string literal not displayed */

}

type OutgoingWebhook added in v0.0.11

type OutgoingWebhook struct {
	URL           string   `sconf-doc:"URL to POST webhooks."`
	Authorization string   `sconf:"optional" sconf-doc:"If not empty, value of Authorization header to add to HTTP requests."`
	Events        []string `` /* 209-byte string literal not displayed */
}

type Route added in v0.0.5

type Route struct {
	FromDomain      []string `` /* 194-byte string literal not displayed */
	ToDomain        []string `sconf:"optional" sconf-doc:"Like FromDomain, but matching against the envelope to domain."`
	MinimumAttempts int      `` /* 205-byte string literal not displayed */
	Transport       string   `sconf:"The transport used for delivering the message that matches requirements of the above fields."`

	FromDomainASCII   []string  `sconf:"-"`
	ToDomainASCII     []string  `sconf:"-"`
	ResolvedTransport Transport `sconf:"-" json:"-"`
}

type Ruleset

type Ruleset struct {
	SMTPMailFromRegexp string            `` /* 175-byte string literal not displayed */
	MsgFromRegexp      string            `` /* 135-byte string literal not displayed */
	VerifiedDomain     string            `sconf:"optional" sconf-doc:"Matches if this domain matches an SPF- and/or DKIM-verified (sub)domain."`
	HeadersRegexp      map[string]string `` /* 524-byte string literal not displayed */

	// todo: once we implement ARC, we can use dkim domains that we cannot verify but that the arc-verified forwarding mail server was able to verify.
	IsForward              bool   `` /* 872-byte string literal not displayed */
	ListAllowDomain        string `` /* 641-byte string literal not displayed */
	AcceptRejectsToMailbox string `` /* 446-byte string literal not displayed */

	Mailbox string `sconf-doc:"Mailbox to deliver to if this ruleset matches."`
	Comment string `sconf:"optional" sconf-doc:"Free-form comments."`

	SMTPMailFromRegexpCompiled *regexp.Regexp      `sconf:"-" json:"-"`
	MsgFromRegexpCompiled      *regexp.Regexp      `sconf:"-" json:"-"`
	VerifiedDNSDomain          dns.Domain          `sconf:"-"`
	HeadersRegexpCompiled      [][2]*regexp.Regexp `sconf:"-" json:"-"`
	ListAllowDNSDomain         dns.Domain          `sconf:"-"`
}

func (Ruleset) Equal

func (r Ruleset) Equal(o Ruleset) bool

Equal returns whether r and o are equal, only looking at their user-changeable fields.

type SMTPAuth added in v0.0.5

type SMTPAuth struct {
	Username   string
	Password   string
	Mechanisms []string `` /* 293-byte string literal not displayed */

	EffectiveMechanisms []string `sconf:"-" json:"-"`
}

SMTPAuth hold authentication credentials used when delivering messages through a smarthost.

type Selector

type Selector struct {
	Hash             string           `sconf:"optional" sconf-doc:"sha256 (default) or (older, not recommended) sha1."`
	HashEffective    string           `sconf:"-"`
	Canonicalization Canonicalization `sconf:"optional"`
	Headers          []string         `sconf:"optional" sconf-doc:"Headers to sign with DKIM. If empty, a reasonable default set of headers is selected."`
	HeadersEffective []string         `sconf:"-"` // Used when signing. Based on Headers from config, or the reasonable default.
	DontSealHeaders  bool             `sconf:"optional" sconf-doc:"If set, don't prevent duplicate headers from being added. Not recommended."`
	Expiration       string           `` /* 230-byte string literal not displayed */
	PrivateKeyFile   string           `sconf-doc:"Either an RSA or ed25519 private key file in PKCS8 PEM form."`

	Algorithm         string        `sconf:"-"`          // "ed25519", "rsa-*", based on private key.
	ExpirationSeconds int           `sconf:"-" json:"-"` // Parsed from Expiration.
	Key               crypto.Signer `sconf:"-" json:"-"` // As parsed with x509.ParsePKCS8PrivateKey.
	Domain            dns.Domain    `sconf:"-" json:"-"` // Of selector only, not FQDN.
}

type SpecialUseMailboxes added in v0.0.6

type SpecialUseMailboxes struct {
	Sent    string `sconf:"optional"`
	Archive string `sconf:"optional"`
	Trash   string `sconf:"optional"`
	Draft   string `sconf:"optional"`
	Junk    string `sconf:"optional"`
}

SpecialUseMailboxes holds mailbox names for special-use roles. Mail clients recognize these special-use roles, e.g. appending sent messages to whichever mailbox has the Sent special-use flag.

type Static

type Static struct {
	DataDir          string            `` /* 386-byte string literal not displayed */
	LogLevel         string            `` /* 291-byte string literal not displayed */
	PackageLogLevels map[string]string `` /* 171-byte string literal not displayed */
	User             string            `` /* 181-byte string literal not displayed */
	NoFixPermissions bool              `` /* 240-byte string literal not displayed */
	Hostname         string            `sconf-doc:"Full hostname of system, e.g. mail.<domain>"`
	HostnameDomain   dns.Domain        `sconf:"-" json:"-"` // Parsed form of hostname.
	CheckUpdates     bool              ``                   /* 267-byte string literal not displayed */
	Pedantic         bool              ``                   /* 163-byte string literal not displayed */
	TLS              struct {
		CA *struct {
			AdditionalToSystem bool     `sconf:"optional"`
			CertFiles          []string `sconf:"optional"`
		} `sconf:"optional"`
		CertPool *x509.CertPool `sconf:"-" json:"-"`
	} `` /* 151-byte string literal not displayed */
	ACME              map[string]ACME     `` /* 158-byte string literal not displayed */
	AdminPasswordFile string              `sconf:"optional" sconf-doc:"File containing hash of admin password, for authentication in the web admin pages (if enabled)."`
	Listeners         map[string]Listener `` /* 442-byte string literal not displayed */
	Postmaster        struct {
		Account string
		Mailbox string `sconf-doc:"E.g. Postmaster or Inbox."`
	} `` /* 260-byte string literal not displayed */
	HostTLSRPT struct {
		Account   string `sconf-doc:"Account to deliver TLS reports to. Typically same account as for postmaster."`
		Mailbox   string `sconf-doc:"Mailbox to deliver TLS reports to. Recommended value: TLSRPT."`
		Localpart string `sconf-doc:"Localpart at hostname to accept TLS reports at. Recommended value: tls-reports."`

		ParsedLocalpart smtp.Localpart `sconf:"-"`
	} `` /* 374-byte string literal not displayed */
	InitialMailboxes InitialMailboxes     `` /* 272-byte string literal not displayed */
	DefaultMailboxes []string             `` /* 249-byte string literal not displayed */
	Transports       map[string]Transport `` /* 653-byte string literal not displayed */
	// Awkward naming of fields to get intended default behaviour for zero values.
	NoOutgoingDMARCReports          bool  `` /* 412-byte string literal not displayed */
	NoOutgoingTLSReports            bool  `` /* 444-byte string literal not displayed */
	OutgoingTLSReportsForAllSuccess bool  `` /* 258-byte string literal not displayed */
	QuotaMessageSize                int64 `` /* 497-byte string literal not displayed */

	// All IPs that were explicitly listened on for external SMTP. Only set when there
	// are no unspecified external SMTP listeners and there is at most one for IPv4 and
	// at most one for IPv6. Used for setting the local address when making outgoing
	// connections. Those IPs are assumed to be in an SPF record for the domain,
	// potentially unlike other IPs on the machine.  If there is only one address
	// family, outgoing connections with the other address family are still made if
	// possible.
	SpecifiedSMTPListenIPs []net.IP `sconf:"-" json:"-"`

	// To switch to after initialization as root.
	UID uint32 `sconf:"-" json:"-"`
	GID uint32 `sconf:"-" json:"-"`
}

Static is a parsed form of the mox.conf configuration file, before converting it into a mox.Config after additional processing.

type SubjectPass added in v0.0.11

type SubjectPass struct {
	Period time.Duration `sconf-doc:"How long unique values are accepted after generating, e.g. 12h."` // todo: have a reasonable default for this?
}

type TLS

type TLS struct {
	ACME                string    `sconf:"optional" sconf-doc:"Name of provider from top-level configuration to use for ACME, e.g. letsencrypt."`
	KeyCerts            []KeyCert `` /* 394-byte string literal not displayed */
	MinVersion          string    `sconf:"optional" sconf-doc:"Minimum TLS version. Default: TLSv1.2."`
	HostPrivateKeyFiles []string  `` /* 640-byte string literal not displayed */

	Config                   *tls.Config     `sconf:"-" json:"-"` // TLS config for non-ACME-verification connections, i.e. SMTP and IMAP, and not port 443. Connections without SNI will use a certificate for the hostname of the listener, connections with an SNI hostname that isn't allowed will be rejected.
	ConfigFallback           *tls.Config     `sconf:"-" json:"-"` // Like Config, but uses the certificate for the listener hostname when the requested SNI hostname is not allowed, instead of causing the connection to fail.
	ACMEConfig               *tls.Config     `sconf:"-" json:"-"` // TLS config that handles ACME verification, for serving on port 443.
	HostPrivateRSA2048Keys   []crypto.Signer `sconf:"-" json:"-"` // Private keys for new TLS certificates for listener host name, for new certificates with ACME, and for DANE records.
	HostPrivateECDSAP256Keys []crypto.Signer `sconf:"-" json:"-"`
}

type TLSRPT

type TLSRPT struct {
	Localpart string `sconf-doc:"Address-part before the @ that accepts TLSRPT reports. Recommended value: tls-reports."`
	Domain    string `` /* 669-byte string literal not displayed */
	Account   string `sconf-doc:"Account to deliver to."`
	Mailbox   string `sconf-doc:"Mailbox to deliver to, e.g. TLSRPT."`

	ParsedLocalpart smtp.Localpart `sconf:"-"`
	DNSDomain       dns.Domain     `sconf:"-"` // Effective domain, always set based on Domain field or Domain where this is configured.
}

type Transport added in v0.0.5

type Transport struct {
	Submissions *TransportSMTP   `sconf:"optional" sconf-doc:"Submission SMTP over a TLS connection to submit email to a remote queue."`
	Submission  *TransportSMTP   `` /* 132-byte string literal not displayed */
	SMTP        *TransportSMTP   `` /* 155-byte string literal not displayed */
	Socks       *TransportSocks  `sconf:"optional" sconf-doc:"Like regular direct delivery, but makes outgoing connections through a SOCKS proxy."`
	Direct      *TransportDirect `sconf:"optional" sconf-doc:"Like regular direct delivery, but allows to tweak outgoing connections."`
}

Transport is a method to delivery a message. At most one of the fields can be non-nil. The non-nil field represents the type of transport. For a transport with all fields nil, regular email delivery is done.

type TransportDirect added in v0.0.11

type TransportDirect struct {
	DisableIPv4 bool `` /* 127-byte string literal not displayed */
	DisableIPv6 bool `` /* 127-byte string literal not displayed */

	IPFamily string `sconf:"-" json:"-"`
}

type TransportSMTP added in v0.0.5

type TransportSMTP struct {
	Host                       string    `sconf-doc:"Host name to connect to and for verifying its TLS certificate."`
	Port                       int       `` /* 182-byte string literal not displayed */
	STARTTLSInsecureSkipVerify bool      `sconf:"optional" sconf-doc:"If set an unverifiable remote TLS certificate during STARTTLS is accepted."`
	NoSTARTTLS                 bool      `` /* 187-byte string literal not displayed */
	Auth                       *SMTPAuth `sconf:"optional" sconf-doc:"If set, authentication credentials for the remote server."`

	DNSHost dns.Domain `sconf:"-" json:"-"`
}

TransportSMTP delivers messages by "submission" (SMTP, typically authenticated) to the queue of a remote host (smarthost), or by relaying (SMTP, typically unauthenticated).

type TransportSocks added in v0.0.5

type TransportSocks struct {
	Address        string   `sconf-doc:"Address of SOCKS proxy, of the form host:port or ip:port."`
	RemoteIPs      []string `` /* 366-byte string literal not displayed */
	RemoteHostname string   `` /* 148-byte string literal not displayed */

	IPs      []net.IP   `sconf:"-" json:"-"` // Parsed form of RemoteIPs.
	Hostname dns.Domain `sconf:"-" json:"-"` // Parsed form of RemoteHostname
}

type WebForward added in v0.0.2

type WebForward struct {
	StripPath       bool              `sconf:"optional" sconf-doc:"Strip the matching WebHandler path from the WebHandler before forwarding the request."`
	URL             string            `` /* 763-byte string literal not displayed */
	ResponseHeaders map[string]string `sconf:"optional" sconf-doc:"Headers to add to the response. Useful for adding security- and cache-related headers."`

	TargetURL *url.URL `sconf:"-" json:"-"`
}

type WebHandler added in v0.0.2

type WebHandler struct {
	LogName               string       `sconf:"optional" sconf-doc:"Name to use in logging and metrics."`
	Domain                string       `` /* 165-byte string literal not displayed */
	PathRegexp            string       `` /* 246-byte string literal not displayed */
	DontRedirectPlainHTTP bool         `` /* 183-byte string literal not displayed */
	Compress              bool         `` /* 385-byte string literal not displayed */
	WebStatic             *WebStatic   `sconf:"optional" sconf-doc:"Serve static files."`
	WebRedirect           *WebRedirect `sconf:"optional" sconf-doc:"Redirect requests to configured URL."`
	WebForward            *WebForward  `sconf:"optional" sconf-doc:"Forward requests to another webserver, i.e. reverse proxy."`
	WebInternal           *WebInternal `sconf:"optional" sconf-doc:"Pass request to internal service, like webmail, webapi, etc."`

	Name      string         `sconf:"-"` // Either LogName, or numeric index if LogName was empty. Used instead of LogName in logging/metrics.
	DNSDomain dns.Domain     `sconf:"-"`
	Path      *regexp.Regexp `sconf:"-" json:"-"`
}

func (WebHandler) Equal added in v0.0.2

func (wh WebHandler) Equal(o WebHandler) bool

Equal returns if wh and o are equal, only looking at fields in the configuration file, not the derived fields.

type WebInternal added in v0.0.12

type WebInternal struct {
	BasePath string `sconf-doc:"Path to use as root of internal service, e.g. /webmail/."`
	Service  string `sconf-doc:"Name of the service, values: admin, account, webmail, webapi."`

	Handler http.Handler `sconf:"-" json:"-"`
}

type WebRedirect added in v0.0.2

type WebRedirect struct {
	BaseURL        string `` /* 654-byte string literal not displayed */
	OrigPathRegexp string `` /* 177-byte string literal not displayed */
	ReplacePath    string `` /* 304-byte string literal not displayed */
	StatusCode     int    `sconf:"optional" sconf-doc:"Status code to use in redirect, e.g. 307. By default, a permanent redirect (308) is returned."`

	URL      *url.URL       `sconf:"-" json:"-"`
	OrigPath *regexp.Regexp `sconf:"-" json:"-"`
}

type WebService added in v0.0.9

type WebService struct {
	Enabled   bool
	Port      int    `sconf:"optional" sconf-doc:"Default 80 for HTTP and 443 for HTTPS. See Hostname at Listener for hostname matching behaviour."`
	Path      string `sconf:"optional" sconf-doc:"Path to serve requests on."`
	Forwarded bool   `` /* 153-byte string literal not displayed */
}

WebService is an internal web interface: webmail, webaccount, webadmin, webapi.

type WebStatic added in v0.0.2

type WebStatic struct {
	StripPrefix      string            `` /* 320-byte string literal not displayed */
	Root             string            `` /* 138-byte string literal not displayed */
	ListFiles        bool              `` /* 310-byte string literal not displayed */
	ContinueNotFound bool              `` /* 507-byte string literal not displayed */
	ResponseHeaders  map[string]string `` /* 293-byte string literal not displayed */
}

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL