tailwart/acl-snippet.hujson

// tailwart — merge into your live Tailscale policy (admin console).
// Snippet, not a full policy. Kept here so an upstream pull of any other repo
// can't clobber it.

// 1) tagOwners — add (self-ownership required for auth-key node creation):
//    "tag:stalwart": ["autogroup:admin", "tag:stalwart"],

// 2) grants — Stalwart reaches the three shared backends:
{ "src": ["tag:stalwart"], "dst": ["tag:db-postgres"], "ip": ["tcp:5432"] },
{ "src": ["tag:stalwart"], "dst": ["tag:db-redis"],    "ip": ["tcp:6379"] },
{ "src": ["tag:stalwart"], "dst": ["tag:garage"],      "ip": ["tcp:3900"] },

// 3) grants — the edge proxy (tag:reverse-proxy) reaches the mailbox ports.
//    8080 is the JMAP/admin HTTP tier (fronted by the main L7 Caddy).
//    443 is Stalwart's HTTPS web listener; the edge L4-proxies the public
//    mta-sts/autoconfig/autodiscover SNIs to it (Stalwart terminates TLS with
//    its wildcard cert). PROXY protocol v2, same as the mail ports.
{
  "src": ["tag:reverse-proxy"],
  "dst": ["tag:stalwart"],
  "ip":  ["tcp:25", "tcp:465", "tcp:587", "tcp:143", "tcp:993", "tcp:443", "tcp:8080"],
},

// 4) grant — Stalwart initiates outbound relay to the smarthost (tag:mail).
//    Without this, the sidecar can RECEIVE but cannot INITIATE over the tailnet
//    (default-deny; the KVM host is a different identity and won't mask this).
//    Adjust dst/port to match your smarthost's tag and submission port.
{ "src": ["tag:stalwart"], "dst": ["tag:mail"], "ip": ["tcp:587"] },

// 5) admin console (not this file): assign tag:stalwart to the same OAuth
//    client federatedSocial uses, on the Devices/Core + Keys/AuthKeys scopes.
//    Missing → 403 "calling actor does not have enough permissions" at boot.
Scaffold tailwart: Stalwart mailbox as a Tailscale sidecar Over-engineered play stack for infinidim.net — Stalwart wired into the shared Postgres + Redis + Garage S3 over the tailnet, with no WAN presence. Public mail ports are fronted by a separate caddy-l4 layer-4 proxy (caddy/) that can run on any tailnet host tagged tag:reverse-proxy — decoupled from the mailbox. - docker-compose.yml: ts-stalwart sidecar + stalwart, backends via MagicDNS - config/config.toml: PG (data/fts) + Redis (lookup) + S3 (blob) strawman - caddy/: xcaddy build with caddy-l4, JSON layer-4 mail proxy, own compose - acl-snippet.hujson: tag:stalwart owner + backend/edge grants - .env.example + gitignored .env (pulled from shared infra) Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> 2026-06-03 22:25:38 -04:00			`// tailwart — merge into your live Tailscale policy (admin console).`
			`// Snippet, not a full policy. Kept here so an upstream pull of any other repo`
			`// can't clobber it.`

			`// 1) tagOwners — add (self-ownership required for auth-key node creation):`
			`// "tag:stalwart": ["autogroup:admin", "tag:stalwart"],`

			`// 2) grants — Stalwart reaches the three shared backends:`
			`{ "src": ["tag:stalwart"], "dst": ["tag:db-postgres"], "ip": ["tcp:5432"] },`
			`{ "src": ["tag:stalwart"], "dst": ["tag:db-redis"], "ip": ["tcp:6379"] },`
			`{ "src": ["tag:stalwart"], "dst": ["tag:garage"], "ip": ["tcp:3900"] },`

			`// 3) grants — the edge proxy (tag:reverse-proxy) reaches the mailbox ports.`
			`// 8080 is the JMAP/admin HTTP tier (fronted by the main L7 Caddy).`
Harden mail edge: PG-race healthcheck gate, :443 SNI fan-out, docs Fixes the root cause that was silently dropping Stalwart's cert/setting writes, completes the public HTTPS endpoints, and captures the debugging knowledge. - docker-compose.yml: gate the ts-stalwart healthcheck on Postgres reachability (nc -z the-record-prod:5432) in addition to tailscaled health. Stalwart's depends_on: service_healthy can no longer release it into the window where the tailnet route to Postgres isn't up yet — which was failing table init and losing in-flight cert writes (-> rcgen). - caddy/caddy.json + README: add the :443 SNI fan-out. mta-sts / autoconfig / autodiscover pass through to stalwart:443 (Stalwart terminates TLS with its wildcard cert; no proxy_protocol on :443). All other SNIs go to the box's web Caddy on :8443 (https_port 8443). L7 reverse_proxy is impossible here: CAA pins issuance to Stalwart's ACME account, so Caddy can't obtain its own cert for these names. - acl-snippet.hujson: grant tcp:443 on reverse-proxy -> stalwart for the SNI pass-through. - config/config.json: track the v0.16 bootstrap (commit-safe; the DB secret is an EnvironmentVariable reference, not inline). - LESSONS.md: symptom -> cause -> fix notes (PG race, DNS-01/Spaceship dead key, auto-ban vs PROXY protocol, wildcard-requires-DNS-01, SNI pass-through, ephemeral sidecar IP, LE rate-limit checks). - .gitignore: exclude _backup/ and _validate/ (DB dumps + an inline-secret config) and editor swap files. NEVER commit those. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> 2026-06-11 00:03:52 -04:00			`// 443 is Stalwart's HTTPS web listener; the edge L4-proxies the public`
			`// mta-sts/autoconfig/autodiscover SNIs to it (Stalwart terminates TLS with`
			`// its wildcard cert). PROXY protocol v2, same as the mail ports.`
Scaffold tailwart: Stalwart mailbox as a Tailscale sidecar Over-engineered play stack for infinidim.net — Stalwart wired into the shared Postgres + Redis + Garage S3 over the tailnet, with no WAN presence. Public mail ports are fronted by a separate caddy-l4 layer-4 proxy (caddy/) that can run on any tailnet host tagged tag:reverse-proxy — decoupled from the mailbox. - docker-compose.yml: ts-stalwart sidecar + stalwart, backends via MagicDNS - config/config.toml: PG (data/fts) + Redis (lookup) + S3 (blob) strawman - caddy/: xcaddy build with caddy-l4, JSON layer-4 mail proxy, own compose - acl-snippet.hujson: tag:stalwart owner + backend/edge grants - .env.example + gitignored .env (pulled from shared infra) Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> 2026-06-03 22:25:38 -04:00			`{`
			`"src": ["tag:reverse-proxy"],`
			`"dst": ["tag:stalwart"],`
Harden mail edge: PG-race healthcheck gate, :443 SNI fan-out, docs Fixes the root cause that was silently dropping Stalwart's cert/setting writes, completes the public HTTPS endpoints, and captures the debugging knowledge. - docker-compose.yml: gate the ts-stalwart healthcheck on Postgres reachability (nc -z the-record-prod:5432) in addition to tailscaled health. Stalwart's depends_on: service_healthy can no longer release it into the window where the tailnet route to Postgres isn't up yet — which was failing table init and losing in-flight cert writes (-> rcgen). - caddy/caddy.json + README: add the :443 SNI fan-out. mta-sts / autoconfig / autodiscover pass through to stalwart:443 (Stalwart terminates TLS with its wildcard cert; no proxy_protocol on :443). All other SNIs go to the box's web Caddy on :8443 (https_port 8443). L7 reverse_proxy is impossible here: CAA pins issuance to Stalwart's ACME account, so Caddy can't obtain its own cert for these names. - acl-snippet.hujson: grant tcp:443 on reverse-proxy -> stalwart for the SNI pass-through. - config/config.json: track the v0.16 bootstrap (commit-safe; the DB secret is an EnvironmentVariable reference, not inline). - LESSONS.md: symptom -> cause -> fix notes (PG race, DNS-01/Spaceship dead key, auto-ban vs PROXY protocol, wildcard-requires-DNS-01, SNI pass-through, ephemeral sidecar IP, LE rate-limit checks). - .gitignore: exclude _backup/ and _validate/ (DB dumps + an inline-secret config) and editor swap files. NEVER commit those. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> 2026-06-11 00:03:52 -04:00			`"ip": ["tcp:25", "tcp:465", "tcp:587", "tcp:143", "tcp:993", "tcp:443", "tcp:8080"],`
Scaffold tailwart: Stalwart mailbox as a Tailscale sidecar Over-engineered play stack for infinidim.net — Stalwart wired into the shared Postgres + Redis + Garage S3 over the tailnet, with no WAN presence. Public mail ports are fronted by a separate caddy-l4 layer-4 proxy (caddy/) that can run on any tailnet host tagged tag:reverse-proxy — decoupled from the mailbox. - docker-compose.yml: ts-stalwart sidecar + stalwart, backends via MagicDNS - config/config.toml: PG (data/fts) + Redis (lookup) + S3 (blob) strawman - caddy/: xcaddy build with caddy-l4, JSON layer-4 mail proxy, own compose - acl-snippet.hujson: tag:stalwart owner + backend/edge grants - .env.example + gitignored .env (pulled from shared infra) Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> 2026-06-03 22:25:38 -04:00			`},`

docs: capture outbound-relay lessons (IPv6/AAAA trap, SMTP port block, sidecar ACL) LESSONS.md gains 8-12: container has no IPv6 (AAAA fails before A, no fallback), host IPv6 != container IPv6, VPS blocks all outbound SMTP ports (relay over tailnet), sidecar needs a source ACL grant to initiate, and MtaRoute changes only take effect on restart. CLAUDE.md and .env.example warn that the smarthost address must be an IPv4 literal or tailnet IP, never a dual-stack hostname. acl-snippet adds the tag:stalwart -> tag:mail outbound grant. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> 2026-06-11 17:43:21 -04:00			`// 4) grant — Stalwart initiates outbound relay to the smarthost (tag:mail).`
			`// Without this, the sidecar can RECEIVE but cannot INITIATE over the tailnet`
			`// (default-deny; the KVM host is a different identity and won't mask this).`
			`// Adjust dst/port to match your smarthost's tag and submission port.`
			`{ "src": ["tag:stalwart"], "dst": ["tag:mail"], "ip": ["tcp:587"] },`

			`// 5) admin console (not this file): assign tag:stalwart to the same OAuth`
Scaffold tailwart: Stalwart mailbox as a Tailscale sidecar Over-engineered play stack for infinidim.net — Stalwart wired into the shared Postgres + Redis + Garage S3 over the tailnet, with no WAN presence. Public mail ports are fronted by a separate caddy-l4 layer-4 proxy (caddy/) that can run on any tailnet host tagged tag:reverse-proxy — decoupled from the mailbox. - docker-compose.yml: ts-stalwart sidecar + stalwart, backends via MagicDNS - config/config.toml: PG (data/fts) + Redis (lookup) + S3 (blob) strawman - caddy/: xcaddy build with caddy-l4, JSON layer-4 mail proxy, own compose - acl-snippet.hujson: tag:stalwart owner + backend/edge grants - .env.example + gitignored .env (pulled from shared infra) Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> 2026-06-03 22:25:38 -04:00			`// client federatedSocial uses, on the Devices/Core + Keys/AuthKeys scopes.`
			`// Missing → 403 "calling actor does not have enough permissions" at boot.`