{ "//": "Layer-4 mail edge for tailwart. Pipes raw TCP mail ports to the", "//2": "Stalwart sidecar over the tailnet, preserving client IP via PROXY", "//3": "protocol v2. One server per port (upstream port differs per listener).", "//4": "Stalwart terminates TLS itself — this is pure pass-through.", "//5": "Stalwart should accept PROXY headers only from this edge's tailnet address.", "apps": { "layer4": { "servers": { "smtp": { "listen": [":25"], "routes": [{ "handle": [{ "handler": "proxy", "proxy_protocol": "v2", "upstreams": [{ "dial": ["stalwart.tail7b1641.ts.net:25"] }] }]}] }, "submissions": { "listen": [":465"], "routes": [{ "handle": [{ "handler": "proxy", "proxy_protocol": "v2", "upstreams": [{ "dial": ["stalwart.tail7b1641.ts.net:465"] }] }]}] }, "submission": { "listen": [":587"], "routes": [{ "handle": [{ "handler": "proxy", "proxy_protocol": "v2", "upstreams": [{ "dial": ["stalwart.tail7b1641.ts.net:587"] }] }]}] }, "imap": { "listen": [":143"], "routes": [{ "handle": [{ "handler": "proxy", "proxy_protocol": "v2", "upstreams": [{ "dial": ["stalwart.tail7b1641.ts.net:143"] }] }]}] }, "imaptls": { "listen": [":993"], "routes": [{ "handle": [{ "handler": "proxy", "proxy_protocol": "v2", "upstreams": [{ "dial": ["stalwart.tail7b1641.ts.net:993"] }] }]}] }, "web": { "//": "SNI fan-out on the public :443. Stalwart's HTTPS web endpoints", "//2": "(MTA-STS policy, autoconfig, autodiscover) pass through to Stalwart,", "//3": "which terminates TLS with its wildcard cert — NO proxy_protocol here,", "//4": "unlike the mail ports above. Every other SNI falls to the box's own", "//5": "web Caddy on :8443 (set `https_port 8443` there). A mail-only standalone", "//6": "edge omits this server. See README — 'The HTTP side'.",
"listen": [":443"], "routes": [ { "match": [{ "tls": { "sni": ["mta-sts.infinidim.net", "autoconfig.infinidim.net", "autodiscover.infinidim.net"] } }], "handle": [{ "handler": "proxy", "upstreams": [{ "dial": ["stalwart.tail7b1641.ts.net:443"] }] }] }, { "handle": [{ "handler": "proxy", "upstreams": [{ "dial": ["127.0.0.1:8443"] }] }] } ] } } } } }