Wayne Hayes
38ba2eb83d
Fixes the root cause that was silently dropping Stalwart's cert/setting writes, completes the public HTTPS endpoints, and captures the debugging knowledge. - docker-compose.yml: gate the ts-stalwart healthcheck on Postgres reachability (nc -z the-record-prod:5432) in addition to tailscaled health. Stalwart's depends_on: service_healthy can no longer release it into the window where the tailnet route to Postgres isn't up yet — which was failing table init and losing in-flight cert writes (-> rcgen). - caddy/caddy.json + README: add the :443 SNI fan-out. mta-sts / autoconfig / autodiscover pass through to stalwart:443 (Stalwart terminates TLS with its wildcard cert; no proxy_protocol on :443). All other SNIs go to the box's web Caddy on :8443 (https_port 8443). L7 reverse_proxy is impossible here: CAA pins issuance to Stalwart's ACME account, so Caddy can't obtain its own cert for these names. - acl-snippet.hujson: grant tcp:443 on reverse-proxy -> stalwart for the SNI pass-through. - config/config.json: track the v0.16 bootstrap (commit-safe; the DB secret is an EnvironmentVariable reference, not inline). - LESSONS.md: symptom -> cause -> fix notes (PG race, DNS-01/Spaceship dead key, auto-ban vs PROXY protocol, wildcard-requires-DNS-01, SNI pass-through, ephemeral sidecar IP, LE rate-limit checks). - .gitignore: exclude _backup/ and _validate/ (DB dumps + an inline-secret config) and editor swap files. NEVER commit those. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
77 lines
2.7 KiB
JSON
77 lines
2.7 KiB
JSON
{
|
|
"//": "Layer-4 mail edge for tailwart. Pipes raw TCP mail ports to the",
|
|
"//2": "Stalwart sidecar over the tailnet, preserving client IP via PROXY",
|
|
"//3": "protocol v2. One server per port (upstream port differs per listener).",
|
|
"//4": "Stalwart terminates TLS itself — this is pure pass-through.",
|
|
"apps": {
|
|
"layer4": {
|
|
"servers": {
|
|
"smtp": {
|
|
"listen": [":25"],
|
|
"routes": [{ "handle": [{
|
|
"handler": "proxy",
|
|
"proxy_protocol": "v2",
|
|
"upstreams": [{ "dial": ["stalwart.tail7b1641.ts.net:25"] }]
|
|
}]}]
|
|
},
|
|
"submissions": {
|
|
"listen": [":465"],
|
|
"routes": [{ "handle": [{
|
|
"handler": "proxy",
|
|
"proxy_protocol": "v2",
|
|
"upstreams": [{ "dial": ["stalwart.tail7b1641.ts.net:465"] }]
|
|
}]}]
|
|
},
|
|
"submission": {
|
|
"listen": [":587"],
|
|
"routes": [{ "handle": [{
|
|
"handler": "proxy",
|
|
"proxy_protocol": "v2",
|
|
"upstreams": [{ "dial": ["stalwart.tail7b1641.ts.net:587"] }]
|
|
}]}]
|
|
},
|
|
"imap": {
|
|
"listen": [":143"],
|
|
"routes": [{ "handle": [{
|
|
"handler": "proxy",
|
|
"proxy_protocol": "v2",
|
|
"upstreams": [{ "dial": ["stalwart.tail7b1641.ts.net:143"] }]
|
|
}]}]
|
|
},
|
|
"imaptls": {
|
|
"listen": [":993"],
|
|
"routes": [{ "handle": [{
|
|
"handler": "proxy",
|
|
"proxy_protocol": "v2",
|
|
"upstreams": [{ "dial": ["stalwart.tail7b1641.ts.net:993"] }]
|
|
}]}]
|
|
},
|
|
"web": {
|
|
"//": "SNI fan-out on the public :443. Stalwart's HTTPS web endpoints",
|
|
"//2": "(MTA-STS policy, autoconfig, autodiscover) pass through to Stalwart,",
|
|
"//3": "which terminates TLS with its wildcard cert — NO proxy_protocol here,",
|
|
"//4": "unlike the mail ports above. Every other SNI falls to the box's own",
|
|
"//5": "web Caddy on :8443 (set `https_port 8443` there). A mail-only standalone",
|
|
"//6": "edge omits this server. See README — 'The HTTP side'.",
|
|
"listen": [":443"],
|
|
"routes": [
|
|
{
|
|
"match": [{ "tls": { "sni": ["mta-sts.infinidim.net", "autoconfig.infinidim.net", "autodiscover.infinidim.net"] } }],
|
|
"handle": [{
|
|
"handler": "proxy",
|
|
"upstreams": [{ "dial": ["stalwart.tail7b1641.ts.net:443"] }]
|
|
}]
|
|
},
|
|
{
|
|
"handle": [{
|
|
"handler": "proxy",
|
|
"upstreams": [{ "dial": ["127.0.0.1:8443"] }]
|
|
}]
|
|
}
|
|
]
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|