From a8c0574ed6356f1081d6029e1af8f26404c50c06 Mon Sep 17 00:00:00 2001
From: root
Date: Fri, 23 Jan 2026 11:05:49 +0100
Subject: [PATCH] Add SMTP stream proxy configuration for ports 587/465 with Let's Encrypt TLS
---
 nginx.conf | 58 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 58 insertions(+)
diff --git a/nginx.conf b/nginx.conf
index dfd77fc..5cda310 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -1,3 +1,4 @@
+load_module /usr/lib/nginx/modules/ngx_stream_module.so;
 user www-data;
 worker_processes auto;
 pid /run/nginx.pid;
@@ -103,3 +104,60 @@ events {
 # proxy on;
 # }
 #}
+
+# Stream block for SMTP proxy with Let's Encrypt TLS termination
+stream {
+ # Logging
+ log_format smtp_proxy '$remote_addr [$time_local] $protocol $status $bytes_sent $bytes_received $session_time';
+
+ # Upstream mail server
+ upstream mail_submission {
+ server 10.0.0.21:587;
+ }
+
+ upstream mail_smtps {
+ server 10.0.0.21:465;
+ }
+
+ # SMTP Submission port (STARTTLS) - port 587
+ server {
+ listen 10.0.0.29:587 ssl;
+ proxy_pass mail_submission;
+ proxy_connect_timeout 10s;
+
+ # Let's Encrypt SSL certificate
+ ssl_certificate /etc/letsencrypt/live/owa.egonetix.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/owa.egonetix.de/privkey.pem;
+
+ # SSL settings
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers HIGH:!aNULL:!MD5;
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:SMTP:10m;
+ ssl_session_timeout 10m;
+
+ access_log /var/log/nginx/mail-submission-access.log smtp_proxy;
+ error_log /var/log/nginx/mail-submission-error.log;
+ }
+
+ # SMTPS port (implicit TLS) - port 465
+ server {
+ listen 10.0.0.29:465 ssl;
+ proxy_pass mail_smtps;
+ proxy_connect_timeout 10s;
+
+ # Let's Encrypt SSL certificate
+ ssl_certificate /etc/letsencrypt/live/owa.egonetix.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/owa.egonetix.de/privkey.pem;
+
+ # SSL settings
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers HIGH:!aNULL:!MD5;
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:SMTPS:10m;
+ ssl_session_timeout 10m;
+
+ access_log /var/log/nginx/mail-smtps-access.log smtp_proxy;
+ error_log /var/log/nginx/mail-smtps-error.log;
+ }
+}
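Review bot: Both `server` blocks terminate TLS and then `proxy_pass` to the upstream without `proxy_ssl on;`, so the decrypted SMTP session, including AUTH credentials, is forwarded in cleartext to 10.0.0.21, and the `mail_smtps` upstream on port 465 would normally expect a TLS handshake rather than plaintext. The 587 listener is commented as STARTTLS, but `listen 10.0.0.29:587 ssl;` makes it implicit TLS; the stream module does not speak SMTP, so a client that opens with a plaintext EHLO and then issues STARTTLS will presumably fail the handshake. Consider adding `proxy_ssl on;` and `proxy_ssl_verify on;` (with a `proxy_ssl_trusted_certificate` for the backend's CA) to the 465 block, and either correcting the 587 comment or passing 587 through without `ssl` so the backend handles STARTTLS itself. Separately, the backend will see every connection as coming from 10.0.0.29, so check that its relay and rate-limit rules do not trust that address, or enable `proxy_protocol on;` if the mail server supports it.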