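load_module /usr/lib/nginx/modules/ngx_stream_module.so;

user www-data;
worker_processes auto;
pid /run/nginx.pid;

events {
    worker_connections 2048;
    multi_accept on;
    use epoll;
}

http {
    ##
    # Basic Settings
    ##

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    keepalive_requests 100;
    reset_timedout_connection on;
    types_hash_max_size 2048;
    # Hide the nginx version in the Server header and on built-in error
    # pages; it only aids fingerprinting. (Was commented out originally.)
    server_tokens off;

    # File cache for better performance
    open_file_cache max=10000 inactive=30s;
    open_file_cache_valid 60s;
    open_file_cache_min_uses 2;
    open_file_cache_errors on;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##

    ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;
    # Forward-secret (ECDHE/DHE) suites only, AES-GCM preferred over CBC.
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 1d;
    # Tickets stay off: the ticket key is not rotated for the lifetime of the
    # process unless one is managed explicitly, which would weaken forward
    # secrecy across resumed sessions.
    ssl_session_tickets off;
    ssl_ecdh_curve secp521r1:secp384r1:prime256v1;
    # OCSP stapling is left disabled here; turning it on also requires a
    # `resolver` directive (and a usable issuer chain for verification).
    #ssl_stapling on;
    #ssl_stapling_verify on;

    ##
    # Logging Settings
    ##

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##

    gzip on;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 5;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    # NOTE(review): compressing dynamic JSON/text over TLS is the precondition
    # for BREACH-style length leaks when a response echoes attacker-influenced
    # input next to a secret; keep gzip to static/public content where that
    # applies (per-location override), or rely on the application's own
    # mitigations.
    gzip_types text/plain text/css application/json application/javascript
               text/xml application/xml application/xml+rss text/javascript;

    # Proxy buffer settings
    proxy_buffers 16 16k;
    proxy_buffer_size 32k;
    proxy_busy_buffers_size 64k;
    proxy_temp_file_write_size 64k;
    proxy_connect_timeout 90;
    proxy_send_timeout 90;
    proxy_read_timeout 90;

    ##
    # Virtual Host Configs
    ##

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}

#mail {
#	# See sample authentication script at:
#	# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#	# auth_http localhost/auth.php;
#	# pop3_capabilities "TOP" "USER";
#	# imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#	server {
#		listen     localhost:110;
#		protocol   pop3;
#		proxy      on;
#	}
#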
#	server {
#		listen     localhost:143;
#		protocol   imap;
#		proxy      on;
#	}
#}

# Stream block for SMTP proxy with Let's Encrypt TLS termination
#
# Both listeners terminate TLS with the same certificate and forward the
# decrypted byte stream to 10.0.0.21. `listen ... ssl` means implicit TLS
# from the first byte: the stream module is protocol-agnostic and cannot
# offer STARTTLS, so port 587 here behaves like a second SMTPS port rather
# than an RFC 6409 submission port (a client that opens 587 in cleartext
# and expects to upgrade via STARTTLS will not get a handshake).
stream {
    # One line per finished session, shared by both listeners.
    log_format smtp_proxy '$remote_addr [$time_local] $protocol $status $bytes_sent $bytes_received $session_time';

    # TLS settings common to both listeners; server blocks inherit them.
    ssl_certificate     /etc/letsencrypt/live/owa.egonetix.de/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/owa.egonetix.de/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    # NOTE(review): looser than the http block's list — HIGH still admits
    # non-forward-secret RSA key exchange and CBC suites. Kept for mail-client
    # compatibility; tighten once the client population is known.
    ssl_ciphers         HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 10m;

    # The hop to the upstream is plain TCP (no proxy_ssl), so SMTP AUTH
    # credentials cross it unencrypted; this presumes a trusted internal
    # link — TODO confirm. If 10.0.0.21:465 itself expects implicit TLS,
    # the SMTPS server below would additionally need `proxy_ssl on;`.
    proxy_connect_timeout 10s;

    # Backend mail server
    upstream mail_submission { server 10.0.0.21:587; }
    upstream mail_smtps      { server 10.0.0.21:465; }

    # Port 587 — implicit TLS on this proxy (see note above)
    server {
        listen 10.0.0.29:587 ssl;
        ssl_session_cache shared:SMTP:10m;
        proxy_pass mail_submission;
        access_log /var/log/nginx/mail-submission-access.log smtp_proxy;
        error_log  /var/log/nginx/mail-submission-error.log;
    }

    # Port 465 — SMTPS (implicit TLS)
    server {
        listen 10.0.0.29:465 ssl;
        ssl_session_cache shared:SMTPS:10m;
        proxy_pass mail_smtps;
        access_log /var/log/nginx/mail-smtps-access.log smtp_proxy;
        error_log  /var/log/nginx/mail-smtps-error.log;
    }
}