feat: randomize SMTP + IMAP ports

2026-06-14 07:31:08 +00:00 · 2026-06-09 10:35:16 +02:00
parent 9da3f5c235
commit d8f2129e78
4 changed files with 43 additions and 10 deletions
@@ -495,15 +495,15 @@ def deploy_chatmail(config_path: Path, disable_mail: bool, website_only: bool) -
        if config.tls_cert_mode == "acme":
            port_services.append(("acmetool", 402))
        port_services += [
-            (["imap-login", "dovecot"], 143),
+            (["imap-login", "dovecot"], config.imap_port),
            # acmetool previously listened on port 80,
            # so don't complain during upgrade that moved it to port 402
            # and gave the port to nginx.
            (["acmetool", "nginx"], 80),
            ("nginx", 443),
-            (["master", "smtpd"], 465),
-            (["master", "smtpd"], 587),
-            (["imap-login", "dovecot"], 993),
+            (["master", "smtpd"], config.smtp_port),
+            (["master", "smtpd"], config.smtps_port),
+            (["imap-login", "dovecot"], config.imaps_port),
            ("iroh-relay", 3340),
            ("mtail", 3903),
            ("stats", 3904),
@@ -7,14 +7,14 @@
    <displayShortName>{{ config.mail_domain }}</displayShortName>
    <incomingServer type="imap">
      <hostname>{{ config.mail_domain }}</hostname>
-      <port>993</port>
+      <port>{{ config.imaps_port }}</port>
      <socketType>SSL</socketType>
      <authentication>password-cleartext</authentication>
      <username>%EMAILADDRESS%</username>
    </incomingServer>
    <incomingServer type="imap">
      <hostname>{{ config.mail_domain }}</hostname>
-      <port>143</port>
+      <port>{{ config.imap_port }}</port>
      <socketType>STARTTLS</socketType>
      <authentication>password-cleartext</authentication>
      <username>%EMAILADDRESS%</username>
@@ -28,14 +28,14 @@
    </incomingServer>
    <outgoingServer type="smtp">
      <hostname>{{ config.mail_domain }}</hostname>
-      <port>465</port>
+      <port>{{ config.smtps_port }}</port>
      <socketType>SSL</socketType>
      <authentication>password-cleartext</authentication>
      <username>%EMAILADDRESS%</username>
    </outgoingServer>
    <outgoingServer type="smtp">
      <hostname>{{ config.mail_domain }}</hostname>
-      <port>587</port>
+      <port>{{ config.smtp_port }}</port>
      <socketType>STARTTLS</socketType>
      <authentication>password-cleartext</authentication>
      <username>%EMAILADDRESS%</username>
@@ -31,6 +31,26 @@ stream {
            ~\bimap\b 127.0.0.1:993;
        }

+        server {
+                listen {{ config.smtp_port }};
+                proxy_pass 127.0.0.1:587;
+        }
+
+        server {
+                listen {{ config.imap_port }};
+                proxy_pass 127.0.0.1:143;
+        }
+
+        server {
+                listen {{ config.smtps_port }};
+                proxy_pass 127.0.0.1:465;
+        }
+
+        server {
+                listen {{ config.imaps_port }};
+                proxy_pass 127.0.0.1:993;
+        }
+
        server {
                listen 443;
                {% if not disable_ipv6 %}