Nginx
With Nginx in the picture, HTTPS traffic is typically received by Nginx and proxied to MailArchiva listening on another port (for example, port 8090). Likewise, Nginx may also be configured to receive SMTP traffic on port 25 and forward traffic to MailArchiva listening on a different port (for example, port 26).
By letting Nginx terminate the incoming TLS connections, MailArchiva is relieved of the HTTPS load. When proxy mode is enabled (see below), MailArchiva reads additional HTTP headers set by Nginx to determine a request's original client IP address, server name, scheme, host and port. Refer to the table below.
MailArchiva Configuration
The headers in the table are only parsed when the property proxy=yes is added to the Tomcat startup environment. For example, on Linux, the file /opt/mailarchiva/server/startserver should be edited as follows:
After setting the above, restart the MailArchiva service for proxy mode to take effect. Once proxy mode is on, MailArchiva trusts these headers, so for security reasons Nginx must set (and thereby overwrite) values for all of them on every request that reaches MailArchiva, whichever location it passes through, and the MailArchiva port itself should only be reachable from Nginx. Otherwise a client that sends its own X-Forwarded-* headers can spoof its IP address, scheme or host in MailArchiva's logs and generated links.
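To make that caveat concrete, here is an added example (not part of MailArchiva or of this page) of how a proxy-aware backend should read X-Forwarded-For, and why it matters that Nginx sets the headers. Nginx's $proxy_add_x_forwarded_for appends $remote_addr to whatever X-Forwarded-For the client already sent, so the client's real address is the rightmost entry and everything to its left is untrusted input. The trusted proxy range (loopback, because Nginx and MailArchiva share a host in the layout described here) and the sample requests are assumptions made for the example.

```python
import ipaddress
from typing import Mapping

# Assumption for this example: Nginx proxies from the same host as the backend,
# so only loopback addresses are trusted to have written X-Forwarded-* headers.
TRUSTED_PROXIES = (ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128"))


def is_trusted_proxy(addr: str) -> bool:
    """True if addr lies inside one of the trusted proxy networks."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def naive_client_ip(peer_addr: str, headers: Mapping[str, str]) -> str:
    """The common mistake: take the leftmost X-Forwarded-For entry.

    The leftmost entry is whatever the client put there before Nginx appended
    $remote_addr, so this lets any client choose the address that gets logged.
    """
    xff = headers.get("X-Forwarded-For", "")
    return xff.split(",")[0].strip() or peer_addr


def client_ip(peer_addr: str, headers: Mapping[str, str]) -> str:
    """Resolve the original client address for a connection that arrived from peer_addr.

    1. If the TCP peer is not a trusted proxy, the request bypassed Nginx and the
       header is ignored: the peer itself is the client.
    2. Otherwise walk X-Forwarded-For from the right (the entries the proxies
       appended) and return the first address that is not a trusted proxy.
    """
    if not is_trusted_proxy(peer_addr):
        return peer_addr
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_trusted_proxy(hop):
            return hop
    return peer_addr


def original_url(headers: Mapping[str, str], path: str) -> str:
    """Rebuild the URL the client used from the headers Nginx is expected to set.

    Raises if any is missing: a backend that silently guessed would build links
    with the wrong scheme or host, and a client could supply the missing ones.
    """
    missing = [h for h in ("X-Forwarded-Proto", "X-Forwarded-Host", "X-Forwarded-Port") if not headers.get(h)]
    if missing:
        raise ValueError(f"proxy did not set {', '.join(missing)}")
    scheme, host, port = headers["X-Forwarded-Proto"], headers["X-Forwarded-Host"], headers["X-Forwarded-Port"]
    default_port = "443" if scheme == "https" else "80"
    netloc = host if port == default_port else f"{host}:{port}"
    return f"{scheme}://{netloc}{path}"


# Constructed sample: a client at 198.51.100.9 that tried to spoof 10.0.0.1, as seen
# by the backend after Nginx (127.0.0.1) appended $remote_addr.
SPOOF_ATTEMPT = {
    "X-Forwarded-For": "10.0.0.1, 198.51.100.9",
    "X-Forwarded-Proto": "https",
    "X-Forwarded-Host": "mailarchivatest.net",
    "X-Forwarded-Port": "443",
}

if __name__ == "__main__":
    print("naive :", naive_client_ip("127.0.0.1", SPOOF_ATTEMPT))  # 10.0.0.1 (spoofed)
    print("robust:", client_ip("127.0.0.1", SPOOF_ATTEMPT))        # 198.51.100.9
    print("direct:", client_ip("203.0.113.5", SPOOF_ATTEMPT))      # 203.0.113.5, header ignored
    print("url   :", original_url(SPOOF_ATTEMPT, "/console"))      # https://mailarchivatest.net/console
```

The "direct" case is the second half of the caveat: if port 8090 is reachable from outside, a client can connect to it directly with any X-Forwarded-* values it likes, and only a backend that checks the TCP peer against its trusted proxy list is unaffected.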
Web console proxy
A sample Nginx proxy configuration is illustrated below. The first virtual site causes Nginx to redirect all plain HTTP requests to HTTPS.
server {
listen 80;
# Redirect every plain-HTTP request to the HTTPS site (return is the idiomatic form of the old rewrite ... permanent)
return 301 https://$host$request_uri;
}
The main virtual site is below. Setting the headers X-Forwarded-For, X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-Port is needed so that MailArchiva knows the original URL information and client IP address (for logging and other purposes). When an empty file is written to /etc/nginx/service, Nginx returns a 503 and outputs a maintenance message indicating that the service is temporarily down for maintenance.
server {
listen 443 ssl default_server;
server_name mailarchivatest.net www.mailarchivatest.net *.mailarchivatest.net;
# "ssl on;" is obsolete (deprecated since nginx 1.15.0 and removed in newer releases); "listen 443 ssl" above enables TLS
ssl_certificate /etc/ssl/private/fullchain.pem;
ssl_certificate_key /etc/ssl/private/privkey.pem;
# Exactly one ssl_protocols directive per context: a second one is a "duplicate directive" error and Nginx will not start.
# TLS 1.0 and 1.1 are deprecated (RFC 8996). TLSv1.3 requires nginx >= 1.13.0 built against OpenSSL 1.1.1, otherwise use TLSv1.2 only.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096
# Forward-secret AEAD suites only. (The earlier list named *-AES256-GCM-SHA512 suites, which do not exist in OpenSSL and were silently ignored.)
# TLS 1.3 suites are not controlled by ssl_ciphers.
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256;
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx >= 1.3.7; verification needs the issuer chain to be trusted, see ssl_trusted_certificate
resolver valid=300s; # the address of a DNS server must precede valid=; stapling cannot fetch OCSP responses without one
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
if ($deny_connect) {
return 403;
}
error_page 503 /under_maintenance.html;
location = /under_maintenance.html {
}
location / {
proxy_http_version 1.1;
proxy_pass http://127.0.0.1:8090;
proxy_redirect off;
proxy_buffering off;
if (-f /etc/nginx/service) {
return 503;
}
# Always set all of the forwarded headers: in proxy mode MailArchiva trusts them, so any header Nginx
# does not overwrite could be supplied by the client. $proxy_add_x_forwarded_for appends $remote_addr to a
# client-supplied X-Forwarded-For, so the real client address is the rightmost entry.
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
client_max_body_size 10m;
client_body_buffer_size 128k;
client_body_temp_path /var/nginx/client_body_temp;
proxy_connect_timeout 60s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
proxy_buffer_size 64k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
proxy_pass_header Set-Cookie;
proxy_temp_path /var/nginx/proxy_temp;
charset UTF-8;
# With proxy_buffering off, Nginx never stores responses, so the two cache directives below are inert.
# If buffering is ever enabled, keep the session cookie in the key (as here) so one user's console
# responses are never served to another. The variable for the JSESSIONID cookie is $cookie_jsessionid.
proxy_cache backcache;
proxy_cache_key $proxy_host$request_uri$cookie_jsessionid;
}
location /linkage {
proxy_pass http://127.0.0.1:8090;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
# These locations also reach MailArchiva, so the forwarded headers must be set here as well
# (proxy_set_header is not inherited from the server level once a location defines its own).
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
}
location ~ ^/websocket/chat {
proxy_pass http://127.0.0.1:8090;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
}
}
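Several mistakes are easy to reintroduce when a site like the one above is edited: a second ssl_protocols directive (which stops Nginx from starting), TLS 1.0/1.1 left enabled, the obsolete ssl on, a location that proxies to MailArchiva without setting every X-Forwarded-* header, or proxy_cache paired with proxy_buffering off. The following is an added example of a small checker for exactly those points; it is not part of Nginx or MailArchiva, and its parser handles only the directive-and-block syntax used on this page (not the full Nginx grammar; a # inside a quoted value, for instance, is not handled). The sample configuration embedded in it is constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Headers MailArchiva reads in proxy mode; every location that proxies to it must set all of them.
FORWARDED_HEADERS = {"Host", "X-Forwarded-For", "X-Forwarded-Proto", "X-Forwarded-Host", "X-Forwarded-Port"}
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# A token is a quoted string, one of { } ; or a bare word.
_TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+')


@dataclass
class Directive:
    name: str
    args: List[str]
    block: Optional[List["Directive"]] = None  # None for a plain "name args;" directive


def parse(text: str) -> List[Directive]:
    """Parse Nginx-style config text into a tree of directives (comments stripped per line)."""
    tokens = _TOKEN.findall("\n".join(line.split("#", 1)[0] for line in text.splitlines()))
    pos = 0

    def parse_block() -> List[Directive]:
        nonlocal pos
        out: List[Directive] = []
        while pos < len(tokens) and tokens[pos] != "}":
            words: List[str] = []
            while pos < len(tokens) and tokens[pos] not in ("{", ";", "}"):
                words.append(tokens[pos].strip("\"'"))
                pos += 1
            if pos >= len(tokens) or tokens[pos] == "}" or not words:
                raise ValueError(f"malformed directive near token {pos}")
            if tokens[pos] == "{":
                pos += 1
                body = parse_block()
                if pos >= len(tokens):
                    raise ValueError("unterminated block")
                pos += 1  # consume the closing brace
                out.append(Directive(words[0], words[1:], body))
            else:
                pos += 1  # consume the semicolon
                out.append(Directive(words[0], words[1:]))
        return out

    tree = parse_block()
    if pos != len(tokens):
        raise ValueError("unexpected closing brace")
    return tree


def audit(directives: List[Directive], path: str = "") -> List[str]:
    """Return findings for one block and, recursively, for the blocks nested in it."""
    where, names, findings = path or "(top level)", [d.name for d in directives], []
    protos = [d for d in directives if d.name == "ssl_protocols"]
    if len(protos) > 1:
        findings.append(f"{where}: ssl_protocols given {len(protos)} times; Nginx rejects duplicate directives")
    for d in protos:
        weak = sorted(WEAK_PROTOCOLS & set(d.args))
        if weak:
            findings.append(f"{where}: deprecated protocols enabled: {', '.join(weak)}")
    if "ssl" in names:
        findings.append(f"{where}: 'ssl on' is obsolete; use 'listen ... ssl' instead")
    if "proxy_pass" in names:
        set_headers = {d.args[0] for d in directives if d.name == "proxy_set_header" and d.args}
        missing = sorted(FORWARDED_HEADERS - set_headers)
        if missing:
            findings.append(f"{where}: proxy_pass without proxy_set_header for {', '.join(missing)}")
        buffering_off = any(d.name == "proxy_buffering" and d.args[:1] == ["off"] for d in directives)
        if "proxy_cache" in names and buffering_off:
            findings.append(f"{where}: proxy_cache has no effect while proxy_buffering is off")
    for d in directives:
        if d.block is not None:
            findings.extend(audit(d.block, f"{path}/{d.name} {' '.join(d.args)}".rstrip()))
    return findings


# Constructed sample that repeats the mistakes discussed above.
SAMPLE = """
server {
    listen 443 ssl default_server;
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_protocols TLSv1.3; # duplicate directive: nginx -t fails
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    location / {
        proxy_pass http://127.0.0.1:8090;
        proxy_buffering off;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_cache backcache;
    }
    location /linkage {
        proxy_pass http://127.0.0.1:8090;
        proxy_set_header Host $host;
    }
}
"""

if __name__ == "__main__":
    for finding in audit(parse(SAMPLE)):
        print(finding)
```

Run it against the real file with `audit(parse(open("/etc/nginx/sites-enabled/mailarchiva").read()))` after `nginx -t`, which catches the duplicate-directive error but none of the header or protocol points.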
In addition to the above virtual host configuration, to stop Nginx from being used as a forward proxy that tunnels HTTP connections to external servers, edit /etc/nginx/nginx.conf and insert a map directive at the start of the http block, as follows. The $deny_connect variable it defines is what the if ($deny_connect) check in the virtual site above tests:
map $request_method $deny_connect {
default 0;
CONNECT 1;
...
}
SMTP traffic proxy
Proxying SMTP traffic is optional, though useful if one needs to offload the computationally expensive TLS negotiation to native code. Nginx's mail proxy consults an HTTP authentication service for every session. The virtual site below, bound to the loopback interface only, serves as that service and instructs Nginx to forward each SMTP session to MailArchiva on port 26:
server {
listen 127.0.0.1:9000; # loopback only: anything that can reach this port decides where SMTP sessions are routed
location = /authorize {
set $reply OK;
# Nginx reads its routing decision from these response headers (add_header is applied to a 204 response).
add_header Auth-Status $reply;
add_header Auth-Server 127.0.0.1;
add_header Auth-Port 26;
add_header Auth-Wait 1;
return 204;
}
}
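The stub above answers OK for every session, so with smtp_auth none anything that can reach port 25 is handed to MailArchiva. The auth_http service is the one place in Nginx's mail proxy where a per-session decision is made, so a practitioner may want it to restrict delivery to known mail servers. The following is an added example of such a service in Python (not part of MailArchiva or Nginx, and a replacement for the stub above rather than an addition to it). It implements the header protocol Nginx's mail module uses: Auth-Method, Auth-Protocol, Client-IP, Auth-SMTP-Helo, Auth-SMTP-From and Auth-SMTP-To on the request; Auth-Status, Auth-Server, Auth-Port, Auth-Error-Code and Auth-Wait on the response. The allowed sender network, the accepted recipient domain and the sample requests are assumptions made for the example.

```python
import ipaddress
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Mapping

# Where accepted sessions are forwarded: MailArchiva's SMTP listener in the layout described above.
BACKEND_SERVER, BACKEND_PORT = "127.0.0.1", "26"
# Assumptions for this example: the network of the mail servers allowed to deliver to the
# archive, and the domain whose mailboxes the archive accepts mail for.
ALLOWED_SENDERS = (ipaddress.ip_network("192.0.2.0/24"),)
ACCEPTED_DOMAINS = {"mailarchivatest.net"}
_ADDR = re.compile(r"<([^>]*)>")


def mailbox(raw: str) -> str:
    """Extract the address from a MAIL FROM / RCPT TO argument such as 'TO:<a@b>', '<a@b>' or 'a@b'."""
    m = _ADDR.search(raw)
    addr = m.group(1) if m else re.sub(r"^(FROM|TO):", "", raw.strip(), flags=re.I)
    return addr.strip().lower()


def reject(message: str, smtp_code: str, wait: int = 3) -> Dict[str, str]:
    """Response headers that make Nginx refuse the session with an SMTP error after a delay."""
    return {"Auth-Status": message, "Auth-Error-Code": smtp_code, "Auth-Wait": str(wait)}


def authorize(h: Mapping[str, str]) -> Dict[str, str]:
    """Decide one SMTP session from the request headers Nginx sends to auth_http."""
    if h.get("Auth-Protocol", "").lower() != "smtp":
        return reject("Protocol not handled here", "451 4.3.0")
    try:
        client = ipaddress.ip_address(h.get("Client-IP", "").strip())
    except ValueError:
        return reject("Temporary server problem, try again later", "451 4.3.0")
    if not any(client in net for net in ALLOWED_SENDERS):
        return reject("Relay access denied", "554 5.7.1")
    rcpt = mailbox(h.get("Auth-SMTP-To", ""))
    if "@" not in rcpt or rcpt.rsplit("@", 1)[1] not in ACCEPTED_DOMAINS:
        return reject("Recipient address rejected", "554 5.7.1")
    return {"Auth-Status": "OK", "Auth-Server": BACKEND_SERVER, "Auth-Port": BACKEND_PORT}


class AuthHandler(BaseHTTPRequestHandler):
    """Serves /authorize for Nginx. The default protocol_version (HTTP/1.0) matches what the mail module speaks."""

    def do_GET(self) -> None:
        if self.path != "/authorize":
            self.send_error(404)
            return
        result = authorize(self.headers)  # email.message.Message: header lookup is case-insensitive
        self.send_response(200)
        for name, value in result.items():
            self.send_header(name, value)
        self.end_headers()


# Constructed sample requests, shaped as Nginx sends them for a session with smtp_auth none.
GOOD_SESSION = {"Auth-Method": "none", "Auth-Protocol": "smtp", "Client-IP": "192.0.2.10",
                "Auth-SMTP-Helo": "mx.example.org", "Auth-SMTP-From": "FROM:<alice@example.org>",
                "Auth-SMTP-To": "TO:<archive@mailarchivatest.net>"}
STRANGER = dict(GOOD_SESSION, **{"Client-IP": "203.0.113.9"})

if __name__ == "__main__":
    print(authorize(GOOD_SESSION))  # Auth-Status OK, routed to 127.0.0.1:26
    print(authorize(STRANGER))      # Auth-Status Relay access denied, 554 5.7.1
    # Bind to loopback only, for the same reason the Nginx stub does.
    HTTPServer(("127.0.0.1", 9000), AuthHandler).serve_forever()
```

Point auth_http at it exactly as in the mail block (auth_http localhost:9000/authorize;) after removing the stub virtual site, since both cannot bind 127.0.0.1:9000. Nginx only asks this service after RCPT TO, which is why the recipient is available for the domain check.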
The full nginx.conf is shown below. Note the mail block at the end: it handles the proxying of mail traffic on the SMTP port.
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 20000;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
server_tokens off; # do not advertise the Nginx version in response headers and error pages
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# The map $request_method $deny_connect { ... } block described above belongs here, inside http.
##
# SSL Settings
##
ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3 (ref: POODLE) and the deprecated TLS 1.0/1.1
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
proxy_cache_path /var/nginx/cache levels=1:2 keys_zone=backcache:10m max_size=10g inactive=60m use_temp_path=off;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
mail {
server_name test.mailarchivatest.net;
auth_http localhost:9000/authorize;
proxy_pass_error_message on;
starttls on; # "on" offers STARTTLS but still accepts plaintext; use "only" if every sending MTA is known to support TLS
ssl_certificate /etc/ssl/private/fullchain.pem;
ssl_certificate_key /etc/ssl/private/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3; # TLS 1.0 and 1.1 are deprecated (RFC 8996)
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096
# The earlier list advertised RC4 and other legacy suites. Modern OpenSSL builds omit RC4 anyway, but do not offer it.
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK;
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_timeout 10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
xclient off; # MailArchiva therefore sees 127.0.0.1 as the SMTP peer; XCLIENT would pass the real address, but only to a backend that supports it
server {
listen 25;
protocol smtp;
smtp_auth none; # Nginx does not authenticate senders itself: each session is sent to the auth_http service for routing and then to MailArchiva for its own checks
#smtp_auth login plain;
}
}
Office 365 folder sync proxy
The site below is needed to set up folder synchronization with Office 365. It proxies folder synchronization traffic from https://mailarchiva.mailarchivatest.net/o365 to MailArchiva listening on port 8888 on localhost. Because its server_name is an exact match, it takes precedence over the wildcard default_server above for this host name.
server {
listen 443 ssl;
server_name mailarchiva.mailarchivatest.net;
# "ssl on;" is obsolete; "listen 443 ssl" above enables TLS
#ssl_certificate /etc/ssl/private/mailarchivatest.pem;
#ssl_certificate_key /etc/ssl/private/mailarchivatest.key;
ssl_certificate /etc/letsencrypt/live/mailarchivatest.net/_.mailarchivatest.net.bundle;
ssl_certificate_key /etc/letsencrypt/live/mailarchivatest.net/_.mailarchivatest.net.key;
ssl_protocols TLSv1.2 TLSv1.3; # one directive only (a duplicate is a startup error); TLSv1.3 requires nginx >= 1.13.0, else use TLSv1.2
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256;
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx >= 1.3.7
resolver valid=300s; # the address of a DNS server must precede valid=
resolver_timeout 5s;
#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
#add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
location /o365 {
proxy_http_version 1.1;
proxy_pass http://127.0.0.1:8888;
proxy_redirect off;
proxy_buffering off;
if (-f /etc/nginx/service) {
return 503;
}
# All forwarded headers are set so that MailArchiva's proxy mode never falls back to client-supplied values.
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
client_max_body_size 10m;
client_body_buffer_size 128k;
client_body_temp_path /var/nginx/client_body_temp;
proxy_connect_timeout 60s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
proxy_buffer_size 64k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
proxy_pass_header Set-Cookie;
proxy_temp_path /var/nginx/proxy_temp;
charset UTF-8;
# Inert while proxy_buffering is off (see the web console site); the JSESSIONID cookie variable is $cookie_jsessionid
proxy_cache backcache;
proxy_cache_key $proxy_host$request_uri$cookie_jsessionid;
}
}