update mailcow template

defaults/main.yml

@@ -5,6 +5,11 @@ cloud_stage: prod
 cloud_update: false
 domain_external: "my-domain.tld"
 
+floating_ips: []
+#  - ipv4: 10.11.12.13
+#    ipv6: 2001:0db8:85a3:08d3::1/64
+#  - ipv4: 192.168.0.2
+#    ipv6: 2001:0db8:bca2:98d6::1/64
 
 mailcow_instance: "{{ domain_external.split('.')[:-1] | join('') | regex_replace('[^a-zA-Z0-9]+','') }}"
 

templates/opt/mailcow/mailcow.conf.j2

@@ -9,7 +9,7 @@ MAILCOW_HOSTNAME=mail.{{ domain_external }}
 
 # Password hash algorithm
 # Only certain password hash algorithm are supported. For a fully list of supported schemes,
-# see https://mailcow.github.io/mailcow-dockerized-docs/model-passwd/
+# see https://docs.mailcow.email/models/model-passwd/
 MAILCOW_PASS_SCHEME=BLF-CRYPT
 
 # ------------------------------
@@ -34,8 +34,8 @@ DBROOT={{ mailcow_db_root_pass }}
 # Do _not_ use IP:PORT in HTTP(S)_BIND or HTTP(S)_PORT
 # IMPORTANT: Do not use port 8081, 9081 or 65510!
 # Example: HTTP_BIND=1.2.3.4
-# For IPv4 and IPv6 leave it empty: HTTP_BIND= & HTTPS_PORT=
-# For IPv6 see https://mailcow.github.io/mailcow-dockerized-docs/firststeps-ip_bindings/
+# For IPv4 leave it as it is: HTTP_BIND= & HTTPS_PORT=
+# For IPv6 see https://docs.mailcow.email/post_installation/firststeps-ip_bindings/
 
 HTTP_PORT={{ mailcow_http }}
 HTTP_BIND=
@@ -64,7 +64,7 @@ REDIS_PORT={{ mailcow_redis_target }}
 
 # Your timezone
 # See https://en.wikipedia.org/wiki/List_of_tz_database_time_zones for a list of timezones
-# Use the row named 'TZ database name' + pay attention for 'Notes' row
+# Use the column named 'TZ identifier' + pay attention for the column named 'Notes'
 
 TZ={{ mailcow_timezone }}
 
@@ -72,6 +72,13 @@ TZ={{ mailcow_timezone }}
 # Please use lowercase letters only
 
 COMPOSE_PROJECT_NAME={{ mailcow_instance }}
+# Used Docker Compose version
+# Switch here between native (compose plugin) and standalone
+# For more informations take a look at the mailcow docs regarding the configuration options.
+# Normally this should be untouched but if you decided to use either of those you can switch it manually here.
+# Please be aware that at least one of those variants should be installed on your machine or mailcow will fail.
+
+DOCKER_COMPOSE_VERSION=native
 
 # Set this to "allow" to enable the anyone pseudo user. Disabled by default.
 # When enabled, ACL can be created, that apply to "All authenticated users"
@@ -91,7 +98,7 @@ MAILDIR_GC_TIME={{ mailcow_gc_time }}
 # You can use wildcard records to create specific names for every domain you add to mailcow.
 # Example: Add domains "example.com" and "example.net" to mailcow, change ADDITIONAL_SAN to a value like:
 #ADDITIONAL_SAN=imap.*,smtp.*
-# This will expand the certificate to "imap.example.com", "smtp.example.com", "imap.example.net", "imap.example.net"
+# This will expand the certificate to "imap.example.com", "smtp.example.com", "imap.example.net", "smtp.example.net"
 # plus every domain you add in the future.
 #
 # You can also just add static names...
@@ -102,6 +109,13 @@ MAILDIR_GC_TIME={{ mailcow_gc_time }}
 
 ADDITIONAL_SAN=
 
+# Obtain certificates for autodiscover.* and autoconfig.* domains.
+# This can be useful to switch off in case you are in a scenario where a reverse proxy already handles those.
+# There are mixed scenarios where ports 80,443 are occupied and you do not want to share certs
+# between services. So acme-mailcow obtains for maildomains and all web-things get handled
+# in the reverse proxy.
+AUTODISCOVER_SAN=y
+
 # Additional server names for mailcow UI
 #
 # Specify alternative addresses for the mailcow UI to respond to
@@ -114,11 +128,11 @@ ADDITIONAL_SERVER_NAMES=
 
 # Skip running ACME (acme-mailcow, Let's Encrypt certs) - y/n
 
-SKIP_LETS_ENCRYPT={{ 'n' if (mailcow_use_letsencrypt | default('true') | bool) else 'y' }}
+SKIP_LETS_ENCRYPT={{ 'n' if (mailcow_use_letsencrypt | default('false') | bool) else 'y' }}
 
 # Create seperate certificates for all domains - y/n
 # this will allow adding more than 100 domains, but some email clients will not be able to connect with alternative hostnames
-# see https://wiki.dovecot.org/SSL/SNIClientSupport
+# see https://doc.dovecot.org/admin_manual/ssl/sni_support
 ENABLE_SSL_SNI=n
 
 # Skip IPv4 check in ACME container - y/n
@@ -129,6 +143,10 @@ SKIP_IP_CHECK={{ 'n' if (mailcow_ip_check | default('true') | bool) else 'y' }}
 
 SKIP_HTTP_VERIFICATION={{ 'n' if (mailcow_http_check  | default('true') | bool) else 'y' }}
 
+# Skip Unbound (DNS Resolver) Healthchecks (NOT Recommended!) - y/n
+
+SKIP_UNBOUND_HEALTHCHECK={{ 'n' if (mailcow_unbound_check  | default('true') | bool) else 'y' }}
+
 # Skip ClamAV (clamd-mailcow) anti-virus (Rspamd will auto-detect a missing ClamAV container) - y/n
 
 SKIP_CLAMD={{ 'n' if (mailcow_use_clamav | default('true') | bool) else 'y' }}
@@ -164,9 +182,19 @@ USE_WATCHDOG=y
 #WATCHDOG_NOTIFY_EMAIL=a@example.com,b@example.com,c@example.com
 #WATCHDOG_NOTIFY_EMAIL=
 
+# Send notifications to a webhook URL that receives a POST request with the content type "application/json".
+# You can use this to send notifications to services like Discord, Slack and others.
+#WATCHDOG_NOTIFY_WEBHOOK=https://discord.com/api/webhooks/XXXXXXXXXXXXXXXXXXX/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+# JSON body included in the webhook POST request. Needs to be in single quotes.
+# Following variables are available: SUBJECT, BODY
+#WATCHDOG_NOTIFY_WEBHOOK_BODY='{"username": "mailcow Watchdog", "content": "****\n"}'
+
 # Notify about banned IP (includes whois lookup)
 WATCHDOG_NOTIFY_BAN=n
 
+# Send a notification when the watchdog is started.
+WATCHDOG_NOTIFY_START=y
+
 # Subject for watchdog mails. Defaults to "Watchdog ALERT" followed by the error message.
 #WATCHDOG_SUBJECT=
 
@@ -177,6 +205,9 @@ WATCHDOG_NOTIFY_BAN=n
 # Will only work with unmodified mailcow setups.
 WATCHDOG_EXTERNAL_CHECKS=n
 
+# Enable watchdog verbose logging
+WATCHDOG_VERBOSE=n
+
 # Max log lines per service to keep in Redis logs
 
 LOG_LINES={{ mailcow_redis_log_count }}
@@ -192,13 +223,17 @@ IPV4_NETWORK={{ mailcow_docker_ipv4_cidr }}
 IPV6_NETWORK={{ mailcow_docker_ipv6_cidr }}
 
 # Use this IPv4 for outgoing connections (SNAT)
-
+{% if floating_ips | length > 0 and 'ipv4' floating_ips[0] %}
+SNAT_TO_SOURCE={{ floating_ips[0].ipv4 }}
+{% else %}
 #SNAT_TO_SOURCE=
-
+{% endif %}
 # Use this IPv6 for outgoing connections (SNAT)
-
+{% if floating_ips | length > 0 and 'ipv4' floating_ips[0] %}
+SNAT6_TO_SOURCE={{ floating_ips[0].ipv6 }}
+{% else %}
 #SNAT6_TO_SOURCE=
-
+{% endif %}
 # Create or override an API key for the web UI
 # You _must_ define API_ALLOW_FROM, which is a comma separated list of IPs
 # An API key defined as API_KEY has read-write access
@@ -228,9 +263,25 @@ DOVECOT_MASTER_PASS=
 # Optional: Leave empty for none
 # This value is only used on first order!
 # Setting it at a later point will require the following steps:
-# https://mailcow.github.io/mailcow-dockerized-docs/debug-reset-tls/
+# https://docs.mailcow.email/troubleshooting/debug-reset_tls/
 ACME_CONTACT=
 
+# WebAuthn device manufacturer verification
+# After setting WEBAUTHN_ONLY_TRUSTED_VENDORS=y only devices from trusted manufacturers are allowed
+# root certificates can be placed for validation under mailcow-dockerized/data/web/inc/lib/WebAuthn/rootCertificates
+WEBAUTHN_ONLY_TRUSTED_VENDORS=n
+
+# Spamhaus Data Query Service Key
+# Optional: Leave empty for none
+# Enter your key here if you are using a blocked ASN (OVH, AWS, Cloudflare e.g) for the unregistered Spamhaus Blocklist.
+# If empty, it will completely disable Spamhaus blocklists if it detects that you are running on a server using a blocked AS.
+# Otherwise it will work normally.
+SPAMHAUS_DQS_KEY=
+
+# Prevent netfilter from setting an iptables/nftables rule to isolate the mailcow docker network - y/n
+# CAUTION: Disabling this may expose container ports to other neighbors on the same subnet, even if the ports are bound to localhost
+DISABLE_NETFILTER_ISOLATION_RULE=n
+
 {% for config_line in mailcow_other_configs %}
 {{ config_line }}
 {% endfor %}