Initial commit

etc/dovecot/dovecot-dict-sql.conf.ext

@@ -0,0 +1,12 @@
+connect = host=localhost dbname=postfix user=postfix password=YOUR_PASSWORD
+
+map {
+  pattern = shared/last-login/$user
+  table = mailbox
+  value_field = last_login
+  value_type = uint
+
+  fields {
+    username = $user
+  }
+}

etc/dovecot/dovecot-sql.conf.ext

@@ -0,0 +1,10 @@
+connect = host=localhost dbname=postfix user=postfix_readonly password=YOUR_PASSWORD
+driver = mysql
+
+# Query to retrieve password. user can be used to retrieve username in other formats also.
+password_query = SELECT username AS user, CONCAT(password_hash_type, password) AS password, CONCAT(domain, '/', local_part, '/') AS maildir, 5000 AS userdb_uid, 5000 AS userdb_gid, CONCAT('*:bytes=', quota) AS userdb_quota_rule FROM mailbox WHERE username = CONCAT('%n', '@', COALESCE((SELECT target_domain FROM alias_domain WHERE alias_domain = '%d' AND active='1'), '%d')) AND active='1'
+
+# Query to retrieve user information, note uid matches dovecot.conf AND Postfix virtual_uid_maps parameter.
+user_query = SELECT CONCAT(domain, '/', local_part, '/') AS maildir, 5000 AS uid, 5000 AS gid, CONCAT('*:bytes=', quota) AS quota_rule FROM mailbox WHERE username = CONCAT('%n', '@', COALESCE((SELECT target_domain FROM alias_domain WHERE alias_domain = '%d' AND active='1'), '%d')) AND active='1'
+
+iterate_query = SELECT username AS user FROM mailbox

etc/dovecot/dovecot.conf

@@ -0,0 +1,180 @@
+#general settings
+listen = *, ::
+login_greeting = Server ready.
+mmap_disable = yes
+mail_fsync = always
+mail_nfs_index = yes
+mail_nfs_storage = yes
+info_log_path = /dev/null
+auth_verbose = no
+auth_verbose_passwords = no
+auth_debug = no
+auth_debug_passwords = no
+mail_debug = no
+verbose_ssl = no
+mail_location = maildir:/var/mail/vmail/%d/%n
+mail_plugins = $mail_plugins mail_crypt zlib
+mailbox_list_index = yes
+
+#plugin setup
+plugin {
+  mail_crypt_save_version = 2
+  mail_crypt_global_private_key = </etc/dovecot/ecprivkey.pem
+  mail_crypt_global_public_key = </etc/dovecot/ecpubkey.pem
+  zlib_save = gz
+  zlib_save_level = 6
+  quota_grace = 10%%
+  quota_status_success = DUNNO
+  quota_status_nouser = DUNNO
+  quota_status_overquota = "552 5.2.2 Mailbox is full"
+  quota = count:User quota
+  quota_rule = *:bytes=50M
+  quota_vsizes = yes
+  last_login_dict = proxy::lastlogin
+  last_login_key = last-login/%u
+}
+
+#auth settings
+disable_plaintext_auth = yes
+auth_cache_size = 1M
+auth_cache_ttl = 5mins
+auth_cache_negative_ttl = 5mins
+auth_default_realm = danwin1210.de
+auth_username_chars = 
+auth_mechanisms = plain login
+
+#TLS parameters
+ssl = required
+ssl_cert = </etc/acme.sh/danwin1210.de_ecc/fullchain.cer
+ssl_key = </etc/acme.sh/danwin1210.de_ecc/danwin1210.de.key
+ssl_client_ca_dir = /etc/ssl/certs
+ssl_dh = </etc/dovecot/dh.pem
+ssl_min_protocol = TLSv1.2
+ssl_cipher_list = HIGH:!PSK:!aNULL:!MD5:!SHA:!CAMELLIA:!AES+SHA256:!AES+SHA384;
+ssl_curve_list = X448:X25519:secp521r1:secp384r1
+ssl_prefer_server_ciphers = yes
+
+#protocol setup
+protocols = "imap pop3 lmtp"
+protocol lmtp {
+	postmaster_address = postmaster@danwin1210.de
+}
+protocol imap {
+  mail_plugins = $mail_plugins quota imap_quota imap_zlib last_login
+}
+protocol pop3 {
+  mail_plugins = $mail_plugins last_login
+}
+
+#service setup
+service anvil {
+  unix_listener anvil-auth-penalty {
+    #disable since we don't have IP info
+    mode = 0
+  }
+}
+service auth {
+  unix_listener auth-userdb {
+    mode = 0666
+    user = postfix
+    group = postfix
+  }
+  unix_listener /var/spool/postfix/private/auth {
+    mode = 0666
+    user = postfix
+    group = postfix
+  }
+
+  inet_listener {
+    port = 12345
+  }
+
+  user = dovecot
+  group = dovecot
+  client_limit=2448
+}
+service auth-worker {
+  unix_listener auth-worker {
+    mode = 0666
+    user = dovecot
+    group = dovecot
+  }
+}
+service imap {
+  service_count = 1000
+  client_limit = 1
+}
+service imap-login {
+  inet_listener imap {
+    port = 143
+  }
+  service_count = 1000
+  vsz_limit = 1G
+  process_min_avail = 4
+}
+service lmtp {
+  unix_listener /var/spool/postfix/private/dovecot-lmtp {
+    mode = 0660
+    user = postfix
+    group = postfix
+  }
+  user = vmail
+  group = vmail
+}
+service pop3 {
+  service_count = 1000
+  client_limit = 1
+}
+service pop3-login {
+  inet_listener pop3 {
+    port = 110
+  }
+  service_count = 1000
+  vsz_limit = 1G
+}
+service quota-status {
+  executable = quota-status -p postfix
+  inet_listener quota-status {
+    port = 12340
+  }
+  client_limit = 1
+}
+
+#SQL queries
+passdb {
+  driver = sql
+  args = /etc/dovecot/dovecot-sql.conf.ext
+}
+userdb {
+  driver = prefetch
+}
+userdb {
+  driver = sql
+  args = /etc/dovecot/dovecot-sql.conf.ext
+}
+dict {
+  lastlogin = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
+  user = dovecot
+  group = dovecot
+}
+
+#namespace configuration
+namespace inbox {
+  inbox = yes
+  mailbox Drafts {
+    special_use = \Drafts
+  }
+  mailbox Junk {
+    special_use = \Junk
+  }
+  mailbox Trash {
+    special_use = \Trash
+  }
+
+  mailbox Sent {
+    special_use = \Sent
+  }
+  mailbox "Sent Messages" {
+    special_use = \Sent
+  }
+}

etc/mysql/mariadb.conf.d/manual_settings.cnf

@@ -0,0 +1,44 @@
+[client]
+default-character-set = utf8mb4
+
+[mysqld]
+character_set_server = utf8mb4
+collation_server = utf8mb4_general_ci
+innodb_buffer_pool_size = 64M
+#myisam_sort_buffer_size = 200K
+#bulk_insert_buffer_size = 1M
+#sort_buffer_size = 1M
+innodb_log_buffer_size = 16M
+innodb_log_file_size = 16M
+innodb_flush_log_at_trx_commit = 0
+innodb_defragment = 1
+skip_name_resolve = 1
+query_cache_size = 16M
+query_cache_limit = 4M
+max_connections = 200
+table_open_cache = 15000
+tmp_table_size = 16M
+max_heap_table_size = 16M
+join_buffer_size = 4M
+aria_pagecache_buffer_size = 8M
+aria_sort_buffer_size = 8M
+open_files_limit = 100000
+bind_address = 0.0.0.0
+sql_mode=ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER
+plugin_load_add = file_key_management
+loose_file_key_management_filename = /etc/mysql/encryption/keyfile.enc
+loose_file_key_management_filekey = FILE:/etc/mysql/encryption/keyfile.key
+loose_file_key_management_encryption_algorithm = AES_CTR
+innodb_encrypt_tables = FORCE
+innodb_encrypt_temporary_tables = ON
+innodb_encrypt_log = ON
+encrypt_tmp_files = ON
+encrypt_tmp_disk_tables = ON
+enforce_storage_engine = InnoDB
+encrypt_binlog=ON
+innodb_compression_default=ON
+innodb_compression_algorithm=zlib
+innodb_rollback_on_timeout=1
+innodb_lock_wait_timeout=5
+binlog_row_image = minimal
+binlog_format = ROW

etc/postfix/header_checks

@@ -0,0 +1,2 @@
+/^To:.*@[^@]*\.de-mail\.de/ REJECT "Sorry, you tried contacting a De-Mail Address. This is a special System by the German government, not compatible with E-Mail. More info here: https://www.cio.bund.de/Web/DE/Innovative-Vorhaben/De-Mail/de_mail_node.html"
+/^(To|From).*@example\.com/    REJECT

etc/postfix/helo_checks

@@ -0,0 +1 @@
+DESKTOPRaihan REJECT

etc/postfix/main.cf

@@ -0,0 +1,87 @@
+# general configuration options
+smtpd_banner = danwin1210.de ESMTP $mail_name (Debian/GNU)
+biff = no
+append_dot_mydomain = no
+delay_warning_time = 10h
+myhostname = danwin1210.de
+alias_maps = 
+alias_database = 
+myorigin = danwin1210.de
+mydestination = 
+mynetworks = 127.0.0.0/8 192.168.178.0/24 10.9.0.0/24
+recipient_delimiter = +
+inet_interfaces = all
+inet_protocols = all
+ignore_mx_lookup_error = yes
+always_add_missing_headers = yes
+message_drop_headers = bcc content-length resent-bcc return-path x-mailer x-originating-ip user-agent x-received x-sender-ip x-client-ip x-client-hostname
+notify_classes = 2bounce data delay resource software
+message_size_limit = 52428800
+backwards_bounce_logfile_compatibility = no
+show_user_unknown_table_name = no
+virtual_transport = lmtp:unix:/private/dovecot-lmtp
+compatibility_level = 3.6
+smtputf8_autodetect_classes = all
+
+# TLS parameters
+smtpd_tls_cert_file = /etc/acme.sh/danwin1210.de_ecc/fullchain.cer
+smtpd_tls_key_file = /etc/acme.sh/danwin1210.de_ecc/danwin1210.de.key
+smtpd_tls_ciphers = HIGH
+smtpd_tls_mandatory_ciphers = HIGH
+smtp_tls_ciphers = HIGH
+smtp_tls_mandatory_ciphers = HIGH
+tls_eecdh_auto_curves = X448 X25519 secp521r1 secp384r1 prime256v1
+smtpd_tls_protocols = TLSv1.2 TLSv1.3
+smtp_tls_protocols = TLSv1.2 TLSv1.3
+smtpd_tls_exclude_ciphers = aNULL MD5 SHA CAMELLIA
+smtpd_tls_mandatory_exclude_ciphers = aNULL MD5 SHA CAMELLIA
+smtp_tls_exclude_ciphers = aNULL MD5 SHA CAMELLIA AES+SHA256 AES+SHA384
+smtp_tls_mandatory_exclude_ciphers = aNULL MD5 SHA CAMELLIA AES+SHA256 AES+SHA384
+tls_preempt_cipherlist = yes
+smtpd_tls_dh1024_param_file = /etc/postfix/dh4096.pem
+smtpd_tls_security_level = may
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+smtp_tls_security_level = may
+smtp_tls_CApath = /etc/ssl/certs
+smtp_dns_support_level = dnssec
+tls_ssl_options = NO_RENEGOTIATION
+smtp_tls_chain_files = /etc/postfix/danwin1210-mail.chain
+smtpd_tls_received_header = yes
+
+#lookup maps for domains and email addresses
+relay_domains = torbox.danwin1210.me torbox.danwin1210.de
+canonical_maps = inline:{{@mail2tor.onion=@mail2tor.com}, {@torbox3uiot6wchz.onion=@torbox36ijlcevujx7mjb4oiusvwgvmue7jfn2cvutwa6kl6to3uyqad.onion}, {@torbox.onion=@torbox36ijlcevujx7mjb4oiusvwgvmue7jfn2cvutwa6kl6to3uyqad.onion}, {@torbox.danwin1210.me=@torbox36ijlcevujx7mjb4oiusvwgvmue7jfn2cvutwa6kl6to3uyqad.onion}, {@torbox.danwin1210.de=@torbox36ijlcevujx7mjb4oiusvwgvmue7jfn2cvutwa6kl6to3uyqad.onion}}
+sender_canonical_maps = inline:{{@localhost=@danwin1210.de}, {@danielas3rtn54uwmofdo3x2bsdifr47huasnmbgqzfrec5ubupvtpid.onion=@danwin1210.de}, {@danwin1210.me=@danwin1210.de}}
+transport_maps = inline:{{torbox3uiot6wchz.onion=relay:[torbox36ijlcevujx7mjb4oiusvwgvmue7jfn2cvutwa6kl6to3uyqad.onion]:25}, {.onion=smtp}, {mail2tor.com=relay:[xc7tgk2c5onxni2wsy76jslfsitxjbbptejnqhw6gy2ft7khpevhc7ad.onion]:25}, {blackhost.xyz=relay:[blackhost7pws76u6vohksdahnm6adf7riukgcmahrwt43wv2drvyxid.onion]:25}} proxy:mysql:/etc/postfix/sql/mysql_transport_maps.cf inline:{*=relay:[10.9.0.1]:1025}
+virtual_alias_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf
+virtual_mailbox_domains = proxy:mysql:/etc/postfix/sql/mysql_virtual_domains_maps.cf
+virtual_mailbox_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_mailbox_maps.cf
+
+#sasl authentication and restrictions
+smtpd_sasl_auth_enable = yes
+smtpd_sasl_security_options = noanonymous
+smtpd_sasl_local_domain = danwin1210.de
+smtpd_sasl_type = dovecot
+smtpd_sasl_path = private/auth
+smtpd_client_restrictions = reject_unauth_pipelining
+smtpd_recipient_restrictions = check_policy_service inet:127.0.0.1:12340, permit_sasl_authenticated, check_recipient_access proxy:mysql:/etc/postfix/sql/mysql_tls_policy_in.cf
+smtpd_sender_restrictions = reject_sender_login_mismatch, check_sender_access inline:{{<> = REJECT}}, permit_sasl_authenticated
+smtpd_relay_restrictions = permit_sasl_authenticated, permit_auth_destination, reject_unauth_destination
+smtpd_sender_login_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_auth_maps.cf
+smtpd_helo_restrictions = check_helo_access hash:/etc/postfix/helo_checks
+
+# anti-spam settings
+smtpd_milters = inet:127.0.0.1:11332
+non_smtpd_milters = inet:127.0.0.1:11332
+milter_default_action = accept
+milter_protocol = 6
+header_checks = regexp:/etc/postfix/header_checks
+body_checks = regexp:/etc/postfix/body_checks
+disable_vrfy_command = yes
+smtpd_discard_ehlo_keywords = silent-discard, dsn
+smtpd_delay_reject = yes
+smtpd_helo_required = yes
+strict_rfc821_envelopes = yes
+default_destination_concurrency_limit = 2
+smtpd_recipient_limit = 10

etc/postfix/master.cf

@@ -0,0 +1,132 @@
+#
+# Postfix master process configuration file.  For details on the format
+# of the file, see the master(5) manual page (command: "man 5 master" or
+# on-line: http://www.postfix.org/master.5.html).
+#
+# Do not forget to execute "postfix reload" after editing this file.
+#
+# ==========================================================================
+# service type  private unpriv  chroot  wakeup  maxproc command + args
+#               (yes)   (yes)   (no)    (never) (100)
+# ==========================================================================
+smtp      inet  n       -       n       -       2       smtpd
+ -o smtpd_sasl_auth_enable=no
+ -o { smtpd_sender_restrictions = check_sender_access inline:{double-bounce@mail.danwin1210.de=OK} check_sender_access mysql:/etc/postfix/sql/mysql_virtual_domain_unauth_block.cf }
+26      inet  n       -       n       -       2       smtpd
+ -o smtpd_sasl_auth_enable=no
+ -o { smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/sql/mysql_virtual_domain_unauth_block.cf }
+ -o smtpd_tls_security_level=may
+#smtp      inet  n       -       y       -       1       postscreen
+#smtpd     pass  -       -       y       -       -       smtpd
+#dnsblog   unix  -       -       y       -       0       dnsblog
+#tlsproxy  unix  -       -       y       -       0       tlsproxy
+#submission inet n       -       y       -       -       smtpd
+#  -o syslog_name=postfix/submission
+#  -o smtpd_tls_security_level=encrypt
+#  -o smtpd_sasl_auth_enable=yes
+#  -o smtpd_reject_unlisted_recipient=no
+#  -o smtpd_client_restrictions=$mua_client_restrictions
+#  -o smtpd_helo_restrictions=$mua_helo_restrictions
+#  -o smtpd_sender_restrictions=$mua_sender_restrictions
+#  -o smtpd_recipient_restrictions=
+#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+#  -o milter_macro_daemon_name=ORIGINATING
+smtps     inet  n       -       n       -       2       smtpd
+  -o smtpd_tls_wrappermode=yes
+#  -o syslog_name=postfix/smtps
+#  -o smtpd_sasl_auth_enable=yes
+#  -o smtpd_reject_unlisted_recipient=no
+#  -o smtpd_client_restrictions=$mua_client_restrictions
+#  -o smtpd_helo_restrictions=$mua_helo_restrictions
+#  -o smtpd_sender_restrictions=$mua_sender_restrictions
+#  -o smtpd_recipient_restrictions=
+#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+#  -o milter_macro_daemon_name=ORIGINATING
+#628       inet  n       -       y       -       -       qmqpd
+587       inet  n       -       y       -       2       smtpd
+ -o smtpd_tls_security_level=encrypt
+pickup    unix  n       -       y       60      1       pickup
+cleanup   unix  n       -       y       -       0       cleanup
+qmgr      unix  n       -       n       300     1       qmgr
+#qmgr     unix  n       -       n       300     1       oqmgr
+tlsmgr    unix  -       -       y       1000?   1       tlsmgr
+rewrite   unix  -       -       y       -       -       trivial-rewrite
+bounce    unix  -       -       y       -       0       bounce
+defer     unix  -       -       y       -       0       bounce
+trace     unix  -       -       y       -       0       bounce
+verify    unix  -       -       y       -       1       verify
+flush     unix  n       -       y       1000?   0       flush
+proxymap  unix  -       -       n       -       -       proxymap
+#proxywrite unix -       -       n       -       1       proxymap
+smtp      unix  -       -       y       -       -       smtp
+#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
+relay     unix  -       -       y       -       5       smtp
+showq     unix  n       -       y       -       -       showq
+error     unix  -       -       y       -       -       error
+retry     unix  -       -       y       -       -       error
+discard   unix  -       -       y       -       -       discard
+#local    unix  -       n       n       -       -       local
+#virtual   unix  -       n       n       -       -       virtual
+lmtp      unix  -       -       y       -       -       lmtp
+anvil     unix  -       -       y       -       1       anvil
+scache    unix  -       -       y       -       1       scache
+#
+# ====================================================================
+# Interfaces to non-Postfix software. Be sure to examine the manual
+# pages of the non-Postfix software to find out what options it wants.
+#
+# Many of the following services use the Postfix pipe(8) delivery
+# agent.  See the pipe(8) man page for information about ${recipient}
+# and other message envelope options.
+# ====================================================================
+#
+# maildrop. See the Postfix MAILDROP_README file for details.
+# Also specify in main.cf: maildrop_destination_recipient_limit=1
+#
+#maildrop  unix  -       n       n       -       -       pipe
+#  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
+#
+# ====================================================================
+#
+# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
+#
+# Specify in cyrus.conf:
+#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
+#
+# Specify in main.cf one or more of the following:
+#  mailbox_transport = lmtp:inet:localhost
+#  virtual_transport = lmtp:inet:localhost
+#
+# ====================================================================
+#
+# Cyrus 2.1.5 (Amos Gouaux)
+# Also specify in main.cf: cyrus_destination_recipient_limit=1
+#
+#cyrus     unix  -       n       n       -       -       pipe
+#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
+#
+# ====================================================================
+# Old example of delivery via Cyrus.
+#
+#old-cyrus unix  -       n       n       -       -       pipe
+#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
+#
+# ====================================================================
+#
+# See the Postfix UUCP_README file for configuration details.
+#
+#uucp      unix  -       n       n       -       -       pipe
+#  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
+#
+# Other external delivery methods.
+#
+#ifmail    unix  -       n       n       -       -       pipe
+#  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
+#bsmtp     unix  -       n       n       -       -       pipe
+#  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
+#scalemail-backend unix	-	n	n	-	2	pipe
+#  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
+#mailman   unix  -       n       n       -       -       pipe
+#  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
+#  ${nexthop} ${user}
+

etc/postfix/sql/mysql_tls_policy_in.cf

@@ -0,0 +1,5 @@
+user = postfix_readonly
+password = YOUR_PASSWORD
+hosts = localhost
+dbname = postfix
+query = SELECT 'reject_plaintext_session' FROM mailbox WHERE username=CONCAT('%u', '@', COALESCE((SELECT target_domain FROM alias_domain WHERE alias_domain = '%d' AND active='1'), '%d')) AND active = 1 AND enforce_tls_in = 1 UNION SELECT 'reject_plaintext_session' FROM alias WHERE address=CONCAT('%u', '@', COALESCE((SELECT target_domain FROM alias_domain WHERE alias_domain = '%d' AND active='1'), '%d')) AND active = 1 AND enforce_tls_in = 1

etc/postfix/sql/mysql_transport_maps.cf

@@ -0,0 +1,5 @@
+user = postfix_readonly
+password = YOUR_PASSWORD
+hosts = localhost
+dbname = postfix
+query = SELECT ':' FROM domain WHERE domain='%d' AND active = '1'

etc/postfix/sql/mysql_virtual_alias_maps.cf

@@ -0,0 +1,5 @@
+user = postfix_readonly
+password = YOUR_PASSWORD
+hosts = localhost
+dbname = postfix
+query = SELECT goto FROM alias WHERE address = CONCAT('%u', '@', COALESCE((SELECT target_domain FROM alias_domain WHERE alias_domain = '%d' AND active='1'), '%d')) AND active = 1;

etc/postfix/sql/mysql_virtual_auth_maps.cf

@@ -0,0 +1,5 @@
+user = postfix_readonly
+password = YOUR_PASSWORD
+hosts = localhost
+dbname = postfix
+query = SELECT username FROM mailbox WHERE username=CONCAT('%u', '@', COALESCE((SELECT target_domain FROM alias_domain WHERE alias_domain = '%d' AND active='1'), '%d')) AND active = '1'

etc/postfix/sql/mysql_virtual_domain_unauth_block.cf

@@ -0,0 +1,6 @@
+user = postfix_readonly
+password = YOUR_PASSWORD
+hosts = localhost
+dbname = postfix
+query = SELECT 'REJECT' FROM domain WHERE domain='%d' AND active = '1'
+

etc/postfix/sql/mysql_virtual_domains_maps.cf

@@ -0,0 +1,5 @@
+user = postfix_readonly
+password = YOUR_PASSWORD
+hosts = localhost
+dbname = postfix
+query = SELECT domain FROM domain WHERE domain='%s' AND active = '1'

etc/postfix/sql/mysql_virtual_mailbox_maps.cf

@@ -0,0 +1,5 @@
+user = postfix_readonly
+password = YOUR_PASSWORD
+hosts = localhost
+dbname = postfix
+query = SELECT 1 FROM mailbox WHERE username='%s' AND active = '1'

etc/prosody/prosody.cfg.lua

@@ -0,0 +1,326 @@
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+--     prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { "daniel@danwin1210.de" }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+-- For a local administrator it's common to place local modifications
+-- under /usr/local/ hierarchy:
+--plugin_paths = { "/usr/local/lib/prosody/modules" }
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+	-- Generally required
+		"roster"; -- Allow users to have a roster. Recommended ;)
+		"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+		"tls"; -- Add support for secure TLS on c2s/s2s connections
+		"dialback"; -- s2s dialback support
+		"disco"; -- Service discovery
+
+	-- Not essential, but recommended
+		"carbons"; -- Keep multiple clients in sync
+		"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+		"private"; -- Private XML storage (for room bookmarks, etc.)
+		"blocklist"; -- Allow users to block communications with other users
+		"vcard4"; -- User profiles (stored in PEP)
+		"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+
+	-- Nice to have
+		-- "version"; -- Replies to server version requests
+		-- "uptime"; -- Report how long server has been running
+		"time"; -- Let others know the time here on this server
+		"ping"; -- Replies to XMPP pings with pongs
+		-- "register"; -- Allow users to register on this server using a client and change passwords
+		"mam"; -- Store messages in an archive and allow users to access it
+		"csi_simple"; -- Simple Mobile optimizations
+
+	-- Admin interfaces
+		"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+		--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+	-- HTTP modules
+		"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+		"websocket"; -- XMPP over WebSockets
+		"http_files"; -- Serve static files from a directory over HTTP
+
+	-- Other specific functionality
+		"posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+		--"limits"; -- Enable bandwidth limiting for XMPP connections
+		"groups"; -- Shared roster support
+		"server_contact_info"; -- Publish contact information for this service
+		--"announce"; -- Send announcement to all online users
+		"s2s_bidi"; -- Bi-directional server-to-server (XEP-0288)
+		--"welcome"; -- Welcome users who register accounts
+		--"watchregistrations"; -- Alert admins of registrations
+		--"motd"; -- Send a message to users when they log in
+		--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+		-- "proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+
+	-- Custom added
+		"blocking"; -- Allow blocking users
+		"alias"; -- Alias onion to clearnet
+		"smacks"; -- Stream management
+		-- "csi"; -- Client state indication
+		"filter_chatstates"; -- Hide typing indication on mobile phones
+		"throttle_presence"; -- Update precense on moblile phones less often
+		"cloud_notify"; -- Push notifications for mobile
+		"conversejs";
+		"http_altconnect";
+		"external_services";
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+	-- "offline"; -- Store offline messages
+	-- "c2s"; -- Handle client connections
+	-- "s2s"; -- Handle server-to-server connections
+}
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- Debian:
+--   Do not send the server to background, either systemd or start-stop-daemon take care of that.
+--
+daemonize = false;
+
+-- Debian:
+--   Please, don't change this option since /run/prosody/
+--   is one of the few directories Prosody is allowed to write to
+--
+pidfile = "/run/prosody/prosody.pid";
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+ssl = {
+	key = "/etc/acme.sh/danwin1210.de_ecc/danwin1210.de.key";
+	certificate = "/etc/acme.sh/danwin1210.de_ecc/fullchain.cer";
+	dhparam = "/etc/prosody/dh4096.pem";
+	curve = "X448:X25519:secp521r1:secp384r1:secp256k1";
+	ciphers = "HIGH+kEDH:HIGH+kEECDH:HIGH:!RSA:!PSK:!SRP:!3DES:!aNULL:!SHA:!MD5:!CAMELLIA:!ECDHE-RSA-AES256-SHA384:!ECDHE-RSA-AES128-SHA256:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES256-SHA256";
+}
+
+c2s_require_encryption = true
+
+-- Force servers to use encrypted connections? This option will
+-- prevent servers from authenticating unless they are using encryption.
+
+s2s_require_encryption = true
+
+-- Force certificate authentication for server-to-server connections?
+
+s2s_secure_auth = false
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "imap"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+storage = "sql" -- Default is "internal" (Debian: "sql" requires one of the
+-- lua-dbi-sqlite3, lua-dbi-mysql or lua-dbi-postgresql packages to work)
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "YOUR_PASSWORD", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+--
+-- Debian:
+--  Logs info and higher to /var/log
+--  Logs errors to syslog also
+log = {
+	-- Log files (change 'info' to 'debug' for debug logs):
+	info = "/var/log/prosody/prosody.log";
+	error = "/var/log/prosody/prosody.err";
+	-- Syslog:
+	{ levels = { "error" }; to = "syslog";  };
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+-- HTTPS currently only supports a single certificate, specify it here:
+--https_certificate = "/etc/prosody/certs/localhost.crt"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+-- It's customary to maintain VirtualHost entries in separate config files
+-- under /etc/prosody/conf.d/ directory. Examples of such config files can
+-- be found in /etc/prosody/conf.avail/ directory.
+
+------ Additional config files ------
+-- For organizational purposes you may prefer to add VirtualHost and
+-- Component definitions in their own config files. This line includes
+-- all config files in /etc/prosody/conf.d/
+
+-- custom
+plugin_paths = {"/srv/prosody-modules/"}
+compression_level = 9
+auth_imap_verify_certificate = false
+imap_auth_host = "127.0.0.1"
+aliases = {
+	["danwin1210.me"] = "danwin1210.de";
+	["danielas3rtn54uwmofdo3x2bsdifr47huasnmbgqzfrec5ubupvtpid.onion"] = "danwin1210.de";
+}
+alias_response = "User $alias can be contacted at $target";
+defautl_storage = "sql"
+interfaces = { "0.0.0.0", "::" } -- Listen address
+contact_info = {
+  abuse = { "https://danwin1210.de/contact.php", "mailto:daniel@danwin1210.de" };
+  admin = { "https://danwin1210.de/contact.php", "mailto:daniel@danwin1210.de" };
+  feedback = { "https://danwin1210.de/contact.php", "mailto:daniel@danwin1210.de" };
+  security = { "https://danwin1210.de/contact.php", "mailto:daniel@danwin1210.de" };
+  support = { "https://danwin1210.de/contact.php", "mailto:daniel@danwin1210.de" };
+}
+data_path = "/srv/var/lib/prosody"
+legacy_ssl_ports = {5223}
+external_services = {
+    {
+        type = "stun",
+        transport = "udp",
+        host = "danwin1210.de",
+        port = 3478
+    }, {
+        type = "turn",
+        transport = "udp",
+        host = "danwin1210.de",
+        port = 3478,
+        secret = "YOUR_SECRET"
+    },
+    {
+        type = "stun",
+        transport = "tcp",
+        host = "danwin1210.de",
+        port = 3478
+    }, {
+        type = "turn",
+        transport = "tcp",
+        host = "danwin1210.de",
+        port = 3478,
+        secret = "YOUR_SECRET"
+    },
+    {
+        type = "stuns",
+        transport = "tcp",
+        host = "danwin1210.de",
+        port = 5349
+    }, {
+        type = "turns",
+        transport = "tcp",
+        host = "danwin1210.de",
+        port = 5349,
+        secret = "YOUR_SECRET"
+    }
+}
+cross_domain_bosh = true
+cross_domain_websocket = true
+
+VirtualHost "danwin1210.de"
+
+--VirtualHost "example.com"
+--	certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+Component "conference.danwin1210.de" "muc"
+modules_enabled = {
+  "vcard_muc",
+  "muc_mam" ,
+}
+
+-- Set up a SOCKS5 bytestream proxy for server-proxied file transfers:
+Component "proxy.danwin1210.de" "proxy65"
+
+Component "upload.danwin1210.de" "http_file_share"
+http_file_share_size_limit = 100*1024*1024 -- 100 MiB
+http_file_share_daily_quota = 100*1024*1024 -- 100 MiB per day per user
+http_file_share_global_quota = 10*1024*1024*1024 -- 10 GiB total
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+--	component_secret = "password"
+Include "conf.d/*.cfg.lua"