MI-483 - Staging configuration, service files and setup script

cfg-prod/client.json5

@@ -0,0 +1,45 @@
+{
+  $schema: "../src/main/resources/schema/client.schema.json",
+
+  // Default MX list and port to attempt to deliver the email to.
+  mx: [
+    "127.0.0.1"
+  ],
+  port: 25,
+
+  // Default TLS enablement.
+  tls: true,
+
+  // Default supported protocols and ciphers.
+  protocols: [
+    "TLSv1.2", "TLSv1.3"
+  ],
+  ciphers: [
+    // Strong ciphers only, no RC4, 3DES, MD5 or SHA1.
+    // TLS 1.3
+    "TLS_AES_256_GCM_SHA384",
+    "TLS_CHACHA20_POLY1305_SHA256",
+    "TLS_AES_128_GCM_SHA256",
+    "TLS_AES_128_CCM_8_SHA256",
+    // TLS 1.2
+    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
+  ],
+
+  // Default EHLO to use.
+  ehlo: "mail.missioninbox.tech",
+
+  // Default sender and recipients.
+  mail: "robin@missioninbox.tech",
+  rcpt: [
+    "robin@example.com"
+  ],
+
+  // Default asserting configuration.
+  assertions: {
+    protocolFails: true, // If protocol assertion fails, fail test/exit gracefully.
+    verifyFails: true // If external verify checks fail, fail test/exit gracefully.
+  }
+}

cfg-prod/dovecot.json5

@@ -0,0 +1,16 @@
+{
+  // Enablement.
+  auth: true,
+
+  // Path to Dovecot authentication socket.
+  authSocket: "/run/dovecot/auth-userdb",
+
+  // Save a copy of each email to Dovecot LDA.
+  saveToDovecotLda: true,
+
+  // Path to Dovecot LDA binary.
+  ldaBinary: "/usr/lib/dovecot/dovecot-lda",
+
+  // Default outbound mailbox.
+  outboundMailbox: "Sent"
+}

cfg-prod/log4j2.xml

@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Configuration monitorInterval="30" shutdownHook="disable">
+    <Appenders>
+        <RollingFile name="appender" filePattern="/var/log/robin-%d{yyyyMMdd}.log">
+            <PatternLayout pattern="%-5p|%d{MMdd-HHmmssSSS}|%t|%c{2}|%m%n"/>
+            <Policies>
+                <TimeBasedTriggeringPolicy interval="1" modulate="true"/>
+            </Policies>
+        </RollingFile>
+        <Console name="console" target="SYSTEM_OUT">
+            <PatternLayout pattern="%m%n"/>
+        </Console>
+    </Appenders>
+
+    <Loggers>
+        <Logger name="com.mimecast.robin" level="debug" additivity="false">
+            <AppenderRef ref="appender"/>
+            <AppenderRef ref="console"/>
+        </Logger>
+
+        <Root level="error">
+            <AppenderRef ref="appender"/>
+            <AppenderRef ref="console"/>
+        </Root>
+    </Loggers>
+
+</Configuration>

cfg-prod/prometheus.json5

@@ -0,0 +1,39 @@
+{
+  // Enable/disable Prometheus remote write push.
+  enabled: false,
+
+  // Your remote write endpoint (Prometheus Agent, VictoriaMetrics, Mimir/Thanos Receive, etc.).
+  // Example (Prometheus Agent default): "http://localhost:9201/api/v1/write".
+  remoteWriteUrl: "",
+
+  // Push interval and HTTP timeout (seconds).
+  intervalSeconds: 15,
+  timeoutSeconds: 10,
+
+  // Compress payload with Snappy framed (recommended by most receivers). Set to false to disable.
+  compress: true,
+
+  // Include/exclude filters (regex); metric names use '_' instead of '.'.
+  include: ["^jvm_.*", "^process_.*", "^system_.*"],
+  exclude: [],
+
+  // Tip: Variables below are supported via Magic replacement.
+
+  // Static labels added to every series.
+  labels: {
+    job: "robin",
+    instance: "{$hostname}"
+  },
+
+  // Optional extra headers to include with the request.
+  headers: {},
+
+  // Authentication (choose one)
+  bearerToken: "",
+  basicAuthUser: "",
+  basicAuthPassword: "",
+
+  // Optional multi-tenancy header
+  tenantHeaderName: "",
+  tenantHeaderValue: ""
+}

cfg-prod/properties.json5

@@ -0,0 +1,32 @@
+{
+  // Path to MTA logs if one running on local host.
+  localLogsDir: "/var/log/",
+
+  // Pattern to match UID out of SMT responses.
+  uidPattern: "\\s\\[([a-z0-9\\-_]+)]",
+
+  // Send RSET command before additional envelopes.
+  rsetBetweenEnvelopes: false,
+
+  // Logging config.
+  logging: {
+    data: false, // Log email DATA sent and received.
+    textPartBody: false // Log MIME build case text/* type part contents.
+  },
+
+  // HTTP Requests configuration.
+  request: {
+    connectTimeout: 20,
+    writeTimeout: 20,
+    readTimeout: 90
+  },
+
+  // Humio configuration.
+  humio: {
+    auth: "YOUR_API_KEY",
+    url: "https://humio.example.com/",
+    connectTimeout: 20,
+    writeTimeout: 20,
+    readTimeout: 90
+  }
+}

cfg-prod/queue.json5

@@ -0,0 +1,18 @@
+{
+  // Queue file to use for persisting messages that could not be relayed.
+  queueFile: "/usr/local/robin/relayQueue.db",
+
+  // Queue cron initial run delay (in seconds).
+  queueInitialDelay: 10,
+
+  // Queue cron processing interval (in seconds).
+  queueInterval: 30,
+
+  // Maximum number of messages to attempt to relay per cron tick.
+  maxDequeuePerTick: 10,
+
+  // Concurrency scale for parallel access.
+  // Increase this value to improve performance on high throughput systems.
+  // Must be the sum of all listeners max pool sizes (optionally plus 2 for the dequeue cron and queue-list endpoint).
+  concurrencyScale: 32
+}

cfg-prod/relay.json5

@@ -0,0 +1,34 @@
+{
+  // Enable inbound relay.
+  enabled: false,
+
+  // Enable outbound relay.
+  outboundEnabled: true,
+
+  // Enable outbound MX relay.
+  // When enabled, the server will perform MX lookups for recipient domains instead of using inbound relay host.
+  outboundMxEnabled: true,
+
+  // Disable relay by magic header feature.
+  disableRelayHeader: true,
+
+  // Server to forward mail to.
+  host: "localhost",
+
+  // Port of SMTP server to forward mail to.
+  port: 24,
+
+  // Protocol (Default: ESMTP - Options: SMTP, LMTP, ESMTP, DOVECOT-LDA).
+  protocol: "LMTP",
+
+  // Use secure TLS connection to forward mail.
+  tls: false,
+
+  // Mailbox to use when relaying mail via dovecot-lda depending on direction.
+  // Leave blank to bypass parameters.
+  mailbox: "INBOX", // Inbound
+  outbox: "Sent",   // Outbound
+
+  // Bounce email if relay fails.
+  bounce: true
+}

cfg-prod/routes.json5

@@ -0,0 +1,23 @@
+[
+  // Predefined delivery routes to use instead of MX and port.
+  {
+    name: "loc",
+    mx: ["localhost"],
+    port: 25
+  },
+  {
+    name: "locsub",
+    mx: ["localhost"],
+    port: 587
+  },
+  {
+    name: "stg",
+    mx: ["mail.missioninbox.tech"],
+    port: 25
+  },
+  {
+    name: "stgsub",
+    mx: ["mail.missioninbox.tech"],
+    port: 587
+  }
+]

cfg-prod/scenarios.json5

@@ -0,0 +1,44 @@
+{
+  // Default scenario to use if no others match.
+  "*": {
+    rcpt: [
+      // Custom response for addresses matching value regex.
+      {
+        value: "friday\\-[0-9]+@example\\.com",
+        response: "252 I think I know this user"
+      }
+    ]
+  },
+
+  // How to reject mail at different commands.
+  "reject.com": {
+    // Custom response for EHLO.
+    ehlo: "501 Not talking to you",
+
+    // Custom response for MAIL.
+    mail: "451 I'm not listening to you",
+
+    // Custom response for given recipients.
+    rcpt: [
+      {
+        value: "ultron@reject\\.com",
+        response: "501 Heart not found"
+      }
+    ],
+
+    // Custom response for DATA.
+    data: "554 Your data is corrupted"
+  },
+
+  // How to configure TLS for failure using a deprecated version and weak cipher.
+  "failtls.com" : {
+
+    // Custom response for STARTTLS.
+    // STARTTLS also supports a list of protocols and ciphers to use handshake.
+    starttls: {
+      response: "220 You will fail",
+      protocols: ["TLSv1.0"],
+      ciphers: ["TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"]
+    }
+  }
+}

cfg-prod/server.json5

@@ -0,0 +1,89 @@
+{
+  // Hostname to declare in welcome message.
+  hostname: "mail.missioninbox.tech",
+
+  // Interface the server will bind too (default: ::).
+  bind: "::",
+
+  // Port the server will listen too (default: 25, 0 to disable).
+  smtpPort: 25,
+
+  // Port for secure SMTP via SSL/TLS (default: 465, 0 to disable).
+  securePort: 465,
+
+  // Port for mail submission (default: 587, 0 to disable).
+  submissionPort: 587,
+
+  // SMTP port configuration
+  smtpConfig: {
+    // Number of connections to be allowed in the backlog (default: 25).
+    backlog: 25,
+
+    // Minimum number of threads in the pool.
+    minimumPoolSize: 1,
+
+    // Maximum number of threads in the pool.
+    maximumPoolSize: 10,
+
+    // Time (in seconds) to keep idle threads alive.
+    threadKeepAliveTime: 60,
+
+    // Maximum number of SMTP transactions to process over a connection.
+    transactionsLimit: 305,
+
+    // Number of SMTP errors to allow before terminating connection (default: 3).
+    errorLimit: 3
+  },
+
+  // Secure SMTP port configuration
+  secureConfig: {
+    backlog: 25,
+    minimumPoolSize: 1,
+    maximumPoolSize: 10,
+    threadKeepAliveTime: 60,
+    transactionsLimit: 305,
+    errorLimit: 3
+  },
+
+  // Submission port configuration
+  submissionConfig: {
+    backlog: 25,
+    minimumPoolSize: 1,
+    maximumPoolSize: 10,
+    threadKeepAliveTime: 60,
+    transactionsLimit: 305,
+    errorLimit: 3
+  },
+
+  // Advertise AUTH support (default: true).
+  auth: true,
+
+  // Advertise STARTTLS support (default: true).
+  starttls: true,
+
+  // Advertise CHUNKING support (default: true).
+  chunking: true,
+
+  // Java keystore (default: /usr/local/keystore.jks).
+  keystore: "/usr/local/robin/keystore.jks",
+
+  // Keystore password or path to password file.
+  keystorepassword: "avengers",
+
+  // Java truststore (default: /usr/local/truststore.jks).
+  truststore: "/usr/local/robin/truststore.jks",
+
+  // Truststore password or path to password file.
+  truststorepassword: "avengers",
+
+  // Metrics endpoint port.
+  metricsPort: 8080,
+
+  // API endpoint port.
+  apiPort: 8090,
+
+  // Users allowed to authorize to the server.
+  // This feature should be used for testing only.
+  // This is disabled by default for security reasons.
+  usersEnabled: false // See users.json5 for user definitions.
+}