Add specific unencrypted servers for internal connexions (webmails)

nginx/conf/nginx.conf

@@ -20,13 +20,15 @@ http {
     absolute_redirect off;
 
     server {
+      # Always listen over HTTP
       listen 80;
       listen [::]:80;
 
-      # TLS configuration
+      # Only enable HTTPS if TLS is enabled with no error
       {% if TLS and not TLS_ERROR %}
       listen 443 ssl;
       listen [::]:443 ssl;
+
       include /etc/nginx/tls.conf;
       ssl_session_cache shared:SSLHTTP:50m;
       add_header Strict-Transport-Security max-age=15768000;
@@ -36,18 +38,21 @@ http {
       }
       {% endif %}
 
+      # In any case, enable the proxy for certbot if the flavor is letsencrypt
       {% if TLS_FLAVOR == 'letsencrypt' %}
       location ^~ /.well-known/acme-challenge/ {
           proxy_pass http://localhost:8000;
       }
       {% endif %}
 
-      # Actual logic
+      # If TLS is failing, prevent access to anything except certbot
       {% if TLS_ERROR %}
       location / {
         return 403;
       }
       {% else %}
+
+      # Actual logic
       {% if WEBMAIL != 'none' %}
       location / {
         return 301 $scheme://$host/webmail/;
@@ -90,6 +95,21 @@ mail {
     ssl_session_cache shared:SSLMAIL:50m;
     {% endif %}
 
+    # Default SMTP server for the webmail (no encryption, but authentication)
+    server {
+      listen 10025;
+      protocol smtp;
+      smtp_auth plain;
+    }
+
+    # Default IMAP server for the webmail (no encryption, but authentication)
+    server {
+      listen 10143;
+      protocol imap;
+      smtp_auth plain;
+    }
+
+    # SMTP is always enabled, to avoid losing emails when TLS is failing
     server {
       listen 25;
       listen [::]:25;
@@ -100,6 +120,7 @@ mail {
       smtp_auth none;
     }
 
+    # All other protocols are disabled if TLS is failing
     {% if not TLS_ERROR %}
     server {
       listen 143;