[server.listener.smtp]
bind = "[::]:25"
protocol = "smtp"

[server.listener.submission]
bind = "[::]:587"
protocol = "smtp"

[server.listener.submissions]
bind = "[::]:465"
protocol = "smtp"
tls.implicit = true

[server.listener.imap]
bind = "[::]:143"
protocol = "imap"

[server.listener.imaptls]
bind = "[::]:993"
protocol = "imap"
tls.implicit = true

[server.listener.pop3]
bind = "[::]:110"
protocol = "pop3"

[server.listener.pop3s]
bind = "[::]:995"
protocol = "pop3"
tls.implicit = true

[server.listener.sieve]
bind = "[::]:4190"
protocol = "managesieve"

[server.listener.https]
protocol = "http"
bind = "127.0.0.1:8443"
tls.implicit = false

[server.listener.http]
protocol = "http"
bind = "127.0.0.1:8880"

[storage]
data = "rocksdb"
fts = "rocksdb"
blob = "rocksdb"
lookup = "rocksdb"
directory = "internal"

[store.rocksdb]
type = "rocksdb"
path = "/opt/stalwart/data"
compression = "lz4"

[directory.internal]
type = "internal"
store = "rocksdb"

[tracer.log]
type = "log"
level = "info"
path = "/opt/stalwart/logs"
prefix = "stalwart.log"
rotate = "daily"
ansi = false
enable = true

[authentication.fallback-admin]
user = "admin"
secret = "$6$stalwartjames$OlCxhWXHNuO3Szh.HHPmjuh3oI/B0iCYjeERKqXSlpGHw40oHxVOd0IW9pJZn54QjA2Dbdlrin.SQRfZBG8pw1"

[lookup.default]
hostname = "mail.jongsma.me"

[certificate.default]
cert = "%{file:/etc/letsencrypt/live/mail.jongsma.me/fullchain.pem}%"
private-key = "%{file:/etc/letsencrypt/live/mail.jongsma.me/privkey.pem}%"
default = true

[server.allowed-ip]
"47.197.93.62" = true

[spam-filter.score]
spam = 8.0
discard = 0
reject = 0

[spam-filter.dnsbl.server.mailspike]
enable = true
scope = "ip"
lookup = "bl.mailspike.net"
tag = "RBL_MAILSPIKE"
score = 7.0

[spam-filter.dnsbl.server.psbl]
enable = true
scope = "ip"
lookup = "psbl.surriel.com"
tag = "RBL_PSBL"
score = 6.0

[spam-filter.dnsbl.server.uceprotect1]
enable = true
scope = "ip"
lookup = "dnsbl.uceprotect.net"
tag = "RBL_UCEPROTECT1"
score = 5.0

[spam-filter.dnsbl.server.spamcop]
enable = true
scope = "ip"
lookup = "bl.spamcop.net"
tag = "RBL_SPAMCOP"
score = 5.0

[spam-filter.dnsbl.server.barracuda]
enable = true
scope = "ip"
lookup = "b.barracudacentral.org"
tag = "RBL_BARRACUDA"
score = 5.0


# Trusted senders — bypass Bayes spam scoring (TRUSTED_DOMAIN = -7.0)
# Added 2026-02-24: squareup.com (Health Link invoices via Square/Amazon SES)
[lookup.trusted-domains]
"squareup.com" = ""
"messaging.squareup.com" = ""
"amazonses.com" = ""

[spam-filter.bayes]
enable = false

# DMARC+DKIM pass = guaranteed inbox — score so low it can never be stamped as spam
# Replaces defaults: DMARC_POLICY_ALLOW=-0.5, DKIM_ALLOW=-0.2
[spam-filter.list.scores]
DMARC_POLICY_ALLOW = -100.0
DKIM_ALLOW = -50.0

# DKIM signature for vault1984.com
[signature."ed25519-vault1984.com"]
algorithm = "ed25519-sha256"
canonicalization = "relaxed/relaxed"
domain = "vault1984.com"
headers = ["From", "To", "Date", "Subject", "Message-ID"]
private-key = "-----BEGIN PRIVATE KEY-----\nMC4CAQAwBQYDK2VwBCIEIO8f0CnaZdOxw5kZg32P2gZdVtCv+nNi1dPQokbRBTjV\n-----END PRIVATE KEY-----\n"
report = false
selector = "stalwart"