/*
Package config holds the configuration file definitions for mox.conf (Static)
and domains.conf (Dynamic).

These config files are in "sconf" format.  Summarized: Indent with tabs, "#" as
first non-whitespace character makes the line a comment (you cannot have a line
with both a value and a comment), strings are not quoted/escaped and can never
span multiple lines. See https://pkg.go.dev/github.com/mjl-/sconf for details.

Annotated empty/default configuration files you could use as a starting point
for your mox.conf and domains.conf, as generated by "mox config
describe-static" and "mox config describe-domains":

# mox.conf

	# Directory where all data is stored, e.g. queue, accounts and messages, ACME TLS
	# certs/keys. If this is a relative path, it is relative to the directory of
	# mox.conf.
	DataDir:

	# Default log level, one of: error, info, debug, trace, traceauth, tracedata.
	# Trace logs SMTP and IMAP protocol transcripts, with traceauth also messages with
	# passwords, and tracedata on top of that also the full data exchanges (full
	# messages), which can be a large amount of data.
	LogLevel:

	# Overrides of log level per package (e.g. queue, smtpclient, smtpserver,
	# imapserver, spf, dkim, dmarc, dmarcdb, autotls, junk, mtasts, tlsrpt).
	# (optional)
	PackageLogLevels:
		x:

	# User to switch to after binding to all sockets as root. Default: mox. If the
	# value is not a known user, it is parsed as integer and used as uid and gid.
	# (optional)
	User:

	# If true, do not automatically fix file permissions when starting up. By default,
	# mox will ensure reasonable owner/permissions on the working, data and config
	# directories (and files), and mox binary (if present). (optional)
	NoFixPermissions: false

	# Full hostname of system, e.g. mail.<domain>
	Hostname:

	# If enabled, a single DNS TXT lookup of _updates.xmox.nl is done every 24h to
	# check for a new release. Each time a new release is found, a changelog is
	# fetched from https://updates.xmox.nl and delivered to the postmaster mailbox.
	# (optional)
	CheckUpdates: false

	# In pedantic mode protocol violations (that happen in the wild) for SMTP/IMAP/etc
	# result in errors instead of accepting such behaviour. (optional)
	Pedantic: false

	# Global TLS configuration, e.g. for additional Certificate Authorities. Used for
	# outgoing SMTP connections, HTTPS requests. (optional)
	TLS:

		# (optional)
		CA:

			# (optional)
			AdditionalToSystem: false

			# (optional)
			CertFiles:
				-

	# Automatic TLS configuration with ACME, e.g. through Let's Encrypt. The key is a
	# name referenced in TLS configs, e.g. letsencrypt. (optional)
	ACME:
		x:

			# For letsencrypt, use https://acme-v02.api.letsencrypt.org/directory.
			DirectoryURL:

			# How long before expiration to renew the certificate. Default is 30 days.
			# (optional)
			RenewBefore: 0s

			# Email address to register at ACME provider. The provider can email you when
			# certificates are about to expire. If you configure an address for which email is
			# delivered by this server, keep in mind that TLS misconfigurations could result
			# in such notification emails not arriving.
			ContactEmail:

			# TLS port for ACME validation, 443 by default. You should only override this if
			# you cannot listen on port 443 directly. ACME will make requests to port 443, so
			# you'll have to add an external mechanism to get the connection here, e.g. by
			# configuring port forwarding. (optional)
			Port: 0

	# File containing hash of admin password, for authentication in the web admin
	# pages (if enabled). (optional)
	AdminPasswordFile:

	# Listeners are groups of IP addresses and services enabled on those IP addresses,
	# such as SMTP/IMAP or internal endpoints for administration or Prometheus
	# metrics. All listeners with SMTP/IMAP services enabled will serve all configured
	# domains. If the listener is named 'public', it will get a few helpful additional
	# configuration checks, for acme automatic tls certificates and monitoring of ips
	# in dnsbls if those are configured.
	Listeners:
		x:

			# Use 0.0.0.0 to listen on all IPv4 and/or :: to listen on all IPv6 addresses, but
			# it is better to explicitly specify the IPs you want to use for email, as mox
			# will make sure outgoing connections will only be made from one of those IPs.
			IPs:
				-

			# Set this if the specified IPs are not the public IPs, but are NATed. This makes
			# the DNS check skip a few checks related to IPs, such as for iprev, mx, spf,
			# autoconfig, autodiscover. (optional)
			IPsNATed: false

			# If empty, the config global Hostname is used. (optional)
			Hostname:

			# For SMTP/IMAP STARTTLS, direct TLS and HTTPS connections. (optional)
			TLS:

				# Name of provider from top-level configuration to use for ACME, e.g. letsencrypt.
				# (optional)
				ACME:

				# Key and certificate files are opened by the privileged root process and passed
				# to the unprivileged mox process, so no special permissions are required.
				# (optional)
				KeyCerts:
					-

						# Certificate including intermediate CA certificates, in PEM format.
						CertFile:

						# Private key for certificate, in PEM format. PKCS8 is recommended, but PKCS1 and
						# EC private keys are recognized as well.
						KeyFile:

				# Minimum TLS version. Default: TLSv1.2. (optional)
				MinVersion:

			# Maximum size in bytes for incoming and outgoing messages. Default is 100MB.
			# (optional)
			SMTPMaxMessageSize: 0

			# (optional)
			SMTP:
				Enabled: false

				# Default 25. (optional)
				Port: 0

				# Do not offer STARTTLS to secure the connection. Not recommended. (optional)
				NoSTARTTLS: false

				# Do not accept incoming messages if STARTTLS is not active. Can be used in
				# combination with a strict MTA-STS policy. A remote SMTP server may not support
				# TLS and may not be able to deliver messages. (optional)
				RequireSTARTTLS: false

				# Addresses of DNS block lists for incoming messages. Block lists are only
				# consulted for connections/messages without enough reputation to make an
				# accept/reject decision. This prevents sending IPs of all communications to the
				# block list provider. If any of the listed DNSBLs contains a requested IP
				# address, the message is rejected as spam. The DNSBLs are checked for healthiness
				# before use, at most once per 4 hours. Example DNSBLs: sbl.spamhaus.org,
				# bl.spamcop.net (optional)
				DNSBLs:
					-

				# Delay before accepting a message from a first-time sender for the destination
				# account. Default: 15s. (optional)
				FirstTimeSenderDelay: 0s

			# SMTP for submitting email, e.g. by email applications. Starts out in plain text,
			# can be upgraded to TLS with the STARTTLS command. Prefer using Submissions which
			# is always a TLS connection. (optional)
			Submission:
				Enabled: false

				# Default 587. (optional)
				Port: 0

				# Do not require STARTTLS. Since users must login, this means password may be sent
				# without encryption. Not recommended. (optional)
				NoRequireSTARTTLS: false

			# SMTP over TLS for submitting email, by email applications. Requires a TLS
			# config. (optional)
			Submissions:
				Enabled: false

				# Default 465. (optional)
				Port: 0

			# IMAP for reading email, by email applications. Starts out in plain text, can be
			# upgraded to TLS with the STARTTLS command. Prefer using IMAPS instead which is
			# always a TLS connection. (optional)
			IMAP:
				Enabled: false

				# Default 143. (optional)
				Port: 0

				# Enable this only when the connection is otherwise encrypted (e.g. through a
				# VPN). (optional)
				NoRequireSTARTTLS: false

			# IMAP over TLS for reading email, by email applications. Requires a TLS config.
			# (optional)
			IMAPS:
				Enabled: false

				# Default 993. (optional)
				Port: 0

			# Account web interface, for email users wanting to change their accounts, e.g.
			# set new password, set new delivery rulesets. Served at /. (optional)
			AccountHTTP:
				Enabled: false

				# Default 80. (optional)
				Port: 0

				# Path to serve account requests on, e.g. /mox/. Useful if domain serves other
				# resources. Default is /. (optional)
				Path:

			# Account web interface listener for HTTPS. Requires a TLS config. (optional)
			AccountHTTPS:
				Enabled: false

				# Default 80. (optional)
				Port: 0

				# Path to serve account requests on, e.g. /mox/. Useful if domain serves other
				# resources. Default is /. (optional)
				Path:

			# Admin web interface, for managing domains, accounts, etc. Served at /admin/.
			# Preferably only enable on non-public IPs. Hint: use 'ssh -L 8080:localhost:80
			# you@yourmachine' and open http://localhost:8080/admin/, or set up a tunnel (e.g.
			# WireGuard) and add its IP to the mox 'internal' listener. (optional)
			AdminHTTP:
				Enabled: false

				# Default 80. (optional)
				Port: 0

				# Path to serve admin requests on, e.g. /moxadmin/. Useful if domain serves other
				# resources. Default is /admin/. (optional)
				Path:

			# Admin web interface listener for HTTPS. Requires a TLS config. Preferably only
			# enable on non-public IPs. (optional)
			AdminHTTPS:
				Enabled: false

				# Default 443. (optional)
				Port: 0

				# Path to serve admin requests on, e.g. /moxadmin/. Useful if domain serves other
				# resources. Default is /admin/. (optional)
				Path:

			# Webmail client, for reading email. (optional)
			WebmailHTTP:
				Enabled: false

				# Default 80. (optional)
				Port: 0

				# Path to serve account requests on. Useful if domain serves other resources.
				# Default is /webmail/. (optional)
				Path:

			# Webmail client, for reading email. (optional)
			WebmailHTTPS:
				Enabled: false

				# Default 443. (optional)
				Port: 0

				# Path to serve account requests on. Useful if domain serves other resources.
				# Default is /webmail/. (optional)
				Path:

			# Serve prometheus metrics, for monitoring. You should not enable this on a public
			# IP. (optional)
			MetricsHTTP:
				Enabled: false

				# Default 8010. (optional)
				Port: 0

			# Serve /debug/pprof/ for profiling a running mox instance. Do not enable this on
			# a public IP! (optional)
			PprofHTTP:
				Enabled: false

				# Default 8011. (optional)
				Port: 0

			# Serve autoconfiguration/autodiscovery to simplify configuring email
			# applications, will use port 443. Requires a TLS config. (optional)
			AutoconfigHTTPS:
				Enabled: false

				# TLS port, 443 by default. You should only override this if you cannot listen on
				# port 443 directly. Autoconfig requests will be made to port 443, so you'll have
				# to add an external mechanism to get the connection here, e.g. by configuring
				# port forwarding. (optional)
				Port: 0

				# If set, plain HTTP instead of HTTPS is spoken on the configured port. Can be
				# useful when the autoconfig domain is reverse proxied. (optional)
				NonTLS: false

			# Serve MTA-STS policies describing SMTP TLS requirements. Requires a TLS config.
			# (optional)
			MTASTSHTTPS:
				Enabled: false

				# TLS port, 443 by default. You should only override this if you cannot listen on
				# port 443 directly. MTA-STS requests will be made to port 443, so you'll have to
				# add an external mechanism to get the connection here, e.g. by configuring port
				# forwarding. (optional)
				Port: 0

				# If set, plain HTTP instead of HTTPS is spoken on the configured port. Can be
				# useful when the mta-sts domain is reverse proxied. (optional)
				NonTLS: false

			# All configured WebHandlers will serve on an enabled listener. (optional)
			WebserverHTTP:
				Enabled: false

				# Port for plain HTTP (non-TLS) webserver. (optional)
				Port: 0

			# All configured WebHandlers will serve on an enabled listener. Either ACME must
			# be configured, or for each WebHandler domain a TLS certificate must be
			# configured. (optional)
			WebserverHTTPS:
				Enabled: false

				# Port for HTTPS webserver. (optional)
				Port: 0

	# Destination for emails delivered to postmaster addresses: a plain 'postmaster'
	# without domain, 'postmaster@<hostname>' (also for each listener with SMTP
	# enabled), and as fallback for each domain without explicitly configured
	# postmaster destination.
	Postmaster:
		Account:

		# E.g. Postmaster or Inbox.
		Mailbox:

	# Mailboxes to create for new accounts. Inbox is always created. Mailboxes can be
	# given a 'special-use' role, which are understood by most mail clients. If
	# absent/empty, the following mailboxes are created: Sent, Archive, Trash, Drafts
	# and Junk. (optional)
	InitialMailboxes:

		# Special-use roles to mailbox to create. (optional)
		SpecialUse:

			# (optional)
			Sent:

			# (optional)
			Archive:

			# (optional)
			Trash:

			# (optional)
			Draft:

			# (optional)
			Junk:

		# Regular, non-special-use mailboxes to create. (optional)
		Regular:
			-

	# Deprecated in favor of InitialMailboxes. Mailboxes to create when adding an
	# account. Inbox is always created. If no mailboxes are specified, the following
	# are automatically created: Sent, Archive, Trash, Drafts and Junk. (optional)
	DefaultMailboxes:
		-

	# Transport are mechanisms for delivering messages. Transports can be referenced
	# from Routes in accounts, domains and the global configuration. There is always
	# an implicit/fallback delivery transport doing direct delivery with SMTP from the
	# outgoing message queue. Transports are typically only configured when using
	# smarthosts, i.e. when delivering through another SMTP server. Zero or one
	# transport methods must be set in a transport, never multiple. When using an
	# external party to send email for a domain, keep in mind you may have to add
	# their IP address to your domain's SPF record, and possibly additional DKIM
	# records. (optional)
	Transports:
		x:

			# Submission SMTP over a TLS connection to submit email to a remote queue.
			# (optional)
			Submissions:

				# Host name to connect to and for verifying its TLS certificate.
				Host:

				# If unset or 0, the default port for submission(s)/smtp is used: 25 for SMTP, 465
				# for submissions (with TLS), 587 for submission (possibly with STARTTLS).
				# (optional)
				Port: 0

				# If set an unverifiable remote TLS certificate during STARTTLS is accepted.
				# (optional)
				STARTTLSInsecureSkipVerify: false

				# If set for submission or smtp transport, do not attempt STARTTLS on the
				# connection. Authentication credentials and messages will be transferred in clear
				# text. (optional)
				NoSTARTTLS: false

				# If set, authentication credentials for the remote server. (optional)
				Auth:
					Username:
					Password:

					# Allowed authentication mechanisms. Defaults to SCRAM-SHA-256, SCRAM-SHA-1,
					# CRAM-MD5. Not included by default: PLAIN. (optional)
					Mechanisms:
						-

			# Submission SMTP over a plain TCP connection (possibly with STARTTLS) to submit
			# email to a remote queue. (optional)
			Submission:

				# Host name to connect to and for verifying its TLS certificate.
				Host:

				# If unset or 0, the default port for submission(s)/smtp is used: 25 for SMTP, 465
				# for submissions (with TLS), 587 for submission (possibly with STARTTLS).
				# (optional)
				Port: 0

				# If set an unverifiable remote TLS certificate during STARTTLS is accepted.
				# (optional)
				STARTTLSInsecureSkipVerify: false

				# If set for submission or smtp transport, do not attempt STARTTLS on the
				# connection. Authentication credentials and messages will be transferred in clear
				# text. (optional)
				NoSTARTTLS: false

				# If set, authentication credentials for the remote server. (optional)
				Auth:
					Username:
					Password:

					# Allowed authentication mechanisms. Defaults to SCRAM-SHA-256, SCRAM-SHA-1,
					# CRAM-MD5. Not included by default: PLAIN. (optional)
					Mechanisms:
						-

			# SMTP over a plain connection (possibly with STARTTLS), typically for
			# old-fashioned unauthenticated relaying to a remote queue. (optional)
			SMTP:

				# Host name to connect to and for verifying its TLS certificate.
				Host:

				# If unset or 0, the default port for submission(s)/smtp is used: 25 for SMTP, 465
				# for submissions (with TLS), 587 for submission (possibly with STARTTLS).
				# (optional)
				Port: 0

				# If set an unverifiable remote TLS certificate during STARTTLS is accepted.
				# (optional)
				STARTTLSInsecureSkipVerify: false

				# If set for submission or smtp transport, do not attempt STARTTLS on the
				# connection. Authentication credentials and messages will be transferred in clear
				# text. (optional)
				NoSTARTTLS: false

				# If set, authentication credentials for the remote server. (optional)
				Auth:
					Username:
					Password:

					# Allowed authentication mechanisms. Defaults to SCRAM-SHA-256, SCRAM-SHA-1,
					# CRAM-MD5. Not included by default: PLAIN. (optional)
					Mechanisms:
						-

			# Like regular direct delivery, but makes outgoing connections through a SOCKS
			# proxy. (optional)
			Socks:

				# Address of SOCKS proxy, of the form host:port or ip:port.
				Address:

				# IP addresses connections from the SOCKS server will originate from. This IP
				# addresses should be configured in the SPF record (keep in mind DNS record time
				# to live (TTL) when adding a SOCKS proxy). Reverse DNS should be set up for these
				# address, resolving to RemoteHostname. These are typically the IPv4 and IPv6
				# address for the host in the Address field.
				RemoteIPs:
					-

				# Hostname belonging to RemoteIPs. This name is used during in SMTP EHLO. This is
				# typically the hostname of the host in the Address field.
				RemoteHostname:

# domains.conf

	# Domains for which email is accepted. For internationalized domains, use their
	# IDNA names in UTF-8.
	Domains:
		x:

			# Free-form description of domain. (optional)
			Description:

			# If not empty, only the string before the separator is used to for email delivery
			# decisions. For example, if set to "+", you+anything@example.com will be
			# delivered to you@example.com. (optional)
			LocalpartCatchallSeparator:

			# If set, upper/lower case is relevant for email delivery. (optional)
			LocalpartCaseSensitive: false

			# With DKIM signing, a domain is taking responsibility for (content of) emails it
			# sends, letting receiving mail servers build up a (hopefully positive) reputation
			# of the domain, which can help with mail delivery. (optional)
			DKIM:

				# Emails can be DKIM signed. Config parameters are per selector. A DNS record must
				# be created for each selector. Add the name to Sign to use the selector for
				# signing messages.
				Selectors:
					x:

						# sha256 (default) or (older, not recommended) sha1 (optional)
						Hash:

						# (optional)
						Canonicalization:

							# If set, some modifications to the headers (mostly whitespace) are allowed.
							HeaderRelaxed: false

							# If set, some whitespace modifications to the message body are allowed.
							BodyRelaxed: false

						# Headers to sign with DKIM. If empty, a reasonable default set of headers is
						# selected. (optional)
						Headers:
							-

						# If set, don't prevent duplicate headers from being added. Not recommended.
						# (optional)
						DontSealHeaders: false

						# Period a signature is valid after signing, as duration, e.g. 72h. The period
						# should be enough for delivery at the final destination, potentially with several
						# hops/relays. In the order of days at least. (optional)
						Expiration:

						# Either an RSA or ed25519 private key file in PKCS8 PEM form.
						PrivateKeyFile:

				# List of selectors that emails will be signed with. (optional)
				Sign:
					-

			# With DMARC, a domain publishes, in DNS, a policy on how other mail servers
			# should handle incoming messages with the From-header matching this domain and/or
			# subdomain (depending on the configured alignment). Receiving mail servers use
			# this to build up a reputation of this domain, which can help with mail delivery.
			# A domain can also publish an email address to which reports about DMARC
			# verification results can be sent by verifying mail servers, useful for
			# monitoring. Incoming DMARC reports are automatically parsed, validated, added to
			# metrics and stored in the reporting database for later display in the admin web
			# pages. (optional)
			DMARC:

				# Address-part before the @ that accepts DMARC reports. Must be
				# non-internationalized. Recommended value: dmarc-reports.
				Localpart:

				# Account to deliver to.
				Account:

				# Mailbox to deliver to, e.g. DMARC.
				Mailbox:

			# With MTA-STS a domain publishes, in DNS, presence of a policy for
			# using/requiring TLS for SMTP connections. The policy is served over HTTPS.
			# (optional)
			MTASTS:

				# Policies are versioned. The version must be specified in the DNS record. If you
				# change a policy, first change it in mox, then update the DNS record.
				PolicyID:

				# testing, enforce or none. If set to enforce, a remote SMTP server will not
				# deliver email to us if it cannot make a TLS connection.
				Mode:

				# How long a remote mail server is allowed to cache a policy. Typically 1 or
				# several weeks.
				MaxAge: 0s

				# List of server names allowed for SMTP. If empty, the configured hostname is set.
				# Host names can contain a wildcard (*) as a leading label (matching a single
				# label, e.g. *.example matches host.example, not sub.host.example). (optional)
				MX:
					-

			# With TLSRPT a domain specifies in DNS where reports about encountered SMTP TLS
			# behaviour should be sent. Useful for monitoring. Incoming TLS reports are
			# automatically parsed, validated, added to metrics and stored in the reporting
			# database for later display in the admin web pages. (optional)
			TLSRPT:

				# Address-part before the @ that accepts TLSRPT reports. Recommended value:
				# tls-reports.
				Localpart:

				# Account to deliver to.
				Account:

				# Mailbox to deliver to, e.g. TLSRPT.
				Mailbox:

			# Routes for delivering outgoing messages through the queue. Each delivery attempt
			# evaluates account routes, these domain routes and finally global routes. The
			# transport of the first matching route is used in the delivery attempt. If no
			# routes match, which is the default with no configured routes, messages are
			# delivered directly from the queue. (optional)
			Routes:
				-

					# Matches if the envelope from domain matches one of the configured domains, or if
					# the list is empty. If a domain starts with a dot, prefixes of the domain also
					# match. (optional)
					FromDomain:
						-

					# Like FromDomain, but matching against the envelope to domain. (optional)
					ToDomain:
						-

					# Matches if at least this many deliveries have already been attempted. This can
					# be used to attempt sending through a smarthost when direct delivery has failed
					# for several times. (optional)
					MinimumAttempts: 0
					Transport:

	# Accounts to which email can be delivered. An account can accept email for
	# multiple domains, for multiple localparts, and deliver to multiple mailboxes.
	Accounts:
		x:

			# Default domain for account. Deprecated behaviour: If a destination is not a full
			# address but only a localpart, this domain is added to form a full address.
			Domain:

			# Free form description, e.g. full name or alternative contact info. (optional)
			Description:

			# Full name, to use in message From header when composing messages in webmail. Can
			# be overridden per destination. (optional)
			FullName:

			# Destinations, keys are email addresses (with IDNA domains). If the address is of
			# the form '@domain', i.e. with localpart missing, it serves as a catchall for the
			# domain, matching all messages that are not explicitly configured. Deprecated
			# behaviour: If the address is not a full address but a localpart, it is combined
			# with Domain to form a full address.
			Destinations:
				x:

					# Mailbox to deliver to if none of Rulesets match. Default: Inbox. (optional)
					Mailbox:

					# Delivery rules based on message and SMTP transaction. You may want to match each
					# mailing list by SMTP MailFrom address, VerifiedDomain and/or List-ID header
					# (typically <listname.example.org> if the list address is listname@example.org),
					# delivering them to their own mailbox. (optional)
					Rulesets:
						-

							# Matches if this regular expression matches (a substring of) the SMTP MAIL FROM
							# address (not the message From-header). E.g. '^user@example\.org$'. (optional)
							SMTPMailFromRegexp:

							# Matches if this domain matches an SPF- and/or DKIM-verified (sub)domain.
							# (optional)
							VerifiedDomain:

							# Matches if these header field/value regular expressions all match (substrings
							# of) the message headers. Header fields and valuees are converted to lower case
							# before matching. Whitespace is trimmed from the value before matching. A header
							# field can occur multiple times in a message, only one instance has to match. For
							# mailing lists, you could match on ^list-id$ with the value typically the mailing
							# list address in angled brackets with @ replaced with a dot, e.g.
							# <name\.lists\.example\.org>. (optional)
							HeadersRegexp:
								x:

							# Influences spam filtering only, this option does not change whether a message
							# matches this ruleset. Can only be used together with SMTPMailFromRegexp and
							# VerifiedDomain. SMTPMailFromRegexp must be set to the address used to deliver
							# the forwarded message, e.g. '^user(|\+.*)@forward\.example$'. Changes to junk
							# analysis: 1. Messages are not rejects for failing a DMARC policy, because a
							# legitimate forwarded message without valid/intact/aligned DKIM signature would
							# be rejected because any verified SPF domain will be 'unaligned', of the
							# forwarding mail server. 2. The sending mail server IP address, and sending EHLO
							# and MAIL FROM domains and matching DKIM domain aren't used in future
							# reputation-based spam classifications (but other verified DKIM domains are)
							# because the forwarding server is not a useful spam signal for future messages.
							# (optional)
							IsForward: false

							# Influences spam filtering only, this option does not change whether a message
							# matches this ruleset. If this domain matches an SPF- and/or DKIM-verified
							# (sub)domain, the message is accepted without further spam checks, such as a junk
							# filter or DMARC reject evaluation. DMARC rejects should not apply for mailing
							# lists that are not configured to rewrite the From-header of messages that don't
							# have a passing DKIM signature of the From-domain. Otherwise, by rejecting
							# messages, you may be automatically unsubscribed from the mailing list. The
							# assumption is that mailing lists do their own spam filtering/moderation.
							# (optional)
							ListAllowDomain:

							# Influences spam filtering only, this option does not change whether a message
							# matches this ruleset. If a message is classified as spam, it isn't rejected
							# during the SMTP transaction (the normal behaviour), but accepted during the SMTP
							# transaction and delivered to the specified mailbox. The specified mailbox is not
							# automatically cleaned up like the account global Rejects mailbox, unless set to
							# that Rejects mailbox. (optional)
							AcceptRejectsToMailbox:

							# Mailbox to deliver to if this ruleset matches.
							Mailbox:

					# Full name to use in message From header when composing messages coming from this
					# address with webmail. (optional)
					FullName:

			# If configured, messages classified as weakly spam are rejected with instructions
			# to retry delivery, but this time with a signed token added to the subject.
			# During the next delivery attempt, the signed token will bypass the spam filter.
			# Messages with a clear spam signal, such as a known bad reputation, are
			# rejected/delayed without a signed token. (optional)
			SubjectPass:

				# How long unique values are accepted after generating, e.g. 12h.
				Period: 0s

			# Mail that looks like spam will be rejected, but a copy can be stored temporarily
			# in a mailbox, e.g. Rejects. If mail isn't coming in when you expect, you can
			# look there. The mail still isn't accepted, so the remote mail server may retry
			# (hopefully, if legitimate), or give up (hopefully, if indeed a spammer).
			# Messages are automatically removed from this mailbox, so do not set it to a
			# mailbox that has messages you want to keep. (optional)
			RejectsMailbox:

			# Don't automatically delete mail in the RejectsMailbox listed above. This can be
			# useful, e.g. for future spam training. (optional)
			KeepRejects: false

			# Automatically set $Junk and $NotJunk flags based on mailbox messages are
			# delivered/moved/copied to. Email clients typically have too limited
			# functionality to conveniently set these flags, especially $NonJunk, but they can
			# all move messages to a different mailbox, so this helps them. (optional)
			AutomaticJunkFlags:

				# If enabled, flags will be set automatically if they match a regular expression
				# below. When two of the three mailbox regular expressions are set, the remaining
				# one will match all unmatched messages. Messages are matched in the order
				# specified and the search stops on the first match. Mailboxes are lowercased
				# before matching.
				Enabled: false

				# Example: ^(junk|spam). (optional)
				JunkMailboxRegexp:

				# Example: ^(inbox|neutral|postmaster|dmarc|tlsrpt|rejects), and you may wish to
				# add trash depending on how you use it, or leave this empty. (optional)
				NeutralMailboxRegexp:

				# Example: .* or an empty string. (optional)
				NotJunkMailboxRegexp:

			# Content-based filtering, using the junk-status of individual messages to rank
			# words in such messages as spam or ham. It is recommended you always set the
			# applicable (non)-junk status on messages, and that you do not empty your Trash
			# because those messages contain valuable ham/spam training information.
			# (optional)
			JunkFilter:

				# Approximate spaminess score between 0 and 1 above which emails are rejected as
				# spam. Each delivery attempt adds a little noise to make it slightly harder for
				# spammers to identify words that strongly indicate non-spaminess and use it to
				# bypass the filter. E.g. 0.95.
				Threshold: 0.000000
				Params:

					# Track ham/spam ranking for single words. (optional)
					Onegrams: false

					# Track ham/spam ranking for each two consecutive words. (optional)
					Twograms: false

					# Track ham/spam ranking for each three consecutive words. (optional)
					Threegrams: false

					# Maximum power a word (combination) can have. If spaminess is 0.99, and max power
					# is 0.1, spaminess of the word will be set to 0.9. Similar for ham words.
					MaxPower: 0.000000

					# Number of most spammy/hammy words to use for calculating probability. E.g. 10.
					TopWords: 0

					# Ignore words that are this much away from 0.5 haminess/spaminess. E.g. 0.1,
					# causing word (combinations) of 0.4 to 0.6 to be ignored. (optional)
					IgnoreWords: 0.000000

					# Occurrences in word database until a word is considered rare and its influence
					# in calculating probability reduced. E.g. 1 or 2. (optional)
					RareWords: 0

			# Maximum number of outgoing messages for this account in a 24 hour window. This
			# limits the damage to recipients and the reputation of this mail server in case
			# of account compromise. Default 1000. (optional)
			MaxOutgoingMessagesPerDay: 0

			# Maximum number of first-time recipients in outgoing messages for this account in
			# a 24 hour window. This limits the damage to recipients and the reputation of
			# this mail server in case of account compromise. Default 200. (optional)
			MaxFirstTimeRecipientsPerDay: 0

			# Routes for delivering outgoing messages through the queue. Each delivery attempt
			# evaluates these account routes, domain routes and finally global routes. The
			# transport of the first matching route is used in the delivery attempt. If no
			# routes match, which is the default with no configured routes, messages are
			# delivered directly from the queue. (optional)
			Routes:
				-

					# Matches if the envelope from domain matches one of the configured domains, or if
					# the list is empty. If a domain starts with a dot, prefixes of the domain also
					# match. (optional)
					FromDomain:
						-

					# Like FromDomain, but matching against the envelope to domain. (optional)
					ToDomain:
						-

					# Matches if at least this many deliveries have already been attempted. This can
					# be used to attempt sending through a smarthost when direct delivery has failed
					# for several times. (optional)
					MinimumAttempts: 0
					Transport:

	# Redirect all requests from domain (key) to domain (value). Always redirects to
	# HTTPS. For plain HTTP redirects, use a WebHandler with a WebRedirect. (optional)
	WebDomainRedirects:
		x:

	# Handle webserver requests by serving static files, redirecting or
	# reverse-proxying HTTP(s). The first matching WebHandler will handle the request.
	# Built-in handlers, e.g. for account, admin, autoconfig and mta-sts always run
	# first. If no handler matches, the response status code is file not found (404).
	# If functionality you need is missng, simply forward the requests to an
	# application that can provide the needed functionality. (optional)
	WebHandlers:
		-

			# Name to use in logging and metrics. (optional)
			LogName:

			# Both Domain and PathRegexp must match for this WebHandler to match a request.
			# Exactly one of WebStatic, WebRedirect, WebForward must be set.
			Domain:

			# Regular expression matched against request path, must always start with ^ to
			# ensure matching from the start of the path. The matching prefix can optionally
			# be stripped by WebForward. The regular expression does not have to end with $.
			PathRegexp:

			# If set, plain HTTP requests are not automatically permanently redirected (308)
			# to HTTPS. If you don't have a HTTPS webserver configured, set this to true.
			# (optional)
			DontRedirectPlainHTTP: false

			# Serve static files. (optional)
			WebStatic:

				# Path to strip from the request URL before evaluating to a local path. If the
				# requested URL path does not start with this prefix and ContinueNotFound it is
				# considered non-matching and next WebHandlers are tried. If ContinueNotFound is
				# not set, a file not found (404) is returned in that case. (optional)
				StripPrefix:

				# Directory to serve files from for this handler. Keep in mind that relative paths
				# are relative to the working directory of mox.
				Root:

				# If set, and a directory is requested, and no index.html is present that can be
				# served, a file listing is returned. Results in 403 if ListFiles is not set. If a
				# directory is requested and the URL does not end with a slash, the response is a
				# redirect to the path with trailing slash. (optional)
				ListFiles: false

				# If a requested URL does not exist, don't return a file not found (404) response,
				# but consider this handler non-matching and continue attempts to serve with later
				# WebHandlers, which may be a reverse proxy generating dynamic content, possibly
				# even writing a static file for a next request to serve statically. If
				# ContinueNotFound is set, HTTP requests other than GET and HEAD do not match.
				# This mechanism can be used to implement the equivalent of 'try_files' in other
				# webservers. (optional)
				ContinueNotFound: false

				# Headers to add to the response. Useful for cache-control, content-type, etc. By
				# default, Content-Type headers are automatically added for recognized file types,
				# unless added explicitly through this setting. For directory listings, a
				# content-type header is skipped. (optional)
				ResponseHeaders:
					x:

			# Redirect requests to configured URL. (optional)
			WebRedirect:

				# Base URL to redirect to. The path must be empty and will be replaced, either by
				# the request URL path, or by OrigPathRegexp/ReplacePath. Scheme, host, port and
				# fragment stay intact, and query strings are combined. If empty, the response
				# redirects to a different path through OrigPathRegexp and ReplacePath, which must
				# then be set. Use a URL without scheme to redirect without changing the protocol,
				# e.g. //newdomain/. If a redirect would send a request to a URL with the same
				# scheme, host and path, the WebRedirect does not match so a next WebHandler can
				# be tried. This can be used to redirect all plain http traffic to https.
				# (optional)
				BaseURL:

				# Regular expression for matching path. If set and path does not match, a 404 is
				# returned. The HTTP path used for matching always starts with a slash. (optional)
				OrigPathRegexp:

				# Replacement path for destination URL based on OrigPathRegexp. Implemented with
				# Go's Regexp.ReplaceAllString: $1 is replaced with the text of the first
				# submatch, etc. If both OrigPathRegexp and ReplacePath are empty, BaseURL must be
				# set and all paths are redirected unaltered. (optional)
				ReplacePath:

				# Status code to use in redirect, e.g. 307. By default, a permanent redirect (308)
				# is returned. (optional)
				StatusCode: 0

			# Forward requests to another webserver, i.e. reverse proxy. (optional)
			WebForward:

				# Strip the matching WebHandler path from the WebHandler before forwarding the
				# request. (optional)
				StripPath: false

				# URL to forward HTTP requests to, e.g. http://127.0.0.1:8123/base. If StripPath
				# is false the full request path is added to the URL. Host headers are sent
				# unmodified. New X-Forwarded-{For,Host,Proto} headers are set. Any query string
				# in the URL is ignored. Requests are made using Go's net/http.DefaultTransport
				# that takes environment variables HTTP_PROXY and HTTPS_PROXY into account.
				# Websocket connections are forwarded and data is copied between client and
				# backend without looking at the framing. The websocket 'version' and
				# 'key'/'accept' headers are verified during the handshake, but other websocket
				# headers, including 'origin', 'protocol' and 'extensions' headers, are not
				# inspected and the backend is responsible for verifying/interpreting them.
				URL:

				# Headers to add to the response. Useful for adding security- and cache-related
				# headers. (optional)
				ResponseHeaders:
					x:

	# Routes for delivering outgoing messages through the queue. Each delivery attempt
	# evaluates account routes, domain routes and finally these global routes. The
	# transport of the first matching route is used in the delivery attempt. If no
	# routes match, which is the default with no configured routes, messages are
	# delivered directly from the queue. (optional)
	Routes:
		-

			# Matches if the envelope from domain matches one of the configured domains, or if
			# the list is empty. If a domain starts with a dot, prefixes of the domain also
			# match. (optional)
			FromDomain:
				-

			# Like FromDomain, but matching against the envelope to domain. (optional)
			ToDomain:
				-

			# Matches if at least this many deliveries have already been attempted. This can
			# be used to attempt sending through a smarthost when direct delivery has failed
			# for several times. (optional)
			MinimumAttempts: 0
			Transport:

# Examples

Mox includes configuration files to illustrate common setups. You can see these
examples with "mox example", and print a specific example with "mox example
<name>". Below are all examples included in mox.

# Example webhandlers

	# Snippet of domains.conf to configure WebDomainRedirects and WebHandlers.

	# Redirect all requests for mox.example to https://www.mox.example.
	WebDomainRedirects:
		mox.example: www.mox.example

	# Each request is matched against these handlers until one matches and serves it.
	WebHandlers:
		-
			# Redirect all plain http requests to https, leaving path, query strings, etc
			# intact. When the request is already to https, the destination URL would have the
			# same scheme, host and path, causing this redirect handler to not match the
			# request (and not cause a redirect loop) and the webserver to serve the request
			# with a later handler.
			LogName: redirhttps
			Domain: www.mox.example
			PathRegexp: ^/
			# Could leave DontRedirectPlainHTTP at false if it wasn't for this being an
			# example for doing this redirect.
			DontRedirectPlainHTTP: true
			WebRedirect:
				BaseURL: https://www.mox.example
		-
			# The name of the handler, used in logging and metrics.
			LogName: staticmjl
			# With ACME configured, each configured domain will automatically get a TLS
			# certificate on first request.
			Domain: www.mox.example
			PathRegexp: ^/who/mjl/
			WebStatic:
				StripPrefix: /who/mjl
				# Requested path /who/mjl/inferno/ resolves to local web/mjl/inferno.
				# If a directory contains an index.html, it is served when a directory is requested.
				Root: web/mjl
				# With ListFiles true, if a directory does not contain an index.html, the contents are listed.
				ListFiles: true
				ResponseHeaders:
					X-Mox: hi
		-
			LogName: redir
			Domain: www.mox.example
			PathRegexp: ^/redir/a/b/c
			# Don't redirect from plain HTTP to HTTPS.
			DontRedirectPlainHTTP: true
			WebRedirect:
				# Just change the domain and add query string set fragment. No change to scheme.
				# Path will start with /redir/a/b/c (and whathever came after) because no
				# OrigPathRegexp+ReplacePath is set.
				BaseURL: //moxest.example?q=1#frag
				# Default redirection is 308 - Permanent Redirect.
				StatusCode: 307
		-
			LogName: oldnew
			Domain: www.mox.example
			PathRegexp: ^/old/
			WebRedirect:
				# Replace path, leaving rest of URL intact.
				OrigPathRegexp: ^/old/(.*)
				ReplacePath: /new/$1
		-
			LogName: app
			Domain: www.mox.example
			PathRegexp: ^/app/
			WebForward:
				# Strip the path matched by PathRegexp before forwarding the request. So original
				# request /app/api become just /api.
				StripPath: true
				# URL of backend, where requests are forwarded to. The path in the URL is kept,
				# so for incoming request URL /app/api, the outgoing request URL has path /app-v2/api.
				# Requests are made with Go's net/http DefaultTransporter, including using
				# HTTP_PROXY and HTTPS_PROXY environment variables.
				URL: http://127.0.0.1:8900/app-v2/
				# Add headers to response.
				ResponseHeaders:
					X-Frame-Options: deny
					X-Content-Type-Options: nosniff
*/
package config

// NOTE: DO NOT EDIT, this file is generated by ../gendoc.sh.