From 4d92263871e5f28eb9b0b723d3eb3836d4745fb8 Mon Sep 17 00:00:00 2001
From: Brad Stein <Brad.Stein@gmail.com>
Date: Tue, 6 Jan 2026 14:06:55 -0300
Subject: [PATCH] mailu: enable smtpd sasl auth

---
 scripts/nextcloud-maintenance.sh | 29 +++++++++++++++++++++++++++++
 services/mailu/helmrelease.yaml  |  6 ++++++
 2 files changed, 35 insertions(+)

diff --git a/scripts/nextcloud-maintenance.sh b/scripts/nextcloud-maintenance.sh
index af1694c..27c5270 100755
--- a/scripts/nextcloud-maintenance.sh
+++ b/scripts/nextcloud-maintenance.sh
@@ -22,6 +22,35 @@ run_occ theming:config url "https://cloud.bstein.dev"
 run_occ theming:config color "#0f172a"
 run_occ theming:config disable-user-theming yes
 
+log "Applying Atlas Mail styling defaults"
+run_occ app:install customcss >/dev/null 2>&1 || true
+run_occ app:enable customcss >/dev/null 2>&1 || true
+MAIL_CSS=$(cat <<'CSS'
+.mail-message-body, .mail-message-body pre, .mail-message-body code, .mail-message-body table {
+  font-family: "Inter", "Source Sans 3", "Helvetica Neue", Arial, sans-serif;
+  font-size: 14px;
+  line-height: 1.6;
+  color: var(--color-main-text);
+}
+.mail-message-body pre {
+  background: rgba(15, 23, 42, 0.06);
+  padding: 12px;
+  border-radius: 8px;
+}
+.mail-message-body blockquote {
+  border-left: 3px solid var(--color-border);
+  padding-left: 12px;
+  margin: 8px 0;
+  color: var(--color-text-lighter);
+}
+.mail-message-body img {
+  max-width: 100%;
+  border-radius: 6px;
+}
+CSS
+)
+run_occ config:app:set customcss css --value "${MAIL_CSS}" >/dev/null
+
 log "Setting default quota to 200 GB"
 run_occ config:app:set files default_quota --value "200 GB"
 
diff --git a/services/mailu/helmrelease.yaml b/services/mailu/helmrelease.yaml
index c72c38f..0344a2f 100644
--- a/services/mailu/helmrelease.yaml
+++ b/services/mailu/helmrelease.yaml
@@ -220,11 +220,17 @@ spec:
         postfix.cf: |
           smtpd_helo_required = yes
           smtpd_helo_restrictions = reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname
+          smtpd_sasl_auth_enable = yes
+          smtpd_sasl_type = dovecot
+          smtpd_sasl_path = private/auth
+          smtpd_sasl_security_options = noanonymous
+          smtpd_sasl_tls_security_options = noanonymous
           smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining
           smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_non_fqdn_recipient, reject_unknown_recipient_domain
           smtpd_relay_restrictions = permit_sasl_authenticated, reject_unauth_destination
           smtpd_sender_restrictions = reject_non_fqdn_sender, reject_unknown_sender_domain, reject_sender_login_mismatch, reject_authenticated_sender_login_mismatch
           smtpd_tls_auth_only = yes
+          smtpd_forbid_unauth_pipelining = yes
           smtpd_client_connection_rate_limit = 30
           smtpd_client_message_rate_limit = 100
           smtpd_client_recipient_rate_limit = 200