From f979aa993d21ac19f8ac006738d8e12632a74b97 Mon Sep 17 00:00:00 2001
From: Emmanuel Garette <egarette@cadoles.com>
Date: Sun, 20 Mar 2022 21:15:45 +0100
Subject: [PATCH] email from external network

---
 .../dovecot/dictionaries/22_dovecot.xml       | 62 ++++++++++++++-----
 .../2022.03.08/dovecot/templates/10-ssl.conf  | 10 +++
 .../dovecot/templates/ca_IMAPServer.crt       |  2 +-
 .../dovecot/templates/ca_MailServer.crt       |  2 +-
 .../dovecot/templates/external_imap.crt       |  2 +
 .../dovecot/templates/external_imap.key       |  1 +
 .../2022.03.08/dovecot/templates/main.cf      |  9 ++-
 .../2022.03.08/dovecot/templates/postfix.pem  |  2 +
 .../dovecot/templates/postfix.service         |  1 +
 .../dovecot/templates/postfix_sni.pem         |  3 +
 .../2022.03.08/dovecot/templates/sni          |  4 ++
 .../dictionaries/20-letsencrypt.xml           |  5 +-
 .../letsencrypt/funcs/letsencrypt.py          |  4 +-
 .../2022.03.08/mailman/DEBUG.md               |  1 +
 .../nextcloud/dictionaries/31_nextcloud.xml   | 36 +++++++++++
 .../nextcloud/templates/nextcloud.init        |  3 +-
 .../templates/certificate.crt                 |  2 +-
 .../templates/private.key                     |  2 +-
 .../2022.03.08/postfix-relay/DEBUG.md         |  4 ++
 .../postfix-relay/dictionaries/30_postfix.xml |  4 +-
 .../2022.03.08/postfix-relay/funcs/postfix.py | 12 ++++
 .../funcs/revprox_client.py                   |  6 +-
 22 files changed, 144 insertions(+), 33 deletions(-)
 create mode 100644 seed/applicationservice/2022.03.08/dovecot/templates/external_imap.crt
 create mode 100644 seed/applicationservice/2022.03.08/dovecot/templates/external_imap.key
 create mode 100644 seed/applicationservice/2022.03.08/dovecot/templates/postfix.pem
 create mode 100644 seed/applicationservice/2022.03.08/dovecot/templates/postfix_sni.pem
 create mode 100644 seed/applicationservice/2022.03.08/dovecot/templates/sni
 create mode 100644 seed/applicationservice/2022.03.08/postfix-relay/funcs/postfix.py

diff --git a/seed/applicationservice/2022.03.08/dovecot/dictionaries/22_dovecot.xml b/seed/applicationservice/2022.03.08/dovecot/dictionaries/22_dovecot.xml
index e82fbafc..229fcd63 100644
--- a/seed/applicationservice/2022.03.08/dovecot/dictionaries/22_dovecot.xml
+++ b/seed/applicationservice/2022.03.08/dovecot/dictionaries/22_dovecot.xml
@@ -12,6 +12,9 @@
       <file>/etc/pki/ca-trust/source/anchors/ca_MailServer.crt</file>
       <file>/etc/pki/tls/certs/postfix.crt</file>
       <file owner="root" group="postfix" mode="440">/etc/pki/tls/private/postfix.key</file>
+      <file>/etc/postfix/sni</file>
+      <file source="postfix_sni.pem" file_type="variable" mode="400" variable="submission_domainname">postfix_pem_files</file>
+      <file mode="400">/etc/postfix/certs/postfix.pem</file>
     </service>
     <service name='dovecot-init'>
       <override/>
@@ -24,7 +27,7 @@
       <file engine='none'>/etc/dovecot/conf.d/10-auth.conf</file>
       <file engine='none'>/etc/dovecot/conf.d/10-mail.conf</file>
       <file>/etc/dovecot/conf.d/10-master.conf</file>
-      <file engine='none'>/etc/dovecot/conf.d/10-ssl.conf</file>
+      <file>/etc/dovecot/conf.d/10-ssl.conf</file>
       <!-- FIXME file engine='none'>/etc/dovecot/conf.d/12-managesieve.conf</file-->
       <file engine='none'>/etc/dovecot/conf.d/15-ldap.conf</file>
       <file engine='none'>/etc/dovecot/conf.d/30-service-stats.conf</file>
@@ -41,9 +44,15 @@
       <file>/etc/pki/ca-trust/source/anchors/ca_IMAPServer.crt</file>
       <file>/etc/pki/tls/certs/dovecot.crt</file>
       <file owner="root" group="dovecot" mode="440">/etc/pki/tls/private/dovecot.key</file>
+      <file source="external_imap.crt" file_type="variable" variable="imap_domainname">external_imap_crt</file>
+      <file owner="root" group="dovecot" mode="440" source="external_imap.key" file_type="variable" variable="imap_domainname">external_imap_key</file>
     </service>
   </services>
   <variables>
+    <variable name="external_ports" redefine="True">
+      <value>587</value>
+      <value>993</value>
+    </variable>
     <family name="annuaire">
       <variable name="ldap_key_file_owner" redefine="True">
         <value>dovecot</value>
@@ -52,12 +61,17 @@
         <value>postfix</value>
       </variable>
     </family>
-    <family name="postfix" description="Postfix mail server">
-      <variable name="postfix_my_domains" type="domainname" description="Domaine de courriel généré localement" mandatory="True" multi="True"/>
-      <variable name='postfix_ca_chain' description="CA certificate" hidden='True'/>
+    <family name="mail" description="Mail domain" leadership="True">
+      <variable name="mail_domains" type="domainname" description="Domaine de courriel géré localement" mandatory="True" multi="True"/>
+      <variable name="imap_domainname" type="domainname" mandatory="True"/>
+      <variable name="submission_domainname" type="domainname" mandatory="True"/>
+    </family>
+    <family name="postfix">
+      <variable name='postfix_pem_files' type="filename" hidden='True' multi='True'/>
     </family>
     <family name="dovecot" description="IMAP mail server">
-      <variable name='dovecot_ca_chain' description="CA certificate" hidden='True'/>
+      <variable name='external_imap_crt' type="filename" hidden='True' multi='True'/>
+      <variable name='external_imap_key' type="filename" hidden='True' multi='True'/>
       <variable name='dovecot_local_authentifications' description="CA certificate" hidden='True' multi="True" provider="mail"/>
       <family name="local_authentification_" description="Local server authentification" dynamic='dovecot_local_authentifications'>
         <variable name="local_authentification_ip_" type="ip" provider="mail_ip"/>
@@ -68,16 +82,6 @@
     </family>
   </variables>
   <constraints>
-    <fill name="get_chain">
-      <param name="authority_cn" type="variable">domain_name_eth0</param>
-      <param name="authority_name">MailServer</param>
-      <target>postfix_ca_chain</target>
-    </fill>
-    <fill name="get_chain">
-      <param name="authority_cn" type="variable">domain_name_eth0</param>
-      <param name="authority_name">IMAPServer</param>
-      <target>dovecot_ca_chain</target>
-    </fill>
     <fill name="get_password">
       <param name="server_name" type="variable">domain_name_eth0</param>
       <param name="username" type="suffix"/>
@@ -89,13 +93,13 @@
       <param name="linked_server" type="variable">smtp_relay_address</param>
       <param name="linked_provider">lmtp_server</param>
       <param name="linked_value" type="variable">domain_name_eth0</param>
-      <target>postfix_my_domains</target>
+      <target>mail_domains</target>
     </check>
     <check name="set_linked_configuration">
       <param name="linked_server" type="variable">smtp_relay_address</param>
       <param name="linked_provider">lmtp_criteria</param>
       <param name="dynamic" type="variable">domain_name_eth0</param>
-      <target>postfix_my_domains</target>
+      <target>mail_domains</target>
     </check>
     <fill name="calc_value">
       <param type="variable">tls_ca_directory</param>
@@ -103,5 +107,29 @@
       <param name="join">/</param>
       <target>revprox_ca_file</target>
     </fill>
+    <fill name="calc_value">
+      <param>/etc/pki/tls/certs/imap_</param>
+      <param type="variable">imap_domainname</param>
+      <param>.crt</param>
+      <param name="join"></param>
+      <param name="multi" type="boolean">True</param>
+      <target>external_imap_crt</target>
+    </fill>
+    <fill name="calc_value">
+      <param>/etc/pki/tls/private/imap_</param>
+      <param type="variable">imap_domainname</param>
+      <param>.key</param>
+      <param name="join"></param>
+      <param name="multi" type="boolean">True</param>
+      <target>external_imap_key</target>
+    </fill>
+    <fill name="calc_value">
+      <param>/etc/postfix/certs/</param>
+      <param type="variable">submission_domainname</param>
+      <param>.pem</param>
+      <param name="join"></param>
+      <param name="multi" type="boolean">True</param>
+      <target>postfix_pem_files</target>
+    </fill>
   </constraints>
 </rougail>
diff --git a/seed/applicationservice/2022.03.08/dovecot/templates/10-ssl.conf b/seed/applicationservice/2022.03.08/dovecot/templates/10-ssl.conf
index 2c9459b2..6adcf9f7 100644
--- a/seed/applicationservice/2022.03.08/dovecot/templates/10-ssl.conf
+++ b/seed/applicationservice/2022.03.08/dovecot/templates/10-ssl.conf
@@ -16,6 +16,16 @@ ssl = required
 #>GNUNUX
 ssl_cert = </etc/pki/tls/certs/dovecot.crt
 ssl_key = </etc/pki/tls/private/dovecot.key
+%for %%mail in %%mail_domains
+local_name %%mail.imap_domainname {
+    ssl_cert = </etc/pki/tls/certs/imap_%%{mail.imap_domainname}.crt
+    ssl_key = </etc/pki/tls/private/imap_%%{mail.imap_domainname}.key
+}
+%end for
+local_name %%domain_name_eth0 {
+    ssl_cert = </etc/pki/tls/certs/dovecot.crt
+    ssl_key = </etc/pki/tls/private/dovecot.key
+}
 #<GNUNUX
 
 # If key file is password protected, give the password here. Alternatively
diff --git a/seed/applicationservice/2022.03.08/dovecot/templates/ca_IMAPServer.crt b/seed/applicationservice/2022.03.08/dovecot/templates/ca_IMAPServer.crt
index c60dbecb..deacd1ec 100644
--- a/seed/applicationservice/2022.03.08/dovecot/templates/ca_IMAPServer.crt
+++ b/seed/applicationservice/2022.03.08/dovecot/templates/ca_IMAPServer.crt
@@ -1 +1 @@
-%%dovecot_ca_chain
+%%get_chain(%%domain_name_eth0, "IMAPServer")
diff --git a/seed/applicationservice/2022.03.08/dovecot/templates/ca_MailServer.crt b/seed/applicationservice/2022.03.08/dovecot/templates/ca_MailServer.crt
index dadb6c9e..10f316a5 100644
--- a/seed/applicationservice/2022.03.08/dovecot/templates/ca_MailServer.crt
+++ b/seed/applicationservice/2022.03.08/dovecot/templates/ca_MailServer.crt
@@ -1 +1 @@
-%%postfix_ca_chain
+%%get_chain(%%domain_name_eth0, "MailServer")
diff --git a/seed/applicationservice/2022.03.08/dovecot/templates/external_imap.crt b/seed/applicationservice/2022.03.08/dovecot/templates/external_imap.crt
new file mode 100644
index 00000000..ddfa2967
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/dovecot/templates/external_imap.crt
@@ -0,0 +1,2 @@
+%%get_certificate(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External')
+
diff --git a/seed/applicationservice/2022.03.08/dovecot/templates/external_imap.key b/seed/applicationservice/2022.03.08/dovecot/templates/external_imap.key
new file mode 100644
index 00000000..1662468a
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/dovecot/templates/external_imap.key
@@ -0,0 +1 @@
+%%get_private_key(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External')
diff --git a/seed/applicationservice/2022.03.08/dovecot/templates/main.cf b/seed/applicationservice/2022.03.08/dovecot/templates/main.cf
index f078d647..42e60f84 100644
--- a/seed/applicationservice/2022.03.08/dovecot/templates/main.cf
+++ b/seed/applicationservice/2022.03.08/dovecot/templates/main.cf
@@ -749,6 +749,9 @@ smtpd_tls_key_file = /etc/pki/tls/private/postfix.key
 
 smtpd_tls_CApath = /etc/pki/tls/certs
 smtpd_tls_CAfile = /etc/pki/ca-trust/source/anchors/ca_MailServer.crt
+#>GNUNUX
+tls_server_sni_maps = hash:/etc/postfix/sni
+#<GNUNUX
 # Announce STARTTLS support to remote SMTP clients, but do not require that
 # clients use TLS encryption (opportunistic TLS inbound).
 #
@@ -796,7 +799,11 @@ smtpd_sasl_path = /srv/dovecot/auth
 broken_sasl_auth_clients = yes
 
 dovecot_destination_recipient_limit = 1
-virtual_mailbox_domains = %echo ', '.join(%%postfix_my_domains)
+%set %%domains = []
+%for %%domain in %%mail_domains
+%%domains.append(%%str(%%domain))%slurp
+%end for
+virtual_mailbox_domains = %echo ', '.join(%%domains)
 virtual_mailbox_maps = ldap:/etc/postfix/ldapsource.cf
 virtual_alias_maps = ldap:/etc/postfix/ldapsource.cf
 virtual_minimum_uid = 1000
diff --git a/seed/applicationservice/2022.03.08/dovecot/templates/postfix.pem b/seed/applicationservice/2022.03.08/dovecot/templates/postfix.pem
new file mode 100644
index 00000000..f7f70610
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/dovecot/templates/postfix.pem
@@ -0,0 +1,2 @@
+%%get_private_key(%%domain_name_eth0, 'MailServer')
+%%get_certificate(%%domain_name_eth0, "MailServer")
diff --git a/seed/applicationservice/2022.03.08/dovecot/templates/postfix.service b/seed/applicationservice/2022.03.08/dovecot/templates/postfix.service
index 0144b44e..499ab72f 100644
--- a/seed/applicationservice/2022.03.08/dovecot/templates/postfix.service
+++ b/seed/applicationservice/2022.03.08/dovecot/templates/postfix.service
@@ -1,3 +1,4 @@
 [Service]
 ExecStartPre=/usr/sbin/postmap /etc/postfix/relay_passwd
+ExecStartPre=/usr/sbin/postmap -F /etc/postfix/sni
 PIDFile=/srv/postfix/spool/pid/master.pid
diff --git a/seed/applicationservice/2022.03.08/dovecot/templates/postfix_sni.pem b/seed/applicationservice/2022.03.08/dovecot/templates/postfix_sni.pem
new file mode 100644
index 00000000..918a89bb
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/dovecot/templates/postfix_sni.pem
@@ -0,0 +1,3 @@
+%set %%cert = %%get_certificate(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External')
+%%get_private_key(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External')
+%%cert
diff --git a/seed/applicationservice/2022.03.08/dovecot/templates/sni b/seed/applicationservice/2022.03.08/dovecot/templates/sni
new file mode 100644
index 00000000..60676155
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/dovecot/templates/sni
@@ -0,0 +1,4 @@
+%for %%name in %%mail_domains
+%%name.submission_domainname /etc/postfix/certs/%%{name.submission_domainname}.pem
+%end for
+%%domain_name_eth0 /etc/postfix/certs/postfix.pem
diff --git a/seed/applicationservice/2022.03.08/letsencrypt/dictionaries/20-letsencrypt.xml b/seed/applicationservice/2022.03.08/letsencrypt/dictionaries/20-letsencrypt.xml
index a9f395ea..e305d5bb 100644
--- a/seed/applicationservice/2022.03.08/letsencrypt/dictionaries/20-letsencrypt.xml
+++ b/seed/applicationservice/2022.03.08/letsencrypt/dictionaries/20-letsencrypt.xml
@@ -3,8 +3,6 @@
   <variables>
     <family name='letsencrypt' description="Défi DNS pour Let's encrypt" leadership="True">
       <variable name="domain_names" type="domainname" description="Nom des domaines" multi="True"/>
-      <variable name="authority_cn" description="Nom de domaine de l'autorité" mandatory="True"/>
-      <variable name="authority_name" description="Nom de l'authorité" mandatory="True"/>
       <variable name="plugin_name" type="string" description="Nom du greffon de mise à jour DNS du domaine" mandatory="True"/>
       <variable name="credential_filename" type="filename" description="Nom du fichier de configuration du greffin" mandatory="True"/>
       <variable name="email" type="mail" description="Courriel associé au certificat" mandatory="True"/>
@@ -12,8 +10,7 @@
   </variables>
   <constraints>
     <check name="letsencrypt_certif">
-      <param type="variable">authority_cn</param>
-      <param type="variable">authority_name</param>
+      <param type="variable">domain_name_eth0</param>
       <param type="variable">plugin_name</param>
       <param type="variable">credential_filename</param>
       <param type="variable">email</param>
diff --git a/seed/applicationservice/2022.03.08/letsencrypt/funcs/letsencrypt.py b/seed/applicationservice/2022.03.08/letsencrypt/funcs/letsencrypt.py
index 2270e43a..b5a39745 100644
--- a/seed/applicationservice/2022.03.08/letsencrypt/funcs/letsencrypt.py
+++ b/seed/applicationservice/2022.03.08/letsencrypt/funcs/letsencrypt.py
@@ -14,13 +14,13 @@ _X509_DIR = _join(_HERE, 'pki', 'x509')
 
 def letsencrypt_certif(domain: str,
                        authority_cn: str,
-                       authority_name: str,
                        plugin_name: str,
                        credential_filename: str,
                        email: str,
                        ) -> None:
-    if None in (domain, authority_cn, authority_name, plugin_name, credential_filename, email):
+    if None in (domain, authority_cn, plugin_name, credential_filename, email):
         return
+    authority_name = 'External'
     date_file = _join(_LE_DIR, f'{domain}.date')
     date = _datetime.now()
     today = str(date.date())
diff --git a/seed/applicationservice/2022.03.08/mailman/DEBUG.md b/seed/applicationservice/2022.03.08/mailman/DEBUG.md
index 871c9ed0..c9713d23 100644
--- a/seed/applicationservice/2022.03.08/mailman/DEBUG.md
+++ b/seed/applicationservice/2022.03.08/mailman/DEBUG.md
@@ -42,3 +42,4 @@ export MAILMAN_WEB_CONFIG=/usr/share/postorius/m_postorius/settings.py
 
 echo "DEBUG=True" >> /etc/mailman3.d/postorius.py
 systemctl restart postorius
+
diff --git a/seed/applicationservice/2022.03.08/nextcloud/dictionaries/31_nextcloud.xml b/seed/applicationservice/2022.03.08/nextcloud/dictionaries/31_nextcloud.xml
index 4bff5373..6aa37d18 100644
--- a/seed/applicationservice/2022.03.08/nextcloud/dictionaries/31_nextcloud.xml
+++ b/seed/applicationservice/2022.03.08/nextcloud/dictionaries/31_nextcloud.xml
@@ -17,6 +17,8 @@
       <variable name="nextcloud_admin_password" type="password" auto_freeze="True" hidden="True"/>
       <variable name="nextcloud_mail_admin" type="mail" mandatory="True"/>
       <variable name="nextcloud_instance_id" type="password" auto_freeze="True" hidden="True"/>
+      <variable name="nexcloud_well_known_caldav" type="web_address" hidden='True'/>
+      <variable name="nexcloud_well_known_carddav" type="web_address" hidden='True'/>
     </family>
     <family name="oauth2_client">
       <variable name="oauth2_is_client_application" redefine='True'>
@@ -55,5 +57,39 @@
       <param name="starts_with_char" type="boolean">True</param>
       <target>nextcloud_instance_id</target>
     </fill>
+    <check name="set_linked_multi_variables">
+      <param name="linked_provider_0">revprox_clients</param>
+      <param name="linked_value_0" type="variable">revprox_client_external_domainname</param>
+      <param name="linked_provider_1">revprox_location</param>
+      <param name="linked_value_1">/.well-known/caldav</param>
+      <param name="linked_provider_2">revprox_is_websocket</param>
+      <param name="linked_value_2" type="boolean">False</param>
+      <param name="linked_provider_3">revprox_url</param>
+      <param name="linked_value_3" type="variable">nexcloud_well_known_caldav</param>
+      <target>revprox_client_server_domainname</target>
+    </check>
+    <fill name="calc_web_address">
+      <param type="variable">domain_name_eth0</param>
+      <param type="variable">revprox_client_port</param>
+      <param>/.well-known/caldav</param>
+      <target>nexcloud_well_known_caldav</target>
+    </fill>
+    <check name="set_linked_multi_variables">
+      <param name="linked_provider_0">revprox_clients</param>
+      <param name="linked_value_0" type="variable">revprox_client_external_domainname</param>
+      <param name="linked_provider_1">revprox_location</param>
+      <param name="linked_value_1">/.well-known/carddav</param>
+      <param name="linked_provider_2">revprox_is_websocket</param>
+      <param name="linked_value_2" type="boolean">False</param>
+      <param name="linked_provider_3">revprox_url</param>
+      <param name="linked_value_3" type="variable">nexcloud_well_known_carddav</param>
+      <target>revprox_client_server_domainname</target>
+    </check>
+    <fill name="calc_web_address">
+      <param type="variable">domain_name_eth0</param>
+      <param type="variable">revprox_client_port</param>
+      <param>/.well-known/carddav</param>
+      <target>nexcloud_well_known_carddav</target>
+    </fill>
   </constraints>
 </rougail>
diff --git a/seed/applicationservice/2022.03.08/nextcloud/templates/nextcloud.init b/seed/applicationservice/2022.03.08/nextcloud/templates/nextcloud.init
index db827d6d..5d6e74f5 100644
--- a/seed/applicationservice/2022.03.08/nextcloud/templates/nextcloud.init
+++ b/seed/applicationservice/2022.03.08/nextcloud/templates/nextcloud.init
@@ -14,6 +14,8 @@ else
     sed -i "s/'installed' => false,/'installed' => true,/g" /etc/nextcloud/config.php
     /usr/bin/php /usr/share/nextcloud/occ app:enable user_ldap -q
 fi
+# Upgrade
+/usr/bin/php /usr/share/nextcloud/occ upgrade || true
 # SSO
 /usr/bin/php /usr/share/nextcloud/occ app:enable oidc_login
 # Feature
@@ -49,7 +51,6 @@ fi
 # Need network
 /usr/bin/php /usr/share/nextcloud/occ app:disable weather_status
 # Maintenance
-/usr/bin/php /usr/share/nextcloud/occ upgrade
 /usr/bin/php /usr/share/nextcloud/occ files:scan --all -q
 /usr/bin/php /usr/share/nextcloud/occ maintenance:repair -q
 
diff --git a/seed/applicationservice/2022.03.08/nginx-reverse-proxy-server/templates/certificate.crt b/seed/applicationservice/2022.03.08/nginx-reverse-proxy-server/templates/certificate.crt
index 9e4b28f5..45a1426c 100644
--- a/seed/applicationservice/2022.03.08/nginx-reverse-proxy-server/templates/certificate.crt
+++ b/seed/applicationservice/2022.03.08/nginx-reverse-proxy-server/templates/certificate.crt
@@ -1 +1 @@
-%%get_certificate(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='ReverseProxy')
+%%get_certificate(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External')
diff --git a/seed/applicationservice/2022.03.08/nginx-reverse-proxy-server/templates/private.key b/seed/applicationservice/2022.03.08/nginx-reverse-proxy-server/templates/private.key
index 9e2828c8..1662468a 100644
--- a/seed/applicationservice/2022.03.08/nginx-reverse-proxy-server/templates/private.key
+++ b/seed/applicationservice/2022.03.08/nginx-reverse-proxy-server/templates/private.key
@@ -1 +1 @@
-%%get_private_key(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='ReverseProxy')
+%%get_private_key(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External')
diff --git a/seed/applicationservice/2022.03.08/postfix-relay/DEBUG.md b/seed/applicationservice/2022.03.08/postfix-relay/DEBUG.md
index be1cb65d..324683b4 100644
--- a/seed/applicationservice/2022.03.08/postfix-relay/DEBUG.md
+++ b/seed/applicationservice/2022.03.08/postfix-relay/DEBUG.md
@@ -45,3 +45,7 @@ postconf maillog_file
 
 postconf maillog_file=/dev/stdout
 
+# Test mail en ligne
+
+https://www.mail-tester.com/
+https://dkimvalidator.com/
diff --git a/seed/applicationservice/2022.03.08/postfix-relay/dictionaries/30_postfix.xml b/seed/applicationservice/2022.03.08/postfix-relay/dictionaries/30_postfix.xml
index 72c6201e..7926827a 100644
--- a/seed/applicationservice/2022.03.08/postfix-relay/dictionaries/30_postfix.xml
+++ b/seed/applicationservice/2022.03.08/postfix-relay/dictionaries/30_postfix.xml
@@ -37,14 +37,14 @@
     </variable>
     <family name="postfix" description="Postfix mail server">
       <variable name="postfix_mail_hostname" type="domainname" description="Nom de domaine extérieur du serveur de courriel" mandatory="True"/>
-      <variable name="postfix_relay_domains" type="domainname" description="Domaine de courriel généré localement" multi="True"/>
+      <variable name="postfix_relay_domains" type="domainname" description="Domaine de courriel généré localement" multi="True" mandatory="True" hidden="True"/>
       <variable name='postfix_ca_chain' description="CA certificate" hidden='True'/>
       <variable name='postfix_relay_authentifications' description="CA certificate" hidden='True' multi="True" provider="mail"/>
       <family name="local_authentification_" description="Local server authentification" dynamic='postfix_relay_authentifications'>
         <variable name="local_authentification_ip_" type="ip" provider="mail_ip"/>
         <variable name="local_authentification_password_" type="secret" auto_save="True" provider="mail_password"/>
       </family>
-      <variable name='postfix_pem_files' type="filename" description="PEM certificates" hidden='True' multi='True'/>
+      <variable name='postfix_pem_files' type="filename" hidden='True' multi='True'/>
     </family>
     <family name="opendkim">
       <variable name="opendkim_keys" type="filename" description="Keys filename" multi="True" hidden="True"/>
diff --git a/seed/applicationservice/2022.03.08/postfix-relay/funcs/postfix.py b/seed/applicationservice/2022.03.08/postfix-relay/funcs/postfix.py
new file mode 100644
index 00000000..4c43fd16
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/postfix-relay/funcs/postfix.py
@@ -0,0 +1,12 @@
+from risotto.utils import multi_function as _multi_function
+
+
+@_multi_function
+def calc_postfix_relay_domains(criteria):
+    relay = set()
+    for lsts in criteria:
+        for lst in lsts:
+            if '@' in lst:
+                lst = lst.split('@')[1]
+            relay.add(lst)
+    return list(relay)
diff --git a/seed/applicationservice/2022.03.08/reverse-proxy-client/funcs/revprox_client.py b/seed/applicationservice/2022.03.08/reverse-proxy-client/funcs/revprox_client.py
index 48137516..d781120c 100644
--- a/seed/applicationservice/2022.03.08/reverse-proxy-client/funcs/revprox_client.py
+++ b/seed/applicationservice/2022.03.08/reverse-proxy-client/funcs/revprox_client.py
@@ -1,7 +1,9 @@
-def calc_web_address(domain_name:str, port:str, local_location:str):
+def calc_web_address(domain_name: str, port: str, local_location: str) -> str:
     if not domain_name or not port:
         return
-    web_address = f'https://{domain_name}:{port}'
+    web_address = f'https://{domain_name}'
+    if port != '443':
+        web_address += f':{port}'
     if local_location:
         web_address += local_location
     return web_address