# ----------------------------------------------------------------------------
# AliasVault configuration file.
#
# Note: we recommend using the provided install.sh script to install and
# configure AliasVault, as this will automatically set all of the following
# variables for you and allow you to easily change them later via the CLI.
# It also allows for easily updating AliasVault to a newer version in the
# future.
#
# However, if you still wish to manually install or configure AliasVault,
# you can do so below.
#
# After changing settings here, make sure to restart all AliasVault
# Docker containers to apply the changes.
#
# Format: one KEY=value pair per line, comments on their own line starting
# with "#". Do not append comments after a value.
# ----------------------------------------------------------------------------

# ===========================================
# NETWORK PORTS
# ===========================================
# Configure the network ports used by AliasVault's `reverse-proxy` and `smtp` containers.
# You can change these if the defaults are already in use on your system.
# Requires a restart before taking effect.
HTTP_PORT=80
HTTPS_PORT=443
SMTP_PORT=25
SMTP_TLS_PORT=587

# Whether to force redirect all HTTP traffic (80) to HTTPS (443). Defaults to true.
# Only set this to false when TLS is terminated by another proxy in front of
# AliasVault; otherwise clients can reach the web app over unencrypted HTTP.
FORCE_HTTPS_REDIRECT=true

# ===========================================
# EMAIL SERVER CONFIGURATION
# ===========================================
# In order to use AliasVault's private email domains feature, you need to configure
# your DNS. Please refer to the full documentation for more instructions on DNS:
# https://docs.aliasvault.net/installation/install.html#3-email-server-setup
#
# Set the private email domains below that the server should accept incoming mail for (comma separated values).
# Example: PRIVATE_EMAIL_DOMAINS=example.com,example2.org
# To disable the private email domains feature, keep this empty.
PRIVATE_EMAIL_DOMAINS=

# Set private email domains that should be hidden from UI components (comma separated values).
# These domains will still function as private email domains for receiving email and claims,
# but will not appear in domain selection dropdowns or settings. This is useful for deprecating
# legacy domains while maintaining backwards compatibility.
# Example: HIDDEN_PRIVATE_EMAIL_DOMAINS=old-domain.com,deprecated.org
# Note: Domains listed here should ALSO be included in PRIVATE_EMAIL_DOMAINS above.
HIDDEN_PRIVATE_EMAIL_DOMAINS=

# Hostname announced in the SMTP banner and EHLO. Should match the PTR (reverse DNS) for your
# server's public IP for best deliverability. If empty, "aliasvault" is used.
# Example: SMTP_ADVERTISED_HOSTNAME=mail.mydomain.net
SMTP_ADVERTISED_HOSTNAME=

# Enable TLS for SMTP (STARTTLS).
# When enabled, the SMTP server will offer STARTTLS to connecting mail servers.
#
# IMPORTANT: You must obtain SMTP TLS certificates yourself (e.g., from Let's Encrypt).
# The AliasVault installer does not currently support requesting SMTP certificates.
# The certificate should be issued for your mail hostname (e.g., mail.example.com).
#
# To enable SMTP TLS:
# 1. Obtain a certificate for your mail hostname (e.g., via certbot/Let's Encrypt)
# 2. Combine the certificate and private key into a single .pem file
# 3. Place the .pem file in the ./certificates/smtp/ directory
# 4. Set SMTP_TLS_ENABLED=true
# 5. Restart the SMTP service
#
# The combined .pem file contains the private key: keep it readable only by the
# account that runs the AliasVault containers and keep it out of backups or
# repositories that other people can read.
#
# If you have multiple mail domains (e.g., mail.example.com and mail.example2.com),
# use a single certificate with Subject Alternative Names (SANs) covering all domains.
#
# Note: If TLS is enabled but no valid certificate is found, the service will log a
# warning (visible in admin) and continue in non-TLS mode. The service does not stop
# in that case, so after enabling TLS (and after each certificate renewal) check the
# admin log to confirm that STARTTLS is actually being offered.
#
# Disabling TLS does NOT impact email deliverability (that much). Although some websites
# are known to send emails exclusively via TLS connections, this is probably fewer than 1% of websites.
# It does affect confidentiality in transit: without STARTTLS, sending mail servers
# deliver mail to this server over an unencrypted SMTP connection.
SMTP_TLS_ENABLED=false

# ===========================================
# Let's Encrypt configuration
# ===========================================
# Set whether Let's Encrypt is enabled. This is only supported through
# the install.sh script and should be set to false for manual installations.
LETSENCRYPT_ENABLED=false

# Set the hostname that your AliasVault will be accessible at in order for Let's Encrypt
# to do its validation. This value is only required when LETSENCRYPT_ENABLED
# is set to true.
# Example: `aliasvault.mydomain.net`.
HOSTNAME=

# ===========================================
# Optional configuration settings
# ===========================================
# Enable or disable ability for new users to create an account via the web interface.
# Note: make sure you have created your (own) accounts before setting this to false.
# While this is true, anyone who can reach the web interface can register an account,
# so set it to false on an internet-facing instance once your own accounts exist.
PUBLIC_REGISTRATION_ENABLED=true

# Whether to enable IP logging for auth attempts. When set to true the last octet is
# always still anonymized, e.g. "127.0.0.1" becomes "127.0.0.xxx".
# Which address ends up in the log (real client vs. direct peer) depends on
# TRUSTED_PROXIES at the bottom of this file.
IP_LOGGING_ENABLED=true

# Set the support email address which is shown to users in the main web app.
# Keep this blank if you don't want to show a support email.
SUPPORT_EMAIL=

# Maximum upload size in megabytes for client-to-server requests (vault sync,
# API uploads, etc.). Increase if you run into "413 Request Entity Too Large"
# errors when syncing large vaults. Defaults to 100MB.
MAX_UPLOAD_SIZE_MB=100

# Restrict access to the /admin endpoint by client IP at the reverse-proxy layer. Options:
# - Empty = no restriction (default, preserves existing behavior). /admin is then
#   reachable from every address that can reach the reverse proxy.
# - "private" = allow only loopback + RFC1918 (127/8, 10/8, 172.16/12, 192.168/16).
# - A comma-separated list of CIDRs/IPs (e.g. "192.168.1.0/24,10.0.0.0/8").
# Requests from non-allowlisted IPs are silently routed to the client app and will
# result in a 404 error.
# NOTE(review): the client IP checked here is presumably the one resolved with the
# help of TRUSTED_PROXIES below (confirm against the reverse-proxy config). If so,
# the allowlist is only as reliable as that setting: limit TRUSTED_PROXIES to the
# proxies you actually run, or set it to "none" when there is no upstream proxy.
ADMIN_IP_ALLOWLIST=

# Trusted upstream proxies that AliasVault's reverse proxy will accept the
# X-Forwarded-For header from when determining the real client IP. Options:
# - Empty = trust all RFC1918 ranges (10/8, 172.16/12, 192.168/16). With this
#   default, any peer connecting from a private address can set the client IP
#   that AliasVault sees.
# - A comma-separated list of CIDRs/IPs (e.g. "10.0.1.5,192.168.1.0/24") to
#   trust only those upstream proxies. Recommended when running behind a
#   specific reverse proxy (HAProxy, Traefik, Cloudflare, etc.) so X-Forwarded-For
#   from any other source is ignored.
# - "none" = trust no upstream proxies; logs always show the direct peer IP.
#   Use this when AliasVault is exposed directly without a proxy in front of it.
TRUSTED_PROXIES=