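# GoMail Configuration
# =====================
# Auto-generated and updated on each startup.
# Edit freely — your values are always preserved.
# Environment variables (or GOMAIL_-prefixed ones) override values here.
# NOTE(review): the prefixed form is presumably GOMAIL_<KEY> — confirm against the GoMail docs.
#
# This file holds live secrets (ENCRYPTION_KEY, SESSION_SECRET, OAuth client secrets).
# Keep it readable only by the account that runs GoMail, and keep it out of
# version control, tickets and shared pastes.

# --- Server ---

# Public hostname of this GoMail instance (no port, no protocol).
# Examples: localhost | mail.example.com | 192.168.1.10
# Used to build BASE_URL and OAuth redirect URIs automatically.
# Also used in security checks to reject requests with unexpected Host headers.
HOSTNAME = localhost

# Address and port to listen on. Format: [host]:port
#   :8080          — all interfaces, port 8080
#   0.0.0.0:8080   — all interfaces (explicit)
#   127.0.0.1:8080 — localhost only
# When a reverse proxy on the same host terminates TLS, prefer the localhost-only
# form so GoMail cannot be reached directly, bypassing the proxy.
LISTEN_ADDR = :8080

# Public URL of this instance (no trailing slash). Leave blank to auto-build
# from HOSTNAME and the LISTEN_ADDR port (recommended).
# Auto-build examples:
#   HOSTNAME=localhost        + :8080 → http://localhost:8080
#   HOSTNAME=mail.example.com + :443  → https://mail.example.com
#   HOSTNAME=mail.example.com + :8080 → http://mail.example.com:8080
# Override here only if you need a custom path prefix or your proxy rewrites the URL.
BASE_URL =

# Set to true when GoMail is served over HTTPS (directly or via proxy).
# Marks session cookies as Secure so browsers only send them over TLS.
# With false, the session cookie is also sent over plain HTTP; leave it false
# only for local, non-TLS use.
SECURE_COOKIE = false

# How long a login session lasts, in seconds. Default: 604800 (7 days).
SESSION_MAX_AGE = 604800

# Comma-separated list of IP addresses or CIDR ranges of trusted reverse proxies.
# Requests from these IPs may set X-Forwarded-For and X-Forwarded-Proto headers,
# which GoMail uses to determine the real client IP and whether TLS is in use.
# Examples:
#   127.0.0.1                  (loopback only — Nginx/Traefik on same host)
#   10.0.0.0/8,172.16.0.0/12   (private networks)
#   192.168.1.50,192.168.1.51  (specific IPs)
# Leave blank to disable proxy trust (forwarded headers are not trusted).
# NOTE: List only the proxies themselves. Any host inside a listed range can
# forge these headers, i.e. claim an arbitrary client IP or claim TLS is in use,
# so prefer specific proxy addresses over broad private ranges.
TRUSTED_PROXIES =

# --- Storage ---

# Path to the SQLite database file.
DB_PATH = ./data/gomail.db

# AES-256 key protecting all sensitive data at rest (emails, tokens, MFA secrets).
# Must be exactly 64 hex characters (= 32 bytes). Auto-generated on first run.
# NOTE: Back this up, separately from the database. Losing it makes the entire
# database permanently unreadable.
# To generate one manually: openssl rand -hex 32
# NOTE(review): anyone holding this value and a copy of the database can read the
# data. If this file has been shared or committed, treat the key as exposed; whether
# GoMail can re-encrypt existing data under a new key is not stated here — confirm
# before replacing it.
ENCRYPTION_KEY = 2cf005ce1ed023ad59da92523bc437ec70fb0d2520f977711216fbb5f356fa97

# Secret used to sign session cookies. Auto-generated on first run.
# Changing this invalidates all active sessions (everyone gets logged out).
# If this value has been exposed, replace it: rotation only costs a re-login.
SESSION_SECRET = c6502e203937358815053f7849e6da8c376253a4f9a38def54d750219c65660e

# --- Gmail / Google OAuth2 ---

# Create at: https://console.cloud.google.com/apis/credentials
#   Application type : Web application
#   Required scope   : https://mail.google.com/
#   Redirect URI     : <BASE_URL>/auth/gmail/callback
GOOGLE_CLIENT_ID =
GOOGLE_CLIENT_SECRET =

# Override the Gmail OAuth redirect URL. Leave blank to auto-derive from BASE_URL.
# Must exactly match what is registered in Google Cloud Console.
GOOGLE_REDIRECT_URL =

# --- Outlook / Microsoft 365 OAuth2 ---

# Register at: https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps
#   Required API permissions : IMAP.AccessAsUser.All, SMTP.Send, offline_access, openid, email
#   Redirect URI             : <BASE_URL>/auth/outlook/callback
MICROSOFT_CLIENT_ID =
MICROSOFT_CLIENT_SECRET =

# Use 'common' to allow any Microsoft account,
# or your Azure tenant ID to restrict to one organisation.
MICROSOFT_TENANT_ID = common

# Override the Outlook OAuth redirect URL. Leave blank to auto-derive from BASE_URL.
# Must exactly match what is registered in Azure.
MICROSOFT_REDIRECT_URL =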