diff --git a/mail/docker-mailserver.yaml b/mail/docker-mailserver.yaml
index c2b4255..b1cbf21 100644
--- a/mail/docker-mailserver.yaml
+++ b/mail/docker-mailserver.yaml
@@ -5,93 +5,55 @@ metadata:
 namespace: mail
 immutable: false
 data:
- TLS_LEVEL: modern
- POSTSCREEN_ACTION: drop
 OVERRIDE_HOSTNAME: mail.undercloud.dev
- FAIL2BAN_BLOCKTYPE: drop
 POSTMASTER_ADDRESS: postmaster@undercloud.dev
- UPDATE_CHECK_INTERVAL: 10d
- POSTFIX_INET_PROTOCOLS: ipv6, ipv4
- ONE_DIR: '0'
- ENABLE_CLAMAV: '0'
- ENABLE_POSTGREY: '0'
- ENABLE_FAIL2BAN: '1'
- AMAVIS_LOGLEVEL: '-1'
- SPOOF_PROTECTION: '1'
- MOVE_SPAM_TO_JUNK: '1'
- ENABLE_UPDATE_CHECK: '1'
- ENABLE_SPAMASSASSIN: '1'
- SUPERVISOR_LOGLEVEL: warn
- SPAMASSASSIN_SPAM_TO_INBOX: '1'
- DMS_DEBUG: '1'
- ENABLE_POP3: '1'
- # here, we provide an example for the SSL configuration
+ TLS_LEVEL: modern
 SSL_TYPE: manual
 SSL_CERT_PATH: /secrets/ssl/rsa/tls.crt
 SSL_KEY_PATH: /secrets/ssl/rsa/tls.key
- #ldap
+ POSTFIX_INET_PROTOCOLS: ipv6, ipv4
+ DOVECOT_INET_PROTOCOLS: ipv6, ipv4
+
+ ONE_DIR: "0"
+ DMS_DEBUG: "1"
+ SUPERVISOR_LOGLEVEL: warn
+
+ DMS_VMAIL_UID: "5000"
+ DMS_VMAIL_GID: "5000"
+
+ ENABLE_CLAMAV: "0"
+ ENABLE_POSTGREY: "0"
+ ENABLE_FAIL2BAN: "1"
+ ENABLE_SPAMASSASSIN: "1"
+ ENABLE_POP3: "1"
+ ENABLE_UPDATE_CHECK: "1"
+
+ AMAVIS_LOGLEVEL: "-1"
+ UPDATE_CHECK_INTERVAL: 10d
+ POSTSCREEN_ACTION: drop
+ FAIL2BAN_BLOCKTYPE: drop
+ SPOOF_PROTECTION: "1"
+ MOVE_SPAM_TO_JUNK: "1"
+ SPAMASSASSIN_SPAM_TO_INBOX: "1"
+ ACCOUNT_PROVISIONER: LDAP
- LDAP_SERVER_HOST: ldap://ldap.undercloud.local:389
- LDAP_SEARCH_BASE: dc=undercloud,dc=local
- LDAP_BIND_DN: cn=mailserver,ou=serviceaccounts,ou=users,dc=undercloud,dc=local
- #LDAP_BIND_PW: 'mypassword' # from secret
- SPOOF_PROTECTION: '1'
-
+ LDAP_SERVER_HOST: ldap://dc.undercloud.local:389
+ LDAP_SEARCH_BASE: DC=undercloud,DC=local
+ LDAP_BIND_DN: CN=mailserver,OU=serviceaccounts,OU=users,OU=Undercloud,DC=undercloud,DC=local
+ LDAP_QUERY_FILTER_DOMAIN: (|(mail=*@%s)(mailAlias=*@%s)(mailGroupMember=*@%s))
- LDAP_QUERY_FILTER_USER: (&(objectClass=inetOrgPerson)(mail=%s))
- LDAP_QUERY_FILTER_ALIAS: (&(objectClass=inetOrgPerson)(mailAlias=%s))
+ LDAP_QUERY_FILTER_USER: (&(objectClass=person)(mail=%s))
+ LDAP_QUERY_FILTER_ALIAS: (&(objectClass=person)(mailAlias=%s))
 LDAP_QUERY_FILTER_GROUP: (&(objectClass=groupOfUniqueNames)(mail=%s))
- LDAP_QUERY_FILTER_SENDERS: (&(objectClass=inetOrgPerson)(|(mail=%s)))
+ LDAP_QUERY_FILTER_SENDERS: (&(objectClass=person)(|(mail=%s)(mailAlias=%s)))
- DOVECOT_PASS_ATTRS: uid=user,userPassword=password
- #DOVECOT_USER_ATTRS: home=/var/mail/%{ldap:uid},=mail=maildir:~/Maildir,uidNumber=uid,gidNumber=gid
- DOVECOT_USER_ATTRS: =home=/var/mail/%{ldap:uid},=mail=maildir:~/Maildir,uidNumber=uid,gidNumber=5000
- DOVECOT_USER_FILTER: (&(objectClass=person)(|(mail=%u)(uid=%u)))
+ DOVECOT_PASS_ATTRS: sAMAccountName=user,userPassword=password
+ DOVECOT_USER_ATTRS: =home=/var/mail/%{ldap:sAMAccountName},=mail=maildir:~/Maildir,=uid=5000,=gid=5000
+ DOVECOT_USER_FILTER: (&(objectClass=person)(|(mail=%u)(sAMAccountName=%n)))
+ DOVECOT_PASS_FILTER: (&(objectClass=person)(|(mail=%u)(sAMAccountName=%n)))
- SASLAUTHD_MECHANISMS: rimap
- SASLAUTHD_MECH_OPTIONS: '::1'
-
- #LDAP_START_TLS: 'yes'
- #DOVECOT_TLS: 'yes'
- #SASLAUTHD_LDAP_START_TLS: 'yes'
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: mailserver.files
- namespace: mail
-data:
-# postfix-accounts.cf: |
-# sebastian@undercloud.dev|{SHA512-CRYPT}$6$ACOZB1B.2yHv8ePj$9vIW46wFqHfIMlP9.sDE1xtk1XN5OhS6etnvv5AxDPVPMFXXx55dVNwybLAaS/YEKahPg56vE9d6CIl7pYDw41
-# glodas@undercloud.dev|{SHA512-CRYPT}$6$ACOZB1B.2yHv8ePj$9vIW46wFqHfIMlP9.sDE1xtk1XN5OhS6etnvv5AxDPVPMFXXx55dVNwybLAaS/YEKahPg56vE9d6CIl7pYDw41
----
-kind: ConfigMap
-apiVersion: v1
-metadata:
- name: mailserver.config
- namespace: mail
- labels:
- app: docker-mailserver
-#data:
-# postfix-main.cf: |
-# postscreen_upstream_proxy_protocol = haproxy
-# postfix-master.cf: |
-# smtp/inet/postscreen_upstream_proxy_protocol=haproxy
-# submission/inet/smtpd_upstream_proxy_protocol=haproxy
-# smtps/inet/smtpd_upstream_proxy_protocol=haproxy
-# dovecot.cf: |
-# # Assuming your ingress controller is bound to 10.0.0.0/8
-# haproxy_trusted_networks = 10.0.0.0/8, 127.0.0.0/8, 2001:470:72f0::/48, fd00::/48
-# service imap-login {
-# inet_listener imap {
-# haproxy = yes
-# }
-# inet_listener imaps {
-# haproxy = yes
-# }
-# }
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
@@ -100,11 +62,12 @@ metadata:
 namespace: mail
 spec:
 accessModes:
- - ReadWriteMany
+ - ReadWriteMany
 resources:
 requests:
- storage: 25G
+ storage: 25Gi
 storageClassName: cephfs-hyper
+
 ---
 apiVersion: v1
 kind: Deployment
@@ -113,12 +76,11 @@ metadata:
 namespace: mail
 annotations:
 ignore-check.kube-linter.io/run-as-non-root: >-
- 'mailserver' needs to run as root
+ mailserver needs to run as root
 ignore-check.kube-linter.io/privileged-ports: >-
- 'mailserver' needs privilegdes ports
+ mailserver needs privileged ports
 ignore-check.kube-linter.io/no-read-only-root-fs: >-
- There are too many files written to make The
- root FS read-only
+ mailserver writes to multiple paths
 spec:
 replicas: 1
 selector:
@@ -128,27 +90,15 @@ spec:
 metadata:
 labels:
 app: docker-mailserver
-
- #annotations:
- # container.apparmor.security.beta.kubernetes.io/docker-mailserver: runtime/default
 spec:
 securityContext:
 runAsUser: 0
 runAsGroup: 5000
 fsGroup: 5000
 hostname: mail
- #initContainers:
- #- name: changeowner
- # image: busybox
- # command: ["sh", "-c", "chmod +w /var/mail"]
- # volumeMounts:
- # - name: data
- # mountPath: /var/mail
- # subPath: data
- # readOnly: false
 containers:
 - name: docker-mailserver
- image: docker.io/mailserver/docker-mailserver:latest
+ image: ghcr.io/docker-mailserver/docker-mailserver:15.2.2
 imagePullPolicy: IfNotPresent
 securityContext:
 allowPrivilegeEscalation: true
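Review bot: `LDAP_SERVER_HOST: ldap://dc.undercloud.local:389` keeps the directory connection in cleartext, and this revision deletes the commented `#LDAP_START_TLS`, `#DOVECOT_TLS` and `#SASLAUTHD_LDAP_START_TLS` lines instead of enabling them, so the bind with `LDAP_BIND_PW` (and user credentials, if Dovecot ends up doing bind authentication) cross the cluster network unencrypted. Add `LDAP_START_TLS: "yes"` and `DOVECOT_TLS: "yes"` next to `LDAP_SERVER_HOST`, or switch it to `ldaps://dc.undercloud.local:636`, and make sure the image trusts the CA that issued the certificate of `dc.undercloud.local` so the TLS handshake does not fail on verification. `DOVECOT_PASS_ATTRS` still maps `userPassword=password`, an attribute Active Directory (the `dc.` host and the `sAMAccountName` filters suggest that is the target) normally does not expose to readers, so a bind-based passdb (`DOVECOT_AUTH_BIND: "yes"`) is presumably required — confirm against the directory before relying on `DOVECOT_PASS_FILTER`. `DMS_DEBUG: "1"` is carried over unchanged; debug output is useful during the LDAP migration but should be turned off once authentication is verified.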
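Review bot: `image: ghcr.io/docker-mailserver/docker-mailserver:15.2.2` pins a tag, not content; with `imagePullPolicy: IfNotPresent` each node keeps whatever it pulled first under that tag, and a re-pushed tag would be accepted without notice. Append the digest as well, `image: ghcr.io/docker-mailserver/docker-mailserver:15.2.2@sha256:<digest taken from the registry>`, and have the update bot bump tag and digest together. Dropping `:latest` and the old Docker Hub image is already the right move; the digest just makes the pin verifiable.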
@@ -156,30 +106,23 @@ spec:
 runAsUser: 0
 runAsGroup: 5000
 runAsNonRoot: false
- privileged: true
+ privileged: false
 capabilities:
+ drop: ["ALL"]
 add:
- # file permission capabilities
 - CHOWN
 - FOWNER
 - MKNOD
 - SETGID
 - SETUID
 - DAC_OVERRIDE
- # network capabilities
- - NET_ADMIN # needed for F2B
- - NET_RAW # needed for F2B
+ - NET_ADMIN
+ - NET_RAW
 - NET_BIND_SERVICE
- # miscellaneous capabilities
 - SYS_CHROOT
 - KILL
- drop: [ALL]
 seccompProfile:
 type: RuntimeDefault
- # You want to tune this to your needs. If you disable ClamAV,
- # you can use less RAM and CPU. This becomes important in
- # case you're low on resources and Kubernetes refuses to
- # schedule new pods.
 resources:
 limits:
 memory: 2Gi
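Review bot: The capability list drops its justification comments (`# needed for F2B` on `NET_ADMIN`/`NET_RAW` and the `# file permission`/`# network`/`# miscellaneous` group headers) while keeping every capability, so a maintainer can no longer tell which grants are tied to which feature. Restore at least one line for the two broadest grants, e.g. `- NET_ADMIN  # fail2ban (ENABLE_FAIL2BAN=1) needs NET_ADMIN and NET_RAW; presumably both can go if it is disabled`, and a similar note on `allowPrivilegeEscalation: true` (unchanged context just above this hunk), which is now the only privilege-related setting left without a stated reason — confirm whether the set-id helpers in the image still need it. `privileged: false` together with `drop: ["ALL"]` and `seccompProfile: RuntimeDefault` is a clear improvement.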
@@ -187,55 +130,26 @@ spec:
 requests:
 memory: 500Mi
 cpu: 600m
- volumeMounts:
- - name: files
- subPath: postfix-accounts.cf
- mountPath: /tmp/docker-mailserver/postfix-accounts.cf
- readOnly: true
- # PVCs
- - name: data
- mountPath: /var/mail
- subPath: data
- readOnly: false
- - name: data
- mountPath: /var/mail-state
- subPath: state
- readOnly: false
- - name: data
- mountPath: /var/log/mail
- subPath: log
- readOnly: false
- # certificates
- - name: certificates-rsa
- mountPath: /secrets/ssl/rsa/
- readOnly: true
- # other
- - name: tmp-files
- mountPath: /tmp
- readOnly: false
- - name: config
- subPath: postfix-main.cf
- mountPath: /tmp/docker-mailserver/postfix-main.cf
- readOnly: true
- - name: config
- subPath: postfix-master.cf
- mountPath: /tmp/docker-mailserver/postfix-master.cf
- readOnly: true
- - name: config
- subPath: dovecot.cf
- mountPath: /tmp/docker-mailserver/dovecot.cf
- readOnly: true
+ envFrom:
+ - configMapRef:
+ name: mailserver.environment
+ env:
+ - name: LDAP_BIND_PW
+ valueFrom:
+ secretKeyRef:
+ name: mailserver-ldap
+ key: pw
 ports:
- - name: transfer
+ - name: smtp
 containerPort: 25
 protocol: TCP
- - name: esmtp-implicit
+ - name: smtps
 containerPort: 465
 protocol: TCP
- - name: esmtp-explicit
+ - name: submission
 containerPort: 587
- - name: imap-implicit
+ protocol: TCP
+ - name: imaps
 containerPort: 993
 protocol: TCP
 - name: imap
@@ -247,29 +161,26 @@ spec:
 - name: pop3s
 containerPort: 995
 protocol: TCP
- envFrom:
- - configMapRef:
- name: mailserver.environment
- env:
- - name: LDAP_BIND_PW
- valueFrom:
- secretKeyRef:
- name: mailserver-ldap
- key: pw
+ volumeMounts:
+ - name: data
+ mountPath: /var/mail
+ subPath: data
+ - name: data
+ mountPath: /var/mail-state
+ subPath: state
+ - name: data
+ mountPath: /var/log/mail
+ subPath: log
+ - name: certificates-rsa
+ mountPath: /secrets/ssl/rsa
+ readOnly: true
+ - name: tmp-files
+ mountPath: /tmp
 restartPolicy: Always
 volumes:
- # configuration files
- - name: files
- configMap:
- name: mailserver.files
- - name: config
- configMap:
- name: mailserver.config
- # PVCs
 - name: data
 persistentVolumeClaim:
 claimName: data
- # certificates
 - name: certificates-rsa
 secret:
 secretName: docker-mailserver-tls
@@ -278,8 +189,6 @@ spec:
 path: tls.key
 - key: tls.crt
 path: tls.crt
-
- # other
 - name: tmp-files
 emptyDir: {}
@@ -290,35 +199,26 @@ metadata:
 name: docker-mailserver
 namespace: mail
 spec:
- clusterIP: '2001:470:7116:f:1::50'
- clusterIPs:
- - '2001:470:7116:f:1::50'
- - 10.0.91.50
- ipFamilies:
- - IPv6
- - IPv4
- #ipFamilyPolicy: SingleStack
 ipFamilyPolicy: PreferDualStack
+ ipFamilies:
+ - IPv6
+ - IPv4
 ports:
- # Transfer
- - name: transfer
+ - name: smtp
 port: 25
- targetPort: transfer
+ targetPort: smtp
 protocol: TCP
- # ESMTP with implicit TLS
- - name: esmtp-implicit
+ - name: smtps
 port: 465
- targetPort: esmtp-implicit
+ targetPort: smtps
 protocol: TCP
- # ESMTP with explicit TLS (STARTTLS)
- - name: esmtp-explicit
+ - name: submission
 port: 587
- targetPort: esmtp-explicit
+ targetPort: submission
 protocol: TCP
- # IMAPS with implicit TLS
- - name: imap-implicit
+ - name: imaps
 port: 993
- targetPort: imap-implicit
+ targetPort: imaps
 protocol: TCP
 - name: imap
 port: 143
@@ -334,5 +234,4 @@ spec:
 protocol: TCP
 selector:
 app: docker-mailserver
- #sessionAffinity: None
- type: ClusterIP
+ type: ClusterIP
\ No newline at end of file
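Review bot: The `certificates-rsa` secret volume (`secretName: docker-mailserver-tls`, items `tls.key`/`tls.crt`, mounted read-only at `/secrets/ssl/rsa`) sets no `defaultMode`, so the private key lands in the container world-readable (the 0644 default); the image presumably runs its helper daemons under unprivileged accounts, and any of them — or anything that gains code execution as one — can then read `tls.key`. Add `defaultMode: 0400` under `secret:`; Postfix and Dovecot should still load the key because they read it as root before dropping privileges, but verify after rollout, and note that `fsGroup: 5000` may widen the mode to group-read. The `readOnly: true` on the mount is correct and worth keeping.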
diff --git a/mail/secrets.yaml b/mail/secrets.yaml
index 3fe4ad5..7706b7d 100644
--- a/mail/secrets.yaml
+++ b/mail/secrets.yaml
@@ -4,8 +4,8 @@ metadata:
 name: mailserver-ldap
 namespace: mail
 type: Opaque
-data:
- pw: c2VjdXJlUFdtYWlsc2VydmVy
+stringData:
+ pw: 1thisismySECURELDAPPWmailserver
 ---
 ---
 apiVersion: v1
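Review bot: `pw: 1thisismySECURELDAPPWmailserver` under `stringData` commits the `mailserver` bind account's password in cleartext; the base64 value it replaces was just as recoverable, so the credential has now been published in git history twice and should be rotated in the directory, not only edited here. Take the value out of the repository: keep the Secret's `metadata` for reference and deliver `pw` through SealedSecrets, External Secrets, SOPS or a CI-side `kubectl create secret`, and add a secrets-scanner pre-commit hook so the next `stringData` literal is caught before it lands. If it must stay inline temporarily, quote it, `pw: "..."`, so a value that starts with a digit is never re-typed by YAML tooling.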