Undercloud/k8s-apps
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

mail

Browse Source
This commit is contained in:
Gitea Root Administrator
2026-03-21 22:39:33 +00:00
parent 15bcb5d8a7
commit 904c24b9f3
2 changed files with 91 additions and 192 deletions
Download Patch File Download Diff File Expand all files Collapse all files

269
mail/docker-mailserver.yaml
View File

@@ -5,93 +5,55 @@ metadata:
namespace: mail
immutable: false
data:
TLS_LEVEL: modern
POSTSCREEN_ACTION: drop
OVERRIDE_HOSTNAME: mail.undercloud.dev
FAIL2BAN_BLOCKTYPE: drop
POSTMASTER_ADDRESS: postmaster@undercloud.dev
UPDATE_CHECK_INTERVAL: 10d
POSTFIX_INET_PROTOCOLS: ipv6, ipv4
ONE_DIR: '0'
ENABLE_CLAMAV: '0'
ENABLE_POSTGREY: '0'
ENABLE_FAIL2BAN: '1'
AMAVIS_LOGLEVEL: '-1'
SPOOF_PROTECTION: '1'
MOVE_SPAM_TO_JUNK: '1'
ENABLE_UPDATE_CHECK: '1'
ENABLE_SPAMASSASSIN: '1'
SUPERVISOR_LOGLEVEL: warn
SPAMASSASSIN_SPAM_TO_INBOX: '1'
DMS_DEBUG: '1'
ENABLE_POP3: '1'
# here, we provide an example for the SSL configuration
TLS_LEVEL: modern
SSL_TYPE: manual
SSL_CERT_PATH: /secrets/ssl/rsa/tls.crt
SSL_KEY_PATH: /secrets/ssl/rsa/tls.key
#ldap
POSTFIX_INET_PROTOCOLS: ipv6, ipv4
DOVECOT_INET_PROTOCOLS: ipv6, ipv4
ONE_DIR: "0"
DMS_DEBUG: "1"
SUPERVISOR_LOGLEVEL: warn
DMS_VMAIL_UID: "5000"
DMS_VMAIL_GID: "5000"
ENABLE_CLAMAV: "0"
ENABLE_POSTGREY: "0"
ENABLE_FAIL2BAN: "1"
ENABLE_SPAMASSASSIN: "1"
ENABLE_POP3: "1"
ENABLE_UPDATE_CHECK: "1"
AMAVIS_LOGLEVEL: "-1"
UPDATE_CHECK_INTERVAL: 10d
POSTSCREEN_ACTION: drop
FAIL2BAN_BLOCKTYPE: drop
SPOOF_PROTECTION: "1"
MOVE_SPAM_TO_JUNK: "1"
SPAMASSASSIN_SPAM_TO_INBOX: "1"
ACCOUNT_PROVISIONER: LDAP
LDAP_SERVER_HOST: ldap://ldap.undercloud.local:389
LDAP_SEARCH_BASE: dc=undercloud,dc=local
LDAP_BIND_DN: cn=mailserver,ou=serviceaccounts,ou=users,dc=undercloud,dc=local
#LDAP_BIND_PW: 'mypassword' # from secret
SPOOF_PROTECTION: '1'
LDAP_SERVER_HOST: ldap://dc.undercloud.local:389
LDAP_SEARCH_BASE: DC=undercloud,DC=local
LDAP_BIND_DN: CN=mailserver,OU=serviceaccounts,OU=users,OU=Undercloud,DC=undercloud,DC=local
LDAP_QUERY_FILTER_DOMAIN: (|(mail=*@%s)(mailAlias=*@%s)(mailGroupMember=*@%s))
LDAP_QUERY_FILTER_USER: (&(objectClass=inetOrgPerson)(mail=%s))
LDAP_QUERY_FILTER_ALIAS: (&(objectClass=inetOrgPerson)(mailAlias=%s))
LDAP_QUERY_FILTER_USER: (&(objectClass=person)(mail=%s))
LDAP_QUERY_FILTER_ALIAS: (&(objectClass=person)(mailAlias=%s))
LDAP_QUERY_FILTER_GROUP: (&(objectClass=groupOfUniqueNames)(mail=%s))
LDAP_QUERY_FILTER_SENDERS: (&(objectClass=inetOrgPerson)(|(mail=%s)))
LDAP_QUERY_FILTER_SENDERS: (&(objectClass=person)(|(mail=%s)(mailAlias=%s)))
DOVECOT_PASS_ATTRS: uid=user,userPassword=password
#DOVECOT_USER_ATTRS: home=/var/mail/%{ldap:uid},=mail=maildir:~/Maildir,uidNumber=uid,gidNumber=gid
DOVECOT_USER_ATTRS: =home=/var/mail/%{ldap:uid},=mail=maildir:~/Maildir,uidNumber=uid,gidNumber=5000
DOVECOT_USER_FILTER: (&(objectClass=person)(|(mail=%u)(uid=%u)))
DOVECOT_PASS_ATTRS: sAMAccountName=user,userPassword=password
DOVECOT_USER_ATTRS: =home=/var/mail/%{ldap:sAMAccountName},=mail=maildir:~/Maildir,=uid=5000,=gid=5000
DOVECOT_USER_FILTER: (&(objectClass=person)(|(mail=%u)(sAMAccountName=%n)))
DOVECOT_PASS_FILTER: (&(objectClass=person)(|(mail=%u)(sAMAccountName=%n)))
SASLAUTHD_MECHANISMS: rimap
SASLAUTHD_MECH_OPTIONS: '::1'
#LDAP_START_TLS: 'yes'
#DOVECOT_TLS: 'yes'
#SASLAUTHD_LDAP_START_TLS: 'yes'
---
apiVersion: v1
kind: ConfigMap
metadata:
name: mailserver.files
namespace: mail
data:
# postfix-accounts.cf: |
# sebastian@undercloud.dev|{SHA512-CRYPT}$6$ACOZB1B.2yHv8ePj$9vIW46wFqHfIMlP9.sDE1xtk1XN5OhS6etnvv5AxDPVPMFXXx55dVNwybLAaS/YEKahPg56vE9d6CIl7pYDw41
# glodas@undercloud.dev|{SHA512-CRYPT}$6$ACOZB1B.2yHv8ePj$9vIW46wFqHfIMlP9.sDE1xtk1XN5OhS6etnvv5AxDPVPMFXXx55dVNwybLAaS/YEKahPg56vE9d6CIl7pYDw41
---
kind: ConfigMap
apiVersion: v1
metadata:
name: mailserver.config
namespace: mail
labels:
app: docker-mailserver
#data:
# postfix-main.cf: |
# postscreen_upstream_proxy_protocol = haproxy
# postfix-master.cf: |
# smtp/inet/postscreen_upstream_proxy_protocol=haproxy
# submission/inet/smtpd_upstream_proxy_protocol=haproxy
# smtps/inet/smtpd_upstream_proxy_protocol=haproxy
# dovecot.cf: |
# # Assuming your ingress controller is bound to 10.0.0.0/8
# haproxy_trusted_networks = 10.0.0.0/8, 127.0.0.0/8, 2001:470:72f0::/48, fd00::/48
# service imap-login {
# inet_listener imap {
# haproxy = yes
# }
# inet_listener imaps {
# haproxy = yes
# }
# }
---
apiVersion: v1
kind: PersistentVolumeClaim
@@ -103,8 +65,9 @@ spec:
- ReadWriteMany
resources:
requests:
storage: 25G
storage: 25Gi
storageClassName: cephfs-hyper
---
apiVersion: apps/v1
kind: Deployment
@@ -113,12 +76,11 @@ metadata:
namespace: mail
annotations:
ignore-check.kube-linter.io/run-as-non-root: >-
'mailserver' needs to run as root
mailserver needs to run as root
ignore-check.kube-linter.io/privileged-ports: >-
'mailserver' needs privilegdes ports
mailserver needs privileged ports
ignore-check.kube-linter.io/no-read-only-root-fs: >-
There are too many files written to make The
root FS read-only
mailserver writes to multiple paths
spec:
replicas: 1
selector:
@@ -128,27 +90,15 @@ spec:
metadata:
labels:
app: docker-mailserver
#annotations:
# container.apparmor.security.beta.kubernetes.io/docker-mailserver: runtime/default
spec:
securityContext:
runAsUser: 0
runAsGroup: 5000
fsGroup: 5000
hostname: mail
#initContainers:
#- name: changeowner
# image: busybox
# command: ["sh", "-c", "chmod +w /var/mail"]
# volumeMounts:
# - name: data
# mountPath: /var/mail
# subPath: data
# readOnly: false
containers:
- name: docker-mailserver
image: docker.io/mailserver/docker-mailserver:latest
image: ghcr.io/docker-mailserver/docker-mailserver:15.2.2
imagePullPolicy: IfNotPresent
securityContext:
allowPrivilegeEscalation: true
@@ -156,30 +106,23 @@ spec:
runAsUser: 0
runAsGroup: 5000
runAsNonRoot: false
privileged: true
privileged: false
capabilities:
drop: ["ALL"]
add:
# file permission capabilities
- CHOWN
- FOWNER
- MKNOD
- SETGID
- SETUID
- DAC_OVERRIDE
# network capabilities
- NET_ADMIN # needed for F2B
- NET_RAW # needed for F2B
- NET_ADMIN
- NET_RAW
- NET_BIND_SERVICE
# miscellaneous capabilities
- SYS_CHROOT
- KILL
drop: [ALL]
seccompProfile:
type: RuntimeDefault
# You want to tune this to your needs. If you disable ClamAV,
# you can use less RAM and CPU. This becomes important in
# case you're low on resources and Kubernetes refuses to
# schedule new pods.
resources:
limits:
memory: 2Gi
@@ -187,55 +130,26 @@ spec:
requests:
memory: 500Mi
cpu: 600m
volumeMounts:
- name: files
subPath: postfix-accounts.cf
mountPath: /tmp/docker-mailserver/postfix-accounts.cf
readOnly: true
# PVCs
- name: data
mountPath: /var/mail
subPath: data
readOnly: false
- name: data
mountPath: /var/mail-state
subPath: state
readOnly: false
- name: data
mountPath: /var/log/mail
subPath: log
readOnly: false
# certificates
- name: certificates-rsa
mountPath: /secrets/ssl/rsa/
readOnly: true
# other
- name: tmp-files
mountPath: /tmp
readOnly: false
- name: config
subPath: postfix-main.cf
mountPath: /tmp/docker-mailserver/postfix-main.cf
readOnly: true
- name: config
subPath: postfix-master.cf
mountPath: /tmp/docker-mailserver/postfix-master.cf
readOnly: true
- name: config
subPath: dovecot.cf
mountPath: /tmp/docker-mailserver/dovecot.cf
readOnly: true
envFrom:
- configMapRef:
name: mailserver.environment
env:
- name: LDAP_BIND_PW
valueFrom:
secretKeyRef:
name: mailserver-ldap
key: pw
ports:
- name: transfer
- name: smtp
containerPort: 25
protocol: TCP
- name: esmtp-implicit
- name: smtps
containerPort: 465
protocol: TCP
- name: esmtp-explicit
- name: submission
containerPort: 587
- name: imap-implicit
protocol: TCP
- name: imaps
containerPort: 993
protocol: TCP
- name: imap
@@ -247,29 +161,26 @@ spec:
- name: pop3s
containerPort: 995
protocol: TCP
envFrom:
- configMapRef:
name: mailserver.environment
env:
- name: LDAP_BIND_PW
valueFrom:
secretKeyRef:
name: mailserver-ldap
key: pw
volumeMounts:
- name: data
mountPath: /var/mail
subPath: data
- name: data
mountPath: /var/mail-state
subPath: state
- name: data
mountPath: /var/log/mail
subPath: log
- name: certificates-rsa
mountPath: /secrets/ssl/rsa
readOnly: true
- name: tmp-files
mountPath: /tmp
restartPolicy: Always
volumes:
# configuration files
- name: files
configMap:
name: mailserver.files
- name: config
configMap:
name: mailserver.config
# PVCs
- name: data
persistentVolumeClaim:
claimName: data
# certificates
- name: certificates-rsa
secret:
secretName: docker-mailserver-tls
@@ -278,8 +189,6 @@ spec:
path: tls.key
- key: tls.crt
path: tls.crt
# other
- name: tmp-files
emptyDir: {}
@@ -290,35 +199,26 @@ metadata:
name: docker-mailserver
namespace: mail
spec:
clusterIP: '2001:470:7116:f:1::50'
clusterIPs:
- '2001:470:7116:f:1::50'
- 10.0.91.50
ipFamilyPolicy: PreferDualStack
ipFamilies:
- IPv6
- IPv4
#ipFamilyPolicy: SingleStack
ipFamilyPolicy: PreferDualStack
ports:
# Transfer
- name: transfer
- name: smtp
port: 25
targetPort: transfer
targetPort: smtp
protocol: TCP
# ESMTP with implicit TLS
- name: esmtp-implicit
- name: smtps
port: 465
targetPort: esmtp-implicit
targetPort: smtps
protocol: TCP
# ESMTP with explicit TLS (STARTTLS)
- name: esmtp-explicit
- name: submission
port: 587
targetPort: esmtp-explicit
targetPort: submission
protocol: TCP
# IMAPS with implicit TLS
- name: imap-implicit
- name: imaps
port: 993
targetPort: imap-implicit
targetPort: imaps
protocol: TCP
- name: imap
port: 143
@@ -334,5 +234,4 @@ spec:
protocol: TCP
selector:
app: docker-mailserver
#sessionAffinity: None
type: ClusterIP

4
mail/secrets.yaml
View File

@@ -4,8 +4,8 @@ metadata:
name: mailserver-ldap
namespace: mail
type: Opaque
data:
pw: c2VjdXJlUFdtYWlsc2VydmVy
stringData:
pw: 1thisismySECURELDAPPWmailserver
---
---
apiVersion: v1