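---
# docker-mailserver on Kubernetes (namespace "mail").
# Documents, in order: environment ConfigMap, Postfix override ConfigMap,
# Dovecot LDAP ConfigMap, data PVC, Deployment, dual-stack Service.
#
# NOTE(review): everything docker-mailserver needs to talk to the directory
# (bind DN, filters, TLS policy) lives in the first and third documents; the
# two sets of LDAP settings are not identical — see the comments there.
apiVersion: v1
kind: ConfigMap
metadata:
  name: mailserver.environment
  namespace: mail
immutable: false
data:
  DOMAINNAME: "undercloud.dev"
  OVERRIDE_HOSTNAME: "mail.apps.undercloud.dev"
  # TLS material is provided by the docker-mailserver-tls Secret mounted at
  # /secrets/ssl/rsa (see the Deployment's certificates-rsa volume).
  SSL_TYPE: "manual"
  SSL_CERT_PATH: "/secrets/ssl/rsa/tls.crt"
  SSL_KEY_PATH: "/secrets/ssl/rsa/tls.key"
  ACCOUNT_PROVISIONER: "LDAP"
  LDAP_SERVER_HOST: "ldaps://dc.undercloud.local:636"
  LDAP_SEARCH_BASE: "OU=Undercloud,DC=undercloud,DC=local"
  # Bind password is injected as LDAP_BIND_PW from Secret mailserver-ldap
  # (key "pw") in the Deployment, not stored here.
  LDAP_BIND_DN: "CN=mailserver,OU=serviceaccounts,OU=users,OU=Undercloud,DC=undercloud,DC=local"
  LDAP_QUERY_FILTER_USER: "(mail=%s)"
  LDAP_QUERY_FILTER_GROUP: "(mail=%s)"
  LDAP_QUERY_FILTER_ALIAS: "(proxyAddresses=smtp:%s)"
  LDAP_QUERY_FILTER_DOMAIN: "(mail=*@%s)"
  # SECURITY: "never" disables verification of the LDAPS server certificate,
  # so the bind DN and password are sent to whichever host answers on 636.
  # Prefer "demand" once the AD CA certificate is trusted inside the image.
  LDAP_TLS_REQCERT: "never"
  # DOVECOT_PASS_FILTER: "(&(objectClass=user)(sAMAccountName=%n))"
  # DOVECOT_USER_FILTER: "(&(objectClass=user)(sAMAccountName=%n))"
  # NOTE(review): the dovecot-ldap-config ConfigMap below is mounted over
  # /etc/dovecot/dovecot-ldap.conf.ext and carries its own, narrower filters
  # (sAMAccountName=%n only); it presumably takes precedence over these two
  # values — confirm which one Dovecot actually uses and keep them in sync.
  DOVECOT_PASS_FILTER: "(&(objectClass=user)(|(mail=%u)(sAMAccountName=%n)))"
  DOVECOT_USER_FILTER: "(&(objectClass=user)(|(mail=%u)(sAMAccountName=%n)))"
  # ENABLE_SASLAUTHD: "1"
  # SASLAUTHD_MECHANISMS: "ldap"
  # SASLAUTHD_LDAP_SERVER: "ldaps://dc.undercloud.local:636"
  # SASLAUTHD_LDAP_BIND_DN: "CN=mailserver,OU=serviceaccounts,OU=users,OU=Undercloud,DC=undercloud,DC=local"
  # SASLAUTHD_LDAP_SEARCH_BASE: "OU=Undercloud,DC=undercloud,DC=local"
  # SASLAUTHD_LDAP_FILTER: "(&(sAMAccountName=%U)(objectClass=person))"
  # SMTP AUTH is delegated to the local IMAP server (rimap) instead of a
  # second LDAP bind path; the SASLAUTHD_LDAP_PASSWORD env var injected by the
  # Deployment appears unused while the ldap mechanism above stays disabled.
  ENABLE_SASLAUTHD: "1"
  SASLAUTHD_MECHANISMS: "rimap"
  SASLAUTHD_MECH_OPTIONS: "127.0.0.1"
  # TODO confirm: localhost.localdomain is unlikely to be the intended
  # postmaster mailbox for undercloud.dev; bounces and abuse mail may be lost.
  POSTMASTER_ADDRESS: "postmaster@localhost.localdomain"
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: postfix-main-config
  namespace: mail
data:
  # Mounted at /tmp/docker-mailserver/postfix-main.cf, the location
  # docker-mailserver reads main.cf overrides from.
  postfix-main.cf: |
    smtp_address_preference = ipv6
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: dovecot-ldap-config
  namespace: mail
data:
  # SECURITY: this file embeds the LDAP bind password in clear text
  # ("dnpass") inside a ConfigMap that is committed to version control.
  # The same credential is already held in Secret mailserver-ldap (key "pw")
  # for the Postfix side; serve this file from a Secret volume instead and
  # rotate the service-account password, since this value has been exposed.
  # NOTE(review): "hosts" names dc1.undercloud.local with no port and
  # "tls = yes" (STARTTLS), whereas LDAP_SERVER_HOST above uses
  # ldaps://dc.undercloud.local:636 — confirm both are intended.
  # "tls_require_cert = never" disables server-certificate verification for
  # this connection as well; prefer "hard"/"demand" with the AD CA installed.
  dovecot-ldap.conf.ext: |
    hosts = dc1.undercloud.local
    dn = CN=mailserver,OU=serviceaccounts,OU=users,OU=Undercloud,DC=undercloud,DC=local
    dnpass = 1thisismySECURELDAPPWmailserver
    ldap_version = 3
    base = OU=Undercloud,DC=undercloud,DC=local
    scope = subtree
    # 🔥 disable cert verification
    tls = yes
    tls_require_cert = never
    # auth via bind (Samba AD style)
    auth_bind = yes
    user_filter = (&(objectClass=user)(sAMAccountName=%n))
    pass_filter = (&(objectClass=user)(sAMAccountName=%n))
    pass_attrs = sAMAccountName=user
    user_attrs = =home=/var/mail/%{ldap:sAMAccountName},=mail=maildir:~/Maildir,=uid=5000,=gid=5000
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: data
  namespace: mail
spec:
  # One PVC backs mail, state and logs via subPath mounts in the Deployment.
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 25Gi
  storageClassName: cephfs-hyper
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: docker-mailserver
  namespace: mail
  annotations:
    # kube-linter exemptions: the container deliberately runs as root, binds
    # privileged ports and writes to its root filesystem.
    ignore-check.kube-linter.io/run-as-non-root: >-
      mailserver needs to run as root
    ignore-check.kube-linter.io/privileged-ports: >-
      mailserver needs privileged ports
    ignore-check.kube-linter.io/no-read-only-root-fs: >-
      mailserver writes to multiple paths
spec:
  replicas: 1
  selector:
    matchLabels:
      app: docker-mailserver
  template:
    metadata:
      labels:
        app: docker-mailserver
    spec:
      securityContext:
        runAsUser: 0
        runAsGroup: 5000
        fsGroup: 5000
      hostname: mail
      containers:
        - name: docker-mailserver
          # SUPPLY CHAIN: the image has no tag or digest, so this resolves to
          # a floating "latest". Combined with IfNotPresent, nodes keep
          # whichever build they pulled first and can drift from each other.
          # Pin a version tag (or an @sha256 digest) so upgrades are explicit.
          image: ghcr.io/docker-mailserver/docker-mailserver
          imagePullPolicy: IfNotPresent
          securityContext:
            allowPrivilegeEscalation: true
            readOnlyRootFilesystem: false
            runAsUser: 0
            runAsGroup: 5000
            runAsNonRoot: false
            privileged: false
            # Explicit capability allow-list after dropping everything;
            # keep it minimal and review any addition.
            capabilities:
              drop: ["ALL"]
              add:
                - CHOWN
                - FOWNER
                - MKNOD
                - SETGID
                - SETUID
                - DAC_OVERRIDE
                - NET_ADMIN
                - NET_RAW
                - NET_BIND_SERVICE
                - SYS_CHROOT
                - KILL
            seccompProfile:
              type: RuntimeDefault
          resources:
            limits:
              memory: 2Gi
              cpu: 1500m
            requests:
              memory: 500Mi
              cpu: 600m
          envFrom:
            - configMapRef:
                name: mailserver.environment
          env:
            - name: LDAP_BIND_PW
              valueFrom:
                secretKeyRef:
                  name: mailserver-ldap
                  key: pw
            # Same credential as LDAP_BIND_PW; only consumed if saslauthd is
            # switched back to the ldap mechanism in mailserver.environment.
            - name: SASLAUTHD_LDAP_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: mailserver-ldap
                  key: pw
          ports:
            - name: smtp
              containerPort: 25
              protocol: TCP
            - name: smtps
              containerPort: 465
              protocol: TCP
            - name: submission
              containerPort: 587
              protocol: TCP
            - name: imaps
              containerPort: 993
              protocol: TCP
            - name: imap
              containerPort: 143
              protocol: TCP
            - name: pop3
              containerPort: 110
              protocol: TCP
            - name: pop3s
              containerPort: 995
              protocol: TCP
          volumeMounts:
            - name: data
              mountPath: /var/mail
              subPath: data
            - name: data
              mountPath: /var/mail-state
              subPath: state
            - name: data
              mountPath: /var/log/mail
              subPath: log
            - name: certificates-rsa
              mountPath: /secrets/ssl/rsa
              readOnly: true
            - name: tmp-files
              mountPath: /tmp
            # subPath mounts of ConfigMaps are snapshots: edits to the
            # ConfigMap are not propagated until the pod is recreated.
            - name: dovecot-ldap
              mountPath: /etc/dovecot/dovecot-ldap.conf.ext
              subPath: dovecot-ldap.conf.ext
            - name: postfix-main-config
              mountPath: /tmp/docker-mailserver/postfix-main.cf
              subPath: postfix-main.cf
      restartPolicy: Always
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: data
        - name: certificates-rsa
          secret:
            secretName: docker-mailserver-tls
            items:
              - key: tls.key
                path: tls.key
              - key: tls.crt
                path: tls.crt
        - name: tmp-files
          emptyDir: {}
        # Carries a clear-text bind password today (see dovecot-ldap-config);
        # a Secret volume with the same file name would be a drop-in swap.
        - name: dovecot-ldap
          configMap:
            name: dovecot-ldap-config
        - name: postfix-main-config
          configMap:
            name: postfix-main-config
---
apiVersion: v1
kind: Service
metadata:
  name: docker-mailserver
  namespace: mail
spec:
  # Static dual-stack addresses, quoted so the IPv6 literal is always read
  # as a string by any YAML tooling that touches this file.
  clusterIP: "2001:470:7116:f:1::50"
  clusterIPs:
    - "2001:470:7116:f:1::50"
    - "10.0.91.50"
  ipFamilyPolicy: PreferDualStack
  ipFamilies:
    - IPv6
    - IPv4
  ports:
    - name: smtp
      port: 25
      targetPort: smtp
      protocol: TCP
    - name: smtps
      port: 465
      targetPort: smtps
      protocol: TCP
    - name: submission
      port: 587
      targetPort: submission
      protocol: TCP
    - name: imaps
      port: 993
      targetPort: imaps
      protocol: TCP
    - name: imap
      port: 143
      targetPort: imap
      protocol: TCP
    - name: pop3
      port: 110
      targetPort: pop3
      protocol: TCP
    - name: pop3s
      port: 995
      targetPort: pop3s
      protocol: TCP
  selector:
    app: docker-mailserver
  type: ClusterIP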