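---
# Environment for docker-mailserver. Every value under a ConfigMap `data:` key must be a
# string, so anything YAML would otherwise read as a number, boolean or null
# ('0', '1', '-1', '::1') stays quoted.
apiVersion: v1
kind: ConfigMap
metadata:
  name: mailserver.environment
  namespace: mail
immutable: false
data:
  TLS_LEVEL: modern
  POSTSCREEN_ACTION: drop
  OVERRIDE_HOSTNAME: mail.undercloud.cf
  FAIL2BAN_BLOCKTYPE: drop
  POSTMASTER_ADDRESS: postmaster@undercloud.cf
  UPDATE_CHECK_INTERVAL: 10d
  POSTFIX_INET_PROTOCOLS: 'ipv6, ipv4'
  ONE_DIR: '0'
  ENABLE_CLAMAV: '0'
  ENABLE_POSTGREY: '0'
  ENABLE_FAIL2BAN: '1'
  AMAVIS_LOGLEVEL: '-1'
  # SPOOF_PROTECTION was listed twice in this map (here and after LDAP_BIND_DN); most
  # parsers silently keep the last value and some reject the document, so it is set once.
  SPOOF_PROTECTION: '1'
  MOVE_SPAM_TO_JUNK: '1'
  ENABLE_UPDATE_CHECK: '1'
  ENABLE_SPAMASSASSIN: '1'
  SUPERVISOR_LOGLEVEL: warn
  SPAMASSASSIN_SPAM_TO_INBOX: '1'
  # NOTE(review): DMS_DEBUG=1 makes the container logs considerably more verbose; the
  # logs are written to the shared `data` claim (see the /var/log/mail mount below), so
  # keep this on only while troubleshooting.
  DMS_DEBUG: '1'
  ENABLE_POP3: '1'
  # here, we provide an example for the SSL configuration
  SSL_TYPE: manual
  SSL_CERT_PATH: /secrets/ssl/rsa/tls.crt
  SSL_KEY_PATH: /secrets/ssl/rsa/tls.key
  # ldap
  ACCOUNT_PROVISIONER: LDAP
  LDAP_SERVER_HOST: ldap.undercloud.cf
  LDAP_SEARCH_BASE: dc=undercloud,dc=cf
  LDAP_BIND_DN: cn=mailserver,ou=serviceaccounts,ou=users,dc=undercloud,dc=cf
  #LDAP_BIND_PW: 'mypassword' # from secret
  # The LDAP filters and attribute maps are single-quoted because they contain YAML
  # flow/alias indicators (`(`, `|`, `*`, `{`, `,`); the values themselves are unchanged.
  LDAP_QUERY_FILTER_DOMAIN: '(|(mail=*@%s)(mailAlias=*@%s)(mailGroupMember=*@%s))'
  LDAP_QUERY_FILTER_USER: '(&(objectClass=inetOrgPerson)(mail=%s))'
  LDAP_QUERY_FILTER_ALIAS: '(&(objectClass=inetOrgPerson)(mailAlias=%s))'
  LDAP_QUERY_FILTER_GROUP: '(&(objectClass=groupOfUniqueNames)(mail=%s))'
  LDAP_QUERY_FILTER_SENDERS: '(&(objectClass=inetOrgPerson)(|(mail=%s)))'
  DOVECOT_PASS_ATTRS: 'uid=user,userPassword=password'
  #DOVECOT_USER_ATTRS: home=/var/mail/%{ldap:uid},=mail=maildir:~/Maildir,uidNumber=uid,gidNumber=gid
  DOVECOT_USER_ATTRS: '=home=/var/mail/%{ldap:uid},=mail=maildir:~/Maildir,uidNumber=uid,gidNumber=5000'
  DOVECOT_USER_FILTER: '(&(objectClass=person)(|(mail=%u)(uid=%u)))'
  SASLAUTHD_MECHANISMS: rimap
  SASLAUTHD_MECH_OPTIONS: '::1'
  # NOTE(review): with the three settings below left disabled, the bind DN, its password
  # and every directory lookup presumably travel to ldap.undercloud.cf as plain LDAP.
  # Unless that path is encrypted by other means (e.g. an in-cluster mTLS mesh), enable
  # STARTTLS here — confirm the LDAP server offers it first.
  #LDAP_START_TLS: 'yes'
  #DOVECOT_TLS: 'yes'
  #SASLAUTHD_LDAP_START_TLS: 'yes'
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: mailserver.files
  namespace: mail
# NOTE(review): `data` is empty here, yet the Deployment mounts this ConfigMap with
# `subPath: postfix-accounts.cf`. A subPath key that is not present in the ConfigMap is
# not guaranteed to produce a usable file at the mountPath — verify the pod starts
# with the key absent, or remove that mount while accounts come from LDAP.
# The commented-out entries are credentials even though they are hashed: keep
# postfix-accounts.cf in a Secret rather than in a ConfigMap committed to the
# repository. Both entries below also carry the identical salt and digest, i.e. the
# same password for two accounts.
data:
  # postfix-accounts.cf: |
  #   sebastian@undercloud.cf|{SHA512-CRYPT}$6$ACOZB1B.2yHv8ePj$9vIW46wFqHfIMlP9.sDE1xtk1XN5OhS6etnvv5AxDPVPMFXXx55dVNwybLAaS/YEKahPg56vE9d6CIl7pYDw41
  #   glodas@undercloud.cf|{SHA512-CRYPT}$6$ACOZB1B.2yHv8ePj$9vIW46wFqHfIMlP9.sDE1xtk1XN5OhS6etnvv5AxDPVPMFXXx55dVNwybLAaS/YEKahPg56vE9d6CIl7pYDw41
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: mailserver.config
  namespace: mail
  labels:
    app: docker-mailserver
# NOTE(review): the whole `data` block is commented out, but the Deployment mounts
# postfix-main.cf, postfix-master.cf and dovecot.cf from this ConfigMap via subPath.
# Either restore the keys (the example below wires PROXY protocol for an ingress at
# 10.0.0.0/8) or drop those three mounts — see the note on mailserver.files.
#data:
#  postfix-main.cf: |
#    postscreen_upstream_proxy_protocol = haproxy
#  postfix-master.cf: |
#    smtp/inet/postscreen_upstream_proxy_protocol=haproxy
#    submission/inet/smtpd_upstream_proxy_protocol=haproxy
#    smtps/inet/smtpd_upstream_proxy_protocol=haproxy
#  dovecot.cf: |
#    # Assuming your ingress controller is bound to 10.0.0.0/8
#    haproxy_trusted_networks = 10.0.0.0/8, 127.0.0.0/8, 2001:470:72f0::/48, fd00::/48
#    service imap-login {
#      inet_listener imap {
#        haproxy = yes
#      }
#      inet_listener imaps {
#        haproxy = yes
#      }
#    }
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: docker-mailserver
# Change "rook-ceph" provisioner prefix to match the operator namespace if needed
provisioner: rook-ceph.cephfs.csi.ceph.com
parameters:
  # clusterID is the namespace where the rook cluster is running
  # If you change this namespace, also change the namespace below where the secret namespaces are defined
  clusterID: rook-ceph
  # CephFS filesystem name into which the volume shall be created
  fsName: docker-mailserver
  # Ceph pool into which the volume shall be created
  # Required for provisionVolume: "true"
  pool: docker-mailserver-replicated
  # The secrets contain Ceph admin credentials. These are generated automatically by the operator
  # in the same namespace as the cluster.
  csi.storage.k8s.io/provisioner-secret-name: rook-csi-cephfs-provisioner
  csi.storage.k8s.io/provisioner-secret-namespace: rook-ceph
  csi.storage.k8s.io/controller-expand-secret-name: rook-csi-cephfs-provisioner
  csi.storage.k8s.io/controller-expand-secret-namespace: rook-ceph
  csi.storage.k8s.io/node-stage-secret-name: rook-csi-cephfs-node
  csi.storage.k8s.io/node-stage-secret-namespace: rook-ceph
# NOTE(review): Delete discards the CephFS volume (mailboxes, mail-state, logs) as soon
# as the `data` claim below is deleted; Retain is the safer policy for mail data.
reclaimPolicy: Delete
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: data
  namespace: mail
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 25G
  storageClassName: docker-mailserver
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: docker-mailserver
  namespace: mail
  annotations:
    ignore-check.kube-linter.io/run-as-non-root: >-
      'mailserver' needs to run as root
    ignore-check.kube-linter.io/privileged-ports: >-
      'mailserver' needs privilegdes ports
    ignore-check.kube-linter.io/no-read-only-root-fs: >-
      There are too many files written to make The root FS read-only
spec:
  # NOTE(review): no `strategy` is set, so the default RollingUpdate may briefly run two
  # pods writing the same /var/mail and /var/mail-state on the ReadWriteMany claim;
  # `strategy: {type: Recreate}` avoids that for a single-instance mail server.
  replicas: 1
  selector:
    matchLabels:
      app: docker-mailserver
  template:
    metadata:
      labels:
        app: docker-mailserver
      #annotations:
      #  container.apparmor.security.beta.kubernetes.io/docker-mailserver: runtime/default
    spec:
      securityContext:
        runAsUser: 0
        runAsGroup: 5000
        fsGroup: 5000
      hostname: mail
      #initContainers:
      #- name: changeowner
      #  image: busybox
      #  command: ["sh", "-c", "chmod +w /var/mail"]
      #  volumeMounts:
      #  - name: data
      #    mountPath: /var/mail
      #    subPath: data
      #    readOnly: false
      containers:
        - name: docker-mailserver
          # NOTE(review): `:latest` together with IfNotPresent means each node runs
          # whatever it last cached; pin a release tag or digest so rollouts are
          # reproducible and the version in production is reviewable.
          image: docker.io/mailserver/docker-mailserver:latest
          imagePullPolicy: IfNotPresent
          securityContext:
            allowPrivilegeEscalation: true
            readOnlyRootFilesystem: false
            runAsUser: 0
            runAsGroup: 5000
            runAsNonRoot: false
            # NOTE(review): privileged: true grants the container every capability and
            # host device access regardless of the add/drop list below, so that list is
            # currently ineffective. The explicit add list (including NET_ADMIN/NET_RAW
            # for fail2ban) exists so this can be false — confirm nothing here truly
            # requires privileged mode before flipping it.
            privileged: true
            capabilities:
              add:
                # file permission capabilities
                - CHOWN
                - FOWNER
                - MKNOD
                - SETGID
                - SETUID
                - DAC_OVERRIDE
                # network capabilities
                - NET_ADMIN  # needed for F2B
                - NET_RAW  # needed for F2B
                - NET_BIND_SERVICE
                # miscellaneous capabilities
                - SYS_CHROOT
                - KILL
              drop: [ALL]
            seccompProfile:
              type: RuntimeDefault
          # You want to tune this to your needs. If you disable ClamAV,
          # you can use less RAM and CPU. This becomes important in
          # case you're low on resources and Kubernetes refuses to
          # schedule new pods.
          resources:
            limits:
              memory: 2Gi
              cpu: 1500m
            requests:
              memory: 500Mi
              cpu: 600m
          volumeMounts:
            - name: files
              subPath: postfix-accounts.cf
              mountPath: /tmp/docker-mailserver/postfix-accounts.cf
              readOnly: true
            # PVCs
            - name: data
              mountPath: /var/mail
              subPath: data
              readOnly: false
            - name: data
              mountPath: /var/mail-state
              subPath: state
              readOnly: false
            - name: data
              mountPath: /var/log/mail
              subPath: log
              readOnly: false
            # certificates
            - name: certificates-rsa
              mountPath: /secrets/ssl/rsa/
              readOnly: true
            # other
            - name: tmp-files
              mountPath: /tmp
              readOnly: false
            - name: config
              subPath: postfix-main.cf
              mountPath: /tmp/docker-mailserver/postfix-main.cf
              readOnly: true
            - name: config
              subPath: postfix-master.cf
              mountPath: /tmp/docker-mailserver/postfix-master.cf
              readOnly: true
            - name: config
              subPath: dovecot.cf
              mountPath: /tmp/docker-mailserver/dovecot.cf
              readOnly: true
          ports:
            - name: transfer
              containerPort: 25
              protocol: TCP
            - name: esmtp-implicit
              containerPort: 465
              protocol: TCP
            # protocol was missing only on this entry; TCP is the default, stated for
            # consistency with the other ports.
            - name: esmtp-explicit
              containerPort: 587
              protocol: TCP
            - name: imap-implicit
              containerPort: 993
              protocol: TCP
            - name: imap
              containerPort: 143
              protocol: TCP
            - name: pop3
              containerPort: 110
              protocol: TCP
            - name: pop3s
              containerPort: 995
              protocol: TCP
          envFrom:
            - configMapRef:
                name: mailserver.environment
          # Explicit `env` entries take precedence over `envFrom`, which is why the bind
          # password lives in a Secret and stays out of the ConfigMap above.
          env:
            - name: LDAP_BIND_PW
              valueFrom:
                secretKeyRef:
                  name: mailserver-ldap
                  key: pw
      restartPolicy: Always
      volumes:
        # configuration files
        - name: files
          configMap:
            name: mailserver.files
        - name: config
          configMap:
            name: mailserver.config
        # PVCs
        - name: data
          persistentVolumeClaim:
            claimName: data
        # certificates
        - name: certificates-rsa
          secret:
            secretName: docker-mailserver-tls
            items:
              - key: tls.key
                path: tls.key
              - key: tls.crt
                path: tls.crt
        # other
        - name: tmp-files
          emptyDir: {}
---
apiVersion: v1
kind: Service
metadata:
  name: docker-mailserver
  namespace: mail
spec:
  # IPv6 literals are quoted: a plain scalar of digits and colons can be read as a
  # sexagesimal number by YAML 1.1 parsers.
  clusterIP: '2001:470:72f0:f:1::50'
  clusterIPs:
    - '2001:470:72f0:f:1::50'
    - 10.0.91.50
  ipFamilies:
    - IPv6
    - IPv4
  #ipFamilyPolicy: SingleStack
  ipFamilyPolicy: PreferDualStack
  ports:
    # Transfer
    - name: transfer
      port: 25
      targetPort: transfer
      protocol: TCP
    # ESMTP with implicit TLS
    - name: esmtp-implicit
      port: 465
      targetPort: esmtp-implicit
      protocol: TCP
    # ESMTP with explicit TLS (STARTTLS)
    - name: esmtp-explicit
      port: 587
      targetPort: esmtp-explicit
      protocol: TCP
    # IMAPS with implicit TLS
    - name: imap-implicit
      port: 993
      targetPort: imap-implicit
      protocol: TCP
    - name: imap
      port: 143
      targetPort: imap
      protocol: TCP
    - name: pop3
      port: 110
      targetPort: pop3
      protocol: TCP
    - name: pop3s
      port: 995
      targetPort: pop3s
      protocol: TCP
  selector:
    app: docker-mailserver
  #sessionAffinity: None
  type: ClusterIP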