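---
# Environment for the docker-mailserver container (consumed via envFrom in the
# Deployment). ConfigMap values are always strings, hence the quoted '0'/'1' flags.
apiVersion: v1
kind: ConfigMap
metadata:
  name: mailserver.environment
  namespace: mail
immutable: false
data:
  TLS_LEVEL: modern
  POSTSCREEN_ACTION: drop
  OVERRIDE_HOSTNAME: mail.undercloud.cf
  FAIL2BAN_BLOCKTYPE: drop
  POSTMASTER_ADDRESS: postmaster@undercloud.cf
  UPDATE_CHECK_INTERVAL: 10d
  # quoted so the comma-separated list stays one plain string
  POSTFIX_INET_PROTOCOLS: 'ipv6, ipv4'
  ONE_DIR: '0'
  ENABLE_CLAMAV: '0'
  ENABLE_POSTGREY: '0'
  ENABLE_FAIL2BAN: '1'
  AMAVIS_LOGLEVEL: '-1'
  # defined once: this key used to appear twice in the mapping (same value);
  # duplicate keys are invalid YAML and most parsers silently keep the last one
  SPOOF_PROTECTION: '1'
  MOVE_SPAM_TO_JUNK: '1'
  ENABLE_UPDATE_CHECK: '1'
  ENABLE_SPAMASSASSIN: '1'
  SUPERVISOR_LOGLEVEL: warn
  SPAMASSASSIN_SPAM_TO_INBOX: '1'
  # verbose container logging; consider '0' once the deployment is stable
  DMS_DEBUG: '1'
  ENABLE_POP3: '1'

  # SSL: cert and key are provided by the 'certificates-rsa' secret volume,
  # which the Deployment mounts at /secrets/ssl/rsa/
  SSL_TYPE: manual
  SSL_CERT_PATH: /secrets/ssl/rsa/tls.crt
  SSL_KEY_PATH: /secrets/ssl/rsa/tls.key

  # LDAP
  ACCOUNT_PROVISIONER: LDAP
  LDAP_SERVER_HOST: ldap.undercloud.cf
  LDAP_SEARCH_BASE: dc=undercloud,dc=cf
  LDAP_BIND_DN: cn=mailserver,ou=serviceaccounts,ou=users,dc=undercloud,dc=cf
  # LDAP_BIND_PW is injected from the 'mailserver-ldap' Secret by the
  # Deployment's env block; never put it in this ConfigMap.
  #LDAP_BIND_PW: 'mypassword' # from secret

  # filters quoted: they contain '*' and '|', which are YAML indicators
  LDAP_QUERY_FILTER_DOMAIN: '(|(mail=*@%s)(mailAlias=*@%s)(mailGroupMember=*@%s))'
  LDAP_QUERY_FILTER_USER: '(&(objectClass=inetOrgPerson)(mail=%s))'
  LDAP_QUERY_FILTER_ALIAS: '(&(objectClass=inetOrgPerson)(mailAlias=%s))'
  LDAP_QUERY_FILTER_GROUP: '(&(objectClass=groupOfUniqueNames)(mail=%s))'
  LDAP_QUERY_FILTER_SENDERS: '(&(objectClass=inetOrgPerson)(|(mail=%s)))'

  DOVECOT_PASS_ATTRS: uid=user,userPassword=password
  # gidNumber is fixed to 5000 to match runAsGroup/fsGroup in the Deployment
  #DOVECOT_USER_ATTRS: home=/var/mail/%{ldap:uid},=mail=maildir:~/Maildir,uidNumber=uid,gidNumber=gid
  DOVECOT_USER_ATTRS: '=home=/var/mail/%{ldap:uid},=mail=maildir:~/Maildir,uidNumber=uid,gidNumber=5000'
  DOVECOT_USER_FILTER: '(&(objectClass=person)(|(mail=%u)(uid=%u)))'

  SASLAUTHD_MECHANISMS: rimap
  SASLAUTHD_MECH_OPTIONS: '::1'

  # NOTE(review): with these three left commented, the bind above and every
  # Dovecot/saslauthd lookup reach ldap.undercloud.cf without TLS unless the
  # host itself only offers ldaps; the bind password and user credentials
  # would then cross the network in cleartext. Confirm before going live.
  #LDAP_START_TLS: 'yes'
  #DOVECOT_TLS: 'yes'
  #SASLAUTHD_LDAP_START_TLS: 'yes'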
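---
# Static files the Deployment mounts into /tmp/docker-mailserver/ by subPath
# (volume 'files').
apiVersion: v1
kind: ConfigMap
metadata:
  name: mailserver.files
  namespace: mail
# explicit empty map: a bare 'data:' parses as null, not as "no entries"
data: {}
# Accounts are provisioned from LDAP (ACCOUNT_PROVISIONER in
# mailserver.environment), so postfix-accounts.cf is not provided here. The
# Deployment still mounts that key by subPath; with no such key the mount
# yields no file (most likely an empty directory at the mountPath — confirm).
# If the file is ever enabled, keep the crypt hashes out of this manifest and
# serve it from a Secret instead; the entry format is:
#
#   postfix-accounts.cf: |
#     user@undercloud.cf|{SHA512-CRYPT}<hash-placeholder>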
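---
# Optional postfix/dovecot overrides; the Deployment mounts postfix-main.cf,
# postfix-master.cf and dovecot.cf from here by subPath (volume 'config').
apiVersion: v1
kind: ConfigMap
metadata:
  name: mailserver.config
  namespace: mail
  labels:
    app: docker-mailserver
# explicit empty map (the original omitted 'data' entirely). Until these keys
# exist the three subPath mounts in the Deployment provide nothing — most
# likely an empty directory at each mountPath; confirm on the cluster.
data: {}
# Example, PROXY protocol from an ingress in front of the pod. Move the
# entries under 'data:' to enable.
# NOTE(review): every address in haproxy_trusted_networks may assert any
# client IP, and postscreen / fail2ban act on that asserted IP. Keep the
# range as narrow as the ingress controller allows rather than a whole /8.
#  postfix-main.cf: |
#    postscreen_upstream_proxy_protocol = haproxy
#  postfix-master.cf: |
#    smtp/inet/postscreen_upstream_proxy_protocol=haproxy
#    submission/inet/smtpd_upstream_proxy_protocol=haproxy
#    smtps/inet/smtpd_upstream_proxy_protocol=haproxy
#  dovecot.cf: |
#    # Assuming your ingress controller is bound to 10.0.0.0/8
#    haproxy_trusted_networks = 10.0.0.0/8, 127.0.0.0/8, 2001:470:72f0::/48, fd00::/48
#    service imap-login {
#      inet_listener imap {
#        haproxy = yes
#      }
#      inet_listener imaps {
#        haproxy = yes
#      }
#    }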
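---
# CephFS-backed class (rook-ceph CSI) for the mail data PVC.
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: docker-mailserver
# Change "rook-ceph" provisioner prefix to match the operator namespace if needed
provisioner: rook-ceph.cephfs.csi.ceph.com
parameters:
  # clusterID is the namespace where the rook cluster is running
  # If you change this namespace, also change the namespace below where the secret namespaces are defined
  clusterID: rook-ceph

  # CephFS filesystem name into which the volume shall be created
  fsName: docker-mailserver

  # Ceph pool into which the volume shall be created
  # Required for provisionVolume: "true"
  pool: docker-mailserver-replicated

  # The secrets contain Ceph admin credentials. These are generated automatically by the operator
  # in the same namespace as the cluster.
  csi.storage.k8s.io/provisioner-secret-name: rook-csi-cephfs-provisioner
  csi.storage.k8s.io/provisioner-secret-namespace: rook-ceph
  csi.storage.k8s.io/controller-expand-secret-name: rook-csi-cephfs-provisioner
  csi.storage.k8s.io/controller-expand-secret-namespace: rook-ceph
  csi.storage.k8s.io/node-stage-secret-name: rook-csi-cephfs-node
  csi.storage.k8s.io/node-stage-secret-namespace: rook-ceph

# The controller-expand secret above is only consulted when expansion is
# enabled; without this flag a PVC resize request is rejected.
allowVolumeExpansion: true
# Delete removes the CephFS subvolume (every mailbox) together with the PVC;
# switch to Retain if that data must survive an accidental PVC deletion.
reclaimPolicy: Delete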
---
# Shared mail volume; the Deployment carves data/, state/ and log/ out of it
# by subPath.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: data
  namespace: mail
spec:
  storageClassName: docker-mailserver
  # CephFS supports RWX; the Deployment still runs a single replica
  accessModes: [ReadWriteMany]
  resources:
    requests:
      # 25G is decimal (25 * 10^9 bytes), not 25Gi
      storage: 25G
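---
# The mail server pod: runs as root on purpose (see the kube-linter ignores),
# with capabilities narrowed to what docker-mailserver needs.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: docker-mailserver
  namespace: mail
  annotations:
    ignore-check.kube-linter.io/run-as-non-root: >-
      'mailserver' needs to run as root
    ignore-check.kube-linter.io/privileged-ports: >-
      'mailserver' needs privilegdes ports
    ignore-check.kube-linter.io/no-read-only-root-fs: >-
      There are too many files written to make The
      root FS read-only
spec:
  replicas: 1
  # A single mail server must own /var/mail exclusively. Recreate stops the
  # old pod before starting the new one; the default RollingUpdate would
  # briefly run two pods against the same RWX volume.
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: docker-mailserver
  template:
    metadata:
      labels:
        app: docker-mailserver
      #annotations:
      #  container.apparmor.security.beta.kubernetes.io/docker-mailserver: runtime/default
    spec:
      securityContext:
        runAsUser: 0
        # 5000 matches gidNumber in DOVECOT_USER_ATTRS (mailserver.environment)
        runAsGroup: 5000
        fsGroup: 5000
      hostname: mail
      #initContainers:
      #  - name: changeowner
      #    image: busybox
      #    command: ["sh", "-c", "chmod +w /var/mail"]
      #    volumeMounts:
      #      - name: data
      #        mountPath: /var/mail
      #        subPath: data
      #        readOnly: false
      containers:
        - name: docker-mailserver
          # TODO(review): pin a release tag or an @sha256 digest. A mutable
          # ':latest' combined with IfNotPresent means each node keeps whatever
          # it pulled first, so a restart on another node can run a different image.
          image: docker.io/mailserver/docker-mailserver:latest
          imagePullPolicy: IfNotPresent
          securityContext:
            allowPrivilegeEscalation: true
            readOnlyRootFilesystem: false
            runAsUser: 0
            runAsGroup: 5000
            runAsNonRoot: false
            # privileged: true would grant every capability plus host device
            # access and run the container without seccomp, silently overriding
            # the drop/add list and the seccompProfile below. The explicit
            # capabilities are what fail2ban and the mail daemons need.
            privileged: false
            capabilities:
              add:
                # file permission capabilities
                - CHOWN
                - FOWNER
                - MKNOD
                - SETGID
                - SETUID
                - DAC_OVERRIDE
                # network capabilities
                - NET_ADMIN # needed for F2B
                - NET_RAW # needed for F2B
                - NET_BIND_SERVICE
                # miscellaneous capabilities
                - SYS_CHROOT
                - KILL
              drop: [ALL]
            seccompProfile:
              type: RuntimeDefault
          # You want to tune this to your needs. If you disable ClamAV,
          # you can use less RAM and CPU. This becomes important in
          # case you're low on resources and Kubernetes refuses to
          # schedule new pods.
          resources:
            limits:
              memory: 2Gi
              cpu: 1500m
            requests:
              memory: 500Mi
              cpu: 600m
          volumeMounts:
            # ConfigMap files by subPath. Note: subPath mounts are not
            # refreshed when the ConfigMap changes; the pod must be restarted.
            # The referenced keys must exist in the ConfigMap for a file to appear.
            - name: files
              subPath: postfix-accounts.cf
              mountPath: /tmp/docker-mailserver/postfix-accounts.cf
              readOnly: true
            # PVCs
            - name: data
              mountPath: /var/mail
              subPath: data
              readOnly: false
            - name: data
              mountPath: /var/mail-state
              subPath: state
              readOnly: false
            - name: data
              mountPath: /var/log/mail
              subPath: log
              readOnly: false
            # certificates (paths match SSL_CERT_PATH / SSL_KEY_PATH)
            - name: certificates-rsa
              mountPath: /secrets/ssl/rsa/
              readOnly: true
            # other
            - name: tmp-files
              mountPath: /tmp
              readOnly: false

            - name: config
              subPath: postfix-main.cf
              mountPath: /tmp/docker-mailserver/postfix-main.cf
              readOnly: true
            - name: config
              subPath: postfix-master.cf
              mountPath: /tmp/docker-mailserver/postfix-master.cf
              readOnly: true
            - name: config
              subPath: dovecot.cf
              mountPath: /tmp/docker-mailserver/dovecot.cf
              readOnly: true
          # names are referenced by targetPort in the Service
          ports:
            - name: transfer
              containerPort: 25
              protocol: TCP
            - name: esmtp-implicit
              containerPort: 465
              protocol: TCP
            - name: esmtp-explicit
              containerPort: 587
              # TCP is the default; stated explicitly like the other entries
              protocol: TCP
            - name: imap-implicit
              containerPort: 993
              protocol: TCP
            - name: imap
              containerPort: 143
              protocol: TCP
            - name: pop3
              containerPort: 110
              protocol: TCP
            - name: pop3s
              containerPort: 995
              protocol: TCP
          envFrom:
            - configMapRef:
                name: mailserver.environment
          env:
            # the LDAP bind password is sourced from a Secret, not the ConfigMap
            - name: LDAP_BIND_PW
              valueFrom:
                secretKeyRef:
                  name: mailserver-ldap
                  key: pw
      restartPolicy: Always
      volumes:
        # configuration files
        - name: files
          configMap:
            name: mailserver.files
        - name: config
          configMap:
            name: mailserver.config
        # PVCs
        - name: data
          persistentVolumeClaim:
            claimName: data
        # certificates
        - name: certificates-rsa
          secret:
            secretName: docker-mailserver-tls
            items:
              - key: tls.key
                path: tls.key
              - key: tls.crt
                path: tls.crt

        # other
        - name: tmp-files
          emptyDir: {}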
---
# Cluster-internal endpoint for the mail pod. Every targetPort refers to a
# named containerPort of the Deployment.
apiVersion: v1
kind: Service
metadata:
  name: docker-mailserver
  namespace: mail
spec:
  type: ClusterIP
  selector:
    app: docker-mailserver
  #sessionAffinity: None
  # dual-stack with IPv6 as the primary family
  ipFamilyPolicy: PreferDualStack
  #ipFamilyPolicy: SingleStack
  ipFamilies:
    - IPv6
    - IPv4
  # the IPv6 literal is quoted because of the colons
  clusterIP: '2001:470:72f0:f:1::50'
  clusterIPs:
    - '2001:470:72f0:f:1::50'
    - 10.0.91.50
  ports:
    - name: transfer  # SMTP transfer
      port: 25
      targetPort: transfer
      protocol: TCP
    - name: esmtp-implicit  # ESMTP with implicit TLS
      port: 465
      targetPort: esmtp-implicit
      protocol: TCP
    - name: esmtp-explicit  # ESMTP with explicit TLS (STARTTLS)
      port: 587
      targetPort: esmtp-explicit
      protocol: TCP
    - name: imap-implicit  # IMAPS with implicit TLS
      port: 993
      targetPort: imap-implicit
      protocol: TCP
    - name: imap
      port: 143
      targetPort: imap
      protocol: TCP
    - name: pop3
      port: 110
      targetPort: pop3
      protocol: TCP
    - name: pop3s
      port: 995
      targetPort: pop3s
      protocol: TCP