---
# Environment for the docker-mailserver Deployment in this file. Every key is
# injected through envFrom/configMapRef, so numeric-looking values are quoted
# to keep them strings.
apiVersion: v1
kind: ConfigMap
metadata:
  name: mailserver.environment
  namespace: mail
immutable: false
data:
  OVERRIDE_HOSTNAME: mail.undercloud.dev
  POSTMASTER_ADDRESS: postmaster@undercloud.dev

  # TLS material is read from the Secret that the Deployment mounts read-only
  # at /secrets/ssl/rsa; these two paths must match that volumeMount.
  TLS_LEVEL: modern
  SSL_TYPE: manual
  SSL_CERT_PATH: /secrets/ssl/rsa/tls.crt
  SSL_KEY_PATH: /secrets/ssl/rsa/tls.key

  # NOTE(review): the documented values for these are all / ipv4 / ipv6 —
  # confirm the pinned image accepts a comma-separated list before relying
  # on the dual-stack listeners this is meant to produce.
  POSTFIX_INET_PROTOCOLS: ipv6, ipv4
  DOVECOT_INET_PROTOCOLS: ipv6, ipv4

  # NOTE(review): ONE_DIR has been deprecated in newer images — check the
  # changelog of the pinned tag; the key may simply be ignored.
  ONE_DIR: "0"
  # Debug logging is enabled; it is verbose. Set to "0" once the deployment
  # is stable so /var/log/mail stays reviewable.
  DMS_DEBUG: "1"
  SUPERVISOR_LOGLEVEL: warn

  # Must agree with runAsGroup/fsGroup (5000) in the Deployment and with the
  # uid/gid in DOVECOT_USER_ATTRS below, or mail on the shared PVC becomes
  # unreadable.
  DMS_VMAIL_UID: "5000"
  DMS_VMAIL_GID: "5000"

  # Feature toggles. ClamAV is off (no malware scanning of inbound mail);
  # POP3 is on, which adds the plaintext-capable port 110 to the exposure.
  ENABLE_CLAMAV: "0"
  ENABLE_POSTGREY: "0"
  # fail2ban manipulates the firewall and is why the container is granted
  # NET_ADMIN/NET_RAW in the Deployment.
  ENABLE_FAIL2BAN: "1"
  ENABLE_SPAMASSASSIN: "1"
  ENABLE_POP3: "1"
  ENABLE_UPDATE_CHECK: "1"

  AMAVIS_LOGLEVEL: "-1"
  UPDATE_CHECK_INTERVAL: 10d
  # Both postscreen and fail2ban act on the connecting client's IP; they only
  # protect anything if whatever sits in front of the Service preserves
  # source addresses instead of rewriting them to a proxy address.
  POSTSCREEN_ACTION: drop
  FAIL2BAN_BLOCKTYPE: drop
  SPOOF_PROTECTION: "1"
  MOVE_SPAM_TO_JUNK: "1"
  SPAMASSASSIN_SPAM_TO_INBOX: "1"

  # Accounts are provisioned from a directory (sAMAccountName attributes
  # below indicate Active Directory). The bind password is NOT here — it is
  # supplied as LDAP_BIND_PW from the mailserver-ldap Secret.
  #
  # SECURITY: ldap:// on 389 is an unencrypted transport. The bind password
  # and every Dovecot lookup/bind cross the cluster network in the clear
  # unless STARTTLS is negotiated. Prefer ldaps:// or enable the image's
  # LDAP_START_TLS / DOVECOT_TLS settings (confirm names for the pinned tag).
  ACCOUNT_PROVISIONER: LDAP
  LDAP_SERVER_HOST: ldap://dc.undercloud.local:389
  LDAP_SEARCH_BASE: DC=undercloud,DC=local
  LDAP_BIND_DN: CN=mailserver,OU=serviceaccounts,OU=users,OU=Undercloud,DC=undercloud,DC=local

  # Postfix lookups: %s is replaced with the queried domain/address.
  # Domains are accepted when any object carries a mail, mailAlias or
  # mailGroupMember address at that domain.
  LDAP_QUERY_FILTER_DOMAIN: (|(mail=*@%s)(mailAlias=*@%s)(mailGroupMember=*@%s))
  LDAP_QUERY_FILTER_USER: (&(objectClass=person)(mail=%s))
  LDAP_QUERY_FILTER_ALIAS: (&(objectClass=person)(mailAlias=%s))
  LDAP_QUERY_FILTER_GROUP: (&(objectClass=groupOfUniqueNames)(mail=%s))
  LDAP_QUERY_FILTER_SENDERS: (&(objectClass=person)(|(mail=%s)(mailAlias=%s)))

  # Dovecot passdb/userdb. Logins are accepted by mail address (%u) or by
  # account name (%n); mailboxes live under /var/mail/<sAMAccountName>.
  # NOTE(review): Active Directory does not return userPassword to clients,
  # so the userPassword mapping presumably relies on bind authentication —
  # confirm the image's DOVECOT_AUTH_BIND setting is in effect.
  DOVECOT_PASS_ATTRS: sAMAccountName=user,userPassword=password
  DOVECOT_USER_ATTRS: =home=/var/mail/%{ldap:sAMAccountName},=mail=maildir:~/Maildir,=uid=5000,=gid=5000
  DOVECOT_USER_FILTER: (&(objectClass=person)(|(mail=%u)(sAMAccountName=%n)))
  DOVECOT_PASS_FILTER: (&(objectClass=person)(|(mail=%u)(sAMAccountName=%n)))

---
# Backing store for the Deployment's /var/mail, /var/mail-state and
# /var/log/mail mounts (a single claim, split by subPath).
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: data
  namespace: mail
spec:
  # NOTE(review): ReadWriteMany lets more than one pod attach this claim,
  # which is never wanted for a single-replica mail server; keep it only if
  # the storage class cannot provide ReadWriteOnce.
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 25Gi
  storageClassName: cephfs-hyper

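---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: docker-mailserver
  namespace: mail
  annotations:
    # kube-linter exemptions; each states why the hardening check cannot
    # apply to this workload.
    ignore-check.kube-linter.io/run-as-non-root: >-
      mailserver needs to run as root
    ignore-check.kube-linter.io/privileged-ports: >-
      mailserver needs privileged ports
    ignore-check.kube-linter.io/no-read-only-root-fs: >-
      mailserver writes to multiple paths
spec:
  replicas: 1
  # Recreate instead of the default RollingUpdate: with one replica and a
  # ReadWriteMany claim, a rolling rollout would briefly run the old and the
  # new pod against the same /var/mail and /var/mail-state, risking corrupted
  # mailbox and queue state.
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: docker-mailserver
  template:
    metadata:
      labels:
        app: docker-mailserver
    spec:
      # Nothing in the image needs the Kubernetes API; do not mount a
      # service-account token into a container that runs as root and serves
      # mail protocols to untrusted clients.
      automountServiceAccountToken: false
      securityContext:
        # Root is required by the image (see the kube-linter annotation).
        # Group/fsGroup 5000 match DMS_VMAIL_UID/GID in the ConfigMap so
        # files on the shared PVC are accessible to the mail daemons.
        runAsUser: 0
        runAsGroup: 5000
        fsGroup: 5000
      hostname: mail
      containers:
        - name: docker-mailserver
          # Pinned tag. For a stronger supply-chain guarantee pin by digest
          # (image@sha256:<digest>) so a moved tag cannot silently change
          # what is deployed.
          image: ghcr.io/docker-mailserver/docker-mailserver:15.2.2
          imagePullPolicy: IfNotPresent
          securityContext:
            # NOTE(review): with runAsUser 0 this mainly matters for setuid /
            # setgid helpers inside the image; confirm it is still required
            # before switching it to false.
            allowPrivilegeEscalation: true
            readOnlyRootFilesystem: false
            runAsUser: 0
            runAsGroup: 5000
            runAsNonRoot: false
            privileged: false
            capabilities:
              # Start from an empty set and add back only what is needed.
              # NET_ADMIN and NET_RAW serve fail2ban's firewall rules
              # (ENABLE_FAIL2BAN="1" in the ConfigMap) and can be dropped if
              # fail2ban is disabled. The remainder are presumably for the
              # postfix/dovecot daemons (chroot, privilege separation, file
              # ownership) — confirm against the image docs before trimming.
              drop: ["ALL"]
              add:
                - CHOWN
                - FOWNER
                - MKNOD
                - SETGID
                - SETUID
                - DAC_OVERRIDE
                - NET_ADMIN
                - NET_RAW
                - NET_BIND_SERVICE
                - SYS_CHROOT
                - KILL
            seccompProfile:
              type: RuntimeDefault
          resources:
            limits:
              memory: 2Gi
              cpu: 1500m
            requests:
              memory: 500Mi
              cpu: 600m
          envFrom:
            - configMapRef:
                name: mailserver.environment
          env:
            # The only secret value; everything else comes from the ConfigMap.
            - name: LDAP_BIND_PW
              valueFrom:
                secretKeyRef:
                  name: mailserver-ldap
                  key: pw
          # No liveness/readiness probes are defined: a wedged daemon keeps
          # receiving Service traffic until the pod is replaced by hand.
          ports:
            - name: smtp
              containerPort: 25
              protocol: TCP
            - name: smtps
              containerPort: 465
              protocol: TCP
            - name: submission
              containerPort: 587
              protocol: TCP
            - name: imaps
              containerPort: 993
              protocol: TCP
            - name: imap
              containerPort: 143
              protocol: TCP
            - name: pop3
              containerPort: 110
              protocol: TCP
            - name: pop3s
              containerPort: 995
              protocol: TCP
          volumeMounts:
            # One PVC, split into three directories via subPath.
            - name: data
              mountPath: /var/mail
              subPath: data
            - name: data
              mountPath: /var/mail-state
              subPath: state
            - name: data
              mountPath: /var/log/mail
              subPath: log
            # TLS key and certificate, read-only; paths match SSL_CERT_PATH
            # and SSL_KEY_PATH in the ConfigMap.
            - name: certificates-rsa
              mountPath: /secrets/ssl/rsa
              readOnly: true
            # Scratch space on a pod-local emptyDir rather than the PVC.
            - name: tmp-files
              mountPath: /tmp
      restartPolicy: Always
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: data
        - name: certificates-rsa
          secret:
            secretName: docker-mailserver-tls
            # Only the two files the image reads are projected.
            items:
              - key: tls.key
                path: tls.key
              - key: tls.crt
                path: tls.crt
        - name: tmp-files
          emptyDir: {}
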
---
apiVersion: v1
kind: Service
metadata:
  name: docker-mailserver
  namespace: mail
spec:
  # Dual-stack ClusterIP, IPv6 listed first.
  ipFamilyPolicy: PreferDualStack
  ipFamilies:
    - IPv6
    - IPv4
  # Each port targets the Deployment's container port of the same name.
  # 25, 143 and 110 are the plaintext-capable listeners; 465, 993 and 995
  # are TLS-wrapped, 587 is submission.
  ports:
    - name: smtp
      port: 25
      targetPort: smtp
      protocol: TCP
    - name: smtps
      port: 465
      targetPort: smtps
      protocol: TCP
    - name: submission
      port: 587
      targetPort: submission
      protocol: TCP
    - name: imaps
      port: 993
      targetPort: imaps
      protocol: TCP
    - name: imap
      port: 143
      targetPort: imap
      protocol: TCP
    - name: pop3
      port: 110
      targetPort: pop3
      protocol: TCP
    - name: pop3s
      port: 995
      targetPort: pop3s
      protocol: TCP
  selector:
    app: docker-mailserver
  # ClusterIP only. Whatever exposes this outside the cluster (LoadBalancer,
  # NodePort, proxy — not part of this file) must preserve client source IPs,
  # otherwise postscreen and fail2ban (both enabled in the ConfigMap) act on
  # the proxy's address instead of the sender's.
  type: ClusterIP