# Non-secret runtime environment for docker-mailserver, injected with envFrom
# by the Deployment in this file. Bind passwords are deliberately absent:
# LDAP_BIND_PW and SASLAUTHD_LDAP_PASSWORD come from Secret `mailserver-ldap`.
apiVersion: v1
kind: ConfigMap
metadata:
  name: mailserver.environment
  namespace: mail
# Mutable on purpose: edits are picked up by the next pod restart.
immutable: false
data:
  # Hostname the server announces (HELO/EHLO, greeting banners).
  OVERRIDE_HOSTNAME: "mail.apps.undercloud.dev"
  # Operator-managed certificate; the Deployment mounts Secret
  # `docker-mailserver-tls` read-only at /secrets/ssl/rsa.
  SSL_TYPE: "manual"
  SSL_CERT_PATH: "/secrets/ssl/rsa/tls.crt"
  SSL_KEY_PATH: "/secrets/ssl/rsa/tls.key"
  # Accounts, aliases and domains are resolved from AD over LDAPS (636).
  # NOTE(review): the Dovecot override file (dovecot-ldap-config) points at
  # dc1.undercloud.local over STARTTLS instead - confirm which DC and transport
  # are intended and make the two agree.
  ACCOUNT_PROVISIONER: "LDAP"
  LDAP_SERVER_HOST: "ldaps://dc.undercloud.local:636"
  LDAP_SEARCH_BASE: "OU=Undercloud,DC=undercloud,DC=local"
  # Lookup service account; its password is key `pw` of Secret mailserver-ldap.
  LDAP_BIND_DN: "CN=mailserver,OU=serviceaccounts,OU=users,OU=Undercloud,DC=undercloud,DC=local"
  # Postfix lookup filters; %s is the address being resolved.
  LDAP_QUERY_FILTER_USER: "(mail=%s)"
  LDAP_QUERY_FILTER_GROUP: "(mail=%s)"
  LDAP_QUERY_FILTER_ALIAS: "(proxyAddresses=smtp:%s)"
  LDAP_QUERY_FILTER_DOMAIN: "(mail=*@%s)"
  # SECURITY: "never" disables verification of the DC's TLS certificate, so the
  # bind password is sent to whoever answers for dc.undercloud.local:636 - an
  # on-path attacker can impersonate the DC. Ship the AD CA into the container
  # (e.g. OpenLDAP client ldap.conf TLS_CACERT) and set this to "demand".
  # saslauthd has its own peer-check setting, which is not configured here.
  LDAP_TLS_REQCERT: "never"
  # Dovecot filters; %n is the local part of the login name.
  DOVECOT_PASS_FILTER: "(&(objectClass=user)(sAMAccountName=%n))"
  DOVECOT_USER_FILTER: "(&(objectClass=user)(sAMAccountName=%n))"
  # SMTP AUTH via saslauthd against the same AD with the same bind account
  # (password from SASLAUTHD_LDAP_PASSWORD in the Deployment env).
  ENABLE_SASLAUTHD: "1"
  SASLAUTHD_MECHANISMS: "ldap"
  SASLAUTHD_LDAP_SERVER: "ldaps://dc.undercloud.local:636"
  SASLAUTHD_LDAP_BIND_DN: "CN=mailserver,OU=serviceaccounts,OU=users,OU=Undercloud,DC=undercloud,DC=local"
  SASLAUTHD_LDAP_SEARCH_BASE: "OU=Undercloud,DC=undercloud,DC=local"
  SASLAUTHD_LDAP_FILTER: "(&(sAMAccountName=%U)(objectClass=person))"
  # NOTE(review): localhost.localdomain looks like a placeholder - bounces and
  # abuse/postmaster mail need a monitored mailbox in a served domain.
  POSTMASTER_ADDRESS: "postmaster@localhost.localdomain"
---
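# Dovecot LDAP override, mounted over /etc/dovecot/dovecot-ldap.conf.ext by the
# Deployment below. It carries the bind password inline (`dnpass`), so it is a
# Secret rather than a ConfigMap: read access to ConfigMaps is commonly granted
# far more widely than to Secrets, and ConfigMaps print in plain text.
# SECURITY: the literal below is still committed to this manifest. Rotate the
# mailserver service-account password (it has been in VCS history) and keep the
# new value out of plain-text source control (encrypted-at-rest or externally
# sourced Secret). Secret `mailserver-ldap` key `pw` presumably holds the same
# password for Postfix/saslauthd - rotate both together. After applying, delete
# the old ConfigMap of the same name, which still contains the password.
apiVersion: v1
kind: Secret
metadata:
  name: dovecot-ldap-config
  namespace: mail
type: Opaque
stringData:
  dovecot-ldap.conf.ext: |
    # NOTE(review): mailserver.environment uses ldaps://dc.undercloud.local:636;
    # this file talks to dc1 and upgrades the plain port with STARTTLS
    # (tls = yes). Use one host and one transport for both.
    hosts = dc1.undercloud.local
    dn = CN=mailserver,OU=serviceaccounts,OU=users,OU=Undercloud,DC=undercloud,DC=local
    dnpass = 1thisismySECURELDAPPWmailserver
    ldap_version = 3
    base = OU=Undercloud,DC=undercloud,DC=local
    scope = subtree
    # 🔥 disable cert verification
    # SECURITY: with tls_require_cert = never the DC certificate is not checked,
    # so dnpass and every user password forwarded by auth_bind can be captured
    # by anyone able to answer for dc1.undercloud.local. Add
    # tls_ca_cert_file = <AD CA bundle> and set this to demand.
    tls = yes
    tls_require_cert = never
    # auth via bind (Samba AD style)
    auth_bind = yes
    user_filter = (&(objectClass=user)(sAMAccountName=%n))
    pass_filter = (&(objectClass=user)(sAMAccountName=%n))
    pass_attrs = sAMAccountName=user
    user_attrs = =home=/var/mail/%{ldap:sAMAccountName},=mail=maildir:~/Maildir,=uid=5000,=gid=5000
---
# Mail spool, Postfix/Dovecot state and logs share one CephFS volume; the
# Deployment mounts it three times with subPath data/state/log.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: data
  namespace: mail
spec:
  # RWX only matters if more than one pod mounts the claim at once; the
  # Deployment runs a single replica.
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 25Gi
  storageClassName: cephfs-hyper
---
# Single-replica docker-mailserver pod. It has to run as root and bind
# privileged ports, hence the kube-linter suppressions; everything else in the
# container security context stays as tight as that allows (not privileged,
# all capabilities dropped except the listed ones, runtime default seccomp).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: docker-mailserver
  namespace: mail
  annotations:
    ignore-check.kube-linter.io/run-as-non-root: >-
      mailserver needs to run as root
    ignore-check.kube-linter.io/privileged-ports: >-
      mailserver needs privileged ports
    ignore-check.kube-linter.io/no-read-only-root-fs: >-
      mailserver writes to multiple paths
spec:
  # Queue and state live on the shared volume (/var/mail-state); do not scale
  # out without rethinking that.
  replicas: 1
  selector:
    matchLabels:
      app: docker-mailserver
  template:
    metadata:
      labels:
        app: docker-mailserver
    spec:
      # Nothing in this pod needs the Kubernetes API; keep the service-account
      # token out of a root container that exposes several network listeners.
      automountServiceAccountToken: false
      securityContext:
        runAsUser: 0
        # Volumes are made group-accessible to gid 5000, the uid/gid Dovecot
        # assigns to mailboxes in dovecot-ldap.conf.ext.
        runAsGroup: 5000
        fsGroup: 5000
      hostname: mail
      containers:
        - name: docker-mailserver
          # SUPPLY CHAIN: no tag or digest, so this resolves to :latest and
          # each fresh node pulls whatever is current at the time. Pin a
          # release tag (ideally an @sha256 digest) so upgrades are deliberate.
          image: ghcr.io/docker-mailserver/docker-mailserver
          # With an untagged image, IfNotPresent also means a node keeps
          # running whichever :latest it cached first.
          imagePullPolicy: IfNotPresent
          securityContext:
            # NOTE(review): with runAsUser 0 this mostly affects setuid/setgid
            # helpers (e.g. Postfix postdrop); verify before setting it false.
            allowPrivilegeEscalation: true
            readOnlyRootFilesystem: false
            runAsUser: 0
            runAsGroup: 5000
            runAsNonRoot: false
            privileged: false
            capabilities:
              drop: ["ALL"]
              add:
                - CHOWN
                - FOWNER
                - MKNOD
                - SETGID
                - SETUID
                - DAC_OVERRIDE
                # NOTE(review): NET_ADMIN/NET_RAW are usually only needed for
                # fail2ban, which mailserver.environment does not enable (no
                # ENABLE_FAIL2BAN). Drop them if nothing else depends on them.
                - NET_ADMIN
                - NET_RAW
                - NET_BIND_SERVICE
                - SYS_CHROOT
                - KILL
            seccompProfile:
              type: RuntimeDefault
          resources:
            limits:
              memory: 2Gi
              cpu: 1500m
            requests:
              memory: 500Mi
              cpu: 600m
          envFrom:
            - configMapRef:
                name: mailserver.environment
          env:
            # Bind password of the CN=mailserver service account for the
            # Postfix LDAP tables and saslauthd; sourced from a Secret, never
            # from the ConfigMap.
            - name: LDAP_BIND_PW
              valueFrom:
                secretKeyRef:
                  name: mailserver-ldap
                  key: pw
            - name: SASLAUTHD_LDAP_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: mailserver-ldap
                  key: pw
          ports:
            # NOTE(review): 25/587/143/110 accept cleartext connections before
            # STARTTLS; whether authentication is refused without TLS is decided
            # by the image's Postfix/Dovecot policy, not here - confirm it is.
            - name: smtp
              containerPort: 25
              protocol: TCP
            - name: smtps
              containerPort: 465
              protocol: TCP
            - name: submission
              containerPort: 587
              protocol: TCP
            - name: imaps
              containerPort: 993
              protocol: TCP
            - name: imap
              containerPort: 143
              protocol: TCP
            # NOTE(review): ENABLE_POP3 is not set in mailserver.environment,
            # so 110/995 are probably not listening; drop them here and in the
            # Service if POP3 is not wanted.
            - name: pop3
              containerPort: 110
              protocol: TCP
            - name: pop3s
              containerPort: 995
              protocol: TCP
          volumeMounts:
            # One PVC, three sub-directories: mailboxes, server state, logs.
            - name: data
              mountPath: /var/mail
              subPath: data
            - name: data
              mountPath: /var/mail-state
              subPath: state
            - name: data
              mountPath: /var/log/mail
              subPath: log
            # TLS key/cert referenced by SSL_CERT_PATH/SSL_KEY_PATH.
            - name: certificates-rsa
              mountPath: /secrets/ssl/rsa
              readOnly: true
            - name: tmp-files
              mountPath: /tmp
            # Dovecot LDAP config with the bind password. Kubernetes does not
            # refresh subPath mounts in place: restart the pod after rotating.
            - name: dovecot-ldap
              mountPath: /etc/dovecot/dovecot-ldap.conf.ext
              subPath: dovecot-ldap.conf.ext
      restartPolicy: Always
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: data
        - name: certificates-rsa
          secret:
            secretName: docker-mailserver-tls
            items:
              - key: tls.key
                path: tls.key
              - key: tls.crt
                path: tls.crt
        - name: tmp-files
          emptyDir: {}
        # Sourced from the Secret of the same name (was a ConfigMap).
        # NOTE(review): defaultMode is left at the 0644 default because the
        # Dovecot auth process must still be able to read the file; tighten it
        # once the reading uid is confirmed.
        - name: dovecot-ldap
          secret:
            secretName: dovecot-ldap-config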
---
# Cluster-internal, dual-stack Service in front of the mailserver pod with
# fixed cluster IPs. It is type ClusterIP only, so any exposure beyond the
# cluster is not part of this manifest.
# NOTE(review): 25/143/110 (and 587) are STARTTLS listeners; make sure the
# server refuses plaintext authentication on them before publishing them.
apiVersion: v1
kind: Service
metadata:
  namespace: mail
  name: docker-mailserver
spec:
  type: ClusterIP
  selector:
    app: docker-mailserver
  # IPv6 is the primary family; the v4 address is the secondary ClusterIP.
  ipFamilyPolicy: PreferDualStack
  ipFamilies:
    - IPv6
    - IPv4
  clusterIP: "2001:470:7116:f:1::50"
  clusterIPs:
    - "2001:470:7116:f:1::50"
    - "10.0.91.50"
  # Service port == container port for every protocol; targets are the named
  # container ports of the Deployment.
  ports:
    - name: smtp
      protocol: TCP
      port: 25
      targetPort: smtp
    - name: smtps
      protocol: TCP
      port: 465
      targetPort: smtps
    - name: submission
      protocol: TCP
      port: 587
      targetPort: submission
    - name: imaps
      protocol: TCP
      port: 993
      targetPort: imaps
    - name: imap
      protocol: TCP
      port: 143
      targetPort: imap
    # POP3 is only useful if the pod actually enables it (ENABLE_POP3 is not
    # set in mailserver.environment).
    - name: pop3
      protocol: TCP
      port: 110
      targetPort: pop3
    - name: pop3s
      protocol: TCP
      port: 995
      targetPort: pop3s