diff --git a/charts/mok/Chart.yaml b/charts/mok/Chart.yaml
index 87bf6ee3483aef6aacf40cde0fc27f891b4f82eb..4d6a7bb5d4afc6549ffa06efde38da3b7a0c1b7a 100644
--- a/charts/mok/Chart.yaml
+++ b/charts/mok/Chart.yaml
@@ -3,7 +3,7 @@ name: mok
description: |
Mail on Kubernetes (MoK) is a project to deploy a functional mailserver that runs without a database server on Kubernetes, taking advantage of configmaps and secret.
type: application
-version: 0.2.0
+version: 0.3.0
sources:
- https://de.postfix.org/ftpmirror/index.html
- https://github.com/dovecot/core
diff --git a/charts/mok/README.md b/charts/mok/README.md
index 859672563f7c483ffcadb532454ecbfbbee5649d..9e168e817bf4f1d012b43eda10c3a72418325c33 100644
--- a/charts/mok/README.md
+++ b/charts/mok/README.md
@@ -1,6 +1,6 @@
# mok
- 
+ 
Mail on Kubernetes (MoK) is a project to deploy a functional mailserver that runs without a database server on Kubernetes, taking advantage of configmaps and secret.
@@ -60,6 +60,8 @@ Mail on Kubernetes (MoK) is a project to deploy a functional mailserver that run
| postfix.nodeSelector | object | `{}` | |
| postfix.podAnnotations | object | `{}` | |
| postfix.podSecurityContext | object | `{}` | |
+| postfix.postscreen.cidr | string | `"127.0.0.1/32"` | CIDR that is allowed to use Proxy protocol on port 10025 |
+| postfix.postscreen.enabled | bool | `false` | Enable proxy protocol support |
| postfix.replicaCount | int | `1` | Number of postfix pods. |
| postfix.resources.limits.cpu | string | `"500m"` | |
| postfix.resources.limits.memory | string | `"512Mi"` | |
diff --git a/charts/mok/templates/networkpolicy.yaml b/charts/mok/templates/networkpolicy.yaml
index 3c8b3a31475a3737def956d6e0f0164274de0a8a..84806d6228587f7d77afce48b667ea8655a4522d 100644
--- a/charts/mok/templates/networkpolicy.yaml
+++ b/charts/mok/templates/networkpolicy.yaml
@@ -60,6 +60,14 @@ spec:
protocol: TCP
- port: 587
protocol: TCP
+ {{- if .Values.postfix.postscreen.enabled }}
+ - from:
+ - ipBlock:
+ cidr: {{ .Values.postfix.postscreen.cidr }}
+ ports:
+ - port: 10025
+ protocol: TCP
+ {{- end }}
podSelector:
matchLabels:
{{- include "mok.selectorLabels" . | nindent 6 }}
diff --git a/charts/mok/templates/postfix.yaml b/charts/mok/templates/postfix.yaml
index c22e9ddf101a547742b59f8404ef7004e525475a..d9607a9816caa25bebdedd141ee3f172a3837759 100644
--- a/charts/mok/templates/postfix.yaml
+++ b/charts/mok/templates/postfix.yaml
@@ -18,6 +18,11 @@ spec:
- port: 587
name: submission
protocol: TCP
+ {{- if .Values.postfix.postscreen.enabled }}
+ - port: 10025
+ name: postscreen
+ protocol: TCP
+ {{- end }}
selector:
{{- include "mok.selectorLabels" . | nindent 4 }}
app.kubernetes.io/component: postfix
@@ -119,6 +124,10 @@ spec:
name: submissions
- containerPort: 587
name: submission
+ {{- if .Values.postfix.postscreen.enabled }}
+ - containerPort: 10025
+ name: postscreen
+ {{- end }}
resources:
{{- toYaml .Values.postfix.resources | nindent 12 }}
securityContext:
diff --git a/charts/mok/tests/networkpolicies_test.yaml b/charts/mok/tests/networkpolicies_test.yaml
index e086b306df9e6e79e4a335526652f52b1c118116..2f2aa564b2685663878fd800230384fb9167261c 100644
--- a/charts/mok/tests/networkpolicies_test.yaml
+++ b/charts/mok/tests/networkpolicies_test.yaml
@@ -218,6 +218,39 @@ tests:
app.kubernetes.io/name: mok
documentIndex: 1
template: networkpolicy.yaml
+ - it: allows postfix's postscreen from reverse-proxy
+ release:
+ name: "test-suite"
+ set:
+ postfix:
+ postscreen:
+ enabled: true
+ cidr: 127.0.123.123/32
+ asserts:
+ - equal:
+ path: spec.ingress[1].from[0].ipBlock.cidr
+ value: 127.0.123.123/32
+ documentIndex: 1
+ template: networkpolicy.yaml
+ - isEmpty:
+ path: spec.ingress[1].from[0].ipBlock.except
+ documentIndex: 1
+ template: networkpolicy.yaml
+ - contains:
+ path: spec.ingress[1].ports
+ content:
+ port: 10025
+ protocol: TCP
+ documentIndex: 1
+ template: networkpolicy.yaml
+ - equal:
+ path: spec.podSelector.matchLabels
+ value:
+ app.kubernetes.io/component: postfix
+ app.kubernetes.io/instance: test-suite
+ app.kubernetes.io/name: mok
+ documentIndex: 1
+ template: networkpolicy.yaml
- it: matches snapshot
asserts:
- matchSnapshot: {}
diff --git a/charts/mok/tests/postfix_test.yaml b/charts/mok/tests/postfix_test.yaml
index 2246fefa87a82e993de81eef8076d07bbaccbd2e..b85c8d39d42fa0d8cfde55bb34da3d86cd5c54f1 100644
--- a/charts/mok/tests/postfix_test.yaml
+++ b/charts/mok/tests/postfix_test.yaml
@@ -48,6 +48,28 @@ tests:
name: smtp
documentIndex: 1
template: postfix.yaml
+ - it: has postscreen port if enabled
+ set:
+ postfix:
+ postscreen:
+ enabled: true
+ cidr: 127.0.123.123/32
+ asserts:
+ - contains:
+ path: spec.ports
+ content:
+ port: 10025
+ name: postscreen
+ protocol: TCP
+ documentIndex: 0
+ template: postfix.yaml
+ - contains:
+ path: spec.template.spec.containers[0].ports
+ content:
+ containerPort: 10025
+ name: postscreen
+ documentIndex: 1
+ template: postfix.yaml
- it: has config hash for auto-reload
set:
dovecot:
diff --git a/charts/mok/values.yaml b/charts/mok/values.yaml
index b0cc7a10ce05e55cf560966345985b818da6e1c3..c32172f75cbfa20d66f1d41c2a9fbf7bea1af775 100644
--- a/charts/mok/values.yaml
+++ b/charts/mok/values.yaml
@@ -44,7 +44,7 @@ postfix:
repository: quay.io/shivering-isles/postfix
pullPolicy: IfNotPresent
# -- Overrides the image tag whose default is "latest"
- tag: "0.1.1"
+ tag: "0.2.0"
imagePullSecrets: []
@@ -52,6 +52,12 @@ postfix:
podSecurityContext: {}
+ postscreen:
+ # -- Enable proxy protocol support
+ enabled: false
+ # -- CIDR that is allowed to use Proxy protocol on port 10025
+ cidr: 127.0.0.1/32
+
securityContext:
# -- prevent any process in the container to regain capabilities once dropped
allowPrivilegeEscalation: false
diff --git a/images/postfix/.release b/images/postfix/.release
index 30d50427739d190b6e70eb3a52e9718040f29ef2..9990762bde3b533f2e4bbdb21f5c172741e881f3 100644
--- a/images/postfix/.release
+++ b/images/postfix/.release
@@ -1 +1 @@
-release=0.1.1
+release=0.2.0
diff --git a/images/postfix/Containerfile b/images/postfix/Containerfile
index 9f7b2db3cbd8e7c36c7b4aa7ed60ea6266c9c2aa..03ac284e4e0a2c773ca2b1dccbdf1296b465e41b 100644
--- a/images/postfix/Containerfile
+++ b/images/postfix/Containerfile
@@ -17,9 +17,10 @@ COPY docker/rsyslog.conf /etc/
COPY docker/start.sh /usr/local/libexec/start.sh
RUN chmod +x /usr/local/libexec/start.sh
-# 25: SMTP (Server2Server)
-# 465: SUBMISSIONS (SSL)
-# 587: SMTP (StartTLS)
-EXPOSE 25 465 587
+# 25: SMTP (Server2Server)
+# 465: SUBMISSIONS (SSL)
+# 587: SMTP (StartTLS)
+# 10025: Postscreen for HAProxy
+EXPOSE 25 465 587 10025
ENTRYPOINT [ "sh" , "/usr/local/libexec/start.sh" ]
diff --git a/images/postfix/config/main.cf b/images/postfix/config/main.cf
index ecfb7b7ac71dc2e08d857167529ef437a6cb9c7e..f493d0d7493080d66797294e76e8517957ef5b5c 100644
--- a/images/postfix/config/main.cf
+++ b/images/postfix/config/main.cf
@@ -181,3 +181,5 @@ maximal_queue_lifetime = 1d
bounce_queue_lifetime = 1d
unverified_recipient_reject_code = 577
compatibility_level = 2
+
+postscreen_upstream_proxy_protocol = haproxy
diff --git a/images/postfix/config/master.cf b/images/postfix/config/master.cf
index 8c2e8ab8aa92bed5e07fc53995519b1b3e6b3ed3..082af700a577765047a7bd8a69a9360675aa9e3c 100644
--- a/images/postfix/config/master.cf
+++ b/images/postfix/config/master.cf
@@ -2,7 +2,7 @@
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
-#smtp inet n - - - 1 postscreen
+10025 inet n - - - 1 postscreen
#smtpd pass - - - - - smtpd
#dnsblog unix - - - - 0 dnsblog
#tlsproxy unix - - - - 0 tlsproxy