feat(postfix): Add ability to utilise proxy-protocol

This patch should enable the postfix setup in MoK to utilise the proxy-protocol and therefore gather required IP information from connecting clients. It's implemented based on some documentation regard the topic and is useful for reverse-proxy setups e.g. behind haproxy. References: https://www.haproxy.com/blog/efficient-smtp-relay-infrastructure-with-postfix-and-load-balancers/

feat(postfix): Add ability to utilise proxy-protocol
ce35b0be · Sheogorath · 99b52ec6 · ce35b0be · ce35b0be · ce35b0be
Verified Commit ce35b0be authored 2 years ago by Sheogorath
--- a/charts/mok/Chart.yaml
+++ b/charts/mok/Chart.yaml
@@ -3,7 +3,7 @@ name: mok
 description: |
  Mail on Kubernetes (MoK) is a project to deploy a functional mailserver that runs without a database server on Kubernetes, taking advantage of configmaps and secret.
 type: application
-version: 0.2.0
+version: 0.3.0
 sources:
  - https://de.postfix.org/ftpmirror/index.html
  - https://github.com/dovecot/core

--- a/charts/mok/README.md
+++ b/charts/mok/README.md
 # mok

-![Version: 0.2.0](https://img.shields.io/badge/Version-0.2.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.3.0](https://img.shields.io/badge/Version-0.3.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)

 Mail on Kubernetes (MoK) is a project to deploy a functional mailserver that runs without a database server on Kubernetes, taking advantage of configmaps and secret.

@@ -60,6 +60,8 @@ Mail on Kubernetes (MoK) is a project to deploy a functional mailserver that run
 | postfix.nodeSelector | object | `{}` |  |
 | postfix.podAnnotations | object | `{}` |  |
 | postfix.podSecurityContext | object | `{}` |  |
+| postfix.postscreen.cidr | string | `"127.0.0.1/32"` | CIDR that is allowed to use Proxy protocol on port 10025 |
+| postfix.postscreen.enabled | bool | `false` | Enable proxy protocol support |
 | postfix.replicaCount | int | `1` | Number of postfix pods. |
 | postfix.resources.limits.cpu | string | `"500m"` |  |
 | postfix.resources.limits.memory | string | `"512Mi"` |  |

--- a/charts/mok/templates/networkpolicy.yaml
+++ b/charts/mok/templates/networkpolicy.yaml
@@ -60,6 +60,14 @@ spec:
      protocol: TCP
    - port: 587
      protocol: TCP
+  {{- if .Values.postfix.postscreen.enabled }}
+  - from:
+    - ipBlock:
+        cidr: {{ .Values.postfix.postscreen.cidr }}
+    ports:
+    - port: 10025
+      protocol: TCP
+  {{- end }}
  podSelector:
    matchLabels:
      {{- include "mok.selectorLabels" . | nindent 6 }}

--- a/charts/mok/templates/postfix.yaml
+++ b/charts/mok/templates/postfix.yaml
@@ -18,6 +18,11 @@ spec:
  - port: 587
    name: submission
    protocol: TCP
+  {{- if .Values.postfix.postscreen.enabled }}
+  - port: 10025
+    name: postscreen
+    protocol: TCP
+  {{- end }}
  selector:
    {{- include "mok.selectorLabels" . | nindent 4 }}
    app.kubernetes.io/component: postfix
@@ -119,6 +124,10 @@ spec:
              name: submissions
            - containerPort: 587
              name: submission
+            {{- if .Values.postfix.postscreen.enabled }}
+            - containerPort: 10025
+              name: postscreen
+            {{- end }}
          resources:
            {{- toYaml .Values.postfix.resources | nindent 12 }}
          securityContext:

--- a/charts/mok/tests/networkpolicies_test.yaml
+++ b/charts/mok/tests/networkpolicies_test.yaml
@@ -218,6 +218,39 @@ tests:
            app.kubernetes.io/name: mok
        documentIndex: 1
        template: networkpolicy.yaml
+  - it: allows postfix's postscreen from reverse-proxy
+    release:
+      name: "test-suite"
+    set:
+      postfix:
+        postscreen:
+          enabled: true
+          cidr: 127.0.123.123/32
+    asserts:
+      - equal:
+          path: spec.ingress[1].from[0].ipBlock.cidr
+          value: 127.0.123.123/32
+        documentIndex: 1
+        template: networkpolicy.yaml
+      - isEmpty:
+          path: spec.ingress[1].from[0].ipBlock.except
+        documentIndex: 1
+        template: networkpolicy.yaml
+      - contains:
+          path: spec.ingress[1].ports
+          content:
+            port: 10025
+            protocol: TCP
+        documentIndex: 1
+        template: networkpolicy.yaml
+      - equal:
+          path: spec.podSelector.matchLabels
+          value:
+            app.kubernetes.io/component: postfix
+            app.kubernetes.io/instance: test-suite
+            app.kubernetes.io/name: mok
+        documentIndex: 1
+        template: networkpolicy.yaml
  - it: matches snapshot
    asserts:
      - matchSnapshot: {}
--- a/charts/mok/tests/postfix_test.yaml
+++ b/charts/mok/tests/postfix_test.yaml
@@ -48,6 +48,28 @@ tests:
            name: smtp
        documentIndex: 1
        template: postfix.yaml
+  - it: has postscreen port if enabled
+    set:
+      postfix:
+        postscreen:
+          enabled: true
+          cidr: 127.0.123.123/32
+    asserts:
+      - contains:
+          path: spec.ports
+          content:
+            port: 10025
+            name: postscreen
+            protocol: TCP
+        documentIndex: 0
+        template: postfix.yaml
+      - contains:
+          path: spec.template.spec.containers[0].ports
+          content:
+            containerPort: 10025
+            name: postscreen
+        documentIndex: 1
+        template: postfix.yaml
  - it: has config hash for auto-reload
    set:
      dovecot:

--- a/charts/mok/values.yaml
+++ b/charts/mok/values.yaml
@@ -44,7 +44,7 @@ postfix:
    repository: quay.io/shivering-isles/postfix
    pullPolicy: IfNotPresent
    # -- Overrides the image tag whose default is "latest"
-    tag: "0.1.1"
+    tag: "0.2.0"

  imagePullSecrets: []

@@ -52,6 +52,12 @@ postfix:

  podSecurityContext: {}

+  postscreen:
+    # -- Enable proxy protocol support
+    enabled: false
+    # -- CIDR that is allowed to use Proxy protocol on port 10025
+    cidr: 127.0.0.1/32
+
  securityContext:
    # -- prevent any process in the container to regain capabilities once dropped
    allowPrivilegeEscalation: false

--- a/images/postfix/.release
+++ b/images/postfix/.release
-release=0.1.1
+release=0.2.0
--- a/images/postfix/Containerfile
+++ b/images/postfix/Containerfile
@@ -17,9 +17,10 @@ COPY docker/rsyslog.conf /etc/
 COPY docker/start.sh /usr/local/libexec/start.sh
 RUN chmod +x /usr/local/libexec/start.sh

-#   25: SMTP (Server2Server)
-#  465: SUBMISSIONS (SSL)
-#  587: SMTP (StartTLS)
-EXPOSE 25 465 587
+#    25: SMTP (Server2Server)
+#   465: SUBMISSIONS (SSL)
+#   587: SMTP (StartTLS)
+# 10025: Postscreen for HAProxy
+EXPOSE 25 465 587 10025

 ENTRYPOINT [ "sh" , "/usr/local/libexec/start.sh" ]
--- a/images/postfix/config/main.cf
+++ b/images/postfix/config/main.cf
@@ -181,3 +181,5 @@ maximal_queue_lifetime = 1d
 bounce_queue_lifetime = 1d
 unverified_recipient_reject_code = 577
 compatibility_level = 2
+
+postscreen_upstream_proxy_protocol = haproxy
--- a/images/postfix/config/master.cf
+++ b/images/postfix/config/master.cf
@@ -2,7 +2,7 @@
 # service type  private unpriv  chroot  wakeup  maxproc command + args
 #               (yes)   (yes)   (yes)   (never) (100)
 # ==========================================================================
-#smtp      inet  n       -       -       -       1       postscreen
+10025      inet  n       -       -       -       1       postscreen
 #smtpd     pass  -       -       -       -       -       smtpd
 #dnsblog   unix  -       -       -       -       0       dnsblog
 #tlsproxy  unix  -       -       -       -       0       tlsproxy