diff --git a/apps/k8s01/mail/mail-values.yaml b/apps/k8s01/mail/mail-values.yaml index db89b1d27d0f7893c611b6526a347d04953bc2de..635856e42ceb2c61368faade105a26e8e07cfff4 100644 --- a/apps/k8s01/mail/mail-values.yaml +++ b/apps/k8s01/mail/mail-values.yaml @@ -5,15 +5,15 @@ metadata: namespace: mail type: Opaque stringData: - values-overrides.yaml: ENC[AES256_GCM,data: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,iv:44m5tiAyAp89C8lE8zB4agHyNfo9kFRdu0mMRrd9Uik=,tag:9QtJ/TPWZ2nOyEA0isrujQ==,type:str] + values-overrides.yaml: ENC[AES256_GCM,data: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,iv:rEMzJeuIzrVs6QN+fxHlZ1WHBZbp2mrGJE+P3axuIbk=,tag:+UOk9zXdhAtu/+80CZkInw==,type:str] sops: kms: [] gcp_kms: [] azure_kv: [] hc_vault: [] age: [] - lastmodified: "2022-06-26T21:04:03Z" - mac: ENC[AES256_GCM,data:8EwGqZ0/JvdGLuX53iin8IFC8j0QTYI5OynaQnBF/MZER8Q/3oUZ8wajX7e3iLk/0k9wYjQfeCb/ljrMEpPVXEQ0GSnYOByEuJvCsYvoQBRikaD+MFmSS3Mvv7JwOOmEemyut2O+pzqjsVIyr14jXsAdud0e9su5XcqpnDiYuow=,iv:/TqNevubPSt5A/5/WHsLvNBOYKMxlaUp3HhO2vAXFT8=,tag:CV+IWiOVaB8sGcQAK/nTpw==,type:str] + lastmodified: "2022-06-29T22:08:03Z" + mac: ENC[AES256_GCM,data:GuFsI6fqDSwDIpe1xRxlPCrN4MGOn/G4AejRTkr99O71F2aBgtUpiBN1OSr9cpdROn2l3Y2zF94ojpuUETVBgTOmpBV9hXC1KL/IBk5Uo+Cr9TvyeSe9WRz/xnr9oMPaOMhjWHNJHujYBGHosV+hav55HuMoHGUvVU/4TnRr5hY=,iv:xH8uB54aZ/Oh441qynOx0h+C4uMk74Ot6UvMDl7M+fc=,tag:HOntUWzgnJXe/6EuZ2dDkg==,type:str] pgp: - created_at: "2022-04-19T15:47:33Z" enc: |- diff --git a/charts/mok/Chart.yaml b/charts/mok/Chart.yaml index 87bf6ee3483aef6aacf40cde0fc27f891b4f82eb..b99393d000269d13eeea08fee661d2fb3d3795c4 100644 --- a/charts/mok/Chart.yaml +++ b/charts/mok/Chart.yaml 
@@ -3,7 +3,7 @@ name: mok description: | Mail on Kubernetes (MoK) is a project to deploy a functional mailserver that runs without a database server on Kubernetes, taking advantage of configmaps and secret. type: application -version: 0.2.0 +version: 0.3.1 sources: - https://de.postfix.org/ftpmirror/index.html - https://github.com/dovecot/core diff --git a/charts/mok/README.md b/charts/mok/README.md index 859672563f7c483ffcadb532454ecbfbbee5649d..9e168e817bf4f1d012b43eda10c3a72418325c33 100644 --- a/charts/mok/README.md +++ b/charts/mok/README.md @@ -1,6 +1,6 @@ # mok -  +  Mail on Kubernetes (MoK) is a project to deploy a functional mailserver that runs without a database server on Kubernetes, taking advantage of configmaps and secret. @@ -60,6 +60,8 @@ Mail on Kubernetes (MoK) is a project to deploy a functional mailserver that run | postfix.nodeSelector | object | `{}` | | | postfix.podAnnotations | object | `{}` | | | postfix.podSecurityContext | object | `{}` | | +| postfix.postscreen.cidr | string | `"127.0.0.1/32"` | CIDR that is allowed to use Proxy protocol on port 10025 | +| postfix.postscreen.enabled | bool | `false` | Enable proxy protocol support | | postfix.replicaCount | int | `1` | Number of postfix pods. | | postfix.resources.limits.cpu | string | `"500m"` | | | postfix.resources.limits.memory | string | `"512Mi"` | | diff --git a/charts/mok/templates/networkpolicy.yaml b/charts/mok/templates/networkpolicy.yaml index 3c8b3a31475a3737def956d6e0f0164274de0a8a..84806d6228587f7d77afce48b667ea8655a4522d 100644 --- a/charts/mok/templates/networkpolicy.yaml +++ b/charts/mok/templates/networkpolicy.yaml @@ -60,6 +60,14 @@ spec: protocol: TCP - port: 587 protocol: TCP + {{- if .Values.postfix.postscreen.enabled }} + - from: + - ipBlock: + cidr: {{ .Values.postfix.postscreen.cidr }} + ports: + - port: 10025 + protocol: TCP + {{- end }} podSelector: matchLabels: {{- include "mok.selectorLabels" . | nindent 6 }} 
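Review bot: The templated peer `cidr: {{ .Values.postfix.postscreen.cidr }}` in the new ingress rule is rendered unquoted; `cidr: {{ .Values.postfix.postscreen.cidr | quote }}` keeps the value a string under any YAML loader and matches the quoted default the README documents as `"127.0.0.1/32"`. This rule is the only thing that limits who may reach postscreen on 10025, and on that port postfix takes the client address from the PROXY header, so whatever source this CIDR admits is trusted for the address postscreen acts on; that deserves a comment above the `{{- if .Values.postfix.postscreen.enabled }}` line, e.g. `# only peers in postscreen.cidr may reach the PROXY-protocol listener on 10025`. Since `ipBlock` matches the source address as the postfix pod sees it, a proxy running inside the cluster would presumably be matched more robustly with a `podSelector`/`namespaceSelector` peer than with a pod-IP CIDR — which deployment the chart targets is not visible here.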
diff --git a/charts/mok/templates/postfix.yaml b/charts/mok/templates/postfix.yaml index c22e9ddf101a547742b59f8404ef7004e525475a..d9607a9816caa25bebdedd141ee3f172a3837759 100644 --- a/charts/mok/templates/postfix.yaml +++ b/charts/mok/templates/postfix.yaml @@ -18,6 +18,11 @@ spec: - port: 587 name: submission protocol: TCP + {{- if .Values.postfix.postscreen.enabled }} + - port: 10025 + name: postscreen + protocol: TCP + {{- end }} selector: {{- include "mok.selectorLabels" . | nindent 4 }} app.kubernetes.io/component: postfix @@ -119,6 +124,10 @@ spec: name: submissions - containerPort: 587 name: submission + {{- if .Values.postfix.postscreen.enabled }} + - containerPort: 10025 + name: postscreen + {{- end }} resources: {{- toYaml .Values.postfix.resources | nindent 12 }} securityContext: diff --git a/charts/mok/tests/networkpolicies_test.yaml b/charts/mok/tests/networkpolicies_test.yaml index e086b306df9e6e79e4a335526652f52b1c118116..2f2aa564b2685663878fd800230384fb9167261c 100644 --- a/charts/mok/tests/networkpolicies_test.yaml +++ b/charts/mok/tests/networkpolicies_test.yaml 
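Review bot: The new `- port: 10025 name: postscreen` entry is added to the same Service that publishes 25/465/587, so 10025 becomes reachable from wherever that Service is reachable (its type is outside the hunk), and the only thing narrowing it is the NetworkPolicy ipBlock, which relies on the cluster's CNI enforcing NetworkPolicy at all. That is acceptable for an in-cluster proxy but worth stating next to the port, e.g. `# PROXY-protocol listener; restrict with postfix.postscreen.cidr (see networkpolicy.yaml)`. The same comment fits the containerPort entry in the second hunk of this file; the enclosing Service and Deployment specs start and end outside both hunks.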
@@ -218,6 +218,39 @@ tests: app.kubernetes.io/name: mok documentIndex: 1 template: networkpolicy.yaml + - it: allows postfix's postscreen from reverse-proxy + release: + name: "test-suite" + set: + postfix: + postscreen: + enabled: true + cidr: 127.0.123.123/32 + asserts: + - equal: + path: spec.ingress[1].from[0].ipBlock.cidr + value: 127.0.123.123/32 + documentIndex: 1 + template: networkpolicy.yaml + - isEmpty: + path: spec.ingress[1].from[0].ipBlock.except + documentIndex: 1 + template: networkpolicy.yaml + - contains: + path: spec.ingress[1].ports + content: + port: 10025 + protocol: TCP + documentIndex: 1 + template: networkpolicy.yaml + - equal: + path: spec.podSelector.matchLabels + value: + app.kubernetes.io/component: postfix + app.kubernetes.io/instance: test-suite + app.kubernetes.io/name: mok + documentIndex: 1 + template: networkpolicy.yaml - it: matches snapshot asserts: - matchSnapshot: {} diff --git a/charts/mok/tests/postfix_test.yaml b/charts/mok/tests/postfix_test.yaml index 2246fefa87a82e993de81eef8076d07bbaccbd2e..b85c8d39d42fa0d8cfde55bb34da3d86cd5c54f1 100644 --- a/charts/mok/tests/postfix_test.yaml +++ b/charts/mok/tests/postfix_test.yaml @@ -48,6 +48,28 @@ tests: name: smtp documentIndex: 1 template: postfix.yaml + - it: has postscreen port if enabled + set: + postfix: + postscreen: + enabled: true + cidr: 127.0.123.123/32 + asserts: + - contains: + path: spec.ports + content: + port: 10025 + name: postscreen + protocol: TCP + documentIndex: 0 + template: postfix.yaml + - contains: + path: spec.template.spec.containers[0].ports + content: + containerPort: 10025 + name: postscreen + documentIndex: 1 + template: postfix.yaml - it: has config hash for auto-reload set: dovecot: diff --git a/charts/mok/values.yaml b/charts/mok/values.yaml index b0cc7a10ce05e55cf560966345985b818da6e1c3..cb6d14dc65a5950707cf43ba758b23ca52307d34 100644 --- a/charts/mok/values.yaml +++ b/charts/mok/values.yaml 
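Review bot: Both new cases (`allows postfix's postscreen from reverse-proxy` here and `has postscreen port if enabled` in postfix_test.yaml) only exercise `enabled: true`; nothing asserts that with the default `enabled: false` the Service and the Deployment do not carry port 10025, which is the fail-closed behaviour a chart consumer relies on. A `notContains` counterpart without any `set:` pins that down for postfix.yaml. For the NetworkPolicy the equivalent would presumably be an `isNull` on `spec.ingress[1]`, assuming the ingress list has a single entry when postscreen is off — I cannot confirm that from this hunk.
```yaml
  - it: has no postscreen port by default
    asserts:
      - notContains:
          path: spec.ports
          content:
            port: 10025
            name: postscreen
            protocol: TCP
          documentIndex: 0
          template: postfix.yaml
      - notContains:
          path: spec.template.spec.containers[0].ports
          content:
            containerPort: 10025
            name: postscreen
          documentIndex: 1
          template: postfix.yaml
```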
@@ -44,7 +44,7 @@ postfix: repository: quay.io/shivering-isles/postfix pullPolicy: IfNotPresent # -- Overrides the image tag whose default is "latest" - tag: "0.1.1" + tag: "0.2.1" imagePullSecrets: [] @@ -52,6 +52,12 @@ postfix: podSecurityContext: {} + postscreen: + # -- Enable proxy protocol support + enabled: false + # -- CIDR that is allowed to use Proxy protocol on port 10025 + cidr: 127.0.0.1/32 + securityContext: # -- prevent any process in the container to regain capabilities once dropped allowPrivilegeEscalation: false diff --git a/images/postfix/.release b/images/postfix/.release index 30d50427739d190b6e70eb3a52e9718040f29ef2..15daeb6b1493316c2289f761e5071e4a07503a4f 100644 --- a/images/postfix/.release +++ b/images/postfix/.release @@ -1 +1 @@ -release=0.1.1 +release=0.2.1 diff --git a/images/postfix/Containerfile b/images/postfix/Containerfile index 9f7b2db3cbd8e7c36c7b4aa7ed60ea6266c9c2aa..03ac284e4e0a2c773ca2b1dccbdf1296b465e41b 100644 --- a/images/postfix/Containerfile +++ b/images/postfix/Containerfile @@ -17,9 +17,10 @@ COPY docker/rsyslog.conf /etc/ COPY docker/start.sh /usr/local/libexec/start.sh RUN chmod +x /usr/local/libexec/start.sh -# 25: SMTP (Server2Server) -# 465: SUBMISSIONS (SSL) -# 587: SMTP (StartTLS) -EXPOSE 25 465 587 +# 25: SMTP (Server2Server) +# 465: SUBMISSIONS (SSL) +# 587: SMTP (StartTLS) +# 10025: Postscreen for HAProxy +EXPOSE 25 465 587 10025 ENTRYPOINT [ "sh" , "/usr/local/libexec/start.sh" ] diff --git a/images/postfix/config/main.cf b/images/postfix/config/main.cf index ecfb7b7ac71dc2e08d857167529ef437a6cb9c7e..f493d0d7493080d66797294e76e8517957ef5b5c 100644 --- a/images/postfix/config/main.cf +++ b/images/postfix/config/main.cf @@ -181,3 +181,5 @@ maximal_queue_lifetime = 1d bounce_queue_lifetime = 1d unverified_recipient_reject_code = 577 compatibility_level = 2 + +postscreen_upstream_proxy_protocol = haproxy 
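Review bot: The two `# --` doc comments on the new `postscreen` block say what the toggle is called but not what it exposes: enabling it adds port 10025 to the Service and a NetworkPolicy ingress from `cidr`, and postfix then takes the client address from the PROXY header on that port, so `cidr` must be exactly the proxy's source range as the pod sees it. Suggest `# -- Expose postscreen on port 10025 for the HAProxy PROXY protocol; the client IP is taken from the proxy header, so keep cidr tight` on `enabled` and `# -- Source CIDR admitted to port 10025 by the NetworkPolicy; the loopback default effectively admits no remote peer` on `cidr`. Also write the default as `cidr: "127.0.0.1/32"` so it matches the README and stays a string under any loader.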
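Review bot: `postscreen_upstream_proxy_protocol = haproxy` is set globally in main.cf, so every postscreen listener in this image now expects a PROXY header and takes the client address from it; if port 25 is ever moved behind postscreen as well, direct MX traffic without the header would presumably be dropped. Setting it per service on the 10025 entry in master.cf (`-o postscreen_upstream_proxy_protocol=haproxy`) keeps the trust decision next to the listener it applies to. Either way the address postscreen uses for its DNSBL and access decisions is whatever the peer on 10025 presents, so the chart's NetworkPolicy CIDR is the control that makes this safe — worth a comment here: `# trust PROXY headers on the postscreen listener; reachability of that port must be limited to the proxy`.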
diff --git a/images/postfix/config/master.cf b/images/postfix/config/master.cf index 8c2e8ab8aa92bed5e07fc53995519b1b3e6b3ed3..faea48565fe03ad8202735b599152b5505c7700a 100644 --- a/images/postfix/config/master.cf +++ b/images/postfix/config/master.cf @@ -2,9 +2,9 @@ # service type private unpriv chroot wakeup maxproc command + args # (yes) (yes) (yes) (never) (100) # ========================================================================== -#smtp inet n - - - 1 postscreen +10025 inet n - - - 1 postscreen #smtpd pass - - - - - smtpd -#dnsblog unix - - - - 0 dnsblog +dnsblog unix - - - - 0 dnsblog #tlsproxy unix - - - - 0 tlsproxy #smtps inet n - - - - smtpd # -o syslog_name=postfix/smtps
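Review bot: The new `10025 inet n - - - 1 postscreen` entry enables postscreen, but the `#smtpd pass - - - - - smtpd` line right below stays commented; postscreen hands accepted connections to the `smtpd` pass service, so unless that service is defined elsewhere in master.cf (only this hunk is visible) the listener will complete the PROXY handshake and then fail on hand-off. Uncommenting it as `smtpd pass - - - - - smtpd` is the missing line. `tlsproxy` also stays commented, which is fine as long as `postscreen_tls_security_level` is not set for this listener. A short comment above the 10025 line saying that it is the PROXY-protocol-only entry point for the reverse proxy and that 25/465/587 are unaffected would help the next reader.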