feat(postfix): deploy postfix MTA and rspamd spam filter
- mailgateway namespace with Deployment + HPA (2-6 replicas) - rspamd Deployment + HPA (2-6 replicas) with milter interface - postfix configured to relay inbound mail to stalwart via transport maps - rspamd milter on port 11332 for spam scanning and DKIM signing - DKIM keys stored in Vault at kubernetes/namespace/mailgateway/default/dkim-keys - TLS cert via cert-manager (vault-issuer) for mail.main.unkin.net - rspamd web UI exposed via Traefik Gateway at rspamd.k8s.syd1.au.unkin.net - postfix external LoadBalancer service for inbound MX on port 25 - Add full main.cf and master.cf as ConfigMap resources mounted via subPath - main.cf: relay-only gateway config, texthash: transport maps, rspamd milter - master.cf: standard smtp + submission (587, TLS required) + internal processes - MAILNAME/MY_NETWORKS/MY_DESTINATION env vars kept in sync with main.cf - LOG_TO_STDOUT=1 for k8s log collection
This commit is contained in:
@@ -0,0 +1,47 @@
|
||||
# Basic identity — kept in sync with MAILNAME/MY_NETWORKS/MY_DESTINATION env vars
|
||||
# so the tozd startup script's postconf calls are no-ops
|
||||
myhostname = mail.main.unkin.net
|
||||
myorigin = main.unkin.net
|
||||
mydestination = localhost.localdomain, localhost
|
||||
mynetworks = 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
|
||||
inet_protocols = ipv4
|
||||
inet_interfaces = all
|
||||
|
||||
# No local delivery — we're a relay-only gateway
|
||||
local_transport = error:no local delivery
|
||||
alias_maps =
|
||||
alias_database =
|
||||
|
||||
# Relay inbound mail for these domains to Stalwart
|
||||
# texthash: reads plain text without requiring postmap (Alpine has no hash/btree)
|
||||
relay_domains = main.unkin.net unkin.net
|
||||
transport_maps = texthash:/etc/postfix/transport
|
||||
|
||||
# rspamd milter (same namespace — short DNS name resolves)
|
||||
smtpd_milters = inet:rspamd:11332
|
||||
non_smtpd_milters = inet:rspamd:11332
|
||||
milter_default_action = accept
|
||||
milter_protocol = 6
|
||||
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
|
||||
|
||||
# Inbound TLS (cert from cert-manager Certificate resource)
|
||||
smtpd_use_tls = yes
|
||||
smtpd_tls_security_level = may
|
||||
smtpd_tls_cert_file = /etc/postfix/tls/tls.crt
|
||||
smtpd_tls_key_file = /etc/postfix/tls/tls.key
|
||||
smtpd_tls_loglevel = 1
|
||||
|
||||
# Outbound TLS (opportunistic)
|
||||
smtp_tls_security_level = may
|
||||
smtp_tls_loglevel = 1
|
||||
|
||||
# Message size limit (50 MiB)
|
||||
message_size_limit = 52428800
|
||||
mailbox_size_limit = 0
|
||||
|
||||
# Queue retention
|
||||
maximal_queue_lifetime = 5d
|
||||
bounce_queue_lifetime = 1d
|
||||
|
||||
# Log to stdout for k8s log collection
|
||||
maillog_file = /dev/stdout
|
||||
@@ -0,0 +1,42 @@
|
||||
# ==========================================================================
|
||||
# service type private unpriv chroot wakeup maxproc command + args
|
||||
# (yes) (yes) (yes) (never) (100)
|
||||
# ==========================================================================
|
||||
|
||||
# SMTP inbound (port 25) — runs rspamd milter, relays to Stalwart via transport_maps
|
||||
smtp inet n - n - - smtpd
|
||||
|
||||
# Submission (port 587) — TLS required, relay from trusted mynetworks only
|
||||
submission inet n - n - - smtpd
|
||||
-o syslog_name=postfix/submission
|
||||
-o smtpd_tls_security_level=encrypt
|
||||
-o smtpd_sasl_auth_enable=no
|
||||
-o smtpd_reject_unlisted_recipient=no
|
||||
-o smtpd_relay_restrictions=permit_mynetworks,reject
|
||||
-o milter_macro_daemon_name=ORIGINATING
|
||||
|
||||
# Internal postfix processes
|
||||
pickup unix n - n 60 1 pickup
|
||||
cleanup unix n - n - 0 cleanup
|
||||
qmgr unix n - n 300 1 qmgr
|
||||
tlsmgr unix - - n 1000? 1 tlsmgr
|
||||
rewrite unix - - n - - trivial-rewrite
|
||||
bounce unix - - n - 0 bounce
|
||||
defer unix - - n - 0 bounce
|
||||
trace unix - - n - 0 bounce
|
||||
verify unix - - n - 1 verify
|
||||
flush unix n - n 1000? 0 flush
|
||||
proxymap unix - - n - - proxymap
|
||||
proxywrite unix - - n - 1 proxymap
|
||||
smtp unix - - n - - smtp
|
||||
relay unix - - n - - smtp
|
||||
showq unix n - n - - showq
|
||||
error unix - - n - - error
|
||||
retry unix - - n - - error
|
||||
discard unix - - n - - discard
|
||||
local unix - n n - - local
|
||||
virtual unix - n n - - virtual
|
||||
lmtp unix - - n - - lmtp
|
||||
anvil unix - - n - 1 anvil
|
||||
scache unix - - n - 1 scache
|
||||
postlog unix-dgram n - n - 1 postlogd
|
||||
@@ -0,0 +1,2 @@
|
||||
main.unkin.net smtp:[stalwart.stalwart.svc.cluster.local]:25
|
||||
unkin.net smtp:[stalwart.stalwart.svc.cluster.local]:25
|
||||
@@ -0,0 +1,13 @@
|
||||
enabled = true;
|
||||
selector = "mail";
|
||||
|
||||
domain {
|
||||
main.unkin.net {
|
||||
privkey = "/etc/rspamd/dkim/private_key";
|
||||
selector = "mail";
|
||||
}
|
||||
unkin.net {
|
||||
privkey = "/etc/rspamd/dkim/private_key";
|
||||
selector = "mail";
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,2 @@
|
||||
extended_spam_headers = true;
|
||||
use = ["x-spam-status", "x-spam-score", "authentication-results"];
|
||||
@@ -0,0 +1,7 @@
|
||||
milter = yes;
|
||||
bind_socket = "*:11332";
|
||||
|
||||
upstream "local" {
|
||||
default = yes;
|
||||
self_scan = yes;
|
||||
}
|
||||
Reference in New Issue
Block a user