5 Commits

unkinben 5b3058e75e fix(postfix): use hash: transport_maps with postmap init container
- Splits hash-type map files into a separate postfix-maps ConfigMap
- Adds postmap init container that builds .db files from all maps into
  a postfix-db emptyDir, which is then subPath-mounted per map in the
  main container
- Updates transport_maps in main.cf to hash:/etc/postfix/transport
2026-05-24 20:38:27 +10:00
unkinben ebc21b9fa1 fix(postfix): use .unkin.net subdomain pattern in transport map
per transport(5), .domain matches all subdomains. main.unkin.net was
an exact-match entry; .unkin.net covers it and any future subdomains.
2026-05-24 20:35:19 +10:00
unkinben d57c1db5f8 fix(mailgateway): pin postfix-external LoadBalancer to 198.18.199.1 2026-05-24 19:54:08 +10:00
unkinben 942e23c146 fix(mailgateway): add purelb dmz service-group annotation to LoadBalancer 2026-05-24 19:52:16 +10:00
unkinben b09cd1628d feat(postfix): deploy postfix MTA and rspamd spam filter
- mailgateway namespace with Deployment + HPA (2-6 replicas)
- rspamd Deployment + HPA (2-6 replicas) with milter interface
- postfix configured to relay inbound mail to stalwart via transport maps
- rspamd milter on port 11332 for spam scanning and DKIM signing
- DKIM keys stored in Vault at kubernetes/namespace/mailgateway/default/dkim-keys
- TLS cert via cert-manager (vault-issuer) for mail.main.unkin.net
- rspamd web UI exposed via Traefik Gateway at rspamd.k8s.syd1.au.unkin.net
- postfix external LoadBalancer service for inbound MX on port 25
- Add full main.cf and master.cf as ConfigMap resources mounted via subPath
  - main.cf: relay-only gateway config, texthash: transport maps, rspamd milter
  - master.cf: standard smtp + submission (587, TLS required) + internal processes
- MAILNAME/MY_NETWORKS/MY_DESTINATION env vars kept in sync with main.cf
- LOG_TO_STDOUT=1 for k8s log collection
2026-05-24 12:46:28 +10:00
20 changed files with 586 additions and 0 deletions
+18
@@ -0,0 +1,18 @@
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: postfix-smtp-tls
namespace: mailgateway
spec:
secretName: postfix-smtp-tls
issuerRef:
name: vault-issuer
kind: ClusterIssuer
commonName: mail.main.unkin.net
dnsNames:
- mail.main.unkin.net
- smtp-in.main.unkin.net
privateKey:
size: 4096
algorithm: RSA
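Review bot: `dnsNames` (L48-L50) lists only the two public names, so a client that connects through the in-cluster `postfix` Service — the path stalwart is documented to use for outbound relay, on a submission listener that requires TLS — cannot verify this certificate by name and would have to skip verification. If that hop is meant to be authenticated, add the service name to `dnsNames`: `- postfix.mailgateway.svc.cluster.local`. Separately, `privateKey` has no `rotationPolicy`; unless your cert-manager version already defaults to `Always`, the same 4096-bit key is reused on every renewal, so add `rotationPolicy: Always` under `privateKey`. The stalwart side is not in this commit, so whether it verifies the certificate is inferred.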
+37
@@ -0,0 +1,37 @@
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
labels:
traefik.io/instance: internal
annotations:
cert-manager.io/cluster-issuer: vault-issuer
cert-manager.io/common-name: rspamd.k8s.syd1.au.unkin.net
cert-manager.io/private-key-size: "4096"
external-dns.alpha.kubernetes.io/hostname: rspamd.k8s.syd1.au.unkin.net
external-dns.alpha.kubernetes.io/target: 198.18.200.4
name: rspamd
namespace: mailgateway
spec:
gatewayClassName: traefik-internal
listeners:
- allowedRoutes:
namespaces:
from: Same
hostname: rspamd.k8s.syd1.au.unkin.net
name: http
port: 80
protocol: HTTP
- allowedRoutes:
namespaces:
from: Same
hostname: rspamd.k8s.syd1.au.unkin.net
name: https
port: 443
protocol: HTTPS
tls:
certificateRefs:
- group: ""
kind: Secret
name: rspamd-tls
mode: Terminate
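Review bot: The `http` listener on port 80 (L74-L80) is attached by the rspamd HTTPRoute, whose `parentRefs` names this Gateway without a `sectionName`, so the rspamd controller UI and its password login are reachable over cleartext as well as through the `https` listener. Drop the `http` listener, or keep it only for a redirect by adding `sectionName: https` to the existing route's `parentRefs` and attaching a separate route to `sectionName: http` whose only rule is a `RequestRedirect` filter to scheme `https`. Whether Traefik already redirects on its own is not visible here.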
+16
@@ -0,0 +1,16 @@
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: rspamd
namespace: mailgateway
spec:
parentRefs:
- name: rspamd
namespace: mailgateway
hostnames:
- rspamd.k8s.syd1.au.unkin.net
rules:
- backendRefs:
- name: rspamd
port: 11334
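Review bot: This route publishes the rspamd controller (port 11334, L112) through the Gateway, but nothing in the commit configures that controller's credentials: the `rspamd-config` ConfigMap only overrides `worker-proxy.inc`, `dkim_signing.conf` and `milter_headers.conf`, so whatever `password`/`enable_password` the image's stock `worker-controller.inc` carries is what gates the UI, including the `enable_password` that permits learning and runtime changes. Add a `worker-controller.inc` to `local.d` with `password = "<hash from rspamadm pw>";` and `enable_password = "<hash>";`, sourced from a Secret rather than the ConfigMap, before exposing the port. Even if the upstream image already requires a password, pinning it in the manifest keeps a base-image change from silently weakening it.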
+36
@@ -0,0 +1,36 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- certificate.yaml
- gateway.yaml
- httproute.yaml
- namespace.yaml
- postfix-deployment.yaml
- postfix-hpa.yaml
- rspamd-deployment.yaml
- rspamd-hpa.yaml
- services.yaml
- vaultauth.yaml
- vaultstaticsecret.yaml
configMapGenerator:
- name: postfix-config
files:
- main.cf=resources/postfix/main.cf
- master.cf=resources/postfix/master.cf
options:
disableNameSuffixHash: true
- name: postfix-maps
files:
- transport=resources/postfix/transport
options:
disableNameSuffixHash: true
- name: rspamd-config
files:
- worker-proxy.inc=resources/rspamd/local.d/worker-proxy.inc
- dkim_signing.conf=resources/rspamd/local.d/dkim_signing.conf
- milter_headers.conf=resources/rspamd/local.d/milter_headers.conf
options:
disableNameSuffixHash: true
+5
@@ -0,0 +1,5 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: mailgateway
@@ -0,0 +1,105 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: postfix
namespace: mailgateway
spec:
selector:
matchLabels:
app: postfix
template:
metadata:
annotations:
reloader.stakater.com/auto: "true"
labels:
app: postfix
spec:
initContainers:
- name: postmap
image: tozd/postfix:alpine-322
command: ["/bin/sh", "-c"]
args:
- |
for f in /etc/postfix/maps/*; do
base=$(basename "$f")
cp "$f" /tmp/"$base"
postmap hash:/tmp/"$base"
cp /tmp/"${base}.db" /etc/postfix/db/
done
volumeMounts:
- name: postfix-maps
mountPath: /etc/postfix/maps
readOnly: true
- name: postfix-db
mountPath: /etc/postfix/db
containers:
- name: postfix
image: tozd/postfix:alpine-322
ports:
- containerPort: 25
name: smtp
protocol: TCP
- containerPort: 587
name: submission
protocol: TCP
env:
# Keep these in sync with main.cf so the tozd startup postconf calls are no-ops
- name: MAILNAME
value: "mail.main.unkin.net"
- name: MY_NETWORKS
value: "127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"
- name: MY_DESTINATION
value: "localhost.localdomain, localhost"
- name: LOG_TO_STDOUT
value: "1"
livenessProbe:
tcpSocket:
port: 25
initialDelaySeconds: 30
periodSeconds: 30
timeoutSeconds: 5
failureThreshold: 3
readinessProbe:
tcpSocket:
port: 25
initialDelaySeconds: 15
periodSeconds: 10
timeoutSeconds: 3
failureThreshold: 3
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: "1"
memory: 512Mi
volumeMounts:
- name: postfix-config
mountPath: /etc/postfix/main.cf
subPath: main.cf
- name: postfix-config
mountPath: /etc/postfix/master.cf
subPath: master.cf
- name: postfix-db
mountPath: /etc/postfix/transport.db
subPath: transport.db
- name: postfix-tls
mountPath: /etc/postfix/tls
readOnly: true
- name: spool
mountPath: /var/spool/postfix
volumes:
- name: postfix-config
configMap:
name: postfix-config
- name: postfix-maps
configMap:
name: postfix-maps
- name: postfix-db
emptyDir: {}
- name: postfix-tls
secret:
secretName: postfix-smtp-tls
- name: spool
emptyDir: {}
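Review bot: The `postfix` container (L195-L249) is the internet-facing process in this namespace yet, unlike the rspamd pod, it sets no `securityContext`: it runs with the image defaults (root is needed for postfix master, but nothing drops capabilities or applies a seccomp profile). Add a container-level `securityContext` that drops all capabilities and adds back only what the tozd startup script and postfix need — the list below is a starting point to confirm against the image, not a verified minimum. The init container's script also lacks `set -eu`; as written a failed `postmap` on one map is only noticed if the loop's final `cp` fails, so prefix the script with `set -eu`.
```yaml
      - name: postfix
        image: tozd/postfix:alpine-322
        securityContext:
          seccompProfile:
            type: RuntimeDefault
          capabilities:
            drop: ["ALL"]
            # TODO(review): confirm against the image's startup script; postfix master
            # needs setuid/setgid, chown/dac_override/fowner for the spool and
            # net_bind_service for ports 25/587
            add: ["CHOWN", "DAC_OVERRIDE", "FOWNER", "SETGID", "SETUID", "NET_BIND_SERVICE", "KILL"]
        # … unchanged: ports, env, probes, resources, volumeMounts …
```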
+38
@@ -0,0 +1,38 @@
---
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
name: postfix-hpa
namespace: mailgateway
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: postfix
minReplicas: 2
maxReplicas: 6
metrics:
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: 70
behavior:
scaleUp:
stabilizationWindowSeconds: 0
selectPolicy: Max
policies:
- type: Percent
value: 100
periodSeconds: 60
- type: Pods
value: 4
periodSeconds: 30
scaleDown:
stabilizationWindowSeconds: 300
selectPolicy: Min
policies:
- type: Percent
value: 30
periodSeconds: 60
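Review bot: The `scaleDown` policy (L298-L304) can remove up to 30% of postfix pods per minute, but each pod's queue lives in the `emptyDir` spool the Deployment mounts at `/var/spool/postfix`, so any deferred or in-flight message in a pod that is scaled away is lost after the sender has already received a 250. Before leaning on scale-down, either make the spool persistent or give the Deployment a `preStop` hook that stops smtpd, runs `postfix flush` and waits until `postqueue -p` reports an empty queue, with `terminationGracePeriodSeconds` raised accordingly; anything still deferred when the grace period expires is lost either way, which is why a persistent spool is the real fix. The same loss applies to rollouts triggered by the reloader annotation, not only to autoscaling.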
@@ -0,0 +1,46 @@
# Basic identity — kept in sync with MAILNAME/MY_NETWORKS/MY_DESTINATION env vars
# so the tozd startup script's postconf calls are no-ops
myhostname = mail.main.unkin.net
myorigin = main.unkin.net
mydestination = localhost.localdomain, localhost
mynetworks = 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
inet_protocols = ipv4
inet_interfaces = all
# No local delivery — we're a relay-only gateway
local_transport = error:no local delivery
alias_maps =
alias_database =
# Relay inbound mail for these domains to Stalwart
relay_domains = main.unkin.net unkin.net
transport_maps = hash:/etc/postfix/transport
# rspamd milter (same namespace — short DNS name resolves)
smtpd_milters = inet:rspamd:11332
non_smtpd_milters = inet:rspamd:11332
milter_default_action = accept
milter_protocol = 6
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
# Inbound TLS (cert from cert-manager Certificate resource)
smtpd_use_tls = yes
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/tls/tls.crt
smtpd_tls_key_file = /etc/postfix/tls/tls.key
smtpd_tls_loglevel = 1
# Outbound TLS (opportunistic)
smtp_tls_security_level = may
smtp_tls_loglevel = 1
# Message size limit (50 MiB)
message_size_limit = 52428800
mailbox_size_limit = 0
# Queue retention
maximal_queue_lifetime = 5d
bounce_queue_lifetime = 1d
# Log to stdout for k8s log collection
maillog_file = /dev/stdout
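Review bot: `mynetworks` (L311) covers all of RFC 1918, and with no explicit `smtpd_relay_restrictions` the Postfix default (`permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination`) applies, so any host in those ranges — which presumably includes every pod and node in the cluster — can relay mail to arbitrary destinations through port 25 without authentication. Narrow `mynetworks` to loopback plus the range stalwart actually connects from (or move stalwart to SASL on 587), and state the policy explicitly: `smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination`. Two further points: `milter_default_action = accept` (L324) fails open, so when no rspamd pod is reachable inbound mail is delivered unscanned and outbound mail unsigned — `milter_default_action = tempfail` is the safer choice for a gateway whose purpose is that filter; and there is no `relay_recipient_maps` or `reject_unverified_recipient`, so unknown recipients in `relay_domains` are accepted here and bounced by stalwart, which makes the gateway a backscatter source.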
@@ -0,0 +1,42 @@
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
# SMTP inbound (port 25) — runs rspamd milter, relays to Stalwart via transport_maps
smtp inet n - n - - smtpd
# Submission (port 587) — TLS required, relay from trusted mynetworks only
submission inet n - n - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=no
-o smtpd_reject_unlisted_recipient=no
-o smtpd_relay_restrictions=permit_mynetworks,reject
-o milter_macro_daemon_name=ORIGINATING
# Internal postfix processes
pickup unix n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
postlog unix-dgram n - n - 1 postlogd
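Review bot: The `submission` service (L352-L358) disables SASL and authorizes purely by source address via `permit_mynetworks`, so with `mynetworks` set to all of RFC 1918 in main.cf, anything in the cluster that can reach port 587 can send mail through the gateway, and `milter_macro_daemon_name=ORIGINATING` tells rspamd to treat it as outbound — under rspamd's documented defaults for local/authenticated mail that presumably means it gets DKIM-signed for the relay's own domains. If stalwart is the only intended client, either require SASL here (`-o smtpd_sasl_auth_enable=yes` with `-o smtpd_relay_restrictions=permit_sasl_authenticated,reject`, which needs an auth backend not in this commit) or at minimum restrict 587 with a NetworkPolicy to stalwart's namespace. Also, the public port-25 `smtp` entry has neither `postscreen` nor per-client limits in front of it; for an internet-facing MX consider `smtpd_client_connection_count_limit`/`smtpd_client_connection_rate_limit` in main.cf, or the stock `postscreen` service.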
@@ -0,0 +1,2 @@
.unkin.net smtp:[stalwart.stalwart.svc.cluster.local]:25
unkin.net smtp:[stalwart.stalwart.svc.cluster.local]:25
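Review bot: Both entries hand mail to stalwart on plain port 25 and main.cf sets `smtp_tls_security_level = may`, so this internal hop is opportunistic: it stays cleartext if stalwart does not offer STARTTLS, and any TLS that is negotiated is unauthenticated. If pod-to-pod traffic is not encrypted by other means, add an `smtp_tls_policy_maps` entry for `[stalwart.stalwart.svc.cluster.local]:25 encrypt` (or `secure` with a `match=` name once stalwart's certificate is known), built through the same postmap init flow. Stalwart's listener configuration is not part of this commit, so this is inferred.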
@@ -0,0 +1,13 @@
enabled = true;
selector = "mail";
domain {
main.unkin.net {
privkey = "/etc/rspamd/dkim/private_key";
selector = "mail";
}
unkin.net {
privkey = "/etc/rspamd/dkim/private_key";
selector = "mail";
}
}
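Review bot: This config sets `privkey`/`selector` per domain (L390-L399) but says nothing about which mail gets signed, so rspamd's defaults apply — per the rspamd documentation `sign_local` and `sign_authenticated` are on, with "local" decided by `local_addrs`, whose default also spans RFC 1918 — meaning any RFC 1918 client that can inject mail through postfix presumably gets it signed as `unkin.net`/`main.unkin.net`. Pin the signing scope explicitly, e.g. `sign_local = false;` plus a `sign_networks` entry covering only the address range stalwart sends from, and add a comment stating that both domains deliberately share one key and selector so the duplicated `selector = "mail"` lines are not mistaken for an oversight. Those defaults are quoted from the documentation rather than visible here; confirm them against the deployed 4.0.1 image.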
@@ -0,0 +1,2 @@
extended_spam_headers = true;
use = ["x-spam-status", "x-spam-score", "authentication-results"];
@@ -0,0 +1,7 @@
milter = yes;
bind_socket = "*:11332";
upstream "local" {
default = yes;
self_scan = yes;
}
@@ -0,0 +1,75 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: rspamd
namespace: mailgateway
spec:
selector:
matchLabels:
app: rspamd
template:
metadata:
annotations:
reloader.stakater.com/auto: "true"
labels:
app: rspamd
spec:
securityContext:
runAsUser: 11333
runAsGroup: 11333
fsGroup: 11333
containers:
- name: rspamd
image: rspamd/rspamd:4.0.1
ports:
- containerPort: 11332
name: milter
protocol: TCP
- containerPort: 11333
name: worker
protocol: TCP
- containerPort: 11334
name: controller
protocol: TCP
livenessProbe:
httpGet:
path: /ping
port: 11334
initialDelaySeconds: 15
periodSeconds: 30
timeoutSeconds: 5
failureThreshold: 3
readinessProbe:
httpGet:
path: /ping
port: 11334
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 3
failureThreshold: 3
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: "1"
memory: 512Mi
volumeMounts:
- name: rspamd-config
mountPath: /etc/rspamd/local.d
readOnly: true
- name: dkim-keys
mountPath: /etc/rspamd/dkim
readOnly: true
- name: rspamd-data
mountPath: /var/lib/rspamd
volumes:
- name: rspamd-config
configMap:
name: rspamd-config
- name: dkim-keys
secret:
secretName: dkim-keys
- name: rspamd-data
emptyDir: {}
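Review bot: The `dkim-keys` Secret volume (L481-L483) is mounted with the default file mode, which is 0644 and, combined with `fsGroup: 11333`, leaves the DKIM private key readable by any uid in the container rather than only the rspamd user; set `defaultMode: 0440` on that volume. The pod `securityContext` fixes the uid but stops there: add `runAsNonRoot: true` so the non-root expectation is enforced, and at container level `allowPrivilegeEscalation: false`, `capabilities: {drop: ["ALL"]}` and `seccompProfile: {type: RuntimeDefault}`, none of which rspamd should need as far as this manifest shows. Note too that `/var/lib/rspamd` is an `emptyDir`, so learned Bayes/fuzzy data and history are per-replica and discarded on every restart or scale-down; with 2-6 replicas that means inconsistent filtering unless a shared backend (e.g. Redis) is configured, which is not in this commit.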
+38
@@ -0,0 +1,38 @@
---
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
name: rspamd-hpa
namespace: mailgateway
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: rspamd
minReplicas: 2
maxReplicas: 6
metrics:
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: 70
behavior:
scaleUp:
stabilizationWindowSeconds: 0
selectPolicy: Max
policies:
- type: Percent
value: 100
periodSeconds: 30
- type: Pods
value: 4
periodSeconds: 30
scaleDown:
stabilizationWindowSeconds: 300
selectPolicy: Min
policies:
- type: Percent
value: 30
periodSeconds: 60
+64
@@ -0,0 +1,64 @@
---
# Internal service for rspamd - used by postfix pods in the same namespace
apiVersion: v1
kind: Service
metadata:
name: rspamd
namespace: mailgateway
spec:
selector:
app: rspamd
ports:
- name: milter
port: 11332
targetPort: 11332
protocol: TCP
- name: worker
port: 11333
targetPort: 11333
protocol: TCP
- name: controller
port: 11334
targetPort: 11334
protocol: TCP
---
# Internal ClusterIP for postfix - used by stalwart for outbound relay
apiVersion: v1
kind: Service
metadata:
name: postfix
namespace: mailgateway
spec:
selector:
app: postfix
ports:
- name: smtp
port: 25
targetPort: 25
protocol: TCP
- name: submission
port: 587
targetPort: 587
protocol: TCP
---
# External LoadBalancer for inbound MX (internet → postfix)
apiVersion: v1
kind: Service
metadata:
name: postfix-external
namespace: mailgateway
annotations:
external-dns.alpha.kubernetes.io/hostname: smtp-in.main.unkin.net
external-dns.alpha.kubernetes.io/target: 198.18.199.1
purelb.io/service-group: dmz
purelb.io/addresses: 198.18.199.1
spec:
type: LoadBalancer
externalTrafficPolicy: Local
selector:
app: postfix
ports:
- name: smtp
port: 25
targetPort: 25
protocol: TCP
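Review bot: `externalTrafficPolicy: Local` (L586) is doing security work here, not just preserving latency: it keeps the internet client's source address, and main.cf's `mynetworks` grants relay to all of RFC 1918, so if this were ever flipped to `Cluster` the SNAT'd node addresses would presumably fall inside `mynetworks` and turn the MX into an open relay — add a comment on that line, e.g. `# Local: preserves client source IP; required for the mynetworks/relay checks in main.cf`. Separately, the kustomization ships no NetworkPolicy, so every pod in the cluster can reach the rspamd proxy/worker/controller ports and postfix 587; a policy that admits 11332 only from postfix pods and 11334 only from the Traefik namespace, plus one admitting 25/587 on the postfix pods only from the stalwart namespace and the load balancer, would enforce what the `mynetworks` and milter setup currently assume. The rspamd policy is sketched below; the Traefik namespace label is a placeholder to confirm, and the postfix policy additionally needs an `ipBlock` for inbound port 25.
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: rspamd-ingress
  namespace: mailgateway
spec:
  podSelector:
    matchLabels:
      app: rspamd
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: postfix
      ports:
        - port: 11332
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: traefik   # TODO(review): confirm Traefik namespace
      ports:
        - port: 11334
```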
+18
@@ -0,0 +1,18 @@
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: default
namespace: mailgateway
spec:
allowedNamespaces:
- mailgateway
kubernetes:
audiences:
- vault
role: default
serviceAccount: default
tokenExpirationSeconds: 600
method: kubernetes
mount: k8s/au/syd1
vaultConnectionRef: vso-system/default
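Review bot: `serviceAccount: default` (L610) binds the Vault role to the namespace's default ServiceAccount, which is also the identity both the postfix and rspamd pods run under, since neither Deployment sets `serviceAccountName` or `automountServiceAccountToken: false`; that ties an internet-facing pod's identity to the account allowed to read the DKIM private key from Vault. The `vault` audience means the pod's automounted token cannot be presented to Vault directly, but a dedicated account is still the least-privilege shape and removes the dependence on that detail: use `serviceAccount: vso-mailgateway` (created in this kustomization and referenced by the Vault role) and set `automountServiceAccountToken: false` on both pod specs, as nothing in them talks to the Kubernetes API. Whether the Vault role `default` is scoped to this namespace is not visible here.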
@@ -0,0 +1,17 @@
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: dkim-keys
namespace: mailgateway
spec:
destination:
create: true
name: dkim-keys
overwrite: true
hmacSecretData: true
mount: kv
path: kubernetes/namespace/mailgateway/default/dkim-keys
refreshAfter: 5m
type: kv-v2
vaultAuthRef: default
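Review bot: Nothing ties this resource to the path rspamd reads from: `dkim_signing.conf` expects `/etc/rspamd/dkim/private_key`, so the Vault KV entry at `path` must contain a field literally named `private_key` — an undocumented coupling that fails at signing time rather than at deploy time. Add a comment above `path`, e.g. `# must hold key "private_key" (PEM); mounted as /etc/rspamd/dkim/private_key by the rspamd Deployment`. `hmacSecretData: true` and `refreshAfter: 5m` are sensible for a key expected to rotate, but note that a rotated key also needs its TXT record published under selector `mail` before VSO swaps it in, which this resource cannot sequence.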
@@ -0,0 +1,6 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../../base/mailgateway
+1
@@ -21,6 +21,7 @@ spec:
- path: apps/overlays/*/inteldeviceplugins-system
- path: apps/overlays/*/jfrog
- path: apps/overlays/*/node-feature-discovery
- path: apps/overlays/*/mailgateway
- path: apps/overlays/*/puppet
- path: apps/overlays/*/purelb
- path: apps/overlays/*/reflector-system