b09cd1628d
- mailgateway namespace with Deployment + HPA (2-6 replicas) - rspamd Deployment + HPA (2-6 replicas) with milter interface - postfix configured to relay inbound mail to stalwart via transport maps - rspamd milter on port 11332 for spam scanning and DKIM signing - DKIM keys stored in Vault at kubernetes/namespace/mailgateway/default/dkim-keys - TLS cert via cert-manager (vault-issuer) for mail.main.unkin.net - rspamd web UI exposed via Traefik Gateway at rspamd.k8s.syd1.au.unkin.net - postfix external LoadBalancer service for inbound MX on port 25 - Add full main.cf and master.cf as ConfigMap resources mounted via subPath - main.cf: relay-only gateway config, texthash: transport maps, rspamd milter - master.cf: standard smtp + submission (587, TLS required) + internal processes - MAILNAME/MY_NETWORKS/MY_DESTINATION env vars kept in sync with main.cf - LOG_TO_STDOUT=1 for k8s log collection
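# Postfix main.cf for the mailgateway relay (mounted from a ConfigMap via subPath).
# Role: internet-facing MX that scans/signs through the rspamd milter and relays
# inbound mail for relay_domains to Stalwart via transport_maps. No local delivery.

# Basic identity — kept in sync with MAILNAME/MY_NETWORKS/MY_DESTINATION env vars
# so the tozd startup script's postconf calls are no-ops
myhostname = mail.main.unkin.net
myorigin = main.unkin.net
mydestination = localhost.localdomain, localhost
# SECURITY: mynetworks clients may relay to any destination without authentication
# (permit_mynetworks in smtpd_relay_restrictions below). Listing all of RFC 1918 covers
# the whole cluster's pod, service and node ranges, so every workload in the cluster can
# relay through this gateway. Narrow this to the CIDRs that legitimately submit mail and
# keep MY_NETWORKS in step. Also confirm that the port-25 LoadBalancer preserves the
# client source address (externalTrafficPolicy: Local or PROXY protocol): if inbound
# connections arrive SNATed from a node IP they would match mynetworks, which turns this
# host into an open relay.
mynetworks = 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
inet_protocols = ipv4
inet_interfaces = all

# No local delivery — we're a relay-only gateway
local_transport = error:no local delivery
alias_maps =
alias_database =

# Relay inbound mail for these domains to Stalwart
# texthash: reads plain text without requiring postmap (Alpine has no hash/btree)
relay_domains = main.unkin.net unkin.net
transport_maps = texthash:/etc/postfix/transport
# NOTE(review): relay_recipient_maps is unset, so any address in relay_domains is
# accepted here and unknown users are only rejected by Stalwart afterwards, i.e. bounced
# from our queue (backscatter). Populate relay_recipient_maps, or use
# reject_unverified_recipient if Stalwart can answer recipient-verification probes.

# Relay policy — stated explicitly instead of relying on the built-in default, so an
# image or Postfix version change cannot silently widen it. Only mynetworks and
# SASL-authenticated clients may relay to arbitrary destinations; everyone else is
# limited to relay_domains. Use reject_unauth_destination instead of defer_ once the
# setup is known-good, so relay attempts get a permanent 5xx rather than retries.
# No smtpd_sasl_* settings live in this file: if the submission service (587) in
# master.cf relies on SASL, it must enable it there, otherwise 587 is gated only by
# mynetworks.
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
# Basic hygiene for an internet-facing MX: require HELO/EHLO and disable VRFY
# (address enumeration).
smtpd_helo_required = yes
disable_vrfy_command = yes

# rspamd milter (same namespace — short DNS name resolves)
smtpd_milters = inet:rspamd:11332
non_smtpd_milters = inet:rspamd:11332
# "accept" favours availability: if rspamd is unreachable, inbound mail is delivered
# unscanned and outbound mail leaves without a DKIM signature. Switch to "tempfail" if
# unscanned delivery is unacceptable — senders will retry while rspamd recovers.
milter_default_action = accept
milter_protocol = 6
# {client_addr} is presumably what rspamd feeds its RBL/greylisting checks; it is only
# meaningful if the LoadBalancer preserves the real client IP (see mynetworks note).
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}

# Inbound TLS (cert from cert-manager Certificate resource)
# Opportunistic ("may"): plaintext is still accepted from peers that do not offer
# STARTTLS, which is the correct level for a public MX. The submission service in
# master.cf is expected to override this with "encrypt".
# smtpd_use_tls is the legacy switch; smtpd_tls_security_level takes precedence.
smtpd_use_tls = yes
smtpd_tls_security_level = may
# tls.key holds the private key — the mounted Secret should be root-readable only.
smtpd_tls_cert_file = /etc/postfix/tls/tls.crt
smtpd_tls_key_file = /etc/postfix/tls/tls.key
smtpd_tls_loglevel = 1

# Outbound TLS (opportunistic): encrypts when the next hop offers STARTTLS but does not
# verify its certificate. Raise to "verify"/"dane" per destination if that is needed.
smtp_tls_security_level = may
smtp_tls_loglevel = 1

# Message size limit (50 MiB)
message_size_limit = 52428800
# 0 = unlimited. Irrelevant without local delivery, but must never be smaller than
# message_size_limit.
mailbox_size_limit = 0

# Queue retention
maximal_queue_lifetime = 5d
bounce_queue_lifetime = 1d

# Log to stdout for k8s log collection
maillog_file = /dev/stdout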