Add mail

argocd/applications/mail.yaml

@@ -0,0 +1,16 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: mail
+spec:
+ project: default
+ source:
+ repoURL: git@github.com:hashbang/gitops.git
+ path: mail/
+ targetRevision: HEAD
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: mail
+ syncPolicy:
+ syncOptions:
+ - CreateNamespace=true

argocd/kustomization.yaml

@@ -17,6 +17,7 @@ resources:
  - applications/external-dns.yaml
  - applications/ingress-nginx.yaml
  - applications/ircd.yaml
+ - applications/mail.yaml
  - applications/monitoring.yaml
  - applications/mtls.yaml
  - applications/site.yaml

cert-manager-issuers/prod_issuer.yaml

@@ -16,6 +16,7 @@ spec:
  dnsZones:
  - "irc.hashbang.sh"
  - "hashbang.sh"
+ - "mail.hashbang.sh"
  dns01:
  route53:
  region: us-west-2

mail/README.md

@@ -0,0 +1,5 @@
+# Mail
+
+https://github.com/hashbang/docker-postfix
+
+Delivers mail to the shell servers

mail/certificate.yaml

@@ -0,0 +1,12 @@
+apiVersion: cert-manager.io/v1alpha2
+kind: Certificate
+metadata:
+ namespace: mail
+ name: mail.hashbang.sh
+spec:
+ secretName: mail-certs
+ dnsNames:
+ - mail.hashbang.sh
+ issuerRef:
+ name: letsencrypt-prod
+ kind: ClusterIssuer

mail/files/main.cf

@@ -0,0 +1,52 @@
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+biff = no
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+
+readme_directory = no
+
+# TLS parameters
+smtpd_tls_cert_file = /etc/postfix/certs/tls.crt
+smtpd_tls_key_file = /etc/postfix/certs/tls.key
+smtpd_use_tls=yes
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+# smtpd_tls_CAfile = /etc/postfix/certs/cacert.pem
+smtpd_tls_security_level = may
+smtpd_tls_auth_only = no
+smtpd_tls_loglevel = 1
+smtpd_tls_received_header = yes
+smtpd_tls_session_cache_timeout = 3600s
+smtp_tls_security_level = dane
+smtp_tls_note_starttls_offer = yes
+smtp_dns_support_level = dnssec
+
+# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
+# information on enabling SSL in the smtp client.
+
+smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
+
+myhostname = mail.hashbang.sh
+relay_domains = hashbang.sh
+mydestination = mail.hashbang.sh, hashbang.sh, localhost.hashbang.sh, localhost
+mynetworks = 127.0.0.0/8 46.4.114.111
+relayhost =
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+myorigin = $mydomain
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_interfaces = all
+
+virtual_alias_maps = pgsql:/etc/postfix/userdb-aliases.cf
+
+message_size_limit = 52428800
+
+compatibility_level = 2
+
+# Support PROXY from load balancer
+postscreen_upstream_proxy_protocol = haproxy

mail/files/master.cf

@@ -0,0 +1,116 @@
+#
+# Postfix master process configuration file. For details on the format
+# of the file, see the master(5) manual page (command: "man 5 master" or
+# on-line: http://www.postfix.org/master.5.html).
+#
+# Do not forget to execute "postfix reload" after editing this file.
+#
+# ==========================================================================
+# service type private unpriv chroot wakeup maxproc command + args
+# (yes) (yes) (no) (never) (100)
+# ==========================================================================
+smtp inet n - n - 1 postscreen
+smtpd pass - - n - - smtpd
+#dnsblog unix - - n - 0 dnsblog
+#tlsproxy unix - - n - 0 tlsproxy
+#submission inet n - n - - smtpd
+# -o syslog_name=postfix/submission
+# -o smtpd_tls_security_level=encrypt
+# -o smtpd_sasl_auth_enable=yes
+# -o smtpd_tls_auth_only=yes
+# -o smtpd_reject_unlisted_recipient=no
+# -o smtpd_client_restrictions=$mua_client_restrictions
+# -o smtpd_helo_restrictions=$mua_helo_restrictions
+# -o smtpd_sender_restrictions=$mua_sender_restrictions
+# -o smtpd_recipient_restrictions=
+# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+# -o milter_macro_daemon_name=ORIGINATING
+#smtps inet n - n - - smtpd
+# -o syslog_name=postfix/smtps
+# -o smtpd_tls_wrappermode=yes
+# -o smtpd_sasl_auth_enable=yes
+# -o smtpd_reject_unlisted_recipient=no
+# -o smtpd_client_restrictions=$mua_client_restrictions
+# -o smtpd_helo_restrictions=$mua_helo_restrictions
+# -o smtpd_sender_restrictions=$mua_sender_restrictions
+# -o smtpd_recipient_restrictions=
+# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+# -o milter_macro_daemon_name=ORIGINATING
+#628 inet n - n - - qmqpd
+pickup unix n - n 60 1 pickup
+cleanup unix n - n - 0 cleanup
+qmgr unix n - n 300 1 qmgr
+#qmgr unix n - n 300 1 oqmgr
+tlsmgr unix - - n 1000? 1 tlsmgr
+rewrite unix - - n - - trivial-rewrite
+bounce unix - - n - 0 bounce
+defer unix - - n - 0 bounce
+trace unix - - n - 0 bounce
+verify unix - - n - 1 verify
+flush unix n - n 1000? 0 flush
+proxymap unix - - n - - proxymap
+proxywrite unix - - n - 1 proxymap
+smtp unix - - n - - smtp
+relay unix - - n - - smtp -o syslog_name=postfix/$service_name
+# -o smtp_helo_timeout=5
+# -o smtp_connect_timeout=5
+showq unix n - n - - showq
+error unix - - n - - error
+retry unix - - n - - error
+discard unix - - n - - discard
+local unix - n n - - local
+virtual unix - n n - - virtual
+lmtp unix - - n - - lmtp
+anvil unix - - n - 1 anvil
+scache unix - - n - 1 scache
+postlog unix-dgram n - n - 1 postlogd
+#
+# ====================================================================
+# Interfaces to non-Postfix software. Be sure to examine the manual
+# pages of the non-Postfix software to find out what options it wants.
+#
+# Many of the following services use the Postfix pipe(8) delivery
+# agent. See the pipe(8) man page for information about ${recipient}
+# and other message envelope options.
+# ====================================================================
+#
+# maildrop. See the Postfix MAILDROP_README file for details.
+# Also specify in main.cf: maildrop_destination_recipient_limit=1
+#
+maildrop unix - n n - - pipe flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
+#
+# ====================================================================
+#
+# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
+#
+# Specify in cyrus.conf:
+# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
+#
+# Specify in main.cf one or more of the following:
+# mailbox_transport = lmtp:inet:localhost
+# virtual_transport = lmtp:inet:localhost
+#
+# ====================================================================
+#
+# Cyrus 2.1.5 (Amos Gouaux)
+# Also specify in main.cf: cyrus_destination_recipient_limit=1
+#
+#cyrus unix - n n - - pipe user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
+#
+# ====================================================================
+# Old example of delivery via Cyrus.
+#
+#old-cyrus unix - n n - - pipe flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
+#
+# ====================================================================
+#
+# See the Postfix UUCP_README file for configuration details.
+#
+uucp unix - n n - - pipe flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
+#
+# Other external delivery methods.
+#
+ifmail unix - n n - - pipe flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
+bsmtp unix - n n - - pipe flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
+scalemail-backend unix - n n - 2 pipe flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
+mailman unix - n n - - pipe flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}

mail/files/userdb-aliases.cf

@@ -0,0 +1,5 @@
+# See pgsql_table(5)
+
+domain = hashbang.sh
+hosts = postgresql://mail:userdb-mail-lookup@userdb-attempt-too-do-user-989073-0.db.ondigitalocean.com:25060/userdb?sslmode=require
+query = select name || '@' || host from passwd where name = '%u'

mail/kustomization.yaml

@@ -0,0 +1,20 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: mail
+resources:
+ - resources.yaml
+ - certificate.yaml
+configMapGenerator:
+ - name: mail-config
+ files:
+ - files/main.cf
+ - files/master.cf
+ - files/userdb-aliases.cf
+generators:
+ - secret-generator.yaml
+images:
+ - name: hashbang/postfix
+ digest: sha256:1c9491593e383b95cde6c75a82abcfe2e12e4a26b1656abeaac0bf1f8209b9ee
+ - name: alpine
+ newTag: alpine:3.12.0
+ digest: sha256:a15790640a6690aa1730c38cf0a440e2aa44aaca9b0e8931a9f2b0d7cc90fd65

mail/resources.yaml

@@ -0,0 +1,118 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: mail
+spec:
+ selector:
+ matchLabels:
+ app: mail
+ replicas: 1
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ labels:
+ app: mail
+ spec:
+ shareProcessNamespace: true
+ containers:
+ - name: postfix
+ image: hashbang/postfix
+ command: ["/bin/sh"]
+ args:
+ - "-c"
+ - |
+ ln -sf /etc/postfix/secrets/aliases /etc/aliases;
+ exec bash ./run.sh;
+ ports:
+ - containerPort: 25
+ name: smtp
+ readinessProbe:
+ tcpSocket:
+ port: 25
+ livenessProbe:
+ tcpSocket:
+ port: 25
+ volumeMounts:
+ - mountPath: /etc/postfix/main.cf
+ name: mail-config
+ subPath: main.cf
+ readOnly: true
+ - mountPath: /etc/postfix/master.cf
+ name: mail-config
+ subPath: master.cf
+ readOnly: true
+ - mountPath: /etc/postfix/userdb-aliases.cf
+ name: mail-config
+ subPath: userdb-aliases.cf
+ readOnly: true
+ - mountPath: /etc/postfix/secrets
+ name: mail-secrets
+ readOnly: true
+ - mountPath: /etc/postfix/certs
+ name: mail-certs
+ readOnly: true
+ - mountPath: /var/spool/postfix
+ name: mail-spool
+ - name: config-reloader
+ # image includes busybox's inotifyd + pkill
+ image: alpine
+ command: ["/bin/sh"]
+ args:
+ - "-c"
+ - |
+ echo "Watching /etc/postfix/certs";
+ inotifyd - /etc/postfix/certs:wMymndox | while read -r notifies ; do
+ echo "notify received: $notifies";
+ echo "sending SIGHUP";
+ pkill -HUP tlsmgr;
+ done
+ echo "Exiting.";
+ volumeMounts:
+ - mountPath: /etc/postfix/certs
+ name: mail-certs
+ readOnly: true
+ volumes:
+ - name: mail-config
+ configMap:
+ name: mail-config
+ - name: mail-secrets
+ secret:
+ secretName: mail-secrets
+ - name: mail-certs
+ secret:
+ secretName: mail-certs
+ - name: mail-spool
+ persistentVolumeClaim:
+ claimName: mail-spool
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: mail
+ labels:
+ app: mail
+ annotations:
+ service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true"
+ external-dns.alpha.kubernetes.io/hostname: "mail.hashbang.sh"
+spec:
+ type: LoadBalancer
+ ports:
+ - name: smtp
+ port: 25
+ targetPort: 25
+ selector:
+ app: mail
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: mail-spool
+ labels:
+ app: mail
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi

mail/secret-generator.yaml

@@ -0,0 +1,6 @@
+apiVersion: viaduct.ai/v1
+kind: ksops
+metadata:
+ name: mail-secrets
+files:
+ - ./secrets.enc.yaml