mirror/docker-mailserver.docker-mailserver
1
0
Fork 0
mirror of https://github.com/docker-mailserver/docker-mailserver.git synced 2025-08-03 17:44:49 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 4

deploy: d3b9746c6f

Browse source
This commit is contained in:
github-actions[bot] 2022-01-27 17:13:38 +00:00
parent ebcd9a7028
commit a263ac892d
48 changed files with 1303 additions and 1289 deletions
Download patch file Download diff file Expand all files Collapse all files

590
edge/config/advanced/kubernetes/index.html
View file

@ -15,7 +15,7 @@
<link rel="canonical" href="https://docker-mailserver.github.io/docker-mailserver/edge/config/advanced/kubernetes/">
<link rel="icon" href="../../../assets/logo/favicon-32x32.png">
<meta name="generator" content="mkdocs-1.2.3, mkdocs-material-8.1.1">
<meta name="generator" content="mkdocs-1.2.3, mkdocs-material-8.1.7">
@ -23,7 +23,7 @@
<link rel="stylesheet" href="../../../assets/stylesheets/main.23b6d78a.min.css">
<link rel="stylesheet" href="../../../assets/stylesheets/main.cd566b2a.min.css">
<link rel="stylesheet" href="../../../assets/stylesheets/palette.e6a45f82.min.css">
@ -62,7 +62,7 @@
<script>var palette=__md_get("__palette");if(palette&&"object"==typeof palette.color)for(var[key,value]of Object.entries(palette.color))document.body.setAttribute("data-md-color-"+key,value)</script>
<script>var palette=__md_get("__palette");if(palette&&"object"==typeof palette.color)for(var key of Object.keys(palette.color))document.body.setAttribute("data-md-color-"+key,palette.color[key])</script>
<input class="md-toggle" data-md-toggle="drawer" type="checkbox" id="__drawer" autocomplete="off">
<input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
@ -1718,244 +1718,244 @@
<h2 id="manifests"><a class="toclink" href="#manifests">Manifests</a></h2>
<h3 id="configuration"><a class="toclink" href="#configuration">Configuration</a></h3>
<p>We want to provide the basic configuration in the form of environment variables with a <code>ConfigMap</code>. Note that this is just an example configuration; tune the <code>ConfigMap</code> to your needs.</p>
<div class="highlight"><pre><span></span><code><span class="nn">---</span>
<span class="nt">apiVersion</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">v1</span>
<span class="nt">kind</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">ConfigMap</span>
<div class="highlight"><pre><span></span><code><span class="nn">---</span><span class="w"></span>
<span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v1</span><span class="w"></span>
<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ConfigMap</span><span class="w"></span>
<span class="nt">metadata</span><span class="p">:</span>
<span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">mailserver.environment</span>
<span class="nt">metadata</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">mailserver.environment</span><span class="w"></span>
<span class="nt">immutable</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">true</span> <span class="c1"># turn off during development</span>
<span class="nt">immutable</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">true</span><span class="w"> </span><span class="c1"># turn off during development</span><span class="w"></span>
<span class="nt">data</span><span class="p">:</span>
<span class="nt">TLS_LEVEL</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">modern</span>
<span class="nt">POSTSCREEN_ACTION</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">drop</span>
<span class="nt">OVERRIDE_HOSTNAME</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">mail.example.com</span>
<span class="nt">FAIL2BAN_BLOCKTYPE</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">drop</span>
<span class="nt">POSTMASTER_ADDRESS</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">postmaster@example.com</span>
<span class="nt">UPDATE_CHECK_INTERVAL</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">10d</span>
<span class="nt">POSTFIX_INET_PROTOCOLS</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">ipv4</span>
<span class="nt">ONE_DIR</span><span class="p">:</span> <span class="s">&#39;1&#39;</span>
<span class="nt">DMS_DEBUG</span><span class="p">:</span> <span class="s">&#39;0&#39;</span>
<span class="nt">ENABLE_CLAMAV</span><span class="p">:</span> <span class="s">&#39;1&#39;</span>
<span class="nt">ENABLE_POSTGREY</span><span class="p">:</span> <span class="s">&#39;0&#39;</span>
<span class="nt">ENABLE_FAIL2BAN</span><span class="p">:</span> <span class="s">&#39;1&#39;</span>
<span class="nt">AMAVIS_LOGLEVEL</span><span class="p">:</span> <span class="s">&#39;-1&#39;</span>
<span class="nt">SPOOF_PROTECTION</span><span class="p">:</span> <span class="s">&#39;1&#39;</span>
<span class="nt">MOVE_SPAM_TO_JUNK</span><span class="p">:</span> <span class="s">&#39;1&#39;</span>
<span class="nt">ENABLE_UPDATE_CHECK</span><span class="p">:</span> <span class="s">&#39;1&#39;</span>
<span class="nt">ENABLE_SPAMASSASSIN</span><span class="p">:</span> <span class="s">&#39;1&#39;</span>
<span class="nt">SUPERVISOR_LOGLEVEL</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">warn</span>
<span class="nt">SPAMASSASSIN_SPAM_TO_INBOX</span><span class="p">:</span> <span class="s">&#39;1&#39;</span>
<span class="nt">data</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">TLS_LEVEL</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">modern</span><span class="w"></span>
<span class="w"> </span><span class="nt">POSTSCREEN_ACTION</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">drop</span><span class="w"></span>
<span class="w"> </span><span class="nt">OVERRIDE_HOSTNAME</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">mail.example.com</span><span class="w"></span>
<span class="w"> </span><span class="nt">FAIL2BAN_BLOCKTYPE</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">drop</span><span class="w"></span>
<span class="w"> </span><span class="nt">POSTMASTER_ADDRESS</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">postmaster@example.com</span><span class="w"></span>
<span class="w"> </span><span class="nt">UPDATE_CHECK_INTERVAL</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">10d</span><span class="w"></span>
<span class="w"> </span><span class="nt">POSTFIX_INET_PROTOCOLS</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ipv4</span><span class="w"></span>
<span class="w"> </span><span class="nt">ONE_DIR</span><span class="p">:</span><span class="w"> </span><span class="s">&#39;1&#39;</span><span class="w"></span>
<span class="w"> </span><span class="nt">DMS_DEBUG</span><span class="p">:</span><span class="w"> </span><span class="s">&#39;0&#39;</span><span class="w"></span>
<span class="w"> </span><span class="nt">ENABLE_CLAMAV</span><span class="p">:</span><span class="w"> </span><span class="s">&#39;1&#39;</span><span class="w"></span>
<span class="w"> </span><span class="nt">ENABLE_POSTGREY</span><span class="p">:</span><span class="w"> </span><span class="s">&#39;0&#39;</span><span class="w"></span>
<span class="w"> </span><span class="nt">ENABLE_FAIL2BAN</span><span class="p">:</span><span class="w"> </span><span class="s">&#39;1&#39;</span><span class="w"></span>
<span class="w"> </span><span class="nt">AMAVIS_LOGLEVEL</span><span class="p">:</span><span class="w"> </span><span class="s">&#39;-1&#39;</span><span class="w"></span>
<span class="w"> </span><span class="nt">SPOOF_PROTECTION</span><span class="p">:</span><span class="w"> </span><span class="s">&#39;1&#39;</span><span class="w"></span>
<span class="w"> </span><span class="nt">MOVE_SPAM_TO_JUNK</span><span class="p">:</span><span class="w"> </span><span class="s">&#39;1&#39;</span><span class="w"></span>
<span class="w"> </span><span class="nt">ENABLE_UPDATE_CHECK</span><span class="p">:</span><span class="w"> </span><span class="s">&#39;1&#39;</span><span class="w"></span>
<span class="w"> </span><span class="nt">ENABLE_SPAMASSASSIN</span><span class="p">:</span><span class="w"> </span><span class="s">&#39;1&#39;</span><span class="w"></span>
<span class="w"> </span><span class="nt">SUPERVISOR_LOGLEVEL</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">warn</span><span class="w"></span>
<span class="w"> </span><span class="nt">SPAMASSASSIN_SPAM_TO_INBOX</span><span class="p">:</span><span class="w"> </span><span class="s">&#39;1&#39;</span><span class="w"></span>
</code></pre></div>
<p>We can also make use of user-provided configuration files, e.g. <code>user-patches.sh</code>, <code>postfix-accounts.cf</code> and more, to adjust <code>docker-mailserver</code> to our likings. We encourage you to have a look at <a href="https://kustomize.io/">Kustomize</a> for creating <code>ConfigMap</code>s from multiple files, but for now, we will provide a simple, hand-written example. This example is absolutely minimal and only goes to show what can be done.</p>
<div class="highlight"><pre><span></span><code><span class="nn">---</span>
<span class="nt">apiVersion</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">v1</span>
<span class="nt">kind</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">ConfigMap</span>
<div class="highlight"><pre><span></span><code><span class="nn">---</span><span class="w"></span>
<span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v1</span><span class="w"></span>
<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ConfigMap</span><span class="w"></span>
<span class="nt">metadata</span><span class="p">:</span>
<span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">mailserver.files</span>
<span class="nt">metadata</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">mailserver.files</span><span class="w"></span>
<span class="nt">data</span><span class="p">:</span>
<span class="nt">postfix-accounts.cf</span><span class="p">:</span> <span class="p p-Indicator">|</span>
<span class="no">test@example.com|{SHA512-CRYPT}$6$someHashValueHere</span>
<span class="no">other@example.com|{SHA512-CRYPT}$6$someOtherHashValueHere</span>
<span class="nt">data</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">postfix-accounts.cf</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">|</span><span class="w"></span>
<span class="w"> </span><span class="no">test@example.com|{SHA512-CRYPT}$6$someHashValueHere</span><span class="w"></span>
<span class="w"> </span><span class="no">other@example.com|{SHA512-CRYPT}$6$someOtherHashValueHere</span><span class="w"></span>
</code></pre></div>
<h3 id="persistence"><a class="toclink" href="#persistence">Persistence</a></h3>
<p>Thereafter, we need persistence for our data.</p>
<div class="highlight"><pre><span></span><code><span class="nn">---</span>
<span class="nt">apiVersion</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">v1</span>
<span class="nt">kind</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">PersistentVolumeClaim</span>
<div class="highlight"><pre><span></span><code><span class="nn">---</span><span class="w"></span>
<span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v1</span><span class="w"></span>
<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">PersistentVolumeClaim</span><span class="w"></span>
<span class="nt">metadata</span><span class="p">:</span>
<span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">data</span>
<span class="nt">metadata</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">data</span><span class="w"></span>
<span class="nt">spec</span><span class="p">:</span>
<span class="nt">storageClassName</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">local-path</span>
<span class="nt">accessModes</span><span class="p">:</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">ReadWriteOnce</span>
<span class="nt">resources</span><span class="p">:</span>
<span class="nt">requests</span><span class="p">:</span>
<span class="nt">storage</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">25Gi</span>
<span class="nt">spec</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">storageClassName</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">local-path</span><span class="w"></span>
<span class="w"> </span><span class="nt">accessModes</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ReadWriteOnce</span><span class="w"></span>
<span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">requests</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">storage</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">25Gi</span><span class="w"></span>
</code></pre></div>
<h3 id="service"><a class="toclink" href="#service">Service</a></h3>
<p>A <code>Service</code> is required for getting the traffic to the pod itself. The service is somewhat crucial. Its configuration determines whether the original IP from the sender will be kept. <a href="#exposing-your-mail-server-to-the-outside-world">More about this further down below</a>.</p>
<p>The configuration you're seeing does keep the original IP, but you will not be able to scale this way. We have chosen to go this route in this case because we think most K8s users will only want to have one instance anyway, and users that need high availability know how to do it anyways.</p>
<div class="highlight"><pre><span></span><code><span class="nn">---</span>
<span class="nt">apiVersion</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">v1</span>
<span class="nt">kind</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">Service</span>
<div class="highlight"><pre><span></span><code><span class="nn">---</span><span class="w"></span>
<span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v1</span><span class="w"></span>
<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Service</span><span class="w"></span>
<span class="nt">metadata</span><span class="p">:</span>
<span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">mailserver</span>
<span class="nt">labels</span><span class="p">:</span>
<span class="nt">app</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">mailserver</span>
<span class="nt">metadata</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">mailserver</span><span class="w"></span>
<span class="w"> </span><span class="nt">labels</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">app</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">mailserver</span><span class="w"></span>
<span class="nt">spec</span><span class="p">:</span>
<span class="nt">type</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">LoadBalancer</span>
<span class="nt">externalTrafficPolicy</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">Local</span>
<span class="nt">spec</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">LoadBalancer</span><span class="w"></span>
<span class="w"> </span><span class="nt">externalTrafficPolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Local</span><span class="w"></span>
<span class="nt">selector</span><span class="p">:</span>
<span class="nt">app</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">mailserver</span>
<span class="w"> </span><span class="nt">selector</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">app</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">mailserver</span><span class="w"></span>
<span class="nt">ports</span><span class="p">:</span>
<span class="c1"># Transfer</span>
<span class="p p-Indicator">-</span> <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">transfer</span>
<span class="nt">port</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">25</span>
<span class="nt">targetPort</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">transfer</span>
<span class="nt">protocol</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">TCP</span>
<span class="c1"># ESMTP with implicit TLS</span>
<span class="p p-Indicator">-</span> <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">esmtp-implicit</span>
<span class="nt">port</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">465</span>
<span class="nt">targetPort</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">esmtp-implicit</span>
<span class="nt">protocol</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">TCP</span>
<span class="c1"># ESMTP with explicit TLS (STARTTLS)</span>
<span class="p p-Indicator">-</span> <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">esmtp-explicit</span>
<span class="nt">port</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">587</span>
<span class="nt">targetPort</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">esmtp-explicit</span>
<span class="nt">protocol</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">TCP</span>
<span class="c1"># IMAPS with implicit TLS</span>
<span class="p p-Indicator">-</span> <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">imap-implicit</span>
<span class="nt">port</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">993</span>
<span class="nt">targetPort</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">imap-implicit</span>
<span class="nt">protocol</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">TCP</span>
<span class="w"> </span><span class="nt">ports</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="c1"># Transfer</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">transfer</span><span class="w"></span>
<span class="w"> </span><span class="nt">port</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">25</span><span class="w"></span>
<span class="w"> </span><span class="nt">targetPort</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">transfer</span><span class="w"></span>
<span class="w"> </span><span class="nt">protocol</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">TCP</span><span class="w"></span>
<span class="w"> </span><span class="c1"># ESMTP with implicit TLS</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">esmtp-implicit</span><span class="w"></span>
<span class="w"> </span><span class="nt">port</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">465</span><span class="w"></span>
<span class="w"> </span><span class="nt">targetPort</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">esmtp-implicit</span><span class="w"></span>
<span class="w"> </span><span class="nt">protocol</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">TCP</span><span class="w"></span>
<span class="w"> </span><span class="c1"># ESMTP with explicit TLS (STARTTLS)</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">esmtp-explicit</span><span class="w"></span>
<span class="w"> </span><span class="nt">port</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">587</span><span class="w"></span>
<span class="w"> </span><span class="nt">targetPort</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">esmtp-explicit</span><span class="w"></span>
<span class="w"> </span><span class="nt">protocol</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">TCP</span><span class="w"></span>
<span class="w"> </span><span class="c1"># IMAPS with implicit TLS</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">imap-implicit</span><span class="w"></span>
<span class="w"> </span><span class="nt">port</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">993</span><span class="w"></span>
<span class="w"> </span><span class="nt">targetPort</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">imap-implicit</span><span class="w"></span>
<span class="w"> </span><span class="nt">protocol</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">TCP</span><span class="w"></span>
</code></pre></div>
<h3 id="deployments"><a class="toclink" href="#deployments">Deployments</a></h3>
<p>Last but not least, the <code>Deployment</code> becomes the most complex component. It instructs Kubernetes how to run the docker-mailserver container and how to apply your ConfigMaps and persisted storage. Additionally, we can set options to enforce runtime security here.</p>
<div class="highlight"><pre><span></span><code><span class="nn">---</span>
<span class="nt">apiVersion</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">apps/v1</span>
<span class="nt">kind</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">Deployment</span>
<div class="highlight"><pre><span></span><code><span class="nn">---</span><span class="w"></span>
<span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">apps/v1</span><span class="w"></span>
<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Deployment</span><span class="w"></span>
<span class="nt">metadata</span><span class="p">:</span>
<span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">mailserver</span>
<span class="nt">metadata</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">mailserver</span><span class="w"></span>
<span class="nt">annotations</span><span class="p">:</span>
<span class="nt">ignore-check.kube-linter.io/run-as-non-root</span><span class="p">:</span> <span class="p p-Indicator">&gt;-</span>
<span class="no">&#39;mailserver&#39; needs to run as root</span>
<span class="nt">ignore-check.kube-linter.io/privileged-ports</span><span class="p">:</span> <span class="p p-Indicator">&gt;-</span>
<span class="no">&#39;mailserver&#39; needs privilegdes ports</span>
<span class="nt">ignore-check.kube-linter.io/no-read-only-root-fs</span><span class="p">:</span> <span class="p p-Indicator">&gt;-</span>
<span class="no">There are too many files written to make The</span>
<span class="no">root FS read-only</span>
<span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">ignore-check.kube-linter.io/run-as-non-root</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">&gt;-</span><span class="w"></span>
<span class="w"> </span><span class="no">&#39;mailserver&#39; needs to run as root</span><span class="w"></span>
<span class="w"> </span><span class="nt">ignore-check.kube-linter.io/privileged-ports</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">&gt;-</span><span class="w"></span>
<span class="w"> </span><span class="no">&#39;mailserver&#39; needs privilegdes ports</span><span class="w"></span>
<span class="w"> </span><span class="nt">ignore-check.kube-linter.io/no-read-only-root-fs</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">&gt;-</span><span class="w"></span>
<span class="w"> </span><span class="no">There are too many files written to make The</span><span class="w"></span>
<span class="w"> </span><span class="no">root FS read-only</span><span class="w"></span>
<span class="nt">spec</span><span class="p">:</span>
<span class="nt">replicas</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">1</span>
<span class="nt">selector</span><span class="p">:</span>
<span class="nt">matchLabels</span><span class="p">:</span>
<span class="nt">app</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">mailserver</span>
<span class="nt">spec</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">replicas</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">1</span><span class="w"></span>
<span class="w"> </span><span class="nt">selector</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">matchLabels</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">app</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">mailserver</span><span class="w"></span>
<span class="nt">template</span><span class="p">:</span>
<span class="nt">metadata</span><span class="p">:</span>
<span class="nt">labels</span><span class="p">:</span>
<span class="nt">app</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">mailserver</span>
<span class="w"> </span><span class="nt">template</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">labels</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">app</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">mailserver</span><span class="w"></span>
<span class="nt">annotations</span><span class="p">:</span>
<span class="nt">container.apparmor.security.beta.kubernetes.io/mailserver</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">runtime/default</span>
<span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">container.apparmor.security.beta.kubernetes.io/mailserver</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">runtime/default</span><span class="w"></span>
<span class="nt">spec</span><span class="p">:</span>
<span class="nt">hostname</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">mail</span>
<span class="nt">containers</span><span class="p">:</span>
<span class="p p-Indicator">-</span> <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">mailserver</span>
<span class="nt">image</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">docker.io/docker-mailserver/docker-mailserver:latest</span>
<span class="nt">imagePullPolicy</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">IfNotPresent</span>
<span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">hostname</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">mail</span><span class="w"></span>
<span class="w"> </span><span class="nt">containers</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">mailserver</span><span class="w"></span>
<span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">docker.io/docker-mailserver/docker-mailserver:latest</span><span class="w"></span>
<span class="w"> </span><span class="nt">imagePullPolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">IfNotPresent</span><span class="w"></span>
<span class="nt">securityContext</span><span class="p">:</span>
<span class="nt">allowPrivilegeEscalation</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">false</span>
<span class="nt">readOnlyRootFilesystem</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">false</span>
<span class="nt">runAsUser</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">0</span>
<span class="nt">runAsGroup</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">0</span>
<span class="nt">runAsNonRoot</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">false</span>
<span class="nt">privileged</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">false</span>
<span class="nt">capabilities</span><span class="p">:</span>
<span class="nt">add</span><span class="p">:</span>
<span class="c1"># file permission capabilities</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">CHOWN</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">FOWNER</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">MKNOD</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">SETGID</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">SETUID</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">DAC_OVERRIDE</span>
<span class="c1"># network capabilities</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">NET_ADMIN</span> <span class="c1"># needed for F2B</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">NET_RAW</span> <span class="c1"># needed for F2B</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">NET_BIND_SERVICE</span>
<span class="c1"># miscellaneous capabilities</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">SYS_CHROOT</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">SYS_PTRACE</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">KILL</span>
<span class="nt">drop</span><span class="p">:</span> <span class="p p-Indicator">[</span><span class="nv">ALL</span><span class="p p-Indicator">]</span>
<span class="nt">seccompProfile</span><span class="p">:</span>
<span class="nt">type</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">RuntimeDefault</span>
<span class="w"> </span><span class="nt">securityContext</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">allowPrivilegeEscalation</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">false</span><span class="w"></span>
<span class="w"> </span><span class="nt">readOnlyRootFilesystem</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">false</span><span class="w"></span>
<span class="w"> </span><span class="nt">runAsUser</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">0</span><span class="w"></span>
<span class="w"> </span><span class="nt">runAsGroup</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">0</span><span class="w"></span>
<span class="w"> </span><span class="nt">runAsNonRoot</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">false</span><span class="w"></span>
<span class="w"> </span><span class="nt">privileged</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">false</span><span class="w"></span>
<span class="w"> </span><span class="nt">capabilities</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">add</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="c1"># file permission capabilities</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">CHOWN</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">FOWNER</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">MKNOD</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SETGID</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SETUID</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">DAC_OVERRIDE</span><span class="w"></span>
<span class="w"> </span><span class="c1"># network capabilities</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">NET_ADMIN</span><span class="w"> </span><span class="c1"># needed for F2B</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">NET_RAW</span><span class="w"> </span><span class="c1"># needed for F2B</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">NET_BIND_SERVICE</span><span class="w"></span>
<span class="w"> </span><span class="c1"># miscellaneous capabilities</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SYS_CHROOT</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SYS_PTRACE</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">KILL</span><span class="w"></span>
<span class="w"> </span><span class="nt">drop</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">[</span><span class="nv">ALL</span><span class="p p-Indicator">]</span><span class="w"></span>
<span class="w"> </span><span class="nt">seccompProfile</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">RuntimeDefault</span><span class="w"></span>
<span class="c1"># You want to tune this to your needs. If you disable ClamAV,</span>
<span class="c1"># you can use less RAM and CPU. This becomes important in</span>
<span class="c1"># case you&#39;re low on resources and Kubernetes refuses to</span>
<span class="c1"># schedule new pods.</span>
<span class="nt">resources</span><span class="p">:</span>
<span class="nt">limits</span><span class="p">:</span>
<span class="nt">memory</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">4Gi</span>
<span class="nt">cpu</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">1500m</span>
<span class="nt">requests</span><span class="p">:</span>
<span class="nt">memory</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">2Gi</span>
<span class="nt">cpu</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">600m</span>
<span class="w"> </span><span class="c1"># You want to tune this to your needs. If you disable ClamAV,</span><span class="w"></span>
<span class="w"> </span><span class="c1"># you can use less RAM and CPU. This becomes important in</span><span class="w"></span>
<span class="w"> </span><span class="c1"># case you&#39;re low on resources and Kubernetes refuses to</span><span class="w"></span>
<span class="w"> </span><span class="c1"># schedule new pods.</span><span class="w"></span>
<span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">limits</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">memory</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">4Gi</span><span class="w"></span>
<span class="w"> </span><span class="nt">cpu</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">1500m</span><span class="w"></span>
<span class="w"> </span><span class="nt">requests</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">memory</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">2Gi</span><span class="w"></span>
<span class="w"> </span><span class="nt">cpu</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">600m</span><span class="w"></span>
<span class="nt">volumeMounts</span><span class="p">:</span>
<span class="p p-Indicator">-</span> <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">files</span>
<span class="nt">subPath</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">postfix-accounts.cf</span>
<span class="nt">mountPath</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">/tmp/docker-mailserver/postfix-accounts.cf</span>
<span class="nt">readOnly</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">true</span>
<span class="w"> </span><span class="nt">volumeMounts</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">files</span><span class="w"></span>
<span class="w"> </span><span class="nt">subPath</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">postfix-accounts.cf</span><span class="w"></span>
<span class="w"> </span><span class="nt">mountPath</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/tmp/docker-mailserver/postfix-accounts.cf</span><span class="w"></span>
<span class="w"> </span><span class="nt">readOnly</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">true</span><span class="w"></span>
<span class="c1"># PVCs</span>
<span class="p p-Indicator">-</span> <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">data</span>
<span class="nt">mountPath</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">/var/mail</span>
<span class="nt">subPath</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">data</span>
<span class="nt">readOnly</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">false</span>
<span class="p p-Indicator">-</span> <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">data</span>
<span class="nt">mountPath</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">/var/mail-state</span>
<span class="nt">subPath</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">state</span>
<span class="nt">readOnly</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">false</span>
<span class="p p-Indicator">-</span> <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">data</span>
<span class="nt">mountPath</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">/var/log/mail</span>
<span class="nt">subPath</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">log</span>
<span class="nt">readOnly</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">false</span>
<span class="w"> </span><span class="c1"># PVCs</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">data</span><span class="w"></span>
<span class="w"> </span><span class="nt">mountPath</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/var/mail</span><span class="w"></span>
<span class="w"> </span><span class="nt">subPath</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">data</span><span class="w"></span>
<span class="w"> </span><span class="nt">readOnly</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">false</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">data</span><span class="w"></span>
<span class="w"> </span><span class="nt">mountPath</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/var/mail-state</span><span class="w"></span>
<span class="w"> </span><span class="nt">subPath</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">state</span><span class="w"></span>
<span class="w"> </span><span class="nt">readOnly</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">false</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">data</span><span class="w"></span>
<span class="w"> </span><span class="nt">mountPath</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/var/log/mail</span><span class="w"></span>
<span class="w"> </span><span class="nt">subPath</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">log</span><span class="w"></span>
<span class="w"> </span><span class="nt">readOnly</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">false</span><span class="w"></span>
<span class="c1"># other</span>
<span class="p p-Indicator">-</span> <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">tmp-files</span>
<span class="nt">mountPath</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">/tmp</span>
<span class="nt">readOnly</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">false</span>
<span class="w"> </span><span class="c1"># other</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">tmp-files</span><span class="w"></span>
<span class="w"> </span><span class="nt">mountPath</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/tmp</span><span class="w"></span>
<span class="w"> </span><span class="nt">readOnly</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">false</span><span class="w"></span>
<span class="nt">ports</span><span class="p">:</span>
<span class="p p-Indicator">-</span> <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">transfer</span>
<span class="nt">containerPort</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">25</span>
<span class="nt">protocol</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">TCP</span>
<span class="p p-Indicator">-</span> <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">esmtp-implicit</span>
<span class="nt">containerPort</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">465</span>
<span class="nt">protocol</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">TCP</span>
<span class="p p-Indicator">-</span> <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">esmtp-explicit</span>
<span class="nt">containerPort</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">587</span>
<span class="p p-Indicator">-</span> <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">imap-implicit</span>
<span class="nt">containerPort</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">993</span>
<span class="nt">protocol</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">TCP</span>
<span class="w"> </span><span class="nt">ports</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">transfer</span><span class="w"></span>
<span class="w"> </span><span class="nt">containerPort</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">25</span><span class="w"></span>
<span class="w"> </span><span class="nt">protocol</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">TCP</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">esmtp-implicit</span><span class="w"></span>
<span class="w"> </span><span class="nt">containerPort</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">465</span><span class="w"></span>
<span class="w"> </span><span class="nt">protocol</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">TCP</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">esmtp-explicit</span><span class="w"></span>
<span class="w"> </span><span class="nt">containerPort</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">587</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">imap-implicit</span><span class="w"></span>
<span class="w"> </span><span class="nt">containerPort</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">993</span><span class="w"></span>
<span class="w"> </span><span class="nt">protocol</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">TCP</span><span class="w"></span>
<span class="nt">envFrom</span><span class="p">:</span>
<span class="p p-Indicator">-</span> <span class="nt">configMapRef</span><span class="p">:</span>
<span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">mailserver.environment</span>
<span class="w"> </span><span class="nt">envFrom</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">configMapRef</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">mailserver.environment</span><span class="w"></span>
<span class="nt">restartPolicy</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">Always</span>
<span class="w"> </span><span class="nt">restartPolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Always</span><span class="w"></span>
<span class="nt">volumes</span><span class="p">:</span>
<span class="c1"># configuration files</span>
<span class="p p-Indicator">-</span> <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">files</span>
<span class="nt">configMap</span><span class="p">:</span>
<span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">mailserver.files</span>
<span class="w"> </span><span class="nt">volumes</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="c1"># configuration files</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">files</span><span class="w"></span>
<span class="w"> </span><span class="nt">configMap</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">mailserver.files</span><span class="w"></span>
<span class="c1"># PVCs</span>
<span class="p p-Indicator">-</span> <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">data</span>
<span class="nt">persistentVolumeClaim</span><span class="p">:</span>
<span class="nt">claimName</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">data</span>
<span class="w"> </span><span class="c1"># PVCs</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">data</span><span class="w"></span>
<span class="w"> </span><span class="nt">persistentVolumeClaim</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">claimName</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">data</span><span class="w"></span>
<span class="c1"># other</span>
<span class="p p-Indicator">-</span> <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">tmp-files</span>
<span class="nt">emptyDir</span><span class="p">:</span> <span class="p p-Indicator">{}</span>
<span class="w"> </span><span class="c1"># other</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">tmp-files</span><span class="w"></span>
<span class="w"> </span><span class="nt">emptyDir</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">{}</span><span class="w"></span>
</code></pre></div>
<h3 id="sensitive-data"><a class="toclink" href="#sensitive-data">Sensitive Data</a></h3>
<p>By now, <code>docker-mailserver</code> starts, but does not really work for long (or at all), because we're lacking certificates. The <a href="../../security/ssl/">TLS docs page</a> provides guidance for various approaches.</p>
@ -1965,29 +1965,29 @@
</div>
<h2 id="exposing-your-mail-server-to-the-outside-world"><a class="toclink" href="#exposing-your-mail-server-to-the-outside-world">Exposing your Mail-Server to the Outside World</a></h2>
<p>The more difficult part with K8s is to expose a deployed <code>docker-mailserver</code> to the outside world. K8s provides multiple ways for doing that; each has downsides and complexity. The major problem with exposing <code>docker-mailserver</code> to outside world in K8s is to <a href="https://kubernetes.io/docs/tutorials/services/source-ip">preserve the real client IP</a>. The real client IP is required by <code>docker-mailserver</code> for performing IP-based SPF checks and spam checks. If you do not require SPF checks for incoming mails, you may disable them in your <a href="../override-defaults/postfix/">Postfix configuration</a> by dropping the line that states: <code>check_policy_service unix:private/policyd-spf</code>.</p>
<p>The easiest approach was covered above, using <code class="highlight"><span class="nt">externalTrafficPolicy</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">Local</span></code>, which disables the service proxy, but makes the service local as well (which does not scale). This approach only works when you are given the correct (that is, a public and routable) IP address by a load balancer (like MetalLB). In this sense, the approach above is similar to the next example below. We want to provide you with a few alternatives too. <strong>But</strong> we also want to communicate the idea of another simple method: you could use a load-balancer without an external IP and DNAT the network traffic to the mail-server. After all, this does not interfere with SPF checks because it keeps the origin IP address. If no dedicated external IP address is available, you could try the latter approach, if one is available, use the former.</p>
<p>The easiest approach was covered above, using <code class="highlight"><span class="nt">externalTrafficPolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Local</span><span class="w"></span></code>, which disables the service proxy, but makes the service local as well (which does not scale). This approach only works when you are given the correct (that is, a public and routable) IP address by a load balancer (like MetalLB). In this sense, the approach above is similar to the next example below. We want to provide you with a few alternatives too. <strong>But</strong> we also want to communicate the idea of another simple method: you could use a load-balancer without an external IP and DNAT the network traffic to the mail-server. After all, this does not interfere with SPF checks because it keeps the origin IP address. If no dedicated external IP address is available, you could try the latter approach, if one is available, use the former.</p>
<h3 id="external-ips-service"><a class="toclink" href="#external-ips-service">External IPs Service</a></h3>
<p>The simplest way is to expose <code>docker-mailserver</code> as a <a href="https://kubernetes.io/docs/concepts/services-networking/service">Service</a> with <a href="https://kubernetes.io/docs/concepts/services-networking/service/#external-ips">external IPs</a>. This is very similar to the approach taken above. Here, an external IP is given to the service directly by you. With the approach above, you tell your load-balancer to do this.</p>
<div class="highlight"><pre><span></span><code><span class="nn">---</span>
<span class="nt">apiVersion</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">v1</span>
<span class="nt">kind</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">Service</span>
<div class="highlight"><pre><span></span><code><span class="nn">---</span><span class="w"></span>
<span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v1</span><span class="w"></span>
<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Service</span><span class="w"></span>
<span class="nt">metadata</span><span class="p">:</span>
<span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">mailserver</span>
<span class="nt">labels</span><span class="p">:</span>
<span class="nt">app</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">mailserver</span>
<span class="nt">metadata</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">mailserver</span><span class="w"></span>
<span class="w"> </span><span class="nt">labels</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">app</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">mailserver</span><span class="w"></span>
<span class="nt">spec</span><span class="p">:</span>
<span class="nt">selector</span><span class="p">:</span>
<span class="nt">app</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">mailserver</span>
<span class="nt">ports</span><span class="p">:</span>
<span class="p p-Indicator">-</span> <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">smtp</span>
<span class="nt">port</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">25</span>
<span class="nt">targetPort</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">smtp</span>
<span class="c1"># ...</span>
<span class="nt">spec</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">selector</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">app</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">mailserver</span><span class="w"></span>
<span class="w"> </span><span class="nt">ports</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">smtp</span><span class="w"></span>
<span class="w"> </span><span class="nt">port</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">25</span><span class="w"></span>
<span class="w"> </span><span class="nt">targetPort</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">smtp</span><span class="w"></span>
<span class="w"> </span><span class="c1"># ...</span><span class="w"></span>
<span class="nt">externalIPs</span><span class="p">:</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">80.11.12.10</span>
<span class="w"> </span><span class="nt">externalIPs</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">80.11.12.10</span><span class="w"></span>
</code></pre></div>
<p>This approach</p>
<ul>
@ -2002,31 +2002,31 @@
</ul>
<h3 id="bind-to-concrete-node-and-use-host-network"><a class="toclink" href="#bind-to-concrete-node-and-use-host-network">Bind to concrete Node and use host network</a></h3>
<p>One way to preserve the real client IP is to use <code>hostPort</code> and <code>hostNetwork: true</code>. This comes at the cost of availability; you can reach <code>docker-mailserver</code> from the outside world only via IPs of <a href="https://kubernetes.io/docs/concepts/architecture/nodes">Node</a> where <code>docker-mailserver</code> is deployed.</p>
<div class="highlight"><pre><span></span><code><span class="nn">---</span>
<span class="nt">apiVersion</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">extensions/v1beta1</span>
<span class="nt">kind</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">Deployment</span>
<div class="highlight"><pre><span></span><code><span class="nn">---</span><span class="w"></span>
<span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">extensions/v1beta1</span><span class="w"></span>
<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Deployment</span><span class="w"></span>
<span class="nt">metadata</span><span class="p">:</span>
<span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">mailserver</span>
<span class="nt">metadata</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">mailserver</span><span class="w"></span>
<span class="c1"># ...</span>
<span class="nt">spec</span><span class="p">:</span>
<span class="nt">hostNetwork</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">true</span>
<span class="c1"># ...</span><span class="w"></span>
<span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">hostNetwork</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">true</span><span class="w"></span>
<span class="c1"># ...</span>
<span class="nt">containers</span><span class="p">:</span>
<span class="c1"># ...</span>
<span class="nt">ports</span><span class="p">:</span>
<span class="p p-Indicator">-</span> <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">smtp</span>
<span class="nt">containerPort</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">25</span>
<span class="nt">hostPort</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">25</span>
<span class="p p-Indicator">-</span> <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">smtp-auth</span>
<span class="nt">containerPort</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">587</span>
<span class="nt">hostPort</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">587</span>
<span class="p p-Indicator">-</span> <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">imap-secure</span>
<span class="nt">containerPort</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">993</span>
<span class="nt">hostPort</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">993</span>
<span class="c1"># ...</span>
<span class="w"> </span><span class="c1"># ...</span><span class="w"></span>
<span class="w"> </span><span class="nt">containers</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="c1"># ...</span><span class="w"></span>
<span class="w"> </span><span class="nt">ports</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">smtp</span><span class="w"></span>
<span class="w"> </span><span class="nt">containerPort</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">25</span><span class="w"></span>
<span class="w"> </span><span class="nt">hostPort</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">25</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">smtp-auth</span><span class="w"></span>
<span class="w"> </span><span class="nt">containerPort</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">587</span><span class="w"></span>
<span class="w"> </span><span class="nt">hostPort</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">587</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">imap-secure</span><span class="w"></span>
<span class="w"> </span><span class="nt">containerPort</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">993</span><span class="w"></span>
<span class="w"> </span><span class="nt">hostPort</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">993</span><span class="w"></span>
<span class="w"> </span><span class="c1"># ...</span><span class="w"></span>
</code></pre></div>
<p>With this approach,</p>
<ul>
@ -2037,10 +2037,10 @@
<p>This way is ideologically the same as <a href="#proxy-port-to-service">using a proxy pod</a>, but instead of a separate proxy pod, you configure your ingress to proxy TCP traffic to the <code>docker-mailserver</code> pod using the PROXY protocol, which preserves the real client IP.</p>
<h4 id="configure-your-ingress"><a class="toclink" href="#configure-your-ingress">Configure your Ingress</a></h4>
<p>With an <a href="https://kubernetes.github.io/ingress-nginx">NGINX ingress controller</a>, set <code>externalTrafficPolicy: Local</code> for its service, and add the following to the TCP services config map (as described <a href="https://kubernetes.github.io/ingress-nginx/user-guide/exposing-tcp-udp-services">here</a>):</p>
<div class="highlight"><pre><span></span><code><span class="nt">25</span><span class="p">:</span> <span class="s">&quot;mailserver/mailserver:25::PROXY&quot;</span>
<span class="nt">465</span><span class="p">:</span> <span class="s">&quot;mailserver/mailserver:465::PROXY&quot;</span>
<span class="nt">587</span><span class="p">:</span> <span class="s">&quot;mailserver/mailserver:587::PROXY&quot;</span>
<span class="nt">993</span><span class="p">:</span> <span class="s">&quot;mailserver/mailserver:993::PROXY&quot;</span>
<div class="highlight"><pre><span></span><code><span class="nt">25</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;mailserver/mailserver:25::PROXY&quot;</span><span class="w"></span>
<span class="nt">465</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;mailserver/mailserver:465::PROXY&quot;</span><span class="w"></span>
<span class="nt">587</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;mailserver/mailserver:587::PROXY&quot;</span><span class="w"></span>
<span class="nt">993</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;mailserver/mailserver:993::PROXY&quot;</span><span class="w"></span>
</code></pre></div>
<div class="admonition help">
<p class="admonition-title">HAProxy</p>
@ -2050,55 +2050,55 @@
<p>Then, configure both <a href="../override-defaults/postfix/">Postfix</a> and <a href="../override-defaults/dovecot/">Dovecot</a> to expect the PROXY protocol:</p>
<details class="example">
<summary>HAProxy Example</summary>
<div class="highlight"><pre><span></span><code><span class="nt">kind</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">ConfigMap</span>
<span class="nt">apiVersion</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">v1</span>
<span class="nt">metadata</span><span class="p">:</span>
<span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">mailserver.config</span>
<span class="nt">labels</span><span class="p">:</span>
<span class="nt">app</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">mailserver</span>
<span class="nt">data</span><span class="p">:</span>
<span class="nt">postfix-main.cf</span><span class="p">:</span> <span class="p p-Indicator">|</span>
<span class="no">postscreen_upstream_proxy_protocol = haproxy</span>
<span class="nt">postfix-master.cf</span><span class="p">:</span> <span class="p p-Indicator">|</span>
<span class="no">smtp/inet/postscreen_upstream_proxy_protocol=haproxy</span>
<span class="no">submission/inet/smtpd_upstream_proxy_protocol=haproxy</span>
<span class="no">smtps/inet/smtpd_upstream_proxy_protocol=haproxy</span>
<span class="nt">dovecot.cf</span><span class="p">:</span> <span class="p p-Indicator">|</span>
<span class="no"># Assuming your ingress controller is bound to 10.0.0.0/8</span>
<span class="no">haproxy_trusted_networks = 10.0.0.0/8, 127.0.0.0/8</span>
<span class="no">service imap-login {</span>
<span class="no">inet_listener imap {</span>
<span class="no">haproxy = yes</span>
<span class="no">}</span>
<span class="no">inet_listener imaps {</span>
<span class="no">haproxy = yes</span>
<span class="no">}</span>
<span class="no">}</span>
<span class="c1"># ...</span>
<span class="nn">---</span>
<div class="highlight"><pre><span></span><code><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ConfigMap</span><span class="w"></span>
<span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v1</span><span class="w"></span>
<span class="nt">metadata</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">mailserver.config</span><span class="w"></span>
<span class="w"> </span><span class="nt">labels</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">app</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">mailserver</span><span class="w"></span>
<span class="nt">data</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">postfix-main.cf</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">|</span><span class="w"></span>
<span class="w"> </span><span class="no">postscreen_upstream_proxy_protocol = haproxy</span><span class="w"></span>
<span class="w"> </span><span class="nt">postfix-master.cf</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">|</span><span class="w"></span>
<span class="w"> </span><span class="no">smtp/inet/postscreen_upstream_proxy_protocol=haproxy</span><span class="w"></span>
<span class="w"> </span><span class="no">submission/inet/smtpd_upstream_proxy_protocol=haproxy</span><span class="w"></span>
<span class="w"> </span><span class="no">smtps/inet/smtpd_upstream_proxy_protocol=haproxy</span><span class="w"></span>
<span class="w"> </span><span class="nt">dovecot.cf</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">|</span><span class="w"></span>
<span class="w"> </span><span class="no"># Assuming your ingress controller is bound to 10.0.0.0/8</span><span class="w"></span>
<span class="w"> </span><span class="no">haproxy_trusted_networks = 10.0.0.0/8, 127.0.0.0/8</span><span class="w"></span>
<span class="w"> </span><span class="no">service imap-login {</span><span class="w"></span>
<span class="w"> </span><span class="no">inet_listener imap {</span><span class="w"></span>
<span class="w"> </span><span class="no">haproxy = yes</span><span class="w"></span>
<span class="w"> </span><span class="no">}</span><span class="w"></span>
<span class="w"> </span><span class="no">inet_listener imaps {</span><span class="w"></span>
<span class="w"> </span><span class="no">haproxy = yes</span><span class="w"></span>
<span class="w"> </span><span class="no">}</span><span class="w"></span>
<span class="w"> </span><span class="no">}</span><span class="w"></span>
<span class="c1"># ...</span><span class="w"></span>
<span class="nn">---</span><span class="w"></span>
<span class="nt">kind</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">Deployment</span>
<span class="nt">apiVersion</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">extensions/v1beta1</span>
<span class="nt">metadata</span><span class="p">:</span>
<span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">mailserver</span>
<span class="nt">spec</span><span class="p">:</span>
<span class="nt">template</span><span class="p">:</span>
<span class="nt">spec</span><span class="p">:</span>
<span class="nt">containers</span><span class="p">:</span>
<span class="p p-Indicator">-</span> <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">docker-mailserver</span>
<span class="nt">volumeMounts</span><span class="p">:</span>
<span class="p p-Indicator">-</span> <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">config</span>
<span class="nt">subPath</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">postfix-main.cf</span>
<span class="nt">mountPath</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">/tmp/docker-mailserver/postfix-main.cf</span>
<span class="nt">readOnly</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">true</span>
<span class="p p-Indicator">-</span> <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">config</span>
<span class="nt">subPath</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">postfix-master.cf</span>
<span class="nt">mountPath</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">/tmp/docker-mailserver/postfix-master.cf</span>
<span class="nt">readOnly</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">true</span>
<span class="p p-Indicator">-</span> <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">config</span>
<span class="nt">subPath</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">dovecot.cf</span>
<span class="nt">mountPath</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">/tmp/docker-mailserver/dovecot.cf</span>
<span class="nt">readOnly</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">true</span>
<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Deployment</span><span class="w"></span>
<span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">extensions/v1beta1</span><span class="w"></span>
<span class="nt">metadata</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">mailserver</span><span class="w"></span>
<span class="nt">spec</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">template</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">containers</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">docker-mailserver</span><span class="w"></span>
<span class="w"> </span><span class="nt">volumeMounts</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">config</span><span class="w"></span>
<span class="w"> </span><span class="nt">subPath</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">postfix-main.cf</span><span class="w"></span>
<span class="w"> </span><span class="nt">mountPath</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/tmp/docker-mailserver/postfix-main.cf</span><span class="w"></span>
<span class="w"> </span><span class="nt">readOnly</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">true</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">config</span><span class="w"></span>
<span class="w"> </span><span class="nt">subPath</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">postfix-master.cf</span><span class="w"></span>
<span class="w"> </span><span class="nt">mountPath</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/tmp/docker-mailserver/postfix-master.cf</span><span class="w"></span>
<span class="w"> </span><span class="nt">readOnly</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">true</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">config</span><span class="w"></span>
<span class="w"> </span><span class="nt">subPath</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">dovecot.cf</span><span class="w"></span>
<span class="w"> </span><span class="nt">mountPath</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/tmp/docker-mailserver/dovecot.cf</span><span class="w"></span>
<span class="w"> </span><span class="nt">readOnly</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">true</span><span class="w"></span>
</code></pre></div>
</details>
<p>With this approach,</p>
@ -2179,10 +2179,10 @@
<div class="md-dialog" data-md-component="dialog">
<div class="md-dialog__inner md-typeset"></div>
</div>
<script id="__config" type="application/json">{"base": "../../..", "features": ["navigation.tabs", "navigation.top", "navigation.expand", "navigation.instant", "content.code.annotate"], "translations": {"clipboard.copy": "Copy to clipboard", "clipboard.copied": "Copied to clipboard", "search.config.lang": "en", "search.config.pipeline": "trimmer, stopWordFilter", "search.config.separator": "[\\s\\-]+", "search.placeholder": "Search", "search.result.placeholder": "Type to start searching", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.term.missing": "Missing", "select.version.title": "Select version"}, "search": "../../../assets/javascripts/workers/search.c7dec7e7.min.js", "version": {"provider": "mike"}}</script>
<script id="__config" type="application/json">{"base": "../../..", "features": ["navigation.tabs", "navigation.top", "navigation.expand", "navigation.instant", "content.code.annotate"], "translations": {"clipboard.copy": "Copy to clipboard", "clipboard.copied": "Copied to clipboard", "search.config.lang": "en", "search.config.pipeline": "trimmer, stopWordFilter", "search.config.separator": "[\\s\\-]+", "search.placeholder": "Search", "search.result.placeholder": "Type to start searching", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.term.missing": "Missing", "select.version.title": "Select version"}, "search": "../../../assets/javascripts/workers/search.22074ed6.min.js", "version": {"provider": "mike"}}</script>
<script src="../../../assets/javascripts/bundle.da79ceb7.min.js"></script>
<script src="../../../assets/javascripts/bundle.01de222e.min.js"></script>
</body>