From 48567f0630ab24f00321485f29ac7f089557cae8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lauri=20V=C3=B5sandi?=
Date: Sun, 27 Aug 2023 20:24:36 +0300
Subject: [PATCH] wildduck: Clean up configs
---
wildduck/.gitignore | 1 +
wildduck/README.md | 7 +++++++
wildduck/haraka.yaml | 13 +++++++++++--
wildduck/loadbalancer.yaml | 4 ----
wildduck/srs.yaml | 10 ++++++++++
wildduck/wildduck-operator.yaml | 2 +-
wildduck/wildduck.yaml | 8 ++++++++
wildduck/wildflock.yaml | 2 +-
wildduck/zonemta.yaml | 11 +++++++----
9 files changed, 46 insertions(+), 12 deletions(-)
create mode 100644 wildduck/srs.yaml
diff --git a/wildduck/.gitignore b/wildduck/.gitignore
index 5dddbe2..e87e4f4 100644
--- a/wildduck/.gitignore
+++ b/wildduck/.gitignore
@@ -1 +1,2 @@
+dhparams.pem
 secret.yml
diff --git a/wildduck/README.md b/wildduck/README.md
index 4714e69..98b4bce 100644
--- a/wildduck/README.md
+++ b/wildduck/README.md
@@ -22,3 +22,10 @@ The mail stack consists of several moving parts: Outside Kubernetes there is NAT rule on the Mikrotik router which rewrites source IP of any TCP port 25 headed traffic to originate from the IP address of the mail exchange.
+
+TODO: Figure out how to automate DH parameters generation:
+
+```
+openssl dhparam -out dhparams.pem 2048
+kubectl create secret generic -n wildduck dhparams --from-file=dhparams.pem
+```
diff --git a/wildduck/haraka.yaml b/wildduck/haraka.yaml
index 7ad16eb..e0698c3 100644
--- a/wildduck/haraka.yaml
+++ b/wildduck/haraka.yaml
@@ -11,7 +11,9 @@ data: spf clamd rspamd + dkim_verify wildduck + tls rspamd.ini: |- host = rspamd port = 11333
@@ -53,7 +55,7 @@ data: "redis": process.env.REDIS_URI, "mongo": { "url": process.env.MONGO_URI, - "sender": "application" + "sender": "zone-mta", }, "sender": { "enabled": true,
@@ -62,7 +64,7 @@ data: "collection": "zone-queue" }, "srs": { - "secret": "foobar" + "secret": process.env.SRS_SECRET }, "attachments": { "type": "gridstore",
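Review bot: `"secret": process.env.SRS_SECRET` in the `"srs"` block has no fallback or check, so a pod started without that variable hands the SRS plugin `undefined` instead of failing, and the problem would most likely surface later as return paths that do not verify against what zonemta signs with rather than at startup. Since this config is evaluated as JavaScript (it already reads `process.env.REDIS_URI`), a guard near the top of the module such as `if (!process.env.SRS_SECRET) throw new Error("SRS_SECRET is not set");` makes the missing secret visible as a crash in pod status. The object literal this sits in starts and ends outside the hunk.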
@@ -135,6 +137,11 @@ spec: - mountPath: /cert name: cert env: + - name: SRS_SECRET + valueFrom: + secretKeyRef: + name: srs + key: secret - name: REDIS_URI valueFrom: secretKeyRef:
@@ -152,6 +159,8 @@ spec: - name: wildduck-haraka-config projected: sources: + - secret: + name: dhparams - configMap: name: haraka - name: var-lib-haraka
diff --git a/wildduck/loadbalancer.yaml b/wildduck/loadbalancer.yaml
index 147ea0c..fc5123d 100644
--- a/wildduck/loadbalancer.yaml
+++ b/wildduck/loadbalancer.yaml
@@ -13,9 +13,6 @@ spec: selector: app.kubernetes.io/name: wildduck ports: - - port: 8080 - name: wildduck-api - targetPort: wildduck-api - port: 993 name: wildduck-mda targetPort: wildduck-mda
@@ -25,4 +22,3 @@ spec: - port: 25 name: haraka-mta targetPort: haraka-mta -
diff --git a/wildduck/srs.yaml b/wildduck/srs.yaml
new file mode 100644
index 0000000..748b55a
--- /dev/null
+++ b/wildduck/srs.yaml
@@ -0,0 +1,10 @@ +--- +apiVersion: codemowers.cloud/v1beta1 +kind: SecretClaim +metadata: + name: srs +spec: + size: 32 + mapping: + - key: secret + value: "%(plaintext)s"
diff --git a/wildduck/wildduck-operator.yaml b/wildduck/wildduck-operator.yaml
index 94ce547..4f74153 100644
--- a/wildduck/wildduck-operator.yaml
+++ b/wildduck/wildduck-operator.yaml
@@ -24,7 +24,7 @@ spec: - name: ALLOWED_GROUPS value: k-space:friends,k-space:floor - name: WILDDUCK_API_URL - value: http://mail2.k-space.ee:8080 + value: http://wildduck-api:8080 - name: WILDDUCK_API_TOKEN valueFrom: secretKeyRef:
diff --git a/wildduck/wildduck.yaml b/wildduck/wildduck.yaml
index 9d1556d..5a38464 100644
--- a/wildduck/wildduck.yaml
+++ b/wildduck/wildduck.yaml
@@ -55,6 +55,14 @@ spec: cpu: 10m memory: 100Mi env: + - name: APPCONF_emailDomain + value: k-space.ee + - name: APPCONF_log_level + value: info + - name: APPCONF_maxForwards + value: "2000" + - name: APPCONF_hostname + value: mail.k-space.ee - name: APPCONF_tls_key value: /cert/tls.key - name: APPCONF_tls_cert
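Review bot: The projected `secret: name: dhparams` source under `wildduck-haraka-config` is required by default, so the haraka pod will sit in ContainerCreating until a `dhparams` Secret exists, and the README change in this same commit says that Secret is created by hand with openssl and kubectl. Failing closed is the right choice for TLS parameters, but nothing in the manifest says so; a comment above the source such as `# created manually, see README: openssl dhparam + kubectl create secret generic dhparams` would spare the next operator the hunt. The volume definition continues outside the hunk.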
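Review bot: srs.yaml does not say what the claim is for or that its value must stay stable, which matters because both haraka (`SRS_SECRET`) and zonemta (`APPCONF_plugins_wildduck_srs_secret`) read this same Secret in this commit, and SRS return paths embed a hash keyed on it, so regenerating the claim would make bounces for mail already in flight fail verification. A header comment under `---`, e.g. `# Shared SRS secret for haraka and zonemta; regenerating it invalidates in-flight SRS return paths`, captures that. Whether `size: 32` means bytes or characters is up to the SecretClaim operator, which I cannot see here; confirm the unit, though either reading is ample for an HMAC-style secret.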
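Review bot: `value: http://wildduck-api:8080` switches the operator to plain HTTP against the in-cluster Service, and wildflock.yaml makes the same switch for `WILDDUCK_URL` (previously `https://mail.k-space.ee`), so `WILDDUCK_API_TOKEN` and `WILDDUCK_TOKEN` now travel unencrypted on the pod network. That is a sensible trade given that loadbalancer.yaml in this commit stops exposing 8080 on the external LoadBalancer, but it also means any pod that can reach the Service can try the API; a NetworkPolicy limiting ingress to the wildduck API port to the operator and wildflock pods would keep the token-bearing traffic contained. The `wildduck-api` Service itself is not in this diff, so I am assuming it is defined in wildduck.yaml with that name and port. The env list continues outside the hunk.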
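Review bot: `APPCONF_hostname: mail.k-space.ee` and `APPCONF_emailDomain: k-space.ee` restate values that zonemta.yaml's TOML already carries (`hostname="mail.k-space.ee"`, `rewriteDomain="k-space.ee"`), so the mail domain now lives in several files in this directory and can drift. A shared ConfigMap referenced via `configMapKeyRef` from both Deployments, or a kustomize replacement, would keep them in one place. The quoting is right as it stands: `value: "2000"` is a string, and the other values are unambiguous plain scalars. The env list continues outside the hunk.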
diff --git a/wildduck/wildflock.yaml b/wildduck/wildflock.yaml
index c9c5f99..8e671d9 100644
--- a/wildduck/wildflock.yaml
+++ b/wildduck/wildflock.yaml
@@ -105,7 +105,7 @@ spec: - name: NODE_ENV value: prod - name: WILDDUCK_URL - value: https://mail.k-space.ee + value: http://wildduck-api:8080 - name: WILDDUCK_TOKEN valueFrom: secretKeyRef:
diff --git a/wildduck/zonemta.yaml b/wildduck/zonemta.yaml
index 0f4b319..0b63a22 100644
--- a/wildduck/zonemta.yaml
+++ b/wildduck/zonemta.yaml
@@ -16,9 +16,7 @@ data: hostname="mail.k-space.ee" authlogExpireDays=30 [wildduck.srs] - enabled=false - # SRS secret value. Must be the same as in the MX side - secret="................................" + enabled=true rewriteDomain="k-space.ee" zonemta.toml: |- [log]
@@ -57,7 +55,7 @@ spec: spec: containers: - name: zonemta - image: docker.io/codemowers/wildduck-zonemta-outbound:latest@sha256:a35453409c29882bacb4a758909a38ed62daa875ad72cf706996bb144703ef49 + image: docker.io/codemowers/wildduck-zonemta-outbound:latest@sha256:0878c803164e636820398f11a3811f3d92b7771c6202cfe229f97449d0009119 imagePullPolicy: IfNotPresent command: - /sbin/tini
@@ -83,6 +81,11 @@ spec: cpu: 10m memory: 500Mi env: + - name: APPCONF_plugins_wildduck_srs_secret + valueFrom: + secretKeyRef: + name: srs + key: secret - name: APPCONF_dbs_sender value: zone-mta - name: APPCONF_dbs_mongo
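Review bot: Dropping `secret="..."` also dropped the comment `# SRS secret value. Must be the same as in the MX side`, so `[wildduck.srs]` now reads `enabled=true` with nothing indicating where the secret comes from or that it must match haraka. I would keep a one-line comment below `enabled=true`: `# secret comes from APPCONF_plugins_wildduck_srs_secret (Secret srs); must match haraka's SRS_SECRET`. The TOML block scalar continues outside the hunk.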