## Override the chart name / the full release name used when generating resource names.
## Leave empty to let the chart derive them from the release.
nameOverride: ""
fullnameOverride: ""
image:
  ## image.name is the name of the container image to use. Refer to https://hub.docker.com/r/mailserver/docker-mailserver
  name: "mailserver/docker-mailserver"
  ## image.tag is the tag of the container image to use. Refer to https://hub.docker.com/r/mailserver/docker-mailserver
  ## If image.tag is not defined it will default to `.Chart.appVersion`
  ## NOTE(review): that fallback is a mutable tag, and pullPolicy "IfNotPresent" below means a node keeps whatever
  ## it already pulled under that tag. For a reproducible deployment pin an explicit version (never "latest");
  ## the name/tag split used under metrics.image shows how this chart can carry a digest instead — verify the
  ## main image template renders name and tag the same way before relying on it.
  # tag: "latest"
  pullPolicy: "IfNotPresent"
# Specify whether to create a serviceAccount for the pod. The name is generated from the
# dockermailserver.serviceAccountName template
# NOTE(review): nothing in this file grants RBAC to that account or disables token automount. A mail
# server has no reason to call the Kubernetes API; if the chart template supports it, set
# automountServiceAccountToken: false so a compromised mail daemon holds no API credential.
serviceAccount:
  create: true
## Specify the name of a TLS secret that contains a certificate and private key for your email domain.
## See https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets
## NOTE(review): left unset here. The chart derives SSL_TYPE / SSL_CERT_PATH / SSL_KEY_PATH from this key
## (see the commented entries under deployment.env), so with no secret those variables are not set and
## docker-mailserver falls back to its own TLS default. Confirm what that default is for the deployed
## version before exposing submission (587/465) or IMAP (143/993) outside the cluster.
certificate:
# List extra RBL domains to use for hard reject filtering
# (each entry is a DNS blocklist zone consulted for inbound SMTP clients; an empty list adds none)
rblRejectDomains: []
deployment:
  ## How many versions of the deployment to run
  replicas: 1
  ## Optionally specify affinity for the deployment
  affinity: {}
  ## Optionally add additional annotations to the deployment
  annotations: {}
  ## Optionally add additional labels to the deployment
  labels: {}
  ## Optionally specify a runtimeClassName for the deployment
  runtimeClassName:
  ## Optionally specify a priorityClassName for the deployment
  priorityClassName:
  ## Optionally specify a nodeSelector for the deployment
  nodeSelector: {}
  ## Update strategy - only really applicable for deployments with RWO PVs attached
  ## If replicas = 1, an update can get "stuck", as the previous pod remains attached to the
  ## PV, and the "incoming" pod can never start. Setting the strategy to "Recreate" (our default) will
  ## terminate the single previous pod, so that the new, incoming pod can attach to the PV
  strategy:
    # rollingUpdate:
    #   maxSurge: 1
    #   maxUnavailable: 1
    type: "Recreate"
  ## The following variables affect the behaviour of docker-mailserver
  ## See https://docker-mailserver.github.io/docker-mailserver/latest/config/environment/ for details
  ## Note that an empty value indicates the default as described in the docs above
  ## NOTE(review): the configMaps templates at the bottom of this file test some of these values with Go-template
  ## `if`, where the integer 0 is false but the string "0" is true. Keep the on/off toggles as bare integers
  ## (not quoted, not --set-string) or disabled services still get their PROXY-protocol listeners rendered.
  env:
    # -----------------------------------------------
    # --- Required Section ---------------------------
    # -----------------------------------------------
    OVERRIDE_HOSTNAME: mail.example.com # You must OVERRIDE this!
    # -----------------------------------------------
    # --- General Section ---------------------------
    # -----------------------------------------------
    LOG_LEVEL: info
    SUPERVISOR_LOGLEVEL:
    DMS_VMAIL_UID:
    DMS_VMAIL_GID:
    ACCOUNT_PROVISIONER:
    POSTMASTER_ADDRESS:
    # The update check makes an outbound request to look for new releases; turn it off in egress-restricted
    # clusters (it will only log failures) or if you do not want the server phoning home.
    ENABLE_UPDATE_CHECK: 1
    UPDATE_CHECK_INTERVAL: 1d
    # "none": no container network is allowed to relay unauthenticated. Keep it; in-cluster senders should
    # authenticate like any other client rather than being trusted by source address.
    PERMIT_DOCKER: none
    TZ:
    NETWORK_INTERFACE:
    # Empty = DMS default (documented as "modern"). Only lower to "intermediate" for clients that cannot do TLS 1.2+.
    TLS_LEVEL:
    # Empty = DMS default. NOTE(review): the DMS docs document that default as 0 (off), which lets any
    # authenticated account submit mail with any envelope sender the server accepts. Set 1 unless users
    # genuinely need to send as addresses other than their own/aliases — verify against the deployed version.
    SPOOF_PROTECTION:
    ENABLE_SRS: 0
    # OpenDKIM / OpenDMARC / policyd-spf are off because Rspamd (ENABLE_RSPAMD below) provides DKIM signing,
    # DMARC and SPF handling per the DMS docs. If Rspamd is turned off, re-enable these or outbound mail
    # leaves unsigned and inbound authentication checks stop.
    ENABLE_OPENDKIM: 0
    ENABLE_OPENDMARC: 0
    ENABLE_POLICYD_SPF: 0
    ENABLE_POP3:
    ENABLE_IMAP: 1
    ENABLE_CLAMAV: 0
    ENABLE_RSPAMD: 1
    ENABLE_RSPAMD_REDIS: 1
    RSPAMD_LEARN: 0
    # 0 = mail from authenticated users bypasses Rspamd (DMS default). A compromised mailbox can then relay
    # spam through this server unfiltered; consider 1 if that risk matters more than false positives.
    RSPAMD_CHECK_AUTHENTICATED: 0
    RSPAMD_GREYLISTING: 0
    RSPAMD_HFILTER: 1
    RSPAMD_HFILTER_HOSTNAME_UNKNOWN_SCORE: 6
    RSPAMD_NEURAL: 0
    ENABLE_AMAVIS: 0
    AMAVIS_LOGLEVEL: 0
    # DNSBL lookups (and postscreen below) act on the connecting client's IP; they are only meaningful when
    # the real client address reaches Postfix — see service.externalTrafficPolicy and proxyProtocol.
    ENABLE_DNSBL: 0
    # Fail2Ban needs the NET_ADMIN capability (DMS docs), which containerSecurityContext below does not add,
    # and it also needs real client IPs (see proxyProtocol). Enabling it here alone will not be enough.
    ENABLE_FAIL2BAN: 0
    FAIL2BAN_BLOCKTYPE: drop
    ENABLE_MANAGESIEVE:
    POSTSCREEN_ACTION: enforce
    SMTP_ONLY:
    # These values are automatically set by the chart based on the certificate key
    # SSL_TYPE:
    # SSL_CERT_PATH:
    # SSL_KEY_PATH:
    SSL_ALT_CERT_PATH:
    SSL_ALT_KEY_PATH:
    VIRUSMAILS_DELETE_DELAY:
    POSTFIX_DAGENT:
    POSTFIX_MAILBOX_SIZE_LIMIT:
    ENABLE_QUOTAS: 1
    POSTFIX_MESSAGE_SIZE_LIMIT:
    CLAMAV_MESSAGE_SIZE_LIMIT:
    PFLOGSUMM_TRIGGER:
    PFLOGSUMM_RECIPIENT:
    PFLOGSUMM_SENDER:
    LOGWATCH_INTERVAL:
    LOGWATCH_RECIPIENT:
    LOGWATCH_SENDER:
    REPORT_RECIPIENT:
    REPORT_SENDER:
    LOGROTATE_COUNT: 4
    LOGROTATE_INTERVAL: weekly
    POSTFIX_REJECT_UNKNOWN_CLIENT_HOSTNAME: 0
    POSTFIX_INET_PROTOCOLS: all
    DOVECOT_INET_PROTOCOLS: all
    # -----------------------------------------------
    # --- SpamAssassin Section ----------------------
    # -----------------------------------------------
    ENABLE_SPAMASSASSIN: 0
    ENABLE_SPAMASSASSIN_KAM: 0
    SPAMASSASSIN_SPAM_TO_INBOX: 1
    MOVE_SPAM_TO_JUNK: 1
    MARK_SPAM_AS_READ: 0
    SA_TAG: 2.0
    SA_TAG2: 6.31
    SA_KILL: 10.0
    SPAM_SUBJECT: '***SPAM*** '
    # -----------------------------------------------
    # --- Fetchmail Section -------------------------
    # -----------------------------------------------
    ENABLE_FETCHMAIL: 0
    FETCHMAIL_POLL: 300
    FETCHMAIL_PARALLEL: 0
    ENABLE_GETMAIL: 0
    GETMAIL_POLL: 5
    # -----------------------------------------------
    # --- LDAP Section ------------------------------
    # -----------------------------------------------
    LDAP_START_TLS:
    LDAP_SERVER_HOST:
    LDAP_SEARCH_BASE:
    # set those unless you're using a secret
    # (the bind password is a credential: prefer a Kubernetes Secret over committing it in this file)
    #LDAP_BIND_DN:
    #LDAP_BIND_PW:
    LDAP_QUERY_FILTER_USER:
    LDAP_QUERY_FILTER_GROUP:
    LDAP_QUERY_FILTER_ALIAS:
    LDAP_QUERY_FILTER_DOMAIN:
    # -----------------------------------------------
    # --- Dovecot Section ---------------------------
    # -----------------------------------------------
    DOVECOT_TLS:
    DOVECOT_USER_FILTER:
    DOVECOT_PASS_FILTER:
    DOVECOT_MAILBOX_FORMAT: maildir
    DOVECOT_AUTH_BIND:
    # -----------------------------------------------
    # --- Postgrey Section --------------------------
    # -----------------------------------------------
    ENABLE_POSTGREY: 0
    POSTGREY_DELAY: 300
    POSTGREY_MAX_AGE: 35
    POSTGREY_TEXT: "Delayed by Postgrey"
    POSTGREY_AUTO_WHITELIST_CLIENTS: 5
    # -----------------------------------------------
    # --- SASL Section ------------------------------
    # -----------------------------------------------
    ENABLE_SASLAUTHD: 0
    SASLAUTHD_MECHANISMS:
    SASLAUTHD_MECH_OPTIONS:
    SASLAUTHD_LDAP_SERVER:
    # set those unless you're using a secret
    #SASLAUTHD_LDAP_BIND_DN:
    #SASLAUTHD_LDAP_PASSWORD:
    SASLAUTHD_LDAP_SEARCH_BASE:
    SASLAUTHD_LDAP_FILTER:
    SASLAUTHD_LDAP_START_TLS:
    # Leave peer checking on when using LDAP over TLS; disabling it makes the bind password interceptable.
    SASLAUTHD_LDAP_TLS_CHECK_PEER:
    SASLAUTHD_LDAP_TLS_CACERT_FILE:
    SASLAUTHD_LDAP_TLS_CACERT_DIR:
    SASLAUTHD_LDAP_PASSWORD_ATTR:
    SASLAUTHD_LDAP_AUTH_METHOD:
    SASLAUTHD_LDAP_MECH:
    # -----------------------------------------------
    # --- SRS Section -------------------------------
    # -----------------------------------------------
    SRS_SENDER_CLASSES: envelope_sender
    SRS_EXCLUDE_DOMAINS:
    # NOTE(review): SRS_SECRET is signing-key material. If ENABLE_SRS is turned on, supply it from a
    # Kubernetes Secret rather than committing it here — the same rule this file already applies to the
    # LDAP and relay passwords.
    SRS_SECRET:
    # -----------------------------------------------
    # --- Default Relay Host Section ----------------
    # -----------------------------------------------
    DEFAULT_RELAY_HOST:
    # -----------------------------------------------
    # --- Multi-Domain Relay Section ----------------
    # -----------------------------------------------
    RELAY_HOST:
    RELAY_PORT: 25
    RELAY_USER:
    # set those unless you're using a secret
    #RELAY_PASSWORD:
  ## Security context with the UID/GID the chart applies to the pod (which spec field it lands in is decided
  ## by the template, not here).
  securityContext:
    runAsUser: 5000
    runAsGroup: 5000
  ## Container-level security context. NOTE(review): only two fields are set. allowPrivilegeEscalation,
  ## a capabilities drop list and a seccompProfile are absent. docker-mailserver's daemons do need some
  ## capabilities (e.g. binding low ports, switching users; Fail2Ban needs NET_ADMIN), so test any
  ## hardening against the features you enable instead of dropping ALL blindly.
  containerSecurityContext:
    readOnlyRootFilesystem: false # incompatible with the way docker-mailserver works
    privileged: false
  ## More generally, a "request" can be thought of as "how much is this container expected to need usually". It should be
  ## possible to burst outside these constraints (during a high load operation). However, Kubernetes may kill the pod
  ## if the node is under too high a load and the burst is outside its request
  ##
  ## Limits are hard limits. Violating them is either impossible, or results in container death. I'm not sure whether
  ## making these optional is a good idea or not; at the moment, I think I'm happy to defer QOS to the cluster and try
  ## and keep requests close to usage.
  ##
  ## Requests are what are used to determine whether more software "fits" onto the cluster.
  ##
  ## Ref: http://kubernetes.io/docs/user-guide/compute-resources/
  ## Ref: https://github.com/kubernetes/kubernetes/blob/master/docs/design/resource-qos.md
  ## Ref: https://docs.docker.com/engine/reference/run/#/runtime-constraints-on-resources
  resources:
    requests:
      ## How much CPU this container is expected to need
      cpu: "1"
      ## How much memory this container is expected to need.
      ## Reduce these requests at your peril - too few resources can cause daemons (i.e., clamd) to fail, or timeouts to occur.
      ## A test installation with clamd running was killed when it consumed 1437Mi (which is why this value was increased to 1536)
      memory: "1536Mi"
      ephemeral-storage: "100Mi"
    limits:
      ## The max CPU this container should be allowed to use
      cpu: "2"
      ## The max memory this container should be allowed to use. Note: If a container exceeds its memory limit,
      ## it may be terminated.
      memory: "2048Mi"
      ephemeral-storage: "500Mi"
  ## Container resource resize policy for the docker-mailserver container
  ## Allows dynamic adjustment of CPU and memory resources without pod restart
  ## Useful for handling load spikes or optimizing resource utilization in production
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/resize-container-resources/
  resizePolicy: []
  # - resourceName: memory
  #   restartPolicy: NotRequired
  # - resourceName: cpu
  #   restartPolicy: RestartContainer
  ## Optionally specify tolerations for the deployment
  tolerations: []
  ## Optionally specify initContainers
  ## (the example below uses an unpinned "alpine:3" tag; pin init images like any other)
  initContainers: []
  # - name: init
  #   image: alpine:3
  #   command: [sh, -c]
  #   args:
  #     - echo "Hello, world!" > /mnt/extra-storage/test
  #   volumeMounts:
  #     - name: extra-storage
  #       mountPath: /mnt/extra-storage
  #       subPath: another-folder
  ## Optionally specify a list of extra mounts to add (normally used with extraVolumes)
  extraVolumeMounts: []
  # - name: extra-storage
  #   mountPath: /mnt/extra-storage
  #   subPath: another-folder
  ## Optionally specify a list of extra volumes to add
  extraVolumes: []
  # - name: extra-storage
  #   emptyDir: {}
service:
  ## What scope the service should be exposed in. One of:
  ## - LoadBalancer (to the world)
  ## - NodePort (to the world, via high port on a node)
  ## - ClusterIP (to the cluster)
  type: "ClusterIP"
  ## Manually overwrite the externalTrafficPolicy. One of:
  ## - Local
  ## - Cluster
  ## Set it to "Local" when used with type "LoadBalancer" and set it to "Cluster" when used with "NodePort",
  ## unless you have a good reason not to.
  ## NOTE(review): with "Cluster" the client address is SNATed on the way in, so Postfix and Dovecot see a
  ## node IP rather than the real client. postscreen, DNSBLs, Fail2Ban, RSPAMD_HFILTER and login rate limits
  ## then act on the wrong address. Use "Local", or PROXY protocol (see proxyProtocol), when client IPs matter.
  # externalTrafficPolicy: "Cluster"
  ## Traffic distribution preference for Services. One of:
  ## - PreferClose
  ## - PreferSameZone (started from 1.34)
  ## - PreferSameNode (started from 1.34)
  ## Ref: https://kubernetes.io/docs/concepts/services-networking/service/#traffic-distribution
  trafficDistribution: ""
  ## If there is a particular IP that should be used for the service, specify it here.
  ## Note: It's quite unlikely that an IP should be specified. Normally, the best thing to do is leave it to Kubernetes
  ## to allocate a free IP from the pool.
  ## Default: Automatically assign a random IP
  # clusterIp:
  annotations: {}
  labels: {}
# Note this is a dictionary and not a list so individual keys can be overridden by --set or --value helm parameters
# All claims are ReadWriteOnce, which is why deployment.strategy is "Recreate" (see the note there).
persistent_volume_claims:
  # Stores generated configuration files
  # https://docker-mailserver.github.io/docker-mailserver/edge/faq/#what-about-the-docker-datadmsconfig-directory
  # NOTE(review): per the linked FAQ this directory holds account credentials and signing-key material, not
  # just settings — give it the same protection as a Secret (encrypted storage class, restricted access).
  mail-config:
    enabled: true
    existingClaim: ""
    size: 1Mi
    annotations: {}
    accessModes:
      - ReadWriteOnce
    storageClass:
    selector: {}
  # Stores emails
  mail-data:
    enabled: true
    existingClaim: ""
    size: 10Gi
    annotations: {}
    accessModes:
      - ReadWriteOnce
    storageClass:
    selector: {}
  # Stores state for Postfix, Dovecot, Fail2Ban, Amavis, PostGrey, ClamAV, SpamAssassin, Rspamd & Redis
  # https://docker-mailserver.github.io/docker-mailserver/edge/faq/#what-about-the-docker-datadmsmail-state-directory
  mail-state:
    enabled: true
    existingClaim: ""
    size: 1Gi
    annotations: {}
    accessModes:
      - ReadWriteOnce
    storageClass:
    selector: {}
  # Store mail logs
  mail-log:
    enabled: true
    existingClaim: ""
    size: 1Gi
    annotations: {}
    accessModes:
      - ReadWriteOnce
    storageClass:
    selector: {}
## Where each claim above is mounted inside the container. volumeName must match a key of
## persistent_volume_claims; an empty subPath mounts the volume root.
persistence:
  # Stores generated configuration files
  # https://docker-mailserver.github.io/docker-mailserver/edge/faq/#what-about-the-docker-datadmsconfig-directory
  mail-config:
    volumeName: mail-config
    mountPath: /tmp/docker-mailserver
    subPath:
  # Stores emails
  mail-data:
    volumeName: mail-data
    mountPath: /var/mail
    subPath:
  # Stores state for Postfix, Dovecot, Fail2Ban, Amavis, PostGrey, ClamAV, SpamAssassin, Rspamd & Redis
  # https://docker-mailserver.github.io/docker-mailserver/edge/faq/#what-about-the-docker-datadmsmail-state-directory
  mail-state:
    volumeName: mail-state
    mountPath: /var/mail-state
    subPath:
  # Store mail logs
  mail-log:
    volumeName: mail-log
    mountPath: /var/log/mail
    subPath:
## Monitoring adds the prometheus.io annotations to pods and services, so that the Prometheus Kubernetes SD mechanism
## as configured in the examples will automatically discover both the pods and the services to query.
##
## This defaults on, as the annotations should do no harm where Prometheus is not available but will automatically
## expose the application where Prometheus is.
##
## The values below become annotation strings, hence the quoting (an unquoted true/9102 would be retyped).
## NOTE(review): the annotations only advertise the endpoint; nothing here authenticates or restricts it. In a
## multi-tenant cluster limit who can reach the exporter port with a NetworkPolicy.
##
## See https://github.com/prometheus/docs/blob/master/content/docs/operating/configuration.md
## See https://github.com/prometheus/prometheus/blob/master/documentation/examples/prometheus-kubernetes.yml
monitoring:
  ## Whether to scrape this service with the monitoring toolkit. Mostly useful for blackbox probing of a given service
  ## to ensure it's "up"
  service:
    ## monitoring should be configured to only scrape services that have a value of "true"
    scrape: "true"
    ## monitoring should be configured to only probe services that have a value of "true"
    probe: "false"
    ## Path on which metrics are exposed
    path: "/metrics"
    ## Port on which HTTP server is served (the metrics exporter container, see metrics.image)
    port: "9102"
  ## Whether to scrape the pods associated with this application. Useful for collecting metrics.
  pod:
    ## monitoring should be configured to only scrape pods that have a value of `true`
    scrape: "true"
    ## monitoring should be configured to only probe pods that have a value of "true"
    probe: "false"
    ## Path on which metrics are exposed
    path: "/metrics"
    ## Port on which HTTP server is served
    port: "9102"
## Optional Ingress for the Rspamd web UI / controller.
## NOTE(review): before enabling, (1) set tls.enabled and a secret — the UI login would otherwise cross the
## Internet in clear text — and (2) make sure a controller password is configured in Rspamd (that is done in
## the DMS/Rspamd config, not in this section; this chart does not set one). Consider an allow-list
## annotation on the ingress as well, since the UI has no other access control in front of it here.
rspamd:
  ingress:
    enabled: false
    ingressClassName: nginx
    annotations: {}
    host: rspamd.example.com
    path: /
    tls:
      enabled: false
      secret:
## Dovecot full-text search (fts_xapian). The settings are rendered into configMaps.fts-xapian-plugin.conf below.
dovecot:
  fullTextSearch:
    enabled: false
    verbose: 0 # 0 (silent), 1 (verbose) or 2 (debug)
    resources:
      # Upper bound (vsz_limit) for the indexer-worker process; indexing attachments can be memory-hungry.
      memory: 2GB
    cron:
      enabled: true # Optimize index every day
      schedule: 0 4 * * * # Every day at 4am
## PROXY protocol (HAProxy style) support for running behind a TCP load balancer / ingress that forwards the
## original client address. Enabling this renders extra *_proxyprotocol listeners in Dovecot
## (configMaps.dovecot.cf: 10143/10993/10110/10995/14190) and Postfix (configMaps.user-patches.sh:
## 10587/10465/12525). The regular ports stay open without PROXY, so only the 10xxx/12525 ports should be
## the ones the proxy targets.
proxyProtocol:
  enabled: true
  # List of sources (in CIDR format, space-separated) to permit PROXY protocol from
  # NOTE(review): this is all three RFC 1918 ranges, i.e. effectively every pod and node in a typical
  # cluster. Anything that can reach a PROXY port can then forge the client address Dovecot records —
  # defeating login rate limits, Fail2Ban and the audit trail. Narrow it to the proxy's real source
  # addresses. Postfix has no equivalent trust list for its PROXY ports, so 10587/10465/12525 must
  # additionally be fenced off with a NetworkPolicy that admits only the proxy.
  trustedNetworks: "10.0.0.0/8 192.168.0.0/16 172.16.0.0/12"
# when metrics is enabled, we mount subpath log from pvc into /var/log/mail
# (the exporter sidecar reads the Postfix log from there and serves it on the monitoring port)
metrics:
  enabled: false
  image:
    ## Pinned by digest: the chart presumably joins name and tag with ":", so this renders as
    ## blackflysolutions/postfix-exporter@sha256:<digest>. Keep the two fields in sync when bumping, and
    ## re-verify the image — it is a third-party build, and the digest is the only thing vouching for it.
    name: blackflysolutions/postfix-exporter@sha256
    tag: 7ed7c0534112aff5b44757ae84a206bf659171631edfc325c3c1638d78e74f73
    pullPolicy: "IfNotPresent"
  resources:
    requests:
      memory: "256Mi"
      # cpu: "100m" # millicores — "100M" would mean 10^8 cores and never schedule
    #limits:
    #  memory: "256Mi"
    #  cpu: "500m"
  ## Container resource resize policy for the metrics-exporter container
  ## Allows dynamic adjustment of CPU and memory resources without pod restart
  ## Useful for handling load spikes or optimizing resource utilization in production
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/resize-container-resources/
  resizePolicy: []
  # - resourceName: memory
  #   restartPolicy: NotRequired
  # - resourceName: cpu
  #   restartPolicy: RestartContainer
  serviceMonitor:
    enabled: false
    scrapeInterval: 15s
    ## Optionally add additional labels to the ServiceMonitor (e.g. the release label your Prometheus Operator selects on)
    labels: {}
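## ConfigMaps (and Secrets) are used to copy docker-mailserver configuration files
## into running containers. This chart automatically sets up any config files that
## are stored in its chart/config directory.
##
## However, Helm does not provide a way to save external files to a ConfigMap or Secret.
## This is a problem for docker-mailserver because you need to set up postfix accounts,
## dovecot accounts, etc.
##
## The configs and secrets keys solve this problem. They allow you to add additional config
## files by either referencing existing ConfigMaps (that you create before installing the Chart)
## or by creating new ones (set the create key to true).
##
## The `data` values below are Go templates rendered by Helm. NOTE(review): a Go-template `if` treats the
## integer 0 as false but the string "0" as true, so quoting an env toggle (or passing it with --set-string)
## would still render the listeners for a disabled service. Keep deployment.env toggles as bare integers.
##
configMaps:
  ## Dovecot: when proxyProtocol.enabled, add *_proxyprotocol listeners that expect a PROXY header on the
  ## 10xxx ports next to the regular ones. haproxy_trusted_networks limits who may send that header
  ## (see the note on proxyProtocol.trustedNetworks). Every *_proxyprotocol listener carries `haproxy = yes`;
  ## the sieve one previously lacked it, so a PROXY header on 14190 was read as a ManageSieve command.
  ## Confirm your proxy actually sends PROXY on 14190 when ENABLE_MANAGESIEVE is on.
  dovecot.cf:
    create: true
    path: dovecot.cf
    data: |
      {{- if .Values.proxyProtocol.enabled }}
      haproxy_trusted_networks = {{ .Values.proxyProtocol.trustedNetworks }}
      {{- if and (.Values.deployment.env.ENABLE_IMAP) (not .Values.deployment.env.SMTP_ONLY) }}
      service imap-login {
        inet_listener imap {
          port = 143
        }
        inet_listener imaps {
          port = 993
          ssl = yes
        }
        inet_listener imap_proxyprotocol {
          haproxy = yes
          port = 10143
          ssl = no
        }
        inet_listener imaps_proxyprotocol {
          haproxy = yes
          port = 10993
          ssl = yes
        }
      }
      {{- end -}}
      {{- if and (.Values.deployment.env.ENABLE_POP3) (not .Values.deployment.env.SMTP_ONLY) }}
      service pop3-login {
        inet_listener pop3 {
          port = 110
        }
        inet_listener pop3s {
          port = 995
          ssl = yes
        }
        inet_listener pop3_proxyprotocol {
          haproxy = yes
          port = 10110
          ssl = no
        }
        inet_listener pop3s_proxyprotocol {
          haproxy = yes
          port = 10995
          ssl = yes
        }
      }
      {{- end -}}
      {{- if and (.Values.deployment.env.ENABLE_MANAGESIEVE) (not .Values.deployment.env.SMTP_ONLY) }}
      service managesieve-login {
        inet_listener sieve {
          port = 4190
        }
        inet_listener sieve_proxyprotocol {
          haproxy = yes
          port = 14190
        }
      }
      {{- end -}}
      {{- end -}}
  ## Dovecot full-text search plugin config, driven by the dovecot.fullTextSearch values.
  ## fts_enforced = yes means a search fails rather than falling back to a slow scan when the index is missing.
  fts-xapian-plugin.conf:
    create: true
    path: /etc/dovecot/conf.d/10-plugin.conf
    data: |
      {{- if .Values.dovecot.fullTextSearch.enabled }}
      mail_plugins = $mail_plugins fts fts_xapian
      plugin {
        fts = xapian
        fts_xapian = partial=3 full=20 verbose={{ .Values.dovecot.fullTextSearch.verbose }}
        fts_autoindex = yes
        fts_enforced = yes
        # Index attachements
        fts_decoder = decode2text
      }
      service indexer-worker {
        # limit size of indexer-worker RAM usage, ex: 512MB, 1GB, 2GB
        vsz_limit = {{ .Values.dovecot.fullTextSearch.resources.memory }}
      }
      {{- end -}}
  ## Postfix: when proxyProtocol.enabled, clone the submission (587 -> 10587), submissions (465 -> 10465) and
  ## smtp (25 -> 12525) services with PROXY protocol enabled. NOTE(review): unlike Dovecot, Postfix has no
  ## trusted-network setting for the PROXY header, so these three ports must only be reachable by the proxy
  ## (NetworkPolicy); anyone else who can connect to them can spoof the client address postscreen sees.
  user-patches.sh:
    create: true
    path: user-patches.sh
    data: |
      #!/bin/bash
      {{- if .Values.proxyProtocol.enabled }}
      # NOTE: Keep in sync with upstream advice:
      # https://github.com/docker-mailserver/docker-mailserver/blob/v15.0.0/docs/content/examples/tutorials/mailserver-behind-proxy.md?plain=1#L238-L268
      # Duplicate the config for the submission(s) service ports (587 / 465) with adjustments for the PROXY ports (10587 / 10465) and `syslog_name` setting:
      postconf -Mf submission/inet | sed -e s/^submission/10587/ -e 's/submission/submission-proxyprotocol/' >> /etc/postfix/master.cf
      postconf -Mf submissions/inet | sed -e s/^submissions/10465/ -e 's/submissions/submissions-proxyprotocol/' >> /etc/postfix/master.cf
      # Enable PROXY Protocol support for these new service variants:
      postconf -P 10587/inet/smtpd_upstream_proxy_protocol=haproxy
      postconf -P 10465/inet/smtpd_upstream_proxy_protocol=haproxy
      # Create a variant for port 25 too (NOTE: Port 10025 is already assigned in DMS to Amavis):
      postconf -Mf smtp/inet | sed -e s/^smtp/12525/ >> /etc/postfix/master.cf
      # Enable PROXY Protocol support:
      # - Uses a different setting as port 25 is handled via the postscreen service
      # - Optionally configure a `syslog_name` to distinguish in logs:
      postconf -P \
        12525/inet/postscreen_upstream_proxy_protocol=haproxy \
        12525/inet/syslog_name=postfix/smtpd-proxyprotocol
      # Add the `proxy:` prefix to share this cache between each running postscreen service via `proxymap`:
      postconf 'postscreen_cache_map = proxy:btree:$data_directory/postscreen_cache'
      {{- end }}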
## The secrets key works the same way as the configs key. Use secrets to store sensitive information,
## such as DKIM signing keys.
##
## NOTE(review): anything placed under `data` here is committed with this values file and is also retained in
## Helm's release history. Prefer `create: false` with a Secret you manage outside the chart (or an external
## secrets operator), and never commit private key material next to these values.
##
## secrets:
##   rspamd.example.com:
##     name: rspamd.example.com # This is the name of the Secret
##     create: true # If true, create a new Secret
##     path: rspamd.dkim.rsa-2048-mail-example.com.private.txt
##     data: abace # If create is true, then you must specify content. Must be base 64 encoded!
##
##   rspamd.dkim.rsa-2048-mail-example.com.public:
##     name: rspamd.dkim.rsa-2048-mail-example.com.public
##     create: true
##     path: rspamd/dkim/rsa-2048-mail-example.com.public
##     data: abace # If create is true, then you must specify content. Must be base 64 encoded!
##
## If you set the create key to false, then you must manually create the Secrets before deploying the chart
## (note the Secret type `generic`; kubectl rejects the command without it):
##
## kubectl create secret generic rspamd.example.com --namespace mail --from-file=rspamd.dkim.rsa-2048-mail-example.com.private.txt=<path_to_rspamd.dkim.rsa-2048-mail-example.com.private.txt>
secrets: {}
## @param extraDeploy Array of extra objects to deploy with the release
## (rendered as-is; this is the place for a NetworkPolicy restricting the PROXY-protocol and metrics ports)
##
extraDeploy: []