## Name overrides for the generated resource names.
## Leave both empty to keep the names the chart derives from the release.
nameOverride: ""
fullnameOverride: ""
image:
  ## image.name is the name of the container image to use.
  ## Refer to https://hub.docker.com/r/mailserver/docker-mailserver
  name: "mailserver/docker-mailserver"

  ## image.tag is the tag of the container image to use.
  ## Refer to https://hub.docker.com/r/mailserver/docker-mailserver
  ## If image.tag is not defined it will default to `.Chart.appVersion`
  ## (no tag key is set here, so that default applies).

  pullPolicy: "IfNotPresent"
serviceAccount:
  ## Whether the chart creates a ServiceAccount for the mailserver pods.
  create: true
## Specify the name of a TLS secret that contains a certificate and private key for your email domain.
## See https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets
certificate: "mail-certificate-secret"
## Optional list of domains to reject; empty list = nothing configured.
## NOTE(review): how this list is applied is decided by the chart templates — confirm there before relying on it.
rblRejectDomains: []
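deployment:
  ## How many versions of the deployment to run
  replicas: 1

  ## Optionally specify affinity for the deployment
  affinity: {}

  ## Optionally add additional annotations to the deployment
  annotations: {}

  ## Optionally add additional labels to the deployment
  labels: {}

  ## Optionally specify a runtimeClassName for the deployment (empty = not set)
  runtimeClassName:

  ## Optionally specify a priorityClassName for the deployment (empty = not set)
  priorityClassName:

  ## Optionally specify a nodeSelector for the deployment
  nodeSelector: {}

  ## Update strategy - only really applicable for deployments with RWO PVs attached.
  ## If replicas = 1, an update can get "stuck", as the previous pod remains attached to the
  ## PV and the "incoming" pod can never start. Setting the strategy to "Recreate" (our default) will
  ## terminate the single previous pod, so that the new, incoming pod can attach to the PV.
  strategy:
    type: "Recreate"

  ## The following variables affect the behaviour of docker-mailserver.
  ## See https://docker-mailserver.github.io/docker-mailserver/latest/config/environment/ for details.
  ## Note that an empty value indicates the default as described in the docs above.
  ##
  ## Credential-type settings (the commented-out *_BIND_PW / *_PASSWORD keys, SRS_SECRET, RELAY_USER)
  ## are deliberately not filled in here: a values file is normally committed, so inject those from a
  ## Secret instead of this block.
  env:
    OVERRIDE_HOSTNAME: mail.allarddcs.nl # You must OVERRIDE this!

    LOG_LEVEL: info
    SUPERVISOR_LOGLEVEL:
    DMS_VMAIL_UID:
    DMS_VMAIL_GID:
    ACCOUNT_PROVISIONER:
    POSTMASTER_ADDRESS:
    ENABLE_UPDATE_CHECK: 1
    UPDATE_CHECK_INTERVAL: 1d
    PERMIT_DOCKER: none
    TZ:
    NETWORK_INTERFACE:
    TLS_LEVEL:
    SPOOF_PROTECTION:
    ENABLE_SRS: 0
    ENABLE_OPENDKIM: 0
    ENABLE_OPENDMARC: 0
    ENABLE_POLICYD_SPF: 0
    ENABLE_POP3:
    ENABLE_IMAP: 1
    ENABLE_CLAMAV: 0
    ENABLE_RSPAMD: 1
    ENABLE_RSPAMD_REDIS: 1
    RSPAMD_LEARN: 0
    RSPAMD_CHECK_AUTHENTICATED: 0
    RSPAMD_GREYLISTING: 0
    RSPAMD_HFILTER: 1
    RSPAMD_HFILTER_HOSTNAME_UNKNOWN_SCORE: 6
    RSPAMD_NEURAL: 0
    ENABLE_AMAVIS: 0
    AMAVIS_LOGLEVEL: 0
    ENABLE_DNSBL: 0
    ENABLE_FAIL2BAN: 0
    FAIL2BAN_BLOCKTYPE: drop
    ENABLE_MANAGESIEVE:
    POSTSCREEN_ACTION: enforce
    SMTP_ONLY:

    SSL_ALT_CERT_PATH:
    SSL_ALT_KEY_PATH:
    VIRUSMAILS_DELETE_DELAY:
    POSTFIX_DAGENT:
    POSTFIX_MAILBOX_SIZE_LIMIT:
    ENABLE_QUOTAS: 1
    POSTFIX_MESSAGE_SIZE_LIMIT:
    CLAMAV_MESSAGE_SIZE_LIMIT:
    PFLOGSUMM_TRIGGER:
    PFLOGSUMM_RECIPIENT:
    PFLOGSUMM_SENDER:
    LOGWATCH_INTERVAL:
    LOGWATCH_RECIPIENT:
    LOGWATCH_SENDER:
    REPORT_RECIPIENT:
    REPORT_SENDER:
    LOGROTATE_COUNT: 4
    LOGROTATE_INTERVAL: weekly
    POSTFIX_REJECT_UNKNOWN_CLIENT_HOSTNAME: 0
    POSTFIX_INET_PROTOCOLS: all
    DOVECOT_INET_PROTOCOLS: all

    ENABLE_SPAMASSASSIN: 0
    ENABLE_SPAMASSASSIN_KAM: 0
    SPAMASSASSIN_SPAM_TO_INBOX: 1
    MOVE_SPAM_TO_JUNK: 1
    MARK_SPAM_AS_READ: 0
    ## Score thresholds are quoted so the literal text ("2.0", "10.0") reaches the container unchanged;
    ## left unquoted they are floats and get re-serialised (2.0 -> 2) when the chart renders them.
    SA_TAG: "2.0"
    SA_TAG2: "6.31"
    SA_KILL: "10.0"
    SPAM_SUBJECT: 'SPAM '

    ENABLE_FETCHMAIL: 0
    FETCHMAIL_POLL: 300
    FETCHMAIL_PARALLEL: 0
    ENABLE_GETMAIL: 0
    GETMAIL_POLL: 5

    LDAP_START_TLS:
    LDAP_SERVER_HOST:
    LDAP_SEARCH_BASE:
    # LDAP_BIND_DN:
    # LDAP_BIND_PW:
    LDAP_QUERY_FILTER_USER:
    LDAP_QUERY_FILTER_GROUP:
    LDAP_QUERY_FILTER_ALIAS:
    LDAP_QUERY_FILTER_DOMAIN:

    DOVECOT_TLS:
    DOVECOT_USER_FILTER:
    DOVECOT_PASS_FILTER:
    DOVECOT_MAILBOX_FORMAT: maildir
    DOVECOT_AUTH_BIND:

    ENABLE_POSTGREY: 0
    POSTGREY_DELAY: 300
    POSTGREY_MAX_AGE: 35
    POSTGREY_TEXT: "Delayed by Postgrey"
    POSTGREY_AUTO_WHITELIST_CLIENTS: 5

    ENABLE_SASLAUTHD: 0
    SASLAUTHD_MECHANISMS:
    SASLAUTHD_MECH_OPTIONS:
    SASLAUTHD_LDAP_SERVER:
    # SASLAUTHD_LDAP_BIND_DN:
    # SASLAUTHD_LDAP_PASSWORD:
    SASLAUTHD_LDAP_SEARCH_BASE:
    SASLAUTHD_LDAP_FILTER:
    SASLAUTHD_LDAP_START_TLS:
    SASLAUTHD_LDAP_TLS_CHECK_PEER:
    SASLAUTHD_LDAP_TLS_CACERT_FILE:
    SASLAUTHD_LDAP_TLS_CACERT_DIR:
    SASLAUTHD_LDAP_PASSWORD_ATTR:
    SASLAUTHD_LDAP_AUTH_METHOD:
    SASLAUTHD_LDAP_MECH:

    SRS_SENDER_CLASSES: envelope_sender
    SRS_EXCLUDE_DOMAINS:
    SRS_SECRET:

    DEFAULT_RELAY_HOST:

    RELAY_HOST:
    RELAY_PORT: 25
    RELAY_USER:
    # RELAY_PASSWORD:

  ## Pod-level security context: run the whole pod as the unprivileged 5000:5000 pair.
  securityContext:
    runAsUser: 5000
    runAsGroup: 5000

  ## Container-level security context for the docker-mailserver container.
  ## NOTE(review): only the two keys below are set; whether further keys placed here are passed through
  ## to the container depends on the chart template — confirm before adding any.
  containerSecurityContext:
    readOnlyRootFilesystem: false # incompatible with the way docker-mailserver works
    privileged: false

  ## More generally, a "request" can be thought of as "how much is this container expected to need usually". It should be
  ## possible to burst outside these constraints (during a high load operation). However, Kubernetes may kill the pod
  ## if the node is under too high a load and the burst is outside its request.
  ##
  ## Limits are hard limits. Violating them is either impossible, or results in container death. I'm not sure whether
  ## making these optional is a good idea or not; at the moment, I think I'm happy to defer QOS to the cluster and try
  ## and keep requests close to usage.
  ##
  ## Requests are what are used to determine whether more software "fits" onto the cluster.
  ##
  ## Ref: http://kubernetes.io/docs/user-guide/compute-resources/
  ## Ref: https://github.com/kubernetes/kubernetes/blob/master/docs/design/resource-qos.md
  ## Ref: https://docs.docker.com/engine/reference/run/#/runtime-constraints-on-resources
  resources:
    requests:
      ## How much CPU this container is expected to need
      cpu: "1"
      ## How much memory this container is expected to need.
      ## Reduce these requests at your peril - too few resources can cause daemons (i.e., clamd) to fail, or timeouts to occur.
      ## A test installation with clamd running was killed when it consumed 1437Mi (which is why this value was increased to 1536)
      memory: "1536Mi"
      ephemeral-storage: "100Mi"
    limits:
      ## The max CPU this container should be allowed to use
      cpu: "2"
      ## The max memory this container should be allowed to use. Note: If a container exceeds its memory limit,
      ## it may be terminated.
      memory: "2048Mi"
      ephemeral-storage: "500Mi"

  ## Container resource resize policy for the docker-mailserver container
  ## Allows dynamic adjustment of CPU and memory resources without pod restart
  ## Useful for handling load spikes or optimizing resource utilization in production
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/resize-container-resources/
  resizePolicy: []

  ## Optionally specify tolerations for the deployment
  tolerations: []

  ## Optionally specify initContainers
  initContainers: []

  ## Optionally specify a list of extra mounts to add (normally used with extraVolumes)
  extraVolumeMounts: []

  ## Optionally specify a list of extra volumes to add
  extraVolumes: []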
service:
  ## What scope the service should be exposed in. One of:
  ## - LoadBalancer (to the world)
  ## - NodePort (to the world, via high port on a node)
  ## - ClusterIP (to the cluster)
  type: "LoadBalancer"

  ## Manually overwrite the externalTrafficPolicy. One of:
  ## - Local
  ## - Cluster
  ## Set it to "Local" when used with type "LoadBalancer" and set it to "Cluster" when used with "NodePort",
  ## unless you have a good reason not to.
  ## NOTE(review): this copy of the file carries no externalTrafficPolicy key under this comment —
  ## confirm against the chart template whether the key is expected here.

  ## Traffic distribution preference for Services. One of:
  ## - PreferClose
  ## - PreferSameZone (started from 1.34)
  ## - PreferSameNode (started from 1.34)
  ## Ref: https://kubernetes.io/docs/concepts/services-networking/service/#traffic-distribution
  trafficDistribution: ""

  ## If there is a particular IP that should be used for the service, specify it here.
  ## Note: It's quite unlikely that an IP should be specific. Normally, the best thing to do is leave it to Kubernetes
  ## to allocate a free IP from the pool.
  ## Default: Automatically assign a random IP
  ## NOTE(review): likewise, no key carrying such an IP follows this comment in this copy of the file.

  annotations: {}
  labels: {}
## One entry per volume the mailserver needs. Every entry names an existingClaim, so the chart is expected to
## bind to those pre-created PVCs; size / storageClass / selector presumably only matter when existingClaim is
## empty and the chart creates the claim itself (confirm in the template).
persistent_volume_claims:
  mail-config:
    enabled: true
    existingClaim: "mail-docker-mailserver-mail-config-pvc"
    size: 1Mi
    annotations: {}
    accessModes:
      - ReadWriteOnce
    storageClass:
    selector: {}

  mail-data:
    enabled: true
    existingClaim: "mail-docker-mailserver-mail-data-pvc"
    size: 10Gi
    annotations: {}
    accessModes:
      - ReadWriteOnce
    storageClass:
    selector: {}

  mail-state:
    enabled: true
    existingClaim: "mail-docker-mailserver-mail-state-pvc"
    size: 1Gi
    annotations: {}
    accessModes:
      - ReadWriteOnce
    storageClass:
    selector: {}

  mail-log:
    enabled: true
    existingClaim: "mail-docker-mailserver-mail-log-pvc"
    size: 1Gi
    annotations: {}
    accessModes:
      - ReadWriteOnce
    storageClass:
    selector: {}
## Where each claim from persistent_volume_claims is mounted inside the container.
## volumeName refers to the claim key above; subPath is left empty (mount the whole volume).
persistence:
  mail-config:
    volumeName: mail-config
    mountPath: /tmp/docker-mailserver
    subPath:

  mail-data:
    volumeName: mail-data
    mountPath: /var/mail
    subPath:

  mail-state:
    volumeName: mail-state
    mountPath: /var/mail-state
    subPath:

  mail-log:
    volumeName: mail-log
    mountPath: /var/log/mail
    subPath:
## Monitoring adds the prometheus.io annotations to pods and services, so that the Prometheus Kubernetes SD mechanism
## as configured in the examples will automatically discover both the pods and the services to query.
##
## This defaults on, as the annotations should do no harm where Prometheus is not available but will automatically
## expose the application where Prometheus is.
##
## See https://github.com/prometheus/docs/blob/master/content/docs/operating/configuration.md
## See https://github.com/prometheus/prometheus/blob/master/documentation/examples/prometheus-kubernetes.yml
##
## All values below are quoted on purpose: they end up as annotation values, which must be strings.
monitoring:
  ## Whether to scrape this service with the monitoring toolkit. Mostly useful for blackbox probing of a given service
  ## to ensure it's "up"
  service:
    ## monitoring should be configured to only scrape services that have a value of "true"
    scrape: "true"
    ## monitoring should be configured to only probe services that have a value of "true"
    probe: "false"
    ## Path on which metrics are exposed
    path: "/metrics"
    ## Port on which HTTP server is served
    port: "9102"

  ## Whether to scrape the pods associated with this application. Useful for collecting metrics.
  pod:
    ## monitoring should be configured to only scrape pods that have a value of "true"
    scrape: "true"
    ## monitoring should be configured to only probe pods that have a value of "true"
    probe: "false"
    ## Path on which metrics are exposed
    path: "/metrics"
    ## Port on which HTTP server is served
    port: "9102"
rspamd:
  ## Optional Ingress in front of the rspamd web UI. Disabled by default.
  ## If you enable it, enable tls as well and point secret at a TLS Secret: with tls.enabled false the
  ## controller UI (and whatever credentials it asks for) is served over plain HTTP.
  ingress:
    enabled: false
    ingressClassName: nginx
    annotations: {}
    host: rspamd.example.com
    path: /
    tls:
      enabled: false
      secret:
dovecot:
  ## Dovecot full-text search (fts_xapian). The values here are consumed by the
  ## fts-xapian-plugin.conf ConfigMap further down.
  fullTextSearch:
    enabled: false
    verbose: 0 # 0 (silent), 1 (verbose) or 2 (debug)
    resources:
      ## Passed to the indexer-worker vsz_limit in the generated plugin config
      memory: 2GB
    cron:
      enabled: true # Optimize index every day
      ## Quoted: a cron expression is a string, keep YAML from treating the asterisks specially
      schedule: "0 4 * * *" # Every day at 4am
## PROXY-protocol support for traffic that arrives through a load balancer which prepends a PROXY header.
## When enabled, the dovecot.cf ConfigMap adds haproxy-aware IMAP/POP3/ManageSieve listeners and user-patches.sh
## clones the Postfix submission/submissions/smtp services onto 10587/10465/12525 with the proxy protocol enabled.
proxyProtocol:
  enabled: true

  ## Networks allowed to send PROXY headers; becomes Dovecot's haproxy_trusted_networks via the dovecot.cf ConfigMap.
  ## Security: every host in these ranges can assert any client IP it likes, which feeds rate limiting,
  ## postscreen/rspamd scoring and logs. Narrow this to the load balancer's real source range rather than all
  ## RFC 1918 space. The Postfix proxy-protocol ports get no trusted-networks check at all, so make sure
  ## 10587/10465/12525 are reachable only from the load balancer (Service exposure / NetworkPolicy).
  trustedNetworks: "10.0.0.0/8 192.168.0.0/16 172.16.0.0/12"
## Optional postfix-exporter sidecar for Prometheus metrics.
metrics:
  enabled: false

  image:
    ## Pinned by digest rather than by tag: name carries the "@sha256" suffix and tag the hex digest, so a
    ## "<name>:<tag>" join presumably yields "<repo>@sha256:<digest>" — confirm that is how the chart assembles it.
    name: blackflysolutions/postfix-exporter@sha256
    tag: "7ed7c0534112aff5b44757ae84a206bf659171631edfc325c3c1638d78e74f73"
    pullPolicy: "IfNotPresent"

  resources:
    requests:
      memory: "256Mi"
    # limits:

  ## Container resource resize policy for the metrics-exporter container
  ## Allows dynamic adjustment of CPU and memory resources without pod restart
  ## Useful for handling load spikes or optimizing resource utilization in production
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/resize-container-resources/
  resizePolicy: []

  serviceMonitor:
    enabled: false
    scrapeInterval: 15s
    ## Optionally add additional labels (the key sits under serviceMonitor; the original comment said
    ## "deployment" — confirm in the template which object receives them)
    labels: {}
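## ConfigMaps (and Secrets) are used to copy docker-mailserver configuration files
## into running containers. This chart automatically sets up any config files that
## are stored in its chart/config directory.
##
## However, Helm does not provide a way to save external files to a ConfigMap or Secret.
## This is a problem for docker-mailserver because you need to set up postfix accounts,
## dovecot accounts, etc.
##
## The configs and secrets keys solve this problem. They allow you to add additional config
## files by either referencing existing ConfigMaps (that you create before installing the Chart)
## or by creating new ones (set the create key to true).
##
## The `data` block scalars below contain Go-template directives referencing `.Values.*`;
## NOTE(review): they are presumably rendered by the chart (tpl) before being written — confirm in the template.
configMaps:
  ## Extra Dovecot configuration: PROXY-protocol aware listeners next to the standard ones.
  dovecot.cf:
    create: true
    path: dovecot.cf
    data: |
      {{- if .Values.proxyProtocol.enabled }}
      haproxy_trusted_networks = {{ .Values.proxyProtocol.trustedNetworks }}

      {{- if and (.Values.deployment.env.ENABLE_IMAP) (not .Values.deployment.env.SMTP_ONLY) }}
      service imap-login {
        inet_listener imap {
          port = 143
        }

        inet_listener imaps {
          port = 993
          ssl = yes
        }

        inet_listener imap_proxyprotocol {
          haproxy = yes
          port = 10143
          ssl = no
        }

        inet_listener imaps_proxyprotocol {
          haproxy = yes
          port = 10993
          ssl = yes
        }
      }
      {{- end -}}

      {{- if and (.Values.deployment.env.ENABLE_POP3) (not .Values.deployment.env.SMTP_ONLY) }}
      service pop3-login {
        inet_listener pop3 {
          port = 110
        }

        inet_listener pop3s {
          port = 995
          ssl = yes
        }

        inet_listener pop3_proxyprotocol {
          haproxy = yes
          port = 10110
          ssl = no
        }

        inet_listener pop3s_proxyprotocol {
          haproxy = yes
          port = 10995
          ssl = yes
        }
      }
      {{- end -}}

      {{- if and (.Values.deployment.env.ENABLE_MANAGESIEVE) (not .Values.deployment.env.SMTP_ONLY) }}
      service managesieve-login {
        inet_listener sieve {
          port = 4190
        }

        inet_listener sieve_proxyprotocol {
          port = 14190
        }
      }
      {{- end -}}
      {{- end -}}

  ## Dovecot fts_xapian plugin config, driven by the dovecot.fullTextSearch values.
  fts-xapian-plugin.conf:
    create: true
    path: /etc/dovecot/conf.d/10-plugin.conf
    data: |
      {{- if .Values.dovecot.fullTextSearch.enabled }}
      mail_plugins = $mail_plugins fts fts_xapian

      plugin {
        fts = xapian
        fts_xapian = partial=3 full=20 verbose={{ .Values.dovecot.fullTextSearch.verbose }}

        fts_autoindex = yes
        fts_enforced = yes

        fts_decoder = decode2text
      }

      service indexer-worker {
        vsz_limit = {{ .Values.dovecot.fullTextSearch.resources.memory }}
      }
      {{- end -}}

  ## Postfix side of PROXY-protocol support. Two defects fixed relative to the previous revision:
  ## the submission clone appended to the relative path "etc/postfix/master.cf", and the submissions
  ## sed expression lacked its closing "/" (an unterminated s command aborts sed).
  user-patches.sh:
    create: true
    path: user-patches.sh
    data: |
      #!/bin/bash
      {{- if .Values.proxyProtocol.enabled }}
      # Clone submission (587) and submissions (465) onto 10587/10465 and enable the
      # upstream PROXY protocol on the clones.
      postconf -Mf submission/inet | sed -e 's/^submission/10587/' -e 's/submission/submission-proxyprotocol/' >> /etc/postfix/master.cf
      postconf -Mf submissions/inet | sed -e 's/^submissions/10465/' -e 's/submissions/submissions-proxyprotocol/' >> /etc/postfix/master.cf
      postconf -P 10587/inet/smtpd_upstream_proxy_protocol=haproxy
      postconf -P 10465/inet/smtpd_upstream_proxy_protocol=haproxy

      # Same for port 25 (postscreen) on 12525.
      postconf -Mf smtp/inet | sed -e 's/^smtp/12525/' >> /etc/postfix/master.cf
      postconf -P \
        12525/inet/postscreen_upstream_proxy_protocol=haproxy \
        12525/inet/syslog_name=postfix/smtpd-proxyprotocol
      postconf 'postscreen_cache_map = proxy:btree:$data_directory/postscreen_cache'
      {{- end }}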
## The secrets key works the same way as the configs key. Use secrets to store sensitive information,
## such as DKIM signing keys.
##
## secrets:
##   rspamd.example.com:
##     name: rspamd.example.com # This is the name of the Secret
##     create: true # If true, create a new Secret
##     path: rspamd.dkim.rsa-2048-mail-example.com.private.txt
##     data: abace # If create is true, then you must specify content. Must be base 64 encoded!
##
##   rspamd.dkim.rsa-2048-mail-example.com.public:
##     name: rspamd.dkim.rsa-2048-mail-example.com.public
##     create: true
##     path: rspamd/dkim/rsa-2048-mail-example.com.public
##     data: abace # If create is true, then you must specify content. Must be base 64 encoded!
##
## If you set the create key to false, then you must manually create the Secrets before deploying the chart.
##
## kubectl create secret generic rspamd.example.com --namespace mail --from-file=rspamd.dkim.rsa-2048-mail-example.com.private.txt=<path_to_rspamd.dkim.rsa-2048-mail-example.com.private.txt>
##
## With create: true the (base64, i.e. not encrypted) key material lives in this values file; keep such a file out
## of version control, or use create: false and provision the Secret out of band as shown above.
secrets: {}
## @param extraDeploy Array of extra objects to deploy with the release
## (each entry is a complete Kubernetes manifest; empty = nothing extra)
extraDeploy: []