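---
# tasks file for postfix
#
# Deploys docker-mailserver into its own namespace: a cert-manager
# Certificate for TLS, a PersistentVolumeClaim for the mail store, a Secret
# holding the LDAP bind password, the Deployment itself, and a LoadBalancer
# Service exposing the SMTP/IMAP ports.
#
# Requires the `openldap_readonly_password` variable to be defined by the
# caller; it is the password for the LDAP read-only bind DN below.

- name: Create Postfix namespace
  k8s:
    state: present
    definition:
      apiVersion: v1
      kind: Namespace
      metadata:
        name: postfix

- name: Request a certificate for postfix
  k8s:
    state: present
    definition:
      apiVersion: cert-manager.io/v1
      kind: Certificate
      metadata:
        name: postfix
        namespace: postfix
      spec:
        # cert-manager writes tls.crt / tls.key into this Secret; the
        # Deployment mounts it at /etc/letsencrypt and points SSL_*_PATH at it.
        secretName: postfix
        privateKey:
          algorithm: RSA
          encoding: PKCS1
          size: 2048
        duration: 2160h  # 90d
        renewBefore: 360h  # 15d
        isCA: false
        usages:
          - server auth
          - client auth
        subject:
          organizations:
            - EOM
        commonName: postfix.eom.dev
        # Both SMTP and IMAP are served from the same pod, so the one
        # certificate covers both public names.
        dnsNames:
          - postfix.eom.dev
          - dovecot.eom.dev
        issuerRef:
          name: ca-issuer
          kind: ClusterIssuer

- name: Create a persistent volume claim for mail
  k8s:
    state: present
    definition:
      apiVersion: v1
      kind: PersistentVolumeClaim
      metadata:
        name: postfix
        namespace: postfix
      spec:
        accessModes:
          - ReadWriteOnce
        resources:
          requests:
            storage: 2Ti

- name: Store the LDAP bind password in a Secret
  # Keeping the password out of the Deployment spec means it is readable only
  # by principals allowed to read Secrets, not by anyone who can list
  # Deployments or Pods. no_log keeps it out of the Ansible output as well.
  no_log: true
  k8s:
    state: present
    definition:
      apiVersion: v1
      kind: Secret
      metadata:
        name: postfix-ldap
        namespace: postfix
      type: Opaque
      stringData:
        LDAP_BIND_PW: "{{ openldap_readonly_password }}"

- name: Create a deployment
  k8s:
    state: present
    definition:
      # Deployment is in the apps API group; a bare "v1" Deployment does not
      # exist and the apply fails.
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: postfix
        namespace: postfix
      spec:
        replicas: 1
        # The mail store is a ReadWriteOnce PVC: a rolling update would leave
        # the replacement pod waiting on a volume still held by the old one.
        strategy:
          type: Recreate
        selector:
          matchLabels:
            app: postfix
        template:
          metadata:
            labels:
              app: postfix
          spec:
            containers:
              - name: postfix
                image: mailserver/docker-mailserver
                volumeMounts:
                  - name: ssl
                    mountPath: /etc/letsencrypt
                  - name: postfix
                    mountPath: /var/mail
                ports:
                  - containerPort: 25
                  - containerPort: 465
                  - containerPort: 587
                  - containerPort: 993
                env:
                  - name: OVERRIDE_HOSTNAME
                    value: "postfix.eom.dev"
                  - name: POSTMASTER_ADDRESS
                    value: "postfix@postfix.eom.dev"
                  - name: ACCOUNT_PROVISIONER
                    value: "LDAP"
                  # Plain ldap:// to the in-cluster service: the bind
                  # credentials and lookups are not encrypted on the cluster
                  # network, so this relies on that network being trusted.
                  - name: LDAP_SERVER_HOST
                    value: "ldap://openldap.openldap.svc.cluster.local/"
                  - name: LDAP_SEARCH_BASE
                    value: "dc=eom,dc=dev"
                  - name: LDAP_BIND_DN
                    value: "cn=readonly,dc=eom,dc=dev"
                  - name: LDAP_BIND_PW
                    valueFrom:
                      secretKeyRef:
                        name: postfix-ldap
                        key: LDAP_BIND_PW
                  - name: LDAP_QUERY_FILTER_DOMAIN
                    value: "(mail=*@%s)"
                  # Only members of the Postfix Users group receive mail.
                  - name: LDAP_QUERY_FILTER_USER
                    value: "(&(mail=%s)(memberOf=cn=Postfix Users,ou=Postfix,ou=Services,dc=eom,dc=dev))"
                  - name: LDAP_QUERY_FILTER_ALIAS
                    value: "(&(objectClass=posixAccount)(mailAlias=%s))"
                  - name: LDAP_QUERY_FILTER_GROUP
                    value: "(&(objectClass=posixAccount)(mailGroupMember=%s))"
                  - name: LDAP_QUERY_FILTER_SENDERS
                    value: "(&(objectClass=posixAccount)(|(mail=%s)(mailAlias=%s)(mailGroupMember=%s)))"
                  # Reject authenticated senders using a From address they do
                  # not own (per the SENDERS filter above).
                  - name: SPOOF_PROTECTION
                    value: "1"
                  - name: DOVECOT_AUTH_BIND
                    value: "yes"
                  # Scheme assumed for userPassword values that carry no
                  # {SCHEME} prefix; it must match how the directory hashes
                  # passwords. MD5-CRYPT is a weak hash — if the directory can
                  # store a stronger scheme, change both sides together.
                  - name: DOVECOT_DEFAULT_PASS_SCHEME
                    value: "MD5-CRYPT"
                  - name: DOVECOT_USER_FILTER
                    value: "(&(objectClass=posixAccount)(uid=%n)(memberOf=cn=Dovecot Users,ou=Dovecot,ou=Services,dc=eom,dc=dev))"
                  - name: DOVECOT_PASS_ATTRS
                    value: "uid=user,userPassword=password"
                  - name: DOVECOT_USER_ATTRS
                    value: "=home=/var/mail/%{ldap:uid},=uid=%{ldap:uidNumber},=gid=%{ldap:gidNumber},=mail=maildir:~/Maildir"
                  - name: ENABLE_SASLAUTHD
                    value: "1"
                  - name: SASLAUTHD_MECHANISMS
                    value: "ldap"
                  - name: SASLAUTHD_LDAP_FILTER
                    value: "(mail=%U@postfix.eom.dev)"
                  # Use the cert-manager issued pair mounted from the "ssl"
                  # volume rather than letting the image request its own.
                  - name: SSL_TYPE
                    value: "manual"
                  - name: SSL_CERT_PATH
                    value: "/etc/letsencrypt/tls.crt"
                  - name: SSL_KEY_PATH
                    value: "/etc/letsencrypt/tls.key"
            volumes:
              - name: ssl
                secret:
                  secretName: postfix
              - name: postfix
                persistentVolumeClaim:
                  claimName: postfix

- name: Expose deployment as a service
  k8s:
    state: present
    definition:
      apiVersion: v1
      kind: Service
      metadata:
        name: postfix
        namespace: postfix
      spec:
        selector:
          app: postfix
        # Port names are kept as-is in case anything references them; the
        # comments give the conventional meaning of each port.
        ports:
          - port: 25
            name: smtp-a  # SMTP, server-to-server delivery
          - port: 465
            name: smtp-b  # SMTP submission over implicit TLS
          - port: 587
            name: smtps  # SMTP submission with STARTTLS
          - port: 993
            name: imap  # IMAP over implicit TLS
        type: LoadBalancer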