2026-01-19 13:57:50 +01:00
|
|
|
# Base Mailu Helm values for Bakery-IA
|
|
|
|
|
# Preserves critical configurations from the original Kustomize setup
|
|
|
|
|
|
2026-01-19 15:15:04 +01:00
|
|
|
# Global DNS configuration for DNSSEC validation
|
|
|
|
|
global:
|
2026-01-19 16:31:11 +01:00
|
|
|
# Using Unbound DNS resolver directly for DNSSEC validation
|
|
|
|
|
# Unbound service is available at unbound-dns.bakery-ia.svc.cluster.local
|
2026-01-21 23:16:19 +01:00
|
|
|
# DNS server IP will be dynamically resolved during deployment
|
|
|
|
|
# custom_dns_servers: "" # Will be set dynamically by deployment script
|
2026-01-19 15:15:04 +01:00
|
|
|
|
2026-01-19 13:57:50 +01:00
|
|
|
# Domain configuration
|
|
|
|
|
domain: "DOMAIN_PLACEHOLDER"
|
|
|
|
|
hostnames:
|
|
|
|
|
- "mail.DOMAIN_PLACEHOLDER"
|
|
|
|
|
|
|
|
|
|
# Mailu version to match the original setup
|
|
|
|
|
mailuVersion: "2024.06"
|
|
|
|
|
|
|
|
|
|
# Secret key for authentication cookies
|
|
|
|
|
secretKey: "cb61b934d47029a64117c0e4110c93f66bbcf5eaa15c84c42727fad78f7"
|
|
|
|
|
|
|
|
|
|
# Timezone
|
|
|
|
|
timezone: "Etc/UTC"
|
|
|
|
|
|
|
|
|
|
# Postmaster configuration
|
|
|
|
|
postmaster: "admin"
|
|
|
|
|
|
2026-01-21 16:21:24 +01:00
|
|
|
# Initial admin account configuration
|
|
|
|
|
# This creates an admin user as part of the Helm deployment
|
|
|
|
|
# Credentials can be provided directly or via Kubernetes secret
|
|
|
|
|
initialAccount:
|
|
|
|
|
enabled: true
|
|
|
|
|
username: "admin"
|
|
|
|
|
domain: "" # Set in environment-specific values (dev/prod)
|
|
|
|
|
password: "" # Leave empty to use existingSecret
|
|
|
|
|
existingSecret: "mailu-admin-credentials"
|
|
|
|
|
existingSecretPasswordKey: "password"
|
|
|
|
|
mode: "ifmissing" # Only create if account doesn't exist
|
|
|
|
|
|
2026-01-19 13:57:50 +01:00
|
|
|
# TLS configuration
|
|
|
|
|
tls:
|
2026-01-19 16:31:11 +01:00
|
|
|
flavor: "notls" # Disable TLS for development
|
2026-01-19 13:57:50 +01:00
|
|
|
|
|
|
|
|
# Limits configuration
|
|
|
|
|
limits:
|
|
|
|
|
messageSizeLimitInMegabytes: 50
|
|
|
|
|
authRatelimit:
|
|
|
|
|
ip: "60/hour"
|
|
|
|
|
user: "100/day"
|
|
|
|
|
messageRatelimit:
|
|
|
|
|
value: "200/day"
|
|
|
|
|
|
|
|
|
|
# External relay configuration (Mailgun)
|
2026-01-20 22:05:10 +01:00
|
|
|
# Mailu will relay all outbound emails through Mailgun SMTP
|
2026-01-21 16:21:24 +01:00
|
|
|
# Credentials are loaded from Kubernetes secret for security
|
2026-01-19 13:57:50 +01:00
|
|
|
externalRelay:
|
|
|
|
|
host: "[smtp.mailgun.org]:587"
|
2026-01-21 16:21:24 +01:00
|
|
|
# Use existing secret for credentials (recommended for security)
|
|
|
|
|
secretName: "mailu-mailgun-credentials"
|
|
|
|
|
usernameKey: "RELAY_USERNAME"
|
|
|
|
|
passwordKey: "RELAY_PASSWORD"
|
2026-01-19 13:57:50 +01:00
|
|
|
|
|
|
|
|
# Webmail configuration
|
|
|
|
|
webmail:
|
|
|
|
|
enabled: true
|
2026-01-21 16:21:24 +01:00
|
|
|
type: "roundcube"
|
2026-01-19 13:57:50 +01:00
|
|
|
|
|
|
|
|
# Antivirus and antispam configuration
|
|
|
|
|
antivirus:
|
|
|
|
|
enabled: false # Disabled in dev to save resources
|
|
|
|
|
antispam:
|
|
|
|
|
enabled: true
|
|
|
|
|
flavor: "rspamd"
|
|
|
|
|
|
|
|
|
|
# Welcome message
|
|
|
|
|
welcomeMessage:
|
|
|
|
|
enabled: false # Disabled during development
|
|
|
|
|
|
|
|
|
|
# Logging
|
|
|
|
|
logLevel: "INFO"
|
|
|
|
|
|
|
|
|
|
# Network configuration
|
|
|
|
|
subnet: "10.42.0.0/16"
|
|
|
|
|
|
2026-01-19 16:31:11 +01:00
|
|
|
# Redis configuration - using internal Redis (built-in)
|
2026-01-19 13:57:50 +01:00
|
|
|
externalRedis:
|
2026-01-19 16:31:11 +01:00
|
|
|
enabled: false
|
|
|
|
|
# host: "redis-service.bakery-ia.svc.cluster.local"
|
|
|
|
|
# port: 6380
|
2026-01-19 13:57:50 +01:00
|
|
|
adminQuotaDbId: 15
|
|
|
|
|
adminRateLimitDbId: 15
|
|
|
|
|
rspamdDbId: 15
|
|
|
|
|
|
2026-01-19 16:31:11 +01:00
|
|
|
# Database configuration - using default SQLite (built-in)
|
2026-01-19 13:57:50 +01:00
|
|
|
externalDatabase:
|
2026-01-19 16:31:11 +01:00
|
|
|
enabled: false
|
|
|
|
|
# type: "postgresql"
|
|
|
|
|
# host: "postgres-service.bakery-ia.svc.cluster.local"
|
|
|
|
|
# port: 5432
|
|
|
|
|
# database: "mailu"
|
|
|
|
|
# username: "mailu"
|
|
|
|
|
# password: "E8Kz47YmVzDlHGs1M9wAbJzxcKnGONCT"
|
2026-01-19 13:57:50 +01:00
|
|
|
|
|
|
|
|
# Persistence configuration
|
|
|
|
|
persistence:
|
|
|
|
|
single_pvc: true
|
|
|
|
|
size: 10Gi
|
|
|
|
|
storageClass: ""
|
|
|
|
|
accessModes: [ReadWriteOnce]
|
|
|
|
|
|
|
|
|
|
# Ingress configuration - disabled to use with existing ingress
|
|
|
|
|
ingress:
|
|
|
|
|
enabled: false # Disable chart's Ingress; use existing one
|
|
|
|
|
tls: false # Disable TLS in chart since ingress handles it
|
|
|
|
|
tlsFlavorOverride: notls # No TLS on internal NGINX; expect external proxy to handle TLS
|
|
|
|
|
realIpHeader: X-Forwarded-For # Header for client IP from your Ingress
|
|
|
|
|
realIpFrom: 0.0.0.0/0 # Trust all proxies (restrict to your Ingress pod CIDR for security)
|
|
|
|
|
path: /
|
|
|
|
|
pathType: ImplementationSpecific
|
|
|
|
|
|
|
|
|
|
# Optional: Enable PROXY protocol for mail protocols if your Ingress supports TCP proxying
|
|
|
|
|
proxyProtocol:
|
|
|
|
|
smtp: false
|
|
|
|
|
smtps: false
|
|
|
|
|
submission: false
|
|
|
|
|
imap: false
|
|
|
|
|
imaps: false
|
|
|
|
|
pop3: false
|
|
|
|
|
pop3s: false
|
|
|
|
|
manageSieve: false
|
|
|
|
|
|
|
|
|
|
# Front configuration
|
|
|
|
|
front:
|
|
|
|
|
image:
|
|
|
|
|
tag: "2024.06"
|
|
|
|
|
replicaCount: 1
|
|
|
|
|
service:
|
|
|
|
|
type: ClusterIP
|
|
|
|
|
ports:
|
|
|
|
|
http: 80
|
|
|
|
|
https: 443
|
|
|
|
|
resources:
|
|
|
|
|
requests:
|
|
|
|
|
cpu: 100m
|
|
|
|
|
memory: 128Mi
|
|
|
|
|
limits:
|
|
|
|
|
cpu: 200m
|
|
|
|
|
memory: 256Mi
|
|
|
|
|
|
|
|
|
|
# Admin configuration
|
|
|
|
|
admin:
|
|
|
|
|
image:
|
|
|
|
|
tag: "2024.06"
|
|
|
|
|
replicaCount: 1
|
|
|
|
|
service:
|
|
|
|
|
type: ClusterIP
|
|
|
|
|
port: 80
|
|
|
|
|
resources:
|
|
|
|
|
requests:
|
|
|
|
|
cpu: 100m
|
|
|
|
|
memory: 256Mi
|
|
|
|
|
limits:
|
|
|
|
|
cpu: 300m
|
|
|
|
|
memory: 512Mi
|
|
|
|
|
|
|
|
|
|
# Postfix configuration
|
|
|
|
|
postfix:
|
|
|
|
|
image:
|
|
|
|
|
tag: "2024.06"
|
|
|
|
|
replicaCount: 1
|
|
|
|
|
service:
|
|
|
|
|
type: ClusterIP
|
|
|
|
|
ports:
|
|
|
|
|
smtp: 25
|
|
|
|
|
submission: 587
|
|
|
|
|
resources:
|
|
|
|
|
requests:
|
|
|
|
|
cpu: 100m
|
|
|
|
|
memory: 256Mi
|
|
|
|
|
limits:
|
|
|
|
|
cpu: 500m
|
|
|
|
|
memory: 512Mi
|
|
|
|
|
|
|
|
|
|
# Dovecot configuration
|
|
|
|
|
dovecot:
|
|
|
|
|
image:
|
|
|
|
|
tag: "2024.06"
|
|
|
|
|
replicaCount: 1
|
|
|
|
|
service:
|
|
|
|
|
type: ClusterIP
|
|
|
|
|
ports:
|
|
|
|
|
imap: 143
|
|
|
|
|
imaps: 993
|
|
|
|
|
resources:
|
|
|
|
|
requests:
|
|
|
|
|
cpu: 100m
|
|
|
|
|
memory: 256Mi
|
|
|
|
|
limits:
|
|
|
|
|
cpu: 500m
|
|
|
|
|
memory: 512Mi
|
|
|
|
|
|
|
|
|
|
# Rspamd configuration
|
|
|
|
|
rspamd:
|
|
|
|
|
image:
|
|
|
|
|
tag: "2024.06"
|
|
|
|
|
replicaCount: 1
|
|
|
|
|
service:
|
|
|
|
|
type: ClusterIP
|
|
|
|
|
ports:
|
|
|
|
|
rspamd: 11333
|
|
|
|
|
rspamd-admin: 11334
|
|
|
|
|
resources:
|
|
|
|
|
requests:
|
|
|
|
|
cpu: 200m
|
|
|
|
|
memory: 512Mi
|
|
|
|
|
limits:
|
|
|
|
|
cpu: 1000m
|
|
|
|
|
memory: 1Gi
|
|
|
|
|
|
|
|
|
|
# Network Policy
|
|
|
|
|
networkPolicy:
|
|
|
|
|
enabled: true
|
|
|
|
|
ingressController:
|
|
|
|
|
namespace: ingress-nginx
|
|
|
|
|
podSelector: |
|
|
|
|
|
matchLabels:
|
|
|
|
|
app.kubernetes.io/name: ingress-nginx
|
|
|
|
|
app.kubernetes.io/instance: ingress-nginx
|
2026-01-19 15:15:04 +01:00
|
|
|
app.kubernetes.io/component: controller
|
|
|
|
|
|
2026-01-19 16:31:11 +01:00
|
|
|
# DNS Policy Configuration
|
|
|
|
|
# Use Kubernetes DNS (ClusterFirst) for internal service resolution
|
|
|
|
|
# DNSSEC validation for email is handled by rspamd component
|
|
|
|
|
# Note: For production with DNSSEC needs, configure CoreDNS to forward to Unbound
|
|
|
|
|
dnsPolicy: "ClusterFirst"
|
