bakery-ia/infrastructure/platform/security/network-policies/allow-notification-to-mailu.yaml

# Network Policy to allow notification service to send emails via Mailu
# This policy allows egress from notification-service to mailu-front on SMTP port 25
#
# NOTE: Mailu is configured with TLS_FLAVOR: "notls" and subnet: "10.1.0.0/16"
# This allows unauthenticated relay from trusted pod network on port 25
# mailu-front (nginx) handles SMTP and proxies to postfix internally
#
# Because the relay is unauthenticated and unencrypted, network reachability
# (this policy plus the ingress policy in the second document of this file)
# is the only control on who can submit mail. Keep the selectors below as
# narrow as possible and treat any widening as a security-relevant change.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-notification-to-mailu-smtp
  namespace: bakery-ia
  labels:
    app: notification-service
    component: network-policy
    tier: security
spec:
  # Applies to every pod in bakery-ia carrying app=notification-service.
  podSelector:
    matchLabels:
      app: notification-service
  # Listing Egress makes this policy an egress allowlist for the selected pods:
  # any egress not permitted here or by another policy selecting the same pods
  # is denied. Ingress to notification-service is not affected by this policy.
  policyTypes:
    - Egress
  egress:
    # Allow SMTP traffic to mailu-front (port 25, no TLS)
    # A podSelector without a namespaceSelector matches pods in this policy's
    # own namespace (bakery-ia); the second document in this file selects the
    # same mailu-front pods in bakery-ia, so the two policies line up.
    # NOTE(review): no DNS egress (kube-dns, 53/UDP and 53/TCP) is allowed in
    # this file. If no sibling policy grants it, the notification-service pod
    # cannot resolve the mailu-front service name — confirm before relying on
    # this policy alone.
    - to:
        - podSelector:
            matchLabels:
              app.kubernetes.io/instance: mailu
              app.kubernetes.io/component: front
      ports:
        - port: 25
          protocol: TCP
---
# Allow ingress TO mailu-front FROM any pod in bakery-ia namespace
# This is needed because mailu-allow-internal only allows traffic from mailu pods
#
# NetworkPolicies are additive: this document does not narrow mailu-allow-internal,
# it adds a further allowed source. Port 25 on mailu-front is an unauthenticated,
# plaintext relay (see the TLS_FLAVOR note in the first document), so the `from`
# rule below is the effective access-control list for mail submission.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-mailu-smtp-from-apps
  namespace: bakery-ia
  labels:
    app: mailu
    component: network-policy
    tier: security
spec:
  # Same mailu-front pods that the first document allows egress to.
  podSelector:
    matchLabels:
      app.kubernetes.io/instance: mailu
      app.kubernetes.io/component: front
  # Only Ingress is listed, so egress from mailu-front is left untouched here.
  policyTypes:
    - Ingress
  ingress:
    # Allow SMTP from any pod in bakery-ia namespace
    # kubernetes.io/metadata.name is the namespace label set by the control
    # plane, so this matches the bakery-ia namespace itself.
    # NOTE(review): a namespaceSelector on its own admits every pod in the
    # namespace, not just notification-service. If notification-service is the
    # only intended sender, add `podSelector: {matchLabels: {app: notification-service}}`
    # to this same list element (same element = AND; a separate `-` element = OR)
    # so a compromised unrelated pod in bakery-ia cannot use the relay.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: bakery-ia
      ports:
        - port: 25
          protocol: TCP