Add new infra architecture 8

infrastructure/platform/mail/mailu-helm/dev/values.yaml

@@ -1,18 +1,27 @@
 # Development-tuned Mailu configuration
 global:
-  # Using Kubernetes cluster DNS for name resolution
+  # Using Unbound DNS for DNSSEC validation (required by Mailu admin)
   # Unbound service is available at unbound-dns.bakery-ia.svc.cluster.local
-  custom_dns_servers: "10.96.0.10"  # Kubernetes cluster DNS IP
+  custom_dns_servers: "10.98.197.120"  # Unbound DNS service IP
 
 # Redis configuration - use built-in Mailu Redis (no authentication needed)
 externalRedis:
   enabled: false
 
 # Component-specific DNS configuration
-# Admin uses Kubernetes DNS (ClusterFirst) to resolve internal services like Redis
-# DNSSEC validation is handled at the application level by rspamd
+# Admin requires DNSSEC validation - use Unbound DNS (forwards cluster.local to kube-dns)
 admin:
-  dnsPolicy: "ClusterFirst"
+  dnsPolicy: "None"
+  dnsConfig:
+    nameservers:
+      - "10.98.197.120"   # Unbound DNS for DNSSEC validation (forwards cluster.local to kube-dns)
+    searches:
+      - "bakery-ia.svc.cluster.local"
+      - "svc.cluster.local"
+      - "cluster.local"
+    options:
+      - name: ndots
+        value: "5"
 
 # RSPAMD needs Unbound for DNSSEC validation (DKIM/SPF/DMARC checks)
 # Using ClusterFirst with search domains + Kubernetes DNS which can forward to Unbound
@@ -20,14 +29,16 @@ rspamd:
   dnsPolicy: "ClusterFirst"
 
 # Domain configuration for dev
-domain: "bakery-ia.local"
+# NOTE: Using .dev TLD instead of .local because email-validator library
+# rejects .local domains as "special-use or reserved names" (RFC 6761)
+domain: "bakery-ia.dev"
 hostnames:
-  - "mail.bakery-ia.local"
+  - "mail.bakery-ia.dev"
 
 # External relay configuration for dev
 externalRelay:
   host: "[smtp.mailgun.org]:587"
-  username: "postmaster@bakery-ia.local"
+  username: "postmaster@bakery-ia.dev"
   password: "mailgun-api-key-replace-in-production"
 
 # Environment-specific configurations