Fix some issues 7

infrastructure/environments/common/configs/configmap.yaml

@@ -176,9 +176,9 @@ data:
   # ================================================================
   # EMAIL CONFIGURATION
   # ================================================================
-  SMTP_HOST: "mailu-front.bakery-ia.svc.cluster.local"
+  SMTP_HOST: "mailu-postfix.bakery-ia.svc.cluster.local"
-  SMTP_PORT: "587"
+  SMTP_PORT: "25"
-  SMTP_TLS: "true"
+  SMTP_TLS: "false"
   SMTP_SSL: "false"
   DEFAULT_FROM_EMAIL: "noreply@bakewise.ai"
   DEFAULT_FROM_NAME: "Bakery-Forecast"

infrastructure/environments/prod/k8s-manifests/kustomization.yaml

@@ -15,6 +15,7 @@ resources:
   - ../../../platform/networking/ingress/overlays/prod
   - ../../../platform/gateway
   - ../../../platform/storage
+  - ../../../platform/security/network-policies
   - ../../../services/databases
   - ../../../services/microservices
   # NOTE: CI/CD (gitea, tekton, flux) deployed via Helm, not kustomize

infrastructure/platform/security/network-policies/allow-notification-to-mailu.yaml

@@ -0,0 +1,62 @@
+# Network Policy to allow notification service to send emails via Mailu
+# This policy allows egress from notification-service to mailu-postfix on SMTP ports
+#
+# NOTE: Postfix only listens on port 25 (and 10025 internally), NOT 587
+# Port 587 (submission) is handled by mailu-front which proxies to postfix
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-notification-to-mailu-smtp
+  namespace: bakery-ia
+  labels:
+    app: notification-service
+    component: network-policy
+    tier: security
+spec:
+  podSelector:
+    matchLabels:
+      app: notification-service
+  policyTypes:
+    - Egress
+  egress:
+    # Allow SMTP traffic to mailu-postfix (port 25)
+    - to:
+        - podSelector:
+            matchLabels:
+              app.kubernetes.io/instance: mailu
+              app.kubernetes.io/component: postfix
+      ports:
+        - port: 25
+          protocol: TCP
+        - port: 10025
+          protocol: TCP
+---
+# Allow ingress TO mailu-postfix FROM any pod in bakery-ia namespace
+# This is needed because mailu-allow-internal only allows traffic from mailu pods
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-mailu-smtp-from-apps
+  namespace: bakery-ia
+  labels:
+    app: mailu
+    component: network-policy
+    tier: security
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: mailu
+      app.kubernetes.io/component: postfix
+  policyTypes:
+    - Ingress
+  ingress:
+    # Allow SMTP from any pod in bakery-ia namespace
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: bakery-ia
+      ports:
+        - port: 25
+          protocol: TCP
+        - port: 10025
+          protocol: TCP

infrastructure/platform/security/network-policies/kustomization.yaml

@@ -0,0 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+metadata:
+  name: network-policies
+
+resources:
+  # NOTE: global-default-networkpolicy.yaml and global-project-networkpolicy.yaml
+  # are excluded for now as they have overlapping/conflicting policies.
+  # Mailu's Helm chart manages its own network policies.
+  # Only including specific policies needed for cross-service communication.
+  - allow-notification-to-mailu.yaml

services/notification/app/main.py

@@ -28,7 +28,7 @@ import asyncio
 
 
 class NotificationService(StandardFastAPIService):
-    """t - Notification Service with standardized setup"""
+    """t - dfsss Notification Service with standardized setup"""
 
     expected_migration_version = "whatsapp001"