Fix some issues 10

infrastructure/platform/security/network-policies/allow-notification-to-mailu.yaml

@@ -1,8 +1,9 @@
 # Network Policy to allow notification service to send emails via Mailu
-# This policy allows egress from notification-service to mailu-postfix on SMTP ports
+# This policy allows egress from notification-service to mailu-front on SMTP port 25
 #
-# NOTE: Postfix only listens on port 25 (and 10025 internally), NOT 587
-# Port 587 (submission) is handled by mailu-front which proxies to postfix
+# NOTE: Mailu is configured with TLS_FLAVOR: "notls" and subnet: "10.1.0.0/16"
+# This allows unauthenticated relay from trusted pod network on port 25
+# mailu-front (nginx) handles SMTP and proxies to postfix internally
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
@@ -19,19 +20,17 @@ spec:
   policyTypes:
     - Egress
   egress:
-    # Allow SMTP traffic to mailu-postfix (port 25)
+    # Allow SMTP traffic to mailu-front (port 25, no TLS)
     - to:
         - podSelector:
             matchLabels:
               app.kubernetes.io/instance: mailu
-              app.kubernetes.io/component: postfix
+              app.kubernetes.io/component: front
       ports:
         - port: 25
           protocol: TCP
-        - port: 10025
-          protocol: TCP
 ---
-# Allow ingress TO mailu-postfix FROM any pod in bakery-ia namespace
+# Allow ingress TO mailu-front FROM any pod in bakery-ia namespace
 # This is needed because mailu-allow-internal only allows traffic from mailu pods
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
@@ -46,7 +45,7 @@ spec:
   podSelector:
     matchLabels:
       app.kubernetes.io/instance: mailu
-      app.kubernetes.io/component: postfix
+      app.kubernetes.io/component: front
   policyTypes:
     - Ingress
   ingress:
@@ -58,5 +57,3 @@ spec:
       ports:
         - port: 25
           protocol: TCP
-        - port: 10025
-          protocol: TCP