diff --git a/infrastructure/cicd/tekton-helm/templates/task-kaniko-build.yaml b/infrastructure/cicd/tekton-helm/templates/task-kaniko-build.yaml
index 94581fd2..38bc45b5 100644
--- a/infrastructure/cicd/tekton-helm/templates/task-kaniko-build.yaml
+++ b/infrastructure/cicd/tekton-helm/templates/task-kaniko-build.yaml
@@ -53,7 +53,7 @@ spec: - name: DOCKER_CONFIG value: /tekton/home/.docker script: | - #!/bin/bash + #!/busybox/sh set -e echo "==================================================================="
@@ -65,13 +65,13 @@ spec: echo "Git Revision: $(params.git-revision)" echo "===================================================================" - # Split services parameter by comma - IFS=',' read -ra SERVICES <<< "$(params.services)" + # Split services parameter by comma using POSIX-compatible method + SERVICES="$(params.services)" - # Build each service - for service in "${SERVICES[@]}"; do - service=$(echo "$service" | xargs) # Trim whitespace - if [ -n "$service" ] && [ "$service" != "none" ]; then + # Build each service - iterate using tr to convert commas to newlines + echo "$SERVICES" | tr ',' '\n' | while read service; do + service=$(echo "$service" | tr -d ' ') # Trim whitespace + if [ -n "$service" ] && [ "$service" != "none" ] && [ "$service" != "infrastructure" ] && [ "$service" != "shared" ]; then echo "" echo "Building service: $service" echo "-------------------------------------------------------------------"
diff --git a/infrastructure/cicd/tekton-helm/templates/task-run-tests.yaml b/infrastructure/cicd/tekton-helm/templates/task-run-tests.yaml
index ff0ebd1a..20791411 100644
--- a/infrastructure/cicd/tekton-helm/templates/task-run-tests.yaml
+++ b/infrastructure/cicd/tekton-helm/templates/task-run-tests.yaml
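Review bot: The new loop header `echo "$SERVICES" | tr ',' '\n' | while read service; do` should use `read -r`, otherwise the shell interprets backslashes in each service name before it is compared and used; the one-line change is `echo "$SERVICES" | tr ',' '\n' | while read -r service; do`. Because the loop body now runs in a pipeline subshell, any variable or counter set inside it is not visible after `done` — the body continues outside this hunk, so that is worth checking there. `tr -d ' '` also removes interior spaces rather than only leading/trailing ones as the previous `xargs` did; harmless if service names never contain spaces, but a comment saying so would prevent a surprise later. The hard-coded skips for `none`, `infrastructure` and `shared` deserve a comment explaining why those entries of the services parameter are not buildable images.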
@@ -35,9 +35,9 @@ spec: type: RuntimeDefault workingDir: $(workspaces.source.path) script: | - #!/bin/bash + #!/bin/sh set -e - + echo "============================================" echo "Running Unit Tests" echo "Services: $(params.services)"
@@ -78,9 +78,9 @@ spec: type: RuntimeDefault workingDir: $(workspaces.source.path) script: | - #!/bin/bash + #!/bin/sh set -e - + echo "============================================" echo "Running Integration Tests" echo "Services: $(params.services)"
diff --git a/infrastructure/platform/mail/mailu-helm/prod/mailu-ingress.yaml b/infrastructure/platform/mail/mailu-helm/prod/mailu-ingress.yaml
index 046b9a89..be3c15a4 100644
--- a/infrastructure/platform/mail/mailu-helm/prod/mailu-ingress.yaml
+++ b/infrastructure/platform/mail/mailu-helm/prod/mailu-ingress.yaml
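Review bot: Both hunks in task-run-tests.yaml (@@ -35 and @@ -78) change only the shebang from `#!/bin/bash` to `#!/bin/sh`, while the script bodies lie outside the hunks; if either body still uses a bash-only construct (`[[ ]]`, arrays, `<<<`, `read -a` — the kind of thing the kaniko task in this same commit had to rewrite) it will now fail at runtime under sh. I would grep those two scripts before merging, or keep `#!/bin/bash` if the test image ships it. A short comment at the top of each script, such as `# POSIX sh only: the test image has no bash`, would record why the interpreter was changed.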
@@ -9,29 +9,46 @@ metadata: environment: production annotations: cert-manager.io/cluster-issuer: letsencrypt-production + # Proxy settings for large attachments and long connections nginx.ingress.kubernetes.io/proxy-body-size: "100m" nginx.ingress.kubernetes.io/proxy-read-timeout: "3600" nginx.ingress.kubernetes.io/proxy-send-timeout: "3600" + nginx.ingress.kubernetes.io/proxy-connect-timeout: "60" + # SSL redirect nginx.ingress.kubernetes.io/force-ssl-redirect: "true" nginx.ingress.kubernetes.io/ssl-redirect: "true" - # CRITICAL: Headers for Mailu compatibility to fix webmail redirect loop + # CRITICAL: Disable proxy buffering for webmail streaming/long-polling + # This prevents the "stuck loading" issue with Roundcube webmail + # Reference: https://github.com/Mailu/Mailu/issues/2850 + nginx.ingress.kubernetes.io/proxy-buffering: "off" + nginx.ingress.kubernetes.io/proxy-request-buffering: "off" + # WebSocket support for webmail real-time features + nginx.ingress.kubernetes.io/proxy-http-version: "1.1" + nginx.ingress.kubernetes.io/upstream-hash-by: "$remote_addr" + # CRITICAL: Configuration snippet for Mailu header handling + # Fixes redirect loops by ensuring Mailu sees the correct protocol + # Reference: https://mailu.io/2.0/reverse.html nginx.ingress.kubernetes.io/configuration-snippet: | - # Set proper headers for Mailu - more_set_headers "X-Forwarded-Proto $scheme"; - more_set_headers "X-Forwarded-Port $server_port"; - more_set_headers "X-Original-Forwarded-For $http_x_forwarded_for"; + # CRITICAL: Force X-Forwarded-Proto to https to prevent redirect loops + # Mailu's internal nginx checks this header to decide if redirect is needed + proxy_set_header X-Forwarded-Proto https; + proxy_set_header X-Forwarded-Port 443; + proxy_set_header X-Forwarded-Ssl on; - # Handle redirects properly to prevent loops for webmail - proxy_redirect https://$host https://$host; - proxy_redirect http://$host https://$host; - - # Ensure proper host header + # Real IP headers for 
Mailu logging and rate limiting proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - # Additional proxy settings for Mailu - nginx.ingress.kubernetes.io/proxy-set-headers: "X-Forwarded-Proto https" + + # Fix redirects from Mailu internal services (admin, webmail) + # Don't add trailing slash to prevent 404 on redirects + proxy_redirect http://localhost https://$host; + proxy_redirect https://localhost https://$host; + proxy_redirect http://$host https://$host; + + # Disable buffering for streaming responses (webmail) + proxy_buffering off; + proxy_cache off; spec: ingressClassName: nginx tls:
diff --git a/infrastructure/platform/mail/mailu-helm/prod/values.yaml b/infrastructure/platform/mail/mailu-helm/prod/values.yaml
index ebbdf1ab..e807afed 100644
--- a/infrastructure/platform/mail/mailu-helm/prod/values.yaml
+++ b/infrastructure/platform/mail/mailu-helm/prod/values.yaml
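Review bot: `nginx.ingress.kubernetes.io/upstream-hash-by: "$remote_addr"` is commented as "WebSocket support", but it configures source-IP session affinity, not WebSocket upgrades; WebSocket needs no extra annotation on ingress-nginx, and with `replicaCount: 1` in values.yaml the hash is a no-op today that will change load distribution once the front is scaled. Either drop the annotation or replace the comment with `# Pin each client IP to one Mailu front replica (session affinity)`. The `configuration-snippet` annotation that carries the X-Forwarded-* headers and proxy_redirect rules is only honoured when the controller allows snippet annotations (disabled by default in recent ingress-nginx releases); if the controller rejects it, the redirect-loop fix this commit relies on is silently not applied, so the comment should state that dependency. `proxy_set_header X-Real-IP $remote_addr` is only the real client address if ingress-nginx itself sees it (proxy protocol or forwarded-header handling when it sits behind a load balancer) — worth confirming, since values.yaml now keys Mailu's rate limiting on that header.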
@@ -103,18 +103,24 @@ replicaCount: 1 # Can be increased in production as needed secretKey: "generate-strong-key-here-for-production" # Ingress configuration for production - disabled to use with existing ingress +# External nginx-ingress handles TLS termination and proxies to Mailu front ingress: - enabled: false # Disable chart's Ingress; use existing one + enabled: false # Disable chart's Ingress; use existing mailu-ingress.yaml tls: false # Disable TLS in chart since ingress handles it - tlsFlavorOverride: notls # No TLS on internal NGINX; expect external proxy to handle TLS - realIpHeader: X-Forwarded-For # Header for client IP from your Ingress - realIpFrom: 0.0.0.0/0 # Trust all proxies (restrict to your Ingress pod CIDR for security) + tlsFlavorOverride: notls # No TLS on internal NGINX; external ingress handles TLS + # CRITICAL: Real IP header configuration for proper client IP detection + # This must match the header set by nginx-ingress (X-Real-IP) + # Reference: https://mailu.io/2.0/reverse.html + realIpHeader: X-Real-IP + realIpFrom: "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16" # Trust cluster pod CIDRs path: / pathType: ImplementationSpecific -# TLS flavor for production (uses Let's Encrypt) +# TLS flavor for production +# "notls" because external ingress handles TLS termination +# The ingress sends X-Forwarded-Proto: https to tell Mailu the original protocol tls: - flavor: "cert" + flavor: "notls" # Welcome message (enabled in production) welcomeMessage:
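Review bot: `realIpFrom: "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"` trusts every RFC 1918 source, so any pod or node that can reach the Mailu front directly, bypassing the ingress, can supply its own `X-Real-IP` and sidestep the rate limiting that this header now drives; the guidance in the comment the commit removed (`restrict to your Ingress pod CIDR for security`) was the safer one. Narrow the list to the ingress-controller pod or node range, or pair it with a NetworkPolicy that admits only the ingress controller to the front service, and say which of the two is in place in the comment. Unrelated to the change but visible in the same hunk: `secretKey: "generate-strong-key-here-for-production"` is still the literal placeholder in a production values file — confirm it is overridden at deploy time rather than shipped as-is.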