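---
# Production-tuned Mailu configuration (Helm values).
#
# Layout restored from a collapsed single-line rendering: as presented, the
# first "#" swallowed the entire first line as a comment and the remainder
# was unparseable. Values are unchanged; quoting was made explicit on plain
# scalars so no parser can retype them, and review notes mark the settings
# that contradict each other or carry credentials.

global:
  # Using Kubernetes cluster DNS for name resolution
  custom_dns_servers: "10.96.0.10"  # Kubernetes cluster DNS IP

# Redis configuration - use built-in Mailu Redis (no authentication needed for internal)
# NOTE(review): env.REDIS_PASSWORD below sets a password anyway; the two
# statements disagree — confirm which one the chart actually honours.
externalRedis:
  enabled: false

# DNS configuration for production
# Use Kubernetes DNS (ClusterFirst) which forwards to Unbound via CoreDNS
# This is configured automatically by the mailu-helm Tilt resource
admin:
  dnsPolicy: "ClusterFirst"
rspamd:
  dnsPolicy: "ClusterFirst"

# Domain configuration for production
domain: "bakewise.ai"
hostnames:
  - "mail.bakewise.ai"

# Initial admin account for production environment
# Password is stored in mailu-admin-credentials secret
initialAccount:
  enabled: true
  username: "admin"
  domain: "bakewise.ai"
  existingSecret: "mailu-admin-credentials"
  existingSecretPasswordKey: "password"
  mode: "ifmissing"  # only create the account when it does not already exist

# External relay configuration for production (Mailgun)
# All outbound emails will be relayed through Mailgun SMTP
# To configure:
# 1. Register at mailgun.com and verify your domain (bakewise.ai)
# 2. Get your SMTP credentials from Mailgun dashboard
# 3. Update the secret in configs/mailgun-credentials-secret.yaml
# 4. Apply the secret: kubectl apply -f configs/mailgun-credentials-secret.yaml -n bakery-ia
externalRelay:
  host: "[smtp.mailgun.org]:587"
  # Credentials loaded from Kubernetes secret
  secretName: "mailu-mailgun-credentials"
  usernameKey: "RELAY_USERNAME"
  passwordKey: "RELAY_PASSWORD"

# Environment-specific configurations
persistence:
  enabled: true
  # Production: use microk8s-hostpath or longhorn
  storageClass: "longhorn"  # Assuming Longhorn is available in production
  size: "20Gi"  # Larger storage for production email volume

# Resource allocations for production
resources:
  admin:
    requests:
      cpu: "200m"
      memory: "256Mi"
    limits:
      cpu: "1"
      memory: "512Mi"
  front:
    requests:
      cpu: "100m"
      memory: "128Mi"
    limits:
      cpu: "500m"
      memory: "256Mi"
  postfix:
    requests:
      cpu: "200m"
      memory: "256Mi"
    limits:
      cpu: "1"
      memory: "512Mi"
  dovecot:
    requests:
      cpu: "200m"
      memory: "256Mi"
    limits:
      cpu: "1"
      memory: "512Mi"
  rspamd:
    requests:
      cpu: "100m"
      memory: "128Mi"
    limits:
      cpu: "500m"
      memory: "256Mi"
  clamav:
    requests:
      cpu: "200m"
      memory: "512Mi"
    limits:
      cpu: "1"
      memory: "1Gi"

replicaCount: 1  # Can be increased in production as needed

# Security settings
# TODO(review): placeholder value — it must be replaced before this file is
# deployed. Prefer sourcing it from a Kubernetes Secret (as initialAccount and
# externalRelay already do) rather than committing the real key to VCS, if the
# chart offers such a reference for this key.
secretKey: "generate-strong-key-here-for-production"

# Ingress configuration for production - disabled to use with existing ingress
ingress:
  enabled: false  # Disable chart's Ingress; use existing one
  tls: false  # Disable TLS in chart since ingress handles it
  tlsFlavorOverride: "notls"  # No TLS on internal NGINX; expect external proxy to handle TLS
  # NOTE(review): "notls" here disagrees with tls.flavor and env.TLS_FLAVOR
  # ("cert") further down. Confirm which key the chart reads. An HTTP ingress
  # only terminates TLS for the web endpoints; SMTP/IMAP/POP on the front pod
  # would need their own TLS termination when the internal flavor is notls.
  realIpHeader: "X-Forwarded-For"  # Header for client IP from your Ingress
  # NOTE(review): with 0.0.0.0/0 any peer that can reach the front pod directly
  # can set X-Forwarded-For and choose the client IP that is logged and
  # rate-limited. Restrict to the Ingress controller's pod CIDR.
  realIpFrom: "0.0.0.0/0"  # Trust all proxies (restrict to your Ingress pod CIDR for security)
  path: "/"
  pathType: "ImplementationSpecific"

# TLS flavor for production (uses Let's Encrypt)
tls:
  flavor: "cert"

# Welcome message (enabled in production)
welcomeMessage:
  enabled: true
  subject: "Welcome to Bakewise.ai Email Service"
  body: "Welcome to our email service. Please change your password and update your profile."

# Log level for production
logLevel: "WARNING"

# Enable antivirus in production
antivirus:
  enabled: true
  flavor: "clamav"

# Production-specific settings
# NOTE(review): confirm the chart consumes this env map at all; the values
# duplicate logLevel and tls.flavor above and may be silently ignored.
env:
  DEBUG: "false"
  LOG_LEVEL: "WARNING"
  TLS_FLAVOR: "cert"
  # TODO(review): plaintext credential committed in a values file, and at odds
  # with the "no authentication needed" note on externalRedis. Move it to a
  # Secret reference or drop it if the built-in Redis is unauthenticated.
  REDIS_PASSWORD: "secure-redis-password"

# Enable monitoring in production
monitoring:
  enabled: true

# Production-specific security settings
securityContext:
  runAsNonRoot: true
  runAsUser: 1000
  fsGroup: 1000

# Network policies for production
# NOTE(review): podSelector is a literal block scalar, so the chart receives it
# as a string, not a mapping — confirm the template renders it with an
# indent-aware helper. Nesting of the monitoring entry under networkPolicy
# was inferred from the collapsed original (a second top-level "monitoring"
# key would be a duplicate); verify against the chart's values schema.
networkPolicy:
  enabled: true
  ingressController:
    namespace: "ingress-nginx"
    podSelector: |
      matchLabels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/component: controller
  monitoring:
    namespace: "monitoring"
    podSelector: |
      matchLabels:
        app: signoz-prometheus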