# Webmail DNS Configuration Guide

This guide provides the DNS configuration required to make the webmail system accessible from `webmail.bakewise.ai`.

## Production DNS Configuration

### Required DNS Records for `webmail.bakewise.ai`

```bash
# A Record for webmail subdomain
# (record content: the public IP of the ingress load balancer; see Deployment Steps)
webmail.bakewise.ai.          IN A

# CNAME Record (alternative approach; use either the A record or the CNAME, not both)
webmail.bakewise.ai.          IN CNAME bakewise.ai.

# MX Record for email delivery (if receiving emails)
bakewise.ai.                  IN MX 10 webmail.bakewise.ai.

# SPF Record (authorize webmail server)
bakewise.ai.                  IN TXT "v=spf1 include:mailgun.org ~all"

# DKIM Record (public key will be generated by Mailu)
mailu._domainkey.bakewise.ai. IN TXT "v=DKIM1; k=rsa; p="

# DMARC Record
_dmarc.bakewise.ai.           IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@bakewise.ai"
```

Two points to check before publishing these records. A name that holds a CNAME cannot hold any other record, and an MX target must be a hostname with its own address record, so if you choose the CNAME form, the MX record must not point at `webmail.bakewise.ai`. The SPF record as written authorizes only Mailgun; mail sent directly by the Mailu server will fail SPF unless its address is also authorized (for example with an `mx` or `a:webmail.bakewise.ai` mechanism).

## Development DNS Configuration

### Required DNS Records for `webmail.bakery-ia.local`

For local development, add these entries to your `/etc/hosts` file:

```bash
# Add to /etc/hosts
127.0.0.1 webmail.bakery-ia.local
127.0.0.1 bakery-ia.local
127.0.0.1 monitoring.bakery-ia.local
```

## TLS Certificate Configuration

The ingress configuration includes automatic TLS certificate provisioning using cert-manager with Let's Encrypt.
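Before the zone is published and before cert-manager asks Let's Encrypt for the certificate, it is worth running a pre-flight check over the records from the DNS section above: a CNAME beside an A record, an MX that points at a CNAME, an SPF record that does not cover the mail host, an empty DKIM key, or a certificate host with no address record are all cheap to catch at this stage. The following script is an added example, not part of the project's tooling. Its sample zone is a constructed copy of the guide's production records (with the documentation-range address `203.0.113.10` standing in for the ingress IP), and `TLS_HOSTS` is the host list the ingress TLS section requests; because the guide only shows the webmail records, the sample also flags the apex and monitoring hosts as unresolved.

```python
"""Pre-flight checks for the webmail DNS records before publishing the zone.

Added example; not part of the project's tooling. The sample zone below is a
constructed copy of the guide's production records, with the documentation-range
address 203.0.113.10 standing in for the ingress load balancer IP.
"""
import re
from collections import defaultdict

SAMPLE_ZONE = """
webmail.bakewise.ai.          IN A     203.0.113.10
webmail.bakewise.ai.          IN CNAME bakewise.ai.
bakewise.ai.                  IN MX    10 webmail.bakewise.ai.
bakewise.ai.                  IN TXT   "v=spf1 include:mailgun.org ~all"
mailu._domainkey.bakewise.ai. IN TXT   "v=DKIM1; k=rsa; p="
_dmarc.bakewise.ai.           IN TXT   "v=DMARC1; p=quarantine; rua=mailto:dmarc@bakewise.ai"
"""

# Hosts the ingress asks cert-manager to put on the certificate; each one must
# resolve before Let's Encrypt can complete HTTP-01 validation for it.
TLS_HOSTS = ["bakewise.ai", "monitoring.bakewise.ai", "webmail.bakewise.ai"]

RECORD_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+([A-Z]+)\s+(.*)$")


def parse_zone(text):
    """Map owner -> {rtype: [rdata, ...]} for 'owner [ttl] IN TYPE rdata' lines."""
    records = defaultdict(lambda: defaultdict(list))
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank lines and zone-file comments
            continue
        match = RECORD_RE.match(line)
        if not match:
            raise ValueError(f"unparseable record: {line}")
        owner, rtype, rdata = match.groups()
        records[owner][rtype].append(rdata.strip().strip('"'))
    return records


def resolves(records, name, hops=8):
    """True if name reaches an A/AAAA record, following CNAMEs within the zone."""
    while hops > 0:
        by_type = records.get(name, {})
        if "A" in by_type or "AAAA" in by_type:
            return True
        if "CNAME" not in by_type:
            return False
        name, hops = by_type["CNAME"][0], hops - 1
    return False


def run_checks(zone_text, tls_hosts):
    """Return (code, message) findings; an empty list means the zone passed."""
    records = parse_zone(zone_text)
    findings = []
    for owner, by_type in records.items():
        if "CNAME" in by_type and len(by_type) > 1:
            findings.append(("cname-conflict",
                             f"{owner} has a CNAME beside other records; use the A record or the CNAME, not both"))
        for txt in by_type.get("TXT", []):
            if txt.startswith("v=DKIM1") and re.search(r"\bp=\s*(;|$)", txt):
                findings.append(("dkim-empty", f"{owner} has an empty p= value; paste the key Mailu generated"))
        for mx in by_type.get("MX", []):
            target = mx.split()[-1]
            if "CNAME" in records.get(target, {}):
                findings.append(("mx-cname", f"MX for {owner} points at {target}, which is a CNAME"))
            host = target.rstrip(".")
            spf = [t for t in by_type.get("TXT", []) if t.startswith("v=spf1")]
            mechanisms = set(spf[0].split()[1:]) if spf else set()
            if not mechanisms & {"mx", "+mx", f"a:{host}", f"+a:{host}"}:
                findings.append(("spf-missing-host",
                                 f"SPF for {owner} does not authorize {host}; add 'mx' or 'a:{host}'"))
            if f"_dmarc.{owner}" not in records:
                findings.append(("dmarc-missing", f"no _dmarc.{owner} record"))
    for host in tls_hosts:
        if not resolves(records, host.rstrip(".") + "."):
            findings.append(("tls-host-unresolved",
                             f"{host} has no A/AAAA record; HTTP-01 validation will fail"))
    return findings


if __name__ == "__main__":
    for code, message in run_checks(SAMPLE_ZONE, TLS_HOSTS):
        print(f"[{code}] {message}")
```

Run it against the zone fragment you are about to publish (`python check_zone.py` after pasting the records into `SAMPLE_ZONE`); an empty result is the signal to proceed to the cert-manager step. The checks only look inside the fragment they are given, so records that live elsewhere in the zone must be pasted in as well.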
### Production TLS Configuration

The production ingress (`prod-ingress.yaml`) includes:

```yaml
tls:
  - hosts:
      - bakewise.ai
      - monitoring.bakewise.ai
      - webmail.bakewise.ai  # Added webmail domain
    secretName: bakery-ia-prod-tls-cert
```

### Development TLS Configuration

The development ingress (`dev-ingress.yaml`) includes:

```yaml
tls:
  - hosts:
      - localhost
      - bakery-ia.local
      - monitoring.bakery-ia.local
      - webmail.bakery-ia.local  # Added webmail domain
    secretName: bakery-dev-tls-cert
```

## Ingress Routing Configuration

### Production Routing

The production ingress routes traffic as follows:

- `https://bakewise.ai/` → Frontend service (port 3000)
- `https://bakewise.ai/api/` → Gateway service (port 8000)
- `https://monitoring.bakewise.ai/` → SigNoz monitoring (port 8080)
- `https://webmail.bakewise.ai/` → Email webmail (port 80)
- `https://webmail.bakewise.ai/webmail` → Email webmail
- `https://webmail.bakewise.ai/admin` → Email admin interface

### Development Routing

The development ingress routes traffic as follows:

- `https://localhost/` → Frontend service (port 3000)
- `https://localhost/api/` → Gateway service (port 8000)
- `https://bakery-ia.local/` → Frontend service (port 3000)
- `https://bakery-ia.local/api/` → Gateway service (port 8000)
- `https://monitoring.bakery-ia.local/` → SigNoz monitoring (port 8080)
- `https://webmail.bakery-ia.local/` → Email webmail (port 80)
- `https://webmail.bakery-ia.local/webmail` → Email webmail
- `https://webmail.bakery-ia.local/admin` → Email admin interface

## Security Headers

The webmail ingress includes enhanced security headers:

```nginx
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self'; frame-src 'self';
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
```

Note that `'unsafe-inline'` and `'unsafe-eval'` in `script-src` allow any script injected into a page to run, so the policy offers little protection against cross-site scripting while they remain; drop them if the webmail client works without them. The policy also sets no `frame-ancestors` directive, which, unlike `frame-src`, does not inherit from `default-src`, so other origins can still frame the webmail pages unless another header prevents it.
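The value of a header policy is easy to overestimate by reading it, so the following added example (not part of the project) parses the two headers above and reports the weaknesses a reviewer would look for: script sources that let injected code execute, CSP directives that do not fall back to `default-src` and therefore silently switch a protection off when omitted, and an HSTS `max-age` or `includeSubDomains` setting that does not meet the preload requirements. The header values are copied from the guide's Security Headers section; the one-year threshold is the minimum the HSTS preload list accepts.

```python
"""Static checks for the Content-Security-Policy and HSTS headers served on the
webmail ingress. Added example, not part of the project; the header values are
copied from the guide's Security Headers section.
"""

CSP_HEADER = ("default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
              "style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; "
              "connect-src 'self'; frame-src 'self';")
HSTS_HEADER = "max-age=63072000; includeSubDomains; preload"

# Sources that let injected or attacker-controlled script run when listed in script-src.
WEAK_SCRIPT_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:", "https:"}
# Directives that do NOT fall back to default-src when absent, so omitting them
# leaves the corresponding protection switched off.
NO_FALLBACK = ("frame-ancestors", "base-uri", "form-action")
ONE_YEAR = 31536000  # minimum max-age the HSTS preload list accepts


def parse_csp(header):
    """Split a CSP value into {directive: [source, ...]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def check_csp(header):
    """Return (code, message) findings for a CSP header value."""
    policy = parse_csp(header)
    findings = []
    # script-src falls back to default-src when it is not set explicitly.
    for src in policy.get("script-src", policy.get("default-src", [])):
        if src in WEAK_SCRIPT_SOURCES:
            findings.append(("csp-weak-script-src",
                             f"script-src allows {src}, so injected script can execute"))
    for name in NO_FALLBACK:
        if name not in policy:
            findings.append(("csp-missing-directive",
                             f"{name} is not set and does not inherit default-src"))
    return findings


def parse_hsts(header):
    """Parse an HSTS value into its max-age and the two boolean flags."""
    result = {"max-age": None, "includesubdomains": False, "preload": False}
    for token in header.split(";"):
        token = token.strip().lower()
        if token.startswith("max-age="):
            result["max-age"] = int(token.split("=", 1)[1])
        elif token in ("includesubdomains", "preload"):
            result[token] = True
    return result


def check_hsts(header):
    """Return (code, message) findings for a Strict-Transport-Security value."""
    hsts = parse_hsts(header)
    findings = []
    long_enough = hsts["max-age"] is not None and hsts["max-age"] >= ONE_YEAR
    if not long_enough:
        findings.append(("hsts-short-max-age",
                         f"max-age should be at least {ONE_YEAR} seconds (one year)"))
    if not hsts["includesubdomains"]:
        findings.append(("hsts-no-subdomains",
                         "includeSubDomains is missing; subdomains stay reachable over plain HTTP"))
    if hsts["preload"] and not (long_enough and hsts["includesubdomains"]):
        findings.append(("hsts-preload-unmet",
                         "preload is requested but the preload list requirements are not met"))
    return findings


if __name__ == "__main__":
    for code, message in check_csp(CSP_HEADER) + check_hsts(HSTS_HEADER):
        print(f"[{code}] {message}")
```

For the headers as configured, the HSTS value passes and the CSP produces five findings (the two `unsafe-*` sources and the three missing directives); feeding a tightened policy through the same functions is the quickest way to confirm a change has the intended effect before it is committed to the ingress annotations.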
## Deployment Steps

### 1. Update DNS Records

```bash
# For production (using Cloudflare as example; supply the ingress IP as the record content)
cfcli dns create bakewise.ai A webmail --ttl 3600 --proxied

# For development (add to /etc/hosts)
echo "127.0.0.1 webmail.bakery-ia.local" | sudo tee -a /etc/hosts
```

### 2. Apply Ingress Configuration

```bash
# Apply the updated ingress configuration
kubectl apply -k infrastructure/environments/prod/k8s-manifests/

# Verify the ingress is configured correctly
kubectl get ingress -n bakery-ia
kubectl describe ingress bakery-ingress-prod -n bakery-ia
```

### 3. Verify TLS Certificates

```bash
# Check TLS certificate status
kubectl get certificaterequest -n bakery-ia
kubectl get certificate -n bakery-ia

# Check certificate details
kubectl describe certificate bakery-ia-prod-tls-cert -n bakery-ia
```

### 4. Test Webmail Access

```bash
# Test webmail accessibility
curl -I https://webmail.bakewise.ai
curl -I https://webmail.bakewise.ai/webmail
curl -I https://webmail.bakewise.ai/admin

# Test from a browser (macOS; use xdg-open on Linux)
open https://webmail.bakewise.ai
```

## Troubleshooting

### DNS Issues

```bash
# Check DNS resolution
dig webmail.bakewise.ai
nslookup webmail.bakewise.ai

# Check ingress controller logs
kubectl logs -f -n ingress-nginx -l app.kubernetes.io/name=ingress-nginx
```

### TLS Issues

```bash
# Check cert-manager logs
kubectl logs -f -n cert-manager -l app=cert-manager

# Check certificate status
kubectl get certificaterequest,certificate,order,challenge -n bakery-ia
```

### Ingress Issues

```bash
# Check ingress controller events
kubectl get events -n ingress-nginx

# Check ingress description
kubectl describe ingress -n bakery-ia
```

## Monitoring and Maintenance

### Check Webmail Service Status

```bash
# Check email services
kubectl get pods -n bakery-ia -l app=email

# Check webmail service
kubectl get service email-webmail -n bakery-ia

# Check ingress routing
kubectl get ingress -n bakery-ia -o yaml | grep -A 10 webmail
```

### Update DNS Records

When the ingress IP changes, update the DNS records:
```bash
# Get current ingress IP
kubectl get service -n ingress-nginx ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}'

# Update DNS (Cloudflare example)
cfcli dns update bakewise.ai A webmail --ttl 3600 --proxied
```

## Access Information

After configuration, the webmail system will be accessible at:

- **Production**: `https://webmail.bakewise.ai`
- **Development**: `https://webmail.bakery-ia.local`

Default credentials (configured in secrets):

- **Admin**: `admin@bakewise.ai`
- **Password**: Configured in `email-secrets`

## Integration with Existing Systems

The webmail system integrates with:

1. **SMTP Service**: `email-smtp.bakery-ia.svc.cluster.local:587`
2. **IMAP Service**: `email-imap.bakery-ia.svc.cluster.local:993`
3. **Notification Service**: Uses the new SMTP service for email notifications
4. **Monitoring**: SigNoz alerts use the new email service

## Backup and Recovery

### DNS Backup

```bash
# Export DNS records (Cloudflare example)
cfcli dns export bakewise.ai > dns-backup.json

# Restore DNS records
cfcli dns import bakewise.ai dns-backup.json
```

### Certificate Backup

```bash
# Export TLS secrets
kubectl get secret bakery-ia-prod-tls-cert -n bakery-ia -o yaml > tls-backup.yaml

# Restore TLS secrets
kubectl apply -f tls-backup.yaml
```

The exported file contains the certificate's private key in `tls.key`, so store it with restricted permissions and encrypt it at rest. It also carries server-assigned metadata (`resourceVersion`, `uid`, `creationTimestamp`, `managedFields`); remove those fields before applying the file to a different cluster, where a create request with `resourceVersion` set is rejected.

## References

- [Cert-manager Documentation](https://cert-manager.io/docs/)
- [NGINX Ingress Controller](https://kubernetes.github.io/ingress-nginx/)
- [Let's Encrypt](https://letsencrypt.org/)
- [DNS Configuration Best Practices](https://www.cloudflare.com/learning/dns/)

This configuration provides a secure, scalable webmail solution that integrates seamlessly with the existing Bakery-IA infrastructure.
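As a worked counterpart to the Certificate Backup section above, the following added example (not part of the project) takes a `kubectl get secret ... -o json` export of the TLS secret, verifies that it really is a `kubernetes.io/tls` secret with PEM-encoded `tls.crt` and `tls.key` entries, and strips the server-assigned metadata that would make `kubectl apply` fail on a fresh cluster or, in the case of a stale `ownerReferences` UID, leave the restored Secret eligible for garbage collection. The sample export is constructed, the certificate and key bodies are placeholders rather than real key material, and the `cert-manager.io/common-name` annotation is shown only to demonstrate that cert-manager's own annotations survive the cleanup.

```python
"""Sanitise a `kubectl get secret -o json` export of the TLS secret so it can be
re-applied on another cluster. Added example; not part of the project. The
sample export below is constructed, and its certificate and key bodies are
placeholders, not real key material.
"""
import base64
import json

# Server-assigned metadata that must not travel with the backup: a create
# request with resourceVersion set is rejected, and a stale ownerReference UID
# would let the garbage collector delete the restored Secret.
SERVER_SIDE_METADATA = ("resourceVersion", "uid", "creationTimestamp",
                        "managedFields", "selfLink", "generation", "ownerReferences")


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed stand-in for `kubectl get secret bakery-ia-prod-tls-cert -n bakery-ia -o json`.
SAMPLE_EXPORT = json.dumps({
    "apiVersion": "v1",
    "kind": "Secret",
    "type": "kubernetes.io/tls",
    "metadata": {
        "name": "bakery-ia-prod-tls-cert",
        "namespace": "bakery-ia",
        "annotations": {"cert-manager.io/common-name": "bakewise.ai"},
        "uid": "00000000-constructed-uid",
        "resourceVersion": "123456",
        "creationTimestamp": "2024-01-01T00:00:00Z",
        "managedFields": [{"manager": "cert-manager"}],
    },
    "data": {
        "tls.crt": _b64("-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"),
        "tls.key": _b64("-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"),
    },
})


def sanitize_tls_export(export_json):
    """Return a dict ready for `kubectl apply -f`, or raise ValueError when the
    export is not a usable kubernetes.io/tls Secret."""
    doc = json.loads(export_json)
    if doc.get("kind") != "Secret" or doc.get("type") != "kubernetes.io/tls":
        raise ValueError("export is not a kubernetes.io/tls Secret")
    data = doc.get("data", {})
    for key, header in (("tls.crt", "-----BEGIN CERTIFICATE-----"),
                        ("tls.key", "-----BEGIN ")):
        if key not in data:
            raise ValueError(f"export has no {key}")
        pem = base64.b64decode(data[key]).decode(errors="replace")
        if not pem.startswith(header):
            raise ValueError(f"{key} is not PEM encoded")
    metadata = doc["metadata"]
    for field in SERVER_SIDE_METADATA:
        metadata.pop(field, None)  # keep name, namespace, labels and annotations
    doc.pop("status", None)
    return doc


if __name__ == "__main__":
    # Writes a restorable manifest; the private key stays inside, so protect the file.
    print(json.dumps(sanitize_tls_export(SAMPLE_EXPORT), indent=2))
```

In practice the script reads the export from `kubectl ... -o json` and writes the sanitized manifest to a file that is then applied with `kubectl apply -f`; the output still contains the private key, so the same handling rules apply to it as to the raw export.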