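---
# NetworkPolicy for the Mailu pods in the bakery-ia namespace.
# policyTypes lists both Ingress and Egress, so once this policy is applied
# any traffic not matched by a rule below is denied in that direction.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: mailu-network-policy
  namespace: bakery-ia
  labels:
    app: mailu
    component: network-policy
spec:
  # Apply to all Mailu pods (matches mailu-deployment.yaml labels)
  podSelector:
    matchLabels:
      app: mailu
  policyTypes:
    - Ingress
    - Egress

  ingress:
    # Allow SMTP from notification-service (podSelector without a
    # namespaceSelector only matches pods in this namespace).
    - from:
        - podSelector:
            matchLabels:
              app: notification-service
      ports:
        - port: 25
          protocol: TCP
        - port: 587
          protocol: TCP

    # Allow SMTP submission from other internal services that may need to
    # send email (same namespace, matched by the app.kubernetes.io/name label).
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: bakery-ia
      ports:
        - port: 587
          protocol: TCP

    # Allow webmail/admin access via the ingress controller.
    # A namespaceSelector on its own admits every pod in ingress-nginx; add a
    # podSelector for the controller pods if that namespace hosts anything else.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
      ports:
        - port: 80
          protocol: TCP
        - port: 443
          protocol: TCP

    # Allow internal Mailu component communication (pod-to-pod between the
    # Mailu containers on the ports they expose to each other).
    - from:
        - podSelector:
            matchLabels:
              app: mailu
      ports:
        - port: 25
          protocol: TCP
        - port: 587
          protocol: TCP
        - port: 143
          protocol: TCP
        - port: 993
          protocol: TCP
        - port: 80
          protocol: TCP
        - port: 11333
          protocol: TCP
        - port: 11334
          protocol: TCP

  egress:
    # Allow relay to external SMTP (Mailgun) on the submission/SMTPS/SMTP
    # ports only. The except list keeps this "anywhere" rule from reaching
    # non-public address space: the RFC 1918 ranges, plus 169.254.0.0/16
    # (link-local, where cloud metadata endpoints live) and 100.64.0.0/10
    # (RFC 6598 shared address space). None of these is globally routable,
    # so excluding them cannot affect delivery to a public relay; in-cluster
    # destinations are covered by the dedicated rules below.
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 10.0.0.0/8
              - 172.16.0.0/12
              - 192.168.0.0/16
              - 169.254.0.0/16
              - 100.64.0.0/10
      ports:
        - port: 587
          protocol: TCP
        - port: 465
          protocol: TCP
        - port: 25
          protocol: TCP

    # Allow internal Mailu component communication (mirror of the ingress
    # rule above, so both ends of a pod-to-pod connection are permitted).
    - to:
        - podSelector:
            matchLabels:
              app: mailu
      ports:
        - port: 25
          protocol: TCP
        - port: 587
          protocol: TCP
        - port: 143
          protocol: TCP
        - port: 993
          protocol: TCP
        - port: 80
          protocol: TCP
        - port: 11333
          protocol: TCP
        - port: 11334
          protocol: TCP

    # Allow connection to shared Redis (database 15). The database index is
    # selected by Mailu's own configuration; a NetworkPolicy can only scope
    # the TCP port, so every database on this Redis is reachable at L4.
    - to:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: redis
      ports:
        - port: 6379
          protocol: TCP

    # Allow DNS lookups. An empty `to` list matches every destination, so this
    # rule only constrains port/protocol. NOTE(review): if the cluster's
    # resolver pods carry a known label, scope this rule to them with a
    # namespaceSelector + podSelector — confirm against the DNS deployment.
    - to: []
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP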