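# Base Mailu Helm values for Bakery-IA.
# Preserves critical configurations from the original Kustomize setup.
#
# NOTE(review): several settings below are marked as development-only
# (TLS off, antivirus off, welcome message off) and some values are
# placeholders. Review every NOTE(review) before reusing this file for an
# environment that handles real mail.

# Global DNS configuration for DNSSEC validation
global:
  # Using Unbound DNS resolver directly for DNSSEC validation.
  # Unbound service is available at unbound-dns.bakery-ia.svc.cluster.local
  # Static ClusterIP configured in unbound-helm/values.yaml
  custom_dns_servers: "10.96.53.53"  # Unbound DNS static ClusterIP

# Domain configuration (DOMAIN_PLACEHOLDER is expected to be substituted)
domain: "DOMAIN_PLACEHOLDER"
hostnames:
  - "mail.DOMAIN_PLACEHOLDER"

# Mailu version to match the original setup
mailuVersion: "2024.06"

# Secret key for authentication cookies.
# NOTE(review): this key is committed in the base values, so every
# environment rendered from this file shares it and anyone with read access
# to the repository knows it. Rotate it and inject a per-environment value
# from a Kubernetes Secret at deploy time (the Mailu chart documents an
# `existingSecret` option for this; confirm for the chart version in use).
secretKey: "cb61b934d47029a64117c0e4110c93f66bbcf5eaa15c84c42727fad78f7"

# Timezone
timezone: "Etc/UTC"

# Postmaster configuration
postmaster: "admin"

# TLS configuration
# NOTE(review): the ingress comments below say TLS is terminated by the
# external ingress. This file only shows that for HTTP; confirm how the
# SMTP/IMAP ports listed under postfix/dovecot get TLS before using this
# outside development.
tls:
  flavor: "notls"  # Disable TLS for development

# Limits configuration
limits:
  messageSizeLimitInMegabytes: 50
  authRatelimit:
    # Per-IP limiting is only as good as the client IP the front sees;
    # see ingress.realIpFrom.
    ip: "60/hour"
    user: "100/day"
  messageRatelimit:
    value: "200/day"

# External relay configuration (Mailgun)
# NOTE(review): the password here is a placeholder. Supply the real
# credential from a Secret rather than editing it into this file.
externalRelay:
  host: "[smtp.mailgun.org]:587"
  username: "postmaster@DOMAIN_PLACEHOLDER"
  password: "mailgun-api-key-replace-in-production"

# Webmail configuration
webmail:
  enabled: true
  flavor: "roundcube"

# Antivirus and antispam configuration
antivirus:
  enabled: false  # Disabled in dev to save resources
antispam:
  enabled: true
  flavor: "rspamd"

# Welcome message
welcomeMessage:
  enabled: false  # Disabled during development

# Logging
logLevel: "INFO"

# Network configuration
subnet: "10.42.0.0/16"

# Redis configuration - using internal Redis (built-in)
# The three DB ids all point at index 15 and are inert while enabled is false.
# NOTE(review): if external Redis is turned on, confirm that sharing one DB
# index between quota, rate-limit and rspamd data is intended.
externalRedis:
  enabled: false
  # host: "redis-service.bakery-ia.svc.cluster.local"
  # port: 6380
  adminQuotaDbId: 15
  adminRateLimitDbId: 15
  rspamdDbId: 15

# Database configuration - using default SQLite (built-in)
# NOTE(review): the commented-out example previously carried a literal
# password. It is replaced by a placeholder here; if that value was ever a
# live credential, rotate it, and keep real passwords in a Secret.
externalDatabase:
  enabled: false
  # type: "postgresql"
  # host: "postgres-service.bakery-ia.svc.cluster.local"
  # port: 5432
  # database: "mailu"
  # username: "mailu"
  # password: "<DB_PASSWORD_FROM_SECRET>"

# Persistence configuration
persistence:
  single_pvc: true
  size: 10Gi
  storageClass: ""
  accessModes: [ReadWriteOnce]

# Ingress configuration - disabled to use with existing ingress
ingress:
  enabled: false  # Disable chart's Ingress; use existing one
  tls: false  # Disable TLS in chart since ingress handles it
  # No TLS on internal NGINX; expect external proxy to handle TLS
  tlsFlavorOverride: notls
  realIpHeader: X-Forwarded-For  # Header for client IP from your Ingress
  # Trust X-Forwarded-For only from the pod network declared in `subnet`.
  # The previous value, 0.0.0.0/0, accepted the header from any peer, so a
  # client able to reach the front pod could choose the address that
  # limits.authRatelimit.ip is applied to. Narrow this further to the
  # ingress controller's own addresses where possible; if the controller
  # runs on the host network, list its node addresses instead.
  realIpFrom: "10.42.0.0/16"
  path: /
  pathType: ImplementationSpecific
  # Optional: Enable PROXY protocol for mail protocols if your Ingress
  # supports TCP proxying
  proxyProtocol:
    smtp: false
    smtps: false
    submission: false
    imap: false
    imaps: false
    pop3: false
    pop3s: false
    manageSieve: false

# Front configuration
front:
  image:
    tag: "2024.06"
  replicaCount: 1
  service:
    type: ClusterIP
    ports:
      http: 80
      https: 443
  resources:
    requests:
      cpu: 100m
      memory: 128Mi
    limits:
      cpu: 200m
      memory: 256Mi

# Admin configuration
admin:
  image:
    tag: "2024.06"
  replicaCount: 1
  service:
    type: ClusterIP
    port: 80
  resources:
    requests:
      cpu: 100m
      memory: 256Mi
    limits:
      cpu: 300m
      memory: 512Mi

# Postfix configuration
postfix:
  image:
    tag: "2024.06"
  replicaCount: 1
  service:
    type: ClusterIP
    ports:
      smtp: 25
      submission: 587
  resources:
    requests:
      cpu: 100m
      memory: 256Mi
    limits:
      cpu: 500m
      memory: 512Mi

# Dovecot configuration
dovecot:
  image:
    tag: "2024.06"
  replicaCount: 1
  service:
    type: ClusterIP
    ports:
      imap: 143
      imaps: 993
  resources:
    requests:
      cpu: 100m
      memory: 256Mi
    limits:
      cpu: 500m
      memory: 512Mi

# Rspamd configuration
rspamd:
  image:
    tag: "2024.06"
  replicaCount: 1
  service:
    type: ClusterIP
    ports:
      rspamd: 11333
      rspamd-admin: 11334
  resources:
    requests:
      cpu: 200m
      memory: 512Mi
    limits:
      cpu: 1000m
      memory: 1Gi

# Network Policy
# Restricts inbound traffic to the ingress-nginx controller pods selected
# below; podSelector is passed to the chart as a YAML string.
networkPolicy:
  enabled: true
  ingressController:
    namespace: ingress-nginx
    podSelector: |
      matchLabels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/component: controller

# DNS Policy Configuration
# Use Kubernetes DNS (ClusterFirst) for internal service resolution
# DNSSEC validation for email is handled by rspamd component
# Note: For production with DNSSEC needs, configure CoreDNS to forward to
# Unbound
# NOTE(review): this disagrees with the comment on global.custom_dns_servers,
# which says Unbound is used directly. Confirm which resolver the Mailu pods
# actually query, since DNSSEC-dependent checks rely on a validating one.
dnsPolicy: "ClusterFirst"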