---
# Egress policy for the notification service: pods labelled
# app=notification-service may open TCP connections to the Mailu postfix pods
# so they can send email.
#
# NOTE: Postfix only listens on port 25 (and 10025 internally), NOT 587.
# Port 587 (submission) is handled by mailu-front, which proxies to postfix.
#
# Scope notes:
#   - The `to` peer uses a podSelector with no namespaceSelector, so it only
#     matches pods in this policy's own namespace (bakery-ia).
#   - NetworkPolicies are additive, but once any policy with policyTypes
#     Egress selects a pod, that pod's egress is limited to what those
#     policies allow. Nothing in this manifest allows DNS.
#     NOTE(review): confirm another policy covers name resolution for
#     notification-service.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-notification-to-mailu-smtp
  namespace: bakery-ia
  labels:
    tier: security
    component: network-policy
    app: notification-service
spec:
  podSelector:
    matchLabels:
      app: notification-service
  policyTypes:
    - Egress
  egress:
    # SMTP to mailu-postfix: port 25 and the internal port 10025.
    # NOTE(review): the header calls 10025 an internal postfix port; confirm
    # the notification service really needs it in addition to 25.
    - to:
        - podSelector:
            matchLabels:
              app.kubernetes.io/component: postfix
              app.kubernetes.io/instance: mailu
      ports:
        - protocol: TCP
          port: 25
        - protocol: TCP
          port: 10025
---
# Ingress policy on the postfix side: admits SMTP connections to the Mailu
# postfix pods from any pod in the bakery-ia namespace. This is needed because
# mailu-allow-internal only allows traffic from mailu pods.
#
# The namespaceSelector matches on kubernetes.io/metadata.name, a label the
# control plane sets on namespaces in recent Kubernetes versions; with no
# podSelector next to it, every pod in bakery-ia is an allowed source.
#
# NOTE(review): this is wider than the egress policy above, which only covers
# notification-service. Every workload in the namespace can reach postfix on
# 25 and on the internal port 10025. If notification-service is the only
# sender, narrow `from` to a podSelector on app=notification-service; if other
# apps send mail too, consider allowing them by label and dropping 10025
# unless they need it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-mailu-smtp-from-apps
  namespace: bakery-ia
  labels:
    tier: security
    component: network-policy
    app: mailu
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/component: postfix
      app.kubernetes.io/instance: mailu
  policyTypes:
    - Ingress
  ingress:
    # SMTP from any pod in the bakery-ia namespace.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: bakery-ia
      ports:
        - protocol: TCP
          port: 25
        - protocol: TCP
          port: 10025