# Webmail DNS Configuration Guide

This guide provides the DNS configuration required to make the webmail system accessible at webmail.bakewise.ai.
## Production DNS Configuration

### Required DNS Records for webmail.bakewise.ai

```dns
# A record for the webmail subdomain
webmail.bakewise.ai.          IN A     <your-ingress-ip>

# CNAME record (alternative to the A record; a name cannot carry both an A and a CNAME)
webmail.bakewise.ai.          IN CNAME bakewise.ai.

# MX record for email delivery (if receiving emails)
bakewise.ai.                  IN MX    10 webmail.bakewise.ai.

# SPF record (authorize webmail server)
bakewise.ai.                  IN TXT   "v=spf1 include:mailgun.org ~all"

# DKIM record (public key will be generated by Mailu)
mailu._domainkey.bakewise.ai. IN TXT   "v=DKIM1; k=rsa; p=<public-key>"

# DMARC record
_dmarc.bakewise.ai.           IN TXT   "v=DMARC1; p=quarantine; rua=mailto:dmarc@bakewise.ai"
```
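Before cutting over, the SPF, DKIM and DMARC records above are worth linting rather than eyeballing. The following is an added example, not part of the project: it parses the three records in the tag=value form shown and reports the gaps a mail operator would raise (no `-all`/`~all`, an unreplaced DKIM placeholder, a non-enforcing DMARC policy, no report address). `RECORDS` is a constructed stand-in for live TXT lookups so the script runs offline.

```python
"""Lint the SPF, DKIM and DMARC records the guide publishes for bakewise.ai.
Added example, not the project's tooling: RECORDS stands in for live TXT
lookups so it runs offline, and the DKIM key is the guide's placeholder."""
import re

B64 = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")  # shape of a real DKIM p= value

# Constructed sample keyed by record name, copied from the guide's zone.
RECORDS = {
    "bakewise.ai": ["v=spf1 include:mailgun.org ~all"],
    "mailu._domainkey.bakewise.ai": ["v=DKIM1; k=rsa; p=<public-key>"],
    "_dmarc.bakewise.ai": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@bakewise.ai"],
}

def parse_tags(record):
    # 'v=DKIM1; k=rsa; p=...' -> {'v': 'DKIM1', 'k': 'rsa', 'p': '...'}
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def check_mail_auth(records, domain, selector):
    """Return a list of findings; an empty list means all three records pass."""
    findings = []
    # SPF: exactly one v=spf1 at the apex, closed by -all or ~all
    spf = [r for r in records.get(domain, []) if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        findings.append(f"SPF: expected one v=spf1 record, found {len(spf)}")
    elif not re.search(r"\s[-~]all$", spf[0]):
        findings.append("SPF: must end with -all or ~all, never +all")
    # DKIM: key lives at <selector>._domainkey.<domain>; p= must be base64
    name = f"{selector}._domainkey.{domain}"
    dkim = [parse_tags(r) for r in records.get(name, []) if "p=" in r]
    if not dkim:
        findings.append(f"DKIM: no key record at {name}")
    elif not B64.match(dkim[0].get("p", "")):
        findings.append("DKIM: p= is empty or not base64 (placeholder not replaced?)")
    # DMARC: must exist, enforce (quarantine/reject) and request reports
    dmarc = [parse_tags(r) for r in records.get(f"_dmarc.{domain}", [])]
    dmarc = [t for t in dmarc if t.get("v", "").upper() == "DMARC1"]
    if not dmarc:
        findings.append(f"DMARC: no v=DMARC1 record at _dmarc.{domain}")
    else:
        policy = dmarc[0].get("p", "")
        if policy not in ("quarantine", "reject"):
            findings.append(f"DMARC: p={policy or '<missing>'} does not enforce")
        if not dmarc[0].get("rua", "").startswith("mailto:"):
            findings.append("DMARC: no rua=mailto: address for aggregate reports")
    return findings

if __name__ == "__main__":
    print("\n".join(check_mail_auth(RECORDS, "bakewise.ai", "mailu")) or "no findings")
```

Run against the guide's records as written it reports only the DKIM placeholder; replace `RECORDS` with the output of `dig +short TXT <name>` to check the live zone.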
## Development DNS Configuration

### Required DNS Records for webmail.bakery-ia.local

For local development, add these entries to your /etc/hosts file:

```text
# Add to /etc/hosts
127.0.0.1 webmail.bakery-ia.local
127.0.0.1 bakery-ia.local
127.0.0.1 monitoring.bakery-ia.local
```
## TLS Certificate Configuration

The ingress configuration includes automatic TLS certificate provisioning using cert-manager with Let's Encrypt.
### Production TLS Configuration

The production ingress (prod-ingress.yaml) includes:

```yaml
tls:
  - hosts:
      - bakewise.ai
      - monitoring.bakewise.ai
      - webmail.bakewise.ai   # ← Added webmail domain
    secretName: bakery-ia-prod-tls-cert
```
### Development TLS Configuration

The development ingress (dev-ingress.yaml) includes:

```yaml
tls:
  - hosts:
      - localhost
      - bakery-ia.local
      - monitoring.bakery-ia.local
      - webmail.bakery-ia.local   # ← Added webmail domain
    secretName: bakery-dev-tls-cert
```
## Ingress Routing Configuration

### Production Routing

The production ingress routes traffic as follows:

- `https://bakewise.ai/` → Frontend service (port 3000)
- `https://bakewise.ai/api/` → Gateway service (port 8000)
- `https://monitoring.bakewise.ai/` → SigNoz monitoring (port 8080)
- `https://webmail.bakewise.ai/` → Email webmail (port 80)
- `https://webmail.bakewise.ai/webmail` → Email webmail
- `https://webmail.bakewise.ai/admin` → Email admin interface

### Development Routing

The development ingress routes traffic as follows:

- `https://localhost/` → Frontend service (port 3000)
- `https://localhost/api/` → Gateway service (port 8000)
- `https://bakery-ia.local/` → Frontend service (port 3000)
- `https://bakery-ia.local/api/` → Gateway service (port 8000)
- `https://monitoring.bakery-ia.local/` → SigNoz monitoring (port 8080)
- `https://webmail.bakery-ia.local/` → Email webmail (port 80)
- `https://webmail.bakery-ia.local/webmail` → Email webmail
- `https://webmail.bakery-ia.local/admin` → Email admin interface
## Security Headers

The webmail ingress includes enhanced security headers:

```http
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self'; frame-src 'self'
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
```
## Deployment Steps

### 1. Update DNS Records

```shell
# For production (using Cloudflare as example; a proxied record carries only HTTP/HTTPS, not SMTP/IMAP)
cfcli dns create bakewise.ai A webmail <ingress-ip> --ttl 3600 --proxied

# For development (add to /etc/hosts)
echo "127.0.0.1 webmail.bakery-ia.local" | sudo tee -a /etc/hosts
```

### 2. Apply Ingress Configuration

```shell
# Apply the updated ingress configuration
kubectl apply -k infrastructure/environments/prod/k8s-manifests/

# Verify the ingress is configured correctly
kubectl get ingress -n bakery-ia
kubectl describe ingress bakery-ingress-prod -n bakery-ia
```

### 3. Verify TLS Certificates

```shell
# Check TLS certificate status
kubectl get certificaterequest -n bakery-ia
kubectl get certificate -n bakery-ia

# Check certificate details
kubectl describe certificate bakery-ia-prod-tls-cert -n bakery-ia
```

### 4. Test Webmail Access

```shell
# Test webmail accessibility
curl -I https://webmail.bakewise.ai
curl -I https://webmail.bakewise.ai/webmail
curl -I https://webmail.bakewise.ai/admin

# Test from browser (macOS `open`; use xdg-open on Linux)
open https://webmail.bakewise.ai
```
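The `curl -I` test in step 4 only shows that the host answers; the response headers it prints are also where the Security Headers section can be verified. The following is an added example, not the project's own code: it parses a raw header block and reports HSTS and CSP gaps, including the `'unsafe-inline'` and `'unsafe-eval'` sources the ingress CSP currently allows in `script-src` and the missing `frame-ancestors` directive. `SAMPLE` is constructed from the headers the guide lists.

```python
"""Check HSTS and CSP on the webmail ingress response. Added example, not
project code: pipe the header block `curl -sI` prints into it."""
import re
import sys

ONE_YEAR = 31536000  # smallest max-age hstspreload.org accepts

# Constructed sample: the headers the guide says the webmail ingress sets.
SAMPLE = """HTTP/2 200
strict-transport-security: max-age=63072000; includeSubDomains; preload
content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self'; frame-src 'self'
"""

def parse_headers(raw):
    # Raw header block -> {lower-case name: value}; the status line is skipped.
    headers = {}
    for line in raw.splitlines():
        if ":" in line and not line.upper().startswith("HTTP/"):
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def check_headers(raw):
    """Return a list of findings; an empty list means both headers pass."""
    h, findings = parse_headers(raw), []
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if not m:
        findings.append("HSTS: header missing or has no max-age")
    elif int(m.group(1)) < ONE_YEAR:
        findings.append("HSTS: max-age below one year, too short for preload")
    for token in ("includesubdomains", "preload"):
        if m and token not in hsts.lower():
            findings.append(f"HSTS: missing {token}")
    csp = h.get("content-security-policy")
    if csp is None:
        return findings + ["CSP: header missing"]
    directives = {d.split()[0]: d.split()[1:] for d in csp.split(";") if d.strip()}
    # 'unsafe-inline' / 'unsafe-eval' in script-src let injected inline or
    # eval'd script run, which removes the XSS containment CSP is there for.
    for src in ("'unsafe-inline'", "'unsafe-eval'"):
        if src in directives.get("script-src", []):
            findings.append(f"CSP: script-src allows {src}")
    if "frame-ancestors" not in directives:  # frame-src does not cover this
        findings.append("CSP: no frame-ancestors, so embedding is unrestricted")
    return findings

if __name__ == "__main__":  # curl -sI https://webmail.bakewise.ai | python check_headers.py
    print("\n".join(check_headers(sys.stdin.read())) or "no findings")
```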
## Troubleshooting

### DNS Issues

```shell
# Check DNS resolution
dig webmail.bakewise.ai
nslookup webmail.bakewise.ai

# Check ingress controller logs
kubectl logs -f -n ingress-nginx -l app.kubernetes.io/name=ingress-nginx
```

### TLS Issues

```shell
# Check cert-manager logs
kubectl logs -f -n cert-manager -l app=cert-manager

# Check certificate status
kubectl get certificaterequest,certificate,order,challenge -n bakery-ia
```

### Ingress Issues

```shell
# Check ingress controller events
kubectl get events -n ingress-nginx

# Check ingress description
kubectl describe ingress -n bakery-ia
```
## Monitoring and Maintenance

### Check Webmail Service Status

```shell
# Check email services
kubectl get pods -n bakery-ia -l app=email

# Check webmail service
kubectl get service email-webmail -n bakery-ia

# Check ingress routing
kubectl get ingress -n bakery-ia -o yaml | grep -A 10 webmail
```

### Update DNS Records

When the ingress IP changes, update the DNS records:

```shell
# Get current ingress IP
kubectl get service -n ingress-nginx ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}'

# Update DNS (Cloudflare example)
cfcli dns update bakewise.ai A webmail <new-ip> --ttl 3600 --proxied
```
## Access Information

After configuration, the webmail system will be accessible at:

- Production: https://webmail.bakewise.ai
- Development: https://webmail.bakery-ia.local

Default credentials (configured in secrets):

- Admin: admin@bakewise.ai
- Password: configured in `email-secrets`
## Integration with Existing Systems

The webmail system integrates with:

- SMTP Service: `email-smtp.bakery-ia.svc.cluster.local:587`
- IMAP Service: `email-imap.bakery-ia.svc.cluster.local:993`
- Notification Service: uses the new SMTP service for email notifications
- Monitoring: SigNoz alerts use the new email service
## Backup and Recovery

### DNS Backup

```shell
# Export DNS records (Cloudflare example)
cfcli dns export bakewise.ai > dns-backup.json

# Restore DNS records
cfcli dns import bakewise.ai dns-backup.json
```

### Certificate Backup

```shell
# Export TLS secrets (the Secret contains the private key: keep the file out of version control and encrypt it at rest)
kubectl get secret bakery-ia-prod-tls-cert -n bakery-ia -o yaml > tls-backup.yaml

# Restore TLS secrets
kubectl apply -f tls-backup.yaml
```
## References

This configuration provides a secure, scalable webmail solution that integrates seamlessly with the existing Bakery-IA infrastructure.