Archive-Team
/
docker-mailserver
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Apply suggestions from code review

This commit is contained in:
Brennan Kinney 2024-03-10 18:02:28 +13:00 committed by GitHub
parent edf0a623e4
commit 50c27f39b4
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 33 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

62
docs/content/config/advanced/kubernetes.md
View File

@ -77,7 +77,7 @@ When you do not want to or you cannot use Helm, below is a simple starting point
!!! attention "Static Configuration" !!! attention "Static Configuration"
With the inline `postfix-accounts.cf` file configured above, the content is fixed: you cannot change the configuration or persists modifications, i.e. adding or removing accounts is not possible. You need to use a `PersistentVolumeClaim` in case `postfix-accounts.cf` cannot be static. With the inline `postfix-accounts.cf` config above, the file content is static (_modifications like adding or removing account lines will not persist_). When your configs should be dynamic you should instead use a `PersistentVolumeClaim`.
For production deployments, use persistent volumes instead to support dynamic config files. For production deployments, use persistent volumes instead to support dynamic config files.
@ -355,7 +355,7 @@ The major problem with exposing DMS to the outside world in Kubernetes is to [pr
This approach only works when: This approach only works when:
1. You can dedicate a **publicly routable IP** address to the DMS configured `Service` (_e.g. with a load balancer like [MetalLB][metallb-web]_). 1. You can dedicate a **publicly routable IP** address to the DMS configured `Service` (_e.g. with a load balancer like [MetalLB][metallb-web]_).
2. The publicly routable IP is required to be dedicated to allow your mail server to have matching `A` and `PTR` records (_which other mail servers will use to verify trust when they receive mail sent from your DMS instance_). 2. The IP must be dedicated to allow your mail server to have matching `A` and `PTR` records (_which other mail servers will use to verify trust when they receive mail sent from your DMS instance_).
In this setup, you configure a load balancer to give the DMS configured `Service` a dedicated, publicly routable IP address. In this setup, you configure a load balancer to give the DMS configured `Service` a dedicated, publicly routable IP address.
@ -386,7 +386,7 @@ The major problem with exposing DMS to the outside world in Kubernetes is to [pr
namespace: metallb-system namespace: metallb-system
spec: spec:
addresses: [ <YOUR PUBLIC, DEDICATED IP IN CIDR NOTATION> ] addresses: [ <YOUR PUBLIC DEDICATED IP IN CIDR NOTATION> ]
autoAssign: true autoAssign: true
--- ---
@ -405,8 +405,8 @@ The major problem with exposing DMS to the outside world in Kubernetes is to [pr
- :+1: simple - :+1: simple
- :-1: requires a dedicated, publicly routable IP address - :-1: requires a dedicated, publicly routable IP address
- :-1: limited to the node with the dedicated IP address - :-1: limited to a single node (_associated to the dedicated IP address_)
- :point_right: requires the setup of a load balancer - :point_right: requires configuring a load balancer
=== "External-IP Service" === "External-IP Service"
@ -417,7 +417,7 @@ The major problem with exposing DMS to the outside world in Kubernetes is to [pr
This approach only works when: This approach only works when:
1. You can dedicate a **publicly routable IP** address to the DMS configured `Service`. 1. You can dedicate a **publicly routable IP** address to the DMS configured `Service`.
2. The publicly routable IP is required to be dedicated to allow your mail server to have matching `A` and `PTR` records (_which other mail servers will use to verify trust when they receive mail sent from your DMS instance_). 2. The IP must be dedicated to allow your mail server to have matching `A` and `PTR` records (_which other mail servers will use to verify trust when they receive mail sent from your DMS instance_).
In this setup, you set up the DMS configured `Service` manually with an "[external IP][Kubernetes-network-external-ip]", providing the dedicated, publicly routable IP address yourself. In this setup, you set up the DMS configured `Service` manually with an "[external IP][Kubernetes-network-external-ip]", providing the dedicated, publicly routable IP address yourself.
@ -459,7 +459,9 @@ The major problem with exposing DMS to the outside world in Kubernetes is to [pr
**General** **General**
One way to also preserve the real client IP is to use `hostPort` and `hostNetwork: true`. This approach is similar to host network in Docker. Using `hostPort` and `hostNetwork: true` is a similar approach to [`network_mode: host` with Docker Compose][docker-docs::compose::network_mode].
[docker-docs::compose::network_mode]: https://docs.docker.com/compose/compose-file/compose-file-v3/#network_mode
**Example** **Example**
@ -484,8 +486,8 @@ The major problem with exposing DMS to the outside world in Kubernetes is to [pr
hostPort: 25 hostPort: 25
- name: submissions - name: submissions
containerPort: 465 containerPort: 465
hostPort: 587 hostPort: 465
- name: 465 - name: submission
containerPort: 587 containerPort: 587
hostPort: 587 hostPort: 587
- name: imaps - name: imaps
@ -504,30 +506,32 @@ The major problem with exposing DMS to the outside world in Kubernetes is to [pr
=== "Using the PROXY Protocol" === "Using the PROXY Protocol"
**General** !!! question "What is the PROXY protocol?"
PROXY protocol is a network protocol for preserving a clients IP address when the clients TCP connection passes through a proxy. You can use a compatible proxy that supports PROXY protocol (NGINX, HAProxy, Traefik), a proxy that may already be the ingress in your cluster, to also accept and forward connections for DMS. PROXY protocol is a network protocol for preserving a clients IP address when the clients TCP connection passes through a proxy.
```mermaid It is a common feature supported among reverse-proxy services (_NGINX, HAProxy, Traefik_), which you may already have handling ingress traffic for your cluster.
flowchart LR
A(External Mail Server) -->|Incoming connection| B
subgraph cluster
B("Ingress Acting as a Proxy") -->|PROXY protocol connection| C(DMS)
end
```
!!! tip "For more information on the PROXY protocol, refer to [our dedicated docs page][docs-mailserver-behind-proxy] on the feature." ```mermaid
flowchart LR
A(External Mail Server) -->|Incoming connection| B
subgraph cluster
B("Ingress Acting as a Proxy") -->|PROXY protocol connection| C(DMS)
end
```
**Advantages / Disadvantages** For more information on the PROXY protocol, refer to [our dedicated docs page][docs-mailserver-behind-proxy] on the topic.
- :+1: preserves the origin IP address of clients (_which is crucial for DNS related checks_); !!! abstract "Advantages / Disadvantages"
- :+1: aligns with a best practice for Kubernetes by using a dedicated ingress to route external traffic to the k8s cluster (_which additionally benefits from the flexibility of routing rules_); and
- :+1: avoids the restraint of a single [node][Kubernetes-nodes] (_as a workaround to preserve the original client IP_). - :heavy_check_mark: Preserves the origin IP address of clients (_which is crucial for DNS related checks_);
- :point_right: requires a proxy (if you do not already have one, e.g. as an ingress, you will need to set up one) - :heavy_check_mark: Aligns with a best practice for Kubernetes by using a dedicated ingress, routing external traffic to the k8s cluster (_with the benefits of flexible routing rules_)
- :-1: added complexity - :heavy_check_mark: Avoids the restraint of a single [node][Kubernetes-nodes] (_as a workaround to preserve the original client IP_).
- on the manifest side: changing the DMS configured `Service` - :heavy_multiplication_x: Introduces complexity by requiring:
- on DMS' side: changing the Postfix and Dovecot configuration - A reverse-proxy / ingress controller (_potentially extra setup_)
- :-1: if you want to have cluster-internal traffic remain cluster-internal, you will need to "duplicate" the ports for Postfix and Dovecot to have ports that are PROXY-protocol enabled and ports that remain "normal" - Kubernetes manifest changes for the DMS configured `Service`
- DMS configuration changes for Postfix and Dovecot
- :heavy_multiplication_x: To keep support for direct connections to DMS services internally within cluster, service ports must be "duplicated" to offer an alternative port for connections using PROXY protocol.
**Examples** **Examples**
@ -638,7 +642,7 @@ The major problem with exposing DMS to the outside world in Kubernetes is to [pr
--- ---
kind: Deployment kind: Deployment
apiVersion: extensions/v1beta1 apiVersion: apps/v1
metadata: metadata:
name: mailserver name: mailserver
spec: spec: