add sendgrid smtp relay settings to postfix [ci skip]

2022-12-17 14:04:52 +00:00 · 2022-12-17 14:04:52 +00:00 · 18a7a6fea2
commit 18a7a6fea2
parent c8ea8a52bb
6 changed files with 26 additions and 6 deletions
--- a/main.tf
+++ b/main.tf
@ -16,6 +16,7 @@ variable "client_certificate_secret_name" {}
 variable "mailserver_accounts" {}
 variable "mailserver_aliases" {}
 variable "mailserver_opendkim_key" {}
+variable "mailserver_sasl_passwd" {}
 variable "pihole_web_password" {}
 variable "webhook_handler_secret" {}
 variable "wireguard_wg_0_conf" {}
@ -191,6 +192,7 @@ module "kubernetes_cluster" {
  # dockerhub_password             = var.dockerhub_password
  client_certificate_secret_name = var.client_certificate_secret_name
  mailserver_accounts            = var.mailserver_accounts
+  mailserver_sasl_passwd         = var.mailserver_sasl_passwd
  mailserver_aliases             = var.mailserver_aliases
  mailserver_opendkim_key        = var.mailserver_opendkim_key
  pihole_web_password            = var.pihole_web_password
--- a/modules/kubernetes/mailserver/main.tf
+++ b/modules/kubernetes/mailserver/main.tf
@ -2,6 +2,9 @@ variable "tls_secret_name" {}
 variable "mailserver_accounts" {}
 variable "postfix_account_aliases" {}
 variable "opendkim_key" {}
+variable "sasl_passwd" {
+  default = ""
+}

 resource "kubernetes_namespace" "mailserver" {
  metadata {
@ -66,9 +69,10 @@ resource "kubernetes_config_map" "mailserver_config" {
    "postfix-main.cf"     = var.postfix_cf
    "postfix-virtual.cf"  = format("%s%s", var.postfix_account_aliases, file("${path.module}/extra/aliases.txt"))

-    KeyTable     = "mail._domainkey.viktorbarzin.me viktorbarzin.me:mail:/etc/opendkim/keys/viktorbarzin.me-mail.key\n"
-    SigningTable = "*@viktorbarzin.me mail._domainkey.viktorbarzin.me\n"
-    TrustedHosts = "127.0.0.1\nlocalhost\n"
+    KeyTable      = "mail._domainkey.viktorbarzin.me viktorbarzin.me:mail:/etc/opendkim/keys/viktorbarzin.me-mail.key\n"
+    SigningTable  = "*@viktorbarzin.me mail._domainkey.viktorbarzin.me\n"
+    TrustedHosts  = "127.0.0.1\nlocalhost\n"
+    "sasl_passwd" = var.sasl_passwd
  }
  # Password hashes are different each time and avoid changing secret constantly. 
  # Either 1.Create consistent hashes or 2.Find a way to ignore_changes on per password
@ -252,6 +256,12 @@ resource "kubernetes_deployment" "mailserver" {
            name       = "var-run-dovecot"
            mount_path = "/var/run/dovecot"
          }
+          volume_mount {
+            name       = "config"
+            mount_path = "/etc/postfix/sasl/passwd"
+            sub_path   = "sasl_passwd"
+            read_only  = true
+          }
          port {
            name           = "smtp"
            container_port = 25
--- a/modules/kubernetes/mailserver/variables.tf
+++ b/modules/kubernetes/mailserver/variables.tf
@ -12,7 +12,6 @@ readme_directory = no
 alias_maps = hash:/etc/aliases
 alias_database = hash:/etc/aliases
 mydestination = $myhostname, localhost.$mydomain, localhost
-relayhost =
 mynetworks = 127.0.0.0/8 [::1]/128 [fe80::]/64 10.47.0.11/32
 mailbox_size_limit = 0
 recipient_delimiter = +
@ -27,7 +26,6 @@ smtpd_tls_key_file=/tmp/ssl/tls.key
 smtpd_tls_security_level = may
 smtpd_use_tls=yes
 smtpd_tls_loglevel = 1
-smtp_tls_security_level = may
 smtp_tls_loglevel = 1
 tls_ssl_options = NO_COMPRESSION
 tls_high_cipherlist = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
@ -72,11 +70,19 @@ postscreen_bare_newline_action = enforce
 smtpd_sasl_auth_enable = yes
 smtpd_sasl_path = /var/spool/postfix/private/auth
 smtpd_sasl_type = dovecot
-
 smtpd_sasl_security_options = noanonymous
 smtpd_sasl_local_domain = $mydomain
 broken_sasl_auth_clients = yes

+# SMTP configuration
+smtp_sasl_auth_enable = yes
+smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd
+smtp_sasl_security_options = noanonymous
+smtp_sasl_tls_security_options = noanonymous
+smtp_tls_security_level = encrypt
+header_size_limit = 4096000
+relayhost = [smtp.sendgrid.net]:587
+
 # Mail directory
 virtual_transport = lmtp:unix:/var/run/dovecot/lmtp
 virtual_mailbox_domains = /etc/postfix/vhost
--- a/modules/kubernetes/main.tf
+++ b/modules/kubernetes/main.tf
@ -5,6 +5,7 @@ variable "hackmd_db_password" {}
 variable "mailserver_accounts" {}
 variable "mailserver_aliases" {}
 variable "mailserver_opendkim_key" {}
+variable "mailserver_sasl_passwd" {}
 variable "pihole_web_password" {}
 variable "webhook_handler_secret" {}
 variable "wireguard_wg_0_conf" {}
@ -132,6 +133,7 @@ module "mailserver" {
  mailserver_accounts     = var.mailserver_accounts
  postfix_account_aliases = var.mailserver_aliases
  opendkim_key            = var.mailserver_opendkim_key
+  sasl_passwd             = var.mailserver_sasl_passwd

  depends_on = [null_resource.core_services]
 }
--- a/terraform.tfstate
+++ b/terraform.tfstate
--- a/terraform.tfvars
+++ b/terraform.tfvars