diff --git a/main.tf b/main.tf
index 61f0ef44..82b93a6b 100644
--- a/main.tf
+++ b/main.tf
@@ -16,6 +16,7 @@ variable "client_certificate_secret_name" {}
 variable "mailserver_accounts" {}
 variable "mailserver_aliases" {}
 variable "mailserver_opendkim_key" {}
+variable "mailserver_sasl_passwd" {}
 variable "pihole_web_password" {}
 variable "webhook_handler_secret" {}
 variable "wireguard_wg_0_conf" {}
@@ -191,6 +192,7 @@ module "kubernetes_cluster" {
 # dockerhub_password = var.dockerhub_password
 client_certificate_secret_name = var.client_certificate_secret_name
 mailserver_accounts = var.mailserver_accounts
+ mailserver_sasl_passwd = var.mailserver_sasl_passwd
 mailserver_aliases = var.mailserver_aliases
 mailserver_opendkim_key = var.mailserver_opendkim_key
 pihole_web_password = var.pihole_web_password
diff --git a/modules/kubernetes/mailserver/main.tf b/modules/kubernetes/mailserver/main.tf
index 7f00d5c6..ef000e15 100644
--- a/modules/kubernetes/mailserver/main.tf
+++ b/modules/kubernetes/mailserver/main.tf
@@ -2,6 +2,9 @@ variable "tls_secret_name" {}
 variable "mailserver_accounts" {}
 variable "postfix_account_aliases" {}
 variable "opendkim_key" {}
+variable "sasl_passwd" {
+ default = ""
+}
 resource "kubernetes_namespace" "mailserver" {
 metadata {
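Review bot: `variable "mailserver_sasl_passwd" {}` carries the SMTP relay credentials but is not marked sensitive, so its value is printed in plan and apply output wherever it is interpolated; if the project is on Terraform 0.14 or later, declare it as `variable "mailserver_sasl_passwd" { sensitive = true }`. The same applies to `variable "sasl_passwd"` in modules/kubernetes/mailserver/main.tf (third hunk of this span) and to `variable "mailserver_sasl_passwd"` in modules/kubernetes/main.tf. The module-side `default = ""` also lets the module apply with an empty password map while the Postfix configuration added in the same commit unconditionally turns on client SASL towards the relay; dropping the default makes a missing value fail at plan time instead of at delivery time.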
@@ -66,9 +69,10 @@ resource "kubernetes_config_map" "mailserver_config" {
 "postfix-main.cf" = var.postfix_cf
 "postfix-virtual.cf" = format("%s%s", var.postfix_account_aliases, file("${path.module}/extra/aliases.txt"))
- KeyTable = "mail._domainkey.viktorbarzin.me viktorbarzin.me:mail:/etc/opendkim/keys/viktorbarzin.me-mail.key\n"
- SigningTable = "*@viktorbarzin.me mail._domainkey.viktorbarzin.me\n"
- TrustedHosts = "127.0.0.1\nlocalhost\n"
+ KeyTable = "mail._domainkey.viktorbarzin.me viktorbarzin.me:mail:/etc/opendkim/keys/viktorbarzin.me-mail.key\n"
+ SigningTable = "*@viktorbarzin.me mail._domainkey.viktorbarzin.me\n"
+ TrustedHosts = "127.0.0.1\nlocalhost\n"
+ "sasl_passwd" = var.sasl_passwd
 }
 # Password hashes are different each time and avoid changing secret constantly.
 # Either 1.Create consistent hashes or 2.Find a way to ignore_changes on per password
@@ -252,6 +256,12 @@ resource "kubernetes_deployment" "mailserver" {
 name = "var-run-dovecot"
 mount_path = "/var/run/dovecot"
 }
+ volume_mount {
+ name = "config"
+ mount_path = "/etc/postfix/sasl/passwd"
+ sub_path = "sasl_passwd"
+ read_only = true
+ }
 port {
 name = "smtp"
 container_port = 25
diff --git a/modules/kubernetes/mailserver/variables.tf b/modules/kubernetes/mailserver/variables.tf
index 076ce81f..2e2a2e71 100644
--- a/modules/kubernetes/mailserver/variables.tf
+++ b/modules/kubernetes/mailserver/variables.tf
@@ -12,7 +12,6 @@ readme_directory = no
 alias_maps = hash:/etc/aliases
 alias_database = hash:/etc/aliases
 mydestination = $myhostname, localhost.$mydomain, localhost
-relayhost =
 mynetworks = 127.0.0.0/8 [::1]/128 [fe80::]/64 10.47.0.11/32
 mailbox_size_limit = 0
 recipient_delimiter = +
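Review bot: `"sasl_passwd" = var.sasl_passwd` stores the relay credentials in `kubernetes_config_map.mailserver_config` next to non-secret Postfix configuration; a ConfigMap is readable by any principal with get/list on configmaps in the namespace and does not get the encryption-at-rest and audit treatment clusters typically reserve for Secrets. Moving this one key into a `kubernetes_secret` and pointing the `config` volume's password projection at that secret keeps a routine ConfigMap read from disclosing the relay password; the module already takes `var.tls_secret_name`, which suggests a Secret-backed volume pattern is available here. The `resource "kubernetes_config_map"` block opens above this hunk.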
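Review bot: The new `volume_mount` uses `sub_path = "sasl_passwd"`, and a subPath projection of a ConfigMap is not refreshed when the ConfigMap changes, so a rotated relay password will not reach the running Postfix until the pod is recreated; a pod-template annotation derived from a hash of the config is the usual way to force that restart on change. Separately, Postfix's `hash:/etc/postfix/sasl/passwd` lookup table reads `/etc/postfix/sasl/passwd.db`, not the plain file mounted at `/etc/postfix/sasl/passwd`, so unless the image's entrypoint runs `postmap` on this path at startup (not visible in this diff) the credentials will never be found and every relay attempt will fail authentication. The enclosing container block starts above this hunk.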
@@ -27,7 +26,6 @@ smtpd_tls_key_file=/tmp/ssl/tls.key
 smtpd_tls_security_level = may
 smtpd_use_tls=yes
 smtpd_tls_loglevel = 1
-smtp_tls_security_level = may
 smtp_tls_loglevel = 1
 tls_ssl_options = NO_COMPRESSION
 tls_high_cipherlist = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
@@ -72,11 +70,19 @@ postscreen_bare_newline_action = enforce
 smtpd_sasl_auth_enable = yes
 smtpd_sasl_path = /var/spool/postfix/private/auth
 smtpd_sasl_type = dovecot
-
 smtpd_sasl_security_options = noanonymous
 smtpd_sasl_local_domain = $mydomain
 broken_sasl_auth_clients = yes
+# SMTP configuration
+smtp_sasl_auth_enable = yes
+smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd
+smtp_sasl_security_options = noanonymous
+smtp_sasl_tls_security_options = noanonymous
+smtp_tls_security_level = encrypt
+header_size_limit = 4096000
+relayhost = [smtp.sendgrid.net]:587
+
 # Mail directory
 virtual_transport = lmtp:unix:/var/run/dovecot/lmtp
 virtual_mailbox_domains = /etc/postfix/vhost
diff --git a/modules/kubernetes/main.tf b/modules/kubernetes/main.tf
index 4bebd2c7..8390be92 100644
--- a/modules/kubernetes/main.tf
+++ b/modules/kubernetes/main.tf
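Review bot: `smtp_tls_security_level = encrypt` forces TLS towards the relay but does not authenticate the peer, so the SendGrid credentials from `smtp_sasl_password_maps` would be handed to whoever terminates the connection to `[smtp.sendgrid.net]:587`; the relay is a fixed public host with a publicly trusted certificate, so `smtp_tls_security_level = secure` (or `verify`) together with `smtp_tls_CAfile` pointing at the image's CA bundle makes Postfix refuse to send the password unless the certificate verifies. With that in place the existing `smtp_tls_loglevel = 1` context line will record verification failures, which is also the signal worth alerting on. Removing the earlier global `smtp_tls_security_level = may` in the first hunk of this span is fine once the stricter level is set here.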
@@ -5,6 +5,7 @@ variable "hackmd_db_password" {}
 variable "mailserver_accounts" {}
 variable "mailserver_aliases" {}
 variable "mailserver_opendkim_key" {}
+variable "mailserver_sasl_passwd" {}
 variable "pihole_web_password" {}
 variable "webhook_handler_secret" {}
 variable "wireguard_wg_0_conf" {}
@@ -132,6 +133,7 @@ module "mailserver" {
 mailserver_accounts = var.mailserver_accounts
 postfix_account_aliases = var.mailserver_aliases
 opendkim_key = var.mailserver_opendkim_key
+ sasl_passwd = var.mailserver_sasl_passwd
 depends_on = [null_resource.core_services]
 }
diff --git a/terraform.tfstate b/terraform.tfstate
index 6b5607ac..f7b55434 100644
Binary files a/terraform.tfstate and b/terraform.tfstate differ
diff --git a/terraform.tfvars b/terraform.tfvars
index 331aa191..9ec7d425 100644
Binary files a/terraform.tfvars and b/terraform.tfvars differ
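Review bot: `sasl_passwd = var.mailserver_sasl_passwd` wires the relay password into the mailserver module, and every value that lands in a resource attribute is also written to terraform.tfstate, which this commit updates as a tracked file together with terraform.tfvars; unless those two files are encrypted in the repository (they appear as binary here, which is consistent with git-crypt or similar but cannot be confirmed from the diff), the credentials now live in version-control history. If they are plaintext, a remote state backend with access control and keeping tfvars out of the repository are the usual fixes, and the relay password should be rotated once the history is cleaned. The `module "mailserver"` block opens above this hunk.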