upgrade tf providers; do not reset all defaults in postfix; enable spoof protection [ci skip]

2024-01-01 21:23:06 +00:00 · 2024-01-01 21:23:06 +00:00 · 552da26fff
commit 552da26fff
parent 8cd1e448f0
5 changed files with 77 additions and 59 deletions
--- a/modules/kubernetes/mailserver/main.tf
+++ b/modules/kubernetes/mailserver/main.tf
@ -2,7 +2,7 @@ variable "tls_secret_name" {}
 variable "mailserver_accounts" {}
 variable "postfix_account_aliases" {}
 variable "opendkim_key" {}
-variable "sasl_passwd" {}
+variable "sasl_passwd" {} # For sendgrid i.e relayhost

 resource "kubernetes_namespace" "mailserver" {
  metadata {
@ -43,6 +43,7 @@ resource "kubernetes_config_map" "mailserver_env_config" {
    POSTFIX_MESSAGE_SIZE_LIMIT             = 1024 * 1024 * 200 # 200 MB
    POSTFIX_REJECT_UNKNOWN_CLIENT_HOSTNAME = "1"
    TLS_LEVEL                              = "intermediate"
+    SPOOF_PROTECTION                       = "1"
    SSL_TYPE                               = "manual"
    SSL_CERT_PATH                          = "/tmp/ssl/tls.crt"
    SSL_KEY_PATH                           = "/tmp/ssl/tls.key"
@ -185,12 +186,12 @@ resource "kubernetes_deployment" "mailserver" {
            sub_path   = "postfix-accounts.cf"
            read_only  = true
          }
-          # volume_mount {
-          #   name       = "config"
-          #   mount_path = "/tmp/docker-mailserver/postfix-main.cf"
-          #   sub_path   = "postfix-main.cf"
-          #   read_only  = true
-          # }
+          volume_mount {
+            name       = "config"
+            mount_path = "/tmp/docker-mailserver/postfix-main.cf"
+            sub_path   = "postfix-main.cf"
+            read_only  = true
+          }
          volume_mount {
            name       = "config"
            mount_path = "/tmp/docker-mailserver/postfix-virtual.cf"
--- a/modules/kubernetes/mailserver/variables.tf
+++ b/modules/kubernetes/mailserver/variables.tf
@ -1,5 +1,18 @@
+# this is appended and merged to the main postfix.cf
+# see defaults - https://github.com/docker-mailserver/docker-mailserver/blob/master/target/postfix/main.cf
 variable "postfix_cf" {
  default = <<EOT
+smtp_sasl_auth_enable = yes
+smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd
+smtp_sasl_security_options = noanonymous
+smtp_sasl_tls_security_options = noanonymous
+smtp_tls_security_level = encrypt
+header_size_limit = 4096000
+relayhost = [smtp.sendgrid.net]:587
+EOT
+}
+variable "postfix_cf_reference_DO_NOT_USE" {
+  default = <<EOT
 # See /usr/share/postfix/main.cf.dist for a commented, more complete version

 smtpd_banner = $myhostname ESMTP $mail_name (Debian)