initial

2021-02-07 23:45:55 +00:00 · 2021-02-07 23:45:55 +00:00 · 7a7bc34ae3
commit 7a7bc34ae3
32 changed files with 4857 additions and 0 deletions
--- a/modules/kubernetes/mailserver/main.tf
+++ b/modules/kubernetes/mailserver/main.tf
@ -0,0 +1,65 @@
+variable "mailserver_accounts" {}
+variable postfix_account_aliases {}
+
+resource "kubernetes_namespace" "mailserver" {
+  metadata {
+    name = "mailserver"
+  }
+}
+
+resource "kubernetes_config_map" "mailserver_env_config" {
+  metadata {
+    name      = "mailserver.env.config"
+    namespace = "mailserver"
+    labels = {
+      app = "mailserver"
+    }
+  }
+
+  data = {
+    DMS_DEBUG           = "0"
+    ENABLE_CLAMAV       = "0"
+    ENABLE_FAIL2BAN     = "1"
+    ENABLE_FETCHMAIL    = "0"
+    ENABLE_POSTGREY     = "0"
+    ENABLE_SPAMASSASSIN = "0"
+    ENABLE_SRS          = "1"
+    FETCHMAIL_POLL      = "120"
+    ONE_DIR             = "1"
+    OVERRIDE_HOSTNAME   = "mail.viktorbarzin.me"
+    TLS_LEVEL           = "intermediate"
+  }
+}
+
+locals {
+  postfix_accounts_cf = join("\n", [for user, pass in var.mailserver_accounts : "${user}|${bcrypt(pass, 6)}"])
+  #   postfix_accounts_cf = join("\n", [for user, pass in var.mailserver_accounts : format("%s%s%s", user, "|{SHA512-CRYPT}$6$$", sha512(pass))])  # Does not work :/
+}
+
+resource "kubernetes_config_map" "mailserver_config" {
+  metadata {
+    name      = "mailserver.config"
+    namespace = "mailserver"
+
+    labels = {
+      app = "mailserver"
+    }
+  }
+
+  data = {
+    # Actual mail settings
+    "postfix-accounts.cf" = local.postfix_accounts_cf
+    "postfix-main.cf"     = var.postfix_cf
+    "postfix-virtual.cf"  = var.postfix_account_aliases
+
+    KeyTable     = "mail._domainkey.viktorbarzin.me viktorbarzin.me:mail:/etc/opendkim/keys/viktorbarzin.me-mail.key\n"
+    SigningTable = "*@viktorbarzin.me mail._domainkey.viktorbarzin.me\n"
+    TrustedHosts = "127.0.0.1\nlocalhost\n"
+  }
+  # Password hashes are different each time and avoid changing secret constantly. 
+  # Either 1.Create consistent hashes or 2.Find a way to ignore_changes on per password
+  lifecycle {
+    ignore_changes = [data["postfix-accounts.cf"]]
+  }
+
+}
--- a/modules/kubernetes/mailserver/variables.tf
+++ b/modules/kubernetes/mailserver/variables.tf
@ -0,0 +1,118 @@
+variable "postfix_cf" {
+  default = <<EOT
+# See /usr/share/postfix/main.cf.dist for a commented, more complete version
+
+smtpd_banner = $myhostname ESMTP $mail_name (Debian)
+biff = no
+append_dot_mydomain = no
+readme_directory = no
+
+# Basic configuration
+# myhostname =
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+mydestination = $myhostname, localhost.$mydomain, localhost
+relayhost =
+mynetworks = 127.0.0.0/8 [::1]/128 [fe80::]/64 10.47.0.11/32
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_interfaces = all
+inet_protocols = ipv4
+
+# TLS parameters
+smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
+smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+#smtpd_tls_CAfile=
+#smtp_tls_CAfile=
+smtpd_tls_security_level = may
+smtpd_use_tls=yes
+smtpd_tls_loglevel = 1
+smtp_tls_security_level = may
+smtp_tls_loglevel = 1
+tls_ssl_options = NO_COMPRESSION
+tls_high_cipherlist = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
+tls_preempt_cipherlist = yes
+smtpd_tls_protocols = !SSLv2,!SSLv3
+smtp_tls_protocols = !SSLv2,!SSLv3
+smtpd_tls_mandatory_ciphers = high
+smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
+smtpd_tls_exclude_ciphers = aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5, DSS, ECDSA, CAMELLIA128, 3DES, CAMELLIA256, RSA+AES, eNULL
+smtpd_tls_dh1024_param_file = /etc/postfix/dhparams.pem
+smtpd_tls_CApath = /etc/ssl/certs
+smtp_tls_CApath = /etc/ssl/certs
+
+# Settings to prevent SPAM early
+smtpd_helo_required = yes
+smtpd_delay_reject = yes
+smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname, permit
+smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
+smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unauth_pipelining, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_recipient_domain, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net
+smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unauth_pipelining
+smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain
+disable_vrfy_command = yes
+
+# Postscreen settings to drop zombies/open relays/spam early
+postscreen_dnsbl_action = enforce
+postscreen_dnsbl_sites = zen.spamhaus.org*3
+        bl.mailspike.net
+        b.barracudacentral.org*2
+        bl.spameatingmonkey.net
+        bl.spamcop.net
+        dnsbl.sorbs.net
+        psbl.surriel.com
+        list.dnswl.org=127.0.[0..255].0*-2
+        list.dnswl.org=127.0.[0..255].1*-3
+        list.dnswl.org=127.0.[0..255].[2..3]*-4
+postscreen_dnsbl_threshold = 3
+postscreen_dnsbl_whitelist_threshold = -1
+postscreen_greet_action = enforce
+postscreen_bare_newline_action = enforce
+
+# SASL
+smtpd_sasl_auth_enable = yes
+smtpd_sasl_path = /var/spool/postfix/private/auth
+smtpd_sasl_type = dovecot
+
+smtpd_sasl_security_options = noanonymous
+smtpd_sasl_local_domain = $mydomain
+broken_sasl_auth_clients = yes
+
+# Mail directory
+virtual_transport = lmtp:unix:/var/run/dovecot/lmtp
+virtual_mailbox_domains = /etc/postfix/vhost
+virtual_mailbox_maps = texthash:/etc/postfix/vmailbox
+virtual_alias_maps = texthash:/etc/postfix/virtual
+
+# Additional option for filtering
+content_filter = smtp-amavis:[127.0.0.1]:10024
+
+# Milters used by DKIM
+milter_protocol = 6
+milter_default_action = accept
+dkim_milter = inet:localhost:8891
+dmarc_milter = inet:localhost:8893
+smtpd_milters = $dkim_milter,$dmarc_milter
+non_smtpd_milters = $dkim_milter
+
+# SPF policy settings
+policyd-spf_time_limit = 3600
+
+# Header checks for content inspection on receiving
+header_checks = pcre:/etc/postfix/maps/header_checks.pcre
+
+# Remove unwanted headers that reveail our privacy
+smtp_header_checks = pcre:/etc/postfix/maps/sender_header_filter.pcre
+myhostname = mail.viktorbarzin.me
+mydomain = viktorbarzin.me
+smtputf8_enable = no
+message_size_limit = 10240000
+sender_canonical_maps = tcp:localhost:10001
+sender_canonical_classes = envelope_sender
+recipient_canonical_maps = tcp:localhost:10002
+recipient_canonical_classes = envelope_recipient,header_recipient
+compatibility_level = 2
+
+always_add_missing_headers = yes
+EOT
+}
+