fix(postfix): Add internal authentication

2025-12-07 07:51:38 +01:00 · 2025-03-04 19:31:12 +01:00
parent f34a4a3601
commit 2389d59735
14 changed files with 177 additions and 36 deletions
--- a/helmfile/apps/element/values-synapse.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse.yaml.gotmpl
@@ -136,8 +136,8 @@ configuration:
      port: 25
      tls: false
      starttls: false
-      username: ""
-      password: ""
+      username: {{ printf "%s@%s" "opendesk-system" ( .Values.global.mailDomain | default .Values.global.domain ) }}
+      password: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}

    oidc:
      clientId: "opendesk-matrix"
--- a/helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl
@@ -142,16 +142,16 @@ configuration:

  smtp:
    auth:
-      enabled: false
+      enabled: true
      username:
-        value: ""
+        value: {{ printf "%s@%s" "opendesk-system" ( .Values.global.mailDomain | default .Values.global.domain ) }}
      password:
-        value: ""
+        value: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
    host: {{ printf "%s.%s.svc.%s" "postfix" (.Values.apps.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
-    port: 25
+    port: 587
    fromAddress: {{ .Values.smtp.localpartNoReply | quote }}
    mailDomain: "{{ .Values.global.domain }}"
-    security: ""
+    security: "tls"
    skipVerifyPeer: true

  quota:
--- a/helmfile/apps/notes/values.yaml.gotmpl
+++ b/helmfile/apps/notes/values.yaml.gotmpl
@@ -168,6 +168,9 @@ backend:
    DJANGO_EMAIL_HOST: "postfix"
    DJANGO_EMAIL_PORT: 25
    DJANGO_EMAIL_USE_SSL: False
+    DJANGO_EMAIL_HOST_USER: {{ printf "%s@%s" "opendesk-system" ( .Values.global.mailDomain | default .Values.global.domain ) }}
+    DJANGO_EMAIL_HOST_PASSWORD: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
+    DJANGO_EMAIL_USE_TLS: False
    OIDC_RP_CLIENT_ID: "opendesk-notes"
    OIDC_RP_CLIENT_SECRET: {{ .Values.secrets.keycloak.clientSecret.notes | quote }}
    OIDC_OP_JWKS_ENDPOINT: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/certs"
--- a/helmfile/apps/nubus/values-nubus.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-nubus.yaml.gotmpl
@@ -537,8 +537,9 @@ nubusKeycloakExtensions:
      ssl: false
      starttls: false
    auth:
-      enabled: false
-      username: ""
+      enabled: true
+      username: {{ printf "%s@%s" "opendesk-system" ( .Values.global.mailDomain | default .Values.global.domain ) }}
+      password: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
      existingSecret:
        name: "ums-keycloak-extensions-smtp-opendesk-credentials"
        keyMapping:
@@ -1108,7 +1109,7 @@ nubusStackDataUms:
    umcHtmlTitle: "Portal - {{ .Values.theme.texts.productName }}"
    smtpHost: {{ printf "%s.%s.svc.%s" "postfix" (.Values.apps.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
    smtpPort: 25
-    smtpUser: ""
+    smtpUser: {{ printf "%s@%s" "opendesk-system" ( .Values.global.mailDomain | default .Values.global.domain ) }}
    smtpStartTls: false
    ldapBase: {{ .Values.ldap.baseDn }}
  templateContext:
@@ -1414,7 +1415,7 @@ extraSecrets:
      umcKeycloakExtensionsDatabasePassword: {{ .Values.databases.keycloakExtension.password | default .Values.secrets.postgresql.keycloakExtensionUser | quote }}
  - name: "ums-keycloak-extensions-smtp-opendesk-credentials"
    stringData:
-      umcKeycloakExtensionsSmtpPassword: ""
+      umcKeycloakExtensionsSmtpPassword: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
  - name: "ums-keycloak-bootstrap-ldap-opendesk-credentials"
    stringData:
      password: {{ .Values.secrets.nubus.ldapSearch.keycloak | quote }}
@@ -1424,7 +1425,7 @@ extraSecrets:
      secret-key-id: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }}
  - name: "ums-umc-server-smtp-credentials-custom"
    stringData:
-      password: ""
+      password: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
  - name: "ums-provisioning-ox-credentials"
    stringData:
      ox-connector.json: "{ \"name\": \"ox-connector\", \"realms_topics\": [{\"realm\": \"udm\", \"topic\": \"oxmail/oxcontext\"}, {\"realm\": \"udm\", \"topic\": \"oxmail/accessprofile\"}, {\"realm\": \"udm\", \"topic\": \"users/user\"}, {\"realm\": \"udm\", \"topic\": \"oxresources/oxresources\"}, {\"realm\": \"udm\", \"topic\": \"groups/group\"}, {\"realm\": \"udm\", \"topic\": \"oxmail/functional_account\"}], \"request_prefill\": true, \"password\": \"{{ .Values.secrets.oxConnector.provisioningApiPassword }}\" }"
--- a/helmfile/apps/open-xchange/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/helmfile-child.yaml.gotmpl
@@ -51,6 +51,16 @@ repositories:
    oci: true
    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.oxConnector.registry }}/{{ .Values.charts.oxConnector.repository }}"

+  # openDesk Postfix
+  # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-postfix
+  - name: "postfix-repo"
+    keyring: "../../files/gpg-pubkeys/opencode.gpg"
+    verify: {{ .Values.charts.postfix.verify }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
+    oci: true
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.postfix.registry }}/{{ .Values.charts.postfix.repository }}"
+
 releases:
  - name: "dovecot"
    chart: "dovecot-repo/{{ .Values.charts.dovecot.name }}"
@@ -66,6 +76,17 @@ releases:
    installed: {{ .Values.apps.dovecot.enabled }}
    timeout: 900

+  - name: "postfix-ox"
+    chart: "postfix-repo/{{ .Values.charts.postfix.name }}"
+    version: "{{ .Values.charts.postfix.version }}"
+    values:
+      - "values-postfix.yaml.gotmpl"
+      {{- range .Values.customization.release.postfix }}
+      - {{ . }}
+      {{- end }}
+    installed: {{ .Values.apps.postfix.enabled }}
+    timeout: 900
+
  - name: "open-xchange"
    chart: "open-xchange-repo/{{ .Values.charts.oxAppSuite.name }}"
    version: "{{ .Values.charts.oxAppSuite.version }}"
--- a/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
@@ -241,7 +241,7 @@ appsuite:
      com.openexchange.mail.mailServer: "dovecot"
      com.openexchange.mail.mailServerSource: "global"
      com.openexchange.mail.transport.authType: "xoauth2"
-      com.openexchange.mail.transportServer: "postfix"
+      com.openexchange.mail.transportServer: "postfix-ox"
      com.openexchange.mail.transportServerSource: "global"
      # Requirements for OX-Connector
      com.openexchange.user.enforceUniqueDisplayName: "false"
@@ -287,7 +287,12 @@ appsuite:
      # Guard
      com.openexchange.guard.storage.file.fileStorageType: "file"
      com.openexchange.guard.storage.file.uploadDirectory: "/opt/open-xchange/guard-files/"
+      com.openexchange.guard.guestSMTPMailFrom: {{ printf "%s@%s" "opendesk-system" ( .Values.global.mailDomain | default .Values.global.domain ) }}
+      com.openexchange.guard.guestSMTPPassword: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
+      com.openexchange.guard.guestSMTPPort: "25"
      com.openexchange.guard.guestSMTPServer: "postfix"
+      com.openexchange.guard.guestSMTPUsername: {{ printf "%s@%s" "opendesk-system" ( .Values.global.mailDomain | default .Values.global.domain ) }}
+      com.openexchange.guard.useStartTLS: "false"
      # S/MIME
      # Usage (in browser console after login):
      # http = (await import('./io.ox/core/http.js')).default
--- a/helmfile/apps/open-xchange/values-postfix.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-postfix.yaml.gotmpl
@@ -0,0 +1,100 @@
+{{/*
+SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+certificate:
+  secretName: {{ .Values.ingress.tls.secretName | quote }}
+  request:
+    enabled: false
+
+containerSecurityContext:
+  allowPrivilegeEscalation: true
+  capabilities: {}
+  enabled: true
+  seccompProfile:
+    type: "RuntimeDefault"
+  readOnlyRootFilesystem: true
+  runAsNonRoot: false
+  runAsUser: 0
+  runAsGroup: 0
+  privileged: true
+  seLinuxOptions:
+    {{ .Values.seLinuxOptions.postfix | toYaml | nindent 4 }}
+
+global:
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.postfix.registry | quote }}
+  repository: {{ .Values.images.postfix.repository | quote }}
+  tag: {{ .Values.images.postfix.tag | quote }}
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+
+persistence:
+  size: {{ .Values.persistence.storages.postfix.size | quote }}
+  storageClass: {{ coalesce .Values.persistence.storages.postfix.storageClassName .Values.persistence.storageClassNames.RWO | quote }}
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 101
+
+postfix:
+  amavisHost: ""
+  amavisPortIn: ""
+  domain: {{ .Values.global.mailDomain | default .Values.global.domain | quote }}
+  hostname: "postfix"
+  inetProtocols: "ipv4"
+  milterDefaultAction: "tempfail"
+  overrides:
+    - fileName: "sasl_passwd.map"
+      content:
+        - {{ printf "%s %s:%s" .Values.smtp.host .Values.smtp.username .Values.smtp.password | quote }}
+  {{- if .Values.apps.dkimpy.enabled }}
+  dkimpyHost: "opendesk-dkimpy-milter.{{ .Release.Namespace }}.svc.{{.Values.cluster.networking.domain }}:8892"
+  {{- end }}
+  rspamdHost: ""
+  relayHost: {{ if .Values.smtp.host }}{{ printf "[%s]:%d" .Values.smtp.host .Values.smtp.port | quote }}{{ else }}""{{ end }}
+  relayNets: {{ join " " .Values.cluster.networking.cidr | quote }}
+  smtpSASLAuthEnable: "yes"
+  smtpSASLPasswordMaps: "lmdb:/etc/postfix/sasl_passwd.map"
+  smtpTLSSecurityLevel: "encrypt"
+  smtpdSASLAuthEnable: "yes"
+  smtpdSASLSecurityOptions: "noanonymous"
+  smtpdSASLType: "dovecot"
+  smtpdTLSSecurityLevel: "encrypt"
+  smtpdTLSCertFile: "/etc/tls/tls.crt"
+  smtpdKeyFile: "/etc/tls/tls.key"
+  smtpdSASLPath: "inet:dovecot:3659"
+
+  staticAuthDB:
+    enabled: false
+
+  {{- if .Values.antivirus.milter.host }}
+  smtpdMilters: "inet:{{ .Values.antivirus.milter.host }}:{{ .Values.antivirus.milter.port }}"
+  {{- else }}
+  {{- if .Values.apps.clamavDistributed.enabled }}
+  smtpdMilters: "inet:clamav-milter:7357"
+  {{- else if .Values.apps.clamavSimple.enabled }}
+  smtpdMilters: "inet:clamav-simple:7357"
+  {{- end }}
+  {{- end }}
+  virtualMailboxDomains: {{ if .Values.global.additionalMailDomains }}{{ printf "%s,%s" (.Values.global.mailDomain | default .Values.global.domain) .Values.global.additionalMailDomains }}{{ else }}{{ .Values.global.mailDomain | default .Values.global.domain | quote }}{{ end }}
+  virtualTransport: "lmtps:dovecot:24"
+
+podAnnotations: {}
+
+replicaCount: {{ .Values.replicas.postfix }}
+
+resources:
+  {{ .Values.resources.postfix | toYaml | nindent 2 }}
+
+{{- if or (eq (coalesce .Values.service.type.postfix .Values.cluster.service.type) "NodePort") (eq (coalesce .Values.service.type.postfix .Values.cluster.service.type) "LoadBalancer") }}
+service:
+  external:
+    enabled: true
+    type: {{ coalesce .Values.service.type.postfix .Values.cluster.service.type | quote }}
+{{- end }}
+...
--- a/helmfile/apps/openproject/values.yaml.gotmpl
+++ b/helmfile/apps/openproject/values.yaml.gotmpl
@@ -76,13 +76,13 @@ environment:
  OPENPROJECT_SOUVAP__NAVIGATION__SECRET: {{ .Values.secrets.centralnavigation.apiKey | quote }}
  OPENPROJECT_SOUVAP__NAVIGATION__URL: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/univention/portal/navigation.json?base=https%3A//{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
  OPENPROJECT_SMTP__DOMAIN: {{ .Values.global.mailDomain | default .Values.global.domain | quote }}
-  OPENPROJECT_SMTP__USER__NAME: ""
-  OPENPROJECT_SMTP__PASSWORD: ""
-  OPENPROJECT_SMTP__PORT: 25
+  OPENPROJECT_SMTP__USER__NAME: {{ printf "%s@%s" "opendesk-system" ( .Values.global.mailDomain | default .Values.global.domain ) }}
+  OPENPROJECT_SMTP__PASSWORD: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
+  OPENPROJECT_SMTP__PORT: 587
  OPENPROJECT_SMTP__SSL: "false" # (default=false)
  OPENPROJECT_SMTP__ADDRESS: {{ printf "%s.%s.svc.%s" "postfix" (.Values.apps.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
-  OPENPROJECT_SMTP__AUTHENTICATION: "none"
-  OPENPROJECT_SMTP__ENABLE__STARTTLS__AUTO: "false"
+  OPENPROJECT_SMTP__AUTHENTICATION: "cram_md5"
+  OPENPROJECT_SMTP__ENABLE__STARTTLS__AUTO: "true"
  OPENPROJECT_SMTP__OPENSSL__VERIFY__MODE: "none"
  OPENPROJECT_MAIL__FROM: "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.domain }}"
  OPENPROJECT_HOME__URL: {{ printf "https://%s.%s/" .Values.global.hosts.nubus .Values.global.domain | quote }}
--- a/helmfile/apps/services-external/values-postfix.yaml.gotmpl
+++ b/helmfile/apps/services-external/values-postfix.yaml.gotmpl
@@ -1,5 +1,5 @@
 {{/*
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
@@ -15,7 +15,7 @@ containerSecurityContext:
  enabled: true
  seccompProfile:
    type: "RuntimeDefault"
-  readOnlyRootFilesystem: false
+  readOnlyRootFilesystem: true
  runAsNonRoot: false
  runAsUser: 0
  runAsGroup: 0
@@ -60,14 +60,20 @@ postfix:
  relayNets: {{ join " " .Values.cluster.networking.cidr | quote }}
  smtpSASLAuthEnable: "yes"
  smtpSASLPasswordMaps: "lmdb:/etc/postfix/sasl_passwd.map"
-  smtpUseTLS: "yes"
-  smtpdSASLAuthEnable: "no"
+  smtpTLSSecurityLevel: "encrypt"
+  smtpdSASLAuthEnable: "yes"
  smtpdSASLSecurityOptions: "noanonymous"
-  smtpdSASLType: "dovecot"
-  smtpdUseTLS: "yes"
+  smtpdSASLType: "cyrus"
+  smtpdTLSSecurityLevel: "may"
  smtpdTLSCertFile: "/etc/tls/tls.crt"
  smtpdKeyFile: "/etc/tls/tls.key"
-  smtpdSASLPath: "inet:dovecot:3659"
+  smtpdSASLPath: "smtpd"
+
+  staticAuthDB:
+    enabled: true
+    username: "opendesk-system"
+    password: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
+
  {{- if .Values.antivirus.milter.host }}
  smtpdMilters: "inet:{{ .Values.antivirus.milter.host }}:{{ .Values.antivirus.milter.port }}"
  {{- else }}
@@ -77,7 +83,7 @@ postfix:
  smtpdMilters: "inet:clamav-simple:7357"
  {{- end }}
  {{- end }}
-  virtualMailboxDomains: {{ .Values.global.mailDomain | default .Values.global.domain | quote }}
+  virtualMailboxDomains: {{ if .Values.global.additionalMailDomains }}{{ printf "%s,%s" (.Values.global.mailDomain | default .Values.global.domain) .Values.global.additionalMailDomains }}{{ else }}{{ .Values.global.mailDomain | default .Values.global.domain | quote }}{{ end }}
  virtualTransport: "lmtps:dovecot:24"

 podAnnotations: {}
@@ -87,10 +93,7 @@ replicaCount: {{ .Values.replicas.postfix }}
 resources:
  {{ .Values.resources.postfix | toYaml | nindent 2 }}

-{{- if or (eq (coalesce .Values.service.type.postfix .Values.cluster.service.type) "NodePort") (eq (coalesce .Values.service.type.postfix .Values.cluster.service.type) "LoadBalancer") }}
 service:
  external:
-    enabled: true
-    type: {{ coalesce .Values.service.type.postfix .Values.cluster.service.type | quote }}
-{{- end }}
+    enabled: false
 ...
--- a/helmfile/apps/xwiki/values.yaml.gotmpl
+++ b/helmfile/apps/xwiki/values.yaml.gotmpl
@@ -167,8 +167,10 @@ properties:
  ## SMTP settings
  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.from": "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.domain }}"
  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.host": {{ printf "%s.%s.svc.%s" "postfix" (.Values.apps.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
-  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.port": 25
-  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.properties": "mail.smtp.starttls.enable=false"
+  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.port": 587
+  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.properties": "mail.smtp.starttls.enable=true"
+  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.username": {{ printf "%s@%s" "opendesk-system" ( .Values.global.mailDomain | default .Values.global.domain ) }}
+  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.password": {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
  ## Link LDAP users and users authenticated through OIDC
  "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.addOIDCObject": 1
  "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.OIDCIssuer": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
--- a/helmfile/environments/default/charts.yaml.gotmpl
+++ b/helmfile/environments/default/charts.yaml.gotmpl
@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 #
@@ -419,7 +419,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-postfix"
    name: "postfix"
-    version: "2.3.0"
+    version: "2.3.2"
    verify: true
  postgresql:
    # providerCategory: "Platform"
--- a/helmfile/environments/default/global.yaml.gotmpl
+++ b/helmfile/environments/default/global.yaml.gotmpl
@@ -1,5 +1,5 @@
 {{/*
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
@@ -17,6 +17,10 @@ global:
  #
  mailDomain: {{ env "MAIL_DOMAIN" | quote }}

+  ## Define additional mail domains, comma separated, e.g. domain1.de,domain2.de
+  #
+  additionalMailDomains: ""
+
  ## Define synapse host
  ## If this is unset the "domain" value above should be used in all references
  #
--- a/helmfile/environments/default/images.yaml.gotmpl
+++ b/helmfile/environments/default/images.yaml.gotmpl
@@ -880,7 +880,7 @@ images:
    # upstreamRepository: "bmi/opendesk/components/platform-development/images/postfix"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/postfix"
-    tag: "2.0.0@sha256:5b2432dc09318db172a593bca860887ee9d713b9987db64f8b265f3e08a1d374"
+    tag: "3.0.1@sha256:d2c6543b35b616ac3e6c8c27222d3154c0d35680813a8942ce0cc3fa9ea72a6d"
  postgresql:
    # providerCategory: "Community"
    # providerResponsible: "openDesk"
--- a/helmfile/environments/default/secrets.yaml.gotmpl
+++ b/helmfile/environments/default/secrets.yaml.gotmpl
@@ -23,6 +23,8 @@ secrets:
    synapseAsToken: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "as_token" | sha1sum | quote }}
  oxConnector:
    provisioningApiPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "ox-connector" | sha1sum | quote }}
+  postfix:
+    opendeskSystemPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postfix" "opendesk-system" | sha1sum | quote }}
  nubus:
    masterpassword: {{ env "MASTER_PASSWORD" | default "sovereign-workplace" | quote }}
    ldapSecret: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "ldap" | sha1sum | quote }}