fix(open-xchange): Streamline postfix milter configuration

docs/architecture.md

@@ -26,6 +26,9 @@ SPDX-License-Identifier: Apache-2.0
   * [Filepicker](#filepicker)
   * [Newsfeed](#newsfeed)
   * [(OpenProject) File store](#openproject-file-store)
+* [Mail setup](#mail-setup)
+  * [Overview](#overview-1)
+  * [The Postfixes](#the-postfixes)
 * [Applications vs. services](#applications-vs-services)
   * [Collabora (weboffice)](#collabora-weboffice)
   * [CryptPad Online (diagrams)](#cryptpad-online-diagrams)
@@ -348,6 +351,85 @@ The file store must still be enabled per project in OpenProject's project admin
 - [OpenProject's documentation on Nextcloud integration](https://www.openproject.org/docs/system-admin-guide/integrations/nextcloud/)
 - [OpenProject Integration Nextcloud app](https://apps.nextcloud.com/apps/integration_openproject)
 
+# Mail setup
+
+The mail setup depicted in the diagram below shows the design to support multiple application workloads inside openDesk while interoperating with external mail infrastructures and optional mail clients like Thunderbird.
+
+The system is intentionally modular: different applications (Nextcloud, OpenProject, XWiki, Synapse, Notes, etc.) may need to send emails even when no full groupware stack is deployed. In that case the following components are also not being deployed:
+
+* `Dovecot`
+* `Postfix-OX`
+
+Even without these components, the platform remains operational for outbound email because the (Base) Postfix instance provides a simple SMTP submission service using static SASL credentials. This allows all applications in *openDesk* to continue sending system notifications and user emails.
+
+## Overview
+
+```mermaid
+flowchart-elk
+
+extClient[optional Mail Clients]
+extRelay[Mailrelay/MXe]
+extMTA[MTAs]
+
+subgraph extSvc[K8s External Servies]
+    extSvcDC((dovecot-external))
+    extSvcPF((postfix-ox-external))
+end
+
+subgraph openDesk
+    subgraph Apps
+        AppsOther[Nubus<br>Nextcloud<br>OpenProject<br>Synapse<br>XWiki<br>Notes]
+        AppsOXAS[OX App Suite]
+    end
+    subgraph Postfix
+        PostfixBase[#40;Base#41; Postfix]
+        PostfixOX[Postfix-OX]
+    end
+    Dovecot[Dovecot<br>authenticates using<br>SASL using LDAP & OAuth]
+    Dovecot -->|Sieve mails<br>without no auth| PostfixBase
+    PostfixOX -->|auth|Dovecot
+end
+
+Postfix -->|lmtps| Dovecot
+Postfix -->|smtp| extRelay
+
+extSvcDC --> Dovecot
+extSvcPF --> PostfixOX
+
+AppsOther -->|auth:<br>static creds.| PostfixBase
+AppsOXAS --> Dovecot
+AppsOXAS -->|auth:<br>OAuth| PostfixOX
+
+extClient --> extSvcDC
+extMTA -->|WARNING: SPF and DKIM validation required| extSvcPF
+extClient -->|auth:<br>LDAP| extSvcPF
+
+classDef postfix fill:#85extMTA9C;
+class PostfixBase postfix;
+classDef postfix-ox fill:#F3E5Dovecot;
+class PostfixOX,extSvcPF postfix-ox;
+classDef dovecot fill:#BECBD6;
+class Dovecot,extSvcDC dovecot;
+```
+
+## The Postfixes
+
+* Common for both Postfix
+  * Deliver internal mails to Dovecot using lmtps
+  * Deliver non-internal mails directly to a configured mail relay or to the recipients MX
+
+* (Base) Postfix specific
+   * SMTP submission from applications using static credentials
+   * SMTP submission without authentication for Dovecot generated mails by Sieve filters, e.g. out-of-office replys, as Dovecot does not support authentication in this flow
+   * Available even if OX App Suite is not installed
+
+* Postfix-OX specific
+   * External mails are relayed for internal maildomains unauthenticated
+   * Requires Dovecot for SASL authentication on
+     * mails sent from OX App Suite's Web UI using OAuth
+     * mails sent from mail clients using LDAP Auth
+   * Used exclusively when OX App Suite is deployed
+
 # Applications vs. services
 
 openDesk consists of a variety of open-source projects, please find an overview below:

docs/getting-started.md

@@ -341,6 +341,16 @@ smtp:
   password: "secret"
 ```
 
+It is strongly recommended to configure a milter host for spam filtering (e.g. Rspamd) to get SPF and DKIM
+validation for incoming mails in place. Otherwise external senders could spoof internal sender addresses.
+
+```yaml
+smtp:
+  spamMilter:
+    host: "rspamd.domain.internal"
+    port: "11332"
+```
+
 ### TURN configuration
 
 Some components (Jitsi, Element) use a TURN server for direct communication. You can configure your own TURN server with

docs/migrations.md

@@ -13,7 +13,6 @@ SPDX-License-Identifier: Apache-2.0
   * [Versions ≥ v1.11.0](#versions--v1110)
     * [Pre-upgrade to versions ≥ v1.11.0](#pre-upgrade-to-versions--v1110)
       * [Helmfile new option: Annotations for external services (Dovecot, Jitsi JVB, Postfix)](#helmfile-new-option-annotations-for-external-services-dovecot-jitsi-jvb-postfix)
-      * [Helmfile new secret: `secrets.nextcloud.statusPassword`](#helmfile-new-secret-secretsnextcloudstatuspassword)
   * [Versions ≥ v1.10.0](#versions--v1100)
     * [Pre-upgrade to versions ≥ v1.10.0](#pre-upgrade-to-versions--v1100)
       * [Deployment cleanup: Collabora Controller](#deployment-cleanup-collabora-controller)
@@ -215,20 +214,6 @@ Setting service annotation by `annotations.openxchangePostfix.service` applied t
 and external service. This key now only sets annotations for the internal service. If you want to set
 annotations for the external service use the newly introduced key `annotations.openxchangePostfix.serviceExternal`.
 
-#### Helmfile new secret: `secrets.nextcloud.statusPassword`
-
-**Target group:** All existing deployments that use self-defined secrets and have deployed Nextcloud.
-
-Access to Nextcloud's `/status.php` requires now BasicAuth. The related password is set in
-[`secrets.yaml.gotmpl`](../helmfile/environments/default/secrets.yaml.gotmpl) by the key
-`secrets.nextcloud.statusPassword`.
-
-If you define your own secrets, please ensure that you provide a value for this secret, otherwise it will
-be derived from the `MASTER_PASSWORD`.
-
-> [!note]
-> The username for the BasicAuth is hardcoded to "status-access".
-
 ## Versions ≥ v1.10.0
 
 ### Pre-upgrade to versions ≥ v1.10.0

helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl

@@ -118,10 +118,6 @@ aio:
           value: {{ .Values.databases.nextcloud.password | quote }}
           {{- end }}
     trustedProxy: {{ join " " .Values.cluster.networking.cidr | quote }}
-    status:
-      password:
-        value: {{ .Values.secrets.nextcloud.statusPassword | quote }}
-
   containerSecurityContext:
     allowPrivilegeEscalation: false
     capabilities:

helmfile/apps/open-xchange/values-postfix.yaml.gotmpl

@@ -47,12 +47,29 @@ postfix:
   inetProtocols: "ipv4"
   messageSizeLimit: {{ mul .Values.functional.groupware.mail.maxSize 1024 1024 | int | printf "%d" | quote }}
   milterDefaultAction: "tempfail"
-  {{- if .Values.apps.dkimpy.enabled }}
-  dkimpyHost: "opendesk-dkimpy-milter.{{ .Release.Namespace }}.svc.{{.Values.cluster.networking.domain }}:8892"
-  {{- end }}
+  smtpdMilters:
+    {{- if .Values.apps.dkimpy.enabled }}
+    - host: "opendesk-dkimpy-milter.{{ .Release.Namespace }}.svc.{{.Values.cluster.networking.domain }}"
+      port: 8892
+    {{- end }}
+    {{- if .Values.smtp.spamMilter.host }}
+    - host: {{ .Values.smtp.spamMilter.host | quote }}
+      port: {{ .Values.smtp.spamMilter.port }}
+    {{- end }}
+    {{- if .Values.antivirus.milter.host }}
+    - host: {{ .Values.antivirus.milter.host | quote }}
+      port: {{ .Values.antivirus.milter.port }}
+    {{- else }}
+    {{- if .Values.apps.clamavDistributed.enabled }}
+    - host: "clamav-milter"
+      port:7357
+    {{- else if .Values.apps.clamavSimple.enabled }}
+    - host: "clamav-simple"
+      port: 7357
+    {{- end }}
+    {{- end }}
   minTLSVersion: "TLSv1.2"
   smtpdTLSMandatoryCiphers: "medium"
-  rspamdHost: ""
   {{- if .Values.smtp.host }}
   relayHost:
     enabled: true
@@ -100,15 +117,6 @@ postfix:
       # -- return the following attribute from all found leaves when a recursive search is done
       leafResultAttribute: "mailPrimaryAddress"
 
-  {{- if .Values.antivirus.milter.host }}
-  smtpdMilters: "inet:{{ .Values.antivirus.milter.host }}:{{ .Values.antivirus.milter.port }}"
-  {{- else }}
-  {{- if .Values.apps.clamavDistributed.enabled }}
-  smtpdMilters: "inet:clamav-milter:7357"
-  {{- else if .Values.apps.clamavSimple.enabled }}
-  smtpdMilters: "inet:clamav-simple:7357"
-  {{- end }}
-  {{- end }}
   virtualMailboxDomains: {{ toYaml (prepend .Values.global.additionalMailDomains (.Values.global.mailDomain | default .Values.global.domain) | uniq) | nindent 4 }}
   virtualTransport: "lmtps:dovecot:24"
 

helmfile/apps/opendesk-openproject-bootstrap/values.yaml.gotmpl

@@ -33,9 +33,6 @@ config:
         value: "nextcloud"
       password:
         value: {{ .Values.secrets.nextcloud.adminPassword | quote }}
-    status:
-      password:
-        value: {{ .Values.secrets.nextcloud.statusPassword | quote }}
 
 containerSecurityContext:
   allowPrivilegeEscalation: false

helmfile/apps/services-external/values-postfix.yaml.gotmpl

@@ -57,10 +57,23 @@ postfix:
   hostname: "postfix"
   inetProtocols: "ipv4"
   milterDefaultAction: "accept"
-  {{- if .Values.apps.dkimpy.enabled }}
-  dkimpyHost: "opendesk-dkimpy-milter.{{ .Release.Namespace }}.svc.{{.Values.cluster.networking.domain }}:8892"
-  {{- end }}
-  rspamdHost: ""
+  smtpdMilters:
+    {{- if .Values.apps.dkimpy.enabled }}
+    - host: "opendesk-dkimpy-milter.{{ .Release.Namespace }}.svc.{{.Values.cluster.networking.domain }}"
+      port: 8892
+    {{- end }}
+    {{- if .Values.antivirus.milter.host }}
+    - host: {{ .Values.antivirus.milter.host | quote }}
+      port: {{ .Values.antivirus.milter.port }}
+    {{- else }}
+    {{- if .Values.apps.clamavDistributed.enabled }}
+    - host: "clamav-milter"
+      port: 7357
+    {{- else if .Values.apps.clamavSimple.enabled }}
+    - host: "clamav-simple"
+      port: 7357
+    {{- end }}
+    {{- end }}
   {{- if .Values.smtp.host }}
   relayHost:
     enabled: true
@@ -116,15 +129,6 @@ postfix:
       # -- return the following attribute from all found leaves when a recursive search is done
       leafResultAttribute: "mailPrimaryAddress"
 
-  {{- if .Values.antivirus.milter.host }}
-  smtpdMilters: "inet:{{ .Values.antivirus.milter.host }}:{{ .Values.antivirus.milter.port }}"
-  {{- else }}
-  {{- if .Values.apps.clamavDistributed.enabled }}
-  smtpdMilters: "inet:clamav-milter:7357"
-  {{- else if .Values.apps.clamavSimple.enabled }}
-  smtpdMilters: "inet:clamav-simple:7357"
-  {{- end }}
-  {{- end }}
   # Only deliver mail to Dovecot, if it is available
   {{- if .Values.apps.oxAppSuite.enabled }}
   virtualMailboxDomains: {{ toYaml (prepend .Values.global.additionalMailDomains (.Values.global.mailDomain | default .Values.global.domain) | uniq) | nindent 4 }}

helmfile/environments/default-enterprise-overrides/images.yaml.gotmpl

@@ -13,7 +13,7 @@ images:
   nextcloud:
     registry: "registry.opencode.de"
     repository: "zendis/opendesk-enterprise/components/supplier/nextcloud/images/opendesk-nextcloud"
-    tag: "1.7.1@sha256:aa91feaa89989178d859f21bb25633ef07facea19ac3ef696186256492a13b17"
+    tag: "1.6.11@sha256:79bab3b5745eb2c0fdd5a8858d277495deb7f6e43b42c7046d5bfbee039aed0a"
   openxchangeCoreMW:
     registry: "registry.opencode.de"
     repository: "zendis/opendesk-enterprise/components/supplier/open-xchange/images-mirror/middleware-public-sector-pro"

helmfile/environments/default/charts.yaml.gotmpl

@@ -249,7 +249,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
     name: "opendesk-nextcloud"
-    version: "4.5.0"
+    version: "4.4.4"
     verify: true
   nextcloudManagement:
     # providerCategory: "Platform"
@@ -259,7 +259,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
     name: "opendesk-nextcloud-management"
-    version: "4.5.0"
+    version: "4.4.4"
     verify: true
   nextcloudNotifyPush:
     # providerCategory: "Platform"
@@ -269,7 +269,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
     name: "opendesk-nextcloud-notifypush"
-    version: "4.5.0"
+    version: "4.4.4"
     verify: true
   nginx:
     # providerCategory: "Community"
@@ -383,7 +383,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-openproject-bootstrap"
     name: "opendesk-openproject-bootstrap"
-    version: "2.3.0"
+    version: "2.2.0"
     verify: true
   otterize:
     # providerCategory: "Platform"
@@ -437,7 +437,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-postfix"
     name: "postfix"
-    version: "5.1.0"
+    version: "5.1.1"
     verify: true
   postgresql:
     # providerCategory: "Platform"

helmfile/environments/default/images.yaml.gotmpl

@@ -330,7 +330,7 @@ images:
     # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud"
-    tag: "2.11.0@sha256:481e83fb913c98d2ede8ae734f406ac5c12f805093af0a34cb9c86eeaa56bc01"
+    tag: "2.10.12@sha256:8a4cd73fdceb1da2c58a22a85d605eba575a2b1487e3927ab1971c9f1120549a"
   nextcloudExporter:
     # providerCategory: "Platform"
     # providerResponsible: "openDesk"
@@ -770,7 +770,7 @@ images:
     # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-openproject-bootstrap"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-openproject-bootstrap"
-    tag: "1.2.0@sha256:7d2ab97a8cd17aa2c12a6d613044c848edf0371974662390eb08c197aa12b84a"
+    tag: "1.1.4@sha256:2fd97a316114428849aaeef87fb8755274e675830088a93afcafac91bb048d1d"
   openprojectDbInit:
     # providerCategory: "Community"
     # providerResponsible: "OpenProject"

helmfile/environments/default/secrets.yaml.gotmpl

@@ -101,7 +101,6 @@ secrets:
   nextcloud:
     adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nextcloud" "nextcloud_admin_user" | sha1sum | quote }}
     metricsToken: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nextcloud" "metricsToken" | sha1sum | quote }}
-    statusPassword: {{ derivePassword 1 "medium" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nextcloud" "nextcloud_status_user" | sha1sum | quote }}
   openproject:
     adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "openproject" "openproject_admin_user" | sha1sum | quote }}
     apiAdminUsername: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "openproject" "openproject_api_admin_username" | sha1sum | quote }}

helmfile/environments/default/smtp.yaml.gotmpl

@@ -7,6 +7,9 @@ smtp:
   username: ""
   password: {{ env "SMTP_PASSWORD" | quote }}
   localpartNoReply: "no-reply"
+  spamMilter:
+    host: ""
+    port: 11332
 
   # For the following settings to have effect `apps.dkimpy.enabled` must be `true`.
   dkim: