fix(open-xchange): Configure all milters in smtpdMilters

.gitlab-ci.yml

@@ -767,17 +767,33 @@ import-default-accounts:
     - "echo \"Starting default account import for ${DOMAIN}\""
     - "cd /app"
     - |
-      ./user_import_udm_rest_api.py \
+      set +e
-        --import_domain ${DOMAIN} \
+      success=0
-        --udm_api_password ${DEFAULT_ADMINISTRATOR_PASSWORD} \
+      for i in {1..5}; do
-        --set_default_password ${DEFAULT_ACCOUNTS_PASSWORD} \
+        echo "Attempt $i/5..."
-        --import_filename ./template.ods \
+        ./user_import_udm_rest_api.py \
-        --admin_enable_fileshare True \
+          --import_domain ${DOMAIN} \
-        --admin_enable_knowledgemanagement True \
+          --udm_api_password ${DEFAULT_ADMINISTRATOR_PASSWORD} \
-        --admin_enable_projectmanagement True \
+          --set_default_password ${DEFAULT_ACCOUNTS_PASSWORD} \
-        --create_admin_accounts True \
+          --import_filename ./template.ods \
-        --create_maildomains True \
+          --admin_enable_fileshare True \
-        --verify_certificate False
+          --admin_enable_knowledgemanagement True \
+          --admin_enable_projectmanagement True \
+          --create_admin_accounts True \
+          --create_maildomains True \
+          --verify_certificate False
+        if [ $? -eq 0 ]; then
+          echo "Script succeeded on attempt $i."
+          success=1
+          break
+        fi
+        echo "Script failed. Waiting 60 seconds before retry..."
+        sleep 60
+      done
+      if [ "$success" -ne 1 ]; then
+        echo "Script failed after 5 attempts."
+        exit 1
+      fi
 
 run-tests:
   stage: "post-execute"

CHANGELOG.md

@@ -14,7 +14,7 @@
 * **open-xchange:** Template SASL security options ([684c6d4](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/684c6d4f29dd447872ebe582eef43c04034896f7))
 * **open-xchange:** Update Dovecot configuration based on supplier's best practise review ([850761e](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/850761e0475b2f281fb23f6972d5c74fbdaa3a61))
 * **opendesk-static-files:** [[#260](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/260)] Fix doublette creation of configmap `data` keys when the same file is referenced multiple times for a component ([b5a76be](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/b5a76bea57ef7b136c54d1bc95c40f0a0c3f9716))
-* **openproject:** Update from 16.1.0 to 16.1.1 ([62fae99](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/62fae9976a731c00700d56ce8fab198bb2531d20))
+* **openproject:** Update from 16.6.0 to 16.6.1 ([62fae99](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/62fae9976a731c00700d56ce8fab198bb2531d20))
 * **xwiki:** Update XWiki from 17.4.4 to 17.4.7 ([02a3b77](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/02a3b7711490394690df70ca92bab58b253e34f5))
 
 

docs/architecture.md

@@ -26,6 +26,9 @@ SPDX-License-Identifier: Apache-2.0
   * [Filepicker](#filepicker)
   * [Newsfeed](#newsfeed)
   * [(OpenProject) File store](#openproject-file-store)
+* [Mail setup](#mail-setup)
+  * [Overview](#overview-1)
+  * [The Postfixes](#the-postfixes)
 * [Applications vs. services](#applications-vs-services)
   * [Collabora (weboffice)](#collabora-weboffice)
   * [CryptPad Online (diagrams)](#cryptpad-online-diagrams)
@@ -348,6 +351,85 @@ The file store must still be enabled per project in OpenProject's project admin
 - [OpenProject's documentation on Nextcloud integration](https://www.openproject.org/docs/system-admin-guide/integrations/nextcloud/)
 - [OpenProject Integration Nextcloud app](https://apps.nextcloud.com/apps/integration_openproject)
 
+# Mail setup
+
+The mail setup depicted in the diagram below shows the design to support multiple application workloads inside openDesk while interoperating with external mail infrastructures and optional mail clients like Thunderbird.
+
+The system is intentionally modular: different applications (Nextcloud, OpenProject, XWiki, Synapse, Notes, etc.) may need to send emails even when no full groupware stack is deployed. In that case the following components are also not being deployed:
+
+* `Dovecot`
+* `Postfix-OX`
+
+Even without these components, the platform remains operational for outbound email because the (Base) Postfix instance provides a simple SMTP submission service using static SASL credentials. This allows all applications in *openDesk* to continue sending system notifications and user emails.
+
+## Overview
+
+```mermaid
+flowchart-elk
+
+extClient[optional Mail Clients]
+extRelay[Mailrelay/MXe]
+extMTA[MTAs]
+
+subgraph extSvc[K8s External Servies]
+    extSvcDC((dovecot-external))
+    extSvcPF((postfix-ox-external))
+end
+
+subgraph openDesk
+    subgraph Apps
+        AppsOther[Nubus<br>Nextcloud<br>OpenProject<br>Synapse<br>XWiki<br>Notes]
+        AppsOXAS[OX App Suite]
+    end
+    subgraph Postfix
+        PostfixBase[#40;Base#41; Postfix]
+        PostfixOX[Postfix-OX]
+    end
+    Dovecot[Dovecot<br>authenticates using<br>SASL using LDAP & OAuth]
+    Dovecot -->|Sieve mails<br>without no auth| PostfixBase
+    PostfixOX -->|auth|Dovecot
+end
+
+Postfix -->|lmtps| Dovecot
+Postfix -->|smtp| extRelay
+
+extSvcDC --> Dovecot
+extSvcPF --> PostfixOX
+
+AppsOther -->|auth:<br>static creds.| PostfixBase
+AppsOXAS --> Dovecot
+AppsOXAS -->|auth:<br>OAuth| PostfixOX
+
+extClient --> extSvcDC
+extMTA -->|WARNING: SPF and DKIM validation required| extSvcPF
+extClient -->|auth:<br>LDAP| extSvcPF
+
+classDef postfix fill:#85extMTA9C;
+class PostfixBase postfix;
+classDef postfix-ox fill:#F3E5Dovecot;
+class PostfixOX,extSvcPF postfix-ox;
+classDef dovecot fill:#BECBD6;
+class Dovecot,extSvcDC dovecot;
+```
+
+## The Postfixes
+
+* Common for both Postfix
+  * Deliver internal mails to Dovecot using lmtps
+  * Deliver non-internal mails directly to a configured mail relay or to the recipients MX
+
+* (Base) Postfix specific
+   * SMTP submission from applications using static credentials
+   * SMTP submission without authentication for Dovecot generated mails by Sieve filters, e.g. out-of-office replys, as Dovecot does not support authentication in this flow
+   * Available even if OX App Suite is not installed
+
+* Postfix-OX specific
+   * External mails are relayed for internal maildomains unauthenticated
+   * Requires Dovecot for SASL authentication on
+     * mails sent from OX App Suite's Web UI using OAuth
+     * mails sent from mail clients using LDAP Auth
+   * Used exclusively when OX App Suite is deployed
+
 # Applications vs. services
 
 openDesk consists of a variety of open-source projects, please find an overview below:

docs/getting-started.md

@@ -65,7 +65,7 @@ For your convenience, we recommend creating a `*.domain.tld` A-Record for your c
 | Record name                   | Type | Value                                              | Additional information                                            |
 |-------------------------------|------|----------------------------------------------------|-------------------------------------------------------------------|
 | *.domain.tld                  | A    | IPv4 address of your Ingress Controller            |                                                                   |
-| *.domain.tld                  | AAAA | IPv6 address of your Ingress Controller            |                                                                   |
+| *.domain.tld                  | AAAA | IPv6 address of your Ingress Controller            | Optional                                                          |
 | mail.domain.tld               | A    | IPv4 address of your postfix NodePort/LoadBalancer | Optional, mail should directly be delivered to openDesk's Postfix |
 | mail.domain.tld               | AAAA | IPv6 address of your postfix NodePort/LoadBalancer | Optional, mail should directly be delivered to openDesk's Postfix |
 | domain.tld                    | MX   | `10 mail.domain.tld`                               |                                                                   |
@@ -341,6 +341,16 @@ smtp:
   password: "secret"
 ```
 
+It is strongly recommended to configure a milter host for spam filtering (e.g. Rspamd) to get SPF and DKIM
+validation for incoming mails in place. Otherwise external senders could spoof internal sender addresses.
+
+```yaml
+smtp:
+  spamMilter:
+    host: "rspamd.domain.internal"
+    port: "11332"
+```
+
 ### TURN configuration
 
 Some components (Jitsi, Element) use a TURN server for direct communication. You can configure your own TURN server with

docs/migrations.md

@@ -10,8 +10,12 @@ SPDX-License-Identifier: Apache-2.0
 * [Deprecation warnings](#deprecation-warnings)
 * [Overview and mandatory upgrade path](#overview-and-mandatory-upgrade-path)
 * [Manual checks/actions](#manual-checksactions)
+  * [Versions ≥ v1.11.0](#versions--v1110)
+    * [Pre-upgrade to versions ≥ v1.11.0](#pre-upgrade-to-versions--v1110)
+      * [Helmfile new option: Annotations for external services (Dovecot, Jitsi JVB, Postfix)](#helmfile-new-option-annotations-for-external-services-dovecot-jitsi-jvb-postfix)
   * [Versions ≥ v1.10.0](#versions--v1100)
     * [Pre-upgrade to versions ≥ v1.10.0](#pre-upgrade-to-versions--v1100)
+      * [Deployment cleanup: Collabora Controller](#deployment-cleanup-collabora-controller)
       * [Helmfile new secret: `secrets.nubus.ldapSearch.postfix`](#helmfile-new-secret-secretsnubusldapsearchpostfix)
       * [Helmfile new secret: `secrets.doveocot.sharedMailboxesMasterPassword`](#helmfile-new-secret-secretsdoveocotsharedmailboxesmasterpassword)
       * [New Helmfile default: Nubus provisioning debug container no longer deployed](#new-helmfile-default-nubus-provisioning-debug-container-no-longer-deployed)
@@ -181,10 +185,58 @@ If you would like more details about the automated migrations, please read secti
 > listed no extra manual steps are required when upgrading to that version, e.g. in the case of an update from
 > version 1.7.0 to version 1.7.1.
 
+## Versions ≥ v1.11.0
+
+### Pre-upgrade to versions ≥ v1.11.0
+
+#### Helmfile new option: Annotations for external services (Dovecot, Jitsi JVB, Postfix)
+
+**Target group:** Existing deployments using `service` annotations.
+
+The three non-HTTP external services support now explicit annotations.
+See [`annotations.yaml.gomtpl`](../helmfile/environments/default/annotations.yaml.gotmpl) for reference.
+
+**Jitsi JVB**
+
+The already existing annotation key `annotations.jitsiJVB.service` has been renamed to
+`annotations.jitsiJVB.serviceExternal` be in line with the newly added ones for Postfix and Dovecot.
+If you make use of the JVB service annotation please rename the attribute to the new `serviceExternal` standard.
+
+**Dovecot**
+
+Setting service annotation by `annotations.openxchangeDovecot.service` applied the annotations to the internal
+and external service. This key now only sets annotations for the internal service. If you want to set
+annotations for the external service use the newly introduced key `annotations.openxchangeDovecot.serviceExternal`.
+
+**Postfix**
+
+Setting service annotation by `annotations.openxchangePostfix.service` applied the annotations to the internal
+and external service. This key now only sets annotations for the internal service. If you want to set
+annotations for the external service use the newly introduced key `annotations.openxchangePostfix.serviceExternal`.
+
 ## Versions ≥ v1.10.0
 
 ### Pre-upgrade to versions ≥ v1.10.0
 
+#### Deployment cleanup: Collabora Controller
+
+**Target group:** Existing openDesk Enterprise deployments using Collabora Controller. Actually only long running
+deployments are affected, but following the instructions won't hurt.
+
+As per upstream release notes for [Collabora Online Controller 1.1.4](https://www.collaboraonline.com/cool-controller-release-notes/)
+you have to remove the existing leases of the Controller. You can do so by setting `<your_namespace>` and executing
+the commands below.
+
+```shell
+export NAMESPACE=<your_namespace>
+export COLLABORA_CONTROLLER_DEPLOYMENT_NAME=collabora-controller-cool-controller
+kubectl -n ${NAMESPACE} scale deployment/${COLLABORA_CONTROLLER_DEPLOYMENT_NAME} --replicas=0
+kubectl -n ${NAMESPACE} delete -n collabora leases.coordination.k8s.io collabora-online
+```
+
+> [!note]
+> The Collabora Online Controller is not scaled up again, as this would happen as part of the upgrade deployment.
+
 #### Helmfile new secret: `secrets.nubus.ldapSearch.postfix`
 
 **Target group:** All existing deployments that use self-defined secrets.

docs/monitoring.md

@@ -23,8 +23,7 @@ openDesk includes integration with Prometheus-based monitoring.
 
 Together with [kube-prometheus-stack](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack), you can easily leverage the full potential of the open-source cloud-native observability stack.
 
-Before enabling the following options, you need to install the respective custom resource definitions (CRDs) from the kube-prometheus-stack
+Before enabling the following options, you need to install the respective custom resource definitions (CRDs) from the kube-prometheus-stack repository which should at least include the Prometheus Operator.
-repository or Prometheus operator.
 
 # Defaults
 
@@ -33,14 +32,16 @@ All configurable options and their defaults can be found in
 
 # Metrics
 
-To deploy `podMonitor` and `serviceMonitor` custom resources, enable it by:
+To deploy `podMonitor` and `serviceMonitor` custom resources, enable them by:
 
 ```yaml
-prometheus:
+monitoring:
-  serviceMonitors:
+  prometheus:
-    enabled: true
+    serviceMonitors:
-  podMonitors:
+      enabled: true
-    enabled: true
+    podMonitors:
+      enabled: true
+```
 ```
 
 # Alerts
@@ -51,19 +52,23 @@ Some of these are created by our partners while others are defined in [opendesk-
 All alert rules are deployed as [PrometheusRule](https://prometheus-operator.dev/docs/api-reference/api/#monitoring.coreos.com/v1.PrometheusRule) and can be enabled like this:
 
 ```yaml
-prometheus:
+monitoring:
-  prometheusRules:
+  prometheus:
-    enabled: true
+    prometheusRules:
+      enabled: true
 ```
 
 # Dashboards for Grafana
 
-To deploy optional Grafana dashboards with ConfigMaps, enable the functionality with:
+If your Grafana instance is deployed via kube-prometheus-stack, or you have deployed the [Sidecar for datasources](https://github.com/grafana/helm-charts/blob/main/charts/grafana/README.md#sidecar-for-datasources), openDesk can make dashboards available via ConfigMap resources. 
+
+Enable the functionality with the following snippet:
 
 ```yaml
-grafana:
+monitoring:
-  dashboards:
+  grafana:
-    enabled: true
+    dashboards:
+      enabled: true
 ```
 
 Please find further details in the [related Helm chart](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-dashboards).

docs/requirements.md

@@ -29,14 +29,14 @@ openDesk is a Kubernetes-only solution and requires an existing Kubernetes (K8s)
 - K8s cluster >= v1.24, [CNCF Certified Kubernetes distribution](https://www.cncf.io/certification/software-conformance/)
 - Domain and DNS Service
 - Ingress controller (Ingress NGINX) >= [4.11.5/1.11.5](https://github.com/kubernetes/ingress-nginx/releases)
-- [Helm](https://helm.sh/) >= v3.17.3, but not v3.18.0[^1]
+- [Helm](https://helm.sh/) >= v3.17.3 (but not v3.18.0[^1]) and < v4[^2],
 - [Helmfile](https://helmfile.readthedocs.io/en/latest/) >= v1.0.0
 - [HelmDiff](https://github.com/databus23/helm-diff) >= v3.11.0
-- Volume provisioner supporting RWO (read-write-once)[^2]
+- Volume provisioner supporting RWO (read-write-once)[^3]
 - Certificate handling with [cert-manager](https://cert-manager.io/)
 
 **Additional openDesk Enterprise requirements**
-- [OpenKruise](https://openkruise.io/)[^3] >= v1.6
+- [OpenKruise](https://openkruise.io/)[^4] >= v1.6
 
 # Hardware
 
@@ -138,8 +138,11 @@ Helmfile requires [HelmDiff](https://github.com/databus23/helm-diff) to compare
 
 # Footnotes
 
-[^1]: Due to a [Helm bug](https://github.com/helm/helm/issues/30890) Helm 3.18.0 is not supported.
+[^1]: Due to a [Helm bug](https://github.com/helm/helm/issues/30890) Helm v3.18.0 is not supported.
 
-[^2]: Due to [restrictions on Kubernetes `emptyDir`](https://github.com/kubernetes/kubernetes/pull/130277) you need a volume provisioner that has sticky bit support, otherwise the OpenProject seeder job will fail. E.g. the `local-path-provisioner` does not have sticky bit support.
+[^2]: Helm v4 introduced stricter flag grouping that is not yet supported by the helmdiff plugin.
+
+[^3]: Due to [restrictions on Kubernetes `emptyDir`](https://github.com/kubernetes/kubernetes/pull/130277) you need a volume provisioner that has sticky bit support, otherwise the OpenProject seeder job will fail. E.g. the `local-path-provisioner` does not have sticky bit support.
+
+[^4]: Required for Dovecot Pro as part of openDesk Enterprise Edition.
 
-[^3]: Required for Dovecot Pro as part of openDesk Enterprise Edition.

helmfile/apps/jitsi/values-jitsi.yaml.gotmpl

@@ -248,9 +248,9 @@ jitsi:
       {{ .Values.resources.jvb | toYaml | nindent 6 }}
     service:
       type: {{ coalesce .Values.service.type.jitsiVideoBridge .Values.cluster.service.type | quote }}
-    {{- if .Values.annotations.jitsiJvb.service }}
+    {{- if .Values.annotations.jitsiJvb.serviceExternal }}
       annotations:
-        {{ .Values.annotations.jitsiJvb.service | toYaml | nindent 8 }}
+        {{ .Values.annotations.jitsiJvb.serviceExternal | toYaml | nindent 8 }}
     {{- end }}
     securityContext:
       allowPrivilegeEscalation: false

helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl

@@ -140,6 +140,8 @@ service:
     {{ .Values.annotations.openxchangeDovecot.service | toYaml | nindent 4 }}
   external:
     enabled: true
+    annotations:
+      {{ .Values.annotations.openxchangeDovecot.serviceExternal | toYaml | nindent 6 }}
     type: {{ coalesce .Values.service.type.dovecot .Values.cluster.service.type | quote }}
 {{- end }}
 

helmfile/apps/open-xchange/values-postfix.yaml.gotmpl

@@ -47,12 +47,29 @@ postfix:
   inetProtocols: "ipv4"
   messageSizeLimit: {{ mul .Values.functional.groupware.mail.maxSize 1024 1024 | int | printf "%d" | quote }}
   milterDefaultAction: "tempfail"
-  {{- if .Values.apps.dkimpy.enabled }}
+  smtpdMilters:
-  dkimpyHost: "opendesk-dkimpy-milter.{{ .Release.Namespace }}.svc.{{.Values.cluster.networking.domain }}:8892"
+    {{- if .Values.apps.dkimpy.enabled }}
-  {{- end }}
+    - host: "opendesk-dkimpy-milter.{{ .Release.Namespace }}.svc.{{.Values.cluster.networking.domain }}"
+      port: 8892
+    {{- end }}
+    {{- if .Values.smtp.spamMilter.host }}
+    - host: {{ .Values.smtp.spamMilter.host | quote }}
+      port: {{ .Values.smtp.spamMilter.port }}
+    {{- end }}
+    {{- if .Values.antivirus.milter.host }}
+    - host: {{ .Values.antivirus.milter.host | quote }}
+      port: {{ .Values.antivirus.milter.port }}
+    {{- else }}
+    {{- if .Values.apps.clamavDistributed.enabled }}
+    - host: "clamav-milter"
+      port:7357
+    {{- else if .Values.apps.clamavSimple.enabled }}
+    - host: "clamav-simple"
+      port: 7357
+    {{- end }}
+    {{- end }}
   minTLSVersion: "TLSv1.2"
   smtpdTLSMandatoryCiphers: "medium"
-  rspamdHost: ""
   {{- if .Values.smtp.host }}
   relayHost:
     enabled: true
@@ -100,15 +117,6 @@ postfix:
       # -- return the following attribute from all found leaves when a recursive search is done
       leafResultAttribute: "mailPrimaryAddress"
 
-  {{- if .Values.antivirus.milter.host }}
-  smtpdMilters: "inet:{{ .Values.antivirus.milter.host }}:{{ .Values.antivirus.milter.port }}"
-  {{- else }}
-  {{- if .Values.apps.clamavDistributed.enabled }}
-  smtpdMilters: "inet:clamav-milter:7357"
-  {{- else if .Values.apps.clamavSimple.enabled }}
-  smtpdMilters: "inet:clamav-simple:7357"
-  {{- end }}
-  {{- end }}
   virtualMailboxDomains: {{ toYaml (prepend .Values.global.additionalMailDomains (.Values.global.mailDomain | default .Values.global.domain) | uniq) | nindent 4 }}
   virtualTransport: "lmtps:dovecot:24"
 
@@ -129,6 +137,8 @@ service:
     {{ .Values.annotations.openxchangePostfix.service | toYaml | nindent 4 }}
   external:
     enabled: true
+    annotations:
+      {{ .Values.annotations.openxchangePostfix.serviceExternal | toYaml | nindent 6 }}
     type: {{ coalesce .Values.service.type.postfix .Values.cluster.service.type | quote }}
 {{- end }}
 ...

helmfile/apps/services-external/values-postfix.yaml.gotmpl

@@ -57,10 +57,23 @@ postfix:
   hostname: "postfix"
   inetProtocols: "ipv4"
   milterDefaultAction: "accept"
-  {{- if .Values.apps.dkimpy.enabled }}
+  smtpdMilters:
-  dkimpyHost: "opendesk-dkimpy-milter.{{ .Release.Namespace }}.svc.{{.Values.cluster.networking.domain }}:8892"
+    {{- if .Values.apps.dkimpy.enabled }}
-  {{- end }}
+    - host: "opendesk-dkimpy-milter.{{ .Release.Namespace }}.svc.{{.Values.cluster.networking.domain }}"
-  rspamdHost: ""
+      port: 8892
+    {{- end }}
+    {{- if .Values.antivirus.milter.host }}
+    - host: {{ .Values.antivirus.milter.host | quote }}
+      port: {{ .Values.antivirus.milter.port }}
+    {{- else }}
+    {{- if .Values.apps.clamavDistributed.enabled }}
+    - host: "clamav-milter"
+      port: 7357
+    {{- else if .Values.apps.clamavSimple.enabled }}
+    - host: "clamav-simple"
+      port: 7357
+    {{- end }}
+    {{- end }}
   {{- if .Values.smtp.host }}
   relayHost:
     enabled: true
@@ -116,15 +129,6 @@ postfix:
       # -- return the following attribute from all found leaves when a recursive search is done
       leafResultAttribute: "mailPrimaryAddress"
 
-  {{- if .Values.antivirus.milter.host }}
-  smtpdMilters: "inet:{{ .Values.antivirus.milter.host }}:{{ .Values.antivirus.milter.port }}"
-  {{- else }}
-  {{- if .Values.apps.clamavDistributed.enabled }}
-  smtpdMilters: "inet:clamav-milter:7357"
-  {{- else if .Values.apps.clamavSimple.enabled }}
-  smtpdMilters: "inet:clamav-simple:7357"
-  {{- end }}
-  {{- end }}
   # Only deliver mail to Dovecot, if it is available
   {{- if .Values.apps.oxAppSuite.enabled }}
   virtualMailboxDomains: {{ toYaml (prepend .Values.global.additionalMailDomains (.Values.global.mailDomain | default .Values.global.domain) | uniq) | nindent 4 }}

helmfile/environments/default-enterprise-overrides/charts.yaml.gotmpl

@@ -6,7 +6,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "zendis/opendesk-enterprise/components/product-development/charts/opendesk-dovecot-pro"
     name: "dovecot"
-    version: "3.2.1"
+    version: "3.3.0"
     verify: true
   oxAppSuite:
     registry: "registry.opencode.de"

helmfile/environments/default/annotations.yaml.gotmpl

@@ -95,7 +95,7 @@ annotations:
     serviceAccount: ~
   jitsiJvb:
     pod: ~
-    service: ~
+    serviceExternal: ~
     metricsPrometheus: ~
     metricsGrafana: ~
   jitsiProsody:
@@ -360,6 +360,7 @@ annotations:
     pod: ~
     service: ~
     serviceAccount: ~
+    serviceExternal: ~
   openxchangeEnterpriseContactPicker:
     appsuiteCoreMw:
     appsuiteCoreMwPod: ~
@@ -369,6 +370,7 @@ annotations:
   openxchangePostfix:
     pod: ~
     service: ~
+    serviceExternal: ~
   openxchangePublicSectorUi:
     pod: ~
   servicesExternalClamavDistributed:

helmfile/environments/default/charts.yaml.gotmpl

@@ -97,7 +97,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-dovecot"
     name: "dovecot"
-    version: "3.2.1"
+    version: "3.3.0"
     verify: true
   element:
     # providerCategory: "Platform"
@@ -437,7 +437,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-postfix"
     name: "postfix"
-    version: "5.0.2"
+    version: "5.1.1"
     verify: true
   postgresql:
     # providerCategory: "Platform"

helmfile/environments/default/smtp.yaml.gotmpl

@@ -7,6 +7,9 @@ smtp:
   username: ""
   password: {{ env "SMTP_PASSWORD" | quote }}
   localpartNoReply: "no-reply"
+  spamMilter:
+    host: ""
+    port: 11332
 
   # For the following settings to have effect `apps.dkimpy.enabled` must be `true`.
   dkim: