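# SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
# Helm values template for the external Postfix service. Every value is
# rendered from the deployment's .Values tree before being parsed as YAML,
# so each templated string scalar is piped through `quote`.

certificate:
  secretName: {{ .Values.ingress.tls.secretName | quote }}
  request:
    enabled: false

commonAnnotations:
  {{ .Values.annotations.servicesExternalPostfix.common | toYaml | nindent 2 }}

# NOTE(review): the container runs privileged, as UID/GID 0, with privilege
# escalation allowed. The only restrictions set here are the RuntimeDefault
# seccomp profile and the read-only root filesystem. Whether the image needs
# full `privileged` rather than a narrow capability set cannot be determined
# from this file - confirm against the chart. Namespaces that enforce the
# "baseline" or "restricted" Pod Security Standard will reject this pod.
containerSecurityContext:
  allowPrivilegeEscalation: true
  capabilities: {}
  enabled: true
  seccompProfile:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: true
  runAsNonRoot: false
  runAsUser: 0
  runAsGroup: 0
  privileged: true
  seLinuxOptions:
    {{ .Values.seLinuxOptions.postfix | toYaml | nindent 4 }}

global:
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}

image:
  # The first non-empty registry wins: registryOpencodeDe, then the global
  # registry, then the image-specific one.
  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.postfix.registry | quote }}
  repository: {{ .Values.images.postfix.repository | quote }}
  tag: {{ .Values.images.postfix.tag | quote }}
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}

persistence:
  size: {{ .Values.persistence.storages.postfix.size | quote }}
  storageClass: {{ coalesce .Values.persistence.storages.postfix.storageClassName .Values.persistence.storageClassNames.RWO | quote }}
  annotations:
    {{ .Values.annotations.servicesExternalPostfix.persistence | toYaml | nindent 4 }}

# Defined exactly once. A second top-level `podAnnotations` key is a duplicate:
# parsers either reject it or apply last-wins and discard these annotations.
podAnnotations:
  {{ .Values.annotations.servicesExternalPostfix.pod | toYaml | nindent 2 }}

podSecurityContext:
  enabled: true
  fsGroup: 101

postfix:
  amavisHost: ""
  amavisPortIn: ""
  domain: {{ .Values.global.mailDomain | default .Values.global.domain | quote }}
  hostname: "postfix"
  inetProtocols: "ipv4"
  # NOTE(review): presumably maps to Postfix `milter_default_action`. "accept"
  # is fail-open: if a milter (DKIM signing, antivirus) is unreachable or
  # errors, mail is processed as if the filter were absent. "tempfail" is the
  # fail-closed alternative; otherwise alert on milter connection errors.
  milterDefaultAction: "accept"
  {{- if .Values.apps.dkimpy.enabled }}
  dkimpyHost: "opendesk-dkimpy-milter.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8892"
  {{- end }}
  rspamdHost: ""
  {{- if .Values.smtp.host }}
  # Upstream relay, configured only when an SMTP host is set. Host, username
  # and password are quoted so that values containing " #", ": " or a leading
  # YAML indicator are neither truncated nor re-typed by the parser.
  # The password is rendered in plain text into these values: keep rendered
  # output out of logs and version control. Whether the chart stores it in a
  # Secret is not visible here - TODO confirm.
  relayHost:
    enabled: true
    host: {{ .Values.smtp.host | quote }}
    port: {{ .Values.smtp.port }}
    authentication:
      username:
        value: {{ .Values.smtp.username | quote }}
      password:
        value: {{ .Values.smtp.password | quote }}
  {{- end }}
  # Warning: This setting allows unauthenticated mail relay from relayNets!
  # relayNets is the space-joined cluster CIDR list, so every workload with an
  # address in those ranges can submit mail without credentials. Restrict
  # access to this service with a NetworkPolicy where the cluster supports it.
  allowRelayNets: true
  relayNets: {{ join " " .Values.cluster.networking.cidr | quote }}
  minTLSVersion: "TLSv1.3"
  smtpdTLSMandatoryCiphers: "high"
  smtpSASLAuthEnable: "yes"
  smtpSASLPasswordMaps: "lmdb:/etc/postfix/sasl_passwd.map"
  # Outbound (smtp client) TLS is mandatory.
  smtpTLSSecurityLevel: "encrypt"
  smtpdSASLAuthEnable: "yes"
  smtpdSASLSecurityOptions: "noanonymous"
  smtpdSASLType: "cyrus"
  # NOTE(review): inbound (smtpd) TLS is opportunistic ("may") while SASL
  # authentication is enabled. Unless the chart also sets
  # `smtpd_tls_auth_only`, AUTH could be offered on unencrypted sessions -
  # TODO confirm against the chart's main.cf template.
  smtpdTLSSecurityLevel: "may"
  smtpdTLSCertFile: "/etc/tls/tls.crt"
  smtpdKeyFile: "/etc/tls/tls.key"
  smtpdSASLPath: "smtpd"
  # Static account for SASL authentication; its password is taken from the
  # deployment secrets.
  staticAuthDB:
    enabled: true
    username:
      value: "opendesk-system"
    password:
      value: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
  # Antivirus milter: an explicitly configured host takes precedence,
  # otherwise the enabled in-cluster ClamAV flavour is used. If none applies,
  # smtpdMilters is not set at all.
  {{- if .Values.antivirus.milter.host }}
  smtpdMilters: "inet:{{ .Values.antivirus.milter.host }}:{{ .Values.antivirus.milter.port }}"
  {{- else }}
  {{- if .Values.apps.clamavDistributed.enabled }}
  smtpdMilters: "inet:clamav-milter:7357"
  {{- else if .Values.apps.clamavSimple.enabled }}
  smtpdMilters: "inet:clamav-simple:7357"
  {{- end }}
  {{- end }}
  # Only deliver mail to Dovecot, if it is available
  {{- if .Values.apps.oxAppSuite.enabled }}
  # The primary mail domain comes first, followed by the additional domains,
  # de-duplicated.
  virtualMailboxDomains:
    {{ toYaml (prepend .Values.global.additionalMailDomains (.Values.global.mailDomain | default .Values.global.domain) | uniq) | nindent 4 }}
  virtualTransport: "lmtps:dovecot:24"
  {{- end }}

replicaCount: {{ .Values.replicas.postfix }}

resources:
  {{ .Values.resources.postfix | toYaml | nindent 2 }}

service:
  annotations:
    {{ .Values.annotations.servicesExternalPostfix.service | toYaml | nindent 4 }}
  external:
    enabled: false

serviceAccount:
  annotations:
    {{ .Values.annotations.servicesExternalPostfix.serviceAccount | toYaml | nindent 4 }}
...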