charts/docker-mailserver/README.md
13 additions & 5 deletions
@@ -205,13 +205,13 @@ The chart will then automatically copy the certificate and private key to the `/
## Ports
-
If you are running on a bare-metal Kubernetes cluster, you will have to expose ports to the internet to receive and send emails. In addition, you need to make sure that `docker-mailserver`` receives the correct client IP address so that spam filtering works.
+
If you are running on a bare-metal Kubernetes cluster, you will have to expose ports to the internet to receive and send emails. In addition, you need to make sure that `docker-mailserver` receives the correct client IP address so that spam filtering works.
-
This can get a bit complicated, as explained in the `docker-mailserver` [documentation](https://docker-mailserver.github.io/docker-mailserver/latest/config/advanced/kubernetes/#exposing-your-mail-server-to-the-outside-world).
+
This can get a bit complicated, as explained in the `docker-mailserver` [documentation][dms-docs::k8s::network-config].
-
One approach to preserving the client IP address is to use the PROXY protocol, which is explained in the [documentation](https://docker-mailserver.github.io/docker-mailserver/latest/config/advanced/kubernetes/#proxy-port-to-service-via-proxy-protocol).
+
One approach to preserving the client IP address is to [use the PROXY protocol][dms-docs::k8s::proxy-protocol].
-
The Helm chart supports the use of the proxy protocol via the `proxyProtocol` key. By default `proxyProtocol.enable` is true, and `trustedNetworks` is set to the private IP network ranges, as are typically used inside a cluster. Additionally, you will need to enable the proxyProtocol for your loadbalancer. If you are using a cloud service they will most likely have documentation on how to do this for their loadbalancer. If you are using k3s then this is currently impossible with the default components.
+
The Helm chart supports the use of the proxy protocol via the `proxyProtocol` key. By default `proxyProtocol.enable` is true, and `trustedNetworks` is set to the private IP network ranges, as are typically used inside a cluster.
For security, you should narrow this to the actual range of IP addresses used by your ingress controller pods, and be certain to exclude any IP ranges gatewayed from IPv6 to v4 or vice versa.
+
Additionally, you will need to enable `proxyProtocol` for your loadbalancer.
+
- If you are using a cloud service they will most likely have documentation on how to do this for their loadbalancer.
+
- If you are using k3s then this is [currently impossible][k3s-klipperlb-pp] with the default components.
+
+
For security, you should narrow `trustedNetworks` to the actual range of IP addresses used by your ingress controller pods, and be certain to exclude any IP ranges gatewayed from IPv6 to v4 or vice versa.
Also note that any compromised container in the cluster could use the PROXY protocol to evade some security measures, so set a `NetworkPolicy` that only allows the appropriate pods to connect to the DMS pod.
Enabling the PROXY protocol will create an additional port for each protocol (by adding 10,000 to the standard port value) that is configured to understand the PROXY protocol. Thus:
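Review bot: the rewritten paragraphs switch to reference-style links (`[dms-docs::k8s::network-config]`, `[dms-docs::k8s::proxy-protocol]`, `[k3s-klipperlb-pp]`) but this hunk does not show the matching link definitions; please confirm they are added elsewhere in the README, otherwise the links render as literal brackets and the URLs carried by the deleted lines are lost. Two smaller points in the same region: "you will need to enable `proxyProtocol` for your loadbalancer" now puts the chart's `proxyProtocol` key in backticks in a sentence that is about the load balancer's own PROXY protocol support, so readers may go looking for a chart key there; consider "enable the PROXY protocol on your load balancer". And "loadbalancer" is written "load-balancer" in the context of the next hunk, so pick one spelling.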
@@ -237,6 +241,10 @@ Enabling the PROXY protocol will create an additional port for each protocol (by
If you do not enable the PROXY protocol and your mail server is not exposed using a load-balancer service with an external traffic policy in "Local" mode, then all incoming mail traffic will look like it comes from a local Kubernetes cluster IP.
Docker-mailserver assumes there are [four](https://docker-mailserver.github.io/docker-mailserver/latest/config/advanced/optional-config/#volumes) mounted volumes: