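apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ include "mailu-helm.fullname" . }}-smtp
  labels:
    component: smtp
    {{- include "mailu-helm.labels" . | nindent 4 }}
data:
  # Postfix main.cf overrides for the Mailu smtp container. One parameter per
  # line; lines starting with "#" are comments and must not be indented further
  # than the settings (an indented line is a main.cf continuation line).
  postfix.cf: |-
    # General TLS configuration
    # Cipher list used for the "high" grade: forward-secret ECDHE/DHE AEAD
    # suites first; anonymous, NULL, export, legacy and weak families are
    # excluded explicitly.
    tls_high_cipherlist = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EECDH+AESGCM:EDH+AESGCM:DHE-RSA-CHACHA20-POLY1305:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!CAMELLIA
    # Use the server's cipher preference order instead of the client's.
    tls_preempt_cipherlist = yes
    # Disable TLS compression (CRIME-style attacks).
    tls_ssl_options = NO_COMPRESSION

    # Outgoing TLS is more flexible because 1. not all receiving servers will
    # support TLS, 2. not all will have an up-to-date TLS stack.
    # "may" is opportunistic TLS: encrypt when the peer offers it, otherwise
    # fall back to plaintext. SSLv2/SSLv3/TLSv1 are excluded in both the
    # opportunistic and the mandatory (*_mandatory_*) protocol lists; the
    # mandatory lists only apply when a policy raises the level above "may".
    smtp_tls_security_level = may
    smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1
    smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1
    smtpd_tls_security_level = may
    smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1
    smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1
    # Restrict all three TLS clients/servers (LMTP delivery, outbound SMTP,
    # inbound smtpd) to the "high" grade cipher list defined above.
    lmtp_tls_ciphers = high
    lmtp_tls_mandatory_ciphers = high
    smtp_tls_ciphers = high
    smtp_tls_mandatory_ciphers = high
    smtpd_tls_ciphers = high
    smtpd_tls_mandatory_ciphers = high
    # Relayed networks
    # Clients in mynetworks are trusted (permit_mynetworks in the access
    # restrictions), so only loopback, the cluster subnet and the single
    # external front address (/32) belong here. .Values.config.subnet is
    # assumed to already carry its CIDR prefix, since none is appended.
    mynetworks = 127.0.0.1/32 [::1]/128 {{ .Values.config.subnet }} {{ .Values.config.subnet_external }}/32
    # XCLIENT lets these hosts override the client address/name/HELO that
    # smtpd evaluates, which bypasses client-based access checks; keep this
    # limited to the trusted front/proxy addresses.
    smtpd_authorized_xclient_hosts = {{ .Values.config.subnet }} {{ .Values.config.subnet_external }}/32

    # postscreen reads the real client address from a HAProxy PROXY protocol
    # header sent by the upstream proxy. That header is trusted as-is, so the
    # postscreen listener (10024 in postfix.master) must be reachable only from
    # that proxy, not from arbitrary clients.
    postscreen_upstream_proxy_protocol = haproxy
    # Server key and certificate, mounted at /certs by the smtp workload.
    smtpd_tls_key_file = /certs/tls.key
    smtpd_tls_cert_file = /certs/tls.crt
    # Legacy switches superseded by the *_tls_security_level settings above,
    # which take precedence; kept for compatibility.
    smtpd_use_tls = yes
    smtp_use_tls = yes
  # Postfix master.cf overrides, one "name/type=master.cf entry" per line.
  # Fields: service type private unpriv chroot wakeup maxproc command.
  postfix.master: |-
    # expose proxy protocol support
    # postscreen listener on 10024 for PROXY-protocol connections from the
    # front (see postscreen_upstream_proxy_protocol). maxproc is 1 because
    # postscreen is designed to run as a single process.
    10024/inet=10024     inet  n       -       n       -       1       postscreen
    # "pass" service that receives the connections postscreen hands off.
    smtpd/pass=smtpd     pass  -       -       n       -       -       smtpd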