dvirlabs/mail-services
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
mail-services/MAIL_STACK_README.md

530 lines
13 KiB
Markdown
Raw Blame History

# Lightweight Mail Stack for k3s GitOps Lab
Complete deployment of **Stalwart Mail Server** + **SnappyMail** webmail using GitOps with ArgoCD.
## 📋 Overview
This repository deploys a lightweight, modern mail stack designed for self-hosting and lab environments:
- **Stalwart Mail Server**: All-in-one mail server (SMTP, IMAP, Admin UI)
- **SnappyMail**: Modern, lightweight webmail client
- **GitOps**: Managed by ArgoCD
- **Storage**: NFS-based persistent volumes
- **Ingress**: Traefik for web UI access
## 🏗️ Architecture
```
┌─────────────────────────────────────────────────┐
│ Traefik Ingress │
│ mail.dvirlabs.com webmail.dvirlabs.com │
└───────────┬──────────────────────┬──────────────┘
│ │
│ │
┌───────▼────────┐ ┌────────▼────────┐
│ Stalwart │◄───│ SnappyMail │
│ Mail Server │ │ Webmail │
│ │ │ │
│ • SMTP │ │ Connects via: │
│ • IMAP │ │ • IMAP:993 │
│ • Admin UI │ │ • SMTP:587 │
└────────┬───────┘ └─────────────────┘
┌────────▼───────┐
│ NFS Storage │
│ Mail Data │
└────────────────┘
```
## 📁 Repository Structure
```
mail-services/
├── argocd-apps/
│ ├── stalwart.yaml # ArgoCD Application for Stalwart
│ └── snappymail.yaml # ArgoCD Application for SnappyMail
├── charts/
│ ├── stalwart/ # Local Helm chart for Stalwart
│ │ ├── Chart.yaml
│ │ ├── values.yaml # Default values
│ │ └── templates/
│ │ ├── namespace.yaml
│ │ ├── secret.yaml
│ │ ├── statefulset.yaml
│ │ ├── service.yaml
│ │ └── ingress.yaml
│ └── snappymail/ # Local Helm chart for SnappyMail
│ ├── Chart.yaml
│ ├── values.yaml # Default values
│ └── templates/
│ ├── deployment.yaml
│ ├── pvc.yaml
│ ├── service.yaml
│ ├── ingress.yaml
│ └── configmap.yaml
└── manifests/
├── stalwart/
│ └── values.yaml # Custom values for dvirlabs.com
└── snappymail/
└── values.yaml # Custom values for dvirlabs.com
```
## 🚀 Quick Start
### Prerequisites
- k3s cluster running
- ArgoCD installed and configured
- Traefik ingress controller
- NFS storage class (`nfs-client`)
- DNS records pointing to your cluster
### Step 1: Update Configuration
1. **Update ArgoCD Application manifests** with your Git repository URL:
```bash
# Edit both files and replace YOUR_USERNAME with your actual repo
vim argocd-apps/stalwart.yaml
vim argocd-apps/snappymail.yaml
```
2. **Change the Stalwart admin password**:
```bash
# Edit and set a strong password
vim manifests/stalwart/values.yaml
```
Find this section and change `CHANGE_ME_PLEASE_USE_STRONG_PASSWORD`:
```yaml
secret:
create: true
name: stalwart-credentials
adminPassword: "YOUR_STRONG_PASSWORD_HERE"
```
3. **Update domain names** (if not using dvirlabs.com):
```bash
# Update in both files
vim manifests/stalwart/values.yaml
vim manifests/snappymail/values.yaml
```
### Step 2: Deploy with ArgoCD
```bash
# Apply ArgoCD Applications
kubectl apply -f argocd-apps/stalwart.yaml
kubectl apply -f argocd-apps/snappymail.yaml
# Check deployment status
kubectl get applications -n argocd
# Watch pods come up
kubectl get pods -n mail -w
```
### Step 3: Verify Deployment
```bash
# Check all resources in mail namespace
kubectl get all -n mail
# Check PVCs
kubectl get pvc -n mail
# Check ingresses
kubectl get ingress -n mail
```
Expected output:
```
NAME READY STATUS RESTARTS AGE
pod/stalwart-0 1/1 Running 0 2m
pod/snappymail-xxx-xxx 1/1 Running 0 2m
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S)
service/stalwart ClusterIP 10.43.x.x <none> 8080/TCP,25/TCP,587/TCP,993/TCP
service/snappymail ClusterIP 10.43.x.x <none> 8888/TCP
NAME CLASS HOSTS
ingress.networking.k8s.io/stalwart traefik mail.dvirlabs.com
ingress.networking.k8s.io/snappymail traefik webmail.dvirlabs.com
```
## 🌐 Access the Services
### Stalwart Admin UI
URL: `https://mail.dvirlabs.com`
Default credentials:
- Username: `admin@dvirlabs.com`
- Password: (the one you set in manifests/stalwart/values.yaml)
### SnappyMail Webmail
URL: `https://webmail.dvirlabs.com`
First-time setup:
1. Access the admin panel: `https://webmail.dvirlabs.com/?admin`
2. Default admin password: `12345` (change immediately!)
3. Configure mail server connection:
- **IMAP Server**: `stalwart.mail.svc.cluster.local`
- **IMAP Port**: `993`
- **IMAP Security**: SSL/TLS
- **SMTP Server**: `stalwart.mail.svc.cluster.local`
- **SMTP Port**: `587`
- **SMTP Security**: STARTTLS
## 📧 Configuring Real Mail Service
### Important: Cloudflare Tunnel Limitations
⚠️ **WARNING**: While Cloudflare Tunnel works fine for web UIs (admin panel and webmail), it **CANNOT** be used for actual email protocols (SMTP/IMAP).
**What works through Cloudflare Tunnel:**
- ✅ Stalwart admin UI (HTTPS)
- ✅ SnappyMail webmail (HTTPS)
**What does NOT work through Cloudflare Tunnel:**
- ❌ Receiving mail from other servers (SMTP port 25)
- ❌ Sending mail to other servers (SMTP port 25)
- ❌ External email clients (IMAP/SMTP)
### Required for Real Email
To receive and send real email, you need:
#### 1. DNS Records
```dns
; MX Record (Mail Exchange)
@ IN MX 10 mail.dvirlabs.com.
; A Record (pointing to your public IP - NOT Cloudflare Tunnel)
mail IN A YOUR_PUBLIC_IP
; SPF Record (Sender Policy Framework)
@ IN TXT "v=spf1 mx ~all"
; DMARC Record
_dmarc IN TXT "v=DMARC1; p=quarantine; rua=mailto:admin@dvirlabs.com"
; DKIM Record (generated by Stalwart)
; Get this from Stalwart admin UI after setup
default._domainkey IN TXT "v=DKIM1; k=rsa; p=YOUR_PUBLIC_KEY_HERE"
```
#### 2. Port Forwarding
You need to expose these ports directly (NOT through Cloudflare):
```
Port 25 (SMTP) - Required for receiving mail from other servers
Port 587 (SMTP) - Required for sending mail (submission)
Port 465 (SMTPS) - Optional, secure SMTP submission
Port 993 (IMAPS) - Required for IMAP access
Port 143 (IMAP) - Optional, plaintext IMAP
```
**Option A: NodePort Service**
```bash
kubectl apply -f - <<EOF
apiVersion: v1
kind: Service
metadata:
name: stalwart-external
namespace: mail
spec:
type: NodePort
ports:
- name: smtp
port: 25
targetPort: 25
nodePort: 30025
- name: submission
port: 587
targetPort: 587
nodePort: 30587
- name: imaps
port: 993
targetPort: 993
nodePort: 30993
selector:
app.kubernetes.io/name: stalwart
EOF
```
Then forward ports 25, 587, 993 from your router to your k3s node on ports 30025, 30587, 30993.
**Option B: LoadBalancer with MetalLB**
If you have MetalLB configured:
```bash
kubectl apply -f - <<EOF
apiVersion: v1
kind: Service
metadata:
name: stalwart-lb
namespace: mail
spec:
type: LoadBalancer
loadBalancerIP: YOUR_LB_IP
ports:
- name: smtp
port: 25
targetPort: 25
- name: submission
port: 587
targetPort: 587
- name: imaps
port: 993
targetPort: 993
selector:
app.kubernetes.io/name: stalwart
EOF
```
#### 3. PTR (Reverse DNS) Record
Contact your ISP or VPS provider to set a PTR record:
```
YOUR_PUBLIC_IP -> mail.dvirlabs.com
```
This is **critical** for email deliverability. Without it, many servers will reject your mail.
## 🔧 Configuration Management
### Using External Secrets (Recommended for Production)
Instead of storing passwords in Git, use External Secrets Operator:
1. Install External Secrets Operator
2. Create a secret in your secret backend (Vault, AWS Secrets Manager, etc.)
3. Update manifests/stalwart/values.yaml:
```yaml
secret:
create: false # Don't create the secret
name: stalwart-credentials # Reference external secret
```
4. Create an ExternalSecret:
```yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: stalwart-credentials
namespace: mail
spec:
refreshInterval: 1h
secretStoreRef:
name: your-secret-store
kind: SecretStore
target:
name: stalwart-credentials
data:
- secretKey: STALWART_ADMIN_PASSWORD
remoteRef:
key: mail/stalwart/admin-password
```
## 🛠️ Maintenance
### View Stalwart Logs
```bash
kubectl logs -n mail stalwart-0 -f
```
### View SnappyMail Logs
```bash
kubectl logs -n mail -l app.kubernetes.io/name=snappymail -f
```
### Access Stalwart Shell
```bash
kubectl exec -it -n mail stalwart-0 -- /bin/sh
```
### Backup Mail Data
```bash
# Backup Stalwart data
kubectl exec -n mail stalwart-0 -- tar czf /tmp/mail-backup.tar.gz /opt/stalwart-mail
kubectl cp mail/stalwart-0:/tmp/mail-backup.tar.gz ./mail-backup-$(date +%Y%m%d).tar.gz
# Backup SnappyMail config
kubectl exec -n mail -l app.kubernetes.io/name=snappymail -- tar czf /tmp/snappymail-backup.tar.gz /var/lib/snappymail
kubectl cp mail/snappymail-xxx:/tmp/snappymail-backup.tar.gz ./snappymail-backup-$(date +%Y%m%d).tar.gz
```
### Restore from Backup
```bash
# Restore Stalwart
kubectl cp ./mail-backup.tar.gz mail/stalwart-0:/tmp/mail-backup.tar.gz
kubectl exec -n mail stalwart-0 -- tar xzf /tmp/mail-backup.tar.gz -C /
kubectl rollout restart statefulset -n mail stalwart
```
## 🔍 Troubleshooting
### Pods Not Starting
```bash
# Check pod events
kubectl describe pod -n mail stalwart-0
kubectl describe pod -n mail -l app.kubernetes.io/name=snappymail
# Check PVC status
kubectl get pvc -n mail
```
### Ingress Not Working
```bash
# Check ingress status
kubectl describe ingress -n mail
# Check Traefik logs
kubectl logs -n kube-system -l app.kubernetes.io/name=traefik
# Test internal connectivity
kubectl run -it --rm debug --image=busybox -n mail -- wget -O- http://stalwart:8080
```
### SnappyMail Can't Connect to Stalwart
```bash
# Test IMAP connectivity from SnappyMail pod
kubectl exec -it -n mail -l app.kubernetes.io/name=snappymail -- nc -zv stalwart.mail.svc.cluster.local 993
# Check Stalwart service
kubectl get svc -n mail stalwart
```
### Email Not Being Delivered
Common issues:
1. **No PTR record**: Check reverse DNS
2. **Port 25 blocked**: Many ISPs block outbound port 25
3. **Missing SPF/DKIM/DMARC**: Check DNS records
4. **IP on blacklist**: Check https://mxtoolbox.com/blacklists.aspx
## 📊 Monitoring
### Check Mail Queue
```bash
# Access Stalwart admin UI
# https://mail.dvirlabs.com
# Navigate to Queue section
```
### Resource Usage
```bash
# Check pod resource usage
kubectl top pods -n mail
# Check PVC usage
kubectl exec -n mail stalwart-0 -- df -h /opt/stalwart-mail
```
## 🔐 Security Hardening
### Recommended Post-Deployment Steps
1. **Change SnappyMail admin password** immediately
2. **Enable fail2ban** for brute force protection
3. **Set up TLS certificates** with cert-manager (if not using Cloudflare)
4. **Enable DKIM signing** in Stalwart
5. **Configure rate limiting** in Stalwart
6. **Regular backups** of mail data
7. **Monitor logs** for suspicious activity
### TLS Certificates with cert-manager
If you want Let's Encrypt certificates instead of Cloudflare:
```yaml
# Add to ingress annotations
cert-manager.io/cluster-issuer: letsencrypt-prod
```
And configure TLS:
```yaml
tls:
- hosts:
- mail.dvirlabs.com
secretName: stalwart-tls
```
## 📚 Additional Resources
- [Stalwart Documentation](https://stalw.art/docs)
- [SnappyMail Documentation](https://snappymail.eu/)
- [Email Deliverability Best Practices](https://www.mail-tester.com/)
- [DKIM Setup Guide](https://www.cloudflare.com/learning/dns/dns-records/dns-dkim-record/)
## ⚙️ Customization
### Adjust Storage Size
Edit `manifests/stalwart/values.yaml` or `manifests/snappymail/values.yaml`:
```yaml
persistence:
size: 50Gi # Increase as needed
```
### Change Resource Limits
Edit `manifests/*/values.yaml`:
```yaml
resources:
requests:
memory: "2Gi"
cpu: "1000m"
limits:
memory: "8Gi"
cpu: "4000m"
```
### Add Multiple Domains
Configure in Stalwart admin UI after deployment.
## 🤝 Contributing
This is a personal lab setup, but feel free to fork and adapt for your needs!
## 📝 License
MIT License - Use at your own risk
## ⚠️ Disclaimer
This setup is designed for lab/self-hosting environments. For production use:
- Use External Secrets for credentials
- Set up proper TLS certificates
- Configure backup automation
- Enable monitoring and alerting
- Review security best practices
- Test email deliverability thoroughly
Reference in New Issue View Git Blame Copy Permalink