Initialcommit for mail relay server

.github/workflows/build-and-push-on-tag.yaml

@@ -0,0 +1,37 @@
+---
+name: Build and push Docker Image on Tag
+
+on:
+  push:
+    tags:
+      - '[0-9]+.[0-9]+.[0-9]+'
+jobs:
+  pre_build:
+    runs-on: ubuntu-latest
+    outputs:
+      tag: ${{ steps.tag.outputs.tag }}
+      suffix: ${{ steps.tag.outputs.suffix }}
+    steps:
+      - name: Filter Tag name
+        uses: olegtarasov/[email protected]
+        id: tag
+        with:
+          tagRegex: "(?<tag>[0-9]+.[0-9]+.[0-9]+)"
+  build_and_push_postfix:
+    needs: pre_build
+    uses: hpi-schul-cloud/infra-tools/.github/workflows/build-and-push.yaml@master
+    with:
+      registry: ghcr.io
+      image: dbildungsplattform/mail-relay-server
+      file: Dockerfile.postfix
+      tag: ${{ needs.pre_build.outputs.tag }}
+      suffix: ${{ needs.pre_build.outputs.suffix }}
+  build_and_push_exporter:
+    needs: pre_build
+    uses: hpi-schul-cloud/infra-tools/.github/workflows/build-and-push.yaml@master
+    with:
+      registry: ghcr.io
+      image: dbildungsplattform/mail-relay-server-exporter
+      file: Dockerfile.exporter
+      tag: ${{ needs.pre_build.outputs.tag }}
+      suffix: ${{ needs.pre_build.outputs.suffix }}

.github/workflows/moodle-to-ghcr-on-push.yaml

@@ -0,0 +1,18 @@
+---
+name: Moodle Docker Image on Push to GHCR
+
+on:
+  push:
+    branches-ignore:
+      - main
+
+jobs:
+  build_image_on_push:
+    permissions:
+      packages: write
+      security-events: write
+      actions: read
+      contents: read
+    uses: hpi-schul-cloud/infra-tools/.github/workflows/imagetoghcr-on-push.yaml@master
+    with:
+      image_name: "moodle"

.github/workflows/trivy-cron.yaml

@@ -0,0 +1,16 @@
+---
+name: Docker Image Trivy Image Vulnerability Scan Cron Job
+on:
+  schedule:
+
+    - cron: '0 2 * * *'
+permissions:
+  # security-events required for all workflows; action, contents only required for workflows in private repositories
+  security-events: write
+  actions: read
+  contents: read
+jobs:
+  trivy_image_scan_cron:
+    uses: hpi-schul-cloud/infra-tools/.github/workflows/trivy-scan.yaml@master
+    with:
+      image-ref: 'ghcr.io/dbildungsplattform/moodle:latest'

Dockerfile.exporter

@@ -0,0 +1,14 @@
+# Verwende Alpine Linux als Basis
+FROM alpine:3
+
+# Installiere benötigte Werkzeuge
+RUN apk add --no-cache curl ca-certificates && \
+    curl -L https://github.com/sergeymakinen/postfix_exporter/releases/download/v1.2.4/postfix_exporter_1.2.4_linux_amd64.tar.gz | tar -xz -C /usr/local/bin
+
+# Setze den Pfad zum Postfix Log
+ENV POSTFIX_LOG_PATH="/var/log/mail.log"
+
+# Expose Port für den Exporter
+EXPOSE 9154
+
+CMD ["postfix_exporter"]

Dockerfile.postfix

@@ -0,0 +1,24 @@
+FROM alpine:3
+# Installiere Postfix und notwendige Pakete
+RUN apk add --no-cache postfix cyrus-sasl cyrus-sasl-login ca-certificates
+
+# Kopiere das Startskript ins Image
+COPY entrypoint.sh /entrypoint.sh
+RUN chmod +x /entrypoint.sh
+
+# Umgebungsvariablen für die Postfix Konfiguration (mit Standardwerten)
+ENV RELAY_HOST="[smtp.example.com]:587" \
+    SMTP_SASL_AUTH_ENABLE="yes" \
+    SMTP_SASL_SECURITY_OPTIONS="noanonymous" \
+    SMTP_SASL_PASSWORD_MAPS="hash:/etc/postfix/sasl_passwd" \
+    SMTPD_RECIPIENT_RESTRICTIONS="permit_sasl_authenticated,reject" \
+    SMTP_TLS_SECURITY_LEVEL="may" \
+    SMTP_TLS_CAFILE="/etc/ssl/certs/ca-certificates.crt" \
+    MECH_LIST="plain login" \
+    PW_CHECK_METHOD="saslauthd"
+
+# Expose SMTP port
+EXPOSE 25 587
+
+# Startskript als Einstiegspunkt
+CMD ["/entrypoint.sh"]

charts/mail-relay-server/Chart.yml

@@ -0,0 +1,4 @@
+apiVersion: v2
+name: mail-relay-server
+description: A Helm chart for deploying Postfix with SASL authentication on Kubernetes
+version: 0.1.0

charts/mail-relay-server/templates/deployment.yml

@@ -0,0 +1,42 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ .Release.Name }}-postfix
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      app: {{ .Release.Name }}-postfix
+  template:
+    metadata:
+      labels:
+        app: {{ .Release.Name }}-postfix
+    spec:
+      containers:
+        - name: postfix
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          volumeMounts:
+          - name: sasl-passwd
+            mountPath: /etc/postfix/sasl_passwd
+            subPath: sasl_passwd
+          ports:
+          - containerPort: {{ .Values.service.postfixPort }}
+          env:
+            - name: SMTPD_SASL_AUTH_ENABLE
+              value: "{{ .Values.env.SMTPD_SASL_AUTH_ENABLE }}"
+            - name: SMTPD_SASL_SECURITY_OPTIONS
+              value: "{{ .Values.env.SMTPD_SASL_SECURITY_OPTIONS }}"
+            - name: SMTPD_RECIPIENT_RESTRICTIONS
+              value: "{{ .Values.env.SMTPD_RECIPIENT_RESTRICTIONS }}"
+            - name: MECH_LIST
+              value: "{{ .Values.env.MECH_LIST }}"
+            - name: PW_CHECK_METHOD
+              value: "{{ .Values.env.PW_CHECK_METHOD }}"
+        - name: {{ .Release.Name }}-postfix-exporter
+          image: "{{ .Values.exporterImage.repository }}:{{ .Values.exporterImage.tag }}"
+          ports:
+          - containerPort: {{ .Values.service.exporterPort }}
+      volumes:
+        - name: sasl-passwd
+          secret:
+            secretName: postfix-sasl-secret

charts/mail-relay-server/templates/service.yml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ .Release.Name }}-postfix
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    - port: {{ .Values.service.port }}
+      targetPort: {{ .Values.service.postfixPort }}
+      protocol: TCP
+  selector:
+    app: {{ .Release.Name }}-postfix

charts/mail-relay-server/values.yml

@@ -0,0 +1,22 @@
+replicaCount: 1
+
+postfixImage:
+  repository: my-postfix
+  tag: latest
+  pullPolicy: IfNotPresent
+exporterImage:
+  repository: my-postfix-exporter
+  tag: latest
+  pullPolicy: IfNotPresent
+
+service:
+  type: ClusterIP
+  postfixPort: 587
+  exporterPort: 9154
+
+env:
+  SMTPD_SASL_AUTH_ENABLE: "yes"
+  SMTPD_SASL_SECURITY_OPTIONS: "noanonymous"
+  SMTPD_RECIPIENT_RESTRICTIONS: "permit_sasl_authenticated,reject"
+  MECH_LIST: "plain login"
+  PW_CHECK_METHOD: "saslauthd"

entrypoint.sh

@@ -0,0 +1,30 @@
+#!/bin/sh
+
+# Konfiguriere Postfix mit Umgebungsvariablen
+postconf -e "relayhost = ${RELAY_HOST}" \
+         -e "smtp_sasl_auth_enable = ${SMTP_SASL_AUTH_ENABLE}" \
+         -e "smtp_sasl_security_options = ${SMTP_SASL_SECURITY_OPTIONS}" \
+         -e "smtp_sasl_password_maps = ${SMTP_SASL_PASSWORD_MAPS}" \
+         -e 'smtpd_sasl_local_domain = $myhostname' \
+         -e "smtpd_recipient_restrictions=${SMTPD_RECIPIENT_RESTRICTIONS}" \
+         -e "smtp_tls_security_level = ${SMTP_TLS_SECURITY_LEVEL}" \
+         -e "smtp_tls_CAfile = ${SMTP_TLS_CAFILE}"
+
+# Erstelle smtpd.conf für Cyrus-SASL
+echo "pwcheck_method: ${PW_CHECK_METHOD}" > /etc/sasl2/smtpd.conf
+echo "mech_list: ${MECH_LIST}" >> /etc/sasl2/smtpd.conf
+
+saslauthd -a shadow -c -m /var/spool/postfix/var/run/saslauthd
+
+adduser -D ${SMTP_USER} -s /bin/false && echo "${SMTP_USER}:${SMTP_PASSWORD}" | chpasswd
+
+# Überprüfe, ob die sasl_passwd-Datei vorhanden ist
+if [ -f "/etc/postfix/sasl_passwd" ]; then
+    # Erstelle die sasl_passwd.db-Datei
+    postmap hash:/etc/postfix/sasl_passwd
+    chmod 600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
+fi
+
+# Starte Postfix im Vordergrund
+postfix start
+tail -f /var/log/mail.log