rewrite Kubernetes page

- re-structure the page (mainly introducing `===`) to enable users to
  switch easily between individual parts of this docs page
- rewrite the PROXY protocol parts
- add Traefik PROXY protocol example with dedicated proxy-ports
This commit is contained in:
georglauterbach 2024-03-07 11:06:34 +01:00
parent 3649699197
commit d2a57be44f
No known key found for this signature in database
GPG Key ID: F367F7C43C118578
2 changed files with 556 additions and 445 deletions

File diff suppressed because it is too large


@ -14,6 +14,8 @@ This reduces many of the benefits for why you might use a reverse proxy, but the
Some deployments may require a service to route traffic (kubernetes) when deploying, in which case the below advice is important to understand well.
We also provide a [dedicated documentation page][docs::kubernetes] for using a proxy in Kubernetes.
## What can go wrong?
Without a reverse proxy involved, a service is typically aware of the client IP for a connection.
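Review bot: the new sentence pointing readers to the dedicated Kubernetes page sits directly under a context line that still writes the product name as "(kubernetes)" in lowercase; since this paragraph is being edited anyway, capitalize it there too so the two adjacent sentences agree. It would also help to say what the dedicated page covers (the PROXY protocol setup for a Kubernetes ingress) rather than just "using a proxy", so a reader knows whether to jump there before reading "What can go wrong?".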
@ -354,9 +356,8 @@ Software on the receiving end of the connection often supports configuring an IP
[`postscreen_access_list`][postfix-docs::settings::postscreen_access_list] (_or [`smtpd_client_restrictions`][postfix-docs::settings::smtpd_client_restrictions] with [`check_client_access`][postfix-docs::settings::check_client_access] for ports 587/465_) can both restrict access by IP via a [CIDR lookup table][postfix-docs::config-table::cidr], however the client IP is already rewritten at this point via PROXY protocol.
Thus those settings cannot be used for restricting access to only trusted proxies, only to the actual clients.
A similar setting [`mynetworks`][postfix-docs::settings::mynetworks] / [`PERMIT_DOCKER`][docs::env::permit_docker] manages elevated trust for bypassing security restrictions. While it is intended for trusted clients, it has no relevance to trusting proxies for the same reasons.
A similar setting [`mynetworks`][postfix-docs::settings::mynetworks] / [`PERMIT_DOCKER`][docs::env::permit_docker] manages elevated trust for bypassing security restrictions. While it is intended for trusted clients, it has no relevance to trusting proxies for the same reasons.
### Monitoring
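Review bot: dropping one of the two identical "A similar setting `mynetworks` / `PERMIT_DOCKER`" paragraphs is the right fix for the duplicate, but the surviving text still only lists what cannot be used to restrict access to trusted proxies (`postscreen_access_list`, `smtpd_client_restrictions` with `check_client_access`, `mynetworks`) without naming what should be. Since all of these evaluate the client IP already rewritten from the PROXY header, the section needs one sentence stating the positive control: limit which hosts may open a PROXY-protocol connection to the mail ports at the network layer (firewall or container/cluster network rules), because an unrestricted PROXY port lets any host forge the client IP, the forgery risk the Monitoring section below only alludes to in passing.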
@ -373,6 +374,8 @@ While PROXY protocol works well with the reverse proxy, you may have some contai
You should adjust configuration of these monitoring services to monitor for auth failures from those services directly instead, adding an exclusion for that service IP from any DMS logs monitored (_but be mindful of PROXY header forgery risks_).
[docs::kubernetes]: ../../../config/advanced/kubernetes/#__tabbed_2_4
[docs::overrides::dovecot]: ../../config/advanced/override-defaults/dovecot.md
[docs::overrides::postfix]: ../../config/advanced/override-defaults/postfix.md
[docs::overrides::user-patches]: ../../config/advanced/override-defaults/user-patches.md
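Review bot: the new `[docs::kubernetes]` reference uses a different path convention from its neighbours: `../../../config/advanced/kubernetes/#__tabbed_2_4` has one more `../` segment than the adjacent `docs::overrides::*` entries (`../../config/advanced/...`), drops the `.md` suffix they use, and targets an auto-generated tab id. Check that the extra parent segment actually resolves from this page, switch to `kubernetes.md` for consistency, and replace `#__tabbed_2_4` with a stable heading anchor: mkdocs-material numbers `__tabbed_N_M` ids by position, so they are renumbered whenever tabs are added or reordered, which is exactly what this commit's restructuring of the Kubernetes page around `===` tabs does, and the link will then silently open the wrong tab.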