fix proxy protocol issue and refactored proxyprotocol configuration

[lodatol]

this pull request fix #518

Problem

• Two template conditions made it impossible to enable PROXY protocol correctly:
• Fail if PROXY ports are enabled but .Values.ingress.realIpFrom is empty.
• Fail if PROXY ports are enabled but .Values.ingress.realIpHeader is set.
• The proxy protocol must be detected/handled by the frontend pod, but the original checks live under the ingress area and were conditionally comparing against a service defined elsewhere (frontend).
• Because the front pod (dovecot proxy,nginx port 25 proxy) is shared between optionally-deployed frontend load balancer and ingress, having proxy configuration split between ingress and frontend caused incompatible/contradictory validation and incorrect runtime behavior (remote IP not recognized; open relay custom config; spam/botnet IP matching failing).

What I changed

• Moved PROXY protocol configuration and validation from the ingress templates/values into the frontend section.
• Adjusted templates so PROXY ports, real IP header, and real IP CIDRs are defined and validated in the frontend scope only.
• Removed contradictory checks that referenced .Values.ingress.* when the actual behavior depends on the frontend runtime.
• Kept behavior such that enabling PROXY ports requires appropriate frontend real-IP configuration, but no longer blocks valid deployments when ingress is absent or configured separately.

Why this fixes it

• The front pod is the component that must parse the PROXY protocol env variable and restore the real client IP; placing the config and validation there ensures the chart enforces the correct relationship between PROXY ports and real-IP settings.
• This avoids mis-matched configuration when ingress and service types (LoadBalancer, NodePort) and ingress are used independently or omitted.
• Allows modern ingress/controllers that support TCP/UDP (for example NGINX with TCP load balancing + cert-manager) to be used without forcing ingress-level proxy settings.

Migration / Upgrade notes

• If you previously tried to enable PROXY protocol via ingress.realIpFrom / ingress.realIpHeader, move those settings into the frontend section (see values file for exact keys).
• On upgrade, validate that frontend realIpFrom (CIDRs) values are present when frontend.proxyProtocol.ports is non-empty.

Testing performed

• Rendered templates with combinations of:
• frontend proxy ports enabled/disabled
• frontend.realIpFrom present/absent
• ingress present/absent
• Confirmed chart no longer fails templating with valid frontend-level proxy configuration and that pods will be recreated with the correct runtime flags.
• Tested basic mail flow and IP-based spam rules in an environment using NGINX ingress controller with TCP load balancing to confirm real client IP is preserved.

Request for reviewers

• Please review template changes in the frontend and ingress files for:
• correctness of moved value names and paths
• any references to .Values.ingress.proxyPort that should instead reference .Values.front.proxyProtocol.ports*
• Verify examples/README and values.yaml are updated to show the new front.proxyProtocol keys.
• Run a local render/helm lint and, if possible, deploy to a staging cluster that uses an ingress controller with TCP support.

[lodatol]

If helpful, I can provide an architecture diagram plus a ready-to-use values.yaml example showing how to configure PROXY protocol, ingress (TCP/UDP), and the frontend reverse-proxy in a private Kubernetes environment using a modern ingress controller.
What I will include:
• A clear component diagram showing traffic flow from LoadBalancer → ingress controller (TCP/UDP) → frontend pod and where PROXY headers are handled
• Concrete values.yaml snippets for frontend.proxyProtocol, frontend.realIpFrom, frontend.realIpHeader, and common ingress/tcp mappings
• Notes on required ingress-controller configuration (NGINX example)

Say the word and I’ll add the diagram and few explanation.

[lodatol]

I have also update readme , default values and missing sieve web port exposure

[lodatol]

fix #264 also

[timothyclarke]

Suggested change

	## Enabling any of these requires to have ingress.realIpFrom set
	## Enabling any of these requires to have front.proxyProtocol.realIpFrom set

Note I'm not a mod, just wanting to use this code too

[lodatol]

Good catch! Great I forgot this doc

[timothyclarke]

You need to get 587 into this list for submission to work
otherwise https://github.com/Mailu/Mailu/blob/master/core/nginx/dovecot/proxy.conf#L162 fails

mailu.enabledPorts Feeds into envvars-configmap.yaml Line 117 PORTS that is used in https://github.com/Mailu/Mailu/blob/master/core/base/libs/socrate/socrate/system.py#L144-L147 which would set PORT_587 which the above proxy.conf line uses

[lodatol]

The problem was not with submission, but with managesieve.
With the previous version it would never be deployed when using the ingress controller.
The same issue was written also in other defect.