fix proxy protocol issue and refactored proxyprotocol configuration

charts/mailu/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 # renovate: datasource=github-releases depName=Mailu/mailu
 appVersion: 2024.06.45
-version: 2.6.1
+version: 2.6.2
 name: mailu
 description: This chart installs the Mailu mail system on Kubernetes
 home: https://mailu.io

charts/mailu/README.md

@@ -297,16 +297,7 @@ helm uninstall mailu --namespace=mailu-mailserver
 | `ingress.secrets`                   | Custom TLS certificates as secrets                                                                                               | `[]`                     |
 | `ingress.extraRules`                | Additional rules to be covered with this ingress record                                                                          | `[]`                     |
 | `ingress.realIpHeader`              | Sets the value of `REAL_IP_HEADER` environment variable in the `front` pod                                                       | `X-Forwarded-For`        |
-| `ingress.realIpFrom`                | Sets the value of `REAL_IP_FROM` environment variable in the `front` pod                                                         | `""`                     |
 | `ingress.tlsFlavorOverride`         | Overrides the value of `TLS_FLAVOR` environment variable in the `front` pod                                                      | `""`                     |
-| `ingress.proxyProtocol.pop3`        | Enable PROXY protocol for POP3 (110/tcp)                                                                                         | `false`                  |
-| `ingress.proxyProtocol.pop3s`       | Enable PROXY protocol for POP3S (995/tcp)                                                                                        | `false`                  |
-| `ingress.proxyProtocol.imap`        | Enable PROXY protocol for IMAP (143/tcp)                                                                                         | `false`                  |
-| `ingress.proxyProtocol.imaps`       | Enable PROXY protocol for IMAPS (993/tcp)                                                                                        | `false`                  |
-| `ingress.proxyProtocol.smtp`        | Enable PROXY protocol for SMTP (25/tcp)                                                                                          | `false`                  |
-| `ingress.proxyProtocol.smtps`       | Enable PROXY protocol for SMTPS (465/tcp)                                                                                        | `false`                  |
-| `ingress.proxyProtocol.submission`  | Enable PROXY protocol for Submission (587/tcp)                                                                                   | `false`                  |
-| `ingress.proxyProtocol.manageSieve` | Enable PROXY protocol for ManageSieve (4190/tcp)                                                                                 | `false`                  |
 
 ### Proxy auth configuration
 
@@ -348,6 +339,16 @@ helm uninstall mailu --namespace=mailu-mailserver
 | `front.externalService.nodePorts.smtps`       | NodePort to use for SMTP (TLS) (defaults to 465/tcp)                                  | `465`           |
 | `front.externalService.nodePorts.submission`  | NodePort to use for Submission (defaults to 587/tcp)                                  | `587`           |
 | `front.externalService.nodePorts.manageSieve` | NodePort to use for ManageSieve (defaults to 4190/tcp)                                | `4190`          |
+| `proxyProtocol.enabled`                       | Enable PROXY protocol support in the `front` pod                                      | `false`         |
+| `proxyProtocol.realIpFrom`                    | Sets the value of `REAL_IP_FROM` environment variable in the `front` pod              | `""`            |
+| `proxyProtocol.ports.pop3`                    | Enable PROXY protocol for POP3 (110/tcp)                                              | `false`         |
+| `proxyProtocol.ports.pop3s`                   | Enable PROXY protocol for POP3S (995/tcp)                                             | `false`         |
+| `proxyProtocol.ports.imap`                    | Enable PROXY protocol for IMAP (143/tcp)                                              | `false`         |
+| `proxyProtocol.ports.imaps`                   | Enable PROXY protocol for IMAPS (993/tcp)                                             | `false`         |
+| `proxyProtocol.ports.smtp`                    | Enable PROXY protocol for SMTP (25/tcp)                                               | `false`         |
+| `proxyProtocol.ports.smtps`                   | Enable PROXY protocol for SMTPS (465/tcp)                                             | `false`         |
+| `proxyProtocol.ports.submission`              | Enable PROXY protocol for Submission (587/tcp)                                        | `false`         |
+| `proxyProtocol.ports.manageSieve`             | Enable PROXY protocol for ManageSieve (4190/tcp)                                      | `false`         |
 | `front.kind`                                  | Kind of resource to create for the front (`Deployment` or `DaemonSet`)                | `Deployment`    |
 | `front.replicaCount`                          | Number of front replicas to deploy (only for `Deployment` kind)                       | `1`             |
 | `front.resources.limits`                      | The resources limits for the container                                                | `{}`            |

charts/mailu/templates/_services.tpl

@@ -175,6 +175,7 @@ Service fqdn (within cluster) can be retrieved with `mailu.SERVICE.serviceFqdn`
 {{- if .Values.ingress.enabled -}}
     {{- $enabledPorts = append $enabledPorts "80" -}}
     {{- $enabledPorts = append $enabledPorts "443" -}}
+    {{- $enabledPorts = append $enabledPorts "4190" -}}
 {{- end -}}
 
 {{- if .Values.front.hostPort.enabled -}}
@@ -216,42 +217,37 @@ Service fqdn (within cluster) can be retrieved with `mailu.SERVICE.serviceFqdn`
 {{- define "mailu.proxyProtocolPorts" -}}
 {{- $proxyProtocolPorts := list -}}
 
-{{- if .Values.front.externalService.enabled -}}
-    {{- if and .Values.front.externalService.ports.pop3 .Values.ingress.proxyProtocol.pop3 -}}
+{{- if .Values.front.proxyProtocol.enabled -}}
+    {{- if .Values.front.proxyProtocol.ports.pop3 -}}
         {{- $proxyProtocolPorts = append $proxyProtocolPorts "110" -}}
     {{- end -}}
-    {{- if and .Values.front.externalService.ports.pop3s .Values.ingress.proxyProtocol.pop3s -}}
+    {{- if .Values.front.proxyProtocol.ports.pop3s -}}
         {{- $proxyProtocolPorts = append $proxyProtocolPorts "995" -}}
     {{- end -}}
-    {{- if and .Values.front.externalService.ports.imap .Values.ingress.proxyProtocol.imap -}}
+    {{- if .Values.front.proxyProtocol.ports.imap -}}
         {{- $proxyProtocolPorts = append $proxyProtocolPorts "143" -}}
     {{- end -}}
-    {{- if and .Values.front.externalService.ports.imaps .Values.ingress.proxyProtocol.imaps -}}
+    {{- if .Values.front.proxyProtocol.ports.imaps -}}
         {{- $proxyProtocolPorts = append $proxyProtocolPorts "993" -}}
     {{- end -}}
-    {{- if and .Values.front.externalService.ports.smtp .Values.ingress.proxyProtocol.smtp -}}
+    {{- if .Values.front.proxyProtocol.ports.smtp -}}
         {{- $proxyProtocolPorts = append $proxyProtocolPorts "25" -}}
     {{- end -}}
-    {{- if and .Values.front.externalService.ports.smtps .Values.ingress.proxyProtocol.smtps -}}
+    {{- if .Values.front.proxyProtocol.ports.smtps -}}
         {{- $proxyProtocolPorts = append $proxyProtocolPorts "465" -}}
     {{- end -}}
-    {{- if and .Values.front.externalService.ports.submission .Values.ingress.proxyProtocol.submission -}}
+    {{- if .Values.front.proxyProtocol.ports.submission -}}
         {{- $proxyProtocolPorts = append $proxyProtocolPorts "587" -}}
     {{- end -}}
-    {{- if and .Values.front.externalService.ports.manageSieve .Values.ingress.proxyProtocol.manageSieve -}}
+    {{- if .Values.front.proxyProtocol.ports.manageSieve -}}
         {{- $proxyProtocolPorts = append $proxyProtocolPorts "4190" -}}
     {{- end -}}
 {{- end -}}
 
 {{- $proxyProtocolPortsString := join "," $proxyProtocolPorts -}}
-{{/* if any ports are enabled and .ingress.realIpFrom is empty, fail */}}
-{{- if and (gt (len $proxyProtocolPorts) 0) (not .Values.ingress.realIpFrom) -}}
-    {{- fail "PROXY protocol is enabled for some ports, but ingress.realIpFrom is not set" -}}
-{{- end -}}
-
-{{/* if any ports are enabled and .ingress.realIpHeader is set, fail */}}
-{{- if and (gt (len $proxyProtocolPorts) 0) .Values.ingress.realIpHeader -}}
-    {{- fail "PROXY protocol is enabled for some ports, but ingress.realIpHeader is set" -}}
+{{/* if any ports are enabled and front.proxyProtocol.realIpFrom is empty, fail */}}
+{{- if and (gt (len $proxyProtocolPorts) 0) (not .Values.front.proxyProtocol.realIpFrom) -}}
+    {{- fail "PROXY protocol is enabled for some ports, but front.proxyProtocol.realIpFrom is not set" -}}
 {{- end -}}
 
 {{- printf "%s" $proxyProtocolPortsString -}}

charts/mailu/templates/envvars-configmap.yaml

@@ -128,7 +128,7 @@ data:
   PROXY_AUTH_WHITELIST: {{ . | quote }}
   {{- end }}
   RATELIMIT_STORAGE_URL: {{ printf "redis://%s:%s/%s" (include "mailu.redis.serviceFqdn" .) (include "mailu.redis.port" .) (include "mailu.redis.db.rateLimit" .) }}
-  {{- with .Values.ingress.realIpFrom }}
+  {{- with .Values.front.proxyProtocol.realIpFrom }}
   REAL_IP_FROM: {{ . | quote }}
   {{- end }}
   {{- with .Values.ingress.realIpHeader }}
@@ -201,7 +201,7 @@ data:
   REDIS_ADDRESS: {{ include "mailu.redis.serviceFqdn" . }}
   SMTP_ADDRESS: {{ include "mailu.postfix.serviceFqdn" . }}
 
-{{- if .Values.front.externalService.enabled }}
+{{- if .Values.front.proxyProtocol.enabled }}
   PROXY_PROTOCOL: {{ include "mailu.proxyProtocolPorts" . | quote }}
 {{- end }}
 

charts/mailu/values.yaml

@@ -655,31 +655,13 @@ ingress:
   ## @param ingress.realIpHeader Sets the value of `REAL_IP_HEADER` environment variable in the `front` pod
   realIpHeader: X-Forwarded-For
 
-  ## @param ingress.realIpFrom Sets the value of `REAL_IP_FROM` environment variable in the `front` pod
-  realIpFrom: ""
+
 
   ## @param ingress.tlsFlavorOverride Overrides the value of `TLS_FLAVOR` environment variable in the `front` pod
   ## This is normally auto-detected, only change it if you know what you are doing.
   tlsFlavorOverride: ""
 
-  ## @param ingress.proxyProtocol.pop3 Enable PROXY protocol for POP3 (110/tcp)
-  ## @param ingress.proxyProtocol.pop3s Enable PROXY protocol for POP3S (995/tcp)
-  ## @param ingress.proxyProtocol.imap Enable PROXY protocol for IMAP (143/tcp)
-  ## @param ingress.proxyProtocol.imaps Enable PROXY protocol for IMAPS (993/tcp)
-  ## @param ingress.proxyProtocol.smtp Enable PROXY protocol for SMTP (25/tcp)
-  ## @param ingress.proxyProtocol.smtps Enable PROXY protocol for SMTPS (465/tcp)
-  ## @param ingress.proxyProtocol.submission Enable PROXY protocol for Submission (587/tcp)
-  ## @param ingress.proxyProtocol.manageSieve Enable PROXY protocol for ManageSieve (4190/tcp)
-  ## Enabling any of these requires to have ingress.realIpFrom set
-  proxyProtocol:
-    pop3: false
-    pop3s: false
-    imap: false
-    imaps: false
-    smtp: false
-    smtps: false
-    submission: false
-    manageSieve: false
+
 
 ## @section Proxy auth configuration
 ## ref: https://mailu.io/master/configuration.html#header-authentication-using-an-external-proxy
@@ -768,6 +750,41 @@ front:
       submission: 587
       manageSieve: 4190
 
+  ## @section ProxyProtocol configuration
+  ## If the front service is sitting behind a load balancer that supports
+  ## PROXY protocol (e.g. HAPROXY, AWS ELB/ALB), you can enable it here.
+  ## This will make Mailu aware of the original client IP address.
+  ## ref: https://mailu.io/master/configuration.html#proxy-protocol
+  proxyProtocol:
+    ## @param front.proxyProtocol.enabled Enable PROXY protocol support in the `front` pod
+    enabled: false
+
+    ## @param front.proxyProtocol.realIpFrom Sets the value of `REAL_IP_FROM` environment variable in the `front` pod
+    ## This should be set to the CIDR(s) of the load balancer(s) in front of Mailu
+    ## or pod that forwards traffic to Mailu supporting PROXY protocol.
+    ## For example, if using an Ingress controller, this should be set to the
+    ## pod CIDR of the cluster.
+    realIpFrom: "10.42.0.0/16"
+
+    ## @param front.proxyProtocol.ports.pop3 Enable PROXY protocol for POP3 (110/tcp)
+    ## @param front.proxyProtocol.ports.pop3s Enable PROXY protocol for POP3S (995/tcp)
+    ## @param front.proxyProtocol.ports.imap Enable PROXY protocol for IMAP (143/tcp)
+    ## @param front.proxyProtocol.ports.imaps Enable PROXY protocol for IMAPS (993/tcp)
+    ## @param front.proxyProtocol.ports.smtp Enable PROXY protocol for SMTP (25/tcp)
+    ## @param front.proxyProtocol.ports.smtps Enable PROXY protocol for SMTPS (465/tcp)
+    ## @param front.proxyProtocol.ports.submission Enable PROXY protocol for Submission (587/tcp)
+    ## @param front.proxyProtocol.ports.manageSieve Enable PROXY protocol for ManageSieve (4190/tcp)
+    ## Enabling any of these requires to have ingress.realIpFrom set
+    ports:
+      pop3: false
+      pop3s: false
+      imap: false
+      imaps: false
+      smtp: false
+      smtps: false
+      submission: false
+      manageSieve: false
+
   ## @param front.kind Kind of resource to create for the front (`Deployment` or `DaemonSet`)
   kind: Deployment