charts/mail-gateway/templates/config.yaml

apiVersion: v1
kind: ConfigMap
metadata:
  name: maddy
  namespace: {{ .Release.Namespace }}
data:
  smtp-servers.conf: |
    maddy.{{ .Values.domains.primary.namespace}}.svc.cluster.local:587
    {{ range .Values.domains.others}}
    maddy.{{ .namespace }}.svc.cluster.local:587
    {{ end }}
  maddy.conf: |
    $(hostname) = {{ .Values.domains.primary.mx }}
    $(primary_domain) = {{ .Values.domains.primary.name }}
    $(local_domains) = {{ .Values.domains.primary.name }}{{ range .Values.domains.others }} {{ .name }}{{ end }}

    tls file /etc/maddy/certs/tls.crt /etc/maddy/certs/tls.key

    auth.external authsmtp {
        helper /usr/bin/auth-smtp
        perdomain yes
        domains $(local_domains)
    }

    hostname $(hostname)

    msgpipeline local_routing {
        destination {{ .Values.domains.primary.name }} {
            deliver_to &{{ .Values.domains.primary.name }}
        }
        {{ range .Values.domains.others }}
        destination {{ .name }} {
            deliver_to &{{ .name }}
        }
        {{ end }}
        default_destination {
            reject 550 5.1.1 "User doesn't exist"
        }
    }

    smtp tcp://0.0.0.0:25 {
        insecure_auth no

        defer_sender_reject yes

        limits {
            # Up to 20 msgs/sec across max. 10 SMTP connections.
            all rate 20 1s
            all concurrency 10
        }

        dmarc yes
        check {
            require_mx_record
            dkim
            spf
        }

        source $(local_domains) {
            reject 501 5.1.8 "Use Submission for outgoing SMTP"
        }
        default_source {
            destination $(local_domains) {
                deliver_to &local_routing
            }
            default_destination {
                reject 550 5.1.1 "User doesn't exist"
            }
        }
    }

    submission tls://0.0.0.0:465 tcp://0.0.0.0:587 {
        auth &authsmtp
        insecure_auth yes

        defer_sender_reject yes

        source $(local_domains) {
            destination $(local_domains) {
                deliver_to &local_routing
            }
            default_destination {
                modify {
                    dkim $(primary_domain) $(local_domains) default
                }
                deliver_to &remote_queue
            }
        }
        default_source {
            reject 501 5.1.8 "Non-local sender domain"
        }
    }

    target.smtp {{ .Values.domains.primary.name }} {
        hostname $(hostname)
        attempt_starttls false
        require_tls no
        auth off
        targets tcp://maddy.{{ .Values.domains.primary.namespace }}.svc.cluster.local:25
    }

    {{ range .Values.domains.others }}
    target.smtp {{ .name }} {
        hostname mail.{{ .name }}
        attempt_starttls false
        require_tls no
        auth off
        targets tcp://maddy.{{ .namespace }}.svc.cluster.local:25
    }
    {{ end }}

    target.queue remote_queue {
        target &outbound_delivery

        autogenerated_msg_domain $(primary_domain)
        bounce {
            destination postmaster $(local_domains) {
                deliver_to &local_routing
            }
            default_destination {
                reject 550 5.0.0 "Refusing to send DSNs to non-local addresses"
            }
        }
    }

    target.remote outbound_delivery {
        limits {
            # Up to 20 msgs/sec across max. 10 SMTP connections
            # for each recipient domain.
            destination rate 20 1s
            destination concurrency 10
        }
        mx_auth {
            dane
            mtasts {
                cache fs
                fs_dir mtasts_cache/
            }
            local_policy {
                min_tls_level encrypted
                min_mx_level none
            }
        }
    }