Use POD_ADDRESS_RANGE for Dovecot if it exists #448

Merged
merged 1 commit into from May 28, 2018


romracer
Contributor

@romracer romracer commented Apr 14, 2018

This is required to override allow_nets in the Dovecot passdb query. In a Kubernetes environment where pods are not recreated with the same IP address, restricting to FRONT_ADDRESS and WEBMAIL_ADDRESS only works as long as the front and webmail pod don't die. Once they die, the query no longer is valid as their IP addresses have changed.

This solves the problem by allowing a POD_ADDRESS_RANGE environment variable in Dovecot which can be defined as a subnet (10.0.0.0/12 for example) that encompasses any possible IP address a pod may receive. If POD_ADDRESS_RANGE is not defined, previous behavior to use FRONT_ADDRESS and WEBMAIL_ADDRESS continues.

If it's helpful for testing, an image is pushed to Docker Hub romracer/mailu-dovecot:master with this change. I am currently using that version of this container in a Kubernetes setup.

This is required to override allow_nets in a Kubernetes environment where pods are not recreated with the same IP address.
@romracer
Contributor Author

Is there anything I could do to improve this commit?

I've been running Mailu in Kubernetes with this change. All of the other containers in the Mailu stack that might restrict to specific IPs can be overridden via settings or use service IPs in Kubernetes. Dovecot is the only one I couldn't do that with.

And technically, I could, but it's ugly and prone to future errors. Example: provide a dovecot.conf and dovecot-sql.conf.ext in /overrides and use the override dovecot.conf to point to the override dovecot-sql.conf.ext for queries. But once upstream dovecot-sql.conf.ext changes (i.e. the iterate query), this breaks as we have to update our override to match.

@kaiyou
Member

kaiyou commented May 28, 2018

Sorry mostly for the delays, which are unacceptable but due to a pretty tight professional life :)

I think your way of implementing this is probably the best there is at this point. My only fear is obviously that other containers can of course bypass authentication. If this is opt-in only, I guess it is a good enough workaround for power users who understand the consequences.

@kaiyou
Member

kaiyou commented May 28, 2018

Thanks anyway, I will merge it at this point :)

@kaiyou kaiyou merged commit a47ba34 into Mailu:master May 28, 2018
@frgomes
Contributor

frgomes commented Jun 1, 2020

I think that core/admin/mailu/configuration.py should define the default:

    'SUBNET': '0.0.0.0/0',
    'POD_ADDRESS_RANGE': None

so that it does not matter if you are using Swarm or Kubernetes, the default is "it should work without any additional configuration".
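
The trade-off discussed in this thread, as an added example that is not part of the pull request or of Mailu's code: it derives the `allow_nets` value the way the description states (the range if `POD_ADDRESS_RANGE` is set, otherwise the two addresses), counts how many source addresses end up trusted, and checks that the range actually covers the front and webmail addresses. The function names are hypothetical, the sample addresses are constructed, and `FRONT_ADDRESS` and `WEBMAIL_ADDRESS` are assumed to be already resolved to IP addresses.

```python
import ipaddress

PEERS = ("FRONT_ADDRESS", "WEBMAIL_ADDRESS")


def allow_nets(env):
    """Value for allow_nets: POD_ADDRESS_RANGE if set, else the two peer addresses."""
    pod_range = env.get("POD_ADDRESS_RANGE")
    if pod_range:
        # strict=True rejects a value with host bits set, such as 10.0.0.5/12
        return str(ipaddress.ip_network(pod_range, strict=True))
    return ",".join(str(ipaddress.ip_address(env[name])) for name in PEERS)


def trusted_address_count(value):
    """Number of distinct source addresses covered by a comma-separated allow_nets value."""
    by_version = {}
    for item in value.split(","):
        net = ipaddress.ip_network(item.strip(), strict=False)
        by_version.setdefault(net.version, []).append(net)
    # collapse_addresses merges overlapping entries so nothing is counted twice
    return sum(net.num_addresses
               for nets in by_version.values()
               for net in ipaddress.collapse_addresses(nets))


def uncovered_peers(env):
    """Peer variables whose address falls outside POD_ADDRESS_RANGE."""
    net = ipaddress.ip_network(env["POD_ADDRESS_RANGE"], strict=True)
    return [name for name in PEERS
            if name in env and ipaddress.ip_address(env[name]) not in net]


if __name__ == "__main__":
    # Constructed sample environments
    pinned = {"FRONT_ADDRESS": "10.2.3.4", "WEBMAIL_ADDRESS": "10.2.3.5"}
    ranged = dict(pinned, POD_ADDRESS_RANGE="10.0.0.0/12")
    for env in (pinned, ranged):
        value = allow_nets(env)
        print(value, "->", trusted_address_count(value), "trusted source addresses")
    print("outside the range:", uncovered_peers(ranged))
```

Every pod that can receive an address inside the range counts as a trusted source, so the count is a direct measure of how far the opt-in widens the check compared with the two pinned addresses.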
