# smtp-relay

Postfix SMTP relay with Cyrus SASL authentication and TLS.

Used by Mailu (personal + Solidaria NGO) on valhalla to route outbound mail through hermes, which has a trusted residential IP accepted by Gmail and Hotmail.

- Image: `harbor.manabo.org/library/smtp-relay`
- Deployed on: hermes (`clusters/hermes/smtp-relay/` in asgard)

---

## Build

```bash
./build.sh 1.0.0
```

Packages the Dockerfile context, uploads it to MinIO, runs Kaniko in-cluster on valhalla, and pushes the resulting image to Harbor.

---

## Configuration

### Required Vault secrets (`app/smtp-relay/smtp-relay-sasl`)

| Key | Description |
|-----|-------------|
| `relay_user` | SASL username (e.g. `relayuser`) |
| `relay_pass` | SASL password (plaintext — stored in Vault) |
| `relay_domain` | SASL domain (e.g. `manabo.org`) |

### TLS (`certs/smtp-relay-tls`)

Wildcard cert for `relay.manabo.org` — pushed to Vault via PushSecret on valhalla.

### Env vars (from ExternalSecret)

| Var | Source |
|-----|--------|
| `RELAY_AUTH_USER` | `relay_user` |
| `RELAY_AUTH_PASS` | `relay_pass` |
| `RELAY_AUTH_DOMAIN` | `relay_domain` |

---

## How it works

- Listens on ports **25** (SMTP, TLS optional) and **587** (submission, TLS required)
- Uses `hostNetwork: true` — ports exposed directly on the hermes host IP
- Entrypoint creates a `sasldb2` user from the env vars on every start
- Only clients authenticated via SASL can relay mail
- TLS cert mounted from Vault ExternalSecret

---

## Gotchas

- **sasldb2 recreated on every restart**: credentials are read from env vars and `saslpasswd2` re-creates the sasldb. This is intentional (stateless SASL).
- **No DKIM**: DKIM signing is not implemented in this image. The relay delivers mail as-is; DKIM signatures must be added by the sending MTA (Mailu).
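The "How it works" and "Gotchas" sections describe the entrypoint's behaviour (stateless `sasldb2` creation from the env vars, SASL-only relaying, TLS optional on 25 and required on 587) without showing it. The script below is an added example of how such an entrypoint can be written; it is not the repository's own entrypoint. It uses the `RELAY_AUTH_*` variable names from the README and standard Postfix/Cyrus SASL parameters, but the file paths (`SASLDB`, `SASL_SMTPD_CONF`, `TLS_CERT`, `TLS_KEY`) and the `start` argument are assumptions. One setting worth noting for a relay that allows plaintext on port 25: `smtpd_tls_auth_only = yes` makes Postfix advertise `AUTH` only after `STARTTLS`, so the relay credentials never cross the wire unencrypted even on the opportunistic-TLS port.

```shell
#!/bin/sh
# Hypothetical entrypoint for an smtp-relay-style image (added example, not the
# repository's own). Assumes Postfix + cyrus-sasl in the image, the RELAY_AUTH_*
# variable names from the README, and the paths set below.
set -eu

SASLDB="${SASLDB:-/etc/sasl2/sasldb2}"                        # assumed path
SASL_SMTPD_CONF="${SASL_SMTPD_CONF:-/etc/sasl2/smtpd.conf}"   # assumed path
MASTER_CF="${MASTER_CF:-/etc/postfix/master.cf}"
TLS_CERT="${TLS_CERT:-/etc/postfix/tls/tls.crt}"              # assumed ExternalSecret mount
TLS_KEY="${TLS_KEY:-/etc/postfix/tls/tls.key}"                # assumed ExternalSecret mount

# Fail closed: refuse to start unless every credential is present and non-empty,
# so a misconfigured deployment never comes up as a relay with no usable login.
check_relay_env() {
  for v in RELAY_AUTH_USER RELAY_AUTH_PASS RELAY_AUTH_DOMAIN; do
    eval "val=\${$v:-}"
    if [ -z "$val" ]; then
      echo "entrypoint: $v is not set" >&2
      return 1
    fi
  done
}

# main.cf settings for a closed, authenticated relay. Rendered as text so the
# result can be inspected; the start branch below applies them with postconf.
# - smtpd_tls_security_level = may   : port 25 offers STARTTLS but does not require it
# - smtpd_tls_auth_only = yes        : AUTH is only advertised once TLS is up
# - smtpd_relay_restrictions         : relay only for SASL-authenticated clients
render_main_cf() {
  cat <<EOF
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = cyrus
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = $TLS_CERT
smtpd_tls_key_file = $TLS_KEY
smtpd_relay_restrictions = permit_sasl_authenticated, reject_unauth_destination
EOF
}

# master.cf entry for port 587: TLS is mandatory (encrypt), not just offered.
render_master_cf_submission() {
  cat <<'EOF'
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
EOF
}

# Cyrus SASL config for the smtpd service: look users up in the sasldb file.
write_sasl_conf() {
  cat > "$SASL_SMTPD_CONF" <<EOF
pwcheck_method: auxprop
auxprop_plugin: sasldb
sasldb_path: $SASLDB
mech_list: PLAIN LOGIN
EOF
}

# Stateless SASL: drop any previous db and recreate the single relay user.
# -p reads the password from stdin so it never appears in process arguments.
create_sasl_user() {
  rm -f "$SASLDB"
  printf '%s' "$RELAY_AUTH_PASS" |
    saslpasswd2 -c -p -f "$SASLDB" -u "$RELAY_AUTH_DOMAIN" "$RELAY_AUTH_USER"
  chown root:postfix "$SASLDB"   # smtpd runs as postfix and only needs read access
  chmod 0640 "$SASLDB"
}

# Run the full sequence only when invoked as the container entrypoint with the
# "start" argument; sourcing the file elsewhere just defines the functions.
case "${1:-}" in
  start)
    check_relay_env
    write_sasl_conf
    render_main_cf | while IFS= read -r setting; do postconf -e "$setting"; done
    grep -q '^submission ' "$MASTER_CF" || render_master_cf_submission >> "$MASTER_CF"
    create_sasl_user
    exec postfix start-fg
    ;;
esac
```

In the image the script would be wired up as `ENTRYPOINT ["/entrypoint.sh", "start"]`. Because the sasldb is deleted and rebuilt on every start, rotating `relay_pass` in Vault and restarting the pod is the whole credential-rotation procedure; no stale user survives the restart.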