fix(stalwart-mail): secret generate

stalwart-mail/Chart.yaml

@@ -3,9 +3,9 @@ name: stalwart-mail
 description: Helm Chart for Stalwart Mail Server - Secure & Modern All-in-One Mail Server (IMAP, JMAP, SMTP)
 icon: https://stalw.art/home/apple-touch-icon.png
 type: application
-version: 0.0.2
+version: 0.0.3
 # renovate: image=docker.io/stalwartlabs/mail-server
-appVersion: "0.5.3"
+appVersion: "0.7.2"
 maintainers:
   - name: WrenIX
     url: https://wrenix.eu

stalwart-mail/templates/configmap.yaml

@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "stalwart-mail.fullname" . }}
+  labels:
+    {{- include "stalwart-mail.labels" . | nindent 4 }}
+data:
+  "config.toml": |
+    {{- toToml .Values.config | replace ".0\n" "\n" | nindent 4 }}

stalwart-mail/templates/deployment.yaml

@@ -14,7 +14,8 @@ spec:
   template:
     metadata:
       annotations:
-        confighash: {{ toYaml .Values.config | sha256sum | trunc 32 }}
+        config-hash: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+        secret-env-hash: {{ include (print $.Template.BasePath "/secrets-env.yaml") . | sha256sum }}
         {{- with .Values.podAnnotations }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
@@ -39,6 +40,13 @@ spec:
           image: "{{ coalesce $.Values.global.image.registry .registry }}/{{ .repository }}:{{ .tag | default (printf "v%s" $.Chart.AppVersion) }}"
           imagePullPolicy: {{ coalesce $.Values.global.image.pullPolicy .pullPolicy }}
           {{- end }}
+          {{- with .Values.env }}
+          env:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          envFrom:
+            - secretRef:
+                name: {{ include "stalwart-mail.fullname" . }}-env
           ports:
             {{- range $name, $port := .Values.service.ports }}
             - name: {{ $name }}
@@ -62,9 +70,15 @@ spec:
             - name: config
               mountPath: "/opt/stalwart-mail/etc/config.toml"
               subPath: "config.toml"
-            - name: config
-              mountPath: "/opt/stalwart-mail/etc/dkim/private.key"
-              subPath: "dkim.key"
+              readOnly: true
+            - name: secrets
+              mountPath: "/opt/stalwart-smtp/etc/private/dkim-rsa.key"
+              subPath: "dkim-rsa.key"
+              readOnly: true
+            - name: secrets
+              mountPath: "/opt/stalwart-smtp/etc/private/dkim-ed.key"
+              subPath: "dkim-ed.key"
+              readOnly: true
             {{- if or .Values.certificate.secretName .Values.certificate.certmanager.enabled }}
             - name: certificate
               mountPath: "/opt/stalwart-mail/etc/certs"
@@ -74,6 +88,9 @@ spec:
             {{- end }}
       volumes:
         - name: "config"
+          configMap:
+            name: {{ include "stalwart-mail.fullname" . }}
+        - name: "secrets"
           secret:
             secretName: {{ include "stalwart-mail.fullname" . }}
         {{- if or .Values.certificate.secretName .Values.certificate.certmanager.enabled }}

stalwart-mail/templates/secrets-env.yaml

@@ -0,0 +1,11 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "stalwart-mail.fullname" . }}-env
+  labels:
+    {{- include "stalwart-mail.labels" . | nindent 4 }}
+data:
+  {{- range $key, $value := .Values.secrets.env }}
+  {{ $key }}: {{ $value | b64enc }}
+  {{- end }}

stalwart-mail/templates/secrets.yaml

@@ -1,20 +1,12 @@
 ---
+{{- $secretName := include "stalwart-mail.fullname" . }}
+{{- $currentData := lookup "v1" "Secret" .Release.Namespace $secretName }}
 apiVersion: v1
 kind: Secret
 metadata:
   name: {{ include "stalwart-mail.fullname" . }}
   labels:
     {{- include "stalwart-mail.labels" . | nindent 4 }}
-  annotations:
-    confighash: {{ toYaml .Values.config | sha256sum | trunc 32 }}
 data:
-  "config.toml": {{ regexReplaceAll
-    "trusted-networks = \\[(.*)\\]"
-    (
-      toToml .Values.config
-      | replace ".0\n" "\n"
-      | replace "fts-table-duplicated-workaround" "fts"
-    )
-    "trusted-networks = {${1}}"
-    | b64enc }}
-  "dkim.key": {{ genPrivateKey "rsa" | b64enc }}
+  dkim-rsa.key: {{ $dkimSigningRSA := (dig "data" "dkim-rsa.key" "" $currentData | b64dec) | default (genPrivateKey "rsa") | b64enc }}
+  dkim-ed.key: {{ $dkimSigning := (dig "data" "dkim-ed.key" "" $currentData | b64dec) | default (genPrivateKey "ecdsa") | b64enc }}

stalwart-mail/templates/traefik.yaml

@@ -9,10 +9,10 @@ spec:
   entryPoints:
     - {{ $entryport }}
   routes:
-    - match: HostSNI(`{{ $.Values.config.macros.host }}`)
+    - match: HostSNI(`{{ $.Values.traefik.host }}`)
       services:
         - name: {{ include "stalwart-mail.fullname" $ }}
-          port: {{ $port}}
+          port: {{ $port }}
           proxyProtocol:
             version: 2
   tls:

stalwart-mail/values.yaml

@@ -21,701 +21,150 @@ imagePullSecrets: []
 nameOverride: ""
 fullnameOverride: ""
 
-
-##
-# Configuration of stalwart mail-server
-# defaults taken from: https://github.com/stalwartlabs/mail-server/tree/6aeadb9cda301ec5f210d8e8390515e6292592fa/resources/config
-#
-# files import completed:
-#   - config.toml
-#   - common/*.toml
-#   - imap/*.toml
-#
-##
 config:
-
-
-  ##
-  # macros
-  ##
-
-  # -- macros (from: config.toml)
-  macros:
-    host: "__HOST__"
-    default_domain: "__DOMAIN__"
-    default_directory: "memory"
-    default_store: "sqlite"
-
-
-  ##
-  # global
-  ##
-
-  global:
-    shared-map:
-      # -- global shared-map capacity (from: common/server.toml)
-      capacity: 10
-      # -- global shared-map shard (from: common/server.toml)
-      shard: 32
-
-    # -- global thead-pool (from: common/server.toml)
-    thread-pool:
-
-    # -- global tracing (from: common/tracing.toml)
-    tracing:
-      method: "stdout"
-      level: "info"
-
-
-  ##
-  # server
-  ##
-
   server:
-    # -- server hostname (from: common/server.toml)
-    hostname: "%{HOST}%"
-
-    security:
-      # -- server security blocked-networks (from: common/server.toml)
-      blocked-networks: {}
-      # -- server security fail2ban (from: common/server.toml)
-      fail2ban: "100/1d"
-
-    run-as:
-      # -- server run-as user (from: common/server.toml)
-      user: "stalwart-mail"
-      # -- server run-as group (from: common/server.toml)
-      group: "stalwart-mail"
-
-    socket:
-      # -- server socket nodelay (from: common/server.toml)
-      nodelay: true
-      # -- server socket reuse-addr (from: common/server.toml)
-      reuse-addr: true
-      # -- server socket reuse-port (from: common/server.toml)
-      reuse-port: false
-      # -- server socket backlog (from: common/server.toml)
-      backlog: 1024
-      # -- server socket ttl (from: common/server.toml)
-      ttl: 3600
-      # -- server socket send-buffer-size (from: common/server.toml)
-      send-buffer-size: 65535
-      # -- server socket recv-buffer-size (from: common/server.toml)
-      recv-buffer-size: 65535
-      # -- server socket linger (from: common/server.toml)
-      linger: 1
-      # -- server socket tos (from: common/server.toml)
-      tos: 1
-
-    tls:
-      # -- server tls enable (from: common/tls.toml)
-      enable: true
-      # -- server tls implicit (from: common/tls.toml)
-      implicit: false
-      # -- server tls timeout (from: common/tls.toml)
-      timeout: "1m"
-      # -- server tls certificate (from: common/tls.toml)
-      certificate: "default"
-      # -- server tls acme (from: common/tls.toml)
-      # example: "letsencrypt"
-      acme:
-      # -- server tls sni (from: common/tls.toml)
-      # example: [{subject: "", certificate: ""}]
-      sni:
-      # -- server tls protocols (from: common/tls.toml)
-      # example: ["TLSv1.2", "TLSv1.3"]
-      protocols:
-      # -- server tls #ciphers (from: common/tls.toml)
-      # example: [ "TLS13_AES_256_GCM_SHA384", "TLS13_AES_128_GCM_SHA256",
-      #            "TLS13_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
-      #            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
-      #            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-      #            "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"]
-      ciphers:
-      # -- server tls ignore-client-order (from: common/tls.toml)
-      ignore-client-order: true
-
-    # -- server listener
     listener:
       smtp:
-        protocol: "smtp"
         bind: ["[::]:25"]
-      smtp-submission:
         protocol: "smtp"
+      submission:
         bind: ["[::]:587"]
-      smtps:
         protocol: "smtp"
+      submissions:
         bind: ["[::]:465"]
+        protocol: "smtp"
         tls:
           implicit: true
-
-      # -- server listener with name imap (from: imap/listener.toml)
       imap:
         bind: ["[::]:143"]
         protocol: "imap"
-
-      # -- server listener with name imaps (from: imap/listener.toml)
-      imaps:
+      imaptls:
         bind: ["[::]:993"]
         protocol: "imap"
         tls:
           implicit: true
 
-      # -- server listener with name sieve (from: imap/listener.toml)
       sieve:
         bind: ["[::]:4190"]
         protocol: "managesieve"
+
+      https:
+        protocol: "http"
+        bind: ["[::]:80"]
         tls:
           implicit: true
 
-      # -- jmap/listener.yaml
-      http:
-        protocol: "jmap"
-        bind: ["[::]:80"]
-        url: "https://%{HOST}%"
-
-
-  ##
-  # sieve
-  ##
-
-  sieve:
-    untrusted:
-      # -- sieve untrusted disable-capabilities (from: common/sieve.toml)
-      disable-capabilities: []
-      # -- sieve untrusted notification-uris (from: common/sieve.toml)
-      notification-uris: ["mailto"]
-      # -- sieve untrusted protected-headers (from: common/sieve.toml)
-      protected-headers: ["Original-Subject", "Original-From", "Received", "Auto-Submitted"]
-
-      limits:
-        # -- sieve untrusted limit name-length (from: common/sieve.toml)
-        name-length: 512
-        # -- sieve untrusted limit max-scripts (from: common/sieve.toml)
-        max-scripts: 256
-        # -- sieve untrusted limit script-size (from: common/sieve.toml)
-        script-size: 102400
-        # -- sieve untrusted limit string-length (from: common/sieve.toml)
-        string-length: 4096
-        # -- sieve untrusted limit variable-name-length (from: common/sieve.toml)
-        variable-name-length: 32
-        # -- sieve untrusted limit variable-size (from: common/sieve.toml)
-        variable-size: 4096
-        # -- sieve untrusted limit nested-blocks (from: common/sieve.toml)
-        nested-blocks: 15
-        # -- sieve untrusted limit nested-tests (from: common/sieve.toml)
-        nested-tests: 15
-        # -- sieve untrusted limit nested-foreverypart (from: common/sieve.toml)
-        nested-foreverypart: 3
-        # -- sieve untrusted limit match-variables (from: common/sieve.toml)
-        match-variables: 30
-        # -- sieve untrusted limit local-variables (from: common/sieve.toml)
-        local-variables: 128
-        # -- sieve untrusted limit header-size (from: common/sieve.toml)
-        header-size: 1024
-        # -- sieve untrusted limit includes (from: common/sieve.toml)
-        includes: 3
-        # -- sieve untrusted limit nested-includes (from: common/sieve.toml)
-        nested-includes: 3
-        # -- sieve untrusted limit cpu (from: common/sieve.toml)
-        cpu: 5000
-        # -- sieve untrusted limit redirects (from: common/sieve.toml)
-        redirects: 1
-        # -- sieve untrusted limit received-headers (from: common/sieve.toml)
-        received-headers: 10
-        # -- sieve untrusted limit outgoing-messages (from: common/sieve.toml)
-        outgoing-messages: 3
-
-      vacation:
-        # -- sieve untrusted vacation default-subject (from: common/sieve.toml)
-        default-subject: "Automated reply"
-        # -- sieve untrusted vacation subject-prefix (from: common/sieve.toml)
-        subject-prefix: "Auto: "
-
-      default-expiry:
-        # -- sieve untrusted default-expiry vacation (from: common/sieve.toml)
-        vacation: "30d"
-        # -- sieve untrusted default-expiry duplicate (from: common/sieve.toml)
-        duplicate: "7d"
-
-    trusted:
-      # -- sieve trusted from-name (from: common/sieve.toml)
-      from-name: "Automated Message"
-      # -- sieve trusted from-addr (from: common/sieve.toml)
-      from-addr: "no-reply@%{DEFAULT_DOMAIN}%"
-      # -- sieve trusted return-path (from: common/sieve.toml)
-      return-path: ""
-      # -- sieve trusted hostname (from: common/sieve.toml)
-      hostname: "%{HOST}%"
-      # -- sieve trusted no-capability-check (from: common/sieve.toml)
-      no-capability-check: true
-      # -- sieve trusted sign (from: common/sieve.toml)
-      sign: ["rsa"]
-
-      limits:
-        # -- sieve trusted limits redirects (from: common/sieve.toml)
-        redirects: 3
-        # -- sieve trusted limits out-messages (from: common/sieve.toml)
-        out-messages: 5
-        # -- sieve trusted limits received-headers (from: common/sieve.toml)
-        received-headers: 50
-        # -- sieve trusted limits cpu (from: common/sieve.toml)
-        cpu: 1048576
-        # -- sieve trusted limits nested-includes (from: common/sieve.toml)
-        nested-includes: 5
-        # -- sieve trusted limits duplicate-expiry (from: common/sieve.toml)
-        duplicate-expiry: "7d"
-
-      scripts:
-        # -- sieve trusted scripts connect (from: common/sieve.toml)
-        connect:
-        # -- sieve trusted scripts ehlo (from: common/sieve.toml)
-        ehlo:
-        # -- sieve trusted scripts mail (from: common/sieve.toml)
-        mail:
-
-  ##
-  # storage
-  ##
+    run-as:
+      # -- server run-as user
+      user: "stalwart-mail"
+      # -- server run-as group
+      group: "stalwart-mail"
 
   storage:
-    # -- storage data (from: common/store.toml)
-    data: "%{DEFAULT_STORE}%"
-    # -- storage fts (from: common/store.toml)
-    # BROKEN / TODO
-    # see: https://github.com/stalwartlabs/mail-server/issues/211
-    fts: "%{DEFAULT_STORE}%"
-    # -- storage blob (from: common/store.toml)
-    blob: "%{DEFAULT_STORE}%"
-    # -- storage lookup (from: common/store.toml)
-    lookup: "%{DEFAULT_STORE}%"
-    # -- storage directory (from: common/store.toml)
-    directory: "%{DEFAULT_DIRECTORY}%"
-    encryption:
-      # -- storage encryption enable (from: common/store.toml)
-      enable: true
-      # -- storage encryption append (from: common/store.toml)
-      append: false
-    spam:
-      # -- storage spam header (from: common/store.toml)
-      header: "X-Spam-Status: Yes"
-    # BROKEN / TODO
-    # should be fts:
-    # see: https://github.com/stalwartlabs/mail-server/issues/211
-    fts-table-duplicated-workaround:
-      # -- storage - fts - default-language (from: common/store.toml)
-      default-language: "en"
-    cluster:
-      # -- storage - cluster - node-id (from: common/store.toml)
-      node-id:
-
-
-  ##
-  # ACME
-  ##
-
-  acme:
-    # -- acme with name letsencrypt (from: common/tls.toml)
-    letsencrypt:
-      # -- acme directory (from: common/tls.toml)
-      directory: "https://acme-v02.api.letsencrypt.org/directory"
-      # -- acme contact (from: common/tls.toml)
-      contact: ["postmaster@%{DEFAULT_DOMAIN}%"]
-      # -- acme cache (from: common/tls.toml)
-      cache: "/opt/stalwart-mail/etc/acme"
-      # -- acme port (from: common/tls.toml)
-      port: 443
-      # -- acme renew-before (from: common/tls.toml)
-      renew-before: "30d"
-
-  ##
-  # certificate
-  ##
-
-  certificate:
-    # -- certificate with name default (from: common/tls.toml)
-    default:
-      # -- certificate cert (from: common/tls.toml)
-      cert: "file:///opt/stalwart-mail/etc/certs/tls.crt"
-      # -- certificate private-key (from: common/tls.toml)
-      private-key: "file:///opt/stalwart-mail/etc/certs/tls.key"
-
-
-  ##
-  # directory
-  ##
-
-  directory:
-
-    # -- directory - with name memory (from: directory/internal.yaml)
-    memory:
-      type: memory
-      # -- overwrite me, if not wanted
-      disable: false
-      options:
-        catch-all: true
-        subaddressing: true
-      principals:
-        - type: "admin"
-          description: "Superuser"
-          name: "admin"
-          secret: "changeme"
-          mail:
-            - "postmaster@%{DEFAULT_DOMAIN}%"
-
-
-  ##
-  # store
-  ##
+    data: "rocksdb"
+    fts: "rocksdb"
+    blob: "rocksdb"
+    lookup: "rocksdb"
+    directory: "internal"
 
   store:
+    rocksdb:
+      type: rocksdb
+      path: "/data"
+      compression: "lz4"
 
-    # -- store - with name sqlite
-    sqlite:
-      type: "sqlite"
-      # -- overwrite me, if not wanted
-      disable: false
-      path: "/data/index.sqlite3"
-      purge:
-        frequency: "0 3 *"
-      query:
-        name: "SELECT name, type, secret, description, quota FROM accounts WHERE name = ? AND active = true"
-        members: "SELECT member_of FROM group_members WHERE name = ?"
-        recipients: "SELECT name FROM emails WHERE address = ?"
-        emails: "SELECT address FROM emails WHERE name = ? AND type != 'list' ORDER BY type DESC, address ASC"
-        verify: "SELECT address FROM emails WHERE address LIKE '%' || ? || '%' AND type = 'primary' ORDER BY address LIMIT 5"
-        expand: "SELECT p.address FROM emails AS p JOIN emails AS l ON p.name = l.name WHERE p.type = 'primary' AND l.address = ? AND l.type = 'list' ORDER BY p.address LIMIT 50"
-        domains: "SELECT 1 FROM emails WHERE address LIKE '%@' || ? LIMIT 1"
+  directory:
+    internal:
+      type: "internal"
+      store: "rocksdb"
 
-    # -- store - with name fs
-    fs:
-      type: "fs"
-      # -- overwrite me, if not wanted
-      disable: false
-      path: "/data/blobs"
-      depth: 2
-      purge:
-        frequency: "0 3 *"
+  tracer:
+    otel:
+      enable: false
+      type: "open-telemetry"
+      level: "info"
+      # -- grpc or http
+      transport: "grpc"
+      endpoint: "https://127.0.0.1/otel"
+      # -- headers for usage with http (e.g. 'Authorization: <place_auth_here>')
+      headers: []
+    stdout:
+      enable: true
+      type: "stdout"
+      level: "info"
+      ansi: false
 
-
-  ##
-  # OAuth
-  ##
-
-  oauth:
-
-    # -- oauth - key
-    key: "__OAUTH_KEY__"
-
-    # -- oauth - auth
-    auth:
-      max-attempts: 3
-
-    # -- oauth - expiry
-    expiry:
-      user-code: "30m"
-      auth-code: "10m"
-      token: "1h"
-      refresh-token: "30d"
-      refresh-token-renew: "4d"
-
-    # -- oauth - cache
-    cache:
-      size: 128
-
-
-  ##
-  # SMTP configuration (smtp/*.yaml)
-  ##
-
-
-  ##
-  # query (from: smtp/queue.yaml)
-  ##
-
-  queue:
-    # -- queue-path
-    path: "/data/queue"
-    # -- queue-hash
-    hash: 64
-
-    # -- queue-schedule
-    schedule:
-      retry: ["2m", "5m", "10m", "15m", "30m", "1h", "2h"]
-      notify: ["1d", "3d"]
-      expire: "5d"
-
-    # -- queue-outbound
-    outbound:
-      # hostname: "%{HOST}%"
-      next-hop:
-        - if: "rcpt-domain"
-          in-list: "%{DEFAULT_DIRECTORY}%/domains"
-          then: "local"
-        - else: false
-      ip-strategy: "ipv4-then-ipv6"
-      tls:
-        dane: "optional"
-        mta-sts: "optional"
-        starttls: "require"
-        allow-invalid-certs: false
-      limits:
-        mx: 7
-        multihomed: 2
-      timeouts:
-        connect: "3m"
-        greeting: "3m"
-        tls: "2m"
-        ehlo: "3m"
-        mail-from: "3m"
-        rcpt-to: "3m"
-        data: "10m"
-        mta-sts: "2m"
-
-
-  ##
-  # Report (from: smtp/report.yaml)
-  ##
-
-  report:
-    # -- report-path
-    path: "/data/reports"
-    # -- report-hash
-    hash: 64
-    # submitter: "%{HOST}%"
-
-    # -- report-analysis
-    analysis:
-      addresses: ["dmarc@*", "abuse@*", "postmaster@*"]
-      forward: true
-      # store: "/data/incoming"
-
-    # -- report-dsn
-    dsn:
-      from-name: "Mail Delivery Subsystem"
-      from-address: "MAILER-DAEMON@%{DEFAULT_DOMAIN}%"
-      sign: ["rsa"]
-
-    # -- report-dkim
+  auth:
     dkim:
-      from-name: "Report Subsystem"
-      from-address: "noreply-dkim@%{DEFAULT_DOMAIN}%"
-      subject: "DKIM Authentication Failure Report"
-      sign: ["rsa"]
-      send: "1/1d"
-
-    # -- report-spf
-    spf:
-      from-name: "Report Subsystem"
-      from-address: "noreply-spf@%{DEFAULT_DOMAIN}%"
-      subject: "SPF Authentication Failure Report"
-      send: "1/1d"
-      sign: ["rsa"]
-
-    # -- report-dmarc
-    dmarc:
-      from-name: "Report Subsystem"
-      from-address: "noreply-dmarc@%{DEFAULT_DOMAIN}%"
-      subject: "DMARC Authentication Failure Report"
-      send: "1/1d"
-      sign: ["rsa"]
-      aggregate:
-        from-name: "DMARC Report"
-        from-address: "noreply-dmarc@%{DEFAULT_DOMAIN}%"
-        org-name: "%{DEFAULT_DOMAIN}%"
-        # contact-info: ""
-        send: "daily"
-        # -- default: 25 mb
-        max-size: 26214400
-        sign: ["rsa"]
-
-    # -- report-tls
-    tls:
-      aggregate:
-        from-name: "TLS Report"
-        from-address: "noreply-tls@%{DEFAULT_DOMAIN}%"
-        org-name: "%{DEFAULT_DOMAIN}%"
-        # contact-info: ""
-        send: "daily"
-        # -- default: 25 mb
-        max-size: 26214400
-        sign: ["rsa"]
-
-
-  ##
-  # resolver (from: smtp/resolver.yaml)
-  ##
-
-  resolver:
-    # -- resolver-type
-    type: "system"
-    # -- resolver-preserve-intermediates
-    preserve-intermediates: true
-    # -- resolver-concurrency
-    concurrency: 2
-    # -- resolver-timeout
-    timeout: "5s"
-    # -- resolver-attempts
-    attempts: 2
-    # -- resolver-try-tcp-on-error
-    try-tcp-on-error: true
-    # -- resolver-public-suffix
-    public-suffix:
-      - "https://publicsuffix.org/list/public_suffix_list.dat"
-      - "file:///opt/stalwart-mail/etc/spamfilter/maps/suffix_list.dat.gz"
-
-    # -- resolver-cache
-    cache:
-      txt: 2048
-      mx: 1024
-      ipv4: 1024
-      ipv6: 1024
-      ptr: 1024
-      tlsa: 1024
-      mta-sts: 1024
-
-
-  ##
-  # signature (from: smtp/signature.yaml)
-  ##
-
+      # -- auth rule for signing with dkim
+      # @section -- DKIM
+      sign:
+        - if: "listener != 'smtp'"
+          then: "['rsa', 'ed25519']"
+        - else: false
+      # -- verify of dkim signature (relaxed, strict, disable)
+      # @section -- DKIM
+      verify: "relaxed"
   signature:
-    # -- signature-rsa
     rsa:
-      # public-key: "file://opt/stalwart-mail/etc/dkim/%{DEFAULT_DOMAIN}%.cert"
-      private-key: "file://opt/stalwart-mail/etc/dkim/private.key"
-      domain: "%{DEFAULT_DOMAIN}%"
-      selector: "stalwart"
+      # -- private key for dkim signing (use file for store in secrets of kubernetes - rsa)
+      # @section -- DKIM
+      private-key: "%{file:/opt/stalwart-smtp/etc/private/dkim-rsa.key}%"
+      # @section -- DKIM
+      domain: "foobar.org"
+      # @section -- DKIM
+      selector: "rsa_default"
+      # -- signing of this headers (rsa)
+      # @section -- DKIM
       headers: ["From", "To", "Date", "Subject", "Message-ID"]
+      # -- alogorithm of signing (rsa)
+      # @section -- DKIM
       algorithm: "rsa-sha256"
+      # @section -- DKIM
       canonicalization: "relaxed/relaxed"
-      # expire: "10d"
-      # third-party: ""
-      # third-party-algo: ""
-      # auid: ""
+      # @section -- DKIM
+      expire: "10d"
+      # @section -- DKIM
       set-body-length: false
+      # -- report of signing (rsa)
+      # @section -- DKIM
       report: true
+    ed25519:
+      # -- private key for dkim signing (use file for store in secrets of kubernetes - ed25519)
+      # @section -- DKIM
+      private-key: "%{file:/opt/stalwart-smtp/etc/private/dkim-ed.key}%"
+      # @section -- DKIM
+      domain: "foobar.org"
+      # @section -- DKIM
+      selector: "ed_default"
+      # -- signing of this headers (ed25519)
+      # @section -- DKIM
+      headers: ["From", "To", "Date", "Subject", "Message-ID"]
+      # -- alogorithm of signing (ed25519)
+      # @section -- DKIM
+      algorithm: "ed25519-sha256"
+      # @section -- DKIM
+      canonicalization: "simple/simple"
+      # @section -- DKIM
+      set-body-length: true
+      # -- report of signing (ed25519)
+      # @section -- DKIM
+      report: false
 
+  authentication:
+    fallback-admin:
+      # -- username for fallback authentfication
+      # @section -- Authentification
+      user: "admin"
+      # -- password for fallback authentfication (use env for store in secrets of kubernetes)
+      # @section -- Authentification
+      secret: "%{env:FALLBACK_ADMIN_SECRET}%"
 
-  ##
-  # IMAP
-  ##
-
-  imap:
-    request:
-      # -- imap request max-size (from: imap/settings.toml)
-      max-size: 52428800
-    auth:
-      # -- imap auth max-failures(from: imap/settings.toml)
-      max-failures: 3
-      # -- imap auth allow-plain-text (from: imap/settings.toml)
-      allow-plain-text: false
-    folders:
-      name:
-        # -- imap folders name shared (from: imap/settings.toml)
-        shared: "Shared Folders"
-    timeout:
-      # -- imap timeout authenticated (from: imap/settings.toml)
-      authenticated: "30m"
-      # -- imap timeout anonymous (from: imap/settings.toml)
-      anonymous: "1m"
-      # -- imap timeout idle (from: imap/settings.toml)
-      idle: "30m"
-    rate-limit:
-      # -- imap rate-limit requests (from: imap/settings.toml)
-      requests: "2000/1m"
-      # -- imap rate-limit concurrent (from: imap/settings.toml)
-      concurrent: 6
-    protocol:
-      # -- imap protocol uidplus (from: imap/settings.toml)
-      uidplus: false
-
-
-  ##
-  # JMAP
-  ##
-
-  jmap:
-    # -- jmap-directory (from: jmap/auth.yaml)
-    directory: "%{DEFAULT_DIRECTORY}%"
-    # -- jmap-session (from: jmap/auth.yaml)
-    session:
-      cache:
-        ttl: "1h"
-        size: 100
-      purge:
-        frequency: "0 3 *"
-
-    # -- jmap-protocol (from: jmap/protocol.yaml)
-    protocol:
-      get:
-        max-objects: 500
-      set:
-        max-objects: 500
-      request:
-        max-concurrent: 4
-        max-size: 10000000
-        max-calls: 16
-      query:
-        max-results: 5000
-      upload:
-        max-size: 50000000
-        max-concurrent: 4
-        ttl: "1h"
-        quota:
-          files: 1000
-          size: 50000000
-      changes:
-        max-results: 5000
-
-    # -- jmap-mailbox
-    mailbox:
-      max-depth: 10
-      max-name-length: 255
-
-    # -- jmap-email
-    email:
-      max-attachment-size: 50000000
-      max-size: 75000000
-
-      parse:
-        max-items: 10
-
-    # -- jmap-principal
-    principal:
-      allow-lookups: true
-
-    # -- jmap-push (from: jmap/push.yaml)
-    push:
-      max-total: 100
-      throttle: "1ms"
-      attempts:
-        interval: "1m"
-        max: 3
-      retry:
-        interval: "1s"
-      timeout:
-        request: "10s"
-        verify: "1s"
-
-    # -- jmap-event-source
-    event-source:
-      throttle: "1s"
-
-    # -- jmap-rate-limit (from: jmap/ratelimit.yaml)
-    rate-limit:
-      account: "1000/1m"
-      authentication: "10/1m"
-      anonymous: "100/1m"
-      use-forwarded: true
-      cache:
-        size: 1024
-
-    # -- jmap-web-sockets (from: jmap/websocket.yaml)
-    web-sockets:
-      throttle: "1s"
-      timeout: "10m"
-      heartbeat: "1m"
+secrets:
+  env:
+    # -- password for fallback authentfication (env)
+    # @section -- Authentification
+    FALLBACK_ADMIN_SECRET: supersecret
 
 serviceAccount:
   # Specifies whether a service account should be created
@@ -731,6 +180,8 @@ serviceAccount:
 podAnnotations: {}
 podLabels: {}
 
+env: []
+
 podSecurityContext: {}
   # fsGroup: 2000