Mailu Mail Server

Complete mail server suite deployed on the kup6s.com Kubernetes cluster, providing SMTP, IMAP, webmail, and administration interfaces.

Overview

Mailu is an all-in-one mail server solution deployed at mail.kup6s.com with:

• SMTP - Email sending/receiving (ports 25, 465, 587)

• IMAP - Email retrieval (port 993)

• POP3 - Alternative email retrieval (port 995)

• Webmail - Browser-based email access (Roundcube)

• Admin UI - Server administration interface

• Authentication - Integrated SSO with rate limiting

Architecture

Mailu uses a critical architectural pattern where Traefik terminates TLS for all protocols (HTTP and mail), while Mailu’s nginx frontend runs in HTTP-only mode. This avoids HTTP 301 redirect loops that occur with traditional TLS passthrough approaches.

See: Traefik TLS Termination for Mail Protocols for complete architectural details.

Key Features

• Unified TLS Management: Traefik handles all TLS termination with cert-manager certificates

• PostgreSQL Backend: CloudNativePG cluster for high availability

• CDK8S Deployment: Type-safe Kubernetes manifests with dynamic service references

• GitOps Sync: ArgoCD for automated deployment

• LoadBalancer Integration: Hetzner Cloud LoadBalancer with 8 exposed ports

Access

• Webmail: https://mail.kup6s.com

• Admin: https://mail.kup6s.com/admin

• SMTP (Submission): mail.kup6s.com:587 (STARTTLS)

• SMTPS: mail.kup6s.com:465 (TLS)

• IMAPS: mail.kup6s.com:993 (TLS)

• POP3S: mail.kup6s.com:995 (TLS)

DNS Configuration

Service Records (LoadBalancer)

mail.kup6s.com.  IN  A      167.233.14.203
mail.kup6s.com.  IN  AAAA   2a01:4f8:1c1f:6562::1
kup6s.com.       IN  MX  10 mail.kup6s.com.

Email Authentication (SPF)

kup6s.com.  IN  TXT  "v=spf1 mx a:mail.kup6s.com ip4:5.75.247.168 ip6:2a01:4f8:c012:f3f0::1 ~all"

Egress IP: 5.75.247.168 (control-fsn1 node) - all outbound mail routes through this IP via Cilium egress gateway.

Reverse DNS (PTR)

Configured in Hetzner Console for egress node:

• 5.75.247.168 → mail.kup6s.com

• 2a01:4f8:c012:f3f0::1 → mail.kup6s.com

Source Code

• Manifests: dp-infra/mailu/manifests/ (generated, committed to git)

• CDK8S Source: dp-infra/mailu/charts/ (TypeScript)

• Library: generic-charts/cdk8s-mailu/ (reusable CDK8S constructs)

• Configuration: dp-infra/mailu/config.yaml

• ArgoCD App: argoapps/dist/mailu.k8s.yaml

Deployment Method

Deployed via ArgoCD using GitOps:

1. CDK8S code generates Kubernetes manifests

2. Manifests committed to dp-infra/mailu/manifests/

3. ArgoCD syncs from git repository automatically

4. Configuration changes in config.yaml trigger rebuild and sync

Documentation

How-To Guides

Practical guides for common tasks:

• Configure Mail Client - Set up Thunderbird, Apple Mail, Android, Outlook

• Configure Egress Gateway - Set up consistent source IP for SPF compliance

• Troubleshoot SMTP Errors - Resolve connection and authentication issues

Explanation

Architecture and design decisions:

• Traefik TLS Termination Pattern - Core architectural decision with nginx wrapper details (required reading)

• Egress Gateway for SPF Compliance - Consistent source IP for email deliverability

• Dovecot Submission Service - Dedicated service for webmail email sending

Reference

Configuration details and options:

• Configuration Options - Server-side configuration reference

Related Infrastructure Documentation

• CDK8S Infrastructure as Code - Understanding dynamic service names

• ArgoCD GitOps - Deployment workflow