[BUG] - ManageSieve unreachable #394

Open
hans-fischer opened this issue Feb 4, 2025 · 5 comments
Labels
bug Something isn't working

Comments

@hans-fischer
Contributor

Describe the bug
In Roundcube > Settings > Filter, a connection problem occurs.

To Reproduce
Steps to reproduce the behavior (include specific Helm or Kubernetes commands if applicable):

  1. Go to roundcube
  2. Go to Settings
  3. Go to Filter
  4. See error

Expected behavior
I would like to edit sieves, but there seems to be a problem.

Environment (please complete the following information):

  • Helm Chart Version: 2.1.2
  • Helm Version: v3.16.2
  • Kubernetes Version: 1.31.4
  • Kubernetes Platform: kubeadm
  • Mailu Version: 2024.06.10

Values.yaml Configuration
Please provide your values.yaml configuration file or the relevant parts of it (ensure sensitive data is redacted).

---
# source: https://github.com/Mailu/helm-charts/blob/master/mailu/values.yaml

global:
  storageClass: "nvme-r2-ext4"
  database:
    roundcube:
      database: roundcube
      username: roundcube_owner_user
      existingSecret: "roundcube-owner-user.mailu-postgres.credentials.postgresql.acid.zalan.do"
      existingSecretPasswordKey: "password"

existingSecret: "mailu-secret-key"

timezone: "Europe/Berlin"

initialAccount:
  enabled: false # we are going to do it via mail_user_config
  password: "provided-but-not-used-fK3qzr2X5gCjAMYmQ6LTcvGseSDHJEPd" # the helm chart enforces a password, but it will be overwritten by 'flask mailu config-import'

subnet: "10.252.0.0/16" # Insert Podnet here

logLevel: "INFO"

recipientDelimiter: "+"

domain: "example.com"
hostnames:
  - "mail.example.com"

customization:
  siteName: "Mailu by example.com"
  website: "https://mail.example.com"
  logoUrl: ""
  logoBackground: ""

limits:
  messageSizeLimitInMegabytes: 1024

  authRatelimit:
    ip: 60/hour
    ipv4Mask: 24
    ipv6Mask: 56
    user: 100/day
    exemptionLength: 86400
    exemption: ""

  messageRatelimit:
    value: 50/day
    exemption: ""

externalDatabase:
  enabled: true
  type: "postgresql"
  host: "mailu-postgres"
  port: 5432
  database: mailu
  # username: mailu
  # password: ""
  existingSecret: "mailu-owner-user.mailu-postgres.credentials.postgresql.acid.zalan.do"
  # existingSecretDatabaseKey: "database"
  existingSecretUsernameKey: "username"
  existingSecretPasswordKey: "password"

persistence:
  single_pvc: false

ingress:
  # not useful to have a public certificate that exposes roundcube-entrypoints. Should be separate certs.
  enabled: false


front:
  logLevel: "INFO"
  updateStrategy:
    type: RollingUpdate
  kind: DaemonSet
  podLabels:
    gnp/external-reverse-proxy: ""
    gnp/monitoring-client: ""
  extraVolumeMounts:
    - name: dovecot-configfiles
      mountPath: /etc/dovecot/conf.d/10-metrics.conf
      subPath: 10-metrics.conf
  extraVolumes:
    - name: dovecot-configfiles
      configMap:
        name: dovecot-extra-configfiles
  nodeSelector:
    node-role.kubernetes.io/external-proxy: ""
  tolerations:
  # A toleration for node taint node-role.kubernetes.io/edge-node:NoSchedule
  - key: "node-role.kubernetes.io/edge-node"
    operator: "Exists"
    effect: "NoSchedule"
  containerSecurityContext:
    capabilities:
      add:
        - "SYS_CHROOT"
    enabled: true
    runAsUser: 0
  resources:
    requests:
      memory: "128Mi"
      cpu: "100m"
    limits:
      memory: "1Gi"

admin:
  updateStrategy:
    type: Recreate
  persistence:
    size: 20Gi
    storageClass: "nvme-r2-ext4"
    annotations:
      helm.sh/resource-policy: "keep"
  resources:
    requests:
      memory: "512Mi"
      cpu: "100m"
    limits:
      memory: "2Gi"

redis:
  enabled: true
  architecture: standalone
  master:
    persistence:
      enabled: true
      size: 20Gi
      storageClass: "nvme-r2-ext4"
      accessModes: [ReadWriteOnce]
      annotations:
        helm.sh/resource-policy: "keep"
  replica:
    count: 0

postfix:
  updateStrategy:
    type: Recreate
  persistence:
    size: 20Gi
    storageClass: "nvme-r2-ext4"
    annotations:
      helm.sh/resource-policy: "keep"
  nodeSelector:
    node-role.kubernetes.io/external-proxy: ""
  tolerations:
  # A toleration for node taint node-role.kubernetes.io/edge-node:NoSchedule
  - key: "node-role.kubernetes.io/edge-node"
    operator: "Exists"
    effect: "NoSchedule"
  resources:
    requests:
      memory: "64Mi"
      cpu: "100m"
    limits:
      memory: "1Gi"
  overrides:
    postfix.master: |
      showq/unix=showq unix n - n - -

dovecot:
  podLabels:
    gnp/internet-https: ""
    gnp/monitoring-client: ""
    kyverno/inject-truststore: "extended"
    minio-backup/s3-bucket: "com.example.k8s-main.mailu.dovecot.mails"
    minio-backup/volume-mount: "data"
  updateStrategy:
    type: Recreate
  persistence:
    size: 2000Gi
    storageClass: "nvme-r2-ext4"
    annotations:
      helm.sh/resource-policy: "keep"
  containerSecurityContext:
    capabilities:
      add:
        - "SYS_CHROOT"
    enabled: true
    runAsUser: 0
  extraVolumeMounts:
    - name: dovecot-configfiles
      mountPath: /etc/dovecot/conf.d/10-metrics.conf
      subPath: 10-metrics.conf
  extraVolumes:
    - name: dovecot-configfiles
      configMap:
        name: dovecot-extra-configfiles
  overrides:
    dovecot.conf: |
      !include /etc/dovecot/conf.d/10-metrics.conf
  resources:
    requests:
      memory: "2Gi"
      cpu: "100m"
    limits:
      memory: "8Gi"

rspamd:
  podLabels:
    gnp/internet-tcp: ""
  updateStrategy:
    type: Recreate
  persistence:
    size: 20Gi
    storageClass: "nvme-r2-ext4"
    annotations:
      helm.sh/resource-policy: "keep"
  resources:
    requests:
      memory: "512Mi"
      cpu: "100m"
    limits:
      memory: "2Gi"
  overrides:
    # will be copied to /etc/rspamd/local.d/
    blacklist.conf: |
      #override.d/multimap.conf
      local_bl_domain {
        type = "from";
        filter = "email:domain";
        map = "/etc/rspamd/override.d/blacklist.inc";
        score = 14;
        description = "Senders domain part is on the local blacklist";
        group = "local_bl";
        action = "reject";
      }
    blacklist.inc: |
      #Blacklisted domains. All emails from these domains are blacklisted and will be rejected.
      #This file is LIVE reloaded by rspamd. Any changes are EFFECTIVE IMMEDIATELY.
      community.com

# An antivirus server helps fighting large scale virus spreading campaigns that leverage e-mail for initial infection. Make sure that you have at least 1GB of memory for ClamAV to load its signature database.
clamav:
  updateStrategy:
    type: RollingUpdate
  podLabels:
    {{ network_policy_label_namespace }}/internet-https: ""
  persistence:
    size: 20Gi
    storageClass: "nvme-r2-ext4"
    annotations:
      helm.sh/resource-policy: "keep"
  resources:
    requests:
      memory: "2Gi"
      cpu: "100m"
    limits:
      memory: "4Gi"

webmail:
  podLabels:
    gnp/internet-tcp: ""
  updateStrategy:
    type: Recreate
  persistence:
    size: 20Gi
    storageClass: "nvme-r2-ext4"
    annotations:
      helm.sh/resource-policy: "keep"
  resources:
    requests:
      memory: "128Mi"
      cpu: "100m"
    limits:
      memory: "2Gi"

# A Webdav server exposes a Dav interface over HTTP so that clients can store contacts or calendars using the mail account.
webdav:
  enabled: true
  updateStrategy:
    type: Recreate
  persistence:
    size: 20Gi
    storageClass: "nvme-r2-ext4"
    annotations:
      helm.sh/resource-policy: "keep"
  resources:
    requests:
      memory: "64Mi"
      cpu: "25m"
    limits:
      memory: "1Gi"

# Fetchmail allows users to retrieve mail from an external mail-server via IMAP/POP3 and puts it in their inbox.
fetchmail:
  enabled: true
  updateStrategy:
    type: Recreate
  persistence:
    size: 20Gi
    storageClass: "nvme-r2-ext4"
    annotations:
      helm.sh/resource-policy: "keep"
  resources:
    requests:
      memory: "64Mi"
      cpu: "25m"
    limits:
      memory: "1Gi"

# Tika enables the functionality for searching through attachments. Tika scans documents in email attachments, process (OCR, keyword extraction) and then index them in a way they can be efficiently searched. This requires significant resources (RAM, CPU and storage).
tika:
  enabled: true
  languages:
    - en
    - de
  resources:
    requests:
      memory: "1Gi"
      cpu: "100m"
    limits:
      memory: "4Gi"

Additional information
I'm kinda curious: is ManageSieve supported or not? There are many issues and many PRs about that topic.
Should it work, or is it dead?
Should it work out-of-the-box, or can I do something to make it work?

@hans-fischer hans-fischer added the bug Something isn't working label Feb 4, 2025
@Data-Bike

Hello!

I have the same problem
Do you have any solution?

Thank you!

@NewBlade

I had the same issue and after some digging around, this seems to be caused by a conditional configuration for dovecot inside the front container:

https://github.com/Mailu/Mailu/blob/922347252076ebf50ac237f2df1f830e3702f5ba/core/nginx/dovecot/proxy.conf#L78-L96

This variable is set through the configmap envvars

PORTS: {{ include "mailu.enabledPorts" . }}

which is filled by _services.tpl

{{/* Combine the enabled ports that should be exposed into a comma-separated string */}}
{{- define "mailu.enabledPorts" -}}
{{- $enabledPorts := list -}}
{{- if .Values.ingress.enabled -}}
{{- $enabledPorts = append $enabledPorts "80" -}}
{{- $enabledPorts = append $enabledPorts "443" -}}
{{- end -}}
{{- if .Values.front.externalService.enabled -}}
{{- if .Values.front.externalService.ports.pop3 -}}
{{- $enabledPorts = append $enabledPorts "110" -}}
{{- end -}}
{{- if .Values.front.externalService.ports.pop3s -}}
{{- $enabledPorts = append $enabledPorts "995" -}}
{{- end -}}
{{- if .Values.front.externalService.ports.imap -}}
{{- $enabledPorts = append $enabledPorts "143" -}}
{{- end -}}
{{- if .Values.front.externalService.ports.imaps -}}
{{- $enabledPorts = append $enabledPorts "993" -}}
{{- end -}}
{{- if .Values.front.externalService.ports.smtp -}}
{{- $enabledPorts = append $enabledPorts "25" -}}
{{- end -}}
{{- if .Values.front.externalService.ports.smtps -}}
{{- $enabledPorts = append $enabledPorts "465" -}}
{{- end -}}
{{- if .Values.front.externalService.ports.submission -}}
{{- $enabledPorts = append $enabledPorts "587" -}}
{{- end -}}
{{- if .Values.front.externalService.ports.manageSieve -}}
{{- $enabledPorts = append $enabledPorts "4190" -}}
{{- end -}}
{{- end -}}

So, if you just enable ingress and don't set front.externalService.enabled = true, PORT_4190 is not set and thus 14190 is not available.

I am not sure though if this is intended behaviour, because I am using hostPort.enabled = true (the default) and these two options seem mutually exclusive according to the docs?

https://github.com/Mailu/helm-charts/tree/master/mailu#exposing-mail-ports-to-the-public

Long story short: I changed PORTS: 80,443 to PORTS: 80,443,4190 in the configmap and now everything works :)
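
To make the cause above reproducible without a cluster, here is an added shell example (written for this thread; it is neither NewBlade's code nor part of the Mailu helm chart) that re-implements the `mailu.enabledPorts` template logic quoted above, checks a `PORTS` string for 4190, and builds the patched value. The function names, the `--live` switch, the `MAILU_NAMESPACE`/`MAILU_FRONT` variables and their defaults (`mailu`, `daemonset/mailu-front`) are assumptions of this example; the ConfigMap name `mailu-envvars` is the one named later in this thread.

```shell
#!/bin/sh
# Added example, not code from the Mailu helm chart or from this thread's
# participants: a shell re-implementation of the chart's "mailu.enabledPorts"
# template logic, plus a check for the ManageSieve port in the PORTS value the
# front container receives.

# enabled_ports INGRESS EXTSVC [PORTKEY...]
#   INGRESS: "true" when ingress.enabled is set,
#   EXTSVC:  "true" when front.externalService.enabled is set,
#   PORTKEY: the front.externalService.ports.* keys that are true.
# Prints the comma-separated list in the order the template appends it.
enabled_ports() {
  _ingress="$1"; _extsvc="$2"; shift 2
  _ports=""
  if [ "$_ingress" = "true" ]; then
    _ports="80,443"
  fi
  # The externalService ports are only consulted when the service is enabled,
  # so manageSieve=true alone never yields 4190 (the bug seen in this issue).
  if [ "$_extsvc" = "true" ]; then
    for _pair in pop3:110 pop3s:995 imap:143 imaps:993 smtp:25 smtps:465 submission:587 manageSieve:4190; do
      _key="${_pair%%:*}"; _port="${_pair#*:}"
      case " $* " in
        *" $_key "*) _ports="${_ports:+$_ports,}$_port" ;;
      esac
    done
  fi
  printf '%s\n' "$_ports"
}

# has_port PORTS PORT: succeeds when PORT appears in the comma-separated PORTS list.
has_port() {
  case ",$1," in
    *",$2,"*) return 0 ;;
    *) return 1 ;;
  esac
}

# with_managesieve PORTS: prints PORTS with 4190 appended when it is missing,
# i.e. the manual ConfigMap edit described in this thread.
with_managesieve() {
  if has_port "$1" 4190; then
    printf '%s\n' "$1"
  else
    printf '%s\n' "${1:+$1,}4190"
  fi
}

# Optional live mode (only when invoked with --live and kubectl is present):
# read PORTS from the deployed ConfigMap, patch it if 4190 is missing and
# restart the front workload. Namespace and workload names are assumptions;
# override them with MAILU_NAMESPACE and MAILU_FRONT.
if [ "${1:-}" = "--live" ] && command -v kubectl >/dev/null 2>&1; then
  ns="${MAILU_NAMESPACE:-mailu}"
  front="${MAILU_FRONT:-daemonset/mailu-front}"
  current="$(kubectl -n "$ns" get configmap mailu-envvars -o jsonpath='{.data.PORTS}')"
  wanted="$(with_managesieve "$current")"
  if [ "$current" = "$wanted" ]; then
    echo "PORTS already contains 4190: $current"
  else
    kubectl -n "$ns" patch configmap mailu-envvars --type merge \
      -p "{\"data\":{\"PORTS\":\"$wanted\"}}"
    kubectl -n "$ns" rollout restart "$front"
  fi
fi
```

Run it without arguments to use the functions only (for instance `enabled_ports true false manageSieve` prints `80,443`, matching the broken case), or with `--live` to apply the workaround to a cluster. Keep in mind that a later `helm upgrade` re-renders `mailu-envvars` from the chart, so a hand-patched ConfigMap is a workaround rather than a durable fix; the durable path is a chart change that adds 4190 independently of `front.externalService.enabled`.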

@hans-fischer
Contributor Author

hans-fischer commented Feb 22, 2025

Ohh that sounds amazing! A working sieve would be so awesome!

You mean that I edit the deployed ConfigMap after Helm has run,
and then restart the front pod?

Let me try it.

@Data-Bike

Thank you @NewBlade

Your solution solved my problem

@hans-fischer
Contributor Author

Thank you @NewBlade,

worked for me too.

I added port 4190 to the ConfigMap "mailu-envvars" after the helm release was deployed and restarted the front pods.
