Deploying Mailu Mail Server on Kubernetes: Step-by-Step Guide
Mailu is a containerized mail server optimized for Docker and Kubernetes environments. Unlike traditional Postfix and Dovecot setups that require heavy configuration, Mailu deploys with minimal effort, making it ideal for home labs and testing setups. This guide walks you through installing Mailu in a Kubernetes cluster using Helm, configuring network policies, DNS records, and security measures.
Preparing Infrastructure and DNS
Before installing Mailu, complete these essential infrastructure steps. First, you need a domain with DNS management capabilities—for this example, we'll use yourdomain.com. Second, secure a static public IP (e.g., 1.2.3.4) with a reverse (PTR) record set up by your ISP. Without a PTR record, major email providers will flag your emails as spam.
Key DNS records to create:
- A record: mail.yourdomain.com → 1.2.3.4
- MX record: @ → mail.yourdomain.com
After setup, verify with nslookup 1.2.3.4—it should resolve to mail.yourdomain.com, confirming your PTR record is correct.
Setting Up Kubernetes and Deploying Mailu
For security, isolate the mail server in its own namespace to minimize risks— we'll use dmz-mailu here. Apply a network policy right away to block all inbound and outbound traffic by default, allowing only essential ports.
Example network policy (network-policy-dmz-mail.yaml):
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-dmz-mail-deny
namespace: dmz-mail
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-mailu-ports
namespace: dmz-mail
spec:
podSelector: {}
egress:
- to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: kube-system
ports:
- protocol: UDP
port: 53
- protocol: TCP
port: 25
- protocol: TCP
port: 465
Next, add the Mailu Helm repo and create a values.yaml file. Key settings include your domain, timezone, initial admin account, storage options, and network interfaces. Match the StorageClass to your cluster's setup.
Core values.yaml parameters:
hostnames: ["mail.yourdomain.com"]domain: yourdomain.cominitialAccountfor admin setup- PostgreSQL or MariaDB configs
- Persistence settings (e.g.,
size: 50Gi) - Ingress config with cert-manager annotations
- Frontend as LoadBalancer type
Install the chart with:
helm install mailu mailu/mailu -n dmz-mailu --values mailu_values.yaml
Fixing TLS Issues and Advanced Config
Mailu can hit SSL errors with Ingress due to TLS handling quirks. A workaround is a dedicated LoadBalancer Service for the frontend, moving the web UI to its own IP and bypassing Ingress TLS conflicts.
Example manifest (svc-mailu-front-web.yaml):
apiVersion: v1
kind: Service
metadata:
name: svc-mailu-front-web
namespace: dmz-mail
spec:
externalTrafficPolicy: Local
ports:
- port: 443
protocol: TCP
targetPort: 443
selector:
app.kubernetes.io/component: front
app.kubernetes.io/instance: mailu
app.kubernetes.io/name: mailu
type: LoadBalancer
loadBalancerIP: 192.168.10.201
Apply it, then point mail-local.yourdomain.com to that IP in your local DNS or hosts file. Also forward port 25 from your gateway to the loadBalancerIP in values.yaml for incoming mail.
Configuring DKIM, DMARC, and SPF
To ensure delivery to services like Gmail or Outlook, set up DKIM, DMARC, and SPF. These authentication protocols verify your sender legitimacy and keep emails out of spam folders.
Setup steps:
- In the Mailu admin web UI, go to Administration → Mail Domains → select your domain → Edit.
- Click Generate Keys in the top right.
- Copy the TXT records for DKIM, DMARC, and SPF into your domain's DNS.
- Wait for propagation (up to 48 hours).
Validate with tools like mxtoolbox.com. Test by sending to external addresses—initial emails might hit spam, so check junk folders.
Performance and Security Optimization
Mailu includes optional components you can disable to save resources or simplify setup. ClamAV (antivirus), OleTools (Office file scanner), and Tika (metadata handler) aren't essential for core mail functions—set them to false in values.yaml.
Recommended for home use:
clamav: falseoletools: falsetika: false
Keep Rspamd (spam filter) enabled—it handles inbound and outbound mail effectively.
Key Takeaways
- A PTR record on your static IP is crucial for reliable delivery.
- Dedicated namespace and network policies boost deployment security.
- Use a separate LoadBalancer Service to resolve Ingress TLS issues.
- DKIM, DMARC, and SPF are must-haves for external email delivery.
- Disable non-essential components like ClamAV to cut resource use.
— Editorial Team
No comments yet.