From 3f87debcf804f95e6d7635c81f983da1f9ea408c Mon Sep 17 00:00:00 2001
From: ordinarthur <@arthurbarre.js@gmail.com>
Date: Mon, 20 Apr 2026 10:18:58 +0200
Subject: [PATCH] fix(maddy): correct global hostname + run subcommand + dkim syntax
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- add top-level `hostname $(hostname)` directive (required by maddy 0.8)
- invoke as `maddy -config … run` (global flag before subcommand)
- fix dkim syntax: `dkim DOMAIN SELECTOR` (no key-size positional arg — that was being parsed as a second selector, generating bogus keys)
- use bounce block on local_queue target instead of (local_routing) macro
---
 k8s/maddy.yml | 105 +++++++++++++++++++++++++-------------------------
 1 file changed, 52 insertions(+), 53 deletions(-)

diff --git a/k8s/maddy.yml b/k8s/maddy.yml
index 554779b..7a9aeea 100644
--- a/k8s/maddy.yml
+++ b/k8s/maddy.yml
@@ -24,75 +24,74 @@ metadata: namespace: anydrop data: maddy.conf: | + # Global directives — both the top-level `hostname`/`tls` statements AND + # the macros of the same name are required. Macros are substituted into + # module blocks below; the bare directives configure the process. $(hostname) = mail.anydrop.arthurbarre.fr $(primary_domain) = anydrop.arthurbarre.fr $(local_domains) = $(primary_domain) + hostname $(hostname) tls off - # ------------------------------------------------------------------- - # Outbound pipeline — sign with DKIM, send directly to destination MX. - # ------------------------------------------------------------------- - (local_routing) { - destination postmaster $(local_domains) { - reject 550 5.1.1 "No local mailboxes — outbound only" - } - default_destination { - modify { - dkim $(primary_domain) default (1024) + # Outbound delivery pipeline ---------------------------------------------- + target.queue local_queue { + target &remote_delivery + autogenerated_msg_domain $(primary_domain) + bounce { + destination postmaster $(local_domains) { + reject 550 5.0.0 "Bounces ignored — outbound only" + } + default_destination { + reject 550 5.0.0 "Bounces ignored — outbound only" + } } - deliver_to &remote_queue - } - } - - target.queue remote_queue { - target &remote_delivery - max_parallelism 16 - max_tries 20 } target.remote remote_delivery { - limits { - destination rate 20 1s - destination concurrency 10 - } - mx_auth { - dane - mtasts { - cache fs - fs_dir mtasts_cache/ + limits { + destination rate 20 1s + destination concurrency 10 } - local_policy { - min_tls_level none - min_mx_level none + mx_auth { + dane + mtasts { + cache fs + fs_dir mtasts_cache/ + } + local_policy { + min_tls_level none + min_mx_level none + } } - } } - # ------------------------------------------------------------------- - # SMTP submission endpoint (internal only — cluster-ip service). 
- # No TLS required in-cluster; the server process talks to maddy over - # the flat pod network. - # ------------------------------------------------------------------- + # SMTP submission listener — internal ClusterIP service only. + # No auth enforced: the service is not reachable outside the cluster + # network. If you ever expose this externally, add an `auth` block. smtp tcp://0.0.0.0:587 { - limits { - all rate 100 1s - all concurrency 50 - } - source $(local_domains) { - reject 501 5.1.8 "Non-local sender refused" - } - default_source { - destination postmaster $(local_domains) { - reject 550 5.1.1 "Cannot send to local — outbound only" + hostname $(hostname) + tls off + + limits { + all rate 100 1s + all concurrency 50 } - default_destination { - modify { - dkim $(primary_domain) default (1024) - } - deliver_to &remote_queue + + source $(local_domains) { + destination postmaster $(local_domains) { + reject 550 5.1.1 "Local delivery disabled" + } + default_destination { + modify { + dkim $(primary_domain) default + } + deliver_to &local_queue + } + } + default_source { + reject 501 5.1.8 "Non-local sender refused" } - } } --- @@ -128,7 +127,7 @@ spec: containers: - name: maddy image: foxcpp/maddy:0.8 - args: ["-config", "/etc/maddy/maddy.conf"] + args: ["-config", "/etc/maddy/maddy.conf", "run"] ports: - containerPort: 587 name: submission
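Review bot: The new `smtp tcp://0.0.0.0:587` block accepts unauthenticated submissions from any client that can reach the ClusterIP and, through `source $(local_domains)`, DKIM-signs them as `$(primary_domain)`, so any workload in the cluster — not only the intended sender — can emit signed mail for the domain, while the comment above the block only considers external exposure. A NetworkPolicy restricting ingress on 587 to the client pods (or an `auth` block backed by a Secret) would close that gap; at minimum the comment should state the actual trust boundary, e.g. `# No auth enforced: any pod that can reach this ClusterIP can send DKIM-signed mail as $(primary_domain). Restrict ingress with a NetworkPolicy or add an auth block.` Separately, `local_policy { min_tls_level none ... }` under `remote_delivery` leaves plaintext outbound delivery possible whenever DANE/MTA-STS yield no policy; that is the maddy default, but if strict transport is wanted `min_tls_level encrypted` is the knob, and the choice is worth a one-line comment either way.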