Deploy (email) - Alfresco Content Services - 23.4

Currently, ingress-nginx doesn't support TCP/UDP services due to Kubernetes limitations. The required workaround is to expose the TCP services (for example SMTP(S), IMAP(S)) to the internet through a Kubernetes Service of type LoadBalancer. This means inbound email needs to be sent to the address of this Service LoadBalancer, which serves the TCP traffic. This may add the cost of an extra L4 load balancer. This is purely due to current Kubernetes limitations for TCP/UDP services and is not related to the Content Services Helm setup.

So, for example, if your Content Services Helm chart has inbound/outbound email enabled in the domain *.example.com, then the service endpoints would be:

  • myacs.example.com - for general Alfresco, Digital Workspace, and Share endpoints
  • smtps-myacs.example.com - for sending emails to the Content Services SMTP(S) server (for example ports 1125 (smtps), 1144 (imaps))

It is recommended to enable TLS when configuring SMTP(S) and IMAP(S). If TLS is enabled for inbound email, the Helm chart expects the TLS certificate to exist as a Secret before the chart is installed. The name of this secret is passed as a parameter at chart installation so that it is used for inbound email with TLS, and the repository creates the keystore and truststore from the provided SSL certificates.

For example, if your Content Services email server name is smtps-myacs.example.com and your SSL certificates (self-signed or signed) are cert.pem, fullchain.pem and privkey.pem, run the following command to create a Kubernetes TLS secret:

kubectl create secret tls your-cert-secret --key privkey.pem --cert fullchain.pem --namespace=alfresco
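
A pre-flight check for the certificate files named above, as an added example that is not part of the Alfresco documentation: it confirms that privkey.pem belongs to the leaf certificate in fullchain.pem, that the certificate covers the email server name, and that it does not expire within 30 days. The function names and the 30-day threshold are assumptions, and the openssl command-line tool must be installed.

```shell
#!/bin/sh
# Added example (not from the Alfresco docs): checks to run on fullchain.pem and
# privkey.pem before `kubectl create secret tls`. Function names are hypothetical.

# The leaf certificate (first PEM block of the chain) and the key share a public key.
cert_matches_key() {   # $1 = chain file, $2 = private key file
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    # -passin pass: makes an encrypted key fail here instead of prompting.
    key_pub=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# The certificate names the host that mail clients will connect to.
cert_covers_host() {   # $1 = chain file, $2 = hostname
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# The certificate is still valid $2 seconds from now.
cert_valid_for() {     # $1 = chain file, $2 = seconds
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Run all three checks and report every failure, not just the first.
preflight_tls_secret() {   # $1 = chain file, $2 = key file, $3 = email server name
    rc=0
    cert_matches_key "$1" "$2" || { echo "FAIL: $2 does not match $1" >&2; rc=1; }
    cert_covers_host "$1" "$3" || { echo "FAIL: $1 does not cover $3" >&2; rc=1; }
    cert_valid_for "$1" 2592000 || { echo "FAIL: $1 expires within 30 days" >&2; rc=1; }
    return "$rc"
}

# Constructed sample input: a throwaway self-signed pair written to directory $1.
make_sample_pair() {   # $1 = directory, $2 = hostname
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=$2" \
        -keyout "$1/privkey.pem" -out "$1/fullchain.pem" >/dev/null 2>&1
}

# Usage: sh preflight.sh fullchain.pem privkey.pem smtps-myacs.example.com
if [ "$#" -eq 3 ]; then
    preflight_tls_secret "$1" "$2" "$3" && echo "OK: certificate and key pass the checks"
fi
```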

Deploy the latest version of Content Services Enterprise by running the command below (replace YOUR-DOMAIN-NAME with the hosted zone you created, and replace the email values accordingly). See the table of Configuration options for the full list of available options.

helm install acs alfresco/alfresco-content-services \
--set externalPort="443" \
--set externalProtocol="https" \
--set externalHost="acs.YOUR-DOMAIN-NAME" \
--set persistence.enabled=true \
--set persistence.storageClass.enabled=true \
--set persistence.storageClass.name="nfs-client" \
--set global.alfrescoRegistryPullSecrets=quay-registry-secret \
--set mail.host="smtp.gmail.com" \
--set mail.from.default="some.user@gmail.com" \
--set mail.username="some.user@gmail.com" \
--set mail.password="somepassword" \
--set mail.protocol=smtps \
--set mail.smtp.auth=true \
--set mail.smtps.auth=true \
--set email.server.enabled=true \
--set email.server.auth.enabled=true \
--set email.server.enableTLS=true \
--set email.server.domain=smtps-myacs.example.com \
--set email.inbound.unknownUser="some.user@gmail.com" \
--set email.ssl.secretName=your-cert-secret \
--set imap.server.enabled=true \
--set imap.server.imap.enabled=true \
--set imap.server.imaps.enabled=true \
--atomic \
--timeout 10m0s \
--namespace=alfresco

Note: If you're using Gmail or Yahoo as the outbound email server, your application's attempts to send outgoing emails may be blocked by the email provider due to its security policies, because it considers the authentication attempts to be suspicious. When this happens, you will receive a security alert at the corresponding email address. To proceed, you will need to manually confirm the validity of the authentication attempt before the email provider will permit the application to send outbound emails. See "Less secure apps & your Google Account" for more information.