
fix proxy protocol issue and refactored proxyprotocol configuration#519

Open
lodatol wants to merge 3 commits into Mailu:master from lodatol:master

Conversation


lodatol commented Nov 15, 2025


This pull request fixes #518

Problem

  • Two template conditions made it impossible to enable PROXY protocol correctly:
      • Fail if PROXY ports are enabled but .Values.ingress.realIpFrom is empty.
      • Fail if PROXY ports are enabled but .Values.ingress.realIpHeader is set.
  • The proxy protocol must be detected/handled by the frontend pod, but the original checks live under the ingress area and were conditionally comparing against a service defined elsewhere (frontend).
  • Because the front pod (dovecot proxy, nginx port 25 proxy) is shared between the optionally-deployed frontend load balancer and ingress, having proxy configuration split between ingress and frontend caused incompatible/contradictory validation and incorrect runtime behavior (remote IP not recognized; open relay custom config; spam/botnet IP matching failing).

What I changed

  • Moved PROXY protocol configuration and validation from the ingress templates/values into the frontend section.
  • Adjusted templates so PROXY ports, real IP header, and real IP CIDRs are defined and validated in the frontend scope only.
  • Removed contradictory checks that referenced .Values.ingress.* when the actual behavior depends on the frontend runtime.
  • Kept behavior such that enabling PROXY ports requires appropriate frontend real-IP configuration, but no longer blocks valid deployments when ingress is absent or configured separately.

Why this fixes it

  • The front pod is the component that must parse the PROXY protocol env variable and restore the real client IP; placing the config and validation there ensures the chart enforces the correct relationship between PROXY ports and real-IP settings.
  • This avoids mismatched configuration when service types (LoadBalancer, NodePort) and ingress are used independently or omitted.
  • Allows modern ingress/controllers that support TCP/UDP (for example NGINX with TCP load balancing + cert-manager) to be used without forcing ingress-level proxy settings.

Migration / Upgrade notes

  • If you previously tried to enable PROXY protocol via ingress.realIpFrom / ingress.realIpHeader, move those settings into the frontend section (see values file for exact keys).
  • On upgrade, validate that frontend realIpFrom (CIDRs) values are present when frontend.proxyProtocol.ports is non-empty.

Testing performed

  • Rendered templates with combinations of:
      • frontend proxy ports enabled/disabled
      • frontend.realIpFrom present/absent
      • ingress present/absent
  • Confirmed chart no longer fails templating with valid frontend-level proxy configuration and that pods will be recreated with the correct runtime flags.
  • Tested basic mail flow and IP-based spam rules in an environment using NGINX ingress controller with TCP load balancing to confirm real client IP is preserved.

Request for reviewers

  • Please review template changes in the frontend and ingress files for:
      • correctness of moved value names and paths
      • any references to .Values.ingress.proxyPort that should instead reference .Values.front.proxyProtocol.ports*
  • Verify examples/README and values.yaml are updated to show the new front.proxyProtocol keys.
  • Run a local render/helm lint and, if possible, deploy to a staging cluster that uses an ingress controller with TCP support.
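As an added illustration (not code from this PR or from the Mailu chart), a frontend-scoped Helm template fragment of the kind the description calls for: the render fails when PROXY ports are enabled without trusted real-IP CIDRs, and the same frontend values feed the front pod's environment, with nothing under .Values.ingress consulted. The value keys front.proxyProtocol.ports, front.realIpFrom and front.realIpHeader, the env names PROXY_PROTOCOL, REAL_IP_FROM and REAL_IP_HEADER, and the presence of empty-list defaults in values.yaml are all assumptions.

```yaml
{{/*
  Added example, not the Mailu chart's own template. Validation and env wiring
  both live in the frontend scope, so PROXY ports and real-IP settings are
  checked against each other in one place. Assumed keys: front.proxyProtocol.ports,
  front.realIpFrom, front.realIpHeader (values.yaml is assumed to define them,
  defaulting to empty lists). Assumed env names: PROXY_PROTOCOL, REAL_IP_FROM,
  REAL_IP_HEADER.
*/}}
{{- $proxyPorts := .Values.front.proxyProtocol.ports | default list }}
{{- $realIpFrom := .Values.front.realIpFrom | default list }}

{{/* Fail the render when PROXY protocol is enabled without trusted source CIDRs.
     Without this list the front pod would accept a peer-supplied client address
     from any connection, which is what breaks relay and IP-based spam rules. */}}
{{- if and (gt (len $proxyPorts) 0) (eq (len $realIpFrom) 0) }}
{{- fail "front.proxyProtocol.ports is set but front.realIpFrom is empty; list the CIDRs of the load balancer or ingress that terminates PROXY protocol" }}
{{- end }}

{{/* Only frontend values are referenced, so the check holds whether an ingress
     is deployed alongside the frontend service or not. */}}
env:
  - name: PROXY_PROTOCOL
    value: {{ join "," $proxyPorts | quote }}
  - name: REAL_IP_FROM
    value: {{ join "," $realIpFrom | quote }}
  {{- with .Values.front.realIpHeader }}
  - name: REAL_IP_HEADER
    value: {{ . | quote }}
  {{- end }}
```

With `front.proxyProtocol.ports: [25, 465]` and `front.realIpFrom: []`, `helm template` stops with the message above; adding the load balancer's CIDR to `front.realIpFrom` renders the env block.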

github-actions bot added the area/charts label on Nov 15, 2025

lodatol commented Nov 15, 2025


If helpful, I can provide an architecture diagram plus a ready-to-use values.yaml example showing how to configure PROXY protocol, ingress (TCP/UDP), and the frontend reverse-proxy in a private Kubernetes environment using a modern ingress controller.
What I will include:
  • A clear component diagram showing traffic flow from LoadBalancer → ingress controller (TCP/UDP) → frontend pod and where PROXY headers are handled
  • Concrete values.yaml snippets for frontend.proxyProtocol, frontend.realIpFrom, frontend.realIpHeader, and common ingress/tcp mappings
  • Notes on required ingress-controller configuration (NGINX example)

Say the word and I'll add the diagram and a few explanations.

github-actions bot added the area/docs label on Nov 16, 2025

lodatol commented Nov 16, 2025


I have also updated the README, the default values, and the missing sieve web port exposure.


lodatol commented Nov 16, 2025


Fixes #264 also.


Successfully merging this pull request may close these issues.

[BUG] - Proxy protocol not usable and not configurable
