fix: add SMTP relay on main server for Outline email auth

tools-server (85.193.83.9) has outbound SMTP ports 465/587 blocked by VPS
provider. Added tecnativa/postfix-relay container on main server that relays
to smtp.resend.com:587. Outline now uses ip_main:1025 as SMTP host.

- UFW rule: allow port 1025 from ip_tools only
- Remove stale authelia_image from docker pull list

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

roles/services/tasks/main.yml

@@ -24,14 +24,22 @@
     - "{{ loki_image }}"
     - "{{ promtail_image }}"
     - "{{ crowdsec_image }}"
-    - "{{ authelia_image }}"
     - "{{ uptime_kuma_image }}"
+    - "tecnativa/postfix-relay"
   register: pull_result
   changed_when: "'Status: Downloaded newer image' in pull_result.stdout"
   retries: 5
   delay: 30
   until: pull_result.rc == 0
 
+- name: Allow SMTP relay port from tools server
+  community.general.ufw:
+    rule: allow
+    port: "1025"
+    proto: tcp
+    src: "{{ ip_tools }}"
+    comment: "SMTP relay for tools-server Outline"
+
 - name: Deploy Docker Compose stack
   community.docker.docker_compose_v2:
     project_src: "{{ services_root }}"

roles/services/templates/docker-compose.yml.j2

@@ -570,3 +570,28 @@ services:
       interval: 30s
       timeout: 5s
       retries: 3
+
+  # ── SMTP Relay ─────────────────────────────────────────────────────────────
+  # Forwards mail from tools-server (85.193.83.9) to Resend SMTP.
+  # tools-server has outbound SMTP blocked by the VPS provider.
+  # Listens on 85.193.83.9:1025 (UFW allows only from ip_tools).
+  smtp-relay:
+    image: tecnativa/postfix-relay
+    container_name: smtp-relay
+    restart: unless-stopped
+    ports:
+      - "{{ ip_tools }}:1025:25"
+    networks:
+      - proxy
+    environment:
+      - MAILNAME={{ domain_base }}
+      - MAIL_RELAY_HOST=smtp.resend.com
+      - MAIL_RELAY_PORT=587
+      - MAIL_RELAY_USER=resend
+      - MAIL_RELAY_PASS={{ resend_api_key }}
+      - MAIL_RELAY_MYHOSTNAME=mail.{{ domain_base }}
+    logging:
+      driver: json-file
+      options:
+        max-size: "5m"
+        max-file: "2"

roles/tools/templates/env.j2

@@ -27,14 +27,12 @@ FILE_STORAGE=s3
 # Auth
 AUTH_PROVIDERS=email
 
-# SMTP via Resend
+# SMTP via relay on main server (tools-server has outbound SMTP blocked)
-SMTP_HOST=smtp.resend.com
+SMTP_HOST={{ ip_main }}
-SMTP_PORT=465
+SMTP_PORT=1025
-SMTP_USERNAME=resend
-SMTP_PASSWORD={{ resend_api_key }}
 SMTP_FROM_EMAIL=noreply@{{ domain_base }}
 SMTP_FROM_NAME=Visual Wiki
-SMTP_SECURE=true
+SMTP_SECURE=false
 
 # Outline DB password (used in docker-compose)
 OUTLINE_DB_PASSWORD={{ outline_db_password }}