Operations grimoire/Mail: Difference between revisions
Latest revision as of 06:36, 2 November 2024
The mail infrastructure is split between third-party services (Mailgun, Sendgrid) for web applications that want to use an API, and our own mail server for regular mailboxes.
Third party services
Mainly, they provide configuration wizards, logs, and API keys on a web interface.
Operations grimoire/External services says who to contact to debug issues, configure them, etc.
Nasqueron mail services
Architecture
We use the following servers:
- Postfix
  - 25 is for mail servers
  - 587 is for STARTTLS + user auth
- dovecot for IMAP / POP ✅
- SpamAssassin, OpenDKIM (see /DKIM) 🚧🔨⏳
- Sympa for the mailing lists 🚧🔨⏳
- PostgreSQL on cluster db-A to store user accounts and mailboxes ✅
- MariaDB on cluster db-B to store sympa data 🚧🔨⏳
- nginx to serve web applications ✅
When not specified otherwise, the services are located on Hervil.
The services with ✅ belong to the new installation and work correctly.
The services with 🚧🔨⏳ belong to the old installation and are being reinstalled as part of the Mail project on DevCentral.
User accounts are stored in a database. They are managed by ViMbAdmin (on https://admin.mail.nasqueron.org).
Sympa manages the mailing lists.
Webmail
Snappymail
There is only one account supported for administration:
- URL: https://mail.nasqueron.org/snappymail/?admin
- Credentials: stored in Vault at ops/infra/mailserver/snappymail
If a plugin uses a third-party service, Privacy/Mail needs to be updated.
Add a domain
1. Add it to https://admin.mail.nasqueron.org
2. Follow the /DKIM procedure
It's ready.
You may also want to declare the domain for autoconfig/autodiscover, but that is blocked by https://devcentral.nasqueron.org/T1116.
Hervil
Network
Routing tables

Internet:

Destination        Gateway          Flags  Netif  Expire
default            51.210.99.254    UGS    vmx1
51.210.99.254      link#2           UHS    vmx1
51.255.124.8/30    172.27.27.1      UGS    vmx0

For the SPF record, mail must leave from the IP 51.210.99.254.
To let acme.sh work, we add a route through router-001.
Troubleshoot
Dashboards
On Grafana, the following dashboards are available:
- Postfix: https://grafana.nasqueron.org/d/h36Havfik/postfix-legacy-dashboard?orgId=1
The following dashboards are missing, feel free to create one:
- Dovecot
Logs
On FreeBSD servers, mail logs are consolidated into /var/log/maillog by the syslog daemon.
Test sending e-mail with telnet or openssl clients
You can test STARTTLS with openssl s_client:
openssl s_client -connect mail.nasqueron.org:587 -starttls smtp -ign_eof -crlf
Flags:
- -starttls smtp is the option that sends the STARTTLS command.
- -ign_eof disables the interactive commands of s_client, so the TLS session is not renegotiated when you type R (as in RCPT TO).
- -crlf does not seem needed on FreeBSD, but seems needed on Fedora. It makes every line end with CRLF (\r\n), as SMTP requires.
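A non-interactive counterpart of the s_client test, added here as an example (not part of the wiki page): it parses the EHLO reply seen before and after STARTTLS and checks what a submission port should advertise (STARTTLS in the clear, AUTH only after STARTTLS). The two transcripts are constructed samples; only the default host and port come from the page.

```python
"""Non-interactive counterpart of the s_client test above: parse the EHLO
replies seen before and after STARTTLS and check the submission-port policy
(STARTTLS offered in the clear, AUTH only after STARTTLS).
Added example, not from the wiki page; the transcripts are constructed."""
import re
import smtplib
import ssl

# Matches the "250-KEYWORD ..." / "250 KEYWORD ..." lines of an EHLO reply.
_EHLO_LINE = re.compile(r"^250[ -](\S+)")


def parse_ehlo(transcript: str) -> set:
    """EHLO keywords (uppercased) from a raw SMTP transcript such as the text
    openssl s_client prints. The first 250 line is the server's greeting
    (its hostname), not a capability, so it is skipped."""
    matches = (_EHLO_LINE.match(line) for line in transcript.splitlines())
    keywords = [m.group(1).upper() for m in matches if m]
    return set(keywords[1:])


def check_submission(pre_tls: set, post_tls: set) -> list:
    """Policy findings for a port-587 submission service; empty means OK."""
    findings = []
    if "STARTTLS" not in pre_tls:
        findings.append("STARTTLS not advertised before TLS")
    if "AUTH" in pre_tls:
        findings.append("AUTH advertised before STARTTLS (credentials could go in clear)")
    if "AUTH" not in post_tls:
        findings.append("AUTH not advertised after STARTTLS")
    return findings


def probe(host="mail.nasqueron.org", port=587) -> list:
    """Live check: real EHLO on both sides of STARTTLS, certificate verified
    by the default context (what the s_client command shows interactively)."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        pre = {k.upper() for k in smtp.esmtp_features}
        smtp.starttls(context=ssl.create_default_context())
        smtp.ehlo()
        post = {k.upper() for k in smtp.esmtp_features}
    return check_submission(pre, post)


# Constructed sample replies (not captured from the real server).
PRE_TLS_REPLY = "250-mail.nasqueron.org\n250-PIPELINING\n250-SIZE 10240000\n250-STARTTLS\n250 8BITMIME\n"
POST_TLS_REPLY = "250-mail.nasqueron.org\n250-PIPELINING\n250-AUTH PLAIN LOGIN\n250 8BITMIME\n"
```

Run probe() against the real server from a host that can reach port 587; the parse functions let you check a pasted s_client transcript offline.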
@nasqueron.org must be sent through mail.nasqueron.org
An SPF record v=spf1 a:mail.nasqueron.org -all should exist.
If set, any application at app.nasqueron.org should:
- send mails using @app.nasqueron.org domain, not the generic @nasqueron.org one;
- define SPF and if possible DKIM records for this @app.nasqueron.org mail domain.
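To see what that record does to a sender, here is a minimal SPF evaluator added as an example (not from the wiki page): it covers the a, a:domain, ip4, include and all mechanisms and uses a constructed stub zone with RFC 5737 test addresses instead of real DNS, so it runs offline.

```python
"""Minimal SPF evaluator (RFC 7208 subset: a, a:domain, ip4, include, all)
showing why the record above forces every @nasqueron.org sender through
mail.nasqueron.org and why an app needs its own record for its own domain.
Added example, not from the wiki page; ZONE is a constructed stub resolver
with RFC 5737 test addresses, not Nasqueron's real DNS data."""
import ipaddress

ZONE = {  # constructed: name -> {"A": [...], "TXT": [...]}
    "nasqueron.org": {"TXT": ["v=spf1 a:mail.nasqueron.org -all"]},
    "mail.nasqueron.org": {"A": ["198.51.100.25"]},
    "app.nasqueron.org": {"A": ["198.51.100.80"], "TXT": ["v=spf1 a -all"]},
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name: str, rtype: str) -> list:
    """Stub DNS lookup; a real evaluator would query the resolver here."""
    return ZONE.get(name, {}).get(rtype, [])


def check_spf(ip: str, domain: str, depth: int = 0) -> str:
    """SPF result for `ip` claiming to send mail from @`domain`:
    pass / fail / softfail / neutral / none (no record) / permerror."""
    if depth > 10:  # RFC 7208 caps include: recursion
        return "permerror"
    records = [t for t in lookup(domain, "TXT") if t.startswith("v=spf1 ")]
    if len(records) != 1:
        return "none"
    sender = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = sender in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":  # bare "a" means the domain being checked
            matched = str(sender) in lookup(arg or domain, "A")
        elif mech == "include":
            matched = check_spf(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"  # mechanism outside this subset
        if matched:
            return RESULT[qualifier]
    return "neutral"  # nothing matched and no "all" term
```

With this zone, the app host passes for @app.nasqueron.org but fails for @nasqueron.org, which is exactly the situation the two bullets above avoid.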
Can't reach ACME DNS API
If acme.sh gets a 403 (only visible in --debug mode), the IP of the server isn't in geo_nasqueron.
Add a route through the router-001 gateway: route add 51.255.124.8/30 172.27.27.1
Brute-force attacks
You can block an individual IP or a range with pf, see Operations grimoire/Firewall.
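To find which IPs to block, the Logs section above gives the source: failed logins in /var/log/maillog. The following is an added example (not from the wiki page) that counts Dovecot and Postfix authentication failures per client IP and builds the pfctl commands; the pf table name "bruteforce" is an assumption and must exist in pf.conf, and SAMPLE_LOG is constructed in the real log formats with RFC 5737 test addresses.

```python
"""Count failed logins per client IP in /var/log/maillog and build the pf
commands blocking repeat offenders. Added example, not from the wiki page:
the pf table "bruteforce" is an assumption (declare it in pf.conf), and
SAMPLE_LOG is constructed in Dovecot/Postfix format with test addresses."""
import re
from collections import Counter

# Dovecot login process summary line; group 1 = attempts, group 2 = remote IP.
DOVECOT_RE = re.compile(
    r"dovecot(?:\[\d+\])?: \S+-login: .*\(auth failed, (\d+) attempts.*?rip=([0-9a-fA-F.:]+)")
# Postfix SASL failure; group 1 = remote IP.
POSTFIX_RE = re.compile(
    r"postfix/smtpd\[\d+\]: warning: \S+\[([0-9a-fA-F.:]+)\]: SASL \S+ authentication failed")


def count_failures(lines) -> Counter:
    """Failed authentication attempts per client IP."""
    failures = Counter()
    for line in lines:
        m = DOVECOT_RE.search(line)
        if m:
            failures[m.group(2)] += int(m.group(1))
            continue
        m = POSTFIX_RE.search(line)
        if m:
            failures[m.group(1)] += 1
    return failures


def offenders(lines, threshold: int = 10) -> list:
    """IPs with at least `threshold` failures, worst first."""
    return [ip for ip, n in count_failures(lines).most_common() if n >= threshold]


def pf_commands(ips, table: str = "bruteforce") -> list:
    """pfctl commands adding each IP to the (assumed) pf table."""
    return [f"pfctl -t {table} -T add {ip}" for ip in ips]


SAMPLE_LOG = """\
Nov  2 06:01:12 hervil dovecot[8123]: imap-login: Disconnected: Connection closed (auth failed, 3 attempts in 10 secs): user=<admin>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.25, TLS, session=<a1>
Nov  2 06:01:40 hervil dovecot[8123]: imap-login: Disconnected: Connection closed (auth failed, 3 attempts in 9 secs): user=<test>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.25, TLS, session=<a2>
Nov  2 06:02:03 hervil postfix/smtpd[9001]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Nov  2 06:02:05 hervil postfix/smtpd[9001]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Nov  2 06:02:07 hervil postfix/smtpd[9001]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: authentication failure
Nov  2 06:02:09 hervil postfix/smtpd[9001]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: authentication failure
Nov  2 06:03:00 hervil dovecot[8123]: pop3-login: Disconnected: Connection closed (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=192.0.2.44, lip=198.51.100.25, TLS, session=<a3>
Nov  2 06:03:30 hervil dovecot[8123]: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.45, lip=198.51.100.25, TLS, session=<a4>
""".splitlines()
```

On the server, feed it open("/var/log/maillog") instead of SAMPLE_LOG and review the printed commands before running them, since a shared NAT address would block legitimate users too.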