Operations grimoire/Mail
Latest revision as of 17:22, 3 February 2025
The mail infrastructure is split between third-party services (Mailgun, SendGrid) for web applications that want to use an API, and our own mail server for regular mailboxes.
Third party services
Mainly, they provide configuration wizards, logs, and API keys on a web interface.
Operations grimoire/External services says who to contact to debug any issue, configure them, etc.
Nasqueron mail services
Architecture
We run the following services:
- Postfix
  - port 25 (SMTP) for mail transfer between mail servers
  - port 587 (submission) for STARTTLS + user authentication
- Dovecot for IMAP / POP ✅
- SpamAssassin, OpenDKIM (see /DKIM) 🚧🔨⏳
- Sympa for the mailing lists 🚧🔨⏳
- PostgreSQL on cluster db-A to store user accounts and mailboxes ✅
- MariaDB on cluster db-B to store Sympa data 🚧🔨⏳
- nginx to serve web applications ✅
When not specified otherwise, the services are located on Hervil.
The services marked ✅ belong to the new installation and work correctly.
The services marked 🚧🔨⏳ belong to the old installation and are being reinstalled as part of the Mail project on DevCentral.
User accounts are stored in a database. They are managed by ViMbAdmin (on https://admin.mail.nasqueron.org).
Sympa manages the mailing lists.
Webmail
Snappymail
There is only one account supported for administration:
- URL: https://mail.nasqueron.org/snappymail/?admin
- Credentials: stored in Vault at ops/infra/mailserver/snappymail
If a plugin uses a third-party service, Privacy/Mail needs to be updated.
Add a domain
- Add it to https://admin.mail.nasqueron.org
- Follow /DKIM procedure
It's ready.
You may also want to declare the domain for autoconfig/autodiscover, but that is blocked by https://devcentral.nasqueron.org/T1116.
Hervil
Network
Routing tables
Internet:
Destination        Gateway            Flags     Netif Expire
default            51.210.99.254      UGS       vmx1
51.210.99.254      link#2             UHS       vmx1
51.255.124.8/30    172.27.27.1        UGS       vmx0
For the SPF record to match, outgoing mail must leave through the default route, via 51.210.99.254 on vmx1. To let acme.sh reach the ACME DNS API, the 51.255.124.8/30 route goes through router-001 instead.
SPF and DKIM records
SPF
Mails are currently sent from:
| Server | IPs | Description | Use cases | 
|---|---|---|---|
| hervil | n/a, +mx | SMTP | Users and applications mailboxes | 
| web-001 | 51.255.124.10/30 2001:41d0:303:d971::517e:c0de/56 | PHP applications | MediaWiki SaaS | 
Troubleshoot
Dashboards
On Grafana, the following dashboards are available:
The following dashboards are missing, feel free to create one:
- Dovecot
Logs
On FreeBSD servers, mail logs are consolidated into /var/log/maillog by syslog daemon.
Test to send e-mail with telnet or openssl clients
You can test STARTTLS with openssl s_client:
openssl s_client -connect mail.nasqueron.org:587 -starttls smtp -ign_eof -crlf
Flags:
- The -starttls smtp option makes the client send the STARTTLS command.
- The -ign_eof flag disables the interactive commands, to avoid renegotiating the TLS session when you type R (as in RCPT TO).
- The -crlf flag doesn't seem needed on FreeBSD but seems needed on Fedora: it makes the client always send \r\n (CRLF) as the end of line, as SMTP requires.
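The same test written with Python's smtplib, as an added example that is not part of the grimoire or of Nasqueron's tooling: it verifies the server certificate against the system trust store and flags a misconfiguration that is easy to miss in a raw openssl transcript, AUTH being advertised on the clear-text channel before STARTTLS. The host name mail.nasqueron.org comes from the page; the function names and the "ok" verdict are this example's own.

```python
import smtplib
import ssl
import sys


def assess_ehlo(before, after):
    """Judge the EHLO extension sets announced before and after STARTTLS.
    Both are dicts shaped like smtplib's SMTP.esmtp_features
    (lower-case extension name -> parameter string)."""
    report = {
        "starttls_offered": "starttls" in before,
        # AUTH on the clear-text channel lets a client send credentials before
        # the upgrade; Postfix avoids this with smtpd_tls_auth_only = yes.
        "auth_before_tls": "auth" in before,
        "auth_after_tls": "auth" in after,
        "auth_mechs_after_tls": sorted(after.get("auth", "").split()),
    }
    report["ok"] = (report["starttls_offered"]
                    and not report["auth_before_tls"]
                    and report["auth_after_tls"])
    return report


def check_submission(host, port=587, timeout=10):
    """Connect to the submission port, read EHLO, upgrade with STARTTLS while
    verifying the certificate, then read EHLO again (needs network access)."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED + hostname check
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        before = dict(smtp.esmtp_features)
        smtp.starttls(context=ctx)              # raises on an invalid certificate
        smtp.ehlo()                             # the upgrade resets the feature list
        after = dict(smtp.esmtp_features)
        report = assess_ehlo(before, after)
        report["tls_version"] = smtp.sock.version()
        return report


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.nasqueron.org"
    for key, value in check_submission(target).items():
        print(f"{key}: {value}")
```

Run it against the submission port after a Postfix change; a report with auth_before_tls set to True means the clear-text channel still advertises AUTH and the TLS-only setting should be checked.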
Mail from @nasqueron.org must be sent through mail.nasqueron.org.
An SPF record v=spf1 a:mail.nasqueron.org -all should exist for the domain.
With that record in place, any application hosted at app.nasqueron.org should:
- send mails using @app.nasqueron.org domain, not the generic @nasqueron.org one;
- define SPF and if possible DKIM records for this @app.nasqueron.org mail domain.
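An added example serving both the SPF source table above and the per-application rule just given (it is not code from the grimoire or from Nasqueron): a small SPF evaluator for the mechanisms in use here (a, mx, ip4, ip6, include, all and the redirect= modifier) over a constructed in-memory DNS fixture, so it runs offline and shows why an application box such as web-001 fails the @nasqueron.org record and needs its own domain. The record v=spf1 a:mail.nasqueron.org -all and web-001's 51.255.124.8/30 come from the page; every other address in the fixture is a documentation range and the example.org / sendgrid.example names are invented.

```python
import ipaddress
import re

# Constructed DNS fixture (an assumption for this example, not the real
# nasqueron.org zone): (name, record type) -> list of record values.
DNS = {
    ("nasqueron.org", "TXT"): ["v=spf1 a:mail.nasqueron.org -all"],
    ("mail.nasqueron.org", "A"): ["198.51.100.25"],
    ("mail.nasqueron.org", "AAAA"): ["2001:db8::25"],
    ("wiki.example.org", "TXT"): ["v=spf1 ip4:51.255.124.8/30 -all"],
    ("sendgrid.example", "TXT"): ["v=spf1 ip4:203.0.113.0/24 ~all"],
    ("app.example.org", "TXT"): ["v=spf1 include:sendgrid.example mx -all"],
    ("app.example.org", "MX"): ["mail.nasqueron.org"],
    ("loop.example", "TXT"): ["v=spf1 include:loop.example -all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: cap on DNS-querying mechanisms
TERM = re.compile(r"(?P<name>[a-z0-9]+)(?::(?P<arg>[^/]*))?(?:/(?P<cidr>\d{1,3}))?", re.I)


def lookup(name, rtype):
    return DNS.get((name.lower(), rtype), [])


def spf_record(domain):
    """The single v=spf1 TXT record of `domain`, or None (RFC 7208 section 4.5)."""
    recs = [r for r in lookup(domain, "TXT") if r == "v=spf1" or r.startswith("v=spf1 ")]
    return recs[0] if len(recs) == 1 else None


def host_matches(ip, name, cidr):
    """True if `ip` is covered by an A/AAAA record of `name`; the single /cidr
    syntax applies to A records only, IPv6 is compared as a full address."""
    rtype = "AAAA" if ip.version == 6 else "A"
    prefix = int(cidr) if (cidr and ip.version == 4) else ip.max_prefixlen
    return any(ip in ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
               for addr in lookup(name, rtype))


def check_spf(ip, domain, _state=None):
    """Evaluate the SPF record of `domain` for sending address `ip`.
    Returns pass, fail, softfail, neutral, none or permerror."""
    ip = ipaddress.ip_address(ip)
    state = _state if _state is not None else {"lookups": 0}
    record = spf_record(domain)
    if record is None:
        return "none"
    redirect = None
    for term in record.split()[1:]:
        if "=" in term:                      # modifier (redirect=, exp=)
            key, _, value = term.partition("=")
            if key.lower() == "redirect":
                redirect = value
            continue
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        m = TERM.fullmatch(term)
        if not m:
            return "permerror"
        name, arg, cidr = m["name"].lower(), m["arg"], m["cidr"]
        if name in ("a", "mx", "include"):
            state["lookups"] += 1
            if state["lookups"] > MAX_LOOKUPS:
                return "permerror"
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(f"{arg}/{cidr}" if cidr else arg, strict=False)
            matched = ip in net              # False when the IP versions differ
        elif name == "a":
            matched = host_matches(ip, arg or domain, cidr)
        elif name == "mx":
            matched = any(host_matches(ip, mx, cidr) for mx in lookup(arg or domain, "MX"))
        elif name == "include":
            sub = check_spf(ip, arg, state)
            if sub in ("none", "permerror"):  # RFC 7208 section 5.2
                return "permerror"
            matched = sub == "pass"
        else:                                 # ptr / exists not implemented here
            return "permerror"
        if matched:
            return QUALIFIERS[qual]
    if redirect:
        state["lookups"] += 1
        if state["lookups"] > MAX_LOOKUPS:
            return "permerror"
        return check_spf(ip, redirect, state)
    return "neutral"                          # nothing matched and no "all" term


if __name__ == "__main__":
    for sender, dom in [("198.51.100.25", "nasqueron.org"), ("51.255.124.10", "nasqueron.org"),
                        ("51.255.124.10", "wiki.example.org"), ("203.0.113.7", "app.example.org")]:
        print(f"{sender} as @{dom}: {check_spf(sender, dom)}")
```

The lookup counter matters in practice: a record chain that exceeds ten include/a/mx lookups is a permerror at most receivers, which is indistinguishable from a broken record, so keep the include chains of third-party senders short.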
Can't reach ACME DNS API
If you get a 403 when running acme.sh (only visible in --debug mode), the IP of the server isn't in geo_nasqueron.
Add a route to use the router-001 gateway: route add 51.255.124.8/30 172.27.27.1
Brute-force attacks
You can block an individual IP or a range with pf, see Operations grimoire/Firewall.
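An added example (not the grimoire's or Nasqueron's code) tying the Logs and Brute-force attacks sections together: it counts failed authentications per remote IP from /var/log/maillog lines and emits pfctl commands for the IPs over a threshold. The sample log lines are constructed to mimic Postfix SASL and Dovecot login failures; the pf table name bruteforce and the threshold of 5 are assumptions, and the rule that actually drops traffic from the table belongs in Operations grimoire/Firewall.

```python
import re
import sys
from collections import Counter

# Constructed sample of /var/log/maillog lines (an assumption: the shapes mimic
# Postfix SASL and Dovecot login failures, they are not real Nasqueron logs).
SAMPLE_MAILLOG = """\
Feb  3 17:01:02 hervil postfix/smtpd[5011]: warning: unknown[198.51.100.77]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb  3 17:01:05 hervil postfix/smtpd[5011]: warning: unknown[198.51.100.77]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb  3 17:01:09 hervil dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.9, lip=198.51.100.25, TLS, session=<a1>
Feb  3 17:01:12 hervil dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.4, lip=198.51.100.25, TLS, session=<b2>
Feb  3 17:01:20 hervil postfix/smtpd[5011]: warning: unknown[198.51.100.77]: SASL PLAIN authentication failed: authentication failure
Feb  3 17:01:44 hervil dovecot: pop3-login: Disconnected (auth failed, 3 attempts in 12 secs): user=<admin>, method=PLAIN, rip=203.0.113.9, lip=198.51.100.25, TLS, session=<c3>
Feb  3 17:02:01 hervil dovecot: imap-login: Aborted login (auth failed, 2 attempts in 5 secs): user=<root>, method=PLAIN, rip=203.0.113.9, lip=198.51.100.25, session=<d4>
Feb  3 17:02:30 hervil dovecot: imap-login: Disconnected (no auth attempts in 10 secs): user=<>, rip=192.0.2.200, lip=198.51.100.25, session=<e5>
"""

# Postfix logs one warning per failed SASL attempt on the submission port.
POSTFIX_SASL_FAIL = re.compile(
    r"postfix/smtpd\[\d+\]: warning: \S+\[(?P<ip>[0-9a-f.:]+)\]: SASL \w+ authentication failed", re.I)
# Dovecot logs one line per session, with the number of attempts it aggregated.
DOVECOT_AUTH_FAIL = re.compile(
    r"dovecot: \w+-login: .*?\(auth failed, (?P<n>\d+) attempts in \d+ secs\).*?rip=(?P<ip>[0-9a-f.:]+)", re.I)


def failed_auth_by_ip(lines):
    """Count failed authentication attempts per remote IP."""
    counts = Counter()
    for line in lines:
        m = POSTFIX_SASL_FAIL.search(line)
        if m:
            counts[m["ip"]] += 1
            continue
        m = DOVECOT_AUTH_FAIL.search(line)
        if m:
            counts[m["ip"]] += int(m["n"])
    return counts


def offenders(lines, threshold=5, allow=()):
    """IPs at or above `threshold` failures, skipping allow-listed ones
    (a monitoring probe, an admin VPN) so the script cannot lock us out."""
    counts = failed_auth_by_ip(lines)
    return sorted(ip for ip, n in counts.items() if n >= threshold and ip not in allow)


def pf_table_commands(ips, table="bruteforce"):
    """pfctl commands adding the IPs to a pf table (table name is an assumption;
    the block rule referencing the table lives in the Firewall grimoire page)."""
    return [f"pfctl -t {table} -T add {ip}" for ip in ips]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_MAILLOG.splitlines()
    for cmd in pf_table_commands(offenders(lines)):
        print(cmd)
```

Run it as python3 script.py /var/log/maillog and review the commands before applying them. Entries added this way stay in the table until removed; either clear them periodically or use the pf table expiry (pfctl -t bruteforce -T expire) so a shared or dynamic address is not blocked forever.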

