Operations grimoire/Mail: Difference between revisions
Edit summaries of the compared revisions: (→Log in to the server: -1) and (+snappymail); 5 intermediate revisions by the same user not shown.
Latest revision as of 06:36, 2 November 2024
The mail infrastructure is shared between third-party services (Mailgun, Sendgrid) for web applications that want to use an API, and our own mail server for regular mailboxes.
Third party services
Mainly, they provide configuration wizards, logs, and API keys on a web interface.
Operations grimoire/External services says who to contact to debug any issue, configure them, etc.
Nasqueron mail services
Architecture
We use the following server software:
- Postfix
  - port 25 is for mail servers
  - port 587 is for STARTTLS + user auth
- dovecot for IMAP / POP ✅
- SpamAssassin, OpenDKIM (see /DKIM) 🚧🔨⏳
- Sympa for the mailing lists 🚧🔨⏳
- PostgreSQL on cluster db-A to store user accounts and mailboxes ✅
- MariaDB on cluster db-B to store Sympa data 🚧🔨⏳
- nginx to serve web applications ✅
When not specified otherwise, the services are located on Hervil.
The services marked ✅ belong to the new installation and work correctly.
The services marked 🚧🔨⏳ belong to the old installation and are being reinstalled as part of the Mail project on DevCentral.
User accounts are stored in a database. They are managed by ViMbAdmin (on https://admin.mail.nasqueron.org).
Sympa manages the mailing lists.
Webmail
Snappymail
Only one administration account is supported:
- URL: https://mail.nasqueron.org/snappymail/?admin
- Credentials: stored in Vault at ops/infra/mailserver/snappymail
If a plugin uses a third-party service, Privacy/Mail needs to be updated.
Add a domain
- Add it to https://admin.mail.nasqueron.org
- Follow /DKIM procedure
It's ready.
You may also want to declare the domain for autoconfig/autodiscover, but that's blocked by https://devcentral.nasqueron.org/T1116.
Hervil
Network
Routing tables
Internet:
Destination        Gateway            Flags     Netif Expire
default            51.210.99.254      UGS       vmx1
51.210.99.254      link#2             UHS       vmx1
51.255.124.8/30    172.27.27.1        UGS       vmx0
For the SPF record, mail needs to go out from the IP 51.210.99.254. To permit acme.sh, we add a route through router-001.
Troubleshoot
Dashboards
On Grafana, the following dashboards are available:
The following dashboards are missing, feel free to create one:
- Dovecot
Logs
On FreeBSD servers, mail logs are consolidated into /var/log/maillog by the syslog daemon.
Test to send e-mail with telnet or openssl clients
You can test STARTTLS with openssl s_client:
openssl s_client -connect mail.nasqueron.org:587 -starttls smtp -ign_eof -crlf
Flags:
- The -starttls smtp option is the one that sends the STARTTLS command.
- The -ign_eof flag disables interactive commands, to avoid renegotiating the TLS session when you press R (as in RCPT TO).
- The -crlf flag doesn't seem needed on FreeBSD, but seems needed on Fedora. It makes the client always send \CR\LF (\r\n) as end of line.
Mail from @nasqueron.org must be sent through mail.nasqueron.org
An SPF record v=spf1 a:mail.nasqueron.org -all should exist.
Any application app.nasqueron.org that sends mail should:
- send mail using the @app.nasqueron.org domain, not the generic @nasqueron.org one;
- define SPF and, if possible, DKIM records for this @app.nasqueron.org mail domain.
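To see what the SPF policy above actually decides for a given connecting IP, here is a small evaluator, added as an example and not part of the Nasqueron tooling. It implements only the mechanisms the page's records need (a, a:host, ip4: and all; no include, redirect, macros or DNS-lookup limits from RFC 7208). The DNS answers are an embedded, constructed map: only the nasqueron.org SPF string comes from the page, while the A record addresses, the app.nasqueron.org record and the 198.51.100.0/24 addresses are assumptions for the demonstration.

```python
import ipaddress

# Constructed DNS answers for this example (assumptions, not data from the page);
# a real evaluator queries DNS. Only the nasqueron.org SPF string is from the page.
DNS = {
    ("nasqueron.org", "TXT"): ["v=spf1 a:mail.nasqueron.org -all"],
    ("mail.nasqueron.org", "A"): ["198.51.100.25"],
    # Hypothetical per-application domain publishing its own SPF record.
    ("app.nasqueron.org", "TXT"): ["v=spf1 ip4:198.51.100.64/27 a -all"],
    ("app.nasqueron.org", "A"): ["198.51.100.80"],
}

RESULT_BY_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, dns=DNS):
    """Evaluate the SPF record of `domain` for the connecting IP `sender_ip`.

    Supports the a, a:host, ip4: and all mechanisms, which covers the records
    discussed on this page. Any other mechanism yields 'permerror'.
    """
    ip = ipaddress.ip_address(sender_ip)
    records = [r for r in dns.get((domain, "TXT"), [])
               if r == "v=spf1" or r.startswith("v=spf1 ")]
    if not records:
        return "none"          # no SPF record published for this domain
    if len(records) > 1:
        return "permerror"     # several v=spf1 records are an error
    for term in records[0].split()[1:]:
        qualifier = "+"        # mechanisms default to the "+" (pass) qualifier
        if term[0] in RESULT_BY_QUALIFIER:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term == "a" or term.startswith("a:"):
            # "a" alone means the A records of the domain itself
            host = domain if term == "a" else term[2:]
            matched = any(ipaddress.ip_address(a) == ip
                          for a in dns.get((host, "A"), []))
        elif term.startswith("ip4:"):
            # An IPv6 sender is never inside an IPv4 network
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        else:
            return "permerror"
        if matched:
            return RESULT_BY_QUALIFIER[qualifier]
    return "neutral"           # nothing matched and no "all" term present


if __name__ == "__main__":
    for domain, ip in [("nasqueron.org", "198.51.100.25"),
                       ("nasqueron.org", "203.0.113.9"),
                       ("app.nasqueron.org", "198.51.100.70")]:
        print(domain, ip, "->", check_spf(domain, ip))
```

With the -all qualifier, anything not relayed through mail.nasqueron.org (or, for the application domain, not inside its listed range) is a hard fail, which is the behaviour the page asks for.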
Can't reach ACME DNS API
If you get a 403 when running acme.sh (only visible in --debug mode), the IP of the server isn't in geo_nasqueron.
Add a route to use the router-001 gateway: route add 51.255.124.8/30 172.27.27.1
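The routing table under Hervil / Network and this ACME troubleshooting step describe the same thing: traffic for 51.255.124.8/30 must leave through router-001 (172.27.27.1 on vmx0) while everything else takes the default gateway. The following script, added here as an example and not part of the Nasqueron tooling, parses netstat -rn style output, performs the longest-prefix match the kernel does, and reports the route add command from the page when the /30 is missing. The sample table is constructed from the entries shown on the page; any other address used below is a documentation address chosen for the demonstration.

```python
import ipaddress

# Constructed sample in FreeBSD `netstat -rn` format, modelled on the page's table.
ROUTING_TABLE_TEXT = """\
Internet:
Destination        Gateway            Flags     Netif Expire
default            51.210.99.254      UGS       vmx1
51.210.99.254      link#2             UHS       vmx1
51.255.124.8/30    172.27.27.1        UGS       vmx0
"""

# From the page: route add 51.255.124.8/30 172.27.27.1
ACME_ROUTE = ("51.255.124.8/30", "172.27.27.1")


def parse_routes(text):
    """Parse netstat -rn output into (network, gateway, flags, netif) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] in ("Internet:", "Destination"):
            continue
        dest, gateway, flags, netif = parts[:4]
        # "default" is 0.0.0.0/0; a bare address is a host (/32) route.
        network = ipaddress.ip_network("0.0.0.0/0" if dest == "default" else dest,
                                       strict=False)
        routes.append((network, gateway, flags, netif))
    return routes


def lookup(routes, destination_ip):
    """Longest-prefix match: the most specific route containing the destination wins."""
    addr = ipaddress.ip_address(destination_ip)
    candidates = [r for r in routes if addr in r[0]]
    return max(candidates, key=lambda r: r[0].prefixlen) if candidates else None


def has_acme_route(routes):
    """True when the /30 towards router-001 that acme.sh needs is present."""
    wanted = ipaddress.ip_network(ACME_ROUTE[0])
    return any(net == wanted and gw == ACME_ROUTE[1] for net, gw, _, _ in routes)


def fix_command(routes):
    """Return the page's route add command if the ACME route is missing, else None."""
    if has_acme_route(routes):
        return None
    return f"route add {ACME_ROUTE[0]} {ACME_ROUTE[1]}"


if __name__ == "__main__":
    routes = parse_routes(ROUTING_TABLE_TEXT)
    for ip in ("51.255.124.10", "198.51.100.7"):
        net, gw, flags, netif = lookup(routes, ip)
        print(f"{ip} -> {net} via {gw} on {netif} ({flags})")
    print("ACME route present:", has_acme_route(routes))
```

Running lookup on an address inside 51.255.124.8/30 returns the vmx0 route via 172.27.27.1, while a random Internet address falls back to the default route via 51.210.99.254; if the /30 entry is absent, fix_command returns exactly the command the page gives.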
Brute-force attacks
You can block an individual IP or a range with pf, see Operations grimoire/Firewall.
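Before blocking anything, you need to know which addresses are hammering the server. The script below, added as an example and not part of the Nasqueron tooling, reads lines in the /var/log/maillog format mentioned under Logs, sums dovecot "auth failed" attempts and Postfix SASL authentication failures per client IP, and prints pfctl table commands for the addresses over a threshold. The log lines are constructed for the demonstration; the table name "bruteforce" and the threshold are assumptions, and the actual pf setup is the one described in Operations grimoire/Firewall.

```python
import re
from collections import Counter

# Constructed sample of /var/log/maillog lines (syslog format); not from the page.
SAMPLE_MAILLOG = """\
Nov  2 06:30:01 hervil dovecot[1234]: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.9, lip=192.0.2.10, TLS
Nov  2 06:30:02 hervil dovecot[1234]: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=203.0.113.9, lip=192.0.2.10, TLS
Nov  2 06:30:03 hervil postfix/smtpd[2345]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov  2 06:30:04 hervil postfix/smtpd[2345]: warning: unknown[198.51.100.77]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov  2 06:30:05 hervil dovecot[1234]: imap-login: Login: user=<carol>, method=PLAIN, rip=198.51.100.5, lip=192.0.2.10, TLS
Nov  2 06:30:06 hervil dovecot[1234]: imap-login: Disconnected (auth failed, 3 attempts in 9 secs): user=<admin>, method=PLAIN, rip=203.0.113.9, lip=192.0.2.10, TLS
"""

# dovecot reports how many attempts happened in the session before disconnecting
DOVECOT_FAIL = re.compile(
    r"dovecot\[\d+\]: \S+-login: Disconnected \(auth failed, (\d+) attempts.*?rip=([0-9a-fA-F.:]+)")
# Postfix logs one warning per failed SASL authentication, with the client in brackets
POSTFIX_FAIL = re.compile(
    r"postfix/smtpd\[\d+\]: warning: \S+\[([0-9a-fA-F.:]+)\]: SASL \w+ authentication failed")


def count_auth_failures(log_text):
    """Return a Counter of failed authentication attempts per client IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DOVECOT_FAIL.search(line)
        if m:
            counts[m.group(2)] += int(m.group(1))
            continue
        m = POSTFIX_FAIL.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def offenders(log_text, threshold=5):
    """IPs with at least `threshold` failed attempts (threshold is an assumption)."""
    return sorted(ip for ip, n in count_auth_failures(log_text).items() if n >= threshold)


def pf_commands(ips, table="bruteforce"):
    """pfctl commands adding each IP to a pf table; the table name is hypothetical."""
    return [f"pfctl -t {table} -T add {ip}" for ip in ips]


if __name__ == "__main__":
    for ip, n in count_auth_failures(SAMPLE_MAILLOG).most_common():
        print(f"{ip}: {n} failed attempts")
    for cmd in pf_commands(offenders(SAMPLE_MAILLOG)):
        print(cmd)
```

The pf table still has to be referenced by a block rule in pf.conf for the additions to have any effect; a single failure from an address (like 198.51.100.77 above) stays below the threshold, so ordinary typos don't get users locked out.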