Operations grimoire/Mail: Difference between revisions

From Nasqueron Agora
No edit summary
(+snappymail)
 
(19 intermediate revisions by 2 users not shown)
Line 1: Line 1:
The mail infrastructure is shared between third party services (Mailgun, Sendgrid) for web applications willing to use API and our own mail server for regular mailboxes.
The mail infrastructure is shared between third party services (Mailgun, Sendgrid) for web applications willing to use API and our own mail server for regular mailboxes.
<div style="float: right; width: 22em; border: solid 2px black; padding: 1em;>
'''{{FULLPAGENAME}}'''
{{Special:Prefixindex/{{FULLPAGENAME}}/}}
</div>


== Third party services ==
== Third party services ==
Line 7: Line 12:


== Nasqueron mail services ==
== Nasqueron mail services ==
=== Architecture ===
=== Architecture ===
We use the following servers:
We use the following servers:
* Postfix
* Postfix  
** 25 is for mail servers
** 25 is for mail servers
** 587 is for STARTTLS + user auth
** 587 is for STARTTLS + user auth
* dovecot for IMAP / POP
* dovecot for IMAP / POP
* SpamAssassin, OpenDKIM (see [[/DKIM]])
* SpamAssassin, OpenDKIM (see [[/DKIM]]) 🚧🔨⏳
* Sympa for the mailing lists
* Sympa for the mailing lists 🚧🔨⏳
* MySQL to store user accounts mailboxes and sympa data
* PostgreSQL on cluster db-A to store user accounts mailboxes
* nginx to serve web applications
* MariaDB  on cluster db-B to store sympa data 🚧🔨⏳
* nginx to serve web applications
 
When not specified otherwise, the services are located on Hervil.


/etc/postfix and /etc/dovecot are Git repositories, so commit your configuration changes.
The services with ✅ belong to the new installation and works correctly.


User accounts are stored in a MySQL database. They are managed by ViMbAdmin (on https://vma.nasqueron.org).
The services with 🚧🔨⏳ belong to the old installation and are being reinstalled as part of the Mail project on DevCentral.
 
User accounts are stored in a database. They are managed by ViMbAdmin (on https://admin.mail.nasqueron.org).


Sympa manages the mailing lists.
Sympa manages the mailing lists.


A nginx server serves vma as vma.nasqinternal, Roundcube as mail.nasqinternal and Sympa.
=== Webmail ===
On Dwellers, nginx assumes SSL termination and the relevant vhosts like mail.nasqueron.org, mail.wolfplex.be, etc.
==== Snappymail ====


All that should be migrated to configuration as code to be managed through Salt.
There is only one account supported for administration:


A lxc container has been chosen for more stability: Docker assumes we can respin containers, host OS can change. The lxc container is isolated, stable and lxc doesn't ask restarts.
* URL: https://mail.nasqueron.org/snappymail/?admin
* Credentials: stored in Vault at ops/infra/mailserver/snappymail


=== Log in to the server ===
If a plugin uses a third-party service, [[Privacy/Mail]] needs to be updated.
Mail server lives on the lxc container <code>mailserver</code> on [[Dwellers]].


To access it, you must so:
=== Add a domain ===
  * ssh dwellers
  * attach to the container (<code>lxc-attach -n mailserver [tcsh]</code>)


If you need to access a lxc container, you can script something do to:
# Add it to https://admin.mail.nasqueron.org
<code>$SSH $LXC_SERVER $LXC_EXEC $CONTAINER_NAME $LXC_COMMAND</code>
# Follow [[/DKIM]] procedure


Here, it would be <code>ssh -t dwellers.nasqueron.org sudo lxc-attach -n mailserver tcsh</code>.
It's ready.


To be able to use sudo for lxc-attach, you must belong to the `ops` group.
You can also be willing to declare the domain to autoconfig/autodiscover, but that's blocked by https://devcentral.nasqueron.org/T1116.


=== Add a domain ===
== Hervil ==
 
=== Network ===
Routing tables
 
    Internet:
    Destination        Gateway            Flags    Netif Expire
    default            51.210.99.254      UGS        vmx1
    51.210.99.254      link#2            UHS        vmx1
    51.255.124.8/30    172.27.27.1        UGS        vmx0
 
For SPF record we need to make the mail go out from the ip : 51.210.99.254
To permit acme.sh we make a route thrugh router.OO1
 
== Troubleshoot ==
=== Dashboards ===
On Grafana, the following dashboards are available:
* [https://grafana.nasqueron.org/d/h36Havfik/postfix-legacy-dashboard?orgId=1 Postfix]
 
The following dashboards are missing, feel free to create one:
* Dovecot
 
=== Logs ===
On FreeBSD servers, mail logs are consolidated into <code>/var/log/maillog</code> by syslog daemon.
 
=== Test to send e-mail with telnet or openssl clients ===
 
You can test STARTTLS with openssl s_client:
 
    openssl s_client -connect mail.nasqueron.org:587 -starttls smtp -ign_eof -crlf
 
Flags:
  * The -starttls smtp option is the one to send the STARTTLS command
  * The -ign_eof flag disables interactive commands, to avoid to renegotiate the TLS session when you press R (like in RCPT TO).
  * The -crlf flag doesn't seem needed on FreeBSD, but seem needed on Fedora. It allows to always use \CR\LF (\r\n) as EOL.
 
=== @nasqueron.org must be sent through mail.nasqueron.org ===
A SPF record ''v=spf1 a:mail.nasqueron.org -all'' should exist.
 
If set, any application app.nasqueron.org should:
* send mails using @app.nasqueron.org domain, not the generic @nasqueron.org one;
* define SPF and if possible DKIM records for this @app.nasqueron.org mail domain.
 
=== Can't reach ACME DNS API ===
 
If you got a 403 by running acme.sh (only visible in --debug mode), the IP of the server isn't in geo_nasqueron.
 
Add a route to use router-001 gateway: <code>route add 51.255.124.8/30 172.27.27.1</code>


1. Add it to https://vma.nasqueron.org
=== Brute-force attacks ===
2. Follow [[/DKIM]] procedure


It's ready.
You can block individual IP or a range with pf, see [[Operations grimoire/Firewall]].


You can also be willing to declare the domain to autoconfig/autodiscover, but that's blocked by https://devcentral.nasqueron.org/T1116.
[[Category:Mail]]

Latest revision as of 06:36, 2 November 2024

The mail infrastructure is shared between third party services (Mailgun, Sendgrid) for web applications willing to use API and our own mail server for regular mailboxes.

Third party services

Mainly, they provide configuration wizards, logs, and API keys on a web interface.

Operations grimoire/External services says who to contact to debug any issue, configure them, etc.

Nasqueron mail services

Architecture

We use the following servers:

  • Postfix
    • 25 is for mail servers
    • 587 is for STARTTLS + user auth
  • dovecot for IMAP / POP ✅
  • SpamAssassin, OpenDKIM (see /DKIM) 🚧🔨⏳
  • Sympa for the mailing lists 🚧🔨⏳
  • PostgreSQL on cluster db-A to store user accounts mailboxes ✅
  • MariaDB on cluster db-B to store sympa data 🚧🔨⏳
  • nginx to serve web applications ✅

When not specified otherwise, the services are located on Hervil.

The services with ✅ belong to the new installation and works correctly.

The services with 🚧🔨⏳ belong to the old installation and are being reinstalled as part of the Mail project on DevCentral.

User accounts are stored in a database. They are managed by ViMbAdmin (on https://admin.mail.nasqueron.org).

Sympa manages the mailing lists.

Webmail

Snappymail

There is only one account supported for administration:

If a plugin uses a third-party service, Privacy/Mail needs to be updated.

Add a domain

  1. Add it to https://admin.mail.nasqueron.org
  2. Follow /DKIM procedure

It's ready.

You can also be willing to declare the domain to autoconfig/autodiscover, but that's blocked by https://devcentral.nasqueron.org/T1116.

Hervil

Network

Routing tables

   Internet:
   Destination        Gateway            Flags     Netif Expire
   default            51.210.99.254      UGS        vmx1
   51.210.99.254      link#2             UHS        vmx1
   51.255.124.8/30    172.27.27.1        UGS        vmx0

For SPF record we need to make the mail go out from the ip : 51.210.99.254 To permit acme.sh we make a route thrugh router.OO1

Troubleshoot

Dashboards

On Grafana, the following dashboards are available:

The following dashboards are missing, feel free to create one:

  • Dovecot

Logs

On FreeBSD servers, mail logs are consolidated into /var/log/maillog by syslog daemon.

Test to send e-mail with telnet or openssl clients

You can test STARTTLS with openssl s_client:

   openssl s_client -connect mail.nasqueron.org:587 -starttls smtp -ign_eof -crlf 

Flags:

 * The -starttls smtp option is the one to send the STARTTLS command
 * The -ign_eof flag disables interactive commands, to avoid to renegotiate the TLS session when you press R (like in RCPT TO).
 * The -crlf flag doesn't seem needed on FreeBSD, but seem needed on Fedora. It allows to always use \CR\LF (\r\n) as EOL.

@nasqueron.org must be sent through mail.nasqueron.org

A SPF record v=spf1 a:mail.nasqueron.org -all should exist.

If set, any application app.nasqueron.org should:

  • send mails using @app.nasqueron.org domain, not the generic @nasqueron.org one;
  • define SPF and if possible DKIM records for this @app.nasqueron.org mail domain.

Can't reach ACME DNS API

If you got a 403 by running acme.sh (only visible in --debug mode), the IP of the server isn't in geo_nasqueron.

Add a route to use router-001 gateway: route add 51.255.124.8/30 172.27.27.1

Brute-force attacks

You can block individual IP or a range with pf, see Operations grimoire/Firewall.