Operations grimoire/Mail: Difference between revisions
Revision as of 20:06, 3 October 2024
The mail infrastructure is split between third party services (Mailgun, Sendgrid) for web applications that want to use an API, and our own mail server for regular mailboxes.
Third party services
Mainly, they provide configuration wizards, logs, and API keys on a web interface.
Operations grimoire/External services says who to contact to debug any issue, configure them, etc.
Nasqueron mail services
Architecture
We use the following servers:
- Postfix
  - port 25 is for mail servers
  - port 587 is for STARTTLS + user auth
- Dovecot for IMAP / POP
- SpamAssassin, OpenDKIM (see /DKIM)
- Sympa for the mailing lists
- MySQL to store user accounts, mailboxes and Sympa data
- nginx to serve web applications
/etc/postfix and /etc/dovecot are Git repositories, so commit your configuration changes.
User accounts are stored in a MySQL database. They are managed by ViMbAdmin (on https://vma.nasqueron.org).
Sympa manages the mailing lists.
An nginx server serves vma as vma.nasqinternal, Roundcube as mail.nasqinternal, and Sympa. On Dwellers, nginx handles SSL termination and the relevant vhosts like mail.nasqueron.org, mail.wolfplex.be, etc.
All of that should be migrated to configuration as code managed through Salt.
An lxc container has been chosen for stability: Docker assumes containers can be respun and the host OS can change, whereas the lxc container is isolated, stable, and doesn't require restarts.
Log in to the server
The mail server lives in the lxc container mailserver on Dwellers.
To access it:
* ssh dwellers
* attach to the container: lxc-attach -n mailserver [tcsh]
If you need to access an lxc container, you can script something along the lines of:
$SSH $LXC_SERVER $LXC_EXEC $CONTAINER_NAME $LXC_COMMAND
Here, it would be ssh -t dwellers.nasqueron.org sudo lxc-attach -n mailserver tcsh.
To be able to use sudo for lxc-attach, you must belong to the `ops` group.
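The template above, turned into a small wrapper. This is an added example for this page, not a Nasqueron script: it maps the $SSH, $LXC_SERVER, $LXC_EXEC, $CONTAINER_NAME and $LXC_COMMAND variables onto an argv list (so the container name stays a single argument and cannot smuggle extra shell commands in), validates the name, and offers a dry-run mode. The defaults (dwellers.nasqueron.org, sudo lxc-attach, tcsh) come from the page; the environment variable names and the name pattern are assumptions of the example.

```python
"""Wrapper that builds and runs the lxc-attach command for a container.

Added example, not the project's own tooling. Defaults reproduce the
command given on the page; overriding them through environment variables
(LXC_SERVER, LXC_EXEC, LXC_COMMAND) is an assumption of this example.
"""
import os
import re
import subprocess
import sys

# Names an lxc container can reasonably have; anything else (spaces, ';',
# '$', quotes) is rejected rather than passed to a remote shell.
CONTAINER_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]*$")

DEFAULT_SERVER = os.environ.get("LXC_SERVER", "dwellers.nasqueron.org")
DEFAULT_LXC_EXEC = os.environ.get("LXC_EXEC", "sudo lxc-attach")
DEFAULT_COMMAND = os.environ.get("LXC_COMMAND", "tcsh")


def is_valid_container_name(name):
    """True when the name matches the conservative pattern above."""
    return bool(CONTAINER_NAME_RE.match(name))


def build_lxc_attach_cmd(container, server=DEFAULT_SERVER,
                         lxc_exec=DEFAULT_LXC_EXEC, command=DEFAULT_COMMAND):
    """Return argv for: ssh -t <server> <lxc_exec> -n <container> <command>.

    A list is returned instead of a string so that subprocess passes each
    element as its own argument; the container name is validated first.
    """
    if not is_valid_container_name(container):
        raise ValueError(f"invalid container name: {container!r}")
    # -t allocates a tty so the interactive shell inside the container works.
    return ["ssh", "-t", server, *lxc_exec.split(), "-n", container, command]


def main(argv):
    """Usage: lxc_attach.py [--dry-run] [container]  (default: mailserver)."""
    args = [a for a in argv[1:] if a != "--dry-run"]
    dry_run = "--dry-run" in argv
    container = args[0] if args else "mailserver"
    cmd = build_lxc_attach_cmd(container)
    print(" ".join(cmd))
    if dry_run:
        return 0
    # Remote sudo still requires membership of the `ops` group on the server.
    return subprocess.call(cmd)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with --dry-run first to see the exact command it will execute; the `ops` group requirement is enforced by sudo on Dwellers, not by this wrapper.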
Add a domain
- Add it to https://vma.nasqueron.org
- Follow /DKIM procedure
It's ready.
You may also want to declare the domain for autoconfig/autodiscover, but that's blocked by https://devcentral.nasqueron.org/T1116.
New deploy thinking
ViMbAdmin advantages | ViMbAdmin inconveniences | Salt pillar advantages | Salt pillar inconveniences
---|---|---|---
Editable interface | Configuration split | Unified configuration | Private Salt repository needed for privacy
Easy to use interface | Should be installed on the same server as the mail server | |
Easy solution for users to change their passwords | | |
An administrator of an external domain for hosting of other open source projects | | |
Hervil
Network
Routing tables
Internet:
Destination        Gateway          Flags  Netif  Expire
default            51.210.99.254    UGS    vmx1
51.210.99.254      link#2           UHS    vmx1
51.255.124.8/30    172.27.27.1      UGS    vmx0
For the SPF record, we need to make the mail go out from the IP 51.210.99.254. To permit acme.sh, we make a route through router.OO1.
Troubleshoot
Dashboards
On Grafana, the following dashboards are available:
The following dashboards are missing, feel free to create one:
- Dovecot
Logs
On FreeBSD servers, mail logs are consolidated into /var/log/maillog by the syslog daemon.
Test to send e-mail with telnet or openssl clients
You can test STARTTLS with openssl s_client:
openssl s_client -connect mail.nasqueron.org:587 -starttls smtp -ign_eof -crlf
Flags:
* The -starttls smtp option is the one that sends the STARTTLS command.
* The -ign_eof flag disables interactive commands, to avoid renegotiating the TLS session when you press R (like in RCPT TO).
* The -crlf flag doesn't seem needed on FreeBSD, but seems needed on Fedora. It makes the client always use \CR\LF (\r\n) as EOL.
Mail from @nasqueron.org must be sent through mail.nasqueron.org.
An SPF record v=spf1 a:mail.nasqueron.org -all should exist.
If set up, any application app.nasqueron.org should:
- send mails using @app.nasqueron.org domain, not the generic @nasqueron.org one;
- define SPF and if possible DKIM records for this @app.nasqueron.org mail domain.
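To see what the SPF record above (and the routing requirement in the Network section that mail leave from 51.210.99.254) actually enforces, here is a minimal evaluator for the "a", "ip4" and "all" mechanisms. It is an added example, not part of this page or of any Nasqueron tool, and it does no DNS: the A records it consults are a constructed table, and in particular the mapping of mail.nasqueron.org to 51.210.99.254 is an assumption of the example, as is the address invented for nasqueron.org itself.

```python
"""Minimal SPF evaluator (mechanisms: a, a:host, ip4, all) for illustration.

Added example; not Nasqueron code. DNS answers are a constructed table so
the script runs offline: the A record of mail.nasqueron.org is ASSUMED to
be 51.210.99.254, the address the page says mail must leave from, and the
nasqueron.org address is invented for the example.
"""
import ipaddress

# Constructed DNS view: hostname -> A records (assumption, not a lookup).
DNS_A = {
    "mail.nasqueron.org": ["51.210.99.254"],
    "nasqueron.org": ["203.0.113.10"],  # documentation-range address, constructed
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) terms."""
    fields = record.split()
    if not fields or fields[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    terms = []
    for field in fields[1:]:
        qualifier = "+"  # an unqualified mechanism means "pass"
        if field[0] in QUALIFIERS:
            qualifier, field = field[0], field[1:]
        mech, _, arg = field.partition(":")
        terms.append((qualifier, mech.lower(), arg))
    return terms


def evaluate_spf(record, sender_ip, domain, dns=DNS_A):
    """Return pass/fail/softfail/neutral for sender_ip sending as domain.

    Mechanisms are tried left to right; the first match decides, as in
    RFC 7208. Only the subset needed for the page's record is implemented.
    """
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mech, arg in parse_spf(record):
        if mech == "all":
            matched = True
        elif mech == "a":
            host = arg or domain  # bare "a" refers to the sending domain itself
            matched = any(ipaddress.ip_address(a) == ip for a in dns.get(host, []))
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            raise ValueError(f"mechanism {mech!r} is not supported by this example")
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no term matched and no "all" at the end


if __name__ == "__main__":
    record = "v=spf1 a:mail.nasqueron.org -all"
    for ip in ("51.210.99.254", "203.0.113.10"):
        print(ip, "->", evaluate_spf(record, ip, "nasqueron.org"))
```

With the page's record, only the address of mail.nasqueron.org passes; a message leaving through any other interface, including the sending domain's own web host, hits -all and fails, which is exactly why the outgoing route must go through 51.210.99.254.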