Operations grimoire/Mail
The mail infrastructure is shared between third party services (Mailgun, Sendgrid) for web applications that want to use an API, and our own mail server for regular mailboxes.
Third party services
Mainly, they provide configuration wizards, logs, and API keys on a web interface.
Operations grimoire/External services says who to contact to debug any issue, configure them, etc.
Nasqueron mail services
Architecture
We use the following servers:
- Postfix
  - port 25 is for mail servers (MTA to MTA)
  - port 587 is for STARTTLS + user authentication (submission)
- Dovecot for IMAP / POP ✅
- SpamAssassin, OpenDKIM (see /DKIM) 🚧🔨⏳
- Sympa for the mailing lists 🚧🔨⏳
- PostgreSQL on cluster db-A to store user accounts and mailboxes ✅
- MariaDB on cluster db-B to store Sympa data 🚧🔨⏳
- nginx to serve web applications ✅
When not specified otherwise, the services are located on Hervil.
The services with ✅ belong to the new installation and work correctly.
The services with 🚧🔨⏳ belong to the old installation and are being reinstalled as part of the Mail project on DevCentral.
User accounts are stored in a database. They are managed by ViMbAdmin (on https://admin.mail.nasqueron.org).
Sympa manages the mailing lists.
Add a domain
- Add it to https://admin.mail.nasqueron.org
- Follow /DKIM procedure
It's ready.
You may also want to declare the domain for autoconfig/autodiscover, but that is blocked by https://devcentral.nasqueron.org/T1116.
Hervil
Network
Routing tables
Internet:
Destination        Gateway            Flags   Netif  Expire
default            51.210.99.254      UGS     vmx1
51.210.99.254      link#2             UHS     vmx1
51.255.124.8/30    172.27.27.1        UGS     vmx0

For the SPF record, mail needs to go out from the IP 51.210.99.254. To let acme.sh reach the ACME DNS API, a route is added through router-001 (the 51.255.124.8/30 entry above).
Troubleshoot
Dashboards
On Grafana, the following dashboards are available:
The following dashboards are missing; feel free to create one:
- Dovecot
Logs
On FreeBSD servers, mail logs are consolidated into /var/log/maillog by the syslog daemon.
Test sending e-mail with telnet or openssl clients
You can test STARTTLS with openssl s_client:
openssl s_client -connect mail.nasqueron.org:587 -starttls smtp -ign_eof -crlf
Flags:
- The -starttls smtp option is the one that sends the STARTTLS command.
- The -ign_eof flag disables interactive commands, to avoid renegotiating the TLS session when you press R (as in RCPT TO).
- The -crlf flag doesn't seem needed on FreeBSD, but seems needed on Fedora. It forces \CR\LF (\r\n) as the end-of-line sequence.
Mail from @nasqueron.org must be sent through mail.nasqueron.org
An SPF record v=spf1 a:mail.nasqueron.org -all should exist.
Accordingly, any application hosted as app.nasqueron.org should:
- send mails using @app.nasqueron.org domain, not the generic @nasqueron.org one;
- define SPF and if possible DKIM records for this @app.nasqueron.org mail domain.
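To see why an application sending as @nasqueron.org from its own host fails SPF while the same host sending as @app.nasqueron.org passes, here is a small SPF evaluator added as an example (it is not part of the grimoire). It uses a constructed in-memory stand-in for DNS and supports only the mechanisms this page uses (a, a:<host>, ip4:<cidr>, all); the addresses are illustrative, not the real ones.

```python
import ipaddress

# Constructed stand-in for DNS lookups (a real tool would query DNS, e.g. with dnspython).
# hostname -> A records; domain -> SPF TXT record. Addresses are made up for the example.
FAKE_A = {
    "mail.nasqueron.org": ["51.210.99.253"],   # constructed, not the real address
    "app.nasqueron.org": ["198.51.100.10"],    # constructed, RFC 5737 documentation range
}
FAKE_SPF = {
    "nasqueron.org": "v=spf1 a:mail.nasqueron.org -all",      # record from this page
    "app.nasqueron.org": "v=spf1 a:app.nasqueron.org -all",   # what an app domain should publish
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(sender_ip, domain, a_records=FAKE_A, spf_records=FAKE_SPF):
    """Return 'pass', 'fail', 'softfail', 'neutral' or 'none' for sender_ip
    sending mail with a MAIL FROM in @domain.

    Subset of RFC 7208: mechanisms a, a:<host>, ip4:<cidr> and all, each with
    an optional +/-/~/? qualifier. Terms are evaluated left to right; the first
    matching mechanism decides the result.
    """
    record = spf_records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier, mech = "+", term
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        name, _, arg = mech.partition(":")
        if name == "all":
            matched = True
        elif name == "a":
            host = arg or domain
            matched = any(ipaddress.ip_address(a) == ip for a in a_records.get(host, []))
        elif name == "ip4":
            # 'in' returns False for an IPv6 sender against an IPv4 network
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            raise ValueError(f"unsupported mechanism: {name}")
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no term matched and no 'all' present


if __name__ == "__main__":
    print(spf_check("198.51.100.10", "nasqueron.org"))      # fail: app host, generic domain
    print(spf_check("198.51.100.10", "app.nasqueron.org"))  # pass: app host, its own domain
```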
Can't reach ACME DNS API
If you get a 403 when running acme.sh (only visible in --debug mode), the IP of the server isn't in geo_nasqueron.
Add a route to use the router-001 gateway: route add 51.255.124.8/30 172.27.27.1
Brute-force attacks
You can block an individual IP or a range with pf, see Operations grimoire/Firewall.